Practical forensic imaging securing digital evidence with Linux tools

Practical Forensic Imaging takes a detailed look at how to secure and manage digital evidence using Linux-based command line tools.

Bibliographic Details
Other Authors: Nikkel, Bruce (author); Casey, Eoghan (writer of foreword)
Format: Electronic book
Language: English
Published: San Francisco, California: No Starch Press, 2016.
Edition: 1st edition
Subjects:
View in Universitat Ramon Llull Library: https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009629897406719
Table of Contents:
  • Intro
  • Title Page
  • Copyright Page
  • Dedication
  • About the Author
  • Brief Contents
  • Contents in Detail
  • Foreword by Eoghan Casey
  • Introduction
  • Why I Wrote This Book
  • How This Book Is Different
  • Why Use the Command Line?
  • Target Audience and Prerequisites
  • Who Should Read This Book?
  • Prerequisite Knowledge
  • Preinstalled Platform and Software
  • How the Book Is Organized
  • The Scope of This Book
  • Conventions and Format
  • Chapter 0: Digital Forensics Overview
  • Digital Forensics History
  • Pre-Y2K
  • 2000-2010
  • 2010-Present
  • Forensic Acquisition Trends and Challenges
  • Shift in Size, Location, and Complexity of Evidence
  • Multijurisdictional Aspects
  • Industry, Academia, and Law Enforcement Collaboration
  • Principles of Postmortem Computer Forensics
  • Digital Forensic Standards
  • Peer-Reviewed Research
  • Industry Regulations and Best Practice
  • Principles Used in This Book
  • Chapter 1: Storage Media Overview
  • Magnetic Storage Media
  • Hard Disks
  • Magnetic Tapes
  • Legacy Magnetic Storage
  • Non-Volatile Memory
  • Solid State Drives
  • USB Flash Drives
  • Removable Memory Cards
  • Legacy Non-Volatile Memory
  • Optical Storage Media
  • Compact Discs
  • Digital Versatile Discs
  • Blu-ray Discs
  • Legacy Optical Storage
  • Interfaces and Physical Connectors
  • Serial ATA
  • Serial Attached SCSI and Fibre Channel
  • Non-Volatile Memory Express
  • Universal Serial Bus
  • Thunderbolt
  • Legacy Interfaces
  • Commands, Protocols, and Bridges
  • ATA Commands
  • SCSI Commands
  • NVME Commands
  • Bridging, Tunneling, and Pass-Through
  • Special Topics
  • DCO and HPA Drive Areas
  • Drive Service and Maintenance Areas
  • USB Attached SCSI Protocol
  • Advanced Format 4Kn
  • NVME Namespaces
  • Solid State Hybrid Disks
  • Closing Thoughts
  • Chapter 2: Linux as a Forensic Acquisition Platform
  • Linux and OSS in a Forensic Context
  • Advantages of Linux and OSS in Forensics Labs
  • Disadvantages of Linux and OSS in Forensics Labs
  • Linux Kernel and Storage Devices
  • Kernel Device Detection
  • Storage Devices in /dev
  • Other Special Devices
  • Linux Kernel and Filesystems
  • Kernel Filesystem Support
  • Mounting Filesystems in Linux
  • Accessing Filesystems with Forensic Tools
  • Linux Distributions and Shells
  • Linux Distributions
  • The Shell
  • Command Execution
  • Piping and Redirection
  • Closing Thoughts
  • Chapter 3: Forensic Image Formats
  • Raw Images
  • Traditional dd
  • Forensic dd Variants
  • Data Recovery Tools
  • Forensic Formats
  • EnCase EWF
  • FTK SMART
  • AFF
  • SquashFS as a Forensic Evidence Container
  • SquashFS Background
  • SquashFS Forensic Evidence Containers
  • Closing Thoughts
  • Chapter 4: Planning and Preparation
  • Maintain an Audit Trail
  • Task Management
  • Shell History
  • Terminal Recorders
  • Linux Auditing
  • Organize Collected Evidence and Command Output
  • Naming Conventions for Files and Directories
  • Scalable Examination Directory Structure
  • Save Command Output with Redirection
  • Assess Acquisition Infrastructure Logistics
  • Image Sizes and Disk Space Requirements
  • File Compression
  • Sparse Files
  • Reported File and Image Sizes
  • Moving and Copying Forensic Images
  • Estimate Task Completion Times
  • Performance and Bottlenecks
  • Heat and Environmental Factors
  • Establish Forensic Write-Blocking Protection
  • Hardware Write Blockers
  • Software Write Blockers
  • Linux Forensic Boot CDs
  • Media with Physical Read-Only Modes
  • Closing Thoughts
  • Chapter 5: Attaching Subject Media to an Acquisition Host
  • Examine Subject PC Hardware
  • Physical PC Examination and Disk Removal
  • Subject PC Hardware Review
  • Attach Subject Disk to an Acquisition Host
  • View Acquisition Host Hardware
  • Identify the Subject Drive
  • Query the Subject Disk for Information
  • Document Device Identification Details
  • Query Disk Capabilities and Features with hdparm
  • Extract SMART Data with smartctl
  • Enable Access to Hidden Sectors
  • Remove a DCO
  • Remove an HPA
  • Drive Service Area Access
  • ATA Password Security and Self-Encrypting Drives
  • Identify and Unlock ATA Password-Protected Disks
  • Identify and Unlock Opal Self-Encrypting Drives
  • Encrypted Flash Thumb Drives
  • Attach Removable Media
  • Optical Media Drives
  • Magnetic Tape Drives
  • Memory Cards
  • Attach Other Storage
  • Apple Target Disk Mode
  • NVME SSDs
  • Other Devices with Block or Character Access
  • Closing Thoughts
  • Chapter 6: Forensic Image Acquisition
  • Acquire an Image with dd Tools
  • Standard Unix dd and GNU dd
  • The dcfldd and dc3dd Tools
  • Acquire an Image with Forensic Formats
  • The ewfacquire Tool
  • AccessData ftkimager
  • SquashFS Forensic Evidence Container
  • Acquire an Image to Multiple Destinations
  • Preserve Digital Evidence with Cryptography
  • Basic Cryptographic Hashing
  • Hash Windows
  • Sign an Image with PGP or S/MIME
  • RFC-3161 Timestamping
  • Manage Drive Failure and Errors
  • Forensic Tool Error Handling
  • Data Recovery Tools
  • SMART and Kernel Errors
  • Other Options for Failed Drives
  • Damaged Optical Discs
  • Image Acquisition over a Network
  • Remote Forensic Imaging with rdd
  • Secure Remote Imaging with ssh
  • Remote Acquisition to a SquashFS Evidence Container
  • Acquire a Remote Disk to EnCase or FTK Format
  • Live Imaging with Copy-On-Write Snapshots
  • Acquire Removable Media
  • Memory Cards
  • Optical Discs
  • Magnetic Tapes
  • RAID and Multidisk Systems
  • Proprietary RAID Acquisition
  • JBOD and RAID-0 Striped Disks
  • Microsoft Dynamic Disks
  • RAID-1 Mirrored Disks
  • Linux RAID-5
  • Closing Thoughts
  • Chapter 7: Forensic Image Management
  • Manage Image Compression
  • Standard Linux Compression Tools
  • EnCase EWF Compressed Format
  • FTK SMART Compressed Format
  • AFFlib Built-In Compression
  • SquashFS Compressed Evidence Containers
  • Manage Split Images
  • The GNU split Command
  • Split Images During Acquisition
  • Access a Set of Split Image Files
  • Reassemble a Split Image
  • Verify the Integrity of a Forensic Image
  • Verify the Hash Taken During Acquisition
  • Recalculate the Hash of a Forensic Image
  • Cryptographic Hashes of Split Raw Images
  • Identify Mismatched Hash Windows
  • Verify Signature and Timestamp
  • Convert Between Image Formats
  • Convert from Raw Images
  • Convert from EnCase/E01 Format
  • Convert from FTK Format
  • Convert from AFF Format
  • Secure an Image with Encryption
  • GPG Encryption
  • OpenSSL Encryption
  • Forensic Format Built-In Encryption
  • General Purpose Disk Encryption
  • Disk Cloning and Duplication
  • Prepare a Clone Disk
  • Use HPA to Replicate Sector Size
  • Write an Image File to a Clone Disk
  • Image Transfer and Storage
  • Write to Removable Media
  • Inexpensive Disks for Storage and Transfer
  • Perform Large Network Transfers
  • Secure Wiping and Data Disposal
  • Dispose of Individual Files
  • Secure Wipe a Storage Device
  • Issue ATA Security Erase Unit Commands
  • Destroy Encrypted Disk Keys
  • Closing Thoughts
  • Chapter 8: Special Image Access Topics
  • Forensically Acquired Image Files
  • Raw Image Files with Loop Devices
  • Forensic Format Image Files
  • Prepare Boot Images with xmount
  • VM Images
  • QEMU QCOW2
  • VirtualBox VDI
  • VMWare VMDK
  • Microsoft VHD
  • OS-Encrypted Filesystems
  • Microsoft BitLocker
  • Apple FileVault
  • Linux LUKS
  • TrueCrypt and VeraCrypt
  • Closing Thoughts
  • Chapter 9: Extracting Subsets of Forensic Images
  • Assess Partition Layout and Filesystems
  • Partition Scheme
  • Partition Tables
  • Filesystem Identification
  • Partition Extraction
  • Extract Individual Partitions
  • Find and Extract Deleted Partitions
  • Identify and Extract Inter-Partition Gaps
  • Extract HPA and DCO Sector Ranges
  • Other Piecewise Data Extraction
  • Extract Filesystem Slack Space
  • Extract Filesystem Unallocated Blocks
  • Manual Extraction Using Offsets
  • Closing Thoughts
  • Closing Remarks
  • Index
  • Updates
  • "An indispensable reference for anyone responsible for preserving digital evidence." -Professor Eoghan Casey, University of Lausanne
  • Footnotes
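The Chapter 6 and 7 entries above (acquiring an image with dd, basic cryptographic hashing, hash windows, split images, verifying the acquisition hash, identifying mismatched hash windows) describe a workflow that is easier to grasp when run end to end. The script below is an added example written for this page; it is not code from the book or its author. It uses only GNU coreutils, and the "subject drive" is a constructed file of pseudorandom data so that it runs offline without root or a write blocker; all paths, the 64 KiB window size and the 256 KiB segment size are assumptions chosen for the demonstration. On a real case the input would be a write-blocked block device such as /dev/sdb.

```shell
#!/bin/sh
# Added example, not code from the book: a miniature forensic acquisition
# workflow using GNU coreutils (dd, sha256sum, split). The "subject drive"
# is constructed pseudorandom data so the script runs offline; in practice
# SUBJECT would be a write-blocked device (e.g. /dev/sdb) read as root.

WORK="${WORK:-$(mktemp -d)}"
SUBJECT="$WORK/subject.dev"          # stand-in for the write-blocked drive
IMAGE="$WORK/subject.raw"            # raw dd-style image
WINDOW_BYTES=$((64 * 1024))          # assumed hash-window size (piecewise hashing)

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

make_subject() {
    # 16 windows (1 MiB) of constructed test data, not real evidence
    dd if=/dev/urandom of="$SUBJECT" bs="$WINDOW_BYTES" count=16 2>/dev/null
}

acquire() {
    # conv=noerror,sync keeps reading past unreadable sectors and zero-fills
    # them, so offsets in the image stay aligned with the source
    dd if="$SUBJECT" of="$IMAGE" bs="$WINDOW_BYTES" conv=noerror,sync 2>/dev/null
    # record the source hash and the image hash at acquisition time
    sha256_of "$SUBJECT" > "$IMAGE.source.sha256"
    sha256_of "$IMAGE"   > "$IMAGE.sha256"
}

verify_acquisition() {
    # the image hash recorded at acquisition must equal the source hash
    [ "$(cat "$IMAGE.source.sha256")" = "$(cat "$IMAGE.sha256")" ]
}

recheck_image() {
    # later re-verification: recompute the image hash, compare with the record
    [ "$(sha256_of "$IMAGE")" = "$(cat "$IMAGE.sha256")" ]
}

window_hash() {
    # sha256 of window $1 (0-based) of the image
    dd if="$IMAGE" bs="$WINDOW_BYTES" skip="$1" count=1 2>/dev/null \
        | sha256sum | cut -d' ' -f1
}

hash_windows() {
    # piecewise hashes, one per window, in the spirit of dcfldd/dc3dd hash
    # windows; prints the number of windows recorded
    size=$(wc -c < "$IMAGE")
    n=$(( (size + WINDOW_BYTES - 1) / WINDOW_BYTES ))
    : > "$IMAGE.windows"
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '%d %s\n' "$i" "$(window_hash "$i")" >> "$IMAGE.windows"
        i=$((i + 1))
    done
    wc -l < "$IMAGE.windows" | tr -d ' '
}

mismatched_windows() {
    # prints the index of every window whose current hash differs from the
    # recorded one, so corruption can be localised rather than only learning
    # that the whole-image hash no longer matches
    while read -r i h; do
        [ "$(window_hash "$i")" = "$h" ] || echo "$i"
    done < "$IMAGE.windows"
}

split_image() {
    # split into 256 KiB segments with numeric suffixes (subject.raw.00, .01, ...)
    split -b 256K -d "$IMAGE" "$IMAGE."
}

verify_split() {
    # the hash of the concatenated segments must equal the recorded image hash
    [ "$(cat "$IMAGE".[0-9][0-9] | sha256sum | cut -d' ' -f1)" = "$(cat "$IMAGE.sha256")" ]
}

corrupt_window() {
    # overwrite 16 bytes inside window $1 without truncating the file
    # (simulates bit rot or tampering after acquisition)
    dd if=/dev/zero of="$IMAGE" bs=1 seek=$(($1 * WINDOW_BYTES + 5)) count=16 \
        conv=notrunc 2>/dev/null
}

cleanup() { rm -rf "$WORK"; }
```

Run it as a sequence: make_subject, acquire, verify_acquisition, hash_windows, split_image, verify_split; then corrupt_window 3 and call mismatched_windows to see only window 3 reported while recheck_image now fails. Hashing the source and the image separately at acquisition time is what lets you prove the copy is faithful; the hash windows are what let you later say which part of a multi-terabyte image went bad instead of discarding the whole acquisition.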