Book Image

Digital Forensics with Kali Linux - Second Edition

By : Shiva V. N. Parasram
Book Image

Digital Forensics with Kali Linux - Second Edition

By: Shiva V. N. Parasram

Overview of this book

Kali Linux is a Linux-based distribution that's widely used for penetration testing and digital forensics. It has a wide range of tools to help for digital forensics investigations and incident response mechanisms. This updated second edition of Digital Forensics with Kali Linux covers the latest version of Kali Linux and The Sleuth Kit. You'll get to grips with modern techniques for analysis, extraction, and reporting using advanced tools such as FTK Imager, hex editor, and Axiom. Updated to cover digital forensics basics and advancements in the world of modern forensics, this book will also delve into the domain of operating systems. Progressing through the chapters, you'll explore various formats for file storage, including secret hiding places unseen by the end user or even the operating system. The book will also show you how to create forensic images of data and maintain integrity using hashing tools. Finally, you'll cover advanced topics such as autopsies and acquiring investigation data from networks, operating system memory, and quantum cryptography. By the end of this book, you'll have gained hands-on experience of implementing all the pillars of digital forensics: acquisition, extraction, analysis, and presentation, all using Kali Linux tools.
Table of Contents (17 chapters)
1
Section 1: Kali Linux – Not Just for Penetration Testing
4
Section 2: Forensic Fundamentals and Best Practices
7
Section 3: Forensic Tools in Kali Linux
12
Section 4: Automated Digital Forensic Suites
16
Other Books You May Enjoy

Digital forensics methodology

Keeping in mind that forensics is a science, digital forensics requires appropriate best practices and procedures to be followed in an effort to produce the same results time and time again, providing proof of evidence, preservation, and integrity that can be replicated, if called upon to do so.

Although many people may not be performing digital forensics to be used as evidence in a court of law, it is best to practice in such a way as can be accepted and presented in a court of law. The main purpose of adhering to best practices set by organizations specializing in digital forensics and incident response is to maintain the integrity of the evidence for the duration of the investigation. In the event that the investigator's work must be scrutinized and critiqued by another or an opposing party, the results found by the investigator must be able to be recreated, thereby proving the integrity of the investigation. The purpose of this is to ensure that your methods can be repeated and, if dissected or scrutinized, produce the same results time and again. The methodology used, including the procedures and findings of your investigation, should always allow for the maintenance of the data's integrity, regardless of which tools are used.

The best practices demonstrated in this book ensure that the original evidence is not tampered with, or, in cases of investigating devices and data in a live or production environment, show well-documented proof that necessary steps were taken during the investigation to avoid unnecessary tampering of the evidence, thereby preserving the integrity of the evidence. For those completely new to investigations, I recommend familiarizing yourself with some of the various practices and methodologies available and widely practiced by the professional community.

As such, there exist several guidelines and methodologies that you should adopt, or at least follow, to ensure that examinations and investigations are forensically sound.

The three best practices documents mentioned in this chapter are as follows:

  • The ACPO Good Practice Guide for Digital Evidence
  • The Scientific Working Group on Digital Evidence's (SWGDE) Best Practices for Computer Forensics
  • The Budapest Convention on Cybercrime (CETS No. 185)

Although written in 2012, ACPO, now functioning as the National Police Chiefs' Council (NPCC), put forth a document in a PDF file called the ACPO Good Practice Guide for Digital Evidence regarding best practices when carrying out digital forensics investigations, particularly focusing on evidence acquisition. The ACPO Good Practice Guide for Digital Evidence was then adopted and adhered to by law enforcement agencies in England, Wales, and Northern Ireland, and can be downloaded in its entirety at https://www.npcc.police.uk/documents/FoI%20publication/Disclosure%20Logs/Information%20Management%20FOI/2013/031%2013%20Att%2001%20of%201%20ACPO%20Good%20Practice%20Guide%20for%20Digital%20Evidence%20March%202012.pdf.

Another useful and more recent document, produced in September 2014, on best practices in digital forensics was issued by the SWGDE. The SWGDE was founded in 1998 by the Federal Crime Laboratory Directors Group, with major members and contributors including the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), National Aeronautics and Space Administration (NASA), and the Department of Defense (DoD) Computer Forensics Laboratory. Though this document details procedures and practices within a formal computer forensics laboratory setting, the practices can still be applied to non-laboratory investigations by those not currently in, or with access to, such an environment.

The SWGDE's Best Practices for Computer Forensics sheds light on many of the topics covered in the following chapters, including the following:

  • Evidence collection and acquisition
  • Investigating devices that are powered on and off
  • Evidence handling
  • Analysis and reporting

The SWGDE's Best Practices for Computer Forensics Acquisitions (April 2018) can be viewed and downloaded directly from here: https://www.swgde.org/documents/Current%20Documents/SWGDE%20Best%20Practices%20for%20Computer%20Forensic%20Acquisitions

Important note

The SWGDE has a collection of 78 documents (at the time of this publication) that detail the best practices of evidence acquisition, collection, authentication, and examination, which can all be found at https://www.swgde.org/documents/Current%20Documents/SWGDE%20Best%20Practices%20for%20Compu%20ter%20Forensics.