All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
The right of André Årnes to be identified as the author(s) of the editorial material in this work has been asserted in accordance with law.
Registered Offices
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK
Editorial Office
The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK
For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.
Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.
Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Library of Congress Cataloging-in-Publication Data
Names: Årnes, André, 1976- editor.
Title: Digital forensics / edited by André Årnes.
Description: Hoboken, NJ : John Wiley & Sons Inc., 2018. | Includes bibliographical references and index.
Identifiers: LCCN 2017004725 (print) | LCCN 2017003533 (ebook) | ISBN 9781119262381 (paperback) | ISBN 9781119262404 (Adobe PDF) | ISBN 9781119262411 (ePub)
You are holding in your hand a copy of the Digital Forensics textbook written by faculty, associates, and former students of the Norwegian Information Security Laboratory (NISlab) at the Norwegian University of Science and Technology (NTNU). Some of the authors of this textbook have themselves studied digital forensics at NISlab. The textbook is based on teaching material, academic research, experiences, and student feedback over almost ten years of teaching digital forensics, and it represents our common philosophy of how digital forensics should be learned.
Digital forensics is a unique field of research, in that new information technology and new ways of exploiting information technology are introduced at an astonishing rate. Both researchers and practitioners regularly face new technical challenges, forcing them to continuously develop their inquisitive and creative abilities. While digital forensics requires a strict adherence to process and procedures, it is the creative abilities that will make one excel in this area.
This textbook starts with an introduction to forensic science that establishes the foundation for understanding the more specific area of digital forensics (Chapter 1). We introduce the fundamental principles of digital forensics, evidence dynamics, and chain of custody, followed by the digital forensics process, introduced by Anders O. Flaglien in Chapter 2. The introductory chapters present the main building blocks of any digital investigation, and these serve as a common thread through all the chapters in this textbook.
With the forensic principles and process in mind, Inger Marie Sunde, a Professor of law, takes us through a deep dive into the legal aspects of cybercrime and digital evidence, supported by a range of international examples and legal provisions. Chapter 3 serves as a comprehensive overview of the areas that will benefit technical, legal, and tactical professionals alike.
Further building upon the digital forensics process and the legal framework, Ausra Dilijonaite introduces us to the area of digital forensic readiness in Chapter 4. While we are often left with the impression that investigations depend on ingenious and heroic efforts after the fact, we intuitively understand that the key to successful investigations is the readiness of people, processes, and tools. Ausra builds the case for planning and preparation as a key success factor for digital forensics.
The three technical chapters in this textbook are written by digital forensics practitioners – Jeff Hamm, Jens-Petter Sandvik, and Petter Christian Bjelland. They discuss in detail how to handle evidence in computer systems (Chapter 5), in embedded and mobile devices (Chapter 6), and on the Internet (Chapter 7). The chapters leverage the forensic process and share a common format. However, the evidence dynamics and the technical expertise required for the three areas are quite different.
Following the technical chapters, we provide an overview of research topics and open research questions within the field of digital forensics, supported by examples from research at NTNU. The purpose of Chapter 8 is to provide inspiration for further research for the readers of the textbook.
In the final chapter (Chapter 9), Stefan Axelsson provides advice and “lessons learned” to the educators and students using this textbook. Stefan is currently teaching digital forensics using an early version of this textbook as the curriculum, and he has played an important role in ensuring that the textbook is suitable for educational use. As inspiration to future studies and research, his chapter provides references to the main conferences, journals, and training programs in the field of digital forensics.
We would like to thank the chapter authors for their dedicated and collaborative efforts over more than one year of writing, proofreading, and editing, as well as the proofreaders Carl Leichter, Tyler Maldonado, Svein Johan Knapskog, and Arlene Marie Pearce for their contributions to this book. The Digital Forensics classes of 2015 and 2016 also provided important feedback and guidance with regard to the scope of the book.
We are grateful for the support from our publisher, John Wiley & Sons, Inc., who chose to believe in our proposal and who has provided valuable support over the course of one year. We are further grateful for the financial support provided by the Norwegian Information Security Laboratory at NTNU, the Centre for Cyber and Information Security (CCIS), the Testimon Forensic Group, the Norwegian Police Directorate, and the Norwegian Research Council toward this work.
Finally, on behalf of the authors, we would like to thank our loved ones, family, and friends for their support and for bearing with us during the preparation of this textbook.
Good luck with learning Digital Forensics!
André Årnes and Katrin Franke
Testimon Forensic Group
Norwegian Information Security Laboratory
Norwegian University of Science and Technology
Norway, September 2016
List of Contributors
This textbook has been written as a collaborative project with contributions from academic, law enforcement, and industry experts in the field.
André Årnes, PhD, Siv.ing. (MSc) – Oslo, Norway
Associate Professor, Testimon Forensic Laboratory, Norwegian University of Science and Technology (NTNU); and Senior Vice President and Chief Security Officer, Telenor Group, Oslo, Norway
Telenor, 2010–current: currently Senior Vice President and Chief Security Officer (from 2015)
National Criminal Investigation Service (Kripos), 2003–2007: Special Investigator within computer crime and digital forensics
PhD and MSc in information security from NTNU; visiting researcher at University of California, Santa Barbara, USA, and Queen's University, Canada
GIAC Certified Forensic Analyst (GCFA), IEEE Senior Member, and member of the Europol Cyber Crime Centre (EC3) Advisory Group for communications providers.
Stefan Axelsson, PhD, MSc – Gothenburg, Sweden
Associate Professor, Norwegian Information Security Laboratory (NISlab), Norwegian University of Science and Technology (NTNU), Gjøvik, Norway
Blekinge Institute of Technology, 2007–present: Associate Professor
Research in computer security since 1996
Worked in the telecoms industry for seven years with security and forensics
Research cited more than 2000 times
Program committee member of DFRWS and IFIP WG 11.9.
Petter Christian Bjelland, MSc – Oslo, Norway
Manager, Fraud Investigation & Dispute Services, Ernst & Young AS
Advisor, National Criminal Investigation Service (NCIS Norway/Kripos), 2015–2016
Norwegian Defense, 2011–2015: Senior Software Engineer
MSc in Digital Forensics from Gjøvik University College, 2014
Peer-reviewed paper at DFRWS Europe 2014 and in Elsevier Digital Investigation.
Ausra Dilijonaite, MSc – Oslo, Norway
Manager, Cyber Risk Services, Deloitte AS
MSc in Digital Forensics from Gjøvik University College, with a thesis on Forensic Readiness in Digital Forensics
Deloitte AS, Cyber Security Services, 2016–current: roles include Manager and Senior Consultant
Mnemonic AS, Governance, Risk Management and Compliance, Managed Security Services, 2011–2016: roles include Senior Security Consultant and Consultant-Analyst
Ernst & Young Baltics UAB, Technology Risk Security Services, IT Risk Advisory, 2007–2010: roles include Senior Consultant and Consultant
Various professional certifications, including CISA, ISMS (ISO 27001) auditor/lead auditor, and RSA Certified Security Professional.
Anders Orsten Flaglien, MSc – Oslo, Norway
Security Architect, Central Bank of Norway
Central Bank of Norway, 2016–current: Security Architect
Accenture, 2010–2016: Security Consultant
Gjøvik University College, 2012–2015: Teaching Coordinator in Digital Forensics
Best Master's Thesis award (2010), and papers in peer-reviewed publications
CISSP Certified.
Katrin Franke, PhD, MSc – Gjøvik, Norway
Professor, Head of Testimon Forensics Group, Norwegian University of Science and Technology (NTNU)
PhD in Artificial Intelligence, University of Groningen, The Netherlands; and MSc in Electrical Engineering, Technical University Dresden, Germany
Fraunhofer Society, Germany, 1994–2006: Researcher, then Scientific Project Manager
Joined the Norwegian Information Security Lab in 2007; mission to establish research and education in digital and computational forensics
20+ years of experience in basic and applied research, working closely with financial services and law enforcement agencies in Europe, North America, and Asia
Founding member and first chair of the TC6 on Computational Forensics under the auspices of the International Organization of Pattern Recognition (IAPR)
IAPR Young Investigator Awardee in 2009 for contributions to computational forensics.
Jeff Hamm, A.S. Criminal Justice – Mainz, Germany
Manager of Consulting Services, Mandiant, a FireEye company
Mandiant, 2010–current: Manager of Consulting Services in digital forensics and incident response
NTNU, 2011–current: Adjunct Lecturer in Digital Forensics