Digital Evidence and Computer Crime
- 2nd Edition - March 8, 2004
- Author: Eoghan Casey
- Language: English
- Hardback ISBN:9 7 8 - 0 - 1 2 - 1 6 3 1 0 4 - 8
- eBook ISBN:9 7 8 - 0 - 0 8 - 0 4 7 2 5 0 - 8
Digital Evidence and Computer Crime, Second Edition, is a hands-on resource that aims to educate students and professionals in the law enforcement, forensic science, computer… Read more
Digital Evidence and Computer Crime, Second Edition, is a hands-on resource that aims to educate students and professionals in the law enforcement, forensic science, computer security, and legal communities about digital evidence and computer crime. This textbook explains how computers and networks function, how they can be involved in crimes, and how they can be used as a source of evidence.
In addition to gaining a practical understanding of how computers and networks function and how they can be used as evidence of a crime, students will learn about relevant legal issues and will be introduced to deductive criminal profiling, a systematic approach to focusing an investigation and understanding criminal motivations. Readers will receive unlimited access to the author's accompanying website, which contains simulated cases that integrate many of the topics covered in the text.
This text is required reading for anyone involved in computer investigations or computer administration, including computer forensic consultants, law enforcement, computer security professionals, government agencies (IRS, FBI, CIA, Dept. of Justice), fraud examiners, system administrators, and lawyers.
- Provides a thorough explanation of how computers and networks function, how they can be involved in crimes, and how they can be used as a source of evidence
- Offers readers information about relevant legal issues
- Features coverage of the abuse of computer networks and privacy and security issues on computer networks
Computer forensic consultants, law enforcement, computer security professionals (INFOSEC), government agencies (IRS, FBI, CIA, Dept. of Justice), fraud examiners, system administrators, lawyers.
Part 1Chapter 1: Digital Evidence and Computer Crime1.1) Digital Evidence1.2) Increasing Awareness of Digital Evidence1.3) Challenging Aspects of Digital Evidence1.4) Following the Cybertrail1.5) Challenging Aspects of the Cybertrail1.6) Forensic Science and Digital Evidence1.7) SummaryChapter 2: History and Terminology of Computer Crime Investigation2.1) Brief History of Computer Crime Investigation2.2) Evolution of Investigative Tools2.3) Language of Computer Crime Investigation2.3.1) The Role of Computers in Crime2.4) SummaryChapter 3: Technology and LawPart A: Technology and Law - A United States PerspectiveRobert DunneA.1) JurisdictionA.2) Pornography and ObscenityA.3) PrivacyA.4) Copyrights and the "Theft" of Digital Intellectual PropertyPart B: Computer Misuse in AmericaEoghan CaseyPart C: Technology and Criminal Law - A European perspectiveTessa RobinsonC.1) Overview of Criminal OffensesC.2) Search and SeizureC.3) Jurisdiction and ExtraditionC.4) PenaltiesC.5) PrivacyC.6) SummaryChapter 4: The Investigative ProcessEoghan Casey and Gary Palmer4.1) The Role of Digital Evidence4.2) Investigative Methodology 4.2.1) Accusation or Incident Alert 4.2.2) Assessment of Worth 4.2.3) Incident/Crime Scene Protocols 4.2.4) Identification or Seizure 4.2.5) Preservation 4.2.6) Recovery 4.2.7) Harvesting 4.2.8) Reduction 4.2.9) Organization and Search 4.2.10) Analysis 4.2.11) Reporting 4.2.12) Persuasion and Testimony4.3) SummaryChapter 5: Investigative ReconstructionEoghan Casey and Brent Turvey5.1) Equivocal Forensic Analysis 5.1.1) Reconstruction 5.1.2) Temporal Analysis 5.1.3) Relational Analysis 5.1.4) Functional Analysis5.2) Victimology 5.2.1) Victimology5.3) Crime Scene Characteristics 5.3.1) Method of Approach and Control 5.3.2) Offender Action, Inaction and Reaction5.4) Evidence Dynamic and Introduction of Error5.5) Reporting5.6) SummaryChapter 6: Modus Operandi, Motive & TechnologyBrent Turvey6.1) Axes to Pathological Criminals, and Other Unintended Consequences6.2) Modus Operandi6.3) Technology and Modus Operandi6.4) Motive and Technology 6.4.1) Power Reassurance (Compensatory) 6.4.2) Power Assertive (Entitlement) 6.4.3) Anger Retaliatory (Anger or Displaced) 6.4.4) Anger Excitation (Sadistic) 6.4.5) Profit Oriented6.5) Current Technologies 6.5.1) A Computer Virus 6.5.2) A Public Email Discussion List6.6) SummaryChapter 7: Digital Evidence in the Courtroom7.1) Admissibility - Warrants7.2) Authenticity and Reliability7.3) Casey's Certainty Scale7.4) Best Evidence7.5) Direct versus Circumstantial Evidence7.6) Hearsay 7.6.1) Hearsay Exceptions7.7) Scientific Evidence7.8) Presenting Digital Evidence7.9) SummaryPart 2: ComputersChapter 8: Computer Basics for Digital Evidence Examiners8.1) A Brief History of Computers8.2) Basic Operation of Computers 8.2.1) Central Processing Unit (CPU) 8.2.2) Basic Input and Output System (BIOS) 8.2.3) Power-on Self Test and CMOS Configuration Tool 8.2.4) Disk Boot8.3) Representation of Data8.4) Storage Media and Data Hiding8.5) File Systems and Location of Data8.6) Overview of Encryption 8.6.1) Private Key Encryption8.6.2) Public Key Encryption8.6.3) Pretty Good Privacy 8.9) SummaryChapter 9: Applying Forensic Science to Computers 9.1) Authorization and Preparation 9.2) Identification 9.2.1) Recognizing Hardware 9.2.2) Identifying Digital Evidence 9.3) Documentation 9.3.1) Message Digests and Digital Signatures 9.4) Collection and Preservation 9.4.1) Collecting and Preserving Hardware 9.4.2) Collecting and Preserving Digital Evidence 9.5) Examination and Analysis 9.5.1) Filtering/Reduction 9.5.2) Class/Individual Characteristics and Evaluation of Source 9.5.3) Data Recovery/Salvage 9.6) Reconstruction 9.6.1) Functional Analysis 9.6.2) Relational Analysis 9.6.3) Temporal Analysis 9.6.4) Digital Stratigraphy9.7) Reporting9.8) SummaryChapter 10: Forensic Analysis of Windows Systems10.1) Windows Evidence Acquisition Boot Disk10.2) File Systems10.3) Overview of Digital Evidence Processing Tools10.4) Data Recovery 10.4.1) Windows-based Recovery Tools 10.4.2) Unix-based Recovery Tools10.4.3) File Carving with Windows10.4.4) Dealing with Password Protection and Encryption10.5) Log Files10.6) File System Traces10.7) Registry10.8) Internet Traces 10.8.1) Web Browsing 10.8.2) Usenet Access 10.8.3) E-mail 10.8.4) Other Applications 10.8.5) Network Storage10.9) Program Analysis10.10) SummaryChapter 11: Forensic Analysis of Unix Systems11.1) Unix Evidence Acquisition Boot Disk11.2) File Systems11.3) Overview of Digital Evidence Processing Tools11.4) Data Recovery 11.4.1) Unix-based Tools11.4.2) Windows-based Tools11.4.3) File Carving with Unix11.4.4) Dealing with Password Protection and Encryption11.5) Log Files11.6) File System Traces11.7) Internet Traces 11.7.1) Web Browsing11.7.2) E-mail11.7.3) Network Traces 11.8) SummaryChapter 12: Forensic Analysis of Macintosh Systems12.1) File Systems12.2) Overview of Digital Evidence Processing Tools12.3) Data Recovery12.4) File System Traces12.5) Internet Traces12.5.1) Web Activity12.5.2) E-mail12.5.3) Network Storage 12.6) SummaryChapter 13: Forensic Analysis of Handheld Devices13.1) Overview of Handheld Devices 13.1.1) Memory13.1.2) Data Storage and Manipulation13.1.3) Exploring Palm Memory13.2) Collection and Examination of Handheld Devices 13.2.1) Palm OS 13.2.2) Windows CE Devices 13.2.3) RIM Blackberry 13.2.4) Mobile Phones13.3) Dealing with Password Protection and Encryption 13.4) Related Sources of Digital Evidence 13.4.1) Removable Media 13.4.2) Neighborhood Data 13.5) SummaryPart 3: NetworksChapter 14: Network Basics for Digital Evidence Examiners14.1) A Brief History of Computer Networks14.2) Technical overview of networks14.3) Network Technologies 14.3.1) Attached Resource Computer Network (ARCNET)14.3.2) Ethernet14.3.3) Fiber Distributed Data Interface (FDDI)14.3.4) Asynchronous Transfer Mode (ATM)14.3.5) IEEE 802.11 (Wireless)14.3.6) Cellular Networks14.3.7) Satellite Networks14.4) Connecting Networks Using Internet Protocols 14.4.1) Physical and Data-Link Layers (Layers 1 & 2) 14.4.2) Network and Transport Layers (Layers 3 & 4) 14.4.3) Session Layer (Layer 5)14.4.4) Presentation Layer (Layer 6)14.4.5) Application Layer (Layer 7)14.4.6) Synopsis of the OSI Reference Model14.5) SummaryChapter 15: Applying Forensic Science to Networks15.1) Preparation and Authorization15.2) Identification15.3) Documentation, Collection, and Preservation15.4) Filtering and Data Reduction15.5) Class/Individual Characteristics and Evaluation of Source15.6) Evidence Recovery15.7) Investigative Reconstruction 15.7.1) Behavioral Evidence Analysis15.8) SummaryChapter 16: Digital Evidence on Physical and Data-Link Layers16.1) Ethernet16.1.1) 10Base516.1.2) 10/100BaseT16.1.3) CSMA/CD16.2) Linking the Data-Link and Network Layers—Encapsulation16.2.1) Address Resolution Protocol (ARP)16.2.2) Point to Point Protocol and Serial Line Internet Protocol16.3) Ethernet versus ATM Networks16.4) Documentation, Collection, and Preservation16.4.1) Sniffer Placement16.4.2) Sniffer Configuration16.4.3) Other Source of MAC Addresses16.5) Analysis Tools and Techniques16.5.1) Keyword Searches16.5.2) Filtering and Classification16.5.3) Reconstruction16.6) SummaryChapter 17: Digital Evidence on Network and Transport Layers17.1) TCP/IP17.1.1) Internet Protocol and Cellular Data Networks17.1.2) IP Addresses17.1.3) Domain Name System17.1.4) IP Routing17.1.5) Servers and Ports17.1.6) Connection Management17.1.7) Abuses of TCP/IP17.2) Setting up A Network17.2.1) Static versus Dynamic IP Address Assignment17.2.2) Protocols for Assigning IP Addresses17.3) TCP/IP Related Digital Evidence17.3.1) Authentication Logs17.3.2) Server Logs17.3.3) Operating System Logs17.3.4) Network Device Logs17.3.5) State Tables17.3.6) Random Access Memory Contents17.4) SummaryChapter 18: Digital Evidence on the Internet18.1) Role of the Internet in Criminal Investigations18.2) Internet Services: Legitimate versus Criminal Uses18.2.1) The World Wide Web18.2.2) E-mail18.2.3) Newsgroups18.2.4) Synchronous Chat Networks18.2.5) Peer-To-Peer Networks and Instant Messaging18.3) Using the Internet as an Investigative Tool18.3.1) Search Engines18.3.2) Online Databases (the Invisible Web)18.3.3) Usenet Archive versus Actual Newgroups18.4) Online Anonymity and Self-Protection18.4.1) Overview of Exposure18.4.2) Proxies18.4.3) IRC "bots"18.4.5) Encryption18.4.5) Anonymous and Pseudonymous E-mail and Usenet18.4.6) Freenet18.4.7) Anonymous Cash18.5) E-mail Forgery and Tracking18.5.1) Interpreting E-mail Headers18.6) Usenet Forgery and Tracking18.6.1) Interpreting Usenet Headers18.7) Searching and Tracking on IRC18.8) SummaryPart 4: Investigating Computer CrimeChapter 19: Investigating Computer Intrusions19.1) How Computer Intruders Operate19.2) Investigating Intrusions19.2.1) Processes as a Source of Evidence (Windows)19.2.2) Processes as a Source of Evidence (Unix)19.2.3) Windows Registry19.2.4) Acquisition over Network19.2.5) Classification, Comparison, and Evaluation of Source19.3) Investigative Reconstruction19.3.1) Parallels between Arson and Intrusion Investigations19.3.2) Crime Scene Characteristics19.3.3) Automated and Dynamic Modus Operandi19.3.4) Examining the Intruder's Computer19.4) Detailed Case Example19.5) SummaryChapter 20: Sex Offenders on the InternetEoghan Casey, Monique Mattei Ferraro, Michael McGrath20.1) Window to the World20.2) Legal Considerations20.3) Identifying and Processing Digital Evidence20.4) Investigating Online Sexual Offenders20.4.1) Undercover Investigation20.5) Investigative Reconstruction20.5.1) Analyzing Sex Offenders20.5.2) Analyzing Victim Behavior20.5.3) Crime Scene Characteristics20.5.4) Motivation20.6) SummaryChapter 21: Investigating Cyberstalking21.1) How Cyberstalkers Operate21.1.1) Acquiring Victims21.1.2) Anonymity and Surreptitious Monitoring21.1.3) Escalation and Violence21.2) Investigating Cyberstalking21.2.1) Interviews21.2.2) Victimology21.2.3) Risk Assessment21.2.4) Search21.2.5) Crime Scene Characteristics21.2.6) Motivation21.3) Cyberstalking Case Example21.4) SummaryChapter 22: Digital Evidence as Alibi22.1) Investigating an Alibi22.2) Time as Alibi22.3) Location as Alibi22.4) SummaryPart 4: GuidelinesChapter 23: Handling the Digital Crime Scene23.1) Identification or Seizure23.1.1) When the Entire Computer is Required23.2) Preservation23.2.1) If Only a Portion of the Digital Evidence on a Computer is Required23.2.2) Sample Preservation FormChapter 24: Digital Evidence Examination GuidelinesEoghan Casey and Troy Larson24.1) Preparation24.2) Processing24.2.1) DOS/Windows Command Line - Maresware24.2.2) Windows GUI - EnCase24.2.3) Windows GUI - FTK24.3) Identify and Process Special Files24.4) Summary
- Edition: 2
- Published: March 8, 2004
- Language: English
EC
Eoghan Casey
Eoghan Casey is an internationally recognized expert in data breach investigations and information security forensics. He is founding partner of CASEITE.com, and co-manages the Risk Prevention and Response business unit at DFLabs. Over the past decade, he has consulted with many attorneys, agencies, and police departments in the United States, South America, and Europe on a wide range of digital investigations, including fraud, violent crimes, identity theft, and on-line criminal activity. Eoghan has helped organizations investigate and manage security breaches, including network intrusions with international scope. He has delivered expert testimony in civil and criminal cases, and has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases.
In addition to his casework and writing the foundational book Digital Evidence and Computer Crime, Eoghan has worked as R&D Team Lead in the Defense Cyber Crime Institute (DCCI) at the Department of Defense Cyber Crime Center (DC3) helping enhance their operational capabilities and develop new techniques and tools. He also teaches graduate students at Johns Hopkins University Information Security Institute and created the Mobile Device Forensics course taught worldwide through the SANS Institute. He has delivered keynotes and taught workshops around the globe on various topics related to data breach investigation, digital forensics and cyber security.
Eoghan has performed thousands of forensic acquisitions and examinations, including Windows and UNIX systems, Enterprise servers, smart phones, cell phones, network logs, backup tapes, and database systems. He also has information security experience, as an Information Security Officer at Yale University and in subsequent consulting work. He has performed vulnerability assessments, deployed and maintained intrusion detection systems, firewalls and public key infrastructures, and developed policies, procedures, and educational programs for a variety of organizations. Eoghan has authored advanced technical books in his areas of expertise that are used by practitioners and universities around the world, and he is Editor-in-Chief of Elsevier's International Journal of Digital Investigation.
Affiliations and expertise
Eoghan Casey, cmdLabs, Baltimore, MD, USA