24_038624 bindex.qxp 4/4/06 10:57 PM Page 363

Index

A
Access Data's Forensic Toolkit, 9
active partition, 62
ActivePERL (ActiveState), 189
adapters as keystroke recorders, 155
Ad-aware Antispyware, 114
Address Book Recovery tool, 319–320
address books, 319–320, 323, 333–334
Address Resolution Protocol (ARP) spoofing, 158, 159
ADSs (alternate data streams), 76–78, 194
AIM (AOL Instant Messenger), 306–307
AIM password decoder (Digital Detectives), 309
AIM password recovery tool (ElcomSoft), 309
AirMagnet sniffer, 160–161
alternate data streams (ADSs), 76–78, 194
AnaDisk recovery software (NTI), 58
AnaDisk software (NTI), 41
Analog Web analyzer, 263, 270
anti-static bags, 21, 23
AOL Instant Messenger (AIM), 306–307
application logs, 110, 146, 250–251
ARP (Address Resolution Protocol) spoofing, 158, 159
arp -a command, 179
at command, 186
ATA hard disks, 52, 55
Autocomplete feature (IE), 132, 284
autoexec.bat file, 108, 115
Autoruns (SysInternals), 131, 136

B
backup tapes. See tapes
Bearshare clients, 297–299
best evidence rules, 26, 29
bitwise duplication. See forensic duplication
bitwise searching
    index-based searching versus, 211–212, 219–220
    overview, 217–219
    regular expressions for, 212–214
    search methodology and, 219–220
bookmarks (Firefox), 285–288
Bookmarks.htm file (IE), 276
Boot and Nuke utility (Darik), 67, 96
boot partition, 62
boot process, 60–61. See also startup
boot sector
    FAT32 file system, 68–69, 349–351
    NTFS file system, 78–81, 353–354
bootable CDs
    for hard disk duplication, 198, 199
    Helix forensics environment, 85, 96, 190, 199, 210
    Internet resources, 210
    with NTFS support, 85, 198
BOOT.INI file, 99, 108
browsers. See Firefox; Internet Explorer
BVG's Outlook Email Recovery tool, 338
bypassing NTFS permissions, 84–85

C
.cab compression, 87
cables
    for hard disk duplication, 197
    as keystroke recorders, 155
    labeling before disconnecting, 23
    power, removing at the PC, 23
    sniffer, 157, 164–165, 191
cache files (Web), 281–282, 289–290
California personal information disclosure law, 28, 29
cameras, covert, 144, 154–155
Camouflage steganography software, 235
Cantenna construction, 161, 189
Casey, Eoghan (Digital Evidence and Computer Crime), 8
CDFS (CD File System), 47
CDs. See also bootable CDs
    burning (case study), 125
    CD File System (CDFS) for, 47
    commercially pressed, 46
    common file types, 124
    direct duplication for, 203
    for hard disk duplication storage, 205–206
    lifespan issues for CD-Rs, 195
    rewritable, 46–47
    scratched, repairing, 47–48
    volatility of data, 141–142
    write-once, 46
CERT (Computer Emergency Response Team), 7, 9
certification, 6, 8
chain of custody, 25–26, 339–340
ChaosReader tool, 162–163, 189
cipher command, 92
CIRT (computer incident response team), 3, 6–7
clipboard, 168, 186
ClipSrv service, 186
clusters, 41, 66, 70–71
CMC (Computer Management console), 139, 145–150
cmd.exe versus command.com, 169
collection kit for evidence, 20–21
command line overt analysis
    command.com versus cmd.exe, 169
    GUI-based analysis versus, 166–167
    local, 169–170
    redirecting output to a file, 170
    remote, 170–173
command.com versus cmd.exe, 169
command-line scheduler, 186
compact command-line tool, 86–88
compression
    .cab, 87
    finding compressed files, 243–244
    for forensic duplication storage, 195, 200–201
    GNU gzip for, 200–201
    lossy algorithms for, 86
    NTFS, 85–88
Computer Emergency Response Team (CERT), 7, 9
computer forensic analysts, 2–3, 6, 8, 12
Computer Forensics (Kruse & Heiser), 8
computer incident response team (CIRT), 3, 6–7
Computer Management console (CMC), 139, 145–150
computer screens, 19–20, 167
config.sys file, 108, 115
Console Registry Tool (CRT), 118
Cookie Editor (ProXoft), 309
cookies, 283–285, 291–292
CookieView (Digital Detectives), 309
copying. See also forensic duplication
    ADSs and, 78, 194
    best evidence rules and, 26
    compression and, 87
    dumping memory contents, 187–189
    failings of, 193–194
    files from tapes, 44
    forensic duplication versus, 193
    full-screen captures, 167
    log files, 208–209
    volatile data quickly, 18
The Coroners Toolkit (TCT), 8
covert live system analysis. See also system state analysis
    defined, 139, 144
    Internet resources, 189–191
    major activities, 139
    monitoring user activities, 154–165
    non-digital means, 144
    risk of detection, 140, 144
    system state analysis, 144–154
CPU, volatility of data and, 141, 142
cross-site scripting attacks, 264–265, 270
CRT (Console Registry Tool), 118
CryptCat tool, 170, 190
Cygwin environment, 4, 9, 67

D
Darik's Boot and Nuke utility, 67, 96
DAT files (FastTrack clients), 301
data recovery agents (DRAs), 88–89, 90
data wiping, secure, 67, 205
dates and times
    FAT format for, 73
    forensic analysis and, 72
    mass deletions and, 231
    recording for overt analysis, 174
    regular expressions for, 212–213
DBB files (FastTrack), 301–302
dd program
    in barebones starter kit, 7
    as court tested, 26
    for data wiping, 67
    for dumping memory, 187–189
    for searching non-file content, 216
    for splitting drive image files, 200
    website for Windows version, 210
Decode tool, 72
defragmentation, 71
degradation
    of CDs and DVDs, 195
    of floppy disks, 41
    of tapes, 45
deletions. See also file recovery
    actions taken by, 225–226
    data wiping, 67, 205
    mass, within short period, 231
    meta-entries and, 231
    reconstructing MBR entry for partitions, 64–65
Device Manager, 147, 148
differential backup method, 45
Digital Detectives, 309
Digital Evidence and Computer Crime (Casey), 8
Digital Intelligence write blockers
    FireFly, 196, 210
    Ultrablock, 39, 58, 196, 210
directional antenna, wireless, 161, 189
disk cache, volatility of data in, 143
DiskExplorer (Runtime Software), 83
diskpart command, 63
displaying. See viewing or displaying
DLLs (Dynamic Link Libraries), 167
DNS, 178, 294
documentation for equipment, 20
documenting the crime scene
    chain of custody, 25–26, 339–340
    defined, 12
    forensic photography for, 19
    importance of, 18
    labeling cables, 23
    live system analysis and, 140
    written records, 18–19
Documents and Settings directory, 98, 99–102
DOSKEY command, 173–174
DRAs (data recovery agents), 88–89, 90
drive mapping, 150–151
DSL lines, 15
DSniff, 158, 190
dtSearch Desktop search tool, 215–217, 225, 244
dumping memory contents, 187–189
duplication. See copying; forensic duplication
DVDs
    commercially pressed, 46
    direct duplication for, 203
    drives required for analysts, 7
    for hard disk duplication storage, 205–206
    lifespan issues for DVD-R media, 195
    rewritable, 46–47
    scratched, repairing, 47–48
    UDF and UDF-Bridge file systems, 47
    volatility of data, 141–142
    write-once, 46
Dynamic Link Libraries (DLLs), 167
dynamic memory-based devices, 18

E
eDonkey2000 clients, 302
EEPROM, 48–49
EFS (Encrypting File System), 34, 88–92
ElcomSoft's AIM password recovery tool, 309
email investigations. See also specific clients
    email headers, 334–338
    gamut of violations, 311–312
    inappropriate usage, 312–314
    Internet resources, 338
    Lotus Notes, 326–334
    Outlook, 314, 321–324
    Outlook Express, 314–320
    overview, 138
    store-and-forward protocol for, 311
    tracking an email's source, 334–338
    Usenet and NNTP, 325–326
    Web-based mail clients, 312
EMC VMWare, 4, 9, 133, 135
EnCase (Guidance Software)
    for bitwise searching, 217
    for bypassing NTFS permissions, 85
    as court tested, 26
    covert monitoring and, 140
    described, 8
    disk wiping utility, 67
    for negative hash analysis, 225
    for non-Windows file systems, 63
    for positive hash analysis, 223
    regular expressions supported by, 214
    for remote acquisition and analysis, 202–203
    for remote triage (case study), 16
    slack space analysis tool, 52
    social engineering for installing, 201
    website, 9
Encrypting File System (EFS), 34, 88–92
encryption
    cleaning up after converting, 92
    CryptCat analysis tool for, 170
    data recovery agents (DRAs), 88–89
    EFS, 34, 88–92
    finding encrypted files, 243–244
    identifying encrypted files, 92
    public key, 88–89
    recovering information, 90–91
    of registry information, 132–133
    steganography versus, 232
    symmetric, 88–89
environment variables
    overview, 105–106
    %SYSTEMROOT%, 98, 102–104
Ethereal sniffer, 161–162, 190
Ethernet, 158, 197, 199–200
event logs. See also log files
    application logs, 110, 146, 250–251
    corrupt, repairing, 249
    Event Viewer for, 146, 247–248, 250
    exporting, 250
    filtering, 248, 250
    security logs, 110, 253–257
    sorting, 248
    system logs, 252–253
    for system state analysis, 146
Event Viewer, 146, 247–248, 250
evidence, digital
    chain of custody, 25–26, 339–340
    collection kit for, 20–21
    Federal Rules of Evidence, 26, 29
    forensics and, 1–2
    locations for, 11, 13
    processing the crime scene for, 12, 22–23, 25
    safeguarding for court, 3
    storage for, 27
    from tapes, 44
    write blocking media for, 39, 196
evidence, physical
    chain of custody, 25–26, 339–340
    collection kit for, 20
    items of interest, 20
    locked laptops and, 22
    processing the crime scene for, 12, 19–20, 22
EVT files. See event logs
ExchangeRecovery tool (Passware), 338
expand command, 87
exporting event logs, 250
extended partitions, 62

F
Fastbloc (Guidance Software), 39, 58
FastTrack clients, 301–302
FAT file system. See also FAT32 file system
    boot sector, 68
    cluster map, 70–71
    date format, 73
    defragmentation, 70–71
    FAT16, 32, 33
    FAT12, 41, 66, 70, 226–228
    file allocation table, 68, 69–70
    fragmentation, 70–71
    historical overview, 66, 68
    root directory entry, 71–72
    value for forensic examiner, 65
FAT32 file system.

[subentries whose parent heading falls outside the extracted pages]
    overview, 138
    for paging files, 241–243
    positive hash analysis, 223–224
    for print spool files, 236–239
    regular expressions for searches, 212–214