System Forensics, Investigation, and Response

Transcription

1 JONES AND & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES System Forensics, Investigation, and Response JOHN R. VACCA AND K RUDOLPH

2 World Headquarters Jones & Bartlett Learning 40 Tall Pine Drive Sudbury, MA Jones & Bartlett Learning Canada 6339 Ormindale Way Mississauga, Ontario L5V 1J2 Canada Jones & Bartlett Learning International Barb House, Barb Mews London W6 7PA United Kingdom Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call , fax , or visit our website, Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an to Copyright 2011 by Jones & Bartlett Learning, LLC All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought. Production Credits Chief Executive Officer: Ty Field President: James Homer SVP, Chief Operating Officer: Don Jones, Jr. SVP, Chief Technology Officer: Dean Fossella SVP, Chief Marketing Officer: Alison M. Pendergast SVP, Chief Financial Officer: Ruth Siporin SVP, Business Development: Christopher Will VP, Design and Production: Anne Spencer VP, Manufacturing and Inventory Control: Therese Connell Editorial Management: High Stakes Writing, LLC, Editor and Publisher: Lawrence J. Goodrich Reprints and Special Projects Manager: Susan Schultz Associate Production Editor: Tina Chen Director of Marketing: Alisha Weisman Sernior Marketing Manager: Andrea DeFronzo Cover Design: Anne Spencer Composition: Sara Arand Cover Image: ErickN/ShutterStock, Inc. Chapter Opener Image: Rodolfo Clix/Dreamstime.com Printing and Binding: Malloy, Inc. Cover Printing: Malloy, Inc. ISBN: Printed in the United States of America

3 Contents Preface xiii Acknowledgments xv PART one The System Forensics Landscape 1 CHAPTER 1 System Forensics Fundamentals 2 Understanding System Forensics 3 Who Uses Forensics? 4 How Computers Are Used in Crimes 6 System Forensics Specialists and What They Do 8 Tasks of a Forensic Specialist 8 How a Forensic Specialist Begins an Investigation 10 System Forensics Evidence: Its Use and Handling 11 Digital Evidence Challenges 12 Protecting Evidence 12 Testing Forensic Evidence 12 Applying Forensic Analysis Skills 13 Following Proper Forensic Procedures 14 Types of System Forensics Analysis 14 Examples of Forensic Investigations 15 CHAPTER SUMMARY 16 KEY ConCEPTS And TERMS 16 CHAPTER 1 ASSESSMEnT 17 CHAPTER 2 overview of Computer Crime 18 Types of Cybercrime 19 DoS and DDoS Attacks 19 Intellectual Property Theft 20 Child Exploitation, Abuse, and Pornography 20 Identity Theft 20 Fraud 21 Extortion 22 Cyberstalking 22 iii

4 iv Contents Transmission of Malware 22 Hacking 22 Spamming 22 Sale and Purchase of Narcotics Over the Internet 24 Gambling 24 Sources of Cybercrime Threats 25 Nation-States 25 Cyberterrorists 25 Other Threats 26 Means, Motives, and Opportunities of Cybercriminals 27 Means: Tools and Techniques of Cybercriminals 27 Motives of Cybercriminals 28 Opportunities for Cybercriminals 30 Reporting Cybercrimes 30 What to Report 31 Where to Report Computer Crimes 32 Applicable Laws 35 The Role of System Forensics in Solving Crimes 36 CHAPTER SUMMARY 38 Key Concepts and Terms 38 Chapter 2 Assessment 39 CHAPTER 3 Challenges of System Forensics 40 Difficulties in Obtaining Forensic Digital Evidence 41 What Is Digital Evidence? 41 Data Access 43 Technical Data Collection Considerations 45 Obscured Data and Anti-Forensics 46 The Role Evidence Dynamics Plays in System Forensics 47 Scope-Related Challenges to System Forensics 49 Large Volumes of Data 50 System Complexity 51 Distributed Crime Scenes 52 Growing Caseload and Limited Resources 52 The Need for Professionalization 54 CHAPTER SUMMARY 55 Key Concepts and Terms 55 Chapter 3 Assessment 56

5 Contents v CHAPTER 4 Forensics Methods and Labs 57 Forensic Soundness 58 Forensic Frameworks and Processes 60 The DFRWS Framework 60 An Event-Based Digital Forensic Investigation Framework 60 Building a Business Case for Creating a Forensics Lab 62 Setting Up a Forensics Lab 64 The Duties of a Lab Manager and Staff 65 Planning a Forensics Lab Budget 65 Determining Physical Requirements for a Computer Forensics Lab 69 Stocking a Forensics Lab 74 Policies, Processes, and Procedures for Maintaining a Lab 77 Creating a Disaster Recovery Plan 77 Planning for Equipment Upgrades 78 CHAPTER SUMMARY 79 KEY ConCEPTS And TERMS 79 CHAPTER 4 ASSESSMEnT 80 PART TWo Technical Overview: System Forensics Tools, Techniques, and Methods 81 CHAPTER 5 System Forensics Technologies 82 How the Military Uses System Forensics 83 Which Technologies Law Enforcement Agencies Use 83 Evidence Preservation 84 Trojan Horse Programs 84 Documentation of Methodologies and Findings 85 Disk Structure 85 File Slack Searching 85 Data-Hiding Techniques 85 Fuzzy Logic Tools for Identifying Unknown Text 88 Data Encryption 88 Disk-to-Computer Matching 88 Data Compression 88 Recovery of Erased Files 89 Internet Abuse Identification and Detection 89 The Boot Process and Memory-Resident Programs 89 Flash Memory Media Processing 89

6 vi Contents How Businesses Use System Forensics Technologies 89 Remote Monitoring of Target Computers 92 Trackable Electronic Documents 92 Theft Recovery Software for Laptops and PCs 92 Handling Evidence 93 Encryption Methods and Vulnerabilities 95 Security and Wireless Technologies 98 Firewall Forensics 100 Commonly Used System Forensics Tools 102 EnCase 102 Forensic Toolkit (FTK) 102 Helix 102 AnaDisk Disk Analysis Tool 103 CopyQM Plus Disk Duplication Software 103 TextSearch Plus 103 Filter_G Intelligent Forensic Filter 104 UFED 104 Device Seizure 104 The Zdziarski Technique 105 CHAPTER SUMMARY 106 Key Concepts and Terms 106 Chapter 5 Assessment 106 CHAPTER 6 Controlling a Forensic Investigation 108 Preserving a Digital Crime Scene 109 Considerations in Collecting Evidence 111 Securing the Physical Evidence 112 Volatile Data: Two Schools of Thought 112 Determining How Much to Duplicate 113 Making a Bit Stream Backup 114 Booting a Computer 116 Examining Evidence 116 Physical Analysis and Logical Analysis 118 Physical Analysis 118 Logical Analysis 121 Legal Aspects of Acquiring Evidence 122 The Fourth Amendment 123 Processing and Logging Evidence 124 The Computer Evidence Collection Process 126 CHAPTER SUMMARY 128 Key Concepts and Terms 128 Chapter 6 Assessment 129

7 Contents vii chapter 7 Collecting, Seizing, and Protecting Evidence 130 Collecting Forensic Evidence 131 Obstacles to Data Collection 132 Types of Forensic Evidence 133 The Rules of Evidence 133 Do s and Don ts of Data Collection 134 Logging and Monitoring 136 Methods of Data Collection: Freezing the Scene and Honeypotting 136 The Steps in Seizing Forensic Evidence 138 Shutting Down the Computer 138 Documenting the Hardware Configuration of the System 139 Transporting the Computer System to a Secure Location 139 Mathematically Authenticating Data on All Storage Devices 139 Making a List of Key Search Words 140 Searching Files, File Slack, and Unallocated Space for Keywords 141 Documenting Filenames, Dates, and Times 142 Identifying File, Program, and Storage Anomalies 142 Evaluating Program Functionality 143 Documenting Findings 143 Retaining Copies of Software Used 143 Protecting Evidence: Controlling Contamination 143 Creating a Timeline 144 Forensic Analysis of Backups 145 Reconstructing an Attack 145 CHAPTER SUMMARY 146 Key Concepts and Terms 146 Chapter 7 Assessment 147 CHAPTER 8 Understanding Information-Hiding Techniques 148 History of Data Hiding 149 Alternate Data Streams (ADS) 151 Risks Associated With ADS 151 Executing Code From ADS 153 Rootkits 154 Steganography Concepts and Tools 155 Types of Steganography 155 Steganography Algorithms 156 Steganography Software 158

8 viii Contents Defeating Steganography 161 Detecting the Use of Steganography Software 161 Strengths and Weaknesses of Today s Detection Methods 163 Steganalysis 164 Extracting Hidden Information 165 Steganalysis Software 166 CHAPTER SUMMARY 167 Key Concepts and Terms 168 Chapter 8 Assessment 168 CHAPTER 9 Recovering Data 170 What Is Data Recovery? 171 Disk Structure and Recovery Techniques 172 Recovering Data After Physical Damage 172 Recovering Data After Logical Damage 174 Data Backup and Recovery 176 Obstacles to Data Backup 177 Key Elements of Data Backup 178 The Role of Backups in Data Recovery 182 Data Recovery Today 183 Handling Failures 184 Critical Thinking and Creative Problem Solving 184 Preparing for Recovery 185 CHAPTER SUMMARY 187 Key Concepts and Terms 187 Chapter 9 Assessment 188 CHAPTER 10 Investigating and Scrutinizing 189 The Roles of Mail Servers and Clients 190 Understanding Headers 192 Viewing an Header 193 Interpreting an Header 194 Tracing 195 Faking Tracing in Forensic Investigations 200 An Tracing Example 201 Legal Considerations in Investigating 203 The Fourth Amendment to the U.S. Constitution 204 The Electronic Communications Privacy Act 204

9 Contents ix CHAPTER SUMMARY 205 Key Concepts and Terms 205 Chapter 10 Assessment 206 CHAPTER 11 Performing Network Analysis 207 Network Basics 208 Wireless Networks 209 Common Network Protocols 211 Types of Network-Related Attacks 211 Types of Router Attacks 213 DoS Attacks 213 Web Attacks 214 Investigating Network Traffic 215 Using Log Files as Evidence 216 Firewall Forensics 217 Using Sniffers and Other Traffic Analysis Tools 221 Investigating Router Attacks 221 Collecting Router Evidence 223 Router Logs 224 CHAPTER SUMMARY 226 Key Concepts and Terms 226 Chapter 11 Assessment 227 CHAPTER 12 Searching Memory in Real Time with Live System Forensics 228 The Need for Live System Forensics 229 Live System Forensics Versus Dead System Analysis 230 Problems with Dead System Forensics 231 Live Forensic Acquisition 232 Benefits and Limitations of Live Acquisition 235 Live System Forensics Consistency Issues 237 Understanding the Consistency Problem 238 Locating Different Memory Segments in UNIX 240 Tools for Analyzing Computer Memory 240 Live Response 241 Volatile Memory Analysis 243 Analysis of Live Response Versus Volatile Memory Analysis 245 CHAPTER SUMMARY 247 Key Concepts and Terms 248 Chapter 12 Assessment 248

10 x Contents PART THREE Incident Response, Future Directions, and Resources 249 CHAPTER 13 Incident and Intrusion Response 250 Minimizing Incidents 251 Events and Incidents 253 Assembling an Incident Response Team 254 Establishing Team Roles 255 Coordinating a Response 256 Defining an Incident Response Plan 257 Assessment 258 Communication 259 Containment 260 Evaluation 262 Recovery 266 Document and Review 267 CHAPTER SUMMARY 268 KEY ConCEPTS And TERMS 268 CHAPTER 13 ASSESSMEnT 269 CHAPTER 14 Trends and Future directions 270 Hardware Trends 271 What Moore s Law Means to System Forensics 272 Device Overload 273 Software Trends 274 Proliferation of Software Products 274 Software as a Service 275 Forensic Support Software 275 Proliferation of Software Development Models 276 The Changing Uses of Technology 276 Collaborative Investigations 278 The Changing Legal Environment 278 The Computer Fraud and Abuse Act (1984) 278 Computer Trespass or Intrusion 280 Theft of Information 281 Interception of Communications Laws 281 Spam and Phishing Laws 282 Cybersquatting 283 Malicious Acts 284 Evolving Cybercrime Laws 285 Trends in Professionalization and Certification 285

11 Contents xi CHAPTER SUMMARY 287 Key Concepts and Terms 287 Chapter 14 Assessment 288 CHAPTER 15 System Forensics Resources 289 System Forensics Certification and Training 290 International Association of Computer Investigative Specialists (IACIS) 290 High Tech Crime Network (HTCN) 291 EnCase Certified Examiner (EnCE) Certification 291 AccessData Certified Examiner (ACE) 291 Defense Cyber Investigations Training Academy (DCITA) 292 Other Training Programs and Certifications 292 User Groups 293 Online Resources 293 System Forensics Organizations and Information 293 Discussion List Servers 294 Forensic Journals 295 Conferences 295 Forensic Tools 296 CHAPTER SUMMARY 305 Key Concepts and Terms 305 Chapter 15 Assessment 305 Appendix A Answer Key 307 appendix b Standard Acronyms 309 Glossary of Key Terms 311 References 323 Index 329

12

13 Preface Purpose of This book This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning ( Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental informationsecurity principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well. Computer crimes call for forensics specialists people who know how to find and follow the evidence. This book begins by examining the fundamentals of system forensics: what forensics is, an overview of computer crime, the challenges of system forensics, and forensics methods and labs. The second part of this book addresses the tools, techniques, and methods used to perform computer forensics and investigation. These include collecting evidence, investigating information-hiding, recovering data, scrutinizing , and searching memory in real time. Finally, the third part explores incident and intrusion response, emerging technologies and future directions of this field, and additional system forensics resources. Learning Features The writing style of this book is practical and conversational. Each chapter begins with a statement of learning objectives. Step-by-step examples of information security concepts and procedures are presented throughout the text. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book. xiii

14 xiv Preface Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented. Audience The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.

15 Acknowledgments The authors would like to thank the following individuals and organizations for granting permission to re-use materials in this book: Matthew Braid, Carnegie Mellon Software Engineering Institute (SEI), Computer Forensic Services, Inc., Andreas Furuseth, Frank Y. M. Law, NTI/Armor Forensics, Dr. Thomas O Connor, and Golden Richard III and Vassil Roussev (through IGI Global). The publisher wishes to extend special thanks to Kitty Wilson, whose yeoman efforts made this book possible. xv

16 About the Authors John R. Vacca is an information technology consultant and internationally known bestselling author based in Pomeroy, Ohio. Since 1982, John has written 62 books and more than 600 articles in the areas of advanced storage, computer security, and aerospace technology. John was also a configuration management specialist, computer specialist, and the computer security official (CSO) for NASA s space station program (Freedom) and the International Space Station Program from 1988 until his retirement from NASA in In addition, John is an independent online book reviewer. He was also one of the security consultants for the MGM movie AntiTrust, which was released in K Rudolph is a Certified Information Systems Security Professional (CISSP) with a degree from Johns Hopkins University. She is the primary author of the chapter on security awareness from the Computer Security Handbook, Vol. 5, and is also the author of the chapter on security awareness in the Handbook of Information Security published in 2006 and K is a named contributor to and participant in the work group that created NIST Special Publication , Information Technology Security Training Requirements: A Role- and Performance-Based Model. K has presented at conferences that include the Computer Security Institute Security Exchange (CSI SX) Conference in 2008, the New York Cyber Security Conference (2006 and 2007), the Annual CSI Computer Security Conferences (2005, 2007), and Information Assurance and Security Conferences held by FISSEA, FIAC, and egov. In March 2006, K was honored by the Federal Information Systems Security Educators Association (FISSEA) as the Security Educator of the Year.