INDEX
References to figures and illustrations are in italics.
A
acceptable use policies
creating separate policies
designing
developing
access control lists
configuring
using on routers
access to stored communications
ACLs. See access control lists
administrative action
administrative shares
advisories, publishing
AFind
allocation units layer
analysis, forensic
AntiSniff
anti-virus programs, using on rogue applications
application logging, configuring
application-level storage layer
arp
ARP cache, viewing
ASCII strings
assets, critical
ATA bridges
ATA standard
audit logging, increasing or enabling
auditing
directory
enabling
evidence custodian audits
file
AUP. See acceptable use policies
authentication
of evidence
requiring
servers
automating pre-incident checksums
Autopsy Forensic Browser
performing string searches with
B
BackGate trojan
backups
evidence
file recovery
limitations of
Unix tools
Windows tools
baseline information, storing
binary code
binutils
blocking
boot media
creating a boot disk
creating for Linux
bridges
business issues
C
cables
SCSI cables and connectors
capture files, parsing
case notes
See also documentation
CATALOG
chain of custody
See also evidence
checklists, initial response
checksums
recording cryptographic
checksums of critical files
Cheng, Yong-Qing
chkrootkit utility
CIRT. See Computer Security Incident Response Team
Cisco Internetwork Operating System
clusters
cmd.exe, executing a trusted
compilers
compilation techniques and file analysis
computer forensics reports
attacker methodology
computer evidence analyzed
executive summary
Internet activity or Web browsing history
investigative leads
objectives
recommendations
relevant findings
supporting details
template
user applications
See also reporting
Computer Incident Response Team. See Computer Security Incident Response Team
computer security incident. See incident
Computer Security Incident Response Team
assembling
assembling appropriate resources
assigning a team leader
assigning technical staff
conducting interviews
establishing
mission
performing traditional investigative steps
preparing
training
computer security personnel
professional organizations
See also personnel
ComTriad Technologies
connectionless TCP attacks
connection-oriented TCP attacks
connections, listing current and recent
consensual monitoring logs
contact information, getting
corporate objectives
corporate security personnel
CPUs, for monitoring
crime
international
traditional
critical assets
critical files, recording cryptographic checksums of
cron logs
cryptcat
See also encryption
cryptographic checksums
automating pre-incident checksums
MD5 algorithm
recording
CSIRT. See Computer Security Incident Response Team
D
data classification layer
data collection
forensic duplication
live
data transfer rates
Datang Telecom
Daubert v. Merrell Dow Pharmaceuticals
dcfldd
duplicating a hard drive with
dd command
duplicating a hard drive with
DDoS attack. See distributed denial-of-service attack
debug options, programs compiled with
debugfs
using to recover previously deleted files of unknown content
using to relink a file to Lost+Found
debugging
decompiling
deleted files
recovering on Windows systems
See also file recovery
denial-of-service attacks
and routers
detection of incidents
Dialup Networking
dir command
direct memory access
distributed denial-of-service attack
responding to
DMA. See direct memory access
documentation
case notes
commands used during initial response
documenting investigative steps
documenting the investigation
recording cryptographic checksums
recording file modification, access and inode change times
recording modification, creation and access time of all files
recording steps taken
recording system time and date
steps to take
DoS attacks. See denial-of-service attacks
doskey /history command
dynamically linked programs
E
eBay
editors
educating users about host-based security
electronic communications
email
proprietary files
spam or harassment
embezzlement
employees
departing
See also personnel; users
EnCase
creating a hash set of system files
creating a qualified forensic duplicate with
as evidence
listing file metadata
performing string searches with
restoring an evidence file
reviewing forensic duplicates
reviewing relevant files
using a script to search evidence files
encryption
with cryptcat
network traffic
escalation procedures
Ethereal
reassembling sessions using
event monitoring
See also monitoring
Event Viewer
evidence
auditing custodians
authentication of
backups
best evidence rule
chain of custody
challenges of evidence handling
custodians
defined
digital photos
disposition
ensuring integrity using md5sum
evidence-handling process
Federal Rules of Evidence
finding network-based evidence
forensic duplication as admissible evidence
host-based
labels
logs
network-based
original
overview of evidence-handling procedures
relevant
restoring an EnCase evidence file
restoring a SafeBack evidence file
safe
shipping evidence media
storage
system description
tags
testimonial data
transporting on an airplane
validation
where to look for evidence on Windows systems
working copies
executable code
exetype command
expert reports
extortion
F
FAT file systems
using Linux tools to recover files on
using Windows-based tools to recover files on
FatBack
file auditing
file command
file formats
file lists, generating
file metadata, listing
file recovery
backups
factors affecting
Recycle Bin
running Autopsy as a GUI for
temporary files
undelete tools
on Unix systems
using debugfs to recover previously deleted files of unknown content
using debugfs to relink a file to Lost+Found
using FatBack
using Foremost
using Linux tools to recover files
using TASK
using Windows-based tools to recover files
File Scavenger
file slack
file systems
common sizes of allocation units
FAT
hidden files
introduction to
and Windows NT
Filemon
filenames, maintaining consistent naming conventions
files, determining the type of
filtering
full-content data
tcpdump
find command
fingerprints
See also cryptographic checksums
firewalls
installing
logs
FIRST. See Forum of Incident Response and Security Teams
Foremost
forensic analysis
preparation for
preparing for in Linux
forensic duplication
as admissible evidence
converting a qualified forensic duplicate to a forensic duplicate
creating a qualified forensic duplicate of a hard drive
defined
of a hard drive
keeping up to date with tools
necessity of
restoring a forensic duplicate
reviewing image files with forensic suites
tool requirements
Forensic SF
Forensic Toolkit
converting a qualified forensic duplicate to a forensic duplicate
reviewing forensic duplicates
forensics reports. See computer forensics reports
formatting drives
with Linux
with Windows XP
Forum of Incident Response and Security Teams
Fourth Amendment
See also legal issues
Fport
fraud
free space
FreeBSD
Frye test
FTK. See Forensic Toolkit
FTP sessions
full-content monitoring
filtering
maintaining data files
using tcpdump
See also monitoring
G
GNU utility
Gorshkov, Vasily
grep, performing string searches with
H
hacker tools
dynamic analysis
goals of tool analysis
static analysis
hacks, traditional
hard drives
cabling
forensic duplication of
and interfaces
for monitoring
partitioning and formatting
preparation of media
preparing for string searches
restoring a forensic duplicate of a hard disk
restoring a qualified forensic duplication of a hard disk
size boundaries
wiping storage media
hardware specifications
for monitoring
Hickman v. Taylor
hidden files
Higbee, Aaron
High Technology Crime Investigation Association
hosts
building up your host’s defenses
host-based evidence
host-based information
host-based security
logging
preparing individual hosts
hot fixes
HTCIA. See High Technology Crime Investigation Association
I
IDA Pro
identifying known system files
IDS. See intrusion detection systems
IDS logs
IIS. See Internet Information Services
Image MASSter Solo Professional Plus
incident declaration
incident notification procedure
establishing
incident response. See responses
incident response team. See Computer Security Incident Response Team
incident time and time/date stamps
incidents
defined
detection of
investigating
pre-incident preparation
reporting
resolution
information classification layer
Information Systems Security Association
InfraGard
initial response
checklists
documenting commands used during
overview
recommended practices
scripting
storing information obtained during
interception of real-time communications
interfaces
international crime
Invita
PathStar
Internet Explorer, history files
Internet Information Services, logs
Internet usage policy
interviews
conducting
of end users
of managers
of system administrators
intrusion detection systems
installing
logs
intrusions into computing systems
investigating the incident
examining jobs run by the scheduler service
obtaining preliminary information
organizing and documenting the investigation
performing keyword searches
performing traditional investigative steps
possible investigation phase steps
Registry
reviewing pertinent logs on Windows
reviewing relevant files
on a Unix system
on a Windows system
Invita
IOS. See Cisco Internetwork Operating System
IP address spoofing
ISSA. See Information Systems Security Association
Ivanov, Alexy
J
John the Ripper
K
Kendall, Kris
kernel loadable modules. See loadable kernel modules
keyword searches
Kim, Gene
known system files, identifying
Kornblum, Jesse
KSTAT utility
Kumho Tire Co et al. v. Carmichael et al.
L
L0phtcrack
Lan Analyzer
laptops
law enforcement
objectives
professional organizations
layers
legal action
legal issues
acceptable use policies
accessing unread mail vs previously read mail
evidence handling
reporting
trap-and-traces
Lin, Hai
link count
linked programs
links, broken
Linux
associating the forensic duplicate with the loopback device
binutils
creating boot media
examining the forensic duplicate file
partitioning and formatting drives with
preparing a forensic duplication for analysis
using Linux tools to recover files on FAT file systems
ListDLLs
live data collection
live response
collecting live response data
obtaining event logs during
obtaining the system logs during
performing an in-depth live response
reviewing the Registry during
LKMs. See loadable kernel modules
loadable kernel modules
chkrootkit utility
detection utilities
elements
KSTAT utility
on live systems
logon attempt logs
logs
collecting network-based log files
configuring application logging
configuring Unix logging
configuring Windows logging
consensual monitoring
cron
event log drawbacks
event log dumps
evidence
firewall
host
IDS
IIS
increasing or enabling secure audit logging
on a live system
logged-on user logs
logon attempt
network
obtaining event logs during live response
obtaining the system logs during live response
offline investigation of
process accounting
remote logging
remote syslog server logs
reviewing on Unix systems
reviewing on Windows systems
router
Security log event IDs
sniffers
su command
TCP Wrappers
user activity logging
loopback
Lucent, PathStar
M
mail, accessing
management support
managers, interviewing
maps
network architecture
network topology
Maresware
MD5 algorithm
md5sum
as evidence
MDAC
message digests
See also cryptographic checksums
Microsoft Outlook mail
mirror images
See also forensic duplication
monitoring
choosing appropriate hardware
CPU and RAM
data file formats
deploying the network monitor
evaluating your network monitor
event
example of network monitor setup
full-content
goals of network monitoring
network
network monitoring platform
operating systems
remote access
with routers
setting up a network monitoring system
sniffers
software
trap-and-trace
types of network monitoring
MRTG
Multi Router Traffic Grapher. See MRTG
N
nbtstat
netcat
transferring data with
Netscape, history files
Netscape Messenger mail
netstat
Network Time Protocol
networks
closed
collecting network-based log files
encrypting network traffic
finding network-based evidence
full-content monitoring
goals of network monitoring
logging
network monitoring platform
network topologies
network-based evidence
preparing a network
setting up a network monitoring system
supporting network monitoring
tools for traffic analysis
types of network monitoring
See also traffic
nm command
NMap
nonconsensual wiretaps
nonpersistent writes
Norton Utilities Protect
notification procedures
implementing
when to initiate
NTOP
NTP. See Network Time Protocol
O
object code
ODD. See Open Data Duplicator
online research
Open Data Duplicator
duplicating a hard drive
operating systems
Outlook mail
P
pages
partitioning drives
with Linux
with Windows XP
partitions
passwords
obtaining system passwords
patch levels
PathStar
PayPal
pen registers
Personal Privacy Act
See also legal issues
personnel
corporate security vs. computer security
handling the departing employee
managers
orientation
system administrators
See also users
physical layer
policies
acceptable use policies
as an aid to investigations
benefits of
establishing
Internet usage policy
remote access policy
search
user account policy
verification
political issues
pornography
ports
determining open ports
Fport
listing applications associated with open ports
PPA. See Personal Privacy Act
pre-incident preparation
overview
preparing the CSIRT
preparing the organization
preliminary information, obtaining
/proc file system
cmdline file
exe link
fd subdirectory
where to look for evidence
procedures, establishing
process accounting
logs
process table attacks
processes
identifying rogue processes
listing all running
professional organizations
ps command
PsList
publishing advisories
pwdump3e
Q
qualified forensic duplicates
converting to a forensic duplicate
creating with EnCase
creating with SafeBack
of a hard drive
restoring of a hard disk
See also forensic duplication
Quickview Plus
R
rack-mounted systems
RAM
dumping on Unix systems
dumping on Windows systems
for monitoring
slack
Recycle Bin
Registry
investigating
reviewing during a live response
where to look for evidence
Regmon
remote access
checking for unauthorized access points
determining who’s logged into system
for monitoring
policy
Remote Access Services
remote logging
remote syslog server logs
reporting
attachments and appendices
computer forensics reports
documenting investigative steps
expert reports
goals
guidelines
having co-workers read reports
including metadata
legal issues
MD5 hashes
oral vs. written reports
organizing reports
templates
using consistent identifiers
resolution of the incident
resource allocation attacks
responses
administrative action
components of
Computer Security Incident Response Team (CSIRT)
considering appropriate responses
considering the best time for
determining your response stance
developing incident response procedures
factors affecting
formulating a strategy
goals of
hardware
initial
legal action
live
methodology
possible (table)
posture
response toolkit
software
See also initial response; live response
restored images
See also forensic duplication
Rifiuti
risk, identifying
rootkits
routers
access control lists
checking interface configurations
denial-of-service attacks
determining uptime
determining who’s logged into system
direct-compromise incidents
establishing a router connection
IP address spoofing
listening services
listening sockets
logs
monitoring with
passwords
responding to DDoS attacks
reviewing the routing table
routing table manipulation incidents
saving the router configuration
specialized hardware
theft of information incidents
using as response tools
viewing the ARP cache
S
Sabin, Todd
SafeBack
creating a qualified forensic duplicate with
restoring an evidence file
SCSI
cables and connectors
high-voltage differential signaling
low-voltage differential/multimode signaling
low-voltage differential signaling
major standards
signaling types
single-ended signaling
termination
searches
keyword
policies
reviewing
Secure Shell
reviewing sessions
Secure Sockets Layer
security auditing, enabling
security identifiers
Security log, event IDs
Sega Dreamcast
segmented images
SFind
SGID files
shares
shell histories
SIDs. See security identifiers
silent sniffers
slack space
slices
Sniffer Network Analyzer
sniffers
discovering on Unix systems
logs
silent
Snort
interpreting the output
using to extract event data
SoftICE
software specifications
for monitoring
source code review
Spafford, Gene
SPAN. See switched port analysis
SSH. See Secure Shell
SSL. See Secure Sockets Layer
startup files
static analysis
statically linked programs
storage layers
storage media wiping
storage space management layer
strace
examining output
shortcuts
strategy
considering appropriate responses
considering the totality of the circumstances
recommended practices
response strategy considerations
Streams
string searches
conducting on hard drives
with grep
performing with EnCase
preparing a drive for
stripped programs
su command logs
subscriber information
SubSeven trojan
SUID files
Surveyor/Explorer
swap files
switched port analysis
symbol extraction
SYN packets, checking for
syslog
system administrators, interviewing
system files
creating a hash set of
identifying known
system time, recording
T
TASK
TCP Wrappers logs
tcpdump
refining filters
reviewing network traffic collected with
using for full-content monitoring
tcpflow
interpreting the output
reassembling sessions using
tcptrace
generating session data with
interpreting the output
parsing a capture file
technical capabilities
technical editors
temporary files
threats
timestamps
tmp directory
toolkit
checking for dependencies with Filemon
creating an in-depth response toolkit
creating checksums
labeling media
preparing
tools
for Unix systems
for Windows systems
write-protecting floppies
tools
dynamic analysis
goals of tool analysis
static analysis
using routers as response tools
topologies, network
tortious interference of business relations
trade secrets, theft of
traffic
encrypting network traffic
reviewing network traffic collected with tcpdump
tools for network traffic analysis
See also networks
transactional information
transfer rates
trap-and-traces
creating an output file
initiating with tcpdump
legal issues
performing
with WinDump
Tripwire
trojans
BackGate
SubSeven
trust relationships, analyzing
trusted cmd.exe, executing
trusted shell, executing
U
Ultimate Packer for eXecutables. See UPX
Ultra-DMA
unallocated space
Unicode strings
Unix
backup tools
changing a program’s command line at runtime
checking for unauthorized access points
configuration files
configuring logging
creating a response toolkit
dd command
deleting files
detecting trojan loadable kernel modules
discovering illicit sniffers
dynamic analysis
executing a trusted shell
file command
find command
hidden files
identifying rogue processes
identifying unauthorized user accounts or groups
investigating steps
keyword searches
link count
loadable kernel modules
nm command
obtaining important configuration files
performing an in-depth live response
ps command
recovering deleted files
renaming trusted tools
reviewing pertinent logs
reviewing relevant files
reviewing the /proc file system
shell histories
startup files
strace
su command logs
SUID and SGID files
syslog
time and time/date stamps
tmp directory
trust relationships
trusted commands
unlinked files
using debugfs to recover previously deleted files of unknown content
using debugfs to relink a file to Lost+Found
w command
unlinked files
upstream sources, coordinating with
UPX
user account policy
using in large organizations
user space
userdump.exe
users
determining who’s logged into system
educating about host-based security
identifying unauthorized user accounts or groups
interviewing
logged-on user logs
user activity logging
V
VMware
volatile data
collecting
obtaining
obtaining prior to forensic duplication
obtaining prior to powering down
W
w command
warez
Web browser files
Windows
administrative shares
backup tools
basic investigative steps
broken links
checking for unauthorized access points
configuring logging
desktop
detailed tracking
Dialup Networking
dynamic analysis
exetype command
file auditing
Filemon
Fport
IDA Pro
identifying rogue processes
identifying unauthorized user accounts or groups
ListDLLs
NT system processes
obtaining volatile data
partitioning and formatting drives with Windows XP
performing an in-depth live response
performing keyword searches
proprietary email files
PsList
recovering deleted files
Recycle Bin
Registry
Regmon
Remote Access Services
response toolkit
reviewing all pertinent logs
reviewing relevant files
scheduled jobs
security identifiers (SIDs)
service packs
SoftICE
storing information obtained during initial response
swap files
time and time/date stamps
trust relationships
where to look for evidence
WinDump
wiping storage media
wiretaps
exception to statutes
nonconsensual
working copies
X
Xu, Kai