book

System Forensics, Investigation, and Response, 3rd Edition

Name: System Forensics, Investigation, and Response, 3rd Edition
Author: Chuck Easttom
ISBN: 9781284121858

by Chuck Easttom

August 2017

Intermediate to advanced

336 pages

11h 39m

English

Jones & Bartlett Learning

Read now

Unlock full access

Cover Page
Title Page
Copyright Page
Content
Preface
About the Author
PART I Introduction to Forensics
CHAPTER 1 Introduction to Forensics
What Is Computer Forensics?
Using Scientific KnowledgeCollectingAnalyzingPresenting
Understanding the Field of Digital Forensics
What Is Digital Evidence?Scope-Related Challenges to System ForensicsTypes of Digital System Forensics AnalysisGeneral Guidelines

Knowledge Needed for Computer Forensics Analysis
HardwareSoftwareNetworksAddressesObscured Information and Anti-Forensics
The Daubert Standard
U.S. Laws Affecting Digital Forensics
The Federal Privacy Act of 1974The Privacy Protection Act of 1980The Communications Assistance for Law Enforcement Act of 1994The Electronic Communications Privacy Act of 1986The Computer Security Act of 1987The Foreign Intelligence Surveillance Act of 1978The Child Protection and Sexual Predator Punishment Act of 1998The Children’s Online Privacy Protection Act of 1998The Communications Decency Act of 1996The Telecommunications Act of 1996The Wireless Communications and Public Safety Act of 1999The USA Patriot Act of 2001The Sarbanes-Oxley Act of 200218 U.S.C. § 1030: Fraud and Related Activity in Connection with Computers18 U.S.C. § 1020: Fraud and Related Activity in Connection with Access DevicesThe Digital Millennium Copyright Act (DMCA) of 199818 U.S.C. § 1028A: Identity Theft and Aggravated Identity Theft18 U.S.C. § 2251: Sexual Exploitation of ChildrenWarrants
Federal Guidelines
The FBIThe Secret ServiceThe Regional Computer Forensics Laboratory Program
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Overview of Computer Crime
How Computer Crime Affects Forensics
Identity Theft
PhishingSpywareDiscarded InformationHow Does This Crime Affect Forensics?
Hacking
SQL InjectionCross-Site ScriptingOphcrackTricking Tech SupportHacking in General
Cyberstalking and Harassment
Real Cyberstalking Cases
Fraud
Investment OffersData Piracy
Non-Access Computer Crimes
Denial of ServiceVirusesLogic Bombs
Cyberterrorism
How Does This Crime Affect Forensics?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 Forensic Methods and Labs
Forensic Methodologies
Handle Original Data as Little as PossibleComply with the Rules of EvidenceAvoid Exceeding Your KnowledgeCreate an Analysis PlanTechnical Information Collection Considerations
Formal Forensic Approaches
Department of Defense Forensic StandardsThe Digital Forensic Research Workshop FrameworkThe Scientific Working Group on Digital Evidence FrameworkAn Event-Based Digital Forensics Investigation Framework
Documentation of Methodologies and Findings
Disk StructureFile Slack Searching
Evidence-Handling Tasks
Evidence-Gathering MeasuresExpert Reports
How to Set Up a Forensic Lab
EquipmentSecurityAmerican Society of Crime Laboratory Directors
Common Forensic Software Programs
EnCaseForensic ToolkitOSForensicsHelixKali LinuxAnaDisk Disk Analysis ToolCopyQM Plus Disk Duplication SoftwareThe Sleuth KitDisk Investigator
Forensic Certifications
EnCase Certified Examiner CertificationAccessData Certified ExaminerOSForensicsCertified Cyber Forensics ProfessionalEC Council Computer Hacking Forensic InvestigatorHigh Tech Crime Network CertificationsGlobal Information Assurance Certification Certifications
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
PART II Technical Overview: SystemForensics Tools, Techniques, and Methods
CHAPTER 4 Collecting, Seizing, and Protecting Evidence
Proper Procedure
Shutting Down the ComputerTransporting the Computer System to a Secure LocationPreparing the SystemDocumenting the Hardware Configuration of the SystemMathematically Authenticating Data on All Storage Devices
Handling Evidence
Collecting DataDocumenting Filenames, Dates, and TimesIdentifying File, Program, and Storage AnomaliesEvidence-Gathering Measures
Storage Formats
Magnetic MediaSolid-State DrivesDigital Audio Tape DrivesDigital Linear Tape and Super DLTOptical MediaUsing USB DrivesFile Formats
Forensic Imaging
Imaging with EnCaseImaging with the Forensic ToolkitImaging with OSForensics
RAID Acquisitions
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
CHAPTER LAB
CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
Steganography
Historical SteganographySteganophonyVideo SteganographyMore Advanced SteganographySteganalysisInvisible SecretsMP3StegoAdditional Resources
Encryption
The History of EncryptionModern CryptographyBreaking Encryption
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
CHAPTER 6 Recovering Data
Undeleting Data
File Systems and Hard DrivesWindowsForensically Scrubbing a File or FolderLinuxMacintosh
Recovering Information from Damaged Media
Physical Damage Recovery TechniquesRecovering Data After Logical Damage
File Carving
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 Email Forensics
How Email Works
Email Protocols
Faking Email
Email Headers
Getting Headers in OutlookGetting Headers from Yahoo! EmailGetting Headers from GmailOther Email ClientsEmail FilesParaben’s Email ExaminerReadPST
Tracing Email
Email Server Forensics
Email and the Law
The Fourth Amendment to the U.S. ConstitutionThe Electronic Communications Privacy ActThe CAN-SPAM Act18 U.S.C. 2252BThe Communication Assistance to Law Enforcement ActThe Foreign Intelligence Surveillance ActThe USA Patriot Act
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 Windows Forensics
Windows Details
Windows History64-BitThe Boot ProcessImportant Files
Volatile Data
Tools
Windows Swap File
Windows Logs
Windows Directories
UserAssistUnallocated/Slack SpaceAlternate Data Streams
Index.dat
Windows Files and Permissions
MAC
The Registry
USB InformationWireless NetworksTracking Word Documents in the RegistryMalware in the RegistryUninstalled SoftwarePasswordsShellBagPrefetch
Volume Shadow Copy
Memory Forensics
Volatility
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Linux Forensics
Linux and Forensics
Linux Basics
Linux HistoryLinux ShellsGraphical User InterfaceK Desktop Environment (KDE)/PlasmaLinux Boot ProcessLogical Volume ManagerLinux Distributions
Linux File Systems
ExtThe Reiser File SystemThe Berkeley Fast File System
Linux Logs
The /var/log/faillog LogThe /var/log/kern.log LogThe /var/log/lpr.log LogThe /var/log/mail.* LogThe /var/log/mysql.* LogThe /var/log/apache2/* LogThe /var/log/lighttpd/* LogThe /var/log/apport.log LogOther LogsViewing Logs
Linux Directories
The /root DirectoryThe /bin DirectoryThe /sbin DirectoryThe /etc FolderThe /etc/inittab FileThe /dev DirectoryThe /mnt DirectoryThe /boot DirectoryThe /usr DirectoryThe /var DirectoryThe /var/spool DirectoryThe /proc Directory
Shell Commands for Forensics
The dmesg CommandThe fsck CommandThe grep CommandThe history CommandThe mount CommandThe ps CommandThe pstree CommandThe pgrep CommandThe top CommandThe kill CommandThe file CommandThe su CommandThe who CommandThe finger CommandThe dd CommandThe ls CommandCan You Undelete in Linux?Manual Method
Kali Linux Forensics
Forensics Tools for Linux
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Macintosh Forensics
Mac Basics
Mac HistoryMac File SystemsPartition Types
Macintosh Logs
The /var/log LogThe /var/spool/cups FolderThe /Library/Receipts FolderThe /Users/<user>/.bash_history LogThe /var/vm FolderThe /Users/ DirectoryThe /Users/<user>/Library/Preferences/ Folder
Directories
The /Volumes DirectoryThe /Users DirectoryThe /Applications DirectoryThe /Network DirectoryThe /etc DirectoryThe /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File
Macintosh Forensic Techniques
Target Disk ModeSearching Virtual MemoryShell Commands
How to Examine a Mac
Can You Undelete in Mac?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 Mobile Forensics
Cellular Device Concepts
TermsOperating SystemsThe BlackBerry
What Evidence You Can Get from a Cell Phone
Types of InvestigationsPhone states
Seizing Evidence from a Mobile Device
The iPhoneBlackBerry
JTAG
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Performing Network Analysis
Network Packet Analysis
Network PacketsNetwork AttacksNetwork Traffic Analysis Tools
Network Traffic Analysis
Using Log Files as EvidenceWireless
Router Forensics
Router BasicsTypes of Router AttacksGetting Evidence from the Router
Firewall Forensics
Firewall BasicsCollecting Data
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
PART III Incident Response and Resources
CHAPTER 13 Incident and Intrusion Response
Disaster Recovery
Incident Response PlanIncident Response
Preserving Evidence
Adding Forensics to Incident Response
Forensic ResourcesForensics and Policy
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 Trends and Future Directions
Technical Trends
What Impact Does This Have on Forensics?Software as a ServiceThe CloudWhat Impact Does Cloud Computing Have on Forensics?
Legal and Procedural Trends
Changes in the LawThe USA Patriot ActPrivate LabsInternational IssuesTechniques
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 System Forensics Resources
Tools to Use
ASR Data Acquisition & AnalysisAccessData Forensic ToolkitOSForensicsComputerCOPDigital DetectiveDigital IntelligenceDisk InvestigatorEnCaseX-Ways Software Technology AGOther Tools
Resources
International Association of Computer Investigative SpecialistsEnCase Certified Examiner CertificationAccessData Certified ExaminerCertified Hacking Forensic InvestigatorCertified Cyber Forensics ProfessionalSANS InstituteAmerican Academy of Forensic SciencesWebsitesJournalsConferences
Laws
The USA Patriot ActThe Electronic Communications Privacy Act of 1986The Communications Assistance to Law Enforcement Act of 1996The Health Insurance Portability and Accountability Act of 1996
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index

Content preview from System Forensics, Investigation, and Response, 3rd Edition

Proper Procedure

It is important to follow proper procedure when examining a suspect machine. This chapter covers specific details on the proper procedure to follow when collecting, seizing, and protecting evidence.

Shutting Down the Computer

At one time it was recommended that the first step to analyzing a computer was to shut it down. However, it soon became apparent that one could lose valuable evidence found in running processes or memory. It also may be the case that the computer is using hard drive encryption. If you simply shut the system down, you may not be able to get back into the system. Before you shut the system down, at a minimum, you need to see what is currently running on the computer. Remember, you want to touch it as ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Scene of the Cybercrime: Computer Forensics Handbook

Publisher Resources

ISBN: 9781284121858

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

System Forensics, Investigation, and Response, 3rd Edition

by Chuck Easttom

Proper Procedure

Shutting Down the Computer

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Scene of the Cybercrime: Computer Forensics Handbook

Network Forensics

Cybercrime Investigators Handbook

Forensic Analytics: Methods and Techniques for Forensic Accounting Investigations

Publisher Resources