第1页 / 共690页
第2页 / 共690页
第3页 / 共690页
第4页 / 共690页
第5页 / 共690页
第6页 / 共690页
第7页 / 共690页
第8页 / 共690页
guide to computer forensics.pdf
Brief Table of Contents�
Table of Contents�
Preface
Introduction
Ch 1: Understanding the Digital Forensics Profession and Investigations
An Overview of Digital Forensics
Preparing for Digital Investigations
Maintaining Professional Conduct
Preparing a Digital Forensics Investigation
Procedures for Private-Sector High-Tech Investigations
Understanding Data Recovery Workstations and Software
Conducting an Investigation
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 2: The Investigator's Office and Laboratory
Understanding Forensics Lab Accreditation Requirements
Determining the Physical Requirements for a Digital Forensics Lab
Selecting a Basic Forensic Workstation
Building a Business Case for Developing a Forensics Lab
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 3: Data Acquisition
Understanding Storage Formats for Digital Evidence
Determining the Best Acquisition Method
Contingency Planning for Image Acquisitions
Using Acquisition Tools
Validating Data Acquisitions
Performing RAID Data Acquisitions
Using Remote Network Acquisition Tools
Using Other Forensics Acquisition Tools
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 4: Processing Crime and Incident Scenes
Identifying Digital Evidence
Collecting Evidence in Private-Sector Incident Scenes
Processing Law Enforcement Crime Scenes
Preparing for a Search
Securing a Computer Incident or Crime Scene
Seizing Digital Evidence at the Scene
Storing Digital Evidence
Obtaining a Digital Hash
Reviewing a Case
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 5: Working with Windows and CLI Systems
Understanding File Systems
Exploring Microsoft File Structures
Examining NTFS Disks
Understanding Whole Disk Encryption
Understanding the Windows Registry
Understanding Microsoft Startup Tasks
Understanding Virtual Machines
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 6: Current Digital Forensics Tools
Evaluating Digital Forensics Tool Needs
Digital Forensics Software Tools
Digital Forensics Hardware Tools
Validating and Testing Forensics Software
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 7: Linux and Macintosh File Systems
Examining Linux File Structures
Understanding Macintosh File Structures
Using Linux Forensics Tools
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 8: Recovering Graphics Files
Recognizing a Graphics File
Understanding Data Compression
Locating and Recovering Graphics Files
Identifying Unknown File Formats
Understanding Copyright Issues with Graphics
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 9: Digital Forensics Analysis and Validation
Determining What Data to Collect and Analyze
Validating Forensic Data
Addressing Data-Hiding Techniques
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 10: Virtual Machine Forensics, Live Acquisitions, and Network Forensics
An Overview of Virtual Machine Forensics
Performing Live Acquisitions
Network Forensics Overview
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 11: E-mail and Social Media Investigations
Exploring the Role of E-mail in Investigations
Exploring the Roles of the Client and Server in E-mail
Investigating E-mail Crimes and Violation
Understanding E-mail Servers
Using Specialized E-mail Forensics Tools
Applying Digital Forensics to Social Media
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 12: Mobile Device Forensics
Understanding Mobile Device Forensics
Understanding Acquisition Procedures for Mobile Devices
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 13: Cloud Forensics
An Overview of Cloud Computing
Legal Challenges in Cloud Forensics
Technical Challenges in Cloud Forensics
Acquisitions in the Cloud
Conducting a Cloud Investigation
Tools for Cloud Forensics
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 14: Report Writing for High-Tech Investigations
Understanding the Importance of Reports
Guidelines for Writing Reports
Generating Report Findings with Forensics Software Tools
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 15: Expert Testimony in Digital Investigations
Preparing for Testimony
Testifying in Court
Preparing for a Deposition or Hearing
Preparing Forensics Evidence for Testimony
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Ch 16: Ethics for the Expert Witness
Applying Ethics and Codes to Expert Witnesses
Organizations with Codes of Ethics
Ethical Difficulties in Expert Testimony
An Ethics Exercise
Chapter Summary
Key Terms
Review Questions
Hands-On Projects
Case Projects
Appendix A: Certification Test References
Appendix B: Digital Forensics References
Appendix C: Digital Forensics Lab Considerations
Appendix D: DOS File System and Forensics Tools
Glossary
Index
Guide to Computer
Forensics and
Investigations: Processing
Digital Evidence
Fifth Edition
Bill Nelson
Amelia Phillips
Christopher Steuart
Australia Brazil Mexico Singapore United Kingdom United States
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
This is an electronic version of the print textbook. Due to electronic rights restrictions,
some third party content may be suppressed. Editorial review has deemed that any suppressed
content does not materially affect the overall learning experience. The publisher reserves the right
to remove content from this title at any time if subsequent rights restrictions require it. For
valuable information on pricing, previous editions, changes to current editions, and alternate
formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for
materials in your areas of interest.
Important Notice: Media content referenced within the product description or the product
text may not be available in the eBook version.
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Guide to Computer Forensics and
Investigations: Processing Digital Evidence,
Fifth Edition
ª 2016 Cengage Learning
WCN: 02-200-203
Bill Nelson, Amelia Phillips,
Christopher Steuart
Product Director: Kathleen McMahon
Senior Director of Development:
Marah Bellegarde
Product Team Manager: Kristin McNary
Product Development Manager:
Leigh Hefferon
Senior Content Developer: Julia McGuirk
Developmental Editor: Lisa M. Lord
Product Assistant: Scott Finger
Marketing Director: Michele McTighe
Marketing Manager: Eric La Scola
Marketing Coordinator: Will Guiliani
Production Director: Patty Stephan
Senior Content Project Manager:
Brooke Greenhouse
Managing Art Director: Jack Pendleton
Cover photo or illustration: ª Mega Pixel/
Shutterstock
Manufacturing Planner: Ron Montgomery
Compositor: Cenveo Publisher Services
Quality Assurance Tester: Serge Palladino
ALL RIGHTS RESERVED. No part of this work covered by the
copyright herein may be reproduced, transmitted, stored or used
in any form or by any means graphic, electronic, or mechanical,
including but not limited to photocopying, recording, scanning,
digitizing, taping, Web distribution, information networks, or
information storage and retrieval systems, except as permitted
under Section 107 or 108 of the 1976 United States Copyright Act,
without the prior written permission of the publisher.
For product information and technology assistance, contact us at
Cengage Learning Customer & Sales Support, 1-888-354-9706
For permission to use material from this text or product, submit
all requests online at cengage.com/permissions
Further permissions questions can be emailed to
permissionrequest@cengage.com
Library of Congress Control Number: 2014958600
ISBN: 978-1-285-06003-3
Cengage Learning
20 Channel Center Street
Boston, MA 02210
Cengage Learning is a leading provider of customized learning
solutions with office locations around the globe, including Singapore,
the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your
local office at: www.cengage.com/global
Cengage Learning products are represented in Canada by Nelson
Education, Ltd.
To learn more about Cengage Learning, visit www.cengage.com
Purchase any of our products at your local college store or at our
preferred online store www.cengagebrain.com.
Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis in
connection with any of the product information contained herein. Publisher does not assume, and expressly disclaims,
any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is
expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein
and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks
in connection with such instructions. The publisher makes no representations or warranties of any kind, including but
not limited to, the warranties of fitness for particular purpose or merchantability, nor are any such representations
implied with respect to the material set forth herein, and the publisher takes no responsibility with respect to such
material. The publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or
part, from the readers’ use of, or reliance upon, this material.
Printed in the United States of America
Print Number: 01 Print Year: 2015
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Brief Table of Contents
Brief Table of Contents
PREFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
CHAPTER 1
Understanding the Digital Forensics Profession and Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
CHAPTER 2
The Investigator’s Office and Laboratory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
CHAPTER 3
Data Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
CHAPTER 4
Processing Crime and Incident Scenes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
CHAPTER 5
Working with Windows and CLI Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
CHAPTER 6
Current Digital Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
CHAPTER 7
Linux and Macintosh File Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
CHAPTER 8
Recovering Graphics Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
CHAPTER 9
Digital Forensics Analysis and Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
CHAPTER 10
Virtual Machine Forensics, Live Acquisitions, and Network Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
CHAPTER 11
E-mail and Social Media Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
CHAPTER 12
Mobile Device Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
CHAPTER 13
Cloud Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
CHAPTER 14
Report Writing for High-Tech Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
CHAPTER 15
Expert Testimony in Digital Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
CHAPTER 16
Ethics for the Expert Witness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
APPENDIX A
Certification Test References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
APPENDIX B
Digital Forensics References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
iii
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
iv
Brief Table of Contents
APPENDIX C
Digital Forensics Lab Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
APPENDIX D
DOS File System and Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
INDEX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Table of Contents
Table of Contents
PREFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
CHAPTER 1
Understanding the Digital Forensics Profession and Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
An Overview of Digital Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Digital Forensics and Other Related Disciplines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
A Brief History of Digital Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Understanding Case Law. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Developing Digital Forensics Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Preparing for Digital Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Understanding Law Enforcement Agency Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Following Legal Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Understanding Private-Sector Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Maintaining Professional Conduct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Preparing a Digital Forensics Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
An Overview of a Computer Crime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
An Overview of a Company Policy Violation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Taking a Systematic Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Procedures for Private-Sector High-Tech Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Employee Termination Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Internet Abuse Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
E-mail Abuse Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Attorney-Client Privilege Investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Industrial Espionage Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Interviews and Interrogations in High-Tech Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Understanding Data Recovery Workstations and Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Setting Up Your Workstation for Digital Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Conducting an Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Gathering the Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Understanding Bit-stream Copies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Acquiring an Image of Evidence Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Using ProDiscover Basic to Acquire a USB Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Analyzing Your Digital Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Completing the Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Critiquing the Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
CHAPTER 2
The Investigator’s Office and Laboratory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Understanding Forensics Lab Accreditation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Identifying Duties of the Lab Manager and Staff. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Lab Budget Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Acquiring Certification and Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
v
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
vi
Table of Contents
Determining the Physical Requirements for a Digital Forensics Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Identifying Lab Security Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Conducting High-Risk Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Using Evidence Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Overseeing Facility Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Considering Physical Security Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Auditing a Digital Forensics Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Determining Floor Plans for Digital Forensics Labs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Selecting a Basic Forensic Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Selecting Workstations for a Lab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Selecting Workstations for Private and Corporate Labs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Stocking Hardware Peripherals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Maintaining Operating Systems and Software Inventories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Using a Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Planning for Equipment Upgrades. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Building a Business Case for Developing a Forensics Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Preparing a Business Case for a Digital Forensics Lab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
CHAPTER 3
Data Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Understanding Storage Formats for Digital Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Raw Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Proprietary Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Advanced Forensic Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Determining the Best Acquisition Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Contingency Planning for Image Acquisitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Using Acquisition Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Mini-WinFE Boot CDs and USB Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Acquiring Data with a Linux Boot CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Capturing an Image with ProDiscover Basic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Capturing an Image with AccessData FTK Imager Lite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Validating Data Acquisitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Linux Validation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Windows Validation Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Performing RAID Data Acquisitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Understanding RAID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Acquiring RAID Disks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Using Remote Network Acquisition Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Remote Acquisition with ProDiscover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Remote Acquisition with EnCase Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Remote Acquisition with R-Tools R-Studio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Remote Acquisition with WetStone US-LATT PRO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Remote Acquisition with F-Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Using Other Forensics Acquisition Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
PassMark Software ImageUSB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
ASRData SMART . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
相关推荐
2023年江西萍乡中考道德与法治真题及答案.doc
2012年重庆南川中考生物真题及答案.doc
2013年江西师范大学地理学综合及文艺理论基础考研真题.doc
2020年四川甘孜小升初语文真题及答案I卷.doc
2020年注册岩土工程师专业基础考试真题及答案.doc
2023-2024学年福建省厦门市九年级上学期数学月考试题及答案.doc
2021-2022学年辽宁省沈阳市大东区九年级上学期语文期末试题及答案.doc
2022-2023学年北京东城区初三第一学期物理期末试卷及答案.doc
2018上半年江西教师资格初中地理学科知识与教学能力真题及答案.doc
2012年河北国家公务员申论考试真题及答案-省级.doc
2020-2021学年江苏省扬州市江都区邵樊片九年级上学期数学第一次质量检测试题及答案.doc
2022下半年黑龙江教师资格证中学综合素质真题及答案.doc
