Digital forensics
by Årnes, André, 1976- editor.
Title: Digital forensics
Author: Årnes, André, 1976- editor.
ISBN: 9781119262411; 9781119262404; 9781119262442
Physical Description: 1 online resource
Contents:
Forensic Science / History of Forensic Science / Locard's Exchange Principle / Crime Reconstruction / Investigations / Evidence Dynamics / Digital Forensics / Crimes and Incidents / Digital Devices, Media, and Objects / Forensic Soundness and Fundamental Principles / Crime Reconstruction in Digital Forensics / Digital Evidence / Layers of Abstraction / Metadata / Error, Uncertainty, and Loss / Online Bank Fraud -- A Real-World Example / Modus Operandi / SpyEye Case / Further Reading / Chapter Overview / Comments on Citation and Notation / Introduction / Why Do We Need a Process? / Principles of a Forensics Process / Finding the Digital Evidence / Introducing the Digital Forensics Process / Identification Phase / Preparations and Deployment of Tools and Resources / First Responder / At the Scene of the Incident / Preservation Tasks / Dealing with Live and Dead Systems / Chain of Custody / Collection Phase / Sources of Digital Evidence / Systems Physically Tied to a Location / Multiple Evidence Sources / Reconstruction / Evidence Integrity and Cryptographic Hashes / Order of Volatility / Dual-Tool Verification / Remote Acquisition / External Competency and Forensics Cooperation / Examination Phase / Initial Data Source Examination and Preprocessing / Forensic File Formats and Structures / Data Recovery / Data Reduction and Filtering / Timestamps / Compression, Encryption and Obfuscation / Data and File Carving / Automation / Analysis Phase / Layers of Abstraction / Evidence Types / String and Keyword Searches / Anti-Forensics / Computer Media Wiping / Analysis of Encrypted and Obfuscated Data / Automated Analysis / Timelining of Events / Graphs and Visual Representations / Link Analysis / Presentation Phase / Final Reports / Presentation of Evidence and Work Conducted / Chain of Custody Circle Closes / Summary / Exercises
Introduction / International Legal Framework of Cybercrime Law / Individuals Involved in Criminal Activity and in Crime-Preventing Initiatives / National Legal System versus the International Legal Framework / Fundamental Rights Relating to Cybercrime Law -- The ECHR / ECtHR as a Driving Force for Development of Human Rights / Right to Bring a Case before the ECtHR / Special Note on Transborder Search and Surveillance / Connection between Fundamental Rights and the Rule of Law / Principle of Legality in the Context of Crime / Principle of Legality in the Context of a Criminal Investigation / Positive Obligation of the Nation State / Right to Fair Trial / Special Note on Evidence Rules in Different Legal Systems / Possible Outcomes of a Violation of Fundamental Rights / Special Legal Framework: The Cybercrime Convention / Interpretation of Cybercrime Law / Interpretation of Substantive Criminal Law / Application of Old Criminal Provisions to New Modes of Conduct / Interpretation of Procedural Provisions Authorizing Coercive Measures / Digital Crime -- Substantive Criminal Law / General Conditions for Criminal Liability / Real-Life Modus Operandi / Offenses against the Confidentiality, Integrity, and Availability of Computer Data and Systems / Illegal Access and Illegal Interception / Data and System Interference / Misuse of Devices / Computer-Related Offenses / Content-Related Offenses / Offenses Related to Infringements of Copyright and Related Rights / Racist and Xenophobic Speech / Investigation Methods for Collecting Digital Evidence / Digital Forensic Process in the Context of Criminal Procedure / Computer Data That Are Publicly Available / Transborder Access to Stored Computer Data Where Publicly Available / Online Undercover Operations / Scope and Safeguards of the Investigation Methods / Suspicion-Based Investigation Methods / Scope of the Investigation Methods (Article 14) / Conditions and Safeguards (Article 15) / Considerations Relating to Third Parties / 
Search and Seizure (Article 19) / Main Rules / Special Issues / Production Order / Expedited Preservation and Partial Disclosure of Traffic Data / Real-Time Investigation Methods (Articles 20 and 21) / International Cooperation in Order to Collect Digital Evidence / Narrowing the Focus / Special Note on Transborder Access to Digital Evidence / Mutual Legal Assistance / Basic Principles and Formal Steps of the Procedure / International Conventions Concerning Mutual Legal Assistance / International Police Cooperation and Joint Investigation Teams / Summary / Exercises / Introduction / Definition / Law Enforcement versus Enterprise Digital Forensic Readiness / Why? A Rationale for Digital Forensic Readiness / Cost / Usefulness of Digital Evidence / Existence of Digital Evidence / Evidentiary Weight of Digital Evidence / Frameworks, Standards, and Methodologies / Standards / ISO/IEC 27037 / ISO/IEC 17025 / NIST SP 800-86 / Guidelines / IOCE Guidelines / Scientific Working Group on Digital Evidence (SWGDE) / ENFSI Guidelines / Research / Rowlingson's Ten-Step Process / Grobler et al.'s Forensic Readiness Framework / Endicott-Popovsky et al.'s Forensic Readiness Framework / Becoming "Digital Forensic" Ready / Enterprise Digital Forensic Readiness / Legal Aspects / Policy, Processes, and Procedures / Risk-Based Approach
Incident Response versus Digital Forensics / Policy / Processes and Procedures / People / Roles and Responsibilities / Skills, Competencies, and Training / Awareness Training / Technology: Digital Forensic Laboratory / Accreditation and Certification / Organizational Framework / Security Policy or Framework / Control of Records / Processes, Procedures, and Lab Routines / Methodology and Methods / Personnel / Code of Conduct / Tools / Technology: Tools and Infrastructure / Sources of the Digital Evidence / Validation and Verification of Digital Forensic Tools / Preparation of Infrastructure / Outsourcing Digital Forensic Capabilities / Continuous Improvement / Considerations for Law Enforcement / Summary / Exercises / Introduction / Evidence Collection / Data Acquisition / Live Data (Including Memory) / Forensic Image / Forensic Copy / Examination / Disk Structures / Physical Disk Structures / Logical Disk Structures / File Systems / NTFS (New Technology File System) / INDX (Index) / Orphan Files / EXT2/ 3/4 (Second, Third, and Fourth Extended Filesystems) / Operating System Artifacts / Linux Distributions / Analysis / Analysis Tools / Timeline Analysis / File Hashing / Filtering / Data Carving / Files / Records / Index Search / Memory Analysis / Summary / Exercises / Introduction / Embedded Systems and Consumer Electronics / Mobile Phones / UICC (Formerly Known as a SIM Card) / Telecommunication Networks / GSM Network / UMTS Networks / Evolved Packet System (EPS)-Long-Term Evolution (LTE) Networks / Evidence in the Mobile Network / Mobile Devices and Embedded Systems as Evidence / Malware and Security Considerations / Ontologies for Mobile and Embedded Forensics / Acquisition Method Ontology / Technical Qualities / Tools Used for Acquisition / Data Acquisition Methods / Collection Phase / Special Considerations for Embedded Systems and Mobile Devices / Functionality / Stored Data / Storage Media / Security Measures / Communication Ports and Protocols / Handling 
Electronics -- ESD / First Contact / Hazards / Preservation of Other Traces / Damages and Unique Characteristics / State and Information / Clock Setting / Investigative Value of Information / Physical Acquisition / Two Approaches to Physical Acquisition / Chip-Off/In Vitro Acquisition / JTAG/In-System Acquisition / Logical Acquisition of Data / Manual Inspection / SIM Acquisition / SIM Replacement / Device Backup / USB Mass Storage / Media Transfer Protocol / OBEX / AT Commands / Vendor-Specific Protocols / Android Debug Bridge (ADB) / Somewhere between Physical and Logical / Root Access / Boot Access / Encryption Keys / Flasher Tools / Chip-Off Continued / Commercial Forensic Products / What about RAM? / Damaged Devices / External Force / Water, Liquids, and Blood / Wrapping It Up / Matrix of Information Availability / Cheat Sheet / On or Off? / Examination Phase / Top-Down: Flash Translation Layer (FTL) / Top-Down: Flash File Systems / Bottom-Up: Carving / Bottom-Up: Keyword Search / Technical Deep-Dive: FTL from Nokia 7610 Supernova / Technical Deep-Dive: Flash File System -- YAFFS / Technical Deep-Dive: Structure -- SMS PDU / Technical Deep-Dive: Structure -- SQLite3 Database / Technical Deep-Dive: Timestamps / Reverse Engineering and Analysis of Applications / Methods / Black Box Testing / Static Code Analysis / Runtime Analysis / Targets / Program Functionality / Data Structures / Protocols / Encryption / Summary / Exercises / Introduction / Computer Networking / Layers of Network Abstraction
Physical Layer / Data Link, Network, and Transport Layers / IP Addresses / Session, Presentation, and Application Layers / Internet / Internet Backbone / Autonomous System (AS) / Border Gateway Protocol (BGP) / Internet Service Providers (ISPs) / Common Applications / Domain Name System (DNS) / Email / World Wide Web (WWW) / Peer-to-Peer Networks / Other Media / Caveats / Network Address Translation (NAT) / Onion Routing / Web Shells / Tracing Information on the Internet / DNS and Reverse DNS / Whois and Reverse Whois / Ping and Port Scan / Traceroute / IP Geolocation / Tracing BitTorrent Peers / Bitcoin Unconfirmed Transaction Tracing / Collection Phase -- Local Acquisition
Browser History / Browser Cache / Browser Cookies / Email / Messaging and Chats / Internet of Things / Collection Phase -- Network Acquisition / tcpdump and pcap / Netflow / DHCP Logs / Collection Phase -- Remote Acquisition / Server / Web Server Logs / Web Application Logs / Virtual Hosts / Cloud Services / Open Sources / Personal Information / User Accounts / Contact Lists / Publication of Content / Interaction with Content / Public Interaction / Association with Groups and Communities / Other Considerations / Application Programming Interfaces (APIs) / Accessing User Accounts / Integrity of Remote Artifacts / Examination and Analysis Phases / Finding Interesting Nodes in Large Networks / Divide and Conquer Large Networks / Clustering / Community Detection / Making Sense of Millions of Events / Aggregated Timelines / Temporal Networks / Heat Maps / Summary / Exercises / Computational Forensics / Objectives of Computational Forensics / Large-Scale Investigations / Automation / Analysis / Forensic Soundness / Disciplines of Computational Forensics / Automation and Standardization / Research Agenda / Summary / Teacher's Guide / Student's Guide / Journals / Conferences and Organizations / Professional and Training Organizations / Tools / Corpuses / Summary
Abstract:
"The definitive text for students of digital forensics, as well as professionals looking to deepen their understanding of an increasingly critical field. Written by faculty members and associates of the world-renowned Norwegian Information Security Laboratory (NisLab) at the Norwegian University of Science and Technology (NTNU), this textbook takes a scientific approach to digital forensics ideally suited for university courses in digital forensics and information security. Each chapter was written by an accomplished expert in his or her field, many of them with extensive experience in law enforcement and industry. The author team comprises experts in digital forensics, cybercrime law, information security and related areas. Digital forensics is a key competency in meeting the growing risks of cybercrime, as well as for criminal investigation generally. Considering the astonishing pace at which new information technology – and new ways of exploiting information technology – is brought on line, researchers and practitioners regularly face new technical challenges, forcing them to continuously upgrade their investigatory skills. Designed to prepare the next generation to rise to those challenges, the material contained in Digital Forensics has been tested and refined by use in both graduate and undergraduate programs and subjected to formal evaluations for more than ten years. Encompasses all aspects of the field, including methodological, scientific, technical and legal matters. Based on the latest research, it provides novel insights for students, including an informed look at the future of digital forensics. Includes test questions from actual exam sets, multiple choice questions suitable for online use and numerous visuals, illustrations and case example images. Features real-world examples and scenarios, including court cases and technical problems, as well as a rich library of academic references and references to online media. Digital Forensics is an excellent introductory text for programs in computer science and computer engineering and for master degree programs in military and police education. It is also a valuable reference for legal practitioners, police officers, investigators, and forensic practitioners seeking to gain a deeper understanding of digital forensics and cybercrime"-- Provided by publisher.
"This textbook in digital forensics encompasses all aspects of the field, including methodological, scientific, technical and legal matters"-- Provided by publisher.
Local Note: John Wiley and Sons
Subject Term:
Computer crimes -- Investigation.
Computer security.
Electronic discovery (Law)
Forensic sciences.
Computer crime -- Investigations.
Computer security.
Electronic communication of documents.
Criminalistics.
forensic science.
MEDICAL -- Forensic Medicine.
Added Author: Årnes, André, 1976-
Electronic Access:

| Library | Material Type | Item Barcode | Shelf Number | Status |
|---|---|---|---|---|
| Online Library | E-Book | 593346-1001 | HV8079 .C65 | Wiley E-Book Collection |