Acquiring Editor: Chris Katsaropoulos
Development Editor: Heather Scherer
Project Manager: Danielle S. Miller
Designer: Alisa Andreola
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
© 2012 Elsevier, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Sammons, John.
The basics of digital forensics : the primer for getting started in digital forensics / John Sammons.
p. cm.
ISBN 978-1-59749-661-2
1. Computer crimes--Investigation. I. Title.
HV8079.C65S35 2012
363.25'968--dc23
2011047052
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
For information on all Syngress publications visit our website at: www.syngress.com
Typeset by: diacriTech, Chennai, India
Printed in the United States of America
12 13 14 15 10 9 8 7 6 5 4 3 2 1
Dedication
For Lora, Abby, and Rae for making me a truly blessed and lucky man.
To my mother Juanita, and my grandmother Grace. For the many sacrifices you made and the example you set. I miss you.
Preface
Seal Team Six tore the hard drives from Osama bin Laden's computers. Some of Michael Jackson's final words were captured on an iPhone. Google searches for chloroform played a central role in the trial of Casey Anthony. This list could go on and on. Digital forensics is used to keep us safe, to ensure justice is done and company and taxpayer resources aren't abused. This book is your first step into the world of digital forensics. Welcome!
Digital forensics is used in a number of arenas, not just in catching identity thieves and Internet predators. For example, it's being used on the battlefields of Afghanistan to gather intelligence. The rapid exploitation of information pulled from cell phones and other devices is helping our troops identify and eliminate terrorists and insurgents.
It's being used in the multibillion-dollar world of civil litigation. Gone are the days when opposing parties exchanged boxes of paper memos, letters, and reports as part of the litigation process. Today, those documents are written in 1s and 0s rather than ink. They are stored on hard drives and backup tapes rather than in filing cabinets.
Digital forensics helps combat the massive surge in cybercrime. Identity thieves, child pornographers, and old school criminals are all using and leveraging technology to facilitate their illegal activities.
Finally, it's being used in the workplace to help protect both companies and government entities from the misuse of their computer systems.
Intended Audience
As the title suggests, this is a beginner's book. The only assumption is that you have a fundamental understanding of, or familiarity with, computers and other digital devices. If you have a moderate or advanced understanding of digital forensics, this book may not be for you. As part of Syngress's Basics series, I wrote this book more as a broad introduction to the subject than as an all-encompassing tome. I've tried to use as much plain English as possible, making it (hopefully) an easier read.
I'd like to emphasize that this is an introductory book that is deliberately limited in length. Given that, there is much that couldn't be covered in depth or even covered at all. Each chapter could be a book all by itself. There are many wonderful books out there that can help further your understanding. I sincerely hope you don't stop here.
Organization of This Book
The book is organized in a fairly straightforward way. Each chapter covers a specific type of technology and begins with a basic explanation of the technology involved. This is a necessity in order to really understand the forensic material that follows.
To help reinforce the material, the book also contains stories from the field, case examples, and Q&A sessions with a cryptanalyst and with a specialist in cell phone forensics.
Introduction
"What exactly is digital forensics?" seeks to define digital forensics and examine how it's being used. From the battlefield to the boardroom to the courtroom, digital forensics is playing a bigger and bigger role.
Key Technical Concepts
Understanding how computers create and store digital information is a prerequisite for the study of digital forensics. It is this understanding that enables us to answer questions like "How was that artifact created?" and "Was that generated by the computer itself, or was it the result of some user action?" We'll look at binary, how data are stored, storage media, and more.
Labs and Tools
In Labs and Tools, we look at the digital forensic environment and the hardware and software that are used on a regular basis. We will also examine the standards used to accredit labs and validate tools. Those standards are explored along with quality assurance, which is the bedrock of any forensic operation. Quality assurance seeks to ensure that the results generated by a forensic examination are accurate.
Collecting Evidence
How the digital evidence is handled will play a major role in getting that evidence admitted into court. This chapter covers fundamental forensically sound practices that you can use to collect the evidence and establish a chain of custody.