
Practical Digital Forensics 1st Edition Richard Boddington Available All Format

The document introduces the 1st edition of 'Practical Digital Forensics' by Richard Boddington, set to release in 2025, and highlights its hands-on approach to digital forensics. It provides various formats for access, including PDF and ePub, and emphasizes the author's extensive background in policing and digital forensics education. The book aims to guide readers through the complexities of digital evidence and forensic analysis, making it suitable for both academic and practical applications.

Uploaded by arantzazua4312

Practical Digital Forensics

Get started with the art and science of digital forensics
with this practical, hands-on guide!

Richard Boddington

BIRMINGHAM - MUMBAI
Practical Digital Forensics

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transmitted in any form or by any means, without the prior written
permission of the publisher, except in the case of brief quotations embedded in
critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy
of the information presented. However, the information contained in this book is
sold without warranty, either express or implied. Neither the author, nor Packt
Publishing, and its dealers and distributors will be held liable for any damages
caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the
companies and products mentioned in this book by the appropriate use of capitals.
However, Packt Publishing cannot guarantee the accuracy of this information.

First published: May 2016

Production reference: 1200516

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78588-710-9

www.packtpub.com

Credits

Author: Richard Boddington
Reviewer: Colin J. Armstrong
Commissioning Editor: Veena Pagare
Acquisition Editor: Divya Poojari
Content Development Editor: Sanjeet Rao
Technical Editor: Vishal K. Mewada
Copy Editor: Madhusudan Uchil
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Hemangini Bari
Graphics: Jason Monteiro
Production Coordinator: Aparna Bhagat
Cover Work: Aparna Bhagat

About the Author

Richard Boddington commenced general policing with the London Metropolitan
Police in 1968 and joined the Royal Hong Kong Police in 1971, later serving as a
chief inspector in the Special Branch. In 1980, Richard moved to Australia and
worked as a desk officer and case officer with the Australian Security Intelligence
Organization. He later worked in several federal and state government agencies,
including the Western Australia Department of Treasury and Finance, as a senior
intelligence officer.

In 2008, he commenced developing and coordinating information security and
digital forensics undergraduate and postgraduate courses at Murdoch University,
where he was responsible for the creation of a digital forensic and information
security degree offering. He provided a unique online virtual digital forensics
unit for postgraduate students at the University of Western Australia in 2014.

Between 1991 and 2015, Richard was a security analyst and digital forensic
practitioner, providing independent consultancy services for legal practitioners and
organizations requiring independent digital forensic examinations and reports. This
included analyzing case evidence in criminal and civil cases heard at Magistrate,
District and Commonwealth Courts. His work included the compilation of digital
forensic reports and testifying as an expert witness on complex technical matters
to assist the jury in understanding digital evidence presented during trial.

Recent forensic examinations undertaken by him include analyzing digital
evidence recovered from computers, mobile phones, and other digital devices
and then preparing expert testimony relating to a broad range of criminal and
civil cases, including:

• Child pornography and child exploitation
• Cyberstalking
• Aggravated burglary and false imprisonment
• Analysis of CCTV video digital evidence of assault and rape cases
• Alleged homicide, suicide, and other crimes of violence
• Bomb threats
• Family law disputes and Australian Vietnamese Relief Organization
(AVRO) breaches
• Workers' compensation disputes
• Suspected forgery or manipulation of digital video and mobile phone evidence
• Industrial espionage and sabotage and intellectual property theft

Since 2015, Richard has continued his digital forensics examinations on behalf of
TSW Analytical Pty Ltd in Western Australia, where he now heads the Digital
Forensics and Data Recovery Team.

He is also the General Manager for Research and Training at eReveal Technologies
Pty Ltd (TSW Global Company) and is responsible for designing and coordinating
online digital forensics, multimedia forensics, and e-discovery training courses for a
broad range of organizations.

Richard is presently developing online digital forensics and e-discovery academic
postgraduate course for the evolving Institute for Applied Forensic Science,
associated with TSW Analytical, as part of broader postgraduate forensic course
offerings in Australasia and overseas.

In 2010, Richard authored two digital forensics chapters in Digital Business Security
Development: Management Technologies. He has also written a number of journal
articles on the validation of digital evidence, his ongoing research area.

In 2015, he authored an online video cast series, Emerging Forensic Tools for Locating
and Analyzing Digital Evidence, on behalf of IGI Global Video Lecture E-Access Videos
(http://www.igi-global.com/video/emerging-forensic-tools-locating-analyzing/134946).

Acknowledgment
I would like to acknowledge the constant love, support, and faith shown to me
from my beautiful wife, Meiling, and our close family unit, which has helped me
throughout my research and writing of the book, which I now dedicate to them.

The inspiration, technical brilliance, and forensic expertise of Jim Baker of
Xtremeforensics and my colleague-at-arms, Dr. Richard Adams, have been the
driving force behind my renewed dedication to digital forensics that has resulted
in the writing of this book. James McCutcheon's leading work in testing forensic
image containers was inspirational and I am pleased to share some of his grossly
unrecognized research along with Dr. Adams' work on the ADAMS model. I hope
some small but important mention of their work in this book goes some way to
publicizing their research. I hope it will encourage other like-minded practitioners
to get involved in some really helpful and needed research for the discipline.

Dr. Colin Armstrong's help in the technical review of the book has always been
positive and encouraging and helped me reach my final goal, and I thank Colin
for his time and constructive feedback to the publishers.

Finally, I am grateful for the support and encouragement from the academics and
forensic practitioners and technicians at TSW, who had implicit faith in my forensic
experience and provided me with a supportive environment in which to complete
the book.

About the Reviewer

Colin J. Armstrong has extensive business experience in communications and
information technology, information systems and services, security, and forensic
science education, spanning the aviation, transport, hotel and catering, tertiary
education, and charitable industries. His experience derives not only from industry
roles, but studies acquiring bachelor, masters, and doctoral degrees, participation in
the Australian Standards Expert Committee, memberships to various professional
industry bodies, board memberships, and company directorships.

www.PacktPub.com

eBooks, discount offers, and more


Did you know that Packt offers eBook versions of every book published, with PDF
and ePub files available? You can upgrade to the eBook version at www.PacktPub.com
and as a print book customer, you are entitled to a discount on the eBook copy. Get in
touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles,
sign up for a range of free newsletters and receive exclusive discounts and offers
on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital
book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?
• Fully searchable across every book published by Packt
• Copy and paste, print, and bookmark content
• On demand and accessible via a web browser

Table of Contents
Preface
Chapter 1: The Role of Digital Forensics and Its Environment
Understanding the history and purpose of forensics – specifically, digital forensics
The origin of forensics
Locard's exchange principle
The evolution of fingerprint evidence
DNA evidence
The basic stages of forensic examination
Defining digital forensics and its role
Definitions of digital forensics
Looking at the history of digital forensics
The early days
A paucity of reliable digital forensic tools
The legal fraternity's difficulty understanding digital evidence
More recent developments in digital forensics
Studying criminal investigations and cybercrime
Outlining civil investigations and the nature of e-discovery
The role of digital forensic practitioners and the challenges they face
The unique privilege of providing expert evidence and opinion
Issues faced by practitioners due to inadequate forensics processes
Inferior forensics tools confronting practitioners
The inadequate protection of digital information confronting practitioners
The tedium of forensic analysis
Qualities of the digital forensic practitioner
Determining practitioner prerequisites
Case studies
The Aaron Caffrey case – United Kingdom, 2003
The Julie Amero case – Connecticut, 2007
The Michael Fiola case – Massachusetts, 2008
References
Summary
Chapter 2: Hardware and Software Environments
Describing computers and the nature of digital information
Magnetic hard drives and tapes
Optical media storage devices
Random-access memory (RAM)
Solid-state drive (SSD) storage devices
Network-stored data
The cloud
Operating systems
Connecting the software application to the operating system
Connecting the software application to the operating system and a device
Describing filesystems that contain evidence
The filesystem category
The filename category
The metadata category
The content category
Locating evidence in filesystems
Determining the means of transgression
Determining opportunity to transgress
Determining the motive to transgress
Deciding where to look for possible evidence
Indexing and searching for files
Unallocated data analysis
Explaining password security, encryption, and hidden files
User access to computer devices
Understanding the importance of information confidentiality
Understanding the importance of information integrity
Understanding the importance of information availability
User access security controls
Encrypted devices and files
Case study – linking the evidence to the user
References
Summary
Chapter 3: The Nature and Special Properties of Digital Evidence
Defining digital evidence
The use of digital evidence
The special characteristics of digital evidence
The circumstantial nature of digital evidence
File metadata and correlation with other evidence
The technical complexities of digital evidence
The malleability of digital evidence
Metadata should not be taken at face value
Recovering files from unallocated space (data carving)
Date and time problems
Determining the value and admissibility of digital evidence
Explaining the evidentiary weight of digital evidence
Understanding the admissibility of digital evidence
Defining the lawful acquisition of digital evidence
Emphasizing the importance of relevance in terms of digital evidence
Outlining the reliability of digital evidence
The importance of the reliability of forensic tools and processes
Evaluating computer/network evidence preservation
Corroborating digital evidence
Case study – linking the evidence to the user
References
Summary
Chapter 4: Recovering and Preserving Digital Evidence
Understanding the chain of custody
Describing the physical acquisition and safekeeping of digital evidence
Explaining the chain of custody of digital evidence
Outlining the seizure and initial inspection of digital devices
Recovering digital evidence through forensic imaging processes
Dead analysis evidence recovery
Write-blocking hardware
Write-blocking software
Enhancing data preservation during recovery
Recovering remnants of deleted memory
Acquiring digital evidence through live recovery processes
The benefits of live recovery
The challenges of live recovery
The benefits of volatile memory recovery
Isolating the device from external exploits
Outlining the efficacy of existing forensic tools and the emergence of enhanced processes and tools
Standards for digital forensic tools
The reliability of forensic imaging tools to recover and protect digital evidence
Case studies – linking the evidence to the user
References
Summary
Chapter 5: The Need for Enhanced Forensic Tools
Digital forensics laboratories
The purpose of digital forensics laboratories
Acceptance of, consensus on, and uptake of digital forensics standards
Best practices for digital forensics laboratories
The physical security of digital forensic laboratories
Network and electronic requirements of digital forensic laboratories
Dilemmas presently confronting digital forensics laboratories
Emerging problems confronting practitioners because of increasingly large and widely dispersed datasets
Debunking the myth of forensic imaging
Dilemmas presently confronting digital forensics practitioners
Processes and forensic tools to assist practitioners to deal more effectively with these challenges
E-discovery evidence recovery and preservation
Enhanced digital evidence recovery and preservation
The benefits of enhanced recovery tools in criminal investigations
Empowering non-specialist law enforcement personnel and other stakeholders to become more effective first respondents at digital crime scenes
The challenges facing non-forensic law enforcement agents
Enhancing law enforcement agents as first respondents
The challenges facing IT administrators, legal teams, forensic auditors, and other first respondents
Enhancing IT administrators, legal team members, and other personnel as first respondents
Case study – illustrating the challenges of interrogating large datasets
The setting of the crime
The investigation
The practitioner's brief
The available evidence
The data extraction process
The outcome of the recovery and examination
Conclusion
References
Summary
Chapter 6: Selecting and Analyzing Digital Evidence
Structured processes to locate and select digital evidence
Locating digital evidence
Search processes
Searching desktops and laptops
Selecting digital evidence
Seeking the truth
More effective forensic tools
Categorizing files
Eliminating superfluous files
Deconstructing files
Searching for files
The Event Analysis tool
The Cloud Analysis tool
The Lead Analysis tool
Analyzing e-mail datasets
Detecting scanned images
Volume Shadow Copy analysis tools
Timelines and other analysis tools
Case study – illustrating the recovery of deleted evidence held in volume shadows
Summary
Chapter 7: Windows and Other Operating Systems as Sources of Evidence
The Windows Registry and system files and logs as resources of digital evidence
Seeking useful leads within the Registry
Mapping devices through the Registry
Detecting USB removable storage
User activity
Reviewing Most Recently Used and Jump List activity
Detecting wireless connectivity
Observing Windows Event Viewer logs
Recovery of hidden data from a VSS
Examining prefetch files
Pagefiles
Hibernation and sleep files
Detecting steganography
Apple and other operating system structures
Examining Apple operating systems
The Linux operating system
Remote access and malware threats
Remote access
Detecting malware attacks and other exploits
The prevalence of anti-forensics processes and tools
Case study – corroborating evidence using Windows Registry
References
Summary
Chapter 8: Examining Browsers, E-mails, Messaging Systems, and Mobile Phones
Locating evidence from Internet browsing
Typical web-browsing behavior
Recovering browsing artifacts from slack and unallocated space
Private browsing
Messaging systems
Examining Skype and chat room artifacts
The invisible Internet
E-mail analysis and the processing of large e-mail databases
Recovering e-mails from desktop and laptop computers
Recovering and analyzing e-mails from larger datasets
Searching for scanned files
The growing challenge of evidence recovery from mobile phones and handheld devices
Extracting data from mobile devices
Managing evidence contamination
Concealing illegal activities
Extracting mobile data from the cloud
Analyzing GPS devices and other handheld devices
Case study – mobile phone evidence in a bomb hoax
Summary
Chapter 9: Validating the Evidence
The nature and problem of unsound digital evidence
Challenges explaining the complexity of digital evidence
The immaturity of the forensic subdiscipline
The ineffective security integrity of computers and networks
Evidence contamination
Impartiality in selecting evidence
Meaning is only clear in context
Faulty case management and evidence validation
The structured and balanced analysis of digital evidence
Developing hypotheses
Modeling arguments
The Toulmin model of argumentation
Formalizing the validation of digital evidence
The perceived benefits of a formalized validation process
Rationale for selection
The conceptual framework of the model
The validation process
Applying Bayesian reasoning to the analysis of validation
The comparative simplicity of the analysis of legal admissibility
More complex components requiring scientific measurement
Determining prior probability
Setting post probabilities
Checking whether the remote access application was running at the time of the transgression
Present limitations and scoping
The presentation of digital evidence
Preparing digital forensics reports
Court appearances
Ethical issues confronting digital forensics practitioners
Case study – presumed unauthorized use of intellectual property
The background to the case
The forensic recovery
The forensic examination
Linking the suspect to the device and the device to the server
Analyzing the downloaded files
Connected storage devices
The illicit copying of data
The outcome
Summary
Chapter 10: Empowering Practitioners and Other Stakeholders
The evolving nature of digital evidence vis-à-vis the role of the practitioner
Solutions to the challenges posed by new hardware and software
More efficacious evidence recovery and preservation
Challenges posed by communication media and the cloud
Mobile phone evidence recovery
The cloud - convenient for users but problematic for practitioners
The need for effective evidence processing and validation
Contingency planning
References
Summary
Index

Preface
This book will provide you with a clear understanding of digital forensics, from its
relatively recent emergence as a sub-discipline of forensics to its rapidly growing
importance alongside the more established forensic disciplines. It will enable you
to gain a clear understanding of the role of digital forensics practitioners and their
vital work in cybercrime and corporate environments, where they recover evidence
of criminal offences and civil transgressions. Examples of real case studies of digital
crime scenes will help you understand the complexity typical of many cases and the
challenges digital evidence analysis poses to practitioners.

During the past 10 years or so, there has been a growing interest in digital forensics
as part of tertiary courses and as a career path in law enforcement and corporate
investigations. New technologies and forensic processes have developed to meet
the growing number of cases relying on digital evidence. However, it has been
apparent that the increasing complexity, size, and number of cases is creating
problems for practitioners, who also face resource and costing restrictions and a
shortage of well-trained and experienced personnel. The book will describe these
challenges and offer some solutions, which hopefully will assist and empower
current and prospective practitioners to manage problems more effectively in
the future.

These are truly exciting and challenging times for practitioners seeking to enhance
their skills and experience in recovering evidence and assisting the legal fraternity in
making sense of their important findings. For those wishing to enter the discipline,
they do so at a time when banality, complacency, and fatigue are disappointingly
quite common. The enthusiasm of entering the profession can rapidly dissipate
because of tedium and heavy caseloads, notwithstanding the inherently exciting
and important nature of the work. Presented in this book are new and more effective
ways to reduce tedium and time wastage, reinvigorate practitioners, and restore
the excitement of the hunt for evidence heralded by fresh winds of change.


What this book covers


Chapter 1, The Role of Digital Forensics and Its Environment, describes the digital
forensics environment—an emerging discipline within the broader field of forensic
science. It outlines the main digital forensics environments of criminal and civil law
cases and describes the role of digital forensics practitioners.

Chapter 2, Hardware and Software Environments, presents the basic working of
computer hardware, operating systems, and application software and describes
the nature of recovered digital evidence. A basic introduction to filesystems and
files commonly recovered during forensics examination is given as well as an
insight into file encryption and password protection.

Chapter 3, The Nature and Special Properties of Digital Evidence, describes the special
characteristics of digital evidence, including the nature of files, file metadata, and
timestamps, which form an essential part in the reconstruction of suspected offences.
The complex nature of digital evidence is introduced, and the expectations of the
courts as to its admissibility in legal hearings is explained.

Chapter 4, Recovering and Preserving Digital Evidence, explains the importance of
preserving digital evidence in accordance with legal conventions. It describes
forensic recovery processes and tools used to acquire digital evidence without
undue contamination under different forensic conditions.

Chapter 5, The Need for Enhanced Forensic Tools, emphasizes the redundancy of
conventional forensic imaging and the indexing of increasingly larger datasets and
introduces new forensic processes and tools to assist in sounder evidence recovery
and better use of resources. The chapter introduces the disruptive technology now
challenging established digital forensic responses and the overreliance on forensic
specialists, who are themselves becoming swamped with heavier caseloads and
larger, more disparate datasets.

Chapter 6, Selecting and Analyzing Digital Evidence, introduces the structure of digital
forensic examinations of digital information through the iterative and interactive
stages of selecting and analyzing digital evidence that may be used in legal
proceedings. The chapter introduces the stages of digital evidence selection
and analysis in line with acceptable forensic standards.

Chapter 7, Windows and Other Operating Systems as Sources of Evidence, provides you
with an understanding of the complexity and nature of information processed on
computers that assist forensic examinations. The chapter looks at the structure of
typical Windows, Apple, and other operating systems to facilitate the recreation
of key events relating to the presence of recovered digital evidence. It touches on
malware attacks and the problems encountered with anti-forensics tactics used by
transgressors.


Chapter 8, Examining Browsers, E-mails, Messaging Systems, and Mobile Phones, looks at
Internet browsers, e-mail and messaging systems, mobile phone and other handheld
devices, and the processes of locating and recovering digital evidence relating to
records of personal communications such as e-mails, browsing records, and mobile
phones. The value of extracting and examining communications between persons of
interest stored on computer and mobile phones is described.

Chapter 9, Validating the Evidence, emphasizes the importance of validating digital
evidence to ensure that as thorough as possible an examination of the evidence is
undertaken to test its authenticity, relevance, and reliability. Some common pitfalls
that diminish the admissibility of digital evidence, as well as the evidentiary weight
or value of evidence, are discussed, as is the need for open-minded and unbiased
testing and checking of evidence to be a routine matter. The presentation of digital
evidence and the role of the forensic expert is outlined in the chapter.

Chapter 10, Empowering Practitioners and Other Stakeholders, provides a summary
of the book and reflects on the changes presently occurring within the discipline.
It offers some new processes and tools that enhance the work of practitioners
and reduce the time spent on each case as well as untangling the complexity
of analyzing large datasets.

What you need for this book


No software is required for the book.

Who this book is for


This book is for anyone who wants to get into the field of digital forensics. Prior
knowledge of programming languages may be helpful but is not a
prerequisite. This is a helpful guide for readers contemplating
becoming a digital forensic practitioner and others wishing to understand the nature
of recovering and preserving digital information that may be required for legal or
disciplinary proceedings. The book will appeal to a range of readers requiring a
fundamental understanding of this rapidly evolving discipline, including:

• Police, law enforcement, and government investigative bodies
• Corporate investigators
• Banking, business, and forensic auditors
• Security managers and investigators
• IT security professionals
• Taxation compliance investigators
• Defense and intelligence personnel
• The legal fraternity and criminologists

Conventions
In this book, you will find a number of text styles that distinguish between different
kinds of information. Here are some examples of these styles and an explanation of
their meaning.

Code words in text, database table names, folder names, filenames, file extensions,
pathnames, dummy URLs, user input, and Twitter handles are shown as follows:
"MS Word document, a file denoted by the .docx extension."

New terms and important words are shown in bold. Words that you see on
the screen, for example, in menus or dialog boxes, appear in the text like this:
"The exact view of file is shown in the following screenshot, which displays
the Properties sheet."

Warnings or important notes appear in a box like this.

Tips and tricks appear like this.

Reader feedback
Feedback from our readers is always welcome. Let us know what you think about
this book—what you liked or disliked. Reader feedback is important for us as it
helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail [email protected], and mention
the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing
or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support
Now that you are the proud owner of a Packt book, we have a number of things to
help you to get the most from your purchase.

Downloading the color images of this book
We also provide you with a PDF file that has color images of the screenshots/
diagrams used in this book. The color images will help you better understand the
changes in the output. You can download this file from
https://www.packtpub.com/sites/default/files/downloads/PracticalDigitalForensics_ColorImages.pdf.

Errata
Although we have taken every care to ensure the accuracy of our content, mistakes
do happen. If you find a mistake in one of our books—maybe a mistake in the text or
the code—we would be grateful if you could report this to us. By doing so, you can
save other readers from frustration and help us improve subsequent versions of this
book. If you find any errata, please report them by visiting
http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form
link, and entering the details of your errata. Once your errata are verified, your
submission will be accepted and the errata will be uploaded to our website or
added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to
https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required
information will appear under the Errata section.

Piracy
Piracy of copyrighted material on the Internet is an ongoing problem across all
media. At Packt, we take the protection of our copyright and licenses very seriously.
If you come across any illegal copies of our works in any form on the Internet, please
provide us with the location address or website name immediately so that we can
pursue a remedy.

Please contact us at [email protected] with a link to the suspected
pirated material.

We appreciate your help in protecting our authors and our ability to bring you
valuable content.

Questions
If you have a problem with any aspect of this book, you can contact us at
[email protected], and we will do our best to address the problem.
