Computer Forensics InfoSec Pro Guide

Book Description

Security Smarts for the Self-Guided IT Professional. Find out how to excel in the field of computer forensics investigations. Learn what it takes to transition from an IT professional to a computer forensic examiner in the private sector. Written by a Certified Information Systems Security Professional, Computer Forensics: InfoSec Pro Guide is filled with real-world case studies that demonstrate the concepts covered in the book.

Table of Contents

  1. Cover 
  2. About the Author
  3. Title Page
  4. Copyright Page
  5. Contents at a Glance
  6. Contents 
  7. Acknowledgments
  8. Introduction
  9. PART I: Getting Started
    1. Chapter 1: What Is Computer Forensics?
      1. What You Can Do with Computer Forensics
      2. How People Get Involved in Computer Forensics
        1. Law Enforcement
        2. Military
        3. University Programs
        4. IT or Computer Security Professionals
      3. Incident Response vs. Computer Forensics
      4. How Computer Forensic Tools Work
        1. Types of Computer Forensic Tools
      5. Professional Licensing Requirements
    2. Chapter 2: Learning Computer Forensics
      1. Where and How to Get Training
        1. Law Enforcement Training
        2. Corporate Training
      2. Where and How to Get Certified
        1. Vendor Certifications
        2. Vendor-Neutral Certifications
      3. Staying Current
        1. Conferences
        2. Blogs
        3. Forums
        4. Podcasts
        5. Associations
    3. Chapter 3: Creating a Lab
      1. Choosing Where to Put Your Lab
        1. Access Controls
        2. Electrical Power
        3. Air Conditioning
        4. Privacy
      2. Gathering the Tools of the Trade
        1. Write Blockers
        2. Drive Kits
        3. External Storage
        4. Screwdriver Kits
        5. Antistatic Bags
        6. Adaptors
        7. Forensic Workstation
      3. Choosing Forensic Software
        1. Open Source Software
        2. Commercial Software
      4. Storing Evidence
        1. Securing Your Evidence
        2. Organizing Your Evidence
        3. Disposing of Old Evidence
  10. PART II: Your First Investigation
    1. Chapter 4: How to Approach a Computer Forensics Investigation
      1. The Investigative Process
        1. What Are You Being Asked to Find Out?
        2. Where Would the Data Exist?
        3. What Applications Might Have Been Used in Creating the Data?
        4. Should You Request to Go Beyond the Scope of the Investigation?
      2. Testing Your Hypothesis
        1. Step 1. Define Your Hypothesis
        2. Step 2. Determine a Repeatable Test
        3. Step 3. Create Your Test Environment
        4. Step 4. Document Your Testing
      3. The Forensic Data Landscape
        1. Active Data
        2. Unallocated Space
        3. Slack Space
        4. Mobile Devices
        5. External Storage
      4. What Do You Have the Authority to Access
        1. Who Hosts the Data?
        2. Who Owns the Device?
        3. Expectation of Privacy
    2. Chapter 5: Choosing Your Procedures
      1. Forensic Imaging
        1. Determining Your Comfort Level
        2. Forensic Imaging Method Pros and Cons
      2. Creating Forms and Your Lab Manual
        1. Chain of Custody Forms
        2. Request Forms
        3. Report Forms
        4. Standard Operating Procedures Manual
    3. Chapter 6: Testing Your Tools
      1. When Do You Need to Test
        1. Collecting Data for Public Research or Presentations
        2. Testing a Forensic Method
        3. Testing a Tool
      2. Where to Get Test Evidence
        1. Raw Images
        2. Creating Your Own Test Images
      3. Forensic Challenges
        1. Learn Forensics with David Cowen on YouTube
        2. Honeynet Project
        3. DC3 Challenge
        4. DFRWS Challenge
        5. SANS Forensic Challenges
        6. High School Forensic Challenge
      4. Collections of Tool Testing Images
        1. Digital Forensic Tool Testing Images
        2. NIST Computer Forensics Reference Data Sets Images
        3. The Hacking Case
        4. NIST Computer Forensics Tool Testing
    4. Chapter 7: Live vs. Postmortem Forensics
      1. Live Forensics
        1. When Live Forensics Is the Best Option
        2. Tools for Live Forensics
      2. Postmortem Forensics
        1. Postmortem Memory Analysis
    5. Chapter 8: Capturing Evidence
      1. Creating Forensic Images of Internal Hard Drives
        1. FTK Imager with a Hardware Write Blocker
        2. FTK Imager with a Software Write Blocker
      2. Creating Forensic Images of External Drives
        1. FTK Imager with a USB Write Blocker
        2. FTK Imager with a Software Write Blocker
        3. Software Write Blocking on Linux Systems
      3. Creating Forensic Images of Network Shares
        1. Capturing a Network Share with FTK Imager
      4. Mobile Devices
      5. Servers
    6. Chapter 9: Nontraditional Digital Forensics
      1. Breaking the Rules: Nontraditional Digital Forensic Techniques
      2. Volatile Artifacts
        1. Malware
      3. Encrypted File Systems
        1. Challenges to Accessing Encrypted Data
      4. Mobile Devices: Smart Phones and Tablets
      5. Solid State Drives
      6. Virtual Machines
  11. PART III: Case Examples: How to Work a Case
    1. Chapter 10: Establishing the Investigation Type and Criteria
      1. Determining What Type of Investigation Is Required
        1. Human Resources Cases
        2. Administrator Abuse
        3. Stealing Information
        4. Internal Leaks
        5. Keyloggers and Malware
      2. What to Do When Criteria Causes an Overlap
      3. What to Do When No Criteria Matches
        1. Where Should the Evidence Be?
        2. Did This Occur over the Network?
        3. Nothing Working? Create a Super Timeline
    2. Chapter 11: Human Resources Cases
      1. Results of a Human Resource Case
      2. How to Work a Pornography Case
        1. Pornography Case Study
        2. How to Investigate a Pornography Case
      3. How to Work a Productivity Waste Case
    3. Chapter 12: Administrator Abuse
      1. The Abuse of Omniscience
      2. Scenario 1: Administrator Runs a Pornographic Site Using Company Resources
        1. Beginning an Investigation
        2. The Web Server’s Role in the Network
        3. Directories
        4. Virtual Servers
        5. Virtual Directories
      3. Scenario 2: Exploiting Insider Knowledge Against an Ex-employer
        1. A Private Investigator Calls…
        2. As if They’re Reading Our Minds…
        3. What a Network Vulnerability Assessment Can Reveal
        4. E-mail Data Review and Server Restoration
        5. Stepping Up Your Game: Knowledge Meets Creativity
    4. Chapter 13: Stealing Information
      1. What Are We Looking For?
      2. Determining Where the Data Went
        1. LNK Files
        2. Shellbags
      3. Scenario: Recovering Log Files to Catch a Thief
    5. Chapter 14: Internal Leaks
      1. Why Internal Leaks Happen
      2. Investigating Internal Leaks
        1. Reviewing the Registry Files
        2. Identifying LNK Files
        3. Wrapping Up the Investigation
      3. Using File System Meta-data to Track Leaked or Printed Materials
    6. Chapter 15: Keyloggers and Malware
      1. Defining Keyloggers and Malware
      2. How to Detect Keyloggers and Malware
        1. Registry Files
        2. Prefetch Files
        3. Keyword Searches
        4. Handling Suspicious Files
      3. Determining How an Infection Occurred
        1. What We Know About This Infection
        2. What We Know About the Keylogger
      4. Identifying What Data Was Captured
      5. Finding Information About the Attacker
        1. What We Know About the Attacker
        2. Where to Find More About the Attacker
  12. PART IV: Defending Your Work
    1. Chapter 16: Documenting Your Findings with Reports
      1. Documenting Your Findings
        1. Who Asked You to Undertake the Investigation
        2. What You Were Asked to Do
        3. What You Reviewed
        4. What You Found
        5. What Your Findings Mean
      2. Types of Reports
        1. Informal Report
        2. Incident Report
        3. Internal Report
        4. Declaration
        5. Affidavit
      3. Explaining Your Work
        1. Define Technical Terms
        2. Provide Examples in Layperson Terms
        3. Explain Artifacts
    2. Chapter 17: Litigation and Reports for Court and Exhibits
      1. Important Legal Terms
      2. What Type of Witness Are You?
        1. Fact Witness
        2. Expert Consultant
        3. Expert Witness
        4. Special Master
        5. Neutral
      3. Writing Reports for Court
        1. Declarations in Support of Motions
        2. Expert Reports
      4. Creating Exhibits
        1. Working with Forensic Artifacts
  13. InfoSec Pro Series: Glossary
  14. Index