Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition System Forensics, Investigation, and Response, 3rd Edition by Easttom Published by Jones & Bartlett Learning, 2017
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: SystemForensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Fraud

Fraud is a broad category of crime that can encompass many different activities. Essentially, any attempt to gain financial reward through deception is fraud. Two major subclasses of fraud are as follows:

  • Investment offers

  • Data piracy

The following sections briefly examine these classes of computer fraud.

Investment Offers

Investment offers are neither new nor necessarily illegal. In fact, cold-calling is a legitimate sales technique when selling stocks. However, the process can be used to artificially and fraudulently inflate the value of a target stock. The most common version of this is called the “pump and dump.” In this scheme, the perpetrators buy significant amounts of stock in a company that is relatively cheap, often penny stocks. Then, they fuel false rumors that the company is on the verge of some large contract or other business deal that would increase its value significantly. This artificially drives up the price of the stock. Once the rumors have raised the stock as high as the criminals think it will go, they dump their stock at an inflated price, thus making substantial profits. Eventually, once it is clear the rumors were not true, the stock’s value will drop again. The people who purchased the stock at an inflated price, but were not in on the scam and did not know to sell their stock before its value plummeted, lose significant amounts of money.

The growth of the Internet did not create these scams—they existed long before the Internet. But the widespread popularity and speed of the Internet simply made scams easier to perpetrate. For example, with the pump and dump, the Internet allows the perpetrator to create fake blogs, bulletin board postings, and emails, all claiming the target stock is likely to rise in value. The key to Internet-based fraud of this kind is, instead of cold-calling via the phone, to send an enticing email to as many recipients as possible. Of course, the perpetrator realizes that most people will not respond to the email, but if even a tiny percentage do, and the perpetrator sends out a million emails, he or she can still pull in a significant amount of money.

One of the more common Internet schemes involves sending out an email that suggests that you can make a large sum of money with a very minimal investment. It may be a processing fee you must submit in order to receive some lottery winnings, or perhaps legal fees in order to receive some inheritance. Perhaps the most famous of these schemes has been the Nigerian fraud. In this scenario, an email is sent to a large number of random email addresses. Each email contains a message purporting to be from a relative of some deceased Nigerian doctor or government official, always of significant social standing. (It’s more likely to convince victims that the arrangement is legitimate if it seems to involve people of good social standing.) The offer goes like this: A person has a sum of money he or she wants to transfer out of his country, and he or she cannot use normal channels. He or she wants to use your bank account to “park” the funds temporarily. If you allow the person access to your account, you will receive a hefty fee. If you do agree to this arrangement, you will receive, via normal mail, a variety of very official-looking documents—enough to convince most casual observers that the arrangement is legitimate. You will then be asked to advance some money to cover items such as taxes and wire fees. Should you actually send any money, however, you will lose it, and you will never hear from these individuals again. The U.S. FBI has issued a bulletin detailing this particular fraud scheme. Further FBI Internet crime information is available at http://www.fbi.gov/scams-safety/fraud/internet_fraud.

How Does This Crime Affect Forensics?

The key in this sort of crime is to begin by tracing the communications. If it is a fake blog that is endorsing some investment, then someone had to register the domain for that blog. If there are emails involved, they had to come from somewhere. Of course, the more sophisticated the attacker, the less evidence there will be. Another way to seek evidence outside computer forensics is to follow the money. Someone is reaping financial rewards from the scheme.

Data Piracy

Intellectual property is a very real commodity. Large companies spend millions of dollars on filing patents and defending their patents and copyrights. The Internet makes distribution of illegally copied materials, or data piracy, very easy. You are probably quite familiar with illegal music downloads; however, that is only one aspect of intellectual property theft.

Illegal copies of software can be found on the Internet. There are websites that have such copies or the activation codes for software. These sites are colloquially referred to as warez (pronounced like wares) sites. As a consumer, the best advice to follow is “If it seems too good to be true, it is probably not true.” In other words, if a website boasts of a $400 software package for $89, that is probably illegally copied software.

How Does This Crime Affect Forensics?

The investigation of this sort of crime involves trying to trace the owners of the website that is distributing the intellectual property. This involves finding out who registered the domain and performing a Who is search on that domain. If the perpetrator is clever, he or she will hide behind several identities. However, the starting point is to track the website distributing the intellectual property.