SCCS3 Temp

Forensics


Introduction xxv

software piracy and the alteration or theft of electronically stored information; extortion committed with the assistance of computers; obtaining unauthorized access to records from banks, credit card issuers, or customer reporting agencies; traffic in stolen passwords; and transmission of destructive viruses or commands.

One of the main difficulties in defining computer crime is that situations arise where a computer or network was not directly involved in a crime but still contains digital evidence related to the crime. As an extreme example, take a suspect who claims that she was using the Internet at the time of a crime. Although the computer played no role in the crime, it contains digital evidence relevant to the investigation. To accommodate this type of situation, the more general term computer-related is used to refer to any crime that involves computers and networks, including crimes that do not rely heavily on computers. Notably, some organizations, such as the U.S. Department of Justice and the Council of Europe, use the term cybercrime to refer to a wide range of crimes that involve computers and networks.

In an effort to be inclusive and most useful for practical application, the material in this book covers digital evidence as it applies to any crime and delves into specific computer crimes that are defined by laws in various countries. The term digital investigation is used throughout this text to encompass any and all investigations that involve digital evidence, including corporate, civil, criminal, and military.

The term computer forensics also means different things to different people. Computer forensics usually refers to the forensic examination of computer components and their contents such as hard drives, compact disks, and printers. However, the term is sometimes used more loosely to describe the forensic examination of all forms of digital evidence, including data traveling over networks (a.k.a. network forensics). To confuse matters, the term computer forensics has been adopted by the information security community to describe a wide range of activities that have more to do with protecting computer systems than gathering evidence.

As the field has developed into several distinct subdisciplines, including malware forensics and mobile device forensics, the more general term digital forensics has become widely used to describe the field as a whole.

ROADMAP TO THE BOOK


This book draws from four fields:

Forensic Science
Computer Science
Law
Behavioral Evidence Analysis

Law provides the framework within which all of the concepts of this book fit. Computer Science provides the technical details that are necessary to understand specific aspects of digital evidence. Forensic Science provides a general approach to analyzing any form of digital evidence. Behavioral Evidence Analysis provides a systematized method of synthesizing the specific technical knowledge and general scientific methods to gain a better understanding of criminal behavior and motivation.

This book is divided into five parts, beginning with the fundamental concepts and legal issues relating to digital evidence and computer crime in Part 1 (Digital Forensics: Chapters 1–5). Chapter 2 (Language of Computer Crime Investigation) explains how terminology of computer crime developed and provides the language needed to understand the different aspects of computer crime investigation. Chapter 3 (Digital Evidence in the Courtroom) provides an overview of issues that arise in court relating to digital evidence. Chapters 4 and 5 (Cybercrime Law: A United States Perspective and Cybercrime Law: A European Perspective) discuss legal issues that arise in computer-related investigations, presenting U.S. and European law side-by-side.

Part 2 (Digital Investigations: Chapters 6–9) discusses a systematic approach to investigating a crime based on the scientific method, providing a context for the remainder of this book. Chapter 7 (Handling a Digital Crime Scene) provides guidance on how to approach and process computer systems and their contents as a crime scene. Chapter 8 (Investigative Reconstruction with Digital Evidence) describes how to use digital evidence to reconstruct events and learn more about the victim and offender in a crime. Chapter 9 (Modus Operandi, Motive, and Technology) is a discussion of the relationship between technology and the people who use it to commit crime. Understanding the human elements of a crime and the underlying motivations can help answer crucial questions in an investigation, helping assess risks (will criminal activity escalate?), develop and interview suspects (who to look for and what to say to them), and focus inquiries (where to look and what to look for).

Part 3 (Apprehending Offenders: Chapters 10–14) focuses on specific types of investigations with a focus on apprehending offenders, starting with violent crime in Chapter 10. Chapter 11 discusses computers as alibi. Chapter 12 details sex offenders on the Internet. Investigating computer intrusions is covered in Chapter 13. Chapter 14 covers investigations of cyberstalking.

Part 4 (Computers: Chapters 15–20) begins by introducing basic forensic science concepts in the context of a single computer. Learning how to deal with individual computers is crucial because even when networks are involved, it is usually necessary to collect digital evidence stored on computers. Case examples and guidelines are provided to help apply the knowledge in this text to investigations. The remainder of Part 4 deals with specific kinds of computers and ends with a discussion of overcoming password protection and encryption on these systems.

Part 5 (Network Forensics: Chapters 21–25) covers computer networks, focusing specifically on the Internet. A top-down approach is used to describe computer networks, starting with the types of data that can be found on networked systems and the Internet, and progressively delving into the details of network protocols and raw data transmitted on networks. The “top” of a computer network comprises the software that people use, like e-mail and the Web. This upper region hides the underlying complexity of computer networks, and it is therefore necessary to examine and understand the underlying complexity of computer networks to fully appreciate the information that we find at the top of the network. Understanding the “bottom” of networks—the physical media (e.g., copper and fiber-optic cables) that carry data between computers—is also necessary to collect and analyze raw network traffic.

The forensic science concepts described early on in relation to a single computer are carried through to each layer of the Internet. Seeing concepts from forensic science applied in a variety of contexts will help the reader generalize the systematic approach to processing and analyzing digital evidence. Once generalized, this systematic approach can be applied to situations not specifically discussed in this text.

DISCLAIMER

Tools are mentioned in this book to illustrate concepts and techniques, not to indicate that a particular tool is best suited to a particular purpose. Digital investigators must take responsibility to select and evaluate their tools.

Any legal issues covered in this text are provided to improve understanding only and are not intended as legal advice. Seek competent legal advice to address specifics of a case and to ensure that nuances of the law are considered.
Academic Press is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
525 B Street, Suite 1800, San Diego, California 92101-4495, USA
84 Theobald’s Road, London WC1X 8RR, UK

© 2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or any information storage and retrieval system, without
permission in writing from the publisher. Details on how to seek permission, further information about the
Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center
and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other
than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our
understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using
any information, methods, compounds, or experiments described herein. In using such information or methods
they should be mindful of their own safety and the safety of others, including parties for whom they have a
professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability
for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or
from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Casey, Eoghan.
Digital evidence and computer crime: forensic science, computers and the internet / by Eoghan Casey; with
contributions from Susan W. Brenner ... [et al.].—3rd ed.
p. cm.—
Includes index.
ISBN 978-0-12-374268-1
1. Computer crimes. 2. Electronic evidence. 3. Evidence, Criminal. I. Title.
HV6773.C35C35 2011
363.25’ 968—dc22
2010049562
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-0-12-374268-1
For information on all Academic Press publications
visit our Web site at www.elsevierdirect.com
Printed in the United States of America
11 12 13 9 8 7 6 5 4 3 2 1
Contents

ACKNOWLEDGMENTS ..... xiii
AUTHOR BIOGRAPHIES ..... xv
INTRODUCTION ..... xxi

PART 1 Digital Forensics

CHAPTER 1 Foundations of Digital Forensics ..... 3
Eoghan Casey
1.1 Digital Evidence ..... 7
1.2 Increasing Awareness of Digital Evidence ..... 9
1.3 Digital Forensics: Past, Present, and Future ..... 10
1.4 Principles of Digital Forensics ..... 14
1.5 Challenging Aspects of Digital Evidence ..... 25
1.6 Following the Cybertrail ..... 28
1.7 Digital Forensics Research ..... 32
1.8 Summary ..... 32

CHAPTER 2 Language of Computer Crime Investigation ..... 35
Eoghan Casey
2.1 Language of Computer Crime Investigation ..... 36
2.2 The Role of Computers in Crime ..... 39
2.3 Summary ..... 47

CHAPTER 3 Digital Evidence in the Courtroom ..... 49
Eoghan Casey
3.1 Duty of Experts ..... 51
3.2 Admissibility ..... 56
3.3 Levels of Certainty in Digital Forensics ..... 68
3.4 Direct versus Circumstantial Evidence ..... 72
3.5 Scientific Evidence ..... 73
3.6 Presenting Digital Evidence ..... 75
3.7 Summary ..... 81

CHAPTER 4 Cybercrime Law: A United States Perspective ..... 85
Susan W. Brenner
4.1 Federal Cybercrime Law ..... 85
4.2 State Cybercrime Law ..... 103
4.3 Constitutional Law ..... 107
4.4 Fourth Amendment ..... 107
4.5 Fifth Amendment and Encryption ..... 115

CHAPTER 5 Cybercrime Law: A European Perspective ..... 123
Bert-Jaap Koops and Tessa Robinson
5.1 The European and National Legal Frameworks ..... 123
5.2 Progression of Cybercrime Legislation in Europe ..... 126
5.3 Specific Cybercrime Offenses ..... 129
5.4 Computer-Integrity Crimes ..... 133
5.5 Computer-Assisted Crimes ..... 149
5.6 Content-Related Cybercrimes ..... 155
5.7 Other Offenses ..... 173
5.8 Jurisdiction ..... 178
5.9 Summary ..... 182

PART 2 Digital Investigations

CHAPTER 6 Conducting Digital Investigations ..... 187
Eoghan Casey and Bradley Schatz
6.1 Digital Investigation Process Models ..... 187
6.2 Scaffolding for Digital Investigations ..... 197
6.3 Applying the Scientific Method in Digital Investigations ..... 201
6.4 Investigative Scenario: Security Breach ..... 220
6.5 Summary ..... 224

CHAPTER 7 Handling a Digital Crime Scene ..... 227
Eoghan Casey
7.1 Published Guidelines for Handling Digital Crime Scenes ..... 230
7.2 Fundamental Principles ..... 232
7.3 Authorization ..... 234
7.4 Preparing to Handle Digital Crime Scenes ..... 238
7.5 Surveying the Digital Crime Scene ..... 240
7.6 Preserving the Digital Crime Scene ..... 245
7.7 Summary ..... 253

CHAPTER 8 Investigative Reconstruction with Digital Evidence ..... 255
Eoghan Casey and Brent E. Turvey
8.1 Equivocal Forensic Analysis ..... 259
8.2 Victimology ..... 266
8.3 Crime Scene Characteristics ..... 268
8.4 Threshold Assessments ..... 273
8.5 Summary ..... 282

CHAPTER 9 Modus Operandi, Motive, and Technology ..... 285
Brent E. Turvey
9.1 Axes to Pathological Criminals and Other Unintended Consequences ..... 285
9.2 Modus Operandi ..... 287
9.3 Technology and Modus Operandi ..... 288
9.4 Motive and Technology ..... 297
9.5 Current Technologies ..... 303
9.6 Summary ..... 304

PART 3 Apprehending Offenders

CHAPTER 10 Violent Crime and Digital Evidence ..... 307
Eoghan Casey and Terrance Maguire
10.1 The Role of Computers in Violent Crime ..... 308
10.2 Processing the Digital Crime Scene ..... 312
10.3 Investigative Reconstruction ..... 316
10.4 Conclusions ..... 321

CHAPTER 11 Digital Evidence as Alibi ..... 323
Eoghan Casey
11.1 Investigating an Alibi ..... 324
11.2 Time as Alibi ..... 326
11.3 Location as Alibi ..... 327
11.4 Summary ..... 328

CHAPTER 12 Sex Offenders on the Internet ..... 329
Eoghan Casey, Monique M. Ferraro, and Michael McGrath
12.1 Old Behaviors, New Medium ..... 332
12.2 Legal Considerations ..... 335
12.3 Identifying and Processing Digital Evidence ..... 338
12.4 Investigating Online Sexual Offenders ..... 341
12.5 Investigative Reconstruction ..... 349
12.6 Case Example: Scott Tyree ..... 357
12.7 Case Example: Peter Chapman ..... 360
12.8 Summary ..... 362

CHAPTER 13 Computer Intrusions ..... 369
Eoghan Casey and Christopher Daywalt
13.1 How Computer Intruders Operate ..... 371
13.2 Investigating Computer Intrusions ..... 377
13.3 Forensic Preservation of Volatile Data ..... 388
13.4 Post-Mortem Investigation of a Compromised System ..... 401
13.5 Investigation of Malicious Computer Programs ..... 403
13.6 Investigative Reconstruction ..... 406
13.7 Summary ..... 419

CHAPTER 14 Cyberstalking ..... 421
Eoghan Casey
14.1 How Cyberstalkers Operate ..... 423
14.2 Investigating Cyberstalking ..... 425
14.3 Cyberstalking Case Example ..... 432
14.4 Summary ..... 433

PART 4 Computers

CHAPTER 15 Computer Basics for Digital Investigators ..... 437
Eoghan Casey
15.1 A Brief History of Computers ..... 437
15.2 Basic Operation of Computers ..... 439
15.3 Representation of Data ..... 442
15.4 Storage Media and Data Hiding ..... 447
15.5 File Systems and Location of Data ..... 450
15.6 Dealing with Password Protection and Encryption ..... 458
15.7 Summary ..... 462

CHAPTER 16 Applying Forensic Science to Computers ..... 465
Eoghan Casey
16.1 Preparation ..... 466
16.2 Survey ..... 467
16.3 Documentation ..... 470
16.4 Preservation ..... 474
16.5 Examination and Analysis ..... 485
16.6 Reconstruction ..... 499
16.7 Reporting ..... 508
16.8 Summary ..... 510

CHAPTER 17 Digital Evidence on Windows Systems ..... 513
Eoghan Casey
17.1 File Systems ..... 514
17.2 Data Recovery ..... 529
17.3 Log Files ..... 535
17.4 Registry ..... 536
17.5 Internet Traces ..... 538
17.6 Program Analysis ..... 547
17.7 Summary ..... 548

CHAPTER 18 Digital Evidence on UNIX Systems ..... 551
Eoghan Casey
18.1 UNIX Evidence Acquisition Boot Disk ..... 552
18.2 File Systems ..... 552
18.3 Overview of Digital Evidence Processing Tools ..... 557
18.4 Data Recovery ..... 565
18.5 Log Files ..... 574
18.6 File System Traces ..... 575
18.7 Internet Traces ..... 579
18.8 Summary ..... 585

CHAPTER 19 Digital Evidence on Macintosh Systems ..... 587
Eoghan Casey
19.1 File Systems ..... 587
19.2 Overview of Digital Evidence Processing Tools ..... 590
19.3 Data Recovery ..... 591
19.4 File System Traces ..... 592
19.5 Internet Traces ..... 597
19.6 Summary ..... 602

CHAPTER 20 Digital Evidence on Mobile Devices
Eoghan Casey and Benjamin Turnbull
This chapter appears online at http://www.elsevierdirect.com/companion.jsp?ISBN=9780123742681

PART 5 Network Forensics

CHAPTER 21 Network Basics for Digital Investigators ..... 607
Eoghan Casey and Benjamin Turnbull
21.1 A Brief History of Computer Networks ..... 608
21.2 Technical Overview of Networks ..... 609
21.3 Network Technologies ..... 613
21.4 Connecting Networks Using Internet Protocols ..... 619
21.5 Summary ..... 631

CHAPTER 22 Applying Forensic Science to Networks ..... 633
Eoghan Casey
22.1 Preparation and Authorization ..... 634
22.2 Identification ..... 640
22.3 Documentation, Collection, and Preservation ..... 646
22.4 Filtering and Data Reduction ..... 651
22.5 Class/Individual Characteristics and Evaluation of Source ..... 653
22.6 Evidence Recovery ..... 657
22.7 Investigative Reconstruction ..... 659
22.8 Reporting Results ..... 667
22.9 Summary ..... 668

CHAPTER 23 Digital Evidence on the Internet ..... 671
Eoghan Casey
23.1 Role of the Internet in Criminal Investigations ..... 671
23.2 Internet Services: Legitimate versus Criminal Uses ..... 672
23.3 Using the Internet as an Investigative Tool ..... 685
23.4 Online Anonymity and Self-Protection ..... 691
23.5 E-mail Forgery and Tracking ..... 699
23.6 Usenet Forgery and Tracking ..... 703
23.7 Searching and Tracking on IRC ..... 706
23.8 Summary ..... 711

CHAPTER 24 Digital Evidence on Physical and Data-Link Layers ..... 713
Eoghan Casey
24.1 Ethernet ..... 714
24.2 Linking the Data-Link and Network Layers: Encapsulation ..... 716
24.3 Ethernet versus ATM Networks ..... 721
24.4 Documentation, Collection, and Preservation ..... 722
24.5 Analysis Tools and Techniques ..... 727
24.6 Summary ..... 736

CHAPTER 25 Digital Evidence at the Network and Transport Layers ..... 737
Eoghan Casey
25.1 TCP/IP ..... 738
25.2 Setting up a Network ..... 750
25.3 TCP/IP-Related Digital Evidence ..... 754
25.4 Summary ..... 769

CASE INDEX ..... 771
NAME INDEX ..... 773
SUBJECT INDEX ..... 775
