Computer Forensics Infosec Pro Guide

by
  • ISBN13: 9780071742450
  • ISBN10: 007174245X

  • Edition: 1st
  • Format: Paperback
  • Copyright: 2013-04-09
  • Publisher: McGraw-Hill Education
List Price: $40.00 Save up to $4.00
  • Buy New: $38.80
    Usually ships in 2-3 business days

Summary

A hands-on guide to using a variety of tools to conduct computer forensics investigations and verify findings.

Computer Forensics, A Beginner's Guide offers a complete overview of computer forensics, includes insider tips, and highlights the essential skills required for success in the field of computer forensics. The book discusses techniques for gathering types of data, how to determine if the information is correct and valid, and how to present that information in a way that shows the complete picture of what happened. Using the tested and proven processes developed by the author, you will learn how to set up a forensics lab, ensure that none of the evidence is tampered with, and what legal pitfalls and issues to be aware of when working with electronic evidence.

Computer Forensics, A Beginner's Guide:
  • Explains the basics of conducting computer forensics using free, open source, interactive tools
  • Features case studies that uncover common mistakes made by beginning computer forensic investigators and how to avoid them
  • Written by a computer forensics expert and speaker who is internationally recognized for his work
  • Contains global examples throughout the book
  • Includes ready-made forms and checklists you can use to ensure proper evidence handling
  • Provides a flexible, tested framework for you to use to perform forensic investigations

Table of Contents

Introduction
PART I: Getting Started
Chapter 1: What Is Computer Forensics?
What You Can Do with Computer Forensics
How People Get Involved in Computer Forensics
Law Enforcement
Military
University Programs
IT or Computer Security Professionals
Incident Response vs. Computer Forensics
How Computer Forensic Tools Work
Types of Computer Forensic Tools
Professional Licensing Requirements
Chapter 2: Learning Computer Forensics
Where and How to Get Training
Law Enforcement Training
Corporate Training
Where and How to Get Certified
Vendor Certifications
Vendor-Neutral Certifications
Staying Current
Conferences
Blogs
Forums
Podcasts
Associations
Chapter 3: Creating a Lab
Choosing Where to Put Your Lab
Access Controls
Electrical Power
Air Conditioning
Privacy
Gathering the Tools of the Trade
Write Blockers
Drive Kits
External Storage
Screwdriver Kits
Antistatic Bags
Adaptors
Forensic Workstation
Choosing Forensic Software
Open Source Software
Commercial Software
Storing Evidence
Securing Your Evidence
Organizing Your Evidence
Disposing of Old Evidence
PART II: Your First Investigation
Chapter 4: How to Approach a Computer Forensics Investigation
The Investigative Process
What Are You Being Asked to Find Out?
Where Would the Data Exist?
What Applications Might Have Been Used in Creating the Data?
Should You Request to Go Beyond the Scope of the Investigation?
Testing Your Hypothesis
Step 1. Define Your Hypothesis
Step 2. Determine a Repeatable Test
Step 3. Create Your Test Environment
Step 4. Document Your Testing
The Forensic Data Landscape
Active Data
Unallocated Space
Slack Space
Mobile Devices
External Storage
What Do You Have the Authority to Access
Who Hosts the Data?
Who Owns the Device?
Expectation of Privacy
Chapter 5: Choosing Your Procedures
Forensic Imaging
Determining Your Comfort Level
Forensic Imaging Method Pros and Cons
Creating Forms and Your Lab Manual
Chain of Custody Forms
Request Forms
Report Forms
Standard Operating Procedures Manual
Chapter 6: Testing Your Tools
When Do You Need to Test
Collecting Data for Public Research or Presentations
Testing a Forensic Method
Testing a Tool
Where to Get Test Evidence
Raw Images
Creating Your Own Test Images
Forensic Challenges
Learn Forensics with David Cowen on YouTube
Honeynet Project
DC3 Challenge
DFRWS Challenge
SANS Forensic Challenges
High School Forensic Challenge
Collections of Tool Testing Images
Digital Forensic Tool Testing Images
NIST Computer Forensics Reference Data Sets Images
The Hacking Case
NIST Computer Forensics Tool Testing
Chapter 7: Live vs. Postmortem Forensics
Live Forensics
When Live Forensics Is the Best Option
Tools for Live Forensics
Postmortem Forensics
Postmortem Memory Analysis
Chapter 8: Capturing Evidence
Creating Forensic Images of Internal Hard Drives
FTK Imager with a Hardware Write Blocker
FTK Imager with a Software Write Blocker
Creating Forensic Images of External Drives
FTK Imager with a USB Write Blocker
FTK Imager with a Software Write Blocker
Software Write Blocking on Linux Systems
Creating Forensic Images of Network Shares
Capturing a Network Share with FTK Imager
Mobile Devices
Servers
Chapter 9: Nontraditional Digital Forensics
Breaking the Rules: Nontraditional Digital Forensic Techniques
Volatile Artifacts
Malware
Encrypted File Systems
Challenges to Accessing Encrypted Data
Mobile Devices: Smart Phones and Tablets
Solid State Drives
Virtual Machines
PART III: Case Examples: How to Work a Case
Chapter 10: Establishing the Investigation Type and Criteria
Determining What Type of Investigation Is Required
Human Resources Cases
Administrator Abuse
Stealing Information
Internal Leaks
Keyloggers and Malware
What to Do When Criteria Causes an Overlap
What to Do When No Criteria Matches
Where Should the Evidence Be?
Did This Occur over the Network?
Nothing Working? Create a Super Timeline
Chapter 11: Human Resources Cases
Results of a Human Resource Case
How to Work a Pornography Case
Pornography Case Study
How to Investigate a Pornography Case
How to Work a Productivity Waste Case
Chapter 12: Administrator Abuse
The Abuse of Omniscience
Scenario 1: Administrator Runs a Pornographic Site Using Company Resources
Beginning an Investigation
The Web Server’s Role in the Network
Directories
Virtual Servers
Virtual Directories
Scenario 2: Exploiting Insider Knowledge Against an Ex-employer
A Private Investigator Calls…
As if They’re Reading Our Minds…
What a Network Vulnerability Assessment Can Reveal
E-mail Data Review and Server Restoration
Stepping Up Your Game: Knowledge Meets Creativity
Chapter 13: Stealing Information
What Are We Looking For?
Determining Where the Data Went
LNK Files
Shellbags
Scenario: Recovering Log Files to Catch a Thief
Chapter 14: Internal Leaks
Why Internal Leaks Happen
Investigating Internal Leaks
Reviewing the Registry Files
Identifying LNK Files
Wrapping Up the Investigation
Using File System Meta-data to Track Leaked or Printed Materials
Chapter 15: Keyloggers and Malware
Defining Keyloggers and Malware
How to Detect Keyloggers and Malware
Registry Files
Prefetch Files
Keyword Searches
Handling Suspicious Files
Determining How an Infection Occurred
What We Know About This Infection
What We Know About the Keylogger
Identifying What Data Was Captured
Finding Information About the Attacker
What We Know About the Attacker
Where to Find More About the Attacker
PART IV: Defending Your Work
Chapter 16: Documenting Your Findings with Reports
Documenting Your Findings
Who Asked You to Undertake the Investigation
What You Were Asked to Do
What You Reviewed
What You Found
What Your Findings Mean
Types of Reports
Informal Report
Incident Report
Internal Report
Declaration
Affidavit
Explaining Your Work
Define Technical Terms
Provide Examples in Layperson Terms
Explain Artifacts
Chapter 17: Litigation and Reports for Court and Exhibits
Important Legal Terms
What Type of Witness Are You?
Fact Witness
Expert Consultant
Expert Witness
Special Master
Neutral
Writing Reports for Court
Declarations in Support of Motions
Expert Reports
Creating Exhibits
Working with Forensic Artifacts
InfoSec Pro Series: Glossary
Index

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.
