Digital Forensics for Legal Professionals
Understanding Digital Evidence from the Warrant to the Courtroom
- 1st Edition - September 2, 2011
- Authors: Larry Daniel, Lars Daniel
- Language: English
- Paperback ISBN: 978-1-59749-643-8
- eBook ISBN: 978-1-59749-644-5
Digital Forensics for Legal Professionals is a complete non-technical guide for legal professionals and students to understand digital forensics. In the authors’ years of experience in working with attorneys as digital forensics experts, common questions arise again and again: "What do I ask for?" "Is the evidence relevant?" "What does this item in the forensic report mean?" "What should I ask the other expert?" "What should I ask you?" "Can you explain that to a jury?" This book answers many of those questions in clear language that is understandable by non-technical people. With many illustrations and diagrams that will be usable in court, it explains technical concepts such as unallocated space, forensic copies, timeline artifacts and metadata in simple terms that make these concepts accessible to both attorneys and juries.
The book also explains how to determine what evidence to ask for, evidence that might be discoverable, and furthermore, it provides an overview of the current state of digital forensics, the right way to select a qualified expert, what to expect from that expert, and how to properly use experts before and during trial. With this book, readers will clearly understand different types of digital evidence and examples of direct and cross examination questions. It includes a reference of definitions of digital forensic terms, relevant case law, and resources.
This book will be a valuable resource for attorneys, judges, paralegals, and digital forensic professionals.
- Provides examples of direct and cross examination questions for digital evidence
- Contains a reference of definitions of digital forensic terms, relevant case law, and resources for the attorney
Attorneys, judges, paralegals, digital forensic professionals
- Preface
- Intended Audience
- Organization of this Book
- Acknowledgments
- Dedication
- About the Authors
- About the Tech Editors
- Section 1: What Is Digital Forensics?
- Chapter 1. Digital Evidence Is Everywhere
- Publisher Summary
- Introduction
- 1.1 What is digital forensics?
- 1.2 What is digital evidence?
- 1.3 How digital evidence is created and stored
- Summary
- Chapter 2. Overview of Digital Forensics
- Publisher Summary
- Introduction
- 2.1 Digital forensics
- 2.2 A little computer history
- 2.3 A brief history of computer forensics
- 2.4 Computer forensics becomes digital forensics
- Summary
- Chapter 3. Digital Forensics: The Subdisciplines
- Publisher Summary
- Introduction
- 3.1 The subdisciplines
- 3.2 Computer forensics
- Summary
- Chapter 4. The Foundations of Digital Forensics: Best Practices
- Publisher Summary
- Introduction
- 4.1 Who establishes best practices?
- 4.2 Who should be following best practices?
- 4.3 Summary of best practices
- 4.4 What really happens in many cases
- Summary
- Chapter 5. Overview of Digital Forensics Tools
- Publisher Summary
- Introduction
- 5.1 What makes a tool forensically sound?
- 5.2 Who performs tool testing?
- 5.3 Computer forensics tools: An overview
- 5.4 Classes of forensics tools
- 5.5 Mobile device forensics tools
- Summary
- References
- Chapter 6. Digital Forensics at Work in the Legal System
- Publisher Summary
- Introduction
- 6.1 Mitigation
- 6.2 Pre-trial motions
- 6.3 Trial preparation
- 6.4 Example trial questions
- 6.5 Trial phase
- Summary
- Section 2: Experts
- Chapter 7. Why Do I Need an Expert?
- Publisher Summary
- Introduction
- 7.1 Why hire a digital forensics expert?
- 7.2 When to hire a digital forensics expert
- Summary
- Chapter 8. The Difference between Computer Experts and Digital Forensics Experts
- Publisher Summary
- Introduction
- 8.1 The computer expert
- 8.2 The digital forensics expert
- 8.3 A side-by-side comparison
- 8.4 Investigation of digital evidence
- Summary
- Chapter 9. Selecting a Digital Forensics Expert
- Publisher Summary
- Introduction
- 9.1 What is an expert?
- 9.2 Locating and selecting an expert
- 9.3 Certifications
- 9.4 Training, education, and experience
- 9.5 The right forensic tools
- Summary
- References
- Chapter 10. What to Expect from an Expert
- Publisher Summary
- Introduction
- 10.1 General expectations
- 10.2 Where to begin?
- 10.3 The examination
- 10.4 Court preparation
- 10.5 Expert advice
- Summary
- Chapter 11. Approaches by Different Types of Examiners
- Publisher Summary
- Introduction
- 11.1 Standards
- 11.2 Training and experience
- 11.3 Impact on examinations
- 11.4 Ethics
- 11.5 The approach to an examination
- Summary
- References
- Chapter 12. Spotting a Problem Expert
- Publisher Summary
- Introduction
- 12.1 Beyond the window dressings
- Summary
- Chapter 13. Qualifying an Expert in Court
- Publisher Summary
- Introduction
- 13.1 Qualifying an expert
- 13.2 Qualifying experts in court
- Summary
- Reference
- Section 3: Motions and Discovery
- Chapter 14. Overview of Digital Evidence Discovery
- Publisher Summary
- Introduction
- 14.1 Discovery motions in civil and criminal cases
- Summary
- Chapter 15. Discovery of Digital Evidence in Criminal Cases
- Publisher Summary
- Introduction
- 15.1 Sources of digital evidence
- 15.2 Building the motion
- Summary
- Chapter 16. Discovery of Digital Evidence in Civil Cases
- Publisher Summary
- Introduction
- 16.1 Rules governing civil discovery
- 16.2 Electronic discovery in particular
- 16.3 Time is of the essence
- 16.4 Getting to the particulars
- 16.5 Getting the electronic evidence
- Summary
- References
- Chapter 17. Discovery of Computers and Storage Media
- Publisher Summary
- Introduction
- 17.1 An example of a simple consent to search agreement
- 17.2 Example of a simple order for expedited discovery
- 17.3 Example of an order for expedited discovery and temporary restraining order
- Summary
- Chapter 18. Discovery of Video Evidence
- Publisher Summary
- Introduction
- 18.1 Common issues with video evidence
- 18.2 Collecting video evidence
- 18.3 Example discovery language for video evidence
- Summary
- Chapter 19. Discovery of Audio Evidence
- Publisher Summary
- Introduction
- 19.1 Common issues with audio evidence
- 19.2 Example discovery language for audio evidence
- Summary
- Chapter 20. Discovery of Social Media Evidence
- Publisher Summary
- Introduction
- 20.1 Legal issues in social media discovery
- 20.2 Finding custodian of records contact information
- 20.3 Facebook example
- 20.4 Google information
- 20.5 Online e-mail accounts
- Summary
- References
- Chapter 21. Discovery in Child Pornography Cases
- Publisher Summary
- Introduction
- 21.1 The Adam Walsh Child Protection and Safety Act of 2006
- 21.2 The discovery process
- Summary
- References
- Chapter 22. Discovery of Internet Service Provider Records
- Publisher Summary
- Introduction
- 22.1 Internet service provider records or IP addresses
- 22.2 Example language for web-based e-mail addresses
- 22.3 What to expect from an internet service provider (ISP) subpoena
- Summary
- Chapter 23. Discovery of Global Positioning System Evidence
- Publisher Summary
- Introduction
- 23.1 GPS tracking evidence overview
- 23.2 Discovery of GPS evidence
- Summary
- Chapter 24. Discovery of Call Detail Records
- Publisher Summary
- Introduction
- 24.1 Discovery issues in cellular evidence
- 24.2 Example language for call detail records
- Summary
- Chapter 25. Obtaining Expert Funding in Indigent Cases
- Publisher Summary
- Introduction
- 25.1 Justifying extraordinary expenses
- 25.2 Example language for an ex parte motion for expert funds
- Summary
- Section 4: Common Types of Digital Evidence
- Chapter 26. Hash Values: The Verification Standard
- Publisher Summary
- Introduction
- 26.1 Hash values
- 26.2 How hash values are used in digital forensics
- Summary
- Chapter 27. Metadata
- Publisher Summary
- Introduction
- 27.1 The purpose of metadata
- 27.2 Common types of metadata
- Summary
- Chapter 28. Thumbnails and the Thumbnail Cache
- Publisher Summary
- Introduction
- 28.1 Thumbnails and the thumbnail cache
- 28.2 How thumbnails and the thumbnail cache work
- 28.3 Thumbnails and the thumbnail cache as evidence
- Summary
- Reference
- Chapter 29. Deleted Data
- Publisher Summary
- Introduction
- 29.1 How data is stored on a hard drive
- 29.2 Deleted file recovery
- 29.3 Evidence of data destruction
- Summary
- Chapter 30. Computer Time Artifacts (MAC Times)
- Publisher Summary
- Introduction
- 30.1 Computer file system time stamps
- 30.2 Fundamental Issues in forensic analysis of timeline
- 30.3 Created, modified, accessed
- 30.4 The bottom line
- Summary
- Chapter 31. Internet History (Web and Browser Caching)
- Publisher Summary
- Introduction
- 31.1 What is web caching?
- 31.2 How Internet browser (web) caching works
- 31.3 Internet (web) caching as evidence
- 31.4 What if the Internet cache is cleared by the user?
- Summary
- Chapter 32. Windows Shortcut Files (Link Files)
- Publisher Summary
- Introduction
- 32.1 The purpose of link files, how they are created, and how they work
- 32.2 How link files can be of evidentiary value
- 32.3 Link files as evidence
- Summary
- Chapter 33. Cellular System Evidence and Call Detail Records
- Publisher Summary
- Introduction
- 33.1 An overview of the cellular phone system
- 33.2 How cell phones work
- 33.3 Call detail records
- 33.4 Call detail records as evidence of cell phone location
- 33.5 Enhanced 911 wireless location services
- 33.6 The E911 system overview
- 33.7 Emergency situations: Real-time cell phone tracking
- Summary
- Reference
- Chapter 34. E-mail Evidence
- Publisher Summary
- Introduction
- 34.1 E-mail as evidence
- 34.2 E-mail storage and access: Where is it?
- 34.3 Web mail
- Summary
- Reference
- Chapter 35. Social Media
- Publisher Summary
- Introduction
- 35.1 Common forms of social networking (social media)
- 35.2 Evidence out in the open
- 35.3 Convenience versus security
- 35.4 The allure of anonymity
- 35.5 Social media as evidence
- 35.6 Getting information from online services
- Summary
- References
- Chapter 36. Peer-to-Peer Networks and File Sharing
- Publisher Summary
- Introduction
- 36.1 What is peer-to-peer file sharing?
- 36.2 How it works
- 36.3 Privacy and security issues with peer-to-peer file sharing
- 36.4 Peer-to-peer network evidence
- Summary
- Reference
- Chapter 37. Cell Phones
- Publisher Summary
- Introduction
- 37.1 The fragile nature of cellular evidence
- 37.2 Forensic acquisition methods for cellular phones
- 37.3 Subscriber identity module (SIM) cards
- 37.4 Cell phone backup files
- 37.5 Advanced cell phone data analytics
- 37.6 The future of cell phone forensics
- Summary
- References
- Chapter 38. Video and Photo Evidence
- Publisher Summary
- Introduction
- 38.1 The most critical steps in the forensic examination of video and photo evidence
- 38.2 Using video and photo evidence in cases
- Summary
- References
- Chapter 39. Databases
- Publisher Summary
- Introduction
- 39.1 Databases in everyday life
- 39.2 What is a database?
- 39.3 Database files as evidence
- 39.4 Database recovery
- 39.5 Data as evidence
- Summary
- Chapter 40. Accounting Systems and Financial Software
- Publisher Summary
- Introduction
- 40.1 Accounting and money management programs
- 40.2 Personal money management software
- 40.3 Business accounting software
- 40.4 Getting the evidence
- 40.5 Types of evidence from financial software
- 40.6 Batch files as evidence
- 40.7 Other sources of financial evidence
- Summary
- Chapter 41. Multiplayer Online Games
- Publisher Summary
- Introduction
- 41.1 The culture of Massively Multiplayer Online Role Playing Games (MMORPGs)
- 41.2 MMORPG data as evidence
- Summary
- References
- Chapter 42. Global Positioning Systems
- Publisher Summary
- Introduction
- 42.1 An overview of global positioning systems
- 42.2 An overview of the NAVSTAR Global Positioning System
- 42.3 How GPS works
- 42.4 Types of GPS evidence
- 42.5 Collection of evidence from GPS devices
- 42.6 Interpretation of GPS evidence
- Summary
- References
- Index
- No. of pages: 368
- Language: English
- Edition: 1
- Published: September 2, 2011
- Imprint: Syngress
- Paperback ISBN: 9781597496438
- eBook ISBN: 9781597496445
Larry Daniel
Lars Daniel
Lars is an EnCase Certified Examiner (EnCE), an AccessData Certified Examiner (ACE), an AccessData Certified Mobile Examiner (AME), a Certified Telecommunications Network Specialist (CTNS), a Certified Wireless Analyst (CWA), a Certified Internet Protocol Telecommunications Specialist (CIPTS), and a Certified Telecommunications Analyst (CTA).
He spoke at the largest annual digital forensics conference, the Computer Enterprise and Investigations Conference (CEIC), in 2011 and 2013, and at the EnFuse conference in 2016.
Lars has qualified as an expert witness and testified in both state and federal court, qualifying as a digital forensics expert, computer forensics expert, a cell phone forensics expert, a video forensics expert, and a photo forensics expert.
He has attended over 300 hours of forensic training and has worked on over 600 cases involving murder, child pornography, terrorism, rape, kidnapping, intellectual property, fraud, wrongful death, employee wrongdoing and insurance losses among numerous other types of cases.
Lars is the co-author of the book Digital Forensics for Legal Professionals: Understanding Digital Evidence from the Warrant to the Courtroom, published by Syngress, an imprint of Elsevier Publishing.
He has extensive experience in both civil and criminal defense cases. He provides Continuing Legal Education (CLE) training classes for attorneys across the United States.