Computer Forensics For Dummies®

Book Description

Uncover a digital trail of e-evidence by using the helpful, easy-to-understand information in Computer Forensics For Dummies! Professional and armchair investigators alike can learn the basics of computer forensics, from digging out electronic evidence to solving the case. You won’t need a computer science degree to master e-discovery. Find and filter data in mobile devices, e-mail, and other Web-based technologies.

You’ll learn all about e-mail and Web-based forensics, mobile forensics, passwords and encryption, and other e-evidence found through VoIP, voicemail, legacy mainframes, and databases. You’ll discover how to use the latest forensic software, tools, and equipment to find the answers that you’re looking for in record time. When you understand how data is stored, encrypted, and recovered, you’ll be able to protect your personal privacy as well. By the time you finish reading this book, you’ll know how to:

  • Prepare for and conduct computer forensics investigations

  • Find and filter data

  • Protect personal privacy

  • Transfer evidence without contaminating it

  • Anticipate legal loopholes and opponents’ methods

  • Handle passwords and encrypted data

  • Work with the courts and win the case

Plus, Computer Forensics for Dummies includes lists of things that everyone interested in computer forensics should know, do, and build. Discover how to get qualified for a career in computer forensics, what to do to be a great investigator and expert witness, and how to build a forensics lab or toolkit.

Table of Contents

  1. Copyright
  2. About The Authors
  3. Authors' Acknowledgments
  4. Publisher's Acknowledgments
  5. Introduction
    1. Who Should Read This Book?
    2. About This Book
    3. How to Use This Book
    4. What You Don't Need to Read
    5. Foolish Assumptions
    6. How This Book Is Organized
      1. Part I: Digging Out and Documenting Electronic Evidence
      2. Part II: Preparing to Crack the Case
      3. Part III: Doing Computer Forensic Investigations
      4. Part IV: Succeeding in Court
      5. Part V: The Part of Tens
      6. Glossary
    7. About the Web Site and Blog
    8. Icons Used in This Book
    9. Where to Go from Here
  6. I. Digging Out and Documenting Electronic Evidence
    1. 1. Knowing What Your Digital Devices Create, Capture, and Pack Away — Until Revelation Day
      1. 1.1. Living and Working in a Recorded World
        1. 1.1.1. Deleting is a misnomer
        2. 1.1.2. Getting backed up
        3. 1.1.3. Delusions of privacy danced in their headsets
      2. 1.2. Giving the Third Degree to Computers, Electronics, and the Internet
      3. 1.3. Answering the Big Questions
        1. 1.3.1. What is my computer doing behind my back?
          1. 1.3.1.1. Can you hear me now?
          2. 1.3.1.2. Surfers Non-Anonymous
          3. 1.3.1.3. The unblinking eyes of search engines
        2. 1.3.2. How does my data get out there?
        3. 1.3.3. Why can data be discovered and recovered easily?
      4. 1.4. Examining Investigative Methods
        1. 1.4.1. Getting permission
        2. 1.4.2. Choosing your forensic tools
        3. 1.4.3. Knowing what to look for and where
        4. 1.4.4. Gathering evidence properly
      5. 1.5. Revealing Investigation Results
        1. 1.5.1. Preparing bulletproof findings
        2. 1.5.2. Making it through trial
    2. 2. Suiting Up for a Lawsuit or Criminal Investigation
      1. 2.1. Deciphering the Legal Codes
        1. 2.1.1. Learning about relevancy and admissibility
        2. 2.1.2. Getting started with electronic discovery
        3. 2.1.3. Deciding what's in and what's not
        4. 2.1.4. Playing by the rules
      2. 2.2. Managing E-Discovery
        1. 2.2.1. Understanding that timing is everything
        2. 2.2.2. Grasping ESI discovery problems
        3. 2.2.3. Avoiding overbroad requests
        4. 2.2.4. Shaping the request
        5. 2.2.5. Stepping through the response
      3. 2.3. Conducting the Investigation in Good Faith
      4. 2.4. Deciding Who's Paying the Bill
    3. 3. Getting Authorized to Search and Seize
      1. 3.1. Getting Authority: Never Start Without It
        1. 3.1.1. Acknowledging who's the boss (not you!)
        2. 3.1.2. Putting together your team
        3. 3.1.3. Involving external sources
        4. 3.1.4. No warrant, no problem (if it's done legally)
      2. 3.2. Criminal Cases: Papering Your Behind (CYA)
        1. 3.2.1. Learning about the case and the target
        2. 3.2.2. Drafting an affidavit for a search warrant
        3. 3.2.3. Presenting an affidavit for judicial processing
      3. 3.3. Civil Cases: Verifying Company Policy
        1. 3.3.1. Searching with verbal permission (without a warrant)
        2. 3.3.2. Obtaining a subpoena
    4. 4. Documenting and Managing the Crime Scene
      1. 4.1. Obsessing over Documentation
        1. 4.1.1. Keeping the chain complete
        2. 4.1.2. Dealing with carbon memories
        3. 4.1.3. Deciding who gets the evidence first
        4. 4.1.4. Getting to the truth
          1. 4.1.4.1. Using scientific methods
          2. 4.1.4.2. Recognizing Occam's razor
      2. 4.2. Directing the Scene
        1. 4.2.1. Papering the trail
        2. 4.2.2. Recording the scene: Video
        3. 4.2.3. Recording the sounds: Audio
        4. 4.2.4. Getting the lead out
      3. 4.3. Managing Evidence Behind the Yellow Tape
        1. 4.3.1. Arriving ready to roll: Bringing the right tools
        2. 4.3.2. Minimizing your presence
      4. 4.4. Stepping Through the Scene
        1. 4.4.1. Securing the area
        2. 4.4.2. Surveying the scene
        3. 4.4.3. Transporting the e-evidence
  7. II. Preparing to Crack the Case
    1. 5. Minding and Finding the Loopholes
      1. 5.1. Deciding to Take On a Client
        1. 5.1.1. Learning about the case and the theory
        2. 5.1.2. Finding out the client's priorities
        3. 5.1.3. Timing your work
        4. 5.1.4. Defining the scope of work
      2. 5.2. Determining Whether You Can Help the Case
        1. 5.2.1. Serving as a resource for the lawyer
        2. 5.2.2. Taking an active role
        3. 5.2.3. Answering big, blunt questions
        4. 5.2.4. Signing on the dotted line
      3. 5.3. Passing the Court's Standard As a Reliable Witness
        1. 5.3.1. Getting your credentials accepted
        2. 5.3.2. Impressing opinions on the jury
      4. 5.4. Going Forward with the Case
        1. 5.4.1. Digging into the evidence
        2. 5.4.2. Organizing and documenting your work
        3. 5.4.3. Researching and digging for intelligence
      5. 5.5. Keeping a Tight Forensic Defense
        1. 5.5.1. Plugging loopholes
          1. 5.5.1.1. Preinvestigation preparation
          2. 5.5.1.2. Acquisition and preservation
          3. 5.5.1.3. Authentication
          4. 5.5.1.4. Analysis
          5. 5.5.1.5. Production and reporting
    2. 6. Acquiring and Authenticating E-Evidence
      1. 6.1. Acquiring E-Evidence Properly
      2. 6.2. Step 1: Determine the Type of Media You're Working With
      3. 6.3. Step 2: Find the Right Tool
        1. 6.3.1. Finding all the space
        2. 6.3.2. A write-protect device
        3. 6.3.3. Sterile media
      4. 6.4. Step 3: Transfer Data
        1. 6.4.1. Transferring data in the field
        2. 6.4.2. From computer to computer
        3. 6.4.3. From storage device to computer
      5. 6.5. Step 4: Authenticate the Preserved Data
      6. 6.6. Step 5: Make a Duplicate of the Duplicate
    3. 7. Examining E-Evidence
      1. 7.1. The Art of Scientific Inquiry
      2. 7.2. Gearing Up for Challenges
      3. 7.3. Getting a Handle on Search Terms
        1. 7.3.1. Defining your search list
        2. 7.3.2. Using forensic software to search
          1. 7.3.2.1. Searching by keyword
          2. 7.3.2.2. Expressing a search with Boolean
        3. 7.3.3. Assuming risks
      4. 7.4. Challenging Your Results: Plants and Frames and Being in the Wrong Place
        1. 7.4.1. Knowing what can go wrong
        2. 7.4.2. Looking beyond the file
      5. 7.5. Finding No Evidence
        1. 7.5.1. No evidence of who logged in
        2. 7.5.2. No evidence of how it got there
      6. 7.6. Reporting Your Analysis
    4. 8. Extracting Hidden Data
      1. 8.1. Recognizing Attempts to Blind the Investigator
        1. 8.1.1. Encryption and compression
        2. 8.1.2. Data hiding techniques
          1. 8.1.2.1. File extensions
          2. 8.1.2.2. Hidden files
          3. 8.1.2.3. Hidden shares
          4. 8.1.2.4. Alternate data streams
          5. 8.1.2.5. Layers
          6. 8.1.2.6. Steganography
      2. 8.2. Defeating Algorithms, Hashes, and Keys
      3. 8.3. Finding Out-of-Sight Bytes
      4. 8.4. Cracking Passwords
        1. 8.4.1. Knowing when to crack and when not to crack
        2. 8.4.2. Disarming passwords to get in
        3. 8.4.3. Circumventing passwords to sneak in
      5. 8.5. Decrypting the Encrypted
        1. 8.5.1. Sloppiness cracks PGP
        2. 8.5.2. Desperate measures
  8. III. Doing Computer Forensics Investigations
    1. 9. E-Mail and Web Forensics
      1. 9.1. Opening Pandora's Box of E-Mail
        1. 9.1.1. Following the route of e-mail packets
        2. 9.1.2. Becoming Exhibit A
        3. 9.1.3. Tracking the biggest trend in civil litigation
      2. 9.2. Scoping Out E-Mail Architecture
        1. 9.2.1. E-mail structures
        2. 9.2.2. E-mail addressing
        3. 9.2.3. E-mail lingo
        4. 9.2.4. E-mail in motion
      3. 9.3. Seeing the E-Mail Forensics Perspective
        1. 9.3.1. Dissecting the message
        2. 9.3.2. Expanding headers
        3. 9.3.3. Checking for e-mail extras
      4. 9.4. Examining Client-Based E-Mail
        1. 9.4.1. Extracting e-mail from clients
        2. 9.4.2. Getting to know e-mail file extensions
        3. 9.4.3. Copying the e-mail
        4. 9.4.4. Printing the e-mail
      5. 9.5. Investigating Web-Based Mail
      6. 9.6. Searching Browser Files
        1. 9.6.1. Temporary files
        2. 9.6.2. Internet history
      7. 9.7. Looking through Instant Messages
    2. 10. Data Forensics
      1. 10.1. Delving into Data Storage
        1. 10.1.1. The anatomy of a disk drive
        2. 10.1.2. Microsoft operating systems
          1. 10.1.2.1. FAT
          2. 10.1.2.2. NTFS
        3. 10.1.3. Apple: HFS
        4. 10.1.4. Linux/Unix
      2. 10.2. Finding Digital Cavities Where Data Hides
        1. 10.2.1. Deleted files
          1. 10.2.1.1. Retrieving deleted files
          2. 10.2.1.2. Retrieving cached files
          3. 10.2.1.3. Retrieving files in unallocated space
          4. 10.2.1.4. Retrieving files in file slack areas
        2. 10.2.2. Non-accessible space
        3. 10.2.3. RAM
        4. 10.2.4. Windows Registry
        5. 10.2.5. Search filtering
      3. 10.3. Extracting Data
      4. 10.4. Rebuilding Extracted Data
    3. 11. Document Forensics
      1. 11.1. Finding Evidential Material in Documents: Metadata
        1. 11.1.1. Viewing metadata
        2. 11.1.2. Extracting metadata
      2. 11.2. Honing In on CAM (Create, Access, Modify) Facts
      3. 11.3. Discovering Documents
        1. 11.3.1. Luring documents out of local storage
          1. 11.3.1.1. Matching file headers to extensions
          2. 11.3.1.2. Modifying the file header
        2. 11.3.2. Finding links and external storage
          1. 11.3.2.1. Finding external storage options
          2. 11.3.2.2. Finding external networks
        3. 11.3.3. Rounding up backups
    4. 12. Mobile Forensics
      1. 12.1. Keeping Up with Data on the Move
        1. 12.1.1. Shifting from desktop to handhelds
        2. 12.1.2. Considering mobile devices forensically
        3. 12.1.3. Recognizing the imperfect understanding of the technology
      2. 12.2. Making a Device Seizure
        1. 12.2.1. Mobile phones and SIM cards
          1. 12.2.1.1. The cellular network
          2. 12.2.1.2. The device you're investigating
          3. 12.2.1.3. Phone characteristics
          4. 12.2.1.4. The SIM card
        2. 12.2.2. Personal digital assistants
        3. 12.2.3. Digital cameras
        4. 12.2.4. Digital audio recorders
      3. 12.3. Cutting-Edge Cellular Extractions
        1. 12.3.1. Equipping for mobile forensics
        2. 12.3.2. Mobile forensic hardware
        3. 12.3.3. Securing the mobile device
        4. 12.3.4. Finding mobile data
        5. 12.3.5. Examining a smart phone step-by-step
    5. 13. Network Forensics
      1. 13.1. Mobilizing Network Forensic Power
      2. 13.2. Identifying Network Components
        1. 13.2.1. Looking at the Open Systems Interconnection Model (OSI)
        2. 13.2.2. Cooperating with secret agents and controlling servers
      3. 13.3. Saving Network Data
        1. 13.3.1. Categorizing the data
        2. 13.3.2. Figuring out where to store all those bytes
          1. 13.3.2.1. Storage area network (SAN)
          2. 13.3.2.2. Network attached storage (NAS)
          3. 13.3.2.3. Direct attached storage (DAS)
      4. 13.4. Re-Creating an Event from Traffic
        1. 13.4.1. Analyzing time stamps
        2. 13.4.2. Putting together a data sequence
        3. 13.4.3. Spotting different data streams
      5. 13.5. Looking at Network Forensic Tools
        1. 13.5.1. Test Access Port (TAP)
        2. 13.5.2. Mirrors
        3. 13.5.3. Promiscuous NIC
        4. 13.5.4. Wireless
      6. 13.6. Discovering Network Forensic Vendors
    6. 14. Investigating X-Files: eXotic Forensics
      1. 14.1. Taking a Closer Look at Answering Machines
      2. 14.2. Examining Video Surveillance Systems
      3. 14.3. Cracking Home Security Systems
      4. 14.4. Tracking Automobiles
      5. 14.5. Extracting Information from Radio Frequency Identification (RFID)
      6. 14.6. Examining Copiers
      7. 14.7. Taking a Look On the Horizon
  9. IV. Succeeding in Court
    1. 15. Holding Up Your End at Pretrial
      1. 15.1. Pretrial Motions
        1. 15.1.1. Motion to suppress evidence
        2. 15.1.2. Motion in limine
        3. 15.1.3. Motion to dismiss
        4. 15.1.4. Other motions
      2. 15.2. Handling Pretrial Hearings
      3. 15.3. Giving a Deposition
        1. 15.3.1. Swearing to tell truthful opinions
        2. 15.3.2. Surviving a deposition
        3. 15.3.3. Bulletproofing your opinions
        4. 15.3.4. Checking your statements
        5. 15.3.5. Fighting stage fright
    2. 16. Winning a Case Before You Go to Court
      1. 16.1. Working Around Wrong Moves
      2. 16.2. Responding to Opposing Experts
        1. 16.2.1. Dealing with counterparts
        2. 16.2.2. Formatting your response
        3. 16.2.3. Responding to affidavits
        4. 16.2.4. Hardening your testimony
    3. 17. Standing Your Ground in Court
      1. 17.1. Making Good on Deliverables
      2. 17.2. Understanding Barroom Brawls in the Courtroom
        1. 17.2.1. Managing challenging issues
        2. 17.2.2. Sitting on the stand
        3. 17.2.3. Instructing jurors about expert testimony
      3. 17.3. Presenting E-Evidence to Persuade
        1. 17.3.1. Staging a disaster
        2. 17.3.2. Exhibiting like an expert
      4. 17.4. Communicating to the Court
        1. 17.4.1. Giving testimony about the case
        2. 17.4.2. Answering about yourself
        3. 17.4.3. Getting paid without conflict
  10. V. The Part of Tens
    1. 18. Ten Ways to Get Qualified and Prepped for Success
      1. 18.1. The Front Ten: Certifications
        1. 18.1.1. ACE: AccessData
        2. 18.1.2. CCE: Certified Computer Examiner
        3. 18.1.3. CFCE: Certified Forensic Computer Examiner
        4. 18.1.4. CEECS: Certified Electronic Evidence Collection Specialist
        5. 18.1.5. Cisco: Various certifications
        6. 18.1.6. CISSP: Certified Information Systems Security Professional
        7. 18.1.7. CompTia: Various certifications
        8. 18.1.8. EnCE: Guidance Software
        9. 18.1.9. Paraben training
        10. 18.1.10. SANS and GCFA: GIAC Certified Forensics Analyst
      2. 18.2. The Back Ten: Journals and Education
    2. 19. Ten Tactics of an Excellent Investigator and a Dangerous Expert Witness
      1. 19.1. Stick to Finding and Telling the Truth
      2. 19.2. Don't Fall for Counsel's Tricks in Court
      3. 19.3. Be Irrefutable
      4. 19.4. Submit a Descriptive, Complete Bill
      5. 19.5. Prepare a Clear, Complete Report
      6. 19.6. Understand Nonverbal Cues
      7. 19.7. Look 'Em Straight in the Eye
      8. 19.8. Dress for Your Role As a Professional
      9. 19.9. Stay Certified and Up-to-Date
      10. 19.10. Know When to Say No
    3. 20. Ten Cool Tools for Computer Forensics
      1. 20.1. Computer Forensic Software Tools
        1. 20.1.1. EnCase
        2. 20.1.2. Forensic ToolKit (FTK)
        3. 20.1.3. Device Seizure
      2. 20.2. Computer Forensic Hardware
        1. 20.2.1. FRED
        2. 20.2.2. WiebeTech Forensic Field Kit
        3. 20.2.3. Logicube
      3. 20.3. Computer Forensic Laboratories
        1. 20.3.1. Computer forensic data server
        2. 20.3.2. Forensic write blockers
        3. 20.3.3. Media wiping equipment
        4. 20.3.4. Recording equipment
  11. Glossary