Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition

System Forensics, Investigation, and Response, 3rd Edition, by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Forensic Certifications

You have a lab, you have software, but what about personnel? When evaluating potential candidates, looking for those who have taken a forensic class is a very good first step, but you should also look for candidates who have earned industry certifications. Before looking at specific certifications, let’s discuss computer certifications in general.

Certifications have always been a controversial topic. Some people swear by them and won’t even interview a candidate who does not have a few. Other people are convinced they are worthless. The issue stems from a misunderstanding of what a certification means. It is not meant to certify the person as an expert or master in a specific field. Rather, a certification implies that the person has a working knowledge of the subject matter the certification covers; it is meant to demonstrate a baseline of competence.

Think about a medical degree. Simply having an MD does not guarantee the person is a brilliant physician. It just shows that the person achieved a certain minimum skill level. There is certainly a wide variation in skills among physicians. The same thing occurs with IT certifications. There are people with the Certified Information Systems Security Professional (CISSP®) credential from the International Information Systems Security Certification Consortium ((ISC)²) who are brilliant security professionals with a very deep understanding of security and a wide set of skills. There are others with that credential who are only moderately competent.

Another issue with certifications is the boot camp. These programs are usually four or five days of intense study in which the material needed to pass a certification test is crammed into the students. On the final day, when it is all still fresh in their minds, they take the relevant certification test. This does lead to many boot camp attendees forgetting everything a few months later; however, this can be seen not as a failure of the training but rather of the student. If you attend a boot camp, it is incumbent upon you to keep your skills up after the training is over.

Regardless of your personal feelings about certifications, it is a fact that they can only help your résumé as a forensic analyst. That doesn’t mean, however, that you should ever hire any IT professional based solely on certifications. They are only one part of the total résumé. A combination of the right certifications along with formal education and experience makes an ideal candidate.

So what are the right certifications? Forensics is a very broad topic that requires analysts to have both broad and deep knowledge. Some of this knowledge is obtained in a formal degree program, whereas some is obtained on the job. But anywhere you have a gap in your knowledge, or simply want to enhance your résumé, is a good place to add a certification. You need knowledge in the following areas:

  • PC hardware: This can be obtained in a basic hardware course at a college or via the CompTIA A+ certification.

  • Basic networking: Most computer science–related degrees include a course in basic networking. This satisfies your needs as a forensic expert. However, you might consider the CompTIA Network+ or the Cisco Certified Network Associate certifications.

  • Security: You must have a general knowledge of security. This can be best demonstrated with the (ISC)² CISSP certification or the CompTIA Security+ certification.

  • Hacking: Yes, you do need to know what the hackers know. A few certifications for this area of study exist. One is Offensive Security’s test, which requires hands-on hacking. Additionally, there are the Certified Ethical Hacker from EC Council and the GIAC Penetration Tester (GPEN) from SANS.

Now that you have learned about certifications in general, it’s time to consider specific forensic certifications. The following sections examine two vendor certifications. Clearly, if your lab uses a specific tool, it is a good idea to have analysts who are certified in that tool. Subsequent sections explore a few general forensic certifications. These tests are about forensic methodologies rather than a specific tool.

EnCase Certified Examiner Certification

Guidance Software, the creator of EnCase, sponsors the EnCase Certified Examiner (EnCE) certification program. EnCE certification is open to the public and private sectors. This certification focuses on the use and mastery of system forensics analysis using EnCase. For more information on EnCE certification requirements, visit http://www.guidancesoftware.com.

AccessData Certified Examiner

AccessData is the creator of Forensic Toolkit (FTK) and sponsors the AccessData Certified Examiner (ACE) certification program. ACE certification is open to the public and private sectors. This certification is specific to the use and mastery of FTK. Requirements for taking the ACE exam include completing the AccessData boot camp and Windows forensic courses. For more information on ACE certification, visit http://www.accessdata.com.

OSForensics

OSForensics has a certification test that covers a few basics of forensic methodology, but focuses on the use of the OSForensics tool. This certification does not have specific educational requirements. You can take an online course, a self-study, or an in-person course. For more information visit http://www.osforensics.com.

Certified Cyber Forensics Professional

The Certified Cyber Forensics Professional (CCFP) is a test from ISC2, the same organization that created the CISSP certification. This test is about forensic science, legal principles, and forensic concepts. It does not deal with specific tools.

EC Council Computer Hacking Forensic Investigator

The EC Council Computer Hacking Forensic Investigator (CHFI) certification is a good general forensic certification. EC Council is more widely known for its Certified Ethical Hacker test, but its forensic test is a solid choice. It covers the general principles and techniques of forensics rather than specific tools like EnCase or FTK. This is a good starting point for learning forensics. You can learn more at its website at https://www.eccouncil.org/programs/computer-hacking-forensic-investigator-chfi/.

High Tech Crime Network Certifications

The High Tech Crime Network (HTCN) certifications are solid and well designed, but they are not as widely known as some of the other certifications. HTCN offers several levels of certification, each with different requirements:

  • Certified Computer Crime Investigator, Basic

  • Certified Computer Crime Investigator, Advanced

  • Certified Computer Forensic Technician, Basic

  • Certified Computer Forensic Technician, Advanced

HTCN certification is open to anyone in a computing investigations profession.

HTCN requires a review of all related training. This includes training in one of its approved courses, a written test for the specific certification, and a review of the candidate’s work history. It is the review of the candidate’s work history that makes these certifications stand out from the others. The HTCN website, http://www.htcn.org, specifies the requirements for the various certification levels.

Global Information Assurance Certification Certifications

The Global Information Assurance Certification (GIAC) certifications are well respected in the IT industry. The organization offers security, hacking, and forensic certifications. GIAC provides several levels of certification, beginning with the GIAC Certified Forensic Analyst (GCFA) and culminating with the GIAC Certified Forensic Examiner (GCFE). You can learn more about the certifications at the GIAC website at http://www.giac.org/certifications.