Uploader: 高宏飞
Shared on 2026-06-20
Author: Akashdeep Bhardwaj, Keshav Kaushik
ISBN: 9355511450
Publisher: BPB
Publish Year: 2023
Language: English
Pages: 344
File Format: PDF
File Size: 6.2 MB
Text Preview (First 20 pages)
Practical Digital Forensics
Forensic Lab Setup, Evidence Analysis, and Structured Investigation Across Windows, Mobile, Browser, HDD, and Memory

Dr. Akashdeep Bhardwaj
Keshav Kaushik

www.bpbonline.com
Copyright © 2023 BPB Online

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor BPB Online or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

BPB Online has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, BPB Online cannot guarantee the accuracy of this information.

First published: 2023

Published by BPB Online
WeWork
119 Marylebone Road
London NW1 5PU

UK | UAE | INDIA | SINGAPORE

ISBN 978-93-5551-150-8

www.bpbonline.com
Dedicated to

Akashdeep Bhardwaj's beloved Parents:
Sh. Kailash Chand Bhardwaj, Smt. Usha Bhardwaj
My wife Archana and My Daughter Raavi

&

Keshav Kaushik's beloved Parents:
Sh. Vijay Kaushik, Smt. Saroj Kaushik
My wife Priyanka and My Daughter Kashvi
About the Authors

Dr. Akashdeep Bhardwaj is currently working as Professor (Cyber Security & Digital Forensics) at the University of Petroleum & Energy Studies (UPES), Dehradun, India. He is an eminent industry expert with over 27 years of experience in Cybersecurity, Digital Forensics and IT Management Operations. Dr. Akashdeep mentors national and international graduate, master's and doctoral students and leads several Cybersecurity projects, including the Cyber CoE. Dr. Akashdeep holds a post-doctorate in Computer Science along with over 20 IT industry certifications. Dr. Akashdeep has published over 100 research papers, chapters, books and patents. Dr. Akashdeep has worked as Technology Leader for various multinational organizations and is certified in Cybersecurity, Compliance Audits, Information Security, Microsoft, Cisco and VMware technologies.

Keshav Kaushik is an experienced educator with over eight years of teaching and research experience in Cybersecurity, Digital Forensics, and the Internet of Things. He is working as an Assistant Professor (Senior Scale) in the School of Computer Science at the University of Petroleum and Energy Studies, Dehradun, India. He has published 65+ research papers in International Journals and has presented at reputed International Conferences. He is a Certified Ethical Hacker (CEH) v11, CQI and IRCA Certified ISO/IEC 27001:2013 Lead Auditor, Quick Heal Academy Certified Cyber Security Professional (QCSP), and IBM Cybersecurity Analyst. He has acted as a keynote speaker and delivered 50+ professional talks on various national and international platforms. He has edited over ten books with reputed international publishers such as Springer, Taylor and Francis, IGI Global and Bentham Science. He has chaired various special sessions at international conferences and has also served as a reviewer for peer-reviewed journals and conferences.
About the Reviewer

Dylan Waggy is a Senior Advisor, Incident Response Analyst for an American multinational technology company. He has a Bachelor of Science in Digital Forensics, a Minor in Criminal Justice, and more than 7 years of experience within the Investigative and Incident Response space. He holds the certifications Certified Forensic Computer Examiner (CFCE), Certified Forensic Analyst (GCFA), and Reverse Engineering Malware (GREM). Dylan has completed over 300 federal crime cases assisting Law Enforcement entities with their Digital Forensic needs. He has helped build Digital Forensics and Incident Response teams at multiple Fortune 500 companies. He takes pride in knowing he can help, proactively and retroactively, protect a company from threats, both internal and external.
Acknowledgement

There are a few people I want to thank for the continued and ongoing support they have given me during the writing of this book. First and foremost, I would like to thank my parents for continuously encouraging me to write the book — I could never have completed this book without their support.

I am grateful to the course and the companies which gave me support throughout the learning process of web scraping, and it is very crucial to learn the tools related to web scraping. Thank you for all the hidden support provided.

My gratitude goes to the team at BPB Publications for being supportive enough to give me quite a long time to finish the first part of the book and also to allow me to publish the book in multiple parts, since image processing is a vast and very active area of research, and it was impossible to deep-dive into the different classes of problems in a single book without making it too voluminous.
Preface

This book dives into the basic to advanced technical details of analyzing postmortem forensic images of Windows and Linux systems which have been misused, abused, or targeted by malicious attacks. It helps forensic investigators locate and analyze digital evidence found on Linux desktops, servers, and IoT devices. Throughout the book, you learn how to identify digital artifacts which may be of interest to an investigation, draw logical conclusions, and reconstruct past activity from incidents. You will learn how Linux works from a digital forensics and investigation perspective, and how to interpret evidence from Linux environments. The techniques shown are intended to be independent of the forensic analysis platforms and tools used.

This book covers the full life cycle of conducting a mobile and computer digital forensic examination, including planning and performing an investigation as well as report writing and testifying. Case reviews in corporate, civil, and criminal situations are also described from both prosecution and defense perspectives. This book draws from years of experience in local, state, federal, and international environments and highlights the challenges inherent in deficient cyber security practices. Topics include the importance of following the scientific method and verification, legal and ethical issues, planning an investigation (including tools and techniques), incident response, case project management and authorization, social media and internet, cloud, anti-forensics, link and visual analysis, and psychological considerations. The book is a valuable resource for the academic environment, law enforcement, those in the legal profession, and those working in the cyber security field. Case reviews include cyber security breaches, anti-forensic challenges, child exploitation, and social media investigations.

This book teaches you how to conduct examinations by explaining what digital forensics is, the methodologies used, key technical concepts and the tools needed to perform examinations. Readers will also learn how to collect evidence, document the scene, and recover deleted data. This is the only resource your students need to get a jump-start into digital forensics investigations. This guide has been written to provide deep insights into Digital Forensics.

This book is organized into 11 chapters. After an introduction to the basics of digital forensics, the book proceeds with a discussion of key technical concepts, hard disks and file systems. Setting up a digital forensic lab and acquiring and analyzing digital evidence are explained using concepts as well as hands-on sessions for learners to replicate. The practical sessions cover digital forensic lab tools, collecting evidence, Windows system, hard disk, network, memory, email, and web browser artifacts, as well as anti-forensics. The book concludes by outlining challenges and concerns associated with digital forensics and writing forensic reports to be used by legal agencies.

Chapter 1: The scope of this chapter is to introduce the history of digital forensics and explain the importance of electronic and digital evidence for solving cybercrime and investigation problems. This chapter explains digital forensic terminology, the goals of forensic analysis, the digital forensics process, and the challenges for digital forensics.

Chapter 2: Conducting a digital forensics investigation requires a thorough understanding of some of the main technical concepts of computing. Knowing how data is stored in computers, number systems, how digital files are structured, and the types of storage units and the differences between them are essential areas for locating and handling digital evidence. This chapter covers those basic concepts.

Chapter 3: This chapter covers the computer hardware, logical disk structures, booting process and file systems that are often involved during forensic investigations to gather and analyze digital evidence.

Chapter 4: In-house digital forensics analysts usually work closely with law enforcement agencies to solve cases related to their businesses. Having an in-house digital forensics lab in today's digital age is a great investment for any company which values its data assets; however, this comes with a cost.

Chapter 5: The main task of a computer forensics investigator is to acquire and analyze computing devices' memory images. In this chapter, we cover techniques and tools to create forensic images from both running systems (volatile memory, RAM) and hard drives (HDD, SSD, flash thumb drives, and any similar digital storage media).

Chapter 6: All analysis work should be conducted on the forensic image only; forensic examiners should not interfere with the original suspect device, to avoid accidentally damaging the original evidence and thus making the entire investigation useless in a court of law. This chapter analyzes the acquired images to gather interesting artifacts and critical leads.

Chapter 7: In this chapter, we continue our digital analysis and cover how to build in-depth digital forensics knowledge and analyze different Microsoft Windows operating systems by knowing where forensic artifacts can be found and how we can analyze them to solve the digital crime cases at hand.

Chapter 8: Internet applications already installed on Windows can give important information about user actions performed previously on his/her computer. For instance, a web browser is the only way to access the Internet, and criminals use it to commit crimes related to the Internet or to target other users online. Internet users use web browsers to socialize, purchase items online, send e-mails and browse web content, among other things. This fact makes web browsers the preferred target for malicious actors seeking to steal confidential information such as account credentials.

Chapter 9: E-mails have become the primary means of communication in today's digital age; for instance, it is rare to see a person who owns a computer, smartphone, or tablet without an active e-mail account.

Chapter 10: Anti-forensics techniques are concerned with making digital forensics investigations very difficult to conduct and time consuming; they focus on frustrating digital forensics examiners by destroying digital evidence, hiding incriminating information so examiners cannot notice it, and manipulating evidence files to mislead the investigation and take it in the wrong direction. Reporting is a key issue in any type of investigation; a public investigation that involves courts usually needs more technical details and comprehensive descriptions of the methodology used to acquire and analyze the digital evidence.

Chapter 11: This chapter presents hands-on labs which learners need to study and replicate on their own systems. To implement these labs, Kali Linux (the latest version) or Windows 10/11 operating systems are required, run in a virtual environment. Do not install the digital forensics tools and run them on the main physical machine.
Coloured Images

Please follow the link to download the Coloured Images of the book: https://rebrand.ly/56ef48

We have code bundles from our rich catalogue of books and videos available at https://github.com/bpbpublications. Check them out!

Errata

We take immense pride in our work at BPB Publications and follow best practices to ensure the accuracy of our content and to provide our subscribers with an engaging reading experience. Our readers are our mirrors, and we use their inputs to reflect on and improve upon human errors, if any, that may have occurred during the publishing processes involved. To let us maintain the quality and help us reach out to any readers who might be having difficulties due to any unforeseen errors, please write to us at: errata@bpbonline.com

Your support, suggestions and feedback are highly appreciated by the BPB Publications' Family.

Did you know that BPB offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.bpbonline.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at: business@bpbonline.com for more details.

At www.bpbonline.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on BPB books and eBooks.

Piracy

If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at business@bpbonline.com with a link to the material.

If you are interested in becoming an author

If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit www.bpbonline.com. We have worked with thousands of developers and tech professionals, just like you, to help them share their insights with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions. We at BPB can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about BPB, please visit www.bpbonline.com.
Table of Contents

1. Introduction to Digital Forensics
   Introduction
   Structure
   Objectives
   Defining digital forensics
   Digital forensics goals
   Defining cybercrime
   Sources of cybercrime
   Computers in cybercrimes
   Digital forensics categories
      Computer forensics
      Mobile forensics
      Network forensics
      Database forensics
      Forensic data analysis
   Digital forensics users
      Law enforcement
      Civil litigation
      Intelligence and counterintelligence
   Digital forensics investigation types
   Forensics readiness
   Type of digital evidence
      User-created data
      Machine and network-created data
   Locations of electronic evidence
   Chain of custody
   Examination process
      Seizure
      Acquisition
      Analysis
      Reporting
   Conclusion
   Multiple choice questions
   Questions
   Learning Section
   Answers

2. Essential Technical Concepts
   Introduction
   Structure
   Objectives
   Decimal (Base-10)
   Binary
   Hexadecimal (Base-16)
   Hexadecimal (Base-64)
   Character encoding schema
   File carving
   File structure
   Digital file metadata
   Timestamps decoder
   Hash analysis
      Calculate file hash
   System memory
   Types of computer memory storage
      Primary storage
         RAM
         ROM
      Secondary storage
      Backup storage
   HDD
      Hard disk storage
   SSD
   DCO and HPA
   Considerations for data recovery
   File system
      NTFS
      FAT
   Environment for computing
   Cloud computing
      Software as a service (SaaS)
      Platform as a service (PaaS)
      Infrastructure as a service (IaaS)
   Windows versions
   Internet protocol (IP) address
      Getting an IP address
   Conclusion

3. Hard Disks and File Systems
   Introduction
   Structure
   Objectives
   Hard disk and file systems
      File systems
      Hard disk
   Hard disk forensics
   Analyzing the registry files
   Conclusion

4. Requirements for a Computer Forensics Lab
   Introduction
   Structure
   Objectives
   Digital Forensic Lab
      Physical requirements
      Environment controls
   Digital forensic equipment
      Forensic hardware
      Office electrical equipment
      Networked devices
   Forensic workstation
      Commercial digital forensic workstations
   Forensic software applications
      Commercial forensics tools
      Open-source forensic tools
      Linux distributions
   Virtualization
   Lab information management system (LIMS)
   Lab policies and procedures
   Documentation
   Lab accreditation
   Conclusion

5. Acquiring Digital Evidence
   Introduction
   Structure
   Objectives
   Raw format
   Advanced forensic format
   EnCase: Expert witness transfers
   Other file formats
   Validation of forensic imaging files
   Live memory acquisition
      Virtual memory: Swap space
      Challenges acquiring RAM
      Administration privilege
      Live RAM capturer
      Magnet RAM capture
      FTK imager
   Acquiring nonvolatile memory
      Hard disk acquisition
      Acquiring physical resources
      Logical acquisition
      Sparse acquisition
      Capturing hard drives using FTK imager
   Network acquisition
   Limitations of a forensic tool
   Conclusion

6. Analysis of Digital Evidence
   Introduction
   Structure
   Objectives
   Arsenal Image Mounter
   OSFMount
   Autopsy
   Analyzing RAM forensic image
      Memoryze
      Redline
      Volatility framework
   Conclusion

7. Windows Forensic Analysis
   Introduction
   Structure
   Timeline analysis tools
   File recovery
      Undeleting files
      Recycle bin forensics
      Data carving
      Associated user account action
   Windows registry analysis
      Windows registry architecture
      Acquiring Windows registry
      Registry examination
      Windows registry program keys
   USB device forensics
   Most recently used list
   Network analysis
   Windows shutdown time
   UserAssist forensics
   Printer registry information
   File format identification
   Windows thumbnail forensics
   Windows 10 forensics
      Notification area database
      Cortana forensics
   Conclusion

8. Web Browser and E-mail Forensics
   Introduction
   Structure