Albert J. Marcella, Jr., PhD, CISA, CISM, is President of Business Automation Consultants, LLC, a global information technology and management consulting firm providing IT management consulting, audit and security reviews, and training. He is an internationally recognized public speaker, researcher, workshop and seminar leader, and an author of numerous articles and books on various IT, audit, and security-related subjects.
Frederic Guillossou, CISSP, CCE, is an Information Security Analyst with TALX, a division of Equifax. He regularly trains on intrusion prevention systems and has successfully led a number of forensic investigations in the field.
| Section | Page |
|---|---|
| Preface | xiii |
| Acknowledgments | xvii |
| The Fundamentals of Data | 1 |
| Base 2 Numbering System: Binary and Character Encoding | 2 |
| Communication in a Two-State Universe | 3 |
| Electricity and Magnetism | 3 |
| Building Blocks: The Origins of Data | 4 |
| Growing the Building Blocks of Data | 5 |
| Moving Beyond Base 2 | 7 |
| American Standard Code for Information Interchange | 7 |
| Character Codes: The Basis for Processing Textual Data | 10 |
| Extended ASCII and Unicode | 10 |
| Summary | 12 |
| Notes | 13 |
| Binary to Decimal | 15 |
| American Standard Code for Information Interchange | 16 |
| Computer as a Calculator | 16 |
| Why Is This Important in Forensics? | 18 |
| Data Representation | 18 |
| Converting Binary to Decimal | 19 |
| Conversion Analysis | 20 |
| A Forensic Case Example: An Application of the Math | 20 |
| Decimal to Binary: Recap for Review | 22 |
| Summary | 23 |
| The Power of HEX: Finding Slivers of Data | 25 |
| What the HEX? | 26 |
| Bits and Bytes and Nibbles | 27 |
| Nibbles and Bits | 29 |
| Binary to HEX Conversion | 30 |
| Binary (HEX) Editor | 34 |
| The Needle within the Haystack | 39 |
| Summary | 41 |
| Notes | 42 |
| Files | 43 |
| Opening | 44 |
| Files, File Structures, and File Formats | 44 |
| File Extensions | 45 |
| Changing a File's Extension to Evade Detection | 47 |
| Files and the HEX Editor | 53 |
| Files Signature | 55 |
| ASCII Is Not Text or HEX | 57 |
| Value of File Signatures | 58 |
| Complex Files: Compound, Compressed, and Encrypted Files | 59 |
| Why Do Compound Files Exist? | 60 |
| Compressed Files | 61 |
| Forensics and Encrypted Files | 64 |
| The Structure of Ciphers | 65 |
| Summary | 66 |
| Notes | 67 |
| Common File Extensions | 68 |
| Files Signature Database | 73 |
| Magic Number Definition | 77 |
| Compound Document Header | 79 |
| The Boot Process and the Master Boot Record (MBR) | 85 |
| Booting Up | 87 |
| Primary Functions of the Boot Process | 87 |
| Forensic Imaging and Evidence Collection | 90 |
| Summarizing the BIOS | 92 |
| BIOS Setup Utility: Step by Step | 92 |
| The Master Boot Record (MBR) | 96 |
| Partition Table | 102 |
| Hard Disk Partition | 103 |
| Summary | 110 |
| Notes | 111 |
| Endianness and the Partition Table | 113 |
| The Flavor of Endianness | 114 |
| Endianness | 116 |
| The Origins of Endian | 117 |
| Partition Table within the Master Boot Record | 117 |
| Summary | 125 |
| Notes | 127 |
| Volume versus Partition | 129 |
| Tech Review | 130 |
| Cylinder, Head, Sector, and Logical Block Addressing | 132 |
| Volumes and Partitions | 138 |
| Summary | 142 |
| Notes | 144 |
| File Systems-FAT 12/16 | 145 |
| Tech Review | 145 |
| File Systems | 147 |
| Metadata | 149 |
| File Allocation Table (FAT) File System | 153 |
| Slack | 157 |
| HEX Review Note | 160 |
| Directory Entries | 161 |
| File Allocation Table (FAT) | 163 |
| How Is Cluster Size Determined? | 167 |
| Expanded Cluster Size | 169 |
| Directory Entries and the FAT | 170 |
| FAT Filing System Limitations | 174 |
| Directory Entry Limitations | 176 |
| Summary | 177 |
| Partition Table Fields | 179 |
| File Allocation Table Values | 180 |
| Directory Entry Byte Offset Description | 181 |
| FAT 12/16 Byte Offset Values | 182 |
| FAT 32 Byte Offset Values | 184 |
| The Power of 2 | 186 |
| File Systems-NTFS and Beyond | 189 |
| New Technology File System | 189 |
| Partition Boot Record | 190 |
| Master File Table | 191 |
| NTFS Summary | 195 |
| exFAT | 196 |
| Alternative Filing System Concepts | 196 |
| Summary | 203 |
| Notes | 204 |
| Common NTFS Systems Defined Attributes | 205 |
| Cyber Forensics: Investigative Smart Practices | 207 |
| The Forensic Process | 209 |
| Forensic Investigative Smart Practices | 211 |
| The Initial Contact, the Request | 211 |
| Evidence Handling | 216 |
| Acquisition of Evidence | 221 |
| Data Preparation | 229 |
| Time | 238 |
| Summary | 239 |
| Note | 240 |
| Time and Forensics | 241 |
| What Is Time? | 241 |
| Network Time Protocol | 243 |
| Timestamp Data | 244 |
| Keeping Track of Time | 245 |
| Clock Models and Time Bounding: The Foundations of Forensic Time | 247 |
| MS-DOS 32-Bit Timestamp: Date and Time | 248 |
| Date Determination | 250 |
| Time Determination | 254 |
| Time Inaccuracy | 258 |
| Summary | 259 |
| Notes | 260 |
| Investigation: Incident Closure | 263 |
| Forensic Investigative Smart Practices | 264 |
| Investigation (Continued) | 264 |
| Communicate Findings | 265 |
| Characteristics of a Good Cyber Forensic Report | 266 |
| Report Contents | 268 |
| Retention and Curation of Evidence | 269 |
| Investigation Wrap-Up and Conclusion | 273 |
| Investigator's Role as an Expert Witness | 273 |
| Summary | 279 |
| Notes | 280 |
| A Cyber Forensic Process Summary | 283 |
| Binary | 284 |
| Binary-Decimal-ASCII | 285 |
| Data Versus Code | 287 |
| HEX | 288 |
| From Raw Data to Files | 288 |
| Accessing Files | 289 |
| Endianness | 290 |
| Partitions | 291 |
| File Systems | 291 |
| Time | 292 |
| The Investigation Process | 292 |
| Summary | 295 |
| Appendix: Forensic Investigations, ABC Inc. | 297 |
| Glossary | 303 |
| About the Authors | 327 |
| Index | 329 |

Table of Contents provided by Ingram. All Rights Reserved.