Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống
1
/ 417 trang
THÔNG TIN TÀI LIỆU
Cấu trúc
Computer and Intrusion
Forensics
Computer and Intrusion
Forensics
Copyright
Contents
Foreword by Eugene Spafford
Preface
Acknowledgments
Disclaimer
1 Computer Crime, Computer Forensics, and
Computer Security.
1.1 Introduction
1.2 Human behavior in the electronic age
1.3 The nature of computer crime
1.4 Establishing a case in computer forensics
1.4.1 Computer forensic analysis within the forensic tradition
1.4.2 The nature of digital evidence
1.4.3 Retrieval and analysis of digital evidence
1.4.4 Sources of digital evidence
1.5 Legal considerations
1.6 Computer security and its relationship to computer forensics
1.6.1 Basic communications on the Internet
1.6.2 Computer security and computer forensics
1.7 Overview of the following chapters
References
2 Current Practice
2.1 Introduction
2.2 Electronic evidence
2.2.1 Secure boot, write blockers and forensic platforms
2.2.2 Disk file organization
2.2.3 Disk and file imaging and analysis
2.2.4 File deletion, media sanitization
2.2.5 Mobile telephones, PDAs
2.2.6 Discovery of electronic evidence
2.3 Forensic tools
2.3.1 EnCase
2.3.2 ILook Investigator
2.3.3 CFIT1
2.4 Emerging procedures and standards
2.4.1 Seizure and analysis of electronic evidence
2.4.2 National and international standards
2.5 Computer crime legislation and computer forensics
2.5.1 Council of Europe Convention on Cybercrime and other international activities
2.5.2 Carnivore and RIPA
2.5.3 Antiterrorism legislation
2.6 Networks and intrusion forensics
References
3 Computer Forensics in Law Enforcement and
National Security
3.1 The origins and history of computer forensics
3.2 The role of computer forensics in law enforcement
3.3 Principles of evidence
3.3.1 Jurisdictional issues
3.3.2 Forensic principles and methodologies
3.4 Computer forensics model for law enforcement
3.4.1 Computer forensic ¡ª secure, analyze, present ( CFSAP) model
3.5 Forensic examination
3.5.1 Procedures
3.5.2 Analysis
3.5.3 Presentation
3.6 Forensic resources and tools
3.6.1 Operating systems
3.6.2 Duplication
3.6.3 Authentication
3.6.4 Search
3.6.5 Analysis
3.6.6 File viewers
3.7 Competencies and certification
3.7.1 Training courses
3.7.2 Certification
3.8 Computer forensics and national security
3.8.1 National security
3.8.2 Critical infrastructure protection
3.8.3 National security computer forensic organizations
References
4 Computer Forensics in Forensic Accounting
4.1 Auditing and fraud detection
4.1.1 Detecting fraud ¡ª the auditor and technology
4.2 Defining fraudulent activity
4.2.1 What is fraud?
4.2.2 Internal fraud versus external fraud
4.2.3 Understanding fraudulent behavior
4.3 Technology and fraud detection
4.3.1 Data mining and fraud detection
4.3.2 Digit analysis and fraud detection
4.3.3 Fraud detection tools
4.4 Fraud detection techniques
4.4.1 Fraud detection through statistical analysis
4.4.2 Fraud detection through pattern and relationship analysis
4.4.3 Dealing with vagueness in fraud detection
4.4.4 Signatures in fraud detection
4.5 Visual analysis techniques
4.5.1 Link or relationship analysis
4.5.2 Time- line analysis
4.5.3 Clustering
4.6 Building a fraud analysis model
4.6.1 Stage 1: Define objectives
4.6.2 Stage 2: Environmental scan
4.6.3 Stage 3: Data acquisition
4.6.4 Stage 4: Define fraud rules
4.6.5 Stage 5: Develop analysis methodology
4.6.6 Stage 6: Data analysis
4.6.7 Stage 7: Review results
References
Appendix 4A
5 Case Studies
5.1 Introduction
5.2 The case of ¡®¡® Little Nicky¡¯¡¯ Scarfo
5.2.1 The legal challenge
5.2.2 Keystroke logging system
5.3 The case of ¡®¡® El Griton¡¯¡¯
5.3.1 Surveillance on Harvard¡¯s computer network
5.3.2 Identification of the intruder: Julio Cesar Ardita
5.3.3 Targets of Ardita¡¯s activities
5.4 Melissa
5.4.1 A word on macro viruses
5.4.2 The virus
5.4.3 Tracking the author
5.5 The World Trade Center bombing ( 1993) and Operation Oplan Bojinka
5.6 Other cases
5.6.1 Testing computer forensics in court
5.6.2 The case of the tender document
References
6 Intrusion Detection and Intrusion Forensics
6.1 Intrusion detection, computer forensics, and information warfare
6.2 Intrusion detection systems
6.2.1 The evolution of IDS
6.2.2 IDS in practice
6.2.3 IDS interoperability and correlation
6.3 Analyzing computer intrusions
6.3.1 Event log analysis
6.3.2 Time- lining
6.4 Network security
6.4.1 Defense in depth
6.4.2 Monitoring of computer networks and systems
6.4.3 Attack types, attacks, and system vulnerabilities
6.5 Intrusion forensics
6.5.1 Incident response and investigation
6.5.2 Analysis of an attack
6.5.3 A case study ¡ª security in cyberspace
6.6 Future directions for IDS and intrusion forensics
References
7 Research Directions and Future Developments
7.1 Introduction
7.2 Forensic data mining ¡ª finding useful patterns in evidence
7.3 Text categorization
7.4 Authorship attribution: identifying e- mail authors
7.5 Association rule mining—application to
investigative profiling
7.6 Evidence extraction, link analysis, and link discovery
7.6.1 Evidence extraction and link analysis
7.6.2 Link discovery
7.7 Stegoforensic analysis
7.8 Image mining
7.9 Cryptography and cryptanalysis
7.10 The future ¡ª society and technology
References
Acronyms
About the Authors
Index
Nội dung
[...]... 1: Computer Crime, Computer Forensics, and Computer Security w Chapter 2: Current Practice w Chapter 3: ComputerForensics in Law Enforcement and National Security w Chapter 4: ComputerForensics in Forensic Accounting The second focus (Chapter 5 to 7) of this book is on intrusion investigation andintrusion forensics, on the inter-relationship between intrusion detection andintrusion forensics, and. .. that intrusions are a special kind of computer crime, and that intrusionforensics is correspondingly a specialization of computerforensics 1.4 Establishing a case in computerforensics Section 1.3 distinguished between crime assisted by computers and crime specifically targeting computers in order to establish the difference between computerforensicsandintrusionforensics Both, however, rely upon computer- based... Here, we explore the special characteristics of computer- based evidence, and its place within the forensic tradition We can then introduce adequate definitions for both computerforensicsandintrusionforensics 1.4 Establishing a case in computerforensics 13 Computerforensicsandintrusion forensics, in both the broad sense (using any computer evidence) and narrow sense (focusing on courtadmissible... incidentally or 4 Computer Crime, Computer Forensics, and Computer Security whether perpetrated through or against a computer We outline a spectrum of ways in which people perpetrate familiar crimes or invent new ones This chapter then highlights that while computerforensicsandintrusionforensics are rapidly gaining ground as valid subdisciplines of traditional forensics, there are both similarities and important... jurisdiction(s), the task of the computer and intrusion forensics investigator will become more critical in the future and is bound to become more complex Having standard references and resources for these personnel is an important step in the maturation of the field This book presents a careful and comprehensive treatment of the areas of computerforensicsandintrusion forensics, thus Foreword by Eugene... increase, there has been a greater need to understand the causes and effects of intrusions, on-line crimes, and network-based attacks The critical importance of the areas of computer forensics, network forensicsandintrusionforensics is growing, and will be of great importance in the years to come Recent events and recent legislation, both national and international, mean that this book is especially... otherwise involving computers 2 Intrusion forensics, which relates to the investigation of attacks or suspicious behavior directed against computers per se In both cases, information technology facilitates both the commission and the investigation of the act in question, and in that sense we see that intrusionforensics is a specific area of computer forensics, applied to computerintrusion activities... computer piracy 12 Computer Crime, Computer Forensics, and Computer Security For example, in the case of an extortion investigation, an investigator would begin by looking at the following: ‘‘ date and time stamps, e-mail, history log, Internet activity logs, temporary Internet files, and user names’’ [7] In contrast, a computerintrusion case suggests both more computer expertise and more computer- based... role computer evidence plays in information warfare (see Chapter 6) and other applications of preventative surveillance In Section 1.4.1 we overview the genesis of computerforensicsand its emergence as a professional discipline, a topic treated in detail in Chapter 3 14 Computer Crime, Computer Forensics, and Computer Security 1.4.1 Computer forensic analysis within the forensic tradition Although computer. .. take place on private networks and via specialpurpose protocols An important point to note is that while computerforensics often speaks in legal terms like evidence, seizure, and investigation, not all computer- related misdeeds are criminal, and not all investigations result in court proceedings We will introduce broad definitions for computerforensicsandintrusionforensics which include these less . between intrusion
detection and intrusion forensics, and upon future developments:
w
Chapter 5: Case Studies
w
Chapter 6: Intrusion Detection and Intrusion Forensics
w
Chapter. . . . . . . . . . . . . 253
6 Intrusion Detection and Intrusion Forensics 257
6.1 Intrusion detection, computer forensics, and
information warfare . . .