Guide to Computer Forensics and Investigations 6th Edition PDF
Document Details
Uploaded by Deleted User
2019
Bill Nelson, Amelia Phillips, Christopher Steuart
Summary
This page reproduces the front matter (title and copyright pages, brief contents, full table of contents, and preface) of Guide to Computer Forensics and Investigations: Processing Digital Evidence, Sixth Edition, by Bill Nelson, Amelia Phillips, and Christopher Steuart, published by Cengage Learning in 2019 (ISBN 978-1-337-56894-4). The book's sixteen chapters run from the digital forensics profession, the investigator's lab, and data acquisition through crime-scene processing, Windows, Linux, and Macintosh file systems, forensics tools and validation, graphics recovery, virtual machine, live, network, e-mail, social media, mobile, and cloud forensics, and close with report writing, expert testimony, and ethics for the expert witness.
Full Transcript
Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

Information Security
Guide to Computer Forensics and Investigations, Sixth Edition
Bill Nelson, Amelia Phillips, Chris Steuart
Australia, Brazil, Mexico, Singapore, United Kingdom, United States

Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. The publisher reserves the right to remove content from this title at any time if subsequent rights restrictions require it. For valuable information on pricing, previous editions, changes to current editions, and alternate formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for materials in your areas of interest.

Important Notice: Media content referenced within the product description or the product text may not be available in the eBook version.
Guide to Computer Forensics and Investigations: Processing Digital Evidence, Sixth Edition
Bill Nelson, Amelia Phillips, Christopher Steuart

© 2019, 2016 Cengage Learning, Inc. Unless otherwise noted, all content is © Cengage. ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced or distributed in any form or by any means, except as permitted by U.S. copyright law, without the prior written permission of the copyright owner.

Source for illustrations: Copyright © Cengage. Microsoft® is a registered trademark of the Microsoft Corporation.

For product information and technology assistance, contact us at Cengage Customer & Sales Support, 1-800-354-9706 or support.cengage.com. For permission to use material from this text or product, submit all requests online at www.cengage.com/permissions.

Library of Congress Control Number: 2018936389
ISBN: 978-1-337-56894-4

Cengage, 20 Channel Center Street, Boston, MA 02210, USA

Cengage is a leading provider of customized learning solutions with employees residing in nearly 40 different countries and sales in more than 125 countries around the world. Find your local representative at www.cengage.com. Cengage products are represented in Canada by Nelson Education, Ltd. To learn more about Cengage platforms and services, visit www.cengage.com. To register or access your online learning solution or purchase materials for your course, visit www.cengagebrain.com.

Publishing staff
- SVP, GM Skills: Jonathan Lau
- Product Director: Lauren Murphy
- Product Team Manager: Kristin McNary
- Product Manager: Amy Savino
- Product Assistant: Jake Toth
- Executive Director, Content Design: Marah Bellegarde
- Director, Learning Design: Leigh Hefferon
- Learning Designer: Natalie Onderdonk
- Development Editor: Lisa M. Lord
- Sr. Marketing Director: Michele McTighe
- Assoc. Marketing Manager: Cassie Cloutier
- Director, Content Delivery: Patty Stephan
- Senior Content Manager: Brooke Greenhouse
- Digital Delivery Lead: Jim Vaughey
- Senior Designer: Diana H. Graham
- Production Service/Composition: SPi Global
- Cover Image(s): iStock.com/Vertigo3d

Notice to the Reader
Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis in connection with any of the product information contained herein. Publisher does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such instructions. The publisher makes no representations or warranties of any kind, including but not limited to, the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and the publisher takes no responsibility with respect to such material. The publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or part, from the readers’ use of, or reliance upon, this material.

Printed in the United States of America
Print Number: 01, Print Year: 2018
Brief Contents
- Preface (p. xvii)
- Introduction (p. xix)
- Chapter 1: Understanding the Digital Forensics Profession and Investigations (p. 1)
- Chapter 2: The Investigator’s Office and Laboratory (p. 63)
- Chapter 3: Data Acquisition (p. 93)
- Chapter 4: Processing Crime and Incident Scenes (p. 143)
- Chapter 5: Working with Windows and CLI Systems (p. 195)
- Chapter 6: Current Digital Forensics Tools (p. 267)
- Chapter 7: Linux and Macintosh File Systems (p. 305)
- Chapter 8: Recovering Graphics Files (p. 339)
- Chapter 9: Digital Forensics Analysis and Validation (p. 377)
- Chapter 10: Virtual Machine Forensics, Live Acquisitions, and Network Forensics (p. 415)
- Chapter 11: E-mail and Social Media Investigations (p. 453)
- Chapter 12: Mobile Device Forensics and the Internet of Anything (p. 493)
- Chapter 13: Cloud Forensics (p. 523)
- Chapter 14: Report Writing for High-Tech Investigations (p. 561)
- Chapter 15: Expert Testimony in Digital Investigations (p. 591)
- Chapter 16: Ethics for the Expert Witness (p. 631)
- Appendix A: Certification Test References (p. 681)
- Appendix B: Digital Forensics References (p. 685)
- Appendix C: Digital Forensics Lab Considerations (p. 691)
- Appendix D: Legacy File System and Forensics Tools (p. 697)
- Glossary (p. 705)
- Index (p. 721)
68944_fm_hr_i-xxx.indd 4 3/15/18 3:10 PM Table of Contents PREFACE xvii INTRODUCTION xix CHAPTER 1 Understanding the Digital Forensics Profession and Investigations 1 An Overview of Digital Forensics 2 Digital Forensics and Other Related Disciplines 4 A Brief History of Digital Forensics 7 Understanding Case Law 9 Developing Digital Forensics Resources 9 Preparing for Digital Investigations 11 Understanding Law Enforcement Agency Investigations 11 Following Legal Processes 13 Understanding Private-Sector Investigations 15 Maintaining Professional Conduct 21 Preparing a Digital Forensics Investigation 22 An Overview of a Computer Crime 22 An Overview of a Company Policy Violation 24 Taking a Systematic Approach 25 Procedures for Private-Sector High-Tech Investigations 32 Employee Termination Cases 32 Internet Abuse Investigations 32 E-mail Abuse Investigations 33 Attorney-Client Privilege Investigations 34 Industrial Espionage Investigations 36 Understanding Data Recovery Workstations and Software 38 Setting Up Your Workstation for Digital Forensics 40 Conducting an Investigation 41 Gathering the Evidence 41 Understanding Bit-stream Copies 41 Analyzing Your Digital Evidence 43 Completing the Case 50 Critiquing the Case 52 Chapter Summary 52 Key Terms 53 Review Questions 54 Hands-On Projects 55 Case Projects 61 v Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 
68944_fm_hr_i-xxx.indd 5 3/15/18 3:10 PM vi Table of Contents CHAPTER 2 The Investigator’s Office and Laboratory 63 Understanding Forensics Lab Accreditation Requirements 64 Identifying Duties of the Lab Manager and Staff 64 Lab Budget Planning 65 Acquiring Certification and Training 69 Determining the Physical Requirements for a Digital Forensics Lab 71 Identifying Lab Security Needs 72 Conducting High-Risk Investigations 72 Using Evidence Containers 73 Overseeing Facility Maintenance 75 Considering Physical Security Needs 75 Auditing a Digital Forensics Lab 76 Determining Floor Plans for Digital Forensics Labs 76 Selecting a Basic Forensic Workstation 78 Selecting Workstations for a Lab 79 Selecting Workstations for Private-Sector Labs 80 Stocking Hardware Peripherals 80 Maintaining Operating Systems and Software Inventories 81 Using a Disaster Recovery Plan 81 Planning for Equipment Upgrades 82 Building a Business Case for Developing a Forensics Lab 82 Preparing a Business Case for a Digital Forensics Lab 84 Chapter Summary 88 Key Terms 89 Review Questions 89 Hands-On Projects 90 Case Projects 91 CHAPTER 3 Data Acquisition 93 Understanding Storage Formats for Digital Evidence 94 Raw Format 95 Proprietary Formats 95 Advanced Forensic Format 96 Determining the Best Acquisition Method 97 Contingency Planning for Image Acquisitions 99 Using Acquisition Tools 101 Mini-WinFE Boot CDs and USB Drives 101 Acquiring Data with a Linux Boot CD 102 Capturing an Image with AccessData FTK Imager Lite 116 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. 
Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 68944_fm_hr_i-xxx.indd 6 3/15/18 3:10 PM Table of Contents vii Validating Data Acquisitions 121 Linux Validation Methods 122 Windows Validation Methods 124 Performing RAID Data Acquisitions 125 Understanding RAID 125 Acquiring RAID Disks 128 Using Remote Network Acquisition Tools 129 Remote Acquisition with ProDiscover 130 Remote Acquisition with EnCase Enterprise 131 Remote Acquisition with R-Tools R-Studio 131 Remote Acquisition with WetStone US-LATT PRO 132 Remote Acquisition with F-Response 132 Using Other Forensics Acquisition Tools 132 PassMark Software ImageUSB 132 ASR Data SMART 132 Runtime Software 133 ILookIX IXImager 133 SourceForge 133 Chapter Summary 133 Key Terms 134 Review Questions 134 Hands-On Projects 135 Case Projects 140 CHAPTER 4 Processing Crime and Incident Scenes 143 Identifying Digital Evidence 144 Understanding Rules of Evidence 145 Collecting Evidence in Private-Sector Incident Scenes 153 Processing Law Enforcement Crime Scenes 158 Understanding Concepts and Terms Used in Warrants 158 Preparing for a Search 160 Identifying the Nature of the Case 160 Identifying the Type of OS or Digital Device 160 Determining Whether You Can Seize Computers and Digital Devices 161 Getting a Detailed Description of the Location 161 Determining Who Is in Charge 162 Using Additional Technical Expertise 163 Determining the Tools You Need 163 Preparing the Investigation Team 166 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). 
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 68944_fm_hr_i-xxx.indd 7 3/15/18 3:10 PM viii Table of Contents Securing a Digital Incident or Crime Scene 166 Seizing Digital Evidence at the Scene 167 Preparing to Acquire Digital Evidence 168 Processing Incident or Crime Scenes 169 Processing Data Centers with RAID Systems 172 Using a Technical Advisor 172 Documenting Evidence in the Lab 173 Processing and Handling Digital Evidence 173 Storing Digital Evidence 174 Evidence Retention and Media Storage Needs 175 Documenting Evidence 176 Obtaining a Digital Hash 176 Reviewing a Case 179 Sample Civil Investigation 179 An Example of a Criminal Investigation 181 Reviewing Background Information for a Case 182 Planning the Investigation 182 Conducting the Investigation: Acquiring Evidence with OSForensics 182 Chapter Summary 186 Key Terms 188 Review Questions 188 Hands-On Projects 189 Case Projects 192 CHAPTER 5 Working with Windows and CLI Systems 195 Understanding File Systems 196 Understanding the Boot Sequence 196 Understanding Disk Drives 197 Solid-State Storage Devices 200 Exploring Microsoft File Structures 201 Disk Partitions 201 Examining FAT Disks 209 Examining NTFS Disks 212 NTFS System Files 214 MFT and File Attributes 215 MFT Structures for File Data 220 NTFS Alternate Data Streams 228 NTFS Compressed Files 232 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). 
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 68944_fm_hr_i-xxx.indd 8 3/15/18 3:10 PM Table of Contents ix NTFS Encrypting File System 232 EFS Recovery Key Agent 232 Deleting NTFS Files 233 Resilient File System 234 Understanding Whole Disk Encryption 235 Examining Microsoft BitLocker 236 Examining Third-Party Disk Encryption Tools 236 Understanding the Windows Registry 237 Exploring the Organization of the Windows Registry 238 Examining the Windows Registry 240 Understanding Microsoft Startup Tasks 244 Startup in Windows 7, Windows 8, and Windows 10 244 Startup in Windows NT and Later 245 Understanding Virtual Machines 248 Creating a Virtual Machine 249 Chapter Summary 257 Key Terms 258 Review Questions 259 Hands-On Projects 260 Case Projects 266 CHAPTER 6 Current Digital Forensics Tools 267 Evaluating Digital Forensics Tool Needs 268 Types of Digital Forensics Tools 269 Tasks Performed by Digital Forensics Tools 270 Tool Comparisons 281 Other Considerations for Tools 283 Digital Forensics Software Tools 283 Command-Line Forensics Tools 284 Linux Forensics Tools 285 Other GUI Forensics Tools 287 Digital Forensics Hardware Tools 287 Forensic Workstations 288 Using a Write-Blocker 289 Recommendations for a Forensic Workstation 290 Validating and Testing Forensics Software 290 Using National Institute of Standards and Technology Tools 290 Using Validation Protocols 292 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). 
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 68944_fm_hr_i-xxx.indd 9 3/15/18 3:10 PM x Table of Contents Chapter Summary 293 Key Terms 294 Review Questions 294 Hands-On Projects 296 Case Projects 303 CHAPTER 7 Linux and Macintosh File Systems 305 Examining Linux File Structures 306 File Structures in Ext4 313 Understanding Macintosh File Structures 320 An Overview of Mac File Structures 320 Forensics Procedures in Mac 323 Using Linux Forensics Tools 326 Installing Sleuth Kit and Autopsy 327 Examining a Case with Sleuth Kit and Autopsy 329 Chapter Summary 333 Key Terms 334 Review Questions 334 Hands-On Projects 335 Case Projects 337 CHAPTER 8 Recovering Graphics Files 339 Recognizing a Graphics File 340 Understanding Bitmap and Raster Images 340 Understanding Vector Graphics 341 Understanding Metafile Graphics 341 Understanding Graphics File Formats 341 Understanding Digital Photograph File Formats 342 Understanding Data Compression 347 Lossless and Lossy Compression 347 Locating and Recovering Graphics Files 348 Identifying Graphics File Fragments 349 Repairing Damaged Headers 349 Searching for and Carving Data from Unallocated Space 351 Rebuilding File Headers 356 Reconstructing File Fragments 360 Identifying Unknown File Formats 360 Analyzing Graphics File Headers 361 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. 
Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 68944_fm_hr_i-xxx.indd 10 3/15/18 3:10 PM Table of Contents xi Tools for Viewing Images 363 Understanding Steganography in Graphics Files 363 Using Steganalysis Tools 367 Understanding Copyright Issues with Graphics 367 Chapter Summary 369 Key Terms 371 Review Questions 371 Hands-On Projects 373 Case Projects 376 CHAPTER 9 Digital Forensics Analysis and Validation 377 Determining What Data to Collect and Analyze 378 Approaching Digital Forensics Cases 378 Using Autopsy to Validate Data 381 Collecting Hash Values in Autopsy 383 Validating Forensic Data 388 Validating with Hexadecimal Editors 388 Validating with Digital Forensics Tools 393 Addressing Data-Hiding Techniques 395 Hiding Files by Using the OS 395 Hiding Partitions 395 Marking Bad Clusters 398 Bit-Shifting 399 Understanding Steganalysis Methods 402 Examining Encrypted Files 403 Recovering Passwords 404 Chapter Summary 405 Key Terms 406 Review Questions 406 Hands-On Projects 408 Case Projects 413 CHAPTER 10 Virtual Machine Forensics, Live Acquisitions, and Network Forensics 415 An Overview of Virtual Machine Forensics 416 Type 2 Hypervisors 417 Conducting an Investigation with Type 2 Hypervisors 422 Working with Type 1 Hypervisors 432 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 
68944_fm_hr_i-xxx.indd 11 3/15/18 3:10 PM xii Table of Contents Performing Live Acquisitions 434 Performing a Live Acquisition in Windows 435 Network Forensics Overview 435 The Need for Established Procedures 436 Securing a Network 436 Developing Procedures for Network Forensics 438 Investigating Virtual Networks 443 Examining the Honeynet Project 444 Chapter Summary 445 Key Terms 446 Review Questions 447 Hands-On Projects 448 Case Projects 450 CHAPTER 11 E-mail and Social Media Investigations 453 Exploring the Role of E-mail in Investigations 454 Exploring the Roles of the Client and Server in E-mail 455 Investigating E-mail Crimes and Violations 457 Understanding Forensic Linguistics 457 Examining E-mail Messages 458 Viewing E-mail Headers 460 Examining E-mail Headers 463 Examining Additional E-mail Files 464 Tracing an E-mail Message 465 Using Network E-mail Logs 465 Understanding E-mail Servers 466 Examining UNIX E-mail Server Logs 468 Examining Microsoft E-mail Server Logs 469 Using Specialized E-mail Forensics Tools 470 Using Magnet AXIOM to Recover E-mail 472 Using a Hex Editor to Carve E-mail Messages 475 Recovering Outlook Files 479 E-mail Case Studies 479 Applying Digital Forensics Methods to Social Media Communications 480 Social Media Forensics on Mobile Devices 482 Forensics Tools for Social Media Investigations 483 Chapter Summary 484 Key Terms 486 Review Questions 486 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 
68944_fm_hr_i-xxx.indd 12 3/15/18 3:10 PM Table of Contents xiii Hands-On Projects 488 Case Projects 491 CHAPTER 12 Mobile Device Forensics and the Internet of Anything 493 Understanding Mobile Device Forensics 494 Mobile Phone Basics 495 Inside Mobile Devices 498 Understanding Acquisition Procedures for Mobile Devices 500 Mobile Forensics Equipment 503 Using Mobile Forensics Tools 506 Understanding Forensics in the Internet of Anything 510 Chapter Summary 513 Key Terms 514 Review Questions 514 Hands-On Projects 515 Case Projects 521 CHAPTER 13 Cloud Forensics 523 An Overview of Cloud Computing 524 History of the Cloud 524 Cloud Service Levels and Deployment Methods 524 Cloud Vendors 526 Basic Concepts of Cloud Forensics 527 Legal Challenges in Cloud Forensics 528 Service Level Agreements 528 Jurisdiction Issues 530 Accessing Evidence in the Cloud 531 Technical Challenges in Cloud Forensics 534 Architecture 534 Analysis of Cloud Forensic Data 535 Anti-Forensics 535 Incident First Responders 535 Role Management 536 Standards and Training 536 Acquisitions in the Cloud 536 Encryption in the Cloud 537 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 
68944_fm_hr_i-xxx.indd 13 3/15/18 3:10 PM xiv Table of Contents Conducting a Cloud Investigation 539 Investigating CSPs 539 Investigating Cloud Customers 540 Understanding Prefetch Files 540 Examining Stored Cloud Data on a PC 541 Windows Prefetch Artifacts 546 Tools for Cloud Forensics 547 Forensic Open-Stack Tools 547 F-Response for the Cloud 548 Magnet AXIOM Cloud 548 Chapter Summary 548 Key Terms 550 Review Questions 550 Hands-On Projects 552 Case Projects 559 CHAPTER 14 Report Writing for High-Tech Investigations 561 Understanding the Importance of Reports 561 Limiting a Report to Specifics 563 Types of Reports 563 Guidelines for Writing Reports 565 What to Include in Written Preliminary Reports 566 Report Structure 567 Writing Reports Clearly 568 Designing the Layout and Presentation of Reports 570 Generating Report Findings with Forensics Software Tools 574 Using Autopsy to Generate Reports 575 Chapter Summary 579 Key Terms 580 Review Questions 580 Hands-On Projects 581 Case Projects 590 CHAPTER 15 Expert Testimony in Digital Investigations 591 Preparing for Testimony 591 Documenting and Preparing Evidence 593 Reviewing Your Role as a Consulting Expert or an Expert Witness 594 Creating and Maintaining Your CV 595 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 
68944_fm_hr_i-xxx.indd 14 3/15/18 3:10 PM Table of Contents xv Preparing Technical Definitions 595 Preparing to Deal with the News Media 596 Testifying in Court 596 Understanding the Trial Process 597 Providing Qualifications for Your Testimony 597 General Guidelines on Testifying 599 Testifying During Direct Examination 603 Testifying During Cross-Examination 604 Preparing for a Deposition or Hearing 607 Guidelines for Testifying at Depositions 608 Guidelines for Testifying at Hearings 610 Preparing Forensics Evidence for Testimony 610 Preparing a Defense of Your Evidence-Collection Methods 613 Chapter Summary 614 Key Terms 615 Review Questions 615 Hands-On Projects 617 Case Projects 628 CHAPTER 16 Ethics for the Expert Witness 631 Applying Ethics and Codes to Expert Witnesses 631 Forensics Examiners’ Roles in Testifying 633 Considerations in Disqualification 634 Traps for Unwary Experts 636 Determining Admissibility of Evidence 636 Organizations with Codes of Ethics 637 International Society of Forensic Computer Examiners 637 International High Technology Crime Investigation Association 638 International Association of Computer Investigative Specialists 638 American Bar Association 639 American Psychological Association 639 Ethical Difficulties in Expert Testimony 639 Ethical Responsibilities Owed to You 640 Standard Forensics Tools and Tools You Create 641 An Ethics Exercise 642 Performing a Cursory Exam of a Forensic Image 642 Performing a Detailed Exam of a Forensic Image 645 Performing the Exam 651 Interpreting Attribute 0x80 Data Runs 653 Carving Data Run Clusters Manually 660 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). 
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 68944_fm_hr_i-xxx.indd 15 3/15/18 3:10 PM xvi Table of Contents Chapter Summary 663 Key Terms 665 Review Questions 665 Hands-On Projects 666 Case Projects 679 APPENDIX A Certification Test References 681 APPENDIX B Digital Forensics References 685 APPENDIX C Digital Forensics Lab Considerations 691 APPENDIX D Legacy File System and Forensics Tools 697 GLOSSARY 705 INDEX 721 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 68944_fm_hr_i-xxx.indd 16 3/15/18 3:10 PM Preface Guide to Computer Forensics and Investigations is now in its sixth edition. As digital technology and cyberspace have evolved from their early roots as basic communication platforms into the hyper-connected world we live in today, so has the demand for people who have the knowledge and skills to investigate legal and technical issues involv- ing computers and digital technology. My sincere compliments to the authors and publishing staff who have made this textbook such a remarkable resource for thousands of students and practitioners worldwide. Computers, the Internet, and the world’s digital ecosystem are all instrumental in how we conduct our daily lives. 
When the founding fathers of the modern computing era were designing the digital infrastructure as we know it today, security and temporal accountability issues were not at the top of their list of things to do. The technological advancement of these systems over the past 10 years has changed the way we learn, socialize, and conduct business. Finding digital data that can be used as evidence to incriminate or exonerate a suspect accused in a legal or administrative proceeding is not an easy task.

Cyberthreats have become pervasive in modern society. They range from simple computer viruses to complex ransomware and cyber extortion schemes. The ability to conduct sophisticated digital forensics investigations has become a requirement in both the government and commercial sectors. Currently, the organizations and agencies whose job it is to investigate both criminal and civil matters involving the use of rapidly developing digital technology often struggle to keep up with the ever-changing digital landscape. Additionally, finding trained and qualified people to conduct these types of inquiries has been challenging.

Today, an entire industry has evolved for the purpose of investigating events occurring in cyberspace to include incidents involving international and corporate espionage, massive data breaches, and even cyberterrorism. The opportunities for employment in this field are expanding every day. Professionals in this exciting field of endeavor are now in high demand and are expected to have multiple skill sets in areas such as malware analysis, cloud computing, social media, and mobile device forensics.

Guide to Computer Forensics and Investigations can now be found in both academic and professional environments as a reliable source of current technical information and practical exercises concerning investigations involving the latest digital technologies. It’s my belief that this book, combined with an enthusiastic and knowledgeable facilitator, makes for a fascinating course of instruction.

As I have stated to many of my students in the past, it’s not just laptop computers and servers that harbor the binary code of ones and zeros, but an infinite array of digital devices. If one of these devices retains evidence of a crime, it’s up to newly trained and educated digital detectives to find the evidence in a forensically sound manner. This book will assist both students and practitioners in accomplishing this goal.

Respectfully,
John A. Sgromolo

As a Senior Special Agent, John was one of the founding members of the NCIS Computer Crime Investigations Group. John left government service to run his own company, Digital Forensics, Inc., and has taught hundreds of law enforcement and corporate students nationwide in the art and science of digital forensics investigations. Currently, he serves as a senior consultant for Verizon’s Global Security Services, where he helps manage the Threat Intel Response Service.
Introduction

Computer forensics, now most commonly called “digital forensics,” has been a professional field for many years, but most well-established experts in the field have been self-taught. The growth of the Internet and the worldwide proliferation of computers have increased the need for digital investigations. Computers can be used to commit crimes, and crimes can be recorded on computers, including company policy violations, embezzlement, e-mail harassment, murder, leaks of proprietary information, and even terrorism. Law enforcement, network administrators, attorneys, and private investigators now rely on the skills of professional digital forensics experts to investigate criminal and civil cases.

This book is not intended to provide comprehensive training in digital forensics. It does, however, give you a solid foundation by introducing digital forensics to those who are new to the field. Other books on digital forensics are targeted to experts; this book is intended for novices who have a thorough grounding in computer and networking basics. The new generation of digital forensics experts needs more initial training because operating systems, computer and mobile device hardware, and forensics software tools are changing more quickly. This book covers current and past operating systems and a range of hardware, from basic workstations and high-end network servers to a wide array of mobile devices. Although this book focuses on a few forensics software tools, it also reviews and discusses other currently available tools.
The purpose of this book is to guide you toward becoming a skilled digital forensics investigator. A secondary goal is to help you pass related certification exams. As the field of digital forensics and investigations matures, keep in mind that certifications will change. You can find more information on certifications in Chapter 2 and Appendix A.

Intended Audience

Although this book can be used by people with a wide range of backgrounds, it’s intended for those with A+ and Network+ certifications or the equivalent. A networking background is necessary so that you understand how computers operate in a networked environment and can work with a network administrator when needed. In addition, you must know how to use a computer from the command line and how to use common operating systems, including Windows, Linux, and macOS, and their related hardware.

This book can be used at any educational level, from technical high schools and community colleges to graduate students. Current professionals in the public and private sectors can also use this book. Each group will approach investigative problems from a different perspective, but all will benefit from the coverage.
What’s New in This Edition

The chapter flow of this book is organized so that you’re first exposed to what happens in a forensics lab and how to set one up before you get into the nuts and bolts. Coverage of several GUI tools has been added to give you a familiarity with some widely used software. In addition, Chapter 11 has additional coverage of social media forensics, Chapter 12 has been expanded to include more information on smartphones and tablets, and Chapter 13 on forensics procedures for information stored in the cloud has been updated. Corrections have been made to this edition based on feedback from users, and all software tools and Web sites have been updated to reflect what’s current at the time of publication. Finally, a new digital lab manual is being offered in MindTap for Guide to Computer Forensics and Investigations to go with the sixth edition textbook.

Chapter Descriptions

Here is a summary of the topics covered in each chapter of this book:

Chapter 1, “Understanding the Digital Forensics Profession and Investigations,” introduces you to the history of digital forensics and explains how the use of electronic evidence developed. It also reviews legal issues and compares public and private sector cases. This chapter also explains how to take a systematic approach to preparing a digital investigation, describes how to conduct an investigation, and summarizes requirements for workstations and software.

Chapter 2, “The Investigator’s Office and Laboratory,” outlines physical requirements and equipment for digital forensics labs, from small private investigators’ labs to the regional FBI lab. It also covers certifications for digital investigators and building a business case for a forensics lab.

Chapter 3, “Data Acquisition,” explains how to prepare to acquire data from a suspect’s drive and discusses available Linux and GUI acquisition tools.
This chapter also discusses acquiring data from RAID systems and gives you an overview of tools for remote acquisitions.

Chapter 4, “Processing Crime and Incident Scenes,” explains search warrants and the nature of a typical digital forensics case. It discusses when to use outside professionals, how to assemble a team, and how to evaluate a case and explains the correct procedures for searching and seizing evidence. This chapter also introduces you to calculating hashes to verify data you collect.

Chapter 5, “Working with Windows and CLI Systems,” discusses the most common operating systems. You learn what happens and what files are altered during computer startup and how file systems deal with deleted and slack space. In addition, this chapter covers some options for decrypting drives encrypted with whole disk encryption and explains the purpose of using virtual machines.

Chapter 6, “Current Digital Forensics Tools,” explores current digital forensics software and hardware tools, including those that might not be readily available, and evaluates their strengths and weaknesses.

Chapter 7, “Linux and Macintosh File Systems,” continues the operating system discussion from Chapter 5 by examining Macintosh and Linux OSs and file systems. It also gives you practice in using Linux forensics tools.
Chapter 8, “Recovering Graphics Files,” explains how to recover graphics files and examines data compression, carving data, reconstructing file fragments, and steganography and copyright issues.

Chapter 9, “Digital Forensics Analysis and Validation,” covers determining what data to collect and analyze and refining investigation plans. It also explains validation with hex editors and forensics software and data-hiding techniques.

Chapter 10, “Virtual Machine Forensics, Live Acquisitions, and Network Forensics,” covers tools and methods for conducting forensic analysis of virtual machines, performing live acquisitions, reviewing network logs for evidence, and using network-monitoring tools to detect unauthorized access. It also examines using Linux tools and the Honeynet Project’s resources.

Chapter 11, “E-mail and Social Media Investigations,” examines e-mail crimes and violations and reviews some specialized e-mail and social media forensics tools. It also explains how to approach investigating social media communications and handling the challenges this content poses.

Chapter 12, “Mobile Device Forensics and The Internet of Anything,” covers investigation techniques and acquisition procedures for smartphones, other mobile devices, Internet of Anything devices, and sensors. You learn where data might be stored or backed up and what tools are available for these investigations.

Chapter 13, “Cloud Forensics,” summarizes the legal and technical challenges in conducting cloud forensics. It also describes how to acquire cloud data and explains how remote acquisition tools can be used in cloud investigations.

Chapter 14, “Report Writing for High-Tech Investigations,” discusses the importance of report writing in digital forensics examinations; offers guidelines on report content, structure, and presentation; and explains how to generate report findings with forensics software tools.
Chapter 15, “Expert Testimony in Digital Investigations,” explores the role of an expert witness or a fact witness, including developing a curriculum vitae, understanding the trial process, and preparing forensics evidence for testimony. It also offers guidelines for testifying in court and at depositions and hearings.

Chapter 16, “Ethics for the Expert Witness,” provides guidance in the principles and practice of ethics for digital forensics investigators and examines other professional organizations’ codes of ethics.

Appendix A, “Certification Test References,” provides information on the National Institute of Standards and Technology (NIST) testing processes for validating digital forensics tools and covers digital forensics certifications and training programs.

Appendix B, “Digital Forensics References,” lists recommended books, journals, e-mail lists, and Web sites for additional information and further study. It also covers the latest ISO 27000 standards that apply to digital forensics.

Appendix C, “Digital Forensics Lab Considerations,” provides more information on considerations for forensics labs, including certifications, ergonomics, structural design, and communication and fire-suppression systems. It also covers applicable ISO standards.
Appendix D, “Legacy File System and Forensics Tools,” reviews FAT file system basics and Mac legacy file systems and explains using DOS forensics tools, creating forensic boot media, and using scripts. It also has an overview of the hexadecimal numbering system and how it’s applied to digital information.

Features

To help you fully understand digital forensics, this book includes many features designed to enhance your learning experience:

Chapter objectives—Each chapter begins with a detailed list of the concepts to be mastered in that chapter. This list gives you a quick reference to the chapter’s contents and is a useful study aid.

Figures and tables—Screenshots are used as guidelines for stepping through commands and forensics tools. For tools not included with the book or that aren’t offered in free demo versions, figures have been added when possible to illustrate the tool’s interface. Tables are used throughout the book to present information in an organized, easy-to-grasp manner.

Chapter summaries—Each chapter’s material is followed by a summary of the concepts introduced in that chapter. These summaries are a helpful way to review the ideas covered in each chapter.

Key terms—Following the chapter summary, all new terms introduced in the chapter with boldfaced text are gathered together in the Key Terms list. This list encourages a more thorough understanding of the chapter’s key concepts and is a useful reference.
Review questions—The end-of-chapter assessment begins with a set of review questions that reinforce the main concepts in each chapter. These questions help you evaluate and apply the material you have learned.

Hands-on projects—Although understanding the theory behind digital technology is important, nothing can improve on real-world experience. To this end, each chapter offers several hands-on projects with software supplied as free downloads on the student companion site and in MindTap. You can explore a variety of ways to acquire and even hide evidence. For the conceptual chapters, research projects are supplied.

Case projects—At the end of each chapter are case projects. To do these projects, you must draw on real-world common sense as well as your knowledge of the technical topics covered to that point in the book. Your goal for each project is