Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Digital Forensics with Kali Linux
  • Toc
  • feedback
Digital Forensics with Kali Linux

Digital Forensics with Kali Linux

By : Shiva V. N. Parasram
2 (1)
close
Digital Forensics with Kali Linux

Digital Forensics with Kali Linux

2 (1)
By: Shiva V. N. Parasram

Overview of this book

Kali Linux is a Linux-based distribution that's widely used for penetration testing and digital forensics. It has a wide range of tools to help for digital forensics investigations and incident response mechanisms. This updated second edition of Digital Forensics with Kali Linux covers the latest version of Kali Linux and The Sleuth Kit. You'll get to grips with modern techniques for analysis, extraction, and reporting using advanced tools such as FTK Imager, hex editor, and Axiom. Updated to cover digital forensics basics and advancements in the world of modern forensics, this book will also delve into the domain of operating systems. Progressing through the chapters, you'll explore various formats for file storage, including secret hiding places unseen by the end user or even the operating system. The book will also show you how to create forensic images of data and maintain integrity using hashing tools. Finally, you'll cover advanced topics such as autopsies and acquiring investigation data from networks, operating system memory, and quantum cryptography. By the end of this book, you'll have gained hands-on experience of implementing all the pillars of digital forensics: acquisition, extraction, analysis, and presentation, all using Kali Linux tools.
Table of Contents (17 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: Kali Linux – Not Just for Penetration Testing
Section 1: Kali Linux – Not Just for Penetration Testing
Free Chapter
2
Chapter 1: Introduction to Digital Forensics
chevron up
Chapter 1: Introduction to Digital Forensics
What is digital forensics?
Digital forensics methodology
A brief history of digital forensics
The need for digital forensics as technology advances
Operating systems and open source tools for digital forensics
The need for multiple forensics tools in digital investigations
Commercial forensics tools
Anti-forensics – threats to digital forensics
Summary
Further reading
3
Chapter 2: Installing Kali Linux
Chapter 2: Installing Kali Linux
Software version
Downloading Kali Linux
Installing Kali Linux
Installing Kali Linux in VirtualBox
Summary
4
Section 2: Forensic Fundamentals and Best Practices
Section 2: Forensic Fundamentals and Best Practices
5
Chapter 3: Understanding Filesystems and Storage Media
Chapter 3: Understanding Filesystems and Storage Media
The history of storage media
Filesystems and operating systems
What about the data?
Data volatility
The paging file and its importance in digital forensics
Summary
6
Chapter 4: Incident Response and Data Acquisition
Chapter 4: Incident Response and Data Acquisition
Digital evidence acquisition and procedures
Incident response and first responders
Documentation and evidence collection
Chain of custody
Live acquisition versus post-mortem acquisition
Write blocking
Data imaging and hashing
Device and data acquisition guidelines and best practices
Summary
7
Section 3: Forensic Tools in Kali Linux
Section 3: Forensic Tools in Kali Linux
8
Chapter 5: Evidence Acquisition and Preservation with dc3dd and Guymager
Chapter 5: Evidence Acquisition and Preservation with dc3dd and Guymager
Drive and partition recognition in Linux
Maintaining evidence integrity
Using dc3dd in Kali Linux
Image acquisition using DD
Image acquisition using Guymager
Windows memory acquisition
Summary
9
Chapter 6: File Recovery and Data Carving with foremost, Scalpel, and bulk_extractor
Chapter 6: File Recovery and Data Carving with foremost, Scalpel, and bulk_extractor
Forensic test images used in Foremost and Scalpel
Using Foremost for file recovery and data carving
Using Scalpel for data carving
bulk_extractor
Summary
10
Chapter 7: Memory Forensics with Volatility
Chapter 7: Memory Forensics with Volatility
Introducing the Volatility Framework
Downloading test images for use with Volatility
Using Volatility in Kali Linux
Summary
11
Chapter 8: Artifact Analysis
Chapter 8: Artifact Analysis
Identifying devices and operating systems with p0f
Information gathering and fingerprinting with Nmap
Live Linux forensics with Linux Explorer
Ransomware analysis
swap_digger
Password dumping with mimipenguin
Examining Firefox artifacts with pdgmail
Summary
12
Section 4: Automated Digital Forensic Suites
Section 4: Automated Digital Forensic Suites
13
Chapter 9: Autopsy
Chapter 9: Autopsy
Introduction to Autopsy
The sample image file used in Autopsy
Digital forensics with Autopsy
Summary
14
Chapter 10: Analysis with Xplico
Chapter 10: Analysis with Xplico
Software requirements
Installing Xplico in Kali Linux
Starting Xplico in DEFT Linux 8.2
Packet capture analysis using Xplico
Network activity analysis exercise
Summary
15
Chapter 11: Network Analysis
Chapter 11: Network Analysis
Capturing packets using Wireshark
NetworkMiner
Packet capture analysis with PcapXray
Online PCAP analysis
Reporting and presentation
Summary
16
Other Books You May Enjoy
Other Books You May Enjoy

Commercial forensics tools

Although this book focuses on tools within the Kali Linux operating system, it's important to recognize the commercially available tools available to us, many of which you can download as trial or demo versions before determining a preference.

Because this book focuses primarily on open source tools, I'll just cover some of the more popular commercial tools available, along with their home pages. The tools are listed only in alphabetical order as follows, and do not reflect any ratings, reviews, or the author's personal preference:

Belkasoft Evidence Center (EC) 2020

Website: https://belkasoft.com/

Belkasoft EC is an automated incident response and forensic tool that is capable of analyzing acquired images of memory dumps, virtual machines, and cloud and mobile backups, as well as physical and logical drives.

Belkasoft EC is also capable of searching for, recovering, and analyzing the following types of artifacts:

  • Office documents
  • Browser activity and information
  • Email
  • Social media activity
  • Mobile applications
  • Messenger applications (WhatsApp, Facebook Messenger, and even BlackBerry Messenger)

Belkasoft also has a free acquisition tool and RAM Capturer tool, available along with a trial version of their Evidence Center, available at https://belkasoft.com/get

AccessData Forensic Toolkit (FTK)

Website: https://accessdata.com/products-services/forensic-toolkit-ftk

FTK has been around for some time and is used professionally by forensics investigators and law enforcement agencies worldwide. AccessData has also recently announced integration with Belkasoft for a better experience. Some features of FTK include the following:

  • Fast processing with multi-core support using four engines
  • Ability to process large amounts of data
  • Indexing of data, to allow faster and easier searching and analysis
  • Password cracking and file decryption
  • Automated analysis
  • Ability to perform customized data carving
  • Advanced data recovery

The trial version of FTK can be downloaded at https://accessdata.com/product-download/forensic-toolkit-ftk-international-version-7-0-0. AccessData also has an image acquisition tool that is free to download and use, available at https://accessdata.com/product-download/ftk-imager-version-4-2-1.

EnCase Forensic

Website: https://www.guidancesoftware.com/encase-forensic

Created by Guidance Software, EnCase Forensic has also been at the forefront for many years and has been used internationally by professionals and law enforcement agencies alike for almost two decades. Much like FTK, EnCase comes with several solutions for incident response, e-discovery, and endpoint and mobile forensics.

Apart from being a full digital forensics solution and suite, some of the other features of EnCase include the following:

  • The ability to acquire images from over 25 different types of mobile devices, including phones, tablets, and even Global Positioning System (GPS) devices
  • Support for Microsoft Office 365
  • Evidence decryption using Check Point Full Disk Encryption (FDE)
  • Deep forensic and triage analysis

Other commercial tools also worth mentioning are the following:

Many of the preceding commercial tools offer several (with many being proprietary) features, including the following:

  • Write blocking
  • Bit-by-bit or bit-stream copies and disk cloning/evidence cloning
  • Forensically sound evidence acquisition
  • Evidence preservation using hashes
  • File recovery (hidden and deleted)
  • Live and remote acquisition of evidence
  • RAM and swap/paging file analysis
  • Image mounting (supporting various formats)
  • Advanced data and metadata (data about data) searches and filtering
  • Bookmarking of files and sectors
  • Hash and password cracking
  • Automatic report generation

The main advantage of commercial tools is that they are usually automated and are actually a suite of tools that can almost always perform entire investigations, from start to finish, with a few clicks. Another advantage that I must mention is the support for the tools that are given with the purchase of a license. The developers of these tools also employ research and development teams to ensure constant testing and reviewing of their current and new products.

End of Section 8
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete