The first thing I’d like to cover in this chapter is an understanding of digital forensics and its proper practices and procedures. At some point, you may have come across several books, blogs, and even videos demonstrating various aspects of digital forensics and different tools used. It is of great importance to understand that forensics itself is a science, involving very well documented best practices and methods in an effort to reveal whether something exists or does not.

Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various storage media types found. It is not only limited to laptops, desktops, tablets, and mobile devices, but also extends to data in transit which is transmitted across public or private networks.

In most cases, digital forensics involves the discovery and/or recovery of data using various methods and tools available to the investigator. Digital forensics investigations include, but are not limited to:

• Data recovery: Investigating and recovering data that may have been deleted, changed to different file extensions, and even hidden.
• Identity theft: Many fraudulent activities ranging from stolen credit card usage to fake social media profiles usually involve some sort of identity theft.
• Malware and ransomware investigations: To date, ransomware spread by Trojans and worms across networks and the internet are some of the biggest threats to companies, military organizations, and individuals. Malware can also be spread to and by mobile devices and smart devices.
• Network and internet investigations: Investigating DoS (known as Denial-of-Service) and DDoS (known as Distributed DoS) attacks and tracking down accessed devices including printers and files.
• Email investigations: Investigating the source and IP origins, attached content, and geo-location information can all be investigated.
• Corporate espionage: Many companies are moving away from print copies and toward cloud and traditional disk media. As such, a digital footprint is always left behind; should sensitive information be accessed or transmitted?
• Child pornography investigations: Sadly, the reality is that children are widely exploited on the internet and within the Deep Web. With the use of technology and highly-skilled forensic analysts, investigations can be carried out in bringing down exploitation rings by analyzing internet traffic, browser history, payment transactions, email records, and images.

Keeping in mind that forensics is a science, digital forensics requires that one follow appropriate best practices and procedures in an effort to produce the same results time and time again providing proof of evidence, preservation, and integrity which can be replicated ;if called upon to do so.

Although many people may not be performing digital forensics to be used as evidence in a court of law, it is best to practice in such a way as can be accepted and presented in a court of law. The main purpose of adhering to best-practices set by organizations specializing in digital forensics and incident response is to maintain the integrity of the evidence for the duration of the investigation. In the event that the investigator's work must be scrutinized and critiqued by another or an opposing party, the results found by the investigator must be able to be recreated, thereby proving the integrity of the investigation. The purpose of this is to ensure that your methods can be repeated and, if dissected or scrutinized, produce the same results time and again. The methodology used, including the procedures and findings of your investigation, should always allow for the maintenance of the data’s integrity, regardless of what tools are used.

The best practices demonstrated in this book, ensure that the original evidence is not tampered with, or in cases of investigating devices and data in a live or production environment, show well-documented proof that necessary steps were taken during the investigation to avoid unnecessary tampering of the evidence, thereby preserving the integrity of the evidence. For those completely new to investigations, I recommend familiarizing yourself with some of the various practices and methodologies available and widely practiced by the professional community.

As such, there exist several guidelines and methodologies that one should adopt, or at least follow, to ensure that examinations and investigations are forensically sound.

The 2 best-practices documents mentioned in this chapter are:

• the ACPO's Good Practice Guide for Digital Evidence
• the SWGDE's Best Practices for Computer Forensics.

Although written in 2012, the Association of Chief Police Officers, known as the ACPO, and now functioning as the National Police Chiefs' Council, or NPCO, put forth a document in a PDF file called The ACPO Good Practice Guide for Digital Evidence in best practices when carrying out digital forensics investigations, particularly focusing on evidence acquisition. The ACPO Good Practice Guide for Digital Evidence was then adopted and adhered to by Law Enforcement agencies in England, Wales, and Northern Ireland and can be downloaded in its entirety at https://www.7safe.com/docs/default-source/default-document-library/acpo_guidelines_computer_evidence_v4_web.pdf.

Another useful and more recent document, produced in September 2014, on best practices in digital forensics was issued by the Scientific Working Group on Digital Evidence (SWGDE). The SWGDE was founded in 1998 by the Federal Crime Laboratory Directors Group with major members and contributors including the FBI, DEA, NASA, and the Department of Defense Computer Forensics Laboratory. Though this document details procedures and practices within a formal computer forensics laboratory setting, the practices can still be applied to non-laboratory investigations by those not currently in or with access to such an environment.

The SWGDE Best Practices for Computer Forensics sheds light on many of the topics covered in the following chapters, including:

• Evidence collection and acquisition
• Investigating devices that are powered on and powered off
• Evidence handling
• Analysis and reporting

 Although forensic science itself (including the first recorded fingerprints) has been around for over 100 years, digital forensics is a much younger field as it relates to the digital world, which mainly gained popularity after the introduction of personal computers in the 1980s.

For comparative purposes in trying to grasp the concept of digital forensics as still being relatively new, consider that the first actual forensic sciences lab was developed by the FBI in 1932.

Some of the first tools used in digital forensic investigations were developed in FBI labs circa 1984, with forensic investigations being spearheaded by the FBI’s specialized CART (Computer Analysis and Response Team) which was responsible for aiding in digital investigations.

Digital forensics as its own field grew substantially in the 1990s, with the collaboration of several law enforcement agencies and heads of divisions working together and even meeting regularly to bring their expertise to the table.

One of the earliest formal conferences was hosted by the FBI in 1993. The main focus of the event, called the International Law Enforcement Conference on Computer Evidence, was to address the need for formal standards and procedures with digital forensics and evidence acquisition.

Many of these conferences resulted in the formation of bodies that deal with digital forensics standards and best practices. For example, the SWGDE was formed by the Federal Crime Laboratory Directors in 1998. The SWGDE was responsible for producing the widely adopted best practices for computer evidence (discussed later in this chapter). The SWGDE also collaborated with other organizations, such as the very popular American Society of Crime Laboratory Directors (ASCLDs), which was formed in 1973 and has since been instrumental in the ongoing development of best practices, procedures, and training as it relates to forensic science.

It wasn’t until the early 2000s, however, that a formal Regional Computer Forensic Laboratory (RCFL) was established by the FBI. In 2002, the National Program Office (NPO) was established and acts as a central body, essentially coordinating and supporting efforts between RCFL’s law enforcement.

Since then, we've seen several agencies, such as the FBI, CIA, NSA, and GCHQ, each with their own full cyber crime divisions, full digital forensics labs, dedicated onsite and field agents, collaborating assiduously in an effort to take on tasks that may be nothing short of Sisyphean, when considering the rapid growth of technology and easier access to the internet and even the Dark Web.

With the advancement of technology, the tools for digital forensics must be regularly updated, not only in the fight against cyber crime, but in the ability to provide accountability and for the retrieval of lost data. We've come a long way since the days of floppy disks, magnetic drives, and dial-up internet access, and are now presented with  SD cards, solid-state drives, and fiber-optic internet connections at Gigabit speeds.

Some of you may be young-at-heart enough to remember the days of Windows 95, 3.x, and even DOS (Disk Operating System). Smart watches, calculators, and many IoT devices today are much faster than the first generation of personal computers and servers. In 1995, it was common to come across hard disk drives between 4 GB to 10 GB, whereas today you can easily purchase drives with capacities of 2 TB and up.

Consider also the various types of storage media today, including Flash drives, SD cards, CDs, DVDs, Blu-ray discs, hybrid and solid-state drives, as compared to the older floppy disks, which at their most compact and efficient only stored 1.44 MB of data on a 3 ¼ inch disk. Although discussed in detail in a later chapter, we now have many options for not only storing data but also losing and hiding data.

With the advancement of technology also comes a deeper understanding of programming languages, operating systems both average and advanced, and knowledge and utilization of digital devices. This also translates into more user-friendly interfaces which can accomplish many of the same tasks as with the CLI, used mainly by advanced users. Essentially, today’s simple GUI, together with a wealth of resources readily found on search engines, can make certain tasks, such as hiding data, far easier than before.

Hiding large amounts of data is also simpler today, considering the speed of processors, combined with large amounts of RAM, including devices which can also act as RAM, far surpass those of as recent as five years ago. Graphics cards must also be mentioned and taken into consideration, as more and more mobile devices are being outfitted with very powerful high-end onboard NVIDIA and ATI cards which also have their own separate RAM, aiding the process. Considering all these factors does lend support to the idea put forth by Gordon E. Moore in the 1970s that states that computing power doubles every two years, commonly known as Moore’s Law.  

However, Jensen Huang, CEO of NVIDIA, has recently stated that Moore's Law is dying as GPUs (Graphic Processing Units) will ultimately replace CPUs due to the GPU's performance, technological advancements and abilities in handling artificial intelligence. Huang's statement was also mirrored by Intel CEO Brian Krzanich.

All things considered, several avenues for carrying out cyber crimes are now available, including malware and ransomware distribution, DoS and DDoS attacks, espionage, blackmail, identity theft, data theft, illegal online activities and transactions and a plethora of other malicious activities. Many of these activities are anonymous as they occur over the internet and often take place using masked IP addresses and public networks and so, make investigations that much harder for the relevant agencies in pinpointing locations and apprehending suspects.

With cyber crime being such a big business, the response from law enforcement officials and agencies must be equally impressive in their research, development, intelligence, and training divisions if they are to put up a fight in what may seem like a never-ending battle in the digital world.

Digital forensics not only applies to storage media but also to network and internet connections, mobile devices, IoT devices, and in reality, any device that can store, access, or transmit data. As such, we have a variety of tools, both commercial and open source, available to us depending on the task at hand.

Although this book focuses on tools within the Kali Linux operating system, it’s important to recognize the commercially-available tools available to us, many of which you can download as trial or demo versions before determining a preference.

Because this book focuses primarily on open source tools, I'll just make mention of some of the more popular commercial tools available along with their homepages.  The tools are listed only in alphabetical order and do not reflect any ratings, reviews, or the author's personal preference:

• EnCase® Forensic: https://www.guidancesoftware.com/encase-forensic
• F-Response: https://www.f-response.com/
• Forensic Toolkit: http://accessdata.com/products-services/forensic-toolkit-ftk
• Helix Enterprise: http://www.e-fense.com/h3-enterprise.php
• Magnet Axiom: https://www.magnetforensics.com/computer-forensics/
• X-Ways Forensics: http://www.x-ways.net/forensics/index-m.html

Many of the commercial tools available all allow for the following features and also offer several proprietary features, including:

• Write blocking
• Bit-by-bit or bit-stream copies and disk cloning/evidence cloning
• Forensically sound evidence acquisition
• Evidence preservation using hashes
• File recovery (hidden and deleted)
• Live and remote acquisition of evidence
• RAM and swap/paging file analysis
• Image mounting (supporting various formats)
• Advanced data and metadata (data about data) searches and filtering
• Bookmarking of files and sectors
• Hash and password cracking
• Automatic report generation

The main advantage of commercial tools is that they are usually automated and are actually a suite of tools that can almost always perform entire investigations, from start to finish, with a few clicks. Another advantage that I must mention is the support for the tools that are given with the purchase of a license. The developers of these tools also employ research and development teams to ensure constant testing and review of their current and new products.

Just as there are several commercial tools available, there exist many open source tools available to investigators, amateur and professional alike. Many of these tools are Linux-based and can be found on several freely-available forensic distributions.

The main question that usually arises when choosing tools is usually based on commercial versus open source. Whether using commercial tools or open source tools, the end result should be the same, with preservation and integrity of the original evidence being the main priority.

The open source tools are free to use under various open source licenses and should not be counted out just because they are not backed by enterprise developers and researchers. Many of the open source tools are widely reviewed by the forensic community and may be open to more scrutiny, as they are more widely available to the public and are built in non-proprietary code.

Though the focus of this book is on the forensic tools found in Kali Linux, which we will begin looking at toward the end of this section and onward, here are some of the more popular open source forensic distributions, or distros, available.

Each of the distros mentioned in the following sections is freely available at many locations but, for security reasons, we will provide the direct link from their homepages. The operating systems featured in this section are listed only in alphabetical order and do not reflect any ratings, reviews, or even the author's personal preference.

Digital Evidence and Forensics Toolkit (DEFT) Linux comes in a full version and a lighter version called DEFT Zero. For forensic purposes, you may wish to download the full version as the Zero version, does not support mobile forensics and password-cracking features.

• Homepage: http://www.deftlinux.net/about/
• Based on: Ubuntu Desktop
• Distribution type: Forensics and incident response

Like the other distros mentioned in this list, DEFT, as shown in the following screenshot, is also a fully capable live response forensic tool that can be used on the go in situations where shutting down the machine is not possible and also allows for on-the-fly analysis of RAM and the swap file:

When booting from the DEFT Linux DVD, bootable flash, or other media, the user is presented with various options, including the options to install DEFT Linux to the hard disk, or use as a live-response tool or operating system by selecting the DEFT Linux 8 live option, as shown here:

In the previous screenshot, it can be seen that there are several forensic categories in DEFT Linux 8 such as Antimalware, Data Recovery, Hashing, Imaging, Mobile Forensics, and Network Forensics, Password recovery, and Reporting tools. Within each category exist several tools created by various developers, giving the investigator quite a variety from which to choose.

For a full list of the features and packages included in the Digital Evidence Forensic Toolkit (DEFT) Linux OS at the time of this publishing, please visit the following link:

http://www.deftlinux.net/package-list/

The Computer Aided INvestigative Environment (CAINE) is a live-response bootable CD/DVD with options for booting in safe mode, text mode, as a live system, or in RAM, as shown here:

One of the most noticeable features of CAINE after selecting your boot option is the easy way to find the write-blocker feature, seen and labeled as a BlockON/OFF icon, as shown in the following screenshot. Activating this feature prevents the writing of data by the CAINE OS to the evidence machine or drive:

Forensic Tools is the first menu listed in CAINE. Like DEFT Linux, there are several categories in the menu, as seen in the following screenshot, with several of the more popular tools used in open source forensics. Besides the categories, there are direct links to some of the more well-known tools, such as Guymager and Autopsy, which will both be covered in detail in later chapters:

For a full list of the features and packages included in CAINE at the time of this publishing, please visit the following link:

http://www.caine-live.net/page11/page11.html

Finally, we get to this lovely gem, Kali Linux, fully discussed in detail from its installation to advanced forensics usage in the next chapter and throughout this book.

• Homepage: https://www.kali.org/
• Based on: Debian
• Distribution type: Penetration testing, forensics, and anti-forensics

Kali Linux was created as a penetration testing or pen-testing distro under the name BackTrack, which then evolved into Kali Linux, in 2015. This powerful tool is the definite tool of choice for penetration testers and security enthusiasts worldwide. As a Certified EC-Council Instructor (CEI) for the Certified Ethical Hacker (CEH) course, this operating system is usually the star of the class due to its many impressive bundled security programs, ranging from scanning and reconnaissance tools to advanced exploitation tools and reporting tools.

Like the above-mentioned tools, Kali Linux can be used as a live response forensic tool, as it contains many of the tools required for full investigations. Kali, however, can also be used as a complete operating system, as it can be fully installed to a hard disk or flash drive and also contains several tools for productivity and entertainment. It comes with many of the required drivers for successful use of hardware, graphics, and networking, and also runs smoothly on both 32 bit and 64 bit systems with minimal resources; it can also be installed on certain mobile devices, such as Nexus and OnePlus phones and tablets.

Adding to its versatility, upon booting from a live CD/DVD or flash drive, the investigator has several options to choose from, including Live (forensic mode), which leaves the evidence drive intact and does not tamper with it by also disabling any auto-mounting of flash drives and other storage media, providing for integrity of the original evidence throughout the investigation.

When booting to Kali Linux from a DVD or flash drive, the user is first presented with options for a live environment and installation. Choosing the third option from the list carries us into Live (forensic mode), as seen in the following screenshot:

Once Kali Live (forensic mode) has booted, the investigator is presented with the exact same home screen as would be seen if using any of the GUIs in Kali, as shown in the following screenshot:

The Kali menu can be found at the top left corner by clicking on Applications. This brings the user to the menu listing which shows the forensics category lower down, as 11 - Forensics. The following screenshot gives an idea of some of the Forensic tools available in Kali that we'll be using later on in the book:

It should be noted that the tools listed are not the only tools available in Kali. There are several other tools that can be brought up via the Terminal, as we'll see in later chapters.

It's also noteworthy that, when it is in forensic mode, not only does Kali not tamper with the original evidence drive but also does not write data to the swap file, where important data that was recently accessed and stored in memory may reside.

The following screenshot shows another view of accessing the Forensic tools menu using the last icon in the list on the sidebar menu (resembling nine dots in a square formation):

For a full list of the features and packages included in the Kali Linux operating system at the time of this publishing, please visit the following link:

https://tools.kali.org/tools-listing

Out of the three forensic distros mentioned, Kali can operate as a live response forensic tool, but can also be used as a full operating system, just like Windows, Mac, and Android as it contains several built-in tools for productivity and everyday use. The fact that Kali can be installed to a hard disk means that several other tools can be downloaded and updated regularly, giving continuous access to all IT security and forensic tools, allowing the user to save progress as they use the tools and not have to worry too much about restarting their machine should they decide to use it as a full operating system.

Using these open source forensic operating systems, such as Kali, gives us a range of tools to choose from and work with. There exist many tools for performing the same tasks within each category in the distros. This is good, because our findings should be able to be replicated using different tools. This is especially good in instances where the investigator's work may be critiqued and the integrity of the case and evidence questioned and scrutinized; using multiple tools correctly will yield consistent results.

Preservation of evidence is of the utmost importance. Using commercial and open source tools correctly will yield results; however, for forensically sound results, it is sometimes best if more than one tool can be used and produce the same results.

Another reason to use multiple tools may simply be cost. Some of us may have a large budget to work with, while others may have a limited one or none at all. Commercial tools can be costly, especially due to research and development, testing, advertising, and other factors. Open source tools, while tested by the community, may not have the available resources and funding as with commercial tools.

So then, how do we know which tools to choose?

Digital forensics is often quite time-consuming, which is one of the reasons you may wish to work with multiple forensic copies of the evidence. This way you can use different tools simultaneously in an effort to speed up the investigation. While fast tools may be a good thing, we should also question the reliability and accuracy of the tools.

The National Institute of Standards and Technology (NIST) has developed a Computer Forensics Tool Testing (CFTT) program that tests digital forensic tools and makes all findings available to the public. Several tools are chosen based on their specific abilities and placed into testing categories such as disk imaging, carving, and file recovery. Each category has a formal test plan and strategy for testing along with a validation report, again available to the public.

More on the CFTT program can be found at https://www.cftt.nist.gov/disk_imaging.htm. Testing and validation reports on many of the tools covered in this book can be found at https://www.dhs.gov/science-and-technology/nist-cftt-reports.

To re-enforce the importance of using multiple tools in maintaining the integrity of your investigations and findings, multiple tools will be demonstrated in the third and fourth sections of this book.

As much as we would like the tasks involved in digital forensics to be as easy as possible, we do encounter situations which make investigations, and life as a forensics investigator, not-so-simple and sometimes stressful. People wishing to hide information, cover their tracks, and even those who have malicious intent or actually participate in cyber crimes often employ various methods to try to foil the attempts of forensic investigators with the hope of hampering or halting investigations.

Within somewhat recent times we've seen several major digital breaches online, especially from 2011 onward. Many of these attacks allegedly came from, or were claimed to be the work of, infamous hacker groups such as LulzSec, Anonymous, Lizard Squad, and many others, including individuals and Hacktivists (people that hack for a specific cause or reason and are less concerned about doing time in prison). Some of these hacks and attacks not only brought down several major networks and agencies, but also cost millions in damage, directly and indirectly; as a result, the loss of public confidence in the companies contributed to further increases in damages.

These daring, creative, and public attacks saw the emergence of many other new groups that learned from the mistakes of past breaches of Anonymous and others. Both social media and underground communication channels soon became the easiest forms of communication between like-minded hackers and hacktivists. With the internet and World Wide Web becoming easily accessible, this also saw the competition not only between IPs, but also private companies and corporations, which lead to the creation of free wireless hotspots on almost every street with businesses, small or large.

The result of having internet access at just about every coffee shop enabled anyone with a smartphone, tablet, laptop, or other devices to acquire almost unauthenticated access to the internet. This gave them access to hacker sites and portals, along with the ability to download tools, upload malware, send infected emails, or even carry out attacks.

Adding to this scenario is the availability of more user-friendly tools to aid in the masking of Publicly Identifiable Information (PII), or any information that would aid in the discovery of unveiling suspects involved in cyber-crimes during forensic investigations. Tools used for encryption of data and anonymity, such as masking of IP addresses, are readily and easily available to anyone, most of which were and are increasingly more and more user-friendly.

It should also be noted that many Wi-Fi hotspots themselves can be quite dangerous, as these can be easily set up to intercept personal data, such as login and password information together with PII (such as social security numbers, date of birth info, and phone numbers) from any user that may connect to the Wi-Fi and enter such information.

The process of encryption provides confidentiality between communication parties and uses technology in very much the same way we use locks and keys to safeguard our personal and private belongings. For a lock to open, there must be a specific matching key. So too, in the digital world, data is encrypted or locked using an encryption algorithm and must use either the same key to decrypt or unlock the data. There also exists another scenario where one key may be used to encrypt or lock the data and another used to decrypt the data. Two such very popular encryption tools are TrueCrypt and VeraCrypt.

These two encryption tools use very high encryption methods that keep data very confidential. The main barrier to forensics may be acquiring the decryption key to decrypt or unlock access to the data.

Encryption, in particular, can make investigations rather difficult, but there is also the concept of anonymity which adds to the complexity of maintaining an accuracy of the true sources found in investigations. Like encryption, there exist several free and open source tools for all operating system platforms, such as Windows, Mac, Linux, and Android, which attempt and most often successfully mask the hiding of someone's digital footprint. This digital footprint usually identifies a device by its IP address and MAC (Media Access Control) address. Without going into the network aspect of things, these two digital addresses can be compared to a person's full name and home address, respectively.

Even though a person's IP address can change according to their private network (home and work) and public network (internet) access, the MAC address remains the same. However, various tools are also freely available to spoof or fake one's IP and MAC addresses for the purpose of privacy and anonymity. Adding to that, users can use a system of routing their data through online servers and devices to make the tracing of the source of the sent data quite difficult. This system is referred to as proxy chaining and does keep some of the user's identity hidden.

A good example of this would be the Tor browser; it uses onion routing and several proxies worldwide to route or passes the data along from proxy to proxy, making the tracing of the source very difficult, but not impossible. You can think of proxy chains as a relay race, but instead of having four people, one passing the baton to the next, the data is passed between hundreds of proxy devices, worldwide.

Congratulations! You made it to the end of the first chapter. Before we jump into the second chapter, let's have a look at what was just covered.

We saw that digital forensics is still a relatively new field, although forensic science has been around for a very long time, as far back as the early 1900s. Although digital forensics may have only been on the scene since the early 2000s, as a science, we have certain best practices, procedures, and standards, such as those created by the ACPO and SWGDE, to adhere to. These maintain accuracy and the integrity of both the findings and the actual evidence when carrying out investigations, whether as an amateur or professional Digital Forensic Investigator.

Some of the commercial tools mentioned were EnCase, FTK, and Magnet Forensics. Many of the open source tools available are made for Linux-based distributions and can be downloaded individually, but many are readily and easily available within certain Forensic and Security Operating Systems or distributions. Some of these distros are DEFT Linux, CAINE, and of course, Kali Linux; all of these are freely available for download at the links provided.

I hope this introduction to digital forensics was informative and fun for you. Now that we've gotten a foundation of forensics, let's go deeper into Kali Linux as we learn how to download, install and update Kali in Chapter 2, Installing Kali Linux. See you on the next page.