System Forensics, Investigation, and Response, 3rd Edition

Book description

Part of the Jones & Bartlett Learning Information Systems Security & Assurance Series! System Forensics, Investigation, and Response, Third Edition examines the fundamental concepts readers must know as they prepare for a career in the cutting-edge field of system forensics.

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Content
  5. Preface
  6. About the Author
  7. PART I Introduction to Forensics
    1. CHAPTER 1 Introduction to Forensics
      1. What Is Computer Forensics?
        1. Using Scientific Knowledge
        2. Collecting
        3. Analyzing
        4. Presenting
      2. Understanding the Field of Digital Forensics
        1. What Is Digital Evidence?
        2. Scope-Related Challenges to System Forensics
        3. Types of Digital System Forensics Analysis
        4. General Guidelines
      3. Knowledge Needed for Computer Forensics Analysis
        1. Hardware
        2. Software
        3. Networks
        4. Addresses
        5. Obscured Information and Anti-Forensics
      4. The Daubert Standard
      5. U.S. Laws Affecting Digital Forensics
        1. The Federal Privacy Act of 1974
        2. The Privacy Protection Act of 1980
        3. The Communications Assistance for Law Enforcement Act of 1994
        4. The Electronic Communications Privacy Act of 1986
        5. The Computer Security Act of 1987
        6. The Foreign Intelligence Surveillance Act of 1978
        7. The Child Protection and Sexual Predator Punishment Act of 1998
        8. The Children’s Online Privacy Protection Act of 1998
        9. The Communications Decency Act of 1996
        10. The Telecommunications Act of 1996
        11. The Wireless Communications and Public Safety Act of 1999
        12. The USA Patriot Act of 2001
        13. The Sarbanes-Oxley Act of 2002
        14. 18 U.S.C. § 1030: Fraud and Related Activity in Connection with Computers
        15. 18 U.S.C. § 1020: Fraud and Related Activity in Connection with Access Devices
        16. The Digital Millennium Copyright Act (DMCA) of 1998
        17. 18 U.S.C. § 1028A: Identity Theft and Aggravated Identity Theft
        18. 18 U.S.C. § 2251: Sexual Exploitation of Children
        19. Warrants
      6. Federal Guidelines
        1. The FBI
        2. The Secret Service
        3. The Regional Computer Forensics Laboratory Program
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 1 ASSESSMENT
    2. CHAPTER 2 Overview of Computer Crime
      1. How Computer Crime Affects Forensics
      2. Identity Theft
        1. Phishing
        2. Spyware
        3. Discarded Information
        4. How Does This Crime Affect Forensics?
      3. Hacking
        1. SQL Injection
        2. Cross-Site Scripting
        3. Ophcrack
        4. Tricking Tech Support
        5. Hacking in General
      4. Cyberstalking and Harassment
        1. Real Cyberstalking Cases
      5. Fraud
        1. Investment Offers
        2. Data Piracy
      6. Non-Access Computer Crimes
        1. Denial of Service
        2. Viruses
        3. Logic Bombs
      7. Cyberterrorism
        1. How Does This Crime Affect Forensics?
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 2 ASSESSMENT
    3. CHAPTER 3 Forensic Methods and Labs
      1. Forensic Methodologies
        1. Handle Original Data as Little as Possible
        2. Comply with the Rules of Evidence
        3. Avoid Exceeding Your Knowledge
        4. Create an Analysis Plan
        5. Technical Information Collection Considerations
      2. Formal Forensic Approaches
        1. Department of Defense Forensic Standards
        2. The Digital Forensic Research Workshop Framework
        3. The Scientific Working Group on Digital Evidence Framework
        4. An Event-Based Digital Forensics Investigation Framework
      3. Documentation of Methodologies and Findings
        1. Disk Structure
        2. File Slack Searching
      4. Evidence-Handling Tasks
        1. Evidence-Gathering Measures
        2. Expert Reports
      5. How to Set Up a Forensic Lab
        1. Equipment
        2. Security
        3. American Society of Crime Laboratory Directors
      6. Common Forensic Software Programs
        1. EnCase
        2. Forensic Toolkit
        3. OSForensics
        4. Helix
        5. Kali Linux
        6. AnaDisk Disk Analysis Tool
        7. CopyQM Plus Disk Duplication Software
        8. The Sleuth Kit
        9. Disk Investigator
      7. Forensic Certifications
        1. EnCase Certified Examiner Certification
        2. AccessData Certified Examiner
        3. OSForensics
        4. Certified Cyber Forensics Professional
        5. EC Council Computer Hacking Forensic Investigator
        6. High Tech Crime Network Certifications
        7. Global Information Assurance Certification Certifications
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 3 ASSESSMENT
  8. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
    1. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
      1. Proper Procedure
        1. Shutting Down the Computer
        2. Transporting the Computer System to a Secure Location
        3. Preparing the System
        4. Documenting the Hardware Configuration of the System
        5. Mathematically Authenticating Data on All Storage Devices
      2. Handling Evidence
        1. Collecting Data
        2. Documenting Filenames, Dates, and Times
        3. Identifying File, Program, and Storage Anomalies
        4. Evidence-Gathering Measures
      3. Storage Formats
        1. Magnetic Media
        2. Solid-State Drives
        3. Digital Audio Tape Drives
        4. Digital Linear Tape and Super DLT
        5. Optical Media
        6. Using USB Drives
        7. File Formats
      4. Forensic Imaging
        1. Imaging with EnCase
        2. Imaging with the Forensic Toolkit
        3. Imaging with OSForensics
      5. RAID Acquisitions
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 4 ASSESSMENT
      9. CHAPTER LAB
    2. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
      1. Steganography
        1. Historical Steganography
        2. Steganophony
        3. Video Steganography
        4. More Advanced Steganography
        5. Steganalysis
        6. Invisible Secrets
        7. MP3Stego
        8. Additional Resources
      2. Encryption
        1. The History of Encryption
        2. Modern Cryptography
        3. Breaking Encryption
      3. CHAPTER SUMMARY
      4. KEY CONCEPTS AND TERMS
      5. CHAPTER 5 ASSESSMENT
    3. CHAPTER 6 Recovering Data
      1. Undeleting Data
        1. File Systems and Hard Drives
        2. Windows
        3. Forensically Scrubbing a File or Folder
        4. Linux
        5. Macintosh
      2. Recovering Information from Damaged Media
        1. Physical Damage Recovery Techniques
        2. Recovering Data After Logical Damage
      3. File Carving
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 6 ASSESSMENT
    4. CHAPTER 7 Email Forensics
      1. How Email Works
      2. Email Protocols
        1. Faking Email
      3. Email Headers
        1. Getting Headers in Outlook
        2. Getting Headers from Yahoo! Email
        3. Getting Headers from Gmail
        4. Other Email Clients
        5. Email Files
        6. Paraben’s Email Examiner
        7. ReadPST
      4. Tracing Email
      5. Email Server Forensics
      6. Email and the Law
        1. The Fourth Amendment to the U.S. Constitution
        2. The Electronic Communications Privacy Act
        3. The CAN-SPAM Act
        4. 18 U.S.C. 2252B
        5. The Communication Assistance to Law Enforcement Act
        6. The Foreign Intelligence Surveillance Act
        7. The USA Patriot Act
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 7 ASSESSMENT
    5. CHAPTER 8 Windows Forensics
      1. Windows Details
        1. Windows History
        2. 64-Bit
        3. The Boot Process
        4. Important Files
      2. Volatile Data
        1. Tools
      3. Windows Swap File
      4. Windows Logs
      5. Windows Directories
        1. UserAssist
        2. Unallocated/Slack Space
        3. Alternate Data Streams
      6. Index.dat
      7. Windows Files and Permissions
        1. MAC
      8. The Registry
        1. USB Information
        2. Wireless Networks
        3. Tracking Word Documents in the Registry
        4. Malware in the Registry
        5. Uninstalled Software
        6. Passwords
        7. ShellBag
        8. Prefetch
      9. Volume Shadow Copy
      10. Memory Forensics
        1. Volatility
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 8 ASSESSMENT
    6. CHAPTER 9 Linux Forensics
      1. Linux and Forensics
      2. Linux Basics
        1. Linux History
        2. Linux Shells
        3. Graphical User Interface
        4. K Desktop Environment (KDE)/Plasma
        5. Linux Boot Process
        6. Logical Volume Manager
        7. Linux Distributions
      3. Linux File Systems
        1. Ext
        2. The Reiser File System
        3. The Berkeley Fast File System
      4. Linux Logs
        1. The /var/log/faillog Log
        2. The /var/log/kern.log Log
        3. The /var/log/lpr.log Log
        4. The /var/log/mail.* Log
        5. The /var/log/mysql.* Log
        6. The /var/log/apache2/* Log
        7. The /var/log/lighttpd/* Log
        8. The /var/log/apport.log Log
        9. Other Logs
        10. Viewing Logs
      5. Linux Directories
        1. The /root Directory
        2. The /bin Directory
        3. The /sbin Directory
        4. The /etc Folder
        5. The /etc/inittab File
        6. The /dev Directory
        7. The /mnt Directory
        8. The /boot Directory
        9. The /usr Directory
        10. The /var Directory
        11. The /var/spool Directory
        12. The /proc Directory
      6. Shell Commands for Forensics
        1. The dmesg Command
        2. The fsck Command
        3. The grep Command
        4. The history Command
        5. The mount Command
        6. The ps Command
        7. The pstree Command
        8. The pgrep Command
        9. The top Command
        10. The kill Command
        11. The file Command
        12. The su Command
        13. The who Command
        14. The finger Command
        15. The dd Command
        16. The ls Command
        17. Can You Undelete in Linux?
        18. Manual Method
      7. Kali Linux Forensics
      8. Forensics Tools for Linux
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 9 ASSESSMENT
    7. CHAPTER 10 Macintosh Forensics
      1. Mac Basics
        1. Mac History
        2. Mac File Systems
        3. Partition Types
      2. Macintosh Logs
        1. The /var/log Log
        2. The /var/spool/cups Folder
        3. The /Library/Receipts Folder
        4. The /Users/<user>/.bash_history Log
        5. The /var/vm Folder
        6. The /Users/ Directory
        7. The /Users/<user>/Library/Preferences/ Folder
      3. Directories
        1. The /Volumes Directory
        2. The /Users Directory
        3. The /Applications Directory
        4. The /Network Directory
        5. The /etc Directory
        6. The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File
      4. Macintosh Forensic Techniques
        1. Target Disk Mode
        2. Searching Virtual Memory
        3. Shell Commands
      5. How to Examine a Mac
      6. Can You Undelete in Mac?
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 10 ASSESSMENT
    8. CHAPTER 11 Mobile Forensics
      1. Cellular Device Concepts
        1. Terms
        2. Operating Systems
        3. The BlackBerry
      2. What Evidence You Can Get from a Cell Phone
        1. Types of Investigations
        2. Phone States
      3. Seizing Evidence from a Mobile Device
        1. The iPhone
        2. BlackBerry
      4. JTAG
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 11 ASSESSMENT
    9. CHAPTER 12 Performing Network Analysis
      1. Network Packet Analysis
        1. Network Packets
        2. Network Attacks
        3. Network Traffic Analysis Tools
      2. Network Traffic Analysis
        1. Using Log Files as Evidence
        2. Wireless
      3. Router Forensics
        1. Router Basics
        2. Types of Router Attacks
        3. Getting Evidence from the Router
      4. Firewall Forensics
        1. Firewall Basics
        2. Collecting Data
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 12 ASSESSMENT
  9. PART III Incident Response and Resources
    1. CHAPTER 13 Incident and Intrusion Response
      1. Disaster Recovery
        1. Incident Response Plan
        2. Incident Response
      2. Preserving Evidence
      3. Adding Forensics to Incident Response
        1. Forensic Resources
        2. Forensics and Policy
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 13 ASSESSMENT
    2. CHAPTER 14 Trends and Future Directions
      1. Technical Trends
        1. What Impact Does This Have on Forensics?
        2. Software as a Service
        3. The Cloud
        4. What Impact Does Cloud Computing Have on Forensics?
      2. Legal and Procedural Trends
        1. Changes in the Law
        2. The USA Patriot Act
        3. Private Labs
        4. International Issues
        5. Techniques
      3. CHAPTER SUMMARY
      4. KEY CONCEPTS AND TERMS
      5. CHAPTER 14 ASSESSMENT
    3. CHAPTER 15 System Forensics Resources
      1. Tools to Use
        1. ASR Data Acquisition & Analysis
        2. AccessData Forensic Toolkit
        3. OSForensics
        4. ComputerCOP
        5. Digital Detective
        6. Digital Intelligence
        7. Disk Investigator
        8. EnCase
        9. X-Ways Software Technology AG
        10. Other Tools
      2. Resources
        1. International Association of Computer Investigative Specialists
        2. EnCase Certified Examiner Certification
        3. AccessData Certified Examiner
        4. Certified Hacking Forensic Investigator
        5. Certified Cyber Forensics Professional
        6. SANS Institute
        7. American Academy of Forensic Sciences
        8. Websites
        9. Journals
        10. Conferences
      3. Laws
        1. The USA Patriot Act
        2. The Electronic Communications Privacy Act of 1986
        3. The Communications Assistance to Law Enforcement Act of 1996
        4. The Health Insurance Portability and Accountability Act of 1996
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 15 ASSESSMENT
  10. APPENDIX A Answer Key
  11. APPENDIX B Standard Acronyms
  12. Glossary of Key Terms
  13. References
  14. Index

Product information

  • Title: System Forensics, Investigation, and Response, 3rd Edition
  • Author(s): Chuck Easttom
  • Release date: August 2017
  • Publisher(s): Jones & Bartlett Learning
  • ISBN: 9781284121858