Why Is This Book Necessary?
Billions of dollars are lost annually to crime, and computers are increasingly involved. It is clear that law enforcement needs to investigate digital evidence, but does it make sense to encourage a bunch of computer administrators to become Junior G-Men? Do we really need amateur digital sleuths? In a word, yes. Bad things are happening on computers and to computers, and the organizations responsible for these computers have a need to find out what exactly happened. You probably cannot pick up the phone and bring in law enforcement every time something anomalous happens on one of your servers and expect them to send out a team of forensic specialists, and even if you could, it may not be what your corporate executive staff wants. All major corporations have internal security departments that are quite busy performing internal investigations. However, the security professionals who typically fulfill this role are accustomed to dealing with theft and safety issues and are often ill-prepared to deal with computer crime.
Computer Forensics is inspired by the needs of the people who attend Warren's seminars on computer forensics. If for no other reason than these sold-out seminars, we know that there is a large demand for greater expertise in digital investigations. System administrators and corporate security staff are the people we've designed the book around. Most of the seminar attendees are fairly skillful in the use and maintenance of Microsoft environments. Some of them are Unix specialists, but many students have expressed a strong desire to learn more about Unix. Once a corporation discovers that they have somebody with the ability to investigate Windows incidents, it is assumed that they know everything about computers, and it is usually only a matter of time until they are pressured into taking a look at a suspect Unix system.
Warren's students come from a wide variety of backgrounds and have diverse investigatory needs and desires. We try to accommodate these varying agendas in this book, to which we bring our experience in investigation and incident response. Warren is a former police officer who regularly performs computer forensic examinations inside and outside of Lucent. Jay is an information security consultant who has been on the response teams for numerous hacked Internet servers. To the maximum extent possible, this book contains everything useful that we've learned from performing investigations and teaching others to do it for themselves. We know what questions will be asked, and this book is designed to answer them. It is a practical guide to the techniques used by real people to investigate real computer crimes.
How to Read This Book
This book can be read cover to cover, as a complete introductory course in computer forensics. However, it is also meant to serve as a handbook, and we expect many of the readers to have familiarity with some of the subjects we cover. For that reason, every chapter is self-standing, and can be read when convenient or necessary. Undoubtedly, you will specialize in one or more of the areas covered in this text. However, we believe that the information presented in this book is a MINIMUM required level of legal and computer literacy, and we urge you to become knowledgeable in all of the areas we cover: legal, procedural, and technical.
Introduction to Computer Forensics
This chapter outlines the basic process of evidence collection and analysis, which is the meat of computer forensics. Even those with a background in law enforcement will find new techniques in this chapter that are specific to computer forensics.
Tracking an Offender
The Internet is pervasive today, and a high percentage of your investigations will involve either incoming or outgoing Internet traffic. The material in this chapter will help you understand how to interpret the clues inside of mail messages and news postings. It will also start you on the path towards becoming an Internet detective, using standard Internet services to perform remote investigations.
Hard Drives and Storage Media Basics
For the computer sleuth, hard drives are the most significant containers of evidence. This chapter provides an understanding of both their logical and their physical configuration. It covers partitions and low-level formatting, file systems, and hardware drive interfaces.
Encryption and Forensics
Cryptography has become ubiquitous in the virtual world of the Internet. A good investigator must have a solid understanding of the technology and goals of modern cryptography. It is relevant both in understanding evidence, and interestingly enough, in the preservation of evidence. Many investigators lack what we feel is a necessary level of crypto-literacy, so this chapter provides a broad-brush introduction to encryption with special emphasis on its significance and application in computer forensics. We also discuss common encoding and archiving formats that can complicate your key word searches (uuencode, pkzip, etc.). We believe that as digital signature grows in legal significance and continues to find new uses, that forensic investigators will be expected to understand the limitations of digital signature and have a firm grasp of the ways in which a digital identity can be stolen. We also believe that the digital timestamping of forensic evidence will soon become standard procedure in digital investigations. If you already have a good background in these encryption concepts, then you may wish to skim this chapter.
Data Hiding
Being able to find hidden data is a crucial investigative skill. Even if you are very crypto-literate, you still may not be aware of steganography and other data hiding techniques. Continuing the subject of encryption, this chapter provides hands-on applications of cracking techniques, describing the use of specific software tools that we have successfully used during our investigations. This chapter categorizes and describes the ways that data can be hidden--not just encryption--and provides practical guidance on how to find and read hidden data.
Hostile Code
Being able to identify and understand the implications of criminal tools is a skill that every investigator needs. Given that hostile code can be very arcane and is not something that all of our readers have a background in, this chapter provides an introduction to the topic and an overview of the types and capabilities of digital criminal tools that the investigator may encounter. We've included a couple of recent war stories involving incidents of 'hacker tools' on corporate PCs, which is becoming increasingly common.
Your Electronic Toolkit
Although forensic-specific tools have a certain James Bond-like appeal--and we certainly cover these products also--a large percentage of your work will be done with system tools that were not specifically created for the unique needs of forensic investigation. This chapter will introduce you to a wide variety of utility types and specific brand name tools, along with instructions in their appropriate use within a digital investigation. . .
Investigating Windows Computers
Microsoft Windows--in all its various flavors--is the most widely used family of personal productivity operating systems. While this chapter assumes some background in Windows, you don't need to be a Microsoft Certified Systems Engineer in order to apply the techniques and tricks we discuss. Emphasis is placed on NT 4.0 and Windows 9X, but several important new Windows 2000 features, such as the Encrypting File System, are covered. An experienced investigator soon learns that nothing is too obsolete to be in daily use somewhere, so the chapter concludes with Windows 3.1-specific material.
Introduction to Unix for Forensic Examiners
For those readers with no prior experience with Unix, this chapter provides an introduction with special emphasis on Unix characteristics that are most significant for the forensic investigator. Experienced Unix users can safely skim or skip this chapter.
Compromising a Unix Host
This chapter is intended as background material for the investigation of hacked Internet hosts. It describes the process that Unix attackers typically use, and provides an understanding of the goals of typical system hackers.
Investigating a Unix Host
While emphasizing the investigation of hacked Unix hosts, the techniques taught in this chapter are applicable to all forms of Unix investigation. It contains a very detailed set of Unix-specific techniques and processes that use common Unix utilities for collecting and evaluating evidence. It also contains instructions on using a Unix boot CD to capture information over a network when you do not have the ability to attach hardware directly to a suspect system.
Introduction to the Criminal Justice System
The final chapter in the book explains what you need to do once you have begun collecting evidence, and provides an overview of the criminal justice process. Legal concepts such as affidavits, subpoenas, and warrants are described. You will be a much more effective interface between your organization and law enforcement agents if you understand what they do and how both investigations and prosecutions are structured by the legal system.
Appendixes
Like any book, the appendixes are little bits that don't fit neatly anywhere else. These are standalone guides to very specific needs. Be sure to take a look at these to see which specific appendices meet your personal needs.