Category: Computer Forensic & Cyber Applications

Internet Traces

Accessing the Internet leaves a wide variety of information on a computer, including Web sites visited, contents viewed, and newsgroups accessed. For instance, some Windows systems maintain a record of the accounts that are used to connect to the Internet. Additionally, some Windows systems maintain a log of when the modem was used (e.g., ModemLog.txt), and some Internet dial-up services maintain a detailed log of connections, such as the AT&T/IBM Global Network Dialer “Connection Log.txt” and “Message Log.txt”.

WEB BROWSING

When an individual first views a Web page, the browser caches the page and associated elements such as images on disk—the creation ...

Registry

Windows systems use the Registry to store system configuration and usage details in what are called “keys.” Registry files on Windows 95 and 98 systems are located in the Windows installation folder and are named “system.dat” and “user.dat.” The Registry on Windows NT/2000/XP consists of several hive files located in “%systemroot%\system32\config” and a hive file named “ntuser.dat” for each user account.

Log Files

Attribution is a major goal, and log files can record which account was used to access a system at a given time. User accounts allow two forms of access to computers: interactive login and access to shared resources. Both forms of access can significantly expand the pool of suspects in an investigation. If illegal materials are found on a computer, individuals with legitimate access to the computer are the obvious suspects. However, there is the possibility that someone gained unauthorized access to the computer and stored illegal materials on the disk. Similarly, if secret information is stolen from a computer ...

Data Recovery

There are two main forms of data recovery in FAT and NTFS file systems: recovering deleted data from unallocated space and recovering data from slack space.

WINDOWS BASED RECOVERY TOOLS

EnCase, FTK, and X-Ways

UNIX BASED RECOVERY TOOLS

Sleuth Kit and SMART

FILE CARVING WITH WINDOWS

Forensic tools such as EnCase, FTK, and X-Ways have file carving functionality and can be configured with user-defined file headers and footers. In addition, specialized file carving tools such as DataLifter (Figure 17.9) can recover many types of files, including graphics, word processing, and executable files. Some of these tools can extract images from ...

File Systems

The simplest Windows file systems to understand are the FAT (file allocation table) file systems: FAT12, FAT16, and FAT32. Although relatively old, FAT file systems are still used on many storage systems, such as removable storage media in digital cameras and mobile devices. Given their widespread use and simple structure, FAT file systems are a good starting point for forensic analysts to understand file systems and the recovery of deleted data. It is also important to understand the fundamentals of NTFS, which is more complex than FAT and has substantially different structures.

FAT

A FAT formatted volume uses directories and ...

Digital Evidence on Windows Systems

INTRODUCTION

Powerful commercial forensic tools have been developed to facilitate the forensic examination of Windows systems. In addition to being familiar with the tools and techniques for acquiring and examining digital evidence from a computer running Microsoft Windows, digital investigators should develop a familiarity with the underlying operating systems, file systems, and applications. Individuals who attempt to dabble in digital forensics without this underlying knowledge risk making fundamental mistakes that harm not only the case at hand but also the forensic discipline as a whole. Understanding file systems helps investigators appreciate how information is arranged, giving insight into where it can ...

Applying Forensic Science to Computers

Digital evidence examiners extract valuable bits from large masses of data and present them in ways that decision makers can comprehend. Flaws in the underlying material, or in the way it is processed, reduce the value of the final product. Digital investigators often perform all of the requisite tasks, from collecting, documenting, and preserving digital evidence to extracting useful data and combining them to create an increasingly clear picture of the crime as a whole. Digital investigators need a methodology to help them perform all of these tasks properly, find the scientific truth, and ultimately have the evidence admitted in court. ...

File Formats and Carving

Many kinds of files have a distinctive structure that was designed by software developers or standards bodies, and that can be useful for classifying and salvaging (retrieving or preserving) data fragments. For instance, a graphics file format such as JPEG has a completely different structure from Microsoft Word documents, starting with the first few bytes at the beginning of the file (the “header”), continuing into the locations where data are stored in the main body of the file, and terminating with a few distinctive bytes at the end of the file (the “footer”). The headers and footers for some common file ...

Cyberstalking

Cyberstalking is the use of the Internet or other electronic means to stalk or harass an individual, a group of individuals, or an organization.

HOW ARE VICTIMS STALKED?

False accusations, making threats, identity theft, the solicitation of minors for sex, and monitoring.

TYPES OF STALKERS

Vindictive Cyberstalkers: They are noted for the ferocity of their attacks.
Composed Cyberstalkers: Their only motive is to annoy.
Intimate Cyberstalkers: They attempt to form a relationship with the victim but turn on them if rebuffed.
Collective Cyberstalkers: Groups with a motive.

HOW DO CYBERSTALKERS MEET THEIR TARGETS?

Search engines, online forums, chat rooms, online communities ...

Conducting Digital Investigations

PHYSICAL MODEL

STAIRCASE MODEL

The goal of any investigation is to uncover and present the truth. Digital investigations inevitably vary depending on technical factors such as the type of computing or communications device; on whether the investigation is in a criminal, civil, commercial, military, or other context; and on case-based factors such as the specific claims to be investigated. The most common steps for conducting a complete and competent digital investigation are: Preparation; Survey/Identification; Preservation; Examination and Analysis; and Presentation.

APPLYING THE SCIENTIFIC METHOD IN DIGITAL INVESTIGATIONS

The scientific method provides such a simple, flexible methodology. The scientific method begins ...