Operating System Forensics

Book Description

Operating System Forensics is the first book to cover all three critical operating systems for digital forensic investigations in one comprehensive reference. 

Users will learn how to conduct successful digital forensic examinations in Windows, Linux, and Mac OS, the methodologies used, key technical concepts, and the tools needed to perform examinations.

Mobile operating systems such as Android, iOS, Windows, and Blackberry are also covered, providing everything practitioners need to conduct a forensic investigation of the most commonly used operating systems, including technical details of how each operating system works and how to find artifacts.

This book walks you through the critical components of investigation and operating system functionality, including file systems, data recovery, memory forensics, system configuration, Internet access, cloud computing, tracking artifacts, executable layouts, malware, and log files. You'll find coverage of key technical topics like the Windows Registry, the /etc directory, Web browser caches, Mbox, PST files, GPS data, ELF, and more. Hands-on exercises in each chapter drive home the concepts covered in the book. You'll get everything you need for a successful forensics examination, including incident response tactics and legal requirements. Operating System Forensics is the only place you'll find all this covered in one book.

  • Covers digital forensic investigations of the three major operating systems, including Windows, Linux, and Mac OS
  • Presents the technical details of each operating system, allowing users to find artifacts that might be missed using automated tools
  • Hands-on exercises drive home key concepts covered in the book
  • Includes discussions of cloud, Internet, and major mobile operating systems such as Android and iOS

Table of Contents

  1. Cover
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Foreword
  7. Preface
  8. Chapter 1: Forensics and Operating Systems
    1. Abstract
    2. Introduction
    3. Forensics
    4. Operating systems
    5. Conclusions
    6. Summary
    7. Exercises
  9. Chapter 2: File Systems
    1. Abstract
    2. Introduction
    3. Disk geometry
    4. Master boot record
    5. Unified extensible firmware interface
    6. Windows file systems
    7. Linux file systems
    8. Apple file systems
    9. Slack space
    10. Conclusions
    11. Summary
    12. Exercises
  10. Chapter 3: Data and File Recovery
    1. Abstract
    2. Introduction
    3. Data carving
    4. Searching and deleted files
    5. Slack space and sparse files
    6. Data hiding
    7. Time stamps/stomps
    8. Time lines
    9. Volume shadow copies
    10. Summary
    11. Exercises
  11. Chapter 4: Memory Forensics
    1. Abstract
    2. Introduction
    3. Real memory and addressing
    4. Virtual memory
    5. Memory layout
    6. Capturing memory
    7. Analyzing memory captures
    8. Page files and swap space
    9. Summary
    10. Exercises
  12. Chapter 5: System Configuration
    1. Abstract
    2. Introduction
    3. Windows
    4. Mac OS X
    5. Linux
    6. Summary
    7. Exercises
  13. Chapter 6: Web Browsing
    1. Abstract
    2. Introduction
    3. A primer on structured query language (SQL)
    4. Web browsing
    5. Messaging services
    6. E-mail
    7. Conclusions
    8. Exercises
  14. Chapter 7: Tracking Artifacts
    1. Abstract
    2. Introduction
    3. Location information
    4. Document tracking
    5. Shortcuts
    6. Conclusions
    7. Exercises
  15. Chapter 8: Log Files
    1. Abstract
    2. Introduction
    3. Windows event logs
    4. Unix syslog
    5. Application logs
    6. Mac OS X logs
    7. Security logs
    8. Auditing
    9. Summary
    10. Exercises
  16. Chapter 9: Executable Programs
    1. Abstract
    2. Introduction
    3. Stacks and heaps
    4. Portable executables
    5. Linux executable and linkable format (ELF)
    6. Apple OS X application bundles
    7. .NET common language runtime (CLR) / Java
    8. Debugging/disassembly
    9. System calls and tracing
    10. Finding the program impact
    11. Conclusions
    12. Exercises
  17. Chapter 10: Malware
    1. Abstract
    2. Introduction
    3. Malware categories
    4. Using research
    5. Getting infected
    6. Staying resident (persistence)
    7. Artifacts
    8. Automated analysis
    9. Manual analysis
    10. Conclusions
    11. Exercises
  18. Chapter 11: Mobile Operating Systems
    1. Abstract
    2. Introduction
    3. Encryption and remote control
    4. Rooting/jailbreaking
    5. Android
    6. BlackBerry
    7. iOS
    8. Windows mobile
    9. Conclusions
    10. Exercises
  19. Chapter 12: Newer Technologies
    1. Abstract
    2. Introduction
    3. Virtualization
    4. Cloud computing
    5. Wearables
    6. Drones
    7. Conclusions
    8. Exercises
  20. Chapter 13: Reporting
    1. Abstract
    2. Introduction
    3. Writing style
    4. Artifacts
    5. Reporting requirements
    6. Reporting considerations
    7. Report sample formats
    8. Conclusions
  21. Subject Index