Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition


System Forensics, Investigation, and Response, 3rd Edition, by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Resources

Numerous organizations offer certification programs for system forensics. These programs usually test a student after he or she has successfully completed one or more training sessions. Certifying organizations range from nonprofit associations to vendor-sponsored groups. All these programs charge fees for certification. Some require candidates to take vendor- or organization-sponsored training to qualify for the certification.

Some state and federal government agencies have established their own certification programs. These programs address the skills needed to conduct computing investigations at various levels. In addition, a number of universities and other organizations offer courses in system forensics.

The following sections describe some of the most prominent system forensics training programs and certifications.

International Association of Computer Investigative Specialists

The International Association of Computer Investigative Specialists (IACIS) is one of the oldest professional system forensics organizations. It was created by police officers who wanted to formalize credentials in computing investigations. Currently, IACIS limits membership. Only law enforcement personnel and government employees working as system forensics examiners may join.

IACIS conducts an annual two-week training course for qualified members. Students learn to interpret and trace email, acquire evidence properly, identify operating systems, recover data, and understand encryption theory and other topics. Students must pass a written exam before continuing to the next level.

Candidates who complete all parts of the IACIS test successfully receive Certified Forensic Computer Examiner (CFCE) certification. The CFCE process changes as technology changes. Topics include data hiding, determining the file types of disguised files, and accessing password-protected files. The program might also ask a student to find evidence and draw conclusions from it. Students must demonstrate proficiency in technical tools and deductive reasoning. For the latest information about IACIS, visit https://www.iacis.com/.

IACIS requires recertification every three years to demonstrate continuing work in the field of system forensics. Recertification is less intense than the original certification.

EnCase Certified Examiner Certification

Guidance Software, the creator of EnCase, sponsors the EnCase Certified Examiner (EnCE) certification program. EnCE certification is open to the public and private sectors. This certification focuses on the use and mastery of system forensics analysis using EnCase. For more information on EnCE certification requirements, visit http://www.guidancesoftware.com.

AccessData Certified Examiner

AccessData is the creator of Forensic Toolkit (FTK) software. The company sponsors the AccessData Certified Examiner (ACE) certification program. ACE certification is open to the public and private sectors. This certification is specific to use and mastery of FTK.

Requirements for taking the ACE exam include completing the AccessData boot camp and Windows forensic courses. For more information on ACE certification, visit http://www.accessdata.com.

Certified Hacking Forensic Investigator

The EC-Council, creator of the Certified Ethical Hacker certification, also offers a forensic certification. For more information about the Certified Hacking Forensic Investigator certification, visit https://www.eccouncil.org/programs/computer-hacking-forensic-investigator-chfi/. Unlike the ACE and EnCE certifications, this certification is not specific to a given tool. It is a general certification covering the principles of forensics. However, the course and the certification test do cover a wide range of forensic tools.

Certified Cyber Forensics Professional

The CCFP is the forensic certification from ISC2, the oldest computer security certification vendor. This certification places heavy emphasis on legal issues and scientific processes. See https://www.isc2.org/ccfp/default.aspx.

SANS Institute

The SANS Institute offers a variety of network security certifications. Its forensic track offers certifications in several subdisciplines. You can find more information at http://computer-forensics.sans.org/certification. The three certification tracks are:

  • Global Information Assurance Certification (GIAC) Certified Forensic Examiner (GCFE)

  • GIAC Certified Forensic Analyst (GCFA)

  • GIAC Reverse Engineering Malware (GREM)

American Academy of Forensic Sciences

The American Academy of Forensic Sciences (AAFS) is a prestigious organization composed of forensic scientists in all the various forensic disciplines. It does not offer certifications, but does sponsor a variety of scientific conferences.

Websites

A number of websites provide information about computer forensics. Some provide articles and research, whereas others provide basic tutorials and white papers. Some simply provide an overview of relevant laws. But all are relevant to forensic investigations:

Journals

There are journals, both in print and electronic, that cover the field of digital forensics. These can be invaluable tools for keeping abreast of the latest developments.

Digital Investigation

Digital Investigation covers cutting-edge developments in digital forensics and incident response from around the globe. It covers new technologies, useful tools, relevant research, investigative techniques, and methods for handling security breaches. See http://www.journals.elsevier.com/digital-investigation/.

International Journal of Digital Crime and Forensics

The International Journal of Digital Crime and Forensics (IJDCF) provides up-to-the-minute coverage of issues related to digital evidence. IJDCF addresses the use of electronic devices and software for crime prevention and investigation. It contains high-quality theoretical and empirical research articles, research reviews, case studies, book reviews, tutorials, and editorials. See http://www.igi-global.com/journal/international-journal-digital-crime-forensics/1112.

International Journal of Digital Evidence

The International Journal of Digital Evidence (IJDE) is a forum for discussion of theory, research, policy, and practice in the rapidly changing field of digital evidence. IJDE is supported by the Economic Crime Institute (ECI) at Utica College. See http://www.informatik.uni-trier.de/~ley/db/journals/ijde/.

Journal of Digital Forensic Practice

The Journal of Digital Forensic Practice is a helpful resource for forensic specialists. Articles in the journal target both the public and private sectors. The journal presents useful information, techniques, and unbiased reviews designed to assist forensic specialists in day-to-day practice. See http://www.tandfonline.com/toc/udfp20/current#.Ucha3m8o6po.

Journal of Digital Forensics, Security and Law

The Journal of Digital Forensics, Security and Law (JDFSL) is a unique and innovative publication of the Association of Digital Forensics, Security and Law. The mission of JDFSL is to expand digital forensics research to a wide and eclectic audience. See http://www.adfsl.org/.

Journal of Forensic Sciences

The American Academy of Forensic Sciences produces the Journal of Forensic Sciences. The academy is a multidisciplinary professional organization that aims to promote integrity, competency, education, research, practice, and collaboration in the forensic sciences. See http://onlinelibrary.wiley.com/journal/10.1111/(ISSN)1556-4029.

Small Scale Digital Device Forensics Journal

Conferences

In addition to journals and websites, there are a variety of conferences you might want to attend. Some of these are specifically aimed at forensics, whereas others provide information on general network security, hacking, and topics related to forensics: