A Practical Guide to Computer Forensics Investigations

Book Description

All you need to know to succeed in digital forensics: technical and investigative skills, in one book

Complete, practical, and up-to-date

Thoroughly covers digital forensics for Windows, Mac, mobile, hardware, and networks

Addresses online and lab investigations, documentation, admissibility, and more

By Dr. Darren Hayes, founder of Pace University’s Code Detectives forensics lab and one of America’s “Top 10 Computer Forensics Professors”

Perfect for anyone pursuing a digital forensics career or working with examiners

Criminals go where the money is. Today, trillions of dollars of assets are digital, and digital crime is growing fast. In response, demand for digital forensics experts is soaring. To succeed in this exciting field, you need strong technical and investigative skills. In this guide, one of the world’s leading computer forensics experts teaches you all the skills you’ll need.

Writing for students and professionals at all levels, Dr. Darren Hayes presents complete best practices for capturing and analyzing evidence, protecting the chain of custody, documenting investigations, and scrupulously adhering to the law, so your evidence can always be used.

Hayes introduces today’s latest technologies and technical challenges, offering detailed coverage of crucial topics such as mobile forensics, Mac forensics, cyberbullying, and child endangerment.

This guide’s practical activities and case studies give you hands-on mastery of modern digital forensics tools and techniques. Its many realistic examples reflect the author’s extensive and pioneering work as a forensics examiner in both criminal and civil investigations.

  • Understand what computer forensics examiners do, and the types of digital evidence they work with

  • Explore Windows and Mac computers, understand how their features affect evidence gathering, and use free tools to investigate their contents

  • Extract data from diverse storage devices

  • Establish a certified forensics lab and implement good practices for managing and processing evidence

  • Gather data and perform investigations online

  • Capture Internet communications, video, images, and other content

  • Write comprehensive reports that withstand defense objections and enable successful prosecution

  • Follow strict search and surveillance rules to make your evidence admissible

  • Investigate network breaches, including dangerous Advanced Persistent Threats (APTs)

  • Retrieve immense amounts of evidence from smartphones, even without seizing them

  • Successfully investigate financial fraud performed with digital devices

  • Use digital photographic evidence, including metadata and social media images

Table of Contents

    1. About This eBook
    2. Title Page
    3. Copyright Page
    4. Contents at a Glance
    5. Table of Contents
    6. About the Author
    7. About the Technical Reviewer
    8. Dedication
    9. Acknowledgments
    10. We Want to Hear from You!
    11. Reader Services
    12. Introduction
    13. Chapter 1. The Scope of Computer Forensics
      1. Introduction
        1. Popular Myths about Computer Forensics
      2. Types of Computer Forensics Evidence Recovered
        1. Electronic Mail (Email)
        2. Images
        3. Video
        4. Websites Visited and Internet Searches
        5. Cellphone Forensics
      3. What Skills Must a Computer Forensics Investigator Possess?
        1. Computer Science Knowledge
        2. Legal Expertise
        3. Communication Skills
        4. Linguistic Abilities
        5. Continuous Learning
        6. An Appreciation for Confidentiality
      4. The Importance of Computer Forensics
        1. Job Opportunities
      5. A History of Computer Forensics
        1. 1980s: The Advent of the Personal Computer
        2. 1990s: The Impact of the Internet
      6. Training and Education
        1. Law Enforcement Training
      7. Summary
        1. Key Terms
      8. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
    14. Chapter 2. Windows Operating and File Systems
      1. Introduction
      2. Physical and Logical Storage
        1. File Storage
      3. File Conversion and Numbering Formats
        1. Conversion of Binary to Decimal
        2. Hexadecimal Numbering
        3. Conversion of Hexadecimal to Decimal
        4. Conversion of Hexadecimal to ASCII (American Standard Code for Information Interchange)
        5. Unicode
      4. Operating Systems
        1. The Boot Process
        2. Windows File Systems
      5. Windows Registry
        1. Registry Data Types
        2. FTK Registry Viewer
      6. Microsoft Windows Features
        1. Windows Vista
        2. Windows 7
        3. Windows 8.1
      7. Summary
        1. Key Terms
      8. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
    15. Chapter 3. Handling Computer Hardware
      1. Introduction
      2. Hard Disk Drives
        1. Small Computer System Interface (SCSI)
        2. Integrated Drive Electronics (IDE)
        3. Serial ATA (SATA)
      3. Cloning a PATA or SATA Hard Disk
        1. Cloning Devices
      4. Removable Memory
        1. FireWire
        2. USB Flash Drives
        3. External Hard Drives
        4. MultiMedia Cards (MMCs)
      5. Summary
        1. Key Terms
      6. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
      7. References
    16. Chapter 4. Acquiring Evidence in a Computer Forensics Lab
      1. Introduction
      2. Lab Requirements
        1. American Society of Crime Laboratory Directors
        2. American Society of Crime Laboratory Directors/Lab Accreditation Board (ASCLD/LAB)
        3. ASCLD/LAB Guidelines for Forensic Laboratory Management Practices
        4. Scientific Working Group on Digital Evidence (SWGDE)
      3. Private Sector Computer Forensics Laboratories
        1. Evidence Acquisition Laboratory
        2. Email Preparation Laboratory
        3. Inventory Control
        4. Web Hosting
      4. Computer Forensics Laboratory Requirements
        1. Laboratory Layout
        2. Laboratory Management
        3. Laboratory Access
      5. Extracting Evidence from a Device
        1. Using the dd Utility
        2. Using Global Regular Expressions Print (GREP)
      6. Skimmers
      7. Summary
        1. Key Terms
      8. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
    17. Chapter 5. Online Investigations
      1. Introduction
      2. Working Undercover
        1. Generate an Identity
        2. Generate an Email Account
        3. Mask Your Identity
      3. Website Evidence
        1. Website Archives
        2. Website Statistics
      4. Background Searches on a Suspect
        1. Personal Information: Mailing Address, Email Address, Telephone Number, and Assets
        2. Personal Interests and Membership of User Groups
        3. Searching for Stolen Property
      5. Online Crime
        1. Identity Theft
        2. Credit Cards for Sale
        3. Electronic Medical Records
        4. Cyberbullying
        5. Social Networking
      6. Capturing Online Communications
        1. Using Screen Captures
        2. Using Video
        3. Viewing Cookies
        4. Using Windows Registry
      7. Summary
        1. Key Terms
      8. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
    18. Chapter 6. Documenting the Investigation
      1. Introduction
      2. Obtaining Evidence from a Service Provider
      3. Documenting a Crime Scene
      4. Seizing Evidence
        1. Crime Scene Examinations
      5. Documenting the Evidence
        1. Completing a Chain of Custody Form
        2. Completing a Computer Worksheet
        3. Completing a Hard Disk Drive Worksheet
        4. Completing a Server Worksheet
      6. Using Tools to Document an Investigation
        1. CaseNotes
        2. FragView
        3. Helpful Mobile Applications (Apps)
        4. Network Analyzer
        5. System Status
        6. The Cop App
        7. Lock and Code
        8. Digital Forensics Reference
        9. Federal Rules of Civil Procedure (FRCP)
        10. Federal Rules of Evidence (FREvidence)
      7. Writing Reports
        1. Time Zones and Daylight Saving Time (DST)
        2. Creating a Comprehensive Report
      8. Using Expert Witnesses at Trial
        1. The Expert Witness
        2. The Goals of the Expert Witness
        3. Preparing an Expert Witness for Trial
      9. Summary
        1. Key Terms
      10. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
    19. Chapter 7. Admissibility of Digital Evidence
      1. Introduction
      2. History and Structure of the United States Legal System
        1. Origins of the U.S. Legal System
        2. Overview of the U.S. Court System
        3. In the Courtroom
      3. Evidence Admissibility
      4. Constitutional Law
        1. First Amendment
        2. First Amendment and the Internet
        3. Fourth Amendment
        4. Fifth Amendment
        5. Sixth Amendment
        6. Congressional Legislation
        7. Rules for Evidence Admissibility
        8. Criminal Defense
      5. When Computer Forensics Goes Wrong
        1. Pornography in the Classroom
      6. Structure of the Legal System in the European Union (E.U.)
        1. Origins of European Law
        2. Structure of European Union Law
      7. Structure of the Legal System in Asia
        1. China
        2. India
      8. Summary
        1. Key Terms
      9. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
    20. Chapter 8. Network Forensics
      1. Introduction
      2. The Tools of the Trade
      3. Networking Devices
        1. Proxy Servers
        2. Web Servers
        3. DHCP Servers
        4. SMTP Servers
        5. DNS Servers
        6. Routers
        7. IDS
        8. Firewalls
        9. Ports
      4. Understanding the OSI Model
        1. The Physical Layer
        2. The Data Link Layer
        3. The Network Layer
        4. The Transport Layer
        5. The Session Layer
        6. The Presentation Layer
        7. The Application Layer
      5. Advanced Persistent Threats
        1. Cyber Kill Chain
        2. Indicators of Compromise (IOC)
      6. Investigating a Network Attack
      7. Summary
        1. Key Terms
      8. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
    21. Chapter 9. Mobile Forensics
      1. Introduction
      2. The Cellular Network
        1. Base Transceiver Station
        2. Mobile Station
        3. Cellular Network Types
        4. SIM Card Forensics
        5. Types of Evidence
      3. Handset Specifications
        1. Memory and Processing
        2. Battery
        3. Other Hardware
      4. Mobile Operating Systems
        1. Android OS
        2. Windows Phone
      5. Standard Operating Procedures for Handling Handset Evidence
        1. National Institute of Standards and Technology
        2. Preparation and Containment
        3. Wireless Capabilities
        4. Documenting the Investigation
      6. Handset Forensics
        1. Cellphone Forensic Software
        2. Cellphone Forensics Hardware
        3. Logical versus Physical Examination
      7. Manual Cellphone Examinations
        1. Flasher Box
      8. Global Satellite Service Providers
        1. Satellite Communication Services
      9. Legal Considerations
        1. Carrier Records
      10. Other Mobile Devices
        1. Tablets
        2. GPS Devices
      11. Summary
        1. Key Terms
      12. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
    22. Chapter 10. Photograph Forensics
      1. Introduction
      2. Understanding Digital Photography
        1. File Systems
        2. Digital Photography Applications and Services
      3. Examining Picture Files
        1. Exchangeable Image File Format (EXIF)
      4. Evidence Admissibility
        1. Federal Rules of Evidence (FRE)
        2. Analog vs. Digital Photographs
      5. Case Studies
        1. Worldwide Manhunt
        2. NYPD Facial Recognition Unit
      6. Summary
        1. Key Terms
      7. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
    23. Chapter 11. Mac Forensics
      1. Introduction
      2. A Brief History
        1. Macintosh
        2. Mac Mini with OS X Server
        3. iPod
        4. iPhone
        5. iPad
        6. Apple Wi-Fi Devices
      3. Macintosh File Systems
      4. Forensic Examinations of a Mac
        1. IOReg Info
        2. PMAP Info
        3. Epoch Time
        4. Recovering Deleted Files
        5. Journaling
        6. DMG File System
        7. PList Files
        8. SQLite Databases
      5. Macintosh Operating Systems
        1. Mac OS X
        2. Target Disk Mode
      6. Apple Mobile Devices
        1. iOS
        2. iOS 7
        3. iOS 8
        4. Security and Encryption
        5. iPod
        6. iPhone
        7. Enterprise Deployment of iPhone and iOS Devices
      7. Case Studies
        1. Find My iPhone
        2. Wanted Hacktivist
        3. Michael Jackson
        4. Stolen iPhone
        5. Drug Bust
      8. Summary
        1. Key Terms
      9. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Projects
    24. Chapter 12. Case Studies
      1. Introduction
      2. Zacharias Moussaoui
        1. Background
        2. Digital Evidence
        3. Standby Counsel Objections
        4. Prosecution Affidavit
        5. Exhibits
        6. Email Evidence
      3. BTK (Bind Torture Kill) Killer
        1. Profile of a Killer
        2. Evidence
      4. Cyberbullying
        1. Federal Anti-harassment Legislation
        2. State Anti-harassment Legislation
        3. Warning Signs of Cyberbullying
        4. What Is Cyberbullying?
        5. Phoebe Prince
        6. Ryan Halligan
        7. Megan Meier
        8. Tyler Clementi
      5. Sports
      6. Summary
        1. Key Terms
      7. Assessment
        1. Classroom Discussions
        2. Multiple-Choice Questions
        3. Fill in the Blanks
        4. Project
      8. Assessment of Cases by Judges
    25. Index
    26. Answers to Multiple-Choice and Fill in the Blanks Questions
      1. Chapter 1 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      2. Chapter 2 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      3. Chapter 3 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      4. Chapter 4 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      5. Chapter 5 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      6. Chapter 6 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      7. Chapter 7 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      8. Chapter 8 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      9. Chapter 9 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      10. Chapter 10 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      11. Chapter 11 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
      12. Chapter 12 Answers
        1. Multiple-Choice
        2. Fill in the Blanks
    27. Code Snippets