363_Web_App_FM.qxd 12/19/06 10:46 AM Page ii 425_Cyber_FM.qxd 2/23/07 1:15 PM Page i Visit us at www.syngress.com Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our cus- tomers. We are also committed to extending the utility of the book you pur- chase via additional materials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assort- ment of value-added features related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in down- loadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at [email protected] for more information. CUSTOM PUBLISHING Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at [email protected] for more information. 425_Cyber_FM.qxd 2/23/07 1:15 PM Page ii 425_Cyber_FM.qxd 2/23/07 1:15 PM Page iii Cyber Crime Investigations Bridging the Gaps Between Security Professionals, Law Enforcement, and Prosecutors Anthony Reyes New York City Police Department’s Computer Crimes Squad Detective, Retired Kevin O’Shea Jim Steele Jon R. Hansen Captain Benjamin R. Jean Thomas Ralph 425_Cyber_FM.qxd 2/23/07 1:15 PM Page iv Elsevier,Inc.,the author(s),and any person or firm involved in the writing,editing,or production (collec- tively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind,expressed or implied,regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights,which vary from state to state. In no event will Makers be liable to you for damages,including any loss of profits,lost savings,or other incidental or consequential damages arising out from the Work or its contents.Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages,the above limitation may not apply to you. You should always use reasonable care,including backup and other appropriate precautions,when working with computers,networks,data,and files. Syngress Media®,Syngress®,“Career Advancement Through Skill Enhancement®,”“Ask the Author UPDATE®,”and “Hack Proofing®,”are registered trademarks of Elsevier,Inc.“Syngress:The Definition of a Serious Security Library”™,“Mission Critical™,”and “The Only Way to Stop a Hacker is to Think Like One™”are trademarks of Elsevier,Inc.Brands and product names mentioned in this book are trade- marks or service marks of their respective companies. KEY SERIAL NUMBER 001 HJIRTCV764 002 PO9873D5FG 003 829KM8NJH2 004 78SPLBBC72 005 CVPLQ6WQ23 006 VBP965T5T5 007 HJJJ863WD3E 008 2987GVTWMK 009 629MP5SDJT 010 IMWQ295T6T PUBLISHED BY Syngress Publishing,Inc. 800 Hingham Street Rockland,MA 02370 Cyber Crime Investigations: Bridging the Gaps Between, Security Professionals, Law Enforcement, and Prosecutors Copyright © 2007 by Elsevier,Inc.All rights reserved.Printed in the United States of America.Except as permitted under the Copyright Act of 1976,no part of this publication may be reproduced or distributed in any form or by any means,or stored in a database or retrieval system,without the prior written per- mission of the publisher,with the exception that the program listings may be entered,stored,and executed in a computer system,but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN-10:1-59749-133-0 ISBN-13:978-1-59749-133-4 Publisher:Amorette Pedersen Project manager:Gary Byrne Acquisitions Editor:Andrew Williams Page Layout and Art:Patricia Lupien Technical Editor:Anthony Reyes Copy Editors:Michael McGee,Adrienne Rebello Cover Designer:Michael Kavish Indexer:Michael Ferreira For information on rights,translations,and bulk sales,contact Matt Pedersen,Commercial Sales Director and Rights,at Syngress Publishing;email [email protected]. 425_Cyber_FM.qxd 2/23/07 1:15 PM Page v Lead Author and Technical Editor Anthony Reyes is a retired New York City Police Department Computer Crimes Detective.While employed for the NYPD,he investigated computer intrusions,fraud,identity theft,child exploitation, intellectual property theft,and software piracy. He was an alternate member of New York Governor George E.Pataki’s Cyber-Security Task Force,and he currently serves as President for the High Technology Crime Investigation Association. He is the Education & Training Working Group Chair for the National Institute of Justice’s Electronic Crime Partner Initiative. Anthony is also an Associate Editor for the Journal of Digital Forensic Practice and an editor for The International Journal of Forensic Computer Science. He is an Adjutant Professor and is the Chief Executive Officer for the Arc Enterprises of New York,Inc.on Wall Street.Anthony has over 20 years of experience in the IT field.He teaches for sev- eral government agencies and large corporations in the area of com- puter crime investigations,electronic discovery,and computer forensics.He also lectures around the world. Anthony dedicates his chapters to “the breath of his soul”:his sons, Richie and Chris,and his mother,Hilda.He would like to thank his family and friends who endured his absence during the writing of this book.He also thanks Kevin O’Shea,Jim Steele,Jon R Hansen,Benjamin R.Jean, Thomas Ralph,Chet Hosmer,Christopher L.T.Brown,Doctor Marcus Rogers,and Paul Cibas for their contributions in making this book happen. Anthony wrote Chapters 1,4,and 5. v 425_Cyber_FM.qxd 2/23/07 1:15 PM Page vi Contributors Kevin O’Shea is currently employed as a Homeland Security and Intelligence Specialist in the Justiceworks program at the University of New Hampshire.In this capacity,Mr.O’Shea supports the implementation of tools,technology,and training to assist law enforcement in the investigation of crimes with a cyber component.In one of Kevin’s recent projects,he was a technical consultant and developer of a training program for a remote computer-foren- sics-viewing technology,which is now in use by the state of New Hampshire.He also has developed a computer-crime-investigative curriculum for the New Hampshire Police Standards and Training. Kevin dedicates his chapters to his family—“his true angels,”Leighsa, Fiona,and Mairead,for their patience,love,and encouragement.He would also like to thank Tony Reyes and the other authors of this book (it was a pleasure to work with all of you),as well as the TAG team,Stacy and Andrew,for their unbending support and friendship. Kevin wrote Chapters 2 and 7;he also cowrote Chapter 6. James “Jim”Steele (CISSP,MCSE:Security, Security+) has a career rich with experience in the security,computer forensics,network development, and management fields.For over 15 years he has played integral roles regarding project management, systems administration,network administration,and enterprise security management in public safety and mission-critical systems.As a Senior Technical Consultant assigned to the NYPD E-911 Center,he designed and managed implementation of multiple systems for enter- prise security;he also performed supporting operations on-site during September 11,2001,and the blackout of 2003.Jim has also partici- pated in foreign projects such as the development of the London vi 425_Cyber_FM.qxd 2/23/07 1:15 PM Page vii Metropolitan Police C3i Project,for which he was a member of the Design and Proposal Team.Jim’s career as a Technical Consultant also includes time with the University of Pennsylvania and the FDNY.His time working in the diverse network security field and expert knowl- edge of operating systems and network products and technologies have prepared him for his current position as a Senior Digital Forensics Investigator with a large wireless carrier.His responsibilities include performing workstation,server,PDA,cell phone,and network forensics as well as acting as a liaison to multiple law enforcement agencies,including the United States Secret Service and the FBI.On a daily basis he investigates cases of fraud,employee integrity,and compromised systems.Jim is a member of HTCC,NYECTF, InfraGard,and the HTCIA. Jim dedicates his chapters to his Mom,Dad,and Stephanie. Jim wrote Chapter 9. Jon R. Hansen is Vice-President of Sales and Business Development for AccessData.He is a com- puter specialist with over 24 years of experience in computer technologies,including network security, computer forensics,large-scale software deployment, and computer training on various hardware and soft- ware platforms. He has been involved with defining and devel- oping policies and techniques for safeguarding com- puter information,recovering lost or forgotten passwords,and acquiring forensic images.Jon has presented at conferences all over the world,addressing audiences in the United States,Mexico,Brazil, England,Belgium,Italy,The Netherlands,New Zealand,Australia, Singapore,Hong Kong,Korea,Japan,and South Africa. As the former Microsoft Regional Director for the State of Utah,Jon has represented many companies as a consultant and liaison administrator,including Microsoft,WordPerfect,Lotus Corporation,and Digital Electronic Corporation (DEC). Jon dedicates his chapters to the “love of his live,”his wife,Tammy. Jon wrote Chapter 10. vii 425_Cyber_FM.qxd 2/23/07 1:15 PM Page viii Captain Benjamin R. Jean has spent his entire law enforcement career in the State of New Hampshire, starting in 1992 for the Deerfield Police Department. He is currently employed as a Law Enforcement Training Specialist for the New Hampshire Police Standards & Training Council and is Chief of the Training Bureau.Captain Jean teaches classes in var- ious law enforcement topics,including computer crime investigation,and is an active member of the New Hampshire Attorney General’s Cyber Crime Initiative.He was recently awarded the 2006 Cyber Crime Innovation Award and holds an Associate’s Degree in Criminal Justice from New Hampshire Community Technical College and a Bachelor’s Degree in Information Technology from Granite State College. Benjamin dedicates his chapter to his kids,whom he does everything for, and his wife,who makes it all possible. Benjamin wrote Chapter 8. Thomas Ralph graduated cum laude from Case Western Reserve University School of Law,where he served as editor on the school’s Law Review.In 1998,after serving as legal counsel at MassHighway, Mr.Ralph joined the Middlesex District Attorney’s Office,where he performed trial work in the District and Superior Courts.Mr.Ralph became Deputy Chief of the Appeals Bureau,Captain of the Search Warrant Team,and Captain of the Public Records Team.Mr.Ralph has appeared dozens of times in the Massachusetts Appeals Court and Supreme Judicial Court.In 2005, Mr.Ralph became an Assistant Attorney General in the New Hampshire Attorney General’s office.His responsibilities there included spearheading the New Hampshire Attorney General’s Cybercrime Initiative,an innovative program for processing and handling electronic evidence that has received national recognition, viii