Guide to Computer Forensics and Investigations

"Information security"

Includes bibliographical references (pages 685-690) and index.

Machine generated contents note: An Overview of Digital Forensics -- Digital Forensics and Other Related Disciplines -- A Brief History of Digital Forensics -- Understanding Case Law -- Developing Digital Forensics Resources -- Preparing for Digital Investigations -- Understanding Law Enforcement Agency Investigations -- Following Legal Processes -- Understanding Private-Sector Investigations -- Maintaining Professional Conduct -- Preparing a Digital Forensics Investigation -- An Overview of a Computer Crime -- An Overview of a Company Policy Violation -- Taking a Systematic Approach -- Procedures for Private-Sector High-Tech Investigations -- Employee Termination Cases -- Internet Abuse Investigations -- E-mail Abuse Investigations -- Attorney-Client Privilege Investigations -- Industrial Espionage Investigations -- Understanding Data Recovery Workstations and Software -- Setting Up Your Workstation for Digital Forensics -- Conducting an Investigation -- Gathering the Evidence -- Understanding Bit-stream Copies -- Analyzing Your Digital Evidence -- Completing the Case -- Critiquing the Case -- Chapter Summary -- Key Terms -- Review Questions -- Hands-On Projects -- Case Projects -- Understanding Forensics Lab Accreditation Requirements -- Identifying Duties of the Lab Manager and Staff -- Lab Budget Planning -- Acquiring Certification and Training -- Determining the Physical Requirements for a Digital Forensics Lab -- Identifying Lab Security Needs -- Conducting High-Risk Investigations -- Using Evidence Containers -- Overseeing Facility Maintenance -- Considering Physical Security Needs -- Auditing a Digital Forensics Lab -- Determining Floor Plans for Digital Forensics Labs -- Selecting a Basic Forensic Workstation -- Selecting Workstations for a Lab -- Selecting Workstations for Private-Sector Labs -- Stocking Hardware Peripherals -- Maintaining Operating Systems and Software Inventories -- Using a Disaster Recovery Plan Planning for Equipment Upgrades -- Building a Business Case for Developing a Forensics Lab -- Preparing a Business Case for a Digital Forensics Lab -- Chapter Summary -- Key Terms -- Review Questions -- Hands-On Projects -- Case Projects -- Understanding Storage Formats for Digital Evidence -- Raw Format -- Proprietary Formats -- Advanced Forensic Format -- Determining the Best Acquisition Method -- Contingency Planning for Image Acquisitions -- Using Acquisition Tools -- Mini-WinFE Boot CDs and USB Drives -- Acquiring Data with a Linux Boot CD -- Capturing an Image with AccessData FTK Imager Lite -- Validating Data Acquisitions -- Linux Validation Methods -- Windows Validation Methods -- Performing RAID Data Acquisitions -- Understanding RAID -- Acquiring RAID Disks -- Using Remote Network Acquisition Tools -- Remote Acquisition with ProDiscover -- Remote Acquisition with EnCase Enterprise -- Remote Acquisition with R-Tools R-Studio -- Remote Acquisition with WetStone US-LATT PRO -- Remote Acquisition with F-Response -- Using Other Forensics Acquisition Tools -- PassMark Software ImageUSB -- ASR Data SMART -- Runtime Software -- ILookIX IXImager -- SourceForge -- Chapter Summary -- Key Terms -- Review Questions -- Hands-On Projects -- Case Projects -- Identifying Digital Evidence -- Understanding Rules of Evidence -- Collecting Evidence in Private-Sector Incident Scenes -- Processing Law Enforcement Crime Scenes -- Understanding Concepts and Terms Used in Warrants -- Preparing for a Search -- Identifying the Nature of the Case -- Identifying the Type of OS or Digital Device -- Determining Whether You Can Seize Computers and Digital Devices -- Getting a Detailed Description of the Location -- Determining Who Is in Charge -- Using Additional Technical Expertise -- Determining the Tools You Need -- Preparing the Investigation Team -- Securing a Digital Incident or Crime Scene -- Seizing Digital Evidence at the Scene -- Preparing to Acquire Digital Evidence -- Processing Incident or Crime Scenes -- Processing Data Centers with RAID Systems -- Using a Technical Advisor -- Documenting Evidence in the Lab -- Processing and Handling Digital Evidence -- Storing Digital Evidence -- Evidence Retention and Media Storage Needs -- Documenting Evidence -- Obtaining a Digital Hash -- Reviewing a Case -- Sample Civil Investigation -- An Example of a Criminal Investigation -- Reviewing Background Information for a Case -- Planning the Investigation -- Conducting the Investigation: Acquiring Evidence with OSForensics -- Chapter Summary -- Key Terms -- Review Questions -- Hands-On Projects -- Case Projects -- Understanding File Systems -- Understanding the Boot Sequence -- Understanding Disk Drives -- Solid-State Storage Devices -- Exploring Microsoft File Structures -- Disk Partitions -- Examining FAT Disks -- Examining NTFS Disks -- NTFS System Files -- MFT and File Attributes -- MFT Structures for File Data -- NTFS Alternate Data Streams -- NTFS Compressed Files -- NTFS Encrypting File System -- EFS Recovery Key Agent -- Deleting NTFS Files -- Resilient File System -- Understanding Whole Disk Encryption -- Examining Microsoft BitLocker -- Examining Third-Party Disk Encryption Tools -- Understanding the Windows Registry -- Exploring the Organization of the Windows Registry -- Examining the Windows Registry -- Understanding Microsoft Startup Tasks -- Startup in Windows 7, Windows 8, and Windows 10 -- Startup in Windows NT and Later -- Understanding Virtual Machines -- Creating a Virtual Machine -- Chapter Summary -- Key Terms -- Review Questions -- Hands-On Projects -- Case Projects -- Evaluating Digital Forensics Tool Needs -- Types of Digital Forensics Tools -- Tasks Performed by Digital Forensics Tools -- Tool Comparisons -- Other Considerations for Tools -- Digital Forensics Software Tools -- Command-Line Forensics Tools -- Linux Forensics Tools -- Other GUI Forensics Tools -- Digital Forensics Hardware Tools -- Forensic Workstations -- Using a Write-Blocker -- Recommendations for a Forensic Workstation -- Validating and Testing Forensics Software -- Using National Institute of Standards and Technology Tools -- Using Validation Protocols -- Chapter Summary -- Key Terms -- Review Questions -- Hands-On Projects -- Case Projects -- Examining Linux File Structures -- File Structures in Ext4 -- Understanding Macintosh File Structures -- An Overview of Mac File Structures -- Forensics Procedures in Mac -- Using Linux Forensics Tools -- Installing Sleuth Kit and Autopsy -- Examining a Case with Sleuth Kit and Autopsy -- Chapter Summary -- Key Terms -- Review Questions -- Hands-On Projects -- Case Projects -- Recognizing a Graphics File -- Understanding Bitmap and Raster Images -- Understanding Vector Graphics -- Understanding Metafile Graphics -- Understanding Graphics File Formats -- Understanding Digital Photograph File Formats -- Understanding Data Compression -- Lossless and Lossy Compression -- Locating and Recovering Graphics Files -- Identifying Graphics File Fragments -- Repairing Damaged Headers -- Searching for and Carving Data from Unallocated Space -- Rebuilding File Headers -- Reconstructing File Fragments -- Identifying Unknown File Formats -- Analyzing Graphics File Headers -- Tools for Viewing Images -- Understanding Steganography in Graphics Files -- Using Steganalysis Tools -- Understanding Copyright Issues with Graphics -- Chapter Summary -- Key Terms -- Review Questions -- Hands-On Projects -- Case Projects -- Determining What Data to Collect and Analyze -- Approaching Digital Forensics Cases -- Using Autopsy to Validate Data -- Collecting Hash Values in Autopsy -- Validating Forensic Data -- Validating with Hexadecimal Editors -- Validating with Digital Forensics Tools -- Addressing Data-Hiding Techniques -- Hiding Files by Using the OS -- Hiding Partitions -- Marking Bad Clusters -- Bit-Shifting -- Understanding Steganalysis Methods -- Examining Encrypted Files -- Recovering Passwords -- Chapter Summary -- Key Terms