Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, 2nd Edition

CYBER FORENSICS

A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes

Second Edition

Albert J. Marcella, Jr.
Doug Menendez

Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
New York London

© 2008 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-13: 978-0-8493-8328-1 (Hardcover)

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

  

No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC) 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

  Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

  

Library of Congress Cataloging-in-Publication Data

Cyber forensics : a field manual for collecting, examining, and preserving evidence of computer crimes / Albert J. Marcella and Doug Menendez. -- 2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-8493-8328-1 (alk. paper)
HV8079.C65C93 2008
363.25’968--dc22 2007029431

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com

Disclaimer

As always with any book of this nature, here is the disclaimer …

The information contained within this book is intended to be used as a reference and not as an endorsement, of the included providers, vendors, and informational resources. Reference herein to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by the authors or the publisher.

As such, users of this information are advised and encouraged to confirm specific claims for product performance as necessary and appropriate. The legal or financial materials and information that are available for reference through this book are not intended as a substitute for legal or financial advice and representation obtained through legal or financial counsel. It is advisable to seek the advice and representation of legal or financial counsel as may be appropriate for any matters to which the legal or financial materials and information may pertain.

Web sites included in this book are intended to provide current and accurate information; neither the authors, publisher, nor any of its employees, agencies, and officers can warranty the information contained on the sites and shall not be held liable for any losses caused on the reliance of information provided. Relying on information contained on these sites is done at one’s own risk. Use of such information is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness.

Throughout this book, reference “links” to other Internet addresses have been included. Such external Internet addresses contain information created, published, maintained, or otherwise posted by institutions or organizations independent of the authors and the publisher. The authors and the publisher do not endorse, approve, certify, or control these external Internet addresses and do not guarantee the accuracy, completeness, efficacy, timeliness, or correct sequencing of information located at such addresses. Use of such information is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness.

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the authors, publisher, reviewers,

Dedication

Given that a dedication’s main objective is to honor the person, place, or event to which the author has a deep emotional connection, this book is dedicated to my family, which has had such a profound effect on my life in so many wonderful, beautiful ways.

Searching for the words to capture the emotions, the feelings, I have borrowed from universal proverbs, from cultures rich and varied, young and ancient. Proverbs, which speak from the heart, which speak words of truth and thought.

In the years to come, always know that Kristina, Erienne, Andy and Diane, you have always been my greatest source of inspiration, pride, joy and love.

Kristina
There is nothing noble in being superior to some other person. The true nobility is in being superior to your previous self.

Erienne
You already possess everything necessary to become great.

Andy
When you were born, you cried and the world rejoiced. Live your life so that when you die, the world cries and you rejoice.

Diane
All the flowers of all our tomorrows are in the seeds of today. Thank you for all the beauty that you have sown.

We will be known forever by the tracks we leave.
The Dakota

Al Marcella

Dedication

Thanks to my family: Marcene, Emily and Matt, for their love and support throughout this project. Also, thanks to Al Marcella for the opportunity to co-author this book and for his friendship over the years.

Douglas A. Menendez

Contents

Foreword ... xxi
Acknowledgments ... xxiii
About the Authors ... xxvii

Chapter 1 Introduction ... 1
  Technology Abuses Affecting Corporate and Personal Securities ... 2
  Defining Cyber Forensics ... 4
  Working Definitions for the Advancement of the Profession ... 5
  Cyber Forensic Investigation Process ... 5
  Illegal Activities Warranting Cyber Forensic Investigation ... 6
  Cyber Forensics: Thwarting Corporate Risk ... 7
  Trends: The Increasing Need for Proactive Cyber Forensic Investigative Abilities ... 8
  Evidence: Separating the Wheat from the Chaff ... 11
  Who Should Be Aware of or Knowledgeable of Cyber Forensics? ... 13
  Why Employ Cyber Forensic Analysis? ... 14
  Driving Force behind Implementing Corporate Cyber Forensic Capabilities ... 15
  Sarbanes–Oxley Act of 2002 (SoX) ... 15
  Gramm–Leach–Bliley Act (GLBA) ... 16
  California Security Breach Information Act (SB 1386) ... 17
  Health Insurance Portability and Accountability Act (HIPAA) of 1996 ... 17
  Basel II Capital Accord ... 18
  USA PATRIOT and Terrorism Prevention Reauthorization

  xii Contents

  No Electronic Theft (“NET”) Act ... 19
  Economic Espionage Act ... 19
  Rounding Out the Field ... 19
  Child Pornography Prevention Act (2005) ... 20
  Local Law Enforcement Hate Crimes Prevention Act (2001) ... 20
  Computer Fraud and Abuse Act (2001) ... 20
  Digital Millennium Copyright Act (1998) ... 21
  Identity Theft and Assumption Deterrence Act (1998) ... 21
  Children’s Online Protection Act (1998) ... 21
  Wire Fraud Act (1997) ... 21
  National Information Infrastructure Protection Act (1996) ... 21
  Computer Security Act (1987) ... 21
  Electronic Communication Privacy Act (1986) ... 21
  Auditing vs. Cyber Forensic Investigation ... 22
  Summary ... 24
  References ... 25

Chapter 2 Cyber Forensic Tools and Utilities ... 27
  Introduction ... 27
  Examining a Breadth of Products ... 28
  Cyber Forensic Tools ... 28
  Good, Better, Best: What’s the Right Incident Response Tool for Your Organization? ... 29
  Tool Review ... 31
  Coroner’s Toolkit ... 32
  EnCase Forensic ... 33
  Forensic Toolkit ... 34
  i2 Analyst’s Notebook ... 35
  LogLogic’s LX 2000 ... 36
  Mandiant First Response ... 37
  NetWitness ... 38
  ProDiscover Incident Response ... 40
  Sleuth Kit and Autopsy Browser ... 41
  Best Buy or Recommended ... 42
  Additional Tools for the Investigator’s Tool Bag ... 42
  ComputerCOP (www.computercop.com) ... 42
  Mares and Company (www.dmares.com) ... 44
  New Technologies, Inc. (NTI) ... 45
  Computer Incident Response Suite (www.forensics-intl.com) ... 45
  Web Sites for Additional Forensic Tool Information and Products ... 46
  Final Note ... 47
  Postscript ... 48
  Reference ... 48

  

Chapter 3 Concealment Techniques ... 49


  Types of Cryptographic Algorithms ... 51
  Secret Key Cryptography ... 52
  Public-Key Cryptography ... 55
  Hash Functions ... 56
  Cryptography: The Untold Story ... 57
  Spoofing ... 58
  Internet Protocol ... 58
  Transmission Control Protocol ... 58
  Hijacked Session Attacks ... 59
  Polymorphism ... 60
  Steganography ... 61
  Reversing the Steganographic Process ... 62
  Counter- or Anti-Forensics ... 64
  Anti-Forensics: A View from the Edge ... 67
  Windows XP Command Line Program Cipher ... 72
  Cloaking Techniques: Data Hide and Seek ... 72
  Swap Files ... 72
  File Slack ... 73
  Renaming Files ... 74
  File Name Modification ... 74
  Playing with Attributes–Hiding Files in Plain Sight ... 79
  Ghosting ... 81
  Compressed Files ... 82
  Manipulating File Systems ... 87
  File Allocation Table ... 87
  NTFS File System ... 88
  File Storage Hardware and Disk Organization ... 89
  Sectors and Clusters ... 90
  Slack Space—Forensic Nirvana ... 90
  Hiding Data in Filesystem Slack Space with Bmap ... 92
  Data Hiding on NTFS with Alternate Data Streams ... 93
  Additional Ways in Which Data May Be Concealed from Investigators ... 93
  Host-Protected Areas and Disk Configuration Overlay ... 94
  Hiding in File or Slack Space ... 94
  Wiping Tools (aka Destroying Data) ... 94
  More on Data Wiping Tools ... 95
  Rootkits ... 95
  Forensic Eavesdropping: Analyzing Voice Over IP ... 97
  Making Sure Security Logs Exhibit Accurate Time with NTP ... 102
  Find the Time ... 103
  Coordinate the Time ... 103
  Make the Time Secure ... 104
  Making Time ... 104
  Synchronize a Cisco Router’s Clock with Network Time Protocol ... 105


  Hooking ... 108
  API Hooking ... 109
  IAT Hooking ... 109
  Inline Hooking (aka Detouring—aka Jmp Hooking) ... 109
  Direct Kernel Object Manipulation ... 109
  Hash Collisions ... 110
  Social Engineering ... 111
  Summary ... 112
  Web Sites ... 113
  References ... 113
  Bibliography ... 116

  

Chapter 4 Hardware: Model System Platforms ... 117
  Introduction ... 117
  Computers ... 117
  Power Supply ... 121
  Hard Drive ... 122
  Motherboard ... 125
  Laptops ... 126
  Tablets ... 131
  External Storage ... 131
  Servers ... 134
  iPods ... 135
  PDAs ... 136
  Summary ... 141

Chapter 5 Software: Operating Systems, Network Traffic, and Applications ... 143
  Introduction ... 143
  National Institute of Standards and Technology (NIST) ... 144
  Using Data from Operating Systems ... 144
  Operating System Basics ... 144
  Non-Volatile Data ... 145
  Basic Input or Output System (BIOS) ... 146
  Volatile Data ... 147
  Collecting Operating System Data ... 148
  Collecting Volatile Operating System Data ... 148
  Types of Volatile Operating System Data ... 149
  Prioritizing Data Collection ... 150
  Collecting Non-Volatile Operating System Data ... 151
  Examining and Analyzing Operating System Data ... 154
  Recommendations for Using Data from Operating Systems ... 154
  Using Data from Network Traffic ... 155
  TCP or IP Basics ... 155
  Layers’ Significance in Network Forensics ... 156


  Intrusion Detection Systems (IDS) ... 158
  Remote Access ... 158
  Security Event Management Software ... 159
  Network Forensic Analysis Tools ... 159
  Other Sources ... 160
  Collecting Network Traffic Data ... 160
  Examining and Analyzing Network Traffic Data ... 161
  Identify an Event of Interest ... 161
  Examine Data Sources ... 162
  Data Source Value ... 163
  Examination and Analysis Tools ... 165
  Draw Conclusions ... 166
  Attacker Identification ... 166
  Recommendations for Using Data from Network Traffic ... 168
  Using Data from Applications ... 169
  Application Components ... 169
  Configuration Settings ... 169
  Authentication ... 170
  Logs ... 171
  Data ... 171
  Supporting Files ... 172
  Types of Applications ... 172
  E-Mail ... 173
  Web Usage ... 173
  Interactive Communications ... 174
  Document Usage ... 175
  Security Applications ... 175
  Data Concealment Tools ... 175
  Collecting Application Data ... 176
  Examining and Analyzing Application Data ... 177
  Recommendations for Using Data from Applications ... 177
  Conclusion ... 177
  Reference ... 178

Chapter 6 Standard Operating Procedures: Digital Forensic Laboratory Accreditation Standards ... 179
  Introduction ... 179
  Digital Forensic Laboratory Accreditation Standards ... 180
  Grading Criteria ... 180
  Standard Operating Procedures Checklist ... 180
  Laboratory Manager Checklist ... 181
  Digital Forensic Examiner Checklist ... 182
  Technician or Assistant Checklist ... 183
  Budget Checklist ... 184


  Equipment Checklist ... 188
  Health and Safety Checklist ... 189
  Laboratory Facilities Checklist ... 189
  Conclusion ... 191

Chapter 7 Performing a Cyber Forensic Investigation: Flowchart for the Seizure of Electronic Evidence and Associated Internal Control Questionnaires ... 193
  Introduction ... 193
  Charting Your Way through an Investigation ... 193
  What Is an Internal Control? ... 195
  Cyber Forensic Investigation and Internal Auditing ... 195
  Internal Control Questionnaire (ICQ) ... 196
  Cyber Crime: Incident Response and Digital Forensics—Internal Control Questionnaire ... 196
  Purpose ... 196
  General Incident Response Questionnaire ... 197
  Specific Incident Response Questionnaire ... 199
  Intrusion Incident Response Questionnaire ... 200
  Denial-of-Service Incident Response Questionnaire ... 200
  Malicious Code Incident Response Questionnaire ... 200
  Malicious Communication Incident Response Questionnaire ... 215
  Misuse of Resources Incident Response Questionnaire ... 219
  Virus-Related Incident Questionnaire ... 223
  Virus Reporting Questionnaire ... 223
  Virus Discovered on Network Server ... 223
  Virus Detected on Workstations ... 224
  Organizational Questionnaire ... 225
  Post-Incident Questionnaire ... 227
  Additional Questions ... 228
  Acknowledgment ... 228
  References ... 229

  

Chapter 8 Privacy and Cyber Forensics: An Australian Perspective . . . . . 231

Introduction .... 231
Law Relating to Privacy .... 232
Common Law Privacy .... 232
Australian Broadcasting Corporation (ABC) vs. Lenah Game Meats Pty Ltd .... 232
Privacy: Legislative Intervention .... 233
Law Relating to Access to Private Information .... 234
Access to Government-Held Information by Governments .... 235
Access to Non-Government Information by the Private Sector .... 236
Legal Liability for Mistakes .... 238
Conclusion .... 239


Chapter 9 Forensic Black Bag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Introduction .... 241
Packing for Success .... 241
What’s in Your Bag? .... 242
Laptop to IDE Hard Drive Adapter .... 242
Adaptec SCSI Card 29160 .... 242
Small Computer System Interface (SCSI) Adapter .... 244
AEC-7720WP Ultra Wide SCSI-to-IDE Bridge, with Write Blocked Function .... 244
Devices Compatibility List .... 245
FireFly IDE and FireFly SATA .... 245
FireFly SATA .... 245
FireFly Read or Write .... 246
IDE Adapter .... 246
Serial ATA (AT Bus Attachment)-to-IDE Drive Converter .... 247
Additional Miscellaneous and Crucial Supplies or Tools .... 247
ADP31 Adaptor SCSI 3 to SCSI 1 .... 249
ADP32 Adaptor SCSI 3 to High Density .... 249
Fastbloc Unit Blocker .... 250
Logicube .... 250
Ultra Block Portable Device .... 250
Xbox 360 Adapters and Kit .... 252
Software .... 252
Conclusion .... 253

Chapter 10 Digital Multifunctional Devices: Forensic Value and Corporate Exposure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Introduction .... 255
Assessment of Products .... 255
Data Security and Latent Electronic Evidence .... 257
Issues and Concerns .... 259
Technical Stuff .... 260
How the Process Works .... 261
Forensic Application .... 261
Enter the MFD .... 262
Examination Process .... 262
Step-by-Step Look at Examining an MFD’s Hard Drive .... 263
There Are No Absolutes .... 263
Summary .... 264
Acknowledgments .... 264
References .... 264

  

Chapter 11 Cyber Forensics and the Law: Legal Considerations . . . . . . . . 267

Introduction .... 267
Objectives .... 267
Cyber Forensics Defined .... 268


Digital Forensics Complexity Problem .... 269
Proliferation of Digital Evidence .... 270
Slack Space .... 271
RAM Slack .... 271
Drive Slack .... 271
Swap File .... 272
From Frye to FER .... 272
Article IV Relevancy and Its Limits .... 273
Authentication .... 273
Best Evidence Rule .... 274
Article VII Opinions and Expert Testimony .... 274
Daubert Test for Reliability .... 276
Daubert Factors .... 276
Searching and Seizing Computers .... 277
Junk Science Attack .... 277
Chain of Custody .... 279
Discredit the Witness (aka Refute the Cyber Forensic Expert) .... 280
Outline of an Investigation .... 282
Obtaining Proper Authorization .... 283
Who Are You Going to Call? .... 285
Secure the Scene of the Alleged E-Crime .... 286
Seizing Evidence .... 286
Chain of Evidence .... 288
Chain-of-Evidence Model .... 289
Seizing a Computer .... 290
Pros and Cons of Pulling the Plug .... 291
Conclusion .... 293
References .... 293

Chapter 12 Cyber Forensics and the Changing Face of Investigating Criminal Behavior . . . . . . . . . . . . . . . . . . . . . 297

Introduction .... 297
Evidence in the 21st Century .... 298
Cyber Crime Defined .... 299
Economic Aspects of Cyber Forensics .... 300
Practical Issues .... 301
Competence .... 302
Targeted Prosecutions .... 304
Planning for and Prosecuting Cyber Crime .... 304
Cooperative Efforts .... 305
Recommendations .... 306
Conclusion .... 308
References .... 309

Chapter 13 Electronically Stored Information and Cyber Forensics . . . . . 311


Federal Rules of Civil Procedure: December 1, 2006 .... 313
Ready or Not … It’s the Law .... 315
Cost Shifting .... 316
How Likely Are You to Face a Need to Produce ESI? .... 316
What Is Document Management Anyway? .... 318
Document Management: The Basics .... 319
Hold Everything—or Not! .... 320
Safe Harbor .... 320
Planning a Shredding Party? .... 321
Document Management—Flavor of the Month .... 322
Paying Special Attention to Daily Document Flow .... 322
Establishing a Proactive Document Management Program .... 323
Effects of FRCP Amendments on Organizational IT Policies and Practices .... 324
Assessing Corporate Readiness: Are You Prepared for E-Discovery? .... 325
Remember … “It Is Not Going to Be If But, When!!” .... 328
References .... 328

  

Chapter 14 Cyber Forensic Awareness: Management Survey . . . . . . . . . . . 331