
Privacy protection and computer forensics PDF

366 Pages·2004·6.167 MB·English

Preview Privacy protection and computer forensics

Privacy Protection and Computer Forensics
Second Edition

For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and of the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce. Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high standard technical books on topics related to computer security. Further information about the series can be found on the WWW at the following URL:

http://www.esecurity.ch/serieseditor.html

Also, if you’d like to contribute to the series by writing a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.

For a listing of recent titles in the Artech House Computer Security Series, turn to the back of this book.

Privacy Protection and Computer Forensics
Second Edition
Michael A. Caloyannides
Artech House
Boston • London
www.artechhouse.com

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the U.S. Library of Congress.

British Library Cataloguing in Publication Data
A catalog record for this book is available from the British Library.

Cover design by Yekaterina Ratner

© 2004 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

International Standard Book Number: 1-58053-830-4

10 9 8 7 6 5 4 3 2 1

To my late parents, Akylas and Etta. Parents never die; they live through their children’s thoughts and actions and through their children’s children.

Contents

Introduction

1 Computer Forensics
  1.1 What is computer forensics?
  1.2 Why is computer forensics of vital interest to you?
    1.2.1 As an employee
    1.2.2 As an employer or corporate executive
    1.2.3 As a law enforcement official
    1.2.4 As an individual
    1.2.5 As a lawyer for the defense
    1.2.6 As an insurance company
    1.2.7 As a user of others’ computers
  1.3 If you have done nothing illegal, you have nothing to fear: not true anywhere!
  1.4 Computer forensics
    1.4.1 User rights to privacy?
    1.4.2 The forensics investigator must know up front
    1.4.3 Forensics is deceptively simple but requires vast expertise
    1.4.4 Computer forensics top-level procedure
    1.4.5 Forensics specifics
    1.4.6 Digital evidence is often evidence of nothing
  Selected bibliography

2 Locating Your Sensitive Data in Your Computer
  2.1 Deleting does not delete—what does?
    2.1.1 General
    2.1.2 Disk wiping
    2.1.3 File- and disk-wiping software
    2.1.4 Magnetic microscopy forensic examination of disks
  2.2 Where is the sensitive data hiding?
    2.2.1 Cluster tips or slack
    2.2.2 Free space
    2.2.3 The swap file
    2.2.4 Spool and temporary files
    2.2.5 Forensics on nonmagnetic disks
    2.2.6 History files
    2.2.7 Data in the registry files
    2.2.8 Data from sloppy use of personal encryption software
    2.2.9 Nonvolatile memory
  2.3 The swap file as a source of forensic data
    2.3.1 General
    2.3.2 Securely wiping the swap file
  2.4 The Registry as a source of forensic data
    2.4.1 Why is the Registry a major source of forensic evidence?
    2.4.2 Where is all this private information hiding in the Registry?
    2.4.3 Backing up the Registry and restoring a corrupted one
    2.4.4 Cleaning up sensitive data in the Registry
  Reference

3 Specialized Forensics Applications
  3.1 Digital watermarking
  3.2 The British RIP Act and the US Carnivore (DCS1000)
  Selected bibliography

4 How Can Sensitive Data Be Stolen from One’s Computer?
  4.1 Physical possession of one’s computer
  4.2 Temporary physical access to one’s computer
  4.3 Commercial hardware keystroke loggers
  4.4 Commercial software keystroke loggers
  4.5 Going online
    4.5.1 By one’s ISP or by anyone having compromised the ISP’s security
    4.5.2 By a legal or an illegal telephone tap
    4.5.3 By remote Web sites that one accesses
  4.6 Spyware in your computer
    4.6.1 By commercial spyware and adware
  4.7 van Eck radiation using commercially available systems
    4.7.1 General
    4.7.2 Protective measures
    4.7.3 Optical emanations and their interception
  4.8 Being on a network, cable modem, or xDSL modem
  4.9 Other means
  4.10 Insertion of incriminating data in your computer by others
  4.11 Security protection steps that don’t work well enough
    4.11.1 The fallacy of CMOS password protection
    4.11.2 The fallacy of password protection offered by popular commercial software
    4.11.3 The fallacy of protection by hiding files from view
    4.11.4 The fallacy of protection by hiding data in the slack
    4.11.5 The fallacy of protection by placing data in normally unused locations of a disk
    4.11.6 The fallacy of protecting data by repartitioning a disk for a smaller capacity than the disk really has
    4.11.7 The fallacy of protection through password-protected disk access
    4.11.8 The fallacy of protection through the use of booby-trap software
    4.11.9 The fallacy that overwriting a file removes all traces of its existence
    4.11.10 The fallacy of encryption protection
    4.11.11 Other protection fallacies that don’t deliver
  Selected bibliography
  References

5 Why Computer Privacy and Anonymity?
  5.1 Anonymity
    5.1.1 Practical anonymity
  5.2 Privacy
    5.2.1 You cannot trust TRUSTe?
    5.2.2 Is privacy a right?
    5.2.3 The impact of technology on privacy
  Selected bibliography

6 Practical Measures For Protecting Sensitive Information
  6.1 Installing secure Windows
  6.2 Recommended best practices
    6.2.1 If using Windows NT
    6.2.2 If using Windows 2000
    6.2.3 If using Windows XP
    6.2.4 Heroic protective measures regardless of the version of Windows
    6.2.5 Last but not least
  6.3 Additional privacy threats and countermeasures
    6.3.1 Individually serial-numbered documents
    6.3.2 Online activation and online snooping by software
    6.3.3 Microsoft documents that call home
    6.3.4 The NetBIOS and other threats from unneeded network services
    6.3.5 TCPA/Palladium
    6.3.6 The vulnerability of backups
  6.4 Protecting sensitive data on hard disks
    6.4.1 Full disk encryption
    6.4.2 Encrypting disk partitions
  Reference

7 Basic Protection from Computer Data Theft Online
  7.1 Protection from which of many online threats?
  7.2 Installation of Windows for secure online operation
  7.3 Online security threats and issues
    7.3.1 Web browser hijacking
    7.3.2 The romantic e-card and related con schemes
    7.3.3 E-mail bombs
  7.4 Software to enhance online security
    7.4.1 Junkbuster
    7.4.2 SurfSecret
    7.4.3 Assorted cleaners of browsers
  7.5 Basic do’s and don’ts
    7.5.1 Don’t’s
    7.5.2 Do’s

8 Practical Measures for Online Computer Activities
  8.1 Netscape Navigator/Communicator
  8.2 Microsoft Internet Explorer
  8.3 Desirable e-mail software configuration and modifications
    8.3.1 Free Web-based e-mail offers that require JavaScript: don’t!
    8.3.2 Outlook and Outlook Express
    8.3.3 Eudora e-mail software
  8.4 Secure e-mail conduct online
    8.4.1 Self-protecting e-mail
    8.4.2 Accessing e-mail from anywhere on Earth
