Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition

System Forensics, Investigation, and Response, 3rd Edition, by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Network Traffic Analysis

Once you have access to the appropriate tools, you can examine either the live traffic or logs to determine if a crime has been (or is being) committed and to gather evidence about that crime.

Using Log Files as Evidence

An end-to-end investigation looks at an entire attack. It looks at how an attack starts, at the intermediate devices, and at the result of the attack. Evidence may reside on each device in the path from the attacking system to the victim. Routers, virtual private networks (VPNs), and other devices produce logs. Network security devices, such as firewalls and intrusion detection systems (IDSs), also generate logs. An IDS is software that automates the process of monitoring events occurring in a computer system or network, analyzing them for signs of possible incidents, and attempting to stop detected possible incidents.

A device’s log files contain the primary records of a person’s activities on a system or network. For example, authentication logs show accounts related to a particular event and the authenticated user’s IP address. They contain date and time stamps as well as the username and IP address of the requestor. Application logs record the time, date, and application identifier. When someone uses an application, it produces a text file on the desktop system containing the application identifier, the date and time the user started the application, and how long that person used the application.

Operating systems log certain events, such as the use of devices, errors, and reboots. Operating system logs can be analyzed to identify patterns of activity and unusual events. Network device logs, such as firewall and router logs, provide information about the activities that take place on the network. You can also coordinate and synchronize them with logs provided by other systems to create a more complete picture of an attack.

For example, a firewall log may show access attempts that the firewall blocked. These attempts may indicate an attack. Log files can show how an attacker entered a network. They can also help find the source of illicit activities. Log files from servers and Windows security event logs on domain controllers, for instance, can attribute activities to a specific user account. This may lead you to the person responsible.

Intrusion detection systems record events that match known attack signatures, such as buffer overflows or malicious code execution. Configure an IDS to capture all the network traffic associated with a specific event. In this way, you can discover which commands an attacker ran and which files he or she accessed. You can also determine which files the criminal downloaded, such as malicious code, or uploaded, such as files copied from the system.

You bump into a few problems when using log files, however. One is that logs change rapidly, and getting permission to collect evidence from some sources, such as Internet service providers (ISPs), takes time. In addition, volatile evidence is easily lost. Another is that hackers can easily alter logs to include false information.
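The log correlation described above, as an added example that is not from the book: it merges constructed firewall and server authentication records for one source IP after normalizing both to UTC (the firewall's local offset is an assumption), and records a SHA-256 digest of the raw logs at collection so that later alteration can be detected. The log formats, addresses, account names and timestamps are all constructed for the example.

```python
# Added example, not from the book: merge a firewall log and a server auth log
# into one UTC timeline per source IP, and hash the raw logs as collected.
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records in a hypothetical format (no vendor's syntax);
# the firewall stamps local time (UTC-5) while the server logs in UTC.
FIREWALL_LOG = """\
2017-03-04 02:14:07 DENY src=203.0.113.45 dst=192.0.2.10 dport=22
2017-03-04 02:14:09 DENY src=203.0.113.45 dst=192.0.2.10 dport=22
2017-03-04 02:15:30 ALLOW src=203.0.113.45 dst=192.0.2.10 dport=443
"""
AUTH_LOG = """\
2017-03-04T07:15:31Z user=jdoe result=success src=203.0.113.45
2017-03-04T07:20:02Z user=admin result=failure src=198.51.100.7
"""
FW_RE = re.compile(r"(\S+ \S+) (DENY|ALLOW) src=(\S+) dst=\S+ dport=(\d+)")
AUTH_RE = re.compile(r"(\S+) user=(\S+) result=(\S+) src=(\S+)")

def event(ts, source, action, src, detail):
    return {"time": ts, "source": source, "action": action, "src": src, "detail": detail}

def parse_firewall(text, utc_offset_hours):
    # Firewall stamps carry no zone: apply the device offset, then normalize to UTC.
    tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for m in FW_RE.finditer(text):
        local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        events.append(event(local.astimezone(timezone.utc), "firewall",
                            m.group(2), m.group(3), "dport=" + m.group(4)))
    return events

def parse_auth(text):
    # Authentication records are already in UTC (trailing Z).
    events = []
    for m in AUTH_RE.finditer(text):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event(ts, "auth", m.group(3), m.group(4), "user=" + m.group(2)))
    return events

def timeline_for(src_ip, fw_offset_hours=-5):
    # One ordered view of what a single source IP did across both devices.
    events = parse_firewall(FIREWALL_LOG, fw_offset_hours) + parse_auth(AUTH_LOG)
    return sorted((e for e in events if e["src"] == src_ip), key=lambda e: e["time"])

def evidence_hash(*logs):
    # SHA-256 of the raw text at collection time; any later edit changes the digest.
    return hashlib.sha256("".join(logs).encode()).hexdigest()
```

With the offset applied, the blocked attempts, the allowed connection and the successful login for 203.0.113.45 fall into one sequence, tying the activity to the account jdoe; without the offset the firewall events would appear five hours before the login.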

Wireless

Wireless networks are almost everywhere today. Some cities even provide wireless network access to citizens in their areas. In fact, you can often access wireless networks while on an airplane in flight. Wireless connections allow devices to connect to a network without having to physically connect via a cord. This makes it easy to connect computers and devices when running an actual physical cord is either difficult or not practical.

There are some basics of wireless networks you should know:

  • 802.11a—This was the first widely used Wi-Fi standard; it operated at 5 GHz and was relatively slow.

  • 802.11b—This standard operated at 2.4 GHz and had an indoor range of 125 feet with a bandwidth of 11 megabits per second (Mbps).

  • 802.11g—There are still many of these wireless networks in operation, but you can no longer purchase new Wi-Fi access points that use 802.11g. This standard includes backward compatibility with 802.11b. 802.11g has an indoor range of 125 feet and a bandwidth of 54 Mbps.

  • 802.11n—This standard was a tremendous improvement over preceding wireless networks. It obtained a bandwidth of 100 to 140 Mbps. It operates at frequencies of 2.4 or 5.0 GHz, and has an indoor range of up to 230 feet.

  • IEEE 802.11n-2009—This technology gets bandwidth of up to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. It uses multiple-input multiple-output (MIMO), which uses multiple antennas to coherently resolve more information than is possible using a single antenna.

  • IEEE 802.11ac—This standard was approved in January 2014. It provides throughput of up to 1 Gbps, with a minimum of 500 Mbps. It uses up to eight MIMO spatial streams.

  • IEEE 802.11ad Wireless Gigabit Alliance—This supports data transmission rates up to 7 Gbps—more than 10 times faster than the highest 802.11n rate.

Many wireless local area networks (LANs) are either not secured or not well secured. Attackers may compromise a server to allow public access to stolen software, music, movies, or pornography.

The following are the most important forensic concerns with wireless networks:

  • Did a perpetrator use a wireless network entry point for a direct network attack or theft of data?

  • Did an attacker use a third-party wireless network, such as a hotel hotspot, to conceal his or her identity?

In addition to evidence that moves across wireless networking devices, you may find evidence in wireless storage devices. These devices include wireless digital and video cameras, wireless printers with storage capacity, wireless network-attached storage (NAS) devices, tablets and smartphones, wireless digital video recorders (DVRs), and wireless game consoles.

Several tools are available just for discovering wireless networks. Some of the more popular tools include the following:

There are even apps available for both iPhone and Android that can scan for wireless networks. So Wi-Fi scanning can be accomplished with relative ease. If a hacker discovers a poorly secured wireless network, one thing he or she may try is to access the wireless access point’s administrative screen. Unfortunately, too many people turn on these devices and don’t think to change the default settings. There are websites that store default passwords that anyone can look up. One very popular website is http://www.routerpasswords.com.