Digital Forensics with Open Source Tools



Similar documents
Virtualization and Forensics

Network Security. Windows 2012 Server. Securing Your Windows. Infrastructure. Network Systems and. Derrick Rountree. Richard Hicks, Technical Editor

Paraben s P2C 4.1. Release Notes

Cyber Attacks. Protecting National Infrastructure Student Edition. Edward G. Amoroso

Managing Data in Motion

Securing the Cloud. Cloud Computer Security Techniques and Tactics. Vic (J.R.) Winkler. Technical Editor Bill Meine ELSEVIER

Risk Analysis and the Security Survey

Computer Forensics using Open Source Tools

Network Security: A Practical Approach. Jan L. Harrington

IMPROVEMENT THE PRACTITIONER'S GUIDE TO DATA QUALITY DAVID LOSHIN

CDR500 Spy Recovery Pro

Where is computer forensics used?

HARFORD COMMUNITY COLLEGE 401 Thomas Run Road Bel Air, MD Course Outline CIS INTRODUCTION TO UNIX

Computing. Federal Cloud. Service Providers. The Definitive Guide for Cloud. Matthew Metheny ELSEVIER. Syngress is NEWYORK OXFORD PARIS SAN DIEGO

Configuration. Management for. Senior Managers. Essential Product Configuration. and Lifecycle Management

Securing SQL Server. Protecting Your Database from. Second Edition. Attackers. Denny Cherry. Michael Cross. Technical Editor ELSEVIER

Automating the Computer Forensic Triage Process With MantaRay

Metrics and Methods for Security Risk Management

Supply Chain Strategies

Open Source Toolkit. Penetration Tester's. Jeremy Faircloth. Third Edition. Fryer, Neil. Technical Editor SYNGRESS. Syngrcss is an imprint of Elsevier

Master Data Management

Customer Relationship Management

Cloud Computing. Theory and Practice. Dan C. Marinescu. Morgan Kaufmann is an imprint of Elsevier HEIDELBERG LONDON AMSTERDAM BOSTON

INTERNATIONAL MONEY AND FINANCE

Example of Standard API

Rapid System Prototyping with FPGAs

Big Data Analytics From Strategie Planning to Enterprise Integration with Tools, Techniques, NoSQL, and Graph

RHCSA 7RHCE Red Haf Linux Certification Practice

Data Warehousing in the Age of Big Data

AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Academic Press is an imprint of Elsevier

Fixed/Mobile Convergence and Beyond AMSTERDAM BOSTON. HEIDELBERG LONDON

EnCase 7 - Basic + Intermediate Topics

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

Measuring Data Quality for Ongoing Improvement

Eleventh Hour Security+

Engineering DOCUMENTATION CONTROL HANDBOOK

Setup and Configuration Setup Assistant Migration Assistant System Preferences Configuration Profiles System Information

How To Write A Diagram

Adobe CQ Digital Asset Management

1. Amendment of Section I. Invitation to Bid item no. 6 and 7 are hereby amended as follows: From:

Practical Web Analytics for User Experience

EnCase v7 Essential Training. Sherif Eldeeb

Schneps, Leila; Colmez, Coralie. Math on Trial : How Numbers Get Used and Abused in the Courtroom. New York, NY, USA: Basic Books, p i.

Understanding the Pros and Cons of Combination Networks 7. Acknowledgments Introduction. Establishing the Numbers of Clients and Servers 4

Adobe Experience Manager: Digital asset management

1! Registry. Windows System Artifacts. Understanding the Windows Registry. Organization of the Windows Registry. Windows Registry Viewer

Useful Utilities. Here are links to free third party applications that we use and recommend.

Digital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics

HTML5 DESIGNING RICH INTERNET APPLICATIONS MATTHEW DAVID

Computer Forensics Principles and Practices

Computer Forensic Tools. Stefan Hager

Mac Marshal: A Tool for Mac OS X Operating System and Application Forensics

Kaseya 2. User Guide. Version 7.0. English

Windows PowerShell Cookbook

IIB. Complete PCB Design Using OrCAD Capture and PCB Editor. Kraig Mitzner. ~»* ' AMSTERDAM BOSTON HEIDELBERG LONDON ^ i H

Forensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)

for the Entire Organization

Getting Started in Red Hat Linux An Overview of Red Hat Linux p. 3 Introducing Red Hat Linux p. 4 What Is Linux? p. 5 Linux's Roots in UNIX p.

Fetch TV My Media Hub Quick Start Guide for USB Devices. Sharing your media content with the set top box from a USB device

Training on Linux System Administration, LPI Certification Level 1

Digital Forensic Techniques

Author A.Kishore/Sachin VNC Background

Just EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012

INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION

Practice Exercise March 7, 2016

The Data Access Handbook

Backup and Recovery. W. Curtis Preston O'REILLY' Beijing Cambridge Farnham Köln Paris Sebastopol Taipei Tokyo

Red Hat Certifications: Red Hat Certified System Administrator (RHCSA)

Automated Identification and Reconstruction of YouTube Video Access

EXi PREP. Solaris 10. System Administration. llllllllllllllll. Bill Calkins. ULB Darmstadt

Overview. Remote access and file transfer. SSH clients by platform. Logging in remotely

Integration in Practice

Operating Systems Forensics

IT Manager's Handbook

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Automating System Administration with Perl

Human Performance Improvement

Agile Development & Business Goals. The Six Week Solution. Joseph Gee. George Stragand. Tom Wheeler

Cloud Storage Client Application Evidence Analysis on UNIX/Linux

SAMPLE ELECTRONIC DISCOVERY INTERROGATORIES AND REQUESTS FOR PRODUCTION

CCE Certification Competencies

Lukas Limacher Department of Computer Science, ETH. Computer Forensics. September 25, 2014

Computer Forensic Capabilities

Kaseya 2. User Guide. Version R8. English

FORENSIC ANALYSIS OF USB MEDIA EVIDENCE. Jesús Alexander García. Luis Alejandro Franco. Juan David Urrea. Carlos Alfonso Torres

The Designer's Guide to VHDL

Paul McFedries. Home Server 2011 LEASHE. Third Edition. 800 East 96th Street, Indianapolis, Indiana USA

2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.

PTK Forensics. Dario Forte, Founder and Ceo DFLabs. The Sleuth Kit and Open Source Digital Forensics Conference

Acquire Video Wall. Revolutionising digital interaction.

Valvation. Theories and Concepts. Rajesh Kumar. Professor of Finance, Institute of Management Technology, Dubai, UAE

Microsoft Dynamics NAV 2015 Hardware and Server Requirements. Microsoft Dynamics NAV Windows Client Requirements

Virtual machine W4M- Galaxy: Installation guide

Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers

System Administration of Windchill 10.2

Transcription:

Digital Forensics with Open Source Tools Cory Altheide Harlan Carvey Technical Editor Ray Davidson AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO SYNGRESS, Syngress is an imprint of Elsevier

About the Authors Acknowledgments Introduction xi xiii xv CHAPTER 1 Digital Forensics with Open Source Tools 1 Welcome to "Digital Forensics with Open Source Tools" 1 What Is "Digital Forensics?" 1 Goals of Forensic Analysis 2 The Digital Forensics Process 3 What Is "Open Source?" 4 "Free" vs. "Open" 4 Open Source Licenses 5 Benefits of Open Source Tools 5 Education 5 Portability and Flexibility 6 Price 6 Ground Truth 7 Summary 7 References 8 CHAPTER 2 Open Source Examination Platform 9 Preparing the Examination System 9 Building Software 9 Installing Interpreters 10 Working with Image Files 10 Working with File Systems 10 Using Linux as the Host 10 Extracting Software 11 GNU Build System 12 Version Control Systems 16 Installing Interpreters 16 Working with Images 19 Using Windows as the Host 26 Building Software 26 Installing Interpreters 27 Working with Images 31 Working with File Systems 34 Summary 37 References 37

VI Contents CHAPTER 3 Disk and File System Analysis 39 Media Analysis Concepts 39 File System Abstraction Model 40 The Sleuth Kit 41 Installing the Sleuth Kit 41 Sleuth Kit Tools 42 Partitioning and Disk Layouts 52 Partition Identification and Recovery 52 Redundant Array of Inexpensive Disks 53 Special Containers 54 Virtual Machine Disk Images 54 Forensic Containers 55 Hashing 56 Carving 58 Foremost 59 Forensic Imaging 61 Deleted Data 61 File Slack 62 dd 64 dcfldd 65 dc3dd 66 Summary 67 References 67 CHAPTER 4 Windows Systems and Artifacts 69 Introduction 69 Windows File Systems 69 File Allocation Table 69 New Technology File System 71 File System Summary 77 Registry 78 Event Logs 84 Prefetch Files 87 Shortcut Files 89 Windows Executables 89 Summary 93 References 93 CHAPTER 5 Linux Systems and Artifacts 95 Introduction 95 Linux File Systems 95

vii File System Layer 96 File Name Layer 99 Metadata Layer 101 Data Unit Layer 103 Journal Tools 103 Deleted Data 103 Linux Logical Volume Manager 104 Linux Boot Process and Services 105 System V 105 BSD 107 Linux System Organization and Artifacts 107 Partitioning 107 Filesystem Hierarchy 107 Ownership and Permissions 108 File Attributes 109 Hidden Files 109 /tmp 109 User Accounts 110 Home Directories 112 Shell History 113 ssh 113 GNOME Windows Manager Artifacts 114 Logs 116 User Activity Logs 116 Syslog 117 Command Line Log Processing 119 Scheduling Tasks 121 Summary 121 References 121 CHAPTER 6 Mac OS X Systems and Artifacts 123 Introduction 123 OS X File System Artifacts 123 HFS+ Structures 123 OS X System Artifacts 129 Property Lists 129 Bundles 130 System Startup and Services 130 Kexts 131 Network Configuration 131 Hidden Directories 132

VIII Contents Installed Applications 133 Swap and Hibernation datadata 133 System Logs 133 User Artifacts 134 Home Directories 134 Summary 141 References 141 CHAPTER 7 Internet Artifacts 143 Introduction 143 Browser Artifacts 143 Internet Explorer 144 Firefox 147 Chrome 154 Safari 156 Mail Artifacts 161 Personal Storage Table 161 mbox and maildir 163 Summary 166 References 166 CHAPTER 8 File Analysis 169 File Analysis Concepts 169 Content Identification 170 Content Examination 171 Metadata Extraction 172 Images 175 JPEG 178 GIF 183 PNG 184 TIFF 185 Audio 185 WAV 185 MPEG-3/MP3 186 MPEG-4 Audio (AAC/M4A) 186 ASF/WMA 188 Video 189 MPEG-1 and MPEG-2 189 MPEG-4 Video (MP4) 189 AVI 190 ASF/WMV 190

ix MOV (Quicktime) 191 MKV 192 Archives 192 ZIP 192 RAR 193 7-zip 195 TAR, GZIP, and BZIP2 195 Documents 196 OLE Compound Files (Office Documents) 197 Office Open XML 201 OpenDocument Format 204 Rich Text Format 205 PDF 206 Summary. 210 References 210 CHAPTER 9 Automating Analysis and Extending Capabilities 211 Introduction 211 Graphical Investigation Environments 211 PyFLAG 212 Digital Forensics Framework 221 Automating Artifact Extraction 229 Fiwalk 229 Timelines 231 Relative Times 233 Inferred Times 234 Embedded Times 236 Periodicity 236 Frequency Patterns and Outliers (Least Frequency of Occurrence) 237 Summary 239 References 239 APPENDIX A Free, Non-open Tools of Note 241 Introduction 241 Chapter 3: Disk and File System Analysis 242 FTKImager 242 ProDiscover Free 242 Chapter 4: Windows Systems and Artifacts 244 Windows File Analysis 244 Event Log Explorer 244 Log Parser 245

Chapter 7: Internet Artifacts 247 NirSoft Tools 247 Woanware Tools 247 Chapter 8: File Analysis 248 Mitec.cz: Structured Storage Viewer 248 OffVis 249 Filelnsight 250 Chapter 9: Automating Analysis and Extending Capabilities 250 Mandiant: Highlighter 250 CaseNotes 252 Validation and Testing Resources 253 Digital Corpora 253 Digital Forensics Tool Testing Images 253 Electronic Discovery Reference Model 254 Digital Forensics Research Workshop Challenges 254 Additional Images 254 References 255 Index 257

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information