Best Damn Cybercrime and Digital Forensics Book Period - Anthony Reyes, Jack Wiles

Best Damn Cybercrime and Digital Forensics Book Period (eBook)

eBook download: PDF
2011 | 1st edition
736 pages
Elsevier Science (publisher)
978-0-08-055608-6 (ISBN)
Electronic discovery refers to a process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a legal case. Computer forensics is the application of computer investigation and analysis techniques to find out exactly what happened on a computer and who was responsible. IDC estimates that the U.S. market for computer forensics will grow from $252 million in 2004 to $630 million by 2009. Business is strong outside the United States as well. By 2011, the estimated international market will be $1.8 billion. The Techno Forensics Conference has increased in size by almost 50% in its second year, another example of the rapid growth in the market.

This book is the first to combine cybercrime and digital forensic topics to provide law enforcement and IT security professionals with the information needed to manage a digital investigation. Everything needed for analyzing forensic data and recovering digital evidence can be found in one place, including instructions for building a digital forensics lab.

* Digital investigation and forensics is a growing industry
* Corporate I.T. departments needing to investigate incidents related to corporate espionage or other criminal activities are learning as they go and need a comprehensive step-by-step guide to e-discovery
* Appeals to law enforcement agencies with limited budgets

Front Cover 1
The Best Damn Cybercrime and Digital Forensics Book Period 2
Copyright Page 3
Contributing Authors 4
Contents 14
Chapter 1: Computer Forensics in Today’s World 36
Introduction 37
History of Forensics 38
Objectives of Computer Forensics 38
Computer-Facilitated Crimes 39
Reasons for Cyber Attacks 41
Computer Forensic Flaws and Risks 41
Modes of Attack 41
Stages of Forensic Investigation in Tracking Computer Crime 41
Rules of Computer Forensics 42
Digital Forensics 42
Assessing the Case: Detecting/Identifying the Event/Crime 43
Preservation of Evidence: Chain of Custody 43
Collection: Data Recovery, Evidence Collection 43
Examination: Tracing, Filtering, Extracting Hidden Data 45
Analysis 45
Approach the Crime Scene 46
Where and When Do You Use Computer Forensics? 47
Legal Issues 47
The Computer Forensics Lab 48
Laboratory Strategic Planning for Business 49
Philosophy of Operation 49
A Forensics Laboratory Is a Business Venue 49
A Forensics Laboratory Is a Technology Venue 50
A Forensics Laboratory Is a Scientific Venue 50
A Forensics Laboratory Is an Artistic Venue 50
Core Mission and Services 50
Revenue Definition 51
“I Know How Expensive I Am. Now, How Do I Get Paid?” 51
SOP (Standard Operating Procedure) 52
Quality Standards: Accreditation 52
Quality Standards: Auditing 53
Human Talent 53
Education and Continuing Education 54
Elements of Facilities Build-out 54
Space Planning Considerations 55
Examination Environment 55
Evidence Storage 55
Network Facilities 56
Fire Protection/Suppression 56
Water Dispersion Systems 57
Gaseous Suppression 58
Chemical Suppression 59
Electrical and Power Plant Considerations 59
LAN/WAN Planning 61
HVAC 62
Abatements 62
Static Electricity 63
EMI (electromagnetic interference) 63
Acoustic Balancing 63
Security 64
Evidence Locker Security 64
General Ambience 65
Spatial Ergonomics 65
A Note on “common office technology” 66
Personal Workspace Design 66
Common Area Considerations 66
Essential Laboratory Tools 67
Write Blockers 68
Write Block Field Kits 69
Hardware Duplication Platforms 70
Portable Forensics Systems 71
Portable Enterprise Systems 73
Laboratory Forensics Systems 73
Media Sterilization Systems 75
Data Management (Backup, Retention, Preservation) 76
CD/DVD Hardware Solutions 77
Portable Device Forensics, Some Basic Tools 78
Faraday Devices as Applied to Forensics 78
Real-World Examples 79
Portable Devices and Data Storage 80
Locating the Data 80
Power 80
Readers, readers, readers! 80
Cables, cables, cables! 80
Forensic Software 81
Operating Systems 82
File Systems 82
Investigative Platforms 83
Other/Specialty Tools 84
Tools in the Enterprise 84
Ad Hoc scripts and programs 85
Software Licensing 85
Tool Validation 85
Chapter 2: Digital Forensics: An Overview 88
Introduction 89
Digital Forensic Principles 89
Practice Safe Forensics 89
Establish and Maintain a Chain of Custody 90
Minimize Interaction with Original Evidence 92
Use Proven Tools and Know How They Work 94
Is the Tool in General Use? 95
What Is the History of the Developer and the Tool? 95
Do You Know How the Tool Works? 96
Conduct Objective Analysis and Reporting 97
Digital Environments 98
Corporate 98
Government 98
Academic 99
The Internet 99
The Home 99
Digital Forensic Methodologies 99
Litigation Support 100
Identification 100
Collection 101
Organization 101
Presentation 102
Digital Media Analysis 102
Identification 103
Collection 104
Analysis 106
Network Investigations 108
Identification 109
Collection 110
Analysis 112
Summary 113
Solutions Fast Track 113
Frequently Asked Questions 115
Chapter 3: Developing an Enterprise Digital Investigative/Electronic Discovery Capability 118
Introduction 119
Identifying Requirements for an Enterprise Digital Investigative/Electronic Discovery Capability 120
Costs 122
Time 123
Resources 124
Allies 124
Administrative Considerations for an Enterprise Digital Investigative/Electronic Discovery Capability 125
Policy and Standard Operating Procedures 126
Funding 136
Organizational Framework 137
Training 138
Tool Validation 138
Certification 139
Accreditation 140
Identifying Resources (Software/Hardware/Facility) for Your Team 140
Software 141
Hardware and Storage 141
Hardware 142
Storage 142
Write Blockers 143
Facility 143
Location 143
Security 145
Ventilation and Air-Conditioning Systems 145
Electrical and Power Systems 145
Summary 147
References 147
Frequently Asked Questions 148
Chapter 4: Integrating a Quality Assurance Program in a Digital Forensic Laboratory 150
Introduction 151
Quality Planning, Quality Reviews, and Continuous Quality Improvement 152
Deficiencies and Driving Out Error 152
Meeting Client Stated and Implied Needs 155
Continuous Quality Improvement 157
Laboratory Planning 158
The Structure of an Organization’s SOPs or QAMs 160
“Do” or Executing the Plan 163
“Check” or Study Processes 166
“Act” or Adapt and Refine the Plan 167
Continuous Upward Spiral of Excellence 168
Cost of Quality: Why Bother? 168
Other Challenges: Ownership, Responsibility and Authority 170
Management’s Responsibility for Ownership in the Quality System 171
The Quality Manager 172
Personalities and Patience 174
Assess Your Client’s Needs 176
Adapt to Your Client’s Needs 177
Private Sector Challenge 177
Summary 179
Frequently Asked Questions 180
Chapter 5: Balancing E-discovery Challenges with Legal and IT Requirements 182
Introduction 183
Drivers of E-discovery Engineering 183
Storage 184
Federal Rules of Civil Procedure 185
Purpose 185
Costs 186
Locations, Forms and Preservation of Electronically Stored Information 187
Locations of ESI 188
Forms of ESI 189
File Types 189
Metadata Fields 190
Legal and IT Team Considerations for Electronic Discovery 191
IT Members within the Legal Team 192
Records and Information Managers 193
Information Lifecycle Managers 194
E-mail, IM, and PDA Managers 194
Backup and Archiving Managers 196
Are You Litigation Ready? 197
Served with a Request 197
Contact Your Chief Information Officer or Equivalent 197
Be Prepared to Field Questions from the Professionals 197
Be Prepared to Ask Questions 198
Interviews 198
Inventory 199
Discovery Readiness Planning 200
Project Scope/Collect Available Information 201
Interviews 201
Data Cataloging/Mapping 203
Review of Information Collected 205
Gap Analysis 205
Findings and Recommendations 205
Business Process Improvement 207
E-discovery Tools 207
Summary 209
Frequently Asked Questions 210
Chapter 6: Forensic Software and Hardware 212
Introduction 213
Part 1: Forensic Software Tools 213
Visual TimeAnalyzer 213
X-Ways Forensics 214
Evidor 216
Slack Space & Data Recovery Tools
Ontrack 216
DriveSpy 217
Data Recovery Tools 217
Device Seizure 217
Forensic Sorter 218
Directory Snoop 219
Permanent Deletion of Files 219
PDWipe 219
Darik’s Boot and Nuke (DBAN) 220
File Integrity Checker 220
FileMon 220
File Date Time Extractor (FDTE) 221
Decode - Forensic Date/Time Decoder 221
Disk Imaging Tools 221
Snapback DatArrest 222
Partition Managers: Partimage 222
Linux/UNIX Tools: Ltools and Mtools 222
LTools 222
MTools 223
The Coroner’s Toolkit (TCT) and Tctutils 223
Password Recovery Tools 223
@Stake 223
Decryption Collection Enterprise 224
AIM Password Decoder 224
MS Access Database Password Decoder 224
FavURLView - Favorite Viewer 224
NetAnalysis 225
Multipurpose Tools 225
Maresware 225
LC Technologies Software 226
WinHex Specialist Edition 226
Prodiscover DFT 226
Toolkits 227
NTI Tools 227
R-Studio 228
Datalifter 228
Forensic Toolkit (FTK) 229
Image Master Solo and Fastbloc 229
Encase 230
E-mail Recovery Tools 231
Network E-mail Examiner 232
Oxygen Phone Manager 232
SIM Card Seizure 233
Autoruns 234
HashDig 235
Patchit 235
PowerGREP 235
Reverse Engineering Compiler 235
Part 2: Forensic Hardware Tools 268
Hard Disk Write Protection Tools 268
NoWrite 268
FireWire DriveDock 269
LockDown 269
Write Protect Card Reader 270
Drive Lock IDE 270
Serial-ATA DriveLock Kit 270
Wipe MASSter 271
ImageMASSter Solo-3 IT 271
ImageMASSter 4002i 272
ImageMASSter 3002SCSI 273
Image MASSter 3004 SATA 274
Summary 276
Frequently Asked Questions 277
Chapter 7: Incident Response: Live Forensics and Investigations 278
Introduction 279
Postmortem versus Live Forensics 279
Evolution of the Enterprise 280
Evolution of Storage 280
Encrypted File Systems 282
Today’s Live Methods 290
Case Study: Live vs. Postmortem 291
Computer Analysis for the Hacker Defender Program 295
Network Analysis 296
Summary 297
Special Thanks 297
References 297
Frequently Asked Questions 298
Chapter 8: Seizure of Digital Information 300
Introduction 301
Defining Digital Evidence 304
Digital Evidence Seizure Methodology 307
Seizure Methodology in Depth 309
Step 1: Digital Media Identification 310
Step 2: Minimizing the Crime Scene by Prioritizing the Physical Media 310
Step 3: Seizure of Storage Devices and Media 311
To Pull the Plug or Not to Pull the Plug, that Is the Question 312
Factors Limiting the Wholesale Seizure of Hardware 313
Factors Limiting Wholesale Seizure: Size of Media 314
Factors Limiting Wholesale Seizure: Disk Encryption 314
Factors Limiting Wholesale Seizure: Privacy Concerns 315
Factors Limiting Wholesale Seizure: Delays Related to Laboratory Analysis 316
Protecting the Time of the Most Highly Trained Personnel 317
The Concept of the First Responder 319
Other Options for Seizing Digital Evidence 321
Responding to a Victim of a Crime Where Digital Evidence Is Involved 323
Seizure Example 324
Previewing Information On-scene to Determine the Presence and Location of Evidentiary Data Objects 326
Obtaining Information from a Running Computer 327
Imaging Information On-Scene 329
Imaging Finite Data Objects On-Scene 330
Use of Tools for Digital Evidence Collection 332
Common Threads within Digital Evidence Seizure 334
Determining the Most Appropriate Seizure Method 337
Summary 339
Works Cited 341
Additional Relevant Resources 343
Frequently Asked Questions 344
Chapter 9: Conducting Cyber Investigations 346
Introduction 347
Demystifying Computer/Cyber Crime 347
Understanding IP Addresses 350
The Explosion of Networking 353
Hostname 355
MAC Address 355
The Explosion of Wireless Networks 357
Hotspots 357
Wardriving 358
Wireless Storage Devices 360
Interpersonal Communication 360
E-mail 361
Chat/Instant Messaging 362
Social Networking and Blogging 362
Media and Storage 363
Summary 364
Frequently Asked Questions 365
Chapter 10: Acquiring Data, Duplicating Data, and Recovering Deleted Files 368
Introduction 369
Recovering Deleted Files and Deleted Partitions 369
Deleting Files 370
Command Line Delete 370
Moving Files 372
Disk Cleanup 373
Permanently Destroying Data 374
Recycle Bin 375
What Gets Deleted 376
Configuring the Recycle Bin 376
Storage Locations of the Recycle Bin 378
Undeleting or Permanently Deleting a File 379
Damaged Recycle Bins 380
Data Recovery in Linux 382
Recovering Deleted Files 383
Deleted File Recovery Tools 384
Undelete Tools 384
Recycle Bin Replacements 393
CD/DVD Data Recovery 394
Microsoft Office Repair and Recovery 395
Compressed Files 396
Deleted Images 397
Recovering Deleted Partitions 399
Deleting Partitions Using Windows 399
Deleting Partitions from the Command Line 400
Deleted Partition Recovery Tools 404
Active@ Partition Recovery 405
Active@ Disk Image 406
DiskInternals Partition Recovery 406
GetDataBack 407
NTFS Deleted Partition Recovery 407
Handy Recovery 407
Acronis Recovery Expert 408
TestDisk 408
Scaven 408
Recover It All! 408
Partition Table Doctor 408
Data Acquisition and Duplication 409
Data Acquisition Tools 412
FTK Imager 412
SafeBack 414
DriveSpy 414
Mount Image Pro 415
DriveLook 415
DiskExplorer 416
SnapBack DatArrest 418
SCSIPAK 418
IBM DFSMSdss 418
Hardware Tools 418
ImageMASSter Solo-3 Forensic 419
LinkMASSter-2 Forensic 419
ImageMASSter 6007SAS 419
RoadMASSter-3 419
Disk Jockey IT 420
Backing Up and Duplicating Data 420
Acquiring Data in Linux 421
DD 421
Netcat 423
Summary 426
Frequently Asked Questions 427
Chapter 11: Forensic Discovery and Analysis Using BackTrack 428
Introduction 429
Digital Forensics 431
Acquiring Images 431
Linux dd 433
Linux dcfldd 443
dd_rescue 446
Forensic Analysis 448
Autopsy 449
mboxgrep 452
memfetch 454
Memfetch Find 457
pasco 459
Rootkit Hunter 461
The Sleuth Kit 463
The Sleuth Kit Continued: Allin1 for The Sleuth Kit 468
Vinetto 472
File Carving 476
Foremost 478
Magicrescue 480
Case Studies: Digital Forensics with the BackTrack Distribution 483
Summary 494
Chapter 12: Windows, Linux, and Macintosh Boot Processes 496
Introduction 497
The Boot Process 497
System Startup 497
POST: Power On Self Test 498
The Master Boot Record 499
Loading MSDOS 501
Loading Windows XP 502
Loading Linux 503
LILO Booting 504
GRUB Booting 504
The Macintosh Boot Process 504
EFI and BIOS: Similar but Different 505
DARWIN 505
Macintosh Forensic Software 506
BlackBag Forensic Suite 507
Directory Scan 508
FileSpy 508
HeaderBuilder 509
Other Tools 510
Carbon Copy Cloner 511
MacDrive6/7 513
Summary 516
Frequently Asked Questions 517
Chapter 13: Windows and Linux Forensics 518
Introduction 519
Windows Forensics 519
Where Can You Locate and Gather Evidence on a Windows Host? 519
How Can You Gather Volatile Evidence? 520
The Features and Advantages of Windows Forensics Tools 521
What Is File Slack? How Can You Investigate Windows File Slack? 530
How Do You Examine File Systems? 531
Built-in Tool: Sigverif 531
The Word Extractor Forensic Tool 532
How Can You Interpret the Windows Registry and Memory Dump Information? 532
HKEY_LOCAL_MACHINE 532
Summary of the Features and Importance of Memory Dump 534
What Is Virtual Memory? 534
System Scanner 535
Integrated Windows Forensics Software: X-Ways Forensics and its Features 536
How Can You Investigate Internet Traces? 538
Traces Viewer 538
IECookiesView 538
IE History Viewer 538
Cache Monitor 539
How Do You Investigate System State Backups? 539
Investigating ADS Streams 540
Creating a CD-ROM Bootable for Windows XP 541
Linux Forensics 542
Why Use Linux as a Forensic Tool? 543
File System Description 543
The Primary Linux Directories 544
Mount Command 547
The Linux Boot Sequence 548
The Challenges in Disk Forensics with Linux 549
Popular Linux Forensics Tools 550
The Sleuth Kit 550
Autopsy 553
SMART for Linux 555
Penguin Sleuth 555
Forensix 557
Maresware 557
Captain Nemo 558
The Farmer’s Boot CD 559
Summary 561
Frequently Asked Questions 562
Chapter 14: Investigating Network Traffic and Investigating Logs 564
Introduction 565
Overview of the OSI Model 565
Layers of the OSI Model 565
The Physical Layer 565
The Data Link Layer 565
The Network Layer 566
The Transport Layer 566
The Session Layer 566
The Presentation Layer 566
The Application Layer 566
Network Addresses and NAT 566
Network Information-Gathering Tools 567
Sniffers 568
Intrusion Detection 568
Snort 569
Gathering Snort Logs 569
Building an Alerts Detail Report 571
Alerts by IP Address 571
Building an Alerts Overview Report 574
Monitoring User Activity 576
Tracking Authentication Failures 577
Listing Failed Logons 577
Identifying Single versus Multiple Failed Logons 578
Identifying Brute Force Attacks 579
Identifying a Brute Force Authentication Attack 580
Tracking Security Policy Violations 582
Determining Logon/Logoff Behavior 582
Auditing Successful and Unsuccessful File Access Attempts 584
Auditing Unsuccessful File Access Attempts 584
Auditing Successful File Access Attempts 585
Summary 586
Frequently Asked Questions 587
Chapter 15: Router Forensics and Network Forensics 588
Introduction 589
Network Forensics 589
The Hacking Process 589
The Intrusion Process 589
Searching for Evidence 590
An Overview of Routers 591
What Is a Router? 591
The Function of a Router 591
The Role of a Router 591
Routing Tables 591
Router Architecture 592
Routing Protocols 593
RIP 593
OSPF 593
Hacking Routers 594
Router Attacks 594
Router Attack Topology 594
Denial-of-Service Attacks 595
Routing Table Poisoning 596
Hit-and-Run Attacks and Persistent Attacks 596
Investigating Routers 597
Chain of Custody 597
Volatility of Evidence 597
Case Reports 598
Incident Response 599
Compromises 599
Summary 600
Frequently Asked Questions 601
Chapter 16: Investigating Wireless Attacks 604
Introduction 605
Basics of Wireless 606
Advantages of a Wireless Network 607
Disadvantages of a Wireless Network 607
Association of Wireless AP and a Device 608
Access Control 608
Encryption 608
MAC Filtering 611
Cloaking the SSID 611
Wireless Penetration Testing 613
Search Warrants 613
Direct Connections to Wireless Access Point 614
Scanning for Wireless Access Points with Nmap 614
Scanning for Wireless Access Points with Nessus 615
Rogue Access Points 615
Wireless Connect to a Wireless Access Point 616
Information Gathering 617
Injection 619
Cracking 620
Passive and Active Sniffing 621
Logging 622
Summary 623
Frequently Asked Questions 624
Chapter 17: E-mail Forensics 626
Introduction 627
Where to Start? 627
E-mail Terminology 627
Here is an Example HELO Exchange from Wikipedia 628
Functions of E-mail 629
Archive Types 629
Server Storage Archives 629
Lotus Notes 630
Novell GroupWise 631
Local Level Archives 631
Ingredients of E-mail 632
Mailbox Archive 633
Other Associated Files of the Archive 633
Message 634
Attachments 635
Forensic Acquisition 635
Processing Local Mail Archives 636
Step 1-Acquisition Outlook PST file 636
Step 2-Processing 637
Using Paraben’s E-mail Examiner 637
Using MS Outlook for processing Outlook Express files 640
Processing Server Level Archives 641
Step 1 Acquisition 642
Step 2 Processing 642
Using OnTrack PowerControls 642
Using Paraben’s Network E-mail Examiner (NEMX) 645
Deleted E-mail Recovery 648
Eudora Mail 648
Outlook PST 648
Network Archives 648
Chapter 18: Steganography and Application Password Crackers 650
Introduction 651
History of Steganography 651
The Greeks 651
The Chinese 651
The Culpers 652
Civil War Rugs 652
World War I 652
World War II 652
The Vietnam War 653
Terrorists 653
The Future of Steganography 653
Classification of Steganography 653
Background Information to Image Steganography 654
Insertion 654
Substitution 654
Example 1 654
Creation 655
Six Categories of Steganography in Forensics 655
Substitution System 655
Transform Domain Techniques 655
Spread Spectrum Techniques 656
Statistical Methods 656
Distortion Techniques 656
Cover Generation Methods 656
Types of Steganography 656
Linguistic Steganography 657
Text Semagrams 657
Technical Steganography 657
Embedding Methods 657
Least Significant Bit 657
Transform Techniques 657
Spread-Spectrum Encoding 658
Perceptual Masking 658
Application of Steganography 659
Still Images: Pictures 659
Moving Images: Video 659
Audio Files 659
Text Files 660
Steganographic File Systems 660
Hiding in Disk Space 660
Unused Sectors 660
Hidden Partitions 661
Slack Space 661
Hiding in Network Packets 661
Issues in Information Hiding 661
Levels of Visibility 661
Robustness vs. Payload 662
File Format Dependence 662
Steg Tools 662
Snow 662
Steganos 663
Gifshuffle 663
Outguess 664
Stegomagic 664
Steganography vs. Watermarking 667
Fragile 667
Robust 668
Attacking Watermarking 668
Mosaic Attack 668
2Mosaic 668
Detecting and Attacking Steganography 668
Detection 669
Statistical Tests 669
Stegdetect 669
Stegbreak 669
Visible Noise 669
Appended Spaces and “Invisible” Characters 669
Color Palettes 670
Attacking Steganography 670
Steg-Only Attack 670
Known-Cover Attack 670
Known-Message Attack 670
Known-Stego Attack 670
Chosen-Stego Attack 671
Chosen-Message Attack 671
Disabling or Active Attacks 671
Application Password Cracking 672
Types of Password Cracking 672
Guessing 672
Dictionary 672
Brute Force 673
Syllable Attack 673
Rule-Based 673
Hybrid 673
Rainbow 673
Password-Cracking Tools 674
Cain and Abel 674
LCP 675
Ophcrack 676
John the Ripper 676
Brutus 676
Rock XP 677
Common Recommendations for Improving Passwords 677
No Dictionary Words 678
No Personal Data 678
Multiple Character Sets 678
Do Not Store Weak Hashes 678
Standard Password Advice 678
Change 678
Not in More Than One Place 678
Size 679
Creation 679
Summary 680
Chapter 19: PDA and Blackberry 682
Introduction 683
PDA Background Information 683
Components of a PDA 683
PDA Forensics 683
Investigative Methods 683
Step 1: Examination 684
Step 2: Identification 684
Step 3: Collection 684
Step 4: Documentation 685
PDA Investigative Tips 685
Device Switched On 685
Device Switched Off 686
Device in Its Cradle 686
Device Not in Its Cradle 686
Wireless Connection 686
Expansion Card in Slot 686
Expansion Sleeve Removed 686
Deploying PDA Forensic Tools 687
PDA Secure 687
PDA Seizure 687
EnCase 688
Introduction to the Blackberry 688
Operating System of the Blackberry 688
Blackberry Operation and Security 688
Wireless Security 688
Security for Stored Data 689
Forensic Examination of a Blackberry 689
Acquisition of Information Considerations 689
Device is in the “Off” State 689
Device is in the “On” State 690
Password Protected 690
Evidence Collection 690
Unit Control Functions 690
Imaging and Profiling 691
Attacking the Blackberry 691
Securing the Blackberry 691
Information Hiding in a Blackberry 691
Blackberry Signing Authority Tool 692
Summary 693
Frequently Asked Questions 694
Chapter 20: MP3 Forensics 696
Introduction 697
History 697
Why Is an iPod Considered Alternative Media? 698
Imaging and Hashing 698
Hardware vs. Nonhardware Imaging 699
Removing the Hard Drive 699
Linux 700
Registry Keys 706
Types of iPods 707
File Types Supported 707
File Systems 707
“Hacking Tools” and Encrypted Home Directories 708
Evidence: Normal vs. Not Normal 708
Uncovering What Should Not Be There 716
Analysis Tools 720
Summary 721
Index 722

Publication date (per publisher) 18.4.2011
Language English
Subject area Computer Science Networks Security / Firewall
Computer Science Theory / Studies Cryptology
Law / Taxes EU / International Law
Law / Taxes Criminal Law Criminology
Social Sciences
ISBN-10 0-08-055608-6 / 0080556086
ISBN-13 978-0-08-055608-6 / 9780080556086