Home > Store

Computer Forensics: Incident Response Essentials

Register your product to gain access to bonus material or receive a coupon.

Computer Forensics: Incident Response Essentials


  • Sorry, this book is no longer in print.
Not for Sale

eBook (Watermarked)

  • Your Price: $35.19
  • List Price: $43.99
  • Includes EPUB, MOBI, and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    MOBI MOBI The eBook format compatible with the Amazon Kindle and Amazon Kindle applications.

    Adobe Reader PDF The popular standard, used most often with the free Adobe® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.


  • Copyright 2002
  • Dimensions: 7-3/8" x 9-1/4"
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-70719-5
  • ISBN-13: 978-0-201-70719-9

Every computer crime leaves tracks—you just have to know where to find them. This book shows you how to collect and analyze the digital evidence left behind in a digital crime scene.

Computers have always been susceptible to unwanted intrusions, but as the sophistication of computer technology increases so does the need to anticipate, and safeguard against, a corresponding rise in computer-related criminal activity.

Computer forensics, the newest branch of computer security, focuses on the aftermath of a computer security incident. The goal of computer forensics is to conduct a structured investigation to determine exactly what happened, who was responsible, and to perform the investigation in such a way that the results are useful in a criminal proceeding.

Written by two experts in digital investigation, Computer Forensics provides extensive information on how to handle the computer as evidence. Kruse and Heiser walk the reader through the complete forensics process—from the initial collection of evidence through the final report. Topics include an overview of the forensic relevance of encryption, the examination of digital evidence for clues, and the most effective way to present your evidence and conclusions in court. Unique forensic issues associated with both the Unix and the Windows NT/2000 operating systems are thoroughly covered.

This book provides a detailed methodology for collecting, preserving, and effectively using evidence by addressing the three A's of computer forensics:

  • Acquire the evidence without altering or damaging the original data.
  • Authenticate that your recorded evidence is the same as the original seized data.
  • Analyze the data without modifying the recovered data.

Computer Forensics is written for everyone who is responsible for investigating digital criminal incidents or who may be interested in the techniques that such investigators use. It is equally helpful to those investigating hacked web servers, and those who are investigating the source of illegal pornography.



Author's Site

Click below for Web Resources related to this title:
Author Web Site

Sample Content

Online Sample Chapter

Computer Forensics: Tracking an Offender

Downloadable Sample Chapter

Click below for Sample Chapter related to this title:

Sample Pages

Download the sample pages (includes Chapter 2 and Index)

Table of Contents



 1. Introduction to Computer Forensics.

 2. Tracking an Offender.

 3. The Basics of Hard Drives and Storage.

 4. Encryption and Forensics.

 5. Data Hiding.

 6. Hostile Code.

 7. Your Electronic Toolkit.

 8. Investigating Windows Computers.

 9. Introduction to Unix for Forensic Examiners.

10. Compromising a Unix Host.

11. Investigating a Unix Host.

12. Introduction to the Criminal Justice System.

13. Conclusion.

Appendix A. Internet Data Center Response Plan.

Appendix B. Incident Response Triage Questionnaire.

Appendix C. How to Become a Unix Guru.

Appendix D. Exporting a Windows 2000 Personal Certificate.

Appendix E. How to Crowbar Unix Hosts.

Appendix F. Creating a Linux Boot CD.

Appendix G. Contents of a Forensic CD.

Annotated Bibliography.

Index. 0201707195T09182001



Billions of dollars are lost annually to crime, and computers are increasingly involved. It is clear that law enforcement agencies need to investigate digital evidence, but does it make sense to encourage a bunch of computer administrators to become junior g-men? Do we really need amateur digital sleuths? In a word, yes. Bad things are happening on computers and to computers, and the organizations responsible for these computers have a need to find out what exactly happened. You probably cannot pick up the phone and bring in law enforcement officials every time something anomalous happens on one of your servers and expect them to send out a team of forensic specialists, and even if you could, your corporate executives may not want that. All major corporations have internal security departments that are quite busy performing internal investigations. However, the security professionals who typically fill this role are accustomed to dealing with theft and safety issues and are often ill-prepared to deal with computer crime.

This book is inspired by the needs of the people who attend the author's seminars on computer forensics. If for no other reason than these sold-out seminars, we know that there is a big demand for greater expertise in digital investigations. System administrators and corporate security staff are the people we've designed the book for. Most of the seminar attendees are fairly skilled in the use and maintenance of Microsoft environments. Some of them are Unix specialists, but many students have expressed a strong desire to learn more about Unix. Once a corporation discovers that they know someone who can investigate Windows incidents, it is assumed that he or she knows everything about computers, and it is usually only a matter of time until this person is pressured into taking a look at a suspect Unix system.

Our students come from a wide variety of backgrounds and have diverse investigatory needs and desires. We try to accommodate these varying agendas in this book, to which we bring our experience in investigation and incident response. Warren Kruse is a former police officer who regularly performs computer forensic examinations inside and outside of Lucent Technologies. Jay Heiser is an information security consultant who has been on the response teams for numerous hacked Internet servers. To the maximum extent possible, this book contains everything useful that we've learned from performing investigations and teaching others to do so for themselves. We know what questions will be asked, and this book is designed to answer them. It is a practical guide to the techniques used by real people to investigate real computer crimes.

How to Read This Book

This book can be read cover to cover, as a complete introductory course in computer forensics. However, it is also meant to serve as a handbook, and we expect many readers to be familiar with some of the subjects we cover. For that reason, each chapter is a complete unit and can be read when convenient or necessary. You probably specialize in one or more of the areas covered in this text. However, we believe that the information presented in this book is at the minimum required level of legal and computer literacy, and we urge you to become knowledgeable in all of the areas we cover: legal, procedural, and technical.

A brief description of the information covered in each chapter is provided in the sections that follow.

Introduction to Computer Forensics

Chapter 1 outlines the basic process of evidence collection and analysis, which is the meat of computer forensics. Even those readers with a background in law enforcement will find new techniques in this chapter that are specific to computer forensics.

Tracking an Offender

The Internet is pervasive, and a high percentage of your investigations will involve either incoming or outgoing Internet traffic. The material in Chapter 2 will help you interpret the clues inside of email messages and news postings. It will also start you on the path toward becoming an Internet detective, using standard Internet services to perform remote investigations.

The Basics of Hard Drives and Storage Media

For the computer sleuth, hard drives are the most significant containers of evidence. Chapter 3 provides an understanding of both their logical and their physical configurations. It covers partitions and low-level formatting, filesystems, and hardware drive interfaces.

Encryption and Forensics

Cryptography has become ubiquitous in the virtual world of the Internet. A skilled investigator must have a solid understanding of the technology and goals of modern cryptography. It is relevant both in understanding evidence and, interestingly, in the preservation of evidence. Many investigators lack a necessary level of crypto-literacy, so Chapter 4 provides a broad introduction to encryption with special emphasis on its significance and application in computer forensics. We also discuss common encoding and archiving formats (such as uuencode and PKZIP) that can complicate your keyword searches. As digital signature technology grows in legal significance and finds new uses, forensic investigators will be expected to understand its limitations and must have a firm grasp of the ways in which a digital identity can be stolen. The digital timestamping of forensic evidence will soon become standard procedure in digital investigations. If you already have a background in these encryption concepts, then you may wish to skim this chapter.

Data Hiding

Being able to find hidden data is a crucial investigative skill. Even if you are highly crypto-literate, you still may not be aware of steganography (the art of hiding information by embedding covert messages within other messages) and other data-hiding techniques. Continuing the subject of encryption, Chapter 5 describes the use of specific password-cracking tools that we have successfully used during our investigations. This chapter categorizes and describes the ways that data can be hidden–not just by encryption–and provides practical guidance on how to find and read hidden data.

Hostile Code

Being able to identify and understand the implications of criminal tools is a skill that every investigator needs. Given that hostile code can be arcane and that few readers have a background in it, Chapter 6 provides an introduction to the topic and an overview of the types and capabilities of digital criminal tools that the investigator may encounter. We've included a couple of war stories involving the recent use of "hacker tools" on corporate PCs, which is becoming increasingly common.

Your Electronic Toolkit

Although forensic-specific tools have a certain James Bond—like appeal–and we cover these products–a large percentage of your work will be done with system tools that were not specifically created for the unique needs of forensic investigation. Chapter 7 will introduce you to a wide variety of utility types and specific brand name tools, along with instructions in their use in a digital investigation.

Investigating Windows Computers

Microsoft Windows, in all its various flavors, is the most widely used family of operating systems. While Chapter 8 assumes some background in Windows, you don't need to be a Microsoft Certified Systems Engineer in order to apply the techniques and tricks we discuss. Emphasis is placed on Windows NT 4.0 and Windows 9x, but several important new Windows 2000 features, such as the Encrypting File System, are covered. An experienced investigator soon learns that nothing is too obsolete to be in daily use somewhere, so the chapter concludes with Windows 3.1—specific material.

Introduction to Unix for Forensic Examiners

For those readers with no prior Unix experience, Chapter 9 provides an introduction with special emphasis on Unix characteristics that are most significant for the forensic investigator. Experienced Unix users can skim or skip this chapter.

Compromising a Unix Host

Chapter 10 is intended as background material for the investigation of hacked Internet hosts. It describes the process that Unix attackers typically use and provides an understanding of the goals of typical system hackers.

Investigating a Unix Host

While emphasizing the investigation of hacked Unix hosts, Chapter 11 describes techniques that are applicable to all forms of Unix investigation. It contains a detailed set of Unix-specific techniques and processes that use common Unix utilities for collecting and evaluating evidence. It also contains instructions on using a Unix boot CD to capture information over a network when you can't attach hardware directly to a suspect system.

Introduction to the Criminal Justice System

The final chapter explains what you need to do after you have begun collecting evidence and provides an overview of the criminal justice process. Legal concepts such as affidavits, subpoenas, and warrants are described. You will be a more effective interface between your organization and law enforcement agents if you understand what they do and how both investigations and prosecutions are structured by the legal system.


As in most books, the appendixes in this one contain information that doesn't fit neatly anywhere else. They are standalone guides to specific needs.

Appendix A, Internet Data Center Response Plan, defines a process for handling computer security incidents in Internet Data Centers.

Appendix B, Incident Response Triage, provides a list of general questions that should be asked during the investigation of a computer crime incident.

Appendix C, How to Become a Unix Guru, provides self-study suggestions for forensic examiners who want to improve their ability to investigate Unix hosts.

Appendix D, Exporting a Windows 2000 Personal Certificate, graphically depicts the process of exporting a Personal Certificate from a Windows 2000 computer. Investigators should practice this process to prepare themselves for incidents involving the Encrypted File System.

Appendix E, How to Crowbar Unix Hosts, describes the process of gaining administrative access to a Unix system by booting it from a floppy or CD.

Appendix F, Creating a Linux Boot CD, provides several suggestions on techniques and technology sources that are useful in the creation of bootable Linux CDs that can be used to crowbar Unix or NT systems. Booting from a Linux CD can also provide a trusted environment useful for examining or collecting evidence when it is not feasible to remove the hard drive from a system.

Appendix G, Contents of a Forensic CD, provides a shopping list of useful tools that should be considered the minimum set of forensic utilities that an examiner brings during an incident response.




Access control circumvention, 141-143
AccessData, 111, 114
Accounting, 296, 298
application, 33-32
IP, 22-28
media access control (MAC), 25, 22-28
private, 25
registries, 63
uniqueness of, 22-26
Address Resolution Protocol (ARP), 22-28
Advanced ZIP Password Recovery (AZPR), 114
AFind, 164
Aimpw, 145
America Online (AOL), 34, 135, 141, 247
"Analysis of Security Incidents on the Internet 1981-1995, An" (Howard), 242-247
Antivirus (AV) software, 128, 146
Application addresses, 33-32
Application Developer/Administrator (AA), 330
Application Owner (AO), 323-330
Application Programming Interface (API), 70
Archive file, 101, 102, 242-243
ASCII (American Standard Code for Information Interchange), 83, 100
Asymmetric encryption, 91
AT&T, 207
Attachments, email, 47
attrib command, 119
Auditing, 292-296
Authentication of evidence, 13
AutoComplete, 183, 1854


Back doors, 252-255
Back Orifice, 133, 142
Backups, 11-15, 174
Bash (Bourne Again Shell), 211
Berkeley R utilities, 298
BinHex, 101
!Bios, 145
Bit stream, 15
Block device, 212-220
Blocks, 73
Blowfish, 90
Bombs, logic and time, 139
Bootable Business Card, 114
Bootable Recovery Disk, 151
Boot sector, analysis of, 16
Bots, 137
Bourne shell, 210
Breaking, 84
Brute force attack, 84, 144
BSD, 202-208
Buffer overflow attack, 141-143
Business Records Exception, 323-322


CAB, 102
CAIN tool, 85, 110, 141-145, 191
Caldera, 208
Caligula MS Word virus, 135
Carrier, 123
Carvey, Harlan, 122
Case folder, 11
cat, 285, 286
CD, contents of forensic, 373-380
CD-R Diagnostics, 156, 157
CD-Rs, 151-158
CD Universe, 9
CERT, 297
Certificate authority (CA), 99-98
Certificate Policy (CP), 98
Certificate Revocation List (CRL), 98
Certification practice statements (CPS), 98
Certs (digital certificates), 96
Chain of custody, 6, 9-9, 315
Checksums, 89, 241
Citrix WinFrame, 133
Client application, 35
Clusters, 73
Codes, 83, 101-101, 344
analysis of hostile, 282-283, 303-303
Cohen, Fred, 167, 169
Collision free, 89
Compression, 101-103
Compromise, 85
Computationally infeasible, 88
Computer crime, categories of, 2
Computer forensics
defined, 3-3
goals of, 4
history of, 3
steps in, 3, 2-20
Computers, search of personally owned, 323-321
Connection laundering, 248
Conversions Plus, 151-153
Core dumps, 303-305
Courtroom presentation, tips for, 12-20
cp, 285
C programming language, 238
Cracking, 84
CRCMD5, 13, 150, 169
crontab, 303-303
Crowbarring Unix hosts, 373-376
CrucialADS, 122
Crucial Security, 122
Cryptanalysis, 84
Cryptographer, 84
defined, 84
integrity services, 89-90
privacy services, 99-99
steganography, 121-127
Cryptologists, 84
Cryptology, 84
C shell, 22-211
Cyclic redundancy checks, 89
Cylinder, 67


Data center application profile, 334, 353-351
Data hiding
See also Passwords
changing file's extension, 111-118
changing system environment, 121-128
encryption, using and cracking, 105, 101-113
finding, 111-120
methods for, 101-107
off of the computer, 121-123
steganography, 121-127
streams, 121-122
Data in unallocated spaces, finding, 77-77
Data mining, 134
Data recovery services, 77-78
Data Viz, 151
dd, 242-244, 273, 282-286
Deleted files, retrieving, 17
Denial-of-service, 131-139, 276, 343-343
DES, 90
/dev, 303
Dial-up service, 33-35
Dictionaries, 144
diff, 242-241
dig, 30
Digests, 51
DigiStamp, 100
Digital certificates 99-99
Digital notary, 91-100
Digital signatures, 99-94
Digital timestamping, 91-100
Digital watermarks, 121-127
Directories, 72
analysis of, 303-301, 303-304
hidden, 303-301
user, 304
Directory listing, analysis of, 11-16
Directory service, 98
unerase, 156
wiping, 163
DiskScrub, 163, 169
DiskSig, 150, 169
Distributed denial-of-service (DDoS), 138
Distributed Network Attack (DNA) program, 111-112
Documentation, collecting evidence and, 12
Domain name resolution, 28
Domain Name Service (DNS), 23-30
Dot files, Unix, 307
Drive-imaging programs, 161-163
dtSearch, 151-161
Dynamically linked libraries (DLLs), 121-128
Dynamic Host Configuration Protocol (DHCP), 26


Elliptic curve, 92
analysis of, 306
attachments, 47
bombs, 139
compared to news groups, 35
deciphering headers, 44-48
faking return addresses, 33-38
signatures, 191-195
tracking, 34-48
Web-based, 39
Web resources, 64
Windows, 191-195
Emergency Response Core Team (ERCT), 329
EnCase, 17, 76, 107, 117, 118, 171-174
Encoding, 83, 101
Encrypted file system (EFS), 202-204
asymmetric, 91
compression, 101-103
defined, 88-84
digital signatures, 99-94
methods for attacking encrypted text, 88-88
private key, 99-95
public key, 99-92, 94
secret key, 99-91
session key, 94
symmetric, 90
trusted third parties, 99-96
using and cracking, 105, 101-113
Enhanced Integrated Drive Electronics (EIDE), 66
Environment variables, 212-214
Eudora, 35, 46
analysis of, 12-20
authenticating, 13
checklists, 11-19
information resources, 21
log, 8
presenting, in court, 12-20
preservation of, 19, 315
rule of best, 313-319
techniques for collecting, 262-269
Evidence, acquiring
chain of custody, 6, 9-9
collection process, 9
comparison of approaches to, 7
documenting, 12
identification, 1-11
photographs, taking, 11-11
pulling the plug versus not pulling the plug, 6-6
storage, 12
transportation, 11-12
Exabyte Mammoth drives, 174
Executable files, 304
Explore/RunMRU, 186


Farmer, Dan, 164, 167, 263, 269
fdisk, 151, 222-221, 282-285
FDISK, 68, 76
Federal Computer Fraud and Abuse Act, 323
file, 232-233
File Allocation Table (FAT), 16, 72
FileList, 170
Files, hidden, 303-301
FileStat, 164
Filesystem, 77-74, 212-221
analysis of, 282-298
block device, 212-220
copying, 282-295
device number, 219
imaging, 282-289
permissions, 212-219
File viewers, 151-153
Filter_we, 170
find, 222-230, 233, 297
Firewall Administrator (FA), 332
Forensic-Computers.com, 80, 171-176
Forensics, defined, 1
Forensic Toolkit, 122, 161-164
ForensiX, 161-169, 266
Format, 68, 73
Foundstone, 122
FreeBSD, 208


Gammaprog, 145
GetFree, 170
GetSlack, 170
GetTime, 170
Ghost, 161-163
GIF, 102
Gnome, 300
Google, 51
grave-robber tool, 165
Greenwich mean time (GMT), 221
grep, 222-228
Guidance Software, 17, 174
GUIDs (Globally Unique Identifiers), 171-180


Hacking Exposed (Scambray, McClure, and Kurtz), 122
Hard drives
controllers, 66-67
copying, 282-285
defined, 65
erasing, 77-78
finding data in unallocated spaces, 77-77
kits, 174
in laptops, 78-81
operating systems, 77-72
parameters, 66-68
partition table, viewing and operating, 67-70
soft configuration on, 68
tools for partition-viewing, 151
Hard link, 228
Hardware, 171-176
Hash function, 89, 90
Hash table, 89
Hash value, 13, 89-90
Hex editor, 16, 17
HFind, 164
Higbee, Aaron, 34
High Technology Crime Investigation Association (HTCIA), 312
Hostile code (malware), 6
access exploits, 141-143
antivirus (AV) software, 128, 146
bombs, logic and time, 139
bots, 137
categories of, 131-132
cracking programs, 141-145
defined, 121-130
denial-of-service, 131-139
to hide tracks, 140
purpose of, 131-136
resource/identity theft, 131-137
Trojan horse, 141-142
vulnerability scanners, 141-144
Hostile processes, signs of, 279
Howard, John D., 242-247
Hypertext Transfer Protocol (HTTP), 32, 275, 295
Hypnopaedia, 145


icq bombs, 139
ICSA Labs, 146
Identification of evidence, 1-11
Identity theft, 131-137
I Love You/Lovebug worm, 131, 141
Image MaSSter, 11-15, 81, 141, 175
Image tape, creating an, 15
Imaging filesystems, 282-289
Incident response, 2
data center application profile, 334, 353-351
form, 353-361
goals of, 323-328
priorities, 332, 335
roles and responsibilities of organizations involved in, 323-333
steps in, 333-349
what to record, 353-352
Information resources
See also Web resources
for hostile code, 141-148
on intrusion detection systems, 66-63
Inode list, 214
Inode table, 72, 212-215
INSO, 117
Integrated Drive Electronics (IDE), 66
Intelligent Computer Solutions (ICS), 175
Internet, basics of, 22-28
Internet Assigned Numbers Authority (IANA), 26
Internet Corporation for Assigned Names and Numbers (ICANN), 29
Internet Explore Key, 112, 181-188
Internet Explorer, 116, 117
Internet Mail Access Protocol (IMAP), 36
Internet service providers (ISPs)
logs of, 9, 247
obtaining information from, 33-35
Interviewing suspects, 314
Intrusion detection systems (IDS), 66-63
Inverse lookup, 30
Iomega Zip Guest, 15
IP address, 25
reading obfuscated, 22-27
registries, 63
ISS, 143


Jetform, 10
John the Ripper, 145
Joy, Bill, 363
JPEG, 102


KDE, 300
Kernel attacks, 121-128
Key-cracking programs, 88-85
Key escrow, 88
Key recovery, 88
Keyword searches, 11-17, 303-308
Klaus, Christopher, 143
Korn, David, 211
Korn shell (ksh), 211
Kurtz, George, 122


Laptops, hard drives in, 78-81
Large Block Addressing (LBA), 68
Lazarus tool, 161-167
Legal issues
court orders, obtaining, 322
criminal versus civil courts, 323-324
dollar loss valuations, 315
grand jury versus preliminary hearing, 315
information protection laws, 323
law enforcement, working with tips, 313-318, 313-320
legal access issues, 323-322
notifying agencies, 312
preservation of evidence, 19, 315
recidivism, 316
rule of best evidence, 313-319
search warrants and probable cause, 313-314
subpoenas, 314
testifying as an expert witness, 322
wiretap laws, 323-323
Lightweight Directory Access Protocol (LDAP), 216
Link, 215
boot CD, creating a, 373-378
crowbarring, 375
ForensiX, 161-169
Linux kernel, 111-114
attacks, 121-128
Log editors, 254
Logic bombs, 139
analysis of, 292-295
legal issues regarding, 323-322
logon, 292-295
signs of suspicious, 292-293
usefulness of, 291
Loopback device, 289
L0phtCrack, 88-85, 112, 113, 144
L0pht Heavy Industries, 144
LostPassword.com, 112
lsof, 278


MacOpener, 151
mactime, 292-291
Mail API (MAPI), 36
Mail bombs, 139
Mailboxes, 36
Mail server, 36
Mail transfer agents (MTAs), 37
Malware. See Hostile code (malware)
Manchurian Candidate syndrome, 264
man pages, 222-236
Maresware's Disk_crc, 150
Master drive, 66
McClure, Stuart, 122
MD5, 13, 15, 89, 90, 282-289
Media access control (MAC), 25, 22-28
Melissa virus, 131, 141, 177
Memory, copying system, 272-274
Message digest, 89
Microsoft, 36
See also Windows 95 and 98; Windows NT; Wndows3.1; Windows 2000
filesystem, 77-73
format, 73
Office, 107
operating system, 72
Outlook, 35, 42, 151-161
Outlook Express, 44-42
streams, 121-122
Systems Management Server, 133
Word, 77-75, 101-107
mkfs, 73
Morse Code, 83
mount, 222-224, 282-284
Mount directory, 224
Mounting, 73
Mount point, 224
MPEG, 102
MSNBC, 9-9
Mssqlpwd, 145
M-Sweep, 170
Multimedia Internet Mail Extension (MIME), 101


NATShell, 58
NBScan, 58
nbtstat, 55-57, 58
Neotrace, 57
Nessus, 141-144
NetBIOS, 55-57
Auditing Tool (NAT), 58
over TCP/IP (NBT), 55
tool, 55-58
NetBus, 133, 142
netcat, 248, 267, 262-269, 286
NetScanTools Pro, 30, 42, 57
netstat, 58, 272-275
Net Threat Analyzer, 170
NetTools, 55-58
Network Administrator (NA), 333-332
Network Associates, 95
Network connections, analysis of, 272-276
Network Information System (NIS), 212-217
Network interface card (NIC), 28
Network News Transfer Protocol (NNTP), 54
Network scanning, 134
Network sniffing, 131-135
Network Solutions, 30
New session, 156
News groups
compared to email, 35
Usenet, 45-54
New Technologies Inc. (NTI), 13, 17, 150, 163, 161-170
Nmap, 143
Northwest Airlines, 321
Norton Utilities, 17, 156
Notes, 35
nslookup, 29, 30
ntaccess, 114
NTFS. See Windows NT File System
NTLast, 164
ntpassword, 111-114


Office, 107
OnTrack, 78
OpenBSD, 208
Open Systems Interconnection (OSI), 24
Operating environment, 14
Operating systems, 77-72
Order of volatility, 262-281
Outlook, 35, 42, 151-161
Outlook Express, 44-42


Packet mode, 156
Packets, 25
Pager bombs, 139
PalmCrack, 145
Parity bits, 89
Partinfo, 67-70, 151
PartitionMagic, 67-70, 151
Partition table
analysis of, 15
viewing and operating, 67-70, 151
Partition types, 69
changing, 111-116
cracking, 141-145
encrypting, 88-88
possible locations for, 109
recovery tools, 111-113
reusable, 33-34, 111-111
sniffers, 131-135
pcAnywhere, 133
pcat, 281
Perl (Practical Extraction and Report Language), 122, 240
PGP, 37
Photographing evidence, 11-11
ping, 27, 28, 32
PkCrack, 145
PKCS #7, 94
Platters, 68
Point of Presence (POP), 32
Point to Point Protocol (PPP), 32
Post Office Protocol (POP), 36
Partinfo, 67-70
PartitionMagic, 67-70
Pretty Good Privacy (PGP), 99-96
Private key, 99-95
/proc, 272-279
Process accounting, 296
Process identity (PID), 272-280
Process information utilities, 277
Process status commands, 278
ps, 277, 278
PST file, 181-186
PTable, 170
Public key encryption, 99-92, 94
Public Key Infrastructure (PKI), 92, 99-99
Public Switched Telephone Network (PSTN), 26
PWLTool, 191-192


Quick View Plus (QVP), 16, 117, 151, 152


RADIUS (Remote Authentication Dial-In User Service), 33-34, 247
on evidence, 21
RC5, 90
Read/write head, 67
RedHat, 208
Registry, Windows, 181-188
Reid and Associates, John E., 314
Remote copy (rcp), 298
Remote login (rlogin), 298
Remote shell (rsh), 267, 268, 298
Repudiation, 92
Researching Internet inhabitants, Web resources for, 66-64
Resource theft, 131-137
Reverse lookups, 29
Rivest, Shamir, and Adleman (RSA), 90, 91, 94
Rootkits, 127, 138, 252-260
Rootshell, 283
Rosenblatt, Ken, 322
Roth, Dave, 122
Routers, 22-26
Running processes, analysis of, 272-281


SAFESuite, 143
Samba, 58
Sam Spade, 30
SANS Institute, 139
SATAN (System Administrator's Tool for Analyzing Networks), 134, 143
Scambray, Joel, 122
script, 227
Script kiddie, 84
Secret key encryption, 99-91
Secure Multipurpose Internet Mail Extensions (S/MIME), 37
Secure shell (scp), 268
Security Account Manager (SAM), 112, 113
Security Consultant (SC), 333-333
Security Investigator (SI), 333
Seized, 170
Session key, 94
Set group ID (SGID), 212-218, 302
Set user ID (SUID), 212-218, 302
Sfind, 122, 164
SHA, 13, 89, 90
Shells, 202-211, 267, 268, 303-306
Shell scripts, 202-210
ShowFL, 170
Simple Mail Transfer Protocol (SMTP), 37
server logs, 49
Slack space
analysis of, 11-18
defined, 73, 74
Slave drive, 66
Slaves, 138
Slurpie, 145

Small Computer Systems Interface (SCSI), 66-67

SmartWhois, 55-59
Smith, David, 177
Software, forensic
See also under name of program
CD-Rs, examining, 151-158
disk wiping, 163
drive-imaging, 161-163
file viewers, 151-153
hard drive tools, 151
images, examining, 151-155
text searches, 151-161
tips before using, 141-150
unerase tools, 156
Solaris, 127, 128, 207
crowbarring, 373-376
Sony, digital camera, 11
Steganography, 121-127
Steganos, 124, 125
Stevens, W. Richard, 23
S-Tools, 121-126
Storage of evidence, 12
strings, 232-236
Subdirectories, analysis of, 11-16
SubSeven.Trojan, 141
sum, 241
Superblock, 221
Surety, 100
Swap space, 209
Symantec pcAnywhere, 133
Symbolic link, 215, 228
Symmetric encryption, 90
SysInternals, 122
syslog, 291
System auditing, 292-296
System compromise, levels of, 265
System environment, hiding data by changing, 121-128
System Owner/Administrator (SA), 333-331
Systems Management Server (SMS), 133
System V, 207


tar archive file, 242-243, 282-288
Tarball, 241
TCPDump, 134
TCP/IP (Transmission Control Protocol/ Internet Protocol), 23, 24
TCP/IP Illustrated (Stevens), 23
TCP Wrapper, 292-295
tcsh, 211
Text filters, 232-238
Text searches, 151-161
TextSearch Plus, 170
The Coroner's Toolkit (TCT), 128, 161-167, 266, 281
ThumbsPlus, 151-155
TIFF, 102
Time, UNIX, 221
Time bombs, 139
Timestamping, 13, 91-100
/tmp, 301
tomsrtbt, 114
touch, 232-240
Traceback, 138
traceroute, 27, 33-31, 57
tracert, 30
Tracks, 67
Transporting evidence, 11-12
Triple DES (3DES), 90
Tripwire, 13, 62, 264, 266, 297
Trojan horse, 141-142, 255
TruSecure, 146
Trust relationships, 293-300


Unallocated space
analysis of, 11-18
finding data in, 77-77
Unerase tools, 17, 156
Universal Coordinated Time, 221
Universal Resource Locators (URLs), 33-32
University of California, Berkeley, 207
archives, 242-243
comparison tools, 242-241
components, 202-214
dd, 242-244
dot files, 307
file command, 119
filesystem, 72, 73, 212-221
file time attributes, 221
format, 73
history of, 202-208
how to learn, 363-365
logon logs, 294
man pages and commands, 222-236
mount, 222-224
operating system, 77-72
programming language, 232-240
text filters, 232-238
Unix host attacks
attackers, characteristics of, 245, 246
back door creation, 252-255
chain of, 242-248, 249
covering of tracks, 252-254
goals of, 242-250
initial compromise, 251
intelligence gathering, 252-251
inventory, 255
locating potential victims, 250
log editors, 254
privilege escalation, 251
reconnaissance, 252-253
rootkits, 252-260
signs of, 279
summary of attack types and characteristic evidence, 249
Unix host attacks, what to examine
accounting, 296, 298
auditing, 292-296
core dumps, 303-305
directories and files, 303-301, 303-304
email, 306
filesystem, 282-298
hostile codes, 282-283, 303-303
keywords, 303-308
levels of attacks, 264
Manchurian Candidate syndrome, 264
order of volatility, 262-281
process accounting, 296
shells, 303-306
system compromise, levels of, 265
techniques for collecting evidence, 262-269<
trust relationships, 293-300
Unix to Unix Copy (UUCP), 101
UnixWare, 207
Usenet, 45-54
deciphering headers, 55-53
tracking posts, 55-54
User Datagram Protocol (UPD), 57
utmp, 254
UUCP (Unix to Unix Copy), 101


vCards, 194
Venema, Wietse, 164, 263, 269, 293
vi, 363
Video display, 272-273
Viewers, file, 151-153
antivirus (AV) software, 128, 146
Caligula MS Word virus, 135
Melissa, 131, 141, 177
Volatility, order of, 262-281
Vulnerability scanners, 141-144


Weaver, Robert, 324
Webcracker, 145
Web resources
See also Information resources
on analysis, 309
on evidence, 21
for hostile code, 148
for researching Internet inhabitants, 66-64
on training, 21
Wells, Joe, 146
What's Up Gold, 28
whois, 23-30
SmartWhois, 55-59
WildList Organization International, 146
Windows Internet Naming Service (WINS), 26
Windows 95 and 98
email, 193
email signatures, 191-195
investigating, 171-182
registry, 181-188
what to look for, 181-192
Windows NT, 111-113
changing passwords, 111-116
investigating, 191-197
kernel attacks, 121-128
rootkits, 127
streams, 121-122
Windows NT File System (NTFS), 15, 191-197
streams, 121-122
Windows 3.1, investigating, 202-205
Windows 2000, 121
dynamic disks, 198
encrypted file system, 202-204
exporting private key, 363-373
investigating, example of, 192-204
persistent connections, 202-201
registry, 183, 184
system administration tools, 192-200<
user home directories, 201
winipcfg, 56-61
Win32 Perl Scripting: The Administrator's Handbook (Roth), 122
WinZip, 101, 102, 114, 182, 243
Wiretap laws, 323-323
backup copies, 101-109
Caligula MS Word virus, 135
Word 97, slack space in, 77-75
Worms, 131, 141
Wotsit's Format, 111-119
wtmp, 254


xargs, 230
X.509, 98
X Windows System, 272


Zipcrack, 145
Zip Guest, 15
ZipPassword, 114
Zombies, 138


Submit Errata

More Information

Unlimited one-month access with your purchase
Free Safari Membership