Index
Introduction
Who Should Read This Book?
About This Book
How to Use This Book
What You Don't Need to Read
Foolish Assumptions
How This Book Is Organized
Part I: Digging Out and Documenting Electronic Evidence
Part II: Preparing to Crack the Case
Part III: Doing Computer Forensic Investigations
Part IV: Succeeding in Court
Part V: The Part of Tens
Glossary
About the Web Site and Blog
Icons Used in This Book
Where to Go from Here
Part I: Digging Out and Documenting Electronic Evidence
Chapter 1: Knowing What Your Digital Devices Create, Capture, and Pack Away — Until Revelation Day
Living and Working in a Recorded World
Deleting is a misnomer
Getting backed up
Delusions of privacy danced in their headsets
Giving the Third Degree to Computers, Electronics, and the Internet
Answering the Big Questions
What is my computer doing behind my back?
How does my data get out there?
Why can data be discovered and recovered easily?
Examining Investigative Methods
Getting permission
Choosing your forensic tools
Knowing what to look for and where
Gathering evidence properly
Revealing Investigation Results
Preparing bulletproof findings
Making it through trial
Chapter 2: Suiting Up for a Lawsuit or Criminal Investigation
Deciphering the Legal Codes
Learning about relevancy and admissibility
Getting started with electronic discovery
Deciding what's in and what's not
Playing by the rules
Managing E-Discovery
Understanding that timing is everything
Grasping ESI discovery problems
Avoiding overbroad requests
Shaping the request
Stepping through the response
Conducting the Investigation in Good Faith
Deciding Who's Paying the Bill
Chapter 3: Getting Authorized to Search and Seize
Getting Authority: Never Start Without It
Acknowledging who's the boss (not you!)
Putting together your team
Involving external sources
No warrant, no problem (if it's done legally)
Criminal Cases: Papering Your Behind (CYA)
Learning about the case and the target
Drafting an affidavit for a search warrant
Presenting an affidavit for judicial processing
Civil Cases: Verifying Company Policy
Searching with verbal permission (without a warrant)
Obtaining a subpoena
Chapter 4: Documenting and Managing the Crime Scene
Obsessing over Documentation
Keeping the chain complete
Dealing with carbon memories
Deciding who gets the evidence first
Getting to the truth
Directing the Scene
Papering the trail
Recording the scene: Video
Recording the sounds: Audio
Getting the lead out
Managing Evidence Behind the Yellow Tape
Arriving ready to roll: Bringing the right tools
Minimizing your presence
Stepping Through the Scene
Securing the area
Surveying the scene
Transporting the e-evidence
Part II: Preparing to Crack the Case
Chapter 5: Minding and Finding the Loopholes
Deciding to Take On a Client
Learning about the case and the theory
Finding out the client's priorities
Timing your work
Defining the scope of work
Determining Whether You Can Help the Case
Serving as a resource for the lawyer
Taking an active role
Answering big, blunt questions
Signing on the dotted line
Passing the Court's Standard As a Reliable Witness
Getting your credentials accepted
Impressing opinions on the jury
Going Forward with the Case
Digging into the evidence
Organizing and documenting your work
Researching and digging for intelligence
Keeping a Tight Forensic Defense
Plugging loopholes
Chapter 6: Acquiring and Authenticating E-Evidence
Acquiring E-Evidence Properly
Step 1: Determine the Type of Media You're Working With
Step 2: Find the Right Tool
Finding all the space
A write-protect device
Sterile media
Step 3: Transfer Data
Transferring data in the field
From computer to computer
From storage device to computer
Step 4: Authenticate the Preserved Data
Step 5: Make a Duplicate of the Duplicate
Chapter 7: Examining E-Evidence
The Art of Scientific Inquiry
Gearing Up for Challenges
Getting a Handle on Search Terms
Defining your search list
Using forensic software to search
Assuming risks
Challenging Your Results: Plants and Frames and Being in the Wrong Place
Knowing what can go wrong
Looking beyond the file
Finding No Evidence
No evidence of who logged in
No evidence of how it got there
Reporting Your Analysis
Chapter 8: Extracting Hidden Data
Recognizing Attempts to Blind the Investigator
Encryption and compression
Data hiding techniques
Defeating Algorithms, Hashes, and Keys
Finding Out-of-Sight Bytes
Cracking Passwords
Knowing when to crack and when not to crack
Disarming passwords to get in
Circumventing passwords to sneak in
Decrypting the Encrypted
Sloppiness cracks PGP
Desperate measures
Part III: Doing Computer Forensics Investigations
Chapter 9: E-Mail and Web Forensics
Opening Pandora's Box of E-Mail
Following the route of e-mail packets
Becoming Exhibit A
Tracking the biggest trend in civil litigation
Scoping Out E-Mail Architecture
E-mail structures
E-mail addressing
E-mail lingo
E-mail in motion
Seeing the E-Mail Forensics Perspective
Dissecting the message
Expanding headers
Checking for e-mail extras
Examining Client-Based E-Mail
Extracting e-mail from clients
Getting to know e-mail file extensions
Copying the e-mail
Printing the e-mail
Investigating Web-Based Mail
Searching Browser Files
Temporary files
Internet history
Looking through Instant Messages
Chapter 10: Data Forensics
Delving into Data Storage
The anatomy of a disk drive
Microsoft operating systems
Apple: HFS
Linux/Unix
Finding Digital Cavities Where Data Hides
Deleted files
Non-accessible space
RAM
Windows Registry
Search filtering
Extracting Data
Rebuilding Extracted Data
Chapter 11: Document Forensics
Finding Evidential Material in Documents: Metadata
Viewing metadata
Extracting metadata
Honing In on CAM (Create, Access, Modify) Facts
Discovering Documents
Luring documents out of local storage
Finding links and external storage
Rounding up backups
Chapter 12: Mobile Forensics
Keeping Up with Data on the Move
Shifting from desktop to handhelds
Considering mobile devices forensically
Recognizing the imperfect understanding of the technology
Making a Device Seizure
Mobile phones and SIM cards
Personal digital assistants
Digital cameras
Digital audio recorders
Cutting-Edge Cellular Extractions
Equipping for mobile forensics
Mobile forensic hardware
Securing the mobile device
Finding mobile data
Examining a smart phone step-by-step
Chapter 13: Network Forensics
Mobilizing Network Forensic Power
Identifying Network Components
Looking at the Open Systems Interconnection Model (OSI)
Cooperating with secret agents and controlling servers
Saving Network Data
Categorizing the data
Figuring out where to store all those bytes
Re-Creating an Event from Traffic
Analyzing time stamps
Putting together a data sequence
Spotting different data streams
Looking at Network Forensic Tools
Test Access Port (TAP)
Mirrors
Promiscuous NIC
Wireless
Discovering Network Forensic Vendors
Chapter 14: Investigating X-Files: eXotic Forensics
Taking a Closer Look at Answering Machines
Examining Video Surveillance Systems
Cracking Home Security Systems
Tracking Automobiles
Extracting Information from Radio Frequency Identification (RFID)
Examining Copiers
Taking a Look On the Horizon
Part IV: Succeeding in Court
Chapter 15: Holding Up Your End at Pretrial
Pretrial Motions
Motion to suppress evidence
Motion in limine
Motion to dismiss
Other motions
Handling Pretrial Hearings
Giving a Deposition
Swearing to tell truthful opinions
Surviving a deposition
Bulletproofing your opinions
Checking your statements
Fighting stage fright
Chapter 16: Winning a Case Before You Go to Court
Working Around Wrong Moves
Responding to Opposing Experts
Dealing with counterparts
Formatting your response
Responding to affidavits
Hardening your testimony
Chapter 17: Standing Your Ground in Court
Making Good on Deliverables
Understanding Barroom Brawls in the Courtroom
Managing challenging issues
Sitting on the stand
Instructing jurors about expert testimony
Presenting E-Evidence to Persuade
Staging a disaster
Exhibiting like an expert
Communicating to the Court
Giving testimony about the case
Answering about yourself
Getting paid without conflict
Part V: The Part of Tens
Chapter 18: Ten Ways to Get Qualified and Prepped for Success
The Front Ten: Certifications
ACE: AccessData
CCE: Certified Computer Examiner
CFCE: Certified Forensic Computer Examiner
CEECS: Certified Electronic Evidence Collection Specialist
Cisco: Various certifications
CISSP: Certified Information Systems Security Professional
CompTIA: Various certifications
EnCE: Guidance Software
Paraben training
SANS and GCFA: GIAC Certified Forensics Analyst
The Back Ten: Journals and Education
Chapter 19: Ten Tactics of an Excellent Investigator and a Dangerous Expert Witness
Stick to Finding and Telling the Truth
Don't Fall for Counsel's Tricks in Court
Be Irrefutable
Submit a Descriptive, Complete Bill
Prepare a Clear, Complete Report
Understand Nonverbal Cues
Look 'Em Straight in the Eye
Dress for Your Role As a Professional
Stay Certified and Up-to-Date
Know When to Say No
Chapter 20: Ten Cool Tools for Computer Forensics
Computer Forensic Software Tools
EnCase
Forensic ToolKit (FTK)
Device Seizure
Computer Forensic Hardware
FRED
WiebeTech Forensic Field Kit
Logicube
Computer Forensic Laboratories
Computer forensic data server
Forensic write blockers
Media wiping equipment
Recording equipment