
Practical Forensic Imaging [Paperback]

  • Format: Paperback / softback, 324 pages, height x width: 234x178 mm
  • Publication date: 01-Sep-2016
  • Publisher: No Starch Press, US
  • ISBN-10: 1593277938
  • ISBN-13: 9781593277932

Forensic image acquisition is an important part of post-mortem incident response and evidence collection. Digital forensic investigators acquire, preserve, and manage digital evidence to support civil and criminal cases, examine organizational policy violations, resolve disputes, and analyze cyber attacks. Practical Forensic Imaging takes a detailed look at how to secure and manage digital evidence using Linux-based command line tools. This essential guide walks you through the entire forensic acquisition process and covers a wide range of practical scenarios and situations related to the imaging of storage media.

You'll learn how to:

  • Use Linux and command line tools to perform forensic imaging of magnetic hard disks, SSD and flash, optical discs, magnetic tapes, and legacy technologies.
  • Protect attached evidence media from accidental alteration and modification by using hardware and software write blockers, and ensuring read-only access.
  • Manage large forensic image files, storage capacity planning, image format conversion, compression, splitting, duplication, secure transfer and storage, and secure disposal.
  • Preserve and verify evidence integrity with cryptographic hashing and piece-wise hashing, public key signatures, and RFC-3161 time-stamping.
  • Work with new drive and interface technologies such as NVME, SATA Express, 4K-native sector drives, Hybrid SSDs, SAS, UASP/USB3x, Thunderbolt, and more.
  • Manage drive security such as ATA passwords, encrypted thumb drives, Opal self-encrypting drives, BitLocker, FileVault, TrueCrypt, and others.
  • Acquire usable images from more complex or challenging situations such as RAID systems, virtual machine images, and damaged media.
With its unique focus on digital forensic acquisition and evidence preservation, Practical Forensic Imaging is a valuable resource for experienced digital forensic investigators wanting to advance their Linux skills, and experienced Linux administrators wanting to learn digital forensics. This is a must-have reference for every digital forensics lab.

Reviews

Despite the huge impact of this subject matter, there have been precious few books on the topic to date. Luckily, Practical Forensic Imaging steps in now to fill the gap. An excellent addition to any bookshelf. Forensic Focus

I am a big fan of this book, and found it to contain the right amount of technical content coupled with important concepts and concerns surrounding forensic imaging. I'd encourage anyone in DFIR who is imaging regularly or looking to increase their Linux skills to check out a copy of the book. 505 Forensics

Cybercrime and digital forensics expert Bruce Nikkel describes the use of open source command line technology to obtain and manage forensic data. Target readers are the expanding number of forensic practitioners including forensic and electronic discovery technicians in legal, auditing, and consulting firms; incident response teams; law enforcement forensic specialists; and forensic investigators. The Lawyer's PC

It's commonly said that you should assume the bad guys have already breached your networks. The ability to carry out forensic examinations is one of the key skills you'll need in response to that risk, and this book is a solid introduction to acquiring those skills. Network Security Newsletter

"I loved Bruce Nikkel's book Practical Forensic Imaging from @nostarch - but his new book Practical Linux Forensics is [fire]. Beginner to intermediate, and a good desktop reference." DFIRScience, @DFIRScience

Foreword xvii
Eoghan Casey
Introduction xix
Why I Wrote This Book xix
How This Book Is Different xx
Why Use the Command Line? xx
Target Audience and Prerequisites xxii
Who Should Read This Book? xxii
Prerequisite Knowledge xxii
Preinstalled Platform and Software xxii
How the Book Is Organized xxii
The Scope of This Book xxv
Conventions and Format xxv
0 Digital Forensics Overview 1(10)
Digital Forensics History 1(3)
Pre-Y2K 1(1)
2000--2010 2(1)
2010--Present 3(1)
Forensic Acquisition Trends and Challenges 4(1)
Shift in Size, Location, and Complexity of Evidence 4(1)
Multijurisdictional Aspects 5(1)
Industry, Academia, and Law Enforcement Collaboration 5(1)
Principles of Postmortem Computer Forensics 5(6)
Digital Forensic Standards 6(1)
Peer-Reviewed Research 7(1)
Industry Regulations and Best Practice 8(1)
Principles Used in This Book 9(2)
1 Storage Media Overview 11(36)
Magnetic Storage Media 12(3)
Hard Disks 12(1)
Magnetic Tapes 13(2)
Legacy Magnetic Storage 15(1)
Non-Volatile Memory 15(4)
Solid State Drives 16(1)
USB Flash Drives 17(1)
Removable Memory Cards 17(2)
Legacy Non-Volatile Memory 19(1)
Optical Storage Media 19(3)
Compact Discs 20(1)
Digital Versatile Discs 21(1)
Blu-ray Discs 21(1)
Legacy Optical Storage 22(1)
Interfaces and Physical Connectors 22(12)
Serial ATA 22(3)
Serial Attached SCSI and Fibre Channel 25(2)
Non-Volatile Memory Express 27(2)
Universal Serial Bus 29(1)
Thunderbolt 30(2)
Legacy Interfaces 32(2)
Commands, Protocols, and Bridges 34(5)
ATA Commands 34(2)
SCSI Commands 36(1)
NVME Commands 37(1)
Bridging, Tunneling, and Pass-Through 38(1)
Special Topics 39(7)
DCO and HPA Drive Areas 39(1)
Drive Service and Maintenance Areas 40(1)
USB Attached SCSI Protocol 40(1)
Advanced Format 4Kn 41(3)
NVME Namespaces 44(1)
Solid State Hybrid Disks 45(1)
Closing Thoughts 46(1)
2 Linux As A Forensic Acquisition Platform 47(12)
Linux and OSS in a Forensic Context 48(2)
Advantages of Linux and OSS in Forensics Labs 48(1)
Disadvantages of Linux and OSS in Forensics Labs 49(1)
Linux Kernel and Storage Devices 50(2)
Kernel Device Detection 50(1)
Storage Devices in /dev 51(1)
Other Special Devices 52(1)
Linux Kernel and Filesystems 52(3)
Kernel Filesystem Support 52(1)
Mounting Filesystems in Linux 53(1)
Accessing Filesystems with Forensic Tools 54(1)
Linux Distributions and Shells 55(2)
Linux Distributions 55(1)
The Shell 56(1)
Command Execution 56(1)
Piping and Redirection 56(1)
Closing Thoughts 57(2)
3 Forensic Image Formats 59(10)
Raw Images 60(2)
Traditional dd 60(1)
Forensic dd Variants 61(1)
Data Recovery Tools 61(1)
Forensic Formats 62(1)
EnCase EWF 62(1)
FTK SMART 62(1)
AFF 62(1)
SquashFS as a Forensic Evidence Container 63(4)
SquashFS Background 63(1)
SquashFS Forensic Evidence Containers 64(3)
Closing Thoughts 67(2)
4 Planning And Preparation 69(32)
Maintain an Audit Trail 70(6)
Task Management 70(3)
Shell History 73(2)
Terminal Recorders 75(1)
Linux Auditing 76(1)
Organize Collected Evidence and Command Output 76(7)
Naming Conventions for Files and Directories 76(3)
Scalable Examination Directory Structure 79(2)
Save Command Output with Redirection 81(2)
Assess Acquisition Infrastructure Logistics 83(10)
Image Sizes and Disk Space Requirements 83(2)
File Compression 85(1)
Sparse Files 85(1)
Reported File and Image Sizes 86(1)
Moving and Copying Forensic Images 87(1)
Estimate Task Completion Times 87(1)
Performance and Bottlenecks 88(3)
Heat and Environmental Factors 91(2)
Establish Forensic Write-Blocking Protection 93(7)
Hardware Write Blockers 94(3)
Software Write Blockers 97(2)
Linux Forensic Boot CDs 99(1)
Media with Physical Read-Only Modes 100(1)
Closing Thoughts 100(1)
5 Attaching Subject Media To An Acquisition Host 101(40)
Examine Subject PC Hardware 101(1)
Physical PC Examination and Disk Removal 102(1)
Subject PC Hardware Review 102(1)
Attach Subject Disk to an Acquisition Host 102(5)
View Acquisition Host Hardware 103(2)
Identify the Subject Drive 105(2)
Query the Subject Disk for Information 107(11)
Document Device Identification Details 107(1)
Query Disk Capabilities and Features with hdparm 108(4)
Extract SMART Data with smartctl 112(6)
Enable Access to Hidden Sectors 118(7)
Remove a DCO 118(3)
Remove an HPA 121(1)
Drive Service Area Access 122(3)
ATA Password Security and Self-Encrypting Drives 125(7)
Identify and Unlock ATA Password-Protected Disks 126(2)
Identify and Unlock Opal Self-Encrypting Drives 128(3)
Encrypted Flash Thumb Drives 131(1)
Attach Removable Media 132(4)
Optical Media Drives 132(1)
Magnetic Tape Drives 133(3)
Memory Cards 136(1)
Attach Other Storage 136(4)
Apple Target Disk Mode 137(1)
NVME SSDs 138(2)
Other Devices with Block or Character Access 140(1)
Closing Thoughts 140(1)
6 Forensic Image Acquisition 141(46)
Acquire an Image with dd Tools 142(3)
Standard Unix dd and GNU dd 142(2)
The dcfldd and dc3dd Tools 144(1)
Acquire an Image with Forensic Formats 145(5)
The ewfacquire Tool 145(2)
AccessData ftkimager 147(2)
SquashFS Forensic Evidence Container 149(1)
Acquire an Image to Multiple Destinations 150(1)
Preserve Digital Evidence with Cryptography 150(9)
Basic Cryptographic Hashing 151(1)
Hash Windows 152(2)
Sign an Image with PGP or S/MIME 154(3)
RFC-3161 Timestamping 157(2)
Manage Drive Failure and Errors 159(7)
Forensic Tool Error Handling 160(2)
Data Recovery Tools 162(1)
SMART and Kernel Errors 163(1)
Other Options for Failed Drives 164(1)
Damaged Optical Discs 165(1)
Image Acquisition over a Network 166(6)
Remote Forensic Imaging with rdd 166(2)
Secure Remote Imaging with ssh 168(1)
Remote Acquisition to a SquashFS Evidence Container 169(2)
Acquire a Remote Disk to EnCase or FTK Format 171(1)
Live Imaging with Copy-On-Write Snapshots 172(1)
Acquire Removable Media 172(6)
Memory Cards 173(1)
Optical Discs 174(2)
Magnetic Tapes 176(2)
RAID and Multidisk Systems 178(7)
Proprietary RAID Acquisition 178(1)
JBOD and RAID-0 Striped Disks 179(2)
Microsoft Dynamic Disks 181(1)
RAID-1 Mirrored Disks 182(1)
Linux RAID-5 183(2)
Closing Thoughts 185(2)
7 Forensic Image Management 187(42)
Manage Image Compression 187(4)
Standard Linux Compression Tools 188(1)
EnCase EWF Compressed Format 189(1)
FTK SMART Compressed Format 190(1)
AFFlib Built-in Compression 190(1)
SquashFS Compressed Evidence Containers 191(1)
Manage Split Images 191(6)
The GNU split Command 192(1)
Split Images During Acquisition 192(2)
Access a Set of Split Image Files 194(1)
Reassemble a Split Image 195(2)
Verify the Integrity of a Forensic Image 197(5)
Verify the Hash Taken During Acquisition 197(1)
Recalculate the Hash of a Forensic Image 198(1)
Cryptographic Hashes of Split Raw Images 199(1)
Identify Mismatched Hash Windows 199(1)
Verify Signature and Timestamp 200(2)
Convert Between Image Formats 202(9)
Convert from Raw Images 202(3)
Convert from EnCase/E01 Format 205(3)
Convert from FTK Format 208(1)
Convert from AFF Format 209(2)
Secure an Image with Encryption 211(8)
GPG Encryption 211(2)
OpenSSL Encryption 213(1)
Forensic Format Built-in Encryption 214(2)
General Purpose Disk Encryption 216(3)
Disk Cloning and Duplication 219(2)
Prepare a Clone Disk 219(1)
Use HPA to Replicate Sector Size 219(1)
Write an Image File to a Clone Disk 220(1)
Image Transfer and Storage 221(3)
Write to Removable Media 221(2)
Inexpensive Disks for Storage and Transfer 223(1)
Perform Large Network Transfers 223(1)
Secure Wiping and Data Disposal 224(4)
Dispose of Individual Files 224(1)
Secure Wipe a Storage Device 225(1)
Issue ATA Security Erase Unit Commands 226(1)
Destroy Encrypted Disk Keys 227(1)
Closing Thoughts 228(1)
8 Special Image Access Topics 229(30)
Forensically Acquired Image Files 230(7)
Raw Image Files with Loop Devices 230(3)
Forensic Format Image Files 233(2)
Prepare Boot Images with xmount 235(2)
VM Images 237(6)
QEMU QCOW2 237(2)
VirtualBox VDI 239(1)
VMWare VMDK 240(1)
Microsoft VHD 241(2)
OS-Encrypted Filesystems 243(15)
Microsoft BitLocker 243(5)
Apple FileVault 248(3)
Linux LUKS 251(3)
TrueCrypt and VeraCrypt 254(4)
Closing Thoughts 258(1)
9 Extracting Subsets Of Forensic Images 259(16)
Assess Partition Layout and Filesystems 259(5)
Partition Scheme 260(1)
Partition Tables 261(2)
Filesystem Identification 263(1)
Partition Extraction 264(7)
Extract Individual Partitions 264(2)
Find and Extract Deleted Partitions 266(3)
Identify and Extract Inter-Partition Gaps 269(1)
Extract HPA and DCO Sector Ranges 269(2)
Other Piecewise Data Extraction 271(3)
Extract Filesystem Slack Space 271(1)
Extract Filesystem Unallocated Blocks 272(1)
Manual Extraction Using Offsets 272(2)
Closing Thoughts 274(1)
Closing Remarks 275(2)
Index 277
Bruce Nikkel is the director of Cyber-Crime / IT Investigation & Forensics at a global financial institution. Nikkel has headed the bank's global IT forensics unit since 2005, and worked for the bank's IT Security and Risk departments since 1997. Nikkel has published a number of research papers in the digital forensics field, is an editor for Digital Investigation journal, and holds a PhD in network forensics.