Investigating Computer-Related Crime

Foreword by Michael Anderson - New Technologies, Inc., Former Special Agent, IRS
Preface
What This Book is About
Who Should Read This Book

THE NATURE OF CYBER CRIME
Cyber Crime as We Enter the 21st Century
What is Cyber Crime?
How Does Today's Cyber Crime Differ From the Hacker Exploits of Yesterday?
The Reality of Information Warfare in the Corporate Environment
Industrial Espionage - Hackers For Hire
Public Law Enforcement's Role in Cyber Crime Investigations
The Role of Private Cyber Crime Investigators and Security Consultants in Investigations
The Potential Impacts of Cyber Crime
Data Thieves
Misinformation
Denial of Service
Rogue Code Attacks
Viruses, Trojan Horses and Worms
Logic Bombs
Responding to Rogue Code Attacks
Protection of Extended Mission Critical Computer Systems
Surgical Strikes and Shotgun Blasts
Symptoms of a Surgical Strike
Masquerading
Case Study: The Case of the Cyber Surgeon
Symptoms of Shotgun Blasts
"Up Yours" - Mailbombs
Data Floods

INVESTIGATING CYBER CRIME
A Framework for Conducting an Investigation of a Computer Security Incident
Managing Intrusions
Why We Need an Investigative Framework
What Should an Investigative Framework Provide?
Drawbacks for the Corporate Investigator
A Generalized Investigative Framework for Corporate Investigators
Look for the Hidden Flaw
The Human Aspects of Cyber Crime Investigation
Motive, Means and Opportunity
The Difference Between "Evidence" and "Proof"
Look for the Logical Error
Vanity
Analyzing the Remnants of a Computer Security Incident
What We Mean by a "Computer Security Incident"
We Never Get the Call Soon Enough
Cyber Forensic Analysis - Computer Crimes Involving Networks
Computer Forensic Analysis - Computer Crimes at the Computer
Software Forensic Analysis - Who Wrote the Code?
The Limitations of System Logs
The Logs May Tell the Tale - But There are No Logs
Multiple Log Analysis
Launching an Investigation
Securing the Virtual Crime Scene
Collecting and Preserving Evidence
Interrogating and Interviewing Suspects and Witnesses
Developing and Testing an Intrusion Hypothesis
Investigating Alternative Explanations
You May Never Catch the Culprit
Damage Control and Containment
Determining if a Crime Has Taken Place
Statistically, You Probably Don't Have a Crime
Believe Your Indications
What Constitutes Evidence?
Using Tools to Verify That a Crime Has Occurred
Unix Crash Dump Analysis
Recovering Data From Damaged Disks
Examining Logs - Special Tools Can Help
Clues From Witness Interviews
Maintaining Crime Scene Integrity Until You Make a Determination
Case Study: The Case of the CAD/CAM Cad
Case Study: The Case of the Client-Server
Handling the Crime in Progress
Intrusions - The Intruder is Still On-Line
Should You Trap, Shut Down or Scare Off the Intruder?
Trap and Trace Techniques
Legal Issues in Trap and Trace
Stinging - Goat Files and Honey Pots
"It Never Happened" - Cover-Ups are Common
Case Study: The Case of the Innocent Intruder
The Importance of Well Documented Evidence
Maintaining a Chain of Custody
Politically Incorrect - Understanding Why People Cover Up for a Cyber Crook
Involving the Authorities
Who Has Jurisdiction?
What Happens When You Involve Law Enforcement Agencies?
Making the Decision
When an Investigation Can't Continue
When and Why Should You Stop an Investigation?
Legal Liability and Fiduciary Duty
Political Issues

PREPARING FOR CYBER CRIME
Building a Corporate Cyber "SWAT Team"
Why Do Organizations Need a Cyber SWAT Team?
What Does a Cyber SWAT Team Do?
Who Belongs on a Cyber SWAT Team?
Training Investigative Teams
Privacy and Computer Crime
The Importance of Formal Policies
Who Owns the E-mail?
The Disk Belongs to the Organization, But What About the Data?
The "Privacy Act"(s)
Wiretap Laws

USING THE FORENSIC UTILITIES
Preface To This Section - How the Section is Organized
Preserving Evidence - First Steps
"Marking" Evidence With an MD5 Hash and M-Crypt
Taking a Hard Disk Inventory with FileList
Using SafeBack 2.0 To Take an Image of a Fixed Disk
Searching For Hidden Information
The Intelligent Filter
IP Filter
GetSlack
GetFree
SeeJunk
Text Search Pro
Using the Norton Utilities
Handling Floppy Disks
AnaDisk
Copying Floppies to a Work Disk
Disks Within Disks
