Ch1 - Cyber Forensics & Cyber Crime Investigation

Published on December 2016

Chapter-1

CYBER FORENSICS & CYBER CRIME INVESTIGATION

Session Objectives:
At the end of this session, you will be able to understand: the role of cyber forensics in the e-world; what Cyber Crime is; recent examples of Cyber Crime; specific computer crimes; the reasons for computer crime; industrial espionage; the role of public and private cyber crime investigators; and the cyber evidence collection process.

All Rights Reserved. www.sedulitygroups.com


Introduction__________________________________________
Computer forensics is the application of scientifically proven methods to gather, process, interpret, and use digital evidence to provide a conclusive description of Cyber Crime activities. Cyber forensics also includes the act of making digital data suitable for inclusion in a criminal investigation. It can be defined as the process of extracting information and data from computer storage media and guaranteeing its accuracy and reliability. The challenge, of course, is actually finding this data, collecting it, preserving it, and presenting it in a manner that is acceptable in a court of law. Electronic evidence is fragile and can easily be modified; this is why acquisition is done from write-protected media and every image is hashed at the moment it is taken, so that any later change can be demonstrated rather than merely suspected. Additionally, cyber thieves, criminals, and dishonest (and even honest) employees hide, wipe, disguise, cloak, encrypt and destroy evidence on storage media using a variety of freeware, shareware and commercially available utility programs. A global dependency on technology, combined with the expanding presence of the Internet as a key and strategic resource, requires that corporate assets be well protected and safeguarded. When those assets come under attack or are misused, information security professionals must be able to gather electronic evidence of such misuse and use that evidence to bring to justice those who misuse the technology. Cyber forensics, while firmly established as both an art and a science, is in its infancy. With technology evolving, mutating, and changing at such a rapid pace, the rules governing the application of cyber forensics to the fields of auditing, security, and law enforcement are changing as well. Almost daily, new techniques and procedures are designed to give information security professionals a better means of finding electronic evidence, collecting it, preserving it, and presenting it to client management for potential use in the prosecution of Cyber Criminals.
The anonymity provided by the Internet, and the ability of society's criminal element to use information technology as a tool for social and financial discourse, mandates that those professionals charged with the responsibility of protecting critical infrastructure resources have the tools to do so.
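The point above about guaranteeing accuracy and reliability is, in practice, a matter of hashing the acquired image and re-checking it whenever the evidence is handled. The following is an added example and not code from the original course notes: it hashes a constructed byte string standing in for an acquired disk image, records the digests in a chain-of-custody manifest (a hypothetical layout), and shows that a single flipped bit is detected on verification.

```python
# Added example (not from the original course notes): recording and
# re-checking the integrity of an acquired evidence image. The "image"
# below is a constructed byte string standing in for a real disk image
# file; the manifest layout is an illustrative assumption.
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a 1 KiB acquisition; a real image would be
# read from the file produced by the imaging tool.
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504


def hash_evidence(data: bytes) -> dict:
    """Digest the image with two algorithms, as forensic tools commonly
    record both MD5 and SHA-256 in the acquisition log."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def make_manifest(case_id: str, exhibit: str, examiner: str, data: bytes) -> dict:
    """Chain-of-custody entry written at acquisition time (hypothetical layout)."""
    return {
        "case_id": case_id,
        "exhibit": exhibit,
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(data),
        "hashes": hash_evidence(data),
    }


def verify_evidence(manifest: dict, data: bytes) -> bool:
    """True only if the size and every recorded digest still match, so a
    single flipped bit anywhere in the image is detected."""
    if len(data) != manifest["size_bytes"]:
        return False
    current = hash_evidence(data)
    return all(current[alg] == digest for alg, digest in manifest["hashes"].items())


if __name__ == "__main__":
    manifest = make_manifest("CASE-0001", "HDD-01", "examiner", SAMPLE_IMAGE)
    print("sha256:", manifest["hashes"]["sha256"])
    print("original verifies:", verify_evidence(manifest, SAMPLE_IMAGE))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # flip one bit, as a careless write to the original would
    print("tampered verifies:", verify_evidence(manifest, bytes(tampered)))
```

The manifest is what an examiner would sign and hand over with the exhibit; the same `verify_evidence` check is rerun before analysis and again before the image is produced in court, so the record of custody is backed by a reproducible computation rather than by assertion.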

1.1 Cyber Crime as We Enter the Twenty-First Century______
The term “Cyber Crime” is the latest and perhaps the most complicated problem in the cyber world. Cyber Crime may be said to be a species of which the genus is conventional crime, where the computer is either the object or the subject of the conduct constituting the crime. It can also be defined more broadly: any criminal activity that uses a computer as an instrument, as a target, or as a means of perpetrating further crimes comes within the ambit of Cyber Crime. The concept of Cyber Crime is not radically different from the concept of conventional crime. Both include conduct, whether act or omission, which causes a breach of the rules of law and is counterbalanced by the sanction of the state.


Cyber Crime may be generally defined as “unlawful acts wherein the computer is either a tool or a target or both.” The computer may be used as a tool in activities such as phishing, steganography, sale of illegal articles, pornography, online gambling, intellectual property crime, e-mail spoofing, forgery, cyber defamation, and cyber stalking. The computer may be the target of unlawful acts in cases such as unauthorized access to a computer, computer system or computer network; theft of information held in electronic form; e-mail bombing; data theft; salami attacks; worms and Trojan attacks; website defacement; theft of the computer system itself; and physical damage to the computer system. Computer crime takes several forms. For the purposes of this work, we have coined the term “Cyber Crime.” Strictly speaking, things “cyber” tend to deal with networked issues, especially global networks such as the Internet. Here, we will use the term generically, even though we might be discussing crimes targeted at a single, standalone computer. Now that we have set the ground rules, so to speak, let's move ahead with a discussion of Cyber Crime in today's environment.

1.2 WHAT IS CYBER CRIME?___________________________
Cyber Crime can broadly be defined as “a criminal activity involving an information technology infrastructure, including illegal access (unauthorized access), illegal interception (by technical means, of non-public transmissions of computer data to, from or within a computer system), data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft), and electronic fraud.” The easy definition of Cyber Crime is “crimes directed at a computer or a computer system.” The nature of Cyber Crime, however, is far more complex. As we will see later, Cyber Crime can take the form of simple snooping into a computer system for which we have no authorization. It can be the release of a computer virus into the wild. It may be malicious vandalism by a disgruntled employee. Or it may be theft of data, money, or sensitive information using a computer system. Cyber Crime can come from many sources. The cyberpunk who explores a computer system without authorization is, by most current definitions, performing a criminal act. We might find ourselves faced with theft of sensitive marketing data by one of our competitors. A virus may bring down our system or one of its components. There is no single, easy profile of Cyber Crime or the Cyber Criminal. If these are elements of Cyber Crime, what constitutes computer security? Let's consider the above examples for a moment. They all have a single element in common, no matter what their individual natures might be: they are all concerned with compromise or destruction of computer data. Thus, our security objective must be information protection. What we call computer security is simply the means to that end.
It is sufficient to say at this point that we are concerned with protecting information and, should our protection efforts fail us, with determining the nature, extent, and source of the compromise.

We can see from this that it is the data, and not the computer system, that is the target of Cyber Crime. Theft of a computer printout may be construed as Cyber Crime. The planting of a computer virus causes destruction of data, not of the computer itself. It becomes clear, from this perspective, that the computer system is the means, not the end. A wag once said that computer crime has always been with us; it is just in recent years that we have added the computer. However, investigating crimes against data means we must investigate the crime scene: the computer system itself. Here is where we will collect clues as to the nature, source, and extent of the crime against the data. And it is here that we will meet our biggest obstacle to success. If we are going to investigate a murder, we can expect to have a corpse as a starting point. If a burglary is our target, there will be signs of breaking and entering. With Cyber Crime, however, we may find that there are few, if any, good clues to start with. In fact, we may only suspect that a crime has taken place at all; there may be no obvious signs. Another aspect of Cyber Crime is that, for some reason, nobody wants to admit that it ever occurred. Supervisors have been known to cover up for obviously guilty employees. Corporations refuse to employ the assistance of law enforcement. Companies refuse to prosecute guilty individuals. So where, as computer security and audit professionals, does that leave us in our efforts to curb cyber crimes against our organizations? It means we have a thankless job, often lacking support from senior executives, frequently understaffed and under-funded. That does not mean, though, that we cannot fight the good fight and do it effectively. It certainly does mean that we have to work smarter and harder, and that we will have to deal with all sorts of political issues. Finally, there are techniques to learn: technical, investigative, and information-gathering techniques.
It is a combination of these learned techniques, the personal nature that seeks answers, and the honesty that goes with effective investigations that will help us become good cyber cops and investigators of crimes against information on the information superhighway, or on its back roads. Cyber Crime encompasses a broad range of potentially illegal activities. Generally, however, it may be divided into two categories: crimes that target computer networks or devices directly, and crimes facilitated by computer networks or devices, where the primary target is independent of the computer network or device. Examples of crimes that primarily target computer networks or devices include malware and malicious code, denial-of-service attacks, and computer viruses.

1.2.1 Malware
Malware is software designed to infiltrate a computer without the owner's knowledge or informed consent. Malware is malicious code planted on your computer, and it can give the attacker a truly alarming degree of control over your system, network, and data, all without your knowledge.

Malicious code is a set of instructions that runs on your computer and makes your system do something that you do not want it to do. For example, it can delete sensitive configuration files from your hard drive, rendering your computer completely inoperable; infect your computer and use it as a jumping-off point to spread to all of your buddies' computers; and steal files from your machine. Malicious code in the hands of a crafty attacker is indeed powerful. It is becoming even more of a problem because many of the very same factors fueling the evolution of the computer industry are making our systems even more vulnerable to malicious code. Specifically, malicious code writers benefit from the trends toward mixing static data and executable instructions, increasingly homogeneous computing environments, unprecedented connectivity, an ever-larger and less technical user base, and an unfriendly world. Malware is defined by the perceived intent of its creator rather than by any particular technical feature. Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software.

1.2.2 Denial of Service Attacks
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means of carrying out, the motives for, and the targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. A denial of service attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. In a distributed denial-of-service attack, large numbers of compromised systems (collectively called a botnet) attack a single target. Although a DoS attack does not usually result in the theft of information or other security loss, it can cost the target person or company a great deal of time and money. Typically, the loss of service is the unavailability of a particular network service, such as e-mail, or the temporary loss of all network connectivity and services. In some cases a denial of service attack also damages programs and files on the affected systems. In some cases, DoS attacks have forced web sites accessed by millions of people to temporarily cease operation. One common method of attack involves saturating the target (victim) machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by forcing the targeted computer(s) to reset; by consuming its resources so that it can no longer provide its intended service; or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet Service Providers. They also commonly constitute violations of the laws of individual nations.
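The "saturating the target with requests" method above is the one a web-server log exposes most directly. The following is an added example, not code from the original course notes: it parses constructed access-log lines in Common Log Format, computes the peak request rate per source IP with a sliding window, and flags sources above a threshold. The window length and threshold are illustrative assumptions, and the separate overall-rate check is there because a distributed attack spreads its load so that no single source trips the per-IP rule.

```python
# Added example (not from the original course notes): flagging a request
# flood in web-server access logs. The log lines are constructed in Common
# Log Format; the window and threshold are illustrative assumptions.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')

# Constructed sample: one source sends a request every second for a minute
# (and the server starts answering 503), while two ordinary clients browse.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2016:13:55:{s:02d} +0000] "GET / HTTP/1.1" 503 0'
     for s in range(60)]
    + [
        '198.51.100.4 - - [10/Oct/2016:13:55:10 +0000] "GET /index.html HTTP/1.1" 200 1043',
        '198.51.100.9 - - [10/Oct/2016:13:55:42 +0000] "POST /login HTTP/1.1" 302 0',
    ]
)


def parse_line(line: str):
    """Return {ip, time, request, status} for one CLF line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _ = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "request": request,
        "status": int(status),
    }


def peak_in_window(times, window_seconds: int) -> int:
    """Largest number of events falling inside any window of the given
    length (sliding window over the sorted timestamps)."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() >= window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flood_sources(log_text: str, window_seconds: int = 60, threshold: int = 30) -> dict:
    """Map each source IP whose peak rate reaches the threshold to that peak.
    This catches a single-source DoS; a distributed attack spreads the load
    so that no one source trips the check, which is why overall_peak() exists."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in by_ip.items():
        peak = peak_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def overall_peak(log_text: str, window_seconds: int = 60) -> int:
    """Peak request rate from all sources combined, for the distributed case."""
    times = [r["time"] for r in map(parse_line, log_text.splitlines()) if r]
    return peak_in_window(times, window_seconds)


if __name__ == "__main__":
    print("per-source floods:", flood_sources(SAMPLE_LOG))
    print("peak requests in any 60 s:", overall_peak(SAMPLE_LOG))
```

On the constructed sample the per-source check names 203.0.113.7 with 60 requests in a minute while the two normal clients stay well under the threshold. Thresholds must be set from a baseline of the site's own traffic; a value that is obviously a flood for a small site is normal load for a busy one.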


1.2.3 Computer Viruses
A computer virus is a program that can copy itself and infect a computer without the permission or knowledge of the owner. The term “virus” is also commonly but erroneously used to refer to other types of malware, adware, and spyware that lack this reproductive ability. A true virus can only spread from one computer to another when its host is taken to the target computer, for instance because a user sent it over a network or the Internet, or carried it on removable media such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or on a file system that is accessed by another computer. The term “computer virus” is sometimes used as a catch-all phrase for all types of malware (computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software), including true viruses. Viruses are sometimes confused with computer worms and Trojan horses, which are technically different: a worm can exploit security vulnerabilities to spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a program that appears harmless but has a hidden agenda. Worms and Trojans, like viruses, may harm a computer system's hosted data, functional performance, or networking throughput when they are executed. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious. Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, instant messaging, and file-sharing systems to spread.
Examples of crimes that merely use computer networks or devices include cyber stalking, fraud and identity theft, and phishing scams.

1.2.3.1 Cyber Stalking
Cyber stalking, also known as cyber harassment, is rising day by day. It is a situation in which a person tries to track and hunt someone online and to assault that person's privacy or confidential information. It is a kind of annoyance that can be carried out online, can upset anyone's life, and can leave the victim feeling scared and vulnerable. A cyber stalker looks for weak points in people and tries to enter their lives by making promotions or offers online related to dating, romance, or making friends, or even by offering very expensive items at an unbelievable price, in order to capture the interest of the target and then harass them, especially girls and women.


Today, in the world of computer modernization, where everything is available on the Internet, Cyber Crime is also rising day by day, and it disrupts the normal lives of the people who have been harassed by stalkers. Cyber stalking usually happens to girls and women, who are stalked by men, and to children, who are stalked by adult prowlers. A cyber stalker does not have to leave home to find or harass targets. The stalker also believes that he cannot be physically reached in cyberspace while harassing someone through the Internet. A stalker can be anyone: your own friend, a relative, or someone anonymous whom you have never met. Victims who are stalked on the Internet are generally people who are new to the Internet or unfamiliar with Internet security. Stalkers target those women, children and men who are new Internet users or otherwise easily vulnerable. Many motives drive stalkers to these activities: fun or enjoyment, an egoistic nature, hatred, a fascination for love and sex, and so on. In order to stop these Internet crimes, which keep increasing day by day, our law-enforcement agencies are becoming technically stronger and at times take support from industry experts so that they are able to solve the cases registered under Cyber Crime.

1.2.3.2 Identity Theft
Identity theft, also known as ID theft, is a crime in which a criminal obtains key pieces of personal information, such as Social Security or driver's license numbers, in order to pose as someone else. The information can be used to obtain credit, merchandise, and services in the victim's name. Identity theft can also provide a thief with false credentials for immigration or other applications.
One of the biggest problems with identity theft is that the crimes committed by the identity thief are very often attributed to the victim. There are two main types of identity theft: account takeover and true name theft. Account takeover identity theft refers to the situation where an imposter uses the stolen personal information to gain access to the person's existing accounts. Often the identity thief will use the stolen identity to acquire even more credit products, changing the victim's address so that the victim never sees the credit card bills that the thief runs up. True name identity theft means that the thief uses personal information to open new accounts. The thief might open a new credit card account, establish cellular phone service, or open a new checking account in order to obtain blank checks. The Internet has made it easier for an identity thief to use the stolen information, because transactions can be made without any real verification of a person's identity. All a thief really needs today is a series of correct numbers to complete the crime. Some identity thieves hack into databases to steal personal information. However, this kind of theft is much rarer than the use of old-fashioned methods such as scouring the garbage for old receipts or looking over someone's shoulder while they are carrying out a financial transaction. You should also be wary of such criminals at the Department of Motor Vehicles or anywhere else where filling out a long application could provide a thief with enough information to attempt an identity theft.

1.2.3.3 Phishing Scams
Phishing is a scam in which the attacker sends an e-mail purporting to be from a valid financial or e-commerce provider. The e-mail often uses fear tactics in an effort to entice the intended victim into visiting a fraudulent website. Once on the website, which generally looks and feels much like the valid e-commerce or banking site, the victim is instructed to log in to their account and enter sensitive financial information such as their bank PIN, their Social Security number, mother's maiden name, and so on. This information is then surreptitiously sent to the attacker, who uses it to engage in credit card and bank fraud, or outright identity theft. Most of these phishing e-mails appear quite legitimate. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when the site presents server authentication (a TLS certificate and a padlock), it may require considerable skill to detect that the website is fake: an attacker can obtain a perfectly valid certificate for a look-alike domain, so the padlock proves only that the connection is encrypted to whoever controls that domain, not that the domain is the one the victim intended. Phishing is an example of the social engineering techniques used to fool users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
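The tricks described above (a link whose visible text names the real bank while its target is elsewhere, a bare IP address as host, a punycode domain, a digit swapped for a letter) are all checkable before a user ever clicks. The following is an added example, not code from the original course notes: it extracts the links from a constructed phishing e-mail body and reports the reason each one is suspicious. The trusted host list, the message and the digit-for-letter lookalike rule are illustrative assumptions.

```python
# Added example (not from the original course notes): screening the links in
# an e-mail body for the tricks phishing relies on. The message, the trusted
# host list and the lookalike rule are constructed/illustrative assumptions.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"bank.example", "www.bank.example"}   # assumed legitimate hosts
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed phishing message: four deceptive links and one genuine one.
SAMPLE_EMAIL = """<p>Dear customer, your account is locked. Confirm within 24 hours:</p>
<a href="http://bank.example.verify-login.net/secure">https://www.bank.example/login</a><br>
<a href="http://198.51.100.23/bank/">Update your details</a><br>
<a href="http://xn--bnk-abc.example/">bank.example</a><br>
<a href="https://www.bank.examp1e/login">Sign in</a><br>
<a href="https://www.bank.example/help">Help centre</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str):
    """Host named by the visible link text, if the text looks like a URL or
    host name; plain words such as 'Sign in' return None."""
    text = text.strip()
    if "://" not in text:
        text = "//" + text
    host = urlparse(text).hostname
    return host if host and HOST_RE.match(host) else None


def lookalike(host: str) -> bool:
    """Digit-for-letter swaps ('0' for 'o', '1' for 'l') that turn a trusted
    name into a registrable near-duplicate."""
    normalised = host.translate(str.maketrans("01", "ol"))
    return normalised != host and normalised in TRUSTED


def analyze_links(html: str) -> list:
    """Return [(href, [reasons])] for every link; an empty list means clean."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if IP_RE.match(host):
            reasons.append("ip-literal host")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("IDN/punycode host")
        shown = host_of(text)
        if shown and shown != host:
            reasons.append(f"text shows {shown}, link goes to {host}")
        if host not in TRUSTED and any(host.startswith(t + ".") for t in TRUSTED):
            reasons.append("trusted name used as subdomain of another domain")
        if lookalike(host):
            reasons.append("digit/letter lookalike of trusted host")
        findings.append((href, reasons))
    return findings


def suspicious_links(html: str) -> list:
    """Just the hrefs that triggered at least one reason."""
    return [href for href, reasons in analyze_links(html) if reasons]


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL):
        print(href, "->", reasons or "ok")
```

Only the genuine help-centre link comes back clean. The checks are deliberately simple string rules; a mail gateway would add the parts that need external data, such as the domain's registration age and whether the certificate for it was issued in the last few days.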

1.3 Specific computer crimes___________________________
1.3.1 Spam
Spam, or the unsolicited sending of bulk email for commercial purposes, is unlawful to varying degrees. As applied to email, specific anti-spam laws are relatively new, however limits on unsolicited electronic communications have existed in some forms for some time.

1.3.2 Fraud
Computer fraud is any dishonest misrepresentation of fact intended to induce another to do or refrain from doing something which causes loss. In this context, the fraud results in obtaining a benefit by one of the following means. Altering computer input in an unauthorized way: this requires little technical expertise and is not an uncommon form of theft by employees, who alter data before entry, enter false data, or enter unauthorized instructions or use unauthorized processes. Altering, destroying, suppressing, or stealing output, usually to conceal unauthorized transactions: this is difficult to detect. Altering or deleting stored data. Altering or misusing existing system tools or software packages, or altering or writing code for fraudulent purposes: this requires real programming skill and is not common.

Other forms of fraud may be facilitated using computer systems, including bank fraud, identity theft, extortion, and theft of classified information.

1.3.3 Obscene or offensive content
The content of websites and other electronic communications may be distasteful, obscene or offensive for a variety of reasons. In some instances these communications may be illegal. Many jurisdictions place limits on certain speech and ban racist, blasphemous, politically subversive, libelous or slanderous, seditious, or inflammatory material that tends to incite hate crimes. The extent to which these communications are unlawful varies greatly between countries, and even within nations. It is a sensitive area in which the courts can become involved in arbitrating between groups with entrenched beliefs.

1.3.4 Harassment
Whereas content may be offensive in a non-specific way, harassment directs obscenities and derogatory comments at specific individuals focusing for example on gender, race, religion, nationality, sexual orientation. This often occurs in chat rooms, through newsgroups, and by sending hate e-mail to interested parties. Any comment that may be found derogatory or offensive is considered harassment.

1.3.5 Drug Trafficking
Drug traffickers are increasingly taking advantage of the Internet to sell their illegal substances through encrypted e-mail and other Internet technology. Some drug traffickers arrange deals at Internet cafes, use courier web sites to track illegal packages of pills, and swap recipes for amphetamines in restricted-access chat rooms. The rise in Internet drug trades could also be attributed to the lack of face-to-face communication. These virtual exchanges allow more intimidated individuals to purchase illegal drugs more comfortably. The seedy atmosphere often associated with drug deals is greatly reduced, and the filtering process that comes with physical interaction fades away. Furthermore, traditional drug recipes were carefully kept secrets, but with modern computer technology this information is now being made available to anyone with computer access.

1.3.6 Cyber-Terrorism
Government officials and information technology security specialists have documented a significant increase in Internet problems and server scans since early 2001, and there is growing concern among federal officials that such intrusions are part of an organized effort by cyber terrorists, foreign intelligence services, or other groups to map potential security holes in critical systems. A cyber terrorist is someone who intimidates or coerces a government or organization to advance his or her political or social objectives by launching computer-based attacks against computers, networks, and the information stored on them. Cyber terrorism in general can be defined as an act of terrorism committed through the use of cyberspace or computer resources. As such, even simple propaganda on the Internet claiming that there will be bomb attacks during the holidays can be considered cyber terrorism.

At worst, cyber terrorists may use the Internet or computer resources to carry out an actual attack. There are also hacking activities directed at individuals and families, or organized by groups within networks, that tend to cause fear among people, demonstrate power, collect information useful for ruining people's lives, or support robbery and blackmail.

1.4 HOW DOES TODAY’S CYBER CRIME DIFFER FROM THE HACKER EXPLOITS OF YESTERDAY?
Picture the young, inexperienced cyber criminal or cracker with vast quantities of time to waste, trying to get into just one more system. There is, however, a far more dangerous type of system cracker out there: one who knows the ins and outs of the latest security auditing and cracking tools, who can modify them for specific attacks, and who can write his or her own programs; one who not only reads about the latest security holes but also personally discovers bugs and vulnerabilities; a deadly creature that can both strike poisonously and hide its tracks without a whisper or hint of a trail. Today's computer criminal is motivated by any of several things. He or she (an increasing number of hackers are women) is in the hacking game for financial gain, revenge, or political motivation. There are other aspects of the modern hacker that are disturbing. Most proficient hackers are accomplished code writers. They not only understand the systems they attack; most write their own tools. While it is true that many hacking tools are readily available on the Internet, the really effective ones are in the private tool kits of professional intruders, just as lock-picking kits are the work tools of the professional burglar. In the late 1980s and early 1990s, the personal computer revolution brought us the virus writer. Early viruses were, by accounts of the period, a vicious breed of bug. As virus writing became a popular underground pastime, virus construction kits appeared. Now anyone with a compiler and a PC could write a virus. The problem, of course, was that these kits were essentially cut-and-paste affairs. No really new viruses appeared, just different versions of the same ones. The antivirus community caught up, breathed a sigh of relief, and waited for the next wave. Today, profilers have a much more difficult time sorting out the antisocial hacker from the cold-blooded professional on a salary from his current employer's competitor.
Today, the intrusion into the marketing files of a major corporation may be accomplished so smoothly and with such skill that a computer crime investigator has a difficult time establishing that an intrusion has even occurred, much less establishing its source and nature. However, in most organizations one thing has not changed much. The computers are still vulnerable. The logging is still inadequate. The policies, standards, and practices are still outdated. So the environment is still fertile ground for attack. Even though today's cyber crook has a specific goal in mind, to steal or destroy your data, he or she still has an inviting playing field. Yesterday's intruder came searching for knowledge, the understanding of as many computer systems as possible. Today's intruder already has that understanding. He or she wants your data. Today's cyber crook will either make money off you or get revenge against you. He or she will not simply learn about your system.

That difference, the fact that you will lose money, is the biggest change in the evolution of the computer cracker. Much has been made in the computer community about the evolution of the term “hacker.” Hacker, in the early days of computing, was a proud label. It meant that its owner was an accomplished and elegant programmer. It meant that the hacker's solutions to difficult problems were effective, compact, efficient, and creative. The popular press has, the “real” hackers say, twisted the connotation of the term into something evil. “Call the bad guys ‘crackers,’” they say. “You insult the true computer hacker by equating him or her with criminal acts.” If we look at the professional “cracker” of today, however, we find that he or she is a “hacker” in the purest traditions of the term. However, like Darth Vader, or the gun in the hands of a murderer (“guns don't kill, people do”), these hackers have found the “dark side” of computing. Let's call them what they are, hackers, and never underestimate our adversary. Though India has developed full-fledged indigenous cyber forensic labs, software packages, and so on, we still have a very long way to go, and we are still in the process of evolving systems and methodologies to stem the menace.

1.5 REASONS FOR CYBER CRIME_______________________
H. L. A. Hart, in The Concept of Law, observed that human beings are vulnerable, so the rule of law is required to protect them. Applying this to cyberspace, we may say that computers are vulnerable, so the rule of law is required to protect and safeguard them against Cyber Crime. The reasons for the vulnerability of computers may be said to be:

1.5.1 Capacity to store data in comparatively small space
The computer has the unique characteristic of storing a great deal of data in a very small space. This makes it much easier to remove or derive information, through either a physical or a virtual medium.

1.5.2 Easy to access
The problem encountered in guarding a computer system from unauthorised access is that there is every possibility of a breach, not only through human error but also through the complexity of the technology itself. Secretly implanted logic bombs, key loggers that steal access codes, advanced voice recorders, retina imagers and similar devices that can fool biometric systems, and techniques that bypass firewalls can all be used to get past many a security system.

1.5.3 ComplexThe computers work on operating systems and these operating systems in turn are composed of millions of codes. Human mind is fallible and it is not possible that there might not be a lapse at any stage. The cyber criminals take advantage of these lacunas and penetrate into the computer system.

1.5.4 Negligence
Negligence is very closely connected with human conduct. It is therefore very probable that, while protecting the computer system, there will be some negligence, which in turn allows a cyber criminal to gain access to and control over the computer system.

1.5.5 Loss of evidence
Loss of evidence is a very common and obvious problem, as data are routinely destroyed. Further, the collection of data outside the territorial extent of the jurisdiction also paralyses this system of crime investigation.

1.6 INDUSTRIAL ESPIONAGE — HACKERS FOR HIRE______
Let’s consider the following scenario. A very large public utility with several nuclear power plants experiences a minor glitch with no real consequences. One evening, a hacker in the employ of an anti-nuclear activist group, using information provided by a disgruntled employee, gains access to the utility’s network, searches file servers until he finds one at the nuclear plant, and, after compromising it, locates copies of several of the lessons-learned memos. The Hacker delivers the memos to his employers who doctor them up a bit and deliver them with a strongly worded press release to a local reporter who has made a life-long career out of bashing the nuclear industry. Imagine the potential public relations consequences. Or, how about this: a large corporation with only one major competitor hires an accomplished hacker. The hacker’s job is to apply at the competitor for a job in the computer center. Once hired, the Hacker routinely collects confidential information and, over the Internet, passes it to his real employer. Such a situation was alleged in 1995 when a Chinese student, working in the United States for a software company, started stealing information and source code and funneling it to his real employer, a state-owned company in China. There are many instances of such espionage. Unfortunately, most of them don’t get reported. Why? The loss of confidence in a company that has been breached is one reason. Another is the threat of shareholder lawsuits if negligence can be proved. Estimates of the success of prosecuting computer crime vary, but the most common ones tell us that there is less than a 1% probability that a computer criminal will be reported, caught, tried, and prosecuted successfully. With those odds, it’s no wonder that the professional criminal is turning to the computer instead of the gun as a way to steal money.
Rob Kelly, writing in Information Week back in 1992 (“Do You Know Where Your Laptop Is?”), tells of a wife who worked for the direct competitor to her husband’s employer. While her husband was sleeping, she logged onto his company’s mainframe using his laptop and downloaded confidential data which she then turned over to her employer. A favorite scam in airports is to use the backups at security checkpoints to steal laptops. Two thieves work together. One goes into the security scanner just ahead of the laptop owner, who has placed his or her laptop on the belt into the X-ray machine. This person carries metal objects that cause the scanner to alarm. He or she then engages in an argument with the security personnel operating the scanner. In the meantime, the victim’s laptop passes through the X-ray scanner. While the victim waits in line for the argument ahead to be settled, the confederate steals the laptop from the X-ray belt and disappears. You can bet that the few dollars the thieves will get for the laptop itself are only part of the reward they expect. Rumors in the underground suggest that as much as $10,000 is available as a bounty on laptops stolen from top executives of Fortune 500 companies. To paraphrase a popular political campaign slogan, “It’s the data, stupid!” Information in today’s competitive business world is more precious than gold. Today’s thieves of information are well-paid professionals with skills and tools and little in the way of ethics.

These examples show some of the ways industrial espionage has moved into the computer age. There is another way, this one potentially more deadly than the other two. It is called “Denial of Service” and is the province of computer vandals. These vandals may be competitors, activists intent on slowing or stopping the progress of a targeted company, or disgruntled employees getting even for perceived wrongs. Denial of service attacks are attacks against networks or computers that prevent proper data handling. They could be designed to flood a firewall with packets so that it cannot transfer data. It could be an attack intended to bring a mainframe process down and stop processing. Or, it could be an attack against a database with the intent of destroying it. While the data could be restored from backups, it is likely that some time will pass while the application is brought down, the data restored, and the application restarted. “How can we prevent this type of activity?” The answer is complex.
As you will see in the emerging glut of computer security books, planning by implementing policies, standards and practices, implementation of correct security architectures and countermeasures, and a good level of security awareness is the key. If your system is wide open, you’ll be hit. There is, in this day and age, no way to avoid that. What you can do is ensure that your controls are in place and robust and that you are prepared for the inevitable. That won’t stop the hacker from trying, but it may ensure that you’ll avoid most of the consequences.

1.6.1 Five basic ways that Computer Criminals get information on the companies they attack:
1. Observing equipment and events
2. Using public information
3. Dumpster diving
4. Compromising systems
5. Compromising people (social engineering)

These five attack strategies suggest that you can apply appropriate countermeasures to lessen the chances of the attack being successful. That, as it turns out, is the case. The purpose of risk assessments and the consequent development of appropriate policies, standards, practices, and security architectures is to identify the details of these risks and develop appropriate responses.
However, in the final section of this book, we will recap some key things you can do to simplify the task of fighting computer crime by preparing for it. In that section we will discuss how to be proactive, build a corporate cyber SWAT team, and take appropriate precautions in the form of countermeasures. Of the five strategies, arguably the wave of the future is number five: Social Engineering. The professional information thief is a con artist par excellence. These smooth-talking men and women talk their way into systems instead of using brute force. The Jargon File version 3.3.1 defines social engineering thus: “Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system’s security. Classic scams include phoning up a mark that has the required information and posing as a field service tech or a fellow employee with an urgent access problem …” Let’s consider the case of “Susan Thunder,” a Hacker turned consultant who specializes in Social Engineering. Thunder, whose real name, like those of many Hackers, never appears in public, is one of the early Hackers who ran with “Roscoe” and Kevin Mitnick in the late 1970s and early 1980s. When, after a number of exploits that finally resulted in jail for Roscoe and probation for Mitnick, things got a bit too hot for her, she dropped her alias and became a Security Consultant. According to Thunder, in 1983 she appeared before a group of high-ranking military officials from all branches of the service. She was handed a sealed envelope with the name of a computer system in it and asked to break into the system. She logged into an open system and located the target and its administrator.
From there it was a snap, as she relates the story, to social engineer everything she needed to log into the system from an unsuspecting support technician and display classified information to the stunned brass. Let’s get the technique from Thunder, in her own words, as she posted on the Internet to the alt.2600 newsgroup in 1995: Social Engineering has been defined as the art of manipulating information out of a given person with a view towards learning information about or from a given EDP system. The techniques are relatively simple, and I will go into greater detail and provide examples in a future tutorial. Essentially, the methodology consists of pulling off a telephone ruse to get the person at the other end of the line to give you passwords or read your data off of their computer screen. Sometimes the techniques involve intimidation or blackmail.

1.6.2 The differences between Social Engineering and Psychological Subversion.
Psychological Subversion (PsySub) is a very advanced technique that employs neural linguistic programming (nlp), subconscious suggestions, hypnotic suggestions, and subliminal persuasion. Essentially, you want to plant the idea in the subject’s mind that it’s okay to provide you with the information you seek to obtain.
There is, of course, some question about how much of her exploits are real and how much is in her head. However, there is one important point: social engineering techniques work, and they work well. The professional hacker will use those techniques in any way he or she can to get information. When I am performing intrusion testing for clients, I always include the element of social engineering in my tests. It adds the realism that allows the testing to simulate the approach of professional hackers accurately. Time is the Hacker’s worst enemy. The longer he or she is “on the line,” the higher the probability of discovery and tracing. Most professional Hackers will do whatever they can to collect as much information as possible prior to starting the actual attack. How much easier it is to talk the root password out of a careless or overworked technician than to crack the system, steal the password file, and hope that you can crack the root password!

1.7 PUBLIC LAW ENFORCEMENT’S ROLE IN CYBER CRIME INVESTIGATIONS
Make no mistake about it. If you involve law enforcement in your investigation, you’ll have to turn over control to them. That may be a reason not to call in the authorities. Then again, maybe it’s a reason to get on the phone to them ASAP. The abilities of local law enforcement and their investigative resources vary greatly with geographic territory. The spectrum ranges from the ever-improving capabilities of the FBI and the Secret Service to the essentially worthless efforts of local police forces in isolated rural locations. Since computers and computer systems are pervasive, that lack of evenness poses problems for many organizations. There are times when not calling in law enforcement is not an option. If you are a federally regulated organization, such as a bank, not involving law enforcement in a formal investigation can leave you open to investigation yourself. However, the decision to call or not to call should never wait until the event occurs. Make that decision well in advance so that valuable time won’t be lost in arguing the merits of a formal investigation. There are, by most managers’ reckonings, some good reasons not to call in the law. First, there is a higher probability that the event will become public. No matter how hard responsible investigators try to keep a low profile, it seems that the media, with its attention ever-focused on the police, always get the word and, of course, spread it. Public knowledge of the event usually is not limited to the facts, either. The press, always on the lookout for the drama that sells ad space, tends toward a significant ignorance of things technical. But, no matter — facts never got in the way of a good story before, so why should your story be any different? Another issue is that law enforcement tends to keep their actions secret until the investigation is over.
While that certainly must be considered appropriate in the investigation of Computer Crime, it often closes the communications lines with key company staff like the CEO, auditors, and security personnel. Some organizations find it difficult or impossible to live with that sort of lack of communication during a critical incident involving their organizations.
A major benefit of involving Law Enforcement is the availability of sophisticated technical capabilities in the form of techniques, expensive equipment, and software. The CBI crime lab is known for its capabilities in all areas of Forensic Analysis, including computer forensics. Recovering lost data that could lead to the solution of a computer crime, for example, is a difficult, expensive, and, often, unsuccessful undertaking. The CBI has experts in their lab who can recover that data, even if it has been overwritten. However, if you call the CBI, there are some things you should remember. If they take the case (there is no guarantee that they will), they will take over completely. Everyone will become a suspect until cleared and you can expect little or nothing in the way of progress reporting until the crime is solved and the perpetrator captured. The CBI doesn’t have the resources to investigate every case. First, the case has to have a significant loss attached to it. Second, it has to be within the CBI jurisdiction: interstate banking, public interstate transportation, etc. Finally, there has to be some hope of a solution. That means that it may be in your best interests to conduct a preliminary investigation to determine if the crime fits into the CBI pattern of cases and what you can provide the CBI investigators as a starting They will have the same downsides, though, as does the CBI. The difference is that they may not have the resources needed to bring the investigation to a suitable conclusion. In larger cities, and many smaller ones, there will be someone on the local, state, or county force who can at least begin an investigation. It is often a good idea, if you decide to use Law-Enforcement in the future, to become acquainted with the computer crime investigators in advance of an incident. An informal meeting can gain a wealth of information for you. It also can set the stage for that panic call in the future when the intruder is on your doorstep.

1.8 THE ROLE OF PRIVATE CYBER CRIME INVESTIGATORS AND SECURITY CONSULTANTS IN INVESTIGATIONS
Most government law-enforcement agencies are not fully equipped to investigate computer crime. Although they may have the resources to get the process started, an in-depth technical investigation is usually beyond their scope. This means that organizations have two alternatives: they can call in law enforcement, or they can employ consultants from the private sector. Many organizations prefer to do the latter. Calling in consultants is not a step to take lightly, however. The world is full of self-styled security consultants, “Reformed Hackers” and other questionable individuals who are riding the computer security wave. Finding the right consultant is not a trivial task and should be commenced prior to the first incident. The first question, of course, is what role the consultant will play. Once you have created your SWAT team, you must then decide what gaps are present and which can be filled by consultants. One area where some interesting things are taking place is in the business of Private Investigation. Private Investigators, traditionally involved with physical crime and civil matters, are looking at the world of virtual crime as a growth area for their businesses. If you use one of these firms, be sure that they have the requisite experience in Cyber Crime Investigation.
The best general source for investigative consultants is within the computer security community. Here, however, you must use care in your selection, because not all consultants are created equal. The best requirement for your request for proposal, then, is likely to be references. References can be hard to get in some cases, of course, since most clients are understandably reluctant to discuss their problems with the outside world. Consultants can fill a number of roles on your investigative team. The most common is the role of technical specialist. Most consultants are more familiar with the security technologies involved than they are with the legal and investigative issues. It will be easier to find technical experts than it will be to find full-fledged investigators. The other side of technology is the “people” side. If social engineering is the emerging threat of the 1990s, the ability to interview, interrogate, and develop leads is about as old-school an investigative style as can be. In this instance good, old-fashioned police legwork pays big dividends, if it is performed by an investigative professional with experience. Another area where a consultant can help is the audit function. Many computer crimes involve fraud and money. An experienced information systems auditor with fraud investigation experience is worth whatever you pay in cases of large-scale Computer Fraud. The bottom line is that you can, and should, use qualified consultants to beef up your internal investigative capabilities. Remember, though, that you are opening up your company’s deepest secrets to these consultants. It is a very good idea to develop relationships in advance and develop a mutual trust so that, when the time comes, you’ll have no trouble working together. I have told numerous clients that they can get technology anywhere. It’s the trust factor that can be hard to come by.

1.9 The Initial Contact__________________________________
When you are first contacted by a client, whether in person, over the telephone, or via e-mail, there are some specific questions requiring answers up front, before you plunge headlong into the new case. The answers to these questions will help you to be much better prepared when you actually arrive at the client’s site to collect evidence and interview personnel. Also remember that the cases you may be involved with vary tremendously. A short listing of case types would be:

- Web page defacement
- Hospital patient databases maliciously altered
- Engineering design databases maliciously altered
- Murder alibis
- Sabotage
- Trade secret theft
- Stolen corporate marketing plans
- Computer network being used as a jump-off point to attack other networks
- Computer-controlled building environmental controls maliciously modified
- Stolen corporate bid and proposal information
- Military weapons systems altered
- Satellite communication system takeover
Since there are so many different types of cases, review the questions listed below and choose those that apply to your situation. Also, depending on your situation, think about the order in which you ask the questions. Note that your client may or may not know the answers to certain questions. Even if the client does not know the answers, these questions begin the thinking process for both you and the client. Add additional questions as you see fit, but keep in mind that this should be a short discussion: its purpose is to help you be better prepared when you arrive at the client’s site, not to have the answers to every question you can think of at this time. The questions you should ask are as follows.

Note: Make sure that the communication medium you are using is secure regarding the client and the information you are collecting, i.e., should you use encrypted e-mail?

- Do you have an IDS (Intrusion Detection System) in place? If so, which vendor?
- Who first noticed the incident?
- Is the attacker still online?
- Are there any suspects?
- Are security policy/procedures in place?
- Have there been any contacts with ISPs or LEOs (law enforcement organizations)?
- Why do you think there was a break-in?
- How old is the equipment?
- Can you quickly provide me with an electronic copy of your network architecture over a secure medium?
- What operating systems are utilized at your facility?
- If these are NT systems, are the drives FAT or NTFS?
- What type of hardware platforms are utilized at your facility (Intel, Sparc, RISC, etc.)?
- Do the compromised systems have CD-ROM drives, diskette drives, etc.?
- Are these systems classified, or is the area I will be in classified? What level? Where do I fax my clearance?
- What size are the hard drives on the compromised systems?
- Will the System Administrator be available, at my disposal, when I arrive, along with any other experts you may have for the compromised system (platform level, operating system level, critical applications running on the system)?
- What type of information did the compromised system hold? Is this information crucial to your business?
- Will one of your network infrastructure experts be at my disposal when I arrive on-site (personnel who know the organization’s network: routers, hubs, switches, firewalls, etc.)?
- Have your Physical Security personnel secured the area surrounding the compromised systems so that no one enters the area? If not, please do so.
- Does the crime scene area forbid or preclude the use of electronic communication devices such as cellular telephones, pagers, etc.?
- Please have a copy of the system backup tapes available for me for the past 30 days.
- Please put together a list of all the personnel involved with the compromised system and any projects the system is involved with.
- Please check your system logs. Have a listing ready when I arrive that shows who accessed the compromised system in the past 24 hours.
- Do the compromised systems have SCSI or parallel ports (or both)?
- Tell the client not to touch anything. Do not turn off any systems or power, etc.
- What are the names of hotels close by where I can stay?
- It will be supper time when I arrive. Will you have food available to me while I am working?
- Provide the client with your expected arrival time.
- Tell the client not to mention the incident to anyone who does not absolutely need to know.

1.10 Client Site Arrival_________________________________
On the way to the client’s site (whether by car, train, or aircraft), do not waste time. Focus on reviewing the answers the client gave to the above questions. If you were able to obtain it, review the network topology diagram that was sent to you. Discuss with your team members (if you are operating as part of a team) various approaches to the problem at hand. Know what your plan of attack is going to be by the time you arrive on-site at the client’s premises. If you are part of a team, remember that there is only one person in charge. Everyone on the team must completely support the team leader at the client site. The first thing to do at the client’s site is to go through a pre-briefing. This is about a 15-minute period (do not spend much time here … begin the evidence collection process as quickly as possible) in which you interface with the client and the personnel he has gathered to help in your investigation, giving you the opportunity to ask some additional questions, meet key personnel you will be working with (managers, system administrators, key project personnel that used the compromised system, security personnel, etc.), and obtain an update on the situation (something new might have occurred while you were en route). Once again, there are a variety of questions. Depending on the case, you will choose to ask some of the questions and ignore others. Again, also consider the order of the questions. These questions should also help generate some other questions. When the questions refer to “personnel,” the reference is to those who (in some way, shape, or form) had access to the compromised system(s). Some of the questions can be asked of the entire pre-briefing group, whereas others may need to be asked privately. Use discretion and tact. Again, remember that you can ask questions now, but someone may have to go find the answers and report back to you.

- Was it normal for these persons to have been on the system during the past 24 hours?
- Who was the last person on the system? Does this person normally work these hours?
- Do any of your personnel have a habit of working on weekends, arriving very early, or staying very late? What are the work patterns of these personnel?
- At what time(s) did the incident occur?
- What was on the computer screen?
- When was the system last backed up?
- How long have these persons been with the organization?
- Have any of these persons behaved in a strange manner? Do any have unusual habits or an adverse relationship with other employees?
- Have there been any other unusual network occurrences during the past 30 days?
- Can you provide me with an overview of what has happened here?
- What programs/contracts were the compromised systems involved with? What personnel work on these programs/contracts?
- Is there anything different about the area where the systems reside? Does anything look out of place?
- What level of access (clearance) does each of the individuals have for the compromised system and the area where it resides?
- Are any of the personnel associated with the systems not United States citizens?
- Are any cameras or microphones in the area that could track personnel movements at or near the compromised system area?
- Are there access logs into/out of the building and area?
- Do people share passwords or user IDs?
- Does the organization have any financial problems or critical schedule slippages?
- Have any personnel taken extended vacations, had unexplained absences, or visited foreign countries for business/pleasure during the past 90 days?
- Have any personnel been reprimanded in the past for system abuse or any other issues?
- Are any personnel having financial or marital hardships? Are any having intimate relations with any fellow employee or contractor?
- Are any personnel contractors/part-time or not full-time employees?
- Who else had access to the area that was compromised?
- What are the educational levels and computer expertise levels of each of the personnel involved with the system?
- What type of work is this organization involved with (current and past)?
- Who first noticed the incident? Who first reported the incident? When?
- Did the person who noticed the incident touch anything besides the telephone?
- Does anyone else in the company know of this?
- Based on records from Physical Security, what time did each of the personnel arrive in the building today?
- Based on records from Physical Security, if any personnel arrived early, was anyone else already in the building? Was this normal for them?
- For the past 30 days, provide me with a listing of everyone who was on the compromised system, along with their dates/times of access.
- What was the purpose of that specific system?
- Has the employment of anyone in the organization been terminated during the past 90 days?
- Can you give me a copy of the organization’s security policy/procedures?
- Why do you think there was a break-in? (Try to get people to talk.)
- Obtain any records available for the compromised system, such as purchasing records (see original configuration of box) and service records (modifications, problems the box had, etc.).
- Obtain a diagram of the network architecture (if you have not already obtained one).
- Verify that any experts associated with the system are present. Obtain their names and contact information.
- Briefly spell out the evidence collection procedure you will be following to those in the pre-briefing.
- Have you received the backup tape requested for the compromised system? If not, are backups done on a regularly scheduled basis?
- Was the system serviced recently? By whom?
- Were any new applications recently added to the compromised systems?
- Were any patches or operating system upgrades recently done on the compromised system?
- Were any suspicious personnel in the area of the compromised systems during the past 30 days?
- Were any abnormal access rights given to any personnel in the past 90 days who are not normally associated with the system?
- Are there any known disgruntled employees, contractors, etc.?
- Were any new contractors, employees, etc. hired in the past month?
- Are there any human resources, union, or specific organizational policies or regulations that I need to abide by while conducting this investigation?

1.11 Evidence Collection Procedures_____________________
1.11.1 What is Locard’s Exchange Principle?
Anyone, or anything, entering a crime scene takes something of the crime scene with them. They also leave behind something of themselves when they depart. To what Web site should you go to read computer search and seizure guidelines that are accepted in a court of law?

1.11.2 List the six investigative techniques, in order, used by the FBI:
1. Check records, logs, and documentation.
2. Interview personnel.
3. Conduct surveillance.
4. Prepare search warrant.
5. Search the suspect’s premises if necessary.
6. Seize evidence if necessary.

1.11.3 You are at the crime scene with a system expert and a network infrastructure specialist. What should be your first steps?
If allowed, photograph the crime scene. This includes the area in general, computer monitors, electronic instrument information from devices that are in the area (cellular telephones, pagers, etc.), and cabling connections (including under the floor if the floor is raised). Make sketches as necessary. If there is an active modem connection (flashing lights indicating communication in progress), quickly unplug it and obtain internal modem information via an RS-232 connection to your laptop. Is it normal for a modem to be here? If so, is it normal for it to be active at this time? Lift ceiling tiles and look around.

1.11.4 What are the six steps, in order, that a computer crime investigator would normally follow?
1. Secure the crime scene (if the attacker is still online, initiate a backtrace). Note that a backtrace (also called a traceback) is an attempt to obtain the geographical location(s) of the attacker(s) using specialized software tools.
2. Collect evidence (assume it will go to court).
3. Interview witnesses.
4. Plant sniffers (if no IDS [Intrusion Detection System] is in place).
5. Obtain laboratory analysis of collected evidence.
6. Turn findings and recommendations over to the proper authority.

1.11.5 What tools could be used to obtain the bitstream backup of the hard drive(s)?
SafeBack, dd (UNIX), and EnCase are examples. There are others, but the focus will be on these since they are the ones the author has experience with.

1.11.6 Detailed Procedures for Obtaining a Bitstream Backup of a Hard Drive
You are sitting in front of a victim system at the client’s site. The system is still on, but the client removed the system from the network while you were en route to the site. Otherwise, the system has been left untouched since you were contacted. Observe that this is an Intel platform running Microsoft Windows 98. You could choose either SafeBack or EnCase to obtain the bitstream backup; in this case, choose SafeBack. Look on the back of the system and see that there is a parallel port, but no SCSI port. The bitstream backup of the hard drive will take much less time if a SCSI connection can be used instead of the parallel port. Therefore, also go through the process of installing a SCSI card in the victim system (I always carry a SCSI card as part of a standard toolkit). The steps taken are as follows:
1. Pull the power plug from the back of the computer (not from the wall).
2. Look carefully for booby traps (unlikely, but possible) as you open the case of the computer. Look inside for anything unusual. Disconnect the power plugs from the hard drives to prevent them from accidentally booting.
3. Choose a SCSI card. The SCSI card I prefer to use for Microsoft Windows-based systems that have a PCI bus is the Adaptec 19160 because of its high performance and reliability. The Adaptec 19160 comes with EZ-SCSI software, and updated driver software can be obtained automatically over the Internet. Adaptec rigorously tests their card with hundreds of SCSI systems. I have never had a problem with one of their cards, so I highly recommend them. The card has a 5-year warranty and free technical support (if I need help with configuration, etc.) for 2 years. It is a great bargain. (Just so you know, Adaptec has no idea I am saying good things about their product — I am just impressed with it.)
4. Now install the SCSI card into an open 32-bit PCI expansion slot in the victim system. Read the small manual that comes with the SCSI card. Remove one of the (usually silver) expansion slot covers. Handle the card carefully. It is inside a static protection bag. Be sure to discharge any static electricity from your body before handling the card to avoid damaging it.
Do this by touching a grounded metal object (such as the back of a computer that is plugged in). PCI expansion slots are normally white or ivory colored. Once the card clicks in place (you may have to press down somewhat firmly), use the slot cover screw that you removed to secure the card in place.
5. Plug the system power cable back into the back of the computer.
6. Insert the DOS boot diskette and power up the computer. I will discuss this boot diskette for a moment. The DOS boot diskette is a diskette that goes in the A: drive of the target system. (Note: This boot media could just as easily be on a CD-ROM, Jaz, or Zip Disk. What you use depends on what is available to you on the target system.) I will discuss the contents of this boot diskette shortly.
7. Turn on the system and press the proper key to get into the CMOS BIOS area. On some systems the proper key to press is displayed on the screen. If not, some common keys to get into the CMOS BIOS area are:
   Dell computers: F12
   Compaq: F10
   IBM: F1
   PC clones: Delete, Ctrl-Alt-Esc, or Ctrl-Alt-Enter
8. Run the CMOS setup and ensure that the computer will boot first from the diskette. While in the CMOS BIOS setup, note the time and compare it to the time on your watch. Make a note of any difference for future reference against your own time keeping and the times running on other systems (such as router time, firewall time, etc.). The NTI forensics utility “gettime” may also be used before beginning the evidence collection process (bitstream backup) if preferred.
9. Exit the CMOS BIOS routine and save changes.
10. Let the computer now continue to boot itself from the diskette. Now you know that the system will boot first from your diskette and will not boot from the system hard drive.
11. Power off the computer, disconnect the power cable from the back of the computer, and reconnect the hard drive power cables.
12. Put the cover back on the computer and plug the power cable back into the computer. Do not turn the computer back on yet.
13. Choose a medium to back up the victim hard drive. In this example, I will use the Ecrix VXA-1 tape drive. (Once again, I highly recommend this tape backup unit. Learn more about this tape drive by going to http://www.ecrix.com. Each Ecrix tape holds up to 66 GB of data and the maximum data transfer rate is around 6 MB/sec.)
14. Place a SCSI terminator on the bottom SCSI connection of the Ecrix tape drive. Be sure there are no SCSI ID conflicts. (Read the short manuals that come with the Ecrix tape drive and the Adaptec SCSI card for more information. You probably will not have to do anything, but read them just in case.)
15. Connect the 50-pin SCSI cable from the back of the Ecrix tape drive to the Adaptec SCSI card external connector on the back of the victim system. With the following changes to the standard SCSI settings, the Ecrix VXA-1 works excellently with SafeBack. Do not start yet.

1.11.6.1 Follow these steps when I actually tell you to boot the system with your boot diskette:
1. When your system boots, wait for the “Press Ctrl-A for SCSI Setup” message to appear, and then press Ctrl-A.
2. When the SCSI setup menu appears, choose “Configure/View Host Adapter Settings.”
3. Then choose “SCSI Device Configuration.”
4. Set “Initiate Sync Negotiation” to NO for all SCSI IDs.
5. Set “Maximum Sync Transfer Rate” to 10.0 for all IDs.
6. Set “Enable Disconnection” to NO for all IDs.
7. Press “ESC” and save all changes.

The boot diskette I will use needs to contain some basic DOS commands, Ecrix and Adaptec software drivers, SafeBack’s Master.exe file that runs SafeBack, and a few other forensic tools. The DOS boot diskette I am creating will also work with Jaz Drives and Zip Drives (as well as the Ecrix tape drive I am using). To create your DOS boot diskette (which you would have done before coming to the client site):
1. Place the diskette in the A: drive of a system you know and trust and type “format a: /s” (do not type the quotes) from the DOS command line prompt.
2. Once the formatting is complete, load the following files on the diskette: config.sys, autoexec.bat, master.exe, aspi8u2.sys, guest.ini, himem.sys, fdisk.exe, format.com, smartdrv.exe, restpart.exe, aspiatap.sys, aspippm2.sys, advaspi.sys, aspicd.sys, aspippm1.sys, guest.exe, aspi1616.sys, nibble2.ilm, nibble.ilm, aspiide.sys, aspi8dos.sys, drvspace.bin, driver.sys, crcmd5.exe, disksig.exe, doc.exe, filelist.exe, getfree.exe, getslack.exe, getswap.exe, gettime.exe.
3. Some of these files are not necessary, but I have found them to be helpful in the past, so I will include them.
Where do you obtain these files? The DOS commands/drivers may be obtained from a trusted machine in the c:\windows and c:\windows\command directories. The driver files and some of the executables may be obtained from the media provided with the Adaptec SCSI card and from the Ecrix and Iomega media provided with those products. You may also obtain files from their respective Web sites.

The autoexec.bat file mentioned above should contain the following statement:
    smartdrv
The config.sys file mentioned above should contain the following statements:
    files=30
    buffers=8
    lastdrive=z
    dos=high,umb
    device=himem.sys
    device=aspi8u2.sys /D

1. Now place your boot diskette (be sure it is virus free) into the victim machine.
2. Turn on the system and watch the system prompts as they display on the screen.
3. When the system boots, wait for the “Press Ctrl-A for SCSI Setup” message to appear, and then press Ctrl-A.
4. When the SCSI setup menu appears, choose “Configure/View Host Adapter Settings.”
5. Then choose “SCSI Device Configuration.”
6. Set “Initiate Sync Negotiation” to NO for all SCSI IDs.
7. Set “Maximum Sync Transfer Rate” to 10.0 for all IDs.
8. Set “Enable Disconnection” to NO for all IDs.
9. Press “ESC” and save all changes. Let the system continue to boot to a DOS prompt.
10. Start SafeBack (run the Master.exe program that is on your diskette).
11. Enter the audit file name. (It cannot be the same location where your evidence will go.)
12. Choose these settings in SafeBack: Backup, Local, No Direct Access, Auto for XBIOS use, Auto adjust partitions, Yes to Backfill on restore, No to compress sector data.
13. Now select what is to be backed up using the arrow keys, space bar, and appropriate letters, and then press <enter> when done.
14. Enter the name of the file that will contain the backup image.
15. Follow prompts as required.
16. Enter text for the comment record. Include information on the case, the machine, and unusual items or procedures.
17. Press ESC when done with the text comment record. The bitstream backup will now begin.

1.11.6.2 When the backup is completed, ESC back to the proper screen and perform
Be sure to immediately make a duplicate of the disks/tapes before leaving the client site. Do not keep duplicate backup tapes in the same container. Send one to your lab via DCFL guidelines (http://www.dcfl.gov) and take the other copy of the evidence with you to your analysis lab. Now, be sure to run DiskSig from NTI to obtain a CRC checksum and MD5 digest of the victim hard drive. See the section on DiskSig for more information. This will take time, depending on the size of the victim hard drive. It takes hours for the bitstream backups to be made.

1.11.6.3 What should you do in the meantime?
First ensure that your bitstream backup will be secure while the process is ongoing. As long as it is secure, discuss the network topology diagram with the network infrastructure experts. If possible, take a physical walk-through of the infrastructure. Follow the cables from the victim system to the ports, switches, routers, hubs — whatever the system is connected to. System/infrastructure experts at the client site will help you collect log information from relevant firewalls, routers, switches, etc. For all evidence collected, be sure to always maintain chain of custody and keep the evidence in a secured area that has proper access controls.
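The post-backup checks described above (a CRC checksum and MD5 digest of the image, comparison against the duplicate tape, and a comment record carrying the case, machine and the CMOS clock offset noted in step 8), written out in Python as an added example. This is not code from the chapter or from NTI's DiskSig or SafeBack; the sample image bytes, case identifier and machine name are constructed.

```python
# Added example, not code from the chapter or from NTI's DiskSig/SafeBack:
# the post-backup checks above (CRC checksum and MD5 digest of the image,
# comparison against the duplicate tape, and a comment record carrying the
# case, machine and CMOS clock offset from step 8). Sample values are constructed.
import hashlib
import zlib
from datetime import datetime

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in RAM
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def digest_stream(chunks):
    """CRC32 and MD5 over an iterable of byte chunks; the result does not
    depend on how the image is split into chunks."""
    crc, md5, size = 0, hashlib.md5(), 0
    for block in chunks:
        crc = zlib.crc32(block, crc)
        md5.update(block)
        size += len(block)
    return {"bytes": size, "crc32": f"{crc & 0xFFFFFFFF:08x}", "md5": md5.hexdigest()}


def digest_image(path):
    """Digest an image file on disk chunk by chunk."""
    with open(path, "rb") as fh:
        return digest_stream(iter(lambda: fh.read(CHUNK), b""))


def duplicate_matches(original, duplicate):
    """A duplicate tape is usable only if size, CRC and MD5 all agree."""
    return all(original[k] == duplicate[k] for k in ("bytes", "crc32", "md5"))


def clock_offset_seconds(cmos_time, examiner_time):
    """Step 8: seconds the victim's CMOS clock runs ahead of (positive) or
    behind (negative) the examiner's watch; both as 'YYYY-MM-DD HH:MM:SS'."""
    delta = datetime.strptime(cmos_time, TIME_FMT) - datetime.strptime(examiner_time, TIME_FMT)
    return int(delta.total_seconds())


def comment_record(case, machine, digest, cmos_time, examiner_time, notes=""):
    """Fields for SafeBack's comment record (step 16): case, machine, digests,
    clock skew and any unusual items or procedures."""
    return {"case": case, "machine": machine, "bytes": digest["bytes"],
            "crc32": digest["crc32"], "md5": digest["md5"],
            "cmos_offset_seconds": clock_offset_seconds(cmos_time, examiner_time),
            "notes": notes}
```

Run digest_image over both the original image and the duplicate before either leaves the client site, and keep the returned digests with the comment record so the lab can re-verify the tape it receives.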
