incident response & computer forensics, 2nd ed.


Document information

INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION

CHRIS PROSISE
KEVIN MANDIA

McGraw-Hill/Osborne
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

Copyright © 2003 by The McGraw-Hill Companies, Inc. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

0-07-223037-1

The material in this eBook also appears in the print version of this title: 0-07-222696-X

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at george_hoare@mcgraw-hill.com or (212) 904-4069.
TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS”. McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages.
This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

DOI: 10.1036/0072230371

To my mom, who had the unfortunate timing of being in the same place as a moving green van. May her recovery continue, although her professional tennis career is arguably in jeopardy. And to Howard, for somehow, some way, nursing her back to recovery. Your patience is remarkable.
– Kevin

Emily and Jimmy, thanks for your patience and support.
– Chris

To James and Daniel, whose friendship and trust I am honored to hold, and to mom and dad, who raised the three of us in a manner that could guarantee success.
– Matt

About the Authors

Kevin Mandia

Kevin Mandia is the Director of Computer Forensics at Foundstone, Inc., an Internet security firm. As a special agent, consultant, and instructor, Kevin has amassed a wealth of experience performing incident response and computer forensics. Prior to joining Foundstone, Kevin was a special agent with the Air Force Office of Special Investigations (AFOSI), where he specialized in investigating computer intrusion cases. After leaving the AFOSI, Kevin developed a two-week computer intrusion response course, specifically designed at the request of the FBI. Kevin taught at the FBI Academy for more than a year, where over 300 FBI agents specializing in computer intrusion cases have attended his courses. The content of the courses was tailored to meet the special needs of law enforcement, intelligence officers, and individuals who must understand the way computer networks operate and the methods attackers use to exploit networks. Kevin has also provided computer intrusion and forensic training courses to other customers, including the State Department, the Royal Canadian Mounted Police, the CIA, NASA, Prudential, several international banks, and the United States Air Force.

At Foundstone, Kevin leads a team of computer forensic specialists who have responded to more than 50 computer security incidents at e-commerce, financial service, and health care organizations in the past two years. These incidents range from organized crime pilfering millions of dollars’ worth of merchandise to responding to theft of intellectual property.

Kevin holds a B.S. degree in computer science from Lafayette College and an M.S. degree in Forensic Science from George Washington University. He is a Certified Information Systems Security Professional (CISSP), and he teaches a graduate-level class on incident response at Carnegie Mellon University.

Chris Prosise

Chris Prosise is Vice President of Professional Services for Foundstone, Inc. He co-founded the company and launched Foundstone’s international professional services practice. This expanding practice enables companies ranging from early-stage startups to the largest Global 500 corporations to develop a strong, long-term security foundation tailored to their unique business needs. Chris has extensive experience in security consulting and incident response. An adjunct professor at Carnegie Mellon University, he teaches graduate students the latest techniques in computer security and serves as a faculty advisor. Chris is a featured speaker at conferences such as Networld+Interop, Infragard, LegalTech, and the Forum of Incident Response and Security Teams (FIRST), but prefers nurturing trees and wildlife on his farm in Virginia.

Chris began his information security career as an active duty officer at the Air Force Information Warfare Center, where he led incident response and security missions on top-secret government networks. He also developed automated network vulnerability assessment software and coded real-time intrusion detection and denial software. Chris holds a B.S. degree in electrical engineering from Duke University and is a Certified Information Systems Security Professional (CISSP).

About the Contributing Authors

Matt Pepe

Matt Pepe is a Principal Forensics Consultant at Foundstone, Inc. As a forensic analyst and consultant, Matt has performed forensic analysis in more than 100 federal investigations for the Air Force Office of Special Investigations (AFOSI), the FBI, and other government agencies. Prior to joining Foundstone, Matt was a computer forensic analyst for the AFOSI. He was one of the first non-agent analysts used by the organization, and he contributed to the formation of the U.S. Department of Defense (DoD) Computer Forensics Laboratory. In that position, he reviewed media in a large variety of cases, including unauthorized intrusions, fraud, and counterintelligence matters. Upon leaving AFOSI, Matt provided technical investigative support to the FBI National Infrastructure Protection Center. Additionally, Matt led a network penetration testing team and contributed to the development of an enterprise intrusion detection system. At Foundstone, Matt leads incident response and forensic engagements, and conducts research and development for the incident response and forensics practice.

Richard Bejtlich

Richard Bejtlich is a Principal Forensics Consultant at Foundstone, Inc. He performs incident response, digital forensics, security training, and consulting on network security monitoring. Prior to joining Foundstone, Richard served as senior engineer for managed network security operations at Ball Aerospace & Technologies Corporation. Before that, Richard defended global American information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). He led the AFCERT’s real-time intrusion detection mission, supervising 60 civilian and military analysts. Formally trained as a military intelligence officer, Richard holds degrees from Harvard University and the United States Air Force Academy, and he is a Certified Information Systems Security Professional (CISSP). Richard is a contributing author to Hacking Exposed, Fourth Edition and Incident Response & Computer Forensics.

About the Technical Editor

Curtis Rose

Curtis W. Rose is the Director of Investigations & Forensics at Sytex, Inc. Mr. Rose, a former counterintelligence special agent, is a well-recognized forensics and incident response expert. He has provided the U.S. Department of Justice, FBI’s National Infrastructure Protection Center, Air Force Office of Special Investigations, U.S. Army, corporate entities, and state law enforcement with investigative support and training. Mr. Rose has developed specialized software to identify, monitor, and track computer hackers. In addition, he has written affidavits and testified as an expert in U.S. Federal Court.
[...] the Incident Response Process
What Is a Computer Security Incident?
What Are the Goals of Incident Response?
Who Is Involved in the Incident Response Process?
Incident Response Methodology

[...] baseline of knowledge necessary for performing incident response and computer forensics. The chapters in this part provide enough real-world examples for you to get a strong sense of what we mean by computer security incident. We discuss the overall incident response and computer security investigation process, and how an organization can develop an incident response capability that successfully protects [...]

[...] to respond to computer security incidents. Therefore, we wrote this book to illustrate a professional approach to investigating computer security incidents in an effort to help organizations comply with the new standards and regulatory requirements, as well as to minimize losses. [...]

Scripting Your Initial Response
Performing an In-Depth Live Response
Collecting the Most Volatile Data
Creating an In-Depth Response Toolkit
Collecting Live Response Data
Is Forensic Duplication [...]

[...] of forms that are useful for performing incident response, such as sample evidence tags, sample “fly-away kit” checklists, and other forms that many computer security incident response teams will use frequently.

ONLINE RESOURCES

We hope this book will be useful to you whether you are preparing your network defenses or responding to incidents. Because incident response is often very technology specific [...]

[...] connectivity, and the ubiquitous Internet. Any computer can be used for many purposes—just because a computer is located in the workplace does not mean that the computer is used only for work. The pervasive nature of computers and networks means that they are increasingly connected to incidents and crimes. Many incidents not traditionally thought of as computer crime involve computer investigations. For example, [...]

[...] organization’s computer incident and computer forensic matters
• Provide on-site assistance for computer search and seizures
• Adhere to new regulations, standards, and statutes that promote an incident response capability

EASY TO NAVIGATE WITH UNIQUE DESIGN ELEMENTS

Icons

The following icons represent headings you’ll see throughout the book:

What Can Happen
We briefly describe an incident that [...]

Pre-Incident Preparation
Detection of Incidents
Initial Response
Formulate a Response Strategy
Investigate the Incident
Reporting
Resolution
So What?
Questions
[...]
Policies and Procedures
Determining Your Response Stance
Understanding How Policies Can Aid Investigative Steps
Developing Acceptable Use Policies
Designing AUPs
Developing Incident Response Procedures
Creating a Response Toolkit
The Response Hardware
The Response Software
The Networking [...]

AT A GLANCE

Part I Introduction
  1 Real-World Incidents
  2 Introduction to the Incident Response Process
  3 Preparing for Incident Response
  4 After Detection of an Incident

Part II Data Collection
  Live Data Collection from Windows Systems
  Live Data Collection from Unix Systems
  [...]

Posted: 25/03/2014, 11:44

Table of contents

  • INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION

    • Cover

    • About the Authors

    • AT A GLANCE

    • Table of Contents

    • FOREWORD

    • ACKNOWLEDGMENTS

    • INTRODUCTION

    • PART I Introduction

      • CHAPTER 1 Real-World Incidents

        • FACTORS AFFECTING RESPONSE

        • INTERNATIONAL CRIME

          • Welcome to Invita

          • The PathStar Conspiracy

        • TRADITIONAL HACKS

        • SO WHAT?

      • CHAPTER 2 Introduction to the Incident Response Process

        • WHAT IS A COMPUTER SECURITY INCIDENT?

        • WHAT ARE THE GOALS OF INCIDENT RESPONSE?

        • WHO IS INVOLVED IN THE INCIDENT RESPONSE PROCESS?

        • INCIDENT RESPONSE METHODOLOGY

          • Pre-Incident Preparation

          • Detection of Incidents

          • Initial Response

          • Formulate a Response Strategy
