A Practical Guide to Computer Forensics Investigations


Title: A Practical Guide to Computer Forensics Investigations

Author: Darren R. Hayes

Publisher: Pearson IT Certification

Year: 2014

Pages: 600

Language: English

Format: PDF

Size: 15.1 MB

All you need to know to succeed in digital forensics: technical and investigative skills, in one book

Complete, practical, and up-to-date

Thoroughly covers digital forensics for Windows, Mac, mobile, hardware, and networks

Addresses online and lab investigations, documentation, admissibility, and more

By Dr. Darren Hayes, founder of Pace University’s Code Detectives forensics lab, one of America’s “Top 10 Computer Forensics Professors”

Perfect for anyone pursuing a digital forensics career or working with examiners

Criminals go where the money is. Today, trillions of dollars of assets are digital, and digital crime is growing fast. In response, demand for digital forensics experts is soaring. To succeed in this exciting field, you need strong technical and investigative skills. In this guide, one of the world’s leading computer forensics experts teaches you all the skills you’ll need.

Writing for students and professionals at all levels, Dr. Darren Hayes presents complete best practices for capturing and analyzing evidence, protecting the chain of custody, documenting investigations, and scrupulously adhering to the law, so your evidence can always be used.

Hayes introduces today’s latest technologies and technical challenges, offering detailed coverage of crucial topics such as mobile forensics, Mac forensics, cyberbullying, and child endangerment.

This guide’s practical activities and case studies give you hands-on mastery of modern digital forensics tools and techniques. Its many realistic examples reflect the author’s extensive and pioneering work as a forensics examiner in both criminal and civil investigations.

Understand what computer forensics examiners do, and the types of digital evidence they work with

Explore Windows and Mac computers, understand how their features affect evidence gathering, and use free tools to investigate their contents

Extract data from diverse storage devices

Establish a certified forensics lab and implement good practices for managing and processing evidence

Gather data and perform investigations online

Capture Internet communications, video, images, and other content

Write comprehensive reports that withstand defense objections and enable successful prosecution

Follow strict search and surveillance rules to make your evidence admissible

Investigate network breaches, including dangerous Advanced Persistent Threats (APTs)

Retrieve immense amounts of evidence from smartphones, even without seizing them

Successfully investigate financial fraud performed with digital devices

Use digital photographic evidence, including metadata and social media images


Table of Contents

Introduction ... xx

Chapter 1: The Scope of Computer Forensics ... 2
    Introduction ... 2
    Popular Myths about Computer Forensics ... 3
    Types of Computer Forensics Evidence Recovered ... 5
        Electronic Mail (Email) ... 5
        Images ... 7
        Video ... 8
        Websites Visited and Internet Searches ... 9
        Cellphone Forensics ... 10
    What Skills Must a Computer Forensics Investigator Possess? ... 10
        Computer Science Knowledge ... 10
        Legal Expertise ... 11
        Communication Skills ... 11
        Linguistic Abilities ... 11
        Continuous Learning ... 11
        An Appreciation for Confidentiality ... 12
    The Importance of Computer Forensics ... 12
        Job Opportunities ... 12
    A History of Computer Forensics ... 14
        1980s: The Advent of the Personal Computer ... 14
        1990s: The Impact of the Internet ... 15
    Training and Education ... 19
        Law Enforcement Training ... 19
    Summary ... 25

Chapter 2: Windows Operating and File Systems ... 32
    Introduction ... 32
    Physical and Logical Storage ... 34
        File Storage ... 34
    File Conversion and Numbering Formats ... 37
        Conversion of Binary to Decimal ... 37
        Hexadecimal Numbering ... 37
        Conversion of Hexadecimal to Decimal ... 38
        Conversion of Hexadecimal to ASCII (American Standard Code for Information Interchange) ... 38
        Unicode ... 42
    Operating Systems ... 42
        The Boot Process ... 42
        Windows File Systems ... 44
    Windows Registry ... 50
        Registry Data Types ... 52
        FTK Registry Viewer ... 52
    Microsoft Windows Features ... 53
        Windows Vista ... 53
        Windows 7 ... 59
        Windows 8.1 ... 70
    Summary ... 73

Chapter 3: Handling Computer Hardware ... 80
    Introduction ... 80
    Hard Disk Drives ... 81
        Small Computer System Interface (SCSI) ... 81
        Integrated Drive Electronics (IDE) ... 82
        Serial ATA (SATA) ... 83
    Cloning a PATA or SATA Hard Disk ... 86
        Cloning Devices ... 86
    Removable Memory ... 93
        FireWire ... 94
        USB Flash Drives ... 94
        External Hard Drives ... 95
        MultiMedia Cards (MMCs) ... 96
    Summary ... 109
    References ... 114

Chapter 4: Acquiring Evidence in a Computer Forensics Lab ... 116
    Introduction ... 116
    Lab Requirements ... 117
        American Society of Crime Laboratory Directors ... 117
        American Society of Crime Laboratory Directors/Lab Accreditation Board (ASCLD/LAB) ... 117
        ASCLD/LAB Guidelines for Forensic Laboratory Management Practices ... 117
        Scientific Working Group on Digital Evidence (SWGDE) ... 119
    Private Sector Computer Forensics Laboratories ... 119
        Evidence Acquisition Laboratory ... 120
        Email Preparation Laboratory ... 120
        Inventory Control ... 120
        Web Hosting ... 121
    Computer Forensics Laboratory Requirements ... 121
        Laboratory Layout ... 121
        Laboratory Management ... 141
        Laboratory Access ... 141
    Extracting Evidence from a Device ... 144
        Using the dd Utility ... 144
        Using Global Regular Expressions Print (GREP) ... 145
    Skimmers ... 152
    Summary ... 156

Chapter 5: Online Investigations ... 162
    Introduction ... 162
    Working Undercover ... 163
        Generate an Identity ... 164
        Generate an Email Account ... 165
        Mask Your Identity ... 167
    Website Evidence ... 171
        Website Archives ... 171
        Website Statistics ... 172
    Background Searches on a Suspect ... 173
        Personal Information: Mailing Address, Email Address, Telephone Number, and Assets ... 174
        Personal Interests and Membership of User Groups ... 178
        Searching for Stolen Property ... 179
    Online Crime ... 195
        Identity Theft ... 195
        Credit Cards for Sale ... 195
        Electronic Medical Records ... 196
        Cyberbullying ... 196
        Social Networking ... 196
    Capturing Online Communications ... 197
        Using Screen Captures ... 197
        Using Video ... 199
        Viewing Cookies ... 199
        Using Windows Registry ... 200
    Summary ... 202

Chapter 6: Documenting the Investigation ... 210
    Introduction ... 210
    Obtaining Evidence from a Service Provider ... 211
    Documenting a Crime Scene ... 211
        Seizing Evidence ... 213
        Crime Scene Examinations ... 213
    Documenting the Evidence ... 214
        Completing a Chain of Custody Form ... 215
        Completing a Computer Worksheet ... 216
        Completing a Hard Disk Drive Worksheet ... 217
        Completing a Server Worksheet ... 218
    Using Tools to Document an Investigation ... 220
        CaseNotes ... 220
        FragView ... 220
    Helpful Mobile Applications (Apps) ... 221
        Network Analyzer ... 221
        System Status ... 221
        The Cop App ... 221
        Lock and Code ... 221
        Digital Forensics Reference ... 221
        Federal Rules of Civil Procedure (FRCP) ... 222
        Federal Rules of Evidence (FREvidence) ... 222
    Writing Reports ... 222
        Time Zones and Daylight Saving Time (DST) ... 222
        Creating a Comprehensive Report ... 224
    Using Expert Witnesses at Trial ... 227
        The Expert Witness ... 228
        The Goals of the Expert Witness ... 228
        Preparing an Expert Witness for Trial ... 228
    Summary ... 231

Chapter 7: Admissibility of Digital Evidence ... 238
    Introduction ... 238
    History and Structure of the United States Legal System ... 239
        Origins of the U.S. Legal System ... 240
        Overview of the U.S. Court System ... 241
        In the Courtroom ... 245
    Evidence Admissibility ... 248
        Constitutional Law ... 248
        First Amendment ... 248
        First Amendment and the Internet ... 249
        Fourth Amendment ... 251
        Fifth Amendment ... 263
        Sixth Amendment ... 264
        Congressional Legislation ... 265
        Rules for Evidence Admissibility ... 271
        Criminal Defense ... 276
    When Computer Forensics Goes Wrong ... 277
        Pornography in the Classroom ... 277
    Structure of the Legal System in the European Union (E.U.) ... 278
        Origins of European Law ... 278
        Structure of European Union Law ... 279
    Structure of the Legal System in Asia ... 282
        China ... 282
        India ... 282
    Summary ... 283

Chapter 8: Network Forensics ... 292
    Introduction ... 292
    The Tools of the Trade ... 293
    Networking Devices ... 294
        Proxy Servers ... 295
        Web Servers ... 295
        DHCP Servers ... 298
        SMTP Servers ... 299
        DNS Servers ... 301
        Routers ... 302
        IDS ... 304
        Firewalls ... 304
        Ports ... 305
    Understanding the OSI Model ... 305
        The Physical Layer ... 306
        The Data Link Layer ... 306
        The Network Layer ... 306
        The Transport Layer ... 307
        The Session Layer ... 308
        The Presentation Layer ... 308
        The Application Layer ... 309
    Advanced Persistent Threats ... 310
        Cyber Kill Chain ... 310
        Indicators of Compromise (IOC) ... 312
    Investigating a Network Attack ... 313
    Summary ... 314

Chapter 9: Mobile Forensics ... 320
    Introduction ... 320
    The Cellular Network ... 322
        Base Transceiver Station ... 322
        Mobile Station ... 326
        Cellular Network Types ... 331
        SIM Card Forensics ... 334
        Types of Evidence ... 337
    Handset Specifications ... 338
        Memory and Processing ... 338
        Battery ... 338
        Other Hardware ... 338
    Mobile Operating Systems ... 339
        Android OS ... 339
        Windows Phone ... 347
    Standard Operating Procedures for Handling Handset Evidence ... 347
        National Institute of Standards and Technology ... 348
        Preparation and Containment ... 349
        Wireless Capabilities ... 352
        Documenting the Investigation ... 354
    Handset Forensics ... 354
        Cellphone Forensic Software ... 354
        Cellphone Forensics Hardware ... 357
        Logical versus Physical Examination ... 358
    Manual Cellphone Examinations ... 358
        Flasher Box ... 359
    Global Satellite Service Providers ... 360
        Satellite Communication Services ... 360
    Legal Considerations ... 360
        Carrier Records ... 361
    Other Mobile Devices ... 361
        Tablets ... 361
        GPS Devices ... 362
    Summary ... 364

Chapter 10: Photograph Forensics ... 372
    Introduction ... 372
    Understanding Digital Photography ... 375
        File Systems ... 375
        Digital Photography Applications and Services ... 376
    Examining Picture Files ... 377
        Exchangeable Image File Format (EXIF) ... 377
    Evidence Admissibility ... 380
        Federal Rules of Evidence (FRE) ... 380
        Analog vs. Digital Photographs ... 381
    Case Studies ... 382
        Worldwide Manhunt ... 382
        NYPD Facial Recognition Unit ... 383
    Summary ... 384

Chapter 11: Mac Forensics ... 390
    Introduction ... 390
    A Brief History ... 391
        Macintosh ... 391
        Mac Mini with OS X Server ... 391
        iPod ... 393
        iPhone ... 394
        iPad ... 394
        Apple Wi-Fi Devices ... 395
    Macintosh File Systems ... 397
    Forensic Examinations of a Mac ... 398
        IOReg Info ... 398
        PMAP Info ... 399
        Epoch Time ... 399
        Recovering Deleted Files ... 401
        Journaling ... 401
        DMG File System ... 401
        PList Files ... 401
        SQLite Databases ... 404
    Macintosh Operating Systems ... 404
        Mac OS X ... 405
        Target Disk Mode ... 408
    Apple Mobile Devices ... 409
        iOS ... 410
        iOS 7 ... 410
        iOS 8 ... 410
        Security and Encryption ... 411
        iPod ... 412
        iPhone ... 413
        Enterprise Deployment of iPhone and iOS Devices ... 426
    Case Studies ... 426
        Find My iPhone ... 427
        Wanted Hacktivist ... 427
        Michael Jackson ... 427
        Stolen iPhone ... 427
        Drug Bust ... 427
    Summary ... 428

Chapter 12: Case Studies ... 436
    Introduction ... 436
    Zacharias Moussaoui ... 437
        Background ... 437
        Digital Evidence ... 438
        Standby Counsel Objections ... 439
        Prosecution Affidavit ... 440
        Exhibits ... 440
        Email Evidence ... 440
    BTK (Bind Torture Kill) Killer ... 441
        Profile of a Killer ... 441
        Evidence ... 442
    Cyberbullying ... 443
        Federal Anti-harassment Legislation ... 443
        State Anti-harassment Legislation ... 443
        Warning Signs of Cyberbullying ... 443
        What Is Cyberbullying? ... 444
        Phoebe Prince ... 444
        Ryan Halligan ... 445
        Megan Meier ... 445
        Tyler Clementi ... 445
    Sports ... 447
    Summary ... 449
