
Digital Forensics for Legal Professionals : Understanding Digital Evidence from the Warrant to the Courtroom.
Title:
Digital Forensics for Legal Professionals : Understanding Digital Evidence from the Warrant to the Courtroom.
Author:
Daniel, Larry.
ISBN:
9781597496445
Physical Description:
1 online resource (363 pages)
Contents:
Front Cover -- Digital Forensics for Legal Professionals -- Copyright Page -- Contents -- Preface -- Intended Audience -- Organization of this Book -- Section I: Overview of Digital Forensics -- Section II: Experts -- Section III: Motions and Discovery -- Section IV: Common Types of Digital Evidence -- About the Authors -- About the Tech Editors -- 1 WHAT IS DIGITAL FORENSICS? -- 1 Digital Evidence Is Everywhere -- Introduction -- 1.1 What is Digital Forensics? -- 1.2 What is Digital Evidence? -- 1.3 How Digital Evidence is Created And Stored -- Summary -- 2 Overview of Digital Forensics -- Introduction -- 2.1 Digital Forensics -- 2.1.1 Acquisition -- 2.1.2 Preservation -- 2.1.3 Analysis -- 2.1.4 Presentation -- 2.2 A Little Computer History -- 2.3 A Brief History of Computer Forensics -- 2.4 Computer Forensics Becomes Digital Forensics -- Summary -- 3 Digital Forensics: The Subdisciplines -- Introduction -- 3.1 The Subdisciplines -- 3.2 Computer Forensics -- 3.2.1 Incident response -- 3.2.2 Cell phone forensics -- 3.2.3 GPS forensics -- 3.2.4 Media device forensics -- 3.2.5 Social media forensics -- 3.2.6 Digital video and photo forensics -- 3.2.7 Digital camera forensics -- 3.2.8 Digital audio forensics -- 3.2.9 Multiplayer game forensics -- 3.2.10 Game console forensics -- Summary -- 4 The Foundations of Digital Forensics: Best Practices -- Introduction -- 4.1 Who Establishes Best Practices? -- 4.2 Who should be Following Best Practices? -- 4.3 Summary of Best Practices -- 4.3.1 Volatile data and live forensics -- 4.3.2 Preservation best practices -- 4.3.3 Acquisition best practices -- 4.4 What Really Happens in Many Cases -- Summary -- 5 Overview of Digital Forensics Tools -- Introduction -- 5.1 What Makes a Tool Forensically Sound? -- 5.2 Who Performs Tool Testing? -- 5.3 Computer Forensics Tools: An Overview.
5.4 Classes of Forensics Tools -- 5.5 Mobile Device Forensics Tools -- Summary -- References -- 6 Digital Forensics at Work in the Legal System -- Introduction -- 6.1 Mitigation -- 6.2 Pre-trial Motions -- 6.3 Trial Preparation -- 6.4 Example Trial Questions -- 6.4.1 A civil case example -- 6.4.2 Criminal trial example -- 6.5 Trial Phase -- Summary -- 2 EXPERTS -- 7 Why Do I Need an Expert? -- Introduction -- 7.1 Why Hire a Digital Forensics Expert? -- 7.2 When to Hire a Digital Forensics Expert -- Summary -- 8 The Difference between Computer Experts and Digital Forensics Experts -- Introduction -- 8.1 The Computer Expert -- 8.2 The Digital Forensics Expert -- 8.3 A Side-by-Side Comparison -- 8.4 Investigation of Digital Evidence -- 8.4.1 What does it mean to "investigate"? -- Summary -- 9 Selecting a Digital Forensics Expert -- Introduction -- 9.1 What is an Expert? -- 9.2 Locating and Selecting an Expert -- 9.2.1 Establishing your selection criteria -- 9.2.2 What evidence is part of your case? -- 9.2.3 What type of case do you have? -- 9.2.4 The prequalification process -- 9.2.5 What is a reasonable fee? -- 9.2.6 How can you tell what is a reasonable fee quote? -- 9.3 Certifications -- 9.4 Training, Education, and Experience -- 9.5 The Right Forensic Tools -- Summary -- References -- 10 What to Expect from an Expert -- Introduction -- 10.1 General Expectations -- 10.2 Where to Begin? -- 10.2.1 Sample protocol for evidence collection by a third or opposing party -- 10.3 The Examination -- 10.4 Court Preparation -- 10.5 Expert Advice -- Summary -- 11 Approaches by Different Types of Examiners -- Introduction -- 11.1 Standards -- 11.2 Training and Experience -- 11.3 Impact on Examinations -- 11.4 Ethics -- 11.5 The Approach to an Examination -- Summary -- References -- 12 Spotting a Problem Expert -- Introduction -- 12.1 Beyond the Window Dressings.
12.1.1 Verifiable experience and criminal records -- 12.1.2 Attitude -- 12.1.3 The bull factor -- 12.1.4 Appearance matters -- 12.1.5 The big problems -- 12.1.6 Aversion -- Summary -- 13 Qualifying an Expert in Court -- Introduction -- 13.1 Qualifying an Expert -- 13.1.1 Federal Rules of Evidence: Rule 702 Expert Witnesses -- 13.1.2 The resume or curriculum vitae -- 13.1.3 Certifications -- 13.1.4 Training -- 13.1.5 Experience -- 13.1.6 Education -- 13.2 Qualifying Experts in Court -- 13.2.1 Sample qualification questions -- Summary -- Reference -- 3 MOTIONS AND DISCOVERY -- 14 Overview of Digital Evidence Discovery -- Introduction -- 14.1 Discovery Motions in Civil and Criminal Cases -- 14.1.1 Common challenges in criminal and civil cases -- Summary -- 15 Discovery of Digital Evidence in Criminal Cases -- Introduction -- 15.1 Sources of Digital Evidence -- 15.2 Building the Motion -- 15.2.1 Discovery motion specifics -- Summary -- 16 Discovery of Digital Evidence in Civil Cases -- Introduction -- 16.1 Rules Governing Civil Discovery -- 16.2 Electronic Discovery in Particular -- 16.3 Time is of the Essence -- 16.4 Getting to the Particulars -- 16.4.1 What happened? -- 16.4.2 Who was involved? -- 16.4.3 How would electronic evidence be involved? -- 16.4.4 Where might electronic evidence be stored? -- 16.4.5 Who has control of the electronic evidence you need to collect? -- 16.5 Getting the Electronic Evidence -- Summary -- References -- 17 Discovery of Computers and Storage Media -- Introduction -- 17.1 An Example of a Simple Consent to Search Agreement -- 17.2 Example of a Simple Order for Expedited Discovery -- 17.3 Example of an Order for Expedited Discovery and Temporary Restraining Order -- Summary -- 18 Discovery of Video Evidence -- Introduction -- 18.1 Common Issues with Video Evidence -- 18.1.1 Collecting and preserving tape media.
18.1.2 Video recording devices -- 18.2 Collecting Video Evidence -- 18.3 Example Discovery Language for Video Evidence -- Summary -- 19 Discovery of Audio Evidence -- Introduction -- 19.1 Common Issues with Audio Evidence -- 19.1.1 Audio recording devices -- 19.1.2 Tape media -- 19.1.3 Audio metadata -- 19.1.4 File formats and audio programs -- 19.2 Example Discovery Language for Audio Evidence -- Summary -- 20 Discovery of Social Media Evidence -- Introduction -- 20.1 Legal Issues in Social Media Discovery -- 20.2 Finding Custodian of Records Contact Information -- 20.3 Facebook Example -- 20.3.1 Sample language to include for Facebook -- 20.4 Google Information -- 20.4.1 Google blogger example -- 20.4.2 Sample language for Google Blogger accounts and posts -- 20.5 Online E-Mail Accounts -- Summary -- References -- 21 Discovery in Child Pornography Cases -- Introduction -- 21.1 The Adam Walsh Child Protection and Safety Act of 2006 -- 21.2 The Discovery Process -- 21.2.1 First round of discovery -- 21.2.2 The second round of discovery -- Summary -- References -- 22 Discovery of Internet Service Provider Records -- Introduction -- 22.1 Internet Service Provider Records or IP Addresses -- 22.1.1 How to find the Internet service provider for an IP address step by step -- 22.1.2 Motion language once you know the IP address -- 22.2 Example Language for Web-Based E-Mail Addresses -- 22.3 What to Expect From an Internet Service Provider (ISP) Subpoena -- Summary -- 23 Discovery of Global Positioning System Evidence -- Introduction -- 23.1 GPS Tracking Evidence Overview -- 23.1.1 Categories of potential GPS tracking evidence -- 23.2 Discovery of GPS Evidence -- 23.2.1 Language for getting a GPS device for examination -- 23.2.2 Language for getting information from a manufacturer about a device -- 23.2.3 Language for getting GPS evidence from a third party.
Summary -- 24 Discovery of Call Detail Records -- Introduction -- 24.1 Discovery Issues in Cellular Evidence -- 24.2 Example Language for Call Detail Records -- Summary -- 25 Obtaining Expert Funding in Indigent Cases -- Introduction -- 25.1 Justifying Extraordinary Expenses -- 25.2 Example Language for an Ex Parte Motion for Expert Funds -- Summary -- 4 COMMON TYPES OF DIGITAL EVIDENCE -- 26 Hash Values: The Verification Standard -- Introduction -- 26.1 Hash Values -- 26.2 How Hash Values are Used in Digital Forensics -- 26.2.1 Using hash values to find hidden files -- 26.2.2 How to determine whether a file exists on a computer -- 26.2.3 De-duplicating data in e-discovery -- 26.2.4 The dangers of court testimony without verification -- 26.2.5 What if an opposing expert did not verify evidence? -- Summary -- 27 Metadata -- Introduction -- 27.1 The Purpose of Metadata -- 27.2 Common Types of Metadata -- 27.2.1 File system metadata -- 27.2.2 Internet metadata -- 27.2.3 Document metadata -- 27.2.4 Picture metadata -- Summary -- 28 Thumbnails and the Thumbnail Cache -- Introduction -- 28.1 Thumbnails and the Thumbnail Cache -- 28.2 How Thumbnails and the Thumbnail Cache Work -- 28.2.1 When are these thumbs.db cache files created? -- 28.2.2 Changes in Windows Vista and Windows 7 -- 28.2.3 Thumbs.db and networked drives -- 28.3 Thumbnails and the Thumbnail Cache as Evidence -- Summary -- Reference -- 29 Deleted Data -- Introduction -- 29.1 How Data is Stored on a Hard Drive -- 29.1.1 Hard drive data storage structure -- 29.2 Deleted File Recovery -- 29.2.1 Simple file recovery -- 29.2.2 Advanced file recovery: file carving -- 29.3 Evidence of Data Destruction -- 29.3.1 Physical destruction -- Summary -- 30 Computer Time Artifacts (MAC Times) -- Introduction -- 30.1 Computer File System Time Stamps -- 30.2 Fundamental Issues in Forensic Analysis of Timeline.
30.3 Created, Modified, Accessed.
Abstract:
Digital Forensics for Legal Professionals provides you with a guide to digital technology forensics in plain English. In the authors' years of experience in working with attorneys as digital forensics experts, common questions arise again and again: "What do I ask for?" "Is the evidence relevant?" "What does this item in the forensic report mean?" "What should I ask the other expert?" "What should I ask you?" "Can you explain that to a jury?" This book answers many of those questions in clear language that is understandable by non-technical people. With many illustrations and diagrams that will be usable in court, the authors explain technical concepts such as unallocated space, forensic copies, timeline artifacts and metadata in simple terms that make these concepts accessible to both attorneys and juries. The authors also explain how to determine what evidence to ask for, what evidence might be discoverable, and the methods for getting to it, including relevant subpoena and motion language. Additionally, this book provides an overview of the current state of digital forensics, the right way to select a qualified expert, what to expect from a qualified expert and how to properly use experts before and during trial. Includes a companion Web site with courtroom illustrations and examples of discovery motions. Provides examples of direct and cross examination questions for digital evidence. Contains a reference of definitions of digital forensic terms, relevant case law, and resources for the attorney.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.