book1 training document library


Computer Forensics, Second Edition

LIMITED WARRANTY AND DISCLAIMER OF LIABILITY

THE CD-ROM THAT ACCOMPANIES THE BOOK MAY BE USED ON A SINGLE PC ONLY. THE LICENSE DOES NOT PERMIT THE USE ON A NETWORK (OF ANY KIND). YOU FURTHER AGREE THAT THIS LICENSE GRANTS PERMISSION TO USE THE PRODUCTS CONTAINED HEREIN, BUT DOES NOT GIVE YOU RIGHT OF OWNERSHIP TO ANY OF THE CONTENT OR PRODUCT CONTAINED ON THIS CD-ROM. USE OF THIRD-PARTY SOFTWARE CONTAINED ON THIS CD-ROM IS LIMITED TO AND SUBJECT TO LICENSING TERMS FOR THE RESPECTIVE PRODUCTS.

CHARLES RIVER MEDIA, INC. (“CRM”) AND/OR ANYONE WHO HAS BEEN INVOLVED IN THE WRITING, CREATION, OR PRODUCTION OF THE ACCOMPANYING CODE (“THE SOFTWARE”) OR THE THIRD-PARTY PRODUCTS CONTAINED ON THE CD-ROM OR TEXTUAL MATERIAL IN THE BOOK, CANNOT AND DO NOT WARRANT THE PERFORMANCE OR RESULTS THAT MAY BE OBTAINED BY USING THE SOFTWARE OR CONTENTS OF THE BOOK. THE AUTHOR AND PUBLISHER HAVE USED THEIR BEST EFFORTS TO ENSURE THE ACCURACY AND FUNCTIONALITY OF THE TEXTUAL MATERIAL AND PROGRAMS CONTAINED HEREIN. WE HOWEVER, MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, REGARDING THE PERFORMANCE OF THESE PROGRAMS OR CONTENTS. THE SOFTWARE IS SOLD “AS IS” WITHOUT WARRANTY (EXCEPT FOR DEFECTIVE MATERIALS USED IN MANUFACTURING THE DISK OR DUE TO FAULTY WORKMANSHIP).

THE AUTHOR, THE PUBLISHER, DEVELOPERS OF THIRD-PARTY SOFTWARE, AND ANYONE INVOLVED IN THE PRODUCTION AND MANUFACTURING OF THIS WORK SHALL NOT BE LIABLE FOR DAMAGES OF ANY KIND ARISING OUT OF THE USE OF (OR THE INABILITY TO USE) THE PROGRAMS, SOURCE CODE, OR TEXTUAL MATERIAL CONTAINED IN THIS PUBLICATION. THIS INCLUDES, BUT IS NOT LIMITED TO, LOSS OF REVENUE OR PROFIT, OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE PRODUCT.

THE SOLE REMEDY IN THE EVENT OF A CLAIM OF ANY KIND IS EXPRESSLY LIMITED TO REPLACEMENT OF THE BOOK AND/OR CD-ROM, AND ONLY AT THE DISCRETION OF CRM.

THE USE OF “IMPLIED WARRANTY” AND CERTAIN “EXCLUSIONS” VARIES FROM STATE TO STATE, AND MAY NOT APPLY TO THE PURCHASER OF THIS PRODUCT.

Computer Forensics: Computer Crime Scene Investigation, Second Edition
John R. Vacca
CHARLES RIVER MEDIA, INC.
Boston, Massachusetts

Copyright 2005 Career & Professional Group, a division of Thomson Learning, Inc. Published by Charles River Media, an imprint of Thomson Learning Inc. All rights reserved. No part of this publication may be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means or media, electronic or mechanical, including, but not limited to, photocopy, recording, or scanning, without prior permission in writing from the publisher.

Cover Design: Tyler Creative

CHARLES RIVER MEDIA
25 Thomson Place
Boston, Massachusetts 02210
617-757-7900
617-757-7969 (FAX)
crm.info@thomson.com
www.charlesriver.com

This book is printed on acid-free paper.

John R. Vacca. Computer Forensics: Computer Crime Scene Investigation, Second Edition.
ISBN: 1-58450-389-0
ISBN-13: 978-1-58450-389-7
eISBN: 1-58450-637-7

All brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse (of any kind) of service marks or trademarks should not be regarded as intent to infringe on the property of others. The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products.

Library of Congress Cataloging-in-Publication Data
Vacca, John R.
Computer forensics : computer crime scene investigation / John R. Vacca. 2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 1-58450-389-0 (pbk. with cd-rom : alk. paper)
Computer security. Computer networks: security measures. Forensic sciences. I. Title.
QA76.9.A25V33 2005
005.8 dc22
2005007521

Printed in the United States of America 07

CHARLES RIVER MEDIA titles are available for site license or bulk purchase by institutions, user groups, corporations, etc. For additional information, please contact the Special Sales Department at 800-347-7707.

Requests for replacement of a defective CD-ROM must be accompanied by the original disc, your mailing address, telephone number, date of purchase and purchase price. Please state the nature of the problem, and send the information to CHARLES RIVER MEDIA, 25 Thomson Place, Boston, Massachusetts 02210. CRM’s sole obligation to the purchaser is to replace the disc, based on defective materials or faulty workmanship, but not on the operation or functionality of the product.

In memory of Giacchi and Agrippina

Contents

Acknowledgments xix
Foreword xxi
Introduction xxv

Part I Overview of Computer Forensics Technology

Computer Forensics Fundamentals
Introduction to Computer Forensics
Use of Computer Forensics in Law Enforcement
Computer Forensics Assistance to Human Resources/Employment Proceedings
Computer Forensics Services 10
Benefits of Professional Forensics Methodology 17
Steps Taken by Computer Forensics Specialists 18
Who Can Use Computer Forensic Evidence? 18
Case Histories 24
Case Studies 27
Summary 28
Chapter Review Questions and Exercises 31
Hands-On Projects 33
References 34

Types of Computer Forensics Technology 35
Types of Military Computer Forensic Technology 36
Types of Law Enforcement: Computer Forensic Technology 38
Types of Business Computer Forensic Technology 52
Specialized Forensics Techniques 57
Hidden Data and How to Find It 61
Spyware and Adware 61
Encryption Methods and Vulnerabilities 63
Protecting Data from Being Compromised 64
Internet Tracing Methods 65
Security and Wireless Technologies 69
Avoiding Pitfalls with Firewalls 71
Biometric Security Systems 72
Summary 73
Chapter Review Questions and Exercises 77
Hands-On Projects 79
References 81

Types of Computer Forensics Systems 83
Internet Security Systems 84
Intrusion Detection Systems 91
Firewall Security Systems 99
Storage Area Network Security Systems 108
Network Disaster Recovery Systems 112
Public Key Infrastructure Systems 113
Wireless Network Security Systems 115
Satellite Encryption Security Systems 118
Instant Messaging (IM) Security Systems 125
Net Privacy Systems 126
Identity Management Security Systems 129
Identity Theft 137
Biometric Security Systems 141
Homeland Security Systems 143
Summary 145
Chapter Review Questions and Exercises 148
Hands-on Projects 150
References 151

Vendor and Computer Forensics Services 153
Occurrence of Cyber Crime 154
Cyber Detectives 155
Fighting Cyber Crime with Risk-Management Techniques 156
Computer Forensics Investigative Services 162
Forensic Process Improvement 167
Course Content 176
Case Histories 180
Summary 182
Chapter Review Questions and Exercises 184
Hands-On Projects 186
References 186

Part II Computer Forensics Evidence and Capture 189

Data Recovery 191
Data Recovery Defined 191
Data Backup and Recovery 192
The Role of Backup in Data Recovery 200
The Data-Recovery Solution 203
Hiding and Recovering Hidden Data 206
Case Histories 209
Summary 212
Chapter Review Questions and Exercises 214
Hands-On Projects 216
References 216

Worm: A class of mischievous or disruptive software whose negative effect is primarily realized through rampant proliferation (via replication and distribution of the worm’s own code). Replication is the hallmark of the worm. Worm code is relatively host-independent, in that the code is self-contained enough to migrate across multiple instances of a given platform, or across multiple platforms over a network (network worm). To replicate itself, a worm needs to spawn a process; this implies that worms require a multitasking operating system to thrive. A program or executable code module that resides in distributed systems or networks. It will replicate itself, if necessary, in order to exercise as much of the systems’ resources as possible for its own processing. Such resources may take the form of CPU time, I/O channels, or system memory. It will replicate itself from machine to machine across network connections, often clogging networks and computer systems as it spreads.

Zip: To zip (notice the lower case z) a file is to compress it into an archive so that it occupies less disk space.

Zip archive: An archive of one or more Zip-compressed files. When used as a noun, Zip is typically capitalized. Compressed files can come in many formats besides Zip.

Zip file: A Zip archive that Windows presents as a single file. In general, the contents cannot be accessed unless the archive is decompressed.

Index

3COM Corporation, 293
8lgm, 791
12WAR defined, 802
802.11b standard, security measures in, 116, 117, 579
2600, 791

A

Abuse of privilege, 791. See also Internet, abuse, detection of
Acceptable level of risk, 791. See also Risk assessment
Acceptable use policy, 791
Access, controlling: corporate information, 295–296, 300, 312, 330; in identity management, 133, 150; in IW, 337, 477, 496; overview, 88–90, 104–106; Web services/file sharing, 325–326
AccessData, 709
Accountability, 791 Accuracy, 791 Acme of skill, 791 Acquiring bank defined, 87 ACR Data Recovery, Incorporated, 782 Active attack, 791 Act of War defined, 591–592 Adapter, 791 Addresses MAC filtering, 117, 679 source, 650–651 Administrator privileges, 529 Admissibility of evidence, 6, 29, 155, 220, 230, 235, 248, 254 Advanced Computer Forensic Checklist Form, 777–779 Advanced encryption standard (AES), 631, 632 Advanced WWW count counter, 792 Adware described, 61–63 AES (Advanced encryption standard), 631, 632 Aggregation in digital identity management, 130 Agricultural bioterrorism targets, 430–431 Air power in counterterrorism, 392–394, 462, 465, 519 Algerian Armed Islamic Group (GIA), 416 Al-Muhajiroun (The Emigrants), 417 Ambient data, 792 American Bankers Insurance Company of Florida v Caruth et al, 319 American Fundware, Inc., Computer Associates International, Inc v., 320 American International Group (AIG), 598 America Online (AOL), 605 Ames, Aldrich, 434 AnaDisk software described, 43–44 Angle of arrival method, 557 Anna Kournikova worm, 598 Anomalies, identifying, 245–246, 655–656, 792 Anonymity and IW, 604–606 in log file retrieval, 650–653 Anonymizers and encryption, 497, 604–605 Web surfing with, 650, 653 Anonymous FTP, 792 Answers to review questions and exercises, 725–745 Antennae in PLS, 556, 557, 560 Antivirus software, 792 configuring, 56, 57, 707 in IW, 388 prevalence of, 270 AOL (America Online), 605 Appliances, 656–657 Application, 792 Application gateway, 792 Application service providers (ASPs) and network security, 486, 487, 488, 665 ARP (Address Resolution Protocol) cache, 679 Article 41, US charter, 592 Article 51, US charter, 592 Artifacts as evidence, 226 ASCII, 688, 690 ASIM (Automated Security Incident Measurement), 792 ASPs See Application service providers (ASPs) and network security Assurance, 792 Asynchronous attacks, 792 Attack, 792 Attackers, identifying, 161, 167–172, 186, 453–459 Attacks archived postings, accessing, 171 
data-driven, 107, 797 information, 803 from inside, 161–162 investigating, 97, 586, 658–660 leapfrog, 806 packet-level, 98 passive, 810 reconstructing, 229 responding to, 159–160 technical, 815 types of, 338, 470, 476–477, 504 wireless, 115–116 Attitudes, 792 See also Security, awareness AT&T Research, 652 Audits documents, searching, 11, 79, 273, 568 and firewalls, 103 in identity management, 133, 151 networks, 696–699, 701 of privacy policies, 489 security policy, 696–699, 813 techniques, 695–699 Audit trail, 793 Aum Shinrikyo and IW, 342, 427, 428 Authentication of cellular telephones, 611–612 of data, 76, 97, 182, 236, 243, 264, 677–678 digital signatures, 248, 259 of evidence, 182 of identity, 122, 133, 135 identity management security systems, 258–259 of images, 260–264, 266, 268, 284 of messages, 634 and offensive containment IW, 478–480 of online payment information, 87 by TCP/IP, 97–98, 288 time stamps in, 263–264 Authenticode described, 260–265, 271, 272 Autokey, 291 Automated Security Incident Measurement (ASIM), 792 Autoresponders, 793 Aviation safety, 571 AVS/Express described, 316–317 Azzam Publications, 419 B Back doors in cyberterrorism, 508, 521 819 820 Index described, 793 information, obtaining, 658 Back Orifice, 644 Backup procedures analysis of, 228–229 and data recovery, 192–203, 212–213, 243 features, recommended, 199–200 future of, 194–195 mirroring in, 201, 202, 214, 808 obstacles to, 193–194, 214–215 SANs in, 108–109, 194–195, 213 viruses and, 388 Backup window defined, 197 Bandwidth and data backup, 193 defined, 793 fiber-channel connections, 111 Bank accounts and identity theft, 140, 150 Bank defined, 793 Bankruptcy and identity theft, 140 Basic psyop study (BPS), 793 Battlefield visualization, 793 Battlespace, 793 BellSouth, 600 Berryhill Computer Forensics, 715 Best evidence rule defined, 236, 237, 239, 257, 279 Between-the-Lines entry, 793 BIND (Berkeley Internet Name Domain), 324–325 Bin Laden, Osama, 417, 418, 454–459, 461 Binning 
defined, 319 BioFusion, 617–618 Biological agents in terrorism, 402–403, 427–428, 431 Biometric security systems cost of, 483 described, 72–73, 78–79, 141–142, 147, 283 and offensive containment IW, 478–480 privacy and, 483 samples, collecting, 479 BIOS, 793 BIOS level copying, 269 Bioterrorism, 430–433 Bit stream image backups in evidence preservation, 239, 241, 243, 676 Black bag jobs, 552, 553 BLOB, 793 Block hash values, generating, 263–264, 268 Block-level incremental backup defined, 198 Blowfish, 631 Blue box devices, 794 Bmap tool described, 208 BMC41, 794 Bomb-making materials, obtaining, 420 Boot process, understanding, 180, 794, 795 Boot record, 794 Bootstrap, 794 BPS (Basic psyop study), 793 Brand Name Prescription Drug Antitrust Litigation, 319 Bricsnet, 665 Bristol-Meyers-Squibb Company, 291–292 Britain, IW policy, 494 Broadband Internet service, 578 Browsers and cookies, 565–566 Bugging devices See Surveillance, electronic Bulletin board, 794 Bus defined, 794 Business technology, types of, 52–61 See also individual software by name C C2 Attack, 794 C2 Protect, 794 C2W See Command and control warfare (C2W) C3, 794 C3I, 794 C4I (Command, control, communication, and computer intelligence), 495, 794 C4ISR, 794 Cache defined, 795 Call counting, 612 Calling patterns, tracking, 613 Campaign for Defense of Legitimate Rights (CDLR), 416–417 Card defined, 794 Carnivore software, 528–529, 552 Cartridges, information stored on, 272 Caruth et al, American Bankers Insurance Company of Florida v., 319 Case histories data erasure, 26–27 data recovery, 209–212 evidence integrity/reproducibility, 24–25 forensic response, planned, 180–182 fraud investigations, 25–26 Case studies civil litigation, 723, 724 computer forensics, 718–719 data recovery, 27–28, 304, 717–718, 719 email recovery, 721–723 employees, disgruntled, 722–724 industrial espionage, 720, 721 pornography, 719 CCIPS Searching and Seizing Computers, 716 cDc (Cult of the Dead Cow Communications), 421 CDLR 
(Campaign for Defense of Legitimate Rights), 416–417 CDMA (Code division multiple access) cellular telephones, 610 CD-ROM technology in evidence collection, 269 Cell-Loc Incorporated, 551 Cellular One, 608 Cellular telephones authentication of, 611–612 cloning of, 609, 611, 612 encryption of, 638–639 frequency bands of, 610 tracking, 549–551, 561–563, 609–613 CEMP See Comprehensive emergency management procedures (CEMP) Censorship and encryption, 637–638 Center for Democracy and Technology, 711 Central processing unit (CPU), 796 Ceramics, piezoelectric in simulation of movement, 537 CERT/CC (CERT Coordination Center), 266, 267, 654, 795 Certificate authorities described, 262–263 in identity verification, 89 Certified information systems security professional (CISSP), 173, 174, 175, 675 Certified Internet Webmaster (CIW), 173 CESA (Cyberspace Electronic Security Act), 494, 552 CFIRP See Computer Forensic Incident Response Procedures (CFIRP) overview CFX-2000 See Computer Forensics Experiment 2000 (CFX-2000) CGI-BIN, 795 CGI email, 795 Chain of custody defined, 247 documentation, 321, 695 establishing, 18, 19, 65 and evidence notebooks, 250 in evidence preservation, 228–229, 236, 251, 255, 679–680 maintaining, 281, 282 Charlemagne Hammer Skins, 420 Chemical agents in terrorism, 402–403, 427–428, 431 Chicago Convention, 596 Chief Information Officers (CIOs) functions of, 294–296, 299–300 in security policy implementation, 270, 424 Children exploitation of, evidence gathering in, 13 protecting, 128, 232, 535 tracking, 564 China See People’s Republic of China Chipping described, 388–389, 508, 521, 545, 595 Index The Chubb Group, 599 CIAO (Critical Infrastructure Assurance Office), 430, 588 CIP (Critical Infrastructure Protection), 795 CISSP See Certified information systems security professional (CISSP) Civil communication in society, 349 Civilian Casualties: The Victims and Refugees of Information Warfare Checklist Form, 776 Civilians in IW, 585–587, 618–619 networks, 
protecting, 544 Civil litigation case studies, 723, 724 and computer forensic specialists, 8, 18, 31, 166 electronic evidence in, 20, 74, 279 and email, 10, 319 sources of, 30–31 CIW See Certified Internet Webmaster (CIW) Click defined, 795 Clipper Chip, 494, 597 Clock filters, 290–291 Cloning of cellular telephones, 609, 611, 612 Closed community model of identity management, 134 Cluster defined, 795 CMOS defined, 795 CNN.com, 597 COCOM (Coordinating Committee for Multilateral Strategic Export Controls), 638 Code, malicious, 358, 642 Cold boot defined, 795 Cold war mentality, limitations of, 378–379 Collaborations in IW preparation, 375–376 Collaborative Virtual Workplace (CVW), 543, 544, 545 Collection of biometrics, 142 Command, control, communication, and computer intelligence (C4I), 495 Command and control warfare (C2W) applied, 383, 410 described, 380–383, 409, 794 Communications attacking, 351, 516–517 identifying, 50 and LBS, 551 and psyops, 367 systems in IW, 586 truth in, 348–350 Company private information defined, 85 Comparison/matching of biometrics, 142 Competition Act, 283 Comprehensive emergency management procedures (CEMP), 144 Computer and Internet Security Resources, 713 Computer Associates International, Inc v American Fundware, Inc, 320 Computer clocks, mechanism of, 289 Computer crime evolution of, 4, 287, 310 financial gains, average, investigating, 155 overview, 5–6, 154–155, 184 prevalence, 153, 681 regulating, 358–359 resources, 711 Computer Crimes and Technology Links, 713 Computer evidence defined, 795 See also Evidence, electronic Computer Expert and Computer Forensics Consultant, Judd Robbins, 715 Computer Forensic Incident Response Procedures (CFIRP) overview, 158–162 Computer forensics costs, personnel, 680 described, 3–8, 29–31, 35, 75–76, 297, 299, 705, 795–796 documentation in, 42, 77, 177, 227, 236, 245, 246, 321, 660, 676 future of, 684–685, 699–700 history of, 280, 495–497 limitations, 18, 281–282 methodology, 17–18, 21–24, 32, 
42, 57–61, 675 priority, 6–7, 659–660, 673–674 resources, 709–712 technology checklists, 747–753 Web pages related to, 713–716 Computer Forensics, Incorporated, 782 Computer Forensics Experiment 2000 (CFX-2000), 36–38 Computer Forensics FAQ, 715 Computer Forensics Laboratories, 783 Computer Forensics Online, 715 Computer forensic specialists attributes, required, 647–648, 660, 685–701 certification, 173–175 choosing, 8–9, 660 described, 7, 19–20, 32–33, 76 employers of, 8, 18, 31, 182 salary of, 647 service levels offered, 14–15 services offered, 10–17, 55–56, 78, 162–167, 182 training, 51–52, 55, 172, 175–180, 185 Computer-free encryption, 629–630 821 Computer Image Verification and Authentication Checklist Form, 758–759 Computer investigations defined, 796 Computer Knowledge, 711 Computers architecture, changes in, 23 and cyberterrorism, 433–438, 451 disabling, 470 evolution of, 284 log files, retrieving, 650–653 molecular, 542 remote monitoring of, 52–53 role of in crime, 6, 280, 674 sabotage of, 663–666 security testing, 640–641 vulnerabilities of, 280–281, 284, 516 seizure, USDOJ guidelines, 715 stolen, recovery of, 53–55, 77 Computer searching programs described, 477 Computer Security Institute, 640, 674 Computer Security Resource Center, 640 Concept learning, supervised, 572–573 Conclusions, verifying, 30 Conditioning defined, 71 Conflict, low-level, 592 Consultation services, 7, 15–16 Containment in IW tactics, 380–383 Context menu, 796 Control of agent-based systems (CoABS) in IW, 375 Conxion, 491 Cookies, 564–566, 567, 582, 604, 796 Coordinating Committee for Multilateral Strategic Export Controls (COCOM), 638 Copper media and EMP attack, 518 Coppolino standard defined, 237 Copy mode, SafeBack, 40 Copy process, characteristics of, 250, 327 CopyQM software described, 43, 44–47 Copyright infringement, detecting, 569 Corporate information (CI) described, 292–296 Corporations and computer forensic specialists, 8, 18, 282 cybersecurity policy, implementing, 
475–476 and industrial espionage, 291–296 and IW, 341–343, 364–365, 436, 469–476, 501–502 IW tactics, defensive, 472–475, 483, 487–490 offensive IW, recovery from, 476–480, 490–501 security policy, establishing, 148 822 Index and terrorist groups, 471–472 Counterpane Internet Security, Incorporated, 712 Counterterrorism activities of the FBI, air power in, 392–394, 462, 465, 519 policy, US, 390–393, 463, 466 rogue IW, 397–402 space power in, 392–394 Countries with IW capabilities, 355, 368, 461 CPU (Central processing unit), 796 Crash defined, 796 Credit card association defined, 88 Credit cards data recovery of, 210 fraud defined, 699 losses, reducing, 483 and identity theft, 139 transactions, processing, 797 Credit reports and identity theft, 608 Crime scene, preserving, 238–239 Criminal law, electronic evidence in, 20, 74, 166, 279 Criminal prosecutors and computer forensic specialists, 8, 18, 31 Criminals, tracking, 553–564, 645 Critical Infrastructure Assurance Office (CIAO), 430, 588 Critical Infrastructure Protection (CIP), 795 Cross-linked files, 796 Crowds, 652 Cryptography resources, 712 CSI/FBI Computer Crime and Security Survey, 2003 on attack points, 154, 165 on intrusion detection systems, 156 Cuba and IW, 461 Cult of the Dead Cow Communications (cDc), 421 Customer data, selling, 487, 488 Customer defined, 88 Customer Issuing Bank defined, 88 Customizable missing docs page, 796 CY4OR, 784 Cyber Agents, Incorporated, 783 CyberArmy in IW-D, 406–407 Cyberattacks economic burden of, 601 planning/launching, 481–482 CyberCash(c), 797 Cyber crime See Computer crime Cyberdisarmament, proponents of, 363 CyberEvidence, 783 Cyber forensics See Computer forensics Cyberincident Steering Group, 341–342 Cyberinsurance, 166–167 Cybersecurity, strengthening, 343 Cyberspace Electronic Security Act (CESA), 494, 552 Cyberspace Policy Institute of George Washington University, 639 Cyberterrorism back doors in, 508, 521 computers and, 433–438, 451 countermeasures, 389–394, 
530–532, 680–681 described, 379, 391, 411, 423, 463 effects of, 400–402, 425, 600, 644–645 on the Internet, 417, 420, 424, 460, 597 public key encryption and, 424–425 risk management, 156–162, 502, 503 worms in, 508, 545, 595 Cyberwarfare See also Information warfare (IW) described, 340–341, 380 disadvantages, 341 military strategy in, 350–354, 359–360, 371–374, 376–377, 392–394, 580 D DARPA agent markup language (DAML), 374–375 DARPA (Defense Advanced Research Projects Agency) on IW capabilities, 354, 372–373, 588 Data ambient, 792 archiving, 198 compression, 180 converting, 304–310 copy process, characteristics of, 250 defined, 797 distribution, impact of, 570–573 duplication/preservation of, 11, 15–16, 163–164, 185 encryption, 51, 64–65 (See also Encryption) erasure case histories, 26–27 discovering, 52, 71, 95, 180 exporting, 106 hiding techniques, 43, 51–52, 71, 178, 206–209, 297–298, 498 identification of, 287–288 persistence, 213, 496 protection measure tips, 488, 683, 706–707 recovery (See Data recovery) retention in crime investigation, 359 seizure described, 11, 21, 53 rules of, 230, 715 storage/analysis of, 251–252 testing, 308 and text, structured, 575 unrecoverable, 706 vulnerability of, 628–629 Databases data mining in, 569–577, 605 files, searching, 307, 308, 309 forensic, for networks, 318–319 hidden, 71 Data-driven attacks defined, 107, 797 Data encryption standard (DES), 631, 632 DataHaven Project Inc Web site url, 421 Data mining, 569–577 Data objects defined, 327 Data recovery automated, 205–206 backup and, 192–203, 212–213, 243 case studies, 27–28, 304, 717–718, 719 described, 11, 15, 61, 191–192, 203–206, 214, 705–708 of email, 216, 467, 546, 623 exercises, 186 from fax machines, 10, 183 financial records, 10, 278 on hard disks, 7, 496 hidden, 206–209 from laptop computers, 27, 210, 240 on linux systems, 207–209, 213 principles of, international, 329 software for, 496 on Unix systems, 207, 216, 505, 677, 678, 679 Data Recovery Checklist Form, 
755–756 Data storage media duplication of, 14 examination of, 22 Data theft via wireless systems, 116 Data warehouse, stages of, 317, 328 DAT (digital audio tapes) tapes, data recovery from, 28, 211 Dates, decoding, 70 Datum defined, 797 Daubert standard defined, 237 DBA (Dominant battlespace awareness), 797 DBK (Dominant battlespace knowledge), 797 DDOS attacks See Distributed denial of service (DDOS) attacks Dead Addict, 645 Deception defined, 797 Deception network as countermeasure, 530–531 Decision defined, 797 DEE See Discovery of electronic evidence (DEE) Index Defense Advanced Research Projects Agency (DARPA) on IW capabilities, 354, 372–373, 588 Defense information infrastructure (DII), 797 Defensive counterinformation, 797 Defensive Strategies for Governments and Industry Groups Checklist Form, 765–768 Defragment, 707, 797 Degradation of service, 797 Democracy and IW defense, 596–597 Denial of service (DOS) attacks See also Distributed denial of service (DDOS) attacks in cyberterrorism, 424, 597 defined, 798 and IDSs, 653–656 thwarting, 480–481, 490 Denial time defined, 798 Departmental information defined, 85 Department of Defense (DoD) in IW, 588, 594–595 Department of Health and Human Services (HHS), 432, 614, 615 DES (Data encryption standard), 631, 632 Deterrence as response to attacks, 159–160, 299, 354, 392, 590, 621 Diablo, 644 Differential GPS, 526 Diffie-Hellman scheme for data encryption, 86, 87, 291, 635, 636 Digital Angel chip, 550 Digital certificates described, 271 in PGP, 123, 124 types of, 89, 262, 264 Digital evidence bags (DEBs) described, 37 Digital identity See Digital certificates; Identity management security systems Digital Intelligence Incorporated, 709 Digital Mountain, Incorporated, 784 Digital signatures authentication of log files, 248 of software, 259 described, 263 matching, 655–656 penetration, 811 and PKI, 113, 114 RSA standard for, 64 Dig-x utility defined, 168 DII (Defense information infrastructure), 797 Direct Access 
Memory (DMA), 798 Directed-energy protective measures, 798 Direct information warfare, 798 Directory defined, 798 DIRT-CDS (Data Interception by Remote Transmission from Codex Data Systems) described, 52–53 Disaster recovery systems networks, 112–113 Discount rate defined, 88 Discovery of electronic evidence (DEE) as litigation tool, 278–281 overview, 277–278, 281 Discovery of Electronic Evidence (DEE) Checklist Form, 759–760 Disks See also Floppy disks; Hard disks; RAID (redundant array of independent disks) disks duplication of, 44–47 matching, 51 structure, understanding, 51, 179 Disk space defined, 798 Distributed denial of service (DDOS) attacks classification of, 117–118 and IDSs, 654 prevalence, 269, 325, 439 tracing, 183, 330–331 DLT (digital linear tapes), preserving, 33 DMA (Direct Access Memory), 798 Documentary evidence, 183, 278–279, 283 Documentation in computer forensics, 42, 77, 177, 227, 236, 245, 246, 321, 660, 676 Documents authenticity, proving, 29, 74, 312 in computer forensics, 42, 77, 177, 227, 236, 245, 246, 321, 660, 676 encrypting with PKI, 113 recovering, 61, 279 searching, 11, 79, 273, 568 storage, 76 traceable, creating, 53, 566–569, 583 DoDi, 443 Domain name registration, 798 Domain Name Service (DNS) in intrusion detection, 324–325 Dominant battlespace awareness (DBA), 797 Dominant battlespace knowledge (DBK), 797 DOS attacks See Denial of service (DOS) attacks DOS operating system, security of, 280 Dow Chemical, 616 Dragonflies, mechanical, 536–538 DRAM (Dynamic random access memory), 798 Driver defined, 799 Driver firmware, data erasure on, 26 Duplication and Preservation of Digital Evidence Checklist Form, 757–758 823 Dutch Shell Group, 295 Dynamic ports, assigning, 72 Dynamic random access memory (DRAM), 798 E Echelon, 475, 495, 616, 617 E-commerce investigations, software for, 46–47 Economic crime defined, 699 Economic espionage See Industrial espionage Economic information warfare, 799 e-Fense, Incorporated, 785 EIDE (Enhanced 
integrated drive electronics), 799 Electrical power, disruption of in IW, 446, 588–589 Electrohippies, 491 Electromagnetic bombs defense against, 515–517 delivery of, 513–515, 517–518 described, 509–510 limitations of, 517–518 proliferation of, 518–519 targeting, 512–513 technology of, 511 Electromagnetic intrusion, 799 Electromagnetic pulse (EMP), applications in IW, 444, 445, 509, 510–511, 546, 581 See also Electromagnetic bombs Electronic hardness defined, 510, 516 Electronic jamming, 522 Electronics intelligence (ELINT), 799 Electronics security, 799 Electronic surveillance See Surveillance, electronic Electronic warfare (EW) described, 381, 409, 799 Electro-optical intelligence (ELECTRO-OPTINT), 799 El-Hage, 455–456 Eligible Receiver, 434 e-Mag Solutions, 785 Email accounts, 799 aliases, 799 anonymous, 651 case studies, 721–723 CGI, 795 civil litigation and, 10 copies, providing, 34 data recovery of, 216, 467, 546, 623 destruction of, 319–320, 330 encryption of, 63, 64, 497 evaluation and company policy, 242 forwarding, 799 mailing lists, mini, 799–800 Majordomo list, 807 message contents, hiding, 120–121 retention policies, 320 824 Index storage of, 10, 183 tracing methods, 25, 65–69 transactions, one/two-way, 122 wiretapping, 529–532, 545 Embezzlement investigating, 185, 312 prevalence of, 241 Emergency management defined, 144 The Emigrants (Al-Muhajiroun), 417 EMP (Electromagnetic pulse) in IW, 444, 445 Employees and computer sabotage, 664, 665, 670–671, 702 in security, 267, 485, 659, 674, 720 Employer Safeguard Program described, 9–10 Employers of computer forensic specialists, 8, 182 Employment proceedings and computer forensic specialists, 9–10, 273, 312 data recovery for, 505 Encase software, 676 Encryption anonymizers, 497, 604–605 of cellular telephones, 638–639 computer-free, 629–630 of data, 51, 64–65 of email, 63, 64, 497 future of, 499–500, 666–667 hashes in, 263–264, 268, 634, 677 and IW defensive tactics, 493–495 methods/vulnerabilities, 63–64, 
179, 268, 636 open-source software for, 500 prevention vs detection, 120 and privacy, 90, 627–628 public key (See Public key encryption) purpose of, 628 regulation of, 637–640 satellite (See Satellite encryption security systems) symmetric, 630–632 English Civil Evidence Act of 1968, 28, 29 Enhanced 911 (E911), 551, 554, 561 Enhanced integrated drive electronics (EIDE), 799 Enhanced signal strength (ESS) method, 560, 563 Enmeshing phenomenon, 473 Entrapment, 800 Environmentalists, terrorism by, 404 Escrowed encryption, 494–495, 597 Essential elements of friendly information, 800 Ethics of information warfare (IW), 590–597, 619–620 Eudora, 68 Event reconstruction described, 30, 303–304, 309 procedure, 304–305 Evidence admissibility, 6, 29, 155, 220, 230, 235, 248, 254 authentication, 182 collection legal requirements, 247–253, 272, 327 methodology, 164–165, 218–219, 224–230, 263 overview, 70, 217–218, 229–231, 309, 684 processing procedures, 39, 42, 58, 177, 221, 239–247, 254–255 services, obtaining, 163–164 copy process, characteristics of, 250 defined, 20 documentary, 183, 278–279, 283 electronic converting, 304–310 damaging of, 321–323 defined, 327, 700 problems with, 18, 65, 74, 75, 235, 254 procedures, 3, 19, 38, 327, 673–676, 693–695, 700 storing, 37 integrity/security of, 7, 24–25, 41, 98, 106, 258, 268, 307 legal tests for, 21–22, 58–60, 79 notebook, maintaining, 249–251, 321–322, 678 preservation, 17–18, 39, 59, 239, 241, 250, 254, 679–680, 686 proving, 23 rules of, 220–223, 232, 236–238 standards, 237, 320 trace, value of, 10 types of, 20, 219 volatile, 223 Evidence Collection and Data Seizure Checklist Form, 756–757 Evidence Identification and Retrieval Checklist Form, 747–748 EvilPing attack, 441 Exculpatory evidence defined, 220, 230 Executable defined, 800 Executive IW-D Oversight Office, 399 Executives in computer crime commission, 285 in security policy implementation, 270 Exercises, answers to, 725–745 Expansion card defined, 800 Expert witness 
services, 7, 12, 60, 222 Extortion in cyberspace, 439 Extract defined, 800 Extraction of biometrics, 142
F
Fair Credit Reporting Act, 603, 605 Falun Dafa, 637 Falun Gong, 339–340 FAQs (Frequently Asked Questions), 705–708 Faraday cage, 516 Fast save function, 496 Fax machines, data recovery from, 10, 183 FBI survey 2003 on computer crime financial impacts, FDIC netforensics home page, 716 FDISK defined, 800 Federal Computer Incident Response Center (FCIRC), 681–682 Federal Intrusion Detection Network (FIDNet) described, 495 and intrusion detection, 384–385 Federal Rules of Civil Procedure on data seizure, 11 Federal Rules of Evidence on electronic evidence, 29, 58, 77, 237 Federated model of identity management, 135–137 Feynman, Richard, 540 Fiber-optic connections, bandwidth of, 111, 577–578 Fidelity and Deposit Companies, 599 FIDNet See Federal Intrusion Detection Network (FIDNet) File allocation table (FAT), 800 Files contents, searching, 691 converting, 304–310 copy process, characteristics of, 250 cross-linked, 796 defined, 800 encrypted, reading, 60, 61 erased, searching for, 245, 496, 690, 691 executable, copying, 207 extensions, searching, 307, 711 formats, 305–306, 311, 711 hiding, 207, 214 (See also Data, hiding techniques) logical, listing of, 690 space, unallocated, 816 File sharing, access control for, 325–326 File slack defined, 800 evaluating, 244, 245 and evidence preservation, 42, 75, 177–178 and hidden data, 207–208, 240, 279 File system described, 800 Filter_G software described, 50–52 Final Conflict newsletter, 419 Financial records, recovery of, 10, 278 Fingerprinting as ID verification tool, 483 location, 560–561 radio frequency (RF), 609, 611 Fingers, silicon, 539–540 Finger utility defined, 68, 169–170 Fire damage, data recovery from, 27–28 Firewall machine defined, 801 Firewalls benefits, 103–105, 424 and data encryption, 63, 86 described, 99–103, 107–108, 146, 315, 800–801 and intrusion detection, 93–94, 148, 149, 325 limitations,
71–72, 79–80, 106–108, 667 prevalence of, 270 stateful inspection, 662 Firmware, 26, 801 First-wave warfare, 801 Fishbowl tactic, 801 Flash, organization of, 71 F-letters, 675 FloodNet attacks, 441 Floppy disks copying, 269, 271 examination of, 22, 43, 242–246 formats converting, 46 custom, 44 matching, 51, 179 as security risk, 106, 108 virus-scanned, creating, 45 and virus transmission, 57 Florida Association of Computer Crime Investigators, 716 FOCUS on incident handling pages, 716 FOCUS on intrusion detection pages, 716 Fog of war defined, 801 Forensic Challenge, 649 Forensicon, Incorporated, 785 Forensic psycholinguists in IW defensive tactics, 492 Forensic Systems Types Checklist Form, 752–753 Forensic Technology Types Checklist Form, 750–751 Forgery, demonstrating, 29 Fork bomb described, 801 Formats of files, 305–306, 311 Formmail described, 801 Forms for reporting incidents, 323–324, 329 Forward link trilateration (FLT), 557 Fragmentation defined, 801 See also Defragment Fraud investigations case histories, 25–26 electronic evidence in, 20, 278 of employees, 154 Fred Cohen and Associates, 709 Fred software, 676 Freedom Network, 652 Free for all links page, 801 Free speech, proliferation of, 438 Friction of war, 801 FrontPage extensions, 801–802 Frost & Sullivan, 655 Frye standard defined, 237 FTP (file transfer protocol) account defined, 802 anonymous, 792 encryption issues with, 63 Funds, diverting, 79 Fuzzy logic tools in text searching, 179
G
G8 Group, 673, 700 Gateway defined, 119 Ghost accounts in computer sabotage, 663 GIA (Algerian Armed Islamic Group), 416 GIAC See Global Information Assurance Certification (GIAC) Giant magnetoresistant materials (GMRs), 541 Global Information Assurance Certification (GIAC), 173, 174 Global information environment, 802 Global Internet Project and cybercrime regulation, 358 Global Positioning Systems (GPS) described, 522–527, 545 and electromagnetic warhead delivery, 515 and LBS, 550, 557–558 privacy issues of, 563
server-assisted, 558–559, 564 Global System for Mobile Communications (GSM), 638–639 GLONASS, 526 GMRs (Giant magnetoresistant materials), 541 Guestbook, 802 Guidance Software, 710, 786 Gulf War, C2W in, 383 Guttoso, Herve, 420
H
Hack back tactic, 491 Hacker insurance, 598–600 Hackers profile of, 422–423, 643–644, 645–647, 802 responses, studying, 531 tracking, 453–459, 647–663 Hacking access, gaining, 326, 330, 340 advanced, 640–647 evolution of, 645 exercises, 186, 467 and IW, 362, 386–387, 428–429 methodology, 661–662, 667, 669, 670 prevalence, 484, 641–642 punishment for, 600 tools, obtaining, 452–453, 460, 531, 642–643 Hacktivists in IW, 407, 409, 421, 501 Hamas, 415, 418 Hanssen, Robert P., 684 Hard disks backup/restoration of, 40, 41 copying, 269, 271 data recovery on, 7, 496 examination of, 22, 242–246 shipping, 707–708 Hardware evidence collection, labeling in, 231–232, 242 failures and backup procedures, 204 requirements for data conversion, 306, 311 for evidence processing, 321 Hashes block values, generating, 263–264, 268 in encryption, 263–264, 268, 634, 677 SHA256 (See Secure Hash Algorithm (SHA256)) Head defined, 802 Header of email and Internet tracing, 65–69 Health Insurance Portability and Accountability Act (HIPAA), 614, 615 Hearsay evidence defined, 20, 219 Heat sink defined, 802 Helsingius, Johan, 651 HERF (High-energy radio frequency) guns in IW, 363, 444, 445, 509 High Tech Crime Cops, 714 High Tech Crime Investigation Association, 710 Hijacking defined, 802 HIPAA (Health Insurance Portability and Accountability Act), 614, 615 History defined, 802 Hizb-ut-Tahrir (Islamic Liberation Party), 417 Holocaust deniers in IW, 419 Homeland security systems described, 143–144, 147 Honeynet described, 668 The Honeynet Project, 530–531, 649, 650 The HoneyPot Project described, 266–267 Honeypotting defined, 226, 668, 669 +host:domain name and hack command defined, 170 Hotspots, locating, 296 Human resources and computer forensic specialists, 9–10
Hycamtin, 291, 292 Hyperwar defined, 802
I
IBM 3590 drive, data recovery from, 210 IBW (Information-based warfare), 803 ICMP See Internet Control Message Protocol (ICMP) ICTs See Information and communication technologies (ICTs) IDC, 655 IDEA (International Data Encryption Algorithm), 631 Identification of Data Checklist Form, 760–761 Identify-preserve-analyze-report model, 686 Identity fraud, prevalence of, 131 Identity management access, controlling, 133, 150 audits in, 133, 151 digital, aggregation in, 130 Identity management security systems in authentication, 258–259 described, 129–137, 147 Identity theft exercises, 150–151 overview, 137–141, 606–609 Identity Theft Hotline contact information, 141 IDW (Information Dominance Warfare), 804 IIW (Information in Warfare), 804 Images See also Bit stream image backups in evidence preservation authentication of, 260–264, 266, 268, 284 making, 692 protection of, 45, 46, 198, 239 Incident handling, 95, 97, 183, 249, 323–324 Incremental backup defined, 197–198 India, IW capabilities of, 355, 356, 357, 363, 368 Indirect information warfare, 803 Individuals tracing, 68 verifying, 72, 73 Industrial espionage case studies, 720, 721 and computer evidence, 74 computers in, 434–435, 593 countries engaged in, 355, 356 and the Internet, 127, 291–296 investigating, 623 and MIWT, 387 in People’s Republic of China, 436–439, 448–451 prevalence of, 469, 683 tactics, defensive, 474–475 Industrial warfare defined, 803 Industry See Corporations Info-niche attacks in netwar, 346, 347 Information collection, 804 compromise, 804 defined, 360, 803 denial, 804 destruction, 804 dominance, 804 friendly, essential elements of, 800 function, 804 protection, 805 realm, 805 superiority, 805 terrorism, 805 transport, 805 warfare (See Information warfare (IW)) Information Age defined, 803 Information Age warfare, 803 Information and communication technologies (ICTs) applications in IW, 394, 396, 415, 418, 419 C2W and, 420 Information
attack, 803 Information-based warfare (IBW), 803 Information Dominance Warfare (IDW), 804 Information extraction (IE) in data mining, 576–577 Information infrastructures, importance of, 585–588, 621 Information in Warfare (IIW), 804 Information Operations, 804 Information strategies defined, 408 Information systems (INFOSYS), 805 Information systems warfare (ISW), 805 Information technology diffusion of, 587 system defined, 360, 366 Information Technology Sharing and Analysis Center (IT-ISAC) described, 343, 490 Information Warfare: Arsenal of the Future Checklist Form, 772–775 Information Warfare Arsenal and Tactics of Private Companies Checklist Form, 771–772 Information Warfare Arsenal and Tactics of Terrorists and Rogues Checklist Form, 769–771 Information Warfare Arsenal and Tactics of the Military Checklist Form, 768–769 Information warfare (IW) See also Cyberwarfare anonymity and, 604–606 countermeasures, 497–498 defensive (IW-D), 384–389, 399, 407–408, 482–487 defined, 587, 619, 805–806 direct, 798 economic, 799 ethics of, 590–597, 619–620 impact of, 482 indirect, 803 and intrusion detection, 99 limitations of, 349, 514 and the media, 345–347 military tactics (See Military strategy in cyberwarfare) objectives of, 336, 353, 367, 466, 519 offensive, 378–383 overview, 335–341, 368–369, 394–408, 507–509 personal assets, destruction of, 597–600 preventive, planning, 480–482 response to, 508 rogue, countering, 492–500 security in, 161 space power in, 531–532 and strategic diplomacy, 344–354 tools, obtaining, 452–453 weapons, future, 532–538, 543 INFOSEC certification, 173, 805 INFOSYS (Information systems), 805 InfraGard described, 159, 364–365 INMARSAT Convention, 596 Instant messaging (IM) security systems described, 125, 147 Insurance companies and computer forensic specialists, 31, 166, 183 email in litigation, 319 embezzlement exercise, 185 fraud exercise, 671 image verification exercise, 284 Integrated platforms, 564–566 Intellectual property investigation, 
303, 468, 659, 682 Intelligence collection in IW, 366, 374, 376 and industrial espionage, 474 open source, 473, 809 operational, 809 reality, distorting, 544 technical, 815 Intelligent forensic filter See Filter_G software INTELSAT Convention, 596 International Association of Computer Investigative Specialists, 648, 710, 714 International Data Encryption Algorithm (IDEA), 631 International Organization on Computer Evidence (IOCE) described, 322, 329 International organizations in IW, 354–359 International Telecommunications Convention of 1982, 596 Internet abuse, detection of, 52, 74, 180, 315, 701 authentication on, 259 as Big Brother, 577–578 children, protecting, 128, 232, 535 and cyberterrorism, 417, 420, 424, 460 encryption described, 64 and industrial espionage, 127, 291–296 and privacy awareness, 127 security systems, 84–91, 146, 148 tactical, 815 tracing methods, 65–69, 96 wireless, 579–580 Internet Control Message Protocol (ICMP), 104, 289 Internet Merchant Account defined, 88 Internet Resources on Technology Law, 713 Internet Security Systems Incorporated (ISS), 666 Internet Service Providers (ISPs) and network security, 480–481, 484–487 Interpact Incorporated, 711 Intrusion detection systems anomaly-based, 655–656 appliance-based, 656–657 described, 91–99, 146, 148, 149, 157, 315, 329–330, 667–668 firewalls and, 93–94, 148, 149, 325 history of, 384, 653–656 implementing, 163 network signature-based, 655, 668, 669, 697 outsourcing of, 657 and packet sniffers, 528 response in, 160, 323–324 speed of, 656 IOCE See International Organization on Computer Evidence (IOCE) described Iomega Zip drives, cost of, 305 I/O port defined, 802 IPK, elements of, 504 IP spoofing described, 490 Iraq invasion, propaganda in, 345 Ira Wilsker’s Law Enforcement Sites on the Web, 713 IRQ (Interrupt request) defined, 806 Islam, dissemination of, 418 Islamic Liberation Party (Hizb-ut-Tahrir), 417 Islamists and netwar, 395, 416 Israeli Internet Underground (IIU), 442–443
Israel, IW capabilities of, 355, 356, 357, 363, 368, 442–444 ISW (Information systems warfare), 805 IT-ISAC See Information Technology Sharing and Analysis Center (IT-ISAC) described IW See Information warfare (IW) I&W (Indications and Warnings) defined, 802, 803 I&W/TA (Indications and Warnings or Threat Assessment) defined, 803
J
Japan, PLS in, 554, 560 Java chat rooms, 806 Jihadists in netwar, 416 Jitter defined, 289 Joint Tactical Radio System (JTRS), 375 Jondos, 652 Jumper defined, 806 Junkbusters, 602–603 Jus ad bellum, 591, 621 Jus in bello, 592
K
Kerberos described, 105, 122, 289 Kernel defined, 806 Keyboard activity, monitoring, 52, 552–553, 808 Key communicator defined, 806 Kill assessment in EMP attack, 517 Klatt, Bernard, 420 Knowledge-based warfare, 806 Knowledge defined, 806 Knowledge dominance, 806 Knowledge war See Information warfare (IW) Kroll Ontrack, Incorporated, 786
L
Ladenese Epistle, 418–419 LAN 802.11b standard, security measures in, 116, 117, 579 Laptop computers damage costs, tracking, 676 data recovery from, 27, 210, 240 security vulnerabilities of, 280–281, 284 theft recovery software described, 53–55, 77 Lasers in IW, 446 Law enforcement and computer forensic specialists, 8–9, 18, 31, 282, 299 technology, types of, 38–52 (See also individual software by name) Web sites useful to, 713–715 Law Enforcement Guide to the World Wide Web, 714 LBS See Location-based services (LBS) LC Technology, 787 LC Technology International, Incorporated, 786–787 Leads, identifying, 38 Leapfrog attack, 806 Lee, Wen Ho, 434, 452 Legal/court-related sites, 714 Legal issues in computer forensic evidence, 20–21, 58–60, 79, 155, 247–253 in cyberwarfare, 341, 586 evidence collection, 247–253, 272, 327 overview, 21–22, 58–60, 79 Legislation for IW defensive measures, 493–494 Letter bombs, 807 Liability, demonstrating, 30 Libertarian Party, 422 Liberty virus, 115 +link:domain name command defined, 170 Linux systems data recovery on, 207–209, 213 file cleansing
utilities, 208–209 Litigations, sources of, 30–31 Loc8.net, 564 Local area networks (LANs) intrusion detection on, 101, 102, 149, 316 in IW, 373 Location-based services (LBS), 549–551 Location fingerprinting, 560–561 Log files admissibility of, 248 in evidence collection, 70, 98, 221, 224–225 and firewalls, 103, 105 retrieving, 650–653, 678 Unix, 678, 679 utilities for creating, 309 Word documents, 568 Logic bombs in IW, 477, 508, 520–521, 807 Lost cluster chain, 807 Love Bug virus, losses from, 600 Low Earth orbit (LEO) network described, 120
M
MAC address filtering, 117, 679 Mafiaboy, 597 Mailservers, tracing, 68, 69 Mail storm, 807 Majordomo list, 807 Managed security service providers (MSSPs), 655, 657 ManTech Security and Mission Assurance, 787–788 Mares and Company, LLC, 710 Markov, Georgi, 427 Martial law and cyberspace, 361–363 Marsh & McLennan Companies, 599 Marx standard defined, 237 MASINT (Measurement and Signature Intelligence) defined, 807 MD5 See Message Digest (MD5) Measurement and Signature Intelligence (MASINT) defined, 807 Media conversion, 11 previewing, 687–689 Media broadcasts in IW, 345–347 Medical ID cards, 613–615 MEII (Minimum essential information infrastructure) defined, 807, 808 Memory copying, 272 dumps and evidence preservation, 42, 77 resident programs, understanding, 180 MEMS (Microelectrical and mechanical systems), 535 Merchant defined, 88 Message defined, 807 Message Digest (MD5) hash functions in, 634 in PGP, 122, 123 in timekeeping, 291 MessageID described, 67 Metal oxide semiconductor (MOS) devices in IW, 511 Microbes in IW, 521 Microelectrical and mechanical systems (MEMS), 535 Microsoft and privacy issues, 603 Microsoft Internet Explorer, 604 Microsoft Outlook/Outlook Express, viruses in, 57 Microsoft Word in crime scene investigation, 238 WordPerfect™ in crime scene investigation, 238 Middle East cyberwars, 441–444, 464 MIE (Military Information
Environment) defined, 807, 808 Military computer forensics technology, types of, 36–38 Military deception, 807 Military Information Environment (MIE) defined, 807, 808 Military information function, 808 Military Information Operations (MIOs), 360, 446 Military information warfare tactics (MIWT) described, 376–377, 387 Military operations and information systems, 587 Military strategy in cyberwarfare, 350–354, 359–360, 371–374, 376–377, 392–394, 580 Military technical revolution (MTR), 808 Minimum essential information infrastructure (MEII) defined, 807, 808 Mirkin, Chad, 540 Mirror image backup software See SafeBack software Mirroring in backup procedures, 201, 202, 214, 808 See also Bit stream image backups in evidence preservation Misbehavior in the face of the enemy defined, 477–478 Missiles and electromagnetic warheads, 514 Misuse detection, 808 Mitnick, Kevin, 422 Mitretek Systems, 713 Mockingbird, 808 Mohammed, Ali, 454, 455, 456 Mohammed, Omar Bakri, 417 Monthly traffic defined, 808 See also Bandwidth Motes, 532–536 Motherboard, 808 Motion, simulating, 537, 541–542 MSANEWS, 416, 418 mSQL database, 808 MSSPs (Managed security service providers), 655, 657 M-Sweep™ software described, 48 MTR (Military technical revolution), 808 Myatt, David, 420
N
Nanomushrooms, 542 Nanoscale products, fabricating, 542 Nanotechnology in IW, 521, 538–543, 546 National Information Infrastructure (NII) defined, 808, 809 National Infrastructure Protection Center (NIPC) and cyberterrorism, 429–430 described, 641, 654 on InfraGard, 364–365 National Law Enforcement and Corrections Technology Center (NLECTC), 36, 37 National security activities of the FBI, National Security Agency (NSA) and cyberterrorism, 508 function of, 335, 379 National Security Council (NSC), 429 Navigation warfare (NAVWAR), 808 NAVWAR (Navigation warfare), 808 Neo-Nazis and netwar, 395, 420 NetBIOS and hack attacks, 325 Netforensics home page, 716 NetMotion, 580 Net privacy systems described, 126–129 Netscape.hst
file, 496 Netscape Navigator, log files in, 496, 604 Netstat command, 679 Net Threat Analyzer software described, 46–47 Netwar See also Cyberwarfare; Information warfare (IW) described, 344–347, 394–396, 809 and strategic diplomacy, 350–352 Networks anonymity on, 651–653 auditing, 696–699, 701 backup data path, 196 issues with, 201–203 civilian, protecting, 544 and computer forensics, 35 disaster recovery systems (NDRs), 112–113, 147, 148 encryption of, 63 forensics, 316–319 intrusion detection on, 93, 98, 326, 661–662 investigating, 242 privacy on, 105 recovery of in IW, 375 security, 86, 97, 160, 315–316, 343, 357–358 ASPs and, 486, 487, 488, 665 ISPs and, 480–481, 484–487 spoofing, 809 traffic, monitoring, 225 viruses in, 57 worms, 809 Networks Checklist Form, 762–765 Network Time Protocol (NTP), 288–291, 299 New Technologies, Incorporated, 47, 715, 788 Nida’ul Islam Web site, 419 NII (National Information Infrastructure) defined, 808, 809 NLECTC (National Law Enforcement and Corrections Technology Center), 36, 37 Nmap utility in attack identification, 364, 528, 662 Norseen, John, 617–618 North, Oliver, 319 Notebook, evidence maintaining, 249–251, 321–322, 678 Nslookup utility defined, 168 NTFS file system, 809 NTI-Computer Evidence Leaders, 710 NTP See Network Time Protocol (NTP) Nuclear weapons obtaining, 452–453 in terrorism, 402–403, 425–427, 450–451, 545 NutraSweet, intelligence unit of, 293
O
Objective reasoning, threats to, 347, 350, 352, 353, 369 See also Perceptions O’Connor v. Ortega, 248 Odd person out attacks described, 120–121 Offensive counterinformation, 809 Omega Engineering, 664 One-time pad method of encryption, 629–630 The Onion Router Project, 497–498, 653 Onion routing described, 498, 651–652 OODA loop and C2W, 382–383 defined, 809 Open-source intelligence, 809 Operational intelligence, 809 Operation Desert Storm, 519 Operation Iraqi Freedom, C2W in, 383 Operation Other Than War (OOTW), 590–591, 809 Operations security (OPSEC) defined,
381, 809 Opinion defined, 809 OPLAN 3600, 378 OPSEC (Operations security) defined, 381, 809 Optical networking and IW, 373, 518 Oracle Corporation, 297 Orientation defined, 809 Ortega, O’Connor v., 248
P
Packets in intrusion detection, 98, 810 Packet sniffers described, 477, 528, 655–656, 810 PAGEFILE.SYS in evidence detection, 75 Palestine in cyberterrorism, 441 Parallel warfare described, 393–394 Partitions See also FDISK defined analyzing, 246 defined, 810 Partition table defined, 810 Passive attack defined, 810 Passive threat defined, 810 Passwords caching and identity fraud, 132 obtaining, 552, 680, 810 protection of diskette images, 45, 46 in IW, 337, 388, 483 limitations, 63–64, 216 Path defined, 810 Payment gateway defined, 88 Payments, processing, 87–88 PCPhoneHome™ software described, 54–55 Pegasus Mail, 67, 68 Penet, 651 Penetration defined, 810 Penetration signature defined, 811 Pentagon and IW, 385–386, 459–460, 588 Pentaguard, 644 People, tracking, 553–564 People’s Republic of China and encryption, 637 industrial espionage in, 436–439, 448–451 IW capabilities of, 342–343, 355, 368, 378 Perceptions See also Objective reasoning, threats to defined, 811 manipulation of, 349, 366 Performance of SANs, 111 Peripherals changes in, 23 described, 811 Personal assets, destruction of, 597–600 Personal identification numbers (PINs) and cellular telephony, 611 Personal Locator System (PLS) applications, 561–564 architecture, 555–556 implementing, 564 overview, 554 technologies, 556–561 PGP See Pretty Good Privacy (PGP) Phone tapping, 103 Phracker defined, 811 Phreak defined, 811 Phreaker defined, 811 Pierre-Louis, Herbert, 664 Ping command defined, 169 Pister, Kristopher, 532–536 PKI See Public key infrastructure (PKI) systems described Plagiarism, detecting, 569 Plants as bioterrorism targets, 430–431 PLS See Personal Locator System (PLS) Plug-and-play (PnP) defined, 811 PnP (Plug-and-play) defined, 811 The Police Officer’s Internet Directory, 714 Political
extremists and netwar, 395–397 Politics and the Internet, 127, 128 Porcupine.org, 710 Pornography viewing investigating, 232, 255, 287–288, 719 statistics, 165, 241 Port numbers attack points, common, 661, 669 ranges, 71–72, 78 Position, computing, 559 Post-apocalyptic terrorist groups, 403–404 POST (Power-on self test) defined, 811 Poulsen, Kevin, 422 Pragmatic communication defined, 348–349 Premiums for hacker insurance, 598–599 Pretty Good Privacy (PGP), 64, 122–124, 636 Prevention defined, 94 Principle Forensic Activities Checklist Form, 748–750 Principle of least privilege defined, 102 Privacy and biometric systems, 483 encryption and, 90, 627–628 in evidence collection, 248, 267–268, 675 and firewalls, 105–106 and hacker pursuit, 460 and LBS, 550, 563 maintaining, 529–530, 602–603, 627 medical, 613–615 monitoring, 609–613 net systems described, 126–129 policy enforceability of, 489 key elements of, 132–133, 147 in Windows environments, 566–569 Privacy agreements described, 488–489 The Privacy Foundation, 529–530, 545, 566, 567, 616 Private companies See Corporations Private key encryption described, 86 Processor defined, 88 Productivity, loss of, 165 Program Loader and evidence collection, 70 Project Leadership Associates, 788 Promiscuous network cards, 527–528 Propaganda in IW, 345, 347 Proxy servers as source addresses, 650–651 Psychological operations (Psyops) described, 336–338, 367, 381, 409, 595 Psyops See Psychological operations (Psyops) Public information defined, 85 Public key encryption and cyberterrorism, 424–425 described, 63, 86, 114, 120–121, 147 for IW defensive measures, 494 limitations of, 632–636 message path, 121 in PGP, 124 in timestamping, 291 Public key infrastructure (PKI) systems described, 113–114, 147 Publisher IDs, 264 Punishment for hacking, 600 Purity Wholesale Grocers, 664
Q
QuickFire attack, 441
R
Radar in cyberterrorism, 451 RadioCamera system, 560 Radio frequency (RF) fingerprinting, 609, 611 RAID (redundant
array of independent disks) disks data recovery from, 211 data storage on, 22, 26 management of, 110–111 RAM (Random Access Memory), 811 Random text displayer described, 812 RC4, 631 Read heads, development of, 540–541 Real evidence defined, 20, 29 Real-time audio/video described, 812 Reconstructing Past Events Checklist Form, 761–762 Records, access to, 277–278, 283 ReFLEX two-way paging, 564 Registry, the, 685, 815 Reject all cookies option, 566 Relevancy test of evidence defined, 237 Reliability of SANs, 111 Remailers and encryption, 497 Remediation of IW attacks, 356–357 Renew Data, 788–789 Replay attacks, 290 Reports as evidence, 29, 317 Requirements definition, 685–700 Research in Motion (RIM) wireless technology evidentiary value of, 69–70 file system in, 70–71 Restoration ecologists, terrorism by, 404 Retina, 662 Retro-virus described, 812 Review questions, answers to, 725–745 Revolution in Military Affairs (RMA), 587, 812 Right-click defined, 812 RIM devices See Research in Motion (RIM) wireless technology The Risk Advisory Group Limited, Investigations, 716 Risk assessment equipment purchases, 389 overview, 85, 812 procedure, 167–172 software for, 45 Risk management techniques in cybercrime fighting, 156–162, 502, 503 Rivest, Shamir, and Adleman (RSA) standard for digital signatures, 64 in encryption, 635 in PGP, 122, 123 RMA (Revolution in Military Affairs), 587, 812 Robbins, Judd, 715 Robots in IW, 536–538 Rockets in IW, 451 Roessler, Thomas, 649 ROM (Read-only memory), 812 Root access, application of, 442, 658, 682 RSA standard See Rivest, Shamir, and Adleman (RSA) standard Rules of engagement, 596 Rules of evidence See Evidence, rules of Russia infrastructure, control of, 471 IW capabilities of, 355, 363
S
Sabotage of computers, 663–666 SafeBack software described, 39–43, 676 Sandboxing defined, 226 SANS See SysAdmin, Audit, Network, Security (SANS) Institute SANs See Storage area networks (SANs) Satellite encryption security systems, 118–124, 147
Satellites and GPS, 524 Scalability of SANs, 111 ScanDisk, 707 Scarfo, Nicodemo S., 552, 553 Scavenging defined, 812 SCPAs See Super Cyber Protection Agencies (SCPAs) in IW Script kiddies, 644 Scripts defined, 812 SCSI (Small computer system interface) defined, 812 SDRAM (Synchronous dynamic random access memory) defined, 812 Search engine defined, 813 Searching anonymous, 170 database files, 307, 308, 309 file extensions, 307, 711 files, 245, 496, 690, 691 spreadsheet files, 307, 308, 309 text, 47–50, 178–179, 207, 243–244, 560–577, 685 Windows swap files, 240, 241, 244, 279 Word processing files, 307, 308 Second-wave warfare defined, 813 Sector defined, 813 Secure Hash Algorithm (SHA256) hash functions in, 634, 678 in SafeBack, 39, 40, 41 Secure Sockets Layer (SSL) encryption, 114, 813 Secure Virtual Private Networks (SVPNs), 90 Security advice, providing, 15–16 awareness, 267, 268, 504, 641, 682 breaches, 269, 813 budgets for, 270 classification, 813 costs of, 648–650 defined, 813 electronics, 799 employees in, 267, 485, 659, 674, 720 environment, changes in, 470–471 evidence (See Evidence, integrity/security of) in image verification, 266–268 information protection strategies, 101–102, 586 layers of, 102 of LBS/PLS, 563 MIWT, 376 overview, 83–84, 145–146 policy auditing, 696–699, 813 establishing, 148, 159, 425, 426, 440 in evidence collection, 222, 674 guidelines, 96, 97 professionals, 440 reviews, software for, 47–50 of systems, 94–95, 485 testing, 640–641 threats, sources of, 5, 33–34, 42 user identity, verifying, 130–132 weaknesses, identifying, 76, 79–80 Web sites, 662 wireless, 69–71 (See also Wireless security systems) Security scanners described, 315 Select defined, 813 Semiconductor devices, damaging via EMP, 516 Sendmail program described, 476–477 Sensor-to-shooter defined, 813 Servers backup, 194–195 described, 813 in GPS, 558–559, 564 proxy as source addresses, 650–651 timestamping in, 290 tracing, 68, 69 Server side includes (SSI), 813 Service,
degradation of, 797 Service level agreements (SLAs) described, 486 Service levels offered by computer forensic technicians, 14–15 Service set identifier (SSID) security measures in, 117 Session hijacking defined, 813–814 Settlement defined, 88 Sextracker survey on online pornography viewing, 165 Shared situation awareness (SSA), 814 Shipping manifests, falsifying, 439 Shopping cart described, 814 Sid-Ra, 421 SI-FI See Synthesizing Information from Forensic Investigations (SI-FI) environment Signal defined, 814 Signal direction PLS, 556–557 Signal security (SIGSEC), 814 SignalSoft Corporation, 551 Signal strength method, 559–560 Signature matching, 655–656 SIGNCODE.EXE utility, 263 Silicon fingers, 539–540 Silo model of identity management, 134 Simple counter defined, 814 Simple Network Management Protocol (SNMP) described, 327, 328 Site submission defined, 814 Situation awareness (SA), 536, 814 Slot defined, 814 Smart cards applications of, 90–91, 148–149 described, 73, 78–79 security of, 91 Smart dust, 532–536 SmithKline Beecham Corporation, 291–293 SMO Legal Reporter 06/00, 716 Sniffing See also Packet sniffers described defined, 814 passwords, obtaining, 552 tools, 527–529, 595 in wireless systems, 116 Sniffit software, 527–528 Snooping tools, 527–529 Social engineering, 376, 663, 814 Societal aspects in cyberspace, 469–470 Socket defined, 815 SODA Project, 443–444 Software antivirus (See Antivirus software) for attack detection, 156–157 backdoors, planting, 363 case-management, 282 changes in, 23, 646 copying packages, 269 for data recovery, 496 designing, 47 doomsday, 342 integrity, maintaining, 357 publisher IDs, 264 for risk assessment, 45 for security reviews, 47–50 theft recovery, 53–55, 77 tools, capabilities of, 684 useful sites, 168, 170, 179, 715 vulnerabilities communication of, 646 hacking, 662 SOS (System of systems) defined, 815 Source addresses, 650–651 Source address spoofing, 650 Soviet Union See Russia, IW capabilities
of Space Imaging, 531, 532 Space power in counterterrorism, 392–394 in IW, 531–532 Spam defined, 815 Spamming defined, 470 Spectrum management defined, 815 Spreadsheet files, searching, 307, 308, 309 Spyware described, 61–63 SSID See Service set identifier (SSID) SSL See Secure Sockets Layer (SSL) encryption State tables, 679 Statistics described, 812 Steganalysis-Attacks Against Steganography and Watermarking-Countermeasures, 712 Steganography, 498, 712 Steinberg Diagnostic Medical Imaging, 665 Storage abstraction defined, 109 Storage area networks (SANs) as backup systems, 108–109, 194–195, 213 benefits of, 110–111 overview, 109–110, 147, 148 Storage-centric model of computing described, 110 Storage devices backup, 198–199 previewing, 687–689 Strategic diplomacy and IW, 344–354 Stupp, Samuel, 542 Subscriber fraud, cellular telephones, 609, 612–613 Subsidy fraud, cellular telephones, 609, 613 Super Cyber Protection Agencies (SCPAs) in IW, 363–365 Surfing in attack identification, 170 Surveillance electronic hacker tools, 531 overview, 552–553 services described, 13, 16 global, 495 identification/analysis of, 291–297 workplace, 616–618 Surveillance Tools for Information Warfare Checklist Form, 775 Sydex Incorporated, 710 Symmetric encryption, 630–632 Synthesizing Information from Forensic Investigations (SI-FI) environment described, 37 System of systems (SOS) defined, 815 System Registry defined, 815 SysAdmin, Audit, Network, Security (SANS) Institute, 173, 174
T
T12, 644 Tactical Internet defined, 815 Taiwan, IW capabilities of, 355, 356, 368 Tape drives as backup devices, 199, 201, 269 data recovery from, 211 Target concept defined, 572 Taxol, 291 TCP/IP, authentication by, 97–98, 288 Team play in information management, 296 Technical attack, 815 Technical intelligence, 815 Technology, 23–24, 35–36 Telephone services and identity theft, 139–140 Telnet account, 815 TEMPEST surveillance, 513 Terminal hijacking, 815
Terminator described, 815 Terror Incorporated, 454–459 Terrorism, 405–406, 444–451 See also Cyberterrorism information, 805 religious, 463 state-sponsored, 464 Terrorists cells, disrupting, 457 methodology, 430–433 organization of, 395, 463, 464 profile of, 421–424, 428, 438–439, 645 recruitment of, 458–459 tactics in IW, 415–421, 424–427 Testimonial evidence defined, 20, 219 Testing evidence, 21–22, 58–60, 79 security, 640–641 of systems, 324–326 Text, searching, 47–50, 178–179, 207, 243–244, 560–577, 685 TextSearch Plus software described, 45, 47–50 TFL:IDS, 657 The Coroner’s Toolkit, 710 Theft defined, 155 Theft recovery software described, 53–55, 77 Thermionic technology and EMP attack, 517 Third-wave warfare, 815–816 Threats, passive, 810 Time bomb described, 816 Time difference of arrival (TDOA) method, 557 Time element deductibles, 599 Time stamps in authentication, 263–264 in evidence collection, 228, 243, 690 overview, 288–291 Timing attacks, 635 TJPing utility and Internet tracing, 67, 68 Total Recall (Binary Biz North America), 789 Trace evidence, value of, 10 Traceroute command defined, 169 Trade sanctions, evading, 439 Traffic amplification via Web site, 442 Transactions, electronic, demonstrating, 30 TRANSEC (Transmission Security), 816 Trans Union, 607 Trap doors in cyberterrorism, 508, 521 defined, 816 information, obtaining, 658 Triple DES (Data encryption standard), 631 Trojan horse programs described, 816 and evidence preservation, 42, 177 in IW, 336, 477, 508, 520, 521, 545, 595 protection from, 56–57, 668 Troll described, 816 TRUSTe, 489 TUFCOFS, 711 Tunneling defined, 94 Twofish, 631
U
Unallocated file space, 816 UN Convention on the Law of the Sea, 596 Unicode, 688, 690 Unilever, 294, 295 Unintentional emission (UE), detection/tracking of, 513 United States cyberwarfare, protecting against, 462 IW capabilities of, 357, 365–366, 378, 622 IW preparation status, 335–339, 350–351, 362, 366–367, 423–424, 439, 587 PLS in, 554 on privacy
issues in IW, 602 and terrorism, 391–392, 400, 408, 429–432 on weapons availability of enemies, 446–448 UNITY, 443 University of Central Florida-Orlando, 648 University of Delaware Web site url, 290 Unix systems data recovery on, 207, 216, 505, 677, 678, 679 DNS service on, 324 timekeeping in, 289, 290 Unzip defined, 816 US Secret Service, 663 Useful sites, software, 168, 170, 179, 715 Usenet in threat identification, 171 User activities in IW, 339 reconstructing, 4, 16, 17, 74, 273, 622 tracing, 95, 183, 300 User identity, verifying, 130–132, 610 UUencode, 816 V Validation of data, 76 See also Authentication Vandal described, 816 Van Eck radiation, suppressing, 513 Vector-space method of text exploitation, 575–576 Vehicles, locating, 554, 573–574 Vendor and Forensic Services Types Checklist Form, 754–755 Vendors in software evolution, 646 Verification See Authentication Verify mode, SafeBack, 40 Verisign, 89, 260–263, 271, 272 Victims of identity theft, options of, 607–609 Video adapter described, 816 Violent crime, prevalence of, Virtual battlespace, 816 Virtualization defined, 109 Virtual private networks (VPNs) budget for, 267 intrusion detection on, 99 security for, 484 Virtual realm, 817 Viruses described, 817 and employee cooperation, 267 and firewalls, 107 and IW, 387–388, 485, 508, 520, 545, 595 protection from, 56–57, 230 (See also Antivirus software) scanners and intrusion detection, 94 wireless, 115–117 Visualization interfaces in network forensics, 316–319, 326–327 Visual query interface described, 318, 328 Vogon International Data Recovery, 789 Voice identification as ID verification tool, 483 Volatile evidence, 223 Vulnerability assessment systems See Intrusion detection systems Vulnerability defined, 817 W Wal-Mart Stores, 293 War, Act of defined, 591–592 War defined, 817 War dialer defined, 817 War driving/flying defined, 296 Warfare defined, 817 Warm boot defined, 817 Wassenar Management, 639 Weapons of mass destruction electromagnetic bombs, 
509–510 and IW-D, 401–402, 405 tools, obtaining, 452–453 Weapons of precise disruption, 376 Web-based Telnet, 817 Web bugs in Word documents, 566–569, 583 Web images, copying, 56 Web of Justice Links, 714 Webraska, 551 Web services access control for, 325–326 and digital identity management, 130–131 Web sites crime, case histories, 25 defacement of, 443 security of, 662 traffic amplification via, 442 WEP See Wired equivalent privacy (WEP) WetStone Technologies, 711 What’s on the Internet for Legal and Law Enforcement Personnel, 714 White-collar crime, prevalence of, White supremacists and netwar, 395 Whois command defined, 169 Wide area networks (WANs), intrusion detection on, 101, 102, 149 Wildlife, tracking, 556 Windows 2003, 38, 176, 646 Windows environments access control for, 325–326 data persistence in, 635 forensics in, 80 hacking, 646 log files in, 231, 496 privacy in, 566–569 Windows NT log files, 678, 679 Windows Registry, 685 Windows Scripting Host, disabling, 56 Windows swap files described, 817 searching, 240, 241, 244, 279 Windows XP, 38, 176, 646 WinSmurf tool, 441–442 Wired equivalent privacy (WEP), security measures in, 117, 579, 580 Wireless application protocol (WAP), security measures in, 116 ... Academics are teaching the subjects, but most lack real-world experience, which is critical when training students Also, many academics are not current with forensics trends and tools Times Are... saying, “If you wait long enough, it’s bound to change.” The same can be said for computer forensics training Not only will more techies be concentrating on computer forensics, but also attorneys and... collection, forensic analysis, expert witness, forensic litigation and insurance claims support, training, and forensic process improvement Part II: Computer Forensics Evidence and Capture The

Posted: 17/11/2019, 07:37

Table of contents

    Part I: Overview of Computer Forensics Technology

    Introduction to Computer Forensics

    Use of Computer Forensics in Law Enforcement

    Computer Forensics Assistance to Human Resources/Employment Proceedings

    Benefits of Professional Forensics Methodology

    Steps Taken by Computer Forensics Specialists

    Who Can Use Computer Forensic Evidence?

    Chapter Review Questions and Exercises

    2 Types of Computer Forensics Technology

    Types of Military Computer Forensic Technology
