Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.
The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.
Copyright 2012 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Marcella, Albert J.
Cyber forensics : from data to digital evidence / Albert J. Marcella, PhD, CISA, CISM, Frederic Guillossou, CISSP, CCE.
pages cm. — (The Wiley Corporate F&A series)
Includes index.
ISBN 978-1-118-27366-1 (hardback); ISBN 978-1-118-28268-7 (ebk); ISBN 978-1-118-28505-3 (ebk); ISBN 978-1-118-28731-6 (ebk)
1. Forensic sciences — Technological innovations. 2. Electronic evidence. 3. Evidence, Criminal. 4. Criminal investigation. 5. Computer crimes — Investigation. I. Guillossou, Frederic, 1970- II. Title.
HV8073.5.M168 2012
363.250285 — dc23 2011048568
Al Marcella
To my wife
Diane....
A sunbeam to warm you,
A moonbeam to charm you,
A sheltering angel, so nothing can harm you.
May you always know how happy you make me, and how much I love you! Love doesn't make the world go round; love is what makes the ride worthwhile.
Thank you for sharing with me, the ride of a lifetime.
Frederic Guillossou
To my wife and daughter
Alexandra and Nathalie
The happy memories of the past, the joyful moments of the present, and the hope and promise of the future.
Preface
THE ROLE AND RESPONSIBILITY of a cyber forensic investigator is to accurately report on the actions taken to identify, extract, and analyze the data that will ultimately be presented as evidence in an investigation of an individual suspected of engaging in unauthorized activities.
As an expert, a cyber forensic investigator who heavily relies upon the automated, generated results of a forensic software tool, without an intimate knowledge of how the results have been achieved, is risking not only his or her professional reputation but also the potential of a successful outcome to an investigation.
Data, the primordial building blocks of information as we know it, begin life as nothing more than electrical impulses representing the presence or absence of an electrical charge. Knowing just how these pulses end up as data, and how these data then end up as potential evidence, is an essential skill for a cyber forensic investigator.
The evolution of bits and bytes into data and finally into human-understandable text is not rocket science; somewhat technical yes, but not beyond the reach or understanding of the professional looking to gain a greater understanding of HOW data become digital forensic evidence, WHERE to look for this evidence, buried beneath hundreds of millions of bytes of data, and WHY specific data may lead the investigator to the proverbial smoking gun.
In communicating the results of a cyber forensic investigation, answering the question "How did you identify the specific data you examined to reach your conclusion?" by alluding to your use of a specific cyber forensic tool, without a thorough understanding of how that tool arrived at its answer, could be professionally dangerous.
Reliance on the software to produce an answer, without a solid understanding of the HOWs, WHATs, WHYs, and the theory and logic behind how the answer was attained is akin to submitting all of the correct answers to a mathematics exam and failing, because you did not show your work. Knowing the answer without knowing how you achieved the answer or how to explain how the answer was achieved is having only half of a solution.
The book you are about to read will provide you with the specific knowledge to speak confidently about the validity of the data identified, accessed, and analyzed as part of a comprehensive cyber forensic investigation.
We start small, in fact very small... bits and bytes small, explaining the origins of data and progressing onward to concepts related to data storage, boot records, partitions, volumes, and file systems, and how each of these is interrelated and essential in a cyber forensic investigation. For each of these areas we describe the role it plays in an investigation and the type of evidential data that may be identified within it.
Also addressed are two often overlooked topics that impact almost every cyber-based investigation: endianness and time. Each of these topics rightly deserves its own chapter, and each is discussed in depth with respect to its impact and influence on data and ultimately on the identification of digital evidence.
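To make concrete why byte order and timestamp encoding matter, here is an added example (not code from the book) that reads the same raw bytes under both byte orders and decodes a FAT-style packed date/time. The 16-bit FAT time and date layout used below (seconds/2 in bits 0-4, minutes in bits 5-10, hours in bits 11-15; day in bits 0-4, month in bits 5-8, years since 1980 in bits 9-15, both words stored little-endian) is taken from the FAT specification, not from this page; the sample byte strings are constructed for the example.

```python
import struct
from datetime import datetime


def u32(raw: bytes, little: bool = True) -> int:
    """Interpret four bytes as an unsigned 32-bit integer in the chosen byte order.

    The same four bytes yield very different values depending on the order assumed,
    which is why an examiner must know the byte order a structure was written in.
    """
    return struct.unpack("<I" if little else ">I", raw)[0]


def fat_datetime(raw: bytes, little: bool = True) -> datetime:
    """Decode a 4-byte FAT timestamp (16-bit time word followed by 16-bit date word).

    FAT stores both words little-endian; `little=False` shows what an examiner would
    report if the byte order were assumed incorrectly. datetime() raises ValueError
    for an impossible month/day, but a wrong byte order can still produce a
    plausible-looking, and wrong, timestamp.
    """
    fmt = "<HH" if little else ">HH"
    t, d = struct.unpack(fmt, raw)
    second = (t & 0x1F) * 2          # bits 0-4: two-second resolution
    minute = (t >> 5) & 0x3F         # bits 5-10
    hour = t >> 11                   # bits 11-15
    day = d & 0x1F                   # bits 0-4
    month = (d >> 5) & 0x0F          # bits 5-8
    year = 1980 + (d >> 9)           # bits 9-15: years since 1980
    return datetime(year, month, day, hour, minute, second)


if __name__ == "__main__":
    # Constructed sample: a 32-bit field as it might appear in an on-disk structure.
    field = b"\x00\x08\x00\x00"
    print("little-endian:", u32(field))          # 2048
    print("big-endian:   ", u32(field, False))   # 524288

    # Constructed sample: time word 0x6B20, date word 0x4A21, stored little-endian.
    stamp = b"\x20\x6B\x21\x4A"
    print("correct decode:", fat_datetime(stamp))         # 2017-01-01 13:25:00
    print("wrong byte order:", fat_datetime(stamp, False))  # 1996-10-10 04:03:22
```

The second decode is the cautionary case: with the byte order reversed the result is still a valid calendar date, so nothing in the tool's output would flag the error. Only knowledge of how the structure is laid out on disk lets the examiner recognize which answer is right.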
In an effort to more effectively introduce specific information technology (IT) and cyber forensic concepts and to discuss critical cyber forensic processes, we proudly introduce Ronelle Sawyer and Jose McCarthy, employees who become involved in the theft of intellectual property.
Ronelle's and Jose's activities and actions are discussed throughout the book as an ongoing case, designed to provide the reader with specific examples of the application of the cyber forensic concepts discussed throughout the 12 primary chapters of this book. Although the case and characters are fictitious, the scenario presented is not.