Forensic Examination of Digital Evidence
James K. Pace Senior Special Agent Chief of Computer Forensics and Investigations U.S. Army Criminal Investigation Laboratory Forest Park, Georgia Scott R. Patronik Chief, Division of Technology and Advancement Erie County Sheriff’s Office Buffalo, New York Greg Redfern Director Department of Defense Computer Investigations Training Program Linthicum, Maryland Henry R. Reeve General Counsel Second Judicial District Denver, Colorado Jim Riccardi, Jr. Electronic Crime Specialist National Law Enforcement and Corrections Technology Center–Northeast Rome, New York Greg Schmidt Investigations/Technical Computer Forensics Examiner Plano, Texas Howard Schmidt Vice Chair President’s Critical Infrastructure Protection Board Washington, D.C. Raemarie Schmidt Computer Crimes Training Specialist National White Collar Crime Center Computer Crime Section Fairmont, West Virginia John A. Sgromolo President Digital Forensics, Inc. Clearwater, Florida George Sidor Sr. Computer Forensics Investigator G-Wag, Inc. St. Albert, Alberta Canada Mike Weil Computer Forensic Examiner DoD Computer Forensics Laboratory Linthicum, Maryland viii
Contents Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii Technical Working Group for the Examination of Digital Evidence. . . . . . . . . . v Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Chapter 1. Policy and Procedure Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Chapter 2. Evidence Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Chapter 3. Evidence Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Chapter 4. Evidence Examination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Chapter 5. Documenting and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Appendix A. Case Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Appendix B. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Appendix C. Sample Worksheets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Appendix D. Examples of Request for Service Forms . . . . . . . . . . . . . . . . . . . . . 51 Appendix E. Legal Resources List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Appendix F. Technical Resources List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Appendix G. Training Resources List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Appendix H. List of Organizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 ix
- Page 1 and 2: APR. 04 U.S. Department of Justice
- Page 3 and 4: APR. 04 Forensic Examination of Dig
- Page 5 and 6: Foreword Developments in the world
- Page 7 and 8: Technical Working Group for the Exa
- Page 9: Michael Finnie Forensic Specialist
- Page 13 and 14: SPECIAL REPORT / APR. 04 Examinatio
- Page 15 and 16: SPECIAL REPORT / APR. 04 ongoing tr
- Page 17 and 18: Chapter 2. Evidence Assessment Prin
- Page 19 and 20: FORENSIC EXAMINATION OF DIGITAL EVI
- Page 21 and 22: Chapter 3. Evidence Acquisition Pri
- Page 23 and 24: FORENSIC EXAMINATION OF DIGITAL EVI
- Page 25 and 26: SPECIAL REPORT / APR. 04 ■ File c
- Page 27 and 28: SPECIAL REPORT / APR. 04 ■ Analyz
- Page 29 and 30: SPECIAL REPORT / APR. 04 During the
- Page 31 and 32: Appendix A. Case Examples The follo
- Page 33 and 34: FORENSIC EXAMINATION OF DIGITAL EVI
- Page 35 and 36: FORENSIC EXAMINATION OF DIGITAL EVI
- Page 37 and 38: FORENSIC EXAMINATION OF DIGITAL EVI
- Page 39 and 40: FORENSIC EXAMINATION OF DIGITAL EVI
- Page 42 and 43: FORENSIC EXAMINATION OF DIGITAL EVI
- Page 44 and 45: FORENSIC EXAMINATION OF DIGITAL EVI
- Page 46 and 47: Appendix B. Glossary The following
- Page 48 and 49: FORENSIC EXAMINATION OF DIGITAL EVI
- Page 50 and 51: SPECIAL REPORT / APR. 04 Computer E
- Page 52 and 53: SPECIAL REPORT / APR. 04 Hard Drive
- Page 54 and 55: SPECIAL REPORT / APR. 04 Removable
- Page 56 and 57: Appendix D. Examples of Request for
- Page 58 and 59: FORENSIC EXAMINATION OF DIGITAL EVI
James K. Pace<br />
Senior Special Agent<br />
Chief <strong>of</strong> Computer <strong>Forensic</strong>s and<br />
Investigations<br />
U.S. Army Criminal Investigation<br />
Laboratory<br />
Forest Park, Georgia<br />
Scott R. Patronik<br />
Chief, Division <strong>of</strong> Technology and<br />
Advancement<br />
Erie County Sheriff’s Office<br />
Buffalo, New York<br />
Greg Redfern<br />
Director<br />
Department <strong>of</strong> Defense Computer<br />
Investigations Training Program<br />
Linthicum, Maryland<br />
Henry R. Reeve<br />
General Counsel<br />
Second Judicial District<br />
Denver, Colorado<br />
Jim Riccardi, Jr.<br />
Electronic Crime Specialist<br />
National Law Enforcement and Corrections<br />
Technology Center–Northeast<br />
Rome, New York<br />
Greg Schmidt<br />
Investigations/Technical<br />
Computer <strong>Forensic</strong>s Examiner<br />
Plano, Texas<br />
Howard Schmidt<br />
Vice Chair<br />
President’s Critical Infrastructure<br />
Protection Board<br />
Washington, D.C.<br />
Raemarie Schmidt<br />
Computer Crimes Training Specialist<br />
National White Collar Crime Center<br />
Computer Crime Section<br />
Fairmont, West Virginia<br />
John A. Sgromolo<br />
President<br />
<strong>Digital</strong> <strong>Forensic</strong>s, Inc.<br />
Clearwater, Florida<br />
George Sidor<br />
Sr. Computer <strong>Forensic</strong>s Investigator<br />
G-Wag, Inc.<br />
St. Albert, Alberta<br />
Canada<br />
Mike Weil<br />
Computer <strong>Forensic</strong> Examiner<br />
DoD Computer <strong>Forensic</strong>s Laboratory<br />
Linthicum, Maryland<br />
viii
Change language