Computer and intrusion forensics

Title:

Publication Information:

Boston : Artech House, c2003

ISBN:

9781580533690

Subject Term:

Computer security

Data protection

Forensic sciences

Added Author:

Mohay, George M., 1945-

Available:*

Library	Item Barcode	Call Number	Material Type	Item Category 1	Status
Searching... PSZ JB	30000010019179	QA76.9.A25 C633 2003	Open Access Book	Book	Searching... Unknown
Searching... PSZ KL	30000010059067	QA76.9.A25 C633 2003	Open Access Book	Book	Searching... Unknown

A comprehensive and broad introduction to computer and intrusion forensics, this practical work is designed to help you master the tools, techniques and underlying concepts you need to know, covering the areas of law enforcement, national security and the private sector. The text presents case studies from around the world, and treats key emerging areas such as stegoforensics, image identification, authorship categorization, link discovery and data mining. It also covers the principles and processes for handling evidence from digital sources effectively and law enforcement considerations in dealing with computer-related crimes, as well as how the effectiveness of computer forensics procedures may be influenced by organizational security policy.

Author Notes

George Mohay holds a Ph.D. in theoretical chemistry from Monash University in Melbourne.

Mohay is adjunct professor in the Information Security Research Center, Queensland University of Technology. He has done extensive research in the areas of computer security, computer forensics, concurrency, component technology and distributed systems. He has published extensively.

050

Eugene Spafford

Foreword	p. xi
Preface	p. xvii
Acknowledgments	p. xix
Disclaimer	p. xxi
1 Computer Crime, Computer Forensics, and Computer Security	p. 1
1.1 Introduction	p. 1
1.2 Human behavior in the electronic age	p. 4
1.3 The nature of computer crime	p. 6
1.4 Establishing a case in computer forensics	p. 12
1.4.1 Computer forensic analysis within the forensic tradition	p. 14
1.4.2 The nature of digital evidence	p. 21
1.4.3 Retrieval and analysis of digital evidence	p. 23
1.4.4 Sources of digital evidence	p. 27
1.5 Legal considerations	p. 29
1.6 Computer security and its relationship to computer forensics	p. 31
1.6.1 Basic communications on the Internet	p. 32
1.6.2 Computer security and computer forensics	p. 35
1.7 Overview of the following chapters	p. 37
References	p. 39
2 Current Practice	p. 41
2.1 Introduction	p. 41
2.2 Electronic evidence	p. 42
2.2.1 Secure boot, write blockers and forensic platforms	p. 44
2.2.2 Disk file organization	p. 46
2.2.3 Disk and file imaging and analysis	p. 49
2.2.4 File deletion, media sanitization	p. 57
2.2.5 Mobile telephones, PDAs	p. 59
2.2.6 Discovery of electronic evidence	p. 61
2.3 Forensic tools	p. 63
2.3.1 EnCase	p. 67
2.3.2 ILook Investigator	p. 69
2.3.3 CFIT	p. 72
2.4 Emerging procedures and standards	p. 76
2.4.1 Seizure and analysis of electronic evidence	p. 77
2.4.2 National and international standards	p. 86
2.5 Computer crime legislation and computer forensics	p. 90
2.5.1 Council of Europe convention on cybercrime and other international activities	p. 90
2.5.2 Carnivore and RIPA	p. 94
2.5.3 Antiterrorism legislation	p. 98
2.6 Networks and intrusion forensics	p. 103
References	p. 104
3 Computer Forensics in Law Enforcement and National Security	p. 113
3.1 The origins and history of computer forensics	p. 113
3.2 The role of computer forensics in law enforcement	p. 117
3.3 Principles of evidence	p. 121
3.3.1 Jurisdictional issues	p. 123
3.3.2 Forensic principles and methodologies	p. 123
3.4 Computer forensics model for law enforcement	p. 128
3.4.1 Computer forensic--secure, analyze, present (CFSAP) model	p. 128
3.5 Forensic examination	p. 133
3.5.1 Procedures	p. 133
3.5.2 Analysis	p. 143
3.5.3 Presentation	p. 146
3.6 Forensic resources and tools	p. 147
3.6.1 Operating systems	p. 147
3.6.2 Duplication	p. 149
3.6.3 Authentication	p. 152
3.6.4 Search	p. 153
3.6.5 Analysis	p. 154
3.6.6 File viewers	p. 159
3.7 Competencies and certification	p. 160
3.7.1 Training courses	p. 163
3.7.2 Certification	p. 164
3.8 Computer forensics and national security	p. 164
3.8.1 National security	p. 165
3.8.2 Critical infrastructure protection	p. 167
3.8.3 National security computer forensic organizations	p. 168
References	p. 169
4 Computer Forensics in Forensic Accounting	p. 175
4.1 Auditing and fraud detection	p. 175
4.1.1 Detecting fraud--the auditor and technology	p. 176
4.2 Defining fraudulent activity	p. 177
4.2.1 What is fraud?	p. 178
4.2.2 Internal fraud versus external fraud	p. 180
4.2.3 Understanding fraudulent behavior	p. 183
4.3 Technology and fraud detection	p. 184
4.3.1 Data mining and fraud detection	p. 187
4.3.2 Digit analysis and fraud detection	p. 188
4.3.3 Fraud detection tools	p. 189
4.4 Fraud detection techniques	p. 190
4.4.1 Fraud detection through statistical analysis	p. 191
4.4.2 Fraud detection through pattern and relationship analysis	p. 200
4.4.3 Dealing with vagueness in fraud detection	p. 204
4.4.4 Signatures in fraud detection	p. 205
4.5 Visual analysis techniques	p. 206
4.5.1 Link or relationship analysis	p. 207
4.5.2 Time-line analysis	p. 209
4.5.3 Clustering	p. 210
4.6 Building a fraud analysis model	p. 211
4.6.1 Stage 1: Define objectives	p. 212
4.6.2 Stage 2: Environmental scan	p. 214
4.6.3 Stage 3: Data acquisition	p. 215
4.6.4 Stage 4: Define fraud rules	p. 216
4.6.5 Stage 5: Develop analysis methodology	p. 217
4.6.6 Stage 6: Data analysis	p. 217
4.6.7 Stage 7: Review results	p. 218
References	p. 219
Appendix 4A	p. 221
5 Case Studies	p. 223
5.1 Introduction	p. 223
5.2 The case of "Little Nicky" Scarfo	p. 223
5.2.1 The legal challenge	p. 225
5.2.2 Keystroke logging system	p. 226
5.3 The case of "El Griton"	p. 229
5.3.1 Surveillance on Harvard's computer network	p. 230
5.3.2 Identification of the intruder: Julio Cesar Ardita	p. 231
5.3.3 Targets of Ardita's activities	p. 232
5.4 Melissa	p. 236
5.4.1 A word on macro viruses	p. 236
5.4.2 The virus	p. 237
5.4.3 Tracking the author	p. 239
5.5 The World Trade Center bombing (1993) and Operation Oplan Bojinka	p. 242
5.6 Other cases	p. 244
5.6.1 Testing computer forensics in court	p. 244
5.6.2 The case of the tender document	p. 248
References	p. 253
6 Intrusion Detection and Intrusion Forensics	p. 257
6.1 Intrusion detection, computer forensics, and information warfare	p. 257
6.2 Intrusion detection systems	p. 264
6.2.1 The evolution of IDS	p. 264
6.2.2 IDS in practice	p. 267
6.2.3 IDS interoperability and correlation	p. 274
6.3 Analyzing computer intrusions	p. 276
6.3.1 Event log analysis	p. 278
6.3.2 Time-lining	p. 280
6.4 Network security	p. 285
6.4.1 Defense in depth	p. 285
6.4.2 Monitoring of computer networks and systems	p. 288
6.4.3 Attack types, attacks, and system vulnerabilities	p. 295
6.5 Intrusion forensics	p. 303
6.5.1 Incident response and investigation	p. 303
6.5.2 Analysis of an attack	p. 306
6.5.3 A case study--security in cyberspace	p. 308
6.6 Future directions for IDS and intrusion forensics	p. 310
References	p. 312
7 Research Directions and Future Developments	p. 319
7.1 Introduction	p. 319
7.2 Forensic data mining--finding useful patterns in evidence	p. 323
7.3 Text categorization	p. 327
7.4 Authorship attribution: identifying e-mail authors	p. 331
7.5 Association rule mining--application to investigative profiling	p. 335
7.6 Evidence extraction, link analysis, and link discovery	p. 339
7.6.1 Evidence extraction and link analysis	p. 340
7.6.2 Link discovery	p. 343
7.7 Stegoforensic analysis	p. 345
7.8 Image mining	p. 349
7.9 Cryptography and cryptanalysis	p. 355
7.10 The future--society and technology	p. 360
References	p. 364
Acronyms	p. 369
About the Authors	p. 379
Index	p. 383

Available:*

On Order

Summary

Summary

Author Notes

Table of Contents