WinHEX 14.7 SR-1 serial key or number

Computer evidence

COMPUTER EVIDENCE: COLLECTION AND PRESERVATION, SECOND EDITION

CHRISTOPHER L. T. BROWN

Charles River Media
A part of Course Technology, Cengage Learning

Australia, Brazil, Japan, Korea, Mexico, Singapore, Spain, United Kingdom, United States


Computer Evidence: Collection and Preservation, Second Edition
Christopher L. T. Brown

Publisher and General Manager, Course Technology PTR: Stacy L. Hiquet
Associate Director of Marketing: Sarah Panella
Content Project Manager: Jessica McNavich
Marketing Manager: Mark Hughes
Acquisitions Editor: Heather Hurley
Project/Copy Editor: Karen A. Gill
Technical Reviewer: Gary Kessler
Editorial Services Coordinator: Jen Blaney

© 2010 Course Technology, a part of Cengage Learning.

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706.

For permission to use material from this text or product, submit all requests online at cengage.com/permissions. Further permissions questions can be e-mailed to permissionrequest@cengage.com.

ProDiscover Basic is copyright Technology Pathways. Maresware is copyright Mares and Company, LLC. WinHex is copyright X-Ways Software Technology AG. LANSurveyor is copyright Neon Software. CryptCat is copyright Farm9. All other trademarks are the property of their respective owners.

Locate your local office at: international.cengage.com/region. Cengage Learning products are represented in Canada by Nelson Education, Ltd. For your lifelong learning solutions, visit courseptr.com. Visit our corporate Web site at cengage.com.

Printed in Canada
1 2 3 4 5 6 7 11 10 09


To Bobbie, Rudy, and Annie, who keep me on course and constantly remind me why life is such a joy.


Acknowledgments

In life we hardly ever go it alone. The same holds true when taking on writing projects such as Computer Evidence: Collection and Preservation, Second Edition. Many people, such as the technical and copy editors including Adam Speer, Leo Manning, Erin Kenneally, Gary Kessler, Karen Gill, and the Cengage Learning staff, have contributed significantly to the creation of this book. I would like to specifically call attention to and thank members of the High Technology Crime Investigation Association (HTCIA) and High Tech Crime Consortium (HTCC) list servers for their support and mentoring over the years. This book could not have been created without their vast cumulative knowledge. I would also like to thank Alex Augustin for his years of support, and Steven Richardson and Ted Augustine for taking up the slack at Technology Pathways.


About the Author

Christopher L. T. Brown, CISSP, is the founder and CTO of Technology Pathways. He is the chief architect of the Technology Pathways ProDiscover family of security products. Prior to his position with Technology Pathways, Mr. Brown served in key technology positions at several companies including GlobalApp, Inc., CompuVision, Inc., and StoragePoint, Inc. He is retired from a career with the U.S. Navy, where he managed a large team of technicians working in the area of information warfare and network security operations.

In addition to his demanding duties as ProDiscover's chief architect, Mr. Brown teaches network security and computer forensics at the University of California at San Diego and has written numerous books on Windows, Security, the Internet, and forensics.

He served as president of the San Diego HTCIA chapter in 2006, first vice president in 2005, second vice president in 2003, and was the 2007 HTCIA International conference chair. He attended UCSD and holds numerous career certifications from (ISC)2, Microsoft, Cisco, CompTIA, and CITRIX.


Contents

Introduction ..... xxii

Part I Computer Forensics and Evidence Dynamics ..... 1

1 Computer Forensics Essentials ..... 3
  What Is Computer Forensics? ..... 4
  Crime Scene Investigation ..... 5
  Phases of Computer Forensics ..... 7
    Collection ..... 8
    Preservation ..... 8
    Filtering ..... 9
    Presentation ..... 9
  Formalized Computer Forensics from the Start ..... 10
  Who Performs Computer Forensics? ..... 12
  Seizing Computer Evidence ..... 17
  Challenges to Computer Evidence ..... 20
  Summary ..... 21
  References ..... 22
  Resources ..... 23

2 Rules of Evidence, Case Law, and Regulation ..... 25
  Understanding Rules of Evidence ..... 26
  2007 Amendments to the FRCP ..... 29
  Expert Witness (Scientific) Acceptance ..... 30
  Testifying Tips: You Are the Expert ..... 33
  Computer-Related Case Law ..... 34
  Regulation ..... 38
    Securities and Exchange Commission (SEC) Rule 17a-4 (1947) ..... 38
    National Association of Securities Dealers (NASD) Rules 3010 and 3110 (1997) ..... 38
    Sarbanes-Oxley Act (2002) ..... 39
    Gramm-Leach-Bliley Act (1999) ..... 39
    California Privacy Law: SB 1386 (2003) ..... 39
    Health Insurance Portability and Accountability Act (HIPAA) (First Rule in Effect in 2002) ..... 40
    International Organization for Standardization (ISO) 17799 (2000) ..... 41
    U.S.A. PATRIOT Act (2001) ..... 42
    Personal Information Protection and Electronic Documents Act (PIPED) C-6 (2001) ..... 42
  Summary ..... 45
  References ..... 46
  Resources ..... 47

3 Evidence Dynamics ..... 49
  Forces of Evidence Dynamics ..... 50
  Human Forces ..... 51
    Emergency Personnel ..... 52
    Forensics Investigators ..... 52
    Law Enforcement Personnel ..... 56
    Victim ..... 59
    Suspect ..... 60
    Bystanders ..... 61
  Natural Forces ..... 61
  Equipment Forces ..... 64
  Proper Tools and Procedures ..... 66
  Summary ..... 68
  References ..... 68
  Resources ..... 69

Part II Information Systems ..... 71

4 Interview, Policy, and Audit ..... 73
  Supporting and Corroborating Evidence ..... 74
  Subject Interviews ..... 74
  Policy Review ..... 79
  Audit ..... 81
  Executive Summary ..... 86
  Recommendations ..... 86
  Scope ..... 87
  Host-Specific Findings ..... 88
  War Dialing Results ..... 90
  Conclusion ..... 90
  Summary ..... 92
  References ..... 92
  Resources ..... 93

5 Network Topology and Architecture ..... 95
  Networking Concepts ..... 96
  Types of Networks ..... 97
  Physical Network Topology ..... 99
  Network Cabling ..... 104
  Wireless Networks ..... 106
  Open Systems Interconnection (OSI) Model ..... 107
  TCP/IP Addressing ..... 112
  Diagramming Networks ..... 114
  Summary ..... 117
  References ..... 118
  Resources ..... 118

6 Volatile Data ..... 121
  Types and Nature of Volatile Data ..... 122
  Operating Systems ..... 125
  Volatile Data in Routers and Appliances ..... 128
  Volatile Data in Personal Devices ..... 130
  Traditional Incident Response of Live Systems ..... 130
  Understanding Windows Rootkits in Memory ..... 132
  Accessing Volatile Data ..... 139
  Summary ..... 142
  References ..... 142

Part III Data Storage Systems and Media ..... 145

7 Physical Disk Technologies ..... 147
  Physical Disk Characteristics ..... 148
  Physical Disk Interfaces and Access Methods ..... 152
  Logical Disk Addressing and Access ..... 162
  Disk Features ..... 164
  Summary ..... 167
  References ..... 167
  Resources ..... 168

8 SAN, NAS, and RAID ..... 169
  Disk Storage Expanded ..... 170
  Redundant Array of Independent Disks ..... 173
    Level 0 ..... 173
    Level 1 ..... 173
    Level 2 ..... 174
    Level 3 ..... 174
    Level 4 ..... 174
    Level 5 ..... 174
    Level 6 ..... 175
    Level 0+1 ..... 175
    Level 10 ..... 175
    Level 7 ..... 175
    RAID S ..... 175
    JBOD ..... 176
  Storage Area Networks ..... 177
  Network-Attached Storage ..... 180
  Storage Service Providers ..... 184
  Summary ..... 187
  References ..... 188
  Resources ..... 188

9 Removable Media ..... 189
  Removable, Portable Storage Devices ..... 190
  Tape Systems ..... 191
    Full Backup ..... 194
    Incremental Backup ..... 194
    Differential Backup ..... 194
  Optical Discs ..... 195
  Removable Disks—Floppy and Rigid ..... 200
  Flash Media ..... 201
  Summary ..... 205
  References ..... 206
  Resources ..... 206

Part IV Artifact Collection ..... 207

10 Tools, Preparation, and Documentation ..... 209
  Planning ..... 210
  Boilerplates ..... 210
  Hardware Tools ..... 212
    Imagers and Write-Blocking ..... 212
  Software Tools ..... 222
    Forensics Application Suites (Tier I) ..... 223
    Utilities and Other Applications (Tier II and Tier II—Repurposed) ..... 231
  Tool Testing ..... 233
  Documentation ..... 235
  Summary ..... 238
  References ..... 239
  Resources ..... 241

11 Collecting Volatile Data ..... 243
  Benefits of Volatile-Data Collection ..... 244
  A Blending of Incident Response and Forensics ..... 246
  Building a Live Collection Disk ..... 249
    Scenario 1: Using Utilities ..... 249
    Scenario 2: Using Windows Tools ..... 257
  Live Boot CD-ROMs ..... 262
  Summary ..... 264
  References ..... 265
  Resources ..... 266

12 Imaging Methodologies ..... 267
  Approaches to Collection ..... 268
  Bit-Stream Images ..... 270
  Local Dead System Collection ..... 275
  Verification, Testing, and Hashing ..... 281
  Live and Remote Collection ..... 284
  Summary ..... 290
  References ..... 291
  Resources ..... 293

13 Large System Collection ..... 295
  Defining a Large Collection ..... 296
  Large System Imaging Methodologies ..... 296
  Tying Together Dispersed Systems ..... 303
  Risk-Sensitive Evidence Collection ..... 309
  Summary ..... 311
  References ..... 312

14 Personal Portable Device Collection ..... 315
  Seemingly Endless Device List ..... 316
  Device Architectures ..... 316
  Special Collection Considerations ..... 322
  Mobile Phones ..... 330
  Special-Purpose Personal Devices ..... 336
  Summary ..... 339
  References ..... 339
  Resources ..... 341

Part V Archiving and Maintaining Evidence ..... 343

15 The Forensics Workstation ..... 345
  The Basics ..... 346
  Lab Workstations ..... 349
  Portable Field Workstations ..... 356
  Configuration Management ..... 360
  Summary ..... 363
  References ..... 364
  Resources ..... 365

16 The Forensics Lab ..... 367
  Lab and Network Design ..... 368
  Logical Design, Topology, and Operations ..... 373
  Storage ..... 378
  Lab Certifications ..... 381
  Summary ..... 384
  References ..... 386

17 What's Next ..... 387
  Areas of Interest ..... 388
    Collection ..... 388
    Analysis ..... 388
    Discovery ..... 388
    Criminal ..... 389
    Corporate ..... 389
  Training, Knowledge, and Experience ..... 390
    Computer Forensic Investigators Digest Listserv (CFID) ..... 390
    Computer Forensics Tool Testing (CFTT) ..... 390
    High Tech Crime Consortium (HTCC) ..... 391
    Security Focus Forensics ..... 391
    CCE ..... 392
    CISSP ..... 393
    SSCP ..... 393
    GIAC ..... 393
    CISA ..... 394
    MCSE ..... 394
    MCSD ..... 394
    RHCE ..... 394
    CCNA ..... 394
    CCDA ..... 395
    CompTIA ..... 395
  Analysis and Reporting ..... 395
  Methodologies ..... 397
  Professional Advancement ..... 399
  Summary ..... 403
  References ..... 404
  Resources ..... 405

Part IV Computer Evidence Collection and Preservation Appendixes ..... 407

A Sample Chain of Custody Form ..... 409
B Evidence Collection Worksheet ..... 413
C Evidence Access Worksheet ..... 417
D Forensics Field Kit ..... 421
E Hexadecimal Flags for Partition Types ..... 425

F Forensics Tools for Digital Evidence Collection ..... 431
  Software ..... 432
    AccuBurn ..... 432
    Autopsy Forensic Browser ..... 432
    BitPim ..... 432
    BlackBag MacQuisition CF ..... 432
    Byte Back ..... 432
    Device Seizure by Paraben ..... 433
    dtSearch Desktop ..... 433
    EnCase ..... 433
    FIRE (Originally Named Biatchux) ..... 433
    Forensics Tool Kit (FTK)—System Analysis Tool ..... 433
    Foundstone ..... 434
    Frank Heyne Software ..... 434
    Helix ..... 434
    ILook ..... 434
    MaresWare Suite ..... 434
    pdd ..... 435
    ProDiscover Forensics, Investigator, and Incident Response ..... 435
    SafeBack ..... 435
    The Coroners Toolkit (TCT) ..... 435
    Trinix ..... 436
    Various Must-Have Utilities from Microsoft Sysinternals ..... 436
    WinHex and X-Ways Forensics ..... 436
  Hardware ..... 437
    ACARD SCSI-to-IDE Write-Blocking Bridge (AEC7720WP) ..... 437
    CellDek ..... 437
    CS Electronics ..... 437
    DD 300/500 ..... 437
    DIBS, Inc. ..... 437
    e.s.i.Discover ..... 438
    Fernico ZRT ..... 438
    Forensic Recovery Evidence Device (FRED) ..... 438
    Intelligent Computer Solutions, Inc. ..... 438
    Kazeon ..... 438
    MOBILedit ..... 439
    NoWrite IDE Write-Blocker ..... 439
    Portable Drive Service/Test/Dup by Corporate Systems ..... 439
    Project-a-Phone ..... 439
    Secure Kit for Forensics ..... 439
    Solitaire Forensics by Logicube ..... 440
    Stored IQ ..... 440
    Tableau Imagers and Write-Blockers ..... 440
    UFED (Universal Forensic Extraction Device) System ..... 440
    WiebiTech ..... 440
    ZERT by Netherlands Forensic Institute ..... 441
  General Supplies ..... 441
    CGM Security Solutions ..... 441
    Chief Supply ..... 441

G Agencies, Contacts, and Resources ..... 443
  Agencies ..... 444
    FBI Computer Analysis Response Team (CART) ..... 444
    Internal Revenue Service ..... 444
    National Aeronautics and Space Administration ..... 444
    National Railroad Passenger Corporation (NRPC) (AMTRAK) ..... 445
    Social Security Administration Office of Inspector General ..... 445
    U.S. Customs Service's Cyber Smuggling Center ..... 445
    U.S. Department of Defense, Computer Forensics Laboratory ..... 445
    U.S. Department of Defense, Office of Inspector General ..... 445
    U.S. Department of Energy ..... 446
    U.S. Department of Justice, Computer Crime Intellectual Property Section (CCIPS) ..... 446
    U.S. Department of Justice Drug Enforcement Administration ..... 446
    U.S. Department of Transportation ..... 446
    U.S. Department of the Treasury ..... 447
    U.S. Postal Inspection Service ..... 447
    U.S. Secret Service ..... 447
    Veterans Affairs ..... 447
  Training Resources ..... 447
    Canadian Police College ..... 447
    Champlain College ..... 448
    DoD Computer Investigations Training Program ..... 448
    FBI Academy at Quantico ..... 448
    Federal Law Enforcement Training Center ..... 448
    Florida Association of Computer Crime Investigators, Inc. ..... 449
    Forensic Association of Computer Technologists ..... 449
    High Technology Crime Investigation Association (International) ..... 449
    Institute of Police Technology and Management ..... 449
    International Association for Computer Information Systems (IACIS) ..... 449
    International Organization on Computer Evidence (IOCE) ..... 450
    International System Security Association (ISSA) ..... 450
    Getronics ..... 450
    National Center for Forensic Science ..... 450
    National Colloquium for Information Systems Security Education (NCISSE) ..... 450


xviii Cotents National Criminal Justice Computer Laboratory and Training Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .450 National White Collar Crime Center (NW3C) . . . . . . . . . . . . . .450 New Technologies, Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451 Purdue University—CERIAS (Center for Education and Research in Information and Assurance Security) . . . . . . .451 Redlands Community College . . . . . . . . . . . . . . . . . . . . . . . . . .451 University of New Haven . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451 University of New Haven—California Campus . . . . . . . . . . . . .451 Utica College—Economic Crime Institute . . . . . . . . . . . . . . . . .452 Wisconsin Association of Computer Crime Investigators . . . .452 Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452 High Technology Crime Investigation Association (International) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452 International Association for Computer Information Systems (IACIS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452 International Information Systems Forensics Association (IISFA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453 International Systems Security Association (ISSA) . . . . . . . . .453 High Tech Crime Consortium . . . . . . . . . . . . . . . . . . . . . . . . . . .453 Florida Association of Computer Crime Investigators, Inc. . . .453 Forensic Association of Computer Technologists . . . . . . . . . . .453 State Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454 Alabama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454 Alaska . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454 Arizona . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . .455 Arkansas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455 California . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455 Colorado . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457 Connecticut . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458


Contents xixDelaware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458District of Columbia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459Florida . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459Georgia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460Hawaii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460Idaho . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460Illinois . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .461Indiana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .461Iowa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462Kansas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462Kentucky . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463Louisiana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463Maine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463Maryland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463Massachusetts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464Michigan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464Minnesota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465Mississippi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465Missouri . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465Montana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.465Nebraska . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466Nevada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466New Hampshire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466New Jersey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467New Mexico . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467New York . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467North Carolina . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469North Dakota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469Ohio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469Oklahoma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .470


xx Contents Oregon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .470 Pennsylvania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .470 Rhode Island . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .471 South Carolina . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .471 Tennessee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .471 Texas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472 Utah . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473 Vermont . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473 Virginia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .474 Washington . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .475 West Virginia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .476 Wisconsin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .476 Wyoming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477 Computer Crime and Intellectual Property Section (CCIPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477 Criminal Justice Resources—Michigan State University Libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478 High Technology NewsBits . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478 InfoSec News . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478 Discussion List Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.478 Computer Forensic Investigators Digest Listserv (CFID) . . . . .478 Computer Forensics Tool Testing (CFTT) . . . . . . . . . . . . . . . . .478 High Tech Crime Consortium (HTCC) . . . . . . . . . . . . . . . . . . . .479 Security Focus Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479 Journals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479 Digital Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479 International Journal of Digital Crime and Forensics . . . . . . . .479 International Journal of Digital Evidence (IJDE) . . . . . . . . . . . .479 Journal of Digital Forensic Practice . . . . . . . . . . . . . . . . . . . . . .480


Contents xxi Journal of Digital Forensics, Security and Law . . . . . . . . . . . . .480 Small Scale Digital Device Forensics Journal (SSDDFJ) . . . . . .480H Cisco Router Command Cheat Sheet . . . . . . . . . . . . . . . . . . . . . .481 Using the Cisco Wildcard Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . .483 Packet Filtering on Cisco Routers . . . . . . . . . . . . . . . . . . . . . . . . . . .483 List 101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .483 List 102 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .485 I About the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .487 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488 CD-ROM Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491


Introduction

Welcome to the second edition of Computer Evidence: Collection and Preservation. A lot has happened in the three years since our first edition. As always, technology is moving at a breakneck pace, with constant innovation in current interface design and storage methods as well as new ones altogether. The U.S. legal system has introduced new Federal Rules of Civil Procedure (FRCP) that directly address digital discovery, with new case precedents already surfacing. In 2008, the American Academy of Forensic Sciences (AAFS) announced the formation of the Digital and Multimedia Sciences (DMS) section, the first new forensic science section in 28 years. New tools and methodologies continue to be developed and refined. An increase in dialogue between peers and professional organizations continues to improve the overall health and advancement of the profession.

With all these changes, many readers may expect a completely new manuscript, throwing out what was learned in the first edition. However, this couldn’t be further from the truth. Although there have been several changes, computer forensics and digital investigation are still grounded in the same principles. Rest assured that there is much to learn, but previous studies are never wasted. In this second edition of Computer Evidence: Collection and Preservation, investigators will find the same guiding principles of the computer forensics process and how they apply to advancements in technology, as well as changes in the U.S. legal system.

As computers and data systems continue to evolve, they expand into every facet of our personal and business lives. Never before has our society been so information and technology driven. Because computers, data communications, and data storage devices have become ubiquitous, few crimes or civil disputes do not involve them in some way.

Many books and formal training programs are continuing to emerge that teach computer forensics for law enforcement and the private sector alike. The 50,000-foot view of the computer forensics process includes four phases: collection, preservation, filtering, and presentation. Because the four phases of computer forensics cover such a broad area, books and courses that try to address each area usually relegate evidence collection to its simplest form—disk imaging—leaving all but the most basic questions unanswered. Because of that gap, this book focuses on the first two phases of computer forensics, which include the initial critical tasks of identifying, collecting, and maintaining digital artifacts for admission as evidence.

The first two phases of computer forensics are the most critical to evidence acceptance, yet they are often given narrow coverage by texts and courses to make room for the extensive coverage needed by the filtering phase. The filtering phase describes the methodologies that computer forensics examiners use to filter out unwanted information from each platform type or, more accurately, filter in any potential evidence. The filtering and analysis of digital evidence has been extensively covered in other sources. By focusing on the first two phases of the computer forensics process, this book allows for a more thorough coverage of the topic and provides solid grounding for investigators as they seek knowledge and skills related to the second two phases.

Evidence dynamics falls in the collection and preservation phases of computer forensics and can be described as any force that affects evidence. An example of evidence dynamics is found in the simple act of a computer forensics investigator shutting down a suspect’s computer. This seemingly innocent act changes the state of the computer as well as many of its files, which could be critical to the investigation. Almost 50 files are changed in some way on each boot of a Windows XP operating system, and 5 or more new files are created. Considering that these metrics increase with each new operating system release, the results are only expected to compound with the Microsoft Vista and Windows 7 operating systems. Backup tapes deteriorating over time is another effect of evidence dynamics.

An understanding of evidence dynamics is essential to law enforcement and computer forensics investigators when collecting evidence. This book uses evidence dynamics at the center of its approach to show the forces that act on data during evidence identification, collection, and storage. By placing specific focus on how the investigator and tools are interacting with digital evidence, this book helps guide the computer forensics investigator toward assurance of case integrity during the initial crucial phases of the computer forensics process.

TARGET AUDIENCE

This book is intended for use by law enforcement, system administrators, information technology security professionals, legal professionals, and students of computer forensics. Essentially anyone who could become involved in the collection and maintenance of computer evidence for court will benefit from this book.

ORGANIZATION OF THIS BOOK

Computer Evidence: Collection and Preservation, Second Edition is presented in 6 parts containing a total of 17 chapters and 9 appendixes. All chapters have been updated, and one chapter has been added to reflect changes within the industry and technologies.

Part I: Computer Forensics and Evidence Dynamics

This part includes three chapters that provide the groundwork for an understanding of what computer forensics is in the context of this book and our approach to collection of digital evidence.

Chapter 1, “Computer Forensics Essentials,” introduces you to the essential elements of computer forensics. Specific attention is paid to ensure you’re provided with a contextual understanding of computer forensics in general as well as the specific phases of computer forensics covered in this book.

Chapter 2, “Rules of Evidence, Case Law, and Regulation,” discusses rules of evidence, existing computer-related case law, and regulation as a basis of understanding the nature of computer evidence in court. The admission of digital scientific evidence is covered in this chapter.

Chapter 3, “Evidence Dynamics,” explains human and environmental factors that are key evidence dynamic components.

Part II: Information Systems

In this part, three chapters explain the methods by which organizations implement information technology. Understanding how organizations implement information technology solutions is a key component to identifying potential evidence.

Chapter 4, “Interview, Policy, and Audit,” presents the key components to knowing where data can be found within an organization’s infrastructure. This chapter explains essential interview questions to ask and the importance of existing policies and audit.

Chapter 5, “Network Topology and Architecture,” explains the diversity of an organization’s information architecture. It discusses how the network topology can affect the location and accessibility of potentially critical evidence.

Chapter 6, “Volatile Data,” examines the volatility of digital data in physical memory and storage. Differing types of volatile physical memory, including personal devices such as personal digital assistants (PDAs) and cell phones, are discussed.

Part III: Data Storage Systems and Media

The primary focus of many computer forensics investigations is the extraction of digital evidence on disk. In Part III, we examine differing media technologies and file systems used to store data.

Chapter 7, “Physical Disk Technologies,” explains the key components of the Integrated Drive Electronics (IDE), Enhanced IDE (EIDE), and Small Computer System Interface (SCSI) standards as they pertain to evidence collection.

Chapter 8, “SAN, NAS, and RAID,” describes advanced physical storage methods in use today. This information is essential to any forensics investigator involved in the collection of digital data on corporate disks.

Chapter 9, “Removable Media,” examines some of the many types and formats of removable media, including flash cards and optical media.

Part IV: Artifact Collection

The methods employed for the collection of computer evidence can be one of the most highly scrutinized areas of the computer forensics process. It is essential that investigators use tested and proven methodologies. Part IV offers detailed procedures for artifact collection.

Chapter 10, “Tools, Preparation, and Documentation,” covers one of the most important components of any computer forensics investigation. This chapter provides tools, methods, and forms for keeping investigations on track.

Chapter 11, “Collecting Volatile Data,” shows how volatile data can be difficult to capture in a forensically sound fashion. This chapter supplies proven tools and methods for capturing volatile data from systems.

Chapter 12, “Imaging Methodologies,” describes how methods used in computer forensics can be as varied as the systems that are being imaged. This chapter presents the many approaches and tools used for imaging disk media. It also discusses which methods are indicated for specific situations.

Chapter 13, “Large System Collection,” shows how the collection of evidence from large computer systems can be challenging to any investigator. In even the smallest of organizations, more than a terabyte of data is often present. This chapter examines methods for large systems collection and management.

Chapter 14, “Personal Portable Device Collection,” discusses one of the most rapidly changing areas of interest to investigators. It focuses on the special attention and unique methodologies employed by investigators.


Chapter 2 Rules of Evidence, Case Law, and Regulation 41

Civil penalties are identified as $100 per violation, with up to $25,000 per person per year for each requirement or prohibition violated. Congress also established criminal penalties for knowingly violating patient privacy. These criminal penalties are broken into three areas depending on the type of violation or intended use of compromised data. The three criminal penalty areas follow:

- Up to $50,000 and one year in prison for obtaining or disclosing protected health information
- Up to $100,000 and up to five years in prison for obtaining protected health information under “false pretenses”
- Up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm

HIPAA is one of the most detailed and comprehensive pieces of data-security legislation ever enacted. HIPAA requires mandatory review of all systems, including a risk analysis to determine methods for securing patient information. Continued process improvement and audit are also components of HIPAA.

International Organization for Standardization (ISO) 17799 (2000)

ISO 17799 originated in the United Kingdom as the British Standard for Information Security 7799, often referred to as BS 7799. The international flavor of ISO 17799 makes it well suited for multinational organizations that desire a comprehensive information technology security framework. Many insurance companies use adherence to standards set forth in ISO 17799 as a requirement for Cyber-Liability Insurance. ISO 17799 is organized into the following 10 sections:

- Business Continuity Planning
- System Access Control
- System Development and Maintenance
- Physical and Environmental Security
- Compliance
- Personnel Security
- Security Organization
- Computer and Operations Management
- Asset Classification and Control
- Security Policy


42 Computer Evidence: Collection and Preservation, Second Edition

Although no penalties apply for international organizations that do not implement the ISO 17799 standard, becoming ISO 17799 certified can be a key element in a company’s ability to prove it is adhering to industry standard “best practices” regarding data security.

U.S.A. PATRIOT Act (2001)

Created as a tool to identify and stop terrorism and any source of funding for terrorism, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (U.S.A. PATRIOT) Act expands already existing acts, such as the Bank Secrecy Act and the Foreign Intelligence Secrecy Act. Purely from a regulatory stance, the act requires banking institutions to report any suspicious activity, including money transfers. In the context of the PATRIOT Act, a financial institution can include insurance companies; investment companies; loan and finance companies; dealers in precious metals, stones, or jewels; vehicle sales; persons involved in real estate closings and settlements; and so on. From a compliance standpoint, financial institutions must take the following steps to assist in anti-money laundering:

- Develop internal policies, procedures, and controls
- Designate a compliance officer
- Provide ongoing employee training
- Provide an independent audit to test programs

In accordance with the PATRIOT Act, financial institutions included in the broad definition must report any suspected money laundering activity to the U.S. Department of the Treasury. An institution’s failure to comply with the U.S.A. PATRIOT Act could bring civil penalties for aiding in money laundering that are not less than two times the amount of the transaction and not more than $1,000,000. The criminal penalties for aiding in money laundering are not less than two times the amount of the transaction and not more than $1,000,000.

Personal Information Protection and Electronic Documents Act (PIPED) C-6 (2001)

PIPED C-6 is a Canadian law similar to the Gramm-Leach-Bliley Act in the United States. PIPED C-6 applies to international transportation, airports, telecommunications, radio and television broadcasts, banks, or any entity that is identified as “any work, undertaking, or business that is under the legislative authority of Parliament.” PIPED C-6 is simply intended to protect collected personal data from unauthorized use. All affected entities are provided by PIPED C-6 with the following 10 responsibilities:

- Be accountable for compliance.
- Identify the purpose of collecting data.
- Obtain consent from the individual.
- Limit collection of data to that which is needed.
- Limit use, disclosure, and retention of data.
- Be accurate with the data.
- Use appropriate safeguards to protect the data.
- Be open about your use of the data.
- Give individuals access to their data.
- Provide recourse when you have incorrect data or data is used incorrectly.

Penalties for noncompliance with PIPED C-6 can include a fine not exceeding $10,000 or a fine not exceeding $100,000 depending on the type of offense. Table 2.3, which was adapted from the Non-Compliant Impact Table available at http://www.securityforensics.com, summarizes computer data–related legislation discussed in this chapter.

Table 2.3

U.S.A. PATRIOT Act: Broad definition of financial institutions within the United States. Laws require information disclosure to help protect against money laundering for terrorism. Fines and imprisonment.

PIPED C-6: Any business under legislative authority of Parliament. Laws require information disclosure to help protect against terrorism or compromise of personal information. Fines up to $100,000.

© 2004 Security Forensics, Inc. Reprinted with permission.

Although industry-specific regulation regarding information security and data handling is not completely new, regulation is increasing. Only corporate responsibility as it relates to protection of data, coupled with clearly stated industry guidelines, will reduce legislative desire to regulate. Computer forensic investigators can benefit from regulatory understanding as it relates to potential evidence availability and location.


SUMMARY

- The FRE, the California Evidence Code of 1967, and the IBA Rules of Taking Evidence in International Commercial Arbitration are all documents governing the acceptance of evidence in courts.
- Rule 34 of the FRCP allows for data to be translated into a reasonable form, if necessary.
- The best evidence rule states that “to prove the content of a writing, recording, or photograph, the ‘original’ writing, recording, or photograph is ordinarily required.”
- The FRE states that “if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’”
- The FRE even goes so far as to permit summaries of large volumes of evidence in the form of “a chart, summary, or calculation” in warranted situations.
- New amendments to the FRCP went into effect in 2007.
- Since 1923, judges have used the simple scientific reliability tests established in Frye v. U.S. [DcCir01].
- In Daubert v. Merrell-Dow [Us01], the U.S. Supreme Court rejected the Frye tests for the admissibility of scientific evidence.
- Two new tests added in the Daubert decision are “Has the scientific theory or technique been empirically tested?” and “What are the known or potential error rates?”
- An “expert” in any field can be defined as one who has “special knowledge, skill, experience, training, or education” on a particular subject.
- The key to any type of questioning is to pay close attention to the question, take time answering the question, and ask the attorney to repeat or clarify the question, if needed.
- The U.S.A. PATRIOT Act was created as a tool to identify and stop terrorism and any source of funding for terrorism.
- SEC rule 17a-4 requires that U.S. publicly traded companies archive all customer communications and billing information for a period of six years.
- The case Simon Prop. Group v. mySimon Inc. (S.D. Ind.) highlighted that the discovery of computer records included any deleted documents that were recoverable.


REFERENCES

[Amex01] American Express Travel Related Services v. Vinhnee, 336 B.R. 437 (U.S. Bankruptcy Appellate Panel, 9th Cir. 2005).
[Ca01] California Evidence Code, State of California, January 1, 1967.
[DcCir01] Frye v. U.S., 293 F. 1013 (D.C. Cir. 1923).
[Doj01] U.S. Department of Justice, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, available online at http://www.cybercrime.gov/s&smanual2002.htm, 2002.
[FifthCir01] Capital Marine Supply v. M/V Roland Thomas II, 719 F.2d 104, 106 (5th Cir. 1983).
[Frcp01] Federal Rules of Civil Procedure, U.S. Department of Justice, available online at http://www.uscourts.gov/rules/civil2007.pdf, 2007.
[Fre01] Federal Rules of Evidence, U.S. Department of Justice, 2004.
[Iba01] IBA Rules of Taking Evidence in International Commercial Arbitration, International Bar Association Council, 1999.
[Ill01] People v. Holowko, 486 N.E.2d 877, 878–879 (Ill. 1985).
[Kumho01] Kumho Tire v. Carmichael (97-1709), 526 U.S. 137, 131 F.3d 1433 reversed (1999).
[Lorraine01] Lorraine v. Markel American Ins. Co., 241 F.R.D. 534, 538 (D. Md. 2007), available online at https://www.engr.washington.edu/epp/infosec/pdf/2008 ISCRMI Orton Lorraine electronic evidence admission annotated.pdf.
[NinthCir01] U.S. v. Catabran, 836 F.2d 453, 457 (9th Cir. 1988).
[NinthCir02] U.S. v. DeGeorgia, 420 F.2d 889, 893 n.11 (9th Cir. 1969).
[Oconnor01] O’Connor, T.R., Admissibility of Scientific Evidence under Daubert, available online at http://www.apsu.edu/oconnort/3210/3210lect01a.htm, 2009.
[Ohio01] Ohio v. Michael J. Morris, Court of Appeals of Ohio, Ninth District, Wayne County, No. 04CA0036, Feb. 16, 2005.
[Secfor01] Security Forensics, Inc., available online at http://www.securityforensics.com/, 2004.
[SeventhCir01] U.S. v. Whitaker, 127 F.3d 595, 601 (7th Cir. 1997).
[SoxAct01] One Hundred Seventh Congress of the United States of America, Sarbanes-Oxley Act of 2002, available online at http://www.law.uc.edu/CCL/SOact/soact.pdf, 2002.
[Un01] International Criminal Tribunal for Rwanda, Rules of Procedure and Evidence. U.N. Doc. ITR/3/REV.1, 1995.
[Us01] Daubert v. Merrell-Dow, 509 U.S. 579 (1993).
[Warren01] “A Preliminary Report on the Advisability and Feasibility of Developing Uniform Rules of Evidence for the United States District Courts,” 30 F.R.D. 73, 1962.

RESOURCES

[Best01] Best, Richard E., Civil Discovery Law Discovery of Electronic Data, available online at http://californiadiscovery.findlaw.com/electronic_data_discovery.htm, 2004.
[Giannelli01] Giannelli, Paul C., Understanding Evidence, LexisNexis, 2003.
[Morgester01] Morgester, Robert M., Survival Checklist for Forensic Experts, unpublished, 2003.
[Sedona01] The Sedona Principles: Best Practices Recommendations & Principles for Addressing Electronic Document Production, Sedona Conference Working Group, available online at http://www.thesedonaconference.org, 2003.




3 Evidence Dynamics

In This Chapter
  • Forces of Evidence Dynamics
  • Human Forces
  • Natural Forces
  • Equipment Forces
  • Proper Tools and Procedures


FORCES OF EVIDENCE DYNAMICS

In Chapter 1, "Computer Forensics Essentials," the importance of Locard's exchange principle was introduced in its relationship to crime scene investigation. Remember that Locard's exchange principle is simply a way to describe two objects interacting and the resulting exchange. This basic concept can be extended to describe the concept of evidence dynamics, covered in this chapter. Locard's exchange principle states that when any two objects come into contact, there is always a transfer of material from each object onto the other. This exchange is illustrated in Figure 3.1. Operating system logs recording hacker, investigator, or user actions, and data left on hard disks in unallocated sectors, are just a few examples of Locard's transfer principle in action.

FIGURE 3.1 Locard's exchange principle.

Evidence dynamics is a way to describe and understand the forces that can act on evidence and the subsequent effects of that action. Because so many things can act on digital evidence and, as Locard's principle explains, the action will almost certainly result in some effect on or change to the evidence, it is essential for forensics investigators to be cognizant of evidence dynamics at all times. Evidence dynamics can be broken down into human and natural forces that may be directly involved in or incidental to the crime or investigation. This chapter explores each of these high-level forces in detail.

HUMAN FORCES

Like humans themselves, the forces that humans exert on digital evidence come in all shapes and sizes and can affect evidence in many ways. Remember that forensics investigators are included in the human force of evidence dynamics. A common scenario used to describe the human effects on evidence in crime scene processing is that of the emergency medical technician (EMT) at the scene of a murder. The EMT attempts to save the life of a gunshot-wound victim, who later dies. The EMT most likely leaves footprints all around the victim's body and may also have moved items in the immediately surrounding area in the effort to save the victim's life. In both situations, evidence that may be vital to the case could have been destroyed or, at the very least, affected in some way. Examples of humans who may act on digital evidence follow:

  • Emergency personnel
  • Forensics investigators
  • Law enforcement personnel
  • Victims
  • Suspects
  • Bystanders

Although our primary focus is computer forensics, the human forces listed above can act on all forms of evidence in many ways. Computer forensics investigators should keep in mind that theirs may not be the only evidence being collected, and the interweaving of several forensics disciplines may be required. In some situations, fingerprints or other trace evidence may need to be collected from a computer system that is being seized. Investigators should approach every crime scene as if other evidence will require collection, limiting their own interaction with it as much as possible.


Refocusing on the human effects on digital evidence, let's take a closer look at our examples as they relate to computers.

Emergency Personnel

As previously stated, these first responders can easily affect a crime scene with their actions. Rightly so, EMTs are focused on their lifesaving efforts, and they exhibit varying levels of understanding of evidence collection and contamination. The first way in which EMTs can impinge on computer evidence is by moving evidence to accommodate lifesaving equipment and efforts. This type of action normally influences related forensics disciplines such as fingerprint collection, but it can also directly influence digital evidence if a system or systems are turned off. How a computer system is shut down can greatly affect digital evidence through the loss of volatile data in physical memory and the changing or deletion of files. The topic of computer shutdown is covered in greater detail below, when we discuss forensics investigators as the force that acts on evidence.

Forensics Investigators

Forensics investigators are arguably the force that can have the greatest effect on digital evidence, considering that they are focused directly on the computer or digital media. The major effect that forensics investigators can cause is the loss of volatile data in physical memory when live systems are shut down. The method of shutdown is an often-debated topic in computer forensics evidence dynamics, not only because of the potential loss of volatile data but because different shutdown methods lead to very different changes to the data on disk. The potential loss of volatile data can be mitigated by collecting a snapshot of physical memory prior to shutdown. Investigators should keep in mind the golden rule of evidence dynamics: be as unintrusive as possible.

Often, investigators use the term nonintrusive when describing their actions or tools when interacting with digital data. When looking at the basic scientific principle that "the act of observing something in fact changes it," investigators quickly come to the understanding that the least intrusive action should always be the goal. Even when hardware write-blocking devices are employed and the software has been proven not to write to the media, spinning up the platters and reading sectors still changes the drive's physical state and its own internal records (power-on hours, SMART attribute counters), however slightly. Again, we see Locard's principle in action.


The other way to deal with the risk of losing volatile data is to decide, deliberately, that there is no compelling reason to capture it, or that the capture process would be unacceptably intrusive, and therefore to do nothing. Once that decision has been made and the potential loss of volatile data has been addressed, computer forensics investigators should consider how the system is to be shut down. Some feel that pulling the power cord is the best alternative to a normal, orderly shutdown, but each method interacts with the system differently, so the resulting change to evidence is different. In every case, the investigator needs to make an informed decision based on the evidence-changing characteristics of the shutdown method and the situational environment. Of course, the decision of which shutdown method to use is normally an easy one if the system is already off: leave it that way when seizing the entire computer. Some high-level evidence-changing characteristics are displayed in Table 3.1.
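The advice above to snapshot volatile state before deciding how to shut down is usually carried out with a small live-response script that captures the most volatile data first and hashes each artifact as it is captured. The following is an added example written for this page, not a tool from the book: it runs a configurable list of commands in order of volatility, stores each output under an examiner-chosen directory, and records a SHA-256 for every artifact in a manifest so that later alteration of the copies can be detected. The command names in DEFAULT_STEPS (date, uptime, ps, ss, ip, who, mount, uname) are assumptions about what a POSIX target offers; a full physical-memory image needs a dedicated acquisition tool and is not attempted here.

```python
"""
Order-of-volatility triage collector for a live system.

Added example for this page (not from the book or WinHex): capture volatile
data before shutdown, most volatile first, and hash each artifact at capture
time so that later changes to the copies can be detected.
"""
import hashlib
import json
import os
import shutil
import subprocess
import sys
import time

# Steps run from most to least volatile. Tool names are assumptions about a
# typical POSIX target; swap in netstat/arp on older systems. A full physical
# memory image needs a dedicated acquisition tool and is not attempted here.
DEFAULT_STEPS = [
    ("01_datetime", ["date", "-u"]),
    ("02_uptime", ["uptime"]),
    ("03_processes", ["ps", "-ef"]),
    ("04_sockets", ["ss", "-tanp"]),
    ("05_neighbors", ["ip", "neigh"]),
    ("06_users", ["who"]),
    ("07_mounts", ["mount"]),
    ("08_kernel", ["uname", "-a"]),
]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_step(name, argv, outdir, timeout=60):
    """Run one collection command, store its raw output, and hash it.

    Returns a manifest record. OUTDIR must be examiner-controlled media:
    writing to the suspect disk would overwrite unallocated space.
    """
    record = {"name": name, "argv": argv, "started_utc": time.time()}
    if shutil.which(argv[0]) is None:
        record["status"] = "missing"   # tool absent: record it, do not abort
        record["sha256"] = None
        return record
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        data = proc.stdout + proc.stderr
        record["exit_code"] = proc.returncode
        record["status"] = "ok"
    except subprocess.TimeoutExpired:
        data = b""
        record["status"] = "timeout"
    with open(os.path.join(outdir, name + ".txt"), "wb") as fh:
        fh.write(data)
    record["bytes"] = len(data)
    record["sha256"] = sha256_bytes(data)
    record["finished_utc"] = time.time()
    return record


def collect(steps, outdir):
    """Run every step in order and write manifest.json; returns the records."""
    os.makedirs(outdir, exist_ok=True)
    records = [run_step(name, argv, outdir) for name, argv in steps]
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(records, fh, indent=2)
    return records


def verify(outdir):
    """Re-hash stored artifacts against the manifest; returns names that changed."""
    with open(os.path.join(outdir, "manifest.json")) as fh:
        records = json.load(fh)
    changed = []
    for rec in records:
        if rec["sha256"] is None:
            continue
        with open(os.path.join(outdir, rec["name"] + ".txt"), "rb") as fh:
            if sha256_bytes(fh.read()) != rec["sha256"]:
                changed.append(rec["name"])
    return changed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "triage_out"
    for rec in collect(DEFAULT_STEPS, target):
        print(f"{rec['name']:14} {rec['status']:8} {rec['sha256']}")
    print("changed since capture:", verify(target))
```

Run it from trusted binaries on read-only media with the output directory on the examiner's own drive (for example python triage.py /media/examiner/case01). The order matters: process and socket state changes by the second, while mount tables and kernel version do not. Writing the output onto the suspect disk would itself overwrite unallocated space, which is exactly the evidence dynamics effect the chapter is warning about.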


A common argument made for pulling the plug is the possibility of destructive processes being launched during an orderly shutdown. The urban lore is that a hacker could have created and installed a script to delete evidence, to be executed during shutdown unless the person shutting down the computer uses a bypass procedure known only to the owner. Although this approach is valid conceptually, permanently destroying large amounts of data on a magnetic disk is time consuming because of the way files must be deleted to make them unrecoverable. When most operating systems receive a request to delete a file, they simply mark the file's directory entry (on NTFS, its MFT record) as unused and release its clusters for reuse. The sectors holding the file's data are still present on disk until something overwrites them. To securely delete data from a hard disk, applications repeatedly overwrite the area where the file once resided. The U.S. Department of Defense has written a clearing and sanitizing standard, DoD 5220.22-M, which addresses the issues surrounding secure deletion of digital data. Another often-discussed alternative for automated destruction of evidence is to create and install an application that automatically deletes evidence if network connectivity is lost. A trigger of this kind, which fires when an expected signal stops arriving, is often referred to as a dead man's switch. Hypothetically, hackers could use the dead man's switch approach to automatically delete trace evidence of their applications and actions on a machine if someone detected their presence on a system and immediately removed the suspect system from the network. When encryption is being used on a live system and the encrypted files or volumes are mounted, it is often necessary to collect the evidence through a live extraction process so that the files are captured in an unencrypted state. Live collection is described in later chapters.
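To make the "sectors are still present" point concrete, here is an added example (written for this page, not from the book or any named tool) of signature-based carving over a raw image: it finds files by header and footer regardless of whether any directory entry still points at them, and it includes an in-place overwrite routine in the style of the multi-pass clearing the chapter mentions. The image, the fake JPEG and PNG inside it, and the sector and offset choices are all constructed for the demonstration.

```python
"""
Signature-based file carving over a raw image.

Added example for this page (not from the book): a deleted file's sectors stay
on disk until overwritten, so its contents can still be carved by header and
footer; only an overwrite removes them.
"""
import os

SECTOR = 512
MAX_CARVE = 16 * 1024 * 1024   # bound when a footer is never found

# Header and footer byte signatures. Real carvers carry hundreds; these three
# are enough to show the technique.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif":  (b"GIF8", b"\x00\x3b"),
}


def carve(image, signatures=SIGNATURES, sector_aligned=True):
    """Return sorted (kind, offset, length) hits for every header found.

    File systems allocate whole sectors, so headers of once-allocated files
    sit at sector boundaries; set sector_aligned=False to also find objects
    embedded inside other files (thumbnails, attachments).
    """
    hits = []
    for kind, (head, foot) in signatures.items():
        pos = 0
        while True:
            pos = image.find(head, pos)
            if pos < 0:
                break
            if sector_aligned and pos % SECTOR:
                pos += 1
                continue
            end = image.find(foot, pos + len(head), pos + MAX_CARVE)
            if end >= 0:
                length = end + len(foot) - pos
            else:
                length = min(MAX_CARVE, len(image) - pos)   # truncated file
            hits.append((kind, pos, length))
            pos += length
    return sorted(hits, key=lambda h: h[1])


def wipe(image: bytearray, offset: int, length: int) -> None:
    """Three-pass in-place overwrite (zeros, ones, random), the pattern the
    clearing standards the chapter cites describe; modelled in memory here."""
    for pattern in (b"\x00", b"\xff"):
        image[offset:offset + length] = pattern * length
    image[offset:offset + length] = os.urandom(length)


def build_demo_image() -> bytearray:
    """Constructed 8 KiB 'disk': a fake JPEG at sector 4 and a fake PNG at
    sector 10, with no directory entries pointing at either (both 'deleted')."""
    img = bytearray(16 * SECTOR)
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 300 + b"IEND\xaeB`\x82"
    img[4 * SECTOR:4 * SECTOR + len(jpeg)] = jpeg
    img[10 * SECTOR:10 * SECTOR + len(png)] = png
    return img


if __name__ == "__main__":
    img = build_demo_image()
    print("before wipe:", carve(img))
    kind, off, ln = carve(img)[0]
    wipe(img, off, ln)
    print("after wipe: ", carve(img))
```

Carving finds the fake JPEG even though nothing points at it, and stops finding it only after wipe() has overwritten the region. That asymmetry is why a "delete everything" script fired by an orderly shutdown rarely destroys much in the seconds available, while an overwrite that has already completed does. One caveat the 2010 text predates: on flash media, in-place overwriting is not a reliable sanitization method, because wear leveling can direct the overwrite to different physical blocks than the ones that held the data.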
One of the most common arguments made for an orderly shutdown is that it gives the investigator a better chance of an intact filesystem and intact individual files afterward. Some standard operating system shutdown procedures are shown in Table 3.2.


Table 3.2 Operating System Shutdown Commands

| Operating System | Shutdown Command |
|---|---|
| Windows 3.1 | Click File, Exit |
| Win95/98/2000/2003/2008/Me/XP/Vista* | Click Start, Shutdown, Yes (or Start, lock icon, Shutdown in classic interface mode) |
| Windows NT 3.51 | Click File, Shutdown |
| Windows NT 4.0 | Click Start, Shutdown, Yes |
| Novell | At the server prompt, press Alt+Esc+down arrow; at a user/client, click Syscon and then Exit |
| Macintosh | Click Special, Shutdown |
| OS/2 | Right-click, and then click Shutdown |
| SCO Unix | Type shutdown -y -g0 |
| AIX Unix | Type shutdown -f |
| Sun Solaris | Type shutdown now |
| Linux | Type shutdown -h now (in many versions, Ctrl+Alt+Delete also triggers an orderly shutdown, usually followed by a reboot) |
| AS/400 | Type pwrdwnsys *immed |
| DEC VAX/Alpha VMS | Type @sys$system:shutdown |

*Microsoft Vista shutdown buttons are highly customizable. Investigators should check the pop-up help on all shutdown buttons.

The arguments for and against pulling the plug during system shutdown can both be compelling, but only the individual situation can dictate an investigator's actions. In each case, it is essential that the investigator think about the results of his actions and balance the risks. Clearly, the human forces acting on evidence that are created by investigator actions are the forces over which the investigator has the most control.


Law Enforcement Personnel

All law enforcement personnel have a basic understanding of crime scene processing, but they may lack a technical understanding of how they are interacting with digital computer evidence. Most investigators recognize that the human factors of evidence dynamics can overlap. Although this is certainly true, the law enforcement factors of evidence dynamics usually focus on the "first responder" components, which include incidental contact with potential digital evidence, whereas the forensics investigator forces are closely associated with the investigator's own direct and interactive contact with it. To assist law enforcement personnel who do not have a day-to-day understanding of digital evidence collection, the National Institute of Justice produced the handbook Electronic Crime Scene Investigation: A Guide for First Responders. [Nij01] The handbook was developed in 2001 by a multiagency working group called the Technical Working Group for Electronic Crime Scene Investigation. Although the guide was developed for first responders, it provides information useful for any computer forensics investigator. Focusing on law enforcement as first responder, the factors of evidence dynamics can be broken down into the areas of preservation, identification, and collection.

Preservation

Preservation forces can include issues similar to those of emergency personnel, where the interaction with potential digital evidence was incidental to serving a warrant, interviewing suspects and victims, or performing other law enforcement procedures. A key focus for law enforcement should be to gain an understanding of the fragile nature of digital evidence and how to avoid excess interaction when it is not required.
Even if general law enforcement personnel are not going to be involved in the identification and collection, or "bag and tag," of digital evidence, they should at least be trained in its identification and characterization. By understanding how to identify the potential sources of digital data, law enforcement personnel can help to preserve potential evidence. One of the cardinal rules for first responders should be this: if you see a computer and it's on, leave it on; if the computer is off, leave it off. Following this rule avoids the many additions, deletions, and changes to a computer's filesystem that occur during the startup and shutdown process. Other incidental interaction forces often occur when collecting evidence such as pagers, phones, and personal digital assistants (PDAs). Although many law enforcement personnel are beginning to realize the wealth of data contained in these devices, many may not



WinHex: Computer Forensics & Data Recovery Software,
Hex Editor & Disk Editor
Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016, 32 Bit/64 Bit*

Aug 18, 2020
WinHex 20.0

WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. Features depend on the license type; among them:

  • Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media, Compact Flash, ...
  • Native support for FAT12/16/32, exFAT, NTFS, Ext2/3/4, Next3®, CDFS, UDF
  • Built-in interpretation of RAID systems and dynamic disks
  • Various data recovery techniques
  • RAM editor, providing access to physical RAM and other processes' virtual memory
  • Data interpreter, knowing 20 data types
  • Editing data structures using templates (e.g. to repair partition table/boot sector)
  • Concatenating and splitting files, unifying and dividing odd and even bytes/words
  • Analyzing and comparing files
  • Particularly flexible search and replace functions
  • Disk cloning (under DOS with X-Ways Replica)
  • Drive images & backups (optionally compressed or split into 650 MB archives)
  • Programming interface (API) and scripting
  • 256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, ...)
  • Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy
  • Import all clipboard formats, incl. ASCII hex values
  • Convert between binary, hex ASCII, Intel Hex, and Motorola S
  • Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode)
  • Instant window switching. Printing. Random-number generator.
  • Supports files of any size. Very fast. Easy to use. Extensive program help.
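WinHex's template feature overlays a structure definition on raw bytes so that a boot sector or partition table can be read and repaired field by field. The following is an added example in Python (not WinHex code or a WinHex template file) that does the same for the classic MBR partition table using struct: it decodes the four 16-byte entries, including the packed CHS fields, applies the consistency checks an examiner would run before trusting or repairing a table, and shows the simplest repair, restoring the 55 AA boot signature. The sample sector and its two partitions are constructed for the example, not taken from a real disk, and PART_TYPES is an assumed subset of the full type-ID list.

```python
"""
MBR partition-table 'template' over a raw boot sector.

Added example for this page (not WinHex code or a WinHex template): decode the
four partition entries with struct, run the consistency checks an examiner
applies before trusting or repairing the table, and restore the 55 AA boot
signature as the simplest repair.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446                  # four 16-byte entries at 446..509
BOOT_SIGNATURE = 0xAA55             # little-endian 55 AA at offset 510
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count

# A few well-known partition type IDs (assumed subset of the full list).
PART_TYPES = {
    0x05: "Extended (CHS)", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}


def decode_chs(raw: bytes):
    """Unpack the 3-byte CHS field: head (8 bits), sector (6), cylinder (10)."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(sector: bytes) -> dict:
    """Overlay the MBR template on a 512-byte sector."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    sig = struct.unpack_from("<H", sector, 510)[0]
    parts = []
    for i in range(4):
        status, chs_s, ptype, chs_e, lba, count = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * i)
        if ptype == 0 and lba == 0 and count == 0:
            continue                                     # empty slot
        parts.append({
            "index": i, "status": status, "bootable": status == 0x80,
            "type": ptype, "type_name": PART_TYPES.get(ptype, "unknown"),
            "chs_start": decode_chs(chs_s), "chs_end": decode_chs(chs_e),
            "lba_start": lba, "sectors": count,
        })
    return {"signature_ok": sig == BOOT_SIGNATURE, "partitions": parts}


def check_table(mbr: dict, disk_sectors: int) -> list:
    """Problems an examiner should resolve before relying on the table."""
    problems = []
    if not mbr["signature_ok"]:
        problems.append("boot signature is not 55 AA")
    parts = mbr["partitions"]
    if sum(p["bootable"] for p in parts) > 1:
        problems.append("more than one partition flagged bootable")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            problems.append(f"entry {p['index']}: extends past end of disk")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"entries {i1} and {i2} overlap")
    return problems


def set_boot_signature(sector: bytearray) -> None:
    """The simplest template-driven repair: restore the 55 AA signature."""
    sector[510:512] = b"\x55\xaa"


def build_demo_mbr() -> bytes:
    """Constructed sector: bootable NTFS at LBA 2048 and Linux right after it."""
    sec = bytearray(SECTOR)
    lba_chs = b"\xfe\xff\xff"       # 'beyond CHS range' marker written by LBA-only tools
    sec[446:462] = ENTRY.pack(0x80, lba_chs, 0x07, lba_chs, 2048, 204800)
    sec[462:478] = ENTRY.pack(0x00, lba_chs, 0x83, lba_chs, 206848, 409600)
    set_boot_signature(sec)
    return bytes(sec)


if __name__ == "__main__":
    mbr = parse_mbr(build_demo_mbr())
    for p in mbr["partitions"]:
        print(p)
    print("problems:", check_table(mbr, disk_sectors=1_000_000))
```

Point parse_mbr() at the first 512 bytes of an image and check_table() at the image's sector count; a table that passes is worth trusting, and one that fails tells you which field to repair rather than leaving you to guess. One caveat on the hashes bullet above: MD5 and SHA-1 still detect accidental change to an image, but both have practical collision attacks, so record SHA-256 alongside them whenever a hash will be relied on as evidence of integrity.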

Having all the bits and bytes in a computer at your fingertips has become a reality. Try before you buy. The computer forensics edition of WinHex, with even more features, is X-Ways Forensics.

 

Registered professional users include:
Microsoft Corp., Hewlett Packard, Deloitte & Touche, KPMG Forensic, Ernst & Young,
Toshiba Europe, Ericsson, National Semiconductor, Siemens AG, Lockheed Martin, BAE Systems,
U.S. federal law enforcement agencies, ...

What's new? Please check out the newsletter archive or support forum.

User interface and program help fully available in English and German.
User interface also partially available in Chinese, Japanese, French, Spanish, Italian, Portuguese.


*Limitations under Windows Vista/2008 Server/7: Physical RAM cannot be opened. Unable to write sectors on the partitions that contain Windows and WinHex.

Earlier versions may be made available to licensed users on request.
