Computer Forensics : Computer Crime Scene


Computer Forensics
Second Edition

LIMITED WARRANTY AND DISCLAIMER OF LIABILITY

THE CD-ROM THAT ACCOMPANIES THE BOOK MAY BE USED ON A SINGLE PC ONLY. THE LICENSE DOES NOT PERMIT THE USE ON A NETWORK (OF ANY KIND). YOU FURTHER AGREE THAT THIS LICENSE GRANTS PERMISSION TO USE THE PRODUCTS CONTAINED HEREIN, BUT DOES NOT GIVE YOU RIGHT OF OWNERSHIP TO ANY OF THE CONTENT OR PRODUCT CONTAINED ON THIS CD-ROM. USE OF THIRD-PARTY SOFTWARE CONTAINED ON THIS CD-ROM IS LIMITED TO AND SUBJECT TO LICENSING TERMS FOR THE RESPECTIVE PRODUCTS.

CHARLES RIVER MEDIA, INC. (“CRM”) AND/OR ANYONE WHO HAS BEEN INVOLVED IN THE WRITING, CREATION, OR PRODUCTION OF THE ACCOMPANYING CODE (“THE SOFTWARE”) OR THE THIRD-PARTY PRODUCTS CONTAINED ON THE CD-ROM OR TEXTUAL MATERIAL IN THE BOOK, CANNOT AND DO NOT WARRANT THE PERFORMANCE OR RESULTS THAT MAY BE OBTAINED BY USING THE SOFTWARE OR CONTENTS OF THE BOOK. THE AUTHOR AND PUBLISHER HAVE USED THEIR BEST EFFORTS TO ENSURE THE ACCURACY AND FUNCTIONALITY OF THE TEXTUAL MATERIAL AND PROGRAMS CONTAINED HEREIN. WE HOWEVER, MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, REGARDING THE PERFORMANCE OF THESE PROGRAMS OR CONTENTS. THE SOFTWARE IS SOLD “AS IS” WITHOUT WARRANTY (EXCEPT FOR DEFECTIVE MATERIALS USED IN MANUFACTURING THE DISK OR DUE TO FAULTY WORKMANSHIP).

THE AUTHOR, THE PUBLISHER, DEVELOPERS OF THIRD-PARTY SOFTWARE, AND ANYONE INVOLVED IN THE PRODUCTION AND MANUFACTURING OF THIS WORK SHALL NOT BE LIABLE FOR DAMAGES OF ANY KIND ARISING OUT OF THE USE OF (OR THE INABILITY TO USE) THE PROGRAMS, SOURCE CODE, OR TEXTUAL MATERIAL CONTAINED IN THIS PUBLICATION. THIS INCLUDES, BUT IS NOT LIMITED TO, LOSS OF REVENUE OR PROFIT, OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE PRODUCT.

THE SOLE REMEDY IN THE EVENT OF A CLAIM OF ANY KIND IS EXPRESSLY LIMITED TO REPLACEMENT OF THE BOOK AND/OR CD-ROM, AND ONLY AT THE DISCRETION OF CRM.

THE USE OF “IMPLIED WARRANTY” AND CERTAIN “EXCLUSIONS” VARIES FROM STATE TO STATE, AND MAY NOT APPLY TO THE PURCHASER OF THIS PRODUCT.

Computer Forensics: Computer Crime Scene Investigation
Second Edition

John R. Vacca

CHARLES RIVER MEDIA, INC.
Boston, Massachusetts

Copyright 2005 Career & Professional Group, a division of Thomson Learning, Inc.
Published by Charles River Media, an imprint of Thomson Learning Inc.
All rights reserved.

No part of this publication may be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means or media, electronic or mechanical, including, but not limited to, photocopy, recording, or scanning, without prior permission in writing from the publisher.

Cover Design: Tyler Creative

CHARLES RIVER MEDIA
25 Thomson Place
Boston, Massachusetts 02210
617-757-7900
617-757-7969 (FAX)
crm.info@thomson.com
www.charlesriver.com

This book is printed on acid-free paper.

John R. Vacca. Computer Forensics: Computer Crime Scene Investigation, Second Edition.
ISBN: 1-58450-389-0
ISBN-13: 978-1-58450-389-7
eISBN: 1-58450-637-7

All brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse (of any kind) of service marks or trademarks should not be regarded as intent to infringe on the property of others. The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products.

Library of Congress Cataloging-in-Publication Data
Vacca, John R.
Computer forensics : computer crime scene investigation / John R. Vacca.-- 2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 1-58450-389-0 (pbk. with cd-rom : alk. paper)
1. Computer security. 2. Computer networks--Security measures. 3. Forensic sciences. I. Title.
QA76.9.A25V33 2005
005.8--dc22
2005007521

Printed in the United States of America
07 7 6 5 4 3

CHARLES RIVER MEDIA titles are available for site license or bulk purchase by institutions, user groups, corporations, etc. For additional information, please contact the Special Sales Department at 800-347-7707.

Requests for replacement of a defective CD-ROM must be accompanied by the original disc, your mailing address, telephone number, date of purchase and purchase price. Please state the nature of the problem, and send the information to CHARLES RIVER MEDIA, 25 Thomson Place, Boston, Massachusetts 02210. CRM’s sole obligation to the purchaser is to replace the disc, based on defective materials or faulty workmanship, but not on the operation or functionality of the product.

In memory of Giacchi and Agrippina.


Contents

Acknowledgments
Foreword
Introduction

Part I Overview of Computer Forensics Technology

1 Computer Forensics Fundamentals
    Introduction to Computer Forensics
    Use of Computer Forensics in Law Enforcement
    Computer Forensics Assistance to Human Resources/Employment Proceedings
    Computer Forensics Services
    Benefits of Professional Forensics Methodology
    Steps Taken by Computer Forensics Specialists
    Who Can Use Computer Forensic Evidence?
    Case Histories
    Case Studies
    Summary
    Chapter Review Questions and Exercises
    Hands-On Projects
    References

2 Types of Computer Forensics Technology
    Types of Military Computer Forensic Technology
    Types of Law Enforcement: Computer Forensic Technology
    Types of Business Computer Forensic Technology
    Specialized Forensics Techniques
    Hidden Data and How to Find It
    Spyware and Adware
    Encryption Methods and Vulnerabilities
    Protecting Data from Being Compromised
    Internet Tracing Methods
    Security and Wireless Technologies
    Avoiding Pitfalls with Firewalls
    Biometric Security Systems
    Summary
    Chapter Review Questions and Exercises
    Hands-On Projects
    References

3 Types of Computer Forensics Systems
    Internet Security Systems
    Intrusion Detection Systems
    Firewall Security Systems
    Storage Area Network Security Systems
    Network Disaster Recovery Systems
    Public Key Infrastructure Systems
    Wireless Network Security Systems
    Satellite Encryption Security Systems
    Instant Messaging (IM) Security Systems
    Net Privacy Systems
    Identity Management Security Systems
    Identity Theft
    Biometric Security Systems
    Homeland Security Systems
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

4 Vendor and Computer Forensics Services
    Occurrence of Cyber Crime
    Cyber Detectives
    Fighting Cyber Crime with Risk-Management Techniques
    Computer Forensics Investigative Services
    Forensic Process Improvement
    Course Content
    Case Histories
    Summary
    Chapter Review Questions and Exercises
    Hands-On Projects
    References

Part II Computer Forensics Evidence and Capture

5 Data Recovery
    Data Recovery Defined
    Data Backup and Recovery
    The Role of Backup in Data Recovery
    The Data-Recovery Solution
    Hiding and Recovering Hidden Data
    Case Histories
    Summary
    Chapter Review Questions and Exercises
    Hands-On Projects
    References

6 Evidence Collection and Data Seizure
    Why Collect Evidence?
    Collection Options
    Obstacles
    Types of Evidence
    The Rules of Evidence
    Volatile Evidence
    General Procedure
    Collection and Archiving
    Methods of Collection
    Artifacts
    Collection Steps
    Controlling Contamination: The Chain of Custody
    Reconstructing the Attack
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

7 Duplication and Preservation of Digital Evidence
    Preserving the Digital Crime Scene
    Computer Evidence Processing Steps
    Legal Aspects of Collecting and Preserving Computer Forensic Evidence
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

8 Computer Image Verification and Authentication
    Special Needs of Evidential Authentication
    Practical Considerations
    Practical Implementation
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

Part III Computer Forensics Analysis

9 Discovery of Electronic Evidence
    Electronic Document Discovery: A Powerful New Litigation Tool
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

10 Identification of Data
    Timekeeping
    Forensic Identification and Analysis of Technical Surveillance Devices
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

11 Reconstructing Past Events
    How to Become a Digital Detective
    Useable File Formats
    Unusable File Formats
    Converting Files
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

12 Networks
    Network Forensics Scenario
    A Technical Approach
    Destruction of Email
    Damaging Computer Evidence
    Tools Needed for Intrusion Response to the Destruction of Data
    System Testing
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

Part IV Countermeasures: Information Warfare

13 Fighting Against Macro Threats: Defensive Strategies for Governments and Industry Groups
    Is the U.S. Government Prepared for Information Warfare?
    Are Other Governments Prepared for Information Warfare?
    What Industry Groups Have Done to Prepare for Information Warfare
    Strategic Diplomacy and Information Warfare
    The Role of International Organizations
    The Role of Global Military Alliances
    Marshall Law and Cyberspace
    The Super Cyber Protection Agencies
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

14 The Information Warfare Arsenal and Tactics of the Military
    Overview of Military Tactics
    Offensive Ruinous IW Tools and Tactics
    Offensive Containment IW Tools and Tactics
    Defensive Preventive IW Tools and Tactics
    Defensive Ruinous IW Tools and Tactics
    Defensive Responsive Containment IW Tools and Tactics
    Countering Sustained Terrorist IW Tactics
    Dealing with Random Terrorist IW
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

15 The Information Warfare Arsenal and Tactics of Terrorists and Rogues
    The Terrorist Profile
    Why Terrorists and Rogues Have an Advantage in IW
    The Dark World of the Cyber Underground
    The Criminal Café in Cyberspace
    The Super Computer Literate Terrorist
    The New Security Professionals
    The Middle East Cyberwar
    The New Tools of Terrorism
    Why Tools Are Easy to Get and Use
    Why Nasty People Are So Hard to Track Down and Capture
    The IW Games
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

16 The Information Warfare Arsenal and Tactics of Private Companies
    Surviving Offensive Ruinous IW
    Surviving Offensive Containment IW
    Participating in Defensive Preventive IW Planning
    Benefiting from and Surviving Defensive Ruinous IW
    Benefiting from and Surviving Defensive Responsive Containment IW
    Protection Against Random Terrorist IW Tactics
    What to Do When Terrorists Keep Attacking
    Countering Sustained Rogue IW
    Protection Against Random Rogue IW
    Keeping the Amateur Rogue out of the Cyberhouse
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

17 The Information Warfare Arsenal of the Future
    Weapons of the Future
    The Global Positioning System
    Snoop, Sniff, and Snuff Tools
    Email Wiretaps Like Carnivore Can Steal Sensitive Correspondence
    IW Weapons of the Future
    Nanotechnology
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

18 Surveillance Tools for Information Warfare of the Future
    Monitoring Everything
    Cyber Surveillance
    The Cyber Footprint and Criminal Tracking
    The Implications of Cookies and Integrated Platforms
    Wintel Inside, or How Your Computer Is Watching You
    Data Mining for What?
    The Internet Is Big Brother
    The Wireless Internet: Friend or Foe?
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

19 Civilian Casualties: The Victims and Refugees of Information Warfare
    What the Cyber Masses Have to Lose
    The Destruction of Personal Assets in IWs
    Short- and Long-Term Personal Economic Impact on Cyber Citizens
    The Violation of Privacy During Information Wars
    The Individual Exposed
    Identity Theft
    Monitoring Private Affairs in Cyberspace
    The New Order and State Medical ID Cards
    Big Brother Is Here and Is Staying
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

Part V Advanced Computer Forensics Systems and Future Directions

20 Advanced Computer Forensics
    Advanced Encryption: The Need to Conceal
    Advanced Hacking
    Advanced Tracker Hackers
    The Problems of the Present
    Summary
    Chapter Review Questions and Exercises
    Hands-on Projects
    References

21 Summary, Conclusions, and Recommendations
    Final Word: Computer Forensic Needs and Challenges
    Chapter Review Questions and Exercises
    References

Appendix A Frequently Asked Questions
    What Is Computer Forensics?
    Why Computer Forensics?
    What Is Data Recovery?
    Are There Instances When Data Cannot Be Recovered?

Appendix B Computer Forensics Resources
    General Forensics Resources
    Computer Crime
    File Formats and Extensions
    Cryptography and Steganography

Appendix C Links to Computer Forensics and Related Law Enforcement Web Pages
    Law Enforcement Links
    Organizations
    Mailing Lists
    USDOJ Guidelines for Searching and Seizing Computers
    Computer Forensic and Security Software Available Free of Charge to Law Enforcement Agencies
    Miscellaneous

Appendix D More Computer Forensics Cases
    Case Study 1: Lost Files
    Case Study 2: Corrupted Files
    Case Study 3: Disappearing Files
    Case Study 4: Computer Forensics
    Case Study 5: Forensic Accounting
    Case Study 6: Corporate Investigation into PC Pornography
    Case Study 7: Data Recovery
    Case Study 8: Industrial Espionage
    Case Study 9: Family Members Bolt
    Case Study 10: Former Employer
    Case Study 11: Goods Left to Rot
    Case Study 12: Managers Start New Company
    Case Study 13: Family Member Steals Clients
    Case Study 14: Erased Email
    Case Study 15: Bank Suspects
    Case Study 16: Former Managers
    Case Study 17: Former Catalog Designers
    Case Study 18: Model Pursued
    Case Study 19: Encrypted Mail
    Case Study 20: Two Attorneys Can’t Speak Civilly
    Case Study 21: Big Real Estate Deal
    Case Study 22: Doctor Accused
    Case Study 23: Former Employee Claims
    Case Study 24: Ex-Partner Claims
    Case Study 25: Former Manager

Appendix E Answers to Review Questions and Exercises, Hands-on Projects, Case Projects, and Optional Team Case Projects by Chapter

Appendix F Checklists by Chapter

Appendix G About the CD-ROM

Appendix H Glossary of Terms and Acronyms

Index

Acknowledgments

There are many people whose efforts on this book have contributed to its successful completion. I owe each a debt of gratitude and want to take this opportunity to offer my sincere thanks.

A very special thanks to my publisher, David Pallai, without whose initial interest and support this book would not have been possible, for his guidance and encouragement over and above the business of being a publisher. Thanks also to Bryan Davidson, Ania Wieckowski, and Jennifer Blaney of Charles River Media, whose many talents and skills are essential to a finished book. Thanks to my copyeditor, Ruth Saavedra, whose fine editorial work has been invaluable. Thanks also to my marketing manager, Meg Dunkerley, whose efforts on this book have been greatly appreciated. Finally, a special thanks to Michael Erbschloe, who wrote the Foreword for this book.

Thanks to my wife, Bee Vacca, for her love, her help, and her understanding of my long work hours.

Finally, I wish to thank the organizations and individuals who granted me permission to use the research material and information necessary for the completion of this book.


Foreword

Computer crime and computer-supported criminal activities are booming businesses. Criminals, fraudsters, and terrorists seem to strike whenever there is an opportunity. In January of 2005 the FBI alerted the public to a variety of scams being facilitated online involving the solicitation of additional relief funds for the victims of the recent tsunami disaster. The FBI, through the Internet Crime Complaint Center (IC3), had received reports of Web sites being established purportedly to assist with collection and relief efforts. Complaints identified several schemes that involved both unsolicited incoming emails (SPAM), as well as reports of responses to posted email addresses, to assist for a fee in locating loved ones who may have been victims of the disaster. A fraudulent relief donation Web site has also been detected containing an embedded Trojan exploit which can infect the user’s computer with a virus if accessed.

There have been several major inter-agency computer crime investigations conducted during the last several years including WEB-SNARE, which, on August 26, 2004, was characterized by the Attorney General as the most successful cyber crime initiative to date. In WEB-SNARE, more than 150 investigations were successfully advanced, in which more than 150,000 victims lost more than $215 million. This initiative included 150 subjects who were charged, and the execution of 170 search and/or seizure warrants. Many of the investigations included in WEB-SNARE could potentially be characterized as Identity Theft, or related to Identity Theft.

Prior to WEB-SNARE, the IC3 coordinated the development and execution of Operations E-Con and Cyber Sweep with our law enforcement and industry partners. In those initiatives, more than 200 investigations were coordinated among the various law enforcement agencies, resulting in arrests and/or charges of more than 250 individuals for engaging in a variety of cyber crimes including Identity Theft.

The FBI has also observed a continuing increase in both volume and potential impact of cyber crime with significant international elements. Identifying such trends, as well as formulating an aggressive and proactive counter-attack strategy, remains a fundamental objective of the FBI’s Cyber Division. In a growing number of cases, Eastern European subjects solicit victims through job postings, email solicitations, and chat-rooms to provide detailed personal information. Once that information is obtained, they use their identities to post auctions on well-known auction sites. Funds obtained through the auction are transferred through several shell accounts, both in the U.S. and abroad, and the items sold are never delivered.

In one FBI investigation initiated in 1999, the computer network of a now defunct software e-commerce company was compromised, and credit card information for approximately eight million accounts was obtained by the hackers. The compromised e-commerce company was contacted via email by the hackers who demanded money to keep them from publicly posting the obtained information on the Internet. The FBI became aware of this crime when numerous field offices received complaints from citizens who were all incorrectly charged for similar small amounts on their credit card statements. Through investigative efforts, these complaints were all linked to the hacking of the e-commerce company's system. This case has expanded into a major FBI initiative in which field offices across the country have opened approximately 50 spin-off investigations in the network compromise and extortion of over 100 United States banks and e-commerce providers by Eastern European hacking groups.

Computer crimes are impacting society in numerous ways and there is a lot of work for the good guys. Computer forensics is one of the largest growth professions of the twenty-first century. The soaring increase in the number of Internet users combined with the constant computerization of business processes has created new opportunities for computer criminals and terrorists. Study after study has consistently revealed that cyber attacks, hacking, and computer-based criminal activities are costing businesses and government organizations billions of dollars each year.

We need to train at least 100,000 more computer crime fighters in order to stem the global tide of computer attacks. Many computer professionals have asked me how they can get started in security and crime-fighting careers. My response has constantly been learn, study, train, and move forward. Computer Forensics, by John Vacca, is an excellent place to start establishing the required knowledge base to move into this fascinating new career field.

Computer Forensics is an excellent book for trained law enforcement personnel who desire to learn more about investigating and fighting computer crimes. Computer Forensics is also an excellent book for computer professionals who want to move into the rapidly growing security field and who are considering shifting their career focus to law enforcement and criminal investigation.

It is also important that computer security personnel expand their understanding of forensic processes and keep their understanding of investigative and prevention procedures up to date. Computer Forensics is an excellent book for all levels of computer security personnel to further their professional development.

John Vacca has made an excellent contribution to the computer forensics field. I highly recommend Computer Forensics and congratulate John Vacca on a job extremely well done.

Michael Erbschloe
Security Consultant and Author
St. Louis, Missouri


Introduction

Cyber criminals are wreaking havoc on computer systems and are capturing front-page headlines in the bargain. It has made little difference that the Bush administration pledged billions in additional federal funding to combat security breaches after the 9-11 terrorist attacks. The problem just keeps getting worse.

Fortunately, the computer security field is also progressing at a brisk rate. In particular, the field of computer forensics brings new ways of preserving and analyzing evidence related to cyber crime.

GROWING PROBLEM

The numbers are chilling. According to a recent industry survey, 94% of the survey respondents detected cyberattacks on their companies, and 617 organizations reported $609,923,384 in financial losses.

So what’s going on? It doesn’t take a computer engineer or computer scientist to learn hacking fundamentals. After spending a few nights on the Internet, high school students discover they can master hacking fundamentals by simply downloading software. Corporations and the federal government are just beginning to realize that securing their computer networks is critical. Equally frightening is that our national security has already been compromised. Colleges have finally started to offer courses and concentrations in computer security and forensics, but it remains difficult to find degree programs in these disciplines.

COMPUTER FORENSICS

Computer forensics involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information. The fascinating part of the science is that the computer evidence is often transparently created by the computer’s operating system without the knowledge of the computer operator. The information may actually be hidden from view. To find it, special forensic software tools and techniques are required.

Emerging Field–But a Shortage of Experts

Most law enforcement agencies, especially those in large cities, are understaffed when it comes to having trained computer forensics experts. Industry, on the other hand, has been taking computer forensics seriously for several years. Sadly, it took a number of embarrassing computer break-ins by teenage hackers to put the spotlight on it. The problem is, industry doesn’t know which computer forensics issues to focus on.

The biggest issue surrounding the computer forensics conundrum is a shortage of technologists who have a working knowledge of computer forensics. Academics are teaching the subjects, but most lack real-world experience, which is critical when training students. Also, many academics are not current with forensics trends and tools.

Times Are Changing

There’s an old saying, “If you wait long enough, it’s bound to change.” The same can be said for computer forensics training. Not only will more techies be concentrating on computer forensics, but also attorneys and judges will be taking courses in the subject. Learning forensics basics will help attorneys especially to determine the kinds of evidence that can be found by probing a computer’s operating system and what techniques can be used to legally obtain it.

On the academic front, full-fledged degree tracks in computer forensics are being developed. Certification programs already exist.

Where are the jobs? Government agencies, such as the Department of Defense, FBI, CIA, NSA, and U.S. Postal Service need computer forensics specialists. State and local law enforcement departments are also hiring computer forensics specialists. On the corporate front, all companies (especially large and mid-size ones with a Web presence) will have serious computer forensics needs. Job titles differ, but, typically, these positions are advertised as junior computer forensics analysts for entry-level jobs and senior computer forensics analysts if you have a few years of experience in the field.

PURPOSE

The purpose of this book is to show experienced (intermediate to advanced) computer forensics, security, and law enforcement professionals how to analyze and conduct a computer forensics examination and report the findings that will lead to the incarceration of the perpetrators. This book also provides the fundamental knowledge you need to analyze risks to your system and implement a workable security and forensics policy that protects your information assets from potential intrusion, damage, or theft. Through extensive hands-on examples (field and trial experiments) and case studies, you will gain the knowledge and skills required to master the deployment of information warfare countermeasures to thwart potential attacks.

SCOPE

Throughout the book, extensive hands-on examples presented at the end of each chapter in the form of exercises, case studies, projects, and checklists (located in Appendix F), will provide you with practical experience in computer forensics evidence capture, analysis, and reporting, as well as information warfare countermeasures and future directions. In addition to advanced computer forensics technology considerations in commercial organizations and governments, the book addresses, but is not limited to, the following line items as part of the discovery of electronic evidence:

The CD-ROM that accompanies this book contains the latest and best computer forensics software tools and documentation.

You will learn how to analyze your exposure to security threats and protect your organization’s systems and data; manage risks emanating from inside the organization and from the Internet and extranets; protect network users from hostile applications and viruses; reduce your susceptibility to an attack by deploying firewalls, data encryption, decryption, and other information warfare countermeasures; and identify the security risks that need to be addressed in security and computer forensics policy.

Chapters on how to gain practical experience in analyzing the security risks and information warfare countermeasures that need to be addressed in your organization also include maintaining strong authentication and authenticity, preventing eavesdropping, retaining integrity of information, evaluating the strength of user passwords, selecting a firewall topology, and evaluating computer and hacker ethics.

This book leaves little doubt that the new and emerging field of computer forensics is about to evolve. This new area of knowledge is now being researched, organized, and taught. No question, this book will benefit organizations and governments, as well as their computer forensics and security professionals.

TARGET AUDIENCE

With regard to computer forensics, the book is primarily targeted at those in government and law enforcement who require the fundamental skills to develop and implement security schemes designed to protect their organizations’ information from attacks, including managers, network and systems administrators, technical staff, and support personnel. This also includes those involved in securing Web sites, including Web developers, Webmasters, and systems, network, and security administrators.

ORGANIZATION OF THIS BOOK

This book is organized into six parts, including the appendixes (which include a glossary of computer forensic and information warfare terms).

Part I: Overview of Computer Forensics Technology

Part I discusses computer forensics fundamentals, types of computer forensics technology, types of computer forensics systems, and vendor and computer forensics services.

Chapter 1, Computer Forensics Fundamentals, provides an overview of computer forensics types and techniques and their electronic evidence and capture.

Chapter 2, Types of Computer Forensics Technology, covers the basic issues dealing with Windows NT, Windows XP, and 2003, and their use within law enforcement computer forensic technology. In other words, it covers security and computer evidence issues associated with Windows NT, Windows XP, and 2003.

Chapter 3, Types of Computer Forensics Systems, covers different types of computer forensics systems and identifies crucial questions for corporate planning in support of computer forensics. Answering the que
