HACKING EXPOSED ™ COMPUTER FORENSICS SECOND EDITION REVIEWS “This book provides the right mix of practical how-to knowledge in a straightforward, informative fashion that ties all the complex pieces together with real-world case studies. With so many books on the topic of computer forensics, Hacking Exposed Computer Forensics, Second Edition, delivers the most valuable insight on the market. The authors cut to the chase of what people must understand to effectively perform computer forensic investigations.” —Brian H. Karney, COO, AccessData Corporation “Hacking Exposed Computer Forensics is a ‘must-read’ for information security professionals who want to develop their knowledge of computer forensics.” —Jason Fruge, Director of Consulting Services, Fishnet Security “Computer forensics has become increasingly important to modern incident responders attempting to defend our digital castles. Hacking Exposed Computer Forensics, Second Edition, picks up where the first edition left off and provides a valuable reference, useful to both beginning and seasoned forensic professionals. I picked up several new tricks from this book, which I am already putting to use.” —Monty McDougal, Raytheon Information Security Solutions, and author of the Windows Forensic Toolchest (WFT) (www.foolmoon.net) “Hacking Exposed Computer Forensics, Second Edition, is an essential reference for both new and seasoned investigators. The second edition continues to provide valuable information in a format that is easy to understand and reference.” —Sean Conover, CISSP, CCE, EnCE “This book is an outstanding point of reference for computer forensics and certainly a must-have addition to your forensic arsenal.” —Brandon Foley, Manager of Enterprise IT Security, Harrah’s Operating Co. “Starts out with the basics then gets DEEP technically. The addition of IP theft and fraud issues is timely and make this second edition that much more valuable. This is a core book for my entire forensics group.” —Chris Joerg, CISSP CISA/M, Director of Enterprise Security, Mentor Graphics Corporation “A must-read for examiners suddenly faced with a Mac or Linux exam after spending the majority of their time analyzing Windows systems.” —Anthony Adkison, Criminal Investigator and Computer Forensic Examiner, CFCE/EnCE “This book is applicable to forensic investigators seeking to hone their skills, and it is also a powerful tool for corporate management and outside counsel seeking to limit a company’s exposure.” —David L. Countiss, Esq., partner, Seyfarth Shaw LLP “I have taught information security at a collegiate level and in a corporate setting for many years. Most of the books that I have used do not make it easy for the student to learn the material. This book gives real-world examples, various product comparisons, and great step-by-step instruction, which makes learning easy.” —William R Holland, Chief Security Officer, Royce LLC HACKING EXPOSED ™ COMPUTER FORENSICS SECOND EDITION AARON PHILIPP DAVID COWEN CHRIS DAVIS New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto 00-FM.indd iii 8/23/2009 3:54:42 AM Copyright © 2010 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval sys- tem, without the prior written permission of the publisher. ISBN: 978-0-07-162678-1 MHID: 0-07-162678-6 The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-162677-4, MHID: 0-07-162677-8. All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trade- mark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at [email protected]. Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information. TERMS OF USE This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, trans- mit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the pos- sibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise. To my mom and dad, thanks for teaching me to follow my dreams. To my sister, Renee, for always being there for me. To all of my friends and teachers at The University of Texas at Austin, for making me what I am and showing me what I can be. Hook ‘em Horns! —Aaron To my daughter, I can’t wait to meet you. To my wife, thank you for supporting me through the second edition. To my mom and dad, thank you for your enthusiasm for a book you will never read. To my friends at G-C, thank you for all the hard work. —Dave 00-FM.indd v 8/23/2009 3:54:43 AM About the Authors Aaron Philipp Aaron Philipp is a managing consultant in the Disputes and Investigations practice at Navigant Consulting, which assists domestic and global corporations and their counsel who face complex and risky legal challenges. In this capacity, he provides consulting services in the fields of computer forensics and high-tech investigations. Mr. Philipp specializes in complex computer forensic techniques such as identification and tracing of IP theft, timeline creation, and correlation relating to multiparty fraud and reconstruction of evidence after deliberate data destruction has occurred that would nullify traditional computer forensic methodology. Mr. Philipp was previously Managing Partner of Affect Computer Forensics, a boutique forensics firm based in Austin, Texas, with offices in Dallas, Texas, and Hong Kong. Affect’s clients include the nation’s top law firms, FORTUNE 500 legal departments, and government investigatory agencies. In addition, Mr. Philipp is a regular speaker at technology and legal conferences around the world. He has been internationally recognized for his work, with citations of merit from the governments of Taiwan and South Africa. Mr. Philipp has a B.S. in computer science from The University of Texas at Austin. David Cowen, CISSP David Cowen is the co-author of the best-selling Hacking Exposed Computer Forensics and the Anti-Hacker Toolkit, Third Edition. Mr. Cowen is a Partner at G-C Partners, LLC, where he provides expert witness services and consulting to Fortune 500 companies nationwide. Mr. Cowen has testified in cases ranging from multimillion- dollar intellectual property theft to billion-dollar antitrust claims. Mr. Cowen has over 13 years of industry experience in topics ranging from information security to computer forensics. Chris Davis Chris Davis has trained and presented in information security and certification curriculum for government, corporate, and university requirements. He is the author of Hacking Exposed Computer Forensics, IT Auditing: Using Controls to Protect Information Assets, and Anti-Hacker Toolkit, and he contributed to the Computer Security Handbook, Fifth Edition. Mr. Davis holds a bachelor’s degree in nuclear engineering technologies from Thomas Edison and a master’s in business from The University of Texas at Austin. Mr. Davis served eight years in the U.S. Naval Submarine Fleet, onboard the special projects Submarine NR-1 and the USS Nebraska. About the Contributing Authors Todd K. Lester is a director in the Disputes and Investigations practice of Navigant Consulting (PI), LLC, which assists domestic and global corporations and their counsel who face complex and risky legal challenges. He is an Accredited Senior Appraiser (ASA) in business valuation and a Certified Fraud Examiner (CFE) with over 20 years of experience in forensic accounting, litigation consulting, damages analysis, business valuation, and business investigations. Mr. Lester has conducted financial investigations 00-FM.indd vi 8/23/2009 3:54:43 A of accounting irregularities, fraud, and other misconduct in a wide variety of domestic and international forums. He also has extensive experience advising clients in complex litigation and disputes on the financial, accounting, and data analysis aspects of multifaceted damages calculations, especially where complex databases and business systems are involved. Prior to joining Navigant Consulting, Mr. Lester was a director in the Financial Advisory Services practice of PricewaterhouseCoopers. He holds a bachelor’s of business administration in finance/international business, a B.A. in biology, and an MBA from The University of Texas. Jean Domalis has over eight years of investigative experience, focusing on digital forensic techniques in the areas of IP theft, corporate espionage, embezzlement, and securities fraud. Ms. Domalis was previously a senior consultant with Navigant Consulting, where she participated as a key member of teams undertaking multinational forensic investigations in the United States, Canada, and Asia. Ms. Domalis came to Navigant with the acquisition of Computer Forensics, Inc., one of the nation’s premier computer forensics boutique firms. Ms. Domalis attended the University of Washington. John Loveland specializes in providing strategic counsel and expert witness services on matters related to computer forensic investigations and large end-to-end discovery matters. He has over 18 years of experience in consulting multinational corporations and law firms and has led or contributed to over 100 investigations of electronic data theft and computer fraud and abuse and to the collection of electronic evidence from hard drives, backup tapes, network servers, cell phones and BlackBerries, and other storage media. Mr. Loveland was the founder and president of S3 Partners, a computer forensics firm based in Dallas, which was acquired by Fios, Inc., in 2003. He is currently managing director in the Computer Forensics and Electronic Discovery Services practice for Navigant Consulting in Washington, D.C. and oversees the practice’s operations in the Mid-Atlantic region. David Dym has been a private computer forensics consultant for several years, providing services at G-C Partners, LLC. Forensic services have included evidence collection, recovery, and analysis for clients of top firms in the United States as well as companies in the banking and mining industry. Mr. Dym has over nine years of experience with programming, quality assurance, enterprise IT infrastructure, and has experience with multiple network, database, and software security initiatives. Mr. Dym has built and managed multiple teams of programmers, quality assurance testers, and IT infrastructure administrators. He has participated in dozens of projects to develop and deploy custom-developed business software, medical billing, inventory management, and accounting solutions. Rudi Peck has been a private computer forensic consultant for the last several years providing services at G-C Partners, LLC. Forensic services have included evidence collection, recovery, and analysis for clients of several top firms in the United States as well as companies in the banking industry. Mr. Peck has over a decades worth of experience in programming, software production, and test engineering with an extensive background in Window’s security. Mr. Peck has designed several security audit tools for companies and provided contract development work for the Center of Internet Security. Rafael Gorgal is a partner with the firm of G-C Partners, LLC, a computer forensics and information security consultancy. He is the three-term past president of the Southwest 00-FM.indd vii 8/23/2009 3:54:44 A Chapter, High Technology Crime Investigations Association, and has extensive experience in analyzing digital evidence. He has conducted numerous forensic investigations, developed methodologies for use by incident response teams, and managed teams of forensic consultants. He has also developed computer forensic curriculum currently being taught to both private sector and law enforcement investigators. Mr. Gorgal has taught information security at Southern Methodist University, the University of California at Los Angeles, and the National Technological University. Peter Marketos is a partner at Haynes and Boones, LLP, who practices commercial litigation in the firm’s Dallas office. He represents clients as both plaintiffs and defendants in business disputes from trial through appeal. Mr. Marketos has tried many cases to juries and to the bench, obtaining favorable verdicts in disputes involving corporate fraud, breach of contract, breach of fiduciary duty, and theft of trade secrets. He has developed substantial expertise in the discovery and analysis of electronic evidence through the use of technology and computer forensics. Andrew Rosen is president of ASR Data Acquisition & Analysis, LLC. He offers unique litigation support services to the legal, law enforcement, and investigative communities. With over a decade of experience in the recovery of computer data and forensic examination, Mr. Rosen regularly provides expert testimony in federal and state courts. Along with training attorneys and law enforcement officials in computer investigation techniques, Mr. Rosen frequently speaks and writes on emerging matters in the field. He has a worldwide reputation for developing cutting-edge computer-crime investigative tools and is frequently consulted by other professionals in the industry. About the Technical Editor Louis S. Scharringhausen, Jr., is the director of Digital Investigations for Yarbrough Strategic Advisors in Dallas, Texas, where he is responsible for directing, managing, and conducting digital investigations and electronic discovery projects. Mr. Scharringhausen was a special agent for the U.S. Environmental Protection Agency’s Criminal Investigation Division (USEPA-CID) for ten years, conducting complex, large-scale environmental investigations. For five of those years, he was a team leader for USEPA- CID’s prestigious National Computer Forensics Laboratory-Electronic Crimes Team, conducting forensic acquisitions and analysis in support of active investigations. After leaving the public sector in January 2007, Mr. Scharringhausen worked with Navigant Consulting, Inc., where he was an integral part of a digital forensics team that focused on fraud and intellectual property investigations before coming to Yarbrough Strategic Advisors. He has participated in numerous training sessions for Guidance Software, Access Data, the National White Collar Crimes Center, and the Federal Law Enforcement Training Center, among others. He holds the EnCase Certified Examiner endorsement (EnCE) and a B.S. in environmental science from Metropolitan State College of Denver. 00-FM.indd viii 8/23/2009 3:54:44 AM AT A GLANCE Part I Preparing for an Incident ▼ 1 The Forensics Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 ▼ 2 Computer Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 ▼ 3 Forensic Lab Environment Preparation . . . . . . . . . . . . . . . . . . . 41 Part II Collecting the Evidence ▼ 4 Forensically Sound Evidence Collection . . . . . . . . . . . . . . . . . . 63 ▼ 5 Remote Investigations and Collections . . . . . . . . . . . . . . . . . . . . 97 Part III Forensic Investigation Techniques ▼ 6 Microsoft Windows Systems Analysis . . . . . . . . . . . . . . . . . . . . 131 ▼ 7 Linux Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 ▼ 8 Macintosh Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 ▼ 9 Defeating Anti-forensic Techniques . . . . . . . . . . . . . . . . . . . . . . 197 ▼ 10 Enterprise Storage Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 ▼ 11 E-mail Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 ▼ 12 Tracking User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 ▼ 13 Forensic Analysis of Mobile Devices . . . . . . . . . . . . . . . . . . . . . . 303 ix 00-FM.indd ix 8/23/2009 3:54:44 AM