9781422273418
Digital Forensics: Investigating Data

• Crime Scene: Collecting Physical Evidence
• Digital Forensics: Investigating Data
• DNA Profiling: Linking the Suspect to the Evidence
• Forensic Anthropology: Identifying Human Remains
• Forensic Chemistry: Detecting Drugs and Poisons
• Forensic Psychology: Probing the Criminal Mind
• Impression Evidence: Identifying Fingerprints, Bite Marks, and Tire Treads
• Pathology: Examining the Body for Clues
By Amy Sterling Casil
MASON CREST PHILADELPHIA | MIAMI
Mason Crest PO Box 221876, Hollywood, FL 33022 (866) MCP-BOOK (toll-free) • www.masoncrest.com
Copyright © 2022 by Mason Crest, an imprint of National Highlights, Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, taping, or any information storage and retrieval system, without permission in writing from the publisher. Printed in the United States of America First printing 9 8 7 6 5 4 3 2 1 Series ISBN: 978-1-4222-4464-7 Hardcover ISBN: 978-1-4222-4466-1 ebook ISBN: 978-1-4222-7341-8 Cataloging-in-Publication Data on file with the Library of Congress
Developed and Produced by Print Matters Productions, Inc. Cover and Interior Design by Torque Advertising+Design
Publisher’s Note: Websites listed in this book were active at the time of publication. The publisher is not responsible for websites that have changed their address or discontinued operation since the date of publication. The publisher reviews and updates the websites each time the book is reprinted.
QR CODES AND LINKS TO THIRD-PARTY CONTENT You may gain access to certain third-party content (“Third-Party Sites”) by scanning and using the QR Codes that appear in this publication (the “QR Codes”). We do not operate or control in any respect any information, products, or services on such Third-Party Sites linked to by us via the QR Codes included in this publication, and we assume no responsibility for any materials you may access using the QR Codes. Your use of the QR Codes may be subject to terms, limitations, or restrictions set forth in the applicable terms of use or otherwise established by the owners of the Third-Party Sites. Our linking to such Third-Party Sites via the QR Codes does not imply an endorsement or sponsorship of such Third-Party Sites or the information, products, or services offered on or through the Third-Party Sites, nor does it imply an endorsement or sponsorship of this publication by the owners of such Third-Party Sites.
Introduction: Digital Forensics: Fast-Growing Future Career
Chapter 1: The Beginning of Digital Forensics
Chapter 2: Investigating Operating and File Systems
Chapter 3: Investigating Digital Applications
Chapter 4: Social Media and Mobile Forensics
Chapter 5: Emerging Technologies and the Future of Digital Forensics
Series Glossary of Key Terms
Further Reading & Internet Resources
Index
Author’s Biography
Credits

KEY ICONS TO LOOK FOR

Words to Understand: These words with their easy-to-understand definitions will increase readers’ understanding of the text while building vocabulary skills.

Sidebars: This boxed material within the main text allows readers to build knowledge, gain insights, explore possibilities, and broaden their perspectives by weaving together additional information to provide realistic and holistic perspectives.

Educational Videos: Readers can view videos by scanning our QR codes, providing them with additional educational content to supplement the text.

Text-Dependent Questions: These questions send the reader back to the text for more careful attention to the evidence presented there.

Research Projects: Readers are pointed toward areas of further inquiry connected to each chapter. Suggestions are provided for projects that encourage deeper research and analysis.

Series Glossary of Key Terms: This back-of-the-book glossary contains terminology used throughout this series. Words found here increase the reader’s ability to read and comprehend higher-level books and articles in this field.
Digital Forensics: Fast-Growing Future Career
Digital forensics is also called “computer forensics.” People who work in digital forensics can recover data from devices used to commit crimes, collect digital evidence, and maintain a chain of custody for legal proceedings. (In law enforcement, a chain of custody is a formal way to identify where a piece of evidence is at all times and who is in charge of it.) They also can determine how people hack into computer systems and can maintain system security to stop hackers. They can analyze data discovered during investigations, and they can serve as expert witnesses in court.

Digital forensics experts who work in private industry often have different expertise from counterparts who work for law enforcement or government agencies.

According to the Bureau of Labor Statistics (BLS), over 112,000 people worked as information security analysts in 2018. Not all of these analysts are working in digital forensics, but many of them are. Information security is expected to grow much more quickly than the average field, with more than 35,000 new jobs to be added between 2018 and 2028.

Although their work may seem removed from crime scenes and physical evidence, digital forensics investigators perform vital functions in the legal system. According to Jason Jordaan, principal forensic scientist at DFIRLABS in South Africa, “Their evidence can be responsible for sending someone to prison, paying a significant fine, or keeping someone from escaping justice.”

Education Requirements

Most people who work in cybersecurity should have a high-school diploma and certifications in their specialty. Computer-focused careers include certifications that can be obtained through free online open education resources. Many programs offer education and training for free, but the certificate must be paid for in order to certify that the training has been completed. Because cybersecurity is so specialized, many people are working successfully in the field based on their on-the-job experience and certifications.

Some digital forensics areas require higher education, including cryptography and cryptoanalysis. The digital forensics professionals in these fields protect information by using encryption techniques, which translate sensitive information into code so that only authorized people can access it. They also decode encrypted messages and can work in highly secure environments, including national security. Cryptographers and cryptoanalysts need to have strong advanced mathematics skills. They should have a master’s degree in math or computer science.

Cyber forensics experts need a bachelor’s degree in cybersecurity or computer science. They usually investigate data breaches and security incidents. They also can help to rebuild damaged networks and uncover cyber attacks. They must also be able to prepare and give evidence in legal cases.

Cyber operators also need a bachelor’s degree in computer science and additional certificates that prepare them to protect computer and wireless networks against intrusions. They should be prepared to test networks for their vulnerability against cyber attacks. Cybercrime investigators don’t need a bachelor’s degree but do need certifications in cybersecurity and computer science.

Related jobs in cybersecurity and digital forensics include:

• Multi-Disciplined Language Analyst: Requires a bachelor’s degree and computer science and foreign language skills.
• Information Systems Security Administrator: Requires a bachelor’s degree in cybersecurity or computer science.
• Chief Security Officer: Requires at least a bachelor’s degree in cybersecurity or computer science and management experience.
• Cyber Security Engineer: Requires a bachelor’s degree in cybersecurity or computer science.
• Cyber Legal Advisor: Requires a bachelor’s degree and a Juris Doctor (J.D.) degree, as this is a lawyer with cybercrime experience.
Digital Forensic Specialties

“Digital forensics” refers to all aspects of investigating crime related to a device that can store and transmit digital data. In the early days of digital forensics, all devices that fit this definition were computers. Early digital forensics experts worked on large mainframe computers or desktop computers. Today, digital forensics can investigate crimes committed using mobile devices, like phones and tablets, and even IoT (Internet of Things) devices, including smart TVs, smart appliances, and computers used in transportation, like trucks, cars, ships, and aircraft.

The main branches of digital forensics include:

• Computer forensics: Computer forensic investigations examine individual computers for evidence, including the computer’s operating system, storage medium, and documents on the computer. These investigations can uncover crimes planned on a computer or committed using a computer.
• Database forensics: Digital forensic investigations examine the use of a database to uncover evidence related to unauthorized use of the database or to build a timeline of events related to a criminal or civil legal case.
• Forensic data analysis: Forensic data analysis focuses on analyzing data related to financial transactions to uncover fraud or misuse of funds.
• Mobile device forensics: Mobile device forensic investigations attempt to answer the question: Where was someone located when a crime was committed? The investigations use cell phone and call data to determine location, track criminals, and analyze data sent via cell phones and other mobile devices.
• Network forensics: Network forensics focuses on detecting and preventing intrusions (hacks) into computer networks.
• Other device forensics: With increased numbers of devices able to store data and connect to the Internet, digital forensics can also include the ability to examine gaming consoles, smart TVs, storage devices, and IoT devices, like computers found in cars, aircraft, and appliances.

Department of Homeland Security

The Department of Homeland Security (DHS) sponsors the National Integrated Cyber Education Research Center (NICERC) and its Cyber Security Education Training Assistance Program (CETAP).
The program’s goal is to develop and distribute cybersecurity educational materials to teachers and schools across the United States. The curriculum helps teachers and students to understand cybersecurity and use it in real-world scenarios. As of 2019, over 13,500 teachers and 2.1 million students have used CETAP curriculum in the classroom.

Other educational programs sponsored by DHS include the National Centers of Academic Excellence in Cyber Defense (CAE-CD), which provide training and education for cybersecurity graduates who will go to work for the federal government as well as state and local governments and industry.

The CyberCorps Scholarship for Service provides education and training to computer professionals who are already on the job and to students in colleges and universities. The scholarship can provide up to $25,000 per year for three years for graduate-level education in cybersecurity. Over 2,500 CyberCorps scholarship recipients have graduated and are working for over 140 government organizations.
Court Testimony
Digital forensics professionals who testify in court are considered expert witnesses. They are responsible for obeying the Federal Rules of Evidence or similar state rules, which have been adapted from the federal rules. They need to be able to clearly identify how the evidence they’re presenting was obtained and verify the chain of custody of the evidence. Chain of custody verifies that no one other than the investigators could have tampered with or altered the evidence. Digital forensics investigators must maintain current certifications in their specialty to be allowed to testify as expert witnesses in court.
Legal and Ethical Responsibilities

Digital forensics experts don’t have a single code of ethics or standards they must comply with. There are guidelines for court testimony, including the Federal Rules of Evidence, which apply to all expert witnesses in court proceedings. The International Society of Forensic Computer Examiners (ISFCE) offers guidelines that help digital forensics investigators to maintain a professional and fair approach in legal proceedings. The ISFCE guidelines include:

• In all forensic examinations, investigators should maintain the greatest objectivity and present accurate findings.
• All matters should be testified to truthfully before the court.
• The examiner should avoid conflicts of interest.
• Examinations must be based on well-established principles.
• The examiner is forbidden to reveal confidential information without a court order or client permission.
• The investigator can’t misrepresent credentials or memberships in professional associations.

Other associations, including the High Technology Crime Investigation Association (HTCIA) and International Association of Computer Investigative Specialists (IACIS), have requirements for their members, which include:

• Using specialized techniques and advanced technologies to uncover the truth.
• Emphasizing integrity and truth in the course of investigation.
• Maintaining objectivity and presenting facts of a case accurately.
• Providing unbiased opinions.

In addition, all computer forensics associations prohibit members from concealing anything they find in the course of an investigation that could prevent justice from being served or permit the facts of an investigation to be misrepresented.

Work Environment

Digital forensics experts can work in a variety of environments. They may work in a digital forensics lab, which will contain equipment they use to secure, examine, and analyze devices that are used as evidence. Regional Computer Forensics Laboratories (RCFLs) provide a glimpse into the environment that many digital forensics investigators work in. RCFLs are located in 17 regional areas across the United States. They support local and regional law enforcement agencies and the Federal Bureau of Investigation (FBI). RCFLs are a specialized type of law enforcement office containing computer and other digital equipment, secure evidence storage, and specialized equipment required to test evidence. Digital forensics labs can look like a combination of a computer-repair facility, a law enforcement agency, and a storage facility with temperature control.
Other digital forensics investigators can work in the field, securing evidence and analyzing communications. They might work out of mobile vans or be part of law enforcement stakeouts. Digital forensics investigators who work for corporations can be based in corporate offices or sent to locations to analyze evidence and conduct investigations.

Investigators can be called to examine evidence in highly dangerous and risky situations. National security-related investigations can include suspected terrorism. Other investigations can involve high-profile hacking and theft of personal information from databases that include information on millions of people.

There are cyber squads at law enforcement agencies across the United States, including at FBI headquarters in Quantico, Virginia, and the agency’s 56 field offices. Cyber squads tend to be office-based, but cyber action teams can travel worldwide and gather information about cybercrimes that threaten national security and the economy.

Career Outlook

The career outlook for digital forensics investigators and related professionals is bright. According to the Bureau of Labor Statistics (BLS), more than 112,000 people were already employed in digital forensics in 2018. This number includes people who are network administrators or technicians who perform digital forensics as part of their job. The field is expected to grow by 32 percent between 2018 and 2028, much more quickly than other career fields. Median pay for information security professionals was over $98,000 per year in 2018, according to the BLS. With computer hacking on the rise and increases in all forms of computer-related crime, digital forensics professionals will continue to be in high demand.