Computer and intrusion forensics

Holdings

Item Barcode | Call Number | Material Type | Item Category |
---|---|---|---|
30000010019179 | QA76.9.A25 C633 2003 | Open Access Book | Book |
30000010059067 | QA76.9.A25 C633 2003 | Open Access Book | Book |
Summary
A comprehensive and broad introduction to computer and intrusion forensics, this practical work is designed to help you master the tools, techniques and underlying concepts you need to know, covering the areas of law enforcement, national security and the private sector. The text presents case studies from around the world, and treats key emerging areas such as stegoforensics, image identification, authorship categorization, link discovery and data mining. It also covers the principles and processes for handling evidence from digital sources effectively and law enforcement considerations in dealing with computer-related crimes, as well as how the effectiveness of computer forensics procedures may be influenced by organizational security policy.
Author Notes
George Mohay holds a Ph.D. in theoretical chemistry from Monash University in Melbourne.
Mohay is adjunct professor in the Information Security Research Center, Queensland University of Technology. He has done extensive research in the areas of computer security, computer forensics, concurrency, component technology and distributed systems. He has published extensively.
Table of Contents

Section | Page |
---|---|
Foreword | p. xi |
Preface | p. xvii |
Acknowledgments | p. xix |
Disclaimer | p. xxi |
1 Computer Crime, Computer Forensics, and Computer Security | p. 1 |
1.1 Introduction | p. 1 |
1.2 Human behavior in the electronic age | p. 4 |
1.3 The nature of computer crime | p. 6 |
1.4 Establishing a case in computer forensics | p. 12 |
1.4.1 Computer forensic analysis within the forensic tradition | p. 14 |
1.4.2 The nature of digital evidence | p. 21 |
1.4.3 Retrieval and analysis of digital evidence | p. 23 |
1.4.4 Sources of digital evidence | p. 27 |
1.5 Legal considerations | p. 29 |
1.6 Computer security and its relationship to computer forensics | p. 31 |
1.6.1 Basic communications on the Internet | p. 32 |
1.6.2 Computer security and computer forensics | p. 35 |
1.7 Overview of the following chapters | p. 37 |
References | p. 39 |
2 Current Practice | p. 41 |
2.1 Introduction | p. 41 |
2.2 Electronic evidence | p. 42 |
2.2.1 Secure boot, write blockers and forensic platforms | p. 44 |
2.2.2 Disk file organization | p. 46 |
2.2.3 Disk and file imaging and analysis | p. 49 |
2.2.4 File deletion, media sanitization | p. 57 |
2.2.5 Mobile telephones, PDAs | p. 59 |
2.2.6 Discovery of electronic evidence | p. 61 |
2.3 Forensic tools | p. 63 |
2.3.1 EnCase | p. 67 |
2.3.2 ILook Investigator | p. 69 |
2.3.3 CFIT | p. 72 |
2.4 Emerging procedures and standards | p. 76 |
2.4.1 Seizure and analysis of electronic evidence | p. 77 |
2.4.2 National and international standards | p. 86 |
2.5 Computer crime legislation and computer forensics | p. 90 |
2.5.1 Council of Europe convention on cybercrime and other international activities | p. 90 |
2.5.2 Carnivore and RIPA | p. 94 |
2.5.3 Antiterrorism legislation | p. 98 |
2.6 Networks and intrusion forensics | p. 103 |
References | p. 104 |
3 Computer Forensics in Law Enforcement and National Security | p. 113 |
3.1 The origins and history of computer forensics | p. 113 |
3.2 The role of computer forensics in law enforcement | p. 117 |
3.3 Principles of evidence | p. 121 |
3.3.1 Jurisdictional issues | p. 123 |
3.3.2 Forensic principles and methodologies | p. 123 |
3.4 Computer forensics model for law enforcement | p. 128 |
3.4.1 Computer forensic--secure, analyze, present (CFSAP) model | p. 128 |
3.5 Forensic examination | p. 133 |
3.5.1 Procedures | p. 133 |
3.5.2 Analysis | p. 143 |
3.5.3 Presentation | p. 146 |
3.6 Forensic resources and tools | p. 147 |
3.6.1 Operating systems | p. 147 |
3.6.2 Duplication | p. 149 |
3.6.3 Authentication | p. 152 |
3.6.4 Search | p. 153 |
3.6.5 Analysis | p. 154 |
3.6.6 File viewers | p. 159 |
3.7 Competencies and certification | p. 160 |
3.7.1 Training courses | p. 163 |
3.7.2 Certification | p. 164 |
3.8 Computer forensics and national security | p. 164 |
3.8.1 National security | p. 165 |
3.8.2 Critical infrastructure protection | p. 167 |
3.8.3 National security computer forensic organizations | p. 168 |
References | p. 169 |
4 Computer Forensics in Forensic Accounting | p. 175 |
4.1 Auditing and fraud detection | p. 175 |
4.1.1 Detecting fraud--the auditor and technology | p. 176 |
4.2 Defining fraudulent activity | p. 177 |
4.2.1 What is fraud? | p. 178 |
4.2.2 Internal fraud versus external fraud | p. 180 |
4.2.3 Understanding fraudulent behavior | p. 183 |
4.3 Technology and fraud detection | p. 184 |
4.3.1 Data mining and fraud detection | p. 187 |
4.3.2 Digit analysis and fraud detection | p. 188 |
4.3.3 Fraud detection tools | p. 189 |
4.4 Fraud detection techniques | p. 190 |
4.4.1 Fraud detection through statistical analysis | p. 191 |
4.4.2 Fraud detection through pattern and relationship analysis | p. 200 |
4.4.3 Dealing with vagueness in fraud detection | p. 204 |
4.4.4 Signatures in fraud detection | p. 205 |
4.5 Visual analysis techniques | p. 206 |
4.5.1 Link or relationship analysis | p. 207 |
4.5.2 Time-line analysis | p. 209 |
4.5.3 Clustering | p. 210 |
4.6 Building a fraud analysis model | p. 211 |
4.6.1 Stage 1: Define objectives | p. 212 |
4.6.2 Stage 2: Environmental scan | p. 214 |
4.6.3 Stage 3: Data acquisition | p. 215 |
4.6.4 Stage 4: Define fraud rules | p. 216 |
4.6.5 Stage 5: Develop analysis methodology | p. 217 |
4.6.6 Stage 6: Data analysis | p. 217 |
4.6.7 Stage 7: Review results | p. 218 |
References | p. 219 |
Appendix 4A | p. 221 |
5 Case Studies | p. 223 |
5.1 Introduction | p. 223 |
5.2 The case of "Little Nicky" Scarfo | p. 223 |
5.2.1 The legal challenge | p. 225 |
5.2.2 Keystroke logging system | p. 226 |
5.3 The case of "El Griton" | p. 229 |
5.3.1 Surveillance on Harvard's computer network | p. 230 |
5.3.2 Identification of the intruder: Julio Cesar Ardita | p. 231 |
5.3.3 Targets of Ardita's activities | p. 232 |
5.4 Melissa | p. 236 |
5.4.1 A word on macro viruses | p. 236 |
5.4.2 The virus | p. 237 |
5.4.3 Tracking the author | p. 239 |
5.5 The World Trade Center bombing (1993) and Operation Oplan Bojinka | p. 242 |
5.6 Other cases | p. 244 |
5.6.1 Testing computer forensics in court | p. 244 |
5.6.2 The case of the tender document | p. 248 |
References | p. 253 |
6 Intrusion Detection and Intrusion Forensics | p. 257 |
6.1 Intrusion detection, computer forensics, and information warfare | p. 257 |
6.2 Intrusion detection systems | p. 264 |
6.2.1 The evolution of IDS | p. 264 |
6.2.2 IDS in practice | p. 267 |
6.2.3 IDS interoperability and correlation | p. 274 |
6.3 Analyzing computer intrusions | p. 276 |
6.3.1 Event log analysis | p. 278 |
6.3.2 Time-lining | p. 280 |
6.4 Network security | p. 285 |
6.4.1 Defense in depth | p. 285 |
6.4.2 Monitoring of computer networks and systems | p. 288 |
6.4.3 Attack types, attacks, and system vulnerabilities | p. 295 |
6.5 Intrusion forensics | p. 303 |
6.5.1 Incident response and investigation | p. 303 |
6.5.2 Analysis of an attack | p. 306 |
6.5.3 A case study--security in cyberspace | p. 308 |
6.6 Future directions for IDS and intrusion forensics | p. 310 |
References | p. 312 |
7 Research Directions and Future Developments | p. 319 |
7.1 Introduction | p. 319 |
7.2 Forensic data mining--finding useful patterns in evidence | p. 323 |
7.3 Text categorization | p. 327 |
7.4 Authorship attribution: identifying e-mail authors | p. 331 |
7.5 Association rule mining--application to investigative profiling | p. 335 |
7.6 Evidence extraction, link analysis, and link discovery | p. 339 |
7.6.1 Evidence extraction and link analysis | p. 340 |
7.6.2 Link discovery | p. 343 |
7.7 Stegoforensic analysis | p. 345 |
7.8 Image mining | p. 349 |
7.9 Cryptography and cryptanalysis | p. 355 |
7.10 The future--society and technology | p. 360 |
References | p. 364 |
Acronyms | p. 369 |
About the Authors | p. 379 |
Index | p. 383 |