Index
Note: Page numbers followed by t indicate tables; those followed by f indicate figures; those followed by b indicate boxes.
A
Address Book, Macintosh analysis, 379, 380f
Alibi, digital forensic analysis assessment, 28–29
Attribution, digital forensic analysis applications, 27–28

B
Backlog, management with limited resources, 33b
Backup tape, data preservation and collection, 105–106, 106b
Bind Torture Kill (BTK) case, 27–28
Bitlocker, analysis in Windows, 288–290
Broccoli v. Echostar Communications, 67–68

C
Catalog Node Identifier (CNID), Macintosh, 356
Central processing unit (CPU), 386
Chief operating officer (COO), electronic discovery, 82b
Cisco routers
  IOS command line interface, 459b, 460
  show tech-support command, 462b
Code Division Multiple Access (CDMA), mobile networks, 520
Coleman v. Morgan Stanley, 64b
Common Log Format (CLF), 451
Compression
  New Technology File System data compression, 222
Corrupted files, repair, 39
Crime reconstruction, overview, 13–15

D
Data abstraction, layers, 6–9
Date-time stamp
  New Technology File System
  timestamp analysis in embedded systems, 424–426
Digital camera, embedded metadata, 40–48, 41b
Digital clone, creation and use, 54b
Digital document, authentication, 31–32
Disk image, Macintosh analysis, 369–370
Distributed Network Attack (DNA), 39–40
Domain name server (DNS), tracking in intrusion investigation, 165b
Duncan, John Edward, III, 29b, 32b
Dynamic Host Configuration Protocol (DHCP), lease, 441b

E
Electrically erasable programmable read only memory (EEPROM), features, 387
Electronic discovery
  criminal procedure utilization for accentuation, 72–74
  data accessibility assessment, 71–72
  data preservation and collection
    evidence chain of custody and control, 104–105
    transactional systems and databases, 102–104
  data processing
    compressed or encrypted files, 109–110
    data transformation and review, 130
    deleted file fragment recovery from unallocated space, 114–116
    deleted files and folders, 109
    e-mail, file servers, and backup tapes, 113–114
    high-priority custodian computers, 110
  documentation importance, 76b, 77t
  electronically stored information preservation obligations, 66–70, 67b
  initial meeting, disclosures, and agreements, 70–71
  international considerations, 66b
  interviews
    information technology personnel, 79–81
E-Mail
  preservation and collection
  processing in electronic discovery, 113–114
Embedded system
  cell phones
    video file system information and metadata, 428t
  central processing unit, 386
  data collection
    physical data acquisition
      chip cleaning, connecting, and reading, 411–413
  electrical diagram reconstruction, 430
  information recovery
    Samsung SGH-D500 phone example
  software reconstruction, 430
EnCase
  Encrypted File System analysis, 291f, 292b
  Macintosh inode file display, 358f
  Windows Enhanced Metafile conversion, 252f
  Windows file permissions display, 220b
Encryption
  mobile network data protection, 541
Enhanced Cell Identification, positioning of mobile devices, 524
Enhanced Observed Time Difference (E-OTD), positioning of mobile devices, 525
Erasable programmable read only memory (EPROM), features, 387
Event Viewer, Windows, 242f
Evidence dynamics
  minimization in intrusion investigation, 160b
Exmerge tool, e-mail preservation and collection, 88b, 89f

F
Ferro electric random access memory (FeRAM), features, 389
Filename Attribute (FNA), New Technology File System, 225
FileVault, accessing data, 370b
Firewall
  intruder connection through virtual private network, 465b
Forensic residue, identification, 49, 50b
F-Response
  e-mail preservation and collection, 92b, 93f, 94f
  intrusion investigation, 205
FTK Imager
  Windows file permissions display, 220b
  Windows shadow copies, 268f
Functional analysis, overview, 14
Fuzzy hashing, intrusion investigation, 185–186

G
Global Positioning System (GPS)
  embedded information in mobile devices, 12b
  positioning of mobile devices, 524
  SatNav artifact analysis, 54b
Globally Unique Identifier (GUID), Office files, 30
Gmail, reconstruction of account setup page, 47f
The Good Practice Guide for Computer-Based Electronic Evidence, 84–85
Google Maps, reconstruction of page, 52f
Google Spreadsheet, data extraction, 58b
Gramm-Leach-Bliley Act (GLBA), 137

H
Hash correlation, intrusion investigation, 185
Header signatures, graphics files, 8b
Health Insurance Portability and Accountability Act (HIPAA), 137
Hex editor, data record recovery from embedded systems, 414–415, 415f
Home Location Register (HLR), mobile networks, 521
Hypertext Transfer Protocol (HTTP)

I
IDA Pro, data record recovery from embedded systems, 415–417, 416f
Integrated Service Solutions, Inc. v. Rodman, 70b
Intent, digital forensic analysis determination, 29–30
Interception, mobile network data
  authentication systems, 538
  encryption and data protection, 541
  information system documentation, 540–541
  intercept related information report
    cell information IRI record format, 546–549
International Mobile Equipment Identifier (IMEI), 521–522, 522b
Internet Explorer, analysis in Windows, 280–282, 281f
Intrusions
  case management
    attributes
      configuration settings, 166
      network transmissions and sessions, 167
    containment/remediation versus investigative success, 163–164
    evidence dynamics minimization, 160b
    project management comparison, 162b
  collection of evidence
    forensic acquisition of memory, 177–178
  domain/directory preparation, 155–156
  feeding analysis back into detection phase
    network-based intrusion detection, 205–206
    rootkit interference circumvention for artificial sweeps, 204
  host-based analysis
    process structure correlation, 186
  initial observations
    e-mail with suspicious contents, 171–172
    intrusion detection system alert, 171
    network traffic abnormalities, 173
  preparation for security breach
    inventory of assets and data, 145–146
  reporting of investigations
  written authorizations for investigation, 143b
IP address, searching in packet contents, 494, 494f
iPod, sharing analysis, 368b

J
Jamming device, technical specification, 527t
Johnson v. Wells Fargo, 216b

L
LADS, alternate data stream display, 221b
Leon v. IDX Systems Corp., 274b
Logging
  network-level logging, 151b
Logical Disk Manager (LDM), analysis in Windows, 294–295, 295b
Lotus Domino server, e-mail preservation and collection, 96–97, 96b

M
Macintosh
  file systems
    data versus resource forks, 356, 357f
Malware
  digital forensic analysis rationale, 44
  unknown code assessment in intrusion investigation, 187–188
Master File Table (MFT), New Technology File System
  data runs with negative offsets, 228b
  Standard Information Attribute, 223–225
Memory management unit (MMU), features, 389–390
Metadata
  Windows
    extraction from Microsoft Office, 233b, 234f
Microsoft Backup, data preservation and collection, 101–102
Microsoft Exchange servers, e-mail preservation and collection, 86–96, 91f, 92b, 95b
Microsoft Office, metadata extraction, 233b, 234f
Mobile networks
  evidence types
    positioning of mobile devices, 524–526
    remote activation of electronic devices, 526–527
    usage logs and billing records, 527–529
  interception
    authentication systems, 538
    encryption and data protection, 541
    information system documentation, 540–541
    intercept related information report
      cell information IRI record format, 546–549
  mobile device definition, 518
  telephony versus telematic services, 519t
Multimedia Message Service (MMS), evidence, 531

N
NetIntercept, intrusion investigation, 495f
NetWitness, capture file profiling, 483b
Network-attached storage (NAS), analysis in Windows, 298–299
Network-based intrusion detection (NIDS), intrusion investigation, 205–206
Network investigations
  authentication
    intruder connection to router through dialup, 477b
  challenges in evidence collection, 15–16
  computer tracking within network, 441b
  credit card theft case, 452b
  cybertrail case example, 438b
  traffic analysis
    capture files
      filtering to reduce size, 490b
      file extraction from TCP session
      IP address searching in packet contents, 494, 494f
    tools
      Wireshark, 482–483, 482t, 487–488, 488f, 489f, 490t, 491–494, 492b, 492f, 492t, 494f, 498b
Network Miner, file extraction from TCP session, 495b, 496f
New Technology File System (NTFS)
  Master File Table
    data runs with negative offsets, 228b
    Standard Information Attribute, 223–225
Ngrep, network traffic analysis
  ASCII and hex value searches, 491, 491t
Notepad, Macintosh analysis, 382f

O
Occam's razor, intrusion investigation, 182–184
Operating system, configuration and usage, 42–48, 42b
Optical character recognition (OCR), 38

P
Pagefile, security risks, 149b
Passwords, Macintosh analysis, 362–364
Payment Card Industry Data Security Standard (PCI DSS), 137
Programmable read only memory (PROM), features, 387
Proximity searching, caveats, 9b

Q
Qualcomm, Inc. v. Broadcom Corp., 69b

R
Random access memory (RAM)
Read only memory (ROM), features, 387
Redundant array of inexpensive disks (RAID)
Relational analysis, overview, 14
Remote Authentication Dial In User Service (RADIUS), 473–475, 473t
Reparse points, New Technology File System, 222–223, 223f
Resource fork, Macintosh analysis, 356, 357f
Robocopy, data preservation and collection, 101–102, 102f

S
Sarbanes-Oxley Act (SOX), 137
SatNav, artifact analysis, 54b
Scientific method
  application to digital forensics, 5–13, 10b
Segmentation hashing, intrusion investigation, 185–186
Semantic Intelligence, mobile network analysis, 556–557
Server Message Block (SMB)
  anonymous connections, 457b
Short Message Service (SMS)
Skimming, magnetic cards, 392b
Source
  digital forensic analysis, 30–31
  evidence relationship, 10–13
Spoliation, Leon v. IDX Systems Corp., 274b
Standard Information Attribute (SIA), New Technology File System, 223–225
Steganography, overview, 33–37
Storage area network, analysis in Windows, 298–299
Stroz Discovery, document categorization, 129, 129f

T
Tcpdump, network traffic analysis
Temporal analysis, overview, 14–15
Thin Small-Outline Package (TSOP) chip, removal and analysis, 410f, 411
Time difference of arrival (TDOA), positioning of mobile devices, 524
Time Division Multiple Access (TDMA), mobile networks, 520
Time of arrival (TOA), positioning of mobile devices, 524–525
Time synchronization, intrusion investigation, 156, 156b
Time zone, case complications, 51b
Trojan horse, digital forensic analysis rationale, 44
Tshark, network traffic analysis

U
Unallocated space
  deleted file fragment recovery, 114–116
Unix
  commercial operating systems, 303–304
  system configuration and scheduled tasks, 328–329
  user activity artifacts
    data deletion and destruction, 338–339

V
Virginia Prescription Marketing Program (VPMP)
Virtual identity, versus actual identity, 441b
Virtual private network (VPN)
  firewall connection through virtual private network, 465b

W
Web browsers
  artifact interpretation, 52b
Windows
  communications activity analysis
  metadata
    extraction from Microsoft Office, 233b, 234f
  network-attached storage (NAS), 298–299
  New Technology File System
    Master File Table
      data runs with negative offsets, 228b
      Standard Information Attribute, 223–225
  redundant array of inexpensive disks
Windows Mobile
  logical acquisition using .XRY, 8f
  physical acquisition using XACT, 7f
Winhex, data record recovery from embedded systems, 415f
Wireshark
  anonymous connections, 457b
  Ethernet frame display, 444f
Wireshark, network traffic analysis
  file extraction from packet containing unknown protocol, 496b
  file extraction from TCP session containing unknown protocol, 498b
  port and protocol searches, 490t

X
XACT, information recovery from embedded systems, 418–419, 420f
xxcopy, data preservation and collection, 100, 101f

Z
Zubulake v. UBS Warburg, 67b, 75