Saturday, 8 February 2014

Document: Computer and Intrusion Forensics (ppt)

Library of Congress Cataloging-in-Publication Data
Computer and intrusion forensics / George Mohay [et al.].
p. cm.—(Artech House computer security series)
Includes bibliographical references and index.
ISBN 1-58053-369-8 (alk. paper)
1. Computer security. 2. Data protection. 3. Forensic sciences.
I. Mohay, George M., 1945–
QA76.9.A25C628 2003
005.8—dc21 2002044071
British Library Cataloguing in Publication Data
Computer and intrusion forensics—(Artech House computer security series)
1. Computer security 2. Computer networks—Security measures 3. Forensic sciences
4. Computing crimes—Investigation
I. Mohay, George M., 1945–
005.8
ISBN 1-58053-369-8
Cover design by Igor Valdman
© 2003 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062
All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced
or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any
information storage and retrieval system without permission in writing from the publisher.
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not
be regarded as affecting the validity of any trademark or service mark.
International Standard Book Number: 1-58053-369-8
Library of Congress Catalog Card Number: 2002044071
Contents

Foreword by Eugene Spafford
Preface
Acknowledgments
Disclaimer

1 Computer Crime, Computer Forensics, and Computer Security
1.1 Introduction
1.2 Human behavior in the electronic age
1.3 The nature of computer crime
1.4 Establishing a case in computer forensics
1.4.1 Computer forensic analysis within the forensic tradition
1.4.2 The nature of digital evidence
1.4.3 Retrieval and analysis of digital evidence
1.4.4 Sources of digital evidence
1.5 Legal considerations
1.6 Computer security and its relationship to computer forensics
1.6.1 Basic communications on the Internet
1.6.2 Computer security and computer forensics
1.7 Overview of the following chapters
References

2 Current Practice
2.1 Introduction
2.2 Electronic evidence
2.2.1 Secure boot, write blockers and forensic platforms
2.2.2 Disk file organization
2.2.3 Disk and file imaging and analysis
2.2.4 File deletion, media sanitization
2.2.5 Mobile telephones, PDAs
2.2.6 Discovery of electronic evidence
2.3 Forensic tools
2.3.1 EnCase
2.3.2 ILook Investigator
2.3.3 CFIT
2.4 Emerging procedures and standards
2.4.1 Seizure and analysis of electronic evidence
2.4.2 National and international standards
2.5 Computer crime legislation and computer forensics
2.5.1 Council of Europe convention on cybercrime and other international activities
2.5.2 Carnivore and RIPA
2.5.3 Antiterrorism legislation
2.6 Networks and intrusion forensics
References

3 Computer Forensics in Law Enforcement and National Security
3.1 The origins and history of computer forensics
3.2 The role of computer forensics in law enforcement
3.3 Principles of evidence
3.3.1 Jurisdictional issues
3.3.2 Forensic principles and methodologies
3.4 Computer forensics model for law enforcement
3.4.1 Computer forensic—secure, analyze, present (CFSAP) model
3.5 Forensic examination
3.5.1 Procedures
3.5.2 Analysis
3.5.3 Presentation
3.6 Forensic resources and tools
3.6.1 Operating systems
3.6.2 Duplication
3.6.3 Authentication
3.6.4 Search
3.6.5 Analysis
3.6.6 File viewers
3.7 Competencies and certification
3.7.1 Training courses
3.7.2 Certification
3.8 Computer forensics and national security
3.8.1 National security
3.8.2 Critical infrastructure protection
3.8.3 National security computer forensic organizations
References

4 Computer Forensics in Forensic Accounting
4.1 Auditing and fraud detection
4.1.1 Detecting fraud—the auditor and technology
4.2 Defining fraudulent activity
4.2.1 What is fraud?
4.2.2 Internal fraud versus external fraud
4.2.3 Understanding fraudulent behavior
4.3 Technology and fraud detection
4.3.1 Data mining and fraud detection
4.3.2 Digit analysis and fraud detection
4.3.3 Fraud detection tools
4.4 Fraud detection techniques
4.4.1 Fraud detection through statistical analysis
4.4.2 Fraud detection through pattern and relationship analysis
4.4.3 Dealing with vagueness in fraud detection
4.4.4 Signatures in fraud detection
4.5 Visual analysis techniques
4.5.1 Link or relationship analysis
4.5.2 Time-line analysis
4.5.3 Clustering
4.6 Building a fraud analysis model
4.6.1 Stage 1: Define objectives
4.6.2 Stage 2: Environmental scan
4.6.3 Stage 3: Data acquisition
4.6.4 Stage 4: Define fraud rules
4.6.5 Stage 5: Develop analysis methodology
4.6.6 Stage 6: Data analysis
4.6.7 Stage 7: Review results
References
Appendix 4A

5 Case Studies
5.1 Introduction
5.2 The case of "Little Nicky" Scarfo
5.2.1 The legal challenge
5.2.2 Keystroke logging system
5.3 The case of "El Griton"
5.3.1 Surveillance on Harvard's computer network
5.3.2 Identification of the intruder: Julio Cesar Ardita
5.3.3 Targets of Ardita's activities
5.4 Melissa
5.4.1 A word on macro viruses
5.4.2 The virus
5.4.3 Tracking the author
5.5 The World Trade Center bombing (1993) and Operation Oplan Bojinka
5.6 Other cases
5.6.1 Testing computer forensics in court
5.6.2 The case of the tender document
References

6 Intrusion Detection and Intrusion Forensics
6.1 Intrusion detection, computer forensics, and information warfare
6.2 Intrusion detection systems
6.2.1 The evolution of IDS
6.2.2 IDS in practice
6.2.3 IDS interoperability and correlation
6.3 Analyzing computer intrusions
6.3.1 Event log analysis
6.3.2 Time-lining
6.4 Network security
6.4.1 Defense in depth
6.4.2 Monitoring of computer networks and systems
6.4.3 Attack types, attacks, and system vulnerabilities
6.5 Intrusion forensics
6.5.1 Incident response and investigation
6.5.2 Analysis of an attack
6.5.3 A case study—security in cyberspace
6.6 Future directions for IDS and intrusion forensics
References

7 Research Directions and Future Developments
7.1 Introduction
7.2 Forensic data mining—finding useful patterns in evidence
7.3 Text categorization
7.4 Authorship attribution: identifying e-mail authors
7.5 Association rule mining—application to investigative profiling
7.6 Evidence extraction, link analysis, and link discovery
7.6.1 Evidence extraction and link analysis
7.6.2 Link discovery
7.7 Stegoforensic analysis
7.8 Image mining
7.9 Cryptography and cryptanalysis
7.10 The future—society and technology
References

Acronyms
About the Authors
Index
Foreword by Eugene Spafford
Computer science is a relatively new field, dating back about 60 years. The oldest computing society, the ACM, is almost 55 years old. The oldest degree-granting CS department in academia (the one at Purdue) is 40 years old. Compared to other sciences and engineering disciplines, computing is very young.
In its brief lifespan, the focus of the field has evolved and changed, with new branches forming to explore new problems. In particular, at a very high level of abstraction, we can see computing having several major phases of system understanding. In the first phase, starting in the 1940s, scientists and engineers were concerned with discovery of what could be computed. This included the development of new algorithms, theory, and hardware. This pursuit continues today. When systems did not work as expected (from hardware or software failures), debugging and system analysis tools were needed to discover why. The next major phase of computing started in the 1960s with growing concern over how to minimize the cost and maximize the speed of computing. From this came software engineering, reliability, new work in language and OS development, and many new developments in hardware and networks. The testing and debugging technology of the prior phase continued to be improved, this time with more sophisticated trace facilities and data handling. Then in the 1980s, there was growing interest in how to make computations robust and reliable. This led to work in fault tolerance and an increasing focus on security. New tools for vulnerability testing and reverse engineering were developed, along with more complex visualization tools to understand network state.
Another 20 years later, and we are seeing another phase of interest develop: forensics. We are still interested in understanding what is happening on our computers and networks, but now we are trying to recreate behavior resulting from malicious acts. Rather than exploring faulty behavior, or probing efficiency, or disassembling viruses and Y2K code, we are now developing tools and methodologies to understand misbehavior given indirect evidence, and do so in a fashion that is legally acceptable. The problem is still one of understanding "what happened" using indirect evidence, but the evidence itself may be compromised or destroyed by an intelligent adversary. This context is very different from what came before.
The history of computer forensics goes back to the late 1980s and early 1990s. Disassembly of computer viruses and worms by various people, my research on software forensics with Steve Weeber and Ivan Krsul, and evidentiary audit trail issues explored by Peter Sommer at the London School of Economics were some of the earliest academic works in this area. The signs were clearly present then that forensic technologies would need to be developed in the coming years—technologies that have resulted in the emergence and consolidation of a new and important specialist field, a field that encompasses both technology and the law. There are professional societies, training programs, accreditation programs and qualifications dedicated to computer forensics. Computer forensics is routinely employed by law enforcement, by government and by commercial organizations in-house.
The adoption of personal (desktop) computers by domestic users and by industry in the 1980s and early 1990s (and more recently the widespread use of laptop computers, PDAs and cell phones since the 1990s) has resulted in an enormous volume of persistent electronic material that may, in the relevant circumstances, constitute electronic evidence of criminal or suspicious activity. Such stored material—files, log records, documents, residual information, and information hidden in normally inaccessible areas of secondary storage—is all valid input for computer forensic analysis. The 1990s also saw enormously increased network connectivity and increased ease of access to the Internet via the WWW. This has led to an explosion in the volume of e-mail and other communications traffic, and correspondingly in the volume of trace information or persistent electronic evidence of the occurrence of such communication. The Internet and the Web present forensic investigators with an entirely new perspective on computer forensics, namely, the application of computer forensics to the investigation of computer networks. In a sense, networks are simply other—albeit, large and complex—repositories of electronic evidence. The projected increase in wireless and portable computing will further add to the scale and complexity of the problems.
Increased connectivity and use of the WWW has also led to the large-scale adoption of distributed computing—a paradigm that includes heavyweight government and commercial applications employing large distributed databases accessed through client-server applications to provide consumers with access to data, for example, their bank accounts and medical records. Society relies on the security of such distributed applications, and the security of the underlying Internet and Web, for its proper functioning. Unfortunately, the rush to market and the shortage of experts has led to many infrastructure components being deployed full of glaring errors and subject to compromise. As a result, network and computer attacks and intrusions that target this trust have become a prime concern for government, law enforcement and industry, as well as a growing sector of academia.
The investigation of such attacks or suspected attacks (termed "intrusion forensics" in this book) has become a key area of interest. The earliest widely publicized large-scale attack on the Internet was the Morris Internet Worm, which took place in 1988 and that I analyzed and described at the time. (It appears that my analysis was the first detailed forensic report of such an attack.) The Worm incident demonstrated how vulnerable the Internet was and indicated the need for improved system and network security. Unfortunately, for a number of reasons including cost, increased connectivity and time-to-market pressures, our overall infrastructure security may be worse today than it was in 1988. Our systems today are still vulnerable and still need improved security. The Carnegie Mellon University CERT Coordination Center reported an increase by a factor of five in incidents handled from 1999 to 2001, from approximately 10,000 in 1999 to over 50,000 in 2001, and an increase by a factor of six in the number of vulnerabilities reported, from approximately 400 in 1999 to over 2,400 in 2001. With this increase, there has been a greater need to understand the causes and effects of intrusions, on-line crimes, and network-based attacks. The critical importance of the areas of computer forensics, network forensics and intrusion forensics is growing, and will be of great importance in the years to come.
Recent events and recent legislation, both national and international, mean that this book is especially timely. The September 11, 2001 terrorist attacks have led directly to the passage of legislation around the world that is focused on providing national authorities with streamlined access to communications information that may be relevant in the investigation of suspected terrorist activity. (It is important to note that the increased access can also be used to suppress political or religious activity and invade privacy; we must all ensure these changes are not so sweeping as to be harmful to society in the long run.)
