FOREWORD

Practical Forensic Imaging is much needed, and comes at a most opportune time. In recent years, preservation of digital evidence has become crucial in corporate governance, regulatory compliance, criminal and civil actions, and military operations. This trend is not geographically constrained but applies across the majority of continents, including developing countries.

Savvy organizations preserve pertinent computer systems when handling human resource complaints, policy violations, and employment termination. Some organizations even preserve data proactively, particularly for regulatory compliance purposes. This book provides scalable solutions that can be implemented across an enterprise for reasonable cost.

Most criminal cases involve digital evidence, and responsibility to preserve the data is increasingly falling on small law enforcement agencies with limited resources or training. Practical Forensic Imaging is an invaluable resource for such agencies, delivering practical solutions to their everyday problems.

Civil matters can involve large quantities of data spread across many data sources, including computers, servers, removable media, and backup tapes. Efficient and effective methods are crucial in such circumstances, and this book satisfies these requirements as well.

Given the increasing importance of preserving digital evidence in a multitude of contexts, it is critical to use proper preservation processes. Weaknesses in the preservation process can create problems in all subsequent phases of a digital investigation, whereas evidence that has been preserved using forensically sound methods and tools provides the foundation to build a solid case.

Furthermore, the growing need to preserve digital evidence increases the demand for tools that are dependable, affordable, and adaptable to different environments and use cases.

Practical Forensic Imaging addresses these requirements by concentrating on open source technology. Open source tools have these advantages: high transparency, low cost, and potential for adaptability. Transparency enables others to evaluate the reliability of open source tools more thoroughly. In addition to black box testing using known datasets, the source code can be reviewed.

Reducing the cost of forensic preservation is important both for agencies with limited resources and for organizations that have to deal with large quantities of data.

Being able to adapt open source tools to the needs of a specific environment is a major benefit. Some organizations integrate open source tools and preservation tools into automated processes within their enterprise or forensic laboratory, while others deploy these same tools on portable systems for use in the field.

There is a steep learning curve associated with all digital forensic processes and tools, particularly open source tools. Bruce Nikkel’s extensive experience and knowledge is evident in the impressive clarity of the technical material in this book, making it accessible to novices while interesting to experts.

Starting with the theory and core requirements of forensic imaging, this book proceeds to delve into the technical aspects of acquiring forensic images using open source tools. The use of SquashFS is simple but quite clever and novel, providing a practical open source solution to a core aspect of forensic imaging. The book closes with discussion of the important steps of managing forensic images and preparing them for forensic examination.

Practical Forensic Imaging is an indispensable reference for anyone who is responsible for preserving digital evidence, including corporations, law enforcement, and counter-terrorism organizations.

Eoghan Casey, PhD

Professor in Cybercrime and Digital Investigations

School of Criminal Sciences

Faculty of Law, Criminal Sciences and Public Administration

University of Lausanne, Switzerland

August 2016