Take your forensic abilities and investigation skills to the next level using powerful tools that cater to all aspects of digital forensic investigations, right from hashing to reporting
Key Features
Book Description
Kali Linux is a Linux-based distribution that's widely used for penetration testing and digital forensics. It has a wide range of tools to help for digital forensics investigations and incident response mechanisms.
This updated second edition of Digital Forensics with Kali Linux covers the latest version of Kali Linux and The Sleuth Kit. You'll get to grips with modern techniques for analysis, extraction, and reporting using advanced tools such as FTK Imager, hex editor, and Axiom. Updated to cover digital forensics basics and advancements in the world of modern forensics, this book will also delve into the domain of operating systems. Progressing through the chapters, you'll explore various formats for file storage, including secret hiding places unseen by the end user or even the operating system. The book will also show you how to create forensic images of data and maintain integrity using hashing tools. Finally, you'll cover advanced topics such as autopsies and acquiring investigation data from networks, operating system memory, and quantum cryptography.
By the end of this book, you'll have gained hands-on experience of implementing all the pillars of digital forensics: acquisition, extraction, analysis, and presentation, all using Kali Linux tools.
What you will learn
Who this book is for
This Kali Linux book is for forensics and digital investigators, security analysts, or anyone interested in learning digital forensics using Kali Linux. Basic knowledge of Kali Linux will be helpful to gain a better understanding of the concepts covered.
You can read the e-book in Legimi apps or in any app that supports the following format:
Page count: 268
Year of publication: 2020
Perform data acquisition, data recovery, network forensics, and malware analysis with Kali Linux
Shiva V. N. Parasram
BIRMINGHAM—MUMBAI
Copyright © 2020 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Ankita Darad
Senior Editor: Arun Nadar
Content Development Editor: Pratik Andrade
Technical Editor: Sarvesh Jaywant
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Jyoti Chauhan
First published: December 2017
Second Edition: April 2020
Production reference: 1160420
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-83864-080-4
www.packt.com
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Shiva V. N. Parasram is the Executive Director and CISO of the Computer Forensics and Security Institute, which specializes in penetration testing, forensics, and advanced cybersecurity training. As the only Certified EC-Council Instructor (CEI) in the Caribbean, he has also trained hundreds in CCNA, CND, CEH, CHFI, ECSA, and CCISO, among other certifications. He has partnered with international companies including Fujitsu (Trinidad) and Take It To The Top LLC as the lead trainer for advanced cybersecurity courses. Shiva is also the author of two other books from Packt Publishing and has delivered workshops, lectures, and keynote speeches regionally for ISACA, universities, law associations, and other institutions.
I'd like to thank all the loving and amazing people in my life: my guru, Pundit Hardeo Persad; my brave mom and patient dad; my beautiful wife, bestie, and biggest supporter, Savi Parasram aka Pinky Mittens aka Cuddles Kapoor (love you, babe). The NAFAD boys and the always entertaining gentlemen at the TDP group. My good friend, Beth Montoya; all my students at CFSI; Mr. Bepnesh Goolcharran; and of course, my furry little love, Bindi. Love you all.
Alex Samm has over 11 years' experience in the IT field, holding a B.Sc. in computer science from the University of Hertfordshire, England. His experience includes EUC support, Linux and UNIX, server and network administration, and security, among others.
He currently works at EY Trinidad and Tobago and lectures at the Computer Forensics and Security Institute on IT security courses, including ethical hacking and penetration testing.
Alex co-authored Kali Linux 2018: Assuring Security by Penetration Testing (Fourth Edition), and reviewed Digital Forensics with Kali Linux (First Edition) by Shiva V.N. Parasram, all from Packt Publishing.
I'd like to thank my parents, Roderick and Marcia, for their continued support; Shiva and Savi for their guidance and support; and all my past and present students. Cheers!
Dale Joseph is a digital forensic expert with over 12 years' experience in high-technology investigations. He has over 21 years' Law Enforcement Investigative experience and has been involved in numerous technology-based projects. Dale is currently the Cybercrime Policy Specialist at CARICOM (Caribbean Community).
His areas of expertise are wireless and VOIP Investigations, investigative scripting, OSINT, cryptocurrency, deep and dark web investigations, network, computer, live data, mobile and malware forensics.
Dale is also a certified Digital Forensics Trainer and has conducted several workshops/seminars that have trained members of law enforcement, the private sector, and Government entities.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
In this second edition of this book, you'll find that the theory and methodologies have remained mostly the same, as the procedures and documentation are standard throughout the field; however, you'll find that the technical chapters contain new labs using new examples. I've also decided to include two completely new chapters that go into artifact analysis and network analysis, showcasing several tools with practicals that even beginners will find easy to follow. As much as we try to secure our data, systems, and networks to the best of our abilities, breaches occur. In an effort to understand what took place, we turn to the field of digital forensics. Although still a relatively new field, forensics has become just as important as security, especially considering the wealth of information available to anyone accessing the internet with the intent of carrying out malicious activity. Thankfully, digital fingerprints and artifacts are sometimes left behind, whether in a deleted or hidden file, an email, in someone's browsing history, a remote connection list, or even a mobile text message.
This book caters to beginners and digital forensics novices, as the first five chapters serve to get the reader acquainted with the technologies used and also guide the reader through setting up Kali Linux before delving into forensic analysis and investigations.
Chapter 1, Introduction to Digital Forensics, introduces the reader to the world of digital forensics and forensic methodology, and also introduces the reader to various forensic operating systems.
Chapter 2, Installing Kali Linux, covers the various methods that can be used to install Kali Linux as a virtual machine or as a standalone operating system, which can also be run from a flash drive or SD card.
Chapter 3, Understanding Filesystems and Storage Media, dives into the realm of operating systems and the various formats for file storage, including secret hiding places not seen by the end user or even the operating system. We also inspect data about data, known as metadata, and look at its volatility.
Chapter 4, Incident Response and Data Acquisition, asks what happens when an incident is reported or detected? Who are the first responders and what are the procedures for maintaining the integrity of the evidence? In this chapter, we look at best practices and procedures in data acquisition and evidence collection.
Chapter 5, Evidence Acquisition and Preservation with dc3dd and Guymager, helps you to harness the power of DC3DD to acquire evidence, calculate and verify hashes, split images, and even forensically erase media. We'll also look at the Guymager GUI interface to acquire evidence and introduce Windows imaging tools such as FTK Imager and Belkasoft RAM Capturer.
Chapter 6, File Recovery and Data Carving with foremost, Scalpel, and bulk_extractor, covers tools that demonstrate that deleted data can be recovered using various file-carving methods.
Chapter 7, Memory Forensics with Volatility, demonstrates the importance of preserving volatile evidence such as the contents of the RAM and the paging file. Using Volatility and Evolve, we will identify and analyze running processes and network connections, and identify existing malware.
Chapter 8, Artifact Analysis, deals with tools that we can use to identify systems, processes, passwords, emails, and other artifacts that are useful to any investigator. We also perform artifact analysis of the WannaCry ransomware.
Chapter 9, Autopsy, The Sleuth Kit, revisits Autopsy (with new labs), which is recognized as one of the very few available tools to rival commercial forensic tools. This powerful tool takes forensic abilities and investigations to a professional level, catering for all aspects of full digital forensics investigations from hashing to reporting.
Chapter 10, Analysis with Xplico, investigates and analyzes captured network and internet traffic using this powerful tool.
Chapter 11, Network Analysis, continues with network artifact analysis by demonstrating how to create packet captures with Wireshark, and then quickly moves into automated analysis using offline and online tools such as Network Miner, PcapXray, and PacketTotal.
Knowledge of networks, protocols, and the OSI and TCP/IP models may prove to be an asset.
If you are using the digital version of this book, we advise you to type the code yourself or access the code via the GitHub repository (link available in the next section). Doing so will help you avoid any potential errors related to copy/pasting of code.
You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
1. Log in or register at www.packt.com.
2. Select the Support tab.
3. Click on Code Downloads.
4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

- WinRAR/7-Zip for Windows
- Zipeg/iZip/UnRarX for Mac
- 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Digital-Forensics-with-Kali-Linux-Second-Edition. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it from https://static.packt-cdn.com/downloads/9781838640804_ColorImages.pdf.
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "In this example, we have specified the 11-carve-fat.dd file located on the desktop."
Any command-line input or output is written as follows:
$ volatility -f 0zapftis.vmem imageinfo
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "To begin our Kali Linux installation, click on the Kali Large 2019.3 entry to the left of the screen."
Tips or important notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
In our first section, we cover the fundamentals of digital forensics, various operating systems used in forensics, and repositories for forensics tools, and jump right into Kali Linux 2019.3. We'll also look at the various methods for installing Kali Linux on physical, virtual, and portable devices, and the various modes within Kali Linux.
This part comprises the following chapters:
- Chapter 1, Introduction to Digital Forensics
- Chapter 2, Installing Kali Linux

Welcome to the second edition of Digital Forensics with Kali Linux. For those of you who may have purchased the first edition, the practical aspects of this book have been updated with new labs, and there are several new tools (with labs) for us to explore in this updated edition, starting with Chapter 2, Installing Kali Linux, where we will set up the latest version of Kali Linux (2019.3). For readers new to this book, I recommend starting here from the first chapter.
Digital forensics has had my attention for well over 13 years. Ever since I was given my first PC (thanks, Mom and Dad), I've always wondered what happened when I deleted my files from my massively large 2-gigabyte (GB) hard drive or moved (and, most times, hid) my files to a less-than-inconspicuous 3.5-inch floppy diskette that maxed out at 1.44 megabytes (MB) in capacity.
As I soon learned, hard disk drives and floppy disk drives did not possess the digital immortality I so confidently believed in. Sadly, many files, documents, and priceless fine art created in Microsoft Paint by yours truly were lost to the digital afterlife, never to be retrieved again. Sigh. The world will never know.
It wasn't until years later that I came across an article on file recovery and associated tools while browsing the magical World Wide Web (WWW) on my lightning-fast 42-kilobits-per-second (Kbps) dial-up internet connection (made possible by my very expensive USRobotics dial-up modem, which sang the tune of the technology gods every time I'd try to connect to the realm of the internet). This process involved a stealthy ninja-like skill that would make even a black-ops team envious, as it involved doing so without my parents noticing, as this would prevent them from using the telephone line to make or receive phone calls. (Apologies, dear Mother, Father, and older teenage sister.)
The previous article on data recovery wasn't anywhere near as detailed and fact-filled as the many great peer-reviewed papers, journals, and books on digital forensics widely available today. As a total novice (also referred to as a noob) in the field, I did learn a great deal about the basics of filesystems, data and metadata, storage measurements, and the workings of various storage media.
It was at this time that, even though I had read about the Linux operating system and its various distributions, I began to get an understanding of why Linux distributions were popular in data recovery and forensics.
At this time, I managed to bravely download the Auditor and Slax Linux distributions, again on a dial-up connection. Just downloading these operating systems was quite a feat, and it left me feeling highly accomplished as I did not have any clue as to how to install them, let alone actually use them. In those days, easy installation and graphical user interfaces (GUIs) were still under heavy development, as user friendly—or, in my case, user unfriendly—as they were at the time (mostly due to my inexperience, lack of recommended hardware, and, also, a lack of resources such as online forums, blogs, and YouTube, which I did not yet know about). I'll explain more about the Auditor and Slax operating systems in Chapter 2, Installing Kali Linux, including their role in the infamous BackTrack, and now Kali Linux, operating systems.
As time passed, I researched many tools found on various platforms for Windows, Macintosh, and many Linux distributions. I found that many of the tools used in digital forensics could be installed in various Linux distributions or flavors, and many of these tools were well maintained, constantly being developed, and were widely accepted by peers in the field. Kali Linux is a Linux distribution or flavor, but before we go any further, let me explain this concept. Consider your favorite beverage: this beverage can come in many flavors, some without sweeteners or sugar, in different colors, and even in various sizes. No matter what the variations, it's still the basic ingredients that comprise the beverage at the core. In this way, too, we have Linux, and then different types and varieties of Linux. Some of the more popular Linux distributions and flavors include Parrot OS, Computer Aided INvestigative Environment (CAINE), Red Hat, CentOS, Ubuntu, Mint, Knoppix, and, of course, Kali Linux. Kali Linux will be discussed further in Chapter 2, Installing Kali Linux.
For this book, we take a very structured approach to digital forensics, as we would in forensic science. We first stroll into the world of digital forensics, its history, and some of the tools and operating systems used for forensics, and immediately introduce you to the concepts involved in evidence preservation. As far as international best practices and guidelines go, I'd recommend reading up on the Council of Europe's Budapest Convention on Cybercrime (https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016800cce5b) and the Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence (https://www.digital-detective.net/digital-forensics-documents/ACPO_Good_Practice_Guide_for_Digital_Evidence_v5.pdf) to get a better understanding of international frameworks and digital forensics best practices.
How about we kick things off? Let's get started!
This chapter gives an introduction to the various aspects of the science of digital forensics. The topics we are going to cover in this chapter are as follows:
- What is digital forensics?
- Digital forensics methodology
- A brief history of digital forensics
- The need for digital forensics as technology advances
- Operating systems and open source tools for digital forensics
- The need for multiple forensics tools in digital investigations
- Commercial forensics tools
- Anti-forensics – threats to digital forensics

The first thing I'd like to cover in this chapter is an understanding of digital forensics and its proper practices and procedures. At some point, you may have come across several books, blogs, and even videos demonstrating various aspects of digital forensics and the different tools used. It is of great importance to understand that forensics itself is a science, involving very well-documented best practices and methods in an effort to reveal whether something exists.
Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence identified from various storage media types. It is not only limited to laptops, desktops, tablets, and mobile devices, but also extends to data in transit that is transmitted across public or private networks.
In some cases, digital forensics involves the discovery and/or recovery of data using various methods and tools available to the investigator. Digital forensics investigations include, but are not limited to, the following:
- Data recovery: Investigating and recovering data that may have been deleted, changed to different file extensions, or even hidden.
- Identity theft: Many fraudulent activities, ranging from stolen credit card usage to fake social media profiles, usually involve some sort of identity theft.
- Malware and ransomware investigations: To date, ransomware spread by Trojans and worms across networks and the internet is one of the biggest threats to companies, military organizations, and individuals. Malware can also be spread to, and by, mobile devices and smart devices.
- Network and internet investigations: Investigating Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks, and tracking down accessed devices, including printers and files.
- Email investigations: Investigating the email header, message IDs, source and Internet Protocol (IP) origins; attached content and geolocation information can all be investigated, especially if there is a business email compromise (BEC).
- Corporate espionage: Many companies are moving away from print copies and toward cloud and traditional disk media. As such, a digital footprint is always left behind should sensitive information be accessed or transmitted.
- Child pornography investigations: Sadly, the reality is that children are widely exploited on the internet and within the deep web. With the use of technology and highly skilled forensic analysts, investigations can be carried out to bring down exploitation rings by analyzing internet traffic, browser history, payment transactions, email records, and images.

Keeping in mind that forensics is a science, digital forensics requires appropriate best practices and procedures to be followed in an effort to produce the same results time and time again, providing proof of evidence, preservation, and integrity that can be replicated, if called upon to do so.
Although many people may not be performing digital forensics to be used as evidence in a court of law, it is best to practice in such a way as can be accepted and presented in a court of law. The main purpose of adhering to best practices set by organizations specializing in digital forensics and incident response is to maintain the integrity of the evidence for the duration of the investigation. In the event that the investigator's work must be scrutinized and critiqued by another or an opposing party, the results found by the investigator must be able to be recreated, thereby proving the integrity of the investigation. The purpose of this is to ensure that your methods can be repeated and, if dissected or scrutinized, produce the same results time and again. The methodology used, including the procedures and findings of your investigation, should always allow for the maintenance of the data's integrity, regardless of which tools are used.
The best practices demonstrated in this book ensure that the original evidence is not tampered with, or, in cases of investigating devices and data in a live or production environment, show well-documented proof that necessary steps were taken during the investigation to avoid unnecessary tampering of the evidence, thereby preserving the integrity of the evidence. For those completely new to investigations, I recommend familiarizing yourself with some of the various practices and methodologies available and widely practiced by the professional community.
As such, there exist several guidelines and methodologies that you should adopt, or at least follow, to ensure that examinations and investigations are forensically sound.
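The repeatability requirement described above is, in practice, a recorded hash that any later examiner can recompute and compare. The following is an added example (not code from the book or from any tool it describes) of an acquisition manifest: the image is hashed when acquired, the digests are saved alongside case details, and a later verification step reports exactly which recorded value no longer matches. The manifest layout, the case identifier, and the sample image file are all constructed for this example.

```python
"""Evidence-integrity manifest: hash at acquisition, verify later.

Added example, not from the book. The manifest layout and file names are
assumptions chosen for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read images in 1 MiB blocks; never load a disk image whole


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, computed in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(image_path, case_id, examiner):
    """Build the manifest entry written at acquisition time."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(image_path),
    }


def verify_acquisition(image_path, entry):
    """Recompute every recorded hash and report which ones no longer match.

    Returns (ok, mismatches). The size is checked first because a truncated
    or grown image is the cheapest tamper indicator; hash mismatches are
    listed by algorithm so the report names exactly what failed.
    """
    mismatches = []
    if os.path.getsize(image_path) != entry["size_bytes"]:
        mismatches.append("size_bytes")
    current = hash_file(image_path, tuple(entry["hashes"]))
    for name, expected in entry["hashes"].items():
        if current[name] != expected:
            mismatches.append(name)
    return (not mismatches, mismatches)


def demo():
    """Constructed sample: a small fake image, verified intact, then altered."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence01.dd")
        with open(image, "wb") as fh:  # constructed 4 KiB stand-in for a disk image
            fh.write(b"KALI" * 1024)

        entry = record_acquisition(image, case_id="CASE-0001", examiner="analyst")
        manifest = os.path.join(workdir, "evidence01.manifest.json")
        with open(manifest, "w") as fh:
            json.dump(entry, fh, indent=2)

        with open(manifest) as fh:  # reload as a later examiner would
            saved = json.load(fh)
        intact, _ = verify_acquisition(image, saved)

        # Flip one byte: the size is unchanged, so only the hashes catch it.
        with open(image, "r+b") as fh:
            fh.seek(2048)
            fh.write(b"X")
        altered, failed = verify_acquisition(image, saved)
        return {"intact": intact, "altered": altered, "failed": failed}


if __name__ == "__main__":
    print(demo())
```

Recording more than one digest (here MD5 and SHA-256) mirrors what imaging tools such as dc3dd and Guymager do, so a manifest produced by this script can be checked against their logs.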
The three best practices documents mentioned in this chapter are as follows:
- The ACPO Good Practice Guide for Digital Evidence
- The Scientific Working Group on Digital Evidence's (SWGDE) Best Practices for Computer Forensics
- The Budapest Convention on Cybercrime (CETS No. 185)

Although written in 2012, ACPO, now functioning as the National Police Chiefs' Council (NPCC), put forth a document in a PDF file called the ACPO Good Practice Guide for Digital Evidence regarding best practices when carrying out digital forensics investigations, particularly focusing on evidence acquisition. The ACPO Good Practice Guide for Digital Evidence was then adopted and adhered to by law enforcement agencies in England, Wales, and Northern Ireland, and can be downloaded in its entirety at https://www.npcc.police.uk/documents/FoI%20publication/Disclosure%20Logs/Information%20Management%20FOI/2013/031%2013%20Att%2001%20of%201%20ACPO%20Good%20Practice%20Guide%20for%20Digital%20Evidence%20March%202012.pdf.
Another useful and more recent document, produced in September 2014, on best practices in digital forensics was issued by the SWGDE. The SWGDE was founded in 1998 by the Federal Crime Laboratory Directors Group, with major members and contributors including the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), National Aeronautics and Space Administration (NASA), and the Department of Defense (DoD) Computer Forensics Laboratory. Though this document details procedures and practices within a formal computer forensics laboratory setting, the practices can still be applied to non-laboratory investigations by those not currently in, or with access to, such an environment.
The SWGDE's Best Practices for Computer Forensics sheds light on many of the topics covered in the following chapters, including the following:
- Evidence collection and acquisition
- Investigating devices that are powered on and off
- Evidence handling
- Analysis and reporting

The SWGDE's Best Practices for Computer Forensics Acquisitions (April 2018) can be viewed and downloaded directly from here: https://www.swgde.org/documents/Current%20Documents/SWGDE%20Best%20Practices%20for%20Computer%20Forensic%20Acquisitions
Important note
The SWGDE has a collection of 78 documents (at the time of this publication) that detail the best practices of evidence acquisition, collection, authentication, and examination, which can all be found at https://www.swgde.org/documents/Current%20Documents/SWGDE%20Best%20Practices%20for%20Compu%20ter%20Forensics.
Although forensic science itself (including the first recorded fingerprints) has been around for over 100 years, digital forensics is a much younger field as it relates to the digital world, which mainly gained popularity after the introduction of personal computers in the 1980s.
For comparative purposes in trying to grasp the concept of digital forensics as still being relatively new, consider that the first actual forensic sciences lab was developed by the FBI in 1932.
Some of the first tools used in digital forensic investigations were developed in FBI labs circa 1984, with forensic investigations being spearheaded by the FBI's specialized Computer Analysis and Response Team (CART), which was responsible for aiding in digital investigations.
Digital forensics as its own field grew substantially in the 1990s, with the collaboration of several law enforcement agencies and heads of divisions working together and even meeting regularly to bring their expertise to the table.
One of the earliest formal conferences was hosted by the FBI in 1993. The main focus of the event, called the International Law Enforcement Conference on Computer Evidence, was to address the need for formal standards and procedures with digital forensics and evidence acquisition.
Many of these conferences resulted in the formation of bodies that deal with digital forensics standards and best practices. For example, the SWGDE was formed by the Federal Crime Laboratory Directors in 1998. The SWGDE was responsible for producing the widely adopted best practices for computer evidence (discussed later in this chapter). The SWGDE also collaborated with other organizations, such as the very popular American Society of Crime Laboratory Directors (ASCLD), which was formed in 1973 and has since been instrumental in the ongoing development of best practices, procedures, and training as it relates to forensic science.
It wasn't until the early 2000s, however, that a formal Regional Computer Forensic Laboratory (RCFL) was established by the FBI. In 2002, the National Program Office (NPO) was established; it acts as a central body, essentially coordinating and supporting efforts between the RCFLs and law enforcement.
Since then, we've seen several agencies, such as the FBI, Central Intelligence Agency (CIA), National Security Agency (NSA), and Government Communications Headquarters (GCHQ), each with their own full cybercrime divisions, full digital forensics labs, and dedicated onsite and field agents, collaborating assiduously in an effort to take on tasks that may be nothing short of Sisyphean, when considering the rapid growth of technology and easier access to the internet and even the Dark Web.
In the Caribbean and Latin America, there have also been several developments where cybercrime and security are concerned. The Caribbean Community Implementation Agency for Crime and Security (CARICOM IMPACS) has been formally established and has published the CARICOM Cyber Security and Cybercrime Action Plan (CCSCAP), which seeks to address vulnerabilities within the CARICOM states and also provide guidelines for best practices that would aid in cybercrime detection and investigation. The CCSCAP can be downloaded at https://www.caricomimpacs.org/Portals/0/Project%20Documents/CCSAP.pdf.
