Computer Forensics: Incident Response Essentials

Paperback (Print)
Buy New
Buy New from
Used and New from Other Sellers
Used and New from Other Sellers
from $1.99
Usually ships in 1-2 business days
(Save 96%)
Other sellers (Paperback)
  • All (23) from $1.99   
  • New (8) from $18.39   
  • Used (15) from $1.99   


Every computer crime leaves tracks—you just have to know where to find them. This book shows you how to collect and analyze the digital evidence left behind in a digital crime scene.

Computers have always been susceptible to unwanted intrusions, but as the sophistication of computer technology increases so does the need to anticipate, and safeguard against, a corresponding rise in computer-related criminal activity.

Computer forensics, the newest branch of computer security, focuses on the aftermath of a computer security incident. The goal of computer forensics is to conduct a structured investigation to determine exactly what happened, who was responsible, and to perform the investigation in such a way that the results are useful in a criminal proceeding.

Written by two experts in digital investigation, Computer Forensics provides extensive information on how to handle the computer as evidence. Kruse and Heiser walk the reader through the complete forensics process—from the initial collection of evidence through the final report. Topics include an overview of the forensic relevance of encryption, the examination of digital evidence for clues, and the most effective way to present your evidence and conclusions in court. Unique forensic issues associated with both the Unix and the Windows NT/2000 operating systems are thoroughly covered.

This book provides a detailed methodology for collecting, preserving, and effectively using evidence by addressing the three A's of computer forensics:

  • Acquire the evidence without altering or damaging the original data.
  • Authenticate that your recorded evidence is the same as the original seized data.
  • Analyze the data without modifying the recovered data.

Computer Forensics is written for everyone who is responsible for investigating digital criminal incidents or who may be interested in the techniques that such investigators use. It is equally helpful to those investigating hacked web servers, and those who are investigating the source of illegal pornography.


Read More Show Less

Product Details

  • ISBN-13: 9780201707199
  • Publisher: Addison-Wesley
  • Publication date: 10/28/2001
  • Pages: 416
  • Product dimensions: 7.40 (w) x 9.10 (h) x 0.87 (d)

Meet the Author


Read More Show Less

Read an Excerpt

Chapter: 2 Tracking an Offender

In this age of pervasive connectivity, it is unrealistic to expect cyber crime incidents to be isolated to a single system. Like characters in a William Gibson novel, cyber sleuths often have to track offenders across the digital matrix. While the techniques of network forensics are still largely undeveloped, it would be a disservice to devote an entire book to computer forensics without any discussion of Internet methods that you can use to find leads to suspect computers.

When tracking cyber offenders across the Internet, you use many of the same software tools that system and network administrators use to monitor and test network connectivity. Many of these programs are included in modern operating systems, and you may already be familiar with them. Even if you are already comfortable with the tools we discuss in this chapter, you may not have considered their use during an investigation. Unfortunately, many of our most common Internet application protocols make no provisions for strongly authenticating the transmitter of a communication. Services like email and Usenet are based on simple textbased initiation protocols and basically use the honor system. This complicates investigations because you cannot necessarily trust the identification information contained within Internet messages. The better you understand the underlying protocols and processes, the better you can evaluate the validity of the names and Internet addresses associated with Internet communications.

Internet Fundamentals

This book is intended to be an introduction to computer investigations, not to TCP/IP. If you want to be an effective network tracker, you need a thorough understanding of the Internet protocol suite. Many books are available on this subject. W. Richard Stevens' three-volume set, TCP/IP Illustrated, published by Addison-Wesley (1993, 1995, 1996), is considered one of the definitive references. The more comprehensive and detailed your understanding of Internet technology, the greater your skill at investigating network-enabled crime.

The Internet and many private networks run a set of protocols commonly referred to as TCP/IP, which stands for Transmission Control Protocol/ Internet Protocol. The label "TCP/IP" is a convenient abbreviation for a set of related network protocols, the development of which effectively started in the late 1960s and is ongoing today. More precisely referred to as "the Internet protocol suite," it is a set of communication conventions that a device must implement in order to participate on the Internet. TCP/IP is not specific to any operating system, programming language, or network hardware. It is an equal opportunity set of standards that enables Macs, Windows, Unix, routers, switches, and a variety of mainframe environments to communicate with each other. It is not specific to network topology, meaning that Ethernet, token ring, and wireless networks can also interoperate. This universal interoperability is a prerequisite to both modern computer crime and investigations.

Plenty of books and essays exhaustively discuss the Open Systems Interconnection (OSI) seven-layer Network Reference model, so we won't spend a great deal of time on it. The model is illustrated in Figure 2-1. The original seven-layer model was conceived as an abstraction that didn't apply to any currently existing technology— especially not the burgeoning suite of Internet protocols—and the exact labeling of Internet services and protocols within this model continues to be a matter of tremendous debate (especially the session and presentation layers). But it is a debate of no consequence because after all, the Internet still functions whatever abstract labels are assigned to its protocols. The important lesson to learn from this model is that certain infrastructural services provide the foundation for the actual file sharing and distributed applications that are the reason the network exists in the first place. These services are stacked on top of each other like Lego building blocks. Its relevance to forensic investigations is that you cannot interpret evidence without understanding its place within the hierarchy of stacked services. Let's look at a concrete example to see how this layering works.

You might not have realized that when you send and receive email, you are dealing with three different addresses, each within a different network layer. Every network interface has a unique hardware address burned into it at the factory. This address is called the MAC (media access control) address. (We discuss an unusual use Microsoft makes of this address in Chapter 8.) This address enables all of the devices on a LAN segment—those devices that can see each other's network traffic— to refer to each other. At the network layer, devices recognize traffic intended for themselves on the basis of the MAC addresses incorporated within the chunks of data on the network, which are called packets. It is entirely impractical for every device on the Internet to refer to devices outside of their LAN segment by this hardware address, so when a computer joins the Internet, it has a numeric IP address assigned to it. An IP address is usually written as a series of four numbers in the range 0–255, separated by dots, such as

Certain IP addresses, or ranges of addresses, are reserved for special purposes. For example, IP addresses that end with 0 denote a network address, such as An IP address that ends with 255 denotes a broadcast address, such as "Private addresses" in the to range may be used on internal networks. These addresses "are intended for intra-enterprise communications, without any intention to ever directly connect to other enterprises or the Internet itself."1 When tracking offenders, if you locate an address within this range, don't pack your bags for California (the location of the Internet Assigned Numbers Authority2 ); you have to determine the suspects' external IP address to locate them.

An Internet address actually contains two parts. The network portion is unique among all the networks interconnected to the LAN segment (which often means the entire Internet), and the host section is unique among all the devices using the same network portion. The effect is that all IP addresses on the Internet are both unique and identifiable as being within a specific network. Private networks use addressing that is unique within their networks, but any two private networks can use the same "address space" as long as they are not interconnected to each other.

The uniqueness of addresses and the distinction between network and host portions of the address make it practical for routers to know where to route to. Entire books have been written about routing. For our simplified purposes, routers are devices that automatically forward your data packets to another network when the destination is not your network. Routers base their decision on where to forward your packet on current conditions and their programmed instructions—routers do whatever is most expedient, which means that the route between any two points can change. This is completely different from the Public Switched Telephone Network (PSTN). When you make a telephone call, the switches within the PSTN sequentially establish a circuit from end to end, and it is maintained throughout the duration of the call. On the Internet, it may often seem as if you are using a circuit, but the actual path taken by each individual packet is dependent upon the whims of the intermediate routers.

The network part of an Internet address is assigned by the Internet Assigned Numbers Authority (IANA) to each network owner, and the host part is assigned to individual hosts and devices by the network owner. The network may be run by an organization (business or government agency), or it may be run by an Internet service provider (ISP) to provide Internet access to its customers. In the latter case, the IP addresses may be used by individuals or multiple organizations. Because IP addresses are used for routing, when a device is moved to a new network, it often requires a new address.

IP address can be statically or dynamically assigned. Computers that are assigned a static IP address always use the same IP address until it is manually changed to a new address, which is becoming increasingly less convenient in a time of constant reorganizations and mobile computers. Dynamic addresses are automatically assigned to a computer when it registers itself on a network using a protocol called Dynamic Host Configuration Protocol (DHCP) or Windows Internet Naming Service (WINS), a Microsoft protocol that is rapidly becoming obsolete. For network administrators, DHCP neatly solves the tedium and confusion of manually assigning constantly moving Internet devices. Virtually all ISPs use DHCP to assign addresses to their dial-up customers, and many permanently connected home users have dynamically assigned addresses that can change whenever their cable modems are powered off and on. Use of DHCP is definitely on the increase, but unfortunately, DHCP makes detective work a little more difficult....

1. From RFC 1918. (For more information on private addresses, see


Read More Show Less

Table of Contents



1. Introduction to Computer Forensics.

2. Tracking an Offender.

3. The Basics of Hard Drives and Storage.

4. Encryption and Forensics.

5. Data Hiding.

6. Hostile Code.

7. Your Electronic Toolkit.

8. Investigating Windows Computers.

9. Introduction to Unix for Forensic Examiners.

10. Compromising a Unix Host.

11. Investigating a Unix Host.

12. Introduction to the Criminal Justice System.

13. Conclusion.

Appendix A. Internet Data Center Response Plan.

Appendix B. Incident Response Triage Questionnaire.

Appendix C. How to Become a Unix Guru.

Appendix D. Exporting a Windows 2000 Personal Certificate.

Appendix E. How to Crowbar Unix Hosts.

Appendix F. Creating a Linux Boot CD.

Appendix G. Contents of a Forensic CD.

Annotated Bibliography.

Index. 0201707195T09182001

Read More Show Less



Billions of dollars are lost annually to crime, and computers are increasingly involved. It is clear that law enforcement agencies need to investigate digital evidence, but does it make sense to encourage a bunch of computer administrators to become junior g-men? Do we really need amateur digital sleuths? In a word, yes. Bad things are happening on computers and to computers, and the organizations responsible for these computers have a need to find out what exactly happened. You probably cannot pick up the phone and bring in law enforcement officials every time something anomalous happens on one of your servers and expect them to send out a team of forensic specialists, and even if you could, your corporate executives may not want that. All major corporations have internal security departments that are quite busy performing internal investigations. However, the security professionals who typically fill this role are accustomed to dealing with theft and safety issues and are often ill-prepared to deal with computer crime.

This book is inspired by the needs of the people who attend the author's seminars on computer forensics. If for no other reason than these sold-out seminars, we know that there is a big demand for greater expertise in digital investigations. System administrators and corporate security staff are the people we've designed the book for. Most of the seminar attendees are fairly skilled in the use and maintenance of Microsoft environments. Some of them are Unix specialists, but many students have expressed a strong desire to learn more about Unix. Once a corporation discovers that they know someone who can investigate Windows incidents, it is assumed that he or she knows everything about computers, and it is usually only a matter of time until this person is pressured into taking a look at a suspect Unix system.

Our students come from a wide variety of backgrounds and have diverse investigatory needs and desires. We try to accommodate these varying agendas in this book, to which we bring our experience in investigation and incident response. Warren Kruse is a former police officer who regularly performs computer forensic examinations inside and outside of Lucent Technologies. Jay Heiser is an information security consultant who has been on the response teams for numerous hacked Internet servers. To the maximum extent possible, this book contains everything useful that we've learned from performing investigations and teaching others to do so for themselves. We know what questions will be asked, and this book is designed to answer them. It is a practical guide to the techniques used by real people to investigate real computer crimes.

How to Read This Book

This book can be read cover to cover, as a complete introductory course in computer forensics. However, it is also meant to serve as a handbook, and we expect many readers to be familiar with some of the subjects we cover. For that reason, each chapter is a complete unit and can be read when convenient or necessary. You probably specialize in one or more of the areas covered in this text. However, we believe that the information presented in this book is at the minimum required level of legal and computer literacy, and we urge you to become knowledgeable in all of the areas we cover: legal, procedural, and technical.

A brief description of the information covered in each chapter is provided in the sections that follow.

Introduction to Computer Forensics

Chapter 1 outlines the basic process of evidence collection and analysis, which is the meat of computer forensics. Even those readers with a background in law enforcement will find new techniques in this chapter that are specific to computer forensics.

Tracking an Offender

The Internet is pervasive, and a high percentage of your investigations will involve either incoming or outgoing Internet traffic. The material in Chapter 2 will help you interpret the clues inside of email messages and news postings. It will also start you on the path toward becoming an Internet detective, using standard Internet services to perform remote investigations.

The Basics of Hard Drives and Storage Media

For the computer sleuth, hard drives are the most significant containers of evidence. Chapter 3 provides an understanding of both their logical and their physical configurations. It covers partitions and low-level formatting, filesystems, and hardware drive interfaces.

Encryption and Forensics

Cryptography has become ubiquitous in the virtual world of the Internet. A skilled investigator must have a solid understanding of the technology and goals of modern cryptography. It is relevant both in understanding evidence and, interestingly, in the preservation of evidence. Many investigators lack a necessary level of crypto-literacy, so Chapter 4 provides a broad introduction to encryption with special emphasis on its significance and application in computer forensics. We also discuss common encoding and archiving formats (such as uuencode and PKZIP) that can complicate your keyword searches. As digital signature technology grows in legal significance and finds new uses, forensic investigators will be expected to understand its limitations and must have a firm grasp of the ways in which a digital identity can be stolen. The digital timestamping of forensic evidence will soon become standard procedure in digital investigations. If you already have a background in these encryption concepts, then you may wish to skim this chapter.

Data Hiding

Being able to find hidden data is a crucial investigative skill. Even if you are highly crypto-literate, you still may not be aware of steganography (the art of hiding information by embedding covert messages within other messages) and other data-hiding techniques. Continuing the subject of encryption, Chapter 5 describes the use of specific password-cracking tools that we have successfully used during our investigations. This chapter categorizes and describes the ways that data can be hidden–not just by encryption–and provides practical guidance on how to find and read hidden data.

Hostile Code

Being able to identify and understand the implications of criminal tools is a skill that every investigator needs. Given that hostile code can be arcane and that few readers have a background in it, Chapter 6 provides an introduction to the topic and an overview of the types and capabilities of digital criminal tools that the investigator may encounter. We've included a couple of war stories involving the recent use of "hacker tools" on corporate PCs, which is becoming increasingly common.

Your Electronic Toolkit

Although forensic-specific tools have a certain James Bond—like appeal–and we cover these products–a large percentage of your work will be done with system tools that were not specifically created for the unique needs of forensic investigation. Chapter 7 will introduce you to a wide variety of utility types and specific brand name tools, along with instructions in their use in a digital investigation.

Investigating Windows Computers

Microsoft Windows, in all its various flavors, is the most widely used family of operating systems. While Chapter 8 assumes some background in Windows, you don't need to be a Microsoft Certified Systems Engineer in order to apply the techniques and tricks we discuss. Emphasis is placed on Windows NT 4.0 and Windows 9x, but several important new Windows 2000 features, such as the Encrypting File System, are covered. An experienced investigator soon learns that nothing is too obsolete to be in daily use somewhere, so the chapter concludes with Windows 3.1—specific material.

Introduction to Unix for Forensic Examiners

For those readers with no prior Unix experience, Chapter 9 provides an introduction with special emphasis on Unix characteristics that are most significant for the forensic investigator. Experienced Unix users can skim or skip this chapter.

Compromising a Unix Host

Chapter 10 is intended as background material for the investigation of hacked Internet hosts. It describes the process that Unix attackers typically use and provides an understanding of the goals of typical system hackers.

Investigating a Unix Host

While emphasizing the investigation of hacked Unix hosts, Chapter 11 describes techniques that are applicable to all forms of Unix investigation. It contains a detailed set of Unix-specific techniques and processes that use common Unix utilities for collecting and evaluating evidence. It also contains instructions on using a Unix boot CD to capture information over a network when you can't attach hardware directly to a suspect system.

Introduction to the Criminal Justice System

The final chapter explains what you need to do after you have begun collecting evidence and provides an overview of the criminal justice process. Legal concepts such as affidavits, subpoenas, and warrants are described. You will be a more effective interface between your organization and law enforcement agents if you understand what they do and how both investigations and prosecutions are structured by the legal system.


As in most books, the appendixes in this one contain information that doesn't fit neatly anywhere else. They are standalone guides to specific needs.

Appendix A, Internet Data Center Response Plan, defines a process for handling computer security incidents in Internet Data Centers.

Appendix B, Incident Response Triage, provides a list of general questions that should be asked during the investigation of a computer crime incident.

Appendix C, How to Become a Unix Guru, provides self-study suggestions for forensic examiners who want to improve their ability to investigate Unix hosts.

Appendix D, Exporting a Windows 2000 Personal Certificate, graphically depicts the process of exporting a Personal Certificate from a Windows 2000 computer. Investigators should practice this process to prepare themselves for incidents involving the Encrypted File System.

Appendix E, How to Crowbar Unix Hosts, describes the process of gaining administrative access to a Unix system by booting it from a floppy or CD.

Appendix F, Creating a Linux Boot CD, provides several suggestions on techniques and technology sources that are useful in the creation of bootable Linux CDs that can be used to crowbar Unix or NT systems. Booting from a Linux CD can also provide a trusted environment useful for examining or collecting evidence when it is not feasible to remove the hard drive from a system.

Appendix G, Contents of a Forensic CD, provides a shopping list of useful tools that should be considered the minimum set of forensic utilities that an examiner brings during an incident response.


Read More Show Less

Customer Reviews

Average Rating 4
( 6 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing all of 6 Customer Reviews
  • Anonymous

    Posted August 30, 2014

    Breeze & Storm

    The two cats follow Echosong relieved but still wary.

    Was this review helpful? Yes  No   Report this review
  • Anonymous

    Posted August 29, 2014


    The little ginger cat with green eyes and a twisted fore paw padded up to the beginning of the trees. "I really hope the group of cats exists. I they don't, l'll have to go back to my housefolk. I don't like the vet, and they'll most surely take me to the Cutter!" She continue to walk, the foliage thickening.

    Was this review helpful? Yes  No   Report this review
  • Anonymous

    Posted August 28, 2014


    Looked around feeling uncomfortable with less trees. He quickly madea sent and chased a rabit as far as he could before moving on

    Was this review helpful? Yes  No   Report this review
  • Anonymous

    Posted August 28, 2014

    Edge of Forest, Beginning of Plains and Border

    Here is where the forest ends. You will notice it by the trees starting to thin, and the undergrowth replaced by grasses. Some rabbits are here, but they are hard to catch, and if thwy cross the border, you cannot follow them. Eventially, the trees will be gone completely, and then, you have come to the edge of our territory. The scent-marker must be laid daily here.<br>

    Was this review helpful? Yes  No   Report this review
  • Posted June 8, 2013

    WOW... I love MyDeals247 model - they create competition among t

    WOW... I love MyDeals247 model - they create competition among the sellers real-time.

    Was this review helpful? Yes  No   Report this review
  • Anonymous

    Posted June 7, 2006

    Great primer

    This is one of the best primers on Computer Forensics out there. It is comprehensive, covers in enough depth to be useful, and is practical in its use. I would recommend this book to anyone interested in getting started in Forensics. The only negative is the dating - this would be better if it were

    Was this review helpful? Yes  No   Report this review
Sort by: Showing all of 6 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)