Computer Evidence: Collection and Preservation, Second Edition

As computers and data systems continue to evolve, they expand into every facet of our personal and business lives. Never before has our society been so information and technology driven. Because computers, data communications, and data storage devices have become ubiquitous, few crimes or civil disputes do not involve them in some way. This book teaches law enforcement, system administrators, information technology security professionals, legal professionals, and students of computer forensics how to identify, collect, and maintain digital artifacts to preserve their reliability for admission as evidence. It has been updated to take into account changes in federal rules of evidence and case law that directly address digital evidence, as well as to expand upon portable device collection.

Author(s): Christopher LT Brown
Edition: 2
Year: 2009

Language: English
Pages: 549

Contents......Page 7
Introduction......Page 23
Part I: Computer Forensics and Evidence Dynamics......Page 30
1 Computer Forensics Essentials......Page 32
What Is Computer Forensics?......Page 33
Crime Scene Investigation......Page 34
Phases of Computer Forensics......Page 36
Formalized Computer Forensics from the Start......Page 39
Who Performs Computer Forensics?......Page 41
Seizing Computer Evidence......Page 46
Challenges to Computer Evidence......Page 49
Summary......Page 50
References......Page 51
Resources......Page 52
2 Rules of Evidence, Case Law, and Regulation......Page 54
Understanding Rules of Evidence......Page 55
2007 Amendments to the FRCP......Page 58
Expert Witness (Scientific) Acceptance......Page 59
Testifying Tips: You Are the Expert......Page 62
Computer-Related Case Law......Page 63
Regulation......Page 67
Summary......Page 74
References......Page 75
Resources......Page 76
3 Evidence Dynamics......Page 78
Forces of Evidence Dynamics......Page 79
Human Forces......Page 80
Natural Forces......Page 90
Equipment Forces......Page 93
Proper Tools and Procedures......Page 95
References......Page 97
Resources......Page 98
Part II: Information Systems......Page 100
4 Interview, Policy, and Audit......Page 102
Subject Interviews......Page 103
Policy Review......Page 108
Audit......Page 110
Recommendations......Page 115
Scope......Page 116
Host-Specific Findings......Page 117
Conclusion......Page 119
References......Page 121
Resources......Page 122
5 Network Topology and Architecture......Page 124
Networking Concepts......Page 125
Types of Networks......Page 126
Physical Network Topology......Page 128
Network Cabling......Page 133
Wireless Networks......Page 135
Open Systems Interconnection (OSI) Model......Page 136
TCP/IP Addressing......Page 141
Diagramming Networks......Page 143
Summary......Page 146
Resources......Page 147
6 Volatile Data......Page 150
Types and Nature of Volatile Data......Page 151
Operating Systems......Page 154
Volatile Data in Routers and Appliances......Page 157
Traditional Incident Response of Live Systems......Page 159
Understanding Windows Rootkits in Memory......Page 161
Accessing Volatile Data......Page 168
References......Page 171
Part III: Data Storage Systems and Media......Page 174
7 Physical Disk Technologies......Page 176
Physical Disk Characteristics......Page 177
Physical Disk Interfaces and Access Methods......Page 181
Logical Disk Addressing and Access......Page 191
Disk Features......Page 193
References......Page 196
Resources......Page 197
8 SAN, NAS, and RAID......Page 198
Disk Storage Expanded......Page 199
Redundant Array of Independent Disks......Page 202
Storage Area Networks......Page 206
Network-Attached Storage......Page 209
Storage Service Providers......Page 213
Summary......Page 216
Resources......Page 217
9 Removable Media......Page 218
Removable, Portable Storage Devices......Page 219
Tape Systems......Page 220
Optical Discs......Page 224
Removable Disks–Floppy and Rigid......Page 229
Flash Media......Page 230
Summary......Page 234
Resources......Page 235
Part IV: Artifact Collection......Page 236
10 Tools, Preparation, and Documentation......Page 238
Boilerplates......Page 239
Hardware Tools......Page 241
Software Tools......Page 251
Tool Testing......Page 262
Documentation......Page 264
Summary......Page 267
References......Page 268
Resources......Page 270
11 Collecting Volatile Data......Page 272
Benefits of Volatile-Data Collection......Page 273
A Blending of Incident Response and Forensics......Page 275
Building a Live Collection Disk......Page 278
Live Boot CD-ROMs......Page 291
Summary......Page 293
References......Page 294
Resources......Page 295
12 Imaging Methodologies......Page 296
Approaches to Collection......Page 297
Bit-Stream Images......Page 299
Local Dead System Collection......Page 304
Verification, Testing, and Hashing......Page 310
Live and Remote Collection......Page 313
Summary......Page 319
References......Page 320
Resources......Page 322
13 Large System Collection......Page 324
Large System Imaging Methodologies......Page 325
Tying Together Dispersed Systems......Page 332
Risk-Sensitive Evidence Collection......Page 338
Summary......Page 340
References......Page 341
14 Personal Portable Device Collection......Page 344
Device Architectures......Page 345
Special Collection Considerations......Page 351
Mobile Phones......Page 359
Special-Purpose Personal Devices......Page 365
References......Page 368
Resources......Page 370
Part V: Archiving and Maintaining Evidence......Page 372
15 The Forensics Workstation......Page 374
The Basics......Page 375
Lab Workstations......Page 378
Portable Field Workstations......Page 385
Configuration Management......Page 389
Summary......Page 392
References......Page 393
Resources......Page 394
16 The Forensics Lab......Page 396
Lab and Network Design......Page 397
Logical Design, Topology, and Operations......Page 402
Storage......Page 407
Lab Certifications......Page 410
Summary......Page 413
References......Page 415
17 What’s Next......Page 416
Areas of Interest......Page 417
Training, Knowledge, and Experience......Page 419
Analysis and Reporting......Page 424
Methodologies......Page 426
Professional Advancement......Page 428
Summary......Page 432
References......Page 433
Resources......Page 434
Part IV: Computer Evidence Collection and Preservation Appendixes......Page 436
A: Sample Chain of Custody Form......Page 438
B: Evidence Collection Worksheet......Page 442
C: Evidence Access Worksheet......Page 446
D: Forensics Field Kit......Page 450
E: Hexadecimal Flags for Partition Types......Page 454
F: Forensics Tools for Digital Evidence Collection......Page 460
Software......Page 461
Hardware......Page 466
General Supplies......Page 470
G: Agencies, Contacts, and Resources......Page 472
Agencies......Page 473
Training Resources......Page 476
Associations......Page 481
State Agencies......Page 483
General......Page 506
Discussion List Servers......Page 507
Journals......Page 508
H: Cisco Router Command Cheat Sheet......Page 510
Packet Filtering on Cisco Routers......Page 512
I: About the CD-ROM......Page 516
CD-ROM Folders......Page 517
A......Page 520
B......Page 521
C......Page 522
D......Page 525
E......Page 526
F......Page 527
H......Page 529
I–J......Page 530
L......Page 532
M......Page 534
N......Page 535
O......Page 536
P–Q......Page 537
R......Page 539
S......Page 540
U......Page 543
W......Page 544
Z......Page 547