Get up and running with collecting evidence using forensics best practices to present your findings in judicial or administrative proceedings
Key Features
- Learn the core techniques of computer forensics to acquire and secure digital evidence skillfully
- Conduct a digital forensic examination and document the digital evidence collected
- Analyze security systems and overcome complex challenges with a variety of forensic investigations
Book Description
A computer forensics investigator must possess a variety of skills, including the ability to answer legal questions, gather and document evidence, and prepare for an investigation. This book will help you get up and running with using digital forensic tools and techniques to investigate cybercrimes successfully.
Starting with an overview of forensics and all the open source and commercial tools needed to get the job done, you'll learn core forensic practices for searching databases and analyzing data over networks, personal devices, and web applications. You'll then learn how to acquire valuable information from different places, such as filesystems, e-mails, browser histories, and search queries, and capture data remotely. As you advance, this book will guide you through implementing forensic techniques on multiple platforms, such as Windows, Linux, and macOS, to demonstrate how to recover valuable information as evidence. Finally, you'll get to grips with presenting your findings efficiently in judicial or administrative proceedings.
By the end of this book, you'll have developed a clear understanding of how to acquire, analyze, and present digital evidence like a proficient computer forensics investigator.
What you will learn
- Understand investigative processes, the rules of evidence, and ethical guidelines
- Recognize and document different types of computer hardware
- Understand the boot process covering BIOS, UEFI, and the boot sequence
- Validate forensic hardware and software
- Discover the locations of common Windows artifacts
- Document your findings using technically correct terminology
Who this book is for
If you're an IT beginner, student, or an investigator in the public or private sector, this book is for you. This book will also help professionals and investigators who are new to incident response and digital forensics and are interested in making a career in the cybersecurity domain.
Table of Contents
- Types of Computer-Based Investigations
- The Forensic Analysis Process
- Acquisition of Evidence
- Computer Systems
- Computer Investigation Process
- Windows Artifact Analysis
- RAM Memory Forensic Analysis
- Email Forensics – Investigation Techniques
- Internet Artifacts
- Report Writing
- Expert Witness Ethics
Reviews (15)
Outstanding Book for use for Introduction to Digital Forensic Courses
This book is very well written and covers all aspects of the digital forensic process, from identification, preservation, acquisition, and processing of the digital evidence. This book walks you through a digital crime scene and the obstacles and planning that should be done. The chapter on memory forensics was very clearly stated, from acquiring it and processing it to the knowledge that some data will change while capturing the RAM. The book is laid out nicely to include report writing and testifying. The author covers both criminal and civil exams, and mentions numerous tools from open source to vendor specific. Overall very well written and easy to follow along with the author's numerous real-life examples from his years of experience.
Good Introduction to Windows Computer Forensics
While I have not met the author in person, we are both members of the International Association of Computer Investigative Specialists (IACIS), and I have seen his involvement within our community, and know that he is always happy to share what he knows with others in our community. With this book, he has stepped up to the plate to share what is, in my opinion, a really good and solid introductory book in the digital forensics field. The book itself is written in an easy-to-read tone, and while technically accurate, is not so technically complex that it would throw off someone entering digital forensics for the first time. The book covers the types of investigations that are typical in digital forensics, the various stages of the digital forensics process from start to finish, and specific issues with regard to typical forensic artefacts that you will encounter when dealing with a typical Windows endpoint system such as a laptop or desktop. That being said, I think it is important to point out that this book will provide the most value when dealing with the forensic examination and analysis of computers running the Windows operating system, as the majority of the book focuses on these. If you are looking for the examination and analysis of other operating systems, then this book is not for you (unless of course you are new to the field, in which case you would benefit). While it is not specifically stated in the book, the material covered in the book addresses most of the certification objectives for the Certified Forensic Computer Examiner (CFCE) certification, offered by IACIS. If you are an external candidate planning to achieve this certification, then I would highly recommend this book. In fact, even if you have attended the IACIS BCFE training course and are going to do the certification exam, I would certainly recommend this book to complement your certification preparations. Well done on a really good book.
Great introduction to digital forensics
I am a relative newcomer to the field of digital/computer forensics, having just completed my college degree in December 2019. Since I am new to the field, I have had the opportunity to read several of the other books out there that are introductions to this type of work. Many of those books have been confusing and often difficult to follow, often assuming that the reader already has a fairly extensive knowledge of computer forensics to begin with. Mr. Oettinger's book follows an easy-to-read and understand pattern and includes several helpful links to resources from NIST, digital forensic software providers, and other reading resources. The breakdown of areas such as file systems, choosing the right forensic tools, how to create a forensic image, and then how to investigate and analyze that image has been very insightful. Sometimes authors of these types of books can confuse their readers by not writing in a logical manner or by using too much technological language for someone that is just starting out in this field. This book has not only refreshed my memory of some things that I have already learned about, but it has also provided a lot more information that is brand new to me. I have a colleague that is looking for a new introductory-level textbook to use in his Cybersecurity curriculum at a local community college, and I am most definitely going to recommend this book.
Good introduction to the field of digital forensics
For anyone considering entering the field of digital forensics, this book provides the reader with a good overview of the field, with simple explanations of the various facets and techniques involved. Whether you're a young student trying to decide on a college major or a seasoned investigator looking to move your career in a new direction, the content of this book could help in making such decisions. The book is not overly detailed, so don't expect to find explanations or examples of every possible scenario, but the information that is contained within this book is presented in a concise and easy to follow manner. The book does make some mention of digital forensics in the private sector, but the majority of the material is presented from the law enforcement perspective. This does not, however, make the book any less useful for those doing forensics in the private sector, as the various tools, techniques, concepts, and artifacts are the same in both arenas. This book is a recommended read for anyone trying to get a high level to mid level overview of digital forensics.
Easy to Read - Details the go-to artifacts
An attempt to capture the entire field of computer forensics in a single volume is a seemingly impossible task. The author does an excellent job of highlighting the most commonly used forensic artifacts in the Windows environment. In addition to covering commonly used artifacts, the author discusses the importance of and format of report writing, ethics, testifying, and digital forensic ideology. I was sold on the book after the author made the following statement, "Unfortunately, I find many students want to use a "find evidence" button, find all the artifacts, and print up a thousand-page report and call it a day. That is not digital forensics." I would replace the "students" with investigators/digital forensic analysts, as I have seen this many times, especially as the paid tools become more powerful and able to present artifacts in an easy-to-read format. As I read the line, I paused and immediately messaged another examiner with a different agency, as this sentiment is often brought up in our discussions. Paid tools tempt practitioners to focus on single artifacts as evidence, but the author reminds the reader, "we cannot construe the mere presence of the artifact as a sign of the suspect's guilt (or innocence). The artifact needs to be placed within the context of the user and system activity." New and old forensic examiners need to remember that they are the skilled practitioner, whose job is to speak for the digital evidence. Our job is to examine the evidence as it exists and use the data found to present the truth without regard to the side of the courtroom we sit on. Throughout the book, the author reminds the reader that the forensic analyst's role is to be a neutral evaluator of the evidence. The book provides an excellent introduction for new examiners or those looking to expand their understanding of the results provided by forensic examiners.
The book also can be used as a high-level reference for aspects of Windows forensics that an examiner may not use every day. The author takes time to direct the reader to free tools and other resources. While he does declare his preference for one of the paid tools over others, he does explain the free tools and how they can impact the review of a variety of artifacts. I appreciate him directing the reader to outside resources, collections of data, and information that should be marked in everyone's bookmarks. I found his explanation of the thumbcache's relationship with Windows.edb to be the most concise and useful explanation of how to provide context to thumbcache databases. Thumbcache is a topic I have researched ad nauseam. As an ICAC investigator, items of interest are often found in the thumbcache databases; the ability to put a name on the image allows the image to be tied to other activities to provide context and value. There are many little nuggets of gold scattered through the book that will be of value to nearly all examiners, if for no other purpose than to provide a prewritten, easy-to-understand explanation of the artifacts. The author's experience and professionalism shine through his writing.
Excellent beginning source
I have been involved in practicing and teaching computer forensics for over ten years and was asked to read this book and tender my opinion on both content and concepts. I read the entire book and definitely recommend it as an introduction to computer forensics. The book is organized and written in a simple, logical, and practical way. The author does a great job of describing computer terms and functions in easy-to-understand ways. I would highly recommend this book both to those interested in conducting computer forensics and as a reference for those teaching computer forensic theory and application.
Great for beginners and experienced examiners alike
This is a great book for beginners but also great for experienced examiners to brush up on the fundamentals. For instance, I've been using the E01 evidence file format for years, but I didn't realize there is a CRC calculation every 64 bytes as the forensic image is created. I learned something new about something I thought I knew everything about, given that I deal with E01s on a daily basis. That is just one example for me personally in this book where I learned something. Knowledge is perishable; no one should be above learning something new, even if it means revisiting the basics from time to time. This book should be a good reference for many years to come. I highly recommend it!
Very Good Introduction to Windows-Forensics
I do not know William Oettinger in person, but we are both members of the International Association of Computer Investigative Specialists (IACIS). I've enjoyed reading this book. William Oettinger managed to write about a very technical subject in a manner that a non-technical person will understand, a skill that he calls one of the hardest things you can do as a digital forensic examiner. In this book you can learn about Windows forensics from the collection of the evidence to the presentation of the evidence in court. William Oettinger enriched the book by including many real-life situations examiners may face during their work. I have particularly appreciated the chapter about the Code of Ethics in Digital Forensics. I can recommend the book especially to novice examiners, but also to everyone else interested in learning about Windows forensics. Next time someone asks me about Windows forensics I will point that person to this book.
A great book for beginners in the Computer Forensic field
Great book. I have read many books related to computer forensics, but this book is by far the best one about this topic. The author was able to share his many years of experience in this book. I love the screenshots that he uses as examples. They are easy to follow. What I like the most about this book are the references that he makes to several open source (free) technologies for several forensic tasks. The end-of-chapter questions should incorporate some practical exercises. In summary, I will recommend this book to any Computer Forensic student and as a very good reference for a Computer Forensic Laboratory.
Great book, easy to read and follow, fantastic examples
This book is a great read, written in an easy fashion which is easy to follow and understand. I love the examples the author included in the book as he discusses digital forensics investigations and provides life-like examples of the types of simple to advanced cases a forensic examiner would face on a day-to-day basis. Highly recommend.