Tài liệu Hacking Exposed Computer Forensics, Second Edition pot

www.it-ebooks.info

HACKING EXPOSED™

COMPUTER FORENSICS

SECOND EDITION

REVIEWS

“This book provides the right mix of practical how-to knowledge in a

straightforward, informative fashion that ties all the complex pieces together with

real-world case studies. With so many books on the topic of computer forensics,

Hacking Exposed Computer Forensics, Second Edition, delivers the most valuable

insight on the market. The authors cut to the chase of what people must understand

to effectively perform computer forensic investigations.”

—Brian H. Karney, COO, AccessData Corporation

“Hacking Exposed Computer Forensics is a ‘must-read’ for information security

professionals who want to develop their knowledge of computer forensics.”

—Jason Fruge, Director of Consulting Services, Fishnet Security

00-FM.indd i 8/23/2009 3:54:42 AM

www.it-ebooks.info

“Computer forensics has become increasingly important to modern incident

responders attempting to defend our digital castles. Hacking Exposed Computer

Forensics, Second Edition, picks up where the first edition left off and provides a

valuable reference, useful to both beginning and seasoned forensic professionals. I

picked up several new tricks from this book, which I am already putting to use.”

—Monty McDougal, Raytheon Information Security Solutions, and author of

the Windows Forensic Toolchest (WFT) (www.foolmoon.net)

“Hacking Exposed Computer Forensics, Second Edition, is an essential reference for

both new and seasoned investigators. The second edition continues to provide

valuable information in a format that is easy to understand and reference.”

—Sean Conover, CISSP, CCE, EnCE

“This book is an outstanding point of reference for computer forensics and

certainly a must-have addition to your forensic arsenal.”

—Brandon Foley, Manager of Enterprise IT Security, Harrah’s Operating Co.

“Starts out with the basics then gets DEEP technically. The addition of IP theft and

fraud issues is timely and make this second edition that much more valuable. This

is a core book for my entire forensics group.”

—Chris Joerg, CISSP CISA/M, Director of Enterprise Security,

Mentor Graphics Corporation

“A must-read for examiners suddenly faced with a Mac or Linux exam after

spending the majority of their time analyzing Windows systems.”

—Anthony Adkison, Criminal Investigator and Computer Forensic Examiner,

CFCE/EnCE

“This book is applicable to forensic investigators seeking to hone their skills, and

it is also a powerful tool for corporate management and outside counsel seeking to

limit a company’s exposure.”

—David L. Countiss, Esq., partner, Seyfarth Shaw LLP

“I have taught information security at a collegiate level and in a corporate

setting for many years. Most of the books that I have used do not make it easy

for the student to learn the material. This book gives real-world examples,

various product comparisons, and great step-by-step instruction, which makes

learning easy.”

—William R Holland, Chief Security Officer, Royce LLC

00-FM.indd ii 8/23/2009 3:54:42 AM

www.it-ebooks.info

HACKING EXPOSED™

COMPUTER FORENSICS

SECOND EDITION

AARON PHILIPP

DAVID COWEN

CHRIS DAVIS

New York Chicago San Francisco

Lisbon London Madrid Mexico City

Milan New Delhi San Juan

Seoul Singapore Sydney Toronto

00-FM.indd iii 8/23/2009 3:54:42 AM

www.it-ebooks.info

Copyright © 2010 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of

1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval sys￾tem, without the prior written permission of the publisher.

ISBN: 978-0-07-162678-1

MHID: 0-07-162678-6

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-162677-4, MHID: 0-07-162677-8.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked

name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trade￾mark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training

programs. To contact a representative please e-mail us at [email protected].

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or

mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of

any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work.

Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one

copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, trans￾mit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the

work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be

terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS

TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,

INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,

AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED

WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not

warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or

error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of

cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed

through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive,

consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the pos￾sibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in

contract, tort or otherwise.

www.it-ebooks.info

To my mom and dad, thanks for teaching me to follow my

dreams. To my sister, Renee, for always being there for me. To

all of my friends and teachers at The University of Texas at

Austin, for making me what I am and showing me what I

can be. Hook ‘em Horns!

—Aaron

To my daughter, I can’t wait to meet you. To my wife, thank you

for supporting me through the second edition. To my mom and

dad, thank you for your enthusiasm for a book you will never

read. To my friends at G-C, thank you for all the hard work.

—Dave

00-FM.indd v 8/23/2009 3:54:43 AM

www.it-ebooks.info

About the Authors

Aaron Philipp

Aaron Philipp is a managing consultant in the Disputes and Investigations practice

at Navigant Consulting, which assists domestic and global corporations and their

counsel who face complex and risky legal challenges. In this capacity, he provides

consulting services in the fields of computer forensics and high-tech investigations.

Mr. Philipp specializes in complex computer forensic techniques such as

identification and tracing of IP theft, timeline creation, and correlation relating to

multiparty fraud and reconstruction of evidence after deliberate data destruction has

occurred that would nullify traditional computer forensic methodology. Mr. Philipp was

previously Managing Partner of Affect Computer Forensics, a boutique forensics firm

based in Austin, Texas, with offices in Dallas, Texas, and Hong Kong. Affect’s clients

include the nation’s top law firms, FORTUNE 500 legal departments, and government

investigatory agencies. In addition, Mr. Philipp is a regular speaker at technology and

legal conferences around the world. He has been internationally recognized for his work,

with citations of merit from the governments of Taiwan and South Africa. Mr. Philipp

has a B.S. in computer science from The University of Texas at Austin.

David Cowen, CISSP

David Cowen is the co-author of the best-selling Hacking Exposed Computer Forensics

and the Anti-Hacker Toolkit, Third Edition. Mr. Cowen is a Partner at G-C Partners,

LLC, where he provides expert witness services and consulting to Fortune 500

companies nationwide. Mr. Cowen has testified in cases ranging from multimillion￾dollar intellectual property theft to billion-dollar antitrust claims. Mr. Cowen has

over 13 years of industry experience in topics ranging from information security to

computer forensics.

Chris Davis

Chris Davis has trained and presented in information security and certification

curriculum for government, corporate, and university requirements. He is the

author of Hacking Exposed Computer Forensics, IT Auditing: Using Controls to Protect

Information Assets, and Anti-Hacker Toolkit, and he contributed to the Computer

Security Handbook, Fifth Edition. Mr. Davis holds a bachelor’s degree in nuclear

engineering technologies from Thomas Edison and a master’s in business from

The University of Texas at Austin. Mr. Davis served eight years in the U.S. Naval

Submarine Fleet, onboard the special projects Submarine NR-1 and the USS Nebraska.

About the Contributing Authors

Todd K. Lester is a director in the Disputes and Investigations practice of Navigant

Consulting (PI), LLC, which assists domestic and global corporations and their counsel

who face complex and risky legal challenges. He is an Accredited Senior Appraiser (ASA)

in business valuation and a Certified Fraud Examiner (CFE) with over 20 years of

experience in forensic accounting, litigation consulting, damages analysis, business

valuation, and business investigations. Mr. Lester has conducted financial investigations

00-FM.indd vi 8/23/2009 3:54:43 A

www.it-ebooks.info

of accounting irregularities, fraud, and other misconduct in a wide variety of domestic

and international forums. He also has extensive experience advising clients in complex

litigation and disputes on the financial, accounting, and data analysis aspects of

multifaceted damages calculations, especially where complex databases and business

systems are involved. Prior to joining Navigant Consulting, Mr. Lester was a director in

the Financial Advisory Services practice of PricewaterhouseCoopers. He holds a

bachelor’s of business administration in finance/international business, a B.A. in biology,

and an MBA from The University of Texas.

Jean Domalis has over eight years of investigative experience, focusing on digital

forensic techniques in the areas of IP theft, corporate espionage, embezzlement, and

securities fraud. Ms. Domalis was previously a senior consultant with Navigant

Consulting, where she participated as a key member of teams undertaking multinational

forensic investigations in the United States, Canada, and Asia. Ms. Domalis came to

Navigant with the acquisition of Computer Forensics, Inc., one of the nation’s premier

computer forensics boutique firms. Ms. Domalis attended the University of

Washington.

John Loveland specializes in providing strategic counsel and expert witness services

on matters related to computer forensic investigations and large end-to-end discovery

matters. He has over 18 years of experience in consulting multinational corporations

and law firms and has led or contributed to over 100 investigations of electronic data

theft and computer fraud and abuse and to the collection of electronic evidence from

hard drives, backup tapes, network servers, cell phones and BlackBerries, and other

storage media. Mr. Loveland was the founder and president of S3 Partners, a computer

forensics firm based in Dallas, which was acquired by Fios, Inc., in 2003. He is currently

managing director in the Computer Forensics and Electronic Discovery Services practice

for Navigant Consulting in Washington, D.C. and oversees the practice’s operations in

the Mid-Atlantic region.

David Dym has been a private computer forensics consultant for several years,

providing services at G-C Partners, LLC. Forensic services have included evidence

collection, recovery, and analysis for clients of top firms in the United States as well

as companies in the banking and mining industry. Mr. Dym has over nine years

of experience with programming, quality assurance, enterprise IT infrastructure, and

has experience with multiple network, database, and software security initiatives.

Mr. Dym has built and managed multiple teams of programmers, quality assurance

testers, and IT infrastructure administrators. He has participated in dozens of projects to

develop and deploy custom-developed business software, medical billing, inventory

management, and accounting solutions.

Rudi Peck has been a private computer forensic consultant for the last several years

providing services at G-C Partners, LLC. Forensic services have included evidence

collection, recovery, and analysis for clients of several top firms in the United States as

well as companies in the banking industry. Mr. Peck has over a decades worth of

experience in programming, software production, and test engineering with an extensive

background in Window’s security. Mr. Peck has designed several security audit tools for

companies and provided contract development work for the Center of Internet

Security.

Rafael Gorgal is a partner with the firm of G-C Partners, LLC, a computer forensics

and information security consultancy. He is the three-term past president of the Southwest

00-FM.indd vii 8/23/2009 3:54:44 A

www.it-ebooks.info

Chapter, High Technology Crime Investigations Association, and has extensive experience

in analyzing digital evidence. He has conducted numerous forensic investigations,

developed methodologies for use by incident response teams, and managed teams of

forensic consultants. He has also developed computer forensic curriculum currently

being taught to both private sector and law enforcement investigators. Mr. Gorgal has

taught information security at Southern Methodist University, the University of California

at Los Angeles, and the National Technological University.

Peter Marketos is a partner at Haynes and Boones, LLP, who practices commercial

litigation in the firm’s Dallas office. He represents clients as both plaintiffs and defendants

in business disputes from trial through appeal. Mr. Marketos has tried many cases to

juries and to the bench, obtaining favorable verdicts in disputes involving corporate

fraud, breach of contract, breach of fiduciary duty, and theft of trade secrets. He has

developed substantial expertise in the discovery and analysis of electronic evidence

through the use of technology and computer forensics.

Andrew Rosen is president of ASR Data Acquisition & Analysis, LLC. He offers

unique litigation support services to the legal, law enforcement, and investigative

communities. With over a decade of experience in the recovery of computer data and

forensic examination, Mr. Rosen regularly provides expert testimony in federal and state

courts. Along with training attorneys and law enforcement officials in computer

investigation techniques, Mr. Rosen frequently speaks and writes on emerging matters

in the field. He has a worldwide reputation for developing cutting-edge computer-crime

investigative tools and is frequently consulted by other professionals in the industry.

About the Technical Editor

Louis S. Scharringhausen, Jr., is the director of Digital Investigations for Yarbrough

Strategic Advisors in Dallas, Texas, where he is responsible for directing, managing, and

conducting digital investigations and electronic discovery projects. Mr. Scharringhausen

was a special agent for the U.S. Environmental Protection Agency’s Criminal

Investigation Division (USEPA-CID) for ten years, conducting complex, large-scale

environmental investigations. For five of those years, he was a team leader for USEPA￾CID’s prestigious National Computer Forensics Laboratory-Electronic Crimes Team,

conducting forensic acquisitions and analysis in support of active investigations. After

leaving the public sector in January 2007, Mr. Scharringhausen worked with Navigant

Consulting, Inc., where he was an integral part of a digital forensics team that focused on

fraud and intellectual property investigations before coming to Yarbrough Strategic

Advisors. He has participated in numerous training sessions for Guidance Software,

Access Data, the National White Collar Crimes Center, and the Federal Law Enforcement

Training Center, among others. He holds the EnCase Certified Examiner endorsement

(EnCE) and a B.S. in environmental science from Metropolitan State College of Denver.

00-FM.indd viii 8/23/2009 3:54:44 AM

www.it-ebooks.info

ix

AT A GLANCE

Part I Preparing for an Incident

▼ 1 The Forensics Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

▼ 2 Computer Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

▼ 3 Forensic Lab Environment Preparation . . . . . . . . . . . . . . . . . . . 41

Part II Collecting the Evidence

▼ 4 Forensically Sound Evidence Collection . . . . . . . . . . . . . . . . . . 63

▼ 5 Remote Investigations and Collections . . . . . . . . . . . . . . . . . . . . 97

Part III Forensic Investigation Techniques

▼ 6 Microsoft Windows Systems Analysis . . . . . . . . . . . . . . . . . . . . 131

▼ 7 Linux Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

▼ 8 Macintosh Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

▼ 9 Defeating Anti-forensic Techniques . . . . . . . . . . . . . . . . . . . . . . 197

▼ 10 Enterprise Storage Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

▼ 11 E-mail Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

▼ 12 Tracking User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

▼ 13 Forensic Analysis of Mobile Devices . . . . . . . . . . . . . . . . . . . . . . 303

00-FM.indd ix 8/23/2009 3:54:44 AM

www.it-ebooks.info

x Hacking Exposed Computer Forensics

Part IV Presenting Your Findings

▼ 14 Documenting the Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . 341

▼ 15 The Justice System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

Part V Putting It All Together

▼ 16 IP Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

▼ 17 Employee Misconduct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

▼ 18 Employee Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

▼ 19 Corporate Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

▼ 20 Organized Cyber Crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

▼ 21 Consumer Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

▼ A Searching Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

▼ Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

00-FM.indd x 8/23/2009 3:54:44 AM

www.it-ebooks.info

xi

CONTENTS

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

Part I Preparing for an Incident

Case Study: Lab Preparations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Cashing Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Preparing for a Forensics Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

▼ 1 The Forensics Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Types of Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

The Role of the Investigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Elements of a Good Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Cross-validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Proper Evidence Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Completeness of Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Management of Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Technical Competency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Explicit Defi nition and Justifi cation for the Process . . . . . . . . . . . . . . 14

Legal Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Flexibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Defi ning a Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Identifi cation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

00-FM.indd xi 8/23/2009 3:54:44 AM

www.it-ebooks.info

xii Hacking Exposed Computer Forensics

Collection and Preservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Production and Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

After the Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

▼ 2 Computer Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

The Bottom-up View of a Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

It’s All Just 1s and 0s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Learning from the Past: Giving Computers Memory . . . . . . . . . . . . . 22

Basic Input and Output System (BIOS) . . . . . . . . . . . . . . . . . . . . . . . . . 24

The Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

The Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Types of Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Magnetic Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Optical Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Memory Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

▼ 3 Forensic Lab Environment Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

The Ultimate Computer Forensic Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

What Is a Computer Forensic Laboratory? . . . . . . . . . . . . . . . . . . . . . . 42

Forensic Lab Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Protecting the Forensic Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Forensic Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Components of a Forensic Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Commercially Available Hardware Systems . . . . . . . . . . . . . . . . . . . . 51

Do-It-Yourself Hardware Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Data Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Forensic Hardware and Software Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Using Hardware Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Using Software Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

The Flyaway Kit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Case Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Bonus: Linux or Windows? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Part II Collecting the Evidence

Case Study: The Collections Agency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Preparations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Revelations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Collecting Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

▼ 4 Forensically Sound Evidence Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Collecting Evidence from a Single System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Step 1: Power Down the Suspect System . . . . . . . . . . . . . . . . . . . . . . . 65

00-FM.indd xii 8/23/2009 3:54:44 AM

www.it-ebooks.info

Contents xiii

Step 2: Remove the Drive(s) from the Suspect System . . . . . . . . . . . . 65

Step 3: Check for Other Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Step 4: Record BIOS Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Step 5: Forensically Image the Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Step 6: Record Cryptographic Hashes . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Step 7: Bag and Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Move Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Common Mistakes in Evidence Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

▼ 5 Remote Investigations and Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Privacy Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Remote Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Remote Investigation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Remote Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Remote Collection Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

The Data Is Changing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Policies and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Encrypted Volumes or Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

USB Thumb Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Part III Forensic Investigation Techniques

Case Study: Analyzing the Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Digging for Clues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

We’re Not Done. Yet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Finally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

▼ 6 Microsoft Windows Systems Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Windows File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Master Boot Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

FAT File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

NTFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Recovering Deleted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Windows Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

▼ 7 Linux Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

The Linux File System (ext2 and ext3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

ext2 Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

ext3/ext4 Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Linux Swap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Linux Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

00-FM.indd xiii 8/23/2009 3:54:44 AM

www.it-ebooks.info

xiv Hacking Exposed Computer Forensics

▼ 8 Macintosh Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

The Evolution of the Mac OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Looking at a Mac Disk or Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

The GUID Partition Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Partition Entry Array . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Deleted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Recovering Deleted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Concatenating Unallocated Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Scavenging for Unindexed Files and Pruned Nodes . . . . . . . . . . . . . 190

A Closer Look at Macintosh Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Date and Time Stamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Graphics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Web Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Virtual Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

System Log and Other System Files . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Mac as a Forensics Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

▼ 9 Defeating Anti-forensic Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Obscurity Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Privacy Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

The General Solution to Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Wiping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

▼ 10 Enterprise Storage Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

The Enterprise Data Universe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Rebuilding RAIDs in EnCase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Rebuilding RAIDs in Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Working with NAS Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Working with SAN Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Working with Tapes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Accessing Raw Tapes on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Accessing Raw Tapes on UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

Commercial Tools for Accessing Tapes . . . . . . . . . . . . . . . . . . . . . . . . . 229

Collecting Live Data from Windows Systems . . . . . . . . . . . . . . . . . . . 231

Full-Text Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Mail Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

▼ 11 E-mail Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Finding E-mail Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

Converting E-mail Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Obtaining Web-based E-mail (Webmail) from Online Sources . . . . . . . . . . . 241

00-FM.indd xiv 8/23/2009 3:54:44 AM

www.it-ebooks.info