Acknowledgments
Introduction

Getting Started

What Is Computer Forensics?
What You Can Do with Computer Forensics
How People Get Involved in Computer Forensics
Law Enforcement
Military
University Programs
IT or Computer Security Professionals
Incident Response vs. Computer Forensics
How Computer Forensic Tools Work
Types of Computer Forensic Tools
Professional Licensing Requirements

Learning Computer Forensics
Where and How to Get Training
Law Enforcement Training
Corporate Training
Where and How to Get Certified
Vendor Certifications
Vendor-Neutral Certifications
Staying Current
Conferences
Blogs
Forums
Podcasts
Associations

Creating a Lab
Choosing Where to Put Your Lab
Access Controls
Electrical Power
Air Conditioning
Privacy
Gathering the Tools of the Trade
Write Blockers
Drive Kits
External Storage
Screwdriver Kits
Antistatic Bags
Adaptors
Forensic Workstation
Choosing Forensic Software
Open Source Software
Commercial Software
Storing Evidence
Securing Your Evidence
Organizing Your Evidence
Disposing of Old Evidence

Your First Investigation

How to Approach a Computer Forensics Investigation
The Investigative Process
What Are You Being Asked to Find Out?
Where Would the Data Exist?
What Applications Might Have Been Used in Creating the Data?
Should You Request to Go Beyond the Scope of the Investigation?
Testing Your Hypothesis
Define Your Hypothesis
Determine a Repeatable Test
Create Your Test Environment
Document Your Testing
The Forensic Data Landscape
Active Data
Unallocated Space
Slack Space
Mobile Devices
External Storage
What Do You Have the Authority to Access
Who Hosts the Data?
Who Owns the Device?
Expectation of Privacy

Choosing Your Procedures
Forensic Imaging
Determining Your Comfort Level
Forensic Imaging Method Pros and Cons
Creating Forms and Your Lab Manual
Chain of Custody Forms
Request Forms
Report Forms
Standard Operating Procedures Manual

Testing Your Tools
When Do You Need to Test
Collecting Data for Public Research or Presentations
Testing a Forensic Method
Testing a Tool
Where to Get Test Evidence
Raw Images
Creating Your Own Test Images
Forensic Challenges
Learn Forensics with David Cowen on YouTube
Honeynet Project
DC3 Challenge
DFRWS Challenge
SANS Forensic Challenges
High School Forensic Challenge
Collections of Tool Testing Images
Digital Forensic Tool Testing Images
NIST Computer Forensics Reference Data Sets Images
The Hacking Case
NIST Computer Forensics Tool Testing

Live vs. Postmortem Forensics
Live Forensics
When Live Forensics Is the Best Option
Tools for Live Forensics
Postmortem Forensics
Postmortem Memory Analysis

Capturing Evidence
Creating Forensic Images of Internal Hard Drives
FTK Imager with a Hardware Write Blocker
FTK Imager with a Software Write Blocker
Creating Forensic Images of External Drives
FTK Imager with a USB Write Blocker
FTK Imager with a Software Write Blocker
Software Write Blocking on Linux Systems
Creating Forensic Images of Network Shares
Capturing a Network Share with FTK Imager
Mobile Devices
Servers

Nontraditional Digital Forensics
Breaking the Rules: Nontraditional Digital Forensic Techniques
Volatile Artifacts
Malware
Encrypted File Systems
Challenges to Accessing Encrypted Data
Mobile Devices: Smart Phones and Tablets
Solid State Drives
Virtual Machines

Case Examples: How to Work a Case

Establishing the Investigation Type and Criteria
Determining What Type of Investigation Is Required
Human Resources Cases
Administrator Abuse
Stealing Information
Internal Leaks
Keyloggers and Malware
What to Do When Criteria Causes an Overlap
What to Do When No Criteria Matches
Where Should the Evidence Be?
Did This Occur over the Network?
Nothing Working? Create a Super Timeline

Human Resources Cases
Results of a Human Resource Case
How to Work a Pornography Case
Pornography Case Study
How to Investigate a Pornography Case
How to Work a Productivity Waste Case

Administrator Abuse
The Abuse of Omniscience
Scenario 1: Administrator Runs a Pornographic Site Using Company Resources
Beginning an Investigation
The Web Server's Role in the Network
Directories
Virtual Servers
Virtual Directories
Scenario 2: Exploiting Insider Knowledge Against an Ex-employer
A Private Investigator Calls
As if They're Reading Our Minds…
What a Network Vulnerability Assessment Can Reveal
E-mail Data Review and Server Restoration
Stepping Up Your Game: Knowledge Meets Creativity

Stealing Information
What Are We Looking For?
Determining Where the Data Went
LNK Files
Shellbags
Scenario: Recovering Log Files to Catch a Thief

Internal Leaks
Why Internal Leaks Happen
Investigating Internal Leaks
Reviewing the Registry Files
Identifying LNK Files
Wrapping Up the Investigation
Using File System Meta-data to Track Leaked or Printed Materials

Keyloggers and Malware
Defining Keyloggers and Malware
How to Detect Keyloggers and Malware
Registry Files
Prefetch Files
Keyword Searches
Handling Suspicious Files
Determining How an Infection Occurred
What We Know About This Infection
What We Know About the Keylogger
Identifying What Data Was Captured
Finding Information About the Attacker
What We Know About the Attacker
Where to Find More About the Attacker

Defending Your Work

Documenting Your Findings with Reports
Documenting Your Findings
Who Asked You to Undertake the Investigation
What You Were Asked to Do
What You Reviewed
What You Found
What Your Findings Mean
Types of Reports
Informal Report
Incident Report
Internal Report
Declaration
Affidavit
Explaining Your Work
Define Technical Terms
Provide Examples in Layperson Terms
Explain Artifacts

Litigation and Reports for Court and Exhibits
Important Legal Terms
What Type of Witness Are You?
Fact Witness
Expert Consultant
Expert Witness
Special Master
Neutral
Writing Reports for Court
Declarations in Support of Motions
Expert Reports
Creating Exhibits
Working with Forensic Artifacts

Glossary
Index