Computer Forensics For Dummies
About this book

Uncover a digital trail of e-evidence by using the helpful, easy-to-understand information in Computer Forensics For Dummies! Professional and armchair investigators alike can learn the basics of computer forensics, from digging out electronic evidence to solving the case. You won't need a computer science degree to master e-discovery. Find and filter data in mobile devices, e-mail, and other Web-based technologies.

You'll learn all about e-mail and Web-based forensics, mobile forensics, passwords and encryption, and other e-evidence found through VoIP, voicemail, legacy mainframes, and databases. You'll discover how to use the latest forensic software, tools, and equipment to find the answers that you're looking for in record time. When you understand how data is stored, encrypted, and recovered, you'll be able to protect your personal privacy as well. By the time you finish reading this book, you'll know how to:

  • Prepare for and conduct computer forensics investigations
  • Find and filter data
  • Protect personal privacy
  • Transfer evidence without contaminating it
  • Anticipate legal loopholes and opponents' methods
  • Handle passwords and encrypted data
  • Work with the courts and win the case

Plus, Computer Forensics for Dummies includes lists of things that everyone interested in computer forensics should know, do, and build. Discover how to get qualified for a career in computer forensics, what to do to be a great investigator and expert witness, and how to build a forensics lab or toolkit.

Note: CD-ROM/DVD and other supplementary materials are not included as part of eBook file.

Computer Forensics For Dummies, by Carol Pollard and Reynaldo Anzaldua, is available in PDF and ePUB format under Computer Science & Cyber Security.

Part I

Digging Out and Documenting Electronic Evidence

In this part . . .
This part covers the basic component of computer forensic investigations: finding electronic data, documents, or dirt to use as evidence. And we tell you in Chapter 1 not only how to find it but also how to ensure that it can be used to win or prevail in a legal action. Let’s face it: If you’re involved in a computer forensic mission, it’s not because you want to recover your lost vacation photos. For less money than you would pay for an investigation, you could redo the vacation and retake those photos. Computer forensics is more like the art of war — strategies and tactics to successfully navigate a tough environment, as you find out in Chapter 2.
In the first two chapters, you start to understand the number of ways in which your data and digital content get “out there,” how investigators find and recover e-evidence, and how lawyers use the evidence to win their cases. You’ll find out about technical issues and the dumb mistakes made by users trying to erase their tracks. Big Mistake #1 is thinking that the Delete key is the cyberequivalent of a paper shredder.
Mistakes stemming from delusions of grandeur can harm an investigation, as you read in Chapter 3. If you’re about to start an examination, you have to avoid Big Mistake #2 — jumping into an investigation without appreciating how fragile electronic data, and your posterior, are. Either one might get damaged if you don’t have the authority to proceed. Then in Chapter 4 you see strategies from the trenches for documenting and managing the scene of a crime.
The thousands of criminals I have seen in 40 years of law enforcement have had one thing in common: Every single one was a liar.
— J. Edgar Hoover, FBI director (1924–1972)
Chapter 1

Knowing What Your Digital Devices Create, Capture, and Pack Away — Until Revelation Day

In This Chapter
  • Finding electronic evidence in the digital trails of our lives
  • Whipping your evidence into shape
  • Looking for evidence in the visible and invisible computer domain
  • Looking at the life cycle of a case
  • Defending your results

Think of computers, cell phones, PDAs, iPods, and other handheld devices as items with durable digital brains. Imagine that a detailed copy of every e-mail, text message, document, Internet upload or download, Google search, Facebook personal chat and posting, iPhone webChatter conversation, photo, financial transaction, and address book gets packed into electronic closets.
The amount of information left in each of these places is the basic reason that criminals are caught and found guilty and lawsuits are won or lost. When you use computer forensics tools to pick these digital brains or find skeletons in electronic closets, your case takes shape with e-evidence that’s tough to refute. Electronic evidence (e-evidence, for short) can play a starring role in the civil, criminal, matrimonial, or workplace cases you investigate. It’s as though people who use digital devices and social networks missed every CSI episode where incriminating e-mail, cell calls, and online activity became courtroom exhibits.
In this chapter, you become familiar with the locations and staying power of the all-too-accurate electronic records of actions, decisions, and indiscretions. You want to be smarter than — or at least up to speed with — your opposition. Whether you are a first responder at a crime scene or someone planning litigation strategy, you learn how to answer your new call of duty. Methods used to hunt through hard drives and perform digital autopsies must be generally accepted by the legal system so that your results hold up. You need to be familiar, therefore, with rules of evidence, some legal-speak, and the concept of loopholes. And you need good report-writing skills to explain the results of your cybersleuthing in simplified detail. If the case goes to trial, so do you, as an expert witness. Testifying in court is about as much fun as one person can stand.

Living and Working in a Recorded World

Ever since the World Wide Web (WWW — the big one) dropped into our lives in 1991, rabid growth has taken place in the personal, professional, and criminal use of computers, the Internet, e-mail, wireless tech toys, and social networks. These devices create and capture greater amounts of “digital details” that are stored in more places than most people realize. You have less chance of destroying detail-trails perfectly than of committing the perfect crime. Like the fingerprint left on the seat adjustment of a car used in a crime, a rogue digital fingerprint always lives on to tell the tale.
Once in electronic form, almost all data, documents, and other file types can be analyzed offline, outside the application that produced them. Computer forensics software makes this possible by copying an entire hard drive, sector by sector, into a single searchable file called an image. Because every sector is copied, whether or not the file system considers it in use, the image has no hiding places. In practice the copy is made through a write blocker, and a hash of the original drive and of the image is recorded and compared, so you can show later that what you examined is exactly what was seized.

Deleting is a misnomer

A hard drive is a big place, and data or other digital content from prior years may be retrievable in pristine condition even if someone has deleted it. In this section, we discuss how a computer operating system (OS) helps a file — and your investigation — survive.
Imagine that you compose a Word document and save it on your laptop with the filename Sand.doc. The process of saving a file on your hard disk involves three basic events:
  • An entry is made into the File Allocation Table (FAT) to indicate the space where Sand.doc is stored in the Data Region. Like all files, Sand.doc is assigned (allocated) space on the hard drive. Those spaces are clusters. The FAT file system is supported by virtually all existing operating systems for personal computers.
  • A directory entry is made to indicate Sand.doc as the filename, its size, link to the FAT, and some other information.
  • Sand.doc is written to the data region. That is, it’s saved to a cluster on the hard drive. (Of course, files may occupy more than one cluster, but we’re keeping it simple.)
But when you decide to delete Sand.doc, only two events happen:
  • The FAT entry for the file is zeroed out. That’s geek-speak for “the cluster that’s storing Sand.doc is declared digitally vacant and available to store another file.”
  • The first character of the directory entry’s filename is changed to a special marker (the byte value 0xE5) so that the operating system knows to ignore the entry. In effect, the OS is only pretending that the file isn’t there: the rest of the name, the file size, and the starting cluster are still sitting in the entry.
Like many deleted files, Sand.doc remains intact because nothing has been done to it. For Sand.doc to be totally overwritten and (almost) unrecoverable requires two events:
  • The operating system must save another file (such as Water.doc) in the exact same cluster.
  • Water.doc must be at least as large as Sand.doc.
Remember: A computer system never truly deletes files. An ordinary delete hides the directory entry and frees the clusters without overwriting a single byte of content. (Disk-wiping utilities, and the TRIM command on solid-state drives, are the exceptions: they do destroy content.)
If, for example, Sand.doc filled an entire cluster and Water.doc’s data takes up less space, remnants of Sand.doc remain and are recoverable. The unused portion of the cluster is the slack space. More precisely, it’s the portion of the cluster not used by the new file. Figure 1-1 shows how the Sand file wasn’t dissolved (so to speak) by the Water file. Slack space cannot be seen without the specialized tools you find out about in Chapter 6.
Figure 1-1: Slack space holds the content of the former file.
When it comes to operating systems, remember these two concepts:
  • You have no control over where the operating system saves files.
  • The bigger the hard drive (and the more free space on it), the lower the probability that a deleted file’s clusters will be overwritten any time soon.
Semisavvy criminals may try to outsmart the operating system by deleting the text, replacing it with non-incriminating content, and saving it under the same filename. But if they forget about the file size issue and compose a shorter file, remnants of the original remain in slack space for recovery. Worse for them, many applications save to a new temporary file and then rename it over the old one, so the original file’s clusters may not be touched at all and can be recovered whole from unallocated space.
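The three save events, the two delete events, and the slack-space leftover described above can all be watched in a tiny simulated volume. The following is an added example, not code from the book or from any forensic tool: a hypothetical in-memory FAT16-style volume with 16-bit FAT entries and real FAT directory-entry offsets (8.3 name at byte 0, first cluster at 26, size at 28), simplified so it fits in one file and is not a mountable image. The ToyFatVolume class, the Sand.doc and Water.doc contents, and the recovery routine are all constructed for illustration.

```python
import struct

CLUSTER = 512          # bytes per cluster (one sector per cluster in this toy)
N_CLUSTERS = 16        # data clusters are numbered 2 .. N_CLUSTERS + 1, as on real FAT
DIR_SLOTS = 16         # 32-byte entries in the root directory
FREE, EOC = 0x0000, 0xFFFF   # FAT values: unallocated / end of chain
DELETED = 0xE5         # first name byte of a deleted directory entry


def to_83(name):
    """'Sand.doc' -> b'SAND    DOC', the space-padded 8.3 name stored on disk."""
    base, _, ext = name.upper().partition(".")
    return base.ljust(8)[:8].encode() + ext.ljust(3)[:3].encode()


class ToyFatVolume:
    """Hypothetical in-memory FAT16-style volume: FAT, root directory, data region."""

    def __init__(self):
        self.fat = [FREE] * (N_CLUSTERS + 2)
        self.fat[0] = self.fat[1] = EOC           # entries 0 and 1 are reserved
        self.root = bytearray(32 * DIR_SLOTS)
        self.data = bytearray(CLUSTER * N_CLUSTERS)

    def _off(self, cluster):
        return (cluster - 2) * CLUSTER            # cluster 2 is the first data cluster

    def _slot_of(self, name):
        n = to_83(name)
        for i in range(DIR_SLOTS):
            if self.root[i * 32:i * 32 + 11] == n:
                return i
        raise FileNotFoundError(name)

    def save(self, name, content):
        """The three events of a save: FAT chain, directory entry, data write."""
        needed = max(1, -(-len(content) // CLUSTER))
        chain = [c for c in range(2, N_CLUSTERS + 2) if self.fat[c] == FREE][:needed]
        if len(chain) < needed:
            raise OSError("volume full")
        for a, b in zip(chain, chain[1:]):        # event 1: FAT entries link the clusters
            self.fat[a] = b
        self.fat[chain[-1]] = EOC
        free = [i for i in range(DIR_SLOTS) if self.root[i * 32] in (0x00, DELETED)]
        slot = min(free, key=lambda i: self.root[i * 32])   # prefer a never-used slot
        struct.pack_into("<11sB14xHI", self.root, slot * 32,  # event 2: directory entry
                         to_83(name), 0x20, chain[0], len(content))
        for i, c in enumerate(chain):             # event 3: write exactly len(content) bytes;
            piece = content[i * CLUSTER:(i + 1) * CLUSTER]  # the rest of the last cluster is untouched
            self.data[self._off(c):self._off(c) + len(piece)] = piece
        return chain

    def delete(self, name):
        """The two events of a delete: zero the FAT chain, mark the entry. Data is untouched."""
        slot = self._slot_of(name)
        (cluster,) = struct.unpack_from("<H", self.root, slot * 32 + 26)
        while cluster != EOC:
            nxt = self.fat[cluster]
            self.fat[cluster] = FREE
            cluster = nxt
        self.root[slot * 32] = DELETED

    def recover_deleted(self):
        """What a forensic tool does: read entries the OS ignores and pull their clusters."""
        found = []
        for i in range(DIR_SLOTS):
            entry = self.root[i * 32:(i + 1) * 32]
            if entry[0] != DELETED:
                continue
            name, _, first, size = struct.unpack_from("<11sB14xHI", entry)
            # The chain was zeroed, so assume the file was contiguous from its first cluster
            # (the first byte of the name is lost; tools show it as '?' or a guess).
            shown = "?" + name[1:8].decode().rstrip() + "." + name[8:].decode().rstrip()
            found.append((shown, bytes(self.data[self._off(first):self._off(first) + size])))
        return found

    def slack(self, name):
        """Bytes between end-of-file and the end of the file's last cluster."""
        slot = self._slot_of(name)
        cluster, size = struct.unpack_from("<HI", self.root, slot * 32 + 26)
        while self.fat[cluster] != EOC:
            cluster = self.fat[cluster]
        used = size - ((size - 1) // CLUSTER) * CLUSTER   # bytes of the last cluster in use
        return bytes(self.data[self._off(cluster) + used:self._off(cluster) + CLUSTER])


SAND = b"SAND: meet me at the pier at 9 " * 10    # constructed sample, 310 bytes
WATER = b"WATER: grocery list " * 5               # constructed sample, 100 bytes


def demo():
    vol = ToyFatVolume()
    vol.save("Sand.doc", SAND)
    vol.delete("Sand.doc")
    recovered = vol.recover_deleted()             # Sand.doc comes back intact
    vol.save("Water.doc", WATER)                  # smaller file lands in the same cluster
    remnant = vol.slack("Water.doc")[:len(SAND) - len(WATER)]
    return recovered, remnant


if __name__ == "__main__":
    rec, rem = demo()
    print(rec[0][0], len(rec[0][1]), "bytes recovered after delete")
    print("slack of Water.doc still holds:", rem[:40])
```

Two things to notice when you run it. First, delete() never touches the data region, so recover_deleted() returns every byte of Sand.doc; all it needs is the starting cluster and size still sitting in the hidden directory entry. Second, after Water.doc (100 bytes) is written into the same cluster, the 210 bytes of Sand.doc past the end of Water.doc are still there in Water.doc’s slack, which is exactly the remnant Figure 1-1 shows. A real driver may reuse the deleted directory slot immediately; the toy prefers a never-used slot so the recovery step stays visible.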

Table of contents

  1. Cover
  2. Title Page
  3. Table of Contents
  4. Introduction
  5. Part I: Digging Out and Documenting Electronic Evidence
  6. Part II: Preparing to Crack the Case
  7. Part III: Doing Computer Forensics Investigations
  8. Part IV: Succeeding in Court
  9. Glossary
  10. Cheat Sheet
  11. Connect with Dummies
  12. End User License Agreement