Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition


System Forensics, Investigation, and Response, 3rd Edition by Easttom. Published by Jones & Bartlett Learning, 2017
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Contents

Preface

About the Author

PART I                 Introduction to Forensics

CHAPTER 1      Introduction to Forensics

What Is Computer Forensics?

Using Scientific Knowledge

Collecting

Analyzing

Presenting

Understanding the Field of Digital Forensics

What Is Digital Evidence?

Scope-Related Challenges to System Forensics

Types of Digital System Forensics Analysis

General Guidelines

Knowledge Needed for Computer Forensics Analysis

Hardware

Software

Networks

Addresses

Obscured Information and Anti-Forensics

The Daubert Standard

U.S. Laws Affecting Digital Forensics

The Federal Privacy Act of 1974

The Privacy Protection Act of 1980

The Communications Assistance for Law Enforcement Act of 1994

The Electronic Communications Privacy Act of 1986

The Computer Security Act of 1987

The Foreign Intelligence Surveillance Act of 1978

The Child Protection and Sexual Predator Punishment Act of 1998

The Children’s Online Privacy Protection Act of 1998

The Communications Decency Act of 1996

The Telecommunications Act of 1996

The Wireless Communications and Public Safety Act of 1999

The USA Patriot Act of 2001

The Sarbanes-Oxley Act of 2002

18 U.S.C. § 1030: Fraud and Related Activity in Connection with Computers

18 U.S.C. § 1020: Fraud and Related Activity in Connection with Access Devices

The Digital Millennium Copyright Act (DMCA) of 1998

18 U.S.C. § 1028A: Identity Theft and Aggravated Identity Theft

18 U.S.C. § 2251: Sexual Exploitation of Children

Warrants

Federal Guidelines

The FBI

The Secret Service

The Regional Computer Forensics Laboratory Program

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 1 ASSESSMENT

CHAPTER 2      Overview of Computer Crime

How Computer Crime Affects Forensics

Identity Theft

Phishing

Spyware

Discarded Information

How Does This Crime Affect Forensics?

Hacking

SQL Injection

Cross-Site Scripting

Ophcrack

Tricking Tech Support

Hacking in General

Cyberstalking and Harassment

Real Cyberstalking Cases

Fraud

Investment Offers

Data Piracy

Non-Access Computer Crimes

Denial of Service

Viruses

Logic Bombs

Cyberterrorism

How Does This Crime Affect Forensics?

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 2 ASSESSMENT

CHAPTER 3      Forensic Methods and Labs

Forensic Methodologies

Handle Original Data as Little as Possible

Comply with the Rules of Evidence

Avoid Exceeding Your Knowledge

Create an Analysis Plan

Technical Information Collection Considerations

Formal Forensic Approaches

Department of Defense Forensic Standards

The Digital Forensic Research Workshop Framework

The Scientific Working Group on Digital Evidence Framework

An Event-Based Digital Forensics Investigation Framework

Documentation of Methodologies and Findings

Disk Structure

File Slack Searching

Evidence-Handling Tasks

Evidence-Gathering Measures

Expert Reports

How to Set Up a Forensic Lab

Equipment

Security

American Society of Crime Laboratory Directors

Common Forensic Software Programs

EnCase

Forensic Toolkit

OSForensics

Helix

Kali Linux

AnaDisk Disk Analysis Tool

CopyQM Plus Disk Duplication Software

The Sleuth Kit

Disk Investigator

Forensic Certifications

EnCase Certified Examiner Certification

AccessData Certified Examiner

OSForensics

Certified Cyber Forensics Professional

EC Council Computer Hacking Forensic Investigator

High Tech Crime Network Certifications

Global Information Assurance Certification Certifications

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 3 ASSESSMENT

PART II                Technical Overview: System Forensics Tools, Techniques, and Methods

CHAPTER 4      Collecting, Seizing, and Protecting Evidence

Proper Procedure

Shutting Down the Computer

Transporting the Computer System to a Secure Location

Preparing the System

Documenting the Hardware Configuration of the System

Mathematically Authenticating Data on All Storage Devices

Handling Evidence

Collecting Data

Documenting Filenames, Dates, and Times

Identifying File, Program, and Storage Anomalies

Evidence-Gathering Measures

Storage Formats

Magnetic Media

Solid-State Drives

Digital Audio Tape Drives

Digital Linear Tape and Super DLT

Optical Media

Using USB Drives

File Formats

Forensic Imaging

Imaging with EnCase

Imaging with the Forensic Toolkit

Imaging with OSForensics

RAID Acquisitions

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 4 ASSESSMENT

CHAPTER LAB

CHAPTER 5      Understanding Techniques for Hiding and Scrambling Information

Steganography

Historical Steganography

Steganophony

Video Steganography

More Advanced Steganography

Steganalysis

Invisible Secrets

MP3Stego

Additional Resources

Encryption

The History of Encryption

Modern Cryptography

Breaking Encryption

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 5 ASSESSMENT

CHAPTER 6      Recovering Data

Undeleting Data

File Systems and Hard Drives

Windows

Forensically Scrubbing a File or Folder

Linux

Macintosh

Recovering Information from Damaged Media

Physical Damage Recovery Techniques

Recovering Data After Logical Damage

File Carving

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 6 ASSESSMENT

CHAPTER 7      Email Forensics

How Email Works

Email Protocols

Faking Email

Email Headers

Getting Headers in Outlook

Getting Headers from Yahoo! Email

Getting Headers from Gmail

Other Email Clients

Email Files

Paraben’s Email Examiner

ReadPST

Tracing Email

Email Server Forensics

Email and the Law

The Fourth Amendment to the U.S. Constitution

The Electronic Communications Privacy Act

The CAN-SPAM Act

18 U.S.C. § 2252B

The Communication Assistance to Law Enforcement Act

The Foreign Intelligence Surveillance Act

The USA Patriot Act

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 7 ASSESSMENT

CHAPTER 8      Windows Forensics

Windows Details

Windows History

64-Bit

The Boot Process

Important Files

Volatile Data

Tools

Windows Swap File

Windows Logs

Windows Directories

UserAssist

Unallocated/Slack Space

Alternate Data Streams

Index.dat

Windows Files and Permissions

MAC

The Registry

USB Information

Wireless Networks

Tracking Word Documents in the Registry

Malware in the Registry

Uninstalled Software

Passwords

ShellBag

Prefetch

Volume Shadow Copy

Memory Forensics

Volatility

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 8 ASSESSMENT

CHAPTER 9      Linux Forensics

Linux and Forensics

Linux Basics

Linux History

Linux Shells

Graphical User Interface

K Desktop Environment (KDE)/Plasma

Linux Boot Process

Logical Volume Manager

Linux Distributions

Linux File Systems

Ext

The Reiser File System

The Berkeley Fast File System

Linux Logs

The /var/log/faillog Log

The /var/log/kern.log Log

The /var/log/lpr.log Log

The /var/log/mail.* Log

The /var/log/mysql.* Log

The /var/log/apache2/* Log

The /var/log/lighttpd/* Log

The /var/log/apport.log Log

Other Logs

Viewing Logs

Linux Directories

The /root Directory

The /bin Directory

The /sbin Directory

The /etc Folder

The /etc/inittab File

The /dev Directory

The /mnt Directory

The /boot Directory

The /usr Directory

The /var Directory

The /var/spool Directory

The /proc Directory

Shell Commands for Forensics

The dmesg Command

The fsck Command

The grep Command

The history Command

The mount Command

The ps Command

The pstree Command

The pgrep Command

The top Command

The kill Command

The file Command

The su Command

The who Command

The finger Command

The dd Command

The ls Command

Can You Undelete in Linux?

Manual Method

Kali Linux Forensics

Forensics Tools for Linux

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 9 ASSESSMENT

CHAPTER 10    Macintosh Forensics

Mac Basics

Mac History

Mac File Systems

Partition Types

Macintosh Logs

The /var/log Log

The /var/spool/cups Folder

The /Library/Receipts Folder

The /Users/<user>/.bash_history Log

The /var/vm Folder

The /Users/ Directory

The /Users/<user>/Library/Preferences/ Folder

Directories

The /Volumes Directory

The /Users Directory

The /Applications Directory

The /Network Directory

The /etc Directory

The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File

Macintosh Forensic Techniques

Target Disk Mode

Searching Virtual Memory

Shell Commands

How to Examine a Mac

Can You Undelete in Mac?

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 10 ASSESSMENT

CHAPTER 11    Mobile Forensics

Cellular Device Concepts

Terms

Operating Systems

The BlackBerry

What Evidence You Can Get from a Cell Phone

Types of Investigations

Phone States

Seizing Evidence from a Mobile Device

The iPhone

BlackBerry

JTAG

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 11 ASSESSMENT

CHAPTER 12    Performing Network Analysis

Network Packet Analysis

Network Packets

Network Attacks

Network Traffic Analysis Tools

Network Traffic Analysis

Using Log Files as Evidence

Wireless

Router Forensics

Router Basics

Types of Router Attacks

Getting Evidence from the Router

Firewall Forensics

Firewall Basics

Collecting Data

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 12 ASSESSMENT

PART III                Incident Response and Resources

CHAPTER 13    Incident and Intrusion Response

Disaster Recovery

Incident Response Plan

Incident Response

Preserving Evidence

Adding Forensics to Incident Response

Forensic Resources

Forensics and Policy

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 13 ASSESSMENT

CHAPTER 14    Trends and Future Directions

Technical Trends

What Impact Does This Have on Forensics?

Software as a Service

The Cloud

What Impact Does Cloud Computing Have on Forensics?

Legal and Procedural Trends

Changes in the Law

The USA Patriot Act

Private Labs

International Issues

Techniques

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 14 ASSESSMENT

CHAPTER 15    System Forensics Resources

Tools to Use

ASR Data Acquisition & Analysis

AccessData Forensic Toolkit

OSForensics

ComputerCOP

Digital Detective

Digital Intelligence

Disk Investigator

EnCase

X-Ways Software Technology AG

Other Tools

Resources

International Association of Computer Investigative Specialists

EnCase Certified Examiner Certification

AccessData Certified Examiner

Certified Hacking Forensic Investigator

Certified Cyber Forensics Professional

SANS Institute

American Academy of Forensic Sciences

Websites

Journals

Conferences

Laws

The USA Patriot Act

The Electronic Communications Privacy Act of 1986

The Communications Assistance to Law Enforcement Act of 1996

The Health Insurance Portability and Accountability Act of 1996

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 15 ASSESSMENT

APPENDIX A     Answer Key

APPENDIX B     Standard Acronyms

Glossary of Key Terms

References

Index