AARON PHILIPP
DAVID COWEN
CHRIS DAVIS
“Hacking Exposed Computer Forensics is a ‘must-read’ for information security
professionals who want to develop their knowledge of computer forensics.”
—Jason Fruge, Director of Consulting Services, Fishnet Security
“This book provides the right mix of practical how-to knowledge in a
straightforward, informative fashion that ties all the complex pieces together with
real-world case studies. With so many books on the topic of computer forensics,
Hacking Exposed Computer Forensics, Second Edition, delivers the most valuable
insight on the market. The authors cut to the chase of what people must understand
to effectively perform computer forensic investigations.”
—Brian H. Karney, COO, AccessData Corporation
 |
| Hacking Exposed Computer Forensics 2nd Edition |
Aaron Philipp is a managing consultant in the Disputes and Investigations practice
at Navigant Consulting, which assists domestic and global corporations and their
counsel who face complex and risky legal challenges. In this capacity, he provides
consulting services in the fields of computer forensics and high-tech investigations.
Mr. Philipp specializes in complex computer forensic techniques such as
identification and tracing of IP theft, timeline creation, and correlation relating to
multiparty fraud and reconstruction of evidence after deliberate data destruction has
occurred that would nullify traditional computer forensic methodology. Mr. Philipp was
previously Managing Partner of Affect Computer Forensics, a boutique forensics firm
based in Austin, Texas, with offices in Dallas, Texas, and Hong Kong. Affect’s clients
include the nation’s top law firms, FORTUNE 500 legal departments, and government
investigatory agencies. In addition, Mr. Philipp is a regular speaker at technology and
legal conferences around the world. He has been internationally recognized for his work,
with citations of merit from the governments of Taiwan and South Africa. Mr. Philipp
has a B.S. in computer science from The University of Texas at Austin.
David Cowen is the co-author of the best-selling Hacking Exposed Computer Forensics
and the Anti-Hacker Toolkit, Third Edition. Mr. Cowen is a Partner at G-C Partners,
LLC, where he provides expert witness services and consulting to Fortune 500
companies nationwide. Mr. Cowen has testified in cases ranging from multimilliondollar
intellectual property theft to billion-dollar antitrust claims. Mr. Cowen has
over 13 years of industry experience in topics ranging from information security to computer forensics.
Chris Davis has trained and presented in information security and certification
curriculum for government, corporate, and university requirements. He is the
author of Hacking Exposed Computer Forensics, IT Auditing: Using Controls to Protect
Information Assets, and Anti-Hacker Toolkit, and he contributed to the Computer
Security Handbook, Fifth Edition. Mr. Davis holds a bachelor’s degree in nuclear
engineering technologies from Thomas Edison and a master’s in business from
The University of Texas at Austin. Mr. Davis served eight years in the U.S. Naval
Submarine Fleet, onboard the special projects Submarine NR-1 and the USS Nebraska.
About the Technical Editor
Louis S. Scharringhausen, Jr., is the director of Digital Investigations for Yarbrough
Strategic Advisors in Dallas, Texas, where he is responsible for directing, managing, and
conducting digital investigations and electronic discovery projects. Mr. Scharringhausen
was a special agent for the U.S. Environmental Protection Agency’s Criminal
Investigation Division (USEPA-CID) for ten years, conducting complex, large-scale
environmental investigations. For five of those years, he was a team leader for USEPACID’s
prestigious National Computer Forensics Laboratory-Electronic Crimes Team,
conducting forensic acquisitions and analysis in support of active investigations. After
leaving the public sector in January 2007, Mr. Scharringhausen worked with Navigant
Consulting, Inc., where he was an integral part of a digital forensics team that focused on
fraud and intellectual property investigations before coming to Yarbrough Strategic
Advisors. He has participated in numerous training sessions for Guidance Software,
Access Data, the National White Collar Crimes Center, and the Federal Law Enforcement
Training Center, among others. He holds the EnCase Certified Examiner endorsement
(EnCE) and a B.S. in environmental science from Metropolitan State College of Denver.
Introduction
“This is not an incident response handbook.” This was the first line of the introduction
for the first edition. Little did we know at the time how much computer forensics would
change since the book was first published in 2004. Computer forensics is changing the
way investigations are done, even investigations previously thought to be outside the
four corners of technology investigations.
If you look at what happened with the economy in 2008 and 2009, the subprime
mortgage meltdown, the credit crisis, and all of the associated fraud that has been
uncovered, you can see the vital role that computer forensics plays in the process. Before
the prevalence of technology in corporations, all investigators had to go on were paper
documents and financial transactions. With the addition of computer forensics as a tool,
we can better identify not only what happened at a certain point in time, but also, in
some cases, the intent of the individuals involved. Multibillion-dollar fraud schemes are
being blown open by the discovery of a single e-mail or thumb drive. Computer forensics
is front and center in changing the way these investigations are conducted.
HOW THIS BOOK IS ORGANIZED
We have broken this book into five parts, reflective of the different stages of the
investigation.
Part I: Preparing for an Incident
This section discusses how to develop a forensics process and set up the lab environment
needed to conduct your investigation in an accurate and skillful manner. In addition, it
lays the technical groundwork for the rest of the book.
Part II: Collecting the Evidence
These chapters teach you how to effectively find, capture, and prepare evidence for
investigation. Additionally, we highlight how the law applies to evidence collection.
Part III: Forensic Investigation Techniques
This section illustrates how to apply recovery techniques to investigations from the
evidence you have collected across many platforms and scenarios found in corporate
settings. We introduce field-tested methods and techniques for recovering suspect activities.
Part IV: Presenting Your Findings
The legal environment of technical forensics is the focus of this section. We discuss how
you will interact with council, testify in court, and report on your findings. In many
ways, this is the most important part of the forensics process.
Part V: Putting It All Together
This section is all about the application of what we’ve discussed in the earlier parts of the
book. We look at different types of investigations through the lens of computer forensics
and how it can help create the bigger picture.
The Basic Building Blocks: Attacks and Countermeasures
This format should be very familiar to anyone who has read a Hacking Exposed book
before. How we define attacks and countermeasures for forensics, however, is a bit
different than in past books.
HACKING EXPOSED™
COMPUTER FORENSICS
SECOND EDITION
REVIEWS
“Computer forensics has become increasingly important to modern incident
responders attempting to defend our digital castles. Hacking Exposed Computer
Forensics, Second Edition, picks up where the first edition left off and provides a
valuable reference, useful to both beginning and seasoned forensic professionals. I
picked up several new tricks from this book, which I am already putting to use.”
—Monty McDougal, Raytheon Information Security Solutions, and author of
the Windows Forensic Toolchest (WFT) (www.foolmoon.net)
“Hacking Exposed Computer Forensics, Second Edition, is an essential reference for
both new and seasoned investigators. The second edition continues to provide
valuable information in a format that is easy to understand and reference.”
—Sean Conover, CISSP, CCE, EnCE
“This book is an outstanding point of reference for computer forensics and
certainly a must-have addition to your forensic arsenal.”
—Brandon Foley, Manager of Enterprise IT Security, Harrah’s Operating Co.
“Starts out with the basics then gets DEEP technically. The addition of IP theft and
fraud issues is timely and make this second edition that much more valuable. This
is a core book for my entire forensics group.”
—Chris Joerg, CISSP CISA/M, Director of Enterprise Security,
Mentor Graphics Corporation
“A must-read for examiners suddenly faced with a Mac or Linux exam after
spending the majority of their time analyzing Windows systems.”
—Anthony Adkison, Criminal Investigator and Computer Forensic Examiner,
CFCE/EnCE
“This book is applicable to forensic investigators seeking to hone their skills, and
it is also a powerful tool for corporate management and outside counsel seeking to
limit a company’s exposure.”
—David L. Countiss, Esq., partner, Seyfarth Shaw LLP
“I have taught information security at a collegiate level and in a corporate
setting for many years. Most of the books that I have used do not make it easy
for the student to learn the material. This book gives real-world examples,
various product comparisons, and great step-by-step instruction, which makes learning easy.”
—William R Holland, Chief Security Officer, Royce LLC
Screenshot
Purchase Now !
Just with Paypal
Just with Paypal
Product details
Price
|
|
|---|---|
File Size
| 11,895 KB |
Pages
|
545 p |
File Type
|
PDF format |
ISBN
| 978-0-07-162678-1 |
Copyright
| 2010 by The McGraw-Hill Companies |
AT A GLANCE
Part I Preparing for an Incident
▼ 1 The Forensics Process
▼ 2 Computer Fundamentals
▼ 3 Forensic Lab Environment Preparation
Part II Collecting the Evidence
▼ 4 Forensically Sound Evidence Collection
▼ 5 Remote Investigations and Collections
Part III Forensic Investigation Techniques
▼ 6 Microsoft Windows Systems Analysis
▼ 7 Linux Analysis
▼ 8 Macintosh Analysis
▼ 9 Defeating Anti-forensic Techniques
▼ 10 Enterprise Storage Analysis
▼ 11 E-mail Analysis
▼ 12 Tracking User Activity
▼ 13 Forensic Analysis of Mobile Devices
Part IV Presenting Your Findings
▼ 14 Documenting the Investigation
▼ 15 The Justice System
Part V Putting It All Together
▼ 16 IP Theft
▼ 17 Employee Misconduct
▼ 18 Employee Fraud
▼ 19 Corporate Fraud
▼ 20 Organized Cyber Crime
▼ 21 Consumer Fraud
▼ A Searching Techniques
▼ Index
Table of Contents
Acknowledgments . . . . . . . . . . . . . xix
Introduction . . . . . . . . .. . . . . . . . . . . . . xxi
Part I Preparing for an Incident
Case Study: Lab Preparations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Cashing Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Preparing for a Forensics Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
▼ 1 The Forensics Process . . . . . . . . . . . . . . . . . 5
Types of Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
The Role of the Investigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Elements of a Good Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Cross-validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Proper Evidence Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Completeness of Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Management of Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Technical Competency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Explicit Defi nition and Justifi cation for the Process . . . . . . . . . . . . . . 14
Legal Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Flexibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Defi ning a Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Identifi cation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Collection and Preservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Production and Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
After the Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
▼ 2 Computer Fundamentals . . . . . .. . . . . . . . . . 19
The Bottom-up View of a Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
It’s All Just 1s and 0s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Learning from the Past: Giving Computers Memory . . . . . . . . . . . . . 22
Basic Input and Output System (BIOS) . . . . . . . . . . . . . . . . . . . . . . . . . 24
The Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
The Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Types of Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Magnetic Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Optical Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Memory Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
▼ 3 Forensic Lab Environment Preparation . .. . . . . . . . . . 41
The Ultimate Computer Forensic Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
What Is a Computer Forensic Laboratory? . . . . . . . . . . . . . . . . . . . . . . 42
Forensic Lab Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Protecting the Forensic Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Forensic Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Components of a Forensic Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Commercially Available Hardware Systems . . . . . . . . . . . . . . . . . . . . 51
Do-It-Yourself Hardware Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Data Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Forensic Hardware and Software Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Using Hardware Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Using Software Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
The Flyaway Kit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Case Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Bonus: Linux or Windows? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Part II Collecting the Evidence
Case Study: The Collections Agency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Preparations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Revelations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Collecting Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
▼ 4 Forensically Sound Evidence Collection . . . . . . . . . 63
Collecting Evidence from a Single System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Step 1: Power Down the Suspect System . . . . . . . . . . . . . . . . . . . . . . . 65
Step 2: Remove the Drive(s) from the Suspect System . . . . . . . . . . . . 65
Step 3: Check for Other Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Step 4: Record BIOS Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Step 5: Forensically Image the Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Step 6: Record Cryptographic Hashes . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Step 7: Bag and Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Move Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Common Mistakes in Evidence Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
▼ 5 Remote Investigations and Collections . . . . . 97
Privacy Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Remote Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Remote Investigation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Remote Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Remote Collection Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
The Data Is Changing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Policies and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Encrypted Volumes or Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
USB Thumb Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Part III Forensic Investigation Techniques
Case Study: Analyzing the Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Digging for Clues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
We’re Not Done. Yet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Finally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
▼ 6 Microsoft Windows Systems Analysis . . . . . . . . 131
Windows File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Master Boot Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
FAT File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
NTFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Recovering Deleted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Windows Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
▼ 7 Linux Analysis . . . . .. . . . . . . . . 161
The Linux File System (ext2 and ext3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
ext2 Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
ext3/ext4 Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Linux Swap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Linux Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
▼ 8 Macintosh Analysis . . . . . . . . . 175
The Evolution of the Mac OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Looking at a Mac Disk or Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
The GUID Partition Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Partition Entry Array . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Deleted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Recovering Deleted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Concatenating Unallocated Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Scavenging for Unindexed Files and Pruned Nodes . . . . . . . . . . . . . 190
A Closer Look at Macintosh Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Date and Time Stamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Graphics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Web Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Virtual Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
System Log and Other System Files . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Mac as a Forensics Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
▼ 9 Defeating Anti-forensic Techniques . . . . . . . 197
Obscurity Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Privacy Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
The General Solution to Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Wiping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
▼ 10 Enterprise Storage Analysis . . .. . . . . . . . 221
The Enterprise Data Universe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Rebuilding RAIDs in EnCase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Rebuilding RAIDs in Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Working with NAS Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Working with SAN Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Working with Tapes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Accessing Raw Tapes on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Accessing Raw Tapes on UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Commercial Tools for Accessing Tapes . . . . . . . . . . . . . . . . . . . . . . . . . 229
Collecting Live Data from Windows Systems . . . . . . . . . . . . . . . . . . . 231
Full-Text Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Mail Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
▼ 11 E-mail Analysis . . . . . . . . 239
Finding E-mail Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Converting E-mail Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Obtaining Web-based E-mail (Webmail) from Online Sources . . . . . . . . . . . 241
Client-based E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Web-Based E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Internet-Hosted Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Investigating E-mail Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
▼ 12 Tracking User Activity . . . . . . . . 273
Microsoft Offi ce Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Tracking Web Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Internet Explorer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Firefox/Mozilla Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Operating System User Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
UserAssist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
▼ 13 Forensic Analysis of Mobile Devices . . . . . . . . . . 303
Collecting and Analyzing Mobile Device Evidence . . . . . . . . . . . . . . . . . . . . 305
Password-protected Windows Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Part IV Presenting Your Findings
Case Study: Wrapping Up the Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
He Said, She Said… . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
▼ 14 Documenting the Investigation . . . . . . . . 341
Read Me . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Internal Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Construction of an Internal Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Declaration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Construction of a Declaration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Affi davit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Expert Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Construction of an Expert Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
▼ 15 The Justice System . . . . . . . . . 357
The Criminal Court System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
The Civil Justice System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Phase One: Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Phase Two: Commencing Suit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Phase Three: Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Phase Four: Trial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Expert Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Expert Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Nontestifying Expert Consultant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Testifying Expert Witness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Court-Appointed Expert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Expert Interaction with the Court . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Part V Putting It All Together
Case Study: Now What? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Mr. Blink Becomes an Investigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Time to Understand the Business Issues . . . . . . . . . . . . . . . . . . . . . . . . 368
▼ 16 IP Theft . . . . . . . . . . . . . . . . . . . . . 369
What Is IP Theft? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
IP Theft Ramifi cations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Loss of Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Loss of Competitive Advantage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Monetary Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Types of Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Tying It Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
What Was Taken? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Looking at Intent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Estimating Damages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Working with Higher-Ups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Working with Outside Counsel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
▼ 17 Employee Misconduct . . . . . . . . . . . . . 393
What Is Employee Misconduct? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Ramifi cations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Disruptive Work Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Investigations by Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Lawsuits Against an Employer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Monetary Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Types of Misconduct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Inappropriate Use of Corporate Resources . . . . . . . . . . . . . . . . . . . . . 399
Making Sense of It All . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Employment Discrimination/Harassment . . . . . . . . . . . . . . . . . . . . . . 404
Violation of Non-compete/Non-solicitation Agreements . . . . . . . . . 407
Tying It Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
What Is the Risk to the Company? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Looking at Intent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Estimating Damages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Working with Higher-Ups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Working with Outside Counsel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
▼ 18 Employee Fraud . .. . . . . . 417
What Is Employee Fraud? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Ramifi cations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Monetary Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Investigations by Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Criminal Penalties and Civil Lawsuits . . . . . . . . . . . . . . . . . . . . . . . . . 420
Types of Employee Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Asset Misappropriation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Corruption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Tying It Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
What Is the Story? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Estimating Losses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Working with Higher-Ups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Working with Outside Counsel and Investigators . . . . . . . . . . . . . . . 434
▼ 19 Corporate Fraud . . . . . . . . . . . . . 435
What Is Corporate Fraud? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Ramifi cations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Impact to Shareholders and the Public . . . . . . . . . . . . . . . . . . . . . . . . . 437
Regulatory Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Investigations and Litigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Types of Corporate Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Accounting Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Securities Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
▼ 20 Organized Cyber Crime . . . . . . . 453
The Changing Landscape of Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
The Russian Business Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Infrastructure and Bot-Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
The Russian-Estonian Confl ict . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Effects on Western Companies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Types of Hacks and the Role of Computer Forensics . . . . . . . . . . . . . . . . . . . 457
Bot/Remote Control Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Traditional Hacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Money Laundering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Anti-Money Laundering Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
The Mechanics of Laundering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
The Role of Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
▼ 21 Consumer Fraud . . . . .. . . 471
What Is Consumer Fraud? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Ramifi cations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Impact to Consumers and the Public . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Regulatory Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Investigations and Litigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Types of Consumer Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Investment Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Mortgage Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Tying It Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
▼ A Searching Techniques . . .. . . . . . . 493
Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Theory and History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
The Building Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Constructing Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
▼ Index . . . . . . . . . . . . . . . . . . . . . 499
●▬▬▬▬▬❂❂❂▬▬▬▬▬●
●▬▬❂❂▬▬●
●▬❂▬●
●❂●
═════● ●═════
