Roadmap to the Book


This book draws from four fields: Law, Computer Science, Forensic Science, and Behavioral Evidence Analysis. The Law provides the framework within which all of the concepts of this book fit. Computer Science provides the technical details that are necessary to understand specific aspects of digital evidence. Forensic Science provides a general approach to analyzing any form of digital evidence. Behavioral Evidence Analysis provides a systematized method of synthesizing the specific technical knowledge and general scientific methods to gain a better understanding of criminal behavior and motivation.

This book is divided into five parts, beginning with a presentation of relevant legal issues and investigative methods in Part 1 (Chapters 1–7). Chapter 1 provides an overview. Chapter 2 (History and Terminology) provides relevant background, history, and terminology. Chapter 3 (Technology and Law) discusses legal issues that arise in computer-related investigations, comparing US and European law. Chapter 4 (Investigative Process) discusses a systematic approach to investigating a crime based on the scientific method, providing a context for the remainder of this book. Chapter 5 (Investigative Reconstruction) describes how to use digital evidence to reconstruct events and learn more about the victim and the offender in a crime. Chapter 6 (Technology, MO, and Motive) is a discussion of the relationship between technology and the people who use it to commit crime. Understanding criminal motivation and behavior is key to assessing risks (will criminal activity escalate?), developing and interviewing suspects (who to look for and what to say to them), and focusing investigations (where to look and what to look for). Chapter 7 (Digital Evidence in Court) provides an overview of issues that arise in court relating to digital evidence.

Part 2 of this book (Chapters 8–13) begins by introducing basic Forensic Science concepts in the context of a single computer. Learning how to deal with individual computers is crucial because even when networks are involved, it is usually necessary to collect digital evidence stored on computers. Case examples and guidelines are provided to help apply the knowledge in this text to investigations. The remainder of Part 2 deals with specific kinds of computers and ends with a discussion of overcoming password protection and encryption on these systems.

Part 3 (Chapters 14–18) covers computer networks, focusing specifically on the Internet. A bottom-up approach is used to describe computer networks, starting with the raw data transmitted on networks and progressively building up to the types of data that can be found on networked systems and the Internet. The "top" of a computer network consists of the software that people use, like e-mail and the Web. This upper region hides the underlying complexity of computer networks, so it is necessary to examine and understand that complexity to appreciate fully the information found at the top of the network. Understanding the "bottom" of networks, the physical media (e.g. copper and fiber optic cables) that carry data between computers, is also necessary to collect and analyze raw network traffic.

Part 4 of this book (Chapters 19–22) focuses on specific types of investigations starting with Computer Intrusions in Chapter 19. Tools and techniques specific to this type of investigation are presented and detailed case examples are used to demonstrate key points. Chapter 20 covers investigations of Cyberstalking. Chapter 21 details Sexual Predators on the Internet and Chapter 22 discusses computers as alibi.

Part 5 is a short segment that provides guidelines for handling and processing digital evidence. This text does not cover forensic image, video and audio analysis. For information about image/video/audio enhancement and other aspects of this kind of analysis, see Electronic Evidence by Gruber (Gruber 1995).

The Forensic Science concepts described early on in relation to a single computer are carried through to each layer of the Internet. Seeing concepts from Forensic Science applied in a variety of contexts will help the reader generalize the systematic approach to processing and analyzing digital evidence. Once generalized, this systematic approach can be applied to situations not specifically discussed in this text. In place of the CD-ROM in the first edition of this book, an interactive Web site (www.disclosedigital.com) provides practical exercises based on actual cases to demonstrate key aspects of investigating computer-related crimes and to help the reader apply the concepts in this book to his/her own investigations. This Web site epitomizes a general educational model that others can replicate or borrow from to create inexpensive, educational resources to assist investigators.




Digital Evidence and Computer Crime
Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
