Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition


System Forensics, Investigation, and Response, 3rd Edition, by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

What Evidence You Can Get from a Cell Phone

A cell phone, or tablet, can be a treasure trove of forensic information. This is one area of digital forensics that definitely extends well beyond the scope of computer crimes. With mobile devices, the evidence found can be relevant to any crime.

Items you should attempt to recover from a mobile device include the following:

  • Call history

  • Emails, texts, and/or other messages

  • Photos and video

  • Phone information

  • Global positioning system (GPS) information

  • Network information

The call history lets you know who the user has spoken to and for how long. Yes, this is easily erasable, but many users don’t erase their call history. Or perhaps the suspect intended to delete this data and simply did not get to it yet. In either case, call history does not provide direct evidence of a crime—with the exception of cyberstalking cases. In a cyberstalking case, the call history can show a pattern of contact with the victim. However, in other cases, it provides only circumstantial evidence. For example, if John Smith is suspected of drug dealing and his call history shows a pattern of regular calls to a known drug supplier, by itself this is not adequate evidence of any crime. However, it aids the investigators in getting an accurate picture of the entire situation.

Most phones allow sending and receiving emails and messages in SMS or other formats. Gathering this evidence from a mobile device can be very important: both the parties the suspect is communicating with and the actual content of the communications matter.

Photos and video can provide direct evidence of a crime. In child pornography cases, the relevance is obvious. However, it may surprise you to know that it is not uncommon for some criminals to actually photograph or videotape themselves committing serious crimes. This is particularly true of young criminals conducting unplanned crimes or conducting crimes under the influence of drugs or alcohol.

Information about the phone should be one of the first things you document in your investigation. This will include model number, serial number of the SIM card, operating system, and other similar information. The more detailed, descriptive information you can document, the better.

Global positioning system information has become increasingly important in a variety of cases. So many individuals have devices with GPS enabled that it would seem negligent for a forensic analyst not to retrieve this information. GPS information has begun to play a significant role in contentious divorces, for instance. If someone suspects a spouse of being unfaithful, determining that the spouse’s phone and his or her car were at a specific motel when he or she claimed to be at work can be important.

It should be noted that until recently, many cell phones did not provide true GPS. Rather than using GPS satellites to determine location (the most reliable method), they used triangulation of signal strength with various cell towers. This could lead to inaccuracies of up to 50 to 100 feet. However, this situation has changed. Many modern phones and/or the apps on the phone use true GPS for much more accurate data.

The use of Wi-Fi along with GPS will improve the accuracy of GPS. The reason for this is that various organizations, including Google, track the Basic Service Set Identifier (BSSID) used by wireless routers and correlate it with physical addresses. The BSSID is a unique address that identifies the access point or router that creates the wireless network; it is the access point’s MAC address. This means that if your phone connects to a wireless access point, then even with no other data, the phone’s location can be pinpointed to within 100 yards or so of that access point.

Network information is also important. What Wi-Fi networks does the phone recognize? This might give you an indication of where the phone has been. For example, if the phone belongs to someone suspected of stalking a victim, and the suspect’s phone network records show he or she has frequently been using Wi-Fi networks in close proximity to the victim’s home, this can be important evidence.
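The BSSID correlation and the review of remembered Wi-Fi networks described above, as an added example that is not from the book: a Python script that resolves a handset's known-networks list against a BSSID-to-coordinates table, orders the resulting fixes in time, and reports whether each fix is certainly, possibly, or not within a chosen distance of a point of interest, carrying the roughly 100-yard access-point uncertainty through to the verdict. The network export, the lookup table, the coordinates, and the `proximity_report` helper are all constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample: a handset's "known networks" export as (SSID, BSSID, last-joined time).
KNOWN_NETWORKS = [
    ("HomeNet", "aa:bb:cc:00:11:22", "2017-03-01T22:14:00"),
    ("CoffeeShop", "AA:BB:CC:33:44:55", "2017-03-02T08:05:00"),
    ("Linksys", "AA:BB:CC:66:77:88", "2017-03-02T23:40:00"),
    ("xfinitywifi", "DE:AD:BE:EF:00:01", "2017-03-03T01:10:00"),  # absent from the lookup table
]
# Constructed BSSID -> (lat, lon) table standing in for a commercial access-point geolocation database.
BSSID_LOCATIONS = {
    "AA:BB:CC:00:11:22": (40.7128, -74.0060),
    "AA:BB:CC:33:44:55": (40.7306, -73.9352),
    "AA:BB:CC:66:77:88": (40.7311, -73.9355),
}
AP_RADIUS_M = 100.0  # the text's "within 100 yards or so", carried here as a 100 m uncertainty circle

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres using a 6371 km mean Earth radius."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(a))

def build_timeline(networks, db):
    """Resolve remembered BSSIDs to coordinates; return time-ordered fixes and the BSSIDs that did not resolve."""
    fixes, unresolved = [], []
    for ssid, bssid, ts in networks:
        key = bssid.upper()  # normalise case so exports from different tools match the table
        if key not in db:
            unresolved.append(key)
            continue
        fixes.append((datetime.fromisoformat(ts), ssid, key) + db[key])
    return sorted(fixes), unresolved

def proximity_verdict(lat, lon, poi_lat, poi_lon, within_m):
    """'certain' if the whole uncertainty circle around the access point lies within range of the
    point of interest, 'possible' if only part of it does, otherwise 'no'."""
    d = haversine_m(lat, lon, poi_lat, poi_lon)
    if d + AP_RADIUS_M <= within_m:
        return "certain"
    return "possible" if d - AP_RADIUS_M <= within_m else "no"

def proximity_report(networks, db, poi_lat, poi_lon, within_m):
    """One (timestamp, SSID, verdict) row per resolved network, oldest first, plus unresolved BSSIDs."""
    fixes, unresolved = build_timeline(networks, db)
    rows = [(when.isoformat(), ssid, proximity_verdict(lat, lon, poi_lat, poi_lon, within_m))
            for when, ssid, _bssid, lat, lon in fixes]
    return rows, unresolved
```

Unresolved BSSIDs are returned rather than dropped so the report shows which remembered networks contributed no location at all.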

Types of Investigations

It is important to keep in mind that cell phone forensics extends beyond traditional cyber crime. In fact, few crimes today do not involve at least some aspect of cyber forensics of the phones of the suspects. The aforementioned GPS information can be important in drug cases, burglaries, homicides, and a variety of other crimes. A few examples are given here:

  • Adam Howe took a “selfie” photo of himself at the scene of a church burglary. This evidence led to a search of the suspect’s property, which turned up the stolen goods from the church.

  • A cell phone was accidentally dropped near a crime scene and was used to identify the alleged perpetrator.

  • In 2013, cell phone pictures led to an arrest in a burglary of a Jared jewelry store. The alleged thief discarded clothing and accidentally dropped his cell phone behind a nearby 7–11. The cell phone photos positively identified him.

Phone States

The National Institute of Standards and Technology (NIST) guidelines at http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-72.pdf list four different states a mobile device can be in when you extract data:

  • Nascent state—Devices are in the nascent state when received from the manufacturer—the device contains no user data and has its original factory configuration settings.

  • Active state—Devices that are in the active state are powered on, performing tasks, and able to be customized by the user and have their file systems populated with data.

  • Quiescent state—The quiescent state is a dormant mode that conserves battery life while maintaining user data and performing other background functions. Context information for the device is preserved in memory to allow a quick resumption of processing when returning to the active state.

  • Semi-active state—The semi-active state is a state partway between active and quiescent. The state is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions.

You should document what state the device is in when you conduct your investigation and analysis. If you change state—for example, by turning on the device—that should also be documented.