CHAPTER 23


Computer Forensics


Computer forensics (digital forensics) comprises the scientific procedures and accepted set of processes for examining and analyzing allegations of misuse in computer-related incidents. The end state of digital forensics is to obtain potential legal evidence acceptable to the trier of fact. Forensic analysis uses a range of scientific processes: systematic examination and collection of evidence; keeping a legally sufficient set of records and reports; performing experiments; testing hypotheses; describing the process and results; and defending the forensic findings and conclusions. It derives from forensic scientist Edmond Locard’s basic exchange principle: “Every contact leaves a trace.” There are five steps that should be followed:

        1. Gather useful items and items of potential evidentiary interest.

        2. Preserve data integrity (chain of evidence).

        3. Identify evidentiary artifacts, physical, and critical information.

        4. Analyze evidence.

        5. Present evidence.

Computer forensics is the scientific bridge between law and computer science that allows digital evidence to be collected in a legally sound manner. Management must realize that every interaction with a digital device leaves a trace. The improper application of computer forensic tools may damage data and may render the evidence collected unacceptable for use by the judicial system.

The computer forensics team should work closely or even be embedded into an incident-handling process (see Chapter 22). The organization may want to engage appropriate digital forensics experts as consultants or work with the appropriate national computer emergency response team (CERT) directly. When an incident occurs, the incident-handling team is often the first to arrive at the scene. Without proper computer forensic procedures in place and reinforced through organizational policy, the evidence may be tampered with or inadvertently contaminated.

The roles, responsibilities and actions performed by internal employees, a law enforcement agency, or external computer forensic experts must be defined before an incident occurs. Management needs to understand the purpose of computer forensics, the requirement to establish a computer forensic function or team if required, the rules and processes of computer forensics, and the consequences of improper handling of evidence. Remember, if the organization is planning to perform forensics, it must be willing to invest in professional training and licensing of multiple tools to cover the widest range of devices and systems and develop a culture that allows proper seizure and preservation techniques. Tools should be validated for proper data acquisition and reporting. To make sure everything works as expected, organizations should practice periodic mock examinations and incident response drills to gain an in-depth understanding of tools and subtleties of use.

Importance of Computer Forensics

It is helpful to view the relationship of computer forensics to information assurance as autopsy is to medicine. If your organization practices computer forensics too often, your information assurance process is failing! Forensic analysis is a post-event response to serious incidents or criminal actions. Computer forensics gathers admissible evidence through a systematic and formal examination procedure for either external use by courts or internal use by the organization. Dr. Rainer Böhme, Assistant Professor of Information Systems and IT Security, University of Münster, developed an ontogeny for forensics. He points out that there is an increased degree of freedom associated with analog forensics, while forge-ability, or what can be counterfeited, decreases on a continuum from computer forensics to analog forensics.

Analog forensics tries to find traces of physical evidence, digital forensics deals with observing patterns that may contain messages, and multimedia forensics focuses on manipulation of multimedia files to either change or embed information.

Cybercrimes involve any unauthorized and unlawful cyber activities. They may range from a simple denial-of-service (DOS) attack to unauthorized use or access of systems. The installation of intrusion detection systems, firewalls, or proxy services may be insufficient to prevent these activities. To successfully discover and prosecute cybercrimes, computer forensic knowledge and skills are essential.

An organization is responsible for protecting client and customer information. Senior managers have been held responsible for failing to exercise due care. (See Chapter 27 for specific examples of executives being sued by stakeholders and customers.) By using proper computer forensic personnel procedures and providing forensic tools used by qualified individuals, evidence admissible in a court of law may help organizations preserve their reputation and customers.

Prerequisites of a Computer Forensic Examiner

If an organization needs forensic skills, it typically engages the services of a competent and credentialed forensics examiner. Well-trained computer forensic examiners possess both specialized knowledge and experience. In some economies, such as Australia, examiners may also be called forensic analysts. Immature examiners may overlook a trace or destroy evidence. For example, the individual may reboot an attacked system or open files leading to a modification of system properties or erasure of electronic footprints of the criminals.

A strong general IT background is essential. The examiner should be familiar with network topology, architecture and protocols, and hardware functionality and usage, and the examiner should have a clear understanding of how software programs run. Examiners are expected to keep abreast of computer forensic techniques, methodologies, and standards. Many tools are available for computer forensics. An examiner should be familiar with these tools and be able to decide which ones to use during the forensic process.

An examiner must always observe the basic rules of the profession to produce quality forensics in an impartial and objective manner. The examiner must follow formal procedures; otherwise, the findings risk rejection in courts. An examiner should also be able to prepare proper documentation. An ideal examiner has good interpersonal and presentation skills, which help when appearing as a witness in a court case. In addition to a strong foundation in information assurance and technology, the individual must have a lifestyle and personal history that cannot damage their credibility in the eyes of the court or an aggressive defense attorney. A single questionable event from the past can cast a shadow of doubt on an otherwise outstanding individual. Remember, in many courts, the defense needs only to create a reasonable doubt for an acquittal.

Whether outsourced or in-house, the forensic team must understand the nature of the organization and its mission, customers, threats, and operating environment. The examiner will ideally understand the politics of the organization and remain impartial in the analysis. The forensic team must also be able to weather adversity and possible hostility. If a senior executive is under examination, the forensic team may become the target of retaliation. Strong whistleblower policies and anti-retaliation policies can aid in keeping forensic teams focused on collecting evidence instead of being worried about their jobs.

Forensic Skills

Management should seek assistance from individuals with skills and knowledge in the following areas to ensure a successful forensic examination. The foremost common forensic skill is the scientific method, which ensures that the examiner is merely a finder of facts. A second common forensic skill is the ability to deal with dynamic evidence shared across devices.

Antiforensic Techniques and Tools

The underlying principle of antiforensics is that if evidence cannot be found, it cannot be identified, acquired, analyzed, or explored. Merely encrypting evidence is one of the simplest and most effective techniques for hiding it. Attackers are becoming some of the most advanced users of information assurance technologies. An attacker will infiltrate an organization and locate the information they desire. They will then copy the information and encrypt it. The encrypted information is then transferred out of the organization or sometimes held for ransom after the original information is deleted. The forensic examiner should be capable of identifying fully encrypted disks as well as specific files and hidden partitions on the hard drive. Since good encryption is hard to overcome, this technique can overwhelm all but the most skilled and well-equipped examiners.

A related technique for hiding evidence in background noise is steganography. It allows the perpetrator to change selected least significant bits (LSBs) in a file so they can be used to hide a message. For example, in a given 8-bit byte, the rightmost bit is the LSB. In the large bit stream of an MP3 music file, changing the LSBs has little audible effect and can be used to hide information; however, it creates a difficult problem for the forensics examiner. The examiner must now try to determine how the file is structured, determine whether encryption is being used in conjunction with the LSB, and determine whether MP3 files are the only files affected! Organizations can spend countless hours and resources exhausting possibilities. A superior examiner will know when they have obtained necessary and sufficient information to act on.
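To make the LSB problem concrete, here is an added example in Python (not from the book): it writes a constructed pseudo-random payload, standing in for an encrypted message, into the LSBs of constructed 8-bit samples, reads it back, and then applies a simple chi-square pair test that flags the balanced LSB plane an embedding leaves behind. The sample data, the 30% odd-value skew of the cover and the "statistic below the number of pairs" threshold are assumptions made for the demonstration.

```python
import random
from collections import Counter
from typing import List

PAIRS = 128  # 8-bit samples form 128 value pairs (2k, 2k+1) that differ only in the LSB


def make_cover(n_samples: int, seed: int = 7) -> List[int]:
    """Constructed cover: 8-bit samples whose odd values are rarer than even ones.

    Assumption: natural covers are not LSB-balanced, which is what the test below relies on.
    """
    rng = random.Random(seed)
    return [2 * rng.randrange(PAIRS) + (1 if rng.random() < 0.3 else 0)
            for _ in range(n_samples)]


def make_payload(n_bytes: int, seed: int = 11) -> bytes:
    """Constructed payload of pseudo-random bytes, standing in for an encrypted message."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_bytes))


def embed_lsb(cover: List[int], payload: bytes) -> List[int]:
    """Overwrite the LSB of successive samples with the payload bits, MSB of each byte first."""
    if len(payload) * 8 > len(cover):
        raise ValueError("payload does not fit into the cover")
    stego = list(cover)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            stego[i] = (stego[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return stego


def extract_lsb(stego: List[int], n_bytes: int) -> bytes:
    """Rebuild n_bytes from the LSBs of the first n_bytes * 8 samples."""
    out = bytearray()
    for k in range(n_bytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (stego[8 * k + j] & 1)
        out.append(byte)
    return bytes(out)


def lsb_pair_chi_square(samples: List[int]) -> float:
    """Chi-square statistic over value pairs (2k, 2k+1).

    Writing random-looking bits into every LSB drives the counts of 2k and 2k+1
    toward equality, so the statistic collapses; an untouched cover keeps its
    natural imbalance and scores high.
    """
    counts = Counter(samples)
    stat = 0.0
    for k in range(PAIRS):
        even, odd = counts.get(2 * k, 0), counts.get(2 * k + 1, 0)
        expected = (even + odd) / 2
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat


def looks_embedded(samples: List[int]) -> bool:
    """Rule of thumb used here (an assumption, not a calibrated threshold):
    a statistic below the number of pairs means the LSB plane is suspiciously balanced."""
    return lsb_pair_chi_square(samples) < PAIRS


if __name__ == "__main__":
    cover = make_cover(20000)
    payload = make_payload(2500)  # exactly fills all 20000 LSBs
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego, len(payload)) == payload
    print(f"cover: {lsb_pair_chi_square(cover):.1f}  stego: {lsb_pair_chi_square(stego):.1f}")
    print("cover flagged:", looks_embedded(cover), " stego flagged:", looks_embedded(stego))
```

If only part of the cover carries payload, the statistic lands between the two extremes, which is why practical steganalysis evaluates the test over sliding windows of the file rather than once over the whole thing.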

Another antiforensic technique involves placing data where it is not expected. For example, data may be placed in the slack space (space not accounted for in the file system because it lies between the end of a file and the end of its last block); unused firmware memory; unused space in the master boot record; or in the host protected area, which is not customarily available to the operating system. Refer to the Further Reading section later in the chapter for where to find more detail on antiforensics as well as the role of the digital investigator.

Forensic Techniques and Tools

Organizations can develop and support a superior forensics team by providing best in class tools that have been certified and well tested. Certified tools are important for evidence to be credible in court. The U.S. National Institute of Standards (NIST) maintains a Computer Forensics Tool Testing (CFTT) program (www.cftt.nist.gov/). Validation by CFTT allows users to make sound decisions about computer forensics tools and encourages developers to improve their tools. CFTT also provides a thorough guidance about mobile device imaging, including requirements, test plans, setup and test procedures, and tool test reports.

As discussed earlier, computer forensics requires expert identification, extraction, preservation, and documentation. To accomplish this, the expert must be supported by forensically sound skills, tools, and methods. One important method is never to conduct any examination on the original media. Creation of validated copies of original data is a keystone principle for forensics examiners. Before any forensics analysis, make sure the team is well trained and has rehearsed on mock tests.

Media and File System Forensics

Successful forensic analysis requires a thorough knowledge of file types, of the digital media used to store data (one of the three states from the MSR model), and of the file structures used on those devices. This analysis may require salvaging deleted data, which may be as simple as changing the disk’s file tables to mark blocks as not deleted. In other cases, it may require file carving techniques to recover data from unallocated space. Tools for this include DataLifter, PhotoRec, and Scalpel.
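The carving step described here, as an added example that is not from the book or from any of the tools named: a header/footer carver in Python that recovers a PNG and a truncated JPEG from constructed unallocated space, then validates the carved PNG by recomputing its chunk CRCs. The signature table, the 1 MiB carve limit and the sample image are assumptions made for the demonstration.

```python
import random
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Signature table: kind -> (header, footer, bytes to keep from the footer onward).
# A PNG ends with the IEND chunk (4-byte tag plus 4-byte CRC); a JPEG ends with FF D9.
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 8),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 2),
}
MAX_CARVE = 1 << 20  # stop looking for a footer after 1 MiB and report the file as incomplete


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes
    complete: bool


def carve(image: bytes) -> List[Carved]:
    """Header/footer carving over raw bytes, with no help from the file system."""
    found: List[Carved] = []
    for kind, (header, footer, tail) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + MAX_CARVE)
            if end == -1:
                # No footer: keep what is there (bounded) and flag it for manual review.
                found.append(Carved(kind, pos, image[pos:pos + MAX_CARVE], False))
                pos = image.find(header, pos + len(header))
            else:
                found.append(Carved(kind, pos, image[pos:end + tail], True))
                pos = image.find(header, end + tail)
    return sorted(found, key=lambda c: c.offset)


def png_chunks_valid(data: bytes) -> bool:
    """Walk the chunk list and check every CRC; a carved PNG failing here is corrupt or cut short."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length or pos + 12 + length > len(data):
            return False
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if tag == b"IEND":
            return True
    return False


def _png_chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def make_tiny_png() -> bytes:
    """Constructed sample: a valid 1x1 red RGB PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8 bits per channel, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_unallocated_image(seed: int = 3) -> bytes:
    """Constructed 'unallocated space': filler holding one whole PNG and one JPEG cut short."""
    rng = random.Random(seed)

    def filler(n: int) -> bytes:
        # Values 0..254 only, so the constructed filler never contains a JPEG marker byte (0xFF).
        return bytes(rng.randrange(255) for _ in range(n))

    jpeg_start = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + filler(40)  # SOI + APP0, no EOI follows
    return filler(512) + make_tiny_png() + filler(300) + jpeg_start + filler(200)


if __name__ == "__main__":
    for item in carve(make_unallocated_image()):
        status = "complete" if item.complete else "INCOMPLETE"
        extra = f", CRCs ok={png_chunks_valid(item.data)}" if item.kind == "png" else ""
        print(f"{item.kind} at offset {item.offset}: {len(item.data)} bytes, {status}{extra}")
```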

File forensics becomes more complicated if the media devices are encrypted. In addition, the examiner must be able to find hidden metadata that is frequently included during file creation. A specialized case of data hiding (steganography) was discussed in the “Antiforensic Techniques and Tools” section earlier in this chapter.

Types of Media

Types and capacities of digital storage media devices are constantly evolving. Legacy storage media include media such as punch cards, punched paper tape, floppy disks of all sizes, and a plethora of magnetic gadgets. Typically, digital media have one of two access types: serial and random. Serial media devices store data elements one after another, as they arrive. Since there is no addressing scheme, usually the serial data must be read from the beginning to find a particular block. Random media devices store the data evenly distributed across the storage space and have an addressing scheme to record where the data has been stored. This allows the data to be accessed in the order needed rather than the order in which it arrived. The inherent weakness of random devices comes from the table (index) that stores where the data are and, in some cases, the associated linked lists. If the index fails, the data usually become inaccessible.

Here are some examples of media:

      Magnetic tape A magnetic tape is a serial access medium. This feature makes it an excellent choice for the regular backup of hard disks. Magnetic tape is a strip of plastic coated in a fine magnetic powder bound with polymer glue. Data is stored in frames (usually a byte) across the width of the medium. These frames are grouped into blocks separated by inter record gaps (IRGs). The more data placed in a block, the more efficient the tape.

      Hard disk drives Hard drives are random devices that use a similar magnetic powder as a magnetic tape; however, in the case of a hard drive, the powder is bound to a rigid platter. The disk spins underneath precision magnetic devices (heads) that turn electronic pulses representing data into magnetic fields to write, and the process is reversed to read data. The heads move in small steps over the spinning surface and create concentric tracks. The tracks are broken down into sectors like pieces of pie. The location of data is determined by indexing the location of data on the tracks and sectors. Hard disk drives are subject to physical damage such as drops and also magnetic damage from external electromagnetic sources. Solid state hard drives (SSD) are discussed next in electronic media.

      Optical Media A compact disc (CD), digital versatile disc (DVD), and Blu-ray are polycarbonate plastic discs with at least one metal layer used to store digital data. They are written and read by reflecting precise laser light from minute pits on the surface. These pits can be examined by microscopes. Optical media have become a standard medium for backing up or distributing large quantities of data dependably. The data is stored on a track like a hard drive; however, the single track of data spirals from the center of the disc to the outside edge. Optical media are highly resistant to magnetic and electronic distortion; however, they are susceptible to damage from ultraviolet light sources, heat, and physical damage by scratching. Optical media are typically liquid resistant, but prolonged exposure can break down the metal coating and damage the media.

      Electronic media Electronic media devices are solid-state electronic storage devices. Since they have no moving parts, they are ideally suited for portable devices and those that have to be shock tolerant. There are numerous solid state drives and other electronic media for replacing hard drives and providing storage for almost any device imaginable. They are logically organized like hard drives with sectors. Each sector of flash memory can be erased and written to only a limited number of times.

         Other formats of electronic media that may need to be examined include CompactFlash (CF), Memory Stick (MS), MultiMediaCard (MMC), Secure Digital (SD), SmartMedia (SM), solid-state disks (SSDs), USB drives, and xD-Picture Card (xD). Electronic media are susceptible to electronic pulses, physical damage, and damage from liquid. They also have a finite number of write cycles.

      Cloud Remote network repositories in the Internet cloud, mail/web servers, or FTP sites where a party other than the organization processes, stores, or transmits information on behalf of the organization. Cloud providers present all the media risks described above, depending on their chosen technologies. Additionally, cloud providers may not provide access during a forensic investigation unless the hosted organization provides a legal search warrant or similar court order. Cloud providers often co-locate tenants, so several tenants may reside on a single physical hard drive or other media device. Due to this co-location, if a drive is removed for one organization, it may cause a denial of service to another. Organizations must consider the legal costs involved in conducting a forensic investigation with cloud providers.

Sample File Systems

In general, all file systems are designed to provide a standardized method for allocating storage used by systems. These systems are designed to optimize the use and reuse of space as well as the speed of reading and writing. Each type of hardware and operating system addresses this problem differently. Analysts must be familiar with and capable of using all modern file systems.

Mobile Devices

As BYOD policies become more permissive, mobile device forensics is increasingly important. BYOD policies are clearly productivity multipliers; however, they potentially expose the organization to new, unmitigated risks. Forensics experts should be able to handle a broad spectrum of devices, protocols, and ISO layer 1 connections.

Devices fall into two main categories: cellular and non-cellular. Cellular devices are functionally radio telephones and may be further divided based on the protocol they use (GSM versus CDMA). All mobile devices have storage (see electronic media in this chapter) that might have to be examined. All have volatile random access memory (RAM) where the programs/applications run. Most have flash ROM, which stores the operating system, user file space, and preloaded applications. SIM cards are used in GSM devices and contain a processor, RAM, and ROM that may contain data of forensic interest.

The Netherlands Forensic Institute provides an excellent set of guidelines for preservation of data on mobile devices (www.holmes.nl/MPF/FlowChartForensicMobilePhoneExamination.htm).

Once the data is preserved, the following checklist helps make sure everything is checked.

Multimedia and Content

Although multimedia forensics is different from computer forensics, knowledge of multimedia forensics is important if there is suspicion of systems being used inappropriately. To determine this, the examiner may have to operate with very little knowledge. The examiner may have to infer the characteristics of the sensor, camera, microphone/recorder, or other acquisition device; these characteristics can be checked for their presence (identification phase) or consistency (detection phase). Artifacts of previous processing operations can be detected in the manipulation detection phase. For example, you might have concerns if copyright information is stored or distributed through multimedia files that have been manipulated and are inconsistent with others in the same group.

Network Forensics

Computer forensic teams usually retrieve information from computer disks or other physical devices; network forensics must also retrieve ephemeral information about the network ports used to attack the network. There is one significant difference: network forensic teams have nothing to examine unless precautions (such as packet filters, firewalls, and intrusion detection systems) were in place before the incident occurred.

Network intrusions are difficult to detect and even more difficult to analyze. Port scans are near instantaneous, while a more serious stealth attack on critical systems and their crucial resources may be concealed behind a simple, innocent-looking port scan. The forensic team should always focus on the classic journalist’s questions: Who? What? When? Why? Where? How? The purpose of intrusion analysis is to seek answers and evaluate their importance.

Forensic Tools

“A craftsman can never blame his tools.” This old saying is also true for forensic tools. Of course, forensic analysts can make their own tools but will be better served by using proven tools. The selection of tools may be significant from an evidentiary standpoint since the integrity of the forensic software is important. In Australia, Fixed Disk Image (FDI), developed by Rod McKemmish, is well respected and has been provided to Australian law enforcement at no cost. Others that are broadly recognized for criminal and civil cases in many jurisdictions are Forensic Toolkit (FTK) and EnCase. The following list contains a broad spectrum of forensic tools:

      AccessData Forensic Toolkit This toolkit consists of command-line and GUI utilities used to reconstruct access activities in NT file systems.

      Guidance Software EnCase EnCase is a widely used closed source forensic examination tool. It works on many platforms.

      Open Source SleuthKit Use this to examine a hacked UNIX host, for example. It works on Linux, Mac OS X, Windows (Visual Studio and MinGW), Cygwin, OpenBSD and FreeBSD, and Solaris. It supplants The Coroner’s Toolkit.

      ForensiX This is an all-purpose set of data collection and analysis tools that run primarily on Linux. It’s an open source joint project of the University of Toronto and Portland State University available on sourceforge.net. For a full discussion of open and closed source tools for forensic analysis, see Daniel Manson’s paper “Is the open way a better way? Digital forensics using open source tools.”

Virtual System Forensics

There are two problems posed by the use of virtual machines for the forensic analyst. The first problem emerges when a virtual machine (VM) is used to analyze forensic evidence. Both VMware and Microsoft Hyper-V are common tools to provide VM capability. Initially, a VM is an attractive tool since its configuration is easily modified to match the original system that created the evidence. The operation of VMs is both transitory and ephemeral. They are a level of abstraction beyond normal hardware; the system and data are volatile. Early attempts led to questions about the suitability of the findings obtained as evidence in court since the hypervisor might modify the image. University of Western Sydney Lecturer Derek Bem notes that an image which is known to have changed would be immediately challenged in a court of law as flawed. A computer expert could argue that the changes were not relevant to the evidence being presented; however, it is unlikely that such a line of argument would be accepted by a court ruled by reasonable doubt. The acceptance of VMs has been increasing. Another forensic analysis approach uses a VM to replay log files for analysis.

Supplemental Forensic Skills

Depending on the engagement, other knowledge and skill areas that may be important to the forensics team are client/server interactions, cloud forensics, social networks, big data paradigm, industrial control systems, critical infrastructure, and virtual/augmented reality. Organizations must consider the circumstances surrounding an incident or crime. While determining forensic skills and experience, organizations must also consider the scope of technologies and systems required to conduct a thorough, accurate, and timely forensic investigation.

Rules of Computer Forensics

To ensure the admissibility, authenticity, completeness, reliability, and integrity of evidence collected, in most jurisdictions, examiners observe these rules:

      Knowledge level Examiners should not attempt to perform an examination that is beyond their knowledge or skill level. They should seek assistance from more experienced examiners.

      Chain of custody Although the rules vary by jurisdiction, examiners should comply with the principle of chain of custody when collecting, handling, and examining evidence to ensure admissibility of the evidence in court. This is discussed in the next section.

      Evidence preservation Examiners avoid degrading the integrity of the evidence and perform examinations only on an image copy of the original. The image copy should be an exact reproduction of the original. Refer also to the “Rules of Evidence” section later in this chapter.

      Record everything Examiners must record every step taken during the examination. Changes may be unavoidable during the computer forensic process. For example, shutting down the server might affect evidence in volatile computer memory. Examiners must document the nature, effect, and reason for any change properly and be prepared to defend their reasoning.

Chain of Custody

In most jurisdictions, chain of custody is a historical view of collecting and analyzing processes, transportation, and preservation of evidence to warrant admissibility as evidence in court. The chain of custody is chronological and is particularly important with electronic evidence because of the possibility of accidental or fraudulent data alteration, deletion, or creation. For evidentiary purposes, detailed chain of custody reports are necessary to establish the physical custody of digital evidence.

When making evidentiary copies, examiners must follow standard procedures to ensure quality and integrity. They must carefully label and preserve all evidence and copies of evidence. For example, media should be write-protected, placed in a container or envelope, labeled, and secured in a fireproof safe. Carefully observe different handling and storing techniques for different types of media.
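The validated-copy and chain-of-custody rules described in this section and in “Evidence preservation” above, as an added example in Python (not the book’s own procedure): the original is hashed, copied, re-hashed and marked read-only; every step is appended to a custody log; and a later verification re-hashes the image against the acquisition hash so that any change, even an accidental one, is caught before analysis proceeds. File names, the log layout and the examiner names are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-gigabyte images


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so the whole image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record(action: str, examiner: str, item: str, sha256: str) -> Dict[str, str]:
    """One chain-of-custody entry: who did what to which item, when, and what it hashed to."""
    return {"time": datetime.now(timezone.utc).isoformat(), "action": action,
            "examiner": examiner, "item": item, "sha256": sha256}


def acquire(source: str, image: str, log: List[Dict[str, str]], examiner: str) -> str:
    """Copy source to image, hash both, and refuse to proceed unless they match."""
    source_hash = hash_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    image_hash = hash_file(image)
    if image_hash != source_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    os.chmod(image, 0o444)  # read-only copy: the software analogue of write-protecting media
    log.append(record("acquire", examiner, image, image_hash))
    return image_hash


def verify(image: str, log: List[Dict[str, str]], examiner: str) -> bool:
    """Re-hash the image before analysis and compare it with the acquisition hash."""
    expected = next(e["sha256"] for e in log if e["action"] == "acquire" and e["item"] == image)
    actual = hash_file(image)
    log.append(record("verify", examiner, image, actual))
    return actual == expected


def chain_intact(log: List[Dict[str, str]]) -> bool:
    """Every later hash recorded for an item must equal the first one recorded for it."""
    first: Dict[str, str] = {}
    for entry in log:
        first.setdefault(entry["item"], entry["sha256"])
        if entry["sha256"] != first[entry["item"]]:
            return False
    return True


def run_demo() -> Dict[str, bool]:
    """Constructed walk-through: acquire, verify, then detect a tampered image."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect-disk.raw")  # stands in for the original media
        image = os.path.join(d, "suspect-disk.img")
        with open(source, "wb") as f:
            f.write(b"constructed evidence block\n" * 4096)
        log: List[Dict[str, str]] = []
        acquire(source, image, log, "examiner A")
        clean_verify = verify(image, log, "examiner B")
        clean_chain = chain_intact(log)
        os.chmod(image, 0o644)
        with open(image, "ab") as f:  # simulate an accidental write to the working copy
            f.write(b"\x00")
        tampered_verify = verify(image, log, "examiner B")
        return {"clean_verify": clean_verify, "clean_chain": clean_chain,
                "tampered_verify": tampered_verify, "tampered_chain": chain_intact(log)}


if __name__ == "__main__":
    print(run_demo())
```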

Computer Forensic Steps

Prior to any examination, the computer forensic team (or information assurance team if forensics is outsourced) should have a standard methodology and procedural documents in place. Despite the different tools and techniques used, a computer forensic methodology should at a minimum consist of the following steps:

      Identify This is the process of identifying evidence to be collected and presented and of identifying the methods, systems, and tools used for recovery and when to involve law enforcement.

      Acquire This is the process of preserving the integrity of the evidence and ensuring the chain of custody is maintained. The tools, processes, and storage space used to safeguard the evidence obtained, as well as the duplicating and preservation methods, must be thoroughly documented.

      Analyze This is the process of examining and assessing the evidence collected. During this process, examiners must avoid using the original evidence collected for assessment.

      Report The forensic analysis should result in a forensics report. The report should contain the results of the analysis, the processes used, and any implications the examiner may determine as relevant to the organization.

Rules of Evidence

There are three basic rules of evidence that computer forensic examiners in most jurisdictions should observe.

      Authenticity This rule describes the relevancy of evidence collected. Examiners should be able to link evidence collected to the incident in a legitimate and logical method.

      Completeness This rule explains the need for completeness of evidence collected. The evidence collected can be used to identify the real attacker and eliminate other suspects.

      Reliability This rule addresses the integrity of evidence collected. The evidence collection and analysis process should ensure authenticity and reality of evidence collected.

Computer Forensics Teams

Although computer forensics has existed for quite some time, there are still limited formal standards, frameworks, certification, and expertise within the field. As technology evolves, more tools and reference materials are available. Dedicated computer forensic teams are an expensive endeavor. They require expensive ongoing training, are often difficult to retain, and fetch some of the highest salaries in the industry. Smaller or midsize organizations may be challenged to justify the need for a permanent computer forensics team. If your organization intends to develop a computer forensic team, consider the information in the following sections. If your organization decides it will use consultants, you can still leverage the following sections as a guide to determine what qualifications and capabilities the consultant should have.

Establishing a Computer Forensics Team

When establishing a computer forensics team, management should consider the feasibility of an in-house capability. Management should determine the resources required and the demand. Sometimes engaging an external consultant team is a better alternative. The Certified Forensic Computer Examiner (CFCE) credential by the International Association of Computer Investigative Specialists (IACIS) is narrowly focused on demonstrating computer forensics for Windows-based computers. CFCE requires being in law enforcement. The establishment of broader professional certifications such as the (ISC)2 Certified Computer Forensics Professional (CCFP) makes team building more reliable by ensuring individuals know more than how the tools work.

If an organization decides to have an in-house team, consider the size needed. Large organizations and law enforcement organizations require larger teams. Setting up a credible computer forensic team is a formidable process. It is difficult to find skillful and experienced individuals to handle the variety of cases involving digital evidence.

If possible, the computer forensic team should be isolated from regular information technology operations. To ensure integrity and avoid conflict of interest during the evidence collection process, computer forensic duties should not be taken by information technology departments as a part-time activity.

Further Reading

      • Alles, E. J., Z.J. Geradts, and C.J. Veenman. “Source Camera Identification for Heavily JPEG Compressed Low Resolution Still Images.” Journal of Forensic Sciences, 2009. 54(3): 628–638.

      • Bem, Derek, and Ewa Huebner. “Computer Forensic Analysis in a Virtual Environment.” International Journal of Digital Evidence, 2007. 6, no. 2: 1–13.

      • Böhme, Rainer, et al. “Multimedia Forensics Is Not Computer Forensics.” Computational Forensics, 2009. pp. 90–103.

      • Braid, M. “Collecting Electronic Evidence After a System Compromise.” AUSCERT, 2001. www.auscert.org.au/render.html?it=2247.

      • Casey, E., and G.J. Stellatos. “The Impact of Full Disk Encryption on Digital Forensics.” ACM SIGOPS Operating Systems Review, 2008. 42(3): 93–98.

      • Cheddad, A., et al. “Digital Image Steganography: Survey and Analysis of Current Methods.” Signal Processing, 2010. 90(3): 727–752.

      • Garfinkel, Simson. “Anti-forensics: Techniques, Detection, and Countermeasures.” The 2nd International Conference on i-Warfare and Security (ICIW), 2007. pp. 77–84.

      • Jones, KJ, R. Bejtlich, and CW Rose. Real Digital Forensics: Computer Security and Incident Response. Addison-Wesley, 2005.

      • Karen, R. “We’ve Had an Incident, Who Do We Get to Investigate.” SANS Institute, 2002. www.sans.org/rr/whitepapers/incident/652.php.

      • Kessler, Gary C. “Anti-forensics and the Digital Investigator.” Australian Digital Forensics Conference, 2007. p. 1.

      • Kirk, P. Crime Investigation: Physical Evidence and the Police Laboratory. Interscience Publishers, 1953.

      • Kruse II, WG, and JG Heiser. Computer Forensics: Incident Response Essentials. Addison-Wesley, 2005.

      • Kurosawa, K., K. Kuroki, and N. Akiba. “Individual Camera Identification Using Correlation of Fixed Pattern Noise in Image Sensors.” Journal of Forensic Sciences, 54(3), 2009. 639–641.

      • Manson, Dan, et al. “Is the Open Way a Better Way? Digital Forensics Using Open Source Tools.” System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference, pp. 266b–266b. IEEE, 2007.

      • McKemmish, Rodney. “What Is Forensic Computing?” Australian Institute of Criminology, 1999.

      • Mohay, George M., et al. Computer and Intrusion Forensics. Artech House, 2003.

      • Nestler, Vincent J. Computer Security Lab Manual (Information Assurance and Security). McGraw-Hill Education, 2005.

      • Nestler, Vincent J., et al. Principles of Computer Security CompTIA Security+ and Beyond Lab Manual. McGraw-Hill Education, 2011.

      • Ng, T.T., et al. “Passive-Blind Image Forensics.” Multimedia Security Technologies for Digital Rights. Academic Press, 2006. pp. 383–412.

      • Nichols, R., D. Ryan, and J. Ryan. Defending Your Digital Assets Against Hackers, Crackers, Spies, and Thieves. McGraw-Hill Education, 2000.

      • Prosise, C., K. Mandia, and M. Pepe. Incident Response and Computer Forensics. McGraw-Hill Education, 2003.

      • Schmidt, Howard A. Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. Larstan Publishing, 2006.

      • Conklin, Wm. Arthur. Introduction to Principles of Computer Security: Security+ and Beyond. McGraw-Hill Education, 2004.

      • Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2007.

      • Yasinsac, Alec, and Y. Manzano. “Policies to Enhance Computer and Network Forensics.” Proceedings of the 2001 IEEE Workshop on Information Assurance and Security United States Military Academy. West Point, NY, June 5–6, 2001.

Critical Thinking Exercises

        1. A manager suspects an employee may be using an organizational computer to view and download certain illegal materials. The manager has asked the information technology manager for his advice regarding her suspicions about these materials. The IT manager states he can change the password to the user’s account, and they can log in together over the weekend while the worker is out and view materials on the workstation. Is this an acceptable approach to determine whether criminal activity is occurring on the organization’s computer?

        2. An organization is experiencing a loss of information. They find the source of the leak and grow frustrated. While the organization knows who is leaking the information, they are not sure how. The organization has blocked the use of all external media such as USB drives, CDs, and DVDs. It has also developed data loss prevention tools and procedures to prevent information from leaking outside the organization through e-mail. It has also implemented web site filtering so employees cannot use unauthorized web mail or file-sharing services. The only thing in common with the leaked information is that it coincided with new updates to images and pictures on the organization’s public web site. What could be causing the leak?
