Computer Evidence: Collection and Preservation, Second Edition

Book Description

As computers and data systems continue to evolve, they expand into every facet of our personal and business lives. Never before has our society been so information and technology driven. Because computers, data communications, and data storage devices have become ubiquitous, few crimes or civil disputes do not involve them in some way. This book teaches law enforcement, system administrators, information technology security professionals, legal professionals, and students of computer forensics how to identify, collect, and maintain digital artifacts to preserve their reliability for admission as evidence. It has been updated to take into account changes in federal rules of evidence and case law that directly address digital evidence, as well as to expand upon portable device collection.

Table of Contents

  1. Copyright
  2. Acknowledgments
  3. About the Author
  4. Introduction
  5. Computer Forensics and Evidence Dynamics
    1. Computer Forensics Essentials
      1. What Is Computer Forensics?
      2. Crime Scene Investigation
      3. Phases of Computer Forensics
      4. Formalized Computer Forensics from the Start
      5. Who Performs Computer Forensics?
      6. Seizing Computer Evidence
      7. Challenges to Computer Evidence
      8. Summary
      9. References
      10. Resources
    2. Rules of Evidence, Case Law, and Regulation
      1. Understanding Rules of Evidence
      2. 2007 Amendments to the FRCP
      3. Expert Witness (Scientific) Acceptance
      4. Testifying Tips: You Are the Expert
      5. Computer-Related Case Law
      6. Regulation
      7. Summary
      8. References
      9. Resources
    3. Evidence Dynamics
      1. Forces of Evidence Dynamics
      2. Human Forces
      3. Natural Forces
      4. Equipment Forces
      5. Proper Tools and Procedures
      6. Summary
      7. References
      8. Resources
  6. Information Systems
    1. Interview, Policy, and Audit
      1. Supporting and Corroborating Evidence
      2. Subject Interviews
      3. Policy Review
      4. Audit
      5. Executive Summary
      6. Recommendations
      7. Scope
      8. Host-Specific Findings
      9. War Dialing Results
      10. Conclusion
      11. Summary
      12. References
      13. Resources
    2. Network Topology and Architecture
      1. Networking Concepts
      2. Types of Networks
      3. Physical Network Topology
      4. Network Cabling
      5. Wireless Networks
      6. Open Systems Interconnection (OSI) Model
      7. TCP/IP Addressing
      8. Diagramming Networks
      9. Summary
      10. References
      11. Resources
    3. Volatile Data
      1. Types and Nature of Volatile Data
      2. Operating Systems
      3. Volatile Data in Routers and Appliances
      4. Volatile Data in Personal Devices
      5. Traditional Incident Response of Live Systems
      6. Understanding Windows Rootkits in Memory
      7. Accessing Volatile Data
      8. Summary
      9. References
  7. Data Storage Systems and Media
    1. Physical Disk Technologies
      1. Physical Disk Characteristics
      2. Physical Disk Interfaces and Access Methods
      3. Logical Disk Addressing and Access
      4. Disk Features
      5. Summary
      6. References
      7. Resources
    2. SAN, NAS, and RAID
      1. Disk Storage Expanded
      2. Redundant Array of Independent Disks
      3. Storage Area Networks
      4. Network-Attached Storage
      5. Storage Service Providers
      6. Summary
      7. References
      8. Resources
    3. Removable Media
      1. Removable, Portable Storage Devices
      2. Tape Systems
      3. Optical Discs
      4. Removable Disks—Floppy and Rigid
      5. Flash Media
      6. Summary
      7. References
      8. Resources
  8. Artifact Collection
    1. Tools, Preparation, and Documentation
      1. Planning
      2. Boilerplates
      3. Hardware Tools
      4. Software Tools
      5. Tool Testing
      6. Documentation
      7. Summary
      8. References
      9. Resources
    2. Collecting Volatile Data
      1. Benefits of Volatile-Data Collection
      2. A Blending of Incident Response and Forensics
      3. Building a Live Collection Disk
      4. Live Boot CD-ROMs
      5. Summary
      6. References
      7. Resources
    3. Imaging Methodologies
      1. Approaches to Collection
      2. Bit-Stream Images
      3. Local Dead System Collection
      4. Verification, Testing, and Hashing
      5. Live and Remote Collection
      6. Summary
      7. References
      8. Resources
    4. Large System Collection
      1. Defining a Large Collection
      2. Large System Imaging Methodologies
      3. Tying Together Dispersed Systems
      4. Risk-Sensitive Evidence Collection
      5. Summary
      6. References
    5. Personal Portable Device Collection
      1. Seemingly Endless Device List
      2. Device Architectures
      3. Special Collection Considerations
      4. Mobile Phones
      5. Special-Purpose Personal Devices
      6. Summary
      7. References
      8. Resources
  9. Archiving and Maintaining Evidence
    1. The Forensics Workstation
      1. The Basics
      2. Lab Workstations
      3. Portable Field Workstations
      4. Configuration Management
      5. Summary
      6. References
      7. Resources
    2. The Forensics Lab
      1. Lab and Network Design
      2. Logical Design, Topology, and Operations
      3. Storage
      4. Lab Certifications
      5. Summary
      6. References
    3. What’s Next
      1. Areas of Interest
      2. Training, Knowledge, and Experience
      3. Analysis and Reporting
      4. Methodologies
      5. Professional Advancement
      6. Summary
      7. References
      8. Resources
  10. Computer Evidence Collection and Preservation Appendixes
    1. Sample Chain of Custody Form
    2. Evidence Collection Worksheet
    3. Evidence Access Worksheet
    4. Forensics Field Kit
    5. Hexadecimal Flags for Partition Types
    6. Forensics Tools for Digital Evidence Collection
      1. Software
      2. Hardware
      3. General Supplies
    7. Agencies, Contacts, and Resources
      1. Agencies
      2. Training Resources
      3. Associations
      4. State Agencies
      5. General
      6. Discussion List Servers
      7. Journals
    8. Cisco Router Command Cheat Sheet
      1. Using the Cisco Wildcard Mask
      2. Packet Filtering on Cisco Routers
    9. About the CD-ROM
      1. System Requirements
      2. CD-ROM Folders
  11. Index