Digital Forensics for Legal Professionals

Book Description

Digital Forensics for Legal Professionals provides you with a guide to digital technology forensics in plain English. In the authors’ years of experience in working with attorneys as digital forensics experts, common questions arise again and again: “What do I ask for?” “Is the evidence relevant?” “What does this item in the forensic report mean?” “What should I ask the other expert?” “What should I ask you?” “Can you explain that to a jury?” This book answers many of those questions in clear language that is understandable by non-technical people. With many illustrations and diagrams that will be usable in court, they explain technical concepts such as unallocated space, forensic copies, timeline artifacts and metadata in simple terms that make these concepts accessible to both attorneys and juries.

The authors also explain how to determine what evidence to ask for, what evidence might be discoverable, and the methods for getting to it, including relevant subpoena and motion language. Additionally, this book provides an overview of the current state of digital forensics, the right way to select a qualified expert, what to expect from a qualified expert, and how to properly use experts before and during trial.



  • Includes a companion Web site with courtroom illustrations and examples of discovery motions
  • Provides examples of direct and cross examination questions for digital evidence
  • Contains a reference of definitions of digital forensic terms, relevant case law, and resources for the attorney

Table of Contents

  1. Front Cover
  2. Digital Forensics for Legal Professionals
  3. Copyright Page
  4. Contents
  5. Preface
    1. Intended Audience
    2. Organization of this Book
      1. Section I: Overview of Digital Forensics
      2. Section II: Experts
      3. Section III: Motions and Discovery
      4. Section IV: Common Types of Digital Evidence
  6. About the Authors
  7. About the Tech Editors
  8. 1 WHAT IS DIGITAL FORENSICS?
    1. 1 Digital Evidence Is Everywhere
      1. Introduction
      2. 1.1 What is Digital Forensics?
      3. 1.2 What is Digital Evidence?
      4. 1.3 How Digital Evidence is Created And Stored
      5. Summary
    2. 2 Overview of Digital Forensics
      1. Introduction
      2. 2.1 Digital Forensics
        1. 2.1.1 Acquisition
        2. 2.1.2 Preservation
        3. 2.1.3 Analysis
        4. 2.1.4 Presentation
      3. 2.2 A Little Computer History
      4. 2.3 A Brief History of Computer Forensics
      5. 2.4 Computer Forensics Becomes Digital Forensics
      6. Summary
    3. 3 Digital Forensics: The Subdisciplines
      1. Introduction
      2. 3.1 The Subdisciplines
      3. 3.2 Computer Forensics
        1. 3.2.1 Incident response
        2. 3.2.2 Cell phone forensics
        3. 3.2.3 GPS forensics
        4. 3.2.4 Media device forensics
        5. 3.2.5 Social media forensics
        6. 3.2.6 Digital video and photo forensics
        7. 3.2.7 Digital camera forensics
        8. 3.2.8 Digital audio forensics
        9. 3.2.9 Multiplayer game forensics
        10. 3.2.10 Game console forensics
      4. Summary
    4. 4 The Foundations of Digital Forensics: Best Practices
      1. Introduction
      2. 4.1 Who Establishes Best Practices?
      3. 4.2 Who should be Following Best Practices?
      4. 4.3 Summary of Best Practices
        1. 4.3.1 Volatile data and live forensics
        2. 4.3.2 Preservation best practices
        3. 4.3.3 Acquisition best practices
      5. 4.4 What Really Happens in Many Cases
      6. Summary
    5. 5 Overview of Digital Forensics Tools
      1. Introduction
      2. 5.1 What Makes a Tool Forensically Sound?
      3. 5.2 Who Performs Tool Testing?
      4. 5.3 Computer Forensics Tools: An Overview
      5. 5.4 Classes of Forensics Tools
      6. 5.5 Mobile Device Forensics Tools
      7. Summary
      8. References
    6. 6 Digital Forensics at Work in the Legal System
      1. Introduction
      2. 6.1 Mitigation
      3. 6.2 Pre-trial Motions
      4. 6.3 Trial Preparation
      5. 6.4 Example Trial Questions
        1. 6.4.1 A civil case example
        2. 6.4.2 Criminal trial example
      6. 6.5 Trial Phase
      7. Summary
  9. 2 EXPERTS
    1. 7 Why Do I Need an Expert?
      1. Introduction
      2. 7.1 Why Hire a Digital Forensics Expert?
      3. 7.2 When to Hire a Digital Forensics Expert
      4. Summary
    2. 8 The Difference between Computer Experts and Digital Forensics Experts
      1. Introduction
      2. 8.1 The Computer Expert
      3. 8.2 The Digital Forensics Expert
      4. 8.3 A Side-by-Side Comparison
      5. 8.4 Investigation of Digital Evidence
        1. 8.4.1 What does it mean to “investigate”?
      6. Summary
    3. 9 Selecting a Digital Forensics Expert
      1. Introduction
      2. 9.1 What is an Expert?
      3. 9.2 Locating and Selecting an Expert
        1. 9.2.1 Establishing your selection criteria
        2. 9.2.2 What evidence is part of your case?
        3. 9.2.3 What type of case do you have?
        4. 9.2.4 The prequalification process
        5. 9.2.5 What is a reasonable fee?
        6. 9.2.6 How can you tell what is a reasonable fee quote?
      4. 9.3 Certifications
      5. 9.4 Training, Education, and Experience
      6. 9.5 The Right Forensic Tools
      7. Summary
      8. References
    4. 10 What to Expect from an Expert
      1. Introduction
      2. 10.1 General Expectations
      3. 10.2 Where to Begin?
        1. 10.2.1 Sample protocol for evidence collection by a third or opposing party
      4. 10.3 The Examination
      5. 10.4 Court Preparation
      6. 10.5 Expert Advice
      7. Summary
    5. 11 Approaches by Different Types of Examiners
      1. Introduction
      2. 11.1 Standards
      3. 11.2 Training and Experience
      4. 11.3 Impact on Examinations
      5. 11.4 Ethics
      6. 11.5 The Approach to an Examination
      7. Summary
      8. References
    6. 12 Spotting a Problem Expert
      1. Introduction
      2. 12.1 Beyond the Window Dressings
        1. 12.1.1 Verifiable experience and criminal records
        2. 12.1.2 Attitude
        3. 12.1.3 The bull factor
        4. 12.1.4 Appearance matters
        5. 12.1.5 The big problems
        6. 12.1.6 Aversion
      3. Summary
    7. 13 Qualifying an Expert in Court
      1. Introduction
      2. 13.1 Qualifying an Expert
        1. 13.1.1 Federal Rules of Evidence: Rule 702 Expert Witnesses
        2. 13.1.2 The resume or curriculum vitae
        3. 13.1.3 Certifications
        4. 13.1.4 Training
        5. 13.1.5 Experience
        6. 13.1.6 Education
      3. 13.2 Qualifying Experts in Court
        1. 13.2.1 Sample qualification questions
      4. Summary
      5. Reference
  10. 3 MOTIONS AND DISCOVERY
    1. 14 Overview of Digital Evidence Discovery
      1. Introduction
      2. 14.1 Discovery Motions in Civil and Criminal Cases
        1. 14.1.1 Common challenges in criminal and civil cases
      3. Summary
    2. 15 Discovery of Digital Evidence in Criminal Cases
      1. Introduction
      2. 15.1 Sources of Digital Evidence
      3. 15.2 Building the Motion
        1. 15.2.1 Discovery motion specifics
      4. Summary
    3. 16 Discovery of Digital Evidence in Civil Cases
      1. Introduction
      2. 16.1 Rules Governing Civil Discovery
      3. 16.2 Electronic Discovery in Particular
      4. 16.3 Time is of the Essence
      5. 16.4 Getting to the Particulars
        1. 16.4.1 What happened?
        2. 16.4.2 Who was involved?
        3. 16.4.3 How would electronic evidence be involved?
        4. 16.4.4 Where might electronic evidence be stored?
        5. 16.4.5 Who has control of the electronic evidence you need to collect?
      6. 16.5 Getting the Electronic Evidence
      7. Summary
      8. References
    4. 17 Discovery of Computers and Storage Media
      1. Introduction
      2. 17.1 An Example of a Simple Consent to Search Agreement
      3. 17.2 Example of a Simple Order for Expedited Discovery
      4. 17.3 Example of an Order for Expedited Discovery and Temporary Restraining Order
      5. Summary
    5. 18 Discovery of Video Evidence
      1. Introduction
      2. 18.1 Common Issues with Video Evidence
        1. 18.1.1 Collecting and preserving tape media
        2. 18.1.2 Video recording devices
      3. 18.2 Collecting Video Evidence
      4. 18.3 Example Discovery Language for Video Evidence
      5. Summary
    6. 19 Discovery of Audio Evidence
      1. Introduction
      2. 19.1 Common Issues with Audio Evidence
        1. 19.1.1 Audio recording devices
        2. 19.1.2 Tape media
        3. 19.1.3 Audio metadata
        4. 19.1.4 File formats and audio programs
      3. 19.2 Example Discovery Language for Audio Evidence
      4. Summary
    7. 20 Discovery of Social Media Evidence
      1. Introduction
      2. 20.1 Legal Issues in Social Media Discovery
      3. 20.2 Finding Custodian of Records Contact Information
      4. 20.3 Facebook Example
        1. 20.3.1 Sample language to include for Facebook
      5. 20.4 Google Information
        1. 20.4.1 Google blogger example
        2. 20.4.2 Sample language for Google Blogger accounts and posts
      6. 20.5 Online E-Mail Accounts
      7. Summary
      8. References
    8. 21 Discovery in Child Pornography Cases
      1. Introduction
      2. 21.1 The Adam Walsh Child Protection and Safety Act of 2006
      3. 21.2 The Discovery Process
        1. 21.2.1 First round of discovery
        2. 21.2.2 The second round of discovery
      4. Summary
      5. References
    9. 22 Discovery of Internet Service Provider Records
      1. Introduction
      2. 22.1 Internet Service Provider Records or IP Addresses
        1. 22.1.1 How to find the Internet service provider for an IP address step by step
        2. 22.1.2 Motion language once you know the IP address
      3. 22.2 Example Language for Web-Based E-Mail Addresses
      4. 22.3 What to Expect From an Internet Service Provider (ISP) Subpoena
      5. Summary
    10. 23 Discovery of Global Positioning System Evidence
      1. Introduction
      2. 23.1 GPS Tracking Evidence Overview
        1. 23.1.1 Categories of potential GPS tracking evidence
      3. 23.2 Discovery of GPS Evidence
        1. 23.2.1 Language for getting a GPS device for examination
        2. 23.2.2 Language for getting information from a manufacturer about a device
        3. 23.2.3 Language for getting GPS evidence from a third party
      4. Summary
    11. 24 Discovery of Call Detail Records
      1. Introduction
      2. 24.1 Discovery Issues in Cellular Evidence
      3. 24.2 Example Language for Call Detail Records
      4. Summary
    12. 25 Obtaining Expert Funding in Indigent Cases
      1. Introduction
      2. 25.1 Justifying Extraordinary Expenses
      3. 25.2 Example Language for an Ex Parte Motion for Expert Funds
      4. Summary
  11. 4 COMMON TYPES OF DIGITAL EVIDENCE
    1. 26 Hash Values: The Verification Standard
      1. Introduction
      2. 26.1 Hash Values
      3. 26.2 How Hash Values are Used in Digital Forensics
        1. 26.2.1 Using hash values to find hidden files
        2. 26.2.2 How to determine whether a file exists on a computer
        3. 26.2.3 De-duplicating data in e-discovery
        4. 26.2.4 The dangers of court testimony without verification
        5. 26.2.5 What if an opposing expert did not verify evidence?
      4. Summary
    2. 27 Metadata
      1. Introduction
      2. 27.1 The Purpose of Metadata
      3. 27.2 Common Types of Metadata
        1. 27.2.1 File system metadata
        2. 27.2.2 Internet metadata
        3. 27.2.3 Document metadata
        4. 27.2.4 Picture metadata
      4. Summary
    3. 28 Thumbnails and the Thumbnail Cache
      1. Introduction
      2. 28.1 Thumbnails and the Thumbnail Cache
      3. 28.2 How Thumbnails and the Thumbnail Cache Work
        1. 28.2.1 When are these thumbs.db cache files created?
        2. 28.2.2 Changes in Windows Vista and Windows 7
        3. 28.2.3 Thumbs.db and networked drives
      4. 28.3 Thumbnails and the Thumbnail Cache as Evidence
      5. Summary
      6. Reference
    4. 29 Deleted Data
      1. Introduction
      2. 29.1 How Data is Stored on a Hard Drive
        1. 29.1.1 Hard drive data storage structure
      3. 29.2 Deleted File Recovery
        1. 29.2.1 Simple file recovery
        2. 29.2.2 Advanced file recovery: file carving
      4. 29.3 Evidence of Data Destruction
        1. 29.3.1 Physical destruction
      5. Summary
    5. 30 Computer Time Artifacts (MAC Times)
      1. Introduction
      2. 30.1 Computer File System Time Stamps
      3. 30.2 Fundamental Issues in Forensic Analysis of Timeline
      4. 30.3 Created, Modified, Accessed
      5. 30.4 The Bottom Line
      6. Summary
    6. 31 Internet History (Web and Browser Caching)
      1. Introduction
      2. 31.1 What is Web Caching?
      3. 31.2 How Internet Browser (Web) Caching Works
      4. 31.3 Internet (Web) Caching as Evidence
      5. 31.4 What if the Internet Cache is Cleared by the User?
      6. Summary
    7. 32 Windows Shortcut Files (Link Files)
      1. Introduction
      2. 32.1 The Purpose of Link Files, How They are Created, and How They Work
      3. 32.2 How Link Files can be of Evidentiary Value
      4. 32.3 Link Files as Evidence
        1. 32.3.1 Using link files to show that a file was accessed by the user
        2. 32.3.2 Using link files to show that a deleted file once existed on a computer
        3. 32.3.3 Using link files to show that a contraband image was saved to a computer but never opened again
        4. 32.3.4 Connecting a deleted file on a computer to a USB device using link file evidence
      5. Summary
    8. 33 Cellular System Evidence and Call Detail Records
      1. Introduction
      2. 33.1 An Overview of the Cellular Phone System
      3. 33.2 How Cell Phones Work
        1. 33.2.1 Anatomy of a Cell Phone Call
      4. 33.3 Call Detail Records
      5. 33.4 Call Detail Records as Evidence of Cell Phone Location
        1. 33.4.1 A Cell Tower Location Example
      6. 33.5 Enhanced 911 Wireless Location Services
      7. 33.6 The E911 System Overview
      8. 33.7 Emergency Situations: Real-Time Cell Phone Tracking
      9. Summary
      10. Reference
    9. 34 E-mail Evidence
      1. Introduction
      2. 34.1 E-mail as Evidence
      3. 34.2 E-mail Storage and Access: Where is it?
        1. 34.2.1 Server-based storage
        2. 34.2.2 User-based E-mail Storage
      4. 34.3 Web Mail
      5. Summary
      6. Reference
    10. 35 Social Media
      1. Introduction
      2. 35.1 Common Forms of Social Networking (Social Media)
      3. 35.2 Evidence Out in the Open
      4. 35.3 Convenience Versus Security
      5. 35.4 The Allure of Anonymity
        1. 35.4.1 Hobby or obsession?
      6. 35.5 Social Media as Evidence
        1. 35.5.1 Connecting evidence from a device to social media evidence
      7. 35.6 Getting Information from Online Services
      8. Summary
      9. References
    11. 36 Peer-to-Peer Networks and File Sharing
      1. Introduction
      2. 36.1 What is Peer-to-Peer File Sharing?
      3. 36.2 How it Works
        1. 36.2.1 It’s all about sharing!
        2. 36.2.2 Using a file-sharing program
      4. 36.3 Privacy and Security Issues with Peer-to-Peer File Sharing
      5. 36.4 Peer-to-Peer Network Evidence
        1. 36.4.1 Investigating file-sharing networks
      6. Summary
      7. Reference
    12. 37 Cell Phones
      1. Introduction
      2. 37.1 The Fragile Nature of Cellular Evidence
        1. 37.1.1 Protecting cell phone evidence
      3. 37.2 Forensic Acquisition Methods for Cellular Phones
        1. 37.2.1 Logical acquisitions
        2. 37.2.2 Physical acquisitions
        3. 37.2.3 Manual examinations
      4. 37.3 Subscriber Identity Module (SIM) Cards
        1. 37.3.1 Media cards (removable storage cards)
      5. 37.4 Cell Phone Backup Files
      6. 37.5 Advanced Cell Phone Data Analytics
      7. 37.6 The Future of Cell Phone Forensics
      8. Summary
      9. References
    13. 38 Video and Photo Evidence
      1. Introduction
      2. 38.1 The Most Critical Steps in the Forensic Examination of Video and Photo Evidence
        1. 38.1.1 Documentation
        2. 38.1.2 Knowing how your tools work
      3. 38.2 Using Video and Photo Evidence in Cases
        1. 38.2.1 Enhancing an image or video
        2. 38.2.2 Determining the authenticity of a video or image
        3. 38.2.3 Contesting unqualified claims to video or image evidence
      4. Summary
      5. References
    14. 39 Databases
      1. Introduction
      2. 39.1 Databases in Everyday Life
      3. 39.2 What is a Database?
        1. 39.2.1 What is a database management system?
        2. 39.2.2 Modern databases
        3. 39.2.3 Database formats
      4. 39.3 Database Files as Evidence
      5. 39.4 Database Recovery
      6. 39.5 Data as Evidence
      7. Summary
    15. 40 Accounting Systems and Financial Software
      1. Introduction
      2. 40.1 Accounting and Money Management Programs
      3. 40.2 Personal Money Management Software
      4. 40.3 Business Accounting Software
        1. 40.3.1 Small business accounting software
        2. 40.3.2 Mid-level to enterprise accounting software
      5. 40.4 Getting the Evidence
      6. 40.5 Types of Evidence from Financial Software
      7. 40.6 Batch Files as Evidence
      8. 40.7 Other Sources of Financial Evidence
      9. Summary
    16. 41 Multiplayer Online Games
      1. Introduction
      2. 41.1 The Culture of Massively Multiplayer Online Role Playing Games (MMORPGs)
      3. 41.2 MMORPG Data as Evidence
        1. 41.2.1 Timeline evidence
        2. 41.2.2 Content evidence
        3. 41.2.3 General location evidence
        4. 41.2.4 Game subscriber information
        5. 41.2.5 Getting server-side evidence
      4. Summary
      5. References
    17. 42 Global Positioning Systems
      1. Introduction
      2. 42.1 An Overview of Global Positioning Systems
      3. 42.2 An Overview of the Navstar Global Positioning System
      4. 42.3 How GPS Works
        1. 42.3.1 How geolocation works using GPS
      5. 42.4 Types of GPS Evidence
        1. 42.4.1 Waypoints and routes
        2. 42.4.2 Track points and track logs
        3. 42.4.3 Other GPS device evidence
      6. 42.5 Collection of Evidence from GPS Devices
        1. 42.5.1 Preservation of GPS data
        2. 42.5.2 Challenges to data collection
        3. 42.5.3 Service-based data collection
      7. 42.6 Interpretation of GPS Evidence
        1. 42.6.1 Data errors
        2. 42.6.2 Map errors
      8. Summary
      9. References
  12. Index