CyberForensics (eBook)

Understanding Information Security Investigations

Jennifer Bayuk (Editor)

eBook Download: PDF
2010 | 2010
XIV, 170 pages
Humana Press (Publisher)
978-1-60761-772-3 (ISBN)

Reading and media samples

CyberForensics -
System requirements
106.99 incl. VAT
Cyberforensics is a fairly new word in the technology of our industry, but one that nevertheless has immediately recognizable meaning. Although the word forensics may have its origins in formal debates using evidence, it is now most closely associated with investigation into evidence of crime. As the word cyber has become synonymous with the use of electronic technology, the word cyberforensics bears no mystery. It immediately conveys a serious and concentrated endeavor to identify the evidence of crimes or other attacks committed in cyberspace. Nevertheless, the full implications of the word are less well understood. Cyberforensic activities remain a mystery to most people, even those fully immersed in the design and operation of cyber technology. This book sheds light on those activities in a way that is comprehensible not only to technology professionals but also to the technology hobbyist and those simply curious about the field. When I started contributing to the field of cybersecurity, it was an obscure field, rarely mentioned in the mainstream media. According to the FBI, by 2009 organized crime syndicates were making more money via cybercrime than in drug trafficking. In spite of the rise in cybercrime and the advance of sophisticated threat actors online, the cyber security profession continues to lag behind in its ability to investigate cybercrime and understand the root causes of cyber attacks. In the late 1990s I worked to respond to sophisticated attacks as part of the U. S.

Contents 4
Foreword 5
Contributors 7
CyberForensics Chapter Abstracts 8
Introduction 8
The Complex World of Corporate CyberForensics Investigations 8
Investigating Large-Scale Data Breach Cases 9
Insider Threat Investigations 9
Accounting Forensics 9
Analyzing Malicious Software 9
Network Packet Forensics 10
RAM and File Systems Investigations 10
One Picture is Worth a Million Bytes 10
Cybercrime and Law Enforcement Cooperation 11
Technology Malpractice 11
Chapter 1 Introduction 12
1.1 A Brief History 12
1.2 A CyberForensic Framework 14
1.3 Expert Explanations 15
Notes 16
Chapter 2 The Complex World of Corporate CyberForensics Investigations 18
2.1 Investigation Characteristics 18
2.2 The Investigative Approach 19
2.3 Case Study 30
2.3.1 The Incident 30
2.3.2 The Environment 30
2.3.3 Initial Investigation 30
2.3.4 Extended Analysis 32
2.3.5 Investigation Conclusions 33
2.4 Issues and Trends 34
2.4.1 CyberForensics in the Corporate Environment 34
2.4.2 Considerations for the Future 35
Notes 37
Chapter 3 Investigating Large-Scale Data Breach Cases 39
3.1 Investigation Characteristics 39
3.2 Investigation Approach 44
3.2.1 Set Investigation Control Points 44
3.2.2 Manage the Unknown Unknowns 45
3.2.3 Information Flow and Data Discovery Exercise 46
3.2.4 Network Discovery 46
3.2.5 Accurately Scope Evidence and Acquisition 47
3.2.6 Detect and Manage Misinformation 47
3.2.7 Leverage Fraud Data 47
3.3 Case Study 48
3.3.1 Company Profile 48
3.3.2 Account Data Compromise 48
3.3.3 Investigation 48
3.3.4 Investigation Control Points 49
3.3.5 Investigative Procedure 49
3.3.6 Network Analysis 49
3.3.7 Forensic Work 50
3.3.8 Scoping Exercise 50
3.3.9 Wireless Vulnerability 50
3.3.10 Lessons Learned 51
3.4 Issues and Trends 52
Notes 53
Chapter 4 Insider Threat Investigations 54
4.1 Investigation Characteristics 54
4.2 Investigative Approach 55
4.2.1 Due Diligence 55
4.2.2 Forensic Interviews 56
4.2.3 Cyber Surveillance 56
4.3.3.1 Network Surveillance 57
4.3.3.2 Computer Surveillance 57
4.3 Case Study 58
4.3.1 Situation 58
4.3.2 Action 58
4.3.3 Outcome 59
4.4 Issues and Trends 59
4.4.1 Anatomy of a Cyber Attack 59
4.4.2 Emerging and Key Capabilities for CyberForensics 60
Chapter 5 Accounting Forensics 61
5.1 Investigation Characteristics 61
5.2 Investigative Approach 62
5.3 Case Study 63
5.4 Issues and Trends 65
Notes 65
Chapter 6 Analyzing Malicious Software 66
6.1 Investigation Characteristics 66
6.1.1 Malware Analysis as Part of the Forensic Investigation 66
6.1.2 Common Malware Characteristics 67
6.1.3 Dual-Phased Analysis Process 68
6.2 Investigative Approach 68
6.2.1 Malware Analysis Laboratory 68
6.3.1.1 Isolating the Malware Laboratory 69
6.2.2 Behavioral Analysis 70
6.2.2.1 Real-Time Monitoring of the System 70
6.2.2.2 Identifying Important Changes to the System 72
6.2.2.3 Monitoring the Network 72
6.2.2.4 Interacting with Malware 73
6.2.2.5 Automated Behavioral Analysis 73
6.2.3 Code Analysis 74
6.2.3.1 Structure of the Executable File 74
6.2.3.2 Embedded Strings 75
6.2.3.3 References to External Functions 75
6.2.3.4 The Executable's Instructions 75
6.2.4 Creating the Analysis Report 76
6.3 Case Study 76
6.3.1 Initial Analysis Steps 77
6.3.2 Behavioral Analysis Steps 77
6.3.3 Code Analysis Steps 80
6.4 Issues and Trends 85
6.4.1 Packed Malware 85
6.4.2 Anti-virtualization Defenses 88
6.4.3 Other Anti-analysis Trends 88
Notes 89
Chapter 7 Network Packet Forensics 91
7.1 Investigation Characteristics 91
7.1.1 What Is Network Forensics? 92
7.2 Investigative Approach 94
7.2.1 Input Developed from Existing Security Technology Sources 95
7.2.2 Input Received from Someone in the Organization 96
7.3 Case Studies 97
7.3.1 Case Study #1: The "Drive by" 97
7.3.1.1 Requirements 97
7.3.1.2 Detection and Response 98
7.3.1.3 Incident Analysis 99
7.3.1.4 Resolution 100
7.3.2 Case Study #2: Covert Channels, Advanced Data Leakage, and Command Shells 101
7.3.2.1 Requirements 101
7.3.2.2 Incident Analysis 104
7.3.2.3 Resolution 104
7.4 Future Trends and the Way Forward 105
7.4.1 Network Forensics Becomes a Mainstream Process 105
7.4.2 The Continued Rise of Antiforensics Techniques 106
Notes 107
Chapter 8 RAM and File Systems Investigations 108
8.1 Investigation Characteristics 108
8.2 Investigative Approach 110
8.2.1 General Data Acquisition 110
8.2.1.1 Volatile Data Versus Nonvolatile Data 110
8.2.1.2 Unix Versus Windows 110
8.2.2 Virtual Memory 111
8.2.2.1 RAM (Random Access Memory) 111
8.2.2.2 SWAP File 112
8.2.3 File Systems 112
8.2.3.1 Windows File Systems 112
8.2.3.2 Unix File Systems 113
8.2.4 Data Acquisition 113
8.2.4.1 Steps in the Acquisition Process 113
8.2.5 Analysis Approach 114
8.2.6 Deliberately Hidden Data 114
8.2.6.1 Hidden in the Computer 115
8.2.6.2 Hidden Within a File 116
8.3 Case Study 116
8.3.1 Background 116
8.3.2 The Investigation Process 117
8.3.3 Conclusion 119
8.4 Issues and Trends 120
8.4.1 Issues 120
8.4.1.1 Usage of Standards 120
8.4.2 Trends 120
8.4.2.1 E-Discovery 120
8.4.2.2 Anti-forensics 121
Notes 121
Chapter 9 One Picture is Worth a Million Bytes 122
9.1 Investigation Characteristics 122
9.2 Investigative Approach 124
9.2.1 Interactive Data Visualization 124
9.2.2 Unified Data Views 124
9.2.3 Collaborative Analysis 125
9.3 Case Study 125
9.3.1 Case Background 125
9.3.2 Connecting to Data and Profiling Network Traffic 126
9.3.3 Connecting the Dots to Identify Cybercrime Suspects 128
9.3.4 Integrating Other Sources of Data to Build a Stronger Case 130
9.4 Issues and Trends 133
Notes 133
Chapter 10 Cybercrime and Law Enforcement Cooperation 134
10.1 Investigation Characteristics 134
10.1.1 Organizational Characteristics 134
10.1.2 Technical Characteristics 136
10.1.3 Investigator Role 137
10.2 Investigative Approach 138
10.2.1 Policies and Procedures 138
10.2.2 Electronic Crime Scene 138
10.2.3 Communication Patterns 139
10.3 Case Studies 140
10.3.1 Defense Industry Case Study 140
10.3.2 Health Care Industry Case Study 141
10.3.3 Financial Industry Case Study 142
10.3.4 Court Appearances 142
10.4 Issues and Trends 142
10.4.1 International Issues 142
10.4.2 Inertia and Resistance to Cooperation 143
10.4.3 Conclusion 143
Notes 144
Chapter 11 Technology Malpractice 145
11.1 Investigation Characteristics 145
11.2 Investigative Approach 147
11.3 Case Study 149
11.4 Issues and Trends 150
11.4.1 Managed Security Service Provider (MSSP) 150
11.4.2 Cloud Computing 151
11.4.3 Accountability 151
Notes 152
Glossary 153
Index 156

Publication date (per publisher) 10.9.2010
Series Springer's Forensic Laboratory Science Series
Additional info XIV, 170 p.
Place of publication Totowa
Language English
Subject areas Computer Science / Office Programs / Outlook
Mathematics / Computer Science / Computer Science Theory / Study
Medicine / Pharmacy / Medical Specialties
Study, 1st Stage (Preclinical) / Biochemistry / Molecular Biology
Law / Tax / Criminal Law / Criminology
Social Sciences
Business / Business Administration / Management / Marketing / Sales
Keywords child pornography • Computer • Computer forensics • Crime • cybercrime • cyberforensics, security, computers, internet • Data Security • Identity Theft • Internet • Mainframe • Methodology • search engine marketing (SEM) • Technology
ISBN-10 1-60761-772-2 / 1607617722
ISBN-13 978-1-60761-772-3 / 9781607617723
PDF (watermarked)
Size: 6.6 MB

DRM: Digital watermark
This eBook contains a digital watermark and is therefore personalized to you. If the eBook is improperly passed on to third parties, it can be traced back to its source.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only partially suitable for small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer for this, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is, however, not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer for this, e.g. the free Adobe Digital Editions app.

Additional feature: Read online
In addition to downloading it, you can also read this eBook online in your web browser.

Buying eBooks from abroad
For tax law reasons we can sell eBooks only within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.
