book

Digital Forensics, Investigation, and Response 5E, 5th Edition

Name: Digital Forensics, Investigation, and Response 5E, 5th Edition
Author: Chuck Easttom
ISBN: 9781284305951

by Chuck Easttom

February 2026

Intermediate to advanced

456 pages

17h 3m

English

Jones & Bartlett Learning

Read now

Unlock full access

Cover
Title Page
Copyright Page
Brief Contents
Contents
Preface
Dedication
About the Author
CHAPTER 1 Introduction to Forensics
What Is Computer Forensics?
Using Scientific KnowledgeCollectingAnalyzingPresenting

Understanding the Field of Digital Forensics
What Is Digital Evidence?Scope-Related Challenges to System ForensicsTypes of Digital System Forensics AnalysisGeneral Guidelines
Knowledge Needed for Computer Forensics Analysis
HardwareSoftwareNetworksAddressesWorking with ipconfigUsing pingWorking with tracertObscured Information and Anti-Forensics
The Daubert Standard
U.S. Laws Affecting Digital Forensics
The Federal Privacy Act of 1974The Privacy Protection Act of 1980The Communications Assistance to Law Enforcement Act of 1994Unlawful Access to Stored Communications: 18 U.S.C. § 2701The Electronic Communications Privacy Act of 1986The Computer Security Act of 1987The Foreign Intelligence Surveillance Act of 1978The Child Protection and Sexual Predator Punishment Act of 1998The Children’s Online Privacy Protection Act of 1998The Communications Decency Act of 1996The Telecommunications Act of 1996The Wireless Communications and Public Safety Act of 1999The USA PATRIOT ActThe Sarbanes-Oxley Act of 200218 USC 1030 Fraud and Related Activity in Connection with Computers18 USC 1020 Fraud and Related Activity in Connection with Access DevicesThe Digital Millennium Copyright Act (DMCA)18 USC § 1028A Identity Theft and Aggravated Identity Theft18 USC § 2251 Sexual Exploitation of ChildrenWarrants
Federal Guidelines
The FBIThe Secret ServiceThe Regional Computer Forensics Laboratory Program
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
References
CHAPTER 2 Overview of Computer Crime
How Computer Crime Affects Forensics
Identity Theft
How Is Information Gathered?
PhishingSpywareDiscarded InformationHow Does This Crime Affect Forensics?
Hacking
Structured Query Language InjectionCross-Site ScriptingWindows Password CrackersTricking Tech SupportHacking in General
Cyberstalking and Harassment
Real Cyberstalking Cases
Fraud
Investment OffersData Piracy
Non-Access Computer Crimes
Denial of ServiceVirusesLogic Bombs
Cyberterrorism
How Does This Crime Affect Forensics?
AI Threats
How Does This Crime Affect Forensics?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 Forensic Methods and Labs
Forensic Methodologies
Handle Original Data as Little as PossibleComply with the Rules of EvidenceAvoid Exceeding Your KnowledgeCreate an Analysis PlanTechnical Information Collection Considerations
Formal Forensic Approaches
DoD Forensic StandardsThe DFRWS FrameworkThe SWGDE FrameworkAn Event-Based Digital Forensics Investigation Framework
Documentation of Methodologies and Findings
Disk StructureFile Slack Searching
Evidence-Handling Tasks
Evidence-Gathering MeasuresExpert Reports
How to Set Up a Forensics Lab
EquipmentSecurityAmerican Society of Crime Laboratory Directors
Common Forensic Software Programs
EnCaseForensic ToolkitOSForensicsHelixKali LinuxAnaDisk Disk Analysis ToolCopyQM Plus Disk Duplication SoftwareThe Sleuth KitDisk InvestigatorKasewareCAINESIFT
Forensic Certifications
EnCase Certified Examiner CertificationAccessData Certified ExaminerOSForensicsEC Council Certified Hacking Forensic InvestigatorGIAC CertificationsCDFE
Forensic Imaging
Imaging with the Forensic ToolkitImaging with OSForensicsImaging with Specialized DevicesRAID AcquisitionsMathematically Authenticating Data on All Storage Devices
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
References
CHAPTER 4 Understanding Techniques for Hiding and Scrambling Information
Steganography
Historical SteganographySteganophonyVideo SteganographyMore Advanced SteganographySteganalysisInvisible SecretsMP3StegoDeep SoundAdditional Resources
Encryption
The History of EncryptionModern CryptographyBreaking EncryptionQuantum Computing and Cryptography
Other Methods of Hiding Evidence
Hidden PartitionsSlack SpaceFile System Manipulation
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
References
CHAPTER 5 Recovering Data
Undeleting Data
File Systems and Hard DrivesWindowsDiskDiggerForensically Scrubbing a File or FolderWinUndeleteFreeUndeleteOSForensicsAutopsyLinuxMacOS
Recovering Information from Damaged Media
Physical Damage Recovery TechniquesRecovering Data After Logical DamageConsistency CheckingZero-Knowledge Analysis
File Carving
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
References
CHAPTER 6 Windows Forensics
Windows Details
Windows HistoryThe Boot ProcessWindows File SystemImportant Files
Volatile Data
Tools
Windows Swap File
Volume Shadow Copy
Windows Logs
Windows Directories
UserAssistUnallocated/Slack SpaceAlternate Data Streams
Index.dat
Windows Files and Permissions
MAC
The Registry
USB InformationWireless NetworksTracking Word Documents in the RegistryMalware in the RegistryUninstalled SoftwarePasswordsShellBagsShimcacheAmcachePrefetchSRUMBAM and DAMMuiCacheRegistry Tools
Recycle Bin
The $I30 Attribute
PowerShell Forensics
Other Artifacts
Windows Error ReportsCloud StorageRemote Desktop CacheWindows Timeline
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
References
CHAPTER 7 Linux Forensics
Linux and Forensics
Linux Basics
Linux HistoryLinux ShellsLinux DistributionsGraphical User InterfaceLinux Boot ProcessLogical Volume Management
Linux File Systems
ExtThe Reiser File SystemJFSBtrfsThe Berkeley Fast File System
Linux Logs
The /var/log/faillog LogThe /var/log/kern.log LogThe /var/log/lpr.log LogThe /var/log/mail.* LogThe /var/log/mysql.* LogThe /var/log/apache2/* LogThe /var/log/lighttpd/* LogThe /var/log/apport.log LogOther LogsViewing Logs
Linux Directories
The /root DirectoryThe /bin DirectoryThe /sbin DirectoryThe /etc FolderThe /etc/inittab FileThe /dev DirectoryThe /mnt DirectoryThe /boot DirectoryThe /usr DirectoryThe /tmp DirectoryThe /var DirectoryThe /proc DirectoryThe /run Directory
Essential Linux Artifacts
Bash HistorySyslogSudo logs
Tmpfs
Shell Commands for Forensics
The dmesg CommandThe fsck CommandThe grep CommandThe history CommandThe mount CommandThe ps CommandThe pstree CommandThe pgrep CommandThe top CommandThe kill CommandThe file CommandThe su CommandThe who CommandThe finger CommandThe dd CommandThe ls CommandFind ExecutablesChecking Scheduled TasksUser LoginsFinding OdditiesSearching installed programsFirewall RulesSearching by DateFinding Applications with Privilege EscalationCreate a Timeline from the File System
Can You Undelete in Linux?
Manual Method
Kali Linux Forensics
Forensics Tools for Linux
More Linux Forensics
DocumentingAdvanced Commands
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
Reference
CHAPTER 8 macOS Forensics
Mac Basics
Apple HistoryMac File SystemsPartition TypesBoot Camp Assistant
MacOS Architecture
MacOS Logs
Mac Unified LogIndividual Logs
AirDrop
How to Use AirDrop on macOS
Application/Software Artifacts
Important Locations to Look
KnowledgeC
Directories
The /Volumes DirectoryThe /Users DirectoryThe var/vm FolderThe /Users/ DirectoryThe /Users/<user>/Library/Preferences FolderThe /Applications DirectoryThe /Network DirectoryThe /etc DirectoryThe /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File
MacOS Forensic Techniques
Target Disk ModeSearching Virtual MemoryShell Commands
How to Examine an Apple Device
MacQuisition
Reading Apple Drives
Can You Undelete in macOS?
MacOS Password Recovery
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Email Forensics
How Email Works
Email ProtocolsFaking Email
Email Headers
Getting Headers in Outlook 2019Getting Headers from Yahoo! EmailGetting Headers from GmailOther Email ClientsEmail FilesParaben’s Email ExaminerReadPST
Tracing Email
Email Server Forensics
Email and the Law
The Fourth Amendment to the U.S. ConstitutionThe Electronic Communications Privacy ActThe CAN-SPAM Act18 U.S.C. 2252BThe Communication Assistance to Law Enforcement ActThe Foreign Intelligence Surveillance ActThe USA PATRIOT Act
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Mobile Forensics
Cellular Device Concepts
TermsNetworksOperating SystemsRooting AndroidAndroid Free ToolsAndroid App De-compiling
Evidence You Can Get from a Cell Phone
NIST SP 800-101SWGDE GuidelinesTypes of InvestigationsTypes of Information
Seizing Evidence from a Mobile Device
SQLiteThe iPhone
Tools
Tools for AndroidTools for iOSJTAG and Chip Off
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
References
CHAPTER 11 Network Forensics
Network Basics
IP Addresses and MAC AddressesOther stateful configuration flag (O flag)M flagOpen Systems Interconnection Model
Network Packet Analysis
Network PacketsPacket HeadersFIN scanXmas tree scanNull scanNetwork Attacks
Network Traffic Analysis Tools
WiresharkNmapTcpdumpSnortNetWitness
Network Traffic Analysis
Using Log Files as Evidence
Network Utilities
NetstatIpconfigPing and tracertPathping
Wireless
Wi-Fi SecurityOther Wireless Protocols
Router Forensics
Router BasicsTypes of Router AttacksGetting Evidence from the Router
Firewall Forensics
Firewall BasicsPacket FilterStateful Packet InspectionCollecting Data
The Cloud
What Impact Does Cloud Computing Have on Forensics?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Memory Forensics
How Computer Memory Works
Stack Versus HeapPaging
Capturing Memory
Analyzing Memory with Volatility
Analyzing Memory with OSForensics
Understanding the OutputPutting it all Together
Malware Techniques
VirusesWormsSpywareLogic BombTrojan HorseMalware Hiding Techniques
Density Scout
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
CHAPTER 13 New Device Forensics
First Section
Smart Televisions
IoT
IoT BasicsIoT Forensics
Medical Devices
Challenges in Medical Device Digital ForensicsLegal and Regulatory Considerations
Automobile Forensics
Drone Forensics
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 Incident Response
Disaster Recovery
ISO 27001ISO 27035ENISAPCI DSS Incident Response GuidelinesGDPR (General Data Protection Regulation) - Breach Notification and Incident ResponseNIST 800-34NFPA 1600
Business Impact Analysis
Describing the Incident
Common Vulnerability Scoring SystemDREADRMONMean Squared DeviationMean Percentage ErrorIshikawa Diagram
The Recovery Plan
The Post Recovery Follow-Up
Incident Response
DetectionContainmentEradicationRecoveryFollow-Up
Preserving Evidence
Adding Forensics to Incident Response
Forensic ResourcesForensics and Policy
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
Reference
CHAPTER 15 Trends and Future Directions
Machine Learning and AI
AI/ML and Cybersecurity
Deep Fakes
Standards
Machine Learning and Digital Forensics
Legal Issues
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
Index

Content preview from Digital Forensics, Investigation, and Response 5E, 5th Edition

MacOS Forensic Techniques

This section covers some general forensic techniques to use on macOS systems. In the preceding sections, you learned about the macOS operating system, and you learned where to look for important logs, which is a valuable step in any forensic investigation. Now, you will learn a variety of forensic techniques.

Target Disk Mode

One of the most fundamental steps in forensics is to create a bit-level copy of the suspect drive. If the suspect drive uses macOS, all the techniques you know from Linux or Windows can still be used. You can utilize the dd command along with netcat to make a forensic copy. You can also use the imaging tools within EnCase or Forensic Toolkit. However, macOS provides another way to make a forensically ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781284305951

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Digital Forensics, Investigation, and Response 5E, 5th Edition

by Chuck Easttom

MacOS Forensic Techniques

Target Disk Mode

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

The Three Traps That Stymie Reinvention

What Successful Brick-and-Mortar Retailers Get Right

Three Essentials for Agentic AI Security

Tips for Designing Effective Presentation Slide Decks

Publisher Resources