Introductory Computer Forensics: A Hands-on Practical Approach 3030005801, 9783030005801

This textbook provides an introduction to digital forensics, a rapidly evolving field for solving crimes. Beginning with

English, 577 pages [582], 2018



Table of contents:
Preface
Practice Exercise Environment
Book Organization
Supplements
Acknowledgments
Contents
Part I: Fundamentals of Computer Systems and Computer Forensics
Chapter 1: Introduction to Computer Forensics
1.1 Introduction
1.1.1 Young History
1.1.2 A Field on the Rise
1.1.3 Challenges
1.1.4 Privacy Risk with Digital Forensics
1.1.5 Looking Ahead
1.2 What Computer Forensics Is and Why It Is Important
1.3 Digital Evidence
1.4 Computer Forensics Procedures and Techniques
1.4.1 Preparation Stage
1.4.2 In Crime Scene Stage
1.4.3 In Digital Evidence Lab Stage
1.5 Types of Computer Forensics
1.6 Useful Resources
1.7 Exercises
References
Chapter 2: Introduction to Computer Organization
2.1 Computer Organization
2.2 Data Representation
2.3 Memory Alignment and Byte Ordering
2.4 Practice Exercise
2.4.1 Setting Up the Exercise Environment
2.4.2 Exercises
Appendix A: How to Use GDB to Debug C Programs
References
Chapter 3: Building a Forensics Workstation
3.1 The Sleuth Kit (TSK) and Autopsy Forensic Browser
3.1.1 The Sleuth Kit (TSK)
3.1.2 Autopsy Forensic Browser
3.1.3 Kali Linux Sleuth Kit and Autopsy
3.2 Virtualization
3.2.1 Why Virtualize?
3.2.2 What Are the Virtualization Options?
3.2.3 Why VMware Virtualization Platform?
3.3 Building Up Your Forensics Workstation with Kali Linux
3.4 First Forensic Examination Using TSK
3.5 Practice Exercise
3.5.1 Setting Up the Exercise Environment
3.5.2 Exercises
Appendix A: Installing Software in Linux
Appendix B: dcfldd Cheat Sheet
References
Part II: File System Forensic Analysis
Chapter 4: Volume Analysis
4.1 Hard Disk Geometry and Disk Partitioning
4.1.1 Hard Disk Geometry
4.1.2 Disk Partitioning
4.1.3 DOS-Style Partitions
4.1.4 Sector Addressing in Partitions
4.2 Volume Analysis
4.2.1 Disk Layout Analysis
4.2.2 Partition Consistency Check
4.2.3 Partition Extraction
4.2.4 Deleted Partition Recovery
4.3 Practice Exercise
4.3.1 Setting Up the Exercise Environment
4.3.2 Exercises
4.4 Helpful Tips
References
Chapter 5: Examining FAT File System
5.1 File System Overview
5.2 FAT File Systems
5.2.1 The Partition Boot Sector
5.2.2 The File Allocation Table
5.2.3 Addressing in FAT File Systems
5.2.4 The Root Directory and Directory Entry
5.2.5 The Long File Name
5.3 Lab Exercises
5.3.1 Setting up the Exercise Environment
5.3.2 Exercises
5.4 Helpful Tips
Appendix A: Data Structure for the FAT12/16 Partition Boot Sector
Appendix B: Data Structure for the FAT32 Partition Boot Sector
Appendix C: Checksum Algorithm for LFN Entry
References
Chapter 6: Deleted File Recovery in FAT
6.1 Principles of File Recovery
6.2 File Creation and Deletion in FAT File Systems
6.2.1 File Creation
6.2.2 File Deletion
6.3 Deleted File Recovery in FAT File Systems
6.4 Practice Exercise
6.4.1 Setting Up the Exercise Environment
6.4.2 Exercises
6.5 Helpful Tips
References
Chapter 7: Examining NTFS File System
7.1 New Technology File System
7.2 The Master File Table
7.3 NTFS Indexing
7.3.1 B-Tree
7.3.2 NTFS Directory Indexing
7.4 NTFS Advanced Features
7.4.1 Encrypting File System (EFS)
7.4.2 Data Storage Efficiency
7.4.2.1 NTFS Sparse Files
7.4.2.2 NTFS Compressed Files and Folders
7.5 Practice Exercise
7.5.1 Setting Up the Exercise Environment
7.5.2 Exercises
7.6 Helpful Tips
7.6.1 Locate the Master File Table (MFT) in an NTFS Volume
7.6.2 Determine the Address of the Cluster Which Contains a Given MFT Entry
References
Chapter 8: Deleted File Recovery in NTFS
8.1 NTFS Deleted Files Recovery
8.1.1 File Creation and Deletion in NTFS File Systems
8.1.1.1 File Creation in NTFS File System (Fig. 8.1)
8.1.1.2 File Deletion (Fig. 8.2)
8.1.2 Deleted File Recovery in NTFS File System
8.2 Practical Exercise
8.2.1 Setting Up the Exercise Environment
8.2.2 Exercises
References
Chapter 9: File Carving
9.1 Principles of File Carving
9.1.1 Header/Footer Carving
9.1.2 Bifragment Gap Carving (BGC)
9.1.2.1 Selecting a Candidate Sequence of Blocks
9.1.2.2 Object Validation
9.2 File Carving Tools
9.2.1 Foremost
9.2.2 Scalpel
9.2.3 TestDisk and Photorec
9.3 Practical Exercise
9.3.1 Setting Up Practical Exercise Environment
9.3.2 Exercises
References
Chapter 10: File Signature Searching Forensics
10.1 Introduction
10.2 File Signature Search Process
10.3 File Signature Search Using hfind
10.3.1 Create a Hash Database Using md5sum
10.3.2 Create an MD5 Index File for Hash Database
10.3.3 Search Hash Database for a Given Hash Value
10.4 Practice Exercise
10.4.1 Setting Up the Exercise Environment
10.4.2 Exercises
Appendix A: Shell Script for Generating Files for File Hash Database
References
Chapter 11: Keyword Forensics
11.1 Forensic Keyword Searching Process
11.2 Grep and Regular Expressions
11.3 Case Study
11.4 Practice Exercise
11.4.1 Setting Up Practical Exercise Environment
11.4.2 Exercises
Appendix: Regular Expression Metacharacters
References
Chapter 12: Timeline Analysis
12.1 Principle of Timeline Analysis
12.1.1 Timeline
12.1.2 Timeline Event
12.1.2.1 Filesystems
12.1.2.2 Web Activity
12.1.2.3 Miscellaneous
12.2 Timeline Analysis Process
12.2.1 Timeline Creation
12.2.2 Timeline Analysis
12.2.3 MAC Timeline Creation and Analysis with TSK
12.3 Forensic Timeline Analysis Tools
12.3.1 Log2timeline
12.3.2 EnCase
12.4 Case Study
12.5 Practice Exercise
12.5.1 Setting Up the Exercise Environment
12.5.2 Exercises
References
Chapter 13: Data Hiding and Detection
13.1 Data Hiding Fundamentals
13.1.1 Hidden Files and Folders
13.1.2 Masks and Altering Names
13.1.3 Volume Slack
13.1.4 Slack Space
13.1.5 Clusters in Abnormal States
13.1.6 Bad MFT Entries
13.1.7 Alternate Data Streams
13.1.7.1 Creating an ADS File
13.1.7.2 Recovering ADS Files
13.2 Data Hiding and Detection in Office Open XML (OOXML) Documents
13.2.1 OOXML Document Fundamentals
13.2.2 Data Hiding in OOXML Documents
13.2.2.1 Data Hiding Using OOXML Relationship Structure
13.2.2.2 Data Hiding Using XML Format Feature
13.2.2.3 Data Hiding Using XML Format Feature and OOXML Relationship Structure
13.2.2.4 Data Hiding Using OOXML Flexibility for Embedded Resource Architecture
13.2.2.5 Data Hiding Using OOXML Flexibility of Swapping Parts
Scenario 1
Scenario 2
13.2.3 Hidden Data Detection in OOXML Documents
13.2.3.1 Detecting Hidden Data Using OOXML Relationship Structure
13.2.3.2 Detecting Hidden Data Using XML Format Feature and OOXML Relationship Structure
13.2.3.3 Detecting Hidden Data Using OOXML Flexibility For Embedded Resource Architecture
13.3 Practical Exercise
13.3.1 Setting Up the Exercise Environment
13.3.2 Exercises
References
Part III: Forensic Log Analysis
Chapter 14: Log Analysis
14.1 System Log Analysis
14.1.1 Syslog
14.1.1.1 Configuring and Collecting Syslog
14.1.1.2 Viewing the Log Files
14.1.2 Windows Event Log
14.1.3 Log Analytics Challenges
14.2 Security Information and Event Management System (SIEM)
14.2.1 Log Normalization and Correlation
14.2.1.1 Criteria for Correlation and Normalization
14.2.2 Log Data Analysis
14.2.2.1 Criteria for the Log Analysis Process
14.2.3 Specific Features for SIEM
14.2.4 Case Study of Log Correlation
14.3 Implementing SIEM
14.3.1 How OSSIM Works
14.3.2 AlienVault Event Visualization
14.4 Practice Exercise
14.4.1 Setting Up the Exercise Environment
14.4.2 Exercises
References
Part IV: Mobile Device Forensics
Chapter 15: Android Forensics
15.1 Mobile Phone Fundamentals
15.2 Mobile Device Forensic Investigation
15.2.1 Storage Location
15.2.2 Acquisition Methods
15.2.2.1 Chip-Off
15.2.2.2 JTAG (Joint Test Action Group)
15.2.2.3 Forensic Software Suites
15.2.2.4 ADB (Android Debug Bridge)
15.2.2.5 Backup Applications
15.2.2.6 Firmware Update Protocols
15.2.2.7 Custom Recovery Image
15.2.3 Data Analysis
15.2.3.1 Facebook
15.2.3.2 WhatsApp
15.2.3.3 WeChat
15.2.3.4 Other Social Applications
15.2.4 Case Studies
15.2.4.1 Experiment Setup
15.2.4.2 Application Use
15.2.4.3 Extraction
15.2.4.4 Data Analysis
15.3 Practice Exercise
15.3.1 Setting Up Practical Exercise Environment
15.3.2 Exercises
References
Chapter 16: GPS Forensics
16.1 The GPS System
16.2 GPS Evidentiary Data
16.3 Case Study
16.3.1 Experiment Setup
16.3.2 Basic Precautions and Procedures
16.3.3 GPS Exchange Format (GPX)
16.3.3.1 Waypoint
16.3.3.2 Route
16.3.3.3 Track Point
16.3.3.4 Track Log
16.3.3.5 Track Segment
16.3.4 GPX Files
16.3.5 Extraction of Waypoints and Trackpoints
16.3.6 How to Display the Tracks on a Map
16.4 Practice Exercise
16.4.1 Setting Up Practical Exercise Environment
16.4.2 Exercises
References
Chapter 17: SIM Cards Forensics
17.1 The Subscriber Identification Module (SIM)
17.2 SIM Architecture
17.3 Security
17.4 Evidence Extraction
17.4.1 Contacts
17.4.2 Calls
17.4.3 SMS
17.5 Case Studies
17.5.1 Experiment Setup
17.5.2 Data Acquisition
17.5.3 Data Analysis
17.5.3.1 Contacts
17.5.3.2 Calls
17.5.3.3 SMS
17.5.3.4 System Data
17.6 Practice Exercise
17.6.1 Setting Up the Exercise Environment
17.6.2 Exercises
References
Part V: Malware Analysis
Chapter 18: Introductory Malware Analysis
18.1 Malware, Viruses and Worms
18.1.1 How Does Malware Get on Computers
18.1.2 Importance of Malware Analysis
18.2 Essential Skills and Tools for Malware Analysis
18.3 List of Malware Analysis Tools and Techniques
18.3.1 Dependency Walker
18.3.1.1 Let's Create a KeyLogger.exe
18.3.2 PEview
18.3.3 W32dasm
18.3.4 OllyDbg
18.3.5 Wireshark
18.3.6 ConvertShellCode
18.3.6.1 Shellcode Analysis
18.4 Case Study
18.4.1 Objectives
18.4.2 Environment Setup
18.4.2.1 Victim's Computer as a Server
18.4.2.2 Attacker's Computer as a Client
18.4.2.3 Forensic Investigator
Analysis: Protocol Statistics
HTTP Analysis
TCP Analysis
18.4.3 Concluding Remarks
18.5 Practice Exercise
References
Chapter 19: Ransomware Analysis
19.1 Patterns of Ransomware
19.2 Notorious Ransomware
19.2.1 CryptoLocker Ransomware
19.2.2 Miscellaneous Ransomware
19.3 Cryptographic and Privacy-Enhancing Techniques as Malware Tools
19.3.1 RSA Cryptosystem
19.3.2 AES Cryptosystem
19.3.3 Cryptographic Techniques as Hacking Tools
19.3.4 Tor Network and Concealing Techniques
19.3.5 Digital Cash and Bitcoin as Anonymous Payment Methods
19.4 Case Study: SimpleLocker Ransomware Analysis
19.4.1 Overview of Android Framework
19.4.2 Analysis Techniques for SimpleLocker
19.4.3 Online Scan Service
19.4.4 Metadata Analysis
19.4.5 Static Analysis
19.4.5.1 Reverse Engineering
19.4.5.2 Static Code Analysis
19.4.6 Analysis of SimpleLocker Encryption Method
19.4.6.1 Java Cryptography
Padding
Modes of Encryption
19.4.6.2 File Encryption and Decryption in SimpleLocker
19.4.7 Dynamic Program Analysis
19.4.8 Removal Methods of SimpleLocker
19.5 Practice Exercise
19.5.1 Installing Android Studio
19.5.2 Creating an Android Application Project
References
Part VI: Multimedia Forensics
Chapter 20: Image Forgery Detection
20.1 Digital Image Processing Fundamentals
20.1.1 Digital Image Basis
20.1.1.1 Image and Pixel
20.1.1.2 Spatial Resolution: M × N
20.1.1.3 Gray Intensity Level Resolution: L
20.1.1.4 Image Sampling and Quantization
20.1.2 Image Types
20.1.2.1 Binary Image
20.1.2.2 Grayscale Image
20.1.2.3 RGB Image
20.1.3 Basic Operation and Transform
20.1.3.1 Fourier Transforms
Fourier Series
One-Dimensional Continuous Fourier Transformation
Two-Dimensional Continuous Fourier Transformation
One-Dimensional Discrete Fourier Transformation
Two-Dimensional Discrete Fourier Transformation
20.1.3.2 Discrete Cosine Transformation
The Definition of DCT
Two-Dimensional DCT
20.1.3.3 Windowed Fourier Transform
20.2 Image Forgery Detection
20.2.1 Image Tampering Techniques
20.2.1.1 Copy-Move Forgery
20.2.1.2 Image-Splicing Forgery
20.2.2 Active Image Forgery Detection
20.2.2.1 Digital Watermarking
20.2.2.2 Digital Signature
20.2.3 Passive-Blind Image Forgery Detection
20.2.3.1 Image Processing Operation Detection
Copy-Move Forgery Detection (CMFD)
Block-Based Approach
Keypoint-Based Approach
Resampling Detection
Blurring Detection
Blurring Model
20.2.3.2 Device-Based Image Forgery Detection
Sensor Noise
Color Filter Array
Chromatic Aberration
20.2.3.3 Format-Based Image Forgery Detection
JPEG Compression
Data Unit
DCT and IDCT
Quantization
Entropy Encoding
JPEG Compression Properties Based Image Forgery Detection
JPEG Header Based Image Forgery Detection
JPEG Blocking Based Image Forensics
Double JPEG Compression
20.3 Practice Exercise
20.3.1 Setting Up Practical Exercise Environment
20.3.2 Exercises
References
Chapter 21: Steganography and Steganalysis
21.1 Steganography and Steganalysis Basis
21.1.1 Steganography Basis
21.1.2 Steganalysis Basis
21.2 Steganography Techniques and Steganography Tools
21.2.1 Steganography Techniques
21.2.1.1 LSB Approaches
21.2.1.2 DCT Based Image Steganography
21.2.2 Steganography Tools
21.3 Steganalytic Techniques and Steganalytic Tools
21.3.1 Steganalytic Techniques
21.3.1.1 Feature Extraction
21.3.1.2 Classifier
21.3.2 Steganalysis Tools
21.4 Practice Exercises
21.4.1 Setting Up the Exercise Environment
21.4.2 Exercises
References