Learn Computer Forensics
A beginner's guide to searching, analyzing, and securing digital evidence

A computer forensics investigator must possess a variety of skills, including the ability to answer legal questions, gather and document evidence, and prepare for an investigation. This book will help you get up and running with using digital forensic tools and techniques to investigate cybercrimes successfully.

Starting with an overview of forensics and all the open source and commercial tools needed to get the job done, you'll learn core forensic practices for searching databases and analyzing data over networks, personal devices, and web applications. You'll then learn how to acquire valuable information from different places, such as filesystems, e-mails, browser histories, and search queries, and capture data remotely. As you advance, this book will guide you through implementing forensic techniques on multiple platforms, such as Windows, Linux, and macOS, to demonstrate how to recover valuable information as evidence.

Finally, you'll get to grips with presenting your findings efficiently in judicial or administrative proceedings.

By the end of this book, you'll have developed a clear understanding of how to acquire, analyze, and present digital evidence like a proficient computer forensics investigator.

Things you will learn:
• Understand investigative processes, the rules of evidence, and ethical guidelines
• Recognize and document different types of computer hardware
• Understand the boot process covering BIOS, UEFI, and the boot sequence
• Validate forensic hardware and software
• Discover the locations of common Windows artifacts
• Document your findings using technically correct terminology

www.packt.com
William Oettinger
Learn Computer
Forensics
A beginner's guide to searching, analyzing,
and securing digital evidence
William Oettinger
BIRMINGHAM—MUMBAI
Learn Computer Forensics
Copyright © 2020 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, without the prior written permission of the publisher,
except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the
information presented. However, the information contained in this book is sold without warranty,
either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors,
will be held liable for any damages caused or alleged to have been caused directly or indirectly
by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies
and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing
cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Shrilekha Inani
Senior Editor: Rahul D'souza
Content Development Editor: Ronn Kurien
Technical Editor: Dinesh Pawar
Copy Editor: Safis Editing
Project Coordinator: Neil D'mello
Proofreader: Safis Editing
Indexer: Priyanka Dhadke
Production Designer: Nilesh Mohite
First published: April 2020
Production reference: 1240420
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-83864-817-6
www.packt.com
This book is dedicated to IACIS and the pioneers of this field whom
I have had the privilege of meeting and learning from. Mike Anderson and
Will Docken were some of the first professionals I met and they had
a significant impact on me as I started in this field. I want to thank
Eric Zimmerman, Harlan Carvey, Brett Shavers, and Steve Whalen for
all of the work they do for the forensics community. Your information
sharing and work have impacted me and helped me grow as an examiner.
There is a long list of people who contributed to my success that I want
to thank: Larry Smith, David Papargiris, Tom Keller, Dave McCain,
Steve Williams, Scott Pearson, Scot Bradeen, Matt Presser, Mike Webber,
and everyone else who has helped me along the way.
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos,
as well as industry leading tools to help you plan your personal development and
advance your career. For more information, please visit our website.
Why subscribe?
• Spend less time learning and more time coding with practical eBooks and videos
from over 4,000 industry professionals
• Improve your learning with Skill Plans built especially for you
• Get a free eBook or video every month
• Fully searchable for easy access to vital information
• Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and
ePub files available? You can upgrade to the eBook version at packt.com and, as a print
book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
[email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up
for a range of free newsletters, and receive exclusive discounts and offers on Packt books
and eBooks.
Contributors
About the author
William Oettinger is a veteran technical trainer and investigator. He is a retired police
officer with the Las Vegas Metropolitan Police Department and a retired CID agent with
the United States Marine Corps. He is a professional with over 20 years' experience in
academic, local, military, federal, and international law enforcement organizations, where
he acquired his multifaceted experience in IT, digital forensics, security operations, law
enforcement, criminal investigations, policy, and procedure development. He has earned
an MSc from Tiffin University, Ohio. He works for Bilecki and Tipon LLLC and the
University of Maryland Global Campus (UMGC). When not working, he likes to spend
time with his wife and his two miniature schnauzers.
About the reviewer
Peter Phurchpean is an investigator with the Computer Crimes Investigation Unit,
California Highway Patrol. He has been with the California Highway Patrol (CHP) since
2002. He has been a member of the CHP's Computer Crimes Investigation Unit for the
past 7 years as a digital forensic analyst and investigator. During his time with the unit,
he has been responsible for investigating computer crimes against the State of California,
ranging from network intrusions against State agencies to child exploitation cases. He is
experienced in the analysis of computers, smartphones, and network systems. He has also
successfully obtained computer forensic certifications through the California Department
of Justice and many other institutions besides.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com
and apply today. We have worked with thousands of developers and
tech professionals, just like you, to help them share their insight with the global tech
community. You can make a general application, apply for a specific hot topic that we
are recruiting an author for, or submit your own idea.
Table of Contents

Preface

Section 1: Acquiring Evidence

1. Types of Computer-Based Investigations
    Differences in computer-based investigations 4
    Criminal investigations 6
    First responders 6
    Corporate investigations 18
    Employee misconduct 19
    Corporate espionage 22
    Insider threat 27
    Summary 29
    Questions 30
    Further reading 31

2. The Forensic Analysis Process
    Pre-investigation considerations 34
    The forensic workstation 35
    The response kit 36
    Forensic software 40
    Forensic investigator training 43
    Understanding case information and legal issues 44
    Understanding data acquisition 47
    Chain of custody 49
    Understanding the analysis process 53
    Dates and time zones 54
    Hash analysis 54
    File signature analysis 57
    Antivirus 59
    Reporting your findings 63
    Details to include in your report 63
    Document facts and circumstances 65
    The report conclusion 66
    Summary 67
    Questions 68
    Further reading 69

3. Acquisition of Evidence
    Exploring evidence 72
    Understanding the forensic examination environment 75
    Tool validation 76
    Creating sterile media 81
    Understanding write blocking 86
    Defining forensic imaging 89
    DD image 90
    EnCase evidence file 91
    SSD device 92
    Imaging tools 93
    Summary 106
    Questions 107
    Further reading 108

4. Computer Systems
    Understanding the boot process 110
    Forensic boot media 112
    Hard drives 115
    MBR (Master Boot Record) partitions 117
    GPT partitions 121
    Host Protected Area (HPA) and Device Configuration Overlays (DCO) 125
    Understanding filesystems 126
    The FAT filesystem 126
    Data area 131
    Long filenames 134
    Recovering deleted files 134
    Slack space 137
    Understanding the NTFS filesystem 137
    Summary 149
    Questions 149
    Further reading 150

Section 2: Investigation

5. Computer Investigation Process
    Timeline analysis 154
    X-Ways 156
    Media analysis 172
    String search 174
    Recovering deleted data 176
    Summary 179
    Questions 179
    Further reading 181

6. Windows Artifact Analysis
    Understanding user profiles 184
    Understanding Windows Registry 186
    Determining account usage 189
    Last Login/Last Password Change 189
    Determining file knowledge 195
    Exploring the thumbcache 195
    Exploring Microsoft browsers 198
    Determining most recently used/recently used 199
    Looking into the Recycle Bin 202
    Understanding shortcut (LNK) files 203
    Deciphering JumpLists 204
    Opening shellbags 206
    Understanding prefetch 207
    Identifying physical locations 209
    Determining time zones 209
    Exploring network history 210
    Understanding the WLAN event log 211
    Exploring program execution 213
    Determining UserAssist 213
    Exploring Shimcache 214
    Understanding USB/attached devices 215
    Summary 218
    Questions 218
    Further reading 219

7. RAM Memory Forensic Analysis
    Fundamentals of memory 222
    Random access memory? 223
    Identifying sources of memory 225
    Capturing RAM 227
    Preparing the capturing device 227
    Exploring RAM capture tools 228
    Exploring RAM analyzing tools 232
    Using Bulk Extractor 232
    Summary 240
    Questions 240
    Further reading 241