Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Learn Computer Forensics
Learn Computer Forensics

Learn Computer Forensics: A beginner's guide to searching, analyzing, and securing digital evidence

eBook
€24.99 €35.99
Paperback
€44.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Table of content icon View table of contents Preview book icon Preview Book

Learn Computer Forensics

Chapter 1: Types of Computer-Based Investigations

Welcome to the 21st century, where almost everything in life is connected to an electronic device. There are digital cameras inside doorbells; your smartphone tracks your daily progress from work to home and back again; you get social media updates when you go to the gym, a show, or travel to a new city.

Your phone calls, bank access, and medical appointments are all tracked via digital technology. If it tracks your mundane daily activity, what about criminal or unethical behavior? That activity is also followed, and if you are a digital forensic investigator, you must know the repositories of the digital evidence and how to analyze it. There is almost no criminal activity that will not have digital evidence associated with it and, as an investigator, it is your job to find all available evidence, process it, and present findings to the finder of fact.

This chapter will introduce you to the different topics of computer-based investigations, from criminal acts investigated by the police to civil and potentially illegal actions performed by an employee or external third party that are examined by a nongovernmental investigator.

While the goal is the same, to present evidence about an incident, the methods for each are slightly different. It is essential for you to understand the similarities between the investigations; being able to present evidence in a judicial proceeding and recognize the differences. 

The topics that will be covered in this chapter are as follows:

  • Differences in computer-based investigations
  • Criminal investigations
  • Corporate investigations

Differences in computer-based investigations

This book is all about introducing a beginner to the realm of digital forensics. What is digital forensics? It is a division of forensics involving the recovery and analysis of data that has been recovered from digital devices. At one time, the term digital forensics was treated as a synonym for computer forensics, but now it involves all devices capable of storing digital data. No matter what term is used, the goal is to identify, collect, and examine/analyze digital data while preserving its integrity. Digital forensics is not only about finding the artifact, it is a formal examination/analysis of the digital evidence to prove or to disprove whether the accused committed the violation.

It is not always about demonstrating that the suspect is guilty; as a forensic examiner, you also have that ethical obligation to find exculpatory evidence that will prove the subject's innocence. Your duty is to be an unbiased third party in presenting the findings of the investigation. In a criminal examination, your findings could deprive someone of their liberty, and in a corporate investigation, your findings may lead to a criminal investigation or cost someone their livelihood. As a digital forensic examiner, your conclusions can have an extraordinary impact on the subjects of the investigation.

To be a digital forensic examiner, you need to have a desire to ask questions, have specialized equipment, and have the required training. From teaching people interested in the field, I have found the best students can critically examine the facts and circumstances being presented and, using that ability, can focus their efforts on efficiently reaching an accurate conclusion. Unfortunately, I find many students want to use a "find evidence" button, find all the artifacts, and print up a thousand-page report and call it a day. That is not digital forensics.

Digital forensics is not finding the artifact. By artifact, I am talking about an incriminating Google search in browser history, an incriminating email between the subject and a co-conspirator, and illicit images found in the filesystem. Artifacts are breadcrumbs leading to the identity of the person conducting the illegal activity. However, on their own, they do not identify the user who created these artifacts or the one who is responsible for their creation indirectly. One of the biggest challenges in this field is to determine what is colloquially known as the "idiot behind the keyboard." You want to tie the user to the specific subject and to do that, you have to analyze – that is the key word–the digital evidence to associate it with a particular user.

If you are in the IT field, you will understand networking and computer operating systems, but you will lack knowledge of how to preserve evidence, maintain a chain of custody, and present it in a criminal/administrative proceeding.

If you are an investigator, you will understand the chain of custody, evidence preservation, and testifying in a criminal/administrative proceeding. However, you may lack experience in the digital field. To be an effective digital forensic examiner, you have to be part of both those worlds. You have to understand how data is created, shared, and saved in the digital realm and be able to preserve that evidence in a forensically sound manner and testify in proceedings. Sometimes, the ability to talk in front of a large group while answering hard questions posed to you by attorneys from both sides is the hardest part of the field.

As with any field, the way you get better and more effective is to practice, to conduct real and mock examinations, to receive training, and have the willingness to reach out to your peers for advice. Since you are reading this book, you are taking that first step. You could be reading the text on your own, using it as a textbook for a college course you are taking, or using it in a corporate training session. The reason does not matter. Reading this book will put you on the road to be a more effective digital forensic examiner.

What is cybercrime? What crimes does a digital forensic examiner investigate? A digital forensic examiner may investigate any alleged wrongdoing that touches on the digital world. Nearly everyone possesses a mobile device. Sometimes, a person owns or uses multiple mobile devices and laptops and the traditional desktop. All of these sources have the ability to maintain a significant amount of information as it relates to the investigation. For example, I investigated a crime against a person where the victim was physically unable to communicate with the police. How does that become a crime that requires the use of a digital forensic examiner?

Well, in this case, she had maintained communication with the suspect of that crime via a website and instant messaging on her mobile device. While they did not directly have evidence relating to the crime being investigated, they had evidence about the relationship between the victim and the suspect. In the 21st century, almost any crime may have evidence stored in a digital format. Now, there are some crimes where someone will have used their computer as a tool to commit the crime, such as sending harassing emails, fraud and forgery, hacking, corporate espionage, or the trafficking of illicit images.

Your occupation will dictate your response to a situation; if you are law enforcement, you will have one set of procedures to follow, while if you are in the corporate world, you will have a different set of procedures to follow. While some processes may overlap in different fields, each one has its unique differences, which is what we will discuss next.

Criminal investigations

As a law enforcement professional, your first consideration will be officer safety. Is the scene secure to process and secure evidence? When the investigation starts, you may take part in one or more roles. The most basic positions are as follows:

  • The first responder
  • The investigator
  • Crime scene technician

Depending on the size of your agency, you may fill one position or all three, and you may report to one or more supervisors. Now, in the matter of digital evidence, it is preferable that the person in charge of the crime scene has some knowledge of the fragility of digital evidence. That allows personnel to enact the proper procedures to ensure that the evidence is not corrupted.

Let's talk about what each role does.

First responders

The first responders are the first ones on the scene. They secure what may be a chaotic scene. They will identify the following:

  • Potential victims
  • Witnesses
  • Potential suspects
  • How best to maintain control

They will do this until the investigator arrives. The first responder's primary mission is to make the scene safe and secure and ensure that no one can contaminate the evidence. As you can imagine, crime scenes can vary from a dynamic crime scene to the relatively static crime scene, depending on the nature of the crime. In both scenarios, the first responder must have basic knowledge of what items could contain digital evidence when they secure the scene. We would not want to have subjects grabbing cell phones or laptops and using them for any activity.

So, how does a first responder protect the crime scene? Just like you see in TV shows and movies, yellow crime scene tape is the most common method. It is the most straightforward visible sign of a crime scene barrier, and in our culture, people recognize the barrier being presented by that thin piece of yellow plastic. One or more personnel will have to monitor the crime scene to regulate who can cross that line and enter the scene.

Investigators

The investigator will respond to the scene after being requested by the first responder. Upon arriving at the scene, the first responder and the investigator will coordinate, and information sharing will now start. The first responder will provide the basic information, which typically involves the five Ws and one H, specifically the who, what, when, where, why, and how, about the incident.

The first responder will also provide information about any actions they or anyone else had taken before the arrival of the investigator. For example, the investigator will want to know whether the first responder(s) touched anything, moved anything, or changed anything within the crime scene. This could be a physical action such as applying first aid to a victim or turning a computer on or off. I remember an examination I did where the first responders did not reveal that they had accessed the victim's computer. While conducting my examination, I did a timeline analysis and saw an abnormality in the activity after the victim had died. The abnormality was caused by the unreported actions of the first responders. What's important to understand here is that the first responders' actions were not wrong. What created complications is that they did not report the actions, which led to additional work and explanations.

The investigator takes charge of the scene and directs all activity. They will direct the other team members' investigative efforts to ensure the proper documentation is completed regarding the seizure of evidence. Sometimes, the first responder will seize evidence and turn it over to the investigator. A chain of custody document must be completed and maintained showing who found the item and who maintained control until the completion of the judicial or administrative proceeding.

Crime scene technician

Finally, we come to the crime scene technician. This can be a sworn or unsworn position within the law enforcement agency. They have specialized training in the collection of evidence. This could be physical evidence, such as fingerprints, tool comparison, the collection of biological fluids, and crime scene photography, all of which require specialized training and equipment. The collection of digital evidence requires the same level of expertise that the collection of physical evidence does.

Note

We can put law enforcement jobs into two basic groups: Sworn: May take an oath to support the laws in their jurisdiction; they have the power to make arrests and carry firearms. Non-sworn: May take an oath but do not have powers to arrest. These positions are typically crime scene analyst or law enforcement support technicians.

The crime scene technician is responsible for the preservation of evidence and starting the chain of custody. Some actions they could carry out include the acquisition of volatile memory of a computer system, creating forensic images of the storage devices, or creating the logical forensic image of logical files from a server. The evidence will be bagged and tagged and transported to a secure location. What do I mean by bagged and tagged? They will place all the evidence or the containers holding the digital evidence in the appropriate storage container. A tag will then be filled out with the identifiers to specify which investigation the evidence belongs to, who collected it, and what evidence is contained within the container.

As we go through the rest of this book, we will cover the duties of the crime scene technician in greater detail.

A law enforcement officer may be a first responder, investigator, or crime scene technician and, in all roles, is an agent of the government. Depending on your jurisdiction, the government may restrict how and when the property can be seized and searched. I will discuss the judicial process in the United States; your locality may have different laws and procedures.

In the United States, a citizen's rights to privacy are protected by the fourth amendment of the US Constitution, which states the following:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

At a basic level, this means that before the government can seize any evidence, there must be (a) a search warrant based upon probable cause or (b) the consent of the owner. The consent given by the owner must be willingly given and must be able to be revoked, which can create an issue in some jurisdictions where the processing of digital evidence can take months, and in some jurisdictions, years. If the owner revokes their consent or refuses to give it, what options does law enforcement have? A search warrant.

How does a member of law enforcement get a warrant? As we learned from the preceding passage, it must be based on probable cause. The definition of probable cause is a reasonable standard that the applicant must reasonably believe that the items being searched for are at that location. Who determines what is reasonable? This would be the judicial official, such as a judge, Justice of the Peace, and so on.

The law enforcement officer makes the written request, while the judge reviews it and will either approve/disapprove it. If approved, then the law enforcement officer can then seize and search the property within the guidelines specified by the judicial official. The law requires only agents of the government to get a search warrant to seize and search property. If you work in the corporate world, this process will not pertain to you.

Now, let's talk about some potential crimes someone might call you to investigate. This will be a high-level overview of the crime itself, and later on in this book, we will address the specific artifacts we should analyze to determine whether criminal actions occurred.

Illicit images

Nearly everyone is connected to the many different forms of digital networks via our mobile devices, tablets, laptops, and computers–we are always connected in one manner or another. Depending on who you ask, it is either the best thing in the world or the worst. There are some excellent aspects; social media allows people/family members to stay in contact, no matter where they are in the world. The totality of the world's knowledge is just a few clicks away. You can read news reports from portions of the world that you previously did not know existed. It is an adventure waiting to happen. Now, it is not all unicorns and rainbows out there. Like any society, there are dark and dangerous portions of the internet where you should be hesitant to travel. That includes the sourcing and sharing of illicit images. For our purposes, an illicit image is an image whose subject matter is offensive or illegal, depending on your cultural or legal landscape.

Before the advent and widespread use of the internet, trafficking in illicit images was almost eradicated, so what changed? The consumer of illicit images no longer had to be physically present to pick up the physical images. The internet allows the user to be relatively anonymous and to access the illicit images with minimal exposure. I have read reports that state that the high-speed data network that most of us enjoy is because of the consumer wanting faster throughput speeds to download illicit images.

Consumers of illicit images have free access to terabytes of data with simple clicks of the mouse. If the consumer wants higher quality or a specific subject matter, then it is not a complicated process to find a vendor to meet the needs of the consumer for a price.

Your jurisdiction will determine what is or is not an illicit image and the level of criminality associated with the possession and/or distribution of the contraband images. I will not differentiate or specify a subject to define illicit images. I will discuss them using the generic title of illicit images or contraband images. You can use either phrase depending on what may be legal/illegal in your jurisdiction.

How do people share contraband images? At a basic level, a file is a file. A JPEG image of a sunset does not differ from a JPEG image of a contraband subject. Anyone can use any aspect of the internet to share files–the content of the files is irrelevant. If the system allows the user to share data, then the contents of those shared files can be legal or illegal content. Let's look at some media through which illicit images could be exchanged.

Email-based communications

Email is one of the easiest ways to share information through files between two or more people. An email address does not automatically point to a specific user. There are service providers who actively advertise anonymity for users of their email accounts. The service provider states that they do not save users' transactional information, such as source IP, dates and times of connection, or billing information. The service provider may be located outside of the jurisdiction investigating the contraband, which will allow the service provider to ignore the judicial paperwork requesting the subscriber information.

Newsgroups/USENET

This is one of the first components of the internet, and one that has fallen off the radar for the everyday user. Initially, the internet comprised the World Wide Web, with components such as web browsing, email, and USENET. Web browsing and email are known by nearly every user of the internet, while USENET has faded out of public perception. This does not mean it is not being used. USENET is like the old bulletin board system, where you had specific groups, and users could post messages, attach files, and other users could download the files and comments. The user can post just a text message or attach a file to the message. This file is known as a binary.

A binary is a file type–digital images, video, audio software, or any other file type. The user has to use a newsreader to access USENET. There are free and paid versions of newsreaders available in which the user can subscribe to a USENET service. Just like the email service providers that we discussed earlier, one selling point for USENET service providers is anonymity, where they explicitly state that they maintain no user transactional data or billing records or they are in jurisdictions whose laws may not adequately address the contraband contained on the server:

Figure 1.1 – Unison application

The preceding screenshot shows you the Unison program running on macOS and accessing the service provider Astraweb.

Looking from left to right, you can see the hierarchical system used by USENET. At the far-left column, I have selected alt, which then populates the next column with many named folders. The folders' naming convention shows the subject of the group. I have selected binaries, which means I am looking for attached files to the postings. In the third column, we can see folder icons and a brown folder icon with papers coming out the top. The folder icon shows that there are additional groups contained within, while the brown folder icon shows that this is a newsgroup.

As you can see from the preceding screenshot, there are a variety of subjects for the user to explore; some groups may or may not contain contraband images/files. Your jurisdiction will determine what is legal or not as you conduct your investigation.

Peer-to-Peer file sharing  

Peer-to-Peer (P2P) file sharing is a decentralized method of file sharing. In traditional file sharing, a server hosts the file and the client accesses the server to download the file. In the early days of Napster and music sharing, this became a liability for copyright violations. The service provider was served with judicial processes and was found to be liable for hosting a directory of copyrighted files.

In response, the P2P method was changed; no longer was a centralized database created, but rather users were able to directly search for other users' shared folders on the network. Users connected to a shared network and acted as both a server and a client. In P2P file sharing, when a user identifies a file they want to download, the software reaches out to the other users who possess the desired file. Each user then provides a piece of the file to the recipient. When all the pieces are collected, the software puts them back to the original configuration. The user could then participate as a node and start sharing the file they just downloaded:

Figure 1.2 – Transmission application

The preceding screenshot shows the Transmission program running on macOS. I am downloading a movie from the public domain (archive.org), and in the bottom portion of the preceding screenshot, you can see that the file has been broken into much smaller bits. The highlighted bits show which parts of the file I have downloaded. Later, we will go into much greater detail about P2P file sharing and the artifacts that will be left in the filesystem.

The crime of stalking

For all of the good that the internet provides, it also provides a conduit for people to exploit, harass, and bully other people. The victim could be known to the subject or could have interacted with the victim's online persona in some manner and felt the victim had wronged them. A lot of the bad behavior we see with online activities is because of the anonymity that the internet provides the attacker/subject. When eyes are watching or when we know the true identity of the attacker, they change their behavior to conform to societal norms. Unfortunately, it takes time for society to recognize the criminality of specific actions via the digital medium.

Cyberstalking or cyberbullying is now being regulated and is now considered an actual crime. Depending on your jurisdiction, the definition will vary, and what resources the government will spend in the prosecution of these crimes will vary too. Remember, the identity of the user at the other end of the digital world can be challenging to prove to the high standard required by a court of law.

According to the National Center for Victims of Crime, https://members.victimsofcrime.org/our-programs/past-programs/stalking-resource-center/stalking-information, historically, in the United States, almost 1,500,000 people, the majority of them women, have been victimized, harassed, and bullied via the digital medium, with the attacks lasting in excess of 2 years. The attacks increased in length if the participants had been intimate partners.

The impact of this criminal behavior is immense; the victim will lose time from work, have to move residences (several times, sometimes), and suffer from the physical and mental effects such as the anxiety and depression that comes from being targeted. The ability to stalk a former intimate partner in the digital world opens the door to the ability to inflict significant violence on a former partner and, in some cases, bring about their death.

What behaviors make up cyberstalking? There have been documented incidents where a terminated employee has sent manipulated, compromising images of their supervisor to members of the organization and to the general public. This activity continued for months before it was stopped. Despite the harassment ending and the perpetrator being identified, the supervisor still felt the need to leave their job, change their name, and move to another community.

So, where do we begin in our attempts to investigate this crime? The interview will be the best starting place. Asking the victim if they know or suspect who may be behind the harassment is the first question asked. In my experience and most of the time, the victim will have a general idea of who the harasser is, especially if it is a former intimate partner. Now, there will be some victims who may suffer from mental health issues that could complicate the assessment. As an investigator, you have to listen to the whole story to understand the totality of events. Just because someone is paranoid does not mean someone is not out to get them. As an investigator, you have to have an open mind and not allow your preconceptions to make you miss evidence or indicators that may be visible.

If the victim has an idea of who the harasser may be, make sure you record all the pertinent information they can provide you with. Names, addresses, usernames, email addresses, screen names, and social media locations will all give you valuable information so that you can start your investigation.

Establish the method of the harassment and when it started. Was it a Facebook group? Snapchat? Text messages? Chat rooms? Is a mobile device involved in terms of text messages, missed calls, and more? Has the harassment gone old-school with the use of the post office with physical letters?

Threats of violence may increase the severity of the crime and should not be discounted.

The investigator will need to ensure they get forensically sound copies of the digital evidence to start the investigation. This starts the chain of custody of the digital evidence and is the beginning of the investigation.

We will go into much greater detail about the specific artifacts found in digital evidence, but once you have account usernames and IP addresses that the attacker is using to facilitate their attacks, you have a starting point to identify them.

In the United States, a subpoena is required to obtain subscriber information. This information includes the user's first and last names, physical address, how often they access the account, and the IP address that was used to access the account. It varies between service providers as to how long this information is maintained. Sometimes, it could be as little as weeks and as much as years, depending on the provider. You can also submit legal paperwork asking them to "freeze" the account so that the user cannot disable it or delete any incriminating information.

To gain access to the information contained within the account, such as email content, contents of messages, or anything having to do with content, a search warrant signed by a judge will have to be served on the service provider. If the service provider is within the same jurisdiction of the judicial authority, there are typically no issues. When the service provider is in another jurisdiction within the United States or a jurisdiction outside the borders of the United States, this is when the process becomes much more difficult and sometimes impossible to proceed with.

Some subscriber information you get may or may not be accurate. It is not unusual for a user to complete the registration forms with false information. But what you can do, for example, if you have an email address, is you can do an open source search and see whether the email address was used anywhere else. For example, some online forums will use the email address as a username, and if so, the user may post identifying information in their communications with the other users. That forum now becomes a source of information for which you can issue a subpoena to get the subscriber information.

As you can see, following breadcrumbs of information may lead you to sources you never even considered. It can be quite complicated and time-consuming.

Criminal conspiracy 

Criminal conspiracy and digital forensics: how do these aspects intersect in the world of the digital forensic investigator? First, let's define what a conspiracy is: a conspiracy occurs when two or more people agreed to commit an illegal act. However, just deciding to commit the illegal act is not enough; there also have to be actions taken in furtherance of the conspiracy. What does all that mean? For the physical crime of robbery, criminal A contacts criminal B to discuss robbing victim C. The conversation between criminals A and B does not meet the statutory definition of a conspiracy. If criminal A paid criminal B and agreed on the number of funds in exchange for the service of the robbing of victim C, then we have an act in furtherance of the conspiracy to commit robbery. So, what crimes can the digital forensic investigator find within the digital realm? Almost any crime imaginable. Let's take a look at an example of such a crime:

"Michelle Theer was convicted of a crime against a person. She conspired with John Diamond to commit the crime against her husband, Marty. Investigators had no direct evidence, no physical evidence, and no eyewitness evidence, but they had digital evidence showing the conspiracy to commit the crime. Investigators recovered over 80,000 emails and instant messages between Diamond and Michelle that showed a personal relationship between the two and the messages showing the conspiracy between them to commit the crime."

You can read about this case in more detail at https://caselaw.findlaw.com/nc-court-of-appeals/1201672.html.

Now more than ever, people are connected to their devices for their everyday activities. It is not a stretch of the imagination that criminals also use their devices to help organize their criminal activities. The digital forensic investigator has to know of all potential sources of digital evidence and recognize that the Internet of Things (IoT) is an untapped bonanza of digital evidence. What is the Internet of Things?

Home assistance programs such as Siri and Alexa, smartwatches, home security systems, and GPS devices – anything that has an app – might contain evidence and show the intent on the criminals' part to commit the crime. Failure to recognize the digital devices can result in significant damage to your investigation. There have been instances where the subject of an investigation was placed in the interrogation room, and the investigator did not recognize the suspect was wearing a smartwatch. While they left the subject unattended in the interrogation room, the subject was able to communicate with their co-conspirators and direct their efforts in the destruction of evidence and interfere with the investigation. Once the investigators caught on to the subject's actions, they then used the smartwatch to show the criminal conspiracy and used the evidence to generate additional charges for the suspect in custody and their co-conspirators.

Social media is also a source of digital evidence for showing a conspiracy. For example, take the case of Larry Jo Thomas. The government convicted Thomas of committing a crime against Rito Llamas-Juarez. Initially, investigators only knew that Llamas-Juarez was harmed by a specific type of item. As investigators processed the crime scene, a bracelet that was "distinctive" was found and collected as evidence. The investigators examined Thomas's Facebook page and found a photo of Thomas posing with an item similar to what was used at the crime scene. In a different photo, they found the "distinctive" bracelet being worn by Thomas. While the digital evidence did not have a direct impact on the criminality being investigated, it showed how the subject had the means and had been at the crime scene.

Vehicles are also a source of evidence to prove the conspiracy. Newer vehicles are connected to the network and have their own Wi-Fi connection and sync data between mobile devices, GPS data, and the vehicle's black box. Potentially, the investigator can show the subjects performing reconnaissance on their targets, meetings between the conspirators at a shared location, or where they have traveled to and returned using toll passes.

Technology is rapidly changing and advancing as the general population uses technology, and so do the criminals. The general population plans out their day by utilizing technology; criminals also plan out their day of criminal activity using the same technology. I am always amazed when criminals use their mobile devices to plan and execute criminal activity and then take pictures to memorialize their illegal business.

Now that we have learned about criminal investigations, its roles, and the means by which information is being shared, let's move on to the next type of investigation, which is corporate investigations.

Corporate investigations

We will now discuss computer forensics on the civilian side, or non-law enforcement side. Since you are not an agent of the government, the search warrant requirement does not pertain to you. (Your specific jurisdiction may be different.) While you may not have the search warrant requirement, you cannot seize and analyze private property. What do I mean by that? You are the investigator for a large multinational corporation; you have an employee you believe is harassing other employees and may have viewed illicit images on their company laptop. What is the legal requirement for you to examine the contents of the employee's laptop? If you are an agent of the government, the employee has an expectation of privacy. As an employee utilizing the company's equipment, the courts have held that the employee has a limited expectation of privacy on the data in the device. 

Important note

This may differ, depending on your local jurisdiction. I was teaching a class in Germany and as I was teaching, the students explained that German law gave an employee a high expectation of privacy. In their jurisdiction, there were specific requirements that had to be met before they could examine an employee's computer.

Other than the search warrant requirement, the corporate investigator's duties are similar to those of law enforcement. They still must acquire the evidence, they must analyze the evidence, and they must present their findings. They could present their findings in an administrative proceeding, or they may forward their findings to law enforcement where they may have to testify in a judicial proceeding. In either case, the digital forensic investigator must ensure that the digital evidence was collected in a forensically sound manner while maintaining the chain of custody of the digital evidence.

If the digital forensic examiner cannot authenticate the evidence, then they cannot testify or present it in the administrative/judicial proceeding. The corporate digital forensic investigator also investigates a wide variety of crimes. Typically, they will not be investigating a crime where a person was hurt or killed, but they can still investigate fraud, forgery, a violation of the company's policies and procedures, corporate espionage, or if they believe an employee has stolen intellectual property or is trying to harm the corporation itself. So, let's now talk about employee misconduct.

Employee misconduct

As a condition of the employee's employment, they must abide by the policies created by their organization. Typically, an employer has an "Employee Handbook" or has a set of policies and procedures that dictate what behaviors are acceptable and which ones are not acceptable. Such policies also include laying out specifications to ensure that the organization treats all employees with dignity and respect in the daily operations of the organization. There may be rules that may specify what is an acceptable use of the organization's desktop and laptop computers, and a violation of those rules could result in an investigation analyzing those devices, as we mentioned earlier.

Now, I use the term "policy and procedures," and I have found there is a large amount of confusion with those two terms, primarily when used together. A policy is a statement from the organization addressing a specific issue, while the procedure is the specific instructions regarding how to accomplish the goals of the policy. For example, the organization could enact a policy to restrict employees from accessing non-organizational emails using the organization's computers. The procedure would have two audiences, all the employees, and the IT staff. The procedure would inform the employees of how to access the organization's email while directing the IT staff regarding how to block non-organizational emails from being accessed.

You need to follow some general guidelines as your organization drafts and implements policies and the accompanying procedures, as follows:

  • The policy should be simple to understand. Short and sweet – do not overcomplicate it. If there is a way for an employee to "misunderstand" the policy, then they will dispute whether their actions violated the policy.
  • The procedure should specify all the steps needed to implement the task outlined in the policy. Don't assume the reader will understand if you are not specific in what you want them to do.
  • The organization must inform the employee of the potential consequences of violating the policy.
  • The organization cannot implement policies that violate the law.
  • The organization must enforce the policies. There have been many investigations I have conducted where multiple employees have violated the policy, but the organization never enforced the policy. If they do not enforce the policy for 51 weeks and then, during the 52nd week, the organization enforces the policy against some employees and not others, how can the employees be held accountable during week 52?
  • There must be documentation that the employee knew and understood that the organization implemented the policy and the penalties for violating the policy.

If an employee violates the organizations' policies or procedures, does law enforcement have to get involved? Of course not. It would depend on the violation and whether it was a criminal act and if the organization had a responsibility to notify law enforcement. Sometimes, the law may mandate the organization to notify law enforcement if they discover the employee has committed a criminal violation. Make sure you are aware of the statutory requirements in your jurisdiction and communicate with in-house counsel during the investigation.

As a digital forensic investigator, it is not typically your decision about whether to notify law enforcement. After you consult with the organizations' legal counsel and C-level executives, they will make that decision. For the digital forensic investigator's purposes, it does not matter whether the investigation relates to a criminal or noncriminal matter.

Remember, we treat every investigation as if we may have to go to court and testify because, while the initial investigation may deal with policy violations, during the investigation, you may discover there have been criminal violations that mandate the involvement of law enforcement. The prosecution and defense will scrutinize all of your investigative endeavors before the involvement of law enforcement. If you do not maintain the standards of the investigative process, it could weaken the prosecution.

As a digital forensic investigator for a corporate organization, there are a variety of violations the organization may call on you to investigate. One of the more common incidents is the complaint of harassment or a hostile work environment. This is where one person causes one or more people to be intimidated, harassed, physically threatened, humiliated, or any other activity where it makes the workplace offensive. How would you investigate someone for a hostile work environment? After conducting the interviews with the complaining employees, they may provide statements on how the harassment/hostile work environment was created, if at all.

Your investigation will determine whether the actions were physical, verbal, or carried out on digital media and the frequency of the offending conduct. Was there a single employee whose behavior was offensive or is there a culture within the organization? If a supervisor was notified or if someone asked the offender to stop, what resulted from the efforts to stop the offending behavior? The offending employee could send offensive text messages, emails, or instant messages utilizing the organization's communication network. If the alleged behavior occurred or was facilitated with the organization's devices, you should be conducting your examination to determine whether there is any digital evidence to support or refute the allegations since the property belongs to the organization, which limits the employee's expectation of privacy. (Remember, this may vary by jurisdiction.)

Once you have supervisory approval to conduct the digital forensic examination, the investigation can proceed. With the information at hand, you can filter out a large amount of additional data that may be contained on the storage device. To be efficient while dealing with the extraordinarily large datasets contained within today's high capacity devices, you have to filter out data that is not pertinent to your investigation. For example, if we are dealing with harassing emails, you may restrict your examination to only email traffic.

Now, your investigation may grow based on your findings on the initial exam. For example, while viewing emails, you observe the subject sending out illicit images to other employees. Your investigation has now increased based on the violation and the potential number of violators. Do not limit yourself to only the suspect's computer; you need to examine both the suspect and the complaining witness.

The complaining witness may have evidence of the offending email, while the suspect may have used anti-forensic techniques to remove the source email from their computer. Or you may find the complaining witness had changed the email to contain offensive material. You want to be as thorough as possible and that dictates an examination of the emails from both the sender and the recipient. 

You are not typically called upon to determine whether the conduct was offensive – that is a very subjective determination. What one employee considers offensive, another employee may not. Your job will be to recover the artifacts to allow the fact finder to make a well-informed decision as to whether the complaining witness' statement can be substantiated. Human resources or in-house legal counsel will determine whether the employee's conduct was offensive. Your job is to be an impartial third party and to present the findings. This could be through an administrative proceeding such as a hearing, or you could make a presentation to a senior executive. Remember that the organization may be held liable in situations where they have been informed of the employee's offensive behavior and did not take action.

Corporate espionage

In the corporate environment, no matter how large or small, there are specifics about your organization you don't want to share with the entire world. You could provide a proprietary widget to another organization, or you have an exclusive recipe for a consumer food product. In almost every case, your organization is providing a service, and they get paid to provide that service. If a competitor could look inside the internal workings of the organization, that look may mitigate any advantage the organization has over the competition.

We can define corporate espionage as one organization spying on another organization to achieve commercial or financial gain. The same tactics that nation states use against each other are utilized by corporate actors against each other; for example:

  • Physical or digital trespassing to gain access to data or information
  • Impersonating any employee to gain physical access to an organization's buildings or other facilities
  • Intercepting voice or data communications or manipulating a competitor's website
  • Manipulating social media against a competitor

Some actions I just listed are not in the digital realm, so how can a digital forensic investigator determine what occurred?

Security

It comes down to physical and digital security. The organization has to be proactive and identify the critical infrastructure that needs protection. Once the critical infrastructure has been identified, the organization can then implement controls for security and documentation. If an attacker is successful, the digital forensic investigator will have to determine how the attacker got past the established protocols. The organization's physical and digital defenses should be multifaceted and not rely on a single aspect. What I mean by this is that there should be a mixture of physical and digital mitigation efforts to protect the organization. Access control is essential; a locked door could be access control, such as controlling access to the server room. Now, the door could be locked and unlocked with a biometric or a physical token. The organization should maintain the access control logs at an off-site facility.

If an employee's access control token was compromised and used by the attacker, a digital forensic investigator can analyze the logs and determine which user identity accessed the server room. Implementing digital surveillance recordings will allow the investigator to observe the compromise and determine whether it was the employee or an unknown third party. With a digital attack, you will have to analyze the logs from the network security devices, for example, antivirus logs, authentication servers, routers, and firewalls, all of which are detective controls. While a detective control allows you to investigate what occurred, it doesn't prevent the incident, nor is it a deterrent. Access control is about protecting an asset; you are controlling users and preventing unauthorized access.

Hackers

You may be the victim of an attack from a "hacker." What is a hacker? Typically, it's a malicious user gaining access to information systems that belong to another. You may see the term "black hat" or "white hat" hacker, where the color of the hat determines the hacker's intent. 

A "white hat" hacker is a positive actor. This is a person or persons whose goal is to identify vulnerabilities in the system so that the owner or the vendor of the organization may correct them. A "black hat" hacker is someone who is attacking the system with malicious intent; their goal is to violate and exploit the organization's data system. There is also the "activist hacker," who is looking to exploit vulnerabilities in the system for political reasons. The attack could be the compromising of information maintained in the system or a distributed denial-of-service attack on the organization. The following is a table to help highlight the differences:

A bad actor will not only rely on accessing the system through technical means; they will also attack an organization through the employees. This is known as using social engineering, which is what we will discuss next.  

Social engineering

Social engineering is another attack that is relatively common in the corporate environment. One aspect is a "phishing attack," where the attacker attempts to trick the user into gaining access to confidential information such as a username and passwords. Typically, this attack is made via email, where the sender purports to be a bank, someone in authority, where they're asking the user to provide biographical information, name, date of birth, governmental identification number, username, and passwords.

If the user believes the email and provides that information, the attacker can then impersonate the user and attempt to gain a foothold into the organization's data systems.

There are automated tools designed to use social engineering, such as a phishing attack, against organizations. These tools do not require a significant amount of specialized knowledge to implement. The users of these tools are referred to as a "script kiddies" and could attack your organization using these automated tools. The vendors of the tools state they are to be used by the organization as a method to test their defenses, but there is no method to control what the user does with the software once downloaded.

Gophish

Gophish is one such automated tool. It works on all three of the major operating systems and is freely available for anyone to download. It does not require significant installation skills; you can extract it and run the executable, and the program will be up and running. The following screenshot shows the initial login screen when the software is up and running:

Figure 1.3 – Gophish login

Once you log in, you will be presented with the Dashboard of the service.

Note

This book is not about running Gophish or any other program; it is merely to give you an idea of what is available out there.

Please follow all applicable laws and regulations.

You can create email templates that you can send out to organizations. You can capture members of the organization's emails using open source intelligence techniques (OSINTs) and import them into the program:

Figure 1.4 – Gophish import emails

A common theme when it comes to phishing the user's credentials is to send them an email asking them to reset their password, and when they do so, it directs them to a clone of the official landing page. After the attackers capture the username and password, the user is redirected to the official page, and they never know what occurred.

Real-world experience

One time, I was hired to conduct a vulnerability analysis of an organization. As part of the scenario, they did not provide me with any information about the internal workings of the data network or the physical security of the building. The building had public access during regular business hours. During regular business hours, I walked around the organization and conducted my reconnaissance to see whether I could identify any vulnerabilities. 

To go to the executive levels of the building, I was required to sign in at the security desk and receive a radiofrequency identification (RFID) pass. As I signed in, they did not require me to show any identification, nor was I required to state my business or my destination. I signed in and was given a visitor RFID card and was sent on my way. I took the elevator to the top floor and walked around the executive level. I was dressed in the typical business casual clothing, carrying my laptop case. I found an unlocked training room in which I entered and set up my laptop. I plugged into the network and accessed the system. While I was inside the training room, several employees walked in, but none of them questioned why I was there, sitting alone, typing furiously at my computer. I stayed in the room until 4 hours after the building closed. During that time, no one questioned why I was in there. I packed up my laptop and had free rein of the executive level for the rest of the evening.

If I was an actual attacker, how would you be able to investigate what happened? What sources of evidence, maintained by the organization, could you process? The first step would be to identify a potential timeline for what occurred. One control put into place for this vulnerability test was to not damage the network and to access the control file. A control file is a plain document of no value and can be safely manipulated to show unauthorized access. The manipulated file will contain the timestamps to show when the unauthorized access happened. The timestamps will give the investigator a starting point of where to start the investigation.

This will be achieved by examining server logs, firewall logs, and trying to identify my digital footprints within the network. Once they identify the physical device location where the compromise occurred, then they can review the surveillance footage to work backward on how I gained access to the executive level, to the RFID protected elevator, and to the physical security log I completed. Typing out the reaction to the compromise in the system does not address the enormity of the task facing the digital forensic investigator. If the organization identifies the compromise within a timely fashion, that makes the investigation more straightforward, but consider if the compromise isn't recognized for days, weeks, or months. How hard would it be to determine what occurred months later, after the compromise?

Consider the compromise of Sony Pictures in 2014. While the exact duration of the attack is unknown, the attackers spent at least 2 months inside the network copying files, with some reports saying the attackers had access to the internal network for a year. Although it has never been confirmed, the attackers claim to have compromised and transferred over 100 TB of data from Sony Pictures.

The compromise of information was not the only vector of attack; they made employees' computers inoperable, and also compromised some social media accounts for the organization. The employees of the organization were also victimized with the compromising of their personal information by the attackers.

Insider threat

An organization cannot assume the attack will come from an external threat. While the design of most protocols and mitigations is to safeguard the organization from the external threat, the internal threat can be more dangerous than the external threat. No longer can the organization rely upon outward-facing security such as firewalls, building access control systems, intrusion prevention systems, or intrusion detection systems; they must also assess internal vulnerabilities to mitigate the threat from the inside. This is not an easy task; the insider threat has knowledge of the security protocols, the organization's policies, and potential vulnerabilities that the external threat does not.

In 2016, almost 1/3 of all electronic crimes were known/suspected to be caused by the insider threat. The damage caused by the insider was more significant than an external attack. No sector is protected from the internal attacker; in fact, if you are a US federal agency or a defense contractor, the government requires you to create a formal insider threat program, which is not surprising since there have been nearly 100 insider threat incidents within the last 10 years. (We are not talking about espionage incidents.) Almost 3/4 of the insider attackers were actively employed by the federal agency, while 1/3 were not directly employed, such as a contractor or an employee of another agency. A majority of the federal cases dealt with fraud and were committed by the insider for financial gain.

Who typically commits insider attacks? Is it a new employee? A veteran? Remember, for an insider attack to be effective, the insider has to be trusted. If we look at the federal government sector, nearly half of the insiders had been with the organization for over 5 years, with a majority of them abusing their access and creating fraudulent documents. Now, in the information technology sector, the demographics of the insider attack are a bit different. Nearly 75 percent were former employees and were with the organization for less than a year. Almost 20 percent did not have their accounts deactivated when they left the organization. That means they could use their credentials to access the confidential information, despite leaving their employment.

As an investigator, this should be a warning that there is an issue with that organization's policies and procedures that needs to be immediately corrected. Having a procedure at hand to deactivate an employee's account either before termination or shortly after they give their resignation would have stopped 1/5 of the documented attacks.

Investigating an insider threat will be difficult. You are dealing with people/employees who, at some level, have gained the trust of the organization. The investigator has to try and determine what the insider's mindset is underneath the persona that is being shown every day. Are they an opportunist? Are they a disgruntled employee? Are they someone out for revenge against an executive? Those are the potential attackers you may have to deal with. You want to create the groundwork before the attack happens. 

Various sections of the organization – Human Resources, Legal, and IT – will be part of planning any potential response as well as being part of the response. The response team will identify who may be involved in an insider threat, such as the following:

  • Executive staff
  • Directors
  • Employees with access to data

If you have to identify any potential "data source(s)" for when we have an investigation, you will need to examine the following:

  • Company-issued laptops
  • Company-issued tablets
  • Cell phones or mobile devices
  • Any cloud account access

You will have to correlate the user and the user's devices with access to the critical data, and the team will have to identify the critical data beforehand. When should insider threat investigation be initiated? Typically, this will start with a notification from Legal or Human Resources. The organization could also implement a policy in terms of investigating when an employee leaves the organization. If the employee's position gives them access to sensitive or privileged information, then a review of their activities within the organization should be conducted. This could start in a broad sense; you are looking to gather data from their mobile devices, laptops, desktops, and potentially the cloud. Then, you take that dataset and filter it so that it reflects access to the critical information.

Once the employee has given their resignation or the organization has decided to terminate the employee, the data collection process should start. The data collection process should begin before the employee is told they will be terminated. I recommend that the organization collects between 30 and 90 days' worth of activity for the employee. The more data that's acquired, the better informed the investigator will be of the employee's actions. Some of the artifacts that may help determine whether the employee has exfiltrated data are as follows:

  • USB devices
  • Cloud accounts
  • Sharing of files via social media
  • Burning a CD/DVD

You will also analyze the activity around the critical data. This should be a standard activity so that there is an understanding of what is normal. You have to monitor the data to get that normal baseline so that you understand when the unusual traffic occurs. For example, you could monitor the traffic to the critical data and suddenly, access to that data spikes. Does an attack cause this spike or is it normal because it is the end of the pay period and the accountants are accessing the data as part of standard processing?

Another example could be whether the data is being accessed after regular business hours. Is there a legitimate reason for that access? These are the circumstances that need to be identified before the investigation starts. This foreknowledge will allow you to filter out all the baseline information and to only focus on that data outside of the norms.

The investigation may show no malicious intent, or it may indicate there was malicious intent. Either way, you report the findings to the team to determine the next steps. This could lead to a review of policies and procedures and the implementation of new controls to mitigate future attacks.

Summary

In this chapter, you have gained an understanding of the different types of issues you may encounter during a digital forensic examination. You have learned about how the digital world and the physical world interact and how to use the digital world to help prove or disprove allegations. You have gained an understanding of the different procedures and how to collect and manage evidence when investigating allegations of wrongdoing. 

In the next chapter, we will discuss the forensic analysis process to maximize the efficiency of your investigation.

Questions

  1. Peer-to-Peer filesharing is used to share illegal files only.

    a. True

    b. False

  2. What will the first responder identify?

    a. Potential victims

    b. Witnesses

    c. Subjects

    d. All of the above

  3. You may find digital evidence in every type of investigation.

    a. True

    b. False

  4. Which amendment of the U.S. Constitution protects the rights of citizens from unlawful search and seizure?

    a. First

    b. Second

    c. Third

    d. Fourth

  5. What is a "binary"?

    a. A star

    b. An attached file

    c. A USENET post

    d. A web browsing artifact

  6. What is required in the United States to obtain subscriber information?

    a. A search warrant

    b. A subpoena

    c. Consent

    d. Hacking

  7. Criminals use social media for illegal purposes.

    a. True

    b. False

The answers can be found in the back of this book, under Assessments

Further reading

John Vacca and Michael Erbschloe. Computer Forensics: Computer Crime Scene Investigation. Charles River Media, 2002 (available at https://www.amazon.com/Computer-Forensics-Investigation-CD-ROM-Networking/dp/1584500182.)

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • Learn the core techniques of computer forensics to acquire and secure digital evidence skillfully
  • Conduct a digital forensic examination and document the digital evidence collected
  • Perform a variety of Windows forensic investigations to analyze and overcome complex challenges

Description

A computer forensics investigator must possess a variety of skills, including the ability to answer legal questions, gather and document evidence, and prepare for an investigation. This book will help you get up and running with using digital forensic tools and techniques to investigate cybercrimes successfully. Starting with an overview of forensics and all the open source and commercial tools needed to get the job done, you'll learn core forensic practices for searching databases and analyzing data over networks, personal devices, and web applications. You'll then learn how to acquire valuable information from different places, such as filesystems, e-mails, browser histories, and search queries, and capture data remotely. As you advance, this book will guide you through implementing forensic techniques on multiple platforms, such as Windows, Linux, and macOS, to demonstrate how to recover valuable information as evidence. Finally, you'll get to grips with presenting your findings efficiently in judicial or administrative proceedings. By the end of this book, you'll have developed a clear understanding of how to acquire, analyze, and present digital evidence like a proficient computer forensics investigator.

Who is this book for?

If you're an IT beginner, student, or an investigator in the public or private sector this book is for you. This book will also help professionals and investigators who are new to incident response and digital forensics and interested in making a career in the cybersecurity domain. Individuals planning to pass the Certified Forensic Computer Examiner (CFCE) certification will also find this book useful.

What you will learn

  • Understand investigative processes, the rules of evidence, and ethical guidelines
  • Recognize and document different types of computer hardware
  • Understand the boot process covering BIOS, UEFI, and the boot sequence
  • Validate forensic hardware and software
  • Discover the locations of common Windows artifacts
  • Document your findings using technically correct terminology
Estimated delivery fee Deliver to Belgium

Premium delivery 7 - 10 business days

€17.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Apr 30, 2020
Length: 368 pages
Edition : 1st
Language : English
ISBN-13 : 9781838648176
Category :
Concepts :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Estimated delivery fee Deliver to Belgium

Premium delivery 7 - 10 business days

€17.95
(Includes tracking information)

Product Details

Publication date : Apr 30, 2020
Length: 368 pages
Edition : 1st
Language : English
ISBN-13 : 9781838648176
Category :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 131.97
Digital Forensics and Incident Response
€44.99
Mastering Windows Security and Hardening
€41.99
Learn Computer Forensics
€44.99
Total 131.97 Stars icon

Table of Contents

16 Chapters
Section 1: Acquiring Evidence Chevron down icon Chevron up icon
Chapter 1: Types of Computer-Based Investigations Chevron down icon Chevron up icon
Chapter 2: The Forensic Analysis Process Chevron down icon Chevron up icon
Chapter 3: Acquisition of Evidence Chevron down icon Chevron up icon
Chapter 4: Computer Systems Chevron down icon Chevron up icon
Section 2: Investigation Chevron down icon Chevron up icon
Chapter 5: Computer Investigation Process Chevron down icon Chevron up icon
Chapter 6: Windows Artifact Analysis Chevron down icon Chevron up icon
Chapter 7: RAM Memory Forensic Analysis Chevron down icon Chevron up icon
Chapter 8: Email Forensics – Investigation Techniques Chevron down icon Chevron up icon
Chapter 9: Internet Artifacts Chevron down icon Chevron up icon
Section 3: Reporting Chevron down icon Chevron up icon
Chapter 10: Report Writing Chevron down icon Chevron up icon
Chapter 11: Expert Witness Ethics Chevron down icon Chevron up icon
Assessments Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Most Recent
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8
(20 Ratings)
5 star 90%
4 star 5%
3 star 0%
2 star 5%
1 star 0%
Filter icon Filter
Most Recent

Filter reviews by




Patrick Mar 03, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I use it for my school studies.
Amazon Verified review Amazon
Stephen Jul 30, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
William Oettinger is an expert author with expert computer forensic skills, knowledge, and experience!Both complete beginners and DFIR professionals starting out will get something substantial out of this book! As a “one-stop guide”, this will definitely help readers become well-rounded computer forensic professionals. The focus of the book is on “searching, analyzing, acquiring, and securing digital evidence” - it delivers on all counts and then some in the context of a singular resource.The book is heavily focused on solid fundamentals and making sure that the reader understands the process of forensic analysis including acquisition of evidence, and relevant technical knowledge relating to how computers and networks work. In particular, the sections covering analysis of Windows artifacts, RAM memory analysis, internet artifacts, and email forensics will be particularly valuable for those just starting out or wanting to see what being a computer forensic professional entails.The inclusion of report writing is fantastic and immediately draws attention to the importance of having effective note taking and how to write reports to officially document forensic examination results.There are many case studies and real-world examples that can immediately be put to use. Everything is well-written, factually correct, and presented in an order that makes sense - credit to both Steve Whalen as the reviewer/editor and Oettinger!Last but not least, it is clear that the expert witness ethics section draws upon Oettinger’s unique combination of professional experience as a retired police officer, a computer forensic subject-matter expert, and veteran technical trainer/investigator.
Amazon Verified review Amazon
Fortuner Apr 03, 2022
Full star icon Full star icon Empty star icon Empty star icon Empty star icon 2
I am a practising lawyer and into this profession from quite sometime. The things mentioned in the book are already available on internet free of cost. The price 2k bucks is not justified. This should be priced at max 500/-If you know your questions, you can search on internet and you will get exactly what is written in this book.
Amazon Verified review Amazon
Shinjoy C. Jan 02, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book give you complete knowledge of cyber forensic(computer). Just go for it.
Amazon Verified review Amazon
Isha F. Sep 28, 2021
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I’m still reading, however this book is amazing with real life examples, how to pictorials and scenarios a must buy if you’re looking to get into forensics!
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela