Book Image

Digital Forensics with Kali Linux

Book Image

Digital Forensics with Kali Linux

Overview of this book

Kali Linux is a Linux-based distribution used mainly for penetration testing and digital forensics. It has a wide range of tools to help in forensics investigations and incident response mechanisms. You will start by understanding the fundamentals of digital forensics and setting up your Kali Linux environment to perform different investigation practices. The book will delve into the realm of operating systems and the various formats for file storage, including secret hiding places unseen by the end user or even the operating system. The book will also teach you to create forensic images of data and maintain integrity using hashing tools. Next, you will also master some advanced topics such as autopsies and acquiring investigation data from the network, operating system memory, and so on. The book introduces you to powerful tools that will take your forensic abilities and investigations to a professional level, catering for all aspects of full digital forensic investigations from hashing to reporting. By the end of this book, you will have had hands-on experience in implementing all the pillars of digital forensics—acquisition, extraction, analysis, and presentation using Kali Linux tools.

Related Content you might be interested in

Current Title:

Small book image
Digital Forensics with Kali Linux
Dec, 2017 | 274 pages
Small book image
Learn Computer Forensics – 2nd edition
William Oettinger
Jul, 2022 | 434 pages
Small book image
Digital Forensics and Incident Response
Gerard Johansen
Dec, 2022 | 532 pages
Small book image
Kali Linux 2018: Assuring Security by Penetration Testing
Lee Allen | Alex Samm | Shakeel Ali | Damian Boodoo | Tedi Heriyanto | Gerard Johansen | Shiva V N Parasram
Oct, 2018 | 528 pages
Table of Contents (18 chapters)
Title Page
Title Page
Credits
Credits
Disclaimer
Disclaimer
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
Introduction to Digital Forensics
Introduction to Digital Forensics
What is digital forensics?
Digital forensics methodology
A brief history of digital forensics
The need for digital forensics as technology advances
Commercial tools available in the field of digital forensics
Operating systems and open source tools for digital forensics
The need for multiple forensics tools in digital investigations
Anti-forensics: threats to digital forensics
Summary
2
Installing Kali Linux
Installing Kali Linux
Software version
Downloading Kali Linux
Installing Kali Linux
Installing Kali Linux in VirtualBox
Summary
3
Understanding Filesystems and Storage Media
Understanding Filesystems and Storage Media
Storage media
Filesystems and operating systems
What about the data?
Data volatility
The paging file and its importance in digital forensics
Summary
4
Incident Response and Data Acquisition
Incident Response and Data Acquisition
Digital evidence acquisitions and procedures
Incident response and first responders
Documentation and evidence collection
Chain of Custody
Powered-on versus powered-off device acquisition
Write blocking
Data imaging and hashing
Device and data acquisition guidelines and best practices
Summary
5
Evidence Acquisition and Preservation with DC3DD and Guymager
Evidence Acquisition and Preservation with DC3DD and Guymager
Drive and partition recognition in Linux
Maintaining evidence integrity
Using DC3DD in Kali Linux
Image acquisition using Guymager
Summary
6
File Recovery and Data Carving with Foremost, Scalpel, and Bulk Extractor
File Recovery and Data Carving with Foremost, Scalpel, and Bulk Extractor
Forensic test images used in Foremost and Scalpel
Using Foremost for file recovery and data carving
Using Scalpel for data carving
Bulk_extractor
Summary
7
Memory Forensics with Volatility
Memory Forensics with Volatility
About the Volatility Framework
Downloading test images for use with Volatility
Using Volatility in Kali Linux
Summary
8
Autopsy – The Sleuth Kit
Autopsy – The Sleuth Kit
Introduction to Autopsy – The Sleuth Kit
Sample image file used in Autopsy
Digital forensics with Autopsy
Summary
9
Network and Internet Capture Analysis with Xplico
Network and Internet Capture Analysis with Xplico
Software required
Packet capture analysis using Xplico
Summary
10
Revealing Evidence Using DFF
Revealing Evidence Using DFF
Installing DFF
Summary

Maintaining evidence integrity

In an effort to provide proof that the evidence was not tampered with, a hash of the evidence should be provided before and during, or after, an acquisition.

In Kali Linux, we can use the md5sum command followed by the path of the device, to create an MD5 hash of the evidence/input file. For example, md5sum /dev/sdx.

You may also try the command with superuser privileges by typing sudo md5sum /dev/sdx.

For this example, the 2 GB flash drive that I'll be using (named test_usb) is recognized as sdb, and so the command I will be using, is shown in the following screenshot:

In the previous example, the output of the md5sum of the 2 GB flash drive is displayed as 9f038....1c7d3  /dev/sdb. When performing the acquisition or forensic imaging of the drive using DC3DD, we should also have that exact result when hashing the created image file output to ensure that both the original evidence and the copy are exactly the same, thereby maintaining the integrity of the evidence...

Previous Section
End of Section 3
Next Section