Real Digital Forensics Computer Security and Incident Response,9780321240699

Real Digital Forensics Computer Security and Incident Response

by ; ;
Edition: 1st
ISBN13: 9780321240699
ISBN10: 0321240693
Format: Paperback
Pub. Date: 2005-09-23
Publisher(s): Addison-Wesley Professional
  • Free Shipping Icon

    This Item Qualifies for Free Shipping!*

    *Excludes marketplace orders.

List Price: $89.24

Buy New

Arriving Soon. Will ship when available.
$84.99
Add to Cart

Rent Book

Select for Price
Add to Cart
There was a problem. Please try again later.

Used Book

We're Sorry
Sold Out

eBook

We're Sorry
Not Available

Buy from our Marketplace starting at $1.49

How Marketplace Works:

  • This item is offered by an independent seller and not shipped from our warehouse
  • Item details like edition and cover design may differ from our description; see seller's comments before ordering.
  • Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
  • Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
  • Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.

Summary

You can't succeed in the field of computer forensics without hands-on practice-and you can't get hands-on practice without real forensic data. The solution: Real Digital Forensics. In this book, a team of world-class computer forensics experts walks you through six detailed, highly realistic investigations and provides a DVD with all the data you need to follow along and practice.

Table of Contents

Preface xv
Acknowledgments xix
About the Authors xxi
Case Studies xxv
Part I Live Incident Response
1(72)
Windows Live Response
3(44)
Analyzing Volatile Data
5(24)
The System Date and Time
6(1)
Current Network Connections
6(3)
Open TCP or UDP Ports
9(1)
Executables Opening TCP or UDP Ports
10(2)
Cached NetBIOS Name Tables
12(1)
Users Currently Logged On
13(1)
The Internal Routing Table
14(1)
Running Processes
15(2)
Running Services
17(1)
Scheduled Jobs
18(1)
Open Files
19(1)
Process Memory Dumps
20(6)
Full System Memory Dumps
26(3)
Analyzing Nonvolatile Data
29(14)
System Version and Patch Level
30(1)
File System Time and Date Stamps
31(4)
Registry Data
35(1)
The Auditing Policy
36(1)
A History of Logins
37(1)
System Event Logs
37(1)
User Accounts
38(1)
IIS Logs
38(4)
Suspicious Files
42(1)
Putting It All Together
43(4)
Unix Live Response
47(26)
Analyzing Volatile Data
48(10)
The System Date and Time
49(1)
Current Network Connections
49(1)
Open TCP or UDP Ports
50(1)
Executables Opening TCP or UDP Ports
51(2)
Running Processes
53(2)
Open Files
55(1)
The Internal Routing Table
56(1)
Loaded Kernel Modules
57(1)
Mounted File Systems
57(1)
Analyzing Nonvolatile Data
58(12)
System Version and Patch Level
58(1)
File System Time and Date Stamps
59(2)
File System MD5 Checksum Values
61(1)
Users Currently Logged On
62(1)
A History of Logins
62(2)
Syslog Logs
64(2)
User Accounts
66(1)
User History Files
67(2)
Suspicious Files
69(1)
Putting It All Together
70(3)
Part II Network-Based Forensics
73(88)
Collecting Network-Based Evidence
75(20)
Full Content Data
76(2)
Session Data
78(1)
Alert Data
79(1)
Statistical Data
80(1)
Putting NBE to Work
81(1)
A Standard Intrusion Scenario
82(2)
Using Full Content Data
84(1)
Using Session Data
85(1)
Using Alert Data
86(1)
Using Statistical Data
87(1)
Data Collection
88(5)
Accessing the Wire
88(3)
Collecting and Storing Traffic
91(1)
Full Content Data Tools
91(1)
Session Data Tools
92(1)
Alert Data Tools
93(1)
Statistical Data Tools
93(1)
Putting It All Together
93(2)
Analyzing Network-Based Evidence for a Windows Intrusion
95(34)
Statistical Data: First Trace
96(1)
Alert Data: First Trace
97(5)
Session Data: First Trace
102(4)
Full Content Data: First Trace
106(2)
Statistical Data: Second Trace
108(2)
Alert Data: Second Trace
110(4)
Session Data: Second Trace
114(2)
Full Content Data: Second Trace
116(11)
Putting It All Together
127(2)
Analyzing Network-Based Evidence for a Unix Intrusion
129(32)
Statistical Data
130(1)
Alert Data
131(4)
Session Data
135(5)
Full Content Data
140(19)
Putting It All Together
159(2)
Part III Acquiring a Forensic Duplication
161(44)
Before You Jump Right In. . .
163(8)
Preparing for a Forensic Duplication
163(3)
Document, Document, Document
166(5)
Commercial-Based Forensic Duplications
171(16)
The Read-Only IDE-to-Firewire Device
171(4)
Acquiring a Forensic Duplication with EnCase
175(6)
Acquiring a Forensic Duplication with FTK
181(6)
Noncommercial-Based Forensic Duplications
187(18)
DD
187(6)
Creating an Evidence File
188(4)
Creating an Evidence Hard Drive
192(1)
DD Rescue
193(2)
DCFLDD
195(2)
NED---The Open Source Network Evidence Duplicator
197(8)
Part IV Forensic Analysis Techniques
205(276)
Common Forensic Analysis Techniques
207(40)
Recovering Deleted Files
207(11)
Open Source Solutions
207(7)
Commercial Solutions
214(4)
Production of Time Stamps and Other Metadata for Files
218(7)
Open Source Solutions
218(3)
Commercial Solutions
221(4)
Removing Known Files
225(8)
Open Source Solutions
225(5)
Commercial Solutions
230(3)
File Signatures and Electronic Discovery
233(5)
Open Source Solutions
233(3)
Commercial Solutions
236(2)
String Searching and File Fragments
238(9)
Open Source Solutions
238(6)
Commercial Solutions
244(3)
Web Browsing Activity Reconstruction
247(26)
Commercial Forensic Tools
248(12)
Open Source Solutions
260(11)
Pasco---An Open Source Web Browsing Investigation Tool
260(8)
Galleta---An Open Source IE Cookie Investigation Tool
268(3)
Putting It All Together
271(2)
E-Mail Activity Reconstruction
273(18)
Commercial Forensic Tools
273(2)
Open Source Solutions
275(16)
Outlook Express
275(16)
Microsoft Windows Registry Reconstruction
291(10)
Identifying Installed Programs
292(4)
Identifying ``Most Recently Used'' Documents
296(5)
Forensic Tool Analysis: An Introduction to Using Linux for Analyzing Files of Unknown Origin
301(45)
Case Background
302(1)
A Hands-On Introduction to Forensic Tool Analysis: Hello World!
303(40)
Static Analysis of Hello
305(30)
Dynamic Analysis of Hello
335(8)
Putting It All Together
343(3)
Forensic Tool Analysis: A Hands-On Analysis of the Linux File aio
346(63)
Static Analysis of aio
346(7)
md5sum
346(1)
Is -al
346(1)
file
347(1)
strings
347(1)
Hexadecimal Viewer
348(1)
nm
349(1)
Idd
350(1)
readelf
350(2)
objdump
352(1)
Dynamic Analysis of aio
353(55)
System Call Trace (strace)
353(5)
GNU Debugger
358(6)
Recovering the Uncompressed aio Binary
364(10)
Recovery by Identifying the Packer That Was Used
374(3)
Static Analysis of the Recovered Uncompressed Binary
377(20)
Dynamic Analysis of the Recovered Uncompressed Binary
397(11)
md5sum
408(1)
Putting It All Together
408(1)
Forensic Tool Analysis: Analyzing Files of Unknown Origin (Windows)
409(72)
Case Background
409(1)
A Hands-On Introduction to Forensic Tool Analysis: Hello World!
410(34)
Static Analysis of hello.exe
415(23)
Dynamic Analysis of hello.exe
438(6)
Summary of hello.exe
444(1)
A Hands-On Forensic Tool Analysis: sak.exe
444(35)
Static Analysis of sak.exe
444(13)
Dynamic Analysis of sak.exe
457(22)
Putting It All Together
479(2)
Part V Creating a Complete Forensic Tool Kit
481(32)
Building the Ultimate Response CD
483(20)
Preparing the Windows Live Response Tools
483(9)
Preparing the Unix Live Response Tools
492(8)
Forensic Duplication Tools
500(3)
DCFLDD
501(1)
NED
502(1)
Making Your CD-ROM a Bootable Environment
503(10)
Knoppix---A Linux Distribution on a CD-ROM
503(1)
The Knoppix CD-Rom
504(9)
Part VI Mobile Device Forensics
513(82)
Forensic Duplication and Analysis of Personal Digital Assistants
515(56)
Case Background
515(2)
Forensic Acquisition Utilizing EnCase
517(14)
Initial Setup
518(4)
EnCase
522(9)
Forensic Acquisition Utilizing Paraben's PDA Seizure
531(9)
Forensic Acquisition Utilizing Palm Debugger
540(16)
Forensic Analysis of the Palm IIIc
556(3)
Forensic Analysis of the HP iPAQ Pocket PC 2003
559(4)
Forensic Analysis of the Palm m505
563(7)
Putting It All Together
570(1)
Forensic Duplication of USB and Compact Flash Memory Devices
571(6)
Duplicating USB Devices
571(4)
Duplicating Compact Flash Cards
575(2)
Forensic Analysis of USB and Compact Flash Memory Devices
577(18)
USB Memory Devices
577(11)
Open Source Solutions
578(7)
Commercial Solutions
585(3)
Compact Flash Cards
588(7)
Open Source Solutions
589(4)
Commercial Solutions
593(2)
Part VII Online-Based Forensics
595(30)
Tracing E-Mail
597(12)
Hotmail
597(3)
Yahoo!
600(1)
Netscape
601(2)
Other E-Mail Services
603(2)
Anonymous Remailers
605(4)
Domain Name Ownership
609(16)
Importing the TLD Zone Files into Postgres
610(6)
Translating FQDNs to IP Addresses
616(3)
Searching for Domains
619(1)
Searching for DNSs
620(5)
Appendix An Introduction to Perl
625(12)
Reading Input
625(3)
Matching Text
628(1)
Regular Expressions
629(3)
Formatting Output
632(2)
Processing Live IR Data Collected
634(1)
The Data Problem with Microsoft Excel
635(2)
Index 637

Excerpts

Preface Preface Our Purpose and Approach Welcome to the book namedReal Digital Forensics. When we conceived this book, we wanted to give forensic investigators more than words to learn new skills. Many people express to us in our classes and speaking engagements a simple sentence we have heard hundreds of times: "How do I get into the field of computer forensics?" In our opinion, you cannot learn forensics unless you have hands-on practical experience. This brings up a more important question we usually hear next: "How do I get my hands on data to gain that experience?" This question is much more difficult to answer because the only data most people have to practice with comes from real cases--and we all know that our clients do not want their data disseminated for learning tools! Therefore, it is difficult for most people to find data to practice with in order to sharpen their computer forensic skills. To answer this second question, we decided to publish this book with a DVD containing realistic evidence collected from several fictitious scenarios for the sole purpose of teaching the computer forensic tradecraft. Most of the scenarios you will find throughout this book are very similar to types of cases that we investigate every day. We used the same tools attackers use when establishing a foothold in your network, the same methods rogue employees make use of to steal your trade secrets, and the same media we typically collect when we created the evidence files found on the DVD. Although we attempted to thoroughly investigate each company name we used for our scenarios, we want to state thatnone of this data was collected from computers within companies with coincidentally similar names or IP addresses. The book begins by presenting methodologies used for the collection and analysis of computer forensic data. Then the book presents methods for compiling tool kits you can take with you to the scene of a computer-related crime. The book concludes by providing methodologies for deeper forensic analysis and solutions for when you run into other types of computer media such as USB memory and Palm devices. Although computer forensic software tends to be commercially dominated, which means you would have to pay a hefty licensing fee just to get your feet wet, we wholeheartedly believe in open source because of the documented methodologies and availability of the source code. Reproducibility and documentation of methodologies is the cornerstone of any forensic science. Therefore, you will find that most techniques we recommend utilize a freely available and publicly documented toolset. This will enable you to examine the evidence found on the DVD without having to purchase additional software. When we do talk about commercial software to help round out your knowledge base, we will point it out in the text so that you are fully aware. You will find that this book takes a practical, hands-on approach to solving problems that we frequently encounter when performing computer-related investigations. This book will not contain pages and pages about the theory of computer forensics. What it will contain are techniques you can employ immediately to solve your problems when performing an analysis. We hope you enjoy theReal Digital Forensicsexperience. The Prerequisites and Target Audiences Some of the techniques we discuss in this book are considered more advanced than common forensic knowledge. If you are just starting out in the computer forensic field, we suggest a basic understanding of computer forensics to more fully enjoy the content within this book. For an understanding of computer forensics that will help you work through the investigations throughout this book, we recommend you review the following publications: <

An electronic version of this book is available through VitalSource.

This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.

By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.

Digital License

You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.

More details can be found here.

A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.

Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.

Please view the compatibility matrix prior to purchase.