Contents

Preface

Acknowledgments

Introduction

Author

Section I
ENABLING DIGITAL FORENSICS

1    Understanding Digital Forensics

Introduction

The Role of Technology in Crime

History of Digital Crime and Forensics

Prologue (1960s–1980s)

Infancy (1980–1995)

Childhood (1995–2005)

Adolescence (2005–2015)

The Future (2015 and Beyond)

Evolutionary Cycle of Digital Forensics

“Ad Hoc” Phase

“Structured” Phase

“Enterprise” Phase

Principles of Digital Forensics

Evidence Exchange

Forensics Soundness

Authenticity and Integrity

Chain of Custody

Types of Forensics Investigations

Legal Aspects

Jurisdiction

Digital Forensics Resources

Summary

2    Investigative Process Methodology

Introduction

Existing Process Models

Digital Forensics Readiness Model

Summary

3    Digital Evidence Management

Introduction

Types of Digital Evidence

Common Sources of Digital Evidence

Log Files

Computer Systems

Infrastructure Devices

Virtual Systems

Cloud Computing

Mobile Devices

External Sources

Federal Rules of Evidence

Investigative Process Methodology

Preparation

Information Security Management

Lab Environment

Hardware and Software

Gathering

Operating Procedures

Processing

Presentation

Evidence Storage Networks

Summary

4    Ethics and Conduct

Introduction

Importance of Ethics

Principles of Ethics

Personal Ethics

Professional Ethics

Computer Ethics

Business Ethics

Ethics in Digital Forensics

Certifications and Professional Organizations

Digital Forensics Certification Board (DFCB)

International Association of Computer Investigative Specialists (IACIS)

International Society of Forensics Computer Examiners (ISFCE)

Principles for Digital Forensics

Impartiality and Objectivity

Openness and Disclosure

Confidentiality and Trust

Due Diligence and Duty of Care

Certifications and Accreditations

Summary

5    Digital Forensics as a Business

Introduction

The Role of Digital Forensics in an Enterprise

Starting a Digital Forensics Program

Step #1: Understand Business Risks

Step #2: Outline Business Scenarios

Step #3: Establish Governance Framework

Step #4: Enable Technical Execution

Step #5: Define Service Offerings

Maintaining a Digital Forensics Program

Educational Roadmap

Forensics Toolkit Maintenance

Key Performance Indicators (KPI)

Resource Capacity

Challenges and Strategies

Team Placement

Industry Regulation

Political Influences

Summary

Section II
ENHANCING DIGITAL FORENSICS

6    Understanding Digital Forensic Readiness

Introduction

What Is Digital Forensics Readiness?

Costs and Benefits of Digital Forensics Readiness

Cost Assessment

Benefits Analysis

Implementing Forensics Readiness

Summary

7    Defining Business Risk Scenarios

Introduction

What Is Business Risk?

Forensics Readiness Scenarios

Scenario #1: Reduce the Impact of Cybercrime

Scenario #2: Validate the Impact of Cybercrime or Disputes

Mitigating Control Logs

Overhead Time and Effort

Indirect Business Loss

Recovery and Continuity Expenses

Scenario #3: Produce Evidence to Support Organizational Disciplinary Issues

Scenario #4: Demonstrating Compliance with Regulatory or Legal Requirements

Scenario #5: Effectively Manage the Release of Court-Ordered Data

Scenario #6: Support Contractual and Commercial Agreements

Scenario Assessment

Summary

8    Identify Potential Data Sources

Introduction

What Is a Data Source?

Background Evidence

Foreground Evidence

Cataloguing Data Sources

Phase #1: Prepare an Action Plan

Phase #2: Identify Data Sources

Phase #3: Document Deficiencies

Insufficient Data Availability

Unidentified Data Sources

External Data Considerations

Data Exposure Concerns

Forensic Architectures

Systems Lifecycle

Waterfall and Agile Models

Summary

9    Determine Collection Requirements

Introduction

Pre-collection Questions

Evidence Collection Factors

Best Evidence Rule

Time

Metadata

Cause and Effect

Correlation and Association

Corroboration and Redundancy

Storage Duration

Storage Infrastructure

Data Security Requirements

Summary

10    Establishing Legal Admissibility

Introduction

Legal Admissibility

Preservation Challenges

Preservation Strategies

Administrative Controls

Policies

Guidelines

Standards

Procedures

Technical Controls

Storage Security

Integrity Monitoring

Cryptographic Algorithms

Remote Logging

Secure Delivery

Physical Controls

Deter

Detect

Deny

Delay

Summary

11    Establish Secure Storage and Handling

Introduction

Secure Storage Attributes

Least Privilege Access

End-to-End Cryptography

Integrity Checking

Physical Security

Administrative Governance Foundations

Personnel

Evidence Storage

Evidence Handling

Incident and Investigative Response

Assurance Controls

Backup and Restoration Strategies

Near Real-Time Data Replication

Data Replication

Data Restoration from On-line Backup Media

Data Restoration from Off-line Backup Media

Summary

12    Enabling Targeted Monitoring

Introduction

What Is (un)acceptable Activity?

Digital Forensics in Enterprise Security

Information Security vs. Cyber Security

Defense-in-Depth

Traditional Security Monitoring

Modern Security Monitoring

Positive Security

Australian Signals Directorate (ASD)

Analytical Techniques

Misuse Detection

Anomaly Detection

Specification-Based Detection

Machine Learning

Extractive Forensics

Inductive Forensics

Deductive Forensics

Implementation Concerns

Summary

13    Mapping Investigative Workflows

Introduction

Incident Management Lifecycle

Integrating the Digital Forensic Readiness Model

Incident Handling and Response

Phase #1: Preparation

“Event” versus “Incident”

Policies, Plans, and Procedures

Team Structure and Models

Communication and Escalation

Escalation Management

Phase #2: Respond

Detection

Analysis

Prioritization

Phase #3: Restore

Containment

Eradication and Recovery

Phase #4: Learn

The Incident Response Team (IRT)

The Role of Digital Forensics During an Incident

Practitioner

Advisor

Investigation Workflow

Types of Security Investigations

Summary

14    Establish Continuing Education

Introduction

Types of Education and Training

Awareness

Basic Knowledge

Functional Knowledge

Professional Certification

Specialized Knowledge

Organizational Roles and Responsibilities

The Digital Forensics Team

Roles

Titles

An Educational Roadmap

Technical Knowledge

Introductory

Intermediate

Advanced

Non-Technical Knowledge

Introductory

Intermediate

Advanced

Digital Forensics Experts

Summary

15    Maintaining Evidence-Based Reporting

Introduction

Importance of Factual Reports

Types of Reports

Creating Understandable Reports

Arranging Written Reports

Inculpatory and Exculpatory Evidence

Summary

16    Ensuring Legal Review

Introduction

The Role of Technology in Crime

Laws and Regulations

Information Technology (IT) Law

Cyberlaw or Internet Law

Computer Law

Legal Precedence

Brady Rule: Inculpatory and Exculpatory Evidence

Frye versus Daubert Standard: General Acceptance Testing

Jurisdiction

Technology Counselling

Obtaining Legal Advice

Constraints

Disputes

Employees

Liabilities

Prosecution

Communication

Involving Law Enforcement

Summary

17    Accomplishing Digital Forensic Readiness

Introduction

Maintain a Business-Centric Focus

Don’t Reinvent the Wheel

Understand Costs and Benefits

Summary

Section III
INTEGRATING DIGITAL FORENSICS

18    Forensics Readiness in Cloud Environments

Introduction

Brief History of Cloud Computing

What Is Cloud Computing?

Characteristics

Service Models

Delivery Models

Isolation Models

Challenges with Cloud Environments

Mobility

Hyper-Scaling

Containerization

First Responders

Evidence Gathering and Processing

Forensics Readiness Methodology

Step #1: Define Business Risk Scenarios

Step #2: Identify Potential Data Sources

Step #3: Determine Collection Requirements

Enterprise Management Strategies

Cloud Computing Governance

Security and Configuration Standards

Reference Architectures

Step #4: Establish Legal Admissibility

Layers of Trust

Step #5: Establish Secure Storage and Handling

Step #6: Enable Targeted Monitoring

Step #7: Map Investigative Workflows

Phase #1: Preparation

Phase #2: Gathering

Phase #3: Processing

Phase #4: Presentation

Step #8: Establish Continuing Education

General Awareness

Basic Training

Formal Education

Step #9: Maintain Evidence-Based Presentations

Step #10: Ensure Legal Review

Contractual Agreements

Summary

19    Forensics Readiness with Mobile Devices

Introduction

Brief History of Mobile Devices

Challenges with Mobile Devices

Loss

Theft

Replacement

Local Storage

Cloud Storage

Encryption

“Burner” Phones

Forensics Readiness Methodology

Step #1: Define Business Risk Scenarios

Step #2: Identify Potential Data Sources

Step #3: Determine Collection Requirements

Enterprise Management Strategies

Step #4: Establish Legal Admissibility

Step #5: Establish Secure Storage and Handling

Step #6: Enable Targeted Monitoring

Step #7: Map Investigative Workflows

Phase #1: Preparation

Phase #2: Gathering

Phase #3: Processing

Phase #4: Presentation

Step #8: Establish Continuing Education

General Awareness

Basic Training

Formal Education

Step #9: Maintain Evidence-Based Presentation

Step #10: Ensure Legal Review

Summary

20    Forensics Readiness and the Internet of Things

Introduction

Brief History of the Internet of Things (IoT)

What Is the Internet of Things (IoT)?

Challenges with the Internet of Things (IoT)

Form Factor

Security

Privacy

Evidence Gathering and Processing

Forensics Toolkits

Forensics Readiness Methodology

Step #1: Define Business Risk Scenarios

Step #2: Identify Potential Data Sources

Step #3: Determine Collection Requirements

Step #4: Establish Legal Admissibility

Zones of Trust

Step #5: Establish Secure Storage and Handling

Step #6: Enable Targeted Monitoring

Step #7: Map Investigative Workflows

Phase #1: Preparation

Phase #2: Gathering

Phase #3: Processing

Phase #4: Presentation

Step #8: Establish Continuing Education

General Awareness

Basic Training

Formal Education

Step #9: Maintain Evidence-Based Presentation

Step #10: Ensure Legal Review

Discrimination

Privacy

Security

Consent

Summary

Section IV
ADDENDUMS

Addendum A: Tool and Equipment Validation Program

Addendum B: Service Catalog

Addendum C: Cost-Benefit Analysis

Addendum D: Building a Taxonomy

Addendum E: Risk Assessment

Addendum F: Threat Modeling

Addendum G: Data Warehousing Introduction

Addendum H: Requirements Analysis

Section V
APPENDIXES

Appendix A: Investigative Process Models

Appendix B: Education and Professional Certifications

Appendix C: Investigative Workflow

Section VI
TEMPLATES

Template 1: Test Case

Template 2: Logbook

Template 3: Chain of Custody

Template 4: Investigative Final Report

Template 5: Service Catalog

Template 6: Business Case

Template 7: Net Present Value (NPV)

Template 8: Threat Risk Assessment

Template 9: Data Source Inventory Matrix

Template 10: Project Charter

Template 11: Requirement Analysis Report

Bibliography

Resources

Glossary

Index
