Digital Evidence and Computer Crime

by
  • ISBN13: 9780121631048
  • ISBN10: 0121631044
  • Edition: 2nd
  • Format: Hardcover
  • Copyright: 2004-03-08
  • Publisher: Elsevier Science
Summary

Digital evidence -- evidence that is stored or transmitted using computers -- can be useful in any investigation, including homicide, child exploitation, computer intrusion, and corporate malfeasance. The scope of computer crime has expanded further with the proliferation of networks, mobile devices, and equipment with computers embedded in them. Digital evidence from these systems can help establish when events occurred, where victims and suspects were, with whom they communicated, and may even show their intent to commit a crime.

Author Biography

Eoghan Casey is a computer security and computer crime consultant based in Baltimore, MD. He was previously a System Security Administrator for Yale University, and received his B.A. in Mechanical Engineering from the University of California, Berkeley and an M.A. in Educational Communication and Technology from New York University. He is a frequent lecturer on computer security, incident response, and digital investigation.

Table of Contents

INTRODUCTION
PART 1 DIGITAL INVESTIGATION
CHAPTER 1 DIGITAL EVIDENCE AND COMPUTER CRIME
  1.1 Digital Evidence
  1.2 Increasing Awareness of Digital Evidence
  1.3 Challenging Aspects of Digital Evidence
  1.4 Following the Cybertrail
  1.5 Challenging Aspects of the Cybertrail
  1.6 Forensic Science and Digital Evidence
  1.7 Summary
CHAPTER 2 HISTORY AND TERMINOLOGY OF COMPUTER CRIME INVESTIGATION
  2.1 Brief History of Computer Crime Investigation
  2.2 Evolution of Investigative Tools
  2.3 Language of Computer Crime Investigation
    2.3.1 The Role of Computers in Crime
  2.4 Summary
CHAPTER 3 TECHNOLOGY AND LAW
  PART A TECHNOLOGY AND LAW - A UNITED STATES PERSPECTIVE (Robert Dunne)
    3A.1 Jurisdiction
    3A.2 Pornography and Obscenity
    3A.3 Privacy
    3A.4 Copyrights and the "Theft" of Digital Intellectual Property
  PART B COMPUTER MISUSE IN AMERICA (Eoghan Casey)
  PART C TECHNOLOGY AND CRIMINAL LAW - A EUROPEAN PERSPECTIVE (Tessa Robinson)
    3C.1 Overview of Criminal Offenses
    3C.2 Search and Seizure
    3C.3 Jurisdiction and Extradition
    3C.4 Penalties
    3C.5 Privacy
    3C.6 Summary
CHAPTER 4 THE INVESTIGATIVE PROCESS (Eoghan Casey and Gary Palmer)
  4.1 The Role of Digital Evidence
  4.2 Investigative Methodology
    4.2.1 Accusation or Incident Alert
    4.2.2 Assessment of Worth
    4.2.3 Incident/Crime Scene Protocols
    4.2.4 Identification or Seizure
    4.2.5 Preservation
    4.2.6 Recovery
    4.2.7 Harvesting
    4.2.8 Reduction
    4.2.9 Organization and Search
    4.2.10 Analysis
    4.2.11 Reporting
    4.2.12 Persuasion and Testimony
  4.3 Summary
CHAPTER 5 INVESTIGATIVE RECONSTRUCTION (Eoghan Casey and Brent Turvey)
  5.1 Equivocal Forensic Analysis
    5.1.1 Reconstruction
    5.1.2 Temporal Analysis
    5.1.3 Relational Analysis
    5.1.4 Functional Analysis
  5.2 Victimology
    5.2.1 Risk Assessment
  5.3 Crime Scene Characteristics
    5.3.1 Method of Approach and Control
    5.3.2 Offender Action, Inaction, and Reaction
  5.4 Evidence Dynamics and the Introduction of Error
  5.5 Reporting
    5.5.1 Threshold Assessment: Questioned Deaths
    5.5.2 Threshold Assessment: Unauthorized Access to project-db.corpX.com
  5.6 Summary
CHAPTER 6 MODUS OPERANDI, MOTIVE, AND TECHNOLOGY (Brent Turvey)
  6.1 Axes to Pathological Criminals, and Other Unintended Consequences
  6.2 Modus Operandi
  6.3 Technology and Modus Operandi
  6.4 Motive and Technology
    6.4.1 Power Reassurance (Compensatory)
    6.4.2 Power Assertive (Entitlement)
    6.4.3 Anger Retaliatory (Anger or Displaced)
    6.4.4 Anger Excitation (Sadistic)
    6.4.5 Profit Oriented
  6.5 Current Technologies
    6.5.1 A Computer Virus
    6.5.2 A Public E-mail Discussion List
  6.6 Summary
CHAPTER 7 DIGITAL EVIDENCE IN THE COURTROOM
  7.1 Admissibility - Warrants
  7.2 Authenticity and Reliability
  7.3 Casey's Certainty Scale
  7.4 Best Evidence
  7.5 Direct versus Circumstantial Evidence
  7.6 Hearsay
    7.6.1 Hearsay Exceptions
  7.7 Scientific Evidence
  7.8 Presenting Digital Evidence
  7.9 Summary
PART 2 COMPUTERS
CHAPTER 8 COMPUTER BASICS FOR DIGITAL INVESTIGATORS
  8.1 A Brief History of Computers
  8.2 Basic Operation of Computers
    8.2.1 Central Processing Unit (CPU)
    8.2.2 Basic Input and Output System (BIOS)
    8.2.3 Power-on Self Test and CMOS Configuration Tool
    8.2.4 Disk Boot
  8.3 Representation of Data
  8.4 Storage Media and Data Hiding
  8.5 File Systems and Location of Data
  8.6 Overview of Encryption
    8.6.1 Private Key Encryption
    8.6.2 Public Key Encryption
    8.6.3 Pretty Good Privacy
  8.7 Summary
CHAPTER 9 APPLYING FORENSIC SCIENCE TO COMPUTERS
  9.1 Authorization and Preparation
  9.2 Identification
    9.2.1 Identifying Hardware
    9.2.2 Identifying Digital Evidence
  9.3 Documentation
    9.3.1 Message Digests and Digital Signatures
  9.4 Collection and Preservation
    9.4.1 Collecting and Preserving Hardware
    9.4.2 Collecting and Preserving Digital Evidence
  9.5 Examination and Analysis
    9.5.1 Filtering/Reduction
    9.5.2 Class/Individual Characteristics and Evaluation of Source
    9.5.3 Data Recovery/Salvage
  9.6 Reconstruction
    9.6.1 Functional Analysis
    9.6.2 Relational Analysis
    9.6.3 Temporal Analysis
    9.6.4 Digital Stratigraphy
  9.7 Reporting
  9.8 Summary
CHAPTER 10 FORENSIC EXAMINATION OF WINDOWS SYSTEMS
  10.1 Windows Evidence Acquisition Boot Disk
  10.2 File Systems
  10.3 Overview of Digital Evidence Processing Tools
  10.4 Data Recovery
    10.4.1 Windows-based Recovery Tools
    10.4.2 Unix-based Recovery Tools
    10.4.3 File Carving with Windows
    10.4.4 Dealing with Password Protection and Encryption
  10.5 Log Files
  10.6 File System Traces
  10.7 Registry
  10.8 Internet Traces
    10.8.1 Web Browsing
    10.8.2 Usenet Access
    10.8.3 E-mail
    10.8.4 Other Applications
    10.8.5 Network Storage
  10.9 Program Analysis
  10.10 Summary
CHAPTER 11 FORENSIC EXAMINATION OF UNIX SYSTEMS
  11.1 Unix Evidence Acquisition Boot Disk
  11.2 File Systems
  11.3 Overview of Digital Evidence Processing Tools
  11.4 Data Recovery
    11.4.1 UNIX-based Tools
    11.4.2 Windows-based Tools
    11.4.3 File Carving with UNIX
    11.4.4 Dealing with Password Protection and Encryption
  11.5 Log Files
  11.6 File System Traces
  11.7 Internet Traces
    11.7.1 Web Browsing
    11.7.2 E-mail
    11.7.3 Network Traces
  11.8 Summary
CHAPTER 12 FORENSIC EXAMINATION OF MACINTOSH SYSTEMS
  12.1 File Systems
  12.2 Overview of Digital Evidence Processing Tools
  12.3 Data Recovery
  12.4 File System Traces
  12.5 Internet Traces
    12.5.1 Web Activity
    12.5.2 E-mail
    12.5.3 Network Storage
  12.6 Summary
CHAPTER 13 FORENSIC EXAMINATION OF HANDHELD DEVICES
  13.1 Overview of Handheld Devices
    13.1.1 Memory
    13.1.2 Data Storage and Manipulation
    13.1.3 Exploring Palm Memory
  13.2 Collection and Examination of Handheld Devices
    13.2.1 Palm OS
    13.2.2 Windows CE Devices
    13.2.3 RIM Blackberry
    13.2.4 Mobile Telephones
  13.3 Dealing with Password Protection and Encryption
  13.4 Related Sources of Digital Evidence
    13.4.1 Removable Media
    13.4.2 Neighborhood Data
  13.5 Summary
PART 3 NETWORKS
CHAPTER 14 NETWORK BASICS FOR DIGITAL INVESTIGATORS
  14.1 A Brief History of Computer Networks
  14.2 Technical Overview of Networks
  14.3 Network Technologies
    14.3.1 Attached Resource Computer Network (ARCNET)
    14.3.2 Ethernet
    14.3.3 Fiber Distributed Data Interface (FDDI)
    14.3.4 Asynchronous Transfer Mode (ATM)
    14.3.5 IEEE 802.11 (Wireless)
    14.3.6 Cellular Networks
    14.3.7 Satellite Networks
  14.4 Connecting Networks Using Internet Protocols
    14.4.1 Physical and Data-Link Layers (Layers 1 and 2)
    14.4.2 Network and Transport Layers (Layers 3 and 4)
    14.4.3 Session Layer (Layer 5)
    14.4.4 Presentation Layer (Layer 6)
    14.4.5 Application Layer (Layer 7)
    14.4.6 Synopsis of the OSI Reference Model
  14.5 Summary
CHAPTER 15 APPLYING FORENSIC SCIENCE TO NETWORKS
  15.1 Preparation and Authorization
  15.2 Identification
  15.3 Documentation, Collection, and Preservation
  15.4 Filtering and Data Reduction
  15.5 Class/Individual Characteristics and Evaluation of Source
  15.6 Evidence Recovery
  15.7 Investigative Reconstruction
    15.7.1 Behavioral Evidence Analysis
  15.8 Reporting Results
  15.9 Summary
CHAPTER 16 DIGITAL EVIDENCE ON PHYSICAL AND DATA-LINK LAYERS
  16.1 Ethernet
    16.1.1 10Base5
    16.1.2 10/100/1000BaseT
    16.1.3 CSMA/CD
  16.2 Linking the Data-Link and Network Layers - Encapsulation
    16.2.1 Address Resolution Protocol (ARP)
    16.2.2 Point to Point Protocol and Serial Line Internet Protocol
  16.3 Ethernet versus ATM Networks
  16.4 Documentation, Collection, and Preservation
    16.4.1 Sniffer Placement
    16.4.2 Sniffer Configuration
    16.4.3 Other Sources of MAC Addresses
  16.5 Analysis Tools and Techniques
    16.5.1 Keyword Searches
    16.5.2 Filtering and Classification
    16.5.3 Reconstruction
  16.6 Summary
CHAPTER 17 DIGITAL EVIDENCE AT THE NETWORK AND TRANSPORT LAYERS
  17.1 TCP/IP
    17.1.1 Internet Protocol and Cellular Data Networks
    17.1.2 IP Addresses
    17.1.3 Domain Name System
    17.1.4 IP Routing
    17.1.5 Servers and Ports
    17.1.6 Connection Management
    17.1.7 Abuses of TCP/IP
  17.2 Setting up a Network
    17.2.1 Static versus Dynamic IP Address Assignment
    17.2.2 Protocols for Assigning IP Addresses
  17.3 TCP/IP Related Digital Evidence
    17.3.1 Authentication Logs
    17.3.2 Application Logs
    17.3.3 Operating System Logs
    17.3.4 Network Device Logs
    17.3.5 State Tables
    17.3.6 Random Access Memory Contents
  17.4 Summary
CHAPTER 18 DIGITAL EVIDENCE ON THE INTERNET
  18.1 Role of the Internet in Criminal Investigations
  18.2 Internet Services: Legitimate versus Criminal Uses
    18.2.1 The World Wide Web
    18.2.2 E-mail
    18.2.3 Newsgroups
    18.2.4 Synchronous Chat Networks
    18.2.5 Peer-to-Peer Networks
  18.3 Using the Internet as an Investigative Tool
    18.3.1 Search Engines
    18.3.2 Online Databases (the Invisible Web)
    18.3.3 Usenet Archive versus Actual Newsgroups
  18.4 Online Anonymity and Self-Protection
    18.4.1 Overview of Exposure
    18.4.2 Proxies
    18.4.3 IRC "bots"
    18.4.4 Encryption
    18.4.5 Anonymous and Pseudonymous E-mail and Usenet
    18.4.6 Freenet
    18.4.7 Anonymous Cash
  18.5 E-mail Forgery and Tracking
    18.5.1 Interpreting E-mail Headers
  18.6 Usenet Forgery and Tracking
    18.6.1 Interpreting Usenet Headers
  18.7 Searching and Tracking on IRC
  18.8 Summary
PART 4 INVESTIGATING COMPUTER CRIME
CHAPTER 19 INVESTIGATING COMPUTER INTRUSIONS
  19.1 How Computer Intruders Operate
  19.2 Investigating Intrusions
    19.2.1 Processes as a Source of Evidence (Windows)
    19.2.2 Processes as a Source of Evidence (Unix)
    19.2.3 Windows Registry
    19.2.4 Acquisition over Network
    19.2.5 Classification, Comparison, and Evaluation of Source
  19.3 Investigative Reconstruction
    19.3.1 Parallels between Arson and Intrusion Investigations
    19.3.2 Crime Scene Characteristics
    19.3.3 Automated and Dynamic Modus Operandi
    19.3.4 Examining the Intruder's Computer
  19.4 Detailed Case Example
  19.5 Summary
CHAPTER 20 SEX OFFENDERS ON THE INTERNET (Eoghan Casey, Monique Ferraro, and Michael McGrath)
  20.1 Window to the World
  20.2 Legal Considerations
  20.3 Identifying and Processing Digital Evidence
  20.4 Investigating Online Sexual Offenders
    20.4.1 Undercover Investigation
  20.5 Investigative Reconstruction
    20.5.1 Analyzing Sex Offenders
    20.5.2 Analyzing Victim Behavior
    20.5.3 Crime Scene Characteristics
    20.5.4 Motivation
  20.6 Summary
CHAPTER 21 INVESTIGATING CYBERSTALKING
  21.1 How Cyberstalkers Operate
    21.1.1 Acquiring Victims
    21.1.2 Anonymity and Surreptitious Monitoring
    21.1.3 Escalation and Violence
  21.2 Investigating Cyberstalking
    21.2.1 Interviews
    21.2.2 Victimology
    21.2.3 Risk Assessment
    21.2.4 Search
    21.2.5 Crime Scene Characteristics
    21.2.6 Motivation
  21.3 Cyberstalking Case Example
  21.4 Summary
CHAPTER 22 DIGITAL EVIDENCE AS ALIBI
  22.1 Investigating an Alibi
  22.2 Time as Alibi
  22.3 Location as Alibi
  22.4 Summary
PART 5 GUIDELINES
CHAPTER 23 DIGITAL EVIDENCE HANDLING GUIDELINES
  23.1 Identification or Seizure
    23.1.1 When the Entire Computer is Required
  23.2 Preservation
    23.2.1 If Only a Portion of the Digital Evidence on a Computer is Required
    23.2.2 Sample Preservation Form
CHAPTER 24 DIGITAL EVIDENCE EXAMINATION GUIDELINES (Eoghan Casey and Troy Larson)
  24.1 Preparation
  24.2 Processing
    24.2.1 DOS/Windows Command Line - Maresware
    24.2.2 Windows GUI - EnCase
    24.2.3 Windows GUI - FTK
  24.3 Identify and Process Special Files
  24.4 Summary
BIBLIOGRAPHY
GLOSSARY
AUTHOR INDEX
SUBJECT INDEX

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.
