An explanation of the basic principles of data
This book explains the basic principles of data as the building blocks of electronic evidential matter used in cyber forensics investigations. The entire text is written without reference to a particular operating system or environment, so it is applicable to all work environments, cyber investigation scenarios, and technologies. The text proceeds step by step, beginning with the elementary building blocks of data and progressing upwards to the representation and storage of information. It includes practical examples and illustrations throughout to guide the reader.
Preface xiii
Acknowledgments xvii
Chapter 1: The Fundamentals of Data 1
Base 2 Numbering System: Binary and Character Encoding 2
Communication in a Two-State Universe 3
Electricity and Magnetism 3
Building Blocks: The Origins of Data 4
Growing the Building Blocks of Data 5
Moving Beyond Base 2 7
American Standard Code for Information Interchange 7
Character Codes: The Basis for Processing Textual Data 10
Extended ASCII and Unicode 10
Summary 12
Notes 13
Chapter 2: Binary to Decimal 15
American Standard Code for Information Interchange 16
Computer as a Calculator 16
Why Is This Important in Forensics? 18
Data Representation 18
Converting Binary to Decimal 19
Conversion Analysis 20
A Forensic Case Example: An Application of the Math 20
Decimal to Binary: Recap for Review 22
Summary 23
Chapter 3: The Power of HEX: Finding Slivers of Data 25
What the HEX? 26
Bits and Bytes and Nibbles 27
Nibbles and Bits 29
Binary to HEX Conversion 30
Binary (HEX) Editor 34
The Needle within the Haystack 39
Summary 41
Notes 42
Chapter 4: Files 43
Opening 44
Files, File Structures, and File Formats 44
File Extensions 45
Changing a File's Extension to Evade Detection 47
Files and the HEX Editor 53
File Signature 55
ASCII Is Not Text or HEX 57
Value of File Signatures 58
Complex Files: Compound, Compressed, and Encrypted Files 59
Why Do Compound Files Exist? 60
Compressed Files 61
Forensics and Encrypted Files 64
The Structure of Ciphers 65
Summary 66
Notes 67
Appendix 4A: Common File Extensions 68
Appendix 4B: File Signature Database 73
Appendix 4C: Magic Number Definition 77
Appendix 4D: Compound Document Header 79
Chapter 5: The Boot Process and the Master Boot Record (MBR) 85
Booting Up 87
Primary Functions of the Boot Process 87
Forensic Imaging and Evidence Collection 90
Summarizing the BIOS 92
BIOS Setup Utility: Step by Step 92
The Master Boot Record (MBR) 96
Partition Table 102
Hard Disk Partition 103
Summary 110
Notes 111
Chapter 6: Endianness and the Partition Table 113
The Flavor of Endianness 114
Endianness 116
The Origins of Endian 117
Partition Table within the Master Boot Record 117
Summary 125
Notes 127
Chapter 7: Volume versus Partition 129
Tech Review 130
Cylinder, Head, Sector, and Logical Block Addressing 132
Volumes and Partitions 138
Summary 142
Notes 144
Chapter 8: File Systems FAT 12/16 145
Tech Review 145
File Systems 147
Metadata 149
File Allocation Table (FAT) File System 153
Slack 157
HEX Review Note 160
Directory Entries 161
File Allocation Table (FAT) 163
How Is Cluster Size Determined? 167
Expanded Cluster Size 169
Directory Entries and the FAT 170
FAT Filing System Limitations 174
Directory Entry Limitations 176
Summary 177
Appendix 8A: Partition Table Fields 179
Appendix 8B: File Allocation Table Values 180
Appendix 8C: Directory Entry Byte Offset Description 181
Appendix 8D: FAT 12/16 Byte Offset Values 182
Appendix 8E: FAT 32 Byte Offset Values 184
Appendix 8F: The Power of 2 186
Chapter 9: File Systems NTFS and Beyond 189
New Technology File System 189
Partition Boot Record 190
Master File Table 191
NTFS Summary 195
exFAT 196
Alternative Filing System Concepts 196
Summary 203
Notes 204
Appendix 9A: Common NTFS System Defined Attributes 205
Chapter 10: Cyber Forensics: Investigative Smart Practices 207
The Forensic Process 209
Forensic Investigative Smart Practices 211
Step 1: The Initial Contact, the Request 211
Step 2: Evidence Handling 216
Step 3: Acquisition of Evidence 221
Step 4: Data Preparation 229
Time 238
Summary 239
Note 240
Chapter 11: Time and Forensics 241
What Is Time? 241
Network Time Protocol 243
Timestamp Data 244
Keeping Track of Time 245
Clock Models and Time Bounding: The Foundations of Forensic Time 247
MS-DOS 32-Bit Timestamp: Date and Time 248
Date Determination 250
Time Determination 254
Time Inaccuracy 258
Summary 259
Notes 260
Chapter 12: Investigation: Incident Closure 263
Forensic Investigative Smart Practices 264
Step 5: Investigation (Continued) 264
Step 6: Communicate Findings 265
Characteristics of a Good Cyber Forensic Report 266
Report Contents 268
Step 7: Retention and Curation of Evidence 269
Step 8: Investigation Wrap-Up and Conclusion 273
Investigator's Role as an Expert Witness 273
Summary 279
Notes 280
Chapter 13: A Cyber Forensic Process Summary 283
Binary 284
Binary Decimal ASCII 285
Data Versus Code 287
HEX 288
From Raw Data to Files 288
Accessing Files 289
Endianness 290
Partitions 291
File Systems 291
Time 292
The Investigation Process 292
Summary 295
Appendix: Forensic Investigations, ABC Inc. 297
Glossary 303
About the Authors 327
Index 329
Albert J. Marcella, Jr., PhD, CISA, CISM, is President of Business Automation Consultants, LLC, a global information technology and management consulting firm providing IT management consulting, audit and security reviews, and training. He is an internationally recognized public speaker, researcher, workshop and seminar leader, and an author of numerous articles and books on various IT, audit, and security related subjects.
Frederic Guillossou, CISSP, CCE, is an Information Security Analyst with TALX, a division of Equifax. He regularly trains on intrusion prevention systems and has successfully led a number of forensic investigations in the field.
Praise For Cyber Forensics
"For novice and experienced examiners alike, this book is unlike many of its genre and actually keeps your interest from the first to the last page. The incorporation of an event necessitating an investigative effort, combined with an overview of the computer forensic methodology, is a must-read."
Detective Andy Hrenak, CFCE/A+/ACE/DFCB, Hazelwood Police Department, RCCEEG Forensic Examiner
"This book is a must-read for all practicing forensic professionals and students interested in gaining a deeper understanding of cyber forensics. The authors manage to explain cyber forensics in an unthreatening and understandable way! Good job, guys!"
Bruce Monahan, Chief Audit Executive, Selective Insurance Group, Inc.
"Marcella and Guillossou have created one of the most important resources for cyber forensic professionals available today. The need for understanding electronic data at its most basic level is critical to help ensure that a cyber forensic investigator or expert witness can confidently handle any legal cross-examination. If you want to gain the detailed knowledge of how 'bits' and 'bytes' of data become digital evidence, this book is for you!"
Doug Menendez, CISA, CIA, Audit Manager, Graybar Electric Company; coauthor, Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition
"This book is a solid foundation for anyone wishing to improve their forensic skills and provide stronger investigative and legal case support. The use of a fictitious case throughout the text to illustrate points and demonstrate process is very effective."
Jeff Lukins, Dynetics Technical Services, Inc.
"Cyber Forensics is the only book on computer forensics in which the authors take the bottom-up approach, explaining fundamentals of digital data storage and retrieval before discussing any forensic techniques. The book focuses more on the scientific concepts of computer forensics and less on the law-enforcement-related activities. This makes the book a perfect text for college-level computer science students."
Dr. Lydia Ray, Assistant Professor of Computer Science, Columbus State University
"The need for clear but detailed understanding is absolutely critical to effectively obtain and utilize digital data to any end, but especially for investigatory results. Messrs. Marcella and Guillossou have delivered on that need in their newest text, Cyber Forensics: From Data to Digital Evidence. This text will be added to my personal reference library immediately. Thank you, gentlemen, for your efforts and results for those of us that need this type of information."
Don Caniglia, CGEIT, CISA, CISM, FLMI, founder/CEO, ITRisk Management Services, LLC