Index
Note: Page numbers followed by t indicates tables; f indicates figures; b indicates boxes.
A
ACK bit
446–447Alibi, digital forensic analysis assessment
28–29AMX Corp
1–2Attribution, digital forensic analysis applications
27–28B
Backlog, management with limited resources
33bBGA chip
Bind Torture Kill (BTK) case
27–28Bitlocker, analysis in Windows
288–290Broccoli v. Echostar Communications
67–68Browsers
seeWeb browsers
BSD, see Unix
302–303BTK case
C
Carr, Maxine
28bCatalog Node Identifier (CNID), Macintosh
356Central processing unit (CPU)
386Chapman, Jessica
28bChief operating officer (COO), electronic discovery
82bCLF
CNID
Code Division Multiple Access (CDMA), mobile networks
520Coleman v. Morgan Stanley
64bCommand history, Unix
332–334Common Log Format (CLF)
451COO
Corrupted files, repair
39CPU
Creston Electronics
1–2Crime reconstruction, overview
13–15D
Data abstraction, layers
6–9Desoldering, chips
410–411Digital clone, creation and use
54bDigital document, authentication
31–32Discover
Disk image, Macintosh analysis
369–370Distributed Network Attack (DNA)
39–40DNS
Domain name server (DNS), tracking in intrusion investigation
165bDurall, Robert
29–30Dynamic Host Configuration Protocol (DHCP), lease
441bE
EFS
Electrically erasable programmable read only memory (EEPROM), features
387Electronic discovery
criminal procedure utilization for accentuation
72–74data accessibility assessment
71–72data preservation and collection
cell phones
104e-Mail
live servers
85–86evidence chain of custody and control
104–105Microsoft Backup
101–102transactional systems and databases
102–104data processing
compressed or encrypted files
109–110data transformation and review
130deleted file fragment recovery from unallocated space
114–116deleted files and folders
109e-mail, file servers, and backup tapes
113–114forensic images
108–113high-priority custodian computers
110image files
110indexing of documents
120–124overview
106–130personal data
111–112Web usage exploration
112–113data storage locations
78initial meeting, disclosures, and agreements
70–71international considerations
66blegal basis
66overview
63–65presentation of data
130–132quality assurance
131bE-Mail
intrusion alerts
171–172preservation and collection
live servers
85–86processing in electronic discovery
113–114Unix analysis
345–350Embedded system
acronyms
431–433cell phones
classification
426–428file traces
429multimedia data
428–429video file system information and metadata
428tcentral processing unit
386data collection
brute force
403–404correlation measurements
402–403manual examination
404–405physical data acquisition
boot loaders
407–408chip cleaning, connecting, and reading
411–413definition
406–413desoldering
410–411reballing of chips
411software
407procedural access
398–399definition
384–391devices
385–386electrical diagram reconstruction
430functionality determination
429–430information recovery
data carving
418file system recovery
417–418overview
413–424tools
418–419overview
383–384prospects for analysis
430–431software reconstruction
430timestamp analysis
424–426EMF
EnCase
Macintosh inode file display
358fWindows Enhanced Metafile conversion
252fWindows file permissions display
220bwork flow
112bEnhanced Cell Identification, positioning of mobile devices
524Enhanced Observed Time Difference (E-OTD), positioning of mobile devices
525Enron
106bEntwistle, Neil
29Erasable programmable read only memory (EPROM), features
387Event Viewer, Windows
242fF
Fax, electronic
38Ferro electric random access memory (FeRAM), features
389Filename Attribute (FNA), New Technology File System
225FileVault, accessing data
370bFlow-tools
seeNetFlow
FNA
Forensic soundness
3–5Functional analysis, overview
14Fuzzy hatching, intrusion investigation
185–186G
GLBA
Global Positioning System (GPS)
embedded information in mobile devices
12bpositioning of mobile devices
524SatNav artifact analysis
54bGlobally Unique Identifier (GUID), Office files
30Gmail, reconstruction of account setup page
47fGoldenberg, David
1–2The Good Practice Guide for Computer-Based Electronic Evidence
84–85Google Maps, reconstruction of page
52fGoogle Spreadsheet, data extraction
58bGramm-Leach-Bliley Act (GLBA)
137Grepmail, Unix analysis
347–348GUID
Guthrie, William
29H
Hash correlation, intrusion investigation
185Header signatures, graphics files
8bHealth Insurance Portability and Accountability Act (HIPAA)
137Heyne, Frank
221bHiberfil.sys
261–263HLR
Home Location Register (HLR), mobile networks
521HTTP
Huntley, Ian
28bI
Integrated Service Solutions, Inc. v. Rodman
70bIntent, digital forensic analysis determination
29–30Interception, mobile network data
audit logs
540authentication systems
538data deletion
539–540definition
532–533encryption and data protection
541evolution
541information system documentation
540–541intercept related information report
cell information IRI record format
546–549privacy concerns
537–540separate data storage
538–539Interviews
Intrusions
case management
attributes
configuration settings
166files of system
166indicators of execution
166–167network transmissions and sessions
167communication channels
162–163containment/remediation versus investigative success
163–164evidence dynamics minimization
160bproject management comparison
162bcollection of evidence
forensic acquisition of memory
177–178live collection
176–177log copying
179bnetwork packet capture
178–179overview
175–179domain/directory preparation
155–156evidence sources
138bfeeding analysis back into detection phase
enterprise-wide visibility
203–204hardware load
204host-based detection
202–203network-based intrusion detection
205–206rootkit interference circumvention for artificial sweeps
204host-based analysis
directory correlation
186fuzzy hatching
185–186hash correlation
185keyword search
186–187process structure correlation
186segmentation hashing
185–186initial observations
blacklist violations
173crashes
172–173e-mail with suspicious contents
171–172intrusion detection system alert
171network traffic abnormalities
173network architecture
154–155preparation for security breach
host preparation
147–150inventory of assets and data
145–146log retention
147–150policies and procedures
146–147tools
157btraining and drills
156–157written authorizations for investigation
143biPod, sharing analysis
368bK
Kercher, Meredith
517bL
LADS, alternate data stream display
221bLDM
Leon v. IDX Systems Corp.
274bLinux
seeUnix
Lumumba, Patrick
517bM
Macintosh
application analysis
364–365disk images
369–370imaging
353–355log on and off
369logs
367–369Notepad
382fsystem configuration files
365–370Mairix, Unix analysis
348–350Malware
digital forensic analysis rationale
44unknown code assessment in intrusion investigation
187–188Master File Table (MFT), New Technology File System
data access control
219–221data compression
222data runs with negative offsets
228bFilename Attribute
225overview
216–217querying
204records
223$Secure
219–221Standard Information Attribute
223–225Memory management unit (MMU), features
389–390Memory
Metadata
Metaviewer, output
234fMFT
Microsoft Backup, data preservation and collection
101–102Microsoft Windows
seeWindows
MIME encoding
38–39MMU
Mobile networks
evidence types
intercepted data
532–533localization parameters
524–527positioning of mobile devices
524–526remote activation of electronic devices
526–527text/multimedia messages
529–532usage logs and billing records
527–529interception
audit logs
540authentication systems
538data deletion
539–540definition
532–533encryption and data protection
541evolution
541information system documentation
540–541intercept related information report
cell information IRI record format
546–549privacy concerns
537–540separate data storage
538–539mobile device definition
518Semantic Intelligence
556–557telephony versus telematic services
519ttraffic analysis
553–556usage log analysis
553Multimedia Message Service (MMS), evidence
531N
NAS
NetIntercept, intrusion investigation
495fNetWitness, capture file profiling
483bNetwork-attached storage (NAS), analysis in Windows
298–299Network-based intrusion detection (NIDS), intrusion investigation
205–206Network investigations
challenges in evidence collection
15–16computer tracking within network
441bcredit card theft case
452bcybertrail case example
438bdata theft case
456bevidence preservation
457–458firewalls
463–464log correlation
505–516mobile networks
overview
437–439protocol types
442–457New Technology File System (NTFS)
data access control
219–221data compression
222file deletion detection
229–230Master File Table
data runs with negative offsets
228bFilename Attribute
225overview
216–217records
223Standard Information Attribute
223–225$Secure
219–221Notepad, Macintosh analysis
382fNTFS
O
Occam's razor, intrusion investigation
182–184Office
Optical character recognition (OCR)
38OS X
seeMacintosh
P
Pagefile, security risks
149bPagefile.sys
261–263Passwords, Macintosh analysis
362–364Payment Card Industry Data Security Standard (PCI DSS)
137PDF, searching
38Programmable read only memory (PROM), features
387Proximity searching, caveats
9bQ
Qualcomm, Inc. v. Broadcom Corp.
69bR
RAM
Read only memory (ROM), features
387Reballing, chips
411Relational analysis, overview
14ROM
Root directory, Unix
316–318RP
S
Salvaging
Sarbanes-Oxley Act (SOX)
137SatNav, artifact analysis
54bScientific method
$Secure
219–221Secure Shell, Unix
339Security breach
seeIntrusions
Segmentation hashing, intrusion investigation
185–186Semantic Intelligence, mobile network analysis
556–557Server Message Block (SMB)
anonymous connections
457bcommand codes
454tmessage exchange
446foverview
452–457Skimming, magnetic cards
392bSMB
SMS
SOX
Spoliation, Leon v. IDX Systems Corp.
274bStandard Information Attribute (SIA), New Technology File System
223–225Steganography, overview
33–37Storage area network, analysis in Windows
298–299Swap space, Unix
351SYN bit
446–447SYN packet
446–447System V, Unix
305–306T
TDOA
Temporal analysis, overview
14–15Time difference of arrival (TDOA), positioning of mobile devices
524Time Division Multiple Access (TDMA), mobile networks
520Time of arrival (TOA), positioning of mobile devices
524–525Time zone, case complications
51bTimestamp
TOA
Travis, Maury
27bTrojan horse, digital forensic analysis rationale
44TSOP chip
U
Unix
BSD programs
302–303commercial operating systems
303–304definitions
301–302Linux
302swap space
351system configuration and scheduled tasks
328–329user accounts
326–328V
Validation, tools
26Virginia Prescription Marketing Program (VPMP)
2Virtual identity, versus actual identity
441bVirtual private network (VPN)
firewall connection through virtual private network
465bVista
seeWindows
VPN
W
Wells, Holly
28bWindows
autorun locations
148bcommunications activity analysis
emulators
209Event Viewer
242fnetwork-attached storage (NAS)
298–299New Technology File System
data access control
219–221data compression
222file deletion detection
229–230Master File Table
data runs with negative offsets
228bFilename Attribute
225overview
216–217records
223Standard Information Attribute
223–225$Secure
219–221storage area network
298–299versions
210Windows 7
213–214Windows XP
211–212WinFS
214–215Winhex, data record recovery from embedded systems
415fWireshark
anonymous connections
457bEthernet frame display
444fHTTP GET request
449fTCP header display
447fX
XP
seeWindows
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.