Investigating computer-related crime : a handbook for corporate investigators

  • File type: Book
  • Language: English
  • Author: Peter Stephenson
  • Publisher: Boca Raton, Fla. : CRC Press
  • Edition and year / country: 2000
  • ISBN: 9781420048872

Description

©2000 by CRC Press LLC

Section 1 — The Nature of Cyber Crime

Chapter 1: Cyber Crime as We Enter the Twenty-First Century
  • What Is Cyber Crime?
  • How Does Today’s Cyber Crime Differ from the Hacker Exploits of Yesterday?
  • The Reality of Information Warfare in the Corporate Environment
  • Industrial Espionage — Hackers for Hire
  • Public Law Enforcement’s Role in Cyber Crime Investigations
  • The Role of Private Cyber Crime Investigators and Security Consultants in Investigations
  • References

Chapter 2: The Potential Impacts of Cyber Crime
  • Data Thieves
  • How Data Thieves Avoid Detection During an Attack (Masking Logins; Masking Telnet)
  • How Data Thieves “Clean Up” After an Attack
  • Techniques for Detecting File Reads and Uploads
  • Misinformation
  • Denial of Service
  • Data Floods and Mail Bombs
  • Attacks from Inside the Organization
  • Attacks Which Require Access to the Computer
  • Chapter Review

Chapter 3: Rogue Code Attacks
  • Viruses, Trojan Horses, and Worms
  • Types of Viruses (File Infector; Resident Program Infector; Boot Sector Infector; Multi-Partite Virus; Dropper; Stealth Virus; Companion Virus; Polymorphic Virus; Mutation Engine)
  • Detection Methods (Pattern Scanners; Integrity Checkers; Behavior Blockers)
  • Trojan Horses
  • Worms
  • Logic Bombs
  • Modifying System Files
  • Responding to Rogue Code Attacks (Viruses; Trojan Horses and Logic Bombs)
  • Protection of Extended Mission-Critical Computer Systems
  • Post-Attack Inspection for Rogue Code
  • Summary
  • Reference

Chapter 4: Surgical Strikes and Shotgun Blasts
  • Denial of Service Attacks (Service Overloading; Message Flooding; Signal Grounding; Other Attacks)
  • Attacking from the Outside
  • Attacking from the Inside
  • Dumping Core
  • Symptoms of a Surgical Strike (Panics)
  • Other Surgical Attacks
  • Masquerading (User Masquerades; System Masquerades)
  • Spoofing (E-Mail; Web Site; IP Spoofing)
  • Case Study: The Case of the Cyber Surgeon
  • Symptoms of Shotgun Blasts
  • “Up Yours” — Mail Bombs
  • Flooding Attacks
  • Summary
  • References

Section 2 — Investigating Cyber Crime

Chapter 5: A Framework for Conducting an Investigation of a Computer Security Incident
  • Managing Intrusions
  • Why We Need an Investigative Framework
  • What Should an Investigative Framework Provide?
  • One Approach to Investigating Intrusions
  • Drawbacks for the Corporate Investigator
  • A Generalized Investigative Framework for Corporate Investigators (Eliminate the Obvious; Hypothesize the Attack; Reconstruct the Crime; Perform a Traceback to the Suspected Source Computer; Analyze the Source, Target, and Intermediate Computers; Collect Evidence, Including, Possibly, the Computers Themselves; Turn Your Findings and Evidentiary Material over to Corporate Investigators or Law Enforcement for Follow-Up)
  • Summary
  • References

Chapter 6: Look for the Hidden Flaw
  • The Human Aspects of Computer Crime and the FBI Adversarial Matrix (Crackers; Criminals; Vandals)
  • Motive, Means, and Opportunity
  • Evidence and Proof
  • Look for the Logical Error
  • Vanity
  • Summary
  • Reference

Chapter 7: Analyzing the Remnants of a Computer Security Incident
  • What We Mean by a Computer Security Incident
  • We Never Get the Call Soon Enough
  • Computer Forensic Analysis — Computer Crimes at the Computer
  • DOS Disks — A Brief Tutorial (Slack Space; Unallocated Space; Windows Swap Files and Web Browser Caches)
  • Processing Forensic Data — Part One: Collection (Collection Techniques)
  • Analysis Tools and Techniques (Chaining)
  • Unix and Other Non-DOS Computers
  • Cyber Forensic Analysis — Computer Crimes Involving Networks
  • Software Forensic Analysis — Who Wrote the Code?
  • The Limitations of System Logs
  • The Logs May Tell the Tale — But What If There Are No Logs?
  • Multiple Log Analysis
  • Summary
  • References

Chapter 8: Launching the Investigation
  • Launching the Investigation
  • Analyzing the Incident
  • Analyzing the Evidence and Preparing Your Presentation
  • Securing the Virtual Crime Scene (Clear Everyone away from the Computer Under Investigation; Examine for Communications Connections, Document All Connections, and Unplug Communications from the Computer; Pull the Plug)
  • Collecting and Preserving Evidence
  • Rules of Evidence
  • Interrogating and Interviewing Witnesses (Preparation and Strategy; The Interview; Establishing Credibility; Reducing Resistance; Obtaining the Admission; Developing the Admission; The Professional Close)
  • Developing and Testing an Intrusion Hypothesis
  • Investigating Alternative Explanations
  • You May Never Catch the Culprit
  • Damage Control and Containment
  • Summary
  • References

Chapter 9: Determining If a Crime Has Taken Place
  • Statistically, You Probably Don’t Have a Crime
  • Believe Your Indications
  • Using Tools to Verify That a Crime Has Occurred
  • Unix Crash Dump Analysis (Identifying the Unix Release and Hardware Architecture; The Message Buffer; Other Unix Utilities)
  • Recovering Data from Damaged Disks
  • Recovering Passwords (Physical Password Recovery; Password Cracking; By Inference)
  • Examining Logs — Special Tools Can Help
  • Investigating Non-Crime Abuses of Corporate Policy
  • Clues from Witness Interviews
  • Maintaining Crime Scene Integrity Until You Can Make a Determination
  • Case Study: The Case of the CAD/CAM Cad
  • Case Study: The Case of the Client/Server Tickle
  • Summary
  • Reference

Chapter 10: Handling the Crime in Progress
  • Intrusions — The Intruder Is Still Online
  • Direct Dial-In
  • Should You Trap, Shut Down, or Scare Off the Intruder?
  • Trap-and-Trace (Network Trap-and-Trace Techniques; Legal Issues in Trap-and-Trace)
  • Back Doors — How Intruders Get Back In
  • Back Doors in the Unix and NT Operating Systems (Password Cracking Back Door; Rhosts + + Back Door; Checksum and Timestamp Back Doors; Login Back Door; Telnetd Back Door; Services Back Door; Cronjob Back Door; Library Back Doors; Kernel Back Doors; File System Back Doors; Bootblock Back Doors; Process Hiding Back Doors; Rootkit; Network Traffic Back Doors; TCP Shell Back Doors; UDP Shell Back Doors; ICMP Shell Back Doors; Encrypted Link; Windows NT)
  • Stinging — Goat Files and Honey Pots
  • Summary
  • Reference

Chapter 11: “It Never Happened” — Cover-Ups Are Common
  • Case Study: The Case of the Innocent Intruder
  • The Importance of Well-Documented Evidence
  • Maintaining a Chain of Custody
  • Politically Incorrect — Understanding Why People Cover Up for a Cyber Crook (Before the Investigation; During the Investigation; After the Investigation)
  • When Cover-Ups Appear Legitimate
  • Summary

Chapter 12: Involving the Authorities
  • When to Involve Law Enforcement
  • Who Has Jurisdiction?
  • What Happens When You Involve Law Enforcement Agencies?
  • Making the Decision
  • Summary

Chapter 13: When an Investigation Can’t Continue
  • When and Why Should You Stop an Investigation?
  • Legal Liability and Fiduciary Duty
  • Political Issues (Before the Investigation Begins; During the Investigation; After the Investigation Is Completed)
  • Civil vs. Criminal Actions
  • Privacy Issues
  • Salvaging Some Benefit
  • Summary

Section 3 — Preparing for Cyber Crime

Chapter 14: Building a Corporate Cyber “SWAT Team”
  • Why Do Organizations Need a Cyber SWAT Team?
  • What Does a Cyber SWAT Team Do?
  • A Standard Practice Example
  • Who Belongs on a Cyber SWAT Team?
  • Training Investigative Teams
  • Summary

Chapter 15: Privacy and Computer Crime
  • The Importance of Formal Policies
  • Who Owns the E-Mail?
  • The Disk Belongs to the Organization, But What About the Data?
  • The “Privacy Act(s)” (The Computer Fraud and Abuse Act; Electronic Communications Privacy Act; The Privacy Protection Act; State and Local Laws; Wiretap Laws; Fourth Amendment to the U.S. Constitution)
  • Summary
  • Reference

Section 4 — Using the Forensic Utilities

Preface — How the Section Is Organized

Chapter 16: Preserving Evidence — Basic Concepts
  • Timely Evidence Collection and Chain of Custody
  • “Marking” Evidence with an MD5 Hash and Encryption — CRCMD5 and PGP (FileList; CRCMD5)
  • Sealing Evidence
  • Summary

Chapter 17: Collecting Evidence — First Steps
  • Using SafeBack 2.0 to Take an Image of a Fixed Disk
  • Taking a Hard Disk Inventory with FileList
  • Summary
  • Reference

Chapter 18: Searching for Hidden Information
  • The Intelligent Filter — Filter_I v. 4.1
  • IP Filter — v. 2.2
  • GetSlack and GetFree
  • TextSearch Plus v. 2.04
  • Using the Norton Utilities
  • Summary

Chapter 19: Handling Floppy Disks
  • AnaDisk v. 2.10LE
  • Copying Floppies to a Work Disk
  • Summary

Appendix A: Introduction to Denial of Service Attacks
  • Foreword
  • Introduction
  • What Is a Denial of Service Attack?
  • Why Would Someone Crash a System? (Introduction; Subcultural Status; To Gain Access; Revenge; Political Reasons; Economic Reasons; Nastiness)
  • Are Some Operating Systems More Secure?
  • What Happens When a Machine Crashes?
  • How Do I Know If a Host Is Dead?
  • Using Flooding — Which Protocol Is Most Effective?
  • Attacking from the Outside (Taking Advantage of Finger; UDP and SUNOS 4.1.3; Freezing Up X-Windows; Malicious Use of UDP Services; Attacking with Lynx Clients; Malicious Use of Telnet; ICMP Redirect Attacks; E-Mail Bombing and Spamming; Hostile Applets; Attacking Name Servers)
  • Attacking from the Inside (Malicious Use of Fork(); Creating Files That Are Hard to Remove; Directory Name Lookupcache)
  • How Do I Protect a System Against Denial of Service Attacks?
  • Basic Security Protection (Introduction; Security Patches; Port Scanning; Check the Outside Attacks Described in This Paper; Check the Inside Attacks Described in This Paper; Tools That Help You Check; Extra Security Systems)
  • Monitoring Security (Keeping Up to Date; Read Something Better)
  • Monitoring Performance (Introduction; Commands and Services; Programs; Accounting)
  • Some Basic Targets for an Attack, Explanations of Words, Concepts (Swap Space; Bandwidth; Kernel Tables; RAM; Disks; Caches; Inetd; Tmpfs; Loopback; NFS)
  • Suggested Reading — Information for Deeper Knowledge

Appendix B: Technical Report 540-96
  • Introduction
  • Spoofing Attacks
  • Security-Relevant Decisions
  • Context
  • TCP and DNS Spoofing
  • Web Spoofing
  • Consequences (Surveillance; Tampering)
  • Spoofing the Whole Web
  • How the Attack Works (URL Rewriting; Forms)
  • Starting the Attack
  • Completing the Illusion (The Status Line; The Location Line; Viewing the Document Source; Bookmarks)
  • Tracing the Attacker
  • Remedies (Short-Term Solution; Long-Term Solution)
  • Related Work
  • Acknowledgments
  • For More Information
  • References