MAC (Media Access Control), 158
MAC addresses, 158, 280–282
Mac OS X, 177
Mac systems, 175–195
  compression, 192
  considerations, 177–178, 195
  date/time stamps, 192
  deleted files, 186–191
  directories, 183
  disks, 178–186
  e-mail, 192–193
  evolution of Mac OS, 176–178
  file IDs, 186
  files, 186–194
  file systems, 176, 183–186
  FireWire disk mode, 178
  as forensics platform, 195
  forensic tools, 178
  memory, 194
  overview, 176
  partitions, 176, 178–186
  pruned nodes, 190–191
  resources, 193
  system files, 194
  unallocated space, 189–191
  unindexed files, 190–191
  viewing disks/images, 178–186
MAC times, 133, 153
Madoff, Bernard, 437–438, 472
magic database, 199
magnetic media, 26–35
mail clients, 234
mail servers, 234–238
mainframe systems, 376–377
malware, 457–463
  bot/remote control, 457–463
  in e-mail, 462
  identity theft, 480–481
  Internet history and, 461–463
  locally installed, 481
  manually installed, 481
  organized cyber crime, 457–463
  on USB drives, 462, 481
Mandrake Linux, 169
manuals, 56
Master Boot Record (MBR), 24, 132
Master File Table. See MFT
MBR (Master Boot Record), 24, 132
MD5 algorithm, 17, 76, 82–84, 92, 122
media
  CD-ROM. See CD-ROMs
  checking for, 66
  DVDs, 36–37, 384–385
  floppy disks, 31–32, 462
  magnetic, 26–35
  memory technologies, 37–40
  optical, 35
  rotational, 32
  source, 16
  tape. See tapes
  types of, 25–40
Media Access Control. See MAC
MediaMerge for PC (MM/PC), 229
memory. See also cache
  flip-flops, 22–23
  nonvolatile, 24
  overview, 22
  RAM, 22, 23–24, 305
  ROM, 39–40, 305
  virtual, 152, 194
  volatile, 22–24
memory dumps, 158, 159
memory sticks, 39
memory technologies, 37–40
MFT (Master File Table), 136–137, 213
MFT tables, 139
Microsoft Backup, 236
Microsoft Exchange, 235–237
Microsoft Exchange Server, 236
Microsoft Office
  Auto Save feature, 278
  document metadata, 157–158
  e-mail review, 275–277
  as forensics tool, 274–283
  past filenames, 282–283
  Quick Save feature, 277–278
  recovering undo information, 277–280
  Word 97 MAC address, 280–282
Microsoft Outlook, 244–251
Microsoft Outlook Express, 252–256
MIME encoding, 238, 256
misconduct. See employee misconduct
MM/PC (MediaMerge for PC), 229
MMS (Multimedia Messaging Service), 334
mobile devices, 303–338
  Blackberry devices, 306, 307, 407
  cell phones. See cell phones
  collecting evidence on, 305–325
  Device Seizure. See Device Seizure
  iPhones, 307, 407
  MSN Messenger, 329
  overview, 304–305
  Palm-based. See Palm-based devices
  passwords, 330–338
  PDAs, 50–51
  PGP Mobile, 330–331
  Pocket/Mobile Outlook e-mail, 326–328
  security issues, 330–331
  Terminal Services Client, 328–329
  Windows-based devices, 311–317
mobile investigator, 50–51
Mobile Outlook e-mail, 326–328
mobile units, 50
Mobile Windows. See also Windows-based devices
  MSN Messenger client, 329
  passwords, 331–338
  Terminal Services Client, 328–329
money laundering, 465–469
mortgage fraud, 486–491
most recently used (MRU), 402
motions, 346
Mozilla, 257. See also Firefox
MRU (most recently used), 402
MRU entries, 402
MSN Messenger, 329
multi-loaders, 34
Multimedia Messaging Service (MMS), 334
N
name sector, 30
NAND gates, 21
NASD (National Association of Securities Dealers), 445
NAS (Network Attached Storage) systems, 52, 53, 224
National Association of Securities Dealers (NASD), 445
National Software Reference Library (NSRL), 460
NEMX (Network E-mail Examiner), 235, 237, 238, 241
NetAnalysis tool, 292, 296–298
Netscape Navigator, 257, 271
Network Attached Storage (NAS) systems, 52, 53, 224
Network E-mail Examiner (NEMX), 235, 237, 238, 241
network logs, 463, 480
networks
  access to, 43, 44–45
  Distributed Network Attack, 211
  remote collection tools and, 113
  Russian Business Network, 455–456
  social, 430–432
  Storage Area Network, 52, 53
Nigerian e-mail scam, 472
NIST, 54
nodes, 184
non-compete agreements, 407–409
nonrelevant documents, 362
non-solicitation agreements, 407–412
nonvolatile memory, 24
normalizing data, 190
notepad, 55
Notes Storage Facility (NSF) files, 236–237
Novell’s GroupWise mail server, 237–238
NSF (Notes Storage Facility) files, 236–237
NSRL (National Software Reference Library), 460
NSRL hash sets, 460
NTFS alternate data streams, 204
NTFS file systems, 132, 133, 136–138, 139
O
obscurity methods, 198–205
OCE (Outlook Compressible Encryption) files, 247–248
Office
  Auto Save feature, 278
  document metadata, 157–158
  e-mail review, 275–277
  as forensics tool, 274–283
  past filenames, 282–283
  Quick Save feature, 277–278
  recovering undo information, 277–280
  Word 97 MAC address, 280–282
Ontrack PowerControls, 235
OpenSource tools, 265
operating systems. See also specific operating systems
  changes to, 463
  considerations, 48
  overview, 25
  reinstalling, 217–219
  user logs, 298–302
optical media, 35
organized cyber crime, 453–469
  fake identities, 466, 469
  hacking attacks. See hacking
  malware, 457–463
  money laundering, 465–469
  overview, 454
  Russian Business Network, 455–456
  shell companies, 466–467, 468
OST files, 241
Outlook, 244–251, 271, 275–277. See also e-mail
Outlook Compressible Encryption (OCE) files, 247–248
Outlook Express, 252–256, 271
outsourcing, 374
P
pagefile, recovering data from, 151–152
Palm-based devices
  acquisition of, 309–311
  analysis of, 317–320
  collecting evidence with EnCase, 331–332
  vs. Windows-based devices, 319–320
Palm Operating System Emulator (POSE), 317–318
Paraben Enterprise
  remote analysis with, 106–110
  remote collection, 118–120
Parmalat SpA scandal, 438
partition entry array, 180
partitioning schemes, 176
partitions
  FAT, 135–136
  GPT, 180–183
  Linux systems, 166
  logical, 115–116
  Mac OS, 176, 178–186
  NTFS, 137–138
Pasco utility, 285–288
Password Recovery Toolkit (PRTK), 206–211
passwords
  accessing with PRTK, 206–209
  mobile devices, 330–338
  Mobile Windows devices, 331–338
  Windows-based devices, 331–332
PATA drives, 28
patents, 381–384
PCAOB (Public Company Accounting Oversight Board), 438
PDAs (personal digital assistants), 50–51. See also mobile devices
PDA Seizure, 337–338
permanent markers, 55
personal data, 481–482. See also consumer fraud; data
personal digital assistants (PDAs), 50–51
Personal Storage Table. See PST
PGP (Pretty Good Privacy), 330–331
PGP Mobile, 330–331
phishing, 478–480
phishing Web sites, 478–480
phonebook, 334
phone call logs, 407
phone records, 430–432
phones, cell. See cell phones
physical access, 43–47
physical drives, 115–116
Pine e-mail, 271
pirated software, 401–402
plaintiffs, 359–360
platters, 26, 29, 30
PMD tool, 379–380
Pocket Outlook e-mail, 326–328
policies
  carrying copies of, 55–56
  network collections, 122
Ponzi, Charles, 483
Ponzi schemes, 472, 483
POSE (Palm Operating System Emulator), 317–318
POST (Power On Self Test), 24
PowerControls, 235
Power On Self Test (POST), 24
power protection, 48
prefetch entries, 402
prefetch files, 463, 464
Pretty Good Privacy (PGP), 330–331
printed files, recovering, 153
printer activity, 171–172
printer spools, 152–153, 426
printing, 152–153
privacy issues, 98–99
privacy measures, 205–219
privilege, 362
privileged documents, 362
Problems Reports and Solutions Feature, 159
procedures
  carrying copies of, 55–56
  network collections, 122
ProDiscover, 105–106, 118, 123
Program Files directory, 401
Promise SuperTrack Series, 53
proof of income forgery, 489
proprietary information, 381–384
protective MBR, 179
protective orders, 139, 217
PRTK (Password Recovery Toolkit), 206–211
PST (Personal Storage Table), 219
PST Converter, 245–246
PST files, 241, 244–251
Public Company Accounting Oversight Board (PCAOB), 438
pump-and-dump schemes, 457, 483
.PXL files, 320
pyramid schemes, 483
R
RAID (Redundant Array of Inexpensive Disks), 53
RAID servers, 112
RAID sets, 222–224
RAM (Random Access Memory), 22, 23–24
RAM chips, 305
raw device, 227
raw images, 94
raw tapes, 227–229
RBN (Russian Business Network), 455–456
rdhtool.exe tool, 274
readDBX program, 254–256
read heads, 27
read-only mode, 39–40
readPST program, 250–251
records, 184
Recover Manager for Exchange (RME), 235–236
recovery
  complete files, 144–145
  deleted files, 138–150
  file fragments, 146–147
  INFO records, 151
  limitations, 149–150
  LNK files, 154
  memory dumps, 159
  NTFS partitions, 137–138
  pagefile, 151–152
  printed documents, 153
recovery mode, 236
Recycle Bin, 139, 150–151
Red Cliff Web Historian, 292
Red Hat Linux, 169
Redundant Array of Inexpensive Disks. See RAID
reformatted drives, 217–219
regex (regular expressions), 494–497
registers, 23, 24
registry keys, 458–459
regular expressions (regex), 494–497
relational databases, 376
remote collections, 112–122
remote collection tools, 113–120
remote investigations, 99–112
removable USB storage devices, 154–155
reports. See also documents
  affidavits, 343, 350
  declarations, 343, 346–350
  definitions, 350
  expert, 343, 351–355
  formats, 345
  generating with Device Seizure, 322–325
  glossaries, 350
  mainframe, 376–377
  tools for, 344
repositories, identifying, 15–16
requests for production, 362
resource fork, 192
RFC-822 format, 238
RME (Recover Manager for Exchange), 235–236
RoboCopy, preserving files with, 231
ROM chips, 305
root directory, 164
ROT13 decoders, 202
ROT13 encoding, 200–202
ROT13 encryption, 159–160, 299–302
rotational media, 32
Russian Business Network (RBN), 455–456
Russian cyber crime, 453–457
Russian-Estonian conflict, 456
S
SAN (Storage Area Network), 52, 53
SAN disks, 225–226
SAN systems, 225–226
Sarbanes-Oxley Act of 2002 (SBA), 437, 445
SAS drives, 29
SATA drives, 28, 53
Satyam scandal, 438
SBA (Sarbanes-Oxley Act of 2002), 437, 445
scams. See fraud
Scientific Working Group on Digital Evidence (SWGDE), 54
screenshots, 342
SCSI drives, 28
search-and-seizure guides, 56
searches
  datasets, 232
  e-mail, 386
  file entries in leaf nodes, 190–191
  file type, 485
  operators, 494–495
  regular expressions, 494–497
  for relevant data, 145–148
  slack space, 205
  source code, 379–380
searching techniques, 493–497
SEC (Securities and Exchange Commission), 418, 436, 445, 446
sectors, 30
secure deletion, 212–215
securities, 482–485
Securities and Exchange Commission (SEC), 418, 436, 445, 446
Securities Exchange Act of 1934, 445
securities fraud, 444–452
security, forensic laboratory, 43–47
self-validation, 94
SentrySafe, 47
servers
  DNA, 211
  Domino, 236–237
  Exchange, 235–237
  GroupWise, 237
  mail, 234–238
  Microsoft Exchange Server, 236
  RAID, 112
  Sun iPlanet mail server, 238
SHA-1 algorithm, 17
shell companies, 466–467, 468
shells, Linux, 170–171
Short Message Service. See SMS
signatures
  digital, 14
  file, 199–200, 201
single system, collecting evidence from, 64–94
slack space, 145, 204–205
slack space wiping, 215
slave computer, 455–456
Smart Acquisition Workshop, 178
SmartMedia card, 38
smartphones, 407
SMART tool
  imaging drives in, 82–84
  recovering complete files, 144–145
  recovering deleted files, 142, 143
  recovering FAT partitions, 136
  recovering file fragments, 147–148
  recovering INFO records, 151
  recovering Linux files, 167–168
  recovering NTFS partitions, 138
SMS (Short Message Service), 334
SMS/EMS data, 334
SMS messages, 407
social engineering, 44
social networks, 430–432
Social Security numbers (SSNs), 8, 469
software, pirated/malicious, 401–402
SOFTWARE registry file, 401–402
software tools, 54–55
solid-state floppy-disk card (SSFDC), 38
source code theft, 378–381
source media, 16
Soviet Union, 454–457
spam. See also e-mail
  bot-nets, 455–456
  detecting spam attacks, 477–478
  identity theft and, 477–478
  spamcop.net, 270
spindle motor, 28
spooling process, 152–153
spyware, 461–462. See also malware
SQLite database, 293
SSFDC (solid-state floppy-disk card), 38
SSNs (Social Security numbers), 8, 469
startup files, 458–459
steganography, 211–212
Stegdetect tool, 212
Stego Suite, 212
stock option backdating, 449–451
stocks. See also securities
  insider trading, 445–447
  investment fraud, 482–485
  pump-and-dump scam, 457, 483
Storage Area Network. See SAN
Storm bot-net, 455–456
strings program, 282–283
subpoenas, 347
subtrees, 232
Sun iPlanet mail server, 238
superblock, 162–163
super DLT drives, 33–34
surge protectors, 48
SUSE Linux, 169
suspects, 66. See also users
suspect systems
  BIOS information, 66
  checking for other media, 66
  collecting evidence from, 64–94
  communicating with clients, 95
  described, 64
  disks on. See disks
  downtime, 95
  drives on. See drives
  evidence on. See evidence
Hacking Exposed Page 54