Hello,
I have had the absolute pleasure to be reading and working though this book ` Learn Computer Forensics: Your one-stop guide to searching, analysing, acquiring, and securing digital evidence, 2nd Edition`.
“Computer Forensics, being a broad topic, involves a variety of skills which will involve seizing electronic evidence, acquiring data from electronic evidence, data analysis, and finally developing a forensic report.
This book will help you to build up the skills you need to work in a highly technical environment. This book’s ideal goal is to get you up and running with forensics tools and techniques to successfully investigate crime and corporate misconduct. You will discover ways to collect personal information about an individual from online sources. You will also learn how criminal investigations are performed online while preserving data such as e-mails, images, and videos that may be important to a case. You will further explore networking and understand Network Topologies, IP Addressing, and Network Devices. Finally, you will how to write a proper forensic report, the most exciting portion of the forensic exam process.
By the end of this book, you will have developed a clear understanding of how to acquire, analyze, and present digital evidence, like a proficient computer forensics investigator.”
And who is William?
“William Oettinger is a veteran technical trainer and investigator. He is a retired police officer with the Las Vegas Metropolitan Police Department and a retired CID agent with the United States Marine Corps.
He is a professional with over 20 years of experience in academic, local, military, federal, and international law enforcement organizations, where he acquired his multifaceted experience in IT, digital forensics, security operations, law enforcement, criminal investigations, policy, and procedure development.
He has earned an MSc from Tiffin University, Ohio. When not working, he likes to spend time with his wife and his three miniature schnauzers.”
This book is pretty massive and full of so much information on everything from `Types of Computer-Based Investigations`, ` The Forensic Analysis Process` up to ` Windows Artifact Analysis`, ` Email Forensics – Investigation Techniques’ and EVERYTHING in between.
Look at this.
Chapter 1: Types of Computer-Based Investigations
- Introduction to computer-based investigations
- Criminal investigations
- First responders
- Investigators
- Crime scene technician
- Illicit images
- The crime of stalking
- Criminal conspiracy
- Corporate investigations
- Employee misconduct
- Corporate espionage
- Security
- Threat Actors
- Social engineering
- Real-world experience
- Insider threat
- Case studies
- Dennis Rader
- Silk Road
- San Bernardino terror attack
- Theft of intellectual property
- Summary
- Questions
- Further reading
Chapter 2: The Forensic Analysis Process
- Pre-investigation considerations
- The forensic workstation
- The response kit
- Forensic software
- Forensic investigator training
- Understanding case information and legal issues
- Understanding data acquisition
- Chain of custody
- Understanding the analysis process
- Dates and time zones
- Hash analysis
- File signature analysis
- Antivirus
- Reporting your findings
- Details to include in your report
- Document facts and circumstances
- The report conclusion
- Summary
- Questions
- Further reading
Chapter 3: Acquisition of Evidence
- Exploring evidence
- Understanding the forensic examination environment
- Tool validation
- Creating sterile media
- Understanding write blocking
- Hardware write blocker
- Software write blocker
- Defining forensic imaging
- DD image
- EnCase evidence file
- SSD device
- Imaging tools
- FTK Imager
- PALADIN
- Summary
- Questions
- Further reading
Chapter 4: Computer Systems
- Understanding the boot process
- Forensic boot media
- Creating a bootable forensic device
- Hard drives
- Drive geometry
- MBR (Master Boot Record) partitions
- Extended partitions
- GPT partitions
- Host Protected Area (HPA) and Device Configuration Overlay (DCO)
- Forensic boot media
- Understanding filesystems
- The FAT filesystem
- Boot record
- File allocation table
- Data area
- Long filenames
- Recovering deleted files
- Slack space
- The FAT filesystem
- Understanding the NTFS filesystem
- Summary
- Questions
- Further reading
Chapter 5: Computer Investigation Process 157
- Timeline analysis
- X-Ways
- Plaso (Plaso Langar Að Safna Öllu)
- X-Ways
- Media analysis
- String search
- Recovering deleted data
- Summary
- Questions
- Further reading
- Exercise
- Data set
- Software needed
- Email exercise
- Data carving exercise
Chapter 6: Windows Artifact Analysis
- Understanding user profiles
- Understanding Windows Registry
- Determining account usage
- Last login/last password change
- Determining file knowledge
- Exploring the thumbcache
- Exploring Microsoft browsers
- Determining most recently used/recently used
- Looking into the Recycle Bin
- Understanding shortcut (LNK) files
- Deciphering JumpLists
- Opening shellbags
- Understanding prefetch
- Identifying physical locations
- Determining time zones
- Exploring network history
- Understanding the WLAN event log
- Exploring program execution
- Determining UserAssist
- Exploring the Shimcache
- Understanding USB/attached devices
- Summary
- Questions
- Further reading
- Exercise
- Data set
- Software needed
- Scenario
Chapter 7: RAM Memory Forensic Analysis
- Fundamentals of memory
- Random access memory?
- Identifying sources of memory
- Capturing RAM
- Preparing the capturing device
- Exploring RAM capture tools
- Using DumpIt
- Using FTK Imager
- Exploring RAM analyzing tools
- Using Bulk Extractor
- Using VOLIX II
- Summary
- Questions
- Further reading
Chapter 8: Email Forensics – Investigation Techniques
- Understanding email protocols
- Understanding SMTP – Simple Mail Transfer Protocol
- Understanding the Post Office Protocol
- IMAP – Internet Message Access Protocol
- Understanding web-based email
- Decoding email
- Understanding the email message format
- Email attachments
- Understanding client-based email analysis
- Exploring Microsoft Outlook/Outlook Express
- Exploring Microsoft Windows Live Mail
- Mozilla Thunderbird
- Understanding WebMail analysis
- Summary
- Questions
- Further reading
- Exercise
- Data set
- Software needed
- Scenario
- Interviews
- Email accounts
- Question to answer
Chapter 9: Internet Artifacts
- Understanding browsers
- Exploring Google Chrome
- Understanding bookmarks
- Understanding the Chrome history file
- Cookies
- Cache
- Passwords
- Exploring Internet Explorer/Microsoft Edge (Old Version)
- Bookmarks
- IE history
- Typed URL
- Cache
- Cookies
- Exploring Firefox
- Profiles
- Cache
- Cookies
- History
- Passwords
- Bookmarks
- Exploring Google Chrome
- Social media
- Service provider
- P2P file sharing
- Ares
- eMule
- Shareaza
- Cloud computing
- Summary
- Questions
- Further reading
Chapter 10: Online Investigations
- Undercover investigations
- Undercover platform
- Online persona
- Background searches
- Preserving online communications
- Summary
- Questions
- Further reading
Chapter 11: Networking Basics
- The Open Source Interconnection (OSI) model
- Physical (Layer 1)
- Data link (Layer 2)
- Network (Layer 3)
- Transport (Layer 4)
- Session (Layer 5)
- Presentation (Layer 6)
- Application (Layer 7)
- Encapsulation
- TCP/IP
- IPv4
- Port numbers
- IPv6
- Application layer protocols
- Transport layer protocols
- Internet layer protocols
- IPv4
- Summary
- Questions
- Further reading
Chapter 12: Report Writing
- Effective note taking
- Writing the report
- Evidence analyzed
- Acquisition details
- Analysis details
- Exhibits/technical details
- Summary
- Questions
- Further reading
Chapter 13: Expert Witness Ethics
- Understanding the types of proceedings
- Beginning the preparation phase
- Understanding the curriculum vitae
- Understanding testimony and evidence
- Understanding the importance of ethical behaviour
- Summary
- Questions
- Further reading
Assessments
- Chapter 01
- Chapter 02
- Chapter 03
- Chapter 04
- Chapter 05
- Chapter 06
- Chapter 07
- Chapter 08
- Chapter 09
- Chapter 10
- Chapter 11
- Chapter 12
- Chapter 13
What’s new in this second edition?
He has gone through the entire book to ensure that he enhanced anything he didn’t like in the previous edition. He also updated some parts to reflect new or changed features in software or operating system artifacts. Finally, he added two new chapters covering online investigations and networking basics, along with academic resources available for educators teaching computer forensics.
As most of you are aware I work in the digital forensics and incident response field, and I don’t mind telling you this is hands down the best and most thorough book on the subject I have.
This book Is a very thorough in its going through Digital Forensics, the author William Oettinger is extremely knowledgeable in the subject and is a great teacher.
Throughout the thirteen chapters it covers everything from the introduction to computer-based investigations and the forensic analysis process to more hands-on acquisition of evidence, computer systems layout, windows & RAM artifact analysis, email, internet forensics, network basics and more finishing with some great and practical chapters on report writing and being an expert witness ethics.
I personally found the Windows and Internet Artifact chapters extremely interesting and very pertinent to my job role in DFIR, it was great learning more in-depth about stuff like LNK Files, JumpLists, Shellbags, Prefecth and the like.
Definitely recommend anyone interested in learning more about DFIR either fresh to the field or already working in it.
I can easily tell you that chapters four through nine are ones I will keep going back to and was already taking notes when working through it.
Loved how much of Paladin there was as I have never used it but keep meaning to install it on my lab to play with and now when I do I will have a much better understanding of it.
Rating books is not something I usually do but I will give this 10/10 it really is a fantastic book to read through and now to use as a reference manual too.
Regards
Alex