Practical Forensic Imaging: Securing Digital Evidence with Linux Tools
Bruce Nikkel
No Starch Press, Incorporated, 1, 2016-09-01
English [en] · PDF · 7.7MB · 2016 · 📘 Nonfiction book · 🚀/lgli/lgrs/nexusstc/zlib
Description
About the Author
Brief Contents
Contents in Detail
Foreword
Introduction
Why I Wrote This Book
How This Book Is Different
Why Use the Command Line?
Target Audience and Prerequisites
Who Should Read This Book?
Prerequisite Knowledge
Preinstalled Platform and Software
How the Book Is Organized
The Scope of This Book
Conventions and Format
Chapter 0: Digital Forensics Overview
Digital Forensics History
Pre-Y2K
2000-2010
2010-Present
Forensic Acquisition Trends and Challenges
Shift in Size, Location, and Complexity of Evidence
Multijurisdictional Aspects
Industry, Academia, and Law Enforcement Collaboration
Principles of Postmortem Computer Forensics
Digital Forensic Standards
Peer-Reviewed Research
Industry Regulations and Best Practice
Principles Used in This Book
Chapter 1: Storage Media Overview
Magnetic Storage Media
Hard Disks
Magnetic Tapes
Legacy Magnetic Storage
Non-Volatile Memory
Solid State Drives
USB Flash Drives
Removable Memory Cards
Legacy Non-Volatile Memory
Optical Storage Media
Compact Discs
Digital Versatile Discs
Blu-ray Discs
Legacy Optical Storage
Interfaces and Physical Connectors
Serial ATA
Serial Attached SCSI and Fibre Channel
Non-Volatile Memory Express
Universal Serial Bus
Thunderbolt
Legacy Interfaces
Commands, Protocols, and Bridges
ATA Commands
SCSI Commands
NVME Commands
Bridging, Tunneling, and Pass-Through
Special Topics
DCO and HPA Drive Areas
Drive Service and Maintenance Areas
USB Attached SCSI Protocol
Advanced Format 4Kn
NVME Namespaces
Solid State Hybrid Disks
Closing Thoughts
Chapter 2: Linux as a Forensic Acquisition Platform
Linux and OSS in a Forensic Context
Advantages of Linux and OSS in Forensics Labs
Disadvantages of Linux and OSS in Forensics Labs
Linux Kernel and Storage Devices
Kernel Device Detection
Storage Devices in /dev
Other Special Devices
Linux Kernel and Filesystems
Kernel Filesystem Support
Mounting Filesystems in Linux
Accessing Filesystems with Forensic Tools
Linux Distributions and Shells
Linux Distributions
The Shell
Command Execution
Piping and Redirection
Closing Thoughts
Chapter 3: Forensic Image Formats
Raw Images
Traditional dd
Forensic dd Variants
Data Recovery Tools
Forensic Formats
EnCase EWF
FTK SMART
AFF
SquashFS as a Forensic Evidence Container
SquashFS Background
SquashFS Forensic Evidence Containers
Closing Thoughts
Chapter 4: Planning and Preparation
Maintain an Audit Trail
Task Management
Taskwarrior
Todo.txt
Shell Alias
Shell History
Terminal Recorders
Linux Auditing
Organize Collected Evidence and Command Output
Naming Conventions for Files and Directories
Scalable Examination Directory Structure
Save Command Output with Redirection
Assess Acquisition Infrastructure Logistics
Image Sizes and Disk Space Requirements
File Compression
Sparse Files
Reported File and Image Sizes
Moving and Copying Forensic Images
Estimate Task Completion Times
Performance and Bottlenecks
Heat and Environmental Factors
Establish Forensic Write-Blocking Protection
Hardware Write Blockers
Software Write Blockers
Linux Forensic Boot CDs
Media with Physical Read-Only Modes
Closing Thoughts
Chapter 5: Attaching Subject Media to an Acquisition Host
Examine Subject PC Hardware
Physical PC Examination and Disk Removal
Subject PC Hardware Review
Attach Subject Disk to an Acquisition Host
View Acquisition Host Hardware
Identify the Subject Drive
Query the Subject Disk for Information
Document Device Identification Details
Query Disk Capabilities and Features with hdparm
Extract SMART Data with smartctl
Enable Access to Hidden Sectors
Remove a DCO
Remove an HPA
Drive Service Area Access
ATA Password Security and Self-Encrypting Drives
Identify and Unlock ATA Password-Protected Disks
Identify and Unlock Opal Self-Encrypting Drives
Encrypted Flash Thumb Drives
Attach Removable Media
Optical Media Drives
Magnetic Tape Drives
Memory Cards
Attach Other Storage
Apple Target Disk Mode
NVME SSDs
Other Devices with Block or Character Access
Closing Thoughts
Chapter 6: Forensic Image Acquisition
Acquire an Image with dd Tools
Standard Unix dd and GNU dd
The dcfldd and dc3dd Tools
Acquire an Image with Forensic Formats
The ewfacquire Tool
AccessData ftkimager
SquashFS Forensic Evidence Container
Acquire an Image to Multiple Destinations
Preserve Digital Evidence with Cryptography
Basic Cryptographic Hashing
Hash Windows
Sign an Image with PGP or S/MIME
RFC-3161 Timestamping
Manage Drive Failure and Errors
Forensic Tool Error Handling
Data Recovery Tools
SMART and Kernel Errors
Other Options for Failed Drives
Damaged Optical Discs
Image Acquisition over a Network
Remote Forensic Imaging with rdd
Secure Remote Imaging with ssh
Remote Acquisition to a SquashFS Evidence Container
Acquire a Remote Disk to EnCase or FTK Format
Live Imaging with Copy-On-Write Snapshots
Acquire Removable Media
Memory Cards
Optical Discs
Magnetic Tapes
RAID and Multidisk Systems
Proprietary RAID Acquisition
JBOD and RAID-0 Striped Disks
Microsoft Dynamic Disks
RAID-1 Mirrored Disks
Linux RAID-5
Closing Thoughts
Chapter 7: Forensic Image Management
Manage Image Compression
Standard Linux Compression Tools
EnCase EWF Compressed Format
FTK SMART Compressed Format
AFFlib Built-In Compression
SquashFS Compressed Evidence Containers
Manage Split Images
The GNU split Command
Split Images During Acquisition
Access a Set of Split Image Files
Reassemble a Split Image
Verify the Integrity of a Forensic Image
Verify the Hash Taken During Acquisition
Recalculate the Hash of a Forensic Image
Cryptographic Hashes of Split Raw Images
Identify Mismatched Hash Windows
Verify Signature and Timestamp
Convert Between Image Formats
Convert from Raw Images
Convert from EnCase/E01 Format
Manual Creation of SquashFS Container
Convert Files from EnCase to FTK
Convert from FTK Format
Convert from AFF Format
Secure an Image with Encryption
GPG Encryption
OpenSSL Encryption
Forensic Format Built-In Encryption
General Purpose Disk Encryption
Disk Cloning and Duplication
Prepare a Clone Disk
Use HPA to Replicate Sector Size
Write an Image File to a Clone Disk
Image Transfer and Storage
Write to Removable Media
Inexpensive Disks for Storage and Transfer
Perform Large Network Transfers
Secure Wiping and Data Disposal
Dispose of Individual Files
Secure Wipe a Storage Device
Issue ATA Security Erase Unit Commands
Destroy Encrypted Disk Keys
Closing Thoughts
Chapter 8: Special Image Access Topics
Forensically Acquired Image Files
Raw Image Files with Loop Devices
Forensic Format Image Files
Prepare Boot Images with xmount
VM Images
QEMU QCOW2
VirtualBox VDI
VMware VMDK
Microsoft VHD
OS-Encrypted Filesystems
Microsoft BitLocker
Apple FileVault
Linux LUKS
TrueCrypt and VeraCrypt
Closing Thoughts
Chapter 9: Extracting Subsets of Forensic Images
Assess Partition Layout and Filesystems
Partition Scheme
Partition Tables
Filesystem Identification
Partition Extraction
Extract Individual Partitions
Find and Extract Deleted Partitions
Identify and Extract Inter-Partition Gaps
Extract HPA and DCO Sector Ranges
Other Piecewise Data Extraction
Extract Filesystem Slack Space
Extract Filesystem Unallocated Blocks
Manual Extraction Using Offsets
Closing Thoughts
Closing Remarks
Index
Alternative filename
lgli/practicalforensicimaging.pdf
Alternative filename
lgrsnf/practicalforensicimaging.pdf
Alternative filename
zlib/Computers/Security/Bruce Nikkel/Practical Forensic Imaging: Securing Digital Evidence with Linux Tools_18446337.pdf
Alternative author
Nikkel, Bruce
Alternative edition
Penguin Random House LLC (Publisher Services), San Francisco, 2016
Alternative edition
United States, United States of America
Alternative edition
Sep 01, 2016
Alternative edition
1, PS, 2016
Metadata comments
{"edition":"1","isbns":["1593277938","1593278004","1593278012","9781593277932","9781593278007","9781593278014"],"last_page":320,"publisher":"No Starch Press"}
Alternative description
Forensic image acquisition is an important part of postmortem incident response and evidence collection. Digital forensic investigators acquire, preserve, and manage digital evidence to support civil and criminal cases; examine organizational policy violations; resolve disputes; and analyze cyber attacks.
Practical Forensic Imaging takes a detailed look at how to secure and manage digital evidence using Linux-based command line tools. This essential guide walks you through the entire forensic acquisition process and covers a wide range of practical scenarios and situations related to the imaging of storage media.
You’ll learn how to:
• Perform forensic imaging of magnetic hard disks, SSDs and flash drives, optical discs, magnetic tapes, and legacy technologies
• Protect attached evidence media from accidental modification
• Manage large forensic image files, storage capacity, image format conversion, compression, splitting, duplication, secure transfer and storage, and secure disposal
• Preserve and verify evidence integrity with cryptographic and piecewise hashing, public key signatures, and RFC-3161 timestamping
• Work with newer drive and interface technologies like NVME, SATA Express, 4K-native sector drives, SSHDs, SAS, UASP/USB3x, and Thunderbolt
• Manage drive security such as ATA passwords; encrypted thumb drives; Opal self-encrypting drives; OS-encrypted drives using BitLocker, FileVault, and TrueCrypt; and others
• Acquire usable images from more complex or challenging situations such as RAID systems, virtual machine images, and damaged media
With its unique focus on digital forensic acquisition and evidence preservation, Practical Forensic Imaging is a valuable resource for experienced digital forensic investigators wanting to advance their Linux skills and experienced Linux administrators wanting to learn digital forensics. This is a must-have reference for every digital forensics lab.
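The description lists piecewise hashing (the "hash windows" of Chapters 6 and 7) as one of the integrity techniques the book covers. The following is an added example, not code from the book or from any of the tools it describes, showing why an examiner records per-window hashes alongside the whole-image hash: when a recomputed hash fails, the window list localises the damage to a byte range instead of only reporting that the image differs. It is written in Python rather than the book's shell tools so that it runs stand-alone; the "start-end digest" log layout, the 1 MiB default window and the seeded pseudo-random sample "image" are all assumptions made for this example (Python 3.9+ is needed for `random.Random.randbytes`).

```python
"""Piecewise (windowed) hashing of a raw forensic image, plus localisation of
the windows that fail to verify. Added example, not code from the book.
Requires Python 3.9+ (random.Random.randbytes)."""
import hashlib
import random

# Window size is chosen at acquisition time; 1 MiB is an assumption here,
# tools such as dcfldd/dc3dd let the examiner pick it.
DEFAULT_WINDOW = 1024 * 1024


def full_hash(data, algo="sha256"):
    """Hash of the whole image, the value normally recorded with the evidence."""
    return hashlib.new(algo, data).hexdigest()


def hash_windows(data, window=DEFAULT_WINDOW, algo="sha256"):
    """Return [(start, end, hexdigest)] for consecutive fixed-size windows.
    The final window is shorter when the image length is not a multiple of window."""
    windows = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        windows.append((start, start + len(chunk), hashlib.new(algo, chunk).hexdigest()))
    return windows


def format_hashlog(windows):
    """Serialise windows as 'start-end digest' lines (a layout assumed for this
    example, not the exact log format of any particular acquisition tool)."""
    return "\n".join(f"{start}-{end} {digest}" for start, end, digest in windows) + "\n"


def parse_hashlog(text):
    """Inverse of format_hashlog; blank lines are ignored."""
    windows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        span, digest = line.split()
        start, end = (int(x) for x in span.split("-"))
        windows.append((start, end, digest))
    return windows


def mismatched_windows(expected, actual):
    """Compare the acquisition-time window list with a recomputed one.
    Returns (start, end, reason) for every window that does not verify:
    'modified' when the digest differs, 'missing' when the recomputed image is
    shorter than the original, 'extra' when it is longer. An empty list means
    every byte range verified."""
    problems = []
    for i in range(max(len(expected), len(actual))):
        if i >= len(actual):
            start, end, _ = expected[i]
            problems.append((start, end, "missing"))
        elif i >= len(expected):
            start, end, _ = actual[i]
            problems.append((start, end, "extra"))
        elif expected[i] != actual[i]:
            start, end, _ = expected[i]
            problems.append((start, end, "modified"))
    return problems


def demo(window=64 * 1024):
    """Constructed scenario: a small pseudo-random 'image' hashed at acquisition,
    then re-verified intact, after a one-bit change, and after truncation."""
    rng = random.Random(2016)                       # fixed seed: repeatable sample data
    original = rng.randbytes(5 * window + 1234)     # 5 full windows plus a short tail
    tampered = bytearray(original)
    tampered[3 * window + 17] ^= 0x01               # flip one bit inside window 3
    tampered = bytes(tampered)
    truncated = original[:4 * window + 100]         # copy that lost its tail

    acquisition_log = format_hashlog(hash_windows(original, window))
    expected = parse_hashlog(acquisition_log)       # what the examiner kept on file
    return {
        "full_hash_changed": full_hash(original) != full_hash(tampered),
        "intact": mismatched_windows(expected, hash_windows(original, window)),
        "tampered": mismatched_windows(expected, hash_windows(tampered, window)),
        "truncated": mismatched_windows(expected, hash_windows(truncated, window)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The whole-image hash still has to be recorded and checked first; the window list is what turns "the hash no longer matches" into "window 3 was altered" or "the last two windows are gone", which is the distinction a practitioner needs when deciding whether a copy can still be used or must be re-acquired.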
Alternative description
Storage media overview for postmortem acquisition -- Linux as a forensic acquisition platform -- Forensic image formats and acquisition tools -- Forensic imaging preparation and setup -- Attaching physical media to an acquisition host -- Forensic image acquisition -- Forensic image management -- Accessing logical, virtual, and operating system encrypted images -- Extracting subsets of forensic images
Date added to open data
2021-12-19