Practical Cyber Intelligence A Hands-On Guide to Digital Forensics
"Cyber forensics is the process of using forensic and investigative techniques to identify and analyze digital events. This involves collecting and analyzing digital evidence from various sources, such as computers, networks, and mobile devices, to identify perpetrators. When discussing cyber i...
| Autor principal: | |
|---|---|
| Formato: | Libro electrónico |
| Idioma: | Inglés |
| Publicado: |
Newark :
John Wiley & Sons, Incorporated
2024.
|
| Edición: | 1st ed |
| Materias: | |
| Ver en Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009843335406719 |
Tabla de Contenidos:
- Cover
- Title Page
- Copyright
- Contents
- About the Author
- Preface
- Acknowledgments
- Introduction
- Chapter 1 Intelligence Analysis
- 1.1 Intelligence Life Cycle
- 1.1.1 Direction and Planning
- 1.1.2 Collection
- 1.1.3 Processing
- 1.1.4 Analysis
- 1.1.4.1 Structured Analytic Techniques (SAT)
- 1.1.4.2 Timeline Analysis
- 1.1.4.3 Competing Hypotheses
- 1.1.4.4 Link Analysis
- 1.1.4.5 Attribution
- 1.1.5 Dissemination
- 1.2 Cyber Threat Intelligence Frameworks
- 1.2.1 Cyber Kill Chain
- 1.2.2 The Diamond Models
- 1.3 Summary
- Chapter 2 Digital Forensics
- 2.1 Device Collection
- 2.2 Preservation
- 2.3 Acquisition
- 2.4 Processing
- 2.4.1 Datetime
- 2.5 Analysis
- 2.5.1 Detecting Evidence Destruction
- 2.5.2 Evaluating the Result
- 2.6 Documentation and Reporting
- 2.7 Summary
- Chapter 3 Disk Forensics
- 3.1 Acquisition
- 3.2 Preparation
- 3.2.1 Verify Integrity
- 3.2.2 Write Protection
- 3.3 Analysis
- 3.3.1 Installing Sleuthkit
- 3.3.2 Determine the Partition Structure
- 3.3.3 Determine the File System Type
- 3.3.4 Identify Files Within the File System
- 3.3.5 Extraction of Files
- 3.3.6 Creation of a Timeline
- 3.3.7 Autopsy
- 3.3.8 SMART Metrics
- 3.4 File and Data Carving
- 3.5 Summary
- Chapter 4 Memory Forensics
- 4.1 Acquisition
- 4.2 Analysis
- 4.3 Summary
- Chapter 5 SQLite Forensics
- 5.1 Analyzing
- 5.1.1 Timestamps
- 5.1.2 Temporary Files
- 5.1.3 Deleted Content
- 5.2 Summary
- Chapter 6 Windows Forensics
- 6.1 New Technology File System (NTFS)
- 6.1.1 MFT (Master File Table)
- 6.1.2 I30
- 6.1.3 Journal
- 6.1.4 Alternate Data Stream Zone Identifier (ADS)
- 6.1.5 Volume Shadow Copy
- 6.1.6 BitLocker Encryption
- 6.2 Acquisition
- 6.3 Analysis
- 6.3.1 Registry
- 6.3.2 Event Logs
- 6.3.3 Memory Forensics
- 6.3.4 Timestamps.
- 6.3.5 Creation of Timeline of Activity
- 6.3.5.1 Plaso
- 6.3.5.2 Volatility 3 Timeline
- 6.3.5.3 Creating a Super Timeline
- 6.4 Evidence Location
- 6.4.1 System Information
- 6.4.1.1 Time Zone Information
- 6.4.1.2 Network Interfaces
- 6.4.2 Account Usage
- 6.4.2.1 SAM Accounts
- 6.4.2.2 Security Events
- 6.4.2.3 Dead Box Password Cracking
- 6.4.2.4 User Access Logging
- 6.4.3 User Activity
- 6.4.3.1 Search History
- 6.4.3.2 Typed Path
- 6.4.3.3 LastVisitedMRU (Windows common dialog box)
- 6.4.3.4 XP Search
- 6.4.3.5 Thumbnails
- 6.4.3.6 Remote Desktop Protocol (RDP)
- 6.4.4 File or Folder Opening
- 6.4.4.1 Recent Files
- 6.4.4.2 Shortcut (.LNK) Files
- 6.4.4.3 Office Recent Files
- 6.4.4.4 Shellbag
- 6.4.4.5 Open/Save MRU
- 6.4.5 Program and File Execution
- 6.4.5.1 UserAssist
- 6.4.5.2 MUICache
- 6.4.5.3 Windows 10 Timeline
- 6.4.5.4 BAM and DAM
- 6.4.5.5 Amcache.hve
- 6.4.5.6 Jump List
- 6.4.5.7 Last‐Visited MRU
- 6.4.5.8 RecentApp
- 6.4.5.9 Prefetch
- 6.4.5.10 LastVisitedMRU
- 6.4.5.11 Taskbar Feature Usage
- 6.4.5.12 CapabilityAccessManager
- 6.4.5.13 RUN Box Execution
- 6.4.6 External Device/USB Usage
- 6.4.6.1 USB Device Types
- 6.4.6.2 Plugged in USB
- 6.4.6.3 Setupapi
- 6.4.6.4 Plug‐and‐Play Cleanup
- 6.4.6.5 PnP Events
- 6.4.6.6 MTP Device
- 6.4.6.7 User USB Device
- 6.4.6.8 Removable Devices Logs
- 6.4.7 Network Activity Artifacts
- 6.4.7.1 Network Mapping
- 6.4.7.2 Network History
- 6.4.7.3 Network Profiles Key
- 6.4.7.4 IP Address
- 6.4.8 Commands
- 6.4.8.1 Powershell History
- 6.4.8.2 WMI
- 6.4.8.3 WMI Database
- 6.4.8.4 Command Line Event Log
- 6.4.8.5 WMI Event Log
- 6.4.9 Browser Usage Artifacts
- 6.4.9.1 Account Records
- 6.4.9.2 Cookies
- 6.4.9.3 History
- 6.4.9.4 Cache
- 6.4.9.5 Internet Explorer
- 6.4.9.6 Browser Download Manager
- 6.4.9.7 Session Restore.
- 6.4.9.8 Browser Password
- 6.4.9.9 Supercookies
- 6.4.10 Mail
- 6.4.10.1 Mail Archives
- 6.4.10.2 Offline Folder Files
- 6.4.10.3 Unread Mail
- 6.4.11 Persistence
- 6.4.11.1 Auto Start Programs
- 6.4.11.2 Scheduled Tasks
- 6.4.11.3 Service
- 6.4.12 Evidence Destruction
- 6.4.12.1 Log Clearing
- 6.4.12.2 File Deletion Detection Using J
- 6.5 Summary
- Chapter 7 macOS Forensics
- 7.1 File System
- 7.1.1 Native File Types
- 7.2 Security
- 7.3 Acquisition
- 7.3.1 Memory
- 7.3.1.1 Hibernation and RAM
- 7.4 Analysis
- 7.5 Evidence Location
- 7.5.1 System Configuration
- 7.5.2 User Accounts and Activity
- 7.5.2.1 Keychain
- 7.5.2.2 Notes
- 7.5.2.3 Recent Items
- 7.5.3 System Logs
- 7.5.4 Browser Usage
- 7.5.5 Email
- 7.5.6 Persistence Mechanisms
- 7.5.6.1 Login Item
- 7.5.6.2 Launch Items (Agents and Daemons)
- 7.5.6.3 Log In/Log Out Hooks
- 7.5.6.4 Dynamic Libraries (dylib)
- 7.5.6.5 At Tasks
- 7.5.6.6 Event Monitor Rules
- 7.5.6.7 Re‐opened Applications
- 7.5.7 Evidence of Destruction
- 7.6 Summary
- Chapter 8 Linux Forensics
- 8.1 File System
- 8.1.1 File System Timestamps
- 8.2 Security
- 8.3 Acquisition
- 8.3.1 Dump Memory
- 8.4 Analysis
- 8.4.1 chroot
- 8.5 Evidence Location
- 8.5.1 System Info
- 8.5.1.1 System Version
- 8.5.1.2 Computer Name
- 8.5.1.3 Localtime Settings
- 8.5.1.4 Boot Logs
- 8.5.1.5 Kernel Logs
- 8.5.1.6 Apt Install Repository Sources
- 8.5.1.7 Hosts File
- 8.5.1.8 Root UUID
- 8.5.1.9 Services
- 8.5.1.10 Syslogs
- 8.5.1.11 Background Processes
- 8.5.1.12 Disk Partitions
- 8.5.2 User Activity
- 8.5.2.1 Accounts and Groups
- 8.5.2.2 Group Information
- 8.5.2.3 Command History
- 8.5.2.4 Authentication
- 8.5.2.5 Last Login
- 8.5.2.6 Failed Logon Attempts
- 8.5.2.7 Installation of Software
- 8.5.2.8 File Edit
- 8.5.3 Network
- 8.5.3.1 Interfaces.
- 8.5.3.2 DNS Configuration
- 8.5.3.3 Wi‐Fi SSID
- 8.5.4 File Execution and Information
- 8.5.4.1 Cronjobs
- 8.5.4.2 Processes
- 8.5.4.3 SGID
- 8.5.4.4 SUID
- 8.5.5 External Drive
- 8.5.5.1 Dmesg
- 8.5.5.2 USB Log
- 8.5.6 Persistence
- 8.5.6.1 Cron Jobs
- 8.5.6.2 SSH Key Authentication
- 8.6 Summary
- Chapter 9 iOS
- 9.1 File System
- 9.2 Security
- 9.2.1 Keychain
- 9.3 Applications
- 9.4 Acquisition
- 9.4.1 Jailbreaking
- 9.4.2 Locked Devices
- 9.5 iCloud
- 9.6 Analysis
- 9.6.1 KnowledgeC
- 9.7 Evidence of Location
- 9.7.1 Device Info
- 9.7.1.1 General Device Info
- 9.7.1.2 Operating System Version
- 9.7.1.3 Last Boot Time
- 9.7.2 User Settings
- 9.7.2.1 Homescreen Icon Layout
- 9.7.2.2 Cloud Sync Settings
- 9.7.2.3 iCloud Offline Cache
- 9.7.2.4 Blocked Dialers
- 9.7.3 Account and Password
- 9.7.3.1 Account Information
- 9.7.3.2 Account Information Used to Set Up Apps
- 9.7.3.3 iCloud Email Account Information
- 9.7.4 Communication
- 9.7.4.1 Call Log
- 9.7.4.2 SMS, iMessage, and FaceTime
- 9.7.4.3 Voicemail
- 9.7.5 Application Usage
- 9.7.5.1 TCC.db
- 9.7.5.2 Application Snapshots
- 9.7.5.3 Contacts
- 9.7.5.4 Contact Images
- 9.7.5.5 Calendar
- 9.7.5.6 Notes
- 9.7.5.7 Health Data
- 9.7.6 Device Backup
- 9.7.6.1 iTunes Backup
- 9.7.7 Third‐Party Apps
- 9.7.7.1 App‐Specific Data
- 9.7.7.2 App‐Specific Cache
- 9.7.8 Multimedia
- 9.7.8.1 User Created/Saved Photos
- 9.7.8.2 Picture Thumbnails Databases
- 9.7.8.3 Photo Albums Metadata
- 9.7.8.4 Photos and Videos Database
- 9.7.9 Browser Activity
- 9.7.9.1 History
- 9.7.9.2 Safari Bookmarks
- 9.7.9.3 Safari Cookies
- 9.7.9.4 Safari Download History
- 9.7.9.5 Safari Tabs Screenshots
- 9.7.10 Location
- 9.7.10.1 Apple Maps History
- 9.7.10.2 Application Traces and GeoFence Information
- 9.7.10.3 Cache&
- uscore
- encryptedB.
- 9.7.11 Cellular Location
- 9.7.12 Network Connection
- 9.7.12.1 Wi‐Fi
- 9.7.12.2 Seen Bluetooth Devices
- 9.7.12.3 Paired Bluetooth Devices
- 9.7.12.4 iTunes Prefs Computer Connections
- 9.7.13 Evidence Destruction
- 9.7.13.1 Restore Information
- 9.8 Summary
- Chapter 10 Android
- 10.1 File Systems
- 10.2 Security
- 10.3 Application
- 10.4 Acquisition
- 10.4.1 Android Debug Bridge (ADB)
- 10.4.1.1 ADB Server
- 10.4.1.2 Extract APK from Android
- 10.4.2 Forensics Tools
- 10.4.2.1 Avilla
- 10.4.3 Downgrading Applications
- 10.4.3.1 Rooting
- 10.5 Analysis
- 10.6 Evidence of Location
- 10.6.1 System Information
- 10.6.1.1 Sim Card Info
- 10.6.2 User Settings
- 10.6.2.1 Accounts
- 10.6.2.2 Timezone
- 10.6.2.3 Dump User Data with adb
- 10.6.3 Communication
- 10.6.3.1 Call Logs
- 10.6.3.2 SMS/MMS
- 10.6.3.3 Email Information
- 10.6.4 Application Usage
- 10.6.4.1 APK Files Used for Installing Application
- 10.6.4.2 Dumpsys Usagestats
- 10.6.4.3 Application Traces
- 10.6.4.4 install&
- uscore
- requests
- 10.6.4.5 Application Usage
- 10.6.4.6 Application Notifications
- 10.6.4.7 Application Permissions and Metadata
- 10.6.4.8 Application Snapshots
- 10.6.4.9 Downloads
- 10.6.4.10 Calendar
- 10.6.4.11 Pictures
- 10.6.5 Wi‐Fi
- 10.6.6 Location
- 10.6.7 Evidence Destruction
- 10.6.7.1 Factory Reset
- 10.6.8 Summary
- Chapter 11 Network Forensics
- 11.1 Acquisition
- 11.1.1 Pcap
- 11.1.1.1 File Extraction from Network
- 11.1.1.2 Geolocation with Wireshark
- 11.1.2 Netflow
- 11.1.3 Logs
- 11.2 Analysis
- 11.2.1 Connected Devices
- 11.2.2 Statistical Analysis
- 11.2.3 Expected Protocol and Connection Architecture
- 11.2.4 Encrypted Network Activity Classification
- 11.2.5 Identifying Network Beacons Using Historical Network Data with RITA
- 11.2.6 Domain Analysis
- 11.3 Summary.
- Chapter 12 Malware Analysis.
