Digital Forensics in the Era of Artificial Intelligence

Digital forensics plays a crucial role in identifying, analysing, and presenting digital evidence of cyber threats in a court of law. Artificial intelligence, particularly machine learning and deep learning, enables automation of parts of the digital investigation process. This book provides an in-depth look at the fundamental and advanced methods of digital forensics. It also discusses how machine learning and deep learning algorithms can be used to detect and investigate cybercrimes.

This book demonstrates digital forensics and cyber-investigation techniques with real-world applications. It examines hard disk analysis and partition styles, including the Master Boot Record (MBR) and the GUID Partition Table (GPT), as part of the investigative process. It also covers cyberattack analysis on Windows, Linux, and network systems, using virtual machines to reproduce real-world scenarios.

Digital Forensics in the Era of Artificial Intelligence will be helpful for those interested in digital forensics and using machine learning techniques in the investigation of cyberattacks and the detection of evidence in cybercrimes.
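The description above names MBR and GPT partition analysis as part of the investigative process. The following is an added example, not code from the book or its author: it parses a raw 512-byte MBR sector, lists the partition entries with their byte offsets on the image, flags a GPT protective MBR (type 0xEE), and reports the unallocated sector ranges between partitions where data can be hidden. The sample sectors are constructed inline; the partition layout, type-name table, and function names are assumptions for illustration.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"          # bytes 510-511 of a valid MBR
GPT_PROTECTIVE_TYPE = 0xEE          # protective MBR entry that precedes a GPT header

# Small, incomplete type table for readability (assumed for this example).
PARTITION_TYPE_NAMES = {
    0x05: "Extended (CHS)",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> dict:
    """Parse one MBR sector into its partition entries.

    Each of the four 16-byte entries at offset 446 is:
    status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4 LE) sector-count(4 LE).
    """
    if len(sector) < SECTOR_SIZE:
        raise ValueError("MBR must be at least 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")

    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16]
        )
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPE_NAMES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            # Byte offset to pass to a disk editor or to `dd skip=` when carving.
            "byte_offset": lba_start * SECTOR_SIZE,
        })

    return {
        "partitions": partitions,
        "gpt_protective": any(p["type"] == GPT_PROTECTIVE_TYPE for p in partitions),
    }


def inter_partition_gaps(parsed: dict, total_sectors: int) -> list:
    """Return (first_lba, last_lba) ranges not covered by any partition.

    LBA 0 is the MBR itself, so the scan starts at LBA 1. These gaps are the
    inter-partition space an examiner should inspect for hidden data.
    """
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parsed["partitions"])
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def _entry(status, ptype, lba_start, count) -> bytes:
    # CHS fields are set to the common 0xFFFFFE "use LBA" placeholder.
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, count)


def build_sample_mbr() -> bytes:
    """Constructed sample: bootable NTFS at LBA 2048, then a Linux partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[446:462] = _entry(0x80, 0x07, 2048, 204800)
    sector[462:478] = _entry(0x00, 0x83, 206848, 409600)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def build_protective_mbr() -> bytes:
    """Constructed sample: the single 0xEE entry a GPT disk carries in its MBR."""
    sector = bytearray(SECTOR_SIZE)
    sector[446:462] = _entry(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    layout = parse_mbr(build_sample_mbr())
    for p in layout["partitions"]:
        print(p)
    print("gaps:", inter_partition_gaps(layout, 1_000_000))
    print("gpt protective:", parse_mbr(build_protective_mbr())["gpt_protective"])
```

To run this over a real image, read the first 512 bytes of the raw file (`open(path, "rb").read(512)`) and pass them to `parse_mbr`; when `gpt_protective` is true, the partition table that matters is the GPT header at LBA 1, not the MBR entries.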

Author(s): Nour Moustafa
Publisher: CRC Press
Year: 2022

Language: English
Pages: 256
City: Boca Raton

Cover
Half Title
Title Page
Copyright Page
Table of Contents
Preface
Dedication and Acknowledgment
Author
Acronyms
1. An Overview of Digital Forensics
1.1 Introduction
1.2 Practical Exercises Included in This Book
1.3 A Brief History of Digital Forensics
1.4 What Is Digital Forensics?
1.4.1 Identification
1.4.2 Collection and Preservation
1.4.3 Examination and Analysis
1.4.4 Presentation
1.5 Artificial Intelligence for Digital Forensics
1.6 Digital Forensics and Other Related Disciplines
1.7 Different Types of Digital Forensics and How They Are Used
1.7.1 Types of Digital Evidence
1.7.1.1 Cloud Forensics in IoT
1.7.1.2 Digital Forensics and Artificial Intelligence
1.8 Understanding Law Enforcement Agency Investigations
1.8.1 Understanding Case Law
1.9 Significant Areas of Investigation for Digital Forensics
1.10 Following Legal Processes
1.11 The Cyber Kill Chain
1.12 Conclusion
Note
References
2. An Introduction to Machine Learning and Deep Learning for Digital Forensics
2.1 Introduction
2.2 History of Machine Learning
2.3 What Is Machine Learning?
2.3.1 Supervised Learning
2.3.1.1 Decision Trees
2.3.1.2 Support Vector Machine
2.3.1.3 K-Nearest Neighbours
2.3.1.4 Naive Bayes
2.3.1.5 Neural Networks
2.3.2 Unsupervised Learning
2.4 What Is Deep Learning?
2.4.1 Discriminative Deep Learning
2.4.1.1 Recurrent Neural Network (RNN)
2.4.1.2 Convolutional Neural Network (CNN)
2.4.2 Generative Deep Learning
2.4.2.1 Deep Auto Encoder
2.4.2.2 Recurrent Neural Network (RNN)
2.5 Evaluation Criteria of Machine and Deep Learning
2.6 Case Study of Machine Learning-Based Digital Forensics
2.7 Conclusion
References
3. Digital Forensics and Computer Foundations
3.1 Introduction
3.2 Digital Investigation Process
3.2.1 System Preservation Phase
3.2.2 Evidence Searching Phase
3.2.3 Evidence Reconstruction Phase
3.3 Common Phases of Digital Forensics
3.4 Numbering Systems and Formats in Computers
3.4.1 Hexadecimal
3.4.2 Binary
3.5 Data Structures
3.5.1 Endianness
3.5.2 Character Encoding
3.5.2.1 ASCII
3.5.2.2 Unicode
3.6 Data Nature and State
3.6.1 Terms of Data
3.7 Conclusion
References
4. Fundamentals of Hard Disk Analysis
4.1 Introduction
4.2 Storage Media
4.2.1 Rigid Platter Disk Technology
4.2.2 Solid State Technology
4.3 Hard Disk Forensic Features
4.3.1 Garbage Collection
4.3.2 TRIM Command
4.3.3 Methods of Accessing Hard Disk Addresses
4.3.3.1 Cylinder-Head-Sector (CHS)
4.3.3.2 Zone-Bit Recording
4.3.3.3 Logical Block Addressing (LBA)
4.4 Hard Disk Settings
4.4.1 Disk Types
4.4.2 Partition Architectures
4.4.2.1 MBR and GPT
4.4.2.2 Primary and Extended Partitions
4.4.2.3 Volumes and Partitions
4.4.3 File Systems
4.4.4 The Boot Process
4.4.4.1 Latest BIOS
4.4.4.2 BIOS and MBR
4.5 Essential Linux Commands for Digital Forensics Basics
4.5.1 User Privileges
4.5.2 Linux System
4.5.3 Data Manipulation
4.5.4 Managing Packages and Services
4.5.5 Managing Networking
4.6 Python Scripts for Digital Forensics Basics
4.6.1 Executing a DoS Attack
4.7 Conclusion
References
5. Advanced Hard Disk Analysis
5.1 Introduction
5.2 Hard Disk Forensic Concepts
5.3 DOS-Based Partitions
5.3.1 Revisited MBR
5.4 GPT Disks
5.5 Forensic Implications
5.6 Practical Exercises for Computer Foundations (Windows)
5.6.1 WinHex Tool
5.6.2 Recovering Deleted Partitions
5.6.3 Investigating Cyber Threat and Discovering Evidence
5.6.4 Hard Disk Analysis
5.6.4.1 Logical Access to C Drive
5.6.4.2 Accessing Drive as Physical Media
5.7 Conclusion
References
6. File System Analysis (Windows)
6.1 Introduction
6.2 What Is a File System?
6.2.1 File System Reference Model
6.2.2 Slack Space
6.2.3 Free and Inter-Partition Space
6.2.4 Content Analysis
6.3 Methods for Recovering Data from Deleted Files
6.3.1 Data Carving and Gathering Text
6.3.2 Metadata Category Analysis
6.3.3 File Name and Application Category Analysis
6.4 Practices for Using Hashing and Data Acquisition
6.4.1 Prerequisite Steps for Doing the Following Practical Exercises
6.4.2 Data Acquisition
6.4.2.1 The FTK Imager Tool
6.4.2.2 Hard Disk Analysis Using the Autopsy Tool
6.5 Conclusion
References
7. Digital Forensics Requirements and Tools
7.1 Introduction
7.2 Computer Forensic Requirements
7.3 Evaluating Needs for Digital Forensics Tools
7.3.1 Types of Digital Forensics Tools
7.3.2 Tasks Performed by Digital Forensics Tools
7.3.3 Data Acquisition Tools and Formats
7.4 Anti-Forensics
7.5 Evidence Processing Guidelines
7.6 Implementation of Data Validation and Acquisition Phases
7.6.1 Hash Functions
7.6.2 Authentication and Validation in Digital Forensics
7.6.2.1 Python Scripts for Hashing
7.6.2.2 MD5
7.6.2.3 SHA1
7.6.2.4 Example of Hashing Passwords
7.6.3 Hashing and Data Acquisition
7.6.3.1 Data Acquisition Using WinHex
7.7 Conclusion
References
8. File Allocation Table (FAT) File System
8.1 Introduction
8.2 File Allocation Table (FAT)
8.2.1 Common Types of FAT
8.2.2 FAT Layout
8.3 FAT Layout Analysis
8.3.1 FAT Analysis
8.3.2 Disk Editor for FAT Analysis
8.3.3 WinHex Tool for FAT Analysis
8.4 Implementation of Data Acquisition and Analysis in Windows
8.4.1 Prerequisites for Doing These Exercises
8.4.2 Data Acquisition and Analysis of FAT
8.4.2.1 The FTK Imager Tool
8.4.2.2 The Autopsy Tool
8.5 Conclusion
References
9. NTFS File System
9.1 Introduction
9.2 New Technology File System (NTFS)
9.3 NTFS Architecture
9.3.1 Master File Table (MFT)
9.4 NTFS Analytical Implications
9.5 Analysis and Presentation of NTFS Partition
9.5.1 Disk Editor for NTFS Analysis
9.5.2 WinHex Tool for NTFS Analysis
9.5.3 The Autopsy Tool for FAT and NTFS Analysis
9.6 Conclusion
References
10. FAT and NTFS Recovery
10.1 Introduction
10.2 FAT and NTFS File Recovery
10.2.1 Deleting and Recovering Files in FAT File System
10.2.2 Deleting and Recovering Files in NTFS File System
10.3 Recycle Bin and Forensics Insights
10.4 Mounting Partitions Using SMB over Network
10.5 File Recovery and Data Carving Tools for File Systems
10.5.1 Foremost Tool
10.5.2 Scalpel Tool
10.5.3 Bulk Extractor Tool
10.6 Conclusion
References
11. Basic Linux for Forensics
11.1 Introduction
11.2 Overview of Linux Operating System
11.3 Linux Kernel
11.4 Linux File System
11.4.1 Linux Hard Drives and Styles
11.5 Hard Disk Analysis in Linux
11.5.1 Hard Disk Analysis Using wxHexEditor
11.5.2 Crime Investigation: Adding/Changing Files’ Content Using wxHexEditor
11.5.3 Analysis of Hard Disk Using the Disk Editor Tool
11.6 Mount File Systems in Linux
11.6.1 Remote Connection Using SSHFS
11.6.2 Remote Connection Using SSH
11.6.3 Sharing and Mounting Files/Images between Various Virtual Machines
11.7 Data Acquisition in Linux
11.7.1 The dd Command
11.7.2 The dcfldd Command
11.8 Conclusion
References
12. Advanced Linux Forensics
12.1 Introduction
12.2 Examining File Structures in Linux
12.3 Generic Linux File System Layout (EXT2, 3, 4)
12.4 Accessing Block Group Information in Linux
12.5 EXT File System Versions and Characteristics
12.5.1 EXT2 File System
12.5.2 EXT3 File System
12.5.3 EXT4 File System
12.6 Forensic Implications of EXT File Systems
12.6.1 Case Study: Linux’s Accounts
12.7 Data Analysis and Presentation in Linux
12.7.1 Examining Superblock and Inode Information in Disk Editor
12.7.2 Data Preparation Using Autopsy
12.7.2.1 Create a New Case in Autopsy Browser
12.8 Case Analysis Using Autopsy
12.8.1 Sorting Files
12.9 Conclusion
References
13. Network Forensics
13.1 Introduction
13.2 What Is Network Forensics?
13.2.1 Benefits and Challenges of Network Forensics
13.3 Networking Basics
13.3.1 Open System Interconnection (OSI) Model
13.3.2 TCP/IP Protocol Stack
13.4 Network Forensic Investigations
13.4.1 Practical TCP/IP Analysis
13.5 Levels of Network Traffic Capture for Forensics Analysis
13.6 NetworkMiner Tool for Network Forensics
13.6.1 Applying the Network Forensic Investigation Process
13.6.2 Examples of Network Forensic Investigation
13.7 Conclusion
References
14. Machine Learning Trends for Digital Forensics
14.1 Introduction
14.2 Why Do We Need Artificial Intelligence in Digital Forensics?
14.2.1 Artificial Intelligence for Digital Forensics
14.2.2 Machine Learning for Digital Forensics
14.2.3 Machine Learning Basics
14.3 Machine Learning Process
14.3.1 Data Collection and Pre-Processing
14.3.2 Training and Testing Phases
14.4 Applications of Machine Learning Models
14.4.1 Machine Learning Types
14.5 Case Study: Using the TON_IoT Dataset for Forensics
14.6 Conclusion
References
Index