
Hacking Exposed


by Aaron Philipp

suspect systems (continued)
    hostile environment, 112
    mission-critical systems, 95
    powering down, 65
    preventing modification to, 67–92
    recording cryptographic hashes, 92
    remote collections, 112–122
    remote investigations, 99–112
    removing drives from, 65
    unverifiable images, 93–94
swap files, 194
SWGDE (Scientific Working Group on Digital Evidence), 54
SWGDE Validation guidelines, 54
symmetric key encryption, 206–209
system downtime, 95
systems
    accounting, 427, 484–485
    binary number, 20–22
    dtSearch, 233–234
    hardware, 51–52
    suspect. See suspect systems

T

tape backup drives, 32–35
tape robots, 226–227
tapes, 226–231
    commercial tools for, 229–231
    formats, 226
    identifying, 227
    imaging, 229–230
    preserving, 229
    raw, 227–229
    reading, 227
    write protect tab, 227
TASK toolkit, 167
tcsh shell, 171
TCT (The Coroner's Toolkit), 172–173
technology theft, 378–380
temperature control, 48
temporary files, 463
Terminal Services Client, 328–329
testimony
    deposition, 363
    trial, 364
Text Searcher, 234
The Coroner's Toolkit (TCT), 172–173
theft
    of customer data, 374–375
    source code/program, 378–381
    of technology, 378–380
    of trade secrets, 6–7, 381–384
thumb drives. See USB thumb drives
tracking systems, 58
tracks, 30
trademarks, 381–384
trade secrets, 6–7, 381–384
transcription, 363
Transend Migrator, 237–238, 241–243
transistors, 21, 22
trees, 184
trial phase, 364
trial testimony, 364

U

Ubuntu Linux, 169
unallocated data, 142–148
unallocated space
    finding data in, 218
    keyword searching, 218
    Linux, 172–173
    Mac systems, 189–191
    parsing, 148
    recovering data in, 216–217
    Windows systems, 142–148
    wiping, 216–217
unanimous written consents (UWCs), 451
undo information, 277–280
uninterruptible power supplies (UPSs), 48
UNIX file command, 199
UNIX systems
    accessing raw tapes, 228–229
    e-mail, 256–257
    Windows emulation, 228
UPSs (uninterruptible power supplies), 48
URLs, 283
USB drives, 88–92
    files copied to, 387–388
    IP theft and, 386–388
    malware on, 462, 481
    matching up, 388
USB flash drives, 38
USB storage devices, 154–155
USBSTOR key, 154–155
USB thumb drives
    copying to, 386–388
    identifying, 154–155
    investment fraud and, 485
    overview, 38
    remote investigations, 125–126
    searching for evidence on, 424–425
US Department of Defense. See DOD
US Department of Justice (DOJ), 418
user activity, 273–302. See also UserAssist entries
    considerations, 222
    Microsoft Office forensics, 274–283
    tracking web usage, 283–298
UserAssist feature, 298–302
    overview, 159–160, 298
    tips for, 302
    working with, 299–302
UserAssist keys, 159, 298, 299
UserAssist logs, 213–214, 402, 464
users
    activities of. See user activity
    cookies, 288–290, 293
    logging in/out, 157
    suspects, 66
    tracking via e-mail, 275–277
    undo information, 277–280
US Patent and Trademark Office (USPTO), 381
USPTO (US Patent and Trademark Office), 381
UWCs (unanimous written consents), 451

V

Verity, 234
VFAT (Virtual File Allocation Table), 132
Virtual File Allocation Table (VFAT), 132
virtual memory, 152, 194
virus scanner logs, 459
voice mail, 431
volatile memory, 22–24
volume header, 184–185
volumes, encrypted, 122–125

W

Web. See Internet
web-based e-mail
    determining when opened, 448–449
    Hotmail, 265
    Hushmail, 265–267
    obtaining from online sources, 241–243
    overview, 240, 261–262
    Yahoo! e-mail, 262–265
web browsers, 262, 334. See also Internet cache; specific browsers
Webglimpse package, 233
web history, 284–288
Web sites
    cookies, 283, 288–290, 293
    phishing, 478–480
whistleblowers, 421
windows, 46
Windows-based devices
    acquisition of, 311–314
    analysis of, 314–317
    password-protected, 331–332
    vs. Palm devices, 319–320
Windows CE. See Windows-based devices
Windows Installer registry, 402
Windows operating system, 59–60
Windows systems, 131–160
    accessing raw tapes, 227–228
    artifacts, 150–160
    collecting live data from, 231
    crashes, 158–159
    determining programs run, 159
    downtime and, 95
    drive-wiping, 149–150
    error handlers, 158–159
    file systems, 132–138
    fragmentation, 140, 146–148
    FTK Imager, 88–92
    memory dumps, 158, 159
    Office document metadata, 157–158
    printer spools, 152–153
    recovering deleted files, 138–150
    Recycle Bin, 150–151
    removable storage devices, 154–155
    shutdown time, 156–157
    unallocated space, 142–148
    UserAssist. See UserAssist feature
    user login/logout, 157
    versions, 155–156
    vs. Linux systems, 59–60
    wiping drives, 68–71
WinHex, 54
wiping, 212–215
    disks, 217
    slack space, 215
    tools for, 149–150
    unallocated space, 216–217
witnesses
    employees as, 343–344
    expert. See expert witnesses
    testimony, 363–364
Word 97 MAC address, 280–282
Word documents, 158
workplace privacy, 98–99
write-blockers, 54, 78–81
write heads, 27

X

XXCopy tool, 231

Y

Yahoo!, 271
Yahoo! e-mail, 262–265

Z

zip disks, 26
zombies, 455–456
