Practical Forensic Imaging

Book Description

Practical Forensic Imaging takes a detailed look at how to secure and manage digital evidence using Linux-based command line tools.

Table of Contents

    1. Why I Wrote This Book
    2. How This Book Is Different
    3. Why Use the Command Line?
    4. Target Audience and Prerequisites
      1. Who Should Read This Book?
      2. Prerequisite Knowledge
      3. Preinstalled Platform and Software
    5. How the Book Is Organized
    6. The Scope of This Book
    7. Conventions and Format
  Chapter 0: Digital Forensics Overview
    1. Digital Forensics History
      1. Pre-Y2K
      2. 2000–2010
      3. 2010–Present
    2. Forensic Acquisition Trends and Challenges
      1. Shift in Size, Location, and Complexity of Evidence
      2. Multijurisdictional Aspects
      3. Industry, Academia, and Law Enforcement Collaboration
    3. Principles of Postmortem Computer Forensics
      1. Digital Forensic Standards
      2. Peer-Reviewed Research
      3. Industry Regulations and Best Practice
      4. Principles Used in This Book
  Chapter 1: Storage Media Overview
    1. Magnetic Storage Media
      1. Hard Disks
      2. Magnetic Tapes
      3. Legacy Magnetic Storage
    2. Non-Volatile Memory
      1. Solid State Drives
      2. USB Flash Drives
      3. Removable Memory Cards
      4. Legacy Non-Volatile Memory
    3. Optical Storage Media
      1. Compact Discs
      2. Digital Versatile Discs
      3. Blu-ray Discs
      4. Legacy Optical Storage
    4. Interfaces and Physical Connectors
      1. Serial ATA
      2. Serial Attached SCSI and Fibre Channel
      3. Non-Volatile Memory Express
      4. Universal Serial Bus
      5. Thunderbolt
      6. Legacy Interfaces
    5. Commands, Protocols, and Bridges
      1. ATA Commands
      2. SCSI Commands
      3. NVME Commands
      4. Bridging, Tunneling, and Pass-Through
    6. Special Topics
      1. DCO and HPA Drive Areas
      2. Drive Service and Maintenance Areas
      3. USB Attached SCSI Protocol
      4. Advanced Format 4Kn
      5. NVME Namespaces
      6. Solid State Hybrid Disks
    7. Closing Thoughts
  Chapter 2: Linux as a Forensic Acquisition Platform
    1. Linux and OSS in a Forensic Context
      1. Advantages of Linux and OSS in Forensics Labs
      2. Disadvantages of Linux and OSS in Forensics Labs
    2. Linux Kernel and Storage Devices
      1. Kernel Device Detection
      2. Storage Devices in /dev
      3. Other Special Devices
    3. Linux Kernel and Filesystems
      1. Kernel Filesystem Support
      2. Mounting Filesystems in Linux
      3. Accessing Filesystems with Forensic Tools
    4. Linux Distributions and Shells
      1. Linux Distributions
      2. The Shell
      3. Command Execution
      4. Piping and Redirection
    5. Closing Thoughts
  Chapter 3: Forensic Image Formats
    1. Raw Images
      1. Traditional dd
      2. Forensic dd Variants
      3. Data Recovery Tools
    2. Forensic Formats
      1. EnCase EWF
      2. FTK SMART
      3. AFF
    3. SquashFS as a Forensic Evidence Container
      1. SquashFS Background
      2. SquashFS Forensic Evidence Containers
    4. Closing Thoughts
  Chapter 4: Planning and Preparation
    1. Maintain an Audit Trail
      1. Task Management
      2. Shell History
      3. Terminal Recorders
      4. Linux Auditing
    2. Organize Collected Evidence and Command Output
      1. Naming Conventions for Files and Directories
      2. Scalable Examination Directory Structure
      3. Save Command Output with Redirection
    3. Assess Acquisition Infrastructure Logistics
      1. Image Sizes and Disk Space Requirements
      2. File Compression
      3. Sparse Files
      4. Reported File and Image Sizes
      5. Moving and Copying Forensic Images
      6. Estimate Task Completion Times
      7. Performance and Bottlenecks
      8. Heat and Environmental Factors
    4. Establish Forensic Write-Blocking Protection
      1. Hardware Write Blockers
      2. Software Write Blockers
      3. Linux Forensic Boot CDs
      4. Media with Physical Read-Only Modes
    5. Closing Thoughts
  Chapter 5: Attaching Subject Media to an Acquisition Host
    1. Examine Subject PC Hardware
      1. Physical PC Examination and Disk Removal
      2. Subject PC Hardware Review
    2. Attach Subject Disk to an Acquisition Host
      1. View Acquisition Host Hardware
      2. Identify the Subject Drive
    3. Query the Subject Disk for Information
      1. Document Device Identification Details
      2. Query Disk Capabilities and Features with hdparm
      3. Extract SMART Data with smartctl
    4. Enable Access to Hidden Sectors
      1. Remove a DCO
      2. Remove an HPA
      3. Drive Service Area Access
    5. ATA Password Security and Self-Encrypting Drives
      1. Identify and Unlock ATA Password-Protected Disks
      2. Identify and Unlock Opal Self-Encrypting Drives
      3. Encrypted Flash Thumb Drives
    6. Attach Removable Media
      1. Optical Media Drives
      2. Magnetic Tape Drives
      3. Memory Cards
    7. Attach Other Storage
      1. Apple Target Disk Mode
      2. NVME SSDs
      3. Other Devices with Block or Character Access
    8. Closing Thoughts
  Chapter 6: Forensic Image Acquisition
    1. Acquire an Image with dd Tools
      1. Standard Unix dd and GNU dd
      2. The dcfldd and dc3dd Tools
    2. Acquire an Image with Forensic Formats
      1. The ewfacquire Tool
      2. AccessData ftkimager
      3. SquashFS Forensic Evidence Container
      4. Acquire an Image to Multiple Destinations
    3. Preserve Digital Evidence with Cryptography
      1. Basic Cryptographic Hashing
      2. Hash Windows
      3. Sign an Image with PGP or S/MIME
      4. RFC-3161 Timestamping
    4. Manage Drive Failure and Errors
      1. Forensic Tool Error Handling
      2. Data Recovery Tools
      3. SMART and Kernel Errors
      4. Other Options for Failed Drives
      5. Damaged Optical Discs
    5. Image Acquisition over a Network
      1. Remote Forensic Imaging with rdd
      2. Secure Remote Imaging with ssh
      3. Remote Acquisition to a SquashFS Evidence Container
      4. Acquire a Remote Disk to EnCase or FTK Format
      5. Live Imaging with Copy-On-Write Snapshots
    6. Acquire Removable Media
      1. Memory Cards
      2. Optical Discs
      3. Magnetic Tapes
    7. RAID and Multidisk Systems
      1. Proprietary RAID Acquisition
      2. JBOD and RAID-0 Striped Disks
      3. Microsoft Dynamic Disks
      4. RAID-1 Mirrored Disks
      5. Linux RAID-5
    8. Closing Thoughts
  Chapter 7: Forensic Image Management
    1. Manage Image Compression
      1. Standard Linux Compression Tools
      2. EnCase EWF Compressed Format
      3. FTK SMART Compressed Format
      4. AFFlib Built-In Compression
      5. SquashFS Compressed Evidence Containers
    2. Manage Split Images
      1. The GNU split Command
      2. Split Images During Acquisition
      3. Access a Set of Split Image Files
      4. Reassemble a Split Image
    3. Verify the Integrity of a Forensic Image
      1. Verify the Hash Taken During Acquisition
      2. Recalculate the Hash of a Forensic Image
      3. Cryptographic Hashes of Split Raw Images
      4. Identify Mismatched Hash Windows
      5. Verify Signature and Timestamp
    4. Convert Between Image Formats
      1. Convert from Raw Images
      2. Convert from EnCase/E01 Format
      3. Convert from FTK Format
      4. Convert from AFF Format
    5. Secure an Image with Encryption
      1. GPG Encryption
      2. OpenSSL Encryption
      3. Forensic Format Built-In Encryption
      4. General Purpose Disk Encryption
    6. Disk Cloning and Duplication
      1. Prepare a Clone Disk
      2. Use HPA to Replicate Sector Size
      3. Write an Image File to a Clone Disk
    7. Image Transfer and Storage
      1. Write to Removable Media
      2. Inexpensive Disks for Storage and Transfer
      3. Perform Large Network Transfers
    8. Secure Wiping and Data Disposal
      1. Dispose of Individual Files
      2. Secure Wipe a Storage Device
      3. Issue ATA Security Erase Unit Commands
      4. Destroy Encrypted Disk Keys
    9. Closing Thoughts
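The hash-window section of chapter 6 and the split-image and integrity sections of chapter 7 above (Hash Windows; Cryptographic Hashes of Split Raw Images; Identify Mismatched Hash Windows) are illustrated by the following added example. It is not code from the book; it uses only coreutils (sha256sum, split, dd, cmp, awk). The 64 KiB constructed image, the 16 KiB split size, the 4 KiB window size and the file names are assumptions chosen for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the book. Verifies a split raw image set
# without reassembling it and localises damage with piecewise hash windows,
# using coreutils only. All sample data below is constructed.
set -eu

# SHA-256 of a file, hash only (no trailing file name)
image_hash() {
    sha256sum "$1" | awk '{print $1}'
}

# Hash of a split raw image: the parts are streamed in split order into one
# digest, which equals the digest of the reassembled image (and of the device
# it was taken from). Pass the parts in order, e.g. as a sorted glob.
split_set_hash() {
    cat "$@" | sha256sum | awk '{print $1}'
}

# Piecewise hashes: one "index hash" line per window of $2 bytes of image $1.
# The final window may be short; dd simply reads what is left.
window_hashes() {
    local img=$1 win=$2 size n i=0
    size=$(stat -c %s "$img")
    n=$(( (size + win - 1) / win ))
    while [ "$i" -lt "$n" ]; do
        printf '%d %s\n' "$i" \
            "$(dd if="$img" bs="$win" skip="$i" count=1 status=none | sha256sum | awk '{print $1}')"
        i=$((i + 1))
    done
}

# Indices of windows of image $1 whose hash differs from manifest $2, which
# window_hashes wrote at acquisition time with the same window size $3
find_mismatched_windows() {
    local img=$1 manifest=$2 win=$3 current
    current=$(mktemp)
    window_hashes "$img" "$win" > "$current"
    awk 'NR == FNR { saved[$1] = $2; next } saved[$1] != $2 { print $1 }' "$manifest" "$current"
    rm -f "$current"
}

# --- Constructed sample ---------------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 64 KiB "disk" of 2048 numbered 32-byte lines stands in for /dev/sdX
awk 'BEGIN { for (i = 0; i < 2048; i++) printf "sector %05d 0123456789abcdefgh\n", i }' \
    > "$WORK/subject.raw"
# Acquisition: split into 16 KiB pieces (part.00, part.01, ...) and record
# 4 KiB hash windows alongside the whole-image hash
split -b 16384 -d "$WORK/subject.raw" "$WORK/part."
window_hashes "$WORK/subject.raw" 4096 > "$WORK/subject.windows"
image_hash "$WORK/subject.raw" > "$WORK/subject.sha256"

# A copy that suffered a single overwritten byte at offset 20000 (window 4)
cp "$WORK/subject.raw" "$WORK/copy.raw"
printf '\377' | dd of="$WORK/copy.raw" bs=1 seek=20000 conv=notrunc status=none

echo "recorded hash : $(cat "$WORK/subject.sha256")"
echo "split parts   : $(split_set_hash "$WORK"/part.*)"
echo "damaged copy  : $(image_hash "$WORK/copy.raw")"
echo "mismatched windows in copy.raw: $(find_mismatched_windows "$WORK/copy.raw" "$WORK/subject.windows" 4096 | tr '\n' ' ')"
cmp "$WORK/subject.raw" "$WORK/copy.raw" || true    # names the exact differing byte
```

The stream hash over the parts equals the hash of the whole image only when the parts are fed in split order, so sort the names before passing them. Choose a window size that is a multiple of the sector size so that a flagged window maps to a sector range; once a window is flagged, cmp on that range gives the exact offset.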
  Chapter 8: Special Image Access Topics
    1. Forensically Acquired Image Files
      1. Raw Image Files with Loop Devices
      2. Forensic Format Image Files
      3. Prepare Boot Images with xmount
    2. VM Images
      1. QEMU QCOW2
      2. VirtualBox VDI
      3. VMWare VMDK
      4. Microsoft VHD
    3. OS-Encrypted Filesystems
      1. Microsoft BitLocker
      2. Apple FileVault
      3. Linux LUKS
      4. TrueCrypt and VeraCrypt
    4. Closing Thoughts
    1. Assess Partition Layout and Filesystems
      1. Partition Scheme
      2. Partition Tables
      3. Filesystem Identification
    2. Partition Extraction
      1. Extract Individual Partitions
      2. Find and Extract Deleted Partitions
      3. Identify and Extract Inter-Partition Gaps
      4. Extract HPA and DCO Sector Ranges
    3. Other Piecewise Data Extraction
      1. Extract Filesystem Slack Space
      2. Extract Filesystem Unallocated Blocks
      3. Manual Extraction Using Offsets
    4. Closing Thoughts
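An added example, not code from the book, for the partition-layout sections of chapter 8 above (Partition Tables; Extract Individual Partitions; Identify and Extract Inter-Partition Gaps; Manual Extraction Using Offsets): it decodes the four primary entries of a classic MBR with od, turns LBA sector numbers into the byte offsets that dd and losetup -o need, lists the unallocated sector ranges and extracts one partition. The 2 MiB image, its two partitions and the fill bytes are constructed, and a 512-byte sector is assumed (a 4Kn drive needs SECTOR changed).

```shell
#!/usr/bin/env bash
# Added example, not code from the book. Decodes a classic MBR partition
# table with coreutils, computes dd/losetup byte offsets, lists the gaps
# between partitions and extracts a partition. The sample image is constructed.
set -eu

SECTOR=512          # assumption: 512-byte sectors; use 4096 for a 4Kn disk

# Little-endian unsigned 32-bit value at byte offset $2 of file $1
le32() {
    set -- $(od -An -t u1 -j "$2" -N 4 "$1")
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# Non-empty primary entries of the MBR in $1: "number type start_lba sector_count"
mbr_partitions() {
    local img=$1 i off type start count
    [ "$(od -An -t x1 -j 510 -N 2 "$img" | tr -d ' ')" = "55aa" ] || {
        echo "no MBR signature in $img" >&2; return 1; }
    for i in 0 1 2 3; do
        off=$((446 + i * 16))                       # 16-byte entries start at 446
        type=$(od -An -t u1 -j $((off + 4)) -N 1 "$img" | tr -d ' ')
        [ "$type" -ne 0 ] || continue               # type 0 = unused slot
        start=$(le32 "$img" $((off + 8)))           # LBA of first sector
        count=$(le32 "$img" $((off + 12)))          # number of sectors
        printf '%d 0x%02x %d %d\n' $((i + 1)) "$type" "$start" "$count"
    done
}

# Byte offset of partition $2 of image $1, as needed by losetup -o or dd skip
partition_offset() {
    local start
    start=$(mbr_partitions "$1" | awk -v n="$2" '$1 == n {print $3}')
    echo $(( start * SECTOR ))
}

# Copy partition $2 of image $1 to file $3, sector aligned
extract_partition() {
    local img=$1 n=$2 out=$3 start count
    start=$(mbr_partitions "$img" | awk -v n="$n" '$1 == n {print $3}')
    count=$(mbr_partitions "$img" | awk -v n="$n" '$1 == n {print $4}')
    dd if="$img" of="$out" bs="$SECTOR" skip="$start" count="$count" status=none
}

# Unallocated sector ranges of image $1 with $2 sectors in total: "start count"
# lines covering the sectors after the MBR, between partitions and at the end
partition_gaps() {
    mbr_partitions "$1" | sort -n -k3 | awk -v total="$2" '
        BEGIN { end = 1 }                                    # sector 0 is the MBR
        { if ($3 > end) print end, $3 - end; if ($3 + $4 > end) end = $3 + $4 }
        END { if (total > end) print end, total - end }'
}

# --- Constructed sample: 2 MiB image with two primary partitions ------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IMG=$WORK/subject.raw
TOTAL=4096                                      # sectors in the sample image

dd if=/dev/zero of="$IMG" bs="$SECTOR" count="$TOTAL" status=none
# entry 1: type 0x83 (Linux), LBA start 64,   1000 sectors   (little-endian fields)
# entry 2: type 0x07 (NTFS),  LBA start 2048, 2000 sectors
printf '\000\000\000\000\203\000\000\000\100\000\000\000\350\003\000\000' |
    dd of="$IMG" bs=1 seek=446 conv=notrunc status=none
printf '\000\000\000\000\007\000\000\000\000\010\000\000\320\007\000\000' |
    dd of="$IMG" bs=1 seek=462 conv=notrunc status=none
printf '\125\252' | dd of="$IMG" bs=1 seek=510 conv=notrunc status=none   # 0x55AA
# Fill partition 1 with 'A' so the extracted copy can be recognised
dd if=/dev/zero bs="$SECTOR" count=1000 status=none | tr '\0' 'A' |
    dd of="$IMG" bs="$SECTOR" seek=64 conv=notrunc status=none

echo "partitions (n type start count):"; mbr_partitions "$IMG"
echo "partition 1 byte offset for losetup -o: $(partition_offset "$IMG" 1)"
echo "gaps (start count):"; partition_gaps "$IMG" "$TOTAL"
extract_partition "$IMG" 1 "$WORK/p1.raw"
echo "extracted $(stat -c %s "$WORK/p1.raw") bytes of partition 1"
```

The parser covers the four primary slots only; extended partitions and GPT need their own decoding, and the gap list is only meaningful when the total sector count comes from the drive itself (with any HPA or DCO removed first), not from the partition table.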
    1. Chapter 0: Digital Forensics Overview
    2. Chapter 1: Storage Media Overview
    3. Chapter 2: Linux as a Forensic Acquisition Platform
    4. Chapter 3: Forensic Image Formats
    5. Chapter 4: Planning and Preparation
    6. Chapter 5: Attaching Subject Media to an Acquisition Host
    7. Chapter 6: Forensic Image Acquisition
    8. Chapter 7: Forensic Image Management
    9. Chapter 8: Special Image Access Topics