Cyber Forensics
From Data to Digital Evidence
By Albert J. Marcella, Frederic Guillossou
Part 587 of the Wiley Corporate F&A series
Product information
- Publication date: 2012-05-15
- Dimensions: 161 x 236 x 30 mm
- Weight: 588 g
- Format: Hardcover
- Language: English
- Series: Wiley Corporate F&A
- Number of pages: 368
- Publisher: John Wiley & Sons Inc
- ISBN: 9781118273661
More about the author
ALBERT J. MARCELLA, JR., PHD, CISA, CISM, is President of Business Automation Consultants, LLC, a global information technology and management consulting firm providing IT management consulting, audit and security reviews, and training. He is an internationally recognized public speaker, researcher, workshop and seminar leader, and an author of numerous articles and books on various IT, audit, and security related subjects. FREDERIC GUILLOSSOU, CISSP, CCE, is an Information Security Analyst with TALX, a division of Equifax. He regularly trains on intrusion prevention systems and has successfully led a number of forensic investigations in the field.
Table of contents
- Preface
- Acknowledgments
- Chapter 1: The Fundamentals of Data
  - Base 2 Numbering System: Binary and Character Encoding
  - Communication in a Two-State Universe
  - Electricity and Magnetism
  - Building Blocks: The Origins of Data
  - Growing the Building Blocks of Data
  - Moving Beyond Base 2
  - American Standard Code for Information Interchange
  - Character Codes: The Basis for Processing Textual Data
  - Extended ASCII and Unicode
  - Summary
  - Notes
- Chapter 2: Binary to Decimal
  - American Standard Code for Information Interchange
  - Computer as a Calculator
  - Why Is This Important in Forensics?
  - Data Representation
  - Converting Binary to Decimal
  - Conversion Analysis
  - A Forensic Case Example: An Application of the Math
  - Decimal to Binary: Recap for Review
  - Summary
- Chapter 3: The Power of HEX: Finding Slivers of Data
  - What the HEX?
  - Bits and Bytes and Nibbles
  - Nibbles and Bits
  - Binary to HEX Conversion
  - Binary (HEX) Editor
  - The Needle within the Haystack
  - Summary
  - Notes
- Chapter 4: Files
  - Opening
  - Files, File Structures, and File Formats
  - File Extensions
  - Changing a File’s Extension to Evade Detection
  - Files and the HEX Editor
  - File Signature
  - ASCII Is Not Text or HEX
  - Value of File Signatures
  - Complex Files: Compound, Compressed, and Encrypted Files
  - Why Do Compound Files Exist?
  - Compressed Files
  - Forensics and Encrypted Files
  - The Structure of Ciphers
  - Summary
  - Notes
  - Appendix 4A: Common File Extensions
  - Appendix 4B: File Signature Database
  - Appendix 4C: Magic Number Definition
  - Appendix 4D: Compound Document Header
- Chapter 5: The Boot Process and the Master Boot Record (MBR)
  - Booting Up
  - Primary Functions of the Boot Process
  - Forensic Imaging and Evidence Collection
  - Summarizing the BIOS
  - BIOS Setup Utility: Step by Step
  - The Master Boot Record (MBR)
  - Partition Table
  - Hard Disk Partition
  - Summary
  - Notes
- Chapter 6: Endianness and the Partition Table
  - The Flavor of Endianness
  - Endianness
  - The Origins of Endian
  - Partition Table within the Master Boot Record
  - Summary
  - Notes
- Chapter 7: Volume versus Partition
  - Tech Review
  - Cylinder, Head, Sector, and Logical Block Addressing
  - Volumes and Partitions
  - Summary
  - Notes
- Chapter 8: File Systems—FAT 12/16
  - Tech Review
  - File Systems
  - Metadata
  - File Allocation Table (FAT) File System
  - Slack
  - HEX Review Note
  - Directory Entries
  - File Allocation Table (FAT)
  - How Is Cluster Size Determined?
  - Expanded Cluster Size
  - Directory Entries and the FAT
  - FAT Filing System Limitations
  - Directory Entry Limitations
  - Summary
  - Appendix 8A: Partition Table Fields
  - Appendix 8B: File Allocation Table Values
  - Appendix 8C: Directory Entry Byte Offset Description
  - Appendix 8D: FAT 12/16 Byte Offset Values
  - Appendix 8E: FAT 32 Byte Offset Values
  - Appendix 8F: The Power of 2
- Chapter 9: File Systems—NTFS and Beyond
  - New Technology File System
  - Partition Boot Record
  - Master File Table
  - NTFS Summary
  - exFAT
  - Alternative Filing System Concepts
  - Summary
  - Notes
  - Appendix 9A: Common NTFS System Defined Attributes
- Chapter 10: Cyber Forensics: Investigative Smart Practices
  - The Forensic Process
  - Forensic Investigative Smart Practices
  - Step 1: The Initial Contact, the Request
  - Step 2: Evidence Handling
  - Step 3: Acquisition of Evidence
  - Step 4: Data Preparation
  - Time
  - Summary
  - Note
- Chapter 11: Time and Forensics
  - What Is Time?
  - Network Time Protocol
  - Timestamp Data
  - Keeping Track of Time
  - Clock Models and Time Bounding: The Foundations of Forensic Time
  - MS-DOS 32-Bit Timestamp: Date and Time
  - Date Determination
  - Time Determination
  - Time Inaccuracy
  - Summary
  - Notes
- Chapter 12: Investigation: Incident Closure
  - Forensic Investigative Smart Practices
  - Step 5: Investigation (Continued)
  - Step 6: Communicate Findings
  - Characteristics of a Good Cyber Forensic Report
  - Report Contents
  - Step 7: Retention and Curation of Evidence
  - Step 8: Investigation Wrap-Up and Conclusion
  - Investigator’s Role as an Expert Witness
  - Summary
  - Notes
- Chapter 13: A Cyber Forensic Process Summary
  - Binary
  - Binary—Decimal—ASCII
  - Data Versus Code
  - HEX
  - From Raw Data to Files
  - Accessing Files
  - Endianness
  - Partitions
  - File Systems
  - Time
  - The Investigation Process
  - Summary
- Appendix: Forensic Investigations, ABC Inc.
- Glossary
- About the Authors
- Index