Digital Forensics Explained
eBook - ePub

Greg Gogolin

  1. 242 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

About the book

This book covers the full life cycle of conducting a mobile and computer digital forensic examination, including planning and performing an investigation as well as report writing and testifying. Case reviews in corporate, civil, and criminal situations are also described from both prosecution and defense perspectives.

Digital Forensics Explained, Second Edition draws from years of experience in local, state, federal, and international environments and highlights the challenges inherent in deficient cyber security practices. Topics include the importance of following the scientific method and verification, legal and ethical issues, planning an investigation (including tools and techniques), incident response, case project management and authorization, social media and internet, cloud, anti-forensics, link and visual analysis, and psychological considerations.

The book is a valuable resource for the academic environment, law enforcement, those in the legal profession, and those working in the cyber security field. Case reviews include cyber security breaches, anti-forensic challenges, child exploitation, and social media investigations.

Greg Gogolin, PhD, CISSP, is a Professor of Information Security and Intelligence at Ferris State University and a licensed Professional Investigator. He has worked more than 100 cases in criminal, civil, and corporate environments.


Information

Publisher
CRC Press
Year
2021
ISBN
9781000350708
Edition
2
Category
Cyber Security

Chapter 1
What is digital forensics, and what should you know about it?

Introduction

Over the years I have read many technical books that provide screenshots of particular tools and their operations. Whenever a tool is updated, such books become obsolete. This book focuses on the methodologies, techniques, resources, and mindset that are necessary for understanding the digital forensics process. My philosophy, and that of my chapter contributors, is that an understanding of the process is primary. Adapting that understanding to tools and technologies can then be effectively realized. Attempting to develop high levels of skill with a particular tool or technology before an understanding of the big picture is attained is shortsighted and invites error. Discipline is necessary in any science, and digital forensics is no different.
Digital forensics is the application of scientific principles to the process of discovering information from a digital device or medium. A form of digital forensics has been around nearly as long as computers have existed, but forensic capabilities have advanced considerably in recent years as digital forensic processes have matured and the need for them has become more prevalent. Digital forensics can involve nearly any digital device, not just computers, although technology often evolves faster than forensic capabilities do. Some of the common areas in which digital forensics is used include computers, printers, cell phones, mobile devices, game systems, applications (apps), global positioning systems (GPSs), biometric systems, and storage media. Rapidly expanding areas include automobile systems, Internet of Things devices, office equipment, and other programmable devices. Big Data, which is typically stored external to a device, has become a rich source of information for digital forensic examiners.

Forensic science

The precise date of when forensic science began is unclear as there are many different fields in which forensic science can be applied. Certainly, people have been trying to determine how people died for thousands of years. In the Chinese book Hsi Duan Yu (The Washing Away of Wrongs), which appeared about 1248, the author details methods to distinguish the effects of different ways of dying, for example, death by drowning as opposed to death by strangulation (Kind and Overman, 1972). Nearly 700 years later, the first crime laboratory was established in the United States by the Los Angeles Sheriff Department in 1930 (De Forest et al., 1983). Howard Schmidt, who served as an advisor to President George W. Bush and President Barack Obama, is credited with establishing the first U.S. government digital forensics laboratory (Defense News, 2010). Although forensic science has been evolving for many centuries, digital forensics is a relatively new development.
For something to be considered a science it has to study, describe, and investigate phenomena within its field. A key aspect of this is that new knowledge generated by the study and investigation has to be repeatable. A peer review process is often followed, including within a lab and in the publication process. A complex investigation can have many opportunities for error or misinterpretation, and the review process helps reduce the instances of error. In the digital forensics field, tools and techniques are often reviewed, but it is not uncommon for the findings presented in court cases to be the work of a single investigator and therefore unverified. In many situations, digital forensics lacks the scientific rigor that is present in other forensic areas such as wet labs. Part of the reason is that digital forensics is a relatively new science, and another reason is that digital technology progresses at such a rapid rate that digital forensic processes tend to lag the pace of technological innovation. Figure 1.1 is a flowchart representation of the scientific process.
Figure 1.1 The scientific process.
There are three aspects of the scientific process that I want to highlight. The first is to clearly define the question or purpose of the investigation. The second is to define a hypothesis. A hypothesis is a potential explanation for a phenomenon. A digital forensic investigator often needs to develop a hypothesis to explain what happened on a device and what it was used for. The third aspect that I want to emphasize is that many discussions of the scientific process overlook verification of results. Too often this is not done and improper results are reported. Digital forensic cases can be life changing for many individuals, and every effort must be taken to ensure that the findings of the investigation are accurate. I do not want to discount the other steps in the scientific process, but I wanted to emphasize those three aspects – and in particular, verification of results.
Digital forensics is not limited to criminal investigation. It can be used to solve problems in a corporate setting such as recovering lost files and reconstructing information from damaged equipment and also to test for changes to devices that are subject to a stimulus. Malware and botnet research are other areas that use digital forensics, particularly when trying to determine impacts. An example would be to use forensic processes to establish the baseline state of a device, introduce the stimulus, and then compare the resulting state with the baseline. Civil cases, which are not considered criminal, often involve digital forensics. Types of civil matters that may have a digital forensic component include litigation such as divorce cases and tort law.
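The baseline-stimulus-compare workflow described above, as an added example that is not from the book: a "device" is simulated by a directory tree, the baseline records the size and SHA-256 of every file, and a second snapshot taken after a simulated stimulus is diffed against it. The directory layout, file names and contents are constructed for illustration.

```python
# Added example (not the book's code): establish a baseline of a simulated
# device, apply a stimulus, and compare the resulting state with the baseline.
# The tree, file names and contents below are constructed for illustration.
import hashlib
import os
import tempfile


def snapshot(root):
    """Record (size, SHA-256) of every regular file under root, keyed by relative path."""
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            state[rel] = (os.path.getsize(full), h.hexdigest())
    return state


def compare(baseline, after):
    """Return sorted lists of (added, removed, modified) paths between two snapshots."""
    added = sorted(set(after) - set(baseline))
    removed = sorted(set(baseline) - set(after))
    modified = sorted(p for p in baseline.keys() & after.keys()
                      if baseline[p] != after[p])
    return added, removed, modified


def demo():
    """Build a constructed tree, apply a simulated stimulus, and diff the two states."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("untouched\n")
        with open(os.path.join(root, "temp.log"), "w") as f:
            f.write("will be deleted\n")

        baseline = snapshot(root)

        # Simulated stimulus: one file modified, one file added, one file removed.
        with open(os.path.join(root, "etc", "hosts"), "a") as f:
            f.write("10.0.0.5 update-server\n")
        with open(os.path.join(root, "etc", "added.cfg"), "w") as f:
            f.write("setting=1\n")
        os.remove(os.path.join(root, "temp.log"))

        after = snapshot(root)
        return compare(baseline, after)


if __name__ == "__main__":
    print(demo())
```

On a real system the snapshot would cover far more than file contents (registry or configuration stores, running processes, scheduled tasks, network state), but the principle is the same: the baseline must be captured with the same care as any other forensic artifact, or the comparison tells you nothing reliable about what the stimulus changed.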

What does it take to be a digital forensic investigator?

Digital forensic investigators need skills and interests in a variety of areas. The first question I ask someone who is considering this field is if they like puzzles. When investigating a case, you may not know any details other than that something has happened. So if someone needs to be shown or told what has occurred, they may not be a good fit for this field. Sometimes cases come to an investigator’s attention with instructions to find out what the computer or device was used for. At times this may be an open request, whereas other times it is within a specific time frame.
Many cases follow a similar pattern and a methodology similar to that outlined in Chapter 2 can help with a consistent investigation. However, many times the investigator needs to improvise an approach as there is not always a clear way to do things. This can be the result of new technology in which a methodology has not been developed, due to cost issues, or simply because it is the first time the investigator has encountered that situation. The point is that an investigator needs to be someone who can figure things out and not rely solely on others to do so. Another important characteristic is the ability to handle frustration because investigative tools and software do not always function without their challenges. This can be a fairly common occurrence when dealing with cell phones and small devices. I have had many students who stop their investigation in class at the first sign of difficulty rather than working through the challenges. They do not even try to find insight into their difficulty through the web or help system provided with the tool. Someone needs to be persistent and creative to be a successful investigator – they need to be a problem solver.
Another critical aspect of being a forensic investigator is the ability to keep your mouth closed. Case specifics usually require some level of confidentiality, and this must be maintained. Similarly, if someone is looking to enter the field as a private investigator or law enforcement professional, lack of a criminal record may be mandatory. Within a corporate setting, investigators may not need to be licensed, but they do need to maintain a high degree of integrity within the context of the corporation. I have gone through many smartphones and computers covertly to determine the degree of an employee’s misconduct. The result is that I know what personnel changes are likely to occur before anyone else.
Irrespective of whether the environment is corporate, law enforcement, or as a private investigator, a background check is likely to occur. Particularly in law enforcement and private investigator licensing, fingerprint registration is likely a requirement. Private investigators also need bonding and/or liability insurance. Most states require that private investigators have experience before becoming licensed, so students who are fresh out of college may find that they need to work for someone else under their license before becoming individually licensed.
The work itself seems to follow a sine wave rather than a consistent flow. Cases often explode into multiple devices and locations, which can mean long and inconsistent hours. After-hours investigation may be the rule for some cases, and often this may be at a distant site. What does seem to be the rule is that cases appear when they are not expected, and it is good practice to be ready. For example, computer forensics investigations usually include taking forensic images of the computers under investigation. Typically, this means taking a forensic image of the storage devices. The location where the images are being copied to should be forensically prepared in advance. If a computer has a 1-TB hard drive, the forensic image could be taken on another 1-TB hard drive. This forensic image hard drive should not just be a new hard drive that is in an unopened box from a retail store because it is unknown what may already be stored on that drive. New hard drives commonly come with utilities and other programs preinstalled. A hard drive should be completely erased and reformatted before it is used. Experienced investigators often wipe a hard drive and then overwrite the entire drive with a hex character. This process takes time, and when time is of the essence, preparing forensic storage media in advance can save considerable time.
The forensic process is discussed later in this book, including Chapter 2, but let us complete the thought on forensically prepared storage media. The purpose of forensically prepared storage media is that it allows the investigator to testify that the only information contained on the forensically imaged drive is the information from the suspect device and that there is no evidence of contamination. Anything that is not part of the forensic image would be the hex character that was due to the wiping process if the target/destination drive was wiped with a hex character. Hash algorithms, such as MD5 and SHA-1, are also used to verify that an exact copy has been taken and using at least two forms of hashing should be standard procedure whenever possible.
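The media preparation and verification procedure described above (wipe the destination with a known hex character, image the suspect media onto it, confirm the copy with two hash algorithms, and confirm that everything outside the image is still the wipe pattern), as an added example that is not from the book. It simulates drives with in-memory byte buffers; the wipe byte, buffer sizes and sample contents are constructed for illustration.

```python
# Added example (not the book's code): forensically prepared destination
# media simulated with byte buffers. WIPE_BYTE is an assumed choice of hex
# character; the sizes and sample contents are constructed for illustration.
import hashlib

WIPE_BYTE = 0x00  # assumed wipe pattern; any fixed hex character works


def wipe(media, pattern=WIPE_BYTE):
    """Overwrite the entire destination in place with the known pattern."""
    media[:] = bytes([pattern]) * len(media)
    return media


def verify_wiped(media, pattern=WIPE_BYTE):
    """True only if the media holds nothing but the wipe pattern."""
    return all(b == pattern for b in media)


def hash_pair(data):
    """Two independent digests (MD5 and SHA-1, as the chapter names) of the same data."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def image(source, destination):
    """Copy the suspect media bit-for-bit onto the prepared destination."""
    if len(source) > len(destination):
        raise ValueError("destination media too small for a full image")
    destination[: len(source)] = source
    return len(source)


def verify_image(source, destination, pattern=WIPE_BYTE):
    """Return (exact_copy, uncontaminated): both hashes match, and the
    remainder of the destination still contains only the wipe pattern."""
    n = len(source)
    exact = hash_pair(source) == hash_pair(bytes(destination[:n]))
    uncontaminated = all(b == pattern for b in destination[n:])
    return exact, uncontaminated


def demo():
    """Walk the procedure: retail drive with leftovers -> wipe -> image -> verify."""
    suspect = bytes(range(256)) * 4           # constructed 1 KiB "suspect drive"
    dest = bytearray(b"\xab" * 2048)          # constructed "new retail drive" with unknown leftovers
    prepared_before = verify_wiped(dest)      # False: must be wiped before use
    wipe(dest)
    image(suspect, dest)
    exact, clean = verify_image(suspect, dest)
    return prepared_before, exact, clean      # (False, True, True)


if __name__ == "__main__":
    print(demo())
```

The two verification checks answer two different questions an examiner will be asked on the stand: that the copy is exact (the hashes agree), and that nothing else is present on the destination (every byte past the image is still the wipe character). Recording both hashes, the wipe pattern, and the drive sizes in the case notes at the time is what makes the later testimony defensible.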

Educational opportunities

Education is necessary to become competent in any profession, and digital forensics is no exception. Education can take many forms including university instruction, attendance at conferences, vendor classes, workshops, and self-study. Each of these should be evaluated to determine if it helps move someone toward their educational goal. College and university educational opportunities can be evaluated in a number of ways such as asking previous students and those affiliated with the courses and programs. Several designations and accreditation levels can help determine the maturity of the offerings. For example, the National Security Agency (NSA) has the Center of Academic Excellence criteria, which are rigorous and appropriate. The Department of Defense has the Center of Digital Forensic Academic Excellence, which is a specific set of criteria that colleges need to meet in order to receive the CDFAE designation. The Accreditation Board for Engineering and Technology (ABET) accredits college programs in fields related to digital forensics including cybersecurity.
An additional factor to help determine the strength of an academic program would be to inquire regarding the experience of the faculty. Some questions may include the following: Do the faculty actively research and/or consult in digital forensics? Are they licensed and/or certified as investigators? How many cases have they investigated? What tools and technologies will the student be exposed to? How large are the classes and do they have a hands-on component? How long has the institution been offering courses? Are the courses available online?
Vendor classes focus on tools that they market, although instructors will often provide insight into complementary tools and techniques that are not part of the vendor’s products. Some of these classes are offered online, which provides convenience in logistics and can help minimize costs. Commer...
