What this book covers

Chapter 1, Types of Computer-Based Investigations, introduces to the reader the different topics of computer-based investigations, from criminal acts investigated by the police to potentially illegal actions performed by an employee or third parties and examined by a non-governmental investigator. While the goal is the same—to present evidence about an incident—the methods of the two slightly differ. It is essential for the reader to understand the similarities, that is, being able to present evidence in judicial proceedings, and recognize the differences, that is, search warrant requirements for a government agent.

Chapter 2, The Forensic Analysis Process, details the critical thinking in the planning of providing digital investigative services. This topic will allow the reader to create a strategy to conduct an efficient investigation. The reader will learn to offer different approaches to conduct an investigation depending on the unique set of circumstances for each matter.

Chapter 3, Acquisition of Evidence, explains that digital evidence is one of the most volatile pieces of evidence an investigator can handle. The mishandling of digital evidence can severely impact an investigation. Additionally, you may destroy the entire dataset. This chapter will address how to minimize or eliminate these issues when using a validation process to create a forensic image.

Chapter 4, Computer Systems, explains that the investigator must control the computer processes while acquiring digital evidence. When dealing with the many combinations of operating systems and hardware, you must implement controls to protect the integrity of the evidence. This chapter will discuss the boot process in detail and identify the most commonly used filesystems.

Chapter 5, Computer Investigation Process, explains that being a forensic examiner is much more than pushing a button. Once the evidence has been collected, you have to analyze the dataset. It is not about finding artifacts but rather examining the data and putting it into a context that will either support or not support the hypothesis about the user’s actions on the system.

Chapter 6, Windows Artifact Analysis, explains that Microsoft Windows is by far the most common operating system today. In this chapter, we will look at the different versions of Windows and will show the reader how to identify and recover common artifacts based on the release of Windows being examined.

Chapter 7, RAM Memory Forensic Analysis, covers the analysis of RAM, which is a source of evidence that has recently been recognized as containing vital information about the user’s actions on the system. RAM is very volatile evidence and can provide data that cannot be found anywhere else on the computer system.

Chapter 8, Email Forensics – Investigation Techniques, discusses email, which is a part of everyday life. This communication vector can be one of the primary communication tools for the majority of the population. These communications can contain incredible amounts of data related to an investigation. The investigator must be able to reconstruct the path that email took from the source to the destination to determine its validity.

Chapter 9, Internet Artifacts, explains that using the internet is a daily activity for the majority of the population. Like any other activity, the internet can be used for legal, law-abiding business, or for criminal activity. The internet can be accessed in a variety of ways. The forensic investigator must be able to analyze all these different aspects of the internet to get to the truth of the matter.

Chapter 10, Online Investigations, discusses how to use open-source intelligence techniques to learn about the target of the investigations. Also discussed are the steps an investigator can take to hide their true identity and create an undercover online persona.

Chapter 11, Networking Basics, explains some of the common network protocols, hardware and models that are being used to connect devices and share information. The ability to understand how information is shared between devices is a critical skill for the online investigator.

Chapter 12, Report Writing, covers report writing, which is not the most exciting portion of the forensic exam process. The forensic examiner must be able to explain a technical topic to a non-technical user. As a forensic examiner, you must be able to place that artifact into a context that the audience understands. This ability is a critical skill that you need to master to be a competent forensic examiner.

Chapter 13, Expert Witness Ethics, explains that a forensic examiner must be objective, truthful, honest, and perform their due diligence when conducting an examination. The examiner will be providing testimony that may result in someone losing their freedom. The ultimate goal of the investigation conducted by the forensic examiner is to provide testimony or evidence in a judicial or administrative proceeding to stop the cybercriminal’s activity.

Download the exercise files

You can download exercise files for this book from at https://github.com/bill-lcf/Learn-Computer-Forensics.

Employed academic faculty can also download PowerPoints for each chapter and a question bank after validation. Send an email to [email protected] from an .edu email address requesting access. If you do not have an .edu email address, please send proof that you are an instructor.

Once the files are downloaded, please make sure that you unzip or extract the folder using the latest version of:

• WinRAR / 7-Zip for Windows
• Zipeg / iZip / UnRarX for Mac
• 7-Zip / PeaZip for Linux

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781803238302_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. For example: “Outlook stores email information in several file types, such as .pst, .mdb, and .ost.”

A block of code is set as follows:

MIME-Version: 1.0 
Content-Type: text/html; charset=us-ascii 
Content-Transfer-Encoding: 7bit

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

{"endpoint_info_list":[{"endpoint":"smtp:[email protected]",
"c_id":"d24c.2d00",
"c_name":"Joe Badguy Smith"},
{"endpoint":"smtp:[email protected]",
"c_id":"e80f.5b71","c_name":"John Badguy Smith"},
{"endpoint":"smtp:[email protected]",
"c_id":"624f.10f0","c_name":"Yahoo! Inc."}]}

Any command-line input or output is written as follows:

$USER$\AppData\Local\Google\Chrome\User Data\Default

Bold: Indicates a new term, an important word, or words that you see on the screen. For instance, words in menus or dialog boxes appear in the text like this. For example: “The MSF files are Mail Summary files, one part of the email.”