Index
A
Aerial surveillance
  coordination with ground surveillance, 60–61
Altered evidence
  authenticity validation, 237–238
  common access, difficulties, 239–240
  hash value, checking, 239
  listing possible suspects, 239
  Microsoft Windows operating systems, example, 239
  track changes, checking, 239
  two files with the same name, example, 238–239
Analogies
  description, electronic data, 175–176
  of digital forensic community, 175
  folder access, listing, 179
  physical access to computer, impact on, 176–177
  reasonable comparison, using, 176
Animations, for case presentation, 165–167
Assumptions
  innocent victim, as prey, 124–125
  United States v. Barry Vincent Ardolf (2011), example, 1230
  wireless network, misusing, 125
Audience
  effective case presentation to, 159–160
B
Backdating documents
  email attachments, checking, 227
  Master File Table (MFT), checking, 227
Bad things, searching
Basic case tracking
  bagging and logging tips, 138
  evidence supporting suppositions, 138–139
Blog posts, threatening
  anonymous webmail account, 233
  erroneous information, IP address, 233
Blogs
  comments posting, suspects, 220–221
  Internet communication, 212
  online investigation, 211
Bomb threats, by email
  anonymous proxy servers, 246
  online association, suspect, 247
  suspect’s mistakes, utilizing, 247
C
Case organization
  indexing, information, 161
Cases, naming
  electronic file names, 139–140
  legal format, example, 139
Category-specific search engine, 215
Cell phone tracking
  cell tower analysis, 74–75
Cellular devices
  suspect identification, 24
  wipe command, suspect, 24
Charts analysis
  basic design symbols, 150
  complex computer systems, 168
  file movement, single system, 169
  identical evidence, in different computers, 168
  listing suspects, example, 152
  mathematical knowledge, 173
  visual representation, 149
Cheat sheets
  evidence control through, 188
  forensic examiner, using, 184
  include analysis in report making, 184–186
Checklists
  in digital forensics, 191
  professionals, using, 191
  skipping steps, explanation for, 191–192
Child pornography investigations
  questioning the suspect on, 44–46
Circumstantial evidence,
Compiling information
  asking, right questions, 123
  crime scene reconstruction, 124
  investigative questions, 125–129
Computer user activity
Consumer purchase records
  for locating suspects, 77
Covertly installed cameras
  for constant recording, 65
  personal privacy issues, 65
Cybercriminal’s life
  altered evidence and spoliation, 237–240
  bomb threats, by email, 246–247
  disgruntled employee behavior, 242–245
  disposable email accounts, 229–230
  employer’s data stealing, 242–245
  evidence leading to more evidence, 230–231
  searching for all bad things, 231–233
  spoofed call harassment, 240–242
  threatening blog posts, 233–234
Cyberinvestigator’s life, 255–258
  connecting suspects, with crime, 256
  dealing with different cases, 257–258
  electronic data, building, 255
  information sharing, impact on, 255
  technical knowledge and skills, 256–257
  testimonials, working, 258–259
D
Dark Web
  address appearing, example, 219
Data storage and access
  easier aspects, in placing the suspect behind keyboard, 197–199
  16 Gbyte USB flash drive, 198
Database analysis
  for larger data, methods of, 147
  for multiple timelines, 147–148
Dead box approaches
  acquisition method,
  boot media application, –
  for civil case,
  evidence collection, issues, 10
  for forensic image, –
  forensic disc booting methods, –
  Raptor Forensics Boot Operating System,
  for search warrant,
  steps creation in,
Dealing with different cases, cyberinvestigator
  forensic artifacts, role in, 257
  objectives and goals, 257
Decision-making flowchart
  location, suspect’s system, 20
  pre-planned decisions, 20
  time frame, impact on, 20
Deconfliction
  law enforcement method, 82–83
Diagrams
  basic math knowledge, 173
  complex computer systems, avoiding, 168
  file movement, single system, 169
  flow charts, example, 171
  identical evidence, in different computers, 168
Dialed Number Recorders (DNR), 70–72
Difficulties, in placing the suspect behind keyboard
  massive and duplicate data, 205–206
  remote control of systems, 204–205
Digital evidence collection, –
  in civil case,
  computer applications, impact on,
  data acquisition, –
  for forensic image, 24–25
  human interaction vs,
  in search warrant,
  seizure method,
Digital investigative techniques
  biological forensic evidence, 118
  interconnectivity devices, using, 103–104
  Internet evidence for, 103–110
  Internet history, analyzing, 104–106
  IP address and devices connection, 108–110
  Locard’s Exchange Principle for, 86
  network (cloud) connections, 95–97
  online social networking, 113–114
  other devices, forensic analysis, 112–113
  previews, electronic media, 118–121
  to know who? what? when? why? where? and how?, 89–112
  user activities of suspects, 114–116
  user-specific computer activity, 115–116
Direct evidence,
Disposable email accounts, 229–230
E
Easier aspects, in placing the suspect behind keyboard
  hardware applications, 195–197
  mistakes, done by suspects, 199–200
  new and innovative computing devices, 197
  new laws and employer rights, 201
  pre-placed surveillance system, 200–201
  software applications, 195–197
Education
  difficulties, in placing the suspect behind keyboard, 204
  easier aspects, in placing the suspect behind keyboard, 199
Electronic evidence
  attributes,
  data collection,
  gathering of,
  obtaining,
  simple file copying,
  specific programs,
  value,
Electronic surveillance
  legal approval for, 69–70
Elimination process
  charts and spreadsheets, using, 123
  illegal computer use, example, 123, 128
  listing possible suspects, 126
  physical investigative methods, 123
  shared computer systems, by suspect, 123, 128
Employee, information stealing
  copy machine, analyzing, 245
  graphic representation, suspect movements, 244
  intellectual property (IP) theft, 242
  USB device information, 243–244
Evidence collection
  corporate policy violations, 124
  effective time management, 124
  resource availability, impact on, 124
Evidence leading to more evidence
  victim identification, 231
F
False names
  IP address verification, 230
Finding persons
  multiple users, single computer, 88–89
  through user accounts, 88
  by virtual private networks (VPN), 87
Follow-up, evidence
  listing possible suspects, 133
Forums
  for category-specific search, 215
  online investigations, 211
  username and profile, 218
G
GPS
  data tracking through, 24
  timeline activities, 24–25
  see also specific entries
H
Hanging locations, in cheat sheets, 187
Hash value, checking in altered evidence, 239
Human interaction, in digital evidence collection,
Human trafficking investigations, 234–235
I
Icerocket (search engine), 215
Identifying suspects
  questioning, family and friends, 249
  United States of America v. Higinio O. Ochoa III (2012), example, 247–248
Identity theft investigations
  questioning the suspect on, 46–47
Internet
  search engines and directories, 214–215
  suspect identification, 212
Investigative aids
  evidence control, forensic research, 188
  software application, 189
Investigative mindset, 158
IP addresses, as evidence
  manipulable nature, 254
  see also specific entries
K
Keystroke logging
L
Live box approaches
  chat details, non-recovery of, 12
  data collection methods, 10–11
  data destruction, prevention, 19
  decryption keys, importance of, 14–15
  Dropbox folder, access, 19
  encryption programs, examples, 14
  events processing, running system, 10–11
  F-Response connection, 13–14
  full disk encryption, 15–16
  hard drive application, 11
  host system vs guest virtual machine, 17
  malware existence, impact on, 13
  online deletion, suspect, 19
  order of volatility in, 11–12
  physical memory acquisition, 11–12
  pre-configured volatile memory collection systems, examples, 12–13
  remote acquisition of data, 13
  rootkits installation, 13
  TeamViewer, usage by suspect, 19
  third-party encryption programs, 15
  troubleshooting issues, 13
  two individual systems, in virtual machine, 17
  virtual machine applications, examples, 16–17
  volatile data information collection issues, 12
Locard’s Exchange Principle, 86
Location, placing suspect
  security-conscious criminals, dealing with, 251
  visual inspection, reasons for, 251
M
Maps analysis
  PerpHound program for, 153–154
  plotting geolocation, 153
  suspect’s movements and location, 153
Minimal information, hazards of
  disastrous effects, 54–55
  incorrect information, 56
  innocent victims, charging of, 55–56
  Washington State Patrol, example, 55–56
Missing evidence
  finding relevant media, 245
  removable devices, listing, 245–246
  timing and proximity, 246
  tracking USB storage devices, 246
Mobile surveillance
  fingerprint identification, 59
  high traffic, impact on, 58–59
  identification through, 58
  lead vehicle’s role, 57–58
  suspect’s vehicle, checking of, 59
  suspect’s activities, observing, 58–59
Motive, crimes
  deletion, electronic document, 126
  listing suspects, remote access, 126
  multiple persons, single incident, 126
N
Neighbors
  assisting surveillance, 82
Note taking
  listing potential suspects, 141
  OneNote program example, 141–142
Notes, analyzing
  freeware applications, examples, 143–144
  KeepNote application, 143
  processing software applications, 142–143
  wholesome information, 144
O
Omnibus Crime Control and Safe Streets Act of 1968, 70
Online extortion
  anonymous identity and, 249
  investigative methods, 250
Online friends
  human trafficking investigations, 234–235
  physical electronic evidence, need for, 234
  sexual predator case, example, 234
Online investigations
  access to government database, 211
  credibility, public record database, 211–212
  Internet information, physical proof, 212
  logging time, suspects, 221
  real-time information, 212
  social networking, using, 213
Opportunity
  physical access, computers, 126
Other alleged crimes
  questioning the suspect on, 47–48
P
Personal information, suspect
  Internet activities, 78–79
Phone records
Physical surveillance
  resource requirements, 56
  successful operation, tips for, 56–57
Planted evidence
  electronic devices for, 255
Presentation media
  non-technical devices, 164
Presentation methods
  skill development tips, 180
  technical explanations, 179–180
  visual aids and analogies, using, 180
Preview
  Field Search application, 22
  forensic software application, 20–21
  specific data capturing, 22
Property stealing
  location, identification, 253
Public awareness
  difficulties, in placing the suspect behind keyboard, 204
  easier aspects, in placing the suspect behind keyboard, 199
Q
Questioning a suspect
  about Internet usage, 36–37
  about online social networking, 37–40
  about other devices, 34–35
  about software usage, 35–36
  commonly used electronic devices, 29–30
  computer skill, criminal, 30
  control of the devices, 33–34
  encryption features, operating system, 31
  file storage methods, 29–30
  for non-criminal cases, 28
  human-to-human interaction, 28
  password protection, 31–32
  peer-to-peer networking program, 29, 40–42
  steganography, defined, 32
  types of answer, expecting from, 30–31
  verification, suspect’s admission, 28–29
  visual survey, suspect’s home, 29
Questioning network administrators
  on customer accounts, 50–51
  document retention policies, 50
  on Internet service providers, 50–51
  on online data hosting, 50–51
  on other online services, 50–51
Questioning victims
  on email harassment, 49–50
  on text harassment, 49–50
Quickstart guides
  for information research, 184
R
Raptor Forensics Boot Operating System,
Residence landlines
S
Simple file copying
  in civil case,
  comprehensive method of,
  denial of specific actions,
  forensic applications,
  tool choice,
  using of,
Slideshows
  for case presentation, 165–167
Smartphones
  suspect identification, 24
  wipe command, suspect, 24
Social networking websites
  hacking and knitting, 217
  user-specified selection, 216
Spoofed call harassment
  as criminal activity, 240
  disposable phones, using, 241–242
  phone number, identifying, 240
  service providers, using help, 241
Spreadsheet analysis
  case presentation method, 146
  chronological events, 145
  X-Ways Forensics for, 145
Study guides
  electronic data analysis, 190
  investigative goals and, 189–190
Successful resolution techniques
  identifying rabbit holes, suspect, 133–134
Surveillance notes
  visual representation, 68–69
Surveillance recording sources
  access-control systems, 66
  behavioral biometrics, 67
  keycard access system, 66
  physical biometrics, 66–67
Suspect’s mistake
  anonymous email account, 235
Suspect’s machine
  benefits, virtual machine, 173–174
  evidence file, description, 174
  files location, virtual machine, 174–175
  guest and host operating system, 173
  virtual machine creation from, 173
T
Technical knowledge and skills, cyberinvestigator
  common practices, using, 257
  discovering new process, 256–257
  evaluating, others’ cases, 256
  learning and sharing, 256
  working with, electronic devices, 256
Testimonials, cyberinvestigator’s work
  comprehensive analysis of, 258
  court instructions, following, 259
  for criminal investigation, 258
  trial period, suspects, 258
  with evidence collectors, 259
Timelines
  authenticity validation, 132
  collecting information, 131
Too Much Information (TMI), avoidance, 179
Trash runs
Triage
  Field Search application, 22
  forensic software application, 20–21
  specific data capturing, 22
Turnover folder
  for digital forensics analysts, 186
U
Undercover operations
  investigative methods, 80
Usernames
  benefits, of finding, 215
  finding, in websites, 215
V
Vehicle tracking
  automated toll collection devices, 76
  GPS installation type, 75
  through wireless transmission, 75
  traffic stops, case example, 76
Video surveillance
  ceiling-mounted camera through, 64
  government jurisdiction on, 61
  traffic camera model, 61–62
  visual identification, suspect, 63–64
Virtual machines
  difficulties, in placing the suspect behind keyboard, 206–208
Virtual private networks (VPN)
Visual aids,
Visual values
Volume Shadow Copy Service (VSS), 194–195
W
Web browser
  Mozilla’s Firefox, example, 213
Webpages
  printing and copying, 221
Wikis
Win or lose situations, 158–159
Witness
  in corporate environment, 82
  outside factors, affecting, 81
Workplace, employee allegations
  accessing, classified information, 251
  recorded activity, as evidence, 252
X
X-Ways Forensics, spreadsheet analysis, 145