Governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies.
The Privacy Protection Act of 1980 (PPA)
Protects journalists from being required to turn over to law enforcement any work product and documentary materials, including sources, before it is disseminated to the public.
The Communications Assistance to Law Enforcement Act of 1994 (CALEA)
Wiretap law
18 U.S.C. § 2701
The focus is on any facility, server, or device used to store electronic communications.
The Electronic Communications Privacy Act of 1986 (ECPA)
Governs the privacy and disclosure, access, and interception of content and traffic data
The Computer Security Act of 1987 (CSA)
Requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.
The Foreign Intelligence Surveillance Act of 1978
Allows for collection of “foreign intelligence information” between foreign powers and agents of foreign powers using physical and electronic surveillance.
The Child Protection and Sexual Predator Punishment Act of 1998
The Children’s Online Privacy Protection Act of 1998 (COPPA)
Protects children 13 years of age and under from the collection and use of their personal information by websites.
The Communications Decency Act of 1996
Protects persons 18 years of age and under from downloading or viewing material considered indecent
The Telecommunications Act of 1996
Related to the privacy and disclosure of information in motion through and across telephony and computer networks
The Wireless Communications and Public Safety Act of 1999
Allows for collection and use of “empty” communications, which means nonverbal and nontext communications
The USA PATRIOT Act
The primary law under which a wide variety of internet and communications information content and metadata is currently collected.
The Sarbanes-Oxley Act of 2002 (SOX)
Related to the recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies
18 USC 1030 Fraud and Related Activity in Connection with Computers
Covers a wide range of crimes involving illicit access of any computer
18 USC 1020 Fraud and Related Activity in Connection with Access Devices
Closely related to 1030 but covers access devices (such as routers)
The Digital Millennium Copyright Act (DMCA)
Makes it a crime to publish methods or techniques to circumvent copyright protection
18 USC § 1028A Identity Theft and Aggravated Identity Theft
This law targets any crime related to identity theft
18 USC § 2251 Sexual Exploitation of Children
Covers a range of child exploitation crimes
18 U.S.C. § 2260
Production of sexually explicit depictions of a minor for importation into the United States
18 U.S.C. § 2252
Certain activities relating to material involving the sexual exploitation of minors (possession, distribution, and receipt of child pornography)
18 U.S.C. § 2252A
Certain activities relating to material constituting or containing child pornography
Forensic Analysis
Email
.pst (Outlook)
.ost (Offline Outlook Storage)
.mbx or .dbx (Outlook Express)
.mbx (Eudora)
.emi (common to several email clients)
Storage
Features
HPA
Protected from user activities
MBR
Only requires a single sector, leaving 62 empty sectors of MBR space for hidden data
Volume Slack
This is the space that remains on a hard drive if the partitions do not use all the available space
File Slack
File slack is the unused space between the end of a file's data and the end of the last cluster assigned to that file
Unallocated Space
An operating system can’t access any unallocated space in a partition.
Connectors
Integrated Drive Electronics (IDE)
Extended Integrated Drive Electronics (EIDE)
Parallel Advanced Technology Attachment (PATA)
Serial Advanced Technology Attachment (SATA)
Serial SCSI
Magnetic
Data is organized by sectors and clusters, which are in turn organized in tracks around the platter
A typical sector is 512 bytes, although newer drives use 4096-byte sectors, and a cluster can be from 1 to 128 sectors
Solid-State
Most SSDs use Negated AND (NAND) gate–based flash memory, which retains memory even without power.
No moving parts.
File Formats
The Advanced Forensic Format (AFF)
The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs.
Autopsy and Sleuth Kit
Forensic Software
EnCase
Guidance Software
This tool allows the examiner to connect an Ethernet cable or null modem cable to a suspect machine and to view the data on that machine, and it prevents the examiner from making any accidental changes to the suspect machine.
The evidence file is an exact copy of the hard drive.
EnCase calculates an MD5 hash when the drive is acquired.
This hash is used to check for changes, alterations, or errors.
FTK
AccessData
Forensic Toolkit is particularly useful at cracking passwords
FTK also provides tools to search and analyze the Windows Registry.
Windows
Security log: This is probably the most important log from a forensics point of view. It has both successful and unsuccessful login events. [anything about external connections]
Application log: This log contains various events logged by applications or programs. Many applications record their errors here in the Application log.
System log: The System log contains events logged by Windows system components. This includes events like driver failures. This particular log is not as interesting from a forensics perspective as the other logs are.
ForwardedEvents log: The ForwardedEvents log is used to store events collected from remote computers. This has data in it only if event forwarding has been configured.
Applications and Services logs: This log is used to store events from a single application or component rather than events that might have system-wide impact.
This is a full forensic tool capable of imaging and examining iPhones and Android phones. It provides a number of user-friendly tools for extracting specific data such as contacts, social media data, etc.
Cellebrite
This is probably the most widely known phone forensics tool. It is used heavily by federal law enforcement. It is a very robust and effective tool. The only downside to Cellebrite that I am aware of is its high cost. It is the most expensive phone forensics tool on the market.
MobileEdit
There are several variations of this product. MobileEdit Lite is the most forensically advanced version of MobileEdit. This is a very easy-to-use tool that can aid a forensic examiner in extracting data from cell phones.
Data Doctor
This product recovers all Inbox and Outbox data and all contacts data, and has an easy-to-use interface. Most important, it has a free trial version, but there is a cost for the full version. It is available from http://www.simrestore.com/.
Device Seizure
This is available from Paraben Software at http://www.paraben.com/. There is a license fee associated with this product. Paraben makes a number of forensic products.
Forensic SIM Cloner
This tool is used to clone SIM cards, allowing you to perform forensic analysis of the SIM card.
Steganography
Concepts
LSB
One of the most common methods of performing stego is the least significant bit (LSB) method, in which the last bit (the least significant bit) of each byte of the carrier is used to store a bit of the hidden data
Payload
The information to be covertly communicated
Carrier
The signal, stream, or file in which the payload is hidden
Channel
The type of medium used
Tools
QuickStego
Easy to use, but very limited.
Invisible Secrets
More robust, with both a free and a commercial version.
MP3Stego
Hides a payload in MP3 files
Stealth Files 4
Works with sound files, video files, and image files