ebook img

Computer forensics jumpstart PDF

302 Pages·2005·6.378 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Computer forensics jumpstart

Computer Forensics JumpStart™ Michael G. Solomon Diane Barrett Neil Broom SYBEX® 4375.book Page i Monday, October 18, 2004 3:13 PM Computer Forensics JumpStart ™ Michael G. Solomon Diane Barrett Neil Broom San Francisco ◆ London 4375.book Page ii Monday, October 18, 2004 3:13 PM Associate Publisher: Neil Edde Acquisitions and Developmental Editor: Maureen Adams Production Editor: Lori Newman Technical Editor: Warren G. Kruse Copyeditor: Kathy Grider-Carlyle Compositor: Jeff Wilson, Happenstance Type-O-Rama Graphic Illustrator: Jeff Wilson, Happenstance Type-O-Rama Proofreaders: Ian Golder, Amy Rasmussen, Nancy Riddiough Indexer: Nancy Guenther Book Designer: Judy Fung Cover Designer: Richard Miller, Calyx Design Cover Illustrator: Richard Miller, Calyx Design Copyright © 2005 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this pub- lication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, pho- tograph, magnetic, or other record, without the prior agreement and written permission of the publisher. Library of Congress Card Number: 2004113397 ISBN: 0-7821-4375-X SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. JumpStart is a trademark of SYBEX Inc. Screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated. Internet screen shot(s) using Microsoft Internet Explorer 6 reprinted by permission from Microsoft Corporation. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by fol- lowing the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the con- tents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 4375.book Page iii Monday, October 18, 2004 3:13 PM About the Authors Michael G. Solomon is a full-time security speaker, consultant (http://www.solomonconsulting.com/), trainer, and a former college instructor who specializes in development and assessment security topics. As an IT professional and consultant since 1987, he has worked on projects or trained for more than 60 major com- panies and organizations, including EarthLink, Nike Corporation, Lucent Technologies, BellSouth, UPS, the U.S. Coast Guard, and Norrell. From 1998 until 2001, Michael was an instructor in the Kennesaw State University’s Computer Science and Information Sciences (CSIS) department, where he taught courses on software project management, C++ programming, computer organization and architecture, and data communications. Michael has an M.S. in mathematics and computer science from Emory University (1998) and a B.S. in computer science from Kennesaw State University (1987). Michael has also contributed to various security certification books for LANWrights/iLearning, includ- ing TICSA Training Guide and an accompanying Instructor Resource Kit (Que, 2002), CISSP Study Guide (Sybex, 2003), as well as Security+ Training Guide (Que, 2003). Michael co-authored Informa- tion Security Illuminated (Jones and Bartlett, 2005), Security+ Lab Manual Exam Cram 2 (Que, 2005), and authored and provided the on-camera delivery of LearnKey’s CISSP Prep e-Learning course. Michael’s certifications include Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and TruSecure ICSA Certified Security Associate (TICSA). Diane Barrett has been involved in the IT industry since 1993. She works at Remington College where she taught in the computer networking program for two years before becoming a director. She teaches online classes that include networking, security, and virus protection, and she is the president of a secu- rity awareness corporation that specializes in training. Diane has co-authored several security and networking books, including MCSA/MCSE 70-299 Exam Cram 2: Implementing and Administering Security in a Windows Server 2003 Network (Que, 2004) and Computer Networking Illuminated (Jones and Bartlett, 2005). She is currently volunteering for ISSA’s Generally Accepted Inform ation Security Principles Project in the ethical practices working group. Diane’s certifications include Microsoft Certified Systems Engineer (MCSE) on Windows 2000, MCSE+I on Windows NT 4.0, Certified Information Systems Security Professional (CISSP), Cisco Certified Net- work Associate (CCNA), A+, Network+, i-Net+, and Security+. Neil Broom is the President of the Technical Resource Center (http://www.trcglobal.com) in Atlanta, Georgia. As a speaker, trainer, course director, and consultant in the fields of Computer Foren- sics, Information Assurance, and Professional Security Testing, he has over 14 years of experience pro- viding technical education and security services to the military, law enforcement, the health care industry, financial institutions, and government agencies. Neil is the Lead Instructor and Developer of the Computer Forensics and Cyber Investigations course and the Certified Cyber Crime Examiner (C3E) certification and provides Computer Forensics services to clients in the Metro Atlanta area and the Southeast United States. 4375.book Page iv Monday, October 18, 2004 3:13 PM Neil is currently the Vice President of the Atlanta Chapter of the International Information Systems Forensics Association, and he is a professional member of the National Speakers Association. His past employment includes the U.S. Navy as a submariner, the Gainesville, Florida Police Department as a law enforcement officer, and Internet Security Systems (ISS) as a security trainer. Neil has multiple certifications including Certified Information Systems Security Professional (CISSP), Certified Computer Examiner (CCE), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), National Security Agency’s INFOSEC Assessment Methodology (IAM), Microsoft Certified Systems Engineer (MCSE 4.0 and 2000), Microsoft Certified Trainer (MCT), and TruSecure ICSA Certified Security Associate (TICSA). About the Technical Editor Warren G. Kruse II, CISSP, CFCE, is the co-author of Computer Forensics: Incident Response Essen- tials, published by Addison-Wesley. Warren has conducted forensics globally in support of cases involving some of the largest law firms and corporations in the world. He is a member of the New York and Euro- pean Electronic Crimes Task Forces of the U.S. Secret Service. He was elected President of the High Tech Crime Investigation Association’s (www.htcia.org) 2005 International Executive Committee. Warren has extensive experience investigating cases involving the illegal use of computer and networks and received the High Tech Crime Investigation Association's (HTCIA) “2001 Case of the Year” award. He is an IACIS Certified Forensic Computer Examiner (CFCE) and an (ISC)2 Certified Information Systems Security Pro- fessional (CISSP). He lectures on computer forensics for Computer Security Institute (CSI) and has taught computer forensics at the SANS Institute and MIS Training Institute. He is the lead instructor of the hands- on intro and advanced Computer Forensics Bootcamps for Computer Forensic Services, LLC. Warren is a partner at Computer Forensic Services, LLC (www.computer-forensic.com). 4375.book Page v Monday, October 18, 2004 3:13 PM To my wife, best friend, and source of unyielding support, Stacey. —Michael G. Solomon To my dad, Gerald, who has always encouraged me to be my own person. —Diane Barrett To my mother, thank you for always believing in me. —Neil Broom 4375.book Page vi Monday, October 18, 2004 3:13 PM Acknowledgments Anything worth doing is worth doing well, and doing anything well generally requires a lot of help. My family has helped me immensely throughout this project. Stacey, Noah, and Isaac are all great fun to be around and often serve as sounding boards. The one focal point of this book, however, is Kim Lindros at LANWrights/ iLearning. She kept the project on track and worked things out regardless of what curve balls I may have sent her way. Kim deserves a huge ovation for her work to get this book into your hands. I truly appreciate the efforts of all the people at LANWrights/iLearning and Sybex to make this project a reality. —Michael G. Solomon Thanks to everyone at Sybex for making this book possible, especially Maureen Adams the acquisitions editor and Lori Newman the production editor. Thank you to the wonderful team at LANWrights/iLearning, espe- cially Kim Lindros, who worked so hard behind the scenes to be sure that our work was accurate and com- pleted in a timely fashion. To co-authors Michael Solomon and Neil Broom, thank you for the part each of you played in making this project successful. Thanks to Warren G. Kruse II, our technical reviewer, for making cer- tain our writing was technically and procedurally sound. Finally, special thanks to my husband, Bill, for keep- ing a sense of humor during the hours I spent writing. —Diane Barrett Kim Lindros, you rock! Thank you for all the support and gentle nudging you provided to keep me writing. I also wish to say thank you to the cat and kitten rescue group that I work with, www.FurKids.org. Now that the book is finished, I can return to helping save the lives of our furry little friends. —Neil Broom 4375.book Page vii Monday, October 18, 2004 3:13 PM Contents vii Contents Introduction xvii Chapter 1 The Need for Computer Forensics 1 Defining Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . 2 Real-Life Examples of Computer Crime . . . . . . . . . . . . . . . 4 Hacker Pleads Guilty to Illegally Accessing New York Times Computer Network . . . . . . . . . . . . . 4 Man Pleads Guilty to Hacking Intrusion and Theft of Data Costing Company $5.8 Million . . . . . . . . . . . 5 Three Men Indicted for Hacking into Lowe’s Companies’ Computers with Intent to Steal Credit Card Information . . . . . . . . . . . . . . . . . . . 6 Former Chief Computer Network Program Designer Arraigned for Alleged $10 Million Computer Software Bomb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Juvenile Computer Hacker Sentenced to Six Months in Detention Facility . . . . . . . . . . . . . . . . . 8 Corporate versus Law Enforcement Concerns . . . . . . . . . . 9 Corporate Concerns Focus on Detection and Prevention . . . . . . . . . . . . . . . . . . . . . . 9 Law Enforcement Focuses on Prosecution . . . . . . . . . . 11 Russian Computer Hacker Indicted in California for Breaking into Computer Systems and Extorting Victim Companies . . . . . . . . . . . . . . . . . . . 11 Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Practitioners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 End Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 What Are Your Organization’s Needs? . . . . . . . . . . . . . . 18 Terms to Know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Chapter 2 Preparation—What to Do Before You Start 21 Know Your Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 What I/O Devices Are Used? . . . . . . . . . . . . . . . . . . . . 22 Check Computers for Unauthorized Hardware . . . . . . 28 Keep Up to Date with New I/O Trends . . . . . . . . . . . . 32 4375.book Page viii Monday, October 18, 2004 3:13 PM viii Contents Know Your Operating System . . . . . . . . . . . . . . . . . . . . . 35 Different Operating Systems . . . . . . . . . . . . . . . . . . . . 35 Know What Filesystems Are in Use . . . . . . . . . . . . . . . 38 Maintain Tools and Procedures for Each Operating System and Filesystem . . . . . . . . . . . 40 Preinstalled Tools Make Forensics Easier . . . . . . . . . . . 41 Know Your Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Legal Organizational Rights and Limits . . . . . . . . . . . . 43 Search and Seizure Guidelines . . . . . . . . . . . . . . . . . . . 44 Will This End Up in Court? . . . . . . . . . . . . . . . . . . . . . 45 Develop Your Incident Response Team . . . . . . . . . . . . . . 45 Organize the Team . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 State Clear Processes . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Coordinate with Local Law Enforcement . . . . . . . . . . 47 Terms to Know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Chapter 3 Computer Evidence 51 What Is Computer Evidence? . . . . . . . . . . . . . . . . . . . . . . 52 Incidents and Computer Evidence . . . . . . . . . . . . . . . . 52 Types of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Search and Seizure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Voluntary Surrender . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Subpoena . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Search Warrant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Chain of Custody . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Evidence Admissibility in a Court of Law . . . . . . . . . . . . . 66 Relevance and Admissibility . . . . . . . . . . . . . . . . . . . . 66 Techniques to Ensure Admissibility . . . . . . . . . . . . . . . 67 Leave No Trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Read-Only Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Software Write Blocker . . . . . . . . . . . . . . . . . . . . . . . . 69 Hardware Write Blocker . . . . . . . . . . . . . . . . . . . . . . . 69 Terms to Know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Chapter 4 Common Tasks 73 Evidence Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Physical Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Removable Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 4375.book Page ix Monday, October 18, 2004 3:13 PM Contents ix Evidence Preservation . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Pull the Plug or Shut It Down? . . . . . . . . . . . . . . . . . . 81 Supply Power As Needed . . . . . . . . . . . . . . . . . . . . . . . 82 Provide Evidence of Initial State . . . . . . . . . . . . . . . . . 83 Evidence Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Knowing Where to Look . . . . . . . . . . . . . . . . . . . . . . . 85 Wading through the Sea of Data . . . . . . . . . . . . . . . . . 87 Sampling Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Evidence Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Know Your Audience . . . . . . . . . . . . . . . . . . . . . . . . . 89 Organization of Presentation . . . . . . . . . . . . . . . . . . . . 91 Keep It Simple . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Terms to Know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Chapter 5 Capturing the Data Image 95 Full Volume Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Evidence Collection Order . . . . . . . . . . . . . . . . . . . . . . 96 Preparing Media and Tools . . . . . . . . . . . . . . . . . . . . . 97 Collecting the Volatile Data . . . . . . . . . . . . . . . . . . . 100 Creating a Duplicate of the Hard Disk . . . . . . . . . . . 103 Extracting Data from PDAs . . . . . . . . . . . . . . . . . . . . 107 Image and Tool Documentation . . . . . . . . . . . . . . . . 108 Partial Volume Image . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Imaging/Capture Tools . . . . . . . . . . . . . . . . . . . . . . . . . 111 Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Commercial Software . . . . . . . . . . . . . . . . . . . . . . . . 113 PDA Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Terms to Know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Chapter 6 Extracting Information from Data 117 What Are You Looking For? . . . . . . . . . . . . . . . . . . . . . 118 Internet Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 E-mail Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Deleted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 How People Think . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Picking the Low-Hanging Fruit . . . . . . . . . . . . . . . . . . . 130 Hidden Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Trace Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Terms to Know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.