Cover
Copyright information
Credits
Disclaimer
About the Author
About the Reviewers
www.PacktPub.com
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
Introduction to Digital Forensics
What is digital forensics?
Digital forensics methodology
A brief history of digital forensics
The need for digital forensics as technology advances
Commercial tools available in the field of digital forensics
Operating systems and open source tools for digital forensics
Digital evidence and forensics toolkit Linux
Computer Aided INvestigative Environment
Kali Linux
The need for multiple forensics tools in digital investigations
Anti-forensics: threats to digital forensics
Encryption
Online and offline anonymity
Summary
Installing Kali Linux
Software version
Downloading Kali Linux
Installing Kali Linux
Installing Kali Linux in VirtualBox
Preparing the Kali Linux virtual machine
Installing Kali Linux on the virtual machine
Partitioning the disk
Exploring Kali Linux
Summary
Understanding Filesystems and Storage Media
Storage media
IBM and the history of storage media
Removable storage media
Magnetic tape drives
Floppy disks
Evolution of the floppy disk
Optical storage media
Compact disks
Digital versatile disks
Blu-ray disk
Flash storage media
USB flash drives
Flash memory cards
Hard disk drives
IDE HDDs
SATA HDDs
Solid-state drives
Filesystems and operating systems
What about the data?
Data states
Metadata
Slack space
Data volatility
The paging file and its importance in digital forensics
Summary
Incident Response and Data Acquisition
Digital evidence acquisitions and procedures
Incident response and first responders
Documentation and evidence collection
Physical evidence collection and preservation
Physical acquisition tools
Order of volatility
Chain of Custody
Powered-on versus powered-off device acquisition
Powered-on devices
Powered-off devices
Write blocking
Data imaging and hashing
Message Digest (MD5) hash
Secure Hashing Algorithm (SHA)
Device and data acquisition guidelines and best practices
Summary
Evidence Acquisition and Preservation with DC3DD and Guymager
Drive and partition recognition in Linux
Device identification using the fdisk command
Maintaining evidence integrity
Using DC3DD in Kali Linux
File-splitting using DC3DD
Verifying hashes of split image files
Erasing a drive using DC3DD
Image acquisition using Guymager
Running Guymager
Acquiring evidence with Guymager
Hash verification
Summary
File Recovery and Data Carving with Foremost, Scalpel, and Bulk Extractor
Forensic test images used in Foremost and Scalpel
Using Foremost for file recovery and data carving
Viewing Foremost results
Using Scalpel for data carving
Specifying file types in Scalpel
Using Scalpel for file carving
Viewing results of Scalpel
Comparing Foremost and Scalpel
Bulk_extractor
Forensic test image for Bulk_extractor
Using Bulk_extractor
Viewing results of Bulk_extractor
Summary
Memory Forensics with Volatility
About the Volatility Framework
Downloading test images for use with Volatility
Image location
Using Volatility in Kali Linux
Choosing a profile in Volatility
The imageinfo plugin
Process identification and analysis
The pslist command
The pstree command
The psscan command
The psxview plugin
Analyzing network services and connections
The connections command
The connscan command
The sockets plugin
DLL analysis
The verinfo command
The dlllist plugin
The getsids command
Registry analysis
The hivescan plugin
The hivelist plugin
Password dumping
Timeline of events
The timeliner plugin
Malware analysis
Summary
Autopsy – The Sleuth Kit
Introduction to Autopsy – The Sleuth Kit
Sample image file used in Autopsy
Digital forensics with Autopsy
Starting Autopsy
Creating a new case
Analysis using Autopsy
Sorting files
Reopening cases in Autopsy
Summary
Network and Internet Capture Analysis with Xplico
Software required
Starting Xplico in Kali Linux
Starting Xplico in DEFT Linux 8.2
Packet capture analysis using Xplico
HTTP and web analysis using Xplico
VoIP analysis using Xplico
Email analysis using Xplico
SMTP exercise using Wireshark sample file
Summary
Revealing Evidence Using DFF
Installing DFF
Starting the DFF GUI
Recovering deleted files with DFF
File analysis with DFF
Summary
Updated: 2021-07-02 21:34:07