Computer Forensics

COMPUTER FORENSICS
AN ESSENTIAL GUIDE FOR ACCOUNTANTS, LAWYERS, AND MANAGERS

MICHAEL SHEETZ

JOHN WILEY & SONS, INC.

This book is printed on acid-free paper.

Copyright © 2007 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print, however, may not be available in electronic format. For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data:
Sheetz, Michael.
Computer forensics : an essential guide for accountants, lawyers, and managers / Michael Sheetz.
p. cm.
Includes index.
ISBN: 978-0-471-78932-1 (cloth)
1. Computer crimes–Investigation. I. Title.
HV8079.C65S44 2007
363.25–dc22
2006030331

Printed in the United States of America.

This book is dedicated to my mother and father, whose love and encouragement have given me the confidence to dare to dream, and to the memory of my grandfather, Benjamin Franklin Sheetz. His love of the written word lives on in me.

CONTENTS

Introduction xi
Acknowledgments xvii

1 A Definition of Computer Forensics 1
    Introduction 1
    Forensic Science 2
    History of Computer Forensics 2
    World Wide Web 5
    Hacker Community 6
    Conclusion 10
    Notes 11
    Suggested Reading 12

2 Basics of Computer Forensic Concepts 13
    Introduction 13
    Understanding Digital Evidence 14
    Input 15
    Storage 15
    Processing 16
    What Computer Data Is 17
    Output 23
    Conclusion 24
    Notes 24
    Suggested Reading 24

3 Preservation and Collection of Digital Evidence 25
    Introduction 25
    Rules of Evidence 26
    Preservation 27
    Collection 30
    Conclusion 36
    Note 37
    Suggested Reading 37

4 Analysis of Digital Evidence 38
    Introduction 38
    Forensic Analysis 39
    Conclusion 50
    Notes 50
    Suggested Reading 51

5 Reporting and Rendering the Opinion 52
    Introduction 52
    Preparing the Report 53
    Presentation 57
    Trial Process 57
    Conclusion 64
    Suggested Reading 65

6 Computer Attacks 66
    Hackers and Phreakz Oh My 66
    Hackers: Unauthorized Use and Trespassing 66
    Wireless Hacking 71
    Malware 75
    Attacks from the Inside 79
    Conclusion 85
    Notes 86
    Suggested Reading 87

7 Computers as Tools for Evil 88
    Introduction 88
    Computers and Crime 88
    Identity Theft 89
    Concealment 96
    Auction Fraud and Retail Cons 97
    Counterfeiting and Forgery 100
    Prostitution 100
    Securities Fraud 101
    Conclusion 105
    Notes 105

8 Computer Tools and the Forensic Examination 108
    Introduction 108
    Assuming Control of the Case 109
    Understanding the Case 109
    Evaluating the Evidence 110
    Examining the “Live” System 110
    Collecting Data from a Dead System 116
    Imaging the Drive 118
    Data Extraction 120
    Data Analysis 122
    Conclusion 125
    Notes 126

9 Presenting Digital Evidence in Court 127
    Introduction 127
    Evidence 128
    Types of Evidence 129
    Expert Witnesses 131
    Legal Requirements of Evidence 132
    Search and Seizure 137
    Conclusion 142
    Notes 143

Index 145

INTRODUCTION

In today’s world, few areas of our lives remain untouched by high-tech gadgets and computers. From our automobiles to the ubiquity of e-mail, the world of bits and bytes has overtaken every phase of our lives. While this ceaseless march of the tide of technology has brought wonderful benefits, as with all gains humankind has experienced, it also has brought some side effects. Although our efficiency has increased, so have the demands for our time. Not only must we learn to multitask, but we must be available 24 hours a day. Tethered to our cell phones, personal digital assistants, and palm-top computers with twenty-first-century umbilical cords, loved ones and coworkers alike experience withdrawal symptoms and panic attacks if their calls and e-mails remain unanswered for more than 10 minutes.

Arguably nowhere has this technological onslaught had a greater impact than in the business world. E-mail, the World Wide Web, and corporate intranets have insinuated themselves into nearly every business. From the mom-and-pop market, which has a digital storefront to augment its brick-and-mortar operation, to the Fortune 500 multinational whose communications hub depends on the infrastructure of the network we call the Internet, digital traffic directs our lives—occasionally into unsightly rush-hour snarls.

For the average person, the pervasiveness of computers and digital technology is little more than either a convenience or an inconvenience, depending on which side of the digital fence you sit. For others, such as managers, accountants, and lawyers, digital technology signifies much more than that; it signifies a change in the way we look at information. The “paperless office” and “electronic discovery” are only two of the many phrases that have arisen with the growth of computers, and both bring with them some very serious managerial problems. For the manager seeking to streamline and reduce costs, the paperless office might, at first glance, seem like the ideal solution to growing storage problems. Likewise, electronic discovery and the instantaneous exchange of digital evidence sound like every lawyer’s dream—at least at first blush. In reality, hidden difficulties in both areas can blindside professionals and result in tremendously higher costs.

These hidden costs, the land mines of the information age, while mere speed bumps to some, are career-ending hurdles for others. What separates the two is the knowledge of the abilities and limitations of the medium. As an example, let us examine the manager who is weighing the decision to go paperless. On the plus side, there are the obvious benefits of reduced storage space, decreased access time, and, depending on implementation methodology, reduced clerical staff. However, the digitally uninitiated may have overlooked the risks involved.

One very serious risk is security. While access to paper documents such as credit memos and invoices in the traditional office is most often restricted by walls, doors, and metal filing cabinets, the cyberworld lacks those conventional security devices. Instead, things such as firewalls, passwords, and encryption technology stand in the way of unauthorized access. Both methods can be equally secure, and both are vulnerable in their own particular ways. However, most managers understand the weaknesses and vulnerabilities of their physical security assets. Many do not have the same fundamental understanding of the limitations of the digital equivalent.

For the attorney, the situation is similar. In a traditional plaintiff’s personal injury firm, many cases follow similar schedules and proceed along the same path. One of the steps in this path is the discovery phase. Discovery is essentially where both sides learn as much about the opponent’s case as possible. While at first a counterintuitive concept in an adversarial legal system, the underlying rationale of truth seeking ultimately is supported by the put-your-cards-on-the-table process. At its heart, the discovery process involves the exchange of information by both sides. In the early days of electronic discovery (e-discovery), electronic communications wrought havoc on some firms—in part due to both the lawyer’s and the client’s lack of an understanding of the technology. Some of these difficulties centered on the interoffice memo. In the traditional office, memos circulate, get filed, and may ultimately get shredded. This is not necessarily the case in a paperless environment.

Misunderstanding the permanence of e-mail memos, many firms overlooked the persistent existence of such communications on corporate servers, company Web sites, and even employee desktops. More than one case was doomed by the existence of the “smoking gun” memo in electronic form somewhere on the client’s computer infrastructure.

As e-discovery became more common, a second issue emerged: information overload. Depending on the case, demands for production can constitute a sizable portion of the discovery process. In a demand for production, one side, usually the plaintiff’s, will demand the other side produce evidence, usually documents, that tend to support its theory of the case. In traditional practice, things such as memos, correspondence, personnel evaluations, and the like were photocopied and turned over to the demanding party.
