Practical Forensic Imaging: Securing Digital Evidence with Linux Tools

Book Description

Forensic image acquisition is an important part of postmortem incident response and evidence collection. Digital forensic investigators acquire, preserve, and manage digital evidence to support civil and criminal cases; examine organizational policy violations; resolve disputes; and analyze cyber attacks.

Practical Forensic Imaging takes a detailed look at how to secure and manage digital evidence using Linux-based command line tools. This essential guide walks you through the entire forensic acquisition process and covers a wide range of practical scenarios and situations related to the imaging of storage media.

You’ll learn how to:

• Perform forensic imaging of magnetic hard disks, SSDs and flash drives, optical discs, magnetic tapes, and legacy technologies
• Protect attached evidence media from accidental modification
• Manage large forensic image files, storage capacity, image format conversion, compression, splitting, duplication, secure transfer and storage, and secure disposal
• Preserve and verify evidence integrity with cryptographic and piecewise hashing, public key signatures, and RFC-3161 timestamping
• Work with newer drive and interface technologies like NVME, SATA Express, 4K-native sector drives, SSHDs, SAS, UASP/USB3x, and Thunderbolt
• Manage drive security such as ATA passwords; encrypted thumb drives; Opal self-encrypting drives; OS-encrypted drives using BitLocker, FileVault, and TrueCrypt; and others
• Acquire usable images from more complex or challenging situations such as RAID systems, virtual machine images, and damaged media

With its unique focus on digital forensic acquisition and evidence preservation, Practical Forensic Imaging is a valuable resource for experienced digital forensic investigators wanting to advance their Linux skills and experienced Linux administrators wanting to learn digital forensics. This is a must-have reference for every digital forensics lab.

Table of Contents

Chapter 0: Digital Forensics Overview
Chapter 1: Storage Media Overview
Chapter 2: Linux as a Forensic Acquisition Platform
Chapter 3: Forensic Image Formats
Chapter 4: Planning and Preparation
Chapter 5: Attaching Subject Media to an Acquisition Host
Chapter 6: Forensic Image Acquisition
Chapter 7: Forensic Image Management
Chapter 8: Special Image Access Topics
Chapter 9: Extracting Subsets of Forensic Images

中文：

书名：实用法医影像：使用Linux工具保护数字证据

法医图像采集是尸检事件应对和取证的重要组成部分。数字法医调查人员获取、保存和管理数字证据，以支持民事和刑事案件；审查违反组织政策的行为；解决纠纷；以及分析网络攻击。

实用法医影像学 详细介绍了如何使用基于Linux的命令行工具保护和管理数字证据。本基本指南将指导您完成整个取证获取过程，并涵盖与存储介质映像相关的各种实际场景和情况。

您将学习如何：

• 对磁盘、SSD和闪存驱动器、光盘、磁带和传统技术执行取证成像
• 保护附带的证据介质不会被意外修改
• 管理大型取证图像文件、存储容量、图像格式转换、压缩、拆分、复制、安全传输和存储以及安全处置
• 使用加密和分段散列、公钥签名和RFC-3161时间戳保护和验证证据的完整性
• 使用较新的驱动器和接口技术，如NVMe、SATA Express、4K本机扇区驱动器、SSHD、SAS、UASP/USB3x和迅雷
• 管理驱动器安全性，如ATA密码、加密拇指驱动器、Opal自加密驱动器、使用BitLocker、FileVault和TrueCrypt的操作系统加密驱动器等
• 从更复杂或更具挑战性的情况下获取可用的映像，例如RAID系统、虚拟机映像和损坏的介质

凭借其对数字法医采集和证据保存的独特关注， 实用法医影像学 对于想要提高他们的Linux技能的有经验的数字法医调查人员和想要学习数字取证的有经验的Linux管理员来说，是一个宝贵的资源。这是每个数字取证实验室的必备参考资料。

目录表

第0章：数字取证概述
第1章：存储介质概述
第2章：作为取证获取平台的Linux
第3章：取证图像格式
第四章：规划和准备
第5章：将主题媒体附加到采购方
第六章：取证图像采集
第7章：取证图像管理
第8章：特殊映像访问主题
第9章：法医图像子集提取