
The Basics of Digital Forensics, Second Edition: The Primer for Getting Started in Digital Forensics PDF

184 Pages·2014·6.59 MB·English

Preview The Basics of Digital Forensics, Second Edition: The Primer for Getting Started in Digital Forensics

The Basics of Digital Forensics
The Primer for Getting Started in Digital Forensics
Second Edition
John Sammons

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an Imprint of Elsevier

Copyright

Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Benjamin Rearick
Project Manager: Surya Narayanan Jayachandran
Designer: Mathew Limbert

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2015 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

ISBN: 978-0-12-801635-0

For information on all Syngress publications visit our website at http://store.elsevier.com/

To Lora, Abby, and Rae for making me a truly blessed and lucky man. To my Aunt Ruth, whose love, support, and encouragement means so much. To my mother, Juanita, and my grandmother, Grace, for the many sacrifices you made and the example you set … I miss you.

Preface

Seal Team Six tore the hard drives from Osama bin Laden’s computers. Some of Michael Jackson’s final words were captured on an iPhone. Google searches for chloroform played a central role in the trial of Casey Anthony. This list could go on and on. Digital forensics is used to keep us safe, and to ensure justice is done and company and taxpayer resources aren’t abused. This book is your first step into the world of digital forensics. Welcome!

Digital forensics is used in a number of arenas, not just in catching identity thieves and Internet predators. For example, it’s being used on the battlefields of Afghanistan to gather intelligence. The rapid exploitation of information pulled from cell phones and other devices is helping our troops identify and eliminate terrorists and insurgents. It’s being used in the multibillion-dollar world of civil litigation. Gone are the days when opposing parties exchanged boxes of paper memos, letters, and reports as part of the litigation process. Today, those documents are written in 1s and 0s rather than ink. They are stored on hard drives and backup tapes rather than in filing cabinets. Digital forensics helps combat the massive surge in cybercrime. Identity thieves, child pornographers, and “old school” criminals are all using and leveraging technology to facilitate their illegal activities. Finally, it’s being used in the workplace to help protect both companies and government entities from the misuse of their computer systems.

INTENDED AUDIENCE

As the title suggests, this is a beginner’s book. The only assumption is that you have a fundamental understanding of or familiarity with computers and other digital devices. If you have a moderate or advanced understanding of digital forensics, this book may not be for you. As part of Syngress’s “Basics” series, I wrote this book more as a broad introduction to the subject rather than an all-encompassing tome. I’ve tried to use as much “Plain English” as possible, making it (hopefully) an easier read.

I’d like to emphasize that this is an introductory book that is deliberately limited in length. Given that, there is much that couldn’t be covered in depth or even covered at all. Each chapter could be a book all by itself. There are many wonderful books out there that can help further your understanding. I sincerely hope you don’t stop here.

ORGANIZATION OF THIS BOOK

The book is organized in a fairly straightforward way. Each chapter covers a specific type of technology and begins with a basic explanation of the technology involved. This is a necessity to really understand the forensic material that follows. To help reinforce the material, the book also contains stories from the field, case examples, and Q and As with a cryptanalyst and a specialist in cell phone forensics.

CHAPTER 1–INTRODUCTION

What exactly is digital forensics? This chapter seeks to define digital forensics and examine how it’s being used. From the battlefield to the boardroom to the courtroom, digital forensics is playing a bigger and bigger role.

CHAPTER 2–KEY TECHNICAL CONCEPTS

Understanding how computers create and store digital information is a prerequisite for the study of digital forensics. It is this understanding that enables us to answer questions like “How was that artifact created?” and “Was that generated by the computer itself, or was it a result of some user action?” We’ll look at binary, how data are stored, storage media, and more.

CHAPTER 3–LABS AND TOOLS

In “Labs and Tools,” we look at the digital forensic environment and hardware and software that are used on a regular basis. We will also examine standards used to accredit labs and validate tools. Those standards are explored along with quality assurance, which is the bedrock of any forensic operation. Quality assurance seeks to ensure that results generated by the forensic examination are accurate.

CHAPTER 4–COLLECTING EVIDENCE

How the digital evidence is handled will play a major role in getting that evidence admitted into court. This chapter covers fundamental forensically sound practices that you can use to collect evidence and establish a chain of custody.

CHAPTER 5–WINDOWS SYSTEM ARTIFACTS

The overwhelming odds are that you have a Windows-based computer on your desk, in your briefcase, or both. It’s a Windows world. (No disrespect, Mac people. I’m one of you.) With a market share of more than 90%, it clearly represents the bulk of our work. This chapter looks at many of the common Windows artifacts and how they are created.

CHAPTER 6–ANTI-FORENSICS

The word is out. Digital forensics is not the secret it once was. Recovering digital evidence, deleted files, and the like is now commonplace. It’s regularly seen on such shows as NCIS and CSI. The response has been significant. There are now many tools and techniques out there that are used to hide or destroy data. These are examined in this chapter.

CHAPTER 7–LEGAL

Although a “forensic” science, the legal aspects of digital forensics can’t be divorced from the technical. In all but certain military/intelligence applications, the legal authority to search is a prerequisite for a digital forensics examination. This chapter examines the Fourth Amendment, as well as reasonable expectations of privacy, private searches, searching with and without a warrant, and the Stored Communications Act.

CHAPTER 8–INTERNET AND E-MAIL

Social networks, e-mail, chat logs, and Internet history represent some of the best evidence we can find on a computer. How does this technology work? Where is this evidence located? These are just a few of the questions we’ll answer in this chapter.

CHAPTER 9–NETWORK FORENSICS

We can find a network almost anywhere, from small home networks to huge corporate ones. As with computers and cell phones, we must first understand how these work. To that end, this chapter begins with networking basics. Next, we start looking at how networks are attacked and what role digital forensics plays in not only the response, but in how perpetrators can be traced.

CHAPTER 10–MOBILE DEVICE FORENSICS

Small-scale mobile devices such as cell phones and GPS units are everywhere. These devices are, in many respects, pocket computers. They have a huge potential to store evidence. Digital forensics must be as proficient with these devices as it is with desktop computers. We’ll look at the underlying technology powering cell phones and GPS units, as well as the potential evidence they could contain.

CHAPTER 11–LOOKING AHEAD: CHALLENGES AND CONCERNS

Two “game-changing” technologies are upon us that will have a huge impact on not only the technical aspect of digital forensics but the legal piece as well. The technology driving solid state hard drives negates much of the traditional “bread and butter” of digital forensics. That is, our ability to recover deleted data. As of today, there is no answer to this problem.

Cloud computing creates another major hurdle. In the cloud, data are stored in a complex virtual environment that could physically be located anywhere in the world. This creates two problems. From a technical standpoint, there is an alarming lack of forensic tools that work in this environment, and deleted files are also nearly impossible to recover. Legally, it’s a nightmare. With data potentially being scattered across the globe, the legal procedures and standards vary wildly. Although steps are being taken to mitigate this legal dilemma, the situation still persists today.

Being in its infancy, the digital forensics community still has work to do regarding how it conducts its business, especially in relation to the other more traditional disciplines. This chapter will explore this issue.

Acknowledgments

Although my name may be on the cover, this book would not have been possible without the help and support of many people. First, I’d like to thank my family, particularly my wife Lora and my two girls, Abby and Rae. Their patience, understanding, and willingness to “pick up my slack” while I wrote was invaluable. Thank you, ladies.

Next I’d like to thank Nick Drehel, Rob Attoe, Lt. Lannie Hilboldt, Chris Vance, and Nephi Allred for sharing their expertise and experiences. I have no doubt their contributions made this a better book.

My previous chair, Dr. Mike Little, and my dean, Dr. Charles Somerville, also helped make this book a reality. It would have been impossible for me to write this book and still do my “day job” without their support and assistance. Thank you, gentlemen.

I’d like to thank Ben Rearick and Chris Katsaropoulos from Syngress for keeping me on task, as well as for their support and encouragement. Thanks to my tech editor, Jonathan Rajewski, for keeping me on point.

Many thanks go to Bryanne Edmonds, Jennifer Rehme, and Jonathan Sisson. These current and former Marshall University students proved invaluable in the creation of this book. I have no doubt that each will be a successful contributor to the forensic science community. I wish all of you nothing but continued success.

CHAPTER 1
Introduction

“Each betrayal begins with trust.”
—“Farmhouse” by the band Phish

INFORMATION IN THIS CHAPTER:
• What is Forensic Science?
• What is Digital Forensics?
• Uses of Digital Forensics
• Role of the Forensic Examiner in the Judicial System

INTRODUCTION

Your computer will betray you. This is a lesson that many CEOs, criminals, politicians, and ordinary citizens have learned the hard way. You are leaving a trail, albeit a digital one; it’s a trail nonetheless. Like a coating of fresh snow, these 1s and 0s capture our “footprints” as we go about our daily life. Cell phone records, ATM transactions, web searches, e-mails, and text messages are a few of the footprints we leave. As a society, our heavy use of technology means that we are literally drowning in electronically stored information. And the tide keeps rolling in. Don’t believe me? Check out these numbers from the research company IDC:

• The digital universe (all the digital information in the world) will reach 1.2 million petabytes in 2010. That’s up by 62% from 2009.

If you can’t get your head around a petabyte, maybe this will help: “One petabyte is equal to: 20 million, four-drawer filing cabinets filled with text or 13.3 years of HD-TV video” (Mozy, 2009).

The impact of our growing digital dependence is being felt in many domains, not the least of which is the legal system. Every day, digital evidence is finding its way into the world’s courts. This is definitely not your father’s litigation. Gone are the days when records were strictly paper. This new form of evidence presents some very significant challenges to our legal system. Digital evidence is considerably different from paper documents and can’t be handled in the same way. Change, therefore, is inevitable. But the legal system doesn’t turn on a dime. In fact, it’s about as nimble as the Titanic. It’s struggling now to catch up with the blinding speed of technology.

Criminal, civil, and administrative proceedings often focus on digital evidence, which is foreign to many of the key players, including attorneys and judges. We all know folks who don’t check their own e-mail or even know how to surf the Internet. Some lawyers, judges, businesspeople, and cops fit squarely into that category as well. Unfortunately for those people, this blissful ignorance is no longer an option.

Where law-abiding society goes, the bad guys will be very close behind (if not slightly ahead). They have joined us on our laptops, cell phones, iPads, and the Internet. Criminals will always follow the money and leverage any tools, including technology, that can aid in the commission of their crimes.

Although forensic science has been around for years, digital forensics is still in its infancy. It’s still finding its place among the other more established forensic disciplines, such as DNA and toxicology. As a discipline, it is where DNA was many years ago. Standards and best practices are still being developed.

Digital forensics can’t be done without getting under the hood and getting your hands dirty, so to speak. It all starts with the 1s and 0s. This binary language underpins not only the function of the computer but how it stores data as well. We need to understand how these 1s and 0s are converted into the text, images, and videos we routinely consume and produce on our computers.

WHAT IS FORENSIC SCIENCE?

Let’s start by examining what it’s not. It certainly isn’t Humvees, sunglasses, and expensive suits. It isn’t done without lots of paperwork, and it’s never wrapped up in 60 minutes (with or without commercials). Now that we know what it isn’t, let’s examine what it is. Simply put, forensics is the application of science to solve a legal problem. In forensics, the law and science are forever integrated. Neither can be applied without paying homage to the other. The best scientific evidence in the world is worthless if it’s inadmissible in a court of law.

WHAT IS DIGITAL FORENSICS?

There are many ways to define digital forensics. In Forensic Magazine, Ken Zatyko defined digital forensics this way:

“The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation” (Zatyko, 2007).

Digital forensics encompasses much more than just laptop and desktop computers. Mobile devices, networks, and “cloud” systems are very much within the scope of

Description:
The Basics of Digital Forensics provides a foundation for people new to the digital forensics field. This book teaches you how to conduct examinations by discussing what digital forensics is, the methodologies used, key tactical concepts, and the tools needed to perform examinations. Details on digi