
Computer Forensics JumpStart

Second Edition

Michael G. Solomon

K Rudolph

Ed Tittel

Neil Broom

Diane Barrett


Dear Reader,

Thank you for choosing Computer Forensics JumpStart, Second Edition. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at nedde@wiley.com. If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,


Neil Edde

Vice President and Publisher

Sybex, an Imprint of Wiley

To begin with, I’d like to welcome Mary Kyle to our merry band, and to thank her for bulldogging this project in fine fashion. Thanks also to Kim Lindros, Agatha Kim, Jeff Kellum, and the rest of the Sybex/Wiley gang. Dearer to my heart, I’d like to thank my lovely wife, Dina, and my son, Gregory, for once again putting up with the old man when he’s in the throes of creating and finishing another book. You two make everything else worthwhile, and I’m really looking forward to a fun, frenetic, and distraction-free holiday season. Best to one and all, and thanks to our readers who provide the justification for all this learning and hard work. May it do much good, and very little harm!

—Ed Tittel

To God, who has richly blessed me in so many ways, and to my wife and best friend, Stacey.

—Michael G. Solomon

To Richard Kane

—K Rudolph

To my mother, you gave me everything. I love you.

—Neil Broom

Acknowledgments

The authors of this book are a sizable and rowdy crowd, including Michael G. Solomon, Diane Barrett, K Rudolph, Neil Broom, and Ed Tittel. We’ll start off by thanking each other for hanging together, rather than separately, in compiling this second edition. Next, we’d like to thank our able and capable project managers, Mary Kyle Inks and Kim Lindros, both of whom helped herd the rest of us cats across the finish line. To our Waterside agent, Carole Jelen, who helped put the deal together and shot trouble whenever and wherever she saw it: Thanks, and keep up the good work! After that, it’s time for the folks at Sybex/Wiley to take a bow and accept our thanks, too: Agatha Kim, our intrepid acquisitions editor; Stef Jones, our masterful development editor; Jenni Housh, our editorial assistant and Jill of all processes and procedures; Dassi Zeidel, our amazing production editor; as well as Pete Gaughan, our dazzling editorial manager. We’re sure there are plenty of others we would be thanking, if only we knew their names and roles. Please accept this shout-out, in lieu of something more personal and informed. Believe it or not, we are quite grateful! And finally, to all the vendors who contributed software, hardware, and even the rights to reproduce screenshots or photographs: Thanks for creating the technologies that helped to make this book possible and, we hope, its contents useful. We literally could not have done it without you.

—Ed Tittel

Thanks to the wonderful team that made this a fun and productive project. Mary did an outstanding job of managing the flow of tons of content and materials, as well as managing the authors and editors. Our technical editor, Neil, made all of our work better through his insightful comments and suggestions. And finally, Ed and K are both outstanding authors who make it all look easy. I’d love to work with this team again.

—Michael G. Solomon

This book would not have been possible without the support of Mary Kyle, Michael G. Solomon, Ed Tittel, Neil Broom, John B. Ippolito, Sam Carter, and Richard Kane. I am deeply grateful for their fantastic suggestions and unbelievable patience. I am fortunate and happy to be surrounded by such great people.

—K Rudolph

Thank you to my aunt, Jeanne Starnes, for your great advice, help, and love throughout the years. Special thanks to Gary Harbin for showing me how to build my first computer—look what you started. Bryan Bain, Lee Ann Bain, David Klukowski, Kenny Wilkins, and Doug Moore, you all made my first IT job great. Thank you for helping me get started in the field. Thanks to Brad Reninger and Will Dean for working so hard every day to make TRC successful. Your professionalism, dedication, and friendship are what make the company great. It is always a pleasure to work with legal professionals as dedicated as Jennifer Georges, Brian Saulnier, Hank Fellows, and Christine Tenley. Shauna Waters, thank you for always being upbeat and for teaching me how to sell. Thanks to the wonderful people at Intelligent Computer Solutions, especially Ezra Kohavi, Gonen Ravid, San Casas, Karen Benzakein, and Viviana Meneses, who help me stay on the cutting edge of new technology in this ever-changing field. Thank you, Amber Schroader and Shannon Honea at Paraben, for all the support. And finally, thank you to Ted Augustine and Chris Brown at Technology Pathways. Chris, you have been a great friend and a wonderful mentor.

—Neil Broom

About the Authors

Ed Tittel is a 28-year veteran of the IT industry. After spending his first seven years writing code (mostly for database engines and applications), he switched to a networking focus. After working for Excelan/Novell from 1987 to 1994, he became a full-time freelance writer, consultant, and trainer. He has contributed to more than 100 books on a variety of subjects, including the Sybex CISSP Study Guide, Fifth Edition, and many For Dummies titles. He also blogs regularly for TechTarget.com, and writes for a variety of IT certification-oriented Web sites.

Michael G. Solomon, CISSP, PMP, CISM, GSEC, is a full-time security speaker, consultant, and author specializing in achieving and maintaining secure IT environments. An IT professional and consultant since 1987, he has worked on projects for more than 100 major organizations and authored and contributed to numerous books and training courses. From 1998 to 2001, he was an instructor in the Kennesaw State University’s Computer Science and Information Sciences (CSIS) department, where he taught courses on software project management, C++ programming, computer organization and architecture, and data communications. Michael holds an M.S. in Mathematics and Computer Science from Emory University (1998), a B.S. in Computer Science from Kennesaw State University (1987), and is currently pursuing a Ph.D. in Computer Science and Informatics at Emory University. He has also contributed to various security certification books for LANWrights, including TICSA Training Guide (Que, 2002) and an accompanying Instructor Resource Kit (Que, 2002), CISSP Study Guide (Sybex, 2003), as well as Security+ Training Guide (Que, 2003). Michael coauthored Information Security Illuminated (Jones & Bartlett, 2005), Security+ Lab Guide (Sybex, 2005), Computer Forensics JumpStart (Sybex, 2005), PMP ExamCram2 (Que, 2005) and authored and provided the on-camera delivery of LearnKey’s CISSP Prep and PMP Prep e-Learning course.

K Rudolph is the founder and CIO (Chief Inspiration Officer) of Native Intelligence, Inc. She is a Certified Information Systems Security Professional (CISSP) with a degree from Johns Hopkins University. K creates entertaining educational materials that have been presented to more than 400,000 learners and translated into five languages. She has contributed to eight books on security topics including the Handbook of Information Security, Computer Security Handbook, System Forensics, Investigation, and Response, and NIST Special Publication 800–16, Information Technology Security Training Requirements: A Role- and Performance-Based Model. K has presented at numerous conferences, including the Computer Security Institute Security Exchange (CSI SX) Conference, CSI Annual Security Conferences, New York Cyber Security Conferences, and Information Assurance and Security Conferences held by the FISSEA, FIAC, and eGOV. She has been a speaker for Security Awareness Day events held by the Army, Census Bureau, DLA, IHS, IRS, NOAA, NRC, and the government of Johnson County, Kansas. K volunteers with (ISC)2’s Safe and Secure Online program, which brings awareness presentations for 11- to 14-year-olds to local schools. In March 2006, the Federal Information Systems Security Educators’ Association (FISSEA) honored K as the Security Educator of the Year. K is interested in just about everything, including contact juggling, mind mapping, storytelling, core work, aviation, teaching analogies, and photography.

Neil Broom is the President and Laboratory Director of Technical Resource Center, Inc. (www.trcglobal.com) in Atlanta, Georgia. TRC is the only private lab east of the Mississippi that has earned the prestigious ASCLD/LAB accreditation in the field of Digital Evidence (Computer Forensics) from the American Society of Crime Laboratory Directors/Laboratory Accreditation Board. Neil works as an expert witness, investigator, speaker, trainer, course director, and consultant in the fields of computer forensics, network and computer security, information assurance, and professional security testing. Neil has more than 15 years of experience providing investigative, technical, educational, and security services to the military, attorneys, law enforcement, the health care industry, financial institutions, and government agencies. Neil is a Certified Computer Examiner (CCE), Certified Information Systems Security Professional (CISSP), and Certified Fraud Examiner (CFE). He is a licensed Georgia private detective and private detective instructor. TRC is a licensed Georgia private detective agency. Neil has presented testimony as an expert witness many times. He has also provided training in the fields of computer forensics and information security to more than 3,000 students in the U.S. government, U.S. military, U.S. intelligence agencies, and Fortune 500 companies in the United States and abroad. Neil was the Chairman of the Digital Evidence Subcommittee for the International Association for Identification (IAI) and is a current member of the ASCLD/LAB Delegate Assembly. His past employment includes the U.S. Navy as a submariner, a law enforcement officer for the Gainesville Police Department, system administrator for the S1 Corporation, and a security trainer for Internet Security Systems (now a division of IBM).

Diane Barrett has been involved in the IT industry for about 20 years and has been active in education, security, and forensics for the past 10 years. She holds an M.S. degree in Technology with a specialization in Information Security and will be starting Ph.D. dissertation work shortly. Diane is currently a forensic trainer for Paraben and has been doing contract forensic work for the past several years in the Phoenix area. In addition to developing forensic curriculum for American Military University, she was the program champion for the Technology Forensics program at the University of Advancing Technology. She holds many industry certifications including CISSP, ISSMP, and DCFP. Diane has either coauthored or been the lead author on several computer forensics and security books. She is also a regular committee member for the Conference on Digital Forensics, Security and Law and presenter at Paraben’s Forensic Innovations Conference.

Introduction

Want to know what computer forensic examiners really do? This book covers the essentials of computer forensics, and it’s especially designed for those new to the field or who simply wish to learn more about undertaking this type of work. Many news stories and television shows highlight the role of forensic investigators in solving cases. It all seems so exciting, doesn’t it? Real computer forensics is not that different from what you see on TV. It is quite a bit less glamorous, but you’ll recognize many of the same steps in real-world work.

After a crime or incident that involves a computer occurs, a specialist trained in computer forensics examines the computer to find clues about what happened. That is the role of the computer forensic examiner. This specialist may work with law enforcement or with a corporate incident response team. Although the rules governing each activity can be dramatically different depending on who your client is, the approach to the investigation remains roughly the same.

This book covers the basic elements, concepts, tools, and common activities to equip you with a solid understanding of the field of computer forensics. Although this book is not a definitive training guide for specific forensic tools, you will learn about the most common tasks that you’ll encounter during any investigation. After reading this book, you will be able to participate in investigations and understand the process of finding, collecting, and analyzing the evidence gathered.

A heightened awareness of security in the wake of the attacks on September 11, 2001, has also given many nontechnical people an awareness of security issues previously known only in security specialist circles. Computers now play a central role in almost every kind of activity, both legal and illegal. The material in this book can be applied to both criminal investigations and corporate incident response. You don’t have to be a member of law enforcement to benefit from the material presented here. Nontechnical people can also benefit from this book because it covers the basic approach computer examiners take in an investigation.

If you like the introduction to computer forensics we present in this book, you can pursue the topic further in several ways. Most major forensic tools vendors offer training on their own products and teach how to use them in investigations. See Chapter 8, “Common Forensic Tools,” and Appendix D, “Forensic Tools,” for more information. Appendix B, “Forensic Resources,” contains many references to resources where you can obtain more information. If you decide to pursue computer forensic certification, Appendix C, “Forensic Certifications and More,” provides a list of common certifications and contact information for each. If your job involves computer investigations, this book can help you expand your knowledge and abilities. Keep it handy as a resource as you acquire more experience and knowledge. And good luck with your pursuit!

Who Should Read This Book

Anyone fulfilling, or aspiring to fulfill, the responsibilities of a computer forensic examiner can benefit from this book. Also, if you just want to know more about what computer forensic examiners do, this book will fill you in on the details. The material is organized to provide a high-level view of the process and methods used in an investigation. Both law enforcement personnel and non-law enforcement can benefit from the topics presented here.

Because you are reading this introduction, you must have some interest in computer forensics. Why are you interested? Are you just curious, do you want to start working in computer forensics, or have you just been given the responsibility of conducting or managing an investigation? This book addresses readers in all of these categories.

Although we recommend that you read the book from start to finish for a complete overview of the topics, you can jump right to an area of interest. If you bought this book for a concise list of forensic tools, go right to Chapter 8. But don’t forget the other chapters! You’ll find a wealth of information in all chapters that will expand your understanding of computer forensics.

What This Book Covers

Chapter 1: “The Need for Computer Forensics” This chapter lays the foundation for the rest of the book. It discusses the need for computer forensics and how the examiners’ activities meet the need.

Chapter 2: “Preparation—What to Do Before You Start” This chapter addresses the necessary knowledge you must have before you start. When you finish this chapter, you will know how to prepare for an investigation.

Chapter 3: “Computer Evidence” This chapter discusses computer evidence and focuses on identifying, collecting, preserving, and analyzing evidence.

Chapter 4: “Common Tasks” Most investigations include similar common tasks. This chapter outlines those tasks you are likely to see again and again. It sets the stage for the action items you will use in your activities.

Chapter 5: “Capturing the Data Image” This chapter covers the first functional step in many investigations. You will learn the reason for and the process of creating media images for analysis.

Chapter 6: “Extracting Information from Data” After you have an exact media image, you can start analyzing it for evidence. This chapter covers the basics of data analysis. You will learn what to look for and how to find it.

Chapter 7: “Passwords and Encryption” Sooner or later, you will run into password-protected resources and encrypted files. This chapter covers basic encryption and password issues and discusses how to deal with them.

Chapter 8: “Common Forensic Tools” Every computer forensic examiner needs a toolbox. This chapter covers many popular hardware and software forensic tools.

Chapter 9: “Pulling It All Together” When the analysis is done, you need to present the results. This chapter covers the elements and flow of an investigation report.

Chapter 10: “How to Testify in Court” If your evidence ends up in court, you need to know how to effectively present it. This chapter covers many ins and outs of being an expert witness and presenting evidence in court.

Appendix A: “Answers to Review Questions” Answers to the Review Questions

Appendix B: “Forensic Resources” A list of forensic resources you can use for further research

Appendix C: “Forensic Certifications and More” A list of computer forensic certifications and contact information

Appendix D: “Forensic Tools” A summary list of forensic tools, several of which are discussed in the text, with contact information

Glossary A list of terms used throughout the book

Making the Most of This Book

At the beginning of each chapter you’ll find a list of topics that the chapter covers. You’ll find new terms (specific terminology) defined in the margins of the pages to help you quickly get up to speed on computer forensics. In addition, several special elements highlight important information:

You’ll find Review Questions at the end of each chapter to test your knowledge of the material covered. The answers to the Review Questions may be found in Appendix A. You’ll also find a list of Terms to Know at the end of each chapter to help you review key terms introduced in that chapter. These terms are also included in the Glossary at the end of this book.

You’ll also find special sidebars in each chapter titled “Tales from the Trenches,” written by Neil Broom. These are war stories Neil has acquired throughout his career as a computer forensic examiner. They are written in first person, so you’ll really get a sense of what it’s like to go “on scene” and get your hands dirty. Enjoy!

How to Contact the Authors

The authors welcome feedback from you about this book or about books you’d like to see in the future. You can reach the authors by writing to them at the addresses below. For more information about their work, please visit their respective Web sites.

Ed Tittel: ed@edtittel.com; learn more about Ed at http://www.edtittel.com.

Michael G. Solomon: michael@solomonconsulting.com; learn more about Michael at http://www.solomonconsulting.com/.

K Rudolph: Kaie@NativeIntelligence.com; learn more about K at www.NativeIntelligence.com.

Neil Broom: nbroom@trcglobal.com; learn more about Neil at www.trcglobal.com.

Sybex strives to keep you supplied with the latest tools and information you need for your work. Please check its Web site at www.sybex.com, where we’ll post additional content and updates that supplement this book if the need arises. Enter Computer Forensics in the Search box (or type the book’s ISBN—9780470931660), and click Go to get to the book’s update page.