The Official CHFI Study Guide (Exam 312-49) for Computer Hacking Forensics Investigators, Dave Kleiman
Technical Editor
Dave Kleiman (CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE, MVP) has worked in the information technology security sector since 1990. Currently, he runs an independent computer forensic company, DaveKleiman.com, which specializes in litigation support, computer forensic investigations, incident response, and intrusion analysis. He developed a Windows operating system lockdown tool, S-Lok, which surpasses NSA, NIST, and Microsoft Common Criteria Guidelines.
Dave was a contributing author for Microsoft Log Parser Toolkit (Syngress Publishing, ISBN: 1-932266-52-6), Security Log Management: Identifying Patterns in the Chaos (Syngress Publishing, ISBN: 1597490423), and How to Cheat at Windows System Administration (Syngress Publishing, ISBN: 1597491055). Dave was technical editor for Perfect Passwords: Selection, Protection, Authentication (Syngress Publishing, ISBN: 1597490415); Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress Publishing, ISBN: 1597490792); Windows Forensic Analysis: Including DVD Toolkit (Syngress Publishing, ISBN: 159749156X); and CD and DVD Forensics (Syngress Publishing, ISBN: 1597491284). He was also a technical reviewer for Enemy at the Water Cooler: Real Life Stories of Insider Threats (Syngress Publishing, ISBN: 1597491292).
He is frequently a speaker at many national security conferences and is a regular contributor to security-related newsletters, Web sites, and Internet forums. Dave is a member of many professional security organizations, including the Miami Electronic Crimes Task Force (MECTF), International Association of Counter Terrorism and Security Professionals (IACSP), International Society of Forensic Computer Examiners (ISFCE), Information Systems Audit and Control Association (ISACA), High Technology Crime Investigation Association (HTCIA), Association of Certified Fraud Examiners (ACFE), and the High Tech Crime Consortium (HTCC). He is also the Sector Chief for Information Technology at the FBI's InfraGard.
Contributors
Kevin Cardwell (CEH, ECSA, LPT) works as a freelance consultant and provides consulting services for companies throughout the U.S., U.K., and Europe. He is an adjunct associate professor for the University of Maryland University College, where he participated in the team that developed the Information Assurance Program for Graduate Students, which is recognized as a Center of Excellence program by the National Security Agency (NSA). He is an instructor and technical editor for computer forensics and hacking courses. He has presented at the Blackhat USA Conference.
During a 22-year period in the U.S. Navy, Kevin tested and evaluated surveillance and weapon system software. Some of this work was on projects like the Multi-Sensor Torpedo Alertment Processor (MSTRAP), Tactical Decision Support System (TDSS), Computer Aided Dead Reckoning Tracer (CADRT), Advanced Radar Periscope Discrimination and Detection (ARPDD), and the Remote Mine Hunting System (RMHS). He has worked as both a software and systems engineer on a variety of Department of Defense projects and was selected to head the team that built a Network Operations Center (NOC) that provided services to the command ashore and ships at sea in the Norwegian Sea and Atlantic Ocean. He served as the leading chief of information security at the NOC for six years prior to retiring from the U.S. Navy. During this time he was the leader of a five-person Red Team.
Kevin wishes to thank his mother, Sally; girlfriend, Loredana; and daughter, Aspen, all of whom are sources of his inspiration. Kevin holds a master's degree from Southern Methodist University and is a member of the IEEE and ACM. Kevin currently resides in Cornwall, England.
Marcus J. Carey (CISSP, CTT+) is the president of Sun Tzu Data, a leading information assurance and infrastructure architecture firm based out of central Maryland. Marcus' specialty is network architecture, network security, and network intrusion investigations. He served over eight years in the U.S. Navy's cryptology field. During his military service Marcus engineered, monitored, and defended the U.S. Department of Defense's secure networks.
Marcus holds a master's degree from Capitol College, where he also serves as professor of information assurance. Marcus currently resides in central Maryland with his family, Mandy, Erran, Kaley, and Christopher.
Timothy Clinton has held multiple roles in the EDD/ESI vendor space. He is currently employed as forensics
operations manager for the National Technology Center division of Document Technologies, Inc. (DTI), a major
ESI service. Since joining the DTI team, Mr. Clinton has served in multiple roles, including EDD production
manager, technical architect, and forensic investigator. He has conducted and managed investigations for numerous
civil cases regarding matters for Fortune 50 of law. Mr. Clinton's most notable achievement while at DTI is being
responsible for the design and implementation of a showcase data forensics laboratory in Atlanta, Georgia.
Edward Collins (CISSP, CEH, Security+, MCSE:Security, MCT) is a senior security analyst for CIAN, Inc., where he is responsible for conducting penetration tests, threat analysis, and security audits. CIAN (www.ciancenter.com) provides commercial businesses and government agencies with all aspects of information security management, including access control, penetration testing, audit procedures, incident response handling, intrusion detection, and risk management. Edward is also a training consultant, specializing in MCSE and Security+ certifications. Edward's background includes positions as information technology manager at Aurora Flight Sciences and senior information technology consultant at Titan Corporation.
James "Jim" Cornell (CFCE, CISSP, CEECS) is an employee of Computer Sciences Corp. (CSC) and an instructor/course developer at the Defense Cyber Investigations Training Academy (DCITA), which is part of the Defense Cyber Crime Center (DC3) in Maryland. At the academy he teaches network intrusions and investigations, online undercover techniques, and advanced log analysis. He has over 26 years of law enforcement and over 35 years of electronics and computer experience. He is a member/coach of the International Association of Computer Investigative Specialists (IACIS) and a member of the International Information Systems Forensics Association (IISFA) and the International Information Systems Security Certification Consortium (ISC2). He is currently completing the Certified Technical Trainer (CTT+) process and is a repeat speaker at the annual Department of Defense Cyber Crime Conference.
He would like to thank his mother for more than he can say, his wife for her patience and support, and Gilberto for being the best friend ever.
Michael Cross (MCSE, MCP+I, CNA, Network+) is an internet specialist/programmer with the Niagara
Regional Police Service. In addition to designing and maintaining the Niagara Regional Police's Web site
(www.nrps.com) and intranet, he has also provided support and worked in the areas of programming, hardware,
database administration, graphic design, and network administration. In 2007, he was awarded a Police
Commendation for work he did in developing a system to track high-risk offenders and sexual offenders in the
Niagara Region. As part of an information technology team that provides support to a user base of over 1,000
civilian and uniformed users, his theory is that when the users carry guns, you tend to be more motivated in
solving their problems.
Michael was the first computer forensic analyst in the Niagara Regional Police Service's history, and for five
years he performed computer forensic examinations on computers involved in criminal investigations. The com-
puters he examined for evidence were involved in a wide range of crimes, inclusive to homicides, fraud, and pos-
session of child pornography. In addition to this, he successfully tracked numerous individuals electronically, as in
cases involving threatening e-mail. He has consulted and assisted in numerous cases dealing with computer-
related/Internet crimes and served as an expert witness on computers for criminal trials.
Michael has previously taught as an instructor for IT training courses on the Internet, Web development, pro-
gramming, networking, and hardware repair. He is also seasoned in providing and assisting in presentations on
Internet safety and other topics related to computers and the Internet. Despite this experience as a speaker, he still
finds his wife won't listen to him.
Michael also owns KnightWare, which provides computer-related services like Web page design, and
Bookworms, which provides online sales of merchandise. He has been a freelance writer for over a decade and has
been published over three dozen times in numerous books and anthologies. When he isn't writing or otherwise
attached to a computer, he spends as much time as possible with the joys of his life: his lovely wife, Jennifer; dar-
ling daughter Sara; adorable daughter Emily; and charming son Jason.
Michael Gregg is the president of Superior Solutions, Inc. and has more than 20 years' experience in the IT field. He holds two associate's degrees, a bachelor's degree, and a master's degree and is certified as CISSP, MCSE, MCT, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and TICSA.
Michael's primary duties are to serve as project lead for security assessments helping businesses and state agencies secure their IT resources and assets. Michael has authored four books, including: Inside Network Security Assessment, CISSP Prep Questions, CISSP Exam Cram 2, and Certified Ethical Hacker Exam Prep 2. He also was the lead author for Hack the Stack: Using Snort and Ethereal to Master the Eight Layers of an Insecure Network (Syngress, ISBN: 9781597491099). He has developed four high-level security classes, including Global Knowledge's Advanced Security Boot Camp, Intense School's Professional Hacking Lab Guide, ASPE's Network Security Essentials, and Assessing Network Vulnerabilities. He has created over 50 articles featured in magazines and Web sites, including Certification Magazine, GoCertify, The El Paso Times, and SearchSecurity.
Michael is also a faculty member of Villanova University and creator of Villanova's college-level security classes, including Essentials of IS Security, Mastering IS Security, and Advanced Security Management. He also serves as a site expert for four TechTarget sites, including SearchNetworking, SearchSecurity, SearchMobileNetworking, and SearchSmallBiz. He is a member of the TechTarget Editorial Board.
Justin Peltier is a senior security consultant with Peltier Associates, with over 10 years of experience in firewall and security technologies. As a consultant, Justin has been involved in implementing, supporting, and developing security solutions, and he has taught courses on many facets of information security, including vulnerability assessment and CISSP preparation. His previous employment was at Suntel Services, where he directed the company's security practice development. Prior to that, Justin was with Netigy, where he was involved in the company's corporate training efforts.
Justin currently holds 10 professional certifications in an array of technical disciplines.
Justin has led classes across the United States, as well as in Europe and Asia, for Peltier Associates, Sherwood Associates, Computer Security Institute, ISC2, the Mark I. Sobell Training Institute, Netigy Corporation, and Suntel Services.
Sondra Schneider is CEO and Founder of Security University, a Vienna, VA-based Qualified Computer Security and Information Assurance Training Company. For the past 18 years Sondra has been traveling around the world training network professionals to be network and security professionals. In 2004 she was awarded Entrepreneur of the Year at the First Annual Woman of Innovation Awards from the Connecticut Technology Council. She sits on the advisory board for three computer security technology companies and is a frequent speaker at computer security and wireless industry events. She is a founding member of the NYC HTCIA and IETE and she works closely with ISC2, ISSA, and ISACA chapters and the vendor community to provide qualified computer security training and feedback. Sondra holds the CISSP, CEH, ECSA, LPT, and CHFI credentials.
Jesse Varsalone (A+, Linux+, Net+, iNet+, Security+, Server+, CTT+, CIW Professional, CWNA, CWSP, MCT, MCSA, MSCE 2000/2003, MCSA/MCSE Security, MCSD, MCDBA, MCSD, CNA, CCNA, MCDST, Oracle 8i/9i DBA, Certified Ethical Hacker) is a computer forensic senior professional at CSC. For four years, he served as the director of the MCSE and Network Security Program at the Computer Career Institute at Johns Hopkins University. For the 2006 academic year, he served as an assistant professor of computer information systems at Villa Julie College in Baltimore, Maryland. He taught courses in networking, Active Directory, Exchange, Cisco, and forensics.
Jesse holds a bachelor's degree from George Mason University and a master's degree from the University of South Florida. He runs several Web sites, including mcsecoach.com, which is dedicated to helping people obtain their MCSE certification. He currently lives in Columbia, Maryland, with his wife, Kim, and son, Mason.
Craig Wright has personally conducted in excess of 1,200 IT security-related engagements for more than 120 Australian and international organizations in the private and government sectors and now works for BDO Kendall's in Australia.
In addition to his consulting engagements, Craig has also authored numerous IT security-related articles. He also has been involved with designing the architecture for the world's first online casino (Lasseter's Online) in the Northern Territory. He has designed and managed the implementation of many of the systems that protected the Australian Stock Exchange. He also developed and implemented the security policies and procedural practices within Mahindra and Mahindra, India's largest vehicle manufacturer.
He holds (among others) the following industry certifications: CISSP (ISSAP & ISSMP), CISA, CISM, CCE, GNSA, G7799, GWAS, GCFA, GLEG, GSEC, GREM, GPCI, MCSE, and GSPA. He has completed numerous degrees in a variety of fields and is currently completing both a master's degree in statistics (at Newcastle) and a master's degree in law (LLM) specializing in international commercial law (E-commerce Law). Craig is planning to start his second doctorate, a PhD in economics and law in the digital age, in early 2008.
Chapter 1
CHFI
Computer Forensics in Today's World
Exam objectives in this chapter:
• The History of Forensics
• The Objectives of Computer Forensics
• Computer-Facilitated Crimes
• Reasons for Cyber Attacks
• Computer Forensic Flaws and Risks
• Computer Forensics: Rules, Procedures, and Legal Issues
• The Computer Forensic Lab
• Laboratory Strategic Planning for Business
• Elements of Facilities Build-out
• Electrical and Power Plant Considerations
• Essential Laboratory Tools
Introduction
As is often the case with security compromises, it's not a matter of if your company will be compromised, but when.
If I had known the employee I hired was going to resign, break into my office, and damage my computers in the span of three days, hindsight being 20/20, I would have sent notification to the security guards at the front door placing them on high alert and made sure he was not granted access to the building after he resigned. Of course, in hindsight, I should have done a better job of hiring critical personnel. He was hired as a computer security analyst and security hacker instructor, and was (or should have been) the best example of ethical conduct.
Clearly, we see only what we want to see when hiring staff and you won't know whether
an employee is ethical until a compromise occurs. Even if my blinders had been off, I would
have never seen this compromise coming. It boggles the mind to think that anyone would ruin
or jeopardize his career in computer security for so little. But he did break into the building,
and he did damage our computers; therefore, he will be held accountable for his actions, as
detailed in the following forensic information. Pay attention when the legal issues are reviewed.
You will learn bits and pieces regarding how to make your life easier by knowing what you
really need to know "when" your computer security compromise occurs.
Computer forensics is the preservation, identification, extraction, interpretation, and documentation of computer evidence. In Chapter 9 of Cyber Crime Investigations, digital forensics is referred to as "the scientific acquisition, analysis, and preservation of data contained in electronic media whose information can be used as evidence in a court of law."[1]
In the case involving the Hewlett-Packard board of directors, seasoned investigators within
HP and the primary subcontracting company sought clarity on an investigative method they
were implementing for an investigation. The investigators asked legal counsel to determine
whether the technique being used was legal or illegal. Legal counsel determined that the tech-
nique fell within a gray area, and did not constitute an illegal act. As a result, the investigators
used it and were later arrested. This situation could befall any cyber crimes investigator.
In the Hewlett-Packard case, legal counsel did not fully understand the laws relating to
such methodologies and technological issues.The lesson for investigators here is not to assume
that an action you've taken is legal just because corporate counsel told you it was. This is espe-
cially true within the corporate arena. In the HP case, several investigators were arrested,
including legal counsel, for their actions.
In this CHFI study guide, you will learn the concepts of computer forensics and how to
prepare for the EC-Council's Computer Hacker Forensic Investigator exam. This chapter will
review the objectives of computer forensics. It will also discuss computer-facilitated crimes, the
reasons for cyber crime, the computer forensics flaws and risks, modes of attack, digital foren-
sics, and the stages of forensic investigation in tracking cyber criminals. The chapter also covers
various stages of building a computer forensics laboratory.
The History of Forensics
Forensics has been around since the dawn of justice. Cavemen had justice in rules set to protect home and hearth. Francis Galton (1822-1911) made the first recorded study of fingerprints, Leone Lattes (1887-1954) discovered blood groupings (A, B, AB, and O), Calvin Goddard (1891-1955) allowed firearms and bullet comparison for solving many pending court cases, Albert Osborn (1858-1946) developed essential features of document examination, and Hans Gross (1847-1915) made use of scientific study to head criminal investigations. And in 1932, the FBI set up a lab to provide forensic services to all field agents and other law authorities across the country. When you look back at these historic forensic events, you see patterns of confidence in the forensic information recovered and analyzed. You will see in this study guide that today's computer forensics is clearly a new pattern of confidence, acceptance, and analysis.
The Objectives of Computer Forensics
Cyber activity has become an important part of the everyday lives of the general public.
According to the EC-Council, eighty-five percent of businesses and government agencies have
detected a security breach. The examination of digital evidence (media) has provided a medium
for forensic investigators to focus on after an incident has occurred. The ultimate goal of a
computer forensic investigator is to determine the nature and events concerning a crime and to
locate the perpetrator by following a structured investigative procedure.
Working as a team, computer forensic investigators secure systems and networks. Computer forensics is one of the three main functions of computer security: the TRIAD consists of vulnerability assessment and risk management, network intrusion detection, and incident response computer investigations.
What is forensic computing? A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.
--Dr. H.B. Wolfe
Investigators must apply two tests for evidence for both computer forensics and physical forensics to survive in a court of law:
• Authenticity: Where does the evidence come from?
• Reliability: Is the evidence reliable and free of flaws?
Cyber crime includes the following:
• Theft of intellectual property: This pertains to any act that allows access to patents, trade secrets, customer data, sales trends, and any confidential information.
• Damage of company service networks: This can occur if someone plants a Trojan horse, conducts a denial of service attack, installs an unauthorized modem, or installs a back door to allow others to gain access to the network or system.
• Financial fraud: This pertains to anything that uses fraudulent solicitation to prospective victims to conduct fraudulent transactions.
• Hacker system penetrations: These occur via the use of sniffers, rootkits, and other tools that take advantage of vulnerabilities of systems or software.
• Distribution and execution of viruses and worms: These are some of the most common forms of cyber crime.
Cyber crime comprises three things: tools to commit the crime, targets of the crime (victim), and material that is tangential to the crime.
Cyber crime is motivated by many different things. Often it's the thrill of the chase, and a
desire for script kiddies to learn. Sometimes cyber crime is committed by psychologically moti-
vated criminals who need to leave a mark. Other times such crimes are committed by a person
or group that is out for revenge; perhaps it's a disgruntled employee or friend who wants to
embarrass the target. Most likely, a cyber criminal is being paid to gain information; hackers
involved in corporate espionage are the hardest to uncover and often are never seen.
Computer-Facilitated Crimes
Our dependency on the computer has given way to new criminal opportunities. Computers are increasingly being used as a tool for committing crimes, and they are posing new challenges for investigators, for the following reasons:
• The proliferation of PCs and Internet access has made the exchange of information quick and inexpensive.
• The use of easily available hacking tools and the proliferation of underground hacking groups have made it easier to commit cyber crimes.
• The Internet allows anyone to hide his identity while committing crimes.
• E-mail spoofing, creating fake profiles, and committing identity theft are common occurrences, and there is nothing to stop them, making investigation difficult.
• With cyber crimes, there is no collateral or forensic evidence, such as eyewitnesses, fingerprints, or DNA, making these crimes much harder to prosecute.
Reasons for Cyber Attacks
Today, cyber attacks are committed by individuals who are more organized. Cyber crime has
different connotations depending on the situation. Most of us equate cyber crime with what
we see on TV and in the news: porn, hackers gaining access to sensitive government informa-
tion, identity theft, stolen passwords, and so on. In reality, these types of computer crimes
include more often than not, theft of intellectual property, damage of company service net-
works, embezzlement, copyright piracy (software, movie, sound recording), child pornography,
planting of viruses and worms, password trafficking, e-mail bombing, and spam.
Cyber criminals are taught to be more technically advanced than the agencies that plan to thwart them. And today's criminals are more persistent than ever. According to the EC-Council, computer crime is any illegal act involving a computer, its system, or its applications. A computer crime is intentional, not accidental (we discuss this in more detail in the "Legal Issues" section, later in this chapter).
Computer Forensic Flaws and Risks
Computer forensics is in its developmental stage. It differs from other forensic sciences in that digital evidence is examined. There is little theoretical knowledge on which to base assumptions for analysis; standard empirical hypothesis testing, when carried out, lacks proper training and standardization of tools; and lastly, it is still more "art" than "science."
Modes of Attack
There are two categories of cyber crime, differentiated in terms of how the attack takes place:
• Insider attacks: These involve a breach of trust from employees within an organization.
• External attacks: These involve hackers hired by either an insider or an external entity whose aim is to destroy a competitor's reputation.
Stages of Forensic Investigation
in Tracking Computer Crime
A computer forensic investigator follows certain stages and procedures when working on a
case. First he identifies the crime, along with the computer and other tools used to commit
the crime. Then he gathers evidence and builds a suitable chain of custody. The investigator
must follow these procedures as thoroughly as possible. Once he recovers data, he must image,
duplicate, and replicate it, and then analyze the duplicated evidence. After the evidence has
been analyzed, the investigator must act as an expert witness and present the evidence in
court. The investigator becomes the tool which law enforcement uses to track and prosecute
cyber criminals.
For a better understanding of the steps a forensic investigator typically follows, consider the
following, which would occur after an incident in which a server is compromised:
www.syngress.com
8 Chapter 1 • Computer Forensics in Today's World
1. Company personnel call the corporate lawyer for legal advice.
2. The forensic investigator prepares a First Response of Procedures (FRP).
3. The forensic investigator seizes the evidence at the crime scene and transports it to the forensic lab.
4. The forensic investigator prepares bit-stream images of the files and creates an MD5 hash of the files.
5. The forensic investigator examines the evidence for proof of a crime, and prepares an investigative report before concluding the investigation.
6. The forensic investigator hands the sensitive report information to the client, who reviews it to see whether they want to press charges.
7. The FI destroys any sensitive client data.
It is very important that a forensic investigator follows all of these steps and that the process contains no misinformation that could ruin his reputation or the reputation of an organization.
TEST DAY TIP
Here are some great resources on computer incident handling and digital forensics:
■ NIST's "Computer Security Incident Handling Guide," SP800-61, http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
■ NIST's "Guide to Integrating Forensic Techniques into Incident Response," SP800-96, http://csrc.nist.gov/publications/nistpubs/800-96/sp800-96.pdf
■ National Institute of Justice's "Forensic Examination of Digital Evidence: A Guide for Law Enforcement," www.ojp.usdoj.gov/nij/pubs-sum/199408.htm
■ RFC 3227, "Guidelines for Evidence Collection and Archiving," www.faqs.org/rfcs/rfc3227.html
Computer Forensics: Rules, Procedures, and Legal Issues
A good forensic investigator should always follow these rules:
■ Examine original evidence as little as possible. Instead, examine the duplicate evidence.
■ Follow the rules of evidence and do not tamper with the evidence.
■ Always prepare a chain of custody, and handle evidence with care.
■ Never exceed the knowledge base of the FI.
■ Make sure to document any changes in evidence.
If you stay within these parameters, your case should be valuable and defensible.
Digital Forensics
Digital forensics includes preserving, collecting, confirming, identifying, analyzing, recording,
and presenting crime scene information.
Assessing the Case: Detecting/Identifying the Event/Crime
In any type of investigation, the computer forensic examiner must follow an investigation process. That process begins with the step of assessing the case, asking people questions, and documenting the results in an effort to identify the crime and the location of the evidence.
Computer investigations are conducted on two types of computers: the computer used to commit a crime, and the computer that is the target of the crime.
Preservation of Evidence: Chain of Custody
Preserving the chain of custody is the next step. The identification of the evidence must be preserved to maintain its integrity. A chain of evidence must be prepared to record who handled the evidence, and every step taken by the forensic investigator must be documented for inclusion in the final report. Sometimes a computer and its related evidence can determine the chain of events leading to a crime for the investigator, as well as provide the evidence which can lead to conviction.
TEST DAY TIP
A chain of custody is the accurate documentation of the movement and possession of a piece of evidence, from the time it is taken into custody until it is delivered to the court. This documentation helps prevent allegations of evidence tampering. It also proves that the evidence was stored in a legally accepted location, and it documents who is in custody and control of the evidence during the forensic testing phase.
A bit-stream image is an exact duplicate of a computer's hard drive in which the drive is copied from one drive to another, bit by bit. This image is then authenticated to the original by matching a digital signature, which is produced by a mathematical algorithm (usually the MD5 standard) to ensure that no changes have occurred. This method has become the de facto standard and is widely accepted by the industry and the legal system.
Collection: Data Recovery, Evidence Collection
Finding the evidence, discovering relevant data, preparing an Order of Volatility, eradicating external avenues of alteration, gathering the evidence, and preparing a chain of custody are the recommended CHFI processes for collecting data. After you collect data, you should create an MD5 hash of the evidence. Prior to collection, one should do a preliminary assessment to search for the evidence. After the assessment is concluded, collect and seize the equipment used in committing the crime, and document the items collected, such as floppy disks, thumb drives, CDs, DVDs, and external backup drives. A photo of the crime scene should be taken before removing the evidence.
After collecting all the information, the investigator can then list the steps that can be taken during the investigation and then begin. Caution: it is not necessary to seize the entire system. Identify the relevant data and copy that; otherwise, the result can be over-collection.
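The bit-stream image check described in the Test Day Tip above and the MD5 hashing step of the collection process, as an added Python example (not code from the book): the "evidence drive" is a constructed in-memory byte string, the examiner name and item ID are placeholders, and SHA-256 is computed alongside MD5 as an additional check beyond what the chapter describes.

```python
"""Bit-stream imaging with hash authentication.

Added example, not code from the book. The "evidence drive" is a constructed
in-memory byte string so the script runs offline; the same verify step applies
to an image taken from a real device behind a write-blocker.
"""
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 512  # sector-sized reads, as a dd-style imager would do


def image_stream(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst bit for bit, hashing every byte read from the source.
    Returns (bytes_copied, md5_hex, sha256_hex) of the source stream."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    copied = 0
    while True:
        block = src.read(block_size)
        if not block:
            break
        md5.update(block)
        sha256.update(block)
        dst.write(block)
        copied += len(block)
    return copied, md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """MD5 (the chapter's de facto standard) plus SHA-256 as a second check."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def acquire(evidence_bytes, examiner, item_id):
    """Image the evidence, then authenticate the image against the original
    by re-hashing the copy. Returns a record for the chain-of-custody log."""
    src = io.BytesIO(evidence_bytes)
    dst = io.BytesIO()
    size, src_md5, src_sha = image_stream(src, dst)
    image = dst.getvalue()
    img_md5, img_sha = hash_bytes(image)
    verified = src_md5 == img_md5 and src_sha == img_sha and size == len(image)
    return {
        "item_id": item_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "md5": src_md5,
        "sha256": src_sha,
        "image_verified": verified,
        "image": image,
    }


def verify_image(record, image_bytes):
    """Re-hash a stored image (before analysis, or again for court) and compare
    with the hashes recorded at acquisition; any single-bit change fails."""
    md5, sha = hash_bytes(image_bytes)
    return md5 == record["md5"] and sha == record["sha256"]


# Constructed 4 KiB "drive": a fake boot sector followed by a deleted-file remnant.
EVIDENCE = (b"MBR" + b"\x00" * 509 + b"invoice.doc deleted 2007-01-15").ljust(4096, b"\xff")

if __name__ == "__main__":
    rec = acquire(EVIDENCE, examiner="J. Doe (placeholder)", item_id="ITEM-001")
    print("MD5    :", rec["md5"])
    print("SHA-256:", rec["sha256"])
    print("image authenticated:", rec["image_verified"])  # True
    tampered = bytearray(rec["image"])
    tampered[1000] ^= 0x01  # flip one bit in the copy
    print("tampered copy verifies:", verify_image(rec, bytes(tampered)))  # False
```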
TEST DAY TIP
Sterilize all the media to be used in the examination process, enter the crime scene, take a snapshot of the scene, and then carefully scan the data sources. Retain and document the state and integrity of items at the crime scene, then transport the evidence to the forensic facility.
Examination: Tracing, Filtering, Extracting Hidden Data
The examination process follows the collection process. The computer forensic investigator must trace, filter, and extract hidden data during the process. Some evidence cannot last for long. Such evidence is called volatile evidence because it needs a consistent power supply for storage. There is also evidence that contains information that keeps changing. CHFI investigators must review registers and cache, routing tables, ARP cache, process tables, and kernel statistics and modules.
In Windows Forensic Analysis DVD Toolkit, Harlan Carvey looks at the order of volatility from a "live system" view (see Chapter 1 of Windows Forensic Analysis DVD Toolkit, Elsevier Inc., 2007). Volatile data must be preserved in order of volatility, with the most volatile data preserved first. This applies to live systems for the most part, but the way in which we approach live systems will become more important in the near future. An example of an order of recovery of system data according to volatility looks like this:
■ Virtual memory: swap space or paging files
■ Physical disks: the physical hard disks of a system
■ Backups: offline backup media such as magnetic tape or other media. It is entirely possible that the data you are looking for is not on the system today, but it was there yesterday and is on last night's backup.
TEST DAY TIP
It is essential that there is minimal tampering with the evidence, because it can alter the exact copy of the evidence.
Analysis
Analysis of the data is greatly different from retrieving the evidence and depends greatly on how exact the copy is. There are various techniques to capture an exact forensic copy of the evidence disk so you can analyze the data. Analysis should be done on the duplicate copy so that the original evidence is protected from alteration, because the first rule of forensics is to preserve the original evidence. Once a copy is created, use the copy for all further processing. Analysis can be carried out using various forensic analysis tools such as EnCase, Access Data, etc.
Approach the Crime Scene
Because most documents are now electronic, because searching for and identifying data in a computer requires specific skills, and because digital evidence is delicate in nature (recovering deleted, encrypted, or corrupted files from a system), there is a growing need for forensic investigators to approach crime scenes.
An investigator, if trained properly, will ensure that:
■ No possible evidence is damaged, destroyed, or compromised by the forensic procedures used to investigate the computer (preservation of evidence).
■ No computer malware, or other harmful software, is introduced to the computer being investigated (non-contamination of evidence).
■ Any extracted or relevant evidence is properly handled and protected from later mechanical or electromagnetic damage (extraction and preservation of evidence).
■ A continuing chain of custody is established and maintained (accountability of evidence).
■ Normal operations are affected for only a limited amount of time (limited interference of the crime scene on normal life).
Where and When Do You Use Computer Forensics?
Use computer forensics when there is a need to provide real evidence, such as reading bar codes and magnetic tapes, and to identify the occurrence of electronic transactions and reconstruct an incident with its sequence of events. You use computer forensics when a breach of contract occurs, if copyright and intellectual property theft/misuse happens, or during employee disputes where there is damage to resources.
Legal Issues
It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics (e.g., the issues of authenticity, reliability, completeness, and persuasiveness). The approach to an investigation diverges with changes in technology. Evidence shown must be untampered with and fully accounted for, from the time of collection to the time of presentation to the court. Hence, it must meet the relevant evidence laws.
There are legal concerns, not just technical concerns. For example, for some forensic mon-
itoring activity a certain level of security may be legally required, or your ability to monitor
certain kinds of activities may be restricted. Also, if you ever need to prosecute, your logs may
not be admissible in court. Local and federal laws must be considered when devising a security
policy.
The computer revolution has given way to white-collar crimes done on the Internet. Remote targets are compromised by malicious users daily. While investigating these crimes, international issues can be raised when the electronic evidence necessary to prevent, investigate, or prosecute a crime is located outside the borders of the country, and law enforcement must seek assistance from law enforcement authorities in the other country. Preservation of evidence or a request for evidence can be made under mutual legal assistance agreements or, if no assistance is forthcoming, through the Letters Rogatory process.
Investigators are confronted with the need for consistency with all legal systems, the ability to instill confidence in the integrity of evidence, allowances for the use of common language, and applicability at every level.
Computer law is a large field. Areas of concern to security administrators are what consti-
tutes illegal use of a computer, what you can and can't do to detect or monitor it, the status of
any evidence you may collect, and your exposure to civil liability suits in event of a security
problem. Computer crime law is a new field. The statutes are quite recent, less than 10 years
old with little case law for guidance. Interpretations may change, and the laws themselves may
change, as legislators react to newer threats.
The Computer Forensic Lab
The process of implementing and operating a computer forensic laboratory could be the sub-
ject of an entire series of books. This section of the chapter, however, will attempt to share a
few ideas regarding core concepts to be considered during the planning, construction, and
operation of a data forensic facility. The material is intended for midsized operations (corporate
installations and stand-alone facilities) to demonstrate a diversity of concepts relating to facilities
planning, business operations, and service offerings.
Recent changes to the Federal Rules of Civil Procedure (FRCP) in December 2006 have impacted the manner in which digital information is managed in civil litigation. The FRCP formalized the role of digital information in a legal environment. The rules have formally identified the role of electronically stored information (ESI) and how it will be handled and presented in a judicial setting.
The advent of personal computing empowered individuals to create and manage information on a massive scale; the vast majority of information created now exists in digital form on some type of computing system. An entire field of data analysis and digital investigation has evolved in response to the threat of wrongdoing in this digital realm. The technology (laptops, desktops, cell phones, the Internet) empowering individual productivity and creativity is the same technology used to conduct activity against company policy or in violation of the law. Corporate investigators and law enforcement officers need to be able to investigate these types of digital transactions by identifying, recovering, analyzing, and reporting on the digital facts. The role of data forensic analysis will be of increasing importance to the legal system as information continues to evolve into the purely digital and the systems upon which that information is stored become more technologically advanced. The need and demand for expert forensic examiners and forensic data investigation facilities will likewise be on the rise.
Laboratory Strategic Planning for Business
The topic of strategic planning for business development is a series of books unto itself.
In this section, we will touch on a few points of interest in developing a forensics practice:
philosophy of operation, core mission and services, revenue definition, and Standard Operating
Procedure (SOP) definition.
Philosophy of Operation
Every data forensic implementation will reflect four core modes of operation. From solo-prac-
titioner operations to government investigative arms, forensic implementations will function
according to a similar set of operating philosophies. The four core aspects of operation are the
business operations aspect, the technology venue aspect, the scientific practice aspect, and the
artistic expression aspect. Regardless of scope, a computer forensic initiative must pursue sound
business practices, must function in the realm of high technology with high-technology talent
as ongoing status quo, and must foster excellence of method and diverse, creative vision in
solving technology investigation problems.
A Forensic Laboratory Is a Business Venue
Every computer forensic laboratory is a business venue. A 1099 contract solo investigator, a commercial forensic department in the civilian litigation support space, a city/state police crime lab, a law firm's internal digital investigation group, and a federal network of investigative facilities are all business venues that must behave according to the principles of sound business management, financial profitability, core service provision, and so on. A police crime lab may not be pursuing profit per se, but that lab has to demonstrate value of service and return on investment (ROI) to remain funded or acquire annual budget allocations and new technologies to continue fighting crime. A solo practitioner must remain competitive in the marketplace he or she serves with regard to cost, service provision, and continuing education. A corporate commercial forensic venture must demonstrate profitability and maintain high standards for customer service and product quality to remain competitive in the marketplace. A massive entity such as the U.S. government's network of nationally distributed forensic facilities and allied investigative entities must still obey the principles of good business management, seek operational excellence, and demonstrate value for service and ROI to the U.S. Congress and Senate to remain funded. Running a data forensic laboratory means running a good business at all levels of scope.
A Forensic Laboratory Is a Technology Venue
A data forensic facility of any size is the embodiment of front-of-the-wave mastery of data and data storage technologies in all their various guises. Criminals can often afford the newest toys and desire the most complex technologies to hide their crimes from prying eyes, so the data forensic community must always strive to master technology as fast as technology evolves. The commercial consumer marketplace is always rolling out a new wave of the newest, shiniest technologies available to keep up with consumer demand for progress; again, the forensic community is at the front of the line, dismantling and investigating every new gadget that hits the shelves to reveal its secrets.
A Forensic Laboratory Is a Scientific Venue
Understanding and implementing technology isn't sufficient, however. The practice of any
branch of forensics is a practice of science. Examiners strive to perform their duties according
to reliable, repeatable, valid, objective, consistent, and accurate methodologies to reveal facts
objectively via empirical observation, deductive reasoning, and conversion of hypothesis to
demonstrable patterns, thereby empowering the presentation of findings of value to be put
forth as facts of merit in the court of law.
A Forensic Laboratory Is an Artistic Venue
The investigative process is more than a rigid set of procedures. Intuition and creativity play as
great a role for the forensic examiner as do sound methodologies. Fact-finding in a wildly
diverse technological realm requires a great degree of technical prowess as well as a flexible
mind; forensic examiners often must be artisans of technology creation and deconstruction.
Raw technology skill does not empower an investigator to understand the interaction of man
and machine: Intuitive awareness of how the tools of technology and human nature, human
thought processes, and human frailties interact allows for much of the artistry and creativity of
forensic investigation to be revealed.
Core Mission and Services
Foremost in the consideration of a forensic facility design plan, decide what services the facility is to provide and the scope at which it is to provide those services. A firm grasp of the prospective laboratory's core mission and scope of service will provide guidance on every aspect of building and operating that forensic facility, touching on everything from annual budget to furniture ergonomics. Based upon scope of service, a good forensic laboratory can reside in one room or it may require an entire building with multiple teams of specialists executing diverse tasks across multiple disciplines in each of several geographic regions. A law enforcement agency will focus upon violations of criminal statutes; a governmental agency may focus on one or more aspects of civil litigation; a commercial venture will typically define a service package and then market that package to any number of audiences.
Revenue Definition
A very applicable adage applies to a data forensic facility's operational capability: "Anything is
possible with enough money, manpower, and time." As always, knowing how to effectively
address the five w's (who, what, when, where, why) of a business plan will dictate the com-
pleteness of the plan from concept to execution. Implement a five-year strategic plan. Plan for
successful growth. Plan based upon the realities of the specific environment in which the
facility will reside, and to which the facility will respond. Implement a realistic and generous
budget: Justify it with a cost vs. reward argument. Define milestones to achieve and a growth
track to follow. Ultimately, the budget implemented will need to fully serve the needs of the
facility in both actual operation and realization of strategic vision.
Every forensic facility initiative, whether law enforcement, corporate, or for-profit, will require funds to function. Developing a strong business plan based upon costs of doing business versus profitability of work product is necessary regardless of the intended audience. Every operation will need to demonstrate ROI to prove the viability of the venture.
Costs of doing business will include line item tangibles such as hard dollar outlay to build,
staff, stock, operate, maintain, and grow a facility. Costs will also include intangibles such as
administrative overhead for policy and procedure creation, implementation, and ongoing pro-
cess improvement. Buffer will need to exist for known business variables such as payroll fluctu-
ation and increasing utility costs. Equipment requires maintenance and replacement. And so on.
Defining profitability in light of any given operational ROI will vary depending on the core service provision of the facility. A law enforcement laboratory may want to define profitability in terms of metrics addressing man hours expended and cases processed vs. convictions/pleas achieved; a nonprofit or government agency may want to define profitability in terms of an annual impact statement on its sector of influence. Commercial ventures will certainly define profitability in terms of billable professional hours, machine time, and/or line item service provision. Regardless of how profitability is qualified, profitability needs to be quantified in order to demonstrate the fitness of the venture.
"I Know How Expensive
I Am. Now, How Do I Get Paid?"
A data forensic operation will position itself as either a cost center or a revenue generator. In most law enforcement and government agency scenarios, a forensic offering will be perceived as a cost center and will rely on departmental budget allocations, grants, and so on for funding. ROI will generally be defined by demonstrating efficiency and operational excellence. Profitability will be defined in terms of ongoing results achieved.
Corporate implementations, likely to be cost centers, may define themselves as revenue
generators by creating a "billback" or cross-charge system in which profitability is determined
by revenue tracking demonstrated by billable units (either "credit-for-time-served" being
equated to billable hours, or actual interdepartmental invoicing "billed back" to the requesting
business unit).
Commercial forensic service providers will invoice for services provided and must demon-
strate a net profit margin above operating costs.
SOP
Whether applied at the strategic, daily operations, or process-specific level, policy and procedure implementation will ultimately be the measure of operational excellence by which the caliber of a data forensic laboratory (and the product the laboratory produces) is defined. The SOP should be defined while still in the planning stages of laboratory design. The ultimate goal of all work executed in a data forensic laboratory is to send valid, objective electronic evidence into a court of law. The laboratory itself must operate according to high professional standards; the employees of the laboratory must comport themselves professionally and ethically; and the tasks executed by the employees in the investigation and handling of potential evidence must be procedurally sound. "Soundness" of process should be demonstrated by testable, repeatable procedures generating predictable results. Evidence integrity must be defensible; the first defense against spoliation attacks is a defensible process. For all of these things to occur, a robust policy for procedure implementation and oversight is necessary. Workflow management, product testing, process analysis, and method execution all fall within the scope of need for SOP development. Figure 1.1 outlines the phases of data analysis.
Figure 1.1 Data Analysis Phase Diagram
Quality Standards"Accreditation
Demonstration of operational excellence is important to any business operation. For a forensic
facility of any discipline, demonstration of operational excellence is of utmost importance and
independent certification of operational excellence is greatly desired. One route taken by many
businesses is International Organization for Standardization (ISO) certification.A forensic labo-
ratory could and should pursue ISO accreditations. An organization explicit to the universe of
forensics (but not limited to data forensics) is the American Society of Crime Laboratory
Directors/LAB (ASCLD/LAB) certifying body. ASCLD/LAB endorses a certification track for
a data forensic facility that incorporates both ISO standard 17025 and a supplemental ASCLD
requirement set explicit to laboratory operations. The certification itself includes both bench-
mark standards for operation and ongoing oversight for maintaining accreditation status.
The ASCLD/LAB model for facility operations focuses heavily on a number of areas
deemed critical to quality laboratory performance:
9 Leadership quality, hierarchy, and effectiveness
9 Guidelines regarding policy and procedure creation and execution
9 Interoffice and official communication protocols, both vertical and horizontal
9 Definition of educational standards and skills testing
9 Investment in human resources via training and development
9 Physical plant design (security, infrastructure, fixtures)
9 Locale ergonomics (personal and shared workspace)
9 Implementation of business process control systems and audit methodology
9 Explicit requirements at the level of business processes specific to the realm of evi-
dence handling and forensic data examination
Both the ISO 17025 and ASCLD/LAB documents are very useful to review when plan-
ning both the physical plant and the operational function of a data forensic laboratory.You can
contact ASCLD/LAB-International at www.ascld-lab.org.
Quality Standards"Auditing
Demonstration of operational excellence includes the need for multiple audit channels:
9 Individual procedures must be tested for validity of method and adherence to
process.
9 Hardware and software tools require testing to prove function.
9 Individual competency levels need to be performance-tested.
9 Workflow requires an audit to guarantee operational excellence.
r
www.syngress.com
Computer Forensics in Today's World 9 Chapter 1 21
9 Inventory control and chain of custody require ad hoc demonstration of 100 percent
competency.
9 Overall business SOP and mid-level operating procedure require constant reassess-
ment.
A robust audit system is required to achieve the level of process rigor required of any
forensic facility.
Human Talent
A forensic examination environment is only as good as the talent associated with the initiative.
The best hardware purchasing plan in the world won't matter if the human element does not
receive the same quality of investment. Experience gathering, knowledge sharing, continual
education, and a serious investment in human resources development are essential to the overall
success of a data forensic laboratory.
Education and Continuing Education
Bachelor's level and master's level degree programs exist that focus on forensic investigation;
several universities offer a criminal justice degree with a specialty in digital forensics. Multiple
certifications exist for the forensic examiner. Certification programs demonstrate both the
breadth of knowledge and the hands-on proficiency of the examiner. Maintaining certification
means routine retesting and accrual of classroom training hours on a regular basis.
Available certifications include:
■ Law enforcement: Certified Forensic Computer Examiner, or CFCE (www.cops.org), IACIS
■ Civilian and law enforcement: Certified Computer Examiner, or CCE (www.certified-computer-examiner.com), ISFCE; GIAC Certified Forensic Analyst, or GCFA (www.sans.org); and Certified Hacker Forensic Investigator, or CHFI (www.eccouncil.org)
■ Software-specific: Access Data Forensic Tool Kit, or ACE (www.accessdata.com), and Guidance Software EnCase Certified Examiner, or EnCE (www.guidancesoftware.com)
Elements of Facilities Build-out
In general, addressing any element of facilities build-out includes budgeting for construction and operation, provision of service based upon normal operations, provision based upon adverse events and subsequent disaster recovery, and provision based upon a roadmap for expansion, growth, and future modernizations. These topics can tailor the design of facility elements such as electrical or HVAC provision, or they can apply to business operations and workflow on an ongoing basis. Size of implementation and budget constraint always delimit a facility's complexity. Small facilities may not need to address many of the concepts addressed herein, but the average corporate, law enforcement, or stand-alone facility will likely address all of them, plus more.
Space Planning Considerations
In conceptualizing the overall layout of a forensic laboratory, attention should be given to at least four functional areas: administrative area, examination space, network facilities, and evidence storage. Figure 1.2 is a simple model of a facilities plan.
Figure 1.2 Forensic Laboratory Environment (diagram of four areas: Network Facility, Administrative Space, Examination Space, Evidence Storage)
Administrative Area
Administrative space comprises office space for personnel associated with the forensic team (project management, executive staff, investigators, etc.), a general meeting space for internal personnel and clientele, and "privacy" or guest areas. This environment should provide adequate room for team meetings and a comfortable environment for customer-facing activities. The forensic investigation team will likely spend the lion's share of their time in the examination space (often a shared environment with little "personal space"). Consideration should be given to adequate private workspace where individuals can hold confidential conversations, make telephone calls, and engage in general corporate communications.
Examination Environment
The examination space is the "lab proper," that is, all space devoted to the technical and investigative aspects of the forensic examination process. This environment is the home area for all of the technical equipment associated with the examination process and will likely be the functional area of the laboratory in which the forensic technical staff members spend a vast majority of their time. Access to the examination space should be restricted to relevant personnel, and traffic to and from the examination space should be logged. Provide plenty of surface area and dedicate significant square footage per investigator (a good starting metric is 100 square feet, or the measure of a 10 × 10-foot office space). Provide significant square footage for the location of forensic equipment (both shared and individual assets).
Evidence Storage
Evidence storage is dedicated storage space existing for the sole purpose of warehousing digital
evidence and other evidentiary items. The evidence storage area is the physical embodiment of
chain of custody functionality. Evidence storage should be the most secure/demanding envi-
ronment to access, the most rigorously controlled area for any type of entry/egress/activity, and
the most physically segregated area of a forensic build-out. The "evidence locker" must be con-
structed to defeat forced/unauthorized entry. It should be designed such that its contents sur-
vive environmental events. All access to this environment should be controlled with the highest
rigor and restricted to key personnel, often to a single Custodian of Evidence. Multiple chal-
lenges to entry and identity should be employed. The evidence storage environment will
require, in many cases, customized abatements (such as EMI shielding). A robust information
management system should accompany an evidence storage environment: Automated security
systems should be in place challenging all accessors and logging all accesses. Inventory should
be controlled via both ink-signature and automated electronic management systems.
Information management systems employed should have a robust audit methodology that guar-
antees the completeness and accuracy of the information maintained. Any and all components
of the Evidence Storage Facility should ensure that the "who, what, when, where, and why" of
every object considered "evidence" is always known and documented.
Network Facilities
This space is the environment in which data network, security, and telecommunications equip-
ment serving the laboratory space resides. Ideally, this space should be protected from compro-
mise to the same degree that evidence storage is protected. The physical elements of data
networking and security technology warehousing, transmitting or otherwise accessing eviden-
tiary data materials, or examination process work product should be dedicated and stand-alone
infrastructure. This rule applies to data cabling, servers, switches, routers, and any other physical
element of the networked technology systems serving the forensic space. Steps should be taken
to ensure that any inbound or outward-facing day-to-day business protocols (i.e., corporate e-
mail, telephony, Internet access, etc.) provision across a completely separate physical network
architecture.
Fire Protection/Suppression
A forensic laboratory, especially a larger facility, requires a well-thought-out fire protection
plan. With regard to overall fire code, the local fire marshal can provide specifics regarding local
standards and ordinances; if the laboratory is to be built out in preexisting space, the property
may have its own supplemental fire protection requirements, especially if the need to tie into
existing infrastructure exists. Fires are classified based on the material serving as fuel for the
fires. The fire suppression methods employed will generally be determined via understanding
cost constraints, habitation zones of personnel, and the technology venue residing in the space.
In many ways, the ideal fire suppression system for a forensic facility will model after data
center or disaster recovery data co-location facility design plans. Of special concern are Class C
fires, which involve both some flammable fuel substrate and the presence of electricity. A new
facility will be presented with multiple fire protection options, and the choices made regarding
fire suppression implementation can have cost, timeline, and design impact on every other
aspect of the build-out.
Fire classification varies worldwide with regard to accepted "classes" of fire. In the United
States, fire ratings fall into five main classifications.
• Class A: Common (solid) combustibles
• Class B: Liquids and gases
• Class C: Fires involving electricity
• Class D: Combustible metals
• Class K: Cooking fluids/oils
In the forensic laboratory environment, the most common fire classes are likely to be Class
A (infrastructure materials) and Class C (electrical fires involving powered-up technology). To
protect against a Class A/C hazard, multiple options are available regarding suppression system:
• Water dispersion systems (air-pressurized water systems)
  • Wet pipe system
  • Dry pipe system
  • Preaction system
• Gaseous suppression (clean agents)
  • Inert gas
  • Fluorine compound
• Chemical suppression
  • Foam
  • Dry chemicals
Water Dispersion Systems
The three most common water dispersion system designs are wet pipe, dry pipe, and preaction.
Wet Pipe System
This system employs a piping scheme that maintains a constant water load. This system is gen-
erally the most cost-effective and low-maintenance of all fire protection options, but it does
have drawbacks in an environment where significant electronics and high technology reside.
Inadvertent failure or impact damage means water leaks (small or large). Typically, wet pipe sys-
tems are easy to repair and maintain, and they have a fast recovery window after activation.
Dry Pipe System
This system employs a piping scheme that maintains a pressurized air load. The pressurized air
holds back liquid flow under normal circumstances. This system relies on deployment (sprin-
kler) head events to trigger gas release, which then allows water to flow into the pipes as the
gas bleeds out. Typically, dry pipes are significantly more expensive than wet pipe systems,
taking more hardware to deploy, having a higher space requirement (for the gas storage and
pump equipment), and offering the same ultimate drawbacks as wet pipe. Additionally, dry pipe
offers maintenance complexities and higher maintenance costs. Dry pipe does offer protection
from pipes bursting in cold environments.
Preaction System
Preaction systems are typically the second level of fire protection implementation to be consid-
ered in a facility build-out. This system is a modified dry pipe arrangement; the advantage of a
preaction system is the use of two triggers to release the liquid suppressant. A valve, typically an
electronic valve, acts as the release inhibitor; water is not held back by gas pressurization. The
valve will be controlled by a discrete fire sensor (i.e., one that operates independently of any
sprinkler heads, etc.). If the valve releases, the pipes fill with liquid and the system then behaves
like wet pipe. A second event must occur at the level of the delivery heads to release water into
the environment. Pipe impact damage and head failures offer less threat to the surrounding
environment given the fact that the pipes are in a no-load state under normal circumstances.
The potential time delay between valve sensor engagement and sprinkler engagement could
also benefit the environment, presuming some intervention is able to resolve a sensor-perceived
threat prior to head discharge. The cost factor step from wet pipe to preaction pipe can be a
significant increase as the size of the planned facility increases. Preaction systems have the
increased complexity level and maintenance disadvantages of dry pipe.
Water Damage
Wet pipe, dry pipe, and preaction systems usually utilize water as the liquid suppressant. In any
environment where computer equipment, specialized electronics, and especially evidentiary-
grade electronic devices are present, due consideration should be given to the potential for
water damage to technology and evidence during an event. Another consideration might be
secondary Class C electrical fires spawned from a primary suppression event. In any environ-
ment that utilizes water dispersion for fire control, thought should be given to "waterproofing"
concepts for certain fixtures, such as primary evidence storage. Utilizing a waterproof fire-rated
safe inside the evidence locker as the primary storage container for evidence is a good counter-
measure against the use of water-based fire suppression systems. A fire-rated, waterproof
lockbox storage system is another option for critical-to-survive evidentiary items.
Gaseous Suppression
Gas agent suppression systems, also known as clean agent or total flooding systems, provide a
high-end option for laboratory fire control. This class of suppressants functions in one of two
ways. One group removes heat faster than it can be generated during combustion, thereby sup-
pressing combustion. The second group depletes oxygen to deprive combustion of oxygen
fuels. Gas agent suppression systems offer advantages over water-based systems in that they can
achieve total permeability in the environment. They offer advantages over chemical suppression
systems because they tend to leave no chemical residues behind, lowering business recovery
costs. A final positive characteristic is that these materials are, in general, nonconductive and
they leave no conductive materials behind, making them ideal for areas with electronics. Gas
suppression systems can include very complex delivery systems, and the gas storage systems
generally have a large footprint. Cost for implementation and maintenance will be high. Total
flooding systems tend to require sealed environments for best effect, so other facility costs also
increase when this class of system is utilized. Although these suppressants can be used in occu-
pied space, facilities utilizing gaseous suppression should have rapid evacuation capability.
Two main classes of gas agents exist: inert gases and fluorine compound gases.
Inert Gas Suppressors
Inert gas suppressors include a number of carbon dioxide, argon, and nitrogen blend gases. Inert
gas suppressors are generally oxygen reducers. They tend to displace oxygen and prevent com-
bustion via fuel deprivation. Pure CO2 suppression should never be used for laboratory fire
suppression (CO2 suppression makes air completely deoxygenate and it is an active death risk
to people). Branded suppressants such as Inergen and Pro-Inert are argon/nitrogen blends that
are sold in conjunction with proprietary delivery system deployments. They can be used in
populated environments. They decompose into naturally occurring atmospheric gases and they
are environmentally friendly.
Fluorine Compound Suppressors
Fluorine compound suppressors are widely utilized and they tend to be used as Halon replace-
ments when Halon systems are upgraded. Fluorine gas suppressors leach heat at a very high
rate, acting as a combustion inhibitor. Branded suppressants such as Novec, FM-200, and FE-
227 are common examples of suppressors in this class. They can be used in populated environ-
ments. They are environmentally friendly.
Chemical Suppression
Moving away from water dispersion and clean agent systems, several options for chemical sup-
pression exist. Most chemical suppression methods require a significant facility investment to
implement and significantly increase costs in many other areas of build-out. For instance, her-
metically sealed environments may be required when certain area chemical suppression systems
are utilized. Both foam and dry chemical suppression systems are available, but both classes tend
to be "messy" and inappropriate for a populated environment; such systems are generally not
implemented in a data-center-style facility.
Electrical and Power Plant Considerations
Any high-tech facility is going to have an above average power demand to run, cool, and keep
stable all of its various technologies. In general, the cost of power provision to a forensic facility
will be higher per square foot than in a "regular" corporate environment. In terms of the
largest laboratory implementations, stand-alone power generation facilities and stand-by fuel
tank resources may be part of the power provision plan; dedicated water provision may also be
feasibly within scope for power, HVAC, and even site security. In the laboratory build-out,
three main categories of need should be assessed, and those categories should all be interpreted
in light of both day one and growth curve demands: regular facility load, LAN/WAN specific
load, and local examiner workspace load.
The first category is the facility load considered during every facility build-out, that is, the
electrical demand of all general infrastructure-level technology, including lighting, emergency
lighting, HVAC, security systems, automatic doors/windows, audio/visual implementations,
telephony and communication systems, corporate equipment, general electrical consumption
per employee, and so on. Power provision should be generous and be cognizant of future
growth as the built facility reaches 100 percent utilization and eventually physically expands.
The second category is the LAN/WAN load, which in any data center/forensic laboratory
setting should be given independent consideration from a power perspective. Approaching the
network plant according to data-center-grade power provision and management standards is a
good base thought process. Server rooms are generally given special consideration in any build-
out, but electrical provision to any network technology needs to recognize that the forensic
laboratory will have two fully disparate LAN provisions (a business operations LAN and an
examination environment LAN) and that the examination environment LAN will need to be
isolated from the general environment in terms of power provision, UPS/generator contin-
gency planning, and so on. The examination environment LAN may also need a more robust
failure/DR and redundancy plan with regard to power provision so that it is the first environ-
ment to recover from outage and the last environment to degrade. The examination LAN envi-
ronment should, at a minimum, be equipped with enough primary and secondary power for a
structured, intentional safe shutdown, even under the worst external conditions. The compo-
nents of power provision to the examination LAN (and possibly all power provision) may even
require special security and anticompromise considerations, depending on the security level at
which the forensic laboratory may operate.
The third category is the examination "local workspace" load. This category applies to the
examination space in general and the individual examiner's functional workspaces specifically,
giving special consideration to the unusually high power consumption demands per capita the
forensic technical team will incur. The average corporate user group may function on a shared
20 amp circuit, powering a single workstation/monitor or laptop and a few small-load items
per person. A forensic investigator may well be able to max out a 30 amp circuit powering one
investigation's worth of equipment, and that investigator may have numerous technology pro-
cesses running concurrently in different workspaces. The examination environment of a mid-
size laboratory facility is likely to be "always-on" in terms of power consumption, so both
environmental and equipment power consumption in the examination space will draw three
times the demand experienced in the administrative portions of the facility.
Examination space needs must be assessed in terms of more than raw power consumption
as well. The density and number of electrical sockets may need to be much higher in the
examination space to account for the number of devices that may be active per square foot or
per examination. For example, the task of cloning one hard drive may require the following
devices: one forensic workstation (socket #1), the workstation monitor (socket #2), one write
blocker (socket #3), one external USB hard disk (socket #4), and the original external evi-
dence hard disk (socket #5). An investigator may have multiple cloning processes ongoing in
parallel (which could double or triple the number of needed sockets). The ergonomics of
accessing those sockets also needs consideration, favoring ease of accessibility from work sur-
faces. When this many devices are involved, it is important to consider not only the physical
frequency of socket placement, but also the density of circuit provision. It is important to pre-
vent evidence-grade materials from experiencing under-voltage or over-voltage conditions.
Significant technical or machine time investments can be lost to a sudden power outage.
Consider using a higher rated circuit in the evidence space than would be implemented in a
standard corporate environment. Consider dedicated circuits per single work area. Line quality
may need to be conditioned to guarantee the best integrity of the evidence hardware items.
Electrical conduits in the walls may need to be shielded to prevent electromagnetic fields from
compromising magnetically stored data in the evidence-handling lanes. Transformer placement
and other major electrical units need to be carefully placed on the facility plan, shielded as nec-
essary to abate adverse electrical fields, and so on.
LAN/WAN Planning
Modeling the core technology implementation of a forensic environment on data center design
is a good starting point regarding the basic requirements for a forensic laboratory technology
build-out. Additional consideration needs to be given to the global and personal workspace ele-
ments of technology provision explicit to the demands of a data forensic operation.
We have already mentioned the need to segregate the examination environment network
components from the general corporate network; in addition to the functional separation of
services a number of absolute physical boundaries should also be considered. If corporate and
examination hardware is to reside in the same server room, consider a locking cage around the
examination architecture or build internal divider walls and place the examination architecture
behind a secure door: Severely limit human access levels to physical space. Apply all the same
security restrictions and chain-of-custody protocols to the examination architecture as are
applied to the evidence room. Consider placing the examination servers and data storage inside
the examination laboratory space proper such that all servers, data warehouses, physical cabling,
switches/routers, and so on are physically protected by the same security measures restricting
laboratory accesses. Route all examination traffic through network switches dedicated to and
connected physically to only examination servers and workstations. Don't rely on virtual segre-
gations; deploy physical segregations.
When you are planning the data storage needs for the laboratory facility, emphasize disaster
recovery, redundancy, and sustainability concepts. Keep in mind that the facility needs to sup-
port large data volumes. A typical small laboratory can encounter terabytes of data on a routine
basis. Implementation of data storage for even a moderately sized facility may require an online
examination environment data storage capacity of tens or hundreds of terabytes; this architec-
ture will consume a significant footprint in a server room. It will be tied to other high-foot-
print items such as large tape backup jukeboxes, near-line storage solutions, and so on. Systems
will need to be put in place that can handle the overhead required to maintain and preserve
these enormous data volumes.
HVAC
Large numbers of computers result in enormous BTU generation (British Thermal Units, a
standard measure of heat generation). Perform very conservative calculations when determining
how many tons of AC cooling is required for the technology spaces in which large amounts of
heat-generating equipment reside. Make certain that cooling calculations are made from the
actual equipment purchasing plans and individual device specifications, as opposed to hypothet-
ical estimates. Keep in mind that human bodies also generate BTUs. Consider overcooling
maximum capacity by a factor of 2-3x across the total HVAC design. Plan for hardware
growth, and factor future hardware purchases when implementing day-one cooling services.
Consider fully redundant units in areas that cool the examination environment technology, and
make sure either/or can provide for the entire cooling burden for the space in question. Make
certain that ventilation requirements are sufficient for the spaces being cooled, and that active
and passive returns are located in effective placements. If an advanced fire suppression system is
in place that utilizes gas suppression, for instance, provide an active exhaust system to recover
the environment once a fire event has been suppressed. Consider the water and coolant provi-
sion to any HVAC units that serve various areas; is the pipe work and pump system redundant,
and does a failover system exist that guarantees the AC units will continue to be fed water? Are
these feed lines protected from compromise? Are the HVAC units serving the examination
space to be located over the examination space, or housed elsewhere? Placing HVAC units
above the lab space adds security against physical compromise, but also adds adverse risk in the
form of potential leakage and water line breakage. Environmental HVAC concerns should
include noise abatement measures: An AC unit placed above the examination space may pro-
vide positive white noise in certain laboratory designs and unwelcome noise pollution in
others.
Abatements
In any environment where mission-critical computing systems and magnetic/tape/optical data
storage reside, a number of abatement strategies need to be considered. In the forensic labora-
tory, most, if not all, of the following should be reviewed during the planning phase and then
monitored after build-out is complete.
Temperature
All equipment has a desired temperature operating range. A typical data center will maintain an
ambient temperature of 68-70°F. Make sure the overall HVAC system can provide temperature
stability within the desired ranges, even during possible HVAC equipment failures. Consider a
portable cooling device standby plan. Make certain temperatures are not held at a low point
that would encourage electrostatic buildup and discharge in dry air.
Humidity
Install a humidity management system that has the ability to control humidity measure to
within +/-1 percent. Humidity control is an important factor in abating electrostatic buildup
and discharge. When assessing correct local operating values to maintain, you need to deter-
mine standards with respect to specific details regarding tolerances of the equipment to be uti-
lized in the environment and to general factors such as geographic location, elevation, and so
on.
Static Electricity
As mentioned previously, temperature and humidity are two major environmental factors to
regulate to avoid static electricity concerns. Consider workspace elements such as antistatic
flooring and actively dissipative counter surfaces and drawer linings; also, ground all metal fur-
niture to earth. An operation of any size should make liberal use of portable antistatic mats and
gloves. Provide antistatic spray to employees wearing charge-generating fabrics.
Electromagnetic Interference
Plan the electrical plant carefully to minimize electromagnetic field generation in any data
storage/handling areas. Shield main power plant components such as transformers as required.
Consider electromagnetic interference (EMI) shielding in and around the examination labora-
tory space. Give strong consideration to shielding the evidence locker, at a minimum. Maintain
a gauss meter or series of gauss meters in the functional laboratory space, and check them regu-
larly for anomalies. EMI regulation should speak directly to ISO planning and competency
levels for any operation that specializes in electronic data handling.
Acoustic Balancing
Ambience abatements are also important in laboratory planning. Many workspaces intentionally
pipe white noise into their environments to create acoustic masking for privacy reasons and to
prevent an environment from being "too quiet"; a forensic laboratory is very likely to have
many acoustically reflective surfaces, necessitating some surface texture applications, baffling, or
other acoustically absorptive abatements.
Security
Security is of paramount concern to any forensic operation. Campus-level access, environment-
level access, and object-level access protocols must all be implemented. Video surveillance and
live surveillance by internal security are strongly recommended. With regard to general security,
the entire facility should have at a minimum a two-challenge system in place such that every
entrant will be providing at least one validator at an automated checkpoint (i.e., biometric
entry, external security card swipe, etc.) and one other independent manual or automatic val-
idator (sign-in at security desk, internal security card swipes, etc.).
Higher levels of access control should be applied to any infrastructure or workspace related
to the examination environment or to any other environment in which evidentiary grade
materials may be stored or examined. Each access attempt to the examination environment
should be challenged by dual-authentication and the access points should be under constant
independent monitoring (i.e., cameras and access logging).
Dual authentication refers to two-factor identification methodology. Two-factor identifica-
tion presumes that any two personal identification factors will be challenged and that both
challenges must be successfully responded.
Challenge factors fall into the following identification categories:
• Something you are: Biometric keys such as a fingerprint or retinal scanner
• Something you know: Password, PIN, and so on
• Something you have: Security card, digital token, bingo card, and so on
Dual authentication across two categories of factors is recommended.
A physical sign-in/out log is a useful supplemental tool for physical plant security even if a
dual-authentication protocol is in place; providing an ink-signature audit trail is useful for inde-
pendent audit of security system performance and original handwriting can be used to investi-
gate identity during security audit and review phases.
Evidence Locker Security
A good, locking, fire-rated safe in a locked room coupled with accurate hand-written access
logs may prove sufficient security for a small (e.g., solo-practitioner) environment. Other evi-
dence storage environments implement a shelf-and-cage methodology with a single portal of
entry that is key-locked and monitored for access. Depending on the needs of the facility and
other factors, such as level of national security, the build-out of an evidence locker can become
an expensive and complex endeavor.
The main security criteria to fulfill are the following:
• Is access truly restricted to the custodian(s) of evidence?
• Is all access to the evidence locker documented completely and without exception?
• Is all item-level access (i.e., chain of custody) maintained correctly and without exception?
• Does an independent method of audit exist to confirm that the preceding criteria have been met?
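The four criteria above, and the earlier requirement that evidence storage log the "who, what, when, where, and why" of every access with a robust audit method, can be illustrated in code. The following is an added example written for this edition, not code from the CHFI guide or from any named product: it checks that a locker access request comes from a designated custodian and presents two factors from two different categories, logs every attempt (granted or denied), and uses a SHA-256 hash chain as the independent audit method. The factor labels, the custodian roster, the item identifiers, and the hash-chain design are this example's own constructed assumptions.

```python
"""Added example (not from the CHFI guide): evidence-locker access check and
chain-of-custody log covering the audit criteria listed in the text.

Constructed assumptions: factor labels, custodian roster, item identifiers
and the SHA-256 hash chain used as the independent audit method.
"""
import hashlib
import json
from datetime import datetime, timezone

# The three factor categories named in the text: are / know / have.
FACTOR_CATEGORY = {
    "fingerprint": "are", "retina": "are",
    "password": "know", "pin": "know",
    "badge": "have", "token": "have",
}

# Constructed roster: only designated custodians of evidence may enter.
CUSTODIANS = {"j.doe"}


def is_dual_authentication(factors):
    """Dual authentication means two factors from two *different*
    categories; a password plus a PIN is still a single category."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


class CustodyLog:
    """Append-only access/custody log. Each entry stores the digest of the
    entry before it, so an altered, removed or reordered entry is exposed
    by verify() without trusting the log's own bookkeeping."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the hash does not depend on key ordering.
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode("utf-8")
        ).hexdigest()

    def record(self, who, what, action, where, why, granted, when=None):
        """Log who/what/when/where/why for one access attempt, whether or
        not it was granted (denied attempts are part of the record too)."""
        body = {
            "who": who, "what": what, "action": action, "where": where,
            "why": why, "granted": granted,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "prev": self.entries[-1]["digest"] if self.entries else self.GENESIS,
        }
        body["digest"] = self._digest(body)  # digest covers everything above
        self.entries.append(body)
        return body["digest"]

    def verify(self):
        """Independent audit: recompute every digest and link. Returns the
        index of the first bad entry, or -1 if the chain is intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if entry["prev"] != prev or self._digest(body) != entry["digest"]:
                return i
            prev = entry["digest"]
        return -1


def request_locker_access(log, who, factors, item, action, why):
    """Apply the locker rules: custodians only, dual challenge across two
    factor categories, and every attempt logged. Returns (granted, reason)."""
    if who not in CUSTODIANS:
        reason = "not a custodian of evidence"
    elif not is_dual_authentication(factors):
        reason = "factors do not span two categories"
    else:
        reason = "granted"
    granted = reason == "granted"
    log.record(who, item, action, "evidence locker", why, granted)
    return granted, reason


if __name__ == "__main__":
    log = CustodyLog()
    print(request_locker_access(log, "j.doe", ["fingerprint", "pin"],
                                "HDD-0001", "check-out", "imaging"))
    print(request_locker_access(log, "j.doe", ["password", "pin"],
                                "HDD-0001", "check-in", "imaging complete"))
    print("audit:", "intact" if log.verify() == -1 else "broken")
```

The hash chain gives the auditor a check that does not depend on the log's own counters: removing, editing or reordering any entry changes the recomputed digest or breaks the link to the previous entry, which is the "independent method of audit" the fourth criterion asks for. In a real locker this log would be written to append-only media and paired with the ink-signature register the text recommends.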
Considering security design at the corporate departmental and dedicated facility level, the
highest and most restrictive levels of access control should be applied to the evidence storage
environment. Dual challenge is mandatory. Access to the evidence storage locker must be
extremely limited. Only those persons with personal responsibility for evidence integrity
should be allowed access. In many environments, a single custodian of evidence is assigned
master access and only that person can execute chain of custody check-ins and check-outs
from the locker itself. The evidence storage environment should have dedicated security proto-
cols for access to that environment and all accesses should be logged with 100 percent accuracy.
Chain-of-custody procedures on any item entering or exiting this space should be upheld
without fail. Video surveillance of the evidence storage environment is recommended with
cameras on both the entry view and exit view of the door as well as coverage of the storage
systems where evidence items are physically stored. An alarm should be in place to expose
incursion attempts. The alarm should be robust enough to expose catastrophic entry through
ceiling, walls, floor, and so on, as well as unauthorized entry through the main door. The evi-
dence storage environment should have security features built into the infrastructure itself. The
walls, floor, and ceiling should be hardened to discourage entry via tunneling or destruction by
force; the core construction should have features such as floor-to-ceiling walls (no plenum or
raised flooring, therefore no "crawl-over" or "crawl-under" unauthorized access). Fixtures such
as fire suppression and air provision should be independently controlled such that adverse
events elsewhere in the facility do not cause unwanted effects inside the evidence locker itself.
Air ducts need to be of a size too small for human egress and weld-grated to prevent objects
from passing. No openings should be left in floor, wall, or ceiling space that could allow
unwanted items to be inserted into or evidence items to be removed from the space.
General Ambience
As in any other professional space, the general ambience of a data forensic laboratory should be
free of major distractions, providing employees an opportunity to work without disruption. The
laboratory space should be a low-foot-traffic environment. It should be physically separated
from other environments. The examination space should be well lit. The environment should
promote personal comfort and positively support both standing tasks in common areas and
seated tasks in personal space.
Spatial Ergonomics
A data forensic laboratory will in some ways function like a warehouse operation. The com-
puter hard disks the forensic examiners peruse will often be provided with the rest of the com-
puter in tow; these chassis, monitors, and other associated items will require handling and
storage. Monitors, workstations, servers, and other technology packages are often bulky, rela-
tively heavy pieces of equipment. Moving bigger items to and from evidence lockdown, lifting
and bending concerns surrounding transporting such items to workspaces, and temporary rack
system holding areas should be considered during workspace design. Safety equipment such as
lumbar harnesses should be made available to employees expected to execute the physical labor
of lifting/carrying tasks. The traffic areas of the lab should be economized to maximize the safe
execution of such tasks. Any work surface and staging area provisions should accommodate
heavy vertical lifting concerns.
A Note on "Common Office Technology"
Any evidence-handling facility needs to pay special attention to potential data repositories to
guarantee that privileged information stays confidential. A forensic laboratory should include
scope of such consideration to include common office technologies such as copiers and fax
machines. Modern copiers and fax machines commonly have the ability to store data in
memory for long periods, and either technology may have a hard disk on board! Maintenance
plans for such devices should consider the possibility of privileged information being resident,
and security and audit methodology should be applied to guarantee proper handling/destruc-
tion of any storage medium's contents.
Personal Workspace Design
Each laboratory inhabitant should be provided a significant amount of operating space. Work
surface area should be bountiful, especially digital work surface area (i.e., monitor footprint).
Electricity supply should be robust. The personal space of each examiner should be considered
a "mini laboratory," and that mini lab should be stocked with all the hardware and software
necessary for an examiner to perform common investigative tasks and to maintain the work
product. A dedicated investigation platform, a complete kit of write blockers and accessories, a
separate system for corporate/business communications, a workspace-level data management
system, and a close-at-hand library of reference materials are all desired elements of an active
and useful personal investigation workspace.
Common-Area Considerations
Consider providing multiple units of every technology. Multiple sets of write blockers and
multiple investigation machines allow for several parallel forensic tasks to occur. Design
workspaces with a template design to allow multiple individuals to execute similar tasks con-
currently in different workspaces, or to allow one individual to rotate between several stations
to manage multiple machine-time-intensive tasks. Design work areas to support the execution
of multiple tasks with minimal foot traffic. Deploy sufficient "shared resources" to effectively
serve the needs of staff without causing workflow bottlenecks. For example, when scoping
DVD production capability make sure the DVD burning tower has a job scheduling capability
to capitalize on a full 24-hour production cycle regardless of staffed shift availability. Determine
how many DVD burning towers are required to fully serve departmental needs. Is one large
central unit the best choice, or are four smaller units located in different areas the most effective
option?
Essential Laboratory Tools
The tools of the trade: essential and specialized technology for both field and laboratory (see
Table 1.1).
www.syngress.com
Chapter 1: Computer Forensics in Today's World

Note: The author is not attempting to endorse the use of any specific product, or to be
exhaustive in the description of capability or utilization of any product listed herein. This
chapter hopes simply to expose the reader to a wide selection of readily available hardware
and software tools.
Table 1.1 Vendor Reference Matrix

Vendor                          Product Examples                           Web Site
Tableau                         Write block devices                        www.tableau.com
Intelligent Computer Solutions  Hardware, write block devices              www.ics-iq.com
WiebeTech                       Write block devices, hardware              www.wiebetech.com
Digital Intelligence            Write block devices, hardware, software    www.digitalintelligence.com
MyKey Technology                Write block devices                        www.mykeytech.com
Guidance Software               Write block devices, software              www.guidancesoftware.com
Paraben Corporation             Write block devices, hardware, software    www.paraben-forensics.com
Forensic Computers              Hardware, software, systems                www.forensic-computers.com
LogiCube Forensics              Hardware, software                         www.logicubeforensics.com
VOOM Technologies               Hardware                                   www.voomtech.com
DIBS USA                        Hardware, software, systems                www.dibsusa.com
Fernico                         Software/hardware                          www.fernico.com
Primera Technology              Software/hardware                          www.primera.com
Project-A-Phone                 Hardware                                   www.projectaphone.com
Rimage                          Hardware                                   www.rimage.com
Ashby                           Hardware                                   www.ashbyind.com
CopyPro                         Hardware                                   www.copypro.com
Write Blockers
No laboratory or field forensic tool kit would be complete without write block methodology
and devices. Prevention of data spoliation (the compromise of data integrity by intentionally or
inadvertently altering the state of the data from its "original" form) is a prime directive for
forensic examiners. The courts will challenge forensic work product on spoliation grounds; one
of the most common attacks on forensic work product focuses on the methodologies employed
when handling digital evidence. Was the evidence maintained in its original state? Were the
conclusions drawn from uncompromised materials? Were the proper tools used in the process?
In a vast number of circumstances, when an unprotected writable data device is connected to a
computer, it will incur change. Computer boot sequences, volume mounts, and a plethora of
other events can modify some component of the evidence data store if it is not explicitly
protected from write events. A forensic examination environment, therefore, will host a broad
range of methodologies and devices ensuring write block capability (see Figure 1.3).
Figure 1.3 Write Blockers
In certain circumstances, using the proper methodology, it is possible to achieve a no-write
status at the software level. Certain Windows Registry edits can protect USB devices from
write events; Linux volumes can be mounted in such a way that the data store is read-only.
Both Microsoft DOS and Linux operating systems can be modified to be forensically sound
with regard to data stores, and they can be packaged as a self-contained bootable environment
on diskette, CD-R, DVD, thumb drive, and so on. Of course, an investigator implementing
these techniques must repeatedly test the methodology and be able to both demonstrate and
explain proof that the methods truly are forensically sound, in order to defeat the inevitable
court challenges to the method that will arise.
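A harness for that testing, added here as an example rather than taken from the study guide or from any vendor: it hashes the medium, runs a candidate procedure against it, hashes again, and reports whether a single byte moved. The two procedures are stand-ins (a read-only open versus a read-write open of a constructed image file) so the script runs without root or a real device; in practice the medium would be the block device itself and the procedure the real method under test, such as mounting the device with mount -o ro,noload or attaching a USB device after setting the Windows StorageDevicePolicies WriteProtect registry value to 1. The names validate_write_block, WriteBlockResult and the two procedure functions are chosen for this example.

```python
"""Added example (not from the study guide or any vendor): a harness that
proves, or disproves, that a software write-block method leaves the medium
untouched. Hash before, run the candidate procedure, hash after, compare.

The medium here is a constructed image file so the script runs offline and
unprivileged. On a real system `medium` would be the block device (e.g.
/dev/sdb) and `procedure` the actual method under test.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional

CHUNK = 1 << 20  # 1 MiB read size; hashing is streamed, never fully in memory


def sha256_of(path: str) -> str:
    """Stream-hash a file or block device in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class WriteBlockResult:
    hash_before: str
    hash_after: str
    procedure_error: Optional[str]  # text of the OSError if the procedure itself failed

    @property
    def sound(self) -> bool:
        # Sound means byte-for-byte identical after the procedure; a blocked
        # write that raised an error is the expected outcome, not a failure.
        return self.hash_before == self.hash_after


def validate_write_block(medium: str, procedure: Callable[[str], None]) -> WriteBlockResult:
    """Run `procedure` against `medium` and report whether anything changed."""
    before = sha256_of(medium)
    err = None
    try:
        procedure(medium)
    except OSError as exc:  # a refused write surfaces here; record it and keep going
        err = f"{type(exc).__name__}: {exc}"
    after = sha256_of(medium)
    return WriteBlockResult(before, after, err)


def read_only_procedure(medium: str) -> None:
    """Stand-in for a sound method: the handle is read-only, so the kernel
    refuses the write (EBADF) and the medium is not touched."""
    fd = os.open(medium, os.O_RDONLY)
    try:
        os.write(fd, b"X")
    finally:
        os.close(fd)


def careless_procedure(medium: str) -> None:
    """Stand-in for an unsound method: the handle is read-write, so a stray
    metadata update (journal replay, access time) lands on the evidence."""
    fd = os.open(medium, os.O_RDWR)
    try:
        os.write(fd, b"X")
    finally:
        os.close(fd)


def make_constructed_image(size: int = 2 * CHUNK) -> str:
    """Constructed evidence image with a fixed byte pattern, not real evidence."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((bytes(range(256)) * (size // 256 + 1))[:size])
    return path


if __name__ == "__main__":
    img = make_constructed_image()
    for name, proc in (("read-only", read_only_procedure), ("careless", careless_procedure)):
        r = validate_write_block(img, proc)
        print(f"{name:10s} sound={r.sound} before={r.hash_before[:12]} "
              f"after={r.hash_after[:12]} error={r.procedure_error}")
    os.unlink(img)
```

Run it against the real device and the real procedure more than once, on more than one medium, and keep the before/after digests: a run where the digest changed is the finding that sends the method back to the bench, and a series of runs where it never changed is the proof the text says a jury will want shown.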
Hardware write block devices (aka write blockers, forensic bridges) are a flexible, extremely
useful, and core component of the forensic tool kit. They have the advantages of portability,
broad application, ease of use, and ease of function testing. It is a simpler task to visually and
conceptually demonstrate the function of a hardware write block device than to explain the
esoteric technical specifics of a Linux operating system forensic recompile to a jury of average
(and often nontechnical) citizens.
A number of major write block devices are readily available for purchase. Common write
block brands include Tableau, WiebeTech, and Intelligent Computer Solutions DriveLock.
Digital Intelligence carries the complete line of Tableau products under the brands UltraBlock
and FireFly. Guidance Software has FastBloc, based upon WiebeTech firmware. Paraben
Corporation vends LockDown. MyKey Technology vends NoWrite. The majority of these write
blockers are designed to be portable, giving them equal value on a laboratory bench or in
the field.
Multiple form factors exist to serve different environmental needs. Hard-disk technology
has multiple interface types (IDE, SATA, SCSI, etc.), so write block technology integrates
multiple interface types to cover the diverse connectivity needs an investigator may
encounter. Many write blockers are designed to support the IDE hard disk interface and will
have an adapter/cable kit that allows the device to also support SATA. Tableau instead has an
explicit forensic bridge model for each interface type: SATA (T3u and T15), IDE (T5 and T14),
SCSI (T4 and adaptor kit), USB (T8), and so on. There are advantages to both design
approaches. USB and FireWire are the common interface types used to connect external write
blockers to examination machines. Most write blockers will be packaged with the appropriate
power supplies and cabling to support that device.
Forensic bridges can also be acquired for permanent installation into workstations.
Although not portable (unless the entire workstation is portable), internal forensic bridges
usually have the advantage of being space-efficient, often providing several evidence drive
interfaces while consuming only one device bay on the workstation. The Tableau T35i
Combination Bridge is an example of a permanent-mount device.
Write block technology also exists to support examination of non-hard-disk media. A
number of multiformat forensic card readers exist to handle SD, SDC, xD, MMC, CF, and so
on. Examples include the Tableau TDA8-M 12-in-1 reader, the Addonics DigiDrive 12-in-1
Flash Media Reader, and the UltraBlock Forensic Card Reader from Digital Intelligence. In
addition to the core write block device, passive format-to-format adapters can be purchased
from retail and specialty outlets to adapt a nonsupported card format to a supported one,
further extending the interface capability of the multicard readers. (When adapting formats,
always test the adapter to ensure that it is indeed a passive, non-change-inducing device.)
Write Block Field Kits
Forensic bridge field kits are an excellent addition to the forensic laboratory inventory. Aside
from the obvious (field use), a field kit can be fully functional on an examiner's laboratory
desktop, and as such, kits help reduce purchase costs by minimizing the amount of hardware
per examiner required to execute data acquisition and investigation in diverse environments.
Field kits tend to be lightweight, ruggedized, designed to meet air transport criteria, and
packed with device, adapter, and cabling options to address as many of the "unknowns" of field
work as possible. The Digital Intelligence UltraKit and the Ultimate Forensic Write Protection
Kits from Forensic Computers are excellent examples of single-package systems; they include a
majority of the Tableau devices referenced earlier as well as numerous supporting parts. Field kits
also commonly supply a basic multifunction hand tool kit, a bit/driver set, and a digital camera to
support other aspects of field work. A good core field kit can be substantially fleshed out
with cabling, adapters, extra devices, and so on to create a very powerful and economical
portable laboratory system. Always include redundancy for high-use or fragile components:
multiple AC adapters, power cords, and interface cables are a must. Convenience items such as
the Tableau in-line power switch (T2) add a level of protection to the examination equipment
assembly process and help protect evidence media from damage caused by pilot error.
One major implementation of write block methodology focuses on protecting original
media from change during examination. Another is protecting original media from change
during duplication. In many instances, field investigation practices will require the
acquisition of data from the wild for later study. This acquisition often occurs via the creation
of a forensic duplicate of the original evidentiary materials so that the evidence can be
transported back to a laboratory environment for analysis. In such cases, the need for write
blocking is conjoined with the need for a duplication platform.
Hardware Duplication Platforms
A number of handheld and desktop forensic duplication systems are available. The core
functions they provide are write-blocking the original evidence media, duplicating the data to
secondary media, and measuring the correctness and completeness of the duplication (almost
always by computing a hash such as MD5 or SHA1, or both, over the source and the copy) to
validate that the entire original was duplicated to the forensic copy. Several devices of this
class also integrate reporting capability (see Figure 1.4).
Figure 1.4 Hardware Duplication Devices
A number of popular models are readily available. The Logicube Forensic Talon, boasting a
data duplication rate of up to 4GB per minute, provides multiple media adapter kits and
possesses extensive reporting capability. Intelligent Computer Solutions' ImageMASSter Solo-III
forensic duplication device handles several interface types and can write to two output hard
drives concurrently. Voom Technologies' HardCopy II provides a simple interface and handles
IDE hard-disk duplication (expandable to SATA duplication with adapters). Voom Technologies
also produces a SCSI HardCopy for SCSI platform acquisitions. Some vendors package multiple
hardware duplication devices and accessories into a field kit; the DIBS RAID (Rapid Action
Imaging Device) is an example. Many of these devices also provide the output options of
bit-for-bit duplication, one or more forensic image format acquisitions, and transport media
sterilization. Hardware-based duplication platforms tend to have much faster data
transcription rates than software-based duplication solutions.
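The duplicate-and-verify cycle these devices perform, written out as an added example for this page rather than taken from any vendor's product: a sector-level copier that zero-fills sectors the source refuses to return (the behavior of dd conv=noerror,sync), records every bad-sector offset for the report, and verifies the copy by computing MD5 and SHA-1 over both the bytes obtained from the source and an independent re-read of the destination. The source is a constructed in-memory medium with one injected read error so the script runs offline; FlakySource, image_device and ImageReport are names chosen here, not a vendor API.

```python
"""Added example (not a vendor product): the duplicate-and-verify cycle of a
hardware imager, written as a small Python duplicator. Sector-by-sector copy,
zero-fill for any sector the source refuses to return (what dd's
conv=noerror,sync does), a list of bad-sector offsets for the report, and
MD5 plus SHA-1 over both sides to validate the copy.

The source is a constructed in-memory medium with one injected read error so
the script runs offline; FlakySource, image_device and ImageReport are names
chosen for this example.
"""
import hashlib
import io
from dataclasses import dataclass, field
from typing import BinaryIO, List, Tuple

SECTOR = 512


class FlakySource(io.BytesIO):
    """Constructed evidence medium: one sector raises an I/O error on read."""

    def __init__(self, data: bytes, bad_sector: int):
        super().__init__(data)
        self.bad_sector = bad_sector

    def read(self, size: int = -1) -> bytes:
        if self.tell() // SECTOR == self.bad_sector:
            raise OSError(f"I/O error reading sector {self.bad_sector}")
        return super().read(size)


@dataclass
class ImageReport:
    sectors: int
    bad_sectors: List[int] = field(default_factory=list)
    source_md5: str = ""
    source_sha1: str = ""
    image_md5: str = ""
    image_sha1: str = ""

    @property
    def verified(self) -> bool:
        """Both digests of the re-read copy match the digests of what was acquired."""
        return (self.source_md5, self.source_sha1) == (self.image_md5, self.image_sha1)


def image_device(src: BinaryIO, dst: BinaryIO, total_sectors: int) -> ImageReport:
    """Bit-for-bit copy with zero-fill on read error and dual-hash verification."""
    report = ImageReport(total_sectors)
    s_md5, s_sha1 = hashlib.md5(), hashlib.sha1()
    for i in range(total_sectors):
        try:
            src.seek(i * SECTOR)  # explicit seek: a failed read must not skew later offsets
            chunk = src.read(SECTOR)
        except OSError:
            chunk = b""
            report.bad_sectors.append(i)
        chunk = chunk.ljust(SECTOR, b"\x00")  # short or failed read is padded, never skipped
        s_md5.update(chunk)
        s_sha1.update(chunk)
        dst.write(chunk)
    dst.flush()
    report.source_md5, report.source_sha1 = s_md5.hexdigest(), s_sha1.hexdigest()

    # Verification re-reads the destination from the start instead of trusting
    # the write buffer; that independent read is the point of the exercise.
    dst.seek(0)
    d_md5, d_sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: dst.read(64 * SECTOR), b""):
        d_md5.update(chunk)
        d_sha1.update(chunk)
    report.image_md5, report.image_sha1 = d_md5.hexdigest(), d_sha1.hexdigest()
    return report


def demo() -> Tuple[ImageReport, bytes]:
    """Image a constructed 4-sector medium whose third sector is unreadable."""
    data = bytes(range(256)) * 8  # 2048 bytes of constructed content, 4 sectors
    src = FlakySource(data, bad_sector=2)
    dst = io.BytesIO()
    report = image_device(src, dst, total_sectors=len(data) // SECTOR)
    return report, dst.getvalue()


if __name__ == "__main__":
    rep, image = demo()
    print(f"sectors={rep.sectors} bad={rep.bad_sectors} verified={rep.verified}")
    print(f"md5={rep.image_md5} sha1={rep.image_sha1}")
```

One caveat the report makes visible: the source hash is computed over the bytes the imager could read, with zeros standing in for the bad sector, so a later re-hash of the original drive by a different tool (which may recover, or fail, that sector differently) can legitimately differ. Record the bad-sector list alongside the hashes, or the mismatch will look like spoliation.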
Duplication hardware is a valuable addition to the examiner's toolbox, but duplication tools
generally provide no environment in which an examiner can investigate the data being dupli-
cated. Portable forensic computer systems provide an examiner with an investigation environ-
ment, expanding the examiner's field capability one step further.
Portable Forensic Systems
When the need to take the entire investigation process into the field arises, a forensic examiner
must have access not only to the protective and duplication tools available but also to fully
interactive examination environments. Specialized portable forensic computing systems provide
a highly mobile, equipment-intensive, and methodologically sound platform for the forensic
examiner. Complete field examination systems allow the examiner to duplicate digital evidence
and analyze that evidence on one robust platform. "By-hand transport" portable forensic
systems will generally be provided in the form of ruggedized, feature-packed laptops or custom
"suitcase-style" workstations. A second tier of "portable" forensic systems includes a class of
machines and mini networks that are heavily ruggedized for mobility but are not intended for
day-to-day high mobility. All of these investigation systems tend to have fast processors, copious
amounts of memory, and high-volume data storage space. Most will be optimized for running
specific forensic software packages. Implementation of multiple operating systems on one
workstation is common.
Every examiner will need a personal field kit inventory that is easily manageable for loading
and unloading into vehicles and for air travel. High-mobility portable systems are often designed
to rely on external field kits such as the write blocker field kit and supplemental cable and
adapter solutions to make the core system smaller and more transportable. Table 1.2 references
a number of such systems and examples of core features.
Table 1.2 Laptop-Style Portable Forensic Solutions

Vendor: Forensic Computers
System: Forensic Air-Lite VI MKIII
Class: Forensic laptop plus external bridge kit
Feature examples: 2GB memory; supplied with write blocker accessory kit; 25-in-1 media card reader; ruggedized hard-shell case; extra external HD storage supplied

Vendor: LogiCube
System: "PFL" Portable Forensics Lab
Class: Forensic laptop plus external duplicator kit
Feature examples: 2GB memory; supplied with a Forensic Talon drive duplicator; bundled with the forensic investigation software suite FTK from Access Data; ruggedized hard-shell case

Vendor: DIBS USA
System: DIBS Mobile Forensic Workstation
Class: Forensic laptop plus external accessories
Feature examples: 1GB memory; supplied with an inkjet printer in a hard-shell case; bundled with preinstalled forensic software including Access Data FTK, CD/DVD analysis tools, and other forensics utilities; digital camera; write block accessories

Vendor: Digital Intelligence
System: FRED-L
Class: Forensic laptop plus external bridge kit
Feature examples: 2GB memory; multiple bootable operating systems onboard; supplied with UltraKit write block kit; forensic card reader; ruggedized hard-shell case
"Workstation-in-a-box"-style computers can offer a few flexibilities to field personnel that
may not be available in the laptop-style kits, such as a higher number and/or friendlier form
factor of available slots for add-on devices. The suitcase-style workstations often have a detach-
able monitor/keyboard/mouse set that can be used to work with evidence workstations (pre-
suming those components are not available at the field site) for boot-up procedures such as
BIOS checks and verifying proper suspect system reassembly (see Table 1.3).
Table 1.3 Suitcase Workstation-Style Portable Forensic Solutions

Vendor: Forensic Computers
System: Forensic Air-Lite IV MKII
Class: Forensic workstation (suitcase type)
Feature examples: Pentium IV 4.3GHz; 2GB memory; external keyboard and mouse; ruggedized hard-shell case; LCD monitor; upgradeable

Vendor: Digital Intelligence
System: FREDDIE
Class: Forensic workstation (custom design)
Feature examples: 4GB memory; multiple bootable operating systems onboard; two removable hard disk bays; multiple onboard write block formats; supplemental toolbox including hand tools and camera; optional hard-shell case; multiple accessories and several onboard software utilities
Portable Enterprise Systems
In some instances, field portability concerns address the need for a robust, temporary laboratory
facility at an examination location. Forensic portability can be extended to "network-in-a-box"
solutions; "half-rack" solutions can fill this need. A portable enterprise system will offer core
components such as the examination system(s), integrated write block bridges, robust
examination hard-disk storage space (multiterabyte RAID-level storage, etc.), and all add-on
hardware such as monitors, KVM switches, and so on, wrapped into one ruggedized cage. This
type of portable environment is usually high durability but low mobility, quite weighty, and
meant to be transported crated and packed (i.e., with setup and breakdown time) as opposed to
the more "plug-and-play" high-mobility equipment (see Table 1.4).
Table 1.4 Digital Intelligence's FRED-M Portable Forensic System

Vendor: Digital Intelligence
System: FRED-M
Class: Forensic environment
Feature examples: Rack-mount enclosure; high-end forensic processing workstation including rack-mount monitor, keyboard, and mouse assembly; networked within enclosure; complete write blocking system onboard; onboard tape backup system; up to 6TB of RAID 5 examination drive space; onboard uninterruptible power supply (UPS); highly customizable
Laboratory Forensic Systems
In many instances, the high-mobility equipment that accompanies the field examiner on
excursions can also be utilized on the desktop. Small operations, especially solo practitioners, will
find great economy in purchasing their primary gear with both field and desktop implementation
in mind. For facilities that can support a permanent lab installation of desktop investigative gear
plus field support equipment, numerous "nonportable" investigative powerhouse systems are
available. These systems tend to offer all the various field hardware solutions found in portable
kits for write blocking and hard-disk management combined into one desktop chassis. A solo
practitioner or cost-conscious operation may find value in a "white box" approach, building a
desktop system from scratch to suit specific needs; all-in-one devices such as the Tableau T35i
Combination Bridge and Tableau T335 Drive Bay Controller are economical options for
implementing multiple write-block and multiple hard-disk solutions in a single chassis.
Prebuilt desktop forensic systems (see Table 1.5) will often have the best computing power
available at the time of purchase (portable technology historically tends to lag behind desktop
technology in terms of "bigger-better-faster-more").
Table 1.5 Desktop Forensic Systems

Vendor: DIBS USA
System: DIBS Advanced Forensic Workstation
Class: Forensic full-tower desktop plus accessories
Feature examples: 1GB memory; Pentium 4 processor; one operating system hard drive and one removable hard-drive bay; multiple forensic applications installed; onboard write block capability; external supplemental USB drive bay; DVD writer; custom search engine software

Vendor: Digital Intelligence
System: FRED
Class: Forensic full-tower desktop plus accessories
Feature examples: 4GB memory; dual core processor; onboard write block capability; dual RAID-capable SATA drive controllers; multiple removable hard disk bays; onboard forensic card reader; optional tape backup system; optional 2TB RAID 5 subsystem; supplemental toolbox including hand tools, camera, and adapter kits; multiple bootable operating systems; onboard SCSI controller

Vendor: Forensic Computers
System: Original Forensic Tower II
Class: Forensic full-tower desktop plus write blocker field kit plus accessories
Feature examples: 2GB memory; dual core processor; multiple external device bays including Tableau T335 forensic bay controller, two read-only hard-disk bays, one writable hard-disk bay, DVD writer; supplemental Write Blocker field kit; onboard SCSI controller; upgradeable; optional forensic examination software preloads available

Vendor: Forensic Computers
System: Forensic Tower II
Class: Forensic full-tower desktop plus write blocker field kit plus accessories
Feature examples: 4GB memory; dual core processor; multiple external device bays including Tableau T335 forensic bay controller, two read-only hard-disk bays, one writable hard-disk bay, DVD writer; supplemental Write Blocker field kit; onboard SCSI controller; available expansion slots for add-ons; optional forensic examination software preloads available; upgradeable
When you are choosing the specifications for a desktop laboratory processing system,
always target the fastest processing, largest memory allocation, and largest possible hard-disk
drive volume available at the time of purchase, subject to any budget constraints. Hardware ages
quickly, and maximizing the point of purchase processing capability of new systems maximizes
the useful lifespan of the equipment. Given the process-intensive needs of most forensic soft-
ware application suites, a fast, powerful CPU, and a large amount of RAM are critical.
Typical data storage space requirements for the forensic examiner are astronomical. As of
this writing, a single hard disk of 1TB is readily available in the retail consumer marketplace,
and 1TB hard disks are commonly found in home and corporate computers at point of sale.
Encountering hard disks of 500GB or 750GB is commonplace. Current prebuilt forensic
systems offer base storage of 2-6TB per system. Make maximizing storage space a priority and
consider the relatively short span of any volume's sufficiency when allocating resources to
acquire forensic computing equipment. Evaluate hardware-level redundancies and robust
backup systems for managing data volumes of this size.
Provide considerable monitor real estate. Forensic examiners have to visualize enormous
amounts of data during an examination, and the viewable area of the computer monitors upon
which they work can have notable impact on investigation speed and efficiency. Many forensic
systems are sold with dual-head video cards, such that two or four monitors may be attached to
one system. Large (22-30-inch) flat-panel monitors are space-efficient, readily available and rea-
sonably priced.
The ability to operate under multiple operating systems is greatly desired. The forensic
examiner will use both cutting-edge and "old-school" investigation tools, requiring multiple
operating systems to support those tools. From an investigative standpoint, the investigator will
routinely analyze evidence derived from (and will therefore require access to) multiple
operating system environments. Provision of multiple operating systems extends across version
levels (such as multiboot options for Microsoft DOS 6.22, Windows 98 SE, Windows 2000, and
Windows XP) and platforms (Windows and Linux boot options). The more powerful prebuilt
forensic systems will provide four or more bootable operating systems.
Media Sterilization Systems
Spoliation challenges to evidence integrity include challenges to the duplicate evidence copy;
often an argument will be made that the evidence could have experienced spoliation due to data
artifacts preexisting on the hard drive used as the duplication destination. To help prevent
questions of this type from arising, a solid policy for work product media sterilization should be
in place for any forensic practice. Any hard drive to be utilized as a substrate for an evidence
duplicate should be sterilized prior to use and documented as sterile. Furthermore, the sterile
state of such media should be validated by some post-sterilization procedure. Some forensic
hardware and software duplication tools sterilize in conjunction with data acquisition: they
validate the acquired evidence data stream via hash methodology, then "wipe" any remaining
writable space to a random or zero value via data overwrite methods. Relying on this process
is more complicated from an "explain-to-jury" standpoint than confirming all new substrate
media as clean and viable for use, prior to use.
Software solutions such as Guidance Software's EnCase forensic examination suite include
the capability to sterilize and subsequently validate hard-disk media; retail products such as
White Canyon Software's WipeDrive (www.whitecanyon.com) can destroy data according to a
number of data overwrite patterns. (Many retail "drive wiping" programs are ineffective at
complete data destruction. If any software data destruction method is utilized, make certain to
test results and validate any destruction attempts case by case.) Hardware sterilization devices
exist that can bulk-overwrite hard disk media.
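The wipe-then-prove policy described above in executable form, as an added example written for this page (not a vendor tool, and no substitute for testing a wiper case by case): sterilize a substrate by overwriting it with a fixed byte and fsyncing so the wipe is on stable storage rather than in the page cache, then independently re-read every byte and report the first offset that does not match the fill, together with a SHA-256 of the validated region for the case notes. It runs on a constructed image file; against a real destination drive the path would be the block device and the process needs root. The names sterilize, validate_sterile and SterilizationReport are chosen here.

```python
"""Added example (not a vendor tool, and no substitute for testing a wiper
case by case): sterilize a substrate medium and then prove it sterile.
sterilize() overwrites every byte with a fill value and fsyncs so the wipe is
on stable storage, not in the page cache; validate_sterile() independently
re-reads the medium and reports the first offset that does not match, plus
a SHA-256 of the validated region for the case notes.

Runs on a constructed image file; on a real destination drive `path` would be
the block device and the process needs root. Names are chosen for this example.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

CHUNK = 1 << 20  # 1 MiB I/O size


def sterilize(path: str, size: int, fill: int = 0x00, passes: int = 1) -> None:
    """Overwrite bytes [0, size) with `fill`, `passes` times; the last pass is what gets validated."""
    block = bytes([fill]) * CHUNK
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            written = 0
            while written < size:
                n = min(CHUNK, size - written)
                f.write(block[:n])
                written += n
            f.flush()
            os.fsync(f.fileno())  # a wipe that only reached the page cache is not a wipe


@dataclass
class SterilizationReport:
    size: int
    fill: int
    clean: bool
    first_dirty_offset: Optional[int]  # None when clean
    sha256: str  # digest of the validated region, recorded with the case notes


def validate_sterile(path: str, size: int, fill: int = 0x00, start: int = 0) -> SterilizationReport:
    """Re-read bytes [start, size) and confirm every one equals `fill`.

    `start` > 0 covers the duplicator variant the text describes: after an
    image of `start` bytes has been written and hashed, only the remainder
    of the drive is wiped and needs validating."""
    h = hashlib.sha256()
    first_dirty: Optional[int] = None
    with open(path, "rb") as f:
        f.seek(start)
        offset = start
        while offset < size:
            chunk = f.read(min(CHUNK, size - offset))
            if not chunk:  # medium shorter than declared: cannot claim it is clean
                if first_dirty is None:
                    first_dirty = offset
                break
            h.update(chunk)
            if first_dirty is None and chunk.count(fill) != len(chunk):
                first_dirty = offset + next(k for k, b in enumerate(chunk) if b != fill)
            offset += len(chunk)
    return SterilizationReport(size, fill, first_dirty is None, first_dirty, h.hexdigest())


def make_used_image(size: int) -> str:
    """Constructed 'previous case' substrate full of random residue."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


def demo(size: int = 3 * CHUNK + 4096) -> Tuple[SterilizationReport, SterilizationReport]:
    """Wipe a used image and validate; then plant one stray byte and validate again."""
    path = make_used_image(size)
    sterilize(path, size)
    clean = validate_sterile(path, size)
    with open(path, "r+b") as f:  # simulate a sector the wiper never reached
        f.seek(2 * CHUNK + 512)
        f.write(b"\xAA")
    dirty = validate_sterile(path, size)
    os.unlink(path)
    return clean, dirty


if __name__ == "__main__":
    for label, rep in zip(("after wipe", "after tamper"), demo()):
        print(f"{label:13s} clean={rep.clean} first_dirty={rep.first_dirty_offset} "
              f"sha256={rep.sha256[:16]}")
```

The validation step is deliberately a separate pass over the medium rather than a return value of the wipe: the documented "sterile" claim should rest on what was read back, not on what the wiper believed it wrote, which is also why the size is passed in explicitly and a short read counts as a failure rather than as "nothing left to check."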
If any evidentiary or sensitive data needs destruction after its value expires, a sterilization
process and validation process should be applied to the media to destroy data. Both hardware
and software sterilization tools exist that can destroy data. A forensic laboratory environment
will often need to demonstrate adherence to commonly accepted practice. Data destruction
practices are no exception. One of the most popular courtroom attacks on digital evidence
centers around spoliation; it behooves a forensic practice to not only practice good methods
but also adopt commonly defined "industry standard" practices with regard to work product
media consumption. Although an argument can be made that no truly "industry-standard" defi-
nition for data destruction exists, several published standards do serve as common reference
materials for most forensic practitioners on the topic of data destruction practices.
By far the most referenced document is Department of Defense (DoD) 5220.22-M.
Commercial practices especially, in order to lend market credence to their vended product, will
claim adherence to "DoD grade" destruction practices. This document, reissued in February
2006 as the NISPOM ("National Industrial Security Program Operating Manual"), is, in its
current incarnation, a high-level document and it does not speak to actual technical specifics of
rest where his greatest feat of daring took place. It was during the
rebellion of the Matabeles in 1896-97 that Rhodes, unarmed, with a
friend accompanying him, walked up the Matopos through the files
of the warring hordes of blacks to where their chiefs were stationed.
His cool bravery and personal magnetism so impressed the chiefs
that the rebellion ceased.
"Here lie the remains of Cecil John Rhodes" is the brief inscription
carved on a granite slab that covers his grave, which was chiseled
out of a solid rock on the highest of the Matopo Hills. "World's View"
is the name Rhodes gave the place where he is buried. It is located
30 miles southeast of Bulawayo.
Bulawayo, meaning in English "the place of killing," is located in the
heart of wildest Africa. We find here splendid streets, as wide as
those of Salt Lake City, fringed with trees, with monuments erected
at convenient places in the center; a good public library, containing
5,000 volumes; hospitals, parks, a botanical garden, zoölogical park,
museum and art gallery, schools, churches, business buildings, daily
newspapers—all of a high order. Bulawayo, nearly 1,400 miles from
Capetown, has a population of 5,000 whites. It is the largest town of
Matabeleland, the center of the gold mining industry, and has had
railway connection with the Transvaal since 1897. Only four years
earlier Lobengula's Kraal occupied the land that Bulawayo is built on.
It required the sacrifice of many lives of hardy frontiersmen to
conquer the Matabeles, and to pave the way for the accession of
Matabeleland, Mashonaland, Barotseland and the other sections that
comprise Rhodesia.
Industries in Bulawayo are few and small. In this respect, however, it
is no different than most African towns. But located in the country
away from the metropolis are numerous gold mines, and Bulawayo is
headquarters for that industry. The annual output from these mines
runs from $12,000,000 to $15,000,000.
We find in this place the typical frontiersmen. This feature of the
country is reflected from its founder, as Rhodes was not a "toff."
Every one goes in his shirtsleeves, and derby hats are not sold in
Bulawayo. Soft, wide-brimmed hats, like those worn by the Boers,
rule the day. One occasionally sees the butt of a revolver sticking out
of a hip pocket or at the side of a belt, and hunting knives, incased
in a sheath, are carried by almost every one, particularly on leaving
town. A rifle strapped over the shoulder of men coming in from
country districts is a common thing to see. Lions and tigers are so
numerous in Rhodesia that weapons are carried to protect oneself
from any attack that might be made by the wild beasts. Still, under
these "trouble-making" conditions, we find maintained that same
respect for law and order that was so noticeable in other parts.
A native word—"indaba"—much in use in Rhodesia, is often used in
South Africa. When the chiefs met to talk over matters pertaining to
their tribe—a native cabinet meeting—the meeting would be termed
an "indaba." When Cecil Rhodes was engaged in dissuading the
Matabele chiefs on the Matopo hill to discontinue the rebellion, the
meeting of the "great white chief" with the native chiefs was termed
an "indaba."
In the grounds of Government House stands what is known as the
"Indaba Tree." The residence of the Governor-General is built on the
site of Lobengula's home, and it was under this tree that the rulers
of the Matabele tribe assembled and dispensed native justice.
Though the altitude of Matabeleland is about 5,000 feet, the
weather is warmer in winter than it is in the Transvaal.
Mention has been made of "salted" cattle in South Africa. The only
people who can live in most parts of Rhodesia are "salted" men. If
the inhabitants are so fortunate as to take on a few pounds of flesh
at certain seasons, they lose that much, and generally more, from
fever and ague at another season. Among the creditable buildings
mentioned of Bulawayo was included "good hospitals." Wherever
hospitals are seen frequently, particularly in small settlements, one is
using sound judgment if he makes his escape from that place early,
as otherwise he will soon be personally familiar with the interior of
these institutions. Wherever hospital facilities of a small community
are of the first order, one finds a graveyard out of all proportion to
the number of people who live in the place. A hen with a brood of
chicks was crossing a sidewalk in Bulawayo, and each chick had its
head drawn back between its wings. They were so slow getting
across the walk that one had to step over them—stepping over
chunks of fever, as it were.
Rhodesia is a trap in which many poor men get caught. The riches of
the country are much advertised in England, and those who come
out and buy land soon find that their limited means are gone, and
they are practically stranded. Both Rhodesia and South Africa are
countries only for men with capital.
The railway branches in two directions from Bulawayo—one easterly
to Salisbury and out to Beira, Portuguese East Africa, the latter place
being the port for Rhodesia; and northwesterly to Victoria Falls, and
from that point 300 miles northward toward the southern border of
the Congo Free State. This branch is what is known as the Cape-to-
Cairo route.
We will start for the Falls. Fifty miles from Bulawayo we left the
plains and passed through a forest of teak trees. Further on,
growing palms indicated a warmer climate.
"Thirteen years ago," said a traveling companion, who was a trader
in these parts, "fourteen of us came up to Rhodesia. None was over
25 years of age. I'm the only one left out of the fourteen," he
concluded. Asked what had taken off his companions, he answered:
"One was killed by a lion, and the others died of fever."
Ho! a smokestack is in view. We have reached Wankie, a coal mining
district, and a rich one, too, for the mineral may be seen cropping
out of the ground on each side of the track. A big hospital is
observed, situated on a hill, which bears the usual significance in
Rhodesia.
"Do you see that low, white cloud to the right?" asked a passenger.
"That's the spray from Victoria Falls. We have several miles yet to go
before we reach the bridge," he added.
We had traveled 1,200 miles from Johannesburg to this place, the
journey taking three days. Recklessness, rather than good judgment,
marked my course, for railroad fare from and back to Johannesburg
tapped my purse for $100. Expenses on the train had increased also,
as the cheapest meal from Mafeking north was 60 cents, and the
next cheapest 75 cents. But to one whose mind inclines to seeing
the acme of nature's handicraft, promptings of this character
outweigh financial considerations. Hotel accommodation at Victoria
Falls was correspondingly high—$5 a day. One has no choice, as
there is but a single hotel there, which is the property of the railroad
company. Aside from the hotel, a photographer's studio and a few
houses comprise all there is in the way of buildings in Victoria Falls.
Some of the Boers who took part in the Great Trek from Capetown
north in 1835-38 did not stop long in what later became the
Transvaal, but kept trekking, until they reached the Zambezi River.
Most of these voortrekkers, however, were massacred by Matabeles.
This occurred from ten to fifteen years earlier than Livingstone's
visit. But it fell to David Livingstone to make known to the world the
greatest of waterfalls, on which he first set eyes in November, 1855.
For a distance of seven miles above the falls the river is dotted with
evergreen islands. Through this archipelago the waters of the
Zambezi slowly run, giving no intimation of what is taking place
several miles below. On these islands hippopotami feed when
inclination prompts, and crocodiles sun themselves and sleep when
they prefer land to water for a rest.
Two islands—Livingstone and Cataract—are located at the edge of
the precipice, which accounts for Victoria Falls being of three parts,
namely: Rainbow, Main and Cataract Falls. The distance from one
side of the river to the other here is over a mile—5,808 feet, to be
correct. The water, unlike that of Niagara, is of a dark, sallow color,
but not muddy, and the falls are straight, instead of horseshoe
shape.
Stealthily the water moves over the wide ledge of rock, when its
dull, lifeless color in the archipelago now assumes a much brighter
shade. Save for two dark panels of unwatered space, made by two
green islands just above, there unfolds before the visitor's eye what
seems a mile-wide mantle of amber-colored, gauze-like lace. Myriads
of water crystals dart from the broad flow's filmy web and, jewel-
like, embellish the absorbing water spread for a depth of 380 feet.
Also rainbows revel in still further enhancing this crowning
masterpiece of art—these, in beautifying, sharing a radiant part—the
bars of iris, of lustrous, engrossing hues, burnishing the peerless tri-
falls' breast, as the veil-like flow descends in brilliant, multi-colored,
wavy folds from its smooth, extended crest to the roaring, misty
maw below. Clouds of spray, which may be seen 15 miles away, rise
to a height of 2,000 feet from the boiling abyss, and the thunderous
roar made by the impact of the waters is heard 12 miles beyond.
A parallel wall rises in front of the precipice over which the water
flows. A space varying from 80 to 240 feet separates the two. Into
this narrow chasm 5,000,000 gallons of water a minute dash from a
height of 380 feet, and one may imagine what pandemonium is
taking place all the time in the great vault. For three-quarters of a
mile the second, or parallel, wall, runs westward, unbroken. Then
there is a break of something like 200 feet in width, that looks as if it
had been gnarled out not only by water, but that even some other
powerful agency had taken part in making this cleavage. The wall
rises again to its full height and maintains a solid, unbroken front for
a quarter of a mile further to Cataract Falls, at the west bank of the
river. The water from Rainbow Falls, at the east bank, and from Main
Falls, in the center of the river, runs westward to the 200-foot gap in
the parallel wall, and the water from Cataract Falls runs eastward
and, boiling and foaming, intermixes with the other waters and flows
through the same opening. One may form an idea of the great depth
of water at the narrow outlet when it is borne in mind that this vast
quantity, falling over a ledge of rock a mile wide, finds its way out of
the huge rock tank through that narrow channel.
[Illustration: Victoria Falls.]
[Illustration: Zambezi Bridge and Gorge Below Falls.
Note.—The parallel wall against which the flow dashes is equal in
height to the precipice over which the water passes, the picture
being drawn with a view of affording a clearer conception of
Victoria's wide descent.]
After the water storms through the 200-foot wide channel the
torrent travels several hundred feet, when it flows under the
Zambezi railway bridge, 450 feet above. On it turbulently runs, the
water befoamed, through high, perpendicular walls of basaltic rock
for over a mile. The rocky banks then decrease, but the course of
the river remains rugged and tortuous for a distance of 40 miles.
Vegetation growing about the falls, particularly palm trees, adds
much attractiveness to the environment. The absence of
improvements—save for the bridge, together with grass-thatched
native huts showing dimly through the vegetation on the banks; the
evergreen islands; the stillness of the water before making its
plunge, contrasted with the wild-appearing, rugged, high, rocky
walls below and the foaming and billowy torrent as it dashes madly
through the narrow gorge—make Victoria, like other great works of
nature, distinctive in formation from other notable waterfalls.
Summing up the comparative grandeur and greatness of Niagara
and Victoria Falls, most persons who have seen both would decide, I
believe, that Niagara Falls is the more beautiful and Victoria the
greater. In this connection one has only to compare the grand
crescent of sky-blue water of Niagara with the dull color of Victoria
Falls, the water of Niagara, after plunging over an unbroken stretch
of rock ledge into a roomy, circular-shaped basin, assuming its true
blue color, with the gradual narrowing of the banks to the Gorge;
contrast Niagara's broad, sweeping, unconfined character with the
water of the Zambezi, hemmed in from view in tank-like walls after
passing over the falls, and then prevented from making a good
showing, as it were, by a continuation of similar walls for a distance
of 40 miles.
The bridge across the Zambezi River is a pretty one, with a single
span of 610 feet, and was constructed by an American firm. Cecil
Rhodes instructed the builders to erect it where it now stands, "so
that it would always be wet by spray from the falls."
Nature's fickleness, a trait disclosed in choosing remote regions for
some of her noted wonders, entailing, as it does, long journeys,
fatigue and much expense to reach, is conspicuous by her placing
Victoria in a country hemmed in on the west by Angola and German
West Africa, north by the Belgian Congo, northeast by German East
Africa, east by Portuguese East Africa, and south by Bechuanaland
and the Transvaal. The shortest time in which a journey could be
made from an American port to these falls is about five weeks.
Landing at Capetown, four days' travel, on a slow train, mostly over
a dry and dusty country, must be undergone to reach that point,
when Victoria Falls is viewed in all its sublimity, located in a wild,
interesting, but fever-ridden, section of Rhodesia, where only a
handful of languid white persons live, and on a continent where the
superior race number less than a million and a half.
It is dangerous to cross the Zambezi River in a rowboat, the river
being infested with crocodiles, which grow from 12 to 16 feet long.
The hippopotamus, though, starts the trouble. He hides just under
the water, and nothing can be seen of the beast until a boat is on
top of him. Then he rises, overturning the boat. "Hippo" will not
harm a person in the water; but crocodiles are generally found close
to a hippopotamus, and the former are always hungry. As soon as
the unfortunate occupants of a boat have been dumped overboard
there is a swirl of water close by, another farther off, yet more
disturbed water, when long, dull colored shapes come lashing swiftly
up. The poor swimmers disappear, the muddy water reddens for a
short time, and then becomes sallow colored again. To the Barotse
native the crocodile is a sacred animal, and, as he will not harm the
voracious beasts, deaths of both natives and Europeans by
crocodiles occur frequently in this part of Rhodesia.
The Zambezi River rises in West Portuguese Africa and empties into
the Indian Ocean at Chinde, Portuguese East Africa, about a
thousand miles from its source.
Beer and whiskey are drunk a great deal in that part of Rhodesia,
and almost every one takes quinine to allay fever. No one would
dare take a drink of water were it not boiled.
"Knocking around" is a term much in use in Rhodesia. "Have you
seen John Smith knocking around?" "Is there a boat knocking
around?" "Are there lions knocking around here?" are common
instances in which the term is used.
Tigers are so numerous about Victoria Falls that they rob hen roosts,
and even climb through pantry windows and take away what
eatables are handy.
Vegetation in these parts is interesting to visitors, as all the bushes
and trees are strange to those coming from foreign places. Nearly
every tree or shrub produces its seed in the form of a pod, like
beans. Thorn prongs, as sharp as needles and two and three inches
in length, grow on some trees. The cream-of-tartar tree, however,
will interest a visitor more. This one grows very large, and the bark
is the color of a hippopotamus' skin. In fact, the bark of all trees has
a dark color. The pod of the cream-of-tartar is the shape of a
cucumber and 10 to 12 inches long. The shell is very hard, but,
when broken open, if ripe, the substance in the pod is white, and
separates from the fibers in the form of sugar cubes. The natives eat
it. One cream-of-tartar tree seen close to the falls measured 22 feet
in diameter.
A very good tribe of natives is found in that part of Rhodesia—the
Barotse. At a kraal visited, several of the sightseers asked a native
for a drink of native beer. The liquid was brought in a large calabash,
and the drinking cup was the bowled-out end of a small calabash.
Before the native served the beer he poured out some of the brew in
the hollow of his hand and drank it. Then he tilted the vegetable
demijohn, when the beer was poured into the cup for the
Europeans. The reason of the Barotse sampling the beer first was to
allay any suspicion his white visitors might entertain concerning its
genuineness.
Natives' musical instruments are a one-string fiddle, a skin drum,
and a little wooden frame containing three or four pieces of steel a
quarter of an inch in width and four inches in length. This last is
called a "piano." The small strips of steel are fastened at one end of
the frame. By touching these with the fingers a faint musical sound
is produced. For hours at a time a husky native keeps playing the
"piano," happy in the thought that he is an accomplished pianist.
Lewanika is the head chief of the Barotse tribe.
Native wives are much cheaper in Barotseland than in Zululand,
prices ranging from two sheep to ten cows. Should the wife leave
her husband—elope, for instance—the girl's father must return the
sheep or cows to the deserted husband.
North of the Zambezi River the territory is known as Northwestern
Rhodesia, and also Barotseland. Seven miles from Victoria Falls is
located Livingstone, the capital of Northwestern Rhodesia. Here,
right in the heart of one of the fever regions of Africa, one finds
small but substantial provincial buildings, a good, roomy hotel, an
up-to-date printing office, and a small but interesting botanical
garden.
Malarial, or African, fever is very bad at Livingstone. Horses and
cattle cannot live in this part of Rhodesia unless they are well
"salted." Everything must be "salted," both man and beast.
Transport riders, when taking a load of provisions to traders or to
mining camps located far from the railway, are provided with extra
oxen. Lions are so numerous it frequently occurs that an ox is found
in the morning dead and partly eaten, the work of Leo during the
night while the cattle were resting or grazing. It is said the vital part
of the cattle where the lion makes his attack is the nose. In a second
the beast is thrown, and it is but a matter of a few minutes when
the lion will have his prey dead and badly torn.
The tsetse fly is in his own bailiwick in these parts. This fly is one of
the worst plagues of Central Africa. In size, this insect is as large as
a bumblebee, and when he bites he draws blood, whether it be man
or beast. It is said the deadly virus he injects is extracted from the
bodies of big wild game. Nagana is the name of the disease caused
by the tsetse-fly bite. The scientific name for this fly is rather prosy—
Glossina morsitans; also for a first cousin, whose bite likewise
causes nagana disease, Glossina pallidipes. Mail must be carried to
the interior by immune native runners, as a bite from these flies
means a very short life for a horse. Deaths from sleeping sickness
have occurred in this section of Africa.
Machillas are the means of transportation by which people are
carried from place to place. The machilla is a long pole, with the
ends of a piece of canvas made fast, over which a cover is stretched.
The ends of the pole rest on the shoulders of four natives—eight in
all—who run along at a good gait, with their passengers in the
hammock-like device, until they reach a relay station—at intervals of
about five miles—when a fresh "team" of natives take up the
machilla and are off again at a good trot.
The European population of this large tract of land is said to be only
30,000, blacks numbering 150 to one white person—and it is
doubtful if that number will ever be greater, for the large graveyards
with numerous fresh mounds of dirt are becoming better known
through the receipt of mail by friends living in countries of the North
sent by cadaverous, shaking relatives dying in the fever glades of
Rhodesia.
From Livingstone, 1,650 miles north of Capetown, the projected
Cape-to-Cairo line extends 300 miles further, to Broken Hill, where it
stops. The route from here is to the southern borderline of the
Belgian Congo, thence through that country, crossing the equator,
until Uganda is reached. From Uganda it will traverse the Soudan,
running thence into southern Egypt. At a point in this country the
line will connect with a tongue extending southward from Cairo, the
northern terminus. When the center has been linked, the length of
the line from Capetown, the southern terminus, to Cairo, will be
about 5,000 miles.
Returning to Johannesburg, we passed through Bulawayo, then over
the Matabeleland borderline into Bechuanaland, through the Kalahari
Desert, next into Cape Colony, and thus into Boerland.
Perhaps the prettiest and most shapely mountains in the world are
those in South Africa. Though not so high as those in other
countries, their shapeliness attracts, most of them bearded with
brush at bases and sides, the tops being round and grassy. With the
deep blue sky above—the sun nearly always shining on the high
veld, except during a shower of rain—and the same colored horizon
all round, together with the rays from a bright sun lavishly diffusing
the summits, there is a tone and finish to Boerland mountains which,
in other countries, rocks, snow and timber do not bestow. The
highest mountain is Mount Aux Sources, rising 10,000 feet, located
in the Drakensburg range.
CHAPTER VII
From the Gold City we traveled southward to the Diamond City.
"You haven't been in town long?" a Kimberley policeman addressing
me, remarked, as he stepped in front. As a matter of fact, I had only
got about a hundred yards from the railway station. I surmised that I
had been taken for an "I. D. B." (illicit diamond buyer), having been
told a bird can scarcely alight in Kimberley without coming under
police surveillance. "We're from the same country, I believe," the
officer continued, when I felt easier. "My native town is St. Louis," he
added. "Come to my home this afternoon and have dinner with us,
after which we'll call on an American living in a house a few doors
below," he went on kindly. This courtesy allayed all suspicion that I
would be asked to establish my identity before staying longer in the
diamond fields. The invitation was accepted, his hospitality being
generous. The second American had been on the diamond fields for
more than 30 years, but local interest was a secondary consideration
to meeting some one just come from the United States. He had been
in British territory so long that he had acquired the British accent,
but that was the only thing foreign about him, as one would not
know where to find a more patriotic son of America. On a second
visit to the "Diamond City" every kindness was shown me by these
two "exiles."
Kimberley, with a population of about 35,000, one-third of this
number being white, is the capital of Griqualand West, a section of
Cape Colony. Before diamonds were discovered, the territory
embraced in the Kimberley district was understood to be a part of
the Orange Free State. When the diamond fields promised rich
returns, Cape Colony officials claimed this tract as being part of that
province. The matter was finally adjusted by the Free State
surrendering its claim to the Cape authorities upon payment by the
latter to the Boer republic of several million dollars. The Diamond
City has evidently stood still while other places in the sub-continent
have kept pace with the progress of the times. Its newspapers are
inferior; only one building reaches three stories; there is very little
street paving, practically no sidewalks, and public buildings are quite
ordinary; the shacks standing not far from the business center, built
by colored people out of American oil cans, are a disgrace; church
bells even are suspended from a crosspiece resting on the top of two
posts, 10 feet high, in the churchyard; the parks do not amount to
much, most of the shade trees in these being fine-bearded pine,
through which the sun beats down on one. If there was anything of
a creditable character here, save for a modern street car system, we
did not observe it. To Alexandriafontein, a fenced-in private pleasure
resort, an electric line runs, but it costs 25 cents to reach this park.
Were one in need of an object lesson to understand thoroughly what
a trust means to a municipality, he would learn that lesson in
Kimberley. A number of diamond mines are in operation in the
Kimberley district, but there is but one diamond mining company—
the De Beers. Diamond mining is the only industry in Kimberley.
Mine officials are very kind to visitors who wish to look about the
works.
"Ho! that's Kimberley rain," shouted a friend. Looking from a
window, the width of the street appeared a solid mass of dust, if the
term may be allowed, extending far above the roofs of the houses.
"That's the sort of 'rain' we get in Kimberley," he explained. No rain
had fallen for six months.
The depth of the diamond mines runs from 1,000 to 2,600 feet. The
color of the soil in which the diamonds are found is blue—blue dirt, it
is called—which is removed by explosives. Dirt, pebbles and stones
are moved in iron trucks with iron covers, and locked. On coming to
the surface it is started on gravity railways which extend from two to
four miles from the mine. The truck of dirt, weighing about a ton
and containing an average of one-third of a karat of diamond, is
here dumped on the ground. The "dirt field" contains 1,400 acres of
space. Three high barbed wire fences form the inclosure, and police
—mounted, on bicycles, and on foot—see that no stranger gets
inside the triple barbed-wire fence.
The blue dirt remains in the field from three to six months until, by
exposure to the air, it crumbles. A harrow, with teeth 10 inches long,
is drawn over the section of field ready for use, when any remaining
lumps are broken into fine dirt. The diamond soil is next loaded into
trucks and started back to the head of the mine. The dirt is here
dumped into a revolving screen, which contains holes for pebbles of
certain sizes to drop through. These drop into a revolving round
tank, or vat, 14 feet in diameter and about a foot deep, into which
water runs. Inside the vat are two large stationary rakes, around
which the tank revolves. This is called the washery. The dirt runs out
as muddy water, and the rakes serve to move the pebbles to a point
in the circular vat where there is an opening. Connecting with this
opening is a pipe, down which the stones pass into a steel truck
below. When the truck is filled with pebbles, the door is closed and
locked.
The truck is now started on a gravity railway to what is called the
pulsator, where the nuggets and diamond-bearing stones are
separated from those of no value. Here the contents of the truck
also are emptied into a revolving screen with graduated holes to
allow the pebbles to drop out. The stones of the various sizes now
drop into compartments 4 feet long and 18 inches wide—called jigs
—which move back and forth. Water runs over the pebbles in the
jigs, the light-weight ones washing out and the heavier remaining at
the bottom. The pebbles that remain in the jigs are taken out later
and put into still another revolving screen. Under the grade sizes of
this screen are inclined tables, over which water runs, these having
a thickly greased floor, or bottom, on to which the stones drop. The
nuggets and diamond-bearing stones stick in the grease, but the
non-diamondiferous pebbles pass over. To emphasize how strongly
grease acts as a magnet to the precious stones, of the millions and
millions of pebbles that are washed over the greased bottoms, which
are carefully inspected by experts, rarely is a diamond detected
among the culls.
The little lumps on the greased tables—the diamonds covered with
grease—might resemble a hand with big warts. The table is cleaned,
when the scrapings are treated by a liquid, which renders the
diamonds free of grease. They then pass to a sorting room. The
sorters are native prisoners, but a white man is over them. Then one
negro, very expert in detecting diamonds, examines the stones
sorted by the prisoners. From him they pass to a room where two
white men again examine them. They are then put into steel cups
little larger than a teacup. The cup has a lid to it and a lock. The lid
is closed, locked, and the cup labeled. The locked cups next go to
the Kimberley office. Every Monday the output of the diamond mines
is taken to a train headed for Capetown. That train makes
connection with a steamship leaving for Europe on Wednesdays.
From England most of the diamonds are sent to Amsterdam,
Holland, to be refined.
The reducing character of the diamond mining industry is apt to
astonish one. Over 200,000 trucks of dirt are treated daily, and the
product from this great quantity of soil is less than a cubic foot.
Twenty-three thousand men are engaged in digging, and the
diamonds mined by that large force are examined by but four eyes
and handled by only four hands in the examining room at the
pulsator. The yearly output of the Kimberley diamond mines is from
$35,000,000 to $40,000,000.
Credit for bringing to light the first stone found in the Kimberley
district, in 1870, is given to an Irishman named O'Reilly. A Dutch
boy, whose father's name was Van Niekerk, was playing jackstones.
O'Reilly's eye being attracted by a bright stone among those with
which the boy was playing, he told the boy's father he thought that
particular one was a diamond. O'Reilly's judgment proved to be
good, as, when weighed, it was found to be of 22½ karat. The stone
was sold for $2,500, O'Reilly and Van Niekerk dividing the money.
On the wagon containing the weekly output of diamonds of the
Kimberley mines, and which meets the train that goes to Capetown
every Monday afternoon, is seated a white man and a native driver.
No attempt has yet been made to rob the wagon while going from
the head office of the diamond company to the railway station. This
alone may serve to emphasize the grip which law and order has on
that community.
A week before a native quits the diamond mines he is kept under
strict surveillance. The natives live in compounds, as the kafirs do in
the Rand mine compounds, but, unlike the "boys" working in the
gold mines, mine "boys" of Kimberley are not allowed outside of the
compound except when going to and coming from work, and then
only under guard. They are hired for from three months to a year,
and are paid from $15 to $30 a month and board. There are seven
mines in the Kimberley district, which give employment to 20,000
natives and 3,000 Europeans. Three eight-hour shifts are worked.
Those engaged in the diamond diggings along the banks of the River
Vaal carry with them during life a characteristic by which they may
be picked out from among men following different pursuits. A
fortune—which they all hope for—may escape them if their eyes are
raised from the ground for even so brief a time as that required for
the wink of an eyelash, as they might thus have missed the fleeting
flash of a precious stone just peeping through the soil. For this
reason, when engaged in the diamond diggings their eyes are
constantly looking downward. After they leave the diggings—when
they have spent their savings and become practically starved out—
they walk about with bent head, looking at the sidewalk or ground
as they did when hand-screening soil and digging alluvial dirt. Some
have made fortunes in the diggings, but these are few and far
between.
Bloemfontein, next visited, is known as the Convention City. Because
of its location, being the most important city in the center of South
Africa and well provided with hotels and railway connections,
together with its good public buildings, it has become the favored
place for national gatherings.
After the Boer War the name of this province was changed to
Orange River Colony, against the burghers' wishes. In May, 1910,
when the Dutch again assumed power, its former name, and its
present one—Orange Free State—again came into use.
Located between hills on two sides, having good streets, shady
walks, electric light, good buildings, and a broad, treeless veld to the
east, with poverty seemingly absent, an inviting air pervades
Bloemfontein. The homes of that city, a great many of them built of
red brick, with their vari-colored painted roofs and tidy yards filled
with flowers, all nestling under and some built on the side of the
kopjes, or hills, put one in mind of that other Dutch capital—Pretoria.
Unlike Kimberley, no tin shanties were to be seen here, neither were
the streets swarming with half-castes and Hindus.
The Official Chfi Study Guide Exam 31249 For Computer Hacking Forensics Investigators Dave Kleiman

  • 5. Technical Editor
Dave Kleiman (CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE, MVP) has worked in the information technology security sector since 1990. Currently, he runs an independent computer forensic company, DaveKleiman.com, which specializes in litigation support, computer forensic investigations, incident response, and intrusion analysis. He developed a Windows operating system lockdown tool, S-Lok, which surpasses NSA, NIST, and Microsoft Common Criteria Guidelines. Dave was a contributing author for Microsoft Log Parser Toolkit (Syngress Publishing, ISBN: 1-932266-52-6), Security Log Management: Identifying Patterns in the Chaos (Syngress Publishing, ISBN: 1597490423), and How to Cheat at Windows System Administration (Syngress Publishing, ISBN: 1597491055). Dave was technical editor for Perfect Passwords: Selection, Protection, Authentication (Syngress Publishing, ISBN: 1597490415); Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress Publishing, ISBN: 1597490792); Windows Forensic Analysis: Including DVD Toolkit (Syngress Publishing, ISBN: 159749156X); and CD and DVD Forensics (Syngress Publishing, ISBN: 1597491284). He was also a technical reviewer for Enemy at the Water Cooler: Real Life Stories of Insider Threats (Syngress Publishing, ISBN: 1597491292). He is frequently a speaker at many national security conferences and is a regular contributor to security-related newsletters, Web sites, and Internet forums. Dave is a member of many professional security organizations, including the Miami Electronic Crimes Task Force (MECTF), International Association of Counter Terrorism and Security Professionals (IACSP), International Society of Forensic Computer Examiners (ISFCE), Information Systems Audit and Control Association (ISACA), High Technology Crime Investigation Association (HTCIA), Association of Certified Fraud Examiners (ACFE), and the High Tech Crime Consortium (HTCC). He is also the Sector Chief for Information Technology at the FBI's InfraGard.
Contributors
Kevin Cardwell (CEH, ECSA, LPT) works as a freelance consultant and provides consulting services for companies throughout the U.S., U.K., and Europe. He is an adjunct associate professor for the University of Maryland University College, where he participated in the team that developed the Information Assurance Program for Graduate Students, which is recognized as a Center of Excellence program by the National Security Agency (NSA). He is an instructor and technical editor for computer forensics and hacking courses. He has presented at the Blackhat USA Conference. During a 22-year period in the U.S. Navy, Kevin tested and evaluated surveillance and weapon system software. Some of this work was on projects like the Multi-Sensor Torpedo Alertment Processor (MSTRAP), Tactical Decision Support System (TDSS), Computer Aided Dead Reckoning Tracer (CADRT), Advanced Radar Periscope Discrimination and Detection (ARPDD), and the Remote Mine Hunting System (RMHS). He has worked as both a software and systems engineer on a variety of Department of Defense projects and was selected to head the team that built a Network Operations Center (NOC) that provided services to the command ashore and ships at sea in the Norwegian Sea and Atlantic Ocean. He served as the leading chief of information security at the NOC for six years prior to retiring from the U.S. Navy. During this time he was the leader of a five-person Red Team.
  • 7. Kevin wishes to thank his mother, Sally; girlfriend, Loredana; and daughter, Aspen, all of whom are sources of his inspiration. Kevin holds a master's degree from Southern Methodist University and is a member of the IEEE and ACM. Kevin currently resides in Cornwall, England.
Marcus J. Carey (CISSP, CTT+) is the president of Sun Tzu Data, a leading information assurance and infrastructure architecture firm based out of central Maryland. Marcus' specialty is network architecture, network security, and network intrusion investigations. He served over eight years in the U.S. Navy's cryptology field. During his military service Marcus engineered, monitored, and defended the U.S. Department of Defense's secure networks. Marcus holds a master's degree from Capitol College, where he also serves as professor of information assurance. Marcus currently resides in central Maryland with his family, Mandy, Erran, Kaley, and Christopher.
Timothy Clinton has held multiple roles in the EDD/ESI vendor space. He is currently employed as forensics operations manager for the National Technology Center division of Document Technologies, Inc. (DTI), a major ESI service. Since joining the DTI team, Mr. Clinton has served in multiple roles, including EDD production manager, technical architect, and forensic investigator. He has conducted and managed investigations for numerous civil cases regarding matters for Fortune 50 of law. Mr. Clinton's most notable achievement while at DTI is being responsible for the design and implementation of a showcase data forensics laboratory in Atlanta, Georgia.
Edward Collins (CISSP, CEH, Security+, MCSE:Security, MCT) is a senior security analyst for CIAN, Inc., where he is responsible for conducting penetration tests, threat analysis, and security audits. CIAN (www.cian-center.com) provides commercial businesses and government agencies with all aspects of information security management, including access control, penetration testing, audit procedures, incident response handling, intrusion detection, and risk management. Edward is also a training consultant, specializing in MCSE and Security+ certifications. Edward's background includes positions as information technology manager at Aurora Flight Sciences and senior information technology consultant at Titan Corporation.
James "Jim" Cornell (CFCE, CISSP, CEECS) is an employee of Computer Sciences Corp. (CSC) and an instructor/course developer at the Defense Cyber Investigations Training Academy (DCITA), which is part of the Defense Cyber Crime Center (DC3) in Maryland. At the academy he teaches network intrusions and investigations, online undercover techniques, and advanced log analysis. He has over 26 years of law enforcement and over 35 years of electronics and computer experience. He is a member/coach of the International Association of Computer Investigative Specialists (IACIS) and a member of the International Information Systems Forensics Association (IISFA) and the International Information Systems Security Certification Consortium (ISC2). He is currently completing the Certified Technical Trainer (CTT+) process and is a repeat speaker at the annual Department of Defense Cyber Crime Conference. He would like to thank his mother for more than he can say, his wife for her patience and support, and Gilberto for being the best friend ever.
Michael Cross (MCSE, MCP+I, CNA, Network+) is an internet specialist/programmer with the Niagara Regional Police Service. In addition to designing and maintaining the Niagara Regional Police's Web site (www.nrps.com) and intranet, he has also provided support and worked in the areas of programming, hardware, database administration, graphic design, and network administration. In 2007, he was awarded a Police Commendation for work he did in developing a system to track high-risk offenders and sexual offenders in the Niagara Region. As part of an information technology team that provides support to a user base of over 1,000 civilian and uniformed users, his theory is that when the users carry guns, you tend to be more motivated in solving their problems. Michael was the first computer forensic analyst in the Niagara Regional Police Service's history, and for five years he performed computer forensic examinations on computers involved in criminal investigations. The computers he examined for evidence were involved in a wide range of crimes, inclusive to homicides, fraud, and possession of child pornography. In addition to this, he successfully tracked numerous individuals electronically, as in cases involving threatening e-mail. He has consulted and assisted in numerous cases dealing with computer-related/Internet crimes and served as an expert witness on computers for criminal trials. Michael has previously taught as an instructor for IT training courses on the Internet, Web development, programming, networking, and hardware repair. He is also seasoned in providing and assisting in presentations on
  • 8. Internet safety and other topics related to computers and the Internet. Despite this experience as a speaker, he still finds his wife won't listen to him. Michael also owns KnightWare, which provides computer-related services like Web page design, and Bookworms, which provides online sales of merchandise. He has been a freelance writer for over a decade and has been published over three dozen times in numerous books and anthologies. When he isn't writing or otherwise attached to a computer, he spends as much time as possible with the joys of his life: his lovely wife, Jennifer; darling daughter Sara; adorable daughter Emily; and charming son Jason.
Michael Gregg is the president of Superior Solutions, Inc. and has more than 20 years' experience in the IT field. He holds two associate's degrees, a bachelor's degree, and a master's degree and is certified as CISSP, MCSE, MCT, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and TICSA. Michael's primary duties are to serve as project lead for security assessments helping businesses and state agencies secure their IT resources and assets. Michael has authored four books, including: Inside Network Security Assessment, CISSP Prep Questions, CISSP Exam Cram 2, and Certified Ethical Hacker Exam Prep 2. He also was the lead author for Hack the Stack: Using Snort and Ethereal to Master the Eight Layers of an Insecure Network (Syngress, ISBN: 9781597491099). He has developed four high-level security classes, including Global Knowledge's Advanced Security Boot Camp, Intense School's Professional Hacking Lab Guide, ASPE's Network Security Essentials, and Assessing Network Vulnerabilities. He has created over 50 articles featured in magazines and Web sites, including Certification Magazine, GoCertify, The El Paso Times, and SearchSecurity. Michael is also a faculty member of Villanova University and creator of Villanova's college-level security classes, including Essentials of IS Security, Mastering IS Security, and Advanced Security Management. He also serves as a site expert for four TechTarget sites, including SearchNetworking, SearchSecurity, SearchMobileNetworking, and SearchSmallBiz. He is a member of the TechTarget Editorial Board.
Justin Peltier is a senior security consultant with Peltier Associates, with over 10 years of experience in firewall and security technologies. As a consultant, Justin has been involved in implementing, supporting, and developing security solutions, and he has taught courses on many facets of information security, including vulnerability assessment and CISSP preparation. His previous employment was at Suntel Services, where he directed the company's security practice development. Prior to that, Justin was with Netigy, where he was involved in the company's corporate training efforts. Justin currently holds 10 professional certifications in an array of technical disciplines. Justin has led classes across the United States, as well as in Europe and Asia, for Peltier Associates, Sherwood Associates, Computer Security Institute, ISC2, the Mark I. Sobell Training Institute, Netigy Corporation, and Suntel Services.
Sondra Schneider is CEO and Founder of Security University, a Vienna, VA-based Qualified Computer Security and Information Assurance Training Company. For the past 18 years Sondra has been traveling around the world training network professionals to be network and security professionals. In 2004 she was awarded Entrepreneur of the Year at the First Annual Woman of Innovation Awards from the Connecticut Technology Council. She sits on the advisory board for three computer security technology companies and is a frequent speaker at computer security and wireless industry events. She is a founding member of the NYC HTCIA and IETE and she works closely with ISC2, ISSA, and ISACA chapters and the vendor community to provide qualified computer security training and feedback. Sondra holds the CISSP, CEH, ECSA, LPT, and CHFI credentials.
Jesse Varsalone (A+, Linux+, Net+, iNet+, Security+, Server+, CTT+, CIW Professional, CWNA, CWSP, MCT, MCSA, MCSE 2000/2003, MCSA/MCSE Security, MCSD, MCDBA, MCSD, CNA, CCNA, MCDST, Oracle 8i/9i DBA, Certified Ethical Hacker) is a computer forensic senior professional at CSC. For four years, he served as the director of the MCSE and Network Security Program at the Computer Career Institute at Johns Hopkins University. For the 2006 academic year, he served as an assistant professor of computer information systems at Villa Julie College in Baltimore, Maryland. He taught courses in networking, Active Directory, Exchange, Cisco, and forensics. Jesse holds a bachelor's degree from George Mason University and a master's degree from the University of South Florida. He runs several Web sites, including mcsecoach.com, which is dedicated to helping people obtain their MCSE certification. He currently lives in Columbia, Maryland, with his wife, Kim, and son, Mason.
  • 9. Craig Wright has personally conducted in excess of 1,200 IT security-related engagements for more than 120 Australian and international organizations in the private and government sectors and now works for BDO Kendall's in Australia. In addition to his consulting engagements, Craig has also authored numerous IT security-related articles. He also has been involved with designing the architecture for the world's first online casino (Lasseter's Online) in the Northern Territory. He has designed and managed the implementation of many of the systems that protected the Australian Stock Exchange. He also developed and implemented the security policies and procedural practices within Mahindra and Mahindra, India's largest vehicle manufacturer. He holds (among others) the following industry certifications: CISSP (ISSAP & ISSMP), CISA, CISM, CCE, GNSA, G7799, GWAS, GCFA, GLEG, GSEC, GREM, GPCI, MCSE, and GSPA. He has completed numerous degrees in a variety of fields and is currently completing both a master's degree in statistics (at Newcastle) and a master's degree in law (LLM) specializing in international commercial law (E-commerce Law). Craig is planning to start his second doctorate, a PhD in economics and law in the digital age, in early 2008.
  • 10. Chapter 1: CHFI Computer Forensics in Today's World
Exam objectives in this chapter:
    • The History of Forensics
    • The Objectives of Computer Forensics
    • Computer-Facilitated Crimes
    • Reasons for Cyber Attacks
    • Computer Forensic Flaws and Risks
    • Computer Forensics: Rules, Procedures, and Legal Issues
    • The Computer Forensic Lab
        • Laboratory Strategic Planning for Business
        • Elements of Facilities Build-out
        • Electrical and Power Plant Considerations
        • Essential Laboratory Tools
  • 11. Chapter 1: Computer Forensics in Today's World
Introduction
As is often the case with security compromises, it's not a matter of if your company will be compromised, but when. If I had known the employee I hired was going to resign, break into my office, and damage my computers in the span of three days, hindsight being 20/20, I would have sent notification to the security guards at the front door placing them on high alert and made sure he was not granted access to the building after he resigned. Of course, in hindsight, I should have done a better job of hiring critical personnel. He was hired as a computer security analyst and security hacker instructor, and was (or should have been) the best example of ethical conduct. Clearly, we see only what we want to see when hiring staff, and you won't know whether an employee is ethical until a compromise occurs. Even if my blinders had been off, I would have never seen this compromise coming. It boggles the mind to think that anyone would ruin or jeopardize his career in computer security for so little. But he did break into the building, and he did damage our computers; therefore, he will be held accountable for his actions, as detailed in the following forensic information. Pay attention when the legal issues are reviewed. You will learn bits and pieces regarding how to make your life easier by knowing what you really need to know "when" your computer security compromise occurs.
Computer forensics is the preservation, identification, extraction, interpretation, and documentation of computer evidence. In Chapter 9 of Cyber Crime Investigations, digital forensics is referred to as "the scientific acquisition, analysis, and preservation of data contained in electronic media whose information can be used as evidence in a court of law."1
In the case involving the Hewlett-Packard board of directors, seasoned investigators within HP and the primary subcontracting company sought clarity on an investigative method they were implementing for an investigation. The investigators asked legal counsel to determine whether the technique being used was legal or illegal. Legal counsel determined that the technique fell within a gray area, and did not constitute an illegal act. As a result, the investigators used it and were later arrested. This situation could befall any cyber crimes investigator. In the Hewlett-Packard case, legal counsel did not fully understand the laws relating to such methodologies and technological issues. The lesson for investigators here is not to assume that an action you've taken is legal just because corporate counsel told you it was. This is especially true within the corporate arena. In the HP case, several investigators were arrested, including legal counsel, for their actions.
In this CHFI study guide, you will learn the concepts of computer forensics and how to prepare for the EC-Council's Computer Hacker Forensic Investigator exam. This chapter will review the objectives of computer forensics. It will also discuss computer-facilitated crimes, the reasons for cyber crime, the computer forensics flaws and risks, modes of attack, digital forensics, and the stages of forensic investigation in tracking cyber criminals. The chapter also covers various stages of building a computer forensics laboratory.
www.syngress.com
The History of Forensics

Forensics has been around since the dawn of justice. Cavemen had justice in rules set to protect home and hearth. Francis Galton (1822-1911) made the first recorded study of fingerprints, Leone Lattes (1887-1954) discovered blood groupings (A, B, AB, and O), Calvin Goddard (1891-1955) allowed firearms and bullet comparison for solving many pending court cases, Albert Osborn (1858-1946) developed essential features of document examination, and Hans Gross (1847-1915) made use of scientific study to head criminal investigations. And in 1932, the FBI set up a lab to provide forensic services to all field agents and other law authorities across the country. When you look back at these historic forensic events, you see patterns of confidence in the forensic information recovered and analyzed. You will see in this study guide that today's computer forensics is clearly a new pattern of confidence, acceptance, and analysis.

The Objectives of Computer Forensics

Cyber activity has become an important part of the everyday lives of the general public. According to the EC-Council, eighty-five percent of businesses and government agencies have detected a security breach. The examination of digital evidence (media) has provided a medium for forensic investigators to focus on after an incident has occurred. The ultimate goal of a computer forensic investigator is to determine the nature and events concerning a crime and to locate the perpetrator by following a structured investigative procedure.

Working as a team, computer forensic investigators secure systems and networks.
Computer forensics is one of the three main functions of computer security: the TRIAD consists of vulnerability assessment and risk management, network intrusion detection, and incident response computer investigations.

What is forensic computing? A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format. --Dr. H.B. Wolfe
Investigators must apply two tests for evidence, for both computer forensics and physical forensics, to survive in a court of law:

- Authenticity: Where does the evidence come from?
- Reliability: Is the evidence reliable and free of flaws?

Cyber crime includes the following:

- Theft of intellectual property: This pertains to any act that allows access to patents, trade secrets, customer data, sales trends, and any confidential information.
- Damage of company service networks: This can occur if someone plants a Trojan horse, conducts a denial of service attack, installs an unauthorized modem, or installs a back door to allow others to gain access to the network or system.
- Financial fraud: This pertains to anything that uses fraudulent solicitation of prospective victims to conduct fraudulent transactions.
- Hacker system penetrations: These occur via the use of sniffers, rootkits, and other tools that take advantage of vulnerabilities of systems or software.
- Distribution and execution of viruses and worms: These are some of the most common forms of cyber crime.

Cyber crime comprises three things: tools to commit the crime, targets of the crime (victim), and material that is tangential to the crime.

Cyber crime is motivated by many different things. Often it's the thrill of the chase, and a desire for script kiddies to learn. Sometimes cyber crime is committed by psychologically motivated criminals who need to leave a mark. Other times such crimes are committed by a person or group that is out for revenge; perhaps it's a disgruntled employee or friend who wants to embarrass the target. Most likely, a cyber criminal is being paid to gain information; hackers involved in corporate espionage are the hardest to uncover and often are never seen.

Computer-Facilitated Crimes

Our dependency on the computer has given way to new criminal opportunities. Computers are increasingly being used as a tool for committing crimes, and they are posing new challenges for investigators, for the following reasons:

- The proliferation of PCs and Internet access has made the exchange of information quick and inexpensive.
- The use of easily available hacking tools and the proliferation of underground hacking groups have made it easier to commit cyber crimes.
- The Internet allows anyone to hide his identity while committing crimes.
- E-mail spoofing, creating fake profiles, and committing identity theft are common occurrences, and there is nothing to stop it, making investigation difficult.
- With cyber crimes, there is no collateral or forensic evidence, such as eyewitnesses, fingerprints, or DNA, making these crimes much harder to prosecute.

Reasons for Cyber Attacks

Today, cyber attacks are committed by individuals who are more organized. Cyber crime has different connotations depending on the situation. Most of us equate cyber crime with what we see on TV and in the news: porn, hackers gaining access to sensitive government information, identity theft, stolen passwords, and so on. In reality, these types of computer crimes more often than not include theft of intellectual property, damage of company service networks, embezzlement, copyright piracy (software, movie, sound recording), child pornography, planting of viruses and worms, password trafficking, e-mail bombing, and spam.

Cyber criminals are taught to be more technically advanced than the agencies that plan to thwart them. And today's criminals are more persistent than ever. According to the EC-Council, computer crime is any illegal act involving a computer, its system, or its applications. A computer crime is intentional, not accidental (we discuss this in more detail in the "Legal Issues" section, later in this chapter).

Computer Forensic Flaws and Risks

Computer forensics is in its developmental stage. It differs from other forensic sciences in that digital evidence is examined. There is little theoretical knowledge on which to base assumptions for analysis; standard empirical hypothesis testing, when carried out, lacks proper training and standardization of tools; and, lastly, it is still more "art" than "science."

Modes of Attack

There are two categories of cyber crime, differentiated in terms of how the attack takes place:

- Insider attacks: These involve a breach of trust from employees within an organization.
- External attacks: These involve hackers hired by either an insider or an external entity whose aim is to destroy a competitor's reputation.

Stages of Forensic Investigation in Tracking Computer Crime

A computer forensic investigator follows certain stages and procedures when working on a case. First he identifies the crime, along with the computer and other tools used to commit the crime. Then he gathers evidence and builds a suitable chain of custody.
The investigator must follow these procedures as thoroughly as possible. Once he recovers data, he must image, duplicate, and replicate it, and then analyze the duplicated evidence. After the evidence has been analyzed, the investigator must act as an expert witness and present the evidence in court. The investigator becomes the tool which law enforcement uses to track and prosecute cyber criminals.

For a better understanding of the steps a forensic investigator typically follows, consider the following, which would occur after an incident in which a server is compromised:
1. Company personnel call the corporate lawyer for legal advice.
2. The forensic investigator prepares a First Response of Procedures (FRP).
3. The forensic investigator seizes the evidence at the crime scene and transports it to the forensic lab.
4. The forensic investigator prepares bit-stream images of the files and creates an MD5 hash of the files.
5. The forensic investigator examines the evidence for proof of a crime, and prepares an investigative report before concluding the investigation.
6. The forensic investigator hands the sensitive report information to the client, who reviews it to see whether they want to press charges.
7. The FI destroys any sensitive client data.

It is very important that a forensic investigator follows all of these steps and that the process contains no misinformation that could ruin his reputation or the reputation of an organization.

Test Day Tip

Here are some great resources on computer incident handling and digital forensics:

NIST's "Computer Security Incident Handling Guide," SP800-61, http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
NIST's "Guide to Integrating Forensic Techniques into Incident Response," SP800-96, http://csrc.nist.gov/publications/nistpubs/800-96/sp800-96.pdf
National Institute of Justice's "Forensic Examination of Digital Evidence: A Guide for Law Enforcement," www.ojp.usdoj.gov/nij/pubs-sum/199408.htm
RFC 3227, "Guidelines for Evidence Collection and Archiving," www.faqs.org/rfcs/rfc3227.html

Computer Forensics: Rules, Procedures, and Legal Issues

A good forensic investigator should always follow these rules:

- Examine original evidence as little as possible. Instead, examine the duplicate evidence.
- Follow the rules of evidence and do not tamper with the evidence.
- Always prepare a chain of custody, and handle evidence with care.
- Never exceed the knowledge base of the FI.
- Make sure to document any changes in evidence.
- If you stay within these parameters, your case should be valuable and defensible.

Digital Forensics

Digital forensics includes preserving, collecting, confirming, identifying, analyzing, recording, and presenting crime scene information.

Assessing the Case: Detecting/Identifying the Event/Crime

In any type of investigation, the computer forensic examiner must follow an investigation process. That process begins with the step of assessing the case, asking people questions, and documenting the results in an effort to identify the crime and the location of the evidence. Computer investigations are conducted on two types of computers: the computer used to commit a crime, and the computer that is the target of the crime.

Preservation of Evidence: Chain of Custody

Preserving the chain of custody is the next step. Identification of the evidence must be preserved to maintain its integrity. A chain of evidence must be prepared to know who handled the evidence, and every step taken by the forensic investigator must be documented for inclusion in the final report. Sometimes a computer and its related evidence can determine the chain of events leading to a crime for the investigator as well as provide the evidence which can lead to conviction.

Test Day Tip

A chain of custody is the accurate documentation of the movement and possession of a piece of evidence, from the time it is taken into custody until it is delivered to the court. This documentation helps prevent allegations of evidence tampering.
It also proves that the evidence was stored in a legally accepted location, and it documents who is in custody and control of the evidence during the forensic testing phase.

A bit-stream image is an exact duplicate of a computer's hard drive in which the drive is copied from one drive to another, bit by bit. This image is then authenticated to the original by matching a digital signature, which is produced by a mathematical algorithm (usually the MD5 standard) to ensure that no changes have occurred. This method has become the de facto standard and is widely accepted by the industry and the legal system.

Collection: Data Recovery, Evidence Collection

Finding the evidence, discovering relevant data, preparing an Order of Volatility, eradicating external avenues of alteration, gathering the evidence, and preparing a chain of custody are the recommended CHFI processes for collecting data. After you collect data, you should create an MD5 hash of the evidence. Prior to collection, one should do a preliminary assessment to search for the evidence. After the assessment is concluded, collect and seize the equipment used in committing the crime, and document the items collected, such as floppy disks, thumb drives, CDs, DVDs, and external backup drives. A photo of the crime scene should be taken before removing the evidence. After collecting all the information, the investigator can then list the steps that can be taken during the investigation and then begin. Caution: it is not necessary to seize the entire system. Identify the relevant data and copy only that; otherwise the result is over-collection.
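The chain-of-custody documentation and the bit-stream image authentication described in the two passages above, as an added Python example that is not from the study guide: an in-memory byte buffer stands in for the suspect drive (a constructed stand-in, not real media), the image is copied bit for bit, the original and the copy are hashed with MD5 (the guide's standard) plus SHA-256 as a second digest, and each step is written to a custody log that carries the digests. The item id, custodian name and drive contents are all constructed.

```python
"""Bit-stream imaging, hash authentication and a chain-of-custody record.

Constructed example: an in-memory byte buffer stands in for the suspect drive,
so the script runs offline and never touches real media.
"""
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 4096               # read size; real tools use the device block size
ALGORITHMS = ("md5", "sha256")  # MD5 is the guide's standard; SHA-256 is a second digest


def hash_stream(stream, algorithms=ALGORITHMS):
    """Hash a seekable stream from byte 0 and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def acquire_bitstream(source, destination):
    """Copy every byte of source into destination (a bit-stream image).

    The source digests are computed during the same pass, so the original is
    read only once; the caller compares them with the pre-imaging digests.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    source.seek(0)
    destination.seek(0)
    destination.truncate(0)
    for chunk in iter(lambda: source.read(CHUNK_SIZE), b""):
        destination.write(chunk)
        for h in hashers.values():
            h.update(chunk)
    destination.flush()
    return {name: h.hexdigest() for name, h in hashers.items()}


def authenticate_image(source_hashes, image):
    """True only if every digest recorded for the original matches the image.

    `image` may be a bytes object or a seekable stream.
    """
    if isinstance(image, (bytes, bytearray)):
        image = io.BytesIO(bytes(image))
    image_hashes = hash_stream(image, tuple(source_hashes))
    return all(image_hashes[name] == digest for name, digest in source_hashes.items())


def custody_entry(item_id, action, custodian, hashes, when=None):
    """One line of the chain-of-custody log: who did what to which item, when,
    and the digests a later reviewer can recompute to confirm nothing changed."""
    when = when or datetime.now(timezone.utc)
    return {"item": item_id, "action": action, "custodian": custodian,
            "timestamp": when.isoformat(), **hashes}


def image_and_log(source_bytes, item_id, custodian):
    """Hash the original, image it, authenticate the image and log each step.

    Returns (authenticated, image_bytes, custody_log).
    """
    source = io.BytesIO(source_bytes)   # stand-in for the original drive
    image = io.BytesIO()                # stand-in for the forensic copy
    log = []
    before = hash_stream(source)
    log.append(custody_entry(item_id, "hashed original before imaging", custodian, before))
    during = acquire_bitstream(source, image)
    # The original must hash identically before and during acquisition, and the
    # image must hash identically to the original; otherwise the copy is unusable.
    ok = during == before and authenticate_image(before, image)
    log.append(custody_entry(item_id, "bit-stream image " + ("authenticated" if ok else "FAILED"),
                             custodian, hash_stream(image)))
    return ok, image.getvalue(), log


if __name__ == "__main__":
    # Constructed drive contents, not real evidence.
    drive = b"BOOT" * 512 + b"notes.txt: meeting on Friday" + b"\x00" * 4096
    authenticated, copy, log = image_and_log(drive, "HDD-001 (constructed)", "examiner A")
    for entry in log:
        print(entry)
    print("image authenticated:", authenticated)
    # Flipping a single byte in the copy is enough to break authentication.
    tampered = copy[:100] + bytes([copy[100] ^ 0x01]) + copy[101:]
    print("tampered copy authenticated:", authenticate_image(hash_bytes(drive), tampered))
```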
Test Day Tip

Sterilize all the media to be used in the examination process, enter the crime scene, take a snapshot of the scene, and then carefully scan the data sources. Retain and document the state and integrity of items at the crime scene, then transport the evidence to the forensic facility.

Examination: Tracing, Filtering, Extracting Hidden Data

The examination process follows the collection process. The computer forensic investigator must trace, filter, and extract hidden data during the process. Some evidence cannot stay for long. Such evidence is called volatile evidence because it needs a consistent power supply for storage. There is also evidence that contains information that keeps changing. CHFI investigators must review registers and cache, routing tables, ARP cache, process tables, and kernel statistics and modules.

In Windows Forensic Analysis DVD Toolkit, Harlan Carvey looks at the order of volatility from a "live system" view (see Chapter 1 of Windows Forensic Analysis DVD Toolkit, Elsevier Inc., 2007). Volatile data must be preserved in order of volatility, with the most volatile data preserved first. This applies to live systems for the most part, but the way in which we approach live systems will become more important in the near future. An example of an order of recovery of system data according to volatility looks like this:

- Virtual memory: Swap space or paging files
- Physical disks: The physical hard disks of a system
- Backups: Offline backup media such as magnetic tape or other media. It is extremely possible that the data you are looking for may not be on the system today, but it was there yesterday and is on last night's backup.

Test Day Tip

It is essential that there is minimal tampering with the evidence, because tampering can alter the exact copy of the evidence.

Analysis

Analysis of the data is greatly different from retrieving the evidence and depends greatly on how exact the copy is. There are various techniques to capture an exact forensic copy of the evidence disk so you can analyze the data. Analysis should be done on the duplicate copy so that the original evidence can be protected from alteration, because the first rule of forensics is to preserve the original evidence. Once a copy is created, use the copy for further processes. Analysis can be carried out using various forensic analysis tools such as EnCase, AccessData, etc.
Approach the Crime Scene

Because of the large number of electronic documents, the skills necessary to search for and identify data in a computer, and the fact that digital evidence is delicate in nature when deleted, encrypted, or corrupted files are recovered from a system, there is a growing need for forensic investigators to approach crime scenes.
An investigator, if trained properly, will ensure that no possible evidence is damaged, destroyed, or compromised by the forensic procedures used to investigate the computer (preservation of evidence); that no computer malware, or harmful software, is introduced to the computer being investigated (non-contamination of evidence); that any extracted or relevant evidence is properly handled and protected from later mechanical or electromagnetic damage (extraction and preservation of evidence); that a continuing chain of custody is established and maintained (accountability of evidence); and that normal operations are affected for only a limited amount of time (limited interference of the crime scene on normal life).

Where and When Do You Use Computer Forensics?

Use computer forensics when there is a need to provide real evidence, such as reading bar codes and magnetic tapes, and to identify the occurrence of electronic transactions and reconstruct an incident with its sequence of events. You use computer forensics when a breach of contract occurs, if copyright and intellectual property theft/misuse happens, or during employee disputes where there is damage to resources.

Legal Issues

It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics (e.g., the issues related to authenticity, reliability, completeness, and convincingness). The approach of investigation diverges with changes in technology. Evidence shown is to be untampered with and fully accounted for, from the time of collection to the time of presentation to the court. Hence, it must meet the relevant evidence laws.
There are legal concerns, not just technical concerns. For example, for some forensic monitoring activity a certain level of security may be legally required, or your ability to monitor certain kinds of activities may be restricted. Also, if you ever need to prosecute, your logs may not be admissible in court. Local and federal laws must be considered when devising a security policy.

The computer revolution has given way to white-collar crimes done on the Internet. Remote targets are compromised by malicious users daily. While investigating these crimes, international issues can be raised when the electronic evidence necessary to prevent, investigate, or prosecute a crime is located outside the borders of the country, and law enforcement must seek assistance from law enforcement authorities in the other country. Preservation of evidence or a request for evidence can be made under mutual legal assistance agreements or, if no assistance is forthcoming, through the Letters Rogatory process.

Investigators are confronted with the need for consistency with all legal systems, the ability to instill confidence in the integrity of evidence, allowances for the use of common language, and applicability at every level.

Computer law is a large field. Areas of concern to security administrators are what constitutes illegal use of a computer, what you can and can't do to detect or monitor it, the status of any evidence you may collect, and your exposure to civil liability suits in the event of a security problem. Computer crime law is a new field. The statutes are quite recent, less than 10 years old, with little case law for guidance. Interpretations may change, and the laws themselves may change, as legislators react to newer threats.

The Computer Forensic Lab

The process of implementing and operating a computer forensic laboratory could be the subject of an entire series of books.
This section of the chapter, however, will attempt to share a few ideas regarding core concepts to be considered during the planning, construction, and operation of a data forensic facility. The material is intended for midsized operations (corporate installations and stand-alone facilities) to demonstrate a diversity of concepts relating to facilities planning, business operations, and service offerings.

Recent changes to the Federal Rules of Civil Procedure (FRCP) in December 2006 have impacted the manner in which digital information is managed in civil litigation. The FRCP formalized the role of digital information in a legal environment. The rules have formally identified the role of electronically stored information (ESI) and how it will be handled and presented in a judicial setting.

The advent of personal computing empowered individuals to create and manage information on a massive scale; the vast majority of information created now exists in digital form on some type of computing system. An entire field of data analysis and digital investigation has evolved in response to the threat of wrongdoing in this digital realm. The technology (laptops, desktops, cell phones, the Internet) empowering individual productivity and creativity is the same technology used to conduct activity against company policy or in violation of the law. Corporate investigators and law enforcement officers need to be able to investigate these types of digital transactions by identifying, recovering, analyzing, and reporting on the digital facts. The role of data forensic analysis will be of increasing importance to the legal system as information continues to evolve into the purely digital and the systems upon which that information is stored become more technologically advanced. The need and demand for expert forensic examiners and forensic data investigation facilities will likewise be on the rise.

Laboratory Strategic Planning for Business

The topic of strategic planning for business development is a series of books unto itself. In this section, we will touch on a few points of interest in developing a forensics practice: philosophy of operation, core mission and services, revenue definition, and Standard Operating Procedure (SOP) definition.

Philosophy of Operation

Every data forensic implementation will reflect four core modes of operation. From solo-practitioner operations to government investigative arms, forensic implementations will function according to a similar set of operating philosophies. The four core aspects of operation are the business operations aspect, the technology venue aspect, the scientific practice aspect, and the artistic expression aspect. Regardless of scope, a computer forensic initiative must pursue sound business practices, must function in the realm of high technology with high-technology talent as ongoing status quo, and must foster excellence of method and diverse, creative vision in solving technology investigation problems.

A Forensic Laboratory Is a Business Venue

Every computer forensic laboratory is a business venue.
A 1099 contract solo investigator, a commercial forensic department in the civilian litigation support space, a city/state police crime lab, a law firm's internal digital investigation group, and a federal network of investigative facilities are all business venues that must behave according to the principles of sound business management, financial profitability, core service provision, and so on. A police crime lab may not be pursuing profit per se, but that lab has to demonstrate value of service and return on investment (ROI) to remain funded or acquire annual budget allocations and new technologies to continue fighting crime. A solo practitioner must remain competitive in the marketplace he or she serves with regard to cost, service provision, and continuing education. A corporate commercial forensic venture must demonstrate profitability and maintain high standards for customer service and product quality to remain competitive in the marketplace. A massive entity such as the U.S. government's network of nationally distributed forensic facilities and allied investigative entities must still obey the principles of good business management, seek operational excellence, and demonstrate value for service and ROI to the U.S. Congress and Senate to remain funded. Running a data forensic laboratory means running a good business at all levels of scope.

A Forensic Laboratory Is a Technology Venue

A data forensic facility of any size is the embodiment of front-of-the-wave mastery of data and data storage technologies in all its various guises. Criminals often afford the newest toys and desire the most complex technologies to hide their crimes from prying eyes, so the data forensic community must always strive to master technology as fast as technology evolves. The commercial consumer marketplace is always rolling out a new wave of the newest, shiniest technologies available to keep up with consumer demand for progress; again, the forensic community is at the front of the line, dismantling and investigating every new gadget that hits the shelves to reveal its secrets.

A Forensic Laboratory Is a Scientific Venue

Understanding and implementing technology isn't sufficient, however. The practice of any branch of forensics is a practice of science. Examiners strive to perform their duties according to reliable, repeatable, valid, objective, consistent, and accurate methodologies to reveal facts objectively via empirical observation, deductive reasoning, and conversion of hypothesis to demonstrable patterns, thereby empowering the presentation of findings of value to be put forth as facts of merit in the court of law.

A Forensic Laboratory Is an Artistic Venue

The investigative process is more than a rigid set of procedures. Intuition and creativity play as great a role for the forensic examiner as do sound methodologies.
Fact-finding in a wildly diverse technological realm requires a great degree of technical prowess as well as a flexible mind; forensic examiners often must be artisans of technology creation and deconstruction. Raw technology skill does not empower an investigator to understand the interaction of man and machine: Intuitive awareness of how the tools of technology and human nature, human thought processes, and human frailties interact allows for much of the artistry and creativity of forensic investigation to be revealed.

Core Mission and Services

Foremost in the consideration of a forensic facility design plan, decide what services the facility is to provide and the scope at which it is to provide those services. A firm grasp of the prospective laboratory's core mission and scope of service will provide guidance on every aspect of building and operating that forensic facility, touching on everything from annual budget to furniture ergonomics. Based upon scope of service, a good forensic laboratory can reside in one room or it may require an entire building with multiple teams of specialists executing diverse tasks across multiple disciplines in each of several geographic regions. A law enforcement agency will focus upon violations of criminal statutes; a governmental agency may focus on one or more aspects of civil litigation; a commercial venture will typically define a service package and then market that package to any number of audiences.

Revenue Definition

A very applicable adage applies to a data forensic facility's operational capability: "Anything is possible with enough money, manpower, and time." As always, knowing how to effectively address the five w's (who, what, when, where, why) of a business plan will dictate the completeness of the plan from concept to execution. Implement a five-year strategic plan. Plan for successful growth. Plan based upon the realities of the specific environment in which the facility will reside, and to which the facility will respond. Implement a realistic and generous budget: Justify it with a cost vs. reward argument. Define milestones to achieve and a growth track to follow. Ultimately, the budget implemented will need to fully serve the needs of the facility in both actual operation and realization of strategic vision.

Every forensic facility initiative, whether law enforcement, corporate, or for-profit, will require funds to function. Developing a strong business plan based upon costs of doing business versus profitability of work product is necessary regardless of the intended audience. Every operation will need to demonstrate ROI to prove the viability of the venture. Costs of doing business will include line item tangibles such as hard dollar outlay to build, staff, stock, operate, maintain, and grow a facility. Costs will also include intangibles such as administrative overhead for policy and procedure creation, implementation, and ongoing process improvement.
A buffer will need to exist for known business variables such as payroll fluctuation and increasing utility costs. Equipment requires maintenance and replacement. And so on.

Defining profitability in light of any given operational ROI will vary depending on the core service provision of the facility. A law enforcement laboratory may want to define profitability in terms of metrics addressing man hours expended and cases processed vs. convictions/pleas achieved; a nonprofit or government agency may want to define profitability in terms of an annual impact statement on its sector of influence. Commercial ventures will certainly define profitability in terms of billable professional hours, machine time, and/or line item service provision. Regardless of how profitability is qualified, profitability needs to be quantified in order to demonstrate the fitness of the venture.

"I Know How Expensive I Am. Now, How Do I Get Paid?"

A data forensic operation will position itself as either a cost center or a revenue generator. In most law enforcement and government agency scenarios, a forensic offering will be perceived as a cost center and will rely on departmental budget allocations, grants, and so on for funding.
ROI will generally be defined by demonstrating efficiency and operational excellence. Profitability will be defined in terms of ongoing results achieved. Corporate implementations, likely to be cost centers, may define themselves as revenue generators by creating a "billback" or cross-charge system in which profitability is determined by revenue tracking demonstrated by billable units (either "credit-for-time-served" being equated to billable hours, or actual interdepartmental invoicing "billed back" to the requesting business unit). Commercial forensic service providers will invoice for services provided and must demonstrate a net profit margin above operating costs.

SOP

Whether applied at the strategic, daily operations, or process-specific level, policy and procedure implementation will ultimately be the measure of operational excellence by which the caliber of a data forensic laboratory (and the product the laboratory produces) is defined. The SOP should be defined while still in the planning stages of laboratory design. The ultimate goal of all work executed in a data forensic laboratory is to send valid, objective electronic evidence into a court of law. The laboratory itself must operate according to high professional standards; the employees of the laboratory must comport themselves professionally and ethically; and the tasks executed by the employees in the investigation and handling of potential evidence must be procedurally sound. "Soundness" of process should be demonstrated by testable, repeatable procedures generating predictable results. Evidence integrity must be defensible; the first defense against spoliation attacks is a defensible process. For all of these things to occur, a robust policy for procedure implementation and oversight is necessary. Workflow management, product testing, process analysis, and method execution all fall within the scope of need for SOP development.
Figure 1.1 outlines the phases of data analysis.

Figure 1.1 Data Analysis Phase Diagram
Quality Standards: Accreditation

Demonstration of operational excellence is important to any business operation. For a forensic facility of any discipline, demonstration of operational excellence is of utmost importance and independent certification of operational excellence is greatly desired. One route taken by many businesses is International Organization for Standardization (ISO) certification. A forensic laboratory could and should pursue ISO accreditations. An organization explicit to the universe of forensics (but not limited to data forensics) is the American Society of Crime Laboratory Directors/LAB (ASCLD/LAB) certifying body. ASCLD/LAB endorses a certification track for a data forensic facility that incorporates both ISO standard 17025 and a supplemental ASCLD requirement set explicit to laboratory operations. The certification itself includes both benchmark standards for operation and ongoing oversight for maintaining accreditation status.
The ASCLD/LAB model for facility operations focuses heavily on a number of areas deemed critical to quality laboratory performance:

- Leadership quality, hierarchy, and effectiveness
- Guidelines regarding policy and procedure creation and execution
- Interoffice and official communication protocols, both vertical and horizontal
- Definition of educational standards and skills testing
- Investment in human resources via training and development
- Physical plant design (security, infrastructure, fixtures)
- Locale ergonomics (personal and shared workspace)
- Implementation of business process control systems and audit methodology
- Explicit requirements at the level of business processes specific to the realm of evidence handling and forensic data examination

Both the ISO 17025 and ASCLD/LAB documents are very useful to review when planning both the physical plant and the operational function of a data forensic laboratory. You can contact ASCLD/LAB-International at www.ascld-lab.org.

Quality Standards: Auditing

Demonstration of operational excellence includes the need for multiple audit channels:

- Individual procedures must be tested for validity of method and adherence to process.
- Hardware and software tools require testing to prove function.
- Individual competency levels need to be performance-tested.
- Workflow requires an audit to guarantee operational excellence.

www.syngress.com
- Inventory control and chain of custody require ad hoc demonstration of 100 percent competency.
- Overall business SOP and mid-level operating procedure require constant reassessment.

A robust audit system is required to achieve the level of process rigor required of any forensic facility.

Human Talent

A forensic examination environment is only as good as the talent associated with the initiative. The best hardware purchasing plan in the world won't matter if the human element does not receive the same quality of investment. Experience gathering, knowledge sharing, continual education, and a serious investment in human resources development are essential to the overall success of a data forensic laboratory.

Education and Continuing Education

Bachelor's level and master's level degree programs exist that focus on forensic investigation; several universities offer a criminal justice degree with a specialty in digital forensics. Multiple certifications exist for the forensic examiner. Certification programs demonstrate both the breadth of knowledge and the hands-on proficiency of the examiner. Maintaining certification means routine retesting and accrual of classroom training hours on a regular basis. Available certifications include:

- Law enforcement: Certified Forensic Computer Examiner, or CFCE (www.cops.org), IACIS
- Civilian and law enforcement: Certified Computer Examiner, or CCE (www.certified-computer-examiner.com), ISFCE; GIAC Certified Forensic Analyst, or GCFA (www.sans.org); and Certified Hacker Forensic Investigator, or CHFI (www.eccouncil.org)
- Software-specific: Access Data Forensic Tool Kit, or ACE (www.accessdata.com) and Guidance Software EnCase Certified Examiner, or EnCE (www.guidancesoftware.com)

Elements of Facilities Build-out

In general, addressing any element of facilities build-out includes budgeting for construction and operation, provision of service based upon normal operations, provision based upon adverse events and subsequent disaster recovery, and provision based upon a roadmap for expansion, growth, and future modernizations. These topics can tailor the design of facility elements such as electrical or HVAC provision, or they can apply to business operations and workflow on an ongoing basis. Size of implementation and budget constraint always delimits a facility's complexity. Small facilities may not need to address many of the concepts addressed herein, but the average corporate, law enforcement, or stand-alone facility will likely address all of them, plus more.

Space Planning Considerations

In conceptualizing the overall layout of a forensic laboratory, attention should be given to at least four functional areas: administrative area, examination space, network facilities, and evidence storage. Figure 1.2 is a simple model of a facilities plan.

Figure 1.2 Forensic Laboratory Environment (diagram showing Network Facility, Administrative Space, Examination Space, and Evidence Storage)

Administrative Area

Administrative space comprises office space for personnel associated with the forensic team (project management, executive staff, investigators, etc.), a general meeting space for internal personnel and clientele, and "privacy" or guest areas. This environment should provide adequate room for team meetings and a comfortable environment for customer-facing activities. The forensic investigation team will likely spend a lion's share of their time in the examination space (often a shared environment with little "personal space"). Consideration should be given to adequate private workspace where individuals can hold confidential conversations, make telephone calls, and engage in general corporate communications.

Examination Environment

The examination space is the "lab proper," that is, all space devoted to the technical and investigative aspects of the forensic examination process. This environment is the home area for all of the technical equipment associated with the examination process and will likely be the functional area of the laboratory in which the forensic technical staff members spend a vast majority of their time. Access to the examination space should be restricted to relevant personnel and traffic to and from the examination space should be logged. Provide plenty of surface area and dedicate significant square footage per investigator (a good starting metric is 100 square feet, or the measure of a 10 x 10-foot office space). Provide significant square footage for the location of forensic equipment (both shared and individual assets).

Evidence Storage

Evidence storage is dedicated storage space existing for the sole purpose of warehousing digital evidence and other evidentiary items. The evidence storage area is the physical embodiment of chain of custody functionality. Evidence storage should be the most secure/demanding environment to access, the most rigorously controlled area for any type of entry/egress/activity, and the most physically segregated area of a forensic build-out. The "evidence locker" must be constructed to defeat forced/unauthorized entry. It should be designed such that its contents survive environmental events. All access to this environment should be controlled with the highest rigor and restricted to key personnel, often to a single Custodian of Evidence. Multiple challenges to entry and identity should be employed.
The evidence storage environment will require, in many cases, customized abatements (such as EMI shielding). A robust information management system should accompany an evidence storage environment: Automated security systems should be in place challenging all accessors and logging all accesses. Inventory should be controlled via both ink-signature and automated electronic management systems. Information management systems employed should have a robust audit methodology that guarantees the completeness and accuracy of the information maintained. Any and all components of the Evidence Storage Facility should ensure that the "who, what, when, where, and why" of every object considered "evidence" is always known and documented.

Network Facilities

This space is the environment in which data network, security, and telecommunications equipment serving the laboratory space resides. Ideally, this space should be protected from compromise to the same degree that evidence storage is protected. The physical elements of data networking and security technology warehousing, transmitting or otherwise accessing evidentiary data materials, or examination process work product should be dedicated and stand-alone infrastructure. This rule applies to data cabling, servers, switches, routers, and any other physical element of the networked technology systems serving the forensic space. Steps should be taken to ensure that any inbound or outward-facing day-to-day business protocols (i.e., corporate e-mail, telephony, Internet access, etc.) provision across a completely separate physical network architecture.

Fire Protection/Suppression

A forensic laboratory, especially a larger facility, requires a well-thought-out fire protection plan. With regard to overall fire code, the local fire marshal can provide specifics regarding local standards and ordinances; if the laboratory is to be built out in preexisting space, the property may have its own supplemental fire protection requirements, especially if the need to tie into existing infrastructure exists. Fires are classified based on the material serving as fuel for the fires. The fire suppression methods employed will generally be determined via understanding cost constraints, habitation zones of personnel, and the technology venue residing in the space. In many ways, the ideal fire suppression system for a forensic facility will model after data center or disaster recovery data co-location facility design plans. Of special concern are Class C fires, which involve both some flammable fuel substrate and the presence of electricity. A new facility will be presented with multiple fire protection options, and the choices made regarding fire suppression implementation can have cost, timeline, and design impact on every other aspect of the build-out. Fire classification varies worldwide with regard to accepted "classes" of fire. In the United States, fire ratings fall into five main classifications.
- Class A: Common (solid) combustibles
- Class B: Liquids and gases
- Class C: Fires involving electricity
- Class D: Combustible metals
- Class K: Cooking fluids/oils

In the forensic laboratory environment, the most common fire classes are likely to be Class A (infrastructure materials) and Class C (electrical fires involving powered-up technology). To protect against a Class A/C hazard, multiple options are available regarding suppression system:

- Water dispersion systems (air-pressurized water systems)
  - Wet pipe system
  - Dry pipe system
  - Preaction system
- Gaseous suppression (clean agents)
  - Inert gas
  - Fluorine compound
- Chemical suppression
  - Foam
  - Dry chemicals

Water Dispersion Systems

The three most common water dispersion system designs are wet pipe, dry pipe, and preaction.

Wet Pipe System

This system employs a piping scheme that maintains a constant water load. This system is generally the most cost-effective and low-maintenance of all fire protection options, but it does have drawbacks in an environment where significant electronics and high technology reside. Inadvertent failure or impact damage means water leaks (small or large). Typically, wet pipe systems are easy to repair and maintain, and they have a fast recovery window after activation.

Dry Pipe System

This system employs a piping scheme that maintains a pressurized air load. The pressurized air holds back liquid flow under normal circumstances. This system relies on deployment (sprinkler) head events to trigger gas release, which then allows water to flow into the pipes as the gas bleeds out. Typically, dry pipes are significantly more expensive than wet pipe systems, taking more hardware to deploy, having a higher space requirement (for the gas storage and pump equipment), and offering the same ultimate drawbacks as wet pipe. Additionally, dry pipe offers maintenance complexities and higher maintenance costs. Dry pipe does offer protection from pipes bursting in cold environments.

Preaction System

Preaction systems are typically the second level of fire protection implementation to be considered in a facility build-out. This system is a modified dry pipe arrangement; the advantage of a preaction system is the use of two triggers to release the liquid suppressant. A valve, typically an electronic valve, acts as the release inhibitor; water is not held back by gas pressurization. The valve will be controlled by a discrete fire sensor (i.e., one that operates independently of any sprinkler heads, etc.).
If the valve releases, the pipes fill with liquid and the system then behaves like wet pipe. A second event must occur at the level of the delivery heads to release water into the environment. Pipe impact damage and head failures offer less threat to the surrounding environment given the fact that the pipes are in a no-load state under normal circumstances. The potential time delay between valve sensor engagement and sprinkler engagement could also benefit the environment, presuming some intervention is able to resolve a sensor-perceived threat prior to head discharge. The cost factor step from wet pipe to preaction pipe can be a significant increase as the size of the planned facility increases. Preaction systems have the increased complexity level and maintenance disadvantages of dry pipe.

Water Damage

Wet pipe, dry pipe, and preaction systems usually utilize water as the liquid suppressant. In any environment where computer equipment, specialized electronics, and especially evidentiary-grade electronic devices are present, due consideration should be given to the potential for water damage to technology and evidence during an event. Another consideration might be secondary Class C electrical fires spawned from a primary suppression event. In any environment that utilizes water dispersion for fire control, thought should be given to "waterproofing" concepts for certain fixtures, such as primary evidence storage. Utilizing a waterproof fire-rated safe inside the evidence locker as the primary storage container for evidence is a good countermeasure against the use of water-based fire suppression systems. A fire-rated, waterproof lockbox storage system is another option for critical-to-survive evidentiary items.

Gaseous Suppression

Gas agent suppression systems, also known as clean agent or total flooding systems, provide a high-end option for laboratory fire control. This class of suppressants functions in one of two ways. One group removes heat faster than it can be generated during combustion, thereby suppressing combustion. The second group depletes oxygen to deprive combustion of oxygen fuels. Gas agent suppression systems offer advantages over water-based systems in that they can achieve total permeability in the environment.
They offer advantages over chemical suppression systems because they tend to leave no chemical residues behind, lowering business recovery costs. A final positive characteristic is that these materials are, in general, nonconductive and they leave no conductive materials behind, making them ideal for areas with electronics. Gas suppression systems can include very complex delivery systems, and the gas storage systems generally have a large footprint. Cost for implementation and maintenance will be high. Total flooding systems tend to require sealed environments for best effect, so other facility costs also increase when this class of system is utilized. Although these suppressants can be used in occupied space, facilities utilizing gaseous suppression should have rapid evacuation capability. Two main classes of gas agents exist: inert gases and fluorine compound gases.

Inert Gas Suppressors

Inert gas suppressors include a number of carbon dioxide, argon, and nitrogen blend gases. Inert gas suppressors are generally oxygen reducers. They tend to displace oxygen and prevent combustion via fuel deprivation. Pure CO2 suppression should never be used for laboratory fire suppression (CO2 suppression makes air completely deoxygenate and it is an active death risk to people). Branded suppressants such as Inergen and Pro-Inert are argon/nitrogen blends that are sold in conjunction with proprietary delivery system deployments. They can be used in populated environments. They decompose into naturally occurring atmospheric gases and they are environmentally friendly.

Fluorine Compound Suppressors

Fluorine compound suppressors are widely utilized and they tend to be used as Halon replacements when Halon systems are upgraded. Fluorine gas suppressors leach heat at a very high rate, acting as a combustion inhibitor. Branded suppressants such as Novec, FM-200, and FE-227 are common examples of suppressors in this class. They can be used in populated environments. They are environmentally friendly.

Chemical Suppression

Moving away from water dispersion and clean agent systems, several options for chemical suppression exist. Most chemical suppression methods require a significant facility investment to implement and significantly increase costs in many other areas of build-out. For instance, hermetically sealed environments may be required when certain area chemical suppression systems are utilized. Both foam and dry chemical suppression systems are available, but both classes tend to be "messy" and inappropriate for a populated environment; such systems are generally not implemented in a data-center-style facility.

Electrical and Power Plant Considerations

Any high-tech facility is going to have an above average power demand to run, cool, and keep stable all of its various technologies. In general, the cost of power provision to a forensic facility will be higher per square foot than in a "regular" corporate environment. In terms of the largest laboratory implementations, stand-alone power generation facilities and stand-by fuel tank resources may be part of the power provision plan; dedicated water provision may also be feasibly within scope for power, HVAC, and even site security.
In the laboratory build-out, three main categories of need should be assessed, and those categories should all be interpreted in light of both day one and growth curve demands: regular facility load, LAN/WAN specific load, and local examiner workspace load.

The first category is the facility load considered during every facility build-out, that is, the electrical demand of all general infrastructure-level technology, including lighting, emergency lighting, HVAC, security systems, automatic doors/windows, audio/visual implementations, telephony and communication systems, corporate equipment, general electrical consumption per employee, and so on. Power provision should be generous and be cognizant of future growth as the built facility reaches 100 percent utilization and eventually physically expands.

The second category is the LAN/WAN load, which in any data center/forensic laboratory setting should be given independent consideration from a power perspective. Approaching the network plant according to data-center-grade power provision and management standards is a good base thought process. Server rooms are generally given special consideration in any build-out, but electrical provision to any network technology needs to recognize that the forensic laboratory will have two fully disparate LAN provisions (a business operations LAN and an examination environment LAN) and that the examination environment LAN will need to be isolated from the general environment in terms of power provision, UPS/generator contingency planning, and so on. The examination environment LAN may also need a more robust failure/DR and redundancy plan with regard to power provision so that it is the first environment to recover from outage and the last environment to degrade. The examination LAN environment should, at a minimum, be equipped with enough primary and secondary power for a structured, intentional safe shutdown, even under the worst external conditions. The components of power provision to the examination LAN (and possibly all power provision) may even require special security and anticompromise considerations, depending on the security level at which the forensic laboratory may operate.

The third category is the examination "local workspace" load. This category applies to the examination space in general and the individual examiner's functional workspaces specifically, giving special consideration to the unusually high power consumption demands per capita the forensic technical team will incur. The average corporate user group may function on a shared 20 amp circuit, powering a single workstation/monitor or laptop and a few small-load items per person. A forensic investigator may well be able to max out a 30 amp circuit powering one investigation's worth of equipment, and that investigator may have numerous technology processes running concurrently in different workspaces.
The examination environment of a mid-size laboratory facility is likely to be "always-on" in terms of power consumption, so both environmental and equipment power consumption in the examination space will draw three times the demand experienced in the administrative portions of the facility. Examination space needs must be assessed in terms of more than raw power consumption as well. The density and number of electrical sockets may need to be much higher in the examination space to account for the number of devices that may be active per square foot or per examination. For example, the task of cloning one hard drive may require the following devices: one forensic workstation (socket #1), the workstation monitor (socket #2), one write blocker (socket #3), one external USB hard disk (socket #4), and the original external evidence hard disk (socket #5). An investigator may have multiple cloning processes ongoing in parallel (which could double or triple the number of needed sockets). The ergonomics of accessing those sockets also needs consideration, favoring ease of accessibility from work surfaces. When this many devices are involved, it is important to consider not only the physical frequency of socket placement, but also the density of circuit provision. It is important to prevent evidence-grade materials from experiencing under-voltage or over-voltage conditions. Significant technical or machine time investments can be lost to a sudden power outage. Consider using a higher rated circuit in the evidence space than would be implemented in a standard corporate environment. Consider dedicated circuits per single work area. Line quality may need to be conditioned to guarantee the best integrity of the evidence hardware items.
Electrical conduits in the walls may need to be shielded to prevent electromagnetic fields from compromising magnetically stored data in the evidence-handling lanes. Transformer placement and other major electrical units need to be carefully placed on the facility plan, shielded as necessary to abate adverse electrical fields, and so on.

LAN/WAN Planning

Modeling the core technology implementation of a forensic environment on data center design is a good starting point regarding the basic requirements for a forensic laboratory technology build-out. Additional consideration needs to be given to the global and personal workspace elements of technology provision explicit to the demands of a data forensic operation. We have already mentioned the need to segregate the examination environment network components from the general corporate network; in addition to the functional separation of services, a number of absolute physical boundaries should also be considered. If corporate and examination hardware is to reside in the same server room, consider a locking cage around the examination architecture or build internal divider walls and place the examination architecture behind a secure door. Severely limit human access levels to physical space. Apply all the same security restrictions and chain-of-custody protocols to the examination architecture as are applied to the evidence room. Consider placing the examination servers and data storage inside the examination laboratory space proper such that all servers, data warehouses, physical cabling, switches/routers, and so on are physically protected by the same security measures restricting laboratory accesses. Route all examination traffic through network switches dedicated to and connected physically to only examination servers and workstations. Don't rely on virtual segregations; deploy physical segregations.
When you are planning the data storage needs for the laboratory facility, emphasize disaster recovery, redundancy, and sustainability concepts. Keep in mind that the facility needs to support large data volumes. A typical small laboratory can encounter terabytes of data on a routine basis. Implementation of data storage for even a moderately sized facility may require an online examination environment data storage capacity of tens or hundreds of terabytes; this architecture will consume a significant footprint in a server room. It will be tied to other high-footprint items such as large tape backup jukeboxes, near-line storage solutions, and so on. Systems will need to be put in place that can handle the overhead required to maintain and preserve these enormous data volumes.

HVAC

Large numbers of computers result in enormous BTU generation (British Thermal Units, a standard measure of heat generation). Perform very conservative calculations when determining how many tons of AC cooling is required for the technology spaces in which large amounts of heat-generating equipment reside. Make certain that cooling calculations are made from the actual equipment purchasing plans and individual device specifications, as opposed to hypothetical estimates. Keep in mind that human bodies also generate BTUs. Consider overcooling maximum capacity by a factor of 2-3x across the total HVAC design. Plan for hardware growth, and factor future hardware purchases when implementing day-one cooling services. Consider fully redundant units in areas that cool the examination environment technology, and make sure either/or can provide for the entire cooling burden for the space in question. Make certain that ventilation requirements are sufficient for the spaces being cooled, and that active and passive returns are located in effective placements. If an advanced fire suppression system is in place that utilizes gas suppression, for instance, provide an active exhaust system to recover the environment once a fire event has been suppressed. Consider the water and coolant provision to any HVAC units that serve various areas; is the pipe work and pump system redundant, and does a failover system exist that guarantees the AC units will continue to be fed water? Are these feed lines protected from compromise? Are the HVAC units serving the examination space to be located over the examination space, or housed elsewhere? Placing HVAC units above the lab space adds security against physical compromise, but also adds adverse risk in the form of potential leakage and water line breakage. Environmental HVAC concerns should include noise abatement measures: An AC unit placed above the examination space may provide positive white noise in certain laboratory designs and unwelcome noise pollution in others.

Abatements

In any environment where mission-critical computing systems and magnetic/tape/optical data storage reside, a number of abatement strategies need to be considered. In the forensic laboratory, most, if not all, of the following should be reviewed during the planning phase and then monitored after build-out is complete.
Temperature

All equipment has a desired temperature operating range. A typical data center will maintain an ambient temperature of 68-70°F. Make sure the overall HVAC system can provide temperature stability within the desired ranges, even during possible HVAC equipment failures. Consider a portable cooling device standby plan. Make certain temperatures are not held at a low point that would encourage electrostatic buildup and discharge in dry air.

Humidity

Install a humidity management system that has the ability to control humidity measure to within +/-1 percent. Humidity control is an important factor in abating electrostatic buildup and discharge. When assessing correct local operating values to maintain, you need to determine standards with respect to specific details regarding tolerances of the equipment to be utilized in the environment and to general factors such as geographic location, elevation, and so on.
Static Electricity

As mentioned previously, temperature and humidity are two major environmental factors to regulate to avoid static electricity concerns. Consider workspace elements such as antistatic flooring and actively dissipative counter surfaces and drawer linings; also, ground all metal furniture to earth. An operation of any size should make liberal use of portable antistatic mats and gloves. Provide antistatic spray to employees wearing charge-generating fabrics.

Electromagnetic Interference

Plan the electrical plant carefully to minimize electromagnetic field generation in any data storage/handling areas. Shield main power plant components such as transformers as required. Consider electromagnetic interference (EMI) shielding in and around the examination laboratory space. Give strong consideration to shielding the evidence locker, at a minimum. Maintain a gauss meter or series of gauss meters in the functional laboratory space, and check them regularly for anomalies. EMI regulation should speak directly to ISO planning and competency levels for any operation that specializes in electronic data handling.

Acoustic Balancing

Ambience abatements are also important in laboratory planning. Many workspaces intentionally pipe white noise into their environments to create acoustic masking for privacy reasons and to prevent an environment from being "too quiet"; a forensic laboratory is very likely to have many acoustically reflective surfaces, necessitating some surface texture applications, baffling, or other acoustically absorptive abatements.

Security

Security is of paramount concern to any forensic operation.
Campus-level access, environment-level access, and object-level access protocols must all be implemented. Video surveillance and live surveillance by internal security are strongly recommended. With regard to general security, the entire facility should have at a minimum a two-challenge system in place such that every entrant will be providing at least one validator at an automated checkpoint (i.e., biometric entry, external security card swipe, etc.) and one other independent manual or automatic validator (sign-in at security desk, internal security card swipes, etc.). Higher levels of access control should be applied to any infrastructure or workspace related to the examination environment or to any other environment in which evidentiary grade materials may be stored or examined. Each access attempt to the examination environment should be challenged by dual-authentication and the access points should be under constant independent monitoring (i.e., cameras and access logging).
Dual authentication refers to a two-factor identification methodology. Two-factor identification presumes that two personal identification factors will be challenged and that both challenges must be answered successfully. Challenge factors fall into the following identification categories:

- Something you are: biometric keys such as a fingerprint or retinal scan
- Something you know: a password, PIN, and so on
- Something you have: a security card, digital token, bingo card, and so on

Dual authentication across two different categories of factors is recommended; two factors drawn from the same category (for example, a password plus a PIN) fall to the same kind of compromise and do not give the independence the method relies on.

A physical sign-in/out log is a useful supplemental tool for physical plant security even if a dual-authentication protocol is in place; an ink-signature audit trail is useful for independent audit of security system performance, and original handwriting can be used to investigate identity during security audit and review phases.

Evidence Locker Security
A good, locking, fire-rated safe in a locked room, coupled with accurate handwritten access logs, may prove sufficient security for a small (e.g., solo-practitioner) environment. Other evidence storage environments implement a shelf-and-cage methodology with a single portal of entry that is key-locked and monitored for access. Depending on the needs of the facility and other factors, such as level of national security, the build-out of an evidence locker can become an expensive and complex endeavor. The main security criteria to fulfill are the following:

- Is access truly restricted to the custodian(s) of evidence?
- Is all access to the evidence locker documented completely and without exception?
- Is all item-level access (i.e., chain of custody) maintained correctly and without exception?
- Does an independent method of audit exist to confirm that the preceding criteria have been met?
Considering security design at the corporate departmental and dedicated facility level, the highest and most restrictive levels of access control should be applied to the evidence storage environment. Dual challenge is mandatory. Access to the evidence storage locker must be extremely limited: only those persons with personal responsibility for evidence integrity should be allowed access. In many environments, a single custodian of evidence is assigned master access, and only that person can execute chain-of-custody check-ins and check-outs from the locker itself. The evidence storage environment should have dedicated security protocols for access to that environment, and all accesses should be logged with 100 percent accuracy. Chain-of-custody procedures on any item entering or exiting this space should be upheld
without fail. Video surveillance of the evidence storage environment is recommended, with cameras on both the entry view and exit view of the door as well as coverage of the storage systems where evidence items are physically stored. An alarm should be in place to expose incursion attempts. The alarm should be robust enough to expose catastrophic entry through ceiling, walls, floor, and so on, as well as unauthorized entry through the main door. The evidence storage environment should have security features built into the infrastructure itself. The walls, floor, and ceiling should be hardened to discourage entry via tunneling or destruction by force; the core construction should have features such as floor-to-ceiling walls (no plenum or raised flooring, therefore no "crawl-over" or "crawl-under" unauthorized access). Fixtures such as fire suppression and air provision should be independently controlled so that adverse events elsewhere in the facility do not cause unwanted effects inside the evidence locker itself. Air ducts need to be too small for human passage and weld-grated to prevent objects from passing. No openings should be left in floor, wall, or ceiling space that could allow unwanted items to be inserted into, or evidence items to be removed from, the space.

General Ambience
As in any other professional space, the general ambience of a data forensic laboratory should be free of major distractions, providing employees an opportunity to work without disruption. The laboratory space should be a low-foot-traffic environment, physically separated from other environments. The examination space should be well lit. The environment should promote personal comfort and positively support both standing tasks in common areas and seated tasks in personal space.

Spatial Ergonomics
A data forensic laboratory will in some ways function like a warehouse operation.
The computer hard disks the forensic examiners examine will often arrive with the rest of the computer in tow; these chassis, monitors, and other associated items will require handling and storage. Monitors, workstations, servers, and other technology packages are often bulky, relatively heavy pieces of equipment. Moving bigger items to and from evidence lockdown, the lifting and bending concerns surrounding transporting such items to workspaces, and temporary rack-system holding areas should all be considered during workspace design. Safety equipment such as lumbar harnesses should be made available to employees expected to perform the physical labor of lifting and carrying. The traffic areas of the lab should be laid out to maximize the safe execution of such tasks. Any work surface and staging area provisions should accommodate heavy vertical lifting concerns.

A Note on "Common Office Technology"
Any evidence-handling facility needs to pay special attention to potential data repositories to guarantee that privileged information stays confidential. A forensic laboratory should widen the scope of such consideration to include common office technologies such as copiers and fax machines. Modern copiers and fax machines commonly store data in memory for long periods, and either device may have a hard disk on board. Maintenance plans for such devices should consider the possibility of privileged information being resident, and security and audit methodology should be applied to guarantee proper handling or destruction of any storage medium's contents.

Personal Workspace Design
Each laboratory inhabitant should be provided a significant amount of operating space. Work surface area should be bountiful, especially digital work surface area (i.e., monitor footprint). Electricity supply should be robust. The personal space of each examiner should be considered a "mini laboratory," and that mini lab should be stocked with all the hardware and software necessary for an examiner to perform common investigative tasks and to maintain the work product. A dedicated investigation platform, a complete kit of write blockers and accessories, a separate system for corporate/business communications, a workspace-level data management system, and a close-at-hand library of reference materials are all desired elements of an active and useful personal investigation workspace.

Common-Area Considerations
Consider providing multiple units of every technology. Multiple sets of write blockers and multiple investigation machines allow several parallel forensic tasks to occur. Design workspaces to a template so that multiple individuals can execute similar tasks concurrently in different workspaces, or so that one individual can rotate between several stations to manage multiple machine-time-intensive tasks. Design work areas to support the execution of multiple tasks with minimal foot traffic.
Deploy sufficient "shared resources" to effectively serve the needs of staff without causing workflow bottlenecks. For example, when scoping DVD production capability, make sure the DVD burning tower has a job scheduling capability, to capitalize on a full 24-hour production cycle regardless of staffed shift availability. Determine how many DVD burning towers are required to fully serve departmental needs: is one large central unit the best choice, or are four smaller units located in different areas the most effective option?

Essential Laboratory Tools
The tools of the trade: essential and specialized technology for both field and laboratory (see Table 1.1).
Note: The author is not attempting to endorse the use of any specific product, or to be exhaustive in the description of capability or utilization of any product listed herein. This chapter hopes simply to expose the reader to a wide selection of readily available hardware and software tools.

Table 1.1 Vendor Reference Matrix

Vendor                          Product Examples                           Web Site
Tableau                         Write block devices                        www.tableau.com
Intelligent Computer Solutions  Hardware, write block devices              www.ics-iq.com
WiebeTech                       Write block devices, hardware              www.wiebetech.com
Digital Intelligence            Write block devices, hardware, software    www.digitalintelligence.com
MyKey Technology                Write block devices                        www.mykeytech.com
Guidance Software               Write block devices, software              www.guidancesoftware.com
Paraben Corporation             Write block devices, hardware, software    www.paraben-forensics.com
Forensic Computers              Hardware, software, systems                www.forensic-computers.com
LogiCube Forensics              Hardware, software                         www.logicubeforensics.com
VOOM Technologies               Hardware                                   www.voomtech.com
DIBS USA                        Hardware, software, systems                www.dibsusa.com
Fernico                         Software/hardware                          www.fernico.com
Primera Technology              Software/hardware                          www.primera.com
Project-A-Phone                 Hardware                                   www.projectaphone.com
Rimage                          Hardware                                   www.rimage.com
Ashby                           Hardware                                   www.ashbyind.com
CopyPro                         Hardware                                   www.copypro.com
Write Blockers
No laboratory or field forensic tool kit would be complete without write block methodology and devices. Prevention of data spoliation (the compromise of data integrity by intentionally or inadvertently altering the state of the data from its "original" form) is a prime directive for forensic examiners. The courts will challenge forensic work product to leverage spoliation concerns; one of the most common attacks on forensic work product focuses on the methodologies employed when handling digital evidence. Was the evidence maintained in an original state? Were the conclusions drawn based on uncompromised materials? Were the proper tools used in the process?

In a vast number of circumstances, when an unprotected writable data device is connected to a computer, it will incur change. Computer boot sequences, volume mounts, and a plethora of other events can modify some component of the evidence data store if it is not explicitly protected from write events. A forensic examination environment, therefore, will host a broad range of methodologies and devices ensuring write block capability (see Figure 1.3).

Figure 1.3 Write Blockers

In certain circumstances, utilizing the proper methodology, it is possible to achieve a no-write status at a software level. Certain Windows Registry edits can protect USB mass storage devices from write events (on Windows XP SP2 and later, a WriteProtect value of 1 under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies); Linux volumes can be mounted read-only, and the underlying block device can additionally be flagged read-only in the kernel. The latter matters because a read-only mount of a journaled filesystem may still replay its journal onto the device, so a mount option alone is not a complete write block. Microsoft DOS and Linux operating systems can both be modified to be forensically sound with regard to data stores, and they can be packaged as a self-contained bootable environment on diskette, CD-R, DVD, thumb drive, and so on. Of course, an investigator implementing these techniques must repeatedly test the methodology and be able to both demonstrate and explain proofs that the methods truly are forensically sound, in order to defeat the inevitable court challenges to the method that will arise.
Hardware write block devices (aka write blockers, forensic bridges) are a flexible, extremely useful, core component of the forensic tool kit. They have the advantages of portability, broad application, ease of use, and ease of function testing. It is a simpler task to visually and conceptually demonstrate the function of a hardware write block device than to explain the esoteric technical specifics of a Linux operating system forensic recompile to a jury of average (and often nontechnical) citizens.

A number of major write block devices are readily available for purchase. Common write block brands include Tableau, WiebeTech, and Intelligent Computer Solutions DriveLock. Digital Intelligence carries the complete line of Tableau products under the brands UltraBlock and FireFly. Guidance Software has FastBloc, based upon WiebeTech firmware. Paraben Corporation vends LockDown. MyKey Technology vends NoWrite. A majority of these write blockers are designed to be portable, allowing them to have equal value on a laboratory bench or in the field. Multiple form factors exist to serve different environmental needs.

Hard-disk technology has multiple interface types (IDE, SATA, SCSI, etc.). Write block technology therefore integrates multiple interface types to attend to the diverse connectivity needs an investigator may encounter. Many write blockers are designed to support the IDE hard-disk interface and will have an adapter/cable kit that allows the device to also support SATA. Tableau has an explicit forensic bridge model for each interface type: SATA (T3u and T15), IDE (T5 and T14), SCSI (T4 and adapter kit), USB (T8), and so on. There are advantages to both design scenarios. USB and FireWire are common interface types utilized to connect external write blockers to examination machines. Most write blockers will be packaged with the appropriate power supplies and cabling to support that device.
Forensic bridges can also be acquired for permanent installation into workstations. Although not portable (unless the entire workstation is portable), the internal forensic bridges usually have the advantage of being space-efficient, often providing several evidence drive interfaces while consuming only one device bay on the workstation. The Tableau T35i Combination Bridge is an example of a permanent-mount device.

Write block technology also exists to support examination of non-hard-disk media. A number of multiformat forensic card readers exist to handle SD, SDHC, xD, MMC, CF, and so on. Examples include the Tableau TDA8-M 12-in-1 reader, the Addonics DigiDrive 12-in-1 Flash Media Reader, and the UltraBlock Forensic Card Reader from Digital Intelligence. In addition to the core write block device, passive format-to-format adapters can be purchased from retail and specialty outlets that adapt a nonsupported card format to a supported card format, further enhancing the interface capability of the multicard readers. (When adapting formats, always test the adapter to ensure that it is indeed a passive, non-change-inducing device.)

Write Block Field Kits
Forensic bridge field kits are an excellent addition to the forensic laboratory inventory. Aside from the obvious (field use), a field kit can be fully functional on an examiner's laboratory desktop, and as such, field kits help reduce inventory purchase costs by minimizing the amount of hardware per examiner required to execute data acquisition and investigation in diverse environments. Field kits tend to be lightweight, ruggedized, designed to meet air transport criteria, and packed with device, adapter, and cabling options to address as many of the "unknowns" of field work as possible. The Digital Intelligence UltraKit and the Ultimate Forensic Write Protection Kits from Forensic Computers are excellent examples of single-package systems; they include a majority of the Tableau devices referenced earlier as well as numerous supporting parts. Field kits also commonly supply a basic multifunction hand tool kit, a bit/driver set, and a digital camera to help support other aspects of field work. A good core field kit can be substantially fleshed out with cabling, adapters, extra devices, and so on to create a very powerful and economical portable laboratory system. Always include redundancy for high-use/fragile components: multiple AC adapters, power cords, and interface cabling units are a must. Convenience items such as the Tableau in-line power switch (T2) add a level of protection to the examination equipment assembly process and help protect against damage to evidence media via pilot error.

One major implementation of write block methodology focuses on protecting original media from change during examination. Another implementation is protecting original media from change during duplication. In many instances, field investigation practices will require the acquisition of data from the wild for later study. This acquisition often occurs via the creation of a forensic duplicate of original evidentiary materials, for transport of the evidence back to a laboratory environment for analysis. In such cases, the need for write blocking will be conjoined to the need for a duplication platform.
Hardware Duplication Platforms
A number of handheld and desktop forensic duplication systems are available. The core functions they provide are write-blocking the original evidence media, performing a data duplication process to secondary media, and measuring the correctness and completeness of the duplication via some measurement criteria (almost always a hash algorithm such as MD5 or SHA-1, or both) to validate that the entire original was duplicated to the forensic copy. Several devices of this class also integrate reporting capability (see Figure 1.4).

Figure 1.4 Hardware Duplication Devices
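The two controls described above, a software-level write block on the source (the Linux side of the earlier Write Blockers discussion) and a hash that proves the duplicate is complete, can be shown end to end in a shell script. The following is an added example written for this section; it is not the book's own procedure and not any vendor's firmware. It assumes Linux with GNU coreutils and util-linux, and every device, image and path name in it is hypothetical.

```shell
#!/bin/sh
# Write-blocked, hash-verified acquisition. Added illustration for this
# chapter; not a procedure from the book or from any vendor named in it.
# Assumes Linux with GNU coreutils (dd, sha256sum, cut) and util-linux
# (blockdev). Device and output paths are hypothetical.
set -eu

# Software write block: set the kernel's read-only flag on the source block
# device and confirm it stuck. Done before any mount attempt, because a
# read-only mount of a journaled filesystem may still replay its journal
# onto the device. A regular file standing in for a device (lab rehearsal)
# has no such flag and is passed through untouched.
write_block() {
    if [ -b "$1" ]; then
        blockdev --setro "$1"
        [ "$(blockdev --getro "$1")" = "1" ] || return 1
    fi
}

# Read-only integrity baseline. The book's devices use MD5 and/or SHA-1;
# SHA-256 is a drop-in replacement with no known collisions.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Bit-for-bit copy. bs=512 equals the sector size, so conv=noerror,sync
# (keep going past a read error and zero-pad that sector so later offsets
# stay aligned) can never change the image length on a whole device. A
# larger bs pads the final partial block, and the hashes below then
# disagree even on a clean read.
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Full workflow. Returns 0 only if the image hash equals the source hash
# taken before imaging AND the source hash taken after imaging is the same,
# i.e. the copy is complete and the acquisition did not spoliate the source.
acquire_and_verify() {
    src=$1
    img=$2
    write_block "$src" || return 1
    pre=$(hash_of "$src")
    acquire "$src" "$img"
    img_hash=$(hash_of "$img")
    post=$(hash_of "$src")
    printf 'source (before) %s\nimage           %s\nsource (after)  %s\n' \
        "$pre" "$img_hash" "$post"
    [ "$pre" = "$img_hash" ] && [ "$pre" = "$post" ]
}

# Usage (as root, device path hypothetical):
#   acquire_and_verify /dev/sdb /evidence/case-0001/disk01.dd
```

The functions accept a regular file in place of a device, so the workflow and its failure modes (such as the padded final sector when the source length is not a multiple of 512) can be rehearsed before it is ever pointed at evidence. The "source hash before equals source hash after" comparison is the proof an examiner is asked for on the stand: not that the method should not have written to the original, but that it did not.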
A number of popular models are readily available. The Logicube Forensic Talon, boasting a data duplication rate of up to 4GB per minute, provides multiple media adapter kits and possesses extensive reporting capability. Intelligent Computer Solutions' ImageMASSter Solo-III forensic duplication device handles several interface types and has the ability to write to two output hard drives concurrently. Voom Technologies' HardCopy II provides a simple interface and handles IDE hard-disk duplication (expandable to SATA duplication with adapters). Voom Technologies also produces a SCSI HardCopy for SCSI platform acquisitions. Some vendors package multiple hardware duplication devices and accessories into a field kit; the DIBS RAID (Rapid Action Imaging Device) is an example. Many of these devices also provide the output options of bit-for-bit duplication, one or more forensic image format acquisitions, and transport media sterilization. Hardware-based duplication platforms tend to have much faster data transfer rates than software-based duplication solutions.

Duplication hardware is a valuable addition to the examiner's toolbox, but duplication tools generally provide no environment in which an examiner can investigate the data being duplicated. Portable forensic computer systems provide an examiner with an investigation environment, expanding the examiner's field capability one step further.

Portable Forensic Systems
When the need to take the entire investigation process into the field arises, a forensic examiner must have access not only to the protective and duplication tools available, but also to fully interactive examination environments. Specialized portable forensic computing systems provide a highly mobile, equipment-intensive, and methodology-sound platform for the forensic examiner.
Complete field examination systems allow the examiner to duplicate digital evidence and analyze that evidence on one robust platform. "By-hand transport" level portable forensic systems will generally be provided in the form of ruggedized, feature-packed laptops or custom "suitcase-style" workstations. A second tier of "portable" forensic systems includes a class of machines and mini networks that are heavily ruggedized for mobility but are not intended for day-to-day high mobility. All of these investigation systems tend to have fast processor capability, copious amounts of memory, and high-volume data storage space. Most will be optimized for running specific forensic software packages. Implementation of multiple operating systems on one workstation is common.

Every examiner will need a personal field kit inventory that is easily manageable for loading/unloading into vehicles and for air travel. High-mobility portable systems are often designed to rely on external field kits, such as the write blocker field kit and supplemental cable and adapter solutions, to make the core system smaller and more transportable. Table 1.2 references a number of such systems and examples of core features.
Table 1.2 Laptop-Style Portable Forensic Solutions

Vendor: Forensic Computers
System: Forensic Air-Lite VI MKIII
Class: Forensic laptop plus external bridge kit
Feature examples: 2GB memory; supplied with write blocker accessory kit; 25-in-1 media card reader; ruggedized hard-shell case; extra external HD storage supplied

Vendor: LogiCube
System: "PFL" Portable Forensics Lab
Class: Forensic laptop plus external duplicator kit
Feature examples: 2GB memory; supplied with a Forensic Talon drive duplicator; bundled with the forensic investigation software suite FTK from AccessData; ruggedized hard-shell case

Vendor: DIBS USA
System: DIBS Mobile Forensic Workstation
Class: Forensic laptop plus external accessories
Feature examples: 1GB memory; supplied with an inkjet printer in a hard-shell case; bundled with preinstalled forensic software including AccessData FTK, CD/DVD analysis tools, and other forensics utilities; digital camera; write block accessories

Vendor: Digital Intelligence
System: FRED-L
Class: Forensic laptop plus external bridge kit
Feature examples: 2GB memory; multiple bootable operating systems onboard; supplied with UltraKit write block kit; forensic card reader; ruggedized hard-shell case

"Workstation-in-a-box"-style computers can offer a few flexibilities to field personnel that may not be available in the laptop-style kits, such as a higher number and/or friendlier form factor of available slots for add-on devices. The suitcase-style workstations often have a detachable monitor/keyboard/mouse set that can be used to work with evidence workstations (presuming those components are not available at the field site) for boot-up procedures such as BIOS checks and verifying proper suspect system reassembly (see Table 1.3).
Table 1.3 Suitcase Workstation-Style Portable Forensic Solutions

Vendor: Forensic Computers
System: Forensic Air-Lite IV MKII
Class: Forensic workstation (suitcase type)
Feature examples: Pentium IV 4.3GHz; 2GB memory; external keyboard and mouse; ruggedized hard-shell case; LCD monitor; upgradeable

Vendor: Digital Intelligence
System: FREDDIE
Class: Forensic workstation (custom design)
Feature examples: 4GB memory; multiple bootable operating systems onboard; two removable hard disk bays; multiple onboard write block formats; supplemental toolbox including hand tools and camera; optional hard-shell case; multiple accessories and several onboard software utilities

Portable Enterprise Systems
In some instances, field portability concerns address the need for a robust, temporary laboratory facility at an examination location. Forensic portability can be extended to "network-in-a-box" solutions; "half-rack" solutions can fill this need. A portable enterprise system will offer core components such as the examination system(s), integrated write block bridges, robust examination hard-disk storage space (multiterabyte RAID-level storage, etc.), and all add-on hardware such as monitors, KVM, and so on, wrapped into one ruggedized cage. This type of portable environment is usually high durability but low mobility, quite weighty, and meant to be transported crated and packed (i.e., with setup and breakdown time) as opposed to the more "plug-and-play" high-mobility equipment (see Table 1.4).
Table 1.4 Digital Intelligence's FRED-M Portable Forensic System

Vendor: Digital Intelligence
System: FRED-M
Class: Forensic environment
Feature examples: Rack-mount enclosure; high-end forensic processing workstation including rack-mount monitor, keyboard, and mouse assembly; networked within enclosure; complete write blocking system onboard; onboard tape backup system; up to 6TB of RAID 5 examination drive space; onboard uninterruptible power supply (UPS); highly customizable

Laboratory Forensic Systems
In many instances, the high-mobility equipment that accompanies the field examiner on excursions can also be utilized on the desktop. Small operations, especially solo practitioners, will find great economy in purchasing their primary gear with both field and desktop implementation in mind. For facilities that can support a permanent lab installation of desktop investigative gear plus field support equipment, numerous "nonportable" investigative powerhouse systems are available. These systems tend to offer all the various field hardware solutions found in portable kits for write blocking and hard-disk management, combined into one desktop chassis. A solo practitioner or cost-conscious operation may find value in a "white box" approach, building a desktop system from scratch to suit specific needs; all-in-one devices such as the Tableau T35i Combination Bridge and Tableau T335 Drive Bay Controller are economical options for implementing multiple write-block and multiple hard-disk solutions in a single chassis. Prebuilt desktop forensic systems (see Table 1.5) will often have the best computing power available at the time of purchase (portable technology historically tends to lag behind desktop technology in terms of "bigger-better-faster-more").
Table 1.5 Desktop Forensic Systems

Vendor: DIBS USA
System: DIBS Advanced Forensic Workstation
Class: Forensic full-tower desktop plus accessories
Feature examples: 1GB memory; Pentium 4 processor; one operating system hard drive and one removable hard-drive bay; multiple forensic applications installed; onboard write block capability; external supplemental USB drive bay; DVD writer; custom search engine software

Vendor: Digital Intelligence
System: FRED
Class: Forensic full-tower desktop plus accessories
Feature examples: 4GB memory; dual core processor; onboard write block capability; dual RAID-capable SATA drive controllers; multiple removable hard disk bays; onboard forensic card reader; optional tape backup system; optional 2TB RAID 5 subsystem; supplemental toolbox including hand tools, camera, and adapter kits; multiple bootable operating systems; onboard SCSI controller

Vendor: Forensic Computers
System: Original Forensic Tower II
Class: Forensic full-tower desktop plus write blocker field kit plus accessories
Feature examples: 2GB memory; dual core processor; multiple external device bays including Tableau T335 forensic bay controller, two read-only hard-disk bays, one writable hard-disk bay, DVD writer; supplemental write blocker field kit; onboard SCSI controller; upgradeable; optional forensic examination software preloads available

Vendor: Forensic Computers
System: Forensic Tower II
Class: Forensic full-tower desktop plus write blocker field kit plus accessories
Feature examples: 4GB memory; dual core processor; multiple external device bays including Tableau T335 forensic bay controller, two read-only hard-disk bays, one writable hard-disk bay, DVD writer; supplemental write blocker field kit; onboard SCSI controller; available expansion slots for add-ons; optional forensic examination software preloads available; upgradeable

When you are choosing the specifications for a desktop laboratory processing system, always target the fastest processing, largest memory allocation, and largest possible hard-disk volume available at the time of purchase, subject to any budget constraints. Hardware ages quickly, and maximizing the processing capability of new systems at the point of purchase maximizes the useful lifespan of the equipment. Given the process-intensive needs of most forensic software application suites, a fast, powerful CPU and a large amount of RAM are critical.

Typical data storage space requirements for the forensic examiner are astronomical. As of this writing, a single hard disk of 1TB is readily available in the retail consumer marketplace, and a 1TB hard disk is commonly available in home and corporate computers at point of sale. Encountering hard disks of 500GB or 750GB is commonplace. Current prebuilt forensic systems offer base storage of 2-6TB per system. Make maximizing storage space a priority, and consider the relatively short span of any volume's sufficiency when allocating resources to acquire forensic computing equipment. Evaluate hardware-level redundancies and robust backup systems for managing data volumes of this size. Provide considerable monitor real estate.
Forensic examiners have to visualize enormous amounts of data during an examination, and the viewable area of the monitors upon which they work can have a notable impact on investigation speed and efficiency. Many forensic systems are sold with dual-head video cards, such that two or four monitors may be attached to one system. Large (22- to 30-inch) flat-panel monitors are space-efficient, readily available, and reasonably priced.

The ability to operate under multiple operating systems is greatly desired. The forensic examiner will use both cutting-edge and "old-school" investigation tools, requiring multiple operating systems to support those tools. From an investigative standpoint, the investigator will routinely analyze evidence derived from (and will therefore require access to) multiple operating system environments. Provision of multiple operating systems extends across version levels (such as multiboot options for Microsoft DOS 6.22, Windows 98 SE, Windows 2000, and Windows XP) and platforms (Windows and Linux boot options). The more powerful prebuilt forensic systems will provide four or more bootable operating systems.

Media Sterilization Systems
Spoliation challenges to evidence integrity include challenges to the duplicate evidence copy; often an argument will be made that the evidence could have experienced spoliation due to data artifacts preexisting on the hard drive used as the duplication destination. To help prevent questions of this type from arising, a solid policy for work product media sterilization should be in place for any forensic practice. Any hard drive to be utilized as a substrate for an evidence duplicate should be sterilized prior to use and documented as sterile. Furthermore, the sterile state of such media should be validated by some post-sterilization procedure. Some forensic hardware and software duplication tools sterilize in conjunction with data acquisition by hash-validating written sectors and subsequently zeroing out all other writable space: they validate the acquired evidence data stream via hash methodology, then "wipe" any remaining writable data space to a random or zero value via data overwrite methods. Relying on this process is more complicated from an "explain-to-jury" standpoint than confirming all new substrate media as clean and viable for use, prior to use. Software solutions such as Guidance Software's EnCase forensic examination suite include the capability to sterilize and subsequently validate hard-disk media; retail products such as WhiteCanyon Software's WipeDrive (www.whitecanyon.com) can destroy data according to a number of data overwrite patterns. (Many retail "drive wiping" programs are ineffective at complete data destruction.
If any software data destruction method is utilized, make certain to test results and validate any destruction attempts case by case.) Hardware sterilization devices exist that can bulk-overwrite hard disk media. If any evidentiary or sensitive data needs destruction after its value expires, a sterilization process and validation process should be applied to the media to destroy data. Both hardware and software sterilization tools exist that can destroy data. A forensic laboratory environment will often need to demonstrate adherence to commonly accepted practice. Data destruction practices are no exception. One of the most popular courtroom attacks on digital evidence centers around spoliation; it behooves a forensic practice to not only practice good methods but also adopt commonly defined "industry standard" practices with regard to work product media consumption. Although an argument can be made that no truly "industry-standard" defi- nition for data destruction exists, several published standards do serve as common reference materials for most forensic practitioners on the topic of data destruction practices. By far the most referenced document is Department of Defense (DoD) 5220.22-M. Commercial practices especially, in order to lend market credence to their vended product, will claim adherence to "DoD grade" destruction practices. This document, reissued in February 2006 as the NISPOM ("National Industrial Security Program Operating Manual"), is, in its current incarnation, a high-level document and it does not speak to actual technical specifics of 45 www.syngress.com
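A sterilize-then-validate routine for destination media, added here as an example and not taken from the study guide, EnCase or WipeDrive; it runs against a constructed image file so it can be exercised offline, and the function names and the fields of the documentation record are my own choices.

```python
"""Sterilize a destination medium, then validate and document the result.

Added example, not from the CHFI study guide or any vendor tool. It works
on an image file created in a temporary directory; on real hardware the
same two steps would be applied to the block device path (an assumption,
and something to do only on a drive that is verifiably not evidence).
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write buffer


def sterilize(path: str, fill: int = 0x00) -> int:
    """Overwrite every byte of *path* with the byte *fill* and flush to disk.

    Single-pass zero fill, the simplest of the overwrite patterns the page
    mentions. Returns the number of bytes written.
    """
    size = os.path.getsize(path)
    block = bytes([fill]) * CHUNK
    written = 0
    with open(path, "r+b") as fh:
        while written < size:
            n = min(CHUNK, size - written)
            fh.write(block[:n])
            written += n
        fh.flush()
        os.fsync(fh.fileno())  # make sure the overwrite actually reached the medium
    return written


def validate_sterile(path: str, fill: int = 0x00) -> dict:
    """Read the whole medium back and confirm it contains only *fill* bytes.

    The read-back (not the write) is what proves sterility. Returns a record
    for the case file: size, SHA-256 of the medium as read, a sterile flag and
    the offset of the first non-conforming byte (None when clean).
    """
    digest = hashlib.sha256()
    offset = 0
    first_bad = None
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            if first_bad is None:
                expected = bytes([fill]) * len(chunk)
                if chunk != expected:
                    # locate the first differing byte for the report
                    first_bad = offset + next(
                        i for i, b in enumerate(chunk) if b != fill)
            offset += len(chunk)
    return {
        "path": path,
        "size": offset,
        "sha256": digest.hexdigest(),
        "sterile": first_bad is None,
        "first_nonconforming_offset": first_bad,
    }


def expected_sterile_hash(size: int, fill: int = 0x00) -> str:
    """SHA-256 a medium of *size* bytes must have if it holds only *fill*.

    Computing this independently lets the validation hash be compared against
    a value recorded before the drive was ever touched.
    """
    digest = hashlib.sha256()
    block = bytes([fill]) * CHUNK
    while size > 0:
        n = min(CHUNK, size)
        digest.update(block[:n])
        size -= n
    return digest.hexdigest()


def demo() -> tuple:
    """Constructed walkthrough: a small 'drive' holding leftover artifacts."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as fh:  # constructed preexisting data, not real evidence
            fh.write(b"\x00" * 4096)
            fh.write(b"leftover artifact from prior case")
            fh.write(b"\xff" * (3 * CHUNK))
        before = validate_sterile(path)   # should fail: artifacts present
        sterilize(path)
        after = validate_sterile(path)    # should pass and match the expected hash
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    pre, post = demo()
    print("before:", pre["sterile"], "first bad offset", pre["first_nonconforming_offset"])
    print("after: ", post["sterile"], post["sha256"])
```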
  • 55. Another Random Document on Scribd Without Any Related Topics
  • 56. civilization. Were it not for the Boer's inclination to trek, however, it is possible there would be no gold mines on the Rand or diamond fields in Kimberley. His battles with the native tribes and his sufferings and hardships will never be lost sight of as the factors through which the white man was enabled to live in that section of "Darkest Africa." CHAPTER VI We take our departure from the Transvaal and make a start for Victoria Falls, in Rhodesia, also British territory. Traveling some 300 miles out of a direct line, through Fourteen Streams, to Vryburg, on to Mafeking, finds us nearly opposite the place started from, but headed in the right direction. A gap of 40 miles from Zeerust to the main line has since been closed, which makes the trip from Johannesburg to Bulawayo much shorter. Two trains a week care for all the business over that stretch of native territory. From Fourteen Streams, which is only a railway junction, we start northward over the treeless veld on our way to Rhodesia, 700 miles beyond. Vryburg is the next place reached where white people live, and most of the 3,000 inhabitants are engaged in business connected with farming. Nearly a hundred miles further Mafeking was reached, which has been made historical in virtue of the seven- months' siege of Britishers during the Boer War. It is located near the Transvaal border, and is a trading center for the western Transvaal. Railway car shops are located at Mafeking, and these and the trading industries give employment to its 3,000 inhabitants. An hour's ride further, and we have crossed the Cape Colony- Bechuanaland Protectorate border line. Northward from that point we pass through what seems an uninhabited country, so far as white people are concerned. A railway station is built here and there along
  • 57. the line, where a few Europeans may be seen; but the country is wild and populated with natives. Were one to go to sleep for six or eight hours, upon waking up he would not know that he had moved a mile, so far as any change in the appearance of the landscape would indicate. At a few stations signs of industry were in evidence, bags of corn being piled along the track. Natives with karosses (skins of wild beasts) and native-made souvenirs surrounded the train when stops were made, spreading their wares on the ground and holding the objects of native handicraft to the gaze of the passengers. The natives' souvenirs were the images of giraffes, elephants, lions, tigers, storks and other animals cut out of wood and painted or dyed black, but many of the imitations were far from good. Splendid karosses are bought cheap along the line. One can have his choice of a lion, tiger, hyena, jackal, wildcat, monkey and baboon, and sometimes a giraffe. Many are as large as a buffalo robe. "How much!" shouted a splendid specimen of a Bechuana woman, in the native language, as she held her naked pickaninny over her head —laughing heartily at the same time—at a place where the train had stopped and where natives and karosses were numerous. Passengers were bartering and haggling with the natives over the price of karosses, and others were ambitious to sell their souvenirs. The black mother had imbibed the "shopping" spirit, when she jocularly offered her babe for sale. "Half a crown!" (60 cents) shouted a passenger. With that offer the semi-barbarous mother quickly brought her pickaninny to her bosom, threw her arms about the little one and gave it such a hug that the baby's eyes bulged, she laughing so heartily the while as if to split her sides. Still traveling toward the heart of Africa, we reach Mochudi and the Kalahari Desert, the eastern fringe of which we traverse, a distance of 200 miles. 
The dust had become so thick in this stretch of the journey that the color of the passengers' clothes could not be detected. All the way along from Mafeking I could not keep from my
  • 58. mind the Americanism, "It's a great country, where nobody lives and dogs bark at strangers." When the train stopped at Mahalapye we entered what is known as Khama's country. The course of the railroad is nearly on the line taken by David Livingstone, the explorer. When Livingstone and his band passed through that section of Africa, the grandfather of the reigning chief offered every hospitality to the explorer, and espoused the Christian religion. Chief Khama, the grandson, is the most important ruler of Bechuanaland, and has spent some time in Europe; he conforms largely to European customs. Besides being a strict disciplinarian, he forbids the sale of liquor to his people. He receives a pension from the English Government. Serowe, Khama's capital, located 30 miles inland from Palapye Road station, is the largest town in Bechuanaland, having a population of 40,000. His subjects pay the smallest head tax of any of the tribes in South Africa. We were passing through a country about which the wildebeeste, gemsbuck, eland, tiger, lion, and even the giraffe, still roam. Along the railway may be seen the secretary bird, guinea fowl and also handsome cranes. The secretary bird, so named from feathers growing at the back of the head, which look like quill pens, is what is known as "royal game." "Royal game" are beasts or fowl that must not be killed. The reason the secretary bird is protected is because it is a bitter foe to snakes. Snatching a snake in the middle with his bill, he at once begins to fly upward with the reptile, and when at a certain height will let go his prey. The snake, when he strikes the earth, is killed. White traders are located through these desolate tracts of country, sometimes a hundred miles from a railway. Little cash changes hands between natives and traders in out-of-the-way districts. 
For his skins and corn, or whatever the native may have to sell, he receives as pay bright-colored calico, Jew's-harps, concertinas, mouth organs, tinware and such things.
  • 59. Passing out of Khama's country we enter a territory known as the Tati Concessions. Traversing this tract, we crossed the northern boundary of Bechuanaland a few miles south of Plumtree, when we were in Matabeleland, Rhodesia. In this section Lobengula, the Matabele king, held undisputed sway until Cecil Rhodes decided to annex this part of Africa to England's possessions. What Andries Pretorius did to Dingaan at Blood River—broke forever the power of the Zulus—Cecil Rhodes did with the powerful Lobengula in Matabeleland. We passed within ten miles of the Matopo Hills, on the top of which is buried Cecil John Rhodes, "the Colossus of South Africa," as he was termed. Whatever shortcomings Rhodes may have possessed, or the means he resorted to to attain his ambition, one of his virtues will always remain unquestioned—bravery. He wished his remains to rest where his greatest feat of daring took place. It was during the rebellion of the Matabeles in 1896-97 that Rhodes, unarmed, with a friend accompanying him, walked up the Matopos through the files of the warring hordes of blacks to where their chiefs were stationed. His cool bravery and personal magnetism so impressed the chiefs that the rebellion ceased. "Here lie the remains of Cecil John Rhodes" is the brief inscription carved on a granite slab that covers his grave, which was chiseled out of a solid rock on the highest of the Matopo Hills. "World's View" is the name Rhodes gave the place where he is buried. It is located 30 miles southeast of Bulawayo. Bulawayo, meaning in English "the place of killing," is located in the heart of wildest Africa. We find here splendid streets, as wide as those of Salt Lake City, fringed with trees, with monuments erected at convenient places in the center; a good public library, containing 5,000 volumes; hospitals, parks, a botanical garden, zoölogical park, museum and art gallery, schools, churches, business buildings, daily newspapers—all of a high order. 
Bulawayo, nearly 1,400 miles from Capetown, has a population of 5,000 whites. It is the largest town of Matabeleland, the center of the gold mining industry, and has had
  • 60. railway connection with the Transvaal since 1897. Only four years earlier Lobengula's Kraal occupied the land that Bulawayo is built on. It required the sacrifice of many lives of hardy frontiersman to conquer the Matabeles, and to pave the way for the accession of Matabeleland, Mashonaland, Barotseland and the other sections that comprise Rhodesia. Industries in Bulawayo are few and small. In this respect, however, it is no different than most African towns. But located in the country away from the metropolis are numerous gold mines, and Bulawayo is headquarters for that industry. The annual output from these mines run from $12,000,000 to $15,000,000. We find in this place the typical frontiersmen. This feature of the country is reflected from its founder, as Rhodes was not a "toff." Every one goes in his shirtsleeves, and derby hats are not sold in Bulawayo. Soft, wide-brimmed hats, like those worn by the Boers, rule the day. One occasionally sees the butt of a revolver sticking out of a hip pocket or at the side of a belt, and hunting knives, incased in a sheath, are carried by almost every one, particularly on leaving town. A rifle strapped over the shoulder of men coming in from country districts is a common thing to see. Lions and tigers are so numerous in Rhodesia that weapons are carried to protect one's-self from any attack that might be made by the wild beasts. Still, under these "trouble-making" conditions, we find maintained that same respect for law and order that was so noticeable in other parts. A native word—"indaba"—much in use in Rhodesia, is often used in South Africa. When the chiefs met to talk over matters pertaining to their tribe—a native cabinet meeting—the meeting would be termed an "indaba." When Cecil Rhodes was engaged in dissuading the Matabele chiefs on the Matopo hill to discontinue the rebellion, the meeting of the "great white chief" with the native chiefs was termed an "indaba." 
In the grounds of Government House stands what is known as the "Indaba Tree." The residence of the Governor-General is built on the
  • 61. site of Lobengula's home, and it was under this tree that the rulers of the Matabele tribe assembled and dispensed native justice. Though the altitude of Matabeleland is about 5,000 feet, the weather is warmer in winter than it is in the Transvaal. Mention has been made of "salted" cattle in South Africa. The only people who can live in most parts of Rhodesia are "salted" men. If the inhabitants are so fortunate as to take on a few pounds of flesh at certain seasons, they lose that much, and generally more, from fever and ague at another season. Among the creditable buildings mentioned of Bulawayo was included "good hospitals." Wherever hospitals are seen frequently, particularly in small settlements, one is using sound judgment if he makes his escape from that place early, as otherwise he will soon be personally familiar with the interior of these institutions. Wherever hospital facilities of a small community are of the first order, one finds a graveyard out of all proportion to the number of people who live in the place. A hen with a brood of chicks was crossing a sidewalk in Bulawayo, and each chick had its head drawn back between its wings. They were so slow getting across the walk that one had to step over them—stepping over chunks of fever, as it were. Rhodesia is a trap in which many poor men get caught. The riches of the country are much advertised in England, and those who come out and buy land soon find that their limited means are gone, and they are practically stranded. Both Rhodesia and South Africa are countries only for men with capital. The railway branches in two directions from Bulawayo—one easterly to Salisbury and out to Beira, Portuguese East Africa, the latter place being the port for Rhodesia; and northwesterly to Victoria Falls, and from that point 300 miles northward toward the southern border of the Congo Free State. This branch is what is known as the Cape-to- Cairo route.
  • 62. We will start for the Falls. Fifty miles from Bulawayo we left the plains and passed through a forest of teak trees. Further on, growing palms indicated a warmer climate. "Thirteen years ago," said a traveling companion, who was a trader in these parts, "fourteen of us came up to Rhodesia. None was over 25 years of age. I'm the only one left out of the fourteen," he concluded. Asked what had taken off his companions, he answered: "One was killed by a lion, and the others died of fever." Ho! a smokestack is in view. We have reached Wankie, a coal mining district, and a rich one, too, for the mineral may be seen cropping out of the ground on each side of the track. A big hospital is observed, situated on a hill, which bears the usual significance in Rhodesia. "Do you see that low, white cloud to the right?" asked a passenger. "That's the spray from Victoria Falls. We have several miles yet to go before we reach the bridge," he added. We had traveled 1,200 miles from Johannesburg to this place, the journey taking three days. Recklessness, rather than good judgment, marked my course, for railroad fare from and back to Johannesburg tapped my purse for $100. Expenses on the train had increased also, as the cheapest meal from Mafeking north was 60 cents, and the next cheapest 75 cents. But to one whose mind inclines to seeing the acme of nature's handicraft, promptings of this character outweigh financial considerations. Hotel accommodation at Victoria Falls was correspondingly high—$5 a day. One has no choice, as there is but a single hotel there, which is the property of the railroad company. Aside from the hotel, a photographer's studio and a few houses comprise all there is in the way of buildings in Victoria Falls. Some of the Boers who took part in the Great Trek from Capetown north in 1835-38 did not stop long in what later became the Transvaal, but kept trekking, until they reached the Zambezi River. 
Most of these voortrekkers, however, were massacred by Matabeles.
  • 63. This occurred from ten to fifteen years earlier than Livingstone's visit. But it fell to David Livingstone to make known to the world the greatest of waterfalls, on which he first set eyes in November, 1855. For a distance of seven miles above the falls the river is dotted with evergreen islands. Through this archipelago the waters of the Zambezi slowly run, giving no intimation of what is taking place several miles below. On these islands hippopotami feed when inclination prompts, and crocodiles sun themselves and sleep when they choose land to water rest. Two islands—Livingstone and Cataract—are located at the edge of the precipice, which accounts for Victoria Falls being of three parts, namely: Rainbow, Main and Cataract Falls. The distance from one side of the river to the other here is over a mile—5,808 feet, to be correct. The water, unlike that of Niagara, is of a dark, sallow color, but not muddy, and the falls are straight, instead of horseshoe shape. Stealthily the water moves over the wide ledge of rock, when its dull, lifeless color in the archipelago now assumes a much brighter shade. Save for two dark panels of unwatered space, made by two green islands just above, there unfolds before the visitor's eye what seems a mile-wide mantle of amber-colored, gauze-like lace. Myriads of water crystals dart from the broad flow's filmy web and, jewel- like, embellish the absorbing water spread for a depth of 380 feet. Also rainbows revel in still further enhancing this crowning masterpiece of art—these, in beautifying, sharing a radiant part—the bars of iris, of lustrous, engrossing hues, burnishing the peerless tri- falls' breast, as the veil-like flow descends in brilliant, multi-colored, wavy folds from its smooth, extended crest to the roaring, misty maw below. Clouds of spray, which may be seen 15 miles away, rise to a height of 2,000 feet from the boiling abyss, and the thunderous roar made by the impact of the waters is heard 12 miles beyond. 
A parallel wall rises in front of the precipice over which the water flows. A space varying from 80 to 240 feet separates the two. Into
  • 64. this narrow chasm 5,000,000 gallons of water a minute dash from a height of 380 feet, and one may imagine what pandemonium is taking place all the time in the great vault. For three-quarters of a mile the second, or parallel, wall, runs westward, unbroken. Then there is a break of something like 200 feet in width, that looks as if it had been gnarled out not only by water, but that even some other powerful agency had taken part in making this cleavage. The wall rises again to its full height and maintains a solid, unbroken front for a quarter of a mile further to Cataract Falls, at the west bank of the river. The water from Rainbow Falls, at the east bank, and from Main Falls, in the center of the river, runs westward to the 200-foot gap in the parallel wall, and the water from Cataract Falls runs eastward and, boiling and foaming, intermixes with the other waters and flows through the same opening. One may form an idea of the great depth of water at the narrow outlet when it is borne in mind that this vast quantity, falling over a ledge of rock a mile wide, finds its way out of the huge rock tank through that narrow channel.
  • 65. Victoria Falls. Zambezi Bridge and Gorge Below Falls. Note.—The parallel wall against which the flow dashes is equal in height to the precipice over which the water passes, the picture being drawn with a view of affording a clearer conception of Victoria's wide descent.
  • 66. After the water storms through the 200-foot wide channel the torrent travels several hundred feet, when it flows under the Zambezi railway bridge, 450 feet above. On it turbulently runs, the water befoamed, through high, perpendicular walls of basaltic rock for over a mile. The rocky banks then decrease, but the course of the river remains rugged and tortuous for a distance of 40 miles. Vegetation growing about the falls, particularly palm trees, adds much attractiveness to the environment. The absence of improvements—save for the bridge, together with grass-thatched native huts showing dimly through the vegetation on the banks; the evergreen islands; the stillness of the water before making its plunge, contrasted with the wild-appearing, rugged, high, rocky walls below and the foaming and billowy torrent as it dashes madly through the narrow gorge—make Victoria, like other great works of nature, distinctive in formation from other notable waterfalls. Summing up the comparative grandeur and greatness of Niagara and Victoria Falls, most persons who have seen both would decide, I believe, that Niagara Falls is the more beautiful and Victoria the greater. In this connection one has only to compare the grand crescent of sky-blue water of Niagara with the dull color of Victoria Falls, the water of Niagara, after plunging over an unbroken stretch of rock ledge into a roomy, circular-shaped basin, assuming its true blue color, with the gradual narrowing of the banks to the Gorge; contrast Niagara's broad, sweeping, unconfined character with the water of the Zambezi, hemmed in from view in tank-like walls after passing over the falls, and then prevented from making a good showing, as it were, by a continuation of similar walls for a distance of 40 miles. The bridge across the Zambezi River is a pretty one, with a single span of 610 feet, and was constructed by an American firm. 
Cecil Rhodes instructed the builders to erect it where it now stands, "so that it would always be wet by spray from the falls."
  • 67. Nature's fickleness, a trait disclosed in choosing remote regions for some of her noted wonders, entailing, as it does, long journeys, fatigue and much expense to reach, is conspicuous by her placing Victoria in a country hemmed in on the west by Angola and German West Africa, north by the Belgian Congo, northeast by German East Africa, east by Portuguese East Africa, and south by Bechuanaland and the Transvaal. The shortest time in which a journey could be made from an American port to these falls is about five weeks. Landing at Capetown, four days' travel, on a slow train, mostly over a dry and dusty country, must be undergone to reach that point, when Victoria Falls is viewed in all its sublimity, located in a wild, interesting, but fever-ridden, section of Rhodesia, where only a handful of languid white persons live, and on a continent where the superior race number less than a million and a half. It is dangerous to cross the Zambezi River in a rowboat, the river being infested with crocodiles, which grow from 12 to 16 feet long. The hippopotamus, though, starts the trouble. He hides just under the water, and nothing can be seen of the beast until a boat is on top of him. Then he rises, overturning the boat. "Hippo" will not harm a person in the water; but crocodiles are generally found close to a hippopotamus, and the former are always hungry. As soon as the unfortunate occupants of a boat have been dumped overboard there is a swirl of water close by, another farther off, yet more disturbed water, when long, dull colored shapes come lashing swiftly up. The poor swimmers disappear, the muddy water reddens for a short time, and then becomes sallow colored again. To the Barotse native the crocodile is a sacred animal, and, as he will not harm the voracious beasts, deaths of both natives and Europeans by crocodiles occur frequently in this part of Rhodesia. 
The Zambezi River rises in West Portuguese Africa and empties into the Indian Ocean at Chinde, Portuguese East Africa, about a thousand miles from its source. Beer and whiskey are drunk a great deal in that part of Rhodesia, and almost every one takes quinine to allay fever. No one would
  • 68. dare take a drink of water were it not boiled. "Knocking around" is a term much in use in Rhodesia. "Have you seen John Smith knocking around?" "Is there a boat knocking around?" "Are there lions knocking around here?" are common instances in which the term is used. Tigers are so numerous about Victoria Falls that they rob hen roosts, and even climb through pantry windows and take away what eatables are handy. Vegetation in these parts is interesting to visitors, as all the bushes and trees are strange to those coming from foreign places. Nearly every tree or shrub produces its seed in the form of a pod, like beans. Thorn prongs, as sharp as needles and two and three inches in length, grow on some trees. The cream-of-tartar tree, however, will interest a visitor more. This one grows very large, and the bark is the color of a hippopotamus' skin. In fact, the bark of all trees has a dark color. The pod of the cream-of-tartar is the shape of a cucumber and 10 to 12 inches long. The shell is very hard, but, when broken open, if ripe, the substance in the pod is white, and separates from the fibers in the form of sugar cubes. The natives eat it. One cream-of-tartar tree seen close to the falls measured 22 feet in diameter. A very good tribe of natives is found in that part of Rhodesia—the Barotse. At a kraal visited, several of the sightseers asked a native for a drink of native beer. The liquid was brought in a large calabash, and the drinking cup was the bowled-out end of a small calabash. Before the native served the beer he poured out some of the brew in the hollow of his hand and drank it. Then he tilted the vegetable demijohn, when the beer was poured into the cup for the Europeans. The reason of the Barotse sampling the beer first was to allay any suspicion his white visitors might entertain concerning its genuineness.
  • 69. Natives' musical instruments are a one-string fiddle, a skin drum, and a little wooden frame containing three and four pieces of steel a quarter of an inch in width and four inches in length. This last is called a "piano." The small strips of steel are fastened at one end of the frame. By touching these with the fingers a faint musical sound is produced. For hours at a time a husky native keeps playing the "piano," happy in the thought that he is an accomplished pianist. Lewanika is the head chief of the Barotse tribe. Native wives are much cheaper in Barotseland than in Zululand, prices ranging from two sheep to ten cows. Should the wife leave her husband—elope, for instance—the girl's father must return the sheep or cows to the deserted husband. North of the Zambezi River the territory is known as Northwestern Rhodesia, and also Barotseland. Seven miles from Victoria Falls is located Livingstone, the capital of Northwestern Rhodesia. Here, right in the heart of one of the fever regions of Africa, one finds small but substantial provincial buildings, a good, roomy hotel, an up-to-date printing office, and a small but interesting botanical garden. Malarial, or African, fever is very bad at Livingstone. Horses and cattle cannot live in this part of Rhodesia unless they are well "salted." Everything must be "salted," both man and beast. Transport riders, when taking a load of provisions to traders or to mining camps located far from the railway, are provided with extra oxen. Lions are so numerous it frequently occurs that an ox is found in the morning dead and partly eaten, the work of Leo during the night while the cattle were resting or grazing. It is said the vital part of the cattle where the lion makes his attack is the nose. In a second the beast is thrown, and it is but a matter of a few minutes when the lion will have his prey dead and badly torn. The tsetse fly is in his own bailiwick in these parts. 
This fly is one of the worst plagues of Central Africa. In size, this insect is as large as a bumblebee, and when he bites he draws blood, whether it be man
  • 70. or beast. It is said the deadly virus he injects is extracted from the bodies of big wild game. Nagana is the name of the disease caused by the tsetse-fly bite. The scientific name for this fly is rather prosy— Glossina morsitans; also for a first cousin, whose bite likewise caused nagana disease, Glossina allidipes. Mail must be carried to the interior by immune native runners, as a bite from these flies means a very short life for a horse. Deaths from sleeping sickness have occurred in this section of Africa. Machillas are the means of transportation by which people are carried from place to place. The machilla is a long pole, with the ends of a piece of canvas made fast, over which a cover is stretched. The ends of the pole rest on the shoulders of four natives—eight in all—who run along at a good gait, with their passengers in the hammock-like device, until they reach a relay station—at intervals of about five miles—when a fresh "team" of natives take up the machilla and are off again at a good trot. The European population of this large tract of land is said to be only 30,000, blacks numbering 150 to one white person—and it is doubtful if that number will ever be greater, for the large graveyards with numerous fresh mounds of dirt are becoming better known through the receipt of mail by friends living in countries of the North sent by cadaverous, shaking relatives dying in the fever glades of Rhodesia. From Livingstone, 1,650 miles north of Capetown, the projected Cape-to-Cairo line extends 300 miles further, to Broken Hill, where it stops. The route from here is to the southern borderline of the Belgian Congo, thence through that country, crossing the equator, until Uganda is reached. From Uganda it will traverse the Soudan, running thence into southern Egypt. At a point in this country the line will connect with a tongue extending southward from Cairo, the northern terminus. 
When the center has been linked, the length of the line from Capetown, the southern terminus, to Cairo, will be about 5,000 miles.
  • 71. Returning to Johannesburg, we passed through Bulawayo, then over the Matabeleland borderline into Bechuanaland, through the Kalahari Desert, next into Cape Colony, and thus into Boerland. Perhaps the prettiest and most shapely mountains in the world are those in South Africa. Though not so high as those in other countries, their shapeliness attracts, most of them bearded with brush at bases and sides, the tops being round and grassy. With the deep blue sky above—the sun nearly always shining on the high veld, except during a shower of rain—and the same colored horizon all round, together with the rays from a bright sun lavishly diffusing the summits, there is a tone and finish to Boerland mountains which, in other countries, rocks, snow and timber do not bestow. The highest mountain is Mount Aux Sources, rising 10,000 feet, located in the Drakensburg range. CHAPTER VII From the Gold City we traveled southward to the Diamond City. "You haven't been in town long?" a Kimberley policeman addressing me, remarked, as he stepped in front. As a matter of fact, I had only got about a hundred yards from the railway station. I surmised that I had been taken for an "I. D. B." (illicit diamond buyer), having been told a bird can scarcely alight in Kimberley without coming under police surveillance. "We're from the same country, I believe," the officer continued, when I felt easier. "My native town is St. Louis," he added. "Come to my home this afternoon and have dinner with us, after which we'll call on an American living in a house a few doors below," he went on kindly. This courtesy allayed all suspicion that I would be asked to establish my identity before staying longer in the diamond fields. The invitation was accepted, his hospitality being generous. The second American had been on the diamond fields for
  • 72. more than 30 years, but local interest was a secondary consideration to meeting some one just come from the United States. He had been in British territory so long that he had acquired the British accent, but that was the only thing foreign about him, as one would not know where to find a more patriotic son of America. On a second visit to the "Diamond City" every kindness was shown me by these two "exiles." Kimberley, with a population of about 35,000, one-third of this number being white, is the capital of Griqualand West, a section of Cape Colony. Before diamonds were discovered, the territory embraced in the Kimberley district was understood to be a part of the Orange Free State. When the diamond fields promised rich returns, Cape Colony officials claimed this tract as being part of that province. The matter was finally adjusted by the Free State surrendering its claim to the Cape authorities upon payment by the latter to the Boer republic of several million dollars. The Diamond City has evidently stood still while other places in the sub-continent have kept pace with the progress of the times. Its newspapers are inferior; only one building reaches three stories; there is very little street paving, practically no sidewalks, and public buildings are quite ordinary; the shacks standing not far from the business center, built by colored people out of American oil cans, are a disgrace; church bells even are suspended from a crosspiece resting on the top of two posts, 10 feet high, in the churchyard; the parks do not amount to much, most of the shade trees in these being fine-bearded pine, through which the sun beats down on one. If there was anything of a creditable character here, save for a modern street car system, we did not observe it. To Alexandriafontein, a fenced-in private pleasure resort, an electric line runs, but it costs 25 cents to reach this park. 
Were one in need of an object lesson to understand thoroughly what a trust means to a municipality, he would learn that lesson in Kimberley. A number of diamond mines are in operation in the Kimberley district, but there is but one diamond mining company— the De Beers. Diamond mining is the only industry in Kimberley.
Mine officials are very kind to visitors who wish to look about the works. "Ho! that's Kimberley rain," shouted a friend. Looking from a window, the width of the street appeared a solid mass of dust, if the term may be allowed, extending far above the roofs of the houses. "That's the sort of 'rain' we get in Kimberley," he explained. No rain had fallen for six months.

The depth of the diamond mines runs from 1,000 to 2,600 feet. The color of the soil in which the diamonds are found is blue—blue dirt, it is called—which is removed by explosives. Dirt, pebbles and stones are moved in iron trucks with iron covers, and locked. On coming to the surface it is started on gravity railways which extend from two to four miles from the mine. The truck of dirt, weighing about a ton and containing an average of one-third of a karat of diamond, is here dumped on the ground. The "dirt field" contains 1,400 acres of space. Three high barbed wire fences form the inclosure, and police—mounted, on bicycles, and on foot—see that no stranger gets inside the triple barbed-wire fence. The blue dirt remains in the field from three to six months until, by exposure to the air, it crumbles. A harrow, with teeth 10 inches long, is drawn over the section of field ready for use, when any remaining lumps are broken into fine dirt. The diamond soil is next loaded into trucks and started back to the head of the mine. The dirt is here dumped into a revolving screen, which contains holes for pebbles of certain sizes to drop through. These drop into a revolving round tank, or vat, 14 feet in diameter and about a foot deep, into which water runs. Inside the vat are two large stationary rakes, around which the tank revolves. This is called the washery. The dirt runs out as muddy water, and the rakes serve to move the pebbles to a point in the circular vat where there is an opening. Connecting with this opening is a pipe, down which the stones pass into a steel truck below.
When the truck is filled with pebbles, the door is closed and locked.
The truck is now started on a gravity railway to what is called the pulsator, where the nuggets and diamond-bearing stones are separated from those of no value. Here the contents of the truck also are emptied into a revolving screen with graduated holes to allow the pebbles to drop out. The stones of the various sizes now drop into compartments 4 feet long and 18 inches wide—called jigs—which move back and forth. Water runs over the pebbles in the jigs, the light-weight ones washing out and the heavier remaining at the bottom. The pebbles that remain in the jigs are taken out later and put into still another revolving screen. Under the grade sizes of this screen are inclined tables, over which water runs, these having a thickly greased floor, or bottom, on to which the stones drop. The nuggets and diamond-bearing stones stick in the grease, but the non-diamondiferous pebbles pass over. To emphasize how strongly grease acts as a magnet to the precious stones, of the millions and millions of pebbles that are washed over the greased bottoms, which are carefully inspected by experts, rarely is a diamond detected among the culls. The little lumps on the greased tables—the diamonds covered with grease—might resemble a hand with big warts. The table is cleaned, when the scrapings are treated by a liquid, which renders the diamonds free of grease. They then pass to a sorting room. The sorters are native prisoners, but a white man is over them. Then one negro, very expert in detecting diamonds, examines the stones sorted by the prisoners. From him they pass to a room where two white men again examine them. They are then put into steel cups little larger than a teacup. The cup has a lid to it and a lock. The lid is closed, locked, and the cup labeled. The locked cups next go to the Kimberley office. Every Monday the output of the diamond mines is taken to a train headed for Capetown. That train makes connection with a steamship leaving for Europe on Wednesdays.
From England most of the diamonds are sent to Amsterdam, Holland, to be refined.
The reducing character of the diamond mining industry is apt to astonish one. Over 200,000 trucks of dirt are treated daily, and the product from this great quantity of soil is less than a cubic foot. Twenty-three thousand men are engaged in digging, and the diamonds mined by that large force are examined by but four eyes and handled by only four hands in the examining room at the pulsator. The yearly output of the Kimberley diamond mines is from $35,000,000 to $40,000,000.

Credit for bringing to light the first stone found in the Kimberley district, in 1870, is given to an Irishman named O'Reilly. A Dutch boy, whose father's name was Van Niekerk, was playing jackstones. O'Reilly's eye being attracted by a bright stone among those with which the boy was playing, he told the boy's father he thought that particular one was a diamond. O'Reilly's judgment proved to be good, as, when weighed, it was found to be of 22½ karat. The stone was sold for $2,500, O'Reilly and Van Niekerk dividing the money.

On the wagon containing the weekly output of diamonds of the Kimberley mines, and which meets the train that goes to Capetown every Monday afternoon, is seated a white man and a native driver. No attempt has yet been made to rob the wagon while going from the head office of the diamond company to the railway station. This alone may serve to emphasize the grip which law and order has on that community. A week before a native quits the diamond mines he is kept under strict surveillance. The natives live in compounds, as the kafirs do in the Rand mine compounds, but, unlike the "boys" working in the gold mines, mine "boys" of Kimberley are not allowed outside of the compound except when going to and coming from work, and then only under guard. They are hired for from three months to a year, and are paid from $15 to $30 a month and board. There are seven mines in the Kimberley district, which give employment to 20,000 natives and 3,000 Europeans.
Three eight-hour shifts are worked.
Those engaged in the diamond diggings along the banks of the River Vaal carry with them during life a characteristic by which they may be picked out from among men following different pursuits. A fortune—which they all hope for—may escape them if their eyes are raised from the ground for even so brief a time as that required for the wink of an eyelash, as they might thus have missed the fleeting flash of a precious stone just peeping through the soil. For this reason, when engaged in the diamond diggings their eyes are constantly looking downward. After they leave the diggings—when they have spent their savings and become practically starved out—they walk about with bent head, looking at the sidewalk or ground as they did when hand-screening soil and digging alluvial dirt. Some have made fortunes in the diggings, but these are few and far between.

Bloemfontein, next visited, is known as the Convention City. Because of its location, being the most important city in the center of South Africa and well provided with hotels and railway connections, together with its good public buildings, it has become the favored place for national gatherings. After the Boer War the name of this province was changed to Orange River Colony, against the burghers' wishes. In May, 1910, when the Dutch again assumed power, its former name, and its present one—Orange Free State—again came into use. Located between hills on two sides, having good streets, shady walks, electric light, good buildings, and a broad, treeless veld to the east, with poverty seemingly absent, an inviting air pervades Bloemfontein. The homes of that city, a great many of them built of red brick, with their vari-colored painted roofs and tidy yards filled with flowers, all nestling under and some built on the side of the kopjes, or hills, put one in mind of that other Dutch capital—Pretoria. Unlike Kimberley, no tin shanties were to be seen here, neither were the streets swarming with half-castes and Hindus.