E-book, English, 600 pages
Casey BS / Casey Handbook of Digital Forensics and Investigation
1st edition, 2009
ISBN: 978-0-08-092147-1
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: Adobe DRM (see system requirements)
Handbook of Digital Forensics and Investigation builds on the success of the Handbook of Computer Crime Investigation, bringing together renowned experts in all areas of digital forensics and investigation to provide the consummate resource for practitioners in the field. It is also designed as an accompanying text to Digital Evidence and Computer Crime. This unique collection details how to conduct digital investigations in both criminal and civil contexts, and how to locate and utilize digital evidence on computers, networks, and embedded systems. Specifically, the Investigative Methodology section of the Handbook provides expert guidance in the three main areas of practice: Forensic Analysis, Electronic Discovery, and Intrusion Investigation. The Technology section is extended and updated to reflect the state of the art in each area of specialization. The main areas of focus in the Technology section are forensic analysis of Windows, Unix, Macintosh, and embedded systems (including cellular telephones and other mobile devices), and investigations involving networks (including enterprise environments and mobile telecommunications technology). This handbook is an essential technical reference and on-the-job guide that IT professionals, forensic practitioners, law enforcement, and attorneys will rely on when confronted with computer-related crime and digital evidence of any kind.

* Provides methodologies proven in practice for conducting digital investigations of all kinds
* Demonstrates how to locate and interpret a wide variety of digital evidence, and how it can be useful in investigations
* Presents tools in the context of the investigative process, including EnCase, FTK, ProDiscover, foremost, XACT, Network Miner, Splunk, flow-tools, and many other specialized utilities and analysis platforms
* Case examples in every chapter give readers a practical understanding of the technical, logistical, and legal challenges that arise in real investigations
Eoghan Casey is an internationally recognized expert in data breach investigations and information security forensics. He is founding partner of CASEITE.com, and co-manages the Risk Prevention and Response business unit at DFLabs. Over the past decade, he has consulted with many attorneys, agencies, and police departments in the United States, South America, and Europe on a wide range of digital investigations, including fraud, violent crimes, identity theft, and on-line criminal activity. Eoghan has helped organizations investigate and manage security breaches, including network intrusions with international scope. He has delivered expert testimony in civil and criminal cases, and has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases. In addition to his casework and writing the foundational book Digital Evidence and Computer Crime, Eoghan has worked as R&D Team Lead in the Defense Cyber Crime Institute (DCCI) at the Department of Defense Cyber Crime Center (DC3) helping enhance their operational capabilities and develop new techniques and tools. He also teaches graduate students at Johns Hopkins University Information Security Institute and created the Mobile Device Forensics course taught worldwide through the SANS Institute. He has delivered keynotes and taught workshops around the globe on various topics related to data breach investigation, digital forensics and cyber security. Eoghan has performed thousands of forensic acquisitions and examinations, including Windows and UNIX systems, Enterprise servers, smart phones, cell phones, network logs, backup tapes, and database systems. He also has information security experience, as an Information Security Officer at Yale University and in subsequent consulting work. He has performed vulnerability assessments, deployed and maintained intrusion detection systems, firewalls and public key infrastructures, and developed policies, procedures, and educational programs for a variety of organizations. Eoghan has authored advanced technical books in his areas of expertise that are used by practitioners and universities around the world, and he is Editor-in-Chief of Elsevier's International Journal of Digital Investigation.
Further information & material
Table of contents (page numbers refer to the e-book edition):

1 Front Cover (p. 1)
2 Handbook of Digital Forensics and Investigation (p. 4)
3 Copyright (p. 5)
4 Dedication (p. 6)
5 Contents (p. 8)
6 Contributors (p. 10)
7 Foreword (p. 12)
8 About the Authors (p. 16)
9 Acknowledgements (p. 24)
10 Chapter 1: Introduction (p. 28)
  10.1 Forensic Soundness (p. 30)
  10.2 Forensic Analysis Fundamentals (p. 32)
  10.3 Crime Reconstruction (p. 40)
  10.4 Networks and the Internet (p. 42)
  10.5 Conclusions (p. 43)
  10.6 References (p. 43)
11 Part 1: Investigative Methodology (p. 46)
  11.1 Chapter 2: Forensic Analysis (p. 48)
    11.1.1 Introduction (p. 48)
    11.1.2 Applying the Scientific Method to Digital Forensics (p. 50)
    11.1.3 Uses of Digital Forensic Analysis (p. 53)
    11.1.4 Data Gathering and Observation (p. 59)
    11.1.5 Hypothesis Formation (p. 75)
    11.1.6 Evaluating Hypotheses (p. 75)
    11.1.7 Conclusions and Reporting (p. 83)
    11.1.8 Summary (p. 88)
    11.1.9 References (p. 89)
  11.2 Chapter 3: Electronic Discovery (p. 90)
    11.2.1 Introduction to Electronic Discovery (p. 90)
    11.2.2 Legal Context (p. 93)
    11.2.3 Case Management (p. 101)
    11.2.4 Identification of Electronic Data (p. 105)
    11.2.5 Forensic Preservation of Data (p. 110)
    11.2.6 Data Processing (p. 133)
    11.2.7 Production of Electronic Data (p. 157)
    11.2.8 Conclusion (p. 159)
    11.2.9 Cases (p. 159)
    11.2.10 References (p. 159)
  11.3 Chapter 4: Intrusion Investigation (p. 162)
    11.3.1 Introduction (p. 162)
    11.3.2 Methodologies (p. 166)
    11.3.3 Preparation (p. 170)
    11.3.4 Case Management and Reporting (p. 184)
    11.3.5 Common Initial Observations (p. 197)
    11.3.6 Scope Assessment (p. 201)
    11.3.7 Collection (p. 202)
    11.3.8 Analyzing Digital Evidence (p. 206)
    11.3.9 Combination/Correlation (p. 218)
    11.3.10 Feeding Analysis Back into the Detection Phase (p. 229)
    11.3.11 Conclusion (p. 233)
    11.3.12 References (p. 233)
12 Part 2: Technology (p. 234)
  12.1 Chapter 5: Windows Forensic Analysis (p. 236)
    12.1.1 Introduction (p. 236)
    12.1.2 Windows, Windows everywhere… (p. 237)
    12.1.3 NTFS Overview (p. 242)
    12.1.4 Forensic Analysis of the NTFS Master File Table (MFT) (p. 250)
    12.1.5 Metadata (p. 257)
    12.1.6 Artifacts of User Activities (p. 262)
    12.1.7 Deletion and Destruction of Data (p. 300)
    12.1.8 Windows Internet and Communications Activities (p. 306)
    12.1.9 Windows Process Memory (p. 312)
    12.1.10 BitLocker and Encrypting File System (EFS) (p. 314)
    12.1.11 RAIDs and Dynamic Disks (p. 319)
    12.1.12 Cases (p. 326)
    12.1.13 References (p. 326)
  12.2 Chapter 6: UNIX Forensic Analysis (p. 328)
    12.2.1 Introduction to UNIX (p. 328)
    12.2.2 Boot Process (p. 331)
    12.2.3 Forensic Duplication Consideration (p. 333)
    12.2.4 File Systems (p. 333)
    12.2.5 User Accounts (p. 353)
    12.2.6 System Configuration (p. 355)
    12.2.7 Artifacts of User Activities (p. 356)
    12.2.8 Internet Communications (p. 366)
    12.2.9 Firefox 3 (p. 366)
    12.2.10 Cache (p. 371)
    12.2.11 Saved Session (p. 371)
    12.2.12 E-Mail Analysis (p. 372)
    12.2.13 Chat Analysis (p. 377)
    12.2.14 Memory and Swap Space (p. 378)
    12.2.15 References (p. 378)
  12.3 Chapter 7: Macintosh Forensic Analysis (p. 380)
    12.3.1 Introduction (p. 380)
    12.3.2 Imaging and File Systems (p. 380)
    12.3.3 Macintosh File Systems (p. 382)
    12.3.4 Property Lists (p. 386)
    12.3.5 User Accounts (p. 386)
    12.3.6 Applications (p. 391)
    12.3.7 System (p. 392)
    12.3.8 User Folders (p. 397)
    12.3.9 User Folders: Media Files (p. 398)
    12.3.10 User Folders: Applications (p. 399)
    12.3.11 Wrap Up (p. 409)
    12.3.12 References (p. 409)
  12.4 Chapter 8: Embedded Systems Analysis (p. 410)
    12.4.1 Introduction (p. 410)
    12.4.2 Definition and Operation (p. 411)
    12.4.3 Preserving Traces (p. 418)
    12.4.4 Data Collection (p. 424)
    12.4.5 Information Recovery (p. 440)
    12.4.6 Analysis and Interpretation of Results (p. 451)
    12.4.7 The Future (p. 457)
    12.4.8 Abbreviations (p. 458)
    12.4.9 References (p. 460)
  12.5 Chapter 9: Network Investigations (p. 464)
    12.5.1 Introduction (p. 464)
    12.5.2 Overview of Enterprise Networks (p. 466)
    12.5.3 Overview of Protocols (p. 469)
    12.5.4 Evidence Preservation on Networks (p. 484)
    12.5.5 Collecting and Interpreting Network Device Configuration (p. 485)
    12.5.6 Forensic Examination of Network Traffic (p. 506)
    12.5.7 Network Log Correlation: A Technical Perspective (p. 532)
    12.5.8 Conclusion (p. 543)
    12.5.9 References (p. 543)
  12.6 Chapter 10: Mobile Network Investigations (p. 544)
    12.6.1 Introduction (p. 544)
    12.6.2 Mobile Network Technology (p. 545)
    12.6.3 Investigations of Mobile Systems (p. 549)
    12.6.4 Types of Evidence (p. 551)
    12.6.5 Where to Seek Data for Investigations (p. 560)
    12.6.6 Interception of Digital Evidence on Mobile Networks (p. 564)
    12.6.7 References (p. 584)
13 Index (p. 586)
About the Authors
Eoghan Casey
Eoghan Casey is founding partner of cmdLabs, author of the foundational book Digital Evidence and Computer Crime, and coauthor of Malware Forensics. For over a decade, he has dedicated himself to advancing the practice of incident response and digital forensics. He helps client organizations handle security breaches and analyzes digital evidence in a wide range of investigations, including network intrusions with international scope. He has testified in civil and criminal cases, and has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases. As a Director of Digital Forensics and Investigations at Stroz Friedberg, he maintained an active docket of cases and co-managed the firm’s technical operations in the areas of computer forensics, cyber-crime response, incident response, and electronic discovery. He also spearheaded Stroz Friedberg’s external and in-house forensic training programs as Director of Training. Eoghan has performed thousands of forensic acquisitions and examinations, including Windows, Unix, and Macintosh systems, Enterprise servers, smart phones, cell phones, network logs, backup tapes, and database systems. He also has extensive information security experience, as an Information Security Officer at Yale University and in subsequent consulting work. He has performed vulnerability assessments, deployed and maintained intrusion detection systems, firewalls and public key infrastructures, and developed policies, procedures, and educational programs for a variety of organizations. Eoghan holds a B.S. in Mechanical Engineering from the University of California at Berkeley, and an M.A. in Educational Communication and Technology from New York University. He conducts research and teaches graduate students at Johns Hopkins University Information Security Institute, and is Editor-in-Chief of Digital Investigation: The International Journal of Digital Forensics and Incident Response.

Cory Altheide
Cory Altheide has been performing forensics and incident response for eight years. He has responded to numerous incidents for a variety of clients and is constantly seeking to improve the methodologies in use in the incident response field. Mr. Altheide is currently a principal consultant at Mandiant, an information security consulting firm that works with the Fortune 500, the defense industrial base and the banks of the world to secure their networks and combat cyber-crime. Prior to joining Mandiant, Mr. Altheide worked at IBM, Google and the National Nuclear Security Administration (NNSA). Mr. Altheide has authored several papers for the computer forensics journal Digital Investigation and co-authored UNIX and Linux Forensic Analysis (2008). Additionally, Mr. Altheide is a recurring member of the program committee of the Digital Forensics Research Workshop (DFRWS).

Christopher Daywalt
Christopher Daywalt is a founding partner of cmdLabs, and has considerable experience conducting digital investigations within large enterprises and handling security incidents involving persistent information security threats. He is dedicated to providing consistent, quality work that directly addresses the needs of organizations that experience information security events. Before working at cmdLabs, Chris was an instructor and course developer at the Defense Cyber Investigations Training Academy, where he authored and delivered instruction in digital forensics and investigation to Federal law enforcement and counter intelligence agents. While there he produced advanced material in specific areas such as live network investigation, Windows and Linux intrusion investigation, log analysis and network exploitation techniques. During this work he frequently served as the lead for development and delivery. Prior to that, he worked as an incident handler in the CSC Computer Investigations and Incident Response group, where he performed investigation, containment and remediation of enterprise-scale security incidents for large corporations. Through these endeavors he gained experience responding to a variety of events, including massive PCI/PII data breaches at corporate retailers and persistent intrusions into government-related organizations. Chris also worked as a global security architect at CSC, conducting assessment and design of security technologies and architectures for deployment in enterprise information systems. Chris earned his bachelor’s degree from UMBC, and holds an MS in Network Security from Capitol College.

Andrea de Donno
Andrea De Donno was born in Milan, Italy in 1975. His education focused on science. After a brief stint with the Carabinieri, in 1998 he began working for one of the major intelligence firms, providing technical investigation services and technology to the Italian Military Operations Units. In 2002, he became Managing Director of the company, increasing the company’s revenues and expanding it throughout Italy with the creation of new Operations Centers. That same year, he was also named Managing Director of an Italian consulting firm offering specialized risk analysis and risk management services to medium and large companies.

Dario Forte
Dario Forte, former police detective and founder and CEO of DFLabs, has worked in information security since 1992. He has been involved in numerous international conferences on information warfare, including the RSA Conference, Digital Forensic Research Workshops, the Computer Security Institute, the U.S. Department of Defense Cybercrime Conference, and the U.S. Department of Homeland Security (New York Electronic Crimes Task Force). He was also the keynote speaker at the Black Hat conference in Las Vegas. Mr. Forte is Associate Professor at UAT and Adjunct Faculty at University of Milano, Crema Research Center. With more than 50 papers and book chapters written for the most important scientific publishers worldwide, he provides security consulting, incident response and forensics services to several government agencies and global private companies.

James O. Holley
James Holley leads a team of computer forensics and electronic evidence discovery professionals in the New York Metropolitan Area providing a wide range of dispute resolution services to clients, including Computer Forensics, Forensic Text and Data Analytics, Electronic Discovery/Discovery Response Services, and Electronic Records Management/Legal Hold services. With Ernst & Young for ten years, James is the technology leader for their U.S. Computer Forensics team. He also leads EY’s New York office of Forensic Technology and Discovery Services, a specialty practice in Fraud Investigation and Dispute Services. James has provided expert testimony in deposition and trial and has testified in arbitration proceedings. Prior to joining EY, James spent nearly ten years as a federal agent with the U.S. Air Force Office of Special Investigations. As a special agent, he gained experience conducting general criminal investigations prior to beginning a career in counterintelligence. He spent six years as an AFOSI counterintelligence case officer planning, developing and executing offensive counterintelligence operations and teaching new case officers. In his final assignment, he was an AFOSI computer crime investigator focused on integrating computer forensics and incident response capabilities into counterintelligence operations. James holds a bachelor’s degree from the United States Air Force Academy, a Master of Science in Computer Science from James Madison University, and is a Certified Computer Examiner (CCE).

Andy Johnston
Andy Johnston has been a software developer, scientific programmer, and a Unix system administrator in various capacities since 1981. For the last ten years, he has worked as IT security coordinator for the University of Maryland, Baltimore County specializing in network intrusion detection, anti-malware computer forensics, and forensic log analysis.

Ronald van der Knijff
Ronald van der Knijff received his B.Sc. degree in electrical engineering in 1991 from the Rijswijk Institute of Technology. After performing military service as a Signal Officer he obtained his M.Sc. degree in Information Technology in 1996 from the Eindhoven University of Technology. Since then he has worked at the Digital Technology and Biometrics department of the Netherlands Forensic Institute as a forensic scientist. He is responsible for the embedded systems group and is also court-appointed expert witness in this area. He is author of the (outdated) cards4labs and TULP software and founder of the TULP2G framework. He is a visiting lecturer on ‘Cards & IT’ at the Dutch Police Academy, a visiting lecturer on ‘Smart Cards and Biometrics’ at the Masters Program ‘Information Technology’ of TiasNimbas Business School and a visiting lecturer on ‘Mobile and Embedded Device Forensics’ at the Master’s in ‘Artificial Intelligence’ of the University in Amsterdam (UvA).

Anthony Kokocinski
Anthony Kokocinski started his forensic career working for the Illinois Attorney General directly out of college. His passion for Macintosh computers quickly led him to research and continue work on this from the number of “it’s a Mac, you do it” cases that came across his desk. During this tenure he began to work with the Macintosh Electronic Search and Seizure Course for the RCMP’s Canadian Police College. When he became...