Digital Forensics with Kali Linux

Overview of this book

Kali Linux is a Linux-based distribution used mainly for penetration testing and digital forensics. It has a wide range of tools to help in forensics investigations and incident response mechanisms. You will start by understanding the fundamentals of digital forensics and setting up your Kali Linux environment to perform different investigation practices. The book will delve into the realm of operating systems and the various formats for file storage, including secret hiding places unseen by the end user or even the operating system. The book will also teach you to create forensic images of data and maintain integrity using hashing tools. Next, you will also master some advanced topics such as autopsies and acquiring investigation data from the network, operating system memory, and so on. The book introduces you to powerful tools that will take your forensic abilities and investigations to a professional level, catering for all aspects of full digital forensic investigations from hashing to reporting. By the end of this book, you will have had hands-on experience in implementing all the pillars of digital forensics—acquisition, extraction, analysis, and presentation using Kali Linux tools.

Preface

In today's world, new threats, breaches, and malicious activities are discovered and published in the news, websites, and portals quite regularly. As much as we try to secure our data, systems, and networks to the best of our abilities, breaches occur. In an effort to understand what took place, we turn to the field of digital forensics. Although still a relatively new field, forensics has become just as important as security, especially when considering the wealth of information available to anyone accessing the internet with the intent of carrying out malicious activity. Thankfully, digital fingerprints and artifacts are sometimes left behind, whether in a deleted or hidden file, email, in someone's browsing history, remote connection list, or even mobile text message.

This book gives even the absolute beginner a structured approach with best practices to carry out their own investigations using the popular and powerful forensics tools in Kali Linux, many of which are used by military organizations and forensic investigators worldwide.

What this book covers

Chapter 1, Introduction to Digital Forensics, gives an introduction to the various aspects of the science of digital forensics.

Chapter 2, Installing Kali Linux, shows how to install, configure, and update Kali Linux. The installation process is covered on both physical and virtual machines, for the benefit of users running Kali Linux on a single machine or on several. Once installed, we explore the Forensics menu in Kali Linux.

Chapter 3, Understanding Filesystems and Storage Media, dives into the realm of operating systems and the various formats for file storage, including secret hiding places not seen by the end user or even the operating system. We also inspect data about the data, known as metadata, and look at its volatility.

Chapter 4, Incident Response and Data Acquisition, asks what happens when an incident is reported or detected? Who are the first responders and what are the procedures for maintaining the integrity of the evidence? In this chapter, we look at best practices and procedures in data acquisition and evidence collection.

Chapter 5, Evidence Acquisition and Preservation with DC3DD and Guymager, focuses on one of the most important aspects of forensic acquisition. Learn to create forensic images of data and maintain integrity using hashing tools.

Chapter 6, File Recovery and Data Carving with Foremost, Scalpel, and Bulk Extractor, states that data disappears, whether accidentally, intentionally, or just hidden from plain sight and the operating system. In this chapter, we look at two powerful tools used to perform file recovery and learn about advanced search features.

Chapter 7, Memory Forensics with Volatility, states that in today's digital world we sometimes encounter scenarios that require the use of live memory forensics. Learn to use this powerful memory forensics tool to view running processes, programs, and live artifacts.

Chapter 8, Autopsy – The Sleuth Kit, introduces Autopsy, which is recognized as one of the very few available tools to rival commercial forensic tools. This powerful tool takes forensic abilities and investigations to a professional level, catering for all aspects of full digital forensics investigations from hashing to reporting.

Chapter 9, Network and Internet Capture Analysis with Xplico, investigates and analyzes captured network and internet traffic using this powerful tool.

Chapter 10, Revealing Evidence Using DFF, shows how two tools are better than one. Use another advanced forensic framework tool to carry out full and professional digital forensics investigations, ensuring the integrity of your findings by comparing the results found.

What you need for this book

To follow the exercises in this book, readers will need to download the following:

  • Kali Linux 2017.2 x64 and Kali Linux 2017.1 x64
  • VirtualBox 5.2 or higher
  • Kali Linux 2017.2 burnt to a DVD

Who this book is for

This book is intended for network, systems, and security administrators; information security officers; auditors; IT managers; and also students, researchers, security enthusiasts, and anyone interested in the field of digital forensics or interested in learning about specific tools for various stages of investigations, from evidence acquisition and preservation to analysis, using powerful forensic suites.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning. Code words in the text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "To begin installing DFF, we first need to update the sources.list with the repository used in Kali Sana."

A block of code is set as follows:

deb http://http.kali.org/kali kali-rolling main contrib non-free
deb-src http://http.kali.org/kali kali-rolling main contrib non-free
deb http://http.kali.org/kali sana main contrib

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

deb http://http.kali.org/kali kali-rolling main contrib non-free
deb-src http://http.kali.org/kali kali-rolling main contrib non-free
deb http://http.kali.org/kali sana main contrib

Any command-line input or output is written as follows:

dc3dd if=/dev/sdb hash=sha1 log=dd_split_usb ofsz=500M ofs=split_test_usb.img.ooo

New terms and important words are shown in bold.

Note

Warnings or important notes appear like this.

Note

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book: what you liked or disliked. Reader feedback is important to us as it helps us develop titles that you will really get the most out of. To send us general feedback, simply email [email protected], and mention the book's title in the subject of your message. If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you. You can download the code files by following these steps:

  1. Log in or register to our website using your e-mail address and password.
  2. Hover the mouse pointer on the SUPPORT tab at the top.
  3. Click on Code Downloads & Errata.
  4. Enter the name of the book in the Search box.
  5. Select the book for which you're looking to download the code files.
  6. Choose from the drop-down menu where you purchased this book from.
  7. Click on Code Download.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR / 7-Zip for Windows
  • Zipeg / iZip / UnRarX for Mac
  • 7-Zip / PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Digital-Forensics-with-Kali-Linux. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title. To view the previously submitted errata, go to https://www.packtpub.com/books/content/support, and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the internet, please provide us with the location address or website name immediately so that we can pursue a remedy. Please contact us at [email protected] with a link to the suspected pirated material. We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.