Document information
Cyber Forensics
Table of Contents
Cyber Forensics—A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes 1
Disclaimer 6
Introduction 7
Background 8
Dimensions of the Problem 9
Computer Forensics 10
Works Cited 11
Section I: Cyber Forensics 13
Chapter List 13
Chapter 1: The Goal of the Forensic Investigation 14
Overview 14
Why Investigate 14
Internet Exceeds Norm 14
Inappropriate E-mail 16
Non-Work-Related Usage of Company Resources 17
Theft of Information 18
Violation of Security Parameters 18
Intellectual Property Infraction 19
Electronic Tampering 20
Establishing a Basis or Justification to Investigate 21
Determine the Impact of Incident 22
Who to Call/Contact 24
If You Are the Auditor/Investigator 24
Resources 25
Authority 25
Obligations/Goals 25
Reporting Hierarchy 25
Escalation Procedures 25
Time Frame 26
Procedures 26
Precedence 26
Independence 26
Chapter 2: How to Begin a Non-Liturgical Forensic Examination 27
Overview 27
Isolation of Equipment 27
Cookies 29
Bookmarks 31
History Buffer 32
Cache 34
Temporary Internet Files 35
Tracking of Logon Duration and Times 35
Recent Documents List 36
Tracking of Illicit Software Installation and Use 37
The System Review 38
The Manual Review 41
Hidden Files 42
How to Correlate the Evidence 43
Works Cited 44
Chapter 3: The Liturgical Forensic Examination: Tracing Activity on a Windows-Based Desktop 45
Gathering Evidence For Prosecution Purposes 45
Gathering Evidence Without Intent to Prosecute 45
The Microsoft Windows-Based Computer 46
General Guidelines To Follow 48
Cookies 50
Bookmarks/Favorites 53
Internet Explorer's History Buffer 54
Temporary Storage on the Hard Drive 55
Temporary Internet Files 56
System Registry 57
Enabling and Using Auditing via the Windows Operating System 61
Confiscation of Computer Equipment 65
Other Methods of Covert Monitoring 66
Chapter 4: Basics of Internet Abuse: What is Possible and Where to Look Under the Hood 68
Terms 68
Types of Users 69
E-Mail Tracking 69
IP Address Construction 69
Browser Tattoos 69
How an Internet Search works 70
Swap Files 74
ISPs 75
Servers 75
Works Cited 75
Chapter 5: Tools of the Trade: Automated Tools Used to Secure a System Throughout the Stages of a Forensic Investigation 77
Overview 77
Detection Tools 77
Protection Tools 84
Analysis Tools 87
Chapter 6: Network Intrusion Management and Profiling 91
Overview 91
Common Intrusion Scenarios 91
Intrusion Profiling 95
Creating the Profile 96
Conclusion 103
Chapter 7: Cyber Forensics and the Legal System 105
Overview 105
How the System Works 105
Issues of Evidence 106
Hacker, Cracker, or Saboteur 108
Best Practices 115
Notes 115
Acknowledgments 116
Section II: Federal and International Guidelines 117
Chapter List 117
References 118
Chapter 8: Searching and Seizing Computers and Obtaining Electronic Evidence 118
Recognizing and Meeting Title III Concerns in Computer Investigations 123
Computer Records and the Federal Rules of Evidence 131
Proposed Standards for the Exchange of Digital Evidence 134
Recovering and Examining Computer Forensic Evidence 140
International Principles for Computer Evidence 141
Chapter 9: Computer Crime Policy and Programs 143
The National Infrastructure Protection Center Advisory 01−003 143
The National Information Infrastructure Protection Act of 1996 146
Distributed Denial of Service Attacks 157
The Melissa Virus 163
Cybercrime Summit: A Law Enforcement/Information Technology Industry Dialogue 163
Chapter 10: International Aspects of Computer Crime 165
Council of Europe Convention on Cybercrime 165
Council of Europe Convention on Cybercrime Frequently Asked Questions 168
Internet as the Scene of Crime 168
Challenges Presented to Law Enforcement by High-Tech and Computer Criminals 169
Problems of Criminal Procedural Law Connected with Information Technology 169
Combating High-Tech and Computer-Related Crime 169
Vienna International Child Pornography Conference 171
OECD Guidelines for Cryptography Policy 171
Fighting Cybercrime: What are the Challenges Facing Europe? 171
Chapter 11: Privacy Issues in the High-Tech Context 172
Law Enforcement Concerns Related to Computerized Databases 172
Enforcing the Criminal Wiretap Statute 174
Referring Potential Privacy Violations to the Department of Justice for Investigation and Prosecution 174
Testimony on Digital Privacy 175
Chapter 12: Critical Infrastructure Protection 176
Attorney General Janet Reno's Speech on Critical Infrastructure Protection 176
Protecting the Nation's Critical Infrastructures: Presidential Decision Directive 63 176
The Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63 177
Foreign Ownership Interests in the American Communications Infrastructure 187
Carnivore and the Fourth Amendment 188
Chapter 13: Electronic Commerce: Legal Issues 195
Overview 195
Guide for Federal Agencies on Implementing Electronic Processes 195
Consumer Protection in the Global Electronic Marketplace 196
The Government Paperwork Elimination Act 196
Internet Gambling 197
Sale of Prescription Drugs Over the Internet 197
Guidance on Implementing the Electronic Signatures in Global And National Commerce Act (E-SIGN) 198
Part I: General Overview of the E-SIGN Act 198
The Electronic Frontier: the Challenge of Unlawful Conduct Involving the Use of the Internet 215
Internet Health Care Fraud 217
Jurisdiction in Law Suits 218
Electronic Case Filing at the Federal Courts 225
Notes 226
Chapter 14: Legal Considerations in Designing and Implementing Electronic Processes: A Guide for Federal Agencies 229
Executive Summary 229
Introduction 237
I. Why Agencies Should Consider Legal Risks 238
II. Legal Issues to Consider in "Going Paperless" 242
III. Reducing The Legal Risks in "Going Paperless" 255
Conclusion 266
Notes 267
Chapter 15: Encryption 273
Department of Justice FAQ on Encryption Policy (April 24, 1998) 273
Interagency and State and Federal Law Enforcement Cooperation 273
Law Enforcement's Concerns Related to Encryption 273
Privacy in a Digital Age: Encryption and Mandatory Access 274
Modification of H.R. 695 280
Security and Freedom Through Encryption Act 281
OECD Guidelines for Cryptography Policy 285
Recommended Reading 285
Chapter 16: Intellectual Property 286
Prosecuting Intellectual Property Crimes Guidance 286
Deciding Whether to Prosecute an Intellectual Property Case 286
Government Reproduction of Copyrighted Materials 286
Federal Statutes Protecting Intellectual Property Rights 286
IP Sentencing Guidelines 289
Intellectual Property Policy and Programs 292
Copyrights, Trademarks and Trade Secrets 294
Section III: Forensics Tools 296
Chapter List 296
Chapter 17: Forensic and Security Assessment Tools 297
Detection, Protection, and Analysis 297
Detection and Prevention Tools for the PC Desktop 297
Analysis Tools 299
Applications 301
Additional Free Forensics Software Tools 307
Chapter 18: How to Report Internet-Related Crime 308
Overview 308
The Internet Fraud Complaint Center (IFCC) 309
Chapter 19: Internet Security: An Auditor's Basic Checklist 310
Firewalls 310
Supported Protocols 311
Anti-Virus Updates 311
Software Management Systems 312
Backup Processes and Procedures 312
Intra-Network Security 312
Section IV: Appendices 314
Appendix List 314
Appendix A: Glossary of Terms 314
A−C 314
D 317
E−G 319
H−I 322
K−Q 323
R−S 324
T−W 326
Appendix B: Recommended Reading List 329
Books 329
Articles 332
Web Sites 333
List of Exhibits 337
Chapter 2: How to Begin a Non-Liturgical Forensic Examination 337
Chapter 3: The Liturgical Forensic Examination: Tracing Activity on a Windows-Based Desktop 337
Chapter 4: Basics of Internet Abuse: What is Possible and Where to Look Under the Hood 337
Chapter 5: Tools of the Trade: Automated Tools Used to Secure a System Throughout the Stages of a Forensic Investigation 338
Chapter 6: Network Intrusion Management and Profiling 338
Chapter 8: Searching and Seizing Computers and Obtaining Electronic Evidence 338
Chapter 9: Computer Crime Policy and Programs 338
Chapter 11: Privacy Issues in the High-Tech Context 338
Chapter 12: Critical Infrastructure Protection 339
Chapter 13: Electronic Commerce: Legal Issues 339
Chapter 14: Legal Considerations in Designing and Implementing Electronic Processes: A Guide for Federal Agencies 339
Chapter 18: How to Report Internet-Related Crime 339
Cyber Forensics—A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
ALBERT J. MARCELLA, Ph.D.
ROBERT S. GREENFIELD
Editors
AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton London New York Washington, D.C.
Library of Congress Cataloging−in−Publication Data
Cyber forensics: a field manual for collecting, examining, and preserving evidence of computer crimes / Albert J. Marcella, Robert Greenfield, editors.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-0955-7 (alk. paper)
1. Computer crimes--Investigation--Handbooks, manuals, etc. I. Marcella, Albert J. II. Greenfield, Robert, 1961-
HV8079.C65 C93 2001
363.25'968--dc21
2001053817
This book contains information obtained from authentic and highly regarded sources. Reprinted
material is quoted with permission, and sources are indicated. A wide variety of references are
listed. Reasonable efforts have been made to publish reliable data and information, but the authors
and the publisher cannot assume responsibility for the validity of all materials or for the
consequences of their use.
Neither this book nor any part may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, microfilming, and recording, or by any information
storage or retrieval system, without prior permission in writing from the publisher.
All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-0955-7/02/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
The consent of CRC Press LLC does not extend to copying for general distribution, for promotion,
for creating new works, or for resale. Specific permission must be obtained in writing from CRC
Press LLC for such copying.
Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and
are used only for identification and explanation, without intent to infringe.
Visit the Auerbach Publications Web site at www.auerbach-publications.com
Copyright © 2002 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-0955-7
Library of Congress Card Number 2001053817
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper
Editors and Contributors
Albert J. Marcella, Jr., Ph.D., CFSA, COAP, CQA, CSP, CDP, CISA, is an associate professor of
Management in the School of Business and Technology, Department of Management, at Webster
University, in Saint Louis, Missouri. Dr. Marcella remains the president of Business Automation
Consultants, an information technology and management-consulting firm he founded in 1984. Dr.
Marcella has completed diverse technical security consulting engagements involving disaster
recovery planning, site and systems security, IT, financial and operational audits for an international
clientele. He has contributed numerous articles to audit-related publications and has authored and
co-authored 18 audit-related texts.
Robert S. Greenfield, MCP, has over 16 years of experience as a programmer/analyst, with the
past five years as a systems consultant and software engineer in the consulting field. He has
extensive experience designing software in the client/server environment. In addition to mainframe
experience on several platforms, his background includes systems analysis, design, and
development in client/server GUI and traditional environments. His client/server expertise includes
Visual Basic, Access, SQL Server, Sybase, and Oracle 7.3 development. Mr. Greenfield has
created intranet Web sites with FrontPage and distributed applications via the Internet. He currently
holds professional accreditation as a Microsoft Certified Professional and continues self-paced
training to achieve MCSE, MCSD, and MCSE/D + Internet ratings.
Abigail Abraham is an Assistant State's Attorney, prosecuting high−technology crimes for the Cook
County State's Attorney's Office in Chicago, Illinois. She was awarded her J.D. from The University
of Chicago Law School and served as an editor on the law review. Following law school, she
clerked for one year for the Honorable Danny J. Boggs, U.S. Court of Appeals for the Sixth Circuit.
She is an adjunct law professor at The University of Chicago Law School. In addition, she has
designed training for lawyers and for police officers, and lectures around the country on
high-technology legal issues.
Brent Deterdeing graduated from the University of Missouri with a degree in computer science and
a minor in economics. Brent's involvement with SANS is extensive. He is an author of an upcoming
book on firewalls through SANS, as well as chairing the SANS/GIAC Firewalls Advisory Board. He
has mentored both small and large classes through SANS/GIAC Security Essentials Training &
Certification (GSEC). Brent also authors, revises, and edits SANS courseware, quizzes, and tests.
He has earned the SANS/GIAC GSEC (Security Essentials), GCFW (Firewall Analyst — HONORS),
GCIA (Intrusion Analyst), and GCIH (Incident Handling) certifications, as well as being a Red Hat
Certified Engineer (RHCE). Brent participates in the St. Louis InfraGard chapter.
John W. Rado is a geospatial analyst at National Imagery and Mapping Agency (NIMA) in St.
Louis, Missouri. John has worked for NIMA since January of 1991.
William J. Sampias has been involved in the auditing profession for the past decade, with primary
emphasis on audits of information systems. Mr. Sampias has published several works in the areas
of disaster contingency planning, end−user computing, fraud, effective communications, and
security awareness. Mr. Sampias is currently director of a state agency information systems audit
group.
Steven Schlarman, CISSP, is a security consultant with PricewaterhouseCoopers. Since joining
the firm in 1998, Steve has covered a number of roles, mainly as the lead developer of the
Enterprise Security Architecture System and Services. He has published articles on the subject as
well as being one of the major thought leaders in the PricewaterhouseCoopers' Enterprise Security
Architecture Service line. Prior to joining the firm, Steve had worked on multiple platforms including
PC applications, networking, and midrange and mainframe systems. His background includes
system security, system maintenance, and application development. Steve has completed
numerous technical security consulting engagements involving security architectures, penetration
studies ("hacking studies"), network and operating system diagnostic reviews, and computer crime
investigation. He has participated in both PC computer forensic analysis and network intrusion
management and investigation. Prior to PricewaterhouseCoopers, Steve worked at a U.S. state law
enforcement agency in the information systems division.
Carol Stucki is working as a technical producer for PurchasePro.com, a rapidly growing dot.com
company that is an application service provider specializing in Internet−based procurement. Carol's
past experiences include working with GTE, Perot Systems, and Arthur Andersen as a programmer,
system analyst, project manager, and auditor.
Dedication
Erienne, Kristina, and Andy
Michael Jordan said it best, thus, what more can I say…
I approached practices the same way I approached games. You can't turn it on and
off like a faucet. I couldn't dog it during practice and then, when I needed that extra
push late in the game, expect it to be there. But that's how a lot of people fail. They
sound like they're committed to being the best they can be. They say all the right
things, make all the proper appearances. But when it comes right down to it, they're
looking for reasons instead of answers. If you're trying to achieve, there will be
roadblocks. I've had them; everybody has had them. But obstacles don't have to stop
you. If you run into a wall, don't turn around and give up. Figure out how to climb it,
[...] must be on the forensic element, and it is vital to understand that forensic computing, cyber forensics, or computer forensics is not solely about computers. It is about rules of evidence, legal processes, the integrity and continuity of evidence, the clear and concise reporting of factual information to a court of law, and the provision of expert opinion concerning the provenance of that evidence: Companies [...]

[...] reservations, and access bank accounts and a wealth of worldwide information on essentially any topic. Computer forensics is used to identify evidence when personal computers are used in the commission of crimes or in the abuse of company policies. Computer forensic tools and procedures are also used to identify computer security weaknesses and the leakage of sensitive computer data. In the past, documentary evidence [...]

[...] professionals whose insights and comments on the critically important field of cyber forensics are included in this text, and deserve substantial credit and our thanks for taking up this challenge and for their spot-on examination and evaluation of key cyber forensics issues. I wish to formally recognize each contributing author here, although briefly, and have included a more extensive personal profile [...]

[...] field of cyber forensics that would be needed and required by all potential readers and users in a single text. Thus, this field manual presents specific and selected topics in the discipline of cyber forensics, and addresses critical issues facing the reader who is engaged in or who soon will be (and you will!) engaged in the preservation, identification, extraction, and documentation of computer evidence [...]

[...] however, they are subject to the ECPA. Typically, computer forensic tools exist in the form of computer software. Computer forensic specialists guarantee accuracy of evidence processing results through the use of time-tested evidence processing procedures and through the use of multiple software tools, developed by separate and independent developers. The use of different tools that have been developed [...]

[...] user of this field manual, you will see that this manual's strength lies with the inclusion of an exhaustive set of chapters covering a broad variety of forensic subjects. Each chapter was thoroughly investigated; examined for accuracy, completeness, and appropriateness to the study of cyber forensics; reviewed by peers; and then compiled in a comprehensive, concise format to present critical topics of [...]

[...] Forensics. Computer Forensics deals with the preservation, identification, extraction, and documentation of computer evidence. The field is relatively new to the private sector but it has been the mainstay of technology-related investigations and intelligence gathering in law enforcement and military agencies since the mid-1980s. Like any other forensic science, computer forensics involves the use of sophisticated [...]

[...] wave of new and stored digital information. The massive proliferation of data creates ever-expanding digital information risks for organizations and individuals. Electronic information is easy to create, inexpensive to store, and virtually effortless to replicate. As a result, increasingly vast quantities of digital information reside on mass storage devices located within and without corporate information [...]

[...] background and library with me), and for developing the focused piece on "Basics of Internet Abuse: What is Possible and Where to Look Under the Hood."

From the Financial and Computer Crime Department of the State Attorney's office of Cook County, Illinois, Attorney Abigail Abraham; thank you for your engaging examination into "Cyber Forensics and the Legal System." To my long-time colleagues and collaborators [...]

[...] paper and copies were made with carbon paper or photocopy machines. Most documents are now stored on computer hard disk drives, floppy diskettes, Zip disks, and other forms of removable computer storage media. Computer forensics deals with finding, extracting, and documenting this form of "electronic" documentary evidence (www.forensics-intl.com/def4.html). Along the way, prior to formally pursuing a cyber [...]
Posted: 18/01/2014, 06:20