Operating System Forensics

Ric Messier

eBook - ePub
  • 386 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About This Book

Operating System Forensics is the first book to cover all three critical operating systems for digital forensic investigations in one comprehensive reference.

Users will learn how to conduct successful digital forensic examinations in Windows, Linux, and Mac OS, the methodologies used, key technical concepts, and the tools needed to perform examinations.

Mobile operating systems such as Android, iOS, Windows, and Blackberry are also covered, providing everything practitioners need to conduct a forensic investigation of the most commonly used operating systems, including technical details of how each operating system works and how to find artifacts.

This book walks you through the critical components of investigation and operating system functionality, including file systems, data recovery, memory forensics, system configuration, Internet access, cloud computing, tracking artifacts, executable layouts, malware, and log files. You'll find coverage of key technical topics like the Windows Registry, the /etc directory, Web browser caches, Mbox, PST files, GPS data, ELF, and more. Hands-on exercises in each chapter drive home the concepts covered in the book. You'll get everything you need for a successful forensics examination, including incident response tactics and legal requirements. Operating System Forensics is the only place you'll find all this covered in one book.

  • Covers digital forensic investigations of the three major operating systems, including Windows, Linux, and Mac OS
  • Presents the technical details of each operating system, allowing users to find artifacts that might be missed using automated tools
  • Hands-on exercises drive home key concepts covered in the book.
  • Includes discussions of cloud, Internet, and major mobile operating systems such as Android and iOS

Information

Publisher: Syngress
Year: 2015
ISBN: 9780128019634

Chapter 1

Forensics and Operating Systems

Abstract

This chapter describes digital forensics with a specific focus on the growing need to understand operating system details in order to perform a forensic analysis. It also describes what an operating system is and why you need to understand the details of the operating systems to be effective.

Keywords

operating systems; forensics; operating environments

INFORMATION INCLUDED IN THIS CHAPTER:
  • A definition of forensics
  • Description of some relevant laws
  • A definition of operating systems
  • A description of operating environments and shells

Introduction

While my most interesting experience in the field of forensics was trying to determine whether a coworker had been viewing and making use of pornography at his desk, my first experience with forensics was about 15 years ago, when I was working at a company that offered web hosting for customers. Certainly the pornography makes a more interesting story. At the time of my first experience, though, there was not a lot of information about how to perform a forensic analysis, though Wietse Venema and Dan Farmer had put together a course about that time and they had posted some notes to a website. That and the software they wrote, The Coroner’s Toolkit, were what was available. As a result, I had to rely on what I knew about the underlying details of the operating system and the applications that were running on it. It is one thing to take one of the commercial software tools that will automate a lot of the forensic analysis for you. However, I find it useful to know what is happening under the hood, so I can not only interpret the results correctly but also see whether they make sense based on the input that has been provided.
While there are several things that have changed over the years since I was first an undergraduate, one thing that really stands out for me is how technology is abstracting the user experience from the underlying system, both software and hardware. This is also true for developers. Where you used to need to know a lot about the system architecture to be successful as a programmer, because resources were limited and you needed to make the best use of the resources you had, now resources like memory and disk are very cheap. Additionally, there are more than enough programming libraries that take care of a lot of the low-level details. Programming languages such as Java and Python also take away a lot of the need to understand what is going on underneath.
The reason for bringing this up is that educating information technology students has changed along with the times. There is no longer the need to teach some of the deeper concepts of operating systems and system architecture to the majority of students and practitioners because they just do not need to know them. All of the details are being handled for them so it is better to let them focus on the aspects of technology that they will be impacted by in their day-to-day professional lives.
However, when a forensic investigator gets handed a system that has been involved in a crime, it is helpful for the investigator to know more than just how to run an application that is going to generate a report. The investigator needs to know what makes sense and where to follow up more deeply. In this regard, they should know more about operating systems and where critical information is stored, not to mention where a user may hide information. Every operating system has nooks and crannies along with various quirks. Understanding these nuances will allow an investigator to validate his results by examining the actual location of items that were parsed out with an automated process. This can provide evidence that the tools are working correctly.
And we now rejoin our regularly scheduled program already in progress. Knowing the details of each of the operating systems is helpful. That is where this book comes in. The idea behind this book is to talk about the details of the Windows, Linux, and Mac OS X operating systems in the context of a forensic analysis. Having said that, it is worth talking about what forensics and operating systems are before we jump into the deep end.

Forensics

You may be aware of how computer forensics works from watching shows like NCIS where the law enforcement investigators quickly and easily break into systems, through firewalls and around encryption to obtain information. In the real world, it does not work like that. First of all, we have legal issues to contend with. In fact, the word forensics itself comes from the Latin forensis, meaning public. It is related to the word forum, which meant a marketplace or public square in a Roman city. The word forensics, specifically, is about public debate or discussion, though it is commonly used to refer to things that relate to a court or legal proceeding. Our legal proceedings are a form of public discourse or debate, so the word forensics came to relate to legal matters and in the case of the topic for this book, it is about evidence that is prepared to present at trial.
Because of this, while there is an enormous technical aspect to forensics, there is also at its foundation, an understanding of the legal aspects of the tasks at hand. We often talk about performing a forensic investigation even when there isn’t anything legal involved. You may be asked to perform an investigation on a corporate system because of a policy violation. This was the case when I was asked to take a look at the system of the employee who was looking at pornography at his desktop. He was likely going to be fired just based on the evidence of his manager, a woman, who was walking by his desk and witnessed the activity. However, they were looking for some amount of corroboration, so I was asked to take a look.
This was a case of a policy violation and a firing. However, there is always something to be taken into consideration when performing an investigation. At some point, there may be a need to go to court. If there were child pornography on the computer, for instance, it would need to be referred to law enforcement for appropriate prosecution. Anything I do to the system might compromise a prosecution of the employee, so I have to be very careful about what I do. I always need to be concerned with the handling of the evidence. It may also not be a case of a prosecution of the employee. The employee may make a case for wrongful termination, arguing something like malware on his system displaying pornographic images. Of course, if he was caught hat in hand, so to speak, that would be a different story, but it may not change the fact that he may sue the company. Once again, how I handle the evidence is incredibly important.
Along these lines, one of the most important concepts to talk about is the chain of custody. A chain of custody is the documentation of everywhere a piece of evidence has been as well as who the evidence has been handed off to. When someone hands the evidence off to someone else, both parties need to be documented. Additionally, there should be a way to verify that nothing has been changed. As a result, it is good to indicate what was done with the evidence and how it was validated as not having been tampered with along the way. With digital evidence, this is easily handled. Other types of evidence are less easily validated.
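As an added illustration (not from the book), the following Python script records each hand-off of an evidence item in a chain-of-custody log and validates that the evidence has not changed. SHA-256 is assumed as the tamper check, since the chapter names no specific method, and the evidence bytes, item identifier and names are constructed.

```python
# Added example: chain-of-custody log with hash-based integrity checks.
# Assumption: SHA-256 as the tamper check (the chapter names no method);
# EVIDENCE is constructed stand-in data, not a real image.
import hashlib
from datetime import datetime, timezone

EVIDENCE = b"constructed-disk-image-bytes\x00\x01\x02"  # constructed


def hash_evidence(data: bytes) -> str:
    """SHA-256 hex digest that identifies the evidence as acquired."""
    return hashlib.sha256(data).hexdigest()


def record_transfer(log, item_id, from_person, to_person, action, data):
    """Append one entry: both parties, the action, and a fresh hash."""
    entry = {
        "item": item_id,
        "time": datetime.now(timezone.utc).isoformat(),
        "from": from_person,
        "to": to_person,
        "action": action,
        "sha256": hash_evidence(data),
    }
    log.append(entry)
    return entry


def verify_custody(log, data):
    """List broken hand-offs and hash mismatches; empty means intact."""
    problems = []
    current = hash_evidence(data)
    for i, e in enumerate(log):
        # Each entry's sender must be whoever the previous entry handed to.
        if i > 0 and log[i - 1]["to"] != e["from"]:
            problems.append(f"entry {i}: received from {e['from']}, "
                            f"but entry {i - 1} left it with {log[i - 1]['to']}")
        # The evidence must still hash to the value recorded at every step.
        if e["sha256"] != current:
            problems.append(f"entry {i}: hash mismatch for {e['item']}")
    return problems


if __name__ == "__main__":
    log = []
    record_transfer(log, "HDD-01", "acquisition", "examiner", "imaged", EVIDENCE)
    record_transfer(log, "HDD-01", "examiner", "evidence locker", "stored", EVIDENCE)
    print("intact:", verify_custody(log, EVIDENCE))           # []
    print("tampered:", verify_custody(log, EVIDENCE + b"x"))  # two mismatches
```

In practice the log itself is kept on write-once or signed media so that the recorded hashes cannot be silently rewritten along with the evidence.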

Evidence Inclusion and Exclusion

Regarding the handling of evidence, as it turns out, we have rules for that. Lawyers write them and they take some getting used to. They are also open to interpretation. It is worth mentioning at this point that there are three kinds of legal systems in the world currently. The following are the three different legal systems you will run across in different countries around the world.
  • Civil law: Civil law originated in Europe and, in terms of geography, it is the most predominant legal system you will find. Civil law countries define a set of laws and those laws are used to base legal decisions on. This may seem intuitive. After all, if we didn’t base legal decisions on laws, what would we base them on? The difference here is that each individual judge is allowed to make his or her own interpretation of the law as it is written.
  • Common law: Like civil law, common law makes use of a set of laws but assumes those laws need to be interpreted by judges. Those interpretations build into what is called case law, where the set of rulings made by previous judges can be used as a precedent to base new rulings on. While the legal system is founded on laws and statutes, the rulings take precedence over the plain details of the law. Civil law systems put the written laws over previous rulings, which is the major difference between the two systems.
  • Sharia (Islamic law): Sharia is used in Islamic countries. Countries that use Islamic law use the Qur’an as the basis for a moral code and a set of laws. These codes and laws are used to hold the citizens of the country accountable. Where legislatures commonly develop laws in other countries, there is no such process in countries bound by Islamic law. There are also no lawyers or juries. Defendants and plaintiffs are expected to represent themselves. The ruling of the judge is final. There are no statutes to rely on and the ruling of the judge does not bind any subsequent judges to a particular ruling.
The United States is a common law country, as is Canada, Australia, and a small handful of other countries. In the United States, the interpretation of the laws by judges builds up case law, which is what is used for subsequent judges to base decisions and rulings on. This is why it is relevant to talk about the types of legal systems when we talk about federal rules of evidence, since there is a set of case law built up around these rules. We base all of our evidence handling processes and procedures around this case law, so it is useful to know and understand it.
One of the first things to know about these rules is that they are bound up with the constitutional idea that everyone has the right to face those who provide evidence against them. This is in the Sixth Amendment, which also specifies that you have the right to a speedy trial. This is a challenge in the case of computer-based evidence since you cannot confront, challenge or question a computer. As a result, computer evidence has a challenge inherent in it. Any time evidence is introduced in court by a person who is not called to provide the evidence or testimony directly, you are introducing hearsay, and because everyone on trial has the right to question those providing evidence, hearsay is not admissible as a way to establish a set of facts. Hearsay is a statement made out of court that is offered to prove the truth of what it claims. It is worth keeping in mind that the goal of any trial or court case is to find the truth of any particular matter. The court, meaning the judge or jury, is the trier of facts and the goal of anyone involved is to introduce facts and evidence to help the court come to the truth.
The truth is something of a lofty goal, of course, considering that in many cases the strategy will be to obfuscate information and in many other cases, there simply is not enough information to come to a conclusive truth. So, the goal is to come to enough of the truth to make the right decision. The purpose of introducing evidence is to help arrive at the truth in a fair way. Introducing evidence that cannot be appropriately questioned or examined is not considered to be fair. As a result, it is excluded. You might think that if I find a file on a computer, it must belong to the owner of the computer, and so why does this file need to be questioned? Even if a file is found on a computer it does not guarantee that the file belongs to the computer’s owner. If you are connected to a network, someone could have placed it there. You may have acquired some malicious software that put it there. There is nothing about the file being on the computer that necessarily makes it the property of the computer’s owner. It is important to place the suspect behind the keyboard, meaning put them at the scene of the crime when it happened. When a system has multiple users, this can be more challenging.
This does not mean that all digital evidence is excluded. There are circumstances where digital evidence can be admitted in court. A common exclusion to the hearsay rule is the allowance of business records. Records kept in the ordinary course of operating the business are exempt from the hearsay rule. Any activity that does not involve a human, meaning that it is something a computer program generates on its own, is not subject to the hearsay ru...

Table of contents

  1. Cover
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Foreword
  7. Preface
  8. Chapter 1: Forensics and Operating Systems
  9. Chapter 2: File Systems
  10. Chapter 3: Data and File Recovery
  11. Chapter 4: Memory Forensics
  12. Chapter 5: System Configuration
  13. Chapter 6: Web Browsing
  14. Chapter 7: Tracking Artifacts
  15. Chapter 8: Log Files
  16. Chapter 9: Executable Programs
  17. Chapter 10: Malware
  18. Chapter 11: Mobile Operating Systems
  19. Chapter 12: Newer Technologies
  20. Chapter 13: Reporting
  21. Subject Index