Index

Access Data, 228
Active partition, 96, 97, 101, 102, 109, 117, 118, 119, 120
Address:
  HEX editor address panel, 37
  Logical Block Address (LBA), 130, 132–133
Adobe, 41, 46, 287
Advanced Encryption Standard (AES), 65
Apple/Macintosh:
  boot process in, 86
  endian designation by, 117
  file extensions for, 70–72
  file signature information for, 76
  file systems of, 152, 153, 202
  hard drive removal from, 91
  operating systems, 44, 76, 86, 152, 153, 202
ASCII (American Standard Code for Information Interchange):
  binary and decimal values assigned to, 8–9, 16, 17, 32–34, 57, 66, 285–286, 288
  extended, 10–11
  HEX equivalent to, 32–34, 55, 57–58, 66, 77, 154–155, 161, 248–249, 288
  overview of, 7–9
Bad clusters, 164, 167, 180
Base 2 numbering system, 2–3. See also Binary system
Binary system:
  ASCII equivalents to, 8–9, 16, 17, 32–34, 57, 66, 285–286, 288
  binary (HEX) editor, 34–39, 43, 53–57, 66, 98–101, 117–125, 289
  binary tree filing system, 196–200
  bits as building blocks of, 4–7, 165–166, 284
  b-tree filing system, 200–202
  character codes using, 7–13, 25–42 (see also ASCII; Hexadecimal characters; Unicode)
  decimal equivalents of, 15–24, 26, 29, 32–34, 252–253, 285–287
  electricity and magnetism relationship to, 3–4

329

bbindex.indd 329 14/03/12 7:55 AM

330 Index

Binary system (Continued)
  exponents/power of 2 in, 5–7, 165–166, 186–187, 251–252, 255–256
  fundamentals of, 2–3
  HEX representation of, 22, 23, 25–42, 43, 53–58, 66, 77, 98–101, 117–125, 227, 288
  origins of data in, 4–5
BIOS (Basic Input Output System), 86, 88–96, 107–108
$Bitmap, 195, 206
Bits:
  ASCII coding scheme using, 7–9
  as binary system building blocks, 4–7, 165–166, 284
  bit-for-bit imaging of evidence, 225–226
  bytes as eight, 8, 18, 27–30, 31 (see also Bytes)
  exponential combinations of, 5–7, 165–166, 186–187, 251–252, 255–256
  HEX system using, 27–30, 31
  as origins of data, 4–5
  Unicode/UCS using, 8, 10–12
Books, cataloging of, 147–149, 150, 151, 153, 177
Boot process:
  BIOS function in, 86, 88–96, 107–108
  boot device sequence, 89, 93–95
  booting up, 86, 87
  boot loader in, 92–93, 96, 101–102, 109
  evidence corruption during, 90–93, 94–96, 289–290
  file mounting in, 85–86, 87, 289
  HEX editor in, 98–101, 117–125
  Master Boot Record in, 95–110, 117–125
  partitions/partition table in, 96–97, 101, 102–107, 109, 117–125, 130, 132–144, 179, 190–191, 192
  POST function in, 87–88, 92
  setup utility in, 92–96
  signature words in, 96–97, 101, 107, 109
  summary of, 86–87, 107–111
  Volume Boot Record in, 98, 153–157, 179–185
  write blocking or protection in, 88, 90–91
Braille Encoding System, 10
Bytes:
  byte offsets, 37, 98–101, 120–121, 124, 130, 154, 162–163, 179–185, 190–193, 248–258
  character codes using, 8, 10, 18, 27–30, 31
  cluster size in, 157, 167–170
  endianness by significance of, 114–117
  HEX system using, 27–30, 31
  partition size in, 121, 138
  per sector, 59, 80, 97, 130, 138, 155–156
  signature, 96–97, 101, 107, 109
Case study, 20–22, 25–26, 30–39, 143–144, 208, 214–216, 228–229, 232–234, 235–237, 264–265, 268–269, 297–302


Cataloging systems, 147–149, 150, 151, 153, 177. See also File systems
Chain of custody, 218–221, 222–223, 228–229, 268
Character codes:
  ASCII as, 7–9, 10–11, 16, 17, 32–34, 55, 57–58, 66, 77, 154–155, 160–161, 248–249, 285–286, 288
  binary system basis for, 7–13, 25–42
  decimal value for, 16–24, 26, 29, 32, 34, 55, 120–121, 155–156, 172–173, 192–193, 249, 257
  HEX as, 22, 23, 25–42, 43, 53–58, 66, 77, 98–101, 117–125, 130, 154–156, 161, 162–163, 170–173, 179–185, 190–193, 227–229, 248–258, 288, 289
  HEX editor character panel, 38–39
  textual data processing using, 10
  Unicode/UCS as, 8, 10–12, 16, 18, 57
Ciphers, 64–65
Clocks. See also Time
  clock manipulation, 246–247
  clock model, 247–248
  clock skew, 245–246, 292
  system clock verification, 89
Clusters:
  allocation of, 132, 195, 206
  bad, 164, 167, 180
  cluster size, 104, 106, 132, 140, 157, 167–170
  file system use of, 106, 132, 146–147, 153, 156–157, 164–170, 171–173, 194–195, 206
  number of clusters needed, 171
  sectors per cluster, 156–157
Complex files, 59–65, 79–83, 229
Compound files, 59–61, 79–83
Compressed files, 61–64. See also ZIP file format
Confidentiality of data, 64–65, 270, 276–277, 297
Coordinated Universal Time (UTC), 242, 247, 259
Creation date and time, 237–238, 244, 253, 258
Cyber forensic concepts. See also Cyber forensic practices
  boot process (see Boot process)
  endianness (see Endianness)
  evidential data (see Data; Evidence)
  files (see Files; File systems)
  hard drives (see Hard drives; Partition; Volumes)
Cyber forensic practices. See also Cyber forensic concepts
  case study, 20–22, 25–26, 30–39, 143–144, 208, 214–216, 228–229, 232–234, 235–237, 264–265, 268–269, 297–302
  data preparation, 229–234, 240, 293
  evidence acquisition, 221–229, 239–240, 293
  evidence handling, 216–221, 222, 239, 293
  evidence retention and curation, 269–273, 294
  forensic process, 208, 209–211, 283–295


Cyber forensic practices (Continued)
  investigation, 234–238, 240, 263–280, 293–294
  Investigative Smart Practices, 207–208, 209, 211–238, 239–240, 264–273, 292–294
  quality control assessment, 278–279
  reporting, 265–269, 294, 297–302
  request for investigation, 211–216, 239, 293
  time and, 238–239, 241–260, 292
Cylinders:
  Cylinder, Head and Sector (CHS) fields, 130, 132–138
  hard drive tracks and cylinders, 130, 132
Data. See also Evidence
  ASCII coding scheme of, 7–9, 10–11, 16, 17, 32–34, 55, 57–58, 66, 77, 154–155, 160–161, 248–249, 285–286, 288
  binary system, 2–13, 15–24, 25–42, 43, 53–58, 66, 77, 98–101, 117–125, 165–166, 186–187, 196–202, 227, 251–253, 255–256, 284–287, 288, 289
  bits as building blocks of, 4–9, 18, 165–166, 284
  character codes for, 7–13 (see also ASCII; Hexadecimal characters; Unicode)
  confidentiality of, 64–65, 270, 276–277, 297
  data preparation in cyber forensics, 229–234, 240, 293
  decimal system, 15–24, 26, 29, 32–34, 55, 120–121, 155–156, 172–173, 192–193, 249, 252–253, 257, 285–287
  electricity and magnetism relationship to, 3–4
  encryption of, 64–65
  endianness of, 113–125, 155–156, 193, 290–291
  files of (see Files)
  forensic imaging of, 47, 90–92, 110, 221–223, 225–226, 227–229, 239, 269, 293
  fundamentals of, 1–13
  hexadecimal representation of, 22, 23, 25–42, 43, 53–58, 66, 77, 98–101, 117–125, 130, 154–156, 160–161, 162–163, 170–173, 179–185, 190–193, 227–229, 248–258, 288, 289
  HEX-data panel, 38, 40
  indexing, 231–232, 234
  metadata, 45, 59–60, 78, 148–153, 191, 206, 237–238, 242, 244–245
  native format of, 18, 41, 287
  origins of, 4–5
  resident, 194
  searching, 232–234
  timestamp, 242, 244–250, 252–259, 292
  Unicode/UCS standard for, 8, 10–12, 16, 18, 57
  verifying, 231
  write blocking or protection of, 88, 90–91, 224–225, 226, 228


Data preparation:
  data verification in, 231
  deleted file recovery in, 229–231, 234
  indexing in, 231–232, 234
  mounting in, 229
  preprocessing in, 229
  searching in, 232–234
  steps in, 229–234, 240, 293
Dates. See also Time
  accessed/last accessed date and time, 245
  chain of custody including, 218–220
  creation date and time, 237–238, 244, 253, 258
  date stamps, 243, 248–250
  days, 251, 253
  determination of, 250–254
  directory entry including, 162–163, 181
  investigation noting discrepancies in, 237–238
  last modified date and time, 238, 244, 253, 258
  months, 251, 253
  order and interpretation of, 113–114
  search criteria including, 214, 216
  years, 252–253
Decimal system:
  binary equivalents of, 15–24, 26, 29, 32–34, 252–253, 285–287
  HEX character equivalents to, 26, 29, 32, 34, 55, 120–121, 155–156, 172–173, 192–193, 249, 257
Defragmentation of hard drives, 146–147, 173
Directory entries, 162–163, 167, 170–173, 176–177, 181, 244. See also Master File Table
Domino, 226
DOS (Disk Operating System):
  boot process in, 92, 101, 118, 122
  file extensions used by, 71
  file signatures for, 75
  file system of, 152
  partitions in, 118, 122
  time and date stamps in, 248–250, 252–259, 292
Dwords, 114, 126
Electricity and magnetism, 3–4
Electronic Communications Privacy Act, 213
Email, evidence acquisition of, 226
EnCase, 176, 228–229
Encrypted files, 64–65
Endianness:
  big vs. little, 114–117, 290
  of data, 113–125, 155–156, 193, 290–291
  origins of, 117
  partition tables and, 117–125
Evidence:
  access rights to, securing, 276–277
  acquisition of, 221–229, 239–240, 293
  best evidence rule, 224
  bit-for-bit imaging of, 225–226


Evidence (Continued)
  boot process corruption of, 90–92, 94–96, 289–290
  chain of custody for, 218–221, 222–223, 228–229, 268
  confidentiality of, 270, 276–277, 297
  data as (see Data)
  duplicate, 224
  forensic imaging of, 47, 90–92, 110, 221–223, 225–226, 227–229, 239, 269, 293
  handling of, 216–221, 222, 239, 293
  hashing, 227–229
  ISO standards for, 271–273
  original, 223
  privacy laws related to, 213
  reporting findings from, 265–269, 294, 297–302
  retention and curation of, 269–273, 294
  types/classification of, 223–224
  write blocking or protection of, 88, 90–91, 224–225, 226, 228
Excel, Microsoft, 46, 68, 74
Exchange, 226
exFAT (extended file allocation table) file system, 196
Expert witness testimony, 273–277, 279
Exponents, law of, 5–7, 165–166, 186–187, 251–252, 255–256
Extended partition, 119, 122, 140–142
Extensions, file, 18, 45–53, 61, 68–72, 73–76, 78, 163, 231, 235–237
EXT file systems, 202–203
FAT (File Allocation Table) file systems, 152, 153–187, 196, 244, 259. See also File systems
  cluster size determination in, 167–170
  directory entries in, 162–163, 167, 170–173, 176–177, 181, 244
  exFAT, 196
  FAT 12, 165–166, 180, 182–183
  FAT 16, 166, 174–176, 180, 182–183
  FAT 32, 166, 180, 184–185
  file allocation table in, 153, 163–167, 180
  HEX in, 154–156, 161, 170–173, 179–185
  limitations of, 174–177
  slack space in, 157–161, 170
  time and date stamps in, 244, 259
  Volume Boot Record in, 153–157, 179–185
FDISK partition editors, 101, 106–107
Files:
  boot process allowing access to (see Boot process)
  changing file extensions as deception, 47–53, 231, 235–237
  complex, 59–65, 79–83, 229
  compound, 59–61, 79–83
  compressed, 61–64 (see also ZIP file format)
  encrypted, 64–65
  file attributes, 194–195, 205–206, 243, 259


Files (Continued)
  file extensions, 18, 45–53, 61, 68–72, 73–76, 78, 163, 231, 235–237
  file formats and structures, 44–45, 68–72, 288–289
  file headers, 37, 41, 45, 59–60, 78, 79–83, 194, 206, 287–288, 288–289
  file signature databases, 59, 73–76
  file signature information, 45, 55–57, 58–59, 61–62, 63, 66, 73–78, 236, 288–289
  file slack, 158–161, 170
  file systems, 123–125, 132, 139–140, 147–187, 189–206, 237–238, 242, 243, 244–245, 259, 291–292
  fragmentation of, 132, 146–147, 164, 173
  HEX editor viewing, 53–58, 66, 77, 99–101, 154–155, 289
  metadata in, 45, 59–60, 78, 148–153, 191, 206, 237–238, 242, 244–245
  mounting, 63, 85–86, 87, 229, 289
  native format of, 18, 41, 287
  object linking and embedding in, 60
  recovering deleted, 229–231, 234
  value of file signatures, 58–59
  verification of, 231
File systems:
  alternative, 196–203
  binary tree file systems, 196–200
  $Bitmap in, 195, 206
  boot process allowing access to (see Boot process)
  b-tree file systems, 200–202
  bytes per sector in, 155–156
  cluster allocation in, 131–132, 195, 206
  cluster size determination in, 167–170
  directory entries in, 162–163, 167, 170–173, 176–177, 181, 244 (see also Master File Table)
  exFAT file systems, 196
  EXT file systems, 202–203
  FAT (File Allocation Table) file systems, 152, 153–187, 196, 244, 259
  file allocation table in, 153, 163–167, 180
  file attributes in, 194–195, 205–206, 243, 259
  HEX in, 154–156, 160–161, 170–173, 179–185, 190–193
  Hierarchical File System, 202
  library cataloging systems comparison to, 147–149, 150, 151, 153, 177
  limitations of, 174–177, 196
  Master File Table in, 191–195, 244 (see also Directory entries)
  metadata in, 148–153, 191, 206, 237–238, 242, 244–245
  NTFS (New Technology File System), 189–196, 205–206, 244, 259
  overview of, 147–149, 291–292
  Partition Boot Record in, 190–191, 192


File systems (Continued)
  partitions, volumes and, 123–125, 139–140, 179 (see also Partition Boot Record and Volume Boot Record subentries)
  sectors per cluster in, 156–157
  slack space in, 158–161, 170
  system ID field, 123–124
  time and date stamps in, 244, 259
  UNIX File System, 202, 203
  Volume Boot Record in, 153–155, 179–185
Forensic imaging, 47, 90–92, 110, 221–223, 225–226, 227–229, 239, 269, 293
Forensic process, 208, 209–211, 283–295. See also Cyber forensic practices
Forensic report, 265–269, 294, 297–302
Fourth Amendment, 213
FTK, 228
GIF (Graphic Interchange Format) file format, 45, 55, 77
Google searches, 55, 231–232
Guidance Software, 176, 228
Hard drives:
  boot process (see Boot process)
  clusters on, 104, 106, 131–132, 140, 146–147, 153, 156–157, 164–170, 171–173, 180, 194–195, 206
  defragmentation of, 146–147, 173
  evidence corruption on, 90–92, 94–95, 289–290
  labels, 233
  partition of, 96–97, 101, 102–107, 109, 117–125, 130, 132–144, 147, 179, 190–191, 231, 232–234, 291
  removal of, 91
  sectors of (see Sectors)
  technology of, 130–132
  tracks and cylinders of, 130, 132
  volumes of, 138–142, 147, 291
Hash values, 227–229
Headers, file:
  compound file, 59–60, 79–83
  data in, 41, 287–288
  file format/attributes identified in, 45, 60, 194, 206, 288–289
  HEX editor header panel, 37
  metadata in, 45, 59–60, 78, 206
Hexadecimal (HEX) characters:
  ASCII equivalent of, 32–34, 55, 57–58, 66, 77, 154–155, 160–161, 248–249, 288
  binary to HEX conversion, 30–34, 288
  binary values represented by, 22, 23, 25–42, 43, 53–58, 66, 77, 98–101, 117–125, 227, 288
  bit, byte and nibble equivalents to, 27–30, 31
  boot process using, 98–101, 117–125
  decimal equivalents to, 26, 29, 32, 34, 55, 120–121, 155–156, 172–173, 192–193, 249, 257


Hexadecimal (HEX) characters (Continued)
  file identification using, 53–58, 66, 77, 99–101, 154–155, 289
  file system use of, 154–156, 160–161, 170–173, 179–185, 190–193
  hashes displayed in, 227–229
  HEX editor, 34–39, 43, 53–58, 66, 77, 98–101, 117–125, 154–155, 289
  offsets relative to, 37, 98–101, 120–121, 124, 130, 154, 162–163, 179–185, 190–193, 248–258
  time and date stamps using, 248–258
Hierarchical File System (HFS), 202
HTML (hypertext markup language) file format, 45, 77–78
Indexing data, 231–232, 234
Intel processors, 116, 117
Investigation. See also Cyber forensic practices
  closing case files in, 278
  definition of, 264
  document initiating, 211–212
  expert witness role of investigator, 273–277, 279
  Investigative Smart Practices, 207–208, 209, 211–238, 239–240, 264–273, 292–294
  legitimacy and scope of, 212–216, 293
  objectives of/steps in, 234–238, 240, 263–280, 293–294
  post-investigation quality control assessment, 278–279
  privacy laws impacting, 213
  report communicating findings of, 265–269, 294, 297–302
  request for, 211–216, 239, 293
  search criteria in, 214, 216, 232, 234
  wrap-up and conclusion of, 273–279, 294
ISO standards:
  14721:2003, 272–273
  15489:2001, 271–272
Java Virtual Machine, 116
JPEG (Joint Photographic Experts Group) file format, 45, 52, 55–56, 74, 77
Keywords, 41, 59, 214, 216, 232, 234, 236–237, 287
Last modified date and time, 238, 244, 253, 258
Library cataloging systems, 147–149, 150, 151, 153, 177
Linux, 44, 78, 122, 152, 153, 202–203
Logical Block Address (LBA), 130, 132–133
Logical partition, 122–123
Macintosh:
  boot process in, 86
  endian designation by, 117
  file extensions for, 70–72
  file signature information for, 76
  file systems of, 152, 153, 202
  hard drive removal from, 91
  operating systems, 44, 76, 86, 152, 153, 202


Magic number, 55, 77–78, 202. See also Files: file signature information
Magnetism, 3–4
Master Boot Record (MBR), 95–110, 117–125
Master File Table, 191–195, 244. See also Directory entries
Metadata, 45, 59–60, 78, 148–153, 191, 206, 237–238, 242, 244–245
Microprocessor calculations, 16–17
Microsoft:
  Compound File Binary Format, 59
  DOS, 71, 75, 92, 101, 118, 122, 152, 248–250, 252–259, 292
  Excel, 46, 68, 74
  file extensions used by, 18, 45–53, 61, 68–72, 73–76, 78, 163
  file signatures of MS products, 56–58, 61–62, 63, 73–76, 236
  file system of, 150, 152, 153–157, 189–196, 205–206, 244, 259
  Head values bug in, 138
  Office 2003, 58, 63
  Office 2007, 58, 63
  Office Open XML format, 58, 61, 68, 74
  Outlook, 226
  PowerPoint, 68, 73
  time and date stamps by, 244, 245, 248–250, 252–259, 292
  Windows Operating System, 43, 45–53, 68–72, 73–76, 78, 86, 92, 107, 118–119, 122, 125, 150, 152, 153, 163, 189–196, 205–206, 244, 245, 259
  Word, 18, 41, 46, 52–53, 56, 57, 58, 61–62, 63, 68, 73, 147, 150, 231, 236–237, 287
Motorola processors, 116
Mounting files, 63, 85–86, 87, 229, 289
Native format, 18, 41, 287
Network acquisitions, 222–223, 226
Network Time Protocol (NTP), 243, 250
Nibbles, 27–30, 31
Non-disclosure agreements, 212
Novell, 122
NTFS (New Technology File System), 189–196, 205–206, 244, 259
  $Bitmap in, 195, 206
  file attributes in, 194–195, 205–206, 259
  limitations of, 196
  Master File Table in, 191–195, 244
  Partition Boot Record in, 190–191, 192
OAIS (open archival information systems), 271, 272–273
Object linking and embedding (OLE), 60
Obsolescence, technological, 43, 153, 177, 271
OEM (original equipment manufacturer), 190


Office, Microsoft. See also specific software by name
  Office 2003, 58, 63
  Office 2007, 58, 63
  Office Open XML format, 58, 61, 68, 74
Offsets, 37, 98–101, 120–121, 124, 130, 154, 162–163, 179–185, 190–193, 248–258
Operating systems:
  Apple/Macintosh, 44, 76, 86, 152, 153, 202
  boot process in, 85–86, 88, 89, 91–92, 94, 96–97, 101–104, 106–109, 118–119, 122
  decimal value references by, 18
  endian designation in, 116, 117, 120, 290–291
  file extensions used by, 18, 45–53, 61, 68–72, 73–76, 78, 163
  file folder structure of, 53
  file formats executed by, 44–45, 287–288, 288–289
  file systems of, 123–125, 132, 139–140, 147–187, 189–206, 237–238, 242, 243, 244–245, 259, 291–292
  HEX longevity vs., 43
  Linux, 44, 78, 122, 152, 153, 202–203
  Microsoft DOS, 71, 75, 92, 101, 118, 122, 152, 248–250, 252–259, 292
  Microsoft Windows, 43, 45–53, 68–72, 73–76, 78, 86, 92, 107, 118–119, 122, 125, 150, 152, 153, 163, 189–196, 205–206, 244, 245, 259
  Novell, 122
  OEM (original equipment manufacturer) of, 190
  partitions and, 102, 103–104, 106, 107, 118–119, 121–125, 138–144, 291
  registry, 46
  time and date stamps by, 244–245, 248–259, 292
  Unix and Unix-like, 44, 78, 152, 153, 202, 203
  variety of and changes to, 264–265
  volumes recognized by, 138–142, 291
Order of data. See Endianness
Outlook, Microsoft, 226
Partition:
  active, 96, 97, 101, 102, 109, 117, 118, 119, 120
  Cylinder, Head and Sector (CHS) fields of, 130, 132–138
  deletion and recovery of, 143–144, 231, 232–234
  extended, 119, 122, 140–142
  FDISK partition editors, 101, 106–107
  file systems in (see File systems)
  HEX starting value of, deciphering, 120
  logical, 122–123
  Logical Block Address in, 130, 132–133
  Partition Boot Record, 96, 101, 109, 190–191, 192
  partition table, 96–97, 101, 102–107, 109, 117–125, 130, 134–142, 179, 233
  primary, 117, 122–123


Partition (Continued)
  size of, 121, 138
  start of, 119–120
  system ID field, 123–124
  type of, 121–125
  volumes vs., 138–142, 147, 291
POST (Power On Self Test), 87–88, 92
PowerPC processors, 116
PowerPoint, Microsoft, 68, 73
Primary partition, 117, 122–123
Privacy Protection Act, 213
Processors, endian designation in, 116, 117, 120. See also Operating systems
Quality control assessment, 278–279
QuickTime file format, 45
Registry, operating systems, 46
Report, forensic:
  characteristics of, 266–268
  contents of, 268–269, 297–302
  purpose of, 265–266, 294
  sample of, 297–302
Resident data, 194
Searches:
  data preparation searches, 232–234
  Google searches, 55, 231–232
  investigation search criteria, 214, 216, 232, 234
  keyword, 41, 59, 214, 216, 232, 234, 236–237, 287
Sectors:
  bytes per, 59, 80, 97, 130, 138, 155–156
  clusters of, 104, 106, 131–132, 140, 146–147, 153, 156–157, 164–170, 171–173, 180, 194–195, 206
  compound file, 59, 80–82
  Cylinder, Head and Sector fields, 130, 132–138
  file systems use of (see File systems)
  in hard drive structure, 130–138
  Logical Block Address of, 130, 132–133
  Master Boot Record as first, 95–110, 117–125
  number of, 121, 124, 138
  partition as collection of, 138–139, 291 (see also Partition)
  Partition Boot Record sector, 96, 101, 109, 190–191, 192
  SecID of, 81–82
  Sector Allocation Table, 81–82
  signature words as end of sector markers, 96–97, 101, 107, 109
  slack as unused, 157–161, 170
  volume as collection of, 138–139, 291 (see also Volumes)
  Volume Boot sector, 98, 153–157, 179–185
Setup utility, 92–96
Signature, file, 45, 55–57, 58–59, 61–62, 63, 66, 73–78, 236, 288–289
Signature words/bytes, 96–97, 101, 107, 109


Slack space, 157–161, 170
Stevens, Malcolm, 247
Sun’s SPARC, 116
System ID field, 123–124
Technological obsolescence, 43, 153, 177, 271
TIF (Tagged Image File) file format, 52, 74–75
Time. See also Dates
  accessed/last accessed date and time, 245
  chain of custody including, 218–220
  clock manipulation impacting, 246–247
  clock model of, 247–248
  clock skew impacting, 245–246, 292
  Coordinated Universal Time (UTC), 242, 247, 259
  creation date and time, 237–238, 244, 253, 258
  cyber forensics and, 238–239, 241–260, 292
  definition of, 241–243
  determination of, 254–258
  directory entry including, 162–163, 181
  hours, 254, 255, 257
  inaccuracy of, 258–260, 292
  investigation noting discrepancies in, 237–238
  keeping track of, 245–247
  last modified date and time, 238, 244, 253, 258
  minutes, 254, 255, 257
  MS-DOS 32-bit timestamp, 248–250, 252–259, 292
  Network Time Protocol, 243, 250
  search criteria including, 214, 216
  seconds, 254, 255–257
  system clock verification, 89
  time-bounding techniques, 247–248
  timelines, 242, 292
  timestamps, 242, 244–250, 252–259, 292
Unallocated space, 142, 159, 160, 161–163, 164, 167, 178, 180, 195, 206, 226, 229–231, 232
Unicode/Universal Character Set (UCS):
  ASCII as foundation of, 8, 10–12
  decimal values for, 16, 18
  HEX equivalent of, 57
Unix and Unix-like operating systems, 44, 78, 152, 153, 202, 203
Unix File System (UFS), 202, 203
UTC (Coordinated Universal Time), 242, 247, 259
Volumes:
  file systems in (see File systems)
  partitions vs., 138–142, 147, 291
Volume Boot Record (VBR), 98, 153–157, 179–185
Windows Operating System. See also Microsoft
  boot process in, 86, 92, 107, 118–119


Windows Operating System (Continued)
  file extensions used by, 45–53, 68–72, 73–76, 78
  file folder structure of, 53
  file system of, 150, 152, 153, 189–196, 205–206, 244, 259
  HEX longevity vs., 43
  metadata information via, 150
  partitions in, 107, 118–119, 122, 125
  time and date stamps by, 244, 245, 259
Word, Microsoft, 18, 41, 46, 52–53, 56, 57, 58, 61–62, 63, 68, 73, 147, 150, 231, 236–237, 287
Write blocking or protection, 88, 90–91, 224–225, 226, 228
XHTML (extended HTML) file format, 78
XML (extensible markup language) file format, 58, 61, 68, 74, 78
ZIP file format, 58, 61, 63, 229
