book

Learn Computer Forensics

by William Oettinger

April 2020

Beginner

368 pages

8h 12m

English

Packt Publishing

Read now

Unlock full access

Why subscribe?ContributorsAbout the authorAbout the reviewerPackt is searching for authors like you
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchReviews
Differences in computer-based investigationsCriminal investigationsFirst respondersCorporate investigationsEmployee misconductCorporate espionageInsider threatSummaryQuestionsFurther reading
Pre-investigation considerationsThe forensic workstationThe response kitForensic softwareForensic investigator trainingUnderstanding case information and legal issuesUnderstanding data acquisition Chain of custodyUnderstanding the analysis processDates and time zonesHash analysisFile signature analysisAntivirusReporting your findingsDetails to include in your reportDocument facts and circumstancesThe report conclusionSummaryQuestionsFurther reading
Exploring evidence Understanding the forensic examination environment Tool validationCreating sterile media Understanding write blockingDefining forensic imaging DD imageEnCase evidence file SSD deviceImaging toolsSummaryQuestionsFurther reading
Understanding the boot processForensic boot mediaHard drivesMBR (Master Boot Record) partitionsGPT partitionsHost Protected Area (HPA) and Device Configuration Overlays (DCO)Understanding filesystemsThe FAT filesystemData areaLong filenamesRecovering deleted filesSlack spaceUnderstanding the NTFS filesystemSummaryQuestionsFurther reading
Timeline analysisX-Ways Media analysisString searchRecovering deleted dataSummaryQuestionsFurther reading
Understanding user profilesUnderstanding Windows RegistryDetermining account usageLast login/last password changeDetermining file knowledgeExploring the thumbcacheExploring Microsoft browsersDetermining most recently used/recently usedLooking into the Recycle BinUnderstanding shortcut (LNK) filesDeciphering JumpListsOpening shellbagsUnderstanding prefetchIdentifying physical locationsDetermining time zonesExploring network historyUnderstanding the WLAN event logExploring program executionDetermining UserAssistExploring ShimcacheUnderstanding USB/attached devices SummaryQuestionsFurther reading

Fundamentals of memory Random access memory?Identifying sources of memoryCapturing RAMPreparing the capturing deviceExploring RAM capture toolsExploring RAM analyzing toolsUsing Bulk Extractor SummaryQuestionsFurther reading
Understanding email protocolsUnderstanding SMTP – Simple Mail Transfer Protocol Understanding the Post Office ProtocolIMAP – Internet Message Access ProtocolUnderstanding web-based emailDecoding emailUnderstanding the email message formatEmail attachmentsUnderstanding client-based email analysisExploring Microsoft Outlook/Outlook ExpressExploring Microsoft Windows Live MailMozilla ThunderbirdUnderstanding WebMail analysis SummaryQuestionsFurther reading
Understanding browsersExploring Google ChromeExploring Internet Explorer/Microsoft EdgeExploring FirefoxSocial mediaFacebookTwitterService providerPeer-to-Peer file sharingAreseMuleShareazaCloud computingSummaryQuestionsFurther reading
Effective note takingWriting the reportEvidence analyzedAcquisition detailsAnalysis detailsExhibits/technical detailsSummaryQuestionsFurther reading
Understanding the types of proceedingsBeginning the preparation phaseUnderstanding the curriculum vitaeUnderstanding testimony and evidenceUnderstanding the importance of ethical behaviorSummaryQuestionsFurther reading
Chapter 01Chapter 02Chapter 03Chapter 04Chapter 05Chapter 06Chapter 07Chapter 08Chapter 09Chapter 10Chapter 11
Leave a review - let other readers know what you think

Content preview from Learn Computer Forensics

Chapter 5: Computer Investigation Process

Being a digital forensic examiner requires you to have a plan to conduct the investigation. For instance, there is the kitchen sink approach – where the person requesting the examination states, I want it all. However, this is not practical when the smallest drive from a system might contain hundreds of thousands of pages or events. While the kitchen sink approach is a plan, it may not be the most efficient.

In reality, your search method will depend on the crime you are investigating, and whether there are limitations to the scope of the search. In some investigations, the judicial authority may restrict an investigator's access to digital evidence to only email messages, or you may be limited to a ...