Hacking / Incident Response & Computer Forensics / Prosise & Mandia / 222696-x / Front Matter
INCIDENT RESPONSE &
COMPUTER FORENSICS,
SECOND EDITION
CHRIS PROSISE
KEVIN MANDIA
McGraw-Hill/Osborne
New York Chicago San Francisco
Lisbon London Madrid Mexico City Milan
New Delhi San Juan Seoul Singapore Sydney Toronto
Copyright © 2003 by The McGraw-Hill Companies, Inc. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
0-07-223037-1
The material in this eBook also appears in the print version of this title: 0-07-222696-X


All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at george_hoare@mcgraw-hill.com or (212) 904-4069.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS”. McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
DOI: 10.1036/0072230371
To my mom, who had the unfortunate timing of being in the same place as a moving
green van. May her recovery continue, although her professional tennis career is
arguably in jeopardy. And to Howard, for somehow, some way, nursing her back to
recovery. Your patience is remarkable.
– Kevin
Emily and Jimmy, thanks for your patience and support.
– Chris
To James and Daniel, whose friendship and trust I am honored to hold, and to mom
and dad, who raised the three of us in a manner that could guarantee success.
– Matt
About the Authors
Kevin Mandia
Kevin Mandia is the Director of Computer Forensics at Foundstone, Inc., an Internet security firm. As a special agent, consultant, and instructor, Kevin has amassed a wealth of experience performing incident response and computer forensics.
Prior to joining Foundstone, Kevin was a special agent with the Air Force Office of Special Investigations (AFOSI), where he specialized in investigating computer intrusion cases. After leaving the AFOSI, Kevin developed a two-week computer intrusion response course, specifically designed at the request of the FBI. Kevin taught at the FBI Academy for more than a year, where over 300 FBI agents specializing in computer intrusion cases have attended his courses. The content of the courses was tailored to meet the special needs of law enforcement, intelligence officers, and individuals who must understand the way computer networks operate and the methods attackers use to exploit networks. Kevin has also provided computer intrusion and forensic training courses to other customers, including the State Department, the Royal Canadian Mounted Police, the CIA, NASA, Prudential, several international banks, and the United States Air Force.
At Foundstone, Kevin leads a team of computer forensic specialists who have responded to more than 50 computer security incidents at e-commerce, financial service, and health care organizations in the past two years. These incidents range from organized crime pilfering millions of dollars’ worth of merchandise to responding to theft of intellectual property.
Kevin holds a B.S. degree in computer science from Lafayette College and an M.S. degree in Forensic Science from George Washington University. He is a Certified Information Systems Security Professional (CISSP), and he teaches a graduate-level class on incident response at Carnegie Mellon University.
Chris Prosise
Chris Prosise is Vice President of Professional Services for Foundstone, Inc. He co-founded the company and launched Foundstone’s international professional services practice. This expanding practice enables companies ranging from early-stage startups to the largest Global 500 corporations to develop a strong, long-term security foundation tailored to their unique business needs.
Chris has extensive experience in security consulting and incident response. An adjunct professor at Carnegie Mellon University, he teaches graduate students the latest techniques in computer security and serves as a faculty advisor. Chris is a featured speaker at conferences such as Networld+Interop, Infragard, LegalTech, and the Forum of Incident Response and Security Teams (FIRST), but prefers nurturing trees and wildlife on his farm in Virginia.
Chris began his information security career as an active duty officer at the Air Force Information Warfare Center, where he led incident response and security missions on top-secret government networks. He also developed automated network vulnerability assessment software and coded real-time intrusion detection and denial software. Chris holds a B.S. degree in electrical engineering from Duke University and is a Certified Information Systems Security Professional (CISSP).
About the Contributing Authors
Matt Pepe
Matt Pepe is a Principal Forensics Consultant at Foundstone, Inc. As a forensic analyst and consultant, Matt has performed forensic analysis in more than 100 federal investigations for the Air Force Office of Special Investigations (AFOSI), the FBI, and other government agencies.
Prior to joining Foundstone, Matt was a computer forensic analyst for the AFOSI. He was one of the first non-agent analysts used by the organization, and he contributed to the formation of the U.S. Department of Defense (DoD) Computer Forensics Laboratory. In that position, he reviewed media in a large variety of cases, including unauthorized intrusions, fraud, and counterintelligence matters.
Upon leaving AFOSI, Matt provided technical investigative support to the FBI National Infrastructure Protection Center. Additionally, Matt led a network penetration testing team and contributed to the development of an enterprise intrusion detection system.
At Foundstone, Matt leads incident response and forensic engagements, and conducts research and development for the incident response and forensics practice.
Richard Bejtlich
Richard Bejtlich is a Principal Forensics Consultant at Foundstone, Inc. He performs incident response, digital forensics, security training, and consulting on network security monitoring.
Prior to joining Foundstone, Richard served as senior engineer for managed network security operations at Ball Aerospace & Technologies Corporation. Before that, Richard defended global American information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). He led the AFCERT’s real-time intrusion detection mission, supervising 60 civilian and military analysts.
Formally trained as a military intelligence officer, Richard holds degrees from Harvard University and the United States Air Force Academy, and he is a Certified Information Systems Security Professional (CISSP). Richard is a contributing author to Hacking Exposed, Fourth Edition and Incident Response & Computer Forensics.
About the Technical Editor
Curtis Rose
Curtis W. Rose is the Director of Investigations & Forensics at Sytex, Inc. Mr. Rose, a former counterintelligence special agent, is a well-recognized forensics and incident response expert. He has provided the U.S. Department of Justice, FBI’s National Infrastructure Protection Center, Air Force Office of Special Investigations, U.S. Army, corporate entities, and state law enforcement with investigative support and training.
Mr. Rose has developed specialized software to identify, monitor, and track computer hackers. In addition, he has written affidavits and testified as an expert in U.S. Federal Court.
AT A GLANCE
Part I Introduction
1 Real-World Incidents . . . 3
2 Introduction to the Incident Response Process . . . 11
3 Preparing for Incident Response . . . 33
4 After Detection of an Incident . . . 75
Part II Data Collection
5 Live Data Collection from Windows Systems . . . 95
6 Live Data Collection from Unix Systems . . . 125
7 Forensic Duplication . . . 151
8 Collecting Network-based Evidence . . . 173
9 Evidence Handling . . . 197
Part III Data Analysis
10 Computer System Storage Fundamentals . . . 217
11 Data Analysis Techniques . . . 239
12 Investigating Windows Systems . . . 291
13 Investigating Unix Systems . . . 335
14 Analyzing Network Traffic . . . 359
15 Investigating Hacker Tools . . . 385
16 Investigating Routers . . . 415
17 Writing Computer Forensic Reports . . . 435
Part IV Appendixes
A Answers to Questions . . . 457
B Incident Response Forms . . . 481
Index . . . 491
CONTENTS
Foreword . . . xxi
Acknowledgments . . . xxiii
Introduction . . . xxv
Part I Introduction
1 Real-World Incidents . . . 3
  Factors Affecting Response . . . 4
  International Crime . . . 5
    Welcome to Invita . . . 5
    The PathStar Conspiracy . . . 6
  Traditional Hacks . . . 7
  So What? . . . 9
2 Introduction to the Incident Response Process . . . 11
  What Is a Computer Security Incident? . . . 12
  What Are the Goals of Incident Response? . . . 13
  Who Is Involved in the Incident Response Process? . . . 13
  Incident Response Methodology . . . 14
    Pre-Incident Preparation . . . 16
    Detection of Incidents . . . 17
    Initial Response . . . 18
    Formulate a Response Strategy . . . 20
    Investigate the Incident . . . 24
    Reporting . . . 30
    Resolution . . . 31
  So What? . . . 32
  Questions . . . 32
3 Preparing for Incident Response . . . 33
  Overview of Pre-incident Preparation . . . 34
  Identifying Risk . . . 35
  Preparing Individual Hosts . . . 36
    Recording Cryptographic Checksums of Critical Files . . . 36
    Increasing or Enabling Secure Audit Logging . . . 39
    Building Up Your Host’s Defenses . . . 46
    Backing Up Critical Data . . . 47
    Educating Your Users about Host-Based Security . . . 48
  Preparing a Network . . . 49
    Installing Firewalls and Intrusion Detection Systems . . . 50
    Using Access Control Lists on Your Routers . . . 50
    Creating a Network Topology Conducive to Monitoring . . . 50
    Encrypting Network Traffic . . . 52
    Requiring Authentication . . . 52
  Establishing Appropriate Policies and Procedures . . . 53
    Determining Your Response Stance . . . 54
    Understanding How Policies Can Aid Investigative Steps . . . 56
    Developing Acceptable Use Policies . . . 63
    Designing AUPs . . . 64
    Developing Incident Response Procedures . . . 66
  Creating a Response Toolkit . . . 66
    The Response Hardware . . . 67
    The Response Software . . . 68
    The Networking Monitoring Platform . . . 68
    Documentation . . . 69
  Establishing an Incident Response Team . . . 69
    Deciding on the Team’s Mission . . . 69
    Training the Team . . . 70
  So What? . . . 73
  Questions . . . 73

4 After Detection of an Incident . . . 75
  Overview of the Initial Response Phase . . . 76
    Obtaining Preliminary Information . . . 77
    Documenting Steps to Take . . . 77
  Establishing an Incident Notification Procedure . . . 77
  Recording the Details after Initial Detection . . . 78
    Initial Response Checklists . . . 78
    Case Notes . . . 80
  Incident Declaration . . . 80
  Assembling the CSIRT . . . 81
    Determining Escalation Procedures . . . 82
    Implementing Notification Procedures . . . 83
    Scoping an Incident and Assembling the Appropriate Resources . . . 84
  Performing Traditional Investigative Steps . . . 86
  Conducting Interviews . . . 87
    Getting Contact Information . . . 88
    Interviewing System Administrators . . . 88
    Interviewing Managers . . . 89
    Interviewing End Users . . . 90
  Formulating a Response Strategy . . . 90
    Response Strategy Considerations . . . 90
    Policy Verification . . . 91
  So What? . . . 92
  Questions . . . 92
Part II Data Collection
5 Live Data Collection from Windows Systems . . . 95
  Creating a Response Toolkit . . . 96
    Gathering the Tools . . . 97
    Preparing the Toolkit . . . 98
  Storing Information Obtained during the Initial Response . . . 100
    Transferring Data with netcat . . . 100
    Encrypting Data with cryptcat . . . 102
  Obtaining Volatile Data . . . 103
    Organizing and Documenting Your Investigation . . . 103
    Collecting Volatile Data . . . 104
    Scripting Your Initial Response . . . 114
  Performing an In-Depth Live Response . . . 115
    Collecting the Most Volatile Data . . . 115
    Creating an In-Depth Response Toolkit . . . 115
    Collecting Live Response Data . . . 116
  Is Forensic Duplication Necessary? . . . 123
  So What? . . . 123
  Questions . . . 124
6 Live Data Collection from Unix Systems . . . 125
  Creating a Response Toolkit . . . 126
  Storing Information Obtained During the Initial Response . . . 127
  Obtaining Volatile Data Prior to Forensic Duplication . . . 128
    Collecting the Data . . . 128
    Scripting Your Initial Response . . . 137
  Performing an In-Depth, Live Response . . . 138
    Detecting Loadable Kernel Module Rootkits . . . 138
    Obtaining the System Logs During Live Response . . . 140
    Obtaining Important Configuration Files . . . 141
    Discovering Illicit Sniffers on Unix Systems . . . 141
    Reviewing the /Proc File System . . . 144
    Dumping System RAM . . . 147
  So What? . . . 148
  Questions . . . 149
7 Forensic Duplication . . . 151
  Forensic Duplicates As Admissible Evidence . . . 152
    What Is a Forensic Duplicate? . . . 153
    What Is a Qualified Forensic Duplicate? . . . 153
    What Is a Restored Image? . . . 153
    What Is a Mirror Image? . . . 154
  Forensic Duplication Tool Requirements . . . 155
  Creating a Forensic Duplicate of a Hard Drive . . . 157
    Duplicating with dd and dcfldd . . . 157
    Duplicating with the Open Data Duplicator (ODD) . . . 159
  Creating a Qualified Forensic Duplicate of a Hard Drive . . . 163
    Creating a Boot Disk . . . 163
    Creating a Qualified Forensic Duplicate with SafeBack . . . 164
    Creating a Qualified Forensic Duplicate with EnCase . . . 168
  So What? . . . 172
  Questions . . . 172
8 Collecting Network-based Evidence . . . 173
  What Is Network-based Evidence? . . . 174
  What Are the Goals of Network Monitoring? . . . 174

  Types of Network Monitoring . . . 175
    Event Monitoring . . . 175
    Trap-and-Trace Monitoring . . . 175
    Full-Content Monitoring . . . 176
  Setting Up a Network Monitoring System . . . 177
    Determining Your Goals . . . 177
    Choosing Appropriate Hardware . . . 178
    Choosing Appropriate Software . . . 180
    Deploying the Network Monitor . . . 184
    Evaluating Your Network Monitor . . . 185
  Performing a Trap-and-Trace . . . 186
    Initiating a Trap-and-Trace with tcpdump . . . 187
    Performing a Trap-and-Trace with WinDump . . . 188
    Creating a Trap-and-Trace Output File . . . 190
  Using tcpdump for Full-Content Monitoring . . . 190
    Filtering Full-Content Data . . . 191
    Maintaining Your Full-Content Data Files . . . 192
  Collecting Network-based Log Files . . . 193
  So What? . . . 194
  Questions . . . 194
9 Evidence Handling . . . 197
  What Is Evidence? . . . 198
    The Best Evidence Rule . . . 198
    Original Evidence . . . 199
  The Challenges of Evidence Handling . . . 199
    Authentication of Evidence . . . 200
    Chain of Custody . . . 200
    Evidence Validation . . . 201
  Overview of Evidence-Handling Procedures . . . 202
    Evidence System Description . . . 203
    Digital Photos . . . 203
    Evidence Tags . . . 205
    Evidence Labels . . . 207
    Evidence Storage . . . 207
    The Evidence Log . . . 210
    Working Copies . . . 211
    Evidence Backups . . . 211
    Evidence Disposition . . . 212
    Evidence Custodian Audits . . . 212
  So What? . . . 213
  Questions . . . 213
Part III Data Analysis
10 Computer System Storage Fundamentals . . . 217
  Hard Drives and Interfaces . . . 218
    The Swiftly Moving ATA Standard . . . 218
    SCSI (Not Just a Bad-Sounding Word) . . . 223
  Preparation of Hard Drive Media . . . 227
    Wiping Storage Media . . . 227
    Partitioning and Formatting Storage Drives . . . 228
  Introduction to File Systems and Storage Layers . . . 231
    The Physical Layer . . . 232
    The Data Classification Layer . . . 233
    The Allocation Units Layer . . . 234
    The Storage Space Management Layer . . . 234
    The Information Classification and Application-level Storage Layers . . . 236
  So What? . . . 236
  Questions . . . 237
11 Data Analysis Techniques . . . 239
  Preparation for Forensic Analysis . . . 240
  Restoring a Forensic Duplicate . . . 241
    Restoring a Forensic Duplication of a Hard Disk . . . 241
    Restoring a Qualified Forensic Duplication of a Hard Disk . . . 244
  Preparing a Forensic Duplication for Analysis In Linux . . . 248
    Examining the Forensic Duplicate File . . . 249
    Associating the Forensic Duplicate File with the Linux Loopback Device . . . 250
  Reviewing Image Files with Forensic Suites . . . 253
    Reviewing Forensic Duplicates in EnCase . . . 253
    Reviewing Forensic Duplicates in the Forensic Toolkit . . . 255
  Converting a Qualified Forensic Duplicate to a Forensic Duplicate . . . 257
  Recovering Deleted Files on Windows Systems . . . 260
    Using Windows-Based Tools To Recover Files on FAT File Systems . . . 260
    Using Linux Tools To Recover Files on FAT File Systems . . . 260
    Running Autopsy as a GUI for File Recovery . . . 264
    Using Foremost to Recover Lost Files . . . 268
    Recovering Deleted Files on Unix Systems . . . 271
  Recovering Unallocated Space, Free Space, and Slack Space . . . 275
  Generating File Lists . . . 278
Listing File Metadata . . . . . . . . . . . . . . . . . . . . . . . 278
Identifying Known System Files . . . . . . . . . . . . . . . . 282
Preparing a Drive for String Searches . . . . . . . . . . . . . . . . . 282
Performing String Searches . . . . . . . . . . . . . . . . . . . 284
So What? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

12
Investigating Windows Systems . . . . . . . . . . . . . . . . . . . . . . . 291
Where Evidence Resides on Windows Systems . . . . . . . . . . . 292
Conducting a Windows Investigation . . . . . . . . . . . . . . . . 293
Reviewing All Pertinent Logs . . . . . . . . . . . . . . . . . . 294
Performing Keyword Searches . . . . . . . . . . . . . . . . . 302
Reviewing Relevant Files . . . . . . . . . . . . . . . . . . . . 303
Identifying Unauthorized User Accounts or Groups . . . . . 320
Identifying Rogue Processes . . . . . . . . . . . . . . . . . . . 320
Looking for Unusual or Hidden Files . . . . . . . . . . . . . 321
Checking for Unauthorized Access Points . . . . . . . . . . . 323

Examining Jobs Run by the Scheduler Service . . . . . . . . 326
Analyzing Trust Relationships . . . . . . . . . . . . . . . . . 327
Reviewing Security Identifiers (SIDs) . . . . . . . . . . . . . 328
File Auditing and Theft of Information . . . . . . . . . . . . . . . . 328
Handling the Departing Employee . . . . . . . . . . . . . . . . . . 331
Reviewing Searches and Files Used . . . . . . . . . . . . . . 332
Conducting String Searches on Hard Drives . . . . . . . . . 332
So What? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

13 Investigating Unix Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 335
An Overview of the Steps in a Unix Investigation . . . . . . . . . 336
Reviewing Pertinent Logs . . . . . . . . . . . . . . . . . . . . . . . 337
Network Logging . . . . . . . . . . . . . . . . . . . . . . . . . 337
Host Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
User Activity Logging . . . . . . . . . . . . . . . . . . . . . . 341
Performing Keyword Searches . . . . . . . . . . . . . . . . . . . . 342
String Searches with grep . . . . . . . . . . . . . . . . . . . . 343
File Searches with find . . . . . . . . . . . . . . . . . . . . . . 344
Reviewing Relevant Files . . . . . . . . . . . . . . . . . . . . . . . . 344
Incident Time and Time/Date Stamps . . . . . . . . . . . . . 345
Special Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Identifying Unauthorized User Accounts or Groups . . . . . . . . 350
User Account Investigation . . . . . . . . . . . . . . . . . . . 350
Group Account Investigation . . . . . . . . . . . . . . . . . . 351
Identifying Rogue Processes . . . . . . . . . . . . . . . . . . . . . . 351
Checking for Unauthorized Access Points . . . . . . . . . . . . . . 352
Analyzing Trust Relationships . . . . . . . . . . . . . . . . . . . . 352
Detecting Trojan Loadable Kernel Modules . . . . . . . . . . . . . 353
LKMs on Live Systems . . . . . . . . . . . . . . . . . . . . . . 354
LKM Elements . . . . . . . . . . . . . . . . . . . . . . . . . . 354
LKM Detection Utilities . . . . . . . . . . . . . . . . . . . . . 355
So What? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

14 Analyzing Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Finding Network-Based Evidence . . . . . . . . . . . . . . . . . . 360
Tools for Network Traffic Analysis . . . . . . . . . . . . . . . 360
Reviewing Network Traffic Collected with tcpdump . . . . 361
Generating Session Data with tcptrace . . . . . . . . . . . . . . . . 362
Parsing a Capture File . . . . . . . . . . . . . . . . . . . . . . 362
Interpreting the tcptrace Output . . . . . . . . . . . . . . . . 363
Using Snort to Extract Event Data . . . . . . . . . . . . . . . 364
Checking for SYN Packets . . . . . . . . . . . . . . . . . . . . 365
Interpreting the Snort Output . . . . . . . . . . . . . . . . . . 369
Reassembling Sessions Using tcpflow . . . . . . . . . . . . . . . . 369
Focusing on FTP Sessions . . . . . . . . . . . . . . . . . . . . 369
Interpreting the tcpflow Output . . . . . . . . . . . . . . . . 370
Reviewing SSH Sessions . . . . . . . . . . . . . . . . . . . . . 374
Reassembling Sessions Using Ethereal . . . . . . . . . . . . . . . . 376
Refining tcpdump Filters . . . . . . . . . . . . . . . . . . . . . . . . 378
So What? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

15 Investigating Hacker Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 385
What Are the Goals of Tool Analysis? . . . . . . . . . . . . . . . . 386
How Files Are Compiled . . . . . . . . . . . . . . . . . . . . . . . . 386
Statically Linked Programs . . . . . . . . . . . . . . . . . . . 387
Dynamically Linked Programs . . . . . . . . . . . . . . . . . 387
Programs Compiled with Debug Options . . . . . . . . . . . 387
Stripped Programs . . . . . . . . . . . . . . . . . . . . . . . . 389
Programs Packed with UPX . . . . . . . . . . . . . . . . . . . 389
Compilation Techniques and File Analysis . . . . . . . . . . 392
Static Analysis of a Hacker Tool . . . . . . . . . . . . . . . . . . . . 394
Determining the Type of File . . . . . . . . . . . . . . . . . . 394
Reviewing the ASCII and Unicode Strings . . . . . . . . . . 395
Performing Online Research . . . . . . . . . . . . . . . . . . . 397
Performing Source Code Review . . . . . . . . . . . . . . . . 398
Dynamic Analysis of a Hacker Tool . . . . . . . . . . . . . . . . . 399
Creating the Sandbox Environment . . . . . . . . . . . . . . 399
Dynamic Analysis on a Unix System . . . . . . . . . . . . . . 401
Dynamic Analysis on a Windows System . . . . . . . . . . . 409
So What? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

16 Investigating Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Obtaining Volatile Data Prior to Powering Down . . . . . . . . . . 416
Establishing a Router Connection . . . . . . . . . . . . . . . . 417
Recording System Time . . . . . . . . . . . . . . . . . . . . . 417
Determining Who Is Logged On . . . . . . . . . . . . . . . . 417
Determining the Router’s Uptime . . . . . . . . . . . . . . . 418
Determining Listening Sockets . . . . . . . . . . . . . . . . . 419
Saving the Router Configuration . . . . . . . . . . . . . . . . 420
Reviewing the Routing Table . . . . . . . . . . . . . . . . . . 421
Checking Interface Configurations . . . . . . . . . . . . . . . 422
Viewing the ARP Cache . . . . . . . . . . . . . . . . . . . . . 423
Finding the Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Handling Direct-Compromise Incidents . . . . . . . . . . . . 423
Handling Routing Table Manipulation Incidents . . . . . . . 425
Handling Theft of Information Incidents . . . . . . . . . . . 426
Handling Denial-of-Service (DoS) Attacks . . . . . . . . . . . 426
Using Routers as Response Tools . . . . . . . . . . . . . . . . . . . 428
Understanding Access Control Lists (ACLs) . . . . . . . . . 428
Monitoring with Routers . . . . . . . . . . . . . . . . . . . . . 430
Responding to DDoS Attacks . . . . . . . . . . . . . . . . . . 431
So What? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

17 Writing Computer Forensic Reports . . . . . . . . . . . . . . . . . . . . . 435
What Is a Computer Forensics Report? . . . . . . . . . . . . . . . . 436
What Is an Expert Report? . . . . . . . . . . . . . . . . . . . . 436
Report Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Report Writing Guidelines . . . . . . . . . . . . . . . . . . . . . . . 439
Document Investigative Steps Immediately and Clearly . . . 439
Know the Goals of Your Analysis . . . . . . . . . . . . . . . . 440
Organize Your Report . . . . . . . . . . . . . . . . . . . . . . 441
Follow a Template . . . . . . . . . . . . . . . . . . . . . . . . 441
Use Consistent Identifiers . . . . . . . . . . . . . . . . . . . . 441
Use Attachments and Appendixes . . . . . . . . . . . . . . . 442
Have Co-workers Read Your Reports . . . . . . . . . . . . . 442
Use MD5 Hashes . . . . . . . . . . . . . . . . . . . . . . . . . 443
Include Metadata . . . . . . . . . . . . . . . . . . . . . . . . . 443
A Template for Computer Forensic Reports . . . . . . . . . . . . . 444
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . 445
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Computer Evidence Analyzed . . . . . . . . . . . . . . . . . 446
Relevant Findings . . . . . . . . . . . . . . . . . . . . . . . . . 447
Supporting Details . . . . . . . . . . . . . . . . . . . . . . . . 448
Investigative Leads . . . . . . . . . . . . . . . . . . . . . . . . 451
Additional Report Subsections . . . . . . . . . . . . . . . . . 451
So What? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Part IV
Appendixes

A Answers to Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Chapter 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Chapter 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Chapter 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Chapter 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Chapter 13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Chapter 15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Chapter 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Chapter 17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

B Incident Response Forms . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
FOREWORD
For over thirteen years as an FBI special agent and now as an executive vice president of a consulting and technical services firm, I have been involved in the prevention, detection, investigation, and collection of evidence of high technology crimes. As an agent with the FBI, I investigated computer intrusions, denial-of-service attacks, online child pornography, PBX/voice mail fraud, copyright violations, malicious code/viruses/worms, and Internet fraud. As a certified FBI Laboratory Computer Analysis and Response Team (CART) Forensic Field Examiner, I collected computer/electronic evidence for all types of investigations, including those mentioned above, plus public corruption, drug trafficking, bank robberies, organized crime, and white-collar crime. As the supervisory special agent serving as the program manager of the Computer Investigations Unit at FBI Headquarters, I oversaw 56 field offices in the area of computer crime. As the training developer and program manager for the National Infrastructure Protection Center’s Training and Continuing Education Unit (where I saw firsthand the knowledge, skill, and expertise of Kevin Mandia), I created and co-developed computer crime investigations, network investigations, and infrastructure protection curricula. Finally, as a field supervisor, I oversaw day-to-day investigative operations for computer intrusions, denial-of-service attacks, malicious code/viruses/worms, and illegal data intercepts (sniffers) involving counterintelligence, cyber-terrorism, criminal matters, espionage, and private-public partnership programs to help prevent computer crime through liaison efforts such as InfraGard and ANSIR (Awareness of National Security Incidents and Response).

From my experience I can say that external and internal intrusions will continue even in robust security infrastructures of the best government and industry systems. The post 9-11 environment reminds us all that the global threat to our national and cyber security is restrained only by criminal and terrorist groups’ imagination of how to create destruction. During my time at the FBI, I saw Robert Hanssen use the FBI’s computer system effectively to commit espionage against the United States. And terrorist groups seek out hacking tools and techniques for illicit purposes. The need for incident response and computer forensics will expand because of the ubiquitous nature of network computing and the motivation of criminals, hostile intelligence services, and terrorists.

The good news is that perimeter security technologies are improving in effectiveness and analysis. So too is computer forensic technology. But the x-factor is still the human being conducting and analyzing the computer data. Whether you are a law enforcement officer, private investigator, information security professional, consultant, or other security professional, the key to successfully preventing and responding to any cyber threat is the sound identification, collection, preservation, and analysis of computer evidence. This book will provide you with the necessary knowledge, skills, and tools to effectively respond to an incident, forensically collect computer evidence, and analyze the appropriate logs and files. A positive by-product for any organization is improving organizational processes from such incidents or incorporating lessons learned from the authors before an incident occurs. An ounce of prevention is always worth a pound of cure.

In addition, this book will aid the corporate or law enforcement investigator in proactive online investigations, such as undercover operations, by obtaining knowledge of where you can leave footprints and possibly alert the target of an investigation. Today, the jewels of a company are often located in computerized files vulnerable to knowledgeable insiders or savvy computer hackers who will extort you, sell the information, and/or post it to the Internet. Of course, if you are dealing with sensitive circumstances, you should consult your security department, legal counsel, and/or a knowledgeable computer forensic consulting firm, preferably with law enforcement or intelligence experience, and/or a law enforcement agency before you undertake such an endeavor.

In short, every information security professional—whether a systems administrator, investigator, consultant, or law enforcement official—should adhere to the advice in this book. Information systems are at risk, internally and externally, and a well-trained, coordinated prevention, incident response, and forensic analysis team is necessary for all organizations to protect themselves and their assets from any potential cyber threat.

Scott K. Larson
Executive Vice President
Stroz Friedberg, LLC
www.strozllc.com

Scott Larson, former FBI special agent, is an executive vice president and managing director of the Minneapolis Office for Stroz Friedberg, LLC. Stroz Friedberg, LLC is a leading consulting and technical services firm specializing in cybercrime response, computer forensics, and computer security.
ACKNOWLEDGMENTS
We would like to thank the following individuals: Curtis Rose, who is still the most methodical and meticulous computer investigator we know; Keith Jones for carrying the torch; Richard Bejtlich for writing two chapters in this book and being a natural genius who absorbs knowledge faster than anyone we know; Julie Darmstadt for doing all the tasks we simply did not or could not get to; the 1988 Lafayette College football coaching staff; Michele Dempsey for testing the boundaries of creativity and intensity, all the while shining brighter than the sun; Dave Pahanish for writing great songs; Bruce Springsteen for going on tour; Rick for all the great photos; Tim McNight for showing up at places where Kevin often goes; Mrs. Eleanor Poplar for having a great beach house and the kind heart to let Kevin use it; Matt Frazier for accepting the position of most trusted advisor; Jay Miller for his philosophical discussions and crazy eating habits; Stephanie for being a great confidant and yet-undiscovered literary genius; Brian Hutchison for being an example of dedication to doing what you should be doing; Tom Mason for plugging in and keeping on; Laine Fast for keeping the red pen in her back pocket where it exploded; Mike Dietszch for losing to Kevin again; and Dave Poplar, who provided timely, succinct legal advice on a moment’s notice on dozens of occasions.