System Forensics, Investigation, and Response

Book Description

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES! Computer crimes call for forensics specialists, people who know how to find and follow the evidence. System Forensics, Investigation, and Response begins by examining the fundamentals of system forensics, such as what forensics is, the role of computer forensics specialists, computer forensic evidence, and application of forensic analysis skills. It also gives an overview of computer crimes, forensic methods, and laboratories. It then addresses the tools, techniques, and methods used to perform computer forensics and investigation. Finally, it explores emerging technologies as well as future directions of this interesting and cutting-edge field.

Table of Contents

  1. Copyright
  2. Preface
    1. Purpose of This Book
    2. Learning Features
    3. Audience
  3. Acknowledgments
  4. About the Authors
  5. ONE. The System Forensics Landscape
    1. 1. System Forensics Fundamentals
      1. Understanding System Forensics
        1. Who Uses Forensics?
      2. How Computers Are Used in Crimes
      3. System Forensics Specialists and What They Do
        1. Tasks of a Forensic Specialist
        2. How a Forensic Specialist Begins an Investigation
      4. System Forensics Evidence: Its Use and Handling
        1. Digital Evidence Challenges
        2. Protecting Evidence
        3. Testing Forensic Evidence
      5. Applying Forensic Analysis Skills
        1. Following Proper Forensic Procedures
        2. Types of System Forensics Analysis
        3. Examples of Forensic Investigations
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 1 ASSESSMENT
    2. 2. Overview of Computer Crime
      1. Types of Cybercrime
        1. DoS and DDoS Attacks
        2. Intellectual Property Theft
        3. Child Exploitation, Abuse, and Pornography
        4. Identity Theft
        5. Fraud
        6. Extortion
        7. Cyberstalking
        8. Transmission of Malware
        9. Hacking
        10. Spamming
        11. Sale and Purchase of Narcotics Over the Internet
        12. Gambling
      2. Sources of Cybercrime Threats
        1. Nation-States
        2. Cyberterrorists
        3. Other Threats
      3. Means, Motives, and Opportunities of Cybercriminals
        1. Means: Tools and Techniques of Cybercriminals
        2. Motives of Cybercriminals
        3. Opportunities for Cybercriminals
      4. Reporting Cybercrimes
        1. What to Report
        2. Where to Report Computer Crimes
        3. Applicable Laws
      5. The Role of System Forensics in Solving Crimes
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 2 ASSESSMENT
    3. 3. Challenges of System Forensics
      1. Difficulties in Obtaining Forensic Digital Evidence
        1. What Is Digital Evidence?
        2. Data Access
          1. Creating a Data Analysis Plan
          2. Overcoming Search and Seizure Restrictions
        3. Technical Data Collection Considerations
          1. Considering the Life Span of Data
          2. Collecting Data Quickly
          3. Collecting Bit-Level Data
        4. Obscured Data and Anti-Forensics
          1. Obscured Data
          2. Anti-Forensics
      2. The Role Evidence Dynamics Plays in System Forensics
      3. Scope-Related Challenges to System Forensics
        1. Large Volumes of Data
        2. System Complexity
        3. Distributed Crime Scenes
        4. Growing Caseload and Limited Resources
      4. The Need for Professionalization
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 3 ASSESSMENT
    4. 4. Forensics Methods and Labs
      1. Forensic Soundness
      2. Forensic Frameworks and Processes
        1. The DFRWS Framework
        2. An Event-Based Digital Forensic Investigation Framework
      3. Building a Business Case for Creating a Forensics Lab
      4. Setting Up a Forensics Lab
        1. The Duties of a Lab Manager and Staff
        2. Planning a Forensics Lab Budget
          1. Estimating Facility Costs
          2. Estimating Hardware Needs and Costs
          3. Estimating Software Needs and Costs
          4. Considering Miscellaneous Costs
        3. Determining Physical Requirements for a Computer Forensics Lab
          1. Identifying Lab Security Needs
          2. Conducting High-Risk Investigations
          3. Using Evidence Storage Containers
          4. Overseeing Facility Maintenance
          5. Auditing a Computer Forensics Lab
          6. Determining the Floor Plan for a Computer Forensics Lab
        4. Stocking a Forensics Lab
          1. Selecting Forensic Workstations
            1. Selecting workstations for police labs
            2. Selecting workstations for private and corporate labs
          2. Maintaining Operating Systems and Software Inventories
          3. Stocking Other Items
      5. Policies, Processes, and Procedures for Maintaining a Lab
        1. Creating a Disaster Recovery Plan
        2. Planning for Equipment Upgrades
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 4 ASSESSMENT
  6. TWO. Technical Overview: System Forensics Tools, Techniques, and Methods
    1. 5. System Forensics Technologies
      1. How the Military Uses System Forensics
      2. Which Technologies Law Enforcement Agencies Use
        1. Evidence Preservation
        2. Trojan Horse Programs
        3. Documentation of Methodologies and Findings
        4. Disk Structure
        5. File Slack Searching
        6. Data-Hiding Techniques
        7. Fuzzy Logic Tools for Identifying Unknown Text
        8. Data Encryption
        9. Disk-to-Computer Matching
        10. Data Compression
        11. Recovery of Erased Files
        12. Internet Abuse Identification and Detection
        13. The Boot Process and Memory-Resident Programs
        14. Flash Memory Media Processing
      3. How Businesses Use System Forensics Technologies
        1. Remote Monitoring of Target Computers
        2. Trackable Electronic Documents
        3. Theft Recovery Software for Laptops and PCs
        4. Handling Evidence
          1. Evidence-Handling Tasks
          2. Evidence-Gathering Measures
        5. Encryption Methods and Vulnerabilities
          1. How Encryption Works
          2. Problems with Encryption
        6. Security and Wireless Technologies
          1. Forensics on iPhones
          2. Forensics on BlackBerry Smartphones
        7. Firewall Forensics
      4. Commonly Used System Forensics Tools
        1. EnCase
        2. Forensic Toolkit (FTK)
        3. Helix
        4. AnaDisk Disk Analysis Tool
        5. CopyQM Plus Disk Duplication Software
        6. TextSearch Plus
        7. Filter_G Intelligent Forensic Filter
        8. UFED
        9. Device Seizure
        10. The Zdziarski Technique
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 5 ASSESSMENT
    2. 6. Controlling a Forensic Investigation
      1. Preserving a Digital Crime Scene
      2. Considerations in Collecting Evidence
        1. Securing the Physical Evidence
        2. Volatile Data: Two Schools of Thought
        3. Determining How Much to Duplicate
          1. Balancing Speed and Thoroughness
          2. Approaches to Duplicating Data
        4. Making a Bit Stream Backup
        5. Booting a Computer
        6. Examining Evidence
      3. Physical Analysis and Logical Analysis
        1. Physical Analysis
          1. The Swap File
          2. Unallocated (Free) Space
          3. File Slack
          4. Shadow Data
        2. Logical Analysis
      4. Legal Aspects of Acquiring Evidence
        1. The Fourth Amendment
        2. Processing and Logging Evidence
          1. Documentation
          2. Preservation
          3. Authenticity
        3. The Computer Evidence Collection Process
          1. Computer Forensics Policies
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 6 ASSESSMENT
    3. 7. Collecting, Seizing, and Protecting Evidence
      1. Collecting Forensic Evidence
        1. Obstacles to Data Collection
        2. Types of Forensic Evidence
        3. The Rules of Evidence
        4. Do's and Don'ts of Data Collection
        5. Logging and Monitoring
        6. Methods of Data Collection: Freezing the Scene and Honeypotting
      2. The Steps in Seizing Forensic Evidence
        1. Shutting Down the Computer
        2. Documenting the Hardware Configuration of the System
        3. Transporting the Computer System to a Secure Location
        4. Mathematically Authenticating Data on All Storage Devices
        5. Making a List of Key Search Words
          1. Evaluating the Windows Swap File
          2. Evaluating File Slack
          3. Evaluating Unallocated Space
        6. Searching Files, File Slack, and Unallocated Space for Keywords
        7. Documenting Filenames, Dates, and Times
        8. Identifying File, Program, and Storage Anomalies
        9. Evaluating Program Functionality
        10. Documenting Findings
        11. Retaining Copies of Software Used
      3. Protecting Evidence: Controlling Contamination
        1. Creating a Timeline
        2. Forensic Analysis of Backups
        3. Reconstructing an Attack
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 7 ASSESSMENT
    4. 8. Understanding Information-Hiding Techniques
      1. History of Data Hiding
      2. Alternate Data Streams (ADS)
        1. Risks Associated with ADS
          1. Using ADS to Hide Data
          2. Destructive and Other Uses for ADS
        2. Executing Code from ADS
      3. Rootkits
      4. Steganography Concepts and Tools
        1. Types of Steganography
        2. Steganography Algorithms
        3. Steganography Software
          1. EzStego
          2. MandelSteg
          3. Spam Mimic
          4. Snow
          5. OutGuess
          6. appendX
          7. Invisible Secrets
      5. Defeating Steganography
        1. Detecting the Use of Steganography Software
          1. Traces of Steganography Software
          2. Location of Pairs of Carrier/Stego Files
          3. Keyword Search and Activity Monitoring
          4. Suspect's Computer Knowledge
          5. Unlikely Files
          6. Location of Steganography Keys
        2. Strengths and Weaknesses of Today's Detection Methods
        3. Steganalysis
          1. File Signatures
          2. File Anomalies
          3. Visual Attacks
        4. Extracting Hidden Information
        5. Steganalysis Software
          1. StegSpy
          2. Stegdetect
          3. Stegbreak
          4. Stego Suite
          5. StegAlyzer
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 8 ASSESSMENT
    5. 9. Recovering Data
      1. What Is Data Recovery?
      2. Disk Structure and Recovery Techniques
        1. Recovering Data After Physical Damage
          1. Physical Damage Recovery Techniques
        2. Recovering Data After Logical Damage
          1. Preventing Logical Damage
          2. Logical Damage Recovery Techniques
            1. Consistency checking
            2. Zero-knowledge analysis
      3. Data Backup and Recovery
        1. Obstacles to Data Backup
        2. Key Elements of Data Backup
          1. The Backup Device
          2. The Network Data Path
          3. The Backup Window
          4. Backup Storage Devices
          5. Recommended Backup Features
        3. The Role of Backups in Data Recovery
      4. Data Recovery Today
        1. Handling Failures
        2. Critical Thinking and Creative Problem Solving
        3. Preparing for Recovery
          1. Evaluating Procedures
          2. Ensuring That Resources Are Available
          3. Automating Recovery
          4. Making Recovery Efficient
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 9 ASSESSMENT
    6. 10. Investigating and Scrutinizing E-mail
      1. The Roles of Mail Servers and E-mail Clients
      2. Understanding E-mail Headers
        1. Viewing an E-mail Header
        2. Interpreting an E-mail Header
      3. E-mail Tracing
        1. Faking E-mail
          1. Spoofing
          2. Anonymous Remailing
          3. Using Mail Relays
          4. Spamming
          5. Stealing
          6. Using Bogus Accounts
        2. E-mail Tracing in Forensic Investigations
        3. An E-mail Tracing Example
      4. Legal Considerations in Investigating E-mail
        1. The Fourth Amendment to the U.S. Constitution
        2. The Electronic Communications Privacy Act
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 10 ASSESSMENT
    7. 11. Performing Network Analysis
      1. Network Basics
        1. Wireless Networks
        2. Common Network Protocols
      2. Types of Network-Related Attacks
        1. Types of Router Attacks
        2. DoS Attacks
        3. Web Attacks
      3. Investigating Network Traffic
        1. Using Log Files as Evidence
        2. Firewall Forensics
        3. Using Sniffers and Other Traffic Analysis Tools
      4. Investigating Router Attacks
        1. Collecting Router Evidence
        2. Router Logs
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 11 ASSESSMENT
    8. 12. Searching Memory in Real Time with Live System Forensics
      1. The Need for Live System Forensics
      2. Live System Forensics Versus Dead System Analysis
        1. Problems with Dead System Forensics
        2. Live Forensic Acquisition
        3. Benefits and Limitations of Live Acquisition
      3. Live System Forensics Consistency Issues
        1. Understanding the Consistency Problem
        2. Locating Different Memory Segments in UNIX
      4. Tools for Analyzing Computer Memory
        1. Live Response
          1. PsList
          2. ListDLLs
          3. Handle
          4. Netstat
          5. FPort
          6. Userdump
          7. PsLoggedOn
        2. Volatile Memory Analysis
          1. The Volatility Framework
          2. PTFinder
        3. Analysis of Live Response Versus Volatile Memory Analysis
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 12 ASSESSMENT
  7. THREE. Incident Response, Future Directions, and Resources
    1. 13. Incident and Intrusion Response
      1. Minimizing Incidents
        1. Events and Incidents
      2. Assembling an Incident Response Team
        1. Establishing Team Roles
        2. Coordinating a Response
      3. Defining an Incident Response Plan
        1. Assessment
        2. Communication
        3. Containment
        4. Evaluation
          1. Collecting Data
          2. Protecting Evidence
          3. Notifying External Agencies
        5. Recovery
        6. Document and Review
          1. Assessing Incident Damage and Cost
          2. Reviewing the Response and Updating Policies
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 13 ASSESSMENT
    2. 14. Trends and Future Directions
      1. Hardware Trends
        1. What Moore's Law Means to System Forensics
        2. Device Overload
      2. Software Trends
        1. Proliferation of Software Products
        2. Software as a Service
        3. Forensic Support Software
        4. Proliferation of Software Development Models
      3. The Changing Uses of Technology
        1. Collaborative Investigations
      4. The Changing Legal Environment
        1. The Computer Fraud and Abuse Act (1984)
        2. Computer Trespass or Intrusion
        3. Theft of Information
        4. Interception of Communications Laws
        5. Spam and Phishing Laws
        6. Cybersquatting
        7. Malicious Acts
        8. Evolving Cybercrime Laws
      5. Trends in Professionalization and Certification
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 14 ASSESSMENT
    3. 15. System Forensics Resources
      1. System Forensics Certification and Training
        1. International Association of Computer Investigative Specialists (IACIS)
        2. High Tech Crime Network (HTCN)
        3. EnCase Certified Examiner (EnCE) Certification
        4. AccessData Certified Examiner (ACE)
        5. Defense Cyber Investigations Training Academy (DCITA)
        6. Other Training Programs and Certifications
      2. User Groups
      3. Online Resources
        1. System Forensics Organizations and Information
        2. Discussion List Servers
        3. Forensic Journals
        4. Conferences
        5. Forensic Tools
          1. Open Source Software Tools
          2. Commercial Software Tools and Vendors
          3. Commercial Hardware Tools and Vendors
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 15 ASSESSMENT
  8. A. Answer Key
  9. B. Standard Acronyms
  10. Glossary of Key Terms
  11. References