COMPUTER FORENSICS JUMPSTART VOL.2

Download
File
eForensics_09_2013n.pdf

Dear eForensic Readers!

We would like to present to you the new issue of Computer Forensics, devoted to Computer Forensics JumpStart Vol. 2, the second issue of our series for beginners.

In front of you, you have the best practical pill for everyone who’d like to become an expert in the digital forensics field: 100 pages of practical tips, trials and tutorials for everyone who’d like to dive into Computer Forensics. Go from ZERO to HERO with eForensics!

Check what you can find inside:

FORENSICS ON LINUX

by Barry Kokotailo    

The majority of forensics examinations conducted today involve Windows machines. Considering that the vast majority of desktops in use today are Windows based, this should come as no surprise. However, a good many servers and workstations are Linux based and run interesting services such as databases, web and file services. During the career of a forensics professional you will need to perform a forensic examination of a Linux machine. This article gives you the step-by-step procedure to acquire an image, analyze it, and report on the findings.

HOW TO PERFORM FORENSIC ANALYSIS ON IOS OPERATING AND FILE SYSTEMS

by Deivison Pinheiro Franco and Nágila Magalhães Cardoso

With the design of Apple’s operating system (iOS) and the large amount of storage space available, records of emails, text messages, browsing history, chat, map searches, and more are all being kept. Given the amount of information available to forensic analysts on iOS, this article covers the basics of accurately retrieving evidence from this platform and building a forensic analysis where applicable. Once the image has been obtained (logically, via backup, or physically), files of interest are highlighted for a forensic examiner to review.

PLACING THE SUSPECT BEHIND THE KEYBOARD

by Brett Shavers

Perhaps the most important and nearly impossible task in digital forensics is placing the suspect behind the keyboard. Digital evidence alone doesn’t do it. Assumptions and preconceived beliefs don’t do it. Luckily, most cases involving digital forensics are solved without having to physically place the suspect at the machine. Unfortunately, there are those cases in which the suspect does not admit to using the device or there is no other evidence proving it.

EDISCOVERY 101: AN INTRODUCTION TO EDISCOVERY

by Dauda Sule

Volonino and Redpath (2010) quoted Judge Shira A. Scheindlin as follows: “We used to say there’s e-discovery as if it was a subset of all discovery. But now there’s no other discovery.” The Law has been taking its course and technology has been developing; the result is the evolution of Law to keep up with technological advancements.

HARD DRIVE FORENSIC PROCEDURES

by Krystina Horvath and Thomas J. Bray

Do hard drives obtained under digital forensics standards require alternative methods of investigation? In this article, the forensic collection and preservation of data from hard drives using AccessData’s FTK Imager and Forensic Toolkit is presented. Metadata is also considered during the forensic collection procedure.

THE INTERVIEW WITH TERRY TANG, FOUNDER OF WISECLEANER

by Aby Rao

DIGGING INTO MOZILLA FIREFOX ARTEFACTS

by Gabriele Biondo

Mozilla Firefox was the most widespread web browser for years, and nowadays is the second most popular browser. From a computer forensics point of view, understanding how its caching mechanism works is a key aspect. Although Mozilla Firefox is Open Source, auditing over 30 MB of source code is not viable. A quick’n’dirty but effective approach could be regarded as a type of gray box test.

THE GOLDEN NUGGET

by Paul Gwinnett

In writing an article about computer forensics for beginners I had to consider my ‘Hi Tech/e-forensics’ introduction, which couldn’t really be classed as an ‘exact science’, more a case of various “digital journeys”, stepping into the unknown and seeking reassurance by way of experiments and ‘sound boarding’ with my old mentor. In this article, I have tried to be as candid and practical as possible in the hope that those in the early stages of their e-forensics career can have an insight into some of the issues I faced in my early years and how I dealt with them.

TWELVE OPEN-SOURCE LINUX FORENSIC TOOLS

by Priscilla Lopez

There are several open-source Linux forensic tool suites and tools such as Kali Linux, DEFT, HELIX, Backtrack, CAINE, Knoppix STD, FCCU, The Penguin Sleuth Kit, ADIA, DFF, SMART, and SIFT. This article will give you a brief overview of the available tool suites. Afterwards, I will show you step-by-step how to install one of the tool suites and run a practice case sample.

FOUR WINDOWS XP FORENSIC ANALYSIS TIPS & TRICKS

by Davide Barbato

When conducting a forensic analysis of a Windows XP system, some particular behaviours must be taken into account that can lead to misleading conclusions if not properly handled.

A BEGINNER’S GUIDE TO FORENSIC IMAGING

by Madeline Cheah

Are you starting on the road to a career in digital forensics? Or perhaps a student looking to get onto a course in this field? Maybe you just need a refresher after a little time away? This is a simple guide introducing you to one of the fundamentals of digital forensics, with a legislative narrative to set things in context.

WINDOWS MEMORY FORENSICS & MEMORY ACQUISITION

by Dr Craig S. Wright, GSE, GSM, LLM, MStat

This article takes the reader through the process of imaging memory on a live Windows host. This is part one of a six-part series and introduces the reader to the topic before we go into the details of memory forensics. The first step in doing any memory forensics on a Windows host is acquisition. If we do not have a sample of the memory image from a system, we cannot analyze it. This sounds simple, but memory forensics is not like imaging an unmounted hard drive. Memory is powered and dynamic, and it changes as we attempt to image it. This means it is not a repeatable process. That is not to say a forensic process must always provide the same output; repeatability, in the sense of running a process again and obtaining exactly the same results, is not required. It does not mean we cannot use a variable process in a forensic investigation. What it does mean is that we have a set of steps that allow us to image memory, but every time we follow them the results will change.

EXAMINING EXIF DATA IN DIGITAL PHOTOGRAPHS

by Irv Schlanger MSIS, ACE, Security+ and Ruth Forese

Digital photographs have become common as a source of evidence in forensic investigations. However, pixels alone do not tell the entire story—modern digital cameras also record Global Positioning Satellite (GPS) information as well as date and clock time into photographs using metadata known as EXIF tags. One of the main tasks of a forensic investigator is to extract useful evidence from a photograph and to prove this information’s authenticity. EXIF metadata in JPEG photographs can provide proof that a suspect was or was not at the scene of a crime. Because EXIF data can be altered by the very same software and techniques detailed in the article, law enforcement should take precautions and use established forensic practices when relying on metadata in investigations.

DIGITAL FORENSICS ON CLOUD STORAGE

by Richard Leitz

Digital forensics experts in both law enforcement and the corporate arena have typically had either complete physical access to digital media or live access to the running servers or other computers that required examination. Due to the move from local storage of data and servers to cloud-based storage and services, the world of digital forensics has changed. This article discusses how cloud-based technology is making it more difficult for the digital forensics expert to gain access to and examine digital media stored on a cloud server, whether in the same country or, even worse, in a different country.

DETECT AND PREVENT FILE TAMPERING IN MULTIMEDIA FILES

by Doug Carner, CPP/CHS-III

Electronic files are vulnerable to tampering and corruption. Undetected, these changes can alter the meaning and value of critical evidence. By implementing a few simple steps, you can ensure that everyone is working from the exact same set of facts, and be able to prove whether a file was altered before it arrived in your care.


July 30, 2021
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023