
Computer Forensics: Incident Response Essentials





  • Copyright 2002
  • Dimensions: 7-3/8" x 9-1/4"
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-70719-5
  • ISBN-13: 978-0-201-70719-9

Every computer crime leaves tracks—you just have to know where to find them. This book shows you how to collect and analyze the digital evidence left behind in a digital crime scene.

Computers have always been susceptible to unwanted intrusions, but as the sophistication of computer technology increases so does the need to anticipate, and safeguard against, a corresponding rise in computer-related criminal activity.

Computer forensics, the newest branch of computer security, focuses on the aftermath of a computer security incident. The goal of computer forensics is to conduct a structured investigation to determine exactly what happened, who was responsible, and to perform the investigation in such a way that the results are useful in a criminal proceeding.

Written by two experts in digital investigation, Computer Forensics provides extensive information on how to handle the computer as evidence. Kruse and Heiser walk the reader through the complete forensics process—from the initial collection of evidence through the final report. Topics include an overview of the forensic relevance of encryption, the examination of digital evidence for clues, and the most effective way to present your evidence and conclusions in court. Unique forensic issues associated with both the Unix and the Windows NT/2000 operating systems are thoroughly covered.

This book provides a detailed methodology for collecting, preserving, and effectively using evidence by addressing the three A's of computer forensics:

  • Acquire the evidence without altering or damaging the original data.
  • Authenticate that your recorded evidence is the same as the original seized data.
  • Analyze the data without modifying the recovered data.

Computer Forensics is written for everyone who is responsible for investigating digital criminal incidents or who may be interested in the techniques that such investigators use. It is equally helpful to those investigating hacked web servers and to those investigating the source of illegal pornography.




Table of Contents



 1. Introduction to Computer Forensics.

 2. Tracking an Offender.

 3. The Basics of Hard Drives and Storage.

 4. Encryption and Forensics.

 5. Data Hiding.

 6. Hostile Code.

 7. Your Electronic Toolkit.

 8. Investigating Windows Computers.

 9. Introduction to Unix for Forensic Examiners.

10. Compromising a Unix Host.

11. Investigating a Unix Host.

12. Introduction to the Criminal Justice System.

13. Conclusion.

Appendix A. Internet Data Center Response Plan.

Appendix B. Incident Response Triage Questionnaire.

Appendix C. How to Become a Unix Guru.

Appendix D. Exporting a Windows 2000 Personal Certificate.

Appendix E. How to Crowbar Unix Hosts.

Appendix F. Creating a Linux Boot CD.

Appendix G. Contents of a Forensic CD.

Annotated Bibliography.

Index.



Billions of dollars are lost annually to crime, and computers are increasingly involved. It is clear that law enforcement agencies need to investigate digital evidence, but does it make sense to encourage a bunch of computer administrators to become junior g-men? Do we really need amateur digital sleuths? In a word, yes. Bad things are happening on computers and to computers, and the organizations responsible for these computers have a need to find out what exactly happened. You probably cannot pick up the phone and bring in law enforcement officials every time something anomalous happens on one of your servers and expect them to send out a team of forensic specialists, and even if you could, your corporate executives may not want that. All major corporations have internal security departments that are quite busy performing internal investigations. However, the security professionals who typically fill this role are accustomed to dealing with theft and safety issues and are often ill-prepared to deal with computer crime.

This book is inspired by the needs of the people who attend the authors' seminars on computer forensics. If for no other reason than these sold-out seminars, we know that there is a big demand for greater expertise in digital investigations. System administrators and corporate security staff are the people we've designed the book for. Most of the seminar attendees are fairly skilled in the use and maintenance of Microsoft environments. Some of them are Unix specialists, but many students have expressed a strong desire to learn more about Unix. Once a corporation discovers that it knows someone who can investigate Windows incidents, it is assumed that he or she knows everything about computers, and it is usually only a matter of time until this person is pressured into taking a look at a suspect Unix system.

Our students come from a wide variety of backgrounds and have diverse investigatory needs and desires. We try to accommodate these varying agendas in this book, to which we bring our experience in investigation and incident response. Warren Kruse is a former police officer who regularly performs computer forensic examinations inside and outside of Lucent Technologies. Jay Heiser is an information security consultant who has been on the response teams for numerous hacked Internet servers. To the maximum extent possible, this book contains everything useful that we've learned from performing investigations and teaching others to do so for themselves. We know what questions will be asked, and this book is designed to answer them. It is a practical guide to the techniques used by real people to investigate real computer crimes.

How to Read This Book

This book can be read cover to cover, as a complete introductory course in computer forensics. However, it is also meant to serve as a handbook, and we expect many readers to be familiar with some of the subjects we cover. For that reason, each chapter is a complete unit and can be read when convenient or necessary. You probably specialize in one or more of the areas covered in this text. However, we believe that the information presented in this book is at the minimum required level of legal and computer literacy, and we urge you to become knowledgeable in all of the areas we cover: legal, procedural, and technical.

A brief description of the information covered in each chapter is provided in the sections that follow.

Introduction to Computer Forensics

Chapter 1 outlines the basic process of evidence collection and analysis, which is the meat of computer forensics. Even those readers with a background in law enforcement will find new techniques in this chapter that are specific to computer forensics.

Tracking an Offender

The Internet is pervasive, and a high percentage of your investigations will involve either incoming or outgoing Internet traffic. The material in Chapter 2 will help you interpret the clues inside of email messages and news postings. It will also start you on the path toward becoming an Internet detective, using standard Internet services to perform remote investigations.

The Basics of Hard Drives and Storage Media

For the computer sleuth, hard drives are the most significant containers of evidence. Chapter 3 provides an understanding of both their logical and their physical configurations. It covers partitions and low-level formatting, filesystems, and hardware drive interfaces.

Encryption and Forensics

Cryptography has become ubiquitous in the virtual world of the Internet. A skilled investigator must have a solid understanding of the technology and goals of modern cryptography. It is relevant both in understanding evidence and, interestingly, in the preservation of evidence. Many investigators lack a necessary level of crypto-literacy, so Chapter 4 provides a broad introduction to encryption with special emphasis on its significance and application in computer forensics. We also discuss common encoding and archiving formats (such as uuencode and PKZIP) that can complicate your keyword searches. As digital signature technology grows in legal significance and finds new uses, forensic investigators will be expected to understand its limitations and must have a firm grasp of the ways in which a digital identity can be stolen. The digital timestamping of forensic evidence will soon become standard procedure in digital investigations. If you already have a background in these encryption concepts, then you may wish to skim this chapter.

Data Hiding

Being able to find hidden data is a crucial investigative skill. Even if you are highly crypto-literate, you still may not be aware of steganography (the art of hiding information by embedding covert messages within other messages) and other data-hiding techniques. Continuing the subject of encryption, Chapter 5 describes the use of specific password-cracking tools that we have successfully used during our investigations. This chapter categorizes and describes the ways that data can be hidden, not just by encryption, and provides practical guidance on how to find and read hidden data.

Hostile Code

Being able to identify and understand the implications of criminal tools is a skill that every investigator needs. Given that hostile code can be arcane and that few readers have a background in it, Chapter 6 provides an introduction to the topic and an overview of the types and capabilities of digital criminal tools that the investigator may encounter. We've included a couple of war stories involving the recent use of "hacker tools" on corporate PCs, which is becoming increasingly common.

Your Electronic Toolkit

Although forensic-specific tools have a certain James Bond-like appeal (and we cover these products), a large percentage of your work will be done with system tools that were not specifically created for the unique needs of forensic investigation. Chapter 7 introduces you to a wide variety of utility types and specific brand-name tools, along with instructions for their use in a digital investigation.

Investigating Windows Computers

Microsoft Windows, in all its various flavors, is the most widely used family of operating systems. While Chapter 8 assumes some background in Windows, you don't need to be a Microsoft Certified Systems Engineer in order to apply the techniques and tricks we discuss. Emphasis is placed on Windows NT 4.0 and Windows 9x, but several important new Windows 2000 features, such as the Encrypting File System, are covered. An experienced investigator soon learns that nothing is too obsolete to be in daily use somewhere, so the chapter concludes with Windows 3.1-specific material.

Introduction to Unix for Forensic Examiners

For those readers with no prior Unix experience, Chapter 9 provides an introduction with special emphasis on Unix characteristics that are most significant for the forensic investigator. Experienced Unix users can skim or skip this chapter.

Compromising a Unix Host

Chapter 10 is intended as background material for the investigation of hacked Internet hosts. It describes the process that Unix attackers typically use and provides an understanding of the goals of typical system hackers.

Investigating a Unix Host

While emphasizing the investigation of hacked Unix hosts, Chapter 11 describes techniques that are applicable to all forms of Unix investigation. It contains a detailed set of Unix-specific techniques and processes that use common Unix utilities for collecting and evaluating evidence. It also contains instructions on using a Unix boot CD to capture information over a network when you can't attach hardware directly to a suspect system.

Introduction to the Criminal Justice System

The final chapter explains what you need to do after you have begun collecting evidence and provides an overview of the criminal justice process. Legal concepts such as affidavits, subpoenas, and warrants are described. You will be a more effective interface between your organization and law enforcement agents if you understand what they do and how both investigations and prosecutions are structured by the legal system.


As in most books, the appendixes in this one contain information that doesn't fit neatly anywhere else. They are standalone guides to specific needs.

Appendix A, Internet Data Center Response Plan, defines a process for handling computer security incidents in Internet Data Centers.

Appendix B, Incident Response Triage, provides a list of general questions that should be asked during the investigation of a computer crime incident.

Appendix C, How to Become a Unix Guru, provides self-study suggestions for forensic examiners who want to improve their ability to investigate Unix hosts.

Appendix D, Exporting a Windows 2000 Personal Certificate, graphically depicts the process of exporting a Personal Certificate from a Windows 2000 computer. Investigators should practice this process to prepare themselves for incidents involving the Encrypted File System.

Appendix E, How to Crowbar Unix Hosts, describes the process of gaining administrative access to a Unix system by booting it from a floppy or CD.

Appendix F, Creating a Linux Boot CD, provides several suggestions on techniques and technology sources that are useful in the creation of bootable Linux CDs that can be used to crowbar Unix or NT systems. Booting from a Linux CD can also provide a trusted environment useful for examining or collecting evidence when it is not feasible to remove the hard drive from a system.

Appendix G, Contents of a Forensic CD, provides a shopping list of useful tools that should be considered the minimum set of forensic utilities that an examiner brings during an incident response.




Access control circumvention, 141-143
AccessData, 111, 114
Accounting, 296, 298
Addresses
application, 33-32
IP, 22-28
media access control (MAC), 25, 22-28
private, 25
registries, 63
uniqueness of, 22-26
Address Resolution Protocol (ARP), 22-28
Advanced ZIP Password Recovery (AZPR), 114
AFind, 164
Aimpw, 145
America Online (AOL), 34, 135, 141, 247
"Analysis of Security Incidents on the Internet 1981-1995, An" (Howard), 242-247
Antivirus (AV) software, 128, 146
Application addresses, 33-32
Application Developer/Administrator (AA), 330
Application Owner (AO), 323-330
Application Programming Interface (API), 70
Archive file, 101, 102, 242-243
ASCII (American Standard Code for Information Interchange), 83, 100
Asymmetric encryption, 91
AT&T, 207
Attachments, email, 47
attrib command, 119
Auditing, 292-296
Authentication of evidence, 13
AutoComplete, 183, 1854


Back doors, 252-255
Back Orifice, 133, 142
Backups, 11-15, 174
Bash (Bourne Again Shell), 211
Berkeley R utilities, 298
BinHex, 101
!Bios, 145
Bit stream, 15
Block device, 212-220
Blocks, 73
Blowfish, 90
Bombs, logic and time, 139
Bootable Business Card, 114
Bootable Recovery Disk, 151
Boot sector, analysis of, 16
Bots, 137
Bourne shell, 210
Breaking, 84
Brute force attack, 84, 144
BSD, 202-208
Buffer overflow attack, 141-143
Business Records Exception, 323-322


CAB, 102
CAIN tool, 85, 110, 141-145, 191
Caldera, 208
Caligula MS Word virus, 135
Carrier, 123
Carvey, Harlan, 122
Case folder, 11
cat, 285, 286
CD, contents of forensic, 373-380
CD-R Diagnostics, 156, 157
CD-Rs, 151-158
CD Universe, 9
CERT, 297
Certificate authority (CA), 99-98
Certificate Policy (CP), 98
Certificate Revocation List (CRL), 98
Certification practice statements (CPS), 98
Certs (digital certificates), 96
Chain of custody, 6, 9-9, 315
Checksums, 89, 241
Citrix WinFrame, 133
Client application, 35
Clusters, 73
Codes, 83, 101-101, 344
analysis of hostile, 282-283, 303-303
Cohen, Fred, 167, 169
Collision free, 89
Compression, 101-103
Compromise, 85
Computationally infeasible, 88
Computer crime, categories of, 2
Computer forensics
defined, 3-3
goals of, 4
history of, 3
steps in, 3, 2-20
Computers, search of personally owned, 323-321
Connection laundering, 248
Conversions Plus, 151-153
Core dumps, 303-305
Courtroom presentation, tips for, 12-20
cp, 285
C programming language, 238
Cracking, 84
CRCMD5, 13, 150, 169
crontab, 303-303
Crowbarring Unix hosts, 373-376
CrucialADS, 122
Crucial Security, 122
Cryptanalysis, 84
Cryptographer, 84
Cryptography
defined, 84
integrity services, 89-90
privacy services, 99-99
steganography, 121-127
Cryptologists, 84
Cryptology, 84
C shell, 22-211
Cyclic redundancy checks, 89
Cylinder, 67


Data center application profile, 334, 353-351
Data hiding
See also Passwords
changing file's extension, 111-118
changing system environment, 121-128
encryption, using and cracking, 105, 101-113
finding, 111-120
methods for, 101-107
off of the computer, 121-123
steganography, 121-127
streams, 121-122
Data in unallocated spaces, finding, 77-77
Data mining, 134
Data recovery services, 77-78
Data Viz, 151
dd, 242-244, 273, 282-286
Deleted files, retrieving, 17
Denial-of-service, 131-139, 276, 343-343
DES, 90
/dev, 303
Dial-up service, 33-35
Dictionaries, 144
diff, 242-241
dig, 30
Digests, 51
DigiStamp, 100
Digital certificates 99-99
Digital notary, 91-100
Digital signatures, 99-94
Digital timestamping, 91-100
Digital watermarks, 121-127
Directories, 72
analysis of, 303-301, 303-304
hidden, 303-301
user, 304
Directory listing, analysis of, 11-16
Directory service, 98
unerase, 156
wiping, 163
DiskScrub, 163, 169
DiskSig, 150, 169
Distributed denial-of-service (DDoS), 138
Distributed Network Attack (DNA) program, 111-112
Documentation, collecting evidence and, 12
Domain name resolution, 28
Domain Name Service (DNS), 23-30
Dot files, Unix, 307
Drive-imaging programs, 161-163
dtSearch, 151-161
Dynamically linked libraries (DLLs), 121-128
Dynamic Host Configuration Protocol (DHCP), 26


Elliptic curve, 92
Email
analysis of, 306
attachments, 47
bombs, 139
compared to news groups, 35
deciphering headers, 44-48
faking return addresses, 33-38
signatures, 191-195
tracking, 34-48
Web-based, 39
Web resources, 64
Windows, 191-195
Emergency Response Core Team (ERCT), 329
EnCase, 17, 76, 107, 117, 118, 171-174
Encoding, 83, 101
Encrypted file system (EFS), 202-204
Encryption
asymmetric, 91
compression, 101-103
defined, 88-84
digital signatures, 99-94
methods for attacking encrypted text, 88-88
private key, 99-95
public key, 99-92, 94
secret key, 99-91
session key, 94
symmetric, 90
trusted third parties, 99-96
using and cracking, 105, 101-113
Enhanced Integrated Drive Electronics (EIDE), 66
Environment variables, 212-214
Eudora, 35, 46
Evidence
analysis of, 12-20
authenticating, 13
checklists, 11-19
information resources, 21
log, 8
presenting, in court, 12-20
preservation of, 19, 315
rule of best, 313-319
techniques for collecting, 262-269
Evidence, acquiring
chain of custody, 6, 9-9
collection process, 9
comparison of approaches to, 7
documenting, 12
identification, 1-11
photographs, taking, 11-11
pulling the plug versus not pulling the plug, 6-6
storage, 12
transportation, 11-12
Exabyte Mammoth drives, 174
Executable files, 304
Explore/RunMRU, 186


Farmer, Dan, 164, 167, 263, 269
fdisk, 151, 222-221, 282-285
FDISK, 68, 76
Federal Computer Fraud and Abuse Act, 323
file, 232-233
File Allocation Table (FAT), 16, 72
FileList, 170
Files, hidden, 303-301
FileStat, 164
Filesystem, 77-74, 212-221
analysis of, 282-298
block device, 212-220
copying, 282-295
device number, 219
imaging, 282-289
permissions, 212-219
File viewers, 151-153
Filter_we, 170
find, 222-230, 233, 297
Firewall Administrator (FA), 332
Forensic-Computers.com, 80, 171-176
Forensics, defined, 1
Forensic Toolkit, 122, 161-164
ForensiX, 161-169, 266
Format, 68, 73
Foundstone, 122
FreeBSD, 208


Gammaprog, 145
GetFree, 170
GetSlack, 170
GetTime, 170
Ghost, 161-163
GIF, 102
Gnome, 300
Google, 51
grave-robber tool, 165
Greenwich mean time (GMT), 221
grep, 222-228
Guidance Software, 17, 174
GUIDs (Globally Unique Identifiers), 171-180


Hacking Exposed (Scambray, McClure, and Kurtz), 122
Hard drives
controllers, 66-67
copying, 282-285
defined, 65
erasing, 77-78
finding data in unallocated spaces, 77-77
kits, 174
in laptops, 78-81
operating systems, 77-72
parameters, 66-68
partition table, viewing and operating, 67-70
soft configuration on, 68
tools for partition-viewing, 151
Hard link, 228
Hardware, 171-176
Hash function, 89, 90
Hash table, 89
Hash value, 13, 89-90
Hex editor, 16, 17
HFind, 164
Higbee, Aaron, 34
High Technology Crime Investigation Association (HTCIA), 312
Hostile code (malware), 6
access exploits, 141-143
antivirus (AV) software, 128, 146
bombs, logic and time, 139
bots, 137
categories of, 131-132
cracking programs, 141-145
defined, 121-130
denial-of-service, 131-139
to hide tracks, 140
purpose of, 131-136
resource/identity theft, 131-137
Trojan horse, 141-142
vulnerability scanners, 141-144
Hostile processes, signs of, 279
Howard, John D., 242-247
Hypertext Transfer Protocol (HTTP), 32, 275, 295
Hypnopaedia, 145


icq bombs, 139
ICSA Labs, 146
Identification of evidence, 1-11
Identity theft, 131-137
I Love You/Lovebug worm, 131, 141
Image MaSSter, 11-15, 81, 141, 175
Image tape, creating an, 15
Imaging filesystems, 282-289
Incident response, 2
data center application profile, 334, 353-351
form, 353-361
goals of, 323-328
priorities, 332, 335
roles and responsibilities of organizations involved in, 323-333
steps in, 333-349
what to record, 353-352
Information resources
See also Web resources
for hostile code, 141-148
on intrusion detection systems, 66-63
Inode list, 214
Inode table, 72, 212-215
INSO, 117
Integrated Drive Electronics (IDE), 66
Intelligent Computer Solutions (ICS), 175
Internet, basics of, 22-28
Internet Assigned Numbers Authority (IANA), 26
Internet Corporation for Assigned Names and Numbers (ICANN), 29
Internet Explore Key, 112, 181-188
Internet Explorer, 116, 117
Internet Mail Access Protocol (IMAP), 36
Internet service providers (ISPs)
logs of, 9, 247
obtaining information from, 33-35
Interviewing suspects, 314
Intrusion detection systems (IDS), 66-63
Inverse lookup, 30
Iomega Zip Guest, 15
IP address, 25
reading obfuscated, 22-27
registries, 63
ISS, 143


Jetform, 10
John the Ripper, 145
Joy, Bill, 363
JPEG, 102


KDE, 300
Kernel attacks, 121-128
Key-cracking programs, 88-85
Key escrow, 88
Key recovery, 88
Keyword searches, 11-17, 303-308
Klaus, Christopher, 143
Korn, David, 211
Korn shell (ksh), 211
Kurtz, George, 122


Laptops, hard drives in, 78-81
Large Block Addressing (LBA), 68
Lazarus tool, 161-167
Legal issues
court orders, obtaining, 322
criminal versus civil courts, 323-324
dollar loss valuations, 315
grand jury versus preliminary hearing, 315
information protection laws, 323
law enforcement, working with tips, 313-318, 313-320
legal access issues, 323-322
notifying agencies, 312
preservation of evidence, 19, 315
recidivism, 316
rule of best evidence, 313-319
search warrants and probable cause, 313-314
subpoenas, 314
testifying as an expert witness, 322
wiretap laws, 323-323
Lightweight Directory Access Protocol (LDAP), 216
Link, 215
Linux
boot CD, creating a, 373-378
crowbarring, 375
ForensiX, 161-169
Linux kernel, 111-114
attacks, 121-128
Log editors, 254
Logic bombs, 139
Logs
analysis of, 292-295
legal issues regarding, 323-322
logon, 292-295
signs of suspicious, 292-293
usefulness of, 291
Loopback device, 289
L0phtCrack, 88-85, 112, 113, 144
L0pht Heavy Industries, 144
LostPassword.com, 112
lsof, 278


MacOpener, 151
mactime, 292-291
Mail API (MAPI), 36
Mail bombs, 139
Mailboxes, 36
Mail server, 36
Mail transfer agents (MTAs), 37
Malware. See Hostile code (malware)
Manchurian Candidate syndrome, 264
man pages, 222-236
Maresware's Disk_crc, 150
Master drive, 66
McClure, Stuart, 122
MD5, 13, 15, 89, 90, 282-289
Media access control (MAC), 25, 22-28
Melissa virus, 131, 141, 177
Memory, copying system, 272-274
Message digest, 89
Microsoft, 36
See also Windows 95 and 98; Windows NT; Windows 3.1; Windows 2000
filesystem, 77-73
format, 73
Office, 107
operating system, 72
Outlook, 35, 42, 151-161
Outlook Express, 44-42
streams, 121-122
Systems Management Server, 133
Word, 77-75, 101-107
mkfs, 73
Morse Code, 83
mount, 222-224, 282-284
Mount directory, 224
Mounting, 73
Mount point, 224
MPEG, 102
MSNBC, 9-9
Mssqlpwd, 145
M-Sweep, 170
Multimedia Internet Mail Extension (MIME), 101


NATShell, 58
NBScan, 58
nbtstat, 55-57, 58
Neotrace, 57
Nessus, 141-144
NetBIOS, 55-57
Auditing Tool (NAT), 58
over TCP/IP (NBT), 55
tool, 55-58
NetBus, 133, 142
netcat, 248, 267, 262-269, 286
NetScanTools Pro, 30, 42, 57
netstat, 58, 272-275
Net Threat Analyzer, 170
NetTools, 55-58
Network Administrator (NA), 333-332
Network Associates, 95
Network connections, analysis of, 272-276
Network Information System (NIS), 212-217
Network interface card (NIC), 28
Network News Transfer Protocol (NNTP), 54
Network scanning, 134
Network sniffing, 131-135
Network Solutions, 30
New session, 156
News groups
compared to email, 35
Usenet, 45-54
New Technologies Inc. (NTI), 13, 17, 150, 163, 161-170
Nmap, 143
Northwest Airlines, 321
Norton Utilities, 17, 156
Notes, 35
nslookup, 29, 30
ntaccess, 114
NTFS. See Windows NT File System
NTLast, 164
ntpassword, 111-114


Office, 107
OnTrack, 78
OpenBSD, 208
Open Systems Interconnection (OSI), 24
Operating environment, 14
Operating systems, 77-72
Order of volatility, 262-281
Outlook, 35, 42, 151-161
Outlook Express, 44-42


Packet mode, 156
Packets, 25
Pager bombs, 139
PalmCrack, 145
Parity bits, 89
Partinfo, 67-70, 151
PartitionMagic, 67-70, 151
Partition table
analysis of, 15
viewing and operating, 67-70, 151
Partition types, 69
Passwords
changing, 111-116
cracking, 141-145
encrypting, 88-88
possible locations for, 109
recovery tools, 111-113
reusable, 33-34, 111-111
sniffers, 131-135
pcAnywhere, 133
pcat, 281
Perl (Practical Extraction and Report Language), 122, 240
PGP, 37
Photographing evidence, 11-11
ping, 27, 28, 32
PkCrack, 145
PKCS #7, 94
Platters, 68
Point of Presence (POP), 32
Point to Point Protocol (PPP), 32
Post Office Protocol (POP), 36
Partinfo, 67-70
PartitionMagic, 67-70
Pretty Good Privacy (PGP), 99-96
Private key, 99-95
/proc, 272-279
Process accounting, 296
Process identity (PID), 272-280
Process information utilities, 277
Process status commands, 278
ps, 277, 278
PST file, 181-186
PTable, 170
Public key encryption, 99-92, 94
Public Key Infrastructure (PKI), 92, 99-99
Public Switched Telephone Network (PSTN), 26
PWLTool, 191-192


Quick View Plus (QVP), 16, 117, 151, 152


RADIUS (Remote Authentication Dial-In User Service), 33-34, 247
on evidence, 21
RC5, 90
Read/write head, 67
RedHat, 208
Registry, Windows, 181-188
Reid and Associates, John E., 314
Remote copy (rcp), 298
Remote login (rlogin), 298
Remote shell (rsh), 267, 268, 298
Repudiation, 92
Researching Internet inhabitants, Web resources for, 66-64
Resource theft, 131-137
Reverse lookups, 29
Rivest, Shamir, and Adleman (RSA), 90, 91, 94
Rootkits, 127, 138, 252-260
Rootshell, 283
Rosenblatt, Ken, 322
Roth, Dave, 122
Routers, 22-26
Running processes, analysis of, 272-281


SAFESuite, 143
Samba, 58
Sam Spade, 30
SANS Institute, 139
SATAN (System Administrator's Tool for Analyzing Networks), 134, 143
Scambray, Joel, 122
script, 227
Script kiddie, 84
Secret key encryption, 99-91
Secure Multipurpose Internet Mail Extensions (S/MIME), 37
Secure shell (scp), 268
Security Account Manager (SAM), 112, 113
Security Consultant (SC), 333-333
Security Investigator (SI), 333
Seized, 170
Session key, 94
Set group ID (SGID), 212-218, 302
Set user ID (SUID), 212-218, 302
Sfind, 122, 164
SHA, 13, 89, 90
Shells, 202-211, 267, 268, 303-306
Shell scripts, 202-210
ShowFL, 170
Simple Mail Transfer Protocol (SMTP), 37
server logs, 49
Slack space
analysis of, 11-18
defined, 73, 74
Slave drive, 66
Slaves, 138
Slurpie, 145
Small Computer Systems Interface (SCSI), 66-67
SmartWhois, 55-59
Smith, David, 177
Software, forensic
See also under name of program
CD-Rs, examining, 151-158
disk wiping, 163
drive-imaging, 161-163
file viewers, 151-153
hard drive tools, 151
images, examining, 151-155
text searches, 151-161
tips before using, 141-150
unerase tools, 156
Solaris, 127, 128, 207
crowbarring, 373-376
Sony, digital camera, 11
Steganography, 121-127
Steganos, 124, 125
Stevens, W. Richard, 23
S-Tools, 121-126
Storage of evidence, 12
strings, 232-236
Subdirectories, analysis of, 11-16
SubSeven.Trojan, 141
sum, 241
Superblock, 221
Surety, 100
Swap space, 209
Symantec pcAnywhere, 133
Symbolic link, 215, 228
Symmetric encryption, 90
SysInternals, 122
syslog, 291
System auditing, 292-296
System compromise, levels of, 265
System environment, hiding data by changing, 121-128
System Owner/Administrator (SA), 333-331
Systems Management Server (SMS), 133
System V, 207


tar archive file, 242-243, 282-288
Tarball, 241
TCPDump, 134
TCP/IP (Transmission Control Protocol/Internet Protocol), 23, 24
TCP/IP Illustrated (Stevens), 23
TCP Wrapper, 292-295
tcsh, 211
Text filters, 232-238
Text searches, 151-161
TextSearch Plus, 170
The Coroner's Toolkit (TCT), 128, 161-167, 266, 281
ThumbsPlus, 151-155
TIFF, 102
Time, UNIX, 221
Time bombs, 139
Timestamping, 13, 91-100
/tmp, 301
tomsrtbt, 114
touch, 232-240
Traceback, 138
traceroute, 27, 33-31, 57
tracert, 30
Tracks, 67
Transporting evidence, 11-12
Triple DES (3DES), 90
Tripwire, 13, 62, 264, 266, 297
Trojan horse, 141-142, 255
TruSecure, 146
Trust relationships, 293-300


Unallocated space
analysis of, 11-18
finding data in, 77-77
Unerase tools, 17, 156
Universal Coordinated Time, 221
Universal Resource Locators (URLs), 33-32
University of California, Berkeley, 207
Unix
archives, 242-243
comparison tools, 242-241
components, 202-214
dd, 242-244
dot files, 307
file command, 119
filesystem, 72, 73, 212-221
file time attributes, 221
format, 73
history of, 202-208
how to learn, 363-365
logon logs, 294
man pages and commands, 222-236
mount, 222-224
operating system, 77-72
programming language, 232-240
text filters, 232-238
Unix host attacks
attackers, characteristics of, 245, 246
back door creation, 252-255
chain of, 242-248, 249
covering of tracks, 252-254
goals of, 242-250
initial compromise, 251
intelligence gathering, 252-251
inventory, 255
locating potential victims, 250
log editors, 254
privilege escalation, 251
reconnaissance, 252-253
rootkits, 252-260
signs of, 279
summary of attack types and characteristic evidence, 249
Unix host attacks, what to examine
accounting, 296, 298
auditing, 292-296
core dumps, 303-305
directories and files, 303-301, 303-304
email, 306
filesystem, 282-298
hostile codes, 282-283, 303-303
keywords, 303-308
levels of attacks, 264
Manchurian Candidate syndrome, 264
order of volatility, 262-281
process accounting, 296
shells, 303-306
system compromise, levels of, 265
techniques for collecting evidence, 262-269
trust relationships, 293-300
Unix to Unix Copy (UUCP), 101
UnixWare, 207
Usenet, 45-54
deciphering headers, 55-53
tracking posts, 55-54
User Datagram Protocol (UDP), 57
utmp, 254
UUCP (Unix to Unix Copy), 101


vCards, 194
Venema, Wietse, 164, 263, 269, 293
vi, 363
Video display, 272-273
Viewers, file, 151-153
Viruses
antivirus (AV) software, 128, 146
Caligula MS Word virus, 135
Melissa, 131, 141, 177
Volatility, order of, 262-281
Vulnerability scanners, 141-144


Weaver, Robert, 324
Webcracker, 145
Web resources
See also Information resources
on analysis, 309
on evidence, 21
for hostile code, 148
for researching Internet inhabitants, 66-64
on training, 21
Wells, Joe, 146
What's Up Gold, 28
whois, 23-30
SmartWhois, 55-59
WildList Organization International, 146
Windows Internet Naming Service (WINS), 26
Windows 95 and 98
email, 193
email signatures, 191-195
investigating, 171-182
registry, 181-188
what to look for, 181-192
Windows NT, 111-113
changing passwords, 111-116
investigating, 191-197
kernel attacks, 121-128
rootkits, 127
streams, 121-122
Windows NT File System (NTFS), 15, 191-197
streams, 121-122
Windows 3.1, investigating, 202-205
Windows 2000, 121
dynamic disks, 198
encrypted file system, 202-204
exporting private key, 363-373
investigating, example of, 192-204
persistent connections, 202-201
registry, 183, 184
system administration tools, 192-200
user home directories, 201
winipcfg, 56-61
Win32 Perl Scripting: The Administrator's Handbook (Roth), 122
WinZip, 101, 102, 114, 182, 243
Wiretap laws, 323-323
backup copies, 101-109
Caligula MS Word virus, 135
Word 97, slack space in, 77-75
Worms, 131, 141
Wotsit's Format, 111-119
wtmp, 254


xargs, 230
X.509, 98
X Windows System, 272


Zipcrack, 145
Zip Guest, 15
ZipPassword, 114
Zombies, 138