A comprehensive and broad introduction to computer and intrusion forensics, this practical book helps you master the tools, techniques and underlying concepts you need to know, covering the areas of law enforcement, national security and the private sector. The book presents case studies from around the world, and treats key emerging areas such as stegoforensics, image identification, authorship categorization, link discovery and data mining. You also learn the principles and processes for effectively handling evidence from digital sources and law enforcement considerations in dealing with computer-related crimes, as well as how the effectiveness of computer forensics procedures may be influenced by organizational security policy. The book opens with a comprehensive introduction to computer and intrusion forensics and relates them to computer security in general and computer network security. It details the current practice of computer forensics and its role in combating computer crime, and examines the relationship between intrusion detection and intrusion forensics. What’s more, the book explores the most important new areas for future research in computer forensics. This leading-edge resource is an indispensable reference for working professionals and post-graduate students alike. Computer and Intrusion Forensics 4 Computer and Intrusion Forensics 4 Copyright 5 Contents 6 Foreword by Eugene Spafford 12 Preface 18 Acknowledgments 20 Disclaimer 22 1 Computer Crime, Computer Forensics, and Computer Security. 23 1.1 Introduction 23 1.2 Human behavior in the electronic age 26 1.3 The nature of computer crime 28 1.4 Establishing a case in computer forensics 34 1.4.1 Computer forensic analysis within the forensic tradition 36 1.4.2 The nature of digital evidence 43 1.4.3 Retrieval and analysis of digital evidence 45 1.4.4 Sources of digital evidence 49 1.5 Legal considerations 51 1.6 Computer security and its relationship to computer forensics 53 1.6.1 Basic communications on the Internet 54 1.6.2 Computer security and computer forensics 57 1.7 Overview of the following chapters 59 References 61 2 Current Practice 63 2.1 Introduction 63 2.2 Electronic evidence 64 2.2.1 Secure boot, write blockers and forensic platforms 66 2.2.2 Disk file organization 68 2.2.3 Disk and file imaging and analysis 71 2.2.4 File deletion, media sanitization 79 2.2.5 Mobile telephones, PDAs 81 2.2.6 Discovery of electronic evidence 83 2.3 Forensic tools 85 2.3.1 EnCase 89 2.3.2 ILook Investigator 91 2.3.3 CFIT1 94 2.4 Emerging procedures and standards 98 2.4.1 Seizure and analysis of electronic evidence 99 2.4.2 National and international standards 108 2.5 Computer crime legislation and computer forensics 112 2.5.1 Council of Europe Convention on Cybercrime and other international activities 112 2.5.2 Carnivore and RIPA 116 2.5.3 Antiterrorism legislation 120 2.6 Networks and intrusion forensics 125 References 126 3 Computer Forensics in Law Enforcement and National Security 135 3.1 The origins and history of computer forensics 135 3.2 The role of computer forensics in law enforcement 139 3.3 Principles of evidence 143 3.3.1 Jurisdictional issues 145 3.3.2 Forensic principles and methodologies 145 3.4 Computer forensics model for law enforcement 150 3.4.1 Computer forensic ¡a secure, analyze, present ( CFSAP) model 150 3.5 Forensic examination 155 3.5.1 Procedures 155 3.5.2 Analysis 165 3.5.3 Presentation 168 3.6 Forensic resources and tools 169 3.6.1 Operating systems 169 3.6.2 Duplication 171 3.6.3 Authentication 174 3.6.4 Search 175 3.6.5 Analysis 176 3.6.6 File viewers 181 3.7 Competencies and certification 182 3.7.1 Training courses 185 3.7.2 Certification 186 3.8 Computer forensics and national security 186 3.8.1 National security 187 3.8.2 Critical infrastructure protection 189 3.8.3 National security computer forensic organizations 190 References 191 4 Computer Forensics in Forensic Accounting 197 4.1 Auditing and fraud detection 197 4.1.1 Detecting fraud ¡a the auditor and technology 198 4.2 Defining fraudulent activity 199 4.2.1 What is fraud? 200 4.2.2 Internal fraud versus external fraud 202 4.2.3 Understanding fraudulent behavior 205 4.3 Technology and fraud detection 206 4.3.1 Data mining and fraud detection 209 4.3.2 Digit analysis and fraud detection 210 4.3.3 Fraud detection tools 211 4.4 Fraud detection techniques 212 4.4.1 Fraud detection through statistical analysis 213 4.4.2 Fraud detection through pattern and relationship analysis 222 4.4.3 Dealing with vagueness in fraud detection 226 4.4.4 Signatures in fraud detection 227 4.5 Visual analysis techniques 228 4.5.1 Link or relationship analysis 229 4.5.2 Time- line analysis 231 4.5.3 Clustering 232 4.6 Building a fraud analysis model 233 4.6.1 Stage 1: Define objectives 234 4.6.2 Stage 2: Environmental scan 236 4.6.3 Stage 3: Data acquisition 237 4.6.4 Stage 4: Define fraud rules 238 4.6.5 Stage 5: Develop analysis methodology 239 4.6.6 Stage 6: Data analysis 239 4.6.7 Stage 7: Review results 240 References 241 Appendix 4A 243 5 Case Studies 245 5.1 Introduction 245 5.2 The case of ¡®¡® Little Nicky¡ ̄¡ ̄ Scarfo 245 5.2.1 The legal challenge 247 5.2.2 Keystroke logging system 248 5.3 The case of ¡®¡® El Griton¡ ̄¡ ̄ 251 5.3.1 Surveillance on Harvard¡ ̄s computer network 252 5.3.2 Identification of the intruder: Julio Cesar Ardita 253 5.3.3 Targets of Ardita¡ ̄s activities 254 5.4 Melissa 258 5.4.1 A word on macro viruses 258 5.4.2 The virus 259 5.4.3 Tracking the author 261 5.5 The World Trade Center bombing ( 1993) and Operation Oplan Bojinka 264 5.6 Other cases 266 5.6.1 Testing computer forensics in court 266 5.6.2 The case of the tender document 270 References 275 6 Intrusion Detection and Intrusion Forensics 279 6.1 Intrusion detection, computer forensics, and information warfare 279 6.2 Intrusion detection systems 286 6.2.1 The evolution of IDS 286 6.2.2 IDS in practice 289 6.2.3 IDS interoperability and correlation 296 6.3 Analyzing computer intrusions 298 6.3.1 Event log analysis 300 6.3.2 Time- lining 302 6.4 Network security 307 6.4.1 Defense in depth 307 6.4.2 Monitoring of computer networks and systems 310 6.4.3 Attack types, attacks, and system vulnerabilities 317 6.5 Intrusion forensics 325 6.5.1 Incident response and investigation 325 6.5.2 Analysis of an attack 328 6.5.3 A case study ¡a security in cyberspace 330 6.6 Future directions for IDS and intrusion forensics 332 References 334 7 Research Directions and Future Developments 341 7.1 Introduction 341 7.2 Forensic data mining ¡a finding useful patterns in evidence 345 7.3 Text categorization 349 7.4 Authorship attribution: identifying e- mail authors 353 7.5 Association rule mining—application to investigative profiling 357 7.6 Evidence extraction, link analysis, and link discovery 361 7.6.1 Evidence extraction and link analysis 362 7.6.2 Link discovery 365 7.7 Stegoforensic analysis 367 7.8 Image mining 371 7.9 Cryptography and cryptanalysis 377 7.10 The future ¡a society and technology 382 References 386 Acronyms 391 About the Authors 401 Index 405
A comprehensive and broad introduction to computer and intrusion forensics, this practical book helps you master the tools, techniques and underlying concepts you need to know, covering the areas of law enforcement, national security and corporate fraud. The book presents case studies from around the world, and treats key emerging areas such as stego-forensics, image identification, authorship categorization, link discovery and data mining. You also learn the principles and processes for effectively handling evidence from digital sources and law enforcement considerations in dealing with computer-related crimes, as well as how the effectiveness of computer forensics procedures may be influenced by organizational security policy.
The book opens with a comprehensive introduction to computer and intrusion forensics and relates them to computer security in general and computer network security. It details the current practice of computer forensics and its role in combating computer crime, and examines the relationship between intrusion detection and intrusion forensics. What's more, the book explores the most important new areas for future research in computer forensics. This leading-edge resource is an indispensable reference for working professionals and post-graduate students alike.
A comprehensive and broad introduction to computer and intrusion forensics, this practical work is designed to help you master the tools, techniques and underlying concepts you need to know, covering the areas of law enforcement, national security and the private sector. The text presents case studies from around the world, and treats key emerging areas such as stegoforensics, image identification, authorship categorization, link discovery and data mining. It also covers the principles and processes for handling evidence from digital sources effectively and law enforcement considerations in dealing with computer-related crimes, as well as how the effectiveness of computer forensics procedures may be influenced by organizational security policy. Annotation A Comprehensive And Broad Introduction To Computer And Intrusion Forensics, Covering The Areas Of Law Enforcement, National Security And Corporate Fraud, This Practical Book Helps Professionals Understand Case Studies From Around The World, And Treats Key Emerging Areas Such As Stegoforensics, Image Identification, Authorship Categorization, And Machine Learning. A comprehensive and broad introduction to computer and intrusion forensics, designed to help you master the tools, techniques and underlying concepts. It presents case studies from around the world, and covers the areas of law enforcement, national security and the private sector.