Sign in
|
Register
|
Mobile
Home
Browse
About us
Help/FAQ
Advanced search
Home
>
Browse
>
Computer Forensics InfoSec Pro Guide
CITATION
Cowen, David
.
Computer Forensics InfoSec Pro Guide
.
US
: McGraw-Hill Osborne Media, 2013.
Add to Favorites
Email to a Friend
Download Citation
Computer Forensics InfoSec Pro Guide
Authors:
David Cowen
Published:
March 2013
eISBN:
9780071742467 0071742468
|
ISBN:
9780071742450
Open eBook
Book Description
Table of Contents
Cover
About the Author
Title Page
Copyright Page
Contents at a Glance
Contents
Acknowledgments
Introduction
Who Should Read This Book
What This Book Covers
How to Use This Book
How Is This Book Organized?
About the Series
Lingo
IMHO
Budget Note
In Actual Practice
Your Plan
Into Action
Part I: Getting Started
Chapter 1: What Is Computer Forensics?
What You Can Do with Computer Forensics
How People Get Involved in Computer Forensics
Law Enforcement
Military
University Programs
IT or Computer Security Professionals
Incident Response vs. Computer Forensics
How Computer Forensic Tools Work
Types of Computer Forensic Tools
Professional Licensing Requirements
Chapter 2: Learning Computer Forensics
Where and How to Get Training
Law Enforcement Training
Corporate Training
Where and How to Get Certified
Vendor Certifications
Vendor-Neutral Certifications
Staying Current
Conferences
Blogs
Forums
Podcasts
Associations
Chapter 3: Creating a Lab
Choosing Where to Put Your Lab
Access Controls
Electrical Power
Air Conditioning
Privacy
Gathering the Tools of the Trade
Write Blockers
Drive Kits
External Storage
Screwdriver Kits
Antistatic Bags
Adaptors
Forensic Workstation
Choosing Forensic Software
Open Source Software
Commercial Software
Storing Evidence
Securing Your Evidence
Organizing Your Evidence
Disposing of Old Evidence
Part II: Your First Investigation
Chapter 4: How to Approach a Computer Forensics Investigation
The Investigative Process
What Are You Being Asked to Find Out?
Where Would the Data Exist?
What Applications Might Have Been Used in Creating the Data?
Should You Request to Go Beyond the Scope of the Investigation?
Testing Your Hypothesis
Step 1. Define Your Hypothesis
Step 2. Determine a Repeatable Test
Step 3. Create Your Test Environment
Step 4. Document Your Testing
The Forensic Data Landscape
Active Data
Unallocated Space
Slack Space
Mobile Devices
External Storage
What Do You Have the Authority to Access
Who Hosts the Data?
Who Owns the Device?
Expectation of Privacy
Chapter 5: Choosing Your Procedures
Forensic Imaging
Determining Your Comfort Level
Forensic Imaging Method Pros and Cons
Creating Forms and Your Lab Manual
Chain of Custody Forms
Request Forms
Report Forms
Standard Operating Procedures Manual
Chapter 6: Testing Your Tools
When Do You Need to Test
Collecting Data for Public Research or Presentations
Testing a Forensic Method
Testing a Tool
Where to Get Test Evidence
Raw Images
Creating Your Own Test Images
Forensic Challenges
Learn Forensics with David Cowen on YouTube
Honeynet Project
DC3 Challenge
DFRWS Challenge
SANS Forensic Challenges
High School Forensic Challenge
Collections of Tool Testing Images
Digital Forensic Tool Testing Images
NIST Computer Forensics Reference Data Sets Images
The Hacking Case
NIST Computer Forensics Tool Testing
Chapter 7: Live vs. Postmortem Forensics
Live Forensics
When Live Forensics Is the Best Option
Tools for Live Forensics
Postmortem Forensics
Postmortem Memory Analysis
Chapter 8: Capturing Evidence
Creating Forensic Images of Internal Hard Drives
FTK Imager with a Hardware Write Blocker
FTK Imager with a Software Write Blocker
Creating Forensic Images of External Drives
FTK Imager with a USB Write Blocker
FTK Imager with a Software Write Blocker
Software Write Blocking on Linux Systems
Creating Forensic Images of Network Shares
Capturing a Network Share with FTK Imager
Mobile Devices
Servers
Chapter 9: Nontraditional Digital Forensics
Breaking the Rules: Nontraditional Digital Forensic Techniques
Volatile Artifacts
Malware
Encrypted File Systems
Challenges to Accessing Encrypted Data
Mobile Devices: Smart Phones and Tablets
Solid State Drives
Virtual Machines
Part III: Case Examples: How to Work a Case
Chapter 10: Establishing the Investigation Type and Criteria
Determining What Type of Investigation Is Required
Human Resources Cases
Administrator Abuse
Stealing Information
Internal Leaks
Keyloggers and Malware
What to Do When Criteria Causes an Overlap
What to Do When No Criteria Matches
Where Should the Evidence Be?
Did This Occur over the Network?
Nothing Working? Create a Super Timeline
Chapter 11: Human Resources Cases
Results of a Human Resource Case
How to Work a Pornography Case
Pornography Case Study
How to Investigate a Pornography Case
How to Work a Productivity Waste Case
Chapter 12: Administrator Abuse
The Abuse of Omniscience
Scenario 1: Administrator Runs a Pornographic Site Using Company Resources
Beginning an Investigation
The Web Server’s Role in the Network
Directories
Virtual Servers
Virtual Directories
Scenario 2: Exploiting Insider Knowledge Against an Ex-employer
A Private Investigator Calls…
As if They’re Reading Our Minds…
What a Network Vulnerability Assessment Can Reveal
E-mail Data Review and Server Restoration
Stepping Up Your Game: Knowledge Meets Creativity
Chapter 13: Stealing Information
What Are We Looking For?
Determining Where the Data Went
LNK Files
Shellbags
Scenario: Recovering Log Files to Catch a Thief
Chapter 14: Internal Leaks
Why Internal Leaks Happen
Investigating Internal Leaks
Reviewing the Registry Files
Identifying LNK Files
Wrapping Up the Investigation
Using File System Meta-data to Track Leaked or Printed Materials
Chapter 15: Keyloggers and Malware
Defining Keyloggers and Malware
How to Detect Keyloggers and Malware
Registry Files
Prefetch Files
Keyword Searches
Handling Suspicious Files
Determining How an Infection Occurred
What We Know About This Infection
What We Know About the Keylogger
Identifying What Data Was Captured
Finding Information About the Attacker
What We Know About the Attacker
Where to Find More About the Attacker
Part IV: Defending Your Work
Chapter 16: Documenting Your Findings with Reports
Documenting Your Findings
Who Asked You to Undertake the Investigation
What You Were Asked to Do
What You Reviewed
What You Found
What Your Findings Mean
Types of Reports
Informal Report
Incident Report
Internal Report
Declaration
Affidavit
Explaining Your Work
Define Technical Terms
Provide Examples in Layperson Terms
Explain Artifacts
Chapter 17: Litigation and Reports for Court and Exhibits
Important Legal Terms
What Type of Witness Are You?
Fact Witness
Expert Consultant
Expert Witness
Special Master
Neutral
Writing Reports for Court
Declarations in Support of Motions
Expert Reports
Creating Exhibits
Working with Forensic Artifacts
InfoSec Pro Series: Glossary
Index