Learn Computer Forensics
eBook - ePub

Learn Computer Forensics

A beginner's guide to searching, analyzing, and securing digital evidence

William Oettinger

Share book
  1. 368 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Learn Computer Forensics

A beginner's guide to searching, analyzing, and securing digital evidence

William Oettinger

Book details
Book preview
Table of contents
Citations

About This Book

Get up and running with collecting evidence using forensics best practices to present your findings in judicial or administrative proceedings

Key Features

  • Learn the core techniques of computer forensics to acquire and secure digital evidence skillfully
  • Conduct a digital forensic examination and document the digital evidence collected
  • Perform a variety of Windows forensic investigations to analyze and overcome complex challenges

Book Description

A computer forensics investigator must possess a variety of skills, including the ability to answer legal questions, gather and document evidence, and prepare for an investigation. This book will help you get up and running with using digital forensic tools and techniques to investigate cybercrimes successfully. Starting with an overview of forensics and all the open source and commercial tools needed to get the job done, you'll learn core forensic practices for searching databases and analyzing data over networks, personal devices, and web applications. You'll then learn how to acquire valuable information from different places, such as filesystems, e-mails, browser histories, and search queries, and capture data remotely. As you advance, this book will guide you through implementing forensic techniques on multiple platforms, such as Windows, Linux, and macOS, to demonstrate how to recover valuable information as evidence. Finally, you'll get to grips with presenting your findings efficiently in judicial or administrative proceedings.By the end of this book, you'll have developed a clear understanding of how to acquire, analyze, and present digital evidence like a proficient computer forensics investigator.

What you will learn

  • Understand investigative processes, the rules of evidence, and ethical guidelines
  • Recognize and document different types of computer hardware
  • Understand the boot process covering BIOS, UEFI, and the boot sequence
  • Validate forensic hardware and software
  • Discover the locations of common Windows artifacts
  • Document your findings using technically correct terminology

Who this book is for

If you're an IT beginner, student, or an investigator in the public or private sector this book is for you. This book will also help professionals and investigators who are new to incident response and digital forensics and interested in making a career in the cybersecurity domain. Individuals planning to pass the Certified Forensic Computer Examiner (CFCE) certification will also find this book useful.

]]>

Frequently asked questions

How do I cancel my subscription?
Simply head over to the account section in settings and click on “Cancel Subscription” - it’s as simple as that. After you cancel, your membership will stay active for the remainder of the time you’ve paid for. Learn more here.
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is Learn Computer Forensics an online PDF/ePUB?
Yes, you can access Learn Computer Forensics by William Oettinger in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Packt Publishing
Year
2020
ISBN
9781838641092
Topic
Computer Science
Subtopic
Cyber Security
Index
Computer Science

Section 1: Acquiring Evidence

You will learn about the forensic process and the importance of obtaining forensically sound data and the procedures to achieve that goal.
The following chapters are in the section:
  • Chapter 1, Types of Computer-Based Investigations
  • Chapter 2, The Forensic Analysis Process
  • Chapter 3, Acquisition of Evidence
  • Chapter 4, Computer Systems

Chapter 1: Types of Computer-Based Investigations

Welcome to the 21st century, where almost everything in life is connected to an electronic device. There are digital cameras inside doorbells; your smartphone tracks your daily progress from work to home and back again; you get social media updates when you go to the gym, a show, or travel to a new city.
Your phone calls, bank access, and medical appointments are all tracked via digital technology. If it tracks your mundane daily activity, what about criminal or unethical behavior? That activity is also followed, and if you are a digital forensic investigator, you must know the repositories of the digital evidence and how to analyze it. There is almost no criminal activity that will not have digital evidence associated with it and, as an investigator, it is your job to find all available evidence, process it, and present findings to the finder of fact.
This chapter will introduce you to the different topics of computer-based investigations, from criminal acts investigated by the police to civil and potentially illegal actions performed by an employee or external third party that are examined by a nongovernmental investigator.
While the goal is the same, to present evidence about an incident, the methods for each are slightly different. It is essential for you to understand the similarities between the investigations; being able to present evidence in a judicial proceeding and recognize the differences.
The topics that will be covered in this chapter are as follows:
  • Differences in computer-based investigations
  • Criminal investigations
  • Corporate investigations

Differences in computer-based investigations

This book is all about introducing a beginner to the realm of digital forensics. What is digital forensics? It is a division of forensics involving the recovery and analysis of data that has been recovered from digital devices. At one time, the term digital forensics was treated as a synonym for computer forensics, but now it involves all devices capable of storing digital data. No matter what term is used, the goal is to identify, collect, and examine/analyze digital data while preserving its integrity. Digital forensics is not only about finding the artifact, it is a formal examination/analysis of the digital evidence to prove or to disprove whether the accused committed the violation.
It is not always about demonstrating that the suspect is guilty; as a forensic examiner, you also have that ethical obligation to find exculpatory evidence that will prove the subject's innocence. Your duty is to be an unbiased third party in presenting the findings of the investigation. In a criminal examination, your findings could deprive someone of their liberty, and in a corporate investigation, your findings may lead to a criminal investigation or cost someone their livelihood. As a digital forensic examiner, your conclusions can have an extraordinary impact on the subjects of the investigation.
To be a digital forensic examiner, you need to have a desire to ask questions, have specialized equipment, and have the required training. From teaching people interested in the field, I have found the best students can critically examine the facts and circumstances being presented and, using that ability, can focus their efforts on efficiently reaching an accurate conclusion. Unfortunately, I find many students want to use a "find evidence" button, find all the artifacts, and print up a thousand-page report and call it a day. That is not digital forensics.
Digital forensics is not finding the artifact. By artifact, I am talking about an incriminating Google search in browser history, an incriminating email between the subject and a co-conspirator, and illicit images found in the filesystem. Artifacts are breadcrumbs leading to the identity of the person conducting the illegal activity. However, on their own, they do not identify the user who created these artifacts or the one who is responsible for their creation indirectly. One of the biggest challenges in this field is to determine what is colloquially known as the "idiot behind the keyboard." You want to tie the user to the specific subject and to do that, you have to analyze – that is the key word–the digital evidence to associate it with a particular user.
If you are in the IT field, you will understand networking and computer operating systems, but you will lack knowledge of how to preserve evidence, maintain a chain of custody, and present it in a criminal/administrative proceeding.
If you are an investigator, you will understand the chain of custody, evidence preservation, and testifying in a criminal/administrative proceeding. However, you may lack experience in the digital field. To be an effective digital forensic examiner, you have to be part of both those worlds. You have to understand how data is created, shared, and saved in the digital realm and be able to preserve that evidence in a forensically sound manner and testify in proceedings. Sometimes, the ability to talk in front of a large group while answering hard questions posed to you by attorneys from both sides is the hardest part of the field.
As with any field, the way you get better and more effective is to practice, to conduct real and mock examinations, to receive training, and have the willingness to reach out to your peers for advice. Since you are reading this book, you are taking that first step. You could be reading the text on your own, using it as a textbook for a college course you are taking, or using it in a corporate training session. The reason does not matter. Reading this book will put you on the road to be a more effective digital forensic examiner.
What is cybercrime? What crimes does a digital forensic examiner investigate? A digital forensic examiner may investigate any alleged wrongdoing that touches on the digital world. Nearly everyone possesses a mobile device. Sometimes, a person owns or uses multiple mobile devices and laptops and the traditional desktop. All of these sources have the ability to maintain a significant amount of information as it relates to the investigation. For example, I investigated a crime against a person where the victim was physically unable to communicate with the police. How does that become a crime that requires the use of a digital forensic examiner?
Well, in this case, she had maintained communication with the suspect of that crime via a website and instant messaging on her mobile device. While they did not directly have evidence relating to the crime being investigated, they had evidence about the relationship between the victim and the suspect. In the 21st century, almost any crime may have evidence stored in a digital format. Now, there are some crimes where someone will have used their computer as a tool to commit the crime, such as sending harassing emails, fraud and forgery, hacking, corporate espionage, or the trafficking of illicit images.
Your occupation will dictate your response to a situation; if you are law enforcement, you will have one set of procedures to follow, while if you are in the corporate world, you will have a different set of procedures to follow. While some processes may overlap in different fields, each one has its unique differences, which is what we will discuss next.

Criminal investigations

As a law enforcement professional, your first consideration will be officer safety. Is the scene secure to process and secure evidence? When the investigation starts, you may take part in one or more roles. The most basic positions are as follows:
  • The first responder
  • The investigator
  • Crime scene technician
Depending on the size of your agency, you may fill one position or all three, and you may report to one or more supervisors. Now, in the matter of digital evidence, it is preferable that the person in charge of the crime scene has some knowledge of the fragility of digital evidence. That allows personnel to enact the proper procedures to ensure that the evidence is not corrupted.
Let's talk about what each role does.

First responders

The first responders are the first ones on the scene. They secure what may be a chaotic scene. They will identify the following:
  • Potential victims
  • Witnesses
  • Potential suspects
  • How best to maintain control
They will do this until the investigator arrives. The first responder's primary mission is to make the scene safe and secure and ensure that no one can contaminate the evidence. As you can imagine, crime scenes can vary from a dynamic crime scene to the relatively static crime scene, depending on the nature of the crime. In both scenarios, the first responder must have basic knowledge of what items could contain digital evidence when they secure the scene. We would not want to have subjects grabbing cell phones or laptops and using them for any activity.
So, how does a first responder protect the crime scene? Just like you see in TV shows and movies, yellow crime scene tape is the most common method. It is the most straightforward visible sign of a crime scene barrier, and in our culture, people recognize the barrier being presented by that thin piece of yellow plastic. One or more personnel will have to monitor the crime scene to regulate who can cross that line and enter the scene.

Investigators

The investigator will respond to the scene after being requested by the first responder. Upon arriving at the scene, the first responder and the investigator will coordinate, and information sharing will now start. The first responder will provide the basic information, which typically involves the five Ws and one H, specifically the who, what, when, where, why, and how, about the incident.
The first responder will also provide information about any actions they or anyone else had taken before the arrival of the investigator. For example, the investigator will want to know whether the first responder(s) touched anything, moved anything, or changed anything within the crime scene. This could be a physical action such as applying first aid to a victim or turning a computer on or off. I remember an examination I did where the first responders did not reveal that they had accessed the victim's computer. While conducting my examination, I did a timeline analysis and saw an abnormality in the activity after the victim had died. The abnormality was caused by the unreported actions of the first responders. What's important to understand here is that the first responders' actions were not wrong. What created complications is that they did not report the actions, which led to additional work and explanations.
The investigator takes charge of the scene and directs all activity. They will direct the other team members' investigative efforts to ensure the proper documentation is completed regarding the seizure of evidence. Sometimes, the first responder will seize evidence and turn it over to the investigator. A chain of custody document must be completed and maintained showing who found the item and who maintained control until the completion of the judicial or administrative proceeding.

Crime scene technician

Finally, we come to the crime scene technician. This can be a sworn or unsworn position within the law enforcement agency. They have specialized training in the collection of evidence. This could be physical evidence, such as fingerprints, tool comparison, the collection of biological fluids, and crime scene photography, all of which require specialized training and equipment. The collection of digital evidence requires the same level of expertise that the collection of physical evidence does.
Note
We can put law enforcement jobs into two basic groups: Sworn: May take an oath to support the laws in their jurisdiction; they have the power to make arrests and carry firearms. Non-sworn: May take an oath but do not have powers to arrest. These positions are typically crime scene analyst or law enforcement support technicians.
The crime scene technician is responsible for the preservation of evidence and starting the chain of custody. Some actions they could carry out include the acquisition of volatile memory of a computer system, creating forensic images of the storage devices, or creating the logical forensic image of logical files from a server. The evidence will be bagged and tagged and transported to a secure location. What do I mean by bagged and tagged? They will place all the evidence or the containers holding the digital evidence in the appropriate storage container. A tag will then be filled out with the identifiers to specify which investigation the evidence belongs to, who collected it, and what evidence is contained within the container.
As we go through the rest of this book, we will cover the duties of the crime scene technician in greater detail.
A law enforcement officer may be a first responder, investigator, or crime scene technician and, in all roles, is an agent of the government. Depending on your...

Table of contents