Index
A
- Access Control Lists (ACLs)
  - about / File permissions
- Acquire
- Amazon Web Services (AWS) / Amazon Web Services
- analysis
  - defining / Analysis
- analysis approaches
  - about / The analysis approach
  - investigation types / Types of investigation
- analysis concepts
  - Anomaly/Outlier / Forensic analysis concepts
  - Bias / Forensic analysis concepts
  - Completeness / Forensic analysis concepts
  - Data reduction / Forensic analysis concepts
  - False negative / Forensic analysis concepts
  - False positive / Forensic analysis concepts
- analysis environment
  - preparing / Preparing the analysis environment
- analysis phase
  - goals / Analysis
  - plan, developing / The forensic analysis process
  - preparing / Analysis preparation
- analysis techniques
  - known facts and events, isolating / Isolating known facts and events
  - grouping / Grouping and clustering
  - clustering / Grouping and clustering
  - histograms / Histograms
  - time series analysis / The time series analysis
  - anomaly detection / Anomaly detection
  - disparate data sets, analyzing / Analyzing disparate data sets
  - keyword searching / Keyword searching
- anomaly detection
  - about / Anomaly detection
  - rule-based identification / Anomaly detection
  - statistical identification / Anomaly detection
  - rule-based analysis / Rule-based analysis
  - duplication analysis / Duplication analysis
  - Benford's law / Benford's law
  - aggregation analysis / Aggregation analysis
  - outliers, plotting on timeline / Plotting outliers on a timeline
- Apache Phoenix
  - about / The HBase query collection
- appendix and exhibit
  - types / Using exhibits or appendices
  - including / Using exhibits or appendices
- application-based collections
  - advantages, over filesystem-based collections / Application collection approaches
- application collection approaches
  - defining / Application collection approaches
  - backups / Backups
  - query extractions / Query extractions
  - script extractions / Script extractions
  - software extractions / Software extractions
- application collections
  - validating / Validating application collections
- Autopsy
- Autopsy timeline
  - Zoom / File activity timeline analysis
  - Filters / File activity timeline analysis
  - Table/Thumbnail Preview / File activity timeline analysis
- Avro
  - about / Data serialization
- AWS
  - data, loading into / Importing sample data for testing
- AWS account
  - URL / Amazon Web Services
B
- backup-based collection
- Benford's law / Benford's law
- Big Data
  - about / What is Big Data?
  - four Vs / The four Vs of Big Data
  - volume / The four Vs of Big Data
  - velocity / The four Vs of Big Data
  - variety / The four Vs of Big Data
  - veracity / The four Vs of Big Data
  - architecture / Big Data architecture and concepts
  - concepts / Big Data architecture and concepts
  - requirements / Compiling data requirements
- Big Data forensics
  - about / Big Data forensics
  - metadata preservation / Metadata preservation
  - collection methods / Collection methods
  - collection verification / Collection verification
- Bulk Extractor
  - about / Bulk Extractor
  - URL / Bulk Extractor
C
- chain of custody
- challenges, forensic analysis
  - anti-forensic techniques / Anti-forensic techniques
  - encryption / Data encryption
- Cloud computing
  - advantages / Analysis preparation
- cluster system
  - collecting / Forensically collecting a cluster system
- collection, via Sqoop
  - about / Collection via Sqoop
- collection phase
  - Physical collection / Collection
  - Logical collection / Collection
  - Targeted collection / Collection
- compression formats, Hadoop
  - defining / File compression and splitting
- computer forensics
  - about / An overview of computer forensics
  - forensic process / The forensic process
  - investigation considerations / Other investigation considerations
- configuration files
  - types / Configuration file analysis
  - Linux configuration files / Linux configuration files
  - Hadoop configuration files / Hadoop configuration files
  - Hadoop application configuration files / Hadoop application configuration files
- configuration files, Hadoop
  - hadoop-default.xml / The Hadoop configuration files
  - hadoop-site.xml / The Hadoop configuration files
  - mapred-default.xml / The Hadoop configuration files
  - job.xml / The Hadoop configuration files
  - defining / Hadoop configuration files
- cross-validation
  - about / Analysis
D
- data
  - loading, into AWS / Importing sample data for testing
  - analyzing / Analyzing data
- data, loading
  - defining / Loading data
  - pre-load data transformations / Preload data transformations
- data, surveying
  - benefits / Data surveying
- data analysis
  - analysis approaches / The analysis approach
  - analysis techniques / Analysis techniques
  - findings, validating / Validating the findings
  - findings, documenting / Documenting the findings
- data analysis tools, Hadoop
  - about / Hadoop data analysis tools
  - Hive / Hive
  - HBase / HBase
  - Pig / Pig
- database management system (DBMS)
  - about / LightHadoop
- data collection
  - requirements / Data collection requirements
- data collection request
  - about / The data collection request
- data collection types
  - about / Data collection types
  - in-house / In-house or third-party collection
  - third-party collection / In-house or third-party collection
  - investigator-led collection / An investigator-led collection
- data flows, in Hadoop
  - considerations / Collecting other Hadoop application data and non-Hadoop data
- data model, HBase
  - defining / HBase
- data requests
  - types / The types of data to request
- data requirements
  - compiling / Compiling data requirements
- data scripting
  - benefits / The Hive script collection
- data source identification
  - defining / Data source identification
- data sources
  - considerations / Identifying evidence
  - identifying, in noncooperative situations / Identifying data sources in noncooperative situations
- data transformation
  - defining / Transforming data
  - considerations / Transforming data
  - nonrelational data, transforming / Transforming nonrelational data
- data viability
  - assessing / Assessing data viability
- dd tool
  - about / Imaging the host operating system
  - advantages / Imaging the host operating system
- documentation review process
- Domain Name System (DNS)
  - about / Amazon Web Services
E
- EDRM
  - about / The forensic process
  - URL / The forensic process
- Elastic MapReduce (EMR)
  - about / Amazon Web Services
- evidence
  - identifying / Identifying evidence
- expectation-maximization (EM)
  - about / Grouping and clustering
F
- features, tools
- fields, file header
  - Version / Hadoop SequenceFile
  - keyClassName / Hadoop SequenceFile
  - valueClassName / Hadoop SequenceFile
  - Compression / Hadoop SequenceFile
  - blockCompression / Hadoop SequenceFile
  - Compression Codec / Hadoop SequenceFile
  - Metadata / Hadoop SequenceFile
  - Sync / Hadoop SequenceFile
- file-level analyses
  - keyword searching / Keyword searching and file and data carving
  - file and data carving / Keyword searching and file and data carving
  - metadata analysis / Metadata analysis
  - deleted files, analysis / The analysis of deleted files
  - HDFS data extraction / HDFS data extraction
  - cluster reconstruction / Cluster reconstruction
  - configuration file analysis / Configuration file analysis
  - log file analysis / Log file analysis
- File Allocation Table (FAT)
- file deletions
  - types / The analysis of deleted files
- file permissions, HDFS
  - Read (r) / File permissions
  - Write (w) / File permissions
  - Execute (x) / File permissions
- files, Hadoop
  - defining / Managing files in Hadoop
  - file permissions / File permissions
  - trash feature / Trash
  - log files / Log files
  - file compression and splitting / File compression and splitting
  - SequenceFile / Hadoop SequenceFile
  - Hadoop archive files / The Hadoop archive files
  - data serialization / Data serialization
  - packaged jobs / Packaged jobs and JAR files
  - JAR files / Packaged jobs and JAR files
- forensic analysis
  - goals / Forensic analysis goals
  - concepts / Forensic analysis concepts
  - challenges / The challenges of forensic analysis
- forensic analysis process
  - defining / The forensic analysis process
- forensic data, Hadoop
  - supporting information / The Hadoop forensic evidence ecosystem
  - record evidence / The Hadoop forensic evidence ecosystem
  - user and application evidence / The Hadoop forensic evidence ecosystem
- forensic process
  - identification phase / Identification
  - collection phase / Collection
  - analysis phase / Analysis
  - presentation phase / Presentation
- FUSE
G
- Graphical User Interface (GUI)
  - about / Loading data
H
- Hadoop
  - components / The components of Hadoop
  - configuration files / The Hadoop configuration files
  - forensic evidence ecosystem / The Hadoop forensic evidence ecosystem
  - running / Running Hadoop
  - LightHadoop / LightHadoop
  - Amazon Web Services (AWS) / Amazon Web Services
  - data, loading / Loading Hadoop data
- Hadoop application backup methods
  - defining / Backups
- Hadoop application data
- Hadoop architecture
  - about / The Hadoop architecture
  - operating system layer / The Hadoop architecture
  - Hadoop layer / The Hadoop architecture
  - DBMS layer / The Hadoop architecture
  - application layer / The Hadoop architecture
- Hadoop Archive (HAR) files
  - about / The Hadoop archive files
- Hadoop daemons
  - about / Hadoop daemons
- Hadoop data
  - sample data, importing for testing / Importing sample data for testing
  - about / Application collection approaches
- Hadoop distributed filesystem
  - about / The Hadoop Distributed File System
  - need for / The Hadoop Distributed File System
- Hadoop Distributed File System (HDFS)
- Hadoop encryption
  - URL / Data encryption
- Hadoop evidence
  - collecting, from host operating system / HDFS collections through the host operating system
- Hadoop implementations
- Hadoop Key Management Server (KMS)
  - about / Data encryption
- Hadoop log files
  - Daemon logs / Log file analysis
  - Job configuration / Log file analysis
  - Job statistics / Log file analysis
  - log4j / Log file analysis
- Hadoop Offline Image Viewer
  - defining / Hadoop Offline Image and Edits Viewers
  - NameNode / Hadoop Offline Image and Edits Viewers
  - Inode / Hadoop Offline Image and Edits Viewers
- Hadoop shell command collection
  - about / The Hadoop shell command collection
  - HDFS files, collecting / Collecting HDFS files
  - HDFS targeted data collection / HDFS targeted data collection
  - Hadoop Offline Image Viewer / Hadoop Offline Image and Edits Viewers
  - edits viewer / Hadoop Offline Image and Edits Viewers
- HAR format
  - defining / The Hadoop archive files
- HBase / HBase
  - data storage / Collecting HBase evidence
  - tables / Collecting HBase evidence
  - NoSQL (Not only SQL) / Collecting HBase evidence
  - Key-pair values / Collecting HBase evidence
  - shell / Collecting HBase evidence
  - Master node and regionservers / Collecting HBase evidence
  - ZooKeeper / Collecting HBase evidence
  - HFile / Collecting HBase evidence
  - Memstore / Collecting HBase evidence
  - -ROOT- table / Collecting HBase evidence
  - .META. table / Collecting HBase evidence
  - Clients / Collecting HBase evidence
- HBase data, accessing
- HBase evidence
  - collecting / Collecting HBase evidence
  - HBase data, loading / Loading HBase data
  - identifying / Identifying HBase evidence
  - HBase backup collection / The HBase backup collection
  - HBase query collection / The HBase query collection
  - HBase collection, via scripts / HBase collection via scripts
  - HBase control totals / HBase control totals
  - HBase metadata and log collection / HBase metadata and log collection
- HDFS
  - built-in commands / Loading Hadoop data
  - mounting / HDFS collections through the host operating system
  - advantages / The Hadoop shell command collection
- HDFS collection approaches
  - about / Other HDFS collection approaches
- HDFS contents
  - collecting / Targeted collection from a Hadoop client
- HDFS data extraction
  - about / HDFS data extraction
  - hex editors / Hex editors
- Helix
- hex editor
  - URL / Hex editors
- hex editors
  - about / Hex editors
- HFiles
- Hive / Hive
  - Data Storage / Collecting Hive evidence
  - Metastore / Collecting Hive evidence
  - QL / Collecting Hive evidence
  - Databases and Tables / Collecting Hive evidence
  - Shell / Collecting Hive evidence
  - Clients / Collecting Hive evidence
  - replicating / Hive backup collection
- Hive clients
  - Thrift Client / Collecting Hive evidence
  - JDBC Client / Collecting Hive evidence
  - ODBC Client / Collecting Hive evidence
- Hive evidence
  - collecting / Collecting Hive evidence
  - Hive data, loading / Loading Hive data
  - identifying / Identifying Hive evidence
  - Hive backup collection / Hive backup collection
  - Hive query collection / Hive query collection
  - Hive metadata and log collection / Hive metadata and log collection
  - Hive script collection / The Hive script collection
- Hive libraries
- HiveQL
  - about / Collecting Hive evidence
  - commands / Identifying Hive evidence
- Hive query collection
  - about / Hive query collection
  - Hive query control totals / Hive query control totals
- Hive query commands
  - about / Hive query control totals
- host operating system
  - defining / HDFS collections through the host operating system
  - imaging / Imaging the host operating system
  - mounted HDFS partition, imaging / Imaging a mounted HDFS partition
  - targeted collection, from Hadoop client / Targeted collection from a Hadoop client
I
- identification phase
  - considerations / Identification
  - goals / Identification
- investigation considerations
  - equipment / Equipment
  - evidence management / Evidence management
  - investigator training and certification / Investigator training and certification
  - post-investigation process / The post-investigation process
- investigation types, analysis approaches
  - Consumer Fraud / Types of investigation
  - Corporate Fraud / Types of investigation
  - Employee Fraud / Types of investigation
  - Government Fraud / Types of investigation
  - Intellectual Property / Types of investigation
  - Unauthorized Access / Types of investigation
  - Class Action / Types of investigation
J
- Java Archive (JAR)
  - about / Packaged jobs and JAR files
- Java Database Connectivity (JDBC)
  - about / Collecting Hive evidence
- Java Virtual Machine (JVM)
L
- library types, Hive script collection
  - about / The Hive script collection
- LightHadoop / LightHadoop
- LightHadoop VM
  - URL / LightHadoop
- Linux configuration files
  - /etc/hosts / Linux configuration files
  - /etc/hosts.allow (deny) / Linux configuration files
  - /etc/rc.d/rc/rcX.d / Linux configuration files
  - /etc/fstab / Linux configuration files
  - /etc/group / Linux configuration files
  - /etc/syslogd.conf / Linux configuration files
- log file analysis
  - cross-validation / Log file analysis
  - user activity analysis / Log file analysis
  - system change analysis / Log file analysis
- log files
  - types / Log file analysis
  - defining / Log file analysis
- logs, Hadoop cluster
M
- MapReduce
  - about / The components of Hadoop
  - URL / The components of Hadoop
- Master Node
  - about / The components of Hadoop
- metadata
  - about / Metadata preservation
  - analyzing / Other metadata analysis
- metadata analysis
  - about / Metadata analysis
  - file activity timeline analysis / File activity timeline analysis
  - other metadata analysis / Other metadata analysis
- methods
  - used, for performing comparison / Targeted collection from a Hadoop client
- Modified, Accessed, and Created (MAC)
  - about / File activity timeline analysis
- mounted HDFS partition
  - advantages / Imaging a mounted HDFS partition
- mounting tools
  - about / Imaging a mounted HDFS partition
N
- NameNode
- NameNode tree structure
  - directories and files / Targeted collection from a Hadoop client
- network-attached storage (NAS)
  - about / Analysis preparation
- non-Hadoop data
O
- Open Database Connectivity (ODBC)
  - about / Software extractions
- Oracle VM VirtualBox installation file
  - URL / LightHadoop
P
- personally identifiable information (PII)
  - about / The data collection request
- physical collection
  - versus remote collection / Physical versus remote collections
- Pig / Pig
  - about / HBase collection via scripts
- Pig scripts, for HBase
- Platform as a Service (PaaS)
- pre-analysis steps
  - defining / Pre-analysis steps
  - data, loading / Loading data
  - data, surveying / Data surveying
  - data, transforming / Transforming data
- pre-load data transformations
  - file types / Preload data transformations
  - running / Preload data transformations
- presentation phase
  - goals / Presentation
- presentations
  - defining / Testimony and other presentations
Q
- query-based collection
R
- relational database management system (RDBMS)
  - about / Collection via Sqoop
- remote collection
  - versus physical collection / Physical versus remote collections
- report
  - developing / Developing the report
  - process, explaining / Explaining the process
  - findings, displaying / Showing the findings
  - exhibits, using / Using exhibits or appendices
  - appendices, using / Using exhibits or appendices
- report types
  - about / Types of reports
  - Internal investigation / Types of reports
  - Affidavit / Types of reports
  - Declaration / Types of reports
  - Expert report / Types of reports
  - sample reports / Sample reports
S
- sample data, for testing
- sample reports
  - internal investigation report / Internal investigation report
  - affidavit and declaration / Affidavit and declaration
  - expert report / Expert report
- script-based collection
- Secure File Transfer Protocol (SFTP)
  - about / The data collection request
- Secure Shell (SSH)
  - about / Amazon Web Services
- semi-structured data
  - about / The four Vs of Big Data
- SequenceFiles
  - Uncompressed / Hadoop SequenceFile
  - Record-compressed / Hadoop SequenceFile
  - Blocked-compressed / Hadoop SequenceFile
- serialization frameworks, Hadoop
  - about / Data serialization
- Slave Node
  - about / The components of Hadoop
- software-based collection
- sources of data
  - locating / Locating sources of data
- spoliation
  - about / The analysis of deleted files
- SQL
  - about / Collecting HBase evidence
- SQL Server 2014 Express LocalDB
- SQL Server 2014 Management Studio
- SQL Server Management Studio (SSMS)
  - about / Loading data
- Sqoop
  - about / Collection via Sqoop
  - data, importing in databases / Collection via Sqoop
- SQuirreL
  - about / Hive backup collection
- staff interview
- staff types
- structure, directories and files
- structured data
- subset
  - collecting / Application collection approaches
- system architecture
  - reviewing / Reviewing the system architecture
T
- testimony
- timeline analysis
  - performing / File activity timeline analysis
- time series analysis
  - about / The time series analysis
  - change over time, measuring / Measuring change over time
- tools, Hadoop
  - HBase / The components of Hadoop
  - Hive / The components of Hadoop
  - Sqoop / The components of Hadoop
  - Pig / The components of Hadoop
  - Flume / The components of Hadoop
U
- unstructured data
V
- virtual machine (VM)
  - about / LightHadoop
W
- write-ahead log (WAL)
  - about / HBase
Z
- ZooKeeper
  - about / HBase