CyberForensics - Understanding Information Security Investigations

Contents

Foreword

Contributors

CyberForensics Chapter Abstracts

Introduction

The Complex World of Corporate CyberForensics Investigations

Investigating Large-Scale Data Breach Cases

Insider Threat Investigations

Accounting Forensics

Analyzing Malicious Software

Network Packet Forensics

RAM and File Systems Investigations

One Picture is Worth a Million Bytes

Cybercrime and Law Enforcement Cooperation

Technology Malpractice

Chaptet 1 Introduction

1.1 A Brief History

1.2 A CyberForensic Framework

1.3 Expert Explanations

Notes

Chaptet 2 The Complex World of Corporate CyberForensics Investigations

2.1 Investigation Characteristics

2.2 The Investigative Approach

2.3 Case Study

2.3.1 The Incident

2.3.2 The Environment

2.3.3 Initial Investigation

2.3.4 Extended Analysis

2.3.5 Investigation Conclusions

2.4 Issues and Trends

2.4.1 CyberForensics in the Corporate Environment

2.4.2 Considerations for the Future

Notes

Chaptet 3 Investigating Large-Scale Data Breach Cases

3.1 Investigation Characteristics

3.2 Investigation Approach

3.2.1 Set Investigation Control Points

3.2.2 Manage the Unknown Unknowns

3.2.3 Information Flow and Data Discovery Exercise

3.2.4 Network Discovery

3.2.5 Accurately Scope Evidence and Acquisition

3.2.6 Detect and Manage Misinformation

3.2.7 Leverage Fraud Data

3.3 Case Study

3.3.1 Company Profile

3.3.2 Account Data Compromise

3.3.3 Investigation

3.3.4 Investigation Control Points

3.3.5 Investigative Procedure

3.3.6 Network Analysis

3.3.7 Forensic Work

3.3.8 Scoping Exercise

3.3.9 Wireless Vulnerability

3.3.10 Lessons Learned

3.4 Issues and Trends

Notes

Chaptet 4 Insider Threat Investigations

4.1 Investigation Characteristics

4.2 Investigative Approach

4.2.1 Due Diligence

4.2.2 Forensic Interviews

4.2.3 Cyber Surveillance

4.3.3.1 Network Surveillance

4.3.3.2 Computer Surveillance

4.3 Case Study

4.3.1 Situation

4.3.2 Action

4.3.3 Outcome

4.4 Issues and Trends

4.4.1 Anatomy of a Cyber Attack

4.4.2 Emerging and Key Capabilities for CyberForensics

Chaptet 5 Accounting Forensics

5.1 Investigation Characteristics

5.2 Investigative Approach

5.3 Case Study

5.4 Issues and Trends

Notes

Chaptet 6 Analyzing Malicious Software

6.1 Investigation Characteristics

6.1.1 Malware Analysis as Partof the Forensic Investigation

6.1.2 Common Malware Characteristics

6.1.3 Dual-Phased Analysis Process

6.2 Investigative Approach

6.2.1 Malware Analysis Laboratory

6.3.1.1 Isolating the Malware Laboratory

6.2.2 Behavioral Analysis

6.2.2.1 Real-Time Monitoring of the System

6.2.2.2 Identifying Important Changes to the System

6.2.2.3 Monitoring the Network

6.2.2.4 Interacting with Malware

6.2.2.5 Automated Behavioral Analysis

6.2.3 Code Analysis

6.2.3.1 Structure of the Executable File

6.2.3.2 Embedded Strings

6.2.3.3 References to External Functions

6.2.3.4 The Executable's Instructions

6.2.4 Creating the Analysis Report

6.3 Case Study

6.3.1 Initial Analysis Steps

6.3.2 Behavioral Analysis Steps

6.3.3 Code Analysis Steps

6.4 Issues and Trends

6.4.1 Packed Malware

6.4.2 Anti-virtualization Defenses

6.4.3 Other Anti-analysis Trends

Notes

Chaptet 7 Network Packet Forensics

7.1 Investigation Characteristics

7.1.1 What Is Network Forensics?

7.2 Investigative Approach

7.2.1 Input Developed from Existing Security Technology Sources

7.2.2 Input Received from Someone in the Organization

7.3 Case Studies

7.3.1 Case Study ''1: The ''Drive by''

7.3.1.1 Requirements

7.3.1.2 Detection and Response

7.3.1.3 Incident Analysis

7.3.1.4 Resolution

7.3.2 Case Study #2: Covert Channels, Advanced Data Leakage, and Command Shells

7.3.2.1 Requirements

7.3.2.2 Incident Analysis

7.3.2.3 Resolution

7.4 Future Trends and the Way Forward

7.4.1 Network Forensics Becomes a Mainstream Process

7.4.2 The Continued Rise of Antiforensics Techniques

Notes

Chaptet 8 RAM and File Systems Investigations

8.1 Investigation Characteristics

8.2 Investigative Approach

8.2.1 General Data Acquisition

8.2.1.1 Volatile Data Versus Nonvolatile Data

8.2.1.2 Unix Versus Windows

8.2.2 Virtual Memory

8.2.2.1 RAM (Random Access Memory)

8.2.2.2 SWAP File

8.2.3 File Systems

8.2.3.1 Windows File Systems

8.2.3.2 Unix File Systems

8.2.4 Data Acquisition

8.2.4.1 Steps in the Acquisition Process

8.2.5 Analysis Approach

8.2.6 Deliberately Hidden Data

8.2.6.1 Hidden in the Computer

8.2.6.2 Hidden Within a File

8.3 Case Study

8.3.1 Background

8.3.2 The Investigation Process

8.3.3 Conclusion

8.4 Issues and Trends

8.4.1 Issues

8.4.1.1 Usage of Standards

8.4.2 Trends

8.4.2.1 E-Discovery

8.4.2.2 Anti-forensics

Notes

Chaptet 9 One Picture is Worth a Million Bytes

9.1 Investigation Characteristics

9.2 Investigative Approach

9.2.1 Interactive Data Visualization

9.2.2 Unified Data Views

9.2.3 Collaborative Analysis

9.3 Case Study

9.3.1 Case Background

9.3.2 Connecting to Data and Profiling Network Traffic

9.3.3 Connecting the Dots to Identify Cybercrime Suspects

9.3.4 Integrating Other Sources of Data to Build a Stronger Case

9.4 Issues and Trends

Notes

Chaptet 10 Cybercrime and Law Enforcement Cooperation

10.1 Investigation Characteristics

10.1.1 Organizational Characteristics

10.1.2 Technical Characteristics

10.1.3 Investigator Role

10.2 Investigative Approach

10.2.1 Polices and Procedures

10.2.2 Electronic Crime Scene

10.2.3 Communication Patterns

10.3 Case Studies

10.3.1 Defense Industry Case Study

10.3.2 Health Care Industry Case Study

10.3.3 Financial Industry Case Study

10.3.4 Court Appearances

10.4 Issues and Trends

10.4.1 International Issues

10.4.2 Inertia and Resistance to Cooperation

10.4.3 Conclusion

Notes

Chaptet 11 Technology Malpractice

11.1 Investigation Characteristics

11.2 Investigative Approach

11.3 Case Study

11.4 Issues and Trends

11.4.1 Managed Security Service Provider (MSSP)

11.4.2 Cloud Computing

11.4.3 Accountability

Notes

Glossary

Index