Computer Forensics
author: Warren G. Kruse II and Jay G. Heiser
pages: 392
publisher: Addison Wesley
rating: 8/10
reviewer: Craig Maloney
ISBN: 0201707195
summary: A good reference for what to do when computer crime happens
How do you get the evidence off a computer in a form that will withstand a defense lawyer's scrutiny? Maybe you would just unplug the machine and put it in storage to await a detective's arrival, but is that what we should do? What if the evidence is on a production server that can't simply be unplugged and put into storage? What if that evidence is slowly being erased as files are created and deleted on that server? How do you help build the case against a computer criminal? Hopefully you'll never have to worry about computer crime in your home or workplace, but if you do, Computer Forensics will be an asset to your part of the investigation.
Who is this book for?
Computer crime isn't simple -- it can range from damage done by script kiddies to corporate espionage by disgruntled employees, as well as sophisticated, multi-homed attacks by skilled crackers. Computer Forensics tries hard to cover a lot of these areas. The book includes a chapter dealing with laptop hardware, as well as ones on data hiding and encryption, and further chapters on putting evidence together and dealing with law enforcement. While these topics may be of interest to the Slashdot crowd, Computer Forensics focuses more on broad topics of interest to computer detectives who need to get up to speed quickly with computer crimes and computer evidence gathering.

Several chapters are downright boring for anyone with a modicum of computer experience. Finding out where e-mail is stored on Windows and Linux machines, or understanding what a rootkit is and what it does, will be pedestrian for many readers. Nestled between the necessary-but-pedestrian topics, though, are some very useful tools. The authors use netcat with tar to copy files between machines without disturbing the modification times (something I would never have thought to do; a plain copy stamps the copies with the current time, which is exactly what an examiner must avoid). Novice users will find a wealth of tools and examples in these chapters. The tools used in the book tend toward open source and free software, and rely heavily on Linux as the Swiss Army knife for handling file systems and files without disturbing them. Any reader should be able to put together a decent set of tools from this book.
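The tar-over-netcat trick the review singles out, written out as an added example. This is not code from the book or from the review; the host names and paths in the comments are placeholders, the log files are constructed, and the netcat hop is replaced by a local pipe so the script runs on one machine.

```shell
#!/usr/bin/env bash
# Added example, not code from the book or the review: copy a directory
# tree through a pipe so file modification times survive the transfer.
# In the book's setup the middle of the pipe is netcat between two hosts
# (host names and paths below are placeholders):
#   collector:    nc -l -p 9000 | tar -C /evidence/logs -xpf -
#   suspect host: tar -C /var/log -cf - . | nc collector 9000
# TRANSPORT defaults to cat so the whole thing runs on one machine.
set -u
: "${TRANSPORT:=cat}"

# tar stores each file's mtime in the archive and restores it on
# extraction (unless you pass -m); -p also keeps the permission bits.
copy_tree_preserving_mtimes() {
    local src="$1" dst="$2"
    mkdir -p "$dst"
    tar -C "$src" -cf - . | $TRANSPORT | tar -C "$dst" -xpf -
}

# Plain recursive copy for contrast: without -p, cp stamps the copies
# with the current time, which is exactly what an examiner must avoid.
copy_tree_plain() {
    local src="$1" dst="$2"
    mkdir -p "$dst"
    cp -R "$src"/. "$dst"/
}

# 0 when every regular file under $1 exists under $2 with the same mtime.
# -nt/-ot compare mtimes and are supported by bash, dash and ksh.
mtimes_match() {
    local src="$1" dst="$2"
    find "$src" -type f | (
        status=0
        while IFS= read -r f; do
            rel="${f#"$src"/}"
            if [ ! -e "$dst/$rel" ] || [ "$dst/$rel" -nt "$f" ] || [ "$dst/$rel" -ot "$f" ]; then
                status=1
            fi
        done
        exit "$status"
    )
}

# Constructed sample: a tiny log directory with deliberately old mtimes.
make_sample_tree() {
    mkdir -p "$1/httpd"
    printf 'GET /index.html 200\n' > "$1/httpd/access.log"
    printf 'worker segfault\n'     > "$1/httpd/error.log"
    touch -t 200401011200 "$1/httpd/access.log"   # 2004-01-01 12:00
    touch -t 200401020930 "$1/httpd/error.log"    # 2004-01-02 09:30
}

demo() {
    local w; w="$(mktemp -d)"
    make_sample_tree "$w/src"
    copy_tree_preserving_mtimes "$w/src" "$w/tar_copy"
    copy_tree_plain "$w/src" "$w/cp_copy"
    mtimes_match "$w/src" "$w/tar_copy" && echo "tar pipe: mtimes preserved"
    mtimes_match "$w/src" "$w/cp_copy"  || echo "plain cp: mtimes changed"
    rm -rf "$w"
}
```

Run `demo` to see the two copies side by side. On a real collection you would also hash the archive on both ends of the netcat pipe; the transfer preserves metadata, but nothing in it proves the bytes arrived intact.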
Making it all work
Putting together a good forensic kit is all well and good, but making sure your evidence holds up to the scrutiny of some high-powered, high-priced defense lawyer is much more important. The last chapter of Computer Forensics gives a brief introduction to the criminal justice system. The authors touch on notifying law enforcement agencies, search warrants, probable cause, interviews, subpoenas, dollar loss guidelines, and testifying as an expert witness, among other legal topics. The appendices contain checklists, flowcharts, and an incident report form to aid investigation and evidence gathering. These are invaluable resources for the system administrator of any public machine who needs to deal with law enforcement.
Conclusion
Thinking about dealing with courts and law enforcement may not be at the forefront of any administrator's job, but it is a reality every administrator needs to be aware of. Computer Forensics will at least make administrators more aware of what their legal options are, and of the form in which gathered forensic data needs to be presented as evidence. Computer detectives will find a good, if rudimentary, example of what to look for when investigating a computer crime scene. This may not be the most comprehensive book on the subject of computer crime, but it will point you in the right direction to help investigate it should it ever happen to you.
SecurityFocus (Score:5, Informative)
http://archives.neohapsis.com/archives/sf/forensi
A 'thank you' from the SF forensics moderator... (Score:4, Informative)
The security focus mailing list dedicated to forensics is also good lurking
I am the moderator of the SecurityFocus.com forensics list, and agree that it is a great resource. (Al Huger is listed in the info page as the moderator; he is actually the list owner.) The list is dedicated to discussion of technical forensics topics.
The SF forensics list archives are here [securityfocus.com]. A general listing of SF mailing list archives is here [securityfocus.com]. Those interested in subscribing to the forensics list (or other lists @SecurityFocus) can do so from the archive page.
Cheers!
Scott C. Zimmerman, CISSP
Re:Enterprise file forensics (Score:4, Interesting)
On FreeBSD, it's all about mtree [free-x.ch]...
Re:Enterprise file forensics (Score:3, Informative)
There is a folder full of forensics tools on the Knoppix security tools distro [knoppix-std.org]. There are tools like Sleuthkit 1.66, which is supposed to be an extension of The Coroner's Toolkit. Has anyone here used these tools? If so, do you know if the results from these forensics tools are useful and/or admissible in court?
Re:Enterprise file forensics (Score:3, Informative)
Admissibility is not so much tied to the specific tools (though this can be an issue; more on this later) used, but the methodology used.
DISCLAIMER: I am not by any means a forensics expert, but I am doing an independent study in computer forensics in college.
That said, many of the standard *nix tools are, in fact, acceptable for court use. For example, it is extremely unlikely that you will have a chall
Time sync all your computers (Score:5, Informative)
There is no (good) excuse for not at least NTP'ing all your servers.
Re:Time sync all your computers (Score:4, Insightful)
With OpenNTPD [openntpd.org], this is no longer a valid excuse.
Re:Time sync all your computers (Score:3, Informative)
One thing people forget about is getting the STATE of the server before you off-line it. I'd suggest getting packet dumps, network routes and connections.
REMEMBER:
1. Load up a live CD with some KNOWN GOOD utilities, set the path to $CD_PATH:$PATH so it searches off the cd first or specify th
Re:Time sync all your computers (Score:2)
I was posing a general solution applicable to most operating system environments.. On a linux box I would not only get the system state, but would also dump a full disk image to tape, and possibly a memory image as well. You can sometimes glean a good bit of info looking at trashed memory pages and file locks on the disk image.
Pan
Crime On Computer ... (Score:4, Funny)
Must be old mainframes then.
CC.
Forensic Security (Score:5, Interesting)
There are designated employees on the forensic team in each department who are responsible for witnessing the process and documenting the chain of custody for data and items.
We've invested in specific equipment, including network sniffers (other than those used by the network group), hard drive replicators, log books, and materials for collection and storage of evidence.
Everything has a chain of custody and is then turned over to the proper authorities.
As far as the law is concerned, since the employee does not have a right or expectation of privacy when working on a corporate asset, everything we take is completely legal. As long as we maintain an effective chain of custody it will likely hold up in court.
Just my two cents. Your mileage may vary.
Re:Forensic Security (Score:2)
Thanks,
An interested college student (interested in the field of forensics, not work pr0n)
Re:Forensic Security (Score:2, Insightful)
It'd be a hard case to prove it created a "hostile work environment" if no one knew you had porn until an admin found it.
All this crap is just another case of moral busy-bodies hiding behind the guise of legal liability.
Re:Forensic Security (Score:2)
Both take company time and resources (bandwidth) while the employee is supposed to be doing something else.
jason
Re:Forensic Security (Score:2)
Good point. The admin could falsify information at their whim and get anyone they wanted fired... That would be Not Good (TM).
jason
Re:Forensic Security (Score:2)
That said, that wouldn't be what the crime was, and not why you would be canned. Everywhere I've been, viewing porn is grounds for dismissal. On top of that, labor laws usually spell out exactly what would not be appropriate behavior at work, and viewing porn is no doubt there. So you are now in violation of that law, no need to be cha
Re:Forensic Security (Score:2)
Note: This does not mean I don't think that it's ok to fire people for looking at porn.
Re:Forensic Security (Score:3, Interesting)
The two times I've had to provide evidence to HR of people using company assets to view porn, both employees were fired.
but what exactly are the legal repercussions for looking at juicyhoes.com for example?
In the above instances (at two different companies) viewing adult content at work was against a written policy. Employees were required to acknowledge the policy when hired
Were you ever actually challenged in court?
We weren't. Both people basic
Cutting Losses (Score:5, Insightful)
In my company, once a machine is compromised, it's taken offline and a Ghost image is taken, no questions asked, even if it's a live e-commerce site. You would rather put up an "Unscheduled Outage" notice than inflict more damage on the server/data.
It's like a 777 pilot asking if he should make an emergency landing due to a fire alarm, because there are 350 passengers onboard and we don't want to spoil their holiday.
Actually I think pilots do that, that's why we get to read black box transcripts like
GPWS: "Whoop, whoop. Pull up. Whoop whoop. Pull up."
CA: "Don't worry we can make it."
GPWS: "Whoop, whoop. Pull -."
Re:Cutting Losses (Score:2, Insightful)
Ideally you would take it off the network, but keep it running. Ideals rarely get practiced when it comes to security though.
Seizing the server (Score:2)
The problem with this (thus making it ideal) is:
1) most corporations do not have programs like EnCase Enterprise installed prior to the attack
2) EnCase is prohibitively expensive.
You can make an image of the server in the case that it is warranted, but that requires you to have an equal or
Been there, done that. (Score:5, Interesting)
After getting a list of specific timestamps (along with IP-addresses), I was able to figure out who the culprit was.
That said, the man-hours I put into the whole thing seem to have been for nothing.
The PD won't do jack shit - too little resources, they say - which is why I find it funny that they can't even send a unit to pick up the fraudsters when they're actually on-site (yet they can be seen parading the streets, looking for minors consuming alcohol).
Just because law enforcement want your help doesn't mean they'll do anything - even if you virtually hand them the crooks on a silver platter.
Then again, things might be different elsewhere.
Re:Been there, done that. (Score:4, Insightful)
A drunken minor behind the wheel of mom's Ford Excursion costs me far, far more than that should I encounter the illbred little monster on the road.
Hey, just presenting a contrarian view. Was it at least an interesting learning experience?
Washington DC FBI Bureau (Score:2, Insightful)
I was aghast, needless to say.
$0.02,
ptd
An actual example of corporate breaches. (Score:5, Interesting)
Not sure if this is the norm, but I'd figure when corporations and expensive IP is involved, government-sanctioned agencies will be in the forefront of people investigating, IMHO.
not to name names (Score:3, Informative)
the ex-employee is David Dugan.
the case you're talking about is this one:
http://www.theregister.co.uk/2004/11/11/int
Re:not to name names (Score:2)
http://www.theregister.co.uk/2004/11/11/intel_gun_man/
The case you referenced was about a guy who wanted to go postal on the plant where he used to work. It didn't say anything about him dropping DBs, and implied he was a line worker until being fired for some unknown reason. Hardly someone with root level access to a production DB.
Besides, there's a world of difference between dropping a DB and sprayin' and prayin' with your trusty Kalashnikov brand happy joy
Re:not to name names (Score:2)
And yes, this is the company...
It's not easy (Score:2, Interesting)
There are, however, some hardware solutions, namely, to keep track of everything that happens (this is expensive!). Software could also do that, so long as it cannot be hacked. Overall, I think the best
The computer is the victim. (Score:5, Funny)
Please, always make the computer your first priority, and be mindful that you do not damage it further in your rush to make an arrest.
Step 1 (Score:4, Insightful)
Step 2: Make a bit for bit copy of the drive (there are special devices that will ensure that NONE of the bits are changed).
Step 3: You can now run whatever forensics tools you want *on the copy*. The original has to be kept unchanged for it to be worth anything in court.
Make sure to never boot up the drive in question, a good criminal will have the drive auto-erase if it doesn't get a password in a certain amount of time, etc.
Videotape and annotate every step! Re:Step 1 (Score:2)
Yes - an adversary can challenge everything you do in court - but, this is the only effective way to assert that you have not damaged or tainted the evidence. You can prove that you've maintained the chain-of-cu
My impression from the replies.. (Score:2)
Against a theoretical very sophisticated non-bot attacker you'd just do nothing with the machine and instead watch the network traffic for clues.
So think first, about ways to stealthily collect more information, then follow the parents advice to make a bit-by-bit copy of the harddrive after turning off the machine.
Re:Step 1 (Score:4, Informative)
On the live system you cannot trust anything, so a CD or other media containing your tools, statically compiled, is needed to investigate.
You can use dd to make a bit-for-bit copy of RAM, pipe this through netcat to your forensics box, or cryptcat if sensitive info is on the compromised machine.
A good idea would also be to calculate an MD5 checksum for the image on either side of the netcat pipe to verify it's not messed up.
Then run lsof to check what ports are open and by what applications, and pull the plug out of the wall on the compromised host.
Then make sure the boot priority in the BIOS does not boot the HDD in question, run Knoppix or something like F.I.R.E., run md5 on the drive, pipe it to your machine with nc, and then md5 that image.
I know I missed something, but I am on the phone so I guess I'll wait to get flamed.
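The imaging and checksum steps described in this post and in the "Step 1" thread above (bit-for-bit copy, original left untouched, hash checked on both sides of the pipe), written out as an added example. It is not code from either poster or from the book: SHA-256 stands in for the MD5 the post mentions, the netcat hop is replaced by a local pipe, the "device" is a constructed file, and the custody log format is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or the book: image a device bit
# for bit through a pipe and hash the source and the received image
# separately, as the post above suggests, so the copy in the evidence
# locker can be shown to match what left the suspect host. The post says
# md5; SHA-256 is substituted here. TRANSPORT stands in for the netcat hop
# so the example runs on one machine (host names are placeholders):
#   forensics box: nc -l -p 9001 > disk.img
#   suspect host:  dd if=/dev/sda bs=1048576 | nc fbox 9001
set -u
: "${TRANSPORT:=cat}"

# Hex digest of a file or device; falls back to shasum where sha256sum is absent.
digest() {
    { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; } | awk '{print $1}'
}

# Raw copy of $1 into $2. dd opens the source read-only, so nothing is
# written to the original. bs is spelled out in bytes because GNU and BSD
# dd disagree on size suffixes.
image_device() {
    dd if="$1" bs=1048576 2>/dev/null | $TRANSPORT | dd of="$2" bs=1048576 2>/dev/null
}

# 0 when source and image hash the same, 1 otherwise. Both digests go
# into a custody log (assumed format) so the comparison can be repeated
# later by someone else.
verify_image() {
    local src="$1" img="$2" log="${3:-/dev/null}" a b now
    a="$(digest "$src")"
    b="$(digest "$img")"
    now="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf '%s source=%s sha256=%s\n%s image=%s sha256=%s\n' \
        "$now" "$src" "$a" "$now" "$img" "$b" >> "$log"
    [ "$a" = "$b" ]
}

# Constructed stand-in for /dev/sdX: 64 KiB of a repeating marker.
make_sample_device() {
    yes 'evidence block' | head -c 65536 > "$1"
}

# Overwrite one byte of an image: what a stray write to the copy, or a
# corrupted transfer, would look like.
tamper() {
    printf 'X' | dd of="$1" bs=1 seek=3 conv=notrunc 2>/dev/null
}

demo() {
    local w; w="$(mktemp -d)"
    make_sample_device "$w/dev"
    image_device "$w/dev" "$w/disk.img"
    verify_image "$w/dev" "$w/disk.img" "$w/custody.log" || { rm -rf "$w"; return 1; }
    tamper "$w/disk.img"
    if verify_image "$w/dev" "$w/disk.img" "$w/custody.log"; then rm -rf "$w"; return 1; fi
    cat "$w/custody.log"   # two matching digests, then two that differ
    rm -rf "$w"
}
```

`demo` images the constructed device, confirms the digests agree, then damages the image and shows the check failing. The same `digest` call run on the original device before it goes into the locker is the number you write in the log book; any later copy can be compared against it without touching the original again.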
Do not shut down the machine... yank the cord. (Score:2)
Actually, a good forensics examiner would not "just turn off the machine." You are correct about yanking the cord. The cord, however, must be pulled from the back of the machine, not the wall.
Never go through the regular shut down process and do not pull the cord from the wall. The industry standard (and best practice) is to pull the cord from the back of the machine.
Transferring for forensics (Score:4, Informative)
Also you can pipe dd through gzip/bzip2 and netcat to give you a loopback mountable, unmodifiable image that you can look at in case you want to grab the whole drive before putting it in the evidence locker.
Re:Transferring for forensics (Score:2)
Court forensics would have to add the same write protection that would be used for any such tool that would be used. rsync would not be a replacement for those devices/tools.
Valve (Score:5, Interesting)
In the case of HL2 code theft, Valve got lucky; they just had to wait for the hacker's ego to blow out of proportion due to the massive coverage. He emailed them. Several times. He went to a meeting for an 'interview' for a 'job'. Thank god, most hackers(as in illicit network infiltration) / criminals eventually make mistakes. In this particular case, it was pure dumbness, however. Imagine the scene :
Heh.
How would you cooperate with law enforcement? (Score:5, Funny)
Wouldn't that depend on your role in the crime, and your lawyer's advice?
Re: How would you cooperate with law enforcement? (Score:2)
If you're an employee, you can bet that the corp's lawyers are going to be involved, and they are going to be safeguarding the corp's interests, at your expense
WWYD? STFD, STFU, and DWYT. (Score:5, Insightful)
I would do whatever the nice people with the guns told me to. Nothing more, and nothing less.
The guys with the guns are not my friends, but they're pretty nice to people who help them. The most helpful thing you can do for these people is to sit the fuck down, shut the fuck up, and to do what you're told.
Unless you're being paid to perform an investigation, getting good forensic data off that drive is not your responsibility. That's the responsibility of the friends of the guys with the guns. (Are you a friend? Easy to check! Is your paycheck signed by a big guy with a really big gun? If not, you are not one of their friends!)
Going further, getting data off the drive isn't your responsibility -- but not fucking up the chain of custody is your responsibility. If you fuck up the chain of custody, the guys with the guns will be very, very, very angry with you. (You do not want this to happen.)
So:
1) Do not make the people with guns angry.
2) Do not "help" the people with guns (even if you want to), because anything you do to "help" them runs the risk of making them angry.
3) STFD. STFU. DWYT.
Y'know how we geeks have hundreds of words to express the concept of "nontechnical person who is too clueless to be allowed anywhere near a computer"?
I'll bet cops have hundreds of words that translate to "civilian who is too clueless to be allowed anywhere near an ongoing investigation".
Re:WWYD? STFD, STFU, and DWYT. (Score:2)
-nB
2 things (Score:3, Insightful)
2. for a treatise which draws a line between yourself and the guys with the guns, you come across as pretty passive aggressive
Re:WWYD? STFD, STFU, and DWYT. (Score:3, Insightful)
This is true, but not useful. It is the most helpful thing you can do for "these people", however, the most helpful thing you can do for yourself is to wait for the advice of your lawyer and do nothing and say nothing until then.
If they are asking you for help, then you are a sysadmin of some sort. As such (pay attention now) YOU ARE HIGH ON THE LIST OF POSSIBLE SUSPECTS. Don't make thi
this is an old ass book.. (Score:2, Interesting)
why the review now?
Department of Justice Forensic Guide (Score:3, Informative)
http://www.ncjrs.org/pdffiles1/nij/199408.pdf
Step One: (Score:3, Insightful)
TALK TO YOUR ATTORNEY.. first.. not 2nd
Re:Step One: (Score:2)
Depending on what you are working with, patching the hole or even unplugging the computer might destroy the crime scene.
Re:Step One: (Score:2)
Id not hesitate for an instant.
Where I work the cost of the breach is MUCH higher than the potential loss of evidence or traceback. (In my case, the admin can be *jailed* for lack of action, due to federal regulations.)
Police are NOT your friends. (Score:2)
That's the wrong question. How would I cooperate isn't a concern because I wouldn't.
If your cooperation leads to evidence that you didn't do everything that you could have possibly done to prevent the security breach, that could expose you to financial liability. I'm not going to be the one who gathers the evidence to be used against me.
LK
Re:Failure to cooperate can lead to jail (Score:2)
There's a difference between not cooperating and actively obstructing. I'm not talking about the latter.
LK
Re:More importantly... (Score:2)
That's what mnemonics are for. One word leads to another in a relatively easy to remember phrase (roughly 21 words long) and that's all your bits, or if you want to be more secure go with 2048 bytes, then you only need to remember 43 words. Granted these bytes are not all that random as they are likely to be alphanumerics but remembering 4096 bytes (86 words) is not all that hard to do (and is in fact what I use to generate the pass phrase for my encrypted vol
Re:More importantly... (Score:2)
I have one strong passphrase I use that uses non-ASCII chars in addition to normal alphanumerics. This is the key to an encrypted volume that contains my password backup library (it is also the key to nothing else). If compelled to divulge all passwords as evidence, I will hand over the file. Good luck opening it though
-nB
Re:More importantly... (Score:2)
If that's not hard enough, there's plenty of applications to encrypt specific files with higher level security.
Yes, with enough time and processing power, just about all of them can be cracked. How likely is it that anyone's goi
Fixed in later W2K Service packs and XP (Score:2)
There are ways around it, but it's non-trivial for Joe Random computer thief. So if I'm just worried about some personal data getting found while poking around on the hard drive, I'm good. The thief would have to get my personal password somehow (I use long, random passwords, so a dictionary attack would fail) and then use a specialized tool to read the drive. Ver
Re:More importantly... (Score:2)
BIOS passwords can be removed by resetting the BIOS. Not only that, BIOSes are for the most part no longer soldered on the board but go in a socket and can be readily changed.
Re:More importantly... (Score:3, Informative)
Unless you did some REALLY fancy soldering to set that password, simply removing the battery from the motherboard for about 10 minutes resets a bios password.
2) Store all sensitive data on an encrypted medium. Just hope no one puts a key logger on your keyboard.
That all depends on the strength of the encryption you use and the strength of the computers tr
You have to actually CONFIGURE your *nix? (Score:2)
Not that any sensible person thinks Theo is correct...
and there are other tricks... (Score:2)
No soldering involved either
Re:Sounds good (Score:2, Insightful)
Just because you won't lose your job if you get hacked doesn't mean you should ignore the possibility.
Re:Forensics used the other way (Score:2)
Even if you live only in RAM and don't put anything on disk, data has been recovered from powered down RAM before.
Re:Forensics used the other way (Score:3, Interesting)
HOW HDD LOCKING WORKS [networkboy.net]
The above is a quick little write-up I did to explain to all the Xbox people who want to use/access the drive that ships with the Xbox (after they've ruined their MB or sold it on eBay) why they are really quite screwed. This is not definitive, but it is fairly accurate i
Re:Forensics used the other way (Score:2)
You can check if the HD was unplugged/the case opened, fingerprints inside, etc.
Recovering deleted files (Score:2)
Poor Billy.
Protecting the asset of *Consumer Information* (Score:2)
I know this is a troll, but I will bite.
You do realize that many corporations list their database that contains customer names, addresses, credit card numbers, etc. as an asset, right?
So, in the case of Information Security, when you are helping corporations protect their "assets," many times you are helping protect consumer privacy.
When this information is compromised,