You are previewing Practical Digital Forensics.
O'Reilly logo
Practical Digital Forensics

Book Description

Get started with the art and science of digital forensics with this practical, hands-on guide!

About This Book

  • Champion the skills of digital forensics by understanding the nature of recovering and preserving digital information which is essential for legal or disciplinary proceedings

  • Explore new and promising forensic processes and tools based on 'disruptive technology' to regain control of caseloads.

  • Richard Boddington, with 10+ years of digital forensics, demonstrates real life scenarios with a pragmatic approach

  • Who This Book Is For

    This book is for anyone who wants to get into the field of digital forensics. Prior knowledge of programming languages (any) will be of great help, but not a compulsory prerequisite.

    What You Will Learn

  • Gain familiarity with a range of different digital devices and operating and application systems that store digital evidence.

  • Appreciate and understand the function and capability of forensic processes and tools to locate and recover digital evidence.

  • Develop an understanding of the critical importance of recovering digital evidence in pristine condition and ensuring its safe handling from seizure to tendering it in evidence in court.

  • Recognise the attributes of digital evidence and where it may be hidden and is often located on a range of digital devices.

  • Understand the importance and challenge of digital evidence analysis and how it can assist investigations and court cases.

  • Explore emerging technologies and processes that empower forensic practitioners and other stakeholders to harness digital evidence more effectively.

  • In Detail

    Digital Forensics is a methodology which includes using various tools, techniques, and programming language. This book will get you started with digital forensics and then follow on to preparing investigation plan and preparing toolkit for investigation.

    In this book you will explore new and promising forensic processes and tools based on ‘disruptive technology’ that offer experienced and budding practitioners the means to regain control of their caseloads. During the course of the book, you will get to know about the technical side of digital forensics and various tools that are needed to perform digital forensics. This book will begin with giving a quick insight into the nature of digital evidence, where it is located and how it can be recovered and forensically examined to assist investigators. This book will take you through a series of chapters that look at the nature and circumstances of digital forensic examinations and explains the processes of evidence recovery and preservation from a range of digital devices, including mobile phones, and other media. This book has a range of case studies and simulations will allow you to apply the knowledge of the theory gained to real-life situations.

    By the end of this book you will have gained a sound insight into digital forensics and its key components.

    Style and approach

    The book takes the reader through a series of chapters that look at the nature and circumstances of digital forensic examinations and explains the processes of evidence recovery and preservation from a range of digital devices, including mobile phones, and other media. The mystery of digital forensics is swept aside and the reader will gain a quick insight into the nature of digital evidence, where it is located and how it can be recovered and forensically examined to assist investigators.

    Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code file.

    Table of Contents

    1. Practical Digital Forensics
      1. Table of Contents
      2. Practical Digital Forensics
      3. Credits
      4. About the Author
      5. Acknowledgment
      6. About the Reviewer
      7. www.PacktPub.com
        1. eBooks, discount offers, and more
          1. Why subscribe?
      8. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the color images of this book
          2. Errata
          3. Piracy
          4. Questions
      9. 1. The Role of Digital Forensics and Its Environment
        1. Understanding the history and purpose of forensics – specifically, digital forensics
          1. The origin of forensics
          2. Locard's exchange principle
          3. The evolution of fingerprint evidence
          4. DNA evidence
          5. The basic stages of forensic examination
        2. Defining digital forensics and its role
          1. Definitions of digital forensics
        3. Looking at the history of digital forensics
          1. The early days
          2. A paucity of reliable digital forensic tools
          3. The legal fraternity's difficulty understanding digital evidence
          4. More recent developments in digital forensics
        4. Studying criminal investigations and cybercrime
        5. Outlining civil investigations and the nature of e-discovery
        6. The role of digital forensic practitioners and the challenges they face
          1. The unique privilege of providing expert evidence and opinion
          2. Issues faced by practitioners due to inadequate forensics processes
          3. Inferior forensics tools confronting practitioners
          4. The inadequate protection of digital information confronting practitioners
          5. The tedium of forensic analysis
          6. Qualities of the digital forensic practitioner
          7. Determining practitioner prerequisites
        7. Case studies
          1. The Aaron Caffrey case – United Kingdom, 2003
          2. The Julie Amero case – Connecticut, 2007
          3. The Michael Fiola case – Massachusetts, 2008
        8. References
        9. Summary
      10. 2. Hardware and Software Environments
        1. Describing computers and the nature of digital information
          1. Magnetic hard drives and tapes
          2. Optical media storage devices
          3. Random-access memory (RAM)
          4. Solid-state drive (SSD) storage devices
          5. Network-stored data
          6. The cloud
        2. Operating systems
          1. Connecting the software application to the operating system
          2. Connecting the software application to the operating system and a device
        3. Describing filesystems that contain evidence
          1. The filesystem category
          2. The filename category
          3. The metadata category
          4. The content category
        4. Locating evidence in filesystems
          1. Determining the means of transgression
          2. Determining opportunity to transgress
          3. Determining the motive to transgress
          4. Deciding where to look for possible evidence
          5. Indexing and searching for files
          6. Unallocated data analysis
        5. Explaining password security, encryption, and hidden files
          1. User access to computer devices
          2. Understanding the importance of information confidentiality
          3. Understanding the importance of information integrity
          4. Understanding the importance of information availability
          5. User access security controls
          6. Encrypted devices and files
        6. Case study – linking the evidence to the user
        7. References
        8. Summary
      11. 3. The Nature and Special Properties of Digital Evidence
        1. Defining digital evidence
          1. The use of digital evidence
        2. The special characteristics of digital evidence
          1. The circumstantial nature of digital evidence
          2. File metadata and correlation with other evidence
        3. The technical complexities of digital evidence
          1. The malleability of digital evidence
          2. Metadata should not be taken at face value
          3. Recovering files from unallocated space (data carving)
          4. Date and time problems
        4. Determining the value and admissibility of digital evidence
          1. Explaining the evidentiary weight of digital evidence
          2. Understanding the admissibility of digital evidence
          3. Defining the lawful acquisition of digital evidence
          4. Emphasizing the importance of relevance in terms of digital evidence
          5. Outlining the reliability of digital evidence
          6. The importance of the reliability of forensic tools and processes
          7. Evaluating computer/network evidence preservation
          8. Corroborating digital evidence
        5. Case study – linking the evidence to the user
        6. References
        7. Summary
      12. 4. Recovering and Preserving Digital Evidence
        1. Understanding the chain of custody
        2. Describing the physical acquisition and safekeeping of digital evidence
          1. Explaining the chain of custody of digital evidence
          2. Outlining the seizure and initial inspection of digital devices
        3. Recovering digital evidence through forensic imaging processes
          1. Dead analysis evidence recovery
          2. Write-blocking hardware
          3. Write-blocking software
          4. Enhancing data preservation during recovery
          5. Recovering remnants of deleted memory
        4. Acquiring digital evidence through live recovery processes
          1. The benefits of live recovery
          2. The challenges of live recovery
          3. The benefits of volatile memory recovery
          4. Isolating the device from external exploits
        5. Outlining the efficacy of existing forensic tools and the emergence of enhanced processes and tools
          1. Standards for digital forensic tools
          2. The reliability of forensic imaging tools to recover and protect digital evidence
        6. Case studies – linking the evidence to the user
        7. References
        8. Summary
      13. 5. The Need for Enhanced Forensic Tools
        1. Digital forensics laboratories
          1. The purpose of digital forensics laboratories
          2. Acceptance of, consensus on, and uptake of digital forensics standards
          3. Best practices for digital forensics laboratories
          4. The physical security of digital forensic laboratories
          5. Network and electronic requirements of digital forensic laboratories
          6. Dilemmas presently confronting digital forensics laboratories
        2. Emerging problems confronting practitioners because of increasingly large and widely dispersed datasets
          1. Debunking the myth of forensic imaging
          2. Dilemmas presently confronting digital forensics practitioners
        3. Processes and forensic tools to assist practitioners to deal more effectively with these challenges
          1. E-discovery evidence recovery and preservation
          2. Enhanced digital evidence recovery and preservation
          3. The benefits of enhanced recovery tools in criminal investigations
        4. Empowering non-specialist law enforcement personnel and other stakeholders to become more effective first respondents at digital crime scenes
          1. The challenges facing non-forensic law enforcement agents
          2. Enhancing law enforcement agents as first respondents
          3. The challenges facing IT administrators, legal teams, forensic auditors, and other first respondents
          4. Enhancing IT administrators, legal team members, and other personnel as first respondents
        5. Case study – illustrating the challenges of interrogating large datasets
          1. The setting of the crime
          2. The investigation
          3. The practitioner's brief
          4. The available evidence
          5. The data extraction process
          6. The outcome of the recovery and examination
          7. Conclusion
        6. References
        7. Summary
      14. 6. Selecting and Analyzing Digital Evidence
        1. Structured processes to locate and select digital evidence
        2. Locating digital evidence
          1. Search processes
          2. Searching desktops and laptops
        3. Selecting digital evidence
          1. Seeking the truth
        4. More effective forensic tools
          1. Categorizing files
          2. Eliminating superfluous files
          3. Deconstructing files
          4. Searching for files
          5. The Event Analysis tool
          6. The Cloud Analysis tool
          7. The Lead Analysis tool
          8. Analyzing e-mail datasets
          9. Detecting scanned images
          10. Volume Shadow Copy analysis tools
          11. Timelines and other analysis tools
        5. Case study – illustrating the recovery of deleted evidence held in volume shadows
        6. Summary
      15. 7. Windows and Other Operating Systems as Sources of Evidence
        1. The Windows Registry and system files and logs as resources of digital evidence
          1. Seeking useful leads within the Registry
          2. Mapping devices through the Registry
          3. Detecting USB removable storage
          4. User activity
          5. Reviewing Most Recently Used and Jump List activity
          6. Detecting wireless connectivity
          7. Observing Windows Event Viewer logs
          8. Recovery of hidden data from a VSS
          9. Examining prefetch files
          10. Pagefiles
          11. Hibernation and sleep files
          12. Detecting steganography
        2. Apple and other operating system structures
          1. Examining Apple operating systems
          2. The Linux operating system
        3. Remote access and malware threats
          1. Remote access
          2. Detecting malware attacks and other exploits
          3. The prevalence of anti-forensics processes and tools
        4. Case study – corroborating evidence using Windows Registry
        5. References
        6. Summary
      16. 8. Examining Browsers, E-mails, Messaging Systems, and Mobile Phones
        1. Locating evidence from Internet browsing
          1. Typical web-browsing behavior
          2. Recovering browsing artifacts from slack and unallocated space
          3. Private browsing
        2. Messaging systems
          1. Examining Skype and chat room artifacts
          2. The invisible Internet
        3. E-mail analysis and the processing of large e-mail databases
          1. Recovering e-mails from desktop and laptop computers
          2. Recovering and analyzing e-mails from larger datasets
          3. Searching for scanned files
        4. The growing challenge of evidence recovery from mobile phones and handheld devices
          1. Extracting data from mobile devices
          2. Managing evidence contamination
          3. Concealing illegal activities
          4. Extracting mobile data from the cloud
          5. Analyzing GPS devices and other handheld devices
        5. Case study – mobile phone evidence in a bomb hoax
        6. Summary
      17. 9. Validating the Evidence
        1. The nature and problem of unsound digital evidence
          1. Challenges explaining the complexity of digital evidence
          2. The immaturity of the forensic subdiscipline
          3. The ineffective security integrity of computers and networks
          4. Evidence contamination
        2. Impartiality in selecting evidence
          1. Meaning is only clear in context
          2. Faulty case management and evidence validation
        3. The structured and balanced analysis of digital evidence
          1. Developing hypotheses
          2. Modeling arguments
          3. The Toulmin model of argumentation
        4. Formalizing the validation of digital evidence
          1. The perceived benefits of a formalized validation process
          2. Rationale for selection
          3. The conceptual framework of the model
          4. The validation process
          5. Applying Bayesian reasoning to the analysis of validation
            1. The comparative simplicity of the analysis of legal admissibility
            2. More complex components requiring scientific measurement
            3. Determining prior probability
            4. Setting post probabilities
            5. Checking whether the remote access application was running at the time of the transgression
            6. Present limitations and scoping
        5. The presentation of digital evidence
          1. Preparing digital forensics reports
          2. Court appearances
        6. Ethical issues confronting digital forensics practitioners
        7. Case study – presumed unauthorized use of intellectual property
          1. The background to the case
          2. The forensic recovery
          3. The forensic examination
          4. Linking the suspect to the device and the device to the server
          5. Analyzing the downloaded files
          6. Connected storage devices
          7. The illicit copying of data
          8. The outcome
        8. Summary
      18. 10. Empowering Practitioners and Other Stakeholders
        1. The evolving nature of digital evidence vis-à-vis the role of the practitioner
        2. Solutions to the challenges posed by new hardware and software
        3. More efficacious evidence recovery and preservation
        4. Challenges posed by communication media and the cloud
          1. Mobile phone evidence recovery
          2. The cloud - convenient for users but problematic for practitioners
        5. The need for effective evidence processing and validation
        6. Contingency planning
        7. References
        8. Summary
      19. Index