System Forensics, Investigation, and Response




Jones & Bartlett Learning Information Systems Security & Assurance Series
System Forensics, Investigation, and Response
John R. Vacca and K Rudolph

World Headquarters
Jones & Bartlett Learning, 40 Tall Pine Drive, Sudbury, MA 01776, 978-443-5000, info@jblearning.com, www.jblearning.com
Jones & Bartlett Learning Canada, 6339 Ormindale Way, Mississauga, Ontario L5V 1J2, Canada
Jones & Bartlett Learning International, Barb House, Barb Mews, London W6 7PA, United Kingdom

Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.

Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.

Copyright 2011 by Jones & Bartlett Learning, LLC. All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.

Production Credits
Chief Executive Officer: Ty Field
President: James Homer
SVP, Chief Operating Officer: Don Jones, Jr.
SVP, Chief Technology Officer: Dean Fossella
SVP, Chief Marketing Officer: Alison M. Pendergast
SVP, Chief Financial Officer: Ruth Siporin
SVP, Business Development: Christopher Will
VP, Design and Production: Anne Spencer
VP, Manufacturing and Inventory Control: Therese Connell
Editorial Management: High Stakes Writing, LLC, Editor and Publisher: Lawrence J. Goodrich
Reprints and Special Projects Manager: Susan Schultz
Associate Production Editor: Tina Chen
Director of Marketing: Alisha Weisman
Senior Marketing Manager: Andrea DeFronzo
Cover Design: Anne Spencer
Composition: Sara Arand
Cover Image: ErickN/ShutterStock, Inc.
Chapter Opener Image: Rodolfo Clix/Dreamstime.com
Printing and Binding: Malloy, Inc.
Cover Printing: Malloy, Inc.

ISBN: 978-0-7637-9134-6
8639
Printed in the United States of America
14 13 12 11 10 10 9 8 7 6 5 4 3 2 1

Contents

Preface xiii
Acknowledgments xv

PART ONE The System Forensics Landscape 1

CHAPTER 1 System Forensics Fundamentals 2
  Understanding System Forensics 3
  Who Uses Forensics? 4
  How Computers Are Used in Crimes 6
  System Forensics Specialists and What They Do 8
  Tasks of a Forensic Specialist 8
  How a Forensic Specialist Begins an Investigation 10
  System Forensics Evidence: Its Use and Handling 11
  Digital Evidence Challenges 12
  Protecting Evidence 12
  Testing Forensic Evidence 12
  Applying Forensic Analysis Skills 13
  Following Proper Forensic Procedures 14
  Types of System Forensics Analysis 14
  Examples of Forensic Investigations 15
  Chapter Summary 16
  Key Concepts and Terms 16
  Chapter 1 Assessment 17

CHAPTER 2 Overview of Computer Crime 18
  Types of Cybercrime 19
  DoS and DDoS Attacks 19
  Intellectual Property Theft 20
  Child Exploitation, Abuse, and Pornography 20
  Identity Theft 20
  Fraud 21
  Extortion 22
  Cyberstalking 22
  Transmission of Malware 22
  Hacking 22
  Spamming 22
  Sale and Purchase of Narcotics Over the Internet 24
  Gambling 24
  Sources of Cybercrime Threats 25
  Nation-States 25
  Cyberterrorists 25
  Other Threats 26
  Means, Motives, and Opportunities of Cybercriminals 27
  Means: Tools and Techniques of Cybercriminals 27
  Motives of Cybercriminals 28
  Opportunities for Cybercriminals 30
  Reporting Cybercrimes 30
  What to Report 31
  Where to Report Computer Crimes 32
  Applicable Laws 35
  The Role of System Forensics in Solving Crimes 36
  Chapter Summary 38
  Key Concepts and Terms 38
  Chapter 2 Assessment 39

CHAPTER 3 Challenges of System Forensics 40
  Difficulties in Obtaining Forensic Digital Evidence 41
  What Is Digital Evidence? 41
  Data Access 43
  Technical Data Collection Considerations 45
  Obscured Data and Anti-Forensics 46
  The Role Evidence Dynamics Plays in System Forensics 47
  Scope-Related Challenges to System Forensics 49
  Large Volumes of Data 50
  System Complexity 51
  Distributed Crime Scenes 52
  Growing Caseload and Limited Resources 52
  The Need for Professionalization 54
  Chapter Summary 55
  Key Concepts and Terms 55
  Chapter 3 Assessment 56

CHAPTER 4 Forensics Methods and Labs 57
  Forensic Soundness 58
  Forensic Frameworks and Processes 60
  The DFRWS Framework 60
  An Event-Based Digital Forensic Investigation Framework 60
  Building a Business Case for Creating a Forensics Lab 62
  Setting Up a Forensics Lab 64
  The Duties of a Lab Manager and Staff 65
  Planning a Forensics Lab Budget 65
  Determining Physical Requirements for a Computer Forensics Lab 69
  Stocking a Forensics Lab 74
  Policies, Processes, and Procedures for Maintaining a Lab 77
  Creating a Disaster Recovery Plan 77
  Planning for Equipment Upgrades 78
  Chapter Summary 79
  Key Concepts and Terms 79
  Chapter 4 Assessment 80

PART TWO Technical Overview: System Forensics Tools, Techniques, and Methods 81

CHAPTER 5 System Forensics Technologies 82
  How the Military Uses System Forensics 83
  Which Technologies Law Enforcement Agencies Use 83
  Evidence Preservation 84
  Trojan Horse Programs 84
  Documentation of Methodologies and Findings 85
  Disk Structure 85
  File Slack Searching 85
  Data-Hiding Techniques 85
  Fuzzy Logic Tools for Identifying Unknown Text 88
  Data Encryption 88
  Disk-to-Computer Matching 88
  Data Compression 88
  Recovery of Erased Files 89
  Internet Abuse Identification and Detection 89
  The Boot Process and Memory-Resident Programs 89
  Flash Memory Media Processing 89
  How Businesses Use System Forensics Technologies 89
  Remote Monitoring of Target Computers 92
  Trackable Electronic Documents 92
  Theft Recovery Software for Laptops and PCs 92
  Handling Evidence 93
  Encryption Methods and Vulnerabilities 95
  Security and Wireless Technologies 98
  Firewall Forensics 100
  Commonly Used System Forensics Tools 102
  EnCase 102
  Forensic Toolkit (FTK) 102
  Helix 102
  AnaDisk Disk Analysis Tool 103
  CopyQM Plus Disk Duplication Software 103
  TextSearch Plus 103
  Filter_G Intelligent Forensic Filter 104
  UFED 104
  Device Seizure 104
  The Zdziarski Technique 105
  Chapter Summary 106
  Key Concepts and Terms 106
  Chapter 5 Assessment 106

CHAPTER 6 Controlling a Forensic Investigation 108
  Preserving a Digital Crime Scene 109
  Considerations in Collecting Evidence 111
  Securing the Physical Evidence 112
  Volatile Data: Two Schools of Thought 112
  Determining How Much to Duplicate 113
  Making a Bit Stream Backup 114
  Booting a Computer 116
  Examining Evidence 116
  Physical Analysis and Logical Analysis 118
  Physical Analysis 118
  Logical Analysis 121
  Legal Aspects of Acquiring Evidence 122
  The Fourth Amendment 123
  Processing and Logging Evidence 124
  The Computer Evidence Collection Process 126
  Chapter Summary 128
  Key Concepts and Terms 128
  Chapter 6 Assessment 129

CHAPTER 7 Collecting, Seizing, and Protecting Evidence 130
  Collecting Forensic Evidence 131
  Obstacles to Data Collection 132
  Types of Forensic Evidence 133
  The Rules of Evidence 133
  Do's and Don'ts of Data Collection 134
  Logging and Monitoring 136
  Methods of Data Collection: Freezing the Scene and Honeypotting 136
  The Steps in Seizing Forensic Evidence 138
  Shutting Down the Computer 138
  Documenting the Hardware Configuration of the System 139
  Transporting the Computer System to a Secure Location 139
  Mathematically Authenticating Data on All Storage Devices 139
  Making a List of Key Search Words 140
  Searching Files, File Slack, and Unallocated Space for Keywords 141
  Documenting Filenames, Dates, and Times 142
  Identifying File, Program, and Storage Anomalies 142
  Evaluating Program Functionality 143
  Documenting Findings 143
  Retaining Copies of Software Used 143
  Protecting Evidence: Controlling Contamination 143
  Creating a Timeline 144
  Forensic Analysis of Backups 145
  Reconstructing an Attack 145
  Chapter Summary 146
  Key Concepts and Terms 146
  Chapter 7 Assessment 147

CHAPTER 8 Understanding Information-Hiding Techniques 148
  History of Data Hiding 149
  Alternate Data Streams (ADS) 151
  Risks Associated With ADS 151
  Executing Code From ADS 153
  Rootkits 154
  Steganography Concepts and Tools 155
  Types of Steganography 155
  Steganography Algorithms 156
  Steganography Software 158
  Defeating Steganography 161
  Detecting the Use of Steganography Software 161
  Strengths and Weaknesses of Today's Detection Methods 163
  Steganalysis 164
  Extracting Hidden Information 165
  Steganalysis Software 166
  Chapter Summary 167
  Key Concepts and Terms 168
  Chapter 8 Assessment 168

CHAPTER 9 Recovering Data 170
  What Is Data Recovery? 171
  Disk Structure and Recovery Techniques 172
  Recovering Data After Physical Damage 172
  Recovering Data After Logical Damage 174
  Data Backup and Recovery 176
  Obstacles to Data Backup 177
  Key Elements of Data Backup 178
  The Role of Backups in Data Recovery 182
  Data Recovery Today 183
  Handling Failures 184
  Critical Thinking and Creative Problem Solving 184
  Preparing for Recovery 185
  Chapter Summary 187
  Key Concepts and Terms 187
  Chapter 9 Assessment 188

CHAPTER 10 Investigating and Scrutinizing E-mail 189
  The Roles of Mail Servers and E-mail Clients 190
  Understanding E-mail Headers 192
  Viewing an E-mail Header 193
  Interpreting an E-mail Header 194
  E-mail Tracing 195
  Faking E-mail 196
  E-mail Tracing in Forensic Investigations 200
  An E-mail Tracing Example 201
  Legal Considerations in Investigating E-mail 203
  The Fourth Amendment to the U.S. Constitution 204
  The Electronic Communications Privacy Act 204
  Chapter Summary 205
  Key Concepts and Terms 205
  Chapter 10 Assessment 206

CHAPTER 11 Performing Network Analysis 207
  Network Basics 208
  Wireless Networks 209
  Common Network Protocols 211
  Types of Network-Related Attacks 211
  Types of Router Attacks 213
  DoS Attacks 213
  Web Attacks 214
  Investigating Network Traffic 215
  Using Log Files as Evidence 216
  Firewall Forensics 217
  Using Sniffers and Other Traffic Analysis Tools 221
  Investigating Router Attacks 221
  Collecting Router Evidence 223
  Router Logs 224
  Chapter Summary 226
  Key Concepts and Terms 226
  Chapter 11 Assessment 227

CHAPTER 12 Searching Memory in Real Time with Live System Forensics 228
  The Need for Live System Forensics 229
  Live System Forensics Versus Dead System Analysis 230
  Problems with Dead System Forensics 231
  Live Forensic Acquisition 232
  Benefits and Limitations of Live Acquisition 235
  Live System Forensics Consistency Issues 237
  Understanding the Consistency Problem 238
  Locating Different Memory Segments in UNIX 240
  Tools for Analyzing Computer Memory 240
  Live Response 241
  Volatile Memory Analysis 243
  Analysis of Live Response Versus Volatile Memory Analysis 245
  Chapter Summary 247
  Key Concepts and Terms 248
  Chapter 12 Assessment 248

PART THREE Incident Response, Future Directions, and Resources 249

CHAPTER 13 Incident and Intrusion Response 250
  Minimizing Incidents 251
  Events and Incidents 253
  Assembling an Incident Response Team 254
  Establishing Team Roles 255
  Coordinating a Response 256
  Defining an Incident Response Plan 257
  Assessment 258
  Communication 259
  Containment 260
  Evaluation 262
  Recovery 266
  Document and Review 267
  Chapter Summary 268
  Key Concepts and Terms 268
  Chapter 13 Assessment 269

CHAPTER 14 Trends and Future Directions 270
  Hardware Trends 271
  What Moore's Law Means to System Forensics 272
  Device Overload 273
  Software Trends 274
  Proliferation of Software Products 274
  Software as a Service 275
  Forensic Support Software 275
  Proliferation of Software Development Models 276
  The Changing Uses of Technology 276
  Collaborative Investigations 278
  The Changing Legal Environment 278
  The Computer Fraud and Abuse Act (1984) 278
  Computer Trespass or Intrusion 280
  Theft of Information 281
  Interception of Communications Laws 281
  Spam and Phishing Laws 282
  Cybersquatting 283
  Malicious Acts 284
  Evolving Cybercrime Laws 285
  Trends in Professionalization and Certification 285
  Chapter Summary 287
  Key Concepts and Terms 287
  Chapter 14 Assessment 288

CHAPTER 15 System Forensics Resources 289
  System Forensics Certification and Training 290
  International Association of Computer Investigative Specialists (IACIS) 290
  High Tech Crime Network (HTCN) 291
  EnCase Certified Examiner (EnCE) Certification 291
  AccessData Certified Examiner (ACE) 291
  Defense Cyber Investigations Training Academy (DCITA) 292
  Other Training Programs and Certifications 292
  User Groups 293
  Online Resources 293
  System Forensics Organizations and Information 293
  Discussion List Servers 294
  Forensic Journals 295
  Conferences 295
  Forensic Tools 296
  Chapter Summary 305
  Key Concepts and Terms 305
  Chapter 15 Assessment 305

Appendix A Answer Key 307
Appendix B Standard Acronyms 309
Glossary of Key Terms 311
References 323
Index 329

Preface

Purpose of This Book

This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking, putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.

Computer crimes call for forensics specialists, people who know how to find and follow the evidence. This book begins by examining the fundamentals of system forensics: what forensics is, an overview of computer crime, the challenges of system forensics, and forensics methods and labs. The second part of this book addresses the tools, techniques, and methods used to perform computer forensics and investigation. These include collecting evidence, investigating information-hiding, recovering data, scrutinizing e-mail, and searching memory in real time. Finally, the third part explores incident and intrusion response, emerging technologies and future directions of this field, and additional system forensics resources.

Learning Features

The writing style of this book is practical and conversational. Each chapter begins with a statement of learning objectives. Step-by-step examples of information security concepts and procedures are presented throughout the text. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book.

Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.

Audience

The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.

Acknowledgments

The authors would like to thank the following individuals and organizations for granting permission to re-use materials in this book: Matthew Braid, Carnegie Mellon Software Engineering Institute (SEI), Computer Forensic Services, Inc., Andreas Furuseth, Frank Y. M. Law, NTI/Armor Forensics, Dr. Thomas O'Connor, and Golden Richard III and Vassil Roussev (through IGI Global). The publisher wishes to extend special thanks to Kitty Wilson, whose yeoman efforts made this book possible.

About the Authors

John R. Vacca is an information technology consultant and internationally known bestselling author based in Pomeroy, Ohio. Since 1982, John has written 62 books and more than 600 articles in the areas of advanced storage, computer security, and aerospace technology. John was also a configuration management specialist, computer specialist, and the computer security official (CSO) for NASA's space station program (Freedom) and the International Space Station Program from 1988 until his retirement from NASA in 1995. In addition, John is an independent online book reviewer. He was also one of the security consultants for the MGM movie AntiTrust, which was released in 2001.

K Rudolph is a Certified Information Systems Security Professional (CISSP) with a degree from Johns Hopkins University. She is the primary author of the chapter on security awareness from the Computer Security Handbook, Vol. 5, and is also the author of the chapter on security awareness in the Handbook of Information Security published in 2006 and 2009. K is a named contributor to and participant in the work group that created NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model. K has presented at conferences that include the Computer Security Institute Security Exchange (CSI SX) Conference in 2008, the New York Cyber Security Conference (2006 and 2007), the Annual CSI Computer Security Conferences (2005, 2007), and Information Assurance and Security Conferences held by FISSEA, FIAC, and egov. In March 2006, K was honored by the Federal Information Systems Security Educators Association (FISSEA) as the Security Educator of the Year.