Investigating Computer-Related Crime

Peter Stephenson

Publisher: CRC, 1999, 304 pages

ISBN: 0-8493-2218-9

Keywords: IT Security

Last modified: May 27, 2021, 7:36 p.m.

Written by an experienced information security specialist, Investigating Computer-Related Crime discusses the nature of cyber crime, its impact in the 21st century, its investigation, and the difficulties encountered by both public law enforcement officials and private investigators.

It is tailored especially for corporate information professionals and investigators to offer a step-by-step approach to understanding and investigating security problems, technical and legal information, and computer forensic techniques.

In detailing an investigation, this book offers insights into collecting and preserving evidence; interrogating suspects and witnesses; handling the crime in progress; and involving the authorities.

Investigating Computer-Related Crime offers valuable information on using the forensic utilities for preserving evidence and searching for hidden information in the process of devising solutions to computer-related crime.

Features

  • Examines the potential impact of cyber crime
  • Contains step-by-step investigative and computer forensic techniques
  • Explores techniques for preserving evidence, searching for hidden information, and handling floppy disks
  • Includes helpful case studies

Contents

  • Section 1 — The Nature of Cyber Crime
    1. Cyber Crime as We Enter the Twenty-First Century
      • What Is Cyber Crime?
      • How Does Today's Cyber Crime Differ from the Hacker Exploits of Yesterday?
      • The Reality of Information Warfare in the Corporate Environment
      • Industrial Espionage — Hackers for Hire
      • Public Law Enforcement's Role in Cyber Crime Investigations
      • The Role of Private Cyber Crime Investigators and Security Consultants in Investigations
      • References
    2. The Potential Impacts of Cyber Crime
      • Data Thieves
        • How Data Thieves Avoid Detection During an Attack
          • Masking Logins
          • Masking Telnet
        • How Data Thieves "Clean Up" After an Attack
        • Techniques for Detecting File Reads and Uploads
      • Misinformation
      • Denial of Service
        • Data Floods and Mail Bombs
        • Attacks from Inside the Organization
        • Attacks Which Require Access to the Computer
      • Chapter Review
    3. Rogue Code Attacks
      • Viruses, Trojan Horses, and Worms
        • Types of Viruses
          • File Infector
          • Resident Program Infector
          • Boot Sector Infector
          • Multi-Partite Virus
          • Dropper
          • Stealth Virus
          • Companion Virus
          • Polymorphic Virus
          • Mutation Engine
        • Detection Methods
          • Pattern Scanners
          • Integrity Checkers
          • Behavior Blockers
        • Trojan Horses
        • Worms
      • Logic Bombs
        • Modifying System Files
      • Responding to Rogue Code Attacks
        • Viruses
        • Trojan Horses and Logic Bombs
      • Protection of Extended Mission-Critical Computer Systems
      • Post-Attack Inspection for Rogue Code
      • Summary
      • Reference
    4. Surgical Strikes and Shotgun Blasts
      • Denial of Service Attacks
        • Service Overloading
        • Message Flooding
        • Signal Grounding
        • Other Attacks
          • Attacking from the Outside
          • Attacking from the Inside
          • Dumping Core
      • Symptoms of a Surgical Strike
        • Panics
        • Other Surgical Attacks
      • Masquerading
        • User Masquerades
        • System Masquerades
        • Spoofing
          • E-Mail
          • Web Site
          • IP Spoofing
      • Case Study: The Case of the Cyber Surgeon
      • Symptoms of Shotgun Blasts
      • "Up Yours" — Mail Bombs
      • Flooding Attacks
      • Summary
      • References
  • Section 2 — Investigating Cyber Crime
    1. A Framework for Conducting an Investigation of a Computer Security Incident
      • Managing Intrusions
        • Why We Need an Investigative Framework
      • What Should an Investigative Framework Provide?
      • One Approach to Investigating Intrusions
        • Drawbacks for the Corporate Investigator
      • A Generalized Investigative Framework for Corporate Investigators
        • Eliminate the Obvious
        • Hypothesize the Attack
        • Reconstruct the Crime
        • Perform a Traceback to the Suspected Source Computer
        • Analyze the Source, Target, and Intermediate Computers
        • Collect Evidence, Including, Possibly, the Computers Themselves
        • Turn Your Findings and Evidentiary Material over to Corporate Investigators or Law Enforcement for Follow-Up
      • Summary
      • References
    2. Look for the Hidden Flaw
      • The Human Aspects of Computer Crime and the FBI Adversarial Matrix
        • Crackers
        • Criminals
        • Vandals
      • Motive, Means, and Opportunity
      • Evidence and Proof
      • Look for the Logical Error
      • Vanity
      • Summary
      • Reference
    3. Analyzing the Remnants of a Computer Security Incident
      • What We Mean by a Computer Security Incident
      • We Never Get the Call Soon Enough
      • Computer Forensic Analysis — Computer Crimes at the Computer
        • DOS Disks — A Brief Tutorial
        • Stack Space
        • Unallocated Space
        • Windows Swap Files and Web Browser Caches
        • Processing Forensic Data — Part One: Collection
        • Collection Techniques
        • Analysis Tools and Techniques
          • Chaining
        • Unix and Other Non-DOS Computers
      • Cyber Forensic Analysis — Computer Crimes Involving Networks
      • Software Forensic Analysis — Who Wrote the Code?
      • The Limitations of System Logs
      • The Logs May Tell the Tale — But What If There Are No Logs?
      • Multiple Log Analysis
      • Summary
      • References
    4. Launching the Investigation
      • Launching the Investigation
      • Analyzing the Incident
      • Analyzing the Evidence and Preparing Your Presentation
      • Securing the Virtual Crime Scene
        • Clear Everyone away from the Computer Under Investigation
        • Examine for Communications Connections, Document All Connections, and Unplug Communications from the Computer
        • Pull the Plug
      • Collecting and Preserving Evidence
        • Rules of Evidence
      • Interrogating and Interviewing Witnesses
        • Preparation and Strategy
        • The Interview
        • Establishing Credibility
        • Reducing Resistance
        • Obtaining the Admission
        • Developing the Admission
        • The Professional Close
      • Developing and Testing an Intrusion Hypothesis
      • Investigating Alternative Explanations
      • You May Never Catch the Culprit
      • Damage Control and Containment
      • Summary
      • References
    5. Determining If a Crime Has Taken Place
      • Statistically, You Probably Don't Have a Crime
      • Believe Your Indications
      • Using Tools to Verify That a Crime Has Occurred
        • Unix Crash Dump Analysis
          • Identifying the Unix Release and Hardware Architecture
          • The Message Buffers
          • Other Unix Utilities
        • Recovering Data from Damaged Disks
        • Recovering Passwords
          • Physical Password Recovery
          • Password Cracking
          • By Inference
        • Examining Logs — Special Tools Can Help
          • Investigating Non-Crime Abuses of Corporate Policy
        • Clues from Witness Interviews
      • Maintaining Crime Scene Integrity Until You Can Make a Determination
      • Case Study: The Case of the CAD/CAM Cad
      • Case Study: The Case of the Client/Server Tickle
      • Summary
      • Reference
    6. Handling the Crime in Progress
      • Intrusions — This Intruder Is Still Online
        • Direct Dial-In
      • Should You Trap, Shut Down, or Scare Off the Intruder?
        • Trap-and-Trace
          • Network Trap-and-Trace Techniques
      • Legal Issues in Trap-and-Trace
      • Back Doors — How Intruders Get Back In
        • Back Doors in the Unix and NT Operating Systems
          • Password Cracking Back Door
          • Rhosts + + Backdoor
          • Checksum and Timestamping Back Doors
          • Login Back Door
          • Services Back Door
          • Cronjob Back Door
          • Library Back Doors
          • Kernel Back Doors
          • File System Back Doors
          • Bootblock Back Doors
          • Process Hiding Back Doors
          • Rootkit
          • Network Traffic Back Doors
          • TCP Shell Back Doors
          • UDP Shell Back Doors
          • ICMP Shell Back Doors
          • Encrypted Link
          • Windows NT
      • Stinging — Goat Files and Honey Pots
      • Summary
      • Reference
    7. "It Never Happened" — Cover-Ups Are Common
      • Case Study: The Case of the Innocent Intruder
      • The Importance of Well-Documented Evidence
      • Maintaining a Chain of Custody
      • Politically Incorrect — Understanding Why People Cover Up for a Cyber Crook
        • Before the Investigation
        • During the Investigation
        • After the Investigation
      • When Cover-Ups Appear Legitimate
    8. Involving the Authorities
      • When to Involve Law Enforcement
      • Who Has Jurisdiction?
      • What Happens When You Involve Law Enforcement Agencies?
      • Making the Decision
      • Summary
    9. When an Investigation Can't Continue
      • When and Why Should You Stop an Investigation?
      • Legal Liabilities and Fiduciary Duty
      • Political Issues
        • Before the Investigation Begins
        • During the Investigation
        • After the Investigation is Completed
      • Civil vs. Criminal Actions
      • Privacy Issues
      • Salvaging Some Benefit
      • Summary
  • Section 3 — Preparing for Cyber Crime
    1. Building a Corporate Cyber "SWAT Team"
      • Why Do Organizations Need a Cyber SWAT Team?
      • What Does a Cyber SWAT Team Do?
      • A Standard Practice Example
      • Who Belongs on a Cyber SWAT Team?
      • Training Investigative Teams
      • Summary
    2. Privacy and Computer Crime
      • The Importance of Formal Policies
      • Who Owns the E-Mail?
      • The Disk Belongs to the Organization, But What About the Data?
      • The "Privacy Act(s)"
        • The Computer Fraud and Abuse Act
        • Electronic Communications Privacy Act
        • The Privacy Protection Act
        • State and Local Laws
        • Wiretap Laws
        • Fourth Amendment to the U.S. Constitution
      • Summary
      • Reference
  • Section 4 — Using the Forensic Utilities
    1. Preserving Evidence — Basic Concepts
      • Timely Evidence Collection and Chain of Custody
      • "Marking" Evidence with an MD5 Hash and Encryption — CRCMD5 and PGP
        • FileList
        • CRCMD5
        • Sealing Evidence
      • Summary
    2. Collecting Evidence — First Steps
      • Using SafeBack 2.0 to Take an Image of a Fixed Disk
      • Taking a Hard Disk Inventory with FileList
      • Summary
      • Reference
    3. Searching for Hidden Information
      • The Intelligent Filter — Filter_I v. 4.1
      • IP Filter — v. 2.2
      • GetStack and GetFree
      • TextSearch Plus v. 2.04
      • Using the Norton Utilities
      • Summary
    4. Handling Floppy Disks
      • AnaDisk v. 2.10LE
      • Copying Floppies to a Work Disk
      • Summary
  1. Introduction to Denial of Service Attacks
    • Foreword
    • Introduction
      • What Is a Denial of Service Attack?
    • Why Would Someone Crash a System?
      • Introduction
        • Subcultural Status
        • To Gain Access
        • Revenge
        • Political Reasons
        • Economic Reasons
        • Nastiness
      • Are Some Operating Systems More Secure?
      • What Happens When a Machine Crashes?
      • How Do I Know If a Host Is Dead?
      • Using Flooding — Which Protocol Is Most Effective?
    • Attacking from the Outside
      • Taking Advantage of Finger
      • UDP and SUNOS 4.13
      • Freezing Up X-Windows
      • Malicious Use of UDP Services
      • Attacking with Lynx Clients
      • Malicious Use of Telnet
      • ICMP Redirect Attacks
      • E-Mail Bombing and Spamming
      • Hostile Applets
      • Attacking Name Servers
    • Attacking from the Inside
      • Malicious Use of Fork()
      • Creating Files That Are Hard to Remove
      • Directory Name Lookupcache
    • How Do I Protect a System Against Denial of Service Attacks?
      • Basic Security Protection
        • Introduction
        • Security Patches
        • Port Scanning
        • Check the Outside Attacks Described in This Paper
        • Check the Inside Attacks Described in This Paper
      • Tools That Help You Check
        • Extra Security Systems
        • Monitoring Security
        • Keeping Up to Date
        • Read Something Better
      • Monitoring Performance
        • Introduction
        • Commands and Services
        • Programs
        • Accounting
    • Some Basic Targets for an Attack, Explanations of Words, Concepts
      • Swap Space
      • Bandwidth
      • Kernel Tables
      • RAM
      • Disks
      • Caches
      • Inetd
      • Tmpfs
      • Loopback
      • NFS
    • Suggested Reading — Information for Deeper Knowledge
  2. Technical Report 540-96
    • Introduction
    • Spoofing Attacks
      • Security-Relevant Decisions
      • Context
      • TCP and DNS Spoofing
      • Web Spoofing
      • Consequences
    • Surveillance
    • Tampering
    • Spoofing the Whole Web
      • How the Attack Works
      • URL Rewriting
      • Forms
      • Starting the Attack
      • Completing the Illusion
      • The Status Line
      • The Location Line
      • Viewing the Document Source
      • Bookmarks
    • Tracing the Attacker
    • Remedies
      • Short-Term Solution
      • Long-Term Solution
    • Related Work
    • Acknowledgments
    • For More Information
    • References

Reviews

Investigating Computer-Related Crime

Reviewed by Roland Buresund

Decent ****** (6 out of 10)

Last modified: May 21, 2007, 3:09 a.m.

A very down-to-earth book about investigating crime with computers in them. It is written with the realisation that not everything is a technical question, but that you need to understand the technical bits while investigating crime (from a corporate perspective, not a legal one). A decent read.
