Preface
Acknowledgments
Chapter 1: The Fundamentals of Data
Base 2 Numbering System: Binary and Character Encoding
Communication in a Two State Universe
Electricity and Magnetism
Building Blocks: The Origins of Data
Growing the Building Blocks of Data
Moving Beyond Base 2
American Standard Code for Information Interchange
Character Codes: The Basis for Processing Textual Data
Extended ASCII and Unicode
Summary
Notes
Chapter 2: Binary to Decimal
American Standard Code for Information Interchange
Computer as a Calculator
Why Is This Important In Forensics?
Data Representation
Converting Binary to Decimal
Conversion Analysis
A Forensic Case Example: An Application of the Math
Decimal to Binary: Recap for Review
Summary
Chapter 3: The Power of HEX: Finding Slivers of Data
What the HEX?
Bits and Bytes and Nibbles
Nibbles and Bits
Binary to HEX Conversion
Binary (HEX) Editor
The Needle within the Haystack
Summary
Note
Chapter 4: Files
Introduction
Files, File Structures, and File Formats
File Extensions
Changing a File's Extension to Evade Detection
Files and the HEX Editor
File Signature
ASCII is Not Text nor HEX
Value of File Signatures
Complex Files: Compound, Compressed, and Encrypted Files
Why Do Compound Files Exist?
Compressed Files and Magic Numbers
Forensics and Encrypted Files
The Structure of Ciphers
Summary
Notes
Appendix 4A: Common File Extensions
Appendix 4B: File Signature/Magic Number Database
Appendix C: Magic Number Definition
Appendix 4D: Compound Document Header
Chapter 5: The Boot Process and the Master Boot Record (MBR)
Booting Up
Primary Functions of the Boot Process
Forensic Imaging and Evidence Collection
Summarizing the BIOS
The Master Boot Record (MBR)
Partition Table
Hard Disk Partition
Summary
Notes
Chapter 6: Endianness and the Partition Table
The Flavor of Endianness
Endianness
The Origins of Endian
Partition Table within the Master Boot Record
Summary
Notes
Chapter 7: Volume versus Partition
Tech Review
Cylinder, Head, Sector and Logical Block Addressing
Volumes and Partitions
Summary
Notes
Chapter 8: File Systems – FAT 12/16
Tech Review
File Systems
Metadata
File Allocation Table (FAT) File System
Slack
HEX Review Note
Directory Entries
File Allocation Table (FAT)
How is Cluster Size Determined?
Expanded Cluster Size
Directory Entries and the FAT Table
FAT Filing System Limitations
Directory Entry Limitations
Summary
Appendix 8A: Partition Table Fields
Appendix 8B: FAT Table Values
Appendix 8C: Directory Entry Byte Offset Description
Appendix 8D: FAT12/16 Byte Offset Values
Appendix 8E: FAT 32 Byte Offset Values
Appendix 8F: The Power of 2
Chapter 9: File Systems – NTFS and Beyond
New Technology File System
Partition Boot Record
Master File Table
NTFS Summary
exFAT
Alternative Filing System Concepts
Summary
Notes
Appendix 9A: Common NTFS System Defined Attributes
Box Analogy
Chapter 10: Cyber Forensics: Investigative Smart Practices
The Forensic Process
Forensic Investigative Smart Practices (ISPs)
Time
Summary
Note
Chapter 11: Time and Forensics
Network Time Protocol
Timestamp Data
Keeping Track of Time
Clock Models and Time Bounding: The Foundations of Forensic Time
MS-DOS 32 Bit Time Stamp: Date and Time
Date Determination
Time Determination
Time Inaccuracy
Summary
Notes
Chapter 12: Investigation: Incident Closure
Step 5: Investigation
Step 6: Communicate Findings
Characteristics of a Good Cyber Forensic Report
Report Contents
Step 7: Retention and Curation of Evidence
Step 8: Investigation Wrap Up and Conclusion
Investigator’s Role as an Expert Witness
Summary
Notes
Chapter 13: A Cyber Forensic Process Summary
Binary
Binary – Decimal – ASCII
Data versus Code
HEX
From Raw Data to Files
Accessing Files
Endianness
Partitions
File Systems
Time
The Investigation Process
Summary
Appendix: Forensic Report: Forensic Investigations, ABC Inc.
Glossary
About the Authors
Index