Learn Computer Forensics - William Oettinger - E-Book

Description

A computer forensics investigator must possess a variety of skills, including the ability to answer legal questions, gather and document evidence, and prepare for an investigation. This book will help you get up and running with using digital forensic tools and techniques to investigate cybercrimes successfully.
Starting with an overview of forensics and all the open source and commercial tools needed to get the job done, you'll learn core forensic practices for searching databases and analyzing data over networks, personal devices, and web applications. You'll then learn how to acquire valuable information from different places, such as filesystems, e-mails, browser histories, and search queries, and capture data remotely. As you advance, this book will guide you through implementing forensic techniques on multiple platforms, such as Windows, Linux, and macOS, to demonstrate how to recover valuable information as evidence. Finally, you'll get to grips with presenting your findings efficiently in judicial or administrative proceedings.
By the end of this book, you'll have developed a clear understanding of how to acquire, analyze, and present digital evidence like a proficient computer forensics investigator.


Number of pages: 429

Year of publication: 2020




Learn Computer Forensics

A beginner's guide to searching, analyzing, and securing digital evidence

William Oettinger

BIRMINGHAM—MUMBAI

Learn Computer Forensics

Copyright © 2020 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha

Acquisition Editor: Shrilekha Inani

Senior Editor: Rahul D'souza

Content Development Editor: Ronn Kurien

Technical Editor: Dinesh Pawar

Copy Editor: Safis Editing

Project Coordinator: Neil D'mello

Proofreader: Safis Editing

Indexer: Priyanka Dhadke

Production Designer: Nilesh Mohite

First published: April 2020

Production reference: 2110620

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-83864-817-6

www.packt.com

This book is dedicated to IACIS and the pioneers of this field whom I have had the privilege of meeting and learning from. Mike Anderson and Will Docken were some of the first professionals I met and they had a significant impact on me as I started in this field. I want to thank Eric Zimmerman, Harlan Carvey, Brett Shavers, and Steve Whalen for all of the work they do for the forensics community. Your information sharing and work have impacted me and helped me grow as an examiner. There is a long list of people who contributed to my success that I want to thank: Larry Smith, David Papargiris, Tom Keller, Dave McCain, Steve Williams, Scott Pearson, Scot Bradeen, Matt Presser, Mike Webber, and everyone else who has helped me along the way.

Packt.com

Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

- Spend less time learning and more time coding with practical eBooks and videos from over 4,000 industry professionals
- Improve your learning with Skill Plans built especially for you
- Get a free eBook or video every month
- Fully searchable for easy access to vital information
- Copy and paste, print, and bookmark content

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at packt.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author

William Oettinger is a veteran technical trainer and investigator. He is a retired police officer with the Las Vegas Metropolitan Police Department and a retired CID agent with the United States Marine Corps. He is a professional with over 20 years' experience in academic, local, military, federal, and international law enforcement organizations, where he acquired his multifaceted experience in IT, digital forensics, security operations, law enforcement, criminal investigations, policy, and procedure development. He has earned an MSc from Tiffin University, Ohio. He works for Bilecki and Tipon LLLC and the University of Maryland Global Campus (UMGC). When not working, he likes to spend time with his wife and his two miniature schnauzers.

About the reviewer

Peter Phurchpean is an investigator with the Computer Crimes Investigation Unit, California Highway Patrol. He has been with the California Highway Patrol (CHP) since 2002. He has been a member of the CHP's Computer Crimes Investigation Unit for the past 7 years as a digital forensic analyst and investigator. During his time with the unit, he has been responsible for investigating computer crimes against the State of California, ranging from network intrusions against State agencies to child exploitation cases. He is experienced in the analysis of computers, smartphones, and network systems. He has also successfully obtained computer forensic certifications through the California Department of Justice and many other institutions besides.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Learn Computer Forensics
Why subscribe?
Contributors
    About the author
    About the reviewer
    Packt is searching for authors like you
Preface
    Who this book is for
    What this book covers
    To get the most out of this book
    Download the color images
    Conventions used
    Get in touch
    Reviews
Section 1: Acquiring Evidence
Chapter 1: Types of Computer-Based Investigations
    Differences in computer-based investigations
    Criminal investigations
    First responders
    Corporate investigations
    Employee misconduct
    Corporate espionage
    Insider threat
    Summary
    Questions
    Further reading
Chapter 2: The Forensic Analysis Process
    Pre-investigation considerations
    The forensic workstation
    The response kit
    Forensic software
    Forensic investigator training
    Understanding case information and legal issues
    Understanding data acquisition
    Chain of custody
    Understanding the analysis process
    Dates and time zones
    Hash analysis
    File signature analysis
    Antivirus
    Reporting your findings
    Details to include in your report
    Document facts and circumstances
    The report conclusion
    Summary
    Questions
    Further reading
Chapter 3: Acquisition of Evidence
    Exploring evidence
    Understanding the forensic examination environment
    Tool validation
    Creating sterile media
    Understanding write blocking
    Defining forensic imaging
    DD image
    EnCase evidence file
    SSD device
    Imaging tools
    Summary
    Questions
    Further reading
Chapter 4: Computer Systems
    Understanding the boot process
    Forensic boot media
    Hard drives
    MBR (Master Boot Record) partitions
    GPT partitions
    Host Protected Area (HPA) and Device Configuration Overlays (DCO)
    Understanding filesystems
    The FAT filesystem
    Data area
    Long filenames
    Recovering deleted files
    Slack space
    Understanding the NTFS filesystem
    Summary
    Questions
    Further reading
Section 2: Investigation
Chapter 5: Computer Investigation Process
    Timeline analysis
    X-Ways
    Media analysis
    String search
    Recovering deleted data
    Summary
    Questions
    Further reading
Chapter 6: Windows Artifact Analysis
    Understanding user profiles
    Understanding Windows Registry
    Determining account usage
    Last login/last password change
    Determining file knowledge
    Exploring the thumbcache
    Exploring Microsoft browsers
    Determining most recently used/recently used
    Looking into the Recycle Bin
    Understanding shortcut (LNK) files
    Deciphering JumpLists
    Opening shellbags
    Understanding prefetch
    Identifying physical locations
    Determining time zones
    Exploring network history
    Understanding the WLAN event log
    Exploring program execution
    Determining UserAssist
    Exploring Shimcache
    Understanding USB/attached devices
    Summary
    Questions
    Further reading
Chapter 7: RAM Memory Forensic Analysis
    Fundamentals of memory
    Random access memory?
    Identifying sources of memory
    Capturing RAM
    Preparing the capturing device
    Exploring RAM capture tools
    Exploring RAM analyzing tools
    Using Bulk Extractor
    Summary
    Questions
    Further reading
Chapter 8: Email Forensics – Investigation Techniques
    Understanding email protocols
    Understanding SMTP – Simple Mail Transfer Protocol
    Understanding the Post Office Protocol
    IMAP – Internet Message Access Protocol
    Understanding web-based email
    Decoding email
    Understanding the email message format
    Email attachments
    Understanding client-based email analysis
    Exploring Microsoft Outlook/Outlook Express
    Exploring Microsoft Windows Live Mail
    Mozilla Thunderbird
    Understanding WebMail analysis
    Summary
    Questions
    Further reading
Chapter 9: Internet Artifacts
    Understanding browsers
    Exploring Google Chrome
    Exploring Internet Explorer/Microsoft Edge
    Exploring Firefox
    Social media
    Facebook
    Twitter
    Service provider
    Peer-to-Peer file sharing
    Ares
    eMule
    Shareaza
    Cloud computing
    Summary
    Questions
    Further reading
Section 3: Reporting
Chapter 10: Report Writing
    Effective note taking
    Writing the report
    Evidence analyzed
    Acquisition details
    Analysis details
    Exhibits/technical details
    Summary
    Questions
    Further reading
Chapter 11: Expert Witness Ethics
    Understanding the types of proceedings
    Beginning the preparation phase
    Understanding the curriculum vitae
    Understanding testimony and evidence
    Understanding the importance of ethical behavior
    Summary
    Questions
    Further reading
Assessments
    Chapter 01
    Chapter 02
    Chapter 03
    Chapter 04
    Chapter 05
    Chapter 06
    Chapter 07
    Chapter 08
    Chapter 09
    Chapter 10
    Chapter 11
Other Books You May Enjoy
    Leave a review - let other readers know what you think

Preface

Welcome to the world of digital forensics! In this book, you will be going into the depths of the Windows operating system to determine the user's actions on the system. You will also learn about the different filesystems used by the Windows operating system. The role of the examiner is not only about the examination, but also about the report you generate and how you explain your findings. You will learn how to prepare for the digital investigation, including equipment selection, training, and planning a response to the crime scene. It is my hope this book will be your resource if you are a novice examiner or an experienced examiner.

Who this book is for

This book is for the novice and experienced examiner. While an understanding of operating systems and filesystems would be helpful, it is not required.

What this book covers

Chapter 1, Types of Computer-Based Investigations, introduces the reader to the different kinds of computer-based investigations, from criminal acts investigated by the police to potentially illegal actions performed by an employee or third party and examined by a non-governmental investigator. While the goal is the same, to present evidence about an incident, the methods of the two differ slightly. It is essential for the reader to understand the similarities, namely being able to present evidence in judicial proceedings, and to recognize the differences, such as the search warrant requirements that apply to a government agent.

Chapter 2, The Forensic Analysis Process, details the critical thinking that goes into planning digital investigative services. This topic will allow the reader to create a strategy for conducting an efficient investigation and to offer different approaches depending on the unique set of circumstances of each matter.

Chapter 3, Acquisition of Evidence, explains that digital evidence is one of the most volatile pieces of evidence an investigator can handle. Mishandling of digital evidence can severely impact the investigation. Additionally, you may destroy the entire dataset. This chapter will address how to minimize or eliminate these issues when using a validation process to create a forensic image.

Chapter 4, Computer Systems, explains that the investigator must control the computer processes while acquiring digital evidence. When dealing with the many combinations of operating systems and hardware, you must implement controls to protect the integrity of the evidence. This chapter will discuss the boot process in detail and identify the most commonly used filesystems.

Chapter 5, Computer Investigation Process, explains that being a forensic examiner is much more than pushing a button. Once the evidence has been collected, you have to analyze the dataset. It is not about finding artifacts but rather examining the data and putting it into a context that will either support or not support the hypothesis about the user's actions on the system.

Chapter 6, Windows Artifact Analysis, explains that Microsoft Windows is by far the most common operating system today. In this chapter, we will look at the different versions of Windows and will show the reader how to identify and recover common artifacts based on the release of Windows being examined.

Chapter 7, RAM Memory Forensic Analysis, covers the analysis of RAM, which is a source of evidence that has recently been recognized to contain vital information about the user's actions on the system. RAM is very volatile evidence and can provide data that cannot be found anywhere else on the computer system.

Chapter 8, Email Forensics — Investigation Techniques, discusses email, which is a part of everyday life. This communication vector can be one of the primary communication tools for the majority of the population. These communications can contain incredible amounts of data related to an investigation. The investigator must be able to reconstruct the path that email took from the source to the destination to determine its validity.

Chapter 9, Internet Artifacts, explains that using the internet is a daily activity for the majority of the population. Like any other activity, the internet can be used for legal, law-abiding business, or for criminal activity. The internet can be accessed in a variety of ways. The forensic investigator must be able to analyze all these different aspects of the internet to get to the truth of the matter.

Chapter 10, Report Writing, covers report writing, which is not the most exciting portion of the forensic exam process. The forensic examiner must be able to explain a technical topic to a non-technical user. As a forensic examiner, you must be able to place that artifact into a context that the audience understands. This ability is a critical skill that you need to master to be a competent forensic examiner.

Chapter 11, Expert Witness Ethics, explains that a forensic examiner must be objective, truthful, honest, and perform their due diligence when conducting an examination. The examiner will be providing testimony that may result in someone losing their freedom. The ultimate goal of the investigation conducted by the forensic examiner is to provide testimony or evidence in a judicial or administrative proceeding to stop the cybercriminal's activity.

To get the most out of this book

It will be helpful if you have access to a computer and the commercial and open source forensic tools, such as X-Ways Forensics or Paladin, described in this book. It is not required. If you have access to any of the commonly available forensic (open source or commercial) tools you will be able to follow along as you are reading the different chapters.

If you are using the digital version of this book, we advise you to type the code yourself. Doing so will help you avoid any potential errors related to copy/pasting of code.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781838648176_ColorImages.pdf

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."

A block of code is set as follows:

    html, body, #map {
      height: 100%;
      margin: 0;
      padding: 0
    }

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

    [default]
    exten => s,1,Dial(Zap/1|30)
    exten => s,2,Voicemail(u100)
    exten => s,102,Voicemail(b100)
    exten => i,1,Voicemail(s0)

Any command-line input or output is written as follows:

    $ mkdir css
    $ cd css

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Section 1: Acquiring Evidence

You will learn about the forensic process and the importance of obtaining forensically sound data and the procedures to achieve that goal.

The following chapters are in the section:

- Chapter 1, Types of Computer-Based Investigations
- Chapter 2, The Forensic Analysis Process
- Chapter 3, Acquisition of Evidence
- Chapter 4, Computer Systems

Chapter 1: Types of Computer-Based Investigations

Welcome to the 21st century, where almost everything in life is connected to an electronic device. There are digital cameras inside doorbells; your smartphone tracks your daily progress from work to home and back again; you get social media updates when you go to the gym, a show, or travel to a new city.

Your phone calls, bank access, and medical appointments are all tracked via digital technology. If it tracks your mundane daily activity, what about criminal or unethical behavior? That activity is also followed, and if you are a digital forensic investigator, you must know the repositories of the digital evidence and how to analyze it. There is almost no criminal activity that will not have digital evidence associated with it and, as an investigator, it is your job to find all available evidence, process it, and present findings to the finder of fact.

This chapter will introduce you to the different topics of computer-based investigations, from criminal acts investigated by the police to civil and potentially illegal actions performed by an employee or external third party that are examined by a nongovernmental investigator.

While the goal is the same, to present evidence about an incident, the methods for each are slightly different. It is essential for you to understand what the investigations have in common, namely the need to present evidence that will stand up in a judicial proceeding, and to recognize where they differ, such as the search warrant requirements that bind a government agent.

The topics that will be covered in this chapter are as follows:

- Differences in computer-based investigations
- Criminal investigations
- Corporate investigations

Differences in computer-based investigations

This book is all about introducing a beginner to the realm of digital forensics. What is digital forensics? It is a division of forensics involving the recovery and analysis of data that has been recovered from digital devices. At one time, the term digital forensics was treated as a synonym for computer forensics, but now it involves all devices capable of storing digital data. No matter what term is used, the goal is to identify, collect, and examine/analyze digital data while preserving its integrity. Digital forensics is not only about finding the artifact, it is a formal examination/analysis of the digital evidence to prove or to disprove whether the accused committed the violation.

It is not always about demonstrating that the suspect is guilty; as a forensic examiner, you also have that ethical obligation to find exculpatory evidence that will prove the subject's innocence. Your duty is to be an unbiased third party in presenting the findings of the investigation. In a criminal examination, your findings could deprive someone of their liberty, and in a corporate investigation, your findings may lead to a criminal investigation or cost someone their livelihood. As a digital forensic examiner, your conclusions can have an extraordinary impact on the subjects of the investigation.

To be a digital forensic examiner, you need to have a desire to ask questions, have specialized equipment, and have the required training. From teaching people interested in the field, I have found the best students can critically examine the facts and circumstances being presented and, using that ability, can focus their efforts on efficiently reaching an accurate conclusion. Unfortunately, I find many students want to use a "find evidence" button, find all the artifacts, and print up a thousand-page report and call it a day. That is not digital forensics.

Digital forensics is not finding the artifact. By artifact, I am talking about an incriminating Google search in browser history, an incriminating email between the subject and a co-conspirator, or illicit images found in the filesystem. Artifacts are breadcrumbs leading to the identity of the person conducting the illegal activity. However, on their own, they do not identify the user who created these artifacts, or the one who is indirectly responsible for their creation. One of the biggest challenges in this field is to determine what is colloquially known as the "idiot behind the keyboard." You want to tie the user account to a specific subject, and to do that, you have to analyze, and that is the key word, the digital evidence to associate it with a particular user.

If you are in the IT field, you will understand networking and computer operating systems, but you will lack knowledge of how to preserve evidence, maintain a chain of custody, and present it in a criminal/administrative proceeding.

If you are an investigator, you will understand the chain of custody, evidence preservation, and testifying in a criminal/administrative proceeding. However, you may lack experience in the digital field. To be an effective digital forensic examiner, you have to be part of both those worlds. You have to understand how data is created, shared, and saved in the digital realm and be able to preserve that evidence in a forensically sound manner and testify in proceedings. Sometimes, the ability to talk in front of a large group while answering hard questions posed to you by attorneys from both sides is the hardest part of the field.

As with any field, the way you get better and more effective is to practice, to conduct real and mock examinations, to receive training, and have the willingness to reach out to your peers for advice. Since you are reading this book, you are taking that first step. You could be reading the text on your own, using it as a textbook for a college course you are taking, or using it in a corporate training session. The reason does not matter. Reading this book will put you on the road to be a more effective digital forensic examiner.

What is cybercrime? What crimes does a digital forensic examiner investigate? A digital forensic examiner may investigate any alleged wrongdoing that touches on the digital world. Nearly everyone possesses a mobile device. Sometimes, a person owns or uses multiple mobile devices and laptops and the traditional desktop. All of these sources have the ability to maintain a significant amount of information as it relates to the investigation. For example, I investigated a crime against a person where the victim was physically unable to communicate with the police. How does that become a crime that requires the use of a digital forensic examiner?

Well, in this case, she had communicated with the suspect via a website and through instant messaging on her mobile device. Those messages did not contain direct evidence of the crime being investigated, but they did document the relationship between the victim and the suspect. In the 21st century, almost any crime may have evidence stored in a digital format. There are also crimes where someone uses their computer as the tool to commit the crime, such as sending harassing emails, fraud and forgery, hacking, corporate espionage, or the trafficking of illicit images.

Your occupation will dictate your response to a situation; if you are law enforcement, you will have one set of procedures to follow, while if you are in the corporate world, you will have a different set of procedures to follow. While some processes may overlap in different fields, each one has its unique differences, which is what we will discuss next.

Criminal investigations

As a law enforcement professional, your first consideration will be officer safety. Is the scene secure to process and secure evidence? When the investigation starts, you may take part in one or more roles. The most basic positions are as follows:

- The first responder
- The investigator
- The crime scene technician

Depending on the size of your agency, you may fill one position or all three, and you may report to one or more supervisors. Now, in the matter of digital evidence, it is preferable that the person in charge of the crime scene has some knowledge of the fragility of digital evidence. That allows personnel to enact the proper procedures to ensure that the evidence is not corrupted.

Let's talk about what each role does.

First responders

The first responders are the first ones on the scene. They secure what may be a chaotic scene. They will identify the following:

- Potential victims
- Witnesses
- Potential suspects
- How best to maintain control

They will do this until the investigator arrives. The first responder's primary mission is to make the scene safe and secure and ensure that no one can contaminate the evidence. As you can imagine, crime scenes can vary from a dynamic crime scene to the relatively static crime scene, depending on the nature of the crime. In both scenarios, the first responder must have basic knowledge of what items could contain digital evidence when they secure the scene. We would not want to have subjects grabbing cell phones or laptops and using them for any activity.

So, how does a first responder protect the crime scene? Just like you see in TV shows and movies, yellow crime scene tape is the most common method. It is the most straightforward visible sign of a crime scene barrier, and in our culture, people recognize the barrier being presented by that thin piece of yellow plastic. One or more personnel will have to monitor the crime scene to regulate who can cross that line and enter the scene.

Investigators

The investigator will respond to the scene after being requested by the first responder. Upon arriving at the scene, the first responder and the investigator will coordinate, and information sharing will now start. The first responder will provide the basic information, which typically involves the five Ws and one H, specifically the who, what, when, where, why, and how, about the incident.

The first responder will also provide information about any actions they or anyone else had taken before the arrival of the investigator. For example, the investigator will want to know whether the first responder(s) touched anything, moved anything, or changed anything within the crime scene. This could be a physical action such as applying first aid to a victim or turning a computer on or off. I remember an examination I did where the first responders did not reveal that they had accessed the victim's computer. While conducting my examination, I did a timeline analysis and saw an abnormality in the activity after the victim had died. The abnormality was caused by the unreported actions of the first responders. What's important to understand here is that the first responders' actions were not wrong. What created complications is that they did not report the actions, which led to additional work and explanations.

The investigator takes charge of the scene and directs all activity. They will direct the other team members' investigative efforts to ensure the proper documentation is completed regarding the seizure of evidence. Sometimes, the first responder will seize evidence and turn it over to the investigator. A chain of custody document must be completed and maintained showing who found the item and who maintained control until the completion of the judicial or administrative proceeding.

Crime scene technician

Finally, we come to the crime scene technician. This can be a sworn or unsworn position within the law enforcement agency. They have specialized training in the collection of evidence. This could be physical evidence, such as fingerprints, tool comparison, the collection of biological fluids, and crime scene photography, all of which require specialized training and equipment. The collection of digital evidence requires the same level of expertise that the collection of physical evidence does.

Note

We can put law enforcement jobs into two basic groups:

Sworn: May take an oath to support the laws in their jurisdiction; they have the power to make arrests and carry firearms.

Non-sworn: May take an oath but do not have powers to arrest. These positions are typically crime scene analyst or law enforcement support technicians.

The crime scene technician is responsible for the preservation of evidence and starting the chain of custody. Some actions they could carry out include the acquisition of the volatile memory of a computer system, creating forensic images of the storage devices, or creating a logical forensic image of selected files from a server. The evidence will be bagged and tagged and transported to a secure location. What do I mean by bagged and tagged? They will place all the evidence or the containers holding the digital evidence in the appropriate storage container. A tag will then be filled out with the identifiers to specify which investigation the evidence belongs to, who collected it, and what evidence is contained within the container.
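What makes an image forensically sound, and what lets the examiner later authenticate it, is the hash recorded at acquisition and the custody entries that follow it. The following is an added example, not code from the book, that copies a constructed "device" file to an image, hashes both sides as it goes, writes the tag fields (case, item, collector, hash), appends chain-of-custody entries, and then shows verification succeeding on the intact image and failing after a single byte is altered. The case identifier, names and sample data are constructed.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # read/write in 1 MiB chunks so large images are never loaded whole


def hash_file(path: Path) -> str:
    """SHA-256 of a file, computed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_custody(record: dict, action: str, handler: str) -> None:
    """Append one chain-of-custody entry: who did what, and when (UTC)."""
    record["custody"].append({
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "handler": handler,
    })


def acquire_image(source: Path, image: Path, collector: str, case_id: str) -> dict:
    """Copy source bit-for-bit to image, hashing the source as it is read, then
    re-hash the written image. The two hashes must match or the acquisition is not sound."""
    source_digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            source_digest.update(chunk)
            dst.write(chunk)
    image_hash = hash_file(image)
    if image_hash != source_digest.hexdigest():
        raise RuntimeError("written image does not match source; acquisition is not sound")
    # The evidence tag: which investigation, which item, who collected it, and its hash.
    record = {"case_id": case_id, "item": image.name, "source": str(source),
              "sha256": image_hash, "custody": []}
    log_custody(record, "acquired and hashed", collector)
    return record


def verify_image(record: dict, image: Path) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return hash_file(image) == record["sha256"]


def demo() -> dict:
    """Constructed walk-through: fake device, acquisition, two custody transfers, tamper check."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        device = workdir / "device.bin"
        device.write_bytes(b"constructed sample evidence " * 5000)  # stand-in for a storage device
        image = workdir / "item001.dd"
        record = acquire_image(device, image, collector="Tech Jones", case_id="CASE-2020-001")
        log_custody(record, "transported to evidence locker", "Tech Jones")
        log_custody(record, "checked out for examination", "Examiner Smith")
        intact_before = verify_image(record, image)
        # Flip one bit in the image after acquisition; verification must now fail.
        data = bytearray(image.read_bytes())
        data[10] ^= 0x01
        image.write_bytes(bytes(data))
        tamper_detected = not verify_image(record, image)
        return {
            "intact_before": intact_before,
            "tamper_detected": tamper_detected,
            "custody_entries": len(record["custody"]),
            "tag": json.dumps({k: record[k] for k in ("case_id", "item", "sha256")}),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash on the tag is what the examiner will reproduce months or years later to show the proceeding that the image they analyzed is the one that was collected; the custody list records every hand it passed through in between.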

As we go through the rest of this book, we will cover the duties of the crime scene technician in greater detail.

A law enforcement officer may be a first responder, investigator, or crime scene technician and, in all roles, is an agent of the government. Depending on your jurisdiction, the government may restrict how and when the property can be seized and searched. I will discuss the judicial process in the United States; your locality may have different laws and procedures.

In the United States, a citizen's right to privacy is protected by the Fourth Amendment of the US Constitution, which states the following:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

At a basic level, this means that before the government can seize any evidence, there must be (a) a search warrant based upon probable cause or (b) the consent of the owner. The consent given by the owner must be willingly given and must be able to be revoked, which can create an issue in some jurisdictions where the processing of digital evidence can take months, and in some jurisdictions, years. If the owner revokes their consent or refuses to give it, what options does law enforcement have? A search warrant.

How does a member of law enforcement get a warrant? As we learned from the preceding passage, it must be based on probable cause. Probable cause is a reasonableness standard: the applicant must reasonably believe that the items being searched for are at that location. Who determines what is reasonable? This would be the judicial official, such as a judge, Justice of the Peace, and so on.

The law enforcement officer makes the written request, while the judge reviews it and will either approve or disapprove it. If approved, then the law enforcement officer can seize and search the property within the guidelines specified by the judicial official. The law requires only agents of the government to get a search warrant to seize and search property. If you work in the corporate world, this process will not pertain to you.

Now, let's talk about some potential crimes someone might call you to investigate. This will be a high-level overview of the crime itself, and later on in this book, we will address the specific artifacts we should analyze to determine whether criminal actions occurred.

Illicit images

Nearly everyone is connected to the many different forms of digital networks via our mobile devices, tablets, laptops, and computers–we are always connected in one manner or another. Depending on who you ask, it is either the best thing in the world or the worst. There are some excellent aspects; social media allows people/family members to stay in contact, no matter where they are in the world. The totality of the world's knowledge is just a few clicks away. You can read news reports from portions of the world that you previously did not know existed. It is an adventure waiting to happen. Now, it is not all unicorns and rainbows out there. Like any society, there are dark and dangerous portions of the internet where you should be hesitant to travel. That includes the sourcing and sharing of illicit images. For our purposes, an illicit image is an image whose subject matter is offensive or illegal, depending on your cultural or legal landscape.

Before the advent and widespread use of the internet, trafficking in illicit images was almost eradicated, so what changed? The consumer of illicit images no longer had to be physically present to pick up the physical images. The internet allows the user to be relatively anonymous and to access the illicit images with minimal exposure. I have read reports that state that the high-speed data network that most of us enjoy is because of the consumer wanting faster throughput speeds to download illicit images.

Consumers of illicit images have free access to terabytes of data with simple clicks of the mouse. If the consumer wants higher quality or a specific subject matter, then it is not a complicated process to find a vendor to meet the needs of the consumer for a price.

Your jurisdiction will determine what is or is not an illicit image and the level of criminality associated with the possession and/or distribution of the contraband images. I will not differentiate or specify a subject to define illicit images. I will discuss them using the generic title of illicit images or contraband images. You can use either phrase depending on what may be legal/illegal in your jurisdiction.

How do people share contraband images? At a basic level, a file is a file. A JPEG image of a sunset does not differ from a JPEG image of a contraband subject. Anyone can use any aspect of the internet to share files–the content of the files is irrelevant. If the system allows the user to share data, then the contents of those shared files can be legal or illegal content. Let's look at some media through which illicit images could be exchanged.

Email-based communications

Email is one of the easiest ways to share information through files between two or more people. An email address does not automatically point to a specific user. There are service providers who actively advertise anonymity for users of their email accounts. The service provider states that they do not save users' transactional information, such as source IP, dates and times of connection, or billing information. The service provider may be located outside of the jurisdiction investigating the contraband, which will allow the service provider to ignore the judicial paperwork requesting the subscriber information.

Newsgroups/USENET

This is one of the first components of the internet, and one that has fallen off the radar for the everyday user. Initially, the internet was made up of components such as the World Wide Web (web browsing), email, and USENET. Web browsing and email are known by nearly every user of the internet, while USENET has faded out of public perception. This does not mean it is not being used. USENET is like the old bulletin board system, where you had specific groups, and users could post messages and attach files, and other users could download the files and comments. The user can post just a text message or attach a file to the message. This file is known as a binary.

A binary is any file type: digital images, video, audio, software, or any other file type. The user has to use a newsreader to access USENET. There are free and paid versions of newsreaders available in which the user can subscribe to a USENET service. Just like the email service providers that we discussed earlier, one selling point for USENET service providers is anonymity, where they explicitly state that they maintain no user transactional data or billing records, or they are in jurisdictions whose laws may not adequately address the contraband contained on the server:

Figure 1.1 – Unison application

The preceding screenshot shows you the Unison program running on macOS and accessing the service provider Astraweb.

Looking from left to right, you can see the hierarchical system used by USENET. At the far-left column, I have selected alt, which then populates the next column with many named folders. The folders' naming convention shows the subject of the group. I have selected binaries, which means I am looking for attached files to the postings. In the third column, we can see folder icons and a brown folder icon with papers coming out the top. The folder icon shows that there are additional groups contained within, while the brown folder icon shows that this is a newsgroup.

As you can see from the preceding screenshot, there are a variety of subjects for the user to explore; some groups may or may not contain contraband images/files. Your jurisdiction will determine what is legal or not as you conduct your investigation.

Peer-to-Peer file sharing

Peer-to-Peer (P2P) file sharing is a decentralized method of file sharing. In traditional file sharing, a server hosts the file and the client accesses the server to download the file. In the early days of Napster and music sharing, this became a liability for copyright violations. The service provider was served with judicial processes and was found to be liable for hosting a directory of copyrighted files.

In response, the P2P method was changed; no longer was a centralized database created, but rather users were able to directly search for other users' shared folders on the network. Users connected to a shared network and acted as both a server and a client. In P2P file sharing, when a user identifies a file they want to download, the software reaches out to the other users who possess the desired file. Each user then provides a piece of the file to the recipient. When all the pieces are collected, the software reassembles them into the original file. The user could then participate as a node and start sharing the file they just downloaded:

Figure 1.2 – Transmission application

The preceding screenshot shows the Transmission program running on macOS. I am downloading a movie from the public domain (archive.org), and in the bottom portion of the preceding screenshot, you can see that the file has been broken into much smaller bits. The highlighted bits show which parts of the file I have downloaded. Later, we will go into much greater detail about P2P file sharing and the artifacts that will be left in the filesystem.
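The piece-by-piece exchange shown in the Transmission screenshot rests on a list of per-piece hashes that the downloader trusts: each piece received from any peer is hashed and compared, a mismatch is discarded and fetched again from another peer, and only then is the file reassembled. The following is an added example, not code from the book or from the Transmission project, that simulates this with constructed content and three constructed peers, one of which serves a corrupted piece. Piece size, peer names and the content are constructed; SHA-1 is used because that is the per-piece hash in BitTorrent v1 metadata, not as a recommendation for new designs.

```python
from __future__ import annotations

import hashlib
import random

PIECE_SIZE = 32  # bytes; constructed toy size, real clients use hundreds of KiB or more per piece


def split_into_pieces(data: bytes, piece_size: int = PIECE_SIZE) -> list[bytes]:
    """Cut the file into fixed-size pieces; the last piece may be shorter."""
    return [data[i:i + piece_size] for i in range(0, len(data), piece_size)]


def piece_hashes(pieces: list[bytes]) -> list[str]:
    """The per-piece hash list the downloader trusts before it trusts any peer."""
    return [hashlib.sha1(p).hexdigest() for p in pieces]


def download(hashes: list[str], peers: dict[str, dict[int, bytes]], seed: int = 1
             ) -> tuple[bytes, list[tuple[int, str]]]:
    """Fetch every piece, in random order, from peers that claim to hold it.
    A piece whose hash does not match is rejected and the next peer is tried.
    Returns the reassembled file and the (piece index, peer) pairs that were rejected."""
    rng = random.Random(seed)
    received: dict[int, bytes] = {}
    rejected: list[tuple[int, str]] = []
    order = list(range(len(hashes)))
    rng.shuffle(order)                      # stand-in for the client's piece selection
    for index in order:
        candidates = [name for name, held in peers.items() if index in held]
        for name in candidates:             # peers are tried in the order they were discovered
            piece = peers[name][index]
            if hashlib.sha1(piece).hexdigest() == hashes[index]:
                received[index] = piece
                break
            rejected.append((index, name))  # bad piece: do not keep it, try another peer
        else:
            raise RuntimeError(f"piece {index} not available intact from any peer")
    return b"".join(received[i] for i in range(len(hashes))), rejected


def demo() -> tuple[bool, list[tuple[int, str]]]:
    original = b"constructed public-domain sample content " * 20   # 820 bytes -> 26 pieces
    pieces = split_into_pieces(original)
    hashes = piece_hashes(pieces)
    # Constructed swarm: "bad-peer" is discovered first and serves a corrupted piece 3 but a
    # good piece 5; the two honest peers each hold half of the file.
    peers = {
        "bad-peer": {3: b"X" * len(pieces[3]), 5: pieces[5]},
        "peer-a": {i: pieces[i] for i in range(0, len(pieces), 2)},
        "peer-b": {i: pieces[i] for i in range(1, len(pieces), 2)},
    }
    assembled, rejected = download(hashes, peers)
    return assembled == original, rejected


if __name__ == "__main__":
    ok, rejected = demo()
    print("file intact:", ok, "rejected pieces:", rejected)
```

The rejected list is also what an examiner later looks for in a client's own logs and state files: which peers a file was fetched from, and which pieces were completed, is recorded by the client and is part of the artifact set covered later in the book.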

The crime of stalking

For all of the good that the internet provides, it also provides a conduit for people to exploit, harass, and bully other people. The subject may know the victim personally, or may only have interacted with the victim's online persona in some manner and felt that the victim had wronged them. A lot of the bad behavior we see with online activities is because of the anonymity that the internet provides the attacker/subject. When eyes are watching or when we know the true identity of the attacker, they change their behavior to conform to societal norms. Unfortunately, it takes time for society to recognize the criminality of specific actions via the digital medium.

Cyberstalking or cyberbullying is now being regulated and is now considered an actual crime. Depending on your jurisdiction, the definition will vary, and what resources the government will spend in the prosecution of these crimes will vary too. Remember, the identity of the user at the other end of the digital world can be challenging to prove to the high standard required by a court of law.

According to the National Center for Victims of Crime, https://members.victimsofcrime.org/our-programs/past-programs/stalking-resource-center/stalking-information, historically, in the United States, almost 1,500,000 people, the majority of them women, have been victimized, harassed, and bullied via the digital medium, with the attacks lasting in excess of 2 years. The attacks increased in length if the participants had been intimate partners.

The impact of this criminal behavior is immense; the victim will lose time from work, have to move residences (several times, sometimes), and suffer from the physical and mental effects, such as the anxiety and depression, that come from being targeted. The ability to stalk a former intimate partner in the digital world opens the door to the ability to inflict significant violence on a former partner and, in some cases, bring about their death.

What behaviors make up cyberstalking? There have been documented incidents where a terminated employee has sent manipulated, compromising images of their supervisor to members of the organization and to the general public. This activity continued for months before it was stopped. Despite the harassment ending and the perpetrator being identified, the supervisor still felt the need to leave their job, change their name, and move to another community.

So, where do we begin in our attempts to investigate this crime? The interview will be the best starting place. Asking the victim if they know or suspect who may be behind the harassment is the first question asked. In my experience and most of the time, the victim will have a general idea of who the harasser is, especially if it is a former intimate partner. Now, there will be some victims who may suffer from mental health issues that could complicate the assessment. As an investigator, you have to listen to the whole story to understand the totality of events. Just because someone is paranoid does not mean someone is not out to get them. As an investigator, you have to have an open mind and not allow your preconceptions to make you miss evidence or indicators that may be visible.

If the victim has an idea of who the harasser may be, make sure you record all the pertinent information they can provide you with. Names, addresses, usernames, email addresses, screen names, and social media locations will all give you valuable information so that you can start your investigation.

Establish the method of the harassment and when it started. Was it a Facebook group? Snapchat? Text messages? Chat rooms? Is a mobile device involved in terms of text messages, missed calls, and more? Has the harassment gone old-school with the use of the post office with physical letters?

Threats of violence may increase the severity of the crime and should not be discounted.

The investigator will need to ensure they get forensically sound copies of the digital evidence to start the investigation. This starts the chain of custody of the digital evidence and is the beginning of the investigation.

We will go into much greater detail about the specific artifacts found in digital evidence, but once you have account usernames and IP addresses that the attacker is using to facilitate their attacks, you have a starting point to identify them.

In the United States, a subpoena is required to obtain subscriber information. This information includes the user's first and last names, physical address, how often they access the account, and the IP address that was used to access the account. It varies between service providers as to how long this information is maintained. Sometimes, it could be as little as weeks and as much as years, depending on the provider. You can also submit legal paperwork asking them to "freeze" the account so that the user cannot disable it or delete any incriminating information.

To gain access to the information contained within the account, such as email content, contents of messages, or anything having to do with content, a search warrant signed by a judge will have to be served on the service provider. If the service provider is within the same jurisdiction of the judicial authority, there are typically no issues. When the service provider is in another jurisdiction within the United States or a jurisdiction outside the borders of the United States, this is when the process becomes much more difficult and sometimes impossible to proceed with.

Some subscriber information you get may or may not be accurate. It is not unusual for a user to complete the registration forms with false information. But what you can do, for example, if you have an email address, is you can do an open source search and see whether the email address was used anywhere else. For example, some online forums will use the email address as a username, and if so, the user may post identifying information in their communications with the other users. That forum now becomes a source of information for which you can issue a subpoena to get the subscriber information.

As you can see, following breadcrumbs of information may lead you to sources you never even considered. It can be quite complicated and time-consuming.

Criminal conspiracy

Criminal conspiracy and digital forensics: how do these aspects intersect in the world of the digital forensic investigator? First, let's define what a conspiracy is: a conspiracy occurs when two or more people agree to commit an illegal act. However, just deciding to commit the illegal act is not enough; there also have to be actions taken in furtherance of the conspiracy. What does all that mean? For the physical crime of robbery, criminal A contacts criminal B to discuss robbing victim C. The conversation between criminals A and B does not meet the statutory definition of a conspiracy. If criminal A paid criminal B an agreed amount of funds in exchange for the service of robbing victim C, then we have an act in furtherance of the conspiracy to commit robbery. So, what crimes can the digital forensic investigator find within the digital realm? Almost any crime imaginable. Let's take a look at an example of such a crime:

"Michelle Theer was convicted of a crime against a person. She conspired with John Diamond to commit the crime against her husband, Marty. Investigators had no direct evidence, no physical evidence, and no eyewitness evidence, but they had digital evidence showing the conspiracy to commit the crime. Investigators recovered over 80,000 emails and instant messages between Diamond and Michelle that showed a personal relationship between the two and the messages showing the conspiracy between them to commit the crime."

You can read about this case in more detail at https://caselaw.findlaw.com/nc-court-of-appeals/1201672.html.

Now more than ever, people are connected to their devices for their everyday activities. It is not a stretch of the imagination that criminals also use their devices to help organize their criminal activities. The digital forensic investigator has to know of all potential sources of digital evidence and recognize that the Internet of Things (IoT) is an untapped bonanza of digital evidence. What is the Internet of Things?

Home assistance programs such as Siri and Alexa, smartwatches, home security systems, and GPS devices – anything that has an app – might contain evidence and show the intent on the criminals' part to commit the crime. Failure to recognize the digital devices can result in significant damage to your investigation. There have been instances where the subject of an investigation was placed in the interrogation room, and the investigator did not recognize the suspect was wearing a smartwatch. While they left the subject unattended in the interrogation room, the subject was able to communicate with their co-conspirators and direct their efforts in the destruction of evidence and interfere with the investigation. Once the investigators caught on to the subject's actions, they then used the smartwatch to show the criminal conspiracy and used the evidence to generate additional charges for the suspect in custody and their co-conspirators.

Social media is also a source of digital evidence for showing a conspiracy. For example, take the case of Larry Jo Thomas. The government convicted Thomas of committing a crime against Rito Llamas-Juarez. Initially, investigators only knew that Llamas-Juarez was harmed by a specific type of item. As investigators processed the crime scene, a bracelet that was "distinctive" was found and collected as evidence. The investigators examined Thomas's Facebook page and found a photo of Thomas posing with an item similar to what was used at the crime scene. In a different photo, they found the "distinctive" bracelet being worn by Thomas. While the digital evidence did not have a direct impact on the criminality being investigated, it showed how the subject had the means and had been at the crime scene.

Vehicles are also a source of evidence to prove the conspiracy. Newer vehicles are connected to the network and have their own Wi-Fi connection and sync data between mobile devices, GPS data, and the vehicle's black box. Potentially, the investigator can show the subjects performing reconnaissance on their targets, meetings between the conspirators at a shared location, or where they have traveled to and returned using toll passes.

Technology is rapidly changing and advancing as the general population uses technology, and so do the criminals. The general population plans out their day by utilizing technology; criminals also plan out their day of criminal activity using the same technology. I am always amazed when criminals use their mobile devices to plan and execute criminal activity and then take pictures to memorialize their illegal business.

Now that we have learned about criminal investigations, their roles, and the means by which information is being shared, let's move on to the next type of investigation, which is corporate investigations.

Corporate investigations

We will now discuss computer forensics on the civilian side, or non-law enforcement side. Since you are not an agent of the government, the search warrant requirement does not pertain to you. (Your specific jurisdiction may be different.) While you may not have the search warrant requirement, you cannot seize and analyze private property. What do I mean by that? You are the investigator for a large multinational corporation; you have an employee you believe is harassing other employees and may have viewed illicit images on their company laptop. What is the legal requirement for you to examine the contents of the employee's laptop? If you are an agent of the government, the employee has an expectation of privacy. As an employee utilizing the company's equipment, the courts have held that the employee has a limited expectation of privacy on the data in the device.

Important note

This may differ, depending on your local jurisdiction. I was teaching a class in Germany and as I was teaching, the students explained that German law gave an employee a high expectation of privacy. In their jurisdiction, there were specific requirements that had to be met before they could examine an employee's computer.

Other than the search warrant requirement, the corporate investigator's duties are similar to those of law enforcement. They still must acquire the evidence, they must analyze the evidence, and they must present their findings. They could present their findings in an administrative proceeding, or they may forward their findings to law enforcement where they may have to testify in a judicial proceeding. In either case, the digital forensic investigator must ensure that the digital evidence was collected in a forensically sound manner while maintaining the chain of custody of the digital evidence.

If the digital forensic examiner cannot authenticate the evidence, then they cannot testify or present it in the administrative/judicial proceeding. The corporate digital forensic investigator also investigates a wide variety of crimes. Typically, they will not be investigating a crime where a person was hurt or killed, but they can still investigate fraud, forgery, a violation of the company's policies and procedures, corporate espionage, or if they believe an employee has stolen intellectual property or is trying to harm the corporation itself. So, let's now talk about employee misconduct.

Employee misconduct

As a condition of the employee's employment, they must abide by the policies