Essentials of Digital Forensics Notif ication Detected security Start incident with LAW digital devices PR used Enforcement Digital forensic action initiated in written form Security staff notified Preservation Consent form Initial Incident type identification Post-mortem Collection Invoke incident Live acquisition response team Examination Fraud Malware Analysis Unauthorised access Network related Outcome incident satisfied DoS/DDoS Domestic violence NO YES Homicide Managament Reporting Notification End Kemal Hajdarevic with Nermin Ziga and Mirza Halilovic II Essentials of Digital Forensics Kemal Hajdarevic with Nermin Ziga and Mirza Halilovic Sarajevo, 2019 III Authors: Dr. Kemal Hajdarevic with Nermin Ziga and Mirza Halilovic Proofreading: Ana Tankosic Publisher: International Burch University Editor-in-Chief: Dr. Kemal Hajdarević Reviewed by: Dr. Hamid Jahankhani, Dr Jasmin Azemovic and Dr. Colin Pattinson DTP & Design: Dr. Kemal Hajdarevic DTP and Prepress: International Burch University Circulation: electronic copy Place of Publication: Sarajevo Copyright: International Burch University, 2019 Reproduction of this Publication for educational or other non-commercial purposes is authorized without prior permission from the copyright holder. Reproduction for resale or other commercial purposes prohibited without prior written permission of the copyright holder. Disclaimer: While every effort has been made to ensure the accuracy of the information, contained in this publication, International Burch University will not assume liability for writing and any use made of the proceedings, and the presentation of the participating organizations concerning the legal status of any country, territory, or area, or of its authorities, or concerning the delimitation of its frontiers or boundaries. ----------------------------------- CIP - Katalogizacija u publikaciji Nacionalna i univerzitetska biblioteka Bosne i Hercegovine, Sarajevo 343.98:004 HAJDAREVIĆ, Kemal Essentials of digital forensics [Elektronski izvor] / Kemal Hajdarevic, Nermin Ziga, Mirza Halilovic. - El. knjiga. - Sarajevo : International Burch University, 2019 Način pristupa (URL): https://omeka.ibu.edu.ba/items/show/3447. - Nasl. sa nasl. ekrana. - Opis izvora dana 11. 7. 2019. ISBN 978-9958-834-66-0 1. Žiga, Nermin 2. Halilović, Mirza COBISS.BH-ID 27750406 ----------------------------------- IV Table of Contents Author’s Preface ......................................................................................................... XI IMPORTANT DEFINITIONS ......................................................................................XIII PURPOSE OF THIS BOOK ........................................................................................... XV COMPUTER FORENSICS AND INFORMATION SECURITY TRAINING COURSES ........ XV JOBS RELATED TO COMPUTER FORENSICS AND INFORMATION SECURITY ............ XVI ORGANISATION OF THE BOOK SECTIONS ............................................................. XVII LEARNING TRACKS ............................................................................................. XVIII 1. Introduction to digital forensics ........................................................................ 1 CHAPTER ABSTRACT .................................................................................................. 1 HISTORY OF FORENSICS .............................................................................................. 1 HISTORY OF DIGITAL FORENSICS ............................................................................... 4 DIGITAL FORENSICS – DEFINITION ............................................................................. 5 DIGITAL EVIDENCE .................................................................................................... 5 DIGITAL VS. COMPUTER FORENSICS .......................................................................... 5 DIGITAL TRANSFORMATION IMPACT ON DIGITAL FORENSICS .................................. 6 AUDIT VS. DIGITAL FORENSIC INVESTIGATION ......................................................... 7 DIGITAL FORENSIC PROCESS ...................................................................................... 8 DIGITAL FORENSIC SCOPE .......................................................................................... 8 Personal computers and servers ............................................................................. 9 Network devices and active components .............................................................. 10 Databases ............................................................................................................. 10 Mobile Devices ..................................................................................................... 11 Digital Images ...................................................................................................... 11 Multimedia .......................................................................................................... 11 Memory ................................................................................................................ 11 FORENSIC INVESTIGATION INITIATION .................................................................... 12 INCIDENT RESPONSE ................................................................................................ 13 SUMMARY ................................................................................................................ 14 KNOWLEDGE ACQUIRED .......................................................................................... 14 V REVIEW QUESTIONS.................................................................................................. 14 FURTHER READINGS ................................................................................................. 15 VIDEO RESOURCES ................................................................................................... 15 2. Digital forensics – classification ...................................................................... 17 CHAPTER ABSTRACT ................................................................................................ 17 DIGITAL FORENSIC CLASSIFICATION BASED ON DATA SOURCE .............................. 17 Forensics of general computer systems ................................................................ 18 Database forensics ................................................................................................ 19 Forensics of multimedia ....................................................................................... 23 Watermarking ...................................................................................................... 23 Digital signatures ................................................................................................ 23 Mobile device forensics ......................................................................................... 23 Network forensics ................................................................................................. 24 SUMMARY ................................................................................................................ 25 KNOWLEDGE ACQUIRED .......................................................................................... 25 REVIEW QUESTIONS.................................................................................................. 25 FURTHER READINGS ................................................................................................. 25 VIDEO RESOURCES ................................................................................................... 26 3. Digital forensics – process ................................................................................ 27 CHAPTER ABSTRACT ................................................................................................ 27 STEPS IN THE DIGITAL FORENSIC INVESTIGATION PROCESS .................................. 27 Preservation ......................................................................................................... 29 Collection ............................................................................................................. 31 Transport ............................................................................................................. 32 Examination ......................................................................................................... 32 Analysis ............................................................................................................... 33 TYPES OF DIGITAL EVIDENCE ANALYSIS ................................................................. 33 Media analysis ..................................................................................................... 34 Media management analysis ................................................................................ 34 File system analysis ............................................................................................. 34 Network analysis.................................................................................................. 35 Application analysis ............................................................................................. 35 Operating System (OS) analysis ......................................................................... 36 Executable analysis .............................................................................................. 36 Image analysis .....................................................................................................