Professional Documents
Culture Documents
PDF Implementing Digital Forensic Readiness From Reactive To Proactive Process 2Nd Edition Jason Sachowski Ebook Full Chapter
PDF Implementing Digital Forensic Readiness From Reactive To Proactive Process 2Nd Edition Jason Sachowski Ebook Full Chapter
https://textbookfull.com/product/digital-forensics-and-
investigations-people-process-and-technologies-to-defend-the-
enterprise-1st-edition-jason-sachowski-author/
https://textbookfull.com/product/veterinary-forensic-
pathology-2-1st-edition-jason-w-brooks/
https://textbookfull.com/product/forensic-uses-of-digital-
imaging-second-edition-russ/
https://textbookfull.com/product/nato-and-the-western-balkans-
from-neutral-spectator-to-proactive-peacemaker-1st-edition-niall-
mulchinock-auth/
Forensic Data Collections 2.0: A Selection of Trusted
Digital Forensics Content 2nd Edition Robert B. Fried
https://textbookfull.com/product/forensic-data-
collections-2-0-a-selection-of-trusted-digital-forensics-
content-2nd-edition-robert-b-fried/
https://textbookfull.com/product/digital-forensic-art-techniques-
a-professionals-guide-to-corel-painter-first-edition-natalie-
murry/
https://textbookfull.com/product/cybersecurity-readiness-first-
edition-dave-chatterjee/
https://textbookfull.com/product/the-law-enforcement-and-
forensic-examiner-s-introduction-to-linux-a-comprehensive-
beginner-s-guide-to-linux-as-a-digital-forensic-platform-barry-j-
grundy/
https://textbookfull.com/product/feedstock-technology-for-
reactive-metal-injection-molding-process-design-and-
application-1st-edition-peng-cao/
Implementing Digital
Forensic Readiness
Implementing Digital
Forensic Readiness
From Reactive to Proactive Process
Second Edition
Jason Sachowski
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts
have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize
to copyright holders if permission to publish in this form has not been obtained. If any copyright material
has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, trans-
mitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter
invented, including photocopying, microfilming, and recording, or in any information storage or retrieval
system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com
(http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Dan-
vers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a
variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of
payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are
used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
Preface xvii
Acknowledgments xviii
Introduction xix
Author xxi
Section I
ENABLING DIGITAL FORENSICS
v
vi Contents
Section II
ENHANCING DIGITAL FORENSICS
Benefits Analysis 83
Implementing Forensics Readiness 85
Summary 86
Intermediate 190
Advanced 191
Digital Forensics Experts 192
Summary 194
Section III
INTEGRATING DIGITAL FORENSICS
18 Forensics Readiness in Cloud Environments 218
Introduction 218
Brief History of Cloud Computing 218
What Is Cloud Computing? 219
Characteristics 220
Service Models 221
Delivery Models 221
Isolation Models 222
Challenges with Cloud Environments 223
Mobility 223
Hyper-Scaling 223
Containerization 224
First Responders 224
Evidence Gathering and Processing 224
Forensics Readiness Methodology 225
Step #1: Define Business Risk Scenarios 225
Step #2: Identify Potential Data Sources 226
Step #3: Determine Collection Requirements 227
Enterprise Management Strategies 228
Cloud Computing Governance 228
Security and Configuration Standards 229
Reference Architectures 229
Step #4: Establish Legal Admissibility 232
Layers of Trust 232
Step #5: Establish Secure Storage and Handling 234
Step #6: Enable Targeted Monitoring 235
Step #7: Map Investigative Workflows 236
Phase #1: Preparation 236
Phase #2: Gathering 237
Phase #3: Processing 238
Phase #4: Presentation 238
Step #8: Establish Continuing Education 238
General Awareness 239
Basic Training 239
Formal Education 239
Step #9: Maintain Evidence-Based Presentations 240
Step #10: Ensure Legal Review 240
Contractual Agreements 241
Summary 242
xiv Contents
Section IV
ADDENDUMS
Section V
APPENDIXES
Section VI
TEMPLATES
The art of war teaches us to rely not on the likelihood of the enemy’s not coming,
but on our own readiness to receive him; not on the chance of his not attack-
ing, but rather on the fact that we have made our position unassailable.
—Sun Tzu
The Art of War
xvii
Acknowledgments
I would like to most of all thank my wife and my children for showing me that
no matter what I do in my lifetime, they will always be my greatest success.
Thank you to my parents for providing me with countless opportuni-
ties to become who I am today and for encouraging me to keep pushing my
boundaries.
Thank you to my colleagues for allowing me the honor of working with
you and for the infinite wisdom and knowledge you have given me.
Lastly, thank you to Blair for opening doors.
xviii
Introduction
xix
xx Introduction
the people, process, and technology areas are used to defend the enterprise
through integrating digital forensics capabilities with key business functions.
The information contained in this book has been written to benefit peo-
ple who:
xxi
Enabling
Digital Forensics I
Understanding
Digital Forensics
1
Introduction
Prologue (1960s–1980s)
From the 1960s to 1980s, computers were owned and operated by corporations,
universities, research centers, and government agencies. Computers were used
primarily as industrial systems largely supporting data processing functions and
were, for the most part, not connected to the outside world. Responsibility for
securing these computer systems was left to administrators who would perform
routine audits to ensure the efficiency and accuracy of the data processing
functions. These activities were essentially the first systematic approach to a
computer security discipline.
It was during this time that the computer first became a point of
interest to the information security, legal, and law enforcement communities.
Several government agencies started creating small ad hoc groups of
individuals who were then provided with basic training on computer systems.
These “investigators” would work with administrators to gather information
from the computer systems to be used as evidence in criminal matters.
Prior to the 1980s, computer crimes were largely dealt with under existing
laws. However, in response to an increasing number of computer crimes,
law enforcement agencies began establishing new laws to address computer
crimes. The first computer crime law, the Florida Computer Crimes Act, was
created in 1978 to address fraud, intrusion, and all unauthorized access to
computer systems. The evolution of crime into computer systems during this
time led to new terms such as computer forensics, forensics computer analysis,
and forensics computing.
Infancy (1980–1995)
With the arrival of the IBM personal computer (PC), there was a sudden
explosion of computer hobbyists around the world. These PCs had very few
applications and were not user friendly, which enticed hobbyists to write
program code and access the internals of both the hardware and operating
system (OS) to better understand how they worked. Amongst the hobbyists
were individuals from law enforcement, government agencies, and other
organizations who collectively shared their understanding of computer
systems and how technology could play a larger role as a source of evidence.
Much of the time and money spent by these individuals to learn about these
modern technologies was done of their own accord because their respective
agencies did not necessarily support their efforts.
Investigations performed by these pioneers were rudimentary from
today’s perspective. The Internet was not yet widely available for consumer use,
which limited the scope of most investigations to data recovery on standalone
computer systems. Cyber criminals mostly consisted of a mix of traditional
criminals who used technology to support their activities (e.g., phreaking)
and people who used their technical skills to illegally access other computers.
During this time, there were very few tools available, which left
investigators to either build their own or use available data protection and
recovery applications to perform analysis. Additionally, the only means of
preserving evidence was taking logical backups of data onto magnetic tape,
hoping that the original attributes were preserved, and restoring the data to
another disk, where analysis was performed using command-line utilities.
Throughout the 1990s, forensics tools began to emerge from both the hob-
byists (e.g., Dan J. Mare’s Maresware, Gord Hama’s RCMP Utilities) and larger
software vendors (e.g., Norton’s Utilities, Mace Utilities). These applications and
software suites were developed to solve specific forensics activities (e.g., imaging,
file recovery) and proved to be powerful tools for the computer forensics practice.
As technology became more widely available and reports of different
types of computer crimes were becoming more widely known, law
enforcement agencies around the world started responding by enacting laws
similar to that passed by Florida. In 1983, Canada was the first to respond by
6 Understanding Digital Forensics
Childhood (1995–2005)
The next decade proved to be a major step forward in the maturity of digital
forensics. Technology quickly became pervasive amongst consumers, where
it was embedded in many facets of our daily lives, which drove significant
technology innovation (e.g., mobile devices). Plus, the Internet had gained
enough momentum for it to become more readily available for use in homes
and businesses, introducing personal accessibility to email and web browsing.
Accompanied by these advances in technology was the opportunity for
criminals to commit new cybercrimes. An example of this opportunity
being made available through technology occurred following the events on
September 11, 2001, when investigators realized that digital evidence of the
attack was recoverable on computers located across the world. This revelation
reinforced the fact that criminals were using technology in the same
ubiquitous ways as the everyday consumer.
From the technology-sponsored growth of digital crime, the term computer
forensics became increasing challenging to use because both crimes and evidence
could now be found throughout networks, printers, and other devices. In 2001,
the first annual Digital Forensics Research Workshop (DFRWS) recognized
that computer forensics was considered a specialization and proposed the use of
the term digital forensics to describe the discipline as a whole.
Expansion of the field into the all-encompassing digital forensics resulted
in the creation of specializations for investigating different technologies.
In addition to the traditional computer forensics becoming a concentration,
there was the introduction of network forensics and mobile forensics.
However, with the formation of these specializations came increased
technical sophistication and legal scrutiny over requirements to follow
standardized principles, methodologies, and techniques.
The formalization of digital forensics led to the first publication of
standardized principles being issued between 1999 and 2000 from the
Another random document with
no related content on Scribd:
TO STEW A SHOULDER OF VENISON.
92. Minced collops of venison may be prepared exactly like those of beef; and
venison-cutlets like those of mutton: the neck may be taken for both of these.
(Superior Receipt.)
A hare may be rendered far more plump in appearance, and
infinitely easier to carve, by taking out the bones of the back and
thighs, or of the former only: in removing this a very sharp knife
should be used, and much care will be required to avoid cutting
through the skin just over the spine, as it adheres closely to the
bone. Nearly double the usual quantity of forcemeat must be
prepared: with this restore the legs to their original shape, and fill the
body, which should previously be lined with delicate slices of the
nicest bacon, of which the rind and edges have been trimmed away.
Sew up the hare, truss it as usual; lard it or not, as is most
convenient, keep it basted plentifully with butter while roasting, and
serve it with the customary sauce. We have found two
tablespoonsful of the finest currant jelly, melted in half a pint of rich
brown gravy, an acceptable accompaniment to hare, when the taste
has been in favour of a sweet sauce.
To remove the back-bone, clear from it first the flesh in the inside;
lay this back to the right and left from the centre of the bone to the
tips; then work the knife on the upper side quite to the spine, and
when the whole is detached except the skin which adheres to this,
separate the bone at the first joint from the neck-bone or ribs (we
know not how more correctly to describe it), and pass the knife with
caution under the skin down the middle of the back. The directions
for boning the thighs of a fowl will answer equally for those of a hare,
and we therefore refer the reader to them.
STEWED HARE.
Wash and soak the hare thoroughly, wipe it very dry, cut it down
into joints dividing the largest, flour and brown it slightly in butter with
some bits of lean ham, pour to them by degrees a pint and a half of
gravy, and stew the hare very gently from an hour and a half to two
hours: when it is about one third done add the very thin rind of half a
large lemon, and ten minutes before it is served stir to it a large
dessertspoonful of rice-flour, smoothly mixed with two tablespoonsful
of good mushroom catsup, a quarter of a teaspoonful or more of
mace, and something less of cayenne. This is an excellent plain
receipt for stewing a hare; but the dish may be enriched with
forcemeat (No. 1, Chapter VIII.) rolled into small balls, and simmered
for ten minutes in the stew, or fried and added to it after it is dished;
a higher seasoning of spice, a couple of glasses of port wine, with a
little additional thickening and a tablespoonful of lemon-juice, will all
serve to give it a heightened relish.
Hare, 1; lean of ham or bacon, 4 to 6 oz.; butter, 2 oz.; gravy, 1-1/2
pint; lemon-rind: 1 hour and 20 to 50 minutes. Rice-flour, 1 large
dessertspoonful; mushroom catsup, 2 tablespoonsful; mace, 1/3 of
teaspoonful; little cayenne (salt, if needed): 10 minutes.
TO ROAST A RABBIT.
After the rabbit has been emptied, thoroughly washed and soaked,
should it require it to remove any mustiness of smell, blanch it, that is
to say, put it into boiling water and let it boil from five to seven
minutes; drain it, and when cold or nearly so, cut it into joints, dip
them into beaten egg, and then into fine bread-crumbs, seasoned
with salt and pepper, and when all are ready, fry them in butter over
a moderate fire, from twelve to fifteen minutes. Simmer two or three
strips of lemon-rind in a little gravy, until it is well flavoured with it;
boil the liver of the rabbit for five minutes, let it cool, and then mince
it; thicken the gravy with an ounce of butter and a small teaspoonful
of flour, add the liver, give the sauce a minute’s boil, stir in two
tablespoonsful of cream if at hand, and last of all, a small quantity of
lemon-juice. Dish the rabbit, pour the sauce under it, and serve it
quickly. If preferred, a gravy can be made in the pan as for veal
cutlets, and the rabbit may be simply fried.
TO ROAST A PHEASANT.
Take, quite clear from the bones, and from all skin and sinew, the
flesh of a half-roasted pheasant; mince, and then pound it to the
smoothest paste; add an equal bulk of the floury part of some fine
roasted potatoes, or of such as have been boiled by Captain Kater’s
receipt (see Chapter XVII.), and beat them together until they are
well blended; next throw into the mortar something less (in volume)
of fresh butter than there was of the pheasant-flesh, with a high
seasoning of mace, nutmeg, and cayenne, and a half-teaspoonful or
more of salt; pound the mixture afresh for ten minutes or a quarter of
an hour, keeping it turned from the sides of the mortar into the
middle; then add one by one, after merely taking out the germs with
the point of a fork, two whole eggs and a yolk or two without the
whites, if these last will not render the mixture too moist. Mould it into
the form of a roll, lay it into a stewpan rubbed with butter, pour boiling
water on it and poach it gently from ten to fifteen minutes. Lift it out
with care, drain it on a sieve, and when it is quite cold cover it
equally with beaten egg, and then with the finest bread-crumbs, and
broil it over a clear fire, or fry it in butter of a clear golden brown. A
good gravy should be made of the remains of the bird and sent to
table with it; the flavour may be heightened with ham and eschalots,
as directed in Chapter IV., page 96, and small mushrooms, sliced
sideways, and stewed quite tender in butter, may be mixed with the
boudin after it is taken from the mortar; or their flavour may be given
more delicately by adding to it only the butter in which they have
been simmered, well pressed, from them through a strainer. The
mixture, which should be set into a very cool place before it is
moulded, may be made into several small rolls, which will require
four or five minutes’ poaching only. The flesh of partridges will
answer quite as well as that of pheasants for this dish.
SALMI OF PHEASANT.
(See page 292.)
PHEASANT CUTLETS.
(See page 275.)
TO ROAST PARTRIDGES.
(Breakfast Dish.)
“Split a young and well-kept partridge, and wipe it with a soft clean
cloth inside and out, but do not wash it; broil it delicately over a very
clear fire, sprinkling it with a little salt and cayenne; rub a bit of fresh
butter over it the moment it is taken from the fire, and send it quickly
to table with a sauce made of a good slice of butter browned with
flour, a little water, cayenne, salt, and mushroom-catsup, poured
over it.” We give this receipt exactly as we received it from a house
where we know it to have been greatly approved by various guests
who have partaken of it there.
BROILED PARTRIDGE.
(French Receipt.)
After having prepared the bird with great nicety, divided, and
flattened it, season it with salt, and pepper, or cayenne, dip it into
clarified butter, and then into very fine bread-crumbs, and take care
that every part shall be equally covered: if wanted of particularly
good appearance dip it a second time into the butter and crumbs.
Place it over a very clear fire, and broil it gently from twenty to thirty
minutes. Send it to table with brown mushroom sauce, or some
Espagnole.
THE FRENCH, OR RED-LEGGED PARTRIDGE.
This delicate and excellent bird is in its full season at the end of
August and early in September, when it abounds often in the
poulterers’ shops. Its plumage resembles that of the partridge, but it
is of smaller size and of much more slender shape. Strip off the
feathers, draw and prepare the bird as usual for the spit, truss it like
a snipe, and roast it quickly at a brisk but not a fierce fire from fifteen
to eighteen minutes. Dish it on fried bread-crumbs, or omit these and
serve it with gravy round it, and more in a tureen, and with well made
bread sauce. Three or even four of the birds will be required for a
dish. One makes a nice dinner for an invalid.
TO ROAST BLACK COCK AND GRAY HEN.
In season during the same time as the common grouse, and found like them on
the moors, but less abundantly.
These birds, so delicious when well kept and well roasted, are
tough and comparatively flavourless when too soon dressed. They
should hang therefore till they give unequivocal indication of being
ready for the spit. Pick and draw them with exceeding care, as the
skin is easily broken; truss them like pheasants, lay them at a
moderate distance from a clear brisk fire, baste them plentifully and
constantly with butter, and serve them on a thick toast which has
been laid under them in the dripping-pan for the last ten minutes of
their roasting, and which will have imbibed a high degree of savour:
some cooks squeeze a little lemon-juice over it before it is put into
the pan. Send rich brown gravy and bread sauce to table with the
birds. From three quarters of an hour to a full hour will roast them.
Though kept to the point which we have recommended, they will not
offend even the most fastidious eater after they are dressed, as,
unless they have been too long allowed to hang, the action of the fire
will remove all perceptible traces of their previous state. In the earlier
part of the season, when warm and close packing have rendered
either black game or grouse, in their transit from the North,
apparently altogether unfit for table, the chloride of soda, well-
diluted, may be used with advantage to restore them to a fitting state
for it; though the copious washings which must then be resorted to,
may diminish something of their fine flavour.
3/4 to 1 hour.