Preface

In performing an investigation that explores the use of computers or digital data, one is basically embarking on an archaeological expedition. To extract useful artifacts (information, in our case), one must be exceedingly careful in how one approaches the site. The similarities between a digital investigation and an archaeological excavation are much closer than you might imagine. Data, like physical artifacts, gets dropped into the oddest places. The effects of time and environment are just as damaging, if not more so, to digital artifacts as they are physical mementos.

This book takes the concepts of archaeology and applies them to computer science. It is a tutorial on how to investigate a computer system to find evidence of a crime or other misbehavior, and to make sure that evidence will stand up in court. While there are numerous other books that cover the whys and wherefores of digital forensics, this one will go into some detail on how to accomplish the task.

We’ve all watched the TV programs where the good guys figure out everything the bad guys did just from examining a piece of hair. (Is this why the bad guys are always called “hairballs”?) In modern-day investigations, the role of the computer plays as big a part as the star witness in many cases. In fact, the computer often is the star witness. Many cases have been solved or settled on the basis of what trained professionals were able to discover while examining electronic evidence (e-evidence).

However, the courts take a dim view on just anybody digging around in somebody else’s computers. They generally insist that legal process be followed, and that only a trained professional attempt the examination. The extraction and analysis of e-evidence is all part of what we call computer forensics. So what is forensics? The word itself originated from the Latin word forum, which described a place where people could assemble publicly and discuss matters of interest to the community. In that context, the word was derived from the strict rules of presentation applied to such discussions. In the context of this book, the word best means application of science or technology to the collection of evidence for the purpose of establishing facts. The vast majority of references specify that forensic science is targeted at criminal investigation. However, in the real world, digital investigations are commonly used in civil cases and within organizations to identify members engaged in illicit activities.

A crime scene investigator might have DNA from samples of hair found at the scene analyzed to prove that a specific individual was on the scene at least once. Chemical analysis of soil can identify a geographical origin. The process of computer forensics is a series of steps by which professionals can prove the following:

• Data exists.

• Data once existed.

• Data originated from a specific source.

• A particular individual either created or had access to the data in question.

• The data is relevant to the case.

• The data has not changed in any way from acquisition to analysis.

While it is not always necessary to prove all of the above statements are true, in order to secure a case it is best if as many as possible can be locked down. Even when all of the above are proven, a slick lawyer can always point out the fact that e-evidence is almost always circumstantial and press for reasons why the investigation team has presented insufficient corroborating evidence to demonstrate relevance or authenticity. (Both of these terms will be discussed in greater detail in the course of this book.) Even if you can prove beyond a shadow of a doubt that Tammy Sue created the letter you found on Billy Bob’s computer, can you prove that Billy Bob actually acquired the letter illegally? Probably not—which is why, as an expert witness, you don’t even try. You simply collect the evidence and state the facts. The more incriminating evidence that you can find, the better the chances are that your side wins the battle.

In addition, while the book’s primary goal is not to show people how to hide their tracks, understanding the processes discussed in this book can help an individual or organization prepare for a hostile demand for the delivery of electronic information (e-discovery). Properly identifying the bits on your computer can go a long way in preparing a defensible stance. If you know the garbage they are likely to find, you can be ready with an explanation. Foreknowledge also stops you from making the legally indefensible mistake of deliberately destroying evidence in advance of e-discovery. Such bad behavior doesn’t just result in a slap on the wrist. It can result in fines ranging into the millions (or even billions) of dollars.

There will be terms used in this book that I assume the reader already knows from previous experience or learning, because they are more relevant to general computer technology than to digital forensics. While it is not necessary to be a networking guru, it is certainly essential that you have a firm understanding of the concepts of networking, including principles of TCP/IP, network hardware, and communications.

From there on, the book describes tools and techniques that the average investigator will use on a day-in, day-out basis. The chapters are set up in approximately the order that the tasks will be accomplished in the real world. Finally, some of the humdrum aspects of the profession are discussed. Documentation, certification, and business aspects of digital forensics aren’t that much fun. But they are necessary aspects of the profession.

• Bold: A new term that will appear in the glossary

• Italics: A definition

• Monospace type: Code or commands to be typed into the computer

• Command Syntax:

Click here to view code image

copy {filename.doc} {PATH: ewfile.doc} is the syntax used in
the text to represent the command copy novel.doc c: empdocs
novel.doc. Brackets will not be used at the command prompt.

• Sidebars: Anecdotes or examples that relate to the current text

A sign of how strong the field is can be seen in the Great Recession of 2008. When nearly six million people in regular walks of life all lost their jobs, openings couldn’t be filled for practitioners in the black arts of digital forensics. To top things off, scanning a listing of job offerings showed the lowest offering salary (that was stated) at $46,000 per year. The vast majority of starting salaries listed ranged from the high fifties to the mid-sixties per year. And this was starting salary.

With recent laws such as Sarbanes-Oxley and the new Federal Rules of Civil Procedure, along with venerable old laws like HIPAA and Gramm-Leach-Bliley, putting more pressure on business, health, and nonprofit organizations, it is a certain bet that the number of investigators needed will only increase. The key to getting one of these jobs is training and certification. And compliance has become a huge issue for many organizations.

• Certified Electronic Evidence Collection Specialist (CEECS): International Association of Computer Investigative Specialists (offered only to law enforcement officials)

• Certified Forensic Computer Examiner (CFCE): International Association of Computer Investigative Specialists

• Certified Information Systems Security Professional (CISSP): (ISC)²

• Global Information Assurance Certification (GIAC) Certified Forensic Analyst

• GIAC Certified Forensic Examiner

• EnCase Certified Examiner: Guidance Software

• Paraben: Various certificates of completion

• Cisco Certified Network Engineer (CCNE): Proof of mastery of Cisco router and switch management

• A+: Vendor-neutral certification of expertise in computer hardware installation and maintenance offered by the Computing Technology Industry Association (CompTIA)

• Network1: Vendor-neutral certification of expertise in network infrastructure and administration offered by CompTIA

I discovered that I liked repairing computers a whole lot more than I did selling them. So I started distributing my resume to a variety of potential employers—and didn’t get a single response. On a whim, I self-studied for the A+ certification from CompTIA, took the exams, and passed with flying colors. As soon as I had those letters behind my name, I started circulating my resume again and got three invitations to interview on the first pass. Of those, I was offered a position that paid approximately 35% more than I earned in my best year as a sales rep. For me, that was a very powerful lesson on the value of certification. Getting a master of science in digital investigation management hasn’t hurt either.

First of all, I would like to thank Robert J. Sherman for his help in mobile phone technology. Okay, to be precise, he didn’t just help . . . he wrote the whole chapter on mobile device forensics. He is an expert in this field, and my knowledge pales in comparison. So in the face of a lot of begging and pleading, along with promises of fame and fortune (sorry, bud . . . this is all the fame and fortune you’re likely to get out of this deal), he caved and agreed to help me. In the end, he turned out an excellent chapter. So if, after reading that chapter, you wonder why it reads so much better than the rest of the book, now you know.

Next, I’d like to give credit to two amazing reviewers whose comments turned a marginal first draft into a profoundly better final manuscript. Jay Lightfoot and Ruth Watson both provided chapter-by-chapter comments on my first effort, suggesting numerous improvements in both structure and content. Without those reviews, I don’t think this book would be as good as it is (however good that may be).

Naturally, I’m saving the best for last. My publisher actually made me complete the book! What’s with that? Michelle Housley, Michael Thurston, and Bernard Goodwin at Addison-Wesley all refused to give up hope on either me or the project (although I’m sure there were times it was tempting) and got me through that inevitable mid-book crisis where I felt I couldn’t possibly write another page without insanity setting in. This book is proof that I was wrong about the former, but I cannot with certainty attest to the latter.

Michael W. Graves
April, 2013