Computer Forensics Procedures and Methods
J. Philip Craiger, Ph.D., CISSP
Assistant Director for Digital Evidence, National Center for Forensic Science & Department of Engineering Technology, University of Central Florida
Email: firstname.lastname@example.org
To appear in H. Bidgoli (Ed.), Handbook of Information Security. John Wiley & Sons.
Keywords: digital forensics, computer forensics, network forensics, cyberforensics, digital evidence, computer evidence, computer crime, incident response, Linux forensics, Windows forensics, computer forensic tools, computer forensics procedures, disk forensics, media forensics, intrusion forensics, intrusion detection systems, Knoppix.
Computer forensics involves the preservation, identification, extraction and documentation of digital evidence in the form of magnetically, optically, or electronically stored media. It is a relatively new science that is becoming increasingly important as criminals aggressively expand the use of technology in their enterprise of illegal activities. This chapter is a technical introduction and overview of some of the fundamental methods and procedures of computer forensics. The topics covered parallel the order in which computer forensic procedures are typically conducted, beginning with the process of creating a bitstream image of the evidence and the subsequent verification of that image using one-way hash functions. Two forms of forensic analysis are covered: logical and physical analysis procedures. The analytic procedures we demonstrate include hash and signature analysis; keyword and email searches; recovery and analysis of cookies, print spool and application residual files; slack and unallocated space analysis; manual recovery of deleted files; behavioral timeline creation; and collecting evidence from running systems. We close the chapter by describing several commercial tools.
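As an added illustration (not code from the chapter), the two search-space reduction techniques named above, hash analysis and signature analysis, applied in Python to a handful of constructed in-memory files: known files are eliminated by comparing their hash against a reference set, and the remaining files have their leading magic bytes checked against the extension they carry. The signature table, the file contents and the known-file hash set are all assumptions built for this demonstration.

```python
import hashlib

# Constructed sample "files" as they might be listed from a mounted image (not real evidence).
SAMPLE_FILES = {
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,   # OLE2 header, matches .doc
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,  # JPEG header, matches .jpg
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 16,    # JPEG data renamed to .txt
    "kernel32.dll": b"MZ\x90\x00" + b"\x00" * 28,                        # stands in for a known OS file
}

# Assumed signature table: leading magic bytes -> extensions that legitimately carry them.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {"doc", "xls", "ppt"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"MZ": {"exe", "dll"},
    b"%PDF": {"pdf"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def known_file_hashes() -> set:
    """Constructed reference hash set; in practice this comes from a trusted known-file database."""
    return {sha256_hex(SAMPLE_FILES["kernel32.dll"])}


def identify_by_signature(data: bytes):
    """Return the set of extensions consistent with the file's magic bytes, or None if unrecognised."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None


def triage(files: dict, known_hashes: set) -> dict:
    """Classify each file: 'known' (eliminated by hash), 'ok' (signature agrees with
    extension), 'mismatch' (extension hides the real type), or 'unknown-type'."""
    results = {}
    for name, data in files.items():
        if sha256_hex(data) in known_hashes:
            results[name] = "known"        # hash analysis: drop it from the search space
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        exts = identify_by_signature(data)
        if exts is None:
            results[name] = "unknown-type"
        else:
            results[name] = "ok" if ext in exts else "mismatch"
    return results
```

Files flagged as "mismatch" are the ones an examiner looks at first, since an extension that disagrees with the content is a common way of hiding data.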
1. Introduction
   a. Computer Forensic Tools
   b. The Forensic Server
2. Sound Computer Forensic Practice
3. Arriving at the Scene: Initial Response
   a. Creating a Forensic Image
   b. Verifying Image Integrity
   c. Imaging Over a Network
   d. Sterilizing Forensic Media
4. Analysis of a Forensic Image
   a. Drive Geometry
   b. Mounting the Image
   c. Reducing our Search Space
      i. Hash Analysis
      ii. Signature Analysis
   d. Searching A Forensic Image
      i. Keyword Searches
      ii. Finding Files by Type
      iii. Email Searches
      iv. Swap file
      v. Web-based Email
      vi. The Windows Swap File
   e. I know what you did with your computer last summer…
      i. Cookies
      ii. Deleted Files and the INFO2 File
      iii. Application Residual Files
      iv. UNICODE
      v. Print Spool Files
   f. Physical Analysis
      i. What Happens when a File is Deleted
      ii. Unallocated Space Revisited
      iii. Slack Space
      iv. Recovering Deleted Files
      v. Dealing with Formatted Drives
   g. Behavioral Timelines: What Happened and When?
5. Collecting Evidence from Live Systems
   a. Volatile Evidence
   b. Log Files as Digital Evidence
   c. Reducing the Potential for Evidence Contamination
6. Commercial Tools
7. Conclusion
8. Glossary
9. References
10. Further Reading
1. Introduction
Computer forensics involves the preservation, identification, extraction and documentation of computer evidence in the form of magnetically, optically, or electronically stored media. It is a relatively new science that is becoming increasingly important as criminals aggressively expand the use of technology in their enterprise of illegal activities. Computer forensic techniques are not as advanced as the more mature and mainstream forensic techniques used by law enforcement, such as blood typing, ballistics, fingerprinting, and DNA testing. This immaturity is partly attributable to fast-paced changes in computer technology, and to the fact that it is a multidisciplinary subject involving complicated associations between the legal system, law enforcement, business management, and information technology. This chapter is...