Incident Response - Computer Forensics Toolkit


Timely. Practical. Reliable.
Douglas Schweitzer
Incident Response
Wiley Technology Publishing
Your in-depth guide to detecting network breaches, uncovering evidence, and preventing future attacks
You'll learn how to:
• Recognize the telltale signs of an incident and take specific response measures
• Search for evidence by preparing operating systems, identifying network devices, and collecting data from memory
• Analyze and detect when malicious code enters the system and quickly locate hidden files
• Perform keyword searches, review browser history, and examine Web caches to retrieve and analyze clues
• Create a forensics toolkit to properly collect and preserve evidence
• Contain an incident by severing network and Internet connections, and then eradicate any vulnerabilities you uncover
• Anticipate future attacks and monitor your system accordingly
• Prevent espionage, insider attacks, and inappropriate use of the network
• Develop policies and procedures to carefully audit the system
Networking/Security
$45.00 USA/$67.99 CAN/£31.50 UK
Whether it's from malicious code sent through an e-mail or an unauthorized user accessing company files, your network is vulnerable to attack. Your response to such incidents is critical. With this comprehensive guide, Douglas Schweitzer arms you with the tools to reveal a security breach, gather evidence to report the crime, and conduct audits to prevent future attacks. He also provides you with a firm understanding of the methodologies for incident response and computer forensics, Federal Computer Crime law information and evidence requirements, legal issues, and how to work with law enforcement.
Visit our Web site at www.wiley.com/compbooks/
ISBN: 0-7645-2636-7
INCLUDES CD-ROM
DOUGLAS SCHWEITZER is an Internet security specialist and authority on malicious code and computer forensics. He is a Cisco Certified Network Associate and Certified Internet Webmaster Associate, and holds A+, Network+, and i-Net+ certifications. Schweitzer is also the author of Internet Security Made Easy and Securing the Network from Malicious Code.
Computer Forensics Toolkit
CD-ROM includes:
• Helpful tools to capture and protect forensic data; search volumes, drives, and servers for evidence; and rebuild systems quickly after evidence has been obtained
• Valuable checklists developed by the author for all aspects of incident response and handling
Incident Response:
Computer Forensics Toolkit
a526367 FM.qxd 3/21/03 3:37 PM Page i
Incident Response: Computer Forensics Toolkit
Douglas Schweitzer
Incident Response: Computer Forensics Toolkit
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2003 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 0-7645-2636-7
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1O/RR/QU/QT/IN
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States
Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy
fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700. Requests to the
Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN
46256, (317) 572-3447, fax (317) 572-4447, E-Mail:


Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make
no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any
implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives
or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a
professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages,
including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department
within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Library of Congress Cataloging-in-Publication Data on file with the publisher.
Trademarks: Wiley, the Wiley Publishing logo, and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in
the United States and other countries, and may not be used without written permission. All other trademarks are the property of their
respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
About the Author
Douglas Schweitzer is an Internet security specialist with Brainbench certifications in Internet
security and ITAA Information Security Awareness. Douglas is a Certified Internet Webmaster
Associate, and he holds A+, Network+, and i-Net+ certifications from the Computing Technology
Industry Association. He has appeared as an Internet security guest speaker on several radio
shows, including KYW Philadelphia, as well as on Something You Should Know and Computer
Talk America, two nationally syndicated radio shows. He is also the author of Securing the
Network from Malicious Code: A Complete Guide to Defending Against Viruses, Worms, and
Trojans and Internet Security Made Easy: A Plain-English Guide to Protecting Yourself and Your
Company Online.
Credits
ACQUISITIONS EDITOR
Katie Feltman
PROJECT EDITOR
Mark Enochs
TECHNICAL EDITOR
Russell Shumway
COPY EDITOR
Maarten Reilingh
EDITORIAL MANAGER
Mary Beth Wakefield
VICE PRESIDENT & EXECUTIVE
GROUP PUBLISHER
Richard Swadley
VICE PRESIDENT AND EXECUTIVE PUBLISHER
Bob Ipsen
EXECUTIVE EDITOR
Carol Long
EXECUTIVE EDITORIAL DIRECTOR
Mary Bednarek
PROJECT COORDINATORS
Cindy Phipps, Bill Ramsey
GRAPHICS AND PRODUCTION SPECIALISTS
Beth Brooks, Sean Decker,
LeAndra Johnson, Stephanie Jumper,
Kristin McMullan, Heather Pope,
Julia Trippetti
QUALITY CONTROL TECHNICIANS
Carl W. Pierce, Robert Springer
PERMISSIONS EDITOR
Laura Moss
MEDIA DEVELOPMENT SPECIALIST
Travis Silvers
PROOFREADING
Kim Cofer
INDEXING
Virginia Bess
This book is dedicated in loving memory of Mirhan “Mike” Arian,
whose insight and camaraderie are forever missed.
Acknowledgments
This book would not have been possible without the combined efforts of some very talented people. I would first like to thank my agent, Carole McClendon of Waterside Productions, for her assistance in again finding me a superb publisher. I would also like to thank the hard-working individuals at Wiley Publishing who helped to make this book a reality. Their enthusiasm and support were a continued shot in the arm. In particular, I would like to thank Acquisitions Editor Katie Feltman for her confidence in me and for helping me to shape and hone the initial outline for the book. I am also grateful to Project Editor Mark Enochs for all his suggestions. I would like to say thank you to my wife and best friend, Monique, for without her help, this book would not have been possible. I tip my hat to Russ Shumway who, as my technical editor, did a superb job ensuring that all my facts were correct and who suggested a number of additions that kept this book technically sound. Thanks, as well, to my sons Deran and Alex for their enduring patience with me while I spent many long hours writing.
ix
Contents at a Glance
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Chapter 1 Computer Forensics and Incident Response Essentials . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2 Addressing Law Enforcement Considerations . . . . . . . . . 27

Chapter 3 Forensic Preparation and Preliminary Response . . . . . . 45
Chapter 4 Windows Registry, Recycle Bin, and Data Storage . . . . . 69
Chapter 5 Analyzing and Detecting Malicious Code and Intruders . . . . . . . . . . . . . . . . . . . . . 91
Chapter 6 Retrieving and Analyzing Clues. . . . . . . . . . . . . . . . . . . . . 115
Chapter 7 Procedures for Collecting and Preserving Evidence . . . . . . . . . . . . . . . . . . . . . 135
Chapter 8 Incident Containment and Eradication of Vulnerabilities . . . . . . . . . . . . . . . . . . . . . 155
Chapter 9 Disaster Recovery and Follow-Up . . . . . . . . . . . . . . . . . . . 177
Chapter 10 Responding to Different Types of Incidents . . . . . . . . . . 195
Chapter 11 Assessing System Security to Prevent Further Attacks . . . . . . . . . . . . . . . . . . . . . 215
Chapter 12 Pulling It All Together. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Appendix A What’s on the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Appendix B Commonly Attacked Ports . . . . . . . . . . . . . . . . . . . . . . . . . 257
Appendix C Field Guidance on USA Patriot Act 2001 . . . . . . . . . . . . 269
Appendix D Computer Records and the Federal Rules of Evidence . . . . . . . . . . . . . . . . . . . . . 281
Appendix E Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Contents
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Chapter 1 Computer Forensics and Incident Response Essentials . . . . . . . . . . . . . . . . . . . . . 1
Catching the Criminal: The Basics of Computer Forensics . . . . 2
Recognizing the Signs of an Incident . . . . . . . . . . . . . . . . . . . . . 5

Preparing for Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Developing a Computer Security Incident Response Capability . . . . . . . . . . . . . . . . . . . . . 16
The Computer Security Incident Response Team. . . . . . . . . . . 17
The Incident Reporting Process . . . . . . . . . . . . . . . . . . . . . . . . 18
Assessment and Containment . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Recovery Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Damage Analysis and Determination . . . . . . . . . . . . . . . . . . . . . . 20
Shutdown Procedures while Preserving Evidence . . . . . . . . . . . . . 21
NIPC Recommendations for Victims. . . . . . . . . . . . . . . . . . . . . . . 24
Building an Incident Response/Forensic Toolkit . . . . . . . . . . . 25
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 2 Addressing Law Enforcement Considerations . . . . . . . . . 27
A Look at the Fourth Amendment. . . . . . . . . . . . . . . . . . . . . . . 28
A Brief Primer on the Freedom of Information Act . . . . . . . . . 30
Reporting Security Breaches to Law Enforcement. . . . . . . . . . 30
Information Sharing Issues in Computer Crime Investigations . . . . . . . . . . . . . . . . . . . . . 33
The Role of the National Infrastructure Protection Center . . . . . . . . . . . . . . . . . . . . . 35
Understanding Disclosure and Discovery . . . . . . . . . . . . . . . . . 36
Disclosure of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Federal Computer Crimes and Laws . . . . . . . . . . . . . . . . . . . . . 38
The Computer Fraud and Abuse Act of 1986 . . . . . . . . . . . . . . 39
Computer Fraud and Abuse Act of 1986 (US) 18 USC 1030 . . . . . . . 39
The Computer Abuse Amendments Act of 1994 . . . . . . . . . . . . 42
The USA Patriot Act of 2001 . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Chapter 3 Forensic Preparation and Preliminary Response . . . . . . 45
Preparing Operating Systems for Data Collection . . . . . . . . . . 45

The Significance of Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Auditing and Logging Procedures. . . . . . . . . . . . . . . . . . . . . . . . . 46
Enabling Auditing and Logging on Windows NT . . . . . . . . . . . . . . 47
A Quick Note about Auditing, Logging, and Log File Size. . . . . . . . 49
Centralized Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Time-Stamping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Identifying Network Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Collecting Data from Memory . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Selecting the Appropriate Memory Dump Options . . . . . . . . . . . . . 57
Using Dumpchk.exe to View the Windows memory.dmp File . . . . . 58
Performing Memory Dump on Unix Systems. . . . . . . . . . . . . . . . . 58
Imaging Hard Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Following the Chain-of-Custody for Evidence Collection . . . . 61
Business Continuity and Contingency Planning . . . . . . . . . . . 63
The IT Contingency-Planning Process . . . . . . . . . . . . . . . . . . . . . 63
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Chapter 4 Windows Registry, Recycle Bin, and Data Storage . . . . . . 69
The Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Registry Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Viewing and Editing the Registry . . . . . . . . . . . . . . . . . . . . . . . . . 71
Collecting Registry Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Registry Backup and Restore Procedures . . . . . . . . . . . . . . . . . . . 74
Registry Backup Programs (Shareware and Freeware) . . . . . . . . . . 78
Understanding Data Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
The Hard Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
The Floppy Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
The CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
The Windows File Allocation Table . . . . . . . . . . . . . . . . . . . . . . 81

The Windows New Technology File System . . . . . . . . . . . . . . . 82
The Windows Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
The Bin Is Empty, yet the Evidence Remains. . . . . . . . . . . . . . . . . 83
Tracking Deleted Files Through the Windows Recycle Bin . . . . . . . 84
Recovering Deleted Data in Windows . . . . . . . . . . . . . . . . . . . . 85
Industrial-Strength Recovery Utility. . . . . . . . . . . . . . . . . . . . . . . 86
Unix/Linux Data Storage Using the ext2 File System . . . . . . . . 87
File Deletion in ext2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
File Recovery in ext2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Using e2undel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter 5 Analyzing and Detecting Malicious Code and Intruders . . . . . . . . . . . . . . . . . . . . . 91
System Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Detecting Abnormal System Processes . . . . . . . . . . . . . . . . . . . . . 92
Using the Windows Task Manager to View Running Processes . . . . 94
Default Processes in Windows NT, 2000, and XP . . . . . . . . . . . . . . 96
Process-Monitoring Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
xiv Table of Contents
Unusual or Hidden Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Viewing Hidden Files in Windows. . . . . . . . . . . . . . . . . . . . . . . . . 99
Viewing Hidden Files under Unix/Linux . . . . . . . . . . . . . . . . . . . 101
Rootkits and Backdoors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Detecting the Presence of a Rootkit . . . . . . . . . . . . . . . . . . . . . . 104
Detecting the Presence of a Backdoor . . . . . . . . . . . . . . . . . . . . . 106
Removing Rootkits and Trojans . . . . . . . . . . . . . . . . . . . . . . . . . 111
Detecting and Defending Against Network Sniffers . . . . . . . . 112
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Chapter 6 Retrieving and Analyzing Clues. . . . . . . . . . . . . . . . . . . . . 115

Performing Keyword Searches . . . . . . . . . . . . . . . . . . . . . . . . 116
Industrial Strength Keyword-Searching Programs . . . . . . . . . . . 116
Freeware Keyword Search Tools . . . . . . . . . . . . . . . . . . . . . . . . . 117
Using SectorSpyXP to Perform a Keyword Search . . . . . . . . . . . . 118
General Guidelines for Hard Drive Examination . . . . . . . . . . . . . 120
Examining the Windows Swap File . . . . . . . . . . . . . . . . . . . . . 121
Locating the Windows Swap File . . . . . . . . . . . . . . . . . . . . . . . . 121
Viewing the Contents of the Swap/Page File . . . . . . . . . . . . . . . . 123
E-Mail as Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Locating E-Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Retrieving Deleted E-Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Recovering Evidence from the Web Browser . . . . . . . . . . . . . 126
Locating Browser History Evidence . . . . . . . . . . . . . . . . . . . . . . 127
Locating Web Cache Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Print Spooler Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Locating Hidden Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Password-Protected Compressed Data. . . . . . . . . . . . . . . . . . . . . 131
Example Using Ultimate ZIP Cracker . . . . . . . . . . . . . . . . . . . . . 132
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Chapter 7 Procedures for Collecting and Preserving Evidence . . . . . . . . . . . . . . . . . . . . . 135
Postcompromise Evidence Collection . . . . . . . . . . . . . . . . . . . 135
Legal Requirements for Collecting Electronic Evidence . . . . . . . . 136
Unix/Linux Login Banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
The Order of Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Understanding Volatility of Evidence . . . . . . . . . . . . . . . . . . . 140
Creating a Real-Mode Forensics Boot Disk . . . . . . . . . . . . . . . 141
The Skinny on the FAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Creating a Windows Real-Mode Boot Disk. . . . . . . . . . . . . . . . . . 142

Creating a Linux Boot Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Using Packet Sniffers to Gather Evidence. . . . . . . . . . . . . . . . 144
Building a Forensic Toolkit . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
The Coroner’s Toolkit (TCT) . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Using Grave-robber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Running Grave-robber. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Following the Chain-of-Custody . . . . . . . . . . . . . . . . . . . . . . . 149
The Admissibility of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . 150
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
The Frye Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
The Best Evidence Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
The Permissible Time Period for Examining Seized Computers. . . . 153
Evidence Preservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Chapter 8 Incident Containment and Eradication of Vulnerabilities . . . . . . . . . . . . . . . . . . . . . 155
Quarantine and Containment . . . . . . . . . . . . . . . . . . . . . . . . . 156
Determine the Risk of Continuing Operations . . . . . . . . . . . . . . . 156
Preserving Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Audit Mechanisms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
User-Detected Technical Vulnerabilities . . . . . . . . . . . . . . . . . . . 157
Vulnerability Reporting Form . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Severing Network and Internet Connections . . . . . . . . . . . . . 159
Network and File-Sharing Issues. . . . . . . . . . . . . . . . . . . . . . . 160
Configuring Windows File Sharing for Maximum Security. . . . . . 161
Windows XP File Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Windows XP Simple File Sharing . . . . . . . . . . . . . . . . . . . . . . . . 163
Creating Access Control Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Disabling File and Print Sharing under Windows 95/98/Me . . . . . 167
Recognizing the Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . . 167
The Trust Model in Computer Operations . . . . . . . . . . . . . . . . . . 168
User ID and Password Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Operating System Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
The Trust Model and Identity Theft. . . . . . . . . . . . . . . . . . . . . . . 171
Computer Security Awareness. . . . . . . . . . . . . . . . . . . . . . . . . 171
Multimedia Documentation Strategies . . . . . . . . . . . . . . . . . . . . 172
The Eradication Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Harden Your Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Perform Analysis of Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . 173
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Chapter 9 Disaster Recovery and Follow-Up . . . . . . . . . . . . . . . . . . . 177
Disaster Recovery Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Developing a Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . 180
Sample Contingency Disaster Recovery Plan . . . . . . . . . . . . . . . . 181
Electronic Recordkeeping . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Authentication of Electronic Records . . . . . . . . . . . . . . . . . . . . . 184
Electronic Records as Evidence . . . . . . . . . . . . . . . . . . . . . . . . . 185
Records Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
The Uninterruptible Power Supply . . . . . . . . . . . . . . . . . . . . . 186
How UPS Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
UPS Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Purchasing a UPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Understanding Data Backup Procedures. . . . . . . . . . . . . . . . . 187
Creating a Backup Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Data Backup Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Post-Incident Monitoring and Analysis . . . . . . . . . . . . . . . . . . 190

Anticipating Future Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Chapter 10 Responding to Different Types of Incidents . . . . . . . . . . 195
Responding to Hacker Incidents . . . . . . . . . . . . . . . . . . . . . . . 195
Identify the Hacker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Active Hacker Incidents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Monitoring Hacker Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Previous Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Follow-Up. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Responding to Malicious Code Incidents . . . . . . . . . . . . . . . . 201
Trojan Horses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Internet Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Isolate the System and Notify Appropriate Staff . . . . . . . . . . . . . . 202
Contain the Virus, Worm, or Trojan Horse . . . . . . . . . . . . . . . . . 202
Inoculate the System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Return Systems to Normal Operating Mode . . . . . . . . . . . . . . . . 202
Handling Inappropriate Use. . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Types of Harassment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Incidents Involving Sexual Harassment . . . . . . . . . . . . . . . . . . . 203
Avoiding Sexual Harassment Lawsuits . . . . . . . . . . . . . . . . . . . . 205
Guidelines for Developing a Sexual Harassment Policy . . . . . . . . 206
Preventing Workers from Viewing Inappropriate Material . . . . . . 208
Industrial Espionage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Defending Against Insider Attacks. . . . . . . . . . . . . . . . . . . . . . 211
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Chapter 11 Assessing System Security to Prevent Further Attacks . . . . . . . . . . . . . . . . . . . . . 215
Assessment of Security Policies and Procedures . . . . . . . . . . 216
Developing Security Policy Checklists . . . . . . . . . . . . . . . . . . 217
Policy Audit Checklist — Sample . . . . . . . . . . . . . . . . . . . . . . . . 218

An Overview of the Computer Security Audit Process . . . . . . . . . 218
Auditing Workstations and Servers . . . . . . . . . . . . . . . . . . . . . 219
Analyzing Workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Analyzing Network Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
How to Disable NetBIOS Null Sessions . . . . . . . . . . . . . . . . . . . . 221
Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
In-House vs. Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Penetration-Testing Software for In-House Audits . . . . . . . . . . . . 225
Third-Party Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . 227
Health Insurance Portability and Accountability Act of 1996 (HIPAA) . . . . . . . . . . . . . . . . . . . . . 228
HIPAA Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
The Honeynet Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Chapter 12 Pulling It All Together. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Analyzing Real-World Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 236
Security Lessons Learned from Others . . . . . . . . . . . . . . . . . . 238
Lessons Learned from the Code Red Worm . . . . . . . . . . . . . . . . . 239
Lessons Learned from Hackers. . . . . . . . . . . . . . . . . . . . . . . . . . 240
Where to Go for Up-to-Date Information . . . . . . . . . . . . . . . . 242
Future Trends in Security Technology . . . . . . . . . . . . . . . . . . 244
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Appendix A What’s on the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Appendix B Commonly Attacked Ports . . . . . . . . . . . . . . . . . . . . . . . . . 257
Appendix C Field Guidance on USA Patriot Act 2001 . . . . . . . . . . . . 269
Appendix D Computer Records and the Federal Rules of Evidence . . . . . . . . . . . . . . . . . . . . . 281
Appendix E Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Introduction
On May 14, 1999, 54-year-old Sharon Guthrie drowned in the bathtub of her Wolsey, South Dakota home. An autopsy revealed that 10 to 20 capsules containing temazepam were present in her body. The sleeping pills had been prescribed for her husband, the Reverend William Guthrie, pastor of the First Presbyterian Church in Wolsey. Despite his denials of any wrongdoing in connection with the death of his wife, police remained unconvinced of his innocence. Lacking any hard evidence in the case, police decided to engage the services of computer forensics expert Judd Robbins. Several of the church computers frequently used by Rev. Guthrie were seized and frozen. After several days of examining the minister's files, Robbins eventually uncovered evidence that Guthrie had been searching the Internet for painless and surefire killing methods. Robbins also found detailed notes about sleeping pills and lethal household cleaning agents. On January 11, 2000, a 12-member jury convicted Guthrie of murder. Less than two weeks later, Circuit Judge Eugene Martin sentenced him to life imprisonment.
Computer Crime
Not every crime committed with a computer is a computer crime. If someone steals a telephone access code and makes a long-distance call, the code he has stolen is checked by a computer before the call is processed. Nevertheless, such a case is more appropriately treated as "toll fraud," not computer crime. It would, however, qualify as cyber crime if the code was obtained as a result of hacking into a computer system. Although this example appears straightforward, many cases are not so neatly categorized. A bank employee who steals money from a cash drawer is embezzling. A bank employee who writes a computer program to randomly steal very small amounts from numerous accounts may also be embezzling, yet committing (and prosecuting) this offense may require a working knowledge of the bank's computer system. As a result, such a crime may reasonably be characterized as a computer offense.
According to the U.S. Department of Justice, computers generally play three distinct roles in a
criminal case. First, a computer can be the target of an offense. This occurs when conduct is
designed to take information without authorization from, or cause damage to, a computer or
computer network. The Melissa virus and the ExploreZip worm, along with hacks into the White
House and other Web sites, are examples of this type of offense.
Second, a computer can be incidental to an offense yet still be significant for law enforcement
purposes. For example, drug traffickers may store transactional data (such as names, dates, and
quantities) on computers rather than on paper.
Finally, a computer can be the tool used to commit an offense (such as fraud or the unlawful
sale of prescription drugs over the Internet).
What Is Computer Forensics?
According to computer forensics expert Judd Robbins, "Computer forensics is simply the application
of computer investigation and analysis techniques in the interests of determining potential
legal evidence." The type of evidence gathered from a forensic examination can be useful in a wide
variety of investigations:
• Civil litigation such as divorce, harassment, and discrimination cases
• Corporations seeking to acquire evidence in embezzlement, fraud, or intellectual property theft
  cases
• Individuals seeking evidence in age discrimination, wrongful termination, or sexual harassment
  claims
• Insurance company investigations where evidence is required relating to insurance fraud,
  wrongful death, workman's compensation, and other cases involving insurance claims
Digital evidence may be sought in a wide array of computer-related crimes, and computer forensic
examinations use a variety of methods for discovering data that resides in a computer system, or
for recovering deleted, encrypted, or damaged file information. Any or all of this information
can be of use in the processes of discovery, deposition, or litigation.

The Importance of Incident Response
Analyzing the aftermath of a computer intrusion takes far longer than the perpetrator took to
commit the crime. It is often the speed of the response that determines the outcome, and the
more prepared an organization is when an incident first occurs, the quicker it can respond in the
incident's wake. With the ever-increasing use of information technology (IT), organizations
around the globe face the challenge of protecting valuable resources from a never-ending
onslaught of threats. Computers, and the networks that connect them, process, store, and
transmit information that is crucial for successful day-to-day operations and are therefore
inviting targets for hackers and malicious code. Protecting critical IT resources requires not
only adopting reasonable precautions for securing these systems and networks, but also the
ability to respond quickly and efficiently when system and network security defenses have been
breached. Unfortunately, responding to computer security incidents is generally not an easy
endeavor. Proper incident response requires technical knowledge, communication, and
coordination among the personnel in charge of the response process.
In information technology, an incident is an adverse event in an information system and/or
network, or the threat of such an event occurring. Examples of incidents include unauthorized
use of another user's account, unauthorized use of system privileges, and execution of malicious
code that destroys data. Other adverse events include floods, fires, electrical outages, or
excessive heat that results in system crashes. Adverse events such as natural disasters and
power-related disruptions, though certainly undesirable, are not generally within the scope of
incident response teams and are better addressed by an organization's business continuity
(contingency) plans. For the purpose of incident response, therefore, the term incident refers to
an adverse event that is related to information security.
Similarly, an event is any observable occurrence in a system and/or network. Examples of events
include the system boot sequence, a system crash, and data packet flooding within a network.
Events are important because they often provide an indication that an incident is occurring. In
reality, events caused by human error (for example, unintentionally deleting a critical directory
and all the files it contains) are the most costly and disruptive. Events related to computer
security, however, are attracting an increasing amount of attention within the computing
community in general as well as within the federal government. Among other reasons, the
unparalleled growth of networking and the abundance of malicious code available to perpetrators
have greatly increased the number of systems exposed to the threat of unauthorized remote access.
Types of Incidents
According to the Federal Computer Incident Response Center (FedCIRC), the term incident
encompasses the following general categories of adverse events:
• Malicious code attacks. Malicious code attacks include attacks by programs such as viruses,
  Trojan horse programs, worms, and scripts used by crackers/hackers to gain privileges, capture
  passwords, and/or modify audit logs to conceal unauthorized activity. Malicious code is
  particularly troublesome in that it is typically written to mask its own presence, making it
  difficult to detect. Furthermore, self-replicating malicious code such as viruses and worms can
  spread rapidly, making containment especially challenging.
• Unauthorized access. Unauthorized access encompasses a range of incidents, from improperly
  logging into a user's account (for example, when a hacker logs in to a legitimate user's
  account) to unauthorized access to files and directories stored on a system or storage media by
  obtaining superuser privileges. Unauthorized access may also entail accessing network data by
  planting an unauthorized sniffer program or device to capture all packets traversing the
  network at a particular point.
• Unauthorized utilization of services. It is not absolutely necessary to access another user's
  account to perpetrate an attack on a system or network. An intruder may also obtain access to
  information or plant Trojan horse programs by misusing available services. Examples include
  using the network file system (NFS) to mount the file system of a remote server machine, or
  using interdomain access mechanisms in Windows NT to access files and directories in another
  organization's domain.
• Disruption of service. Users rely on the services provided by networked computing systems.
  Those with malicious intent can disrupt these services in a variety of ways, including erasing
  critical programs, mail spamming (flooding a user account with electronic mail), and altering
  system functionality by installing Trojan horse programs.
• Misuse. Misuse occurs when someone uses a computing system for other than official purposes,
  such as when a legitimate user uses a government computer to store personal tax records.
• Espionage. Espionage is stealing information to subvert the interests of a corporation or
  government. Many of the cases of unauthorized access to U.S. government systems during
  Operation Desert Storm and Operation Desert Shield were the manifestation of espionage activity
  against the United States.
• Hoaxes. Hoaxes occur when false information about incidents or vulnerabilities is spread. In
  early 1995, for example, several users with Internet access distributed information about a
  so-called Good Times Virus, even though the virus did not exist.
It is unfortunate that despite the implementation of sophisticated firewalls, powerful intrusion
detection systems, and antivirus software, computers and the networks that connect them may
still be penetrated by hackers, crackers, and malicious code. When the unthinkable happens,
responding to incidents and events is paramount. Because law enforcement agencies have
heightened their interest in computer crimes, the capture and preservation of critical evidence
via basic forensic methods are included in this book. Organizations require strategies for
handling computer-security-related events effectively. Such a strategy includes preparation,
detection, and response. Adopting a hands-on approach, this book arms readers with both the
knowledge and the tools needed to mitigate risk and limit loss.
Who Should Read This Book?
While computer forensics is naturally of great concern to those in the law enforcement
community, any computer user or owner who wants to understand how to acquire and handle
potential digital evidence will benefit from reading this book. In addition, the incident response
material presented in this book will be a tremendous advantage to network administrators,
security personnel, and even executive officers who find it increasingly difficult to keep their
organizational networks free from the debilitating and costly effects of hackers and malicious
code despite the implementation of powerful security measures.
How to Read This Book
This book can be read as a complete introductory course in basic computer forensics and incident
response. However, it is also meant to serve as both a guide and a tool; and many readers will
already be somewhat familiar with the various subjects covered. Accordingly, each chapter is a
complete stand-alone component that can be read whenever the reader deems it practical or con-
venient. As the reader, you probably specialize in one or more of the areas covered in this text.
However, the information presented in this book should also provide additional knowledge and
tools in other areas with which you may not yet be familiar.
Chapter 1
Computer Forensics and
Incident Response
Essentials
In This Chapter
• Catching the criminal: the basics of computer forensics
• Recognizing the signs of an incident
• The steps required to prepare for an incident
• Incident verification
• Preservation of key evidence
• Specific response measures
• Building a toolkit
THE HI-TECH REVOLUTION SWEEPING THE GLOBE in communications and information technology
has truly made the world a smaller place. It affects both our personal and professional lives: the
United States now invests more resources in advancing information technology than in managing
or manufacturing consumer goods. The Internet has become so popular that it is now more
commonplace to receive an e-mail message than a conventionally sent letter in daily
correspondence. Current estimates put the worldwide Internet population at over 580 million and
growing.
In this ever-evolving age of information technology, the requirements of law enforcement are
shifting as well. Some conventional crimes, especially those concerning finance and commerce,
continue to become ever more technologically sophisticated. Paper trails have given way to
electronic trails. Crimes relating to the theft and exploitation of data are detected daily. As
the murder of Sharon Guthrie shows, violent crime is also not immune to the use of information
technology. Remember, Rev. Guthrie was convicted on the basis of forensic evidence gleaned from
his computer, namely the discovery of data indicating that he had visited Web sites offering
instructions for carrying out a murder using tranquilizers. It is not unheard of for those
dealing in arms or drugs to store client names and contact information in databases on their
computers.