Abstract

Foreword by Michael Anderson-New Technologies, Inc., Former Special Agent IRS
Preface
What This Book is About
Who Should Read This Book

THE NATURE OF CYBER CRIME
Cyber Crime as We Enter the 21st Century
What is Cyber Crime?
How Does Today's Cyber Crime Differ From the Hacker Exploits of Yesterday?
The Reality of Information Warfare in the Corporate Environment
Industrial Espionage-Hackers For Hire
Public Law Enforcement's Role in Cyber Crime Investigations
The Role of Private Cyber Crime Investigators and Security Consultants in Investigations
The Potential Impacts of Cyber Crime
Data Thieves
Misinformation
Denial of Service
Rogue Code Attacks
Viruses, Trojan Horses and Worms
Logic Bombs
Responding to Rogue Code Attacks
Protection of Extended Mission Critical Systems
Surgical Strikes and Shotgun Blasts
Symptoms of a Surgical Strike
Masquerading
Case Study: The Case of the Cyber Surgeon
Symptoms of Shotgun Blasts
Yours-Mailbombs
Data Floods

INVESTIGATING CYBER CRIME
A Framework for Conducting an Investigation of a Security
Managing Intrusions
Why We Need an Investigative Framework
What Should an Investigative Framework Provide?
Drawbacks for the Corporate Investigator
A Generalized Investigative Framework for Corporate Investigators
Look for the Hidden Flaw
The Human Aspects of Cyber Crime Investigation
Motive, Means and Opportunity
The Difference Between and Proof
Look for the Logical Error
Vanity
Analyzing the Remnants of a Security
What We Mean by a Computer Security Incident
We Never Get the Call Soon Enough
Cyber Forensic Analysis-Computer Crimes Involving Networks
Forensic Analysis-Computer Crimes at the
Software Forensic Analysis-Who Wrote the Code?
The Limitations of System Logs
The Logs May Tell the Tale-But There are No Logs
Multiple Log Analysis
Launching an Investigation
Securing the Virtual Crime Scene
Collecting and Preserving Evidence
Interrogating and Interviewing Suspects and Witnesses
Developing and Testing an Intrusion Hypothesis
Investigating Alternative Explanations
You May Never Catch the Culprit
Damage Control and Containment
Determining if a Crime Has Taken Place
Statistically, You Probably Don't Have a Crime
Believe Your Indications
What Constitutes Evidence?
Using Tools to Verify That a Crime Has Occurred
Unix Crash Dump Analysis
Recovering Data From Damaged Disks
Examining Logs-Special Tools Can Help
Clues From Witness Interviews
Maintaining Crime Scene Integrity Until You Make a Determination
Case Study: The Case of the CAD/CAM Cad
Case Study: The Case of the Client-Server
Handling the Crime in Progress
Intrusions-The Intruder is Still On-Line
Should You Trap, Shut Down or Scare Off the Intruder?
Trap and Trace Techniques
Legal Issues in Trap and Trace
Stinging-Goat Files and Honey Pots
It Never Happened-Cover-Ups are Common
Case Study: The Case of the Innocent Intruder
The Importance of Well Documented Evidence
Maintaining a Chain of Custody
Politically Incorrect-Understanding Why People Cover Up for a Cyber Crook
Involving the Authorities
Who Has Jurisdiction?
What Happens When You Involve Law Enforcement Agencies?
Making the Decision
When an Investigation Can't Continue
When and Why Should You Stop an Investigation?
Legal Liability and Fiduciary Duty
Political Issues

PREPARING FOR CYBER CRIME
Building a Corporate Cyber
Why Do Organizations Need a Cyber SWAT Team?
What Does a Cyber SWAT Team Do?
Who Belongs on a Cyber SWAT Team?
Training Investigative Teams and Crime
The Importance of Formal Policies
Who Owns the E-mail?
The Disk Belongs to the Organization, But What About the Data?
The Privacy Act(s)
Wiretap Laws

USING THE FORENSIC UTILITIES
Preface To This Section-How the Section is Organized
Preserving Evidence-First Steps
Marking Evidence With an MD5 Hash and M-Crypt
Taking a Hard Disk Inventory with FileList
Using SafeBack 2.0 To Take an Image of a Fixed Disk
Searching For Hidden Information
The Intelligent Filter
IP Filter
GetSlack
GetFree
SeeJunk
Text Search Pro
Using the Norton Utilities
Handling Floppy Disks
AnaDisk
Copying Floppies to a Work Disk
Disks Within Disks
