cyber crime investigations bridging the gaps between security professionals law enforcement and prosecutors

Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS
For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.
Cyber Crime Investigations
Bridging the Gaps Between Security Professionals, Law Enforcement, and Prosecutors

Anthony Reyes
New York City Police Department's Computer Crimes Squad Detective, Retired

Kevin O'Shea
Jim Steele
Jon R. Hansen
Captain Benjamin R. Jean
Thomas Ralph

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Elsevier, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 78SPLBBC72
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Cyber Crime Investigations: Bridging the Gaps Between Security Professionals, Law Enforcement, and Prosecutors
Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN-10: 1-59749-133-0
ISBN-13: 978-1-59749-133-4

Publisher: Amorette Pedersen
Acquisitions Editor: Andrew Williams
Technical Editor: Anthony Reyes
Cover Designer: Michael Kavish
Project Manager: Gary Byrne
Page Layout and Art: Patricia Lupien
Copy Editors: Michael McGee, Adrienne Rebello
Indexer: Michael Ferreira

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@syngress.com.

Lead Author and Technical Editor

Anthony Reyes is a retired New York City Police Department Computer Crimes Detective. While employed by the NYPD, he investigated computer intrusions, fraud, identity theft, child exploitation, intellectual property theft, and software piracy. He was an alternate member of New York Governor George E. Pataki's Cyber-Security Task Force, and he currently serves as President of the High Technology Crime Investigation Association. He is the Education & Training Working Group Chair for the National Institute of Justice's Electronic Crime Partner Initiative. Anthony is also an Associate Editor for the Journal of Digital Forensic Practice and an editor for The International Journal of Forensic Computer Science. He is an Adjunct Professor and is the Chief Executive Officer of Arc Enterprises of New York, Inc. on Wall Street. Anthony has over 20 years of experience in the IT field. He teaches for several government agencies and large corporations in the areas of computer crime investigations, electronic discovery, and computer forensics. He also lectures around the world.

Anthony dedicates his chapters to "the breath of his soul": his sons, Richie and Chris, and his mother, Hilda. He would like to thank his family and friends who endured his absence during the writing of this book. He also thanks Kevin O'Shea, Jim Steele, Jon R. Hansen, Benjamin R. Jean, Thomas Ralph, Chet Hosmer, Christopher L.T. Brown, Doctor Marcus Rogers, and Paul Cibas for their contributions in making this book happen. Anthony wrote Chapters 1, 4, and

Contributors

Kevin O'Shea is currently employed as a Homeland Security and Intelligence Specialist in the Justiceworks program at the University of New Hampshire. In this capacity, Mr. O'Shea supports the implementation of tools, technology, and training to assist law enforcement in the investigation of crimes with a cyber component. In one of Kevin's recent projects, he was a technical consultant and developer of a training program for a remote computer-forensics-viewing technology, which is now in use by the state of New Hampshire. He also has developed a computer-crime-investigative curriculum for the New Hampshire Police Standards and Training. Kevin dedicates his chapters to his family, "his true angels," Leighsa, Fiona, and Mairead, for their patience, love, and encouragement. He would also like to thank Tony Reyes and the other authors of this book (it was a pleasure to work with all of you), as well as the TAG team, Stacy and Andrew, for their unbending support and friendship. Kevin wrote Chapters and 7; he also cowrote Chapter

James "Jim" Steele (CISSP, MCSE: Security, Security+) has a career rich with experience in the security, computer forensics, network development, and management fields. For over 15 years he has played integral roles regarding project management, systems administration, network administration, and enterprise security management in public safety and mission-critical systems. As a Senior Technical Consultant assigned to the NYPD E-911 Center, he designed and managed implementation of multiple systems for enterprise security; he also performed supporting operations on-site during September 11, 2001, and the blackout of 2003. Jim has also participated in foreign projects such as the development of the London Metropolitan Police C3i Project, for which he was a member of the Design and Proposal Team. Jim's career as a Technical Consultant also includes time with the University of Pennsylvania and the FDNY. His time working in the diverse network security field and expert knowledge of operating systems and network products and technologies have prepared him for his current position as a Senior Digital Forensics Investigator with a large wireless carrier. His responsibilities include performing workstation, server, PDA, cell phone, and network forensics as well as acting as a liaison to multiple law enforcement agencies, including the United States Secret Service and the FBI. On a daily basis he investigates cases of fraud, employee integrity, and compromised systems. Jim is a member of HTCC, NYECTF, InfraGard, and the HTCIA. Jim dedicates his chapters to his Mom, Dad, and Stephanie. Jim wrote Chapter

Jon R. Hansen is Vice-President of Sales and Business Development for AccessData. He is a computer specialist with over 24 years of experience in computer technologies, including network security, computer forensics, large-scale software deployment, and computer training on various hardware and software platforms. He has been involved with defining and developing policies and techniques for safeguarding computer information, recovering lost or forgotten passwords, and acquiring forensic images. Jon has presented at conferences all over the world, addressing audiences in the United States, Mexico, Brazil, England, Belgium, Italy, The Netherlands, New Zealand, Australia, Singapore, Hong Kong, Korea, Japan, and South Africa. As the former Microsoft Regional Director for the State of Utah, Jon has represented many companies as a consultant and liaison administrator, including Microsoft, WordPerfect, Lotus Corporation, and Digital Equipment Corporation (DEC). Jon dedicates his chapters to the "love of his life," his wife, Tammy. Jon wrote Chapter 10.

Captain Benjamin R. Jean has spent his entire law enforcement career in the State of New Hampshire, starting in 1992 for the Deerfield Police Department. He is currently employed as a Law Enforcement Training Specialist for the New Hampshire Police Standards & Training Council and is Chief of the Training Bureau. Captain Jean teaches classes in various law enforcement topics, including computer crime investigation, and is an active member of the New Hampshire Attorney General's Cyber Crime Initiative. He was recently awarded the 2006 Cyber Crime Innovation Award and holds an Associate's Degree in Criminal Justice from New Hampshire Community Technical College and a Bachelor's Degree in Information Technology from Granite State College. Benjamin dedicates his chapter to his kids, whom he does everything for, and his wife, who makes it all possible. Benjamin wrote Chapter

Thomas Ralph graduated cum laude from Case Western Reserve University School of Law, where he served as editor on the school's Law Review. In 1998, after serving as legal counsel at MassHighway, Mr. Ralph joined the Middlesex District Attorney's Office, where he performed trial work in the District and Superior Courts. Mr. Ralph became Deputy Chief of the Appeals Bureau, Captain of the Search Warrant Team, and Captain of the Public Records Team. Mr. Ralph has appeared dozens of times in the Massachusetts Appeals Court and Supreme Judicial Court. In 2005, Mr. Ralph became an Assistant
Attorney General in the New Hampshire Attorney General's office. His responsibilities there included spearheading the New Hampshire Attorney General's Cybercrime Initiative, an innovative program for processing and handling electronic evidence that has received national recognition,

Appendix B • Investigating Insider Threat Using Enterprise Security Management

Conclusion

The type of fraud we discussed in this Appendix would result not only in the loss of a job, but also in legal ramifications. The employees and the company in this case are fictitious, but this type of thing happens every day and is very hard to detect. If you consider all the information that is floating around your organization, imagine having to track where it is going externally, let alone internally. These are the types of processes that we can streamline and automate through ESM and the convergence of new data sources. Although these data sources present some challenges, such as the collection of the e-mail messages and some of the parsing of the VoIP CDRs, these are things that will only improve over time as companies tell their vendors that they need manageable logs and the ability to collect those logs in a convenient manner. Once they are collected, there are worlds of possibilities for analysis.

Index

A
Absolute immunity, 83-84
Access points
  description of, 113, 128
  encryption schemes used with, 116
ACFE. See Association of Certified Fraud Examiners
Admissibility of evidence, 52-55, 180, 225
"Agent of the government," 76-78, 87
American Academy of Forensic Sciences,
American Management Association, 73
Analysis phase, of digital forensics
  binary analysis, 248
  challenges, 245
  data carving, 250
  deleted items, 249
  description of, 223, 244-245
  e-mail analysis, 250
  enterprise events, 251-252
  example of, 245
  exchangeable image file format, 248
  flow charts, 251-252
  metadata, 247
  single-computer analysis, 247-250
  timelines, 252
  tools used in, 253-255
Andersen Consulting LLP v. UOP, 122
Anti-forensics, 246-247
Anti-spyware software, 272-273
Anti-virus software, 272
Application stupidity, 197-198, 218
Association of Certified Fraud Examiners, 276, 283
ATMs, 230
Authentication
  admissibility of evidence and, correlation between, 180
  digital evidence, 57-58, 65-66, 178-179
  in 802.11 standard, 114
  encryption used for, 115
  investigator's testimony used for, 179
  open system, 115-116

B
Backups, 228
Barbera v. Smith, 83-84
BestCrypt, 96-97
Binary analysis, 248
BIOS, 167
BitLocker Drive Encryption, 151
Bit-stream copy, 171, 222
Bit-stream image
  criticisms of, 16
  definition of, 14, 171
  description of, 13
  evidence tampering and, 15
Bloombecker, Buck, 161-162
Booting, accidental, 147
Britz, Marjorie, 28
Burns v. Reed, 83-84
Business-targeted crime, 275-277
Byte conversions, 92

C
California v. Ciraolo, 125
Casey, Eoghan, 26
CD, 167
Cellular phones, 230-231, 271
Certification of personnel, 191-192
CFAA. See Computer Fraud and Abuse Act
Chain of custody
  authenticating of evidence through, 56-58
  cyber crime investigator's use of, 57
  definition of, 13-14
Chat messaging, 213
Chat sessions, 168-169
Child pornography, 4-6, 71, 180-181
Civil cases, 64
Collection of data and evidence
  admissibility concerns, 225
  from cell phones, 230-231
  criteria for, 225
  description of, 222-223
  from digital entertainment systems, 229-230
  from digital video recorders, 233-234
  from flash memory, 231-232
  from gaming machines, 232-233
  from global positioning system, 233
  from hard drive interfaces, 229
  from MP3 players, 229-230
  from NAS devices, 238
  from PBX systems, 234
  from PDAs, 230-231
  preparation for, 226-229
  from RAID arrays, 236-237
  from SANs, 236-238
  tools necessary for, 226-228
  from virtual machines, 238-239
  from VoIP systems, 234
Common carrier, 122
Companies
  concerns of, 79-80
  confidential information held by, 80-81
  corporate practices of, 81-82
  media avoidance by, 81
Compression, 93
Computer
  accidental booting of, 147
  Computer Fraud and Abuse Act definition of, 31
  crimes determined without presence of, 11-12
  criminal involvement, 7-8
  definitions of, 31, 33
  digital evidence from, 26
  disassembly of, 181
  as evidence, 137-138, 141
  familiarity with,
  as incidental to crime, 26
  as instrument of crime, 26
  IP addresses, 198-202
  MAC addresses of, 115-116, 205-206
  nondigital evidence associated with, 181-182
  operating system of, 148-149
  personal. See Personal computers
  storage on, 92-93
  system time, 181
  as target of crime, 26
  transporting of, 147
  of victims of crime, 163
Computer abuse, 25
Computer crime
  categories of, 26
  crime as central focus of, 40-41
  cyber crime vs., 33-40
  defining of, 24-31, 33, 195
  evolution of, 31-33
  focus of, 40
  laws pertaining to, 46-47
  legal definition of, 29, 31
  linguistic confusion associated with, 34
  word origin of, 33
Computer Crime and Intellectual Property Section, 29, 139-140
Computer crime investigations
  communities involved in, 24
  evolution of, 32
Computer focused crimes, 27
Computer forensics
  analysis programs used in, 138
  best practices for, 220-221
  description of, 90
  evolution of, 220-222
  future of, 106
  preview software packages used in, 167-168
  specialists in, 155
Computer Fraud and Abuse Act
  description of, 29-31
  statutory violations under, 123-124
  WiFi transmission eavesdropping and, 123-124, 127
Computer hardware seizure. See Hardware seizure
Computer system
  Computer Fraud and Abuse Act provisions regarding access to, 127
  mission critical, 93
  network infrastructure, 161-162
  pulling-the-plug on, 148-149, 160
  shutting down, 90, 148, 151
  user-friendliness of, 197
Computer tampering,
Computer trespasser, 122
Computer viruses, 272, 276
Computer-assisted crimes, 27
Confidential information, 80-81
Crime
  computer. See Computer crime
  cyber. See Cyber crime
  during cyber crime investigation, 20, 87
  desensitizing of, 9-10
  perpetuation methods, 195-196
Crime scene
  digital media identified at, 145-146
  seizure method that minimizes, 178
"Crimes with a cyber-component," 40-43, 47
Criminal cases, 64
Cross examination, 62-63
Cryptographic algorithms, 16
Cyber crime
  absence of laws for, 20
  computer crime vs., 33-40
  computer involvement, 11-12
  crime as central focus of, 40-41
  "crimes with a cyber-component" term vs., 40-43, 47
  defining of, 28, 33, 42
  desensitization associated with, 9-10
  legal categories of, 27-28
  local agency reporting, 162-163
  media use of, 42
  myths regarding, 7-11
  personal computer effects on, 141, 162
  persons who commit, 265
  public perceptions of, 24
  scene of. See Crime scene
  substantiation of, 163
  traditional crime and, 8-10
  victims of, 162-164
Cyber crime investigations
  crime committed during course of, 20, 87
  description of, 2-3
  in-house, 71
  tools used in, 174-177
Cyber crime investigators
  authentication of seized evidence by, 179
  bridging the gaps among, 38-40, 42
  case study involving, 2-3
  elitist mentality of, 10-11
  foundation of the crime established by, 82
  getting started as, 217-218
  jargon use by, 35-36, 41
  as percipient witnesses, 51-52
  prosecutor's relationship with, 58-59
  role of, 72-78, 85-86
  testifying by. See Testifying
  training of, 20, 217
Cyber crime laws, 4-6
Cyber crime prevention
  business-targeted crime, 275-277
  family-targeted crime, 268-271
  government agency-targeted crime, 278-280
  motives analysis, 264-265
  organization-targeted crime, 277-278
  overview of, 263-268
  personal property-targeted crime, 272-275
  summary of, 281-282
Cyber crime prevention organizations, 283
Cyber stalking,
Cyber-deceptions and thefts, 27
Cyberethics, 29
Cyber-handshake, 127
Cyber-pornography, 27
Cyber-trespass, 27
Cyber-violence, 28

D
Dante,
Data
  collection of. See Collection of data and evidence
  encrypted, 109
  live, examination of, 16
  storage of, on alternative media, 230
  volatility of, 228
Data carving, 250
Data objects
  definition of, 134-135, 138, 189
  discovery of, after seizure, 143
  finite, on-scene imaging of, 171-174
  physical container vs., 139
Databases, 253-254
dcfldd, 240
dd, 240
Defense counsel
  alternative defenses presented by, 63
  cross examination by, 62-63
  digital evidence admissibility challenges, 53
  technical expertise level of, 60-61
Defiler's Toolkit, 246
Deleted items, 249
Denial-of-service attack, 26
Deposition, 64
Dial-up modem, 199
Digital entertainment systems, 229-230
Digital evidence. See also Evidence
  admissibility of, 52-55, 180, 225
  authenticating of, 57-58, 65-66, 178-179, 225
  believability of, 225
  completeness of, 225
  criteria for, 225
  defining of, 137-141
  description of, 26
  hash values of, 57-58, 65-66, 180
  identification of, 145-146
  law enforcement officer training in, 159
  on-scene assessment of, 142
  original computer used to view, 138
  previewing of, on-scene, 167, 180-181, 183
  reliability of, 225
  tools for collection of, 174-177
Digital evidence seizure
  common threads in, 177-180
  description of, 135
  example of, 164-166
  importance of, 159-160
  methodology used in, 141-149, 178, 180-182, 189
  options for, 159-177
  steps involved in, 144, 160-161
  warrant for, 173
Digital forensics
  analysis phase of. See Analysis phase, of digital forensics
  best practices of, 223
  collection phase of. See Collection of data and evidence
  definition of, 220
  examination phase of, 223, 241-244
  phases of, 222-256, 258
  reporting phase of, 223, 255-256
  software, 259
Digital media. See also Media
  convergence of, 155
  documentation of, 146
  identification of, at crime scene, 145-146
  prioritizing of, 146
  pulling-the-plug on, 148-149, 160
  seizure of, 147
  size of, 150-151
  stolen, 192
Digital protocols, 119
Digital video recorders, 233-234
Direct connect model, 100
Direct examination, 62
Direct sequence spread spectrum, 120
Documentation, 146, 177, 235-236
DSL, 199-200
DSSS. See Direct sequence spread spectrum
DVD, 167, 214
DVR. See Digital video recorders
Dynamic addressing, 200-201
Dynamic analysis, 248

E
Eavesdropping
  WiFi. See WiFi transmission eavesdropping
  on wired network, 115
ECPA. See Electronic Communications Privacy Act
802.3 standard, 113
802.11 standard
  authentication in, 114
  definition of, 113
  nonencrypted nature of, 122
  privacy in, 115-116
  summary of, 126
802.11a standard, 114, 118
802.11b standard, 114, 118
802.11g standard, 114, 118
Electronic Communications Privacy Act
  "access" terminology used in, 130
  description of, 73, 75
  "electronic communications" provisions, 121
  WiFi transmission eavesdropping and, 121-122, 126
Electronic evidence, 13
Electronic Frontier Foundation, 153
E-mail
  analysis of, 250
  description of, 211-212
  from e-mail programs, 212
  free, 212
  harassment using, 163
  monitoring of, 73-74, 87
  original computer used to view, 138
  phishing scam using, 194
  tracing of, 6, 212
Employee(s)
  monitoring of, 74-75, 87
  privacy of, 74
Encryption
  authentication through, 115
  file level, 94-95
  full disk, 243-244
  of police transmissions, 119
  volume level, 95
  whole disk, 95, 99, 151-152
End-user license agreement, 274
Enterprise network, 91
Ethernet, 113
Evidence. See also Digital evidence
  authenticating of, 56-58
  chain of custody for, 13-14, 56-58
  computer as, 137-138, 141
  definition of, 137
  electronic, 13
  hearsay requirements for, 15
  information as, 141, 161
  preservation of, 13
  prioritizing of, 11-13
  testimony about, 14
  weight of, 50, 55
Evidence tampering
  bit-stream image standard and, 15
  standards for preventing, 14
Exabyte, 92t
Examination phase, of digital forensics, 223, 241-244
Exchangeable image file format, 248
EXIF. See Exchangeable image file format
Expert witness
  definition of, 52
  expertise of, 55-56

F
Facebook, 213
Faraday device, 222
Fast forensics, 244
Federal Rules of Criminal Procedure, 139
Federal Rules of Evidence, 139, 178
FHSS. See Frequency hopping spread spectrum
Fiber channel, 229
Fiber-channel storage area networks, 237
File level encryption, 94-95
File slack space, 135
Finder of fact, 62
Fingerprints, 221
Firewalls, 273-275
First responders
  definition of, 157-158
  seizure method selected by, 180
  training of, 158, 184
Flash drives, 145, 214
Flash memory, 231-232
Flow charts, 251-252, 256
Forensic image, 223
Forensics. See Computer forensics; Digital forensics; Live forensics
Fourth Amendment, 125, 129
FRCP. See Federal Rules of Criminal Procedure
FRE. See Federal Rules of Evidence
Free Internet-based e-mail, 212
Frequency hopping spread spectrum, 120
Friends network, 213
FTK, 138
Full disk encryption, 243-244
Full disk imaging, 183

G
Gaming machines, 232-233, 271
Gateways, 203-204
Gigabyte, 92t
Global positioning system, 233
Government agency-targeted crime, 278-280
GPS. See Global positioning system
GREP, 253
Grice, Paul, 34

H
Hacker Defender, 104-105, 105f
Hanson, Kirk, 70
Hard drive
  copying files from, 109
  difficulty in accessing, 181
  encryption of, 243
  failure of, 179
  finite sections of, 171-174
  on-scene imaging of, 170-171, 173-174, 183
Hard drive interfaces, 229
Hardware documentation, 235-236
Hardware seizure
  description of, 142-143
  encryption concerns, 151-152
  factors that limit, 149-157, 183
  labeling of hardware, 147
  laboratory analysis delays after, 153-155
  privacy concerns, 152-153
  steps involved in, 143
Hash sets, 242
Hash values, 57-58, 65-66, 180
Hashes, 171, 224
Hearsay, 15
Heatherington, Cynthia, 266
Helix, 167, 175
Hewlett-Packard, 2-3, 6, 70
High Technology Crime Investigation Association, 85, 283
Homeland Security Presidential Directive #5, 35
Host bus adapter, 237
Hostnames, 204
Hotspots, 207-208
HTCIA. See High Technology Crime Investigation Association

I
Identity protection, 266
Identity theft, 194
IEEE standards
  definition of, 112-113
  802.3, 113
  802.11, 113-114
IM. See Instant messaging
ImageMaster, 175
Imaging
  copying vs., 171
  of finite data objects on-scene, 171-174
  full disk, 183
  of information on-scene, 170-171, 183
Immunity, 82-84
Industrial, scientific, and medical band, 118
Information
  duplicates of, 179
  as evidence, 141, 161
  imaging of, 170
  on-scene, 167-168, 170
  previewing of, 167, 180-181, 183
  as property, 139
  in RAM, 169
  from running computer, 168-170
In-groups, 36-39
In-house investigations, 71
Instant messaging, 196, 213
Institute of Electrical and Electronics Engineers standards. See IEEE standards
Internet
  connection methods, 199
  description of, 268
  identity protection recommendations, 266
  recommendations for using, 269-270
Internet Crimes Against Children Task Forces, 173
Internet service providers
  data retention by, 87
  Internet access by, 199-200
Interpersonal communication
  chat messaging, 213
  description of, 211
  e-mail. See E-mail
  instant messaging, 196, 213
  social networking, 32, 213-214
IP addresses, 198-202, 216
ipconfig, 201, 205
iPods, 229-230, 271
iSCSI, 237
IT personnel
  as "agent of the government," 76-78
  crimes committed by, 75
  information provided by, 78
  in live forensic environment, 91

J
Jargon
  cyber crime community's use of, 35-36, 41
  in-group's use of, 36-39

K
Katz v. United States, 125
Kilobyte, 92t
Klismafile, 246
Knoppix, 167

L
Laboratory analysis-related delays, 153-155
Law enforcement officers
  acting as agent of, 76-78, 87
  awareness-level training for, 159
  computer-related training for, 156, 158-159
  concerns of, 75-78
  corporate practices understood by, 79-82
  digital evidence training for, 159
  role of, 79-82, 86
  tools used by, 176-177
Linux operating system, 167, 227
Live forensics
  case study of, 101-104
  encrypted file systems, 94-99
  enterprise network, 91
  Hacker Defender, 104-105
  information gathered using, 101
  IT security personnel in, 91
  methods of, 100
  postmortem forensics vs., 90-99, 101-104, 107
  software manufacturers, 99-100
  storage, 92-93
Local area network, 113
Logical unit numbers, 237

M
MAC addresses, 115-116, 205-206
MAC spoofing, 205
Malicious software, 104
Malware
  analysis of, 248-249
  description of, 239, 275-276
Malware viruses, 273
Maxims, 34
MD5 algorithm, 14-15
MD5 hash, 171
Media. See also Digital media
  avoidance of, 81
  portability of, 214
  technophobe portrayals by, 38
  types of, 214
Megabyte, 92
Memory acquisition, 240
Memory analysis, 239-241
Metadata, 247
Metasploit, 246
Meterpreter, 246
Mini smart cards, 214
Modem
  dial-up, 199
  external, 200
MP3 players, 229-230, 271
Musiker, Jean A., 74
MySpace, 213-214

N
NAS devices, 238
National Incident Management System, 35-36
National Institute for Standards and Technology, 176
National Institute of Justice,
Necrofile, 246
Network analysis, 105
Network infrastructure, 161-162
Network interface cards, 114-115, 200
Network intrusion detection software, 275
Networking, 202-204, 216
NIST. See National Institute for Standards and Technology
*nix, 227, 240

O
On demand connection model, 100
One-party consent, 4-5
Online predators, 218
On-scene imaging
  of finite data objects, 171-174
  of hard drive, 170-171
On-scene previewing of information, 167, 180-181, 183
On-scene responders, 142
Open system authentication, 115-116
Operating systems
  description of, 148-149
  evolution of, 221
  flow charts, 251-252, 256
  hash sets of, 242
Optical media, 146
Organization-targeted crime, 277-278
Out-groups, 36-39
Outlook, 212
Outlook Express, 212

P
Packet sniffer, 105
Paraben Forensics Mail Examiner, 250
Parker, Donn, 24-25
Passwords
  encryption of, 244
  trafficking of, 124
PBX systems, 234
PCI card, 240
PDAs, 230-231, 262, 271
Percipient witnesses, 51-52
Personal computers
  computer crime affected by, 141, 162
  development of, 32
  storage size of, 150, 161
Personal firewalls, 273-275
Petabyte, 92t
PGP, 151
Phishing scam, 194
Physical memory
  capturing of, 103
  imaging of, 96, 97f
Plea bargain, 50-51
Pod slurping, 230
Postmortem forensics, 90-99, 101-104, 107
PPA. See Privacy Protection Act
Pre-deployed agent model, 100
Pretexting,
Pretrial motions, 50-51
Prevention. See Cyber crime prevention
Privacy
  of cellular conversations, 119-120
  in 802.11 standard, 115-116
  of employees, 74
  Fourth Amendment expectation of, 125, 129
  hardware seizure and, 152-153
  in wireless local area networks, 115, 125
Privacy Protection Act, 152, 183
Private networks, 203
ProDiscover IR, 98
Property
  access to, 265-266
  cyber crime that targets, 272-275
  definition of, 139-140
  information as, 139
Prosecutor
  case discussions with, 59-60
  guidance provided by, 82
  immunity of, 82-84
  role of, 82-84, 86
  technical expertise level of, 58-59, 67
"Pulling-the-plug," 148-149, 160

Q
Qualified immunity, 83

R
RAID arrays, 150, 236-237
RAM
  data held in, 169
  "dumping" of, 168-169, 183
  Linux operating system's use of, 167
  recovery of, 168-169
Remote access Trojan, 79-80
Report
  definition of, 255
  elements of, 255
  review of, before testifying, 61
Responders
  first, 157-159
  non-technical, 157
  training of, 155-157, 184
Richards v. NYC, 83
Rootkits, 104, 109
Routers, 203, 208
RTA v. Mitchell, 16
Running processes, 101, 108
Running services, 101, 102, 107-108

S
Sam Juicer, 246
SANs, 236-238
Sarbanes-Oxley Act, 70
SATA, 229
Scanner, 119
SEARCH, 168-169
Search and seizures
  by civilians, 76-77
  digital evidence. See Digital evidence seizure
  hardware. See Hardware seizure
  unreasonable, 125
Security event management systems, 254-255
Seizures. See Search and seizures
SEM systems. See Security event management systems
Slammer virus, 276
Smyth v. The Pillsbury Company, 73
Snort, 254
Social networking, 32, 213-214
Spada, 167
Specialist-level responders, 156
Spreadsheets, 253
Spyware, 272-273
SQL databases, 254
Static addressing, 200-201
Static analysis, 248
Steve Jackson Games, Inc. v. Secret Service, 153
Storage, 92-93
Storage area networks. See SANs
Storage media
  evolution of, 221
  on-scene previewing of information on, 167, 180-181, 183
  preparation of, 226-227
  prioritizing of, 146
  seizure of, 147
  size of, 150-151, 154
  types of, 279
  wireless, 210-211
System flow charts, 251-252
System time, 181

T
Taylor, Robert, 26
Technician-level responders, 156
Technophiles
  definition of, 24
  jargon developed by, 35
Technophobes
  alienation of, 39-40
  description of, 7, 9, 24
  distancing from technology by, 37
  media portrayals of, 38
  as out-group, 37
Telecommunications Act, 123
Telephone Disclosure and Dispute Resolution Act, 119-120
Terabytes, 92, 150-151
Testifying. See also Witness
  assessment of defense counsel before, 60-61
  cross examination, 62-63
  during deposition, 64
  digital evidence admissibility established while, 52-55
  direct examination, 62
  discussion with prosecutor before, 59-60
  effective presentation during, 61-63
  expertise level necessary for, 51-52
  keys to, 58-64
  listening to question, 61
  misconceptions about, 51-56
  report review before, 61
  summary of, 65
  theory of the case understood while, 63-64
Theory of the case, 63
Timelines, 252, 256
Timestomp, 246
TiVo, 233
TPM chip, 152
Transmogrify, 246
Trap and trace,
Trojan defense, 249
Trojan horse, 78
Trusted Platform Module, 243-244
Two-party consent,

U
U3 Smart Drives, 232
Unauthorized access, 29-30
United States v. Bonallo, 15
United States v. Granderson, 125
United States v. Jarrett, 77-78
United States v. Knotts, 125
United States v. Steiger, 78
United States v. Stephenson, 179
United States v. Whitaker, 15
Unreasonable searches, 125
U.S. Department of Justice, 29, 160-161, 278
USB Hacksaw, 232

V
Virtual machines, 238-239, 249
Viruses, 272, 276
VoIP systems, 234
Volume level encryption, 95

W
Wardriving, 124, 208-210
Warrant
  legality of, 50
  limitations of, 173
  need for,
  reasons for issuing, 139
Weight of the evidence, 50, 55
WEP. See Wired Equivalency Protocol
Whole disk encryption, 95, 99, 151-152
WiFi
  access points, 113, 116, 128
  description of, 112
  free access to, 112
  summary of, 126, 128
WiFi networks
  illegal access to, 130
  Wired Equivalency Protocol, 117
WiFi protected access, 115-117
WiFi radio frequency
  industrial, scientific, and medical band, 118
  overview of, 117-118
  scanning, 118-120, 129
WiFi transmission(s)
  Computer Fraud and Abuse Act applicability to, 123-124
  eavesdropping. See WiFi transmission eavesdropping
  Electronic Communications Privacy Act applicability to, 120-122
  interception of, 112-131
  over common carrier, 122
  privacy expectations, 125
  Telecommunications Act applicability to, 122
WiFi transmission eavesdropping
  federal statutes regarding, 121-124
  hardware and software needed for, 120
  passive manner of, 124, 127
  summary of, 129
Wired equivalency protocol, 115-117
Wireless fidelity. See WiFi
Wireless local area networks
  description of, 113
  encryption schemes used by, 115
  privacy in, 115, 125
Wireless networks
  hotspots, 207-208
  investigating of, 209-210
  overview of, 206-207
  summary of, 216-217
  wardriving, 208-210
Wireless routers, 208
Wireless storage devices, 210-211
Witness. See also Testifying
  cross examination of, 62-63
  direct examination of, 62
  effective presentation as, 61-63
  expert. See Expert witness
  percipient, 51-52
WPA. See WiFi protected access
Write-blocker, 224

X
Xbox, 232, 270-271

Y
Yar, Majid, 27-28

... Problem at Hand
The Gaps in Cyber Crime Law
When I started my stint as a "Cyber Detective" many cyber crime laws were nonexistent, information on the topic was scarce, and there were only a handful ...

Posted: 03/07/2014, 16:06


Table of contents

  • Cover

  • Contents

  • The Problem at Hand

  • “Computer Crime” Discussed

  • Preparing for Prosecution and Testifying

  • Cyber Investigative Roles

  • Incident Response: Live Forensics and Investigations

  • Legal Issues of Intercepting WiFi Transmissions

  • Seizure of Digital Information

  • Conducting Cyber Investigations

  • Digital Forensics and Analyzing Data

  • Cyber Crime Prevention

  • Legal Principles for Information Security Evaluations

  • Investigating Insider Threat Using Enterprise Security Management

  • Index
