Chomsky hierarchy of languages, 494
civil discovery, 8–9
civil justice system, 359–364
civil lawsuit, 359–364
client-based e-mail, 240, 243–261
clients
mail, 234
MSN Messenger client, 329
Terminal Services Client, 328–329
CMP utility, 380
collecting evidence. See evidence collection
collection/preservation phase, 16–17
collections. See also acquisitions
live file, 230–231
network, 122
remote, 112–122
collections agency case study, 62
communications
corporate fraud and, 442
employee fraud, 430–432
indicating corruption, 430–432
communications chatter, 489–490
CompactFlash cards, 39
compressed files, accessing, 202–203
compression
during data acquisition, 95, 117
described, 202
Mac systems, 192
methods for, 202–203
computer forensic laboratory. See forensic laboratory
computer forensics. See forensics
computers. See also operating systems
acquisition units, 49
analysis units, 49–50
BIOS, 24–25, 66
bottom-up view of, 20–25
ERP systems, 377
forensic, 48–53
host, 48
layers of, 20, 21
mainframe, 376–377
memory. See memory
mobile, 50–51
role of, 49
suspect. See suspect systems
conflicts of interest, 427
consumer fraud, 471–491
accounting fraud, 440–444, 484–485
check fraud, 425–426, 489
communications chatter, 489–490
data destruction, 490–491
falsification of official documents, 485–486
fraud for profit schemes, 486–489
identity theft, 475–477, 480–482
impact on consumers/public, 474
investigations, 474–475
investment fraud, 482–485
litigation, 474–475
mortgage fraud, 486–491
overview, 472–473, 491
phishing Web sites, 478–480
proof of income forgery, 489
pump-and-dump schemes, 457, 483
pyramid schemes, 483
ramifications of, 473–475
regulatory environment, 474
remote transfer of personal data, 482
spam attacks, 477–478
theft of credit card data, 8, 475–477
theft of personal records, 481–482
types of, 475–491
cookies
embezzlement and, 426–427
finding information in, 288–290, 293, 327, 328
Internet browsing, 193, 288–290, 293
webmail and, 327, 328
Web sites, 283, 288–290, 293
copyrights, 381–384
corporate fraud, 435–452
accounting fraud, 440–444
“creative accounting,” 440–441
data destruction, 443–444
defined, 437
detecting file modification, 444, 451–452
Enron scandal, 437–438
fighting, 436–437
fraud for profit schemes, 403–404
growth of, 436
identifying involved parties, 442
impact on shareholders/public, 437–438
insider trading, 445–447
investigations, 439
litigation, 439
overview, 7, 436–437
ramifications of, 437–439
regulatory changes and, 438–439
securities fraud, 444–452
stock option backdating, 449–451
types of fraud, 439–452
types of investigations, 7
corporations
external breaches, 8
resources, 399–404
trade secrets, 6–7, 381–384
as victims of fraud, 284
corruption, 427–432
court-appointed experts, 365
court reporter, 363
covert collections, 120–121
covert investigations, 110–112
credit card data, theft of, 8, 475–477
crimes. See also cyber crime; specific crimes
considerations, 359
federal vs. state, 358–359
financial, 436–437, 439
criminal court system, 358–359
criminal investigations, 9
cross-validation, 12
cryptographic hashes, 14, 17, 92
customer data, 374–378, 481–482
customers, loss of, 372, 412–414
cyber crime, 453–469. See also crimes
fake identities, 466, 469
hacking attacks, 457–465
malware, 457–463
money laundering, 465–469
overview, 454
Russian Business Network, 455–456
shell companies, 466–467, 468
Cygwin, 227–228
cylinder, 30
D
data
access to, 375–378
acquisition parameters, 16
analyzing, 128–129
changing, 122
collection of, 16–17
customer, 374–378, 481–482
destruction of. See data destruction
identification of, 15–16
missing during indexing, 232–234
normalizing, 190
personal, 481–482
preservation of, 16–17
previewing, 16
quantity, 15
recovering. See data recovery
scope, 15
source, 16
subtrees, 232
theft of, 374–375
unallocated, 142–148
wiped, 212–215, 217
databases
financial, 484, 485
magic, 199
relational, 376
SQLite, 293
data carving, 219
data destruction
backups and, 443
consumer fraud, 490–491
corporate fraud, 443–444
e-mail, 443
files, 59
finding evidence of, 443–444
in mortgage cases, 491
outsourcing, 59
data recovery
complete files, 144–145
deleted files, 138–150
file fragments, 146–147
INFO records, 151
limitations, 149–150
LNK files, 154
memory dumps, 159
NTFS partitions, 137–138
pagefile, 151–152
printed documents, 153
datasets, 14, 232
data storage, 52–53
DAT (digital audio tape) drives, 33
DBX files, 252–256
dcfldd tool, 82
DDS (Digital Data Storage), 33
DDS drives, 33
dd tool, 81–82, 228, 229
Debian Linux, 169
declarations, 343, 346–350
defragment utility, 140
Deleted items, 139
deponents, 363
depositions, 363
deposition testimony, 363
Device Seizure, 306–325
bookmarking data, 320–321, 322
cell phone data, analyzing, 336–337
cell phone evidence, collecting, 332–336
exporting files with, 322
older versions, 337–338
Palm-based devices, acquisition of, 309–311
Palm-based devices, analysis of, 317–320
plug-ins, 306–309
reporting with, 322–325
running programs with, 321
Windows-based devices, 311–317
Device Seizure Toolbox, 50–51
DIFF utility, 380
digital audio tape (DAT) drives, 33
digital camera, 55
Digital Data Storage (DDS), 33
digital linear tape (DLT), 33–34
digital signatures, 14
digital video disc (DVD) format, 36–37
directories, 134, 164, 183, 401
directory entries, 133–134
disasters, 44, 47
discovery
civil, 8–9
electronic, 15, 222
discovery phase, 361
discrimination, 404–405
disk images. See images
disks. See also drives
floppy, 31–32
GPT, 179
hard, 26–30, 133, 134, 462
Mac systems, 178–186
recovering data remnants, 217
wiped, 212–215, 217
Distributed Network Attack (DNA), 211
.DLL files, 313–314
DLT (digital linear tape), 33–34
DLT drives, 33–34
DNA (Distributed Network Attack), 211
documents, 341–355. See also files; reports
affidavits, 343, 350
authorship history, 16
changes to, 444, 451–452
declarations, 343, 346–350
detecting modification of, 444, 451–452
expert reports, 343, 351–355
falsified, 485–486
internal reports, 343–346
links to, 16
modified times, 16
overview, 342–343
screenshots, 342
DOD guidelines, 68
DOJ (US Department of Justice), 418
Domino server, 236–237
doors, 46
DOS boot disk, 71–92
DOS systems
acquiring evidence in, 71
downtime and, 95
Dr. Watson error handler, 158–159
drives. See also disks
accidentally writing to, 67–68
bagging/tagging, 93
DAT, 33
DDS, 33
DLT, 33–34
encrypted, 122–125
FireWire, 125–126
floppy, 31–32
forensically imaging, 66–92
fragmented, 140, 146–148
IDE, 30
imaging in Helix, 84–88
imaging SMART, 82–84
imaging with dd, 81–82
imaging with FTK Imager, 88–92
imaging with Linux, 81–82
imaging with write-blockers, 78–81
LTO, 34
Master Boot Record, 132
MD5 hash of, 76
multi-loaders, 34
physical, 115–116
preventing modification to, 67–92
recording cryptographic hashes, 92
reformatting, 217–219
remote collections, 112–122
removing from suspect system, 65
SAS, 29
tape backup, 32–35
thumb. See USB thumb drives
USB. See USB drives
wiping before using, 68–71
drive-wiping, 149–150
dtSearch system, 233–234
dump files, 376, 377–378
DVD (digital video disc) format, 36–37
DVDs, burning, 384–385
E
EDB dumpsters, 443
EDRM (Electronic Discovery Reference Model), 15
EEOC (Equal Employment Opportunity Commission), 396, 404
EEO (Equal Employment Opportunity) laws, 396
EIDE drives, 28
electronically stored information (ESI), 361
electronic discovery, 15, 222
Electronic Discovery Reference Model (EDRM), 15
e-mail, 239–271. See also web-based e-mail
aliases, 430–431
analyzing artifacts, 240, 244–265
analyzing headers, 267–271
AOL, 257–261, 271
client-based, 240, 243–261
converting formats, 241
corporate fraud and, 442
date range filtering, 442
destruction of, 443
determining when opened, 448–449
in embezzlement/larceny, 425
evidence of personal profit, 403
Exchange, 449
gap analysis, 443
Hotmail, 265
Hushmail, 265–267
indicating corruption, 430–432
IP theft and, 385–386
Mac systems, 192–193
malware on, 462
Mobile Outlook, 326–328
from online sources, 241–243
personal, 431
phishing timeline, 480
Pocket Outlook, 326–328
remnants, 261
securities fraud and, 448–449
sender/receiver message counts, 444
shell companies and, 468
spam. See spam
threatening/discriminatory messages, 406–407
tracking users via, 275–277
UNIX, 256–257
Yahoo!, 262–265
E-mail Detective, 258
E-mail Examiner
examining AOL artifacts, 258–261
examining OE artifacts, 252–253
examining Outlook artifacts, 244–247
examining UNIX artifacts, 256
embezzlement, 421–427
employee fraud, 417–434
asset misappropriation, 421–427
bribery, 428–431
check fraud, 425–426
civil lawsuits, 420
communications, 430–432
conflicts of interest, 427
corruption, 427–432
criminal penalties, 420
determining “story” of, 432–433
embezzlement, 421–427
estimating losses, 433
handling, 432–434
increase in, 418
investigating, 419–420
kickbacks, 428–431
larceny, 421–427
monetary loss from, 419
overview, 7, 418–419
ramifications of, 419–420
social networks, 430–432
tracing assets, 426–427
types of fraud, 420–432
types of investigations, 7
working with outside specialists, 434
working with senior management, 433
employee misconduct, 393–415
analyzing incidents, 412–415
determining intent, 413–414
discriminatory messages, 406–407
disruptive work environment, 395–396
employment agreement violations, 407–412
estimating damages, 414
harassment, 404–405
inappropriate use of resources, 399–404
investigations by authorities, 396
IP theft, 409–410
job discrimination, 404–405
lawsuits against employer, 396–397
monetary loss, 397–398
overview, 394–395, 412–413
pirated/malicious installed software, 401–402
ramifications of, 395–398, 412, 413
threatening messages, 406–407
types of, 398–412
using resources for personal gain, 403–404
working with outside counsel, 415
working with senior management, 414–415
employees
discrimination, 404–405
as fact witnesses, 343–344
fraud. See employee fraud
harassment, 404–407
insider trading, 445–447
IP theft, 409–410
misconduct. See employee misconduct
non-compete agreements, 407–409
non-solicitation agreements, 407–412
privacy issues, 98–99
securities fraud, 444–452
employment discrimination/harassment, 404–405
EnCase DOS boot disk, 71–92
EnCase Enterprise tool, 44–45, 123
EnCase Forensic Edition, 122
EnCase tool
accessing compressed files with, 203
collecting PDA evidence, 331–332
consecutive sectors analyzer, 213
drive wiping with, 68–71
examining AOL artifacts, 260
examining OE artifacts, 253, 254
examining Outlook artifacts, 247–248
examining UNIX artifacts, 256
examining Yahoo! artifacts, 263
FASTBLOC and, 54
file signature analysis, 199–200, 201
image indexing, 234
rebuilding RAIDs, 223
recovering complete files, 144
recovering deleted files, 141–142
recovering FAT partitions, 135–136
recovering file fragments, 146–147
recovering INFO records, 151
recovering NTFS partitions, 137–138
remote analysis with, 100–105
remote collections with, 113–117
searching IE history, 284
verifying images with, 94
encoding, 200
encoding methods, 200–202
encrypted files, 124–125
encrypted volumes/drives, 122–125
encryption, 205–215. See also anti-forensic techniques
alternate ledgers, 485
asymmetric key, 209–211
OCE, 247–248
Pretty Good Privacy, 330–331
ROT13, 159–160, 299–302
solutions to, 211–215
steganography detection tools, 211–212
symmetric key, 206–209
Enron scandal, 437–438
EnScript feature, 144, 151, 284
enterprise environment, 222–224
enterprise storage analysis, 221–238
entropy testing, 206
environmental damage, 47–48
environmental safeguards, 44
Equal Employment Opportunity Commission (EEOC), 396, 404
Equal Employment Opportunity (EEO) laws, 396
Equallogic unit, 53
equipment manuals, 56
ERP systems, 377
ESI (electronically stored information), 361
Estonian-Russian conflict, 456
event logs, 464
evidence
access to, 43–47
attacks on network-collected, 121
bagging/tagging, 93
on cell phones, 332–336
chain of custody. See chain of custody
challenging authenticity of, 121
collecting. See evidence collection
communicating with clients, 95
custodians of, 360
destruction of. See data destruction
on disks/drives. See disks; drives
DOS systems, 71
embezzlement/larceny, 421–427
handling, 13, 57–58
of improper competition, 411–412
investigator use of, 11
Hacking Exposed Page 52