First Responders Guide to Computer Forensics: Advanced Topics

Abstract

First Responders Guide to Computer Forensics: Advanced Topics expands on the technical material presented in SEI handbook CMU/SEI-2005-HB-001, First Responders Guide to Computer Forensics [Nolan 05]. While the latter presented techniques for forensically sound collection of data and reviewed the fundamentals of admissibility pertaining to electronic files, this handbook focuses exclusively on more advanced technical operations like process characterization and spoofed email. It is designed for experienced security and network professionals who already have a fundamental understanding of forensic methodology. Therefore, emphasis is placed on technical procedures and not forensic methodology.

The first module focuses on log file analysis as well as exploring techniques for using common analysis tools such as Swatch and Log Parser. The second module focuses on advanced techniques for process characterization, analysis, and volatile data recovery. The third module demonstrates advanced usage of the dd command-line utility. Topics include how to slice an image and reassemble it with dd, carving out a section of data with dd, and imaging a running process with dd. The fourth and final module examines spoofed email messages. This module looks at the RFCs for email, describes how email messages are spoofed, and presents some techniques for identifying and tracing spoofed email.

Our focus is to provide system and network administrators with advanced methodologies, tools, and procedures for applying sound computer forensics best practices when performing routine log file reviews, network alert verifications, and other routine interactions with systems and networks. The final goal is to create trained system and network professionals who are able to understand the fundamentals of computer forensics so that in the normal course of their duties they can safely preserve technical information related to network alerts and other security issues.

Document Details

Document Type
Technical Report
Publication Date
Sep 01, 2005
Accession Number
ADA443137

Entities

People

  • Cal Waits
  • Elizabeth Schweinsberg
  • Jake Branson
  • Josh Hammerstein
  • Kris Rush
  • Marie Baker
  • Richard Nolan

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Application Protocols
  • Application Software
  • Authentication
  • Basic Programming Language
  • Computational Forensics
  • Computer Network Security
  • Computer Programming
  • Computer Programs
  • Computers
  • Cybersecurity
  • Electronic Mail
  • First Responders
  • Graphical User Interface
  • Operating Systems
  • Security
  • Shell Scripts
  • Websites

Fields of Study

  • Computer science

Readers

  • Agent-Based Social Robotics and Mobile-Assisted Learning in Virtual Environments.
  • Cybersecurity.
  • Instructional Design and Training Evaluation.

Technology Areas

  • Microelectronics