Index

A
AccessData
Forensic Tool Kit (FTK), 38, 39
MPE+, 156
Registry Viewer, 125
Active data, 22
Administrator of PC, 71
Allred, Nephi, 87, 99
Amazon (Amazon Web Services), 165
American Academy of Forensic Sciences (AAFS), 11
Digital & Multimedia Sciences of, 11
American Society for Testing and Materials (ASTM), 12, 44
American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB), 11, 164
accreditation process, 43
ASCLD/LAB-International Supplemental Requirements, 43
international program, 43
legacy program, 43
Analysis, 8
degrees of likelihood, 9
Anti-Forensics.com, 83
Anti-forensics techniques, 83
breaking passwords or cryptanalysis, 90
brute force attack, 91
data destruction, 95
defragmentation, 96
dictionary attack, 91
hiding techniques, 84
password resetting, 91
steganography, 93
Anti-static material bags, 54
AOL Instant Messenger (AIM), 20, 125
Apple OSX Lion, 96
ASCII, 17
Authentication Center (AuC), 147
Auto-saved logs, 126
B
Barbara, John, 83
Base station, 147
Base Station Controller (BSC), 147
Binary, 15, 16
to text, 17
Bind, Torture, Kill (BTK) investigation, 3
BitLocker, 88, 89
BitPim, 155
Bits, bytes, and numbering schemes, 15
Bitstream image, 54
Blind test, 34
Blowfish Encryption Algorithm, 93
Botnet, 137
C
Caesar Cipher, 85, 86
Cain and Abel tool, 90
Call Detail Records (CDRs), 151
Campus Area Networks (CANs), 135
Caproni, Valerie, 83
Case file, 36
Casey Anthony trial, 130
CBL Data Shredder, 96
Cellebrite, 40
Cell phone evidence, 150
acquisition, physical and logical, 154
billing records, 152
Call Detail Records (CDRs), 151
collecting, 152
forensic tools for collecting, 155
Subscriber Identity Modules (SIMs), 154
Cell phones, 145
operating system (OS) of, 149
searches, 110
Cellular networks, 146
components, 147
types, 148
Central Processing Unit (CPU), 20
Chain of custody, 33, 53
of evidence, 7
Chat applications, 125
Check-out and check-in process, 33
Cipher Text, 85
Clarke, Richard, 128
Client/server network, 134
Client-side technology, 120
Cloning, forensic, 54
forensically clean drive, 56
forensic image formats for, 57
in hash values, 61
process, 56
purpose of, 55
risks and challenges, 57
value in eDiscovery, 57
Cloud computing, 21
benefits, 166
definition, 165
forensic and legal perspectives, 165, 166
Infrastructure as a Service (IaaS), 22
Platform as a Service (PaaS), 22
public, 165
Software as a Service (SaaS), 22
Cloud Service Providers (CSPs), 165
Clusters, 25
Code Division Multiple Access (CDMA), 148
Communications Assistance to Law Enforcement Act (CALEA), 107
Computer forensics, 6
Computer Forensic Tool Testing, 12
Computer Forensic Tool Testing Project (CFTT), 38
Computer Security Incident Handling Guide, 139
Computing “environments,”, 21
active data, 22
archival data, 23
cloud, 21
latent data, 22
mainframe system, 21
networked computer, 21
stand-alone computer, 21
Consent, 108
party’s legal ability to provide, 109
search, 108
technician’s ability to provide, 109
Consent-to-search form, 108
Content.IE5 directories, 130
Control, defined, 164
Cookies, 122
Crime scenes and collecting evidence. See also Documentation of evidence; Tracking user’s activity
cell phones, 49
chain of custody, 53
cloning a drive, 54
documenting crime scene, 51
final report, 62
hashing, 61
live acquisition concerns, 58
marking evidence, 54
notes, 52
order of volatility, 51
photography, 52
power of cell phones, 50
preserving evidence in RAM, 59
protection of cell phones, 50
removable media, 48
Crypto-Gram Newsletter (Bruce Schneier), 93
Cryptographic hashing algorithm, 61
CSI TV series, 13
Cyclical redundancy check (CRC), 136
D
Darik’s Boot, 96
Data destruction, 95
Data persistence, 24
Data types, 22
active, 22
archival, 23
latent, 22
Daubert v. Merrell Dow Pharmaceuticals, Inc., 116, 164
Davenport, Claude E., 91
Decimal, 15
“Deep sleep” modes, 66
Defragging, 96
Defragmentation, 96
Delete-a-thons, 67
Deleted data, 66, 154
Device Configuration Overlays (DCOs), 24
Dictionary attack, 91
Digital dependence, growth of, 1
Digital evidence, 1, 114
administrative matters, 5
application, 2
duty to preserve, 114
Scientific Working Group on, 10
Digital fingerprint. See Hashing
Digital forensics, 2, 163
9/11 attack, investigation using, 5
Bind, Torture, Kill (BTK) investigation using, 3
in civil litigations, 4
in the context of a criminal investigation, 3
definition, 2
organizations, contributions of, 10
process, 7
registry keys and log files, significance of, 10
scope of, 2
Securities and Exchange Commission (SEC), administrative investigation of, 6
speed of change, 168
standards and controls, 163
uses of, 3
Digital forensics practitioner, role in judicial system, 12
Digital Forensics With Open Source Tools (Cory Altheide and Harlan Carvey), 41
Digital forensic tools, 37
AccessData’s Forensic Tool Kit (FTK), 38, 39
crime scene kits, 40
Graphical User Interface (GUI)-based forensic tools, 42
hardware tools, 38, 42
hardware write-blocking device (HWB), 38
“Push-button” tools, 42
search tools, 41
software products, 40, 42
tool selection, 38
Digital universe, 1
Direct Client Connection (DCC), 126
DiskWipe, 96
Distributed Denial of Service (DDoS), 137
Document and Media Exploitation (DOMEX), 5
Documentation of evidence, 35, 153. See also Tracking user’s activity
chain of custody, 53
crime scene, 51
final report, 62
notes, 52
photography, 52
Domain Name Server (DNS), 120
Drive-wiping utilities, 96
Dropbox Pack-Rat service, 166. See also Cloud computing
Duty to preserve evidence, 114
Dynamic page, 120
E
E30 committee, 12
EFnet, 126
E.I. du Pont de Nemours v. Kolon Industries, 58
Elcomsoft’s System Recovery tool, 91
Electronically stored information (“ESI”), 113, 114
Electronic Communications Privacy Act (ECPA), 107
Electronic controls, 33
Electronic discovery (eDiscovery), 4, 57, 113
international, 115
sanctions in, 58
Electronic Serial Numbers (ESNs), 148
E-mail, 107, 127, 138
accessing, 124
components, 128
as evidence, 128
protocols, 127
reading headers, 129
shared accounts, 128
spoofing an, 128
things included in, 127
tracing, 128
E-mail servers, 134
EMule, 121
EnCase, 63, 69
Smartphone Examiner, 156
Encrypting File System (EFS), 89
Encryption, 85, 93
algorithms, 86
BitLocker, 88
FileVault, 89
full disk encryption (FDE), 88
key space, 88
TrueCrypt, 89
Evidence2.doc, 27
Evidence Eliminator software, 96, 97
Evidence storage, 33
check-out and check-in process, 33
policies and procedures, 34
quality assurance (QA), 34
Examiner’s final report, 36
Examiner’s notes, 36
Exigent circumstances, 109
Expert presentation, 9
Expert testimony, 116, 117
Exploiting a command, 138
External drives, 72
External test, 35
F
Facebook, 130
Federal Rules of Civil Procedure, 4
Fidelity National Information Services Inc. (FIS), 133
Fifth Circuit, 106
File Allocation Table (FAT), 23
File carving, 66
File extensions, 17
File fragmentation, 97
File headers and footers, 66
File servers, 134
File sharing, 135
File signature analysis, 17
File systems, 23
File translation layer, 168
FileVault, 88
Apple’s, 89
Final report, 62
FindLaw, 116
Firefox, 83, 84
Firewall, 137
Five root-level keys, 68, 69
Flash-based hard drives, 20
Flash memory, 20
Floats, 19
Florida Department of Law Enforcement (FDLE), 164
Foley, Tracey Lee Ann, 95
Forensic laboratories, 31. See also Digital forensic tools
accreditation and certification, 43, 44
case submission forms, 36
documentation, 35
evidence storage, 33
examiner’s final report, 36
examiner’s notes, 36
security, 32
tool validation process, 35
virtual, 32
Forensic science, definition of, 2
Forensic Science Education Programs Accreditation Commission (FEPAC), 11
Forensics examiners, 26
Forensic Toolkit (FTK®), 41, 63, 69
Fourth Amendment of the U.S. Constitution, 106
Electronic Communications Privacy Act (ECPA), 107
e-mail, 107
particularity mandated by, 111
reasonable expectation of privacy, 106, 109, 110
searches, 106
Frostwire, 121
Frye Test, 116
G
Gateway, 136
GigaTribe, 121
Global Area Networks (GANs), 135
Global positioning systems (GPS), 157
Global System for Mobile Communication (GSM), 148, 149
Gnutella requests, 121
Good, Donald, 35
Google, 165
Gmail, 127
Griffith, Jason “Blu,”, 158
Guest account of PC, 71
Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as an Expert Technical Witness, A (Fred Smith and Rebecca Bace), 117
H
Hackers, 134
Handoff, 148
Hard handoff, 148
Hardware write-blocking device (HWB), 38
Harlan Carvey’s RegRipper, 125
Hashing, 8, 61
algorithms, 61
example, 61
uses, 62
Hexadecimal, 16, 98
Hibernation, 67
Hibernation file (hiberfile.sys), 66
Hiding techniques, 84
encryption, 85
Hierarchical File System (HFS+), 23
History.IE5, 130
HKEY, 68
Home Location Register (HLR), 147
Host Protected Areas (HPAs), 24
Hybrid GPS units, 157
Hybrid sleep, 67
Hypertext Markup Language (HTML) document, 120
Hypertext Transfer Protocol (HTTP), 119
I
Identity Spoofing (IP Spoofing), 137
Imaging, 7
Incriminating document, 67
INDEX.DAT files, 121–123, 130
Infrastructure as a Service (IaaS), 22, 165
Inner workings of a computer, 15
allocated and unallocated space, 24
bits, bytes, and numbering schemes, 15
data persistence, 24
file extensions and file signatures, 17
file systems, 23
storage and memory, 18
Installed programs, 81
Integrated Circuit Card Identifier (ICC-ID), 154
Integrated Digitally Enhanced Network (iDEN), 148, 149
Internal test, 34
International Mobile Equipment Identity (IMEI), 149
International Mobile Subscriber Identity (IMSI), 154
Internet, 119
artifacts in the registry, 124
chat applications, 125
cookies, 122
Domain Name Server (DNS), 120
e-mail, 127
Gnutella requests, 121
history, 123
INDEX.DAT files, 121
interacting with website, forensics perspective, 120
Internet Protocol (IP) address, 120
Internet Relay Chat (IRC), 126
I Seek You (ICQ), 126
NTUSER.DAT file, 124
peer-to-peer (P2P), 121
social networking sites, 130
Temporary Internet Files (TIF), 122
Uniform Resource Locator (URL), 119
Web browsers, 120, 122
web pages, 120
web technology, 120
Internet Message Access Protocol (IMAP), 127
Internet protocol (IP) connection logs, 5
Internet Relay Chat (IRC), 126
Internet Service Providers (ISPs), 136
Intrusion Detection System (IDS), 137, 139
Intrusion of privacy, 111
IP address, 135, 136
IPv4 address, 135
IPv6 address, 135
IRCnet, 126
I Seek You (ICQ), 126
J
JavaScript, 120
John the Ripper tool, 90
K
KaZaA, 121
Kerckhoffs, Auguste, 87
Key space, 88
L
Latent data, 22
Leafs, 121
LinkedIn, 130
Link files, 81
Linux Ubuntu operating system, 41
Live acquisition/collection, 58
advantages of, 59
conducting and documenting, 60
evidence in RAM, 60
preserving evidence in RAM, 59
principles of, 59
Local Area Network (LAN), 135
Locard’s exchange principle, 9
Log files, 142
Logging, 126
Lord of the Rings (LOTR) fan, 92
M
Magnetic disks, 19
Magnetic hard drives, working of, 25
Mainframe system, 21
Malware, 33
Man-in-the-Middle-Attack, 137
Message Digest 5 (MD5), 61
Message ID, 129
Metadata, 75
accessed date/time stamp, 76
case examples, 77
created date/time stamp, 76
modified date/time stamp, 76
removing, 76
Metropolitan Area Networks (MANs), 135
Microsoft (Azure), 165
Hotmail, 127
Outlook Express, 127
RegEdit, 125
TechNet, 67
Mini-computers, 145
Mitnick, 137
Mobile Switching Center (MSC), 147
Motorola’s iTap, 151
Moussaoui, Zacarias, 5
Multimedia Messaging Service (MMS), 148
N
Narvaez, Elise, 158
National Academy of Sciences (NAS), 11
National High Tech Crime Unit (NHTCU), 138
National Initiative Cyber Security Education (NICE), 12
National Institute of Justice (NIJ), 38
National Institute of Standards and Technology (NIST), 11, 12, 38, 165
area of focus, 12
programs, 12
National Software References Library, 12
NetIntercept, 142
Netwitness Investigator, 142
Networked computer, 21
Network evidence and investigations, 140
investigation challenges, 143
investigative tools, 142
log files, 142
training and research in, 143
Networking
attack of a network, 137
fundamentals, 134
inside threats, 138
intrusions, response to, 139
security tools, 136
types, 135
Network intrusion detection system (NIDS), 137
Network intrusions, response to, 139
analysis of security incident, 139
containment, eradication, and recovery, 140
detecting a security incident, 139
post-incident activity, 140
preparation, 139
proactive measures, 139
responding to a security breach, 140
Network protocol, 134
Network Solutions, 121
New Technology File System (NTFS), 23
Nodes on Gnutella requests, 121
Nonaccredited labs and evidence collection, 44
Notes, 52
NTUSER.DAT file, 124
Nuke, 96
O
Omnibus Crime Control and Safe Streets Act (1968), 107
Open Handset Alliance, 150
Open test, 34
Operating system (OS) of cell phones, 149
Android, 150
Blackberrys, 149
iOS, 150
Symbian, 149
Optical discs, 20
Order of volatility, 51
Organizations of note, 10
Oxygen Forensic Suite, 155
P
Paraben Corporation, 40, 155
Parole officers, 109
Partially overwritten file, 25
Particularity, 111
Password Recovery Toolkit (PRTK), 90, 99
Password reset, 91
Patriot Act (2006), 107
Peer-to-peer (P2P), 121, 135
Personal Area Networks (PANs), 135
Personal Identification Number (PIN), 150, 154
Personal Unlock Key (PUK), 150, 154
Petabyte, 1
Photography, 52
Plain Text, 85
Plain view doctrine, 109
Platform as a Service (PaaS), 22, 165
Post Office Protocol (POP), 127
Power of cell phones, 50
Predictive text, 150
Prefetching, 80
Prepaid cell phones, 149
Print servers, 134
Private searches, 107
in workplace, 115
Public Switched Telephone Network (PSTN), 148
“Push to Talk,”, 149
Q
Quality assurance (QA), 34
administrative review, 34
proficiency tests, 34
technical review, 34
R
Rackspace, 165
Rader, Dennis, 3
RAM, 20
Reasonable expectation of privacy, 106, 109, 110
Recently used lists, 78
Recycle bin, 73
bypass, 74
function, 73
Regional Computer Forensic Laboratory (RCFL) program, 31, 32
Registry, 67
case examples using, 69, 71
Internet Explorer artifacts in, 124
structure, 68
Removable media, 48
Removable storage media, 49
Repeatability (quality assurance), 8
Reporting, 9
Restore points (RPs), 79
Restricted access, 32
Riley v. California, 110
S
SANS Institute, 143
SANS Investigative Forensic Toolkit (SIFT), 41
Schneier, Bruce, 93
Scientific method, 10
Scientific Working Group for DN Analysis Methods (SWGDAM), 10
Scientific Working Group for Firearms and Toolmarks (SWGGUN), 10
Scientific Working Group on Digital Evidence (SWGDE), 11, 164
digital forensic certification, core competencies of, 44
mission of, 11
Screen names, 125
Search authority, 7
Searches, 106
border, 109
cell phone, 110
of computer hardware and software, 112
exceptions, 107
notion of common areas, 108, 109
plain view doctrine, 109
private, 107, 115
with warrant, 111
Secrets & Lies: Digital Security in a Networked World (Bruce Schneier), 93
Sectors, 25
Secure Erase, 96, 99
Secure Hashing Algorithm (SHA) 1 and 2, 61
Securities and Exchange Commission (SEC), 6
issues with firewall, 6
Office of the Inspector General (OIG), 6
Security Account Manager (SAM), 91
Security identifier (SID), 72
Server-side technology, 120
Service Level Agreements (SLAs), 167
Shadow copies, 79, 80
Short Message Service Center (SMSC), 147
“Show” commands, 142
Simple Mail Transfer Protocol (SMTP), 127
Slack space, 25, 28, 29
Sleep mode, 67
Sniffers, 142
Snort, 142
Social engineering, 134, 137
Social networking sites, 130
Software as a Service (SaaS), 22, 165
Solid State Drive (SSD), 20
Solid state hard drives (SSDs), 167
Spindle, 19
Spoliation of evidence, 114
Spoofing, 128
Spooling, 72
Stand-alone computer, 21
Standard, defined, 163
Standard Operating Procedures (SOPs), 34
Steganography, 93
Steganography Analysis and Center (SARC), 94
Stego Suite™, 94
Storage and memory of a computer, 18
flash memory, 20
magnetic disks, 19
optical discs, 20
removable media, 48
volatile vs nonvolatile memory, 20
Stored Communications Act (SCA), 113, 115
Subscriber Identity Modules (SIMs), 154
“Swiss Army knife”-like capabilities, 41
System data, 157
T
Technical Work Groups (TWGs), 10
Tegic Communication’s T9, 151
Temporary Internet Files (TIF), 122
Tenth Circuit, 107
Thehacker, Bill, 92
Thumbnail images as evidence, 78
Time Division Multiple Access (TDMA), 149
Time To Live (TTL) value, 121
Top Level Domain (TLD), 119
Tracking user’s activity
attribution, 71
deleted data, finding, 66
hibernation files, 67
installed programs, 81
link files, 81
metadata usage, 75
most recently used lists, 78
prefetch files, 80
printing activities, 72
program folder, 81
recycle bin operation, 73
registry, examining, 67
restore points, 79
shadow copies, 79, 80
system date and time stamps, 76
thumbnail images as evidence, 78
Track log, 157
Trackpoints, 157
Transmission Control Protocol/Internet Protocol (TCP/IP), 134, 135
TrueCrypt, 89
Trusted Platform Module (TPM), 89
Twitter, 130, 169
U
Ultrapeers, 121
Undernet, 126
Unicode, 17
Uniform Resource Locator (URL), 119
United States Secret Service (USSS), 138
United States v. Frye, 116
United States v. Slanina, 106
Universal Forensic Extraction Device (UFED), 156
U.S. Immigration and Customs Enforcement Cybercrime Center, 91
USBStor keys, 71
User data, 157
User Identification Number (UIN), 127
V
Validated tools, 8
Vance, Christopher, 158
Verizon Business, 138
Virtual labs, 32
accessibility, 32
integrity of evidence, 33
Visitor Location Register (VLR), 147
Voicemail evidence, 154
Volatile vs nonvolatile memory, 20
W
Warrantless search, 107
Waypoints, 157
Webmail evidence, 123
Web pages, 120
Webroot Window Washer Eliminator, 96
Web technology, 120
Wide Area Network (WAN), 135
Windows Live Mail, 127
Wireshark, 142
Wiretap Act (1968), 107
Woodall, Glen, 35
World Wide Web, 122
Y
Yahoo, 125
Z
Zain, Fred, 35
Zatyko, Ken, 2
ZiCorp’s eZiText, 151
Zombies, 137
Zubalake v. USB Warburg, 114