| |
| |
| Acknowledgments | |
| |
| |
| Introduction | |
| |
| |
| |
| Getting Started | |
| |
| |
| |
| What Is Computer Forensics? | |
| |
| |
| What You Can Do with Computer Forensics | |
| |
| |
| How People Get Involved in Computer Forensics | |
| |
| |
| Law Enforcement | |
| |
| |
| Military | |
| |
| |
| University Programs | |
| |
| |
| IT or Computer Security Professionals | |
| |
| |
| Incident Response vs. Computer Forensics | |
| |
| |
| How Computer Forensic Tools Work | |
| |
| |
| Types of Computer Forensic Tools | |
| |
| |
| Professional Licensing Requirements | |
| |
| |
| |
| Learning Computer Forensics | |
| |
| |
| Where and How to Get Training | |
| |
| |
| Law Enforcement Training | |
| |
| |
| Corporate Training | |
| |
| |
| Where and How to Get Certified | |
| |
| |
| Vendor Certifications | |
| |
| |
| Vendor-Neutral Certifications | |
| |
| |
| Staying Current | |
| |
| |
| Conferences | |
| |
| |
| Blogs | |
| |
| |
| Forums | |
| |
| |
| Podcasts | |
| |
| |
| Associations | |
| |
| |
| |
| Creating a Lab | |
| |
| |
| Choosing Where to Put Your Lab | |
| |
| |
| Access Controls | |
| |
| |
| Electrical Power | |
| |
| |
| Air Conditioning | |
| |
| |
| Privacy | |
| |
| |
| Gathering the Tools of the Trade | |
| |
| |
| Write Blockers | |
| |
| |
| Drive Kits | |
| |
| |
| External Storage | |
| |
| |
| Screwdriver Kits | |
| |
| |
| Antistatic Bags | |
| |
| |
| Adaptors | |
| |
| |
| Forensic Workstation | |
| |
| |
| Choosing Forensic Software | |
| |
| |
| Open Source Software | |
| |
| |
| Commercial Software | |
| |
| |
| Storing Evidence | |
| |
| |
| Securing Your Evidence | |
| |
| |
| Organizing Your Evidence | |
| |
| |
| Disposing of Old Evidence | |
| |
| |
| |
| Your First Investigation | |
| |
| |
| |
| How to Approach a Computer Forensics Investigation | |
| |
| |
| The Investigative Process | |
| |
| |
| What Are You Being Asked to Find Out? | |
| |
| |
| Where Would the Data Exist? | |
| |
| |
| What Applications Might Have Been Used in Creating the Data? | |
| |
| |
| Should You Request to Go Beyond the Scope of the Investigation? | |
| |
| |
| Testing Your Hypothesis | |
| |
| |
| |
| Define Your Hypothesis | |
| |
| |
| |
| Determine a Repeatable Test | |
| |
| |
| |
| Create Your Test Environment | |
| |
| |
| |
| Document Your Testing | |
| |
| |
| The Forensic Data Landscape | |
| |
| |
| Active Data | |
| |
| |
| Unallocated Space | |
| |
| |
| Slack Space | |
| |
| |
| Mobile Devices | |
| |
| |
| External Storage | |
| |
| |
| What Do You Have the Authority to Access | |
| |
| |
| Who Hosts the Data? | |
| |
| |
| Who Owns the Device? | |
| |
| |
| Expectation of Privacy | |
| |
| |
| |
| Choosing Your Procedures | |
| |
| |
| Forensic Imaging | |
| |
| |
| Determining Your Comfort Level | |
| |
| |
| Forensic Imaging Method Pros and Cons | |
| |
| |
| Creating Forms and Your Lab Manual | |
| |
| |
| Chain of Custody Forms | |
| |
| |
| Request Forms | |
| |
| |
| Report Forms | |
| |
| |
| Standard Operating Procedures Manual | |
| |
| |
| |
| Testing Your Tools | |
| |
| |
| When Do You Need to Test | |
| |
| |
| Collecting Data for Public Research or Presentations | |
| |
| |
| Testing a Forensic Method | |
| |
| |
| Testing a Tool | |
| |
| |
| Where to Get Test Evidence | |
| |
| |
| Raw Images | |
| |
| |
| Creating Your Own Test Images | |
| |
| |
| Forensic Challenges | |
| |
| |
| Learn Forensics with David Cowen on YouTube | |
| |
| |
| Honeynet Project | |
| |
| |
| DC3 Challenge | |
| |
| |
| DFRWS Challenge | |
| |
| |
| SANS Forensic Challenges | |
| |
| |
| High School Forensic Challenge | |
| |
| |
| Collections of Tool Testing Images | |
| |
| |
| Digital Forensic Tool Testing Images | |
| |
| |
| NIST Computer Forensics Reference Data Sets Images | |
| |
| |
| The Hacking Case | |
| |
| |
| NIST Computer Forensics Tool Testing | |
| |
| |
| |
| Live vs. Postmortem Forensics | |
| |
| |
| Live Forensics | |
| |
| |
| When Live Forensics Is the Best Option | |
| |
| |
| Tools for Live Forensics | |
| |
| |
| Postmortem Forensics | |
| |
| |
| Postmortem Memory Analysis | |
| |
| |
| |
| Capturing Evidence | |
| |
| |
| Creating Forensic Images of Internal Hard Drives | |
| |
| |
| FTK Imager with a Hardware Write Blocker | |
| |
| |
| FTK Imager with a Software Write Blocker | |
| |
| |
| Creating Forensic Images of External Drives | |
| |
| |
| FTK Imager with a USB Write Blocker | |
| |
| |
| FTK Imager with a Software Write Blocker | |
| |
| |
| Software Write Blocking on Linux Systems | |
| |
| |
| Creating Forensic Images of Network Shares | |
| |
| |
| Capturing a Network Share with FTK Imager | |
| |
| |
| Mobile Devices | |
| |
| |
| Servers | |
| |
| |
| |
| Nontraditional Digital Forensics | |
| |
| |
| Breaking the Rules: Nontraditional Digital Forensic Techniques | |
| |
| |
| Volatile Artifacts | |
| |
| |
| Malware | |
| |
| |
| Encrypted File Systems | |
| |
| |
| Challenges to Accessing Encrypted Data | |
| |
| |
| Mobile Devices: Smart Phones and Tablets | |
| |
| |
| Solid State Drives | |
| |
| |
| Virtual Machines | |
| |
| |
| |
| Case Examples: How to Work a Case | |
| |
| |
| |
| Establishing the Investigation Type and Criteria | |
| |
| |
| Determining What Type of Investigation Is Required | |
| |
| |
| Human Resources Cases | |
| |
| |
| Administrator Abuse | |
| |
| |
| Stealing Information | |
| |
| |
| Internal Leaks | |
| |
| |
| Keyloggers and Malware | |
| |
| |
| What to Do When Criteria Causes an Overlap | |
| |
| |
| What to Do When No Criteria Matches | |
| |
| |
| Where Should the Evidence Be? | |
| |
| |
| Did This Occur over the Network? | |
| |
| |
| Nothing Working? Create a Super Timeline | |
| |
| |
| |
| Human Resources Cases | |
| |
| |
| Results of a Human Resource Case | |
| |
| |
| How to Work a Pornography Case | |
| |
| |
| Pornography Case Study | |
| |
| |
| How to Investigate a Pornography Case | |
| |
| |
| How to Work a Productivity Waste Case | |
| |
| |
| |
| Administrator Abuse | |
| |
| |
| The Abuse of Omniscience | |
| |
| |
| Scenario 1: Administrator Runs a Pornographic Site Using Company Resources | |
| |
| |
| Beginning an Investigation | |
| |
| |
| The Web Server's Role in the Network | |
| |
| |
| Directories | |
| |
| |
| Virtual Servers | |
| |
| |
| Virtual Directories | |
| |
| |
| Scenario 2: Exploiting Insider Knowledge Against an Ex-employer | |
| |
| |
| A Private Investigator Calls | |
| |
| |
| As if They're Reading Our Minds… | |
| |
| |
| What a Network Vulnerability Assessment Can Reveal | |
| |
| |
| E-mail Data Review and Server Restoration | |
| |
| |
| Stepping Up Your Game: Knowledge Meets Creativity | |
| |
| |
| |
| Stealing Information | |
| |
| |
| What Are We Looking For? | |
| |
| |
| Determining Where the Data Went | |
| |
| |
| LNK Files | |
| |
| |
| Shellbags | |
| |
| |
| Scenario: Recovering Log Files to Catch a Thief | |
| |
| |
| |
| Internal Leaks | |
| |
| |
| Why Internal Leaks Happen | |
| |
| |
| Investigating Internal Leaks | |
| |
| |
| Reviewing the Registry Files | |
| |
| |
| Identifying LNK Files | |
| |
| |
| Wrapping Up the Investigation | |
| |
| |
| Using File System Meta-data to Track Leaked or Printed Materials | |
| |
| |
| |
| Keyloggers and Malware | |
| |
| |
| Denning Keyloggers and Malware | |
| |
| |
| How to Detect Keyloggers and Malware | |
| |
| |
| Registry Files | |
| |
| |
| Prefetch Files | |
| |
| |
| Keyword Searches | |
| |
| |
| Handling Suspicious Files | |
| |
| |
| Determining How an Infection Occurred | |
| |
| |
| What We Know About This Infection | |
| |
| |
| What We Know About the Keylogger | |
| |
| |
| Identifying What Data Was Captured | |
| |
| |
| Finding Information About the Attacker | |
| |
| |
| What We Know About the Attacker | |
| |
| |
| Where to Find More About the Attacker | |
| |
| |
| |
| Defending Your Work | |
| |
| |
| |
| Documenting Your Findings with Reports | |
| |
| |
| Documenting Your Findings | |
| |
| |
| Who Asked You to Undertake the Investigation | |
| |
| |
| What You Were Asked to Do | |
| |
| |
| What You Reviewed | |
| |
| |
| What You Found | |
| |
| |
| What Your Findings Mean | |
| |
| |
| Types of Reports | |
| |
| |
| Informal Report | |
| |
| |
| Incident Report | |
| |
| |
| Internal Report | |
| |
| |
| Declaration | |
| |
| |
| Affidavit | |
| |
| |
| Explaining Your Work | |
| |
| |
| Define Technical Terms | |
| |
| |
| Provide Examples in Layperson Terms | |
| |
| |
| Explain Artifacts | |
| |
| |
| |
| Litigation and Reports for Court and Exhibits | |
| |
| |
| Important Legal Terms | |
| |
| |
| What Type of Witness Are You? | |
| |
| |
| Fact Witness | |
| |
| |
| Expert Consultant | |
| |
| |
| Expert Witness | |
| |
| |
| Special Master | |
| |
| |
| Neutral | |
| |
| |
| Writing Reports for Court | |
| |
| |
| Declarations in Support of Motions | |
| |
| |
| Expert Reports | |
| |
| |
| Creating Exhibits | |
| |
| |
| Working with Forensic Artifacts | |
| |
| |
| Glossary | |
| |
| |
| Index | |