misplacing, 57–58
on mobile devices, 305–325
modifying original, 67–68
of non-traceable assets, 467
overabundance of, 230–231
of personal profit schemes, 403–404
privacy issues, 98–99
protecting, 45–47
protective orders and, 139, 217
remote collections, 112–122
remote investigations, 99–112
of shell companies, 468
of solicitation, 411
subpoenaed, 347
tracking systems, 58
evidence collection
common mistakes in, 94–95
importance of, 64
overview, 64
from single system, 64–94
evidence files, naming, 117
evidence lockers, 46–47
evidence logs, 57–58
Exchange dumpsters, 443
Exchange e-mail, 449
Exchange servers, 235–237
expert consultants, 344, 364–365
expert reports, 343, 351–355
expert status, 364–366
expert witnesses
reports by, 343, 351–355
role of, 344
testimony by, 364–366
expressions, regular, 494–497
ext2 structure, 162–164
ext3/ext4 structure, 165
extents overflow file, 186
external breach investigations, 8
F
fake identities, 466, 469
falsified documents, 485–486
FASB (Financial Accounting Standards Board), 440
FASTBLOC, 50, 54
FastBloc Hardware Write-Blocker, 78–81
FAT (File Allocation Table), 183
FAT directories, 134
FAT file systems, 132–136, 139
FAT tables, 139
FBI (Federal Bureau of Investigation), 396
Federal Bureau of Investigation (FBI), 396
Federal Trade Commission (FTC), 473, 474
Fedora Linux, 169
File Allocation Table. See FAT
file command, 199
file destruction, 59
file extension renaming, 198–200
file fragments, 146–148
FILE ID attribute, 186
filenames, changes to, 424, 484–485
files. See also documents
active, 230–231
compressed, 202–203
DBX, 252–256
deleted, 138–150, 186–191
.DLL, 313–314
dump, 376, 377–378
encrypted, 124–125
hostname lookup, 459–460
inodes, 163–164
link, 387, 402
LNK, 153–154, 486
log. See log files
Mac systems, 186–194
NSF, 236–237
OCE, 247–248
Office, 157–158
OST, 241
pagefile, 152
past filenames, 282–283
prefetch, 463, 464
preserving with RoboCopy, 231
preserving with XXCopy, 231
printed, 153
.PXL, 320
recovering complete files, 144–145
recovering deleted, 138–150
recovering from slack space, 215–216
startup, 458–459
swap, 194
temporary, 463
wiping, 212–215
Word, 158
file signaturing, 199–200, 201
file systems
analysis of, 465
FAT, 132–136, 139
HFS, 176, 183
Joliet, 35–36
Linux systems, 162–167
Mac OS, 176, 183–186
NTFS, 132, 133, 136–138, 139
Windows, 132–138
file type searches, 485
file wiping, 212–215
Financial Accounting Standards Board (FASB), 440
finding items. See searches
Firefox, 291–298
FireFox Forensics tool, 292
fire protection, 47
fires, 44, 47
FireWire disk mode, 178
FireWire IDE drives, 125–126
FLINKS (forward links), 184
flip-flops, 22–23
floods/flooding, 44, 48
floppy disks, 31–32, 462
fls tool, 167
flyaway kit, 55–56
folders, recovering, 218
foreign banks, 467
forensic accountants, 427
forensic computers, 48–53
forensic evidence. See evidence
forensic hosts, 48–51
forensic imaging, 64, 66–92
forensic investigations. See investigations
forensic investigators. See investigators
forensic laboratory, 42–60
computers, 48–53
environmental damage, 47–48
flyaway kit, 55–56
hardware tools, 53–55
network access, 43, 44–45
overview, 42
physical access, 43–47
“poor man’s shop”
protecting, 44
security, 43–47
software tools, 54–55
spoliation of evidence, 43–44
forensics, 1–18. See also investigations
accounting systems, 427
archive management, 13, 18
collection/preservation phase, 16–17
considerations, 93
cross-validation, 12
defined, 6
defining a process, 15–17
elements of a good process, 12–15
identification phase, 15–16
increased use of, 358
money laundering, 467–469
technical competency, 13–14
forensic science. See forensics
forensic system, 64
Forensic Talon tool, 50
Forensic Toolkit. See FTK
forensic tools, 53–55
forgery, 425, 426, 433, 489
forms, 55, 56–57
forward links (FLINKS), 184
Fowler-Nordheim tunneling, 38
fragmentation, 140, 146–148
fraud
accounting, 440–444, 484–485
check, 425–426, 489
consumer. See consumer fraud
corporate. See corporate fraud
employee. See employee fraud
increase in, 418
investment, 482–485
mortgage, 486–491
Nigerian e-mail scam, 472
pump-and-dump scam, 457, 483
securities, 444–452
fraud for profit schemes, 403–404, 486–489
FTC (Federal Trade Commission), 473, 474
FTK (Forensic Toolkit)
accessing compressed files with, 203
data-carving functionality, 219
dtSearch indexing engine, 233–234
examining AOL artifacts, 260–261
examining OE artifacts, 253, 255
examining Outlook artifacts, 248–249
examining UNIX artifacts, 257
examining Yahoo! artifacts, 264
identifying asymmetric key encryption, 210
identifying symmetric key encryption, 206
parsing unallocated space, 148
FTK Imager, 88–92
FTL (Forensic Tool Kit), 148
full-text indexing, 231–234
G
GAAP (generally accepted accounting principles), 440, 441
GAAS (generally accepted auditing standards), 440
Galleta program, 289–290
gap analysis, 443
generally accepted accounting principles (GAAP), 440, 441
generally accepted auditing standards (GAAS), 440
Gentoo Linux, 169
Glimpse program, 233
GPT (GUID Partition Table), 176, 179
GPT disk, 179
GPT partitions, 180–183
Grep tool, 257
grey codes, 28
group descriptors, 163
GroupWise server, 237
GUID Partition Table. See GPT
H
hackers, tracking activity of, 464–465
hacking
bots, 455–463
hack reconstruction, 464–465
malware, 457–463
traditional hacks, 463–465
types of hacks, 457–465
harassment, employee, 404–407
HardCopy tool, 50
hard disks, 26–30, 133, 134, 462
hard drive interface, 28–29
hard drive layout, 133, 134
hardware
labeling, 55, 57
mobile investigator, 50–51
poorly configured, 49
hardware systems, 51–52
hardware tools, 53–55
hash analysis, 14, 92, 388, 460
hashes, cryptographic, 14, 17, 92
head, 30
head actuators, 27–28
head number, 30
Helix, imaging drives with, 84–88
HFS (Hierarchical File System), 176, 183
HFS+ volume, 176
Hierarchical File System (HFS), 176, 183
history. See Internet history
host computers, 48
hostname lookup files, 459–460
Hotmail, 265, 271
Hushmail, 265–267
I
ICAT tool, 167
IDE drives, 30, 53
identity theft, 475–477, 480–482
Image MASSter Solo 3 Forensic system, 54
images
authentication, 17
creation of, 17
mounting (Linux), 172
raw, 94
verification of, 93–94
imaging, forensic, 64, 66–92
IMs (Instant Messages), 406
indexing, 231–234
INFO records, 151
injunctive relief, 360
inodes, 163–164
insider trading, 445–447
Instant Messages (IMs), 406
intellectual property. See IP theft
internal reports, 343–346
Internet. See also Web sites
tracking activity on, 283–298
using during investigations, 45
Internet browsing
cache, 290–295
cookies, 193, 288–290, 293
Internet cache. See also cache
browsing and, 290–295
e-mail recovery, 261–267
embezzlement and, 426–427
IP theft and, 377–378, 384, 388
Internet Explorer, 283–291
Internet history
detecting phishing access, 478–479
determining malware capabilities, 462–463
determining malware entry vector, 461
determining when e-mail was opened, 448–449
embezzlement and, 426–427
hack reconstruction, 465
IP theft and, 377–378, 384, 388
malware and, 461, 463
Internet-hosted e-mail. See web-based e-mail
Internet SCSI (iSCSI), 224
interrogatories, 362
investigations. See also forensics
accounting fraud, 440–444, 468, 484–485
analysis phase, 17
archive management, 13, 18
check fraud, 425–426, 489
civil discovery and, 8–9
collection/preservation phase, 16–17
consumer fraud. See consumer fraud
corporate fraud. See corporate fraud
corruption, 428–432
covert, 110–112
criminal, 9
cross-validation, 12
defining a process, 15–17
documenting. See documents
elements of a good process, 12–15
embezzlement/larceny, 421–427
employee fraud. See employee fraud
employee misconduct. See employee misconduct
external breach, 8
flexibility, need for, 14–15
identification phase, 15–16
investment fraud, 483–485
IP theft. See IP theft
lawsuits and, 360
legal issues. See lawsuits; litigation
money laundering, 467–469
mortgage fraud, 486–491
post-investigation activities, 18
privacy issues, 98–99
production/presentation phase, 17
remote, 99–112
technical competency, 13–14
theft of trade secrets, 6–7, 381–384
tracing assets, 426–427
types of, 6–9
investigators
bias, 10
credibility of, 9
handling of evidence, 11, 13, 57–58
liability, 11
“newbies,” 10–11, 14
qualifications, 10–11
role of, 9–12
technical competency, 13–14
tips for, 11–12
investment fraud, 482–485
iPhones, 307, 407
iPlanet mail server, 238
IP theft
analyzing incidents, 389–392
burning CDs/DVDs, 384–385
customer data access, 375–378
customer data theft, 374–375
detecting wiping, 388–389
determining intent, 390
e-mail and, 385–386
employees and, 409–410
estimating damages, 390–391
“insiders” and, 375
Internet cache and, 377–378, 384, 388
loss of competitive advantage, 372
loss of customers, 372
monetary loss, 372–373
outsourcing and, 374
overview, 370–371
proprietary information, 381–384
ramifications of, 371–373
source code/program theft, 378–381
technology theft, 378–380
trade secrets, 6–7, 381–384
types of, 373–389
USB drives and, 386–388
working with outside counsel, 392
working with senior management, 391–392
iSCSI (Internet SCSI), 224
J
Joliet file system, 35–36
journal entries, 431
journaling, 165
justice system, 357–366. See also lawsuits
civil, 359–364
consultants, 364–366
criminal, 358–359
depositions, 363
discovery phase, 361
interrogatories, 362
overview, 358
plaintiffs, 359–360
requests for production, 362
trial phase, 364
witnesses. See witnesses
K
keyloggers, 128
keyname, 154–155
keyword searching, 218
kickbacks, 428–431
Kleene, Stephen, 494
L
labels, 55, 57
laboratory. See forensic laboratory
lab preparations, 2–3
larceny, 421–427
Large Block Addressing (LBA), 30
laundering accounting ledgers, 468
lawsuits. See also justice system; litigation
appeals, 18
civil, 359–364
civil discovery, 8–9
consultants, 364–366
criminal, 358–359
depositions, 363
discovery phase, 361
against employer, 396–397
interrogatories, 362
involving employee misconduct, 397
legal compliance, 14
motions, 346
nonrelevant documents, 362
patent-related, 373
plaintiffs, 359–360
privileged documents, 362
protective orders, 139, 217
requests for production, 362
subpoenas, 347
testimony, 363–366
trial phase, 364
witnesses. See witnesses
Lazarus tool, 172–173, 219
LBA (Large Block Addressing), 30
legal compliance, 14
legal issues. See lawsuits; litigation
liability, investigator, 11
libDBX program, 254–256
libPST package, 250–251
linear tape-open (LTO), 34
link files, 387, 402
Linux systems, 161–174
analyzing swap space, 174
BASH shell, 170
Debian Linux, 169
deleted files/partitions, 167–168
determining printer auditing, 171–172
directories, 164
distributions, 168–170
downtime and, 95
e-mail, 256–257
Fedora Linux, 169
file systems, 162–167
Gentoo Linux, 169
group descriptors, 163
imaging drives with, 81–82
inode structure, 163–164
investigating, 166–174
Mandrake Linux, 169
mounting images, 172
overview, 162
partitions, 166
printer activity, 171–172
rebuilding RAIDs, 223–224
recovering deleted files, 167–168
Red Hat Linux, 169
root directory, 164
SAN disks, 225–226
searching/recovery process, 174
searching unallocated space, 172–173
shells, 170–171
SMART drive imaging, 82–84
SUSE Linux, 169
swap methods, 166
tcsh shell, 171
tracking user activity, 170–171
Ubuntu Linux, 169
vs. Windows systems, 59–60
wiping drives, 71
litigation. See also lawsuits
appeals, 18
civil discovery, 8–9
consumer fraud, 474–475
corporate fraud, 439
legal compliance, 14
testimony, 363–366
live file collections, 230–231
LNK files, 153–154, 486
lock-out controls, 46
log files
chat logs, 406
event logs, 464
evidence logs, 57–58
network logs, 463, 480
OS user logs, 298–302
phone logs, 407
UserAssist logs, 213–214, 402, 464
logging in/out, 157
logical partitions, 115–116
logical volumes, 53
lookup files, 459–460
Lotus Domino Mail Server, 236–237
Lotus Notes, 236–237
LTO (linear tape-open), 34
LTO drives, 34
M
Hacking Exposed Page 53