Computer Forensics Infosec Pro Guide / Edition 1

by David Cowen, John Loveland

ISBN-10: 007174245X

ISBN-13: 9780071742450

Pub. Date: 04/12/2013

Publisher: McGraw-Hill Professional Publishing

Security Smarts for the Self-Guided IT Professional

Find out how to excel in the field of computer forensics investigations. Learn what it takes to transition from an IT professional to a computer forensic examiner in the private sector. Written by a Certified Information Systems Security Professional, Computer Forensics: InfoSec Pro Guide is filled with real-world case studies that demonstrate the concepts covered in the book.

You’ll learn how to set up a forensics lab, select hardware and software, choose forensic imaging procedures, test your tools, capture evidence from different sources, follow a sound investigative process, safely store evidence, and verify your findings. Best practices for documenting your results, preparing reports, and presenting evidence in court are also covered in this detailed resource.

Computer Forensics: InfoSec Pro Guide features:

  • Lingo—Common security terms defined so that you’re in the know on the job
  • IMHO—Frank and relevant opinions based on the author’s years of industry experience
  • Budget Note—Tips for getting security technologies and processes into your organization’s budget
  • In Actual Practice—Exceptions to the rules of security explained in real-world contexts
  • Your Plan—Customizable checklists you can use on the job now
  • Into Action—Tips on how, why, and when to apply new skills and techniques at work

Product Details

Publisher: McGraw-Hill Professional Publishing
Series: Beginner's Guide Series
Edition description: New Edition
Product dimensions: 7.30(w) x 9.00(h) x 0.70(d)

Table of Contents

Acknowledgments xix

Introduction xxi

Part I Getting Started

1 What Is Computer Forensics? 3

What You Can Do with Computer Forensics 4

How People Get Involved in Computer Forensics 5

Law Enforcement 6

Military 6

University Programs 7

IT or Computer Security Professionals 7

Incident Response vs. Computer Forensics 9

How Computer Forensic Tools Work 10

Types of Computer Forensic Tools 10

Professional Licensing Requirements 12

2 Learning Computer Forensics 15

Where and How to Get Training 16

Law Enforcement Training 17

Corporate Training 17

Where and How to Get Certified 18

Vendor Certifications 19

Vendor-Neutral Certifications 20

Staying Current 22

Conferences 23

Blogs 24

Forums 26

Podcasts 26

Associations 27

3 Creating a Lab 29

Choosing Where to Put Your Lab 31

Access Controls 31

Electrical Power 35

Air Conditioning 35

Privacy 37

Gathering the Tools of the Trade 38

Write Blockers 38

Drive Kits 41

External Storage 43

Screwdriver Kits 43

Antistatic Bags 43

Adaptors 44

Forensic Workstation 44

Choosing Forensic Software 45

Open Source Software 46

Commercial Software 47

Storing Evidence 49

Securing Your Evidence 48

Organizing Your Evidence 49

Disposing of Old Evidence 50

Part II Your First Investigation

4 How to Approach a Computer Forensics Investigation 55

The Investigative Process 56

What Are You Being Asked to Find Out? 56

Where Would the Data Exist? 57

What Applications Might Have Been Used in Creating the Data? 57

Should You Request to Go Beyond the Scope of the Investigation? 58

Testing Your Hypothesis 59

Step 1 Define Your Hypothesis 60

Step 2 Determine a Repeatable Test 61

Step 3 Create Your Test Environment 61

Step 4 Document Your Testing 61

The Forensic Data Landscape 62

Active Data 62

Unallocated Space 62

Slack Space 63

Mobile Devices 65

External Storage 66

What Do You Have the Authority to Access 66

Who Hosts the Data? 66

Who Owns the Device? 67

Expectation of Privacy 68

5 Choosing Your Procedures 71

Forensic Imaging 72

Determining Your Comfort Level 73

Forensic Imaging Method Pros and Cons 78

Creating Forms and Your Lab Manual 80

Chain of Custody Forms 80

Request Forms 82

Report Forms 82

Standard Operating Procedures Manual 84

6 Testing Your Tools 85

When Do You Need to Test 86

Collecting Data for Public Research or Presentations 87

Testing a Forensic Method 87

Testing a Tool 87

Where to Get Test Evidence 88

Raw Images 89

Creating Your Own Test Images 89

Forensic Challenges 91

Learn Forensics with David Cowen on YouTube 91

Honeynet Project 91

DC3 Challenge 92

DFRWS Challenge 92

SANS Forensic Challenges 93

High School Forensic Challenge 93

Collections of Tool Testing Images 93

Digital Forensic Tool Testing Images 93

NIST Computer Forensics Reference Data Sets Images 94

The Hacking Case 94

NIST Computer Forensics Tool Testing 94

7 Live vs. Postmortem Forensics 97

Live Forensics 99

When Live Forensics Is the Best Option 100

Tools for Live Forensics 103

Postmortem Forensics 106

Postmortem Memory Analysis 106

8 Capturing Evidence 109

Creating Forensic Images of Internal Hard Drives 110

FTK Imager with a Hardware Write Blocker 111

FTK Imager with a Software Write Blocker 120

Creating Forensic Images of External Drives 123

FTK Imager with a USB Write Blocker 124

FTK Imager with a Software Write Blocker 125

Software Write Blocking on Linux Systems 125

Creating Forensic Images of Network Shares 128

Capturing a Network Share with FTK Imager 129

Mobile Devices 133

Servers 133

9 Nontraditional Digital Forensics 135

Breaking the Rules: Nontraditional Digital Forensic Techniques 137

Volatile Artifacts 138

Malware 139

Encrypted File Systems 141

Challenges to Accessing Encrypted Data 144

Mobile Devices: Smart Phones and Tablets 145

Solid State Drives 147

Virtual Machines 149

Part III Case Examples: How to Work a Case

10 Establishing the Investigation Type and Criteria 153

Determining What Type of Investigation Is Required 154

Human Resources Cases 154

Administrator Abuse 156

Stealing Information 158

Internal Leaks 158

Keyloggers and Malware 159

What to Do When Criteria Causes an Overlap 161

What to Do When No Criteria Matches 161

Where Should the Evidence Be? 162

Did This Occur over the Network? 162

Nothing Working? Create a Super Timeline 163

11 Human Resources Cases 167

Results of a Human Resource Case 168

How to Work a Pornography Case 169

Pornography Case Study 169

How to Investigate a Pornography Case 174

How to Work a Productivity Waste Case 179

12 Administrator Abuse 185

The Abuse of Omniscience 186

Scenario 1: Administrator Runs a Pornographic Site Using Company Resources 188

Beginning an Investigation 189

The Web Server's Role in the Network 190

Directories 193

Virtual Servers 194

Virtual Directories 194

Scenario 2: Exploiting Insider Knowledge Against an Ex-employer 196

A Private Investigator Calls 197

As if They're Reading Our Minds… 197

What a Network Vulnerability Assessment Can Reveal 198

E-mail Data Review and Server Restoration 200

Stepping Up Your Game: Knowledge Meets Creativity 201

13 Stealing Information 205

What Are We Looking For? 206

Determining Where the Data Went 209

LNK Files 209

Shellbags 212

Scenario: Recovering Log Files to Catch a Thief 214

14 Internal Leaks 217

Why Internal Leaks Happen 218

Investigating Internal Leaks 220

Reviewing the Registry Files 221

Identifying LNK Files 226

Wrapping Up the Investigation 231

Using File System Meta-data to Track Leaked or Printed Materials 232

15 Keyloggers and Malware 235

Defining Keyloggers and Malware 236

How to Detect Keyloggers and Malware 237

Registry Files 238

Prefetch Files 242

Keyword Searches 242

Handling Suspicious Files 243

Determining How an Infection Occurred 243

What We Know About This Infection 247

What We Know About the Keylogger 247

Identifying What Data Was Captured 249

Finding Information About the Attacker 251

What We Know About the Attacker 252

Where to Find More About the Attacker 252

Part IV Defending Your Work

16 Documenting Your Findings with Reports 257

Documenting Your Findings 258

Who Asked You to Undertake the Investigation 259

What You Were Asked to Do 259

What You Reviewed 260

What You Found 261

What Your Findings Mean 262

Types of Reports 263

Informal Report 263

Incident Report 263

Internal Report 265

Declaration 265

Affidavit 267

Explaining Your Work 268

Define Technical Terms 268

Provide Examples in Layperson Terms 268

Explain Artifacts 269

17 Litigation and Reports for Court and Exhibits 271

Important Legal Terms 272

What Type of Witness Are You? 273

Fact Witness 274

Expert Consultant 275

Expert Witness 275

Special Master 276

Neutral 277

Writing Reports for Court 277

Declarations in Support of Motions 278

Expert Reports 279

Creating Exhibits 279

Working with Forensic Artifacts 281

Glossary 283

Index 303
