Cyber Forensics up and Running : A hands-on guide to digital forensics tools and technique 9789355517180
Learn using Cloud data technologies for improving data analytics and decision-making capabilities for your organization
137 75 25MB
English Pages 414 Year 2023
Table of contents :
Cover
Title Page
Copyright Page
Dedication Page
About the Author
About the Reviewer
Acknowledgement
Preface
Table of Contents
1. Introduction to Essential Concepts of Digital Forensics
Introduction
Structure
Objectives
What is digital forensics?
Types of cases in digital forensics
Computer crime
Corporate espionage and intellectual property theft
Financial fraud and embezzlement
Electronic discovery
Human trafficking and drug crimes
Child exploitation
Murder
Terrorism
Digital forensics and other fields of cybersecurity
Malware investigation and digital forensics overlap
Incident response and digital forensic overlap
What is an incident response?
E-Discovery
Digital and cyber technological growth
The PC revolution
The Apple MacBook
The rise of smartphones
The gaming revolution
The Internet of Things
Cloud computing
Drones and autonomous vehicles
The future of the modern cyber world
Virtual Reality
Augmented Reality
The metaverse
Modern technological explosion and its cyber security challenges
Digital forensics challenges in the cyber modern era
Phases of digital forensics
Acquisition
Examination
Analysis
Presentation/reporting
What is data acquisition?
Types of data acquisitions
Types of image formats
Locard’s exchange principle
Types of digital evidence/data
Example of digital evidence
Categories of digital evidence
Volatile
Non-volatile
Preserving digital evidence integrity
Dos
Don’ts
Methods and techniques of preserving evidence integrity
Chain of custody
Hashing algorithms
Encryption
Digital signature
Write blocker
Write protected digital evidence storage device
File carving
How is file carving different from file recovery
Digital forensics time objects: MAC(b)
Location of MAC(b) on NTFS file systems
Conclusion
Points to remember
Questions
References
2. Digital Forensics Lab Setup
Introduction
Structure
Objectives
What is a Virtual Machine Environment?
Advantages of a virtual machine environment
Host machines in virtual environments
Minimum system requirement for Ubuntu VM
Minimum system requirement for Windows 10 VM
Install and configure VirtualBox and VMs
Install VirtualBox on Ubuntu
Steps to create a virtual machine
Cloning and Snapshot in VirtualBox
Cloning
Snapshots
Reverting to a snapshot
Deleting snapshots
Essential digital forensics tools and applications
Hex Editor
The Sleuth Kit
Autopsy installation
Key features of Autopsy
Installing Autopsy on Windows OS
Installing Autopsy on MacOS
Creating a new case in Autopsy
Volatility
Setup volatility on Ubuntu
Installing Volatility 2 on Windows OS
Installing Volatility 3 on Windows OS
PowerForensics
SQLite
Installation of SQLite Studio on Windows OS
Plaso and Log2timeline.py
Plaso installation on Windows
Plaso installation on Ubuntu
Other standalone tools and utilities
Conclusion
3. Data Collection: Volatile and Non-Volatile
Introduction
Structure
Objectives
Volatile vs. non-volatile
Order of volatility
Digital forensic image formats
Hash-based validation
Volatile data collection
DumpIt
PMEM
WimPmem
FTK Imager
Linux Memory Extractor
Using LiME to capture an Android memory dump
Overview of volatility
Memory acquisition from virtual platforms
VirtualBox
VMWare
Acquiring VMware virtual machine memory using PowerShell
Memory Acquisition Using VMware Host Client
Hyper-V
Non-volatile data collection
Type of forensics images
FTK Imager
Data Duplicator
GuyMager
Steps to create a forensic image or to clone the drive
Conclusion
Points to remember
Questions
4. Forensics Analysis: Live Response
Introduction
Structure
Objectives
What is live forensics analysis or live incident response?
Why is live forensics analysis important?
Building your own volatile data collection script
Windows environment
Linux environment
Digital Forensics and Incident Response
Incident Response
Digital Forensics
DFIR
Triage in DFIR
Live Response Collection: Cedarpelta
CDIR Collector by CDI
Types of data collection on Windows OS
How to use CDIR Collector
Triage-IR: An incident response toolkit
Endpoint Detection and Response
Features of EDR
Triage Data Collection vs. Modern EDRs
Process Tree and Timeline
Process Tree in EDR
What is the timeline?
Creating a timeline
Conclusion
Points to remember
Questions
References
5. File System and Log Analysis
Introduction
Structure
Objectives
Magic header and file identification
Scenario: Uncover true file format
Master Boot Record analysis
Master Boot Record
Master Partition Table
How to access the Master Partition Table
How to access MBR
Master File Table
How to locate MFT
Attribute 0x10: Standard information
Attribute 0x30: File_Name
MFT analysis tools
Recycle Bin
What happens when a file is moved to Recycle Bin?
How Recycle Bin handles deleted files in Windows 10
Challenges in analyzing Recycle Bin
File recovery
Methods to recover deleted data
File recovery using Recuva
File recovery using Autopsy
System logs
Windows event logs
Location of Windows event logs
Structure of Windows event logs
Windows event logs artifact
Event ID: 7045 - New service added
Event Code 4688: A new process has been created
Linux system logs
Command line history
Timeline analysis
Autopsy
How to use Timeline in Autopsy
Log2timeline
What is Plaso?
Log2timeline.py
Analysis plugin
Timesketch
Conclusion
Points to remember
Questions
References
6. Windows Registry and Artifacts
Introduction
Structure
Objectives
Windows Registry analysis
The importance of Windows Registry
Location of Windows Registry hives
How to extract Windows Registry hives
How to extract Windows Registry hives
Registry hive extraction using FTK
FTK Obtain Protected Files
Extracting registry from forensics image
Analyze Registry Hives using Registry Explorer
Scenario: Find recently accessed files on a machine
RecentDocs Registry Key
Scenario: Find out system information
Scenario: Find persistence mechanism set up by threat actor on a system
What are persistence tactics?
Commonly known Registry keys used for persistence
Shimcahce
Amcache
Step to analyze Amcache
UserAssist
What is the UserAssist key?
Value for Digital Forensics and Incident Response
Prefetch
Jumplist
LNK file analysis
LNK and startup folder: Persistence
ShellBag
Shellbags locations
Recent Apps
USB drive or thumb drive analysis
Mounted devices
Conclusion
Points to remember
Questions
7. Network Data Collection and Analysis
Introduction
Structure
Objectives
Pre-requisites
What is network forensics?
Network forensics scenarios
Foundational insights for network forensics investigations
List of sources of network forensics data
Collect and access network forensics data
What are Packet Captures?
Importance of PCAPs in Digital Forensics and Incident Response
Brief history of PCAPs
Capture PCAPs on Windows environment
Wireshark
Tshark
Wireshark vs Tshark
Dumpcap.exe - Command line
Capture PCAPs on Linux environment
Berkley Packet Filters
Wireshark: Profile and preferences
Features of Wireshark
Endpoints
Conversation
Expert information
CloudShark
Features of CloudShark
Networkminer
Features of NetworkMiner
PCAP analysis scenario: Malicious file downloaded
Conclusion
Questions
References
8. Memory Forensics: Techniques and Tools
Introduction
Structure
Objectives
What is memory forensics?
Memory acquisition from virtual platforms
VirtualBox
VMWare
Hyper-V
Overview of Volatility and Rekall
Rekall
Volatility
Top 20 Volatility commands
Volatility 2 vs Volatility 3
Extracting volatile data from the memory dump
Netstat
PsList
Volatility commands for Linux, Mac, and virtual machine
Investigating suspicious files
GetSIDs
Finding malware using Volatility and Yara (Yarascan)
Alternate memory locations
Pagefile(pagefile.sys)
Importance of Pagefile digital forensics
Hibernation file (hiberfil.sys)
Swap file (swap.sys)
Volume Shadow Copy
File Carving
Bulk_extractor
Conclusion
Points to remember
Questions
9. Browser and Email Forensics
Introduction
Structure
Objectives
What is a browser?
What is browser forensics?
Importance of browser forensics
Examples of artifacts extracted from browsers
Architecture of the modern browser
Web browser features
Browser investigation
Google Chrome
Acquiring Chrome data
Analyzing the browser data
History
Downloads
Mozilla Firefox
Chromium Edge
Opera browsers
Summary
What is Email?
What is Email Analysis?
Email formats
Multipurpose Internet Mail Extensions
Electronic Mail
Microsoft Outlook Message
Mailbox
Why are email formats important for email forensics?
Email header analysis
Anatomy of an Email header
How to perform email header analysis?
Sample email header analysis
Analysis of the above email header
Email and E-discovery
Conclusion
Points to remember
Questions
References
10. Advanced Forensics Tools, Commands and Methods
Introduction
Structure
Objectives
PowerForensics
PowerForensics Windows cmdlets
Boot sector cmdlets
Ext4 Filetype cmdlets
NFTS Filetype cmdlets
How to install PowerForensics
Exploring PowerForensics commands
Autopsy
Keyword search and regular expressions
Hash Lookup
Email analysis via Autopsy
Extension Mismatch
Multimedia Analysis
File carving and recovery
Foremost
Steps to install Foremost on Linux
Foremost installation on Windows
Scalpel
Features and capabilities of Scalpel
Steps to set up Scalpel and file recovery
OSINT: Good known Hashes, Files, URLs, and Certs
OSINT for Hashes
VirusTotal
National Software Reference Library
OSINT for files
Online file analysis platforms
OSINT for URLs
OSINT for certificates
Windows 10 Feature Forensics
Notifications
Sticky Notes
Analysis of Sticky Notes
Cortana forensics
Windows Mail
Conclusion
Points to remember
Questions
References
11. Anti-Digital Forensics Techniques and Methods
Introduction
Structure
Objectives
What is anti-forensics?
Goals of anti-forensics
Anti-forensics techniques
Data Hiding
Steghide
StegDetect
OpenPuff
Alternate Data Stream
Data Obfuscation
Encryption
Polymorphism
Data Fragmentation
Encoding
Data deletion and physical storage media destruction
Wiper malware
Data manipulation and fabrication
Timestamp manipulation
Metadata alteration
Logs falsification
Decoy files
File Header modification
Scenario 1: Manipulating metadata using Exiftool
Scenario 2: Altering the timestamp
Scenario 3: Injecting log entries into log file
Anti-forensics challenges for digital forensic practitioners
Technological limitations and complexity
Personnel and resource challenges
Legal and ethical challenges
Legal challenges
Ethical challenges
Conclusion
Points to remember
Questions
References
Index
Cover
Title Page
Copyright Page
Dedication Page
About the Author
About the Reviewer
Acknowledgement
Preface
Table of Contents
1. Introduction to Essential Concepts of Digital Forensics
Introduction
Structure
Objectives
What is digital forensics?
Types of cases in digital forensics
Computer crime
Corporate espionage and intellectual property theft
Financial fraud and embezzlement
Electronic discovery
Human trafficking and drug crimes
Child exploitation
Murder
Terrorism
Digital forensics and other fields of cybersecurity
Malware investigation and digital forensics overlap
Incident response and digital forensic overlap
What is an incident response?
E-Discovery
Digital and cyber technological growth
The PC revolution
The Apple MacBook
The rise of smartphones
The gaming revolution
The Internet of Things
Cloud computing
Drones and autonomous vehicles
The future of the modern cyber world
Virtual Reality
Augmented Reality
The metaverse
Modern technological explosion and its cyber security challenges
Digital forensics challenges in the cyber modern era
Phases of digital forensics
Acquisition
Examination
Analysis
Presentation/reporting
What is data acquisition?
Types of data acquisitions
Types of image formats
Locard’s exchange principle
Types of digital evidence/data
Example of digital evidence
Categories of digital evidence
Volatile
Non-volatile
Preserving digital evidence integrity
Dos
Don’ts
Methods and techniques of preserving evidence integrity
Chain of custody
Hashing algorithms
Encryption
Digital signature
Write blocker
Write protected digital evidence storage device
File carving
How is file carving different from file recovery
Digital forensics time objects: MAC(b)
Location of MAC(b) on NTFS file systems
Conclusion
Points to remember
Questions
References
2. Digital Forensics Lab Setup
Introduction
Structure
Objectives
What is a Virtual Machine Environment?
Advantages of a virtual machine environment
Host machines in virtual environments
Minimum system requirement for Ubuntu VM
Minimum system requirement for Windows 10 VM
Install and configure VirtualBox and VMs
Install VirtualBox on Ubuntu
Steps to create a virtual machine
Cloning and Snapshot in VirtualBox
Cloning
Snapshots
Reverting to a snapshot
Deleting snapshots
Essential digital forensics tools and applications
Hex Editor
The Sleuth Kit
Autopsy installation
Key features of Autopsy
Installing Autopsy on Windows OS
Installing Autopsy on MacOS
Creating a new case in Autopsy
Volatility
Setup volatility on Ubuntu
Installing Volatility 2 on Windows OS
Installing Volatility 3 on Windows OS
PowerForensics
SQLite
Installation of SQLite Studio on Windows OS
Plaso and Log2timeline.py
Plaso installation on Windows
Plaso installation on Ubuntu
Other standalone tools and utilities
Conclusion
3. Data Collection: Volatile and Non-Volatile
Introduction
Structure
Objectives
Volatile vs. non-volatile
Order of volatility
Digital forensic image formats
Hash-based validation
Volatile data collection
DumpIt
PMEM
WimPmem
FTK Imager
Linux Memory Extractor
Using LiME to capture an Android memory dump
Overview of volatility
Memory acquisition from virtual platforms
VirtualBox
VMWare
Acquiring VMware virtual machine memory using PowerShell
Memory Acquisition Using VMware Host Client
Hyper-V
Non-volatile data collection
Type of forensics images
FTK Imager
Data Duplicator
GuyMager
Steps to create a forensic image or to clone the drive
Conclusion
Points to remember
Questions
4. Forensics Analysis: Live Response
Introduction
Structure
Objectives
What is live forensics analysis or live incident response?
Why is live forensics analysis important?
Building your own volatile data collection script
Windows environment
Linux environment
Digital Forensics and Incident Response
Incident Response
Digital Forensics
DFIR
Triage in DFIR
Live Response Collection: Cedarpelta
CDIR Collector by CDI
Types of data collection on Windows OS
How to use CDIR Collector
Triage-IR: An incident response toolkit
Endpoint Detection and Response
Features of EDR
Triage Data Collection vs. Modern EDRs
Process Tree and Timeline
Process Tree in EDR
What is the timeline?
Creating a timeline
Conclusion
Points to remember
Questions
References
5. File System and Log Analysis
Introduction
Structure
Objectives
Magic header and file identification
Scenario: Uncover true file format
Master Boot Record analysis
Master Boot Record
Master Partition Table
How to access the Master Partition Table
How to access MBR
Master File Table
How to locate MFT
Attribute 0x10: Standard information
Attribute 0x30: File_Name
MFT analysis tools
Recycle Bin
What happens when a file is moved to Recycle Bin?
How Recycle Bin handles deleted files in Windows 10
Challenges in analyzing Recycle Bin
File recovery
Methods to recover deleted data
File recovery using Recuva
File recovery using Autopsy
System logs
Windows event logs
Location of Windows event logs
Structure of Windows event logs
Windows event logs artifact
Event ID: 7045 - New service added
Event Code 4688: A new process has been created
Linux system logs
Command line history
Timeline analysis
Autopsy
How to use Timeline in Autopsy
Log2timeline
What is Plaso?
Log2timeline.py
Analysis plugin
Timesketch
Conclusion
Points to remember
Questions
References
6. Windows Registry and Artifacts
Introduction
Structure
Objectives
Windows Registry analysis
The importance of Windows Registry
Location of Windows Registry hives
How to extract Windows Registry hives
How to extract Windows Registry hives
Registry hive extraction using FTK
FTK Obtain Protected Files
Extracting registry from forensics image
Analyze Registry Hives using Registry Explorer
Scenario: Find recently accessed files on a machine
RecentDocs Registry Key
Scenario: Find out system information
Scenario: Find persistence mechanism set up by threat actor on a system
What are persistence tactics?
Commonly known Registry keys used for persistence
Shimcahce
Amcache
Step to analyze Amcache
UserAssist
What is the UserAssist key?
Value for Digital Forensics and Incident Response
Prefetch
Jumplist
LNK file analysis
LNK and startup folder: Persistence
ShellBag
Shellbags locations
Recent Apps
USB drive or thumb drive analysis
Mounted devices
Conclusion
Points to remember
Questions
7. Network Data Collection and Analysis
Introduction
Structure
Objectives
Pre-requisites
What is network forensics?
Network forensics scenarios
Foundational insights for network forensics investigations
List of sources of network forensics data
Collect and access network forensics data
What are Packet Captures?
Importance of PCAPs in Digital Forensics and Incident Response
Brief history of PCAPs
Capture PCAPs on Windows environment
Wireshark
Tshark
Wireshark vs Tshark
Dumpcap.exe - Command line
Capture PCAPs on Linux environment
Berkley Packet Filters
Wireshark: Profile and preferences
Features of Wireshark
Endpoints
Conversation
Expert information
CloudShark
Features of CloudShark
Networkminer
Features of NetworkMiner
PCAP analysis scenario: Malicious file downloaded
Conclusion
Questions
References
8. Memory Forensics: Techniques and Tools
Introduction
Structure
Objectives
What is memory forensics?
Memory acquisition from virtual platforms
VirtualBox
VMWare
Hyper-V
Overview of Volatility and Rekall
Rekall
Volatility
Top 20 Volatility commands
Volatility 2 vs Volatility 3
Extracting volatile data from the memory dump
Netstat
PsList
Volatility commands for Linux, Mac, and virtual machine
Investigating suspicious files
GetSIDs
Finding malware using Volatility and Yara (Yarascan)
Alternate memory locations
Pagefile(pagefile.sys)
Importance of Pagefile digital forensics
Hibernation file (hiberfil.sys)
Swap file (swap.sys)
Volume Shadow Copy
File Carving
Bulk_extractor
Conclusion
Points to remember
Questions
9. Browser and Email Forensics
Introduction
Structure
Objectives
What is a browser?
What is browser forensics?
Importance of browser forensics
Examples of artifacts extracted from browsers
Architecture of the modern browser
Web browser features
Browser investigation
Google Chrome
Acquiring Chrome data
Analyzing the browser data
History
Downloads
Mozilla Firefox
Chromium Edge
Opera browsers
Summary
What is Email?
What is Email Analysis?
Email formats
Multipurpose Internet Mail Extensions
Electronic Mail
Microsoft Outlook Message
Mailbox
Why are email formats important for email forensics?
Email header analysis
Anatomy of an Email header
How to perform email header analysis?
Sample email header analysis
Analysis of the above email header
Email and E-discovery
Conclusion
Points to remember
Questions
References
10. Advanced Forensics Tools, Commands and Methods
Introduction
Structure
Objectives
PowerForensics
PowerForensics Windows cmdlets
Boot sector cmdlets
Ext4 Filetype cmdlets
NFTS Filetype cmdlets
How to install PowerForensics
Exploring PowerForensics commands
Autopsy
Keyword search and regular expressions
Hash Lookup
Email analysis via Autopsy
Extension Mismatch
Multimedia Analysis
File carving and recovery
Foremost
Steps to install Foremost on Linux
Foremost installation on Windows
Scalpel
Features and capabilities of Scalpel
Steps to set up Scalpel and file recovery
OSINT: Good known Hashes, Files, URLs, and Certs
OSINT for Hashes
VirusTotal
National Software Reference Library
OSINT for files
Online file analysis platforms
OSINT for URLs
OSINT for certificates
Windows 10 Feature Forensics
Notifications
Sticky Notes
Analysis of Sticky Notes
Cortana forensics
Windows Mail
Conclusion
Points to remember
Questions
References
11. Anti-Digital Forensics Techniques and Methods
Introduction
Structure
Objectives
What is anti-forensics?
Goals of anti-forensics
Anti-forensics techniques
Data Hiding
Steghide
StegDetect
OpenPuff
Alternate Data Stream
Data Obfuscation
Encryption
Polymorphism
Data Fragmentation
Encoding
Data deletion and physical storage media destruction
Wiper malware
Data manipulation and fabrication
Timestamp manipulation
Metadata alteration
Logs falsification
Decoy files
File Header modification
Scenario 1: Manipulating metadata using Exiftool
Scenario 2: Altering the timestamp
Scenario 3: Injecting log entries into log file
Anti-forensics challenges for digital forensic practitioners
Technological limitations and complexity
Personnel and resource challenges
Legal and ethical challenges
Legal challenges
Ethical challenges
Conclusion
Points to remember
Questions
References
Index
![XBOX 360 Forensics: A Digital Forensics Guide to Examining Artifacts [1 ed.]
1597496235, 9781597496230](https://ebin.pub/img/200x200/xbox-360-forensics-a-digital-forensics-guide-to-examining-artifacts-1nbsped-1597496235-9781597496230.jpg)
![Windows Forensics Analyst Field Guide: Engage in proactive cyber defense using digital forensics techniques [1 ed.]
9781803248479](https://ebin.pub/img/200x200/windows-forensics-analyst-field-guide-engage-in-proactive-cyber-defense-using-digital-forensics-techniques-1nbsped-9781803248479.jpg)
![Malware forensics field guide for Windows systems: Digital forensics field guides [1 ed.]
1597494720, 9781597494724](https://ebin.pub/img/200x200/malware-forensics-field-guide-for-windows-systems-digital-forensics-field-guides-1nbsped-1597494720-9781597494724.jpg)
![Artificial Intelligence and Blockchain in Digital Forensics (River Publishers Series in Digital Security and Forensics) [1 ed.]
8770226881, 9788770226882](https://ebin.pub/img/200x200/artificial-intelligence-and-blockchain-in-digital-forensics-river-publishers-series-in-digital-security-and-forensics-1nbsped-8770226881-9788770226882.jpg)
