KEYWORDS
digital forensics, cyber forensics, cyber crime, incident response, data recovery
To my parents, Reni and Rosen, for their love and for opening all of life’s opportunities.
To my wife, Laura, for her love and unconditional support.
To my advisor, Prasun, for his patience and the enduring wisdom of his lessons.
Contents
3.2 Digital Forensic Science Definitions
3.2.2 Working Technical Definition
3.3 Models of Forensic Analysis
4.1.3 Forensic Image Formats
4.1.4 Filesystem Analysis
4.1.5 Case Study: FAT32
4.1.6 Case Study: NTFS
4.1.7 Data Recovery and File Content Carving
4.1.8 File Fragment Classification
4.2 Main Memory Forensics
4.2.1 Memory Acquisition
4.2.2 Memory Image Analysis
4.3 Network Forensics
4.4 Real-time Processing and Triage
4.4.1 Real-time Computing
4.4.2 Forensic Computing with Deadlines
4.4.3 Triage
4.5 Application Forensics
4.5.1 Web Browser
4.5.2 Cloud Drives
4.6 Cloud Forensics
4.6.1 Cloud Basics
4.6.2 The Cloud Forensics Landscape
4.6.3 IaaS Forensics
4.6.4 SaaS Forensics
5.1 Finding Known Objects: Cryptographic Hashing
5.2 Block-level Analysis
5.3 Efficient Hash Representation: Bloom Filters
5.4 Approximate Matching
5.4.1 Content-defined Data Chunks
5.4.2 Ssdeep
5.4.3 Sdhash
5.4.4 Evaluation
5.5 Cloud-native Artifacts
6.1 Scalability
6.2 Visualization and Collaboration
6.3 Automation and Intelligence
6.4 Pervasive Encryption
6.5 Cloud Computing
6.5.1 From SaaP to SaaS
6.5.2 Separating Cloud Services from their Implementation
6.5.3 Research Challenges
6.6 Internet of Things (IoT)
CHAPTER 1
Introduction
In a word, the computer scientist is a toolsmith—no more, but no less. It is an honorable calling.
Frederick P. Brooks, Jr. [66]
Forensic science (or forensics) is dedicated to the systematic application of scientific methods to gather and analyze evidence for a legal purpose. Digital forensics—a.k.a. cyber or computer forensics—is a subfield within forensics, which deals specifically with digital artifacts, such as files, and computer systems and networks used to create, transform, transmit, and store them.
The rapid adoption of information technology (IT) in all aspects of modern life means that it bears witness to an ever expanding number of human- and machine-initiated interactions and transactions. It is increasingly the case that the only historical trace