Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes

Table of Contents

Disclaimer
Introduction
  Background
  Dimensions of the Problem
  Computer Forensics
  Works Cited

Section I: Cyber Forensics
  Chapter List

Chapter 1: The Goal of the Forensic Investigation
  Overview
  Why Investigate
  Internet Exceeds Norm
  Inappropriate E-mail
  Non-Work-Related Usage of Company Resources
  Theft of Information
  Violation of Security Parameters
  Intellectual Property Infraction
  Electronic Tampering
  Establishing a Basis or Justification to Investigate
  Determine the Impact of Incident
  Who to Call/Contact
  If You Are the Auditor/Investigator
  Resources
  Authority
  Obligations/Goals
  Reporting Hierarchy
  Escalation Procedures
  Time Frame
  Procedures
  Precedence
  Independence

Chapter 2: How to Begin a Non-Liturgical Forensic Examination
  Overview
  Isolation of Equipment
  Cookies
  Bookmarks
  History Buffer
  Cache
  Temporary Internet Files
  Tracking of Logon Duration and Times
  Recent Documents List
  Tracking of Illicit Software Installation and Use
  The System Review
  The Manual Review
  Hidden Files
  How to Correlate the Evidence
  Works Cited

Chapter 3: The Liturgical Forensic Examination: Tracing Activity on a Windows-Based Desktop
  Gathering Evidence for Prosecution Purposes
  Gathering Evidence Without Intent to Prosecute
  The Microsoft Windows-Based Computer
  General Guidelines to Follow
  Cookies
  Bookmarks/Favorites
  Internet Explorer's History Buffer
  Temporary Storage on the Hard Drive
  Temporary Internet Files
  System Registry
  Enabling and Using Auditing via the Windows Operating System
  Confiscation of Computer Equipment
  Other Methods of Covert Monitoring

Chapter 4: Basics of Internet Abuse: What is Possible and Where to Look Under the Hood
  Terms
  Types of Users
  E-Mail Tracking
  IP Address Construction
  Browser Tattoos
  How an Internet Search Works
  Swap Files
  ISPs
  Servers
  Works Cited

Chapter 5: Tools of the Trade: Automated Tools Used to Secure a System Throughout the Stages of a Forensic Investigation
  Overview
  Detection Tools
  Protection Tools
  Analysis Tools

Chapter 6: Network Intrusion Management and Profiling
  Overview
  Common Intrusion Scenarios
  Intrusion Profiling
  Creating the Profile
  Conclusion

Chapter 7: Cyber Forensics and the Legal System
  Overview
  How the System Works
  Issues of Evidence
  Hacker, Cracker, or Saboteur
  Best Practices
  Notes
  Acknowledgments

Section II: Federal and International Guidelines
  Chapter List
  References

Chapter 8: Searching and Seizing Computers and Obtaining Electronic Evidence
  Recognizing and Meeting Title III Concerns in Computer Investigations
  Computer Records and the Federal Rules of Evidence
  Proposed Standards for the Exchange of Digital Evidence
  Recovering and Examining Computer Forensic Evidence
  International Principles for Computer Evidence

Chapter 9: Computer Crime Policy and Programs
  The National Infrastructure Protection Center Advisory 01-003
  The National Information Infrastructure Protection Act of 1996
  Distributed Denial of Service Attacks
  The Melissa Virus

Cybercrime

Evidence of Evolution
By: OpenStaxCollege

The evidence for evolution is compelling and extensive. Looking at every level of organization in living systems, biologists see the signature of past and present evolution. Darwin dedicated a large portion of his book, On the Origin of Species, to identifying patterns in nature that were consistent with evolution, and since Darwin our understanding has become clearer and broader.

Fossils

Fossils provide solid evidence that
organisms from the past are not the same as those found today; fossils show a progression of evolution. Scientists determine the age of fossils and categorize them from all over the world to determine when the organisms lived relative to each other. The resulting fossil record tells the story of the past and shows the evolution of form over millions of years ([link]). For example, highly detailed fossil records have been recovered for sequences of species in the evolution of whales and modern horses. The fossil record of horses in North America is especially rich, and many sites contain transition fossils: those showing intermediate anatomy between earlier and later forms. The fossil record extends back to a dog-like ancestor some 55 million years ago that gave rise to the first horse-like species 55 to 42 million years ago in the genus Eohippus. The series of fossils tracks the change in anatomy resulting from a gradual drying trend that changed the landscape from a forested one to a prairie. Successive fossils show the evolution of teeth shapes and foot and leg anatomy to a grazing habit, with adaptations for escaping predators, for example in species of Mesohippus found from 40 to 30 million years ago. Later species showed gains in size, such as those of Hipparion, which existed from about 23 to million years ago. The fossil record shows several adaptive radiations in the horse lineage, which is now much reduced to only one genus, Equus, with several species.

Figure: This illustration shows an artist's renderings of these species derived from fossils of the evolutionary history of the horse and its ancestors. The species depicted are only four from a very diverse lineage that contains many branches, dead ends, and adaptive radiations. One of the trends depicted here is the evolutionary tracking of a drying climate and increase in prairie versus forest habitat, reflected in forms that are more adapted to grazing and predator escape through running. Przewalski's horse
is one of a few living species of horse.

Anatomy and Embryology

Another type of evidence for evolution is the presence of structures in organisms that share the same basic form. For example, the bones in the appendages of a human, dog, bird, and whale all share the same overall construction ([link]). That similarity results from their origin in the appendages of a common ancestor. Over time, evolution led to changes in the shapes and sizes of these bones in different species, but they have maintained the same overall layout, evidence of descent from a common ancestor. Scientists call these corresponding parts homologous structures. Some structures exist in organisms that have no apparent function at all and appear to be residual parts from a past ancestor. For example, some snakes have pelvic bones despite having no legs, because they descended from reptiles that did have legs. These unused structures without function are called vestigial structures. Other examples of vestigial structures are wings on flightless birds (which may have other functions), leaves on some cacti, traces of pelvic bones in whales, and the sightless eyes of cave animals.

Figure: The similar construction of these appendages indicates that these organisms share a common ancestor.

Another line of evidence for evolution is the convergence of form in organisms that share similar environments. For example, species of unrelated animals, such as the arctic fox and the ptarmigan (a bird), living in the arctic region have temporary white coverings during winter to blend with the snow and ice ([link]). The similarity occurs not because of common ancestry (indeed, one covering is of fur and the other of feathers) but because of similar selection pressures: the benefits of not being
seen by predators.

Figure: The white winter coat of (a) the arctic fox and (b) the ptarmigan's plumage are adaptations to their environments. (credit a: modification of work by Keith Morehouse)

Embryology, the study of the development of the anatomy of an organism to its adult form, also provides evidence of relatedness between now widely divergent groups of organisms. Structures that are absent in some groups often appear in their embryonic forms and disappear by the time the adult or juvenile form is reached. For example, ...

[...]

THE COLLAPSE OF THE THEORY OF EVOLUTION IN 20 QUESTIONS

... one of the major difficulties facing the theory of evolution. Another terrible dilemma from the point of view of evolution is the DNA molecule in the nucleus of the living cell, a coding system with 3.5 billion units containing all the details of life. The structure of DNA was worked out using X-ray crystallography in the early 1950s, and it is a giant molecule with ...

... have made them. In all discernible morphological features, the feet of the individuals that made the trails are indistinguishable from those of modern humans. Impartial examinations of the footprints revealed their real owners. In reality, these footprints consisted of 20 fossilized footprints of a 10-year-old modern human and 27 footprints of an ...

... the theory of evolution, because evolution maintains that living phyla increased in stages, like the branches of a tree. The evolutionists who drew up the figure try to gloss over this gap by talking about "theoretical links." We can see pale lines at the bottom of the figure joining the coloured boxes (in other words, genuine phyla of which fossil remains have been found). These are imaginary links ...
... by the theory of evolution, but of which no evidence has ever been found. If the theory of evolution were true, if these links were real and not imaginary, then fossils of transitional groups should have been discovered. Despite all the fossil research of the last 150 years, the fact that these links are still just a dream shows that the theory of evolution is nothing but a fantasy. ...

... fossil remains. Evolutionists look for ...

From the time Darwin's theory came to dominate science to the present day, paleontology has considered the theory its very basis. Despite this, however, excavations in many parts of the world have produced results that conflict with the theory instead of backing it up. Fossils show that different living groups ...

... come about by chance in the primitive and uncontrolled conditions in the early days of the Earth, as evolutionists would have us believe, it cannot even be synthesized in the most advanced laboratories of the twentieth century. Amino acids, the building blocks of the proteins that make up the living cell, cannot of themselves build such organelles in the cell.

Why is the Theory of Evolution not Scientifically ...
... hundred years of intense collecting efforts since the time of Darwin's death, the fossil record still does not yield the picture of infinitely numerous transitional links that he expected.[5]

The Cambrian Explosion is enough to tear down the theory of evolution

The world of living things is divided by

Virology Journal (BioMed Central), Open Access Research

Temporal and geographic evidence for evolution of Sin Nombre virus using molecular analyses of viral RNA from Colorado, New Mexico and Montana

William C Black IV (1), Jeffrey B Doty (2), Mark T Hughes (2), Barry J Beaty (2) and Charles H Calisher* (2)

Address: (1) Department of Microbiology, Immunology & Pathology, College of Veterinary Medicine and Biomedical Sciences, Colorado State University, Fort Collins, Colorado, USA; (2) Arthropod-borne and Infectious Diseases Laboratory, Department of Microbiology, Immunology & Pathology, College of Veterinary Medicine and Biomedical Sciences, Colorado State University, Fort Collins, Colorado, USA

Email: William C Black - wcb4@lamar.colostate.edu; Jeffrey B Doty - jdoty@colostate.edu; Mark T Hughes - mthughes@lamar.colostate.edu; Barry J Beaty - bbeaty@colostate.edu; Charles H Calisher* - calisher@cybersafe.net
* Corresponding author

Abstract

Background: All viruses in the family Bunyaviridae possess a tripartite genome, consisting of a small, a medium, and a large RNA segment. Bunyaviruses therefore possess considerable evolutionary potential, attributable both to intramolecular changes and to genome segment reassortment. Hantaviruses (family Bunyaviridae, genus Hantavirus) are known to cause human hemorrhagic fever with renal syndrome or hantavirus pulmonary syndrome. The primary reservoir host of Sin Nombre virus is the deer mouse (Peromyscus maniculatus), which is widely distributed in North America.
We investigated the prevalence of intramolecular changes and of genomic reassortment among Sin Nombre viruses detected in deer mice in three western states.

Methods: Portions of the Sin Nombre virus small (S) and medium (M) RNA segments were amplified by RT-PCR from kidney, lung, liver and spleen of seropositive peromyscine rodents, principally deer mice, collected in Colorado, New Mexico and Montana from 1995 to 2007. Both a 142 nucleotide (nt) amplicon of the M segment, encoding a portion of the G2 transmembrane glycoprotein, and a 751 nt amplicon of the S segment, encoding part of the nucleocapsid protein, were cloned and sequenced from 19 deer mice and from one brush mouse (P. boylii); S RNA but not M RNA was sequenced from one deer mouse, and M RNA but not S RNA from another deer mouse.

Results: Two of 20 viruses were found to be reassortants. Within virus sequences from different rodents, the average rate of synonymous substitutions among all pair-wise comparisons (π_s) was 0.378 in the M segment and 0.312 in the S segment sequences. The replacement substitution rate (π_a) was 7.0 × 10^-4 in the M segment and 17.3 × 10^-4 in the S segment sequences. The low π_a relative to π_s suggests strong purifying selection, and this was confirmed by a Fu and Li analysis. The absolute rate of molecular evolution of the M segment was 6.76 × 10^-3 substitutions/site/year. The absolute age of the M segment tree was estimated to be 37 years. In the S segment the rate of molecular evolution was 1.93 × 10^-3 substitutions/site/year and the absolute age of the tree was 106 years. Assuming that mice were infected with a single Sin Nombre virus genotype, phylogenetic analyses revealed that 10% (2/20) of viruses were reassortants, similar to the 14% (6/43) found in a previous report.

Conclusion: Age estimates from both segments suggest that Sin Nombre virus has evolved within the past 37–106 years.
The rates of evolutionary change reported here suggest that Sin Nombre virus M and S segment reassortment occurs frequently in nature.

Published: 14 July 2009. Virology Journal 2009, 6:102, doi:10.1186/1743-422X-6-102. Received: 8 April 2009; Accepted: 14 July 2009. This article is available from: http://www.virologyj.com/content/6/1/102
© 2009 Black et al; licensee BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License.

Genome Biology 2005, 6:P8 (deposited research article)

Evidence of Functional Selection Pressure for Alternative Splicing Events that Accelerate Evolution of Protein Subsequences

Yi Xing and Christopher Lee
Address: Molecular Biology Institute, Center for Genomics and Proteomics, Dept. of Chemistry and Biochemistry, University of California, Los Angeles, Los Angeles, CA 90095-1570, USA.
Correspondence: Christopher Lee. E-mail: leec@mbi.ucla.edu. Tel: 310-825-7374. Fax: 310-206-7286.

Posted: 11 April 2005. Received: 6 April 2005. The electronic version of this article is the complete one and can be found online at http://genomebiology.com/2005/6/5/P8
© 2005 BioMed Central Ltd. This is the first version of this article to be made available publicly and no other version is available at present. This is a deposited preprint and has not been peer-reviewed; responsibility for the findings rests solely with the author(s).

Draft 13, February 11, 2005

Abstract

Recently, it was proposed that alternative splicing may act as a mechanism for opening accelerated paths of evolution by reducing negative selection pressure, but there has been little evidence so far whether this could produce adaptive benefit. Here we employ metrics of very different types of selection pressures (e.g. against amino acid mutations (Ka/Ks); against mutations at synonymous sites (Ks); and for protein reading-frame preservation) to address this question via genome-wide analyses of human, chimpanzee, mouse, and rat.
These data show that alternative splicing relaxes Ka/Ks selection pressure up to seven-fold, but intriguingly that this effect is accompanied by a strong increase in selection pressure against synonymous mutations, which propagates into the adjacent intron and correlates strongly with the alternative splicing level observed for each exon. These effects are highly local to the alternatively spliced exon. Comparisons of these four genomes consistently show an increase in the density of amino acid mutations (Ka) in alternatively spliced exons, and a decrease in the density of synonymous mutations (Ks). This selection pressure against synonymous mutations in alternatively spliced exons was accompanied in all four genomes by a striking increase in selection pressure for protein reading-frame preservation, and both increased markedly with increasing evolutionary age. Restricting our analysis to a subset of exons with strong evidence for biologically functional alternative splicing produced identical results. Thus alternative splicing apparently can create ...

Evidence of Evolution (OpenStaxCollege, continued)

... mainlands

Molecular Biology

Like anatomical structures, the structures of the molecules of life reflect descent with modification. Evidence of a common ancestor for all of life ...