The Basics of Digital Forensics provides a foundation for people new to the digital forensics field. This book teaches you how to conduct examinations by discussing what digital forensics is, the methodologies used, key technical concepts, and the tools needed to perform examinations. Digital forensics for computers, networks, cell phones, GPS, the cloud, and the Internet is covered in detail, along with how to collect evidence, document the scene, and recover deleted data.

The Second Edition provides up-to-date real-world examples and the key technologies used in digital forensics, as well as new coverage of network intrusion response, how hard drives are organized, and electronic discovery. You will also learn how to incorporate quality assurance into an investigation, how to prioritize evidence items for examination (triage), case processing, and what goes into making an expert witness. The Second Edition also features expanded resources and references, including online resources that keep you current, sample legal documents, and suggested further reading.

* Learn what digital forensics entails
* Build a toolkit and prepare an investigative plan
* Understand the common artifacts to look for in an exam
* Second Edition features all-new coverage of hard drives, triage, network intrusion response, and electronic discovery, as well as updated case studies, expert interviews, and expanded resources and references
Preface xv
Acknowledgments xix
Chapter 1 Introduction 1 (14)
What is Forensic Science? 2 (1)
What is Digital Forensics? 2 (1)
Uses of Digital Forensics 3 (4)
Criminal Investigations 3 (1)
Civil Litigation 4 (1)
Intelligence 5 (1)
Administrative Matters 5 (2)
The Digital Forensics Process 7 (2)
Locard's Exchange Principle 9 (1)
Scientific Method 10 (1)
Organizations of Note 10 (2)
Scientific Working Group on Digital Evidence 10 (1)
American Academy of Forensic Sciences 11 (1)
American Society of Crime Laboratory Directors/Laboratory Accreditation Board 11 (1)
National Institute of Standards and Technology 12 (1)
American Society for Testing and Materials 12 (1)
Role of the Forensic Examiner in the Judicial System 12 (2)
The CSI Effect 13 (1)
References 14 (1)
Chapter 2 Key Technical Concepts 15 (16)
Bits, Bytes, and Numbering Schemes 15 (2)
Hexadecimal 16 (1)
Binary to Text: ASCII and Unicode 17 (1)
File Extensions and File Signatures 17 (1)
Storage and Memory 18 (3)
Magnetic Disks 19 (1)
Flash Memory 20 (1)
Optical Storage 20 (1)
Volatile versus Nonvolatile Memory 20 (1)
Computing Environments 21 (1)
Cloud Computing 21 (1)
Data Types 22 (1)
Active Data 22 (1)
Latent Data 22 (1)
Archival Data 23 (1)
File Systems 23 (1)
Allocated and Unallocated Space 24 (1)
Data Persistence 24 (1)
How Magnetic Hard Drives Store Data 25 (4)
References 29 (2)
Chapter 3 Labs and Tools 31 (16)
Forensic Laboratories 31 (3)
Virtual Labs 32 (1)
Lab Security 32 (1)
Evidence Storage 33 (1)
Policies and Procedures 34 (1)
Quality Assurance 34 (3)
Tool Validation 35 (1)
Documentation 35 (2)
Digital Forensic Tools 37 (4)
Tool Selection 38 (1)
Hardware 38 (2)
Software 40 (1)
Additional Resources 41 (1)
Open Source Tools 41 (1)
Alert! 42 (1)
Dependence on the Tools 42 (1)
Accreditation 43 (2)
Accreditation versus Certification 44 (1)
References 45 (2)
Chapter 4 Collecting Evidence 47 (18)
Crime Scenes and Collecting Evidence 48 (2)
Removable Media 48 (1)
Cell Phones 49 (1)
Alert! 50 (1)
Protecting Cell Phones from Network Signals 50 (1)
Alert! 50 (1)
Power 50 (1)
Order of Volatility 51 (1)
Documenting the Scene 51 (2)
Photography 52 (1)
Notes 52 (1)
Chain of Custody 53 (1)
Marking Evidence 54 (1)
Cloning 54 (4)
Purpose of Cloning 55 (1)
The Cloning Process 56 (1)
Forensically Clean Media 56 (1)
Forensic Image Formats 57 (1)
Risks and Challenges 57 (1)
Value in eDiscovery 57 (1)
Alert! 58 (1)
Sanctions in Electronic Discovery 58 (1)
Live System versus Dead System 58 (1)
Live Acquisition Concerns 58 (1)
More Advanced 59 (1)
Preserving Evidence in RAM 59 (1)
Advantage of Live Collection 59 (1)
Principles of Live Collection 59 (1)
Alert! 60 (1)
Evidence in RAM 60 (1)
Conducting and Documenting a Live Collection 60 (1)
Hashing 61 (1)
Types of Hashing Algorithms 61 (1)
Hashing Example 61 (1)
Uses of Hashing 62 (1)
Final Report 62 (2)
References 64 (1)
Chapter 5 Windows System Artifacts 65 (18)
Deleted Data 66 (1)
More Advanced 66 (1)
File Carving 66 (1)
Hibernation File (Hiberfile.sys) 66 (1)
Sleep 67 (1)
Hibernation 67 (1)
Hybrid Sleep 67 (1)
Registry 67 (5)
Registry Structure 68 (3)
Attribution 71 (1)
External Drives 72 (1)
Print Spooling 72 (1)
Recycle Bin 73 (1)
Alert! 73 (1)
Recycle Bin Function 73 (1)
More Advanced 74 (1)
Recycle Bin Bypass 74 (1)
Metadata 75 (1)
Alert! 76 (2)
Date and Time Stamps 76 (1)
Removing Metadata 76 (2)
Thumbnail Cache 78 (1)
Most Recently Used 78 (1)
Restore Points and Shadow Copy 79 (1)
Restore Points 79 (1)
Shadow Copies 79 (1)
Prefetch 80 (1)
Link Files 81 (1)
Installed Programs 81 (1)
References 82 (1)
Chapter 6 Anti-Forensics 83 (22)
Hiding Data 84 (7)
Encryption 85 (1)
What is Encryption? 85 (1)
Early Encryption 85 (1)
Algorithms 86 (2)
Key Space 88 (1)
Some Common Types of Encryption 88 (2)
Breaking Passwords 90 (1)
Password Attacks 91 (2)
Brute Force Attacks 91 (1)
Password Reset 91 (1)
Dictionary Attack 91 (2)
Additional Resources 93 (1)
Encryption 93 (1)
Steganography 93 (2)
Data Destruction 95 (1)
Drive Wiping 96 (1)
More Advanced 96 (5)
Defragmentation as Anti-Forensic Technique 96 (5)
References 101 (4)
Chapter 7 Legal 105 (14)
The Fourth Amendment 106 (1)
Criminal Law: Searches Without a Warrant 106 (2)
Reasonable Expectation of Privacy 106 (1)
Private Searches 107 (1)
E-mail 107 (1)
The Electronic Communications Privacy Act 107 (1)
Exceptions to the Search Warrant Requirement 107 (1)
More Advanced 108 (2)
Consent Forms 108 (2)
Alert! 110 (1)
Cell Phone Searches: The Supreme Court Weighs In 110 (1)
Searching with a Warrant 111 (2)
Seize the Hardware or Just the Information? 111 (1)
Particularity 111 (1)
Establishing Need for Offsite Analysis 112 (1)
Stored Communications Act 113 (1)
Electronic Discovery 113 (2)
Duty to Preserve 114 (1)
Private Searches in the Workplace 115 (1)
Alert! 115 (1)
International e-Discovery 115 (1)
Expert Testimony 116 (1)
Additional Resources 117 (1)
Expert Testimony 117 (1)
References 117 (2)
Chapter 8 Internet and E-mail 119 (14)
Internet Overview 119 (1)
Additional Resources 120 (1)
Web Technology 120 (1)
Peer-to-peer (P2P) 121 (1)
More Advanced 121 (1)
Gnutella Requests 121 (1)
The INDEX.DAT File 121 (1)
Web Browsers: Internet Explorer 122 (2)
Cookies 122 (1)
Temporary Internet Files, a.k.a. Web Cache 122 (1)
Internet History 123 (1)
More Advanced 124 (3)
The NTUSER.DAT File 124 (1)
Internet Explorer Artifacts in the Registry 124 (1)
Chat Clients 125 (1)
Internet Relay Chat 126 (1)
"I Seek You" 126 (1)
E-mail 127 (1)
Accessing E-mail 127 (1)
E-mail Protocols 127 (1)
E-mail as Evidence 128 (1)
E-mail: Covering the Trail 128 (1)
Alert! 128 (2)
Shared E-mail Accounts 128 (1)
Tracing E-mail 129 (1)
Reading E-mail Headers 129 (1)
Social Networking Sites 130 (1)
Additional Resources 130 (1)
Casey Anthony Trial Testimony 130 (1)
References 131 (2)
Chapter 9 Network Forensics 133 (12)
Introduction 133 (1)
Social Engineering 134 (1)
Network Fundamentals 134 (2)
Network Types 135 (1)
Network Security Tools 136 (1)
Network Attacks 137 (1)
Alert! 138 (1)
Inside Threat 138 (1)
Incident Response 139 (1)
Network Evidence and Investigations 140 (3)
Network Investigation Challenges 142 (1)
Additional Resources 143 (1)
Training and Research 143 (1)
References 143 (2)
Chapter 10 Mobile Device Forensics 145 (18)
Cellular Networks 146 (3)
Cellular Network Components 147 (1)
Types of Cellular Networks 148 (1)
Operating Systems 149 (1)
Cell Phone Evidence 150 (5)
Call Detail Records 151 (1)
Collecting and Handling Cell Phone Evidence 152 (2)
Subscriber Identity Modules 154 (1)
Cell Phone Acquisition: Physical and Logical 154 (1)
Cell Phone Forensic Tools 155 (2)
Global Positioning Systems 157 (3)
References 160 (3)
Chapter 11 Looking Ahead: Challenges and Concerns 163 (10)
Standards and Controls 163 (2)
Cloud Forensics 165 (1)
What Is Cloud Computing? 165 (1)
Additional Resources 165 (1)
Public Clouds 165 (1)
Benefits of the Cloud 166 (1)
Cloud Forensics and Legal Concerns 166 (1)
Alert! 166 (1)
Cloud Persistence: Dropbox 166 (1)
Solid State Drives 167 (1)
How Solid State Drives Store Data 167 (1)
More Advanced 168 (1)
Flash Translation Layer 168 (1)
The Problem: Taking Out the Trash 168 (1)
Speed of Change 168 (1)
Additional Resources 169 (1)
Twitter 169 (1)
References 170 (3)
Index 173