Digital Forensics with Kali Linux - Packt


Below is an outline of the eBook “Digital Forensics with Kali Linux” by Packt. If you are a member, you can log into the Library and view it in your browser using the email address you signed up with. P.S. Only members can successfully log in.




1. Introduction to Digital Forensics

What is digital forensics?
Digital forensics methodology
A brief history of digital forensics
The need for digital forensics as technology advances
Commercial tools available in the field of digital forensics
Operating systems and open source tools for digital forensics
Digital evidence and forensics toolkit Linux
Computer Aided INvestigative Environment
Kali Linux
The need for multiple forensics tools in digital investigations
Anti-forensics: threats to digital forensics
Online and offline anonymity


2. Installing Kali Linux

Software version
Downloading Kali Linux
Installing Kali Linux
Installing Kali Linux in VirtualBox
Preparing the Kali Linux virtual machine
Installing Kali Linux on the virtual machine
Partitioning the disk
Exploring Kali Linux


3. Understanding Filesystems and Storage Media

Storage media
IBM and the history of storage media
Removable storage media
Magnetic tape drives
Floppy disks
Evolution of the floppy disk
Optical storage media
Compact disks
Digital versatile disks
Blu-ray disk
Flash storage media
USB flash drives
Flash memory cards
Hard disk drives
Solid-state drives
Filesystems and operating systems
What about the data?
Data states
Slack space
Data volatility
The paging file and its importance in digital forensics


4. Incident Response and Data Acquisition

Digital evidence acquisitions and procedures
Incident response and first responders
Documentation and evidence collection
Physical evidence collection and preservation
Physical acquisition tools
Order of volatility
Chain of Custody
Powered-on versus powered-off device acquisition
Powered-on devices
Powered-off devices
Write blocking
Data imaging and hashing
Message Digest (MD5) hash
Secure Hashing Algorithm (SHA)
Device and data acquisition guidelines and best practices


5. Evidence Acquisition and Preservation with DC3DD and Guymager

Drive and partition recognition in Linux
Device identification using the fdisk command
Maintaining evidence integrity
Using DC3DD in Kali Linux
File-splitting using DC3DD
Verifying hashes of split image files
Erasing a drive using DC3DD
Image acquisition using Guymager
Running Guymager
Acquiring evidence with Guymager
Hash verification


6. File Recovery and Data Carving with Foremost, Scalpel, and Bulk Extractor

Forensic test images used in Foremost and Scalpel
Using Foremost for file recovery and data carving
Viewing Foremost results
Using Scalpel for data carving
Specifying file types in Scalpel
Using Scalpel for file carving
Viewing results of Scalpel
Comparing Foremost and Scalpel
Forensic test image for Bulk_extractor
Using Bulk_extractor
Viewing results of Bulk_extractor


7. Memory Forensics with Volatility

About the Volatility Framework
Downloading test images for use with Volatility
Image location
Using Volatility in Kali Linux
Choosing a profile in Volatility
The imageinfo plugin
Process identification and analysis
The pslist command
The pstree command
The psscan command
The psxview plugin
Analyzing network services and connections
The connections command
The connscan command
The sockets plugin
DLL analysis
The verinfo command
The dlllist plugin
The getsids command
Registry analysis
The hivescan plugin
The hivelist plugin
Password dumping
Timeline of events
The timeliner plugin
Malware analysis


8. Autopsy – The Sleuth Kit

Introduction to Autopsy – The Sleuth Kit
Sample image file used in Autopsy
Digital forensics with Autopsy
Starting Autopsy
Creating a new case
Analysis using Autopsy
Sorting files
Reopening cases in Autopsy


9. Network and Internet Capture Analysis with Xplico

Software required
Starting Xplico in Kali Linux
Starting Xplico in DEFT Linux 8.2
Packet capture analysis using Xplico
HTTP and web analysis using Xplico
VoIP analysis using Xplico
Email analysis using Xplico
SMTP exercise using Wireshark sample file


10. Revealing Evidence Using DFF

Installing DFF
Starting the DFF GUI
Recovering deleted files with DFF
File analysis with DFF



Next steps:

This article was contributed by Jason Jacobs from Guyana. Jason is a member of the Caribbean CSPA. 
