Guide to computer forensics and investigations

Information Security Web Site Resources

www.cert.org - Computer Emergency Response Team Coordination Center (CERT/CC)
www.ists.dartmouth.edu - Research and education for cyber security
www.first.org - Organization of 170 incident response teams
www.sans.org - SysAdmin, Audit, Network, Security (SANS) Institute
www.infragard.net - Information sharing between private industry and the U.S. government
www.issa.org - Information Systems Security Association (ISSA)
nsi.org - Information about security vulnerabilities and threats
csrc.nist.gov/index.html - Computer Security Resource Center (CSRC)
cve.mitre.org - Dictionary of reported information security vulnerabilities
www.mcafee.com/us/threat_center - McAfee Threat Center
www.microsoft.com/security/portal/default.aspx - Microsoft Malware Protection Center
secureitalliance.org - Industry partners promoting software that interoperates with the Microsoft platform
www.securityfocus.com/archive/1 - Detailed information about the latest computer security vulnerabilities and fixes
atlas.arbor.net - Global threat analysis network
secunia.com - Information on security vulnerabilities, advisories, viruses, and online vulnerability tests
www.ieee.org - Institute of Electrical and Electronics Engineers (IEEE)
www.wi-fi.org - Wi-Fi Alliance
www.fcc.gov - Federal Communications Commission
www.hhs.gov/ocr/hipaa - Health Insurance Portability and Accountability Act of 1996 (HIPAA)
www.sec.gov/spotlight/sarbanes-oxley.htm - Sarbanes-Oxley Act of 2002 (Sarbox)
www.ftc.gov/privacy/glbact/glbsub1.htm - Gramm-Leach-Bliley Act (GLBA)
www.fincen.gov/statutes_regs/patriot/index.html - USA Patriot Act (2001)
info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html - California Database Security Breach Act (2003)
www.ftc.gov/bcp/conline/pubs/buspubs/coppa.shtm - Children's Online Privacy Protection Act of 1998 (COPPA)
secunia.com/software_inspector - Secunia Software Inspector software
www.microsoft.com/security/malwareremove/default.mspx - Microsoft Windows Malicious Software Removal Tool
www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx - Microsoft RootkitRevealer software
www.softdd.com/keystrokerecorder/index.html - Keyboard Collector software
irongeek.com/i.php?page=security/thumbscrew-software-usb-writeblocker - Thumbscrew software (USB write-blocker)
www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx - Microsoft Virtual PC 2007
www.vmware.com - VMware Workstation
www.grc.com/securable - Data Execution Prevention testing software
www.eicar.org/anti_virus_test_file.htm - EICAR antivirus test file
www.microsoft.com/downloads/details.aspx?FamilyID=a3d1bbed-7f354e72-bfb5-b84a526c1565&displaylang=en - Microsoft Vista security templates
www.microsoft.com/technet/security/tools/mbsahome.mspx - Microsoft Baseline Security Analyzer (MBSA)
www.wireshark.org - Wireshark protocol analyzer
www.netstumbler.com - NetStumbler software
www.klcconsulting.net/smac - MAC spoofing software
ophcrack.sourceforge.net - Open-source password cracker that uses rainbow tables
keepass.info - KeePass password storage software
www.nessus.org/download - Nessus vulnerability scanner
www.gfi.com/lannetscan - GFI LANguard vulnerability scanner
www.threatfire.com/download - ThreatFire behavior-based monitoring tool
md5deep.sourceforge.net - Hash generator software
www.truecrypt.org - TrueCrypt encryption software
www.briggsoft.com - Directory Snoop software
www.heidi.ie/node/6 - File wipe software

Guide to Computer Forensics and Investigations, Fourth Edition
Bill Nelson, Amelia Phillips, Christopher Steuart

Vice President, Career and Professional Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Developmental Editor: Lisa M. Lord
Editorial Assistant: Sarah Pickering
Vice President, Career and Professional Marketing: Jennifer McAvey
Marketing Director: Deborah S. Yarnell
Senior Marketing Manager: Erin Coffin
Marketing Coordinator: Shanna Gibbs
Production Director: Carolyn Miller
Production Manager: Andrew Crouth
Content Project Manager: Jessica McNavich
Art Director: Jack Pendleton
Cover photo or illustration: Shutterstock
Production Technology Analyst: Tom Stover
Manufacturing Coordinator: Julio Esperas
Copyeditor: Ruth Bloom
Proofreader: Michele Callaghan
Compositor: Cadmus Communications

© 2010 Course Technology, Cengage Learning. ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means, graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706. For permission to use material from this text or product, submit all requests online at cengage.com/permissions. Further permissions questions can be emailed to permissionrequest@cengage.com.

Library of Congress Control Number: 2009929885
ISBN-13: 978-1-435-49883-9
ISBN-10: 1-435-49883-6

Course Technology, 20 Channel Center Street, Boston, MA 02210

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at international.cengage.com/region. Cengage Learning products are represented in Canada by Nelson Education, Ltd. For your lifelong learning solutions, visit course.cengage.com. Visit our corporate website at cengage.com.

Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers. Microsoft and the Office logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Course Technology, a part of Cengage Learning, is an independent entity from the Microsoft Corporation and is not affiliated with Microsoft in any manner. Any fictional data related to persons, companies, or URLs used throughout this book is intended for instructional purposes only; at the time this book was printed, any such data was fictional and did not belong to any real persons or companies. Course Technology and the Course Technology logo are registered trademarks used under license. Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice. The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.

Printed in the United States of America

Brief Table of Contents

Preface  xv
Introduction  xvii
Chapter 1  Computer Forensics and Investigations as a Profession
Chapter 2  Understanding Computer Investigations  27
Chapter 3  The Investigator's Office and Laboratory  71
Chapter 4  Data Acquisition  99
Chapter 5  Processing Crime and Incident Scenes  149
Chapter 6  Working with Windows and DOS Systems  197
Chapter 7  Current Computer Forensics Tools  259
Chapter 8  Macintosh and Linux Boot Processes and File Systems  297
Chapter 9  Computer Forensics Analysis and Validation  345
Chapter 10  Recovering Graphics Files  381
Chapter 11  Virtual Machines, Network Forensics, and Live Acquisitions  423
Chapter 12  E-mail Investigations  451
Chapter 13  Cell Phone and Mobile Device Forensics  495
Chapter 14  Report Writing for High-Tech Investigations  515
Chapter 15  Expert Testimony in High-Tech Investigations  541
Chapter 16  Ethics for the Expert Witness  575
Appendix A  Certification Test References  603
Appendix B  Computer Forensics References  607
Appendix C  Computer Forensics Lab Considerations  613
Appendix D  DOS File System and Forensics Tools  619
Glossary  653
Index  663

Table of Contents (Chapters 1 through 6, as far as the preview extends)

Preface  xv
Introduction  xvii

Chapter 1  Computer Forensics and Investigations as a Profession
  Understanding Computer Forensics
    Computer Forensics Versus Other Related Disciplines
    A Brief History of Computer Forensics
    Understanding Case Law
    Developing Computer Forensics Resources
  Preparing for Computer Investigations
    Understanding Law Enforcement Agency Investigations
    Following the Legal Processes
    Understanding Corporate Investigations
    Establishing Company Policies
    Displaying Warning Banners
    Designating an Authorized Requester
    Conducting Security Investigations
    Distinguishing Personal and Company Property
  Maintaining Professional Conduct  19
  Chapter Summary  20
  Key Terms  21
  Review Questions  23
  Hands-On Projects  24
  Case Projects  25

Chapter 2  Understanding Computer Investigations  27
  Preparing a Computer Investigation  28
    An Overview of a Computer Crime  28
    An Overview of a Company Policy Violation  30
  Taking a Systematic Approach  30
    Assessing the Case  32
    Planning Your Investigation  33
    Securing Your Evidence  35
  Procedures for Corporate High-Tech Investigations  37
    Employee Termination Cases  37
    Internet Abuse Investigations  37
    E-mail Abuse Investigations  38
    Attorney-Client Privilege Investigations  39
    Media Leak Investigations  40
    Industrial Espionage Investigations  41
    Interviews and Interrogations in High-Tech Investigations  43
  Understanding Data Recovery Workstations and Software  44
    Setting Up Your Workstation for Computer Forensics  45
  Conducting an Investigation  46
    Gathering the Evidence  46
    Understanding Bit-stream Copies  47
    Acquiring an Image of Evidence Media  48
    Using ProDiscover Basic to Acquire a USB Drive  48
    Analyzing Your Digital Evidence  51
  Completing the Case  58
    Critiquing the Case  59
  Chapter Summary  59
  Key Terms  60
  Review Questions  61
  Hands-On Projects  62
  Case Projects  69

Chapter 3  The Investigator's Office and Laboratory  71
  Understanding Forensics Lab Certification Requirements  72
    Identifying Duties of the Lab Manager and Staff  72
    Lab Budget Planning  73
    Acquiring Certification and Training  76
  Determining the Physical Requirements for a Computer Forensics Lab  79
    Identifying Lab Security Needs  79
    Conducting High-Risk Investigations  80
    Using Evidence Containers  80
    Overseeing Facility Maintenance  82
    Considering Physical Security Needs  82
    Auditing a Computer Forensics Lab  83
    Determining Floor Plans for Computer Forensics Labs  83
  Selecting a Basic Forensic Workstation  85
    Selecting Workstations for Police Labs  85
    Selecting Workstations for Private and Corporate Labs  86
    Stocking Hardware Peripherals  86
    Maintaining Operating Systems and Software Inventories  87
    Using a Disaster Recovery Plan  87
    Planning for Equipment Upgrades  88
    Using Laptop Forensic Workstations  88
  Building a Business Case for Developing a Forensics Lab  88
    Preparing a Business Case for a Computer Forensics Lab  90
  Chapter Summary  93
  Key Terms  94
  Review Questions  95
  Hands-On Projects  96
  Case Projects  97

Chapter 4  Data Acquisition  99
  Understanding Storage Formats for Digital Evidence  100
    Raw Format  101
    Proprietary Formats  101
    Advanced Forensic Format  102
  Determining the Best Acquisition Method  103
  Contingency Planning for Image Acquisitions  105
  Using Acquisition Tools  105
    Windows XP Write-Protection with USB Devices  106
    Acquiring Data with a Linux Boot CD  109
    Capturing an Image with ProDiscover Basic  120
    Capturing an Image with AccessData FTK Imager  123
  Validating Data Acquisitions  126
    Linux Validation Methods  127
    Windows Validation Methods  129
  Performing RAID Data Acquisitions  129
    Understanding RAID  130
    Acquiring RAID Disks  132
  Using Remote Network Acquisition Tools  134
    Remote Acquisition with ProDiscover  134
    Remote Acquisition with EnCase Enterprise  136
    Remote Acquisition with R-Tools R-Studio  136
    Remote Acquisition with WetStone LiveWire  137
    Remote Acquisition with F-Response  137
    Remote Acquisition with Runtime Software  137
  Using Other Forensics Acquisition Tools  138
    SnapBack DatArrest  138
    NTI SafeBack  138
    DIBS USA RAID  138
    ILook Investigator IXimager  139
    ASRData SMART  139
    Australian Department of Defence PyFlag  139
  Chapter Summary  139
  Key Terms  140
  Review Questions  141
  Hands-On Projects  143
  Case Projects  146

Chapter 5  Processing Crime and Incident Scenes  149
  Identifying Digital Evidence  150
    Understanding Rules of Evidence  151
  Collecting Evidence in Private-Sector Incident Scenes  157
  Processing Law Enforcement Crime Scenes  161
    Understanding Concepts and Terms Used in Warrants  162
  Preparing for a Search  163
    Identifying the Nature of the Case  163
    Identifying the Type of Computing System  164
    Determining Whether You Can Seize a Computer  164
    Obtaining a Detailed Description of the Location  164
    Determining Who Is in Charge  165
    Using Additional Technical Expertise  165
    Determining the Tools You Need  166
    Preparing the Investigation Team  168
  Securing a Computer Incident or Crime Scene  168
  Seizing Digital Evidence at the Scene  169
    Preparing to Acquire Digital Evidence  169
    Processing an Incident or Crime Scene  170
    Processing Data Centers with RAID Systems  173
    Using a Technical Advisor  173
    Documenting Evidence in the Lab  174
  Processing and Handling Digital Evidence  174
  Storing Digital Evidence  174
    Evidence Retention and Media Storage Needs  176
    Documenting Evidence  176
  Obtaining a Digital Hash  177
  Reviewing a Case  179
    Sample Civil Investigation  180
    Sample Criminal Investigation  181
    Reviewing Background Information for a Case  181
    Identifying the Case Requirements  182
    Planning the Investigation  183
    Conducting the Investigation: Acquiring Evidence with AccessData FTK  183
  Chapter Summary  188
  Key Terms  190
  Review Questions  191
  Hands-On Projects  192
  Case Projects  195

Chapter 6  Working with Windows and DOS Systems  197
  Understanding File Systems  198
    Understanding the Boot Sequence  198
    Understanding Disk Drives  199
  Exploring Microsoft File Structures  201
    Disk Partitions  202
    Master Boot Record  205
    Examining FAT Disks  206
  Examining NTFS Disks  208
    NTFS System Files  210
    MFT and File Attributes  211
    MFT Structures for File Data  215
    NTFS Data Streams  224
    NTFS Compressed Files  224
    NTFS Encrypting File System (EFS)  225
    EFS Recovery Key Agent  227
    Deleting NTFS Files  227
  Understanding Whole Disk Encryption  228
    Examining Microsoft BitLocker  229
    Examining Third-Party Disk Encryption Tools  230
  Understanding the Windows Registry  230
    Exploring the Organization of the Windows Registry  231
    Examining the Windows Registry  234
  Understanding Microsoft Startup Tasks  237
    Startup in Windows NT and Later  238
    Startup in Windows 9x/Me  240
  Understanding MS-DOS Startup Tasks  241
    Other Disk Operating Systems  242
  Understanding Virtual Machines  242
    Creating a Virtual Machine  244
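The outline above lists bit-stream copies (Chapter 2), acquiring data with a Linux boot CD, validating data acquisitions and Linux validation methods (Chapter 4), and obtaining a digital hash (Chapter 5). The script below is an added example, not code from the book or its authors: it walks that workflow on a constructed stand-in file (an ordinary file playing the role of a suspect drive) using GNU coreutils dd, split, md5sum and sha1sum. The choice of those tools, the 64 KiB segment size and the tamper check at the end are this example's assumptions, not the book's procedure.

```shell
#!/bin/sh
# Added example (not from the book): segmented bit-stream acquisition of a
# constructed "suspect drive" file, validated with md5sum and sha1sum.
# Assumes GNU coreutils: dd, split, md5sum, sha1sum, head, yes, cat, mktemp.
set -u

# Print "md5 sha1" for a file. The tools print "digest  filename"; keep the digest.
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Constructed sample source: 256 KiB of repeating text. The size is a multiple of
# the 512-byte block used below, so conv=noerror,sync adds no padding and the
# image hash must equal the source hash. A real drive is always a whole number of
# sectors; a stand-in file that is not would hash differently after padding.
make_sample_source() {
    yes 'constructed sample sector data' | head -c 262144 > "$1"
}

# Acquire: bit-stream copy with dd, record source and image hashes, then split
# the image into 64 KiB segments (assumed size; the point is that segments must
# be reassembled in order before they can be validated).
acquire_segmented() {
    src=$1; work=$2
    dd if="$src" of="$work/image.dd" bs=512 conv=noerror,sync 2>/dev/null
    hash_file "$src"           > "$work/source.hash"
    hash_file "$work/image.dd" > "$work/image.hash"
    split -b 65536 -d "$work/image.dd" "$work/image.dd."
}

# Validate: reassemble the numbered segments and compare against the recorded
# hashes. Returns 0 only when reassembled == image and image == source.
validate_segments() {
    work=$1
    cat "$work"/image.dd.[0-9]* > "$work/reassembled.dd"
    [ "$(hash_file "$work/reassembled.dd")" = "$(cat "$work/image.hash")" ] || return 1
    [ "$(cat "$work/image.hash")" = "$(cat "$work/source.hash")" ] || return 1
    return 0
}

# End-to-end run: acquire and validate, then flip one byte inside a segment and
# confirm validation now fails. Returns 0 only if both outcomes are as expected.
demo_run() {
    work=$(mktemp -d)
    make_sample_source "$work/suspect.bin"
    acquire_segmented "$work/suspect.bin" "$work"
    validate_segments "$work" || { echo "clean image failed validation"; return 1; }
    # Overwrite a single byte in the second segment without changing its size.
    printf 'X' | dd of="$work/image.dd.01" bs=1 seek=100 conv=notrunc 2>/dev/null
    if validate_segments "$work"; then
        echo "altered segment went undetected"; return 1
    fi
    echo "ok: clean image validated, altered segment detected"
    rm -rf "$work"
    return 0
}

demo_run
```

Both digests are recorded because the book's validation sections list MD5 and SHA-1 side by side; a single-byte change in any segment changes both, and the reassembly step is where ordering mistakes (a segment missing or out of sequence) surface as a hash mismatch rather than a silently wrong image.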
crime and incident scenes Honeynet Challenges, 443–444 inculpatory evidence, 4, 22 Honeynet Project, 441–444 independent recollection, 552 673 international espionage investigations, 42 International Organization of Standardization (ISO), 330, 337 International Organization on Computer Evidence (IOCE), 150–151, 190 International Society of Forensic Computer Examiners (ISFCE), 581 International Telecommunication Union (ITU), 498, 508 International Traffic in Arms Regulations (ITAR), 41 Internet abuse investigations, 18, 37–38, 347 Internet Address Search Results dialog box, AccessData FTK, 559–561 Internet Keyword Search Options dialog box, AccessData FTK, 559 index node, 303, 337 Internet Service Providers (ISPs), privacy laws, 157 honeystick, 443, 445 indexed searches, 267–268 interrogations, 43–44, 60 honeywalls, 443, 445 indirect pointers, 318, 337 interviews, 43–44, 60 Horton v California, 163 industrial espionage investigations, 14, 22, 41–43, 347 intranets, 453–454 host protected areas (HPAs), 123–124, 334 Info2 file, 228, 250 investigations See computer investigations hostile work environment, 18, 22 initial assessment, 30 investigations triad, 4–5 initial-response field kit, 166–168, 190 honeypots, 443, 445 innocent information, 162, 190 IOCE (International Organization on Computer Evidence), 150–151, 190 HTCIA (High Technology Crime Investigation Association), 8, 22, 581 inode blocks, UNIX, 314 Io.sys file, 240–241, 250 inode pointers, 318–320 iPhone forensics, 504 HTCN (High Tech Crime Network), 77–78, 94 inodes, 313–319, 337 IrfanView, 383, 419–420 insertion, 408–410 hypothetical questions, 519–520 instant messaging (IM) files, 466 ISFCE (International Society of Forensic Computer Examiners), 581 I Integrated Digital Enhanced Network (iDEN), 497 ISO (International Organization of Standardization), 330, 337 IACIS (International Association of Computer Investigative Specialists), 7, 22, 76–77, 582 integrity of evidence, 543 ISO images, Linux, 110 internal 
code of ethics, 576 IBM 8088 computer, ISPs (Internet Service Providers), privacy laws, 157 internal warning banners, 16 icon renaming, OS X, 305–306 International Association of Computer Investigative Specialists (IACIS), 7, 22, 76–77, 582 HPFS (High Performance File System), 209, 250 ID numbers, e-mail, 465 ITAR (International Traffic in Arms Regulations), 41 674 Index ITU (International Telecommunication Union), 498, 508 Launch Dialog dialog box, ProDiscover, 49 IXimager, 139 law enforcement agency investigations, 11 J Jetico BestCrypt Volume Encryption, 230 JFIF (JPEG File Interchange Format), 385–386 Joint Photographic Experts Group (JPEG) format, 384, 418–419 law enforcement officer crime scene procedure, 28–29 lay witnesses, 517, 534 layered network defense strategy, 429, 445 LCNs (logical cluster numbers), 215, 221–222, 250, 592–594 journals, 20, 58, 170, 174 leaf nodes, 303, 337 JPEG File Interchange Format (JFIF), 385–386 legal processes, following, 12–14 juries empaneling, 546 guidelines for testimony before, 548–549 lightweight workstations, 278, 280 Lilo.conf file, 321 limiting phrase, 162, 190 line of authority, 15, 22 view of graphics, 550 Linux See UNIX/Linux Kenneth C v Delonda R., 576–577 key escrow, 362, 374 keyed hash set, 178, 190 logical addresses, 202, 250 logical blocks, 299–300, 337 logical cluster numbers (LCNs), 215, 221–222, 250, 592–594 logical EOF, 299–300, 337 logs e-mail server, 467–468 evidence container, 82 Exchange Server, 470–471 forensics laboratory, 82–83, 176 Long Term Evolution (LTE), 498 licensing requirements, 577 instructions to, 546 K logical acquisition, 103–104, 141, 262 Linux Live CD lossless compression, 104, 388, 414 lossy compression, 104, 388, 414 low-level investigations, 180, 190 ls (list) command, 316–317 LTE (Long Term Evolution), 498 M dcfldd command, 119–120 Mac Mini computer, 303 dd command, 116–119 Mac SE computer, overview, 109 Macintosh OSs keyed padlocks, 81 preparing target drive for acquisition, 
111–116 keys, Registry, 231 using, 110 boot tasks, 300–303 forensics software acquisition methods, 303–304 Keyword Search dialog box, Autopsy, 327 Linux-acquired evidence, validating, 127–129 keyword searches, 267, 272, 284, 349 list (ls) command, 316–317 KFF (Known File Filter), 354, 374, 477 List of Clusters dialog box, ProDiscover, 395, 401 MacLockPick II tool, 504 Knoppix-STD (Security Tools Distribution), 276–277, 435–438, 447 litigation, 5, 22 magnetic tape, 175 live acquisitions, 103, 134–135, 140, 172, 430–431 Mail Known File Filter (KFF), 354, 374, 477 live searches, AccessData FTK, 349 L LiveWire, 137 laboratories See forensics laboratories locking systems, evidence container, 81 language, report, 522–523 log file data, 171–172 laptop forensic workstations, 88 log reports, 58, 271 KFF warning, AccessData FTK, 477 BlackBag, 304–310 Mac OS volumes, 299–300 overview, 298–299 Apple, 461–462 Yahoo!, 463 mailing lists, mainframe computers, 5–6 maintenance, forensics lab, 82 malware, 361, 424, 428, 432 Index 675 managers, forensics lab, 72–73 Microsoft Excel, 55–56 MSC (mobile switching center), 499 Mantech Memory DD, 431 Microsoft Office Outlook, 455–458, 484–486 MS-DOS Manuka Project, 443 map node, 303, 337 Microsoft Office Outlook Express, 458 MAPI (Messaging Application Programming Interface), 470, 487 Microsoft OSs, 44–45 marking bad clusters, 358 Master Boot Record (MBR), 205, 250 Master Directory Block (MDB), 302, 337 Microsoft Virtual PC, 244–246 Microsoft Windows See Windows Microsoft Windows 9x, 240–241 Microsoft Windows Event Viewer, 471–472 Master File Table (MFT), 209–211, 251, 255–257, 590–591 Microsoft Windows Me, 240–241 mbox method, 481–482, 487 Microsoft Windows Messenger, 466 MBR (Master Boot Record), 205, 250 Microsoft Windows NT, 238 MD5 (Message Digest 5), 127, 177–179, 190, 361 Microsoft Windows Vista, 238 md5sum utility, Linux, 127–128 MDB (Master Directory Block), 302, 337 MDBackUp Extract tool, 504 media leak investigations, 40–41 media 
safes, 81 memory cards, PDA, 500 memory storage on mobile devices, 502 Memory window, New Virtual Machine Wizard, 245 memory-resident code, 320 Message Digest (MD5), 127, 177–179, 190, 361 message tracking log, Exchange Server, 471 Messaging Application Programming Interface (MAPI), 470, 487 Messenger, Windows, 466 metadata, 210–211, 251, 385–387 Microsoft Windows XP command-line tools, 273–274 startup tasks, 241–242 Msdos.sys file, 240–242, 251 multi-evidence form, 33–35, 60 MultiMedia Card (MMC) memory cards, 500 Multiple Input Multiple Output (MIMO), 498 Multipurpose Internet Mail Extensions (MIME), 481, 487 N National Institute of Standards and Technology (NIST), 177, 190, 281–282 startup tasks, 238–240 National Software Reference Library (NSRL), 264–265, 281–282, 284 USB write-protection feature, 106–109 Netdude tool, 440 mid-size computer forensics labs, 83–84 MIME (Multipurpose Internet Mail Extensions), 481, 487 MIMO (Multiple Input Multiple Output), 498 mirrored striping, 132 mke2fs command, 315–316 MMC (MultiMedia Card) memory cards, 500 network forensics computer forensics versus, defined, 445 network logs, reviewing, 432–434 overview, 428–430 securing networks, 429–430 standard procedures for, developing, 432–434 tools for mobile device forensics See cell phone and mobile device forensics Honeynet Project, 441–444 Mobile Forensics BitPim Cleaner, 505 overview, 434–435 mobile switching center (MSC), 499 packet sniffers, 439–441 Mobile WiMAX, 498 UNIX/Linux tools, 435–438 MOBILedit! 
tool, 505 metafile graphics, 382–383, 414 Model Code of Professional Responsibility, 582 MFT (Master File Table), 209–211, 251, 255–257, 590–591 Model Rules of Professional Conduct, 582 Microsoft BitLocker, 229 motion in limine, 546, 563 Microsoft e-mail server logs, 470–471 mounting drives, 109–110 network intrusion detection and incident response, 5, 22 New Case dialog box, AccessData FTK, 183, 478, 529, 558 New Project dialog box, ProDiscover, 51–52, 234, 392, 528 New Technology File System (NTFS) compressed files, 224–225 676 Index data streams, 224 Ntoskrnl.exe file, 239, 251 opinion shopping, 577–578 defined, 251 Nuance PaperPort program, 406 deleting files, 227–228 O Options window, New Virtual Machine Wizard, 245 driver, 111 Encrypting File System, 225–227 making image of, 117 MFT file, 211–224 overview, 208–210 order of volatility (OOV), 430, 445 Object_ID attribute 0x40, 217–219 original evidence, 156 objectivity maintaining, 19–20 Orthogonal Frequency Division Multiplexing (OFDM), 498, 508 in reports, 523 OS boot process, Macintosh, 301 OFDM (Orthogonal Frequency Division Multiplexing), 498, 508 OSs See operating systems Recovery Key Agent, 227 system files, 210–211 one-half cent crime, Outlook Express, 458 New Virtual Machine Wizard, 244–245 one-time passphrase, 229, 251 outside experts, news media, 40–41, 545–546 OOV (order of volatility), 430, 445 Ngrep tool, 439–440 Open dialog box Nigerian Scam (419 messages), 452 AccessData FTK, 183 NIST (National Institute of Standards and Technology), 177, 190, 281–282 ProDiscover, 234, 527–528, 557–558 Open Firmware, 300–301, 338 *nix platforms See UNIX/Linux Open Image dialog box, Autopsy, 325 nonkeyed hash set, 178, 190 opening statements, 546 nonresident data streams, 226 nonresident file attribute 0x80, 219–220 nonresident files, 211, 213–215 nonstandard graphics file formats, 384, 405–406, 415 Norton DiskEdit, 273, 358 notarization, 13, 22 Novell Evolution, 459–460, 481–484 Novell GroupWise, 471–473 
open-source formats, 100–101 open-source software, 230, 311 Operating System window, New Virtual Machine Wizard, 245 operating systems (OSs) computer forensics business case, 90–91 identifying with disk editors, 202–204 Macintosh boot tasks, 300–303 NSRL (National Software Reference Library), 264–265, 281–282, 284 forensics software, 303–310 NT Loader (Ntldr), 238, 251 overview, 298–299 Mac OS volumes, 299–300 Outlook, 455–458, 484–486 P packet sniffers, 439–441, 445 padding, 36 padlocks, keyed, 81 Pagefile.sys file, 239, 251, 589 PaperPort, 406 Paraben Software, 504 parity, dedicated, 131–132 PARTIES (Protected Area Run Time Interface Extension Service), 334 Partition Boot Sector, 209, 251 partition gap, 202, 251, 357 partitioning FAT drives, 111–116, 145 partitions, defined, 202, 251 password dictionary attack, 268, 284, 363 password protection, 30, 60, 135 Password Recovery Toolkit (PRTK), 268–269, 363–366 NTBootdd.sys file, 239, 251 maintaining, 87 password-cracking software, 30, 60, 268–269, 362–363 NTDetect.com file, 239, 251 Microsoft, 44–45 passwords, recovering, 362–363 NTFS See New Technology File System mobile phones, 499 patches testing, 283 police lab workstations, 85–86 Patriot Act of 2001, 157–158 private lab workstations, 86 payment for testimony, 551 NTI SafeBack, 138 Ntldr (NT Loader), 238, 251 upgrading, 74–75 Index PC-DOS (Personal Computer Disk Operating System), 242 preliminary approach to case, 30–31 validation, 129 Principles of Medical Ethics, 583 viewing hidden partitions in, 357–358 PDAs (personal digital assistants), 500, 509 privacy laws, 38 PDBlock, 279 private forensics labs, workstations for, 86 PDServer, 135 peer reviews, 542 person of interest, 163, 190 Personal Computer Disk Operating System (PC-DOS), 242 personal digital assistants (PDAs), 500, 509 personal identity information (PII), 228, 251 personal property, computer property versus, 19 677 ProDiscover Incident Response, 134–135 private investigations, 9–10, 14, 17–18 
ProDiscover Investigator, 134–135, 271–272 private key, 225, 251 production schedules, 73 private sector, business plans for, 89–90 professional conduct, 19–20, 22 private-sector incident scenes, 157–161 professional curiosity, 169, 191 probable cause, 161, 191 professional training, 20 Processing Files dialog box, AccessData FTK, 185–186 properties, virtual machine, 246–247 ProDiscover Basic allocated data recovery, 66–68 proprietary formats, 101–102, 121–123 prosecution, 12–14 prosecutorial misconduct, 551 PGP Whole Disk Encryption, 230 Auto Image Checksum Verification, 355–356 phase change alloy, 330, 338 capturing images with, 120 phishing, 452, 487 digital photograph evidence, 392–396 photographing crime scenes, 171–172 examples of data recovery, 62–66 PRTK (Password Recovery Toolkit), 268–269, 363–366 physical acquisitions, 262 extracting Registry files, 234 pst files, 484–486 physical addresses, 202, 251 functions, 271–272 PsTools suite, 435, 447 physical EOF, 299–300, 338 JPEG files with altered extensions, 417–418 public disclosure law, 157 PII (personal identity information), 228, 251 keyword search example, 68–69 Pine, UNIX, 459–461 making image files, 144–145 pixels, 382–383, 415 pretrial preparation, 557–558, 566–569, 572–573 plain view doctrine, 162–163, 190 plaintiffs, 546 pointers double-indirect, 318, 337 indirect, 318, 337 public investigations, 9–10 public key, 225, 251 public-sector case flow, 12 PyFlag, 139 R raw acquisition format, 123 RAID See redundant array of independent disks recovering corrupted files, 399–405 inode, 318–320 triple-indirect, 318, 338 report generation, 527–529, 537–538 police blotter, 12, 22 restore image files to drives, 143–144 police forensics labs, workstations for, 85–86 searches in, 377–379 Post Office Protocol version (POP3), 469–470, 487 protected-mode GUI, 240, 251 proprietary acquisition format, 121–123 remote network acquisition with, 134–136 portable workstations, 278, 280 Protected Area Run Time Interface 
Extension Service (PARTIES), 334 testing, 291–294 unicode data, 588–589 USB drives, 48–51, 418–419 RAID (Rapid Action Imaging Device), 138 RAID 0, 130 RAID 1, 130–131 RAID 2, 131 RAID 3, 131 RAID 5, 131–132 RAID 6, 132 RAID 10, 132 678 Index RAM slack, 207, 251 Refine Index – Default dialog box, AccessData FTK, 183 Rapid Action Imaging Device (RAID), 138 regional computer forensics labs, 84–85 rapid-fire questions, 553 Registry See Windows Registry raster images, 382–383, 415 Registry Editor, 107–109, 231, 233 rasterization, 382, 415 Registry Viewer, 233–234, 236–237, 425–426 raw file format defined, 141, 415 evidence storage, 100 images from Macs, 304 manual validation, 355 overview, 262, 384–385 ProDiscover Basic, 123 validation, 129 registry Web sites, 466 remote acquisitions EnCase Enterprise, 136 F-Response, 137 overview, 365–366 ProDiscover, 134–136 R-Tools R-Studio, 136–137 real-time surveillance, 181 Runtime Software, 137–138, 367–374 rebuttals, 546 WetStone LiveWire, 137 reconstruction, 269–270, 284 ProDiscover Basic, 527–529 types of, 518–519 resident file attribute 0x80, 218–219 resident files, 211–214 resolution, 382–383, 415 resource fork, 298–299, 338 reviewing cases, 179 right of privacy, 3, 22 risk management, 88, 94 router logs, 467 RPM (Red Hat Package Manager), 322, 338 R-Tools R-Studio, 133, 136–137 Runtime RAID Reconstructor tool, 133 Runtime Software, remote network acquisition with, 137–138, 367–374 Remote dialog box, Runtime DiskExplorer, 370–372 S Recover Clusters dialog box, ProDiscover, 403–404, 594–595 repeatable findings, 58, 60 SafeGuard Easy, 230 Replica tool, 334 salvaging, 267–269, 389, 415 recovering passwords, 362–363 report generators, 271 SATA devices, 333–334 recovery certificates, 225, 252 Report Location dialog box, AccessData FTK, 532, 560 Scanpst.exe recovery tool, 484–485 Report Wizard, AccessData FTK, 187–188, 560 Scientific Working Group on Digital Evidence (SWGDE), 150–151, 191 report writing scope creep, 346, 374 
recordings of crime scenes, 171 Recovery Key Agent, 227 recovery keys, 225 Recycle Bin, 227–228 Red Hat Package Manager (RPM), 322, 338 redundant array of independent disks (RAID) defined, 271 guidelines for schedules, production, 73 SCSI (small computer system interface), 322, 332–333, 338 clear writing, 522–523 SCSI-to-IDE adapter cards, 334 acquiring disks, 132–134 layout and presentation, 523–527 SD (Secure Digital) memory cards, 500 defined, 141 overview, 519–520 search and seizure, 9, 22 overview, 129–132 structure, 521–522 processing, 173 Search dialog box, ProDiscover, 54, 56, 234–235, 393, 418, 528, 558 what to include, 520–521 servers, 88 references, report, 522, 526 Refine Case – Default dialog box, AccessData FTK, 183–184, 478, 530, 558 importance of, 516–517 Search Options dialog box, AccessData FTK, 350 limiting report to specifics, 517 search results pane, ProDiscover, 55 tools for search warrants AccessData FTK, 529–533 defined, 22 Index e-mail crimes, 474 limits on, 181–182 overview, 2–3, 161–163 searches, preparing for computing system, identifying type of, 164 Select Image Destination dialog box, AccessData FTK Imager, 125–126, 428 Select Image Type dialog box, AccessData FTK Imager, 124–125, 427 Select Source dialog box, AccessData FTK Imager, 124–125, 425–427 small computer system interface (SCSI), 322, 332–333, 338 SMART, 139, 274–275 smart phones, 499, 509 SMTP (Simple Mail Transfer Protocol), 469, 487 SnapBack DatArrest, 138 description of location, obtaining detailed, 164–165 self-destruct mechanisms, 171 sniffing, 181, 191 leader, determining, 165 self-evaluation, 31 software nature of case, identifying, 163 Sendmail e-mail server, 469 See also names of specific software preparing for, 163–168 sensitive data leaks, 40–41 seizing computers, determining whether possible, 164 sequential numbering system, 523–524 command-line forensics tools, 273–274 server logs team, preparing, 168 Microsoft, 470–471 tools, determining needed, 166–168 Novell 
GroupWise, 471–473 Second Extended File System (Ext2fs), 313, 338 sectors, 199–200, 252 Secure Digital (SD) memory cards, 500 overview, 467–468 UNIX, 469–470 Servlet utility, 136 covert surveillance, 181 expenses related to, 74 forensic laboratory, 73–76 image quality, 383 for Macintosh OSs, 303–310 maintaining, 87, 209, 273 overview, 6–7, 261 secure facilities, 79, 94 SHA-1 (Secure Hash Algorithm version 1), 177–179, 191 Secure Hash Algorithm version 1 (SHA-1), 177–179, 191 sha1-sum utility, Linux, 127–128 requirements, 91–92 shadow drives, 270 UNIX/Linux forensics tools, 274–277 shell commands, 319 upgrading, 88 crime and incident scenes, 168–169 Shift Left Operation dialog box, Hex Workshop, 359–360 validating, 280–282, 355 evidence, 35–37 shutting down suspect systems, 172 networks, 429–430 SIGs (special-interest groups), 85, 94 SecureClean, 286–288 securing password-cracking, 30, 60 software duplicators, 270 software write-blockers, 279 security breaches, network, 428–429 silver-platter doctrine, 18, 22 SoftWinter Sentry 2020 for Windows XP, 230 security guards, forensics lab, 83 SIM (subscriber identity module) cards, 499–500, 502–504, 509, 510–512 sparse acquisition, 103, 141 security investigations, 17–18 security needs, identifying for forensics labs, 79–83 Sim Card Reader tool, 507 security perimeters, crime scene, 168 Simple Mail Transfer Protocol (SMTP), 469, 487 Security Tools Distribution (KnoppixSTD), 276–277, 435–438, 447 Select Drive dialog box, AccessData FTK Imager, 124, 425 Select drive dialog box, Runtime DiskExplorer, 370 special-interest groups (SIGs), 85, 94 split command, Linux, 117–119 SIMCon tool, 505–506, 510–512 Split Image Confirmation dialog box, Autopsy, 326 single-evidence form, 33, 35–36, 61 Split Image dialog box, ProDiscover, 121 skills, forensic lab staff, 73 spoliation, 520, 534 Sleuth Kit, 276, 322–330, 342–343 spoofing, 452, 464–465, 487 small computer forensics labs, 83–84 staff, forensics lab, 72–73 standard
graphics file formats, 384, 415 supporting materials, report, 524 technical/scientific witnesses, 542, 563 Standard Information attribute 0x10, 216–217 swap partitions, 427 Telecommunications Industry Association (TIA), 498, 509 standard risk assessment, 31 Startup dialog box, AccessData FTK, 183, 477, 529 startup tasks MS-DOS, 241–242 overview, 237–238 Windows 9x, 240–241 Windows Me, 240–241 Windows NT, 238 Windows Vista, 238 Windows XP, 238–240 static acquisitions, 103, 141 SWGDE (Scientific Working Group on Digital Evidence), 150–151, 191 SYN flood attack, 439 TEMPEST facilities, 80, 94 synchronization, 116, 501 templates, report, 58 Sysinternals tools, 434–435 terminators, SCSI device, 333 syslog.conf file, 469 testifying See expert witnesses system backups, 87 testimony preservation deposition, 555, 563 system files, UNIX, 311–312 System Properties dialog box, Windows Vista, 107–108 System Restore Wizard, Windows Vista, 107 systematic approach assessing cases, 32 static electricity, 82 overview, 30–32 stationary workstations, 278, 280 planning investigations, 33–35 status flag bits, 317 STD (Security Tools Distribution), 276–277, 435–438, 447 steganalysis tools, 411, 415 steganography, 361–362, 374, 408–410, 420–421 stemming, AccessData FTK, 350 temperature control, 165 securing evidence, 35–37 T tables, report, 524–525 Tagged Image File (TIF) format, 384– 385, 406–407 testing computer forensics tools, 281, 291–292 third-generation (3G), 497–499, 509 TIA (Telecommunications Industry Association), 498, 509 Tidemann v Nadler Golf Car Sales, Inc., 579 TIF (Tagged Image File) format, 384– 385, 406–407 Time Division Multiple Access (TDMA), 497–498, 509 timelines, Autopsy, 328–330 TPM (Trusted Platform Module), 229, 252 track density, 200, 252 tape, evidence, 36 tracks, 199–200, 252 Steve Jackson Games v United States Secret Service and United States of America, 157 tape backup systems, 104 training tarball, 322, 338 acquiring, 76 still recordings, 171 target 
drives, 47–48 of outside experts, 165–166 stm database file, 470 professional, 20 S-Tools4, 420–421 TCG (Trusted Computing Group), 229, 252 storing evidence, 100–102, 174–176 TCP headers, 439 striping, data, 130–132 Tcpdstat tool, 439 subkeys, Registry, 232 Tcpdump program, 432–433 Triple Data Encryption Standard (3DES) encryption, 136–137 subscriber identity module (SIM) cards, 499–500, 502–504, 509, 510–512 Tcpreplay tool, 439 triple-indirect pointers, 318, 338 Tcpslice tool, 439 Tripwire software package, 434 substitution, 409 TDMA (Time Division Multiple Access), 497–498, 509 troubleshooting log, Exchange Server, 471 technical advisors, 173 TrueCrypt, 230 superblock, UNIX, 314 Supplementary Files dialog box, AccessData FTK, 532 technical terminology, in reports, 522 trash containers, 82 tree view, ProDiscover Basic, 52 Trusted Computing Group (TCG), 229, 252 Trusted Platform Module (TPM), 229, 252 trustworthiness, of digital evidence, 155 U Ubuntu Linux 8.04 virtual server, 426–428 Ultra Mobile Broadband (UTMS), 498 USB drives AccessData FTK, 286–287 acquiring images, 48–51 ProDiscover, 48–51, 418–419 verification of data-copying process, 263 vf (verify file) option, Linux dcfldd command, 129 SecureClean, 288 VFAT (Virtual File Allocation Table), 206 verification of evidence on, 289–291 video recordings, 171 USB IDE/SATA external connector, 106 USB write-protection Registry method, 120, 123–124 virtual cluster number (VCN), 215, 221–223, 252, 593 Virtual File Allocation Table (VFAT), 206 user groups, Virtual Hard Disk Location window, New Virtual Machine Wizard, 245 unallocated disk space, 208, 252, 390–396 UTF-8 (Unicode Transformation Format), 210, 252 Unicode, 210, 252, 587–589 Utimaco SafeGuard Easy, 230 Unicode Transformation Format (UTF-8), 210, 252 UTMS (Ultra Mobile Broadband), 498 Uniform Crime Report, 74–75, 94 V Virtual Machine Name and Location window, New Virtual Machine Wizard, 245 United States v Salgado, 153 validating evidence virtual
machines Virtual Hard Disk Options window, New Virtual Machine Wizard, 245 UNIX Pine, 459–461 forensics software, 355 creating, 244–248 UNIX/Linux hexadecimal editors, 351–354 defined, 252 boot processes, 319–321 Linux-acquired, 127–129 overview, 242–244, 424–428 computer forensics tools, 274–277 overview, 126–127 Virtual PC, Microsoft, 244–246 dd command, 145–146 using hash values to discriminate data, 354–355 VMware Server, 425–426 disk structures, 322–330 Windows-acquired, 129 drives, 321–322 validation e-mail server logs, 469–470 defined, 264–266, 284 GRUB, 321 Hex Workshop, 377 inodes, 318–319 protocols, 282–283 ISO images, 110 VCB (Volume Control Block), 302, 338 Linux Loader, 321 network forensics tools, 435–438 VCN (virtual cluster number), 215, 221–223, 252, 593 overview, 310–318 vector graphics, 382–383, 415 partition schemes, 321–322 vector quantization (VQ), 388, 415 partitioning FAT drives, 145 vendor pricing, 92 upgrading vendor-supplied workstations, 279 hardware, 88 verbal reports, 518–519 software, 74–75, 283 verdicts, 13, 22 voir dire, 547–548, 563 Voltage SecureDisk, 230 Volume Bitmap, 302–303, 338 Volume Control Block (VCB), 302, 338 volumes, 208, 252 Voom Technologies Shadow Drive, 270 VQ (vector quantization), 388, 415 vulnerability assessment and risk management, 5, 22 W Wang Laboratories, Inc v Toshiba Corp., 579 warning banners, 15–17, 22, 159 warrants See search warrants watermarks, 361, 411–412 U.S Copyright Office Web site, 412 WetStone LiveWire, 137 whole disk encryption Windows XP write-blocker devices BitLocker, 229 startup tasks, 238–240 AccessData FTK Imager, 123–124 defined, 105, 141 USB write-protection feature, 106–109 acquisitions from Linux, 109 overview, 228–229 third-party tools, 229–230 Win32dd tool, 431 Windows detecting virtual machines, 424–425 forensic workstations, 44–45 image acquisitions, 105–106 live acquisitions, 431 validating evidence, 129 Windows 9x, 240–241 Windows Event Viewer, 471–472 Windows Me,
240–241 Windows Messenger, 466 Windows NT, 238 Windows Registry defined, 252 examining, 234–237 organization of, 231–233 overview, 230–231 virtual machines, 425–426 Windows Vista, 238 defined, 284 WinHex, 257, 592 overview, 279–280 Winload.exe tool, 238 ProDiscover, 120 Winresume.exe tool, 238 Wireshark, 440, 448 workstations, forensic building, 278–279 for corporate labs, 86 defined, 44, 60 disaster recovery plan, 87–88 equipment upgrades, planning for, 88 types of, 45 write-protecting, 305 written reports See report writing X XIF (eXtended Image Format) format, 405–407 X-Ways Replica tool, 334 hardware peripherals, 86–87 Y laptop, 88 Yahoo! Mail, 463 operating systems, 87 Yahoo Message Archive Decoder, 466 overview, 44–45 Z for police labs, 85–86 ZBR (zoned bit recording), 200, 252 for private, 86 zero day attacks, 442, 445 recommendations for, 280 zombies, 442, 445 setting up, 45–46 zoned bit recording (ZBR), 200, 252 software inventories, 87 write protected trusted binaries, 136

This book is intended to be sold with a DVD. If this book does not contain a DVD, you are not getting the full value of your purchase. If the DVD in this book is missing or if the package containing them has been opened, this book is not returnable. By opening and breaking the seal on this package, you are agreeing to be bound by the following agreement: The software included with this product may be copyrighted, in which case all rights are reserved by the respective copyright holder. You are licensed to use software copyrighted by the Publisher and its licenser on a single computer. You may copy and/or modify the software as needed to facilitate your use of it on a single computer. Making copies of the software for any other purpose is a violation of the United States copyright laws. This software is sold as is without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. Neither the publisher nor its dealers or distributors assume any liability for any alleged or actual damages arising from the use of this program. (Some states do not allow for the excusing of implied warranties, so the exclusion may not apply to you.)

... Companion to Guide to Computer Forensics and Investigations, Fourth Edition. This lab manual provides students with additional hands-on experience. Web-Based Labs for Guide to Computer Forensics and Investigations ...

www.heidi.ie/node/6 - File wipe software

Guide to Computer Forensics and Investigations, Fourth Edition. Bill Nelson, Amelia Phillips, Christopher Steuart.

Guide to Computer Forensics and Investigations, Fourth Edition ... via a Web browser to gain essential hands-on experience in computer forensics using labs from Guide to Computer Forensics and Investigations, Fourth Edition. Lab Requirements: The hands-on projects

Posted: 13/04/2019, 10:53

Table of contents

  • Front Cover

  • Title Page

  • Copyright

  • Brief Table of Contents

  • TABLE OF CONTENTS

  • PREFACE

  • INTRODUCTION

  • CHAPTER 1: Computer Forensics and Investigations as a Profession

    • Understanding Computer Forensics

      • Computer Forensics Versus Other Related Disciplines

      • A Brief History of Computer Forensics

      • Understanding Case Law

      • Developing Computer Forensics Resources

      • Preparing for Computer Investigations

        • Understanding Law Enforcement Agency Investigations

        • Following the Legal Processes

        • Understanding Corporate Investigations

        • Establishing Company Policies

        • Displaying Warning Banners

        • Designating an Authorized Requester

        • Conducting Security Investigations

        • Distinguishing Personal and Company Property

        • Maintaining Professional Conduct
