Edition: [4 ed.]
Authors: Chuck Easttom
Series:
ISBN: 2021003216, 9781284226065
Publisher:
Year of publication: 2022
Number of pages: [793]
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 at the user's request)
File size: 19 Mb
If you need the book Digital Forensics, Investigation, and Response converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support so that they convert the file for you.
Note that the book Digital Forensics, Investigation, and Response is the original-language edition and is not a Persian translation. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Title Page Copyright Page Contents Preface Dedication Page About the Author
CHAPTER 1 Introduction to Forensics What Is Computer Forensics? Using Scientific Knowledge Collecting Analyzing Presenting Understanding the Field of Digital Forensics What Is Digital Evidence? Scope-Related Challenges to System Forensics Types of Digital System Forensics Analysis General Guidelines Knowledge Needed for Computer Forensics Analysis Hardware Software Networks Addresses Obscured Information and Anti-Forensics The Daubert Standard U.S. Laws Affecting Digital Forensics The Federal Privacy Act of 1974 The Privacy Protection Act of 1980 The Communications Assistance to Law Enforcement Act of 1994 Unlawful Access to Stored Communications: 18 U.S.C. § 2701 The Electronic Communications Privacy Act of 1986 The Computer Security Act of 1987 The Foreign Intelligence Surveillance Act of 1978 The Child Protection and Sexual Predator Punishment Act of 1998 The Children’s Online Privacy Protection Act of 1998 The Communications Decency Act of 1996 The Telecommunications Act of 1996 The Wireless Communications and Public Safety Act of 1999 The USA PATRIOT Act The Sarbanes-Oxley Act of 2002 18 USC 1030 Fraud and Related Activity in Connection with Computers 18 USC 1020 Fraud and Related Activity in Connection with Access Devices The Digital Millennium Copyright Act (DMCA) 18 USC § 1028A Identity Theft and Aggravated Identity Theft 18 USC § 2251 Sexual Exploitation of Children Warrants Federal Guidelines The FBI The Secret Service The Regional Computer Forensics Laboratory Program CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 1 ASSESSMENT REFERENCES
CHAPTER 2 Overview of Computer Crime How Computer Crime Affects Forensics Identity Theft Phishing Spyware Discarded Information How Does This Crime Affect Forensics? Hacking Structured Query Language Injection Cross-Site Scripting Ophcrack Tricking Tech Support Hacking in General Cyberstalking and Harassment Real Cyberstalking Cases Fraud Investment Offers Data Piracy Non-Access Computer Crimes Denial of Service Viruses Logic Bombs Cyberterrorism How Does This Crime Affect Forensics? CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 2 ASSESSMENT
CHAPTER 3 Forensic Methods and Labs Forensic Methodologies Handle Original Data as Little as Possible Comply with the Rules of Evidence Avoid Exceeding Your Knowledge Create an Analysis Plan Technical Information Collection Considerations Formal Forensic Approaches DoD Forensic Standards The DFRWS Framework The SWGDE Framework An Event-Based Digital Forensics Investigation Framework Documentation of Methodologies and Findings Disk Structure File Slack Searching Evidence-Handling Tasks Evidence-Gathering Measures Expert Reports How to Set Up a Forensics Lab Equipment Security American Society of Crime Laboratory Directors Common Forensic Software Programs EnCase Forensic Toolkit OSForensics Helix Kali Linux AnaDisk Disk Analysis Tool CopyQM Plus Disk Duplication Software The Sleuth Kit Disk Investigator Forensic Certifications EnCase Certified Examiner Certification AccessData Certified Examiner OSForensics EC Council Certified Hacking Forensic Investigator GIAC Certifications CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 3 ASSESSMENT REFERENCES
CHAPTER 4 Collecting, Seizing, and Protecting Evidence Proper Procedure Shutting Down the Computer Transporting the Computer System to a Secure Location Preparing the System Documenting the Hardware Configuration of the System Mathematically Authenticating Data on All Storage Devices Handling Evidence Collecting Data Documenting Filenames, Dates, and Times Identifying File, Program, and Storage Anomalies Evidence-Gathering Measures What to Examine Storage Formats Magnetic Media Solid-State Drives Digital Audio Tape Drives Digital Linear Tape and Super DLT Optical Media Using USB Drives File Formats Forensic Imaging Imaging with EnCase Imaging with the Forensic Toolkit Imaging with OSForensics RAID Acquisitions CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 4 ASSESSMENT CHAPTER LAB
CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information Steganography Historical Steganography Steganophony Video Steganography More Advanced Steganography Steganalysis Invisible Secrets MP3Stego Deep Sound Additional Resources Encryption The History of Encryption Modern Cryptography Breaking Encryption Quantum Computing and Cryptography CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 5 ASSESSMENT REFERENCES
CHAPTER 6 Recovering Data Undeleting Data File Systems and Hard Drives Windows Forensically Scrubbing a File or Folder Linux Mac OS Recovering Information from Damaged Media Physical Damage Recovery Techniques Recovering Data After Logical Damage File Carving CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 6 ASSESSMENT REFERENCES
CHAPTER 7 Incident Response Disaster Recovery ISO 27001 NIST 800-34 NFPA 1600 Business Impact Analysis Describing the Incident Common Vulnerability Scoring System DREAD RMON Mean Squared Deviation Mean Percentage Error Ishikawa Diagram The Recovery Plan The Post Recovery Follow-Up Incident Response Detection Containment Eradication Recovery Follow-up Preserving Evidence Adding Forensics to Incident Response Forensic Resources Forensics and Policy CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 7 ASSESSMENT REFERENCE
CHAPTER 8 Windows Forensics Windows Details Windows History 64-Bit Processing The Boot Process Important Files Volatile Data Tools Windows Swap File Volume Shadow Copy Windows Logs Windows Directories UserAssist Unallocated/Slack Space Alternate Data Streams Index.dat Windows Files and Permissions MAC The Registry USB Information Wireless Networks Tracking Word Documents in the Registry Malware in the Registry Uninstalled Software Passwords ShellBag Shimcache Amcache Prefetch SRUM BAM and DAM Recycle Bin The $I30 Attribute PowerShell Forensics CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 8 ASSESSMENT REFERENCES
CHAPTER 9 Linux Forensics Linux and Forensics Linux Basics Linux History Linux Shells Graphical User Interface Linux Boot Process Logical Volume Management Linux Distributions Linux File Systems Ext The Reiser File System The Berkeley Fast File System Linux Logs The /var/log/faillog Log The /var/log/kern.log Log The /var/log/lpr.log Log The /var/log/mail.* Log The /var/log/mysql.* Log The /var/log/apache2/* Log The /var/log/lighttpd/* Log The /var/log/apport.log Log Other Logs Viewing Logs Linux Directories The /root Directory The /bin Directory The /sbin Directory The /etc Folder The /etc/inittab File The /dev Directory The /mnt Directory The /boot Directory The /usr Directory The /tmp Directory The /var Directory The /proc Directory The /run Directory Tmpfs Shell Commands for Forensics The dmesg Command The fsck Command The grep Command The history Command The mount Command The ps Command The pstree Command The pgrep Command The top Command The kill Command The file Command The su Command The who Command The finger Command The dd Command The ls Command Find Executables Checking Scheduled Tasks Finding Oddities Can You Undelete in Linux? Manual Method Kali Linux Forensics Forensics Tools for Linux More Linux Forensics Documenting Advanced Commands CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 9 ASSESSMENT REFERENCE
CHAPTER 10 Mac OS Forensics Mac Basics Apple History Mac File Systems Partition Types Boot Camp Assistant Mac OS Logs The /var/log Log The /var/spool/cups Folder The /private/var/audit logs The /private/var/VM Folder The /Library/Receipts Folder /Library/Mobile Documents The /Users//.bash_history Log The var/vm Folder The /Users/ Directory The /Users/ /Library/Preferences Folder Directories The /Volumes Directory The /Users Directory The /Applications Directory The /Network Directory The /etc Directory The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File Mac OS Forensic Techniques Target Disk Mode Searching Virtual Memory Shell Commands How to Examine an Apple Device MacQuisition Reading Apple Drives Can You Undelete in Mac OS? Mac OS Password Recovery CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 10 ASSESSMENT
CHAPTER 11 Email Forensics How Email Works Email Protocols Faking Email Email Headers Getting Headers in Outlook 2019 Getting Headers from Yahoo! Email Getting Headers from Gmail Other Email Clients Email Files Paraben’s Email Examiner ReadPST Tracing Email Email Server Forensics Email and the Law The Fourth Amendment to the U.S. Constitution The Electronic Communications Privacy Act The CAN-SPAM Act 18 U.S.C. 2252B The Communication Assistance to Law Enforcement Act The Foreign Intelligence Surveillance Act The USA PATRIOT Act CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 11 ASSESSMENT
CHAPTER 12 Mobile Forensics Cellular Device Concepts Terms Networks Operating Systems Evidence You Can Get from a Cell Phone SWGDE Guidelines Types of Investigations Types of Information Seizing Evidence from a Mobile Device SQLite The iPhone CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 12 ASSESSMENT REFERENCES
CHAPTER 13 Network Forensics Network Basics IP Addresses and MAC Addresses Open Systems Interconnection Model Network Packet Analysis Network Packets Packet Headers Network Attacks Network Traffic Analysis Tools Wireshark Nmap Tcpdump Snort NetWitness Network Traffic Analysis Using Log Files as Evidence Wireless Wi-Fi Security Other Wireless Protocols Router Forensics Router Basics Types of Router Attacks Getting Evidence from the Router Firewall Forensics Firewall Basics Packet Filter Stateful Packet Inspection Collecting Data CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 13 ASSESSMENT
CHAPTER 14 Memory Forensics How Computer Memory Works Stack Versus Heap Paging Capturing Memory Analyzing Memory with Volatility Analyzing Memory with OSForensics Understanding the Output Putting It All Together Malware Techniques Viruses Worms Spyware Logic Bomb Trojan Horse Malware Hiding Techniques Density Scout CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 14 ASSESSMENT
CHAPTER 15 Trends and Future Directions Technical Trends What Impact Does This Have on Forensics? Software as a Service The Cloud New Devices Legal and Procedural Trends Changes in the Law Private Labs International Issues Techniques CHAPTER SUMMARY KEY CONCEPTS AND TERMS CHAPTER 15 ASSESSMENT REFERENCES
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary Index