Handbook of Digital Forensics and Investigation
Eoghan Casey

  1. 600 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
About This Book

Handbook of Digital Forensics and Investigation builds on the success of the Handbook of Computer Crime Investigation, bringing together renowned experts in all areas of digital forensics and investigation to provide the consummate resource for practitioners in the field. It is also designed as an accompanying text to Digital Evidence and Computer Crime.

This unique collection details how to conduct digital investigations in both criminal and civil contexts, and how to locate and utilize digital evidence on computers, networks, and embedded systems. Specifically, the Investigative Methodology section of the Handbook provides expert guidance in the three main areas of practice: Forensic Analysis, Electronic Discovery, and Intrusion Investigation. The Technology section is extended and updated to reflect the state of the art in each area of specialization. The main areas of focus in the Technology section are forensic analysis of Windows, Unix, Macintosh, and embedded systems (including cellular telephones and other mobile devices), and investigations involving networks (including enterprise environments and mobile telecommunications technology).

This handbook is an essential technical reference and on-the-job guide that IT professionals, forensic practitioners, law enforcement, and attorneys will rely on when confronted with computer related crime and digital evidence of any kind.

* Provides methodologies proven in practice for conducting digital investigations of all kinds
* Demonstrates how to locate and interpret a wide variety of digital evidence, and how it can be useful in investigations
* Presents tools in the context of the investigative process, including EnCase, FTK, ProDiscover, foremost, XACT, Network Miner, Splunk, flow-tools, and many other specialized utilities and analysis platforms
* Case examples in every chapter give readers a practical understanding of the technical, logistical, and legal challenges that arise in real investigations

Information

Year
2009
ISBN
9780080921471
Chapter 1

Introduction

Eoghan Casey

Publisher Summary

Digital forensics has progressed rapidly, but much more is required, including developing more sophisticated techniques for acquiring and analyzing digital evidence, increasing scientific rigor in our work, and professionalizing the field. In modern digital investigations, practitioners must deal with growing numbers of computer systems in a single investigation, particularly in criminal investigations of organized groups, electronic discovery of major corporations, and intrusion investigations of international scope. This chapter introduces the book that aims to contribute to the advancement of the field by expanding knowledge in the major specializations in digital forensics and improving our ability to locate and utilize digital evidence on computers, networks, and embedded systems. The chapter provides expert guidance in the three main areas of practice: forensic analysis, electronic discovery, and intrusion investigation. The main areas of focus in the chapter are forensic analysis of Windows, Unix, Macintosh, and embedded systems (including cellular telephones and other mobile devices), and investigations involving networks (including enterprise environments and mobile telecommunications technology).
Computers and networks have become so ubiquitous in our society, such an integral part of our daily lives, that any investigation or legal dispute will likely involve some form of digital evidence. Crimes like child exploitation, fraud, drug trafficking, terrorism, and homicide usually involve computers to some degree (see Chapter 2, “Forensic Analysis”). Electronic discovery has become so common in civil disputes that countries are updating their legal guidelines to address digital evidence (see Chapter 3, “Electronic Discovery”). Investigations of intrusions into corporate and government IT systems rely heavily on digital evidence, and are becoming more challenging as offenders become more adept at covering their tracks (see Chapter 4, “Intrusion Investigation”).
Media reports at the time of this writing clearly demonstrate the wide diversity of cases that involve digital evidence:

* The University of California at Berkeley notified students and alumni that an intruder had gained unauthorized access to a database containing medical records of over 160,000 individuals.
* Members of an international child exploitation enterprise were sentenced for participating in an illegal organization that utilized Internet newsgroups to traffic in illegal images and videos depicting prepubescent children, including toddlers, engaged in various sexual and sadistic acts.
* David Goldenberg, an executive of AMX Corp, pled guilty to gaining unauthorized access to and stealing sensitive business information from the e-mail systems of a marketing firm that was working for a competitor, Crestron Electronics.
* The FBI is investigating a security breach of Virginia Prescription Monitoring Program (VPMP) computer systems. The data thief placed a ransom message on the VPMP web site, demanding payment of $10 million for the return of 8 million patient records and 35.5 million prescriptions.
* Computers seized during military operations in Iraq contained details about enemy operations.

Criminals are becoming more aware of digital forensic and investigation capabilities, and are making more sophisticated use of computers and networks to commit their crimes. Some are even developing “anti-forensic” methods and tools specifically designed to conceal their activities and destroy digital evidence, and generally undermine digital investigators. The integration of strong encryption into operating systems is also creating challenges for forensic examiners, potentially preventing us from recovering any digital evidence from a computer (Casey & Stellatos, 2008).
Over the past few years, practitioners and researchers have made significant advances in digital forensics. Our understanding of technology has improved and we have gained the necessary experiences to further refine our practices. We have overcome major technical challenges, giving practitioners greater access to digital evidence. New forensic techniques and tools are being created to support forensic acquisition of volatile data, inspection of remote systems, and analysis of network traffic. Detailed technical coverage of forensic analysis of Windows, Unix, and Macintosh systems is provided in Chapters 5, 6, and 7, respectively.
These advances bring with them great promise, and place new demands on digital forensics and investigations, changing the terrain of the field and causing new practices to evolve, including forensic analysis of embedded systems (Chapter 8), enterprise networks (Chapter 9), and mobile telecommunications systems (Chapter 10). The recent advances and some of the current challenges were recognized in the 2009 National Academy of Sciences report:
Digital evidence has undergone a rapid maturation process. This discipline did not start in forensic laboratories. Instead, computers taken as evidence were studied by police officers and detectives who had some interest or expertise in computers. Over the past 10 years, this process has become more routine and subject to the rigors and expectations of other fields of forensic science. Three holdover challenges remain: (1) the digital evidence community does not have an agreed certification program or list of qualifications for digital forensic examiners; (2) some agencies still treat the examination of digital evidence as an investigative rather than a forensic activity; and (3) there is wide variability in and uncertainty about the education, experience, and training of those practicing this discipline. (National Academy of Sciences, 2009)
All of these advancements and challenges bring us to the underlying motivations of this work: to improve technical knowledge, standards of practice, and research in digital forensics and investigation. Furthermore, by presenting state-of-the-art practices and tools alongside the real-world challenges that practitioners are facing in the field and the limitations of forensic tools, the Handbook hopes to inspire future research and development in the areas of greatest need. As far and as quickly as this discipline has progressed, we continue to face major challenges in the future.

Forensic Soundness

As the field of digital forensics evolved from dealing primarily with hard drives to include any and all types of computer systems, one of the most fundamental challenges has been updating the generally accepted practices. There is an ongoing effort to balance the need to extract the most useful digital evidence as efficiently as possible against the desire to acquire a pristine copy of all available data without altering anything in the process. In many situations involving new technology, particularly when dealing with volatile data in computer memory, mobile devices, and other embedded systems, it is not feasible to extract valuable evidence without altering the original in some manner. Similarly, when dealing with digital evidence distributed across many computer systems, it may not be feasible to preserve everything.
In modern digital investigations, practitioners must deal with growing numbers of computer systems in a single investigation, particularly in criminal investigations of organized groups, electronic discovery of major corporations, and intrusion investigations of international scope. In such large-scale digital investigations, it is necessary to examine hundreds or thousands of computers as well as network-level logs for related evidence, making it infeasible to create forensic duplicates of every system.
Existing best practice guidelines are becoming untenable even in law enforcement digital forensic laboratories where growing caseloads and limited resources are combining to create a crisis. To address this issue, the latest edition of The Good Practice Guide for Computer-Based Electronic Evidence from the UK’s Association of Chief Police Officers has been updated to include preservation of data from live systems, as discussed in Chapter 3 (ACPO, 2008). As the quantity of digital evidence grows and case backlogs mount, we are moving away from the resource intensive approach of creating a forensic duplicate and conducting an in-depth forensic examination of every item. A tiered approach to digital forensic examinations is being used to promptly identify items of greatest evidentiary value and produce actionable results, reserving in-depth forensic analysis for particular situations (Casey, 2009).
At the same time, there have been developments in preserving and utilizing more volatile data that can be useful in a digital investigation. Memory in computer systems can include passwords, encrypted volumes that are locked when the computer is turned off, and running programs that a suspect or computer intruder is using. Developments in memory forensics, mobile device forensics, and network forensics enable practitioners to acquire a forensic duplicate of full memory contents and extract meaningful information. The DFRWS2005 Forensic Challenge (www.dfrws.org) sparked developments in analysis of physical memory on Microsoft Windows systems, leading to ongoing advances in tools for extracting useful information from Windows, Unix, and Macintosh operating systems. Techniques have even been developed to recover data from random access memory chips after a computer has been turned off (Halderman, 2008). For...