book

Computer Forensics For Dummies®

by Linda Volonino, Reynaldo Anzaldua

October 2008

Beginner to intermediate

384 pages

9h 3m

English

For Dummies

Read now

Unlock full access

Who Should Read This Book?About This BookHow to Use This BookWhat You Don't Need to ReadFoolish AssumptionsHow This Book Is OrganizedPart I: Digging Out and Documenting Electronic EvidencePart II: Preparing to Crack the CasePart III: Doing Computer Forensic InvestigationsPart IV: Succeeding in CourtPart V: The Part of TensGlossaryAbout the Web Site and BlogIcons Used in This BookWhere to Go from Here
1.1. Living and Working in a Recorded World1.1.1. Deleting is a misnomer1.1.2. Getting backed up1.1.3. Delusions of privacy danced in their headsets1.2. Giving the Third Degree to Computers, Electronics, and the Internet1.3. Answering the Big Questions1.3.1. What is my computer doing behind my back?1.3.1.1. Can you hear me now?1.3.1.2. Surfers Non-Anonymous1.3.1.3. The unblinking eyes of search engines1.3.2. How does my data get out there?1.3.3. Why can data be discovered and recovered easily?1.4. Examining Investigative Methods1.4.1. Getting permission1.4.2. Choosing your forensic tools1.4.3. Knowing what to look for and where1.4.4. Gathering evidence properly1.5. Revealing Investigation Results1.5.1. Preparing bulletproof findings1.5.2. Making it through trial
2.1. Deciphering the Legal Codes2.1.1. Learning about relevancy and admissibility2.1.2. Getting started with electronic discovery2.1.3. Deciding what's in and what's not2.1.4. Playing by the rules2.2. Managing E-Discovery2.2.1. Understanding that timing is everything2.2.2. Grasping ESI discovery problems2.2.3. Avoiding overbroad requests2.2.4. Shaping the request2.2.5. Stepping through the response2.3. Conducting the Investigation in Good Faith2.4. Deciding Who's Paying the Bill
3.1. Getting Authority: Never Start Without It3.1.1. Acknowledging who's the boss (not you!)3.1.2. Putting together your team3.1.3. Involving external sources3.1.4. No warrant, no problem (if it's done legally)3.2. Criminal Cases: Papering Your Behind (CYA)3.2.1. Learning about the case and the target3.2.2. Drafting an affidavit for a search warrant3.2.3. Presenting an affidavit for judicial processing3.3. Civil Cases: Verifying Company Policy3.3.1. Searching with verbal permission (without a warrant)3.3.2. Obtaining a subpoena
4.1. Obsessing over Documentation4.1.1. Keeping the chain complete4.1.2. Dealing with carbon memories4.1.3. Deciding who gets the evidence first4.1.4. Getting to the truth4.1.4.1. Using scientific methods4.1.4.2. Recognizing Occam's razor4.2. Directing the Scene4.2.1. Papering the trail4.2.2. Recording the scene: Video4.2.3. Recording the sounds: Audio4.2.4. Getting the lead out4.3. Managing Evidence Behind the Yellow Tape4.3.1. Arriving ready to roll: Bringing the right tools4.3.2. Minimizing your presence4.4. Stepping Through the Scene4.4.1. Securing the area4.4.2. Surveying the scene4.4.3. Transporting the e-evidence

5.1. Deciding to Take On a Client5.1.1. Learning about the case and the theory5.1.2. Finding out the client's priorities5.1.3. Timing your work5.1.4. Defining the scope of work5.2. Determining Whether You Can Help the Case5.2.1. Serving as a resource for the lawyer5.2.2. Taking an active role5.2.3. Answering big, blunt questions5.2.4. Signing on the dotted line5.3. Passing the Court's Standard As a Reliable Witness5.3.1. Getting your credentials accepted5.3.2. Impressing opinions on the jury5.4. Going Forward with the Case5.4.1. Digging into the evidence5.4.2. Organizing and documenting your work5.4.3. Researching and digging for intelligence5.5. Keeping a Tight Forensic Defense5.5.1. Plugging loopholes5.5.1.1. Preinvestigation preparation5.5.1.2. Acquisition and preservation5.5.1.3. Authentication5.5.1.4. Analysis5.5.1.5. Production and reporting
6.1. Acquiring E-Evidence Properly6.2. Step 1: Determine the Type of Media You're Working With6.3. Step 2: Find the Right Tool6.3.1. Finding all the space6.3.2. A write-protect device6.3.3. Sterile media6.4. Step 3: Transfer Data6.4.1. Transferring data in the field6.4.2. From computer to computer6.4.3. From storage device to computer6.5. Step 4: Authenticate the Preserved Data6.6. Step 5: Make a Duplicate of the Duplicate
7.1. The Art of Scientific Inquiry7.2. Gearing Up for Challenges7.3. Getting a Handle on Search Terms7.3.1. Defining your search list7.3.2. Using forensic software to search7.3.2.1. Searching by keyword7.3.2.2. Expressing a search with Boolean7.3.3. Assuming risks7.4. Challenging Your Results: Plants and Frames and Being in the Wrong Place7.4.1. Knowing what can go wrong7.4.2. Looking beyond the file7.5. Finding No Evidence7.5.1. No evidence of who logged in7.5.2. No evidence of how it got there7.6. Reporting Your Analysis
8.1. Recognizing Attempts to Blind the Investigator8.1.1. Encryption and compression8.1.2. Data hiding techniques8.1.2.1. File extensions8.1.2.2. Hidden files8.1.2.3. Hidden shares8.1.2.4. Alternate data streams8.1.2.5. Layers8.1.2.6. Steganography8.2. Defeating Algorithms, Hashes, and Keys8.3. Finding Out-of-Sight Bytes8.4. Cracking Passwords8.4.1. Knowing when to crack and when not to crack8.4.2. Disarming passwords to get in8.4.3. Circumventing passwords to sneak in8.5. Decrypting the Encrypted8.5.1. Sloppiness cracks PGP8.5.2. Desperate measures
9.1. Opening Pandora's Box of E-Mail9.1.1. Following the route of e-mail packets9.1.2. Becoming Exhibit A9.1.3. Tracking the biggest trend in civil litigation9.2. Scoping Out E-Mail Architecture9.2.1. E-mail structures9.2.2. E-mail addressing9.2.3. E-mail lingo9.2.4. E-mail in motion9.3. Seeing the E-Mail Forensics Perspective9.3.1. Dissecting the message9.3.2. Expanding headers9.3.3. Checking for e-mail extras9.4. Examining Client-Based E-Mail9.4.1. Extracting e-mail from clients9.4.2. Getting to know e-mail file extensions9.4.3. Copying the e-mail9.4.4. Printing the e-mail9.5. Investigating Web-Based Mail9.6. Searching Browser Files9.6.1. Temporary files9.6.2. Internet history9.7. Looking through Instant Messages
10.1. Delving into Data Storage10.1.1. The anatomy of a disk drive10.1.2. Microsoft operating systems10.1.2.1. FAT10.1.2.2. NTFS10.1.3. Apple: HFS10.1.4. Linux/Unix10.2. Finding Digital Cavities Where Data Hides10.2.1. Deleted files10.2.1.1. Retrieving deleted files10.2.1.2. Retrieving cached files10.2.1.3. Retrieving files in unallocated space10.2.1.4. Retrieving files in file slack areas10.2.2. Non-accessible space10.2.3. RAM10.2.4. Windows Registry10.2.5. Search filtering10.3. Extracting Data10.4. Rebuilding Extracted Data
11.1. Finding Evidential Material in Documents: Metadata11.1.1. Viewing metadata11.1.2. Extracting metadata11.2. Honing In on CAM (Create, Access, Modify) Facts11.3. Discovering Documents11.3.1. Luring documents out of local storage11.3.1.1. Matching file headers to extensions11.3.1.2. Modifying the file header11.3.2. Finding links and external storage11.3.2.1. Finding external storage options11.3.2.2. Finding external networks11.3.3. Rounding up backups
12.1. Keeping Up with Data on the Move12.1.1. Shifting from desktop to handhelds12.1.2. Considering mobile devices forensically12.1.3. Recognizing the imperfect understanding of the technology12.2. Making a Device Seizure12.2.1. Mobile phones and SIM cards12.2.1.1. The cellular network12.2.1.2. The device you're investigating12.2.1.3. Phone characteristics12.2.1.4. The SIM card12.2.2. Personal digital assistants12.2.3. Digital cameras12.2.4. Digital audio recorders12.3. Cutting-Edge Cellular Extractions12.3.1. Equipping for mobile forensics12.3.2. Mobile forensic hardware12.3.3. Securing the mobile device12.3.4. Finding mobile data12.3.5. Examining a smart phone step-by-step
13.1. Mobilizing Network Forensic Power13.2. Identifying Network Components13.2.1. Looking at the Open Systems Interconnection Model (OSI)13.2.2. Cooperating with secret agents and controlling servers13.3. Saving Network Data13.3.1. Categorizing the data13.3.2. Figuring out where to store all those bytes13.3.2.1. Storage area network (SAN)13.3.2.2. Network attached storage (NAS)13.3.2.3. Direct attached storage (DAS)13.4. Re-Creating an Event from Traffic13.4.1. Analyzing time stamps13.4.2. Putting together a data sequence13.4.3. Spotting different data streams13.5. Looking at Network Forensic Tools13.5.1. Test Access Port (TAP)13.5.2. Mirrors13.5.3. Promiscuous NIC13.5.4. Wireless13.6. Discovering Network Forensic Vendors
14.1. Taking a Closer Look at Answering Machines14.2. Examining Video Surveillance Systems14.3. Cracking Home Security Systems14.4. Tracking Automobiles14.5. Extracting Information from Radio Frequency Identification (RFID)14.6. Examining Copiers14.7. Taking a Look On the Horizon
15.1. Pretrial Motions15.1.1. Motion to suppress evidence15.1.2. Motion in limine15.1.3. Motion to dismiss15.1.4. Other motions15.2. Handling Pretrial Hearings15.3. Giving a Deposition15.3.1. Swearing to tell truthful opinions15.3.2. Surviving a deposition15.3.3. Bulletproofing your opinions15.3.4. Checking your statements15.3.5. Fighting stage fright
16.1. Working Around Wrong Moves16.2. Responding to Opposing Experts16.2.1. Dealing with counterparts16.2.2. Formatting your response16.2.3. Responding to affidavits16.2.4. Hardening your testimony
17.1. Making Good on Deliverables17.2. Understanding Barroom Brawls in the Courtroom17.2.1. Managing challenging issues17.2.2. Sitting on the stand17.2.3. Instructing jurors about expert testimony17.3. Presenting E-Evidence to Persuade17.3.1. Staging a disaster17.3.2. Exhibiting like an expert17.4. Communicating to the Court17.4.1. Giving testimony about the case17.4.2. Answering about yourself17.4.3. Getting paid without conflict
18.1. The Front Ten: Certifications18.1.1. ACE: AccessData18.1.2. CCE: Certified Computer Examiner18.1.3. CFCE: Certified Forensic Computer Examiner18.1.4. CEECS: Certified Electronic Evidence Collection Specialist18.1.5. Cisco: Various certifications18.1.6. CISSP: Certified Information Systems Security Professional18.1.7. CompTia: Various certifications18.1.8. EnCE: Guidance Software18.1.9. Paraben training18.1.10. SANS and GCFA: GIAC Certified Forensics Analyst18.2. The Back Ten: Journals and Education
19.1. Stick to Finding and Telling the Truth19.2. Don't Fall for Counsel's Tricks in Court19.3. Be Irrefutable19.4. Submit a Descriptive, Complete Bill19.5. Prepare a Clear, Complete Report19.6. Understand Nonverbal Cues19.7. Look 'Em Straight in the Eye19.8. Dress for Your Role As a Professional19.9. Stay Certified and Up-to-Date19.10. Know When to Say No
20.1. Computer Forensic Software Tools20.1.1. EnCase20.1.2. Forensic ToolKit (FTK)20.1.3. Device Seizure20.2. Computer Forensic Hardware20.2.1. FRED20.2.2. WiebeTech Forensic Field Kit20.2.3. Logicube20.3. Computer Forensic Laboratories20.3.1. Computer forensic data server20.3.2. Forensic write blockers20.3.3. Media wiping equipment20.3.4. Recording equipment

Overview

Uncover a digital trail of e-evidence by using the helpful, easy-to-understand information in Computer Forensics For Dummies! Professional and armchair investigators alike can learn the basics of computer forensics, from digging out electronic evidence to solving the case. You won’t need a computer science degree to master e-discovery. Find and filter data in mobile devices, e-mail, and other Web-based technologies.

You’ll learn all about e-mail and Web-based forensics, mobile forensics, passwords and encryption, and other e-evidence found through VoIP, voicemail, legacy mainframes, and databases. You’ll discover how to use the latest forensic software, tools, and equipment to find the answers that you’re looking for in record time. When you understand how data is stored, encrypted, and recovered, you’ll be able to protect your personal privacy as well. By the time you finish reading this book, you’ll know how to:

Prepare for and conduct computer forensics investigations
Find and filter data
Protect personal privacy
Transfer evidence without contaminating it
Anticipate legal loopholes and opponents’ methods
Handle passwords and encrypted data
Work with the courts and win the case

Plus, Computer Forensics for Dummies includes lists of things that everyone interested in computer forensics should know, do, and build. Discover how to get qualified for a career in computer forensics, what to do to be a great investigator and expert witness, and how to build a forensics lab or toolkit.