Computer Forensics JumpStart

Transcription

1 Computer Forensics JumpStart Michael G. Solomon Diane Barrett Neil Broom SYBEX

2 Computer Forensics JumpStart Michael G. Solomon Diane Barrett Neil Broom San Francisco London

3 Associate Publisher: Neil Edde Acquisitions and Developmental Editor: Maureen Adams Production Editor: Lori Newman Technical Editor: Warren G. Kruse Copyeditor: Kathy Grider-Carlyle Compositor: Jeff Wilson, Happenstance Type-O-Rama Graphic Illustrator: Jeff Wilson, Happenstance Type-O-Rama Proofreaders: Ian Golder, Amy Rasmussen, Nancy Riddiough Indexer: Nancy Guenther Book Designer: Judy Fung Cover Designer: Richard Miller, Calyx Design Cover Illustrator: Richard Miller, Calyx Design Copyright 2005 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher. Library of Congress Card Number: ISBN: X SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. JumpStart is a trademark of SYBEX Inc. Screen reproductions produced with FullShot 99. FullShot Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated. Internet screen shot(s) using Microsoft Internet Explorer 6 reprinted by permission from Microsoft Corporation. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America

4 About the Authors Michael G. Solomon is a full-time security speaker, consultant ( trainer, and a former college instructor who specializes in development and assessment security topics. As an IT professional and consultant since 1987, he has worked on projects or trained for more than 60 major companies and organizations, including EarthLink, Nike Corporation, Lucent Technologies, BellSouth, UPS, the U.S. Coast Guard, and Norrell. From 1998 until 2001, Michael was an instructor in the Kennesaw State University s Computer Science and Information Sciences (CSIS) department, where he taught courses on software project management, C++ programming, computer organization and architecture, and data communications. Michael has an M.S. in mathematics and computer science from Emory University (1998) and a B.S. in computer science from Kennesaw State University (1987). Michael has also contributed to various security certification books for LANWrights/iLearning, including TICSA Training Guide and an accompanying Instructor Resource Kit (Que, 2002), CISSP Study Guide (Sybex, 2003), as well as Security+ Training Guide (Que, 2003). Michael co-authored Information Security Illuminated (Jones and Bartlett, 2005), Security+ Lab Manual Exam Cram 2 (Que, 2005), and authored and provided the on-camera delivery of LearnKey s CISSP Prep e-learning course. Michael s certifications include Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and TruSecure ICSA Certified Security Associate (TICSA). Diane Barrett has been involved in the IT industry since She works at Remington College where she taught in the computer networking program for two years before becoming a director. She teaches online classes that include networking, security, and virus protection, and she is the president of a security awareness corporation that specializes in training. Diane has co-authored several security and networking books, including MCSA/MCSE Exam Cram 2: Implementing and Administering Security in a Windows Server 2003 Network (Que, 2004) and Computer Networking Illuminated (Jones and Bartlett, 2005). She is currently volunteering for ISSA s Generally Accepted Information Security Principles Project in the ethical practices working group. Diane s certifications include Microsoft Certified Systems Engineer (MCSE) on Windows 2000, MCSE+I on Windows NT 4.0, Certified Information Systems Security Professional (CISSP), Cisco Certified Network Associate (CCNA), A+, Network+, i-net+, and Security+. Neil Broom is the President of the Technical Resource Center ( in Atlanta, Georgia. As a speaker, trainer, course director, and consultant in the fields of Computer Forensics, Information Assurance, and Professional Security Testing, he has over 14 years of experience providing technical education and security services to the military, law enforcement, the health care industry, financial institutions, and government agencies. Neil is the Lead Instructor and Developer of the Computer Forensics and Cyber Investigations course and the Certified Cyber Crime Examiner (C 3 E) certification and provides Computer Forensics services to clients in the Metro Atlanta area and the Southeast United States.

5 Neil is currently the Vice President of the Atlanta Chapter of the International Information Systems Forensics Association, and he is a professional member of the National Speakers Association. His past employment includes the U.S. Navy as a submariner, the Gainesville, Florida Police Department as a law enforcement officer, and Internet Security Systems (ISS) as a security trainer. Neil has multiple certifications including Certified Information Systems Security Professional (CISSP), Certified Computer Examiner (CCE), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), National Security Agency s INFOSEC Assessment Methodology (IAM), Microsoft Certified Systems Engineer (MCSE 4.0 and 2000), Microsoft Certified Trainer (MCT), and TruSecure ICSA Certified Security Associate (TICSA). About the Technical Editor Warren G. Kruse II, CISSP, CFCE, is the co-author of Computer Forensics: Incident Response Essentials, published by Addison-Wesley. Warren has conducted forensics globally in support of cases involving some of the largest law firms and corporations in the world. He is a member of the New York and European Electronic Crimes Task Forces of the U.S. Secret Service. He was elected President of the High Tech Crime Investigation Association s ( International Executive Committee. Warren has extensive experience investigating cases involving the illegal use of computer and networks and received the High Tech Crime Investigation Association's (HTCIA) 2001 Case of the Year award. He is an IACIS Certified Forensic Computer Examiner (CFCE) and an (ISC) 2 Certified Information Systems Security Professional (CISSP). He lectures on computer forensics for Computer Security Institute (CSI) and has taught computer forensics at the SANS Institute and MIS Training Institute. He is the lead instructor of the handson intro and advanced Computer Forensics Bootcamps for Computer Forensic Services, LLC. Warren is a partner at Computer Forensic Services, LLC (

6 To my wife, best friend, and source of unyielding support, Stacey. Michael G. Solomon To my dad, Gerald, who has always encouraged me to be my own person. Diane Barrett To my mother, thank you for always believing in me. Neil Broom

7 Acknowledgments Anything worth doing is worth doing well, and doing anything well generally requires a lot of help. My family has helped me immensely throughout this project. Stacey, Noah, and Isaac are all great fun to be around and often serve as sounding boards. The one focal point of this book, however, is Kim Lindros at LANWrights/ ilearning. She kept the project on track and worked things out regardless of what curve balls I may have sent her way. Kim deserves a huge ovation for her work to get this book into your hands. I truly appreciate the efforts of all the people at LANWrights/iLearning and Sybex to make this project a reality. Michael G. Solomon Thanks to everyone at Sybex for making this book possible, especially Maureen Adams the acquisitions editor and Lori Newman the production editor. Thank you to the wonderful team at LANWrights/iLearning, especially Kim Lindros, who worked so hard behind the scenes to be sure that our work was accurate and completed in a timely fashion. To co-authors Michael Solomon and Neil Broom, thank you for the part each of you played in making this project successful. Thanks to Warren G. Kruse II, our technical reviewer, for making certain our writing was technically and procedurally sound. Finally, special thanks to my husband, Bill, for keeping a sense of humor during the hours I spent writing. Diane Barrett Kim Lindros, you rock! Thank you for all the support and gentle nudging you provided to keep me writing. I also wish to say thank you to the cat and kitten rescue group that I work with, Now that the book is finished, I can return to helping save the lives of our furry little friends. Neil Broom

8 Contents vii Contents Introduction xvii Chapter 1 The Need for Computer Forensics 1 Defining Computer Forensics Real-Life Examples of Computer Crime Hacker Pleads Guilty to Illegally Accessing New York Times Computer Network Man Pleads Guilty to Hacking Intrusion and Theft of Data Costing Company $5.8 Million Three Men Indicted for Hacking into Lowe s Companies Computers with Intent to Steal Credit Card Information Former Chief Computer Network Program Designer Arraigned for Alleged $10 Million Computer Software Bomb Juvenile Computer Hacker Sentenced to Six Months in Detention Facility Corporate versus Law Enforcement Concerns Corporate Concerns Focus on Detection and Prevention Law Enforcement Focuses on Prosecution Russian Computer Hacker Indicted in California for Breaking into Computer Systems and Extorting Victim Companies Training Practitioners End Users What Are Your Organization s Needs? Terms to Know Review Questions Chapter 2 Preparation What to Do Before You Start 21 Know Your Hardware What I/O Devices Are Used? Check Computers for Unauthorized Hardware Keep Up to Date with New I/O Trends

9 viii Contents Know Your Operating System Different Operating Systems Know What Filesystems Are in Use Maintain Tools and Procedures for Each Operating System and Filesystem Preinstalled Tools Make Forensics Easier Know Your Limits Legal Organizational Rights and Limits Search and Seizure Guidelines Will This End Up in Court? Develop Your Incident Response Team Organize the Team State Clear Processes Coordinate with Local Law Enforcement Terms to Know Review Questions Chapter 3 Computer Evidence 51 What Is Computer Evidence? Incidents and Computer Evidence Types of Evidence Search and Seizure Voluntary Surrender Subpoena Search Warrant Chain of Custody Definition Controls Documentation Evidence Admissibility in a Court of Law Relevance and Admissibility Techniques to Ensure Admissibility Leave No Trace Read-Only Image Software Write Blocker Hardware Write Blocker Terms to Know Review Questions Chapter 4 Common Tasks 73 Evidence Identification Physical Hardware Removable Storage Documents

10 Contents ix Evidence Preservation Pull the Plug or Shut It Down? Supply Power As Needed Provide Evidence of Initial State Evidence Analysis Knowing Where to Look Wading through the Sea of Data Sampling Data Evidence Presentation Know Your Audience Organization of Presentation Keep It Simple Terms to Know Review Questions Chapter 5 Capturing the Data Image 95 Full Volume Images Evidence Collection Order Preparing Media and Tools Collecting the Volatile Data Creating a Duplicate of the Hard Disk Extracting Data from PDAs Image and Tool Documentation Partial Volume Image Imaging/Capture Tools Utilities Commercial Software PDA Tools Terms to Know Review Questions Chapter 6 Extracting Information from Data 117 What Are You Looking For? Internet Files Headers Deleted Files Passwords How People Think Picking the Low-Hanging Fruit Hidden Evidence Trace Evidence Terms to Know Review Questions

11 x Contents Chapter 7 Passwords and Encryption 139 Passwords Finding Passwords Deducing Passwords Cracking Passwords Encryption Basics Common Encryption Practices Private Key Algorithms Public Key Algorithms Steganography Strengths and Weaknesses of Encryption Key Length Key Management Handling Encrypted Data Identifying Encrypted Files Decrypting Files Terms to Know Review Questions Chapter 8 Common Forensics Tools 161 Disk Imaging and Validation Tools ByteBack dd DriveSpy EnCase Forensic Replicator FTK Imager Norton Ghost ProDiscover SafeBack SMART WinHex Forensics Tools Software Suites Miscellaneous Software Tools Hardware Your Forensics Toolkit Each Organization Is Different Most Examiners Use Overlapping Tools Terms to Know Review Questions

12 Contents xi Chapter 9 Pulling It All Together 195 Begin with a Concise Summary Document Everything, Assume Nothing Interviews and Diagrams Videotapes and Photographs Transporting the Evidence Documenting Gathered Evidence Additional Documentation Formulating the Report Sample Analysis Reports Case #234 NextGard Technology Copyright Piracy Summary Additional Report Subsections Using Software to Generate Reports Terms to Know Review Questions Chapter 10 How to Testify in Court 221 Preparation Is Everything Understand the Case Understand the Strategy Understand Your Job Appearance Matters Clothing Grooming Attitude What Matters Is What They Hear Listening Tone Vocabulary Know Your Forensics Process and Tools Best Practices Your Process and Documentation Your Forensic Toolkit Say Only What Is Necessary Be Complete, But Not Overly Elaborate Remember Your Audience Keep It Simple Explaining Technical Concepts Use Presentation Aids When Needed Watch for Feedback Be Ready to Justify Every Step Summary Terms to Know Review Questions

13 xii Contents Appendix A Answers to Review Questions 239 Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Appendix B Forensics Resources 249 Information Organizations Publications Services Software Training Appendix C Forensics Certifications 253 Advanced Information Security (AIS) Certified Computer Examiner (CCE) Certified Cyber-Crime Expert (C 3 E) Certified Information Forensics Investigator (CIFI) Certified Computer Crime Investigator (CCCI) Certified Computer Forensic Technician (CCFT) Certified Forensic Computer Examiner (CFCE) Certified Information Systems Auditor (CISA) EnCase Certified Examiner Program GIAC Certified Forensic Analyst (GCFA) Professional Certified Investigator (PCI) Appendix D Forensics Tools 261 Forensics Tool Suites Ultimate Toolkit Maresware X-Ways Forensics Forensicware Password-Cracking Utilities Passware ElcomSoft

14 Contents xiii CD Analysis Utilities IsoBuster CD/DVD Inspector Metadata Viewer Utility Metadata Assistant Graphic Viewing Utility Quick View Plus Forensics Hardware Devices Intelligent Computer Solutions Computer Forensics Training Intense School Computer Forensics Training Class Glossary 267 Index 274

15