ISSA INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES
Fundamentals of Communications and Networking, Second Edition Michael G. Solomon and David Kim
Fundamentals of Information Systems Security, Third Edition David Kim and Michael G. Solomon
Legal Issues in Information Security, Second Edition Joanna Lyn Grama
Managing Risk in Information Systems, Second Edition Darril Gibson
Security Policies and Implementation Issues, Second Edition Rob Johnson
Auditing IT Infrastructures for Compliance, Second Edition Martin Weiss and Michael G. Solomon
Access Control, Authentication, and Public Key Infrastructure, Second Edition Mike Chapple, Bill Ballad, Tricia Ballad, and Erin Banks
Security Strategies in Windows Platforms and Applications, Second Edition Michael G. Solomon
Security Strategies in Linux Platforms and Applications, Second Edition Michael Jang and Ric Messier
Network Security, Firewalls, and VPNs, Second Edition J. Michael Stewart
Hacker Techniques, Tools, and Incident Handling, Second Edition Sean-Philip Oriyano
Internet Security: How to Defend Against Attackers on the Web, Second Edition Mike Harwood
System Forensics, Investigation, and Response, Third Edition Chuck Easttom
Cyberwarfare: Information Operations in a Connected World Mike Chapple and David Seidl
Wireless and Mobile Device Security Jim Doherty
JONES & BARTLETT LEARNING
The Information Systems Security & Assurance Series (ISSA) offers an interactive curriculum solution that covers the essential topics needed to support certification or degree programs within IT Security, Cybersecurity, Information Assurance and Information Systems Security. Developed by certified professionals, the series delivers fundamental IT security principles and real-world applications, tools, and techniques used in today’s work force and necessary for accommodating the rapidly growing job demand for cybersecurity. The inclusion of robust courseware and innovative labs, delivered in a first-of-its-kind “cloud” computing environment, offers a fully immersive cloud learning experience. Students can learn in a trial-and-error format in an experiential learning environment with no risk, gaining invaluable workplace-related skills essential to maintaining the security and confidentiality of their employers’ data assets. Visit http://www.issaseries.com/ for the most current information on text availability and additional information on the Virtual Security Cloud Labs.
System Forensics, Investigation, and Response
THIRD EDITION
Chuck Easttom
World Headquarters
Jones & Bartlett Learning
5 Wall Street
Burlington, MA 01803
978-443-5000
info@jblearning.com
www.jblearning.com
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.
Copyright © 2019 by Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. System Forensics, Investigation, and Response, Third Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.
There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.
This publication is designed to provide accurate and authoritative information in regard to the Subject Matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.
Production Credits
VP, Executive Publisher: David D. Cella
Executive Editor: Matt Kane
Acquisitions Editor: Laura Pagluica
Editorial Assistant: Mary Menzemer
Associate Production Editor: Alex Schab
Director of Marketing: Andrea DeFronzo
Production Services Manager: Colleen Lamy
VP, Manufacturing and Inventory Control: Therese Connell
Composition: codeMantra U.S. LLC
Cover Design: Scott Moden
Rights & Media Specialist: Thais Miller
Media Development Editor: Shannon Sheehan
Cover Image (Title Page, Part Opener, Chapter Opener): © Click Bestsellers/Shutterstock
Printing and Binding: Edwards Brothers Malloy
Cover Printing: Edwards Brothers Malloy
Library of Congress Cataloging-in-Publication Data
Names: Easttom, Chuck, author.
Title: System forensics, investigation, and response / Chuck Easttom.
Description: Third Edition. | Burlington, MA : Jones & Bartlett Learning, [2019] | Revised edition of the author’s System forensics, investigation, and response, c2014.
Identifiers: LCCN 2017018109 | ISBN 9781284121841
Subjects: LCSH: Computer crimes—Investigation—Textbooks.
Classification: LCC HV8079.C65 E37 2017 | DDC 363.25/968—dc23
LC record available at https://lccn.loc.gov/2017018109
Printed in the United States of America 21 20 19 18 17 10 9 8 7 6 5 4 3 2 1
Contents
Preface
About the Author
PART I Introduction to Forensics
CHAPTER 1 Introduction to Forensics
What Is Computer Forensics?
Using Scientific Knowledge
Collecting
Analyzing
Presenting
Understanding the Field of Digital Forensics
What Is Digital Evidence?
Scope-Related Challenges to System Forensics
Types of Digital System Forensics Analysis
General Guidelines
Knowledge Needed for Computer Forensics Analysis
Hardware
Software
Networks
Addresses
Obscured Information and Anti-Forensics
The Daubert Standard
U.S. Laws Affecting Digital Forensics
The Federal Privacy Act of 1974
The Privacy Protection Act of 1980
The Communications Assistance for Law Enforcement Act of 1994
The Electronic Communications Privacy Act of 1986
The Computer Security Act of 1987
The Foreign Intelligence Surveillance Act of 1978
The Child Protection and Sexual Predator Punishment Act of 1998
The Children’s Online Privacy Protection Act of 1998
The Communications Decency Act of 1996
The Telecommunications Act of 1996
The Wireless Communications and Public Safety Act of 1999
The USA Patriot Act of 2001
The Sarbanes-Oxley Act of 2002
18 U.S.C. § 1030: Fraud and Related Activity in Connection with Computers
18 U.S.C. § 1029: Fraud and Related Activity in Connection with Access Devices
The Digital Millennium Copyright Act (DMCA) of 1998
18 U.S.C. § 1028A: Identity Theft and Aggravated Identity Theft
18 U.S.C. § 2251: Sexual Exploitation of Children
Warrants
Federal Guidelines
The FBI
The Secret Service
The Regional Computer Forensics Laboratory Program
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Overview of Computer Crime
How Computer Crime Affects Forensics
Identity Theft
Phishing
Spyware
Discarded Information
How Does This Crime Affect Forensics?
Hacking
SQL Injection
Cross-Site Scripting
Ophcrack
Tricking Tech Support
Hacking in General
Cyberstalking and Harassment
Real Cyberstalking Cases
Fraud
Investment Offers
Data Piracy
Non-Access Computer Crimes
Denial of Service
Viruses
Logic Bombs
Cyberterrorism
How Does This Crime Affect Forensics?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 Forensic Methods and Labs
Forensic Methodologies
Handle Original Data as Little as Possible
Comply with the Rules of Evidence
Avoid Exceeding Your Knowledge
Create an Analysis Plan
Technical Information Collection Considerations
Formal Forensic Approaches
Department of Defense Forensic Standards
The Digital Forensic Research Workshop Framework
The Scientific Working Group on Digital Evidence Framework
An Event-Based Digital Forensics Investigation Framework
Documentation of Methodologies and Findings
Disk Structure
File Slack Searching
Evidence-Handling Tasks
Evidence-Gathering Measures
Expert Reports
How to Set Up a Forensic Lab
Equipment
Security
American Society of Crime Laboratory Directors
Common Forensic Software Programs
EnCase
Forensic Toolkit
OSForensics
Helix
Kali Linux
AnaDisk Disk Analysis Tool
CopyQM Plus Disk Duplication Software
The Sleuth Kit
Disk Investigator
Forensic Certifications
EnCase Certified Examiner Certification
AccessData Certified Examiner
OSForensics
Certified Cyber Forensics Professional
EC Council Computer Hacking Forensic Investigator
High Tech Crime Network Certifications
Global Information Assurance Certification Certifications
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
PART II Technical Overview: System Forensics Tools, Techniques, and Methods
CHAPTER 4 Collecting, Seizing, and Protecting Evidence
Proper Procedure
Shutting Down the Computer
Transporting the Computer System to a Secure Location
Preparing the System
Documenting the Hardware Configuration of the System
Mathematically Authenticating Data on All Storage Devices
Handling Evidence
Collecting Data
Documenting Filenames, Dates, and Times
Identifying File, Program, and Storage Anomalies
Evidence-Gathering Measures
Storage Formats
Magnetic Media
Solid-State Drives
Digital Audio Tape Drives
Digital Linear Tape and Super DLT
Optical Media
Using USB Drives
File Formats
Forensic Imaging
Imaging with EnCase
Imaging with the Forensic Toolkit
Imaging with OSForensics
RAID Acquisitions
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
CHAPTER LAB
CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
Steganography
Historical Steganography
Steganophony
Video Steganography
More Advanced Steganography
Steganalysis
Invisible Secrets
MP3Stego
Additional Resources
Encryption
The History of Encryption
Modern Cryptography
Breaking Encryption
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
CHAPTER 6 Recovering Data
Undeleting Data
File Systems and Hard Drives
Windows
Forensically Scrubbing a File or Folder
Linux
Macintosh
Recovering Information from Damaged Media
Physical Damage Recovery Techniques
Recovering Data After Logical Damage
File Carving
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 Email Forensics
How Email Works
Email Protocols
Faking Email
Email Headers
Getting Headers in Outlook
Getting Headers from Yahoo! Email
Getting Headers from Gmail
Other Email Clients
Email Files
Paraben’s Email Examiner
ReadPST
Tracing Email
Email Server Forensics
Email and the Law
The Fourth Amendment to the U.S. Constitution
The Electronic Communications Privacy Act
The CAN-SPAM Act
18 U.S.C. § 2252B
The Communications Assistance for Law Enforcement Act
The Foreign Intelligence Surveillance Act
The USA Patriot Act
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 Windows Forensics
Windows Details
Windows History
64-Bit
The Boot Process
Important Files
Volatile Data
Tools
Windows Swap File
Windows Logs
Windows Directories
UserAssist
Unallocated/Slack Space
Alternate Data Streams
Index.dat
Windows Files and Permissions
MAC
The Registry
USB Information
Wireless Networks
Tracking Word Documents in the Registry
Malware in the Registry
Uninstalled Software
Passwords
ShellBag
Prefetch
Volume Shadow Copy
Memory Forensics
Volatility
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Linux Forensics
Linux and Forensics
Linux Basics
Linux History
Linux Shells
Graphical User Interface
K Desktop Environment (KDE)/Plasma
Linux Boot Process
Logical Volume Manager
Linux Distributions
Linux File Systems
Ext
The Reiser File System
The Berkeley Fast File System
Linux Logs
The /var/log/faillog Log
The /var/log/kern.log Log
The /var/log/lpr.log Log
The /var/log/mail.* Log
The /var/log/mysql.* Log
The /var/log/apache2/* Log
The /var/log/lighttpd/* Log
The /var/log/apport.log Log
Other Logs
Viewing Logs
Linux Directories
The /root Directory
The /bin Directory
The /sbin Directory
The /etc Folder
The /etc/inittab File
The /dev Directory
The /mnt Directory
The /boot Directory
The /usr Directory
The /var Directory
The /var/spool Directory
The /proc Directory
Shell Commands for Forensics
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
Can You Undelete in Linux?
Manual Method
Kali Linux Forensics
Forensics Tools for Linux
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Macintosh Forensics
Mac Basics
Mac History
Mac File Systems
Partition Types
Macintosh Logs
The /var/log Log
The /var/spool/cups Folder
The /Library/Receipts Folder
The /Users//.bash_history Log
The /var/vm Folder
The /Users/ Directory
The /Users//Library/Preferences/ Folder
Directories
The /Volumes Directory
The /Users Directory
The /Applications Directory
The /Network Directory
The /etc Directory
The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File
Macintosh Forensic Techniques
Target Disk Mode
Searching Virtual Memory
Shell Commands
How to Examine a Mac
Can You Undelete in Mac?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 Mobile Forensics
Cellular Device Concepts
Terms
Operating Systems
The BlackBerry
What Evidence You Can Get from a Cell Phone
Types of Investigations
Phone States
Seizing Evidence from a Mobile Device
The iPhone
BlackBerry
JTAG
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Performing Network Analysis
Network Packet Analysis
Network Packets
Network Attacks
Network Traffic Analysis Tools
Network Traffic Analysis
Using Log Files as Evidence
Wireless
Router Forensics
Router Basics
Types of Router Attacks
Getting Evidence from the Router
Firewall Forensics
Firewall Basics
Collecting Data
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
PART III Incident Response and Resources
CHAPTER 13 Incident and Intrusion Response
Disaster Recovery
Incident Response Plan
Incident Response
Preserving Evidence
Adding Forensics to Incident Response
Forensic Resources
Forensics and Policy
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 Trends and Future Directions
Technical Trends
What Impact Does This Have on Forensics?
Software as a Service
The Cloud
What Impact Does Cloud Computing Have on Forensics?
Legal and Procedural Trends
Changes in the Law
The USA Patriot Act
Private Labs
International Issues
Techniques
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 System Forensics Resources
Tools to Use
ASR Data Acquisition & Analysis
AccessData Forensic Toolkit
OSForensics
ComputerCOP
Digital Detective
Digital Intelligence
Disk Investigator
EnCase
X-Ways Software Technology AG
Other Tools
Resources
International Association of Computer Investigative Specialists
EnCase Certified Examiner Certification
AccessData Certified Examiner
Computer Hacking Forensic Investigator
Certified Cyber Forensics Professional
SANS Institute
American Academy of Forensic Sciences
Websites
Journals
Conferences
Laws
The USA Patriot Act
The Electronic Communications Privacy Act of 1986
The Communications Assistance for Law Enforcement Act of 1994
The Health Insurance Portability and Accountability Act of 1996
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index
Preface
Purpose of This Book
This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals, they deliver comprehensive information on all aspects of information security. Reviewed word-for-word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow as well.
Computer crimes call for forensics specialists—people who know how to find and follow the evidence. But even aside from criminal investigations, incident response requires forensic skills. This book begins by examining the fundamentals of system forensics: what forensics is, an overview of computer crime, the challenges of system forensics, and forensics methods and labs. The second part of this book addresses the tools, techniques, and methods used to perform computer forensics and investigation. These include collecting evidence, investigating information hiding, recovering data, and scrutinizing email. It also discusses how to perform forensics in the Windows, Linux, and Macintosh operating systems; on mobile devices; and on networks. Finally, the third part explores incident and intrusion response, emerging technologies and future directions of this field, and additional system forensics resources.
Learning Features
The writing style of this book is practical and conversational. Each chapter begins with a statement of learning objectives. Step-by-step examples of information security concepts and procedures are presented throughout the text. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter assessments appear at the end of each chapter, with solutions provided in the back of the book.
Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.
Audience
The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a 2-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.
This book is dedicated to all the forensic analysts who work diligently to extract the evidence necessary to find the truth in criminal and civil cases.
About the Author
Chuck Easttom is an internationally renowned computer security expert and trainer. He has been in the IT industry for more than 25 years and has been training for more than 15. He routinely conducts computer security and forensics training for civilian companies, law enforcement, government agencies, and friendly foreign governments. He holds more than 40 industry certifications, including several forensics certifications such as: Certified Cyber Forensics Professional (CCFP), Computer Hacking Forensic Investigator (CHFI), Certified Criminal Investigator (CCI), AccessData Certified Examiner (ACE), Oxygen Certified Examiner, Certified Forensic Consultant (CFC), and others. He has served as an expert witness in U.S. court cases since 2004, and has extensive courtroom experience. He also has extensive hands-on experience conducting forensic examinations as part of both criminal investigations and incident response.
Chuck created the OSForensics certification (OSFCE) course and test. He is an associate member of the American Academy of Forensic Sciences. Chuck is a frequent speaker at universities and conferences. He has been a speaker at Columbia University’s ACM Chapter, Harvard Computer Society, (ISC)² Security Congress, SecureWorld, Hakon India, Hakon Africa, Defcon, Enfuse, IAFLS, AAFS, ADFSL, and many other conferences.