Digital Forensics for Legal Professionals

Book Description

Digital Forensics for Legal Professionals is a complete non-technical guide for legal professionals and students to understand digital forensics. In the authors’ years of experience in working with attorneys as digital forensics experts, common questions arise again and again: "What do I ask for?" "Is the evidence relevant?" "What does this item in the forensic report mean?" "What should I ask the other expert?" "What should I ask you?" "Can you explain that to a jury?" This book answers many of those questions in clear language that is understandable by non-technical people. With many illustrations and diagrams that will be usable in court, it explains technical concepts such as unallocated space, forensic copies, timeline artifacts and metadata in simple terms that make these concepts accessible to both attorneys and juries.

The book also explains how to determine what evidence to ask for and what evidence might be discoverable. It provides an overview of the current state of digital forensics, the right way to select a qualified expert, what to expect from that expert, and how to properly use experts before and during trial. With this book, readers will clearly understand the different types of digital evidence and see examples of direct and cross examination questions. It includes a reference of definitions of digital forensic terms, relevant case law, and resources.

This book will be a valuable resource for attorneys, judges, paralegals, and digital forensic professionals.

  • Provides examples of direct and cross examination questions for digital evidence
  • Contains a reference of definitions of digital forensic terms, relevant case law, and resources for the attorney

Table of Contents

  1. Cover image
  2. Table of Contents
  3. Front-matter
  4. Copyright
  5. Preface
  6. Dedication
  7. About the Authors
  8. About the Tech Editors
  9. Chapter 1. Digital Evidence Is Everywhere
  10. 1.1. What is digital forensics?
  11. 1.2. What is digital evidence?
  12. 1.3. How digital evidence is created and stored
  13. Chapter 2. Overview of Digital Forensics
  14. 2.1. Digital forensics
  15. 2.2. A little computer history
  16. 2.3. A brief history of computer forensics
  17. 2.4. Computer forensics becomes digital forensics
  18. Chapter 3. Digital Forensics
  19. 3.1. The subdisciplines
  20. 3.2. Computer forensics
  21. Chapter 4. The Foundations of Digital Forensics
  22. 4.1. Who establishes best practices?
  23. 4.2. Who should be following best practices?
  24. 4.3. Summary of best practices
  25. 4.4. What really happens in many cases
  26. Chapter 5. Overview of Digital Forensics Tools
  27. 5.1. What makes a tool forensically sound?
  28. 5.2. Who performs tool testing?
  29. 5.3. Computer forensics tools: An overview
  30. 5.4. Classes of forensics tools
  31. 5.5. Mobile device forensics tools
  32. Chapter 6. Digital Forensics at Work in the Legal System
  33. 6.1. Mitigation
  34. 6.2. Pre-trial motions
  35. 6.3. Trial preparation
  36. 6.4. Example trial questions
  37. 6.5. Trial phase
  38. Chapter 7. Why Do I Need an Expert?
  39. 7.1. Why hire a digital forensics expert?
  40. 7.2. When to hire a digital forensics expert
  41. Chapter 8. The Difference between Computer Experts and Digital Forensics Experts
  42. 8.1. The computer expert
  43. 8.2. The digital forensics expert
  44. 8.3. A side-by-side comparison
  45. 8.4. Investigation of digital evidence
  46. Chapter 9. Selecting a Digital Forensics Expert
  47. 9.1. What is an expert?
  48. 9.2. Locating and selecting an expert
  49. 9.3. Certifications
  50. 9.4. Training, education, and experience
  51. 9.5. The right forensic tools
  52. Chapter 10. What to Expect from an Expert
  53. 10.1. General expectations
  54. 10.2. Where to begin?
  55. 10.3. The examination
  56. 10.4. Court preparation
  57. 10.5. Expert advice
  58. Chapter 11. Approaches by Different Types of Examiners
  59. 11.1. Standards
  60. 11.2. Training and experience
  61. 11.3. Impact on examinations
  62. 11.4. Ethics
  63. 11.5. The approach to an examination
  64. Chapter 12. Spotting a Problem Expert
  65. 12.1. Beyond the window dressings
  66. Chapter 13. Qualifying an Expert in Court
  67. 13.1. Qualifying an expert
  68. 13.2. Qualifying experts in court
  69. Chapter 14. Overview of Digital Evidence Discovery
  70. 14.1. Discovery motions in civil and criminal cases
  71. Chapter 15. Discovery of Digital Evidence in Criminal Cases
  72. 15.1. Sources of digital evidence
  73. 15.2. Building the motion
  74. Chapter 16. Discovery of Digital Evidence in Civil Cases
  75. 16.1. Rules governing civil discovery
  76. 16.2. Electronic discovery in particular
  77. 16.3. Time is of the essence
  78. 16.4. Getting to the particulars
  79. 16.5. Getting the electronic evidence
  80. Chapter 17. Discovery of Computers and Storage Media
  81. 17.1. An example of a simple consent to search agreement
  82. 17.2. Example of a simple order for expedited discovery
  83. 17.3. Example of an order for expedited discovery and temporary restraining order
  84. Chapter 18. Discovery of Video Evidence
  85. 18.1. Common issues with video evidence
  86. 18.2. Collecting video evidence
  87. 18.3. Example discovery language for video evidence
  88. Chapter 19. Discovery of Audio Evidence
  89. 19.1. Common issues with audio evidence
  90. 19.2. Example discovery language for audio evidence
  91. Chapter 20. Discovery of Social Media Evidence
  92. 20.1. Legal issues in social media discovery
  93. 20.2. Finding custodian of records contact information
  94. 20.3. Facebook example
  95. 20.4. Google information
  96. 20.5. Online e-mail accounts
  97. Chapter 21. Discovery in Child Pornography Cases
  98. 21.1. The Adam Walsh Child Protection and Safety Act of 2006
  99. 21.2. The discovery process
  100. Chapter 22. Discovery of Internet Service Provider Records
  101. 22.1. Internet service provider records or IP addresses
  102. 22.2. Example language for web-based e-mail addresses
  103. 22.3. What to expect from an internet service provider (ISP) subpoena
  104. Chapter 23. Discovery of Global Positioning System Evidence
  105. 23.1. GPS tracking evidence overview
  106. 23.2. Discovery of GPS evidence
  107. Chapter 24. Discovery of Call Detail Records
  108. 24.1. Discovery issues in cellular evidence
  109. 24.2. Example language for call detail records
  110. Chapter 25. Obtaining Expert Funding in Indigent Cases
  111. 25.1. Justifying extraordinary expenses
  112. 25.2. Example language for an ex parte motion for expert funds
  113. Chapter 26. Hash Values
  114. 26.1. Hash values
  115. 26.2. How hash values are used in digital forensics
  116. Chapter 27. Metadata
  117. 27.1. The purpose of metadata
  118. 27.2. Common types of metadata
  119. Chapter 28. Thumbnails and the Thumbnail Cache
  120. 28.1. Thumbnails and the thumbnail cache
  121. 28.2. How thumbnails and the thumbnail cache work
  122. 28.3. Thumbnails and the thumbnail cache as evidence
  123. Chapter 29. Deleted Data
  124. 29.1. How data is stored on a hard drive
  125. 29.2. Deleted file recovery
  126. 29.3. Evidence of data destruction
  127. Chapter 30. Computer Time Artifacts (MAC Times)
  128. 30.1. Computer file system time stamps
  129. 30.2. Fundamental Issues in forensic analysis of timeline
  130. 30.3. Created, modified, accessed
  131. 30.4. The bottom line
  132. Chapter 31. Internet History (Web and Browser Caching)
  133. 31.1. What is web caching?
  134. 31.2. How Internet browser (web) caching works
  135. 31.3. Internet (web) caching as evidence
  136. 31.4. What if the Internet cache is cleared by the user?
  137. Chapter 32. Windows Shortcut Files (Link Files)
  138. 32.1. The purpose of link files, how they are created, and how they work
  139. 32.2. How link files can be of evidentiary value
  140. 32.3. Link files as evidence
  141. Chapter 33. Cellular System Evidence and Call Detail Records
  142. 33.1. An overview of the cellular phone system
  143. 33.2. How cell phones work
  144. 33.3. Call detail records
  145. 33.4. Call detail records as evidence of cell phone location
  146. 33.5. Enhanced 911 wireless location services
  147. 33.6. The E911 system overview
  148. 33.7. Emergency situations: Real-time cell phone tracking
  149. Chapter 34. E-mail Evidence
  150. 34.1. E-mail as evidence
  151. 34.2. E-mail storage and access: Where is it?
  152. 34.3. Web mail
  153. Chapter 35. Social Media
  154. 35.1. Common forms of social networking (social media)
  155. 35.2. Evidence out in the open
  156. 35.3. Convenience versus security
  157. 35.4. The allure of anonymity
  158. 35.5. Social media as evidence
  159. 35.6. Getting information from online services
  160. Chapter 36. Peer-to-Peer Networks and File Sharing
  161. 36.1. What is peer-to-peer file sharing?
  162. 36.2. How it works
  163. 36.3. Privacy and security issues with peer-to-peer file sharing
  164. 36.4. Peer-to-peer network evidence
  165. Chapter 37. Cell Phones
  166. 37.1. The fragile nature of cellular evidence
  167. 37.2. Forensic acquisition methods for cellular phones
  168. 37.3. Subscriber identity module (SIM) cards
  169. 37.4. Cell phone backup files
  170. 37.5. Advanced cell phone data analytics
  171. 37.6. The future of cell phone forensics
  172. Chapter 38. Video and Photo Evidence
  173. 38.1. The most critical steps in the forensic examination of video and photo evidence
  174. 38.2. Using video and photo evidence in cases
  175. Chapter 39. Databases
  176. 39.1. Databases in everyday life
  177. 39.2. What is a database?
  178. 39.3. Database files as evidence
  179. 39.4. Database recovery
  180. 39.5. Data as evidence
  181. Chapter 40. Accounting Systems and Financial Software
  182. 40.1. Accounting and money management programs
  183. 40.2. Personal money management software
  184. 40.3. Business accounting software
  185. 40.4. Getting the evidence
  186. 40.5. Types of evidence from financial software
  187. 40.6. Batch files as evidence
  188. 40.7. Other sources of financial evidence
  189. Chapter 41. Multiplayer Online Games
  190. 41.1. The culture of Massively Multiplayer Online Role Playing Games (MMORPGs)
  191. 41.2. MMORPG data as evidence
  192. Chapter 42. Global Positioning Systems
  193. 42.1. An overview of global positioning systems
  194. 42.2. An overview of the NAVSTAR Global Positioning System
  195. 42.3. How GPS works
  196. 42.4. Types of GPS evidence
  197. 42.5. Collection of evidence from GPS devices
  198. 42.6. Interpretation of GPS evidence
  199. Index