Index

A

Aerial surveillance
benefits, 59–60
coordination with ground surveillance, 60–61
video recording, 60
Altered evidence
authenticity validation, 237–238
common access, difficulties, 239–240
hash value, checking, 239
listing possible suspects, 239
metadata embedding, 239
Microsoft Windows operating systems, example, 239
modifying files, 238
possibilities, 237
track changes, checking, 239
two files with the same name, example, 238–239
work schedules and, 240
Analogies
description, electronic data, 175–176
effective use of, 176, 178
of digital forensic community, 175
folder access, listing, 179
password keeping, 177–178
physical access to computer, impact on, 176–177
reasonable comparison, using, 176
for visual aids, 176
Animations, for case presentation, 165–167
Assumptions
avoiding, 124–125
innocent victim, as prey, 124–125
United States v. Barry Vincent Ardolf (2011), example 1230
wireless network, misusing, 125
Audience
effective case presentation to, 159–160
knowing, 159

B

Backdating documents
antedating documents, 227–229
email attachments, checking, 227
manipulated copy, 226
Master File Table (MFT), checking, 227
metadata extraction, 227
time stamping, 227–229
Bad things, searching
browsing activity, 232
electronic evidence, 231–232
specifications, 232–233
work location, 233
Basic case tracking
bagging and logging tips, 138
evidence supporting suppositions, 138–139
Blog posts, threatening
anonymous webmail account, 233
erroneous information, IP address, 233
Internet account, 233
using false names, 233
Blogs
comments posting, suspects, 220–221
example, 217–218
information control, 217
Internet communication, 212
online investigation, 211
search engine for, 215
Bomb threats, by email
anonymous proxy servers, 246
online association, suspect, 247
suspect’s mistakes, utilizing, 247
tragedy prevention, 246

C

Case organization
dtSearch program, 161
indexing, information, 161
reading reports, 160–161
tracking reports, 160
Cases, naming
electronic file names, 139–140
internal system, 139
legal format, example, 139
numbering system, 139
Category-specific search engine, 215
Cell phone tracking
cell tower analysis, 74–75
data retention, 73
with GPS, 74
Cellular devices
remote access, 24
storage capacity, 24
suspect identification, 24
wipe command, suspect, 24
Charts analysis
basic design symbols, 150
complex computer systems, 168
computer booting, 168
data visualization, 167
event chart, 151
file movement, single system, 169
flow chart, 151, 171
identical evidence, in different computers, 168
link charting, 150–151
listing suspects, example, 152
mathematical knowledge, 173
matrix chart, 150
negative effects, 173
randomizing data, 172
timelines data in, 169–170
types, 167, 172
visual representation, 149
Cheat sheets
benefits of, 189, 192
creating own, 190
evidence control through, 188
forensic examiner, using, 184
hanging locations, 187
include analysis in report making, 184–186
online sources, 184
as study guides, 189
turnover folders, 186
as visual aids, 187
Checklists
benefits of keeping, 191
in digital forensics, 191
professionals, using, 191
reasons, to avoid, 191
skipping steps, explanation for, 191–192
Child pornography investigations
questioning the suspect on, 44–46
Circumstantial evidence, 1
Compiling information
asking, right questions, 123
crime scene reconstruction, 124
investigative questions, 125–129
Computer user activity
identifying, 133
patterns, analyzing, 133
Consumer purchase records
credit card use, 77
for locating suspects, 77
Covertly installed cameras
for constant recording, 65
court approval, 65–66
personal privacy issues, 65
specific purpose, 65
Cybercriminal’s life
altered evidence and spoliation, 237–240
backdating documents, 226–229
bomb threats, by email, 246–247
disgruntled employee behavior, 242–245
disposable email accounts, 229–230
employer’s data stealing, 242–245
evidence leading to more evidence, 230–231
false names, 229–230
locating suspect, 250–252
making mistakes, 235–237
missing evidence, 245–246
online extortion, 249–250
planted evidence, 254–255
property stealing, 252–253
searching for all bad things, 231–233
spoofed call harassment, 240–242
suspect’s IP address, 247–249, 253–254
threatening blog posts, 233–234
wrong online friends, 234–235
Cyberinvestigator’s life, 255–258
connecting suspects, with crime, 256
dealing different cases, 257–258
electronic data, building, 255
information sharing, impact on, 255
technical knowledge and skills, 256–257
testimonials, working, 258–259

D

Dark Web
accessing, 219
address appearing, example, 219
services, 220
suspects visiting, 219
transitory nature, 220
Data storage and access
easier aspects, in placing the suspect behind keyboard, 197–199
16 Gbyte USB flash drive, 198
Database analysis
benefits of, 147
for larger data, methods of, 147
manipulating, 149
for multiple timelines, 147–148
searching capability, 148–149
timestamps, example, 148
Dead box approaches
acquisition method, 5
boot media application, 7–8
for civil case, 8
evidence collection, issues, 10
for forensic image, 5–7
forensic disc booting methods, 8–9
Raptor Forensics Boot Operating System, 9
in small media, 9–10
for search warrant, 8
steps creation in, 5
Dealing different cases, cyber investigator
forensic artifacts, role in, 257
objectives and goals, 257
responsibilities, 257–258
Decision-making flowchart
location, suspect’s system, 20
pre-planned decisions, 20
in seizure missions, 19
time frame, impact on, 20
Deconfliction
law enforcement method, 82–83
resource pooling, 83
Diagrams
basic math knowledge, 173
complex computer systems, avoiding, 168
computer booting, 168
data visualization, 167
file movement, single system, 169
flow charts, example, 171
identical evidence, in different computers, 168
negative effects, 173
randomizing data, 172
timelines data in, 169–170
types, 167, 172
Dialed Number Recorders (DNR), 70–72
Difficulties, in placing the suspect behind keyboard
encryption, 201–204
massive and duplicate data, 205–206
open Wi-Fi hotspots, 205
public awareness, 204
remote control of systems, 204–205
Digital evidence collection, 24
in civil case, 8
computer applications, impact on, 3
data acquisition, 23
for forensic image, 24–25
general rule, 24–25
human interaction vs, 3
in search warrant, 8
seizure method, 3
Digital investigative techniques
biological forensic evidence, 118
calendar evidence, 111–112
digital authorship, 116–117
game consoles, 107–108
geolocation warning, 101–103
HTTP extraction, 108
interconnectivity devices, using, 103–104
Internet evidence for, 103–110
Internet history, analyzing, 104–106
IP address and devices connection, 108–110
Locard’s Exchange Principle for, 86
location, 89–90
network (cloud) connections, 95–97
online groups, using, 106–107
online social networking, 113–114
other devices, forensic analysis, 112–113
previews, electronic media, 118–121
texts and emails, 110–111
through profiling, 116–117
time, 90–94
to know who? what? when? why? where? and how?, 89–112
triage, 118–121
user activities of suspects, 114–116
user logins, finding, 114–115
user-specific computer activity, 115–116
using photos, 97–103
using videos, 97–103
Direct evidence, 1
Disposable Email accounts, 229–230

E

Easier aspects, in placing the suspect behind keyboard
hardware applications, 195–197
mistakes, done by suspects, 199–200
new and innovative computing devices, 197
new laws and employer rights, 201
operating systems, 194–195
pre-placed surveillance system, 200–201
public awareness, 199
software applications, 195–197
Education
difficulties, in placing the suspect behind keyboard, 204
easier aspects, in placing the suspect behind keyboard, 199
Electronic evidence
attributes, 1
data collection, 3
data losses, 18
gathering of, 2
obtaining, 2
physical memory data, 12
preview, 20
seizure of, 3, 24
simple file copying, 4
specific programs, 3
storage device, 25
value, 1
Electronic surveillance
legal approval for, 69–70
purpose, 69
Elimination process
charts and spreadsheets, using, 123
geolocation finding, 123, 127
illegal computer use, example, 123, 128
incident time, 123
listing possible suspects, 126
physical investigative methods, 123
shared computer systems, by suspect, 123, 128
Employee, information stealing
confidential dates, 242
copy machine, analyzing, 245
e-mail, using, 245
graphic representation, suspect movements, 244
intellectual property (IP) theft, 242
safeguard measures, 242–243
USB device information, 243–244
visual depiction, 244
Evidence collection
corporate policy violations, 124
effective time management, 124
resource availability, impact on, 124
timesheets for, 124
user activities, 124
Evidence leading to more evidence
geolocation, 231
storage media, 230
victim identification, 231

F

False names
in email, 229
IP address verification, 230
Ivins case example, 230
Federal Wiretap Act, 70
Finding persons
by MAC address, 87
multiple users, single computer, 88–89
through IP address, 87
through user accounts, 88
by Tor working, 87–88
by virtual private networks (VPN), 87
Follow-up, evidence
factual evidence, 132–133
listing possible suspects, 133
Forums
as pertinent areas, 213
example, 211
for category specific search, 215
information control, 217
Internet, 212
issues, in relying, 218, 220
online investigations, 211
posting, suspects, 218–219
username and profile, 218

G

GPS
cell phone tracking, 74
data tracking through, 24
timeline activities, 24–25
vehicle tracking, 75–76
see also specific entries

H

Hanging locations in Cheat sheets, 187
Hash value, checking in altered evidence, 239
Human interaction, in digital evidence collection, 3
Human trafficking investigations, 234–235

I

Icerocket (search engine), 215
Identifying suspects
investigative means, 248–249
questioning, family and friends, 249
through IP address, 247
United States of America v Higinio O. Ochoa III 2012 example, 247–248
Identity theft investigations
questioning the suspect on, 46–47
Internet
search engines and directories, 214–215
suspect identification, 212
uninhibited views, 212
users, 212
Investigative aids
cheat sheets, 188
evidence control, forensic research, 188
software application, 189
Investigative mindset, 158
IP addresses, as evidence
arrest based on, 253
as lead or clue, 254
innocent victim, 254
manipulative, nature, 254
see also specific entries

K

Keystroke logging
case examples, 77
hardware, 76
installation, 76
software program, 76–77

L

Live box approaches
chat-details, non recovery of, 12
data collection methods, 10–11
data destruction, prevention, 19
data encryption, 14
data loss, issues, 18
data wiping programs, 16
decryption keys, importance of, 14–15
dropbox folder, access, 19
encryption programs, examples, 14
events processing, running system, 10–11
F-Response connection, 13–14
full disk encryption, 15–16
hard drive application, 11
host system vs guest virtual machine, 17
malware existence, impact on, 13
memory ranges, 13
online deletion, suspect, 19
order of volatility in, 11–12
physical memory acquisition, 11–12
pre-configured volatile memory collection systems, examples, 12–13
processing hours, 16
remote acquisition of data, 13
rootkits installation, 13
steps creation, 11
task bar application, 18
Team-Viewer, usage by suspect, 19
third party encryption programs, 15
troubleshooting issues, 13
two individual system, in virtual machine, 17
virtual machine applications, examples, 16–17
volatile data information collection issues, 12
Locard’s Exchange Principle, 86
Location, placing suspect
alibi creation, 251
IP address, using, 250
security-conscious criminals, dealing with, 251
visual inspection, reasons for, 251

M

Maps analysis
GeoTime application, 153–154
PerpHound program for, 153–154
plotting geolocation, 153
suspect’s movements and location, 153
Minimal information, hazards of
Chism v Washington, 55
disastrous effects, 54–55
incorrect information, 56
innocent victims, charging of, 55–56
Washington State Patrol, example, 55–56
Missing evidence
finding relevant media, 245
removable devices, listing, 245–246
storage devices, 245
timing and proximity, 246
tracking USB storage devices, 246
Mobile surveillance
benefits, 59
finger print identification, 59
high traffic, impact on, 58–59
identification through, 58
lead vehicle’s role, 57–58
operating tips, 57
suspect’s vehicle, checking of, 59
suspect’s activities, observing, 58–59
vehicle requirements, 90
Motive, crimes
deletion, electronic document, 126
for profit, 126
listing suspects, remote access, 126
multiple persons, single incident, 126

N

Neighbors
assisting surveillance, 82
Note taking
benefits, 141
listing potential suspects, 141
methods, 141
OneNote program example, 141–142
Note, analyzing
freeware applications, examples, 143–144
KeepNote application, 143
processing software applications, 142–143
wholesome information, 144

O

Omnibus Crime Control and Safe Streets Act 1968, 70
Online directories, 215
Online extortion
anonymous identity and, 249
investigative methods, 250
victims of, 249
Online friends
anonymous gifts, 234
child pornography, 234
human trafficking investigations, 234–235
physical electronic evidence, need for, 234
sexual predator case, example, 234
Online investigations
access to government database, 211
credibility, public record database, 211–212
emails and, 213
information search, 213
Internet information, physical proof, 212
logging time, suspects, 221
mirrored webpages, 212–213
preparations, 222
real-time information, 212
social networking, using, 213
Opportunity
hidden motives, 126
physical access, computers, 126
Other alleged crimes
questioning the suspect on, 47–48

P

Pen Registers, 70–71
Personal information, suspect
examples, 78
Internet activities, 78–79
Ochoa case example, 79
online, 78
public sources, 78
Phone records
example, 71
Physical surveillance
covert, 57
legitimate alibi, 56
resource requirements, 56
successful operation, tips for, 56–57
types, 56–57
Planted evidence
allegation, denial, 254–255
electronic devices for, 255
innocent victim, 255
irrationality of, 255
Preparation, 160
Presentation media
audience preference, 162–163
backup plans, 163–164
effective ways, 163
flip chart model, 164
non-technical devices, 164
physical devices, 164
Presentation methods
skill development tips, 180
technical explanations, 179–180
visual aids and analogies, using, 180
Preview
on dead box, 23
defined, 20
Field Search application, 22
forensic software application, 20–21
in live system, 22
methodology, 20
owner’s consent, 22
questioning suspects, 23
specific data capturing, 22
step creation, 22
Property stealing
location, identification, 253
photos, as evidence, 252
resolution method, 253
smartphone, using, 253
Public awareness
difficulties, in placing the suspect behind keyboard, 204
easier aspects, in placing the suspect behind keyboard, 199

Q

Questioning a suspect
about boards, 37–40
about email, 37–40
about forums, 37–40
about Internet usage, 36–37
about online chat, 37–40
about online social networking, 37–40
about other devices, 34–35
about software usage, 35–36
commonly used electronic devices, 29–30
computer skill, criminal, 30
control of the devices, 33–34
data hiding, 32–33
encryption features, operating system, 31
evidence-gathering, 28
file storage methods, 29–30
for non-criminal cases, 28
guidelines, 29
human-to-human interaction, 28
main goal of, 28
password protection, 31–32
peer-to-peer networking program, 29, 40–42
steganography, defined, 32
types of answer, expecting from, 30–31
verification, suspect’s admission, 28–29
visual survey, suspect’s home, 29
Questioning network administrators
on customer accounts, 50–51
document retention policies, 50
on Internet service providers, 50–51
on online data hosting, 50–51
on other online services, 50–51
order of volatility, 50
Questioning victims
on email harassment, 49–50
on identity theft, 48–49
on online posting, 49–50
on text harassment, 49–50
Quickstart guides
for information research, 184
turnover folders, 186

R

Raptor Forensics Boot Operating System, 9
Residence landlines
for locating suspect, 72

S

Simple file copying
in civil case, 4
comprehensive method of, 5
denial of specific actions, 4
forensic applications, 5
tool choice, 4
using of, 4
Slideshows
for case presentation, 165167
Smartphones
remote access, 24
storage capacity, 24
suspect identification, 24
wipe command, suspect, 24
Social networking websites
hacking and knitting, 217
privacy concerns, 217
user specified selection, 216
Spoofed call harassment
as criminal activity, 240
Caller ID, tracking, 241
disposable phones, using, 241–242
Internet access, 241
listing suspects, 242
phone number, identifying, 240
pre-paid cards, 241
service providers, using help, 241
Spreadsheet analysis
case presentation method, 146
charts and graphs, 145–146
chronological events, 145
manipulating, 144
methods of, 146
timelines, creation, 144
types, 145
X-Ways Forensics for, 145
Study guides
cheat sheets as, 189
electronic data analysis, 190
investigative goals and, 189–190
Successful resolution techniques
identifying rabbit holes, suspect, 133–134
Surveillance notes
common methods of, 67
electronic, 68
example, 67
spreadsheet for, 68
visual representation, 68–69
with timeline, 68
Surveillance recording sources
access-control systems, 66
behavioral biometrics, 67
keycard access system, 66
physical biometrics, 66–67
Suspect’s mistake
anonymous email account, 235
breaking case, 235
BTK case, example, 237
data encryption, 236
finding password, 236
Suspect’s machine
benefits, virtual machine, 173–174
evidence file, description, 174
files location, virtual machine, 174–175
guest and host operating system, 173
virtual machine creation from, 173

T

Technical knowledge and skills, cyberinvestigator
common practices, using, 257
discovering new process, 256–257
evaluating, other’s cases, 256
information sharing, 257
learning and sharing, 256
working with, electronic devices, 256
Testimonials, cyberinvestigator’s work
comprehensive analysis of, 258
court instructions, following, 259
for criminal investigation, 258
planning, 259
trial period, suspects, 258
with evidence collectors, 259
with factual means, 258–259
with interns, 258
Timelines
authenticity validation, 132
collecting information, 131
creating, 130
defined, 129
spreadsheets, using, 130–131
use of, 129–130
visual displays, 132
Title III, 70
Too Much Information (TMI), avoidance, 179
Trash runs
legal approval, 72
significance of, 73
Triage
on dead box, 23
defined, 20
Field Search application, 22
forensic software application, 20–21
in live system, 22
methodology, 20
owner’s consent, 22
questioning suspects, 23
specific data capturing, 22
step creation, 22
Triggerfish, 71–72
Turnover folder
for digital forensics analysts, 186
Marine Corps using, 186
template forms, 186

U

Undercover operations
agent activities, 79
benefits, 81
by codes tracking, 80
examples, 79
by FBI, 80
investigative methods, 80
locating by voice, 80
safety risks, 80–81
Usernames
benefits, of finding, 215
finding, in websites, 215

V

Vehicle tracking
automated toll collection devices, 76
deactivation, GPS, 75
GPS device for, 75–76
GPS installation type, 75
through wireless transmission, 75
traffic stops, case example, 76
Video surveillance
by private companies, 63
ceiling mounted camera through, 64
government jurisdiction on, 61
limitations, 64
public opinion on, 61
suspect tracking, 62–63
traffic camera model, 61–62
visual identification, suspect, 63–64
Virtual machines
difficulties, in placing the suspect behind keyboard, 206–208
Virtual private networks (VPN)
access, by suspect, 221
Visual aids
cheat sheets, 187
forensic artifacts, 187
Visual values
in case presentation, 162–173
Volume Shadow Copy Service (VSS), 194–195

W

Web browser
add-ons, 213–214
for online research, 213
Mozilla’s Firefox, example, 213
thorough search, 213
Webpages
dynamic chugs, 221
preserving methods, 221
printing and copying, 221
saving, 221
Wikis
online investigation, 217–219
Win or lose situations, 158–159
Wiretap authority, 70
Witness
identification, 81
in corporate environment, 82
outside factors, affecting, 81
potential dangers, 81
Workplace, employee allegations
accessing, classified information, 251
movement tracking, 251–252
recorded activity, as evidence, 252

X

X-Ways Forensics, Spreadsheet analysis, 145