Hiding Behind the Keyboard: Uncovering Covert Communication Methods with Forensic Analysis exposes the latest electronic covert communication techniques used by cybercriminals, along with the needed investigative methods for identifying them.The book shows how to use the Internet for legitimate covert communication, while giving investigators the information they need for detecting cybercriminals who attempt to hide their true identity. Intended for practitioners and investigators, the book offers concrete examples on how to communicate securely, serving as an ideal reference for those who truly need protection, as well as those who investigate cybercriminals.Covers high-level strategies, what they can achieve, and how to implement themShows discovery and mitigation methods using examples, court cases, and moreExplores how social media sites and gaming technologies can be used for illicit communications activitiesExplores the currently in-use technologies such as TAILS and TOR that help with keeping anonymous online
Muu info
Provides concrete examples of covert electronic communication techniques for those who truly need protection, as well as those who investigate cybercriminals
| Foreword |
|
ix | |
| Introduction |
|
xi | |
| About The Authors |
|
xv | |
| Acknowledgments |
|
xvii | |
|
Chapter 1 Laying the Foundation of Covert Communications |
|
|
1 | (10) |
|
|
|
1 | (1) |
|
A Brief History of Covert Communication |
|
|
2 | (4) |
|
Covert Communication Overload |
|
|
6 | (2) |
|
Covert Communication Goals |
|
|
8 | (2) |
|
|
|
10 | (1) |
|
|
|
10 | (1) |
|
Chapter 2 The Tor Browser |
|
|
11 | (24) |
|
|
|
11 | (1) |
|
History and Intended Use of The Onion Router |
|
|
11 | (1) |
|
How The Onion Router Works |
|
|
12 | (8) |
|
Forensic Analysis of The Onion Router |
|
|
20 | (6) |
|
Tracking Criminals Using Tor |
|
|
26 | (3) |
|
Used in Combination of Other Tools and Methods |
|
|
29 | (1) |
|
|
|
29 | (2) |
|
Related Tor Tools and Applications |
|
|
31 | (2) |
|
|
|
33 | (1) |
|
|
|
33 | (2) |
|
Chapter 3 Triaging Mobile Evidence |
|
|
35 | (34) |
|
|
|
35 | (1) |
|
|
|
36 | (1) |
|
Examples of Logical and Physical Data |
|
|
37 | (1) |
|
|
|
38 | (1) |
|
|
|
38 | (1) |
|
Mobile Virtual Network Operator |
|
|
38 | (1) |
|
Determining Target Number |
|
|
39 | (1) |
|
|
|
39 | (2) |
|
Number Portability Administration Center |
|
|
41 | (1) |
|
|
|
41 | (2) |
|
Subscriber Identity Module |
|
|
43 | (1) |
|
Internal Hardware of a SIM |
|
|
44 | (1) |
|
|
|
45 | (1) |
|
|
|
46 | (3) |
|
|
|
49 | (5) |
|
|
|
54 | (4) |
|
|
|
58 | (1) |
|
|
|
58 | (2) |
|
|
|
60 | (1) |
|
|
|
61 | (1) |
|
|
|
62 | (2) |
|
|
|
64 | (3) |
|
|
|
67 | (1) |
|
References for Manual Tools |
|
|
67 | (2) |
|
Chapter 4 Mobile Extraction Issues |
|
|
69 | (46) |
|
|
|
69 | (2) |
|
Embedded Multimedia Card, Embedded Multichip Package, and Multichip Package |
|
|
71 | (4) |
|
|
|
75 | (2) |
|
|
|
77 | (6) |
|
|
|
83 | (3) |
|
Cellebrite Physical Analyzer |
|
|
86 | (9) |
|
User-Installed Applications |
|
|
95 | (3) |
|
|
|
98 | (8) |
|
|
|
106 | (8) |
|
References for Listed Tools |
|
|
114 | (1) |
|
|
|
115 | (18) |
|
|
|
115 | (1) |
|
|
|
115 | (1) |
|
|
|
116 | (9) |
|
|
|
125 | (5) |
|
|
|
130 | (1) |
|
|
|
131 | (1) |
|
|
|
131 | (1) |
|
|
|
131 | (2) |
|
Chapter 6 Cryptography and Encryption |
|
|
133 | (20) |
|
|
|
133 | (1) |
|
Brief History of Encryption and Cryptography |
|
|
133 | (1) |
|
|
|
134 | (3) |
|
|
|
137 | (3) |
|
|
|
140 | (6) |
|
|
|
146 | (1) |
|
So Tell Me Something I Can Do About This! |
|
|
147 | (4) |
|
|
|
151 | (1) |
|
|
|
151 | (1) |
|
|
|
151 | (2) |
|
|
|
153 | (20) |
|
|
|
153 | (1) |
|
The Easy and Very Effective Methods |
|
|
154 | (2) |
|
The Best Methods Aren't the Most Commonly Used Methods |
|
|
156 | (1) |
|
|
|
156 | (1) |
|
File Signature Manipulation |
|
|
157 | (2) |
|
|
|
159 | (2) |
|
|
|
161 | (2) |
|
|
|
163 | (1) |
|
|
|
164 | (1) |
|
|
|
165 | (3) |
|
Planning Against Antiforensics |
|
|
168 | (1) |
|
Finding Communication Records on Hard Drives |
|
|
169 | (2) |
|
When All Else Fails or Is Likely to Fail |
|
|
171 | (1) |
|
|
|
171 | (1) |
|
|
|
172 | (1) |
|
Chapter 8 Electronic Intercepts |
|
|
173 | (14) |
|
|
|
173 | (1) |
|
Value of Electronically Intercepted Communications |
|
|
174 | (1) |
|
|
|
174 | (1) |
|
|
|
175 | (5) |
|
|
|
180 | (2) |
|
Finding Cell Phone Numbers |
|
|
182 | (3) |
|
|
|
185 | (1) |
|
|
|
185 | (2) |
|
Chapter 9 Digital Identity |
|
|
187 | (16) |
|
|
|
187 | (1) |
|
|
|
187 | (7) |
|
Finding the Digital Identity |
|
|
194 | (7) |
|
|
|
201 | (1) |
|
|
|
202 | (1) |
|
Chapter 10 Putting It All Together |
|
|
203 | (20) |
|
|
|
203 | (1) |
|
Collecting Real-Time Communications |
|
|
203 | (2) |
|
Collecting Historical Communications |
|
|
205 | (1) |
|
Turning Information Into Intelligence |
|
|
206 | (5) |
|
The (Virtually) Impossible |
|
|
211 | (3) |
|
|
|
214 | (2) |
|
Putting the Case Together |
|
|
216 | (4) |
|
|
|
220 | (1) |
|
|
|
221 | (2) |
|
Chapter 11 Closing Thoughts |
|
|
223 | (6) |
|
|
|
223 | (1) |
|
|
|
223 | (1) |
|
Legal and Technical Considerations |
|
|
224 | (4) |
|
|
|
228 | (1) |
|
|
|
228 | (1) |
| Index |
|
229 | |
Brett Shavers is a former law enforcement officer of a municipal police department. He has been an investigator assigned to state and federal task forces. Besides working many specialty positions, Brett was the first digital forensics examiner at his police department, attended over 2000 hours of forensic training courses across the country, collected more than a few certifications along the way, and set up the departments first digital forensics lab in a small, cluttered storage closet. John Bair is currently employed as a detective with the Tacoma Police Department. He has been commissioned as a law enforcement officer since May 1989. During his assignment in the homicide unit he began specializing in Cell Phone Forensics.
In 2006 John created the current forensic lab that focuses on mobile evidence related to violent crimes. His case experience shortly thereafter gained the attention of Mobile Forensics Incorporated (MFI) where he was hired and spent several years serving as a contract instructor. MFI soon merged with AccessData to become the only training vendor for their mobile forensics core. This relationship fostered direct contact with engineers who assist in criminal cases which need anomalies and exploits addressed within their forensics products.
July 2013 he was hired as a contract instructor by Fox Valley Technical College to assist in training for the Department Of Justice - Amber Alert Program. His expertize with mobile forensics is being utilized to structure a digital evidence module for investigators responding to scenes where children had been abducted. The program promotes how to prevent mobile evidence contamination and how to triage live devices under exigent circumstances.
Within in Pierce County, he began a mobile forensics training program for Superior Court Prosecutors and Judicial Officers which is currently in its fourth year. The program stresses the technical origins of the warrant language, what to check for, validation of evidence and how to present this dynamic content in court.
In December 2013, Detective Bair gave a presentation to the University Of Washington Tacoma (UWT) Institute of Technology which provided an outline to merge digital solutions between the Tacoma Police Department and UWT. The relationship will focus on building a digital forensic lab that will be modeled after the Marshall University Forensic Science Center in West Virginia. The lab proposal also includes the ability to conduct advanced destructive forensics which will be a one of kind facility on the west coast. Based upon the proposal to create a combined lab, John created a mobile forensic course and began part time lecturing at UWT in April 2014. The course covers legal concepts, logical, physical searching methods and manual carving”. John authored his own student and lab manuals for these courses. In March 2015, John started an intern program within the lab at the Tacoma Police which involved students from this program. In late August 2015, one of the interns was able to use advance python writing to assist with parsing over 3300 deleted messages in a homicide that took place earlier that year.
John Bair has instructed at various federal labs within the United States (Secret Service, ICE). He has presented on mobile evidence as a guest speaker at Parabens Innovative Conference, Washington State Association of Prosecuting Attorneys (WAPA) Summit, and the Computer Technology Investigations Network Digital Forensics Conference. Recently he spoke at the 16th Annual Conference on Information Technology Education / 4th Annual Research in IT Conference in Chicago Illinois. These conferences are sponsored by the ACM Special Interest Group for Information Technology Education (SIGITE). John and two other professors from the University Of Washington Tacoma (UWT) recently co-authored a paper regarding the current Mobile Forensic Program.
John has over 42 certifications related to digital evidence training. The following reflect the most significant related to mobile forensics: Mobile Forensics Certified Examiner (MFCE), Cellebrite Certified Mobile Examiner (CCME), Cellebrite Certified Physical Analyst (CCPA), Cellebrite Certified Logical Operator (CCLO), AccessData Certified Examiner (ACE), Cellebrite Mobile Forensics Fundamentals (CMFF), AccessData Mobile Examiner (AME), and Cellebrite Certified Task Instructor.
John is also the co-owner of the forensics expert services firm, NAND Forensics (www.nandforensics.com).
Lisainfo e-raamatute kohta