book

Learn Computer Forensics - Second Edition

by William Oettinger

July 2022

Beginner

434 pages

10h 15m

English

Packt Publishing

Read now

Unlock full access

Who this book is forWhat this book coversGet in touch
Introduction to computer-based investigationsCriminal investigationsFirst respondersInvestigatorsCrime scene technicianIllicit imagesThe crime of stalkingCriminal conspiracyCorporate investigationsEmployee misconductCorporate espionageSecurityThreat ActorsSocial engineeringReal-world experienceInsider threatCase studiesDennis RaderSilk RoadSan Bernardino terror attackTheft of intellectual propertySummaryQuestionsFurther reading
Pre-investigation considerationsThe forensic workstationThe response kitForensic softwareForensic investigator trainingUnderstanding case information and legal issuesUnderstanding data acquisitionChain of custodyUnderstanding the analysis processDates and time zonesHash analysisFile signature analysisAntivirusReporting your findingsDetails to include in your reportDocument facts and circumstancesThe report conclusionSummaryQuestionsFurther reading
Exploring evidenceUnderstanding the forensic examination environmentTool validationCreating sterile mediaUnderstanding write blockingHardware write blockerSoftware write blockerDefining forensic imagingDD imageEnCase evidence fileSSD deviceImaging toolsFTK ImagerPALADINSummaryQuestionsFurther reading
Understanding the boot processForensic boot mediaCreating a bootable forensic deviceHard drivesDrive geometryMBR (Master Boot Record) partitionsExtended partitionsGPT partitionsHost Protected Area (HPA) and Device Configuration Overlay (DCO)Understanding filesystemsThe FAT filesystemBoot recordFile allocation tableData areaLong filenamesRecovering deleted filesSlack spaceUnderstanding the NTFS filesystemSummaryQuestionsFurther reading
Timeline analysisX-WaysPlaso (Plaso Langar Að Safna Öllu)Media analysisString searchRecovering deleted dataSummaryQuestionsFurther readingExerciseData setSoftware neededEmail exerciseData carving exercise
Understanding user profilesUnderstanding Windows RegistryDetermining account usageLast login/last password changeDetermining file knowledgeExploring the thumbcacheExploring Microsoft browsersDetermining most recently used/recently usedLooking into the Recycle BinUnderstanding shortcut (LNK) filesDeciphering JumpListsOpening shellbagsUnderstanding prefetchIdentifying physical locationsDetermining time zonesExploring network historyUnderstanding the WLAN event logExploring program executionDetermining UserAssistExploring the ShimcacheUnderstanding USB/attached devicesSummaryQuestionsFurther readingExerciseData setSoftware neededScenario
Fundamentals of memoryRandom access memory?Identifying sources of memoryCapturing RAMPreparing the capturing deviceExploring RAM capture toolsUsing DumpItUsing FTK ImagerExploring RAM analyzing toolsUsing Bulk ExtractorUsing VOLIX IISummaryQuestionsFurther reading
Understanding email protocolsUnderstanding SMTP – Simple Mail Transfer ProtocolUnderstanding the Post Office ProtocolIMAP – Internet Message Access ProtocolUnderstanding web-based emailDecoding emailUnderstanding the email message formatEmail attachmentsUnderstanding client-based email analysisExploring Microsoft Outlook/Outlook ExpressExploring Microsoft Windows Live MailMozilla ThunderbirdUnderstanding WebMail analysisSummaryQuestionsFurther readingExerciseData setSoftware neededScenarioInterviewsEmail accountsQuestion to answer
Understanding browsersExploring Google ChromeUnderstanding bookmarksUnderstanding the Chrome history fileCookiesCachePasswordsExploring Internet Explorer/Microsoft Edge (Old Version)BookmarksIE historyTyped URLCacheCookiesExploring FirefoxProfilesCache CookiesHistoryPasswordsBookmarksSocial mediaFacebookTwitterService providerP2P file sharingAreseMuleShareazaCloud computingSummaryQuestionsFurther reading

Undercover investigationsUndercover platformOnline personaBackground searchesPreserving online communicationsSummaryQuestionsFurther reading
The Open Source Interconnection (OSI) modelPhysical (Layer 1)Data link (Layer 2)Network (Layer 3)Transport (Layer 4)Session (Layer 5)Presentation (Layer 6)Application (Layer 7)EncapsulationTCP/IPIPv4Port numbersIPv6Application layer protocolsTransport layer protocolsInternet layer protocolsSummaryQuestionsFurther reading
Effective note takingWriting the reportEvidence analyzedAcquisition detailsAnalysis detailsExhibits/technical detailsSummaryQuestionsFurther reading
Understanding the types of proceedingsBeginning the preparation phaseUnderstanding the curriculum vitaeUnderstanding testimony and evidenceUnderstanding the importance of ethical behaviorSummaryQuestionsFurther reading
Chapter 01Chapter 02Chapter 03Chapter 04Chapter 05Chapter 06Chapter 07Chapter 08Chapter 09Chapter 10Chapter 11Chapter 12Chapter 13

Content preview from Learn Computer Forensics - Second Edition

7 RAM Memory Forensic Analysis

RAM is a vital source of digital evidence that has been neglected and ignored historically. As our knowledge of digital evidence grew, examiners realized the source of potential digital evidence that existed in RAM. Ultimately, you have an additional multi-gigabyte source of information that needs to be examined and may contain digital artifacts that do not exist in the traditional locations of the system.

In this chapter, we will cover the fundamentals of memory. We will then look at the different sources of memory and learn to capture RAM using RAM capture tools. By the end of this chapter, you will understand the various methods and tools that can process volatile memory.

We’ll be covering the following topics ...