
Cyber Forensics PDF

346 Pages·2002·3.728 MB·English


Cyber Forensics

Table of Contents

Cyber Forensics—A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes ..... 1
Disclaimer ..... 6
Introduction ..... 7
    Background ..... 8
    Dimensions of the Problem ..... 9
    Computer Forensics ..... 10
    Works Cited ..... 11

Section I: Cyber Forensics ..... 13
    Chapter List ..... 13

Chapter 1: The Goal of the Forensic Investigation ..... 14
    Overview ..... 14
    Why Investigate ..... 14
    Internet Exceeds Norm ..... 14
    Inappropriate E-mail ..... 16
    Non-Work-Related Usage of Company Resources ..... 17
    Theft of Information ..... 18
    Violation of Security Parameters ..... 18
    Intellectual Property Infraction ..... 19
    Electronic Tampering ..... 20
    Establishing a Basis or Justification to Investigate ..... 21
    Determine the Impact of Incident ..... 22
    Who to Call/Contact ..... 24
    If You Are the Auditor/Investigator ..... 24
    Resources ..... 25
    Authority ..... 25
    Obligations/Goals ..... 25
    Reporting Hierarchy ..... 25
    Escalation Procedures ..... 25
    Time Frame ..... 26
    Procedures ..... 26
    Precedence ..... 26
    Independence ..... 26

Chapter 2: How to Begin a Non-Liturgical Forensic Examination ..... 27
    Overview ..... 27
    Isolation of Equipment ..... 27
    Cookies ..... 29
    Bookmarks ..... 31
    History Buffer ..... 32
    Cache ..... 34
    Temporary Internet Files ..... 35
    Tracking of Logon Duration and Times ..... 35
    Recent Documents List ..... 36
    Tracking of Illicit Software Installation and Use ..... 37
    The System Review ..... 38
    The Manual Review ..... 41
    Hidden Files ..... 42
    How to Correlate the Evidence ..... 43
    Works Cited ..... 44

Chapter 3: The Liturgical Forensic Examination: Tracing Activity on a Windows-Based Desktop ..... 45
    Gathering Evidence For Prosecution Purposes ..... 45
    Gathering Evidence Without Intent to Prosecute ..... 45
    The Microsoft Windows-Based Computer ..... 46
    General Guidelines To Follow ..... 48
    Cookies ..... 50
    Bookmarks/Favorites ..... 53
    Internet Explorer's History Buffer ..... 54
    Temporary Storage on the Hard Drive ..... 55
    Temporary Internet Files ..... 56
    System Registry ..... 57
    Enabling and Using Auditing via the Windows Operating System ..... 61
    Confiscation of Computer Equipment ..... 65
    Other Methods of Covert Monitoring ..... 66

Chapter 4: Basics of Internet Abuse: What is Possible and Where to Look Under the Hood ..... 68
    Terms ..... 68
    Types of Users ..... 69
    E-Mail Tracking ..... 69
    IP Address Construction ..... 69
    Browser Tattoos ..... 69
    How an Internet Search Works ..... 70
    Swap Files ..... 74
    ISPs ..... 75
    Servers ..... 75
    Works Cited ..... 75

Chapter 5: Tools of the Trade: Automated Tools Used to Secure a System Throughout the Stages of a Forensic Investigation ..... 77
    Overview ..... 77
    Detection Tools ..... 77
    Protection Tools ..... 84
    Analysis Tools ..... 87

Chapter 6: Network Intrusion Management and Profiling ..... 91
    Overview ..... 91
    Common Intrusion Scenarios ..... 91
    Intrusion Profiling ..... 95
    Creating the Profile ..... 96
    Conclusion ..... 103

Chapter 7: Cyber Forensics and the Legal System ..... 105
    Overview ..... 105
    How the System Works ..... 105
    Issues of Evidence ..... 106
    Hacker, Cracker, or Saboteur ..... 108
    Best Practices ..... 115
    Notes ..... 115
    Acknowledgments ..... 116

Section II: Federal and International Guidelines ..... 117
    Chapter List ..... 117
    References ..... 118

Chapter 8: Searching and Seizing Computers and Obtaining Electronic Evidence ..... 118
    Recognizing and Meeting Title III Concerns in Computer Investigations ..... 123
    Computer Records and the Federal Rules of Evidence ..... 131
    Proposed Standards for the Exchange of Digital Evidence ..... 134
    Recovering and Examining Computer Forensic Evidence ..... 140
    International Principles for Computer Evidence ..... 141

Chapter 9: Computer Crime Policy and Programs ..... 143
    The National Infrastructure Protection Center Advisory 01-003 ..... 143
    The National Information Infrastructure Protection Act of 1996 ..... 146
    Distributed Denial of Service Attacks ..... 157
    The Melissa Virus ..... 163
    Cybercrime Summit: A Law Enforcement/Information Technology Industry Dialogue ..... 163

Chapter 10: International Aspects of Computer Crime ..... 165
    Council of Europe Convention on Cybercrime ..... 165
    Council of Europe Convention on Cybercrime Frequently Asked Questions ..... 168
    Internet as the Scene of Crime ..... 168
    Challenges Presented to Law Enforcement by High-Tech and Computer Criminals ..... 169
    Problems of Criminal Procedural Law Connected with Information Technology ..... 169
    Combating High-Tech and Computer-Related Crime ..... 169
    Vienna International Child Pornography Conference ..... 171
    OECD Guidelines for Cryptography Policy ..... 171
    Fighting Cybercrime: What are the Challenges Facing Europe? ..... 171

Chapter 11: Privacy Issues in the High-Tech Context ..... 172
    Law Enforcement Concerns Related to Computerized Databases ..... 172
    Enforcing the Criminal Wiretap Statute ..... 174
    Referring Potential Privacy Violations to the Department of Justice for Investigation and Prosecution ..... 174
    Testimony on Digital Privacy ..... 175

Chapter 12: Critical Infrastructure Protection ..... 176
    Attorney General Janet Reno's Speech on Critical Infrastructure Protection ..... 176
    Protecting the Nation's Critical Infrastructures: Presidential Decision Directive 63 ..... 176
    The Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63 ..... 177
    Foreign Ownership Interests in the American Communications Infrastructure ..... 187
    Carnivore and the Fourth Amendment ..... 188

Chapter 13: Electronic Commerce: Legal Issues ..... 195
    Overview ..... 195
    Guide for Federal Agencies on Implementing Electronic Processes ..... 195
    Consumer Protection in the Global Electronic Marketplace ..... 196
    The Government Paperwork Elimination Act ..... 196
    Internet Gambling ..... 197
    Sale of Prescription Drugs Over the Internet ..... 197
    Guidance on Implementing the Electronic Signatures in Global And National Commerce Act (E-SIGN) ..... 198
    Part I: General Overview of the E-SIGN Act ..... 198
    The Electronic Frontier: the Challenge of Unlawful Conduct Involving the Use of the Internet ..... 215
    Internet Health Care Fraud ..... 217
    Jurisdiction in Law Suits ..... 218
    Electronic Case Filing at the Federal Courts ..... 225
    Notes ..... 226

Chapter 14: Legal Considerations in Designing and Implementing Electronic Processes: A Guide for Federal Agencies ..... 229
    Executive Summary ..... 229
    Introduction ..... 237
    I. Why Agencies Should Consider Legal Risks ..... 238
    II. Legal Issues to Consider in "Going Paperless" ..... 242
    III. Reducing The Legal Risks in "Going Paperless" ..... 255
    Conclusion ..... 266
    Notes ..... 267

Chapter 15: Encryption ..... 273
    Department of Justice FAQ on Encryption Policy (April 24, 1998) ..... 273
    Interagency and State and Federal Law Enforcement Cooperation ..... 273
    Law Enforcement's Concerns Related to Encryption ..... 273
    Privacy in a Digital Age: Encryption and Mandatory Access ..... 274
    Modification of H.R. 695 ..... 280
    Security and Freedom Through Encryption Act ..... 281
    OECD Guidelines for Cryptography Policy ..... 285
    Recommended Reading ..... 285

Chapter 16: Intellectual Property ..... 286
    Prosecuting Intellectual Property Crimes Guidance ..... 286
    Deciding Whether to Prosecute an Intellectual Property Case ..... 286
    Government Reproduction of Copyrighted Materials ..... 286
    Federal Statutes Protecting Intellectual Property Rights ..... 286
    IP Sentencing Guidelines ..... 289
    Intellectual Property Policy and Programs ..... 292
    Copyrights, Trademarks and Trade Secrets ..... 294

Section III: Forensics Tools ..... 296
    Chapter List ..... 296

Chapter 17: Forensic and Security Assessment Tools ..... 297
    Detection, Protection, and Analysis ..... 297
    Detection and Prevention Tools for the PC Desktop ..... 297
    Analysis Tools ..... 299
    Applications ..... 301
    Additional Free Forensics Software Tools ..... 307

Chapter 18: How to Report Internet-Related Crime ..... 308
    Overview ..... 308
    The Internet Fraud Complaint Center (IFCC) ..... 309

Chapter 19: Internet Security: An Auditor's Basic Checklist ..... 310
    Firewalls ..... 310
    Supported Protocols ..... 311
    Anti-Virus Updates ..... 311
    Software Management Systems ..... 312
    Backup Processes and Procedures ..... 312
    Intra-Network Security ..... 312

Section IV: Appendices ..... 314
    Appendix List ..... 314

Appendix A: Glossary of Terms ..... 314
    A-C ..... 314
    D ..... 317
    E-G ..... 319
    H-I ..... 322
    K-Q ..... 323
    R-S ..... 324
    T-W ..... 326

Appendix B: Recommended Reading List ..... 329
    Books ..... 329
    Articles ..... 332
    Web Sites ..... 333

List of Exhibits ..... 337
    Chapter 2: How to Begin a Non-Liturgical Forensic Examination ..... 337
    Chapter 3: The Liturgical Forensic Examination: Tracing Activity on a Windows-Based Desktop ..... 337
    Chapter 4: Basics of Internet Abuse: What is Possible and Where to Look Under the Hood ..... 337
    Chapter 5: Tools of the Trade: Automated Tools Used to Secure a System Throughout the Stages of a Forensic Investigation ..... 338
    Chapter 6: Network Intrusion Management and Profiling ..... 338
    Chapter 8: Searching and Seizing Computers and Obtaining Electronic Evidence ..... 338
    Chapter 9: Computer Crime Policy and Programs ..... 338
    Chapter 11: Privacy Issues in the High-Tech Context ..... 338
    Chapter 12: Critical Infrastructure Protection ..... 339
    Chapter 13: Electronic Commerce: Legal Issues ..... 339
    Chapter 14: Legal Considerations in Designing and Implementing Electronic Processes: A Guide for Federal Agencies ..... 339
    Chapter 18: How to Report Internet-Related Crime ..... 339

Cyber Forensics—A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes

ALBERT J. MARCELLA, Ph.D.
ROBERT S. GREENFIELD
Editors

AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton, London, New York, Washington, D.C.

Library of Congress Cataloging-in-Publication Data

Cyber forensics: a field manual for collecting, examining, and preserving evidence of computer crimes / Albert J. Marcella, Robert Greenfield, editors.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-0955-7 (alk. paper)
1. Computer crimes--Investigation--Handbooks, manuals, etc. I. Marcella, Albert J. II. Greenfield, Robert, 1961-
HV8079.C65 C93 2001
363.25'968--dc21 2001053817

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the authors and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-0955-7/02/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.

Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.

Visit the Auerbach Publications Web site at www.auerbach-publications.com

Copyright © 2002 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-0955-7
Library of Congress Card Number 2001053817
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper

Editors and Contributors

Albert J. Marcella, Jr., Ph.D., CFSA, COAP, CQA, CSP, CDP, CISA, is an associate professor of Management in the School of Business and Technology, Department of Management, at Webster University, in Saint Louis, Missouri. Dr. Marcella remains the president of Business Automation Consultants, an information technology and management-consulting firm he founded in 1984. Dr. Marcella has completed diverse technical security consulting engagements involving disaster recovery planning, site and systems security, IT, financial and operational audits for an international clientele. He has contributed numerous articles to audit-related publications and has authored and co-authored 18 audit-related texts.

Robert S. Greenfield, MCP, has over 16 years of experience as a programmer/analyst, with the past five years as a systems consultant and software engineer in the consulting field. He has extensive experience designing software in the client/server environment. In addition to mainframe experience on several platforms, his background includes systems analysis, design, and development in client/server GUI and traditional environments. His client/server expertise includes Visual Basic, Access, SQL Server, Sybase, and Oracle 7.3 development. Mr. Greenfield has created intranet Web sites with FrontPage and distributed applications via the Internet. He currently holds professional accreditation as a Microsoft Certified Professional and continues self-paced training to achieve MCSE, MCSD, and MCSE/D + Internet ratings.

Abigail Abraham is an Assistant State's Attorney, prosecuting high-technology crimes for the Cook County State's Attorney's Office in Chicago, Illinois. She was awarded her J.D. from The University of Chicago Law School and served as an editor on the law review. Following law school, she clerked for one year for the Honorable Danny J. Boggs, U.S. Court of Appeals for the Sixth Circuit. She is an adjunct law professor at The University of Chicago Law School. In addition, she has designed training for lawyers and for police officers, and lectures around the country on high-technology legal issues.

Brent Deterdeing graduated from the University of Missouri with a degree in computer science and a minor in economics. Brent's involvement with SANS is extensive. He is an author of an upcoming book on firewalls through SANS, as well as chairing the SANS/GIAC Firewalls Advisory Board. He has mentored both small and large classes through SANS/GIAC Security Essentials Training & Certification (GSEC). Brent also authors, revises, and edits SANS courseware, quizzes, and tests. He has earned the SANS/GIAC GSEC (Security Essentials), GCFW (Firewall Analyst, with honors), GCIA (Intrusion Analyst), and GCIH (Incident Handling) certifications, as well as being a Red Hat Certified Engineer (RHCE). Brent participates in the St. Louis InfraGard chapter.

John W. Rado is a geospatial analyst at the National Imagery and Mapping Agency (NIMA) in St. Louis, Missouri. John has worked for NIMA since January of 1991.

William J. Sampias has been involved in the auditing profession for the past decade, with primary emphasis on audits of information systems. Mr. Sampias has published several works in the areas of disaster contingency planning, end-user computing, fraud, effective communications, and security awareness. Mr. Sampias is currently director of a state agency information systems audit group.

Steven Schlarman, CISSP, is a security consultant with PricewaterhouseCoopers. Since joining the firm in 1998, Steve has covered a number of roles, mainly as the lead developer of the Enterprise Security Architecture System and Services. He has published articles on the subject as well as being one of the major thought leaders in the PricewaterhouseCoopers Enterprise Security Architecture Service line. Prior to joining the firm, Steve had worked on multiple platforms including PC applications, networking, and midrange and mainframe systems. His background includes system security, system maintenance, and application development. Steve has completed numerous technical security consulting engagements involving security architectures, penetration studies ("hacking studies"), network and operating system diagnostic reviews, and computer crime investigation. He has participated in both PC computer forensic analysis and network intrusion management and investigation. Prior to PricewaterhouseCoopers, Steve worked at a U.S. state law enforcement agency in the information systems division.

Carol Stucki is working as a technical producer for PurchasePro.com, a rapidly growing dot.com company that is an application service provider specializing in Internet-based procurement. Carol's past experiences include working with GTE, Perot Systems, and Arthur Andersen as a programmer, system analyst, project manager, and auditor.
Dedication Erienne, Kristina, and Andy Michael Jordan said it best, thus, what more can I say… I approached practices the same way I approached games. You can't turn it on and off like a faucet. I couldn't dog it during practice and then, when I needed that extra push late in the game, expect it to be there. But that's how a lot of people fail. They sound like they're committed to being the best they can be. They say all the right things, make all the proper appearances. But when it comes right down to it, they're looking for reasons instead of answers. If you're trying to achieve, there will be roadblocks. I've had them; everybody has had them. But obstacles don't have to stop you. If you run into a wall, don't turn around and give up. Figure out how to climb it, 3