Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition

System Forensics, Investigation, and Response, 3rd Edition, by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Legal and Procedural Trends

The legal environment in which forensics is conducted changes slowly, but it does change. Normally, the enactment of new laws has very little effect on how evidence is examined; rather, it affects how evidence is seized. For example, in June 2013 the U.S. Supreme Court (Maryland v. King) upheld the collection of DNA samples from arrestees without their consent in certain cases. This significantly changes the collection of evidence, but not the analysis of it.

Changes in the Law

Some laws do make changes to the process of seizing evidence. Laws can alter the requirements for a warrant, exceptions to warrant requirements, and issues of consent to search.

The USA Patriot Act

The most obvious change to U.S. law in reference to forensics in recent years has been the USA Patriot Act. The Patriot Act was designed to combat terrorism. It was not created with computer crime as its focus; however, it has affected computer crime. For example, prior to the Patriot Act, Internet service providers were very limited in what they could share with law enforcement without warrants or subpoenas. Now, they can choose to notify law enforcement if they reasonably believe that they have found evidence of an imminent crime that would endanger lives.

Section 816 of the Patriot Act, titled “Development and Support of Cybersecurity Forensic Capabilities,” calls for the U.S. Attorney General to establish regional computer forensic laboratories, which is the statutory basis for the FBI’s Regional Computer Forensic Laboratory (RCFL) program, with labs in many major cities. A separate provision of the same act, Section 105, expanded the U.S. Secret Service’s Electronic Crimes Task Force initiative into a national network. Both programs include members of state and local law enforcement alongside federal agents.

Private Labs

Private forensic labs are becoming more common. These laboratories handle forensic examinations for private companies, for attorneys, and sometimes for law enforcement agencies. More and more forensic investigations are being conducted in private labs. This has become routine in other areas of forensics, such as DNA testing.

In the case of civil litigation, it is usually necessary to hire private forensic labs to process evidence. Private labs can gather evidence, analyze it, and produce reports regarding their findings. This data might be used in civil litigation or simply to ascertain the cause of an incident.

Defense attorneys often want their own lab to examine evidence in order to challenge the findings of the state’s lab. The goal may be to confirm or deny what the prosecution has presented or to find some flaw in the methodology utilized by the prosecution. In some cases, the defense is simply seeking grounds for a reasonable doubt that the defendant committed the crime. For example, if the defendant is accused of sending a virus to a victim, and if that virus, along with virus creation utilities, is found on his or her computer, it may seem a hopeless case. However, if the defense can show that other people had access to the computer, or even that other users logged on around the time the virus was sent, this provides reasonable doubt.

It is becoming increasingly common for smaller police departments to outsource their computer forensics to private labs. It is often cost effective. In smaller towns and cities, the cost of equipping the police department with a full computer forensics lab and adequately trained staff may simply be outside their budgets. In those cases, it is more cost effective to outsource computer forensics examinations.

International Issues

Clearly, the cloud presents international legal issues for forensic examiners, but there are other issues as well. What happens when a case is transnational in nature? Cases of bank fraud, identity theft, and money laundering frequently cross national boundaries. Consider an identity theft scheme where a server in Malaysia is used to steal identities while the perpetrator uses his or her laptop in Spain to take money from the victim’s accounts. If the victim lives in a third country, such as the United States, this crime involves three different national jurisdictions.

You might think that in such cases the only answer is to be aware of the laws in each country and ensure they are all obeyed. However, that is rarely necessary. Usually, taking the national laws that are most restrictive to your investigation and following them will satisfy the legal requirements of the less-restrictive jurisdictions.

Techniques

Techniques are always evolving. Because the Daubert standard asks the court to weigh whether a technique has been tested, subjected to peer review, has a known error rate, and is generally accepted in the relevant scientific community, new techniques need to be validated before being relied on in court. This means it is unlikely that a new tool will be released and immediately utilized in court. However, as time passes and the new tool has been tested, often in academic settings, it gains wide acceptance in the field and finds its way into court.

For this reason, it is important that a forensic investigator be aware of changes in technology and have at least a basic familiarity with emerging technologies and techniques. Even if they are not yet being used in court, they could be soon.