Cyber Forensics: From Data to Digital Evidence


Praise For Cyber Forensics

"For novice and experienced examiners alike, this book is unlike many of its genre and actually keeps your interest from the first to the last page. The incorporation of an event necessitating an investigative effort, combined with an overview of the computer forensic methodology, is a must-read."
—Detective Andy Hrenak, CFCE/A+/ACE/DFCB, Hazelwood Police Department, RCCEEG Forensic Examiner

"This book is a must-read for all practicing forensic professionals and students interested in gaining a deeper understanding of cyber forensics. The authors manage to explain cyber forensics in an unthreatening and understandable way! Good job, guys!"
—Bruce Monahan, Chief Audit Executive, Selective Insurance Group, Inc.

"Marcella and Guillossou have created one of the most important resources for cyber forensic professionals available today. The need for understanding electronic data at its most basic level is critical to help ensure that a cyber forensic investigator or expert witness can confidently handle any legal cross-examination. If you want to gain the detailed knowledge of how 'bits' and 'bytes' of data become digital evidence, this book is for you!"
—Doug Menendez, CISA, CIA, Audit Manager, Graybar Electric Company; coauthor, Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition

"This book is a solid foundation for anyone wishing to improve their forensic skills and provide stronger investigative and legal case support. The use of a fictitious case throughout the text to illustrate points and demonstrate process is very effective."
—Jeff Lukins, Dynetics Technical Services, Inc.

"Cyber Forensics is the only book on computer forensics in which the authors take the bottom-up approach—explaining fundamentals of digital data storage and retrieval before discussing any forensic techniques. The book focuses more on the scientific concepts of computer forensics and less on the law-enforcement-related activities. This makes the book a perfect text for college-level computer science students."
—Dr. Lydia Ray, Assistant Professor of Computer Science, Columbus State University

"The need for clear but detailed understanding is absolutely critical to effectively obtain and utilize digital data to any end, but especially for investigatory results. Messrs. Marcella and Guillossou have delivered on that need in their newest text, Cyber Forensics: From Data to Digital Evidence. This text will be added to my personal reference library immediately. Thank you, gentlemen, for your efforts and results for those of us that need this type of information."
—Don Caniglia, CGEIT, CISA, CISM, FLMI, founder/CEO, ITRisk Management Services, LLC

Albert J. Marcella, Jr., PhD, CISA, CISM, is President of Business Automation Consultants, LLC, a global information technology and management consulting firm providing IT management consulting, audit and security reviews, and training. He is an internationally recognized public speaker, researcher, workshop and seminar leader, and an author of numerous articles and books on various IT, audit, and security related subjects.

Frederic Guillossou, CISSP, CCE, is an Information Security Analyst with TALX, a division of Equifax. He regularly trains on intrusion prevention systems and has successfully led a number of forensic investigations in the field.

Preface xiii

Acknowledgments xvii

Chapter 1: The Fundamentals of Data 1

Base 2 Numbering System: Binary and Character Encoding 2

Communication in a Two-State Universe 3

Electricity and Magnetism 3

Building Blocks: The Origins of Data 4

Growing the Building Blocks of Data 5

Moving Beyond Base 2 7

American Standard Code for Information Interchange 7

Character Codes: The Basis for Processing Textual Data 10

Extended ASCII and Unicode 10

Summary 12

Notes 13

Chapter 2: Binary to Decimal 15

American Standard Code for Information Interchange 16

Computer as a Calculator 16

Why Is This Important in Forensics? 18

Data Representation 18

Converting Binary to Decimal 19

Conversion Analysis 20

A Forensic Case Example: An Application of the Math 20

Decimal to Binary: Recap for Review 22

Summary 23

Chapter 3: The Power of HEX: Finding Slivers of Data 25

What the HEX? 26

Bits and Bytes and Nibbles 27

Nibbles and Bits 29

Binary to HEX Conversion 30

Binary (HEX) Editor 34

The Needle within the Haystack 39

Summary 41

Notes 42

Chapter 4: Files 43

Opening 44

Files, File Structures, and File Formats 44

File Extensions 45

Changing a File’s Extension to Evade Detection 47

Files and the HEX Editor 53

File Signature 55

ASCII Is Not Text or HEX 57

Value of File Signatures 58

Complex Files: Compound, Compressed, and Encrypted Files 59

Why Do Compound Files Exist? 60

Compressed Files 61

Forensics and Encrypted Files 64

The Structure of Ciphers 65

Summary 66

Notes 67

Appendix 4A: Common File Extensions 68

Appendix 4B: File Signature Database 73

Appendix 4C: Magic Number Definition 77

Appendix 4D: Compound Document Header 79

Chapter 5: The Boot Process and the Master Boot Record (MBR) 85

Booting Up 87

Primary Functions of the Boot Process 87

Forensic Imaging and Evidence Collection 90

Summarizing the BIOS 92

BIOS Setup Utility: Step by Step 92

The Master Boot Record (MBR) 96

Partition Table 102

Hard Disk Partition 103

Summary 110

Notes 111

Chapter 6: Endianness and the Partition Table 113

The Flavor of Endianness 114

Endianness 116

The Origins of Endian 117

Partition Table within the Master Boot Record 117

Summary 125

Notes 127

Chapter 7: Volume versus Partition 129

Tech Review 130

Cylinder, Head, Sector, and Logical Block Addressing 132

Volumes and Partitions 138

Summary 142

Notes 144

Chapter 8: File Systems--FAT 12/16 145

Tech Review 145

File Systems 147

Metadata 149

File Allocation Table (FAT) File System 153

Slack 157

HEX Review Note 160

Directory Entries 161

File Allocation Table (FAT) 163

How Is Cluster Size Determined? 167

Expanded Cluster Size 169

Directory Entries and the FAT 170

FAT Filing System Limitations 174

Directory Entry Limitations 176

Summary 177

Appendix 8A: Partition Table Fields 179

Appendix 8B: File Allocation Table Values 180

Appendix 8C: Directory Entry Byte Offset Description 181

Appendix 8D: FAT 12/16 Byte Offset Values 182

Appendix 8E: FAT 32 Byte Offset Values 184

Appendix 8F: The Power of 2 186

Chapter 9: File Systems--NTFS and Beyond 189

New Technology File System 189

Partition Boot Record 190

Master File Table 191

NTFS Summary 195

exFAT 196

Alternative Filing System Concepts 196

Summary 203

Notes 204

Appendix 9A: Common NTFS System Defined Attributes 205

Chapter 10: Cyber Forensics: Investigative Smart Practices 207

The Forensic Process 209

Forensic Investigative Smart Practices 211

Step 1: The Initial Contact, the Request 211

Step 2: Evidence Handling 216

Step 3: Acquisition of Evidence 221

Step 4: Data Preparation 229

Time 238

Summary 239

Note 240

Chapter 11: Time and Forensics 241

What Is Time? 241

Network Time Protocol 243

Timestamp Data 244

Keeping Track of Time 245

Clock Models and Time Bounding: The Foundations of Forensic Time 247

MS-DOS 32-Bit Timestamp: Date and Time 248

Date Determination 250

Time Determination 254

Time Inaccuracy 258

Summary 259

Notes 260

Chapter 12: Investigation: Incident Closure 263

Forensic Investigative Smart Practices 264

Step 5: Investigation (Continued) 264

Step 6: Communicate Findings 265

Characteristics of a Good Cyber Forensic Report 266

Report Contents 268

Step 7: Retention and Curation of Evidence 269

Step 8: Investigation Wrap-Up and Conclusion 273

Investigator’s Role as an Expert Witness 273

Summary 279

Notes 280

Chapter 13: A Cyber Forensic Process Summary 283

Binary 284

Binary--Decimal--ASCII 285

Data Versus Code 287

HEX 288

From Raw Data to Files 288

Accessing Files 289

Endianness 290

Partitions 291

File Systems 291

Time 292

The Investigation Process 292

Summary 295

Appendix: Forensic Investigations, ABC Inc. 297

Glossary 303

About the Authors 327

Index 329