book

Computer Forensics For Dummies®

Name: Computer Forensics For Dummies®
ISBN: 9780470371916

by Linda Volonino, Reynaldo Anzaldua

October 2008

Beginner to intermediate

384 pages

9h 3m

English

For Dummies

Read now

Unlock full access

Copyright
About The Authors
Authors' Acknowledgments
Publisher's Acknowledgments
Introduction
Who Should Read This Book?About This BookHow to Use This BookWhat You Don't Need to ReadFoolish AssumptionsHow This Book Is OrganizedPart I: Digging Out and Documenting Electronic EvidencePart II: Preparing to Crack the CasePart III: Doing Computer Forensic InvestigationsPart IV: Succeeding in CourtPart V: The Part of TensGlossaryAbout the Web Site and BlogIcons Used in This BookWhere to Go from Here
I. Digging Out and Documenting Electronic Evidence
1. Knowing What Your Digital Devices Create, Capture, and Pack Away — Until Revelation Day
1.1. Living and Working in a Recorded World1.1.1. Deleting is a misnomer1.1.2. Getting backed up1.1.3. Delusions of privacy danced in their headsets1.2. Giving the Third Degree to Computers, Electronics, and the Internet1.3. Answering the Big Questions1.3.1. What is my computer doing behind my back?1.3.1.1. Can you hear me now?1.3.1.2. Surfers Non-Anonymous1.3.1.3. The unblinking eyes of search engines1.3.2. How does my data get out there?1.3.3. Why can data be discovered and recovered easily?1.4. Examining Investigative Methods1.4.1. Getting permission1.4.2. Choosing your forensic tools1.4.3. Knowing what to look for and where1.4.4. Gathering evidence properly1.5. Revealing Investigation Results1.5.1. Preparing bulletproof findings1.5.2. Making it through trial
2. Suiting Up for a Lawsuit or Criminal Investigation
2.1. Deciphering the Legal Codes2.1.1. Learning about relevancy and admissibility2.1.2. Getting started with electronic discovery2.1.3. Deciding what's in and what's not2.1.4. Playing by the rules2.2. Managing E-Discovery2.2.1. Understanding that timing is everything2.2.2. Grasping ESI discovery problems2.2.3. Avoiding overbroad requests2.2.4. Shaping the request2.2.5. Stepping through the response2.3. Conducting the Investigation in Good Faith2.4. Deciding Who's Paying the Bill
3. Getting Authorized to Search and Seize
3.1. Getting Authority: Never Start Without It3.1.1. Acknowledging who's the boss (not you!)3.1.2. Putting together your team3.1.3. Involving external sources3.1.4. No warrant, no problem (if it's done legally)3.2. Criminal Cases: Papering Your Behind (CYA)3.2.1. Learning about the case and the target3.2.2. Drafting an affidavit for a search warrant3.2.3. Presenting an affidavit for judicial processing3.3. Civil Cases: Verifying Company Policy3.3.1. Searching with verbal permission (without a warrant)3.3.2. Obtaining a subpoena
4. Documenting and Managing the Crime Scene
4.1. Obsessing over Documentation4.1.1. Keeping the chain complete4.1.2. Dealing with carbon memories4.1.3. Deciding who gets the evidence first4.1.4. Getting to the truth4.1.4.1. Using scientific methods4.1.4.2. Recognizing Occam's razor4.2. Directing the Scene4.2.1. Papering the trail4.2.2. Recording the scene: Video4.2.3. Recording the sounds: Audio4.2.4. Getting the lead out4.3. Managing Evidence Behind the Yellow Tape4.3.1. Arriving ready to roll: Bringing the right tools4.3.2. Minimizing your presence4.4. Stepping Through the Scene4.4.1. Securing the area4.4.2. Surveying the scene4.4.3. Transporting the e-evidence

II. Preparing to Crack the Case
5. Minding and Finding the Loopholes
5.1. Deciding to Take On a Client5.1.1. Learning about the case and the theory5.1.2. Finding out the client's priorities5.1.3. Timing your work5.1.4. Defining the scope of work5.2. Determining Whether You Can Help the Case5.2.1. Serving as a resource for the lawyer5.2.2. Taking an active role5.2.3. Answering big, blunt questions5.2.4. Signing on the dotted line5.3. Passing the Court's Standard As a Reliable Witness5.3.1. Getting your credentials accepted5.3.2. Impressing opinions on the jury5.4. Going Forward with the Case5.4.1. Digging into the evidence5.4.2. Organizing and documenting your work5.4.3. Researching and digging for intelligence5.5. Keeping a Tight Forensic Defense5.5.1. Plugging loopholes5.5.1.1. Preinvestigation preparation5.5.1.2. Acquisition and preservation5.5.1.3. Authentication5.5.1.4. Analysis5.5.1.5. Production and reporting
6. Acquiring and Authenticating E-Evidence
6.1. Acquiring E-Evidence Properly6.2. Step 1: Determine the Type of Media You're Working With6.3. Step 2: Find the Right Tool6.3.1. Finding all the space6.3.2. A write-protect device6.3.3. Sterile media6.4. Step 3: Transfer Data6.4.1. Transferring data in the field6.4.2. From computer to computer6.4.3. From storage device to computer6.5. Step 4: Authenticate the Preserved Data6.6. Step 5: Make a Duplicate of the Duplicate
7. Examining E-Evidence
7.1. The Art of Scientific Inquiry7.2. Gearing Up for Challenges7.3. Getting a Handle on Search Terms7.3.1. Defining your search list7.3.2. Using forensic software to search7.3.2.1. Searching by keyword7.3.2.2. Expressing a search with Boolean7.3.3. Assuming risks7.4. Challenging Your Results: Plants and Frames and Being in the Wrong Place7.4.1. Knowing what can go wrong7.4.2. Looking beyond the file7.5. Finding No Evidence7.5.1. No evidence of who logged in7.5.2. No evidence of how it got there7.6. Reporting Your Analysis
8. Extracting Hidden Data
8.1. Recognizing Attempts to Blind the Investigator8.1.1. Encryption and compression8.1.2. Data hiding techniques8.1.2.1. File extensions8.1.2.2. Hidden files8.1.2.3. Hidden shares8.1.2.4. Alternate data streams8.1.2.5. Layers8.1.2.6. Steganography8.2. Defeating Algorithms, Hashes, and Keys8.3. Finding Out-of-Sight Bytes8.4. Cracking Passwords8.4.1. Knowing when to crack and when not to crack8.4.2. Disarming passwords to get in8.4.3. Circumventing passwords to sneak in8.5. Decrypting the Encrypted8.5.1. Sloppiness cracks PGP8.5.2. Desperate measures
III. Doing Computer Forensics Investigations
9. E-Mail and Web Forensics
9.1. Opening Pandora's Box of E-Mail9.1.1. Following the route of e-mail packets9.1.2. Becoming Exhibit A9.1.3. Tracking the biggest trend in civil litigation9.2. Scoping Out E-Mail Architecture9.2.1. E-mail structures9.2.2. E-mail addressing9.2.3. E-mail lingo9.2.4. E-mail in motion9.3. Seeing the E-Mail Forensics Perspective9.3.1. Dissecting the message9.3.2. Expanding headers9.3.3. Checking for e-mail extras9.4. Examining Client-Based E-Mail9.4.1. Extracting e-mail from clients9.4.2. Getting to know e-mail file extensions9.4.3. Copying the e-mail9.4.4. Printing the e-mail9.5. Investigating Web-Based Mail9.6. Searching Browser Files9.6.1. Temporary files9.6.2. Internet history9.7. Looking through Instant Messages
10. Data Forensics
10.1. Delving into Data Storage10.1.1. The anatomy of a disk drive10.1.2. Microsoft operating systems10.1.2.1. FAT10.1.2.2. NTFS10.1.3. Apple: HFS10.1.4. Linux/Unix10.2. Finding Digital Cavities Where Data Hides10.2.1. Deleted files10.2.1.1. Retrieving deleted files10.2.1.2. Retrieving cached files10.2.1.3. Retrieving files in unallocated space10.2.1.4. Retrieving files in file slack areas10.2.2. Non-accessible space10.2.3. RAM10.2.4. Windows Registry10.2.5. Search filtering10.3. Extracting Data10.4. Rebuilding Extracted Data
11. Document Forensics
11.1. Finding Evidential Material in Documents: Metadata11.1.1. Viewing metadata11.1.2. Extracting metadata11.2. Honing In on CAM (Create, Access, Modify) Facts11.3. Discovering Documents11.3.1. Luring documents out of local storage11.3.1.1. Matching file headers to extensions11.3.1.2. Modifying the file header11.3.2. Finding links and external storage11.3.2.1. Finding external storage options11.3.2.2. Finding external networks11.3.3. Rounding up backups
12. Mobile Forensics
12.1. Keeping Up with Data on the Move12.1.1. Shifting from desktop to handhelds12.1.2. Considering mobile devices forensically12.1.3. Recognizing the imperfect understanding of the technology12.2. Making a Device Seizure12.2.1. Mobile phones and SIM cards12.2.1.1. The cellular network12.2.1.2. The device you're investigating12.2.1.3. Phone characteristics12.2.1.4. The SIM card12.2.2. Personal digital assistants12.2.3. Digital cameras12.2.4. Digital audio recorders12.3. Cutting-Edge Cellular Extractions12.3.1. Equipping for mobile forensics12.3.2. Mobile forensic hardware12.3.3. Securing the mobile device12.3.4. Finding mobile data12.3.5. Examining a smart phone step-by-step
13. Network Forensics
13.1. Mobilizing Network Forensic Power13.2. Identifying Network Components13.2.1. Looking at the Open Systems Interconnection Model (OSI)13.2.2. Cooperating with secret agents and controlling servers13.3. Saving Network Data13.3.1. Categorizing the data13.3.2. Figuring out where to store all those bytes13.3.2.1. Storage area network (SAN)13.3.2.2. Network attached storage (NAS)13.3.2.3. Direct attached storage (DAS)13.4. Re-Creating an Event from Traffic13.4.1. Analyzing time stamps13.4.2. Putting together a data sequence13.4.3. Spotting different data streams13.5. Looking at Network Forensic Tools13.5.1. Test Access Port (TAP)13.5.2. Mirrors13.5.3. Promiscuous NIC13.5.4. Wireless13.6. Discovering Network Forensic Vendors
14. Investigating X-Files: eXotic Forensics
14.1. Taking a Closer Look at Answering Machines14.2. Examining Video Surveillance Systems14.3. Cracking Home Security Systems14.4. Tracking Automobiles14.5. Extracting Information from Radio Frequency Identification (RFID)14.6. Examining Copiers14.7. Taking a Look On the Horizon
IV. Succeeding in Court
15. Holding Up Your End at Pretrial
15.1. Pretrial Motions15.1.1. Motion to suppress evidence15.1.2. Motion in limine15.1.3. Motion to dismiss15.1.4. Other motions15.2. Handling Pretrial Hearings15.3. Giving a Deposition15.3.1. Swearing to tell truthful opinions15.3.2. Surviving a deposition15.3.3. Bulletproofing your opinions15.3.4. Checking your statements15.3.5. Fighting stage fright
16. Winning a Case Before You Go to Court
16.1. Working Around Wrong Moves16.2. Responding to Opposing Experts16.2.1. Dealing with counterparts16.2.2. Formatting your response16.2.3. Responding to affidavits16.2.4. Hardening your testimony
17. Standing Your Ground in Court
17.1. Making Good on Deliverables17.2. Understanding Barroom Brawls in the Courtroom17.2.1. Managing challenging issues17.2.2. Sitting on the stand17.2.3. Instructing jurors about expert testimony17.3. Presenting E-Evidence to Persuade17.3.1. Staging a disaster17.3.2. Exhibiting like an expert17.4. Communicating to the Court17.4.1. Giving testimony about the case17.4.2. Answering about yourself17.4.3. Getting paid without conflict
V. The Part of Tens
18. Ten Ways to Get Qualified and Prepped for Success
18.1. The Front Ten: Certifications18.1.1. ACE: AccessData18.1.2. CCE: Certified Computer Examiner18.1.3. CFCE: Certified Forensic Computer Examiner18.1.4. CEECS: Certified Electronic Evidence Collection Specialist18.1.5. Cisco: Various certifications18.1.6. CISSP: Certified Information Systems Security Professional18.1.7. CompTia: Various certifications18.1.8. EnCE: Guidance Software18.1.9. Paraben training18.1.10. SANS and GCFA: GIAC Certified Forensics Analyst18.2. The Back Ten: Journals and Education
19. Ten Tactics of an Excellent Investigator and a Dangerous Expert Witness
19.1. Stick to Finding and Telling the Truth19.2. Don't Fall for Counsel's Tricks in Court19.3. Be Irrefutable19.4. Submit a Descriptive, Complete Bill19.5. Prepare a Clear, Complete Report19.6. Understand Nonverbal Cues19.7. Look 'Em Straight in the Eye19.8. Dress for Your Role As a Professional19.9. Stay Certified and Up-to-Date19.10. Know When to Say No
20. Ten Cool Tools for Computer Forensics
20.1. Computer Forensic Software Tools20.1.1. EnCase20.1.2. Forensic ToolKit (FTK)20.1.3. Device Seizure20.2. Computer Forensic Hardware20.2.1. FRED20.2.2. WiebeTech Forensic Field Kit20.2.3. Logicube20.3. Computer Forensic Laboratories20.3.1. Computer forensic data server20.3.2. Forensic write blockers20.3.3. Media wiping equipment20.3.4. Recording equipment
Glossary

Content preview from Computer Forensics For Dummies®

Chapter 11. Document Forensics

In This Chapter

Finding data about data
Finding the CAM
Where documents are found

What a document says about the person who created it is almost as important as what the document's intended purpose appears to be. You have a document that has smoking gun evidence, but how do you really know that the suspect wrote the document and when it was written? Just extracting a document and intending to use it as evidence of a crime aren't enough to do a complete analysis. You must link the evidence to the suspect in some way, and that's where document forensics and the use of metadata come into play.

Metadata is simply data about data. Because the computer field is huge, metadata is necessarily different for many individual computer fields or domains. For example, document metadata is much different from Web page metadata, but they both describe in some form the characteristics of the data they represent. For example, one piece of metadata for a digital photo is the time stamp indicating when the photo was taken.

When you're doing an investigation, one of the classic questions any television investigator would ask is, "Where were you on January 2, 2008, and can you prove it?" Computer forensics and, by association, document forensics have the same goal as your regular physical forensic counterpart — computer forensics wants the truth, but needs hard digital evidence to prove that truth. The key with computers is not only knowing the right question to ask, but how ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780470371916Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Computer Forensics For Dummies®

by Linda Volonino, Reynaldo Anzaldua

Chapter 11. Document Forensics

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.