CITATION

Cowen, David. Computer Forensics InfoSec Pro Guide. US: McGraw-Hill Osborne Media, 2013.

Computer Forensics InfoSec Pro Guide

Author: David Cowen

Published: March 2013

eISBN: 9780071742467 0071742468 | ISBN: 9780071742450
  • Cover
  • About the Author
  • Title Page
  • Copyright Page
  • Contents at a Glance
  • Contents
  • Acknowledgments
  • Introduction
  • Who Should Read This Book
  • What This Book Covers
  • How to Use This Book
  • How Is This Book Organized?
  • About the Series
  • Lingo
  • IMHO
  • Budget Note
  • In Actual Practice
  • Your Plan
  • Into Action
  • Part I: Getting Started
  • Chapter 1: What Is Computer Forensics?
  • What You Can Do with Computer Forensics
  • How People Get Involved in Computer Forensics
  • Law Enforcement
  • Military
  • University Programs
  • IT or Computer Security Professionals
  • Incident Response vs. Computer Forensics
  • How Computer Forensic Tools Work
  • Types of Computer Forensic Tools
  • Professional Licensing Requirements
  • Chapter 2: Learning Computer Forensics
  • Where and How to Get Training
  • Law Enforcement Training
  • Corporate Training
  • Where and How to Get Certified
  • Vendor Certifications
  • Vendor-Neutral Certifications
  • Staying Current
  • Conferences
  • Blogs
  • Forums
  • Podcasts
  • Associations
  • Chapter 3: Creating a Lab
  • Choosing Where to Put Your Lab
  • Access Controls
  • Electrical Power
  • Air Conditioning
  • Privacy
  • Gathering the Tools of the Trade
  • Write Blockers
  • Drive Kits
  • External Storage
  • Screwdriver Kits
  • Antistatic Bags
  • Adaptors
  • Forensic Workstation
  • Choosing Forensic Software
  • Open Source Software
  • Commercial Software
  • Storing Evidence
  • Securing Your Evidence
  • Organizing Your Evidence
  • Disposing of Old Evidence
  • Part II: Your First Investigation
  • Chapter 4: How to Approach a Computer Forensics Investigation
  • The Investigative Process
  • What Are You Being Asked to Find Out?
  • Where Would the Data Exist?
  • What Applications Might Have Been Used in Creating the Data?
  • Should You Request to Go Beyond the Scope of the Investigation?
  • Testing Your Hypothesis
  • Step 1. Define Your Hypothesis
  • Step 2. Determine a Repeatable Test
  • Step 3. Create Your Test Environment
  • Step 4. Document Your Testing
  • The Forensic Data Landscape
  • Active Data
  • Unallocated Space
  • Slack Space
  • Mobile Devices
  • External Storage
  • What Do You Have the Authority to Access
  • Who Hosts the Data?
  • Who Owns the Device?
  • Expectation of Privacy
  • Chapter 5: Choosing Your Procedures
  • Forensic Imaging
  • Determining Your Comfort Level
  • Forensic Imaging Method Pros and Cons
  • Creating Forms and Your Lab Manual
  • Chain of Custody Forms
  • Request Forms
  • Report Forms
  • Standard Operating Procedures Manual
  • Chapter 6: Testing Your Tools
  • When Do You Need to Test
  • Collecting Data for Public Research or Presentations
  • Testing a Forensic Method
  • Testing a Tool
  • Where to Get Test Evidence
  • Raw Images
  • Creating Your Own Test Images
  • Forensic Challenges
  • Learn Forensics with David Cowen on YouTube
  • Honeynet Project
  • DC3 Challenge
  • DFRWS Challenge
  • SANS Forensic Challenges
  • High School Forensic Challenge
  • Collections of Tool Testing Images
  • Digital Forensic Tool Testing Images
  • NIST Computer Forensics Reference Data Sets Images
  • The Hacking Case
  • NIST Computer Forensics Tool Testing
  • Chapter 7: Live vs. Postmortem Forensics
  • Live Forensics
  • When Live Forensics Is the Best Option
  • Tools for Live Forensics
  • Postmortem Forensics
  • Postmortem Memory Analysis
  • Chapter 8: Capturing Evidence
  • Creating Forensic Images of Internal Hard Drives
  • FTK Imager with a Hardware Write Blocker
  • FTK Imager with a Software Write Blocker
  • Creating Forensic Images of External Drives
  • FTK Imager with a USB Write Blocker
  • FTK Imager with a Software Write Blocker
  • Software Write Blocking on Linux Systems
  • Creating Forensic Images of Network Shares
  • Capturing a Network Share with FTK Imager
  • Mobile Devices
  • Servers
  • Chapter 9: Nontraditional Digital Forensics
  • Breaking the Rules: Nontraditional Digital Forensic Techniques
  • Volatile Artifacts
  • Malware
  • Encrypted File Systems
  • Challenges to Accessing Encrypted Data
  • Mobile Devices: Smart Phones and Tablets
  • Solid State Drives
  • Virtual Machines
  • Part III: Case Examples: How to Work a Case
  • Chapter 10: Establishing the Investigation Type and Criteria
  • Determining What Type of Investigation Is Required
  • Human Resources Cases
  • Administrator Abuse
  • Stealing Information
  • Internal Leaks
  • Keyloggers and Malware
  • What to Do When Criteria Causes an Overlap
  • What to Do When No Criteria Matches
  • Where Should the Evidence Be?
  • Did This Occur over the Network?
  • Nothing Working? Create a Super Timeline
  • Chapter 11: Human Resources Cases
  • Results of a Human Resource Case
  • How to Work a Pornography Case
  • Pornography Case Study
  • How to Investigate a Pornography Case
  • How to Work a Productivity Waste Case
  • Chapter 12: Administrator Abuse
  • The Abuse of Omniscience
  • Scenario 1: Administrator Runs a Pornographic Site Using Company Resources
  • Beginning an Investigation
  • The Web Server’s Role in the Network
  • Directories
  • Virtual Servers
  • Virtual Directories
  • Scenario 2: Exploiting Insider Knowledge Against an Ex-employer
  • A Private Investigator Calls…
  • As if They’re Reading Our Minds…
  • What a Network Vulnerability Assessment Can Reveal
  • E-mail Data Review and Server Restoration
  • Stepping Up Your Game: Knowledge Meets Creativity
  • Chapter 13: Stealing Information
  • What Are We Looking For?
  • Determining Where the Data Went
  • LNK Files
  • Shellbags
  • Scenario: Recovering Log Files to Catch a Thief
  • Chapter 14: Internal Leaks
  • Why Internal Leaks Happen
  • Investigating Internal Leaks
  • Reviewing the Registry Files
  • Identifying LNK Files
  • Wrapping Up the Investigation
  • Using File System Meta-data to Track Leaked or Printed Materials
  • Chapter 15: Keyloggers and Malware
  • Defining Keyloggers and Malware
  • How to Detect Keyloggers and Malware
  • Registry Files
  • Prefetch Files
  • Keyword Searches
  • Handling Suspicious Files
  • Determining How an Infection Occurred
  • What We Know About This Infection
  • What We Know About the Keylogger
  • Identifying What Data Was Captured
  • Finding Information About the Attacker
  • What We Know About the Attacker
  • Where to Find More About the Attacker
  • Part IV: Defending Your Work
  • Chapter 16: Documenting Your Findings with Reports
  • Documenting Your Findings
  • Who Asked You to Undertake the Investigation
  • What You Were Asked to Do
  • What You Reviewed
  • What You Found
  • What Your Findings Mean
  • Types of Reports
  • Informal Report
  • Incident Report
  • Internal Report
  • Declaration
  • Affidavit
  • Explaining Your Work
  • Define Technical Terms
  • Provide Examples in Layperson Terms
  • Explain Artifacts
  • Chapter 17: Litigation and Reports for Court and Exhibits
  • Important Legal Terms
  • What Type of Witness Are You?
  • Fact Witness
  • Expert Consultant
  • Expert Witness
  • Special Master
  • Neutral
  • Writing Reports for Court
  • Declarations in Support of Motions
  • Expert Reports
  • Creating Exhibits
  • Working with Forensic Artifacts
  • InfoSec Pro Series: Glossary
  • Index