Digital Forensics in the Era of Artificial Intelligence PDF

257 Pages·2022·13.855 MB·English
Preview Digital Forensics in the Era of Artificial Intelligence

Digital Forensics in the Era of Artificial Intelligence

Digital forensics plays a crucial role in identifying, analysing, and presenting cyber threats as evidence in a court of law. Artificial intelligence, particularly machine learning and deep learning, enables automation of the digital investigation process. This book provides an in-depth look at the fundamental and advanced methods in digital forensics. It also discusses how machine learning and deep learning algorithms can be used to detect and investigate cybercrimes. This book demonstrates digital forensics and cyber-investigating techniques with real-world applications. It examines hard disk analytics and style architectures, including Master Boot Record and GUID Partition Table, as part of the investigative process. It also covers cyberattack analysis in Windows, Linux, and network systems using virtual machines in real-world scenarios. Digital Forensics in the Era of Artificial Intelligence will be helpful for those interested in digital forensics and using machine learning techniques in the investigation of cyberattacks and the detection of evidence in cybercrimes.

Digital Forensics in the Era of Artificial Intelligence
Dr. Nour Moustafa

First Edition published 2023 by CRC Press, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742, and by CRC Press, 4 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN. CRC Press is an imprint of Taylor & Francis Group, LLC.

© 2023 Nour Moustafa

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact mpkbookspermissions@tandf.co.uk

Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe.

ISBN: 978-1-032-24493-8 (hbk)
ISBN: 978-1-032-24468-6 (pbk)
ISBN: 978-1-003-27896-2 (ebk)
DOI: 10.1201/9781003278962

Typeset in Palatino by codeMantra

Contents

Preface xiii
Dedication and Acknowledgment xv
Author xvii
Acronyms xix

1. An Overview of Digital Forensics 1
    1.1 Introduction 1
    1.2 Practical Exercises Included in This Book 1
    1.3 A Brief History of Digital Forensics 2
    1.4 What Is Digital Forensics? 3
        1.4.1 Identification 5
        1.4.2 Collection and Preservation 5
        1.4.3 Examination and Analysis 6
        1.4.4 Presentation 6
    1.5 Artificial Intelligence for Digital Forensics 7
    1.6 Digital Forensics and Other Related Disciplines 8
    1.7 Different Types of Digital Forensics and How They Are Used 8
        1.7.1 Types of Digital Evidence 9
            1.7.1.1 Cloud Forensics in IoT 9
            1.7.1.2 Digital Forensics and Artificial Intelligence 11
    1.8 Understanding Law Enforcement Agency Investigations 11
        1.8.1 Understanding Case Law 12
    1.9 Significant Areas of Investigation for Digital Forensics 13
    1.10 Following Legal Processes 14
    1.11 The Cyber Kill Chain 15
    1.12 Conclusion 17
    Note 18
    References 18

2. An Introduction to Machine Learning and Deep Learning for Digital Forensics 21
    2.1 Introduction 21
    2.2 History of Machine Learning 22
    2.3 What Is Machine Learning? 23
        2.3.1 Supervised Learning 23
            2.3.1.1 Decision Trees 24
            2.3.1.2 Support Vector Machine 24
            2.3.1.3 K-Nearest Neighbours 26
            2.3.1.4 Naive Bayes 27
            2.3.1.5 Neural Networks 28
        2.3.2 Unsupervised Learning 29
    2.4 What Is Deep Learning 30
        2.4.1 Discriminative Deep Learning 30
            2.4.1.1 Recurrent Neural Network (RNN) 31
            2.4.1.2 Convolutional Neural Network (CNN) 31
        2.4.2 Generative Deep Learning 32
            2.4.2.1 Deep Auto Encoder 32
            2.4.2.2 Recurrent Neural Network (RNN) 32
    2.5 Evaluation Criteria of Machine and Deep Learning 32
    2.6 Case Study of Machine Learning-Based Digital Forensics 34
    2.7 Conclusion 38
    References 39

3. Digital Forensics and Computer Foundations 41
    3.1 Introduction 41
    3.2 Digital Investigation Process 41
        3.2.1 System Preservation Phase 42
        3.2.2 Evidence Searching Phase 42
        3.2.3 Evidence Reconstruction Phase 43
    3.3 Common Phases of Digital Forensics 43
    3.4 Numbering Systems and Formats in Computers 44
        3.4.1 Hexadecimal 44
        3.4.2 Binary 45
    3.5 Data Structures 48
        3.5.1 Endianness 48
        3.5.2 Character Encoding 49
            3.5.2.1 ASCII 49
            3.5.2.2 Unicode 49
    3.6 Data Nature and State 49
        3.6.1 Terms of Data 50
    3.7 Conclusion 50
    References 50

4. Fundamentals of Hard Disk Analysis 53
    4.1 Introduction 53
    4.2 Storage Media 53
        4.2.1 Rigid Platter Disk Technology 53
        4.2.2 Solid State Technology 55
    4.3 Hard Disk Forensic Features 56
        4.3.1 Garbage Collection 56
        4.3.2 TRIM Command 56
        4.3.3 Methods of Accessing Hard Disk Addresses 57
            4.3.3.1 Cylinder-Head-Sector (CHS) 57
            4.3.3.2 Zone-Bit Recording 57
            4.3.3.3 Logical Block Addressing (LBA) 57
    4.4 Hard Disk Settings 57
        4.4.1 Disk Types 58
        4.4.2 Partition Architectures 58
            4.4.2.1 MBR and GPT 59
            4.4.2.2 Primary and Extended Partitions 59
            4.4.2.3 Volumes and Partitions 59
        4.4.3 File Systems 59
        4.4.4 The Boot Process 60
            4.4.4.1 Latest BIOS 60
            4.4.4.2 BIOS and MBR 61
    4.5 Essential Linux Commands for Digital Forensics Basics 62
        4.5.1 User Privileges 62
        4.5.2 Linux System 62
        4.5.3 Data Manipulation 64
        4.5.4 Managing Packages and Services 65
        4.5.5 Managing Networking 66
    4.6 Python Scripts for Digital Forensics Basics 67
        4.6.1 Executing a DoS Attack 67
    4.7 Conclusion 68
    References 68

5. Advanced Hard Disk Analysis 73
    5.1 Introduction 73
    5.2 Hard Disk Forensic Concepts 73
    5.3 DOS-Based Partitions 74
        5.3.1 Revisited MBR 75
    5.4 GPT Disks 76
    5.5 Forensic Implications 78
    5.6 Practical Exercises for Computer Foundations (Windows) 79
        5.6.1 WinHex Tool 79
        5.6.2 Recovering Deleted Partitions 83
        5.6.3 Investigating Cyber Threat and Discovering Evidence 85
        5.6.4 Hard Disk Analysis 85
            5.6.4.1 Logical Access to C Drive 86
            5.6.4.2 Accessing Drive as Physical Media 87
    5.7 Conclusion 87
    References 88

6. File System Analysis (Windows) 91
    6.1 Introduction 91
    6.2 What Is a File System? 91
        6.2.1 File System Reference Model 93
        6.2.2 Slack Space 94
        6.2.3 Free and Inter-Partition Space 94
        6.2.4 Content Analysis 95
    6.3 Methods for Recovering Data from Deleted Files 96
        6.3.1 Data Carving and Gathering Text 96
        6.3.2 Metadata Category Analysis 97
        6.3.3 File Name and Application Category Analysis 98
    6.4 Practices for Using Hashing and Data Acquisition 98
        6.4.1 Prerequisite Steps for Doing the Following Practical Exercises 99
        6.4.2 Data Acquisition 99
            6.4.2.1 The FTK Imager Tool 99
            6.4.2.2 Hard Disk Analysis Using the Autopsy Tool 102
    6.5 Conclusion 105
    References 105

7. Digital Forensics Requirements and Tools 107
    7.1 Introduction 107
    7.2 Computer Forensic Requirements 107
    7.3 Evaluating Needs for Digital Forensics Tools 108
        7.3.1 Types of Digital Forensics Tools 108
        7.3.2 Tasks Performed by Digital Forensics Tools 109
        7.3.3 Data Acquisition Tools and Formats 110
    7.4 Anti-Forensics 111
    7.5 Evidence Processing Guidelines 112
    7.6 Implementation of Data Validation and Acquisition Phases 113
        7.6.1 Hash Functions 114
        7.6.2 Authentication and Validation in Digital Forensics 114
            7.6.2.1 Python Scripts for Hashing 115
            7.6.2.2 MD5 115
            7.6.2.3 SHA1 116
            7.6.2.4 Example of Hashing Passwords 116
        7.6.3 Hashing and Data Acquisition 117
            7.6.3.1 Data Acquisition Using WinHex 117
    7.7 Conclusion 118
    References 119

8. File Allocation Table (FAT) File System 121
    8.1 Introduction 121
    8.2 File Allocation Table (FAT) 121
        8.2.1 Common Types of FAT 122
        8.2.2 FAT Layout 122
    8.3 FAT Layout Analysis 123
        8.3.1 FAT Analysis 126
        8.3.2 Disk Editor for FAT Analysis 128
        8.3.3 WinHex Tool for FAT Analysis 129
    8.4 Implementation of Data Acquisition and Analysis in Windows 130
        8.4.1 Prerequisites for Doing These Exercises 130
        8.4.2 Data Acquisition and Analysis of FAT 130
            8.4.2.1 The FTK Imager Tool 131
            8.4.2.2 The Autopsy Tool 133
    8.5 Conclusion 135
    References 135

9. NTFS File System 137
    9.1 Introduction 137
    9.2 New Technology File System (NTFS) 137
    9.3 NTFS Architecture 138
        9.3.1 Master File Table (MFT) 139
    9.4 NTFS Analytical Implications 144
    9.5 Analysis and Presentation of NTFS Partition 145
        9.5.1 Disk Editor for NTFS Analysis 145
        9.5.2 WinHex Tool for NTFS Analysis 145
        9.5.3 The Autopsy Tool for FAT and NTFS Analysis 146
    9.6 Conclusion 149
    References 149

10. FAT and NTFS Recovery 151
    10.1 Introduction 151
    10.2 FAT and NTFS File Recovery 151
        10.2.1 Deleting and Recovering Files in FAT File System 152
        10.2.2 Deleting and Recovering Files in NTFS File System 154
    10.3 Recycle Bin and Forensics Insights 154
    10.4 Mounting Partitions Using SMB over Network 158
    10.5 File Recovery and Data Carving Tools for File Systems 159
        10.5.1 Foremost Tool 159
        10.5.2 Scalpel Tool 159
        10.5.3 Bulk Extractor Tool 162
    10.6 Conclusion 163
    References 163

11. Basic Linux for Forensics 165
    11.1 Introduction 165
    11.2 Overview of Linux Operating System 165
    11.3 Linux Kernel 166
    11.4 Linux File System 167
        11.4.1 Linux Hard Drives and Styles 169
    11.5 Hard Disk Analysis in Linux 171
        11.5.1 Hard Disk Analysis Using wxHexEditor 171
        11.5.2 Crime Investigation: Adding/Changing Files' Content Using wxHexEditor 172
