Introduction
As an auditor as well as researcher and author, I realize and value the importance of timely,
well−focused, accurate information. It is with this philosophy in mind that the development of this
project was undertaken.
To the reader, a note of explanation…. This is not a text, but rather a field manual. It has been
written — better yet, compiled — and edited in a manner that will allow you to rapidly access a
specific area of interest or concern and not be forced to sequentially wade through an entire text,
chapter by chapter, to get to what is important to you.
In the true sense of a field manual, each "chapter" (and we use that term loosely) stands on its own
and presents focused, timely information on a specific topic related to cyber forensics. The author of
each "chapter" was selected for his or her expertise in a specific area within the very broad field of
cyber forensics.
Often a limiting aspect of most projects, especially those written on emerging technical topics, is the
inability to cover every aspect of the topic in a single all−inclusive text. This truth befalls this field
manual that you are about to use.
Initial research into this growing discipline proved that it would be next to impossible to include all
the areas of both interest and importance in the field of cyber forensics that would be needed and
required by all potential readers and users in a single text. Thus, this field manual presents specific
and selected topics in the discipline of cyber forensics, and addresses critical issues facing the
reader who is engaged in or who soon will be (and you will!) engaged in the preservation,
identification, extraction, and documentation of computer evidence.
As a user of this field manual, you will see that this manual's strength lies with the inclusion of an
exhaustive set of chapters covering a broad variety of forensic subjects. Each chapter was
thoroughly investigated; examined for accuracy, completeness, and appropriateness to the study of
cyber forensics; reviewed by peers; and then compiled in a comprehensive, concise format to
present critical topics of interest to professionals working in the growing field of cyber forensics.
We finally had to select several key areas and put pen to paper, entice several colleagues to share
their ideas, and resign ourselves to the fact that we cannot say all that needs to be said in one text,
book, or manual. We trust the material we have included will serve as a starting point for the many
professionals who are beginning their journey into this exciting discipline.
We begin our journey into the realm of this relatively new discipline by opening with a brief
discussion as to the current state of the environment relating to the need for this new field of
forensics and then a brief examination of the origins of cyber forensics. Along the way, we will
establish several basic definitions designed to assist the reader in moving easily through what could
be difficult and confusing terrain.
Although e−mail is becoming more mission−critical for enterprises, it also has the
ability to haunt a company in times of trouble, because records of e−mail messages
remain in the company systems after deletion — a feature highlighted during the
Microsoft anti−trust trial. The case has featured critical testimony derived from old
Microsoft e−mail messages.
—InfoWorld, 10/25/99
7
Background
The ubiquitous use of computers and other electronic devices is creating a rapidly rising wave of
new and stored digital information. The massive proliferation of data creates ever−expanding digital
information risks for organizations and individuals. Electronic information is easy to create,
inexpensive to store, and virtually effortless to replicate. As a result, increasingly vast quantities of
digital information reside on mass storage devices located within and without corporate information
systems. Information risks associated with this data are many. For example, electronic data can
often show — with a high degree of reliability — who said, knew, took, shared, had and did what,
and who else might be involved in the saying, knowing, taking, sharing, having, and doing. For the
corporation, the free flow of digital information means that the backdoor is potentially always open to
loss.
To put the explosive growth of electronic data in perspective, consider that Americans were
expected to send and receive approximately 6.8 trillion e−mail messages in 2000 — or about 2.2
billion messages per day. [1] Although some of this e−mail is sent and received by individuals, most
of it is being created by and sent from corporate mail servers.
In 2000, the World Wide Web consisted of 21 terabytes of static HTML pages and is growing at a
rate of 100 percent per year. [2] There are now about 2.5 billion indexed Web pages, increasing at
the rate of 7.3 million pages per day.
Demand for digital storage is expected to grow by more than 1800 percent between 1998 and 2003.
A midrange estimate of the amount of data currently stored on magnetic tape is 2.5 exabytes (an
exabyte is 1 million terabytes), with another 2.5 exabytes stored on computer hard drives. [3]
Contrasting the growth of paper pages and electronic documents adds additional perspective. The
growth of recorded information doubles every three to four years. Over 93 percent of all information
produced in 1999 was in digital format. About 80 percent of corporate information currently exists in
digital form. Companies are expected to generate some 17.5 trillion electronic documents by 2005,
up from approximately 135 billion in 1995. [4] Some 550 billion documents now exist online.
There is more to this explosive growth than just "documents." Additional forms of electronic data
originate from:
Internet−based electronic commerce, online banking, and stock trading •
Corporate use and storage of phone mail messages and electronic logs •
Personal organizers, such as the Palm Pilot (worldwide PDA sales were expected to total
about 6 million units in 2000 rising to 17 million in 2004.)
•
Wireless devices such as cell phones and pagers with contacts and task list storage
(worldwide mobile phone sales were expected to total about 400 million in 2000, rising to
560 million in 2004 [5] )
•
Digital cameras •
Corporate use and storage of graphic images, audio, and video •
These are several of the factors now at work in corporations that increase the risk of litigation and
loss of confidential corporate data (from www.fiosinc.com/digital_risk.html, Fios, Inc. (877)
700−3467, 921 S.W. Washington Street, Suite 850, Portland, Oregon 97205)
It is best to state up−front that the emphasis in any cyber forensic examination must be on the
forensic element, and it is vital to understand that forensic computing, cyber forensics, or computer
forensics is not solely about computers. It is about rules of evidence, legal processes, the integrity
8
and continuity of evidence, the clear and concise reporting of factual information to a court of law,
and the provision of expert opinion concerning the provenance of that evidence:
Companies are very concerned about the notion that anything they write
electronically can be used again at any time. If you have to discipline yourself to
think, "can this be misconstrued?" that greatly hampers your ability to communicate
and introduces a huge level of inefficiency.
—David Ferris, president of Ferris Research (San Francisco)
[1] University of California at Berkeley, School of Information Management and Systems, October
2000, http://www.sims.berkeley.edu/how−much−info/.
[2] University of California at Berkeley, School of Information Management and Systems, October
2000, http://www.sims.berkeley.edu/how−much−info/.
[3] University of California at Berkeley, School of Information Management and Systems, October
2000, http://www.sims.berkeley.edu/how−much−info/.
[4] Designing a Document Strategy: Documents…Technology…People. Craine, K., MC2 Books,
2000.
[5] University of California at Berkeley, School of Informatio
