The Best Damn Cybercrime and Digital Forensics Book Period

Book Description

Electronic discovery refers to a process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a legal case. Computer forensics is the application of computer investigation and analysis techniques to perform an investigation to find out exactly what happened on a computer and who was responsible. IDC estimates that the U.S. market for computer forensics will grow from $252 million in 2004 to $630 million by 2009. Business is strong outside the United States as well. By 2011, the estimated international market will be $1.8 billion. The Techno Forensics Conference has increased in size by almost 50% in its second year, another example of the rapid growth in the market.

This book is the first to combine cybercrime and digital forensic topics to provide law enforcement and IT security professionals with the information needed to manage a digital investigation. Everything needed for analyzing forensic data and recovering digital evidence can be found in one place, including instructions for building a digital forensics lab.

* Digital investigation and forensics is a growing industry
* Corporate I.T. departments needing to investigate incidents related to corporate espionage or other criminal activities are learning as they go and need a comprehensive step-by-step guide to e-discovery
* Appeals to law enforcement agencies with limited budgets

Table of Contents

  1. Copyright
  2. Contributing Authors
  3. 1. Computer Forensics in Today’s World
    1. Introduction
    2. History of Forensics
    3. Objectives of Computer Forensics
    4. Computer-Facilitated Crimes
    5. Reasons for Cyber Attacks
    6. Computer Forensic Flaws and Risks
      1. Modes of Attack
        1. Stages of Forensic Investigation in Tracking Computer Crime
    7. Rules of Computer Forensics
      1. Digital Forensics
      2. Assessing the Case: Detecting/Identifying the Event/Crime
      3. Preservation of Evidence: Chain of Custody
      4. Collection: Data Recovery, Evidence Collection
      5. Examination: Tracing, Filtering, Extracting Hidden Data
      6. Analysis
    8. Approach the Crime Scene
    9. Where and When Do You Use Computer Forensics?
    10. Legal Issues
    11. The Computer Forensics Lab
    12. Laboratory Strategic Planning for Business
      1. Philosophy of Operation
        1. A Forensics Laboratory Is a Business Venue
        2. A Forensics Laboratory Is a Technology Venue
        3. A Forensics Laboratory Is a Scientific Venue
        4. A Forensics Laboratory Is an Artistic Venue
      2. Core Mission and Services
      3. Revenue Definition
        1. “I Know How Expensive I Am. Now, How Do I Get Paid?”
      4. SOP (Standard Operating Procedure)
        1. Quality Standards: Accreditation
        2. Quality Standards: Auditing
      5. Human Talent
        1. Education and Continuing Education
    13. Elements of Facilities Build-out
      1. Space Planning Considerations
        1. Examination Environment
        2. Evidence Storage
        3. Network Facilities
      2. Fire Protection/Suppression
        1. Water Dispersion Systems
          1. Wet Pipe System
          2. Dry Pipe System
          3. Preaction System
        2. Gaseous Suppression
          1. Inert Gas Suppressors
          2. Fluorine Compound Suppressors
        3. Chemical Suppression
    14. Electrical and Power Plant Considerations
      1. LAN/WAN Planning
      2. HVAC
        1. Abatements
          1. Temperature
          2. Humidity
        2. Static Electricity
        3. EMI (electromagnetic interference)
        4. Acoustic Balancing
      3. Security
      4. Evidence Locker Security
      5. General Ambience
      6. Spatial Ergonomics
        1. A Note on “common office technology”
        2. Personal Workspace Design
        3. Common Area Considerations
    15. Essential Laboratory Tools
      1. Write Blockers
        1. Write Block Field Kits
        2. Hardware Duplication Platforms
        3. Portable Forensics Systems
        4. Portable Enterprise Systems
        5. Laboratory Forensics Systems
      2. Media Sterilization Systems
      3. Data Management (Backup, Retention, Preservation)
        1. CD/DVD Hardware Solutions
      4. Portable Device Forensics, Some Basic Tools
        1. Faraday Devices as Applied to Forensics
        2. Real-World Examples
      5. Portable Devices and Data Storage
        1. Locating the Data
        2. Power
        3. Readers, readers, readers!
        4. Cables, cables, cables!
      6. Forensic Software
        1. Operating Systems
        2. File Systems
        3. Investigative Platforms
        4. Other/Specialty Tools
      7. Tools in the Enterprise
      8. Ad Hoc scripts and programs
      9. Software Licensing
      10. Tool Validation
  4. 2. Digital Forensics: An Overview
    1. Introduction
    2. Digital Forensic Principles
      1. Practice Safe Forensics
      2. Establish and Maintain a Chain of Custody
      3. Minimize Interaction with Original Evidence
      4. Use Proven Tools and Know How They Work
        1. Is the Tool in General Use?
        2. What Is the History of the Developer and the Tool?
        3. Do You Know How the Tool Works?
      5. Conduct Objective Analysis and Reporting
    3. Digital Environments
      1. Corporate
      2. Government
      3. Academic
      4. The Internet
      5. The Home
    4. Digital Forensic Methodologies
      1. Litigation Support
        1. Identification
        2. Collection
        3. Organization
        4. Presentation
      2. Digital Media Analysis
        1. Identification
        2. Collection
        3. Analysis
      3. Network Investigations
        1. Identification
        2. Collection
        3. Analysis
    5. Summary
    6. Solutions Fast Track
      1. Digital Forensic Principles
      2. Digital Environments
      3. Digital Forensic Methodologies
    7. Frequently Asked Questions
  5. 3. Developing an Enterprise Digital Investigative/Electronic Discovery Capability
    1. Introduction
    2. Identifying Requirements for an Enterprise Digital Investigative/Electronic Discovery Capability
      1. Costs
      2. Time
      3. Resources
      4. Allies
    3. Administrative Considerations for an Enterprise Digital Investigative/Electronic Discovery Capability
      1. Policy and Standard Operating Procedures
      2. Funding
      3. Organizational Framework
      4. Training
      5. Tool Validation
      6. Certification
      7. Accreditation
    4. Identifying Resources (Software/Hardware/Facility) for Your Team
      1. Software
      2. Hardware and Storage
      3. Hardware
      4. Storage
      5. Write Blockers
      6. Facility
      7. Location
      8. Security
      9. Ventilation and Air-Conditioning Systems
      10. Electrical and Power Systems
    5. Summary
    6. References
    7. Frequently Asked Questions
  6. 4. Integrating a Quality Assurance Program in a Digital Forensic Laboratory
    1. Introduction
    2. Quality Planning, Quality Reviews, and Continuous Quality Improvement
      1. Deficiencies and Driving Out Error
      2. Meeting Client Stated and Implied Needs
      3. Continuous Quality Improvement
      4. Laboratory Planning
        1. The Structure of an Organization’s SOPs or QAMs
          1. Mission Objectives
          2. Laboratory Administration
          3. Personnel Responsibilities and Job Descriptions
          4. Laboratory Operations
          5. Standard Operating Procedures
          6. Quality System
          7. Document History and Approval
      5. “Do” or Executing the Plan
        1. “Check” or Study Processes
      6. “Act” or Adapt and Refine the Plan
      7. Continuous Upward Spiral of Excellence
      8. Cost of Quality: Why Bother?
    3. Other Challenges: Ownership, Responsibility and Authority
      1. Management’s Responsibility for Ownership in the Quality System
      2. The Quality Manager
      3. Personalities and Patience
      4. Assess Your Client’s Needs
      5. Adapt to Your Client’s Needs
        1. Private Sector Challenge
    4. Summary
    5. Frequently Asked Questions
  7. 5. Balancing E-discovery Challenges with Legal and IT Requirements
    1. Introduction
    2. Drivers of E-discovery Engineering
      1. Storage
      2. Federal Rules of Civil Procedure
        1. Purpose
      3. Costs
    3. Locations, Forms and Preservation of Electronically Stored Information
      1. Locations of ESI
      2. Forms of ESI
        1. File Types
        2. Metadata Fields
    4. Legal and IT Team Considerations for Electronic Discovery
      1. IT Members within the Legal Team
        1. Records and Information Managers
        2. Information Lifecycle Managers
        3. E-mail, IM, and PDA Managers
        4. Backup and Archiving Managers
    5. Are You Litigation Ready?
      1. Served with a Request
        1. Contact Your Chief Information Officer or Equivalent
        2. Be Prepared to Field Questions from the Professionals
        3. Be Prepared to Ask Questions
        4. Interviews
        5. Inventory
      2. Discovery Readiness Planning
        1. Project Scope/Collect Available Information
        2. Interviews
        3. Data Cataloging/Mapping
        4. Review of Information Collected
        5. Gap Analysis
        6. Findings and Recommendations
        7. Business Process Improvement
    6. E-discovery Tools
    7. Summary
    8. Frequently Asked Questions
  8. 6. Forensic Software and Hardware
    1. Introduction
    2. Part 1: Forensic Software Tools
      1. Visual TimeAnalyzer
      2. X-Ways Forensics
      3. Evidor
      4. Slack Space & Data Recovery Tools
        1. Ontrack
        2. DriveSpy
      5. Data Recovery Tools
        1. Device Seizure
        2. Forensic Sorter
        3. Directory Snoop
      6. Permanent Deletion of Files
        1. PDWipe
        2. Darik’s Boot and Nuke (DBAN)
      7. File Integrity Checker
        1. FileMon
        2. File Date Time Extractor (FDTE)
        3. Decode - Forensic Date/Time Decoder
      8. Disk Imaging Tools
        1. Snapback DatArrest
      9. Partition Managers: Partimage
      10. Linux/UNIX Tools: Ltools and Mtools
        1. LTools
        2. MTools
        3. The Coroner’s Toolkit (TCT) and Tctutils
      11. Password Recovery Tools
        1. @Stake
        2. Decryption Collection Enterprise
        3. AIM Password Decoder
        4. MS Access Database Password Decoder
        5. FavURLView - Favorite Viewer
        6. NetAnalysis
      12. Multipurpose Tools
        1. Maresware
        2. LC Technologies Software
        3. WinHex Specialist Edition
        4. Prodiscover DFT
      13. Toolkits
        1. NTI Tools
          1. Stealth Suite
          2. Computer Incident Response Suite
          3. Data Elimination Suite
          4. TextSearch Suite
          5. NTI Secure ToolKit
          6. SafeBack 3.0
        2. R-Studio
      14. Datalifter
        1. Forensic Toolkit (FTK)
        2. Image Master Solo and Fastbloc
          1. Image MASSter Solo
          2. FastBloc
        3. Encase
        4. E-mail Recovery Tools
          1. Paraben’s E-mail Examiner
        5. Network E-mail Examiner
        6. Oxygen Phone Manager
        7. SIM Card Seizure
        8. Autoruns
        9. HashDig
        10. Patchit
        11. PowerGREP
        12. Reverse Engineering Compiler
    3. Part 2: Forensic Hardware Tools
      1. Hard Disk Write Protection Tools
        1. NoWrite
        2. FireWire DriveDock
        3. LockDown
        4. Write Protect Card Reader
        5. Drive Lock IDE
        6. Serial-ATA DriveLock Kit
        7. Wipe MASSter
        8. ImageMASSter Solo-3 IT
        9. ImageMASSter 4002i
        10. ImageMASSter 3002SCSI
        11. Image MASSter 3004 SATA
    4. Summary
    5. Frequently Asked Questions
  9. 7. Incident Response: Live Forensics and Investigations
    1. Introduction
    2. Postmortem versus Live Forensics
      1. Evolution of the Enterprise
      2. Evolution of Storage
      3. Encrypted File Systems
    3. Today’s Live Methods
    4. Case Study: Live vs. Postmortem
    5. Computer Analysis for the Hacker Defender Program
    6. Network Analysis
    7. Summary
    8. Special Thanks
    9. References
    10. Frequently Asked Questions
  10. 8. Seizure of Digital Information
    1. Introduction
    2. Defining Digital Evidence
    3. Digital Evidence Seizure Methodology
      1. Seizure Methodology in Depth
        1. Step 1: Digital Media Identification
        2. Step 2: Minimizing the Crime Scene by Prioritizing the Physical Media
        3. Step 3: Seizure of Storage Devices and Media
        4. To Pull the Plug or Not to Pull the Plug, that Is the Question
    4. Factors Limiting the Wholesale Seizure of Hardware
      1. Factors Limiting Wholesale Seizure: Size of Media
      2. Factors Limiting Wholesale Seizure: Disk Encryption
      3. Factors Limiting Wholesale Seizure: Privacy Concerns
      4. Factors Limiting Wholesale Seizure: Delays Related to Laboratory Analysis
      5. Protecting the Time of the Most Highly Trained Personnel
      6. The Concept of the First Responder
    5. Other Options for Seizing Digital Evidence
      1. Responding to a Victim of a Crime Where Digital Evidence Is Involved
      2. Seizure Example
      3. Previewing Information On-scene to Determine the Presence and Location of Evidentiary Data Objects
      4. Obtaining Information from a Running Computer
      5. Imaging Information On-Scene
      6. Imaging Finite Data Objects On-Scene
      7. Use of Tools for Digital Evidence Collection
    6. Common Threads within Digital Evidence Seizure
    7. Determining the Most Appropriate Seizure Method
    8. Summary
    9. Works Cited
      1. Additional Relevant Resources
    10. Frequently Asked Questions
  11. 9. Conducting Cyber Investigations
    1. Introduction
    2. Demystifying Computer/Cyber Crime
    3. Understanding IP Addresses
    4. The Explosion of Networking
      1. Hostname
      2. MAC Address
    5. The Explosion of Wireless Networks
      1. Hotspots
      2. Wardriving
      3. Wireless Storage Devices
    6. Interpersonal Communication
      1. E-mail
      2. Chat/Instant Messaging
      3. Social Networking and Blogging
      4. Media and Storage
    7. Summary
    8. Frequently Asked Questions
  12. 10. Acquiring Data, Duplicating Data, and Recovering Deleted Files
    1. Introduction
    2. Recovering Deleted Files and Deleted Partitions
      1. Deleting Files
        1. Command Line Delete
        2. Moving Files
        3. Disk Cleanup
        4. Permanently Destroying Data
      2. Recycle Bin
        1. What Gets Deleted
        2. Configuring the Recycle Bin
        3. Storage Locations of the Recycle Bin
        4. Undeleting or Permanently Deleting a File
        5. Damaged Recycle Bins
      3. Data Recovery in Linux
      4. Recovering Deleted Files
      5. Deleted File Recovery Tools
        1. Undelete Tools
          1. Undelete
          2. Active@ Data Recovery Software
          3. R-Undelete
          4. Easy-Undelete
          5. WinUndelete
          6. Restoration
          7. Mycroft V3
          8. Recover My Files
          9. eData Unerase
          10. Recover4all Professional
          11. File Scavenger
          12. VirtualLab
          13. File Recover
          14. Badcopy Pro
          15. Zero Assumption Recovery
          16. SUPERFileRecover
          17. DiskInternals Uneraser and NTFS Recovery
          18. PC Inspector File Inspector
          19. Search and Recover
          20. O&O Unerase
          21. Filesaver
          22. Stellar Phoenix
          23. Restorer 2000
          24. R-linux
          25. PC ParaChute
        2. Recycle Bin Replacements
          1. Diskeeper Undelete
          2. Fundelete
        3. CD/DVD Data Recovery
          1. CDRoller
          2. IsoBuster
          3. CD Data Rescue
          4. InDisk Recovery
        4. Microsoft Office Repair and Recovery
          1. OfficeFIX
          2. Repair My Excel and Repair My Word
        5. Compressed Files
          1. Zip Repair
        6. Deleted Images
          1. eIMAGE Recovery
          2. Canon RAW File Recovery Software
          3. ImageRecall
          4. RecoverPlus Pro
          5. Zero Assumption Digital Image Recovery
          6. DiskInternals Flash Recovery
          7. PC Inspector Smart Recovery
      6. Recovering Deleted Partitions
        1. Deleting Partitions Using Windows
        2. Deleting Partitions from the Command Line
          1. FDISK
          2. DISKPART
      7. Deleted Partition Recovery Tools
        1. Active@ Partition Recovery
        2. Active@ Disk Image
        3. DiskInternals Partition Recovery
        4. GetDataBack
        5. NTFS Deleted Partition Recovery
        6. Handy Recovery
        7. Acronis Recovery Expert
        8. TestDisk
        9. Scaven
        10. Recover It All!
        11. Partition Table Doctor
    3. Data Acquisition and Duplication
      1. Data Acquisition Tools
        1. FTK Imager
        2. SafeBack
        3. DriveSpy
        4. Mount Image Pro
        5. DriveLook
        6. DiskExplorer
        7. SnapBack DatArrest
        8. SCSIPAK
        9. IBM DFSMSdss
      2. Hardware Tools
        1. ImageMASSter Solo-3 Forensic
        2. LinkMASSter-2 Forensic
        3. ImageMASSter 6007SAS
        4. RoadMASSter-3
        5. Disk Jockey IT
      3. Backing Up and Duplicating Data
        1. R-Drive Image
        2. Save-N-Sync
        3. QuickCopy
      4. Acquiring Data in Linux
        1. DD
        2. Netcat
    4. Summary
    5. Frequently Asked Questions
  13. 11. Forensic Discovery and Analysis Using BackTrack
    1. Introduction
    2. Digital Forensics
    3. Acquiring Images
      1. Linux dd
      2. Linux dcfldd
      3. dd_rescue
    4. Forensic Analysis
      1. Autopsy
      2. mboxgrep
      3. memfetch
      4. Memfetch Find
      5. pasco
      6. Rootkit Hunter
      7. The Sleuth Kit
      8. The Sleuth Kit Continued: Allin1 for The Sleuth Kit
      9. Vinetto
    5. File Carving
      1. Foremost
      2. Magicrescue
    6. Case Studies: Digital Forensics with the BackTrack Distribution
    7. Summary
  14. 12. Windows, Linux, and Macintosh Boot Processes
    1. Introduction
    2. The Boot Process
      1. System Startup
        1. POST: Power On Self Test
        2. The Master Boot Record
      2. Loading MSDOS
      3. Loading Windows XP
      4. Loading Linux
        1. LILO Booting
        2. GRUB Booting
    3. The Macintosh Boot Process
      1. EFI and BIOS: Similar but Different
        1. DARWIN
          1. The OS X Kernel
    4. Macintosh Forensic Software
      1. BlackBag Forensic Suite
        1. Directory Scan
        2. FileSpy
        3. HeaderBuilder
        4. Other Tools
      2. Carbon Copy Cloner
        1. MacDrive6/7
    5. Summary
    6. Frequently Asked Questions
  15. 13. Windows and Linux Forensics
    1. Introduction
    2. Windows Forensics
      1. Where Can You Locate and Gather Evidence on a Windows Host?
        1. How Can You Gather Volatile Evidence?
        2. The Features and Advantages of Windows Forensics Tools
          1. Helix Live on Windows
          2. The Tools Present in Helix CD for Windows Forensics
          3. MD5 Generators
          4. Pslist
          5. fport
          6. Psloggedon
      2. What Is File Slack? How Can You Investigate Windows File Slack?
        1. How Do You Examine File Systems?
        2. Built-in Tool: Sigverif
        3. The Word Extractor Forensic Tool
      3. How Can You Interpret the Windows Registry and Memory Dump Information?
        1. HKEY_LOCAL_MACHINE
          1. Registry Viewer Tool: RegScanner
          2. Microsoft Security ID
        2. Summary of the Features and Importance of Memory Dump
          1. Pagefile.sys and PMDump
        3. What Is Virtual Memory?
        4. System Scanner
        5. Integrated Windows Forensics Software: X-Ways Forensics and its Features
      4. How Can You Investigate Internet Traces?
        1. Traces Viewer
        2. IECookiesView
        3. IE History Viewer
        4. Cache Monitor
      5. How Do You Investigate System State Backups?
        1. Investigating ADS Streams
        2. Creating a CD-ROM Bootable for Windows XP
          1. Bart PE (Bart Preinstalled Environment): Screenshot
          2. Ultimate Boot CD-ROM
    3. Linux Forensics
      1. Why Use Linux as a Forensic Tool?
      2. File System Description
        1. The Primary Linux Directories
        2. Mount Command
        3. The Linux Boot Sequence
      3. The Challenges in Disk Forensics with Linux
      4. Popular Linux Forensics Tools
        1. The Sleuth Kit
          1. Tools Present in “The Sleuth Kit”
        2. Autopsy
          1. The Evidence Analysis Techniques in Autopsy
        3. SMART for Linux
        4. Penguin Sleuth
          1. Tools Included in Penguin Sleuth Kit
        5. Forensix
        6. Maresware
          1. Major Programs Present in Maresware
        7. Captain Nemo
        8. The Farmer’s Boot CD
    4. Summary
    5. Frequently Asked Questions
  16. 14. Investigating Network Traffic and Investigating Logs
    1. Introduction
    2. Overview of the OSI Model
      1. Layers of the OSI Model
        1. The Physical Layer
        2. The Data Link Layer
        3. The Network Layer
        4. The Transport Layer
        5. The Session Layer
        6. The Presentation Layer
        7. The Application Layer
    3. Network Addresses and NAT
    4. Network Information-Gathering Tools
      1. Sniffers
      2. Intrusion Detection
    5. Snort
      1. Gathering Snort Logs
      2. Building an Alerts Detail Report
        1. Alerts by IP Address
      3. Building an Alerts Overview Report
    6. Monitoring User Activity
      1. Tracking Authentication Failures
        1. Listing Failed Logons
        2. Identifying Single versus Multiple Failed Logons
      2. Identifying Brute Force Attacks
        1. Identifying a Brute Force Authentication Attack
      3. Tracking Security Policy Violations
        1. Determining Logon/Logoff Behavior
      4. Auditing Successful and Unsuccessful File Access Attempts
        1. Auditing Unsuccessful File Access Attempts
        2. Auditing Successful File Access Attempts
    7. Summary
    8. Frequently Asked Questions
  17. 15. Router Forensics and Network Forensics
    1. Introduction
    2. Network Forensics
      1. The Hacking Process
      2. The Intrusion Process
    3. Searching for Evidence
    4. An Overview of Routers
      1. What Is a Router?
      2. The Function of a Router
      3. The Role of a Router
      4. Routing Tables
      5. Router Architecture
      6. Routing Protocols
        1. RIP
        2. OSPF
    5. Hacking Routers
      1. Router Attacks
      2. Router Attack Topology
      3. Denial-of-Service Attacks
      4. Routing Table Poisoning
      5. Hit-and-Run Attacks and Persistent Attacks
    6. Investigating Routers
      1. Chain of Custody
        1. Volatility of Evidence
        2. Case Reports
    7. Incident Response
      1. Compromises
    8. Summary
    9. Frequently Asked Questions
  18. 16. Investigating Wireless Attacks
    1. Introduction
    2. Basics of Wireless
      1. Advantages of a Wireless Network
      2. Disadvantages of a Wireless Network
      3. Association of Wireless AP and a Device
      4. Access Control
        1. Encryption
        2. WEP
        3. WPA
        4. MAC Filtering
        5. Cloaking the SSID
    3. Wireless Penetration Testing
      1. Search Warrants
      2. Direct Connections to Wireless Access Point
        1. Scanning for Wireless Access Points with Nmap
        2. Scanning for Wireless Access Points with Nessus
        3. Rogue Access Points
      3. Wireless Connect to a Wireless Access Point
        1. Information Gathering
          1. Kismet
          2. Aircrack-ng
        2. Injection
        3. Cracking
      4. Passive and Active Sniffing
      5. Logging
    4. Summary
    5. Frequently Asked Questions
  19. 17. E-mail Forensics
    1. Introduction
    2. Where to Start?
      1. E-mail Terminology
        1. Here is an Example HELO Exchange from Wikipedia
        2. Functions of E-mail
        3. Archive Types
        4. Server Storage Archives
          1. MS Exchange
        5. Lotus Notes
        6. Novell GroupWise
        7. Local Level Archives
          1. What is a local storage archive?
        8. Ingredients of E-mail
          1. Mailbox/Archive
        9. Mailbox Archive
        10. Other Associated Files of the Archive
        11. Message
          1. Header
          2. Body
          3. Encoding
          4. Encoding Types
        12. Attachments
    3. Forensic Acquisition
    4. Processing Local Mail Archives
      1. Step 1-Acquisition Outlook PST file
      2. Step 2-Processing
        1. Using Paraben’s E-mail Examiner
        2. Using MS Outlook for processing Outlook Express files
        3. Processing Server Level Archives
        4. Step 1 Acquisition
        5. Step 2 Processing
      3. Using OnTrack PowerControls
      4. Using Paraben’s Network E-mail Examiner (NEMX)
        1. Deleted E-mail Recovery
        2. Eudora Mail
        3. Outlook PST
        4. Network Archives
  20. 18. Steganography and Application Password Crackers
    1. Introduction
      1. History of Steganography
        1. The Greeks
        2. The Chinese
        3. The Culpers
        4. Civil War Rugs
        5. World War I
        6. World War II
        7. The Vietnam War
        8. Terrorists
      2. The Future of Steganography
    2. Classification of Steganography
      1. Background Information to Image Steganography
      2. Insertion
      3. Substitution
        1. Example 1
      4. Creation
    3. Six Categories of Steganography in Forensics
      1. Substitution System
      2. Transform Domain Techniques
      3. Spread Spectrum Techniques
      4. Statistical Methods
      5. Distortion Techniques
      6. Cover Generation Methods
    4. Types of Steganography
      1. Linguistic Steganography
      2. Text Semagrams
      3. Technical Steganography
      4. Embedding Methods
      5. Least Significant Bit
      6. Transform Techniques
      7. Spread-Spectrum Encoding
      8. Perceptual Masking
    5. Application of Steganography
      1. Still Images: Pictures
      2. Moving Images: Video
      3. Audio Files
      4. Text Files
      5. Steganographic File Systems
      6. Hiding in Disk Space
      7. Unused Sectors
      8. Hidden Partitions
      9. Slack Space
    6. Hiding in Network Packets
    7. Issues in Information Hiding
      1. Levels of Visibility
      2. Robustness vs. Payload
      3. File Format Dependence
    8. Steg Tools
      1. Snow
      2. Steganos
      3. Gifshuffle
      4. Outguess
      5. Stegomagic
    9. Steganography vs. Watermarking
      1. Fragile
      2. Robust
    10. Attacking Watermarking
      1. Mosaic Attack
      2. 2Mosaic
    11. Detecting and Attacking Steganography
      1. Detection
      2. Statistical Tests
      3. Stegdetect
      4. Stegbreak
      5. Visible Noise
      6. Appended Spaces and “Invisible” Characters
      7. Color Palettes
      8. Attacking Steganography
        1. Steg-Only Attack
        2. Known-Cover Attack
        3. Known-Message Attack
        4. Known-Stego Attack
        5. Chosen-Stego Attack
        6. Chosen-Message Attack
        7. Disabling or Active Attacks
          1. Blur
          2. Noise
          3. Noise Reduction
          4. Sharpen
          5. Rotate
          6. Resample
          7. Soften
    12. Application Password Cracking
      1. Types of Password Cracking
        1. Guessing
        2. Dictionary
        3. Brute Force
        4. Syllable Attack
        5. Rule-Based
        6. Hybrid
        7. Rainbow
      2. Password-Cracking Tools
        1. Cain and Abel
        2. LCP
        3. Ophcrack
        4. John the Ripper
        5. Brutus
        6. Rock XP
      3. Common Recommendations for Improving Passwords
        1. No Dictionary Words
        2. No Personal Data
        3. Multiple Character Sets
        4. Do Not Store Weak Hashes
      4. Standard Password Advice
        1. Change
        2. Not in More Than One Place
        3. Size
        4. Creation
    13. Summary
  21. 19. PDA and Blackberry
    1. Introduction
      1. PDA Background Information
      2. Components of a PDA
    2. PDA Forensics
      1. Investigative Methods
      2. Step 1: Examination
      3. Step 2: Identification
      4. Step 3: Collection
      5. Step 4: Documentation
    3. PDA Investigative Tips
      1. Device Switched On
      2. Device Switched Off
      3. Device in Its Cradle
      4. Device Not in Its Cradle
      5. Wireless Connection
      6. Expansion Card in Slot
    4. Expansion Sleeve Removed
    5. Deploying PDA Forensic Tools
      1. PDA Secure
      2. PDA Seizure
      3. EnCase
    6. Introduction to the Blackberry
      1. Operating System of the Blackberry
      2. Blackberry Operation and Security
      3. Wireless Security
    7. Security for Stored Data
    8. Forensic Examination of a Blackberry
      1. Acquisition of Information Considerations
      2. Device is in the “Off” State
      3. Device is in the “On” State
      4. Password Protected
      5. Evidence Collection
      6. Unit Control Functions
      7. Imaging and Profiling
    9. Attacking the Blackberry
    10. Securing the Blackberry
      1. Information Hiding in a Blackberry
      2. Blackberry Signing Authority Tool
    11. Summary
    12. Frequently Asked Questions
  22. 20. MP3 Forensics
    1. Introduction
    2. History
    3. Why Is an iPod Considered Alternative Media?
    4. Imaging and Hashing
    5. Hardware vs. Nonhardware Imaging
      1. Removing the Hard Drive
      2. Linux
      3. Registry Keys
    6. Types of iPods
      1. File Types Supported
    7. File Systems
    8. “Hacking Tools” and Encrypted Home Directories
    9. Evidence: Normal vs. Not Normal
      1. Uncovering What Should Not Be There
    10. Analysis Tools
    11. Summary