Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition


System Forensics, Investigation, and Response, 3rd Edition, by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Handling Evidence

Once you have appropriately transported the device and prepared it for forensic examination, you have to handle the evidence. There are specific steps to follow.

Preserving computer evidence requires planning and training in incident discovery procedures. The following sections describe tasks related to handling evidence and measures to take when gathering evidence. To review, a system forensics specialist has three basic tasks related to handling evidence:

  • Find evidence

  • Preserve evidence

  • Prepare evidence

Collecting Data

There are three primary types of data that a forensic investigator must collect: volatile data, temporary data, and persistent data. As an investigator, you must attempt to avoid permanently losing data. Therefore, you must carefully secure the physical evidence. Then you can collect volatile and temporary data. Such data is lost whenever a system is used. You should collect it first to minimize corruption or loss. The following are examples of volatile data:

  • Swap file: The swap file is used to optimize the use of random access memory (RAM). Data is frequently found in the swap file. The details on how to extract data from the swap file vary depending on the installed operating system.

  • State of network connections: This data is captured before the system is shut down.

  • State of running processes: This data is captured before the system is shut down.

After collecting volatile data, you collect temporary data—data that an operating system creates and overwrites without the computer user taking a direct action to save this data. The likelihood of corrupting temporary data is less than that of volatile data. But temporary data is just that—temporary—and you must collect it before it is lost. Only after collecting volatile and temporary data should you begin to collect persistent data.

Documenting Filenames, Dates, and Times

From an evidence standpoint, filenames, creation dates, and last modified dates and times can be relevant. Therefore, it is important to catalog all allocated and “erased” files. Sort the files based on the filename, file size, file content, creation date, and last modified date and time. Such sorted information can provide a timeline of computer usage. The output should be in the form of a word processing–compatible file to help document computer evidence issues tied to specific files.

Identifying File, Program, and Storage Anomalies

Encrypted, compressed, and graphics files store data in binary format. As a result, text search programs can’t identify text data stored in these file formats. These files require manual evaluation, which may involve a lot of work, especially with encrypted files. Depending on the type of file, view and evaluate the content as potential evidence. Reviewing the partitioning on seized hard disk drives is also important. Evaluate hidden partitions for evidence and document their existence. With Windows operating systems, you should also evaluate the files contained in the Recycle Bin. The Recycle Bin is the repository of files selected for deletion by the computer user. The fact that they have been selected for deletion may have some relevance from an evidentiary standpoint. If you find relevant files, thoroughly document the issues involved. Those issues can include the following:

  • How did you find the files?

  • What condition were they in (i.e., did you recover the entire file or just part of the file)?

  • When was the file originally saved?

Remember that the more information you document about evidence, the better.

Evidence-Gathering Measures

Forensic specialists should take the following measures when gathering evidence:

  • Avoid changing the evidence: Before removing any equipment, forensic specialists should photograph equipment in place and label wires and sockets so that computers and peripherals can be reassembled in a laboratory exactly as they were in the original location. When transporting computers, peripherals, and media, forensic specialists must be careful to avoid heat damage, jostling, or touching original computer hard disks and compact discs (CDs). Forensic specialists should also make exact bit-by-bit copies, storing the copies on an unalterable medium, such as a CD-ROM.

  • Determine when evidence was created: Timelines of computer usage and file accesses can be valuable sources of computer evidence. The times and dates when files were created, last accessed, or modified can make or break a case. However, forensic specialists should not trust a computer’s internal clock or activity logs. It is possible that the internal clock is wrong, that a suspect tampered with logs, or that simply turning on the computer changes a log irrevocably. Before logs disappear, an investigator should capture the time a document was created, the last time it was opened, and the last time it was changed. The investigator can then calibrate or recalibrate evidence, based on a time standard, and work around log tampering.

  • Search throughout a device: Forensic specialists must search at the bit level (the level of 1s and 0s) across a wide range of areas inside a computer. This includes email, temporary files, swap files, logical file structures, and slack and free space on the hard drive. They must also search software settings, script files, web browser data caches, bookmarks and history, and session logs. Forensic specialists can then correlate evidence to activities and sources.

  • Determine information about encrypted and steganized files: Investigators should usually not attempt to decode encrypted files. Rather, investigators should look for evidence in a computer that tells them what is in the encrypted file. Frequently, this evidence has been erased, but unencrypted traces remain and can be used to make a case. For steganized information, concealed within other files or buried inside the 1s and 0s of a picture, for example, an investigator can tell if the data is there even though it is inaccessible. The investigator can compare nearly identical files to identify minute differences.

  • Present the evidence well: Forensic examiners must present computer evidence in a logical, compelling, and persuasive manner. The jury must be able to understand the evidence, and the evidence must be solid enough that a defense counsel cannot rebut it. The forensic examiner must be able to create a step-by-step reconstruction of actions, with documented dates and times. In addition, the forensic examiner must prepare charts, graphs, and exhibits that explain both what was done and how it was done, and also can withstand scrutiny. The forensic examiner’s testimony must explain simply and clearly what a suspect did or did not do. The forensic examiner should remember that the jury and judge are rarely savvy computer technologists, and the ability of a forensic examiner to explain technical points clearly in plain English can make or break a case.

This chapter has so far discussed general preparations involved in the initial seizing, duplication, and finding of digital evidence. There’s much more to learn, especially about examining data to find incriminating evidence—evidence that shows, or tends to show, a person’s involvement in an act, or evidence that can establish guilt. One of the three techniques of forensic analysis is live analysis, which is the recording of any ongoing network processes. The remaining two techniques are physical analysis and logical analysis, which both deal with hard drive structures and file formats.

Physical analysis is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. Logical analysis involves using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data. Put another way, physical analysis is looking for things that may have been overlooked, or are invisible, to the user. Logical analysis is looking for things that are visible, known about, and possibly controlled by the user.

Physical Analysis

Two of the easiest things to extract during physical analysis are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer. The user may have attempted to delete these, but you can reconstruct them from various places on the hard drive. Next, you should index the different kinds of file formats.

The file format you start with depends on the type of case. For example, you might want to start with graphics file formats or document formats in a pornography or forgery case. There are lots of other file formats: multimedia, archive, binary, database, font, game, and Internet-related. Computers generally save things in file formats beyond the user’s control. For example, all graphics files have header information. Collectors of pornography usually don’t go to the trouble of removing this header information, so it’s an easy matter of finding, for example, one graphics header at the beginning of a JPEG (Joint Photographic Experts Group) file and doing a string search for all other graphics of that type.
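The header search described above, as an added example that is not from the book: it scans a raw image for the JPEG Start-Of-Image signature (and, going slightly beyond the text, PNG and GIF signatures too), reports every offset at which one appears, and tries to carve each JPEG up to its End-Of-Image marker so that a truncated file in free space is reported as partial. The disk image, file names and the `report` helper are constructed for illustration.

```python
import re

# Magic-byte signatures of common graphics formats. The JPEG SOI marker
# (FF D8 FF) and the 8-byte PNG header are the real file signatures; the
# lookup table itself is constructed for this example.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
JPEG_EOI = b"\xff\xd9"  # JPEG End-Of-Image marker


def find_headers(image: bytes):
    """Return (offset, format) for every signature found anywhere in the raw
    image, including slack and unallocated space, sorted by offset."""
    hits = []
    for fmt, sig in SIGNATURES.items():
        for match in re.finditer(re.escape(sig), image):
            hits.append((match.start(), fmt))
    return sorted(hits)


def carve_jpeg(image: bytes, start: int):
    """Carve one JPEG from its SOI marker to the first following EOI marker.
    Returns None when the trailer is missing (a partial file in free space)."""
    end = image.find(JPEG_EOI, start + len(SIGNATURES["jpeg"]))
    if end == -1:
        return None
    return image[start:end + len(JPEG_EOI)]


# Constructed sample "disk image": an intact JPEG, a PNG header, and a
# truncated JPEG whose tail was overwritten, all surrounded by filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
    + b"\x00" * 8
    + b"\x89PNG\r\n\x1a\n" + b"IHDR..."
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe1" + b"truncated"
)


def report(image: bytes):
    """Summarise every header found as (offset, format, carved_size);
    carved_size is None for non-JPEG hits and for JPEGs with no EOI marker."""
    out = []
    for offset, fmt in find_headers(image):
        carved = carve_jpeg(image, offset) if fmt == "jpeg" else None
        out.append((offset, fmt, None if carved is None else len(carved)))
    return out


if __name__ == "__main__":
    for offset, fmt, size in report(SAMPLE_IMAGE):
        print(f"offset {offset:5d}  {fmt:4s}  carved_bytes={size}")
```

The same scan run over a full forensic duplicate finds headers that no longer belong to any directory entry, which is why the text calls this one of the easiest physical-analysis extractions.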

The following sections describe some of the places that an investigator must physically analyze.

The swap file

You read briefly about the swap file earlier in this chapter. A swap file is the most important type of ambient data. Windows uses a swap file on each system as a “scratch pad” to write data to when additional RAM is needed. A swap file is a virtual memory extension of RAM. Most computer users are unaware of the existence of swap files. The size of these files is usually about 1.5 times the size of the physical RAM in the machine. Swap files contain remnants of word processing documents, emails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions. Swap files can be temporary or permanent, depending on the version of Windows installed and the settings selected by the computer user. Permanent swap files are of the greatest forensic value because they hold larger amounts of information for longer periods of time. However, temporary, or dynamic, swap files are more common. These files shrink and expand as necessary. When a dynamic swap file reduces its size to close to zero, it sometimes releases the file’s content to unallocated space, which you can also forensically examine.

Unallocated space, or free space, is the area of a hard drive that has never been allocated for file storage, or the leftover area that the computer regards as unallocated after file deletion. The only way to clean unallocated space is with cleansing devices known as sweepers or scrubbers. Although the term “scrubber” implies they clean, they are actually writing over the unallocated old fragments to remove that evidence. A few commercial products scrub free space to Department of Defense (DoD) standards, meaning they rewrite up to seven times, but more often the process is done once or twice. The fragments of old files in free space can be anywhere on the disk, even on a different partition, but they tend to fall next to partition headers, file allocation tables (FAT), and the last sectors of a cluster.

Logical Analysis

You must examine the logical file and directory structure to reconstruct what the user was doing with his or her computer. Rarely does an investigator run across a signed confession in the My Documents folder. Most perpetrators are smarter than that. They use various tactics to hide what they’ve been doing. For example, perpetrators often use unusual file paths. In addition, many try to thwart investigators by using encryption to scramble information or steganography to hide information, or both together. Or they may use metadata to combine different file formats into one format. You can also expect to find lots of deleted, professionally scrubbed data.

An investigator hopes to trace the uses that a suspect computer has been set up for. Certain types of criminals optimize their systems for different uses. For example, a programmer optimizes for speed, a pornographer for storage, and a stalker for messaging. You must go about logical analysis methodically. Divide the data on the hard drive into layers and try to find evidentiary information at each layer. Look for peculiarities on each layer and then choose the right extraction tool.

Creating a Timeline

To reconstruct the events that led to corruption of a system, create a timeline. This can be particularly difficult when it comes to computers, however. Clock drift, delayed reporting, and different time zones can create confusion. Never change the clock on a suspect system. Instead, record any clock drift and the time zone in use.
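The calibration the text describes in "Determine when evidence was created" and in this section, as an added example that is not from the book: each evidence source carries the time zone the investigator recorded for it and the clock drift measured against a reference clock at seizure, and every raw timestamp is converted to UTC and corrected for that drift before the events are ordered. The sources, drifts, timestamps and event descriptions are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed evidence sources. "tz" is the UTC offset the investigator
# recorded for that system; "drift" is how far its clock ran ahead of the
# reference clock when seized (negative means it ran behind).
SOURCES = {
    "suspect-pc": {"tz": timezone(timedelta(hours=-4), "EDT"),
                   "drift": timedelta(minutes=7, seconds=12)},
    "firewall": {"tz": timezone.utc, "drift": timedelta(seconds=-3)},
    "mail-server": {"tz": timezone(timedelta(0), "GMT"),
                    "drift": timedelta(0)},
}

# Constructed raw events: (source, timestamp as logged locally, description).
RAW_EVENTS = [
    ("suspect-pc", "2017-03-14 09:15:30", "report.docx last modified"),
    ("firewall", "2017-03-14 13:10:35", "outbound connection to mail host"),
    ("mail-server", "2017-03-14 13:10:41", "message accepted from client"),
    ("suspect-pc", "2017-03-14 09:17:40", "report.docx attached to email"),
]


def normalize(source: str, stamp: str) -> datetime:
    """Interpret a source's local timestamp in its recorded zone, convert it
    to UTC, and subtract the measured drift so all sources share one clock."""
    info = SOURCES[source]
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=info["tz"])
    return local.astimezone(timezone.utc) - info["drift"]


def build_timeline(events):
    """Return (corrected_utc, source, description) tuples in true order."""
    corrected = [(normalize(src, stamp), src, desc) for src, stamp, desc in events]
    return sorted(corrected)


if __name__ == "__main__":
    for when, src, desc in build_timeline(RAW_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {src:12s} {desc}")
```

Without the drift correction the suspect PC's "attached to email" event would appear to follow the mail server's acceptance record, which is exactly the kind of contradiction defense counsel would seize on.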