book

Learn Computer Forensics

by William Oettinger

April 2020

Beginner

368 pages

8h 12m

English

Packt Publishing

Read now

Unlock full access

Why subscribe?ContributorsAbout the authorAbout the reviewerPackt is searching for authors like you
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchReviews
Differences in computer-based investigationsCriminal investigationsFirst respondersCorporate investigationsEmployee misconductCorporate espionageInsider threatSummaryQuestionsFurther reading
Pre-investigation considerationsThe forensic workstationThe response kitForensic softwareForensic investigator trainingUnderstanding case information and legal issuesUnderstanding data acquisition Chain of custodyUnderstanding the analysis processDates and time zonesHash analysisFile signature analysisAntivirusReporting your findingsDetails to include in your reportDocument facts and circumstancesThe report conclusionSummaryQuestionsFurther reading
Exploring evidence Understanding the forensic examination environment Tool validationCreating sterile media Understanding write blockingDefining forensic imaging DD imageEnCase evidence file SSD deviceImaging toolsSummaryQuestionsFurther reading
Understanding the boot processForensic boot mediaHard drivesMBR (Master Boot Record) partitionsGPT partitionsHost Protected Area (HPA) and Device Configuration Overlays (DCO)Understanding filesystemsThe FAT filesystemData areaLong filenamesRecovering deleted filesSlack spaceUnderstanding the NTFS filesystemSummaryQuestionsFurther reading
Timeline analysisX-Ways Media analysisString searchRecovering deleted dataSummaryQuestionsFurther reading
Understanding user profilesUnderstanding Windows RegistryDetermining account usageLast login/last password changeDetermining file knowledgeExploring the thumbcacheExploring Microsoft browsersDetermining most recently used/recently usedLooking into the Recycle BinUnderstanding shortcut (LNK) filesDeciphering JumpListsOpening shellbagsUnderstanding prefetchIdentifying physical locationsDetermining time zonesExploring network historyUnderstanding the WLAN event logExploring program executionDetermining UserAssistExploring ShimcacheUnderstanding USB/attached devices SummaryQuestionsFurther reading

Fundamentals of memory Random access memory?Identifying sources of memoryCapturing RAMPreparing the capturing deviceExploring RAM capture toolsExploring RAM analyzing toolsUsing Bulk Extractor SummaryQuestionsFurther reading
Understanding email protocolsUnderstanding SMTP – Simple Mail Transfer Protocol Understanding the Post Office ProtocolIMAP – Internet Message Access ProtocolUnderstanding web-based emailDecoding emailUnderstanding the email message formatEmail attachmentsUnderstanding client-based email analysisExploring Microsoft Outlook/Outlook ExpressExploring Microsoft Windows Live MailMozilla ThunderbirdUnderstanding WebMail analysis SummaryQuestionsFurther reading
Understanding browsersExploring Google ChromeExploring Internet Explorer/Microsoft EdgeExploring FirefoxSocial mediaFacebookTwitterService providerPeer-to-Peer file sharingAreseMuleShareazaCloud computingSummaryQuestionsFurther reading
Effective note takingWriting the reportEvidence analyzedAcquisition detailsAnalysis detailsExhibits/technical detailsSummaryQuestionsFurther reading
Understanding the types of proceedingsBeginning the preparation phaseUnderstanding the curriculum vitaeUnderstanding testimony and evidenceUnderstanding the importance of ethical behaviorSummaryQuestionsFurther reading
Chapter 01Chapter 02Chapter 03Chapter 04Chapter 05Chapter 06Chapter 07Chapter 08Chapter 09Chapter 10Chapter 11
Leave a review - let other readers know what you think

Content preview from Learn Computer Forensics

Chapter 7: RAM Memory Forensic Analysis

RAM is a vital source of digital evidence that, historically, has been neglected and ignored. As our knowledge of digital evidence grew, examiners began to realize the source of potential digital evidence that existed in RAM. Ultimately, you have an additional multi-gigabyte source of information that needs to be examined and may contain digital artifacts that do not exist in the traditional locations of the system.

In this chapter, we will cover the fundamentals of memory. We will then look at the different sources of memory and learn to capture RAM using RAM capture tools. By the end of this chapter, you will be able to understand the various methods and tools that can process volatile memory.

We'll ...