Computer Forensics JumpStart




Computer Forensics JumpStart
Michael G. Solomon, Diane Barrett, Neil Broom
SYBEX, San Francisco and London

Associate Publisher: Neil Edde
Acquisitions and Developmental Editor: Maureen Adams
Production Editor: Lori Newman
Technical Editor: Warren G. Kruse
Copyeditor: Kathy Grider-Carlyle
Compositor: Jeff Wilson, Happenstance Type-O-Rama
Graphic Illustrator: Jeff Wilson, Happenstance Type-O-Rama
Proofreaders: Ian Golder, Amy Rasmussen, Nancy Riddiough
Indexer: Nancy Guenther
Book Designer: Judy Fung
Cover Designer: Richard Miller, Calyx Design
Cover Illustrator: Richard Miller, Calyx Design

Copyright 2005 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.

Library of Congress Card Number: 2004113397
ISBN: 0-7821-4375-X

SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. JumpStart is a trademark of SYBEX Inc.

Screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated.

Internet screen shot(s) using Microsoft Internet Explorer 6 reprinted by permission from Microsoft Corporation.

TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer.

The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

About the Authors

Michael G. Solomon is a full-time security speaker, consultant (http://www.solomonconsulting.com/), trainer, and a former college instructor who specializes in security topics related to development and assessment. As an IT professional and consultant since 1987, he has worked on projects or trained for more than 60 major companies and organizations, including EarthLink, Nike Corporation, Lucent Technologies, BellSouth, UPS, the U.S. Coast Guard, and Norrell. From 1998 until 2001, Michael was an instructor in Kennesaw State University's Computer Science and Information Sciences (CSIS) department, where he taught courses on software project management, C++ programming, computer organization and architecture, and data communications. Michael has an M.S. in mathematics and computer science from Emory University (1998) and a B.S. in computer science from Kennesaw State University (1987). Michael has also contributed to various security certification books for LANWrights/iLearning, including TICSA Training Guide and an accompanying Instructor Resource Kit (Que, 2002), CISSP Study Guide (Sybex, 2003), and Security+ Training Guide (Que, 2003). Michael co-authored Information Security Illuminated (Jones and Bartlett, 2005) and Security+ Lab Manual Exam Cram 2 (Que, 2005), and authored and provided the on-camera delivery of LearnKey's CISSP Prep e-learning course. Michael's certifications include Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and TruSecure ICSA Certified Security Associate (TICSA).

Diane Barrett has been involved in the IT industry since 1993. She works at Remington College, where she taught in the computer networking program for two years before becoming a director. She teaches online classes that include networking, security, and virus protection, and she is the president of a security awareness corporation that specializes in training. Diane has co-authored several security and networking books, including MCSA/MCSE 70-299 Exam Cram 2: Implementing and Administering Security in a Windows Server 2003 Network (Que, 2004) and Computer Networking Illuminated (Jones and Bartlett, 2005). She is currently volunteering for ISSA's Generally Accepted Information Security Principles Project in the ethical practices working group. Diane's certifications include Microsoft Certified Systems Engineer (MCSE) on Windows 2000, MCSE+I on Windows NT 4.0, Certified Information Systems Security Professional (CISSP), Cisco Certified Network Associate (CCNA), A+, Network+, i-Net+, and Security+.

Neil Broom is the President of the Technical Resource Center (http://www.trcglobal.com) in Atlanta, Georgia. As a speaker, trainer, course director, and consultant in the fields of Computer Forensics, Information Assurance, and Professional Security Testing, he has over 14 years of experience providing technical education and security services to the military, law enforcement, the health care industry, financial institutions, and government agencies. Neil is the Lead Instructor and Developer of the Computer Forensics and Cyber Investigations course and the Certified Cyber Crime Examiner (C³E) certification, and he provides Computer Forensics services to clients in the Metro Atlanta area and the Southeast United States. Neil is currently the Vice President of the Atlanta Chapter of the International Information Systems Forensics Association, and he is a professional member of the National Speakers Association. His past employment includes the U.S. Navy as a submariner, the Gainesville, Florida Police Department as a law enforcement officer, and Internet Security Systems (ISS) as a security trainer. Neil has multiple certifications, including Certified Information Systems Security Professional (CISSP), Certified Computer Examiner (CCE), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), National Security Agency's INFOSEC Assessment Methodology (IAM), Microsoft Certified Systems Engineer (MCSE 4.0 and 2000), Microsoft Certified Trainer (MCT), and TruSecure ICSA Certified Security Associate (TICSA).

About the Technical Editor

Warren G. Kruse II, CISSP, CFCE, is the co-author of Computer Forensics: Incident Response Essentials, published by Addison-Wesley. Warren has conducted forensics globally in support of cases involving some of the largest law firms and corporations in the world. He is a member of the New York and European Electronic Crimes Task Forces of the U.S. Secret Service. He was elected President of the High Tech Crime Investigation Association's (www.htcia.org) 2005 International Executive Committee. Warren has extensive experience investigating cases involving the illegal use of computers and networks and received the High Tech Crime Investigation Association's (HTCIA) 2001 Case of the Year award. He is an IACIS Certified Forensic Computer Examiner (CFCE) and an (ISC)² Certified Information Systems Security Professional (CISSP). He lectures on computer forensics for the Computer Security Institute (CSI) and has taught computer forensics at the SANS Institute and MIS Training Institute. He is the lead instructor of the hands-on intro and advanced Computer Forensics Bootcamps for Computer Forensic Services, LLC. Warren is a partner at Computer Forensic Services, LLC (www.computer-forensic.com).

To my wife, best friend, and source of unyielding support, Stacey. (Michael G. Solomon)

To my dad, Gerald, who has always encouraged me to be my own person. (Diane Barrett)

To my mother, thank you for always believing in me. (Neil Broom)

Acknowledgments

Anything worth doing is worth doing well, and doing anything well generally requires a lot of help. My family has helped me immensely throughout this project. Stacey, Noah, and Isaac are all great fun to be around and often serve as sounding boards. The one focal point of this book, however, is Kim Lindros at LANWrights/iLearning. She kept the project on track and worked things out regardless of what curve balls I may have sent her way. Kim deserves a huge ovation for her work to get this book into your hands. I truly appreciate the efforts of all the people at LANWrights/iLearning and Sybex to make this project a reality. (Michael G. Solomon)

Thanks to everyone at Sybex for making this book possible, especially Maureen Adams, the acquisitions editor, and Lori Newman, the production editor. Thank you to the wonderful team at LANWrights/iLearning, especially Kim Lindros, who worked so hard behind the scenes to be sure that our work was accurate and completed in a timely fashion. To co-authors Michael Solomon and Neil Broom, thank you for the part each of you played in making this project successful. Thanks to Warren G. Kruse II, our technical reviewer, for making certain our writing was technically and procedurally sound. Finally, special thanks to my husband, Bill, for keeping a sense of humor during the hours I spent writing. (Diane Barrett)

Kim Lindros, you rock! Thank you for all the support and gentle nudging you provided to keep me writing. I also wish to say thank you to the cat and kitten rescue group that I work with, www.furkids.org. Now that the book is finished, I can return to helping save the lives of our furry little friends. (Neil Broom)

Contents

Introduction

Chapter 1: The Need for Computer Forensics
  Defining Computer Forensics
  Real-Life Examples of Computer Crime
    Hacker Pleads Guilty to Illegally Accessing New York Times Computer Network
    Man Pleads Guilty to Hacking Intrusion and Theft of Data Costing Company $5.8 Million
    Three Men Indicted for Hacking into Lowe's Companies Computers with Intent to Steal Credit Card Information
    Former Chief Computer Network Program Designer Arraigned for Alleged $10 Million Computer Software Bomb
    Juvenile Computer Hacker Sentenced to Six Months in Detention Facility
  Corporate versus Law Enforcement Concerns
    Corporate Concerns Focus on Detection and Prevention
    Law Enforcement Focuses on Prosecution
    Russian Computer Hacker Indicted in California for Breaking into Computer Systems and Extorting Victim Companies
  Training
    Practitioners
    End Users
  What Are Your Organization's Needs?
  Terms to Know
  Review Questions

Chapter 2: Preparation: What to Do Before You Start
  Know Your Hardware
    What I/O Devices Are Used?
    Check Computers for Unauthorized Hardware
    Keep Up to Date with New I/O Trends
  Know Your Operating System
    Different Operating Systems
    Know What Filesystems Are in Use
    Maintain Tools and Procedures for Each Operating System and Filesystem
    Preinstalled Tools Make Forensics Easier
  Know Your Limits
    Legal Organizational Rights and Limits
    Search and Seizure Guidelines
    Will This End Up in Court?
  Develop Your Incident Response Team
    Organize the Team
    State Clear Processes
    Coordinate with Local Law Enforcement
  Terms to Know
  Review Questions

Chapter 3: Computer Evidence
  What Is Computer Evidence?
    Incidents and Computer Evidence
    Types of Evidence
  Search and Seizure
    Voluntary Surrender
    Subpoena
    Search Warrant
  Chain of Custody
    Definition
    Controls
    Documentation
  Evidence Admissibility in a Court of Law
    Relevance and Admissibility
    Techniques to Ensure Admissibility
  Leave No Trace
    Read-Only Image
    Software Write Blocker
    Hardware Write Blocker
  Terms to Know
  Review Questions

Chapter 4: Common Tasks
  Evidence Identification
    Physical Hardware
    Removable Storage
    Documents
  Evidence Preservation
    Pull the Plug or Shut It Down?
    Supply Power As Needed
    Provide Evidence of Initial State
  Evidence Analysis
    Knowing Where to Look
    Wading through the Sea of Data
    Sampling Data
  Evidence Presentation
    Know Your Audience
    Organization of Presentation
    Keep It Simple
  Terms to Know
  Review Questions

Chapter 5: Capturing the Data Image
  Full Volume Images
    Evidence Collection Order
    Preparing Media and Tools
    Collecting the Volatile Data
    Creating a Duplicate of the Hard Disk
    Extracting Data from PDAs
    Image and Tool Documentation
  Partial Volume Image
  Imaging/Capture Tools
    Utilities
    Commercial Software
    PDA Tools
  Terms to Know
  Review Questions

Chapter 6: Extracting Information from Data
  What Are You Looking For?
    Internet Files
    E-mail Headers
    Deleted Files
    Passwords
  How People Think
  Picking the Low-Hanging Fruit
  Hidden Evidence
  Trace Evidence
  Terms to Know
  Review Questions

Chapter 7: Passwords and Encryption
  Passwords
    Finding Passwords
    Deducing Passwords
    Cracking Passwords
  Encryption Basics
  Common Encryption Practices
    Private Key Algorithms
    Public Key Algorithms
    Steganography
  Strengths and Weaknesses of Encryption
    Key Length
    Key Management
  Handling Encrypted Data
    Identifying Encrypted Files
    Decrypting Files
  Terms to Know
  Review Questions

Chapter 8: Common Forensics Tools
  Disk Imaging and Validation Tools
    ByteBack
    dd
    DriveSpy
    EnCase
    Forensic Replicator
    FTK Imager
    Norton Ghost
    ProDiscover
    SafeBack
    SMART
    WinHex
  Forensics Tools
    Software Suites
    Miscellaneous Software Tools
    Hardware
  Your Forensics Toolkit
    Each Organization Is Different
    Most Examiners Use Overlapping Tools
  Terms to Know
  Review Questions

Chapter 9: Pulling It All Together
  Begin with a Concise Summary
  Document Everything, Assume Nothing
    Interviews and Diagrams
    Videotapes and Photographs
    Transporting the Evidence
    Documenting Gathered Evidence
    Additional Documentation
  Formulating the Report
  Sample Analysis Reports
    Case #234 NextGard Technology Copyright Piracy Summary
    Additional Report Subsections
  Using Software to Generate Reports
  Terms to Know
  Review Questions

Chapter 10: How to Testify in Court
  Preparation Is Everything
    Understand the Case
    Understand the Strategy
    Understand Your Job
  Appearance Matters
    Clothing
    Grooming
    Attitude
  What Matters Is What They Hear
    Listening
    Tone
    Vocabulary
  Know Your Forensics Process and Tools
    Best Practices
    Your Process and Documentation
    Your Forensic Toolkit
  Say Only What Is Necessary
    Be Complete, But Not Overly Elaborate
    Remember Your Audience
  Keep It Simple
    Explaining Technical Concepts
    Use Presentation Aids When Needed
    Watch for Feedback
  Be Ready to Justify Every Step
  Summary
  Terms to Know
  Review Questions

Appendix A: Answers to Review Questions
  Chapters 1 through 10

Appendix B: Forensics Resources
  Information
  Organizations
  Publications
  Services
  Software
  Training

Appendix C: Forensics Certifications
  Advanced Information Security (AIS)
  Certified Computer Examiner (CCE)
  Certified Cyber-Crime Expert (C³E)
  Certified Information Forensics Investigator (CIFI)
  Certified Computer Crime Investigator (CCCI)
  Certified Computer Forensic Technician (CCFT)
  Certified Forensic Computer Examiner (CFCE)
  Certified Information Systems Auditor (CISA)
  EnCase Certified Examiner Program
  GIAC Certified Forensic Analyst (GCFA)
  Professional Certified Investigator (PCI)

Appendix D: Forensics Tools
  Forensics Tool Suites
    Ultimate Toolkit
    Maresware
    X-Ways Forensics
    Forensicware
  Password-Cracking Utilities
    Passware
    ElcomSoft
  CD Analysis Utilities
    IsoBuster
    CD/DVD Inspector
  Metadata Viewer Utility
    Metadata Assistant
  Graphic Viewing Utility
    Quick View Plus
  Forensics Hardware Devices
    Intelligent Computer Solutions
  Computer Forensics Training
    Intense School Computer Forensics Training Class

Glossary

Index