Learn Computer Forensics – 2nd edition - William Oettinger - E-Book


Description

Computer forensics is a broad topic that draws on a variety of skills: seizing electronic evidence, acquiring data from that evidence, analyzing the data, and finally writing a forensic report.

This book will help you build the skills you need to work in a highly technical environment. Its goal is to get you up and running with forensic tools and techniques so that you can successfully investigate crime and corporate misconduct. You will discover ways to collect personal information about an individual from online sources. You will also learn how criminal investigations are performed online while preserving data such as emails, images, and videos that may be important to a case. You will further explore networking and understand network topologies, IP addressing, and network devices. Finally, you will learn how to write a proper forensic report, a critical part of the forensic examination process.

By the end of this book, you will have developed a clear understanding of how to acquire, analyze, and present digital evidence, like a proficient computer forensics investigator.

You can read the e-book in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 513

Year of publication: 2022




Learn Computer Forensics

Second Edition

Your one-stop guide to searching, analyzing, acquiring, and securing digital evidence

William Oettinger

BIRMINGHAM—MUMBAI

Learn Computer Forensics

Second Edition

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Senior Publishing Product Manager: Aaron Tanna

Acquisition Editor – Peer Reviews: Saby Dsilva

Project Editor: Amisha Vathare

Content Development Editor: Liam Draper

Copy Editor: Safis Editing

Technical Editor: Aniket Shetty

Proofreader: Safis Editing

Indexer: Manju Arasan

Presentation Designer: Pranit Padwal

First published: April 2020

Second edition: July 2022

Production reference: 2050822

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80323-830-2

www.packt.com

Contributors

About the author

William Oettinger is a veteran technical trainer and investigator. He is a retired police officer with the Las Vegas Metropolitan Police Department and a retired CID agent with the United States Marine Corps. He is a professional with over 20 years of experience in academic, local, military, federal, and international law enforcement organizations, where he acquired his multifaceted experience in IT, digital forensics, security operations, law enforcement, criminal investigations, policy, and procedure development. He has earned an MSc from Tiffin University, Ohio. When not working, he likes to spend time with his wife and his three miniature schnauzers.

This book is dedicated to IACIS and the pioneers of this field whom I have had the privilege of meeting and learning from. Mike Anderson and Will Docken were some of the first professionals I met, and they had a significant impact on me as I started in this field. I want to thank Eric Zimmerman, Harlan Carvey, Brett Shavers, and Steve Whalen for their work for the forensics community. Your information sharing and work have impacted me and helped me grow as an examiner. There is a long list of people who contributed to my success that I want to thank: Larry Smith, David Papargiris, Tom Keller, Dave McCain, Steve Williams, Scott Pearson, Scot Bradeen, Matt Presser, Mike Webber, and everyone else who has helped me along the way.

About the reviewer

Steve Whalen is a Certified Computer Forensic Examiner (CFCE) with degrees in Psychology and Sociology and served as a Delaware State Trooper. As a state trooper, Steve worked as a detective with the Criminal Investigations Unit and served as their first full-time forensic examiner for digital evidence. Building off this experience, Steve helped the Delaware State Police develop its first High Technology Crimes Unit in 2001, where he processed thousands of electronic devices and media containing digital evidence from hundreds of cases relating to intrusion, financial crimes, child sexual exploitation, narcotics, stalking and homicides.

After retiring from law enforcement, Steve co-founded SUMURI, a leading provider of hardware, software, training and services relating to digital evidence and computer forensics worldwide. Steve was the designer of the successful Macintosh Forensic Survival Courses, RAPTOR, PALADIN, CARBON and RECON forensic software, and TALINO workstations.

Steve has developed and delivered forensic training to thousands of investigators and examiners around the world through organizations such as the International Association of Computer Investigative Specialists (IACIS), the High Technology Crimes International Association (HTCIA) and the US Department of State Anti-Terrorism Assistance Program. Steve has over 20 years of experience in computer forensics and has provided training throughout North America, Asia, Europe, the Middle East, the Caribbean, Africa and Oceania.

Wanting to do more, Steve founded the non-profit company Red Stapler Inc. and used his knowledge of digital forensics, psychology, sociology to create a “first of its kind” software solution (https://www.catchapredator.org/) to combat the sexual exploitation of children in a way that has never been done in all of history.

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/CyberSec

Contents

Preface

Who this book is for

What this book covers

Get in touch

Types of Computer-Based Investigations

Introduction to computer-based investigations

Criminal investigations

First responders

Investigators

Crime scene technician

Illicit images

The crime of stalking

Criminal conspiracy

Corporate investigations

Employee misconduct

Corporate espionage

Security

Threat Actors

Social engineering

Real-world experience

Insider threat

Case studies

Dennis Rader

Silk Road

San Bernardino terror attack

Theft of intellectual property

Summary

Questions

Further reading

The Forensic Analysis Process

Pre-investigation considerations

The forensic workstation

The response kit

Forensic software

Forensic investigator training

Understanding case information and legal issues

Understanding data acquisition

Chain of custody

Understanding the analysis process

Dates and time zones

Hash analysis

File signature analysis

Antivirus

Reporting your findings

Details to include in your report

Document facts and circumstances

The report conclusion

Summary

Questions

Further reading

Acquisition of Evidence

Exploring evidence

Understanding the forensic examination environment

Tool validation

Creating sterile media

Understanding write blocking

Hardware write blocker

Software write blocker

Defining forensic imaging

DD image

EnCase evidence file

SSD device

Imaging tools

FTK Imager

PALADIN

Summary

Questions

Further reading

Computer Systems

Understanding the boot process

Forensic boot media

Creating a bootable forensic device

Hard drives

Drive geometry

MBR (Master Boot Record) partitions

Extended partitions

GPT partitions

Host Protected Area (HPA) and Device Configuration Overlay (DCO)

Understanding filesystems

The FAT filesystem

Boot record

File allocation table

Data area

Long filenames

Recovering deleted files

Slack space

Understanding the NTFS filesystem

Summary

Questions

Further reading

Computer Investigation Process

Timeline analysis

X-Ways

Plaso (Plaso Langar Að Safna Öllu)

Media analysis

String search

Recovering deleted data

Summary

Questions

Further reading

Exercise

Data set

Software needed

Email exercise

Data carving exercise

Windows Artifact Analysis

Understanding user profiles

Understanding Windows Registry

Determining account usage

Last login/last password change

Determining file knowledge

Exploring the thumbcache

Exploring Microsoft browsers

Determining most recently used/recently used

Looking into the Recycle Bin

Understanding shortcut (LNK) files

Deciphering JumpLists

Opening shellbags

Understanding prefetch

Identifying physical locations

Determining time zones

Exploring network history

Understanding the WLAN event log

Exploring program execution

Determining UserAssist

Exploring the Shimcache

Understanding USB/attached devices

Summary

Questions

Further reading

Exercise

Data set

Software needed

Scenario

RAM Memory Forensic Analysis

Fundamentals of memory

Random access memory?

Identifying sources of memory

Capturing RAM

Preparing the capturing device

Exploring RAM capture tools

Using DumpIt

Using FTK Imager

Exploring RAM analyzing tools

Using Bulk Extractor

Using VOLIX II

Summary

Questions

Further reading

Email Forensics – Investigation Techniques

Understanding email protocols

Understanding SMTP – Simple Mail Transfer Protocol

Understanding the Post Office Protocol

IMAP – Internet Message Access Protocol

Understanding web-based email

Decoding email

Understanding the email message format

Email attachments

Understanding client-based email analysis

Exploring Microsoft Outlook/Outlook Express

Exploring Microsoft Windows Live Mail

Mozilla Thunderbird

Understanding WebMail analysis

Summary

Questions

Further reading

Exercise

Data set

Software needed

Scenario

Interviews

Email accounts

Question to answer

Internet Artifacts

Understanding browsers

Exploring Google Chrome

Understanding bookmarks

Understanding the Chrome history file

Cookies

Cache

Passwords

Exploring Internet Explorer/Microsoft Edge (Old Version)

Bookmarks

IE history

Typed URL

Cache

Cookies

Exploring Firefox

Profiles

Cache

Cookies

History

Passwords

Bookmarks

Social media

Facebook

Twitter

Service provider

P2P file sharing

Ares

eMule

Shareaza

Cloud computing

Summary

Questions

Further reading

Online Investigations

Undercover investigations

Undercover platform

Online persona

Background searches

Preserving online communications

Summary

Questions

Further reading

Networking Basics

The Open Systems Interconnection (OSI) model

Physical (Layer 1)

Data link (Layer 2)

Network (Layer 3)

Transport (Layer 4)

Session (Layer 5)

Presentation (Layer 6)

Application (Layer 7)

Encapsulation

TCP/IP

IPv4

Port numbers

IPv6

Application layer protocols

Transport layer protocols

Internet layer protocols

Summary

Questions

Further reading

Report Writing

Effective note taking

Writing the report

Evidence analyzed

Acquisition details

Analysis details

Exhibits/technical details

Summary

Questions

Further reading

Expert Witness Ethics

Understanding the types of proceedings

Beginning the preparation phase

Understanding the curriculum vitae

Understanding testimony and evidence

Understanding the importance of ethical behavior

Summary

Questions

Further reading

Assessments

Chapter 01

Chapter 02

Chapter 03

Chapter 04

Chapter 05

Chapter 06

Chapter 07

Chapter 08

Chapter 09

Chapter 10

Chapter 11

Chapter 12

Chapter 13

Other Books You May Enjoy

Index


Preface

Welcome to the world of digital forensics! In this book, you will be going into the depths of the Windows operating system to determine the user’s actions on the system. You will also learn about the different filesystems used by the Windows operating system. The role of the examiner is not only about the examination, but also about the report you generate and how you explain your findings. You will learn how to prepare for a digital investigation, including equipment selection, training, and planning a response to the crime scene. It is my hope that this book will be your resource whether you are a novice or an experienced examiner.

This book teaches forensic examiners and those who want to become forensic examiners about the various skills and tasks required to be a forensic examiner, completing forensic analyses in either criminal or civil matters. This book will deliver information through the lens of the author’s experience in the United States of America so references to criminal matters will involve American law.

Who this book is for

This book is for the novice and the experienced examiner in the private or public employment sectors. While an understanding of operating systems and filesystems is helpful, it is not required.

What this book covers

Chapter 1, Types of Computer-Based Investigations, introduces the reader to the different topics of computer-based investigations, from criminal acts investigated by the police to potentially illegal actions performed by an employee or third parties and examined by a non-governmental investigator. While the goal is the same, to present evidence about an incident, the methods of the two differ slightly. It is essential for the reader to understand the similarities, that is, being able to present evidence in judicial proceedings, and recognize the differences, that is, the search warrant requirements that apply to a government agent.

Chapter 2, The Forensic Analysis Process, details the critical thinking involved in planning digital investigative services. This topic will allow the reader to create a strategy for conducting an efficient investigation. The reader will learn to take different approaches to an investigation depending on the unique set of circumstances of each matter.

Chapter 3, Acquisition of Evidence, explains that digital evidence is one of the most volatile pieces of evidence an investigator can handle. The mishandling of digital evidence can severely impact an investigation. Additionally, you may destroy the entire dataset. This chapter will address how to minimize or eliminate these issues when using a validation process to create a forensic image.

Chapter 4, Computer Systems, explains that the investigator must control the computer processes while acquiring digital evidence. When dealing with the many combinations of operating systems and hardware, you must implement controls to protect the integrity of the evidence. This chapter will discuss the boot process in detail and identify the most commonly used filesystems.

Chapter 5, Computer Investigation Process, explains that being a forensic examiner is much more than pushing a button. Once the evidence has been collected, you have to analyze the dataset. It is not about finding artifacts but rather examining the data and putting it into a context that will either support or not support the hypothesis about the user’s actions on the system.

Chapter 6, Windows Artifact Analysis, explains that Microsoft Windows is by far the most common operating system today. In this chapter, we will look at the different versions of Windows and will show the reader how to identify and recover common artifacts based on the release of Windows being examined.

Chapter 7, RAM Memory Forensic Analysis, covers the analysis of RAM, which is a source of evidence that has recently been recognized as containing vital information about the user’s actions on the system. RAM is very volatile evidence and can provide data that cannot be found anywhere else on the computer system.

Chapter 8, Email Forensics – Investigation Techniques, discusses email, which is a part of everyday life. This communication vector can be one of the primary communication tools for the majority of the population. These communications can contain incredible amounts of data related to an investigation. The investigator must be able to reconstruct the path that email took from the source to the destination to determine its validity.

Chapter 9, Internet Artifacts, explains that using the internet is a daily activity for the majority of the population. Like any other activity, the internet can be used for legal, law-abiding business, or for criminal activity. The internet can be accessed in a variety of ways. The forensic investigator must be able to analyze all these different aspects of the internet to get to the truth of the matter.

Chapter 10, Online Investigations, discusses how to use open-source intelligence techniques to learn about the target of the investigations. Also discussed are the steps an investigator can take to hide their true identity and create an undercover online persona.

Chapter 11, Networking Basics, explains some of the common network protocols, hardware and models that are being used to connect devices and share information. The ability to understand how information is shared between devices is a critical skill for the online investigator.

Chapter 12, Report Writing, covers report writing, which is not the most exciting portion of the forensic exam process. The forensic examiner must be able to explain a technical topic to a non-technical user. As a forensic examiner, you must be able to place that artifact into a context that the audience understands. This ability is a critical skill that you need to master to be a competent forensic examiner.

Chapter 13, Expert Witness Ethics, explains that a forensic examiner must be objective, truthful, honest, and perform their due diligence when conducting an examination. The examiner will be providing testimony that may result in someone losing their freedom. The ultimate goal of the investigation conducted by the forensic examiner is to provide testimony or evidence in a judicial or administrative proceeding to stop the cybercriminal’s activity.

Download the exercise files

You can download the exercise files for this book from https://github.com/bill-lcf/Learn-Computer-Forensics.

Employed academic faculty can also download PowerPoints for each chapter and a question bank after validation. Send an email to [email protected] from an .edu email address requesting access. If you do not have an .edu email address, please send proof that you are an instructor.

Once the files are downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR / 7-Zip for Windows
Zipeg / iZip / UnRarX for Mac
7-Zip / PeaZip for Linux

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781803238302_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. For example: “Outlook stores email information in several file types, such as .pst, .mdb, and .ost.”

A block of code is set as follows:

MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

{"endpoint_info_list":[
  {"endpoint":"smtp:[email protected]", "c_id":"d24c.2d00", "c_name":"Joe Badguy Smith"},
  {"endpoint":"smtp:[email protected]", "c_id":"e80f.5b71", "c_name":"John Badguy Smith"},
  {"endpoint":"smtp:[email protected]", "c_id":"624f.10f0", "c_name":"Yahoo! Inc."}
]}

Any command-line input or output is written as follows:

$USER$\AppData\Local\Google\Chrome\User Data\Default

Bold: Indicates a new term, an important word, or words that you see on the screen. For instance, words in menus or dialog boxes appear in the text like this. For example: “The MSF files are Mail Summary files, one part of the email.”

Warnings or important notes appear like this.

Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book’s title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you reported this to us. Please visit http://www.packtpub.com/submit-errata, click Submit Errata, and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit http://authors.packtpub.com.

Share your thoughts

Once you’ve read Learn Computer Forensics, Second Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

1

Types of Computer-Based Investigations

Welcome to the 21st century, where almost everything in life is connected to an electronic device. There are digital cameras inside doorbells; your smartphone tracks your daily progress from work to home and back again; you get social media updates when you go to the gym, a show, or travel to a new city.

Your phone calls, bank access, and medical appointments are tracked via digital technology. If it tracks your mundane daily activity, what about criminal or unethical behavior? Of course, that activity is also tracked, and if you are a digital forensic investigator, you must know where the digital evidence is stored and how to analyze it. All activity, benign or criminal, will most likely generate some sort of digital evidence. As an investigator, it is your job to locate all data of interest, process it, and present the evidence to the finder of fact. This chapter will introduce you to the different kinds of computer-based investigations, from criminal acts investigated by the police to civil matters and potentially illegal actions by an employee or an external third party, examined by a non-governmental investigator.

While the goal is the same, to present evidence related to an incident, the methods for evidence gathering and for evidence presentation are slightly different. Therefore, you need to understand where there are similarities and where there are differences.

The topics that will be covered in this chapter are as follows:

Differences in computer-based investigations
Criminal investigations
Corporate investigations

Introduction to computer-based investigations

This book is all about introducing a beginner to the realm of digital forensics. What is digital forensics? It is a division of forensics involving the recovery and analysis of data from digital devices. At one time, the term digital forensics was treated as a synonym for computer forensics, but now it covers all devices capable of storing digital data. No matter what term is used, the goal is to identify, collect, and examine/analyze digital data while preserving its integrity. Digital forensics is not only about finding the artifact; it is a formal examination/analysis of the digital evidence to prove or disprove whether the accused committed the violation.

It is not always about demonstrating that the suspect is guilty; as a forensic examiner, you also have that ethical obligation to find exculpatory evidence that will prove the subject’s innocence. In addition, you must be an unbiased third party in presenting the investigation’s findings. In a criminal examination, your findings could deprive someone of their liberty, and in a corporate investigation, your findings may lead to a criminal investigation or cost someone their livelihood. As a digital forensic examiner, your conclusions can have an extraordinary impact on the subjects of the investigation.

To be a digital forensic examiner, you need to have a desire to ask questions, have specialized equipment, and have the required training. From teaching people interested in the field, I have found the best students can critically examine the facts and circumstances being presented and, using that ability, can focus their efforts on efficiently reaching an accurate conclusion. Unfortunately, I find many students want to use a “find evidence” button, find all the artifacts, and print up a thousand-page report and call it a day. That is not digital forensics.

Digital forensics is not just finding the artifact. By artifact, I am talking about an incriminating Google search in the browser history, an incriminating email between the subject and a co-conspirator, or illicit images found in the filesystem. Artifacts are breadcrumbs leading to the identity of the person conducting the illegal activity. However, on their own, they do not identify the user who created them, or who is indirectly responsible for their creation. One of the biggest challenges in this field is identifying the user who was physically operating the device. You want to tie the user account to a specific person, and to do that, you have to analyze – that is the keyword – the digital evidence to associate it with a particular user.

If you are in the IT field, you will understand networking and computer operating systems, but you may lack knowledge of how to preserve evidence, maintain a chain of custody, and present it in criminal/administrative proceedings.

If you are an investigator, you will understand the chain of custody, evidence preservation, and testifying in criminal/administrative proceedings. However, you may lack experience in the digital field. To be an effective digital forensic examiner, you must be part of both those worlds. You must understand how data is created, shared, and saved in the digital realm and preserve that evidence in a forensically sound manner and be able to testify in proceedings. Sometimes, the ability to talk in front of a large group while answering challenging questions posed to you by attorneys from both sides is the hardest part of the field.

As with any field, the way you get better and more effective is to practice, conduct real and mock examinations, receive training, and have the willingness to reach out to your peers for advice. Since you are reading this book, you are taking that first step. You could be reading the text on your own, using it as a textbook for a college course you are taking, or using it in a corporate training session. The reason does not matter. Reading this book will put you on the road to becoming a more effective digital forensic examiner.

What is cybercrime? What crimes does a digital forensic examiner investigate? A digital forensic examiner may investigate any alleged wrongdoing that touches the digital world. Nearly everyone possesses a mobile device. Sometimes, a person owns or uses multiple mobile devices, laptops, and the traditional desktop. All of these sources can maintain a significant amount of information related to the investigation. For example, I investigated a crime against a person where the victim was physically unable to communicate with the police. How does that become a crime that requires the use of a digital forensic examiner?

Well, in this case, she had maintained communication with the suspect of that crime via a website and instant messaging on her mobile device. So, while these sources did not directly contain evidence of the crime being investigated, they did contain evidence about the relationship between the victim and the suspect. In the 21st century, almost any crime may have evidence stored in a digital format. There are also crimes where someone uses a computer as the tool to commit the crime, such as sending harassing emails, fraud and forgery, hacking, corporate espionage, or the trafficking of illicit images. Your occupation will dictate your response to a situation: if you are in law enforcement, you will have one set of procedures to follow, while if you are in the corporate world, you will have a different set. While some processes overlap between the two fields, each has its unique differences, which is what we will discuss next.

Criminal investigations

As a law enforcement professional, your first consideration will be officer safety. Is the scene safe and secure to process and secure evidence? When the investigation starts, you may participate in one or more roles. The most basic positions are as follows:

The first responder
The investigator
Crime scene technician

Depending on the size of your agency, you may fill one position or all three, and you may report to one or more supervisors. With digital evidence, the person in charge of the crime scene should understand how fragile that evidence is. That understanding allows personnel to follow the proper procedures to ensure that the evidence is not altered or corrupted.

Let’s talk about what each role does.

First responders

The first responders are the first ones on the scene. They secure what may be a chaotic scene. They will identify the following:

Potential victims
Witnesses
Potential suspects
How best to maintain control

They will do this until the investigator arrives. The first responder’s primary mission is to make the scene safe and secure and ensure that no one can contaminate the evidence. As you can imagine, crime scenes can vary from a dynamic crime scene to a relatively static crime scene, depending on the nature of the crime. In both scenarios, the first responder must have basic knowledge of what items could contain digital evidence when they secure the scene. We would not want subjects grabbing cell phones or laptops and using them for any activity.

So, how does a first responder protect the crime scene? Like you see in TV shows and movies, yellow crime scene tape is the most common method. It is the most straightforward visible sign of a crime scene barrier, and in our culture, people recognize the barrier being presented by that thin piece of yellow plastic. One or more personnel will have to monitor the crime scene to regulate who can cross that line and enter the scene.

Investigators

The investigator will respond to the scene after being requested by the first responder. Upon arriving at the scene, the first responder and the investigator will coordinate, and information sharing will now start. The first responder will provide the basic information, which typically involves the five Ws and one H, specifically the who, what, when, where, why, and how, about the incident.

The first responder will also provide information about any actions they or anyone else had taken before the arrival of the investigator. For example, the investigator will want to know whether the first responder(s) touched anything, moved anything, or changed anything within the crime scene. This could be a physical action such as applying first aid to a victim or turning a computer on or off. I remember an examination I did where the first responders did not reveal that they had accessed the victim’s computer. While conducting my examination, I did a timeline analysis and saw an abnormality in the activity after the victim had died. The abnormality was caused by the unreported actions of the first responders. What’s important to understand here is that the first responders’ actions were not wrong. What created complications was that they did not report the actions, which led to additional work and explanations.

The investigator takes charge of the scene and directs all activity. They will direct the other team members’ investigative efforts to ensure the proper documentation is completed regarding the seizure of evidence. Sometimes, the first responder will seize evidence and turn it over to the investigator. A chain of custody document must be completed and maintained showing who found the item and who maintained control until the completion of the judicial or administrative proceedings.

Crime scene technician

Finally, we come to the crime scene technician. This can be a sworn or unsworn position within the law enforcement agency. They have specialized training in the collection of evidence. This may involve physical evidence, such as fingerprints, tool marks, and biological fluids, as well as crime scene photography, all of which require specialized training and equipment. The collection of digital evidence requires the same level of expertise that the collection of physical evidence does.

Note

We can put law enforcement jobs into two basic groups.

Sworn: May take an oath to support the laws in their jurisdiction; they have the power to make arrests and carry firearms.

Unsworn: May take an oath but do not have powers to arrest. These positions are typically crime scene analysts or law enforcement support technicians (this will be dependent on your jurisdiction).

The crime scene technician is responsible for preserving evidence and starting the chain of custody. Some actions they could carry out include acquiring the volatile memory of a computer system, creating forensic images of the storage devices, or creating the logical forensic image of logical files from a server. Next, the evidence will be bagged, tagged, and transported to a secure location. What do I mean by bagged and tagged? They will place the physical evidence or the items holding the digital evidence in the appropriate storage container. A tag will then be filled out with identifiers to specify which investigation the evidence belongs to, who collected it, and what evidence is contained within the container.
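One way to record the "bag and tag" step for a digital item, as an added example that is not the book's own code: the acquired image is hashed at collection, the hash goes on the tag, and every hand-off is appended to a custody record that can later be checked for gaps. The case number, the names, and the image bytes are constructed for illustration.

```python
"""Evidence tag and chain-of-custody record with hash verification.

Added example; not the book's code. The case number, names and image
bytes are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Acquisition hash; this value is written on the evidence tag."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    case_number: str
    item_number: str
    description: str
    collected_by: str
    sha256: str
    custody: List[dict] = field(default_factory=list)

    def transfer(self, from_person: str, to_person: str, purpose: str,
                 when: Optional[datetime] = None) -> None:
        """Append one custody entry. Entries are only ever appended, never
        edited, so the record stays a complete history of who held the item."""
        when = when or datetime.now(timezone.utc)
        self.custody.append({"time": when.isoformat(), "from": from_person,
                             "to": to_person, "purpose": purpose})

    def verify(self, data: bytes) -> bool:
        """Recompute the hash of the image and compare it with the tag."""
        return sha256_hex(data) == self.sha256

    def chain_is_unbroken(self) -> bool:
        """The first entry must deliver the item to the collector, and every
        later hand-off must start with the person who last held the item."""
        if not self.custody or self.custody[0]["to"] != self.collected_by:
            return False
        for prev, nxt in zip(self.custody, self.custody[1:]):
            if prev["to"] != nxt["from"]:
                return False
        return True

    def tag(self) -> str:
        """Text of the tag attached to the evidence bag."""
        return (f"Case {self.case_number} / Item {self.item_number}\n"
                f"{self.description}\nCollected by: {self.collected_by}\n"
                f"SHA-256: {self.sha256}")


def tag_evidence(case_number: str, item_number: str, description: str,
                 collected_by: str, data: bytes) -> EvidenceItem:
    """Hash the acquired image and open its chain of custody."""
    item = EvidenceItem(case_number, item_number, description,
                        collected_by, sha256_hex(data))
    item.transfer("scene", collected_by, "collected at scene")
    return item


if __name__ == "__main__":
    image = b"constructed forensic image bytes" * 100
    item = tag_evidence("2022-0001", "3", "laptop SSD image", "Tech Rivera", image)
    item.transfer("Tech Rivera", "Examiner Chen", "forensic analysis")
    print(item.tag())
    print("image intact:", item.verify(image))
    print("custody unbroken:", item.chain_is_unbroken())
```

The hash is what lets an examiner months later show that the image they analyzed is the one collected at the scene; the custody check catches the situation in the text where an item changes hands without anyone recording it.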

As we go through the rest of this book, we will cover the duties of the crime scene technician in greater detail.

A law enforcement officer may be a first responder, investigator, or crime scene technician and, in all roles, is an agent of the government. Depending on your jurisdiction, the government may restrict how and when the property can be seized and searched. I will discuss the judicial process in the United States; your locality may have different laws and procedures.

In the United States, a citizen’s rights to privacy are protected by the fourth amendment of the US Constitution, which states the following:

”The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

At a basic level, this means that before the government can seize any evidence, there must be (a) a search warrant based upon probable cause or (b) the owner's consent. Consent must be given voluntarily and can be revoked at any time, which can create an issue in some jurisdictions where the processing of digital evidence can take months and, in some jurisdictions, years. If the owner revokes their consent or refuses to give it, what options does law enforcement have? A search warrant.

How does a member of law enforcement get a warrant? As we learned from the preceding passage, it must be based on probable cause. Probable cause is a reasonableness standard: the applicant must have a reasonable belief, supported by facts they can state under oath, that the items being searched for are at that location. Who determines what is reasonable? A judicial official, such as a judge, Justice of the Peace, and so on.

The law enforcement officer makes the written request while the judge reviews it and will approve/disapprove it. If approved, the law enforcement officer can seize and search the property within the guidelines specified by the judicial official. The law requires only agents of the government to get a search warrant to seize and search property. This process will not pertain to you if you work in the corporate world.

Now, let’s talk about some potential crimes someone might call you to investigate. This will be a high-level overview of the crime itself. Later in this book, we will address the specific artifacts we should analyze to determine whether criminal actions occurred.

Illicit images

Nearly everyone is connected to the many different forms of digital networks via our mobile devices, tablets, laptops, and computers–we are always connected in one manner or another. Depending on who you ask, it is either the best thing in the world or the worst. There are some excellent aspects; social media allows people/family members to stay in contact, no matter where they are in the world. The totality of the world’s knowledge is just a few clicks away. You can read news reports from portions of the world that you previously did not know existed. It is an adventure waiting to happen. Now, it is not all unicorns and rainbows out there. Like any society, there are dark and dangerous portions of the internet where you should be hesitant to travel. That includes the sourcing and sharing of illicit images. For our purposes, an illicit image is an image whose subject matter is offensive or illegal, depending on your cultural or legal landscape.

Before the advent and widespread use of the internet, trafficking in illicit images was almost eradicated, so what changed? The consumer of illicit images no longer had to be physically present to pick up the physical images. The internet allows the user to be relatively anonymous and access illicit images with minimal exposure. I have read reports stating that the high-speed data network that most of us enjoy is because the consumer wants faster throughput speeds to download illicit images.

Consumers of illicit images have free access to terabytes of data with simple clicks of the mouse. If the consumer wants higher quality or a specific subject matter, then it is not a complicated process to find a vendor to meet the consumer’s needs for a price.

Your jurisdiction will determine what is or is not an illicit image and the level of criminality associated with the contraband images’ possession and/or distribution. I will not differentiate or specify a subject to define illicit images. Instead, I will discuss them using the generic title of illicit images or contraband images. You can use either phrase depending on what may be legal/illegal in your jurisdiction.

How do people share contraband images? At a basic level, a file is a file. A JPEG image of a sunset does not differ from a JPEG image of a contraband subject. Anyone can use any aspect of the internet to share files–the content of the files is irrelevant. If the system allows the user to share data, then the contents of those shared files can be legal or illegal content. Let’s look at some media through which illicit images could be exchanged.

Email-based communications

Email is one of the easiest ways to share information through files between two or more people. An email address does not automatically point to a specific user. Some service providers actively advertise anonymity for users of their email accounts. The service provider states that they do not save transactional information, such as source IP, dates and times of connection, or billing information. The service provider may be located outside of the jurisdiction investigating the contraband, which will allow the service provider to ignore the judicial paperwork requesting the subscriber information.

Newsgroups/USENET

This is one of the oldest components of the internet and has fallen off the radar for the everyday user. USENET predates the World Wide Web; in the early internet, the main services were email, USENET, and, later, web browsing. Web browsing and email are known by nearly every internet user, while USENET has faded out of public perception. However, this does not mean it is not being used. USENET is like the old bulletin board system, where you had specific groups, and users could post messages, attach files, and other users could download the files and comments. The user can post just a text message or attach a file to the message. This attached file is known as a binary.

This USENET attachment can be any file type, such as digital images, video, audio, software, or anything else a user can access. The user must use a newsreader to access USENET. There are free and paid versions of newsreaders available, and the user subscribes to a USENET service provider to reach the groups. Just like the email service providers that we discussed earlier, one selling point for USENET service providers is anonymity; they explicitly state that they maintain no user transactional data or billing records, or they are located in jurisdictions whose laws may not adequately address the contraband contained on their servers:

Figure 1.1: Unison application

The preceding screenshot shows you the Unison program running on macOS and accessing the service provider Astraweb.

Looking from left to right, you can see the hierarchical system used by USENET. I have selected alt in the far-left column, which then populates the next column with many named folders. The folders’ naming convention shows the subject of the group. I have selected binaries, which means I am looking for attached files to the postings. We can see folder icons in the third column and a brown folder icon with papers coming out the top. The folder icon shows that additional groups are contained within, while the brown folder icon indicates a newsgroup.

As you can see from the preceding screenshot, there are a variety of subjects for the user to explore; some groups may or may not contain contraband images/files. Your jurisdiction will determine what is legal or not as you conduct your investigation.

Peer-to-Peer file sharing

Peer-to-Peer (P2P) file-sharing is a decentralized method of file sharing. In traditional file sharing, a server hosts the file, and the client accesses the server to download the file. Early services such as Napster were a hybrid: the music files lived on users' machines, but a central server kept the directory of who had what. That central index became a liability for copyright violations. The service provider was served with judicial process and was held liable for hosting a directory of copyrighted files.

In response, the P2P method changed; no longer was a centralized database created. Instead, users could directly search other users' shared folders on the network. Users connected to a shared network and acted as both servers and clients. In P2P file sharing, when a user identifies a file they want to download, the software reaches out to the other users who possess the desired file. Each of those users provides a piece of the file to the recipient. When all the pieces have been collected and verified, the software reassembles them into the original file. The user can then participate as a node (the term "node," when discussing P2P, refers to the user's system connected to the P2P network and sharing files) and start sharing the file they just downloaded:

Figure 1.2: Transmission application

The preceding screenshot shows the Transmission program running on macOS. I am downloading a movie from the public domain (archive.org), and in the bottom portion of the preceding screenshot, you can see that the file has been broken into much smaller bits. The highlighted bits show which parts of the file I have downloaded. Later, we will go into much greater detail about P2P file sharing and the artifacts left in the filesystem.
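The piece-wise download described above, as an added example that is neither the book's code nor the Transmission program's: the file is cut into fixed-size pieces, each piece has its own SHA-1 digest (the per-piece hashes a torrent's metadata carries), pieces arrive out of order from different peers, and each one is checked against its digest before the file is reassembled. The piece size and the sample payload are constructed for the example.

```python
"""Piece-wise P2P transfer with per-piece hash verification.

Added example; not the book's code. The 16-byte piece size and the
payload are constructed so the example runs quickly (real clients use
pieces of hundreds of KiB or more).
"""
import hashlib
import random
from typing import Dict, List, Optional, Tuple

PIECE_SIZE = 16  # constructed for the example


def split_into_pieces(data: bytes, piece_size: int = PIECE_SIZE) -> List[bytes]:
    """Cut the file into fixed-size pieces; the last piece may be shorter."""
    return [data[i:i + piece_size] for i in range(0, len(data), piece_size)]


def piece_hashes(pieces: List[bytes]) -> List[bytes]:
    """The per-piece SHA-1 digests published with the torrent."""
    return [hashlib.sha1(p).digest() for p in pieces]


def reassemble(received: Dict[int, bytes],
               expected: List[bytes]) -> Tuple[Optional[bytes], List[int]]:
    """Verify every received piece against its published digest and
    rebuild the file in order.

    received maps piece index -> bytes, in whatever order peers sent them.
    Returns (file bytes, []) on success, or (None, indexes of missing or
    corrupt pieces) so the client knows what to request again."""
    bad: List[int] = []
    out = bytearray()
    for idx, digest in enumerate(expected):
        piece = received.get(idx)
        if piece is None or hashlib.sha1(piece).digest() != digest:
            bad.append(idx)
            continue
        out += piece
    if bad:
        return None, bad
    return bytes(out), []


def simulate_swarm(data: bytes, corrupt_index: Optional[int] = None,
                   seed: int = 1) -> Tuple[Optional[bytes], List[int]]:
    """Peers deliver pieces in random order; optionally one peer sends a
    corrupted piece, which the hash check must catch."""
    pieces = split_into_pieces(data)
    expected = piece_hashes(pieces)
    order = list(range(len(pieces)))
    random.Random(seed).shuffle(order)
    received: Dict[int, bytes] = {}
    for idx in order:
        piece = pieces[idx]
        if idx == corrupt_index:
            piece = b"X" + piece[1:]
        received[idx] = piece
    return reassemble(received, expected)


if __name__ == "__main__":
    payload = bytes(range(256)) * 3
    print("clean swarm:", simulate_swarm(payload)[0] == payload)
    print("corrupt piece flagged:", simulate_swarm(payload, corrupt_index=5)[1])
```

For the examiner, the same per-piece hashes are why a partially downloaded file on a suspect's machine can still be matched to a known file: each completed piece is individually verifiable even when the whole file never finished.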

The crime of stalking

For all of the good that the internet provides, it also provides a conduit for people to exploit, harass, and bully others. The subject may know the victim personally, or may only have interacted with the victim's online persona in some manner and felt that the victim had wronged them. A lot of the bad behavior we see online stems from the anonymity the internet provides the attacker/subject. When eyes are watching, or when the attacker's true identity is known, they change their behavior to conform to societal norms. Unfortunately, it takes time for society to recognize the criminality of specific actions carried out via the digital medium.

Cyberstalking or cyberbullying is now being regulated and considered an actual crime. Depending on your jurisdiction, the definition will vary, and what resources the government will spend on prosecuting these crimes will differ. Remember, the user’s identity at the other end of the digital world can be challenging to prove to the high standard required by a court of law.

According to the National Center for Victims of Crime, https://web.archive.org/web/20201028110630/https://members.victimsofcrime.org/our-programs/past-programs/stalking-resource-center/stalking-information, historically, in the United States, almost 1,500,000 people, the majority of them women, have been victimized, harassed, and bullied via the digital medium, with the attacks lasting more than two years. In addition, the attacks increased in length if the participants had been intimate partners.

The impact of this criminal behavior is immense; the victim may lose time from work, may have to move residences (several times, sometimes), and potentially suffer from the physical and mental effects such as the anxiety and depression that come from being targeted. In addition, the ability to stalk a former intimate partner in the digital world opens the door to the ability to inflict significant violence on a former partner and, in some cases, bring about their death.

What behaviors can make up cyberstalking? Generally, cyberstalking is a course of conduct in which the stalker engages in a series of actions that cause the target to be fearful and concerned about their well-being. An example of this is where a terminated employee sent manipulated, compromising images of their supervisor to members of the organization and the general public. This activity continued for months before it was stopped. Despite the harassment ending and the perpetrator being identified, the supervisor still felt the need to leave their job, change their name, and move to another community.

So, where do we begin in our attempts to investigate this crime? The interview will be the best starting place. Asking the victim if they know or suspect who may be behind the harassment is the first question asked.

In my experience and most of the time, the victim will have a general idea of who the harasser is, especially if it is a former intimate partner. Now, some victims may suffer from mental health issues that could complicate the assessment. As an investigator, you must listen to the whole story to understand the totality of events. Just because someone may appear paranoid does not mean that their concerns or fears are unfounded. As an investigator, you must have an open mind and not allow your preconceptions to make you miss evidence or indicators that may be visible.

If the victim has an idea of who the harasser may be, make sure you record all the pertinent information they can provide you. Names, addresses, usernames, email addresses, screen names, and social media locations will all give you valuable information so that you can start your investigation.

Establish the method of the harassment and when it started. For example, was it a Facebook group? Snapchat? Text messages? Chat rooms? Is a mobile device involved in text messages, missed calls, and more? Has the harassment gone old-school with the use of the post office with physical letters?

Threats of violence may increase the severity of the crime and should not be discounted.

The investigator will need to ensure they get forensically sound copies of the digital evidence to start the investigation. This creates the chain of custody of the digital evidence and is the beginning of the investigation.

We will go into much greater detail about the specific artifacts found in digital evidence, but once you have account usernames and IP addresses that the attacker is using to facilitate their attacks, you have a starting point to identify them.

In the United States, a subpoena is required to obtain subscriber information. This information includes the user's first and last names, physical address, how often they access the account, and the IP address used to access the account. How long this information is retained varies between service providers. Sometimes, it could be as little as weeks or as much as years, depending on the provider. You can also submit legal paperwork (a preservation request) asking the provider to "freeze" the account so that the user cannot disable it or delete any incriminating information while you obtain further process.

To gain access to the information contained within the account, such as email content, contents of messages, or anything having to do with content, a search warrant signed by a judge will have to be served on the service provider. If the service provider is within the same jurisdiction as the judicial authority, there are typically no issues. However, when the service provider is in another jurisdiction within the United States or a jurisdiction outside the borders of the United States, this is when the process becomes much more difficult, and sometimes it’s impossible to proceed.

Some subscriber information you get may or may not be accurate. It is not unusual for a user to complete the registration forms with false information. But what you can do, for example, if you have an email address, is you can do an open-source search and see whether the user used the email address anywhere else. For example, some online forums will use the email address as a username, and if so, the user may post identifying information in their communications with the other users. That forum now becomes a source of information for which you can issue a subpoena to get the subscriber information.

As you can see, following breadcrumbs of information may lead you to sources you never even considered. Moreover, it can be quite complicated and time-consuming.

Criminal conspiracy

Criminal conspiracy and digital forensics: how do these aspects intersect in the world of the digital forensic investigator? First, let’s define what a conspiracy is: when two or more people agree to commit an illegal act. However, just deciding to commit the unlawful act is not enough; actions also have to be taken to further the conspiracy. What does all that mean? For the physical crime of robbery, criminal A contacts criminal B to discuss robbing victim C. The conversation between criminals A and B does not meet the statutory definition of a conspiracy. However, suppose criminal A paid criminal B and agreed on the amount of funds in exchange for the service of the robbing of victim C. In that case, we have an act in furtherance of the conspiracy to commit robbery. So, what crimes can the digital forensic investigator find within the digital realm? Almost any crime imaginable. Let’s take a look at an example of such a crime:

”Michelle Theer was convicted of a crime against a person. She conspired with John Diamond to commit the crime against her husband, Marty. Investigators had no direct evidence, no physical evidence, and no eyewitness evidence, but they had digital evidence showing the conspiracy to commit the crime. Investigators recovered over 80,000 emails and instant messages between Diamond and Theer that showed a personal relationship between the two and the messages showing the conspiracy between them to commit the crime.”

You can read about this case in more detail at https://caselaw.findlaw.com/nc-court-of-appeals/1201672.html.

Now more than ever, people are connected to their devices for their everyday activities. It is not a stretch of the imagination that criminals also use their devices to help organize their criminal activities. The digital forensic investigator has to know of all potential sources of digital evidence and recognize that the Internet of Things (IoT) is an untapped bonanza of digital evidence. What is the Internet of Things?

Voice assistants such as Siri and Alexa, smartwatches, home security systems, and GPS devices – anything that has an app – might contain evidence and show the criminals' intent to commit the crime. Failure to recognize digital devices can result in significant damage to your investigation. For example, there have been instances where the subject of an investigation was placed in the interrogation room, and the investigator did not recognize that the suspect was wearing a smartwatch. While the subject was left unattended in the interrogation room, they were able to communicate with their co-conspirators and direct their efforts to destroy evidence and interfere with the investigation. Once the investigators caught on to the subject's actions, they used the smartwatch to show the criminal conspiracy. They used the evidence to generate additional charges for the suspect in custody and their co-conspirators.

Social media is also a source of digital evidence for showing a conspiracy. For example, take the case of Larry Jo Thomas. The government convicted Thomas of committing a crime against Rito Llamas-Juarez. Initially, investigators only knew that a specific type of item harmed Llamas-Juarez. However, as investigators processed the crime scene, a bracelet that was “distinctive” was found and collected as evidence. The investigators examined Thomas’s Facebook page and saw a photo of Thomas posing with an item similar to what was used at the crime scene. In a different photo, they found the “distinctive” bracelet being worn by Thomas. While the digital evidence did not directly impact the criminality being investigated, it showed how the subject had the means and had been at the crime scene.

Vehicles are also a source of evidence to prove the conspiracy. Modern vehicles are network-connected: they provide their own Wi-Fi hotspot, sync data with paired mobile devices, record GPS data, and keep an event data recorder (the vehicle's "black box"). Potentially, the investigator can show the subjects performing reconnaissance on their targets, meetings between the conspirators at a shared location, or where they have traveled to and returned from using toll passes.

Technology is rapidly changing and advancing as the general population uses technology, and so do the criminals. The general population plans out their day by utilizing technology; criminals also plan out their day of criminal activity using the same technology. I am always amazed when criminals use their mobile devices to plan and execute criminal activity and then take pictures to memorialize their illegal business.

Now that we have learned about criminal investigations, the roles, and the means by which information is being shared, let’s move on to the next type of investigation, which is corporate investigations.

Corporate investigations

We will now discuss computer forensics from a civilian or non-law enforcement perspective. Since you are not an agent of the government, the search warrant requirement does not pertain to you. (Your specific jurisdiction may be different.) While you may not have the search warrant requirement, you cannot seize and analyze private property. What do I mean by that? You are the investigator for a large multinational corporation; you have an employee you believe is harassing other employees and may have viewed illicit images on their company laptop. What is the legal requirement for you to examine the contents of the employee’s laptop? If you are an agent of the government, the employee has an expectation of privacy. However, as an employee utilizing the company’s equipment, in the United States the courts have held that the employee has a limited expectation of privacy on the data in the device.

Important note

This may differ, depending on your local jurisdiction. I was teaching a class in Germany and as I was teaching, the students explained that German law gave an employee a high expectation of privacy. In their jurisdiction, there were specific requirements that had to be met before they could examine an employee’s computer.

Other than the search warrant requirement, the corporate investigator’s duties are similar to law enforcement’s. They still must acquire the evidence, analyze the evidence, and present their findings. They could present their findings in an administrative proceeding or, if necessary, forward them to law enforcement, where they may have to testify in a judicial proceeding. In either case, the digital forensic investigator must ensure that the digital evidence was collected in a forensically sound manner while maintaining the chain of custody of the digital evidence.

If the digital forensic examiner cannot authenticate the evidence, they cannot testify or present it in the administrative/judicial proceeding. The corporate digital forensic investigator also investigates a wide variety of allegations. Typically, they will not be investigating a crime where a person was hurt or killed. However, they can still investigate fraud, forgery, a violation of the company’s policies and procedures, corporate espionage, or if they believe an employee has stolen intellectual property or is trying to harm the corporation itself. So, let’s now talk about employee misconduct.

Employee misconduct

As a condition of the employee’s employment, they must abide by the policies created by their organization. Typically, an employer has an “Employee Handbook” or has a set of policies and procedures that dictate what behaviors are acceptable and which ones are not acceptable. Such policies also include laying out specifications to ensure that the organization treats all employees with dignity and respect in the organization’s daily operations. There may be rules that specify an acceptable use of the organization’s desktop and laptop computers, and a violation of those rules could result in an investigation analyzing those devices, as we mentioned earlier.

Now, I use the term “policy and procedures,” and I have found a large amount of confusion with those two terms, primarily when used together. A policy is a statement from the organization addressing a specific issue, while the procedure is the specific instructions regarding how to accomplish the goals of the policy. For example, the organization could enact a policy to restrict employees from accessing non-organizational emails using the organization’s computers. The procedure would have two audiences: all the employees and the IT staff. The procedure would inform the employees of how to access the organization’s email while directing the IT staff regarding how to block non-organizational emails from being accessed.

You need to follow some general guidelines as your organization drafts and implements policies and the accompanying procedures, as follows:

The policy should be simple to understand. Short and sweet – do not overcomplicate it. If there is a way for an employee to "misunderstand" the policy, then they will dispute whether their actions violated the policy.
The procedure should specify all the steps needed to implement the task outlined in the policy. Don't assume the reader will understand if you are not specific in what you want them to do.
The organization must inform the employee of the potential consequences of violating the policy.
The organization cannot implement policies that violate the law.
The organization must enforce the policies. There have been many investigations I have conducted where multiple employees have violated the policy, but the organization never enforced the policy. If they do not enforce the policy for 51 weeks and then, during the 52nd week, the organization enforces the policy against some employees and not others, how can the employees be held accountable during week 52?
There must be documentation that the employee knew and understood that the organization implemented the policy and the penalties for violating the policy.

If an employee violates the organizations’ policies or procedures, does law enforcement have to get involved? Of course not. It would depend on the violation, whether it was a criminal act, and whether the organization had a responsibility to notify law enforcement. Sometimes, the law may mandate the organization to notify law enforcement if they discover the employee has committed a criminal violation. Make sure you know the statutory requirements in your jurisdiction and communicate with in-house counsel during the investigation.

As a digital forensic investigator, it is not typically your decision to notify law enforcement. Instead, after you consult the organization’s legal counsel and C-level executives, they will make that decision. It does not matter whether the investigation relates to a criminal or non-criminal matter for the digital forensic investigator’s purposes.

Remember, we treat every investigation as if we may have to go to court and testify. While the initial investigation may deal with policy violations, you may discover there have been criminal violations that mandate law enforcement involvement in the inquiry. The prosecution and defense will scrutinize all of your investigative endeavors before law enforcement involvement. If you do not maintain the standards of the investigative process, it could weaken the prosecution.

As a digital forensic investigator for a corporate organization, there are a variety of violations the organization may call on you to investigate. One of the more common incidents is the complaint of harassment or a hostile work environment. This is where one person causes one or more people to be intimidated, harassed, physically threatened, humiliated, or subjected to any other activity that makes the workplace offensive. How would you investigate someone for a hostile work environment? Start by interviewing the complaining employees; their statements will describe how, if at all, the subject created the harassment or hostile work environment.

Your investigation will determine whether the actions were physical, verbal, or carried out on digital media and the frequency of the offending conduct. Was there a single employee whose behavior was offensive, or is there a culture within the organization? If a supervisor was notified or asked the offender to stop, what resulted from the efforts to stop the offending behavior? The offending employee could send offensive text messages, emails, or instant messages utilizing the organization’s communication network. Suppose the alleged behavior occurred on or was facilitated with the organization’s devices. In that case, you should be conducting your examination to determine whether there is any digital evidence to support or refute the allegations since the property belongs to the organization, limiting the employee’s expectation of privacy. (Remember, this may vary by jurisdiction.)

The investigation can proceed once you have supervisory approval to conduct the digital forensic examination. With the information at hand, you can filter out a large amount of additional data that may be contained on the storage device. To be efficient while dealing with the extraordinarily large datasets in today’s high-capacity devices, you have to filter out data that is not pertinent to your investigation. For example, if we deal with harassing emails, you may restrict your examination to only email traffic.

Now, your investigation may grow based on your findings in the initial exam. For example, while viewing emails, you observe the subject sending illicit images to other employees. Your investigation has now expanded, both in the violation involved and in the potential number of violators. Do not limit yourself to only the suspect's computer; you need to examine both the suspect's and the complaining witness's systems.

The complaining witness may have evidence of the offending email, while the suspect may have used anti-forensic techniques to remove the source email from their computer. Or you may find the complaining witness had changed the email to contain offensive material. You want to be as thorough as possible, which dictates an examination of the emails from both the sender and the recipient.
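The two steps just described, filtering the dataset down to the relevant email traffic and then examining both the sender's and the recipient's copies, as an added example that is not the book's code: two constructed mailboxes (the suspect's and the complainant's) are filtered by sender, date window, and keywords, then paired by Message-ID so that a message present on only one side (a possible deletion, or a possible fabrication) or with differing bodies (a possible alteration) is flagged for closer examination. The names, addresses, and messages are made up; in a real case the records would come from parsed PST or MBOX exports.

```python
"""Triage of email evidence in a harassment investigation.

Added example; not the book's code. The two mailboxes below are
constructed: names, addresses, Message-IDs and bodies are made up.
"""
import hashlib
from collections import defaultdict
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Sequence

# Constructed records: the suspect's (sender) mailbox.
SUSPECT_MAILBOX = [
    {"message_id": "<m1@corp.example>", "from": "d.smith@corp.example",
     "to": "a.jones@corp.example", "date": "Mon, 07 Mar 2022 09:15:00 +0000",
     "subject": "Project status", "body": "Please send the Q1 numbers."},
    {"message_id": "<m2@corp.example>", "from": "d.smith@corp.example",
     "to": "a.jones@corp.example", "date": "Tue, 08 Mar 2022 18:40:00 +0000",
     "subject": "re: meeting", "body": "Nobody here wants you on this team."},
]
# Constructed records: the complainant's (recipient) mailbox. m2 differs
# from the sender's copy, and m3 exists only here.
COMPLAINANT_MAILBOX = [
    dict(SUSPECT_MAILBOX[0]),
    {**SUSPECT_MAILBOX[1], "body": "Nobody here wants you on this team. Quit."},
    {"message_id": "<m3@corp.example>", "from": "d.smith@corp.example",
     "to": "a.jones@corp.example", "date": "Wed, 09 Mar 2022 07:02:00 +0000",
     "subject": "(no subject)", "body": "You will regret this."},
]


def filter_emails(records: Sequence[dict], sender: Optional[str] = None,
                  recipient: Optional[str] = None, start: Optional[str] = None,
                  end: Optional[str] = None, keywords: Sequence[str] = ()) -> List[dict]:
    """Narrow the dataset by sender, recipient, an RFC 2822 date window and
    case-insensitive keywords in subject or body."""
    lo = parsedate_to_datetime(start) if start else None
    hi = parsedate_to_datetime(end) if end else None
    hits = []
    for r in records:
        when = parsedate_to_datetime(r["date"])
        if sender and r["from"].lower() != sender.lower():
            continue
        if recipient and r["to"].lower() != recipient.lower():
            continue
        if lo and when < lo:
            continue
        if hi and when > hi:
            continue
        text = (r["subject"] + " " + r["body"]).lower()
        if keywords and not any(k.lower() in text for k in keywords):
            continue
        hits.append(r)
    return hits


def body_digest(record: dict) -> str:
    """Hash of the message body, used to compare copies across mailboxes."""
    return hashlib.sha256(record["body"].encode("utf-8")).hexdigest()


def compare_copies(sender_box: Sequence[dict],
                   recipient_box: Sequence[dict]) -> Dict[str, str]:
    """Pair messages across both mailboxes by Message-ID.

    Returns {message_id: status}, where status is 'consistent', 'altered'
    (bodies differ), 'missing_from_sender' or 'missing_from_recipient'.
    The status says only that the copies disagree, not which side is
    genuine; that is for the rest of the examination to establish."""
    by_id: Dict[str, Dict[str, str]] = defaultdict(dict)
    for r in sender_box:
        by_id[r["message_id"]]["sender"] = body_digest(r)
    for r in recipient_box:
        by_id[r["message_id"]]["recipient"] = body_digest(r)
    result = {}
    for mid, sides in by_id.items():
        if "sender" not in sides:
            result[mid] = "missing_from_sender"
        elif "recipient" not in sides:
            result[mid] = "missing_from_recipient"
        elif sides["sender"] == sides["recipient"]:
            result[mid] = "consistent"
        else:
            result[mid] = "altered"
    return result


if __name__ == "__main__":
    for r in filter_emails(COMPLAINANT_MAILBOX, sender="d.smith@corp.example",
                           keywords=["regret", "quit"]):
        print(r["message_id"], r["date"], r["subject"])
    print(compare_copies(SUSPECT_MAILBOX, COMPLAINANT_MAILBOX))
```

A message marked missing_from_sender is exactly the case in the text where either the sender removed it or the recipient fabricated it; the comparison tells you where to look next, not which party to believe.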