Slashdot Mirror


Computer Forensics

Craig Maloney writes "Many Slashdot readers know how to secure a network, and many know how to determine if a security breach has taken place. Fewer readers, though, would know how to handle a security breach if corporate assets were involved. How would you cooperate with law enforcement when a crime has been committed on a computer?" For more questions, and the rest of Maloney's review of Warren G. Kruse II and Jay G. Heiser's Computer Forensics, read on below.

Computer Forensics
author: Warren G. Kruse II and Jay G. Heiser
pages: 392
publisher: Addison Wesley
rating: 8/10
reviewer: Craig Maloney
ISBN: 0201707195
summary: A good reference for what to do when computer crime happens

How do you get the evidence off of a computer while ensuring that it can withstand a defense lawyer's scrutiny? Maybe you would just unplug the machine and put it in storage awaiting a detective's arrival, but is that what you should do? What if the evidence is on a production server that can't simply be unplugged and put into storage? What if that evidence is slowly being erased as files are created and deleted on that server? How do you help build the case against a computer criminal? Hopefully you'll never have to worry about computer crime in your home or workplace, but if you do, Computer Forensics will be an asset to your part of the investigation.

Who is this book for?

Computer crime isn't simple: it can range from damage done by script kiddies, to corporate espionage by disgruntled employees, to sophisticated multi-homed attacks by skilled crackers. Computer Forensics tries hard to cover all of these areas. The book includes a chapter on laptop hardware, chapters on data hiding and encryption, and further chapters on putting evidence together and dealing with law enforcement. While these topics may interest the Slashdot crowd, Computer Forensics focuses more on broad topics of interest to computer detectives who must get up to speed quickly with computer crimes and computer evidence gathering.

Several chapters will be downright boring for anyone with a modicum of computer experience: finding out where e-mail is stored on Windows and Linux machines, or learning what a rootkit is and what it does, will be pedestrian for many readers. Nestled between the necessary-but-pedestrian topics, though, are some very useful tools. The authors use netcat with tar to copy files between machines without disturbing the modification times (something I would never have thought to use). Novice users will find a wealth of tools and examples in these chapters. The tools used in the book tend toward open source and free software, and rely heavily on Linux as the Swiss Army knife for handling file systems and files without disturbing them. Any reader should be able to put together a decent toolkit from this book.
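The tar-over-netcat trick the review mentions is worth seeing in working form. The script below is an added example, not code from the book or from the reviewer; it builds a small constructed sample tree with old modification times, copies it with tar through a pipe (the netcat invocations that would replace the pipe on a real case are given in a comment), and checks that every file's mtime survived, contrasting this with a plain `cp -r`, which stamps the copies with the current time. The hostname, port and file contents are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): copy a directory tree with tar so that
# modification times survive the copy, as the book's netcat+tar trick does
# over the network.
set -eu

mtime_of() {
    # GNU stat first, BSD stat as a fallback.
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Build a small constructed sample tree with known, old mtimes.
make_sample() {
    dir=$1
    mkdir -p "$dir/var/log"
    # Constructed log line and a hidden file of the kind an intruder leaves behind.
    printf 'Oct  3 04:12:07 host sshd[2211]: Accepted password for root from 10.0.0.5\n' \
        > "$dir/var/log/auth.log"
    printf '#!/bin/sh\n' > "$dir/var/log/.hidden.sh"
    touch -t 200310030412 "$dir/var/log/auth.log"
    touch -t 200310030415 "$dir/var/log/.hidden.sh"
}

# Copy with tar through a pipe. On a real case the pipe is the network
# (collector host 'collector' and port 3333 are assumed names):
#   evidence host:  tar cf - /var/log | nc -w 3 collector 3333
#   collector:      nc -l -p 3333 | tar xf -     (or "nc -l 3333" on BSD nc)
# tar restores each file's mtime on extraction; cp does not.
copy_with_tar() {
    src=$1; dst=$2
    mkdir -p "$dst"
    ( cd "$src" && tar cf - . ) | ( cd "$dst" && tar xf - )
}

# For contrast: a recursive cp stamps every copy with "now".
copy_with_cp() {
    src=$1; dst=$2
    mkdir -p "$dst"
    cp -r "$src"/. "$dst"/
}

# Returns 0 when every regular file under src has the same mtime under dst.
mtimes_match() {
    src=$1; dst=$2
    ( cd "$src" && find . -type f ) | while IFS= read -r f; do
        [ "$(mtime_of "$src/$f")" = "$(mtime_of "$dst/$f")" ] || exit 1
    done
}

demo() {
    work=$(mktemp -d)
    make_sample "$work/src"
    copy_with_tar "$work/src" "$work/tar_copy"
    copy_with_cp  "$work/src" "$work/cp_copy"
    if mtimes_match "$work/src" "$work/tar_copy"; then
        echo "tar copy: modification times preserved"
    fi
    if ! mtimes_match "$work/src" "$work/cp_copy"; then
        echo "cp -r copy: modification times changed"
    fi
    rm -rf "$work"
}

demo
```

Two caveats a practitioner will want: the copy preserves the mtimes of the copies, but reading the originals still updates their access times on the evidence host unless the filesystem is mounted read-only or with noatime, and plain netcat carries the archive in the clear with no integrity check, so hash the stream (or the extracted tree) on both ends and record the hashes before relying on the copy.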

Making it all work

Putting together a good forensic kit is all fine and good, but making sure your evidence holds up to the scrutiny of a high-powered, high-priced defense lawyer is much more important. The last chapter of Computer Forensics gives a brief introduction to the criminal justice system: the authors touch on notifying law enforcement agencies, search warrants, probable cause, interviews, subpoenas, dollar-loss guidelines, and testifying as an expert witness, among other legal topics. The appendices contain checklists, flowcharts, and an incident report form to aid investigation and evidence gathering. These are invaluable resources for the administrator of any public-facing machine who needs to deal with law enforcement.

Conclusion

Dealing with courts and law enforcement may not be at the forefront of any administrator's job, but it is a reality every administrator needs to be aware of. Computer Forensics will at least make administrators more aware of what their legal options are, and of the form in which gathered forensic data needs to be presented as evidence. Computer detectives will find a good, if rudimentary, example of what to look for when investigating a computer crime scene. This may not be the most comprehensive book on the subject of computer crime, but it will point you in the right direction should you ever have to investigate one.


  1. Outside the U.S. by Bingo+Foo · · Score: 4, Interesting

    In other countries, this book is titled, How to Avoid a Forensic Data Trail on Computers You Compromise.

    --
    taken! (by Davidleeroth) Thanks Bingo Foo!
  2. More importantly... by Anonymous Coward · · Score: 1, Interesting

    ...any advice on how to make a computer resistant to computer forensics? I.e., how to be sure that any sensitive data will remain unrecoverable without a password, etc., in the case of my PC being stolen?

  3. Forensic Security by djrok212 · · Score: 5, Interesting

    Many financial firms, including the one where I work, have instituted internal forensic security policies to help limit corporate liability. In our case, we have caught and successfully prosecuted employees for pornography on corporate assets (including child pornography in one case).

    There are designated employees on the forensic team in each department who are responsible for witnessing the process and documenting the chain of custody for data and items.

    We've invested in specific equipment, including network sniffers (other than those used by the network group), hard drive replicators, log books, and materials for collection and storage of evidence.

    Everything has a chain of custody and is then turned over to the proper authorities.

    As far as the law is concerned, since the employee does not have a right or expectation of privacy when working on a corporate asset, everything we take is completely legal. As long as we maintain an effective chain of custody, it will likely hold up in court.

    Just my two cents. Your mileage may vary.

    1. Re:Forensic Security by arnie_apesacrappin · · Score: 2, Interesting
      > do you mean in court or just fired their ass?

      The two times I've had to provide evidence to HR of people using company assets to view porn, both employees were fired.

      > but what exactly are the legal repercussions for looking at juicyhoes.com for example?

      In the above instances (at two different companies) viewing adult content at work was against a written policy. Employees were required to acknowledge the policy when hired.

      > Were you ever actually challenged in court?

      We weren't. Both people basically gave up when presented with the proxy logs.

      --

      Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP
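The chain-of-custody record that the comment above describes is, at its simplest, a log of who held the evidence, when, and a hash proving the bytes did not change along the way. The script below is an added example, not code from the book or from either commenter; it hashes an evidence file at acquisition, appends one line per handoff, and re-verifies the file against the recorded hash before it leaves your hands. The evidence file, custodian names and actions are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book or the commenters): a minimal
# chain-of-custody log for an evidence file. Every handoff appends one
# line carrying the file's SHA-256, so any later custodian can prove
# the bytes are unchanged since acquisition.
set -eu

sha256_of() {
    # coreutils sha256sum first, perl shasum as a fallback (macOS).
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# coc_record LOG EVIDENCE CUSTODIAN ACTION
# Appends: UTC timestamp | sha256 | custodian | action | file
coc_record() {
    log=$1; ev=$2; who=$3; what=$4
    printf '%s|%s|%s|%s|%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(sha256_of "$ev")" "$who" "$what" "$ev" \
        >> "$log"
}

# coc_verify LOG EVIDENCE
# Returns 0 only if the file's current hash equals the hash recorded at
# acquisition (first line) and every later entry recorded that same hash.
coc_verify() {
    log=$1; ev=$2
    [ -s "$log" ] || return 1
    first=$(head -n 1 "$log" | cut -d'|' -f2)
    now=$(sha256_of "$ev")
    [ "$first" = "$now" ] || return 1
    # All recorded hashes must be identical: any drift is a break in custody.
    [ "$(cut -d'|' -f2 "$log" | sort -u | wc -l | tr -d ' ')" = "1" ]
}

demo() {
    work=$(mktemp -d)
    img="$work/disk.img"; log="$work/custody.log"
    # Constructed stand-in for a drive image taken with a hardware replicator.
    printf 'constructed disk image bytes\n' > "$img"

    coc_record "$log" "$img" "analyst-1"     "acquired from workstation"
    coc_record "$log" "$img" "witness-dept"  "witnessed and sealed"
    coc_record "$log" "$img" "security-dept" "received for handover to police"

    if coc_verify "$log" "$img"; then echo "custody intact:"; cat "$log"; fi

    # Any change to the image, even one byte, breaks verification.
    printf 'x' >> "$img"
    if ! coc_verify "$log" "$img"; then echo "custody BROKEN: image hash no longer matches"; fi
    rm -rf "$work"
}

demo
```

The log is only as trustworthy as its storage: keep it off the evidence host (the physical log book the comment mentions, or a copy signed and held by the witness), and re-run the verification both before analysis and at the moment of handover to law enforcement so each custodian can attest to the hash they received.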

  4. Been there, done that. by rylin · · Score: 5, Interesting

    Recently, I was contacted by the local PD in regards to a huge number of stolen CCs being used from our IP-range (Internet Café).
    After getting a list of specific timestamps (along with IP-addresses), I was able to figure out who the culprit was.
    That said, the man-hours I put into the whole thing seem to have been for nothing.
    The PD won't do jack shit - too little resources, they say - which is why I find it funny that they can't even send a unit to pick up the fraudsters when they're actually on-site (yet they can be seen parading the streets, looking for minors consuming alcohol).

    Just because law enforcement want your help doesn't mean they'll do anything - even if you virtually hand them the crooks on a silver platter.
    Then again, things might be different elsewhere.

  5. An actual example of corporate breaches. by pjbass · · Score: 4, Interesting

    I work at a large semiconductor company (not to name names, but a really big, US, SC-based one) that had a recently fired employee wreak havoc on one of the factories' databases as a result of his termination. Basically, he used his not-yet-cancelled remote access and deleted a critical DB. Now, this isn't hacking in the sense of rooting a box through a remote exploit, but it's malicious intent nonetheless on computer systems. It was obvious what happened (the factory stopped running), and very quickly we were able to track down the last few commands logged, where they came from, etc., etc. How it was handled was actually an FBI case. We turned it over to the security department at our company, and they worked with the FBI; we were asked questions by the men in black, and this person was eventually arrested and put away in a dark, dank hole.

    Not sure if this is the norm, but I'd figure when corporations and expensive IP is involved, government-sanctioned agencies will be in the forefront of people investigating, IMHO.

  6. It's not easy by penguinoid · · Score: 2, Interesting

    The problem with computer crimes is that they are not easy to track. On a regular PC, a cracker could break in and remove any evidence (on that PC) that the computer was ever hacked. You might catch him if you happen to be looking while he is busy, but after he is finished, there is not much you can do.

    There are, however, some hardware solutions, namely, to keep track of everything that happens (this is expensive!). Software could also do that, so long as it cannot be hacked. Overall, I think the best thing to do is to keep a backup inaccessible from the network, and hope no sensitive information gets stolen.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  7. Re:Enterprise file forensics by ikewillis · · Score: 3, Interesting
    For the rest of us there's always Wietse Venema's tool, The Coroner's Toolkit

    On FreeBSD, it's all about mtree...

  8. Valve by FiReaNGeL · · Score: 4, Interesting

    In the case of the HL2 code theft, Valve got lucky; they just had to wait for the hacker's ego to blow out of proportion due to the massive coverage. He emailed them. Several times. He went to a meeting for an 'interview' for a 'job'. Thank god, most hackers (as in illicit network infiltration) / criminals eventually make mistakes. In this particular case, it was pure dumbness, however. Imagine the scene:

    "Honey, you know the company that I (big F word, past tense) over, well, they're offering me a JOB!" "Great! When are we moving?"
    Heh.
    past /. coverage
  9. Very popular toolkit by jgercken · · Score: 2, Interesting
    --
    Never ascribe to malice what can be adequately attributed to ignorance. -Napoleon
  10. this is an old ass book.. by Anonymous Coward · · Score: 2, Interesting


    Why the review now?

  11. good point, just depends on the PD by Anonymous Coward · · Score: 1, Interesting

    Assuming there are drunk drivers on the road, that's a better use of their time than spending hours on your stolen CC. Odds are your CC was stolen overseas anyway.

    But in the little Texas town where my Mom lives, and had her identity stolen, the local PD took her case seriously and tracked down the perp in another state, and issued warrants. Not too many drunks and speeders in that little town, and since they got audited by the Dept of Justice and can't spend their time pulling over black and hispanic drivers for no reason like they used to in the good old days, they've retrained (or just fired all the good ol' boys) and I guess they have the resources to check out cybercrime.

  12. Re:Forensics used the other way by networkBoy · · Score: 2, Interesting

    Lock the hard drive. The ATA and SCSI specs both have provisions for locking the drive's electronics to disallow writes or reads of the disk's data. Your copy utility or machine will not work without these keys.
    HOW HDD LOCKING WORKS
    The above is a quick little write-up I did to explain to all the Xbox people who want to use/access the drive that ships with the Xbox (after they've ruined their MB or sold it on eBay) why they are really quite screwed. This is not definitive, but it is fairly accurate in what it says.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  13. FWIW2 by selil · · Score: 2, Interesting

    I really enjoyed the book myself when I read it this summer. As a compilation detailing computer law it was pretty good. Most of the tools I found to be aging or at a very low level. If you add in "Cybercrime" by Ralph D. Clifford, an excellent book on computer law, it opens a much broader picture. "Software Forensics" by Robert M. Slade is my current read and gets an interesting rating for now. "Computer Forensics" unfortunately is only part of the picture. With so much of the net existing in RAM and in the traffic between nodes, "Network Forensics" should be the next big topic. There has to be a way of taking dynamic bits and making static evidence. There are a few other things that are going to hold back the field of forensics. The fact that the commercial forensic tool vendors have been refusing to teach the defense attorneys or experts is very scary. This is a rapidly expanding field, very similar to how DNA expanded in the 70's and 80's.

    --
    --- Location Unknown
  14. Re:This is dangerous stuff to mess around with... by -strix- · · Score: 3, Interesting

    That's true. I took a computer forensics class at my school about a year and a half ago; it was a great class and this book was one of the ones we used. One of the main points our professor drove home was properly maintaining a chain of evidence. This is something that would be second nature to a criminal justice major but is pretty foreign to someone in computer science. As far as being a forensic investigator, I would look for a GIAC Certified Forensic Analyst certification. I know that a lot of people are dubious about how much stock they put in certifications, but this is really a good one. To date there are only 124 people who have obtained this certification. More info about it here: http://www.giac.org/GCFA.php