EC-Council | Press

The Experts: EC-Council

EC-Council’s mission is to address the need for well educated and certified information security and e-business practitioners. EC-Council is a global, member-based organization comprised of hundreds of industry and subject matter experts all working together to set the standards and raise the bar in information security certification and education.

EC-Council certifications are viewed as the essential certifications needed where standard configuration and security policy courses fall short. Providing a true, hands-on, tactical approach to security, individuals armed with the knowledge disseminated by EC-Council programs are securing networks around the world and beating the hackers at their own game.

The Solution: EC-Council | Press

The EC-Council | Press marks an innovation in academic text books and courses of study in information security, computer forensics, disaster recovery, and end-user security. By repurposing the essential content of EC-Council’s world class professional certification programs to fit academic programs, the EC-Council | Press was formed. With its full series, comprised of 27 different books, the EC-Council | Press is set to revolutionize global information security programs and ultimately create a new breed of practitioners capable of combating the growing epidemic of cybercrime and the rising threat of cyber war.

This Certification: C|HFI – Computer Hacking Forensic Investigator

Computer Hacking Forensic Investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. The C|HFI materials will give participants the necessary skills to identify an intruder’s footprints and to properly gather the necessary evidence to prosecute.

Additional Certifications Covered By EC-Council Press:

Security|5 – Security|5 is an entry level certification for anyone interested in learning computer networking and security basics. Security|5 means five components of IT security: firewalls, anti-virus, IDS, networking, and web security.

E|DRP – EC-Council Disaster Recovery Professional. E|DRP covers disaster recovery topics, including identifying vulnerabilities, establishing policies and roles to prevent and mitigate risks, and developing disaster recovery plans.

Wireless|5 – Wireless|5 introduces learners to the basics of wireless technologies and their practical adaptation. Learners are exposed to various wireless technologies; current and emerging standards; and a variety of devices.

C|EH – Certified Ethical Hacker. Information assets have evolved into critical components of survival. The goal of the Ethical Hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself or herself, all the while staying within legal limits.

Network|5 – Network|5 covers the ‘Alphabet Soup of Networking’ – the basic core knowledge of how infrastructure enables a work environment, to help students and employees succeed in an integrated work environment.

E|NSA – EC-Council Network Security Administrator. The E|NSA program is designed to provide the fundamental skills needed to analyze the internal and external security threats against a network, and to develop security policies that will protect an organization’s information.

E|CSA – EC-Council Certified Security Analyst. The objective of E|CSA is to add value to experienced security professionals by helping them analyze the outcomes of their tests. It is the only in-depth Advanced Hacking and Penetration Testing certification available that covers testing in all modern infrastructures, operating systems, and application environments.

Investigating Network Intrusions and Cybercrime
EC-Council | Press
A volume of the series mapping to the C|HFI™ Computer Hacking Forensic Investigator certification

Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States

Investigating Network Intrusions and Cybercrime: EC-Council | Press

Course Technology/Cengage Learning Staff:
Vice President, Career and Professional Editorial: Dave Garza
Director of Learning Solutions: Matthew Kane
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Editorial Assistant: Meghan Orvis
Vice President, Career and Professional Marketing: Jennifer Ann Baker
Marketing Director: Deborah Yarnell
Marketing Manager: Erin Coffin
Marketing Coordinator: Shanna Gibbs
Production Director: Carolyn Miller
Production Manager: Andrew Crouth
Content Project Manager: Brooke Greenhouse
Senior Art Director: Jack Pendleton

EC-Council:
President | EC-Council: Sanjay Bavisi
Sr. Director US | EC-Council: Steven Graham

© 2010 EC-Council

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706. For permission to use material from this text or product, submit all requests online at www.cengage.com/permissions. Further permissions questions can be e-mailed to permissionrequest@cengage.com.

Library of Congress Control Number: 2009933550
ISBN-13: 978-1-4354-8352-1
ISBN-10: 1-4354-8352-9

Cengage Learning
Maxwell Drive
Clifton Park, NY 12065-2919
USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

For more learning solutions, please visit our corporate website at www.cengage.com

NOTICE TO THE READER

Cengage Learning and EC-Council do not warrant or guarantee any of the products described herein or perform any independent analysis in connection with any of the product information contained herein. Cengage Learning and EC-Council do not assume, and expressly disclaim, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such instructions. Cengage Learning and EC-Council make no representations or warranties of any kind, including but not limited to, the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and Cengage Learning and EC-Council take no responsibility with respect to such material. Cengage Learning and EC-Council shall not be liable for any special, consequential, or exemplary damages resulting, in whole or part, from the readers’ use of, or reliance upon, this material.

Printed in the United States of America

Brief Table of Contents

Table of Contents v
Preface xvii
Chapter 1 Network Forensics and Investigating Logs 1-1
Chapter 2 Investigating Network Traffic 2-1
Chapter 3 Investigating Web Attacks 3-1
Chapter 4 Router Forensics 4-1
Chapter 5 Investigating DoS Attacks 5-1
Chapter 6 Investigating Internet Crime 6-1
Chapter 7 Tracking E-Mails and Investigating E-Mail Crime 7-1
Chapter 8 Investigating Corporate Espionage 8-1
Chapter 9 Investigating Trademark and Copyright Infringement 9-1
Chapter 10 Investigating Sexual Harassment Incidents 10-1
Chapter 11 Investigating Child Pornography 11-1
Index I-1

Table of Contents

Preface xvii

Chapter 1 Network Forensics and Investigating Logs 1-1
  Objectives 1-1
  Key Terms 1-1
  Case Example 1-1
  Introduction to Network Forensics and Investigating Logs 1-2
  Network Forensics 1-2
    Analyzing Network Data 1-2
    The Intrusion Process 1-2
    Looking for Evidence 1-3
    End-To-End Forensic Investigation 1-3
  Log Files as Evidence 1-3
    Legality of Using Logs 1-4
    Examining Intrusion and Security Events 1-4
    Using Multiple Logs as Evidence 1-5
    Maintaining Credible IIS Log Files 1-5
    Importance of Audit Logs 1-8
  Syslog 1-8
    Tool: Syslog-ng 1-10
    Tool: Socklog 1-10
    Tool: Kiwi Syslog Daemon 1-12
    Tool: Microsoft Log Parser 1-12
    Tool: Firewall Analyzer 1-13
    Tool: Adaptive Security Analyzer (ASA) Pro 1-14
    Tool: GFI EventsManager 1-15
    Tool: Activeworx Security Center 1-17
  Linux Process Accounting 1-18
  Configuring Windows Logging 1-19
    Tool: NTsyslog 1-19
    Tool: EventReporter 1-20
    Tool: EventLog Analyzer 1-20
  Why Synchronize Computer Times? 1-21
    What Is NTP? 1-21
    Configuring the Windows Time Service 1-27
  Chapter Summary 1-28
  Review Questions 1-28
  Hands-On Projects 1-29

Chapter 2 Investigating Network Traffic 2-1
  Objectives 2-1
  Key Terms 2-1
  Case Example 2-2
  Introduction to Investigating Network Traffic 2-2
  Network Addressing Schemes 2-2
    LAN Addressing 2-2
    Internetwork Addressing 2-2
  OSI Reference Model 2-3
  Overview of Network Protocols 2-3
    Data Link Layer 2-4
    Network Layer 2-4
    Transport Layer 2-4
    Session Layer, Presentation Layer, and Application Layer 2-4
  Overview of Physical and Data Link Layers of the OSI Model 2-5
    The Physical Layer 2-5
    The Data Link Layer 2-5
  Overview of Network and Transport Layers of the OSI Model 2-5
    The Network Layer 2-5
    The Transport Layer 2-6
  Types of Network Attacks 2-6
  Why Investigate Network Traffic? 2-6
  Evidence Gathering at the Physical Layer 2-6
    Shared Ethernet 2-6
    Switched Ethernet 2-7
  DNS Poisoning Techniques 2-7
    Intranet DNS Spoofing (Local Network) 2-8
    Internet DNS Spoofing (Remote Network) 2-8
    Proxy Server DNS Poisoning 2-8
    DNS Cache Poisoning 2-8
  Evidence Gathering from ARP Table 2-9
  Evidence Gathering at the Data Link Layer: DHCP Database 2-10
  Gathering Evidence from an IDS 2-10
    Tool: Tcpdump 2-10
    Tool: WinDump 2-11
    Tool: NetIntercept 2-12
    Tool: Wireshark 2-13
    Tool: CommView 2-14
    Tool: SoftPerfect Network Protocol Analyzer 2-15
    Tool: HTTP Sniffer 2-16
    Tool: EtherDetect Packet Sniffer 2-18
    Tool: OmniPeek 2-19
    Tool: Iris Network Traffic Analyzer 2-19
    Tool: SmartSniff 2-21
    Tool: NetSetMan 2-21
    Tool: Distinct Network Monitor 2-23
    Tool: MaaTec Network Analyzer 2-23
    Tool: ntop 2-24
    Tool: EtherApe 2-24
    Tool: Colasoft Capsa Network Analyzer 2-24
    Tool: Colasoft EtherLook 2-26
    Tool: AnalogX PacketMon 2-26
    Tool: BillSniff 2-27
    Tool: IE HTTP Analyzer 2-29
    Tool: EtherScan Analyzer 2-29
    Tool: Sniphere 2-29
    Tool: IP Sniffer 2-30
    Tool: Atelier Web Ports Traffic Analyzer 2-30
    Tool: IPgrab 2-32
    Tool: Nagios 2-33
    Tool: Give Me Too 2-33
    Tool: Sniff-O-Matic 2-33
    Tool: EtherSnoop 2-35
    Tool: GPRS Network Sniffer: Nokia LIG 2-35
    Tool: Siemens Monitoring Center 2-36
    Tool: NetWitness 2-37
    Tool: NetResident 2-38
    Tool: InfiniStream 2-38
    Tool: eTrust Network Forensics 2-39
    Tool: ProDiscover Investigator 2-41
    Tool: P2 Enterprise Shuttle 2-41
    Tool: Show Traffic 2-42
    Tool: Network Probe 2-43
    Tool: Snort Intrusion Detection System 2-43
      Snort Rules 2-44
    Tool: IDS Policy Manager 2-45
  Documenting the Evidence Gathered on a Network 2-45
  Evidence Reconstruction for Investigation 2-46
  Chapter Summary 2-47
  Review Questions 2-47
  Hands-On Projects 2-48

Chapter 3 Investigating Web Attacks 3-1
  Objectives 3-1
  Key Terms 3-1
  Introduction to Investigating Web Attacks 3-1
  Indications of a Web Attack 3-2
  Types of Web Attacks 3-2
    Cross-Site Scripting (XSS) 3-2
    Cross-Site Request Forgery (CSRF) 3-3
    SQL Injection Attacks 3-4
    Code Injection Attack 3-5
    Parameter Tampering 3-5
    Cookie Poisoning 3-5
    Buffer Overflow 3-6
    Cookie Snooping 3-7
    DMZ Protocol Attack 3-7
    Zero-Day Attack 3-7
    Authentication Hijacking 3-7
    Log Tampering 3-8
    Directory Traversal 3-9
    Cryptographic Interception 3-9
    URL Interpretation Attack 3-9
    Impersonation Attack 3-10
  Overview of Web Logs 3-10
    Log Security 3-10
    Log File Information 3-11
  Investigating a Web Attack 3-11
    Example of FTP Compromise 3-11
    Investigating FTP Logs 3-11
    Investigating FTP Servers 3-12
    Investigating IIS Logs 3-12
    Investigating Apache Logs 3-12
    Investigating Web Attacks in Windows-Based Servers 3-13
  Web Page Defacement 3-13
    Defacement Using DNS Compromise 3-14
  Intrusion Detection 3-15
  Security Strategies for Web Applications 3-15
  Investigating Static and Dynamic IP Addresses 3-16
  Checklist for Web Security 3-16
  Statistics 3-16
  Tools for Web Attack Investigations 3-16
    Analog 3-16
    Deep Log Analyzer 3-18
    AWStats 3-19
    Server Log Analysis 3-20
    WebLog Expert 3-20
    AlterWind Log Analyzer 3-22
    Webalizer 3-22
    eWebLog Analyzer 3-23
    N-Stealth 3-23
    Acunetix Web Vulnerability Scanner 3-24
    dotDefender 3-25
    AppScan 3-26
    AccessDiver 3-26
    Falcove Web Vulnerability Scanner 3-28
    Emsa Web Monitor 3-28
    WebWatchBot 3-29
    Paros 3-29
    HP WebInspect 3-30
    keepNI 3-31
    Wikto 3-32
    Mapper 3-32
    N-Stalker Web Application Security Scanner 3-33
    Scrawlr 3-34
    Exploit-Me 3-34
  Tools for Locating IP Addresses 3-34
    Nslookup 3-34
    Traceroute 3-36
    McAfee Visual Trace 3-37
    WHOIS 3-38
    Hide Real IP 3-40
    www.whatismyip.com 3-40
    IP Detective Suite 3-40
    Enterprise IP-Address Manager 3-42
    Whois Lookup 3-42
    SmartWhois 3-44
    ActiveWhois 3-44
    LanWhoIs 3-45
    CountryWhois 3-46
    IP2country 3-46
    CallerIP 3-47
    Whois.Net 3-47
  Other Tools 3-47
    WebAgain 3-47
    Pandora FMS 3-49
    UV Uptime Website Defacement Detector 3-49
    CounterStorm-1 3-49
  Chapter Summary 3-50
  Review Questions 3-50
  Hands-On Projects 3-51

Chapter 4 Router Forensics 4-1
  Objectives 4-1
  Key Terms 4-1
  Introduction to Router Forensics 4-2
  Functions of a Router 4-2
    A Router in the OSI Model 4-2
    Router Architecture 4-2
    The Routing Table and Its Components 4-3
  Router Vulnerabilities 4-4
  Router Attacks 4-4
    Types of Router Attacks 4-4
  Router Forensics Versus Traditional Forensics 4-5
  Investigating Router Attacks 4-6
    Investigation Steps 4-6

11-36 Chapter 11

Figure 11-24 The CCCP educates the public about child exploitation on the Internet. (Source: http://www.protectchildren.ca/app/en/, accessed 2/2007)

Figure 11-25 Cybertip.ca allows people to report the online sexual exploitation of children. (Source: http://www.cybertip.ca/, accessed 2/2007)

Cybertip.ca

Cybertip.ca is Canada’s national tip line for reporting the online sexual exploitation of children. The following is the procedure for reporting child pornography on Cybertip.ca:

1. Go to http://cybertip.ca.
2. Click on Click here to report (Figure 11-25).
3. Write details about the site.
4. Submit the report.

Association of Sites Advocating Child Protection

The Association of Sites Advocating Child Protection (ASACP) is a nonprofit organization dedicated to eliminating child pornography from the Internet. It battles child pornography through its reporting hotline and by organizing the efforts of online organizations to combat the sexual abuse of children. It also works to help parents prevent children from viewing age-inappropriate material online. Figure 11-26 shows the ASACP Web site.

Web Sites Against Child Porn

Web Sites Against Child Porn (WSACP) is an anti-child-pornography organization. Its goal is to stop as many child pornography Web sites as possible and make the Internet a better place for everyone. It provides feedback on all reports submitted with a valid e-mail address. When a user submits a suspect site online, the staff of WSACP will inform the user whether or not the suspect site has been reported to the authorities, if they were unable to report the suspect site to the
authorities, and any reasons why they were unable to report the site.

Report Child Porn

Report Child Porn is a hotline for Webmasters and surfers to report suspected child pornography. It offers the following:

• A way to report child pornography
• An avenue to discuss problems related to child pornography

Figure 11-27 shows the Report Child Porn Web site.

Child Focus

The European Centre for Missing and Sexually Exploited Children, operating under the name of Child Focus, is a foundation under Belgian law. It acts on an independent basis and only in the interest of children.

Figure 11-26 ASACP is dedicated to eliminating child pornography from the Internet. (Source: http://www.asacp.org/, accessed 2/2007)

Figure 11-27 Report Child Porn allows people to report child pornography Web sites. (Source: http://www.reportchildporn.com/, accessed 2/2007)

Figure 11-28 Child Focus is a Belgian organization that fights child exploitation. (Source: http://www.childfocus.be/en/index.php, accessed 2/2007)

The following are the features of Child Focus:

• It provides active support in the investigation of the disappearance, abduction, or sexual exploitation of children.
• It supports and encourages investigations and legal measures.
• It ensures follow-up to the cases that are entrusted to it and participates in the counseling of victims.

Figure 11-28 shows the Child Focus Web site.

Figure 11-29 StopChildPorno.be is a Belgian Web site for reporting child pornography images. (Source: http://www.stopchildporno.be/index.php?language=en, accessed 2/2007)

StopChildPorno.be

StopChildPorno.be is the Belgian civil hotline for reporting child abuse images found on the Internet. It informs citizens about the problem of child pornography on the Internet, Belgian legislation concerning this matter, different possibilities to report, procedures, and addresses of other hotlines abroad. The following steps explain how to report a Web site:

1. Go to http://www.stopchildporno.be/index.php?language=en. The Web site is shown in Figure 11-29.
2. Click on Report a Site.
3. Check either I want to be anonymous or I want to be informed and click Continue.
4. Indicate which type of report to submit.
5. Copy and paste the URL of the Web site.
6. Submit the report.

Chapter Summary

■ Child pornography is defined as any work that centers on activities involving the sexual behavior of children. Such works include drawings, cartoons, sculptures, paintings, photography, films, videos, images, and pictures, whether made or produced by electronic, mechanical, or other means. It also includes distribution and possession of pornographic materials.
■ Criminals involved in pornographic cases are generally unmarried, separated, divorced, or widowed. Motives of people can range from mere money making to sexual perversion. Child pornographers attract children by coercion, seduction, payment, blackmail, and solicitation.
■ The Internet provides easy access to a number of pornographic materials and reduces the cost of production and distribution of such materials. An offender can easily distribute the materials through e-mails, newsgroups, and webcams.
■ Child pornography affects children physically, socially, and psychologically.
■ ISPs (Internet service providers) play an important role in reducing the problem of child pornography. They can block illegal sites, apply filters to browsers and search engines, and create complaint sites.
■ The police play a crucial role in investigating pornographic sites. They may use computer forensic tools and techniques to investigate such sites. They may also use honeytrap sites to find offenders.
■ The challenges in controlling child pornography include the large amount of Internet traffic, a lack of rules and regulations in certain countries, and the advanced techniques offenders use.
■ An offender’s computer, handheld devices, and servers are the main sources of evidence for an investigation.
■ There are many anti-child-pornography organizations around the globe that seek to stop the sexual exploitation of children; these organizations offer reporting capabilities, education, training, and other services.

Review Questions

1. What are the motives of people involved in child pornography?
2. Explain the role of the Internet in promoting child pornography.
3. What are the effects of child pornography on children?
4. How can the dissemination of child pornography be prevented?
5. What are the challenges involved in controlling child pornography?
6. List the guidelines for investigating child pornography cases.
7. List the sources of digital evidence during an investigation.
8. List the guidelines for parents to reduce the risk of their children becoming exposed to child pornography.
9. Describe four tools that parents can use to protect their children from accessing pornography.
10. Describe the various anti-child-pornography organizations.

Hands-On Projects

1. Perform the following steps:
   ■ Go to the National Child Exploitation Coordination Centre (NCECC) Web site at http://www.ncecc.ca
   ■ Click on the Reporting child exploitation link
   ■ Read “How to Report Internet Pornography or Internet Luring Related to Children.”

2. Perform the following steps:
   ■ Go to the Project Safe Childhood (PSC) Web site at http://www.projectsafechildhood.gov
   ■ Click on PSC Media Fact Sheet and read about Project Safe Childhood’s initiatives

3. Perform the following steps:
   ■ Navigate to Chapter 11 of the Student Resource Center
   ■ Install and launch iProtectYou
   ■ Explore the various options
poisoning, 2-8–2-9 Activeworx Security Center, 1-17, 1-18 CallerIP, 3-47 Activity Monitor, 8-8–8-9 Canadian Centre for Child Protection (CCCP), 11-35, 11-36 Abuse.Net, 7-5 Activity profiling, 5-8 Acunetix Web Vulnerability Scanner, 3-24–3-25 Canadian laws, for trademarks and copyright, 9-38 Michigan laws against, 11-23 people involved in, 11-2 people’s motives behind, 11-2 Philippine laws against, 11-26 precaution before investigating, 11-4 preventing dissemination of, 11-3–11-4 CAN-SPAM Act, 7-26 reducing risk for exposure to, 11-12 CenterTrack method, 5-14 Scottish laws against, 11-25 Admin’s Server Monitor, 5-17, 5-18 Centralized binary logging, 1-7–1-8 sources of digital evidence, 11-11 AlterWind Log Analyzer, 3-22 CentralOps.net, 6-12–6-13 South African laws against, 11-24–11-25 Analog (tool), 3-16, 3-18 CERT Coordination Center/SEI Study on insider threats, 8-7 U.K laws against, 11-25 Adaptive Security Analyzer (ASA) Pro, 1-14–1-15, 1-16 AnalogX PacketMon, 2-26, 2-28 Anti-Child Porn Organization (ACPO), 11-28–11-29 AOL, viewing and copying e-mail headers in, 7-10 Apache logs, investigating, 3-12–3-13 Application layer, of main protocols, 2-4–2-5 AppScan, 3-26, 3-27 ARP table, evidence gathering from, 2-9 Association of Sites Advocating Child Protection (ASACP), 11-37 Atelier Web Ports Traffic Analyzer, 2-30, 2-31 Attacks, types of, 2-6 Audit logs, 1-8 Australian laws against child pornography, 11-23 on sexual harassment, 10-11–10-12 for trademarks and copyright, 9-35–9-37 Austrian laws, against child pornography, 11-23 Authentication hijacking, 3-7, 3-8 AWStats, 3-19, 3-20 Chain of custody, 1-7, 4-6 ChatGuard, 11-15, 11-16 Chat rooms, 7-7 CHECK, 9-14 Child Exploitation and Online Protection (CEOP), 11-29 Child Exploitation Tracking System (CETS), 11-17 Child Focus, 11-37–11-38 Child pornography anti-child-pornography organizations, 11-26–11-39 U.S laws against, 11-22–11-23 Children’s Internet Protection Act (CIPA), 11-26 Child Victim Identification Program 
(CVIP), 11-33, 11-34 Chinese laws on sexual harassment, 10-12 for trademarks and copyright, 9-38 Cisco NetFlow, for DoS attack detection, 5-9 Civil Rights Act (1964), Title VII, 10-10 Civil Rights Act (1991), 10-10 Code injection attacks, 3-5 Australian laws against, 11-23 Colasoft Capsa Network Analyzer, 2-24, 2-26 Austrian laws against, 11-23 Colasoft EtherLook, 2-26, 2-27 Belgian laws against, 11-23–11-24 Common headers, 7-13–7-15 Children’s Internet Protection Act (CIPA), 11-26 Common law torts, 10-11 citizen responsibility in fighting, 11-11 control challenges of, 11-4 Cypriot laws against, 11-24 defined, 11-2 B effects of, on children, 11-3 Backscatter traceback, 5-11–5-13 English and Welsh laws against, 11-25 Belgian laws guidelines to avoiding, 11-11–11-12 against child pornography, 11-23–11-24 Internet role in, 11-3 for trademarks and copyright, 9-39 introduction, 11-2 CommView, 2-14–2-15 Computer times, synchronizing, 1-21–1-28 Control channel detection, 5-14–5-15 Cookie poisoning, 3-5–3-6 Cookies, 11-8, 11-9 Cookie snooping, 3-7 Cookie Viewer, 6-15, 6-17 CopyCatch, 9-12, 9-13 Copy Protection System (COPS), 9-12–9-13, 9-14 I-1 I-2 Index Copyright Act (1968), 9-36–9-37 D E Copyright Management Business Law (4.2.2.3) (2000), 9-35 Data link layer E-mail Copyrights Australian laws for, 9-35–9-37 Belgian laws for, 9-39 Canadian laws for, 9-38 Chinese laws for, 9-38 enforcement of, 9-10–9-11 Indian laws for, 9-33–9-34 introduction, 9-1–9-2 Japanese laws for, 9-34–9-35 length of, 9-9–9-10 plagiarism, 9-11–9-23 South African laws for, 9-38 South Korean laws for, 9-39 status investigation, 9-9 U.K laws for, 9-37–9-38 U.S laws for, 9-30–9-33 Corporate espionage evidence gathering from, 2-10 specialized forensic tools for, 7-17–7-26 of main protocols, 2-4 tracing, 7-22–7-24 of OSI model, 2-5 Data Recovery Wizard, 11-5, 11-6 E-mail addresses, tracing, 6-22–6-25 E-mail crime DDoS attacks, 5-5–5-7 investigating, 7-8–7-17, 7-18, 7-19 Deep Log Analyzer, 3-18–3-19 
overview, 7-4–7-7 Denial-of-service (DoS) attacks, 4-4 RCW 19.190.020, 7-27 DDoS attacks, 5-5–5-7 types of, 7-4–7-7 defined, 5-2 U.S laws against (CAN-SPAM Act), 7-26–7-27 detection techniques, 5-8–5-9 indications of, 5-2 introduction, 5-2 investigating, 5-9–5-15 investigation challenges, 5-16 investigation tools for, 5-16–5-20 modes of, 5-7–5-8 types of, 5-2–5-4 E-Mail Detective, 7-20 Email Dossier, 7-16 E-Mail Examiner by Paraben, 7-21, 7-22 E-mail headers common, 7-13–7-15 examining, 7-11–7-15 “received”, 7-13 viewing and copying in AOL, 7-10 defenses against, 8-4–8-5 DHCP database, evidence gathering from, 2-10 defined, 8-1–8-2 Digital evidence, 11-11 viewing and copying in Hotmail, 7-10 information sought by spies, 8-2–8-3 Digital Millennium Copyright Act (DMCA) (1998), 9-30–9-31 viewing and copying in Microsoft Outlook, 7-9 Digital rights management (DRM), 9-26–9-29 viewing and copying in Yahoo! Mail, 7-11, 7-12 insider/outsider threat, 8-3 introduction, 8-1–8-2 motives behind, 8-2 prevention steps, 8-5–8-7 spying techniques, 8-3–8-4 threat due to aggregate of information, 8-3 Directory reversals, 3-9 Diskinternals Outlook Recovery, 7-22, 7-23 Distinct Network Monitor, 2-23 CounterSpy, 8-16, 8-17 Distributed denial-of-service (DDoS) attacks, 5-5–5-7 CounterStorm-1, 3-49 DMZ protocol attacks, 3-7 CountryWhois, 3-46 DNS (Domain Name Service) CPU utilization, for DoS attack detection, 5-9 Critical assets, 8-5 viewing and copying in Gmail, 7-10–7-11 E-mails chain messages, 7-8 copying messages, 7-9 examining messages, 7-9 investigating crimes and violations, 7-8–7-17, 7-18, 7-19 obtaining bit-by-bit image information, 7-9 poisoning techniques, 2-7–2-9 online programs, 7-15 Web page defacement using, 3-14 personal address book, 7-15 DNS root name servers, 6-7 printing messages, 7-9 Documentation, of evidence gathered on network, 2-45–2-46 spoofing, 7-8 Cross-site scripting (XSS) attacks, 3-2–3-3 Cryptographic interceptions, 3-9 Domain name infringement, 9-25 
Cyberbullying, 10-2 Domain Name System (DNS), Internet crimes and, 6-6–6-8 Cross-site request forgery (CSRF), 3-3–3-4 Cyberstalking, 10-6 Cybertip.ca, 11-36–11-37 CyperTipline, 11-33, 11-34 Cypriot laws, against child pornography, 11-24 DoSHTTP, 5-20 dotDefender, 3-25, 3-26 systems, 7-2–7-4 tracking and investigating crimes, 7-2 viewing and copying e-mail headers in AOL, 7-10 eMailTrackerPro, 7-24, 7-25 Dupli Checker, 9-21, 9-22 Employee-monitoring policies, writing guidelines, 8-19–8-20 Dynamic IP addresses, investigating, 3-16 Employee responsibilities, 10-7 Index I-3 Emsa Web Monitor, 3-28 G Industry self-regulation (ISP), 11-3 End-to-end forensic investigation, 1-3 InfiniStream, 2-38–2-39, 2-40 English laws, against child pornography, 11-25 General Packet Radio Service (GPRS), 2-35–2-36 Enterprise IP-Address Manager, 3-42, 3-43 German laws, on sexual harassment, 10-12 Innocent Images National Initiative (IINI), 11-27–11-28 Ephemeral, 6-4 GFI EventsManager, 1-15–1-17 Insider threats, 8-3, 8-7 Equal Protection Clause of 14th Amendment, 10-11 Give Me Too, 2-33, 2-34 Intellectual property, 9-25–9-26, 9-39 Glatt, 9-21 IntelliProtector, 9-28, 9-29 EtherApe, 2-24, 2-25 EtherDetect Packet Sniffer, 2-18–2-19 Gmail, viewing and copying e-mail headers in, 7-10–7-11 Intermediate System to Intermediate System (IS-IS), 4-4 Ethernets GPRS Network Sniffer- Nokia LIG, 2-35–2-36 International Centre for Missing & Exploited Children (ICMEC), 11-31–11-33 shared, 2-6–2-7 Grab-a-Site, 6-18–6-19 switched, 2-7 Grooming, 6-3 EtherScan Analyzer, 2-29 H EtherSnoop, 2-35 Haihaisoft Media DRM Platform, 9-28 eTrust Network Forensics, 2-39–2-41 Hash-based IP tracebacks, 5-13 EVE2 (Essay Verification Engine), 9-19, 9-21 Hide Real IP, 3-40, 3-41 EventLog Analyzer, 1-20–1-21 Hit-and-run attacks, 4-5 EventReporter, 1-20 Honeypots, 8-5–8-6 Evidence Honeytokens, 8-5–8-6 log files as, 1-3–1-8 looking for, 1-3 multiple logs as, 1-5 at physical layer, 2-6–2-7 eWebLog Analyzer, 3-23, 3-24 Exchange 
Message Tracking Center, 7-16, 7-17 Exploit-Me, 3-34 Hong Kong laws, for intellectual property, 9-39 Hop-by-Hop IP traceback, 5-10–5-11 Hostlie work environment harassment, 10-3–10-4 Hotmail, viewing and copying e-mail headers in, 7-10 HP WebInspect, 3-30 HTTP Sniffer, 2-16, 2-18 Internet, role in child pornography, 11-3 Internet Assigned Numbers Authority (IANA), 6-6 Internet crimes Internet forensics, 6-4 introduction, 6-2 investigation goals, 6-4 investigation steps, 6-4–6-8 investigation tools for, 6-8–6-27 types of, 6-2–6-3 Internet Crimes Against Children Task Force (ICAC), 11-28 Internet DNS spoofing (remote network), 2-8 Internet Service provider (ISP), 6-6 Internet Spy Filter, 8-12, 8-13 Internet Watch Foundation, 11-31 Internetwork addressing, 2-2–2-3 Intranet DNS spoofing (local network), 2-8 F I Intrusion detection, 1-5, 3-15 Fair Use Doctrine, 9-31–9-32 ICMP traceback, 5-10 Falcove Web Vulnerability Scanner, 3-28 Identity theft, 7-8 Intrusion detection system (IDS), evidence gathering from, 2-10 FINALeMAIL, 7-20 ID Protect, 7-26 Financial Coalition Against Child Pornography (FCACP), 11-33 IDS (intrusion detection system), evidence gathering from, 2-10 Firefox, 6-15, 6-16, 6-18, 6-22 IDS Policy Manager, 2-45, 2-46 examining the origin of, 7-16 Firewall Analyzer, 1-13–1-14, 1-15 IE HTTP Analyzer, 2-29 Internet crimes and, 6-5–6-6 Forensic Linguistics Institute, 9-22–9-23 IISLogger, 1-8, 1-9 investigating, 3-16 Forensics, vs router forensics, 4-5 IIS logs, 1-5–1-6 locating, 5-15 Forensic Toolkit (FTK), 7-19–7-20 investigating, 3-12 Intrusion process, 1-2 IP2country, 3-46 IP addresses IP Address Locator, 6-12, 6-13 Fourteenth Amendment, 10-11 IMAP (Internet Message Access Protocol), 7-4 IP.com, 9-24–9-25 Fraggle attacks, 5-3–5-4 iMonitorPC, 8-17, 8-19 IP Detective Suite, 3-40, 3-41 Friendly Pinger, 5-16–5-17 Impersonation attacks, 3-10 IPgrab, 2-32 FTP compromises, 3-11 Indian laws IPHost Network Monitor, 5-17, 5-18 FTP logs, investigating, 3-11–3-12 on 
sexual harassment, 10-12 iProtectYou, 11-12–11-13 FTP servers, investigating, 3-12 for trademarks and copyright, 9-33–9-34 IPSec, 5-13 I-4 Index IP Sniffer, 2-30, 2-31 Mail user agent (MUA), 7-2 Network Probe, 2-43 Iris Network Traffic Analyzer, 2-19–2-20, 2-21 Malaysian penal code, on sexual harassment, 10-12 Network protocols, overview, 2-3–2-5 IS-IS (Intermediate System to Intermediate System), 4-4 Mapper, 3-32 Network Time Protocol (NTP), 1-21–1-27 McAfee Visual Trace, 3-37, 3-38 Network traffic iThenticate, 9-20, 9-21 J Japanese laws against child pornography, 11-24 for trademarks and copyright, 9-34–9-35 JavaScript, 6-17–6-18 JPlag, 9-15 Media Access Control (MAC) address, 2-2 data link layer of OSI model, 2-5 Michigan laws, against child pornography, 11-23 DNS poisoning techniques, 2-7–2-9 Microsoft Log Parser, 1-12–1-13, 1-14 Microsoft Outlook, 7-15 viewing and copying e-mail headers in, 7-9 Moles, detecting, 8-6 Monitoring, 8-6 K keepNI, 3-31–3-32 Multiple logs, 1-5 My Offline Browser, 6-19–6-20 Kiwi Syslog Daemon, 1-12, 1-13 L LAN addressing, 2-2 LAND attacks, 5-3 Lanham (Trademark) Act, 9-31–9-32 LanWhoIs, 3-45 Link Logger, 4-17–4-18 Linux, process accounting, 1-18–1-19 Local area network (LAN), 2-2 LOCIS, 9-9, 9-10 LockLizard, 9-28, 9-29 Log files authenticity of, 1-7 as evidence, 1-3–1-8 missing, 1-7 multiple, 1-5 tampering with, 3-8 Log-input, tracing with, 5-14 Logs, investigating introduction, 1-2 log files as evidence, 1-3–1-8 tools for, 1-8–1-21 LoPe, 7-24, 7-25 M documenting evidence, 2-45–2-46 evidence gathering at data link layerDHCP database, 2-10 evidence gathering at physical layer, 2-6–2-7 evidence gathering from ARP table, 2-9 evidence gathering from IDS, 2-10 introduction, 2-2 investigation tools for, 2-10–2-45 N network addressing, 2-2–2-3 Nagios, 2-33 network layer of OSI model, 2-5–2-6 National Center for Missing & Exploited Children (NCMEC), 11-33 OSI reference model, 2-3 National Society for the Prevention of Cruelty to Children 
(NSPCC), 11-35 physical layer of OSI model, 2-5 protocols overview, 2-3–2-5 NeoTrace (McAfee Visual Trace), 6-25, 6-26 reasons for investigating, 2-6 NETGEAR router logs, 4-13–4-14, 4-15 reconstructing evidence for investigation, 2-46–2-47 NetIntercept, 2-12, 2-13 NetResident, 2-38 NetScan Tools, 6-26, 6-27 NetSetMan, 2-21–2-22 Netspionage, 8-7 NetVizor, 8-11 NetWitness, 2-37 Network Abuse Clearinghouse, 7-5 Network E-Mail Examiner by Paraben, 7-22 Network forensics data analysis, 1-2 end-to-end, 1-3 introduction, 1-2 intrusion process, 1-2–1-3 transport layer of OSI model, 2-6 types of attacks, 2-6 NIC (network interface card), 2-2 NIDS (Network Intrusion Detection System), for DoS attack detection, 5-9 Nmap, 5-16 Nokia LIG, 2-35–2-36 Nslookup, 3-34, 3-36, 6-8–6-9 N-Stalker, 3-33 N-Stealth, 3-23, 3-24 ntop, 2-24, 2-25 NTP (Network Time Protocol), 1-21–1-27 NTsyslog, 1-19–1-20 Nuke attacks, 5-4 looking for evidence, 1-3 NTP, 1-21–1-28 MaaTec Network Analyzer, 2-23, 2-24 Network Intrusion Detection System (NIDS), for DoS attack detection, 5-9 MAC (Media Access Control) address, 2-2 Network interface card (NIC), 2-2 Mail bombing, 7-6–7-7 Network layer O ODBC logging, 1-8 OmniPeek, 2-19 Online Copyright Infringement Liability Limitation Act, 9-32–9-33 MailDetective, 7-16–7-17, 7-18 of main protocols, 2-4 OOB attacks, 5-4 Mail storm, 7-7 of OSI model, 2-5–2-6 Open Shortest Path First (OSPF), 4-4 OSI reference model Project Safe Childhood (PSC), 11-27 Sexual harassment overview, 2-3 Promiscuous attacks, 2-7 Australian laws on, 10-11–10-12 routers on, 4-2 Protocols, overview, 2-3–2-5 Chinese laws on, 10-12 Proxy servers, DNS poisoning on, 2-8, 2-9 complaint procedures, 10-7–10-8 Q consequences of, 10-4 OSPF (Open Shortest Path First), 4-4 Outsider threats, 8-3 P Quid pro quo harassment, 10-3 P2 Enterprise Shuttle, 2-41 defined, 10-2 dos and don’ts for employees, 10-5 R employee responsibilities, 10-7 “Received” headers, 7-13 German laws on, 10-12 Pandora FMS, 3-49
Recover My Email for Microsoft Outlook, 7-22 Indian laws on, 10-12 Paper mills, 9-11 Reflected attacks, 5-4 Parameter tampering, 3-5 Reliance party, 9-10 Paros, 3-29–3-30 Remote logging, 1-9–1-10 Packet marking, 5-14 Packet-mistreating attacks, 4-5 Patents, 9-23–9-25 infringement, 9-24 introduction, 9-23 search for, 9-24 types of, 9-23–9-24 Report Child Porn, 11-37, 11-38 Reveal, 11-12 R-Mail, 7-20, 7-21 Router Audit Tool (RAT), 4-16–4-17 Router forensics Patents (Amendment) Act (1999), 9-33 definition of router, 4-2 Path identification (Pi) method, 5-15 functions of a router, 4-2–4-4 PC Inspector File Recovery, 11-5, 11-6 introduction, 4-2 Persistent attacks, 4-5 investigating router attacks, 4-6–4-16 Perverted Justice, 11-35 router attacks, 4-4–4-5 Philippine laws, against child pornography, 11-26 router vulnerabilities, 4-4 tools for, 4-16–4-18 Phishing, 7-8, 7-17, 7-18 vs. traditional forensics, 4-5 Physical layer, of OSI model, 2-5 Ping of death attacks, 5-2 Router logs, 4-12–4-13 Plagiarism Routing Information Protocol (RIP), 4-3–4-4 detection factors, 9-11–9-12 detection tools, 9-12–9-23 introduction, 10-2 investigation process, 10-8–10-9 Malaysian penal code on, 10-12 policies, 10-9 preventive steps, 10-9–10-10 stalking, 10-5–10-6 stalking laws, 10-15 statistics, 10-4 supervisors' responsibilities, 10-7 types of, 10-2–10-4 U.K. laws on, 10-12 U.S. laws on, 10-10–10-11 Sherlock, 9-17, 9-19 Show Traffic, 2-42 Siemens Monitoring Center, 2-36–2-37 Signature analysis, 8-6–8-7 Simple Mail Transfer Protocol (SMTP), 7-3 SIM (Software Similarity Tester), 9-16, 9-17 SmartSniff, 2-21, 2-22 Routing table, 4-3–4-4 SmartWhois, 3-44 Routing table poisoning, 4-5 SMTP (Simple Mail Transfer Protocol), 7-3 S Smurf attacks, 5-3 prevention steps, 9-11 types of, 9-11 PlagiarismDetect.com, 9-21, 9-22 SafeAssignment, 9-19, 9-20 PLAGUE, 9-16–9-17 Sample complaint form, 10-12–10-14 POP3 (Post Office Protocol version 3), 7-3–7-4 Samspade, 6-12 Post Office Protocol version 3 (POP3),
7-3–7-4 Sawmill, 4-18 PRAISE, 9-19, 9-20 Scottish laws, against child pornography, 11-25 Presentation layer, of main protocols, 2-4–2-5 Scrawlr, 3-34 Privatefirewall, 8-11–8-12 Search warrants, 6-4–6-5, 7-8–7-9 Probabilistic packet monitoring (PPM), 5-14 Security, for Web applications, 3-15 Process accounting, 1-18–1-19 Sequential change-point detection, 5-8 ProDiscover Investigator, 2-41, 2-42 Server Log Analysis (tool), 3-20 Profiling, 8-6 Session layer, of main protocols, 2-4–2-5 Sniff-O-Matic, 2-33, 2-34 Sniphere, 2-29–2-30 Snork attacks, 5-4 Snort Intrusion Detection System, 2-43–2-44 Socklog, 1-10–1-11 SoftPerfect Network Protocol Analyzer, 2-15–2-16, 2-17 South African laws against child pornography, 11-24–11-25 for trademarks and copyright, 9-38 South Korean laws, for trademarks and copyright, 9-39 Spam Arrest, 7-6, 7-7 South African laws for, 9-38 Spamming, 7-5–7-6 South Korean laws for, 9-39 indications of, 3-2 SPAM Punisher, 7-5–7-6 trade dress and, 9-2 introduction, 3-1 Spector CNE, 8-9 U.K. laws for, 9-37–9-38 intrusion detection, 3-15 SPlaT, 9-17, 9-18 U.S. laws for, 9-30–9-33 investigating, 3-11–3-13 Spybot-Search & Destroy, 8-12, 8-13 Trade Marks Act (1995), 9-35–9-36 SpyBuddy, 8-10–8-11 Trade Marks Act (1999), 9-33–9-34 SpyCop, 8-12–8-13, 8-14 Trademarks Act (TMA) (1994), 9-37–9-38 Spy Sweeper, 8-14, 8-16 Transport layer Spyware Terminator, 8-14, 8-15 of main protocols, 2-4 SQL injection attacks, 3-4–3-5 of OSI model, 2-6 SQL Inject-Me, 3-34, 3-35 Stalking, 10-5–10-6, 10-15 Stanford Copy Analysis Mechanism (SCAM), 9-14, 9-15 Static IP addresses, investigating, 3-16 Web attacks investigating static and dynamic IP addresses, 3-16 investigation tools for, 3-16–3-34, 3-47–3-49 overview of web logs, 3-10–3-11 security strategies for Web applications, 3-15 statistics, 3-16 tools for locating IP addresses, 3-34–3-47 Turnitin, 9-12, 9-13 types of, 3-2–3-10 U web page defacement, 3-13–3-15 Uniform Resource Locator (URL), 3-5 Web security checklist,
3-16 United Kingdom laws Web Control for Parents, 11-13, 11-14 Status2k, 5-19 against child pornography, 11-25 WebLog Expert, 3-20–3-21 StopChildPorno.be, 11-39 on sexual harassment, 10-12 Web logs, 3-10–3-11 Stratum levels, 1-22–1-27 for trademarks and copyright, 9-37–9-38 Web page defacement, 3-13–3-15 SUPERAntiSpyware, 8-17, 8-18 United States laws Web pages, recovering information from, 6-22 Supervisors' responsibilities, 10-7 against child pornography, 11-22–11-23 Web Sites Against Child Porn (WSACP), 11-37 SurfOffline, 6-19, 6-20 for trademarks and copyright, 9-30–9-33 WebWatchBot, 3-29 SYN flooding, 5-3 Syslog, 1-8–1-9 Syslog-ng, 1-10, 1-11 United States Patent and Trademark Office (USPTO), 9-2 Urkund, 9-19 URL interpretation attacks, 3-9 T URL redirection, 6-15, 6-17 Tail4Win, 5-18, 5-19 Tcpdump, 2-10, 2-11 Teardrop attacks, 5-3 Think U Know, 11-29–11-30 Three-way handshake, 5-3 Title VII of Civil Rights Act (1964), 10-10 Traceroute, 3-36–3-37, 6-13–6-14 Track4Win, 8-9, 8-10 Trademarks Australian laws for, 9-35–9-37 URL (Uniform Resource Locator), 3-5 Welsh laws, against child pornography, 11-25 WHOIS, 3-38–3-40, 6-9–6-12 Whois Lookup, 3-42, 3-43 Whois.Net, 3-47, 3-48 Wikto, 3-32 U.S. Copyright Office, 9-10 Windows-based servers, investigating attacks in, 3-13 U.S. Secret Service, 8-7 Windows logging, 1-19 UTC time, 1-6 Windows Media Digital Rights Management (DRM), 9-26, 9-27 UV Uptime Website Defacement Detector, 3-49 V VAST, 9-15–9-16 Victim, interviewing, 6-5 Windows time service, 1-27–1-28 WinDump, 2-11–2-12 Wireshark, 2-13–2-14 Www.whatismyip.com, 3-40, 3-41 Virtual Global Taskforce (VGT), 11-30 X VisualRoute, 6-22, 6-23 XoftSpySE, 8-14, 8-15 Volatile evidence, 4-9–4-11 XSS-Me, 3-34, 3-35 Indian laws for, 9-33–9-34 W Y infringement, 9-3–9-9 Wavelet-based signal analysis, 5-9 introduction, 9-1 Wayback Machine, 6-21 Yahoo!
Mail, viewing and copying e-mail headers in, 7-11, 7-12 Japanese laws for, 9-34–9-35 WCopyfind, 9-20 Z registration eligibility and benefits, 9-2 WebAgain, 3-47, 3-48 Zero-day attacks, 3-7 vs. service mark, 9-2 Webalizer, 3-22, 3-23 Zombies, 5-5 Belgian laws for, 9-39 Canadian laws for, 9-38 Chinese laws for, 9-38

General Notice

The EC-Council | Press Series’ mission is to educate, introduce and demonstrate Information Security related tools and techniques for internal security analysis purposes only. You will not use the newly acquired skills for illegal or malicious attacks and you will not use such tools in an attempt to compromise any computer system, and you shall indemnify EC-Council and its partners from all liability with respect to the use or misuse of these tools, regardless of intent. EC-Council provides the hacking skills and tools presented throughout the EC-Council | Press for educational use. The hacking tools are not authored by EC-Council, and in many cases are submitted by the security community. EC-Council will not be held accountable for any damages caused by the proper or improper usage of these materials, and makes no guarantee in regards to their operation or suitability for any specific purpose. The hacking tools used in the EC-Council | Press programs are meant for research and educational purposes only. The primary intent of these tools is to provide the user with hard-to-find content for research or self-education relevant to network security and various protection methods and their intrinsic flaws by demonstrating exploitation methods and techniques used to circumvent them. We hope that you become more aware of the dangers that lurk in society today and learn how to protect yourself from them with the knowledge you are about to learn. In order to continue you must accept that you are going to use this information for educational and research purposes only. While possession of information or programs included
in this training violates no laws, actually using or implementing some of the programs or content may violate U.S. Federal and other laws. For this reason, the user is instructed not to use any programs or content contained in this training which may violate any laws or infringe on the rights, including intellectual property rights, of others. We provide them for research and educational purposes only.