Preface
Acknowledgments
About the Authors
Case Studies

Live Incident Response

  Windows Live Response
    Analyzing Volatile Data
    The System Date and Time
    Current Network Connections
    Open TCP or UDP Ports
    Executables Opening TCP or UDP Ports
    Cached NetBIOS Name Tables
    Users Currently Logged On
    The Internal Routing Table
    Running Processes
    Running Services
    Scheduled Jobs
    Open Files
    Process Memory Dumps
    Full System Memory Dumps
    Analyzing Nonvolatile Data
    System Version and Patch Level
    File System Time and Date Stamps
    Registry Data
    The Auditing Policy
    A History of Logins
    System Event Logs
    User Accounts
    IIS Logs
    Suspicious Files
    Putting It All Together

  Unix Live Response
    Analyzing Volatile Data
    The System Date and Time
    Current Network Connections
    Open TCP or UDP Ports
    Executables Opening TCP or UDP Ports
    Running Processes
    Open Files
    The Internal Routing Table
    Loaded Kernel Modules
    Mounted File Systems
    Analyzing Nonvolatile Data
    System Version and Patch Level
    File System Time and Date Stamps
    File System MD5 Checksum Values
    Users Currently Logged On
    A History of Logins
    Syslog Logs
    User Accounts
    User History Files
    Suspicious Files
    Putting It All Together

Network-Based Forensics

  Collecting Network-Based Evidence
    Full Content Data
    Session Data
    Alert Data
    Statistical Data
    Putting NBE to Work
    A Standard Intrusion Scenario
    Using Full Content Data
    Using Session Data
    Using Alert Data
    Using Statistical Data
    Data Collection
    Accessing the Wire
    Collecting and Storing Traffic
    Full Content Data Tools
    Session Data Tools
    Alert Data Tools
    Statistical Data Tools
    Putting It All Together

  Analyzing Network-Based Evidence for a Windows Intrusion
    Statistical Data: First Trace
    Alert Data: First Trace
    Session Data: First Trace
    Full Content Data: First Trace
    Statistical Data: Second Trace
    Alert Data: Second Trace
    Session Data: Second Trace
    Full Content Data: Second Trace
    Putting It All Together

  Analyzing Network-Based Evidence for a Unix Intrusion
    Statistical Data
    Alert Data
    Session Data
    Full Content Data
    Putting It All Together

Acquiring a Forensic Duplication

  Before You Jump Right In...
    Preparing for a Forensic Duplication
    Document, Document, Document!

  Commercial-Based Forensic Duplications
    The Read-Only IDE-to-Firewire Device
    Acquiring a Forensic Duplication with EnCase
    Acquiring a Forensic Duplication with FTK

  Noncommercial-Based Forensic Duplications
    DD
    Creating an Evidence File
    Creating an Evidence Hard Drive
    DD Rescue
    DCFLDD
    NED-The Open Source Network Evidence Duplicator

Forensic Analysis Techniques

  Common Forensic Analysis Techniques
    Recovering Deleted Files
    Open Source Solutions
    Commercial Solutions
    Production of Time Stamps and Other Metadata for Files
    Open Source Solutions
    Commercial Solutions
    Removing Known Files
    Open Source Solutions
    Commercial Solutions
    File Signatures and Electronic Discovery
    Open Source Solutions
    Commercial Solutions
    String Searching and File Fragments
    Open Source Solutions
    Commercial Solutions

  Web Browsing Activity Reconstruction
    Commercial Forensic Tools
    Open Source Solutions
    Pasco-An Open Source Web Browsing Investigation Tool
    Galleta-An Open Source IE Cookie Investigation Tool
    Putting It All Together

  E-Mail Activity Reconstruction
    Commercial Forensic Tools
    Open Source Solutions
    Outlook Express

  Microsoft Windows Registry Reconstruction
    Identifying Installed Programs
    Identifying "Most Recently Used" Documents

  Forensic Tool Analysis: An Introduction to Using Linux for Analyzing Files of Unknown Origin
    Case Background
    A Hands-On Introduction to Forensic Tool Analysis: Hello World!
    Static Analysis of Hello
    Dynamic Analysis of Hello
    Putting It All Together

  Forensic Tool Analysis: A Hands-On Analysis of the Linux File aio
    Static Analysis of aio
    md5sum
    ls -al
    file
    strings
    Hexadecimal Viewer
    nm
    ldd
    readelf
    objdump
    Dynamic Analysis of aio
    System Call Trace (strace)
    GNU Debugger
    Recovering the Uncompressed aio Binary
    Recovery by Identifying the Packer That Was Used
    Static Analysis of the Recovered Uncompressed Binary
    Dynamic Analysis of the Recovered Uncompressed Binary
    md5sum
    Putting It All Together

  Forensic Tool Analysis: Analyzing Files of Unknown Origin (Windows)
    Case Background
    A Hands-On Introduction to Forensic Tool Analysis: Hello World!
    Static Analysis of hello.exe
    Dynamic Analysis of hello.exe
    Summary of hello.exe
    A Hands-On Forensic Tool Analysis: sak.exe
    Static Analysis of sak.exe
    Dynamic Analysis of sak.exe
    Putting It All Together

Creating a Complete Forensic Tool Kit

  Building the Ultimate Response CD
    Preparing the Windows Live Response Tools
    Preparing the Unix Live Response Tools
    Forensic Duplication Tools
    DCFLDD
    NED

  Making Your CD-ROM a Bootable Environment
    Knoppix-A Linux Distribution on a CD-ROM
    The Knoppix CD-ROM

Mobile Device Forensics

  Forensic Duplication and Analysis of Personal Digital Assistants
    Case Background
    Forensic Acquisition Utilizing EnCase
    Initial Setup
    EnCase
    Forensic Acquisition Utilizing Paraben's PDA Seizure
    Forensic Acquisition Utilizing Palm Debugger
    Forensic Analysis of the Palm IIIc
    Forensic Analysis of the HP iPAQ Pocket PC 2003
    Forensic Analysis of the Palm m505
    Putting It All Together

  Forensic Duplication of USB and Compact Flash Memory Devices
    Duplicating USB Devices
    Duplicating Compact Flash Cards

  Forensic Analysis of USB and Compact Flash Memory Devices
    USB Memory Devices
    Open Source Solutions
    Commercial Solutions
    Compact Flash Cards
    Open Source Solutions
    Commercial Solutions

Online-Based Forensics

  Tracing E-Mail
    Hotmail
    Yahoo!
    Netscape
    Other E-Mail Services
    Anonymous Remailers

  Domain Name Ownership
    Importing the TLD Zone Files into Postgres
    Translating FQDNs to IP Addresses
    Searching for Domains
    Searching for DNSs

  An Introduction to Perl
    Reading Input
    Matching Text
    Regular Expressions
    Formatting Output
    Processing Live IR Data Collected
    The Date Problem with Microsoft Excel

Index