INVESTIGATING COMPUTER-RELATED CRIME
A HANDBOOK FOR
CORPORATE INVESTIGATORS
Peter Stephenson
Author
CRC PRESS
Boca Raton London New York Washington, D.C.
Library of Congress Cataloging-in-Publication Data
Stephenson, Peter.
Investigating computer-related crime : handbook for corporate investigators / Peter Stephenson.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2218-9 (alk. paper)
1. Computer crimes—United States—Investigation. I. Title.
HV6773.2.S74 1999
363.25′968—dc21 99-34206
CIP
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.
Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.
The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.
Direct all inquiries to CRC Press LLC, 2000 Corporate Blvd., N.W., Boca Raton, Florida 33431.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are only used for identification and explanation, without intent to infringe.
© 2000 by CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-2218-9
Library of Congress Card Number 99-34206
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper
Preface
The introduction of the IBM Personal Computer in 1982 fostered a technology revolution that has changed the way the world does business. Prior to that historic milestone, several personal computers existed, e.g., Apple, TRS 80, but they were primarily used by individuals, schools, and small businesses. When computer mainframe giant, International Business Machines (IBM) entered the personal computer market in 1982, the event quickly captured the attention of corporations and government agencies worldwide.
Personal computers were no longer thought of as toys and almost overnight they were accepted as reliable business computers. Since their introduction, IBM PCs and compatible computers have evolved into powerful corporate network servers, desktop computers, and notebook computers. They have also migrated into millions of households, and their popularity exploded during the 1990s when the world discovered the Internet.
The worldwide popularity of both personal computers and the Internet has been a mixed blessing. The immediate popularity of the IBM PC was not anticipated. The DOS operating system installed on the original personal computers back in 1982 was never intended for commercial use and therefore was not designed to be secure. In the interest of maintaining compatibility with the early versions of DOS, upgrades to the operating system could not adequately address security issues. As a result, most corporate desktop PCs and notebook computers lack adequate security.
Millions of personal computers are used as tools to conduct financial transactions and to store trade secrets, sensitive personal medical data, and employment information. Many of these computers and more are also connected to the Internet to send and receive e-mail and to browse the wealth of information on the World Wide Web. The designers of the Internet never envisioned that it would become the hub of international commerce. As a result, security was not built into the original design of the Internet. The wide acceptance of the personal computer and the Internet has created some concerns for security that are just now being realized. The dramatic increase in computing speeds has added to the dilemma because such speeds aid hackers in breaking into systems.
The inherent security problems associated with personal computers, tied to their popularity in the workplace, have fostered new corporate problems. Now internal audits involve the examination of computer records. Criminal investigations and civil investigations routinely involve computer evidence and such inquiries require new methods and tools for investigators and internal auditors alike. That is what this book is all about, and its coming has been long overdue. It deals with practical methods and techniques that have proven to be effective in law enforcement and military circles for years. Only recently has this type of information and tools been available to corporate auditors and investigators.
Michael R. Anderson
Mr. Anderson retired after 25 years of federal law enforcement service and is currently the president of New Technologies, Inc., a corporation that provides training and develops specialized forensic tools for use in computer evidence processing. While employed by the federal government, he developed some of the original computer evidence training courses for the federal government and is currently a member of the faculty of the University of New Haven, Connecticut. He is also a co-founder of the International Association of Computer Investigative Specialists and is a training advisor to the National White Collar Crime Center. He can be reached via e-mail at mrande@teleport.com regarding computer evidence- and security review-related questions.
About the Author
Peter Stephenson has been a network consultant and lecturer for 18 years, specializing in information protection for large enterprises. His seminars on information security have been presented around the world.
Mr. Stephenson founded Intrusion Management and Forensics Group with approximately 20 associates and independent contractors, to test networks for security problems and devise solutions. After 15 years of consulting, he joined Enterprise Networking Systems, Inc., Redwood City, CA, as Director of Technology for the Global Security Practice.
Acknowledgments
My thanks to Nan Poulios, my business partner of more than ten years, who contributed to this in ways not immediately obvious, like writing reports I should have been writing while I wrote this.
I am grateful to Michael Anderson and the folks at NTI for their support as I wrote this. I recommend their products and training.
Also, although we have never spoken directly, I, and all computer incident investigators, owe a debt of thanks to Ken Rosenblatt for his contributions to our art. I can think of no other book* than his that I would want as a companion to this one on my bookshelf.
I have also benefited from the expertise of Chuck Guzis — for some of the finest evidence-processing tools an investigator could want. Don’t stop now, Chuck!
To Rich O’Hanley at Auerbach Publications for his encouragement and help to find this book a home after wandering in the publishing wilderness for nearly a year.
And, finally, my thanks to Becky McEldowney, my editor at CRC Press LLC, for not nagging me when the manuscript was late and for providing encouragement and support as I made changes to keep up with technologies that never seem to slow down.
Oh, and to Andrea Demby, CRC Press Production, who left this book substantially as I wrote it, a rare circumstance, indeed. Thanks, Andrea — let’s do this again sometime.
* Rosenblatt, K.S., High Technology Crime — Investigating Cases Involving Computers, KSK Publications, San Jose, CA, 1995.
Dedication
For Debbie, who thought this book would never get written.
Contents
Section 1 — The Nature of Cyber Crime
Chapter 1 Cyber Crime as We Enter the Twenty-First Century
What Is Cyber Crime?
How Does Today’s Cyber Crime Differ from the Hacker Exploits of Yesterday?
The Reality of Information Warfare in the Corporate Environment
Industrial Espionage — Hackers for Hire
Public Law Enforcement’s Role in Cyber Crime Investigations
The Role of Private Cyber Crime Investigators and Security Consultants in Investigations
References
Chapter 2 The Potential Impacts of Cyber Crime
Data Thieves
How Data Thieves Avoid Detection During an Attack
Masking Logins
Masking Telnet
How Data Thieves “Clean Up” After an Attack
Techniques for Detecting File Reads and Uploads
Misinformation
Denial of Service
Data Floods and Mail Bombs
Attacks from Inside the Organization
Attacks Which Require Access to the Computer
Chapter Review
Chapter 3 Rogue Code Attacks
Viruses, Trojan Horses, and Worms
Types of Viruses
File Infector
Resident Program Infector
Boot Sector Infector
Multi-Partite Virus
Dropper
Stealth Virus
Companion Virus
Polymorphic Virus
Mutation Engine
Detection Methods
Pattern Scanners
Integrity Checkers
Behavior Blockers
Trojan Horses
Worms
Logic Bombs
Modifying System Files
Responding to Rogue Code Attacks
Viruses
Trojan Horses and Logic Bombs
Protection of Extended Mission-Critical Computer Systems
Post-Attack Inspection for Rogue Code
Summary
Reference
Chapter 4 — Surgical Strikes and Shotgun Blasts
Denial of Service Attacks
Service Overloading
Message Flooding
Signal Grounding
Other Attacks
Attacking from the Outside
Attacking from the Inside
Dumping Core
Symptoms of a Surgical Strike
Panics
Other Surgical Attacks
Masquerading
User Masquerades
System Masquerades
Spoofing
E-Mail
Web Site
IP Spoofing
Case Study: The Case of the Cyber Surgeon
Symptoms of Shotgun Blasts
“Up Yours” — Mail Bombs
Flooding Attacks
Summary
References
Section 2 — Investigating Cyber Crime
Chapter 5 A Framework for Conducting an Investigation of a Computer Security Incident
Managing Intrusions
Why We Need an Investigative Framework
What Should an Investigative Framework Provide?
One Approach to Investigating Intrusions
Drawbacks for the Corporate Investigator
A Generalized Investigative Framework for Corporate Investigators
Eliminate the Obvious
Hypothesize the Attack
Reconstruct the Crime
Perform a Traceback to the Suspected Source Computer
Analyze the Source, Target, and Intermediate Computers
Collect Evidence, Including, Possibly, the Computers Themselves
Turn Your Findings and Evidentiary Material over to Corporate Investigators or Law Enforcement for Follow-Up
Summary
References
Chapter 6 Look for the Hidden Flaw
The Human Aspects of Computer Crime and the FBI Adversarial Matrix
Crackers
Criminals
Vandals
Motive, Means, and Opportunity
Evidence and Proof
Look for the Logical Error
Vanity
Summary
Reference
Chapter 7 Analyzing the Remnants of a Computer Security Incident
What We Mean by a Computer Security Incident
We Never Get the Call Soon Enough
Computer Forensic Analysis — Computer Crimes at the Computer
DOS Disks — A Brief Tutorial
Slack Space
Unallocated Space
Windows Swap Files and Web Browser Caches
Processing Forensic Data — Part One: Collection
Collection Techniques
Analysis Tools and Techniques
Chaining
Unix and Other Non-DOS Computers
Cyber Forensic Analysis — Computer Crimes Involving Networks
Posted: 25/03/2014, 11:47