book

Cyber Forensics: From Data to Digital Evidence

Name: Cyber Forensics: From Data to Digital Evidence
ISBN: 9781118273661

by Frederic Guillossou, Albert J. Marcella

May 2012

Beginner

342 pages

8h 6m

English

Wiley

Read now

Unlock full access

Cover
Contents
Title
Copyright
Dedication
Preface
Acknowledgments
Chapter One: The Fundamentals of Data
Base 2 Numbering System: Binary and Character EncodingCommunication in a Two-State UniverseElectricity and MagnetismBuilding Blocks: The Origins of DataGrowing the Building Blocks of DataMoving Beyond Base 2American Standard Code for Information InterchangeCharacter Codes: The Basis for Processing Textual DataExtended ASCII and UnicodeSummaryNotes
Chapter Two: Binary to Decimal
American Standard Code for Information InterchangeComputer as a CalculatorWhy is this Important in Forensics?Data RepresentationConverting Binary to DecimalConversion AnalysisA Forensic Case Example: An Application of the MathDecimal to Binary: Recap for ReviewSummary
Chapter Three: The Power of HEX: Finding Slivers of Data
What the HEX?Bits and Bytes and NibblesNibbles and BitsBinary to HEX ConversionBinary (HEX) EditorThe Needle within the HaystackSummaryNotes

Chapter Four: Files
OpeningFiles, File Structures, and File FormatsFile ExtensionsChanging a File’s Extension to Evade DetectionFiles and the HEX EditorFile SignatureASCII is not Text or HEXValue of File SignaturesComplex Files: Compound, Compressed, and Encrypted FilesWhy do Compound Files Exist?Compressed FilesForensics and Encrypted FilesThe Structure of CiphersSummaryNotesAppendix 4A: Common File ExtensionsAppendix 4B: File Signature DatabaseAppendix 4C: Magic Number DefinitionAppendix 4D: Compound Document Header
Chapter Five: The Boot Process and the Master Boot Record (MBR)
Booting UpPrimary Functions of the Boot ProcessForensic Imaging and Evidence CollectionSummarizing the BIOSBIOS Setup Utility: Step by StepThe Master Boot Record (MBR)Partition TableHard Disk PartitionSummaryNotes
Chapter Six: Endianness and the Partition Table
The Flavor of EndiannessEndiannessThe Origins of EndianPartition Table within the Master Boot RecordSummaryNotes
Chapter Seven: Volume versus Partition
Tech ReviewCylinder, Head, Sector, and Logical Block AddressingVolumes and PartitionsSummaryNotes
Chapter Eight: File Systems—FAT 12/16
Tech ReviewFile SystemsMetadataFile Allocation Table (FAT) File SystemSlackHEX Review NoteDirectory EntriesFile Allocation Table (FAT)How is Cluster Size Determined?Expanded Cluster SizeDirectory Entries and the FATFAT Filing System LimitationsDirectory Entry LimitationsSummaryAppendix 8A: Partition Table FieldsAppendix 8B: File Allocation Table ValuesAppendix 8C: Directory Entry Byte Offset DescriptionAppendix 8D: FAT 12/16 Byte Offset ValuesAppendix 8E: FAT 32 Byte Offset ValuesAppendix 8F: The Power of 2
Chapter Nine: File Systems—NTFS and Beyond
New Technology File SystemPartition Boot RecordMaster File TableNTFS SummaryexFATAlternative Filing System ConceptsSummaryNotesAppendix 9A: Common NTFS System Defined Attributes
Chapter Ten: Cyber Forensics: Investigative Smart Practices
The Forensic ProcessForensic Investigative Smart PracticesTimeSummaryNote
Chapter Eleven: Time and Forensics
What is Time?Network Time ProtocolTimestamp DataKeeping Track of TimeClock Models and Time Bounding: The Foundations of Forensic TimeMS-DOS 32-Bit Timestamp: Date and TimeDate DeterminationTime DeterminationTime InaccuracySummaryNotes
Chapter Tweleve: Investigation: Incident Closure
Forensic Investigative Smart PracticesStep 5: Investigation (Continued)Step 6: Communicate FindingsCharacteristics of a Good Cyber Forensic ReportReport ContentsStep 7: Retention and Curation of EvidenceStep 8: Investigation Wrap-Up and ConclusionInvestigator’s Role as an Expert WitnessSummaryNotes
Chapter Thirteen: A Cyber Forensic Process Summary
BinaryBinary—Decimal—ASCIIData Versus CodeHEXFrom Raw Data to FilesAccessing FilesEndiannessPartitionsFile SystemsTimeThe Investigation ProcessSummary
Appendix
Glossary
About the Authors
Index

Content preview from Cyber Forensics: From Data to Digital Evidence

Appendix Forensic Investigations, ABC Inc.

Ronelle Sawyer

June 12, 2009

Forensic Report

Case # 000029

Distribution List

Group, Contact Name	Location	Title/Department/Business Unit
Legal	ABC Inc. Headquarters	Security Operations
HR	ABC Inc. Headquarters	Security Operations

DOCUMENT RELEASE AND CONFIDENTIALITY

This document is proprietary and confidential and has been released only to the persons listed above. It may not be distributed outside the organization without written approval from ABC Inc. Legal department.

1 EXECUTIVE SUMMARY

On April 1, 2009, ABC Inc. Legal department contacted the ABC Inc. Forensic Investigations department regarding the cyber forensic examination of a hard drive belonging to Jose McCarthy. There were suspicions that McCarthy was attempting to sell intellectual property belonging to ABC Inc. to a competitor, XYZ Company. The hard drive used by McCarthy was forensically examined to determine if there were any indications of intellectual property theft.

After careful cyber forensic analysis of McCarthy’s hard drive a letter was found showing intent to sell proprietary information.

2 FORENSIC ACQUISITION

2.1 Custody and Storage

On April 6, 2009 Ronelle Sawyer, cyber forensic investigator with ABC Inc., received McCarthy’s hard drive for analysis. Ronelle Sawyer performed Chain of Custody with Legal and took possession of the evidence (see the following graphic). Evidence was locked in a security vault until acquisition was performed.

2.2 Forensic ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Cyber Crime and Cyber Terrorism Investigator's Handbook

Publisher Resources

ISBN: 9781118273661Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cyber Forensics: From Data to Digital Evidence

by Frederic Guillossou, Albert J. Marcella

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.