WinHex 12.1.SR-4 serial key or number

Computer evidence

COMPUTER EVIDENCE: COLLECTION AND PRESERVATION, SECOND EDITION
CHRISTOPHER L. T. BROWN
Charles River Media
A part of Course Technology, Cengage Learning
Australia, Brazil, Japan, Korea, Mexico, Singapore, Spain, United Kingdom, United States


Computer Evidence: Collection and Preservation, Second Edition
Christopher L. T. Brown

Publisher and General Manager, Course Technology PTR: Stacy L. Hiquet
Associate Director of Marketing: Panella
Content Project Manager: Jessica McNavich
Marketing Manager: Mark Hughes
Editor: Heather Hurley
Copy Editor: Karen A. Gill
Technical Reviewer: Gary Kessler
Services Coordinator: Jen Blaney

© Course Technology, a part of Cengage Learning. ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section or of the United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support. For permission to use material from this text or product, submit all requests online at standardservices.com.pk. Further permissions questions can be e-mailed to permissionrequest@standardservices.com.pk.

ProDiscover Basic is copyright Technology Pathways. Maresware is copyright Mares and Company, LLC. WinHex is copyright X-Ways Software Technology AG. LANSurveyor is copyright Neon Software. CryptCat is copyright standardservices.com.pk. All other trademarks are the property of their respective owners.

your local office at: standardservices.com.pk. Cengage Learning products are represented in Canada by Nelson Education, Ltd. For your lifelong learning solutions, visit standardservices.com.pk. Visit our corporate Web site at standardservices.com.pk.

Printed in Canada
1 2 3 4 5 6 7 11 10 09


To Bobbie, Rudy, and Annie, who keep me on course and constantly remind me why life is such a joy.


Acknowledgments

In life we hardly ever go it alone. The same holds true when taking on writing projects such as Computer Evidence: Collection and Preservation, Second Edition. Many people, such as the technical and copy editors including Adam Speer, Leo Manning, Erin Kenneally, Gary Kessler, Karen Gill, and the Cengage Learning staff, have contributed significantly to the creation of this book. I would like to specifically call attention to and thank members of the High Technology Crime Investigation Association (HTCIA) and High Tech Crime Consortium (HTCC) List Servers for their support and mentoring over the years. This book could not have been created without their vast cumulative knowledge. I would also like to thank Alex Augustin for his years of support, and Steven Richardson and Ted Augustine for taking up the slack at Technology Pathways.


About the Author

Christopher L. T. Brown, CISSP, is the founder and CTO of Technology Pathways. He is the chief architect of the Technology Pathways ProDiscover family of security products. Prior to his position with Technology Pathways, Mr. Brown served in key technology positions at several companies including GlobalApp, Inc., CompuVision, Inc., and StoragePoint, Inc. He is retired from a career with the U.S. Navy, where he managed a large team of technicians working in the area of information warfare and network security operations.

In addition to his demanding duties as ProDiscover's chief architect, Mr. Brown teaches network security and computer forensics at the University of California at San Diego and has written numerous books on Windows, Security, the Internet, and forensics. He served as president of the San Diego HTCIA chapter in , first vice president in , second vice president in , and was the HTCIA International conference chair. He attended UCSD and holds numerous career certifications from (ISC)2, Microsoft, Cisco, CompTIA, and CITRIX.


Contents

Introduction
Part I Computer Forensics and Evidence Dynamics
1 Computer Forensics Essentials
  What Is Computer Forensics?
  Crime Scene Investigation
  Phases of Computer Forensics
  Collection
  Preservation
  Filtering
  Presentation
  Formalized Computer Forensics from the Start
  Who Performs Computer Forensics?
  Seizing Computer Evidence
  Challenges to Computer Evidence
  Summary
  References
  Resources
2 Rules of Evidence, Case Law, and Regulation
  Understanding Rules of Evidence
  Amendments to the FRCP
  Expert Witness (Scientific) Acceptance


  Testifying Tips: You Are the Expert
  Computer-Related Case Law
  Regulation
  Securities and Exchange Commission (SEC) Rule 17a-4 ()
  National Association of Securities Dealers (NASD) Rules and ()
  Sarbanes-Oxley Act ()
  Gramm-Leach-Bliley Act ()
  California Privacy Law: SB ()
  Health Insurance Portability and Accountability Act (HIPAA) (First Rule in Effect in )
  International Organization for Standardization (ISO) ()
  U.S.A. PATRIOT Act ()
  Personal Information Protection and Electronic Documents Act (PIPED) C-6 ()
  Summary
  References
  Resources
3 Evidence Dynamics
  Forces of Evidence Dynamics
  Human Forces
  Emergency Personnel
  Forensics Investigators
  Law Enforcement Personnel
  Victim
  Suspect
  Bystanders
  Natural Forces


  Equipment Forces
  Proper Tools and Procedures
  Summary
  References
  Resources
Part II Information Systems
4 Interview, Policy, and Audit
  Supporting and Corroborating Evidence
  Subject Interviews
  Policy Review
  Audit
  Executive Summary
  Recommendations
  Scope
  Host-Specific Findings
  War Dialing Results
  Conclusion
  Summary
  References
  Resources
5 Network Topology and Architecture
  Networking Concepts
  Types of Networks
  Physical Network Topology
  Network Cabling
  Wireless Networks
  Open Systems Interconnection (OSI) Model
  TCP/IP Addressing


  Diagramming Networks
  Summary
  References
  Resources
6 Volatile Data
  Types and Nature of Volatile Data
  Operating Systems
  Volatile Data in Routers and Appliances
  Volatile Data in Personal Devices
  Traditional Incident Response of Live Systems
  Understanding Windows Rootkits in Memory
  Accessing Volatile Data
  Summary
  References
Part III Data Storage Systems and Media
7 Physical Disk Technologies
  Physical Disk Characteristics
  Physical Disk Interfaces and Access Methods
  Logical Disk Addressing and Access
  Disk Features
  Summary
  References
  Resources
8 SAN, NAS, and RAID
  Disk Storage Expanded
  Redundant Array of Independent Disks
  Level 0


  Level 1
  Level 2
  Level 3
  Level 4
  Level 5
  Level 6
  Level 0+1
  Level 10
  Level 7
  RAID S
  JBOD
  Storage Area Networks
  Network-Attached Storage
  Storage Service Providers
  Summary
  References
  Resources
9 Removable Media
  Removable, Portable Storage Devices
  Tape Systems
  Full Backup
  Incremental Backup
  Differential Backup
  Optical Discs
  Removable Disks—Floppy and Rigid
  Flash Media
  Summary
  References
  Resources


Part IV Artifact Collection
10 Tools, Preparation, and Documentation
  Planning
  Boilerplates
  Hardware Tools
  Imagers and Write-Blocking
  Software Tools
  Forensics Application Suites (Tier I)
  Utilities and Other Applications (Tier II and Tier II—Repurposed)
  Tool Testing
  Documentation
  Summary
  References
  Resources
11 Collecting Volatile Data
  Benefits of Volatile-Data Collection
  A Blending of Incident Response and Forensics
  Building a Live Collection Disk
  Scenario 1: Using Utilities
  Scenario 2: Using Windows Tools
  Live Boot CD-ROMs
  Summary
  References
  Resources


12 Imaging Methodologies
  Approaches to Collection
  Bit-Stream Images
  Local Dead System Collection
  Verification, Testing, and Hashing
  Live and Remote Collection
  Summary
  References
  Resources
13 Large System Collection
  Defining a Large Collection
  Large System Imaging Methodologies
  Tying Together Dispersed Systems
  Risk-Sensitive Evidence Collection
  Summary
  References
14 Personal Portable Device Collection
  Seemingly Endless Device List
  Device Architectures
  Special Collection Considerations
  Mobile Phones
  Special-Purpose Personal Devices
  Summary
  References
  Resources


Part V Archiving and Maintaining Evidence
15 The Forensics Workstation
  The Basics
  Lab Workstations
  Portable Field Workstations
  Configuration Management
  Summary
  References
  Resources
16 The Forensics Lab
  Lab and Network Design
  Logical Design, Topology, and Operations
  Storage
  Lab Certifications
  Summary
  References
17 What’s Next
  Areas of Interest
  Collection
  Analysis
  Discovery
  Criminal
  Corporate
  Training, Knowledge, and Experience
  Computer Forensic Investigators Digest Listserv (CFID)
  Computer Forensics Tool Testing (CFTT)
  High Tech Crime Consortium (HTCC)


  Security Focus Forensics
  CCE
  CISSP
  SSCP
  GIAC
  CISA
  MCSE
  MCSD
  RHCE
  CCNA
  CCDA
  CompTIA
  Analysis and Reporting
  Methodologies
  Professional Advancement
  Summary
  References
  Resources
Part IV Computer Evidence Collection and Preservation Appendixes
A Sample Chain of Custody Form
B Evidence Collection Worksheet
C Evidence Access Worksheet
D Forensics Field Kit
E Hexadecimal Flags for Partition Types


F Forensics Tools for Digital Evidence Collection
  Software
  AccuBurn
  Autopsy Forensic Browser
  BitPim
  BlackBag MacQuisition CF
  Byte Back
  Device Seizure by Paraben
  dtSearch Desktop
  EnCase
  FIRE (Originally Named Biatchux)
  Forensics Tool Kit (FTK)—System Analysis Tool
  Foundstone
  Frank Heyne Software
  Helix
  ILook
  MaresWare Suite
  pdd
  ProDiscover Forensics, Investigator, and Incident Response
  SafeBack
  The Coroners Toolkit (TCT)
  Trinix
  Various Must-Have Utilities from Microsoft Sysinternals
  WinHex and X-Ways Forensics
  Hardware
  ACARD SCSI-to-IDE Write-Blocking Bridge (AECWP)
  CellDek
  CS Electronics
  DD /
  DIBS, Inc.


  standardservices.com.pker
  Fernico ZRT
  Forensic Recovery Evidence Device (FRED)
  Intelligent Computer Solutions, Inc.
  Kazeon
  MOBILedit
  NoWrite IDE Write-Blocker
  Portable Drive Service/Test/Dup by Corporate Systems
  Project-a-Phone
  Secure Kit for Forensics
  Solitaire Forensics by Logicube
  Stored IQ
  Tableau Imagers and Write-Blockers
  UFED (Universal Forensic Extraction Device) System
  WiebiTech
  ZERT by Netherlands Forensic Institute
  General Supplies
  CGM Security Solutions
  Chief Supply
G Agencies, Contacts, and Resources
  Agencies
  FBI Computer Analysis Response Team (CART)
  Internal Revenue Service
  National Aeronautics and Space Administration
  National Railroad Passenger Corporation (NRPC) (AMTRAK)
  Social Security Administration Office of Inspector General
  U.S. Customs Service’s Cyber Smuggling Center
  U.S. Department of Defense, Computer Forensics Laboratory


  U.S. Department of Defense, Office of Inspector General
  U.S. Department of Energy
  U.S. Department of Justice, Computer Crime Intellectual Property Section (CCIPS)
  U.S. Department of Justice Drug Enforcement Administration
  U.S. Department of Transportation
  U.S. Department of the Treasury
  U.S. Postal Inspection Service
  U.S. Secret Service
  Veterans Affairs
  Training Resources
  Canadian Police College
  Champlain College
  DoD Computer Investigations Training Program
  FBI Academy at Quantico
  Federal Law Enforcement Training Center
  Florida Association of Computer Crime Investigators, Inc.
  Forensic Association of Computer Technologists
  High Technology Crime Investigation Association (International)
  Institute of Police Technology and Management
  International Association for Computer Information Systems (IACIS)
  International Organization on Computer Evidence (IOCE)
  International System Security Association (ISSA)
  Getronics
  National Center for Forensic Science
  National Colloquium for Information Systems Security Education (NCISSE)


xviii Cotents National Criminal Justice Computer Laboratory and Training Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . National White Collar Crime Center (NW3C) . . . . . . . . . . . . . New Technologies, Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Purdue University—CERIAS (Center for Education and Research in Information and Assurance Security) . . . . . . Redlands Community College . . . . . . . . . . . . . . . . . . . . . . . . . University of New Haven . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . University of New Haven—California Campus . . . . . . . . . . . . Utica College—Economic Crime Institute . . . . . . . . . . . . . . . . Wisconsin Association of Computer Crime Investigators . . . Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . High Technology Crime Investigation Association (International) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . International Association for Computer Information Systems (IACIS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . International Information Systems Forensics Association (IISFA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . International Systems Security Association (ISSA) . . . . . . . . High Tech Crime Consortium . . . . . . . . . . . . . . . . . . . . . . . . . . Florida Association of Computer Crime Investigators, Inc. . . Forensic Association of Computer Technologists . . . . . . . . . . State Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alabama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alaska . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Arizona . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Arkansas . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . California . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Colorado . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Connecticut . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


Contents xixDelaware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . District of Columbia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Florida . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Georgia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hawaii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Idaho . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Illinois . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Indiana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Iowa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Kansas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Kentucky . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Louisiana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Maine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Maryland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Massachusetts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michigan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Minnesota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mississippi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Missouri . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Montana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nebraska . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . Nevada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . New Hampshire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . New Jersey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . New Mexico . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . New York . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . North Carolina . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . North Dakota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ohio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Oklahoma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


xx Contents Oregon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Pennsylvania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rhode Island . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . South Carolina . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tennessee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Texas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Utah . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Vermont . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Virginia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Washington . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . West Virginia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wisconsin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wyoming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Computer Crime and Intellectual Property Section (CCIPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Criminal Justice Resources—Michigan State University Libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . High Technology NewsBits . . . . . . . . . . . . . . . . . . . . . . . . . . . . InfoSec News . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Discussion List Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Computer Forensic Investigators Digest Listserv (CFID) . . . . Computer Forensics Tool Testing (CFTT) . . . . . . . . . . 
. . . . . . High Tech Crime Consortium (HTCC) . . . . . . . . . . . . . . . . . . . Security Focus Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Journals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Digital Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . International Journal of Digital Crime and Forensics . . . . . . . International Journal of Digital Evidence (IJDE) . . . . . . . . . . . Journal of Digital Forensic Practice . . . . . . . . . . . . . . . . . . . . .


Contents xxi Journal of Digital Forensics, Security and Law . . . . . . . . . . . . Small Scale Digital Device Forensics Journal (SSDDFJ) . . . . . H Cisco Router Command Cheat Sheet . . . . . . . . . . . . . . . . . . . . . Using the Cisco Wildcard Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . Packet Filtering on Cisco Routers . . . . . . . . . . . . . . . . . . . . . . . . . . List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I About the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CD-ROM Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


Introduction

Welcome to the second edition of Computer Evidence: Collection and Preservation. A lot has happened in the three years since our first edition. As always, technology is moving at a breakneck pace, with constant innovation in current interface design and storage methods as well as new ones altogether. The U.S. legal system has introduced new Federal Rules of Civil Procedure (FRCP) that directly address digital discovery, with new case precedence already surfacing. In , the American Academy of Forensic Sciences (AAFS) announced the formation of the Digital and Multimedia Sciences (DMS) section, the first new forensics science section in 28 years. New tools and methodologies continue to be developed and refined. An increase in dialogue between peers and professional organizations continues to improve the overall health and advancement of the profession.

With all these changes, many readers may expect a completely new manuscript, throwing out what was learned in the first edition. However, this couldn’t be further from the truth. Although there have been several changes, computer forensics and digital investigation are still grounded in the same principles. Rest assured that there is much to learn, but previous studies are never wasted. In this second edition of Computer Evidence: Collection and Preservation, investigators will find the same guiding principles of the computer forensics process and how they apply to advancements in technology, as well as changes in the U.S. legal system.

As computers and data systems continue to evolve, they expand into every facet of our personal and business lives. Never before has our society been so information and technology driven. Because computers, data communications, and data storage devices have become ubiquitous, few crimes or civil disputes do not involve them in some way.

Many books and formal training programs are continuing to emerge that teach computer forensics for law enforcement and the private sector alike. The 50,foot view of the computer forensics process includes four phases: collection, preservation, filtering, and presentation. Because the four phases of computer forensics cover such a broad area, books and courses that try to address each area usually relegate evidence collection to its simplest form—disk imaging—leaving all but the most basic questions unanswered. Because of that gap, this book intends to focus on the first two phases of computer forensics, which include initial critical tasks of identifying, collecting, and maintaining digital artifacts for admission as evidence.

The first two phases of computer forensics are the most critical to evidence acceptance, yet they are often given narrow coverage by texts and courses to make room for the extensive coverage needed by the filtering phase. The filtering phase describes the methodologies that computer forensics examiners use to filter out unwanted information from each platform type or, more accurately, filter in any potential evidence. The filtering and analysis of digital evidence has been extensively covered in other sources. By focusing on the first two phases of the computer forensics process, this book allows for a more thorough coverage of the topic and provides solid grounding for investigators as they seek knowledge and skills related to the second two phases.

Evidence dynamics falls in the collection and preservation phases of computer forensics and can be described as any force that affects evidence. An example of evidence dynamics is found in the simple act of a computer forensics investigator shutting down a suspect’s computer. This seemingly innocent act changes the state of the computer as well as many of its files, which could be critical to the investigation. Almost 50 files are changed in some way on each boot of a Windows XP operating system, and 5 or more new files are created. Considering that these metrics increase with each new operating system release, the results are only expected to compound with the Microsoft Vista and Windows 7 operating systems. Backup tapes deteriorating over time is another effect of evidence dynamics.

An understanding of evidence dynamics is essential to law enforcement and computer forensics investigators when collecting evidence. This book uses evidence dynamics at the center of its approach to show the forces that act on data during evidence identification, collection, and storage. By placing specific focus on how the investigator and tools are interacting with digital evidence, this book helps guide the computer forensics investigator toward assurance of case integrity during the initial crucial phases of the computer forensics

AUDIENCE

This book is intended for use by law enforcement, system administrators, information technology security professionals, legal professionals, and students of computer forensics. Essentially anyone who could become involved in the collection and maintenance of computer evidence for court will benefit from this book.


ORGANIZATION OF THIS BOOK

Computer Evidence: Collection and Preservation, Second Edition is presented in 6 parts containing a total of 17 chapters and 9 appendixes. All chapters have been updated, and one chapter has been added to reflect changes within the industry and

Part I: Computer Forensics and Evidence Dynamics

This part includes three chapters that provide the groundwork for an understanding of what computer forensics is in the context of this book and our approach to collection of digital evidence.

Chapter 1, “Computer Forensics Essentials,” introduces you to the essential elements of computer forensics. Specific attention is paid to ensure you’re provided with a contextual understanding of computer forensics in general as well as the specific phases of computer forensics covered in this book.

Chapter 2, “Rules of Evidence, Case Law, and Regulation,” discusses rules of evidence, existing computer-related case law, and regulation as a basis of understanding the nature of computer evidence in court. The admission of digital scientific evidence is covered in this chapter.

Chapter 3, “Evidence Dynamics,” explains human and environmental factors that are key evidence dynamic

Part II: Information Systems

In this part, three chapters are provided explaining methods in which organizations implement information technology. Understanding how organizations implement information technology solutions is a key component to identifying potential evidence.

Chapter 4, “Interview, Policy, and Audit,” presents the key components to knowing where data can be found within an organization’s infrastructure. This chapter explains essential interview questions to ask and the importance of existing policies and audit.

Chapter 5, “Network Topology and Architecture,” explains the diversity of an organization’s information architecture. It discusses how the network topology can affect the location and accessibility of potentially critical evidence.

Chapter 6, “Volatile Data,” examines the volatility of digital data in physical memory and storage. Differing types of volatile physical memory, including personal devices such as personal digital assistants (PDAs) and cell phones, are discussed.

Part III: Data Storage Systems and Media

The primary focus of many computer forensics investigations is the extraction of digital evidence on disk. In Part III, we examine differing media technologies and file systems used to store data.

Chapter 7, “Physical Disk Technologies,” explains the key components of the Integrated Drive Electronics (IDE), Enhanced IDE (EIDE), and Small Computer System Interface (SCSI) standards as they pertain to evidence collection.

Chapter 8, “SAN, NAS, and RAID,” describes advanced physical storage methods in use today. This information is essential to any forensics investigator involved in the collection of digital data on corporate disks.

Chapter 9, “Removable Media,” examines some of the many types and formats of removable media, including flash cards and optical

Part IV: Artifact Collection

The methods employed for the collection of computer evidence can be one of the most highly scrutinized areas of the computer forensics process. It is essential that investigators use tested and proven methodologies. Part IV offers detailed procedures for artifact collection.

Chapter 10, “Tools, Preparation, and Documentation,” is one of the most important components of any computer forensics investigation. This chapter provides tools, methods, and forms for keeping investigations on track.

Chapter 11, “Collecting Volatile Data,” shows how volatile data can be difficult to capture in a forensically sound fashion. This chapter supplies proven tools and methods for capturing volatile data from systems.

Chapter 12, “Imaging Methodologies,” describes how methods used in computer forensics can be as varied as the systems that are being imaged. This chapter presents the many approaches and tools used for imaging disk media. It also discusses which methods are indicated for specific situations.

Chapter 13, “Large System Collection,” shows how the collection of evidence from large computer systems can be challenging to any investigator. In even the smallest of organizations, more than a terabyte of data is often present. This chapter examines methods for large systems collection and management.

Chapter 14, “Personal Portable Device Collection,” discusses one of the most rapidly changing areas of interest to investigators. It focuses on the special attention and unique methodologies employed by investigators.


Civil penalties are identified as $ per violation, with up to $25, per person per year for each requirement or prohibition violated. Congress also established criminal penalties for knowingly violating patient privacy. These criminal penalties are broken into three areas depending on the type of violation or intended use of compromised data. The three criminal penalty areas follow:

  Up to $50, and one year in prison for obtaining or disclosing protected health information
  Up to $, and up to five years in prison for obtaining protected health information under “false pretenses”
  Up to $, and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm

HIPAA is one of the most detailed and comprehensive pieces of data-security legislation ever enacted. HIPAA requires mandatory review of all systems, including a risk analysis to determine methods for securing patient information. Continued process improvement and audit are also components of

International Organization for Standardization (ISO) ()

ISO originated in the United Kingdom as the British Standard for Information Security , often referred to as BS. The international flavor of ISO makes it well suited for multinational organizations that desire a comprehensive information technology security framework. Many insurance companies use adherence to standards set forth in ISO as a requirement for Cyber-Liability Insurance. ISO is organized into the following 10 sections:

  Business Continuity Planning
  System Access Control
  System Development and Maintenance
  Physical and Environmental Security
  Compliance
  Personnel Security
  Security Organization
  Computer and Operations Management
  Asset Classification and Control
  Security Policy


Although no penalties apply for international organizations that do not implement the ISO standard, becoming ISO certified can be a key element in a company’s ability to prove it is adhering to industry standard “best practices” regarding data security.

U.S.A. PATRIOT Act ()

Created as a tool to identify and stop terrorism and any source of funding for terrorism, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (U.S.A. PATRIOT) Act expands already existing acts, such as the Bank Secrecy Act and the Foreign Intelligence Secrecy Act. Purely from a regulatory stance, the act requires banking institutions to report any suspicious activity, including money transfers. In the context of the PATRIOT Act, a financial institution can include insurance companies; investment companies; loan and finance companies; dealers in precious metals, stones, or jewels; vehicle sales; persons involved in real estate closings and settlements; and so on. From a compliance standpoint, financial institutions must take the following steps to assist in anti-money laundering:

  Develop internal policies, procedures, and controls
  Designate a compliance officer
  Provide ongoing employee training
  Provide an independent audit to test programs

In accordance with the PATRIOT Act, financial institutions included in the broad definition must report any suspected money laundering activity to the U.S. Department of the Treasury. An institution’s failure to comply with the U.S.A. PATRIOT Act could bring civil penalties for aiding in money laundering that are not less than two times the amount of the transaction and not more than $1,,. The criminal penalties for aiding in money laundering are not less than two times the amount of the transaction and not more than $1,,.

Personal Information Protection and Electronic Documents Act (PIPED) C-6 ()

PIPED C-6 is a Canadian law similar to the Gramm-Leach-Bliley Act in the United States. PIPED C-6 applies to international transportation, airports, telecommunications, radio and television broadcasts, banks, or any entity that is identified as “any work, undertaking, or business that is under the legislative authority of Parliament.” PIPED C-6 is simply intended to protect collected personal data from unauthorized use. All affected entities are provided by PIPED C-6 with the following 10 responsibilities:

  Be accountable for compliance.
  Identify the purpose of collecting data.
  Obtain consent from the individual.
  Limit collection of data to that which is needed.
  Limit use, disclosure, and retention of data.
  Be accurate with the data.
  Use appropriate safeguards to protect the data.
  Be open about your use of the data.
  Give individuals access to their data.
  Provide recourse when you have incorrect data or data is used incorrectly.

Penalties for noncompliance with PIPED C-6 can include a fine not exceeding $10, or a fine not exceeding $, depending on the type of offense.

Table , which was adapted from the Non-Compliant Impact Table, summarizes computer data–related legislation discussed in this


U.S.A. PATRIOT Act | Broad definition of financial institutions within the United States | Laws require information disclosure to help protect against money laundering for terrorism | Fines and imprisonment
PIPED C-6 | Any business under legislative authority of Parliament | Laws require information disclosure to help protect against terrorism or compromise of personal information | Fines up to $,

© Security Forensics, Inc. Reprinted with permission.

Although industry-specific regulation regarding information security and data handling is not completely new, regulation is increasing. Only corporate responsibility as it relates to protection of data, coupled with clearly stated industry guidelines, will reduce legislative desire to regulate. Computer forensic investigators can benefit from regulatory understanding as it relates to potential evidence availability and location.


SUMMARY

  The FRE, the California Evidence Code of , and the IBA Rules of Taking Evidence in International Commercial Arbitration are all documents governing the acceptance of evidence in
  Rule 34 of the FRCP allows for data to be translated into a reasonable form,
  The best evidence rule states that “to prove the content of a writing, recording, or photograph, the ‘original’ writing, recording, or photograph is ordinarily required.”
  The FRE states that “if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’”
  The FRE even goes so far as to permit summaries of large volumes of evidence in the form of “a chart, summary, or calculation” in warranted
  amendments to the FRCP went into effect in
  Since , judges have used the simple scientific reliability tests established in Frye v. U.S. [DcCir01].
  In Daubert v. Merrell-Dow [Us01], the U.S. Supreme Court rejected the Frye tests for the admissibility of scientific
  new tests added in the Daubert decision are “Has the scientific theory or technique been empirically tested?” and “What are the known or potential error rates?”
  An “expert” in any field can be defined as one who has “special knowledge, skill, experience, training, or education” on a particular
  The key to any type of questioning is to pay close attention to the question, take time answering the question, and ask the attorney to repeat or clarify the question, if
  The U.S.A. PATRIOT Act was created as a tool to identify and stop terrorism and any source of funding for terrorism.
  rule 17a-4 requires that U.S. publicly traded companies archive all customer communications and billing information for a period of six
  The case Simon Prop. Group v. mySimon Inc. highlighted that the discovery of computer records included any deleted documents that were recoverable.


REFERENCES

[Amex01] American Express Travel Related Services v. Vinhnee, B.R. (U.S. Bankruptcy Appellate Panel, 9th Cir. ).
[Ca01] California Evidence Code, State of California, January 1,
[DcCir01] Frye v. U.S., F (D.C. Cir. ).
[Doj01] U.S. Department of Justice, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations,
[FifthCir01] Capital Marine Supply v. M/V Roland Thomas II, F.2d , (5th Cir. ).
[Frcp01] Federal Rules of Civil Procedure, U.S. Department of Justice,
[Fre01] Federal Rules of Evidence, U.S. Department of Justice,
[Iba01] IBA Rules of Taking Evidence in International Commercial Arbitration, International Bar Association Council,
[Ill01] People v. Holowko, N.E.2d , – (Ill. ).
[Kumho01] Kumho Tire v. Carmichael (), U.S. , F.3d reversed ().
[Lorraine01] Lorraine v. Markel American Ins. Co., F.R.D. , (D. Md. ),
[NinthCir01] U.S. v. Catabran, F.2d , (9th Cir. ).
[NinthCir02] U.S. v. DeGeorgia, F.2d , n (9th Cir. ).
[Oconnor01] O’Connor, T.R., Admissibility of Scientific Evidence under Daubert,
[Ohio01] Ohio v. Michael J. Morris, Court of Appeals of Ohio, Ninth District, Wayne County, No. 04CA, Feb. 16,
[Secfor01] Security Forensics, Inc.,
[SeventhCir01] U.S. v. Whitaker, F.3d , (7th Cir. ).
[SoxAct01] One Hundred Seventh Congress of the United States of America, Sarbanes-Oxley Act of ,
[Un01] International Criminal Tribunal for Rwanda, Rules of Procedure and Evidence. U.N. Doc. ITR/3/REV.1,
[Us01] Daubert v. Merrell-Dow, U.S. ().
[Warren01] “A Preliminary Report on the Advisability and Feasibility of Developing Uniform Rules of Evidence for the United States District Courts,” 30 F.R.D. 73,

RESOURCES

[Best01] Best, Richard E., Civil Discovery Law Discovery of Electronic Data,
[Giannelli01] Giannelli, Paul C., Understanding Evidence, LexisNexis,
[Morgester01] Morgester, Robert M., Survival Checklist for Forensic Experts, unpublished,
[Sedona01] The Sedona Principles: Best Practices Recommendations & Principles for Addressing Electronic Document Production, Sedona Conference Working Group,




Chapter 3: Evidence Dynamics

In This Chapter
  Forces of Evidence Dynamics
  Human Forces
  Natural Forces
  Equipment Forces
  Proper Tools and Procedures


FORCES OF EVIDENCE DYNAMICS

In Chapter 1, “Computer Forensics Essentials,” the importance of Locard’s exchange principle was introduced in its relationship to crime scene investigation. Remember that Locard’s exchange principle is simply a way to describe two objects interacting and the resulting exchange. This basic concept can be further extended to describe the concept of evidence dynamics, covered in this chapter. Locard’s exchange principle states that when any two objects come into contact, there is always transference of material from each object onto the other. This exchange is illustrated in Figure. Operating system logs recording hacker, investigator, or user actions and data left on hard disks in unallocated sectors are just a few examples of Locard’s principle of transfer theory in action.

FIGURE Locard’s exchange principle.

Evidence dynamics is a way to describe and understand the forces that can act on evidence and the subsequent effects of the action. Because so many things can act on digital evidence and, as Locard’s principle explains, the action will almost undoubtedly result in some effect or change on the evidence, it is essential for forensics investigators to be cognizant of evidence dynamics at all times. Evidence dynamics can be broken down into human and natural forces that may be directly involved or incidental to the crime or investigation. This chapter will explore each of these high-level forces in

HUMAN FORCES

As in humans, the forces that act on digital evidence from humans come in all shapes and sizes and can affect evidence in various ways. Remember that forensics investigators are included in the human force of evidence dynamics. A common scenario used to describe the human effects on evidence in crime scene processing is that of the emergency medical technician (EMT) at the scene of a murder. The EMT attempts to save the life of a gunshot-wound victim, who later dies. The EMT most likely leaves footprints all around the victim’s body. The EMT also may have moved items in the immediately surrounding area in an effort to save the victim’s life. In both these situations, evidence that may be vital to the case could have been destroyed or, at the very least, affected in some way. Examples of humans who may act on digital evidence follow:

  Emergency personnel
  Forensics investigators
  Law enforcement personnel
  Victims
  Suspects
  Bystanders

Although our primary focus is computer forensics, the previously listed human forces can act on all forms of evidence in many ways. Computer forensics investigators should keep in mind that theirs may not be the only evidence being collected, and the interweaving of several forensics disciplines may be required. In some situations, fingerprints or other trace evidence may need to be collected from a computer system that is being seized. Investigators should approach every crime scene as if other evidence will require collection, limiting their interaction as much as possible.


Refocusing on the human effects on digital evidence, let’s take a closer look at our examples.

Emergency Personnel

As previously stated, these first responders can easily affect a crime scene with their actions. Rightly so, EMTs can be very focused on their lifesaving efforts and exhibit varying levels of understanding related to evidence collection and contamination. The first way in which EMTs can impinge on computer evidence is by moving evidence to accommodate lifesaving equipment and efforts. This type of action normally influences related forensics disciplines such as fingerprint collection, but it can also directly influence digital evidence if a system or systems are turned off. How a computer system is shut down can greatly affect digital evidence through the loss of volatile data in physical memory and the changing or deletion of files. The topic of computer shutdown will be covered in greater detail later when we discuss forensics investigators as the force that acts on evidence.

Forensics Investigators

Forensics investigators are arguably the force that can have the greatest effect on digital evidence, considering that they are focused directly on the computer or digital media. The major effect that forensic investigators can cause is the possible loss of volatile data in physical memory when live systems are shut down. The method of shutdown is an often-debated topic when discussing computer forensics–related evidence dynamics, not only because of the potential loss of volatile data but because varying methods of shutdown can lead to vastly differing results in changes to digital data on disk. The potential loss of volatile data can be mitigated through collecting a snapshot of physical memory prior to shutdown. Investigators should keep in mind the golden rule of evidence dynamics: be the least intrusive possible.

Often, investigators use the term nonintrusive when describing their actions or tools when interacting with digital data. When looking at the basic scientific principle that “the act of observing something in fact changes it,” investigators quickly come to the understanding that least intrusive actions should be the goal. Even when hardware write-blocking devices are employed and software is proven not to write to digital media on disks, the act of turning a disk platter and friction of read heads against sectors changes the physical properties, however slightly. Again, we see Locard’s principle in action.


Another way to avoid the risk of potential loss of volatile data is to accept that either there was no compelling reason for its capture or the capture process would be unacceptably intrusive and therefore do nothing. However, once a decision has been made and after the potential loss of volatile data has been avoided, computer forensics investigators should consider how the system is to be shut down.

Some feel that pulling the power cord is the best alternative to a normal systematic shutdown, but each method interacts differently; thus, the resulting change to evidence is different. In every case, the investigator needs to make an informed decision based on the evidence-changing characteristics of the shutdown method and the situational environment. Of course, the decision of which shutdown method to use is normally an easy one if the system is off; leave it that way when seizing the entire computer. Some high-level evidence-changing characteristics are displayed in Table.

Table 3.


A common argument made for pulling the plug is the possibility of potentially destructive processes being launched during the shutdown process. The urban lore is that a hacker could have created and installed a script to delete evidence. The destructive script would be executed during shutdown if the person shutting down the computer does not use the proper bypass procedure known only by the owner. Although this approach is valid conceptually, permanently destroying large amounts of data on a magnetic disk can be time consuming due to the process most applications use to delete files securely.

When most operating systems receive a request to delete a file, they simply remove the file’s name from the root directory shown to users. The underlying sectors of data are still present on disk. To securely delete data from a hard disk, applications are written that repeatedly write data to the area where the file once resided. The U.S. Department of Defense has written a clearing and sanitizing standard, DOD M, which addresses the issues surrounding secure deletion of digital data.

Another often-discussed alternative for automated destruction of evidence is to create and install an application that would automatically delete evidence if network connections were lost. Sensing the loss of network connections is often referred to as a dead man’s switch. Hypothetically, hackers could use the dead man’s switch approach to automatically delete trace evidence of their applications and actions on a machine if someone detected their presence on a system and immediately removed the suspect system from the network.

When encryption is being used on a live system and the files or encrypted volumes are mounted, it is often necessary to collect evidence through a live extraction process to collect the files in an unencrypted state. Live collection is described in later chapters.

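The difference between an ordinary delete and an overwriting delete, described above, can be seen on a toy in-memory disk. This is an added example, not material from the book; the class, sector size, file names, file contents and overwrite patterns are all assumptions constructed for illustration.

```python
SECTOR = 32  # bytes per sector on this toy disk (assumed value)

class ToyDisk:
    def __init__(self, sectors=16):
        self.data = bytearray(sectors * SECTOR)  # raw sector contents
        self.allocated = [False] * sectors       # allocation bitmap
        self.directory = {}                      # file name -> sector numbers

    def write_file(self, name, content):
        needed = -(-len(content) // SECTOR)      # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("toy disk full")
        for n, sec in enumerate(free):
            chunk = content[n * SECTOR:(n + 1) * SECTOR].ljust(SECTOR, b"\x00")
            self.data[sec * SECTOR:(sec + 1) * SECTOR] = chunk
            self.allocated[sec] = True
        self.directory[name] = free

    def delete(self, name):
        """Ordinary delete: drop the directory entry, leave the sectors as they are."""
        for sec in self.directory.pop(name):
            self.allocated[sec] = False

    def secure_delete(self, name, patterns=(0x00, 0xFF, 0x00)):
        """Overwrite each sector of the file once per pattern, then unlink it."""
        for value in patterns:                   # illustrative patterns, not a standard's
            for sec in self.directory[name]:
                self.data[sec * SECTOR:(sec + 1) * SECTOR] = bytes([value]) * SECTOR
        self.delete(name)

    def carve_unallocated(self, marker):
        """Examiner's view: unallocated sectors that still contain `marker`."""
        return [sec for sec, used in enumerate(self.allocated)
                if not used and marker in self.data[sec * SECTOR:(sec + 1) * SECTOR]]

def demo():
    disk = ToyDisk()
    disk.write_file("notes.txt", b"meet at pier 9 " * 4)       # constructed content
    disk.write_file("ledger.txt", b"acct 0000 transfer " * 3)  # constructed content
    disk.delete("notes.txt")          # name disappears, data stays
    disk.secure_delete("ledger.txt")  # data overwritten before the name disappears
    return {
        "listing": sorted(disk.directory),
        "notes_residue": disk.carve_unallocated(b"pier 9"),
        "ledger_residue": disk.carve_unallocated(b"transfer"),
    }

if __name__ == "__main__":
    print(demo())
```

Both files vanish from the directory listing, but only the ordinarily deleted one is still readable in unallocated sectors. The overwrite loop touches every sector of the file once per pass, which is why large-scale secure deletion takes time.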
One of the most common arguments made for an orderly shutdown is that investigators have a greater chance of filesystem and individual file integrity after the shutdown. Some standard operating system shutdown procedures are shown in Table


Table Operating System Shutdown Commands

| Operating System | Shutdown Command |
| --- | --- |
| Windows | Click File, Exit |
| Win95/98////Me/XP/Vista* | Click Start, Shutdown, Yes or Start, lock icon, Shutdown (in classic interface mode) |
| Windows NT | Click File, Shutdown |
| Windows NT | Click Start, Shutdown, Yes |
| Novell | At server prompt, press Alt+Esc+down arrow. At user/client, click Syscon and then Exit |
| Macintosh | Click Special, Shutdown |
| OS/2 | Right-click, and then click Shutdown |
| SCO Unix | Type shutdown -y -g0 |
| AIX Unix | Type shutdown -f |
| Sun Solaris | Type shutdown now |
| Linux | Type shutdown -h now (Also press Ctrl+Alt+Delete in many versions) |
| ASL | Type pwrdwnsys *immed |
| DEC VAX/Alpha VMS | Type @sys$system:shutdown |

*Microsoft Vista shutdown buttons are highly customizable. Investigators should check the pop-up help on all shutdown buttons.

The arguments for and against pulling the plug during system shutdown can both be compelling, but only the individual situation can dictate an investigator’s actions. In each case, it is essential that the investigator think about the results of his actions and balance the risks. Clearly, the human forces acting on evidence created by investigator actions are forces over which the investigator has the most control.


Law Enforcement Personnel

All law enforcement personnel have a basic understanding of crime scene processing, but may lack technical understanding of how they are interacting with digital computer evidence. Most investigators identify that the human factors of evidence dynamics can overlap. Although this fact is certainly true, the law enforcement factors of evidence dynamics usually focus on the “first responder” components of evidence dynamics, which include incidental contact with potential digital evidence. The forensics investigator forces are closely associated with their own direct and interactive contact with potential digital evidence.

To assist law enforcement personnel who do not have a day-to-day understanding of digital evidence collection, the National Institute of Justice produced the handbook Electronic Crime Scene Investigation: A Guide for First Responders. [Nij01] The handbook was developed by a multiagency working group called the Technical Working Group for Electronic Crime Scene Investigation. Although the guide was developed for first responders, it provides information useful for any computer forensics investigator. Focusing on law enforcement as first responder, the factors of evidence dynamics can be broken down into areas of preservation, identification, and collection.

Preservation

Preservation forces can include issues similar to those of emergency personnel, where the interaction with potential digital evidence was incidental to serving a warrant, interviewing suspects and victims, or performing other law enforcement procedures. A key focus for law enforcement should be to gain an understanding of the fragile nature of digital evidence and how to avoid excess interaction if it is not required.

Even if general law enforcement personnel are not going to be involved in the identification and collection, or bag and tag, of digital evidence, they should at least be trained in its identification and characterization. By understanding how to identify the potential sources of digital data, law enforcement personnel can help to preserve potential evidence. One of the cardinal rules for first responders should be this: If you see a computer and it’s on, leave it on; if the computer is off, leave it off. Following this rule eliminates the many additions, deletions, and changes to a computer filesystem during the startup and shutdown process. Other incidental interaction forces often occur when collecting evidence such as pagers, phones, and personal digital assistants (PDAs). Although many law enforcement personnel are beginning to realize the wealth of data contained in these devices, many may not



16th International Conference on Information Technology-New Generations (ITNG )

Introduction

This 16th International Conference on Information Technology - New Generations (ITNG), continues an annual event focusing on state of the art technologies pertaining to digital information and communications. The applications of advanced information technology to such domains as astronomy, biology, education, geosciences, security and health care are among topics of relevance to ITNG. Visionary ideas, theoretical and experimental results, as well as prototypes, designs, and tools that help the information readily flow to the user are of special interest. Machine Learning, Robotics, High Performance Computing, and Innovative Methods of Computing are examples of related topics. The conference features keynote speakers, the best student award, poster award, service award, a technical open panel, and workshops/exhibits from industry, government and academia.

Keywords

ITNG, Information Technology, Machine Learning, Communications, Web Technology, Computer Architecture, Data Mining, e-Learning

Editors and affiliations

  1. Department of Electrical and Computer Engineering, University of Nevada, Las Vegas, USA

Bibliographic information

  • Copyright Information: Springer Nature Switzerland AG
  • Publisher Name: Springer, Cham
  • eBook Packages: Engineering, Engineering (R0)