Part I: Basic Concepts

In the first two chapters we lay out the framework and introduce the basic ideas that we will use throughout the rest of the book. What is the impact of user activity versus system activity? What is the impact of computer architectures and implementations? How long does data persist, and why? Why is the notion of time so important?

Chapter 1, "The spirit of forensic discovery", is arguably the most accessible and most important chapter. At a relatively high level it introduces the key forensic concepts of volatility, layering, and trust. We ask you to take a few things on faith until we cover them in more depth in chapters to come.

Chapter 2, "Time Machines", introduces the concept of timelining, with examples from the file system (MACtimes: the modification, access, and inode-change times kept for every file), from network traffic statistics, and even from the Domain Name System (DNS). We develop an understanding of the sources of time and where time information is stored, illustrate why we place so much emphasis on data within a host rather than on what is found in networks, and present the first examples of our out-of-the-box thinking.

Very experienced readers may want to skim this first part rather than read it closely, but we would urge at least a cursory glance, as we rely on the concepts brought up here throughout the rest of the book.