Cyber Forensics: From Data to Digital Evidence

Book Description

An explanation of the basic principles of data

This book explains the basic principles of data as the building blocks of electronic evidential matter used in cyber forensics investigations. The entire text is written without reference to a particular operating system or environment, so it is applicable to all work environments, cyber investigation scenarios, and technologies. The text proceeds step by step, beginning with the elementary building blocks of data and progressing upwards to the representation and storage of information. It includes practical examples and illustrations throughout to guide the reader.

Table of Contents

  1. Cover
  2. Contents
  3. Title
  4. Copyright
  5. Dedication
  6. Preface
  7. Acknowledgments
  8. Chapter One: The Fundamentals of Data
    1. Base 2 Numbering System: Binary and Character Encoding
    2. Communication in a Two-State Universe
    3. Electricity and Magnetism
    4. Building Blocks: The Origins of Data
    5. Growing the Building Blocks of Data
    6. Moving Beyond Base 2
    7. American Standard Code for Information Interchange
    8. Character Codes: The Basis for Processing Textual Data
    9. Extended ASCII and Unicode
    10. Summary
    11. Notes
  9. Chapter Two: Binary to Decimal
    1. American Standard Code for Information Interchange
    2. Computer as a Calculator
    3. Why is this Important in Forensics?
    4. Data Representation
    5. Converting Binary to Decimal
    6. Conversion Analysis
    7. A Forensic Case Example: An Application of the Math
    8. Decimal to Binary: Recap for Review
    9. Summary
  10. Chapter Three: The Power of HEX: Finding Slivers of Data
    1. What the HEX?
    2. Bits and Bytes and Nibbles
    3. Nibbles and Bits
    4. Binary to HEX Conversion
    5. Binary (HEX) Editor
    6. The Needle within the Haystack
    7. Summary
    8. Notes
  11. Chapter Four: Files
    1. Opening
    2. Files, File Structures, and File Formats
    3. File Extensions
    4. Changing a File’s Extension to Evade Detection
    5. Files and the HEX Editor
    6. File Signature
    7. ASCII is not Text or HEX
    8. Value of File Signatures
    9. Complex Files: Compound, Compressed, and Encrypted Files
    10. Why do Compound Files Exist?
    11. Compressed Files
    12. Forensics and Encrypted Files
    13. The Structure of Ciphers
    14. Summary
    15. Notes
    16. Appendix 4A: Common File Extensions
    17. Appendix 4B: File Signature Database
    18. Appendix 4C: Magic Number Definition
    19. Appendix 4D: Compound Document Header
  12. Chapter Five: The Boot Process and the Master Boot Record (MBR)
    1. Booting Up
    2. Primary Functions of the Boot Process
    3. Forensic Imaging and Evidence Collection
    4. Summarizing the BIOS
    5. BIOS Setup Utility: Step by Step
    6. The Master Boot Record (MBR)
    7. Partition Table
    8. Hard Disk Partition
    9. Summary
    10. Notes
  13. Chapter Six: Endianness and the Partition Table
    1. The Flavor of Endianness
    2. Endianness
    3. The Origins of Endian
    4. Partition Table within the Master Boot Record
    5. Summary
    6. Notes
  14. Chapter Seven: Volume versus Partition
    1. Tech Review
    2. Cylinder, Head, Sector, and Logical Block Addressing
    3. Volumes and Partitions
    4. Summary
    5. Notes
  15. Chapter Eight: File Systems—FAT 12/16
    1. Tech Review
    2. File Systems
    3. Metadata
    4. File Allocation Table (FAT) File System
    5. Slack
    6. HEX Review Note
    7. Directory Entries
    8. File Allocation Table (FAT)
    9. How is Cluster Size Determined?
    10. Expanded Cluster Size
    11. Directory Entries and the FAT
    12. FAT Filing System Limitations
    13. Directory Entry Limitations
    14. Summary
    15. Appendix 8A: Partition Table Fields
    16. Appendix 8B: File Allocation Table Values
    17. Appendix 8C: Directory Entry Byte Offset Description
    18. Appendix 8D: FAT 12/16 Byte Offset Values
    19. Appendix 8E: FAT 32 Byte Offset Values
    20. Appendix 8F: The Power of 2
  16. Chapter Nine: File Systems—NTFS and Beyond
    1. New Technology File System
    2. Partition Boot Record
    3. Master File Table
    4. NTFS Summary
    5. exFAT
    6. Alternative Filing System Concepts
    7. Summary
    8. Notes
    9. Appendix 9A: Common NTFS System Defined Attributes
  17. Chapter Ten: Cyber Forensics: Investigative Smart Practices
    1. The Forensic Process
    2. Forensic Investigative Smart Practices
    3. Time
    4. Summary
    5. Note
  18. Chapter Eleven: Time and Forensics
    1. What is Time?
    2. Network Time Protocol
    3. Timestamp Data
    4. Keeping Track of Time
    5. Clock Models and Time Bounding: The Foundations of Forensic Time
    6. MS-DOS 32-Bit Timestamp: Date and Time
    7. Date Determination
    8. Time Determination
    9. Time Inaccuracy
    10. Summary
    11. Notes
  19. Chapter Twelve: Investigation: Incident Closure
    1. Forensic Investigative Smart Practices
    2. Step 5: Investigation (Continued)
    3. Step 6: Communicate Findings
    4. Characteristics of a Good Cyber Forensic Report
    5. Report Contents
    6. Step 7: Retention and Curation of Evidence
    7. Step 8: Investigation Wrap-Up and Conclusion
    8. Investigator’s Role as an Expert Witness
    9. Summary
    10. Notes
  20. Chapter Thirteen: A Cyber Forensic Process Summary
    1. Binary
    2. Binary—Decimal—ASCII
    3. Data Versus Code
    4. HEX
    5. From Raw Data to Files
    6. Accessing Files
    7. Endianness
    8. Partitions
    9. File Systems
    10. Time
    11. The Investigation Process
    12. Summary
  21. Appendix
  22. Glossary
  23. About the Authors
  24. Index