ISSA INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES
Fundamentals of Communications and Networking, Second Edition Michael G. Solomon and David Kim
Fundamentals of Information Systems Security, Third Edition David Kim and Michael G. Solomon
Legal Issues in Information Security, Second Edition Joanna Lyn Grama
Managing Risk in Information Systems, Second Edition Darril Gibson
Security Policies and Implementation Issues, Second Edition Rob Johnson
Auditing IT Infrastructures for Compliance, Second Edition Martin Weiss and Michael G. Solomon
Access Control, Authentication, and Public Key Infrastructure, Second Edition Mike Chapple, Bill Ballad, Tricia Ballad, and Erin Banks
Security Strategies in Windows Platforms and Applications, Second Edition
Michael G. Solomon
Security Strategies in Linux Platforms and Applications, Second Edition Michael Jang and Ric Messier
Network Security, Firewalls, and VPNs, Second Edition J. Michael Stewart
Hacker Techniques, Tools, and Incident Handling, Second Edition Sean-Philip Oriyano
Internet Security: How to Defend Against Attackers on the Web, Second Edition Mike Harwood
System Forensics, Investigation, and Response, Third Edition Chuck Easttom
Cyberwarfare: Information Operations in a Connected World Mike Chapple and David Seidl
Wireless and Mobile Device Security Jim Doherty
JONES & BARTLETT LEARNING
The Information Systems Security & Assurance Series (ISSA) offers an interactive curriculum solution that covers the essential topics needed to support certification or degree programs within IT Security, Cybersecurity, Information
Assurance and Information Systems Security. Developed by certified professionals, the series delivers fundamental IT security principles and real-world applications, tools, and techniques used in today’s work force and necessary for accommodating the rapidly growing job demand for cybersecurity. The inclusion of robust courseware and innovative labs, delivered in a first-of-its kind “cloud” computing environment, offer a fully immersive cloud learning experience. Students can learn in a trial-and- error format in an experiential learning environment with no risk, gaining invaluable workplace-related skills essential to maintaining the security and confidentiality of their employers’ data assets. Visit http://www.issaseries.com/ for the most current information on text availability and additional information on the Virtual Security Cloud Labs.
http://www.issaseries.com/
System Forensics, Investigation, and Response
ISSA INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES
THIRD EDITION
Chuck Easttom
JONES & BARTLETT LEARNING
World Headquarters Jones & Bartlett Learning 5 Wall Street Burlington, MA 01803 978-443-5000 info@jblearning.com www.jblearning.com
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.
Copyright © 2019 by Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
mailto:info@jblearning.com
http://www.jblearning.com
http://www.jblearning.com
mailto:specialsales@jblearning.com
The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. System Forensics, Investigation, and Response, Third Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.
There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.
This publication is designed to provide accurate and authoritative information in regard to the Subject Matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal
advice or other expert assistance is required, the service of a competent professional person should be sought.
Production Credits VP, Executive Publisher: David D. Cella Executive Editor: Matt Kane Acquisitions Editor: Laura Pagluica Editorial Assistant: Mary Menzemer Associate Production Editor: Alex Schab Director of Marketing: Andrea DeFronzo Production Services Manager: Colleen Lamy VP, Manufacturing and Inventory Control: Therese Connell Composition: codeMantra U.S. LLC Cover Design: Scott Moden Rights & Media Specialist: Thais Miller Media Development Editor: Shannon Sheehan Cover Image (Title Page, Part Opener, Chapter Opener): © Click Bestsellers/Shutterstock Printing and Binding: Edwards Brothers Malloy Cover Printing: Edwards Brothers Malloy
Library of Congress Cataloging-in-Publication Data Names: Easttom, Chuck, author. Title: System forensics, investigation, and response / Chuck Easttom. Description: Third Edition. | Burlington, MA : Jones & Bartlett Learning, [2019] | Revised edition of the author’s System forensics, investigation, and response, c2014. Identifiers: LCCN 2017018109 | ISBN
9781284121841 Subjects: LCSH: Computer crimes—Investigation— Textbooks. Classification: LCC HV8079.C65 E37 2017 | DDC 363.25/968—dc23 LC record available at https://lccn.loc.gov/2017018109
6048
Printed in the United States of America 21 20 19 18 17 10 9 8 7 6 5 4 3 2 1
https://lccn.loc.gov/2017018109
Contents Preface
About the Author
PART I Introduction to Forensics
CHAPTER 1 Introduction to Forensics What Is Computer Forensics?
Using Scientific Knowledge
Collecting
Analyzing
Presenting
Understanding the Field of Digital Forensics
What Is Digital Evidence?
Scope-Related Challenges to System
Forensics
Types of Digital System Forensics
Analysis
General Guidelines
Knowledge Needed for Computer Forensics Analysis
Hardware
Software
Networks
Addresses
Obscured Information and Anti-Forensics
The Daubert Standard
U.S. Laws Affecting Digital Forensics
The Federal Privacy Act of 1974
The Privacy Protection Act of 1980
The Communications Assistance for Law
Enforcement Act of 1994
The Electronic Communications Privacy
Act of 1986
The Computer Security Act of 1987
The Foreign Intelligence Surveillance Act
of 1978
The Child Protection and Sexual Predator
Punishment Act of 1998
The Children’s Online Privacy Protection
Act of 1998
The Communications Decency Act of 1996
The Telecommunications Act of 1996
The Wireless Communications and Public
Safety Act of 1999
The USA Patriot Act of 2001
The Sarbanes-Oxley Act of 2002
18 U.S.C. § 1030: Fraud and Related
Activity in Connection with Computers
18 U.S.C. § 1020: Fraud and Related
Activity in Connection with Access Devices
The Digital Millennium Copyright Act
(DMCA) of 1998
18 U.S.C. § 1028A: Identity Theft and
Aggravated Identity Theft
18 U.S.C. § 2251: Sexual Exploitation of
Children
Warrants
Federal Guidelines
The FBI
The Secret Service
The Regional Computer Forensics
Laboratory Program
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Overview of Computer Crime
How Computer Crime Affects Forensics
Identity Theft
Phishing
Spyware
Discarded Information
How Does This Crime Affect Forensics?
Hacking
SQL Injection
Cross-Site Scripting
Ophcrack
Tricking Tech Support
Hacking in General
Cyberstalking and Harassment
Real Cyberstalking Cases
Fraud
Investment Offers
Data Piracy
Non-Access Computer Crimes
Denial of Service
Viruses
Logic Bombs
Cyberterrorism
How Does This Crime Affect Forensics?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 Forensic Methods and Labs
Forensic Methodologies
Handle Original Data as Little as Possible
Comply with the Rules of Evidence
Avoid Exceeding Your Knowledge
Create an Analysis Plan
Technical Information Collection
Considerations
Formal Forensic Approaches
Department of Defense Forensic
Standards
The Digital Forensic Research Workshop
Framework
The Scientific Working Group on Digital
Evidence Framework
An Event-Based Digital Forensics
Investigation Framework
Documentation of Methodologies and Findings
Disk Structure
File Slack Searching
Evidence-Handling Tasks
Evidence-Gathering Measures
Expert Reports
How to Set Up a Forensic Lab
Equipment
Security
American Society of Crime Laboratory
Directors
Common Forensic Software Programs
EnCase
Forensic Toolkit
OSForensics
Helix
Kali Linux
AnaDisk Disk Analysis Tool
CopyQM Plus Disk Duplication Software
The Sleuth Kit
Disk Investigator
Forensic Certifications
EnCase Certified Examiner Certification
AccessData Certified Examiner
OSForensics
Certified Cyber Forensics Professional
EC Council Computer Hacking Forensic
Investigator
High Tech Crime Network Certifications
Global Information Assurance Certification
Certifications
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
PART II Technical Overview: System Forensics Tools, Techniques, and Methods
CHAPTER 4 Collecting, Seizing, and Protecting Evidence Proper Procedure
Shutting Down the Computer
Transporting the Computer System to a
Secure Location
Preparing the System
Documenting the Hardware Configuration
of the System
Mathematically Authenticating Data on All
Storage Devices
Handling Evidence
Collecting Data
Documenting Filenames, Dates, and Times
Identifying File, Program, and Storage
Anomalies
Evidence-Gathering Measures
Storage Formats
Magnetic Media
Solid-State Drives
Digital Audio Tape Drives
Digital Linear Tape and Super DLT
Optical Media
Using USB Drives
File Formats
Forensic Imaging
Imaging with EnCase
Imaging with the Forensic Toolkit
Imaging with OSForensics
RAID Acquisitions
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
CHAPTER LAB
CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information Steganography
Historical Steganography
Steganophony
Video Steganography
More Advanced Steganography
Steganalysis
Invisible Secrets
MP3Stego
Additional Resources
Encryption
The History of Encryption
Modern Cryptography
Breaking Encryption
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
CHAPTER 6 Recovering Data Undeleting Data
File Systems and Hard Drives
Windows
Forensically Scrubbing a File or Folder
Linux
Macintosh
Recovering Information from Damaged Media
Physical Damage Recovery Techniques
Recovering Data After Logical Damage
File Carving
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 Email Forensics
How Email Works
Email Protocols
Faking Email
Email Headers
Getting Headers in Outlook
Getting Headers from Yahoo! Email
Getting Headers from Gmail
Other Email Clients
Email Files
Paraben’s Email Examiner
ReadPST
Tracing Email
Email Server Forensics
Email and the Law
The Fourth Amendment to the U.S.
Constitution
The Electronic Communications Privacy
Act
The CAN-SPAM Act
18 U.S.C. 2252B
The Communication Assistance to Law
Enforcement Act
The Foreign Intelligence Surveillance Act
The USA Patriot Act
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 Windows Forensics
Windows Details
Windows History
64-Bit
The Boot Process
Important Files
Volatile Data
Tools
Windows Swap File
Windows Logs
Windows Directories
UserAssist
Unallocated/Slack Space
Alternate Data Streams
Index.dat
Windows Files and Permissions
MAC
The Registry
USB Information
Wireless Networks
Tracking Word Documents in the Registry
Malware in the Registry
Uninstalled Software
Passwords
ShellBag
Prefetch
Volume Shadow Copy
Memory Forensics
Volatility
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Linux Forensics
Linux and Forensics
Linux Basics
Linux History
Linux Shells
Graphical User Interface
K Desktop Environment (KDE)/Plasma
Linux Boot Process
Logical Volume Manager
Linux Distributions
Linux File Systems
Ext
The Reiser File System
The Berkeley Fast File System
Linux Logs
The /var/log/faillog Log
The /var/log/kern.log Log
The /var/log/lpr.log Log
The /var/log/mail.* Log
The /var/log/mysql.* Log
The /var/log/apache2/* Log
The /var/log/lighttpd/* Log
The /var/log/apport.log Log
Other Logs
Viewing Logs
Linux Directories
The /root Directory
The /bin Directory
The /sbin Directory
The /etc Folder
The /etc/inittab File
The /dev Directory
The /mnt Directory
The /boot Directory
The /usr Directory
The /var Directory
The /var/spool Directory
The /proc Directory
Shell Commands for Forensics
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
The Command
Can You Undelete in Linux?
Manual Method
Kali Linux Forensics
Forensics Tools for Linux
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Macintosh Forensics
Mac Basics
Mac History
Mac File Systems
Partition Types
Macintosh Logs
The /var/log Log
The /var/spool/cups Folder
The /Library/Receipts Folder
The /Users/<user>/.bash_history Log
The /var/vm Folder
The /Users/ Directory
The /Users/<user>/Library/Preferences/
Folder
Directories
The /Volumes Directory
The /Users Directory
The /Applications Directory
The /Network Directory
The /etc Directory
The
/Library/Preferences/SystemConfiguration/dom.apple.preferences.plist
File
Macintosh Forensic Techniques
Target Disk Mode
Searching Virtual Memory
Shell Commands
How to Examine a Mac
Can You Undelete in Mac?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 Mobile Forensics
Cellular Device Concepts
Terms
Operating Systems
The BlackBerry
What Evidence You Can Get from a Cell Phone
Types of Investigations
Phone states
Seizing Evidence from a Mobile Device
The iPhone
BlackBerry
JTAG
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS