Learn Computer Forensics

Book description

Get up and running with collecting digital evidence using forensic best practices and presenting your findings in judicial or administrative proceedings

Key Features

  • Learn the core techniques of computer forensics to acquire and secure digital evidence skillfully
  • Conduct a digital forensic examination and document the digital evidence collected
  • Perform a variety of Windows forensic investigations to analyze and overcome complex challenges

Book Description

A computer forensics investigator must possess a variety of skills, including the ability to answer legal questions, gather and document evidence, and prepare for an investigation. This book will help you get up and running with using digital forensic tools and techniques to investigate cybercrimes successfully.

Starting with an overview of forensics and the open source and commercial tools needed to get the job done, you'll learn core forensic practices for searching databases and analyzing data over networks, personal devices, and web applications. You'll then learn how to acquire valuable information from different places, such as filesystems, emails, browser histories, and search queries, and how to capture data remotely. As you advance, this book will guide you through applying forensic techniques on multiple platforms, such as Windows, Linux, and macOS, to demonstrate how to recover valuable information as evidence. Finally, you'll get to grips with presenting your findings effectively in judicial or administrative proceedings.

By the end of this book, you'll have developed a clear understanding of how to acquire, analyze, and present digital evidence like a proficient computer forensics investigator.

What you will learn

  • Understand investigative processes, the rules of evidence, and ethical guidelines
  • Recognize and document different types of computer hardware
  • Understand the boot process covering BIOS, UEFI, and the boot sequence
  • Validate forensic hardware and software
  • Discover the locations of common Windows artifacts
  • Document your findings using technically correct terminology
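Two of the analysis steps the book covers in Chapter 2, hash analysis (tying a working copy of an image back to the hashes recorded at acquisition) and file signature analysis (checking a file's leading bytes against its extension, and finding known headers in raw image data), can be shown in a few lines of Python. The script below is an added example, not code from the book or its author; the "disk image", the signature table and the file names are constructed here so it runs offline, and in a real examination the image would be the acquired dd or E01 file and the reference hashes would come from the acquisition worksheet.

```python
"""Added example: acquisition-hash verification and file-signature analysis.

Not code from the book. SAMPLE_IMAGE is a constructed byte string standing in for an
acquired disk image; the reference hashes are computed from it here, whereas in a real
case they would be the values written down when the image was acquired.
"""
import hashlib
import io
import os

# Constructed sample image: three 32-byte regions, each opening with a known header.
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 24   # PNG header at offset 0
    + b"%PDF-1.4\n" + b"\x00" * 23         # PDF header at offset 32
    + b"MZ" + b"\x00" * 30                 # DOS/PE executable header at offset 64
)

# File signatures ("magic numbers") and the extensions that legitimately carry them.
# Assumption: a small hand-written table; real tools ship tables with thousands of entries.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"%PDF": {".pdf"},
    b"MZ": {".exe", ".dll", ".sys"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".jar"},
}


def _as_stream(image):
    """Accept raw bytes (the constructed sample) or an already open binary file."""
    return io.BytesIO(image) if isinstance(image, (bytes, bytearray)) else image


def hash_image(image, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash an image in chunks so a multi-gigabyte file never has to fit in RAM."""
    stream = _as_stream(image)
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image, acquisition_hashes):
    """Re-hash the image and compare with the hashes recorded at acquisition time.

    Returns (match, computed) so both values can go into the report. A mismatch means
    the working copy can no longer be tied to the original evidence.
    """
    computed = hash_image(image, algorithms=tuple(acquisition_hashes))
    match = all(computed[a] == acquisition_hashes[a].lower() for a in acquisition_hashes)
    return match, computed


def identify_signature(header):
    """Return the extensions matching the leading bytes, or None if nothing matches."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None


def signature_mismatches(files):
    """files: iterable of (filename, leading bytes).

    Flags files whose extension disagrees with the content signature, the classic sign
    of a renamed file (an executable or image saved under .pdf to pass a casual look).
    Files with an unknown header are not flagged; they need manual review instead.
    """
    findings = []
    for name, header in files:
        ext = os.path.splitext(name)[1].lower()
        expected = identify_signature(header)
        if expected is not None and ext not in expected:
            findings.append((name, ext, sorted(expected)))
    return findings


def carve_headers(image_bytes):
    """Scan raw image data for known headers; returns (offset, extensions) by offset.

    This is the first step of carving files out of unallocated space when no
    filesystem metadata points at them.
    """
    hits = []
    for magic, exts in SIGNATURES.items():
        pos = image_bytes.find(magic)
        while pos != -1:
            hits.append((pos, sorted(exts)))
            pos = image_bytes.find(magic, pos + 1)
    return sorted(hits)


if __name__ == "__main__":
    acquisition_record = hash_image(SAMPLE_IMAGE)      # stands in for the worksheet
    ok, now = verify_image(SAMPLE_IMAGE, acquisition_record)
    print("image verifies:", ok, now["sha256"])

    tampered = SAMPLE_IMAGE[:-1] + b"\x01"             # one changed byte is enough
    print("tampered copy verifies:", verify_image(tampered, acquisition_record)[0])

    print("headers found in image:", carve_headers(SAMPLE_IMAGE))
    print("extension mismatches:", signature_mismatches([
        ("holiday.png", SAMPLE_IMAGE[0:8]),
        ("invoice.pdf", SAMPLE_IMAGE[64:72]),          # MZ bytes under a .pdf name
    ]))
```

The hashing is done in fixed-size chunks and with several algorithms in one pass, which is how you want to treat a large image: read it once, record every hash the lab requires, and never rely on a single algorithm when the opposing side may challenge it. The carving scan is deliberately simple (every occurrence of every header); a real carver would also use footers or length fields to bound each hit.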

Who this book is for

If you're an IT beginner, a student, or an investigator in the public or private sector, this book is for you. It will also help professionals and investigators who are new to incident response and digital forensics and are interested in making a career in the cybersecurity domain. Individuals planning to take the Certified Forensic Computer Examiner (CFCE) certification will also find this book useful.

Table of contents

  1. Learn Computer Forensics
  2. Why subscribe?
  3. Contributors
  4. About the author
  5. About the reviewer
  6. Packt is searching for authors like you
  7. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
    4. Conventions used
    5. Get in touch
    6. Reviews
  8. Section 1: Acquiring Evidence
  9. Chapter 1: Types of Computer-Based Investigations
    1. Differences in computer-based investigations
    2. Criminal investigations
      1. First responders
    3. Corporate investigations
      1. Employee misconduct
      2. Corporate espionage
      3. Insider threat
    4. Summary
    5. Questions
    6. Further reading
  10. Chapter 2: The Forensic Analysis Process
    1. Pre-investigation considerations
      1. The forensic workstation
      2. The response kit
      3. Forensic software
      4. Forensic investigator training
    2. Understanding case information and legal issues
    3. Understanding data acquisition
      1. Chain of custody
    4. Understanding the analysis process
      1. Dates and time zones
      2. Hash analysis
      3. File signature analysis
      4. Antivirus
    5. Reporting your findings
      1. Details to include in your report
      2. Document facts and circumstances
      3. The report conclusion
    6. Summary
    7. Questions
    8. Further reading
  11. Chapter 3: Acquisition of Evidence
    1. Exploring evidence
    2. Understanding the forensic examination environment
    3. Tool validation
    4. Creating sterile media
      1. Understanding write blocking
    5. Defining forensic imaging
      1. DD image
      2. EnCase evidence file
      3. SSD device
      4. Imaging tools
    6. Summary
    7. Questions
    8. Further reading
  12. Chapter 4: Computer Systems
    1. Understanding the boot process
      1. Forensic boot media
      2. Hard drives
      3. MBR (Master Boot Record) partitions
      4. GPT partitions
      5. Host Protected Area (HPA) and Device Configuration Overlays (DCO)
    2. Understanding filesystems
      1. The FAT filesystem
      2. Data area
      3. Long filenames
      4. Recovering deleted files
      5. Slack space
    3. Understanding the NTFS filesystem
    4. Summary
    5. Questions
    6. Further reading
  13. Section 2: Investigation
  14. Chapter 5: Computer Investigation Process
    1. Timeline analysis
      1. X-Ways
    2. Media analysis
    3. String search
    4. Recovering deleted data
    5. Summary
    6. Questions
    7. Further reading
  15. Chapter 6: Windows Artifact Analysis
    1. Understanding user profiles
    2. Understanding Windows Registry
    3. Determining account usage
      1. Last login/last password change
    4. Determining file knowledge
      1. Exploring the thumbcache
      2. Exploring Microsoft browsers
      3. Determining most recently used/recently used
      4. Looking into the Recycle Bin
      5. Understanding shortcut (LNK) files
      6. Deciphering JumpLists
      7. Opening shellbags
      8. Understanding prefetch
    5. Identifying physical locations
      1. Determining time zones
      2. Exploring network history
      3. Understanding the WLAN event log
    6. Exploring program execution
      1. Determining UserAssist
      2. Exploring Shimcache
    7. Understanding USB/attached devices
    8. Summary
    9. Questions
    10. Further reading
  16. Chapter 7: RAM Memory Forensic Analysis
    1. Fundamentals of memory
    2. Random access memory?
    3. Identifying sources of memory
    4. Capturing RAM
      1. Preparing the capturing device
      2. Exploring RAM capture tools
    5. Exploring RAM analyzing tools
      1. Using Bulk Extractor
    6. Summary
    7. Questions
    8. Further reading
  17. Chapter 8: Email Forensics – Investigation Techniques
    1. Understanding email protocols
      1. Understanding SMTP – Simple Mail Transfer Protocol
      2. Understanding the Post Office Protocol
      3. IMAP – Internet Message Access Protocol
      4. Understanding web-based email
    2. Decoding email
      1. Understanding the email message format
      2. Email attachments
    3. Understanding client-based email analysis
      1. Exploring Microsoft Outlook/Outlook Express
      2. Exploring Microsoft Windows Live Mail
      3. Mozilla Thunderbird
    4. Understanding WebMail analysis
    5. Summary
    6. Questions
    7. Further reading
  18. Chapter 9: Internet Artifacts
    1. Understanding browsers
      1. Exploring Google Chrome
      2. Exploring Internet Explorer/Microsoft Edge
      3. Exploring Firefox
    2. Social media
      1. Facebook
      2. Twitter
      3. Service provider
    3. Peer-to-Peer file sharing
      1. Ares
      2. eMule
      3. Shareaza
    4. Cloud computing
    5. Summary
    6. Questions
    7. Further reading
  19. Section 3: Reporting
  20. Chapter 10: Report Writing
    1. Effective note taking
    2. Writing the report
      1. Evidence analyzed
      2. Acquisition details
      3. Analysis details
      4. Exhibits/technical details
    3. Summary
    4. Questions
    5. Further reading
  21. Chapter 11: Expert Witness Ethics
    1. Understanding the types of proceedings
    2. Beginning the preparation phase
    3. Understanding the curriculum vitae
    4. Understanding testimony and evidence
    5. Understanding the importance of ethical behavior
    6. Summary
    7. Questions
    8. Further reading
  22. Assessments
    1. Chapter 01
    2. Chapter 02
    3. Chapter 03
    4. Chapter 04
    5. Chapter 05
    6. Chapter 06
    7. Chapter 07
    8. Chapter 08
    9. Chapter 09
    10. Chapter 10
    11. Chapter 11
  23. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Learn Computer Forensics
  • Author(s): William Oettinger
  • Release date: April 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781838648176