Preface

Our Purpose and Approach

Welcome to Real Digital Forensics. When we conceived this book, we wanted to give forensic investigators more than words to learn new skills. In our classes and speaking engagements, people ask us a simple question we have heard hundreds of times: "How do I get into the field of computer forensics?" In our opinion, you cannot learn forensics unless you have hands-on practical experience. This brings up a more important question we usually hear next: "How do I get my hands on data to gain that experience?" This question is much more difficult to answer because the only data most people have to practice with comes from real cases, and we all know that our clients do not want their data disseminated as learning material! Therefore, it is difficult for most people to find data to practice with in order to sharpen their computer forensic skills. To answer this second question, we decided to publish this book with a DVD containing realistic evidence collected from several fictitious scenarios for the sole purpose of teaching the computer forensic tradecraft. Most of the scenarios you will find throughout this book are very similar to the types of cases that we investigate every day. We used the same tools attackers use when establishing a foothold in your network, the same methods rogue employees make use of to steal your trade secrets, and the same media we typically collect when we created the evidence files found on the D
About the Authors.
I. LIVE INCIDENT RESPONSE.
1. Windows Live Response.
2. Unix Live Response.
II. NETWORK-BASED FORENSICS.
3. Collecting Network-Based Evidence.
4. Analyzing Network-Based Evidence for a Windows Intrusion.
5. Analyzing Network-Based Evidence for a Unix Intrusion.
III. ACQUIRING A FORENSIC DUPLICATION.
6. Before You Jump Right In…
7. Commercial-Based Forensic Duplications.
8. Noncommercial-Based Forensic Duplications.
IV. FORENSIC ANALYSIS TECHNIQUES.
9. Common Forensic Analysis Techniques.
10. Web Browsing Activity Reconstruction.
11. E-Mail Activity Reconstruction.
12. Microsoft Windows Registry Reconstruction.
13. Forensic Tool Analysis: An Introduction to Using Linux for Analyzing Files of Unknown Origin.
14. Forensic Tool Analysis: A Hands-On Analysis of the Linux File aio.
15. Forensic Tool Analysis: Analyzing Files of Unknown Origin (Windows).
V. CREATING A COMPLETE FORENSIC TOOL KIT.
16. Building the Ultimate Response CD.
17. Making Your CD-ROM a Bootable Environment.
VI. MOBILE DEVICE FORENSICS.
18. Forensic Duplication and Analysis of Personal Digital Assistants.
19. Forensic Duplication of USB and Compact Flash Memory Devices.
20. Forensic Analysis of USB and Compact Flash Memory Devices.
VII. ONLINE-BASED FORENSICS.
21. Tracing E-Mail.
22. Domain Name Ownership.
Appendix: An Introduction to Perl.