
2024 | Book

Fundamentals of Digital Forensics

A Guide to Theory, Research and Applications

About this book

This textbook describes the theory and methodology of digital forensic examinations, presenting examples developed in collaboration with police authorities to ensure relevance to real-world practice. The coverage includes discussions on forensic artifacts and constraints, as well as forensic tools used for law enforcement and in the corporate sector. Emphasis is placed on reinforcing sound forensic thinking, and gaining experience in common tasks through hands-on exercises.

This enhanced third edition describes practical digital forensics with open-source tools and includes an outline of current challenges and research directions.

Topics and features:

- Outlines what computer forensics is, and what it can do, as well as what its limitations are
- Discusses both the theoretical foundations and the fundamentals of forensic methodology
- Reviews broad principles that are applicable worldwide
- Explains how to find and interpret several important artifacts
- Describes free and open-source software tools
- Features content on corporate forensics, ethics, SQLite databases, triage, and memory analysis
- Includes new supporting video lectures on YouTube

This easy-to-follow primer is an essential resource for students of computer forensics, and will also serve as a valuable reference for practitioners seeking instruction on performing forensic examinations.

Table of contents

Theory

1. What Is Digital Forensics?
Abstract
This chapter introduces the concept of digital forensics and discusses what computer forensics is: examining data in order to reconstruct what happened in a digital environment. Further, the chapter discusses the steps involved in a forensic examination in a digital environment, from collecting evidence to reporting on the findings of the examination. Common constraints and processes handled during a forensic examination are also introduced. Emphasis is put on making the reader understand the reason for a computer forensic examination and the fact that computer forensics follows the same rules and regulations as traditional forensic disciplines. The fact that a forensic examination is commonly initiated for a reason, to answer some question, is also described. The aim of the chapter is to provide the reader with a brief and non-technical overview of the subject. As such, the chapter can be read and understood without any technical knowledge.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
2. Ethics and Privacy
Abstract
The world is becoming more and more digitalized and so is the way that crimes are committed. It goes without saying that criminals act using digital means and digital environments play a big role in modern crime investigations. While this means that much information of evidentiary value can be found using various digital sources, the way in which the information can be accessed is controlled by law. It is an undeniable fact that many actions taken during a criminal investigation are, by definition, actions that compromise the privacy of the suspect and it is important to take note of that fact as a forensic examiner. This chapter discusses ethical (and legal) dilemmas that are part of the day-to-day life for a forensic examiner. The chapter will also present and discuss ethical questions concerning measures that are discussed or implemented around the world, such as police hacking and key disclosure laws.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
3. Computer Theory
Abstract
Perhaps the most important skill for someone working with computer forensics is knowing how computers work. In order to locate digital traces of an e-mail, the examiner must know what such traces may look like. While this book is intended for someone who is fairly skilled in the computer world, some theory is especially important for a forensic examiner, and that computer theory is presented in this chapter. This includes an overview of encryption as well as a presentation of how data is represented in the digital world: in binary, hexadecimal, and plain ASCII. Further, this chapter introduces theory that is often overlooked by disciplines other than computer forensics. This includes an overview of the NTFS file system and the Windows registry, which is one of the most valuable sources of information during an examination of a Windows computer. The chapter also describes what happens when files are deleted, both from the perspective of the file system and of the actual hard drive.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
4. Types of Forensic Evidence
Abstract
Forensic evidence is data with evidentiary value. Such data is typically referred to as forensic artifacts, and those come in many different shapes and sizes. The value of an artifact will depend on where it is found and the circumstances around it. Consider, for instance, a photo portraying narcotics. If that is found as a temporary Internet file, or in a user's download folder, the evidentiary value is quite limited. However, the value may increase if it is instead found in a folder with a lot of personal photos. What if there is also additional data which shows that it was actually taken with the suspect's camera, at the suspect's address? This chapter will describe different types of forensic artifacts and discuss how they should be interpreted based on how and where they are found.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
5. Decryption and Password Cracking
Abstract
In modern computing in general, and in forensic examinations in particular, encrypted data is common. Traditionally, this has been because criminals tend to want to hide their traces, and encryption is a way to do that. In the modern world, encryption has become increasingly common because it is often a default option for data on a computer, and encryption applications ship with the operating system. This makes for a case where a user's data can be encrypted even if the user never intended to use encryption. When faced with encrypted data, a forensic expert has to find a way to defeat the encryption to make the data readable. This chapter discusses common practices for doing that, with a focus on password theory and dictionary-based password guessing attacks. It starts with a background section on password theory to give the reader the theoretical grounding needed to launch successful password guessing attacks.
Joakim Kävrestad, Marcus Birath, Nathan Clarke

The Forensic Process

6. Cyber-Dependent Crime, Cyber-Enabled Crime, and Digital Evidence
Abstract
Computer forensic experts are commonly faced with the misconception that they work primarily on cybercrime. The reality is quite the opposite: digital forensics is of importance in pretty much every possible type of crime, ranging from computer intrusions to theft. This chapter provides a discussion on what cybercrime is, but more importantly, gives the reader a presentation on how and in what cases digital evidence can be of use during criminal investigations. The aim of the chapter is to make the reader understand that in the modern world, we leave digital traces almost all the time. We may not always be aware of this fact, but knowing and understanding how digital traces are left behind is of great importance for a computer forensic expert. For instance, even if a criminal is conducting a crime without so much as looking at her phone or computer, chances are that she is using a chat client to talk to some friend about what she did. This action can leave incriminating evidence that can be valuable in court.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
7. Incident Response
Abstract
Turning away from law enforcement, computer forensics is a common part of modern-day incident response. Incident response is essentially the practice of handling computer-related incidents such as intrusions, denial of service attacks, or malware. Since most modern organizations rely on information technology for daily work routines, having the ability to swiftly identify and mitigate attacks is vital in order to maintain normal operations. This chapter introduces the reader to the topic of incident response and presents the major processes involved in establishing incident response capabilities and handling incidents when they happen.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
8. Collecting Evidence
Abstract
Digital forensics is all about examining digital evidence, and that implies that you need to collect the evidence before it can be examined. Every action that you carry out on a computer will leave traces, which conflicts with the requirement that evidence must be handled in a way that ensures it is not altered. This chapter discusses the key points of securing digital evidence in a forensically sound manner. Doing that ensures that the examination can be conducted in a way that does not contaminate the evidence. The concept of using a write blocker to create a forensic copy of the evidence is also introduced. The remainder of the chapter provides an in-depth discussion on live investigations, examining computers that are running. A model that can be used to plan forensically sound live investigations is presented, as well as the constraints that must be taken into consideration when working with live evidence.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
9. Triage
Abstract
Two major challenges in modern-day forensics are urgency and volume of data. Needless to say, modern computers can carry large amounts of data, and sorting through all that data is a very difficult task. Most examinations are also urgent in the sense that you are expected to deliver results quickly. Consider a case where a multimillion-dollar company is at a standstill because of an incident that needs to be resolved by the forensic team before normal operations can resume! To manage accurate and timely examinations, triage comes into play. As outlined in this chapter, triage is essentially the practice of prioritizing tasks so that the most important tasks are done first. This chapter outlines how triage is used in forensic examinations and describes some commonly used triaging techniques.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
10. Analyzing Data and Writing Reports
Abstract
This chapter describes the actual examination process and the general demands for a forensic examination. A basic rule is that the results presented in a forensic examination must be objective and true. Digital forensics is comparable to academic work in this manner. This chapter discusses key concepts used to ensure that the results of a forensic examination meet those demands and discusses the concepts of being unbiased and producing reproducible results. The final target of any examination is to provide answers to some questions or requests. This chapter ends with a discussion on reporting and includes a scale that can be used to grade the strength of the conclusions drawn during the examination. As it is of great importance that a forensic report is interpreted the same way no matter who the reader is, using a common scale is of great help. Further, this chapter aims to provide the reader with an understanding of the key elements in the forensic process.
Joakim Kävrestad, Marcus Birath, Nathan Clarke

Get Practical

11. Collecting Data
Abstract
The common and best practice for conducting a forensic examination is to create a bit-by-bit copy of the storage device that you are set to examine and then analyze the copy. Working in this manner ensures that the actual storage device is not contaminated and can even provide performance benefits. This chapter begins with a description of how to create this bit-by-bit copy, called a disk image, using the tool Forensic ToolKit (FTK) Imager on a running or turned-off computer. The chapter then describes how to collect volatile data, including taking a memory dump and extracting registry hives from a Windows computer during a live examination. At times, you find a computer that is turned on but you are not able to extract any data from it because it is logged out or similar. In those cases, it is possible to extract information from memory using invasive techniques. This chapter introduces two such techniques, the direct memory access (DMA) attack and the cold boot attack. At the end of the chapter, some constraints and considerations relating to analyzing running machines during house searches are presented.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
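The bit-by-bit copy described above is only useful as evidence if you can show that the image is identical to what was read from the device, which is why imaging tools hash the source while reading and the image after writing. The following is an added example written for this page, not code from the book or from FTK Imager: a minimal imager that does exactly that. The sample "device" is a constructed byte string written to a temporary file; the chunk size and the SHA-256 choice are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read/write in 1 MiB blocks (assumed size)

# Constructed sample "device" contents, just over 1 MiB so the copy loop
# has to cross a block boundary. Not case data from the book.
SAMPLE_DEVICE = bytes(range(256)) * 4097 + b"END"


def hash_file(path, algorithm="sha256"):
    """Hash a file block by block so arbitrarily large images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path, algorithm="sha256"):
    """Copy source_path bit-for-bit to image_path.

    Returns (source_hash, image_hash, bytes_copied). The source is hashed
    while it is read and the finished image is hashed again from disk, so
    matching digests show that what was written is exactly what was read.
    Opening the source read-only only stops this tool from writing; it is
    not a substitute for a hardware write blocker.
    """
    src_hash = hashlib.new(algorithm)
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
    return src_hash.hexdigest(), hash_file(image_path, algorithm), copied


def demo():
    """Image the constructed sample device in a temp directory and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")
        image = os.path.join(tmp, "device.dd")
        with open(device, "wb") as f:
            f.write(SAMPLE_DEVICE)
        src_hash, img_hash, copied = image_device(device, image)
        return {"verified": src_hash == img_hash, "bytes": copied, "sha256": src_hash}


if __name__ == "__main__":
    result = demo()
    print("image verified:", result["verified"], "bytes:", result["bytes"])
    print("sha256:", result["sha256"])
```

Record both digests in the examination notes; re-hashing the image later and comparing against the recorded value is how you demonstrate the copy has not changed. Real imagers additionally handle unreadable sectors (dd's `conv=noerror,sync` pads them with zeros and keeps going), which this example leaves out.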
12. Indexing and Searching
Abstract
While browsing around in locations known to hold artifacts is a common forensic practice, it is not always enough. An equally common practice is to actually search for what you want and let the computer do the heavy lifting. It is not uncommon for a case to hold information about interesting names, e-mail addresses, or other keywords that are related to the case. In such a scenario, a search over all case data is usually the preferable starting point for an examination. The intent of this chapter is to provide the reader with a discussion on different search techniques as well as to demonstrate how to set up a case for fast searching using a text index. Further, the chapter will introduce the reader to the art of regular expressions and demonstrate how they can be leveraged in computer forensics.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
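A regular-expression search over case data has to run over raw bytes, and on Windows images much of the interesting text (registry values, shell artifacts, Unicode documents) is stored as UTF-16LE, which a plain ASCII pattern will miss because every character is followed by a zero byte. Below is an added example, not from the book, that searches for e-mail addresses and IPv4 addresses in both encodings by running each pattern over the raw data and over the two de-interleaved byte views. The patterns and the sample buffer are constructed for the example.

```python
import re

# Bytes patterns, because case data (images, unallocated space, memory
# dumps) is searched as bytes, not decoded text. Deliberately simple.
PATTERNS = {
    "email": rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "ipv4": rb"\b(?:\d{1,3}\.){3}\d{1,3}\b",
}


def search_raw(data, patterns=PATTERNS):
    """Return sorted (offset, pattern_name, encoding, text) hits.

    Each pattern runs once over the data as-is (ASCII/UTF-8 text) and once
    over data[0::2] and data[1::2]. A match in a de-interleaved view is a
    UTF-16LE string only if the bytes it skipped over (the high bytes) are
    all zero; that check rejects chance alignments in binary data.
    """
    hits = []
    for name, pattern in patterns.items():
        rx = re.compile(pattern)
        for m in rx.finditer(data):
            hits.append((m.start(), name, "ascii", m.group().decode("ascii", "replace")))
        for parity in (0, 1):
            view = data[parity::2]
            for m in rx.finditer(view):
                start = parity + 2 * m.start()
                end = parity + 2 * m.end()
                # min() guards a string that ends on the last byte of the buffer
                high_bytes = range(start + 1, min(end, len(data)), 2)
                if all(data[i] == 0 for i in high_bytes):
                    hits.append((start, name, "utf16le", m.group().decode("ascii", "replace")))
    return sorted(hits)


# Constructed sample: ASCII text, some binary filler, then a UTF-16LE string
# that starts at an odd offset to exercise the second view.
ASCII_PART = b"From: alice@example.com Host: 192.168.1.10\n"
UTF16_PART = "Reply-To: bob@example.org".encode("utf-16-le")
SAMPLE = b"\x00" * 7 + ASCII_PART + b"\xff" * 5 + UTF16_PART + b"\x00" * 4

if __name__ == "__main__":
    for offset, name, encoding, text in search_raw(SAMPLE):
        print(f"{offset:#010x} {name:6} {encoding:8} {text}")
```

Offsets are reported into the original buffer, so a hit can be taken straight to a hex viewer or mapped back to a file or sector. The ASCII-only hit for the UTF-16 string would not exist without the second pass; on a real Windows image the difference is often most of the results.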
13. Cracking
Abstract
When working as a forensic examiner, it is not uncommon to encounter encrypted files, entire partitions, or even devices. When that is the case, the encrypted data must be decrypted in order for the forensic expert to be able to examine it. The intent of this chapter is to provide the reader with a practical overview of the steps commonly involved in the process of cracking encrypted data. While know-how and experience may be the most important skills in successful cracking, everyone needs a good tool for assistance. As such, this chapter also presents and discusses the open-source tool Hashcat, which can be used for password cracking. The chapter also presents tools for creating custom wordlists which can be fed to Hashcat. Thus, this chapter provides the reader with a practical implementation of the theoretical knowledge that was previously introduced.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
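The dictionary-based guessing attack introduced in chapter 5 and put into practice with Hashcat in this chapter comes down to one loop: take each wordlist entry, apply mangling rules to it, hash the result the way the target application does, and compare. The following is an added example written for this page, not the book's code and not Hashcat: a toy cracker against a PBKDF2-SHA256 hash. The salt, iteration count, the tiny wordlist of case keywords and the target password are all constructed for the example.

```python
import hashlib

# Constructed case material: the salt and iteration count an application
# might use, and a short custom wordlist built from case keywords.
SALT = b"constructed-salt"
ITERATIONS = 5000
WORDLIST = ["password", "forensic", "summer", "winter"]

YEARS = ("", "2022", "2023", "2024")
SUFFIXES = ("", "!", "1", "123")


def pbkdf2_hex(password, salt=SALT, iterations=ITERATIONS):
    """Hash a candidate the way the (assumed) target application does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def candidates(words, years=YEARS, suffixes=SUFFIXES):
    """Yield guesses derived from the wordlist by simple mangling rules:
    case variants, leet substitutions, then a year and a suffix. This is
    what a hashcat rule file does, on a toy scale."""
    seen = set()
    for word in words:
        bases = {word, word.capitalize(), word.upper()}
        bases |= {b.replace("a", "@").replace("e", "3").replace("o", "0") for b in list(bases)}
        for base in sorted(bases):
            for year in years:
                for suffix in suffixes:
                    guess = base + year + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(target_hex, words=WORDLIST, salt=SALT, iterations=ITERATIONS):
    """Return the first candidate whose hash matches the target, or None."""
    for guess in candidates(words):
        if pbkdf2_hex(guess, salt, iterations) == target_hex:
            return guess
    return None


# The "recovered" hash: a password a user built from a dictionary word.
TARGET_HASH = pbkdf2_hex("Summer2023!")

if __name__ == "__main__":
    print("recovered:", crack(TARGET_HASH))
```

The point of the rules is that "summer" on its own never hits; "Summer2023!" does, and such derivations cover a large share of real passwords. The same attack in Hashcat is `hashcat -m <mode> -a 0 -r rules/best64.rule hashes.txt wordlist.txt`, where `-m` selects the hash type and `-r` applies a rule file; the iteration count of a slow hash like PBKDF2 is what limits guesses per second, not the size of the wordlist.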
14. Finding Artifacts
Abstract
The essence of any forensic examination is to look for data, that is, artifacts. While it is impossible to describe all possible artifacts that may be of interest in any given investigation, this chapter aims to describe how to find some artifacts that are very commonly looked for. The chapter first describes how to find information such as install date and time zone settings in the Windows registry. Next, the chapter provides a rather detailed description of how to analyze a partition table in order to ensure that all drive space is allocated to a partition. An overview of how to search for deleted files is also included. A lot of good information can be found in file metadata, which includes information such as when a file was created and by whom. Analyzing different kinds of metadata is described before the chapter presents an approach to analyzing log files. The chapter ends by presenting ways to analyze other useful types of information, such as link files and thumbcaches.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
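Checking that all drive space is allocated to a partition, as the chapter describes, means reading the partition table and comparing the claimed ranges against the size of the disk. The following is an added example for this page, not the book's material: a parser for the four primary entries of a classic MBR that reports every sector range no partition claims, and flags entries that overlap. The 512-byte MBR and the disk size are constructed; CHS fields are left zero, which real disks would not do.

```python
import struct

SECTOR_SIZE = 512
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FMT = "<BBBBBBBBII"


def parse_mbr(mbr):
    """Parse the four primary entries at offset 446 of a classic MBR.

    Returns a list of dicts for entries in use; raises ValueError if the
    0x55AA boot signature is missing."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _, _, _, ptype, _, _, _, start, count = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype, "start": start,
                          "count": count, "bootable": status == 0x80})
    return parts


def unallocated_ranges(parts, total_sectors):
    """Return (gaps, overlaps): inclusive sector ranges no partition claims,
    and the indices of entries that overlap an earlier one. Sector 0 is the
    MBR itself; the gap between it and the first partition is normal but a
    classic place to hide data, so it is reported too."""
    gaps, overlaps = [], []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        elif p["start"] < cursor:
            overlaps.append(p["index"])
        cursor = max(cursor, p["start"] + p["count"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps, overlaps


def build_sample_mbr():
    """Constructed MBR (not real case data): a bootable NTFS-type partition
    at sector 2048, a Linux-type partition after it, and unused space at
    the end of the disk."""
    mbr = bytearray(SECTOR_SIZE)
    entries = [
        (0x80, 0x07, 2048, 204800),    # bootable, type 0x07, 100 MiB
        (0x00, 0x83, 206848, 100000),  # type 0x83
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        mbr[446 + 16 * i: 446 + 16 * (i + 1)] = struct.pack(
            ENTRY_FMT, status, 0, 0, 0, ptype, 0, 0, 0, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


SAMPLE_TOTAL_SECTORS = 409600  # constructed 200 MiB disk

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    gaps, overlaps = unallocated_ranges(parts, SAMPLE_TOTAL_SECTORS)
    for p in parts:
        print(f"entry {p['index']}: type 0x{p['type']:02x} start {p['start']} count {p['count']}")
    for lo, hi in gaps:
        print(f"unallocated: sectors {lo}-{hi} ({(hi - lo + 1) * SECTOR_SIZE} bytes)")
    print("overlapping entries:", overlaps)
```

Two caveats for real disks: an extended partition (types 0x05 or 0x0F) is a chain of extended boot records that this parser does not follow, so it will show the extended container as one range; and a GPT disk carries a single protective entry of type 0xEE covering the whole disk, in which case the real table is the GPT at LBA 1 and needs its own parser. Either way, every reported gap is space to carve or at least to look at.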
15. Common Questions and Tasks
Abstract
In some cases, a forensic examination is just about finding a picture, text, or e-mail. However, it is very common that the forensic expert is tasked with answering more complex questions such as determining who the user of a computer is or if a computer was remote controlled. While providing a definite answer to such a question is often almost impossible, this chapter introduces three methods that can be used to tackle those requests. First, analysis of applications is an attempt to complete a deep examination of applications related to a specific task, for instance, remote controlling computers. The idea is that analyzing the computer for any trace of such software could provide an indication of whether it existed or not. The next method is scenario testing where the forensic expert tries to find evidence that is in favor of, or disproves, a stated scenario. The final method, useful for tying a person to some action, is timelining where the forensic expert tries to cross-reference criminal actions with actions that can identify the computer user.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
16. Autopsy Forensics
Abstract
While skill, knowledge, and experience are the most important building blocks of a forensic examiner, having a competent tool is really helpful. This chapter provides an introduction to Autopsy, which is one such tool. Autopsy is a multi-platform open-source tool which is heavily used by both law enforcement and companies when conducting forensic examinations. This chapter starts by outlining how to create a case in Autopsy before describing the Autopsy interface. Then, the true power of Autopsy is discussed: ingest modules. Ingest modules can be described as scripts which automatically run various forensic tasks. In addition to describing the default ingest modules, the chapter also describes how Autopsy can be further extended by installing third-party modules. In summary, this chapter provides you with the knowledge you need to start using Autopsy efficiently.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
17. Open-Source or Freeware Tools
Abstract
This chapter provides the reader with an overview of several forensic tools that are available for free use. The first sections of the chapter list special-purpose tools that can be useful for interpreting certain artifacts in a neat manner; this includes prefetch data, shellbags, and more. The chapter continues with an overview of Registry Explorer, a free tool for browsing Windows Registry hives. The intent of demonstrating these tools is to introduce the reader to a toolset so you can start working with forensic products in a structured way.
Joakim Kävrestad, Marcus Birath, Nathan Clarke

Memory Forensics

18. Memory Analysis
Abstract
Computer memory (RAM) is a great source of forensic artifacts as it contains information that the computer has worked on since the last reboot. Also, information must take its true unencrypted form in memory in order to be meaningful for the user. From a forensic perspective, a memory dump can contain vital information such as passwords, decrypted versions of encrypted data, and malware in its true form. It is therefore an important place to look. However, the way that memory is structured is somewhat unlike how secondary storage is structured, and the intent of this chapter is to introduce the reader to some central concepts relating to memory management. While an in-depth discussion of everything that has to do with memory management would be over the top, a forensic examiner should be familiar with the key concepts presented in this chapter in order to understand the constraints and possibilities of a memory analysis.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
19. Memory Analysis Tools
Abstract
As has been discussed throughout this book, computer memory is a good source of information that should not be overlooked during a forensic examination. However, the traditional tools used for forensic examination are not built to handle memory dumps very well. As shown in the previous chapter, the memory structure is vastly different from the structure of a secondary storage device. Further, there are differences in how memory is allocated between different operating system versions. For that reason, a forensic examiner needs a tool for memory analysis which is capable of interpreting memory dumps from different operating system versions. One such tool is Volatility, which is introduced and described in this chapter in a practical manner. Conveniently enough, Volatility is open source and free to use. Another tool introduced in this chapter is Redline, a graphical tool designed for analyzing malware in memory dumps.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
20. Memory Analysis in Criminal Investigations
Abstract
This chapter provides the reader with an introduction to memory analysis in a law enforcement context, using the open-source tool Volatility 2.6. Using Volatility rather than treating a memory dump as a big blob of data allows the examiner to complete a more structured analysis. This chapter demonstrates how to use Volatility to find several key artifacts, including the list of users on the system and files loaded into memory, and how to use YARA to do free-text searches. Memory analysis for law enforcement usually comes down to analyzing a memory dump in order to find information about how a computer has been used. The aim of the chapter is to demonstrate how to accomplish that by showing the reader the basic functionality of Volatility so that the reader can continue to learn memory analysis on their own.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
21. Malware Analysis
Abstract
This chapter provides the reader with an introduction to memory analysis for malware detection, using the open-source tool Volatility. Using Volatility rather than treating a memory dump as a big blob of data allows the examiner to complete a more structured analysis. This chapter demonstrates how to use Volatility to find several key artifacts, including different ways of listing processes, finding network connections, and using the malfind module, which flags memory regions that are likely to hold injected code. Memory analysis as part of incident response usually comes down to finding signs of intrusions or malicious code: anomalous behavior in the processes loaded into memory. The aim of the chapter is to demonstrate how to accomplish that by showing the reader the basic functionality of Volatility and Redline so that the reader can continue to learn memory analysis on their own.
Joakim Kävrestad, Marcus Birath, Nathan Clarke

Digital Forensics Research

22. Challenges and Opportunities
Abstract
Digital forensic research is vital to the continued successful adoption of electronic evidence by legal systems. Used extensively by law enforcement, digital forensics is also an integral component of an organization's incident response team and increasingly provides an efficient and effective means to investigate a wide range of non-cyber-related incidents. However, as the scale, nature, and speed of technology evolve, there is increasing pressure on the research community to ensure that digital forensic capability exists to perform reliable and thorough investigations. This chapter explores the key research challenges faced by the community.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
23. Research into the Challenges
Abstract
The chapter draws upon a series of research studies as a means of exploring the opportunities that exist to address the challenges that exist across computer, mobile, and network-based investigations. The examples help to illustrate where wider computer science research can be leveraged to benefit digital forensic tools and capabilities.
Joakim Kävrestad, Marcus Birath, Nathan Clarke
Metadata
Titel
Fundamentals of Digital Forensics
Authors
Joakim Kävrestad
Marcus Birath
Nathan Clarke
Copyright year
2024
Electronic ISBN
978-3-031-53649-6
Print ISBN
978-3-031-53648-9
DOI
https://doi.org/10.1007/978-3-031-53649-6