Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition


System Forensics, Investigation, and Response, 3rd Edition, by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Email and the Law

There are specific laws in the United States that are applicable to email investigations. It is critical that you be aware of the relevant laws. Failure to adhere to the legal guidelines can render evidence inadmissible.

The Fourth Amendment to the U.S. Constitution

If an email message resides on a sender’s or recipient’s computer or other device, the Fourth Amendment to the U.S. Constitution and state requirements govern the seizure and collection of the message. Determine whether the person on whose computer the evidence resides has a reasonable expectation of privacy on that computer. The Fourth Amendment requires a search warrant or one of the recognized exceptions to the search warrant requirements, such as consent from the device owner.

The Electronic Communications Privacy Act

If an Internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under the Electronic Communications Privacy Act (ECPA). The ECPA creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers.

The ECPA requires different legal processes to obtain specific types of information:

  • Basic subscriber information—This information includes name, address, billing information including a credit card number, telephone toll billing records, subscriber’s telephone number, type of service, and length of service. An investigator can obtain this type of information with a subpoena, court order, or search warrant.

  • Transactional information—This information includes websites visited, email addresses of others with whom the subscriber exchanged email, and buddy lists. An investigator can obtain this type of information with a court order or search warrant.

  • Content information—An investigator who has a search warrant can obtain content information from retrieved email messages and also acquire unretrieved stored emails.

  • Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.

The CAN-SPAM Act

The CAN-SPAM Act of 2003 was the first law meant to curtail unsolicited email, often referred to as spam. However, the law has many loopholes. For example, you do not need permission before sending email. This means that unsolicited email, what most people consider spam to be, is not prohibited. The second issue is that it applies only to commercial emails—emails that are trying to sell some product or service. Therefore, mass emailings for political, religious, or ideological purposes are not covered by the CAN-SPAM Act.

The only requirement of CAN-SPAM is that the sender must provide some mechanism whereby the receiver can opt out of future emails, and that method cannot require the receiver to pay in order to opt out.

The law defines commercial email as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” This means that any mass emails that have no commercial purpose are not covered by this law.

All commercial email is required to offer ways for the recipient to opt out. Those methods must meet the following guidelines:

  • A visible and operable unsubscribe mechanism is present in all emails.

  • Consumer opt-out requests are honored within 10 days.

  • Opt-out lists, also known as suppression lists, can be used only for compliance purposes, not to be sold to other vendors/senders.

There are also restrictions on how the sender can acquire the recipient’s email address and how the sender can actually transmit the email. Those requirements are as follows:

  • A message cannot be sent through an open relay.

  • A message cannot be sent to a harvested email address.

  • A message cannot contain a false header.

This is important because these are the methods often used by people who send spam email. Spam is one crime that obviously lends itself to email forensics. Tracking down the original sender of the email is the first step in investigating spam. Unfortunately, the email is sometimes sent from offshore sites or relayed through an innocent third party’s servers. This makes prosecuting spam very difficult, and even if a judgment is obtained, in most cases it is impossible to enforce.

18 U.S.C. 2252B

You might already be at least somewhat familiar with the laws discussed earlier in this chapter. This law, however, is less well known. To begin, read the actual text of the statute. Findlaw.com details the law as:

  1. Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a person into viewing material constituting obscenity shall be fined under this title or imprisoned not more than 2 years, or both.

  2. Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a minor into viewing material that is harmful to minors on the Internet shall be fined under this title or imprisoned not more than 4 years, or both.

  3. For the purposes of this section, a domain name that includes a word or words to indicate the sexual content of the site, such as “sex” or “porn,” is not misleading.

  4. For the purposes of this section, the term “material that is harmful to minors” means any communication, consisting of nudity, sex, or excretion, that, taken as a whole and with reference to its context—

    1. predominantly appeals to a prurient interest of minors;

    2. is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable material for minors; and

    3. lacks serious literary, artistic, political, or scientific value for minors.

  5. For the purposes of subsection (d), the term “sex” means acts of masturbation, sexual intercourse, or physical contact with a person’s genitals, or the condition of human male or female genitals when in a state of sexual stimulation or arousal.

This law is about perpetrators who attempt to hide the pornographic nature of their website, often to make it more accessible to minors. This is a very serious concern, and one that sometimes arises in child predator cases.

The Communication Assistance to Law Enforcement Act

The Communication Assistance to Law Enforcement Act (CALEA), not to be confused with the law enforcement standards certification of the same name, is a U.S. wiretapping law passed in 1994.

CALEA’s purpose is to allow law enforcement and intelligence agencies to lawfully conduct electronic surveillance. It requires that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real time. CALEA is widely used, and a basic awareness of CALEA should be a part of every forensic investigator’s base knowledge.

The Foreign Intelligence Surveillance Act

The Foreign Intelligence Surveillance Act (FISA) of 1978 is a U.S. law that prescribes procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between foreign powers and agents of foreign powers, which may include U.S. citizens and permanent residents suspected of espionage or terrorism. The law does not apply outside the United States but may be encountered by a forensic investigator in researching intelligence even if it does not specifically regard espionage or terrorism. The law is an important part of many agencies’ approaches to information gathering. It has been amended frequently, so it is important to stay current on the latest revisions and court cases.

The USA Patriot Act

The USA Patriot Act of 2001 incorporates in its name a 10-letter acronym standing for Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism. The act was passed into law as a response to the terrorist attacks of September 11, 2001. It significantly reduced restrictions on law enforcement agencies’ gathering of intelligence within the United States; expanded the Secretary of the Treasury’s authority to regulate financial transactions, particularly those involving foreign individuals and entities; and broadened the discretion of law enforcement and immigration authorities in detaining and/or deporting immigrants suspected of terrorism and related acts. The act also expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the USA Patriot Act’s expanded law enforcement powers can be applied.

In May 2011, President Barack Obama signed the Patriot Sunsets Extension Act of 2011, a four-year extension of three key provisions of the Patriot Act: roving wiretaps, searches of business records, and surveillance of individuals who are suspected of terrorist-related activities but are not linked to any terrorist group (so-called lone wolves). The Patriot Act gives law enforcement dramatically enhanced powers for information gathering and should be part of a comprehensive knowledge base for any forensic investigator. As of this writing, the Patriot Act has again been extended and is still in force as of 2017.