Computer Forensics: Incident Response Essentials

Description

• Copyright 2002
• Dimensions: 7-3/8" x 9-1/4"
• Edition: 1st

• Book
• ISBN-10: 0-201-70719-5
• ISBN-13: 978-0-201-70719-9

Every computer crime leaves tracks—you just have to know where to find them. This book shows you how to collect and analyze the digital evidence left behind in a digital crime scene.

Computers have always been susceptible to unwanted intrusions, but as the sophistication of computer technology increases so does the need to anticipate, and safeguard against, a corresponding rise in computer-related criminal activity.

Computer forensics, the newest branch of computer security, focuses on the aftermath of a computer security incident. The goal of computer forensics is to conduct a structured investigation to determine exactly what happened, who was responsible, and to perform the investigation in such a way that the results are useful in a criminal proceeding.

Written by two experts in digital investigation, Computer Forensics provides extensive information on how to handle the computer as evidence. Kruse and Heiser walk the reader through the complete forensics process—from the initial collection of evidence through the final report. Topics include an overview of the forensic relevance of encryption, the examination of digital evidence for clues, and the most effective way to present your evidence and conclusions in court. Unique forensic issues associated with both the Unix and the Windows NT/2000 operating systems are thoroughly covered.

This book provides a detailed methodology for collecting, preserving, and effectively using evidence by addressing the three A's of computer forensics:

• Acquire the evidence without altering or damaging the original data.
• Authenticate that your recorded evidence is the same as the original seized data.
• Analyze the data without modifying the recovered data.

Computer Forensics is written for everyone who is responsible for investigating digital criminal incidents or who may be interested in the techniques that such investigators use. It is equally helpful to those investigating hacked web servers, and those who are investigating the source of illegal pornography.

0201707195B09052001



Extras

Author's Site

Click below for Web Resources related to this title:
Author Web Site



Sample Content

Online Sample Chapter

Computer Forensics: Tracking an Offender

Downloadable Sample Chapter

Click below for Sample Chapter related to this title:
krusech02.pdf

Sample Pages

Download the sample pages (includes Chapter 2 and Index)

Table of Contents

Preface.


Acknowledgments.


 1. Introduction to Computer Forensics.


 2. Tracking an Offender.


 3. The Basics of Hard Drives and Storage.


 4. Encryption and Forensics.


 5. Data Hiding.


 6. Hostile Code.


 7. Your Electronic Toolkit.


 8. Investigating Windows Computers.


 9. Introduction to Unix for Forensic Examiners.


10. Compromising a Unix Host.


11. Investigating a Unix Host.


12. Introduction to the Criminal Justice System.


13. Conclusion.


Appendix A. Internet Data Center Response Plan.


Appendix B. Incident Response Triage Questionnaire.


Appendix C. How to Become a Unix Guru.


Appendix D. Exporting a Windows 2000 Personal Certificate.


Appendix E. How to Crowbar Unix Hosts.


Appendix F. Creating a Linux Boot CD.


Appendix G. Contents of a Forensic CD.


Annotated Bibliography.


Index. 0201707195T09182001

Preface

Preface

Billions of dollars are lost annually to crime, and computers are increasingly involved. It is clear that law enforcement agencies need to investigate digital evidence, but does it make sense to encourage a bunch of computer administrators to become junior g-men? Do we really need amateur digital sleuths? In a word, yes. Bad things are happening on computers and to computers, and the organizations responsible for these computers have a need to find out what exactly happened. You probably cannot pick up the phone and bring in law enforcement officials every time something anomalous happens on one of your servers and expect them to send out a team of forensic specialists, and even if you could, your corporate executives may not want that. All major corporations have internal security departments that are quite busy performing internal investigations. However, the security professionals who typically fill this role are accustomed to dealing with theft and safety issues and are often ill-prepared to deal with computer crime.

This book is inspired by the needs of the people who attend the author's seminars on computer forensics. If for no other reason than these sold-out seminars, we know that there is a big demand for greater expertise in digital investigations. System administrators and corporate security staff are the people we've designed the book for. Most of the seminar attendees are fairly skilled in the use and maintenance of Microsoft environments. Some of them are Unix specialists, but many students have expressed a strong desire to learn more about Unix. Once a corporation discovers that they know someone who can investigate Windows incidents, it is assumed that he or she knows everything about computers, and it is usually only a matter of time until this person is pressured into taking a look at a suspect Unix system.

Our students come from a wide variety of backgrounds and have diverse investigatory needs and desires. We try to accommodate these varying agendas in this book, to which we bring our experience in investigation and incident response. Warren Kruse is a former police officer who regularly performs computer forensic examinations inside and outside of Lucent Technologies. Jay Heiser is an information security consultant who has been on the response teams for numerous hacked Internet servers. To the maximum extent possible, this book contains everything useful that we've learned from performing investigations and teaching others to do so for themselves. We know what questions will be asked, and this book is designed to answer them. It is a practical guide to the techniques used by real people to investigate real computer crimes.

How to Read This Book

This book can be read cover to cover, as a complete introductory course in computer forensics. However, it is also meant to serve as a handbook, and we expect many readers to be familiar with some of the subjects we cover. For that reason, each chapter is a complete unit and can be read when convenient or necessary. You probably specialize in one or more of the areas covered in this text. However, we believe that the information presented in this book is at the minimum required level of legal and computer literacy, and we urge you to become knowledgeable in all of the areas we cover: legal, procedural, and technical.

A brief description of the information covered in each chapter is provided in the sections that follow.

Introduction to Computer Forensics

Chapter 1 outlines the basic process of evidence collection and analysis, which is the meat of computer forensics. Even those readers with a background in law enforcement will find new techniques in this chapter that are specific to computer forensics.

Tracking an Offender

The Internet is pervasive, and a high percentage of your investigations will involve either incoming or outgoing Internet traffic. The material in Chapter 2 will help you interpret the clues inside of email messages and news postings. It will also start you on the path toward becoming an Internet detective, using standard Internet services to perform remote investigations.

The Basics of Hard Drives and Storage Media

For the computer sleuth, hard drives are the most significant containers of evidence. Chapter 3 provides an understanding of both their logical and their physical configurations. It covers partitions and low-level formatting, filesystems, and hardware drive interfaces.

Encryption and Forensics

Cryptography has become ubiquitous in the virtual world of the Internet. A skilled investigator must have a solid understanding of the technology and goals of modern cryptography. It is relevant both in understanding evidence and, interestingly, in the preservation of evidence. Many investigators lack a necessary level of crypto-literacy, so Chapter 4 provides a broad introduction to encryption with special emphasis on its significance and application in computer forensics. We also discuss common encoding and archiving formats (such as uuencode and PKZIP) that can complicate your keyword searches. As digital signature technology grows in legal significance and finds new uses, forensic investigators will be expected to understand its limitations and must have a firm grasp of the ways in which a digital identity can be stolen. The digital timestamping of forensic evidence will soon become standard procedure in digital investigations. If you already have a background in these encryption concepts, then you may wish to skim this chapter.

Data Hiding

Being able to find hidden data is a crucial investigative skill. Even if you are highly crypto-literate, you still may not be aware of steganography (the art of hiding information by embedding covert messages within other messages) and other data-hiding techniques. Continuing the subject of encryption, Chapter 5 describes the use of specific password-cracking tools that we have successfully used during our investigations. This chapter categorizes and describes the ways that data can be hidden–not just by encryption–and provides practical guidance on how to find and read hidden data.

Hostile Code

Being able to identify and understand the implications of criminal tools is a skill that every investigator needs. Given that hostile code can be arcane and that few readers have a background in it, Chapter 6 provides an introduction to the topic and an overview of the types and capabilities of digital criminal tools that the investigator may encounter. We've included a couple of war stories involving the recent use of "hacker tools" on corporate PCs, which is becoming increasingly common.

Your Electronic Toolkit

Although forensic-specific tools have a certain James Bond—like appeal–and we cover these products–a large percentage of your work will be done with system tools that were not specifically created for the unique needs of forensic investigation. Chapter 7 will introduce you to a wide variety of utility types and specific brand name tools, along with instructions in their use in a digital investigation.

Investigating Windows Computers

Microsoft Windows, in all its various flavors, is the most widely used family of operating systems. While Chapter 8 assumes some background in Windows, you don't need to be a Microsoft Certified Systems Engineer in order to apply the techniques and tricks we discuss. Emphasis is placed on Windows NT 4.0 and Windows 9x, but several important new Windows 2000 features, such as the Encrypting File System, are covered. An experienced investigator soon learns that nothing is too obsolete to be in daily use somewhere, so the chapter concludes with Windows 3.1—specific material.

Introduction to Unix for Forensic Examiners

For those readers with no prior Unix experience, Chapter 9 provides an introduction with special emphasis on Unix characteristics that are most significant for the forensic investigator. Experienced Unix users can skim or skip this chapter.

Compromising a Unix Host

Chapter 10 is intended as background material for the investigation of hacked Internet hosts. It describes the process that Unix attackers typically use and provides an understanding of the goals of typical system hackers.

Investigating a Unix Host

While emphasizing the investigation of hacked Unix hosts, Chapter 11 describes techniques that are applicable to all forms of Unix investigation. It contains a detailed set of Unix-specific techniques and processes that use common Unix utilities for collecting and evaluating evidence. It also contains instructions on using a Unix boot CD to capture information over a network when you can't attach hardware directly to a suspect system.

Introduction to the Criminal Justice System

The final chapter explains what you need to do after you have begun collecting evidence and provides an overview of the criminal justice process. Legal concepts such as affidavits, subpoenas, and warrants are described. You will be a more effective interface between your organization and law enforcement agents if you understand what they do and how both investigations and prosecutions are structured by the legal system.

Appendixes

As in most books, the appendixes in this one contain information that doesn't fit neatly anywhere else. They are standalone guides to specific needs.

Appendix A, Internet Data Center Response Plan, defines a process for handling computer security incidents in Internet Data Centers.

Appendix B, Incident Response Triage, provides a list of general questions that should be asked during the investigation of a computer crime incident.

Appendix C, How to Become a Unix Guru, provides self-study suggestions for forensic examiners who want to improve their ability to investigate Unix hosts.

Appendix D, Exporting a Windows 2000 Personal Certificate, graphically depicts the process of exporting a Personal Certificate from a Windows 2000 computer. Investigators should practice this process to prepare themselves for incidents involving the Encrypted File System.

Appendix E, How to Crowbar Unix Hosts, describes the process of gaining administrative access to a Unix system by booting it from a floppy or CD.

Appendix F, Creating a Linux Boot CD, provides several suggestions on techniques and technology sources that are useful in the creation of bootable Linux CDs that can be used to crowbar Unix or NT systems. Booting from a Linux CD can also provide a trusted environment useful for examining or collecting evidence when it is not feasible to remove the hard drive from a system.

Appendix G, Contents of a Forensic CD, provides a shopping list of useful tools that should be considered the minimum set of forensic utilities that an examiner brings during an incident response.

0201707195P09182001

Index

A

Access control circumvention, 141-143

AccessData, 111, 114

Accounting, 296, 298

Addresses

application, 33-32

IP, 22-28

media access control (MAC), 25, 22-28

private, 25

registries, 63

uniqueness of, 22-26

Address Resolution Protocol (ARP), 22-28

Advanced ZIP Password Recovery (AZPR), 114

AFind, 164

Aimpw, 145

America Online (AOL), 34, 135, 141, 247

"Analysis of Security Incidents on the Internet 1981-1995, An" (Howard), 242-247

Antivirus (AV) software, 128, 146

Application addresses, 33-32

Application Developer/Administrator (AA), 330

Application Owner (AO), 323-330

Application Programming Interface (API), 70

Archive file, 101, 102, 242-243

ASCII (American Standard Code for Information Interchange), 83, 100

Asymmetric encryption, 91

AT&T, 207

Attachments, email, 47

attrib command, 119

Auditing, 292-296

Authentication of evidence, 13

AutoComplete, 183, 1854

B

Back doors, 252-255

Back Orifice, 133, 142

Backups, 11-15, 174

Bash (Bourne Again Shell), 211

Berkeley R utilities, 298

BinHex, 101

!Bios, 145

Bit stream, 15

Block device, 212-220

Blocks, 73

Blowfish, 90

Bombs, logic and time, 139

Bootable Business Card, 114

Bootable Recovery Disk, 151

Boot sector, analysis of, 16

Bots, 137

Bourne shell, 210

Breaking, 84

Brute force attack, 84, 144

BSD, 202-208

Buffer overflow attack, 141-143

Business Records Exception, 323-322

C

CAB, 102

CAIN tool, 85, 110, 141-145, 191

Caldera, 208

Caligula MS Word virus, 135

Carrier, 123

Carvey, Harlan, 122

Case folder, 11

cat, 285, 286

CD, contents of forensic, 373-380

CD-R Diagnostics, 156, 157

CD-Rs, 151-158

CD Universe, 9

CERT, 297

Certificate authority (CA), 99-98

Certificate Policy (CP), 98

Certificate Revocation List (CRL), 98

Certification practice statements (CPS), 98

Certs (digital certificates), 96

Chain of custody, 6, 9-9, 315

Checksums, 89, 241

Citrix WinFrame, 133

Client application, 35

Clusters, 73

Codes, 83, 101-101, 344

analysis of hostile, 282-283, 303-303

Cohen, Fred, 167, 169

Collision free, 89

Compression, 101-103

Compromise, 85

Computationally infeasible, 88

Computer crime, categories of, 2

Computer forensics

defined, 3-3

goals of, 4

history of, 3

steps in, 3, 2-20

Computers, search of personally owned, 323-321

Connection laundering, 248

Conversions Plus, 151-153

Core dumps, 303-305

Courtroom presentation, tips for, 12-20

cp, 285

C programming language, 238

Cracking, 84

CRCMD5, 13, 150, 169

crontab, 303-303

Crowbarring Unix hosts, 373-376

CrucialADS, 122

Crucial Security, 122

Cryptanalysis, 84

Cryptographer, 84

Cryptography

defined, 84

integrity services, 89-90

privacy services, 99-99

steganography, 121-127

Cryptologists, 84

Cryptology, 84

C shell, 22-211

Cyclic redundancy checks, 89

Cylinder, 67

D

Data center application profile, 334, 353-351

Data hiding

See also Passwords

changing file's extension, 111-118

changing system environment, 121-128

encryption, using and cracking, 105, 101-113

finding, 111-120

methods for, 101-107

off of the computer, 121-123

steganography, 121-127

streams, 121-122

Data in unallocated spaces, finding, 77-77

Data mining, 134

Data recovery services, 77-78

Data Viz, 151

dd, 242-244, 273, 282-286

Deleted files, retrieving, 17

Denial-of-service, 131-139, 276, 343-343

DES, 90

/dev, 303

Dial-up service, 33-35

Dictionaries, 144

diff, 242-241

dig, 30

Digests, 51

DigiStamp, 100

Digital certificates 99-99

Digital notary, 91-100

Digital signatures, 99-94

Digital timestamping, 91-100

Digital watermarks, 121-127

Directories, 72

analysis of, 303-301, 303-304

hidden, 303-301

user, 304

Directory listing, analysis of, 11-16

Directory service, 98

Disks

unerase, 156

wiping, 163

DiskScrub, 163, 169

DiskSig, 150, 169

Distributed denial-of-service (DDoS), 138

Distributed Network Attack (DNA) program, 111-112

Documentation, collecting evidence and, 12

Domain name resolution, 28

Domain Name Service (DNS), 23-30

Dot files, Unix, 307

Drive-imaging programs, 161-163

dtSearch, 151-161

Dynamically linked libraries (DLLs), 121-128

Dynamic Host Configuration Protocol (DHCP), 26

E

Elliptic curve, 92

Email

analysis of, 306

attachments, 47

bombs, 139

compared to news groups, 35

deciphering headers, 44-48

faking return addresses, 33-38

signatures, 191-195

tracking, 34-48

Web-based, 39

Web resources, 64

Windows, 191-195

Emergency Response Core Team (ERCT), 329

EnCase, 17, 76, 107, 117, 118, 171-174

Encoding, 83, 101

Encrypted file system (EFS), 202-204

Encryption

asymmetric, 91

compression, 101-103

defined, 88-84

digital signatures, 99-94

methods for attacking encrypted text, 88-88

private key, 99-95

public key, 99-92, 94

secret key, 99-91

session key, 94

symmetric, 90

trusted third parties, 99-96

using and cracking, 105, 101-113

Enhanced Integrated Drive Electronics (EIDE), 66

Environment variables, 212-214

Eudora, 35, 46

Evidence

analysis of, 12-20

authenticating, 13

checklists, 11-19

information resources, 21

log, 8

presenting, in court, 12-20

preservation of, 19, 315

rule of best, 313-319

techniques for collecting, 262-269

Evidence, acquiring

chain of custody, 6, 9-9

collection process, 9

comparison of approaches to, 7

documenting, 12

identification, 1-11

photographs, taking, 11-11

pulling the plug versus not pulling the plug, 6-6

storage, 12

transportation, 11-12

Exabyte Mammoth drives, 174

Executable files, 304

Explore/RunMRU, 186

F

Farmer, Dan, 164, 167, 263, 269

fdisk, 151, 222-221, 282-285

FDISK, 68, 76

Federal Computer Fraud and Abuse Act, 323

file, 232-233

File Allocation Table (FAT), 16, 72

FileList, 170

Files, hidden, 303-301

FileStat, 164

Filesystem, 77-74, 212-221

analysis of, 282-298

block device, 212-220

copying, 282-295

device number, 219

imaging, 282-289

permissions, 212-219

File viewers, 151-153

Filter_we, 170

find, 222-230, 233, 297

Firewall Administrator (FA), 332

Forensic-Computers.com, 80, 171-176

Forensics, defined, 1

Forensic Toolkit, 122, 161-164

ForensiX, 161-169, 266

Format, 68, 73

Foundstone, 122

FreeBSD, 208

G

Gammaprog, 145

GetFree, 170

GetSlack, 170

GetTime, 170

Ghost, 161-163

GIF, 102

Gnome, 300

Google, 51

grave-robber tool, 165

Greenwich mean time (GMT), 221

grep, 222-228

Guidance Software, 17, 174

GUIDs (Globally Unique Identifiers), 171-180

H

Hacking Exposed (Scambray, McClure, and Kurtz), 122

Hard drives

controllers, 66-67

copying, 282-285

defined, 65

erasing, 77-78

finding data in unallocated spaces, 77-77

kits, 174

in laptops, 78-81

operating systems, 77-72

parameters, 66-68

partition table, viewing and operating, 67-70

soft configuration on, 68

tools for partition-viewing, 151

Hard link, 228

Hardware, 171-176

Hash function, 89, 90

Hash table, 89

Hash value, 13, 89-90

Hex editor, 16, 17

HFind, 164

Higbee, Aaron, 34

High Technology Crime Investigation Association (HTCIA), 312

HKEY_CURRENT_USER, 183

HKEY_LOCAL_MACHINE, 187

HKEY_USERS, 183

Hostile code (malware), 6

access exploits, 141-143

antivirus (AV) software, 128, 146

bombs, logic and time, 139

bots, 137

categories of, 131-132

cracking programs, 141-145

defined, 121-130

denial-of-service, 131-139

to hide tracks, 140

purpose of, 131-136

resource/identity theft, 131-137

Trojan horse, 141-142

vulnerability scanners, 141-144

Hostile processes, signs of, 279

Howard, John D., 242-247

Hypertext Transfer Protocol (HTTP), 32, 275, 295

Hypnopaedia, 145

I

icq bombs, 139

ICSA Labs, 146

Identification of evidence, 1-11

Identity theft, 131-137

I Love You/Lovebug worm, 131, 141

Image MaSSter, 11-15, 81, 141, 175

Image tape, creating an, 15

Imaging filesystems, 282-289

Incident response, 2

data center application profile, 334, 353-351

form, 353-361

goals of, 323-328

priorities, 332, 335

roles and responsibilities of organizations involved in, 323-333

steps in, 333-349

what to record, 353-352

Information resources

See also Web resources

for hostile code, 141-148

on intrusion detection systems, 66-63

Inodes,

Inode list, 214

Inode table, 72, 212-215

INSO, 117

Integrated Drive Electronics (IDE), 66

Intelligent Computer Solutions (ICS), 175

Internet, basics of, 22-28

Internet Assigned Numbers Authority (IANA), 26

Internet Corporation for Assigned Names and Numbers (ICANN), 29

Internet Explore Key, 112, 181-188

Internet Explorer, 116, 117

Internet Mail Access Protocol (IMAP), 36

Internet service providers (ISPs)

logs of, 9, 247

obtaining information from, 33-35

Interviewing suspects, 314

Intrusion detection systems (IDS), 66-63

Inverse lookup, 30

Iomega Zip Guest, 15

IP address, 25

reading obfuscated, 22-27

registries, 63

ISS, 143

J

Jetform, 10

John the Ripper, 145

Joy, Bill, 363

JPEG, 102

K

KDE, 300

Kernel attacks, 121-128

Key-cracking programs, 88-85

Key escrow, 88

Key recovery, 88

Keyword searches, 11-17, 303-308

Klaus, Christopher, 143

Korn, David, 211

Korn shell (ksh), 211

Kurtz, George, 122

L

Laptops, hard drives in, 78-81

Large Block Addressing (LBA), 68

Lazarus tool, 161-167

Legal issues

court orders, obtaining, 322

criminal versus civil courts, 323-324

dollar loss valuations, 315

grand jury versus preliminary hearing, 315

information protection laws, 323

law enforcement, working with tips, 313-318, 313-320

legal access issues, 323-322

notifying agencies, 312

preservation of evidence, 19, 315

recidivism, 316

rule of best evidence, 313-319

search warrants and probable cause, 313-314

subpoenas, 314

testifying as an expert witness, 322

wiretap laws, 323-323

Lightweight Directory Access Protocol (LDAP), 216

Link, 215

Linux

boot CD, creating a, 373-378

crowbarring, 375

ForensiX, 161-169

Linux kernel, 111-114

attacks, 121-128

Log editors, 254

Logic bombs, 139

Logs

analysis of, 292-295

legal issues regarding, 323-322

logon, 292-295

signs of suspicious, 292-293

usefulness of, 291

Loopback device, 289

L0phtCrack, 88-85, 112, 113, 144

L0pht Heavy Industries, 144

LostPassword.com, 112

lsof, 278

M

MacOpener, 151

mactime, 292-291

Mail API (MAPI), 36

Mail bombs, 139

Mailboxes, 36

Mail server, 36

Mail transfer agents (MTAs), 37

Malware. See Hostile code (malware)

Manchurian Candidate syndrome, 264

man pages, 222-236

Maresware's Disk_crc, 150

Master drive, 66

McClure, Stuart, 122

MD5, 13, 15, 89, 90, 282-289

Media access control (MAC), 25, 22-28

Melissa virus, 131, 141, 177

Memory, copying system, 272-274

Message digest, 89

Microsoft, 36

See also Windows 95 and 98; Windows NT; Wndows3.1; Windows 2000

filesystem, 77-73

format, 73

Office, 107

operating system, 72

Outlook, 35, 42, 151-161

Outlook Express, 44-42

streams, 121-122

Systems Management Server, 133

Word, 77-75, 101-107

mkfs, 73

Morse Code, 83

mount, 222-224, 282-284

Mount directory, 224

Mounting, 73

Mount point, 224

MPEG, 102

MSNBC, 9-9

Mssqlpwd, 145

M-Sweep, 170

Multimedia Internet Mail Extension (MIME), 101

N

NATShell, 58

NBScan, 58

nbtstat, 55-57, 58

Neotrace, 57

Nessus, 141-144

NetBIOS, 55-57

Auditing Tool (NAT), 58

over TCP/IP (NBT), 55

tool, 55-58

NetBus, 133, 142

netcat, 248, 267, 262-269, 286

NetScanTools Pro, 30, 42, 57

netstat, 58, 272-275

Net Threat Analyzer, 170

NetTools, 55-58

Network Administrator (NA), 333-332

Network Associates, 95

Network connections, analysis of, 272-276

Network Information System (NIS), 212-217

Network interface card (NIC), 28

Network News Transfer Protocol (NNTP), 54

Network scanning, 134

Network sniffing, 131-135

Network Solutions, 30

New session, 156

News groups

compared to email, 35

Usenet, 45-54

New Technologies Inc. (NTI), 13, 17, 150, 163, 161-170

Nmap, 143

Northwest Airlines, 321

Norton Utilities, 17, 156

Notes, 35

nslookup, 29, 30

ntaccess, 114

NTFS. See Windows NT File System

NTFSDOS, 195

NTLast, 164

ntpassword, 111-114

O

Office, 107

OnTrack, 78

OpenBSD, 208

Open Systems Interconnection (OSI), 24

Operating environment, 14

Operating systems, 77-72

Order of volatility, 262-281

Outlook, 35, 42, 151-161

Outlook Express, 44-42

P

Packet mode, 156

Packets, 25

Pager bombs, 139

PalmCrack, 145

Parity bits, 89

Partinfo, 67-70, 151

PartitionMagic, 67-70, 151

Partition table

analysis of, 15

viewing and operating, 67-70, 151

Partition types, 69

Passwords

changing, 111-116

cracking, 141-145

encrypting, 88-88

possible locations for, 109

recovery tools, 111-113

reusable, 33-34, 111-111

sniffers, 131-135

pcAnywhere, 133

pcat, 281

Perl (Practical Extraction and Report Language), 122, 240

PGP, 37

PGPPASS, 145

Photographing evidence, 11-11

ping, 27, 28, 32

PkCrack, 145

PKCS #7, 94

Platters, 68

Point of Presence (POP), 32

Point to Point Protocol (PPP), 32

Post Office Protocol (POP), 36

PowerQuest

Partinfo, 67-70

PartitionMagic, 67-70

Pretty Good Privacy (PGP), 99-96

Private key, 99-95

/proc, 272-279

Process accounting, 296

Process identity (PID), 272-280

Process information utilities, 277

Process status commands, 278

ps, 277, 278

PST file, 181-186

PTable, 170

Public key encryption, 99-92, 94

Public Key Infrastructure (PKI), 92, 99-99

Public Switched Telephone Network (PSTN), 26

PWLTool, 191-192

Q

Quick View Plus (QVP), 16, 117, 151, 152

R

RADIUS (Remote Authentication Dial-In User Service), 33-34, 247

on evidence, 21

RC5, 90

Read/write head, 67

RedHat, 208

Registry, Windows, 181-188

Reid and Associates, John E., 314

Remote copy (rcp), 298

Remote login (rlogin), 298

Remote shell (rsh), 267, 268, 298

Repudiation, 92

Researching Internet inhabitants, Web resources for, 66-64

Resource theft, 131-137

Reverse lookups, 29

Rivest, Shamir, and Adleman (RSA), 90, 91, 94

Rootkits, 127, 138, 252-260

Rootshell, 283

Rosenblatt, Ken, 322

Roth, Dave, 122

Routers, 22-26

Running processes, analysis of, 272-281

S

SAFESuite, 143

Samba, 58

Sam Spade, 30

SANS Institute, 139

SATAN (System Administrator's Tool for Analyzing Networks), 134, 143

Scambray, Joel, 122

script, 227

Script kiddie, 84

Secret key encryption, 99-91

Secure Multipurpose Internet Mail Extensions (S/MIME), 37

Secure shell (scp), 268

Security Account Manager (SAM), 112, 113

Security Consultant (SC), 333-333

Security Investigator (SI), 333

Seized, 170

Session key, 94

Set group ID (SGID), 212-218, 302

Set user ID (SUID), 212-218, 302

Sfind, 122, 164

SHA, 13, 89, 90

Shells, 202-211, 267, 268, 303-306

Shell scripts, 202-210

ShowFL, 170

Simple Mail Transfer Protocol (SMTP), 37

server logs, 49

Slack space

analysis of, 11-18

defined, 73, 74

Slave drive, 66

Slaves, 138

Slurpie, 145

Small Computer Systems Interface (SCSI), 66-67

SmartWhois, 55-59

Smith, David, 177

Software, forensic

See also under name of program

CD-Rs, examining, 151-158

disk wiping, 163

drive-imaging, 161-163

file viewers, 151-153

hard drive tools, 151

images, examining, 151-155

text searches, 151-161

tips before using, 141-150

unerase tools, 156

Solaris, 127, 128, 207

crowbarring, 373-376

SONAR, 32

Sony, digital camera, 11

Steganography, 121-127

Steganos, 124, 125

Stevens, W. Richard, 23

S-Tools, 121-126

Storage of evidence, 12

strings, 232-236

Subdirectories, analysis of, 11-16

SubSeven.Trojan, 141

sum, 241

Superblock, 221

Surety, 100

Swap space, 209

Symantec pcAnywhere, 133

Symbolic link, 215, 228

Symmetric encryption, 90

SysInternals, 122

syslog, 291

System auditing, 292-296

System compromise, levels of, 265

System environment, hiding data by changing, 121-128

System Owner/Administrator (SA), 333-331

Systems Management Server (SMS), 133

System V, 207

T

tar archive file, 242-243, 282-288

Tarball, 241

TCPDump, 134

TCP/IP (Transmission Control Protocol/ Internet Protocol), 23, 24

TCP/IP Illustrated (Stevens), 23

TCP Wrapper, 292-295

tcsh, 211

Text filters, 232-238

Text searches, 151-161

TextSearch Plus, 170

The Coroner's Toolkit (TCT), 128, 161-167, 266, 281

ThumbsPlus, 151-155

TIFF, 102

Time, UNIX, 221

Time bombs, 139

Timestamping, 13, 91-100

/tmp, 301

tomsrtbt, 114

touch, 232-240

Traceback, 138

traceroute, 27, 33-31, 57

tracert, 30

Tracks, 67

Transporting evidence, 11-12

Triple DES (3DES), 90

Tripwire, 13, 62, 264, 266, 297

Trojan horse, 141-142, 255

TruSecure, 146

Trust relationships, 293-300

U

Unallocated space

analysis of, 11-18

finding data in, 77-77

Unerase tools, 17, 156

Universal Coordinated Time, 221

Universal Resource Locators (URLs), 33-32

University of California, Berkeley, 207

Unix

archives, 242-243

comparison tools, 242-241

components, 202-214

dd, 242-244

dot files, 307

file command, 119

filesystem, 72, 73, 212-221

file time attributes, 221

format, 73

history of, 202-208

how to learn, 363-365

logon logs, 294

man pages and commands, 222-236

mount, 222-224

operating system, 77-72

programming language, 232-240

text filters, 232-238

Unix host attacks

attackers, characteristics of, 245, 246

back door creation, 252-255

chain of, 242-248, 249

covering of tracks, 252-254

goals of, 242-250

initial compromise, 251

intelligence gathering, 252-251

inventory, 255

locating potential victims, 250

log editors, 254

privilege escalation, 251

reconnaissance, 252-253

rootkits, 252-260

signs of, 279

summary of attack types and characteristic evidence, 249

Unix host attacks, what to examine

accounting, 296, 298

auditing, 292-296

core dumps, 303-305

directories and files, 303-301, 303-304

email, 306

filesystem, 282-298

hostile codes, 282-283, 303-303

keywords, 303-308

levels of attacks, 264

Manchurian Candidate syndrome, 264

order of volatility, 262-281

process accounting, 296

shells, 303-306

system compromise, levels of, 265

techniques for collecting evidence, 262-269<

trust relationships, 293-300

Unix to Unix Copy (UUCP), 101

UnixWare, 207

Usenet, 45-54

deciphering headers, 55-53

tracking posts, 55-54

User Datagram Protocol (UPD), 57

utmp, 254

UUCP (Unix to Unix Copy), 101

V

vCards, 194

Venema, Wietse, 164, 263, 269, 293

vi, 363

Video display, 272-273

Viewers, file, 151-153

Viruses

antivirus (AV) software, 128, 146

Caligula MS Word virus, 135

Melissa, 131, 141, 177

Volatility, order of, 262-281

Vulnerability scanners, 141-144

W

Weaver, Robert, 324

Webcracker, 145

Web resources

See also Information resources

on analysis, 309

on evidence, 21

for hostile code, 148

for researching Internet inhabitants, 66-64

on training, 21

Wells, Joe, 146

What's Up Gold, 28

whois, 23-30

SmartWhois, 55-59

WildList Organization International, 146

Windows Internet Naming Service (WINS), 26

Windows 95 and 98

email, 193

email signatures, 191-195

investigating, 171-182

registry, 181-188

what to look for, 181-192

Windows NT, 111-113

changing passwords, 111-116

investigating, 191-197

kernel attacks, 121-128

rootkits, 127

streams, 121-122

Windows NT File System (NTFS), 15, 191-197

streams, 121-122

Windows 3.1, investigating, 202-205

Windows 2000, 121

dynamic disks, 198

encrypted file system, 202-204

exporting private key, 363-373

investigating, example of, 192-204

persistent connections, 202-201

registry, 183, 184

system administration tools, 192-200<

user home directories, 201

winipcfg, 56-61

Win32 Perl Scripting: The Administrator's Handbook (Roth), 122

WinZip, 101, 102, 114, 182, 243

Wiretap laws, 323-323

Word

backup copies, 101-109

Caligula MS Word virus, 135

Word 97, slack space in, 77-75

Worms, 131, 141

Wotsit's Format, 111-119

wtmp, 254

X

xargs, 230

X.509, 98

X Windows System, 272

Z

Zipcrack, 145

Zip Guest, 15

ZipPassword, 114

Zombies, 138



Updates

Submit Errata

