List of Tables


Chapter 3: Technology and Law

Table 3.1: Summary of the Computer Fraud and Abuse Act of 1986.

Chapter 7: Digital Evidence in the Courtroom

Table 7.1: A proposed scale for categorizing levels of certainty in digital evidence.

Chapter 8: Computer Basics for Digital Investigators

Table 8.1: ASCII and hexadecimal values of some capital case letters.
Table 8.2: Segment of a Word document shown in hexadecimal and ASCII format.
Table 8.3: Viewing two tcpdump files created on Intel-based and Sun systems shows the difference between little- and big-endian representations of the same UNIX date (in bold).

Chapter 9: Applying Forensic Science to Computers

Table 9.1: Two files on a Windows machine that differ by only one letter have significantly different MD5 values.
Table 9.2: Advantages and disadvantages of the three collection options described in Section 9.4.2.
Table 9.3: Header of a JPEG file viewed in hexadecimal (left) and ASCII (right) showing the signature "JFIF".
Table 9.4: Headers of Netscape history databases from different systems.
Table 9.5: User account (know) and group (grp13) information preserved in a TAR file.
Table 9.6: Relationships between evidence and its source.
Table 9.7: Timeline of activities on victim's computer shows e-mail correspondences, online chat sessions, deleted files, Web searching for maps, and online travel plans.
Table 9.8: Grid showing e-mail message sent by a suspect over several months to several members of a criminal group.

Chapter 10: Forensic Examination of Windows Systems

Table 10.1: Windows NT Event Logs.
Table 10.2: Date-time stamp behavior on FAT and NTFS file systems.

Chapter 11: Forensic Examination of Unix Systems

Table 11.1: Utilities from The Coroner's Toolkit being used to access a hard drive directly, illustrating the previewing capabilities of many UNIX-based tools.
Table 11.2: Date-time stamp behavior on UNIX.

Chapter 12: Forensic Examination of Macintosh Systems

Table 12.1: Date-time stamp behavior on MacOS 9.

Chapter 13: Forensic Examination of Handheld Devices

Table 13.1: PDB format.
Table 13.2: Feature comparison of tools for processing Palm OS devices.
Table 13.3: Memory sizes detected by each tool.

Chapter 14: Network Basics for Digital Investigators

Table 14.1: Examples of log files and active state data relating to various networked systems.

Chapter 15: Applying Forensic Science to Networks

Table 15.1: Sample chart created in preparation for acquiring digital evidence from a small corporate network.
Table 15.2: Connections between hosts, ordered by total number of application bytes transferred. Data extracted from tcpdump file (available on book Web site) using Argus "ramon -c -A -M Matrix". The same summary can be obtained using the NetIntercept "Traffic Load" report (available on the Web site).
Table 15.3: Communication between hosts, ordered by number of connections. Data extracted from tcpdump file using the NetIntercept "Top N" report (available on book Web site).

Chapter 16: Digital Evidence on Physical and Data-Link Layers

Table 16.1: Different types of Ethernet.
Table 16.2: An IEEE 802.3 standard Ethernet frame (shaded) encapsulating an IP packet.
Table 16.3: MAC addresses of different manufacturers.
Table 16.4: Breakdown of an Ethernet frame in hexadecimal.

Chapter 17: Digital Evidence at the Network and Transport Layers

Table 17.1: IP address classes.
Table 17.2: Log files on various types of UNIX.

Chapter 19: Investigating Computer Intrusions

Table 19.1: Different attack methods. (Dunne, Long, Casey 2000)
Table 19.2: Comparison of features in arson and computer crime.
Table 19.3: Comparison of crime scene characteristics in arson and computer intrusions where "cwd" refers to the current working directory of a process (where it was started).




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
