Computer Forensics and Investigations,9781592003822

Computer Forensics and Investigations

by ; ; ;
Edition: 1st
ISBN13: 9781592003822
ISBN10: 1592003826
Format: Paperback
Pub. Date: 2004-03-26
Publisher(s): Cengage Learning Ptr
List Price: $42.79

Rent Book

Select for Price
Add to Cart
There was a problem. Please try again later.

New Book

We're Sorry
Sold Out

Used Book

We're Sorry
Sold Out

eBook

We're Sorry
Not Available

Buy from our Marketplace starting at $7.63

How Marketplace Works:

  • This item is offered by an independent seller and not shipped from our warehouse
  • Item details like edition and cover design may differ from our description; see seller's comments before ordering.
  • Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
  • Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
  • Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.

Summary

An introduction to the growing field of computer forensics provides a hands-on guide that explains how to conduct an investigation involving digital media, discussing how computer operating systems work, a wide variety of forensic tools, how to be an expert witness during a trial, and key concepts including chain of custody and evidence documentation procedures. Original. (Intermediate)

Author Biography

Bill Nelson is a computer forensics investigator Amelia Phillips is a graduate of the Massachusetts Institute of Technology and has worked for over 20 years in government, private industry, and academics Frank Enfinger is a tenured faculty member at North Seattle Community College and a Computer Forensics Specialist with a local police department. He holds a degree in Computer Science Chris Steuart is one of the founders and the staff attorney for itforensics.com. Previously, he was an Information Security Officer

Table of Contents

Preface xiii
Read This Before You Begin xix
CHAPTER 1 Computer Forensics and Investigations as a Profession 1(26)
Understanding Computer Forensics
2(7)
Comparing Definitions of Computer Forensics
2(3)
Exploring a Brief History of Computer Forensics
5(2)
Developing Computer Forensics Resources
7(2)
Preparing for Computing Investigations
9(11)
Understanding Enforcement Agency Investigations
10(3)
Understanding Corporate Investigations
13(7)
Maintaining Professional Conduct
20(2)
Chapter Summary
22(1)
Key Terms
23(4)
CHAPTER 2 Understanding Computer Investigations 27(34)
Preparing a Computer Investigation
28(2)
Examining a Computer Crime
28(1)
Examining a Company-Policy Violation
29(1)
Taking a Systematic Approach
30(9)
Assessing the Case
32(1)
Planning Your Investigation
33(4)
Securing Your Evidence
37(2)
Understanding Data-Recovery Workstations and Software
39(7)
Setting Up Your Workstation for Computer Forensics
40(6)
Executing an Investigation
46(10)
Gathering the Evidence
46(2)
Copying the Evidence Disk
48(3)
Analyzing Your Digital Evidence
51(5)
Completing the Case
56(1)
Critiquing the Case
57(1)
Chapter Summary
58(1)
Key Terms
58(3)
CHAPTER 3 Working with Windows and DOS Systems 61(42)
Understanding File Systems
62(4)
Understanding the Boot Sequence
62(1)
Examining Registry Data
63(1)
Disk Drive Overview
64(2)
Exploring Microsoft File Structures
66(9)
Disk Partition Concerns
67(4)
Boot Partition Concerns
71(1)
Examining FAT Disks
71(4)
Examining NIFS Disks
75(8)
NIFS System Files
76(2)
NIFS Attributes
78(2)
NIFS Data Streams
80(1)
NIFS Compressed Files
80(1)
NTFS Encrypted File Systems (EFS)
81(1)
EFS Recovery Key Agent
81(1)
Deleting NTFS Files
82(1)
Understanding Microsoft Boot Tasks
83(5)
Windows XP, 2000, and NT Startup
83(2)
Windows XP System Files
85(3)
Understanding MS-DOS Startup Tasks
88(10)
Other DOS Operating Systems
89(9)
Chapter Summary
98(1)
Key Terms
99(4)
CHAPTER 4 Macintosh and Linux Boot Processes and Disk Structures 103(30)
Understanding the Macintosh File Structure
104(2)
Understanding Volumes
105(1)
Exploring Macintosh Boot Tasks
106(1)
Examining UNIX and Linux Disk Structures
107(10)
UNIX and Linux Overview
110(5)
Understanding Inodes
115(2)
Understanding UNIX and Linux Boot Processes
117(2)
Understanding Linux Loader
118(1)
UNIX and Linux Drives and Partition Scheme
118(1)
Examining Compact Disc Data Structures
119(2)
Understanding Other Disk Structures
121(7)
Examining SCSI Disks
121(1)
Examining IDE/EIDE Devices
122(6)
Chapter Summary
128(1)
Key Terms
129(4)
CHAPTER 5 The Investigator's Office and Laboratory 133(36)
Understanding Forensic Lab Certification Requirements
134(6)
Identifying Duties of the Lab Manager and Staff
134(1)
Balancing Costs and Needs
135(3)
Acquiring Certification and Training
138(2)
Determining the Physical Layout of a Computer Forensics Lab
140(14)
Identifying Lab Security Needs
141(1)
Conducting High-Risk Investigations
141(1)
Considering Office Ergonomics
142(2)
Environmental Conditions
144(1)
Lighting
145(1)
Structural Design Considerations
146(1)
Electrical Needs
147(1)
Communications
147(1)
Fire-suppression Systems
148(1)
Evidence Lockers
149(1)
Facility Maintenance
150(1)
Physical Security Needs
151(1)
Auditing a Computer Forensics Lab
151(1)
Computer Forensics Lab Floor Plan Ideas
152(2)
Selecting a Basic Forensic Workstation
154(3)
Selecting Workstations for Police Labs
154(1)
Selecting Workstations for Private and Corporate Labs
155(1)
Stocking Hardware Peripherals
155(1)
Maintaining Operating Systems and Application Software Inventories
156(1)
Using a Disaster Recovery Plan
156(1)
Planning for Equipment Upgrades
157(1)
Using Laptop Forensic Workstations
157(1)
Building a Business Case for Developing a Forensics Lab
157(2)
Creating a Forensic Boot Floppy Disk
159(6)
Assembling the Tools for a Forensic Boot Floppy Disk
159(6)
Retrieving Evidence Data Using a Remote Network Connection
165(1)
Chapter Summary
166(1)
Key Terms
167(2)
CHAPTER 6 Current Computer Forensics Tools 169(40)
Evaluating Your Computer Forensics Software Needs
170(13)
Using National Institute of Standards and Technology (NIST) Tools
170(2)
Using National Institute of Justice (NIJ) Methods
172(1)
Validating Computer Forensics Tools
173(10)
Using Command-Line Forensics Tools
183(5)
Exploring NTI Tools
183(2)
Exploring Ds2dump
185(1)
Reviewing DriveSpy
185(1)
Exploring PDBlock
186(1)
Exploring PDWipe
186(1)
Reviewing Image
186(1)
Exploring Part
187(1)
Exploring SnapBack DatArrest
187(1)
Exploring Byte Back
187(1)
Exploring MaresWare
187(1)
Exploring DIGS Mycroft v3
188(1)
Exploring Graphical User Interface (GUI) Forensics Tools
188(8)
Exploring AccessData Programs
188(1)
Exploring Guidance Software EnCase
189(1)
Exploring Ontrack
190(1)
Using LC Technologies Software
191(1)
Using BIAProtect
191(2)
Exploring WinHex Specialist Edition
193(1)
Exploring DIBS Analyzer Professional Forensic Software
194(1)
Exploring ProDiscover DFT
194(1)
Exploring DataLifter
195(1)
Exploring ASRData
195(1)
Exploring the Internet History Viewer
196(1)
Exploring Other Useful Computer Forensics Tools
196(5)
Exploring LTOOLS
197(1)
Exploring Mtools
197(1)
Exploring R-Tools
197(1)
Using Explore2fs
198(1)
Exploring @stake
199(1)
Exploring TCT and TCTUTILs
200(1)
Exploring ILook
200(1)
Exploring HashKeeper
200(1)
Using Graphic Viewers
200(1)
Exploring Hardware Tools
201(6)
Computing-Investigation Workstations
201(1)
Budding Your Own Workstation
202(1)
Using a Write-blocker
202(1)
Using LC Technology International Hardware
202(1)
Forensic Computers
203(1)
DIGS
203(1)
Digital Intelligence
203(2)
Image MASSter Solo
205(1)
FastBloc
206(1)
Acard
206(1)
NoWrite
206(1)
Wiebe Tech Forensic DriveDock
207(1)
Recommendations for a Forensic Workstation
207(1)
Chapter Summary
207(1)
Key Terms
208(1)
CHAPTER 7 Digital Evidence Controls 209(22)
Identifying Digital Evidence
210(4)
Understanding Evidence Rules
211(3)
Securing Digital Evidence at an Incident Scene
214(2)
Cataloging Digital Evidence
216(3)
Lab Evidence Considerations
218(1)
Processing and Handling Digital Evidence
219(1)
Storing Digital Evidence
219(3)
Evidence Retention and Media Storage Needs
221(1)
Documenting Evidence
222(1)
Obtaining a Digital Signature
222(6)
Chapter Summary
228(1)
Key Terms
229(2)
CHAPTER 8 Processing Crime and Incident Scenes 231(30)
Processing Private-Sector Incident Scenes
232(4)
Processing Law Enforcement Crime Scenes
236(2)
Understanding Concepts and Terms Used in Warrants
238(1)
Preparing for a Search
238(8)
Identifying the Nature of the Case
239(1)
Identifying the Type of Computing System
239(1)
Determining Whether You Can Seize a Computer
240(1)
Obtaining a Detailed Description of the Location
240(2)
Determining Who Is in Charge
242(1)
Using Additional Technical Expertise
242(1)
Determining the Tools You Need
243(3)
Preparing the Investigation Team
246(1)
Securing a Computer Incident or Crime Scene
246(1)
Seizing Digital Evidence at the Scene
247(6)
Processing a Major Incident or Crime Scene
248(1)
Processing Data Centers with an Array of RAIDS
249(1)
Using a Technical Advisor at an Incident or Crime Scene
250(1)
Sample Civil Investigation
250(2)
Sample Criminal Investigation
252(1)
Collecting Digital Evidence
253(1)
Reviewing a Case
254(4)
Identifying the Case Requirements
255(1)
Planning Your Investigation
255(3)
Chapter Summary
258(1)
Key Terms
259(2)
CHAPTER 9 Data Acquisition 261(36)
Determining the Best Acquisition Method
262(2)
Planning Data Recovery Contingencies
264(1)
Using MS-DOS Acquisition Tools
265(14)
Understanding How DriveSpy Accesses Sector Ranges
265(2)
Data Preservation Commands
267(9)
Using DriveSpy Data Manipulation Commands
276(3)
Using Windows Acquisition Tools
279(5)
AccessData FTK Explorer
279(5)
Acquiring Data on Linux Computers
284(8)
Using Other Forensics Acquisition Tools
292(2)
Exploring SnapBack DatArrest
292(1)
Exploring SafeBack
293(1)
Exploring EnCase
293(1)
Chapter Summary
294(1)
Key Terms
294(3)
CHAPTER 10 Computer Forensic Analysis 297(52)
Understanding Computer Forensic Analysis
298(1)
Refining the Investigation Plan
298(1)
Using DriveSpy to Analyze Computer Data
299(16)
DriveSpy Command Switches
306(1)
DriveSpy Keyword Searching
306(1)
DriveSpy Scripts
306(2)
DriveSpy Data-Integrity Tools
308(3)
DriveSpy Residual Data Collection Tools
311(1)
Other Useful DriveSpy Command Tools
312(3)
Using Other Digital Intelligence Computer Forensics Tools
315(1)
Using PDBlock and PDWipe
315(1)
Using AccessData's Forensic Toolkit
315(3)
Performing a Computer Forensic Analysis
318(17)
Setting Up Your Forensic Workstation
319(1)
Performing Forensic Analysis on Microsoft File Systems
320(12)
UNIX and Linux Forensic Analysis
332(3)
Macintosh Investigations
335(1)
Addressing Data Hiding Techniques
335(9)
Hiding Partitions
335(2)
Marking Bad Clusters
337(1)
Bit-Shifting
338(4)
Using Steganography
342(1)
Examining Encrypted Files
343(1)
Recovering Passwords
343(1)
Chapter Summary
344(1)
Key Terms
345(4)
CHAPTER 11 E-mail Investigations 349(36)
Understanding Internet Fundamentals
350(3)
Understanding Internet Protocols
352(1)
Exploring the Roles of the Client and Server in E-mail
353(2)
Investigating E-mail Crimes and Violations
355(16)
Identifying E-mail Crimes and Violations
355(1)
Examining E-mail Messages
355(1)
Copying an E-mail Message
356(1)
Printing an E-mail Message
357(1)
Viewing E-mail Headers
357(9)
Examining an E-mail Header
366(3)
Examining Additional E-mail Files
369(1)
Tracing an E-mail Message
370(1)
Using Network Logs Related to E-mail
370(1)
Understanding E-mail Servers
371(8)
Examining UNIX E-mail Server Logs
373(3)
Examining Microsoft E-mail Server Logs
376(2)
Examining Novell GroupWise E-mail Logs
378(1)
Using Specialized E-mail Forensics Tools
379(3)
Chapter Summary
382(1)
Key Terms
383(2)
CHAPTER 12 Recovering Image Files 385(40)
Recognizing an Image File
386(3)
Understanding Bitmap and Raster Images
386(2)
Understanding Vector Images
388(1)
Metafile Graphics
388(1)
Understanding Image File Formats
388(1)
Understanding Data Compression
389(1)
Reviewing Lossless and Lossy Compression
390(1)
Locating and Recovering Image Files
390(22)
Identifying Image File Fragments
391(1)
Repairing Damaged Headers
391(10)
Reconstructing File Fragments
401(10)
Identifying Unknown File Formats
411(1)
Analyzing Image File Headers
412(8)
Tools for Viewing Images
414(2)
Understanding Steganography in Image Files
416(3)
Using Steganalyses Tools
419(1)
Identifying Copyright Issues with Graphics
420(2)
Chapter Summary
422(2)
Key Terms
424(1)
CHAPTER 13 Writing Investigation Reports 425(40)
Understanding the Importance of Reports
426(4)
Limiting the-Report to Specifics
427(1)
Types of Reports
427(3)
Expressing an Opinion
430(6)
Designing the Layout and Presentation
434(2)
Litigation Support Reports versus Technical Reports
436(1)
Writing Clearly
436(4)
Providing Supporting Material
436(1)
Formatting Consistently
437(1)
Explaining Methods
437(1)
Data Collection
437(1)
Including Calculations
437(1)
Providing for Uncertainty and Error Analysis
438(1)
Explaining Results
438(1)
Discussing Results and Conclusions
438(1)
Providing References
438(2)
Including Appendices
440(1)
Providing Acknowledgments
440(1)
Formal Report Format
440(1)
Writing the Report
440(22)
Using FTK Demo Version
441(21)
Chapter Summary
462(1)
Key Terms
462(3)
CHAPTER 14 Becoming an Expert Witness 465(22)
Comparing Technical and Scientific Testimony
466(1)
Preparing for Testimony
466(4)
Documenting and Preparing Evidence
467(1)
Keeping Consistent Work Habits
467(1)
Processing Evidence
468(1)
Serving as a Consulting Expert or an Expert Witness
468(1)
Creating and Maintaining Your CV
469(1)
Preparing Technical Definitions
470(1)
Testifying in Court
470(7)
Understanding the Trial Process
470(1)
Qualifying Your Testimony and Voir Dire
471(1)
Addressing Potential Problems
471(1)
Testifying in General
472(1)
Presenting Your Evidence
472(1)
Using Graphics in Your Testimony
473(1)
Helping Your Attorney
474(1)
Avoiding Testimony Problems
474(1)
Testifying During Direct Examination
475(1)
Using Graphics During Testimony
476(1)
Testifying During Cross-Examination
477(4)
Exercising Ethics When Testifying
480(1)
Understanding Prosecutorial Misconduct
480(1)
Preparing for a Deposition
481(3)
Guidelines for Testifying at a Deposition
481(1)
Recognizing Deposition Problems
482(1)
Public Release: Dealing with Reporters
483(1)
Forming an Expert Opinion
484(1)
Determining the Origin of a Floppy Disk
484(1)
Chapter Summary
485(1)
Key Terms
486(1)
IACIS Certification
487(1)
APPENDIX A Certification Test References 487(4)
IACIS Computer Forensics Skills Expectations
488(1)
Looking Up URLs
489(2)
Quick References for Computing Investigators
491(1)
DriveSpy Command Switch References
491(1)
APPENDIX B Computer Forensics References 491(12)
UNIX and Linux Common Shell Commands
493(2)
Sample Script for DriveSpy
495(1)
Overview of FAT Directory Structures
496(6)
Computer Forensics References
502(1)
APPENDIX C Procedures for Corporate High-Technology Investigations 503(10)
Procedures for Investigations
503(1)
Employee Termination Cases
503(2)
Internet Web Abuse Investigations
503(1)
E-mail Abuse Investigations
504(1)
Attorney-Client Privileged Investigations
505(2)
Media Leak Investigations
507(2)
Industrial Espionage Investigations
509(1)
Interviews and Interrogation in High-Technology Investigations
510(3)
Glossary 513(12)
Index 525

An electronic version of this book is available through VitalSource.

This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.

By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.

Digital License

You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.

More details can be found here.

A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.

Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.

Please view the compatibility matrix prior to purchase.