Book Image

Digital Forensics with Kali Linux - Second Edition

By : Shiva V. N. Parasram
Book Image

Digital Forensics with Kali Linux - Second Edition

By: Shiva V. N. Parasram

Overview of this book

Kali Linux is a Linux-based distribution that's widely used for penetration testing and digital forensics. It has a wide range of tools to help for digital forensics investigations and incident response mechanisms. This updated second edition of Digital Forensics with Kali Linux covers the latest version of Kali Linux and The Sleuth Kit. You'll get to grips with modern techniques for analysis, extraction, and reporting using advanced tools such as FTK Imager, hex editor, and Axiom. Updated to cover digital forensics basics and advancements in the world of modern forensics, this book will also delve into the domain of operating systems. Progressing through the chapters, you'll explore various formats for file storage, including secret hiding places unseen by the end user or even the operating system. The book will also show you how to create forensic images of data and maintain integrity using hashing tools. Finally, you'll cover advanced topics such as autopsies and acquiring investigation data from networks, operating system memory, and quantum cryptography. By the end of this book, you'll have gained hands-on experience of implementing all the pillars of digital forensics: acquisition, extraction, analysis, and presentation, all using Kali Linux tools.

Related Content you might be interested in

Current Title:

Small book image
Digital Forensics with Kali Linux - Second Edition
Shiva V. N. Parasram
Apr, 2020 | 334 pages
Small book image
Digital Forensics and Incident Response
Gerard Johansen
Dec, 2022 | 532 pages
Small book image
Learn Computer Forensics – 2nd edition
William Oettinger
Jul, 2022 | 434 pages
Small book image
Windows Forensics Analyst Field Guide
Muhiballah Mohammed
Oct, 2023 | 318 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: Kali Linux – Not Just for Penetration Testing
Section 1: Kali Linux – Not Just for Penetration Testing
Free Chapter
2
Chapter 1: Introduction to Digital Forensics
Chapter 1: Introduction to Digital Forensics
What is digital forensics?
Digital forensics methodology
A brief history of digital forensics
The need for digital forensics as technology advances
Operating systems and open source tools for digital forensics
The need for multiple forensics tools in digital investigations
Commercial forensics tools
Anti-forensics – threats to digital forensics
Summary
Further reading
3
Chapter 2: Installing Kali Linux
Chapter 2: Installing Kali Linux
Software version
Downloading Kali Linux
Installing Kali Linux
Installing Kali Linux in VirtualBox
Summary
4
Section 2: Forensic Fundamentals and Best Practices
Section 2: Forensic Fundamentals and Best Practices
5
Chapter 3: Understanding Filesystems and Storage Media
Chapter 3: Understanding Filesystems and Storage Media
The history of storage media
Filesystems and operating systems
What about the data?
Data volatility
The paging file and its importance in digital forensics
Summary
6
Chapter 4: Incident Response and Data Acquisition
Chapter 4: Incident Response and Data Acquisition
Digital evidence acquisition and procedures
Incident response and first responders
Documentation and evidence collection
Chain of custody
Live acquisition versus post-mortem acquisition
Write blocking
Data imaging and hashing
Device and data acquisition guidelines and best practices
Summary
7
Section 3: Forensic Tools in Kali Linux
Section 3: Forensic Tools in Kali Linux
8
Chapter 5: Evidence Acquisition and Preservation with dc3dd and Guymager
Chapter 5: Evidence Acquisition and Preservation with dc3dd and Guymager
Drive and partition recognition in Linux
Maintaining evidence integrity
Using dc3dd in Kali Linux
Image acquisition using DD
Image acquisition using Guymager
Windows memory acquisition
Summary
9
Chapter 6: File Recovery and Data Carving with foremost, Scalpel, and bulk_extractor
Chapter 6: File Recovery and Data Carving with foremost, Scalpel, and bulk_extractor
Forensic test images used in Foremost and Scalpel
Using Foremost for file recovery and data carving
Using Scalpel for data carving
bulk_extractor
Summary
10
Chapter 7: Memory Forensics with Volatility
Chapter 7: Memory Forensics with Volatility
Introducing the Volatility Framework
Downloading test images for use with Volatility
Using Volatility in Kali Linux
Summary
11
Chapter 8: Artifact Analysis
Chapter 8: Artifact Analysis
Identifying devices and operating systems with p0f
Information gathering and fingerprinting with Nmap
Live Linux forensics with Linux Explorer
Ransomware analysis
swap_digger
Password dumping with mimipenguin
Examining Firefox artifacts with pdgmail
Summary
12
Section 4: Automated Digital Forensic Suites
Section 4: Automated Digital Forensic Suites
13
Chapter 9: Autopsy
Chapter 9: Autopsy
Introduction to Autopsy
The sample image file used in Autopsy
Digital forensics with Autopsy
Summary
14
Chapter 10: Analysis with Xplico
Chapter 10: Analysis with Xplico
Software requirements
Installing Xplico in Kali Linux
Starting Xplico in DEFT Linux 8.2
Packet capture analysis using Xplico
Network activity analysis exercise
Summary
15
Chapter 11: Network Analysis
Chapter 11: Network Analysis
Capturing packets using Wireshark
NetworkMiner
Packet capture analysis with PcapXray
Online PCAP analysis
Reporting and presentation
Summary
16
Other Books You May Enjoy
Other Books You May Enjoy

The need for multiple forensics tools in digital investigations

Preservation of evidence is of the utmost importance. Using commercial and open source tools correctly will yield results; however, for forensically sound results, it is sometimes best if more than one tool can be used and produces the same results.

Another reason to use multiple tools may simply be cost. Some of us may have a large budget to work with, while others may have a limited one or none at all. Commercial tools can be costly, especially due to research and development, testing, advertising, and other factors. Additionally, many commercial tools are now subscription-based, with yearly recurring renewal fees. Open source tools, while tested by the community, may not have the available resources and funding as with commercial tools.

So, then, how do we know which tools to choose?

Digital forensics is often quite time consuming, which is one of the reasons you may wish to work with multiple forensic copies of the evidence. This way, you can use different tools simultaneously in an effort to speed up the investigation. While fast tools may be a good thing, we should also question the reliability and accuracy of the tools.

The National Institute of Standards and Technology (NIST) has developed a Computer Forensics Tool Testing (CFTT) program that tests digital forensic tools and makes all findings available to the public. Several tools are chosen based on their specific abilities and placed into testing categories such as disk imaging, carving, and file recovery. Each category has a formal test plan and strategy for testing along with a validation report, again available to the public.

More on the CFTT program can be found at https://www.cftt.nist.gov/disk_imaging.htm. Testing and validation reports on many of the tools covered in this book can be found at https://www.dhs.gov/science-and-technology/nist-cftt-reports.

To re-enforce the importance of using multiple tools in maintaining the integrity of your investigations and findings, multiple tools will be demonstrated in the third and fourth sections of this book.

Previous Section
End of Section 7
Next Section