526367 Cover_rb2.qxp 3/19/03 3:53 PM Page 1

Networking/Security $45.00 USA/$67.99 CAN/£31.50 UK
TIMELY. PRACTICAL. RELIABLE.
INCLUDES CD-ROM

Incident Response: Computer Forensics Toolkit

Your in-depth guide to detecting network breaches, uncovering evidence, and preventing future attacks

Whether it's from malicious code sent through an e-mail or an unauthorized user accessing company files, your network is vulnerable to attack. Your response to such incidents is critical. With this comprehensive guide, Douglas Schweitzer arms you with the tools to reveal a security breach, gather evidence to report the crime, and conduct audits to prevent future attacks. He also provides you with a firm understanding of the methodologies for incident response and computer forensics, Federal Computer Crime law information and evidence requirements, legal issues, and how to work with law enforcement.

You'll learn how to:
• Recognize the telltale signs of an incident and take specific response measures
• Search for evidence by preparing operating systems, identifying network devices, and collecting data from memory
• Analyze and detect when malicious code enters the system and quickly locate hidden files
• Perform keyword searches, review browser history, and examine Web caches to retrieve and analyze clues
• Create a forensics toolkit to properly collect and preserve evidence
• Contain an incident by severing network and Internet connections, and then eradicate any vulnerabilities you uncover
• Anticipate future attacks and monitor your system accordingly
• Prevent espionage, insider attacks, and inappropriate use of the network
• Develop policies and procedures to carefully audit the system

CD-ROM includes:
• Helpful tools to capture and protect forensic data; search volumes, drives, and servers for evidence; and rebuild systems quickly after evidence has been obtained
• Valuable checklists developed by the author for all aspects of incident response and handling

DOUGLAS SCHWEITZER is an Internet security specialist and authority on malicious code and computer forensics. He is a Cisco Certified Network Associate and Certified Internet Webmaster Associate, and holds A+, Network+, and i-Net+ certifications. Schweitzer is also the author of Internet Security Made Easy and Securing the Network from Malicious Code.

Wiley Technology Publishing
Timely. Practical. Reliable.
Visit our Web site at www.wiley.com/compbooks/
ISBN: 0-7645-2636-7

a526367 FM.qxd 3/21/03 3:37 PM Page i

Incident Response: Computer Forensics Toolkit
Douglas Schweitzer

Incident Response: Computer Forensics Toolkit
Published by Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright © 2003 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 0-7645-2636-7
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1O/RR/QU/QT/IN

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-Mail: [email protected].

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data on file with the publisher.

Trademarks: Wiley, the Wiley Publishing logo, and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

About the Author

Douglas Schweitzer is an Internet security specialist with Brainbench certifications in Internet security and ITAA Information Security Awareness. Douglas is a Certified Internet Webmaster Associate, and he holds A+, Network+, and i-Net+ certifications from the Computing Technology Industry Association. He has appeared as an Internet security guest speaker on several radio shows, including KYW Philadelphia, as well as on Something You Should Know and Computer Talk America, two nationally syndicated radio shows. He is also the author of Securing the Network from Malicious Code: A Complete Guide to Defending Against Viruses, Worms, and Trojans and Internet Security Made Easy: A Plain-English Guide to Protecting Yourself and Your Company Online.

Credits

ACQUISITIONS EDITOR
Katie Feltman

PROJECT EDITOR
Mark Enochs

TECHNICAL EDITOR
Russell Shumway

COPY EDITOR
Maarten Reilingh

EDITORIAL MANAGER
Mary Beth Wakefield

VICE PRESIDENT & EXECUTIVE GROUP PUBLISHER
Richard Swadley

VICE PRESIDENT AND EXECUTIVE PUBLISHER
Bob Ipsen

EXECUTIVE EDITOR
Carol Long

EXECUTIVE EDITORIAL DIRECTOR
Mary Bednarek

PROJECT COORDINATORS
Cindy Phipps, Bill Ramsey

GRAPHICS AND PRODUCTION SPECIALISTS
Beth Brooks, Sean Decker, LeAndra Johnson, Stephanie Jumper, Kristin McMullan, Heather Pope, Julia Trippetti

QUALITY CONTROL TECHNICIANS
Carl W. Pierce, Robert Springer

PERMISSIONS EDITOR
Laura Moss

MEDIA DEVELOPMENT SPECIALIST
Travis Silvers

PROOFREADING
Kim Cofer

INDEXING
Virginia Bess

This book is dedicated in loving memory of Mirhan "Mike" Arian, whose insight and camaraderie are forever missed.