465_SG_CHFI_FM.qxd 10/15/07 9:50 AM Page i

The Official CHFI Study Guide (Exam 312-49) for Computer Hacking Forensics Investigators

Dave Kleiman, Technical Editor

Kevin Cardwell
Timothy Clinton
Michael Cross
Michael Gregg
Jesse Varsalone
Craig Wright

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Elsevier, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY   SERIAL NUMBER
001   HJIRTCV764
002   PO9873D5FG
003   829KM8NJH2
004   BPOQ48722D
005   CVPLQ6WQ23
006   VBP965T5T5
007   HJJJ863WD3E
008   2987GVTWMK
009   629MP5SDJT
010   IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

The Official CHFI Study Guide (Exam 312-49) for Computer Hacking Forensic Investigators
Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America

ISBN 13: 978-159749-197-6

Publisher: Amorette Pedersen
Managing Editor: Andrew Williams
Technical Editor: Dave Kleiman
Cover Designer: Michael Kavish
Indexer: Nara Wood
Project Manager: Gary Byrne
Page Layout and Art: Patricia Lupien
Copy Editors: Audrey Doyle, Adrienne Rebello, Mike McGee

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director; email m.pedersen@elsevier.com.

Technical Editor

Dave Kleiman (CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE, MVP) has worked in the information technology security sector since 1990. Currently, he runs an independent computer forensic company, DaveKleiman.com, which specializes in litigation support, computer forensic investigations, incident response, and intrusion analysis. He developed a Windows operating system lockdown tool, S-Lok, which surpasses NSA, NIST, and Microsoft Common Criteria Guidelines.

Dave was a contributing author for Microsoft Log Parser Toolkit (Syngress Publishing, ISBN: 1-932266-52-6), Security Log Management: Identifying Patterns in the Chaos (Syngress Publishing, ISBN: 1597490423), and How to Cheat at Windows System Administration (Syngress Publishing, ISBN: 1597491055). Dave was technical editor for Perfect Passwords: Selection, Protection, Authentication (Syngress Publishing, ISBN: 1597490415); Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress Publishing, ISBN: 1597490792); Windows Forensic Analysis: Including DVD Toolkit (Syngress Publishing, ISBN: 159749156X); and CD and DVD Forensics (Syngress Publishing, ISBN: 1597491284). He was also a technical reviewer for Enemy at the Water Cooler: Real Life Stories of Insider Threats (Syngress Publishing, ISBN: 1597491292).

He is frequently a speaker at many national security conferences and is a regular contributor to security-related newsletters, Web sites, and Internet forums. Dave is a member of many professional security organizations, including the Miami Electronic Crimes Task Force (MECTF), International Association of Counter Terrorism and Security Professionals (IACSP), International Society of Forensic Computer Examiners® (ISFCE), Information Systems Audit and Control Association® (ISACA), High Technology Crime Investigation Association (HTCIA), Association of Certified Fraud Examiners (ACFE), and the High Tech Crime Consortium (HTCC). He is also the Sector Chief for Information Technology at the FBI's InfraGard®.

Contributors

Kevin Cardwell (CEH, ECSA, LPT) works as a freelance consultant and provides consulting services for companies throughout the U.S., U.K., and Europe. He is an adjunct associate professor for the University of Maryland University College, where he participated in the team that developed the Information Assurance Program for Graduate Students, which is recognized as a Center of Excellence program by the National Security Agency (NSA). He is an instructor and technical editor for computer forensics and hacking courses. He has presented at the Blackhat USA Conference.

During a 22-year period in the U.S. Navy, Kevin tested and evaluated surveillance and weapon system software. Some of this work was on projects like the Multi-Sensor Torpedo Alertment Processor (MSTRAP), Tactical Decision Support System (TDSS), Computer Aided Dead Reckoning Tracer (CADRT), Advanced Radar Periscope Discrimination and Detection (ARPDD), and the Remote Mine Hunting System (RMHS). He has worked as both a software and systems engineer on a variety of Department of Defense projects and was selected to head the team that built a Network Operations Center (NOC) that provided services to the command ashore and ships at sea in the Norwegian Sea and Atlantic Ocean. He served as the leading chief of information security at the NOC for six years prior to retiring from the U.S. Navy. During this time he was the leader of a five-person Red Team.

Kevin wishes to thank his mother, Sally; girlfriend, Loredana; and daughter, Aspen, all of whom are sources of his inspiration. Kevin holds a master's degree from Southern Methodist University and is a member of the IEEE and ACM. Kevin currently resides in Cornwall, England.

Marcus J. Carey (CISSP, CTT+) is the president of Sun Tzu Data, a leading information assurance and infrastructure architecture firm based out of central Maryland. Marcus' specialty is network architecture, network security, and network intrusion investigations. He served over eight years in the U.S. Navy's cryptology field. During his military service Marcus engineered, monitored, and defended the U.S. Department of Defense's secure networks. Marcus holds a master's degree from Capitol College, where he also serves as professor of information assurance. Marcus currently resides in central Maryland with his family, Mandy, Erran, Kaley, and Christopher.

Timothy Clinton has held multiple roles in the EDD/ESI vendor space. He is currently employed as forensics operations manager for the National Technology Center division of Document Technologies, Inc. (DTI), a major ESI service. Since joining the DTI team, Mr. Clinton has served in multiple roles, including EDD production manager, technical architect, and forensic investigator. He has conducted and managed investigations for numerous civil cases regarding matters for Fortune 50 of law. Mr. Clinton's most notable achievement while at DTI is being responsible for the design and implementation of a showcase data forensics laboratory in Atlanta, Georgia.

Edward Collins (CISSP, CEH, Security+, MCSE:Security, MCT) is a senior security analyst for CIAN, Inc., where he is responsible for conducting penetration tests, threat analysis, and security audits. CIAN (www.ciancenter.com) provides commercial businesses and government agencies with all aspects of information security management, including access control, penetration testing, audit procedures, incident response handling, intrusion detection, and risk management. Edward is also a training consultant, specializing in MCSE and Security+ certifications. Edward's background includes positions as information technology manager at Aurora Flight Sciences and senior information technology consultant at Titan Corporation.

James "Jim" Cornell (CFCE, CISSP, CEECS) is an employee of Computer Sciences Corp. (CSC) and an instructor/course developer at the Defense Cyber Investigations Training Academy (DCITA), which is part of the Defense Cyber Crime Center (DC3) in Maryland. At the academy he teaches network intrusions and investigations, online undercover techniques, and advanced log analysis. He has over 26 years of law enforcement and over 35 years of electronics and computer experience. He is a member/coach of the International Association of Computer Investigative Specialists (IACIS) and a member of the International Information Systems Forensics Association (IISFA) and the International Information Systems Security Certification Consortium (ISC2). He is currently completing the Certified Technical Trainer (CTT+) process and is a repeat speaker at the annual Department of Defense Cyber Crime Conference. He would like to thank his mother for more than he can say, his wife for her patience and support, and Gilberto for being the best friend ever.

Michael Cross (MCSE, MCP+I, CNA, Network+) is an internet specialist/programmer with the Niagara Regional Police Service. In addition to designing and maintaining the Niagara Regional Police's Web site (www.nrps.com) and intranet, he has also provided support and worked in the areas of programming, hardware, database administration, graphic design, and network administration. In 2007, he was awarded a Police Commendation for work he did in developing a system to track high-risk offenders and sexual offenders in the Niagara Region. As part of an information technology team that provides support to a user base of over 1,000 civilian and uniformed users, his theory is that when the users carry guns, you tend to be more motivated in solving their problems.

Michael was the first computer forensic analyst in the Niagara Regional Police Service's history, and for five years he performed computer forensic examinations on computers involved in criminal investigations. The computers he examined for evidence were involved in a wide range of crimes, inclusive to homicides, fraud, and possession of child pornography. In addition to this, he successfully tracked numerous individuals electronically, as in cases involving threatening e-mail. He has consulted and assisted in numerous cases dealing with computer-related/Internet crimes and served as an expert witness on computers for criminal trials. Michael has previously taught as an instructor for IT training courses on the Internet, Web development, programming, networking, and hardware repair. He is also seasoned in providing and assisting in presentations on Internet safety and other topics related to computers and the Internet. Despite this experience as a speaker, he still finds his wife won't listen to him.

Michael also owns KnightWare, which provides computer-related services like Web page design, and Bookworms, which provides online sales of merchandise. He has been a freelance writer for over a decade and has been published over three dozen times in numerous books and anthologies. When he isn't writing or otherwise attached to a computer, he spends as much time as possible with the joys of his life: his lovely wife, Jennifer; darling daughter Sara; adorable daughter Emily; and charming son Jason.

Michael Gregg is the president of Superior Solutions, Inc. and has more than 20 years' experience in the IT field. He holds two associate's degrees, a bachelor's degree, and a master's degree and is certified as CISSP, MCSE, MCT, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and TICSA. Michael's primary duties are to serve as project lead for security assessments helping businesses and state agencies secure their IT resources and assets. Michael has authored four books, including: Inside Network Security Assessment, CISSP Prep Questions, CISSP Exam Cram2, and Certified Ethical Hacker Exam Prep2. He also was the lead author for Hack the Stack: Using Snort and Ethereal to Master the Eight Layers of an Insecure Network (Syngress, ISBN: 9781597491099). He has developed four high-level security classes, including Global Knowledge's Advanced Security Boot Camp, Intense School's Professional Hacking Lab Guide, ASPE's Network Security Essentials, and Assessing Network Vulnerabilities. He has created over 50 articles featured in magazines and Web sites, including Certification Magazine, GoCertify, The El Paso Times, and SearchSecurity. Michael is also a faculty member of Villanova University and creator of Villanova's college-level security classes, including Essentials of IS Security, Mastering IS Security, and Advanced Security Management. He also serves as a site expert for four TechTarget sites, including SearchNetworking, SearchSecurity, SearchMobileNetworking, and SearchSmallBiz. He is a member of the TechTarget Editorial Board.

Justin Peltier is a senior security consultant with Peltier Associates, with over 10 years of experience in firewall and security technologies. As a consultant, Justin has been involved in implementing, supporting, and developing security solutions, and he has taught courses on many facets of information security, including vulnerability assessment and CISSP preparation. His previous employment was at Suntel Services, where he directed the company's security practice development. Prior to that, Justin was with Netigy, where he was involved in the company's corporate training efforts. Justin currently holds 10 professional certifications in an array of technical disciplines. Justin has led classes across the United States, as well as in Europe and Asia, for Peltier Associates, Sherwood Associates, Computer Security Institute, ISC2, the Mark I. Sobell Training Institute, Netigy Corporation, and Suntel Services.

Sondra Schneider is CEO and Founder of Security University, a Vienna, VA-based Qualified Computer Security and Information Assurance Training Company. For the past 18 years Sondra has been traveling around the world training network professionals to be network and security professionals. In 2004 she was awarded Entrepreneur of the Year at the First Annual Woman of Innovation Awards from the Connecticut Technology Council. She sits on the advisory board for three computer security technology companies and is a frequent speaker at computer security and wireless industry events. She is a founding member of the NYC HTCIA and IETF, and she works closely with ISC2, ISSA, and ISACA chapters and the vendor community to provide qualified computer security training and feedback. Sondra holds the CISSP, CEH, ECSA, LPT, and CHFI credentials.

Jesse Varsalone (A+, Linux+, Net+, iNet+, Security+, Server+, CTT+, CIW Professional, CWNA, CWSP, MCT, MCSA, MCSE 2000/2003, MCSA/MCSE Security, MCSD, MCDBA, MCSD, CNA, CCNA, MCDST, Oracle 8i/9i DBA, Certified Ethical Hacker) is a computer forensic senior professional at CSC. For four years, he served as the director of the MCSE and Network Security Program at the Computer Career Institute at Johns Hopkins University. For the 2006 academic year, he served as an assistant professor of computer information systems at Villa Julie College in Baltimore, Maryland. He taught courses in networking, Active Directory, Exchange, Cisco, and forensics. Jesse holds a bachelor's degree from George Mason University and a master's degree from the University of South Florida. He runs several Web sites, including mcsecoach.com, which is dedicated to helping people obtain their MCSE certification. He currently lives in Columbia, Maryland, with his wife, Kim, and son, Mason.

Craig Wright has personally conducted in excess of 1,200 IT security-related engagements for more than 120 Australian and international organizations in the private and government sectors and now works for BDO Kendall's in Australia. In addition to his consulting engagements, Craig has also authored numerous IT security-related articles. He also has been involved with designing the architecture for the world's first online casino (Lasseter's Online) in the Northern Territory. He has designed and managed the implementation of many of the systems that protected the Australian Stock Exchange. He also developed and implemented the security policies and procedural practices within Mahindra and Mahindra, India's largest vehicle manufacturer. He holds (among others) the following industry certifications: CISSP (ISSAP & ISSMP), CISA, CISM, CCE, GNSA, G7799, GWAS, GCFA, GLEG, GSEC, GREM, GPCI, MCSE, and GSPA. He has completed numerous degrees in a variety of fields and is currently completing both a master's degree in statistics (at Newcastle) and a master's degree in law (LLM) specializing in international commercial law (E-commerce Law). Craig is planning to start his second doctorate, a PhD in economics and law in the digital age, in early 2008.

Contents

Chapter 1  Computer Forensics in Today's World
  Introduction
  The History of Forensics
  The Objectives of Computer Forensics
  Computer-Facilitated Crimes
  Reasons for Cyber Attacks
  Computer Forensic Flaws and Risks
  Modes of Attack
  Computer Forensics: Rules, Procedures, and Legal Issues
  Digital Forensics
  Assessing the Case: Detecting/Identifying the Event/Crime
  Preservation of Evidence: Chain of Custody
  Collection: Data Recovery, Evidence Collection  10
  Examination: Tracing, Filtering, Extracting Hidden Data  11
  Analysis  12
  Approach the Crime Scene  13
  Where and When Do You Use Computer Forensics?  14
  Legal Issues  14
  The Computer Forensic Lab  15
  Laboratory Strategic Planning for Business  16
  Philosophy of Operation  16
  Core Mission and Services  17
  Revenue Definition  18
  SOP  19
  Human Talent  21
  Elements of Facilities Build-out  21
  Space Planning Considerations  22
  Fire Protection/Suppression  24
  Electrical and Power Plant Considerations  27
  LAN/WAN Planning  29
  HVAC  29
  Security  31
  Evidence Locker Security  32
  General Ambience  33
  Spatial Ergonomics  33
  Essential Laboratory Tools  34
  Write Blockers  36
  Media Sterilization Systems  45
  Data Management (Backup, Retention, Preservation)  46
  Portable Device Forensics: Some Basic Tools  48
  Portable Devices and Data Storage  50
  Forensic Software  51
  Tools in the Enterprise  54
  Ad Hoc Scripts and Programs  55
  Software Licensing  55
  Tool Validation  55
  Summary of Exam Objectives  56
  Exam Objectives Fast Track  56
  Exam Objectives Frequently Asked Questions  59
  Notes  60

Chapter 2  Systems, Disks, and Media  61
  Introduction  62
  File Systems and Hard Disks  62
  Overview of a Hard Disk  62
  Hard Disk Interfaces  74
  File Systems  75
  Windows XP  95
  Forensic Tools  99
  Digital Media Devices  101
  Magnetic Tape  102
  Floppy Disk  102
  Compact Discs and DVDs  102
  Blu-Ray  107
  iPod  107
  Zune  108
  Flash Memory Cards  108
  USB Flash Drives  108
  Image File Forensics  109
  Image Files  110
  Image File Formats  112
  Data Compression  117
  Locating and Recovering Image Files  120
  Image File Forensic Tools  121
  Steganography in Image Files  124
  Copyright Issues Regarding Graphics  124
  Summary of Exam Objectives  125
  Exam Objectives Fast Track  125
  Exam Objectives Frequently Asked Questions  130

Chapter 3  The Computer Investigation Process  133
  Introduction  134
  Investigating Computer Crime  134
  How an Investigation Starts  136
  The Role of Evidence  140
  Investigation Methodology  141
  Securing Evidence  143
  Chain of Evidence Form  148
  Before Investigating  149
  Professional Conduct  155
  Investigating Company Policy Violations  156
  Policy and Procedure Development  157
  Policy Violations  160
  Warning Banners  162
  Conducting a Computer Forensic Investigation  165
  The Investigation Process  165
  Evidence Assessment  171
  Acquiring Evidence  176
  Evidence Examination  182
  Documenting and Reporting of Evidence  187
  Closing the Case  189
  Summary of Exam Objectives  191
  Exam Objectives Fast Track  192
  Exam Objectives Frequently Asked Questions  195

Chapter 4  Acquiring Data, Duplicating Data, and Recovering Deleted Files  197
  Introduction  198
  Recovering Deleted Files and Deleted Partitions  198
  Deleting Files  199
  Recycle Bin  204
  Data Recovery in Linux  211
  Recovering Deleted Files  212
  Deleted File Recovery Tools  214
  Recovering Deleted Partitions  229
  Deleted Partition Recovery Tools  235
  Data Acquisition and Duplication  240
  Data Acquisition Tools  243
  Hardware Tools  250
  Backing Up and Duplicating Data  252
  Acquiring Data in Linux  254
  Summary of Exam Objectives  259
  Exam Objectives Fast Track  259
  Exam Objectives Frequently Asked Questions  262

Chapter 5  Windows, Linux, and Macintosh Boot Processes  265
  Introduction  266
  The Boot Process  266
  System Startup  266
  Loading MS-DOS  270
  Loading Windows XP  270
  Loading Linux  271
  The Macintosh Boot Process  272
  EFI and BIOS: Similar but Different  273
  Macintosh Forensic Software  274
  BlackBag Forensic Suite  275
  Carbon Copy Cloner  279
  Summary of Exam Objectives  283
  Exam Objectives Fast Track  283
  Exam Objectives Frequently Asked Questions  284

Chapter 6  Windows and Linux Forensics  287
  Introduction  288
  Windows Forensics  288
  Where Can You Locate and Gather Evidence on a Windows Host?  288
  What Is File Slack? How Can You Investigate Windows File Slack?  305
  How Can You Interpret the Windows Registry and Memory Dump Information?  307
  How Can You Investigate Internet Traces?  313
  How Do You Investigate System State Backups?  315
  Linux Forensics  319
  Why Use Linux as a Forensic Tool?  319
  File System Description  319
  The Challenges in Disk Forensics with Linux  327
  Popular Linux Forensics Tools  328
  Summary of Exam Objectives  347
  Exam Objectives Frequently Asked Questions  348

Chapter 7  Steganography and Application Password Crackers  351
  Introduction  352
  History of Steganography  352
  The Future of Steganography  354
  Classification of Steganography  354
  Background Information to Image Steganography  354
  Insertion  355
  Substitution  355
  Creation  356
  Six Categories of Steganography in Forensics  356
  Substitution System  356
  Transform Domain Techniques  356
  Spread Spectrum Techniques  357
  Statistical Methods  357
  Distortion Techniques  357
  Cover Generation Methods  357
  Types of Steganography  357
  Linguistic Steganography  358
  Text Semagrams  358
  Technical Steganography  358
  Embedding Methods  358
  Least Significant Bit  358
  Transform Techniques  358
  Spread Spectrum Encoding  359
  Perceptual Masking  359
  Application of Steganography  360
  Still Images: Pictures  360
  Moving Images: Video  360
  Audio Files  360
  Text Files  360
  Steganographic File Systems  361
  Hiding in Disk Space  361
  Unused Sectors  361
  Hidden Partitions  361
  Slack Space  361
  Hiding in Network Packets  362
  Issues in Information Hiding  362
  Levels of Visibility  362
  Robustness vs. Payload  362
  File Format Dependence  363
  Steg Tools  363
  Snow  363
  Steganos  364
  Gifshuffle  364
  Outguess  364
  Stegomagic  365
  Steganography vs. Watermarking  367
  Fragile  368
  Robust  368
  Attacking Watermarking  369
  Mosaic Attack  369
  2Mosaic  369
  Detecting and Attacking Steganography  369
  Detection  369
  Statistical Tests  369
  Stegdetect  370
  Stegbreak  370
  Visible Noise  370
  Appended Spaces and "Invisible" Characters  370
  Color Palettes  370
  Attacking Steganography  370
  Application Password Cracking  372
  Types of Password Cracking  373
  Password-Cracking Tools  375
  Common Recommendations for Improving Passwords  378
  Standard Password Advice  379
  Summary of Exam Objectives  380
  Exam Objectives Fast Track  381
  Exam Objectives Frequently Asked Questions  385

Chapter 8  Computer-Assisted Attacks and Crimes  387
  Introduction  388
  E-mail Clients and Servers  388
  E-mail Clients  390
  E-mail Servers  390
  E-mail Crimes and Violations  390
  Spamming  390
  Mail Bombing  391
  Mail Storm  391
  Sexual Abuse of Children in Chat Rooms  392
  Child Pornography  392
  Harassment  392
  Identity Fraud  392
  Chain Letter  393
  Sending Fakemail  393
  Investigating E-mail Crimes and Violations  394
  Examining the E-mail Message  394
  Copying the E-mail Message  394
  Printing the E-mail Message  395
  Viewing the E-mail Headers  396
  Examining the E-mail Header  398
  Microsoft Outlook  402
  E-Mail Messages, UNIX, and More  404
  Tracing an E-mail Message  404
  Tools and Techniques to Investigate E-mail Messages  405
  Handling Spam  410
  Network Abuse Clearing House  410
  Protecting Your E-mail Address from Spam  411
  Anti-Spam Tools  411
  Investigating Denial-of-Service Attacks  412
  DoS Attacks  412
  Types of DoS Attacks  413
  DDoS Attacks  416
  DoS Attack Modes  419
  Indications of a DoS/DDoS Attack  421
  Challenges in the Detection of a DoS Attack  421
  Investigating Web Attacks  422
  Types of Web Attacks  422
  Example of an FTP Compromise  432
  Intrusion Detection  433
  Exam Objectives Summary  435
  Exam Objectives Fast Track  435
  Exam Objectives Frequently Asked Questions  438

Chapter 9  Investigating Network Traffic and Investigating Logs  441
  Introduction  442
  Overview of the OSI Model  442
  Layers of the OSI Model  442
  Network Addresses and NAT  444
  Network Information-Gathering Tools  445
  Sniffers  445
  Intrusion Detection  445
  Snort  446
  Gathering Snort Logs  446
  Building an Alerts Detail Report  448
  Building an Alerts Overview Report  451
  Monitoring User Activity  453
  Tracking Authentication Failures  454
  Identifying Brute Force Attacks  458
  Tracking Security Policy Violations  460
  ...

... identifies the crime, along with the computer and other tools used to commit the crime. Then he gathers evidence and builds a suitable chain of custody. The investigator must follow these procedures ...

... collecting all the information, the investigator can then list the steps that can be taken during the investigation and then begin. Caution: it is not necessary to seize the entire system. Identify the relevant ...