
Guide to Computer Forensics and Investigations 7th Edition by Bill Nelson, ISBN-13: 978-0357672884

Original price was: $100.00. Current price is: $19.99.

Description


[PDF eBook eTextbook] – Available Instantly

  • Publisher: Cengage Learning; 7th edition (April 8, 2024)
  • Language: English
  • 768 pages
  • ISBN-10: 0357672887
  • ISBN-13: 978-0357672884

Master the skills you need to conduct a successful digital investigation with Nelson/Phillips/Steuart’s GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS, 7th Edition. Combining the latest advances in computer forensics with all-encompassing topic coverage, authoritative information from seasoned experts and real-world applications, you get the most comprehensive forensics resource available. While other resources offer an overview of the field, the hands-on learning in GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS teaches you the tools and techniques of the trade, introducing you to every step of the digital forensics investigation process, from lab setup to testifying in court. Designed to provide the most modern approach to the ins and outs of the profession of digital forensics investigation, it is appropriate for learners new to the field and an excellent refresher and technology update for current law enforcement, investigations or information security professionals.

Table of Contents:

Cover Page

Title Page

Copyright Page

Introduction

About the Authors

Acknowledgments

Bill Nelson

Amelia Phillips

Christopher K. Steuart

Robert S. Wilson

Module 1. Understanding the Digital Forensics Profession and Investigations

Manage. An Overview of Digital Forensics

Digital Forensics and Other Related Disciplines

A Brief History of Digital Forensics Tools

Understanding Case Law

Developing Digital Forensics Resources

Manage. Preparing for Digital Investigations

Understanding Public-Sector Investigations

Understanding Private-Sector Investigations

Manage. Maintaining Professional Conduct

Manage. Managing a Digital Forensics Investigation

Five Steps of an Investigation

An Overview of a Computer Crime

An Overview of a Company Policy Violation

Taking a Systematic Approach

Examine. Procedures for Private-Sector High-Tech Investigations

Employee Termination Cases

Internet Abuse Investigations

Email Abuse Investigations

Attorney-Client Privilege Investigations

Industrial Espionage Investigations

Interviews and Interrogations in High-Tech Investigations

Analyze. Understanding Data Recovery Workstations and Software

Setting Up Your Workstation for Digital Forensics

Manage. Conducting an Investigation

Gathering the Evidence

Understanding Bit-Stream Copies

Analyzing Your Digital Evidence

Critiquing the Case

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 2. Report Writing and Testimony for Digital Investigations

Manage. Understanding the Importance of Reports with a View to Testifying

Limiting a Report to Specifics

Types of Reports

Analyze. Guidelines for Writing Reports

What to Include in Written Preliminary Reports

Report Structure

Writing Reports Clearly

Designing the Layout and Presentation of Reports

Manage. Generating Report Findings and Writing the Digital Forensics Report

Building Report Resources

Determine Who Will Read the Report

Putting the Digital Forensics Report Together

Examine. Preparing for Testimony

Documenting and Preparing Evidence

Creating and Maintaining Your CV

Preparing Technical Definitions

Preparing to Deal with the News Media

Examine. Testifying in Court and Depositions

Understanding the Trial Process

Providing Qualifications for Your Testimony

General Guidelines on Testifying

Testifying during Direct Examination

Testifying during Cross-Examination

Preparing for a Deposition or Hearing

Guidelines for Testifying at Hearings

Testimony Planning Review

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 3. The Investigator’s Laboratory and Digital Forensics Tools

Manage. Understanding Forensics Lab Accreditation Requirements

Identifying Duties of the Lab Manager and Staff

Lab Budget Planning

Acquiring Certification and Training

Examine. Determining the Physical Requirements for a Digital Forensics Lab

Access and Security

Security for High-Risk Investigations

Evidence Storage Containers

Facility Maintenance

Auditing a Digital Forensics Lab

Floor Plans for Digital Forensics Labs

Manage. Selecting a Basic Forensic Workstation

Selecting Workstations for a Lab

Selecting Workstations for Private-Sector Labs

Stocking Hardware Peripherals

Maintaining Operating Systems and Software Inventories

Using a Disaster Recovery Plan

Planning for Equipment Upgrades

Manage. Building a Business Case for Developing a Forensics Lab

Preparing a Business Case for a Digital Forensics Lab

Analyze. Evaluating Digital Forensics Tools

Types of Digital Forensics Tools

Tasks Performed by Digital Forensics Tools

Tool Comparisons

Other Considerations for Tools

Manage. Digital Forensics Software Tools

Command-Line Forensics Tools

Linux Forensics Tools

Other GUI Forensics Tools

Manage. Digital Forensics Hardware Tools

Forensic Workstations

Using a Write-Blocker

Recommendations for a Forensic Workstation

Analyze. Validating and Testing Forensics Software

Using National Institute of Standards and Technology Tools

Using Validation Protocols

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 4. Data Acquisition

Analyze. Understanding Storage Formats for Digital Evidence

Open-Source Imaging Formats

Proprietary Formats

Manage. Acquisition Planning

Developing an Acquisition Action Plan

Determining the Best Acquisition Method

Calculating Acquisition Times

Manage. Contingency Planning for Image Acquisitions

Manage. Using Acquisition Tools

Using Linux Live CD/DVD and USB Distributions

Mini-WinFE Boot CDs and USB Drives

Kali Linux Live Features

FTK Imager Features

Preparing a Target Drive for a Forensic Acquisition

Understanding the Boot Sequence

Using xcopy to Collect Evidence

Using robocopy to Collect Evidence

Analyze. Validating Data Acquisitions

Linux Validation Methods

Windows Validation Methods

Solid-State Drive Concerns

Media Failure Concerns

Using Compare Functions to Validate Data

Manage. Performing RAID Data Acquisitions

Understanding RAID

Acquiring RAID Disks

Manage. Using Other Forensics Acquisition Tools

ASR Data SMART

ILookIX IXImager

PassMark Software OSForensics OSFClone

Runtime Software DiskExplorer

ForensicSoft SAFE Boot Disk

X-Ways Imager

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 5. Processing Crime and Incident Scenes

Manage. Identifying Digital Evidence

Understanding Rules of Evidence

Examine. Collecting Evidence at Private-Sector Incident Scenes

Examine. Processing Law Enforcement Crime Scenes

Understanding Concepts and Terms Used in Warrants

Examine. Preparing for a Search

Identifying the Nature of the Case

Identifying the Type of OS or Digital Device

Determining Whether You Can Seize Computers and Digital Devices

Getting a Detailed Description of the Location

Determining Who Is in Charge

Using Additional Technical Expertise

Determining the Tools You Need

Preparing the Investigation Team

Examine. Securing a Digital Incident or Crime Scene

Manage. Seizing Digital Evidence at the Scene

Preparing to Acquire Digital Evidence

Processing Incident or Crime Scenes

Processing Data Centers with RAID Systems

Using a Technical Advisor

Documenting Evidence in the Lab

Processing and Handling Digital Evidence

Special Situation Needs

Manage. Archival Storage and Transportation of Digital Evidence

Archiving of Digital Evidence

Evidence Retention and Media Storage Needs

Documenting Evidence

Managing Digital Evidence Forms

Transporting Digital Evidence

Analyze. Obtaining a Digital Hash

Manage. Employee Compliance Investigations

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 6. Working with Microsoft File Systems and the Windows Registry

Analyze. Understanding File Systems

Understanding Disk Drives

Examine. Exploring Microsoft File Structures

Disk Partitions

Examine. Examining FAT Disks

FAT Sector and Cluster Configurations

Drive Slack Space

File Fragmentation

Deleting FAT Files

Examine. Exploring NTFS Disks

NTFS System Files

$UsnJrnl System File

Prefetch

NTFS Alternate Data Streams

NTFS Compressed Files

NTFS Encrypting File System

Deleting NTFS Files

Resilient File System Overview

Examine. Understanding Whole Disk Encryption

Examining Microsoft BitLocker

Examining Third-Party Disk Encryption Tools

Examine. Understanding the Windows Registry

Data Types in the Registry

Exploring the Organization of the Windows Registry

Examine. Windows Forensics Artifacts

The hiberfile.sys File

Internet History Files

The pagefile.sys File

The $Recycle.Bin Folder

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 7. Linux and Macintosh File Systems

Examine. Examining Linux File Structures

File Structures in ext4

Inodes

Hard Links and Symbolic Links

Examine. Understanding Macintosh File Structures

An Overview of Mac File Structures

Apple File System

Forensics Procedures in macOS

Acquisition Methods in macOS

Analyze. Using Linux Forensics Tools

Using the dc3dd Command

Using the Kali Linux Forensics Tools

Exploring Sleuth Kit

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 8. Media Files and Digital Forensics

Manage. Media Files

Understanding Digital Photograph File Formats

Understanding Bitmap and Raster Images

Understanding Vector Graphics

Understanding Metafile Graphics Files

Graphics File Formats

Audio and Video File Formats

Viewing and Examining Media Files

Analyze. Data Compression and Obfuscation

Understanding Data Compression

Steganography in Graphics Files

Understanding Copyright Issues with Graphics

Analyze. Additional Data-Hiding Techniques

Bit-Shifting

Encrypted Files

Hiding Data

Marking Bad Clusters in FAT

Using Passwords to Protect Files

Examine. Locating and Recovering Media Files

Identifying Media File Fragments

Determining Unknown File Formats

Repairing Damaged Headers

Searching for and Carving Data

Rebuilding File Headers

Reconstructing File Fragments

Examine. Digital Evidence Validation and Discrimination

Using Hash Values to Discriminate Data

Manage. Examination Planning

Preparing for the Examination

Planning the Examination

Performing the Examination

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 9. Virtual Machine Forensics and Live Acquisitions Forensics

Analyze. An Overview of Virtual Machine Forensics

Investigating Hypervisor Systems

Other VM Examination Methods

Analyze. Performing Live Acquisitions

Performing a Live RAM Acquisition in Windows

Performing a Live Acquisition in Linux

Selective File Live Acquisitions

Manage. Remote Acquisition Tools

Belkasoft Remote Acquisition

F-Response Collect

Magnet AXIOM Cyber – Remote Acquisition

Analyze. Using Microsoft’s File System Utility Command

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 10. Network Forensics

Manage. Network Forensics Overview

Manage. Network Forensics Standard Procedures

Securing a Network

Developing Procedures and Models for Network Forensics

Effectively Reading Network Logs

Examine. Exploring Common Network Forensics Tools

Packet Analyzers

Intrusion Detection and Intrusion Prevention Tools

Manage. Investigating Virtual Networks

Manage. Researching and Investigating Types of Attacks

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 11. Cloud Forensics and the Internet of Anything

Manage. An Overview of Cloud Computing

History of the Cloud

Cloud Service Levels and Deployment Methods

Cloud Vendors

Basic Concepts of Cloud Forensics

Manage. Legal Challenges in Cloud Forensics

Service-Level Agreements

Jurisdiction Issues

Accessing Evidence in the Cloud

Analyze. Technical Challenges in Cloud Forensics

Architecture

Analysis of Cloud Forensic Data

Anti-Forensics

Incident First Responders

Role Management

Standards and Training

Acquisitions in the Cloud

Analyze. Conducting a Cloud Investigation

Investigating CSPs

Investigating Cloud Customers

Understanding Prefetch Files and Artifacts

Examining Stored Cloud Data on a PC

Using Cloud Forensics Tools

Manage. An Overview of the Internet of Things, the Internet of Anything, and the Internet of Everything

Technologies Supporting the Growth of the Internet of Things

Manage. Categories of the Internet of Anything

Consumer Internet of Things

Commercial Internet of Things

Industrial Internet of Things

Infrastructure Internet of Things

Internet of Military Things

Analyze. Forensics of the Internet of Anything

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 12. Mobile Device Forensics

Manage. Understanding Mobile Devices and Cellular Networks

Types of Mobile Devices

Cellular Networks

Cell Phone Tower Communications

Cell Phone Tracking

Cell Phone Data Logs

Examine. Mobile Device Evidence Sources

Inside Mobile Devices

Mobile Device Data

Apple Advanced Data Protection

SQLite Databases

Examine. Mobile Device Security

Mobile Device Management

Apple Lost Mode

File System Encryption

Manage. Seizing and Securing Mobile Devices

Isolating the Mobile Device

Protecting the Mobile Device’s Data

Analyze. Mobile Device Evidence Extraction and Examination

Preparing for an Acquisition

Perform the Extraction

Apple iOS Encrypted Backup

Common Extraction Methods

Advanced Extraction Methods

Workflow Documentation and Verification

Analyze. Mobile Device Forensics Tools

Andriller CE

Belkasoft

Cellebrite

CellHawk

DataPilot

FQLite

Magnet Forensics

Micro Systemation AB

MOBILedit Forensic

Oxygen Forensics

Paraben Software

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 13. Email and Social Media Investigations

Manage. Exploring the Role of Email in Investigations

Manage. Exploring the Client and Server Roles in Email

Examine. Investigating Email Crimes and Violations

Understanding Forensic Linguistics

Examining Email Messages

Copying an Email Message

Viewing Email Headers

Examining Email Headers

Examining Additional Email Files

Tracing an Email Message

Using Network Email Logs

Manage. Understanding Email Servers and Server Logs

Examining UNIX/Linux Email Server Logs

Examining Microsoft Email Server Logs

Examine. Using Specialized Email Forensics Tools

Using a Hex Editor to Carve Email Messages

Recovering Outlook Files

Email Case Studies

Examine. Applying Digital Forensics Methods to Social Media Communications and Channel-Based Messaging Tools

Social Media Forensics on Mobile Devices

Forensics Tools for Social Media Investigations

Investigating Channel-Based Messaging Tools

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 14. e-Discovery

Manage. Overview of e-Discovery, Rules, and Policies

The Relationship between e-Discovery and Digital Forensics

Rules, Laws, and Regulations Impacting e-Discovery

Manage. The Impact of Case Law on e-Discovery

Case Law in the United States

Enron e-Discovery

Manage. EDRM and e-Discovery Case Flow

Information Governance Reference Model

Stages of the EDRM

Analyze. Common e-Discovery Tools

Module Summary

Key Terms

Review Questions

Hands-On Projects

Case Projects

Module 15. Ethics and Professional Responsibilities

Analyze. Applying Ethics and Codes to Expert Witnesses

Forensics Examiners’ Roles in Testifying

Considerations in Disqualification

Factors to Consider for All Cases

Determining Admissibility of Evidence

Manage. Organizations with Codes of Ethics

International Society of Forensic Computer Examiners

International High Technology Crime Investigation Association

International Association of Computer Investigative Specialists

American Bar Association

American Psychological Association

Analyze. Dealing with Ethical Challenges

Ethical Responsibilities Owed to You

Standard Forensics Tools and Tools You Create

Using an Intake Form

Analysis. Performing Peer Reviews for Digital Forensics

How to Peer-Review a Case

Writing a Peer Review

Module Summary

Key Terms

Review Questions

Case Projects

Appendix A. Certification Testing References

Appendix B. Digital Forensics References

Appendix C. Digital Forensics Lab Considerations

Appendix D. Legacy File Systems

Appendix E. NICE Framework and CAE Knowledge Units

Appendix F. Shell Command Examples

Bill Nelson has worked for two global Fortune 100 companies in information technologies for over 32 years, including 18-plus years in corporate digital forensics and information security. In addition, he has taught digital forensics classes at the City University of Seattle and the University of Washington’s Professional and Continuing Education Department for 10 years. He also has experience in Automated Fingerprint Identification System software engineering and reserve police work. A former president and vice president for Computer Technology Investigators Northwest, he routinely lectures at several colleges and universities in the Pacific Northwest.

Amelia Phillips is a tenured faculty member at Highline College in Seattle, Washington. After serving as an engineer at the Jet Propulsion Laboratory, she worked with e-commerce websites and began training in computer forensics to prevent credit card numbers from being stolen from sensitive e-commerce databases. Dr. Phillips designed certificate and AAS programs for community colleges in e-commerce, network security, computer forensics and data recovery. She designed the Bachelor of Applied Science in Cybersecurity and Forensics, which was approved in 2014. A Fulbright Scholar, Dr. Phillips taught at Polytechnic of Namibia in 2005 and 2006 and continues her work with developing nations, traveling there frequently. She earned BS degrees in astronautical engineering and archaeology and an MBA in technology management from the Massachusetts Institute of Technology, and an interdisciplinary Ph.D. in computer security from the University of Alaska, Fairbanks.

Christopher K. Steuart is a practicing attorney maintaining a general litigation practice, with experience in information systems security for a Fortune 50 company and the U.S. Army. He is also an honorary life member and the former general counsel for Computer Technology Investigators Northwest. He has presented computer forensics seminars in regional and national forums, including the American Society for Industrial Security, Agora, Northwest Computer Technology Crime Analysis Seminar and CTIN.
