Handbook of Computer Crime Investigation
eBook - ePub

Handbook of Computer Crime Investigation

Forensic Tools and Technology

Eoghan Casey

  1. 448 pages
  2. English
  3. ePUB (mobile-friendly)
  4. Available on iOS and Android

About the book

Following on the success of his introductory text, Digital Evidence and Computer Crime, Eoghan Casey brings together a few top experts to create the first detailed guide for professionals who are already familiar with digital evidence. The Handbook of Computer Crime Investigation helps readers master the forensic analysis of computer systems with a three-part approach covering tools, technology, and case studies.

The Tools section provides the details on leading software programs, with each chapter written by that product's creator. The section ends with an objective comparison of the strengths and limitations of each tool.

The main Technology section provides the technical "how to" information for collecting and analyzing digital evidence in common situations, starting with computers, moving on to networks, and culminating with embedded systems. The Case Examples section gives readers a sense of the technical, legal, and practical challenges that arise in real computer investigations.

Information

Year
2001
Publisher
Elsevier Science
ISBN
9780080488905
CHAPTER 1 INTRODUCTION
Eoghan Casey, Keith Seglem
In June 2000, when the home of alleged serial killer John Robinson was searched, five computers were collected as evidence. Robinson used the Internet to find victims and persuade them into meeting him, at which time he allegedly sexually assaulted some and killed others (McClintock 2001). More recently, several hard drives were seized from the home of FBI spy Robert Hanssen. In addition to searching private government computer systems to ensure that he was not under investigation, Hanssen hid and encrypted data on floppy disks that he allegedly passed to the KGB, and used handheld devices to communicate securely with his collaborators as detailed in the following communication that he sent to them.
As you implied and I have said, we do need a better form of secure communication – faster. In this vein, I propose (without being attached to it) the following: One of the commercial products currently available is the Palm VII organizer. I have a Palm III, which is actually a fairly capable computer. The VII version comes with wireless internet capability built in. It can allow the rapid transmission of encrypted messages, which if used on an infrequent basis, could be quite effective in preventing confusions if the existance [sic] of the accounts could be appropriately hidden as well as the existance [sic] of the devices themselves. Such a device might even serve for rapid transmittal of substantial material in digital form. (US vs Hanssen)
As more criminals utilize technology to achieve their goals and avoid apprehension, there is a developing need for individuals who can analyze and utilize evidence stored on and transmitted using computers. This book grew out of the authors’ shared desire to create a resource for forensic examiners[1] who deal regularly with crimes involving networked computers, wireless devices, and embedded systems. This work brings together the specialized technical knowledge and investigative experience of many experts, and creates a unique guide for forensic scientists, attorneys, law enforcement, and computer professionals who are confronted with digital evidence of any kind.
To provide examiners with an understanding of the relevant technology, tools, and analysis techniques, three primary themes are treated: Tools, Technology, and Case Examples. Chapter 2 (The Other Side of Civil Discovery) unites all three themes, detailing tools and techniques that forensic examiners can use to address the challenges of digital discovery. The Tools section presents a variety of tools along with case examples that demonstrate their usefulness. Additionally, each chapter in this section contains valuable insights into specific aspects of investigating computer-related crime.
The Technology section forms the heart of the book, providing in-depth technical descriptions of digital evidence analysis in commonly encountered situations, starting with computers, moving on to networks, and culminating with embedded systems. This section demonstrates how forensic science is applied in different technological contexts, providing forensic examiners with technical information and guidance that is useful at the crime scene. Demonstrative case examples are provided throughout this section to convey complex concepts.
In the final Case Examples section, experienced investigators and examiners present cases to give readers a sense of the technical, legal, and practical challenges that arise in investigations involving computers and networks.
There are several dichotomies that examiners must be cognizant of before venturing into the advanced aspects of forensic examination of computer systems. These fundamental issues are introduced here.

LIVE VERSUS DEAD SYSTEMS

It is accepted that the action of switching off the computer may mean that a small amount of evidence may be unrecoverable if it has not been saved to the memory but the integrity of the evidence already present will be retained. (ACPO 1999)
Individuals are regularly encouraged to turn a computer off immediately to prevent deletion of evidence. However, unceremoniously cutting a computer’s power incurs a number of serious risks. Turning off a computer clears its memory: the processes that were running, the network connections and the mounted file systems are all lost. This loss may not be significant when dealing with personal computers, and some of the information may even survive on disk in RAM slack (NTI 2000) or in virtual memory in the form of swap and page files.[2] However, shutting down a system before collecting volatile data can mean major evidence loss on systems that have several gigabytes of random access memory or active network connections that are critical to an investigation. Additionally, an abrupt shutdown may corrupt important data or damage hardware, preventing the system from rebooting. Shutting down a system can also mean shutting down a company, causing significant disruption and financial loss for which the investigator may be held liable. Finally, there is the physical risk that the computer could be rigged to explode if the power switch is toggled.[3] Therefore, attention must be given to this crucial stage of the collection process.
In many cases, it may not be desirable or necessary to shut a system down as the first step. For example, volatile data may need to be collected before a suspect system is shut down. Some disk editing programs (e.g. Norton Diskedit) can capture the entire contents of RAM, and various tools are available for collecting portions of memory. For instance, fport (www.foundstone.com), handleex (www.sysinternals.com), ps and pulist from the Windows 2000 resource kit all provide information about the processes that are running on a system. Also, tools such as carbonite (www.foundstone.com) have been developed to counteract loadable kernel modules on Linux. Additionally, applications such as The Coroner’s Toolkit (TCT) are being developed to formalize and automate the collection of volatile information from live computer systems.[4]
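The collection the paragraph above describes, as an added example that is not code from the Handbook or from any of the tools it names. It reads the Linux /proc file system directly rather than invoking ps, netstat or fport, so it does not depend on user-land binaries an intruder may have replaced; the output directory is assumed to be examiner-controlled media, and every artefact is SHA-256 hashed into a manifest. The /proc/net/tcp sample embedded in the block is constructed, and the address decoding assumes a little-endian (x86) host, which is how the kernel prints those fields there.

```python
"""Collect volatile data from a live Linux host, most volatile first.

Added example; not code from the Handbook or from the tools it names.
Reads /proc directly instead of invoking ps/netstat/fport, so it does not
depend on user-land binaries an intruder may have trojaned. DEST is assumed
to be examiner-controlled media; every artefact is SHA-256 hashed.
"""
import hashlib
import os
import socket
import struct
import tempfile
import time
from pathlib import Path

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Order of volatility: network state first, then kernel modules, mounts, uptime.
VOLATILE_SOURCES = ["/proc/net/tcp", "/proc/net/udp", "/proc/modules",
                    "/proc/mounts", "/proc/uptime", "/proc/loadavg"]

# Constructed sample of /proc/net/tcp (two rows) so the parser can be run offline.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D89A 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

def _decode_addr(hexaddr: str) -> str:
    """'0100007F:0016' -> '127.0.0.1:22'. The kernel prints the IPv4 address as a
    host-order u32, so this assumes a little-endian host (x86/x86-64)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text: str) -> list[dict]:
    """Turn the /proc/net/tcp table into connection records."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": _decode_addr(f[1]), "remote": _decode_addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns

def list_processes() -> list[dict]:
    """Enumerate /proc/<pid>; returns an empty list where /proc is absent (non-Linux)."""
    procs = []
    proc = Path("/proc")
    if not proc.is_dir():
        return procs
    for d in proc.iterdir():
        if not d.name.isdigit():
            continue
        try:
            cmd = (d / "cmdline").read_bytes().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            continue                            # process exited while we looked
        try:
            exe = os.readlink(d / "exe")        # ends in "(deleted)" if the binary was replaced on disk
        except OSError:
            exe = ""                            # kernel thread, or no permission
        procs.append({"pid": int(d.name), "exe": exe, "cmdline": cmd})
    return procs

def collect_volatile(dest: str) -> dict[str, str]:
    """Snapshot the volatile sources into DEST; return {artefact: sha256 or reason}."""
    out = Path(dest)
    out.mkdir(parents=True, exist_ok=True)
    manifest: dict[str, str] = {}

    def save(name: str, data: bytes) -> None:
        (out / name).write_bytes(data)
        manifest[name] = hashlib.sha256(data).hexdigest()

    save("collection_time.txt", time.strftime("%Y-%m-%dT%H:%M:%S%z").encode())
    for src in VOLATILE_SOURCES:
        try:
            save(src.strip("/").replace("/", "_"), Path(src).read_bytes())
        except OSError as err:
            manifest[src] = f"unavailable: {err}"
    procs = list_processes()
    save("processes.txt", "".join(f"{p['pid']}\t{p['exe']}\t{p['cmdline']}\n" for p in procs).encode())
    # The manifest lets the hashes be re-verified once the media is back in the lab.
    (out / "MANIFEST.sha256").write_text("".join(f"{h}  {n}\n" for n, h in manifest.items()))
    return manifest

def demo() -> dict[str, str]:
    """Run a collection into a fresh temporary directory and return its manifest."""
    return collect_volatile(tempfile.mkdtemp(prefix="volatile-"))

if __name__ == "__main__":
    for c in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(c)
    for name, digest in demo().items():
        print(digest, name)
```

Run it as root on the live machine with the destination on the examiner's own media; the process list is taken last because it is the least volatile of the sources collected, and the manifest is what the examiner signs before pulling the plug.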
Once volatile information has been collected, it is generally safe to unplug the power cord from the back of the computer. Except in the context of networks and embedded systems, this book presumes that examiners are dealing with dead systems that have been delivered to them for examination.

LOGICAL VERSUS PHYSICAL ANALYSIS

From an examination standpoint, the distinction between the physical media that holds binary data and the logical representation of that information is extremely important. In certain instances, forensic examiners will want to perform their analysis on the raw data and in other instances they will want to examine the data as they are arranged by the operating system. Take a Palm V handheld device as an example. An examination of the full contents of the device’s physical RAM and ROM can reveal passwords that are hidden by the Palm OS interface. On the other hand, viewing the data logically using the Palm OS or Palm Desktop enables the examiner to determine which data were stored in the Memo application and the category in which they were stored.
Take the Linux operating system as another example. When instructed to search for child pornography on a computer running Linux, an inexperienced examiner might search at the file system (logical) level for files with a GIF or JPG extension (find / -iname '*.jpg' -print; the pattern must be quoted, or the shell expands it against the current directory before find sees it). In some cases this may be sufficient to locate enough pornographic images to obtain a search warrant for a more extensive search or to discipline an employee for violation of company policy. However, in most cases, this approach will fail to uncover all of the available evidence. It is a simple matter to change a file extension from JPG to DOC, thus foiling a search based on these characteristics. Also, some relevant files might be deleted but still resident in unallocated space. Therefore, it is usually desirable to search every sector of the physical disk for certain file types (strings -a -t x /dev/hda | grep JFIF, where -a scans the whole device and -t x prefixes each hit with its hexadecimal offset). Note that matching on ‘JFIF’ alone misses JPEGs written with an Exif APP1 segment, which is what most digital cameras produce and which carries ‘Exif’ instead; searching for both strings, or for the FF D8 FF start-of-image bytes that open every JPEG, is more complete.
Searching at the physical level also has potential pitfalls. For instance, if a file is fragmented, with portions in non-adjacent clusters, keyword searches may give inaccurate results.
if an examiner were to enter the keyword ‘Manhattan Project’ and a file containing that text was arranged in several fra...
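The two points made in this subsection, that a raw-sector scan finds what an extension search misses and that the same raw scan can miss a keyword split across non-adjacent clusters, as one added example that is not code from the Handbook. The disk image, its 64-byte cluster size, the file table and every file's contents are constructed here; real file systems use clusters of 512 bytes to 64 KiB and the file table stands in for the FAT or inode chain that the operating system would consult.

```python
"""Logical versus physical search on a toy disk image.

Added example, not code from the Handbook. The cluster size, the file table
and the file contents are all constructed. It shows why an extension search
misses a renamed or deleted JPEG, why a raw-sector signature scan finds both,
and why that same raw scan misses a keyword whose file is fragmented across
non-adjacent clusters.
"""
import re

CLUSTER = 64                      # toy cluster size; real ones run 512 B to 64 KiB
JPEG_SOI = b"\xff\xd8\xff"        # Start-Of-Image marker opening every JPEG
KEYWORD = b"Manhattan Project"

def jpeg_stub(comment: bytes) -> bytes:
    """SOI + minimal JFIF APP0 segment + filler; enough to carry the signature."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + b"\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0 + comment

def build_image() -> tuple[bytearray, dict[str, list[int]]]:
    """Eight clusters of raw media plus a file table (the 'logical' view)."""
    image = bytearray(CLUSTER * 8)
    table: dict[str, list[int]] = {}

    def write(name, data: bytes, chain: list[int]) -> None:
        assert len(data) <= CLUSTER * len(chain)
        for i, cl in enumerate(chain):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            image[cl * CLUSTER:cl * CLUSTER + len(chunk)] = chunk
        if name is not None:                  # None: file deleted, clusters freed, bytes remain
            table[name] = chain

    notes = (b"Meeting minutes (12 July 1945). First agenda item: the "
             + KEYWORD + b" budget is to be discussed with General Groves.")
    kw = notes.find(KEYWORD)
    assert kw < CLUSTER < kw + len(KEYWORD)   # the keyword straddles the cluster boundary

    write("holiday.jpg", jpeg_stub(b"beach"), [0])
    write("budget.doc", jpeg_stub(b"renamed to hide it"), [1])
    write("notes.txt", notes, [2, 5])          # fragmented: clusters 2 and 5
    write("memo.txt", b"Unrelated memo occupying the cluster in between.", [3])
    write(None, jpeg_stub(b"deleted, now unallocated"), [4])
    return image, table

def logical_search_by_extension(table: dict[str, list[int]], ext: str) -> list[str]:
    """What find / -iname '*.jpg' sees: names only, never content."""
    return sorted(n for n in table if n.lower().endswith(ext))

def physical_scan(image: bytearray, pattern: bytes) -> list[int]:
    """What strings -a /dev/hda | grep sees: every byte, allocated or not, in media order."""
    return [m.start() for m in re.finditer(re.escape(pattern), bytes(image))]

def owner_of(table: dict[str, list[int]], offset: int) -> str:
    """Map a physical offset back to the file that owns its cluster, if any."""
    cl = offset // CLUSTER
    return next((n for n, chain in table.items() if cl in chain), "unallocated")

def read_file(image: bytearray, chain: list[int]) -> bytes:
    """Reassemble a file from its cluster chain, as the file system driver would."""
    return b"".join(bytes(image[c * CLUSTER:(c + 1) * CLUSTER]) for c in chain)

def logical_keyword_search(image: bytearray, table: dict[str, list[int]], keyword: bytes) -> list[str]:
    """Keyword search over reassembled files; immune to fragmentation."""
    return sorted(n for n, chain in table.items() if keyword in read_file(image, chain))

if __name__ == "__main__":
    img, tbl = build_image()
    print("by extension :", logical_search_by_extension(tbl, ".jpg"))
    print("by signature :", [(o, owner_of(tbl, o)) for o in physical_scan(img, JPEG_SOI)])
    print("raw keyword  :", physical_scan(img, KEYWORD))
    print("file keyword :", logical_keyword_search(img, tbl, KEYWORD))
```

The signature scan reports three JPEGs (the honest one, the one renamed to .doc, and the deleted one in unallocated space) where the extension search reports one; the raw keyword scan returns nothing for the fragmented notes file, and only the search over reassembled files finds it. In practice both passes are run, and a hit from the physical pass is mapped back to its owning file (or to unallocated space) exactly as owner_of does here.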
