Big Data Forensics – Learning Hadoop Investigations

By Joe Sremack

Perform forensic investigations on Hadoop clusters with cutting-edge tools and techniques

About This Book

• Identify, collect, and analyze Hadoop evidence forensically
• Learn about Hadoop's internals and Big Data file storage concepts
• A step-by-step guide to help you perform forensic analysis using freely available tools

Who This Book Is For

This book is meant for statisticians and forensic analysts with basic knowledge of digital forensics. They do not need to know Big Data Forensics. If you are an IT professional, law enforcement professional, legal professional, or a student interested in Big Data and forensics, this book is the perfect hands-on guide for learning how to conduct Hadoop forensic investigations. Each topic and step in the forensic process is described in accessible language.

What You Will Learn

• Understand Hadoop internals and file storage
• Collect and analyze Hadoop forensic evidence
• Perform complex forensic analysis for fraud and other investigations
• Use state-of-the-art forensic tools
• Conduct interviews to identify Hadoop evidence
• Create compelling presentations of your forensic findings
• Understand how Big Data clusters operate
• Apply advanced forensic techniques in an investigation, including file carving, statistical analysis, and more

In Detail

Big Data forensics is an important type of digital investigation that involves the identification, collection, and analysis of large-scale Big Data systems. Hadoop is one of the most popular Big Data solutions, and forensically investigating a Hadoop cluster requires specialized tools and techniques. With the explosion of Big Data, forensic investigators need to be prepared to analyze the petabytes of data stored in Hadoop clusters. Understanding Hadoop's operational structure and performing forensic analysis with court-accepted tools and best practices will help you conduct a successful investigation.

Discover how to perform a complete forensic investigation of large-scale Hadoop clusters using the same tools and techniques employed by forensic experts. This book begins by taking you through the process of forensic investigation and the pitfalls to avoid. It will walk you through Hadoop's internals and architecture, and you will discover what types of information Hadoop stores and how to access that data. You will learn to identify Big Data evidence using techniques to survey a live system and interview witnesses. After setting up your own Hadoop system, you will collect evidence using techniques such as forensic imaging and application-based extractions. You will analyze Hadoop evidence using advanced tools and techniques to uncover events and statistical information. Finally, data visualization and evidence presentation techniques are covered to help you properly communicate your findings to any audience.

Style and approach

This book is a complete guide that follows every step of the forensic analysis process in detail. You will be guided through each key topic and step necessary to perform an investigation. Hands-on exercises are presented throughout the book, and technical reference guides and sample documents are included for real-world use.

• Language: English
• Publisher: Packt Publishing
• Release date: Aug 24, 2015
• ISBN: 9781785281211

Joe Sremack

Joe Sremack is a director at Berkeley Research Group, a global expert services firm. He conducts digital investigations and advises clients on complex data and investigative issues. He has worked on some of the largest civil litigation and corporate fraud investigations, including issues involving Ponzi schemes, stock option backdating, and mortgage-backed security fraud. He is a member of the Association of Certified Fraud Examiners and the Sedona Conference.

Book preview

���1^book_preview_excerpt.html�}�㶕��֦�J���k��u��=��gj?mA"$�M�l�|�V�v_b_c%Or��%Rd���~��#� pp��߁��>��k�Զ�|�V-��u��V���}}��� �vq���o��M�L5*{ak]9�r�?����+���T��;�[��^V��5f�c+̸�&�uw4��Z禙v��m�5[�]�����������z�����F�vy������v��u��M��"�O����ύ[ٶj��kz�"SU��D����m�k�nU�������֙Z��sٚ��+���-�[���Z�f�L���eK�c���3����*�s^b7��6ld�S|d���Y,��VD�lM�Z�&gn]cKz������ª"
\ق�oJ���6����6u��V��Ԩ�����yt��6�n��7$B{�l���6X;j�)��2� �T
۵ �!*�� �-��lW[f��g^����Y�y�(�j���Jg����z�bⓔ�D%�-1�<]��}kv%�or�=MZ����"���Hw��ZV�`�����������s�q�N!���Ԓ�3m���Eo.��q�^mMC<ђ���Z"�n�^�f��kݨO��3��C9��d�i{�=A�8��n۲T���y|��T��4D��O@�N2#*�:�����>c+vk���$�_����fIJ*�^���n�ѓnA21��lZ�^����O�J�3>����X[L?i�'i���&��Oq6��A(`��g�D��4��Qok�S�^�ͼ�ස�H�z�\�+Löq�����--O�@N���PV3�1�*�/���"��<��.E"�r�㼗%���Xk�W�͒��*����l�ͼ�ץ����N/���k��w�ʻj�,M��~ r�����^�g l�4w�Ԧ�̼s��ѦD�=�����g^Yl���J<�94yJ�b <ȣkb|S�g1��S�e�AQ�l]�dz�kf�7onWm9��vRvsoԒ6�L�XJq~2P��^E�q;s$��4�<���|�����Y���<��mꖩ�31��u�a��U7�ݴ0��.��%�#�b�_�(9���PP����e��d�y6 ��G)�1��|Q����^mɧ���f~x���(�̂ة�1Gg��"CU�)!0�V�Q�,�p�=�,pJ]��mtB�i��ً���f[�v�e��Rȑyك�������-�z����yy�`i3�-T��M��ֵ%�=��̈�����(�֔���Дk��y�,F6aǒ5σz�^�U�h)!�s��m^R/ w��n��p"$?�L�(HU����g��gC�x�#�+�YY�d�G-� ���nr�_[M;�(�'�����=a��^���3#�7�T���� 8���~�w��,�1q �&��cz����|j�PEd=53�,CRZP��0�s8a��SL�>����������'|�ݣ>L~j�W�B�����>���_��QZQ�>N$;NM���B��:�_/�]S$W����&�{�똦���|q����8����f.�/JGQ�����'���\ħ(��V^�����>����՚|�y���-|�{[����T7��C|EA�t���-��b�f.����$����lކ�qaU��6���V�}\|��o3ű�t���|��_�y��� �v�k��Z�����,%u�ӝM�W�j?�����?���Q����< ����^f虷a�K�=@��V��(|�����zYz:!<�|($r��¹:~��y�l!a�]e�$�m$3���پ�m��QQ,s��Y�M��Y�J���͖��Za)d�ɠs ^f���-����y�ۏm�/���W���}�3OtE<��B�'7���z��VJ<�m ��L�|�0��]8=�G�n���om��:Mx�[|�s3��F�
/��苙o�bO����T��*��ѡ}�T����]����C��W�L���������i������{��PxX�_�n���\�WF�Y"GN-)tM��(���K[������?�_V9���������t�k[����6���5ʟ���w���G�y��M�,�� b��E��H�P�������>�T�l�\Vۼ]�|An�E��@�՚�_}O#Y�E&�ʕ�i�(:Ox�jy���F,?��������UIe_�C�ˮt� �B���B�� Z�B����^��R繬aE�r
���Z[���%��{Nl�א��"�hZ[�r^�F�=�5��L��$���U�H<�SEG/08N�;�'��A���W��C?�o�G:�UM�oD"�£?0B!c�!�S>f����r���p*d8ת��c��������c�i�a�0*�8�\ �q�ZX}|Z�"�R��sC!VC��X���m��� ��H�hu�,Jo"�E<�k� w=�*F����ӡ*q��Lx�(P z����J-+�/�y+̸R;��Xr�'�]���M�iMq�q�r� ��Ԯ�"��]��3E+�ROv'�m�k$+��=�ӧ_�{*��?�ӫ&_�+��tS�xx�>���ۦֺ��pp�Ue����'����_����ٟ>������_|����/}z����_�{� �F1߉r��#�:bӇ_���ۚX�A��cR�����5�'騧&�����zJ���t��:3�o���F���z�z�'��眄���ۚ"��I{tyҖ�y������U$[���V�D�Ӑ#C���mM�~ΞR�=� lnl����|QՒ�������H�Ϥ'q�59e�ܤO��4� ��8)i>���>6�V�Ia�����rS���nU5N�ok�� &v����j��U�v�v�C���f?�r%�iΜ$��w��ө��1л2�?R�4�7�0�M�D�w�Ї�G-�a�Y��٦��*-1�ȷ5�O�N\�#�� lV?�C��{�`�R�A/,eA^t,�$�����j�/�Q���^@EK���-P�'3�2�$��j�l`S׵j�e-�߫��T��l�I�[�b2����7�ͬ� Pd��8v�4Ro�B#�&�48��7��.�N�a���ٕ�~�S����k}�A�m >�չ%%��X�cK5�� ��Gk���oỬ�JGʍ�?��<37.Oҿp:LȪ�:Qg�ɬ�N�����S�yL?�ʓ[r7�=��H`�9.�y��EI#u����u����Qw+Y?�T�ܠ ( ~�� >��uI���+!�����'�����i��H>�̈́L������&���&qY�%��(x�@�{
�ȑ$~�`�����{��)� $�gؐ��+�Uv_�|#lGa��.=�BmZ͆HP{���Yv��L��\frtJ����=z�5?M� l.��ٚ�8#&M�#�#�OG����6J=�����#:i ����-��5�2�p���O�g/�f螙��CA}��Ǚ�j� cA�?�5���1��Rv�셔j��a���U�9�wz��Y�۰.c���o�{5�ѓ�2��������A�~ƫ��n !�J�J^����2�VKJ˶���[���.ۿ���7,X|t�nh?���F������d���*�*�z�L�>`��)��9[fzJ(�����Wz� �F΃�W��nPc��'�|���(�i���lD;�6��}yuE;|܋�x�+�R͞�_��y޴]߲�`:��Z+�R@����T�gY�+����� �����s3�лkU��j��8�н�3 s�Lj�� ��'��c���-��Z�ֹA���Agc`��&��Sqvn���9�T�x�8DB��
����^f����I��~n{�Q^��h��ND|NԍL5!VH���F��y���*q7����!��������l��u.^�l̔��9-)o��]~���,-5b�n8�頮鄃狷��=�r��gK���P�^��)��F�qc��"��5vG>-���.WyW�,����U�"Ǵ��u��P`�% T����r�1��/��ϻF^x1��4;��g�l���`��Q(�C��Q���!(FAY�6�����*�c��� %��Um���PA"L����O?�e��-��KN�7���E҈DO!�Fم�H|��ސ$-��\6FI9h��ʮ�1%���W�1,5��vWKEQzw�}&H�3�@ zT�fߒw�ۍ-A�%ɯN �[I�s�l4g�����Sb���MH�w"���>ߵ��d%�|"$V�#��׈�-� Y$ΥzG�Q���IE�R�!���zQ�a{G�I�H,,_aNw;�@|;�"�3֠1�����:��7���%A��_�B[ N 1���J�>to(�_rƩ�@X�]�Z�#~� �ư����By��4���IN3OB#U�(y�s����x�\�K��iG$"��R�H�����R��ِ�!�2�+�c4�]t����l[80q�0���͵p<���E��#=�������)���?:Yc*t��\yn��Y� 瘘yzK��5n&�"��v3c�C�9a,����J���V˨$L�ϊDJq-\�emPHvЮ�����S��D�a�*bj�l�]ÀP�4x�E���# ���.
��5�I���k\YI�.�*�M-_+��;��w0�Q+ ��S!- !��*9��ԅa0x���-b.d�S uΙ� B�"?��[�t�tP�R��~O�r�n"�}���W��վY�L!�/R���K[x'D�5�ĩ��crS���O�wq��9��ː��Y�9���W���K�{M/�ѱ,��C�g�C��m�E�;�f���0�&�%�V��RYK�S6ׄ.\�Y���])�G�Y��b�s~EZ`���P(Z1��ئw�% 4�̸�}��Ҍ��K�9�l�Q$�̒�U ��_�S��C�[p$vlz�{E�}�#���1ø�+�Q ��I�� r�������!��h�!�����8�X�!�5jI,��5yL �ɿ�/uOQpdp@-��(���uBK��=�ڨ珥�ƸD������I�@��B�ޙ��'2:+U)�O\t�]�Z�w�A^�(�
~���?�>��V�W�&�(� ��=�{^�_�_����b �� �@ �`ui�5@_J�`�6�G��Ú��N}�.x�^C�Ga�雇~����{�BǼo�㿓��j�N?��qG�ߝ�����-������� \�n���C��6��p�]�r��y(1,��y 0{��*x���1s�Z�����U��4���s�̰�;������n������H�f�O�I��8��������q%�_q�_��?�W�TqD��3��=Vh�i� ���Yf4?0��c+�8�Nq(!x�!�kFX�\<-��={�S[�&c�r�d��� �i� o��*�vo+X8��\��hn޹pp<��Mk��8�B$-��ۿQv�PЋ�M@��2c�9��W��N��R[�p�)�K���'�t0�F>[ɒ�N� ~O����BI� A�o�ڜE=�1��f����JqJvͅ��/�Wɟh��9 ߩf��۲|g����ģ��i��~��.������6j� ^+�!y�T��n� ��}���5�3���y�mM��/�3����cu�0�W������(��@���+/�W$�tzfڇsF��ηE�|�8��)4ోN
x��3M]1W��|$H ��Z�����'��7-�&���������_�Cv�
�+.JrZ����WM��=\��ЂB��NY0:X�%:�Z,� (����^�?S{��"
��)6��[}_�7�A�qDT��GU 0�̷��Xta�)�%zO;��d�Th7��#�CʅM��KK,����T �j
����Sn$�ґ�������a�tN���:q|j��;����;Fa�t�>I�6�Ԧ\�к�‡����G�O�U-����]F8a�G�{x� ܗ��� "���|Z�^��h��xa�W_<��on��)ʷ��]�����#\s]�mt���Ш;2��Z���H+X�c�(d�`�ula���2�()�� ̧���L@���R�GE+�
������.�`W�H�ȫ���U��Jn���U� K�+(of�u�:� IqpB����Ց㋻�5����E�|�K��#�-Ugx�]���92� �m5�(����G������܉�ED��!O��<}��Ab'�����6�o�&yE�P����d���}�[S������{���z��F�U$��X;���F;l*�6"�C�p�p(vrk ��*���a�DX#O`���
��s`z�������9J�G7��Um�oK ?����+c�h�.�:�������Hox�d�V$�$�,��Hƶ`t���e�ˈ���D%�bD��9��N��q��(A����a6\���q���:D#� +'�ׂ�hk�j���Ɯ�������~�x��wU"QN|��ք��k�N
;S3�-��y����c3��X͘*�_1� �A/�]�Ȣ՞c�{U��y�������ϙ�0:H�k>%�W��dM��T���=�b��6���(� ��PC��|`�D�g�%�}t)���?V4B��na��Ӛ���e��P�W!��5"�������]��t#q�vK8-��s� 7���܀�����-�F�m�ap�0��
�]����Y�a�������q#��F+��]��$E%����%#N���+4� �6�Ib,��}�ijfﰈd2�1zu�S�I`載K����+�� ���P7��{h�/! �b���f��L�~��YF�`�X�s��RD#��G����؊N�T[�;���b�!.�]~�|?���t�bgZ�q�Ӏ�J{,]o��ki�o��òփ��wZW��b���1��b$����Z����O^t8�>�Σ�v���r�
fj��0J_%���h�|���T�d�X���_�h�I���s �s\2O��A��N
r�խ�SB}$ۙ����"�@�@��D).\k_�L��#H�u��ad�9��)��}�=��t����?,����n��F�,%�`
�6i�i<��-_�� ����?���y?�]q
Y��|���Z@���[��jB����UC�3w��%�����Xv�U-��T��?y�H�~��I�ܝŒ��6��9c�njt�2(�/-!��C���Q�:)�z9z�}y|��ƀ]`���[�5�� w�������1�O���:L��RBM��(���B��z�<�ǵ�_�� �i�4_`��VH�!'6�=^$̇�=�/=�e!bN���#�H�N}Q׸������x�1?UG�H}
/7E�ʬ�:������:9�����.�\Rx�
pap"�+NV�q�d�y��ő&�k��7��_`�Ð0
��pZ kN��o)�w�2� ����H��]gʿ�u��L���;xe���;\���; ��no�J~*a&�Z��"���/r*�E5�o�㛻�5v>�uJx�b+k�%%�P����5�C8�{u������֜��Ow$�}���H�B�*סLp��t<�o|�^I
�n���!�����&�/V�����^�>���?U$ϡ���a��"��_����w���,��ZH�J���7>�vr�a��
���7ܸ�jO-�y���N�k\\��>�e�7����f��
g�����J4V�~�ߋ.�?W⠥ ���V����vH����c����Z�~�cבݧ�?b%9��\��M�~�` ?j���1_�[�� M'/�M�b��ȷ���!�N��G�~�F�|+�e�?�7u�Uy��kǁc���ak|8�i����58�����:����֬����^���񫥼N��-�\�.�'�J���s�|������"�^� ���+�>��H��=�Vΐ�����0|��4T�����n�cg��D����Go��0`2��$����J�nPw l2����g=;{�v���lЅ9��V��g����慼�ї�b�?��Z�i�