Contents .... 4
Foreword .... 5
Contributors .... 7
CyberForensics Chapter Abstracts .... 8
  Introduction .... 8
  The Complex World of Corporate CyberForensics Investigations .... 8
  Investigating Large-Scale Data Breach Cases .... 9
  Insider Threat Investigations .... 9
  Accounting Forensics .... 9
  Analyzing Malicious Software .... 9
  Network Packet Forensics .... 10
  RAM and File Systems Investigations .... 10
  One Picture is Worth a Million Bytes .... 10
  Cybercrime and Law Enforcement Cooperation .... 11
  Technology Malpractice .... 11
Chapter 1 Introduction .... 12
  1.1 A Brief History .... 12
  1.2 A CyberForensic Framework .... 14
  1.3 Expert Explanations .... 15
  Notes .... 16
Chapter 2 The Complex World of Corporate CyberForensics Investigations .... 18
  2.1 Investigation Characteristics .... 18
  2.2 The Investigative Approach .... 19
  2.3 Case Study .... 30
    2.3.1 The Incident .... 30
    2.3.2 The Environment .... 30
    2.3.3 Initial Investigation .... 30
    2.3.4 Extended Analysis .... 32
    2.3.5 Investigation Conclusions .... 33
  2.4 Issues and Trends .... 34
    2.4.1 CyberForensics in the Corporate Environment .... 34
    2.4.2 Considerations for the Future .... 35
  Notes .... 37
Chapter 3 Investigating Large-Scale Data Breach Cases .... 39
  3.1 Investigation Characteristics .... 39
  3.2 Investigation Approach .... 44
    3.2.1 Set Investigation Control Points .... 44
    3.2.2 Manage the Unknown Unknowns .... 45
    3.2.3 Information Flow and Data Discovery Exercise .... 46
    3.2.4 Network Discovery .... 46
    3.2.5 Accurately Scope Evidence and Acquisition .... 47
    3.2.6 Detect and Manage Misinformation .... 47
    3.2.7 Leverage Fraud Data .... 47
  3.3 Case Study .... 48
    3.3.1 Company Profile .... 48
    3.3.2 Account Data Compromise .... 48
    3.3.3 Investigation .... 48
    3.3.4 Investigation Control Points .... 49
    3.3.5 Investigative Procedure .... 49
    3.3.6 Network Analysis .... 49
    3.3.7 Forensic Work .... 50
    3.3.8 Scoping Exercise .... 50
    3.3.9 Wireless Vulnerability .... 50
    3.3.10 Lessons Learned .... 51
  3.4 Issues and Trends .... 52
  Notes .... 53
Chapter 4 Insider Threat Investigations .... 54
  4.1 Investigation Characteristics .... 54
  4.2 Investigative Approach .... 55
    4.2.1 Due Diligence .... 55
    4.2.2 Forensic Interviews .... 56
    4.2.3 Cyber Surveillance .... 56
      4.3.3.1 Network Surveillance .... 57
      4.3.3.2 Computer Surveillance .... 57
  4.3 Case Study .... 58
    4.3.1 Situation .... 58
    4.3.2 Action .... 58
    4.3.3 Outcome .... 59
  4.4 Issues and Trends .... 59
    4.4.1 Anatomy of a Cyber Attack .... 59
    4.4.2 Emerging and Key Capabilities for CyberForensics .... 60
Chapter 5 Accounting Forensics .... 61
  5.1 Investigation Characteristics .... 61
  5.2 Investigative Approach .... 62
  5.3 Case Study .... 63
  5.4 Issues and Trends .... 65
  Notes .... 65
Chapter 6 Analyzing Malicious Software .... 66
  6.1 Investigation Characteristics .... 66
    6.1.1 Malware Analysis as Part of the Forensic Investigation .... 66
    6.1.2 Common Malware Characteristics .... 67
    6.1.3 Dual-Phased Analysis Process .... 68
  6.2 Investigative Approach .... 68
    6.2.1 Malware Analysis Laboratory .... 68
      6.3.1.1 Isolating the Malware Laboratory .... 69
    6.2.2 Behavioral Analysis .... 70
      6.2.2.1 Real-Time Monitoring of the System .... 70
      6.2.2.2 Identifying Important Changes to the System .... 72
      6.2.2.3 Monitoring the Network .... 72
      6.2.2.4 Interacting with Malware .... 73
      6.2.2.5 Automated Behavioral Analysis .... 73
    6.2.3 Code Analysis .... 74
      6.2.3.1 Structure of the Executable File .... 74
      6.2.3.2 Embedded Strings .... 75
      6.2.3.3 References to External Functions .... 75
      6.2.3.4 The Executable's Instructions .... 75
    6.2.4 Creating the Analysis Report .... 76
  6.3 Case Study .... 76
    6.3.1 Initial Analysis Steps .... 77
    6.3.2 Behavioral Analysis Steps .... 77
    6.3.3 Code Analysis Steps .... 80
  6.4 Issues and Trends .... 85
    6.4.1 Packed Malware .... 85
    6.4.2 Anti-virtualization Defenses .... 88
    6.4.3 Other Anti-analysis Trends .... 88
  Notes .... 89
Chapter 7 Network Packet Forensics .... 91
  7.1 Investigation Characteristics .... 91
    7.1.1 What Is Network Forensics? .... 92
  7.2 Investigative Approach .... 94
    7.2.1 Input Developed from Existing Security Technology Sources .... 95
    7.2.2 Input Received from Someone in the Organization .... 96
  7.3 Case Studies .... 97
    7.3.1 Case Study #1: The "Drive by" .... 97
      7.3.1.1 Requirements .... 97
      7.3.1.2 Detection and Response .... 98
      7.3.1.3 Incident Analysis .... 99
      7.3.1.4 Resolution .... 100
    7.3.2 Case Study #2: Covert Channels, Advanced Data Leakage, and Command Shells .... 101
      7.3.2.1 Requirements .... 101
      7.3.2.2 Incident Analysis .... 104
      7.3.2.3 Resolution .... 104
  7.4 Future Trends and the Way Forward .... 105
    7.4.1 Network Forensics Becomes a Mainstream Process .... 105
    7.4.2 The Continued Rise of Antiforensics Techniques .... 106
  Notes .... 107
Chapter 8 RAM and File Systems Investigations .... 108
  8.1 Investigation Characteristics .... 108
  8.2 Investigative Approach .... 110
    8.2.1 General Data Acquisition .... 110
      8.2.1.1 Volatile Data Versus Nonvolatile Data .... 110
      8.2.1.2 Unix Versus Windows .... 110
    8.2.2 Virtual Memory .... 111
      8.2.2.1 RAM (Random Access Memory) .... 111
      8.2.2.2 SWAP File .... 112
    8.2.3 File Systems .... 112
      8.2.3.1 Windows File Systems .... 112
      8.2.3.2 Unix File Systems .... 113
    8.2.4 Data Acquisition .... 113
      8.2.4.1 Steps in the Acquisition Process .... 113
    8.2.5 Analysis Approach .... 114
    8.2.6 Deliberately Hidden Data .... 114
      8.2.6.1 Hidden in the Computer .... 115
      8.2.6.2 Hidden Within a File .... 116
  8.3 Case Study .... 116
    8.3.1 Background .... 116
    8.3.2 The Investigation Process .... 117
    8.3.3 Conclusion .... 119
  8.4 Issues and Trends .... 120
    8.4.1 Issues .... 120
      8.4.1.1 Usage of Standards .... 120
    8.4.2 Trends .... 120
      8.4.2.1 E-Discovery .... 120
      8.4.2.2 Anti-forensics .... 121
  Notes .... 121
Chapter 9 One Picture is Worth a Million Bytes .... 122
  9.1 Investigation Characteristics .... 122
  9.2 Investigative Approach .... 124
    9.2.1 Interactive Data Visualization .... 124
    9.2.2 Unified Data Views .... 124
    9.2.3 Collaborative Analysis .... 125
  9.3 Case Study .... 125
    9.3.1 Case Background .... 125
    9.3.2 Connecting to Data and Profiling Network Traffic .... 126
    9.3.3 Connecting the Dots to Identify Cybercrime Suspects .... 128
    9.3.4 Integrating Other Sources of Data to Build a Stronger Case .... 130
  9.4 Issues and Trends .... 133
  Notes .... 133
Chapter 10 Cybercrime and Law Enforcement Cooperation .... 134
  10.1 Investigation Characteristics .... 134
    10.1.1 Organizational Characteristics .... 134
    10.1.2 Technical Characteristics .... 136
    10.1.3 Investigator Role .... 137
  10.2 Investigative Approach .... 138
    10.2.1 Policies and Procedures .... 138
    10.2.2 Electronic Crime Scene .... 138
    10.2.3 Communication Patterns .... 139
  10.3 Case Studies .... 140
    10.3.1 Defense Industry Case Study .... 140
    10.3.2 Health Care Industry Case Study .... 141
    10.3.3 Financial Industry Case Study .... 142
    10.3.4 Court Appearances .... 142
  10.4 Issues and Trends .... 142
    10.4.1 International Issues .... 142
    10.4.2 Inertia and Resistance to Cooperation .... 143
    10.4.3 Conclusion .... 143
  Notes .... 144
Chapter 11 Technology Malpractice .... 145
  11.1 Investigation Characteristics .... 145
  11.2 Investigative Approach .... 147
  11.3 Case Study .... 149
  11.4 Issues and Trends .... 150
    11.4.1 Managed Security Service Provider (MSSP) .... 150
    11.4.2 Cloud Computing .... 151
    11.4.3 Accountability .... 151
  Notes .... 152
Glossary .... 153
Index .... 156