Hacking Exposed


  Case Study: Lab Preparations

  Cashing Out

  Preparing for a Forensics Operation

  1 The Forensics Process

  Types of Investigations

  The Role of the Investigator

  Elements of a Good Process

  Cross-validation

  Proper Evidence Handling

  Completeness of Investigation

  Management of Archives

  Technical Competency

  Explicit Definition and Justification for the Process

  Legal Compliance

  Flexibility

  Defining a Process

  Identification

  Collection and Preservation

  Analysis

  Production and Presentation

  After the Investigation

  2 Computer Fundamentals

  The Bottom-up View of a Computer

  It’s All Just 1s and 0s

  Learning from the Past: Giving Computers Memory

  Basic Input and Output System (BIOS)

  The Operating System

  The Applications

  Types of Media

  Magnetic Media

  Optical Media

  Memory Technologies

  3 Forensic Lab Environment Preparation

  The Ultimate Computer Forensic Lab

  What Is a Computer Forensic Laboratory?

  Forensic Lab Security

  Protecting the Forensic Lab

  Forensic Computers

  Components of a Forensic Host

  Commercially Available Hardware Systems

  Do-It-Yourself Hardware Systems

  Data Storage

  Forensic Hardware and Software Tools

  Using Hardware Tools

  Using Software Tools

  The Flyaway Kit

  Case Management

  Bonus: Linux or Windows?

  Part II Collecting the Evidence

  Case Study: The Collections Agency

  Preparations

  Revelations

  Collecting Evidence

  4 Forensically Sound Evidence Collection

  Collecting Evidence from a Single System

  Step 1: Power Down the Suspect System

  Step 2: Remove the Drive(s) from the Suspect System

  Step 3: Check for Other Media

  Step 4: Record BIOS Information

  Step 5: Forensically Image the Drive

  Step 6: Record Cryptographic Hashes

  Step 7: Bag and Tag

  Move Forward

  Common Mistakes in Evidence Collection

  5 Remote Investigations and Collections

  Privacy Issues

  Remote Investigations

  Remote Investigation Tools

  Remote Collections

  Remote Collection Tools

  The Data Is Changing

  Policies and Procedures

  Encrypted Volumes or Drives

  USB Thumb Drives

  Part III Forensic Investigation Techniques

  Case Study: Analyzing the Data

  Digging for Clues

  We’re Not Done. Yet.

  Finally

  6 Microsoft Windows Systems Analysis

  Windows File Systems

  Master Boot Record

  FAT File System

  NTFS

  Recovering Deleted Files

  Limitations

  Windows Artifacts

  7 Linux Analysis

  The Linux File System (ext2 and ext3)

  ext2 Structure

  ext3/ext4 Structure

  Linux Swap

  Linux Analysis

  8 Macintosh Analysis

  The Evolution of the Mac OS

  Looking at a Mac Disk or Image

  The GUID Partition Table

  Partition Entry Array

  Deleted Files

  Recovering Deleted Files

  Concatenating Unallocated Space

  Scavenging for Unindexed Files and Pruned Nodes

  A Closer Look at Macintosh Files

  Archives

  Date and Time Stamps

  E-mail

  Graphics

  Web Browsing

  Resources

  Virtual Memory

  System Log and Other System Files

  Mac as a Forensics Platform

  9 Defeating Anti-forensic Techniques

  Obscurity Methods

  Privacy Measures

  Encryption

  The General Solution to Encryption

  Wiping

  10 Enterprise Storage Analysis

  The Enterprise Data Universe

  Rebuilding RAIDs in EnCase

  Rebuilding RAIDs in Linux

  Working with NAS Systems

  Working with SAN Systems

  Working with Tapes

  Accessing Raw Tapes on Windows

  Accessing Raw Tapes on UNIX

  Commercial Tools for Accessing Tapes

  Collecting Live Data from Windows Systems

  Full-Text Indexing

  Mail Servers

  11 E-mail Analysis

  Finding E-mail Artifacts

  Converting E-mail Formats

  Obtaining Web-based E-mail (Webmail) from Online Sources

  Client-based E-mail

  Web-Based E-mail

  Internet-Hosted Mail

  Investigating E-mail Headers

  12 Tracking User Activity

  Microsoft Office Forensics

  Tracking Web Usage

  Internet Explorer Forensics

  Firefox/Mozilla Forensics

  Operating System User Logs

  UserAssist

  13 Forensic Analysis of Mobile Devices

  Collecting and Analyzing Mobile Device Evidence

  Password-protected Windows Devices

  Conclusion

  Part IV Presenting Your Findings

  Case Study: Wrapping Up the Case

  He Said, She Said

  14 Documenting the Investigation

  Read Me

  Internal Report

  Construction of an Internal Report

  Declaration

  Construction of a Declaration

  Affidavit

  Expert Report

  Construction of an Expert Report

  15 The Justice System

  The Criminal Court System

  The Civil Justice System

  Phase One: Investigation

  Phase Two: Commencing Suit

  Phase Three: Discovery

  Phase Four: Trial

  Expert Status

  Expert Credentials

  Nontestifying Expert Consultant

  Testifying Expert Witness

  Court-Appointed Expert

  Expert Interaction with the Court

  Part V Putting It All Together

  Case Study: Now What?

  Mr. Blink Becomes an Investigator

  Time to Understand the Business Issues

  16 IP Theft

  What Is IP Theft?

  IP Theft Ramifications

  Loss of Customers

  Loss of Competitive Advantage

  Monetary Loss

  Types of Theft

  Technology

  Tying It Together

  What Was Taken?

  Looking at Intent

  Estimating Damages

  Working with Higher-Ups

  Working with Outside Counsel

  17 Employee Misconduct

  What Is Employee Misconduct?

  Ramifications

  Disruptive Work Environment

  Investigations by Authorities

  Lawsuits Against an Employer

  Monetary Loss

  Types of Misconduct

  Inappropriate Use of Corporate Resources

  Making Sense of It All

  Employment Discrimination/Harassment

  Violation of Non-compete/Non-solicitation Agreements

  Tying It Together
  What Is the Risk to the Company?

  Looking at Intent

  Estimating Damages

  Working with Higher-Ups

  Working with Outside Counsel

  18 Employee Fraud

  What Is Employee Fraud?

  Ramifications

  Monetary Loss

  Investigations by Authorities

  Criminal Penalties and Civil Lawsuits

  Types of Employee Fraud

  Asset Misappropriation

  Corruption

  Tying It Together

  What Is the Story?

  Estimating Losses

  Working with Higher-Ups

  Working with Outside Counsel and Investigators

  19 Corporate Fraud

  What Is Corporate Fraud?

  Ramifications

  Impact to Shareholders and the Public

  Regulatory Changes

  Investigations and Litigation

  Types of Corporate Fraud

  Accounting Fraud

  Securities Fraud

  20 Organized Cyber Crime

  The Changing Landscape of Hacking

  The Russian Business Network

  Infrastructure and Bot-Nets

  The Russian-Estonian Conflict

  Effects on Western Companies

  Types of Hacks and the Role of Computer Forensics

  Bot/Remote Control Malware

  Traditional Hacks

  Money Laundering

  Anti-Money Laundering Software

  The Mechanics of Laundering

  The Role of Computer Forensics

  21 Consumer Fraud

  What Is Consumer Fraud?

  Ramifications

  Impact to Consumers and the Public

  Regulatory Environment

  Investigations and Litigation

  Types of Consumer Fraud

  Identity Theft

  Investment Fraud

  Mortgage Fraud

  Tying It Together

  A Searching Techniques

  Regular Expressions

  Theory and History

  The Building Blocks

  Constructing Regular Expressions

  Index

  ACKNOWLEDGMENTS

  “A good writer possesses not only his own spirit but also the spirit of his friends.”

  —Friedrich Nietzsche

  We simply could not have done this without the help of many, many people. It was an amazing challenge to coordinate the necessary depth of corporate, legal, criminal, and technical expertise across so many subjects. Many old and new friends donated knowledge, time, techniques, tools, and much more to make this project a success. We are truly grateful to each of you.

  The wonderful and overworked team at McGraw-Hill is outstanding. We sincerely appreciate your dedication, coaching, and long hours during the course of this project. Jane Brownlow, this book is a result of your tireless dedication to the completion of this project. You are truly one of the best in the business. We would also like to extend a big round of thanks to Joya Anthony, our acquisition coordinator and honorary coxswain. Thanks to LeeAnn Pickrell for seeing us through to the finish line.

  A special thank you goes to Jean Domalis, Todd Lester, John Loveland, and Louis Scharringhausen for their contributing work and thorough reviews. Jean, as always, your work is fantastic. You truly play to a standard in everything you do and it shows. Todd, you went above and beyond and the book is a world better for it. John, thank you for the vision and strategic input on the structure of the new sections. Louis, your attention to detail and desire to know the right answer is a huge asset. You were a fantastic technical editor.

  Lastly, a special note of remembrance for Bill Siebert. He wrote the foreword for the first edition of the book, donating his time when none of us knew how the book would be received. Unfortunately Bill passed in December 2008. Bill, you and your family are in our thoughts.

  —The Authors

  I would like to thank my fellow authors for their tireless work and many long nights getting this book done.

  Thanks to everyone at Navigant Consulting. A special thanks to the entire Austin office, especially Travis Casner, Cade Satterfield, Adam Scheive, and Zarin Behramsha for their assistance with the research on the new sections. Also, a special note of thanks to Kris Swanson and Todd Marlin for ideas and guidance throughout both this book and our other case work.

  John, Jean, and Louis, I am proud to say that we were on the same team. You guys are great. John, you have always had my back, and I have learned a ton from you. Here is to success and building it the right way.

  To Susan and Lauren, I cannot express my gratitude enough for your patience with me as Todd and I worked on the book weekend after weekend. Todd, thanks for everything, not just the book. You do the Longhorn nation proud and I will beat you one of these years at the Shiner GASP. Na zdorov’e.

  Thanks to Fr. Patrick Johnson for all the sage advice and for reminding me of the importance of balance in life. St. Austin Catholic Parish in Austin, Texas, has truly become an anchor in my life.

  Thanks to Chris Sweeny, Jonathan McCoy, and all of my teammates and brothers on the University of Texas Rugby Team. You taught me mental toughness, brotherhood, the value of perseverance, and how to never give up.

  Thanks to Larry Leibrock and David Burns for introducing me to forensics and treating me so well while I was at the McCombs School of Business. And to every one of my computer science professors for showing me how much I still have to learn.

  A huge thank you to Robert Groshon and Bradley O. Brauser for believing in me all those years ago.

  Thanks to Peggy Cheung for being such a great friend. Your selling me the 2006 Rose Bowl tickets at face value goes as one of the greatest demonstrations of friendships I have ever witnessed. I am very sorry I stopped texting you game updates in the third quarter, and I still have no idea how much that phone call to Hong Kong cost me.

  Finally, I would like to give another thank you to my family, my mother and father who gave me my first computer when I was seven, and my sister Renee.

  —Aaron Philipp

  INTRODUCTION

  “This is not an incident response handbook.” This was the first line of the introduction for the first edition. Little did we know at the time how much computer forensics would change since the book was first published in 2004. Computer forensics is changing the way investigations are done, even investigations previously thought to be outside the four corners of technology investigations.

  If you look at what happened with the economy in 2008 and 2009, the subprime mortgage meltdown, the credit crisis, and all of the associated fraud that has been uncovered, you can see the vital role that computer forensics plays in the process. Before the prevalence of technology in corporations, all investigators had to go on were paper documents and financial transactions. With the addition of computer forensics as a tool, we can better identify not only what happened at a certain point in time, but also, in some cases, the intent of the individuals involved. Multibillion-dollar fraud schemes are being blown open by the discovery of a single e-mail or thumb drive. Computer forensics is front and center in changing the way these investigations are conducted.

  HOW THIS BOOK IS ORGANIZED

  We have broken this book into five parts, reflective of the different stages of the investigation.

  Part I: Preparing for an Incident

  This section discusses how to develop a forensics process and set up the lab environment needed to conduct your investigation in an accurate and skillful manner. In addition, it lays the technical groundwork for the rest of the book.

  Part II: Collecting the Evidence

  These chapters teach you how to effectively find, capture, and prepare evidence for investigation. Additionally, we highlight how the law applies to evidence collection.

  Part III: Forensic Investigation Techniques

  This section illustrates how to apply recovery techniques to investigations from the evidence you have collected across many platforms and scenarios found in corporate settings. We introduce field-tested methods and techniques for recovering suspect activities.

  Part IV: Presenting Your Findings

  The legal environment of technical forensics is the focus of this section. We discuss how you will interact with counsel, testify in court, and report on your findings. In many ways, this is the most important part of the forensics process.

  Part V: Putting It All Together

  This section is all about the application of what we’ve discussed in the earlier parts of the book. We look at different types of investigations through the lens of computer forensics and how it can help create the bigger picture.

  The Basic Building Blocks: Attacks and Countermeasures

  This format should be very familiar to anyone who has read a Hacking Exposed book before. How we define attacks and countermeasures for forensics, however, is a bit different from past books.

  This is an attack icon.

  In previous Hacking Exposed books, this icon was used to denote a type of attack that could be launched against your network or target. In this book, the attack icon relates to procedures, techniques, and concerns that threaten to compromise your investigation.

  For instance, failing to properly image a hard drive is labeled an attack with a very high risk rating. This is because you will see it often, creating an image is not difficult, and if you accidentally write to the disk while imaging, your whole investigation may be compromised no matter what else you do correctly.

  This is a countermeasure icon.

  In this book, the countermeasure icon represents the ways you can protect the investigation against the corresponding attack. In our hard drive example, this means correctly hashing the drive and verifying that hash against the image after you have taken it.
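  The hard drive countermeasure, written out as an added example (this is editor-supplied code, not from the book or its companion site): hash the source before imaging, copy it sector by sector with dd, hash both the image and the source again, record all three hashes, and re-verify the image from that record before later analysis. It assumes a POSIX shell with dd and either sha256sum (coreutils) or shasum (BSD/macOS), and it assumes the source is attached through a hardware write blocker; nothing in the script enforces that. The record file layout (key=value lines) is this example's own convention.

```shell
#!/bin/sh
# Added example: forensic imaging with before/after hash verification.
# Assumes: POSIX sh, dd, and sha256sum or shasum on PATH; the source device
# is behind a hardware write blocker (not enforced here).

# Print the hex SHA-256 of a file or block device.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SOURCE IMAGE RECORD
# Hashes SOURCE, copies it to IMAGE, then hashes IMAGE and SOURCE again and
# appends all three hashes to RECORD. Returns 0 only if all three match:
# image == source proves the copy is complete, source-after == source-before
# proves the source was not altered while you touched it.
# bs must equal the device sector size: conv=sync pads a short read up to bs
# with zeros, so any other bs silently changes the image and its hash.
image_and_verify() {
    src=$1
    img=$2
    rec=$3
    before=$(hash_file "$src") || return 2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    image=$(hash_file "$img") || return 2
    after=$(hash_file "$src") || return 2
    {
        printf 'source=%s\n' "$src"
        printf 'image=%s\n' "$img"
        printf 'sha256_source_before=%s\n' "$before"
        printf 'sha256_image=%s\n' "$image"
        printf 'sha256_source_after=%s\n' "$after"
    } >> "$rec"
    [ "$before" = "$image" ] && [ "$image" = "$after" ]
}

# verify_image IMAGE RECORD
# Re-hashes IMAGE and compares it with the sha256_image value written at
# collection time. Run before every analysis session and before handing the
# image to anyone else; a mismatch means the image is no longer evidence.
verify_image() {
    img=$1
    rec=$2
    expected=$(sed -n 's/^sha256_image=//p' "$rec" | tail -n 1)
    [ -n "$expected" ] || return 2
    [ "$(hash_file "$img")" = "$expected" ]
}
```

  Typical use is `image_and_verify /dev/sdb /evidence/case01/sdb.dd /evidence/case01/hashes.txt` at collection, then `verify_image /evidence/case01/sdb.dd /evidence/case01/hashes.txt` whenever the image is opened. A nonzero exit from either call should stop the work, not be noted and worked around.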

  Other Visual Aids

  We have also made use of several other visual icons that help point out fine details or gotchas that are frequently overlooked.

  ONLINE RESOURCES

  Forensics is a constantly changing field. In addition, there are things we weren’t able to include because they were outside the scope of the book. For these reasons, we have created a Web site that contains additional information, corrections for the book, and electronic versions of the things discussed in these pages. The URL is www.hackingexposedforensics.com.