Guide To Computer Forensics And Investigations

Guide to Computer Forensics and Investigations by B. Nelson, A. Phillips, C. Steuart


Information Security Web Site Resources
www.cert.org - Computer Emergency Response Team Coordination Center (CERT/CC)
www.ists.dartmouth.edu - Research and education for cyber security
www.first.org - Organization of 170 incident response teams
www.sans.org - SysAdmin, Audit, Network, Security (SANS) Institute
www.infragard.net - Information sharing between private industry and the U.S. government
www.issa.org - Information Systems Security Association (ISSA)
nsi.org - Information about security vulnerabilities and threats
csrc.nist.gov/index.html - Computer Security Resource Center (CSRC)
cve.mitre.org - Dictionary of reported information security vulnerabilities
www.mcafee.com/us/threat_center - McAfee Threat Center
www.microsoft.com/security/portal/default.aspx - Microsoft Malware Protection Center
secureitalliance.org - Industry partners to promote software that interoperates with Microsoft platform
www.securityfocus.com/archive/1 - Detailed information about the latest computer security vulnerabilities and fixes
atlas.arbor.net - Global threat analysis network
secunia.com - Information regarding security vulnerabilities, advisories, viruses, and online vulnerability tests
www.ieee.org - Institute of Electrical and Electronics Engineers (IEEE)
www.wi-fi.org - Wi-Fi Alliance
www.fcc.gov - Federal Communications Commission
www.hhs.gov/ocr/hipaa - Health Insurance Portability and Accountability Act of 1996 (HIPAA)
www.sec.gov/spotlight/sarbanes-oxley.htm - Sarbanes-Oxley Act of 2002 (Sarbox)
www.ftc.gov/privacy/glbact/glbsub1.htm - Gramm-Leach-Bliley Act (GLBA)
www.fincen.gov/statutes_regs/patriot/index.html - USA Patriot Act (2001)
info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html - California Database Security Breach Act (2003)
www.ftc.gov/bcp/conline/pubs/buspubs/coppa.shtm - Children's Online Privacy Protection Act of 1998 (COPPA)
secunia.com/software_inspector - Secunia Software Inspector software
www.microsoft.com/security/malwareremove/default.mspx - Microsoft Windows Malicious Software Removal Tool
www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx - Microsoft RootkitRevealer software
www.softdd.com/keystrokerecorder/index.html - Keyboard Collector software
irongeek.com/i.php?page=security/thumbscrew-software-usb-write-blocker - Thumbscrew software
www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx - Microsoft Virtual PC 2007
www.vmware.com - VMware Workstation
www.grc.com/securable - Data Execution Prevention testing software
www.eicar.org/anti_virus_test_file.htm - EICAR AntiVirus test file
www.microsoft.com/downloads/details.aspx?FamilyID=a3d1bbed-7f35-4e72-bfb5-b84a526c1565&displaylang=en - Microsoft Vista security templates
www.microsoft.com/technet/security/tools/mbsahome.mspx - Microsoft Baseline Security Analyzer (MBSA)
www.wireshark.org - Wireshark protocol analyzer
www.netstumbler.com - Netstumbler software
www.klcconsulting.net/smac - MAC spoofing software
ophcrack.sourceforge.net - Open-source password cracker program that uses rainbow tables
keepass.info - KeePass password storage software
www.nessus.org/download - Nessus vulnerability scanner
www.gfi.com/lannetscan - GFI LANguard vulnerability scanner
www.threatfire.com/download - ThreatFire behavior-based monitoring tool
md5deep.sourceforge.net - Hash generator software
www.truecrypt.org - TrueCrypt encryption software
www.briggsoft.com - Directory Snoop software
www.heidi.ie/node/6 - File wipe software
Bill Nelson
Amelia Phillips
Christopher Steuart
Guide to Computer Forensics and Investigations
Fourth Edition
Some of the product names and company names used in this book have been used for identification purposes
only and may be trademarks or registered trademarks of their respective manufacturers and sellers. Microsoft
and the Office logo are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries. Course Technology, a part of Cengage Learning, is an independent entity from the
Microsoft Corporation, and not affiliated with Microsoft in any manner. Any fictional data related to persons or
companies or URLs used throughout this book is intended for instructional purposes only. At the time this book
was printed, any such data was fictional and not belonging to any real persons or companies. Course Technology
and the Course Technology logo are registered trademarks used under license. Course Technology, a part of
Cengage Learning, reserves the right to revise this publication and make changes from time to time in its
content without notice. The programs in this book are for instructional purposes only. They have been tested
with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the
publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the
programs.
Printed in the United States of America
Guide to Computer Forensics and Investigations, Fourth Edition
Bill Nelson, Amelia Phillips, Christopher Steuart
Vice President, Career and Professional Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Developmental Editor: Lisa M. Lord
Editorial Assistant: Sarah Pickering
Vice President, Career and Professional Marketing: Jennifer McAvey
Marketing Director: Deborah S. Yarnell
Senior Marketing Manager: Erin Coffin
Marketing Coordinator: Shanna Gibbs
Production Director: Carolyn Miller
Production Manager: Andrew Crouth
Content Project Manager: Jessica McNavich
Art Director: Jack Pendleton
Cover photo or illustration: Shutterstock
Production Technology Analyst: Tom Stover
Manufacturing Coordinator: Julio Esperas
Copyeditor: Ruth Bloom
Proofreader: Michele Callaghan
Compositor: Cadmus Communications
© 2010 Course Technology, Cengage Learning
ALL RIGHTS RESERVED. No part of this work covered by the
copyright herein may be reproduced, transmitted, stored or used in
any form or by any means graphic, electronic, or mechanical,
including but not limited to photocopying, recording, scanning,
digitizing, taping, Web distribution, information networks, or
information storage and retrieval systems, except as permitted
under Section 107 or 108 of the 1976 United States Copyright Act,
without the prior written permission of the publisher.
For product information and technology assistance, contact us at
Cengage Learning Customer & Sales Support, 1-800-354-9706
For permission to use material from this text or product, submit
all requests online at cengage.com/permissions
Further permissions questions can be emailed to
permissionrequest@cengage.com
Library of Congress Control Number: 2009929885
ISBN-13: 978-1-435-49883-9
ISBN-10: 1-435-49883-6
Course Technology
20 Channel Center Street
Boston, MA 02210
Cengage Learning is a leading provider of customized learning
solutions with office locations around the globe, including Singapore,
the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate
your local office at: international.cengage.com/region
Cengage Learning products are represented in Canada by Nelson
Education, Ltd.
For your lifelong learning solutions, visit course.cengage.com
Visit our corporate website at cengage.com.
Brief Table of Contents
PREFACE ..... xv
INTRODUCTION ..... xvii
CHAPTER 1
Computer Forensics and Investigations as a Profession ..... 1
CHAPTER 2
Understanding Computer Investigations ..... 27
CHAPTER 3
The Investigator's Office and Laboratory ..... 71
CHAPTER 4
Data Acquisition ..... 99
CHAPTER 5
Processing Crime and Incident Scenes ..... 149
CHAPTER 6
Working with Windows and DOS Systems ..... 197
CHAPTER 7
Current Computer Forensics Tools ..... 259
CHAPTER 8
Macintosh and Linux Boot Processes and File Systems ..... 297
CHAPTER 9
Computer Forensics Analysis and Validation ..... 345
CHAPTER 10
Recovering Graphics Files ..... 381
CHAPTER 11
Virtual Machines, Network Forensics, and Live Acquisitions ..... 423
CHAPTER 12
E-mail Investigations ..... 451
CHAPTER 13
Cell Phone and Mobile Device Forensics ..... 495
CHAPTER 14
Report Writing for High-Tech Investigations ..... 515
CHAPTER 15
Expert Testimony in High-Tech Investigations ..... 541
CHAPTER 16
Ethics for the Expert Witness ..... 575
APPENDIX A
Certification Test References ..... 603
APPENDIX B
Computer Forensics References ..... 607
APPENDIX C
Computer Forensics Lab Considerations ..... 613
APPENDIX D
DOS File System and Forensics Tools ..... 619
GLOSSARY ..... 653
INDEX ..... 663
Table of Contents
Table of Contents
PREFACE ................................................................. xv
INTRODUCTION ........................................................... xvii
CHAPTER 1
Computer Forensics and Investigations as a Profession . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Understanding Computer Forensics . . ......................................................2
Computer Forensics Versus Other Related Disciplines . ....................................... 3
A Brief History of Computer Forensics. . . ................................................ 5
Understanding Case Law . . . ......................................................... 8
Developing Computer Forensics Resources ................................................ 8
Preparing for Computer Investigations ......................................................9
Understanding Law Enforcement Agency Investigations ...................................... 11
Following the Legal Processes ........................................................ 12
Understanding Corporate Investigations . . ............................................... 14
Establishing Company Policies........................................................ 14
Displaying Warning Banners . ........................................................ 15
Designating an Authorized Requester................................................... 17
Conducting Security Investigations. .................................................... 17
Distinguishing Personal and Company Property ........................................... 19
Maintaining Professional Conduct . . . .....................................................19
Chapter Summary ...................................................................20
Key Terms. . .......................................................................21
Review Questions. ...................................................................23
Hands-On Projects ...................................................................24
Case Projects .......................................................................25
CHAPTER 2
Understanding Computer Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Preparing a Computer Investigation . . .....................................................28
An Overview of a Computer Crime .................................................... 28
An Overview of a Company Policy Violation . . ........................................... 30
Taking a Systematic Approach ..........................................................30
Assessing the Case . . . ............................................................. 32
Planning Your Investigation . ........................................................ 33
Securing Your Evidence ............................................................ 35
Procedures for Corporate High-Tech Investigations............................................37
Employee Termination Cases. ........................................................ 37
Internet Abuse Investigations . ........................................................ 37
E-mail Abuse Investigations. . ........................................................ 38
Attorney-Client Privilege Investigations . . ............................................... 39
Media Leak Investigations. . . ........................................................ 40
Industrial Espionage Investigations. .................................................... 41
Interviews and Interrogations in High-Tech Investigations . . .................................. 43
Understanding Data Recovery Workstations and Software. . . . ...................................44
Setting Up Your Workstation for Computer Forensics. ...................................... 45
Conducting an Investigation . . ..........................................................46
Gathering the Evidence ............................................................. 46
Understanding Bit-stream Copies . . .................................................... 47
Acquiring an Image of Evidence Media . . ............................................... 48
Using ProDiscover Basic to Acquire a USB Drive .......................................... 48
v
Analyzing Your Digital Evidence ...................................................... 51
Completing the Case .................................................................58
Critiquing the Case. ............................................................... 59
Chapter Summary . . .................................................................59
Key Terms. . . ......................................................................60
Review Questions. . . .................................................................61
Hands-On Projects . . .................................................................62
Case Projects . ......................................................................69
CHAPTER 3
The Investigators Office and Laboratory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Understanding Forensics Lab Certification Requirements . . ......................................72
Identifying Duties of the Lab Manager and Staff. . ......................................... 72
Lab Budget Planning . . . ........................................................... 73
Acquiring Certification and Training . .................................................. 76
Determining the Physical Requirements for a Computer Forensics Lab . .............................79
Identifying Lab Security Needs ....................................................... 79
Conducting High-Risk Investigations . .................................................. 80
Using Evidence Containers . . . ....................................................... 80
Overseeing Facility Maintenance ...................................................... 82
Considering Physical Security Needs . .................................................. 82
Auditing a Computer Forensics Lab. . .................................................. 83
Determining Floor Plans for Computer Forensics Labs . ..................................... 83
Selecting a Basic Forensic Workstation. ....................................................85
Selecting Workstations for Police Labs .................................................. 85
Selecting Workstations for Private and Corporate Labs . ..................................... 86
Stocking Hardware Peripherals ....................................................... 86
Maintaining Operating Systems and Software Inventories .................................... 87
Using a Disaster Recovery Plan ....................................................... 87
Planning for Equipment Upgrades . . . .................................................. 88
Using Laptop Forensic Workstations . .................................................. 88
Building a Business Case for Developing a Forensics Lab . ......................................88
Preparing a Business Case for a Computer Forensics Lab..................................... 90
Chapter Summary . . .................................................................93
Key Terms. . . ......................................................................94
Review Questions. . . .................................................................95
Hands-On Projects . . .................................................................96
Case Projects . ......................................................................97
CHAPTER 4
Data Acquisition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Understanding Storage Formats for Digital Evidence .......................................... 100
Raw Format ................................................................... 101
Proprietary Formats .............................................................. 101
Advanced Forensic Format . . . ...................................................... 102
Determining the Best Acquisition Method . . . .............................................. 103
Contingency Planning for Image Acquisitions . .............................................. 105
Using Acquisition Tools . . ............................................................ 105
Windows XP Write-Protection with USB Devices . ........................................ 106
vi Table of Contents
Acquiring Data with a Linux Boot CD. . . .............................................. 109
Capturing an Image with ProDiscover Basic . . . .......................................... 120
Capturing an Image with AccessData FTK Imager . . . ..................................... 123
Validating Data Acquisitions . . ......................................................... 126
Linux Validation Methods . . ....................................................... 127
Windows Validation Methods ....................................................... 129
Performing RAID Data Acquisitions . .................................................... 129
Understanding RAID . ............................................................ 130
Acquiring RAID Disks ............................................................ 132
Using Remote Network Acquisition Tools . ................................................ 134
Remote Acquisition with ProDiscover . . . .............................................. 134
Remote Acquisition with EnCase Enterprise . . . .......................................... 136
Remote Acquisition with R-Tools R-Studio . . . .......................................... 136
Remote Acquisition with WetStone LiveWire . . .......................................... 137
Remote Acquisition with F-Response .................................................. 137
Remote Acquisition with Runtime Software . . . .......................................... 137
Using Other Forensics Acquisition Tools . . ................................................ 138
SnapBack DatArrest . . ............................................................ 138
NTI SafeBack. . . ................................................................ 138
DIBS USA RAID ................................................................ 138
ILook Investigator IXimager . ....................................................... 139
ASRData SMART . . . ............................................................ 139
Australian Department of Defence PyFlag .............................................. 139
Chapter Summary .................................................................. 139
Key Terms. . ...................................................................... 140
Review Questions. .................................................................. 141
Hands-On Projects .................................................................. 143
Case Projects ...................................................................... 146
CHAPTER 5
Processing Crime and Incident Scenes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Identifying Digital Evidence. . . ......................................................... 150
Understanding Rules of Evidence . . ................................................... 151
Collecting Evidence in Private-Sector Incident Scenes. . . ....................................... 157
Processing Law Enforcement Crime Scenes . ................................................ 161
Understanding Concepts and Terms Used in Warrants ..................................... 162
Preparing for a Search . . ............................................................. 163
Identifying the Nature of the Case . ................................................... 163
Identifying the Type of Computing System .............................................. 164
Determining Whether You Can Seize a Computer ......................................... 164
Obtaining a Detailed Description of the Location ......................................... 164
Determining Who Is in Charge . . . ................................................... 165
Using Additional Technical Expertise .................................................. 165
Determining the Tools You Need . ................................................... 166
Preparing the Investigation Team. . ................................................... 168
Securing a Computer Incident or Crime Scene . . . ........................................... 168
Seizing Digital Evidence at the Scene . .................................................... 169
Preparing to Acquire Digital Evidence . . . .............................................. 169
Processing an Incident or Crime Scene . . . .............................................. 170
Processing Data Centers with RAID Systems . . .......................................... 173
Using a Technical Advisor. . . ....................................................... 173
Table of Contents vii
Documenting Evidence in the Lab . . . ................................................. 174
Processing and Handling Digital Evidence . ............................................. 174
Storing Digital Evidence . . ............................................................ 174
Evidence Retention and Media Storage Needs............................................ 176
Documenting Evidence . . .......................................................... 176
Obtaining a Digital Hash . ............................................................ 177
Reviewing a Case . . . ................................................................ 179
Sample Civil Investigation .......................................................... 180
Sample Criminal Investigation . ...................................................... 181
Reviewing Background Information for a Case . . . ........................................ 181
Identifying the Case Requirements . . . ................................................. 182
Planning the Investigation .......................................................... 183
Conducting the Investigation: Acquiring Evidence withAccessData FTK . . . ...................... 183
Chapter Summary . . ................................................................ 188
Key Terms. . . ..................................................................... 190
Review Questions. . . ................................................................ 191
Hands-On Projects . . ................................................................ 192
Case Projects . ..................................................................... 195
CHAPTER 6
Working with Windows and DOS Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Understanding File Systems ............................................................ 198
Understanding the Boot Sequence . . . ................................................. 198
Understanding Disk Drives . . . ...................................................... 199
Exploring Microsoft File Structures . . . ................................................... 201
Disk Partitions . . . ............................................................... 202
Master Boot Record .............................................................. 205
Examining FAT Disks. . . .......................................................... 206
Examining NTFS Disks . . ............................................................ 208
NTFS System Files ............................................................... 210
MFT and File Attributes . .......................................................... 211
MFT Structures for File Data . ...................................................... 215
NTFS Data Streams .............................................................. 224
NTFS Compressed Files . .......................................................... 224
NTFS Encrypting File System (EFS) . . ................................................. 225
EFS Recovery Key Agent. .......................................................... 227
Deleting NTFS Files .............................................................. 227
Understanding Whole Disk Encryption ................................................... 228
Examining Microsoft BitLocker ...................................................... 229
Examining Third-Party Disk Encryption Tools . . . ........................................ 230
Understanding the Windows Registry . ................................................... 230
Exploring the Organization of the Windows Registry . . .................................... 231
Examining the Windows Registry . . . ................................................. 234
Understanding Microsoft Startup Tasks ................................................... 237
Startup in Windows NT and Later . . ................................................. 238
Startup in Windows 9x/Me . . . ...................................................... 240
Understanding MS-DOS Startup Tasks ................................................... 241
Other Disk Operating Systems. ...................................................... 242
Understanding Virtual Machines . ....................................................... 242
Creating a Virtual Machine. . . ...................................................... 244
viii Table of Contents
Chapter Summary .................................................................. 248
Key Terms. . ...................................................................... 249
Review Questions. .................................................................. 252
Hands-On Projects .................................................................. 254
Case Projects ...................................................................... 258
CHAPTER 7
Current Computer Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Evaluating Computer Forensics Tool Needs ................................................ 260
Types of Computer Forensics Tools ................................................... 261
Tasks Performed by Computer Forensics Tools. .......................................... 261
Tool Comparisons . . . ............................................................ 271
Other Considerations for Tools . . . ................................................... 272
Computer Forensics Software Tools. . .................................................... 273
Command-Line Forensics Tools. . . ................................................... 273
UNIX/Linux Forensics Tools . ....................................................... 274
Other GUI Forensics Tools . . ....................................................... 277
Computer Forensics Hardware Tools. .................................................... 278
Forensic Workstations ............................................................ 278
Using a Write-Blocker. ............................................................ 279
Recommendations for a Forensic Workstation . .......................................... 280
Validating and Testing Forensics Software . ................................................ 280
Using National Institute of Standards and Technology (NIST) Tools ........................... 281
Using Validation Protocols . . ....................................................... 282
Chapter Summary .................................................................. 283
Key Terms. . ...................................................................... 284
Review Questions. .................................................................. 284
Hands-On Projects .................................................................. 286
Case Projects ...................................................................... 294
CHAPTER 8
Macintosh and Linux Boot Processes and File Systems ..... 297
Understanding the Macintosh File Structure and Boot Process ..... 298
Understanding Mac OS 9 Volumes ..... 299
Exploring Macintosh Boot Tasks ..... 300
Using Macintosh Forensics Software ..... 303
Examining UNIX and Linux Disk Structures and Boot Processes ..... 310
UNIX and Linux Overview ..... 314
Understanding Inodes ..... 318
Understanding UNIX and Linux Boot Processes ..... 319
Understanding Linux Loader and GRUB ..... 321
Understanding UNIX and Linux Drives and Partition Schemes ..... 321
Examining UNIX and Linux Disk Structures ..... 322
Understanding Other Disk Structures ..... 330
Examining CD Data Structures ..... 330
Examining SCSI Disks ..... 332
Examining IDE/EIDE and SATA Devices ..... 333
Chapter Summary ..... 335
Key Terms ..... 336
Review Questions ..... 338
Hands-On Projects ..... 340
Case Projects ..... 344
CHAPTER 9
Computer Forensics Analysis and Validation ..... 345
Determining What Data to Collect and Analyze ..... 346
Approaching Computer Forensics Cases ..... 346
Using AccessData Forensic Toolkit to Analyze Data ..... 348
Validating Forensic Data ..... 351
Validating with Hexadecimal Editors ..... 351
Validating with Computer Forensics Programs ..... 355
Addressing Data-Hiding Techniques ..... 356
Hiding Partitions ..... 356
Marking Bad Clusters ..... 358
Bit-Shifting ..... 358
Using Steganography to Hide Data ..... 361
Examining Encrypted Files ..... 362
Recovering Passwords ..... 362
Performing Remote Acquisitions ..... 365
Remote Acquisitions with Runtime Software ..... 367
Chapter Summary ..... 373
Key Terms ..... 374
Review Questions ..... 374
Hands-On Projects ..... 376
Case Projects ..... 379
CHAPTER 10
Recovering Graphics Files ..... 381
Recognizing a Graphics File ..... 382
Understanding Bitmap and Raster Images ..... 382
Understanding Vector Graphics ..... 383
Understanding Metafile Graphics ..... 383
Understanding Graphics File Formats ..... 383
Understanding Digital Camera File Formats ..... 384
Understanding Data Compression ..... 387
Lossless and Lossy Compression ..... 388
Locating and Recovering Graphics Files ..... 388
Identifying Graphics File Fragments ..... 389
Repairing Damaged Headers ..... 389
Searching for and Carving Data from Unallocated Space ..... 390
Rebuilding File Headers ..... 396
Reconstructing File Fragments ..... 399
Identifying Unknown File Formats ..... 405
Analyzing Graphics File Headers ..... 406
Tools for Viewing Images ..... 407
Understanding Steganography in Graphics Files ..... 408
Using Steganalysis Tools ..... 411
Understanding Copyright Issues with Graphics ..... 411
Chapter Summary ..... 412
Key Terms ..... 414
Review Questions ..... 415
Hands-On Projects ..... 417
Case Projects ..... 421
CHAPTER 11
Virtual Machines, Network Forensics, and Live Acquisitions ..... 423
Virtual Machines Overview ..... 424
Network Forensics Overview ..... 428
Securing a Network ..... 429
Performing Live Acquisitions ..... 430
Performing a Live Acquisition in Windows ..... 431
Developing Standard Procedures for Network Forensics ..... 432
Reviewing Network Logs ..... 432
Using Network Tools ..... 434
Using UNIX/Linux Tools ..... 435
Using Packet Sniffers ..... 439
Examining the Honeynet Project ..... 441
Chapter Summary ..... 444
Key Terms ..... 445
Review Questions ..... 445
Hands-On Projects ..... 446
Case Projects ..... 449
CHAPTER 12
E-mail Investigations ..... 451
Exploring the Role of E-mail in Investigations ..... 452
Exploring the Roles of the Client and Server in E-mail ..... 453
Investigating E-mail Crimes and Violations ..... 454
Examining E-mail Messages ..... 455
Viewing E-mail Headers ..... 456
Examining E-mail Headers ..... 463
Examining Additional E-mail Files ..... 465
Tracing an E-mail Message ..... 466
Using Network E-mail Logs ..... 466
Understanding E-mail Servers ..... 467
Examining UNIX E-mail Server Logs ..... 469
Examining Microsoft E-mail Server Logs ..... 470
Examining Novell GroupWise E-mail Logs ..... 471
Using Specialized E-mail Forensics Tools ..... 473
Using AccessData FTK to Recover E-mail ..... 476
Using a Hexadecimal Editor to Carve E-mail Messages ..... 481
Recovering Outlook Files ..... 484
Chapter Summary ..... 486
Key Terms ..... 487
Review Questions ..... 488
Hands-On Projects ..... 490
Case Projects ..... 493
CHAPTER 13
Cell Phone and Mobile Device Forensics ..... 495
Understanding Mobile Device Forensics ..... 496
Mobile Phone Basics ..... 497
Inside Mobile Devices ..... 499
Inside PDAs ..... 500
Understanding Acquisition Procedures for Cell Phones and Mobile Devices ..... 501
Mobile Forensics Equipment ..... 503
Chapter Summary ..... 507
Key Terms ..... 508
Review Questions ..... 509
Hands-On Projects ..... 510
Case Projects ..... 513
CHAPTER 14
Report Writing for High-Tech Investigations ..... 515
Understanding the Importance of Reports ..... 516
Limiting a Report to Specifics ..... 517
Types of Reports ..... 518
Guidelines for Writing Reports ..... 519
What to Include in Written Preliminary Reports ..... 520
Report Structure ..... 521
Writing Reports Clearly ..... 522
Designing the Layout and Presentation of Reports ..... 523
Generating Report Findings with Forensics Software Tools ..... 527
Using ProDiscover Basic to Generate Reports ..... 527
Using AccessData FTK to Generate Reports ..... 529
Chapter Summary ..... 533
Key Terms ..... 534
Review Questions ..... 534
Hands-On Projects ..... 536
Case Projects ..... 539
CHAPTER 15
Expert Testimony in High-Tech Investigations ..... 541
Preparing for Testimony ..... 542
Documenting and Preparing Evidence ..... 543
Reviewing Your Role as a Consulting Expert or an Expert Witness ..... 544
Creating and Maintaining Your CV ..... 544
Preparing Technical Definitions ..... 545
Preparing to Deal with the News Media ..... 545
Testifying in Court ..... 546
Understanding the Trial Process ..... 546
Providing Qualifications for Your Testimony ..... 547
General Guidelines on Testifying ..... 548
Testifying During Direct Examination ..... 552
Testifying During Cross-Examination ..... 552
Preparing for a Deposition or Hearing ..... 554
Guidelines for Testifying at Depositions ..... 555
Guidelines for Testifying at Hearings ..... 557
Preparing Forensics Evidence for Testimony ..... 557
Preparing Explanations of Your Evidence-Collection Methods ..... 561
Chapter Summary ..... 562
Key Terms ..... 562
Review Questions ..... 563
Hands-On Projects ..... 566
Case Projects ..... 574
CHAPTER 16
Ethics for the Expert Witness ..... 575
Applying Ethics and Codes to Expert Witnesses ..... 576
Computer Forensics Examiners' Roles in Testifying ..... 577
Considerations in Disqualification ..... 578
Traps for Unwary Experts ..... 579
Determining Admissibility of Evidence ..... 580
Organizations with Codes of Ethics ..... 580
International Society of Forensic Computer Examiners ..... 581
International High Technology Crime Investigation Association ..... 581
International Association of Computer Investigative Specialists ..... 582
American Bar Association ..... 582
American Medical Association ..... 583
American Psychological Association ..... 584
Ethical Difficulties in Expert Testimony ..... 585
Ethical Responsibilities Owed to You ..... 586
Standard and Personally Created Forensics Tools ..... 586
An Ethics Exercise ..... 587
Determining Hexadecimal Values for Text Strings ..... 587
Searching for Unicode Data in ProDiscover Basic ..... 588
Interpreting Attribute 0x80 Data Runs ..... 589
Carving Data Run Clusters Manually ..... 594
Chapter Summary ..... 597
Key Terms ..... 598
Review Questions ..... 598
Hands-On Projects ..... 600
Case Projects ..... 602
APPENDIX A
Certification Test References ..... 603
NIST Computer Forensics Tool Testing ..... 603
Types of Computer Forensics Certifications ..... 603
Professional Certifying Organizations ..... 604
Application Vendor Certifying Companies ..... 605
Computer Forensics Public and Private Training Groups ..... 605
APPENDIX B
Computer Forensics References ..... 607
Computer Forensics Reference Books ..... 607
MS-DOS Reference Books ..... 608
Windows Reference Books ..... 608
Linux Reference Books ..... 609
Legal Reference Books ..... 609
Web Links ..... 609
E-mail Lists ..... 610
Yahoo! Groups ..... 610
Professional Journals ..... 611
APPENDIX C
Computer Forensics Lab Considerations ..... 613
International Lab Certification ..... 613
Considering Office Ergonomics ..... 613
Considering Environmental Conditions ..... 614
Considering Structural Design Factors ..... 615
Determining Electrical Needs ..... 616
Planning for Communications ..... 616
Installing Fire-Suppression Systems ..... 617
APPENDIX D
DOS File System and Forensics Tools ..... 619
Overview of FAT Directory Structures ..... 619
Sample DOS Scripts ..... 623
Setting Up Your Workstation for Computer Forensics ..... 628
Creating Forensic Boot Media ..... 631
Assembling Tools for a Forensic Boot Floppy Disk ..... 631
Making an Image of a Floppy Disk in MS-DOS ..... 636
Using MS-DOS Acquisition Tools ..... 637
Understanding How DriveSpy Accesses Sector Ranges ..... 637
Using DriveSpy Data Preservation Commands ..... 639
Using DriveSpy Data Manipulation Commands ..... 645
Quick References for DriveSpy ..... 648
A Sample Script for DriveSpy ..... 649
Using X-Ways Replica ..... 651
GLOSSARY ..... 653
INDEX ..... 663
Preface
The rapid advance of technology has changed and influenced how we think about gathering digital evidence. Soon after the attacks on the World Trade Center in New York City on September 11, 2001, many young men and women volunteered to serve their country in different ways. For those who did not choose the military, options included positions with law enforcement and corporate security organizations. Ultimately, the combination of a renewed emphasis on homeland security along with the popularity of mainstream television shows, such as CSI, Forensic Files, and NCIS, has created a huge demand for highly educated specialists in the discipline of computer forensics. This demand is now being met by the advent of specialized forensics courses in colleges, universities, and even high schools throughout the United States.
Computer forensics, however, is by no means a new field of endeavor. During the early 1990s, while serving as a Special Agent with the Naval Criminal Investigative Service (NCIS), I realized that personal computers and, more specifically, unsecured personal computers posed a potential threat to national security. I became involved in conducting forensic investigations involving white collar crime, network intrusions, and telecommunications fraud. Recently, the U.S. government has taken significant steps to improve the quality and sophistication of the country's computer forensic capabilities, including the formation of the U.S. Cyber Command (CYBERCOM) in the Department of Defense. Today, most new computer forensics specialists can expect to be involved in a wide variety of investigations, including terrorism counterintelligence, financial fraud issues, intellectual property theft, data security breaches, and electronic data discovery.
The skill sets computer forensics specialists must have are varied. At a minimum, they must have an in-depth knowledge of the criminal justice system, computer hardware and software systems, and investigative and evidence-gathering protocols. The next generation of "digital detectives" will have to possess the knowledge, skills, and experience to conduct complex, data-intensive forensic examinations involving various operating systems, platforms, and file types with data sets in the multiple-terabyte range.
As time passes, the "hybrid discipline" of computer forensics is slowly evolving into a "hybrid science," the science of digital forensics. Many colleges and universities in the United States and the United Kingdom have created multidiscipline curriculums that will offer undergraduate and graduate degrees in digital forensics. Guide to Computer Forensics and Investigations, now in its fourth edition, has emerged as a significant authoritative text for the computer and digital forensics communities. It's my belief that this book, designed to be used primarily in an academic setting with an enthusiastic and knowledgeable facilitator, will make for a fascinating course of instruction.
Today, it's not just computers that harbor the binary code of 1s and 0s, but an infinite array of personal digital devices. If one of these devices retains evidence of a crime, it will be up to newly trained and educated digital detectives to find the digital evidence in a forensically sound manner. This book will assist both students and practitioners in accomplishing this goal.
Respectfully,
John A. Sgromolo
As a Senior Special Agent, John was one of the founding members of the NCIS Computer Crime Investigations Group. John left government service to run his own company, Digital Forensics, Inc., and has taught hundreds of law enforcement and corporate students nationwide the art and science of computer forensics investigations. Currently, John serves as the senior forensics examiner for digital forensic investigations at Verizon.
Introduction
Computer forensics has been a professional field for many years, but most well-established experts in the field have been self-taught. The growth of the Internet and the worldwide proliferation of computers have increased the need for computing investigations. Computers can be used to commit crimes, and crimes can be recorded on computers, including company policy violations, embezzlement, e-mail harassment, murder, leaks of proprietary information, and even terrorism. Law enforcement, network administrators, attorneys, and private investigators now rely on the skills of professional computer forensics experts to investigate criminal and civil cases.
This book is not intended to provide comprehensive training in computer forensics. It does, however,
give you a solid foundation by introducing computer forensics to those who are new to the field.
Other books on computer forensics are targeted to experts; this book is intended for novices who
have a thorough grounding in computer and networking basics.
The new generation of computer forensics experts needs more initial training because operating systems, computer hardware, and forensics software tools are changing more quickly. This book covers current and past operating systems and a range of computer hardware, from basic workstations to high-end network servers. Although this book focuses on a few forensics software tools, it also reviews and discusses other currently available tools.
The purpose of this book is to guide you toward becoming a skilled computer forensics investigator.
A secondary goal is to help you pass the appropriate certification exams. As the field of computer
forensics and investigations matures, keep in mind that certifications will change. You can find more
information on certifications in Chapter 3 and Appendix A.
Intended Audience
Although this book can be used by people with a wide range of backgrounds, it's intended for those with an A+ and Network+ certification or equivalent. A networking background is necessary so that you understand how PCs operate in a networked environment and can work with a network administrator when needed. In addition, you must know how to use a computer from the command line and how to use popular operating systems, including Windows, Linux, and Mac OS, and their related hardware.
This book can be used at any educational level, from technical high schools and community colleges
to graduate students. Current professionals in the public and private sectors can also use this book.
Each group will approach investigative problems from a different perspective, but all will benefit
from the coverage.
What's New in This Edition
The chapter flow of this book has been revised so that you're first exposed to what happens in a computer forensics lab and how to set one up before you get into the nuts and bolts. Coverage of several GUI tools has been added to give you a familiarity with some widely used software. In addition, Chapter 6 includes new information on interpreting the Windows NTFS Master File Table. The book's DVD includes video tutorials for each chapter that show how to perform the steps in in-chapter activities and explain how to use most of the forensics tools on the DVD. Corrections have been made to this edition based on feedback from users, and all software packages and Web sites have been updated to reflect what's current at the time of publication. A new lab manual is now offered to go with the new fourth edition textbook (ISBN: 1-4354-9885-2).
Chapter Descriptions
Here is a summary of the topics covered in each chapter of this book:
Chapter 1, "Computer Forensics and Investigations as a Profession," introduces you to the history of computer forensics and explains how the use of electronic evidence developed. It also introduces legal issues and compares public and private sector cases.
Chapter 2, "Understanding Computer Investigations," introduces you to tools used throughout the book and shows you how to apply scientific techniques to an investigative case. In addition, it covers procedures for corporate investigations, such as industrial espionage and employee termination cases.
Chapter 3, "The Investigator's Office and Laboratory," outlines physical requirements and equipment for computer forensics labs, from small private investigators' labs to the regional FBI lab. It also covers certifications for computing investigators and building a business case for a forensics lab.
Chapter 4, "Data Acquisition," explains how to prepare to acquire data from a suspect's drive and discusses available command-line and GUI acquisition tools. This chapter also discusses acquiring data from RAID systems and gives you an overview of tools for remote acquisitions.
Chapter 5, "Processing Crime and Incident Scenes," explains search warrants and the nature of a typical computer forensics case. It discusses when to use outside professionals, how to assemble a team, and how to evaluate a case and explains proper procedures for searching and seizing evidence. This chapter also introduces you to calculating hashes to verify data you collect.
Chapter 6, "Working with Windows and DOS Systems," discusses the most common operating systems. You learn what happens and what files are altered during computer startup and how each system deals with deleted and slack space. In addition, a new section on working with virtual machines has been added.
Chapter 7, "Current Computer Forensics Tools," explores current computer forensics software and hardware tools, including those that might not be readily available, and evaluates their strengths and weaknesses.
Chapter 8, "Macintosh and Linux Boot Processes and File Systems," continues the operating system discussion from Chapter 6 by examining Macintosh and Linux operating systems. It also covers CDs, DVDs, and SCSI, IDE/EIDE, and SATA drives.
Chapter 9, "Computer Forensics Analysis and Validation," covers determining what data to collect and analyze and refining investigation plans. It also explains validation with hex editors and forensics software, data-hiding techniques, and techniques for remote acquisitions.
Chapter 10, "Recovering Graphics Files," explains how to recover graphics files and examines data compression, carving data, reconstructing file fragments, and steganography and copyright issues.
Chapter 11, "Virtual Machines, Network Forensics, and Live Acquisitions," covers tools and methods for acquiring virtual machines, conducting network investigations, performing live acquisitions, and reviewing network logs for evidence. It also examines using UNIX/Linux tools and the Honeynet Project's resources.
Chapter 12, "E-mail Investigations," covers e-mail and Internet fundamentals and examines e-mail crimes and violations. It also reviews some specialized e-mail forensics tools.
Chapter 13, "Cell Phone and Mobile Device Forensics," covers investigation techniques and acquisition procedures for recovering data from cell phones and mobile devices. It also provides guidance on dealing with these constantly changing technologies.
Chapter 14, "Report Writing for High-Tech Investigations," discusses the importance of report writing in computer forensics examinations; offers guidelines on report content, structure, and presentation; and explains how to generate report findings with forensics software tools.
Chapter 15, "Expert Testimony in High-Tech Investigations," explores the role of an expert or technical/scientific witness, including developing a curriculum vitae, understanding the trial process, and preparing forensics evidence for testimony. It also offers guidelines for testifying in court and at depositions and hearings.
Chapter 16, Ethics for the Expert Witness,provides guidance in the principles and practice of
ethics for computer forensics investigators and examines other professional organizationscodes of
ethics.
Appendix A, Certification Test References,provides information on the National Institute of
Standards and Technology (NIST) testing processes for validating computer forensics tools and
covers computer forensics certifications and training programs.
Appendix B, Computer Forensics References,lists recommended books, journals, e-mail lists,
and Web sites for additional information and further study.
Appendix C, Computer Forensics Lab Considerations,provides more information on considera-
tions for forensics labs, including certifications, ergonomics, structural design, and communication
and fire-suppression systems.
Introduction xix
Appendix D, DOS File System and Forensics Tools, reviews FAT file system basics and explains using DOS computer forensics tools, creating forensic boot media, and using scripts. It also reviews DriveSpy commands and X-Ways Replica.
Features
To help you fully understand computer forensics, this book includes many features designed to enhance your learning experience:
Chapter objectives: Each chapter begins with a detailed list of the concepts to be mastered in that chapter. This list gives you a quick reference to the chapter's contents and is a useful study aid.
Figures and tables: Screenshots are used as guidelines for stepping through commands and forensics tools. For tools not included with the book or that aren't offered in free demo versions, figures have been added to illustrate the tool's interface. Tables are used throughout the book to present information in an organized, easy-to-grasp manner.
Chapter summaries: Each chapter's material is followed by a summary of the concepts introduced in that chapter. These summaries are a helpful way to review the ideas covered in each chapter.
Key terms: Following the chapter summary, all new terms introduced in the chapter in boldfaced text are gathered in the Key Terms list, with a full definition for each term. This list encourages a more thorough understanding of the chapter's key concepts and is a useful reference.
Review questions: The end-of-chapter assessment begins with a set of review questions that reinforce the main concepts in each chapter. These questions help you evaluate and apply the material you have learned.
Hands-on projects: Although understanding the theory behind computer technology is important, nothing can improve on real-world experience. To this end, each chapter offers several hands-on projects using software supplied with this book or free downloads. You can explore a variety of ways to acquire and even hide evidence. For the conceptual chapters, research projects are provided.
Case projects: At the end of each chapter are several case projects, including a running case example used throughout the book. To complete these projects, you must draw on real-world common sense as well as your knowledge of the technical topics covered to that point in the book. Your goal for each project is to come up with answers to problems similar to those you'll face as a working computer forensics investigator.
Video tutorials: The book's DVD includes audio-video instructions to help with learning the tools needed to perform in-chapter activities. Each tutorial is a .wmv file that can be played in most OSs. The skills learned from these tutorials can be applied to the hands-on projects at the end of each chapter.
Software and student data files: This book includes a DVD containing student data files and free software demo packages for use with activities and projects in the chapters. (Additional software demos or freeware can be downloaded to use in some projects.) Four software companies have graciously agreed to allow including their products with this book: Technology Pathways (ProDiscover Basic), AccessData (Forensic Toolkit, Registry Viewer, and FTK Imager), X-Ways (WinHex Demo), and Runtime Software (DiskExplorer for FAT, DiskExplorer for NTFS, and HDHOST). To check for newer versions or additional information, visit Technology Pathways, LLC at www.techpathways.com, AccessData Corporation at www.accessdata.com, X-Ways Software Technology AG at www.x-ways.net, and Runtime Software at www.runtime.org.
Text and Graphic Conventions
When appropriate, additional information and exercises have been added to this book to help you
better understand the topic at hand. The following icons used in this book alert you to additional
materials:
The Note icon draws your attention to additional helpful material related to
the subject being covered.
Tips based on the authors' experience offer extra information about how to
attack a problem or what to do in real-world situations.
The Caution icons warn you about potential mistakes or problems and
explain how to avoid them.
Each hands-on project in this book is preceded by the Hands-On icon and a
description of the exercise that follows.
These icons mark case projects, which are scenario-based assignments. In
these extensive case examples, youre asked to apply independently what you
have learned.
Instructor's Resources
The following additional materials are available when this book is used in a classroom setting. All the supplements available with this book are provided to instructors on a single CD (ISBN 1435498844). You can also retrieve these supplemental materials from the Cengage Web site, www.cengage.com, by going to the page for this book, under Download Instructor Files & Teaching Tools.
Electronic Instructor's Manual: The Instructor's Manual that accompanies this book includes additional instructional material to assist in class preparation, including suggestions for lecture topics, recommended lab activities, tips on setting up a lab for hands-on projects, and solutions to all end-of-chapter materials.
ExamView Test Bank: This cutting-edge Windows-based testing software helps instructors design and administer tests and pretests. In addition to generating tests that can be printed and administered, this full-featured program has an online testing component that allows students to take tests at the computer and have their exams automatically graded.
PowerPoint presentations: This book comes with a set of Microsoft PowerPoint slides for each chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be made available to students on the network for chapter review, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides for other topics introduced.
Figure files: All the figures in the book are reproduced on the Instructor's Resources CD. Similar to the PowerPoint presentations, they're included as a teaching aid for classroom presentation, to make available to students for review, or to be printed for classroom distribution.
Student Resources
Lab Manual for Guide to Computer Forensics and Investigations (ISBN: 1-4354-9885-2)
Companion to Guide to Computer Forensics and Investigations, Fourth Edition. This lab
manual provides students with additional hands-on experience.
Web-Based Labs for Guide to Computer Forensics and Investigations (ISBN: 1-4354-9886-0)
Using a real lab environment over the Internet, students can log on anywhere, anytime via a
Web browser to gain essential hands-on experience in computer forensics using labs from
Guide to Computer Forensics and Investigations, Fourth Edition.
Lab Requirements
The hands-on projects in this book help you apply what you have learned about computer forensics
techniques. The following sections list the minimum requirements for completing all the projects in
this book. In addition to the items listed, you must be able to download and install demo versions of
software.
Minimum Lab Requirements
Lab computers that boot to Windows XP
Computers that dual-boot to Linux or UNIX
At least one Macintosh computer running Mac OS X (although most projects are done in
Windows or Linux/UNIX)
An external USB, FireWire, or SATA drive larger than a typical 512 MB USB drive
The projects in this book are designed with the following hardware and software requirements in
mind. The lab in which most of the work takes place should be a typical network training lab with
a variety of operating systems and computers available.
Operating Systems and Hardware
Windows XP or Vista
Use a standard installation of Windows XP Professional or Vista. The computer running Windows
XP or Vista should be a fairly current model that meets the following minimum requirements:
USB ports
CD-ROM/DVD-ROM drive
VGA or higher monitor
Hard disk partition of 10 GB or more
Mouse or other pointing device
Keyboard
At least 512 MB RAM (more is recommended)
Linux
For this book, it's assumed you're using an Ubuntu, Red Hat Linux 9, or Fedora standard installation, although other Linux distributions will work with minor modifications. Also, some projects use specialized live Linux distributions, such as BackTrack. Some optional steps require the GIMP graphics editor, which must be installed separately in Red Hat Linux 9. Linux can be installed on a dual-boot computer as long as one or more partitions of at least 2 GB are reserved for the Linux OS.
Hard disk partition of 2 GB or more reserved for Linux
Other hardware requirements are the same as those listed for Windows computers
This book contains a dual-layered DVD with data files, demo soft-
ware, and video tutorials. Some older computers and DVD drives
might have difficulty reading data from this type of DVD. If you
have any problems, make sure your computer has a DVD drive capa-
ble of reading dual-layer DVDs, and copy the data to an external
USB or FireWire drive before transferring it to your computer.
Computer Forensics Software
Several computer forensics programs, listed previously under "Features," are supplied with this book. In addition, there are projects using the following software, most of which can be downloaded from the Internet as freeware, shareware, or free demo versions:
Because Web site addresses change frequently, use a search engine
to find the following software online if URLs are no longer valid.
Efforts have been made to provide information thats current at the
time of writing, but things change constantly on the Web. Learning
how to use search tools to find what you need is a valuable skill
youll use as a computer forensics investigator.
BackTrack 3: Download from www.remote-exploit.org/backtrack.html.
BitPim: Download from www.bitpim.org.
BlackBag Technologies Macintosh Forensic Software: Download a trial version from www.
blackbagtech.com/support/downloads.html. (Note that you must e-mail for a username and
password before you can download the software. In addition, this URL has recently changed
from the one given in Chapter 8.)
HexWorkshop: Download from Breakpoint Software at www.hexworkshop.com.
IrfanView: Download from www.irfanview.com.
Knoppix-STD: Download the ISO image from http://s-t-d.org and burn it to a CD.
Microsoft Virtual PC: Download from www.microsoft.com/virtualpc. (Check with your instruc-
tor about using an ISO image that the Microsoft Academic Alliance provides to schools.)
OpenOffice (includes OpenCalc): Download from www.openoffice.org.
PsTools: Download from www.microsoft.com/technet/sysinternals/Utilities/PsTools.mspx.
SecureClean: Download from www.whitecanyon.com/secureclean.php.
SIMCon: Download a commercial version from www.simcon.no.
Sleuth Kit 2.08 and Autopsy Browser 2.07: Download from www.sleuthkit.org.
S-Tools4: Download from www.stegoarchive.com.
WinZip: Download an evaluation version from www.winzip.com/download.htm.
Wireshark: Download from www.wireshark.org.
In addition, you use Microsoft Office Word (or other word processing software) and Excel (or other
spreadsheet software) as well as a Web browser. You also need to have e-mail software installed on
your computer, as explained in Chapter 12.
About the Authors
Bill Nelson has been a lead computer forensics investigator for a Fortune 50 company for more than
11 years and has developed high-tech investigation programs for professional organizations and col-
leges. His previous experience includes Automated Fingerprint Identification System (AFIS) software
engineering and reserve police work. Bill has served as president and vice president for Computer
Technology Investigators Northwest (CTIN) and is a member of Computer Related Information
Management and Education (CRIME). He routinely lectures at several colleges and universities in
the Pacific Northwest.
Amelia Phillips is a graduate of the Massachusetts Institute of Technology with B.S. degrees in astro-
nautical engineering and archaeology and an MBA in technology management. After serving as an
engineer at the Jet Propulsion Lab, she worked with e-commerce Web sites and began her training
in computer forensics to prevent credit card numbers from being stolen from sensitive e-commerce
databases. She designed certificate and AAS programs for community colleges in e-commerce, net-
work security, computer forensics, and data recovery. She is currently tenured at Highline Commu-
nity College in Seattle, Washington. Amelia is a Fulbright Scholar who taught at Polytechnic of
Namibia in 2005 and 2006.
Christopher Steuart is a practicing attorney maintaining a general litigation practice, with experience in information systems security for a Fortune 50 company and the U.S. Army. He is also General Counsel for Computer Technology Investigators Northwest (CTIN). He has presented computer forensics seminars in regional and national forums, including the American Society for Industrial Security (ASIS), Agora, Northwest Computer Technology Crime Analysis Seminar (NCT), and CTIN.
Acknowledgments
The team would like to express its appreciation to Acquisitions Editor Steve Helba, who has given us a
great deal of moral support. We would like to thank the entire editorial and production staff for their
dedication and fortitude during this project, including Michelle Ruelos Cannistraci, Senior Product
Manager, and Jessica McNavich, Content Project Manager. Our special thanks go to Lisa Lord, the
Developmental Editor. We also appreciate the careful reading and thoughtful suggestions of the
Technical Editor, John Bosco. We would like to thank the reviewers: Dean Farwood, Heald College, and
Michael Goldner, ITT Technical Institute. We would also like to thank Franklin Clark, an investigator
for the Pierce County Prosecutor in Tacoma, Washington, for his input, and Mike Lacey for his photos.
Bill Nelson
I want to express my appreciation to my wife, Tricia, for her support during the long hours spent writing, along with my mother, Celia, and in memory of my father, Harry, for their encouragement these past years. I would also like to express appreciation to my coauthors along with our editors for the team effort in producing this book. And special thanks for the support and encouragement from my computer forensics colleagues: Franklin Clark of the Pierce County Prosecutor's Office, Tacoma, Washington; Detective Mike McNown, retired, Wichita PD; Scott Larson and Don Allison of Stroz Friedberg, LLC; Detectives Brian Palmer, Barry Walden, and Melissa Rogers of the King County Sheriff's Office, Seattle, Washington; John Sgromolo of Verizon; Art Ehuan of Digital First; Brett Shavers of e3Discovery; Clint Baker of the RCMP; Colin Cree of Forensic Data Recovery, Inc.; Chris Brown of Technology Pathways; Gordon Ross, formerly of Net Nanny; and Gordon Mitchell of Future Focus, Inc.
Amelia Phillips
My deepest gratitude goes to my coauthor Bill Nelson. I want to reiterate the thanks to Steve Helba and
Lisa Lord for their patience and support. Acknowledgments go to my students who helped with research
on determining what you can and can't do with a cell phone: Ron FryFrymier, Rachel Sundstrom,
Anne Weingart, Dave Wilson, Casey Draper, and Lynne Bowen. Acknowledgments also go to the fabu-
lous group of students who put together the firestarter/arson case project used in the book. I would also
like to thank the students from the Seattle area PDs and corporations who gave me a lot of case histo-
ries and insight. Thanks also go to Teressa Mobley, Detective Melissa Rogers, and Deb Buser who
helped me with several cases and the cell phone software. Thanks go to my friends for their support,
and special thanks to my aunties, who are all great teachers and set an excellent example for me.
Christopher K. Steuart
I would like to express my appreciation to my wife, Josephine, son, Alexander, and daughter, Isobel,
for their enthusiastic support of my commitment to Guide to Computer Forensics and Investigations,
even as it consumed time and energy that they deserved. I also want to express my thanks to my par-
ents, William and Mary, for their support of my education and development of the skills needed for
this project. I thank my coauthors for inviting me to join them in this project. I would like to express
my appreciation to the Boy Scouts of America for providing me with the first of many leadership
opportunities in my life. I want to recognize Lieutenant General (then Captain) Edward Soriano for
seeing the potential in me as a young soldier and encouraging me in learning the skills required to
administer, communicate with, and command an organization within the structure of law, regulation,
and personal commitment. I must also thank the faculty of Drake University Law School, particularly
Professor James A. Albert, for encouraging me to think and write creatively about the law. I also note
the contribution of Diane Gagon and the staff of the Seattle Mission of the Church of Scientology in
supporting my better understanding of commitment to myself and others.
Photo Credits
Figure 1-3: 8088 computer courtesy of IBM Corporate Archives
Chapter 1
Computer Forensics and Investigations as a Profession
After reading this chapter and completing the
exercises, you will be able to:
Define computer forensics
Describe how to prepare for computer investigations and explain the
difference between law enforcement agency and corporate
investigations
Explain the importance of maintaining professional conduct
In the past several years, the field of computer forensics and investigations has evolved
significantly. This chapter introduces you to computer forensics and investigations and dis-
cusses some problems and concerns prevalent in the industry. This book blends traditional
investigation methods with classic systems analysis problem-solving techniques and applies
them to computer investigations. An understanding of these disciplines combined with the
use of computer forensics tools will make you a highly skilled computer forensics examiner.
Understanding Computer Forensics
Computer forensics involves obtaining and analyzing digital information for use as evidence in
civil, criminal, or administrative cases. The Federal Rules of Evidence (FRE) have controlled the
use of digital evidence since 1970; from 1970 to 1985, state rules of evidence, as they were
adopted by each state, controlled use of this type of evidence. The FBI Computer Analysis and
Response Team (CART) was formed in 1984 to handle the increasing number of cases involving
digital evidence. Figure 1-1 shows the home page for the FBI CART. By the late 1990s, CART
had teamed up with the Department of Defense Computer Forensics Laboratory (DCFL) for
research and training. Much of the early curriculum in this field came from the DCFL.
Documents maintained on a computer are covered by different rules, depending on the nature of the documents. Many court cases in state and federal courts have developed and clarified how the rules apply to digital evidence. For example, the Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's right to be secure in their person, residence, and property from unreasonable search and seizure. The jurisprudence of this amendment continues to develop, and it determines whether a search for digital evidence is treated differently from a search for physical evidence; under some rulings, a separate search warrant for the computer might not be necessary. However, when preparing to search for evidence in a criminal case, many investigators still include the suspect's computer and its components in the search warrant to avoid later admissibility problems.
Figure 1-1 The FBI CART Web site
In a significant case, the Pennsylvania Supreme Court addressed expectations of privacy and whether evidence is admissible (see Commonwealth v. Copenhefer, 587 A.2d 1353, 526 Pa. 555 [1991]). Initial investigations by the FBI, state police, and local police resulted in the discovery of a series of computer-generated notes and instructions, each one leading to another, which had been concealed in hiding places in and around Corry, Pennsylvania. The investigation also produced several possible suspects, including David Copenhefer, who owned a nearby bookstore and apparently had bad personal relations with the victim and her husband. Examination of trash discarded from Copenhefer's store revealed drafts of the ransom note and directions. Subsequent search warrants resulted in seizure of evidence against him. Copenhefer's computer contained "several drafts and amendments of the text of the phone call to the victim on Thursday, the phone call to the victim's husband on Friday, the ransom note, the series of hidden notes, and a plan for the entire kidnapping scheme" (Copenhefer, p. 559).
On direct appeal, the Pennsylvania Supreme Court concluded that the physical evidence, including the computer forensics evidence, was sufficient to support the bookstore owner's conviction. Copenhefer's argument was that "[E]ven though his computer was validly seized pursuant to a warrant, his attempted deletion of the documents in question created an expectation of privacy protected by the Fourth Amendment. Thus, he claims, under Katz v. United States, 389 U.S. 347, 357, 88 S.Ct. 507, 19 L.Ed.2d 576 (1967), and its progeny, Agent Johnson's retrieval of the documents, without first obtaining another search warrant, was unreasonable under the Fourth Amendment and the documents thus seized should have been suppressed" (Copenhefer, p. 561).
The Pennsylvania Supreme Court rejected this argument, stating "A defendant's attempt to secrete evidence of a crime is not synonymous with a legally cognizable expectation of privacy. A mere hope for secrecy is not a legally protected expectation. If it were, search warrants would be required in a vast number of cases where warrants are clearly not necessary" (Copenhefer, p. 562).
Almost every United States jurisdiction now has case law related to the admissibility of evi-
dence recovered from computers. Canadian criminal law is primarily federal and generally
enforced in provincial court.
The United States Department of Justice offers a useful guide to search and seizure procedures for computers and computer evidence at www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm. This guide includes the 2006 update on search warrants and affidavits.
Computer Forensics Versus Other Related Disciplines
According to DIBS USA, Inc., a privately owned corporation specializing in computer foren-
sics (www.dibsusa.com), computer forensics involves scientifically examining and analyzing
data from computer storage media so that the data can be used as evidence in court. You
can find a similar definition on the FBI's Web site (www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm). Typically, investigating computers includes collecting computer data securely,
examining suspect data to determine details such as origin and content, presenting computer-
based information to courts, and applying laws to computer practice.
In general, computer forensics investigates data that can be retrieved from a computer's hard
drive or other storage media. Like an archaeologist excavating a site, computer investigators
retrieve information from a computer or its component parts. The information you retrieve
might already be on the drive, but it might not be easy to find or decipher. In contrast, net-
work forensics yields information about how a perpetrator or an attacker gained access to a
network.
Network forensics investigators use log files to determine when users logged on and deter-
mine which URLs users accessed, how they logged on to the network, and from what loca-
tion. Keep in mind, however, that network forensics also tries to determine what tracks or
new files were left behind on a victim's computer and what changes were made. In Chapter
11, you explore when and how network forensics should be used in your investigation.
Computer forensics is also different from data recovery, which involves recovering informa-
tion from a computer that was deleted by mistake or lost during a power surge or server
crash, for example. In data recovery, typically you know what you're looking for. Computer forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence. The evidence can be inculpatory (in criminal cases, the expression is "incriminating") or exculpatory, meaning it might clear the suspect. Investigators often examine a computer disk not knowing whether
it contains evidence. They must search storage media, and if they find data, they piece it
together to produce evidence. Forensics software tools can be used for most cases. In extreme
cases, investigators can use electron microscopes and other sophisticated equipment to
retrieve information from machines that have been damaged or reformatted purposefully.
This method is usually cost prohibitive, running from a low end of US$3,000 to more than
US$20,000, so its not normally used.
Like companies specializing in data recovery, companies specializing in disaster recovery use
computer forensics techniques to retrieve information their clients have lost. Disaster recovery
also involves preventing data loss by using backups, uninterruptible power supply (UPS)
devices, and off-site monitoring.
Investigators often work as a team to make computers and networks secure in an organiza-
tion. The computer investigations function is one of three in a triad that makes up computing
security. In an enterprise network environment, the triad consists of the following parts
(shown in Figure 1-2):
Vulnerability assessment and risk management
Network intrusion detection and incident response
Computer investigations
Figure 1-2 The investigations triad
Each side of the triad in Figure 1-2 represents a group or department responsible for per-
forming the associated tasks. Although each function operates independently, all three groups
draw from one another when a large-scale computing investigation is being conducted. By
combining these three groups into a team, all aspects of a high-technology investigation are
addressed without calling in outside specialists.
The term enterprise network environment refers to large corporate computing systems that
might include disparate or formerly independent systems. In smaller companies, one group
might perform the tasks shown in the investigations triad, or a small company might contract
with other companies for these services.
When you work in the vulnerability assessment and risk management group, you test and
verify the integrity of standalone workstations and network servers. This integrity check cov-
ers the physical security of systems and the security of operating systems (OSs) and applica-
tions. People who work in this group test for known vulnerabilities of OSs and applications
used in the network. This group also launches attacks on the network and its workstations
and servers to assess vulnerabilities. Typically, people performing this task have several years
of experience in UNIX and Windows administration.
Professionals in the vulnerability assessment and risk management group also need skills in net-
work intrusion detection and incident response. This group detects intruder attacks by using
automated tools and monitoring network firewall logs manually. When an external attack is
detected, the response team tracks, locates, and identifies the intrusion method and denies further
access to the network. If an intruder launches an attack that causes damage or potential damage,
this team collects the necessary evidence, which can be used for civil or criminal litigation against
the intruder. Litigation is the legal process of establishing criminal or civil liability in court.
If an internal user is engaged in illegal acts, the network intrusion detection and incident
response group responds by locating the user and blocking his or her access. For example,
someone at a community college sends inflammatory e-mails to other users on the network.
The network team realizes that the e-mails are coming from a node on the internal network
and dispatches a security team to the location. Vulnerability assessment staff often contribute
significantly to computing investigations.
The computer investigations group manages investigations and conducts forensic analysis of
systems suspected of containing evidence related to an incident or a crime. For complex case-
work, the computer investigations group draws on resources from those involved in vulnera-
bility assessment, risk management, and network intrusion detection and incident response.
This group resolves or terminates all case investigations.
A Brief History of Computer Forensics
Thirty years ago, most people didn't imagine that computers would be an integral part of
everyday life. Now computer technology is commonplace, as are crimes in which a computer
is the instrument of the crime, the target of the crime, and, by its nature, the location where
evidence is stored or recorded.
By the 1970s, electronic crimes were increasing, especially in the financial sector. Most com-
puters in this era were mainframes, used by trained people with specialized skills who
worked in finance, engineering, and academia. White-collar fraud began when people in
these industries saw a way to make money by manipulating computer data. One of the most
well-known crimes of the mainframe era is the one-half cent crime. Banks commonly tracked money in accounts to the third decimal place or more. They used, and still use, the "rounding up" accounting method when paying interest. If the interest applied to an account resulted in
a fraction of a cent, that fraction was used in the calculation for the next account until the
total resulted in a whole cent. It was assumed that sooner or later every customer would ben-
efit. Some computer programmers corrupted this method by opening an account for them-
selves and writing programs that diverted all the fractional monies into their accounts. In
small banks, this practice amounted to only a few hundred dollars a month. In large banks
with many branch offices, however, the amount reached hundreds of thousands of dollars.
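As an added worked example, not from the book, the following Python simulates the carry-forward rounding scheme described above, the diversion of every fraction into one account that turned it into the one-half cent crime, and the per-account reconciliation an examiner would run to expose it. The 0.4 % monthly rate, the thousandth-of-a-dollar internal precision, the account IDs, and every balance are assumptions constructed for the example.

```python
"""Simulation of the one-half cent (salami-slicing) fraud and a per-account audit
that detects it.  Added example, not from the book: the rate, the sub-cent
precision, and all account balances below are assumptions / constructed data."""
from decimal import Decimal, ROUND_DOWN
import random

CENT = Decimal("0.01")
MIL = Decimal("0.001")     # assumed internal precision: thousandths of a dollar
RATE = Decimal("0.004")    # assumed monthly interest rate of 0.4 %


def exact_interest(balance, rate=RATE):
    """Interest owed on one account, truncated to the ledger's internal precision."""
    return (balance * rate).quantize(MIL, rounding=ROUND_DOWN)


def post_interest(accounts, rate=RATE, divert_to=None):
    """Credit whole cents of interest to every account.

    divert_to=None reproduces the scheme in the text: the sub-cent remainder of
    each account is carried into the next account's calculation until it makes
    up a whole cent, which that account receives.  Passing an account ID
    reproduces the fraud: every remainder is pocketed and credited to that account.
    Returns {account: credited interest in whole cents}.
    """
    credited = {}
    carry = Decimal("0")
    diverted = Decimal("0")
    for acct, balance in accounts.items():
        due = exact_interest(balance, rate)
        if divert_to is None:
            due += carry
            whole = due.quantize(CENT, rounding=ROUND_DOWN)
            carry = due - whole            # < one cent, rides to the next account
        else:
            whole = due.quantize(CENT, rounding=ROUND_DOWN)
            diverted += due - whole        # the fraud: keep every fraction
        credited[acct] = whole
    if divert_to is not None:
        credited[divert_to] = credited.get(divert_to, Decimal("0.00")) \
            + diverted.quantize(CENT, rounding=ROUND_DOWN)
    return credited


def audit(accounts, credited, rate=RATE, tolerance=CENT):
    """Recompute each account's interest independently and flag any account whose
    posted credit exceeds it by more than `tolerance`.

    Under the honest carry scheme an account can receive at most the fraction
    carried in from its predecessor, which is always below one cent, so a larger
    excess means fractions from other accounts are being funnelled into it.
    Returns {account: excess} for the flagged accounts.
    """
    flagged = {}
    for acct, posted in credited.items():
        expected = exact_interest(accounts.get(acct, Decimal("0")), rate)
        excess = posted - expected
        if excess > tolerance:
            flagged[acct] = excess
    return flagged


def constructed_ledger(n=5000, seed=7):
    """Constructed data: n customer balances between $10 and $50,000 plus the
    insider's own account, which holds only $10."""
    rng = random.Random(seed)
    accounts = {f"CUST-{i:05d}": Decimal(rng.randint(1_000, 5_000_000)) / 100
                for i in range(n)}
    accounts["EMP-0001"] = Decimal("10.00")
    return accounts


def run(n=5000, seed=7):
    """Post one month of interest honestly and fraudulently, then audit both runs."""
    accounts = constructed_ledger(n, seed)
    honest = post_interest(accounts)
    fraud = post_interest(accounts, divert_to="EMP-0001")
    exact_total = sum(exact_interest(b) for b in accounts.values())
    return {
        "honest_flags": audit(accounts, honest),
        "fraud_flags": audit(accounts, fraud),
        # Totals reconcile to the cent in BOTH runs: a totals-only check
        # cannot see the theft, because nothing is created, only moved.
        "honest_total_ok": abs(sum(honest.values()) - exact_total) < CENT,
        "fraud_total_ok": abs(sum(fraud.values()) - exact_total) < CENT,
    }


if __name__ == "__main__":
    result = run()
    print("honest run flagged:", result["honest_flags"])
    print("fraud run flagged:", {k: str(v) for k, v in result["fraud_flags"].items()})
    print("totals reconcile (honest, fraud):",
          result["honest_total_ok"], result["fraud_total_ok"])
```

Running it shows that the ledger balances to the cent in both runs while only the per-account recomputation flags EMP-0001. That is the practical lesson of the case: the examiner recomputes from source data rather than trusting the system's own summary totals.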
During this time, most law enforcement officers didn't know enough about computers to ask
the right questions or to preserve evidence for trial. Many began to attend the Federal Law
Enforcement Training Center (FLETC) programs designed to train law enforcement in recov-
ering digital data.
As PCs gained popularity and began to replace mainframe computers in the 1980s, many different OSs emerged. Apple released the Apple IIe in 1983 and then the Macintosh in 1984.
Computers such as the TRS-80 and Commodore 64 were the machines of the day. CP/M
machines, such as the Kaypro and Zenith, were also in demand.
Disk Operating System (DOS) was available in many varieties, including PC-DOS, QDOS,
DR-DOS, IBM-DOS, and MS-DOS. Forensics tools at that time were simple, and most were
generated by government agencies, such as the Royal Canadian Mounted Police (RCMP,
which had its own investigative tools) and the U.S. Internal Revenue Service (IRS). Most
tools were written in C and assembly language and werent available to the general public.
In the mid-1980s, a new tool, Xtree Gold, appeared on the market. It recognized file types and retrieved lost or deleted files. Norton DiskEdit soon followed and became the preferred tool for finding deleted files. You could use these tools on the most powerful PCs of that time; IBM-compatible computers had 10 MB hard disks and two floppy drives, as shown in Figure 1-3.
Figure 1-3 An 8088 computer
In 1987, Apple produced the Mac SE, a Macintosh with an external EasyDrive hard disk
with 60 MB of storage (see Figure 1-4). At this time, the popular Commodore 64 still used
standard audiotapes to record data, so the Mac SE represented an important advance in
computer technology.
By the early 1990s, specialized tools for computer forensics were available. The International Association of Computer Investigative Specialists (IACIS) introduced training on software for forensics investigations, and the IRS created search-warrant programs. However, no commercial GUI software for computer forensics was available until ASR Data created Expert Witness for Macintosh. This software could recover deleted files and fragments of deleted files. One of the ASR Data partners later left and developed EnCase, which has become a popular computer forensics tool.
As computer technology continued to evolve, more computer forensics software was developed. The introduction of large hard disks posed new problems for investigators. Most DOS-based software didn't recognize a hard disk larger than 8 GB. Because contemporary computers have hard disks of 200 GB and larger, changes in forensics software were needed. Later in this book, you explore the challenges of using older software and hardware.
Other software, such as ILook, which is currently maintained by the IRS Criminal Investigation Division and limited to law enforcement, can analyze and read special files that are copies of a disk. AccessData Forensic Toolkit (FTK) has become a popular commercial product that performs similar tasks in the law enforcement and civilian markets, and you use it in several projects in this book.
As software companies become savvier about computer forensics and investigations, they are publishing more forensics tools to keep pace with technology. This book discusses as many tools as possible. You should also refer to trade publications and Web sites, such as www.ctin.org (Computer Technology Investigators Network) and www.usdoj.gov (U.S. Department of Justice), to stay current.
Figure 1-4 A Mac SE with an external EasyDrive hard disk
Understanding Case Law
The technology of computers and other digital devices is evolving at an exponential pace. Existing laws and statutes simply can't keep up with the rate of change. Therefore, when statutes or regulations don't exist, case law is used. Case law allows legal counsel to use previous cases similar to the current one and addresses the ambiguity in laws. Each new case is evaluated on its own merit and issues. The University of Rhode Island (http://dfc.cs.uri.edu) cites many cases in which problems occurred in the past. One example on the Web site is about an investigator viewing computer files by using a search warrant related to drug dealing. While viewing the files, he ran across images of child pornography. Instead of waiting for a new warrant, he kept searching. As a result, all evidence regarding the pictures was excluded. Investigators must be familiar with recent rulings to avoid making similar mistakes. Be aware that case law doesn't involve creating new criminal offenses, however.
Developing Computer Forensics Resources
To be a successful computer forensics investigator, you must be familiar with more than one computing platform. In addition to older platforms, such as DOS and Windows 9x, you should be familiar with Linux, Macintosh, and current Windows platforms. However, no one can be an expert in every aspect of computing. Likewise, you can't know everything about the technology you're investigating. To supplement your knowledge, you should develop and maintain contact with computing, network, and investigative professionals. Keep a log of contacts, and record the names of other professionals you've worked with, their areas of expertise, the most recent projects you worked on together, and their contributions.
Join computer user groups in both the public and private sectors. In the Pacific Northwest, for example, Computer Technology Investigators Network (CTIN) meets monthly to discuss problems that law enforcement and corporations face. This nonprofit organization also conducts free training. You can probably locate a similar group in your area, such as the High Technology Crime Investigation Association (HTCIA), an organization that exchanges information about techniques related to computer investigations and security. (For more information, visit www.htcia.org.) In addition, build your own network of computer forensics experts and other professionals, and keep in touch through e-mail. Cultivate professional relationships with people who specialize in technical areas different from your own specialty. If you're a Windows expert, for example, maintain contact with experts in Linux, UNIX, and Macintosh.
User groups can be especially helpful when you need information about obscure OSs. For example, a user group helped convict a child molester in Pierce County, Washington, in 1996. The suspect installed video cameras throughout his house, served alcohol to young women to intoxicate them, and secretly filmed them playing strip poker. When he was accused of molesting a child, police seized his computers and other physical evidence. The investigator discovered that the computers used CoCo DOS, an OS that had been out of use for years. The investigator contacted a local user group, which supplied the standard commands and other information needed to gain access to the system. On the suspect's computer, the investigator found a diary detailing the suspect's actions over the past 15 years, including the molestation of more than 400 young women. As a result, the suspect received a longer sentence than if he had been convicted of molesting only one child.
Outside experts can provide detailed information you need to retrieve digital evidence. For example, a recent murder case involved a husband and wife who owned a Macintosh store. When the wife was discovered dead, apparently murdered, investigators found that she had wanted to leave her husband but didn't because of her religious beliefs. The police got a search warrant and confiscated the home and office computers. When the detective on the case examined the home Macintosh, he found that the hard drive had been compressed and erased. He contacted a Macintosh engineer, who determined the two software programs used to compress the drive. With this knowledge, the detective could retrieve information from the hard drive, including text files indicating that the husband spent $35,000 in business funds to purchase cocaine and prostitution services. This evidence proved crucial in making it possible to convict the husband of premeditated murder.
Take advantage of newsgroups, electronic mailing lists, and similar services devoted to computer forensics to solicit advice from experts. In one case, investigators couldn't access the hard disk of an Intel computer containing digital evidence without the password, which was hard-coded in the motherboard. When they began to run out of options and time, they posted a description of the problem on a mailing list. A list member told them that a dongle (a mechanical device) would bypass the password problem. As a result, the investigators were able to gather evidence to convict the perpetrator.
More recent cases involve laptops with specially designed ways of physically accessing the hard drives. Sometimes the manufacturer won't tell the average person who calls how to access a laptop's hard drive. Several investigators have had to go through law enforcement contacts to get this information, another example of the importance of developing good relationships with people in all aspects of the digital industry, not just other investigators.
Preparing for Computer Investigations
Computer investigations and forensics could be categorized several ways; for the purposes of this discussion, they fall into two distinct categories: public investigations and private or corporate investigations (see Figure 1-5).
Public investigations involve government agencies responsible for criminal investigations and
prosecution. Government agencies range from local, county, and state or provincial police
departments to federal regulatory enforcement agencies. These organizations must observe
legal guidelines, such as Article 8 in the Charter of Rights of Canada, the Criminal Procedures
Act of the Republic of Namibia, and U.S. Fourth Amendment issues of search and seizure (see
Figure 1-6).
The law of search and seizure protects the rights of all people, including (and perhaps especially) people suspected of crimes; as a computer investigator, you must be sure to follow these laws. The Department of Justice (DOJ) updates information on computer search and seizure regularly (see www.usdoj.gov/criminal/cybercrime/).
Public investigations usually involve criminal cases and government agencies; private or corporate investigations, however, deal with private companies, non-law-enforcement government agencies, and lawyers. These private organizations aren't governed directly by criminal law or Fourth Amendment issues but by internal policies that define expected employee behavior and conduct in the workplace. Private corporate investigations can also involve litigation.
Figure 1-5 Public and private investigations
Figure 1-6 The Fourth Amendment
Although private investigations are usually conducted in civil cases, a civil case can develop
into a criminal case, and a criminal case can have implications leading to a civil case. If you
follow good forensics procedures, the evidence found in your investigations can make the
transition between civil and criminal cases.
Understanding Law Enforcement Agency Investigations
When conducting public computer investigations, you must understand city, county, state or province, and federal or national laws on computer-related crimes, including standard legal processes and how to build a criminal case. In a criminal case, a suspect is tried for a criminal offense, such as burglary, murder, molestation, or fraud. To determine whether there was a computer crime, an investigator asks questions such as the following: What was the tool used to commit the crime? Was it a simple trespass? Was it a theft, a burglary, or vandalism? Did the perpetrator infringe on someone else's rights by cyberstalking or e-mail harassment?
Laws, including procedural rules, vary by jurisdiction and can be quite different. Therefore, this book points out when items accepted in U.S. courts don't stand up in other courts. Lately, a major issue has been European Union (EU) privacy laws as opposed to U.S. privacy laws. Issues related to international companies are still being defined. Over the past decade, more companies have been consolidating into global entities. As a result, internal corporate investigations can involve laws of multiple countries. For example, a company has a subsidiary operating in Australia. An employee at that subsidiary is suspected of fraud, and as part of your investigation, you need to seize his cell phone. Under U.S. law, you can if he used it on company property and synchronized it with the company network. Under Australian law, you cannot.
Computers and networks might be only tools used to commit crimes and are, therefore, no different from the lockpick a burglar uses to break into a house. For this reason, many states have added specific language to criminal codes to define crimes involving computers. For example, they have expanded the definition of laws for crimes such as theft to include taking data from a computer without the owner's permission, so computer theft is now on a par with shoplifting or car theft. Other states have instituted specific criminal statutes that address computer-related crimes but typically don't include computer-related issues in standard trespass, theft, vandalism, or burglary laws. The Computer Fraud and Abuse Act was passed in 1986, but specific state laws weren't formulated until later. To this day, many state laws on computer crime have yet to be tested in court.
Computers are involved in many serious crimes. The most notorious are those involving sexual exploitation of minors. Digital images are stored on hard disks, Zip disks, floppy disks, USB drives, removable hard drives, and other storage media and circulated on the Internet. Other computer crimes concern missing children and adults because information about missing people is often found on computers. Drug dealers often keep information about transactions on their computers or personal digital assistants (PDAs). This information is especially useful because it helps law enforcement officers convict the person they arrested and locate drug suppliers and other dealers. Additionally, in stalking cases, deleted e-mail, digital photos, and other evidence stored on a computer can help solve a case.
Following the Legal Processes
When conducting a computer investigation for potential criminal violations of the law, the legal processes you follow depend on local custom, legislative standards, and rules of evidence. In general, however, a criminal case follows three stages: the complaint, the investigation, and the prosecution (see Figure 1-7). Someone files a complaint; a specialist investigates the complaint and, with the help of a prosecutor, collects evidence and builds a case. If a crime has been committed, the case is tried in court.
A criminal investigation can begin only when someone finds evidence of an illegal act or witnesses an illegal act. The witness or victim (often referred to as the complainant) makes an allegation to the police, an accusation or supposition of fact that a crime has been committed.
A police officer interviews the complainant and writes a report about the crime. The police
department processes the report, and management decides to start an investigation or log
the information into a police blotter. The police blotter provides a record of clues to crimes
that have been committed previously. Criminals often repeat actions in their illegal activities,
and these habits can be discovered by examining police blotters. This historical knowledge is
useful when conducting investigations, especially in high-technology crimes. Blotters now are
generally electronic files, often databases, so they can be searched more easily than the old
paper blotters.
Not every police officer is a computer expert. Some are computer novices; others might be trained to recognize what they can retrieve from a computer disk. To differentiate the training and experience officers have, CTIN has established three levels of law enforcement expertise:
Level 1: Acquiring and seizing digital evidence, normally performed by a police officer on the scene.
Level 2: Managing high-tech investigations, teaching investigators what to ask for, and understanding computer terminology and what can and can't be retrieved from digital evidence. The assigned detectives usually handle the case.
Level 3: Specialist training in retrieving digital evidence, normally conducted by a data recovery or computer forensics expert, network forensics expert, or Internet fraud investigator. This person might also be qualified to manage a case, depending on his or her background.
Figure 1-7 The public-sector case flow
If you're an investigator assigned to a case, recognize the level of expertise of police officers and others involved in the case. You should have Level 3 training to conduct the investigation and manage the computer forensics aspects of the case. You start by assessing the scope of the case, which includes the computer's OS, hardware, and peripheral devices. You then determine whether resources are available to process all the evidence. For example, collecting evidence is more difficult when information is stored on PDAs, cell phones, and other mobile devices. Determine whether you have the right tools to collect and analyze evidence and whether you need to call on other specialists to assist in collecting and processing evidence. After you have gathered the resources you need, your role is to delegate, collect, and process the information related to the complaint.
After you build a case, the information is turned over to the prosecutor. Your job is finished when you have used all known and available methods to extract data from the digital evidence that was seized. As an investigator, you must then present the collected evidence with a report to the government's attorney. Depending on the community and the nature of the crime, the prosecutor can be a prosecuting attorney, district attorney, state attorney, county attorney, Crown attorney, or U.S. attorney.
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit an affidavit. This sworn statement of support of facts about or evidence of a crime is submitted to a judge with the request for a search warrant before seizing evidence. Figure 1-8 shows a typical affidavit. It's your responsibility to write the affidavit, which must include exhibits (evidence) that support the allegation to justify the warrant. You must then have the affidavit notarized under sworn oath to verify that the information in the affidavit is true. (You learn more about affidavits in Chapter 14.)
Figure 1-8 Typical affidavit language
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. After you collect the evidence, you process and analyze it to determine whether a crime actually occurred. The evidence can then be presented in court in a hearing or trial. A judge or an administrative law judge then renders a judgment, or a jury hands down a verdict (after which a judge can enter a judgment).
Understanding Corporate Investigations
Private or corporate investigations involve private companies and lawyers who address company policy violations and litigation disputes, such as wrongful termination. When conducting a computer investigation for a private company, remember that business must continue with minimal interruption from your investigation. Because businesses usually focus on continuing their usual operations and making profits, many in a private corporate environment consider your investigation and apprehension of a suspect secondary to stopping the violation and minimizing damage or loss to the business. Businesses also strive to minimize or eliminate litigation, which is an expensive way to address criminal or civil issues. Corporate computer crimes can involve e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage, which involves selling sensitive or confidential company information to a competitor. Anyone with access to a computer can commit these crimes.
Embezzlement is a common computer crime, particularly in small firms. Typically, the owner is busy and trusts one person, such as the office manager, to handle daily transactions. When the office manager leaves, the owner discovers some clients were overbilled, others weren't billed at all, some payments weren't credited, or false accounts exist. Rebuilding the paper and electronic trail can be tedious. Collecting enough evidence to press charges might be beyond the owner's capabilities.
Corporate sabotage is most often committed by a disgruntled employee. For example, an employee decides to take a job at a competitor's firm and collects confidential files on a disk or USB drive before leaving. This type of crime can also lead to industrial espionage, which increases every year.
Investigators will soon be able to conduct digital investigations on site without a lab and without interrupting employees' work on a computer. Suppose an assisted-care facility has an employee involved in an insurance scam who is overcharging the insurance company and then funneling the monies into his or her own bank account. The facility's network server keeps track of patient billing and critical information, such as medication, medical conditions, and treatments, for each patient. Taking that system offline for more than a short time could result in harm to patients. For this reason, investigators can't seize the evidence; instead, they acquire a disk image and any other pertinent information and allow the system to go back online as quickly as possible.
Organizations can help prevent and address these crimes by creating and distributing appropriate policies, making employees aware of policies, and enforcing policies.
Establishing Company Policies
One way that businesses can reduce the risk of litigation is to publish and maintain policies that employees find easy to read and follow. The most important policies are those that set rules for using the company's computers and networks. Published company policies provide a line of authority for a business to conduct internal investigations. The line of authority states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
Well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation. Policies also demonstrate that an organization intends to be fair-minded and objective about how it treats employees and state that the organization will follow due process for all investigations. (Due process refers to fairness under the law and is meant to protect the innocent.) Without defined policies, a business risks exposing itself to litigation from current or former employees. The person or committee in charge of maintaining corporate policies must also stay current with local laws, which can vary depending on the city, state, and country.
Displaying Warning Banners
Another way a private or public organization can avoid litigation is to display a warning banner on computer screens. A warning banner usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. (An end user is a person using a computer to perform routine tasks other than system administration.) If this right isn't stated explicitly, employees might have an assumed right of privacy when using a company's computer systems and network accesses. With an assumed right of privacy, employees think their transmissions at work are protected in much the same way that mail sent via the U.S. Postal Service is protected. Figure 1-9 shows a sample warning banner.
A warning banner establishes the right to conduct an investigation. By displaying a strong, well-worded warning banner, an organization owning computer equipment doesn't need to obtain a search warrant or court order as required under Fourth Amendment search and seizure rules to seize the equipment. In a company with a well-defined policy, this right to inspect or search at will applies to both criminal activity and company policy violations. Keep in mind, however, that your country's laws might differ. For example, in some countries, even though the company has the right to seize computers at any time, if employees are suspected of a criminal act, they must be informed at that time.
Figure 1-9 A sample warning banner
Computer system users can include employees or guests. Employees can access the intranet, and guests can typically access only the main network. Companies can use two types of warning banners: one for internal employee access (intranet Web page access) and another for external visitor access (Internet Web page access). The following list recommends phrases to include in all warning banners. Before using these warnings, consult with the organization's legal department for other required legal notices for your work area or department.
Depending on the type of organization, the following text can be used in internal warning banners:
Access to this system and network is restricted.
Use of this system and network is for official business only.
Systems and networks are subject to monitoring at any time by the owner.
Using this system implies consent to monitoring by the owner.
Unauthorized or illegal users of this system or network will be subject to discipline or prosecution.
The DOJ document at www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm has several examples of warning banners.
An organization such as a community college might simply state that systems and networks are subject to observation and monitoring at any time because members of the local community who aren't staff or students might use the facilities. A for-profit organization, on the other hand, could have proprietary information on its network and use all the phrases suggested in the preceding list.
Guests, such as employees of business partners, might be allowed to use the system. The text that's displayed when a guest attempts to log on can include warnings similar to the following:
This system is the property of Company X.
This system is for authorized use only; unauthorized access is a violation of law and violators will be prosecuted.
All activity, software, network traffic, and communications are subject to monitoring.
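Deploying one of these banners on a Linux host, as an added example that is not from the book: the script below writes the internal-banner phrases listed above to a banner file, points OpenSSH at it with the standard Banner directive in sshd_config, and then audits that every recommended phrase is present and that sshd actually references the file. The file paths are parameters so the demonstration runs against a scratch copy; on a real host the targets would be /etc/issue.net and /etc/ssh/sshd_config, followed by a reload of sshd.

```shell
#!/bin/sh
# Added example (not from the textbook): install a logon warning banner built
# from the chapter's recommended internal-banner phrases, wire it into OpenSSH,
# and audit the result. Paths are parameters so this can run against a scratch
# copy; on a live host use /etc/issue.net and /etc/ssh/sshd_config.

# Write the banner text to the file named by $1.
# (Constructed from the phrases recommended above; have legal review it.)
write_banner() {
    cat > "$1" <<'EOF'
*** WARNING ***
Access to this system and network is restricted.
Use of this system and network is for official business only.
Systems and networks are subject to monitoring at any time by the owner.
Using this system implies consent to monitoring by the owner.
Unauthorized or illegal users of this system or network will be subject to discipline or prosecution.
EOF
}

# Make sshd display the banner file $2 by editing the config file $1.
# A stock sshd_config ships with "#Banner none"; that line (or any existing
# Banner line) is replaced, otherwise a Banner directive is appended.
# Running this twice leaves exactly one Banner line.
configure_sshd_banner() {
    cfg="$1"; banner="$2"
    if grep -Eq '^[#[:space:]]*Banner[[:space:]]' "$cfg"; then
        sed -i.bak -E "s|^[#[:space:]]*Banner[[:space:]].*|Banner $banner|" "$cfg"
        rm -f "$cfg.bak"
    else
        printf 'Banner %s\n' "$banner" >> "$cfg"
    fi
}

# Audit: succeed (return 0) only if the banner file carries every recommended
# phrase and sshd is configured to show that exact file. Each defect is
# reported on stderr so the check can be dropped into a compliance script.
audit_banner() {
    banner="$1"; cfg="$2"; rc=0
    if [ ! -r "$banner" ]; then
        echo "banner file not readable: $banner" >&2
        return 1
    fi
    for phrase in "is restricted" "official business only" \
                  "subject to monitoring" "implies consent" \
                  "subject to discipline"; do
        if ! grep -Fqi -- "$phrase" "$banner"; then
            echo "banner lacks required phrase: $phrase" >&2
            rc=1
        fi
    done
    # An uncommented Banner directive must name this file; "#Banner none" does not count.
    if ! grep -Eq "^[[:space:]]*Banner[[:space:]]+$banner[[:space:]]*$" "$cfg"; then
        echo "$cfg does not contain an active 'Banner $banner' directive" >&2
        rc=1
    fi
    return $rc
}

# Demonstration against a scratch directory, never the live configuration.
WORK=$(mktemp -d)
printf '#Banner none\nPermitRootLogin no\n' > "$WORK/sshd_config"  # constructed sample config
write_banner "$WORK/issue.net"
configure_sshd_banner "$WORK/sshd_config" "$WORK/issue.net"
if audit_banner "$WORK/issue.net" "$WORK/sshd_config"; then
    echo "warning banner deployed and verified under $WORK"
fi
```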
As a corporate computer investigator, make sure a company displays a well-defined warning banner. Without a banner, your authority to inspect might conflict with the user's expectation of privacy, and a court might have to determine the issue of authority to inspect. State laws vary on the expectation of privacy, but all states accept the concept of a waiver of the expectation of privacy. Additionally, the EU and its member nations impose strict fines for information that crosses national boundaries without the person's consent. So if your company is conducting an investigation in a subsidiary in the EU, you might not be able to acquire a network drive without notifying certain parties or making sure consent forms are in place.
Some might argue that written policies are all that are necessary. However, in the actual prosecution of cases, warning banners have been critical in determining that a system user didn't have an expectation of privacy for information stored on the system. A warning banner has the additional advantage of being easier to present in trial as an exhibit than a policy manual. Government agencies, such as the Department of Energy, Argonne National Labs, and Lawrence Livermore Labs, now require warning banners on all computer terminals on their systems. Many corporations also require warning banners as part of the logon/startup process.
Designating an Authorized Requester
As mentioned, investigations must establish a line of authority. In addition to using warning banners that state a company's rights of computer ownership, businesses are advised to specify an authorized requester who has the power to conduct investigations. Executive management should define this policy to avoid conflicts from competing interests between organizations or departments. In large organizations, competition for funding or management support can become so fierce that people sometimes create false allegations of misconduct to prevent a competing department from delivering a proposal for the same source of funds.
To avoid trivial or inappropriate investigations, executive management must also define and
limit who is authorized to request a computer investigation and forensic analysis. Generally,
the fewer groups with authority to request a computer investigation, the better. Examples of
groups with authority to request computer investigations in a corporate environment include
the following:
Corporate security investigations
Corporate ethics office
Corporate equal employment opportunity office
Internal auditing
The general counsel or legal department
All other groups, such as the Human Resources Department, should coordinate their requests
through the corporate security investigations group. This policy separates the investigative
process from the process of employee discipline.
Conducting Security Investigations
Conducting a computer investigation in the private sector is not much different from conducting one in the public sector. During public investigations, you search for evidence to support criminal allegations. During private investigations, you search for evidence to support allegations of abuse of a company's assets and, in some cases, criminal complaints. Three types of situations are common in corporate environments:
Abuse or misuse of computing assets
E-mail abuse
Internet abuse
Most computer investigations in the private sector involve misuse of computing assets. Typically, this misuse is referred to as "employee violation of company rules." Computing abuse complaints often center on e-mail and Internet misuse by employees but could involve other computing resources, such as using company software to produce a product for personal profit. The scope of an e-mail investigation ranges from excessive use of a company's e-mail system for personal use to making threats or harassing others via e-mail. Some common e-mail abuses involve transmitting offensive messages. These types of messages can create a hostile work environment that can result in an employee filing a civil lawsuit against a company that does nothing to prevent it (in other words, implicitly condones the e-mail abuse).
Computer investigators also examine Internet abuse. Employees' abuse of Internet privileges ranges from excessive use, such as spending all day Web surfing, to viewing pornographic pictures on the Web while at work. An extreme instance of Internet abuse is viewing contraband (illegal) pornographic images, such as child pornography. Viewing contraband images is a criminal act in most jurisdictions, and computer investigators must handle this situation with the highest level of professionalism. By enforcing policy consistently, a company minimizes its liability exposure. The role of a computer forensics examiner is to give management complete and accurate information so that they can verify and correct abuse problems in an organization. (In later chapters, you learn the procedures for conducting these types of investigations.)
Be sure to distinguish between a company's abuse problems and potential criminal violations. Abuse problems violate company policy but might not be illegal if performed at home. Criminal violations involve acts such as industrial espionage, embezzlement, and murder. However, actions that seem related to internal abuse could also have criminal or civil liability. Because any civil investigation can become a criminal investigation, you must treat all evidence you collect with the highest level of security and accountability. Later in this book, you learn the Federal Rules of Evidence (processes to ensure the chain of custody) and how to apply them to computing investigations.
Similarly, your private corporate investigation might seem to involve a civil, noncriminal matter, but as you progress through your analysis, you might identify a criminal matter, too. Because of this possibility, always remember that your work can come under the scrutiny of the civil or criminal legal system. The Federal Rules of Evidence are the same for civil and criminal matters. By applying the rules to all investigations uniformly, you eliminate any concerns. These standards are emphasized throughout this book.
Corporations can apply a principle similar to the silver-platter doctrine (no longer in effect between state law enforcement and the federal government) when a civilian or corporate investigative agent delivers evidence to a law enforcement officer. Remember that a police officer is a law enforcement agent. A corporate investigator's job is to minimize risk to the company. After you turn over evidence to law enforcement and begin working under their direction, you become an agent of law enforcement, subject to the same restrictions on search and seizure as a law enforcement agent. However, an agent of law enforcement can't ask you, as a private citizen, to obtain evidence that requires a warrant. The rules controlling the use of evidence collected by private citizens vary by jurisdiction, so check the law if you're investigating a case outside the United States.
Litigation is costly, so after you have assembled evidence, offending employees are usually disciplined or terminated with a minimum of fanfare. However, when you discover that a criminal act involving a third-party victim has been committed, generally you have a legal and moral obligation to turn the information over to law enforcement. In the next section, you learn about situations in which criminal evidence must be separated from any corporate proprietary information.
Distinguishing Personal and Company Property
Many company policies distinguish between personal and company computer property; however, making this distinction can be difficult with PDAs, cell phones, and personal notebook computers. For example, an employee has purchased a PDA and connects the device to his or her company computer. As the employee synchronizes information on the PDA with information in the company computer's copy of Microsoft Outlook, he or she copies some data in the PDA to the company network. During the synchronization, data on the company computer or network might be placed on the PDA, too. In this case, at least one question is "Does the information on the PDA belong to the company or the employee?"
Now suppose the company gave the employee the PDA as part of a holiday bonus. Can the company claim rights to the PDA? Similar issues come up when an employee brings in a personal notebook computer and connects it to the company network. What rules apply? As computers become more entrenched in daily life, you'll encounter these issues more often. These questions are still being debated, and companies are establishing their own policies to handle them. The safe policy is to not allow any personally owned devices to be connected to company-owned resources, thereby limiting the possibility of commingling personal and company data. This policy can be counterproductive; however, the risks should be identified and addressed in company policies. Other companies simply state that if you connect a personal device to the corporate network, it falls under the same rules as corporate property. At the time of this writing, this policy has yet to be tested in court.
Maintaining Professional Conduct
Your professional conduct as a computer investigation and forensics analyst is critical because it determines your credibility. Professional conduct, discussed in more detail in Chapters 15 and 16, includes ethics, morals, and standards of behavior. As a professional, you must exhibit the highest level of ethical behavior at all times. To do so, you must maintain objectivity and confidentiality during an investigation, expand your technical knowledge continuously, and conduct yourself with integrity. On any current crime drama, you can see how attorneys attack the character of witnesses, so your character and especially your reputation for honesty should be beyond reproach.
Maintaining objectivity means you must form and sustain unbiased opinions of your cases. Avoid making conclusions about your findings until you have exhausted all reasonable leads and considered the available facts. Your ultimate responsibility is to find digital evidence to support or refute the allegation. You must ignore external biases to maintain the integrity of your fact-finding in all investigations. For example, if you're employed by an attorney, do not allow the attorney's agenda to dictate the outcome of your investigation. Your reputation and long-term livelihood depend on being objective in all matters.
You must also maintain an investigation's credibility by keeping the case confidential. Discuss the case only with people who need to know about it, such as other investigators involved in the case or someone in the line of authority asking for an update. If you need advice from other professionals, discuss only the general terms and facts about the case without mentioning specifics. All investigations you conduct must be kept confidential, until you're designated as a witness or required by the attorney or court to release a report.
In the corporate environment, confidentiality is critical, especially when dealing with employees who have been terminated. The agreement between the company and the employee might have been to represent the termination as a layoff or resignation in exchange for no bad references. If you give case details and the employee's name to others, your company could be liable for breach of contract.
In some instances, your corporate case might become a criminal case as serious as murder. Because of the legal system, it could be years before the case goes to trial. If an investigator talks about the digital evidence with others, the case could be damaged because of pretrial publicity. When working for an attorney on an investigation, the attorney-work-product rule and attorney-client privilege apply to all communication. This means you can discuss the case only with the attorney or other members of the team working with the attorney. All communication about the case to other people requires the attorney's approval.
In addition to maintaining objectivity and confidentiality, you can enhance your professional
conduct by continuing your training. The field of computer investigations and forensics is
changing constantly. You should stay current with the latest technical changes in computer
hardware and software, networking, and forensic tools. You should also learn about the latest
investigation techniques you can use in your cases.
One way to enrich your knowledge of computer investigations is to record your fact-finding
methods in a journal. A journal can help you remember how to perform tasks and procedures
and use hardware and software tools. Be sure to include dates and important details that serve
as memory triggers. Develop a routine of reviewing your journal regularly to keep your past
achievements fresh in your mind.
To continue your professional training, you should attend workshops, conferences, and vendor courses. You might also need to continue your formal education. You enhance your professional standing if you have at least an undergraduate degree in computing or a related field. If you don't have an advanced degree, consider graduate-level studies in a complementary area of study, such as business law or e-commerce. Several colleges and universities now offer associate's, bachelor's, and master's degrees and certificate programs in computer forensics. Many companies are willing to reimburse your education costs, although some require commitment to a certain term of employment in exchange.
In addition to education and training, membership in professional organizations adds to your credentials. These organizations often sponsor training and offer information exchanges of the latest technical improvements and trends in computer investigations. Also, keep up to date with the most recent books and read as much as possible about computer investigations and forensics.
As a computer investigation and forensics professional, you're expected to maintain honesty and integrity. You must conduct yourself with the highest levels of integrity in all aspects of your life. Any indiscreet actions can embarrass you and give opposing attorneys opportunities to discredit you during your testimony in court or in depositions.
Chapter Summary
Computer forensics applies forensics procedures to digital evidence. This process involves systematically accumulating and analyzing digital information for use as evidence in civil, criminal, or administrative cases. Computer forensics differs from network forensics, data recovery, and disaster recovery in scope, technique, and objective.
Laws relating to digital evidence were established in the 1970s.
To be a successful computer forensics investigator, you must be familiar with more
than one computing platform. To supplement your knowledge, develop and maintain
contact with computer, network, and investigative professionals.
Public and private computer investigations differ, in that public investigations typically require a search warrant before seizing digital evidence. The Fourth Amendment to the U.S. Constitution and similar legislation in other countries apply to governmental search and seizure. During public investigations, you search for evidence to support criminal allegations. During private investigations, you search for evidence to support allegations of abuse of assets and, in some cases, criminal complaints.
Warning banners should be used to remind employees and visitors of company policy
on computer, e-mail, and Internet use.
Companies should define and limit the number of authorized requesters who can start
an investigation.
Computer forensics investigators must maintain professional conduct to protect their
credibility.
Key Terms
affidavit The document, given under penalty of perjury, that investigators create to detail
their findings. This document is often used to justify issuing a warrant or to deal with abuse
in a corporation.
allegation A charge made against someone or something before proof has been found.
authorized requester In a corporate environment, the person who has the right to request
an investigation, such as the chief security officer or chief intelligence officer.
computer forensics The process of applying scientific methods to collect and analyze data
and information that can be used as evidence.
computer investigations Conducting forensic analysis of systems suspected of containing
evidence related to an incident or a crime.
Computer Technology Investigators Network (CTIN) A nonprofit group based in Seattle
Tacoma, WA, composed of law enforcement members, private corporation security
professionals, and other security professionals whose aim is to improve the quality of
high-technology investigations in the Pacific Northwest.
criminal case A case in which criminal law must be applied.
criminal law Statutes applicable to a jurisdiction that state offenses against the peace and
dignity of the jurisdiction and the elements that define these offenses.
data recovery A specialty field in which companies retrieve files that were deleted
accidentally or purposefully.
disaster recovery A specialty field in which companies perform real-time backups,
monitoring, data recovery, and hot site operations.
enterprise network environment A large corporate computing system that can include
formerly independent systems.
exculpatory Evidence that indicates the suspect is innocent of the crime.
exhibits Evidence used in court to prove a case.
Fourth Amendment The Fourth Amendment to the U.S. Constitution in the Bill of Rights
dictates that the government and its agents must have probable cause for search and seizure.
High Technology Crime Investigation Association (HTCIA) A nonprofit association for
solving international computer crimes.
hostile work environment An environment in which employees cannot perform their
assigned duties because of the actions of others. In the workplace, these actions include
sending threatening or demeaning e-mail or a co-worker viewing pornographic or hate sites.
inculpatory Evidence that indicates a suspect is guilty of the crime with which he or she is
charged.
industrial espionage Selling sensitive or proprietary company information to a competitor.
International Association of Computer Investigative Specialists (IACIS) An organization
created to provide training and software for law enforcement in the computer forensics field.
line of authority The order in which people or positions are notified of a problem; these
people or positions have the legal right to initiate an investigation, take possession of
evidence, and have access to evidence.
litigation The legal process leading to a trial with the purpose of proving criminal or civil
liability.
network intrusion detection and incident response Detecting attacks from intruders
by using automated tools; also includes the manual process of monitoring network
firewall logs.
notarized Having a document witnessed and a person clearly identified as the signer by a
notary public.
police blotter A log of criminal activity that law enforcement personnel can use to review
the types of crimes currently being committed.
professional conduct Behavior expected of an employee in the workplace or other
professional setting.
right of privacy The belief employees have that their transmissions at work are protected.
search and seizure The legal act of acquiring evidence for an investigation. See also Fourth
Amendment.
search warrants Legal documents that allow law enforcement to search an office, a place
of business, or other locale for evidence related to an alleged crime.
silver-platter doctrine A policy no longer in effect that allowed a state law enforcement
officer to pass illegally obtained evidence to the federal government and allowed federal
prosecution to use that evidence.
verdict The decision returned by a jury.
vulnerability assessment and risk management The group that determines the weakest
points in a system. It covers physical security and the security of OSs and applications.
warning banner Text displayed on computer screens when people log on to a company
computer; this text states ownership of the computer and specifies appropriate use of the
machine or Internet access.
Review Questions
1. List two organizations mentioned in the chapter that provide computer forensics
training.
2. Computer forensics and data recovery refer to the same activities. True or False?
3. Police in the United States must use procedures that adhere to which of the following?
a. Third Amendment
b. Fourth Amendment
c. First Amendment
d. None of the above
4. The triad of computing security includes which of the following?
a. Detection, response, and monitoring
b. Vulnerability assessment, detection, and monitoring
c. Vulnerability assessment, intrusion response, and investigation
d. Vulnerability assessment, intrusion response, and monitoring
5. List three common types of digital crime.
6. A corporate investigator must follow Fourth Amendment standards when conducting
an investigation. True or False?
7. What is the purpose of maintaining a network of computer forensics specialists?
8. Policies can address rules for which of the following?
a. When you can log on to a company network from home
b. The Internet sites you can or cannot access
c. The amount of personal e-mail you can send
d. Any of the above
9. List two items that should appear on an internal warning banner.
10. Warning banners are often easier to present in court than policy manuals are. True or
False?
11. Under normal circumstances, a corporate investigator is considered an agent of law
enforcement. True or False?
12. List two types of computer investigations typically conducted in the corporate
environment.
13. What is professional conduct and why is it important?
14. What is the purpose of maintaining a professional journal?
15. Laws and procedures for PDAs are which of the following?
a. Well established
b. Still being debated
c. On the law books
d. None of the above
16. Why should companies appoint an authorized requester for computer investigations?
17. What is the purpose of an affidavit?
18. What are the necessary components of a search warrant?
Hands-On Projects
Hands-On Project 1-1
Use a Web search engine, such as Google or Yahoo!, and search for companies specializing in computer forensics. Select three and write a two- to three-page paper comparing what each company does.
Hands-On Project 1-2
Research criminal law related to computer crime in a jurisdiction (the one where
you live) that controls criminal law. If laws exist, list the source and how long
they have been in existence. Identify cases that have been tried using these laws.
Hands-On Project 1-3
Start your own list of professional contacts in your area who do forensic analysis. Where would you begin to find these people? How can you verify that they're legitimate? How should you approach them?
Hands-On Project 1-4
Compare Article 8 of the Charter of Rights of Canada or any country of your choice to the U.S. Fourth Amendment. How do they differ? How are they similar? Use sources such as the U.S. Department of Justice Web site to justify your conclusions in a paper at least two pages long.
Hands-On Project 1-5
Search the Internet for articles on computer crime prosecutions. Find at least two. Write one to two pages summarizing the two articles and identify key features of the decisions you find in your search.
Hands-On Project 1-6
Is there a high-tech criminal investigation unit in or near your community? If so, who are the participants? E-mail the person in charge and let him or her know you are taking a course in computer forensics. Ask what the unit's policies and procedures are, and then write one to two pages summarizing your findings.
Hands-On Project 1-7
Start building a professional journal for yourself. Find at least two electronic mailing lists you can join and three Web sites and read them on a regular basis. The electronic mailing lists should contain areas for OSs, software and hardware listings, people contacted or worked with, user groups, other electronic mailing lists, and the results of any research you have done thus far.
Hands-On Project 1-8
Examine and summarize your community, state, or country's rules for search and seizure of criminal evidence. What concerns do you have after reading them?
Case Projects
Case Project 1-1
A lawyer in a law firm is suspected of embezzling money from a trust account.
Who should conduct the investigation? If evidence is found to support the
claim, what should be done? Write at least two pages explaining the steps to
take, who is involved, and what items must be considered.
Case Project 1-2
A private corporation suspects an employee is using password-cracking tools to gain access to other accounts. The accounts include employees in the Payroll and Human Resources departments. Write a two- to three-page paper outlining what steps to take, who should be involved, and what should be considered.
Case Project 1-3
An employee is suspected of operating his llama business with a company computer. It's been alleged that he's tracking the sales price of the wool and the cost of feed and upkeep on spreadsheets. What should the employer do? Write at least two pages explaining the tasks an investigator should perform.
Chapter 2
Understanding Computer Investigations
After reading this chapter and completing the exercises, you will be able to:
Explain how to prepare a computer investigation
Apply a systematic approach to an investigation
Describe procedures for corporate high-tech investigations
Explain requirements for data recovery workstations and software
Describe how to conduct an investigation
Explain how to complete and critique a case
This chapter gives you an overview of how to manage a computing investigation. You learn about the problems and challenges forensic examiners face when preparing and processing investigations, including the ideas and questions they must consider. This chapter introduces ProDiscover Basic, a GUI computer forensics tool. Throughout this chapter, you learn details about how other computer forensics tools are used in an investigation, too. You also explore standard problem-solving techniques.
As a basic computer user, you can solve most software problems by working with a GUI tool.
A forensics professional, however, needs to interact with primary levels of the OS that are
more fundamental than what can be accessed with GUI. Some computer forensics software
tools involve working at the command line, and you should learn how to use these tools
because in some cases, the command line is your only option. Appendix D includes examples
of how to use DOS forensics tools.
In this chapter, you work with forensic disk images from small USB drives to perform the
activities and projects in this chapter. After you know how to search for and find data on a
small storage device, you can apply the same techniques to a large disk.
Preparing a Computer Investigation
Your role as a computer forensics professional is to gather evidence from a suspect's computer and determine whether the suspect committed a crime or violated a company policy. If the evidence suggests that a crime or policy violation has been committed, you begin to prepare a case, which is a collection of evidence you can offer in court or at a corporate inquiry. This process involves investigating the suspect's computer and then preserving the evidence on a different computer. Before you begin investigating, however, you must follow an accepted procedure to prepare a case. By approaching each case methodically, you can evaluate the evidence thoroughly and document the chain of evidence, or chain of custody, which is the route the evidence takes from the time you find it until the case is closed or goes to court.
The following sections present two sample cases: one involving a computer crime and another involving a company policy violation. Each example describes the typical steps of a forensics investigation, including gathering evidence, preparing a case, and preserving the evidence.
An Overview of a Computer Crime
Law enforcement officers often find computers and computer components as they're investigating crimes, gathering other evidence, or making arrests. Computers can contain information that helps law enforcement officers determine the chain of events leading to a crime or information providing evidence that's more likely to lead to a conviction. As an example of a case in which computers were involved in a crime, the police raided a suspected drug dealer's home and found a computer, several floppy disks and USB drives (also called keychain drives or memory sticks), a personal digital assistant (PDA), and a cell phone in a bedroom (see Figure 2-1). The computer was "bagged and tagged," meaning it was placed in evidence bags along with the storage media and then labeled with tags as part of the search and seizure.
The lead detective on the case wants you to examine the computer to find and organize data that could be evidence of a crime, such as files containing names of the drug dealer's contacts. The acquisitions officer gives you documentation of items the investigating officers collected with the computer, including a list of other storage media, such as removable disks and CDs. The acquisitions officer also notes that the computer is a Windows XP system, and the machine was running when it was discovered. Before shutting down the computer, the acquisitions officer photographs all open windows on the Windows desktop, including one showing Windows Explorer, and gives you the photos. (Before shutting down the computer, a live acquisition should be done to capture RAM, too. This procedure is discussed in Chapter 11.)
As a computer forensics investigator, you're grateful the officers followed proper procedure when acquiring the evidence. With digital evidence, it's important to realize how easily key data, such as the last access date, can be altered by an overeager investigator who's first on the scene. The U.S. Department of Justice (DOJ) has a document you can download that reviews proper acquisition of electronic evidence, including the search and seizure of computers (www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm). If this link has changed because of site updates, use the search feature.
In your preliminary assessment, you assume that the hard disk and storage media include
intact files, such as e-mail messages, deleted files, and hidden files. A range of software is
available for use in your investigation; your office uses the tool Technology Pathways
ProDiscover.
This chapter introduces you to the principles applied to computer
forensics. In Chapter 7, you learn the strengths and weaknesses of
several software packages.
Figure 2-1 The crime scene
Because some cases involve computers running legacy OSs, older versions of tools often need to be used in forensics investigations. For example, Norton DiskEdit is an older tool that was last available on the Norton System Works 2000 CD.
After your preliminary assessment, you identify the potential challenges in this case. Because drug dealers don't usually make information about their accomplices available, the files on the disks you received are probably password protected. You might need to acquire password-cracking software or find an expert who can help you decrypt a file.
Later, you perform the steps needed to investigate the case, including how to address risks
and obstacles. Then you can begin the actual investigation and data retrieval.
An Overview of a Company Policy Violation
Companies often establish policies for employee use of computers. Employees surfing the Internet, sending personal e-mail, or using company computers for personal tasks during work hours can waste company time. Because lost time can cost companies millions of dollars, computer forensics specialists are often used to investigate policy violations. The following example describes a company policy violation.
Manager Steve Billings has been receiving complaints from customers about the job performance of one of his sales representatives, George Montgomery. George has worked as a representative for several years. He's been absent from work for two days but hasn't called in sick or told anyone why he wouldn't be at work. Another employee, Martha, is also missing and hasn't informed anyone of the reason for her absence. Steve asks the IT Department to confiscate George's hard drive and all storage media in his work area. He wants to know whether there's any information on George's computer and storage media that might offer a clue to George's whereabouts and job performance concerns. To help determine George and Martha's whereabouts, you must take a systematic approach, described in the following section, to examining and analyzing the data found on George's desk.
Taking a Systematic Approach
When preparing a case, you can apply standard systems analysis steps, explained in the following list, to problem solving. Later in this chapter, you apply these steps to cases.
Make an initial assessment about the type of case you're investigating: To assess the type of case you're handling, talk to others involved in the case and ask questions about the incident. Have law enforcement or company security officers already seized the computer, disks, and other components? Do you need to visit an office or another location? Was the computer used to commit a crime, or does it contain evidence about another crime?
Determine a preliminary design or approach to the case: Outline the general steps you need to follow to investigate the case. If the suspect is an employee and you need to acquire his or her system, determine whether you can seize the computer during work hours or have to wait until evening or weekend hours. If you're preparing a criminal case, determine what information law enforcement officers have already gathered.
Create a detailed checklist: Refine the general outline by creating a detailed checklist of steps and an estimated amount of time for each step. This outline helps you stay on track during the investigation.
Determine the resources you need: Based on the OS of the computer you're investigating, list the software you plan to use for the investigation, noting any other software or tools you might need.
Obtain and copy an evidence drive: In some cases, you might be seizing multiple computers along with Zip disks, Jaz drives, CDs, USB drives, PDAs, and other removable media. (For the examples in this chapter, you're using only USB drives.) Make a forensic copy of the disk.
Identify the risks: List the problems you normally expect in the type of case you're handling. This list is known as a standard risk assessment. For example, if the suspect seems knowledgeable about computers, he or she might have set up a logon scheme that shuts down the computer or overwrites data on the hard disk when someone tries to change the logon password.
Mitigate or minimize the risks: Identify how you can minimize the risks. For example, if you're working with a computer on which the suspect has likely password-protected the hard drive, you can make multiple copies of the original media before starting. Then if you destroy a copy during the process of retrieving information from the disk, you have additional copies.
Test the design: Review the decisions you've made and the steps you've completed. If you have already copied the original media, a standard part of testing the design involves comparing hash values (discussed in Chapters 4 and 5) to ensure that you copied the original media correctly.
Analyze and recover the digital evidence: Using the software tools and other resources you've gathered, and making sure you've addressed any risks and obstacles, examine the disk to find digital evidence.
Investigate the data you recover: View the information recovered from the disk, including existing files, deleted files, and e-mail, and organize the files to help prove the suspect's guilt or innocence.
Complete the case report: Write a complete report detailing what you did and what you found.
Critique the case: Self-evaluation is an essential part of professional growth. After you complete a case, review it to identify successful decisions and actions and determine how you could have improved your performance.
The amount of time and effort you put into each step varies, depending on the nature of the investigation. For example, in most cases, you need to create a simple investigation plan so that you don't overlook any steps. However, if a case involves many computers with complex issues to identify and examine, a detailed plan with periodic review and updates is essential. A systematic approach helps you discover the information you need for your case, and you should gather as much information as possible.
For all computing investigations, you must be prepared for the unexpected, so you should always have a contingency plan for the investigation. A contingency plan can consist of anything to help you complete the investigation, from alternative software and hardware tools to other methods of approaching the investigation.
Assessing the Case
As mentioned, identifying case requirements involves determining the type of case you're investigating. Doing so means you should outline the case details systematically, including the nature of the case, the type of evidence available, and the location of the evidence.
In the company-policy violation case, you have been asked to investigate George Montgomery. Steve Billings had the IT Department confiscate all of George's storage media that might contain information about his whereabouts. After talking to George's co-workers, Steve learned that George has been conducting a personal business on the side using company computers. Therefore, the focus of the case has changed from a missing person to a possible employee abuse of corporate resources. You can begin assessing this case as follows:
Situation: Employee abuse case.
Nature of the case: Side business conducted on the employer's computer.
Specifics of the case: The employee is reportedly conducting a side business on his employer's computer that involves registering domain names for clients and setting up their Web sites at local ISPs. Co-workers have complained that he's been spending too much time on his own business and not performing his assigned work duties. Company policy states that all company-owned computing assets are subject to inspection by company management at any time. Employees have no expectation of privacy when operating company computer systems.
Type of evidence: Small-capacity USB drive.
Operating system: Microsoft Windows XP.
Known disk format: FAT16.
Location of evidence: One USB drive recovered from the employee's assigned computer.
Based on these details, you can determine the case requirements. You now know that the nature of the case involves employee abuse of company assets, and you're looking for evidence that an employee was conducting a side business using his employer's computers. On the USB drive retrieved from George's computer, you're looking for any information related to Web sites, ISPs, or domain names. You know that the computer OS is Windows XP, and the USB drive uses the FAT16 file system. To duplicate the USB drive and find deleted and hidden files, you need a reliable computer forensics tool. Because the USB drive has already been retrieved, you don't need to seize the drive yourself.
You call this case the Domain Name case and determine that your task is to gather data from the storage media seized to confirm or deny the allegation that George is conducting a side business on company time and computers. Remember that he's suspected only of asset abuse, and the evidence you obtain might be exculpatory, meaning it could prove his innocence. You must always maintain an unbiased perspective and be objective in your fact-findings. If you are systematic and thorough, you're more likely to produce consistently reliable results.
32 Chapter 2
Planning Your Investigation
Now that you have identified the requirements of the Domain Name case, you can plan your
investigation. You have already determined the kind of evidence you need; now you can
identify the specific steps to gather the evidence, establish a chain of custody, and perform
the forensic analysis. These steps become the basic plan for your investigation and indicate
what you should do and when. To investigate the Domain Name case, you should perform
the following general steps. Most of these steps are explained in more detail in the following
sections.
1. Acquire the USB drive from George's manager.
2. Complete an evidence form and establish a chain of custody.
3. Transport the evidence to your computer forensics lab.
4. Place the evidence in an approved secure container.
5. Prepare your forensic workstation.
6. Retrieve the evidence from the secure container.
7. Make a forensic copy of the evidence drive (in this case, the USB drive).
8. Return the evidence drive to the secure container.
9. Process the copied evidence drive with your computer forensics tools.
The approved secure container you need in Step 4 should be a
locked, fireproof locker or cabinet that has limited access. Limited
access means that only you and other authorized personnel can
open the evidence container.
The first rule for all investigations is to preserve the evidence, which means it should not be tampered with or contaminated. Because the IT Department staff confiscated the storage media, you need to go to them for the evidence. The IT Department manager confirms that the storage media has been locked in a secure cabinet since it was retrieved from George's desk. Keep in mind that even though this case is a corporate policy matter, many cases are thrown out because the chain of custody can't be proved or has been broken. When this happens, there's the possibility that the evidence has been compromised.
To document the evidence, you record details about the media, including who recovered the
evidence and when and who possessed it and when. Use an evidence custody form, also
called a chain-of-evidence form, which helps you document what has and has not been done
with the original evidence and forensic copies of the evidence.
Depending on whether you're working in law enforcement or private corporate security, you can create an evidence custody form to fit your environment. This form should be easy to read and use. It can contain information for one or several pieces of evidence. Consider creating a single-evidence form (which lists each piece of evidence on a separate page) and a multi-evidence form (see Figure 2-2), depending on the administrative needs of your investigation.
If necessary, document how to use your evidence custody form. Clear instructions help users remain consistent when completing the form and ensure that everyone uses the same definitions for collected items. Standardization helps maintain consistent quality for all investigations and prevents confusion and mistakes about the evidence you collect.
An evidence custody form usually contains the following information:
Case number: The number your organization assigns when an investigation is initiated.
Investigating organization: The name of your organization. In large corporations with global facilities, several organizations might be conducting investigations in different geographic areas.
Investigator: The name of the investigator assigned to the case. If many investigators are assigned, specify the lead investigator's name.
Nature of case: A short description of the case. For example, in the corporate environment, it might be "Data recovery for corporate litigation" or "Employee policy violation case."
Location evidence was obtained: The exact location where the evidence was collected. If you're using multi-evidence forms, a new form should be created for each location.
Description of evidence: A list of the evidence items, such as "hard drive, 20 GB" or "one USB drive, 128 MB." On a multi-evidence form, write a description for each item of evidence you acquire.
Vendor name: The name of the manufacturer of the computer evidence. List a 20 GB hard drive, for example, as a Maxtor 20 GB hard drive, or describe a USB drive as an Attache 1 GB PNY Technologies drive. In later chapters, you see how differences among manufacturers can affect data recovery.
Model number or serial number: List the model number or serial number (if available) of the computer component. Many computer components, such as memory modules and expansion slot cards, have model numbers but no serial number; hard drives usually carry both, and the serial number is the better identifier because it is unique to that unit.
Evidence recovered by: The name of the investigator who recovered the evidence. The chain of custody for evidence starts with this information. If you insert your name, for example, you're declaring that you have taken control of the evidence. It's now your responsibility to ensure that nothing damages the evidence and no one tampers with it. The person placing his or her name on this line is responsible for preserving, transporting, and securing the evidence.
Date and time: The date and time the evidence was taken into custody. This information establishes exactly when the chain of custody starts.
Evidence placed in locker: Specifies which approved secure container is used to store evidence and when the evidence was placed in the container.
Item #/Evidence processed by/Disposition of evidence/Date/Time: When you or another authorized investigator retrieves evidence from the evidence locker for processing and analysis, list the item number and your name, and then describe what was done to the evidence.
Page: The forms used to catalog all evidence for each location should have page numbers. List the page number, and indicate the total number of pages for this group of evidence. For example, if you collected 15 pieces of evidence at one location and your form has only 10 lines, you need to fill out two multi-evidence forms. The first form is noted as "Page 1 of 2," and the second page is noted as "Page 2 of 2."
Figure 2-2 A sample multi-evidence form used in a corporate environment
Figure 2-3 shows a single-evidence form, which lists only one piece of evidence per page. This
form gives you more flexibility in tracking separate pieces of evidence for your chain-
of-custody log. It also has more space for descriptions, which is helpful when finalizing the
investigation and creating a case report. With this form, you can accurately account for
what was done to the evidence and what was found. Use evidence forms as a reference for
all actions taken during your investigative analysis.
You can use both multi-evidence and single-evidence forms in your investigation. By using
two forms, you can keep the single-evidence form with the evidence and the multi-evidence
form in your report file. Two forms also provide redundancy that can be used as a quality
control for your evidence.
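Step 7 of the plan (make a forensic copy) and the "Test the design" step (compare hash values) come together in the custody form's "Item #/Evidence processed by/Disposition of evidence/Date/Time" line. The following script is an added example, not code from the textbook: it hashes the original media and the copy with several algorithms in one pass, refuses to treat the copy as verified if any digest differs, and builds the custody-form entry for that processing step. The file names, the item number and the examiner's name are assumptions; the 1 MiB "USB drive" and the copy with one flipped byte are constructed in `demo()` so the script runs offline.

```python
"""Added example (not from the textbook): hash original media and its forensic
copy, compare, and produce the custody-form entry for that processing step.
File names, item number and examiner's name below are assumptions."""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large image is never loaded whole


def hash_stream(fh, algorithms=("md5", "sha1", "sha256")):
    """Digest a binary stream once with every algorithm in `algorithms`.
    MD5 and SHA-1 are what older tools print; SHA-256 is recorded too because
    collisions have been demonstrated for both of the older functions."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, **kw):
    return hash_stream(io.BytesIO(data), **kw)


def hash_file(path, **kw):
    with open(path, "rb") as fh:
        return hash_stream(fh, **kw)


def verify_copy(original, image):
    """True only if every digest of the copy equals the original's; a single
    differing digest means the copy cannot stand in for the original."""
    src, dst = hash_file(original), hash_file(image)
    return all(src[a] == dst[a] for a in src), src, dst


def custody_entry(item_no, processed_by, disposition, digests, when=None):
    """One 'Item #/Evidence processed by/Disposition of evidence/Date/Time'
    line of the custody form, with the digests recorded alongside it."""
    when = when or datetime.now(timezone.utc)
    return {"item": item_no, "processed_by": processed_by,
            "disposition": disposition,
            "date_time": when.isoformat(timespec="seconds"),
            "hashes": dict(digests)}


def demo():
    """Constructed data: a 1 MiB 'USB drive', a good copy, and a copy with one
    flipped byte (what a bad read or write leaves behind). Returns both
    verdicts and the custody entry for the verified copy."""
    media = bytes(range(256)) * 4096
    damaged = bytearray(media)
    damaged[123456] ^= 0x01
    with tempfile.TemporaryDirectory() as d:
        files = {"usb_original.bin": media, "copy_good.dd": media,
                 "copy_bad.dd": bytes(damaged)}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        orig = os.path.join(d, "usb_original.bin")
        ok_good, src, _ = verify_copy(orig, os.path.join(d, "copy_good.dd"))
        ok_bad, _, _ = verify_copy(orig, os.path.join(d, "copy_bad.dd"))
        entry = custody_entry(1, "Examiner (assumed name)",
                              "forensic copy made and hash-verified", src)
    return ok_good, ok_bad, entry


if __name__ == "__main__":
    good, bad, entry = demo()
    print("good copy verified:", good, "| damaged copy verified:", bad)
    print(entry)
```

Hash the original before imaging and again afterwards as well: if the two digests of the original differ, the original was altered during acquisition (a missing write blocker is the usual cause), and no copy can be verified against it.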
Securing Your Evidence
Computing investigations demand that you adjust your procedures to suit the case. For
example, if the evidence for a case includes an entire computer system and associated storage
media, such as floppy disks, Zip and Jaz cartridges, 4 mm DDS digital audio tape (DAT),
and USB drives, you must be flexible when you account for all these items. Some evidence is
small enough to fit into an evidence bag. Other items, such as the CPU cabinet, monitor, key-
board, and printer, are too large.
To secure and catalog the evidence contained in large computer components, you can use
large evidence bags, tape, tags, labels, and other products available from police supply
vendors or office supply stores. When gathering products to secure your computer evidence,
make sure they are safe and effective to use on computer components. Be cautious when han-
dling any computer component to avoid damaging the component or coming into contact
with static electricity, which can destroy digital data. For this reason, make sure you use anti-
static bags when collecting computer evidence. Consider using an antistatic pad with an
attached wrist strap, too. Both help prevent damage to computer evidence.
Be sure to place computer evidence in a well-padded container. Padding prevents damage to
the evidence as you transport it to your secure evidence locker, evidence room, or computer
lab. Save discarded hard drive boxes, antistatic bags, and packing material for computer
hardware when you or others acquire computer devices.
Because you might not have everything needed to secure your evidence, you have to impro-
vise. Securing evidence often requires building secure containers. If the computer component
is large and contained in its own casing, such as a CPU cabinet, you can use evidence tape to
seal all openings on the cabinet. Placing evidence tape over drive bays, insertion slots for
power supply cords and USB cables, and any other openings ensures the security of evidence.
As a standard practice, you should write your initials on the tape before applying it to the evidence. This practice makes it possible to prove later in court that the evidence hasn't been tampered with because the casing couldn't have been opened nor could power have been supplied to the closed casing with this tape in place. If the tape had been replaced, your initials wouldn't be present, which would indicate tampering. If you transport a CPU case, place new disks in disk drives to reduce possible drive damage while you're moving the computer.
Figure 2-3 A single-evidence form
Computer components require specific temperature and humidity ranges. If it's too cold, hot, or wet, computer components and magnetic media can be damaged. Even heated car seats can damage digital media, and placing a computer on top of a two-way car radio in the trunk can damage magnetic media. When collecting computer evidence, make sure you have a safe environment for transporting and storing it until a secure evidence container is available.
Procedures for Corporate High-Tech Investigations
As an investigator, you need to develop formal procedures and informal checklists to cover all
issues important to high-tech investigations. These procedures are necessary to ensure that cor-
rect techniques are used in an investigation. Use informal checklists to be certain that all evi-
dence is collected and processed properly. This section lists some sample procedures that com-
puting investigators commonly use in corporate high-tech investigations.
Employee Termination Cases
The majority of investigative work for termination cases involves employee abuse of corpo-
rate assets. Incidents that create a hostile work environment, such as viewing pornography
in the workplace and sending inappropriate e-mail messages, are the predominant types of
cases investigated. The following sections describe key points for conducting an investigation
that might lead to an employee's termination. Consulting with your organization's general counsel and Human Resources Department for specific directions on how to handle these investigations is recommended. Your organization must have appropriate policies in place, as described in Chapter 1.
Internet Abuse Investigations
The information in this section applies to an organization's internal private network, not a public ISP. Consult with your organization's general counsel after reviewing this list, and make changes according to their directions to build your own procedures. To conduct an investigation involving Internet abuse, you need the following:
The organization's Internet proxy server logs
Suspect computer's IP address obtained from your organization's network administrator
Suspect computer's disk drive
Your preferred computer forensics analysis tool (ProDiscover, Forensic Toolkit, EnCase, X-Ways Forensics, and so forth)
The following steps outline the recommended processing of an Internet abuse case:
1. Use the standard forensic analysis techniques and procedures described in this book for the disk drive examination.
2. Using tools such as DataLifter or Forensic Toolkit's Internet keyword search option, extract all Web page URL information.
3. Contact the network firewall administrator and request a proxy server log, if it's available, of the suspect computer's network device name or IP address for the dates of interest. Consult with your organization's network administrator to confirm that these logs are maintained and how long the lease time is set for the network's IP address assignments that use Dynamic Host Configuration Protocol (DHCP). After a lease expires, the same address can be handed to a different machine, so a proxy log entry is attributable to the suspect's computer only for the period in which that computer actually held the address.
4. Compare the data recovered from forensic analysis to the proxy server log data to confirm that they match.
5. If the URL data matches the proxy server log and the forensic disk examination, continue analyzing the suspect computer's drive data, and collect any relevant downloaded inappropriate pictures or Web pages that support the allegation. If there are no matches between the proxy server logs and the forensic examination, and the forensic examination shows no contributing evidence, report that the allegation is unsubstantiated.
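Steps 2 through 5 are a correlation exercise: the URLs the disk examination produced are matched against the proxy entries for the suspect's address during the dates of interest, and every match is checked against the DHCP lease history so that an address reassigned to another machine is not charged to the suspect. The script below is an added example written for this page, not the textbook's or any vendor's code. The proxy log layout, the lease table, the addresses, host names, URLs and dates are all constructed for the example; a real proxy (Squid, ISA and so on) uses its own log format, so only `parse_proxy_log` would need to change.

```python
"""Added example (not from the textbook): correlate URLs recovered from the
suspect's drive with proxy log entries for the suspect's IP address, checking
each hit against DHCP leases. All data below is constructed for the example."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log, one request per line:
#   "<ISO time> <client ip> <method> <url> <status>"
PROXY_LOG = """\
2009-03-02T09:14:05 10.20.30.41 GET http://www.example-domains.test/register 200
2009-03-02T09:15:11 10.20.30.41 GET http://www.example-domains.test/pricing?plan=basic 200
2009-03-02T12:40:52 10.20.30.41 GET http://intranet.corp.test/timesheet 200
2009-03-03T08:02:17 10.20.30.41 GET http://hosting.example-isp.test/signup 200
2009-03-05T18:30:00 10.20.30.41 GET http://www.example-domains.test/clients 200
"""

# Constructed DHCP lease history: (ip, host name, lease start, lease end).
# The address goes to a different machine after the suspect's lease ends.
DHCP_LEASES = [
    ("10.20.30.41", "WS-GMONTGOMERY", "2009-03-02T07:55:00", "2009-03-04T07:55:00"),
    ("10.20.30.41", "WS-VISITOR07",   "2009-03-05T17:00:00", "2009-03-06T17:00:00"),
]

# Constructed URLs, as a forensic tool's Internet keyword search would list them
DISK_URLS = [
    "http://www.example-domains.test/register",
    "HTTP://WWW.EXAMPLE-DOMAINS.TEST/pricing",
    "http://hosting.example-isp.test/signup",
    "http://www.example-domains.test/clients",
]


def normalize(url):
    """Compare scheme, host and path only, case-folding scheme and host, so the
    same page recovered with a different query string or letter case matches."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, url, status = line.split()
        rows.append({"time": datetime.fromisoformat(ts), "ip": ip,
                     "method": method, "url": normalize(url), "status": int(status)})
    return rows


def lease_holder(ip, when, leases):
    """Host that held `ip` at `when` according to the lease table, else None."""
    for lip, host, start, end in leases:
        if lip == ip and datetime.fromisoformat(start) <= when < datetime.fromisoformat(end):
            return host
    return None


def correlate(disk_urls, proxy_rows, suspect_ip, suspect_host, leases, start, end):
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    disk = {normalize(u) for u in disk_urls}
    matched, unattributed, proxy_only = [], [], []
    for r in proxy_rows:
        if r["ip"] != suspect_ip or not (start <= r["time"] < end):
            continue
        if r["url"] not in disk:
            proxy_only.append(r["url"])          # seen by proxy, not found on disk
            continue
        holder = lease_holder(r["ip"], r["time"], leases)
        hit = {"time": r["time"].isoformat(), "url": r["url"], "holder": holder}
        # Only a hit made while the suspect's host held the address counts.
        (matched if holder == suspect_host else unattributed).append(hit)
    return {"matched": matched, "unattributed": unattributed,
            "proxy_only": proxy_only,
            "disk_only": sorted(disk - {m["url"] for m in matched})}


def run_domain_name_case():
    return correlate(DISK_URLS, parse_proxy_log(PROXY_LOG), "10.20.30.41",
                     "WS-GMONTGOMERY", DHCP_LEASES,
                     "2009-03-02T00:00:00", "2009-03-06T00:00:00")


if __name__ == "__main__":
    for key, value in run_domain_name_case().items():
        print(key, value)
```

In the constructed data the last proxy hit for the `/clients` page falls inside a lease held by a different host, so it lands in `unattributed` rather than `matched`; without the lease check it would have been counted against the suspect.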
Before investigating an Internet abuse case, research your state or country's privacy laws. Many countries have unique privacy laws that restrict the use of computer log data, such as proxy server logs or disk drive cache files, for any type of investigation. Some state or federal laws might supersede your organization's employee policies. Always consult with your organization's attorney. For companies with international business operations, jurisdiction is a problem; what is legal in the United States, such as examining and investigating a proxy server log, might not be legal in Germany, for example.
For investigations in which the proxy server log doesn't match the forensic analysis that found inappropriate data, continue the examination of the suspect computer's disk drive. Determine when inappropriate data was downloaded to the computer and whether it was through an organization's intranet connection to the Internet. Employees might have used their employer's laptop computers to connect to their own ISPs to download inappropriate Web content. For these situations, you need to consult your organization's employee policy guidelines for what's considered appropriate use of the organization's computing assets.
E-mail Abuse Investigations
E-mail investigations typically include spam, inappropriate and offensive message content,
and harassment or threats. E-mail is subject to the same restrictions as other computer evi-
dence data, in that an organization must have a defined policy, as described in Chapter 1.
The following list is what you need for an investigation involving e-mail abuse:
An electronic copy of the offending e-mail that contains message header data; consult
with your e-mail server administrator
If available, e-mail server log records; consult with your e-mail server administrator to
see whether they are available
For e-mail systems that store users' messages on a central server, access to the server; consult with your e-mail server administrator
For e-mail systems that store users' messages on a computer as an Outlook .pst or .ost file, for example, access to the computer so that you can perform a forensic analysis on it
Your preferred computer forensics analysis tool, such as Forensic Toolkit or ProDis-
cover
This is the recommended procedure for e-mail investigations:
1. For computer-based e-mail data files, such as Outlook .pst or .ost files, use the
standard forensic analysis techniques and procedures described in this book for the
drive examination.
2. For server-based e-mail data files, contact the e-mail server administrator and obtain an electronic copy of the suspect's and victim's e-mail folder or data.
3. For Web-based e-mail investigations, such as Hotmail or Gmail, use tools such as Forensic Toolkit's Internet keyword search option to extract all related e-mail address information.
4. Examine header data of all messages of interest to the investigation.
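Step 4, examining header data, is where a message's claimed origin is checked against the path it actually took. The script below is an added example for this page, not the textbook's code: it reads the `Received` chain in delivery order (each relay prepends its header, so the message lists them newest first), extracts the originating host and IP, and flags the two discrepancies an examiner looks for first: a `From` address whose domain differs from the `Return-Path` envelope sender, and a `Date` header later than the first relay's timestamp. The message, hosts, addresses and IDs are constructed; Python's standard `email` module does the parsing.

```python
"""Added example (not from the textbook): pull the fields an examiner checks
from e-mail header data. The message, hosts, addresses and IDs are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

RAW_MESSAGE = """\
Return-Path: <gmontgomery@mail.corp.test>
Received: from mx2.corp.test (mx2.corp.test [10.1.1.2])
    by mailstore.corp.test with ESMTP id q3K8x7; Mon, 02 Mar 2009 09:31:09 -0800
Received: from WS-GMONTGOMERY (ws-gmontgomery.corp.test [10.20.30.41])
    by mx2.corp.test with ESMTP id q3K8x6; Mon, 02 Mar 2009 09:31:07 -0800
Message-ID: <20090302173107.1234@ws-gmontgomery.corp.test>
Date: Mon, 02 Mar 2009 09:31:05 -0800
From: "Customer Service" <support@example-domains.test>
To: client@example-customer.test
Subject: Your domain registration

Your domain has been registered. The invoice is attached.
"""

# "from <helo> (<peer>) by <host> ... ; <date>" as most MTAs write it
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")


def parse_received(value):
    """Unfold one Received header and split out the hop it records."""
    flat = " ".join(value.split())            # join folded continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return {"raw": flat, "ip": None, "peer": "", "by": None, "time": None}
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", m["peer"])
    return {"helo": m["helo"], "peer": m["peer"], "ip": ip.group(1) if ip else None,
            "by": m["by"], "time": parsedate_to_datetime(m["date"])}


def examine_headers(raw):
    msg = message_from_string(raw)
    # Relays prepend Received headers, so the message lists them newest first;
    # reverse to read the path from the originating host to the mailbox.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    date = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    msgid = (msg.get("Message-ID") or "").strip().strip("<>")

    flags = []
    if from_addr.rsplit("@", 1)[-1].lower() != return_path.rsplit("@", 1)[-1].lower():
        flags.append("From domain differs from Return-Path domain")
    if hops and msgid.rsplit("@", 1)[-1].lower() in hops[0]["peer"].lower():
        flags.append("Message-ID host matches the originating Received hop")
    if date and hops and hops[0]["time"] and date > hops[0]["time"]:
        flags.append("Date header is later than the first Received hop")

    return {"message_id": msgid, "date": date, "from_name": from_name,
            "from_addr": from_addr, "return_path": return_path, "hops": hops,
            "origin_ip": hops[0]["ip"] if hops else None, "flags": flags}


if __name__ == "__main__":
    result = examine_headers(RAW_MESSAGE)
    for hop in result["hops"]:
        print(hop.get("helo"), hop["ip"], "->", hop["by"], hop["time"])
    print("origin:", result["origin_ip"], "| flags:", result["flags"])
```

Only the `Received` header added by a server you control is trustworthy; anything below it in delivery order could have been written by the sender, which is why the originating IP is read from your own relay's line rather than from headers the message arrived with.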
Attorney-Client Privilege Investigations
When conducting a computer forensics analysis under attorney-client privilege (ACP) rules for an attorney, you must keep all findings confidential. The attorney you're working for is the ultimate authority over the investigation. For investigations of this nature, attorneys typically request that you extract all data from drives. It's your responsibility to comply with the attorney's directions. Because of the large quantities of data a drive can contain, the attorney will want to know about everything of interest on the drives.
Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data or CAD drawing programs that can be read only by proprietary programs. You need to persuade and educate many attorneys on how digital evidence can be viewed electronically. In addition, learn how to teach attorneys and paralegals to sort through files so that you can help them efficiently analyze the huge amount of data a forensic examination produces.
You can also encounter problems if you find data in the form of binary files, such as CAD drawings. Examining these files requires using the CAD program that created them. In addition, engineering companies often have specialized drafting programs. Discovery demands for lawsuits involving a product that caused injury or death require extracting design plans for attorneys and expert witnesses to review. You're responsible for locating the programs for these design plans so that attorneys and expert witnesses can view the evidence files.
The following list shows the basic steps for conducting an ACP case:
1. Request a memorandum from the attorney directing you to start the investigation. The memorandum must state that the investigation is privileged communication and list your name and any other associates' names assigned to the case.
2. Request a list of keywords of interest to the investigation.
3. After you have received the memorandum, initiate the investigation and analysis. Any findings you made before receiving the memorandum are subject to discovery by the opposing attorney.
4. For drive examinations, make two bit-stream images (discussed later in this chapter) of the drive using a different tool for each image, such as EnCase for the first and ProDiscover or SafeBack for the second. If you have large enough storage drives, make each bit-stream image uncompressed so that if it becomes corrupt, you can still examine uncorrupted areas with your preferred forensic analysis tool.
5. If possible, compare hash values on all files on the original and re-created disks. Typically, attorneys want to view all data, even if it's not relevant to the case. Many GUI forensics tools perform this task during bit-stream imaging of the drive.
6. Methodically examine every portion of the drive (both allocated and unallocated data areas) and extract all data.
7. Run keyword searches on allocated and unallocated disk space. Follow up the search results to determine whether the search results contain information that supports the case.
8. For Windows OSs, use specialty tools to analyze and extract data from the Registry, such as AccessData Registry Viewer or a Registry viewer program (discussed in more detail in Chapter 6). Use the Edit, Find menu option in Registry Editor, for example, to search for keywords of interest to the investigation, working only on hive files exported from the image, never on the original system.
9. For binary files such as CAD drawings, locate the correct program and, if possible, make printouts of the binary file content. If the files are too large, load the specialty program on a separate workstation with the recovered binary files so that the attorney can view them.
10. For unallocated data (file slack space or free space, explained in Chapter 6) recovery, use a tool that removes or replaces nonprintable data, such as the Gather Text function in X-Ways Forensics.
11. Consolidate all recovered data from the evidence bit-stream image into well-organized folders and subfolders. Store the recovered data output, using a logical and easy-to-follow storage method for the attorney or paralegal.
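Steps 6, 7 and 10 describe the same pass over the raw image: search allocated and unallocated space for keywords, and gather the printable text out of regions that are not files any more. The script below is an added example written for this page, not the textbook's code or a reimplementation of any vendor's Gather Text feature. It searches a constructed image as raw bytes, so slack and free space are covered, and it searches each keyword twice, as ASCII and as UTF-16LE, because Windows applications store text in the wide form and an ASCII-only search walks straight past it. The image bytes, keywords and document fragments are constructed for the example.

```python
"""Added example (not from the textbook): keyword search over allocated and
unallocated space of a raw image, plus printable-text gathering in both ASCII
and UTF-16LE. The image below is constructed for the example."""
import re

# Constructed image: an allocated memo, the remains of a deleted Windows
# document stored as UTF-16LE (with its byte-order mark), a PNG header followed
# by binary noise, and a deleted ASCII draft where unallocated space would be.
IMAGE = (
    b"MEMO: quarterly timesheet reminder\x00" + b"\x00" * 64
    + b"\xff\xfe" + "Confidential design notes v2".encode("utf-16-le") + b"\x00" * 32
    + b"\x89PNG\r\n\x1a\n" + bytes(range(0, 256, 7)) + b"\x00" * 16
    + b"deleted: graphite sprocket DESIGN plan draft\x00"
)


def gather_text(data, min_len=4, encoding="ascii"):
    """Return (offset, text) for every run of at least `min_len` printable
    characters, like strings(1). The utf-16-le pass finds the wide-character
    text Windows applications write, which the ASCII pass cannot see."""
    if encoding == "ascii":
        pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    elif encoding == "utf-16-le":
        pattern = rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len
    else:
        raise ValueError(encoding)
    return [(m.start(), m.group().decode(encoding)) for m in re.finditer(pattern, data)]


def keyword_search(data, keywords, context=24):
    """Case-insensitive search for each keyword as ASCII and as UTF-16LE over
    the whole image, so hits in slack and free space count. Each hit carries a
    hexdump-style snippet (non-printable bytes shown as '.') for the report."""
    hits = []
    low = data.lower()  # bytes.lower() folds only ASCII letters, which is what we want
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(enc)
            pos = low.find(needle)
            while pos != -1:
                start = max(0, pos - context)
                if enc == "utf-16-le":
                    start += (pos - start) % 2          # keep 16-bit code units aligned
                raw = data[start:pos + len(needle) + context].decode(enc, errors="replace")
                snippet = "".join(c if 0x20 <= ord(c) < 0x7f else "." for c in raw)
                hits.append({"offset": pos, "keyword": kw, "encoding": enc,
                             "snippet": snippet})
                pos = low.find(needle, pos + 1)
    return hits


def run_search(keywords=("design", "sprocket")):
    return {"ascii_strings": gather_text(IMAGE),
            "utf16_strings": gather_text(IMAGE, encoding="utf-16-le"),
            "hits": keyword_search(IMAGE, keywords)}


if __name__ == "__main__":
    result = run_search()
    for off, text in result["ascii_strings"] + result["utf16_strings"]:
        print(f"{off:6d}  {text}")
    for h in result["hits"]:
        print(f"{h['offset']:6d}  {h['keyword']:<10}{h['encoding']:<10}{h['snippet']}")
```

The binary noise after the PNG header also yields a short printable run, which is normal for this kind of pass: gathered text is a list of candidates to follow up, not findings, and step 7's instruction to follow up each result applies to it.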
Here are some other guidelines to remember for ACP cases:
Minimize all written communication with the attorney; use the telephone when you
need to ask questions or provide information related to the case.
Any documentation written to the attorney must contain a header stating that it's "Privileged Legal Communication, Confidential Work Product," as defined under the attorney-work-product rule.
Assist the attorney and paralegal in analyzing the data.
If you have difficulty complying with the directions or don't understand the directives from the memorandum, contact the attorney and explain the problem. Always keep an open line of verbal communication with the attorney during these types of investigations. If you're communicating via e-mail, use encryption (such as PGP) or another secure e-mail service for all messages.
Media Leak Investigations
In the corporate environment, controlling sensitive data can be difficult. Disgruntled employees, for example, might send an organization's sensitive data to a news reporter. The reasons for media leaks range from employees' efforts to embarrass management to a rival conducting a power struggle between other internal organizations. Another concern is the premature release of information about new products, which can disrupt operations and cause market share loss for a business if the information is made public too soon. Media leak investigations can be time consuming and resource intensive. Because management wants to find who leaked information, scope creep during the investigation is not uncommon.
Consider the following guidelines for media leak investigations:
Examine e-mail, both the organizations e-mail servers and private e-mail accounts
(Hotmail, Yahoo!, Gmail, and so on), on company-owned computers.
Examine Internet message boards, and search the Internet for any information about
the company or product. Use Internet search engines to run keyword searches related
to the company, product, or leaked information. For example, you might search for "graphite-composite bicycle sprocket" for a bicycle manufacturer that was the victim of a media leak about a new product in development.
Examine proxy server logs to check for log activities that might show use of free
e-mail services, such as Gmail. Track back to the specific workstations where these
messages originated and perform a forensic analysis on the drives to help determine
what was communicated.
Examine known suspects' workstations, perform computer forensics examinations on persons of interest, and develop other leads on possible associates.
Examine all company phone records for any calls to known media organizations.
The following list outlines steps to take for media leaks:
1. Interview management privately to get a list of employees who have direct knowledge
of the sensitive data.
2. Identify the media source that published the information.
3. Review company phone records to see who might have had contact with the news
service.
4. Obtain a list of keywords related to the media leak.
5. Perform keyword searches on proxy and e-mail servers.
6. Discreetly conduct forensic disk acquisitions and analysis of employees of interest.
7. From the forensic disk examinations, analyze all e-mail correspondence and trace any
sensitive messages to other people who havent been listed as having direct knowl-
edge of the sensitive data.
8. Expand the discreet forensic disk acquisition and analysis for any new persons of interest.
9. Consolidate and review your findings periodically to see whether new clues can be
discovered.
10. Report findings to management routinely, and discuss how much further to continue
the investigation.
Industrial Espionage Investigations
Industrial espionage cases, similar to media leaks, can be time consuming and are subject to
the same scope creep problems. This section offers some guidelines on how to deal with
industrial espionage investigations. Be aware that cases dealing with foreign nationals might be violations of International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). For more information on ITAR, see the U.S. Department of State's Web site (www.state.gov) or do an Internet search for "International Traffic in Arms Regulations." For EAR information, see the U.S. Department of Commerce Web site (www.doc.gov) or do an Internet search for "Export Administration Regulations."
Unlike the other corporate investigations covered in this section, all suspected industrial espi-
onage cases should be treated as criminal investigations. The techniques described here are
for private network environments and internal investigations that haven't yet been reported to law enforcement officials. Make sure you don't become an agent of law enforcement by filing a complaint of a suspected espionage case before substantiating the allegation. The following list includes staff you might need when planning an industrial espionage investigation. This list isn't exhaustive, so use your knowledge to improve on these recommendations:
The computing investigator who is responsible for disk forensic examinations
The technology specialist who is knowledgeable about the suspected compromised
technical data
The network specialist who can perform log analysis and set up network monitors to
trap network communication of possible suspects
The threat assessment specialist (typically an attorney) who is familiar with federal
and state laws and regulations related to ITAR or EAR and industrial espionage
In addition, consider the following guidelines when initiating an industrial espionage investigation:
Determine whether this investigation involves a possible industrial espionage incident,
and then determine whether it falls under ITAR or EAR.
Consult with corporate attorneys and upper management if the investigations must be
conducted discreetly.
Determine what information is needed to substantiate the allegation of industrial
espionage.
Generate a list of keywords for disk forensics and network monitoring.
List and collect resources needed for the investigation.
Determine the goal and scope of the investigation; consult with management and the company's attorneys on how much work you should do.
Initiate the investigation after approval from management, and make regular reports
of your activities and findings.
The following are planning considerations for industrial espionage investigations:
Examine all e-mail of suspected employees, both company-provided e-mail and free
Web-based services.
Search Internet newsgroups or message boards for any postings related to the
incident.
Initiate physical surveillance with cameras on people or things of interest to the
investigation.
If available, examine all facility physical access logs for sensitive areas, which might
include secure areas where smart badges or video surveillance recordings are used.
If theres a suspect, determine his or her location in relation to the vulnerable asset
that was compromised.
Study the suspects work habits.
Collect all incoming and outgoing phone logs to see whether any unique or unusual
places were called.
When conducting an industrial espionage case, follow these basic steps:
1. Gather all personnel assigned to the investigation and brief them on the plan and any
concerns.
2. Gather the resources needed to conduct the investigation.
3. Start the investigation by placing surveillance systems, such as cameras and network
monitors, at key locations.
4. Discreetly gather any additional evidence, such as the suspect's computer drive, and make a bit-stream image for follow-up examination.
5. Collect all log data from networks and e-mail servers, and examine them for unique
items that might relate to the investigation.
6. Report regularly to management and corporate attorneys on your investigation's status and current findings.
7. Review the investigations scope with management and corporate attorneys to deter-
mine whether it needs to be expanded and more resources added.
Interviews and Interrogations in High-Tech Investigations
Becoming a skilled interviewer and interrogator can take many years of experience. Typically, a corporate computing investigator is a technical person acquiring the evidence for an investigation. Many large organizations have full-time security investigators with years of training and experience in criminal and civil investigations and interviewing techniques. Few of these investigators have any computing or network technical skills, so you might be asked to assist in interviewing or interrogating a suspect when you have performed a forensic disk analysis on that suspect's machine.
An interrogation is different from an interview. An interview is usually conducted to collect
information from a witness or suspect about specific facts related to an investigation. An
interrogation is the process of trying to get a suspect to confess to a specific incident or
crime. An investigator might change from an interview to an interrogation when talking to a
witness or suspect. The more experience and training investigators have in the art of interviewing and interrogating, the more easily they can determine whether a witness is credible and possibly a suspect.
Your role as a computing investigator is to instruct the investigator conducting the interview
on what questions to ask and what the answers should be. As you build rapport with the
investigator, he or she might ask you to question the suspect. Watching a skilled interrogator
is a learning experience in human relations skills.
If you're asked to assist in an interview or interrogation, prepare yourself by answering the following questions:
• What questions do I need to ask the suspect to get the vital information about the case?
• Do I know what I'm talking about, or will I have to research the topic or technology related to the investigation?
• Do I need additional questions to cover other indirect issues related to the investigation?
Common interview and interrogation errors include being unprepared for the interview or
interrogation and not having the right questions or enough questions to increase your depth
of knowledge. Make sure you don't run out of conversation topics; you need to keep the conversation friendly to gain the suspect's confidence. Avoid doubting your own skills, which might show the suspect you lack confidence in your ability.
Ingredients for a successful interview or interrogation require the following:
• Being patient throughout the session
• Repeating or rephrasing questions to zero in on specific facts from a reluctant witness or suspect
• Being tenacious
Understanding Data Recovery Workstations and Software
Now you know what's involved in acquiring and documenting evidence. In Chapter 3, you examine a complete setup of a computer forensics lab, which is where you conduct your investigations and where most of your equipment and software are located, including secure evidence containers. Be aware that some companies that perform computer investigations also do data recovery, which is the more well-known and lucrative side of the business.
Remember the difference between data recovery and computer forensics. In data recovery, you don't necessarily need a sterile target drive when restoring the forensic image. Typically, the customer or your company just wants the data back. The other key difference is that in data recovery, you usually know what you're trying to retrieve. In computer forensics, you might have an idea of what you're searching for, but not necessarily.
To conduct your investigation and analysis, you must have a specially configured PC known as a forensic workstation, which is a computer loaded with additional bays and forensics software. Depending on your needs, most computer forensics work can be performed on the following Microsoft OSs:
• MS-DOS 6.22
• Windows 95, 98, or Me
• Windows NT 3.5 or 4.0
• Windows 2000
• Windows XP
• Windows Vista
Chapters 3 and 7 cover the software resources you need and the forensics lab and workstation in detail. Visit www.digitalintel.com to examine the specifications of the Forensic Recovery of Evidence Device (F.R.E.D.) unit or www.forensicpc.com to examine the ForensicPC Dual Xeon Workstation and other current products.
In addition to the Windows OSs listed, you can use Linux or UNIX to
conduct your analysis. Several open-source and freeware tools are
available for this purpose. Some newer forensics tools, such as
AccessData FTK, now require dual-core processors.
If you start Windows while you're examining a hard disk, Windows alters the evidence disk by writing data to the Recycle Bin and corrupts the quality and integrity of the evidence you're trying to preserve. Chapter 6 covers which files Windows updates automatically at startup. Windows XP and Vista systems also record the serial numbers of hard drives and CPUs in a file, which can be difficult to recover.
Of all the Microsoft OSs, the least intrusive (in terms of changing data) to disks is MS-DOS 6.22. With the continued evolution of Microsoft OSs, it's not always practical to use older MS-DOS platforms, however. Newer file system formats, such as NTFS, are accessible (that is, readable) only from Windows NT or newer OSs. You can use one of several write-blockers that enable you to boot to Windows without writing data to the evidence drive. In Chapter 4, you learn more about write-blockers and some inexpensive alternatives for preserving data during an acquisition.
There are many hardware write-blockers on the market. Some are inserted between the disk
controller and the hard disk; others connect to USB or FireWire ports. Several vendors sell
write-blockers, including Technology Pathways NoWrite FPU; Digital Intelligence Ultra-Kit, UltraBlock, FireFly, FireChief 800, and USB Write Blocker; WiebeTECH Forensic DriveDock; Guidance Software FastBloc2; Paralan's SCSI Write Blockers; and Intelligent Computer Solutions (www.ics-iq.com) Image LinkMaSSter Forensics Hard Case.
Many older computer forensics acquisition tools work in the MS-DOS environment. These
tools can operate from an MS-DOS window in Windows 98 or from the command prompt
in Windows 2000 and later. Some of their functions are disabled or generate error messages
when run in these OSs, however.
Windows products are being developed that make performing disk forensics easier. However,
because Windows has limitations in performing disk forensics, you might need to develop
skills in acquiring data with MS-DOS and Linux. In later chapters, you learn more about
using these other tools. Keep in mind that no single computer forensics tool can recover everything. Each tool and OS has its own strengths and weaknesses, so develop skills with as many tools as possible to become an effective computing investigator. Appendix D has additional information on how to use MS-DOS for data acquisitions.
Setting Up Your Workstation for Computer Forensics
With current computer forensics hardware and software, configuring a computer workstation or laptop as a forensic workstation is simple. All that's required are the following:
• A workstation running Windows XP or Vista
• A write-blocker device
• Computer forensics acquisition tool
• Computer forensics analysis tool
• A target drive to receive the source or suspect disk data
• Spare PATA or SATA ports
• USB ports
Additional useful items include the following:
• Network interface card (NIC)
• Extra USB ports
• FireWire 400/800 ports
• SCSI card
• Disk editor tool
• Text editor tool
• Graphics viewer program
• Other specialized viewing tools
In Chapter 3, you learn more about setting up and configuring a computer to be a forensic
workstation.
Conducting an Investigation
Now you're ready to return to the Domain Name case. You have created a plan for the investigation, set up your forensic workstation, and installed the necessary forensic analysis software you need to examine the evidence. The type of software to install includes your preferred analysis tool, such as ProDiscover, EnCase, FTK, or X-Ways Forensics; an office suite, such as OpenOffice; and a graphics viewer, such as IrfanView. To begin conducting an investigation, you start by copying the evidence using a variety of methods. No single method retrieves all data from a disk, so using several tools to retrieve and analyze data is a good idea.
Start by gathering the resources you identified in your investigation plan. You need the following items:
• Original storage media
• Evidence custody form
• Evidence container for the storage media, such as an evidence bag
• Bit-stream imaging tool; in this case, the ProDiscover Basic acquisition utility
• Forensic workstation to copy and examine the evidence
• Secure evidence locker, cabinet, or safe
Gathering the Evidence
Now you're ready to gather evidence for the Domain Name case. Remember, you need antistatic bags and pads with wrist straps to prevent static electricity from damaging digital evidence. To acquire George Montgomery's storage media from the IT Department and then secure the evidence, you perform the following steps:
1. Arrange to meet the IT manager to interview him and pick up the storage media.
2. After interviewing the IT manager, fill out the evidence form, have him sign it, and
then sign it yourself.
3. Store the storage media in an evidence bag, and then transport it to your forensic
facility.
4. Carry the evidence to a secure container, such as a locker, cabinet, or safe.
5. Complete the evidence custody form. As mentioned, if you're using a multi-evidence form, you can store the form in the file folder for the case. If you're also using single-evidence forms, store them in the secure container with the evidence. Reduce the risk of tampering by limiting access to the forms.
6. Secure the evidence by locking the container.
Understanding Bit-stream Copies
A bit-stream copy is a bit-by-bit copy (also known as a sector copy) of the original drive or storage medium and is an exact duplicate. The more exact the copy, the better chance you have of retrieving the evidence you need from the disk. This process is usually referred to as "acquiring an image" or "making an image" of a suspect drive. A bit-stream copy is different from a simple backup copy of a disk. Backup software can only copy or compress files that are stored in a folder or are of a known file type. Backup software can't copy deleted files and e-mails or recover file fragments.
A bit-stream image is the file containing the bit-stream copy of all data on a disk or disk partition. For simplicity, it's usually referred to as an "image," "image save," or "image file." Some manufacturers also refer to it as a forensic copy. To create an exact image of an evidence disk, copying the image to a target disk that's identical to the evidence disk is preferable (see Figure 2-4). The target disk's manufacturer and model, in general, should be the same as the original disk's manufacturer and model. If the target disk is identical to the original, the size in bytes and sectors of both disks should also be the same. Some image acquisition tools can accommodate a target disk that's a different size than the original. These imaging tools are discussed in Chapter 4. Older computer forensics tools designed for MS-DOS work only on a copied disk. Current GUI tools can work on both a disk drive and copied data sets that many manufacturers refer to as image saves.
Figure 2-4 Transfer of data from original to image to target
Occasionally, the track and sector maps on the original and target disks don't match, even if you use disks of exactly the same size that are different makes or models. Tools such as Guidance EnCase and NTI SafeBack adjust for the target drive's geometry. Two other tools, X-Ways WinHex Specialist Edition and Technology Pathways ProDiscover, can copy sector by sector to equal-sized or larger disks without needing to force changes in the target disk's geometry.
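As an added illustration (not code from the book or from any vendor tool it names), the following Python script models the distinction drawn above on a constructed eight-sector disk: a sector-by-sector copy onto a zero-filled (sterile) target, validated against the source with MD5 the way an acquisition's hash output file is used, beside a toy backup that can only copy the files a directory still lists. The sector size, the directory format and the disk contents are assumptions made for the example.

```python
# Bit-stream (sector) copy versus backup copy, validated with MD5.
# Added example, not the book's or any vendor's code; the layout below is constructed.
import hashlib
import io

SECTOR = 512  # assumed sector size in bytes


def build_sample_disk() -> bytes:
    """Constructed 8-sector 'evidence disk' (sample data, not a real file system).
    Sector 0: toy directory naming the one allocated file and its sectors.
    Sectors 1-2: that file's contents.
    Sector 5: residue of a deleted file (entry removed, data never overwritten)."""
    disk = bytearray(8 * SECTOR)
    disk[0:20] = b"DIR:report.txt@1,2\x00\x00"
    body = b"Quarterly report, nothing unusual here.\n"
    disk[1 * SECTOR:1 * SECTOR + len(body)] = body
    residue = b"DELETED: side-business invoice for George Montgomery"
    disk[5 * SECTOR:5 * SECTOR + len(residue)] = residue
    return bytes(disk)


def backup_copy(disk: bytes) -> bytes:
    """Toy backup: copies only files the directory still lists, which is all
    backup software can see. Deleted data and free space are never read."""
    entry = disk[:SECTOR].split(b"\x00", 1)[0].decode("ascii")  # DIR:report.txt@1,2
    _, sector_list = entry.split("@")
    return b"".join(disk[int(s) * SECTOR:(int(s) + 1) * SECTOR]
                    for s in sector_list.split(","))


def bit_stream_copy(source: io.BufferedIOBase, target: io.BufferedIOBase,
                    target_sectors: int) -> dict:
    """Copy every sector of source to target and validate the copy with MD5.
    Following the text, the target must be at least as large as the evidence
    medium (a smaller target is refused rather than truncating evidence), and a
    forensic target is sterile, so it is zero-filled before the copy. The
    returned hashes are what an acquisition log would record."""
    source.seek(0, io.SEEK_END)
    size = source.tell()
    source.seek(0)
    if size % SECTOR:
        raise ValueError("source is not a whole number of sectors")
    if target_sectors < size // SECTOR:
        raise ValueError("target smaller than evidence medium; would truncate")

    target.seek(0)
    for _ in range(target_sectors):          # sterilize the whole target
        target.write(b"\x00" * SECTOR)

    target.seek(0)
    src_md5 = hashlib.md5()
    copied = 0
    while chunk := source.read(SECTOR):      # sector by sector, nothing skipped
        src_md5.update(chunk)
        target.write(chunk)
        copied += 1
    target.flush()

    target.seek(0)                           # re-read the target to verify
    tgt_md5 = hashlib.md5(target.read(size)).hexdigest()
    return {"sectors_copied": copied,
            "source_md5": src_md5.hexdigest(),
            "target_md5": tgt_md5,
            "verified": src_md5.hexdigest() == tgt_md5}


def run_demo(target_sectors: int = 10) -> dict:
    """Run the comparison on the constructed disk and return the facts to check."""
    disk = build_sample_disk()
    target = io.BytesIO()
    result = bit_stream_copy(io.BytesIO(disk), target, target_sectors)
    image = target.getvalue()
    return {**result,
            "target_bytes": len(image),
            "copy_matches_source": image[:len(disk)] == disk,
            "residue_in_sector_copy": b"George Montgomery" in image,
            "residue_in_backup": b"George Montgomery" in backup_copy(disk)}
```

Calling `run_demo()` shows the deleted-file residue present in the sector copy and absent from the backup, with matching source and target hashes.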
Acquiring an Image of Evidence Media
After you retrieve and secure the evidence, you're ready to copy the evidence media and analyze the data. The first rule of computer forensics is to preserve the original evidence. Then conduct your analysis only on a copy of the data, the image of the original medium. Several vendors provide MS-DOS, Linux, and Windows acquisition tools. Windows tools, however, require a write-blocking device (discussed in Chapter 4) when acquiring data from FAT or NTFS file systems.
Using ProDiscover Basic to Acquire a USB Drive
ProDiscover Basic from Technology Pathways is a forensics analysis tool. You can use it to
acquire and analyze data from several different file systems, such as Microsoft FAT and
NTFS, Linux Ext2 and Ext3, and other UNIX file systems, from a Windows XP or older
OS. To use ProDiscover Basic in Windows Vista, you need to run it in Administrator mode.
See the Tip in the following steps for instructions on selecting this mode.
The DVD accompanying this book includes ProDiscover Basic. The installation program includes a user manual, ProDiscoverManual.pdf, in the C:\Program Files\Technology Pathways\ProDiscover folder (if the installation defaults are used). Read the user manual for instructions, and install ProDiscover Basic on your computer before you perform the following activity.
Before starting this activity, you need to create a work folder on your computer for data storage and other related files ProDiscover creates when acquiring and analyzing evidence. You can use any location and name for your work folder, but you'll see it referred to in activities as C:\Work or simply "your work folder." To keep your files organized, you should also create subfolders for each chapter. For this chapter, create a Work\Chap02\Chapter folder to store files from in-chapter activities. Note that you might see work folder pathnames in screenshots that are slightly different from your own pathname.
The following steps show how to acquire an image of a USB drive, but you can apply them to other media, such as disk drives and floppy disks. You can use any USB drive already containing files to see how ProDiscover acquires data. To perform an acquisition on a USB drive with ProDiscover Basic, follow these steps:
1. First, on the USB drive, locate the write-protect switch (if one is available) and place
the drive in write-protect mode. Now connect the USB drive to your computer.
This activity is meant to introduce you to the ProDiscover Basic tool. Proper forensics procedures require write-protecting any evidence media to ensure that it's not altered. In Chapter 4, you learn how to use hardware and software write-blocking methods.
2. To start ProDiscover Basic, click Start, point to All Programs, point to ProDiscover,
and click ProDiscover Basic. If the Launch Dialog dialog box opens (see Figure 2-5),
click Cancel.
If you're using Windows Vista, right-click the ProDiscover Basic desktop icon (or menu item on the All Programs menu) and click Run as administrator. In the UAC message box, click Continue.
For convenience, you can disable the display of the Launch Dialog
dialog box by clicking the check box indicated in Figure 2-5.
Figure 2-5 The main window in ProDiscover
3. In the main window, click Action, Capture Image from the menu.
4. In the Capture Image dialog box shown in Figure 2-6, click the Source Drive list
arrow, and select the USB drive.
5. Click the >> button next to the Destination text box. When the Save As dialog box opens, navigate to your work folder (Work\Chap02\Chapter) and enter a name for the image you're making, such as InChp-prac. Click Save to save the file.
6. Next, in the Capture Image dialog box, type your name in the Technician Name text
box and InChp-prac-02 in the Image Number text box (see Figure 2-7). Click OK.
ProDiscover Basic then acquires an image of the USB drive. When it's finished, it displays a notice to check the log file created during the acquisition. This log file contains additional information if errors were encountered during the data acquisition. ProDiscover also creates an MD5 hash output file. In Chapters 4 and 5, you learn how to use MD5 for forensic analysis and evidence validation.
7. When ProDiscover is finished, click OK in the completion message box. Click File,
Exit from the menu to exit ProDiscover.
Figure 2-6 The Capture Image dialog box
This activity completes your first forensics data acquisition. Next, you learn how to locate
data in an acquisition.
Analyzing Your Digital Evidence
When you analyze digital evidence, your job is to recover the data. If users have deleted or overwritten files on a disk, the disk contains deleted files and file fragments in addition to existing files. Remember that as files are deleted, the space they occupied becomes free space, meaning it can be used for new files that are saved or files that expand as data is added to them. The files that were deleted are still on the disk until a new file is saved to the same physical location, overwriting the original file. In the meantime, those files can still be retrieved. Forensics tools such as ProDiscover Basic can retrieve deleted files for use as evidence.
In the following steps, you analyze George Montgomery's USB drive. Before beginning, extract all compressed files from the Chap02 folder on the book's DVD to your work folder. The first task is loading the acquired image into ProDiscover Basic by following these steps:
1. Start ProDiscover Basic, as you did in the previous activity.
2. To create a new case, click File, New Project from the menu.
3. In the New Project dialog box, type InChp02 in the Project Number text box and
again in the Project File Name text box (see Figure 2-8), and then click OK.
4. In the tree view of the main window (see Figure 2-9), click to expand the Add item,
and then click Image File.
Figure 2-7 The completed Capture Image dialog box
5. In the Open dialog box, navigate to the folder containing the image, click the
InChp02.eve file, and click Open. Click Yes in the Auto Image Checksum message
box, if necessary.
The next task is to display the contents of the acquired data. Perform the following steps:
1. In the tree view, click to expand Content View, if necessary. Click to expand Images, click the image filename path C:\Work\InChp02.eve (substituting your folder path for "Work", for example, C:\Work\Chap02\Chapter), and then click to expand the path.
2. Next, click All Files under the image filename path. When the CAUTION dialog box
opens, click Yes. The InChp02.eve file is then loaded in the main window, as shown
in Figure 2-10.
3. In the upper-right pane (the work area), click the letter1 file to view its content in the
data area (see Figure 2-11).
4. In the data area, you see the contents of the letter1 file. Continue to navigate through the work and data areas and inspect the contents of the recovered evidence. Note that many of these files are deleted files that haven't been overwritten. Leave ProDiscover Basic running for the next activity.
Figure 2-8 The New Project dialog box
Figure 2-9 The tree view in ProDiscover
Figure 2-10 The loaded InChp02.eve file
Figure 2-11 Selecting a file in the work area and viewing its contents in the data area
The next step is analyzing the data and searching for information related to the complaint. Data analysis can be the most time-consuming task, even when you know exactly what to look for in the evidence. The method for locating evidentiary artifacts is to search for specific known data values. Data values can be unique words or nonprintable characters, such as hexadecimal codes. There are also printable character codes that can't be generated from a keyboard, such as the copyright (©) or registered trademark (®) symbols. Many computer forensics programs can search for character strings (letters and numbers) and hexadecimal values, such as A9 for the copyright symbol or AE for the registered trademark symbol. All these searchable data values are referred to as keywords.
With ProDiscover Basic, you can search for keywords of interest in the case. For this case,
follow these steps to search for any reference to the name George:
1. In the tree view, click Search.
2. In the Search dialog box, click the Content Search tab, if necessary. Click the Select all matches check box, the ASCII option button, and the Search for the pattern(s) option button, if they aren't already selected.
3. Next, in the text box under the Search for the pattern(s) option button, type George
(see Figure 2-12).
Figure 2-12 Entering a keyword in the Search dialog box
You can list keywords separately or combine words with the Boolean logic operators AND, OR, and NOT. Searching for a common keyword produces too many hits and makes it difficult to locate evidence of interest to the case. Applying Boolean logic can help reduce unrelated excessive hits, which are called false-positive hits.
4. Under Select the Disk(s)/Image(s) you want to search in, click C:\Work\InChap02.eve
(substituting the path to your work folder), and then click OK to initiate the search.
Leave ProDiscover Basic running for the next activity.
When the search is finished, ProDiscover displays the results in the search results pane in the
work area. Note the tab labeled Search 1 in Figure 2-13. For each search you do in a case,
ProDiscover adds a new tab to help catalog your searches.
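As an added example, not code from the book or from ProDiscover, this Python script performs the kind of keyword search described above over a constructed three-sector image: ASCII keywords, hex keywords such as A9 and AE, and AND/OR/NOT combinations that narrow a common keyword's false-positive hits. Sector numbers stand in for the per-file hit list a forensics tool would show; the image contents and the sector size are constructed.

```python
# Keyword search over a raw image: ASCII and hex keywords, AND/OR/NOT.
# Added example, not the book's or ProDiscover's code; image and sector size are constructed.

SECTOR = 64  # tiny sectors so the constructed image stays readable

# Constructed three-sector image. Sector 1 carries a copyright byte (0xA9) and
# sector 2 a registered-trademark byte (0xAE), the two hex keywords the text names.
SAMPLE_IMAGE = (
    b"Memo to George about the quarterly budget".ljust(SECTOR, b"\x00")
    + b"Invoice \xa9 2008 George Montgomery Consulting".ljust(SECTOR, b"\x00")
    + b"Product name: SuperWidget\xae price list".ljust(SECTOR, b"\x00")
)


def keyword(text: str, mode: str = "ascii") -> bytes:
    """Turn a search term into the byte pattern to look for.
    mode="ascii" searches for the characters as typed (the ASCII option);
    mode="hex" takes a hex string such as "A9" or "A9 20 32"."""
    if mode == "hex":
        return bytes.fromhex(text)
    return text.encode("ascii")


def find_all(image: bytes, pattern: bytes) -> list[int]:
    """Every byte offset at which pattern occurs ("select all matches")."""
    hits, start = [], 0
    while (pos := image.find(pattern, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def sectors_with(image: bytes, pattern: bytes) -> set[int]:
    """Sectors containing the pattern; a hit belongs to the sector it starts in."""
    return {pos // SECTOR for pos in find_all(image, pattern)}


def boolean_search(image: bytes, all_of=(), any_of=(), none_of=()) -> set[int]:
    """AND / OR / NOT over per-sector hits.
    all_of: every pattern must be present (AND); any_of: at least one (OR);
    none_of: none may be present (NOT). Returns the qualifying sector numbers."""
    result = set(range(-(-len(image) // SECTOR)))  # all sectors (ceiling division)
    for pat in all_of:
        result &= sectors_with(image, pat)
    if any_of:
        result &= set().union(*(sectors_with(image, pat) for pat in any_of))
    for pat in none_of:
        result -= sectors_with(image, pat)
    return result


if __name__ == "__main__":
    george = keyword("George")
    copyright_sym = keyword("A9", "hex")
    print("George at offsets", find_all(SAMPLE_IMAGE, george))
    print("George alone hits sectors", boolean_search(SAMPLE_IMAGE, all_of=[george]))
    print("George AND A9 narrows to", boolean_search(SAMPLE_IMAGE, all_of=[george, copyright_sym]))
```

Searching "George" alone also hits the unrelated budget memo in sector 0; combining it with the A9 keyword (AND) leaves only the invoice sector, which is the false-positive reduction the note describes.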
Click each file in the search results pane and examine its content in the data area. If you
locate a file of interest that displays binary (nonprintable) data in the data area, you can
double-click the file to display the data in the work area. Then you can double-click the file
in the work area, and an associated program, such as Microsoft Excel for a spreadsheet,
opens the files content. If you want to extract the file, you can right-click it and click Copy
File.
Figure 2-13 The search results pane
For this example, an Excel spreadsheet named Income.xls is displayed in the search results pane. The information in the data area shows mostly unreadable character data. To examine this data, you can export the data to a folder of your choice, and then open it for follow-up examination and analysis. To export the Income.xls file, perform the following steps:
1. In the search results pane, double-click the Income.xls file, which switches the view to
the work area.
2. In the work area, right-click the Income.xls file and click Copy File.
3. In the Save As dialog box, navigate to the folder you've selected, and click Save.
4. Now that the Income.xls file has been copied to a Windows folder, start Excel (or another spreadsheet program, such as OpenOffice Calc) to examine the file's content. Figure 2-14 shows the extracted file open in OpenOffice Calc. Repeat this data examination and file export process for the remaining files in the search results pane. Then close all open windows except ProDiscover Basic for the next activity.
With ProDiscover's Search feature, you can also search for specific filenames. To use this feature, click the "Search for files named" option button in the Search dialog box. When you're dealing with a very large drive with several thousand files, this useful feature minimizes human error in looking at data.
After completing the detailed examination and analysis, you can then generate a report of
your activities. Several computer forensics programs provide a report generator or log file of
actions taken during an examination. These reports and logs are typically text or HTML
files. The text files are usually in plaintext or Rich Text Format (RTF). ProDiscover Basic
offers a report generator that produces an RTF or a plaintext file that most word processing
programs can read.
Figure 2-14 The extracted Income.xls file
You can also select specific items and add them to the report. For example, to select a file in the work area, click the check box in the Select column next to the file to open the Add Comment dialog box. Enter a description and click OK. The descriptive comment is then added to the ProDiscover Basic report. To create a report in ProDiscover Basic, perform the following steps:
1. In the tree view, click Report. The report is then displayed in the right pane, as shown
in Figure 2-15.
2. To print the report, click File, Print Report from the menu.
3. In the Print dialog box, click OK.
If the report needs to be saved to a file, you use ProDiscover Basic's Export feature and choose RTF or plaintext for the file format. To export the report to a file, do the following:
1. In the tree view, click Report.
2. Click Action, Export from the menu.
3. In the Export dialog box, click the RTF Format or Text Format option button, type
InChp02 in the File Name text box, and then click OK.
To place the report in a different folder, click the Browse button and
navigate to the folder where you want to save the report. Click Save,
and then click OK in the Export dialog box.
4. Review the report, and then click File, Exit from the menu to exit ProDiscover Basic.
Figure 2-15 A ProDiscover report
This activity completes your analysis of the USB drive. In the next section, you learn how to
complete the case. In later chapters, you learn how to apply more search and analysis
techniques.
Completing the Case
After analyzing the disk, you can retrieve deleted files, e-mail, and items that have been purposefully hidden, which you do in Chapters 9, 10, and 12. The files on George's USB drive indicate that he was conducting a side business on his company computer.
Now that you have retrieved and analyzed the evidence, you need to find the answers to the
following questions to write the final report:
• How did George's manager acquire the disk?
• Did George perform the work on a laptop, which is his own property? If so, did he conduct business transactions on his break or during his lunch hour?
• At what times of the day was George using the non-work-related files? How did you retrieve that information?
• Which company policies apply?
• Are there any other items that need to be considered?
When you write your report, state what you did and what you found. The report you generated in ProDiscover gives you an account of the steps you took. As part of your final report, depending on guidance from management or legal counsel, include the ProDiscover report file to document your work. In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as repeatable findings; without it, your work product has no value as evidence.
Keep a written journal of everything you do. Your notes can be used in court, so be mindful
of what you write or e-mail, even to a fellow investigator. Often these journals start out as