INVESTIGATING COMPUTER-RELATED CRIME
A HANDBOOK FOR CORPORATE INVESTIGATORS

Peter Stephenson, Author

CRC PRESS
Boca Raton  London  New York  Washington, D.C.

Library of Congress Cataloging-in-Publication Data

Stephenson, Peter.
Investigating computer-related crime : handbook for corporate investigators / Peter Stephenson.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2218-9 (alk. paper)
1. Computer crimes—United States—Investigation. I. Title.
HV6773.2.S74 1999
363.25′968—dc21 99-34206 CIP

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.

Direct all inquiries to CRC Press LLC, 2000 Corporate Blvd., N.W., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are only used for identification and explanation, without intent to infringe.

© 2000 by CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-2218-9
Library of Congress Card Number 99-34206
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper

Preface

The introduction of the IBM Personal Computer in 1982 fostered a technology revolution that has changed the way the world does business. Prior to that historic milestone, several personal computers existed, e.g., Apple, TRS 80, but they were primarily used by individuals, schools, and small businesses. When computer mainframe giant International Business Machines (IBM) entered the personal computer market in 1982, the event quickly captured the attention of corporations and government agencies worldwide. Personal computers were no longer thought of as toys, and almost overnight they were accepted as reliable business computers.

Since their introduction, IBM PCs and compatible computers have evolved into powerful corporate network servers, desktop computers, and notebook computers. They have also migrated into millions of households, and their popularity exploded during the 1990s when the world discovered the Internet. The worldwide popularity of both personal computers and the Internet has been a mixed blessing.

The immediate popularity of the IBM PC was not anticipated. The DOS operating system installed on the original personal computers back in 1982 was never intended for commercial use and therefore was not designed to be secure. In the interest of maintaining compatibility with the early versions of DOS, upgrades to the operating system could not adequately address security issues. As a result, most corporate desktop PCs and notebook computers lack adequate security. Millions of personal computers are used as tools to conduct financial transactions and to store trade secrets, sensitive personal medical data, and employment information.
Many of these computers and more are also connected to the Internet to send and receive e-mail and to browse the wealth of information on the World Wide Web. The designers of the Internet never envisioned that it would become the hub of international commerce. As a result, security was not built into the original design of the Internet. The wide acceptance of the personal computer and the Internet has created some concerns for security that are just now being realized. The dramatic increase in computing speeds has added to the dilemma because such speeds aid hackers in breaking into systems.

The inherent security problems associated with personal computers, tied to their popularity in the workplace, have fostered new corporate problems. Now internal audits involve the examination of computer records. Criminal investigations and civil investigations routinely involve computer evidence, and such inquiries require new methods and tools for investigators and internal auditors alike. That is what this book is all about, and its coming has been long overdue. It deals with practical methods and techniques that have proven to be effective in law enforcement and military circles for years. Only recently have this type of information and tools been available to corporate auditors and investigators.

Michael R. Anderson

Mr. Anderson retired after 25 years of federal law enforcement service and is currently the president of New Technologies, Inc., a corporation that provides training and develops specialized forensic tools for use in computer evidence processing. While employed by the federal government, he developed some of the original computer evidence training courses for the federal government and is currently a member of the faculty of the University of New Haven, Connecticut. He is also a co-founder of the International Association of Computer Investigative Specialists and is a training advisor to the National White Collar Crime Center. He can be reached via e-mail at mrande@teleport.com regarding computer evidence- and security review-related questions.

About the Author

Peter Stephenson has been a network consultant and lecturer for 18 years, specializing in information protection for large enterprises. His seminars on information security have been presented around the world.

Mr. Stephenson founded Intrusion Management and Forensics Group with approximately 20 associates and independent contractors, to test networks for security problems and devise solutions. After 15 years of consulting, he joined Enterprise Networking Systems, Inc., Redwood City, CA, as Director of Technology for the Global Security Practice.

Acknowledgments

My thanks to Nan Poulios, my business partner of more than ten years, who contributed to this in ways not immediately obvious, like writing reports I should have been writing while I wrote this.

I am grateful to Michael Anderson and the folks at NTI for their support as I wrote this. I recommend their products and training.

Also, although we have never spoken directly, I, and all computer incident investigators, owe a debt of thanks to Ken Rosenblatt for his contributions to our art. I can think of no other book* than his that I would want as a companion to this one on my bookshelf.

I have also benefited from the expertise of Chuck Guzis — for some of the finest evidence-processing tools an investigator could want. Don’t stop now, Chuck!

To Rich O’Hanley at Auerbach Publications for his encouragement and help to find this book a home after wandering in the publishing wilderness for nearly a year.

And, finally, my thanks to Becky McEldowney, my editor at CRC Press LLC, for not nagging me when the manuscript was late and for providing encouragement and support as I made changes to keep up with technologies that never seem to slow down.
Oh, and to Andrea Demby, CRC Press Production, who left this book substantially as I wrote it, a rare circumstance, indeed. Thanks, Andrea — let’s do this again sometime.

* Rosenblatt, K.S., High Technology Crime — Investigating Cases Involving Computers, KSK Publications, San Jose, CA, 1995.

Dedication

For Debbie, who thought this book would never get written.

Contents

Section 1 — The Nature of Cyber Crime

Chapter 1 Cyber Crime as We Enter the Twenty-First Century
What Is Cyber Crime?
How Does Today’s Cyber Crime Differ from the Hacker Exploits of Yesterday?
The Reality of Information Warfare in the Corporate Environment
Industrial Espionage — Hackers for Hire
Public Law Enforcement’s Role in Cyber Crime Investigations
The Role of Private Cyber Crime Investigators and Security Consultants in Investigations
References

Chapter 2 The Potential Impacts of Cyber Crime
Data Thieves
How Data Thieves Avoid Detection During an Attack
Masking Logins
Masking Telnet
How Data Thieves “Clean Up” After an Attack
Techniques for Detecting File Reads and Uploads
Misinformation
Denial of Service
Data Floods and Mail Bombs
Attacks from Inside the Organization
Attacks Which Require Access to the Computer
Chapter Review

Chapter 3 Rogue Code Attacks
Viruses, Trojan Horses, and Worms
Types of Viruses
File Infector
Resident Program Infector
Boot Sector Infector
Multi-Partite Virus
Dropper
Stealth Virus
Companion Virus
Polymorphic Virus
Mutation Engine
Detection Methods
Pattern Scanners
Integrity Checkers
Behavior Blockers
Trojan Horses
Worms
Logic Bombs
Modifying System Files
Responding to Rogue Code Attacks
Viruses
Trojan Horses and Logic Bombs
Protection of Extended Mission-Critical Computer Systems
Post-Attack Inspection for Rogue Code
Summary
Reference

Chapter 4 — Surgical Strikes and Shotgun Blasts
Denial of Service Attacks
Service Overloading
Message Flooding
Signal Grounding
Other Attacks
Attacking from the Outside
Attacking from the Inside
Dumping Core
Symptoms of a Surgical Strike
Panics
Other Surgical Attacks
Masquerading
User Masquerades
System Masquerades
Spoofing
E-Mail
Web Site
IP Spoofing
Case Study: The Case of the Cyber Surgeon
Symptoms of Shotgun Blasts
“Up Yours” — Mail Bombs
Flooding Attacks
Summary
References

Section 2 — Investigating Cyber Crime

Chapter 5 A Framework for Conducting an Investigation of a Computer Security Incident
Managing Intrusions
Why We Need an Investigative Framework
What Should an Investigative Framework Provide?
One Approach to Investigating Intrusions
Drawbacks for the Corporate Investigator
A Generalized Investigative Framework for Corporate Investigators
Eliminate the Obvious
Hypothesize the Attack
Reconstruct the Crime
Perform a Traceback to the Suspected Source Computer
Analyze the Source, Target, and Intermediate Computers
Collect Evidence, Including, Possibly, the Computers Themselves
Turn Your Findings and Evidentiary Material over to Corporate Investigators or Law Enforcement for Follow-Up
Summary
References

Chapter 6 Look for the Hidden Flaw
The Human Aspects of Computer Crime and the FBI Adversarial Matrix
Crackers
Criminals
Vandals
Motive, Means, and Opportunity
Evidence and Proof
Look for the Logical Error
Vanity
Summary
Reference

Chapter 7 Analyzing the Remnants of a Computer Security Incident
What We Mean by a Computer Security Incident
We Never Get the Call Soon Enough
Computer Forensic Analysis — Computer Crimes at the Computer
DOS Disks — A Brief Tutorial
Slack Space
Unallocated Space
Windows Swap Files and Web Browser Caches
Processing Forensic Data — Part One: Collection
Collection Techniques
Analysis Tools and Techniques
Chaining
Unix and Other Non-DOS Computers
Cyber Forensic Analysis — Computer Crimes Involving Networks
[...]
Issues
Salvaging Some Benefit
Summary

Section 3 — Preparing for Cyber Crime

Chapter 14 — Building a Corporate Cyber “SWAT Team”
Why Do Organizations Need a Cyber SWAT Team?
What Does a Cyber SWAT Team Do?
A Standard Practice Example
Who Belongs on a Cyber SWAT Team?
Training Investigative Teams
Summary

Chapter 15 — Privacy and Computer Crime
The Importance of Formal Policies
Who Owns the E-Mail?
The...

... electronic warfare (EW), psychological warfare (PSYW), hacker warfare, economic information warfare (EIW), and cyberwarfare. His essay, written for the Institute for National Strategic Studies, begins by quoting Thomas Rona, an early proponent of information warfare: The strategic, operation, and tactical level competitions across the spectrum of peace, crisis, crisis escalation, conflict, war, war termination, ...

... that export environmental variables). Skilled intruders will change the environmental variables on a machine used as an intermediate before attacking the next target. This will make it more difficult for the investigator to trace backward through each purloined account on intermediate machines to the actual source of the attack.

HOW DATA THIEVES “CLEAN UP” AFTER AN ATTACK

There are a couple of things a...

... provider with a denial of service attack. We will explore each of these aspects — data theft, misinformation, and denial of service — in detail. We will also get a top-level look at the elements of these three aspects, as well as a brief introduction to the concepts behind their investigation. Along the way we will begin to form an approach for investigating computer crimes and computer-related crimes, and see...
... and Testing an Intrusion Hypothesis
Investigating Alternative Explanations
You May Never Catch the Culprit
Damage Control and Containment
Summary
References

Chapter 9 Determining If a Crime Has Taken Place
Statistically, You Probably Don’t Have a Crime
Believe Your Indications
Using Tools to Verify That a Crime Has Occurred
Unix Crash Dump Analysis
Identifying the Unix Release and Hardware Architecture...

... corporate “SWAT team” created to investigate cyber crime. Once you have created such a team, you must then decide what gaps are present and which can be filled by consultants. One area where some interesting things are taking place is in the business of private investigation. Private investigators, traditionally involved with physical crime and civil matters, are looking at the world of virtual crime as a...

Northrop Grumman, in an advertisement for its services, defines information warfare as “The ability to exploit, deceive, and disrupt adversary information systems while simultaneously protecting our own.” Martin Libicki, in his essay, “What Is Information Warfare?”3 tells us: Seven forms of information warfare vie for the position of central metaphor: command-and-control (C2W), intelligence-based warfare (IBW), ...

... this day and age, no way to avoid that. What you can do is ensure that your controls are in place and robust and that you are prepared for the inevitable. That won’t stop the hacker from trying, but it may ensure that you’ll avoid most of the consequences.

David Icove, Karl Seger, and William VonStorch, writing in Computer Crime — A Crimefighter’s Handbook, list five basic ways that computer criminals get...
... capabilities of the FBI and the Secret Service to the essentially worthless efforts of local police forces in isolated rural locations. Since computers and computer systems are pervasive, that lack of evenness poses problems for many organizations. There are times when not calling in law enforcement is not an option. If you are a federally regulated organization, such as a bank, not involving law enforcement...

... the computer crime investigators in advance of an incident. An informal meeting can gain a wealth of information for you. It also can set the stage for that panic call in the future when the intruder is on your doorstep. In Chapter 11 we’ll discuss the involvement of law enforcement in more depth.

THE ROLE OF PRIVATE CYBER CRIME INVESTIGATORS AND SECURITY CONSULTANTS IN INVESTIGATIONS

Most organizations are ...