
Module 4

The document discusses the principles and methodologies of digital forensics, emphasizing its importance in corporate environments for maintaining the legal admissibility of digital evidence. It outlines the integration of people, processes, and technologies to enhance digital forensic capabilities within enterprises. The book serves as a roadmap for professionals to effectively implement digital forensic programs and address the challenges faced in the field.


IT/INFORMATION SECURITY/FORENSIC

Digital Forensics and Investigations
People, Process, and Technologies to Defend the Enterprise

Digital forensics has been a discipline of Information Security for decades now.
Its principles, methodologies, and techniques have remained consistent despite
the evolution of technology and, ultimately, can be applied to any form of
digital data. However, within a corporate environment, digital forensic professionals
are particularly challenged. They must maintain the legal admissibility and forensic
viability of digital evidence in support of a broad range of different business functions
that include incident response, electronic discovery (ediscovery), and ensuring the
controls and accountability of such information across networks.

Digital Forensics and Investigations: People, Process, and Technologies to
Defend the Enterprise provides the methodologies and strategies necessary for
these key business functions to seamlessly integrate digital forensic capabilities
to guarantee the admissibility and integrity of digital evidence. In many books, the
focus on digital evidence is primarily in the technical, software, and investigative
elements, of which there are numerous publications. What tends to get overlooked
are the people and process elements within the organization.

Taking a step back, the book outlines the importance of integrating and accounting for
the people, process, and technology components of digital forensics: in essence,
establishing a holistic paradigm (and a best-practice procedure and policy approach)
for defending the enterprise. This book serves as a roadmap for professionals to
successfully integrate an organization’s people, process, and technology with other
key business functions in an enterprise’s digital forensic capabilities.

Selling Points:

• Focuses on the strategic implementation of a digital forensic program within
  an enterprise

• Addresses the administrative, technical, and physical components required
  for enterprise digital forensic capabilities

• Details the people, process, and technology requirements for integrating digital
  forensic capabilities throughout the enterprise

• Emphasizes the inherent benefits of infusing forensic processes and procedures
  throughout the enterprise itself, building from the inside out

• Highlights the organizational, training, and implementation hurdles that can
  derail sound forensic practices within a business organization

Jason Sachowski
Digital Forensics and
Investigations
People, Processes, and Technologies to
Defend the Enterprise

Jason Sachowski
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2018 by Taylor & Francis Group, LLC


CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

International Standard Book Number-13: 978-1-138-72093-0 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts
have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize
to copyright holders if permission to publish in this form has not been obtained. If any copyright material
has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced,
transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter
invented, including photocopying, microfilming, and recording, or in any information storage or retrieval
system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access
www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood
Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and
registration for a variety of users. For organizations that have been granted a photocopy license by the CCC,
a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are
used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com

and the CRC Press Web site at
http://www.crcpress.com

Contents

Preface
Acknowledgments
About the Author
Introduction

Section I ENABLING DIGITAL FORENSICS

1 Introduction to Digital Forensics
    A Brief History of Forensics and Technology
    Evolutionary Cycle of Digital Forensics
    Technical and Scientific Working Groups
    Scientific Working Group on Digital Evidence (SWGDE)
    Principles of Digital Forensics
    Summary
    Glossary
2 Investigative Process Methodologies
    Existing Process Models
    Mapping Out Process Models
    The Process Methodology Workflow
    Summary
    Glossary
3 Education, Training, and Awareness
    Organizational Roles and Responsibilities
    Types of Training and Awareness
    Specializations
    An Educational Roadmap
    Nontechnical Knowledge
    Educational Resources
    Summary
    Glossary
4 Laws, Standards, and Regulations
    The Role of Technology in Crime
    A Brief History of Crime and Technology
    Types of Laws
    Federal Rules of Evidence
    Good Practices for Computer-Based Electronic Evidence
    Legal Precedence
    Search Warrants
    Subpoenas
    Jurisdiction
    Summary
    Glossary
5 Ethics and Professional Conduct
    Importance of Ethics
    Principles of Ethics
    Ethics in Digital Forensics
    Certifications and Accreditations
    Summary
    Glossary

Section II ENHANCING DIGITAL FORENSIC CAPABILITIES

6 The Business of Digital Forensics
    The Role of Digital Forensics in an Enterprise
    Starting a Digital Forensic Program
    Maintaining a Digital Forensic Program
    Challenges and Strategies
    Industry Regulation
    Political Influences
    Summary
    Resources
    Glossary
7 Controlling Mobile Devices
    Brief History of Mobile Devices
    Persistent Threats and Challenges
    Mobile Device Governance
    Enterprise Management Strategies
    Device Management Methodologies
    Device Management Capabilities
    Mobile Device Process Methodology
    Legal Considerations
    Summary
    Resources
    Glossary
8 Cloud Computing Enablement
    Brief History of Cloud Computing
    What is Cloud Computing?
    Persistent Threats and Challenges
    Cloud Computing Governance
    Enterprise Management Strategies
    Cloud Computing Process Methodology
    Legal Considerations
    Summary
    Resources
    Glossary
9 Combatting Antiforensics
    What Are Antiforensics?
    Traditional Techniques
    Detection Methods
    Strategic Countermeasures
    Summary
    Resources
    Glossary
10 Digital Evidence Management
    Types of Digital Evidence
    Evidence Gathering Considerations
    Cause and Effect
    Data Security Requirements
    Preservation Strategies
    Enterprise Log Management
    Summary
    Resources
    Glossary
11 Digital Forensic Readiness
    Forensic Readiness 101
    Cost versus Benefit
    Ten Steps to Forensic Readiness
    Achieving Forensic Readiness
    Summary
    Glossary

Section III INTEGRATING DIGITAL FORENSIC CAPABILITIES

12 Incident Management and Response
    Understanding the Incident Response Workflow
    The Incident Response Team (IRT)
    What to Expect During an Incident
    Investigative Techniques
    Reverse Engineering Malware
    Timeline Analysis
    Summary
    Glossary
13 Electronic Discovery and Litigation Support
    What is Electronic Discovery (eDiscovery)?
    Understanding the eDiscovery Workflow
    Managing Litigation Discovery
    The Role of Digital Forensics in a Litigation
    Discovering Electronically Stored Information (ESI)
    Summary
    Resources
    Glossary
14 Information Security and Cybersecurity
    Information Security vs Cybersecurity
    Digital Forensics in Enterprise Security
    Security Investigations
    Summary
    Resources
    Glossary

Section IV APPENDIXES

Appendix A: Investigative Process Models
    [P01] Computer Forensic Investigative Process (1995)
    [P02] Computer Forensic Process Model (2001)
    [P03] Digital Forensic Research Workshop (DFRWS) Investigative Model (2001)
    [P04] Scientific Crime Scene Investigation Model (2001)
    [P05] Abstract Model of the Digital Forensic Procedures (2002)
    [P06] Integrated Digital Investigation Process (2003)
    [P07] End-to-End Digital Investigation (2003)
    [P08] Enhanced Integrated Digital Investigation Process (2004)
    [P09] Extended Model of Cybercrime Investigation (2004)
    [P10] A Hierarchical, Objective-Based Framework for the Digital Investigations Process (2004)
    [P11] Event-Based Digital Forensic Investigation Framework (2004)
    [P12] Four Step Forensic Process (2006)
    [P13] Framework for a Digital Forensic Investigation (2006)
    [P14] Computer Forensic Field Triage Process Model (2006)
    [P15] FORZA: Digital Forensics Investigation Framework (2006)
    [P16] Process Flows for Cyber Forensics Training and Operations (2006)
    [P17] Common Process Model for Incident and Computer Forensics (2007)
    [P18] Dual Data Analysis Process (2007)
    [P19] Digital Forensic Investigations Framework (2008)
    [P20] Digital Forensic Model Based on Malaysian Investigation Process (2009)
    [P21] Generic Framework for Network Forensics (2010)
    [P22] Generic Computer Forensic Investigation Model (2011)
    [P23] Systematic Digital Forensic Investigation Model (2011)
    [P24] Advanced Data Acquisition Model (ADAM) (2011)
Appendix B: Education and Professional Certifications
    Professional Certifications
    Formal Education Programs

Section V TEMPLATES

Template A: Investigator Logbook
Template B: Chain of Custody

Bibliography
Index

Preface

At the beginning of all experimental work stands the choice of the appropriate technique
of investigation.

—Walter Rudolf Hess

Acknowledgments

I would like to most of all thank my wife and my children for showing me that no
matter what I do in my lifetime, they will always be my greatest success.
Thank you to my parents for providing me with countless opportunities to
become who I am today and for encouraging me to keep pushing my boundaries.
Thank you to my colleagues for allowing me the honor to work with you and
for the infinite wisdom and knowledge you have given me.
Lastly, thank you to Blair for opening doors.

About the Author

Jason Sachowski has over 13 years of experience in digital forensic investigations,
secure software development, and information security architecture. He currently
manages a team delivering Digital Forensic, Electronic Discovery, and Data
Loss Assessments for The Bank of Nova Scotia, commonly known as Scotiabank,
Canada’s third largest and most international bank.
Throughout his career, Sachowski has led and conducted hundreds of digital
forensic investigations involving enterprise servers, network logs, smart phones, and
database systems. Complementary to his technical experiences and skills, he has
also developed and maintained processes and procedures, managed large information
security budgets, and governed the negotiation of third-party contracts.
In addition to his professional career, Sachowski is also the author of the book
Implementing Digital Forensic Readiness: From Reactive to Proactive Process, serves
as a contributing author and content moderator for Dark Reading online publications,
is a subject matter expert for the professional development of information
security certifications, and volunteers as an advocate for CyberBullying prevention
and CyberSecurity awareness.
Sachowski holds several Information Security and Digital Forensic certifications,
including Certified Information Systems Security Professional—Information Systems
Security Architecture Professional (CISSP—ISSAP), Certified Cyber Forensics
Professional (CCFP), Certified Secure Software Lifecycle Professional (CSSLP), Systems
Security Certified Practitioner (SSCP), and EnCase Certified Examiner (EnCE).

Introduction

Since the digital forensic profession was formalized as a scientific discipline decades
ago, its principles, methodologies, and techniques have remained consistent despite
the evolution of technology and can ultimately be applied to any form of digital
data. Within a corporate environment, digital forensic practitioners are often relied
upon to maintain the legal admissibility and forensic viability of digital evidence in
support of a broad range of different business functions.

Why This Book


For the most part, where digital forensic education and training is provided today,
focus is commonly placed on the “hands-on” and “how to” aspects of the discipline,
such as how to forensically acquire a hard drive. Understandably, academics
will primarily concentrate on the technical execution of digital forensics because it
universally translates across every industry and geo-location where the discipline is
practiced.
In some cases, the nontechnical side of digital forensics can be overlooked as
an important contributor to achieving true synergies in a business environment.
Taking a step back, the importance of realizing a seamless integration among the
people, process, and technology areas of digital forensics is essential in establishing
a holistic approach to defending an enterprise.
This book was written from the business perspective of the digital forensics
profession that examines all three areas of an enterprise’s digital forensic capabilities
required to successfully integrate with other key business functions, including

◾ Focusing on the implementation aspects of a digital forensic program within
  an enterprise
◾ Encompassing the administrative, technical, and physical components required
  for enterprise digital forensic capabilities
◾ Detailing the people, process, and technology requirements for integrating
  digital forensic capabilities throughout the enterprise


Who Will Benefit from This Book


This book was written from a nontechnical, business perspective to provide readers
with realistic methodologies and strategies for how the people, process, and technology
aspects of digital forensics are integrated throughout an enterprise to support
different business operations.
While this book does cover the fundamental principles, methodologies, and
techniques of digital forensics, it largely focuses on outlining how the people, process,
and technology areas are used to defend the enterprise through integrating
digital forensic capabilities with key business functions.
The information contained in this book has been written to benefit people who

◾ Are employed, both directly and indirectly, in the digital forensic profession
  and are working to expand their organization’s digital forensic capabilities
◾ Are employed in the information security profession and are interested in
  either (1) becoming directly involved in the digital forensic profession or
  (2) enhancing their organization’s defenses
◾ Are academic scholars pursuing nontechnical, business knowledge about digital
  forensics to provide them with education to become employed in the digital
  forensic profession

Who Will Not Benefit from This Book


This book is not designed to provide readers with technical knowledge about
digital forensics, including the “hands-on” and “how to” aspects of the discipline
such as how to forensically acquire a hard drive.

How This Book Is Organized


This book is organized into five thematic sections:

◾ Part 1: Enabling Digital Forensics outlines the fundamental principles, methodologies,
  and techniques applied unanimously throughout the digital forensic
  discipline.
◾ Part 2: Enhancing Digital Forensics analyses additional considerations for
  enabling and enhancing digital forensic capabilities throughout an enterprise
  environment.
◾ Part 3: Integrating Digital Forensics addresses best practices for integrating the
  people, process, and technologies components of digital forensics across an
  enterprise environment.
◾ Part 4: Appendixes provides supplementary content that expands topics and
  subject areas discussed throughout other sections of this book.
◾ Part 5: Templates supplies structured templates and forms used in support of
  the digital forensic and business functions/processes covered throughout.


Section I ENABLING DIGITAL FORENSICS

The use of technology in criminal activities has evolved significantly over the past
50 years. With this evolution, the digital forensic profession was born through the
work of pioneers who strived to expand their interest in technology advancement
into what is now a well-established and recognized professional discipline.
Because of their work, digital forensics has become a profession that strictly fol-
lows forensic science disciplines consisting of the best practices of proven method-
ologies, techniques, and principles. Applying these best practices and the ability to
make use of them within an organization provides an additional defense-in-depth
layer to ensure that digital evidence is forensically viable in a court of law. In other
words, digital forensics is the application of science to law.
Organizations that demonstrate a good understanding of the requirements for
implementing digital forensic capabilities within their environment are much better
equipped to gather and process digital evidence in line with the legal requirements
for prosecuting criminals. However, if these requirements are ignored or otherwise
not followed, not only do organizations run the risk of digital evidence being either
compromised, lost, or overlooked, but also that it will not be admissible in a court
of law based on concerns about integrity or authenticity.
Even though legal prosecution might not be the end goal, such as cases where
an employee has violated a corporate policy, there is always the potential that some
form of disciplinary action will take place, such as employment termination. In
all cases, it is fundamentally important that organizations consistently follow the
digital forensic best practices because evidence used during an investigation may
wind up in a court of law.
In this section, we will look at the principles, methodologies, and techniques
applied universally throughout the digital forensic discipline, and the best
practices that organizations must adhere to.

Chapter 1: Introduction to Digital Forensics

The profession now commonly referred to as digital forensics was once made up of
unstructured processes; custom, home-grown toolsets; and knowledge based on
the collective work of hobbyists. Over the past 50 years, the digital forensic profes-
sion evolved alongside advancements in technology to become a mature discipline
where a common body of knowledge (CBK)1 made up of proven scientific prin-
ciples, methodologies, and techniques brought about a level of standardization and
formal structure to the profession.

A Brief History of Forensics and Technology


Technology, of all sorts, has evolved throughout human history. The beginning
of digital forensics dates to the 1970s when crimes involving technology were
first committed (refer to Chapter 4 titled “Laws, Standards, and Regulations” for a
history of crime and technology).
Throughout the history of digital forensics, there were specific eras where the
efforts and work of key individuals evolved digital forensics into the mature sci-
entific discipline it is today. Like other forms of human and industrial history, it’s
beneficial to learn about the events that happened beforehand that have paved the
path for where we are today.

Preface (1960–1980)
From the 1960s forward until the mid-1980s, computer systems were predominantly
used to perform data-processing operations and were not typically connected
to other systems outside of an organization. System administrators were largely
responsible for securing their own systems, work that consisted primarily of
system audits to ensure the efficiency and accuracy of the data-processing
functions. When it came time to investigate a computer system for legal issues, law
enforcement would turn to skilled system administrators who used common system
administration tools, such as data recovery and backup utilities, to gather and
process electronically stored information (ESI).2
Most technology-related investigations performed during this time were rudi-
mentary at best, because there was a misunderstanding of goals; absence of struc-
ture (i.e., laws, principles); and lack of tools, processes, and training. This era is
considered the ad hoc era of digital forensics.

Infancy (1980–1995)
When the personal computer (PC) made its debut, there was a sudden burst of
interest in computer systems that incited hobbyists to get a better understanding of
how the internal components of these technologies worked. Among these hobby-
ists were individuals from law enforcement, government agencies, and corporations
who started sharing what they had learned about technology and what informa-
tion could be extracted. These individuals are considered the pioneers of computer
forensics, as the field was initially known.
It was during this era that government agencies came to realize that the skilled
individuals who were assisting them with technology-related investigations needed
better and more formalized training, better structure in the processes they
followed, and better tools. In one stream, development of software-based programs,
like Maresware or AccessData, emerged with capabilities to facilitate specific digital
forensic activities (i.e., forensic imaging). In another stream of work, several
agencies built small groups of specialized and trained individuals who would be used
to gather evidence from computer systems to be used in legal proceedings. One of
the earliest groups created was the Federal Bureau of Investigation (FBI) Computer
Analysis Response Team (CART), established in 1984.
This structure is primarily attributed to the collective efforts of the pioneers
who brought about a new level of acceptable procedures, specialty-built tools, and
improved education and training. This era is when ad hoc efforts transitioned into
a structured state to address technology-related investigations.

Childhood (1995–2005)
Starting in 1995, new technical working groups (TWG) and scientific working
groups (SWG) followed the lead of the FBI CART with the goal of creating a
CBK of principles, methodologies, and techniques that could standardize and
bring about further formal structure to computer forensics. Work done by the
Scientific Working Group on Digital Evidence (SWGDE), in collaboration with
the International Organization on Computer Evidence (IOCE) and G8 High Tech
Crime Subcommittee, resulted in the first publication of digital forensic principles,
which proved to be a major step forward in formalizing digital forensics as a science.
In the 2000s, digital forensics was recognized as a science having established
structured procedures and making significant advancements in education and
training. With the technology explosion, such as the Internet and mobile devices,
the term computer forensics was becoming increasingly difficult to use because
of how digital evidence was now distributed across multiple interconnected
technologies. Recognizing this, the Digital Forensic Research Workshop (DFRWS)
proposed in 2001 to update the descriptor computer forensics into the term digital
forensics. This proposal initiated an expansion of new specializations, such as
network forensics and mobile forensics, which led to increased scrutiny over the
previously established digital forensics principles.
This era saw the establishment of more structure in processes, education, and
technologies. It was during this time that the formalization of digital forensics as a
professional discipline occurred as a result of establishing a consistent set of scientific
principles, methodologies, and techniques.

Adolescence (2005–2015)
In 2008 the American Academy of Forensic Sciences (AAFS) responded to the
scrutiny by creating the Digital and Multimedia Sciences (DMS) section, which led
to major advancements by providing a common foundation by which groups can
share knowledge and resolve digital-forensic challenges.
With the expanding scope of digital forensics, both academic curriculum and
professional certification programs were offered to educate, train, and accredit
professional knowledge and experience in the field. Likewise, digital forensic tools
underwent a major evolution away from the home-grown applications into feature-
robust and enterprise-capable commercial software suites that not only supported
digital forensics, but also provided functionality to the fields of incident response,
electronic discovery (eDiscovery), and information governance.
Today, what started out as the pastime of hobbyists has arrived at a point of
convergence between various law enforcement agencies, organizations large and small, and
several intelligence agencies where well-established best practices universally follow
consistent and scientifically proven principles, methodologies, and techniques. This era
is defined as enhancing the structure of digital forensics into an enterprise state.

Thoughts for the Future


Digital forensics has made significant advancements over the past 50 years to
become the mature scientific discipline it is today. Predicting the future is a
gambler’s game; but if history has taught us anything, it is that technology and
digital forensics will continue to evolve in parallel to each other.


One thing that is certain is that the digital-forensic CBK will continue to develop
and mature. At the end of the day, practitioners of the future will be better
educated and trained because they have decades of knowledge from every individual
who has contributed before them. On the other hand, future technology
advancements will each introduce unique challenges that the digital-forensic
community will need to address. Two examples of where the future of
digital forensics will see development are cloud and quantum computing.

Cloud Computing
Over the past several years, cloud computing has made significant shifts in how
organizations have transformed their business operations. Generally, there is no limit
to the type of business services that can be moved into cloud environments, which means
that the applications and data reside on systems external to the business itself. This
presents a challenge to digital forensics, as organizations do not have physical access
to the computer systems that might need to be seized and searched as part of an
investigation.
In 2014 the National Institute of Standards and Technology (NIST) released
a draft publication entitled NIST Cloud Computing Forensic Science Challenges
based on the research performed by the NIST Cloud Computing Forensic
Science Working Group. The document pulls together a list of challenges faced
by digital forensic practitioners when managing incidents and investigations in
a cloud-computing ecosystem. The goal of this publication is to put structure
around conducting digital forensics involving cloud-based systems and to establish
consistent principles, methodologies, and techniques.
For example, challenges identified by the NIST working group specific to
cloud-computing ecosystems include, but are not limited to:

◾◾ Recovery of deleted data in shared environments
◾◾ Evidence correlation across multiple cloud service providers (CSP)
◾◾ Segregation of electronically stored information (ESI) in multitenant systems
◾◾ Competence and trustworthiness of CSP as an effective and immediate first
responder
◾◾ Jurisdiction over interconnected devices anywhere around the world

The full list of challenges is in NIST Cloud Computing Forensic Science Challenges,
available on the NIST website
(http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf).

Quantum Computing
Currently, despite much theory and experimentation, quantum computing is still
in its infancy, and the topic of quantum forensics has received minimal attention
from research communities. From research completed so far, there are theories
that quantum computing could impact the capability to conduct live forensics on a
quantum system, leaving practitioners with postmortem forensic analysis as the
only option.
As discussed further in Chapter 2 titled “Investigative Process Methodologies,” data
that exists within a live, or dynamic, state can provide practitioners with a great
deal of potential evidence; however, it is extremely volatile. This means that if
criminals gained access to a quantum system to commit their crimes, there could be
minimal artifacts recoverable for use in any type of investigation.
Addressing concerns about the impact quantum computing could have on
live forensics, organizations will need to invest resources into understanding their
potential to extract the maximum amount of evidence from recoverable data
elements.

Evolutionary Cycle of Digital Forensics


Digital forensics has become the scientific discipline it is today because of the work
done by those involved in computer forensics in the 1970s. The structure and
maturity of the profession are the product of influences both tactical, such as
technology advancements, and strategic, such as the creation of global working groups
dedicated to digital forensics.
Making a prediction as to what the future holds for digital forensics is not a
trivial task. If we have learned anything about how the past has shaped digital
forensics into what it is today, the best and most educated prediction is that history
will repeat itself. This does not mean that the digital forensics profession will revert
to the way it was in the 1970s; rather, the maturity of the discipline will be
subject to continuous improvement that follows a cyclical methodology like the one
illustrated in Figure 1.1.

Ad Hoc Phase
The ad hoc phase between the 1970s and the mid-1980s is an example of a starting
point in the continuous improvement of digital forensics. Otherwise referred to as
the preforensics or protoforensics era, this phase is characterized by the absence of
structure; ambiguous goals; and an overall lack of tools, processes, and training.
Looking at the history of digital forensics and crime, discussed in Chapter 4
titled “Laws, Standards, and Regulations,” it is evident that both technological
advancements and legal precedent are the major contributors to evolution within
the digital forensic profession. Generally, the term ad hoc refers to something new
that has been created (i.e., technology, law) and, because of this, the approach is
disorganized or not theory driven. This is not to say that we ignore everything that
came previously and start anew, but that with new developments in technology,
there is a need to circle back to ensure structure is provided in terms of digital
forensic capabilities.

Figure 1.1 Digital forensics evolutionary cycle. (Figure labels: Ad-hoc, Structured,
Enterprise; Science, Law, Technology.)

Structured Phase
The structured phase from the mid-1980s through the 1990s is an example of the
next period in the evolution of digital forensics. This phase is characterized by the
development of complex solutions, which brings harmony and structure to pro-
cesses and tools that were identified as challenges faced during the ad hoc phase.
Elements specifically addressed during this phase include:

◾◾ Establishment of policy-based programs (i.e., laws, regulations)
◾◾ Definition and coordination of processes that align with established policies
◾◾ Requirement for forensically sound3 tools

Foremost, for investigative processes to be clearly defined and documented,
there need to be policies in place, such as laws and regulations, to establish
a foundation for investigation. In turn, these policies drive the need to
legitimize processes and tools to ensure they are consistently applied to ensure
repeatable and reproducible outcomes. Ultimately, if the tools used cannot
consistently reproduce results, their legitimacy can be called into question and
the forensic viability of evidence gathered or processed cannot be guaranteed.
For processes and tools to produce credible evidence that is forensically sound,
that evidence must be:

◾◾ Verifiable as authentic to its original source data
◾◾ Collected and preserved in a manner that preserves its integrity
◾◾ Analyzed using tools and techniques that maintain its integrity

At the end of this phase, the formal structure brings digital forensic processes and
tools in line with the scientific principles, methodologies, and techniques required
for achieving a state of maturity.

Enterprise Phase
The enterprise phase in the 2000s is an example of the final era in the maturity of
digital forensics. This phase is characterized by the recognition of processes and
tools to be a science that involves the real-time collection of evidence; the general
acceptance for the development of effective tools and processes; and the application
of formally structured principles, methodologies, and techniques.
Ultimately, this phase of the digital forensic evolution came about from
the need to automate digital forensic processes. Not only does this automation
support the ability to perform proactive evidence collection, but it also
allows for methodologies and techniques to be consistently applied that maintain
standards set out by the legal system to ensure the legal admissibility of
evidence.
The evolution of digital forensics is cyclical when it comes to maturing existing
scientific principles, methodologies, and techniques for new technologies and
standards (i.e., laws and regulations). However, at the same time the evolution of
digital forensics is linear in the sense that, as the scientific principles,
methodologies, and techniques mature, the continued development of and
contribution to the digital forensic CBK persist.

Technical and Scientific Working Groups


Throughout the evolution of digital forensics, several different working groups
were created to develop a CBK of principles, methodologies, and techniques
that could standardize and bring formal structure to computer/digital forensics.
Over the years, more than 30 different working groups have been established.
Each of these groups has played, and continues to play, a large role in the
development of standards and guidelines, facilitating the research and development
of forensic science, and several other disciplines related to law enforcement
and security.


As early as 1984, law enforcement agencies developed programs to examine
digital evidence. As mentioned earlier, one of the earliest groups created was CART
by the FBI in 1984, established to address the growing need for a structured and
programmatic approach to handling the challenges of digital evidence. Even
though CART was unique to the FBI, its basic functions and general organization
were replicated by many foreign law enforcement agencies.
In the early 1990s, scientists gathered to form technical working groups (TWG)
during the structured phase of digital forensics. Predominantly, these TWGs
were of short duration and usually had a single deliverable, such as guidebooks.
While not directly related to the digital forensic profession, the FBI created the
first TWG, a group of scientists meeting to discuss the challenges being faced by
the introduction of DNA evidence into the legal system. Finalized in 1993, the
work completed by the Technical Working Group for DNA Analysis Methods
(TWGDAM) created guidelines for proficiency testing and quality assurance,
which gave DNA evidence a solid scientific foundation when presented in a court
of law. At the same time, the U.S. Department of Justice’s (DOJ) National Institute
of Justice (NIJ) recognized the work being done by the FBI’s working group and
decided to borrow their model to further expand on it. The NIJ created several of its
own TWGs to address the technical needs of the U.S. criminal justice system and
to recommend initiatives the NIJ should fund. Instead of limiting membership
to scientists, the NIJ invited experts and professionals—including practitioners,
engineers, attorneys, academics, and other agencies—to broaden the range of
knowledge and experience of those contributing to the TWGs.

International Organization on Computer Evidence (IOCE)


In 1995 the International Organization on Computer Evidence (IOCE) was
created to provide international law enforcement agencies a forum to collaborate
and exchange information about computer crime investigations and other forensics
issues involving technology. In response to the G8 Communique and action
plans of December 1997, working groups from around the world—including
Canada, Europe, and the United States—began developing international standards
for the handling and recovery of digital evidence. The standardized international
principles for the recovery of digital evidence are governed by the following
attributes:

◾◾ Consistency with all legal systems
◾◾ Allowance for the use of a common language
◾◾ Durability
◾◾ Ability to cross international boundaries
◾◾ Ability to instill confidence in the integrity of evidence
◾◾ Applicability to all forensic evidence
◾◾ Applicability at every level, including that of individual, agency, and country


At the International Hi-Tech Crime and Forensics Conference (IHCFC) in 1999,
the IOCE proposed the following principles that were unanimously approved by
member countries:

◾◾ Upon seizing digital evidence, actions taken should not change that evidence.
◾◾ When it is necessary for a person to access original digital evidence, that
person must be forensically competent.
◾◾ All activity relating to the seizure, access, storage, or transfer of digital
evidence must be fully documented, preserved, and available for review.
◾◾ An individual is responsible for all actions taken with respect to digital
evidence while the digital evidence is in their possession.
◾◾ Any agency that is responsible for seizing, accessing, storing, or transferring
digital evidence is responsible for compliance with these principles.

G8 High-Tech Crime Subcommittee


In 1997 the G8 States (France, Germany, Italy, the United Kingdom, Japan,
the United States, Canada, and Russia) established the Subgroup of High-Tech
Crime. The goal of this subcommittee was “to ensure that law enforcement agencies
can quickly respond to serious cyber-threats and incidents” by guaranteeing
that no criminal receives safe havens anywhere in the world. From the work of
the G8 Subgroup, the Principles On Transborder Access to Stored Computer Data—
Data Principles on Accessing Data Stored in a Foreign State were approved by the
G8 Group containing the following series of principles to combat computer
crime, which should be applied when law enforcement agencies are investigating
technology-related crimes in other countries:

◾◾ Preservation of stored data in a computer system
– Each State shall ensure its ability to secure rapid preservation of data
that is stored in a computer, in particular data held by third parties
such as service providers, and that is subject to short retention practices
or is otherwise particularly vulnerable to loss or modification, for the
purpose of seeking its access, search, copying, seizure or disclosure,
and ensure that preservation is possible even if necessary only to assist
another State.
– A State may request another State to secure rapid preservation of data
stored in a computer system located in that other State.
– Upon receiving a request from another State, the requested State shall
take all appropriate means, in accordance with its national law, to
preserve such data expeditiously. Such preservation shall be for a reasonable
time to permit the making of a formal request for the access, search,
copying, seizure or disclosure of such data.


◾◾ Expedited mutual legal assistance
– Upon receiving a formal request for access, search, copying, seizure or
disclosure of data, including data that has been preserved, the requested
State shall, in accordance with its national law, execute the request as
expeditiously as possible, by:
• Responding pursuant to traditional legal assistance procedure
• Ratifying or endorsing any judicial or other legal authorization that
was granted in the requesting State and, pursuant to traditional legal
assistance procedures, disclosing any data seized to the requesting
State
• Using any other method of assistance permitted by the law of the
requested State
– Each State shall, in appropriate circumstances, accept and respond to
legal assistance requests made under these Principles by expedited but
reliable means of communications, including voice, fax or e-mail, with
written confirmation to follow where required.
◾◾ Transborder access to stored data not requiring legal assistance
– Notwithstanding anything in these Principles, a State need not obtain
authorization from another State when it is acting in accordance with its
national law for the purpose of:
• Accessing publicly available (open source) data, regardless of where
the data is geographically located
• Accessing, searching, copying, or seizing data stored in a computer
system located in another State, if acting in accordance
with the lawful and voluntary consent of a person who has the
lawful authority to disclose to it that data. The searching State
should consider notifying the searched State, if such notification
is permitted by national law and the data reveals a violation of
criminal law or otherwise appears to be of interest to the searched
State.

Scientific Working Group on Digital Evidence (SWGDE)


In 1998 the Technical Working Group on Digital Evidence (TWGDE) held their
first meeting, consisting of members from several government and law enforcement
agencies. With rapid adoption of the work generated by the TWGDE,
the name was changed to the Scientific Working Group on Digital Evidence
(SWGDE) to distinguish the group’s long-term focus on forensic science to continue
developing and standardizing forensic protocols and analytical practices.
The SWGDE, functioning as the US-based representation for IOCE efforts, is
responsible for “the development of cross-disciplinary guidelines and standards
for the recovery, preservation, and examination of digital evidence, including
audio, imaging, and electronic devices.” The standards and principles defined by
the SWGDE are as follows:

◾◾ Principle 1: In order to ensure that digital evidence is collected, preserved,
examined, or transferred in a manner safeguarding the accuracy and reliability
of the evidence, law enforcement and forensic organizations must establish and
maintain an effective quality system. Standard Operating Procedures (SOPs)
are documented quality-control guidelines that must be supported by proper
case records and use broadly accepted procedures, equipment, and materials.
– Standards and Criteria 1.1: All agencies that seize and/or examine digital
evidence must maintain an appropriate SOP document. All elements of
an agency’s policies and procedures concerning digital evidence must be
clearly set forth in this SOP document, which must be issued under the
agency’s management authority.
– Standards and Criteria 1.2: Agency management must review the SOPs
on an annual basis to ensure their continued suitability and effectiveness.
– Standards and Criteria 1.3: Procedures used must be generally accepted in
the field or supported by data gathered and recorded in a scientific manner.
– Standards and Criteria 1.4: The agency must maintain written copies of
appropriate technical procedures.
– Standards and Criteria 1.5: The agency must use hardware and software
that is appropriate and effective for the seizure or examination procedure.
– Standards and Criteria 1.6: All activity relating to the seizure, storage,
examination, or transfer of digital evidence must be recorded in writing
and be available for review and testimony.
– Standards and Criteria 1.7: Any action that has the potential to alter,
damage, or destroy any aspect of original evidence must be performed by
qualified persons in a forensically sound manner.

Principles of Digital Forensics


Digital forensics is the application of science to law, and, subsequently, must follow
the scientific principles, methodologies, and techniques required for admissibility in
a court of law. Even if legal prosecution is not the end goal of an investigation, such
as corporate policy violations, there may be a requirement for legal action at some
point. Therefore, it is important to handle all potential digital evidence in a manner
that guarantees it will remain admissible in a court of law.

Evidence Exchange
One of the main goals in conducting a forensic investigation is to establish factual
conclusions that are based on credible evidence. According to Locard’s Exchange
Principle, illustrated in Figure 1.2, anyone or anything entering a crime scene takes
something in with them and leaves something behind when they leave. Locard’s
Exchange Principle states that with contact between entities, there will be an exchange.

Figure 1.2 Locard’s Exchange Principle. (Figure labels: Suspect, Victim, Digital
evidence, Crime scene, Exchange.)

In the physical world, an example of this exchange can occur where a perpetrator
might inadvertently leave their fingerprints or traces of blood at the crime scene.
Alternatively, another example could be where a perpetrator might take a crucial
piece of evidence away from the crime scene, such as a knife, to make the job of
identifying evidence more challenging. In both examples, these exchanges produce
tangible forms of evidence that demonstrate both class and individual
characteristics. Evidence that possesses class characteristics, otherwise referred to as class
evidence, has features that group items by type, such as hair color. On its own,
this type of evidence does not provide conclusive identification of a perpetrator or
individualizing characteristics. What individualizes evidence, such as hair color,
are those characteristics that possess unique qualities that differentiate one from
another and help to narrow down the group to a single item. Using the analogy of
hair color, examples of individual characteristics can include, but are not limited to,
length, style (e.g., straight, wavy), or highlights.
In the digital world, evidence exists in a logical state that is intangible in comparison
to physical evidence. However, exchanges like those in the physical world can
persist and are equally as relevant in the digital world. Email communication and web
browsing are clear examples of how these exchanges occur within the digital world.
If a threatening email message is sent, the individual’s computer will contain
artifacts of this, as will the email servers used to transmit the message between people.
Practitioners can identify and gather a copious amount of evidence relating to this
threatening email in the form of access logs, email logs, and other artifacts within
computer systems.

Forensic Soundness
Evidence can make or break an investigation. Equally important in both the
physical and digital worlds, it is critical that evidence is handled in a way that will
not raise questions when later presented in a court of law.


Forensically sound is a term used to qualify and, in some cases, justify the use
of a technology or methodology. Likewise, forensic soundness occurs when ESI,2 as
digital evidence, remains complete and materially unaltered as a result of using a
technology or methodology. This means that during every digital investigation,
proper forensic techniques are used following consistent methodologies that are
based on established scientific principles.
While Chapter 2 titled “Investigative Process Methodologies” discusses this
further, the below principles must be followed to achieve forensic soundness specific
to digital evidence:

◾◾ Minimally Handle the Original: Digital forensic processes should be minimally
applied to original data sources. Instead, a forensic image of ESI should be
taken and used to perform investigative processes and techniques.
◾◾ Account for Any Change: In some instances, digital evidence can change from
its original state. When change occurs, it should be documented to note the
nature, extent, and reason for the change.
◾◾ Comply with the Rules of Evidence: Throughout an investigation, applicable
rules of evidence (e.g., laws and regulations) should be considered. Refer to
Chapter 4 titled “Laws, Standards, and Regulations” for additional information.
◾◾ Avoid Exceeding One’s Knowledge: Do not undertake any activity or task that
is beyond your current level of knowledge and skill.

Human error is perhaps one of the biggest reasons digital evidence fails to maintain
forensic soundness. To guarantee forensic soundness, digital evidence must
be gathered, processed, and maintained following principles, methodologies, and
techniques that do not alter its state at any time, thereby demonstrating that the
evidence is authentic and has integrity.

Authenticity and Integrity
The goal for maintaining the authenticity of digital evidence is to demonstrate
that it is the same data as what was originally seized. From a technical perspective,
there are times when digital evidence cannot be compared to its original state,
such as with random access memory (RAM) that is constantly in a state of change.
For these occurrences, point-in-time snapshots are taken that demonstrate the state
of the technology at that moment. From a legal perspective, authentication means
satisfying the legal systems that the:

◾ Content of the record has remained unchanged
◾ Information in the record does in fact originate from its original source
◾ Extraneous information about the record is accurate (i.e., timestamp)

Supporting the need to establish authenticity, the goal for maintaining the integrity
of digital evidence is to demonstrate that it has not been changed since the time it
was first gathered. In digital forensics, verifying integrity involves comparing the
digital fingerprint of digital evidence when it is first gathered and subsequently
throughout its lifecycle. Currently, the most common means of generating a digital
fingerprint in digital forensics is to use a one-way cryptographic hash algorithm
such as the Message Digest Algorithm family (i.e., MD5, MD6)4 or the Secure
Hashing Algorithm family (i.e., SHA-1, SHA-2, SHA-3).5

In 2004–2005, experts identified that the MD5 and SHA-1 algorithms contained
flaws where two unique inputs, having distinctively different properties
and characteristics, would result in the same computational hash value being
outputted.
Dubbed a “hash collision,” this meant that the same computational hash
value could be engineered in a way that multiple pieces of digital evidence could
return the same hash value. Naturally, this raised concerns in the digital forensic
community about the impact it would have on the legal admissibility of digital
evidence.
In 2009, during the matter of United States vs. Joseph Schmidt III, the
court ruled that the chance of a hash collision is not significant and is not an issue.
Specifically, a digital fingerprint of a file still produces a digital algorithm that
uniquely identifies that file.
This ruling meant that digital evidence whose integrity was established using
either the MD5 or SHA-1 algorithm can be relied upon as legally admissible.

The uniqueness of these cryptographic algorithms makes them an important
technique for documenting the integrity of digital evidence. While the potential
for “hash collisions” exists, the use of the Message Digest Algorithm family or
Secure Hashing Algorithm family remains an acceptable way of demonstrating the
authenticity and integrity of digital evidence.

Chain of Custody
Perhaps the most important aspect of maintaining authenticity and integrity is
documenting the continuity of possession for digital evidence. This chain of custody
is used to demonstrate the transfer of ownership over digital evidence between
entities and can be used to validate the integrity of evidence being presented in
court. Without a chain of custody in place, arguments can be made that evidence
has been tampered with, altered, or improperly handled, which can lead to potential
evidence contamination or other consequences. It is best to keep the number of
custody transfers to a minimum, as these individuals can be called upon to provide
testimony on the handling of evidence during the time they controlled it.


A sample template that can be used as a chain-of-custody form has been
provided in the Templates section of this book.
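
The fingerprint comparison from "Authenticity and Integrity" and the continuity-of-possession record from "Chain of Custody" can be combined in a short script. The following Python is an added example, not code from the book: it fingerprints a constructed image file at acquisition, re-verifies it later, and keeps a custody log in which each entry is bound to the image digests and to the previous entry. The file name, field names, custodian names, timestamps, and the choice to record SHA-256 (SHA-2 family) alongside MD5 and SHA-1 are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # sha256 belongs to the SHA-2 family
GENESIS = "0" * 64                      # prev_hash value of the first log entry


def fingerprint(path, chunk_size=1024 * 1024):
    """Hash a file in chunks (images are large) with every algorithm in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:  # read-only access to the image
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify(path, recorded):
    """Return the algorithms whose current digest no longer matches the record."""
    current = fingerprint(path)
    return [name for name in ALGORITHMS if current[name] != recorded[name]]


def entry_hash(entry):
    """SHA-256 over every field of a custody entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_custody_entry(log, path, released_by, received_by, when, reason):
    """Append a transfer record bound to the image digests and the previous entry."""
    entry = {
        "seq": len(log) + 1,
        "when": when,
        "released_by": released_by,
        "received_by": received_by,
        "reason": reason,
        "digests": fingerprint(path),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def audit_log(log):
    """List problems: edited entries, broken links, custody gaps, digest changes."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            problems.append(f"entry {entry['seq']}: broken link to previous entry")
        if entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {entry['seq']}: edited after it was written")
        if i and entry["released_by"] != log[i - 1]["received_by"]:
            problems.append(f"entry {entry['seq']}: gap in continuity of possession")
        if entry["digests"] != log[0]["digests"]:
            problems.append(f"entry {entry['seq']}: digests differ from acquisition")
        prev = entry["entry_hash"]
    return problems


def demo():
    """Run the workflow on a constructed image file and return each result."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "case001.dd")  # constructed sample, not real evidence
        with open(image, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE EVIDENCE " * 4096)
        log = []
        add_custody_entry(log, image, "Scene", "Examiner A", "2024-01-10T09:00Z", "acquisition")
        add_custody_entry(log, image, "Examiner A", "Evidence locker", "2024-01-10T17:00Z", "storage")
        results["clean_audit"] = audit_log(log)
        results["clean_verify"] = verify(image, log[0]["digests"])

        with open(image, "r+b") as fh:  # simulate an undocumented one-byte change
            fh.seek(100)
            fh.write(b"\x00")
        results["after_change"] = verify(image, log[0]["digests"])
        add_custody_entry(log, image, "Evidence locker", "Examiner B", "2024-01-11T09:00Z", "analysis")
        results["audit_after_change"] = audit_log(log)

        log[0]["received_by"] = "Someone else"  # simulate a retroactive log edit
        results["audit_after_edit"] = audit_log(log)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash chain exposes edits only if the most recent entry hash is also recorded somewhere the log's keeper cannot rewrite, such as on the signed chain-of-custody form.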

Summary
Digital forensics is the application of science to law and must follow established and
scientifically proven principles, methodologies, and techniques required to legally
admit evidence in a court of law. If history has taught us anything, it is that the
advancement in technology will stand as the catalyst to new and evolved digital
forensic principles, methodologies, and techniques.

Glossary
1. Common body of knowledge (CBK) is the complete concepts, terms, and
activities that make up a professional domain.
2. Electronically stored information (ESI) is information created, manipulated,
communicated, stored, and best utilized in digital form and requiring the use of
computer hardware and software.
3. Forensically sound qualifies and, in some cases, justifies the use of a forensic
technology or methodology.
4. Message Digest Algorithm family is a suite of one-way cryptographic hashing
algorithms that is commonly used to verify data integrity through the creation
of a unique digital fingerprint of differing length based on version used.
5. Secure Hashing Algorithm family is a suite of one-way cryptographic hashing
algorithms that is commonly used to verify data integrity through the creation
of a unique digital fingerprint of differing length based on version used.



