Computer Forensics
JumpStart™
Michael G. Solomon
Diane Barrett
Neil Broom
SYBEX®
San Francisco ◆ London
JumpStart
™
Computer Forensics
Michael G. Solomon
Diane Barrett
Neil Broom
Associate Publisher: Neil Edde
Acquisitions and Developmental Editor: Maureen Adams Production Editor: Lori Newman
Technical Editor: Warren G. Kruse Copyeditor: Kathy Grider-Carlyle
Compositor: Jeff Wilson, Happenstance Type-O-Rama Graphic Illustrator: Jeff Wilson, Happenstance Type-O-Rama Proofreaders: Ian Golder, Amy Rasmussen, Nancy Riddiough Indexer: Nancy Guenther
Book Designer: Judy Fung
Cover Designer: Richard Miller, Calyx Design Cover Illustrator: Richard Miller, Calyx Design
Copyright © 2005 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this pub-lication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, pho-tograph, magnetic, or other record, without the prior agreement and written permission of the publisher.
Library of Congress Card Number: 2004113397 ISBN: 0-7821-4375-X
SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. JumpStart is a trademark of SYBEX Inc.
Screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated.
Internet screen shot(s) using Microsoft Internet Explorer 6 reprinted by permission from Microsoft Corporation.
TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by fol-lowing the capitalization style used by the manufacturer.
The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the con-tents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.
Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1
About the Authors
Michael G. Solomon is a full-time security speaker, consultant (http://www.solomonconsulting.com/), trainer, and a former college instructor who specializes in development and assessment security topics. As an IT professional and consultant since 1987, he has worked on projects or trained for more than 60 major com-panies and organizations, including EarthLink, Nike Corporation, Lucent Technologies, BellSouth, UPS, the U.S. Coast Guard, and Norrell.
From 1998 until 2001, Michael was an instructor in the Kennesaw State University’s Computer Science and Information Sciences (CSIS) department, where he taught courses on software project management, C++ programming, computer organization and architecture, and data communications. Michael has an M.S. in mathematics and computer science from Emory University (1998) and a B.S. in computer science from Kennesaw State University (1987).
Michael has also contributed to various security certification books for LANWrights/iLearning, includ-ing TICSA Training Guide and an accompanying Instructor Resource Kit (Que, 2002), CISSP Study Guide (Sybex, 2003), as well as Security+ Training Guide (Que, 2003). Michael co-authored Informa-tion Security Illuminated (Jones and Bartlett, 2005), Security+ Lab Manual Exam Cram 2 (Que, 2005), and authored and provided the on-camera delivery of LearnKey’s CISSP Prep e-Learning course. Michael’s certifications include Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and TruSecure ICSA Certified Security Associate (TICSA).
Diane Barrett has been involved in the IT industry since 1993. She works at Remington College where she taught in the computer networking program for two years before becoming a director. She teaches online classes that include networking, security, and virus protection, and she is the president of a secu-rity awareness corporation that specializes in training.
Diane has co-authored several security and networking books, including MCSA/MCSE 70-299 Exam
Cram 2: Implementing and Administering Security in a Windows Server 2003 Network (Que, 2004) and
Computer Networking Illuminated (Jones and Bartlett, 2005). She is currently volunteering for ISSA’s Generally Accepted Information Security Principles Project in the ethical practices working group. Diane’s certifications include Microsoft Certified Systems Engineer (MCSE) on Windows 2000, MCSE+I on Windows NT 4.0, Certified Information Systems Security Professional (CISSP), Cisco Certified Net-work Associate (CCNA), A+, NetNet-work+, i-Net+, and Security+.
Neil Broom is the President of the Technical Resource Center (http://www.trcglobal.com) in Atlanta, Georgia. As a speaker, trainer, course director, and consultant in the fields of Computer Foren-sics, Information Assurance, and Professional Security Testing, he has over 14 years of experience pro-viding technical education and security services to the military, law enforcement, the health care industry, financial institutions, and government agencies.
Neil is the Lead Instructor and Developer of the Computer Forensics and Cyber Investigations course and the Certified Cyber Crime Examiner (C3E) certification and provides Computer Forensics services to clients in the Metro Atlanta area and the Southeast United States.
Neil is currently the Vice President of the Atlanta Chapter of the International Information Systems Forensics Association, and he is a professional member of the National Speakers Association. His past employment includes the U.S. Navy as a submariner, the Gainesville, Florida Police Department as a law enforcement officer, and Internet Security Systems (ISS) as a security trainer.
Neil has multiple certifications including Certified Information Systems Security Professional (CISSP), Certified Computer Examiner (CCE), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), National Security Agency’s INFOSEC Assessment Methodology (IAM), Microsoft Certified Systems Engineer (MCSE 4.0 and 2000), Microsoft Certified Trainer (MCT), and TruSecure ICSA Certified Security Associate (TICSA).
About the Technical Editor
Warren G. Kruse II, CISSP, CFCE, is the co-author of Computer Forensics: Incident Response Essen-tials, published by Addison-Wesley. Warren has conducted forensics globally in support of cases involving some of the largest law firms and corporations in the world. He is a member of the New York and Euro-pean Electronic Crimes Task Forces of the U.S. Secret Service. He was elected President of the High Tech Crime Investigation Association’s(www.htcia.org) 2005 International Executive Committee.Warren has extensive experience investigating cases involving the illegal use of computer and networks and received the High Tech Crime Investigation Association's (HTCIA) “2001 Case of the Year” award. He is an IACIS Certified Forensic Computer Examiner (CFCE) and an (ISC)2 Certified Information Systems Security
Pro-fessional (CISSP). He lectures on computer forensics for Computer Security Institute (CSI) and has taught computer forensics at the SANS Institute and MIS Training Institute. He is the lead instructor of the hands-on intro and advanced Computer Forensics Bootcamps for Computer Forensic Services, LLC. Warren is a
partner at Computer Forensic Services, LLC (www.computer-forensic.com).
To my wife, best friend, and source of unyielding support, Stacey.
—Michael G. Solomon To my dad, Gerald, who has always encouraged me to be my own person.
—Diane Barrett To my mother, thank you for always believing in me.
—Neil Broom
Acknowledgments
Anything worth doing is worth doing well, and doing anything well generally requires a lot of help. My family has helped me immensely throughout this project. Stacey, Noah, and Isaac are all great fun to be around and often serve as sounding boards. The one focal point of this book, however, is Kim Lindros at LANWrights/ iLearning. She kept the project on track and worked things out regardless of what curve balls I may have sent her way. Kim deserves a huge ovation for her work to get this book into your hands. I truly appreciate the efforts of all the people at LANWrights/iLearning and Sybex to make this project a reality.
—Michael G. Solomon
Thanks to everyone at Sybex for making this book possible, especially Maureen Adams the acquisitions editor and Lori Newman the production editor. Thank you to the wonderful team at LANWrights/iLearning, espe-cially Kim Lindros, who worked so hard behind the scenes to be sure that our work was accurate and com-pleted in a timely fashion. To co-authors Michael Solomon and Neil Broom, thank you for the part each of you played in making this project successful. Thanks to Warren G. Kruse II, our technical reviewer, for making cer-tain our writing was technically and procedurally sound. Finally, special thanks to my husband, Bill, for keep-ing a sense of humor durkeep-ing the hours I spent writkeep-ing.
—Diane Barrett
Kim Lindros, you rock! Thank you for all the support and gentle nudging you provided to keep me writing. I also wish to say thank you to the cat and kitten rescue group that I work with, www.FurKids.org. Now that the book is finished, I can return to helping save the lives of our furry little friends.
—Neil Broom
Contents vii
Contents
Introduction xvii
Chapter 1 The Need for Computer Forensics 1
Defining Computer Forensics . . . 2
Real-Life Examples of Computer Crime . . . 4
Hacker Pleads Guilty to Illegally Accessing New York Times Computer Network . . . 4
Man Pleads Guilty to Hacking Intrusion and Theft of Data Costing Company $5.8 Million . . . 5
Three Men Indicted for Hacking into Lowe’s Companies’ Computers with Intent to Steal Credit Card Information . . . 6
Former Chief Computer Network Program Designer Arraigned for Alleged $10 Million Computer Software Bomb . . . 7
Juvenile Computer Hacker Sentenced to Six Months in Detention Facility . . . 8
Corporate versus Law Enforcement Concerns . . . 9
Corporate Concerns Focus on Detection and Prevention . . . 9
Law Enforcement Focuses on Prosecution . . . 11
Russian Computer Hacker Indicted in California for Breaking into Computer Systems and Extorting Victim Companies . . . 11
Training . . . 13
Practitioners . . . 13
End Users . . . 15
What Are Your Organization’s Needs? . . . 18
Terms to Know . . . 19
Review Questions . . . 20
Chapter 2 Preparation—What to Do Before You Start 21 Know Your Hardware . . . 22
What I/O Devices Are Used? . . . 22
Check Computers for Unauthorized Hardware . . . 28
Keep Up to Date with New I/O Trends . . . 32
viii Contents
Know Your Operating System . . . 35
Different Operating Systems . . . 35
Know What Filesystems Are in Use . . . 38
Maintain Tools and Procedures for Each Operating System and Filesystem . . . 40
Preinstalled Tools Make Forensics Easier . . . 41
Know Your Limits . . . 42
Legal Organizational Rights and Limits . . . 43
Search and Seizure Guidelines . . . 44
Will This End Up in Court? . . . 45
Develop Your Incident Response Team . . . 45
Organize the Team . . . 46
State Clear Processes . . . 46
Coordinate with Local Law Enforcement . . . 47
Terms to Know . . . 48
Review Questions . . . 49
Chapter 3 Computer Evidence 51 What Is Computer Evidence? . . . 52
Incidents and Computer Evidence . . . 52
Types of Evidence . . . 52
Search and Seizure . . . 58
Voluntary Surrender . . . 58 Subpoena . . . 59 Search Warrant . . . 59 Chain of Custody . . . 60 Definition . . . 60 Controls . . . 61 Documentation . . . 64
Evidence Admissibility in a Court of Law . . . 66
Relevance and Admissibility . . . 66
Techniques to Ensure Admissibility . . . 67
Leave No Trace . . . 68
Read-Only Image . . . 68
Software Write Blocker . . . 69
Hardware Write Blocker . . . 69
Terms to Know . . . 70
Review Questions . . . 71
Chapter 4 Common Tasks 73 Evidence Identification . . . 74
Physical Hardware . . . 75
Removable Storage . . . 78
Documents . . . 79
Contents ix
Evidence Preservation . . . 80
Pull the Plug or Shut It Down? . . . 81
Supply Power As Needed . . . 82
Provide Evidence of Initial State . . . 83
Evidence Analysis . . . 85
Knowing Where to Look . . . 85
Wading through the Sea of Data . . . 87
Sampling Data . . . 88
Evidence Presentation . . . 88
Know Your Audience . . . 89
Organization of Presentation . . . 91
Keep It Simple . . . 92
Terms to Know . . . 93
Review Questions . . . 94
Chapter 5 Capturing the Data Image 95 Full Volume Images . . . 96
Evidence Collection Order . . . 96
Preparing Media and Tools . . . 97
Collecting the Volatile Data . . . 100
Creating a Duplicate of the Hard Disk . . . 103
Extracting Data from PDAs . . . 107
Image and Tool Documentation . . . 108
Partial Volume Image . . . 109
Imaging/Capture Tools . . . 111 Utilities . . . 112 Commercial Software . . . 113 PDA Tools . . . 115 Terms to Know . . . 115 Review Questions . . . 116
Chapter 6 Extracting Information from Data 117 What Are You Looking For? . . . 118
Internet Files . . . 118
E-mail Headers . . . 122
Deleted Files . . . 126
Passwords . . . 127
How People Think . . . 129
Picking the Low-Hanging Fruit . . . 130
Hidden Evidence . . . 131
Trace Evidence . . . 135
Terms to Know . . . 137
Review Questions . . . 138
x Contents
Chapter 7 Passwords and Encryption 139
Passwords . . . 140
Finding Passwords . . . 141
Deducing Passwords . . . 142
Cracking Passwords . . . 143
Encryption Basics . . . 146
Common Encryption Practices . . . 147
Private Key Algorithms . . . 148
Public Key Algorithms . . . 150
Steganography . . . 151
Strengths and Weaknesses of Encryption . . . 152
Key Length . . . 153
Key Management . . . 153
Handling Encrypted Data . . . 154
Identifying Encrypted Files . . . 154
Decrypting Files . . . 155
Terms to Know . . . 159
Review Questions . . . 160
Chapter 8 Common Forensics Tools 161 Disk Imaging and Validation Tools . . . 162
ByteBack . . . 163 dd . . . 164 DriveSpy . . . 165 EnCase . . . 165 Forensic Replicator . . . 166 FTK Imager . . . 167 Norton Ghost . . . 168 ProDiscover . . . 168 SafeBack . . . 170 SMART . . . 170 WinHex . . . 171 Forensics Tools . . . 172 Software Suites . . . 172
Miscellaneous Software Tools . . . 184
Hardware . . . 187
Your Forensics Toolkit . . . 190
Each Organization Is Different . . . 192
Most Examiners Use Overlapping Tools . . . 192
Terms to Know . . . 192
Review Questions . . . 193
Contents xi
Chapter 9 Pulling It All Together 195
Begin with a Concise Summary . . . 196
Document Everything, Assume Nothing . . . 197
Interviews and Diagrams . . . 198
Videotapes and Photographs . . . 200
Transporting the Evidence . . . 201
Documenting Gathered Evidence . . . 201
Additional Documentation . . . 204
Formulating the Report . . . 205
Sample Analysis Reports . . . 206
Case #234—NextGard Technology Copyright Piracy Summary . . . 207
Additional Report Subsections . . . 213
Using Software to Generate Reports . . . 214
Terms to Know . . . 218
Review Questions . . . 219
Chapter 10 How to Testify in Court 221 Preparation Is Everything . . . 222
Understand the Case . . . 224
Understand the Strategy . . . 225
Understand Your Job . . . 225
Appearance Matters . . . 226
Clothing . . . 226
Grooming . . . 226
Attitude . . . 227
What Matters Is What They Hear . . . 227
Listening . . . 228
Tone . . . 228
Vocabulary . . . 229
Know Your Forensics Process and Tools . . . 229
Best Practices . . . 230
Your Process and Documentation . . . 230
Your Forensic Toolkit . . . 231
Say Only What Is Necessary . . . 231
Be Complete, But Not Overly Elaborate . . . 231
Remember Your Audience . . . 232
Keep It Simple . . . 234
Explaining Technical Concepts . . . 234
Use Presentation Aids When Needed . . . 234
Watch for Feedback . . . 235
Be Ready to Justify Every Step . . . 235
Summary . . . 236
Terms to Know . . . 236
Review Questions . . . 237
xii Contents
Appendix A Answers to Review Questions 239
Chapter 1 . . . 239 Chapter 2 . . . 240 Chapter 3 . . . 240 Chapter 4 . . . 241 Chapter 5 . . . 242 Chapter 6 . . . 243 Chapter 7 . . . 244 Chapter 8 . . . 245 Chapter 9 . . . 246 Chapter 10 . . . 247
Appendix B Forensics Resources 249 Information . . . 249 Organizations . . . 249 Publications . . . 249 Services . . . 250 Software . . . 250 Training . . . 251
Appendix C Forensics Certifications 253 Advanced Information Security (AIS) . . . 254
Certified Computer Examiner (CCE) . . . 254
Certified Cyber-Crime Expert (C3E) . . . 255
Certified Information Forensics Investigator (CIFI) . . . . 255
Certified Computer Crime Investigator (CCCI) . . . 256
Certified Computer Forensic Technician (CCFT) . . . 256
Certified Forensic Computer Examiner (CFCE) . . . 257
Certified Information Systems Auditor (CISA) . . . 257
EnCase Certified Examiner Program . . . 258
GIAC Certified Forensic Analyst (GCFA) . . . 258
Professional Certified Investigator (PCI) . . . 258
Appendix D Forensics Tools 261 Forensics Tool Suites . . . 261
Ultimate Toolkit . . . 261 Maresware . . . 261 X-Ways Forensics . . . 262 Forensicware . . . 262 Password-Cracking Utilities . . . 262 Passware . . . 262 ElcomSoft . . . 263
Contents xiii
CD Analysis Utilities . . . 263
IsoBuster . . . 263
CD/DVD Inspector . . . 264
Metadata Viewer Utility . . . 264
Metadata Assistant . . . 264
Graphic Viewing Utility . . . 265
Quick View Plus . . . 265
Forensics Hardware Devices . . . 265
Intelligent Computer Solutions . . . 265
Computer Forensics Training . . . 266
Intense School Computer Forensics Training Class . . 266
Glossary 267
Index 274
