Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Digital Forensics with Kali Linux
Digital Forensics with Kali Linux

Digital Forensics with Kali Linux: Perform data acquisition, digital investigation, and threat analysis using Kali Linux tools

eBook
€26.99
Paperback
€32.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Table of content icon View table of contents Preview book icon Preview Book

Digital Forensics with Kali Linux

Introduction to Digital Forensics

Digital forensics has had my attention for well over 13  years. Ever since I was given my first PC (thanks, Mom and Dad), I've always wondered what happened when I deleted my files from my massively large 2 GB hard drive or moved (and most times hid) my files to a less-than-inconspicuous 3.5-inch floppy diskette which maxed out at 1.44 MB (Megabytes) in capacity.

As I soon learned, hard disk drives and floppy disk drives did not possess the digital immortality I so confidently believed in. Sadly, many files, documents, and priceless fine art created in Microsoft Paint by yours truly were lost to the digital afterlife, never to be retrieved again. Sigh. The world shall never know.

It wasn't until years later that I came across an article on file recovery and associated tools while browsing the magical World Wide Web (WWW) on my lightning-fast 42 Kbps dial-up internet connection (made possible by my very expensive USRobotics dial-up modem), which sang the tune of the technology gods every time I'd try to connect to the realm of the internet. This process involved a stealthy ninja-like skill that would make even a black-ops team envious, as it involved doing so without my parents noticing, as this would prevent them from using the telephone line to make or receive phone calls. (Apologies dear Mother, Father, and older teenage sister).

The previous article on data recovery wasn't anywhere near as detailed and fact-filled as the many great peer-reviewed papers, journals, and books on digital forensics widely-available today. As a total novice (also referred to as a noob) in the field, I did learn a great deal about the basics of file systems, data and metadata, storage measurements, and the workings of various storage media.

It was at this time that, even though I had read about the Linux operating system and its various distributions (or distros), I began to get an understanding of why Linux distros were popular in data recovery and forensics.

At this time, I managed to bravely download the Auditor and Slax Linux distributions, again on a dial-up connection. Just downloading these operating systems was quite a feat, which left me feeling highly accomplished as I did not have any clue as to how to install them, let alone actually use them. In those days, easy-installation and GUIs were still under heavy development, as user friendly, or in my case, user unfriendly, as they were at the time (mostly due to my inexperience, lack of recommended hardware, and also lack of resources such as online forums, blogs, and YouTube...which I did not yet know about). I'll explain more about the Auditor and Slax operating systems in Chapter 2, Installing Kali Linux, including their role in the infamous BackTrack, and now Kali Linux, operating systems.

As time passed, I researched many tools found on various platforms for Windows, Macintosh, and many Linux distributions. I found that many of the tools used in digital forensics could be installed in various Linux distributions or flavors and many of these tools were well maintained, constantly being developed and were widely accepted by peers in the field. Kali Linux is a Linux distribution or flavor, but before we go any further, let me explain the concept of  Linux distribution or flavor. Consider your favorite beverage: this beverage can come in many flavors, some without sweeteners or sugar, in different colors, and even in various sizes. No matter what the variations, it's still the basic ingredients that comprise the beverage, at the core. In this way, too, we have Linux, and then different types and varieties of Linux. Some more popular Linux distros and flavors include RedHat, CentOS, Ubuntu, Mint, Knoppix, and, of course, Kali Linux. More on Kali Linux will be discussed in  Chapter 2Installing Kali Linux.

For this book, we take a very structured approach to digital forensics, as we would in forensic science. We first stroll into the world of digital forensics, its history, some of the tools and operating systems used for forensics, and immediately introduce you to the concepts involved in evidence preservation.

How about we kick things off. Let's get started!

This chapter gives an introduction to the various aspects of the science of digital forensics. 

The topics we are going to cover in this chapter are:

  • What is digital forensics?
  • Digital forensics methodology.
  • A brief history of digital forensics.
  • The need for digital forensics as technology advances.
  • Anti-forensics: threats to digital forensics
  • Commercial tools available in the field of digital forensics.
  • Open source tools.
  • Operating systems with built-in tools for digital forensics.
  • The need for using multiple forensics tools in investigations in an effort to provide strong proof of integrity.

What is digital forensics?

The first thing I’d like to cover in this chapter is an understanding of digital forensics and its proper practices and procedures. At some point, you may have come across several books, blogs, and even videos demonstrating various aspects of digital forensics and different tools used. It is of great importance to understand that forensics itself is a science, involving very well documented best practices and methods in an effort to reveal whether something exists or does not.

Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various storage media types found. It is not only limited to laptops, desktops, tablets, and mobile devices, but also extends to data in transit which is transmitted across public or private networks.

In most cases, digital forensics involves the discovery and/or recovery of data using various methods and tools available to the investigator. Digital forensics investigations include, but are not limited to:

  • Data recovery: Investigating and recovering data that may have been deleted, changed to different file extensions, and even hidden.
  • Identity theft: Many fraudulent activities ranging from stolen credit card usage to fake social media profiles usually involve some sort of identity theft.
  • Malware and ransomware investigations: To date, ransomware spread by Trojans and worms across networks and the internet are some of the biggest threats to companies, military organizations, and individuals. Malware can also be spread to and by mobile devices and smart devices.
  • Network and internet investigations: Investigating DoS (known as Denial-of-Service) and DDoS (known as Distributed DoS) attacks and tracking down accessed devices including printers and files.
  • Email investigations: Investigating the source and IP origins, attached content, and geo-location information can all be investigated.
  • Corporate espionage: Many companies are moving away from print copies and toward cloud and traditional disk media. As such, a digital footprint is always left behind; should sensitive information be accessed or transmitted?
  • Child pornography investigations: Sadly, the reality is that children are widely exploited on the internet and within the Deep Web. With the use of technology and highly-skilled forensic analysts, investigations can be carried out in bringing down exploitation rings by analyzing internet traffic, browser history, payment transactions, email records, and images.

Digital forensics methodology

Keeping in mind that forensics is a science, digital forensics requires that one follow appropriate best practices and procedures in an effort to produce the same results time and time again providing proof of evidence, preservation, and integrity which can be replicated ;if called upon to do so.

Although many people may not be performing digital forensics to be used as evidence in a court of law, it is best to practice in such a way as can be accepted and presented in a court of law. The main purpose of adhering to best-practices set by organizations specializing in digital forensics and incident response is to maintain the integrity of the evidence for the duration of the investigation. In the event that the investigator's work must be scrutinized and critiqued by another or an opposing party, the results found by the investigator must be able to be recreated, thereby proving the integrity of the investigation. The purpose of this is to ensure that your methods can be repeated and, if dissected or scrutinized, produce the same results time and again. The methodology used, including the procedures and findings of your investigation, should always allow for the maintenance of the data’s integrity, regardless of what tools are used.

The best practices demonstrated in this book, ensure that the original evidence is not tampered with, or in cases of investigating devices and data in a live or production environment, show well-documented proof that necessary steps were taken during the investigation to avoid unnecessary tampering of the evidence, thereby preserving the integrity of the evidence. For those completely new to investigations, I recommend familiarizing yourself with some of the various practices and methodologies available and widely practiced by the professional community.

As such, there exist several guidelines and methodologies that one should adopt, or at least follow, to ensure that examinations and investigations are forensically sound.

The 2 best-practices documents mentioned in this chapter are:

  • the ACPO's Good Practice Guide for Digital Evidence
  • the SWGDE's Best Practices for Computer Forensics.

Although written in 2012, the Association of Chief Police Officers, known as the ACPO, and now functioning as the National Police Chiefs' Council, or NPCO, put forth a document in a PDF file called The ACPO Good Practice Guide for Digital Evidence in best practices when carrying out digital forensics investigations, particularly focusing on evidence acquisition. The ACPO Good Practice Guide for Digital Evidence was then adopted and adhered to by Law Enforcement agencies in England, Wales, and Northern Ireland and can be downloaded in its entirety at https://www.7safe.com/docs/default-source/default-document-library/acpo_guidelines_computer_evidence_v4_web.pdf.

Another useful and more recent document, produced in September 2014, on best practices in digital forensics was issued by the Scientific Working Group on Digital Evidence (SWGDE). The SWGDE was founded in 1998 by the Federal Crime Laboratory Directors Group with major members and contributors including the FBI, DEA, NASA, and the Department of Defense Computer Forensics Laboratory. Though this document details procedures and practices within a formal computer forensics laboratory setting, the practices can still be applied to non-laboratory investigations by those not currently in or with access to such an environment.

The SWGDE Best Practices for Computer Forensics sheds light on many of the topics covered in the following chapters, including:

  • Evidence collection and acquisition
  • Investigating devices that are powered on and powered off
  • Evidence handling
  • Analysis and reporting

A brief history of digital forensics

 Although forensic science itself (including the first recorded fingerprints) has been around for over 100 years, digital forensics is a much younger field as it relates to the digital world, which mainly gained popularity after the introduction of personal computers in the 1980s.

For comparative purposes in trying to grasp the concept of digital forensics as still being relatively new, consider that the first actual forensic sciences lab was developed by the FBI in 1932.

Some of the first tools used in digital forensic investigations were developed in FBI labs circa 1984, with forensic investigations being spearheaded by the FBI’s specialized CART (Computer Analysis and Response Team) which was responsible for aiding in digital investigations.

Digital forensics as its own field grew substantially in the 1990s, with the collaboration of several law enforcement agencies and heads of divisions working together and even meeting regularly to bring their expertise to the table.

One of the earliest formal conferences was hosted by the FBI in 1993. The main focus of the event, called the International Law Enforcement Conference on Computer Evidence, was to address the need for formal standards and procedures with digital forensics and evidence acquisition.

Many of these conferences resulted in the formation of bodies that deal with digital forensics standards and best practices. For example, the SWGDE was formed by the Federal Crime Laboratory Directors in 1998. The SWGDE was responsible for producing the widely adopted best practices for computer evidence (discussed later in this chapter). The SWGDE also collaborated with other organizations, such as the very popular American Society of Crime Laboratory Directors (ASCLDs), which was formed in 1973 and has since been instrumental in the ongoing development of best practices, procedures, and training as it relates to forensic science.

It wasn’t until the early 2000s, however, that a formal Regional Computer Forensic Laboratory (RCFL) was established by the FBI. In 2002, the National Program Office (NPO) was established and acts as a central body, essentially coordinating and supporting efforts between RCFL’s law enforcement.

Since then, we've seen several agencies, such as the FBI, CIA, NSA, and GCHQ, each with their own full cyber crime divisions, full digital forensics labs, dedicated onsite and field agents, collaborating assiduously in an effort to take on tasks that may be nothing short of Sisyphean, when considering the rapid growth of technology and easier access to the internet and even the Dark Web.

With the advancement of technology, the tools for digital forensics must be regularly updated, not only in the fight against cyber crime, but in the ability to provide accountability and for the retrieval of lost data. We've come a long way since the days of floppy disks, magnetic drives, and dial-up internet access, and are now presented with  SD cards, solid-state drives, and fiber-optic internet connections at Gigabit speeds.

The need for digital forensics as technology advances

Some of you may be young-at-heart enough to remember the days of Windows 95, 3.x, and even DOS (Disk Operating System). Smart watches, calculators, and many IoT devices today are much faster than the first generation of personal computers and servers. In 1995, it was common to come across hard disk drives between 4 GB to 10 GB, whereas today you can easily purchase drives with capacities of 2 TB and up.

Consider also the various types of storage media today, including Flash drives, SD cards, CDs, DVDs, Blu-ray discs, hybrid and solid-state drives, as compared to the older floppy disks, which at their most compact and efficient only stored 1.44 MB of data on a 3 ¼ inch disk. Although discussed in detail in a later chapter, we now have many options for not only storing data but also losing and hiding data.

With the advancement of technology also comes a deeper understanding of programming languages, operating systems both average and advanced, and knowledge and utilization of digital devices. This also translates into more user-friendly interfaces which can accomplish many of the same tasks as with the CLI, used mainly by advanced users. Essentially, today’s simple GUI, together with a wealth of resources readily found on search engines, can make certain tasks, such as hiding data, far easier than before.

Hiding large amounts of data is also simpler today, considering the speed of processors, combined with large amounts of RAM, including devices which can also act as RAM, far surpass those of as recent as five years ago. Graphics cards must also be mentioned and taken into consideration, as more and more mobile devices are being outfitted with very powerful high-end onboard NVIDIA and ATI cards which also have their own separate RAM, aiding the process. Considering all these factors does lend support to the idea put forth by Gordon E. Moore in the 1970s that states that computing power doubles every two years, commonly known as Moore’s Law.  

However, Jensen Huang, CEO of NVIDIA, has recently stated that Moore's Law is dying as GPUs (Graphic Processing Units) will ultimately replace CPUs due to the GPU's performance, technological advancements and abilities in handling artificial intelligence. Huang's statement was also mirrored by Intel CEO Brian Krzanich.

All things considered, several avenues for carrying out cyber crimes are now available, including malware and ransomware distribution, DoS and DDoS attacks, espionage, blackmail, identity theft, data theft, illegal online activities and transactions and a plethora of other malicious activities. Many of these activities are anonymous as they occur over the internet and often take place using masked IP addresses and public networks and so, make investigations that much harder for the relevant agencies in pinpointing locations and apprehending suspects.

With cyber crime being such a big business, the response from law enforcement officials and agencies must be equally impressive in their research, development, intelligence, and training divisions if they are to put up a fight in what may seem like a never-ending battle in the digital world.

Digital forensics not only applies to storage media but also to network and internet connections, mobile devices, IoT devices, and in reality, any device that can store, access, or transmit data. As such, we have a variety of tools, both commercial and open source, available to us depending on the task at hand.

Commercial tools available in the field of digital forensics

Although this book focuses on tools within the Kali Linux operating system, it’s important to recognize the commercially-available tools available to us, many of which you can download as trial or demo versions before determining a preference.

Because this book focuses primarily on open source tools, I'll just make mention of some of the more popular commercial tools available along with their homepages.  The tools are listed only in alphabetical order and do not reflect any ratings, reviews, or the author's personal preference:

Many of the commercial tools available all allow for the following features and also offer several proprietary features, including:

  • Write blocking
  • Bit-by-bit or bit-stream copies and disk cloning/evidence cloning
  • Forensically sound evidence acquisition
  • Evidence preservation using hashes
  • File recovery (hidden and deleted)
  • Live and remote acquisition of evidence
  • RAM and swap/paging file analysis
  • Image mounting (supporting various formats)
  • Advanced data and metadata (data about data) searches and filtering
  • Bookmarking of files and sectors
  • Hash and password cracking
  • Automatic report generation

The main advantage of commercial tools is that they are usually automated and are actually a suite of tools that can almost always perform entire investigations, from start to finish, with a few clicks. Another advantage that I must mention is the support for the tools that are given with the purchase of a license. The developers of these tools also employ research and development teams to ensure constant testing and review of their current and new products.

Operating systems and open source tools for digital forensics

Just as there are several commercial tools available, there exist many open source tools available to investigators, amateur and professional alike. Many of these tools are Linux-based and can be found on several freely-available forensic distributions.

The main question that usually arises when choosing tools is usually based on commercial versus open source. Whether using commercial tools or open source tools, the end result should be the same, with preservation and integrity of the original evidence being the main priority.

Budget is always an issue and some commercial tools (as robust, accurate, and user-friendly as they might be) can cost thousands of dollars.

The open source tools are free to use under various open source licenses and should not be counted out just because they are not backed by enterprise developers and researchers. Many of the open source tools are widely reviewed by the forensic community and may be open to more scrutiny, as they are more widely available to the public and are built in non-proprietary code.

Though the focus of this book is on the forensic tools found in Kali Linux, which we will begin looking at toward the end of this section and onward, here are some of the more popular open source forensic distributions, or distros, available.

Each of the distros mentioned in the following sections is freely available at many locations but, for security reasons, we will provide the direct link from their homepages. The operating systems featured in this section are listed only in alphabetical order and do not reflect any ratings, reviews, or even the author's personal preference.

Digital evidence and forensics toolkit Linux

Digital Evidence and Forensics Toolkit (DEFT) Linux comes in a full version and a lighter version called DEFT Zero. For forensic purposes, you may wish to download the full version as the Zero version, does not support mobile forensics and password-cracking features.

Like the other distros mentioned in this list, DEFT, as shown in the following screenshot, is also a fully capable live response forensic tool that can be used on the go in situations where shutting down the machine is not possible and also allows for on-the-fly analysis of RAM and the swap file:

When booting from the DEFT Linux DVD, bootable flash, or other media, the user is presented with various options, including the options to install DEFT Linux to the hard disk, or use as a live-response tool or operating system by selecting the DEFT Linux 8 live option, as shown here:

In the previous screenshot, it can be seen that there are several forensic categories in DEFT Linux 8 such as Antimalware, Data Recovery, Hashing, Imaging, Mobile Forensics, and Network Forensics, Password recovery, and Reporting tools. Within each category exist several tools created by various developers, giving the investigator quite a variety from which to choose.

For a full list of the features and packages included in the Digital Evidence Forensic Toolkit (DEFT) Linux OS at the time of this publishing, please visit the following link:

http://www.deftlinux.net/package-list/

Computer Aided INvestigative Environment

The Computer Aided INvestigative Environment (CAINE) is a live-response bootable CD/DVD with options for booting in safe mode, text mode, as a live system, or in RAM, as shown here:

One of the most noticeable features of CAINE after selecting your boot option is the easy way to find the write-blocker feature, seen and labeled as a BlockON/OFF icon, as shown in the following screenshot. Activating this feature prevents the writing of data by the CAINE OS to the evidence machine or drive:

Forensic Tools is the first menu listed in CAINE. Like DEFT Linux, there are several categories in the menu, as seen in the following screenshot, with several of the more popular tools used in open source forensics. Besides the categories, there are direct links to some of the more well-known tools, such as Guymager and Autopsy, which will both be covered in detail in later chapters:

For a full list of the features and packages included in CAINE at the time of this publishing, please visit the following link:

http://www.caine-live.net/page11/page11.html

Kali Linux

Finally, we get to this lovely gem, Kali Linux, fully discussed in detail from its installation to advanced forensics usage in the next chapter and throughout this book.

  • Homepage: https://www.kali.org/
  • Based on: Debian
  • Distribution type: Penetration testing, forensics, and anti-forensics

Kali Linux was created as a penetration testing or pen-testing distro under the name BackTrack, which then evolved into Kali Linux, in 2015. This powerful tool is the definite tool of choice for penetration testers and security enthusiasts worldwide. As a Certified EC-Council Instructor (CEI) for the Certified Ethical Hacker (CEH) course, this operating system is usually the star of the class due to its many impressive bundled security programs, ranging from scanning and reconnaissance tools to advanced exploitation tools and reporting tools.

Like the above-mentioned tools, Kali Linux can be used as a live response forensic tool, as it contains many of the tools required for full investigations. Kali, however, can also be used as a complete operating system, as it can be fully installed to a hard disk or flash drive and also contains several tools for productivity and entertainment. It comes with many of the required drivers for successful use of hardware, graphics, and networking, and also runs smoothly on both 32 bit and 64 bit systems with minimal resources; it can also be installed on certain mobile devices, such as Nexus and OnePlus phones and tablets.

Adding to its versatility, upon booting from a live CD/DVD or flash drive, the investigator has several options to choose from, including Live (forensic mode), which leaves the evidence drive intact and does not tamper with it by also disabling any auto-mounting of flash drives and other storage media, providing for integrity of the original evidence throughout the investigation.

When booting to Kali Linux from a DVD or flash drive, the user is first presented with options for a live environment and installation. Choosing the third option from the list carries us into Live (forensic mode), as seen in the following screenshot:

Once Kali Live (forensic mode) has booted, the investigator is presented with the exact same home screen as would be seen if using any of the GUIs in Kali, as shown in the following screenshot:

The Kali menu can be found at the top left corner by clicking on Applications. This brings the user to the menu listing which shows the forensics category lower down, as 11 - Forensics. The following screenshot gives an idea of some of the Forensic tools available in Kali that we'll be using later on in the book:

It should be noted that the tools listed are not the only tools available in Kali. There are several other tools that can be brought up via the Terminal, as we'll see in later chapters.

It's also noteworthy that, when it is in forensic mode, not only does Kali not tamper with the original evidence drive but also does not write data to the swap file, where important data that was recently accessed and stored in memory may reside.

The following screenshot shows another view of accessing the Forensic tools menu using the last icon in the list on the sidebar menu (resembling nine dots in a square formation):

For a full list of the features and packages included in the Kali Linux operating system at the time of this publishing, please visit the following link:

https://tools.kali.org/tools-listing

Out of the three forensic distros mentioned, Kali can operate as a live response forensic tool, but can also be used as a full operating system, just like Windows, Mac, and Android as it contains several built-in tools for productivity and everyday use. The fact that Kali can be installed to a hard disk means that several other tools can be downloaded and updated regularly, giving continuous access to all IT security and forensic tools, allowing the user to save progress as they use the tools and not have to worry too much about restarting their machine should they decide to use it as a full operating system.

Using these open source forensic operating systems, such as Kali, gives us a range of tools to choose from and work with. There exist many tools for performing the same tasks within each category in the distros. This is good, because our findings should be able to be replicated using different tools. This is especially good in instances where the investigator's work may be critiqued and the integrity of the case and evidence questioned and scrutinized; using multiple tools correctly will yield consistent results.

The need for multiple forensics tools in digital investigations

Preservation of evidence is of the utmost importance. Using commercial and open source tools correctly will yield results; however, for forensically sound results, it is sometimes best if more than one tool can be used and produce the same results.

Another reason to use multiple tools may simply be cost. Some of us may have a large budget to work with, while others may have a limited one or none at all. Commercial tools can be costly, especially due to research and development, testing, advertising, and other factors. Open source tools, while tested by the community, may not have the available resources and funding as with commercial tools.

So then, how do we know which tools to choose?

Digital forensics is often quite time-consuming, which is one of the reasons you may wish to work with multiple forensic copies of the evidence. This way you can use different tools simultaneously in an effort to speed up the investigation. While fast tools may be a good thing, we should also question the reliability and accuracy of the tools.

The National Institute of Standards and Technology (NIST) has developed a Computer Forensics Tool Testing (CFTT) program that tests digital forensic tools and makes all findings available to the public. Several tools are chosen based on their specific abilities and placed into testing categories such as disk imaging, carving, and file recovery. Each category has a formal test plan and strategy for testing along with a validation report, again available to the public.

More on the CFTT program can be found at https://www.cftt.nist.gov/disk_imaging.htm. Testing and validation reports on many of the tools covered in this book can be found at https://www.dhs.gov/science-and-technology/nist-cftt-reports.

To re-enforce the importance of using multiple tools in maintaining the integrity of your investigations and findings, multiple tools will be demonstrated in the third and fourth sections of this book.

Anti-forensics: threats to digital forensics

As much as we would like the tasks involved in digital forensics to be as easy as possible, we do encounter situations which make investigations, and life as a forensics investigator, not-so-simple and sometimes stressful. People wishing to hide information, cover their tracks, and even those who have malicious intent or actually participate in cyber crimes often employ various methods to try to foil the attempts of forensic investigators with the hope of hampering or halting investigations.

Within somewhat recent times we've seen several major digital breaches online, especially from 2011 onward. Many of these attacks allegedly came from, or were claimed to be the work of, infamous hacker groups such as LulzSec, Anonymous, Lizard Squad, and many others, including individuals and Hacktivists (people that hack for a specific cause or reason and are less concerned about doing time in prison). Some of these hacks and attacks not only brought down several major networks and agencies, but also cost millions in damage, directly and indirectly; as a result, the loss of public confidence in the companies contributed to further increases in damages.

These daring, creative, and public attacks saw the emergence of many other new groups that learned from the mistakes of past breaches of Anonymous and others. Both social media and underground communication channels soon became the easiest forms of communication between like-minded hackers and hacktivists. With the internet and World Wide Web becoming easily accessible, this also saw the competition not only between IPs, but also private companies and corporations, which lead to the creation of free wireless hotspots on almost every street with businesses, small or large.

The result of having internet access at just about every coffee shop enabled anyone with a smartphone, tablet, laptop, or other devices to acquire almost unauthenticated access to the internet. This gave them access to hacker sites and portals, along with the ability to download tools, upload malware, send infected emails, or even carry out attacks.

Encryption

Adding to this scenario is the availability of more user-friendly tools to aid in the masking of Publicly Identifiable Information (PII), or any information that would aid in the discovery of unveiling suspects involved in cyber-crimes during forensic investigations. Tools used for encryption of data and anonymity, such as masking of IP addresses, are readily and easily available to anyone, most of which were and are increasingly more and more user-friendly.

It should also be noted that many Wi-Fi hotspots themselves can be quite dangerous, as these can be easily set up to intercept personal data, such as login and password information together with PII (such as social security numbers, date of birth info, and phone numbers) from any user that may connect to the Wi-Fi and enter such information.

The process of encryption provides confidentiality between communication parties and uses technology in very much the same way we use locks and keys to safeguard our personal and private belongings. For a lock to open, there must be a specific matching key. So too, in the digital world, data is encrypted or locked using an encryption algorithm and must use either the same key to decrypt or unlock the data. There also exists another scenario where one key may be used to encrypt or lock the data and another used to decrypt the data. Two such very popular encryption tools are TrueCrypt and VeraCrypt.

These two encryption tools use very high encryption methods that keep data very confidential. The main barrier to forensics may be acquiring the decryption key to decrypt or unlock access to the data.

TrueCrypt and VeraCrypt not only encrypt files but also encrypt folders, partitions, and entire drives!

Online and offline anonymity

Encryption, in particular, can make investigations rather difficult, but there is also the concept of anonymity which adds to the complexity of maintaining an accuracy of the true sources found in investigations. Like encryption, there exist several free and open source tools for all operating system platforms, such as Windows, Mac, Linux, and Android, which attempt and most often successfully mask the hiding of someone's digital footprint. This digital footprint usually identifies a device by its IP address and MAC (Media Access Control) address. Without going into the network aspect of things, these two digital addresses can be compared to a person's full name and home address, respectively.

Even though a person's IP address can change according to their private network (home and work) and public network (internet) access, the MAC address remains the same. However, various tools are also freely available to spoof or fake one's IP and MAC addresses for the purpose of privacy and anonymity. Adding to that, users can use a system of routing their data through online servers and devices to make the tracing of the source of the sent data quite difficult. This system is referred to as proxy chaining and does keep some of the user's identity hidden.

A good example of this would be the Tor browser; it uses onion routing and several proxies worldwide to route or passes the data along from proxy to proxy, making the tracing of the source very difficult, but not impossible. You can think of proxy chains as a relay race, but instead of having four people, one passing the baton to the next, the data is passed between hundreds of proxy devices, worldwide.

Summary

Congratulations! You made it to the end of the first chapter. Before we jump into the second chapter, let's have a look at what was just covered.

We saw that digital forensics is still a relatively new field, although forensic science has been around for a very long time, as far back as the early 1900s. Although digital forensics may have only been on the scene since the early 2000s, as a science, we have certain best practices, procedures, and standards, such as those created by the ACPO and SWGDE, to adhere to. These maintain accuracy and the integrity of both the findings and the actual evidence when carrying out investigations, whether as an amateur or professional Digital Forensic Investigator.

Some of the commercial tools mentioned were EnCase, FTK, and Magnet Forensics. Many of the open source tools available are made for Linux-based distributions and can be downloaded individually, but many are readily and easily available within certain Forensic and Security Operating Systems or distributions. Some of these distros are DEFT Linux, CAINE, and of course, Kali Linux; all of these are freely available for download at the links provided.

I hope this introduction to digital forensics was informative and fun for you. Now that we've gotten a foundation of forensics, let's go deeper into Kali Linux as we learn how to download, install and update Kali in Chapter 2, Installing Kali Linux. See you on the next page.

 

 

 

 

 

 

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • • Master powerful Kali Linux tools for digital investigation and analysis
  • • Perform evidence acquisition, preservation, and analysis using various tools within Kali Linux
  • • Implement the concept of cryptographic hashing and imaging using Kali Linux
  • • Perform memory forensics with Volatility and internet forensics with Xplico.
  • • Discover the capabilities of professional forensic tools such as Autopsy and DFF (Digital Forensic Framework) used by law enforcement and military personnel alike

Description

Kali Linux is a Linux-based distribution used mainly for penetration testing and digital forensics. It has a wide range of tools to help in forensics investigations and incident response mechanisms. You will start by understanding the fundamentals of digital forensics and setting up your Kali Linux environment to perform different investigation practices. The book will delve into the realm of operating systems and the various formats for file storage, including secret hiding places unseen by the end user or even the operating system. The book will also teach you to create forensic images of data and maintain integrity using hashing tools. Next, you will also master some advanced topics such as autopsies and acquiring investigation data from the network, operating system memory, and so on. The book introduces you to powerful tools that will take your forensic abilities and investigations to a professional level, catering for all aspects of full digital forensic investigations from hashing to reporting. By the end of this book, you will have had hands-on experience in implementing all the pillars of digital forensics—acquisition, extraction, analysis, and presentation using Kali Linux tools.

Who is this book for?

This book is targeted at forensics and digital investigators, security analysts, or any stakeholder interested in learning digital forensics using Kali Linux. Basic knowledge of Kali Linux will be an advantage.

What you will learn

  • • Get to grips with the fundamentals of digital forensics and explore best practices
  • • Understand the workings of file systems, storage, and data fundamentals
  • • Discover incident response procedures and best practices
  • • Use DC3DD and Guymager for acquisition and preservation techniques
  • • Recover deleted data with Foremost and Scalpel
  • • Find evidence of accessed programs and malicious programs using Volatility.
  • • Perform network and internet capture analysis with Xplico
  • • Carry out professional digital forensics investigations using the DFF and Autopsy automated forensic suites
Estimated delivery fee Deliver to Spain

Premium delivery 7 - 10 business days

€17.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Dec 19, 2017
Length: 274 pages
Edition : 1st
Language : English
ISBN-13 : 9781788625005
Vendor :
Offensive Security
Category :
Concepts :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Estimated delivery fee Deliver to Spain

Premium delivery 7 - 10 business days

€17.95
(Includes tracking information)

Product Details

Publication date : Dec 19, 2017
Length: 274 pages
Edition : 1st
Language : English
ISBN-13 : 9781788625005
Vendor :
Offensive Security
Category :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 99.97
Digital Forensics with Kali Linux
€32.99
Kali Linux Wireless Penetration Testing Beginner???s Guide
€29.99
Kali Linux - An Ethical Hacker's Cookbook
€36.99
Total 99.97 Stars icon

Table of Contents

10 Chapters
Introduction to Digital Forensics Chevron down icon Chevron up icon
Installing Kali Linux Chevron down icon Chevron up icon
Understanding Filesystems and Storage Media Chevron down icon Chevron up icon
Incident Response and Data Acquisition Chevron down icon Chevron up icon
Evidence Acquisition and Preservation with DC3DD and Guymager Chevron down icon Chevron up icon
File Recovery and Data Carving with Foremost, Scalpel, and Bulk Extractor Chevron down icon Chevron up icon
Memory Forensics with Volatility Chevron down icon Chevron up icon
Autopsy – The Sleuth Kit Chevron down icon Chevron up icon
Network and Internet Capture Analysis with Xplico Chevron down icon Chevron up icon
Revealing Evidence Using DFF Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.3
(11 Ratings)
5 star 72.7%
4 star 0%
3 star 9.1%
2 star 18.2%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




Amazon Customer Dec 22, 2017
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is the go-to book for digital forensics using kali linux. The author is well versed in his field and this is apparent in his masterful explanations of the history, evolution and current techniques used in digital forensics. Each chapter is nicely illustrated with practical step by step instructions and pictures to further provide clarity and insight. The learning points are then reinforced with good summaries. Overall, a very resourceful and educational tool, and a must have in your library.
Amazon Verified review Amazon
Glen Feb 22, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
The knowledge provided within this book assisted me to better understand the forensics features within the Kali Linux OS. I would definitely recommend this title to anyone who's interesting in learning both Kali Linux and forensics.
Amazon Verified review Amazon
Anand R Dec 20, 2017
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Good stuff.
Amazon Verified review Amazon
Anslem John Feb 06, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Well detailed and put together. Kali Linux is one of the most versatile Linux OS for Forensics and Pen testing. The Author has a wealth of knowledge and this was conveyed in the Book.....I highly recommend this book to anyone wanting to learn Digital forensics.
Amazon Verified review Amazon
Dale Joseph Mar 10, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
A great resource and a must have for IT professionals.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela