Index
A
- abductive reasoning / Rationale for selection
- Achilles heel
- about / Encrypted devices and files
- admissibility, digital evidence
- evidentiary weight, explaining / Explaining the evidentiary weight of digital evidence
- about / Understanding the admissibility of digital evidence
- lawful acquisition, defining / Defining the lawful acquisition of digital evidence
- relevance, emphasizing / Emphasizing the importance of relevance in terms of digital evidence
- reliability, defining / Outlining the reliability of digital evidence
- reliability of forensic tools / The importance of the reliability of forensic tools and processes
- computer / network evidence preservation, evaluating / Evaluating computer/network evidence preservation
- corroborating / Corroborating digital evidence
- Advanced Data Acquisition Model (ADAM)
- American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) / Acceptance of, consensus on, and uptake of digital forensics standards
- anti-forensics processes
- anti-forensics tools
- Apple operating systems
- about / Examining Apple operating systems
- user domain / Examining Apple operating systems
- local domain / Examining Apple operating systems
- network domain / Examining Apple operating systems
- system domain / Examining Apple operating systems
B
- basic input/output system (BIOS) / Write-blocking software
- Bayesian network / Formalizing the validation of digital evidence
- Bayesian probability theory / Rationale for selection
- Bayesian reasoning, applying to analysis of validation
- about / Applying Bayesian reasoning to the analysis of validation
- comparative simplicity, of analysis of legal admissibility / The comparative simplicity of the analysis of legal admissibility
- complex components, requiring scientific measurement / More complex components requiring scientific measurement
- prior probability, determining / Determining prior probability
- post probabilities, setting / Setting post probabilities
- remote access application, checking at time of transgression / Checking whether the remote access application was running at the time of the transgression
- limitations / Present limitations and scoping
- scoping / Present limitations and scoping
C
- camera ballistics processes / Analyzing GPS devices and other handheld devices
- case studies, digital forensics
- Aaron Caffrey case / The Aaron Caffrey case – United Kingdom, 2003
- Julie Amero case / The Julie Amero case – Connecticut, 2007
- Michael Fiola case / The Michael Fiola case – Massachusetts, 2008
- case study
- reference link / Case studies – linking the evidence to the user
- Central Processing Unit (CPU)
- about / Random-access memory (RAM)
- chain of custody
- about / Understanding the chain of custody
- of digital evidence, describing / Explaining the chain of custody of digital evidence
- challenges, of interrogating large datasets
- illustrating / Case study – illustrating the challenges of interrogating large datasets
- crime setting / The setting of the crime
- investigation / The investigation
- practitioner's brief / The practitioner's brief
- available evidence / The available evidence
- data extraction process / The data extraction process
- recovery, outcome / The outcome of the recovery and examination
- examination, outcome / The outcome of the recovery and examination
- conclusion / Conclusion
- challenges, posed by new hardware and software
- challenges of evidence recovery, from mobile phones
- about / The growing challenge of evidence recovery from mobile phones and handheld devices
- data, extracting from mobile devices / Extracting data from mobile devices
- evidence contamination, managing / Managing evidence contamination
- illegal activities, concealing / Concealing illegal activities
- mobile data, extracting from cloud / Extracting mobile data from the cloud
- GPS devices, analyzing / Analyzing GPS devices and other handheld devices
- handheld devices, analyzing / Analyzing GPS devices and other handheld devices
- civil investigations
- cloud
- Cloud Analysis tool
- about / The Cloud Analysis tool
- communication media
- Computer Analysis and Response Team (CART) / More recent developments in digital forensics
- computer devices
- user access / User access to computer devices
- computer forensics / Qualities of the digital forensic practitioner
- Computer Incident Response Team (CIRT) / Contingency planning
- content category
- about / The content category
- contingency planning
- about / Contingency planning
- Coordinated Universal Time (UTC)
- about / Date and time problems
- Crime Scene Investigation (CSI) syndrome / More recent developments in digital forensics
- criminal investigations
- cybercrime
- cyber forensics / Qualities of the digital forensic practitioner
D
- data, organizing
- about / More effective forensic tools
- files, categorizing / Categorizing files
- superfluous files, eliminating / Eliminating superfluous files
- files, deconstructing / Deconstructing files
- files, searching for / Searching for files
- e-mail datasets, analyzing / Analyzing e-mail datasets
- scanned images, detecting / Detecting scanned images
- timelines / Timelines and other analysis tools
- analysis tools / Timelines and other analysis tools
- denial of availability attacks
- Deoxyribonucleic Acid (DNA) / DNA evidence
- design-based model / The perceived benefits of a formalized validation process
- device
- and operating systems, connecting with software application / Connecting the software application to the operating system and a device
- Device Configuration Overlay (DCO) / Outlining the efficacy of existing forensic tools and the emergence of enhanced processes and tools
- digital evidence
- defining / Defining digital evidence
- usage / The use of digital evidence
- characteristics / The special characteristics of digital evidence
- circumstantial nature / The circumstantial nature of digital evidence
- file metadata / File metadata and correlation with other evidence
- correlation, with other evidence / File metadata and correlation with other evidence
- technical complexities / The technical complexities of digital evidence
- value, determining / Determining the value and admissibility of digital evidence
- admissibility, determining / Determining the value and admissibility of digital evidence
- case study / Case study – linking the evidence to the user, Case study – illustrating the recovery of deleted evidence held in volume shadows
- references / References
- physical acquisition, describing / Describing the physical acquisition and safekeeping of digital evidence
- safekeeping, describing / Describing the physical acquisition and safekeeping of digital evidence
- chain of custody, explaining / Explaining the chain of custody of digital evidence
- seizure, outlining / Outlining the seizure and initial inspection of digital devices
- initial inspection, outlining / Outlining the seizure and initial inspection of digital devices
- recovering, through forensic imaging processes / Recovering digital evidence through forensic imaging processes
- linking to user / Case studies – linking the evidence to the user
- locating, with structured processes / Structured processes to locate and select digital evidence
- selecting, with structured processes / Structured processes to locate and select digital evidence
- selecting / Selecting digital evidence
- truth, seeking / Seeking the truth
- formalized validation process / Formalizing the validation of digital evidence
- presentation / The presentation of digital evidence
- digital forensics reports, preparing / Preparing digital forensics reports
- court appearances / Court appearances
- evolving nature / The evolving nature of digital evidence vis-à-vis the role of the practitioner
- digital evidence, acquiring through live recovery processes
- about / Acquiring digital evidence through live recovery processes
- benefits / The benefits of live recovery
- challenges / The challenges of live recovery
- volatile memory recovery, benefits / The benefits of volatile memory recovery
- device, isolating from external exploits / Isolating the device from external exploits
- digital evidence, locating
- about / Locating digital evidence
- processes, searching / Search processes
- desktops, searching / Searching desktops and laptops
- laptops, searching / Searching desktops and laptops
- digital evidence, recovering through forensic imaging processes
- about / Recovering digital evidence through forensic imaging processes
- dead analysis evidence recovery / Dead analysis evidence recovery
- write-blocking hardware / Write-blocking hardware
- write-blocking software / Write-blocking software
- data preservation, enhancing / Enhancing data preservation during recovery
- remnants of deleted memory, recovering / Recovering remnants of deleted memory
- digital evidence validation
- digital forensic practitioners
- challenges / The unique privilege of providing expert evidence and opinion, Issues faced by practitioners due to inadequate forensics processes, Inferior forensics tools confronting practitioners, The inadequate protection of digital information confronting practitioners, The tedium of forensic analysis
- qualities / Qualities of the digital forensic practitioner
- prerequisites, determining / Determining practitioner prerequisites
- digital forensic recovery
- collection rules / Understanding the chain of custody
- digital forensics
- defining / Defining digital forensics and its role, Definitions of digital forensics
- history / Looking at the history of digital forensics
- origins / The early days
- paucity of reliable digital forensic tools / A paucity of reliable digital forensic tools
- legal fraternity's difficulty / The legal fraternity's difficulty understanding digital evidence
- recent developments / More recent developments in digital forensics
- practitioners / The role of digital forensic practitioners and the challenges they face
- challenges / The role of digital forensic practitioners and the challenges they face
- case studies / Case studies
- references / References
- digital forensics laboratories
- about / Digital forensics laboratories
- purpose / The purpose of digital forensics laboratories
- digital forensics standards, acceptance / Acceptance of, consensus on, and uptake of digital forensics standards
- digital forensics standards, consensus / Acceptance of, consensus on, and uptake of digital forensics standards
- digital forensics standards uptake / Acceptance of, consensus on, and uptake of digital forensics standards
- best practices / Best practices for digital forensics laboratories
- physical security / The physical security of digital forensic laboratories
- network requirement / Network and electronic requirements of digital forensic laboratories
- electronic requirement / Network and electronic requirements of digital forensic laboratories
- dilemmas / Dilemmas presently confronting digital forensics laboratories
- Digital Forensics Method Validation / Standards for digital forensic tools
- digital forensics practitioners
- ethical issues / Ethical issues confronting digital forensics practitioners
- Digital Forensics Research Workshop (DFRWS) / Issues faced by practitioners due to inadequate forensics processes
- digital forensic tools
- standards / Standards for digital forensic tools
- digital information
- about / Describing computers and the nature of digital information
- magnetic hard drives / Magnetic hard drives and tapes
- tapes / Magnetic hard drives and tapes
- optical media storage devices / Optical media storage devices
- random-access memory (RAM) / Random-access memory (RAM)
- solid-state drive (SSD) storage devices / Solid-state drive (SSD) storage devices
- network-stored data / Network-stored data
- cloud / The cloud
- case study / Case study – linking the evidence to the user
- references / References
- direct evidence
- Dynamic Link Library (DLL) files / Recovering and analyzing e-mails from larger datasets
E
- e-discovery / Outlining civil investigations and the nature of e-discovery
- e-mail analysis
- about / E-mail analysis and the processing of large e-mail databases
- large e-mail databases, processing / E-mail analysis and the processing of large e-mail databases
- e-mails, recovering from desktop and laptop computers / Recovering e-mails from desktop and laptop computers
- e-mails, recovering from larger datasets / Recovering and analyzing e-mails from larger datasets
- e-mails, analyzing from larger datasets / Recovering and analyzing e-mails from larger datasets
- searching, for scanned files / Searching for scanned files
- effective evidence processing and validation
- electronically stored information (ESI) / Recovering and analyzing e-mails from larger datasets, E-discovery evidence recovery and preservation
- EnCase / The reliability of forensic imaging tools to recover and protect digital evidence
- encrypted devices
- about / Encrypted devices and files
- encrypted files
- about / Encrypted devices and files
- encryption
- enhanced processes and tools
- enhanced recovery tools
- benefits, in criminal investigations / The benefits of enhanced recovery tools in criminal investigations
- eReveal website
- reference link / Enhanced digital evidence recovery and preservation
- Event Analysis tool
- about / The Event Analysis tool
- evidence, filesystems
- locating / Locating evidence in filesystems
- means of transgression, determining / Determining the means of transgression
- opportunity, determining to transgress / Determining opportunity to transgress
- motive, determining to transgress / Determining the motive to transgress
- possible evidence, locating / Deciding where to look for possible evidence
- files, indexing / Indexing and searching for files
- files, searching / Indexing and searching for files
- unallocated data analysis / Unallocated data analysis
- evidence, locating from internet browsing
- about / Locating evidence from Internet browsing
- typical web-browsing behavior / Typical web-browsing behavior
- browsing artifacts, recovering from slack and unallocated space / Recovering browsing artifacts from slack and unallocated space
- private browsing / Private browsing
- evidence recovery and preservation / More efficacious evidence recovery and preservation
- examiner bias
- Exchangeable Image File Format (EXIF)
- about / The metadata category
- exculpatory evidence / Seeking the truth
- existing forensic tools
F
- filename category
- about / The filename category
- files
- indexing / Indexing and searching for files
- searching / Indexing and searching for files
- filesystem category
- about / The filesystem category
- filesystems
- describing / Describing filesystems that contain evidence
- filesystem category / The filesystem category
- filename category / The filename category
- metadata category / The metadata category
- content category / The content category
- evidence, locating / Locating evidence in filesystems
- forensic auditors
- forensic image file
- about / The use of digital evidence
- forensic imaging processes
- used, for recovering digital evidence / Recovering digital evidence through forensic imaging processes
- forensic imaging tools
- reliability, checking for digital evidence recovery / The reliability of forensic imaging tools to recover and protect digital evidence
- reliability, checking for digital evidence protection / The reliability of forensic imaging tools to recover and protect digital evidence
- forensics
- about / Understanding the history and purpose of forensics – specifically, digital forensics
- origin / The origin of forensics
- Locard's exchange principle / Locard's exchange principle
- evolution of fingerprint evidence / The evolution of fingerprint evidence
- Deoxyribonucleic Acid (DNA) evidence / DNA evidence
- basic stages of forensic examination / The basic stages of forensic examination
- Forensic Toolkit (FTK) / The reliability of forensic imaging tools to recover and protect digital evidence
- forensic tools
- about / More effective forensic tools
- formalized validation process, digital evidence
- about / Formalizing the validation of digital evidence, The validation process
- benefits / The perceived benefits of a formalized validation process
- rationale, for selection / Rationale for selection
- conceptual framework / The conceptual framework of the model
- Bayesian reasoning, applying / Applying Bayesian reasoning to the analysis of validation
G
- Global Positioning System (GPS)
- about / The use of digital evidence
- Google Chrome
- about / Private browsing
- Graphical User Interface (GUI)
- about / The filename category
H
- hashing / Enhancing data preservation during recovery
- hearsay evidence
- hidden files
- High Technology Criminal Investigators Association (HTCIA) / More recent developments in digital forensics
- Host Protected Area (HPA) / Outlining the efficacy of existing forensic tools and the emergence of enhanced processes and tools
- hot-tubbing hearings
I
- ISO/IEC JTC 1 (International Organization for Standardization / International Electrotechnical Commission Joint Technical Committee 1) / More recent developments in digital forensics
- ILookIX
- impartiality, in selecting evidence
- about / Impartiality in selecting evidence
- meaning, clear in context / Meaning is only clear in context
- faulty case management / Faulty case management and evidence validation
- evidence validation / Faulty case management and evidence validation
- index-based searches
- about / Indexing and searching for files
- indirect evidence
- Information and Communications Technology (ICT) / Standards for digital forensic tools, Determining practitioner prerequisites
- information availability
- information confidentiality
- information integrity
- Information Systems (IS) / More recent developments in digital forensics
- Information Technology (IT) / More recent developments in digital forensics
- International Association of Computer Investigative Specialists (IACIS) / More recent developments in digital forensics
- International Mobile Station Equipment Identity (IMEI) / Extracting data from mobile devices
- International Mobile Subscriber Identity (IMSI) / Extracting data from mobile devices
- International Organization on Computer Evidence (IOCE) / Standards for digital forensic tools
- Internet Explorer
- about / Private browsing
- interrogating large datasets
- challenges, illustrating / Case study – illustrating the challenges of interrogating large datasets
- IT administrators
J
- Jump Lists / Reviewing Most Recently Used and Jump List activity
L
- law enforcement agents
- enhancing, as first respondents / Enhancing law enforcement agents as first respondents
- Lead Analysis tool
- about / The Lead Analysis tool
- legal team members
- legal teams
- Linux operating system
- about / The Linux operating system
- live recovery processes
- used, for acquiring digital evidence / Acquiring digital evidence through live recovery processes
- benefits / The benefits of live recovery
M
- magnetic hard drives
- about / Magnetic hard drives and tapes
- malware threats
- malware attacks, detecting / Detecting malware attacks and other exploits
- exploits / Detecting malware attacks and other exploits
- Master File Table (MFT)
- messaging systems
- about / Messaging systems
- Skype, examining / Examining Skype and chat room artifacts
- chat room artifacts, examining / Examining Skype and chat room artifacts
- invisible Internet / The invisible Internet
- metadata
- metadata category
- about / The metadata category
- Microsoft Disk Operating System (MS DOS) / A paucity of reliable digital forensic tools
- mobile phone evidence case study
- mobile phone evidence recovery / Mobile phone evidence recovery
- Most Recently Used (MRU) lists / Reviewing Most Recently Used and Jump List activity
- Mozilla Firefox
- about / Private browsing
N
- National Institute of Justice (NIJ) / More recent developments in digital forensics
- National Institute of Standards and Technology (NIST)
- about / Date and time problems
- Not AND (NAND) transistors
- network-stored data
- about / Network-stored data
- non-forensic law enforcement agents
- challenges facing / The challenges facing non-forensic law enforcement agents
- non-specialist law enforcement
- non-volatile memory
- about / Magnetic hard drives and tapes
O
- operating systems
- about / Operating systems
- software application, connecting / Connecting the software application to the operating system
- and device, connecting with software application / Connecting the software application to the operating system and a device
- operating system structures
- about / Apple and other operating system structures
- Apple operating systems / Examining Apple operating systems
- Linux operating system / The Linux operating system
- optical character recognition (OCR) / Searching for scanned files
- optical media storage devices
- about / Optical media storage devices
P
- Paintshop
- password security
- about / Explaining password security, encryption, and hidden files
- user access, to computer devices / User access to computer devices
- information confidentiality / Understanding the importance of information confidentiality
- information integrity / Understanding the importance of information integrity
- information availability / Understanding the importance of information availability
- user access security controls / User access security controls
- encrypted devices / Encrypted devices and files
- encrypted files / Encrypted devices and files
- posterior odds / Rationale for selection
- Post Office Protocol (POP) / Typical web-browsing behavior
- problems confronting practitioners
- emerging / Emerging problems confronting practitioners because of increasingly large and widely dispersed datasets
- forensic imaging myth, debunking / Debunking the myth of forensic imaging
- dilemmas / Dilemmas presently confronting digital forensics practitioners
- processes and forensic tools
- for assisting practitioners / Processes and forensic tools to assist practitioners to deal more effectively with these challenges
- e-discovery evidence preservation / E-discovery evidence recovery and preservation
- e-discovery evidence recovery / E-discovery evidence recovery and preservation
- enhanced digital evidence preservation / Enhanced digital evidence recovery and preservation
- enhanced digital evidence recovery / Enhanced digital evidence recovery and preservation
R
- RAM slack / Recovering remnants of deleted memory
- random-access memory (RAM)
- about / Random-access memory (RAM)
- Redundant Array of Independent Disks (RAID) / Enhancing law enforcement agents as first respondents
- references / References, References, References
- Registry Explorer
- about / The Windows Registry and system files and logs as resources of digital evidence
- useful leads, seeking / Seeking useful leads within the Registry
- devices, mapping through / Mapping devices through the Registry
- USB removable storage, detecting / Detecting USB removable storage
- user activity / User activity
- most recently used list, reviewing / Reviewing Most Recently Used and Jump List activity
- jump list activity, reviewing / Reviewing Most Recently Used and Jump List activity
- wireless connectivity, detecting / Detecting wireless connectivity
- Windows Event Viewer logs, observing / Observing Windows Event Viewer logs
- hidden data, recovering from VSS / Recovery of hidden data from a VSS
- prefetch files, examining / Examining prefetch files
- pagefiles / Pagefiles
- hibernation and sleep files / Hibernation and sleep files
- steganography, detecting / Detecting steganography
- remote access
- research repository
S
- Sally Clark case
- reference / The basic stages of forensic examination
- Scientific Working Group on Digital Evidence (SWGDE) / More recent developments in digital forensics
- search category
- archive files / Deciding where to look for possible evidence
- audio / Deciding where to look for possible evidence
- databases / Deciding where to look for possible evidence
- emails / Deciding where to look for possible evidence
- internet browser files / Deciding where to look for possible evidence
- link files / Deciding where to look for possible evidence
- Microsoft Office suite / Deciding where to look for possible evidence
- recycler / Deciding where to look for possible evidence
- registry files / Deciding where to look for possible evidence
- system files / Deciding where to look for possible evidence
- video / Deciding where to look for possible evidence
- security protection
- reference link / Corroborating digital evidence
- Service Set Identifiers (SSID) / Detecting wireless connectivity
- software application
- connecting, to operating systems / Connecting the software application to the operating system
- connecting, to operating systems and device / Connecting the software application to the operating system and a device
- solid-state drive (SSD) storage devices
- Solid-State Drives (SSDs)
- about / Magnetic hard drives and tapes
- steganalysis
- about / Detecting steganography
- steganography
- about / Detecting steganography
- structured and balanced analysis, digital evidence
- about / The structured and balanced analysis of digital evidence
- hypotheses, developing / Developing hypotheses
- arguments, modeling / Modeling arguments
- Toulmin model of argumentation / The Toulmin model of argumentation
- structured processes
- for locating digital evidence / Structured processes to locate and select digital evidence
- for selecting digital evidence / Structured processes to locate and select digital evidence
T
- tapes
- about / Magnetic hard drives and tapes
- technical complexities, digital evidence
- about / The technical complexities of digital evidence
- malleability / The malleability of digital evidence
- metadata, not taking at face value / Metadata should not be taken at face value
- files, recovering from unallocated space / Recovering files from unallocated space (data carving)
- date and time problems / Date and time problems
- Technical Working Group on Digital Evidence (TWGDE) / More recent developments in digital forensics
- testimonial evidence
- Transmission Control Protocol (TCP) / The benefits of volatile memory recovery
U
- unallocated data analysis
- about / Unallocated data analysis
- unsound digital evidence
- about / The nature and problem of unsound digital evidence
- issues / The nature and problem of unsound digital evidence
- challenges / Challenges explaining the complexity of digital evidence
- immaturity, of forensic subdiscipline / The immaturity of the forensic subdiscipline
- ineffective security integrity, of computers and networks / The ineffective security integrity of computers and networks
- evidence contamination / Evidence contamination
- user access
- to computer devices / User access to computer devices
- user access security controls
- about / User access security controls
- User Datagram Protocol (UDP) / The benefits of volatile memory recovery
V
- voir dire hearings
- Volume Shadow Copy analysis tools
- Volume Snapshot Service (VSS)
W
- Win32 Application Programming Interface (Win32 API) / Seeking useful leads within the Registry
- Windows Registry
- witness evidence
- about / The special characteristics of digital evidence
- reference link / The circumstantial nature of digital evidence
- write blocker
- about / The use of digital evidence
X
- Xtreme File Recovery (XFR) / Standards for digital forensic tools