Note: Page numbers followed by f and t indicate figures and tables, respectively.
academia, 10
academic/knowledge-based attack, 117
academic/knowledge-based code breaking, 130
AccessData’s Forensic Toolkit, 71, 101–102, 101–102f, 111, 139, 165, 168, 185, 215, 219, 246, 296
AccuBurn-R, 300
ACE.
acknowledgment flag (ACK), 51
action:a, 211
active IDSs, 209
active state, 246
actual data loss, 151
ADRAM.
Advanced Forensic Format (AFF), 98
Advanced Format, 136
adverse events, 281
AES.
AFF.
AIX for PowerPC, 227
-al commands, 233
American Academy of Forensic Sciences (AAFS), 303
American Heritage Dictionary, 4
American Society of Crime Laboratory Directors (ASCLD), 69–70
American Standard Code for Information Interchange (ASCII), 229
analysis plan, 62
anonymizer, 158
anti-forensics, 26
anti-malware, 280
Apache web server, 209
Apple, 226
Apple DOS, 226
Apple iPhone iTunes display, 248f
Apple Mail, 164
Apple Network Server, 227
Apple Pascal, 226
Apple SOS, 226
application filter, 271
application log, 183
applications and services logs, 183
armored virus, 54
ARPANET network, 159
ASCII.
ASCLD.
ASR Data Acquisition & Analysis, 296
asynchronous dynamic random access memory (ADRAM), 16
Auditpol.exe, 184
augmented reality, 292
authentication of evidence, 61
Back Orifice, 257
base station controller (BSC), 238
base station system (BSS), 238
base transceiver station (BTS), 238
Bash.
basic networking, 77
Basic Service Set Identifier (BSSID), 245
basic subscriber information, 169
BCP.
BEDO.
Bell Laboratories, 200
Bellaso, Giovan Battista, 120
Berger v. New York, 30
BIA.
binary operations, 125
BIOS.
bit-level information, 64
bit-level tools, 64
bit-plane complexity segmentation steganography (BPCS), 110
block ciphers, 123
Blu-ray discs, 97
boot, 212
boot camp, 76
/boot directory, 212
boot partition, 175
boot phase, 176
boot sector, 205
bootstrap environment, 205
bootwait, 212
Bourne-again shell (Bash), 201
Bourne shell (sh), 201
BSS.
BTS.
burst EDO (BEDO) DRAM, 16
business continuity plan (BCP), 276
business extension exemption, 306
C shell (csh), 201
CALEA.
call history, 244
carver-recovery.exe, 152
cd command, 202t
CD-ROMs, 97
CDE for UNIX systems.
cell-phone forensics, 14
Center for Education and Research in Information Assurance and Security (CERIAS), 65
Central Bureau of Investigation (CBI), 55
central processing unit (CPU), 175
CERT.
Certified Ethical Hacker test, 78
Certified Forensic Computer Examiner (CFCE) certification, 302
Certified Hacking Forensic Investigator, 302
Certified Information Systems Security Professional (CISSP®), 76
CFCE certification.
changes in law, 292
channel, steganography, 109
checksum, 71
Cheetah.
CHFI certification.
chi-square method, 111
Child Protection and Sexual Predator Punishment Act of 1998, 28
Children’s Online Privacy Protection Act (COPPA) of 1988, 28
chkdsk utility, 151
chosen plaintext attack, 131
Christmas tree scan, 255
CimTrak tool, 184
Cisco routers, 269
CISSP®.
clean room, 149
close-color pairs, 110
cloud computing, 290
cluster bitmap file, 137
cmp command, 202t
Cocoa Touch layer, 240
COFF.
“cold” site, 289
Common Object File Format (COFF), 20
Communication Assistance to Law Enforcement Act (CALEA) of 1994, 28, 171, 306
Communications Decency Act of 1996, 29
CommView, 260
compact discs (CDs) structure, 66
computer attacks, 37
Computer Emergency Response Team (CERT), 4
Computer Forensics Tool Testing (CFTT) Project, 247
Computer Fraud and Abuse Act, 305
Computer Security Act of 1987, 28
conferences, 305
consent exception, 306
containment, 280
content information, 169
contiguous blocks, 145
ControlSet, 190
cookies, 39
Coordinated Universal Time (UTC), 234
COPPA.
CopyQM Plus disk duplication software, 75
Core OS layer, 240
Core Services layer, 240
corporations, 10
cp command, 202t
CPU.
cracking modern cryptographic methods, 131
CRC.
crime, effect on forensics, 41, 43, 45, 46, 48–49, 50, 52–53, 54, 55, 56
crime scenes, digital, 13
criminal prosecutors, 10
cross-site scripting, 43
Csrss.exe, 177
csh.
curriculum vitae (CV), 6
cyberbullying, 46
cyclic redundancy check (CRC), 256
Darik’s Boot and Nuke (DBAN), 300
DAT.
data acquisition, 290
data authentication, 90
data consistency, 178
data destruction, 26
data doctor, 247
data hiding, 26
Data Link Layer protocol, 256
data piracy, 50
data segment, 178
data transformation, 26
data volumes, 12
date command, 234
Daubert challenge, 27
DBAN.
DC3.
DCFLdd, 150
dd utility, 287
DDoS attack.
DDR SDRAM.
dead drop, 110
Debian, 207
decoy scans, 271
decryption, 116
deleted files, 249
demonstrative evidence, 11
deployment phases, 66
deposition, 8
DES.
Desktop Manager, 250
/dev directory, 212
Development and Support of Cybersecurity Forensic Capabilities, 293
device seizure, 247
DFRWS.
diff command, 202t
differential backup, 279
Diffie-Hellman algorithm, 130
digest, 129
digital audio tape (DAT) drives, 96
Digital Detective, 297
Digital Equipment Corporation (DEC), 97
Digital Intelligence, Inc., 297
Digital Investigation, 304
digital linear tape (DLT), 97
Digital Millennium Copyright Act (DMCA) of 1998, 29
digital system forensics analysis, 14
digital video disc (DVD), 97
disaster recovery plan (DRP), 276
discarded information, 41
disk controllers, 151
disk forensics, 14
Disk Operating System, 174
disk structure, 66
DLLs.
DLT.
DNS.
document trail, 15
documentary evidence, 11
documentation of forensic processing, 66
DoD.
DoD Cyber Crime Center (DC3), 64
Domain Name System (DNS), 23
domains of IT infrastructure, 5f
domestic terrorism, 171
DOS.
DoS attacks.
DOS commands, 174
dot (.) entry, 151
dot-dot (..) entry, 151
double data rate (DDR) SDRAM, 16
drive geometry, 18
DRP.
dump, 178
duplicate backup site, 289
Duronio, Roger, 54
DVD.
Dynamic Host Configuration Protocol (DHCP), 268
dynamic memory, 178
dynamic ports, 271
EC Council Computer Hacking Forensic Investigator (CHFI) certification, 78, 302
echo method, 110
Economic Crime Institute (ECI), IJDE, 304
ECPA.
EDGE.
EDO DRAM.
EEPROM.
EFS.
EIDE.
electromagnetic radiation (EMR), 69
electronic backup, 279
Electronic Communications Privacy Act (ECPA) of 1986, 28, 169, 306
Electronic Serial Numbers (ESNs), 239
electronically erasable programmable read-only memory (EEPROM), 17
ELF.
email attachment, 40f
email forensics, 14
email logs, 168
email server forensics, 168
email spoofing, 158
EnCase, 70–71, 72, 77, 98, 111, 139, 165, 168, 185, 215, 219, 246, 298–299
EnCase Add Device window, 100f
EnCase After Acquisition dialog box, 101f
EnCase boot disk, 71
EnCase Case Options dialog box, 100f
EnCase network boot disk, 71
EnCase Tree pane, 71
EnCE certification.
Encrypted File System (EFS), 175
encrypted files, 91
end-to-end Internet communication, 23
Enhanced Data Rates for GSM Evolution (EDGE), 239
Enhanced Integrated Drive Electronics (EIDE), 17
Enigma machine, 121
enlightenment, 204
EPROM.
equipment, 68
eradication, 280
erasable programmable read-only memory (EPROM), 17
ESNs.
/etc folder, 211
/etc/inittab, 211
Ethernet header, 254
ETSI.
Euler’s Totient, 129
European Telecommunications Standards Institute (ETSI), 239
event-based digital forensics investigation framework, 65–66
evidence collection, 63
evidence finding, 66
evidence form, 88f
evidence gather, 67
evidence preparation, 67
evidence, securing, 15
Evidor, 299
Executable and Linkable Format (ELF), 19
Explorer.exe, 177
extended data out dynamic random access memory (EDO DRAM), 16
Extensible Linking Format (ELF), 19
extundelete utility, 147
FakeAV.86, 53
FastBlock device, 99
FAT.
FBI.
FCC.
fdisk command, 202t
Federal Communications Commission (FCC), 306
Federal Privacy Act of 1974, 27
Federal Rules of Evidence (FRE), 61
Federal Rules, U.S., 9
file formats, 98
file system alteration, 26
filenames/dates/times documentation, 91
FILETIME structure, 190
Filter pane tool, 71
FIN bit, 254
FIN scan, 255
financial crimes, 157
finger command, 218
fire-resistant safe, 69
FISA.
Flame, 53
Flash tutorial, 263
follow-up phase, 280
foreign intelligence information, 171
Foreign Intelligence Surveillance Act (FISA) of 1978, 28, 171
forensic computer science, 5
forensic SIM cloner, 247
forensic specialists.
Forensic Toolkit (FTK), 71, 73, 101–102, 101–102f, 111, 139, 165, 168, 185, 215, 219, 246, 296
forensic tools, 15
forensics tools for Linux, 223
ForwardedEvents log, 183
Fourth Amendment to the U.S. Constitution, 169
Fowler-Nordheim tunneling, 97
FPort, 182
fragile attack, 260
Fraud and Related Activity in Connection with Access Devices, § 1020, 29
Fraud and Related Activity in Connection with Computers, § 1030, 29
FRE.
frequency analysis, 131
FTK.
full backup, 279
Gameover ZeuS, 53
GB.
Generic Forensic Zip (Gfzip), 98
GET command, 263
Gfzip.
GIAC.
gigabyte, 175
GIMP.
Global Information Assurance Certification (GIAC), 78
Global System for Mobile (GSM) communications networks, 238, 239
GNOME.
GNU Image Manipulation Program (GIMP), 109
GNU operating system, 201
good blocks marked as bad, 96
Google Glass, 291
government agencies, 10
GPS information.
Grand Unified Bootloader (GRUB), 205
GRUB.
GSM communications networks.
GUI.
GUID (globally unique identifier) Partition Table, 230
Hal.dll, 177
hard disk drives (HDDs), 18
hard disks structure, 66
HCU.
hdiutil partition /dev/disk0 command, 234
Health Insurance Portability and Accountability Act (HIPAA) of 1996, 307
heap (H) segment, 178
Helix, 74
HFS.
HFS Extended, 229
HFS Standard, 229
HFS+.
hierarchical storage management (HSM), 279
high-level format, 18
high-risk investigations, 69
High Tech Crime Network (HTCN) certifications, 78
HIPAA of 1996.
history command, 215
hives, 189
HKCR.
HKCU.
HKEY.
HKEY_CLASSES_ROOT (HKCR), 189
HKEY_CURRENT_CONFIG (HCU), 189
HKEY_CURRENT_USER (HKCU), 189
HKEY_LOCAL_MACHINE (HKLM), 189
HKEY_USERS (HKU), 189
HKLM.
home location register (HLR), 238
hops, 156
host protected area (HPA), 96
“hot” site, 289
Hotmail, 164
HPA.
HSM.
HTCN certifications.
HTTP commands, 263t
HTTP response message, 264t
hub, 268
IACIS.
IBM, 124
IBM AIX system, 227
ICCID.
IceCat, 220
IceWeasel, 220
ICMP packet.
ICU, 40
IDE.
Identity Theft and Aggravated Identity Theft, § 1028A, 30
IDSs.
IEEE 802.11ac, 266
IEEE 802.11ad Wireless Gigabyte Alliance, 266
IEEE 802.11n-2009 standard, 266
IIN.
IJDCF.
IJDE.
IMAP.
IMEI number.
IMSI.
inappropriate usage, 281
incremental backup, 279
incriminating evidence, 93
INFO2 file, 138
init command, 146
init(), 206
inode, 146
insurance companies, 10
integrated circuit card identifier (ICCID), 239
integrated drive electronics (IDE), 17
Intel-based Macintosh machines, 230
Intelligence Community Worldwide Threat Assessment, 55
interfaces key, 191
Internal Revenue Service (IRS), 98
International Association of Computer Investigative Specialists (IACIS), 302
International Information Systems Security Certification Consortium (ISC)2®, 76
International Journal of Digital Crime and Forensics (IJDCF), 304
International Journal of Digital Evidence (IJDE), 304
International Mobile Equipment Identity (IMEI) number, 239
International Mobile Subscriber Identity (IMSI), 238
Internet-based fraud, 49
Internet Control Message Protocol (ICMP) packet, 255, 258, 281
Internet forensics, 14
intrusion prevention systems (IPSs), 209
investigations, types of, 245
iOS, 240
IP addresses.
IP header, 254
IP packet, 23
IPSs.
ISC2®.
ISO 27001, 277
ISO 27035, 277
ISO9660, 230
ISPs.
Issuer Identification Number (IIN), 239
IT infrastructure domains, 5f
IXimager, 98
L0phtCrack, 300
lab manager, 69
land attack, 259
LastWriteTime, 190
Lauffenburger, Michael, 54
law enforcement criteria, 47
law firms, 10
layer 1 frames, 21
least significant bit (LSB) method, 108
legal process in cloud computing, 290
Leopard.
Library_CallHistory_call_history.db, 249
Library_Cookies_Cookies.plist, 249
Lighttpd web server, 210
Lightweight Directory Access Protocol, Secure (LDAPS), 257
LILO.
LinEn boot disk, 71
Linux-based Android, 291
Linux distributions, 207
Linux Loader (LILO), 205
Lion.
Lisa OS, 226
live response technique, 177
load phase, 176
Locard, Edmond, 60
Locky virus, 53
log file, 208
logical port numbers, 22
logon screen, 41
lone wolves, 172
Long Term Evolution (LTE), 239
loopholes, 169
Lotus Notes, 168
low-level format, 18
Lsass.exe, 177
LSB.
ls /dev/disk? command, 234
LTE.
Lucifer cipher, 124
Mac examination, 235
Mac OS for PowerPC, 227
Macintosh File System (MFS), 228
Macintosh Hierarchical File System (HFS), 186
macro viruses, 53
Magnet Ram Capture tool, 86
magnetic media, 95
mail server log, 209
malicious code, 281
malware forensics.
manual method, Linux, 219
mathematical authentication, 90
maximum tolerable downtime (MTD), 278
MBR.
mean time before failure (MTBF), 278
mean time to repair (MTTR), 278
media layer, 240
medical devices, 292
memory, 17
memory dumping, 178
memory-resident virus, 54
memory segments, 178
Meta File Table, 137
MFS.
MFT.
Microsoft Disk Operating System (MS-DOS), 230
Microsoft Exchange, 168
military, 10
MIME.
MIMO.
Minix, 201
mirror server, 289
MixColumns, AES, 128
mkdir command, 202t
/mnt directory, 212
mobile switching center (MSC), 238
MobileEdit, 247
mobileemail.plist, 249
monoalphabet substitution method, 117
Moore, Gordon E., 286
Moore’s law, 286
Moore’s observation.
most recently used (MRU), 190
motives, 55
Mountain Lion.
MRU.
MS-DOS.
MSC.
MTBF.
MTD.
MTTR.
multialphabet substitution, 120
Multics.
multipartite viruses, 54
multiple-input multiple-output (MIMO), 266
Multiplexed Information and Computing Service (Multics), 200
Multipurpose Internet Mail Extensions (MIME), 160
mv command, 202t
MySQL database server, 209
nascent state, 246
National Institute of Standards and Technology (NIST) guidelines, 245–246, 247
National Security Agency (NSA), 124
Negated AND (NAND) gate-based flash memory, 95
Netanalysis, 297
NetBIOS, 257
netcat command, 99
NetResident, 260
network forensics, 14
network security devices, 265
networking, basic, 77
New Technology File System (NTFS), 20, 136, 137–138, 151, 230
NFPA 1600, 277
ngrep, 260
NIC.
NIST 800–34, 277
NIST 800–61, 277
NIST guidelines.
Novell GroupWise, 168
Ntbootdd.sys, 177
Ntdetect.com, 177
NTFS file system, 186
NTLDR, 176
Ntoskrnl.exe, 177
null scan, 255
Obstruct Terrorism Act of 2001, 171
OmniPeek, 260
online Flash tutorial, 263
open source tools, 150
Open Systems Interconnection (OSI) model, 254
OpenSuse, 207
Operating Systems: Design and Implementation (book), 201
Ophcrack compact disc (CD), 44
opt-out lists, 170
optical media, 97
ordered (ext4), 208
OSForensics, 73, 77, 86, 102–103, 139, 144, 145f, 165, 185, 194, 195f, 219, 235, 296
Oxygen Forensics, 246
P2P file-sharing services.
packet filter, 271
packet mistreating attack, 260
packets, 254
Panther.
Paraben Software, 247
parallel advanced technology attachment (PATA), 17
PATA.
Patriot Sunsets Extension Act of 2011, 172
PC-based Linux system, 206
peer-to-peer (P2P) file-sharing services, 281
personal identification number (PIN), 238
personal unlocking code (PUK), 239
pgrep command, 217
phone forensics, 14
Photoshop tool, 109
physical crime scene investigation phases, 65
physical ports, 21
PID.
PIN.
ping flood, 259
ping of death attack, 258
plaintext, 117
plug-in, 195
Pocket PC 2000, 243
Pokémon, 292
polymorphic virus, 54
POP3.
port numbers, 22
Portable Executable (PE), 20
POST command, 263
Post Office Protocol version 2 (POP 2), 22
postrecovery follow-up, 279
PowerPC-based Macs, 231
PPA.
Prefetch technique, 193
presentation phase, 65
printer log, 209
Privacy Act of 1974, 27
Privacy Protection Act (PPA) of 1980, 28
private forensic labs, 293
process ID (PID), 217
ProDOS, 226
ProDOS 16, 226
program files (x86), 175
programmable read-only memory (PROM), 17
protected computer, 306
PSTN.
PsTools suite, 179
PTFinder, 182
public switched telephone network (PSTN), 238
PUK.
Puma.
pump and dump, 49
Pwnage, 249
RAID acquisitions.
raw quick pair method, 111
RCFL program.
read-only memory (ROM), 17
read-only virtual machines, 235
readiness phase, 65
ReadPST, 167
real evidence, 11
real-time access, 169
Recover My iPod, 249
recovery, 280
Red Hat Enterprise Linux (RHEL), 207
redundant array of independent disks (RAID) acquisitions, 104–105
redundant array of inexpensive disks (RAID) controllers, 150
Regional Computer Forensics Laboratory (RCFL) program, 33
registered ports, 271
Registry key, 190
related-key attack, 131
remote desktop, 257
repeatability, 182
restoring backups, 280
RFC 3864, 160
RHEL.
Rijndael block cipher.
rm command, 202t
rmdir command, 202t
ROM.
Rombertik virus, 53
/root directory, 210
ROT13 cipher, 118
round function, 124
router, 268
router attacks types, 269
router table poisoning, 269
routing table, 268
RST bit, 254
rules of evidence, 61
S-boxes.
SaaS.
SAN.
SANS institute, 303
Sarbanes-Oxley Act of 2002, 29
SATA.
/sbin directory, 211
Scalpel, 148
Scalpel file carving tool, 152
Scientific Working Group on Digital Evidence (SWGDE), 65, 206–207
screened firewall, 271
scrubbers, 94
SCSI.
scytale cipher, 118
SDRAM.
searching virtual memory, 233
sector, 18
sectors, clusters and, 136
Security Accounts Manager (SAM) file, 129
security by obscurity, 122
security log, 183
seized computers, 87
semi-active state, 246
Senate Select Committee on Intelligence, 55
September 11 (2001), terrorist attacks, 55
serial SCSI, 17
Server Message Block (SMB) protocol, 257
service set identifier (SSID), 191
Sexual Exploitation of Children, § 2251, 30
ShellBag, 192
ShiftRows, AES, 128
show ip route command, 270
show running-config command, 270
show startup-config command, 270
show tech-support command, 270
show version command, 269
SID (Security Identifier), 138
SIM.
SIM card data retrieval utility, 247
simple substitution ciphers, 123
single-alphabet substitution method, 117
Slackware, 207
slurred image, 181
small computer system interface (SCSI), 17
Small Scale Digital Device Forensics Journal (SSDDFJ), 305
Smss.exe, 177
SMTP.
Smurf attack, 259
sniffer, 260
Snow, 109
Snow Leopard.
social engineering, 132
Social Security numbers, 37
socket numbers, 271
Softperfect Network Protocol Analyzer, 260
software forensics, 14
Sophisticated Operating System (SOS), 226
sparse infector virus, 54
spear phishing, 38
SPHardwareDataType, 234
SPI firewall.
spinning, 150
spoofing, email, 158
SQL injection.
SSDDFJ.
SSDs.
SSID.
stack (S) segment, 178
stack memory, 178
start_kernel() function, 206
state of network connections, 91
state of running processes, 91
stateful packet inspection (SPI) firewall, 271
Stealth Files 4, 109
steganophony, 110
StegVideo, 109
storage area network (SAN), 289
storage as a service, 289
stream ciphers, 123
su command, 217
subscriber identity module (SIM), 238
subscriber information, basic, 169
substitution boxes (S-boxes), 126
Super Digital Linear Tape (DLT), 97
suppression lists.
sweepers, 94
SWGDE.
swipe-card access, 68
switch, 268
symbolic link, 146
SYN bit, 254
synchronize (SYN) flag, 51
synchronous dynamic random access memory (SDRAM), 16
sysinit, 212
System 7, 227
system crashes, 151
System log, 183
system_profiler SPHardwareDataType command, 234
system_profiler SPSerialATADataType command, 234
system_profiler SPSoftwareDataType command, 234
Table pane tool, 71
tableau device, 99
TCP.
TCP packet.
Tcpdump, 260
TDoS attack.
teardrop attack, 259
Teen Safe, 40
Telecommunications Act of 1996, 29
telephony denial of service (TDoS) attack, 52
TEMPEST program, 69
temporary data, 91
Test access points (TAPs), 250
test system, 150
testimonial evidence, 11
TFN.
TFN2K, 51
three-way handshake, 51
thumb drives.
Tiger.
Timbuktu, 257
Time to Live (TTL) fields, 272
timeline creation, 95
tools (iOS), 249
tracking Word documents in Registry, 191
trade secrets, 10
transactional information, 169
Transport Layer Security (TLS) Protocol, 157
transposition cipher, 123
trash directory, 235
Tree pane tool, 71
Trin00 tool, 52
Tripwire, 184
TShark, 260
TTL fields.
typical default active services, 206t
UDF.
UDP header.
UFS.
UMTS.
unauthorized access, 281
Unicode, 229
Unified Extensible Firmware Interface (UEFI), 89
uninstalled software, 192
United States v. David, 31
United States v. Jacobsen, 30
United States v. Schlingloff, 31
Universal Disk Format (UDF), 230
Universal Mobile Telecommunications System (UMTS), 239
UNIX operating system, 200
URG bit, 254
URL.
U.S. Federal Rules, 9
U.S. Internal Revenue Service (IRS), 98
USB.
USBSTOR, 191
User Datagram Protocol (UDP) header, 254
Userdump tool, 182
/usr directory, 212
UTC.
valid emails, 159
/var directory, 212
/var/spool directory, 213
Verizon Terremark Data Breach Investigations Report, 41
video steganography, 110
virtual private networks (VPNs), 265
visitor location register (VLR), 238
Visual TimeAnalyzer, 301
Visual User Environment (VUE), 204
VLR.
VMware, 177
Volume Shadow Copy, 193
volume slack, 96
VPNs.
VUE.
wall command, 146
“warm” site, 289
Way Back Machine, 301
Wayne, Ronald, 226
Web Application Firewall (WAF), 271
Web traffic, 262
Web Watcher, 40
well-known ports, 271
Wheatstone, Charles, 118
who command, 218
whois databases, 168
Wi-Fi scanning, 267
Windows NT, 174
Windows passwords, 44
Windows Phone 7, 243
Windows swap file, 183
Windows Sysinternals Administrator’s Reference, 174
Windows Volume Shadow Copy, 193
WinDump, 260
WinHex, 300
Winlogon.exe, 177
WinZapper tool, 184
Wireless Communications and Public Safety Act of 1999, 29
wireless local area networks (LANs), 266
wireless networks, 191
WorkTime, 40
Wozniak, Steve, 226
writeback, 208