24_038624 bindex.qxp 4/4/06 10:57 PM Page 363

Index

A

Access Data’s Forensic Toolkit, 9
active partition, 62
ActivePERL (ActiveState), 189
adapters as keystroke recorders, 155
Ad-aware Antispyware, 114
Address Book Recovery tool, 319–320
address books, 319–320, 323, 333–334
Address Resolution Protocol (ARP) spoofing, 158, 159
ADSs (alternate data streams), 76–78, 194
AIM (AOL Instant Messenger), 306–307
AIM password decoder (Digital Detectives), 309
AIM password recovery tool (ElcomSoft), 309
AirMagnet sniffer, 160–161
alternate data streams (ADSs), 76–78, 194
AnaDisk recovery software (NTI), 58
AnaDisk software (NTI), 41
Analog Web analyzer, 263, 270
anti-static bags, 21, 23
AOL Instant Messenger (AIM), 306–307
application logs, 110, 146, 250–251
ARP (Address Resolution Protocol) spoofing, 158, 159
arp -a command, 179
at command, 186
ATA hard disks, 52, 55
Autocomplete feature (IE), 132, 284
autoexec.bat file, 108, 115
Autoruns (SysInternals), 131, 136

B

backup tapes. See tapes
Bearshare clients, 297–299
best evidence rules, 26, 29
bitwise duplication. See forensic duplication
bitwise searching
  index-based searching versus, 211–212, 219–220
  overview, 217–219
  regular expressions for, 212–214
  search methodology and, 219–220
bookmarks (Firefox), 285–288



Bookmarks.htm file (IE), 276
Boot and Nuke utility (Darik), 67, 96
boot partition, 62
boot process, 60–61. See also startup
boot sector
  FAT32 , 68–69, 349–351
  NTFS file system, 78–81, 353–354
bootable CDs
  for hard disk duplication, 198, 199
  Helix forensics environment, 85, 96, 190, 199, 210
  Internet resources, 210
  with NTFS support, 85, 198
BOOT.INI file, 99, 108
browsers. See Firefox; Internet Explorer
BVG’s Outlook Email Recovery tool, 338
bypassing NTFS permissions, 84–85

C

.cab compression, 87
cables
  for hard disk duplication, 197
  as keystroke recorders, 155
  labeling before disconnecting, 23
  power, removing at the PC, 23
  sniffer, 157, 164–165, 191
cache files (Web), 281–282, 289–290
California personal information disclosure law, 28, 29
cameras, covert, 144, 154–155
Camouflage steganography software, 235
Cantenna construction, 161, 189
Casey, Eoghan (Digital Evidence and Computer Crime), 8
CDFS (CD File System), 47
CDs. See also bootable CDs
  burning (case study), 125
  CD File System (CDFS) for, 47
  commercially pressed, 46
  common file types, 124
  direct duplication for, 203
  for hard disk duplication storage, 205–206
  lifespan issues for CD-Rs, 195
  rewritable, 46–47
  scratched, repairing, 47–48
  volatility of data, 141–142
  write-once, 46
CERT (Computer Emergency Response Team), 7, 9
certification, 6, 8
chain of custody, 25–26, 339–340
ChaosReader tool, 162–163, 189
cipher command, 92
CIRT (computer incident response team), 3, 6–7
clipboard, 168, 186
ClipSrv service, 186
clusters, 41, 66, 70–71
CMC (Computer Management console), 139, 145–150
cmd.exe versus command.com, 169
collection kit for evidence, 20–21
command line overt analysis
  command.com versus cmd.exe, 169
  GUI-based analysis versus, 166–167
  local, 169–170
  redirecting output to a file, 170
  remote, 170–173
command.com versus cmd.exe, 169
command-line scheduler, 186
compact command-line tool, 86–88
compression
  .cab, 87
  finding compressed files, 243–244
  for forensic duplication storage, 195, 200–201
  GNU gzip for, 200–201


  lossy algorithms for, 86
  NTFS, 85–88
Computer Emergency Response Team (CERT), 7, 9
computer forensic analysts, 2–3, 6, 8, 12
Computer Forensics (Kruse & Heiser), 8
computer incident response team (CIRT), 3, 6–7
Computer Management console (CMC), 139, 145–150
computer screens, 19–20, 167
config.sys file, 108, 115
Console Registry Tool (CRT), 118
Cookie Editor (ProXoft), 309
cookies, 283–285, 291–292
CookieView (Digital Detectives), 309
copying. See also forensic duplication
  ADSs and, 78, 194
  best evidence rules and, 26
  compression and, 87
  dumping memory contents, 187–189
  failings of, 193–194
  files from tapes, 44
  forensic duplication versus, 193
  full-screen captures, 167
  log files, 208–209
  volatile data quickly, 18
The Coroners Toolkit (TCT), 8
covert live system analysis. See also system state analysis
  defined, 139, 144
  Internet resources, 189–191
  major activities, 139
  monitoring user activities, 154–165
  non-digital means, 144
  risk of detection, 140, 144
  system state analysis, 144–154
CPU, volatility of data and, 141, 142
cross-site scripting attacks, 264–265, 270
CRT (Console Registry Tool), 118
CryptCat tool, 170, 190
Cygwin environment, 4, 9, 67

D

Darik’s Boot and Nuke utility, 67, 96
DAT files (FastTrack clients), 301
data recovery agents (DRAs), 88–89, 90
data wiping, secure, 67, 205
dates and times
  FAT format for, 73
  forensic analysis and, 72
  mass deletions and, 231
  recording for overt analysis, 174
  regular expressions for, 212–213
DBB files (FastTrack), 301–302
dd program
  in barebones starter kit, 7
  as court tested, 26
  for data wiping, 67
  for dumping memory, 187–189
  for searching non-file content, 216
  for splitting drive image files, 200
  website for Windows version, 210
Decode tool, 72
, 71
degradation
  of CDs and DVDs, 195
  of floppy disks, 41
  of tapes, 45
deletions. See also file recovery
  actions taken by, 225–226
  data wiping, 67, 205
  mass, within short period, 231
  meta-entries and, 231
  reconstructing MBR entry for partitions, 64–65
, 147, 148

366 Index

differential backup method, 45
Digital Detectives, 309
Digital Evidence and Computer Crime (Casey), 8
Digital Intelligence write blockers
  FireFly, 196, 210
  Ultrablock, 39, 58, 196, 210
directional antenna, wireless, 161, 189
disk cache, volatility of data in, 143
DiskExplorer (Runtime Software), 83
diskpart command, 63
displaying. See viewing or displaying
DLLs (Dynamic Link Libraries), 167
DNS, 178, 294
documentation for equipment, 20
documenting the crime scene
  chain of custody, 25–26, 339–340
  defined, 12
  forensic photography for, 19
  importance of, 18
  labeling cables, 23
  live system analysis and, 140
  written records, 18–19
Documents and Settings directory, 98, 99–102
DOSKEY command, 173–174
DRAs (data recovery agents), 88–89, 90
drive mapping, 150–151
DSL lines, 15
DSniff, 158, 190
dtSearch Desktop search tool, 215–217, 225, 244
dumping memory contents, 187–189
duplication. See copying; forensic duplication
DVDs
  commercially pressed, 46
  direct duplication for, 203
  drives required for analysts, 7
  for hard disk duplication storage, 205–206
  lifespan issues for DVD-R media, 195
  rewritable, 46–47
  scratched, repairing, 47–48
  UDF and UDF-Bridge file systems, 47
  volatility of data, 141–142
  write-once, 46
Dynamic Link Libraries (DLLs), 167
dynamic memory-based devices, 18

E

eDonkey2000 clients, 302
EEPROM, 48–49
EFS (), 34, 88–92
ElcomSoft’s AIM password recovery tool, 309
email investigations. See also specific clients
  email headers, 334–338
  gamut of violations, 311–312
  inappropriate usage, 312–314
  Internet resources, 338
  Lotus Notes, 326–334
  Outlook, 314, 321–324
  , 314–320
  overview, 138
  store-and-forward protocol for, 311
  tracking an email’s source, 334–338
  Usenet and NNTP, 325–326
  Web-based clients, 312
EMC VMWare, 4, 9, 133, 135
EnCase (Guidance Software)
  for bitwise searching, 217
  for bypassing NTFS permissions, 85
  as court tested, 26


  covert monitoring and, 140
  described, 8
  disk wiping utility, 67
  for negative hash analysis, 225
  for non-Windows file systems, 63
  for positive hash analysis, 223
  regular expressions supported by, 214
  for remote acquisition and analysis, 202–203
  for remote triage (case study), 16
  slack space analysis tool, 52
  social engineering for installing, 201
  website, 9
Encrypting File System (EFS), 34, 88–92
encryption
  cleaning up after converting, 92
  CryptCat analysis tool for, 170
  data recovery agents (DRAs), 88–89
  EFS, 34, 88–92
  finding encrypted files, 243–244
  identifying encrypted files, 92
  public key, 88–89
  recovering information, 90–91
  of registry information, 132–133
  steganography versus, 232
  symmetric, 88–89
environment variables
  overview, 105–106
  %SYSTEMROOT%, 98, 102–104
Ethereal sniffer, 161–162, 190
Ethernet, 158, 197, 199–200
event logs. See also log files
  application logs, 110, 146, 250–251
  corrupt, repairing, 249
  Event Viewer for, 146, 247–248, 250
  exporting, 250
  filtering, 248, 250
  security logs, 110, 253–257
  sorting, 248
  system logs, 252–253
  for system state analysis, 146
, 146, 247–248, 250
evidence, digital
  chain of custody, 25–26, 339–340
  collection kit for, 20–21
  Federal Rules of Evidence, 26, 29
  forensics and, 1–2
  locations for, 11, 13
  processing the crime scene for, 12, 22–23, 25
  safeguarding for court, 3
  storage for, 27
  from tapes, 44
  write blocking media for, 39, 196
evidence, physical
  chain of custody, 25–26, 339–340
  collection kit for, 20
  items of interest, 20
  locked laptops and, 22
  processing the crime scene for, 12, 19–20, 22
EVT files. See event logs
ExchangeRecovery tool (Passware), 338
expand command, 87
exporting event logs, 250
extended partitions, 62

F

Fastbloc (Guidance Software), 39, 58
FastTrack clients, 301–302
FAT file system. See also FAT32 file system
  boot sector, 68
  cluster map, 70–71
  date format, 73
  defragmentation, 70–71
  FAT16, 32, 33
  FAT12, 41, 66, 70, 226–228

368 Index

FAT file system (continued)
  , 68, 69–70
  fragmentation, 70–71
  historical overview, 66, 68
  root directory entry, 71–72
  value for forensic examiner, 65
FAT32 file system. See also FAT file system
  boot sector, 68–69, 349–351
  root directory entry, 71–72
  Windows versions using, 35
Favorites, 274–276, 285–288
FBI’s Infragard program, 6, 8, 9, 28
fdisk command, 63
Federal Rules of Evidence, 26, 29
file allocation table, 68, 69–70. See also FAT file system
file permissions (NTFS), 81–82, 84–85
file recovery
  actions taken by deletion, 225–226
  floppy disk example, 226–228
  fragmentation and, 231–232
  meta-entries and, 231
  NTFS file system example, 228–230
  overwriting of data space and, 232
  print spool files, 236–238
  Recycle Bin and, 225, 230–231
file system analysis
  bitwise searching, 211–212, 217–219
  file recovery, 225–232
  finding compressed or encrypted files, 243–244
  hash algorithm security, 221–223
  hash operations overview, 220–221
  index-based searching, 211–212, 214–217
  index-based versus bitwise searching, 211–212, 219–220
  Internet resources, 244–245
  negative hash analysis, 224–225
  overview, 138
  for paging files, 241–243
  positive hash analysis, 223–224
  for print spool files, 236–239
  regular expressions for searches, 212–214
  search methodology, 219–220
  steganography, 232–235
  for Windows shortcuts, 239–241
file systems. See also FAT file system; file system analysis; specific file systems
  CDFS, 47
  compatibility (table), 65
  creation by formatting, 65–66
  EFS, 34, 88–92
  HPFS, 75
  Internet resources, 96
  MBR File System Type field, 63
  non-Windows, analyzing, 63
  NTFS, 34, 75–92, 228–230
  UDF, 47
  UDF-Bridge, 47
  VFAT, 68, 73–75
FileMon (SysInternals), 136
files. See also specific kinds
  autostart file locations, 130–131
  common types for CDs, 124
  format details, 231, 244
  listing all on system, 176–177
  NTFS metafiles, 355–356
  pagefile, 25, 109, 114, 241–243
  print spool files, 236–239, 245
  registry file locations, 119–121
  volatility of data, 144
  , 113
  Windows NT/2000/XP, 107–110
  Windows shortcuts, 239–241, 245
filtering event logs, 248, 250
Findstr tool, 214
fingerprints, 19–20


FIRE (Forensic Incident Response Environment), 85, 96
FireFly (Digital Intelligence), 196, 210
Firefox
  bookmarks, 285–288
  cache, 289–290
  cookies, 291–292
  downloads, 293
  file-based configurations, 285
  history folder, 288–289
  market share of, 272
  passwords, 292–293
  website, 309
firewalls, 251, 257–259
FireWire (IEEE 1394) hard disks, 56
fixing. See repairing
flash drives (USB), 48–51, 170, 203
floppy disks
  direct duplication for, 203
  file recovery, 226–228
  hard disks versus, 51–52
  overview, 38, 40–41
  repairing damaged disks, 42–43
  write blocking, 39
Forensic Computers website, 29
forensic duplication. See also copying; hard disk duplication
  best evidence rules and, 26
  copying files versus, 193
  failings of standard techniques, 193–194
  full forensic duplicates, 26
  hard disk duplication, 194–208
  imaging logical drives versus, 193
  Internet resources, 210
  log file duplication, 208–209
  overview, 138
Forensic Incident Response Environment (FIRE), 85, 96
forensic photography, 19
Forensic Toolkit (Access Data), 9
forensics, defined, 1
formatting partitions, 65–66
Foundstone
  fport tool, 181, 190
  IE Activity File Analysis, 309
  Pasco, 277–278, 281, 309
  Rifuiti Recycle Bin tool, 245
fport tool (Foundstone), 181, 190
fragmentation, 70–71, 219, 231–232
FreeUndelete tool, 230, 244
fsum command line tool, 224, 244
FTP
  hacker (case study), 93–95
  logs, 266–267
  packet capture, 162, 164
full backup method, 45
full-screen captures, 167

G

Garfinkel (“A Remembrance of Data Passed”), 67
GetSlack tool (NTI), 52, 58
GNU gzip program, 200–201
Gnutella-based clients, 296–300
gold-build hash set, 224–225
Google Desktop, 214–215, 240–241, 244
GUI-based overt analysis, 166–168
Guidance Software. See also EnCase
  certification program, 8
  Fastbloc write blocker, 39, 58
  website, 9
  Windows-based forensic suite, 4

H

hard disk duplication
  boot disk needed for, 198, 199
  boot process, 199
  compression for storage, 195, 200–201

370 Index

hard disk duplication (continued)
  direct, 203–206
  EnCase Enterprise for, 202–203
  Ethernet for, 197, 199–200
  hard disk storage for, 205
  information not copied, 195
  in-situ, 197–201
  local versus remote, 195, 197
  magnetic tape storage for, 204
  mass acquisition, 207–208
  multi-tiered storage for, 206
  optical disk storage for, 205–206
  parallel cable for, 197
  reasons for, 194–195
  serial cable for, 197
  splitting drive image files, 200
  USB for, 198
  wireless networks for, 198
  write blocking and, 196
hard disks. See also file systems; partitions
  ATA drives, 52, 55
  data wiping, 67, 205
  FireWire drives, 56
  floppy disks versus, 51–52
  formatting, 65–66
  for hard disk duplication storage, 204, 206
  JBOD arrays, 57
  mapping, 150–151
  overview, 51–52
  password protection, 53–54
  as primary non-removable media, 38
  RAID arrays, 56–57
  repairing, 56
  SCSI drives, 52, 54
  sectors, 52, 195
  slack space on, 52, 194, 216, 217
  unallocated space on, 59, 63–65, 143, 216, 217
  USB drives, 55–56, 170
  USB flash drives versus, 49
  write blocking, 39, 196
hash analysis
  algorithm security, 221–223
  collisions, 221
  negative, 224–225
  overview, 220–221
  positive, 223–224
Heiser (Computer Forensics), 8
Helix bootable forensics environment, 85, 96, 190, 199, 210
hex editor. See WinHex hex editor (X-Ways Trace)
hiberfil.sys file, 109, 242
High Performance File System (HPFS), 75
High Technology Crime Investigation Association (HTCIA), 6, 8, 9
history folders, 277–281, 288–289
HKCR (HKEY_CLASSES_ROOT) hive, 116, 120, 122
HKCU (HKEY_CURRENT_USER) hive
  folder locations, 126
  general keys for analysis, 122–123
  IE folder locations in, 272
  Intelliforms information in, 132–133
  locations for, 119, 120
  MRU keys, 126–128
  overview, 116
  startup item keys, 129
HKEY_CURRENT_CONFIG hive, 110, 116, 120
HKEY_DYN_DATA hive, 117
HKEY_USERS hive, 109, 116
HKLM (HKEY_LOCAL_MACHINE) hive
  file locations, 109
  folder locations, 126


  general keys for analysis, 123–124
  locations for, 120
  overview, 116
  startup item keys, 129–130
Hosts file, 107–108, 110, 113, 276
HPFS (High Performance File System), 75
HTCIA (High Technology Crime Investigation Association), 6, 8, 9
HTTP logs
  cross-site scripting attacks and, 264–265
  HTTP response codes, 261–262
  in HTTPERR directory, 266
  key fields of interest, 260–261
  location of, 260
  phishing case study, 267–268
  sample, 262
  SQL Injection attacks and, 264–265
  summary analysis reports, 263
HTTPERR directory, 266
hub, for covert monitoring, 157–158

I

identifying the crime scene, 12–14
IEEE (Institute of Electrical and Electronic Engineers), 15, 56
IFS (Installable File System) modules, 63
IM (Instant Messaging)
  AOL Instant Messenger, 306–307
  Bearshare clients, 298–299
  Internet resources, 309
  Messenger, 307–308
  overview, 305
imaging logical drives, 193
incremental backup method, 45
index-based searching
  bitwise searching versus, 211–212, 219–220
  overview, 214–217
  regular expressions for, 212–214
  search methodology and, 219–220
index.dat file
  activity records, 279–280
  described, 108
  History folders, 278–281
  Temporary Internet Files folders, 281–282
  for Web activity analysis, 278–282
, 148–150, 190
Inetpub directory, 98, 102
Infragard program (FBI), 6, 8, 9, 28
in-line tap, 157
Installable File System (IFS) modules, 63
Instant Messaging. See IM
Institute of Electrical and Electronic Engineers (IEEE), 15, 56
Intelliforms (IE), 132–133, 284
Internet Acceptable Usage policy, 273, 309
  Autocomplete feature, 132, 284
  cache, 281–282
  cookies, 283–285
  Favorites folder, 274–276
  folders showing Web activity, 272
  History folders, 277–281
  Intelliforms, 132–133, 284
  market share of, 272
Internet logs. See also HTTP logs
  FTP logs, 266–267
  phishing case study, 267–268
  SMTP logs, 268–270
  Windows XP firewall logs, 257–259
Internet resources
  bootable CDs with NTFS support, 85
  CryptCat tool, 170, 190
  Decode tool, 72
  for email investigations, 338

372 Index

Internet resources (continued)
  file format details, 231, 244
  for file system analysis, 244–245
  for file system information, 96
  for forensic duplication, 210
  general Windows forensics, 9
  historical sites, 275
  for Internet usage analysis, 309
  for live system analysis, 189–191
  for log file analysis, 270
  for media analysis, recovery, and repair, 58
  Microsoft SID reference, 114
  NTFSDOS Professional driver, 85, 210
  for processing the digital crime scene, 29
  registry-related, 136
  sid2user tool, 114
  user2sid tool, 114
  Windows history, 58
  Windows penetration in U.S., 4
Internet usage analysis. See also specific browsers
  additional resources, 309
  DNS logs, 294
  Firefox, 285–293
  Instant Messaging (IM), 305–308
  Internet Acceptable Usage policy, 273, 309
  Internet Explorer, 272–285
  network logs, 294
  overview, 138
  peer-to-peer networking, 294–305
  proxy logs, 294
  uses for, 271
  Web toolbar history, 293
IP addresses, 178, 179, 261
IP routing, network attacks and, 178
ipconfig command, 178
IrfanView image viewer, 239, 245
ISO 9660 standard, 47, 58

J

JBOD (Just a Bunch of Disks) arrays, 57
JP Hide ’n Seek software, 232, 235, 245
JSteg steganography software, 235

K

Kazaa field descriptions, 309
KaZALyser P2P Analyzer, 309
keyboards, 19, 155
KeyGhost keystroke loggers, 190
keystroke recording, 139, 155–156, 191
Kroll OnTrack
  clean room lab, 56, 58
  PowerControls Exchange Recovery, 338
Kruse (Computer Forensics), 8

L

laptops
  in collection kit for evidence, 21
  hiberfil.sys file, 109, 242
  locked, 20, 22
  requirements for analysts, 7
  unplugging, 23
law enforcement agents, 2, 28–29
legal issues
  best evidence rules, 26
  CIRT team rights, 3
  for forensic duplicates, 26
  Internet resources for, 29
  Nikon France v. Frederic Onos, 3
  for remote research, 17
  reporting IT security incidents, 28
  safeguarding evidence, 3
  security flaws, 31, 36–37
  United States v. Sanchez, 281
Limeware clients, 299–300


live system analysis
  alteration by, 140–141
  basic information gathering, 173–177
  covert monitoring of users, 154–165
  covert, overview, 139–140
  documenting, 140
  GUI-based (overt), 166–168
  Internet resources, 189–191
  keys to success, 140–141
  from local command line, 169–170
  main memory analysis, 186–189
  order of volatility, 141–144
  overt, overview, 140
  powering down versus, 23–24
  providing your own tools for, 141
  of registry, 121
  remote (overt), 170–173
  remote acquisition, 139
  running program information, 182–186
  system state analysis, 144–154, 177–182
LMHOSTS file, 110, 113
LNK files, 239–241, 245
locked laptops, 20, 22
log files. See also specific kinds
  for computer usage information, 178
  cross-site scripting attacks and, 264–265
  DNS logs, 294
  enabling logging of commands, 173
  event logs, 110, 247–257
  FTP logs, 266–267
  HTTP logs, 260–263, 266
  Internet logs, 257–270
  Internet resources, 270
  Lotus Notes, 331
  network logs, 294
  proxy logs, 294
  SMTP logs, 268–270
  SQL Injection attacks and, 264–265
  Web activity and, 294
  Windows XP firewall logs, 257–259
Logicube SF-5000 Disk Duplicator, 196, 210
Lotus Notes
  access control, 330–331
  accidental disclosure, 328–329
  acquisition, 329–330
  authentication, 326–327
  folders, 332
  forensic analysis, 331–333
  logging, 331
  personal address book, 333–334
  replicating a database, 329–330
  searching in, 332–333
  views, 332

M

MAC addresses
  finding for devices on subnet, 179
  information contained in, 15
  ipconfig command for, 178
  nbmac for querying, 14, 16
  website for organizations, 29
Magnetic Media’s Secure Deletion, 96
magnetic tape. See tapes
main memory analysis, 186–189
malicious code
  altered HOSTS file and, 107
  anti-spyware tools, 114
  confirming/refuting virus infection, 250–251
  repairing MBR infection, 63–64
  rootkit infections, 167
  run as services, 184
  startup items and, 129
Maresware hash library, 223, 245
master file table. See MFT

374 Index

MBR (master boot record)
  boot process and, 60
  defined, 59
  File System Type field, 63
  layout, 341
  location of, 59
  partition definition in, 61, 62
  reconstructing entry for deleted partition, 64–65
  repairing, 63–64
  viewing, 62
  virtual, for extended partitions, 62
MCSE (Microsoft Certified Software Engineer), 137
MD5 hash algorithms, 221, 223, 224
memory (RAM), 142, 186–189
metadata, file copying and, 194
metafiles (NTFS), 355–356
MFT (master file table)
  described, 78
  file recovery and, 228–229
  $File_Name attribute, 82–83
  inodes, 79
  key inode attributes, 79–80
  NTFS file permissions, 83
  $Standard_Information attribute, 80–81, 83
  viewing information, 83
Microsoft. See also Windows; specific Windows versions
  indexing service query language reference, 190
  MCSE, 137
  Messenger, 307–308
  , 63–64
  SID reference, 114
  Strider Ghostbuster tool, 167, 191
  Tape Format (MTF), 44, 58
  Virtual PC, 4, 9, 133, 135
  Word voice recognition, 5–6
monitoring user activities
  CMC for, 154
  consent by users for, 154
  keystroke recording, 139, 155–156
  network monitoring, 156–165
  physical mechanisms for, 154–155
  uses for, 154
mouse activity monitoring, 139
MSConfig utility, 99
MS-DOS, 32
MTF (Microsoft Tape Format), 44, 58

N

National Software Reference Library (NSRL), 223, 224, 235, 245
nbmac program, 14, 16, 29
nbtstat command, 180–181
negative hash analysis, 224–225
net command, 182
Net Optics fiber taps, 190
Net Use command, 150–151
NetAnalysis tool, 277, 281, 283–284, 309
NetBIOS connections, 179–181
NetCat tool, 7, 170–173, 190, 210
netstat command, 179–180
Network Associates’ Sniffer Wireless, 160–161
network connections
  current, determining, 179–181
  nontraceable, for remote research, 15
  photographing, 19
  programs listening for, 181–182
  securing the crime scene and, 18
Network Email Examiner (Paraben), 338
Network General Sniffer software, 161, 190
network logs, Web activity and, 294


Network News Transfer Protocol (NNTP), 325–326
network-based covert monitoring
  ARP spoofing for, 158, 159
  Ethereal sniffer for, 161–162, 190
  FTP packet capture, 162, 164
  full-packet capture, 159, 162
  header capture, 159, 162
  hub and sniffer cable for, 157–158
  in-line tap for, 157
  overview, 138, 139
  promiscuous mode for, 158
  reconstructing network traffic, 162–163
  sniffer cable construction, 164–165
  SPAN ports for, 158
  for wireless networks, 160–161
NewTechInfosystems. See NTI
NIST, 7, 9
*nix environment, 3–4
*nix utilities, 4, 7, 245
nmap tool, 151–152, 190
NNTP (Network News Transfer Protocol), 325–326
Nortek password recovery, 58
Norton Ghost, 193, 210
NSRL (National Software Reference Library), 223, 224, 235, 245
NTFS (NT File System)
  ADSs, 76–78, 194
  boot sector, 78–81, 353–354
  compression, 85–88
  directories, 84
  encryption with EFS, 88–92
  file recovery, 228–230
  $File_Name attribute, 82–83
  historical overview, 75
  introduction of, 34
  metafiles (table), 355–356
  MFT, 78–83, 228–229
  permissions (table), 81–82
  permissions, bypassing, 84–85
  reparse points, 84
  sparse files, 84
  value for forensic examiner, 65
NTFSDOS Professional driver (SysInternals), 85, 96, 210
NTI (NewTechInfosystems)
  AnaDisk software, 41, 58
  GetSlack tool, 52, 58
  SafeBack, 9, 26, 85
  website, 9
  Windows-based forensic suite, 4, 8
NTLDR, 60–61
NULL Session connection, 152, 153

O

Onestat, 4
optical media. See CDs; DVDs
order of volatility, 141–144
Outlook
  access control, 322
  acquisition, 321–322
  , 323
  Contacts functionality, 323
  displaying message headers, 324
  folders, 322
  forensic analysis, 322–324
  Journal feature, 323–324
  overview, 321
  searching PST files, 324
  viewing PST files, 321–322
Outlook Email Recovery tool (BVG), 338
Outlook Express
  acquisition, 315–316
  address book, 319–320
  Contact Manager, 319
  displaying message headers, 317–318
  folders, 314, 317
  forensic analysis, 317–320

376 Index

Outlook Express (continued)
  MDX files, 315
  searching messages, 318–319
  viewing DBX files, 315–316
Outlook Express Viewer, 338
Outlook Password Recovery (Passware), 338
Overnet clients, 302–305
overt live system analysis
  basic information gathering, 173–177
  defined, 140, 166
  GUI-based, 166–168
  Internet resources, 189–191
  listing all files on system, 176–177
  from local command line, 169–170
  main memory analysis, 186–189
  overview, 166
  from remote command line, 170–173
  running programs and, 182–186
  system state analysis, 177–182
  tasks, 140
  unlocked system needed for, 166

P

pagefile, 25, 109, 114, 241–243
Paraben’s Network Email Examiner, 338
partitions
  active or boot, 62
  command-line tools for, 63
  defined, 59
  deleted, reconstructing MBR entry for, 64–65
  extended, 62
  formatting, 65–66
  MBR for, 59, 61–65
  repairing partition tables, 64
  system, 62
  types, 343–347
  unallocated space, 59, 63–65, 143
Pasco (Foundstone), 277–278, 281, 309
Passware, 338
password protection
  Firefox, 292–293
  of hard disks, 53–54
  Outlook, 322
  password recovery, 58, 338
  of USB flash drives, 50–51
PDBlock write blocker, 196, 210
peer-to-peer networking forensics
  Bearshare clients, 297–299
  caution regarding user intent, 296
  eDonkey2000 clients, 302
  FastTrack clients, 301–302
  Gnutella-based clients, 296–300
  Internet resources, 309
  Limeware clients, 299–300
  new clients, 294–295
  Overnet clients, 302–305
  primary goals, 294
phishing (case study), 267–268
physical imaging. See forensic duplication
pinging with arp -a, 179
PMDump tool, 187, 190
policy for investigations, 6–7
port scanning, 152, 153
positive hash analysis, 223–224
POSIX (Portable Interface), 75
Post-it notes, 20
PowerControls Exchange Recovery (Kroll OnTrack), 338
powering down equipment, 18, 23–25
Power-On Self Test (POST), 60
print spool files, 236–239, 245
PRN files, 236
procedures for investigations, 7


processing the digital crime scene
  additional resources, 29
  basic steps, 11–12
  chain of custody, 25–26, 339–340
  collection kit for evidence, 20–21
  crime scene, defined, 11
  for digital evidence, 12, 22–23, 25
  documenting the scene, 12, 18–19
  identifying the scene, 12–14
  law enforcement and, 28–29
  locations for evidence, 11, 13
  for physical evidence, 12, 19–20, 22
  remote research, 12, 15–17
  securing the scene, 12, 17–18, 25
  storing evidence, 27
profiles for Windows accounts, 104
Program Files directory, 98
promiscuous modes, 158, 160
ProXoft Cookie Editor, 309
proxy logs, Web activity and, 294
PsExec (SysInternals), 202, 210
PsGetSID tool (SysInternals), 176, 190
PsInfo tool (SysInternals), 174–176, 190
PsList tool (SysInternals), 183–184, 187, 190
PsLoggedOn command (SysInternals), 177, 190
PsService program (SysInternals), 184–186, 190
public key encryption, 88–89
PuTTY SSH client, 265, 270
PuTTY Telnet client, 171, 172, 191

R

RAM, 142, 186–189
Recycle Bin, 225, 230–231
Recycler directory, 98
Redundant Array of Inexpensive Disks (RAID), 56–57, 206
Regedit32 program, 117
registry
  basics, 116–119
  CD burning (case study), 125
  directories for, 109–110, 113
  dynamic analysis, 133, 135
  evidence of flash drive use in, 49
  file locations, 119–121
  folder locations, 125–126
  general keys for analysis, 122–124
  historical overview, 115–116
  IE folder locations in, 272
  importance of understanding, 116
  Intelliforms information, 132–133
  Internet resources, 136
  live system analysis, 121
  MRU keys, 126–128
  offline analysis, 122
  root hives, 116
  shutdown setting for pagefile, 25
  startup item keys, 128–130
  static analysis, 133–134
  tools for, 117–119
Registry Editor, 117
Registry Viewer, 117, 136
RegMon (SysInternals), 118–119, 121, 135, 136
RegShot tool, 133, 134, 136
regular expressions, 212–214
“A Remembrance of Data Passed” (Garfinkel and Shelat), 67
remote command line overt analysis
  pulling from a workstation, 170–171
  pushing to a workstation, 170, 171–173
remote enumeration
  Net Use command for, 150–151
  when privileges are not available, 151–154

378 Index

remote research
  acquiring the remote equipment after, 17
  command line overt analysis, 170–173
  defined, 15
  described, 12
  enumeration, 150–154
  invasive techniques, 15–16
  legal issues, 17
  nontraceable connections for, 15
  operating system detection, 29
  overview, 15–16
  remote corruption case study, 16
  technical savvy of suspect and, 15
  when privileges are not available, 151–154
removable media. See also specific kinds
  defined, 38
  direct duplication for, 203
  as evidence, 20
  transporting in a vehicle, 25
  write blocking, 39
repairing. See also file recovery
  CDs and DVDs, 47–48
  event logs, 249
  floppy disks, 42–43
  hard disks, 56
  MBR, 63–64
  partition tables, 64
  tapes, 45–46
reparse points (NTFS), 84
reverse lookup of SIDs, 110–112
Rifuiti Recycle Bin tool (Foundstone), 245
roaming profiles, 104
root directory, FAT entry for, 71–72
rootkit infections, 167
routers, unauthorized (case study), 14
running programs
  interactive, services versus, 182–183
  listing processes, 183–184
  as services, listing, 184–186
Runtime Software’s DiskExplorer, 83

S

SafeBack (NTI), 9, 26, 85
SANS, 8, 9
Sarbanes-Oxley Act, 28, 29
.sav files, 120
SCSI (Small Computer Systems Interface), 52, 54
searching
  for ADSs, 78
  bitwise, 217–219
  for compressed or encrypted files, 243–244
  index-based, 214–217
  index-based versus bitwise, 211–212, 219–220
  in Lotus Notes, 332–333
  methodology for, 219–220
  negative hash analysis, 224–225
  Outlook Express messages, 318–319
  Outlook PST files, 324
  positive hash analysis, 223–224
  regular expressions for, 212–214
sector copying. See forensic duplication
sectors (hard disk), 52, 195. See also boot sector
Secure Deletion (Magnetic Media), 96
securing the crime scene, 12, 17–18
Security Event log, 110, 146
security logs, 110, 253–257


services
  identifying remotely, 152, 153
  interactive programs versus, 182–183
  listing programs running as, 184–186
set command, 105
SF-5000 Disk Duplicator (Logicube), 196, 210
SHA hash algorithms, 221, 223, 224
sharing (peer-to-peer), 298, 300, 305
SHD files, 236–238, 245
Shelat (“A Remembrance of Data Passed”), 67
shortcut files, 239–241
shutdown, 23–25
SIDs (Security Identifiers)
  Microsoft reference for, 114
  overview, 110
  PsGetSID tool for, 176, 190
  reverse lookup, 110–112
  well-known SIDs (table), 357–362
sid2user tool, 111–112, 114
slack space
  analyzing with GetSlack, 52
  forensic duplication versus standard file copy and, 194
  searching, 216, 217
Slammer worm analysis site, 58
Small Computer Systems Interface (SCSI), 52, 54
SMTP
  email tracking and, 334–338
  logs, 268–270
sniffer cable, 157, 164–165, 191
Sniffer Wireless (Network Associates), 160–161
sniffing
  ARP spoofing for, 158
  Ethernet networks, 161–162
  hub and sniffer cable for, 157–158
  in-line tap for, 157
  Internet resources, 190, 191
  promiscuous modes for, 158, 160
  reconstructing network traffic, 162–163
  sniffer cable construction, 164–165
  SPAN port for, 158
  wireless networks, 160–161
SODDI (Some Other Dude Did It) defense, 36–37
sorting event logs, 248
SourceForge, 96
SPAN (Switch Port Analyzer) ports, 158
sparse files (NTFS), 84
Spector Pro keystroke logger, 156, 191
SPL files, 236, 238, 245
SpyBot Search and Destroy, 114
spyware. See malicious code
SQL Injection attacks, 264–265
startup. See also bootable CDs
  accessing startup information, 99
  autostart file locations, 130–131
  boot process, 60–61
  for hard disk duplication, 199
  startup item registry keys, 128–130
steganography, 232–235
StegDetect tool, 235, 245
Stego Suite (Wetstone), 235, 244
store-and-forward protocol, 311
storing evidence
  anti-static bags for, 21, 23
  chain of custody, 25–26, 339–340
  command line output, 170
  data wiping for analysis disk, 67
  determining what to store, 27
  storage space for, 27
Streams ADS viewer (SysInternals), 96
Strider Ghostbuster rootkit detection tool (Microsoft), 167, 191
Switch Port Analyzer (SPAN) ports, 158
symmetric encryption, 88–89
SysInternals
  Autoruns autostart viewer, 131, 136
  FileMon file monitor, 136
  NTFSDOS Professional driver, 85, 96, 210
  PsExec, 202, 210
  PsGetSID tool, 176, 190
  PsInfo tool, 174–176, 190
  PsList tool, 183–184, 187, 190
  PsLoggedOn command, 177, 190
  PsService program, 184–186, 190
  RegMon, 118–119, 121, 135, 136
  Streams ADS viewer, 96
  support tools, 4
  website, 9
System Event log, 146
system logs, 252–253
system partition, 62
system state analysis
  CMC for, 145–150
  covert, 144–154
  current network configuration, 178–179
  current network connections, 179–181
  current users, 177
  overt, 177–182
  programs listening for network connections, 181–182
  remote enumeration, 150–154
system.alt file, 120
SYSTEM.INI file, 99, 110
%SYSTEMROOT% directory
  autostart file locations, 130–131
  as core Windows directory, 98
  HTTPERR subdirectory, 266
  key subdirectories (Windows NT/2000/2003/XP), 102–104
  registry file locations, 120–121
  Windows 9x, 113

T

tape backup units, 7, 44
tapes
  backup strategies, 43, 45
  capacities, 44
  copying evidence from, 44
  degradation of, 45
  files missing from backups, 43
  for hard disk duplication storage, 204, 206
  hardware for, 44
  off-site storage for, 43
  overview, 43
  repairing, 45–46
  software for, 44
  volatility of data, 141–142
  write blocking, 39
TCP/IP statistics, 179–180
TCT (The Coroners Toolkit), 8
TeleData's Universal Network Boot Disk, 210
Telnet, 171–173
temporary files
  Temp directory for, 98
  Temporary Internet Files, 281–282
  volatility of data, 143
386SPART.PAR file, 33
thumbs.db file, 108
times. See dates and times
toolbars, Web, 293

U

UDF () file system, 47
UDF-Bridge file system, 47
Ultrablock write blocker (Digital Intelligence), 39, 58, 196, 210
unallocated space
  current and legacy data in, 59
  defined, 59
  forensic duplication versus standard file copy and, 194
  searching for, 63–65
  searching in, 216, 217
  volatility of data, 143
Unicode, VFAT support for, 73–74
Universal Disk Format (UDF) file system, 47
Universal Network Boot Disk (TeleData), 210
Unix time calculator, 309
unplugging equipment, 23–24
USB (Universal Serial Bus)
  flash drives, 48–51, 170, 203
  for hard disk duplication, 198
  hard disks, 55–56, 170, 206
  system altered by plugging in, 170
  versions, 55
Usenet and NNTP, 325–326
user2sid tool, 111–112, 114

V

vampire tap, 157
viewing or displaying
  clipboard contents, 168
  DBX files, 315–316
  History folders, 277–278
  MBR, 62
  MFT information, 83
  open applications from the , 167
  Outlook Express headers, 317–318
  Outlook headers, 324
  partition information, 63
  PST files, 321–322
Virtual FAT (VFAT) file system, 68, 73–75
Virtual PC (Microsoft), 4, 9, 133, 135
viruses. See malicious code
VMWare (EMC), 4, 9, 133, 135
Vogon International hard disk password recovery, 58
volatile data, 18, 141–144

W

Way Back Machine website, 275
Web activity analysis. See also specific browsers
  DNS logs, 294
  Firefox, 285–293
  Internet Explorer, 272–285
  Internet resources, 309
  network logs, 294
  proxy logs, 294
  Web toolbar history, 293
Web toolbar history, 293
websites. See Internet resources
WebTrends' HTTP log reports, 263
Wetstone's Stego Suite, 235, 244
Windows (Microsoft). See also specific versions
  analysis environment candidates, 35
  history and versions of, 32–36
  history website, 58
  identifying OS remotely, 151–152
  *nix environment versus, 3–4
  pervasiveness of, 4, 31
  security flaws, 31, 36–37
  usage percentages by version, 36
  versions focused on, 32
Windows 1.x, 2.x, and 3.x, 32–33
Windows 95, 34–35, 112–113, 120
Windows 98
  accessing startup information, 99
  directories, 112–113
  files, 113
  historical overview, 34–35
  registry file locations, 120
Windows 2000
  directories, 98–104
  EFS supported by, 88
  environment variables, 105–106
  files, 107–110
  historical overview, 33–34
  Microsoft Recovery Console, 63–64
  registry file locations, 119–120
Windows 2003
  accessing startup information, 99
  directories, 98–104
  EFS supported by, 88
  historical overview, 36
  Microsoft Recovery Console, 63–64
  netstat command, 180
  registry file locations, 119–120, 121
, 319–320
Windows directory, 98, 102–104
Windows Enumeration function, 152, 153
Windows for Workgroups (WFW) 3.11, 33
Windows ME, 34–35, 99
Windows Network Monitor, 161
Windows NT
  directories, 98–104
  environment variables, 105–106
  files, 107–110
  historical overview, 33–34
  registry file locations, 119–120
Windows Secret Explorer, 132, 136, 309
Windows shortcuts, 239–241, 245
Windows XP
  accessing startup information, 99
  as best analysis environment, 35
  directories, 98–104
  EFS supported by, 88
  environment variables, 105–106
  files, 107–110
  Findstr tool, 214
  firewall logs, 257–259
  historical overview, 35
  Microsoft Recovery Console, 63–64
  netstat command, 180
  registry file locations, 119–120, 121
  SP2 enhancements, 35
WinHex hex editor (X-Ways Trace)
  for analyzing main memory, 186
  in barebones starter kit, 7
  for bitwise searching, 217
  described, 65
  for file recovery, 229–230
  Partition Table entries in, 62
  for reconstructing entry for deleted partition, 64–65
  for searching non-file content, 216
  website, 9
WIN.INI file, 99, 110
WinISO CD image editor, 124, 136
WINNT directory, 98, 102–104
WinPCap, 191
Win386.swp file, 113
wireless networks, 160–161, 189, 198
Word (Microsoft), 5–6
Wotsit website, 231, 244
write blocking, 39, 58, 196

X

xsteg tool, 235
X-Ways Trace. See WinHex hex editor