Table Of Contentwww.it-ebooks.info
HACKING EXPOSED
™
COMPUTER FORENSICS
SECOND EDITION
REVIEWS
“This book provides the right mix of practical how-to knowledge in a
straightforward, informative fashion that ties all the complex pieces together with
real-world case studies. With so many books on the topic of computer forensics,
Hacking Exposed Computer Forensics, Second Edition, delivers the most valuable
insight on the market. The authors cut to the chase of what people must understand
to effectively perform computer forensic investigations.”
—Brian H. Karney, COO, AccessData Corporation
“Hacking Exposed Computer Forensics is a ‘must-read’ for information security
professionals who want to develop their knowledge of computer forensics.”
—Jason Fruge, Director of Consulting Services, Fishnet Security
www.it-ebooks.info
00-FM.indd i 8/23/2009 3:54:42 AM
“Computer forensics has become increasingly important to modern incident
responders attempting to defend our digital castles. Hacking Exposed Computer
Forensics, Second Edition, picks up where the first edition left off and provides a
valuable reference, useful to both beginning and seasoned forensic professionals. I
picked up several new tricks from this book, which I am already putting to use.”
—Monty McDougal, Raytheon Information Security Solutions, and author of
the Windows Forensic Toolchest (WFT) (www.foolmoon.net)
“Hacking Exposed Computer Forensics, Second Edition, is an essential reference for
both new and seasoned investigators. The second edition continues to provide
valuable information in a format that is easy to understand and reference.”
—Sean Conover, CISSP, CCE, EnCE
“This book is an outstanding point of reference for computer forensics and
certainly a must-have addition to your forensic arsenal.”
—Brandon Foley, Manager of Enterprise IT Security, Harrah’s Operating Co.
“Starts out with the basics then gets DEEP technically. The addition of IP theft and
fraud issues is timely and make this second edition that much more valuable. This
is a core book for my entire forensics group.”
—Chris Joerg, CISSP CISA/M, Director of Enterprise Security,
Mentor Graphics Corporation
“A must-read for examiners suddenly faced with a Mac or Linux exam after
spending the majority of their time analyzing Windows systems.”
—Anthony Adkison, Criminal Investigator and Computer Forensic Examiner,
CFCE/EnCE
“This book is applicable to forensic investigators seeking to hone their skills, and
it is also a powerful tool for corporate management and outside counsel seeking to
limit a company’s exposure.”
—David L. Countiss, Esq., partner, Seyfarth Shaw LLP
“I have taught information security at a collegiate level and in a corporate
setting for many years. Most of the books that I have used do not make it easy
for the student to learn the material. This book gives real-world examples,
various product comparisons, and great step-by-step instruction, which makes
learning easy.”
—William R Holland, Chief Security Officer, Royce LLC
www.it-ebooks.info
00-FM.indd ii 8/23/2009 3:54:42 AM
HACKING EXPOSED
™
COMPUTER FORENSICS
SECOND EDITION
AARON PHILIPP
DAVID COWEN
CHRIS DAVIS
New York Chicago San Francisco
Lisbon London Madrid Mexico City
Milan New Delhi San Juan
Seoul Singapore Sydney Toronto
www.it-ebooks.info
00-FM.indd iii 8/23/2009 3:54:42 AM
Copyright © 2010 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of
1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval sys-
tem, without the prior written permission of the publisher.
ISBN: 978-0-07-162678-1
MHID: 0-07-162678-6
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-162677-4, MHID: 0-07-162677-8.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trade-
mark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of
any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work.
Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one
copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, trans-
mit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the
work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be
terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,
AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not
warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or
error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of
cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed
through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the pos-
sibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in
contract, tort or otherwise.
www.it-ebooks.info
To my mom and dad, thanks for teaching me to follow my
dreams. To my sister, Renee, for always being there for me. To
all of my friends and teachers at The University of Texas at
Austin, for making me what I am and showing me what I
can be. Hook ‘em Horns!
—Aaron
To my daughter, I can’t wait to meet you. To my wife, thank you
for supporting me through the second edition. To my mom and
dad, thank you for your enthusiasm for a book you will never
read. To my friends at G-C, thank you for all the hard work.
—Dave
www.it-ebooks.info
00-FM.indd v 8/23/2009 3:54:43 AM
About the Authors
Aaron Philipp
Aaron Philipp is a managing consultant in the Disputes and Investigations practice
at Navigant Consulting, which assists domestic and global corporations and their
counsel who face complex and risky legal challenges. In this capacity, he provides
consulting services in the fields of computer forensics and high-tech investigations.
Mr. Philipp specializes in complex computer forensic techniques such as
identification and tracing of IP theft, timeline creation, and correlation relating to
multiparty fraud and reconstruction of evidence after deliberate data destruction has
occurred that would nullify traditional computer forensic methodology. Mr. Philipp was
previously Managing Partner of Affect Computer Forensics, a boutique forensics firm
based in Austin, Texas, with offices in Dallas, Texas, and Hong Kong. Affect’s clients
include the nation’s top law firms, FORTUNE 500 legal departments, and government
investigatory agencies. In addition, Mr. Philipp is a regular speaker at technology and
legal conferences around the world. He has been internationally recognized for his work,
with citations of merit from the governments of Taiwan and South Africa. Mr. Philipp
has a B.S. in computer science from The University of Texas at Austin.
David Cowen, CISSP
David Cowen is the co-author of the best-selling Hacking Exposed Computer Forensics
and the Anti-Hacker Toolkit, Third Edition. Mr. Cowen is a Partner at G-C Partners,
LLC, where he provides expert witness services and consulting to Fortune 500
companies nationwide. Mr. Cowen has testified in cases ranging from multimillion-
dollar intellectual property theft to billion-dollar antitrust claims. Mr. Cowen has
over 13 years of industry experience in topics ranging from information security to
computer forensics.
Chris Davis
Chris Davis has trained and presented in information security and certification
curriculum for government, corporate, and university requirements. He is the
author of Hacking Exposed Computer Forensics, IT Auditing: Using Controls to Protect
Information Assets, and Anti-Hacker Toolkit, and he contributed to the Computer
Security Handbook, Fifth Edition. Mr. Davis holds a bachelor’s degree in nuclear
engineering technologies from Thomas Edison and a master’s in business from
The University of Texas at Austin. Mr. Davis served eight years in the U.S. Naval
Submarine Fleet, onboard the special projects Submarine NR-1 and the USS Nebraska.
About the Contributing Authors
Todd K. Lester is a director in the Disputes and Investigations practice of Navigant
Consulting (PI), LLC, which assists domestic and global corporations and their counsel
who face complex and risky legal challenges. He is an Accredited Senior Appraiser (ASA)
in business valuation and a Certified Fraud Examiner (CFE) with over 20 years of
experience in forensic accounting, litigation consulting, damages analysis, business
valuation, and business investigations. Mr. Lester has conducted financial investigations
www.it-ebooks.info
00-FM.indd vi 8/23/2009 3:54:43 A
of accounting irregularities, fraud, and other misconduct in a wide variety of domestic
and international forums. He also has extensive experience advising clients in complex
litigation and disputes on the financial, accounting, and data analysis aspects of
multifaceted damages calculations, especially where complex databases and business
systems are involved. Prior to joining Navigant Consulting, Mr. Lester was a director in
the Financial Advisory Services practice of PricewaterhouseCoopers. He holds a
bachelor’s of business administration in finance/international business, a B.A. in biology,
and an MBA from The University of Texas.
Jean Domalis has over eight years of investigative experience, focusing on digital
forensic techniques in the areas of IP theft, corporate espionage, embezzlement, and
securities fraud. Ms. Domalis was previously a senior consultant with Navigant
Consulting, where she participated as a key member of teams undertaking multinational
forensic investigations in the United States, Canada, and Asia. Ms. Domalis came to
Navigant with the acquisition of Computer Forensics, Inc., one of the nation’s premier
computer forensics boutique firms. Ms. Domalis attended the University of
Washington.
John Loveland specializes in providing strategic counsel and expert witness services
on matters related to computer forensic investigations and large end-to-end discovery
matters. He has over 18 years of experience in consulting multinational corporations
and law firms and has led or contributed to over 100 investigations of electronic data
theft and computer fraud and abuse and to the collection of electronic evidence from
hard drives, backup tapes, network servers, cell phones and BlackBerries, and other
storage media. Mr. Loveland was the founder and president of S3 Partners, a computer
forensics firm based in Dallas, which was acquired by Fios, Inc., in 2003. He is currently
managing director in the Computer Forensics and Electronic Discovery Services practice
for Navigant Consulting in Washington, D.C. and oversees the practice’s operations in
the Mid-Atlantic region.
David Dym has been a private computer forensics consultant for several years,
providing services at G-C Partners, LLC. Forensic services have included evidence
collection, recovery, and analysis for clients of top firms in the United States as well
as companies in the banking and mining industry. Mr. Dym has over nine years
of experience with programming, quality assurance, enterprise IT infrastructure, and
has experience with multiple network, database, and software security initiatives.
Mr. Dym has built and managed multiple teams of programmers, quality assurance
testers, and IT infrastructure administrators. He has participated in dozens of projects to
develop and deploy custom-developed business software, medical billing, inventory
management, and accounting solutions.
Rudi Peck has been a private computer forensic consultant for the last several years
providing services at G-C Partners, LLC. Forensic services have included evidence
collection, recovery, and analysis for clients of several top firms in the United States as
well as companies in the banking industry. Mr. Peck has over a decades worth of
experience in programming, software production, and test engineering with an extensive
background in Window’s security. Mr. Peck has designed several security audit tools for
companies and provided contract development work for the Center of Internet
Security.
Rafael Gorgal is a partner with the firm of G-C Partners, LLC, a computer forensics
and information security consultancy. He is the three-term past president of the Southwest
www.it-ebooks.info
00-FM.indd vii 8/23/2009 3:54:44 A
Chapter, High Technology Crime Investigations Association, and has extensive experience
in analyzing digital evidence. He has conducted numerous forensic investigations,
developed methodologies for use by incident response teams, and managed teams of
forensic consultants. He has also developed computer forensic curriculum currently
being taught to both private sector and law enforcement investigators. Mr. Gorgal has
taught information security at Southern Methodist University, the University of California
at Los Angeles, and the National Technological University.
Peter Marketos is a partner at Haynes and Boones, LLP, who practices commercial
litigation in the firm’s Dallas office. He represents clients as both plaintiffs and defendants
in business disputes from trial through appeal. Mr. Marketos has tried many cases to
juries and to the bench, obtaining favorable verdicts in disputes involving corporate
fraud, breach of contract, breach of fiduciary duty, and theft of trade secrets. He has
developed substantial expertise in the discovery and analysis of electronic evidence
through the use of technology and computer forensics.
Andrew Rosen is president of ASR Data Acquisition & Analysis, LLC. He offers
unique litigation support services to the legal, law enforcement, and investigative
communities. With over a decade of experience in the recovery of computer data and
forensic examination, Mr. Rosen regularly provides expert testimony in federal and state
courts. Along with training attorneys and law enforcement officials in computer
investigation techniques, Mr. Rosen frequently speaks and writes on emerging matters
in the field. He has a worldwide reputation for developing cutting-edge computer-crime
investigative tools and is frequently consulted by other professionals in the industry.
About the Technical Editor
Louis S. Scharringhausen, Jr., is the director of Digital Investigations for Yarbrough
Strategic Advisors in Dallas, Texas, where he is responsible for directing, managing, and
conducting digital investigations and electronic discovery projects. Mr. Scharringhausen
was a special agent for the U.S. Environmental Protection Agency’s Criminal
Investigation Division (USEPA-CID) for ten years, conducting complex, large-scale
environmental investigations. For five of those years, he was a team leader for USEPA-
CID’s prestigious National Computer Forensics Laboratory-Electronic Crimes Team,
conducting forensic acquisitions and analysis in support of active investigations. After
leaving the public sector in January 2007, Mr. Scharringhausen worked with Navigant
Consulting, Inc., where he was an integral part of a digital forensics team that focused on
fraud and intellectual property investigations before coming to Yarbrough Strategic
Advisors. He has participated in numerous training sessions for Guidance Software,
Access Data, the National White Collar Crimes Center, and the Federal Law Enforcement
Training Center, among others. He holds the EnCase Certified Examiner endorsement
(EnCE) and a B.S. in environmental science from Metropolitan State College of Denver.
www.it-ebooks.info
00-FM.indd viii 8/23/2009 3:54:44 AM
AT A GLANCE
Part I Preparing for an Incident
▼ 1 The Forensics Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
▼ 2 Computer Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
▼ 3 Forensic Lab Environment Preparation . . . . . . . . . . . . . . . . . . . 41
Part II Collecting the Evidence
▼ 4 Forensically Sound Evidence Collection . . . . . . . . . . . . . . . . . . 63
▼ 5 Remote Investigations and Collections . . . . . . . . . . . . . . . . . . . . 97
Part III Forensic Investigation Techniques
▼ 6 Microsoft Windows Systems Analysis . . . . . . . . . . . . . . . . . . . . 131
▼ 7 Linux Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
▼ 8 Macintosh Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
▼ 9 Defeating Anti-forensic Techniques . . . . . . . . . . . . . . . . . . . . . . 197
▼ 10 Enterprise Storage Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
▼ 11 E-mail Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
▼ 12 Tracking User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
▼ 13 Forensic Analysis of Mobile Devices . . . . . . . . . . . . . . . . . . . . . . 303
ix
www.it-ebooks.info
00-FM.indd ix 8/23/2009 3:54:44 AM
