List of Figures


Chapter 1: Digital Evidence and Computer Crime

Figure 1.1: Conceptual depiction of data fragments being extracted from a hard drive platter, combined, and translated into an e-mail message.
Figure 1.2: Web camera of live traffic from www.marylandroads.com.
Figure 1.3: Shoe prints preserved using dental cement.

Chapter 4: The Investigative Process

Figure 4.1: Overview of case/incident resolution process.
Figure 4.2: Locard's Exchange Principle.
Figure 4.3: Remnants of a directory listing from a UNIX system found on a Windows computer using the grep feature in EnCase to search for the pattern "[d\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-](space)."
Figure 4.4: Potential sources of evidence useful for establishing continuity of offense.
Figure 4.5: Categories of the Investigative Process Model (depicted as a flight of stairs).

Chapter 5: Investigative Reconstruction with Digital Evidence

Figure 5.1: Conceptual view of timeline and relational reconstructions.
Figure 5.2: Diagram depicting intruder gaining access to accounting server.
Figure 5.3: Offender in Europe, victim in the United States, crime scenes spread around the world on personal computers and servers (AOL in Virginia).

Chapter 8: Computer Basics for Digital Investigators

Figure 8.1: Diagram of the Atanasoff-Berry Computer (ABC). Image from http://www.scl.ameslab.gov/ABC/Progress.html (reproduced with permission).
Figure 8.2: An electrical pulse resets the CPU, which, in turn, activates the BIOS.
Figure 8.3: Magnetic patterns on a hard disk as seen through a magnetic force microscope. Peaks indicate a one (1) and troughs signify a zero (0). Image from http://www.ntmdt.ru/applicationnotes/MFM/ (reproduced with permission).
Figure 8.4: A depiction of platters, tracks, sectors, clusters, and heads on a computer disk.
Figure 8.5: Simplified depiction of disk structure with two partitions, each containing a FAT formatted volume.
Figure 8.6: Windows 95 boot sector viewed using Norton Diskedit.
Figure 8.7: Volume slack containing remnants of Form virus viewed using EnCase.
Figure 8.8: When old data are overwritten with new data, some of the old data can remain.

Chapter 9: Applying Forensic Science to Computers

Figure 9.1: A selection of storage media and computerized devices.
Figure 9.2: Black box concept of the message digest.
Figure 9.3: Comparing bitstream copying to regular copying.
Figure 9.4: Additional class characteristics of EXIF file displayed using ACDSee. The date and time embedded in this file (15:53 on 06/11/2000) is inaccurate because the camera's clock was not set to the correct time, emphasizing the importance of documenting system time when collecting any kind of computerized device.
Figure 9.5: Fragments of an overwritten JPEG file partially reconstituted by grafting a new header onto the file.
Figure 9.6: Histogram of date-time stamps (created and last modified) showing gaps during suspect's shifts.
Figure 9.7: Conceptual image of 24-hour clocks with MAC times for several days with a line connecting significant events on sequential days.
Figure 9.8: Forensic Date & Time Decoder. These times are generally GMT and must be adjusted for time zones.

Chapter 10: Forensic Examination of Windows Systems

Figure 10.1: Root directory (skyways-getafix.doc, starts in cluster 184) and FAT data in clusters 184-225 (42 clusters × 512 bytes/cluster = 21504 bytes).
Figure 10.2: WinHex "File Manager Compare" feature.
Figure 10.3: Norton Commander.
Figure 10.4: NTI Net Threat Analyzer.
Figure 10.5: The Sleuth Kit and Autopsy Forensic Browser being used to examine a FAT file system (checkmarks indicate files are deleted).
Figure 10.6: DataLifter being used to carve files from two blobs of unallocated space and one blob of file slack from a system.
Figure 10.7: Easy-Recovery Pro from Ontrack.
Figure 10.8: File slack of a recovered file viewed using EnCase.
Figure 10.9: Internet Account Manager.
Figure 10.10: A cookie created by MS Internet Explorer showing recent Mapquest searches viewed using CookieView (http://www.digitaldetective.co.uk).
Figure 10.11: FTK showing Word document as e-mail attachments (base 64 encoded).
Figure 10.12: Registry showing remote systems recently accessed using Telnet.
Figure 10.13: Network Neighborhood on a Windows XP computer connected to a home network.
Figure 10.14: Active network file shares.

Chapter 11: Forensic Examination of Unix Systems

Figure 11.1: Remote view of a Windows system using FIRE with its VNC connection feature.
Figure 11.2: Conceptual representation of a directory and inode where the file types include regular, directory, symbolic link, and socket.
Figure 11.3: Overview of UNIX file systems.
Figure 11.4: Contents of the root directory's inode, interpreted as a directory using Linux Disk Editor (http://lde.sourceforge.net).
Figure 11.5: inode for /etc/passwd.
Figure 11.6: Viewing a Linux system using The Sleuth Kit and Autopsy Forensic Browser.
Figure 11.7: SMART file recovery process saves deleted files onto the examination system for further analysis using other tools.
Figure 11.8: FTK used to view ext2 file system in the file "honeynet.hda8.dd," available from http://www.honeynet.org/challenge/.
Figure 11.9: Lazarus from the Coroner's Toolkit used to classify data on a disk and recover deleted data such as the partial image shown here.
Figure 11.10: The Sleuth Kit showing (a) the /var/log directory with inode number 502952 and (b) information relating to inode number 502952, including the associated block group 31, which can also be obtained using the istat command.
Figure 11.11: A histogram of deleted inodes from a compromised machine showing a spike on November 8 as a result of an intruder's activities.

Chapter 12: Forensic Examination of Macintosh Systems

Figure 12.1: (a) File record interpreted using Norton Disk Editor. (b) Same file record in hexadecimal form.
Figure 12.2: HFS viewed in EnCase showing Catalog file record from Figure 12.1.
Figure 12.3: Norton Unerase.
Figure 12.4: IE Cache.waf file viewed using WAFInspec.

Chapter 13: Forensic Examination of Handheld Devices

Figure 13.1: Warning message displayed by Palm OS Emulator when loading a copy of ROM that has been modified using FlashPro.
Figure 13.2: Print screen of PDA Seizure showing logical databases.
Figure 13.3: Image/data being viewed using Palm OS Emulator (POSE).
Figure 13.4: Text messages on a SIM card viewed using SIM Manager Pro.
Figure 13.5: A SIM card viewed using Card Editor SIM Manager Pro.
Figure 13.6: A memory module for a Palm OS device along with a PCMCIA interface card. This type of adapter is useful for acquiring digital evidence from memory modules using Windows and Unix based tools such as EnCase and dd.

Chapter 14: Network Basics for Digital Investigators

Figure 14.1: Map of ARPANET.
Figure 14.2: Time line of key events.
Figure 14.3: Depiction of hosts with NICs connected to a router to form a network.
Figure 14.4: Hosts connected to a central hub (star topology).
Figure 14.5: Normal FDDI communication versus backup communication when a host is down (double ring topology).
Figure 14.6: Wireless IEEE 802.11 network with a PDA and PC connected to an AP. Also shown is the AP connected to the Internet.
Figure 14.7: Dissimilar networks connected using a common language to form an internet.
Figure 14.8: Barb the Bookie's Network.
Figure 14.9: Conceptual depiction of TCP/IP with arrows indicating communication between modules.
Figure 14.10: A simplified depiction of the Open Systems Interconnection layers showing where TCP/IP fits.
Figure 14.11: Graphical synopsis of the OSI reference model.
Figure 14.12: How a Web browser accesses the Internet as seen through the OSI model.
Figure 14.13: NetIntercept (http://www.sandstorm.com) showing components of a Web page both in OSI layers and content recovered from network traffic.

Chapter 15: Applying Forensic Science to Networks

Figure 15.1: Search circles that may contain digital evidence.
Figure 15.2: Sample digital evidence map.
Figure 15.3: HyperTerminal has the capability to record the results of a router examination in a file. The "Capture Text" option is on the "Transfer" menu.
Figure 15.4: Ethereal (www.ethereal.com) used to reconstruct a TCP Stream relating to one component of a Web page being downloaded.
Figure 15.5: Network traffic depicted in IP address-IP address connections creating a circular mesh using NetIntercept.
Figure 15.6: VPN connection makes an offender in California appear to be in Connecticut, throwing investigators off track and giving the victim a false sense of security.

Chapter 16: Digital Evidence on Physical and Data-Link Layers

Figure 16.1: Old Ethernet configuration (modern configurations are conceptually the same).
Figure 16.2: Computers on a 10BaseT network plugged into a hub.
Figure 16.3: Computer A sending data to computer Z.
Figure 16.4: Ethereal classification of NIC addresses.
Figure 16.5: Summary diagram of TCP/IP separated by OSI layer.
Figure 16.6: Computers connected at the physical level are vulnerable to eavesdropping.
Figure 16.7: Ethereal showing packet in "hotmail-02242003.dmp" file containing the keyword "POST," corresponding to the act of sending the message through Hotmail.
Figure 16.8: (a) Using the NetIntercept forensics view to examine network traffic and locate important items such as an "HTTP POST." (b) Using NetIntercept to view the same packet as Figure 16.7 containing the "POST" keyword.
Figure 16.9: Hotmail Inbox recovered using Ethereal.
Figure 16.10: Hotmail Inbox extracted from a tcpdump file and displayed using NetIntercept.
Figure 16.11: MIME encoded e-mail attachments containing data in a ZIP file extracted from a tcpdump file and displayed using NetIntercept.

Chapter 17: Digital Evidence at the Network and Transport Layers

Figure 17.1: TCP/IP diagram with OSI layers superimposed.
Figure 17.2: IP addresses are conceptually the same as telephone numbers.
Figure 17.3: A zone transfer using NetScanTools Pro requires the DNS server to be set to one of the target system's DNS servers under Advanced Query Options (accessed using the "Adv Qry Setup" button).
Figure 17.4: IP Routing.
Figure 17.5: UDP packet with port number in the heading being transmitted to a server.
Figure 17.6: TCP establishing a connection using a three-way handshake.
Figure 17.7: Internet café with several kiosks, Ethernet ports for customer laptops, and a wireless access point connected together with an Ethernet switch and connected to an ISP's router by a firewall performing NAT.
Figure 17.8: VPN concentrator (172.16.1.219), IAS server (172.16.1.45), and connecting host (64.252.248.133; 172.16.19.53).

Chapter 18: Digital Evidence on the Internet

Figure 18.1: A list of a few IRC chat channels.
Figure 18.2: KaZaA Media Desktop (KMD).
Figure 18.3: Java client providing links to Freenet.
Figure 18.4: Message Transfer Agent.
Figure 18.5: Logging configuration, accessed via the File - Options menu item.
Figure 18.6: Results of the who command on IRC.
Figure 18.7: Results of the whois and dns commands on IRC.
Figure 18.8: DataGrab.
Figure 18.9: Chat Monitor.

Chapter 19: Investigating Computer Intrusions

Figure 19.1: Unusual process viewed using Ctrl-Alt-Del.
Figure 19.2: EnCase used to analyze a Linux system showing a rootkit installation script.

Chapter 20: Sex Offenders on the Internet

Figure 20.1: Possible sources of evidence in a sex offense investigation.

Chapter 23: Digital Evidence Handling Guidelines

Figure 23.1: Overview of identification and seizure process.

Chapter 24: Digital Evidence Examination Guidelines

Figure 24.1: (a) Hash set organizer using the NIST NSRL hash set (http://www.nsrl.nist.gov/). (b) Calculate MD5 values and identify file extension mismatches.
Figure 24.2: Exporting a file list using EnCase.
Figure 24.3: Exporting slack space using EnCase.
Figure 24.4: EnCase Table view sorted first by tagged files and then by file extension.
Figure 24.5: Calculate hash values of files and identify known files when adding evidence to FTK.
Figure 24.6: Export a list of files with associated properties.
Figure 24.7: Exporting unallocated space using FTK.
Figure 24.8: FTK File Filter Manager.

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279