MINI CASE
Enterprise Architecture
at Nationstate Insurance5
Jane Denton looked around at her assembled senior IT leadership team waiting to hear
what she was going to say. Most were leaning forward eagerly, though some appeared
more cautious. They were a good team, she knew, and she wanted to lead them well.
A seasoned CIO, with a whole career behind her in IT, Jane was the newly appointed
global CIO of Nationstate Insurance. This would be her last job before retirement in
three years and she wanted to find a way to make a lasting difference in this company.
Nationstate was an excellent company—Jane had done her homework. It was one of
the largest in the United States, with a worldwide presence in personal and commercial
insurance, and had recently been voted one of Forbes’ “Best Big Companies.” It had
good systems, good user–IT relationships, and good people. But the company aspired
to be great and Jane wanted to help them by taking IT to the next level. She knew that
the world was changing—largely as a result of technology—and she knew that IT and
its traditional approach to systems development was also going to have to change.
“Our IT function needs to become more cutting edge in adopting emerging technolo-
HJFT
u�TIF�IBE�UPME�UIF�Jane Denton looked around at her assembled senior IT leadership team waiting to hear
what she was going to say. Most were leaning forward eagerly, though some appeared
more cautious. They were a good team, she knew, and she wanted to lead them well.
A seasoned CIO, with a whole career behind her in IT, Jane was the newly appointed
global CIO of Nationstate Insurance. This would be her last job before retirement in
three years and she wanted to find a way to make a lasting difference in this company.
Nationstate was an excellent company—Jane had done her homework. It was one of
the largest in the United States, with a worldwide presence in personal and commercial
insurance, and had recently been voted one of Forbes’ “Best Big Companies.” It had
good systems, good user–IT relationships, and good people. But the company aspired
to be great and Jane wanted to help them by taking IT to the next level. She knew that
the world was changing—largely as a result of technology—and she knew that IT and
its traditional approach to systems development was also going to have to change.
“Our IT function needs to become more cutting edge in adopting emerging technolo-
HJFT
u�TIF�IBE�UPME�UIF�$&0�TIPSUMZ�BGUFS�TIF�XBT�IJSFE
�iBOE�XF�OFFE�UP�CFDPNF�NPSF�
flexible and agile in our approach to development work.” Now she had this time and
this team to accomplish her goals.
0�TIPSUMZ�BGUFS�TIF�XBT�IJSFE
�iBOE�XF�OFFE�UP�CFDPNF�NPSF�
flexible and agile in our approach to development work.” Now she had this time and
this team to accomplish her goals.
However, it was much easier said than done. Like almost every large organiza-
tion, Nationstate had a hodgepodge of different systems, data, and processes—most
serving just one of its six business units (BUs). Nationstate’s decentralized structure
had served it well in the past by enabling individual BUs to respond quickly to chang-
ing market needs but a couple of years before Jane’s arrival, recognizing the need for
TPNF�FOUFSQSJTF�UIJOLJOH
�UIF�However, it was much easier said than done. Like almost every large organiza-
tion, Nationstate had a hodgepodge of different systems, data, and processes—most
serving just one of its six business units (BUs). Nationstate’s decentralized structure
had served it well in the past by enabling individual BUs to respond quickly to chang-
ing market needs but a couple of years before Jane’s arrival, recognizing the need for
TPNF�FOUFSQSJTF�UIJOLJOH
�UIF�$&0�IBE�DSFBUFE�B�GFEFSBUFE�TUSVDUVSF�XJUI�TPNF�DFOUSBM-
ized functions, including parts of IT. So some of IT was now centralized and shared by
all the BUs (e.g., operations) and reported directly to Jane, while the rest (e.g., system
EFWFMPQNFOU
�XBT�EFDFOUSBMJ[FE��&BDI�#6�IBE�JUT�PXO�$*0�BOE�*5�TUBGG�XIP�SFQPSUFE�
jointly to the BU’s president and to Jane.
0�IBE�DSFBUFE�B�GFEFSBUFE�TUSVDUVSF�XJUI�TPNF�DFOUSBM-
ized functions, including parts of IT. So some of IT was now centralized and shared by
all the BUs (e.g., operations) and reported directly to Jane, while the rest (e.g., system
EFWFMPQNFOU
�XBT�EFDFOUSBMJ[FE��&BDI�#6�IBE�JUT�PXO�$*0�BOE�*5�TUBGG�XIP�SFQPSUFE�
jointly to the BU’s president and to Jane.
This potentially unwieldy structure was made more palatable by the fact that the
business unit CIOs had great business knowledge and were well trusted by their presi-
dents. In fact, it was central IT that was often seen as the roadblock by the BUs. She had
never led an IT organization like it, she reflected, and in her first few months, she had
made a considerable effort to understand the strengths and weaknesses of this model
and how responsibilities had been divided between centralized enterprise services
and the decentralized IT groups (each quite large themselves) in the business units.
5 4NJUI
�)��”�
�BOE�+��%��.D,FFO��i&OUFSQSJTF�”SDIJUFDUVSF�BU�/BUJPOTUBUF�*OTVSBODF�u����-��������
�2VFFO�T�
4DIPPM�PG�#VTJOFTT
�4FQUFNCFS�������3FQSPEVDFE�CZ�QFSNJTTJPO�PG�2VFFO�T�6OJWFSTJUZ
�4DIPPM�PG�#VTJOFTT
�
Kingston, Ontario, Canada.
160
� &OUFSQSJTF�”SDIJUFDUVSF�BU�/BUJPOTUBUF�*OTVSBODF� 161
Now she thought she had a good enough handle on these that she could begin work
with her senior leadership team (the BU CIOs) to develop a plan to transform IT into
the kind of technology function Nationstate would need in the years to come.
“I know you are both enthusiastic and apprehensive about transformation,”
she said. “We have a great organization and no one wants to lose that. We need to be
responsive to our business needs but we also need to incorporate new development
techniques into our work, do a better job with emerging technologies, and begin to
rationalize our application and technology portfolios. We have duplicate systems, data
BOE�TPGUXBSF�BMM�PWFS�UIF�QMBDF��0VS�“I know you are both enthusiastic and apprehensive about transformation,”
she said. “We have a great organization and no one wants to lose that. We need to be
responsive to our business needs but we also need to incorporate new development
techniques into our work, do a better job with emerging technologies, and begin to
rationalize our application and technology portfolios. We have duplicate systems, data
BOE�TPGUXBSF�BMM�PWFS�UIF�QMBDF��0VS�$&0�BOE�UIF�#6�1SFTJEFOUT�XBOU�UP�TFF�VT�VTF�PVS�
technology resources more efficiently, but more than that, they want our leadership in
using technology effectively for the organization as a whole. We can’t do this if we’re all
working in separate silos.”
0�BOE�UIF�#6�1SFTJEFOUT�XBOU�UP�TFF�VT�VTF�PVS�
technology resources more efficiently, but more than that, they want our leadership in
using technology effectively for the organization as a whole. We can’t do this if we’re all
working in separate silos.”
Heads began nodding around the room as she continued. “At present, every busi-
ness unit has its own IT architecture and architects and each of you believe you are mak-
ing the ‘right’ technology decisions but you are all doing it differently.” The head nodding
stopped and a mood of wariness took over. “No one in our organization has the big pic-
ture of what we have and where we need to go. We have to learn what makes sense for
us to do at an enterprise level and what’s best left in the business units. Architecting our
technology, information, business and applications properly is the key to doing it right.”
“What exactly are you proposing?” asked Owen Merton, CIO of the Casualty
Division. “I think you’re right that we need an enterprise architecture, but I don’t want
to lose the good work we’ve done at the BU level.”
“Well, I really want to centralize all architecture,” said Jane. “I think that’s what
works best in other organizations and that’s going to be the most effective way to make
it work here. BUT . . .” she added, “I’d like to speak with each of you individually and
with your senior architects before I do. I’m open to your ideas as long as they address
the needs that I’ve just outlined.”
Over the next two weeks, Jane listened carefully to what the divisional CIOs had
to say. They all agreed with Merton that the relationships with the BUs were extremely
important and centralizing architecture had to be done carefully. All of them had heard
horror stories about the “architecture police” in other companies—hard-line techies
who set standards and created blueprints and insisted on them being followed in spite
of the difficulties their policies caused for the business.
“Architecture can’t live in an ivory tower,” explained Vic Toregas, CIO of Claims.
“It has to be rooted in the reality of our business and it can’t be seen to slow things
down.” Jane agreed. “We must make sure that our architecture function is designed and
managed to ensure rapid delivery to the business.”
0O�UIF�PUIFS�IBOE
�/JDL�7BSHP
�$*0�PG�(SPVQ�)FBMUI
�XBT�DPODFSOFE�UIBU�XJUIPVU�
a strong enforcement mechanism, standards wouldn’t be followed. “What’s the point of
having standards if we don’t enforce them?” he asked.
Jane’s head whirled. It wasn’t going to be easy to strike the right balance
between developing a good, sustainable process that would provide a blueprint for
where the company needed to go and enable the company to build the common capa-
bilities it would need for the future, while delivering solutions quickly and flexibly
for the BUs. “What we don’t need is a ‘Winchester Mystery House’,” she reflected,
recalling the famous local house whose owners kept adding to it over many years
with no overall plan.
162� 4FDUJPO�**� r� *5�(PWFSOBODF
She became more worried when she began to speak with the BU architects, with
an eye to appointing one of them as her chief enterprise architect. They seemed to be
technically competent but were not what she would call “relationship people” or busi-
ness strategists. The job, as she envisioned it, would combine strong leadership skills,
a good understanding of the business, and excellent communication skills to translate
why the business should care about architecture, with strong technical skills. Her day
became a bit brighter when she began her final interview with Seamus O’Malley, the
senior architecture manager of the commercial BU.
As they spoke, Jane was impressed with his vision and pragmatism, as well as his
strong communication skills. By the end of the hour she knew she had found her new
chief enterprise architect. “I’d like you to take this new job,” she told him. “I think you
are the right person to ensure we have the standards, tools and practices in place to
develop a common architecture for Nationstate.” Seamus thought for a moment before
replying. It was a great offer but he had his doubts that Jane’s plan would work and this
situation had to be carefully handled.
“Thank you for your faith in me,” he began diplomatically, “but I would like to
suggest a slight modification to your plan. You see, I’ve been an architect in central-
ized organizations and there has always been an ‘us versus them’ mentality between
the architecture group and both the rest of IT and the business units.” Jane recalled
the horror stories of the “architecture police.” “So what I’d like to propose is a com-
QSPNJTF��*�XPVME�CFDPNF�$IJFG�&OUFSQSJTF�”SDIJUFDU�CVU�*�XPVME�BMTP�SFNBJO�4FOJPS�
Architecture for Commercial and involve the other BU Senior Architects in creating a
strong enterprise architecture that works for us all. That way, no one will see me as just
‘the enterprise guy’ and whatever standards we set and decisions we make centrally
will affect me in Commercial, just like they’ll affect all the other BUs. When the other
business units see that I’m willing to eat my own dog food, I think they’ll be more ready
to accept the standards and changes we’ll be introducing.”
While not sure the compromise would work, Jane agreed to try it for a year and
Seamus set out to build a centralized architecture function from scratch. With the
authority given to him by Jane, all of the BU senior architects now had a dual reporting
relationship—to their CIO and to him as the chief architect.
At their first weekly meeting with the BU senior architects, Seamus outlined
his role and agenda. “As you know, each of us has been individually responsible for
developing an effective IT architecture for our business units but we haven’t done any
coordination between them. That is no longer good enough for our business needs and
I, with your help, have been given the job of establishing an enterprise architecture that
will create an enterprise technology blueprint for Nationstate, which we will all have to
follow in the business units. I want to work collaboratively with you so that we come
up with a plan and processes that will work for each of us in the business units, as well
as for the enterprise as a whole. We will need to build our enterprise architecture slowly
but steadily so that people will trust us, and that means having good governance, good
processes and a collaborative approach to this work,” he stated. “Our first priority is
building strong relationships with both Jane and the other CIOs and our BU Presidents.
&OUFSQSJTF�”SDIJUFDUVSF�TJUT�JO�UIF�NJEEMF�CFUXFFO�UIFTF�HSPVQT
�TP�HPPE�SFMBUJPOTIJQT�
are essential.” “However,” he continued. “We are going to need a way to establish and
enforce standards—enterprise ones, not the ones you have now—and this is going to be
difficult to explain.”
� &OUFSQSJTF�”SDIJUFDUVSF�BU�/BUJPOTUBUF�*OTVSBODF� 163
“I’ll say,” remarked Sarah Jensen, the senior architecture manager from Personal
Insurance. “What do we say when the business asks why they can’t do something that’s
important to them because our ‘standards’ won’t let them?”
“That’s a good question Sarah,” said Seamus. “And it gets right to the heart of
why architecture is important. We need to present architecture in ways that are easy for
the business to understand, without scaring or threatening them. For example, we need
an application reduction strategy designed to eliminate duplication, reduce complexity
and save money. The business already understands the pain of having to jump from
system to system and knows that owning two cars is more expensive than one. If we
explain it to them in this way, they will understand the advantages of having a single
system and a single workflow.”
“But isn’t good architecture about more than cost savings?” asked Michael Lee,
senior architecture manager from Claims. “We need to develop a foundation of com-
mon information, tools and processes so that we’re not reinventing the wheel going into
the future. And someone needs to decide what new technologies we’re going to need
and where we’re going to use them. There are so many new applications and devices
coming out every day now, we’re going to be in a real mess if we don’t do this properly.”
“You’re exactly right,” said Seamus. “These things do have to be managed for
the good of the enterprise—both to make it more effective and more efficient. But it’s
how we manage them that’s important. If we put lots of bureaucracy in place and don’t
add value, no one is going to support us and they’ll find ways to undermine what we
are trying to do. We can’t take a ‘field of dreams’ approach to architecture. We need to
attach our work to real business value and real projects. Once our leaders understand
this, we’ll get their support.”
“So here’s our challenge,” Seamus told his assembled team a few minutes later.
i8F�OFFE�UP�EFTJHO�BO�&OUFSQSJTF�”SDIJUFDUVSF�GVODUJPO�UIBU�EPFT�BMM�UIFTF�UIJOHT��*U�T�
got to be a process that comes up with the standards and guidelines that each of you
can live with and support in the BUs. And, as you know, I myself will have to live with
them in Commercial as well.”
“Here’s what I believe we need to accomplish as soon as possible,” he stated,
flashing a PowerPoint slide on the screen:
1. An enterprise governance process to set architecture strategy, policies and stan-
dards for technology, applications, and information that reflects the federated struc-
ture in the organization.
2. A means of monitoring that all new projects comply with the agreed-upon archi-
tecture while ensuring that this process doesn’t present an obstacle to getting IT
projects completed quickly.
3. A process for allowing “variances” to the current standards, if necessary, and a way
to manage them back to the agreed-on standards.
4. A means of identifying important new IT capabilities and services that should be
shared by the enterprise.
5. A means of evaluating emerging new technologies and setting standards for them.
6. Identifying roles and responsibilities for the enterprise architecture function and
the LOB architecture functions.
7. Developing a means of incorporating feedback and continuous improvement into
our work.
164� 4FDUJPO�**� r� *5�(PWFSOBODF
“I want to blend and weave our work into the architecture teams we already have
in the business units as much as possible,” Seamus concluded. “This will keep us close
to business needs and enable us to get enterprise value from the teams we have in place.
And I don’t want to add any more process than we need to at an enterprise level. For
example, if the Claims group needs a new technology, their architecture group could do
the preliminary evaluation and make recommendations for what we should do. But we
need to ensure that the resulting decision is a good one for the entire enterprise.”
“I’ve got to report back to Jane in a month, so I’d like you to think about what
might and might not work for your division and for us as an enterprise. I’ve scheduled
a couple of working sessions for us over the next two weeks so we can hash this out.
We have an exciting opportunity to take IT to the next level at Nationstate if we do this
right, so let’s not mess this up.”
Discussion Questions
1. List and describe all of the potential benefits (and costs) that Nationstate would
realize from the establishment of an enterprisewide architecture as envisioned by
Jane Denton?
2. Build a business case for Seamus O’Malley to present to the senior management
team at Nationstate in order to get their buy-in. In addition to benefits and costs, the
business case must answer the “what’s in it for me” question that the BU 3presidents
all have.
3. Seamus O’Malley is rightfully worried about governance (i.e., making sure that the
enterprise architectural standards are adopted by all BUs). Both he and Jane are
wary of forced compliance because such measures lead to “architecture police.”
What governance procedures could they put in place that would win “hearts and
minds”; that is, BU architects would comply with the enterprise architecture stan-
dards because they believe in them—not because they are forced to comply with them?
Running Head: THE SCIENTIFIC METHOD APPLIED TO DIGITAL FORENSICS
1
THE SCIENTIFIC METHOD APPLIED TO DIGITAL FORENSICS 7
The Scientific Method Applied To Digital Forensics
by student name
Professor D. Barrett
University
Course
Todays date
Abstract
Computer forensics is the process of digital investigation combining technology, the science of discovery and the methodical application of legal procedures. Judges and jurors often do not understand the inner workings of computers and rely on digital forensics experts to seek evidence and provide reliable, irrefutable testimony based on their findings. The scientific method is the process of diligent, disciplined discovery where a hypothesis is formed without bias, and analysis and testing is performed with the goal of effectively proving or disproving a sound hypothesis. When investigative teams do not follow standard investigative procedures it can lead to inappropriate and inaccurate evidentiary presentations that are extremely difficult for non-technical participants to refute. The practitioners of digital forensics can make strides to measure and improve the accuracy of their findings using the scientific method. This paper includes a summary of the scientific method as applied to the emerging and growing field of digital forensics and presents details of a specific case where both the prosecution and defense would have benefitted greatly from the use of this proven method of discovery and analysis. Findings can only be deemed reasonably conclusive when the scientific process is correctly applied to an investigation, findings are repeatable and verifiable, and where both the evidence collected and the tools used are subject to the utmost scrutiny.
The Scientific Method Applied To Digital Forensics
The forensic analyst and investigator must use a unique combination of technical, investigative, and scientific skills when approaching a forensic case. Most adults remember the Scientific Method from their middle school science class as a set of six steps beginning with stating a problem, gathering information, forming a hypothesis, testing the hypothesis, analyzing the data and drawing conclusions that either support or do not support the hypothesis. Peisert, Bishop, & Marzullo (2008) note that the term computer forensics has evolved to mean “scientific tests of techniques used with the detection of crime” yet note that many academic computer scientists also use the term to refer to the “process of logging, collecting, auditing or analyzing data in a post hoc investigation”. The necessity to maintain chain of custody requires methodical and detailed procedures, as does the formulation of a legitimate and unbiased hypothesis and conclusion using the scientific method. Since many judges and jurors assume that computer forensic evidence is as “reliable and conclusive” as it is depicted on television, the legal system is unaware of the volatile nature of computer forensics investigations and the significance of a scientific approach to evidence gathering and analysis (Peisert et al., 2008).
The Scientific Process as Applied to Computer Forensics
Peisert et al. (2008) discuss in detail the need for the use of the scientific method in forensic investigations, not only for the process of discovery and analysis of evidence, but for measuring the accuracy of the forensic tools used in an investigation. Casey (2010) agrees, and cautions that evidence must be compared to known samples so that investigators better understand the scope and context of the evidence that is discovered or presented and to better understand the output of forensic tools. Casey (2010) further elaborates that the scientific method is a powerful tool for forensic investigators who must be neutral fact finders rather than advocates for one side of a case or the other.
The process of creating a hypothesis and completing experiments to prove or disprove them allows an investigator to gain a concrete understanding of the digital evidence or mere traces of evidence under analysis. Casey (2010) also notes that while there is no ethical requirement to do so and may be impractical, a thorough investigative practice would consider investigation of alternate scenarios presented by defense.
Forensic examination tools can contain bugs, or behave differently with various types of data and forensic images. Casey (2010) recommends that investigators examine evidence at both the physical and logical layers since both methods can provide unique perspectives, and the physical layer may not yield deleted, corrupted or hidden data. Suspects with limited technical experience can rename image files with different extensions not used for images, and those with more technical knowledge can use advanced steganography techniques to embed data within other data in an attempt to defy detection.
The 2004 case of State of Connecticut v. Julie Amero in Norwich, Connecticut is one where the scientific method was clearly missing from both the defense and prosecution. Eckelberry, Dardick, Folkerts, Shipp, Sites, Stewart, & Stuart (2007) completed a comprehensive post-trial analysis of the evidence as provided to the defense and discovered very different evidentiary results using a structured scientific approach to their investigation. Amero was a substitute elementary teacher accused of displaying pornographic images that appeared on pop-up’s to her students from what ultimately was proven to be a spyware-infected school computer. The credibility of the legal system was compromised and the prosecution made a numerous incorrect assumptions based on results provided from inadequate forensic tools and poor investigative techniques (Eckelberry et al., 2007).
The computer that Amero was using in her classroom was a Windows 98 machine running Internet Explorer 6.0.2800 and a trial version of Cheyenne AntiVirus that had not received an update in several years. The content filtering at the school had expired several months prior to the incident. The prosecution presented non-factual statements that may easily have been misconstrued by a non-technical jury and that likely caused a guilty verdict. The false testimony made by the school IT specialist indicated that the virus protection was updated weekly when in fact they were not since computer logs and the signatures clearly showed that virus updates were no longer supported by the vendor. The updates may have been performed but against files that had no new updates for many months. The IT Manager who testified also incorrectly claimed that adware was not able to generate pornography and especially not “endless loop pornography”. This information was received as a fact by the non-technical jury and incredibly not refuted by the defense. The detective for the prosecution also stated that his testimony was based completely on the product ComputerCop which the vendor admits is incapable of determining if a website was visited purposefully or unintentionally. The forensic detective astoundingly admitted that he did not examine the computer for the presence of adware (Eckelberry et al., 2007, p. 7-10).
The case against Amero was largely based on testimony stating that she deliberately visited the offensive pornographic websites and that the sites visited subsequently showed the links in red. The post-trial investigative team quickly verified that the ‘sites visited’ color setting in Internet Explorer on the suspect machine was set to “96,100,32” which is a greenish-gray color. One of the web pages that the defendant allegedly visited had an HTML override to highlight one of the links presented in red and was not colored based on a deliberate visit to the site. According to Eckelberry et al. (2007) the page in question was not discovered in “any of the caches or Internet history files or the Internet History DAT files. The post-trial investigative team through meticulous investigation and use of the scientific method were able to present facts that were “exculpatory evidence showing that the link was never clicked on by the defendant” or any other person, and disproved most of the statements made by the forensics examiner and the witnesses for the prosecution (Eckelberry et al., 2007, p. 12-14).
The prosecution testimony stated that there was no evidence of uncontrollable pop ups found on the suspect machine, however, the post-trial investigative team discovered irrefutable evidence that the page in question was loaded twenty-one times in one second using a computer forensics tool called X-Ways Trace. Eckleberry et al. (2007) detail many other instances where testimony was haphazard and discovered that a Halloween screen saver was the source of the adware that presented the continuous stream of pornographic sites. The chain of custody was also compromised in that the disk image was from a Dell PC but the defense witness saw a Gateway PC stored at the police station. The officer reportedly seized a computer but the police report contradicts this and states that only a drive was taken (Eckelberry et al., 2007, p. 14-17).
The case described and investigated by Eckelberry et al. (2007) resembles a staged blunder designed as a humorous sample case for beginning forensic students to discuss. The case was however very real and even though the defendant was eventually acquitted she suffered lasting harm from the notoriety based on the initial conviction of contributing to the delinquency of minors. If the prosecution or defense had investigated the evidence using the scientific method and maintained a credible chain of custody, or at least used clear critical thinking while performing a thorough forensic investigation this case may never have gone to trial. It wasted the time and resources of judge, jury, and countless other participants in the trial and permanently damaged an innocent victim (Eckelberry et al., 2007).
Conclusion
The scientific method is a process that allows confidence in a hypothesis when it can be subjected to repeated identical tests. The use of the scientific method not only provides a methodical structure to a forensic investigation, it lends credibility to a case in the very nature of the steps used to document and diligently test any given hypothesis. The case independently investigated post-trial by Eckelberry et al. (2007) was performed by a team of trained experts who were well aware of the necessity of the methodical requirements and necessity of the scientific method of discovery. Their findings proved that the suspect was in fact a victim of poorly maintained computers by a local Connecticut school system, that the forensic expert and witnesses who testified in the case were untrained and uninformed and used inadequate tools for the investigation. Cases such as State of Connecticut v. Julie Amero illustrate the importance of using the scientific method, and the necessity of proper training in the art and science of digital forensics.
References
Carrier, B. (2002, October). Open Source Digital Forensics Tools: The Legal Argument. In @ Stake Inc. Retrieved September 8, 2011, from
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.19.7899&rep=rep1&type=pdf
Casey, E. (Ed.). (2010). Handbook of Digital Forensics and Investigation (Kindle ed.). Burlington, MA: Elsevier, Inc.
Eckelberry, A., Dardick, G., Folkerts, J., Shipp, A., Sites, E., Stewart, J., & Stuart, R. (2007, March 21). Technical Review of the Trial Testimony of State of Connecticut vs. Julie Amero. Retrieved September 9, 2011, from
http://www.sunbelt-software.com/ihs/alex/julieamerosummary
Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to Computer Forensics and Investigations (4th ed.). Boston, MA: Course Technology, Cengage Learning.
Peisert, S., Bishop, M., & Marzullo, K. (2008, April). Computer Forensics in Forensis. Retrieved September 8, 2011, from
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.140.3949&rep=rep1&type=pdf