
Digital Forensics PDF

373 Pages·2018·32.778 MB·English

Preview Digital Forensics

Digital Forensics

Edited by André Årnes
Norwegian University of Technology and Science (NTNU), Norway and Telenor Group, Norway

This edition first published 2018
© 2018 John Wiley & Sons Ltd

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The right of André Årnes to be identified as the author(s) of the editorial material in this work has been asserted in accordance with law.

Registered Offices
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK

Editorial Office
The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.

Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging-in-Publication Data
Names: Årnes, André, 1976- editor.
Title: Digital forensics / edited by André Årnes.
Description: Hoboken, NJ : John Wiley & Sons Inc., 2018. | Includes bibliographical references and index.
Identifiers: LCCN 2017004725 (print) | LCCN 2017003533 (ebook) | ISBN 9781119262381 (paperback) | ISBN 9781119262404 (Adobe PDF) | ISBN 9781119262411 (ePub)
Subjects: LCSH: Computer crimes–Investigation. | Computer security. | Electronic discovery (Law) | Forensic sciences. | BISAC: MEDICAL / Forensic Medicine.
Classification: LCC HV8079.C65 D53 2018 (ebook) | LCC HV8079.C65 (print) | DDC 363.25/968–dc23
LC record available at https://lccn.loc.gov/2017004725

ISBN: 9781119262381
Cover Design: Wiley
Cover Images: (Background) © alengo/Gettyimages; Figures: Courtesy of Petter Bjelland
Set in 10/12pt WarnockPro-Regular by Thomson Digital, Noida, India
10 9 8 7 6 5 4 3 2 1

Contents

Preface xv
List of Contributors xvii
List of Figures xxi
List of Tables xxv
List of Examples xxvii
List of Definitions xxix
List of Abbreviations xxxi

1 Introduction 1
André Årnes
1.1 Forensic Science 1
1.1.1 History of Forensic Science 2
1.1.2 Locard's Exchange Principle 2
1.1.3 Crime Reconstruction 3
1.1.4 Investigations 3
1.1.5 Evidence Dynamics 4
1.2 Digital Forensics 4
1.2.1 Crimes and Incidents 5
1.2.2 Digital Devices, Media, and Objects 5
1.2.3 Forensic Soundness and Fundamental Principles 5
1.2.4 Crime Reconstruction in Digital Forensics 6
1.3 Digital Evidence 7
1.3.1 Layers of Abstraction 7
1.3.2 Metadata 7
1.3.3 Error, Uncertainty, and Loss 7
1.3.4 Online Bank Fraud – A Real-World Example 8
1.3.4.1 Modus Operandi 8
1.3.4.2 The SpyEye Case 8
1.4 Further Reading 9
1.5 Chapter Overview 10
1.6 Comments on Citation and Notation 10

2 The Digital Forensics Process 13
Anders O. Flaglien
2.1 Introduction 13
2.1.1 Why Do We Need a Process? 14
2.1.2 Principles of a Forensics Process 15
2.1.3 Finding the Digital Evidence 15
2.1.4 Introducing the Digital Forensics Process 16
2.2 The Identification Phase 17
2.2.1 Preparations and Deployment of Tools and Resources 18
2.2.2 The First Responder 19
2.2.3 At the Scene of the Incident 21
2.2.3.1 Preservation Tasks 22
2.2.4 Dealing with Live and Dead Systems 22
2.2.5 Chain of Custody 23
2.3 The Collection Phase 24
2.3.1 Sources of Digital Evidence 26
2.3.2 Systems Physically Tied to a Location 28
2.3.3 Multiple Evidence Sources 28
2.3.4 Reconstruction 28
2.3.5 Evidence Integrity and Cryptographic Hashes 29
2.3.6 Order of Volatility 30
2.3.7 Dual-Tool Verification 32
2.3.8 Remote Acquisition 32
2.3.9 External Competency and Forensics Cooperation 33
2.4 The Examination Phase 33
2.4.1 Initial Data Source Examination and Preprocessing 34
2.4.2 Forensic File Formats and Structures 35
2.4.3 Data Recovery 35
2.4.4 Data Reduction and Filtering 36
2.4.5 Timestamps 37
2.4.6 Compression, Encryption and Obfuscation 37
2.4.7 Data and File Carving 38
2.4.8 Automation 39
2.5 The Analysis Phase 39
2.5.1 Layers of Abstraction 40
2.5.2 Evidence Types 40
2.5.3 String and Keyword Searches 41
2.5.4 Anti-Forensics 42
2.5.4.1 Computer Media Wiping 42
2.5.4.2 Analysis of Encrypted and Obfuscated Data 42
2.5.5 Automated Analysis 43
2.5.6 Timelining of Events 43
2.5.7 Graphs and Visual Representations 43
2.5.8 Link Analysis 44
2.6 The Presentation Phase 45
2.6.1 The Final Reports 46
2.6.2 Presentation of Evidence and Work Conducted 46
2.6.3 The Chain of Custody Circle Closes 47
2.7 Summary 47
2.8 Exercises 48

3 Cybercrime Law 51
Inger Marie Sunde
3.1 Introduction 51
3.2 The International Legal Framework of Cybercrime Law 54
3.2.1 The Individuals Involved in Criminal Activity and in Crime-Preventing Initiatives 54
3.2.2 The National Legal System versus the International Legal Framework 55
3.2.3 Fundamental Rights Relating to Cybercrime Law – The ECHR 56
3.2.3.1 The ECtHR as a Driving Force for Development of Human Rights 57
3.2.3.2 The Right to Bring a Case before the ECtHR 57
3.2.3.3 A Special Note on Transborder Search and Surveillance 58
3.2.3.4 The Connection between Fundamental Rights and the Rule of Law 60
3.2.3.5 The Principle of Legality in the Context of Crime 60
3.2.3.6 The Principle of Legality in the Context of a Criminal Investigation 61
3.2.3.7 The Positive Obligation of the Nation State 63
3.2.3.8 The Right to Fair Trial 64
3.2.3.9 A Special Note on Evidence Rules in Different Legal Systems 68
3.2.3.10 Possible Outcomes of a Violation of Fundamental Rights 69
3.2.4 Special Legal Framework: The Cybercrime Convention 69
3.2.5 Interpretation of Cybercrime Law 72
3.2.5.1 Interpretation of Substantive Criminal Law 72
3.2.5.2 Application of Old Criminal Provisions to New Modes of Conduct 74
3.2.5.3 Interpretation of Procedural Provisions Authorizing Coercive Measures 75
3.3 Digital Crime – Substantive Criminal Law 76
3.3.1 General Conditions for Criminal Liability 77
3.3.2 Real-Life Modus Operandi 80
3.3.3 Offenses against the Confidentiality, Integrity, and Availability of Computer Data and Systems 81
3.3.3.1 Illegal Access and Illegal Interception 82
3.3.3.2 Data and System Interference 85
3.3.3.3 Misuse of Devices 88
3.3.4 Computer-Related Offenses 89
3.3.5 Content-Related Offenses 91
3.3.6 Offenses Related to Infringements of Copyright and Related Rights 93
3.3.7 Racist and Xenophobic Speech 94
3.4 Investigation Methods for Collecting Digital Evidence 95
3.4.1 The Digital Forensic Process in the Context of Criminal Procedure 95
3.4.2 Computer Data That Are Publicly Available 97
3.4.2.1 Transborder Access to Stored Computer Data Where Publicly Available 98
3.4.2.2 Online Undercover Operations 98
3.4.3 Scope and Safeguards of the Investigation Methods 99
3.4.3.1 Suspicion-Based Investigation Methods 99
3.4.3.2 The Scope of the Investigation Methods (Article 14) 99
3.4.3.3 Conditions and Safeguards (Article 15) 100
3.4.3.4 Considerations Relating to Third Parties 102
3.4.4 Search and Seizure (Article 19) 103
3.4.4.1 Main Rules 103
3.4.4.2 Special Issues 104
3.4.5 Production Order 106
3.4.6 Expedited Preservation and Partial Disclosure of Traffic Data 107
3.4.6.1 Real-Time Investigation Methods (Articles 20 and 21) 107
3.5 International Cooperation in Order to Collect Digital Evidence 109
3.5.1 Narrowing the Focus 109
3.5.2 A Special Note on Transborder Access to Digital Evidence 110
3.5.3 Mutual Legal Assistance 111
3.5.3.1 Basic Principles and Formal Steps of the Procedure 111
3.5.3.2 International Conventions Concerning Mutual Legal Assistance 112
3.5.4 International Police Cooperation and Joint Investigation Teams 114
3.6 Summary 115
3.7 Exercises 115

4 Digital Forensic Readiness 117
Ausra Dilijonaite
4.1 Introduction 117
4.2 Definition 117
4.3 Law Enforcement versus Enterprise Digital Forensic Readiness 118
4.4 Why? A Rationale for Digital Forensic Readiness 119
4.4.1 Cost 119
4.4.2 Usefulness of Digital Evidence 120
4.4.2.1 Existence of Digital Evidence 121
4.4.2.2 Evidentiary Weight of Digital Evidence 121
