Practical Forensic Imaging: Securing Digital Evidence with Linux Tools

by Bruce Nikkel; foreword by Eoghan Casey.
Book · English · 2016 · Electronic books.
Contributors
Casey, Eoghan (writer of foreword)
Extent
1 online resource (324 pages): illustrations
Edition
1st edition
Notes
Includes index.
Contents: Intro -- Title Page -- Copyright Page -- Dedication -- About the Author -- Brief Contents -- Contents in Detail -- Foreword by Eoghan Casey -- Introduction -- Why I Wrote This Book -- How This Book Is Different -- Why Use the Command Line? -- Target Audience and Prerequisites -- Who Should Read This Book? -- Prerequisite Knowledge -- Preinstalled Platform and Software -- How the Book Is Organized -- The Scope of This Book -- Conventions and Format
Chapter 0: Digital Forensics Overview -- Digital Forensics History -- Pre-Y2K -- 2000-2010 -- 2010-Present -- Forensic Acquisition Trends and Challenges -- Shift in Size, Location, and Complexity of Evidence -- Multijurisdictional Aspects -- Industry, Academia, and Law Enforcement Collaboration -- Principles of Postmortem Computer Forensics -- Digital Forensic Standards -- Peer-Reviewed Research -- Industry Regulations and Best Practice -- Principles Used in This Book
Chapter 1: Storage Media Overview -- Magnetic Storage Media -- Hard Disks -- Magnetic Tapes -- Legacy Magnetic Storage -- Non-Volatile Memory -- Solid State Drives -- USB Flash Drives -- Removable Memory Cards -- Legacy Non-Volatile Memory -- Optical Storage Media -- Compact Discs -- Digital Versatile Discs -- Blu-ray Discs -- Legacy Optical Storage -- Interfaces and Physical Connectors -- Serial ATA -- Serial Attached SCSI and Fibre Channel -- Non-Volatile Memory Express -- Universal Serial Bus -- Thunderbolt -- Legacy Interfaces -- Commands, Protocols, and Bridges -- ATA Commands -- SCSI Commands -- NVME Commands -- Bridging, Tunneling, and Pass-Through -- Special Topics -- DCO and HPA Drive Areas -- Drive Service and Maintenance Areas -- USB Attached SCSI Protocol -- Advanced Format 4Kn -- NVME Namespaces -- Solid State Hybrid Disks -- Closing Thoughts
Chapter 2: Linux as a Forensic Acquisition Platform -- Linux and OSS in a Forensic Context -- Advantages of Linux and OSS in Forensics Labs -- Disadvantages of Linux and OSS in Forensics Labs -- Linux Kernel and Storage Devices -- Kernel Device Detection -- Storage Devices in /dev -- Other Special Devices -- Linux Kernel and Filesystems -- Kernel Filesystem Support -- Mounting Filesystems in Linux -- Accessing Filesystems with Forensic Tools -- Linux Distributions and Shells -- Linux Distributions -- The Shell -- Command Execution -- Piping and Redirection -- Closing Thoughts
Chapter 3: Forensic Image Formats -- Raw Images -- Traditional dd -- Forensic dd Variants -- Data Recovery Tools -- Forensic Formats -- EnCase EWF -- FTK SMART -- AFF -- SquashFS as a Forensic Evidence Container -- SquashFS Background -- SquashFS Forensic Evidence Containers -- Closing Thoughts
Chapter 4: Planning and Preparation -- Maintain an Audit Trail -- Task Management -- Shell History -- Terminal Recorders -- Linux Auditing -- Organize Collected Evidence and Command Output -- Naming Conventions for Files and Directories -- Scalable Examination Directory Structure -- Save Command Output with Redirection -- Assess Acquisition Infrastructure Logistics -- Image Sizes and Disk Space Requirements -- File Compression -- Sparse Files -- Reported File and Image Sizes -- Moving and Copying Forensic Images -- Estimate Task Completion Times -- Performance and Bottlenecks -- Heat and Environmental Factors -- Establish Forensic Write-Blocking Protection -- Hardware Write Blockers -- Software Write Blockers -- Linux Forensic Boot CDs -- Media with Physical Read-Only Modes -- Closing Thoughts
Chapter 5: Attaching Subject Media to an Acquisition Host -- Examine Subject PC Hardware -- Physical PC Examination and Disk Removal -- Subject PC Hardware Review -- Attach Subject Disk to an Acquisition Host -- View Acquisition Host Hardware -- Identify the Subject Drive -- Query the Subject Disk for Information -- Document Device Identification Details -- Query Disk Capabilities and Features with hdparm -- Extract SMART Data with smartctl -- Enable Access to Hidden Sectors -- Remove a DCO -- Remove an HPA -- Drive Service Area Access -- ATA Password Security and Self-Encrypting Drives -- Identify and Unlock ATA Password-Protected Disks -- Identify and Unlock Opal Self-Encrypting Drives -- Encrypted Flash Thumb Drives -- Attach Removable Media -- Optical Media Drives -- Magnetic Tape Drives -- Memory Cards -- Attach Other Storage -- Apple Target Disk Mode -- NVME SSDs -- Other Devices with Block or Character Access -- Closing Thoughts
Chapter 6: Forensic Image Acquisition -- Acquire an Image with dd Tools -- Standard Unix dd and GNU dd -- The dcfldd and dc3dd Tools -- Acquire an Image with Forensic Formats -- The ewfacquire Tool -- AccessData ftkimager -- SquashFS Forensic Evidence Container -- Acquire an Image to Multiple Destinations -- Preserve Digital Evidence with Cryptography -- Basic Cryptographic Hashing -- Hash Windows -- Sign an Image with PGP or S/MIME -- RFC-3161 Timestamping -- Manage Drive Failure and Errors -- Forensic Tool Error Handling -- Data Recovery Tools -- SMART and Kernel Errors -- Other Options for Failed Drives -- Damaged Optical Discs -- Image Acquisition over a Network -- Remote Forensic Imaging with rdd -- Secure Remote Imaging with ssh -- Remote Acquisition to a SquashFS Evidence Container -- Acquire a Remote Disk to EnCase or FTK Format -- Live Imaging with Copy-On-Write Snapshots -- Acquire Removable Media -- Memory Cards -- Optical Discs -- Magnetic Tapes -- RAID and Multidisk Systems -- Proprietary RAID Acquisition -- JBOD and RAID-0 Striped Disks -- Microsoft Dynamic Disks -- RAID-1 Mirrored Disks -- Linux RAID-5 -- Closing Thoughts
Chapter 7: Forensic Image Management -- Manage Image Compression -- Standard Linux Compression Tools -- EnCase EWF Compressed Format -- FTK SMART Compressed Format -- AFFlib Built-In Compression -- SquashFS Compressed Evidence Containers -- Manage Split Images -- The GNU split Command -- Split Images During Acquisition -- Access a Set of Split Image Files -- Reassemble a Split Image -- Verify the Integrity of a Forensic Image -- Verify the Hash Taken During Acquisition -- Recalculate the Hash of a Forensic Image -- Cryptographic Hashes of Split Raw Images -- Identify Mismatched Hash Windows -- Verify Signature and Timestamp -- Convert Between Image Formats -- Convert from Raw Images -- Convert from EnCase/E01 Format -- Convert from FTK Format -- Convert from AFF Format -- Secure an Image with Encryption -- GPG Encryption -- OpenSSL Encryption -- Forensic Format Built-In Encryption -- General Purpose Disk Encryption -- Disk Cloning and Duplication -- Prepare a Clone Disk -- Use HPA to Replicate Sector Size -- Write an Image File to a Clone Disk -- Image Transfer and Storage -- Write to Removable Media -- Inexpensive Disks for Storage and Transfer -- Perform Large Network Transfers -- Secure Wiping and Data Disposal -- Dispose of Individual Files -- Secure Wipe a Storage Device -- Issue ATA Security Erase Unit Commands -- Destroy Encrypted Disk Keys -- Closing Thoughts
Chapter 8: Special Image Access Topics -- Forensically Acquired Image Files -- Raw Image Files with Loop Devices -- Forensic Format Image Files -- Prepare Boot Images with xmount -- VM Images -- QEMU QCOW2 -- VirtualBox VDI -- VMWare VMDK -- Microsoft VHD -- OS-Encrypted Filesystems -- Microsoft BitLocker -- Apple FileVault -- Linux LUKS -- TrueCrypt and VeraCrypt -- Closing Thoughts
Chapter 9: Extracting Subsets of Forensic Images -- Assess Partition Layout and Filesystems -- Partition Scheme -- Partition Tables -- Filesystem Identification -- Partition Extraction -- Extract Individual Partitions -- Find and Extract Deleted Partitions -- Identify and Extract Inter-Partition Gaps -- Extract HPA and DCO Sector Ranges -- Other Piecewise Data Extraction -- Extract Filesystem Slack Space -- Extract Filesystem Unallocated Blocks -- Manual Extraction Using Offsets -- Closing Thoughts
Closing Remarks -- Index -- Updates -- "An indispensable reference for anyone responsible for preserving digital evidence." -Professor Eoghan Casey, University of Lausanne -- Footnotes -- Chapter 0: Digital Forensics Overview -- Chapter 1: Storage Media Overview -- Chapter 2: Linux as a Forensic Acquisition Platform -- Chapter 3: Forensic Image Formats -- Chapter 4: Planning and Preparation -- Chapter 5: Attaching Subject Media to an Acquisition Host -- Chapter 6: Forensic Image Acquisition -- Chapter 7: Forensic Image Management -- Chapter 8: Special Image Access Topics
Summary: Practical Forensic Imaging takes a detailed look at how to secure and manage digital evidence using Linux-based command line tools.
ISBN
1-4920-1804-X; 1-59327-793-8; 1-59327-800-4
