Chapter 3. Digital Forensics

The Subdisciplines

Information in this chapter:

• The subdisciplines

Abstract

Originally the field of digital forensics only included computers, primarily personal computers. Over the last 20 years or so, as computers have become connected through small local networks and ultimately through the largest network of them all, the Internet, the term computer forensics has become too limited to encompass the entire field. In this chapter we provide an overview of the various subdisciplines in digital forensics.
Keywords
Cell Phone, Computer Forensics, Social Media, GPS, Multiplayer Games, Game Consoles, Media Devices, Incident Response

Introduction

Originally the field of digital forensics only included computers, primarily personal computers. Over the last 20 years or so, as computers have become connected through small local networks and ultimately through the largest network of them all, the Internet, the term computer forensics has become too limited to encompass the entire field. Because of this, most examiners who practice more than just computer forensics have taken to calling their discipline digital forensics.
The field of digital forensics has expanded to include network forensics as well, and includes such areas of expertise as investigating network security breaches, hacking attempts, and data theft.
With the introduction of computer processing into other devices, such as global positioning system (GPS) units, automobiles, truck black boxes, cellular phones, answering machines, copy and fax machines, and so forth, the field has expanded to add additional subdisciplines.
Each of the subdisciplines can be part of a digital forensic examiner’s expertise, but not all have to be. Some examiners choose to specialize in one area, such as computer forensics, without ever adding cellular phone forensics or GPS to their repertoire of skills.

3.1. The subdisciplines

This is not a comprehensive list of all the subdisciplines in the digital forensics field. To enumerate and explain them all would be a book in itself. However, the subdisciplines covered in this chapter are the ones you are most likely to hear about or encounter in the course of your legal practice or as part of your business if you’re involved in a legal matter involving some type of digital evidence.

3.2. Computer forensics

Computer forensics is the oldest of the subdisciplines that make up digital forensics, and many practitioners focus on this one area alone. Computers are often the main source of digital evidence in a case, and with good reason. They contain a massive amount of useful information in and of themselves, and they also hold traces of other devices, such as USB thumb drives, cell phones, digital cameras, and portable hard drives, because almost every device circles back around to a computer at some point. For instance, backing up the information on a cell phone has traditionally meant connecting it to a computer, and the same is true of copying the pictures off a digital camera or the files off a USB thumb drive.
Computer forensics is primarily the examination of evidence found on a computer hard drive, such as user accounts, log files, time stamps, images, e-mails, and in some instances the examination of data on other hardware components within the computer, like the memory. The foundation of computer forensics is data recovery, and much of this subdiscipline revolves around that aspect.

3.2.1. Incident response

Some examiners consider incident response to be a subdiscipline of digital forensics, while others prefer to think of it as a field unto itself. Incident response has many facets, and whole books are devoted to it and to its close neighbor, network forensics: network security, hacking and counterhacking, intrusion detection, malware, and rootkits. The “incident” in incident response is a network security breach or attack. The attack can come from an outside hacker, from a person within the organization, or from malicious code in the form of a worm, Trojan horse, or other malware. An incident response expert works to identify attacks against a network, determine whether the problem has spread and how to contain it, and then eliminate any malicious code. If necessary, compromised data is restored from clean backup copies. Incident response experts also work to educate information technology (IT) personnel within an organization on the security measures appropriate for protecting their network.
For a more complete treatment of incident response, we suggest visiting the SANS Institute website at www.sans.org where you can find numerous white papers and other information explaining incident response in detail. In our opinion, the SANS institute is the de facto standard in training and education for incident response professionals. Another excellent resource to learn more about incident response is the blog of Rob Lee, who is an industry leader in the area of incident response. You can find his blog at http://computer-forensics.sans.org. We also suggest the books by Harlan Carvey, a well-known practitioner in incident response. You can find Harlan’s blog at http://windowsir.blogspot.com.

3.2.2. Cell phone forensics

Cell phone forensics includes the examination of cell phones, as well as the records created by cell phone service providers like cell phone billing information and call detail records (CDRs).
The examination of cell phones has become as common as the examination of computers because of their widespread use; just try to think of someone you know who does not own one. Cell phones contain a wealth of information, and examining them can recover data of evidentiary value: contacts, text messages, images, videos, audio recordings, and e-mail. Deleted information can be recovered from some phones as well. Because there are thousands of makes and models of cell phones, on top of the different types of networks and service providers, how much data can be recovered from a given phone is determined on a case-by-case basis. The general rule of thumb is that the more like a computer a phone is, a BlackBerry or iPhone for instance, the greater the likelihood of recovering all of the data from it, deleted data included.
While the number of digital forensic professionals who examine cell phones is increasing, the number who examine CDRs is growing at a much slower pace. Call detail records contain the numbers called from a particular phone, the date, time, and duration of each call, and the cell site (tower and sector) that handled it. Cell site information can indicate the general location of a person and their movement over time, based on their cell phone activity. However, it places the phone somewhere within the coverage area of the serving sector, which can span several miles, and a phone does not always connect to the nearest tower. Using cell phone records to establish a person's whereabouts therefore depends entirely on correct analysis of the CDRs together with accurate historical cell site data: where the tower stood, how its sectors were oriented, and what its coverage was at the time of the call. Additionally, the United States has the emergency 911 location service, which is triggered when a person dials 911 on their cell phone. This type of geolocation uses the phone's GPS receiver or network measurements and can be very accurate; it should not be confused with geolocation from cell site information. This is covered in detail in Chapter 37.

3.2.3. GPS forensics

A few years ago it was uncommon to see a car with a global positioning system (GPS) unit in it. As prices have dropped and the technology has improved, they have become much more common. Today many vehicles, rental cars for instance, carry GPS tracking devices that the driver may not even know about. GPS forensics includes the examination of GPS units as well as GPS records. The examination of a GPS unit can yield recently visited locations, favorite locations, and locations navigated to by address or street intersection. It is also possible to recover deleted information from many GPS units.
GPS records are also valuable as evidence, even when the unit itself cannot be obtained. Records can show the movement of a person or vehicle. From the time-stamped positions a GPS unit stores, it is possible to estimate how fast someone was driving, whether they made any stops, and for how long.
If a person is suspected of a crime, GPS records can help determine whether that person went to the location where the incident happened, whether they were ever near it in the vehicle, or whether the timeframe even allows for the possibility of that person being a suspect. For instance, assume a suspect is accused of committing a murder at one location and then dumping the body at another within a one-hour timeframe. If it takes an hour and a half to drive from the scene of the incident to the location of the body, the plausibility of that argument takes a serious hit. It is also important to note that GPS units and GPS tracking are not perfect. There are situations where the recorded data is highly suspect and bears no relation to the actual location of the device: errors introduced in transmission when a third party collects the unit's positions, faulty devices, and places where the unit has no clear view of the sky, such as parking garages or streets between tall buildings, where the receiver may report no fix or a wildly wrong one.
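The plausibility checks described for cell site records in 3.2.2 and for GPS tracks above, as an added worked example that is not from this book: it computes per-leg speed and stops from a track, tests whether a distance fits inside a time window, and, for consecutive call detail records, the lowest speed consistent with the phone being anywhere inside each cell's coverage area. The track points, tower coordinates, coverage radii and call records are constructed for the example; the 110 km/h and 130 km/h speed ceilings are assumptions to be adjusted to the roads in question.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _ts(text):
    """Timestamps in the constructed data are UTC; real exports must be checked for local time."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def track_segments(points):
    """Per-leg distance, elapsed seconds and average speed for a track of (time, lat, lon) fixes."""
    legs = []
    for (t0, la0, lo0), (t1, la1, lo1) in zip(points, points[1:]):
        secs = (_ts(t1) - _ts(t0)).total_seconds()
        km = haversine_km(la0, lo0, la1, lo1)
        legs.append({"start": t0, "end": t1, "km": round(km, 3), "secs": secs,
                     "kmh": round(km / secs * 3600, 1) if secs > 0 else None})
    return legs


def find_stops(points, radius_km=0.05, min_secs=300):
    """Runs of fixes that stay within radius_km of the run's first fix for at least min_secs."""
    stops, i = [], 0
    while i < len(points):
        j = i
        while j + 1 < len(points) and haversine_km(points[i][1], points[i][2],
                                                   points[j + 1][1], points[j + 1][2]) <= radius_km:
            j += 1
        secs = (_ts(points[j][0]) - _ts(points[i][0])).total_seconds()
        if j > i and secs >= min_secs:
            stops.append({"from": points[i][0], "to": points[j][0], "secs": secs})
        i = j + 1
    return stops


def timeline_feasible(km, window_secs, max_kmh=110.0):
    """Could km be driven inside window_secs without exceeding max_kmh? (The chapter's one-hour test.)"""
    return km / max_kmh * 3600 <= window_secs


def cdr_speed_floor(records, towers, max_kmh=130.0):
    """For consecutive call detail records, the lowest speed consistent with the phone being
    anywhere inside each serving cell's coverage circle. Cell site data locates the phone in an
    area, not at a point, so only this lower bound is defensible; a floor above max_kmh means the
    records or the tower mapping are suspect, not that the phone moved that fast."""
    out = []
    for (t0, c0), (t1, c1) in zip(records, records[1:]):
        (la0, lo0, r0), (la1, lo1, r1) = towers[c0], towers[c1]
        gap = max(0.0, haversine_km(la0, lo0, la1, lo1) - r0 - r1)   # closest the two circles come
        secs = (_ts(t1) - _ts(t0)).total_seconds()
        floor = gap / secs * 3600 if secs > 0 else (math.inf if gap > 0 else 0.0)
        out.append({"from": c0, "to": c1, "min_km": round(gap, 2),
                    "min_kmh": round(floor, 1), "suspect": floor > max_kmh})
    return out


# Constructed sample data (not real CDRs, GPS logs or tower sites).
TRACK = [
    ("2011-03-14 09:00:00", 35.2271, -80.8431),
    ("2011-03-14 09:10:00", 35.2272, -80.8432),   # still parked: about 14 m from the first fix
    ("2011-03-14 09:40:00", 35.4000, -80.6000),   # about 29 km away half an hour later
    ("2011-03-14 09:41:00", 35.4001, -80.6001),
]
TOWERS = {   # cell id -> (lat, lon, assumed coverage radius in km)
    "CELL-A": (35.2271, -80.8431, 3.0),
    "CELL-B": (35.4000, -80.6000, 3.0),
    "CELL-C": (36.1000, -79.8000, 3.0),
}
CDRS = [
    ("2011-03-14 09:05:00", "CELL-A"),
    ("2011-03-14 09:40:00", "CELL-B"),
    ("2011-03-14 09:45:00", "CELL-C"),   # about 100 km from CELL-B five minutes later: a data problem
]

if __name__ == "__main__":
    for leg in track_segments(TRACK):
        print("leg", leg)
    print("stops", find_stops(TRACK))
    print("29 km in one hour feasible:", timeline_feasible(29, 3600))
    print("165 km in one hour feasible:", timeline_feasible(165, 3600))
    for hop in cdr_speed_floor(CDRS, TOWERS):
        print("cdr", hop)
```

The CDR check deliberately subtracts both coverage radii before computing a speed: that is the only number the records support, and it is what keeps an examiner from claiming a phone was "at" a tower. A hop flagged as suspect is a reason to go back to the carrier for the tower's historical location and sector data, not a finding about the phone.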

3.2.4. Media device forensics

Digital music players, digital audio recorders, personal digital assistants (PDAs), USB thumb drives, portable hard drives: these are media devices. Examining them can yield useful data, both the files that exist on them and deleted files recovered from them. When plugged into a computer, these devices also leave information about themselves on that computer: the device's make, model, and serial number, and the dates and times it was first and last connected. Shortcut files and recent-document lists on the computer can further show which files were opened from the device, and when.
There are many possibilities for finding data of evidentiary value on media devices. On a digital audio recorder, deleted audio recordings can be recovered. A music player, like an iPod, can be used like a portable hard drive to steal or hide data. These devices may be designed to play music or keep up with your calendar, but at their base level they are still storage devices, and most function exactly like a normal hard drive when connected to a computer.
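An added example, not from this book, of pulling the device traces just described out of a Windows setupapi.dev.log, the driver-install log that Windows 7 and later keep: vendor, product, revision, the device's instance id, and the first-install time. The log lines below are constructed in that file's format; the regular expressions are this example's own, and the rule that an instance id whose second character is "&" was generated by Windows because the device reported no serial number is the documented Windows convention for device instance ids.

```python
import re
from datetime import datetime

# Header line of a USBSTOR device-install section in setupapi.dev.log.
_INSTALL = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - "
    r"USBSTOR\\Disk&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)&Rev_(?P<rev>[^\\]+)"
    r"\\(?P<instance>[^\]]+)\]")
# The "Section start" line that follows it carries the install timestamp.
_START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_usbstor_installs(log_text):
    """One record per USBSTOR device-install section: vendor, product, revision, the instance id
    (the device's serial number, or a Windows-generated id when the device has none) and the
    first-install time. setupapi.dev.log timestamps are local time, not UTC."""
    records, pending = [], None
    for line in log_text.splitlines():
        m = _INSTALL.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = _START.match(line)
        if m and pending is not None:
            instance = pending["instance"]
            # Windows synthesises the id when the device reports no serial; its second
            # character is then '&'. Only a device-reported serial identifies the physical unit.
            reported = len(instance) > 1 and instance[1] != "&"
            pending["serial_is_device_reported"] = reported
            pending["serial"] = instance.split("&")[0] if reported else None
            pending["first_install"] = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            records.append(pending)
            pending = None
    return records


# Constructed log excerpt in setupapi.dev.log format; no real device or machine is involved.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_ExampleCo&Prod_Thumb_Drive&Rev_1.26\\4C530012345678901234&0]
>>>  Section start 2011/03/14 09:26:53.437
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2011/03/14 09:26:55.102
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\6&2a7b3c4d&0&_&0]
>>>  Section start 2011/03/15 21:04:10.001
<<<  Section end 2011/03/15 21:04:12.770
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for rec in parse_usbstor_installs(SAMPLE_LOG):
        print(rec["first_install"], rec["vendor"], rec["product"], rec["rev"],
              "serial:", rec["serial"] or "(none reported; id generated by Windows)")
```

The first-install time in this log is the earliest the device was seen on that machine; later connections are recorded elsewhere (the registry's USBSTOR and MountedDevices keys), so a full connection history needs both sources, and all of them are in the machine's local time.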

3.2.5. Social media forensics

The past decade has seen an explosion of interest in the number and popularity of social media websites and programs. Programs like MySpace, Facebook, Twitter, and LinkedIn are commonly used social media outlets. It is common for people to have accounts with multiple social media outlets. For instance, someone might have a Facebook account to communicate with their friends and family, and a LinkedIn account to keep up with their business associates and other professionals. Social media has become the preferred method of communication for many, even surpassing e-mail in its popularity. This is especially true for the younger generations, who in many cases communicate solely via social media outlets.
Any type of communication inevitably leads to the possibility of evidence. The popularity of social media has brought about the need for social media forensics. This subdiscipline of digital forensics focuses on the ability to locate and examine social media communication on the Internet and as artifacts left on hard drives and cell phones. For instance, when a forensic examination is performed on a computer, social media programs could be installed, or data concerning websites like Facebook or MySpace could be found. This information could then be used to perform a social media investigation to find information about the online activity and communication of the person of interest.

3.2.6. Digital video and photo forensics

Digital video and photo forensics are grouped together for a reason. A photo is a still image, and a video is a sequence of still images, called frames. When you watch a video, the frames change so fast that they appear as continuous movement. Five minutes of television is actually thousands of frames changing too quickly for the eye to pick out the individual images. Think of a cartoon flipbook: each page is a still drawing, but flip the pages quickly and the drawing appears to move.
Digital video and photo forensics is the enhancement and analysis of these individual frames. The primary difference between the two is scale: with a photo you enhance one image at a time, and with a video you might enhance a thousand. Stringent care must be taken in the enhancement and analysis of videos and photos. The examiner works on a copy, never the original, and documents each processing step so that the result can be reproduced, because either too much enhancement or the wrong kind can damage the photo or video from an evidentiary perspective: these processes can create anomalies or features that were not there originally.

3.2.7. Digital camera forensics

Digital cameras have all but replaced film cameras, with the exception of disposable cameras. A traditional film negative records only the picture taken. A digital camera records the picture plus a great deal of information about it, embedded in the image file as metadata (Exif data). This metadata can include information of evidentiary value, such as the make and model of camera used, in some cameras the body's serial number, and the date and time the picture was taken.
It is possible to recover deleted pictures from a digital camera. Even without the camera itself, the pictures alone can be useful as evidence. If an examination is performed only on a computer, and pictures taken with a digital camera are found, the metadata within the pictures can be used to link them back to a specific camera. Two cautions apply: the date and time come from the camera's own clock, which may never have been set correctly, and the metadata is ordinary data in the file that editing software can change or strip, so it corroborates other evidence rather than proving anything on its own.
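An added example, not from this book, showing the metadata the text refers to: a minimal JPEG/Exif reader that walks the file's marker segments, decodes IFD0 and the Exif IFD, and returns the Make, Model and BodySerialNumber fields used to tie a picture to a camera. The sample file is constructed by build_exif_jpeg and carries no image data; the tag numbers are those of the Exif specification, and the reader is limited to ASCII and LONG fields, which is enough for the camera-identification tags.

```python
import struct

# Tag numbers from the Exif/TIFF specifications that this example decodes.
TAG_NAMES = {
    0x010F: "Make",
    0x0110: "Model",
    0x0132: "DateTime",
    0x8769: "ExifIFDPointer",
    0x9003: "DateTimeOriginal",
    0xA431: "BodySerialNumber",
}
ASCII, LONG = 2, 4          # TIFF field types used here


def build_exif_jpeg(ifd0_tags, exif_tags):
    """Build a minimal JPEG (SOI, APP1/Exif, EOI) carrying ASCII tags in IFD0 and the Exif IFD.
    This is a constructed fixture for exercising the parser; it contains no image data."""
    n0, n1 = len(ifd0_tags) + 1, len(exif_tags)        # +1 for the ExifIFD pointer entry
    ifd0_off = 8
    exif_off = ifd0_off + 2 + 12 * n0 + 4
    data_off = exif_off + 2 + 12 * n1 + 4             # out-of-line string values start here
    data = bytearray()

    def entry(tag, text):
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:                              # values up to 4 bytes sit inside the entry
            return struct.pack("<HHI4s", tag, ASCII, len(raw), raw.ljust(4, b"\x00"))
        offset = data_off + len(data)
        data.extend(raw)
        return struct.pack("<HHII", tag, ASCII, len(raw), offset)

    ifd0 = struct.pack("<H", n0)
    ifd0 += b"".join(entry(t, v) for t, v in sorted(ifd0_tags.items()))
    ifd0 += struct.pack("<HHII", 0x8769, LONG, 1, exif_off) + struct.pack("<I", 0)
    exif = struct.pack("<H", n1)
    exif += b"".join(entry(t, v) for t, v in sorted(exif_tags.items()))
    exif += struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off) + ifd0 + exif + bytes(data)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def _read_ifd(tiff, endian, offset, tags, seen):
    """Decode one IFD into tags and follow the ExifIFD pointer; refuse to loop on malformed files."""
    if offset in seen or offset + 2 > len(tiff):
        return
    seen.add(offset)
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(count):
        e = tiff[offset + 2 + 12 * i: offset + 14 + 12 * i]
        if len(e) < 12:
            return                                     # truncated IFD: stop rather than guess
        tag, typ, n = struct.unpack(endian + "HHI", e[:8])
        name = TAG_NAMES.get(tag, "Tag%04X" % tag)
        if typ == ASCII:
            if n <= 4:
                raw = e[8:8 + n]
            else:
                off = struct.unpack(endian + "I", e[8:12])[0]
                raw = tiff[off:off + n]
            tags[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == LONG and n == 1:
            value = struct.unpack(endian + "I", e[8:12])[0]
            if tag == 0x8769:
                _read_ifd(tiff, endian, value, tags, seen)
            else:
                tags[name] = value


def parse_exif(jpeg):
    """Walk JPEG marker segments, find APP1/Exif, and return a {tag name: value} dict."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                             # EOI reached without an Exif segment
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            tiff = segment[6:]
            endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
            if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
                raise ValueError("APP1 segment is not valid TIFF/Exif")
            tags = {}
            _read_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0], tags, set())
            return tags
        pos += 2 + length
    return {}


def camera_fingerprint(tags):
    """The fields a picture can be linked back to a camera with. They are plain, editable bytes,
    so this is a lead to corroborate against the camera itself, not proof on its own."""
    return tuple(tags.get(k) for k in ("Make", "Model", "BodySerialNumber"))


# Constructed sample of what a camera might write; no real device or image is involved.
SAMPLE_JPEG = build_exif_jpeg(
    {0x010F: "ExampleCam", 0x0110: "EC1", 0x0132: "2011:03:14 09:26:53"},
    {0x9003: "2011:03:14 09:26:53", 0xA431: "SN-0001"},
)

if __name__ == "__main__":
    for name, value in sorted(parse_exif(SAMPLE_JPEG).items()):
        print(name, "=", value)
    print("fingerprint:", camera_fingerprint(parse_exif(SAMPLE_JPEG)))
```

Two things worth noticing when running it: replacing the serial-number bytes in the file with another string of the same length yields a file that parses just as cleanly, which is the whole of the "metadata is not authenticated" caution, and the DateTime fields carry no time zone, so they mean whatever the camera's clock was set to.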

3.2.8. Digital audio forensics

Digital audio forensics consists of the enhancement and analysis of audio recordings created with any type of digital recording device. Audio forensics can be used to verify the integrity of a recording, or to show that it has been tampered with. If a recording is of poor quality, the audio track can be enhanced so that voices become more intelligible or background sounds of interest can be heard more easily.
It is also possible to perform voice pattern recognition with specialized forensic software. Such programs allow for the possible attribution of voices in a recording to particular people, and they include safeguards to reduce the possibility of a false positive. The other method of voice pattern recognition is the manual examination of a spectrogram, a visual representation of audio. Just as sheet music shows which notes to play and for how long, a spectrogram shows the frequency and intensity of the sound over time.

3.2.9. Multiplayer game forensics

The most popular form of game today is the multiplayer game, especially Massively Multiplayer Online Role Playing Games (MMORPGs). Tens of millions of people play MMORPGs. These games typically consist of a person creating a character, with which they then explore an online world, level up, and join guilds and clans composed of other people who subscribe to the game. It is not uncommon for people to play online games for as much as 60 hours a week. We have seen instances where people have played a MMORPG for over 100 days in a single year. The 100 days is not the life of a character; it is in fact the actual amount of time a person was sitting in front of a computer, logged in to their character, and playing the game. The actual amount of time someone has spent playing one of these characters can be shown in the game itself by typing the /played command into the game interface.
These games keep track of a lot of information about the people who play them. The programs store information about each session played and the length of that session, the in-game chat logs, and the characters associated with an account.
The records created by multiplayer games can be used to build timelines, establish alibis, and find in-game chatting of interest. Multiplayer online game evidence is covered in Chapter 41.

3.2.10. Game console forensics

Game consoles today, like an Xbox, Nintendo Wii, or Sony PlayStation, are basically computers: they contain storage (a hard drive or flash memory) just like a computer, and they run an operating system, just like a computer.
Since they are basically computers, they store information in a similar fashion. Many people use their gaming system to browse the Internet and watch movies, not just for playing games. This information is stored on the hard drive inside the gaming console. This means that information can be recovered, including deleted information from a gaming console.
To play games online using a console gaming system, a person must create an online account. With an Xbox, for instance, a person has to subscribe to Xbox Live. This creates information that can be used as evidence since that person now has an online identity, and parts of that information are saved on the gaming console.
A gaming console and a computer can be used in conjunction as evidence. With some games there is the option to have e-mails sent to you detailing your performance in a match. For instance, with the Madden football games, you can have an e-mail sent to you upon the completion of a game that details your performance. Information like this may seem insignificant, but it can be used to place the person at their gaming system at a particular date and time, and therefore establish an alibi.

Summary

This chapter summarized the different subdisciplines in digital forensics, with a brief description of each. Its purpose was to give a general overview of the subdisciplines that make up digital forensics and that are most commonly seen in legal matters involving electronic evidence.