Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition


System Forensics, Investigation, and Response, 3rd Edition by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Forensic Methodologies

You will learn very specific techniques for computer forensics; however, it is important that you have a general framework for approaching forensics. This section examines general principles and specific methodologies you can apply to your own forensic investigations. First, here are some basic principles to consider.

Handle Original Data as Little as Possible

A forensic specialist should touch the original data as little as possible. Instead, information should be copied prior to examination. This means that the first step in any investigation is to make a copy of the suspected storage device. In the case of computer hard drives, you make a complete copy. That means a bit-level copy. Tools like EnCase, Forensic Toolkit, and OSForensics will do this for you; it is also possible to do this with basic Linux commands. In addition, it is a common practice to make two copies of the drive. This gives you one to work with and a backup in the event you need it.

The idea of handling original information as little as possible is a critical philosophy that should permeate your approach to forensics. But the real question is, why? Why is it so important that you not touch the actual original evidence any more than you have to? The first answer to that question is that each time you touch digital information, there is some chance of altering it. Even such a simple thing as changing the time/date stamp on a file is altering it. And if you alter the file, you cannot be certain that the evidence you find is valid.

Another reason is that another investigator may need to perform an independent examination. If you have worked with the original information, you may have altered it so that another person can no longer do a fresh analysis. There are many situations in which another examiner will need to review the original information. The most obvious is when the opposing counsel hires an expert who wants to conduct an independent examination.

This stems from a principle known in forensics as Locard’s principle of transference. Edmond Locard was a pioneer in forensics. Although he dealt with physical forensics (hair, blood, etc.) and lived long before the advent of the computer age, his concepts are still applicable. Essentially, he stated that you cannot interact with an environment without leaving some trace. This is true of computers as well. For example, the moment you log in to a Windows system, you have changed a few Windows Registry keys, added entries to the logs, and changed a few temp files.

There are times when live forensics may be needed; however, that is always a secondary choice. The preference is to work with an image of a drive, rather than the actual drive.
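The imaging step described above, as an added example that is not code from the book or from any of the tools it names: the suspect drive is read once, byte for byte, while a SHA-256 digest is computed on the same stream (the equivalent of a `dd` piped through a hashing tool); the second copy the text recommends is made from the verified working image rather than by reading the original again; each image is then re-hashed and compared with the acquisition hash. A temporary file filled with random bytes stands in for the drive (constructed sample data), and the file names and the record layout are the example's own choices.

```python
"""Bit-level imaging with hash verification (added example, not the book's code)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read 64 KiB at a time, comparable to dd with bs=64K


def sha256_of(path):
    """Hash a file chunk by chunk so that large images never sit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, dest):
    """Copy every byte of `source` to `dest`; return (bytes_copied, sha256 of the stream).

    The source is opened read-only, which is the software side of 'touch the original
    as little as possible'; on real hardware a write blocker enforces the rest.
    """
    h = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            h.update(block)
            copied += len(block)
    return copied, h.hexdigest()


def verify_image(path, expected_sha256):
    """Re-hash an image and compare it with the hash taken at acquisition time."""
    return sha256_of(path) == expected_sha256


def acquire(source, workdir):
    """Produce a working image and a backup image, verify both, and return a record
    suitable for the case notes (hash, size, per-image verification result)."""
    working = os.path.join(workdir, "image-working.dd")
    backup = os.path.join(workdir, "image-backup.dd")
    size, source_hash = image_device(source, working)  # the only read of the original
    image_device(working, backup)                       # second copy made from the image
    record = {"source_sha256": source_hash, "bytes": size, "images": []}
    for path in (working, backup):
        record["images"].append({"path": path, "verified": verify_image(path, source_hash)})
    record["all_verified"] = all(i["verified"] for i in record["images"])
    return record


def demo():
    """Acquire a constructed 1 MiB 'drive', then show that a later change to the
    backup (one appended byte) is caught by re-verification."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "suspect-drive.bin")
        with open(drive, "wb") as f:
            f.write(os.urandom(1 << 20))  # constructed: random bytes stand in for a disk
        record = acquire(drive, tmp)
        backup = record["images"][1]["path"]
        with open(backup, "ab") as f:
            f.write(b"\x00")  # simulate the backup being touched after acquisition
        record["backup_still_verifies"] = verify_image(backup, record["source_sha256"])
        return record


if __name__ == "__main__":
    print(demo())
```

Making the backup from the working image instead of re-reading the drive is a design choice of this example: it keeps the original to a single read, and the backup is still checked against the acquisition hash, so a bad copy is detected either way.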

Comply with the Rules of Evidence

During an investigation, a forensic specialist should keep in mind the relevant rules of evidence. The chain of custody and the Daubert standard, for instance, are just two of these that you must follow.

Rules of evidence govern whether, when, how, and why proof of a legal case can be placed before a judge or jury. A forensic specialist should have a good understanding of the rules of evidence in the given type of court and jurisdiction.

As one example, the Federal Rules of Evidence (FRE) are a code of evidence law. The FRE govern the admission of facts by which parties in the U.S. federal court system may prove their cases. The FRE provide guidelines for the authentication and identification of evidence for admissibility under rules 901 and 902. The following is an excerpt from rule 901 of the FRE from Cornell University Law School (2011), with the portions relevant to computer forensics shown:

  1. In General. To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.…

(1) Testimony of a Witness with Knowledge. Testimony that an item is what it is claimed to be.…

(3) Comparison by an Expert Witness or the Trier of Fact. A comparison with an authenticated specimen by an expert witness or the trier of fact.…

(9) Evidence About a Process or System. Evidence describing a process or system and showing that it produces an accurate result.

Item 1 refers to expert testimony. You, as a forensic examiner, may be called upon to authenticate evidence. Item 3 refers to a comparison between a given specimen and another item. This can be used to authenticate evidence. Item 9 is critical for computer forensics. Even if you use automated tools such as EnCase from Guidance Software or Forensic Toolkit from AccessData, you should understand how the tools work in detail so you can authenticate the process if need be.

Individual jurisdictions may have some additional rules particular to that jurisdiction. It is critical that you be aware of the rules in your jurisdiction as well as general rules of evidence.

Avoid Exceeding Your Knowledge

A forensic specialist should not undertake an examination that is beyond his or her current level of knowledge and skill. This might seem obvious, but it is a problem that you can observe not just in forensics, but in the IT industry in general. Most other professions are more than happy to refer a client to a specialist. For example, if you see your family doctor and she discovers an anomaly regarding your heart, she will refer you to a cardiologist. Certainly she studied cardiology in medical school, but she will still send you to someone who specializes in cardiology. However, IT professionals all too often believe that if they have a little knowledge, that is enough to proceed.

This can be very problematic in forensics. Suppose you are a very skilled forensic examiner, and you have extensive experience with Microsoft Windows and Linux. But a computer is brought to you that runs Mac OS X. Now it is very likely that your skills would allow you to extract data. And it is true that OS X is based on a Linux-like system (FreeBSD). But is that enough? Very likely it is not. If you insist on doing the investigation yourself, it is very likely that you will miss key evidence or, at the very least, that the opposition’s attorney can claim in court that you have.

These basic principles should guide your forensic investigation. These are not specific procedures, but rather general philosophical approaches to investigation.

Create an Analysis Plan

Before you begin any forensic examination, you should have an analysis plan. This plan is a guide for your work. How will you gather evidence? Are there concerns about evidence being changed or destroyed? What tools are most appropriate for this specific investigation? Is this a federal or state case? Will this affect admissibility rules? You should address all of these issues in your data analysis plan. It is advisable to have a standard data analysis plan that you simply customize for specific situations.

Technical Information Collection Considerations

System forensics specialists must keep in mind three main technical data collection considerations: understanding the life span of information, collecting information quickly, and collecting bit-level information.

Considering the Life Span of Information

In planning collection efforts, a forensic specialist must be aware that information has a life span. Life span refers to how long information is valid. The term is related to volatility: more volatile information tends to have a shorter life span. The nature of the information as well as organizational policies and practices determine the information’s life span. For example, data regarding network traffic and the messages themselves may exist only for the time the transmission is passing through a router. This may be only milliseconds. Information held in a device’s memory, such as a complete packet, may likewise have a life span of a millisecond; in the case of a cached IP address, the life span may be 20 minutes. In either case, memory is volatile because it lasts only for as long as the device is powered, so the forensic specialist must act accordingly.

As information life spans increase, the life span determinant is typically related to organizational practice. For example, an organization may establish an email retention policy that an email message may be stored within the email system for only 30 days. After 30 days, any message that is not moved to alternate storage is deleted. Log files may be retained for months or years, in accordance with an organization’s audit policy. Finance and accounting information may have a multiple-year life span that corresponds with requirements established by state or federal governments.

In planning a collection effort, forensic specialists must be aware of the life span of the information with which they are working. They must use collection techniques appropriate to the information’s life span.

Collecting Information Quickly

Once the collection effort is announced or in process, it is important to collect the evidence as quickly as possible. It is frequently not possible or practical to determine who made a change or when. In addition, the target of an investigation may try to conceal information, which further obscures changes. Networking systems also increase the potential for unauthorized changes. The person making a change on a network does not have to be local to the device on which the information is stored.

Collecting Bit-Level Information

To be useful, 1 and 0 bits must be converted through hardware and software into text, pictures, screen displays, videos, audio, or other usable formats. Investigators also look for whether unrelated bits were inserted, such as trade secrets buried within other files. Forensic specialists must therefore have tools that allow manipulation and evaluation of bit-level information. Use of bit-level tools also enables an investigator to reconstruct file fragments if files have been deleted or overwritten.

Basically, bit-level information is information at the level of actual 1s and 0s stored in memory or on the storage device, as opposed to going through the file system’s interpretation. Whatever operating system is being used simply shows its representation of the data. Going to a bit-level view gives the most accurate view of how the information is actually stored on the hardware. If you use the file system to copy a suspect drive, you probably won’t get slack space or hidden partitions. But you will get those items with a bit-level copy.
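The contrast drawn above between the file system's view and a bit-level view, as an added example that is not code from the book: a constructed byte string stands in for a raw image of a small volume, with a directory table that lists one live text file. The blocks of a deleted PNG are still present but are no longer referenced by the table, and a decoy PNG signature with a corrupt chunk sits in another block. Reading through the directory table shows only the live file; scanning every byte of the image and walking the PNG chunk structure recovers the deleted file intact and rejects the decoy. The block size, the directory-table layout and the PNG builder are this example's own assumptions.

```python
"""Carving a deleted file from a bit-level image (added example, not the book's code)."""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
BLOCK = 512  # assumed block size of the constructed volume


def build_png(width, height):
    """Build a minimal valid 8-bit greyscale PNG (constructed sample file)."""
    def chunk(tag, data):
        body = tag + data  # the CRC covers type and data, not the length field
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes([0x80] * width) for _ in range(height))  # filter byte + pixels
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def carve_png(image):
    """Return (offset, bytes) for every PNG whose chunk chain is intact up to IEND.

    Walks length/type/data/CRC chunk by chunk instead of searching for an 'IEND'
    string, so a stray signature followed by corrupt data is rejected, not carved.
    """
    found = []
    pos = image.find(PNG_MAGIC)
    while pos != -1:
        cur, end = pos + len(PNG_MAGIC), None
        while cur + 8 <= len(image):
            length, tag = struct.unpack(">I4s", image[cur:cur + 8])
            nxt = cur + 12 + length
            if nxt > len(image):
                break
            stored_crc = struct.unpack(">I", image[cur + 8 + length:nxt])[0]
            if stored_crc != (zlib.crc32(image[cur + 4:cur + 8 + length]) & 0xFFFFFFFF):
                break
            cur = nxt
            if tag == b"IEND":
                end = cur
                break
        if end is not None:
            found.append((pos, image[pos:end]))
        pos = image.find(PNG_MAGIC, pos + 1)
    return found


def build_sample_image():
    """Constructed volume: one live file in the directory table, the unreferenced
    blocks of a deleted PNG, and a decoy signature whose IHDR CRC is wrong."""
    png = build_png(4, 2)
    live = b"case notes: nothing to see here\n"
    decoy = PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + b"\x00" * 13 + b"\xde\xad\xbe\xef"
    blocks = [bytearray(BLOCK) for _ in range(6)]
    blocks[1][:len(live)] = live            # block 1: live file, listed in the table
    blocks[3][:len(png)] = png              # block 3: deleted PNG, no table entry
    blocks[5][:len(decoy)] = decoy          # block 5: decoy that a naive search would carve
    directory = {"notes.txt": (1, len(live))}  # name -> (first block, size in bytes)
    return b"".join(blocks), directory, png


def file_system_view(image, directory):
    """What the operating system shows: only files the directory table references."""
    return {name: bytes(image[b * BLOCK:b * BLOCK + size]) for name, (b, size) in directory.items()}


def demo():
    image, directory, png = build_sample_image()
    carved = carve_png(image)
    return {
        "listed": sorted(file_system_view(image, directory)),
        "carved_offsets": [off for off, _ in carved],
        "recovered_intact": [data for _, data in carved] == [png],
    }


if __name__ == "__main__":
    print(demo())
```

The same scan could be run over the image produced by the acquisition step earlier in this chapter; the point is that the carver never consults the directory table, which is why it sees the deleted file and why a copy made through the file system would not.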