It includes the most up-to-date coverage available of Linux and Macintosh, virtual machine software such as VMware and Virtual Box, Android, mobile devices, handheld devices, cloud forensics, email, social media and the Internet of Anything.
With its practical applications, you can immediately put what you learn into practice. This proven author team's wide-ranging areas of expertise mirror the breadth of coverage provided in the book, which focuses on techniques and practices for gathering and analyzing evidence used to solve crimes involving computers. Providing clear instruction on the tools and techniques of the trade, it introduces readers to every step of the computer forensics investigation, from lab set-up to testifying in court.
It also details step-by-step guidance on how to use current forensics software. Appropriate for learners new to the field, it is also an excellent refresher and technology update for professionals in law enforcement, investigations, or computer security. It is also designed as an accompanying text to Digital Evidence and Computer Crime. This unique collection details how to conduct digital investigations in both criminal and civil contexts, and how to locate and utilize digital evidence on computers, networks, and embedded systems.
Specifically, the Investigative Methodology section of the Handbook provides expert guidance in the three main areas of practice: Forensic Analysis, Electronic Discovery, and Intrusion Investigation. The Technology section is extended and updated to reflect the state of the art in each area of specialization.
The main areas of focus in the Technology section are forensic analysis of Windows, Unix, Macintosh, and embedded systems (including cellular telephones and other mobile devices), and investigations involving networks, including enterprise environments and mobile telecommunications technology. This handbook is an essential technical reference and on-the-job guide that IT professionals, forensic practitioners, law enforcement, and attorneys will rely on when confronted with computer-related crime and digital evidence of any kind.
This book merges a digital analysis examiner's work with the work of a case investigator in order to build a solid case to identify and prosecute cybercriminals. Brett Shavers links traditional investigative techniques with high-tech crime analysis in a manner that not only determines the elements of crimes, but also places the suspect at the keyboard. This book is the first to combine the investigative strategies of digital forensics analysis processes with physical investigative techniques, so that the reader gains a holistic approach to their current and future cybercrime investigations.
You'll later get up to speed with digital forensic techniques, from acquiring evidence and examining volatile memory through to hard drive examination and network-based evidence. As you progress, you'll discover the role that threat intelligence plays in the incident response process. You'll also learn how to prepare an incident response report that documents the findings of your analysis. Finally, in addition to various incident response activities, the book will address malware analysis, and demonstrate how you can proactively use your digital forensic skills in threat hunting.
By the end of this book, you'll have learned how to efficiently investigate and report unwanted security breaches and incidents in your organization. What you will learn: create and deploy an incident response capability within your own organization; perform proper evidence acquisition and handling; analyze the evidence collected and determine the root cause of a security incident; become well-versed with mem. This book answers many of those questions in clear language that is understandable by non-technical people.
With many illustrations and diagrams that will be usable in court, they explain technical concepts such as unallocated space, forensic copies, timeline artifacts and metadata in simple terms that make these concepts accessible to both attorneys and juries. The authors also explain how to determine what evidence to ask for, what evidence might be discoverable, and the methods for getting to it, including relevant subpoena and motion language. Additionally, this book provides an overview of the current state of digital forensics, the right way to select a qualified expert, what to expect from a qualified expert, and how to properly use experts before and during trial.
Includes a companion Web site with courtroom illustrations and examples of discovery motions; provides examples of direct and cross examination questions for digital evidence; contains a reference of definitions of digital forensic terms, relevant case law, and resources for the attorney. This has allowed the development of the internet. In turn, the Internet has brought many benefits, but it has also contributed to the rise of cyber-crime.
So, with the rise of cybercrime, it has become critical to strengthen and develop computer systems security. The techniques used by cybercriminals grow more sophisticated all the time, making it more difficult to protect corporate networks. As a result, the computer security of these companies gets violated, and it is at this point that digital forensic analysis is needed to identify the cybercriminals.
So, with the rise of cybercrime, digital forensics is gaining importance in the area of information technology. When a crime is committed, information about it is often stored digitally. Therefore, appropriate mechanisms must be used for the collection, preservation, protection, analysis and presentation of digital evidence stored on electronic devices.
It is here that the need arises for digital forensics. In this report, I am going to explain what digital forensics is. Also, I will describe some forensic software and hardware and the importance of suitable forensic labs. So, let's start. These two fields are finding increasing importance in law enforcement and the investigation of cybercrime as the ubiquity of personal computing and the internet becomes ever-more apparent.
Digital forensics involves investigating computer systems and digital artefacts in general, while multimedia forensics is a sub-topic of digital forensics focusing on evidence extracted from both normal computer systems and special multimedia devices, such as digital cameras. This book focuses on the interface between digital forensics and multimedia forensics, bringing two closely related fields of forensic expertise together to identify and understand the current state-of-the-art in digital forensic investigation.
Both fields are expertly attended to by contributions from researchers and forensic practitioners specializing in diverse topics such as forensic authentication, forensic triage, forensic photogrammetry, biometric forensics, multimedia device identification, and image forgery detection, among many others. Key features: brings digital and multimedia forensics together with contributions from academia, law enforcement, and the digital forensics industry for extensive coverage of all the major aspects of digital forensics of multimedia data and devices; provides comprehensive and authoritative coverage of digital forensics of multimedia data and devices; offers not only explanations of techniques but also real-world and simulated case studies to illustrate how digital and multimedia forensics techniques work; includes a companion website hosting continually updated supplementary materials ranging from extended and updated coverage of standards to best practice guides, test datasets and more case studies.
This book teaches you how to conduct examinations by discussing what digital forensics is, the methodologies used, key technical concepts and the tools needed to perform examinations.
Details on digital forensics for computers, networks, cell phones, GPS, the cloud, and the Internet are discussed. You will also learn how to collect evidence, document the scene, and how deleted data is recovered. Learn all about what digital forensics entails; build a toolkit and prepare an investigative plan; understand the common artifacts to look for during an exam. For example, use net share to list shared folders and other shared resources, such as printers.
You don't need any dedicated forensics tool at this point to investigate a suspicious Linux machine. Native Linux commands are handy, and they provide a great deal of information to the investigator.
Logged on Users
In this section, we will try to extract information about the legitimate users of the suspicious machine. What is the total number of authorized users? What are their names and profiles? What were their access times, and was access remote or local? PsLoggedOn is part of the PsTools suite and allows you to see the locally and remotely logged-on users. Net user is the native Windows command for finding the local and remote users of the suspicious machine.
On a Linux machine, last is one of the important commands: it allows an investigator to see the history of local and remote user logins. Getting evidence is not enough; managing evidence is the art. Strict policies and procedures should be created to manage the evidence. Make sure to maintain the integrity of the data; the chain of custody must not be broken. An evidence management guide should be created, and your organizational policy should require that it be followed.
Modes of Attack
Computer forensics and digital investigation depend on the nature of the cyber-crime that occurred. First, identifying the crime tells the investigator which steps to take. What kind of crime should an investigator investigate? In this section, the answers to these questions will be addressed.
Computer Forensics - Systematic Approach An investigator should have a standard guideline and steps to use during the investigation, which we call a systematic approach.
Every step is based on specific reasons, and the steps are linked together. Systematic approaches may differ, depending on local laws and your own organization's policy. Initial assessment of the case: Before starting the actual investigation, you should look at the broader perspective of the case and the possible outcomes.
Keep in mind that you have to be suspicious of everyone and everything. Do not try to imagine the result at first, because if you do, you will unintentionally work in that particular direction. Communicate with the relevant people about the incident; try to gather as much information as you can. What is the nature of the case? What is the situation after the incident? Create a plan to approach the case: You should have every possible step in your mind, and you should write them down.
Create the process to handle this particular case. How are you going to approach the authority, the victim and the suspect? How are you going to seize the machines?
What legal documents might you need to do this, and how are you going to get them? Required resources: What resources might this case require? Human resources, technical resources, and the software required. Do you have the necessary software, or do you need to get it? If you need assistance from any other company or team, this also comes under the required resources; create the list and obtain them first. Identify the risks: A risk assessment should be done to evaluate the possible risks involved in the particular case.
Based on experience, your organization should have a list of problems that have occurred during past investigations; you can also judge the risk from your own experience. After identification, take the necessary steps to minimize or mitigate the risks. Investigation: All right, you have collected the data. Now investigate the extracted evidence and point out the culprit.
Critique the case: Self-evaluation is the key, since you need to forward your report to court. After completing the report, you should thoroughly review the entire case. Find your weaknesses and improve on them for future cases. You can't simply investigate or seize any machine without following the proper laws and regulations. The legal aspects are important, since the case will go to court; apart from the hearing, you need to follow the law while investigating, otherwise you will find yourself in trouble.
Legal Process: The legal process depends on your local laws and rules. In the first stage a complaint is received; the investigator investigates the complaint and, with the help of the prosecutor, collects, analyzes and reports to build a case. You can't start a criminal investigation by yourself.
A criminal investigation requires evidence of an illegal act. If no such evidence is found, a criminal investigation cannot be started. Someone must inform the local police about the crime that has been committed, and once the complaint is received, the investigation starts.
At the very first step, the local police investigate the crime. They report the type of the case to the top management and then a specialist will be assigned to look after the case.
Not every police officer is a computer expert. Sometimes they only know the basics about digital devices.
During the seizure process, they might damage critical evidence. To avoid such mishaps, CTIN has defined levels of law enforcement expertise. The police officer is responsible for acquiring and seizing the digital evidence at the crime scene. The assigned detectives usually handle the case. Specialist training in retrieving digital evidence is normally held by a data recovery or computer forensics expert, network forensics expert, or Internet fraud investigator.
This person might also be qualified to manage a case, depending on his or her background. You, as an investigator, should have knowledge and expertise in computer forensics and in how to handle cyber-crime cases. You have to judge the level of expertise of the other team members and assign their roles, responsibilities and expected performance.
Follow the systematic approach discussed in the previous chapter, look for the evidence, and then create a strong case supported by that evidence. Your job as a computer investigator is to investigate the digital devices, extract the evidence and create the report. From this point onward, the prosecutor's job begins. As an investigator, you need to submit the final report with the evidence to the government attorney; the level of authority depends on the nature of the case and your local laws.
You can find the available guides on evidence management and other topics related to computer forensics. As discussed, you should collect evidence in a way that is legally admissible in court. There are two core areas of law related to cyber-crime. Because individuals generally retain a reasonable expectation of privacy in the contents of closed containers, see United States v.
Ross, U. See United States v. Barth, 26 F. Reyes, F. Lynch, F. Chan, F. If the court finds that the process, methodology and tools violated the 4th Amendment while recovering the evidence, then that information or evidence becomes inadmissible. The word "memorized" is very important in this context; keep in mind that the passkey is never written down anywhere. The 5th Amendment protects an individual from being compelled to provide incriminating testimony.
Remember, it does not provide protection if the evidence is written down somewhere. The first two laws 18 U. Let's discuss real-time electronic communication first.
Before discussing the exceptions and prohibited acts, we should discuss electronic communication in terms of the OSI model. I will explain both from the OSI point of view. Well, the legal document provides the admissible definitions, and they are: 18 U. Some prohibitions are: 1. Intellectual property law can be further divided into copyright law, trademark law, trade secret law, etc.
According to 18 U. This is the end of the second module; we will discuss file systems from the next module: what kinds of storage devices do we have, and what are their structures? This module discusses the technicalities of modern computer devices with the aim of providing insight into, and an understanding of, storage media and the architecture of today's popular operating systems.
This chapter does not aim to differentiate one type of drive from another; it aims to discuss the structure of different drives. Fixed storage is the built-in storage space available in an electronic device, while external or removable storage is the kind you can plug in and play with.
The rapid growth of the computer industry has introduced many storage media; apart from the traditional media types such as the hard drive and CD (compact disk), files can be stored on a USB drive, mp3 player, mobile phone, digital camera, etc.

Hard Drive
To understand files, the file system, how the OS interacts with storage media such as the hard drive, how the flow of information works, etc., it is also important to understand where data is actually stored, so that you will be able to retrieve it during your investigation. A hard drive is made up of one or more platters coated with magnetic material; data is stored, or recorded, magnetically onto the disk. The hard-drive platter is made of an aluminum alloy; glass and ceramic are also used in making platters.
It is important to understand that the area where data is stored is composed of a magnetic media coating made of an iron oxide substance. Data is stored on both the front and back sides of the platter, also known as side 0 and side 1. The data on each platter is physically stored in tracks and sectors. Every track has its own unique identification number; numbering starts from 0 at the outer edge and moves inward toward the center of the circle, reaching a value of around The size of a sector is bytes.
Cluster: The cluster is an important component that we should discuss; it is linked to the sector discussed above and may be thought of as a group of sectors. The cluster is an allocation unit: the space allocated for files and directories to be stored. Storing small files on a file system with large clusters wastes disk space, and this wasted space is called slack space. The cluster size, or number of sectors per cluster, is always a power of 2.
Hence the size is bytes.

Slack Space
[Figure: cluster and file slack space]
Referring to the concept described above, slack space is the free or unused space in a cluster: the space between the end of the actual file and the end of the allocated data unit (the end of the cluster). Slack space, and investigating it, is very important for a forensic examiner, because this space can contain salient information about the suspect, and evidence can be retrieved from it.
For example, if a suspect deleted all of the files and directories that filled an entire cluster and then saved or created some new files that filled only half of the cluster in order to mislead the investigator, the other half of the cluster may still contain the contents of the deleted file, which can be retrieved and used as evidence against the suspect.
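The scenario just described, replayed on a small in-memory model of a volume. This is an added example, not code from the original course text; the sector size, cluster size, file names and file contents are all constructed for the model.

```python
"""Slack space model: added example, not code from the original course text.

A volume is modelled as a bytearray divided into fixed-size clusters. A large
file fills a cluster and is then "deleted" the way FAT does it (the directory
entry goes, the data stays). A smaller file is written into the same cluster,
and the tail of the old file survives in the new file's slack space.
Sector and cluster sizes below are assumed for the model.
"""

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8          # a power of two, as the text states
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER


def clusters_needed(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Allocation units occupied by a file of file_size bytes (ceiling division)."""
    return -(-file_size // cluster_size)


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the end of the file and the end of its last cluster."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


class ToyVolume:
    """Constructed in-memory volume: raw clusters plus a name -> (cluster, size) table."""

    def __init__(self, n_clusters: int = 4):
        self.data = bytearray(n_clusters * CLUSTER_SIZE)
        self.files = {}              # directory entries: name -> (cluster, size)

    def write(self, name: str, cluster: int, content: bytes) -> None:
        assert len(content) <= CLUSTER_SIZE, "single-cluster files only in this model"
        start = cluster * CLUSTER_SIZE
        # Only the file's own bytes are written; the rest of the cluster is untouched.
        self.data[start:start + len(content)] = content
        self.files[name] = (cluster, len(content))

    def delete(self, name: str) -> None:
        # Like FAT, deletion drops the directory entry but does not wipe the data.
        del self.files[name]

    def read(self, name: str) -> bytes:
        """What the OS returns: only the bytes up to the recorded file size."""
        cluster, size = self.files[name]
        start = cluster * CLUSTER_SIZE
        return bytes(self.data[start:start + size])

    def slack(self, name: str) -> bytes:
        """What a forensic tool reads: end of file to end of the cluster."""
        cluster, size = self.files[name]
        start = cluster * CLUSTER_SIZE
        return bytes(self.data[start + size:start + CLUSTER_SIZE])


def deleted_file_residue() -> bytes:
    """Replay the scenario from the text and return the residue found in slack."""
    vol = ToyVolume()
    old = (b"SECRET LEDGER ROW " * (CLUSTER_SIZE // 18)).ljust(CLUSTER_SIZE, b"#")
    vol.write("ledger.txt", cluster=1, content=old)      # fills the whole cluster
    vol.delete("ledger.txt")                             # suspect deletes it
    cover = b"nothing to see here".ljust(CLUSTER_SIZE // 2, b" ")
    vol.write("notes.txt", cluster=1, content=cover)     # new file fills half the cluster
    assert b"SECRET" not in vol.read("notes.txt")        # the OS view shows nothing
    return vol.slack("notes.txt")                        # the second half still holds old data


if __name__ == "__main__":
    residue = deleted_file_residue()
    print(len(residue), "bytes of slack; old data present:", b"SECRET LEDGER" in residue)
```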
A file can be made up of many data types, for example audio, video, text, etc. The file system is the workflow, process and method that defines how data is stored and where it is placed on logical volumes.
The logical volume is the result of the partitioning process: it is a partition acting as a single entity that has been formatted with a file system. Understanding the file system is crucial for a forensic investigator, as you must know the location and distribution of the various types of files and how they are structured and mapped in memory. Before a hard drive or any other storage medium is used to store files, the disk must be partitioned and formatted into multiple logical volumes.
Hidden partitions can also be created to hide data; this space can be created between the primary partition and the first logical partition.
This unused space is referred to as the partition gap, and hidden data there can be altered using a disk editor utility. Different operating systems may have different file systems and structures. However, there are some common traits that you can find in every file system, for example the concept of directories and files. Nice for floppies, but useless on hard drives. A technically interesting file system available for the Amiga; it performs very well under a lot of circumstances.
Very simple and elegant. That system was based on the BASIC programming language and allowed programs and data to be stored on a floppy disk. Since that time, the FAT file system has been improved upon multiple times to take advantage of advances in computer technology, and to further refine and enrich the FAT file system itself. Today, the FAT file system has become the ubiquitous format used for interchange of media between computers, and, since the advent of inexpensive, removable flash memory, also between digital devices.
The FAT file system is now supported by a wide variety of OSs running on all sizes of computers, from servers to personal digital assistants. In addition, many digital devices such as still and video cameras, audio recorders, video game systems, scanners, and printers make use of FAT file system technology. It has a limited amount of storage: a volume of no more than 16 MB. It uses a bit file allocation table entry to address an entry in the file system. It was created for larger disks and can handle a storage capacity of up to 2 GB, and for some newer OSs up to 4 GB.
It uses a bit file allocation table where the top 4 bits are reserved. Cluster size used: bytes. It can access up to 2 TB of disk storage. NTFS supports long file names and large storage media. It is known as a recoverable file system: it can automatically recover or restore the consistency of the file system when an error occurs.
Root directory. This file is always located in the first clusters of the volume. Now we will use Hex Workshop to analyze the partition at the physical level. You need to understand hexadecimal codes to understand the file systems of various operating systems. Here is the list of hexadecimal partition type codes with their respective file systems.
Download Hex Workshop from www. In the example below, I have clicked on my C: drive to analyze it. If you see MSD0S5.

Windows Registry
The Windows registry is a hierarchical database; it contains information about users, applications, hardware, etc.
The Windows registry knows everything about a program: where the program is stored, its version, and every setting of that program. While executing any task, Windows continuously refers to the registry. Registry data is stored in binary files, holding information including configuration and preference settings. Before discussing Linux file systems, we should discuss some basic concepts related to files in Linux.
What is a File?
In Linux, everything is a file (and whatever is not a file is a process). A file is connected with the storage medium, and whatever you store is kept in a file. A file is a collection of data; the data may be your text, images, videos, etc.
To manage files on Linux, an ordered tree structure is used: the root contains large branches, and the branches contain regular files, the leaves of the tree for that matter.

What is a Directory?
A directory is a special file that contains other files and sub-directories. You can't change the root directory, and you can't rename it.

Inodes
The inode is a basic concept of the Linux file system: each file in Linux is represented by an inode, which is a structure of the file system. Each inode contains information about the file: timestamps, size, file type, owner, permissions, etc. To summarize, it is the database that stores metadata about each file and directory.
It is used to track the file on the hard drive. The inode contains entries, and each entry is bytes in size. The first output shows the identification number of this particular file, while the second output provides more details about the file.

Journaling File System
The journaling file system introduced in Linux was the main reason that many corporations switched to Linux; however, it is no longer a unique reason, because other file systems with this capability are now available.
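Returning to the inode section above: the following is an added example, not code from the original course text, that shows with the standard library what the inode holds versus what a directory entry holds. It assumes a POSIX (Linux) file system where hard links are permitted; the file names and contents are constructed.

```python
"""Inode walkthrough: added example, not code from the original course text.

Uses only the standard library on a POSIX (Linux) file system. It shows what
the inode holds (type, permissions, owner, size, link count, timestamps) versus
what a directory holds (names mapped to inode numbers), by creating a file in
a temporary directory, attaching a second name (hard link) to the same inode,
and then removing the first name. File names and contents are constructed.
"""
import os
import stat
import tempfile


def inode_record(path: str) -> dict:
    """Metadata an examiner reads from the inode, not from the directory entry."""
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        kind = "directory"
    elif stat.S_ISREG(st.st_mode):
        kind = "regular"
    else:
        kind = "other"
    return {
        "inode": st.st_ino,
        "type": kind,
        "perm": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "links": st.st_nlink,        # number of directory names pointing at this inode
        "size": st.st_size,
        "atime": st.st_atime,        # last access
        "mtime": st.st_mtime,        # last content change
        "ctime": st.st_ctime,        # last inode (metadata) change
    }


def directory_table(d: str) -> dict:
    """What a directory really is: a mapping of names to inode numbers."""
    return {name: os.lstat(os.path.join(d, name)).st_ino for name in sorted(os.listdir(d))}


def hard_link_walkthrough() -> dict:
    """Create a file, link a second name to it, remove the first name; report what changed."""
    with tempfile.TemporaryDirectory() as d:
        first = os.path.join(d, "evidence.txt")
        second = os.path.join(d, "copy.txt")
        with open(first, "wb") as f:
            f.write(b"constructed sample content\n")
        before = inode_record(first)
        os.link(first, second)                   # a second directory entry, same inode
        table = directory_table(d)
        linked = inode_record(second)
        os.unlink(first)                         # removing one name leaves the inode alive
        after = inode_record(second)
        return {
            "two_names_one_inode": len(table) == 2 and len(set(table.values())) == 1,
            "same_inode": before["inode"] == after["inode"],
            "links_after_link": linked["links"],
            "links_after_unlink": after["links"],
            "size_unchanged": after["size"] == before["size"],
            "type": after["type"],
        }


if __name__ == "__main__":
    for key, value in hard_link_walkthrough().items():
        print(f"{key}: {value}")
```

The link count in the record is what tells an examiner that "deleting" a name does not necessarily remove the data: as long as another name or an open handle refers to the inode, its blocks stay allocated.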
The file systems before Ext3 are based on a static structure; they don't have journaling functionality. Ext3 and later file systems do have journaling capability.
So what journaling file system is all about?