Index

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Previous Chapter

References

Index

Note: Page numbers followed by f and t indicate figures and tables, respectively.

> command, 202t
18 U.S.C. 2252B, 170–171
32-bit system, 175, 185
64-bit system, 175, 185
802.11a standard, 266
802.11b standard, 266
802.11g standard, 266
802.11n standard, 266

A

academia, 10
academic/knowledge-based attack, 117
academic/knowledge-based code breaking, 130
AccessData Certified Examiner (ACE), 77, 302
AccessData’s Forensic Toolkit, 71, 101–102, 101–102f, 111, 139, 165, 168, 185, 215, 219, 246, 296
AccuBurn-R, 300
ACE. See AccessData Certified Examiner
ACK bit, 254, 255
acknowledgment flag (ACK), 51
action:a, 211
active IDSs, 209
active state, 246
actual data loss, 151
adb (Android Debugging Bridge) shell, 242–243
AddRoundKey, AES, 127, 128
ADRAM. See asynchronous dynamic random access memory
Advanced Encryption Standard (AES), 117, 127–128
Advanced Forensic Format (AFF), 98
Advanced Format, 136
adverse events, 281
AES. See Advanced Encryption Standard
AFF. See Advanced Forensic Format
AIX for PowerPC, 227
-al commands, 233
Alternate Data Streams, 186–187
American Academy of Forensic Sciences (AAFS), 303
American Heritage Dictionary, 4
American Society of Crime Laboratory Directors (ASCLD), 69–70
American Standard Code for Information Interchange (ASCII), 229
AnaDisk Disk analysis tool, 74–75
analysis plan, 62
Android operating system, 240–243
anonymizer, 158
anonymous remailing, 158–159
anti-forensics, 26
anti-malware, 280
Apache web server, 209
Apple, 226
Apple DOS, 226
Apple II, 226–227
Apple iPhone iTunes display, 248f
Apple Mail, 164
Apple Network Server, 227
Apple Partition Map, 230, 231
Apple Pascal, 226
Apple SOS, 226
application filter, 271
application log, 183
applications and services logs, 183
armored virus, 54
ARPANET network, 159
ASCII. See American Standard Code for Information Interchange
ASCLD. See American Society of Crime Laboratory Directors
ASR Data Acquisition & Analysis, 296
asymmetric cryptography, 122, 129–130
asynchronous dynamic random access memory (ADRAM), 16
Atbash cipher, 117–118, 123
Auditpol.exe, 184
augmented reality, 292
authentication of evidence, 61
Autopsy, 75, 98, 219–221, 220–222f, 299

B

Back Orifice, 257
BackTrack, 19, 74, 207
backups, 12, 156, 278
base station controller (BSC), 238
base station system (BSS), 238
base transceiver station (BTS), 238
Bash. See Bourne-again shell
basic input/output system (BIOS), 89, 175, 205
basic networking, 77
Basic Service Set Identifier (BSSID), 245
basic subscriber information, 169
BCP. See business continuity plan
BEDO. See burst EDO
Belkasoft RAM Capturer, 194, 194f
Bell Laboratories, 200
Bellaso, Giovan Battista, 120
Berger v. New York, 30
Berkeley Fast File System, 21, 208
BIA. See business impact analysis
/bin directory, 211, 211f
binary operations, 125
BIOS. See basic input/output system
bit-level copy, 60, 233
bit-level information, 64
bit-level tools, 64
bit-plane complexity segmentation steganography (BPCS), 110
bitmap, 146, 208
BlackBerry device, 243, 249–250
block ciphers, 123
Blu-ray discs, 97
boot, 212
boot camp, 76
/boot directory, 212
boot loader, 205–206
boot partition, 175
boot phase, 176
boot process, 175–177
boot sector, 205
bootstrap environment, 205
bootwait, 212
Border Gateway Protocol (BGP), 22, 257
Bourne-again shell (Bash), 201
Bourne shell (sh), 201
breaking encryption, 130–133
brute force, 126, 130
brute-force attack, 116, 126
BSS. See base station system
BTS. See base transceiver station
burst EDO (BEDO) DRAM, 16
business continuity plan (BCP), 276
business extension exemption, 306
business impact analysis (BIA), 277–278

C

C shell (csh), 201
Caesar cipher, 116–117, 120
CALEA. See Communication Assistance to Law Enforcement Act
call history, 244
CAN-SPAM Act, 169–170
carrier file, 109, 111, 112f
cars, with GPS devices, 291–292
carver-recovery.exe, 152
carving, file, 152–153
cd command, 202t
CD-ROMs, 97
CDE for UNIX systems. See Common Desktop Environment for UNIX systems
cell phone, 243–246
cell-phone forensics, 14
Cellabrite, 246–247
cellular device concepts, 238–243
Center for Education and Research in Information Assurance and Security (CERIAS), 65
Central Bureau of Investigation (CBI), 55
central processing unit (CPU), 175
CERT. See Computer Emergency Response Team
Certified Cyber Forensics Professional (CCFP) test, 78, 303
Certified Ethical Hacker test, 78
Certified Forensic Computer Examiner (CFCE) certification, 302
Certified Hacking Forensic Investigator, 302
Certified Information Systems Security Professional (CISSP^®), 76
CFCE certification. See Certified Forensic Computer Examiner certification
chain of custody, 11, 15, 66, 85, 87, 89f
changes in law, 292
channel, steganography, 109
checksum, 71
Cheetah. See Mac OS X
CHFI certification. See EC Council Computer Hacking Forensic Investigator certification
chi-square method, 111
child pornography, 30, 31
Child Protection and Sexual Predator Punishment Act of 1998, 28
Children’s Online Privacy Protection Act (COPPA) of 1988, 28
chkdsk utility, 151
chosen plaintext attack, 131
Christmas tree scan, 255
CimTrak tool, 184
CIO, 38–39
ciphertext, 117, 123, 130, 131
Cisco routers, 269
CISSP^®. See Certified Information Systems Security Professional
clean room, 149
close-color pairs, 110
cloud, 288–292, 290f
cloud computing, 290
cluster, 18, 136
cluster bitmap file, 137
cluster usage, 138, 139f
cmp command, 202t
Cocoa Touch layer, 240
COFF. See Common Object File Format
“cold” site, 289
Common Desktop Environment (CDE) for UNIX systems, 204, 227
Common Object File Format (COFF), 20
Communication Assistance to Law Enforcement Act (CALEA) of 1994, 28, 171, 306
Communications Decency Act of 1996, 29
CommView, 260
compact discs (CDs) structure, 66
computer attacks, 37
computer crimes, 10, 13, 30, 35–57
Computer Emergency Response Team (CERT), 4
computer forensics, 4–5, 16–26
Computer Forensics Tool Testing (CFTT) Project, 247
Computer Fraud and Abuse Act, 305
Computer Security Act of 1987, 28
ComputerCOP, 296–297
conferences, 305
consent exception, 306
consistency checking, 151–152
containment, 280
content information, 169
contiguous blocks, 145
ControlSet, 190
cookies, 39
Coordinated Universal Time (UTC), 234
COPPA. See Children’s Online Privacy Protection Act of 1998
CopyQM Plus disk duplication software, 75
Core OS layer, 240
Core Services layer, 240
corporations, 10
cp command, 202t
CPU. See central processing unit
cracking modern cryptographic methods, 131
cracking passwords tools, 132–133
CRC. See cyclic redundancy check
crime, computer, 10, 13, 30, 35–57
crime, effect on forensics, 41, 43, 45, 46, 48–49, 50, 52–53, 54, 55, 56
crime scenes, digital, 13
criminal prosecutors, 10
cross-site scripting, 43
Crss.exe, 177
cryptanalysis, 115, 121, 130, 131
cryptographic hashes, 128–129
cryptography, 107, 115
csh. See C shell
curriculum vitae (CV), 6
cyberattacks, 55, 56, 64
cyberbullying, 46
cybercrimes, 14, 32, 36
cybercriminals, 26, 36
cyberespionage, 55, 56
cyberstalking, 46–49, 244
cyberterrorism, 55–56
cyclic redundancy check (CRC), 256

D

Darik’s Boot and Nuke (DBAN), 300
DAT. See digital audio tape
data acquisition, 290
data authentication, 90
data collection, 91, 271–272
data consistency, 178
data destruction, 26
data doctor, 247
Data Encryption Standard (DES), 124–127, 128
data hiding, 26
Data Link Layer protocol, 256
data piracy, 50
data recovery, 10, 149–152
data segment, 178
data transformation, 26
data volumes, 12
date command, 234
Daubert challenge, 27
Daubert standard, 26–27, 294
DBAN. See Darik’s Boot and Nuke
DC3. See DoD Cyber Crime Center
DCFLdd, 150
dd command, 98–99, 218, 233
dd utility, 287
DDoS attack. See distributed denial of service attack
DDR SDRAM. See double data rate SDRAM
dead drop, 110
Debian, 207
decompress_kernel() function, 205–206
decoy scans, 271
decryption, 116
deleted files, 249
demonstrative evidence, 11
denial of service (DoS) attacks, 51–53, 254, 255, 258, 281
Department of Defense (DoD), U. S., 64, 94
Department of Justice, U.S., 37, 46
deployment phases, 66
deposition, 8
DES. See Data Encryption Standard
Desktop Manager, 250
/dev directory, 212
Development and Support of Cybersecurity Forensic Capabilities, 293
device seizure, 247
DFRWS. See Digital Forensic Research Workshop
diff command, 202t
differential backup, 279
Diffie-Hellman algorithm, 130
digest, 129
digital audio tape (DAT) drives, 96
digital crime scenes, 13, 65
Digital Detective, 297
Digital Equipment Corporation (DEC), 97
digital evidence, 10–11
Digital Forensic Research Workshop (DFRWS), 64–65
digital forensics, 4, 9–15, 285
Digital Intelligence, Inc., 297
Digital Investigation, 304
digital linear tape (DLT), 97
Digital Millennium Copyright Act (DMCA) of 1998, 29
digital system forensics analysis, 14
digital video disc (DVD), 97
Directory Snoop, 300, 300f
disaster recovery, 276–280
disaster recovery plan (DRP), 276
discarded information, 41
disk controllers, 151
disk forensics, 14
Disk Investigator, 75–76, 298, 299f
Disk Operating System, 174
disk structure, 66
DiskDigger, 139–140, 139–140f, 141f
distributed denial of service (DDoS) attack, 51, 259, 281
DLLs. See dynamic-link libraries
DLT. See Digital linear tape
dmesg command, 210, 213–214, 215f
DNS. See Domain Name System
document trail, 15
documentary evidence, 11
documentation of forensic processing, 66
DoD. See Department of Defense
DoD Cyber Crime Center (DC3), 64
Domain Name Service (DNS), 7, 22, 257
Domain Name System (DNS), 23
domains of IT infrastructure, 5f
domestic terrorism, 171
DOS. See Disk Operating System
DoS attacks. See denial of service attacks
DOS commands, 174
dot (.) entry, 151
dot-dot (..) entry, 151
double data rate (DDR) SDRAM, 16
drive geometry, 18
DRP. See disaster recovery plan
dump, 178
Dump-it tool, 86, 194
duplicate backup site, 289
Duronio, Roger, 54
DVD. See digital video disc
Dynamic Host Configuration Protocol (DHCP), 268
dynamic-link libraries (DLLs), 180, 193
dynamic memory, 178
dynamic ports, 271

E

EC Council Certified Ethical Hacker, 77, 78, 302
EC Council Computer Hacking Forensic Investigator (CHFI) certification, 78, 302
echo method, 110
Economic Crime Institute (ECI), IJDE, 304
ECPA. See Electronic Communications Privacy Act
EDGE. See Enhanced Data Rates for GSM Evolution
EDO DRAM. See extended data out dynamic random access memory
EEPROM. See electronically erasable programmable read-only memory
EFS. See Encrypted File System
EIDE. See enhanced integrated drive electronics
electromagnetic radiation (EMR), 69
electronic backup, 279
Electronic Communications Privacy Act (ECPA) of 1986, 28, 169, 306
Electronic Serial Numbers (ESNs), 239
electronically erasable programmable read-only memory (EEPROM), 17
ELF. See Extensible Linking Format
email, 73, 74, 156–172
email attachment, 40f
email clients, 163–164
email database, 167, 167f
email examiner, 165, 166–167, 166–167f
email files, 164–165, 165f
email forensics, 14
email headers, 159–167
email logs, 168
email protocols, 157–159
email server forensics, 168
email spoofing, 158
email tracing, 167–168
EnCase, 70–71, 72, 77, 98, 111, 139, 165, 168, 185, 215, 219, 246, 298–299
EnCase Add Device window, 100f
EnCase After Acquisition dialog box, 101f
EnCase boot disk, 71
EnCase Case Options dialog box, 100f
EnCase Certified Examiner (EnCE) certification, 77, 302
EnCase imaging, 99–101
EnCase network boot disk, 71
EnCase Tree pane, 71
EnCE certification. See EnCase Certified Examiner certification
Encrypted File System (EFS), 175
encrypted files, 91
encryption, 115–133
end-to-end Internet communication, 23
Enhanced Data Rates for GSM Evolution (EDGE), 239
Enhanced Integrated Drive Electronics (EIDE), 17
Enigma machine, 121
enlightenment, 204
EPROM. See erasable programmable read-only memory
equipment, 68
eradication, 280
erasable programmable read-only memory (EPROM), 17
ESNs. See Electronic Serial Numbers
/etc folder, 211
/etc/inittab, 211
Ethernet, 23, 255–256
Ethernet header, 254
ETSI. See European Telecommunications Standards Institute
Euler’s Totient, 129
European Telecommunications Standards Institute (ETSI), 239
event-based digital forensics investigation framework, 65–66
evidence, 4–5
evidence collection, 63
evidence finding, 66
evidence form, 88f
evidence from router, 269–270
evidence gather, 67
evidence-gathering measures, 92–95
evidence-handling tasks, 66–68, 90–95
evidence, log files as, 265–266
evidence preparation, 67
evidence preservation, 67, 281–282
evidence, securing, 15
Evidor, 299
Executable and Linkable Format (ELF), 19
expert reports, 6–8, 67–68
expert testimony, 8–9
Explorer.exe, 177
extended data out dynamic random access memory (EDO DRAM), 16
Extended File System (ext), 20, 145, 207–208
Extensible Linking Format (ELF), 19
extundelete utility, 147

F

FakeAV.86, 53
faking email messages, 158–159
FastBlock device, 99
FAT. See file allocation table
FBI. See Federal Bureau of Investigation
FCC. See Federal Communications Commission
fdisk command, 202t
Federal Bureau of Investigation (FBI), 31–32, 38, 50
Federal Communications Commission (FCC), 306
federal guidelines, 31–33
Federal Privacy Act of 1974, 27
Federal Rules of Evidence (FRE), 61
Federal Rules, U.S., 9
Feistel function, 123–124, 125f
file allocation table (FAT), 20, 137, 235
file carving, 152–153
file command, 217, 217f
file formats, 98
file permissions (Windows), 188–189
file slack, 66, 96
file system, 19–21, 151
file system alteration, 26
File Transfer Protocol (FTP), 22, 256
filenames/dates/times documentation, 91
FILETIME structure, 190
Filter pane tool, 71
FIN bit, 254
FIN scan, 255
financial crimes, 157
finger command, 218
fire-resistant safe, 69
firewall forensics, 271–272
FISA. See Foreign Intelligence Surveillance Act
Flame, 53
Flash tutorial, 263
follow-up phase, 280
foreign intelligence information, 171
Foreign Intelligence Surveillance Act (FISA) of 1978, 28, 171
forensic certifications, 76–78
forensic computer science, 5
forensic imaging, 98–104
forensic investigations, 6, 60
forensic resources, 282–283
forensic SIM cloner, 247
forensic software programs, 70–76
forensic specialists. See system forensics specialists
Forensic Toolkit (FTK), 71, 73, 101–102, 101–102f, 111, 139, 165, 168, 185, 215, 219, 246, 296
forensic tools, 15
forensically scrubbing file/folder, 140, 141–142t
forensics, 4, 41, 43, 45, 46, 48–49, 50, 52–56, 283
forensics lab, 59–80
forensics tools for Linux, 223
ForwardedEvents log, 183
Fourth Amendment to the U.S. Constitution, 169
Fowler-Nordheim tunneling, 97
FPort, 182
fragile attack, 260
fraud, 49–50
Fraud and Related Activity in Connection with Access Devices, § 1020, 29
Fraud and Related Activity in Connection with Computers, § 1030, 29
FRE. See Federal Rules of Evidence
FreeBSD, 148, 234
FreeUndelete, 143, 144f
frequency analysis, 131
fsck command, 202t, 214
FTK. See Forensic Toolkit
full backup, 279

G

Gameover ZeuS, 53
GB. See gigabyte
Generic Forensic Zip (Gfzip), 98
GET command, 263
Gfzip. See Generic Forensic Zip
GIAC. See Global Information Assurance Certification
gigabyte, 175
GIMP. See GNU Image Manipulation Program
Global Information Assurance Certification (GIAC), 78
global positioning system (GPS) information, 245, 291–292
Global System for Mobile (GSM) communications networks, 238, 239
Gmail headers, 163, 163f, 164f
GNOME. See GNU Network Object Model Environment
GNU Image Manipulation Program (GIMP), 109
GNU Network Object Model Environment (GNOME), 203, 203f
GNU operating system, 201
good blocks marked as bad, 96
Google Glass, 291
government agencies, 10
GPS information. See global positioning system information
Grand Unified Bootloader (GRUB), 205
graphical user interface (GUI), 174, 201, 203
grep command, 146–147, 214
Grok-NTFS, 296, 297f
GRUB. See Grand Unified Bootloader
GSM communications networks. See Global System for Mobile communications networks
GUI. See graphical user interface
GUID (globally unique identifier) Partition Table, 230

H

hacking, 41–46, 77
Hal.dll, 177
harassment/cyberstalking, 46–49
hard disk drives (HDDs), 18
hard disks structure, 66
hard drives, 17–18, 136
hard link, 146, 229
hardware, 16–18
hardware configuration, 89, 189
hash, 90, 129
HCU. See HKEY_CURENT_CONFIG
/hdiutil partition/dev/disk0 command, 234
Health Insurance Portability and Accountability Act (HIPAA) of 1996, 307
heap (H) segment, 178
Helix, 74
HFS. See Hierarchical File System
HFS Extended, 229
HFS Standard, 229
HFS+. See Hierarchical File System Plus
Hierarchical File System (HFS), 228–229
Hierarchical File System Plus (HFS+), 148, 229–230
hierarchical storage management (HSM), 279
high-level format, 18
high-risk investigations, 69
High Tech Crime Network (HTCN) certifications, 78
HIPAA of 1996. See Health Insurance Portability and Accountability Act of 1996
history command, 215
hives, 189
HKCR. See HKEY_CLASSES_ROOT
HKCU. See HKEY_CURRENT_USER
HKEY. See HKEY_USERS
HKEY_CLASSES_ROOT (HKCR), 189
HKEY_CURENT_CONFIG (HCU), 189
HKEY_CURRENT_USER (HKCU), 189
HKEY_LOCAL_MACHINE (HKLM), 189
HKEY_USERS (HKU), 189
HKLM. See HKEY_LOCAL_MACHINE
home location register (HLR), 238
hops, 156
host protected area (HPA), 96
“hot” site, 289
Hotmail, 164
HPA. See host protected area
HSM. See hierarchical storage management
HstEx version 4, 297, 298f
HTCN certifications. See High Tech Crime Network certifications
HTTP commands, 263t
HTTP response message, 264t
HTTP Sniffer, 260, 261–263, 262f
hub, 268
HyperTerminal, 269, 269f
Hypertext Transfer Protocol (HTTP), 22, 257
Hypertext Transfer Protocol, Secure (HTTPS), 22, 257

I

IACIS. See International Association of Computer Investigative Specialists
IBM, 124
IBM AIX system, 227
ICCID. See integrated circuit card identifier
IceCat, 220
IceWeasel, 220
ICMP packet. See Internet Control Message Protocol packet
ICU, 40
IDE. See integrated drive electronics
identity theft, 37–41
Identity Theft and Aggravated Identity Theft, § 1028A, 30
IDSs. See intrusion detection systems
IEEE 802.11ac, 266
IEEE 802.11ad Wireless Gigabyte Alliance, 266
IEEE 802.11n-2009 standard, 266
IIN. See Issuer Identification Number
IJDCF. See International Journal of Digital Crime and Forensics
IJDE. See International Journal of Digital Evidence
IMAP. See Internet Message Access Protocol
IMEI number. See International Mobile Equipment Identity number
IMSI. See International Mobile Subscriber Identity
inappropriate usage, 281
incident response, 279–280, 282–283
incident response plan, 276–279
incremental backup, 279
incriminating evidence, 93
index.dat, 187–188
INFO2 file, 138
init command, 146
init(), 206
initdefault, inittab, 212
inittab, 211–212
inode, 146
insurance companies, 10
integrated circuit card identifier (ICCID), 239
integrated drive electronics (IDE), 17
Intel-based Macintosh machines, 230
intellectual property theft, 10, 50
Intelligence Community Worldwide Threat Assessment, 55
interfaces key, 191
Internal Revenue Service (IRS), 98
International Association of Computer Investigative Specialists (IACIS), 302
International Information Systems Security Certification Consortium (ISC)²^®, 76
International Journal of Digital Crime and Forensics (IJDCF), 304
International Journal of Digital Evidence (IJDE), 304
International Mobile Equipment Identity (IMEI) number, 239
International Mobile Subscriber Identity (IMSI), 238
Internet-based fraud, 49
Internet Control Message Protocol (ICMP) packet, 255, 258, 281
Internet forensics, 14
Internet harassment, 46–49
Internet Message Access Protocol (IMAP), 22, 157, 257
Internet Protocol (IP) addresses, 23, 156, 159, 271
Internet Relay Chat (IRC), 22, 257
Internet service providers (ISPs), 169, 265–266, 305
intrusion detection systems (IDSs), 36, 209, 210, 265
intrusion prevention systems (IPSs), 209
investigations, 6, 9, 12, 26, 32–33
investigations, types of, 245
investment offers, 49–50
Invisible Secrets, 109, 111–114, 112–114f
iOS, 240
IP addresses. See Internet Protocol addresses
IP header, 254
IP packet, 23
ipconfig, 23, 24f
iPhone, 248–249
IPSs. See intrusion prevention systems
ISC²^®. See International Information Systems Security Certification Consortium
ISO 27001, 277
ISO 27035, 277
ISO9660, 230
ISPs. See Internet service providers
Issuer Identification Number (IIN), 239
IT infrastructure domains, 5f
IXimager, 98

J

Jaguar. See Mac OS X
JDFSL. See Journal of Digital Forensics, Security and Law
Jobs, Steve, 226
John the Ripper, 133
Joint Test Action Group (JTAG), 250–251
Journal of Digital Forensic Practice, 304
Journal of Digital Forensics, Security and Law (JDFSL), 304
Journal of Forensic Sciences, 304
journaling, 20, 95, 151, 208
journaling file systems, 229
journals, 208, 304–305
JTAG, 250–251

K

K Desktop Environment (KDE), 204, 204f
Kali Linux, 19, 74, 99, 200, 219–222
Kasiski examination, 131
KDE. See K Desktop Environment
Kerberos, 22, 257
Kerkhoff’s principle, 122
kernel stage of boot process, 205
kernel_thread() function, 206
key bundle, 126
keyspace, 126
kill command, 217
Known File Filter (KFF), 31
known plaintext attack, 131
Kodiak, 227
Korn shell (ksh), 201

L

L0phtCrack, 300
lab manager, 69
label, inittab, 211
land attack, 259
LastWriteTime, 190
Lauffenburger, Michael, 54
law enforcement criteria, 47
law firms, 10
laws, 305–307
layer 1 frames, 21
least significant bit (LSB) method, 108
legal and procedural trends, digital forensics, 292–294
legal process in cloud computing, 290
Leopard. See Mac OS X
libPST package, 165, 167
Library_CallHistory_call_history.db, 249
Library_Cookies_Cookies.plist, 249
life span, 62–63
Lighttpd web server, 210
Lightweight Directory Access Protocol (LDAP), 22, 257
Lightweight Directory Access Protocol, Secure (LDAPS), 257
LILO. See Linux Loader
LinEn boot disk, 71
Linux, 19, 145–148, 226
Linux-based Android, 291
Linux basics, 200–207
Linux boot process, 204–206
Linux commands, 90, 98–99
Linux directories, 210–213
Linux distributions, 207
Linux file systems, 207–208, 218–219
Linux history, 200–201
Linux Loader (LILO), 205
Linux logs, 208–210
Linux shells, 201–203, 202t
Lion. See Mac OS X
Lisa OS, 226
ListDLLs, 180, 180f
live response technique, 177
live system forensics, 14, 178
load phase, 176
Locard, Edmond, 60
Locky virus, 53
log file, 208
log files as evidence, 265–266
log records, 209, 210
logic bombs, 54–55
logical analysis, 93, 94
logical damage, 150–152
logical port numbers, 22
Logical Volume Manager (LVM), 206–207
logon screen, 41
lone wolves, 172
Long Term Evolution (LTE), 239
loopholes, 169
Lotus Notes, 168
low-level format, 18
Low Orbit Ion Cannon, 51, 52f
ls command, 202t, 218, 233
Lsass.exe, 177
LSB. See least significant bit
ls/dev/disk? command, 234
LTE. See Long Term Evolution
Lucifer cipher, 124

M

MAC, 188–189
MAC address, 21, 254
Mac examination, 235
Mac File Systems, 228–230
Mac operating system, 226–231
Mac OS for PowerPC, 227
Mac OS X, 227–228, 228f
Macintosh, 19, 148, 227
Macintosh directories, 232–233
Macintosh File System (MFS), 228
Macintosh forensic techniques, 233–234
Macintosh Hierarchical File System (HFS), 186
Macintosh logs, 231–232
MacKeeper, 148, 149f
macro viruses, 53
Magnet Ram Capture tool, 86
magnetic media, 95
mail server log, 209
mail servers, 156, 159
malicious code, 281
malware, 37, 40, 257
malware forensics. See software forensics
malware in Registry, 191–192
manual method, Linux, 219
manual recovery, 146–147
master boot record (MBR), 96, 175, 205, 231
master file table (MFT), 137, 235
mathematical authentication, 90
maximum tolerable downtime (MTD), 278
MBR. See master boot record
mean time before failure (MTBF), 278
mean time to repair (MTTR), 278
media layer, 240
medical devices, 292
memory, 17
memory dumping, 178
memory forensics, 194–197
memory-resident virus, 54
memory segments, 178
Meta File Table, 137
metadata, 12, 94
MFS. See Macintosh File System
MFT. See master file table
Microsoft Disk Operating System (MS-DOS), 230
Microsoft Exchange, 168
military, 10
MIME. See Multipurpose Internet Mail Extensions
MIMO. See multiple-input multiple-output
Minix, 201
mirror server, 289
MixColumns, AES, 128
mkdir command, 202t
/mnt directory, 212
mobile device, seizing evidence from, 246–250
mobile switching center (MSC), 238
MobileEdit, 247
mobileemail.plist, 249
modern cryptography, 122–130
monoalphabet substitution method, 117
Moore, Gordon E., 286
Moore’s law, 286
Moore’s observation. See Moore’s law
most recently used (MRU), 190
motives, 55
mount command, 202t, 215
Mountain Lion. See Mac OS X
MP3Stego, 109, 114
MRU. See most recently used
MS-DOS. See Microsoft Disk Operating System
MSC. See mobile switching center
MTBF. See mean time before failure
MTD. See maximum tolerable downtime
MTTR. See mean time to repair
multialphabet substitution, 120
Multics. See Multiplexed Information and Computing Service
multipartite viruses, 54
multiple-input multiple-output (MIMO), 266
Multiplexed Information and Computing Service (Multics), 200
Multipurpose Internet Mail Extensions (MIME), 160
mv command, 202t
MySQL database server, 209

N

nascent state, 246
National Institute of Standards and Technology (NIST) guidelines, 245–246, 247
National Security Agency (NSA), 124
Negated AND (NAND) gate-based flash memory, 95
net sessions command, 85, 86f
Netanalysis, 297
NetBIOS, 257
netcat command, 99
netcat utility, 233, 287
NetResident, 260
netstat command, 85, 85f
netstat utility, 181, 182f
NetWitness, 260, 265
network attacks, 258–260
network forensics, 14
network interface card (NIC), 267–268
network packet analysis, 254–265
network packets, 254–258
network security devices, 265
network traffic analysis, 265–267
network traffic analysis tools, 260–265
networking, basic, 77
networks, 21, 239
New Technology File System (NTFS), 20, 136, 137–138, 151, 230
NFPA 1600, 277
ngrep, 260
NIC. See network interface card
NIST 800–34, 277
NIST 800–61, 277
NIST guidelines. See National Institute of Standards and Technology guidelines
Nmap, 260, 263, 264f
non-access computer crimes, 50–55
Novell GroupWise, 168
Ntbootdd.sys, 177
Ntdetect.com, 177
NTFS file system, 186
NTLDR, 176
Ntoskrnl.exe, 177
null scan, 255

O

obscured information, 25–26
Obstruct Terrorism Act of 2001, 171
OmniPeek, 260
online Flash tutorial, 263
open source tools, 150
Open Systems Interconnection (OSI) model, 254
openfiles command, 85, 86f
OpenSuse, 207
operating systems, 75, 240–243
Operating Systems: Design and Implementation (book), 201
Ophcrack, 43–45, 44f, 132, 132f
Ophcrack compact disc (CD), 44
opt-out lists, 170
optical media, 97
ordered (ext4), 208
OSForensics, 73, 77, 86, 102–103, 139, 144, 145f, 165, 185, 194, 195f, 219, 235, 296
Outlook 2010 headers, 160–162, 161f, 162f
oxygen forensics, 246

P

P2P file-sharing services. See peer-to-peer file-sharing services
packet filter, 271
packet header, 254–255
packet mistreating attack, 260
packets, 254
Panther. See Mac OS X
Paraben Software, 247
Paraben’s email examiner, 165, 166–167, 166–167f
parallel advanced technology attachment (PATA), 17
partition types, 230–231
passwords, 39, 41, 192
PATA. See parallel advanced technology attachment
Patriot Sunsets Extension Act of 2011, 172
payload, 109, 110, 111, 255
PC-based Linux system, 206
PC hardware, 16, 77
peer-to-peer (P2P) file-sharing services, 281
personal identification number (PIN), 238
personal unlocking code (PUK), 239
pgrep command, 217
phishing, 38–39
phone forensics, 14
Photoshop tool, 109
physical analysis, 93–94
physical crime scene investigation phases, 65
physical damage, 149–150
physical ports, 21
PID. See process ID
PIN. See personal identification number
ping command, 24–25, 24f
ping flood, 259
ping of death attack, 258
plaintext, 117
Playfair cipher, 118–120
plug-in, 195
Pocket PC 2000, 243
Pokémon, 292
polymorphic virus, 54
POP3. See Post Office Protocol version 3
port numbers, 22
Portable Executable (PE), 20
ports, 256–258
POST command, 263
Post Office Protocol version 2 (POP 2), 22
Post Office Protocol version 3 (POP3), 22, 157, 257
postrecovery follow-up, 279
power-on self test (POST), 175, 205
PowerPC-based Macs, 231
PPA. See Privacy Protection Act of 1980
Prefetch technique, 193
presentation phase, 65
preserving evidence, 281–282
printer log, 209
Privacy Act of 1974, 27
Privacy Protection Act (PPA) of 1980, 28
private forensic labs, 293
/proc directory, 213, 213f
process ID (PID), 217
process, inittab, 211
Process Monitor, 300–301, 301f
ProDOS, 226
ProDOS 16, 226
program files (x86), 175
programmable read-only memory (PROM), 17
protected computer, 306
ps command, 202t, 216
PsInfo tool, 179, 180f
pslist, 195, 196f
PsList tool, 179, 179f
PsLoggedOn tool, 181, 181f
psscan, 196, 197f
PSTN. See Public Switched Telephone Network
PsTools suite, 179
pstree, 195, 196f
pstree command, 216, 216f
PTFinder, 182
public switched telephone network (PSTN), 238
PUK. See personal unlocking code
Puma. See Mac OS X
pump and dump, 49
Pwnage, 249

Q

QRNX operating system, 243
QuickStego, 109
quiescent state, 246

R

RAID acquisitions. See redundant array of independent disks acquisitions
rainbow tables, 45, 132–133
RAM Capturer, 194, 194f
random access memory (RAM), 16–17, 174, 183, 267
raw quick pair method, 111
RCFL program. See Regional Computer Forensics Laboratory program
read-only memory (ROM), 17
read-only virtual machines, 235
readiness phase, 65
ReadPST, 167
real evidence, 11
real-time access, 169
Recover My iPod, 249
recovery, 280
recovery plan, 278–279
Recycle Bin in Windows, 91–92, 137, 235
RECYCLER, 137–138
Red Hat Enterprise Linux (RHEL), 207
redundant array of independent disks (RAID) acquisitions, 104–105
redundant array of inexpensive disks (RAID) controllers, 150
Regional Computer Forensics Laboratory (RCFL) program, 33
registered ports, 271
Registry, 176, 189–193
Registry key, 190
Reiser File System, 20, 208
related-key attack, 131
remote desktop, 257
repeatability, 182
resources, 301–305
restoring backups, 280
RFC 2822, 159, 160
RFC 3864, 160
RHEL. See Red Hat Enterprise Linux
Rijndael block cipher. See Advanced Encryption Standard
rm command, 202t
rmdir command, 202t
ROM. See read-only memory
Rombertik virus, 53
/root directory, 210
ROT13 cipher, 118
round function, 124
router, 268
router attacks types, 269
router basics, 267–269
router, evidence from, 269–270
router forensics, 267–270
router table poisoning, 269
routing table, 268
RSA algorithm, 129–130
RSA NetWitness, 260, 265
RST bit, 254
rules of evidence, 61
run_level, inittab, 211

S

S-boxes. See substitution boxes
SaaS. See software as a service
SAN. See storage area network
SANS institute, 303
Sarbanes-Oxley Act of 2002, 29
SATA. See Serial Advanced Technology Attachment
/sbin directory, 211
Scalpel, 148
Scalpel file carving tool, 152
Scientific Working Group on Digital Evidence (SWGDE), 65, 206–207
scope of system forensics, 11–14
screened firewall, 271
scrubbers, 94
SCSI. See small computer system interface
scytale cipher, 118
SDRAM. See synchronous dynamic random access memory
searching virtual memory, 233
Secret Service, U.S., 32–33
sector, 18
sectors, clusters and, 136
Secure Shell (SSH), 22, 256
security, 68–69, 77
Security Accounts Manager (SAM) file, 129
security by obscurity, 122
security log, 183
seized computers, 87
semi-active state, 246
Senate Select Committee on Intelligence, 55
September 11 (2001), terrorist attacks, 55
Serial Advanced Technology Attachment (SATA), 17, 234
serial SCSI, 17
Server Message Block (SMB) protocol, 257
service set identifier (SSID), 191
Sexual Exploitation of Children, § 2251, 30
shell commands (forensics), 213–219, 234
ShellBag, 192
ShiftRows, AES, 128
show ip route command, 270
show running-config command, 270
show startup-config command, 270
show tech-support command, 270
show version command, 269
shutting down the computer, 84–85
SID (Security Identifier), 138
SIM. See subscriber identity module
SIM card data retrieval utility, 247
Simple Mail Transfer Protocol (SMTP), 22, 157, 256
Simple Network Management Protocol (SNMP), 22, 257
simple substitution ciphers, 123
single-alphabet substitution method, 117
slack space, 18, 66, 138, 186
Slackware, 207
Sleuth Kit, 75, 98, 219, 299
slurred image, 181
small computer system interface (SCSI), 17
Small Scale Digital Device Forensics Journal (SSDDFJ), 305
Smss.exe, 177
SMTP. See Simple Mail Transfer Protocol
Smurf attack, 259
sniffer, 260
Snort, 260, 263, 265
Snow, 109
Snow Leopard. See Mac OS X
social engineering, 132
Social Security numbers, 37
socket numbers, 271
soft link, 146, 229
Softperfect Network Protocol Analyzer, 260
software, 18–21
software as a service (SaaS), 287–288
software forensics, 14
software programs for a lab, 70–76
solid-state drives (SSDs), 17–18, 95–96
Sophisticated Operating System (SOS), 226
spam, 38, 170
sparse infector virus, 54
spear phishing, 38
SPHardwareDataType, 234
SPI firewall. See Stateful Packet Inspection firewall
spinning, 150
spoofing, email, 158
spyware, 39–40
SQL injection. See Structured Query Language injection
SSDDFJ. See Small Scale Digital Device Forensics Journal
SSDs. See solid-state drives
SSID. See service set identifier
stack (S) segment, 178
stack memory, 178
start_kernel() function, 206
state of network connections, 91
state of running processes, 91
stateful packet inspection (SPI) firewall, 271
Stealth Files 4, 109
steganalysis, 110–111
steganography, 107–115
steganophony, 110
StegVideo, 109
storage area network (SAN), 289
storage as a service, 289
storage formats, 95–98
stream ciphers, 123
Structured Query Language (SQL) injection, 41–43
su command, 217
SubBytes, AES, 127, 128
subscriber identity module (SIM), 238
subscriber information, basic, 169
substitution boxes (S-boxes), 126
substitution cipher, 116, 117, 123
Super Digital Linear Tape (DLT), 97
suppression lists. See opt-out lists
svcscan, 196, 197f
swap file, 91, 93–94, 183
sweepers, 94
SWGDE. See Scientific Working Group on Digital Evidence
swipe-card access, 68
switch, 268
symbolic link, 146
symmetric cryptography, 123–128
SYN bit, 254
SYN flood attack, 51, 259
synchronize (SYN) flag, 51
synchronous dynamic random access memory (SDRAM), 16
sysinit, 212
System 7, 227
system complexity, 12–13
system crashes, 151
system forensics, 11–14
system forensics specialists, 11–14, 62, 66
System log, 183
system_profiler SPHardwareDataType command, 234
system_profiler SPSerialATADataType command, 234
system_profiler SPSoftwareDataType command, 234

T

Table pane tool, 71
tableau device, 99
Target Disk Mode, 233, 234f
TCP. See Transmission Control Protocol
TCP packet. See Transmission Control Protocol packet
Tcpdump, 260
TDoS attack. See telephony denial of service attack
teardrop attack, 259
Teen Safe, 40
Telecommunications Act of 1996, 29
telephony denial of service (TDoS) attack, 52
Telnet, 22, 256, 257
TEMPEST program, 69
temporary data, 91
Test access points (TAPs), 250
test system, 150
testimonial evidence, 11
TFN. See Tribal Flood Network
TFN2K, 51
threats, 46–47
three-way handshake, 51
thumb drives. See universal serial bus drives
Tiger. See Mac OS X
Timbuktu, 257
Time to Live (TTL) fields, 272
timeline creation, 95
tools (Windows), 179–182
tools (iOS), 249
tools, for cracking password, 132–133
top command, 202t, 217
tracert command, 25, 25f, 167
tracking Word documents in Registry, 191
trade secrets, 10
trailer, 255–256
transactional information, 169
Transmission Control Protocol (TCP) packet, 23, 51, 254
Transport Layer Security (TLS) Protocol, 157
transposition cipher, 123
trash directory, 235
Tree pane tool, 71
Tribal Flood Network (TFN), 51–52
tricking tech support, 45–46
Trin00 tool, 52
Triple DES (3DES), 126–127
Tripwire, 184
Trivial File Transfer Protocol (TFTP), 22, 257
Trojan horse, 40, 53, 54, 73, 180
TShark, 260
TTL fields. See Time to Live fields
typical default active services, 206t

U

Ubuntu Linux, 148, 207
UDF. See Universal Disk Format
UDP header. See User Datagram Protocol header
UFS. See UNIX File System
UMTS. See Universal Mobile Telecommunications System
unallocated space, 94, 96, 186
unauthorized access, 281
undeleting data, 135–149
Unicode, 229
Unified Extensible Firmware Interface (UEFI), 89
uniform resource locators (URLs), 23, 159
uninstalled software, 192
United States Secret Service, 32–33
United States v. David, 31
United States v. Jacobsen, 30
United States v. Schlingloff, 31
Universal Disk Format (UDF), 230
Universal Mobile Telecommunications System (UMTS), 239
universal serial bus (USB) drives, 97, 233
UNIX File System, 21, 208, 230
UNIX operating system, 200
URG bit, 254
URL. See uniform resource locator
U.S. Department of Defense (DoD), 64, 94
U.S. Department of Justice, 37, 46
U.S. Federal Rules, 9
U.S. Internal Revenue Service (IRS), 98
U.S. laws affecting digital forensics, 27–31
USA Patriot Act, 29, 171–172, 292–293, 305–306
USB. See universal serial bus
USB information, 190–191
USBSTOR, 191
User Datagram Protocol (UDP) header, 254
UserAssist, 185, 186f
Userdump tool, 182
/usr directory, 212
UTC. See Coordinated Universal Time

V

valid emails, 159
/var directory, 212
/var/spool directory, 213
Verizon Terremark Data Breach Investigations Report, 41
victims, 36, 37, 40, 46, 48
video steganography, 110
viewing email headers, in Gmail, 163, 164f
Vigenère cipher, 120–121, 121f
virtual machine (VM), 235, 290
virtual private networks (VPNs), 265
viruses, 53–54
visitor location register (VLR), 238
Visual TimeAnalyzer, 301
Visual User Environment (VUE), 204
VLR. See Visitor Location Register
VMware, 177
Voice over IP (VoIP), 52, 306
volatile data, 91, 177–182
volatile memory, 16, 177
volatility, 17, 63, 194–197
Volume Shadow Copy, 193
volume slack, 96
VPNs. See virtual private networks
VUE. See Visual User Environment

W

wall command, 146
“warm” site, 289
warrants, 30–31
Way Back Machine, 301
Wayne, Ronald, 226
Web Application Firewall (WAF), 271
Web sites, 303–304
Web traffic, 262
Web Watcher, 40
well-known ports, 271
Wheatstone, Charles, 118
who command, 218
WhoIS, 22, 256
whois databases, 168
Wi-Fi, 191, 239
Wi-Fi scanning, 267
Windows, 18–19, 136–140, 174–177, 243
Windows, important files, 177
Windows 8, 162, 175, 189, 243
Windows 10, 175, 189, 243
Windows color palette, 108, 108–109f
Windows details, 174–177
Windows directories, 185–187
Windows files and permissions, 188–189
Windows history, 174–175
Windows logs, 183–185, 184f
Windows NT, 174
Windows passwords, 44
Windows Phone 7, 243
Windows Registry, 18–19, 71, 190f, 192, 246
Windows swap file, 183
Windows Sysinternals Administrator’s Reference, 174
Windows tools, 139–140
Windows Volume Shadow Copy, 193
Window Washer, 187, 187f
WinDump, 260
WinHex, 300
Winlogon.exe, 177
WinUndelete tool, 140, 143f, 144f
WinZapper tool, 184
wireless, 266–267
Wireless Communications and Public Safety Act of 1999, 29
wireless fidelity (Wi-Fi), 191, 239
wireless local area networks (LANs), 266
wireless networks, 191
Wireshark, 260, 261, 261–262f
WorkTime, 40
Wozniak, Steve, 226
writeback, 208

X

X-Ways Forensics, 299
X-Ways Software Technology AG, 299–300

Y

Yahoo! email headers, 162, 163f

Z

zero-knowledge analysis, 151, 152

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Index

Create new playlist

Sign In

Sign Up

Table of Contents for
Index