Computer Forensics Incident Response Essentials 1st Edition Warren G. Kruse Ii 2024 Scribd Download

Full download ebook at ebookname.
com
Computer Forensics Incident Response Essentials

1st Edition Warren G. Kruse Ii
https://ebookname.com/product/computer-forensics-incident-
response-essentials-1st-edition-warren-g-kruse-ii/
OR CLICK BUTTON
DOWLOAD NOW
Download more ebook from https://ebookname.com

More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Incident Response and Computer Forensics 2nd Edition

Chris Prosise
https://ebookname.com/product/incident-response-and-computer-
forensics-2nd-edition-chris-prosise/
Computer Forensics JumpStart 2nd Edition Michael G.

Solomon
https://ebookname.com/product/computer-forensics-jumpstart-2nd-
edition-michael-g-solomon/
Investigation Procedures and Response With Access Code

1 Computer Forensics 1 Pap/Psc Edition Stephen Helba
https://ebookname.com/product/investigation-procedures-and-
response-with-access-code-1-computer-forensics-1-pap-psc-edition-
stephen-helba/
Hacking Exposed Computer Forensics 2nd Edition Michael

Bass
https://ebookname.com/product/hacking-exposed-computer-
forensics-2nd-edition-michael-bass/
Guide to Computer Forensics and Investigations 4th
Edition Bill Nelson
https://ebookname.com/product/guide-to-computer-forensics-and-
investigations-4th-edition-bill-nelson/
Essentials of DAS II Assessment Essentials of

Psychological Assessment 1st Edition Ron Dumont
https://ebookname.com/product/essentials-of-das-ii-assessment-
essentials-of-psychological-assessment-1st-edition-ron-dumont/
Emerging Technology Programs ADM Hybrids Computer

Forensics and MEMS 1st Edition John Vanston
https://ebookname.com/product/emerging-technology-programs-adm-
hybrids-computer-forensics-and-mems-1st-edition-john-vanston/
The Ethics of Sankara and Santideva A Selfless Response

to an Illusory World Warren Lee Todd
https://ebookname.com/product/the-ethics-of-sankara-and-
santideva-a-selfless-response-to-an-illusory-world-warren-lee-
todd/
Engineering Response to Climate Change Second Edition

Robert G. Watts
https://ebookname.com/product/engineering-response-to-climate-
change-second-edition-robert-g-watts/
Computer
Forensics
This page intentionally left blank
Computer
Forensics
Incident Response
Essentials
Warren G. Kruse II
Jay G. Heiser
Addison-Wesley
Boston • San Francisco • New York • Toronto
Montreal • London • Munich • Paris • Madrid • Capetown
Sydney • Tokyo • Singapore • Mexico City
Many of the designations used by manufacturers and sellers to distinguish their products are
claimed as trademarks. Where those designations appear in this book, and Addison-Wesley, Inc.,
was aware of a trademark claim, the designations have been printed in initial capital letters
or in all capitals.
The authors and publisher have taken care in the preparation of this book, but make no
expressed or implied waranty of any kind and assume no responsibility for errors or omis-
sions. No liability is assumed for incidental or consequential damages in connection with or
arising out of the use of the information or programs contained herin.
Screen shots reprinted with permission from Microsoft.
The publisher offers discounts on this book when ordered in quantity for special sales. For
more information, please contact:
Pearson Education Corporate Sales Division
201 W. 103rd Street
Indianapolis, IN 46290
(800) 428-5331
[email protected]
Visit AW on the Web: www.awl.com/cseng/
Library of Congress Cataloging-in-Publication Data
Kruse, Warren G.
Computer forensics : incident response essentials / Warren G. Kruse II, Jay G. Heiser.
p. cm.
Includes bibliographical references and index.
ISBN 0-201-70719-5
1. Computer security. 2. Computer networks—Security measures. 3. Forensic sciences.
I. Heiser, Jay G. II. Title
QA76.9.A25 K78 2001
005.8—dc21 2001034106
Copyright © 2002 by Lucent Technologies

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or
otherwise, without the prior consent of the publisher. Printed in the United States of America.
Published simultaneously in Canada.
ISBN 0-201-70719-5
Text printed in the United States on recycled paper at RR Donnelley Crawfordsville in Crawfordsville, Indiana.
14th Printing March 2010
CONTENTS
Preface vii
Acknowledgments xiii
Chapter 1 Introduction to Computer Forensics 1
Chapter 2 Tracking an Offender 23
Chapter 3 The Basics of Hard Drives and Storage Media 65
Chapter 4 Encryption and Forensics 83
Chapter 5 Data Hiding 105
Chapter 6 Hostile Code 129
Chapter 7 Your Electronic Toolkit 149
Chapter 8 Investigating Windows Computers 177
Chapter 9 Introduction to Unix for Forensic Examiners 207
Chapter 10 Compromising a Unix Host 245
Chapter 11 Investigating a Unix Host 263
Chapter 12 Introduction to the Criminal Justice System 311
Chapter 13 Conclusion 325
v
vi CONTENTS
Appendix A Internet Data Center Response Plan 327
Appendix B Incident Response Triage Questionnaire 353
Appendix C How to Become a Unix Guru 363
Appendix D Exporting a Windows 2000 Personal Certificate 367
Appendix E How to Crowbar Unix Hosts 375
Appendix F Creating a Linux Boot CD 377
Appendix G Contents of a Forensic CD 379
Annotated Bibliography 381
Index 385
Preface
Billions of dollars are lost annually to crime, and computers are increasingly
involved. It is clear that law enforcement agencies need to investigate digital evi-
dence, but does it make sense to encourage a bunch of computer administrators to
become junior g-men? Do we really need amateur digital sleuths? In a word, yes.
Bad things are happening on computers and to computers, and the organizations
responsible for these computers have a need to find out what exactly happened. You
probably cannot pick up the phone and bring in law enforcement officials every time
something anomalous happens on one of your servers and expect them to send out a
team of forensic specialists, and even if you could, your corporate executives may not
want that. All major corporations have internal security departments that are quite
busy performing internal investigations. However, the security professionals who
typically fill this role are accustomed to dealing with theft and safety issues and are
often ill-prepared to deal with computer crime.
This book is inspired by the needs of the people who attend the author’s semi-
nars on computer forensics. If for no other reason than these sold-out seminars, we
know that there is a big demand for greater expertise in digital investigations. Sys-
tem administrators and corporate security staff are the people we’ve designed the
book for. Most of the seminar attendees are fairly skilled in the use and maintenance
of Microsoft environments. Some of them are Unix specialists, but many students
have expressed a strong desire to learn more about Unix. Once a corporation discov-
ers that they know someone who can investigate Windows incidents, it is assumed
that he or she knows everything about computers, and it is usually only a matter of
time until this person is pressured into taking a look at a suspect Unix system.
Our students come from a wide variety of backgrounds and have diverse investi-
gatory needs and desires. We try to accommodate these varying agendas in this
book, to which we bring our experience in investigation and incident response. War-
ren Kruse is a former police officer who regularly performs computer forensic exam-
inations inside and outside of Lucent Technologies. Jay Heiser is an information
security consultant who has been on the response teams for numerous hacked Inter-
net servers. To the maximum extent possible, this book contains everything useful
that we’ve learned from performing investigations and teaching others to do so for
themselves. We know what questions will be asked, and this book is designed to
answer them. It is a practical guide to the techniques used by real people to investi-
gate real computer crimes.
vii
viii P R E FAC E
How to Read This Book

This book can be read cover to cover, as a complete introductory course in computer
forensics. However, it is also meant to serve as a handbook, and we expect many
readers to be familiar with some of the subjects we cover. For that reason, each chap-
ter is a complete unit and can be read when convenient or necessary. You probably
specialize in one or more of the areas covered in this text. However, we believe that
the information presented in this book is at the minimum required level of legal and
computer literacy, and we urge you to become knowledgeable in all of the areas we
cover: legal, procedural, and technical.
A brief description of the information covered in each chapter is provided in the
sections that follow.
Introduction to Computer Forensics

Chapter 1 outlines the basic process of evidence collection and analysis, which is the
meat of computer forensics. Even those readers with a background in law enforce-
ment will find new techniques in this chapter that are specific to computer forensics.
Tracking an Offender
The Internet is pervasive, and a high percentage of your investigations will involve
either incoming or outgoing Internet traffic. The material in Chapter 2 will help you
interpret the clues inside of email messages and news postings. It will also start you
on the path toward becoming an Internet detective, using standard Internet services
to perform remote investigations.
The Basics of Hard Drives and Storage Media

For the computer sleuth, hard drives are the most significant containers of evidence.
Chapter 3 provides an understanding of both their logical and their physical config-
urations. It covers partitions and low-level formatting, filesystems, and hardware
drive interfaces.
Encryption and Forensics

Cryptography has become ubiquitous in the virtual world of the Internet. A skilled
investigator must have a solid understanding of the technology and goals of modern
P R E FAC E ix
cryptography. It is relevant both in understanding evidence and, interestingly, in

the preservation of evidence. Many investigators lack a necessary level of crypto-
literacy, so Chapter 4 provides a broad introduction to encryption with special
emphasis on its significance and application in computer forensics. We also discuss
common encoding and archiving formats (such as uuencode and PKZIP) that can
complicate your keyword searches. As digital signature technology grows in legal
significance and finds new uses, forensic investigators will be expected to under-
stand its limitations and must have a firm grasp of the ways in which a digital iden-
tity can be stolen. The digital timestamping of forensic evidence will soon become
standard procedure in digital investigations. If you already have a background in
these encryption concepts, then you may wish to skim this chapter.
Data Hiding
Being able to find hidden data is a crucial investigative skill. Even if you are highly
crypto-literate, you still may not be aware of steganography (the art of hiding infor-
mation by embedding covert messages within other messages) and other data-
hiding techniques. Continuing the subject of encryption, Chapter 5 describes the use
of specific password-cracking tools that we have successfully used during our inves-
tigations. This chapter categorizes and describes the ways that data can be hidden—
not just by encryption—and provides practical guidance on how to find and read
hidden data.
Hostile Code
Being able to identify and understand the implications of criminal tools is a skill
that every investigator needs. Given that hostile code can be arcane and that few
readers have a background in it, Chapter 6 provides an introduction to the topic and
an overview of the types and capabilities of digital criminal tools that the investiga-
tor may encounter. We’ve included a couple of war stories involving the recent use of
“hacker tools” on corporate PCs, which is becoming increasingly common.
Your Electronic Toolkit

Although forensic-specific tools have a certain James Bond–like appeal—and we
cover these products—a large percentage of your work will be done with system
tools that were not specifically created for the unique needs of forensic investigation.
Chapter 7 will introduce you to a wide variety of utility types and specific brand
name tools, along with instructions in their use in a digital investigation.
x P R E FAC E
Investigating Windows Computers

Microsoft Windows, in all its various flavors, is the most widely used family of oper-
ating systems. While Chapter 8 assumes some background in Windows, you don’t
need to be a Microsoft Certified Systems Engineer in order to apply the techniques
and tricks we discuss. Emphasis is placed on Windows NT 4.0 and Windows 9x, but
several important new Windows 2000 features, such as the Encrypting File System,
are covered. An experienced investigator soon learns that nothing is too obsolete to
be in daily use somewhere, so the chapter concludes with Windows 3.1–specific
material.
Introduction to Unix for Forensic Examiners

For those readers with no prior Unix experience, Chapter 9 provides an introduction
with special emphasis on Unix characteristics that are most significant for the
forensic investigator. Experienced Unix users can skim or skip this chapter.
Compromising a Unix Host

Chapter 10 is intended as background material for the investigation of hacked
Internet hosts. It describes the process that Unix attackers typically use and pro-
vides an understanding of the goals of typical system hackers.
Investigating a Unix Host

While emphasizing the investigation of hacked Unix hosts, Chapter 11 describes
techniques that are applicable to all forms of Unix investigation. It contains a
detailed set of Unix-specific techniques and processes that use common Unix utili-
ties for collecting and evaluating evidence. It also contains instructions on using a
Unix boot CD to capture information over a network when you can’t attach hard-
ware directly to a suspect system.
Introduction to the Criminal Justice System

The final chapter explains what you need to do after you have begun collecting evi-
dence and provides an overview of the criminal justice process. Legal concepts such
as affidavits, subpoenas, and warrants are described. You will be a more effective
interface between your organization and law enforcement agents if you understand
P R E FAC E xi
what they do and how both investigations and prosecutions are structured by the
legal system.
Appendixes
As in most books, the appendixes in this one contain information that doesn’t fit
neatly anywhere else. They are standalone guides to specific needs.
Appendix A, Internet Data Center Response Plan, defines a process for handling
computer security incidents in Internet Data Centers.
Appendix B, Incident Response Triage, provides a list of general questions that
should be asked during the investigation of a computer crime incident.
Appendix C, How to Become a Unix Guru, provides self-study suggestions for
forensic examiners who want to improve their ability to investigate Unix hosts.
Appendix D, Exporting a Windows 2000 Personal Certificate, graphically depicts
the process of exporting a Personal Certificate from a Windows 2000 computer. Inves-
tigators should practice this process to prepare themselves for incidents involving
the Encrypted File System.
Appendix E, How to Crowbar Unix Hosts, describes the process of gaining
administrative access to a Unix system by booting it from a floppy or CD.
Appendix F, Creating a Linux Boot CD, provides several suggestions on tech-
niques and technology sources that are useful in the creation of bootable Linux CDs
that can be used to crowbar Unix or NT systems. Booting from a Linux CD can also
provide a trusted environment useful for examining or collecting evidence when it is
not feasible to remove the hard drive from a system.
Appendix G, Contents of a Forensic CD, provides a shopping list of useful tools
that should be considered the minimum set of forensic utilities that an examiner
brings during an incident response.
Acknowledgments
First, we would like to thank the many people who have patiently helped us write
this book (not all of whom realized they were doing it at the time): Nate Miller, Geoff
Silver, Felix Lindner, Tom Shevock, Tim Lunsford, Dan Farmer, Wietse Venema,
Aaron Higbee, Bill Brad, Aaron Kramer, Curt Bryson, Wil Harris, Dave Dittrich,
James Holley, Tim O’Neill, Fred Cohen, Lance Spitzner, Gene Spafford, Theresa Ho,
Joe Ippolito, Abigail Abraham, and Robert Weaver.
Our technical reviewers were invaluable for their careful scrutiny and sugges-
tions. They included: Joe Balsama, Steve Rago, Ed Skoudis, Steve Romig, David
Rhoades, Vernon Schryver, Peter Gutmann, John Sinteur, Will Morse, John Sebes,
Howard Harkness, Chris Kostick, Bruce Schneier, Elizabeth Zinkann, David Weis-
man, Alain Mayer, John Stewart, Joshua Guttman, and Harlan Carvey.
Mary Hart, Emily Frey, and Patrick Peterson, and the rest of the staff at Addison-
Wesley have done a phenomenal job in disciplining us and turning our experience
into a real book. We’d especially like to thank our editor, Karen Gettman, who talked
us into doing this and saw the project through to the end.
We dedicate this book to our children, Bobby, Caity, and Cassidy Kruse, and Kirk
Heiser, and to our wives, Maryann Kruse and Elizabeth Heiser, for their incredible
patience over the last two years when we were writing instead of spending time
with them.
Now is your time!
W.G.K and J.G.H
xiii
Chapter
1
Introduction to
Computer Forensics
Whenever we tell people that we work in “computer forensics,” they invariably

respond “that’s interesting” and then ask, “what is that?” Although relatively few
people are aware that computers can be examined to learn about human activities,
most people are not only aware of more traditional forms of forensics, but are actu-
ally quite interested in the subject. This familiarity makes it easy to explain what
we do for a living.
What Is Forensics?
During the twentieth century, the coherent application of methodical investigatory
techniques to solve crime cases has steadily increased and so has public interest in
what detectives do. Not only are Patricia Cornwell novels (starring heroine Kay
Scarpetta, a fictional state coroner) a great read, but they also provide a relatively
sophisticated understanding of forensic pathology. It isn’t surprising that they are
among the most popular books at the start of the twenty-first century. Continued
public interest in forensic methodology has resulted in a string of morbidly fascinat-
ing documentaries on cable television, and the fall 2000 season opened with a drama
that explicitly dealt with the adventures of police forensic technicians. Finally the
popular media is shifting its focus from the cadaver to the rest of the crime scene. It’s
apparent that forensics, and computer forensics,1 are becoming popular subjects.
Why? Because it is both fascinating and necessary. Everyone likes a mystery, but
interest in crime scene investigation strikes some deeper chord. The application of
human skills, high-tech tools, and precise methodology in the fight for justice is a
compelling story that is hard to resist.
1. Computer forensics involves the preservation, identification, extraction, documentation, and interpreta-
tion of computer media for evidentiary and/or root cause analysis. Read on for a more detailed description.
1
2 INTRODUCTION TO COMPUTER FORENSICS
The Growing Problem of Computer Crime

Computer misuse tends to fall into two categories. Either a computer is used to com-
mit a crime, or the computer itself is the target of a crime. Computers are ubiquitous
within modern organizations, and it is inevitable that illegal activities will involve
computers. Child pornography, threatening letters, fraud, and theft of intellectual
property are all crimes that leave digital tracks. Investigations into these types of
crimes usually include searching computers that are suspected of being involved in
their commission. Such analysis involves sifting through gigabytes of data looking
for specific keywords, examining log files to see what happened at certain times, and
hopefully providing evidence that a specific person did a specific illegal act—or that
a specific person apparently did NOT commit an illegal act.
The other category of crime, when the computer itself is the victim, is commonly
referred to as incident response. This refers to the examination of systems that have
been remotely attacked. During the 1980s, such attacks were carried out over phone
lines through modems, but now they originate almost exclusively from the Inter-
net. Remote attacks have become far more common, taking advantage of in-
creasingly complex and vulnerable network services. The ever-growing sophistication
and frequency of remote attacks has made the job of the incident response team quite
challenging.
Not only is the legal and regulatory environment constantly evolving, but so is
the nature of computer crime and the techniques used to investigate it. Computer
technology continues to evolve rapidly, new Internet crime tools are constantly
appearing, and new security tools are being developed to counter these new threats.
In common-law countries like the United States, Canada, and the United Kingdom,
legal precedent provides significant guidance in court cases. Computer crime involves
many new issues that haven’t been subjected to the conservative legal processes that
result in precedences that can be referred to in the future. Cyber lawyers have to deal
with a greater level of ambiguity than do many other legal specialists. All of this
means that the digital sleuth needs to be flexible and continually learning. It is not
an appropriate career for the complacent, but it is an exciting and challenging place
for someone seeking constant challenge and personal growth.
What Exactly Is Computer Forensics?

Computer forensics involves the preservation, identification, extraction, documenta-
tion and interpretation of computer data. It is often more of an art than a science,
but as in any discipline, computer forensic specialists follow clear, well-defined
methodologies and procedures, and flexibility is expected and encouraged when
encountering the unusual.
W H AT E X AC T LY I S C O M P U T E R F O R E N S I C S ? 3
It is unfortunate that computer forensics is sometimes misunderstood as being

somehow different from other types of investigations. For instance, if you were investi-
gating a murder that took place in Times Square, you would photograph the scene, look
for evidence, and take samples of the crime scene, including control samples to compare
to the evidence.The collection of evidence proceeds similarly in a computer investigation,
but for some reason, some people want to recreate the entire system, be it a standalone
PC, a server with a terabyte RAID system, or even an entire network. Nobody expects the
prosecution to rebuild Times Square in the courtroom, but that is often the expecta-
tion in a computer crime case. Admittedly, digital data can be highly volatile. General
unfamiliarity not only with computer forensics, but also with computers themselves,
makes this field a highly challenging one, but this book can help you prepare for it.
This is a good place to remind ourselves that we have to treat every case as if it
will end up in court. Take a minute to think of the consequences; don’t start poking
around a computer, decide that you have a problem, and then start handling it as
evidence. It is easier to regard the computer as evidence from the start, easing up on
the evidentiary process if you discover that a crime wasn’t committed. The opposite
approach is more difficult, if not impossible. However, if you reasonably (“reason-
ableness” is a key to most laws) believe when you start “looking around” on the com-
puter that it doesn’t warrant a forensic analysis and later discover an overtly illicit
act was committed, make sure that you fully document what you did and why. Your
evidence may still be defensible if explained to a judge and jury that you initially
had no reason to suspect that the computer was involved in a criminal act, and sub-
sequently discovered the crime when conducting routine troubleshooting, but only if
you fully documented your activities. The key to any investigation, particularly a
computer crime investigation, is documentation.
Computer forensics has a brief history. It has been only a few short years since
the largest drives available were under 20MB and a zip drive, a DOS disk, and a hex
editor were a sufficient forensic toolset. You would be hard-pressed today to find
enough zip disks in a computer store to capture the hard drive image of a standard
PC, but the highly conservative criminal justice world strongly encourages the con-
tinued use of the same techniques we used in the zip drive days. In this book,
we share some new techniques appropriate for rapidly changing technology, but
remember that basic forensic methodology remains consistent—it doesn’t change
just because drives get bigger and computers get smaller.
The basic methodology consists of what you can think of as the three As:
1. Acquire the evidence without altering or damaging the original.

2. Authenticate that your recovered evidence is the same as the originally seized
data.
3. Analyze the data without modifying it.
We expand on each of these three topics in the sections that follow; they are the
framework of every forensic game plan. The details of your specific game plan will
depend upon the circumstances and your goals, but the plan will always follow these
same three steps.
There are many possible goals other than successful criminal prosecution.
Sometimes forensics is conducted to determine the root cause of an event to ensure
that it will not happen again. This goal is important—you have to fully understand
the extent of your problem before you can be reasonably sure that it will not be
exploited again. You also have to fully understand a problem before you know how to
respond to it. A friend recently confided a story about unexpectedly finding a high-
port telnet daemon. After removing it, he thought that he had removed the intruder
and “resecured” his system, but two weeks later, he found the same unauthorized
process running. If you do not conduct a complete analysis and find the entire extent
of the compromise, it is only a matter of time before you have a bigger problem. It’s
kind of like termites, but worse—termites don’t deliberately retaliate!
In addition to helping us determine what happened, forensics can also address
the question of who was responsible. Forensics are used in investigations internal to
private organizations and, increasingly, by law enforcement during investigations of
all sorts of illegal activity that isn’t necessarily characterized as computer crime.
Just a few short years ago, as members of an emergency response team, we assisted
in a raid on a drug dealer’s home. While the detectives were collecting anything that
they thought had potential as evidence, we asked if they were going to seize the drug
dealer’s personal computer. The lead detective replied with certainty that they did
not need it. Perhaps they didn’t realize how rich a source of information a computer
can be about its user’s activities. This attitude is much less common today, although
the need for law enforcement officers trained for digital investigations still far out-
weighs the supply.
Most computer crime cases are not prosecuted, but we should still consider
acceptability in a court of law as our standard for investigative practice. We can
debate whether or not to pull the plug, or if we should use DOS/ Windows or Linux
for our analysis, but those are minor details. Our ultimate goal is to conduct our
investigation in a manner that will stand up to legal scrutiny. Treat every case like a
court case, and you will develop good investigative habits.
If your company has been lucky enough to avoid the need for computer forensics
(or so you think), congratulations; it will come soon enough. What do you do when
you are asked to investigate an incident, but your management wants the server
reloaded and backed up as soon as possible? Do you tell the boss that you need sev-
eral hours, if not several days, to analyze the system? Instead, you end up perform-
ing a watered-down version of forensics, and your results reflect the effort. Even
under less-than-ideal circumstances, whatever level of rigor you can apply to the
STEP 1: ACQUIRE THE EVIDENCE 5
investigation will bear some fruit, and maybe it will convince your boss to give you
more leeway during future events.
For the purposes of this chapter, it matters little what operating system, hard-
ware, or software the suspect or victim is using. We discuss examination specifics for
both Windows and Unix in Chapters 8 and 11, respectively. For now, let’s acquaint
ourselves with the three As so that when you are asked to investigate a computer
incident, you know what to do.
Step 1: Acquire the Evidence

When it comes to computer forensics, the only thing you can be certain of is uncer-
tainty. We often hear people say “I always do this” or “I always do that” but how can
that kind of certainty be possible when there are so many unknowns? A recently
published book contains the admonition that an investigator should never directly
examine the original storage media. Life should be that easy, but every case is differ-
ent. In some situations, especially Internet intrusions, the evidence may be found
only in RAM, and if you disconnect or turn off the computer before capturing an
image of the computer, you will destroy what little evidence exists. (In Chapter 7 we
discuss a toolset designed to retrieve evidence off a live system that would otherwise
be lost.) It may not be your proudest moment when you explain to your boss that you
took down a production server just to avoid examining the original media.
In a perfect world, every computer in need of analysis could be powered off, could
boot off a floppy disk, and maybe it would even be mirrored so that all you had to do
was remove one of the computer’s hard drives and not have to worry about backing
up and restoring the evidence on your analysis workstation. But we are not that
lucky. The challenge is in encountering unknown elements and thinking fast on your
feet. Whatever action you take during an investigation, remember to make sure you
act in ways that you can easily explain, and always document all of your actions.
Deciding whether to let a machine continue to run, to pull the power plug from
the back of the computer, or to perform the normal administrative shutdown process
is one of the longest running arguments in the computer forensics field. Many inves-
tigators claim that they always pull the plug, arguing that it is the only way to freeze
the computer at its current state. There is precedent for doing this, but it will result
in the loss of any data associated with an attack in process, and it may corrupt data
on the hard drive. We are not here to tell anyone that immediately pulling the power
plug is right or wrong; be flexible, because no two investigations are the same, and
there are no cookie-cutter approaches. There are some valid reasons to pull the plug.
If you make a mistake on a live system, you can’t just click the Undo button—you
are stuck with the consequences of your actions. However, if you pull the plug, then
you have more time to formulate a game plan and to perform a backup. If you knew
for certain that a computer criminal had left behind a software bomb that would
destroy all data the next time an administrator logged on, pulling the plug would be
a no-brainer, but you will never encounter that level of certainty.
The ideal way to examine a system and maintain the most defensible evidence is
to freeze it and examine a copy of the original data. However, this method is not
always practical and may be politically unacceptable. Management often refuses to
allow the shutdown of a system, especially if the system will be down for an indeter-
minate length of time. Just remember, you can lower your level of rigor after it is
determined that the case will not be prosecuted. Also keep in mind that if the system
actually has hostile code (or malware) running on it, information associated with
that malware will be lost if the system is powered down. Unfortunately, you may not
be able to tell whether or not such code is running.
If you do perform an investigation on a live system, you need to be aware that
a computer criminal may have anticipated such an investigation and altered some
of the system’s binaries. This is a long-standing problem on Unix systems (see
Chapter 10), and increasingly a problem on Windows systems. You cannot examine a
compromised system using the utilities found on that system and have a reasonable
expectation that those utilities will accurately report the true state of the system. As
summarized in Table 1-1, the examination of a system always involves choosing
tradeoffs between quality and convenience.
Handling the Evidence

As stated previously, the first actions a system administrator or investigator takes
may make or blow a case. If you don’t take care of your evidence, the rest of the
investigation will be compromised. All the hard work you do processing evidence will
come to naught when the court throws it out because of inadequacies in your
process. We will talk about the major events in the life of your evidence, including
the initial collection of the evidence and its eventual surrender to law enforcement
or the victim. Data handling, especially transportation and storage, is a recurring
theme during the entire investigation.
Chain of Custody
While this topic should be second nature for readers experienced in law enforce-
ment, it may be a new concept for others. The goal of carefully maintaining the chain
of custody is not only to protect the integrity of your evidence, but also to make it dif-
ficult for a defense attorney to successfully argue that the evidence was tampered
with while it was in your custody. The chain of custody procedure is a simple yet
Table 1-1 Level of Effort to Protect Evidence and Avoid Hostile Code
Method Advantages Disadvantages
Use a dedicated forensic No concern about the Inconvenient, time-

workstation to examine validity of either the soft- consuming. May result
a write-protected hard ware or hardware on the in loss of volatile
drive or image of suspect suspect host. Produces information.
hard drive. evidence most easily defended
in court.
Boot the system using a Convenient, quick. Evidence Assumes that hardware
verified, write-protected is defensible if suspect has not been compromised
floppy disk or CD with drives are mounted as read- (which is rare). May
kernel and tools. only. result in loss of volatile
information.
Build a new system Completely replicates oper- Requires availability of
containing an image of ational environment of hardware that is identi-
the suspect system and suspect computer, without cal to suspect computer.
examine it. running the risk of changing May result in loss of
its information. volatile information.
Examine the system Convenient, quick. Allows If a kernel is compro-
using external media examination of volatile mised, results may be
with verified software information. misleading. External
on it. media may not have
every necessary utility
on it.
Verify the software on Requires minimal prepara- Lack of write-protection
the suspect system, and tion. Allows examination of for suspect drives makes
then use the verified local volatile information. Can evidence difficult to
software to conduct be performed remotely. defend in court. Finding
examination. sources for hash values
and verifying the local
software requires a min-
imum of several hours,
unless Tripwire was
used ahead of time.
Examine the suspect Requires least amount of Least reliable method.
system using the software preparation. Allows examina- This is exactly what
on the suspect system tion of volatile information. cyber attackers are hop-
(without verifying the Can be performed remotely. ing you will do. Often a
software). complete waste of time.
effective process of documenting the complete journey of your evidence during the
life of the case, including answers to the following questions:
• Who collected it?

• How and where?
• Who took possession of it?
• How was it stored and protected in storage?
• Who took it out of storage and why?
Anyone who has possession of the evidence, the time at which they took and
returned possession, and why they were in possession of the evidence must be docu-
mented. Be assured that a defense attorney will carefully review the records associ-
ated with evidence, cross-referencing it to other documents in an attempt to find
discrepancies that can be used to weaken the case against his or her client.
To facilitate record keeping, you can create professional-looking forms or use a
spreadsheet program and create a few cells, as shown in Figure 1-1.
You can be creative and include more information, but the table shown in
Figure 1-1 will do the trick as long as it is completely filled out.
The fewer people who have access to your evidence room or locker, the better.
Defense attorneys love to argue that everyone who had access to the evidence could
have altered it. They don’t have to prove that the evidence was in fact altered for this
tactic to work. They only have to show that the evidence was not adequately safe-
guarded and hope the jury buys the argument that someone could have planted the
evidence.
We don’t have to look too far to find a reason why the chain of custody is a crucial
aspect of the forensic process. MSNBC reported on June 8, 2000, that the investigation
Item Date Time Location Name Reason

Toshiba Tecra 8000 serial # 1234 5/30/2000 9:00 AM Locked cabinet in room 123 Kruse Safekeeping
Toshiba Tecra 8000 serial # 1234 5/31/2000 10:53 PM Removed from locked cabinet Kruse Analysis
Toshiba Tecra 8000 serial # 1234 5/31/2000 11:48 PM Returned to locked cabinet in Kruse Safekeeping
room 123
Figure 1-1 Example evidence log

of the CD Universe Web site intrusion had “a problem with the preservation of the evi-
dence.”2 Two sources familiar with the investigation were quoted by MSNBC: “the
chain of custody was not established properly.” MSNBC quoted another source who
said, “It’s like the O.J. Simpson case, the evidence is tainted. Even if you find
whomever is responsible, how do you prosecute it?” Being compared to the O.J. Simp-
son case should not be one of the goals of your investigation. It is not clear exactly how
the evidence was compromised, but MSNBC reported it apparently occurred in the ini-
tial investigation in CD Universe’s headquarters as FBI agents and employees from
three computer security firms worked to determine how the intruder got into the com-
pany’s network to steal over 300,000 credit card numbers.
Collection
Obviously, you want the evidence collection process to support your case. The com-
plexity of the collection process usually corresponds to the complexity of an incident.
When you collect evidence, try to collect everything you can legally get your hands
on. This may seem like trivial advice now, but remember this tip when you’re in cri-
sis mode in the early stages of incident investigation. Once you leave that data cen-
ter, there is usually no going back. The computer, backup tape, floppy disk, or scrap
of paper that you initially thought was of no evidentiary value will probably be gone
when you decide you have to return for additional evidence. This is especially true
for log files.
Depending on the computer producing the logs, the data may be overwritten
routinely in intervals ranging from a few minutes to a few months. If you are dealing
with an Internet service provider (ISP), remember that they are not in the business
of storing logs; act quickly or the logs will be long gone. A rule of thumb for most ISPs
is 30 days, but because the cost of storing huge log files is high and the business ben-
efit is low, they have little incentive to save huge amounts of data. If you are going to
subpoena the logs from an ISP and you want to ensure that the evidence will not be
overwritten, you can ask them to preserve the logs while you are going through the
legal process. Most ISPs will comply; just try to make sure that your contact at the
ISP is not a suspect. We have heard accounts of ISPs being asked to preserve logs,
but when the subpoena showed up the data was missing.
Identification
Every single item that comes out of the suspect’s or victim’s location has to be identi-
fied and labeled. Most police departments are skilled in the methodical collection of
2. http://www.msnbc.com /news/417406.asp
evidence. In a large investigation, a law enforcement agency assigns a person to be

the evidence custodian at the scene. This ensures that a specific individual is respon-
sible for evidence collection instead of everyone walking out of the door with some-
thing under his or her arm. You should not collect evidence by yourself; get someone
to go with you as a witness. Ask your coworker to document the evidence while you
are collecting it.
If you are involved in a large-scale investigation involving numerous computers,
an easy way to simplify collection is to position your evidence custodian at the door
with a laptop computer, a portable printer, and a label printer such as the Casio
Smart Label printer (if such equipment is not available, handwritten labels will do
just fine). While your investigators are bringing out hand trucks full of equipment,
your evidence custodian can fill out the evidence log online and print labels for the
equipment. By creating reports ahead of time that automatically fill in the identical
information on sequential reports, labels, and so on, you save a lot of time. Your
favorite word processor probably has some of this functionality, but if you want full
electronic forms and form flow capability, reasonably priced and easily programmed,
check out Jetform.3 This software makes it easy to create, or re-create, your paper-
based forms. You can fill in header information so it automatically appears on every
form associated with your case.
You must accurately count and identify the evidence. You can use a label maker
for identification, or you can use stickers or tags, as long as they will not easily come
off and they are large enough to include
• The case number

• A brief description (in case the label comes off )
• Your signature (on each item)
• The date and time the evidence was collected
You should also photograph the crime scene. Take pictures of the entire scene,
gradually getting closer to the suspect computer until you are close enough to take
clear photographs of both the front and back while it is still connected to most of its
cables. This will help you later if you are questioned about the environment. The rea-
son we say “most of the cables” is because in some cases, you may decide to pull the
power cord. If you have reason to believe that destructive code is running and evi-
dence is being destroyed, then the best course of action is to immediately pull the
plug. Then photograph the scene as is and document in your reports the condition
and state (on, off, screen locked, etc.) of the computer system upon your arrival. If
3. http://www.jetform.com
you have no reason to believe that the computer is running anything destructive,
your first step should be to take a picture of the screen, followed by a complete pho-
tographic documentation of the machine. If you have made the decision to pull the
plug, it is best to wait until after you have completed your photographic evidence col-
lection. Obviously do not plug the computer back in just to take a picture. You should
try to photograph any serial numbers or other identifying features. It is difficult, but
not impossible, to photograph the serial number. You will probably have to use a
flash, and because most serial numbers are on a metal or shiny label, the flash cre-
ates a glare in the photograph. If you have a digital camera, you can experiment
with different angles without wasting film. The camera that we use, manufactured
by Sony, enables you to put a 3.5-inch floppy in the camera on which to store pho-
tographs. You can print the pictures and store the floppy disk in your file folder. If
you do not have a digital camera, store the prints and the negatives too, in case you
ever need to have more prints developed.
Your photographs and all the other evidence and reports should be stored in a
file folder, also known as a case folder, so that all of the information pertaining to
this specific incident are stored together. Clearly mark on the front of the folder the
same “header” information that we referred to earlier (case or incident number, loca-
tion, brief description, and so forth). If you are using a label printer, simply print one
more label for the front of your case folder. We prefer to use folders that can be
closed. Since you may have floppy disks and small scraps of paper in your folder,
being able to close it will reduce loss.
Transportation
Keep in mind that your evidence generally is not made to be moved, so be careful
when transporting it. Even laptops can be damaged if not handled properly. Hard
drives can easily be damaged from the read-write heads coming in contact with the
platter. A damaged hard drive is not going to be a happy hard drive, and you might
not be a happy camper either if the area of the drive that contains the evidence is
damaged and can no longer be read. Remember to use static-free packaging; the
grayish plastic is impregnated with graphite dust, making it static-free, and usually
pink bubble wrap is static-free.
When the person closing the packaging seals the container, a signature across
the seal will indicate that it has not been opened by anyone other than an autho-
rized person. When you do need to open the sealed container, document in your
reports that the seal was still intact and why you needed to unseal the package.
Once you are finished using the evidence, reseal the container with a new label,
preferably in another package, and secure it in a locked evidence locker. By placing
the original sealed container or bag inside another sealed bag, you can preserve the
original container and label. Your reports must note the person handling the
evidence as well as the dates, times, and reason for removing the evidence and the
date and time the evidence was returned to the locker.
Storage
Not only is it important to store the evidence in a cool, dry environment appropriate
for valuable electronic equipment, but because it is evidence and has legal sig-
nificance, you need to be even more careful. It has to be in sealed containers, in a
secure area with limited access. Controlling access to the evidence is important; the
original and still highly popular defense attorney trick is to argue that someone
tainted the evidence. When evidence is accessible to everyone and anyone, the
defense attorney can argue that any one of the people who had access to the secure
storage area could have tainted the evidence. To preemptively strike down that
argument, limit the number of persons with access to one primary custodian and
one alternate.
Documenting the Investigation

This step may be the most difficult for computer professionals. Most technically
adroit people can fix a computer blindfolded, but when you ask them how they did it,
they might not be able to tell you. If you fall into this category, it is another good rea-
son to work with a partner. One person works on the computer, and the other person
takes notes. You will find that once you start finding evidence, you will be drawn to
further exploration and find even more evidence. If you aren’t careful, you can
become so engrossed in your analysis that you totally forget to take notes. Keep that
writing pad handy and don’t leave the details to memory.
Document your actions in thorough reports with extensive details including the
software and version numbers of your software evidence, collection tools, the meth-
ods you used to collect and analyze the computer media, and the explanation of why
you did what you did. (Make sure you use only software that you are legally licensed
to have. It is embarrassing to be asked in a court of law, with the judge and jury
watching, if you were using illegally obtained software.)
Fortunately, the decisions you make in an investigation will not be judged on
whether or not you were right or wrong. Your value to the prosecution is usually the
“reasonableness” of your actions. If your notes thoroughly document everything you
did, they will greatly facilitate your explanation when asked about the incident
tomorrow by your boss, next week by your victim, the following month by a union or
attorney, and then three years from now when the case goes to trial in either a civil
or criminal court. If you believe that your memory alone is sufficient, think back to
the last time your computer did not boot properly. What exactly did you do to remedy
the problem?
STEP 2: AUTHENTICATE THE EVIDENCE 13
Step 2: Authenticate the Evidence

It is difficult to show that evidence (any kind of evidence) that you’ve collected is the
same as what was left behind by a criminal. Crime scenes age, and computers are
no exception. Evidence can be damaged by adverse environmental conditions (for
example, mold and dust) and by insects. You can show that the investigator intro-
duced no changes, and that if changes exist, they are due to the nature of computers
and don’t effect the evidentiary value of the evidence. Computer drives slowly dete-
riorate, but neither readable text nor pornographic pictures appear at random
through the action of digital wear and tear. Any text or pictures found on a computer
drive has a deliberate human source. The chain of custody and other evidentiary
handling rules assure the jury that no unanticipated or introduced changes
occurred and that it is reasonable to extrapolate from the point of collection back to
the time of the incident. In the digital world, we even have an advantage in that we
can show that the evidence did not change at all after we’ve collected it. While we
cannot show exactly when the evidence was collected, simple techniques enable us
to timestamp it, so we can at least show that it was in existence at a specific point
in time. Neither of these authentication techniques is possible with other forms of
evidence.
Both proof of integrity and timestamping are provided by calculating a value
that functions as a sort of electronic fingerprint for an individual file or even an
entire floppy or hard drive. This is a cryptographic technique, and the value is called
a hash. We discuss this concept in Chapter 4, so for now let’s say that a hash value is
calculated with the use of software, and that all forensic utility suites include such a
capability. When you initially collect data, you should create a hash value and record
it. After doing so, you can prove that the copies of the data you are using for your
examination are identical to what was originally collected.
Two algorithms, MD5 and SHA, are in common use today. If possible, create a
hash of the entire drive and the individual files. If you have a program like New
Technologies’ CRCMD5, use it (it creates both a CRC and an MD5). Increasingly,
applications such as Tripwire4 are using multiple hash algorithms. That way, if a
cryptological attack is discovered against a single algorithm in the future, the data
from the other algorithm will still be valid. CRC is already obsolete, and we predict
that the use of two hash routines will soon become common practice. We also see an
advantage in digital timestamping. While this is not yet a usual part of most investi-
gations, we’re giving you a leg up on the future by informing you about this simple
but effective method of evidence authentication.
4. http://www.tripwire.com
Step 3: Analysis
You are now in the home stretch of basic computer forensics and ready for the most
gratifying step, the analysis. After you back up the original drive to the Image
MaSSter (or other hard drive), use your tape drive to create a second copy, using the
Image MaSSter as the original this time. While you must continue to treat your col-
lected evidence with respect and care during the analysis phase, it is interesting to
be actively analyzing the evidence instead of doing paperwork. Remember to include
a note in your reports and your chain-of-custody records whenever you obtain and
return the original evidence to your secure storage cabinet.
The field of computer forensics has been undergoing a transition from conduct-
ing analysis within a command-line environment, such as DOS, to a graphical envi-
ronment, such as Windows. While image acquisition still must be performed in an
environment that does not alter the original evidence, which can mean that you are
limited to whatever operating system you can boot from a floppy disk, the analysis
can be done in the environment you prefer. Religious wars over operating systems
rage, but the fact of the matter is that you should use the one that you are comfort-
able with.
No matter what operating environment you choose, no single program on it will
do everything you require for this phase. You must become proficient with a lot of
them. Try to collect a variety of tools to meet unforeseen circumstances.
We discuss platform-specific techniques in Chapters 8 through 11. For now, let’s
discuss the basic methodology, which is the same on every operating system: “Do no
harm!” Whatever else you do, try not to damage your evidence, and never overstep
legal boundaries. (We discuss criminal justice regulatory issues in Chapter 12.)
Whenever a crime scene investigator lifts a print, he or she destroys the original—or
changes it considerably, but the damage is defensible. Computer forensic examiners
must develop the same level of standards and acceptable practices that physical
investigators adhere to. A little bit of knowledge can be dangerous, so try not to be
your own worst enemy and overstep your knowledge. Since we often work at a phys-
ical level, it is possible to alter evidence accidentally. Whenever possible, protect
your original physical evidence by working with a digital copy so that if you do make
a mistake, you can wipe the analysis drive, restore your image once again, and con-
tinue your analysis.
We recommend making two backups of the original drive. For the first backup,
we use the forensic version of the Image MaSSter, which comes in either a desktop
version, which is useful if you are primarily in a lab, or the Solo Forensic unit, which
is a portable unit slightly larger than a hard drive.5 With Image MaSSter you can
5. http://www.ics-iq.com
S T E P 3 : A N A LY S I S 15
make a drive-to-drive copy that is usually the fastest type of backup. After you back
up the original drive, you mount the copy to create an image tape. This tape is useful
for both archival purposes and for restoring the image. We prefer an initial drive-to-
drive copy instead of a drive-to-tape copy. We try to use the original drive as little as
possible, and the drive-to-drive copy is the fastest and most reliable way to collect
and secure the original evidence. The fewer steps needed to perform a backup, the
fewer things can go wrong, which is especially important when you are dealing with
critical original evidence.
Several commercial products are available for drive imaging that are acceptable
for use in forensics. A forensic backup is important because you want to make a bit-
for-bit (also known as a bit stream) clone of the original drive. A “normal” backup
doesn’t copy deleted files and the other parts of a hard drive that we want to investi-
gate for clues. Hard drives are such a significant part of an examination that we
have dedicated an entire chapter to the subject, Chapter 3. Chapter 7 on tools dis-
cusses specific utilities that are appropriate for making forensic backups.
Always make an MD5 hash of newly created drive images before doing any
analysis. If you are using Unix, don’t even mount the filesystem before creating a
hash value. You may be tempted to look at a directory listing to take a peek, but hold
off until after the MD5 hash is complete. After you have obtained your hash value
and recorded it in your notes, you can start your analysis.
With a notepad at your side, you usually start an analysis by looking at the par-
tition table on the suspect drive. Not only is the partition information important to
document in your reports, but it is also helpful to know what type of partitions you
are dealing with so you know what software tools you can use. For instance, if the
partition reports that it is NTFS (Windows NT File System), you can put away Nor-
ton Unerase because it doesn’t support NTFS.
After you note what partitions the drive has, look at a directory listing, including
subdirectories, to get a feel for what you are up against. Send the directory listing to
a printer. If you are in DOS and have a local printer attached, the command is:
c:\ dir /a /s >lpt1
The /a displays files with specified attributes such as hidden files, and the /s recur-
sively searches subdirectories.
If you want to create a file, the syntax is the same except that you replace lpt1
with the filename:
dir /s >e:\dirlist.txt
e is the drive designation of the external storage device. An Iomega zip drive works
well for this purpose, and an Iomega Tool for DOS, the Zip Guest program, recog-
nizes a parallel zip drive from a DOS prompt.
From a UNIX or Linux environment, you redirect the standard output to an

external device. In the following example, the data collection device is mounted as
/mnt/export:
ls –al >/mnt/export/dirlist
or
find . –ls >/mnt/export/dirlist
We prefer to save directory listings in electronic form. After you have your direc-
tory listing in a file, you can open it in a spreadsheet, or with a viewer such as Quick
View Plus, and use the find capability to access the data you are looking for. Using
a spreadsheet also gives you the advantage of being able to sort the data by
any field.
You should have developed a sense of your suspect’s technical prowess when you
were gathering physical evidence. Now you can evaluate your suspect’s capabilities
by understanding what is on his or her computer. For example, if the suspect
appears to have been using standard software, he or she may not be as sophisticated
as others you may encounter. Not that you should relax your guard; the suspect’s use
of standard software simply means that you might not encounter encrypted docu-
ments or other schemes to conceal evidence. If your suspect has certain programs
such as a steganography utility or password-cracking software, that is a clear sign
that you should keep your eyes open for sophisticated attempts to hide data.
You can use a hex editor or a forensic program to view the master boot record
and the boot sector. (You should use a hex editor only if you are well versed in its use.
For those who have never used a hex editor, at the end of this chapter is a list that
provides sources for excellent hands-on training.) For those who are comfortable
using a hex editor or forensic program, note the cluster size, and if the evidence
drive was using the DOS filesystem, view the File Allocation Table, or FAT, as well.
Look for clusters that are marked bad, and then using your hex editor, view the bad
clusters as HEX. Check if any data is hidden in the bad blocks. This is especially
important if observing your suspect’s directory listing and office environment gave
you reason to suspect a more advanced user.
If your hex editor or forensic program has a search capability, search for terms
related to your case. Avoid overly broad search terms so you don’t get too many false
positive hits. Because hard drives today have such large capacities, you cannot go
through every single sector manually looking for evidence. A powerful forensic pro-
gram with a sophisticated search capability is essential. Words such as “options,”
“soft,” and “setting,” return many false positives. Your analysis should include run-
ning searches for key terms but should not be limited to just running string
S T E P 3 : A N A LY S I S 17
searches. If you are searching for Easton Ave. but unknown to you, your suspect calls
the street Eastern Ave., you could miss critical data unless you also conduct a
through analysis of individual files. When you notice that your suspect is spelling
terms differently or you discover new details that are important to the case, you can,
and should, conduct additional searches.
After doing a keyword search, one of the next things you can do is to retrieve
deleted files. A thrilling moment in any forensic case is retrieving deleted files and
then sliding the recovered files across the table to the suspect during an interview.
Files can be recovered manually using a hex editor—if you have a lot of patience.
Files stored on a drive are usually fragmented. In order to reconstruct deleted files,
you have to chain the clusters together again to make a complete file. When you
delete a file in a Windows environment, the first character of the directory entry is
changed to a sigma character, the hex value of E5. The operating system recognizes
that the sigma indicates that this directory entry should not be displayed because
the file has been deleted. The entries in the File Allocation Table assigned to the
deleted file are changed to zero, indicating that the sectors they point to are unused
and available to the operating system for data storage. The operating system does
not do anything to the actual data until another file happens to be saved at the same
location, which is why you may be able to find incriminating data that the suspect
thought he or she had deleted.
If you are using file retrieval software such as Norton Unerase, it prompts you to
change the first character of each recovered file’s name to something that the oper-
ating system can recognize. When you replace the first character, don’t try to guess
what the original character was, simply replace the first character with a dash or
something that you can say you added to identify it as a retrieved file. Once you are
done, presto! Instant heartburn for your suspect. You will have to practice this tech-
nique to become proficient at it.
Manual retrieval of deleted files that are fragmented is a complex subject. To
study it in detail, we recommend you attend a course in computer forensics or one
given by a forensic software vendor. A company that provides excellent instruction is
New Technologies Inc. (NTI), which offers a three-day basic forensic class.6 Guidance
Software, the makers of EnCase, a popular forensic program, also offers classes.7
After you have retrieved the deleted files, the next step is to check unallocated
and slack space for residual data (see Chapter 3 for details and Chapter 7 for pro-
grams). Again, the easiest way to check unallocated and slack space is with software
tools specifically designed for this purpose. You will be amazed at the amount of data
located in these areas.
6. The syllabus can be viewed at http://www.forensics-intl.com.

7. Information is available at http://www.encase.com.
As you locate evidence, save copies of it on the hard drive of your analysis work-
station. You may also want to clean up the formatting to make the file more legible
and for inclusion in your reports. When you save the file to your computer, the file’s
properties change. You might be thinking “why I am changing any formatting on
the evidence?” You are not changing evidence; your evidence is safely locked in your
cabinet. The changes are being made only on an electronic transcript of the rele-
vant parts intended for reporting purposes. You are merely presenting a piece of
relevant evidence in such a way that it substantiates your case. For example, you
might have a file that contains incriminating evidence. If you were to print the
entire file, you would have a hundred pages of nothing and one page of data.
Instead, copy and paste the relevant text into a file. In your documentation, specify
the logical position within the document where the data was found (page, row, para-
graph, and so on). If the data is recovered, and the original file is not intact, or can-
not be shown as intact, your documentation should include information on exactly
where on the drive you recovered that data, including the cylinder, head, and sector
of the physical drive. Just saying it was located in the My Documents folder is not
adequate.
Depending on your case, this part of the process may be the end of your analysis
or just the beginning. After you retrieve all the files, you may have to start unzipping
them, searching for and attempting to crack passwords. Don’t forget to perform the
analysis procedures we have described on all the removable media you have col-
lected. The next chapters in the book will help you in those areas. But for now, let’s
discuss more basics.
Check This
After a class, we are often asked for a checklist to make it easier to remember all the
detailed steps. Checklists can help structure an activity and jog your memory, but
we refrain from the use of checklists because the steps we take probably won’t be the
same in every case. If you had only one list that contained all the possible steps for
every single one of your cases, it would be filled with items that are irrelevant to
other cases. You could just write “N/A” next to those boxes, but the last thing you
want is for a lawyer to ask why you didn’t check that area and if exculpatory infor-
mation could have been located there. Here’s another guideline: Don’t encourage the
other side to ask a question that you don’t want to answer.
If you want to create a “cheat sheet” of things to look for in order to refresh your
memory at 2 a.m., that is perfectly fine. Just don’t include checkboxes next to the
steps, and as we said previously, keep the list very general without too many
specifics like “check cookie file,” and “check browsing history.” If you want to use a
cheat sheet, don’t write notes on it, because then it would be a record that has to be
included in your case file. You can refer to a list that is as detailed as you want, but
CHECK THIS 19
as long as you don’t put marks or notes on it, it won’t be considered as evidence.
Remember that if you go to court, anything in your case file can be subpoenaed and
could wind up in the defense attorney’s hands.
Preservation
The preservation of computer evidence is grunt work. It is tedious, but lack of atten-
tion to boring details can blow your case. You must be able to account for the evi-
dence the entire time it is in your custody. If you cannot do this, none of the results of
your efforts spent collecting and analyzing data will be admissible in court. Remem-
ber to keep a complete chain-of-custody document and store the evidence some-
where where it will not get damaged. The last thing you want to do is have to replace
a confiscated computer that was damaged or lose a case because the original evi-
dence is no longer in working order.
Presentation in Court
This is the part that people who are not lawyers dread the most and have the least
practice in, but it is one of the most crucial steps in your case. In addition, it keeps us
honest—our legal system, for all its faults, has built-in protection mechanisms and
works fairly well. If it were not for the potential, slim as it may be, of having to pre-
sent your evidence in a court of law, what would we use as a gauge to judge our-
selves? Continually remind yourself that you may have to explain what you did in
front of a judge and jury. If you can articulate what you did, why you did it, and why
your actions were reasonable, you should have no problems. We discuss the reason-
ableness theory and how it pertains to a court of law in Chapter 12.
Some Tips for Courtroom Presentation

Wear appropriate business attire. Even if your normal work attire is “business
casual,” this is a court of law, not Cape May. Your khakis and polo shirt may be
acceptable at a resort, but they are not acceptable in a court of law. A judge works
hard to get on the bench, and as the judge in A Few Good Men stated, “I deserve
some respect; I know I earned it!”
When you are on the stand, if you do not understand a question, ask for it to be
repeated. Don’t be shy. This is not the place to guess at what you think the lawyer is
asking.
During cross-examination, give your attorney a chance to object to every ques-
tion. If an attorney asks you a question and you answer it right away, you are not giv-
ing your attorney enough time to object. Don’t waste too much time answering, and
don’t look to your lawyer for guidance. A brief pause to collect your thoughts will do.
Be honest. If you have an airtight case, the defense is going to attack your credi-
bility. Don’t give them any reason to cast doubt on your testimony. If you don’t know
something, say so. Don’t get caught up in any tricks to get you to answer a question
incorrectly. Remember, a lawyer never asks a question that he or she doesn’t already
know the answer to. If the lawyer appears to be asking dumb questions, watch out!
He or she may just be setting you up. Some defense attornies may try to act like your
buddy before a trial begins. They are looking for an advantage for their client. Be
respectful, but don’t let them schmooze you.
Don’t let a lawyer call you out of the blue and ask you a few quick questions off
the top of your head. Make an appointment and have your attorney present. You
don’t want to let the other side find out that you forgot to mention something, or that
the summary has changed from one recount to another. When talking with lawyers,
always use your notes! When you are testifying, you may not be able to use your
notes, so make sure that you know everything on the reports. Dates, times, and loca-
tions are important, and you can’t get them wrong. If you do, the opposing lawyer
will find a way to bring it to the attention of the jury. If you are not sure of an answer,
ask to check your notes. Make sure that you thoroughly review your notes before tes-
tifying in case you cannot use them while you are testifying. It does not reflect poorly
on you to use your notes. After all, a trial can take place months or years after the
incident, so don’t be afraid to ask. If an attorney starts hooting and hollering that
you should not be able to use your notes, just calmly remind him or her that it has
been a long time since the events in question occurred, and that you created the
notes in the first place so that an accurate record would be available when it was
needed in the future. If you can do this as calmly as possible, the jury may think no
less of you for admitting that you don’t remember, but they might think less of the
attorney for pressuring you. As the saying goes, “never let them see you sweat!”
Our final piece of advice on the basics of forensics is “don’t take anything for
granted.” Here are a few things to not take for granted:
• Check every data tape that you find when you are collecting evidence.
• Check every floppy disk. They are a hassle to process, but you never know what
they can contain.
• Check CD-ROMs, or DVDs (especially recordable CDs or DVDs).
• Look in books, manuals, Rolodexes, under the keyboard, on the monitor, and so
on for passwords or other pertinent information.
• Double-check the analysis. It is surprising what you will find the second time
through the evidence. Even better, have someone else look at it. You’d be amazed
at what a fresh perspective has on locating evidence. Dealing with computer
forensics requires talent, but patience and perseverance make miracles happen.
CONCLUSION 21
Conclusion
The meat of computer forensics is the process of acquiring evidence, authenticating
evidence, and analyzing that evidence. Successful investigations require both reli-
gious adherence to the rigorous standard procedures of evidence collection and cus-
tody, while simultaneously being flexible and imaginative in locating and analyzing
that evidence. It is a difficult balance between being highly disciplined while also
being willing to experiment with new ideas. Depending upon your personal
approach, this tension between process and flexibility will be either totally frustrat-
ing or highly stimulating. The more knowledge and practice you have, the better
prepared you will be to overcome this challenge.
Further Resources
Listserv
Computer Forensic Investigators Digest (CFID) at http://www.infobin.org/cfid
Organizations
High Technology Crime Investigative Association (HTCIA) at http://www.htcia.org
Conferences
HTCIA at http://www.htcia.org
Techno Security at http://www.thetrainingco.com /html/Conferences.html
Formal Training
You can access a list of training and college programs at http://www.ne-htcia.org/training.html.
New Technologies Incorporated (NTI) at http://www.forensics-intl.com
SEARCH at http://www.search.org
Guidance Software at http://www.guidancesoftware.com or http://www.encase.com
Reid Institute—Interviewing and Interrogation http://www.reid.com /training.htm /
Other Web Resources

Best Practices For Seizing Electronic Evidence, http://www.treas.gov/usss/index.htm?elec-
tronic_evidence.htm&1>
United States Department of Justice, Computer Crime and Intellectual Property Section
(CCIPS), Searching and Seizing Computers Web page, http://www.usdoj.gov/criminal/
cybercrime/searching.html
Chapter
2
Tracking an Offender
In this age of pervasive connectivity, it is unrealistic to expect cyber crime incidents

to be isolated to a single system. Like characters in a William Gibson novel, cyber
sleuths often have to track offenders across the digital matrix. While the techniques
of network forensics are still largely undeveloped, it would be a disservice to devote
an entire book to computer forensics without any discussion of Internet methods
that you can use to find leads to suspect computers.
When tracking cyber offenders across the Internet, you use many of the same
software tools that system and network administrators use to monitor and test net-
work connectivity. Many of these programs are included in modern operating
systems, and you may already be familiar with them. Even if you are already com-
fortable with the tools we discuss in this chapter, you may not have considered their
use during an investigation. Unfortunately, many of our most common Internet
application protocols make no provisions for strongly authenticating the transmit-
ter of a communication. Services like email and Usenet are based on simple text-
based initiation protocols and basically use the honor system. This complicates
investigations because you cannot necessarily trust the identification information
contained within Internet messages. The better you understand the underlying pro-
tocols and processes, the better you can evaluate the validity of the names and Inter-
net addresses associated with Internet communications.
Internet Fundamentals
This book is intended to be an introduction to computer investigations, not to
TCP/IP. If you want to be an effective network tracker, you need a thorough under-
standing of the Internet protocol suite. Many books are available on this subject.
W. Richard Stevens’ three-volume set, TCP/IP Illustrated, published by Addison-
Wesley (1993, 1995, 1996), is considered one of the definitive references. The more
comprehensive and detailed your understanding of Internet technology, the greater
your skill at investigating network-enabled crime.
23
24 TRACKING AN OFFENDER
The Internet and many private networks run a set of protocols commonly
referred to as TCP/IP, which stands for Transmission Control Protocol/Internet Pro-
tocol. The label “TCP/IP” is a convenient abbreviation for a set of related network
protocols, the development of which effectively started in the late 1960s and is ongo-
ing today. More precisely referred to as “the Internet protocol suite,” it is a set of
communication conventions that a device must implement in order to participate on
the Internet. TCP/IP is not specific to any operating system, programming language,
or network hardware. It is an equal opportunity set of standards that enables Macs,
Windows, Unix, routers, switches, and a variety of mainframe environments to
communicate with each other. It is not specific to network topology, meaning that
Ethernet, token ring, and wireless networks can also interoperate. This universal
interoperability is a prerequisite to both modern computer crime and investigations.
Plenty of books and essays exhaustively discuss the Open Systems Interconnec-
tion (OSI) seven-layer Network Reference model, so we won’t spend a great deal of
time on it. The model is illustrated in Figure 2-1. The original seven-layer model was
conceived as an abstraction that didn’t apply to any currently existing technology—
especially not the burgeoning suite of Internet protocols—and the exact labeling of
Internet services and protocols within this model continues to be a matter of
tremendous debate (especially the session and presentation layers). But it is a
debate of no consequence because after all, the Internet still functions whatever
abstract labels are assigned to its protocols. The important lesson to learn from this
model is that certain infrastructural services provide the foundation for the actual
file sharing and distributed applications that are the reason the network exists in
the first place. These services are stacked on top of each other like Lego building
OSI Internet
Layer Protocol
7. Application NFS
Web
Browser
E-Mail
Client Windows
Ping File & Print Sharing
6. Presentation XDR HTML MIME
RPC & SMB

5. Session RPC HTTP SMTP
NetBEUI
4. Transport ICMP UDP TCP
3. Network IP
2. Datalink 802.2
1. Physical Ethernet
Figure 2-1 OSI seven-layer model

INTERNET FUNDAMENTALS 25
blocks. Its relevance to forensic investigations is that you cannot interpret evidence
without understanding its place within the hierarchy of stacked services. Let’s look
at a concrete example to see how this layering works.
You might not have realized that when you send and receive email, you are deal-
ing with three different addresses, each within a different network layer. Every net-
work interface has a unique hardware address burned into it at the factory. This
address is called the MAC (media access control) address. (We discuss an unusual
use Microsoft makes of this address in Chapter 8.) This address enables all of the
devices on a LAN segment—those devices that can see each other’s network traffic—
to refer to each other. At the network layer, devices recognize traffic intended for
themselves on the basis of the MAC addresses incorporated within the chunks of
data on the network, which are called packets. It is entirely impractical for every
device on the Internet to refer to devices outside of their LAN segment by this hard-
ware address, so when a computer joins the Internet, it has a numeric IP address
assigned to it. An IP address is usually written as a series of four numbers in the
range 0–255, separated by dots, such as 192.168.0.55.
Certain IP addresses, or ranges of addresses, are reserved for special purposes.
For example, IP addresses that end with 0 denote a network address, such as
192.168.0.0. An IP address that ends with 255 denotes a broadcast address, such as
192.168.0.255. “Private addresses” in the 192.168.0.0 to 192.168.255.255 range may
be used on internal networks. These addresses “are intended for intra-enterprise
communications, without any intention to ever directly connect to other enterprises
or the Internet itself.”1 When tracking offenders, if you locate an address within this
range, don’t pack your bags for California (the location of the Internet Assigned
Numbers Authority2); you have to determine the suspects’ external IP address to
locate them.
An Internet address actually contains two parts. The network portion is unique
among all the networks interconnected to the LAN segment (which often means the
entire Internet), and the host section is unique among all the devices using the same
network portion. The effect is that all IP addresses on the Internet are both unique
and identifiable as being within a specific network. Private networks use addressing
that is unique within their networks, but any two private networks can use the
same “address space” as long as they are not interconnected to each other.
The uniqueness of addresses and the distinction between network and host por-
tions of the address make it practical for routers to know where to route to. Entire
books have been written about routing. For our simplified purposes, routers are
1. From RFC 1918. (For more information on private addresses, see http:// www.isi.edu/in-notes/
rfc1918.txt.)
2. http://www.iana.org
devices that automatically forward your data packets to another network when the
destination is not your network. Routers base their decision on where to forward
your packet on current conditions and their programmed instructions—routers do
whatever is most expedient, which means that the route between any two points can
change. This is completely different from the Public Switched Telephone Network
(PSTN). When you make a telephone call, the switches within the PSTN sequen-
tially establish a circuit from end to end, and it is maintained throughout the dura-
tion of the call. On the Internet, it may often seem as if you are using a circuit, but
the actual path taken by each individual packet is dependent upon the whims of the
intermediate routers.
The network part of an Internet address is assigned by the Internet Assigned
Numbers Authority (IANA) to each network owner, and the host part is assigned to
individual hosts and devices by the network owner. The network may be run by an
organization (business or government agency), or it may be run by an Internet ser-
vice provider (ISP) to provide Internet access to its customers. In the latter case, the
IP addresses may be used by individuals or multiple organizations. Because IP
addresses are used for routing, when a device is moved to a new network, it often
requires a new address.
IP address can be statically or dynamically assigned. Computers that are
assigned a static IP address always use the same IP address until it is manually
changed to a new address, which is becoming increasingly less convenient in a time
of constant reorganizations and mobile computers. Dynamic addresses are automat-
ically assigned to a computer when it registers itself on a network using a protocol
called Dynamic Host Configuration Protocol (DHCP) or Windows Internet Naming
Service (WINS), a Microsoft protocol that is rapidly becoming obsolete. For network
administrators, DHCP neatly solves the tedium and confusion of manually assign-
ing constantly moving Internet devices. Virtually all ISPs use DHCP to assign
addresses to their dial-up customers, and many permanently connected home users
have dynamically assigned addresses that can change whenever their cable modems
are powered off and on. Use of DHCP is definitely on the increase, but unfortunately,
DHCP makes detective work a little more difficult.
Reading Obfuscated IP Addresses

Those who send spam, unsolicited commercial junk mail, usually try to keep
their true identities secret—otherwise, they would be overwhelmed by dis-
gruntled Internet citizens who wish to retaliate. In addition to using a bogus
return email address, they often include obfuscated URLs. Instead of having
a human-readable name, or the dotted-decimal format such as 135.17.243.191,
a URL may appear in 10 Digit Integer Format (base 256), so it appears like
this: http://2280853951.
It’s fairly easy to convert a number in this format back into the normal quad
format so that you can research the ownership of a Web site.
1. Open Windows Calculator in scientific mode (in the Calculator win-

dow, choose View | Scientific).
2. Convert 2280853951 to hexadecimal format = 87F311BF.
3. Now convert each pair to decimal notation and add the dots:
87 = 135
F3 = 243
11 = 17
BF = 191
135.17.243.191
Dotted Quad to 10 Digit Decimal (base 256):

Dotted Quad format: A.B.C.D = 10 Digit Decimal #
A(2563) + B(2562) + C(2561) + D =
Example:
185.127.185.152 =
185(2563) + 127(2562) + 185(2561) + 152 =
3103784960 + 8323072 + 47360 + 152 = 3112155544
Or if you hate math like we do, the easiest way to convert is to let ping or
traceroute do it for you. Running ping or traceroute on the 10 Digit Decimal
Number will resolve its Dotted Decimal notation, showing you the dotted
quad format equivalent. For example:
C:\>ping 2280853951
Pinging 135.17.243.191 with 32 bytes of data:
In case you were worried that we hadn’t figured out what to do with media
address control (MAC) addresses, don’t worry, we still need them. Remember that
devices on the same LAN segment are somewhat on a first-name basis. They don’t
refer to each other by the formal IP addresses used on the Internet. However, the
MAC address is used only at the hardware layer, so when a process or application
“up the stack” specifies another device on a network segment by IP address, it has to
be translated into a MAC address. This is done by looking it up in the ARP table,
which is automatically created by the Address Resolution Protocol. ARP is just one
of a number of network services that run in the background, invisible to most users
but essential to the operation of a network. Networked computers can be quite
chatty, constantly comparing notes on routing tables, network conditions, and each
other’s presence.
There is a common belief that because MAC addresses are burned into the net-
work interface card (NIC), they never can be changed. The MAC address can be
changed by using the ifconfig command in Unix. Given that MAC addresses are
sometimes used to identify the source of hostile activity, it should also come as no
surprise that programs are available that can randomly change a MAC address.3
Don’t automatically assume that a piece of equipment is useless as evidence because
its MAC is different than you expected. The MAC you are seeking may have been
changed through software, or the NIC may have been changed.
You probably already have used the most common tool for network debugging,
ping. (By the way, the name is not an acronym; it is a reference to the underwater
echolocation system called SONAR.) ping is a simple, yet greatly valuable program,
that uses Internet Control Message Protocol’s ECHO_REQUEST datagram. This
datagram sends a request to the target machine and listens for an ICMP response.
You can use ping to determine when a machine is alive and sometimes the DNS
name of the machine. If you want to continuously keep checking for a “live” machine,
you can use a program like What’s Up Gold. With this program and others, you can
input the IP address, and at preset intervals, it automatically checks to ensure that
a specific service on a specific host is still reachable. Be aware that ping is a rela-
tively noisy process—it is easily detected by the remote system. Assume that a mod-
erately savvy Internet criminal may be monitoring all forms of connection to his or
her host, so don’t ping someone when you don’t want that person to know about it.
Domain Name Service (DNS)

We expect computers to refer to each other by numbers—not by name. Unfortu-
nately, most humans don’t do as well with numbers and prefer to use names that can
be easily remembered, spoken, and typed, such as www.cia.gov or www.amazon.com.
To accommodate this difference between humans and machine, the Domain Name
Service (DNS) was developed. Internet DNS is effectively a huge global database,
usable from any point in the Internet and capable of mapping human-readable
names such as www.lucent.com to a corresponding numeric IP address. This process
is called domain name resolution. Use of domain names and associated IP address
3. http://galeb.etf.bg.ac.yu/~azdaja/changemac.html
ranges is controlled by the Internet Corporation for Assigned Names and Numbers
(ICANN) through accredited registrars.4 The owner of each domain is responsible
for placing all host names and corresponding IP addresses on a name server so that
outsiders can resolve their names. Most name servers also support reverse lookups,
which is the process of providing the human-readable domain name that corre-
sponds to a specific numeric IP address. Many Internet applications perform reverse
lookups as a simple security measure, checking to ensure that the IP address associ-
ated with an incoming connection attempt is associated with a registered domain
name—a weak but useful test.
The domain name server responsible for a particular domain may resolve any
query with any IP address. The IP address may not be one within an IP address
range assigned to that organization, and that doesn’t matter. The owners of a partic-
ular domain, such as bubbabbq.com, may choose to host their Web site at someone
else’s facility. In this case, the specific machine, www.billybob.com, won’t have an IP
address contiguous with the rest of bubbabbq.com. This provides a great deal of flex-
ibility, allowing organizations to move their machines from network to network,
changing Web host service providers or ISPs without having to change their human-
readable domain names.
Another type of network tool that will be useful to you in tracking an offender is
one that can be manually used to resolve a domain name. The classic tool for this
purpose, nslookup, is available on Unix, Windows NT, and Windows 2000. You can
use nslookup to perform both forward and reverse lookups, resolving the IP address
associated with a specific host name or obtaining the name associated with a
numeric address.
In order to use a domain name, the owner must register it with the appropriate
authority—a task that is usually facilitated by an ISP or one of several online ser-
vices. At the time of registration—and ideally whenever it is changed—the owner of
the domain is required to include name and contact information for a domain
administrator. This person is expected to respond to email messages or telephone
calls regarding activities associated with his or her domain. It should come as no
surprise that these people are frequently not easy to contact. The whois utility can
be used to obtain contact information on a specific domain from a server maintained
by the appropriate Internet naming authority. Remember that whois information is
furnished by the person who provided the registration information. It isn’t really
verified for accuracy; either through deliberate deception or an innocent mistake, it
is possible to register an address and include inaccurate or totally false contact
names, addresses, and phone numbers.
4. http://www.icann.org/registrars/accredited-list.html
After pinging a system that we’re researching (from a computer that is not going
to resolve to our company in case the suspect is watching his or her network), we like
to perform a whois just to see what comes up, keeping in mind that the information
can be bogus. You don’t have to have a whois utility on your workstation because
several sites enable you to perform a whois over the Web. One of the most popular is
the Sam Spade Web site.5 Another popular and reliable Web-based whois service is
provided by Network Solutions.6
After we perform a whois, we like to follow up with an inverse name server
lookup to see what it provides and compare the results to the whois output. The
inverse lookup can be accomplished on a Unix or Linux machine (or with software
such as NetScanTools Pro for Windows) with either the nslookup or the dig –x com-
mand, and Sam Spade provides reverse lookup services also. You can use dig on an
IP address like this:
dig –x @123.456.789.000
or
dig –x %domainname.com
dig is an alternative to nslookup, but we usually run nslookup again just to compare
the results to all the previous queries.
After we have obtained contact information using the tools previously described,
we usually run traceroute (or tracert) to see what route the packets are taking to get
to their destination. Like ping, this handy utility sends your packets to the computer
you are examining, so don’t use it if you don’t want to tip off the suspect that you are
watching. We use the results from traceroute to help confirm or question the results
of whois (see the example in Figure 2-2). For example, if the site is registered to the
Netherlands but traceroute takes a few hops and stops at an ISP in Philadelphia, we
might suspect that something is amiss. Be aware that many corporations have their
Web sites hosted by an ISP, and not necessarily an ISP in their home town—or even
their home country.
5. http://samspade.org/.
6. http://networksolutions.com /cgi-bin/whois/whois.
APPLICATION ADDRESSES 31
Tracing route to awl.com [204.179.152.52]over a maximum of 30 hops:
1 240 ms 231 ms 220 ms 208.164.95.36

2 260 ms 230 ms 211 ms lonukr1-e0.ins.com [208.164.95.1]
3 330 ms 371 ms 380 ms svlcar1-s3-30.ins.com [192.168.200.129]
4 511 ms 491 ms 420 ms 192.168.210.2
5 460 ms 411 ms 461 ms svlcar3-fe0.ins.com [192.168.100.3]
6 451 ms * 491 ms charon-inner.ins.com [199.0.207.49]
7 501 ms 651 ms 510 ms svlcar6-e0.ins.com [199.0.207.34]
8 431 ms 450 ms 511 ms bordercore1-serial5-0-0-13.SanFrancisco.
cw.net [166.48.12.53]
9 420 ms 441 ms 491 ms corerouter1.SanFrancisco.cw.net
[204.70.9.131]
10 510 ms 501 ms 501 ms corerouter2.WestOrange.cw.net [204.70.9.139]
11 521 ms 511 ms 511 ms hs-core7-loopback.WestOrange.cw.net
[166.49.67.97]
12 501 ms 501 ms 571 ms savvis-communications-hou.WestOrange.
cw.net [166.49.67.106]
13 551 ms 511 ms 561 ms 216.90.236.210
14 581 ms 560 ms 491 ms 204.179.152.52
Trace complete.
Figure 2-2 Example traceroute output
Application Addresses
We’re almost done with our discussion of Internet addresses—we just have one
more layer to discuss: application addresses. Email, Web browsing, ICQ, and Inter-
net Relay Chat (IRC) are just a few of the services that have their own application-
specific addressing. When you send email, you know to use a two-part address that
includes both a mailbox and a domain, such as [email protected]. You
can’t send email to wkruse, nor can you just send it to computer-forensic.com—you
need to specify both in order for a message to reach a destination.
Another ubiquitous form of Internet addressing that includes both domain- and
application-specific information is the Universal Resource Locators (URLs) used

with Web browsers. For instance, the URL http://www.lucent.com /services provides
three types of information. The letters “http:// ” indicate the application protocol,
which in this case is Hypertext Transfer Protocol (HTTP). “www.lucent.com,” of
course, represents a specific numeric IP address, and “services” points to a specific
page.
Stalking the Stalker

When using programs such as ping, and some of the scanning tools, keep in mind
that their use may easily tip off even a novice computer crook that he or she is under
investigation. In the online world of spy versus spy, you often use the same tools to
track an intruder that an intruder uses. Clever attackers are like careful scouts.
Those who suspect that they are being tracked will try to cover their tracks (see
Chapter 10), and they also sometimes will backtrack to see if someone is following
them. Skillful hackers carefully monitor systems they’ve compromised for signs of
unwelcome attention. If your goal is to track and catch your prey, you don’t want to
be blasting away at the suspect’s box—especially from machines that easily resolve
back to your company’s name. To use the SONAR analogy, there are both passive
and active surveillance techniques. ping and traceroute are active and cannot be
hidden from the object of the scan. While pings cannot be hidden from the object of
the ping, it is easy enough to perform the scans from a system that isn’t obviously
associated with your organization. You can maintain a few accounts with a dial-up
ISP for just this purpose. When it’s time to start investigating, unplug the work-
station, set it for DHCP, dial your ISP, and you’re off the company network. The
intruder who has been breaking into CorpNet does not suddenly see CorpNet prob-
ing back.
A Dial-Up Session
Now that you have an understanding of some Internetworking basics, let’s take a look
at how a typical Internet dial-up session works (see Figure 2-3). When you dial to an
ISP with a modem, you might use a layer 3 protocol called Point to Point Protocol
(PPP). Referring back to Figure 2-1, layer 3 is the network layer, and in the case of a
dial-up connection, PPP replaces IP. Connectivity is not automatic, though. A dial-up
session must first be authenticated, and then an IP address is assigned. The modem
at the ISP’s Point of Presence (POP) is directly connected to—or even a component
within—a router that is designed to accommodate PPP connections. When a connec-
tion attempt occurs, the dial-up router first prompts the user for a login name and
password. A single ISP may have hundreds of POPs spread over an entire continent—
A DIAL-UP SESSION 33
ISP
Point of Presence
RADIUS
Server
Internet
PPP
Modem Modem
User Dial-up
Router
DHCP
Server
Figure 2-3 Connecting to the Internet through an ISP’s dial-up service
it is certainly not practical for each dial-up router to maintain a list of all users and
their encrypted passwords. A centralized directory contains this list, and the RADIUS
protocol is used to support the authentication request between the dial-up routers
and the centralized user directory.
After a user is authenticated to the ISP, an IP address is dynamically assigned
to that user with DHCP. Although it is possible for individual subscribers to have
their own permanently assigned IP addresses, such an inefficient use of valuable IP
address space is virtually unheard of. The IP address is almost always associated
with a DNS name, allowing reverse lookups. The name will be something generic,
such as ppp589.city.isp.com.
RADIUS is used not just for authentication; it is also used for accounting. The
RADIUS server is normally the only ISP device that maintains records that can be
used to track an offender, so it is very important to your investigation. The server
normally maintains records of every login attempt, both successful and unsuccess-
ful, and also every logoff or session end. This information is necessary so the ISP
can keep track of subscriber connection time. The information associated with a
RADIUS session also includes the IP address assigned to a specific login during a
session, and ISPs often use caller ID to keep track of the telephone number used to
originate the session. This allows the ISP to determine which login name was using
a specific IP address at a specific time, but the association of this login with a specific
individual is only as good as the authentication mechanism. Most dial-up accounts
authenticate with reusable passwords, and it is common for cyber criminals to guess
or otherwise steal passwords (most subscribers have no way of knowing that their
accounts are sometimes being abused by someone else). America Online (AOL) users
have been especially prone to ID theft, and AOL is just one of many ISPs that pro-
vide free trial accounts that are frequently associated with phony names.
Because the RADIUS logs are used for accounting purposes, an ISP has to main-
tain them for at least a one-month billing cycle. In practice, ISPs keep them for peri-
ods of up to a year in order to respond to customer complaints about billing
mistakes. Even relatively small ISPs are used to responding to court orders that
require providing the Internet equivalent of a trap and trace record. According to
Lucent consultant Aaron Higbee, who has worked with the abuse departments of
several large Internet service providers:
ISPs do not like abusers because their mischief affects the bottom line and gives the
ISP a black eye within the Internet community. If you want to identify an abuser,
these are the necessary steps:
1. Document the abuse with dates, time, time zone, and logs.
2. Send the logs as a complaint to [email protected].
3. Follow up your email with a phone call. (Do not call a tech support or customer
service line.) Ask for the legal department’s fax number or ask to speak directly
with the abuse/security department.
4. Fax the same logs to the legal staff and let them know that you will follow up your
complaint with a court-ordered subpoena for any and all subscriber information
including all captured caller IDs.
You must assume the subscriber information is fraudulent unless the account has a
bill payment history and the session in question can be pinpointed as originating in
the same calling area as the rest of the subscriber’s usage history. If you are lucky,
the caller ID will be captured for the session you are interested in. You then sub-
poena the local phone company for subscriber information for the phone number
that was captured in the caller ID. Sometimes reverse telephone lookup sites like
http://www.anywho.com /telq.html can give you clues as to who you are tracking, but
the definitive answer will come from the subpoenaed subscriber information.
You might think the biggest problem with obtaining information from ISPs
would be the result of the terms of service and confidentiality agreements that most
service providers have with their customers. But to the contrary, most service
providers are willing to assist you because they do not want anyone misusing their
system. In a prominent privacy case several years ago, AOL was sued by a sub-
scriber who accused the company of illegally providing sensitive personal informa-
tion to a law enforcement agency, so ISPs are now very sensitive to the correct legal
procedures.
When you obtain the information from the service provider, keep in mind that the
subscriber information can be completely bogus. There is little to no authentication
TRACKING EMAIL 35
for any of the information associated with the subscriber. The value of the informa-
tion is in determining the telephone number that was used to connect to the ISP. If
you can obtain the phone number and the date and time that a session was set up,
you are yet another step closer to finding your suspect. You can then start the sub-
poena process again and try to find other connections originating from that same
phone number. This still might not lead directly to your suspect, but you’re getting
closer and closer to a suspect who thought he or she was well hidden by the free
service.
Tracing Email and News Postings

Before heading down the messaging path and looking for tracks in the sand, let’s
quickly discuss how these messaging services operate. News groups and email are
cousins. Descending from original siblings on pre-Internet Unix systems, they have
continued to evolve in parallel, with much sharing of genetic material. Both services
have the following attributes:
• Simple Internet application protocols that use text commands

• Store-and-forward architecture allowing messages to be shuttled through a
series of intermediate systems
• Message body composed entirely of printable characters (7-bit, not 8-bit)
• Human-readable message headers indicating the path between sender and
receiver
You’ll need the assistance of systems administrators, perhaps on every system the
message transited, and they won’t be able to help you unless they have logging infor-
mation on their messaging hosts. If the originator wants to cover his or her tracks,
determining the real sender of either bogus news postings or suspicious email can be
challenging. News is probably a bit easier, but email is more common today, so let’s
start with it.
Tracking Email
An email program such as Outlook, Notes, or Eudora is considered a client applica-
tion, which means that it is network-enabled software that is intended to interact
with a server. In the case of email, it is normal to interact with two different servers:
one for outgoing and one for incoming mail. When you want to read email, your
client connects to a mail server using one of three different protocols:
Another random document with
no related content on Scribd:
Gettysburg
Gingall or Jingal
Glacis
Gneisenau
Godfrey of Bouillon
Goeben
Gorchakov
Gorget
Goring
Gouvion St. Cyr
Granby
Grand Alliance, War of the
Grant, U. S.
Grape
Great Rebellion
Greco-Turkish War
Greek Fire
Greek Independence, War of
Greene, F. V.
Greene, Nathanael
Grenade
Grenadier
Grenville, Sir Bevil
Gribeauval
Grouchy
Guards and Household Troops
Guardship
Guibert, Comte de
Guichard, Karl Gottlieb
Gun
Guncotton
Gunner
Gunpowder
Gun-Room
Gustavus Adolphus
Halbert
Halleck, H. W.
Hamley, Sir Edward
Hancock
Hannibal
Hanno
Hardee
Harper’s Ferry, W. Va.
Harrison, Thomas
Hasdrubal
Hastings
Haversack
Heliograph
Helmet
Henderson, G. F. R.
Henry V (of England)
Henry VI (Roman Emperor)
Herodotus
Herrings, Battle of the
Hess
Hill, A. P.
Hill, D. H.
Hill, Lord Rowland
Hohenfriedberg
Hohenlohe-Ingelfingen
Holster
Hood
Hooker
Hopton, Baron
Hostage
Hotham, John
Howard, O. O.
Howe, William
Howitzer
Hull, William
Hundred Years’ War
Hussar
Infantry
Inkerman
Inouye
Isly
Italian Wars
Jackson, Andrew
Jackson, T. J. (“Stonewall”)
James IV (of Scotland)
Japan, Army
Jemappes
Joan of Arc
John of Bohemia
John II of France
Johnston, A. S.
Johnston, J. E.
Jomini, Baron A. H.
Joubert, P. J.
Jourdan
Jugurtha
Junot
Kalb
Kalckreuth
Kearny
Keith, F. E. J.
Kellermann
Khaki
Khevenhüller, L. A.
Kinglake
King’s Mountain
Kitchener, Lord
Kite
Kléber
Knobkerrie
Knox, Henry
Kray von Krajova
Kriegspiel
Kruger
Kunersdorf
Kuroki
Kuropatkin
Kutusov
Laager
Lafayette
Lally, Comte de
Lambert, John
La Marmora
Lancaster, House of
Lance
Landsknecht
Landsturm
Landwehr
Langlois, H.
Lannes
Lasalle
Lauriston
Leboeuf
Lee, Fitz-Hugh
Lee, Henry
Lee, R. E.
Lefebvre-Desnoëttes
Legion
Leipzig
Le Mans
Leonidas
Leuthen
Leven
Lexington
Ligonier
Linstock
Logan, J. A.
Long Island, N. Y.
Longstreet
Lorraine, Charles of
Loudon
Louis IX (of France)
Louis XIV
Louvois
Lützen
Luxembourg
Luxembourg, Duke of
Lord Lynedoch
Lyon, Nathaniel
McClellan
McClernand
McCook, A. McD.
Macdonald
McDowell
McPherson
Macedon
Machine Gun
MacMahon
Mago
Major
Malleson, George Bruce
Malplaquet
Mameluke
Manchester, 2d Earl of
Military Manoeuvres
Mansfeld
Manteuffel
Mantineia
Marathon
Marceau
March
Marengo
Marietta, Ga.
Marignan
Marion, Francis
Marius
Marlborough
Marmont
Marston Moor
Martello Tower
Martial Law
Martinet
Masséna
Massenbach
Massinissa
Matross
Maurice of Nassau
Mavrocordato
Maximilian I (of Bavaria)
Meade
Meagher, T. F.
Menshikov
Mercenary
Mercy
Merritt
Metz
Meuse Line
Milan of Servia
Miles
Military Law
Militia
Miltiades
Minden
Minute Men
Mitchel, O. M.
Moat
Moltke
Moncey
Monmouth
Montalembert
Montcalm
Montecucculi
Montgomery, Richard
Montmorency (constable)
Montrose
Moore, Sir John
Moreau
Morgan, Daniel
Morgan, J. H.
Morion
Mortier
Moselle Line
Moultrie, William
Mounted Infantry
Murat
Musket
Muster
Mutiny
Napier, Sir William
Napoleon
Napoleonic Campaigns
Napoleon III
Naseby
Nashville
Navarro
Needle-gun
Neerwinden
Newark, Lord
Newcastle, Duke of
New Orleans
Ney
Niel
Nitro-glycerine
Noailles
Nördlingen
Norfolk, 3rd Duke
Nozu
O’Donnell, H. J.
Officers
Oku
Olynthus
Onosander
Ordnance
Orleans
Osman
Oudenarde
Oudinot
Oyama
Pajol
Palafox y Melzi
Panoply
Parade
Parados
Parallels
Paris
Parole
Partisan
Paskevich
Pasley, Sir C. W.
Patrol
Pavis, or Pavise
Pelissier
Peloponnesian War
Peninsular War
Pericles
Perseus
Pescara
Petard
Peterborough
Petersburg Campaign
Petronel
Petty-Officer
Phalanx
Philip II (of Macedon)
Philip II (of France)
Philip VI
Piccolomini
Pichegru
Pickens, Andrew
Picket
Picton
Pigeon Post
Pike
Pistol
Platoon
Pneumatic Gun
Poitiers
Polish Succession, War of the
Polyaenus
Pompey
Poniard
Pontoon
Pope
Porter, Fitz-John
Press Gang
Propellants
Punic Wars
Purser
Putnam, Israel
Putnam, Rufus
Pylos
Pyrrhus
Quadrilateral
Quiver
Radetzky
Raglan
Ramillies
Range-finder, Telemeter or Position-finder
Rapier
Rapparee
Ravenna
Raymund of Toulouse
Razzia
Reconnaissance
Redan
Redoubt
Regiment
Retrenchment
Réveillé
Reynolds, John F.
Richard I (of England)
Ricochet
Richmond
Rifle
Roberts, Lord
Rocket
Rohan, duc de
Roosevelt
Ropes, J. C.
Rosecrans
Roses, Wars of the
Rossbach
Rupert, Prince
Russo-Japanese War
Russo-Turkish Wars
Rüstow, Friedrich W.
Ruvigny
Sackville, 1st Viscount
Saint Arnaud
St. Quentin
Salade, Sallet or Salet
Saladin
Salamanca
Salamis
Saratoga, Battles of
Saxe, Comte de (marshal)
Scabbard
Scarlett
Scharnhorst
Schiavone
Schofield
Schwarzenberg
Schwerin, Count von
Scimitar
Scipio Aemilianus
Scipio Africanus
Scout
Sebastiani
Seckendorf
Sedan
Sedgwick, John
Senarmont
Sentinel or Sentry
Sepoy
Serjeant
Sertorius
Servo-Bulgarian War
Sérurier
Seven Days’ Battle
Seven Weeks’ War
Seven Years’ War
Seydlitz
Shenandoah Valley Campaign
Sheridan
Sherman, W. T.
Shield
Shiloh
Shipka Pass
Sickles
Siege
Sigel
Sights
Signal
Silesian Wars
Sirdar
Skippon
Skobelev
Sling
Slocum
Smith, C. F.
Smith, Sir W. Sidney
Soubise
Souham
Soult
Sowar
Spahis
Spanish-American War
Spanish Succession, War of The
Spear
Spontoon
Spottsylvania
Spur
Spy
Squadron
Staff, military
Standard, Battle of
Stark, John
Steenkirk
Steinmetz
Stiletto
Stone River
Stony Point
Strategy
Strelitz
Stuart, J. E. B.
Suchet
Sulla
Sullivan, John
Sumner, E. V.
Sumter, Thomas
Supply and Transport (Military)
Sutler
Suvarov
Swold
Sword
Tactics
Talavera de la Reina
Target
Tarleton
Tattoo
Thermopylae
Thielmann
Thirty Years’ War
Thomas, G. H.
Thucydides
Ticonderoga, N. Y.
Tilly
Todleben
Torstensson
Towton
Transvaal
Trasimene
Traun
Traverse
Trébuchet
Trenton and Princeton
Troop
Turenne
Ulan
Uniforms
Vandamme
Van Dorn
Vauban
Vedette
Vegetius
Vendée
Vendôme
Verdun
Verdy du Vernois
Veteran
Vexillum
Vicksburg
Victor-Perrin
Villars
Villeroi
Vinoy
Visor
Vitoria
Volunteers
Wagram
Wallace, Lewis
Waller, Sir William
Wallenstein
Ward Room
War Game
Warrant Officer
Warren, G. K.
Warren, Joseph
Warwick, Earl of
Washington, George
Waterloo Campaign
Wattignies
Wayne, Anthony
Weapon
Wellington
Werder
Wheeler, Joseph
White, Sir George
Wilderness, Va.
Wilkinson, James
William the Silent
William I (of England)
William III (of England)
William I (of Germany)
Wilson, J. H.
Wimpffen
Wittgenstein
Wolfe
Wood, Sir H. E.
Worth
Wrangel
Wrede
Xenophon
Yataghan
Yeomanry
Yorck von Wartenburg
Yorktown, Va.
Ypsilanti
Zieten
Zouave
CHAPTER XXX
FOR NAVAL OFFICERS
The scope of a naval officer’s professional interests is so broad that

the present chapter of this Guide could not, without duplicating
other chapters, indicate all the aspects of the Britannica with which
he is directly concerned. And he will find that his use of the
Britannica is simplified by the subdivisions about to be specified,
which virtually present his subjects under four different heads. Of
course he may be called upon, in the exercise of his duties,
simultaneously to think and to act in all his capacities, to concentrate
upon the swift solution of one problem his knowledge of warfare, of
shipbuilding, of navigation and of mechanical engineering; but his
reading upon these topics naturally divides itself into these four
parts.
Three Other Inasmuch as army officers, even
Relevant when they are at sea, are passengers,
Chapters and, save in relation to the discipline of
their troops, have nothing to do with
the ship’s management, it could not be assumed that the present
chapter would appeal to them. But naval officers, when co-operating
in a land expedition, need to employ every kind of knowledge that is
of use to army officers, and as the chapter For Army Officers in this
Guide would therefore in any case be read by them, it has seemed
convenient to include in it the description of those articles in the
Britannica which deal with war in general.
The chapter For Marine Transportation Men in this Guide is also
one to which the naval officer should refer, as it deals with ships and
navigation in general. The articles Ship and Shipbuilding
mentioned in that chapter are (except for the historical section of the
former) by Sir Philip Watts, designer of the British “Dreadnoughts”
and “Super-Dreadnoughts;” and the article Shipping is by Douglas
Owen, of the Royal Naval War College at Portsmouth. Obviously
these and many other articles described in that chapter are of the
greatest importance to naval officers.
The chapter For Engineers in this Guide describes the articles
dealing with steam engines, internal combustion engines, electrical
machinery and fuels of all kinds; and it would be a waste of space to
repeat in this chapter a summary of the Britannica treatment of these
subjects.
All three of the chapters mentioned should therefore be treated as
forming constituent parts of the general plan of this present chapter,
in which the naval officer will find no repetition of their contents.
The Key Article The article to which he will naturally
first turn is Navy and Navies (Vol. 19,
p. 299), by David Hannay, author of A Short History of the Royal
Navy. This article is equivalent to 60 pages of this Guide in length. It
contains:
Naval Personnel.
Sketches of the Administrative History of navies: Athenian; Roman;
Byzantine; Medieval; British, with special attention to the period since the
Restoration, and the reforms under James II when Samuel Pepys was secretary;
French—modern navy dating from the time of Richelieu;
Spanish—a great navy without an organization before the 18th century;
Dutch—good seamen and well-fed, led by able admirals, but unorganized, and
unimportant after the 17th century;
United States—the first great extra-European power on the sea;
Russian—dating from the reign of Peter the Great, when it was organized and
led by foreigners.
The Balance of Navies in History: influence of sea-power—“when Napoleon
fell, the navy of Great Britain was not merely the first in the world; it was the
only powerful navy in existence.” Modern Rivalry between Italy and Germany
(1871), United States (1890), Japan; England and the Dual Alliance—“naval
scares” since 1874; British Naval Defence Act of 1889; Russia’s navy crushed
(1904); new navies rivalling Great Britain and France,—Italy, Germany, United
States, Japan.
Latest developments: “Dreadnoughts”; Building Programmes.
Bibliography (about 1800 words).
Naval Strategy and Tactics.
Historical evolution: inter-relation of the ship’s capacity and armament.
Early history: ramming demanded oars for propulsion; small warships, large
fighting crews,—no blockade, short cruises;
Greek and Roman methods: boarding introduced by Romans; “bearding,” that
is, fortifying with iron bands across the bows, an early form of armor plate.
Sailing ships: ramming discarded; “line ahead” formation displaces “line
abreast”; principles of fighting tactics—order at beginning to be kept throughout,
thus no advantage taken of enemy’s disorder; Clerk’s theories (1790–97)—not
maximum safety but immediate mêlée the desideratum; Suffren, Rodney and
Howe and their disregard of accepted tactics.
Improved shipbuilding and modern times: New problems—steam propulsion,
its gain in speed, but its dependence on fuel; fleet in being; risk of transporting
troops while enemy is unbeaten; ramming and pell-mell battles forbidden by
torpedoes; searchlight as check to torpedoes; failure of attempts to “bottle up”
harbours; gun-fire still the great factor; position; speed; submarines still an
unknown factor.
Bibliography.
Naval The first part of this article Navy
Administration and Navies should be supplemented
by the article Admiralty
Administration (Vol. 1, p. 195), by Admiral Sir R. Vesey Hamilton,
and, for the United States, the late Admiral W. T. Sampson. The
American part of this article describes the divisions and the working
of the Navy Department, its bureaus, judge advocate-general, office
of naval intelligence, boards etc.; and there is additional information
on the subject in such articles as Dockyards, and United States
Naval Academy.
For the legal side of naval administration the reader should study
the article Admiralty Jurisdiction (Vol. 1, p. 205), by Sir Walter
Phillimore, former president of the International Law Association
(and author of the Britannica article Admiralty, High Court of),
and, for the United States, by J. Arthur Barrett; and also the general
articles International Law (Vol. 14, p. 694), by Sir Thomas Barclay,
author of Problems of International Practice and Diplomacy, and
International Law, Private (Vol. 14, p. 701), by Dr. John Westlake,
formerly professor of international law, Cambridge University, and
member for the United Kingdom of the International (Hague) Court
of Arbitration; as well as such special articles as Search (Vol. 24, p.
560), by Sir Thomas Barclay, and Sea Laws (Vol. 24, p. 535), by Sir
Travers Twiss.
Policy, Strategy, It has already been noticed that the
Tactics closing part of the article Navy and
Navies dealt with strategy and tactics
in a general way. This subject is treated in fuller detail by Admiral Sir
Cyprian Bridge, G.C.B. (former Director of Naval Intelligence, British
Navy, author of Sea-Power and other Studies) in two articles Sea-
Power (Vol. 24, p. 548) and Sea, Command of the (Vol. 24, p. 529).
Each of these articles will be of great value and interest to the naval
officer as a summary and criticism of the theories of Captain A. T.
Mahan and Vice-Admiral P. H. Colomb; and this will be made
evident by the brief outline of the two articles which follows.
Article, Sea-Power—Use of the term to mean (1) a state pre-eminently strong
at sea; and (2)—as in this article—the various factors in a state’s naval strength.
Thucydides as a forerunner of Mahan; he makes Pericles in comparing Athenian
resources with those of her enemies comment on the importance of “sea-power.”
The meaning of sea-power can only be learned historically. Although there
have been more land-wars, “the course of history has been profoundly changed
more often by contests on the water.” Salamis saved Greece and held back
Oriental invasion. The loss of the Peloponnesian War by Athens was due to her
weakening sea-power. The First Punic War, Roman rather than Carthaginian
control of the Mediterranean, was won by Roman naval predominance.
Mahommedan conquest spread west in Africa only with the creation of a navy.
The crusades could not have continued had not Mahommedan naval power sunk
as the Venetian, Pisan, and Genoese grew. The defeat of Genoa by Venice gave
the latter a right to perform the ceremony of “wedding the sea” with a ring as
token of “perpetual sway.” Lepanto (1571) the end of Turkish sea-power.
Spanish and Portuguese sea-power crushed by English growth and the loss of
the Armada. Early English naval history: the importance of the battle of Dover in
1217. Appearance of standing navies. The New World and its influence on sea-
power. The sea-power of the Dutch; its sudden rise; its basis in foreign trade; the
Dutch wars with England resulted in England’s becoming the first great naval
power, but did not crush the United Provinces because of their sea-power.
Torrington and the “Fleet in Being” in 1690. Change in naval operations in 17th
century—the scene thereafter in the enemy’s waters, not near the coast of
England.
The 18th century. Rise of Russia’s sea-power—an artificial creation. Seven
Years’ War and its gains to Great Britain. War of American Independence:
British mistakes—the enemy’s coast not considered the frontier. Wars of the
French Revolution and Empire: Great Britain’s advantage not in organization,
discipline or “science,” but in sea-experience.
The War of 1812. “The British had now to meet the élite of one of the finest
communities of seamen ever known.... In any future war British sea-power, great
as it may be, should not receive shocks like those that it unquestionably did
suffer in 1812.”
Later Manifestations of Sea-Power. American Civil War—“By dominating the
rivers the Federals cut the Confederacy asunder; and, by the power they
possessed of moving troops by sea at will, perplexed and harassed the defence,
and facilitated the occupation of important points.” Russo-Turkish War of 1877–
78—Turkish control of Black Sea forced Russians to invade by land through the
difficult Balkans. Chilean Civil War of 1891—an army defeated by a navy. Chino-
Japanese War of 1894–95—Japanese navy in transport work and in crushing last
resistance. Spanish-American War: “Spaniards were defeated by the superiority
of the American sea-power.”
Article, Sea, Command of the—Sketch of Sovereignty of the Sea; Command
different from Sovereignty or Dominion.
Attempts to gain Command: Dutch Wars.
Strategic Command or Control—largely the power of carrying out considerable
over-sea expeditions at will. Seeking the enemy’s fleet. Temporary command in
smaller operations.
Special As for the army officer, so the
Historical Britannica has for the naval officer
Articles many separate articles on wars,
campaigns, battles, generals,
commanders. The following list of articles will serve as a guide to a
course of reading constituting a history of naval warfare, furnishing
the concrete separate facts on which are based the articles already
described.
Ancient History.
Greece: articles Salamis, Themistocles, Xerxes I, Peloponnesian War,
Pericles.
Rome: articles Punic Wars, Carthage, Pompey, Actium.
Medieval History.
Crusades; Swold; Dover, Battle of; Sluys, Battle of; Espagnols sur Mer (and
article Edward III), Chioggia (and articles Venice and Genoa).
16th Century.
Lepanto (and article Don John of Austria).
Armada (and articles on Howard, Hawkins, Drake, Frobisher, Raleigh,
Richard Grenville, and the other heroes of this first bright glow of England’s
naval glory).
The Era of Sailing Vessels.
Dutch Wars (and articles Tromp, Robert Blake, Ayscue, De Ruyter, Cornelius
De Witt, William Penn, George Monk, Sir John Lawson, James II, Prince
Rupert, First Earl of Sandwich, Abraham Duquesne).
Grand Alliance, Naval Operations (and articles Earl of Torrington, and
Beachy Head, Battle of; La Hogue, Earl of Oxford [Edward Russell] and
Tourville).
Spanish Succession, Naval Operations (and Château-Renault, Benbow,
Rooke, Cloudesley Shovel, Duguay-Trouin, Forbin).
Austrian Succession, Naval Operations (and the articles Edward Vernon,
Lord Anson, Toulon, Battle of, and Thomas Mathews, marking the official
sanction in England of an absurd formal system of tactics).
Seven Years’ War, Naval Operations (and Boscawen, Byng, Hawke, Pocock,
Quiberon).
American War of Independence, Naval Operations (and Esek Hopkins, John
Paul Jones, Comte d’Estaing, Suffren St. Tropez, Thomas Truxtun, Lord Howe,
John Byron, Hotham, Hyde Parker, Rodney, Guichen, Comte de Grasse).
French Revolutionary Wars, Naval Operations (and First of June, Battle of,
Howe, Villaret de Joyeuse, Lord Bridport, Lord Hood, Earl of St. Vincent [John
Jervis], St. Vincent, Battle of, Lord Keith, Lord Duncan, Nile, Nelson, Sir
Thomas Troubridge).
Napoleonic Campaigns, Naval Operations (and Baron de Saumarez,
Copenhagen, Battle of, Sir Hyde Parker, Sir Robert Calder, Villeneuve,
Trafalgar, Lord Collingwood).
American War of 1812 (and John Rodgers, Isaac Hull, William Bainbridge,
Stephen Decatur, David Porter, Oliver Hazard Perry, Sir Philip Broke, Thomas
Macdonough).
And Lissa (1811), closely resembling Trafalgar, and Navarino, decisive for
Greek Independence.
The Era of Steam.
American Civil War (and Hampton Roads, Andrew Hull Foote, New Madrid,
D. G. Farragut, D. D. Porter, W. B. Cushing).
Chile-Peruvian War.
Chilean Civil War.
Chino-Japanese War (and see Ito).
Spanish-American War (and see the articles W. T. Sampson, W. S. Schley,
George Dewey, Pascual Cervera y Topete Cervera).
Russo-Japanese War (and Togo, Dogger Bank, Tsushima).
Armaments The subject of armaments is treated
in the articles Ship and Shipbuilding
(see chapter For Marine Transportation Men), Armour Plates,
with illustrations, by Major William Egerton Edwards, late lecturer
at the Royal Naval War College, Greenwich, Ordnance,
Ammunition, Torpedo, etc.
The following is an alphabetical list of articles in the Britannica of
especial interest to naval officers or other students of naval warfare.
Actium
Admiral
Admiralty Administration
Admiralty Jurisdiction
American Civil War
American War of Independence
American War of 1812
Ammunition
Anson, Lord
Armada
Armour Plates
Arms and Armour
Ayscue
Bainbridge, William
Beachy Head
Benbow
Beresford
Blake, Robert
Boscawen
Bridport, Lord
Broke, Sir Philip
Byng
Byron, John
Calder, Sir Robert
Camperdown
Carthage
Casemate
Case-shot
Cervera
Château-Renault
Chile-Peruvian War
Chilean Civil War
Chino-Japanese War
Chioggia
Coaling Stations
Coast Defence
Coast Guard
Codrington
Coligny
Collingwood, Lord
Colomb
Commodore
Copenhagen, Battle of
Crusades
Cushing, W. B.
Decatur, Stephen
d’Estaing
De Ruyter
De Saumarez, Baron
Dewey, George
De Witt, Cornelius
Dockyards
Dogger Bank
Dover, Battle of (1217)
Drake
Duguay-Trouin
Duilius
Duncan, Lord
Duquesne, Abraham
Dutch Wars
Edward III
Espagnols sur Mer
Farragut, D. G.
Fireship
First of June
Flagship
Fleet
Flying Column
Foote, Andrew Hull
Forbin
French Revolutionary Wars
Frigate
Frobisher
Genoa
Grand Alliance
Grasse, Comte de
Grenville, Richard
Greek Independence
Guardship Perry,
Guichen
Hampton Roads
Hawke
Hawkins
Hood, Lord
Hopkins, Esek
Hotham
Howard
Howe, Lord
Hull, Isaac

Computer Forensics Incident Response Essentials 1st Edition Warren G. Kruse Ii 2024 Scribd Download

Uploaded by

Copyright:

Available Formats

Computer Forensics Incident Response Essentials 1st Edition Warren G. Kruse Ii 2024 Scribd Download

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Computer Forensics Incident Response Essentials 1st Edition Warren G. Kruse Ii 2024 Scribd Download

Uploaded by

Copyright:

Available Formats

Full download ebook at ebookname.

Computer Forensics Incident Response Essentials

Download more ebook from https://ebookname.com

Incident Response and Computer Forensics 2nd Edition

Computer Forensics JumpStart 2nd Edition Michael G.

Investigation Procedures and Response With Access Code

Hacking Exposed Computer Forensics 2nd Edition Michael

Essentials of DAS II Assessment Essentials of

Emerging Technology Programs ADM Hybrids Computer

The Ethics of Sankara and Santideva A Selfless Response

Engineering Response to Climate Change Second Edition

Copyright © 2002 by Lucent Technologies

Chapter 1 Introduction to Computer Forensics 1

Chapter 2 Tracking an Offender 23

Chapter 3 The Basics of Hard Drives and Storage Media 65

Chapter 4 Encryption and Forensics 83

Chapter 5 Data Hiding 105

Chapter 6 Hostile Code 129

Chapter 7 Your Electronic Toolkit 149

Chapter 8 Investigating Windows Computers 177

Chapter 9 Introduction to Unix for Forensic Examiners 207

Chapter 10 Compromising a Unix Host 245

Chapter 11 Investigating a Unix Host 263

Chapter 12 Introduction to the Criminal Justice System 311

Chapter 13 Conclusion 325

Appendix A Internet Data Center Response Plan 327

Appendix B Incident Response Triage Questionnaire 353

Appendix C How to Become a Unix Guru 363

Appendix D Exporting a Windows 2000 Personal Certiﬁcate 367

Appendix E How to Crowbar Unix Hosts 375

Appendix F Creating a Linux Boot CD 377

Appendix G Contents of a Forensic CD 379

Annotated Bibliography 381

How to Read This Book

Introduction to Computer Forensics

The Basics of Hard Drives and Storage Media

Encryption and Forensics

cryptography. It is relevant both in understanding evidence and, interestingly, in

Your Electronic Toolkit

Investigating Windows Computers

Introduction to Unix for Forensic Examiners

Compromising a Unix Host

Investigating a Unix Host

Introduction to the Criminal Justice System

Whenever we tell people that we work in “computer forensics,” they invariably

The Growing Problem of Computer Crime

What Exactly Is Computer Forensics?

It is unfortunate that computer forensics is sometimes misunderstood as being

1. Acquire the evidence without altering or damaging the original.

Step 1: Acquire the Evidence

Handling the Evidence

Method Advantages Disadvantages

Use a dedicated forensic No concern about the Inconvenient, time-

• Who collected it?

Item Date Time Location Name Reason

Figure 1-1 Example evidence log

evidence. In a large investigation, a law enforcement agency assigns a person to be

• The case number

Documenting the Investigation