The Best Damn Cybercrime and Digital Forensics Book Period : Your Guide to Digital Information Seizure, Incident Response, and Computer Forensics.
Title:
The Best Damn Cybercrime and Digital Forensics Book Period : Your Guide to Digital Information Seizure, Incident Response, and Computer Forensics.
Author:
Wiles, Jack.
ISBN:
9780080556086
Physical Description:
1 online resource (734 pages)
Contents:
Front Cover -- The Best Damn Cybercrime and Digital Forensics Book Period -- Copyright Page -- Contributing Authors -- Contents -- Chapter 1: Computer Forensics in Today's World -- Introduction -- History of Forensics -- Objectives of Computer Forensics -- Computer-Facilitated Crimes -- Reasons for Cyber Attacks -- Computer Forensic Flaws and Risks -- Modes of Attack -- Stages of Forensic Investigation in Tracking Computer Crime -- Rules of Computer Forensics -- Digital Forensics -- Assessing the Case: Detecting/Identifying the Event/Crime -- Preservation of Evidence: Chain of Custody -- Collection: Data Recovery, Evidence Collection -- Examination: Tracing, Filtering, Extracting Hidden Data -- Analysis -- Approach the Crime Scene -- Where and When Do You Use Computer Forensics? -- Legal Issues -- The Computer Forensics Lab -- Laboratory Strategic Planning for Business -- Philosophy of Operation -- A Forensics Laboratory Is a Business Venue -- A Forensics Laboratory Is a Technology Venue -- A Forensics Laboratory Is a Scientific Venue -- A Forensics Laboratory Is an Artistic Venue -- Core Mission and Services -- Revenue Definition -- "I Know How Expensive I Am. Now, How Do I Get Paid?" -- SOP (Standard Operating Procedure) -- Quality Standards: Accreditation -- Quality Standards: Auditing -- Human Talent -- Education and Continuing Education -- Elements of Facilities Build-out -- Space Planning Considerations -- Examination Environment -- Evidence Storage -- Network Facilities -- Fire Protection/Suppression -- Water Dispersion Systems -- Gaseous Suppression -- Chemical Suppression -- Electrical and Power Plant Considerations -- LAN/WAN Planning -- HVAC -- Abatements -- Static Electricity -- EMI (electromagnetic interference) -- Acoustic Balancing -- Security -- Evidence Locker Security -- General Ambience -- Spatial Ergonomics.

A Note on "common office technology" -- Personal Workspace Design -- Common Area Considerations -- Essential Laboratory Tools -- Write Blockers -- Write Block Field Kits -- Hardware Duplication Platforms -- Portable Forensics Systems -- Portable Enterprise Systems -- Laboratory Forensics Systems -- Media Sterilization Systems -- Data Management (Backup, Retention, Preservation) -- CD/DVD Hardware Solutions -- Portable Device Forensics, Some Basic Tools -- Faraday Devices as Applied to Forensics -- Real-World Examples -- Portable Devices and Data Storage -- Locating the Data -- Power -- Readers, readers, readers! -- Cables, cables, cables! -- Forensic Software -- Operating Systems -- File Systems -- Investigative Platforms -- Other/Specialty Tools -- Tools in the Enterprise -- Ad Hoc scripts and programs -- Software Licensing -- Tool Validation -- Chapter 2: Digital Forensics: An Overview -- Introduction -- Digital Forensic Principles -- Practice Safe Forensics -- Establish and Maintain a Chain of Custody -- Minimize Interaction with Original Evidence -- Use Proven Tools and Know How They Work -- Is the Tool in General Use? -- What Is the History of the Developer and the Tool? -- Do You Know How the Tool Works? -- Conduct Objective Analysis and Reporting -- Digital Environments -- Corporate -- Government -- Academic -- The Internet -- The Home -- Digital Forensic Methodologies -- Litigation Support -- Identification -- Collection -- Organization -- Presentation -- Digital Media Analysis -- Identification -- Collection -- Analysis -- Network Investigations -- Identification -- Collection -- Analysis -- Summary -- Solutions Fast Track -- Frequently Asked Questions -- Chapter 3: Developing an Enterprise Digital Investigative/Electronic Discovery Capability -- Introduction.

Identifying Requirements for an Enterprise Digital Investigative/Electronic Discovery Capability -- Costs -- Time -- Resources -- Allies -- Administrative Considerations for an Enterprise Digital Investigative/Electronic Discovery Capability -- Policy and Standard Operating Procedures -- Funding -- Organizational Framework -- Training -- Tool Validation -- Certification -- Accreditation -- Identifying Resources (Software/Hardware/Facility) for Your Team -- Software -- Hardware and Storage -- Hardware -- Storage -- Write Blockers -- Facility -- Location -- Security -- Ventilation and Air-Conditioning Systems -- Electrical and Power Systems -- Summary -- References -- Frequently Asked Questions -- Chapter 4: Integrating a Quality Assurance Program in a Digital Forensic Laboratory -- Introduction -- Quality Planning, Quality Reviews, and Continuous Quality Improvement -- Deficiencies and Driving Out Error -- Meeting Client Stated and Implied Needs -- Continuous Quality Improvement -- Laboratory Planning -- The Structure of an Organization's SOPs or QAMs -- "Do" or Executing the Plan -- "Check" or Study Processes -- "Act" or Adapt and Refine the Plan -- Continuous Upward Spiral of Excellence -- Cost of Quality: Why Bother? -- Other Challenges: Ownership, Responsibility and Authority -- Management's Responsibility for Ownership in the Quality System -- The Quality Manager -- Personalities and Patience -- Assess Your Client's Needs -- Adapt to Your Client's Needs -- Private Sector Challenge -- Summary -- Frequently Asked Questions -- Chapter 5: Balancing E-discovery Challenges with Legal and IT Requirements -- Introduction -- Drivers of E-discovery Engineering -- Storage -- Federal Rules of Civil Procedure -- Purpose -- Costs -- Locations, Forms and Preservation of Electronically Stored Information -- Locations of ESI -- Forms of ESI -- File Types.

Metadata Fields -- Legal and IT Team Considerations for Electronic Discovery -- IT Members within the Legal Team -- Records and Information Managers -- Information Lifecycle Managers -- E-mail, IM, and PDA Managers -- Backup and Archiving Managers -- Are You Litigation Ready? -- Served with a Request -- Contact Your Chief Information Officer or Equivalent -- Be Prepared to Field Questions from the Professionals -- Be Prepared to Ask Questions -- Interviews -- Inventory -- Discovery Readiness Planning -- Project Scope/Collect Available Information -- Interviews -- Data Cataloging/Mapping -- Review of Information Collected -- Gap Analysis -- Findings and Recommendations -- Business Process Improvement -- E-discovery Tools -- Summary -- Frequently Asked Questions -- Chapter 6: Forensic Software and Hardware -- Introduction -- Part 1: Forensic Software Tools -- Visual TimeAnalyzer -- X-Ways Forensics -- Evidor -- Slack Space & Data Recovery Tools -- Ontrack -- DriveSpy -- Data Recovery Tools -- Device Seizure -- Forensic Sorter -- Directory Snoop -- Permanent Deletion of Files -- PDWipe -- Darik's Boot and Nuke (DBAN) -- File Integrity Checker -- FileMon -- File Date Time Extractor (FDTE) -- Decode - Forensic Date/Time Decoder -- Disk Imaging Tools -- Snapback DatArrest -- Partition Managers: Partimage -- Linux/UNIX Tools: Ltools and Mtools -- LTools -- MTools -- The Coroner's Toolkit (TCT) and Tctutils -- Password Recovery Tools -- @Stake -- Decryption Collection Enterprise -- AIM Password Decoder -- MS Access Database Password Decoder -- FavURLView - Favorite Viewer -- NetAnalysis -- Multipurpose Tools -- Maresware -- LC Technologies Software -- WinHex Specialist Edition -- Prodiscover DFT -- Toolkits -- NTI Tools -- R-Studio -- Datalifter -- Forensic Toolkit (FTK) -- Image Master Solo and Fastbloc -- Encase -- E-mail Recovery Tools.

Network E-mail Examiner -- Oxygen Phone Manager -- SIM Card Seizure -- Autoruns -- HashDig -- Patchit -- PowerGREP -- Reverse Engineering Compiler -- Part 2: Forensic Hardware Tools -- Hard Disk Write Protection Tools -- NoWrite -- FireWire DriveDock -- LockDown -- Write Protect Card Reader -- Drive Lock IDE -- Serial-ATA DriveLock Kit -- Wipe MASSter -- ImageMASSter Solo-3 IT -- ImageMASSter 4002i -- ImageMASSter 3002SCSI -- Image MASSter 3004 SATA -- Summary -- Frequently Asked Questions -- Chapter 7: Incident Response: Live Forensics and Investigations -- Introduction -- Postmortem versus Live Forensics -- Evolution of the Enterprise -- Evolution of Storage -- Encrypted File Systems -- Today's Live Methods -- Case Study: Live vs. Postmortem -- Computer Analysis for the Hacker Defender Program -- Network Analysis -- Summary -- Special Thanks -- References -- Frequently Asked Questions -- Chapter 8: Seizure of Digital Information -- Introduction -- Defining Digital Evidence -- Digital Evidence Seizure Methodology -- Seizure Methodology in Depth -- Step 1: Digital Media Identification -- Step 2: Minimizing the Crime Scene by Prioritizing the Physical Media -- Step 3: Seizure of Storage Devices and Media -- To Pull the Plug or Not to Pull the Plug, that Is the Question -- Factors Limiting the Wholesale Seizure of Hardware -- Factors Limiting Wholesale Seizure: Size of Media -- Factors Limiting Wholesale Seizure: Disk Encryption -- Factors Limiting Wholesale Seizure: Privacy Concerns -- Factors Limiting Wholesale Seizure: Delays Related to Laboratory Analysis -- Protecting the Time of the Most Highly Trained Personnel -- The Concept of the First Responder -- Other Options for Seizing Digital Evidence -- Responding to a Victim of a Crime Where Digital Evidence Is Involved -- Seizure Example.

Previewing Information On-scene to Determine the Presence and Location of Evidentiary Data Objects.
Abstract:
Electronic discovery refers to a process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a legal case. Computer forensics is the application of computer investigation and analysis techniques to perform an investigation to find out exactly what happened on a computer and who was responsible. IDC estimates that the U.S. market for computer forensics will grow from 252 million in 2004 to 630 million by 2009. Business is strong outside the United States, as well. By 2011, the estimated international market will be 1.8 billion dollars. The Techno Forensics Conference has increased in size by almost 50% in its second year; another example of the rapid growth in the market. This book is the first to combine cybercrime and digital forensic topics to provide law enforcement and IT security professionals with the information needed to manage a digital investigation. Everything needed for analyzing forensic data and recovering digital evidence can be found in one place, including instructions for building a digital forensics lab.
* Digital investigation and forensics is a growing industry
* Corporate I.T. departments investigating corporate espionage and criminal activities are learning as they go and need a comprehensive guide to e-discovery
* Appeals to law enforcement agencies with limited budgets.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.