Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition
System Forensics, Investigation, and Response, 3rd Edition
Published by
Jones & Bartlett Learning, 2017
- Cover Page
- Contents
- System Forensics, Investigation, and Response
- Title Page
- Copyright Page
- Content
- Preface
- About the Author
- PART I Introduction to Forensics
- CHAPTER 1 Introduction to Forensics
- What Is Computer Forensics?
- Understanding the Field of Digital Forensics
- Knowledge Needed for Computer Forensics Analysis
- The Daubert Standard
- U.S. Laws Affecting Digital Forensics
- Federal Guidelines
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 1 ASSESSMENT
- CHAPTER 2 Overview of Computer Crime
- How Computer Crime Affects Forensics
- Identity Theft
- Hacking
- Cyberstalking and Harassment
- Fraud
- Non-Access Computer Crimes
- Cyberterrorism
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 2 ASSESSMENT
- CHAPTER 3 Forensic Methods and Labs
- Forensic Methodologies
- Formal Forensic Approaches
- Documentation of Methodologies and Findings
- Evidence-Handling Tasks
- How to Set Up a Forensic Lab
- Common Forensic Software Programs
- Forensic Certifications
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- PART II Technical Overview: SystemForensics Tools, Techniques, and Methods
- CHAPTER 4 Collecting, Seizing, and Protecting Evidence
- Proper Procedure
- Handling Evidence
- Storage Formats
- Forensic Imaging
- RAID Acquisitions
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 4 ASSESSMENT
- CHAPTER LAB
- CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
- Steganography
- Encryption
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT
- CHAPTER 6 Recovering Data
- Undeleting Data
- Recovering Information from Damaged Media
- File Carving
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 6 ASSESSMENT
- CHAPTER 7 Email Forensics
- How Email Works
- Email Protocols
- Email Headers
- Tracing Email
- Email Server Forensics
- Email and the Law
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- CHAPTER 8 Windows Forensics
- Windows Details
- Volatile Data
- Windows Swap File
- Windows Logs
- Windows Directories
- Index.dat
- Windows Files and Permissions
- The Registry
- Volume Shadow Copy
- Memory Forensics
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- CHAPTER 9 Linux Forensics
- Linux and Forensics
- Linux Basics
- Linux File Systems
- Linux Logs
- Linux Directories
- Shell Commands for Forensics
- Kali Linux Forensics
- Forensics Tools for Linux
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- CHAPTER 10 Macintosh Forensics
- Mac Basics
- Macintosh Logs
- Directories
- Macintosh Forensic Techniques
- How to Examine a Mac
- Can You Undelete in Mac?
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- CHAPTER 11 Mobile Forensics
- Cellular Device Concepts
- What Evidence You Can Get from a Cell Phone
- Seizing Evidence from a Mobile Device
- JTAG
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- CHAPTER 12 Performing Network Analysis
- Network Packet Analysis
- Network Traffic Analysis
- Router Forensics
- Firewall Forensics
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- PART III Incident Response and Resources
- CHAPTER 13 Incident and Intrusion Response
- Disaster Recovery
- Preserving Evidence
- Adding Forensics to Incident Response
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- CHAPTER 14 Trends and Future Directions
- Technical Trends
- Legal and Procedural Trends
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- CHAPTER 15 System Forensics Resources
- Tools to Use
- Resources
- Laws
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 15 ASSESSMENT
- APPENDIX A Answer Key
- APPENDIX B Standard Acronyms
- Glossary of Key Terms
- References
- Index
CHAPTER 3 ASSESSMENT
1. To preserve digital evidence, an investigator should ________.
make two copies of each evidence item using a single imaging tool
make a single copy of each evidence item using an approved imaging tool
make two copies of each evidence item using different imaging tools
store only the original evidence item
2. Bob was asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend for or against using a disk-imaging tool?
A disk-imaging tool would check for internal self-checking and validation and have an MD5 checksum.
The evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file.
A simple DOS copy will not include deleted files, file slack, and other information.
There is no case for an imaging tool because it will use a closed, proprietary format that if compared with the original will not match up sector for sector.
3. It takes ___________ occurrence(s) of overextending yourself during testimony to ruin your reputation.
only one if it is a major case
several
only one
at least two
4. The MD5 message-digest algorithm is used to ________.
wipe magnetic media before recycling it
make directories on an evidence disk
view graphics files on an evidence drive
hash a disk to verify that a disk is not altered when you examine it
5. You should make at least two bitstream copies of a suspect drive.
True
False
6. What is the purpose of hashing a copy of a suspect drive?
To make it secure
To remove viruses
To check for changes
To render it read-only
7. What is the most important reason that you not touch the actual original evidence any more than you have to?
Each time you touch digital data, there is some chance of altering it.
You might be accused of planting evidence.
You might accidentally decrypt files.
It can lead to data degradation.