Open Source Software for Digital Forensics
Edited by Ewa Huebner and Stefano Zanero
- Publisher: Springer
- Year: 2010
- Language: English
- Pages: 125
- Category: Library
Synopsis
Open Source Software for Digital Forensics is the first book dedicated to the use of FLOSS (Free Libre Open Source Software) in computer forensics. It presents the motivations for using FLOSS applications as tools for collection, preservation and analysis of digital evidence in computer and network forensics. It also covers extensively several forensic FLOSS tools, their origins and evolution.
Open Source Software for Digital Forensics is based on the OSSCoNF workshop, which was held in Milan, Italy, in September 2008 at the World Computing Congress, co-located with OSS 2008. This edited volume is a collection of contributions from researchers and practitioners worldwide.
Open Source Software for Digital Forensics is designed for advanced level students and researchers in computer science as a secondary text and reference book. Computer programmers, software developers, and digital forensics professionals will also find this book to be a valuable asset.
Table of Contents
Chapter 1
The Case for Open Source Software in Digital Forensics
1.1 Introduction
1.2 Definitions
1.3 Making the Case for Open Source Software
1.4 Conclusions
References
Chapter 2
Computer Forensics Education - the Open Source Approach
2.1 Introduction
2.2 Computer Forensics Software Tools
2.3 Case Study
2.3.1 Computer Forensics Workshop - Content and Outcomes
2.3.2 Workshop Requirements
2.3.3 Laboratory Structure
2.3.3.1 FAT File System Investigation
2.3.3.2 Ext File System Investigation
2.3.3.3 NTFS File System Investigation
2.3.3.4 Media Preparation and Imaging
2.3.3.5 Network Forensics Modules
Network Activity Reconstruction
Web Browsing Activity Reconstruction
Email Extraction and Reconstruction
2.3.3.6 Applied Cryptography Modules
2.3.3.7 Live System Analysis
2.4 Commercial Software Alternative
2.5 Conclusions and Future Work
References
Chapter 3
Virtual Machine for Computer Forensics - the Open Source Perspective
3.1 Introduction
3.2 Overview of Virtualisation Methods
3.3 Virtual Environments in Computer Forensics Investigations
3.3.1 Booting Acquired Disk Image in Virtual Environment to Recreate Investigated Computer
3.3.2 Accessing Disk Images From Different Operating Systems
3.3.3 Shifting of Computer Forensics Environment From Windows to Linux
3.4 openSUSE And Other Linux Distributions
3.4.1 openSUSE and VirtualBox
3.4.2 openSUSE and Xen
3.5 Conclusions and Future Work
References
Chapter 4
Open Computer Forensic Architecture a Way to Process Terabytes of Forensic Disk Images
4.1 Introduction
4.1.1 Problem Statement
4.1.2 Overview
4.2 Technical Description
4.2.1 Recursive Processing of Data
4.2.2 The ocfa Library
4.2.3 The Repository
4.2.4 Storage of (Dynamic) Metadata
4.2.5 Interprocess Communication between Modules
4.2.6 The AnycastRelay and the Router
4.2.7 The Router Module
4.2.7.1 Rules and the Rulelist
4.2.8 Available ocfa Modules
4.2.8.1 The Kickstart Module
4.2.8.2 Datastore Module
4.2.8.3 Miscellaneous Modules
4.2.9 Database Layout and Reporting
4.2.9.1 The Core Tables
4.2.9.2 Additional Metadata Tables
Example: Generating an Overview of Encountered Mimetypes
4.2.9.3 Searching for Specific Values and Creating Export Shell Commands
4.3 User Interface
4.3.1 Command Line Administration Interface
4.3.2 Web Interface
4.3.3 Security
4.4 Discussion
4.4.1 Evaluation
4.4.2 Future Work
References
Chapter 5
Open Source Live Distributions for Computer Forensics
5.1 Introduction
5.2 Related Work
5.3 Phases of Digital Investigation
5.3.1 Information Gathering
5.3.2 Collection
5.3.3 Examination and Analysis
5.4 CAINE Architecture
5.4.1 Software Wrapper
5.4.2 Graphical Interface
5.5 Tools Integrated in CAINE
5.5.1 Information Gathering
5.5.2 Collection
5.5.3 Examination and Analysis
5.6 Report Building Phase
5.7 CAINE Evolution and Validation
5.7.1 Beta Release
5.7.2 Early Releases
5.7.3 Swap Issue and Current Release
5.8 Conclusions
References
Chapter 6
VALI: A Visual Correlation Tool Based on Vector Clocks
6.1 Introduction
6.2 Alert Correlation
6.3 Previous Works
6.4 Vector Clocks
6.5 Alert Correlation Model Based on Vector Clocks
6.5.1 Example of the Correlation Model
6.6 VALI
6.6.1 VALI Components
6.7 Experiments and Results
6.8 Distributed Alert Correlation Model
6.9 Conclusions and Future Work
References
Chapter 7
An Open Architecture for Distributed Malware Collection and Analysis
7.1 Introduction
7.2 Background and Related Work
7.3 Implementation of HIVE
7.3.1 Honeynet Sensors
7.3.2 Core Infrastructure
7.3.3 Data Analysis and Active Monitoring
7.3.4 Caveats and Pitfalls
7.4 Experimental Results
7.5 Conclusions and Future Work
7.6 Availability
References
Chapter 8
Selective File Dumper
8.1 Introduction
8.2 The Script in Action
8.3 The GUI Version
8.4 Conclusion
References
Similar Volumes
Digital Forensics with Open Source Tools is the definitive book on investigating and analyzing computer systems and media using open source tools. The book is a technical procedural guide, and explains the use of open source tools on Mac, Linux and Windows systems as a platform for perform
Open source refers to an application whose source code is made available for use or modification as users see fit. This means libraries gain more flexibility and freedom than with software purchased with license restrictions. Both the open source community and the library world live by the same rule