Fr. 110.00

Cyber Forensics - From Data to Digital Evidence

English · Hardback

Shipping usually within 3 to 5 weeks

Description


About the author

ALBERT J. MARCELLA, JR., PHD, CISA, CISM, is President of Business Automation Consultants, LLC, a global information technology and management consulting firm providing IT management consulting, audit and security reviews, and training. He is an internationally recognized public speaker, researcher, workshop and seminar leader, and an author of numerous articles and books on various IT, audit, and security-related subjects.

FREDERIC GUILLOSSOU, CISSP, CCE, is an Information Security Analyst with TALX, a division of Equifax. He regularly trains on intrusion prevention systems and has successfully led a number of forensic investigations in the field.

Blurb

An explanation of the basic principles of data

This book explains the basic principles of data as building blocks of electronic evidential matter, which are used in cyber forensics investigations. The entire text is written with no reference to a particular operating system or environment, thus it is applicable to all work environments, cyber investigation scenarios, and technologies. The text is written in a step-by-step manner, beginning with the elementary building blocks of data and progressing upwards to the representation and storage of information. It includes practical examples and illustrations throughout to guide the reader.

List of contents

Preface xiii
 
Acknowledgments xvii
 
Chapter 1: The Fundamentals of Data 1
 
Base 2 Numbering System: Binary and Character Encoding 2
 
Communication in a Two-State Universe 3
 
Electricity and Magnetism 3
 
Building Blocks: The Origins of Data 4
 
Growing the Building Blocks of Data 5
 
Moving Beyond Base 2 7
 
American Standard Code for Information Interchange 7
 
Character Codes: The Basis for Processing Textual Data 10
 
Extended ASCII and Unicode 10
 
Summary 12
 
Notes 13
 
Chapter 2: Binary to Decimal 15
 
American Standard Code for Information Interchange 16
 
Computer as a Calculator 16
 
Why Is This Important in Forensics? 18
 
Data Representation 18
 
Converting Binary to Decimal 19
 
Conversion Analysis 20
 
A Forensic Case Example: An Application of the Math 20
 
Decimal to Binary: Recap for Review 22
 
Summary 23
 
Chapter 3: The Power of HEX: Finding Slivers of Data 25
 
What the HEX? 26
 
Bits and Bytes and Nibbles 27
 
Nibbles and Bits 29
 
Binary to HEX Conversion 30
 
Binary (HEX) Editor 34
 
The Needle within the Haystack 39
 
Summary 41
 
Notes 42
 
Chapter 4: Files 43
 
Opening 44
 
Files, File Structures, and File Formats 44
 
File Extensions 45
 
Changing a File's Extension to Evade Detection 47
 
Files and the HEX Editor 53
 
File Signature 55
 
ASCII Is Not Text or HEX 57
 
Value of File Signatures 58
 
Complex Files: Compound, Compressed, and Encrypted Files 59
 
Why Do Compound Files Exist? 60
 
Compressed Files 61
 
Forensics and Encrypted Files 64
 
The Structure of Ciphers 65
 
Summary 66
 
Notes 67
 
Appendix 4A: Common File Extensions 68
 
Appendix 4B: File Signature Database 73
 
Appendix 4C: Magic Number Definition 77
 
Appendix 4D: Compound Document Header 79
 
Chapter 5: The Boot Process and the Master Boot Record (MBR) 85
 
Booting Up 87
 
Primary Functions of the Boot Process 87
 
Forensic Imaging and Evidence Collection 90
 
Summarizing the BIOS 92
 
BIOS Setup Utility: Step by Step 92
 
The Master Boot Record (MBR) 96
 
Partition Table 102
 
Hard Disk Partition 103
 
Summary 110
 
Notes 111
 
Chapter 6: Endianness and the Partition Table 113
 
The Flavor of Endianness 114
 
Endianness 116
 
The Origins of Endian 117
 
Partition Table within the Master Boot Record 117
 
Summary 125
 
Notes 127
 
Chapter 7: Volume versus Partition 129
 
Tech Review 130
 
Cylinder, Head, Sector, and Logical Block Addressing 132
 
Volumes and Partitions 138
 
Summary 142
 
Notes 144
 
Chapter 8: File Systems--FAT 12/16 145
 
Tech Review 145
 
File Systems 147
 
Metadata 149
 
File Allocation Table (FAT) File System 153
 
Slack 157
 
HEX Review Note 160
 
Directory Entries 161
 
File Allocation Table (FAT) 163
 
How Is Cluster Size Determined? 167
 
Expanded Cluster Size 169
 
Directory Entries and the FAT 170
 
FAT Filing System Limitations 174
 
Directory Entry Limitations 176
 
Summary 177
 
Appendix 8A: Partition Table Fields 179
 
Appendix 8B: File Allocation Table Values 180
 
Appendix
