Case Study: Lab Preparations
Cashing Out
Preparing for a Forensics Operation
1 The Forensics Process
Types of Investigations
The Role of the Investigator
Elements of a Good Process
Cross-validation
Proper Evidence Handling
Completeness of Investigation
Management of Archives
Technical Competency
Explicit Definition and Justification for the Process
Legal Compliance
Flexibility
Defining a Process
Identification
Collection and Preservation
Analysis
Production and Presentation
After the Investigation
2 Computer Fundamentals
The Bottom-up View of a Computer
It’s All Just 1s and 0s
Learning from the Past: Giving Computers Memory
Basic Input and Output System (BIOS)
The Operating System
The Applications
Types of Media
Magnetic Media
Optical Media
Memory Technologies
3 Forensic Lab Environment Preparation
The Ultimate Computer Forensic Lab
What Is a Computer Forensic Laboratory?
Forensic Lab Security
Protecting the Forensic Lab
Forensic Computers
Components of a Forensic Host
Commercially Available Hardware Systems
Do-It-Yourself Hardware Systems
Data Storage
Forensic Hardware and Software Tools
Using Hardware Tools
Using Software Tools
The Flyaway Kit
Case Management
Bonus: Linux or Windows?
Part II Collecting the Evidence
Case Study: The Collections Agency
Preparations
Revelations
Collecting Evidence
4 Forensically Sound Evidence Collection
Collecting Evidence from a Single System
Step 1: Power Down the Suspect System
Step 2: Remove the Drive(s) from the Suspect System
Step 3: Check for Other Media
Step 4: Record BIOS Information
Step 5: Forensically Image the Drive
Step 6: Record Cryptographic Hashes
Step 7: Bag and Tag
Move Forward
Common Mistakes in Evidence Collection
5 Remote Investigations and Collections
Privacy Issues
Remote Investigations
Remote Investigation Tools
Remote Collections
Remote Collection Tools
The Data Is Changing
Policies and Procedures
Encrypted Volumes or Drives
USB Thumb Drives
Part III Forensic Investigation Techniques
Case Study: Analyzing the Data
Digging for Clues
We’re Not Done. Yet.
Finally
6 Microsoft Windows Systems Analysis
Windows File Systems
Master Boot Record
FAT File System
NTFS
Recovering Deleted Files
Limitations
Windows Artifacts
7 Linux Analysis
The Linux File System (ext2 and ext3)
ext2 Structure
ext3/ext4 Structure
Linux Swap
Linux Analysis
8 Macintosh Analysis
The Evolution of the Mac OS
Looking at a Mac Disk or Image
The GUID Partition Table
Partition Entry Array
Deleted Files
Recovering Deleted Files
Concatenating Unallocated Space
Scavenging for Unindexed Files and Pruned Nodes
A Closer Look at Macintosh Files
Archives
Date and Time Stamps
E-mail
Graphics
Web Browsing
Resources
Virtual Memory
System Log and Other System Files
Mac as a Forensics Platform
9 Defeating Anti-forensic Techniques
Obscurity Methods
Privacy Measures
Encryption
The General Solution to Encryption
Wiping
10 Enterprise Storage Analysis
The Enterprise Data Universe
Rebuilding RAIDs in EnCase
Rebuilding RAIDs in Linux
Working with NAS Systems
Working with SAN Systems
Working with Tapes
Accessing Raw Tapes on Windows
Accessing Raw Tapes on UNIX
Commercial Tools for Accessing Tapes
Collecting Live Data from Windows Systems
Full-Text Indexing
Mail Servers
11 E-mail Analysis
Finding E-mail Artifacts
Converting E-mail Formats
Obtaining Web-based E-mail (Webmail) from Online Sources
Client-based E-mail
Web-Based E-mail
Internet-Hosted Mail
Investigating E-mail Headers
12 Tracking User Activity
Microsoft Office Forensics
Tracking Web Usage
Internet Explorer Forensics
Firefox/Mozilla Forensics
Operating System User Logs
UserAssist
13 Forensic Analysis of Mobile Devices
Collecting and Analyzing Mobile Device Evidence
Password-protected Windows Devices
Conclusion
Part IV Presenting Your Findings
Case Study: Wrapping Up the Case
He Said, She Said
14 Documenting the Investigation
Read Me
Internal Report
Construction of an Internal Report
Declaration
Construction of a Declaration
Affidavit
Expert Report
Construction of an Expert Report
15 The Justice System
The Criminal Court System
The Civil Justice System
Phase One: Investigation
Phase Two: Commencing Suit
Phase Three: Discovery
Phase Four: Trial
Expert Status
Expert Credentials
Nontestifying Expert Consultant
Testifying Expert Witness
Court-Appointed Expert
Expert Interaction with the Court
Part V Putting It All Together
Case Study: Now What?
Mr. Blink Becomes an Investigator
Time to Understand the Business Issues
16 IP Theft
What Is IP Theft?
IP Theft Ramifications
Loss of Customers
Loss of Competitive Advantage
Monetary Loss
Types of Theft
Technology
Tying It Together
What Was Taken?
Looking at Intent
Estimating Damages
Working with Higher-Ups
Working with Outside Counsel
17 Employee Misconduct
What Is Employee Misconduct?
Ramifications
Disruptive Work Environment
Investigations by Authorities
Lawsuits Against an Employer
Monetary Loss
Types of Misconduct
Inappropriate Use of Corporate Resources
Making Sense of It All
Employment Discrimination/Harassment
Violation of Non-compete/Non-solicitation Agreements
Tying It Together
<
br /> What Is the Risk to the Company?
Looking at Intent
Estimating Damages
Working with Higher-Ups
Working with Outside Counsel
18 Employee Fraud
What Is Employee Fraud?
Ramifications
Monetary Loss
Investigations by Authorities
Criminal Penalties and Civil Lawsuits
Types of Employee Fraud
Asset Misappropriation
Corruption
Tying It Together
What Is the Story?
Estimating Losses
Working with Higher-Ups
Working with Outside Counsel and Investigators
19 Corporate Fraud
What Is Corporate Fraud?
Ramifications
Impact to Shareholders and the Public
Regulatory Changes
Investigations and Litigation
Types of Corporate Fraud
Accounting Fraud
Securities Fraud
20 Organized Cyber Crime
The Changing Landscape of Hacking
The Russian Business Network
Infrastructure and Bot-Nets
The Russian-Estonian Conflict
Effects on Western Companies
Types of Hacks and the Role of Computer Forensics
Bot/Remote Control Malware
Traditional Hacks
Money Laundering
Anti-Money Laundering Software
The Mechanics of Laundering
The Role of Computer Forensics
21 Consumer Fraud
What Is Consumer Fraud?
Ramifications
Impact to Consumers and the Public
Regulatory Environment
Investigations and Litigation
Types of Consumer Fraud
Identity Theft
Investment Fraud
Mortgage Fraud
Tying It Together
A Searching Techniques
Regular Expressions
Theory and History
The Building Blocks
Constructing Regular Expressions
Index
ACKNOWLEDGMENTS
“A good writer possesses not only his own spirit but also the spirit of his friends.”
—Friedrich Nietzsche
We simply could not have done this without the help of many, many people. It was an amazing challenge to coordinate the necessary depth of corporate, legal, criminal, and technical expertise across so many subjects. Many old and new friends donated knowledge, time, techniques, tools, and much more to make this project a success. We are truly grateful to each of you.
The wonderful and overworked team at McGraw-Hill is outstanding. We sincerely appreciate your dedication, coaching, and long hours during the course of this project. Jane Brownlow, this book is a result of your tireless dedication to the completion of this project. You are truly one of the best in the business. We would also like to extend a big round of thanks to Joya Anthony, our acquisition coordinator and honorary coxswain. Thanks to LeeAnn Pickrell for seeing us through to the finish line.
A special thank you goes to Jean Domalis, Todd Lester, John Loveland, and Louis Scharringhausen for their contributing work and thorough reviews. Jean, as always, your work is fantastic. You truly play to a standard in everything you do and it shows. Todd, you went above and beyond and the book is a world better for it. John, thank you for the vision and strategic input on the structure of the new sections. Louis, your attention to detail and desire to know the right answer is a huge asset. You were a fantastic technical editor.
Lastly, a special note of remembrance for Bill Siebert. He wrote the foreword for the first edition of the book, donating his time when none of us knew how the book would be received. Unfortunately Bill passed in December 2008. Bill, you and your family are in our thoughts.
—The Authors
I would like to thank my fellow authors for their tireless work and many long nights getting this book done.
Thanks to everyone at Navigant Consulting. A special thanks to the entire Austin office, especially Travis Casner, Cade Satterfield, Adam Scheive, and Zarin Behramsha for their assistance with the research on the new sections. Also, a special note of thanks to Kris Swanson and Todd Marlin for ideas and guidance throughout both this book and our other case work.
John, Jean, and Louis, I am proud to say that we were on the same team. You guys are great. John, you have always had my back, and I have learned a ton from you. Here is to success and building it the right way.
To Susan and Lauren, I cannot express my gratitude enough for your patience with me as Todd and I worked on the book weekend after weekend. Todd, thanks for everything, not just the book. You do the Longhorn nation proud and I will beat you one of these years at the Shiner GASP. Na zdorov’e.
Thanks to Fr. Patrick Johnson for all the sage advice and for reminding me of the importance of balance in life. St. Austin Catholic Parish in Austin, Texas, has truly become an anchor in my life.
Thanks to Chris Sweeny, Jonathan McCoy, and all of my teammates and brothers on the University of Texas Rugby Team. You taught me mental toughness, brotherhood, the value of perseverance, and how to never give up.
Thanks to Larry Leibrock and David Burns for introducing me to forensics and treating me so well while I was at the McCombs School of Business. And to every one of my computer science professors for showing me how much I still have to learn.
A huge thank you to Robert Groshon and Bradley O. Brauser for believing in me all those years ago.
Thanks to Peggy Cheung for being such a great friend. Your selling me the 2006 Rose Bowl tickets at face value goes as one of the greatest demonstrations of friendships I have ever witnessed. I am very sorry I stopped texting you game updates in the third quarter, and I still have no idea how much that phone call to Hong Kong cost me.
Finally, I would like to give another thank you to my family, my mother and father who gave me my first computer when I was seven, and my sister Renee.
—Aaron Philipp
INTRODUCTION
“This is not an incident response handbook.” This was the first line of the introduction for the first edition. Little did we know at the time how much computer forensics would change since the book was first published in 2004. Computer forensics is changing the way investigations are done, even investigations previously thought to be outside the four corners of technology investigations.
If you look at what happened with the economy in 2008 and 2009, the subprime mortgage meltdown, the credit crisis, and all of the associated fraud that has been uncovered, you can see the vital role that computer forensics plays in the process. Before the prevalence of technology in corporations, all investigators had to go on were paper documents and financial transactions. With the addition of computer forensics as a tool, we can better identify not only what happened at a certain point in time, but also, in some cases, the intent of the individuals involved. Multibillion-dollar fraud schemes are being blown open by the discovery of a single e-mail or thumb drive. Computer forensics is front and center in changing the way these investigations are conducted.
HOW THIS BOOK IS ORGANIZED
We have broken this book into five parts, reflective of the different stages of the investigation.
Part I: Preparing for an Incident
This section discusses how to develop a forensics process and set up the lab environment needed to conduct your investigation in an accurate and skillful manner. In addition, it lays the technical groundwork for the rest of the book.
Part II: Collecting the Evidence
These chapters teach you how to effectively find, capture, and prepare evidence for investigation. Additionally, we highlight how the law applies to evidence collection.
Part III: Forensic Investigation Techniques
This section illustrates how to apply recovery techniques to investigatio
ns from the evidence you have collected across many platforms and scenarios found in corporate settings. We introduce field-tested methods and techniques for recovering suspect activities.
Part IV: Presenting Your Findings
The legal environment of technical forensics is the focus of this section. We discuss how you will interact with council, testify in court, and report on your findings. In many ways, this is the most important part of the forensics process.
Part V: Putting It All Together
This section is all about the application of what we′ve discussed in the earlier parts of the book. We look at different types of investigations through the lens of computer forensics and how it can help create the bigger picture.
The Basic Building Blocks: Attacks and Countermeasures
This format should be very familiar to anyone who has read a Hacking Exposed book before. How we define attacks and countermeasures for forensics, however, is a bit different than in past books.
This is an attack icon.
In previous Hacking Exposed books, this icon was used to denote a type of attack that could be launched against your network or target. In this book, the attack icon relates to procedures, techniques, and concerns that threaten to compromise your investigation.
For instance, failing to properly image a hard drive is labeled an attack with a very high risk rating. This is because you are going to see it often; it is not difficult to create an image, and if you accidentally write to the disk when you are imaging, your whole investigation may be compromised, no matter what else you do correctly.
This is a countermeasure icon.
In this book, the countermeasure icon represents the ways that you can ensure correct completion of the investigation for the attack. In our hard drive example, this would mean correctly hashing the drive and verifying the hash after you have taken the image.
Other Visual Aides
We have also made use of several other visual icons that help point out fine details or gotchas that are frequently overlooked.
ONLINE RESOURCES
Forensics is a constantly changing field. In addition, there are things we weren′t able to include because they were outside the scope of the book. For these reasons, we have created a Web site that contains additional information, corrections for the book, and electronic versions of the things discussed in these pages. The URL is www.hackingexposedforensics.com.
Hacking Exposed Page 2