E-book, English, 170 pages
Bayuk, CyberForensics
Understanding Information Security Investigations
1st edition, 2010
ISBN: 978-1-60761-772-3
Publisher: Humana Press
Format: PDF
Copy protection: Adobe DRM (see system requirements)

Further information and material
Table of contents (page numbers refer to the PDF edition)

Contents (p. 4)
Foreword (p. 5)
Contributors (p. 7)
CyberForensics Chapter Abstracts (p. 8)
  Introduction (p. 8)
  The Complex World of Corporate CyberForensics Investigations (p. 8)
  Investigating Large-Scale Data Breach Cases (p. 9)
  Insider Threat Investigations (p. 9)
  Accounting Forensics (p. 9)
  Analyzing Malicious Software (p. 9)
  Network Packet Forensics (p. 10)
  RAM and File Systems Investigations (p. 10)
  One Picture is Worth a Million Bytes (p. 10)
  Cybercrime and Law Enforcement Cooperation (p. 11)
  Technology Malpractice (p. 11)
Chapter 1 Introduction (p. 12)
  1.1 A Brief History (p. 12)
  1.2 A CyberForensic Framework (p. 14)
  1.3 Expert Explanations (p. 15)
  Notes (p. 16)
Chapter 2 The Complex World of Corporate CyberForensics Investigations (p. 18)
  2.1 Investigation Characteristics (p. 18)
  2.2 The Investigative Approach (p. 19)
  2.3 Case Study (p. 30)
    2.3.1 The Incident (p. 30)
    2.3.2 The Environment (p. 30)
    2.3.3 Initial Investigation (p. 30)
    2.3.4 Extended Analysis (p. 32)
    2.3.5 Investigation Conclusions (p. 33)
  2.4 Issues and Trends (p. 34)
    2.4.1 CyberForensics in the Corporate Environment (p. 34)
    2.4.2 Considerations for the Future (p. 35)
  Notes (p. 37)
Chapter 3 Investigating Large-Scale Data Breach Cases (p. 39)
  3.1 Investigation Characteristics (p. 39)
  3.2 Investigation Approach (p. 44)
    3.2.1 Set Investigation Control Points (p. 44)
    3.2.2 Manage the Unknown Unknowns (p. 45)
    3.2.3 Information Flow and Data Discovery Exercise (p. 46)
    3.2.4 Network Discovery (p. 46)
    3.2.5 Accurately Scope Evidence and Acquisition (p. 47)
    3.2.6 Detect and Manage Misinformation (p. 47)
    3.2.7 Leverage Fraud Data (p. 47)
  3.3 Case Study (p. 48)
    3.3.1 Company Profile (p. 48)
    3.3.2 Account Data Compromise (p. 48)
    3.3.3 Investigation (p. 48)
    3.3.4 Investigation Control Points (p. 49)
    3.3.5 Investigative Procedure (p. 49)
    3.3.6 Network Analysis (p. 49)
    3.3.7 Forensic Work (p. 50)
    3.3.8 Scoping Exercise (p. 50)
    3.3.9 Wireless Vulnerability (p. 50)
    3.3.10 Lessons Learned (p. 51)
  3.4 Issues and Trends (p. 52)
  Notes (p. 53)
Chapter 4 Insider Threat Investigations (p. 54)
  4.1 Investigation Characteristics (p. 54)
  4.2 Investigative Approach (p. 55)
    4.2.1 Due Diligence (p. 55)
    4.2.2 Forensic Interviews (p. 56)
    4.2.3 Cyber Surveillance (p. 56)
      4.3.3.1 Network Surveillance (p. 57)
      4.3.3.2 Computer Surveillance (p. 57)
  4.3 Case Study (p. 58)
    4.3.1 Situation (p. 58)
    4.3.2 Action (p. 58)
    4.3.3 Outcome (p. 59)
  4.4 Issues and Trends (p. 59)
    4.4.1 Anatomy of a Cyber Attack (p. 59)
    4.4.2 Emerging and Key Capabilities for CyberForensics (p. 60)
Chapter 5 Accounting Forensics (p. 61)
  5.1 Investigation Characteristics (p. 61)
  5.2 Investigative Approach (p. 62)
  5.3 Case Study (p. 63)
  5.4 Issues and Trends (p. 65)
  Notes (p. 65)
Chapter 6 Analyzing Malicious Software (p. 66)
  6.1 Investigation Characteristics (p. 66)
    6.1.1 Malware Analysis as Part of the Forensic Investigation (p. 66)
    6.1.2 Common Malware Characteristics (p. 67)
    6.1.3 Dual-Phased Analysis Process (p. 68)
  6.2 Investigative Approach (p. 68)
    6.2.1 Malware Analysis Laboratory (p. 68)
      6.3.1.1 Isolating the Malware Laboratory (p. 69)
    6.2.2 Behavioral Analysis (p. 70)
      6.2.2.1 Real-Time Monitoring of the System (p. 70)
      6.2.2.2 Identifying Important Changes to the System (p. 72)
      6.2.2.3 Monitoring the Network (p. 72)
      6.2.2.4 Interacting with Malware (p. 73)
      6.2.2.5 Automated Behavioral Analysis (p. 73)
    6.2.3 Code Analysis (p. 74)
      6.2.3.1 Structure of the Executable File (p. 74)
      6.2.3.2 Embedded Strings (p. 75)
      6.2.3.3 References to External Functions (p. 75)
      6.2.3.4 The Executable's Instructions (p. 75)
    6.2.4 Creating the Analysis Report (p. 76)
  6.3 Case Study (p. 76)
    6.3.1 Initial Analysis Steps (p. 77)
    6.3.2 Behavioral Analysis Steps (p. 77)
    6.3.3 Code Analysis Steps (p. 80)
  6.4 Issues and Trends (p. 85)
    6.4.1 Packed Malware (p. 85)
    6.4.2 Anti-virtualization Defenses (p. 88)
    6.4.3 Other Anti-analysis Trends (p. 88)
  Notes (p. 89)
Chapter 7 Network Packet Forensics (p. 91)
  7.1 Investigation Characteristics (p. 91)
    7.1.1 What Is Network Forensics? (p. 92)
  7.2 Investigative Approach (p. 94)
    7.2.1 Input Developed from Existing Security Technology Sources (p. 95)
    7.2.2 Input Received from Someone in the Organization (p. 96)
  7.3 Case Studies (p. 97)
    7.3.1 Case Study #1: The "Drive by" (p. 97)
      7.3.1.1 Requirements (p. 97)
      7.3.1.2 Detection and Response (p. 98)
      7.3.1.3 Incident Analysis (p. 99)
      7.3.1.4 Resolution (p. 100)
    7.3.2 Case Study #2: Covert Channels, Advanced Data Leakage, and Command Shells (p. 101)
      7.3.2.1 Requirements (p. 101)
      7.3.2.2 Incident Analysis (p. 104)
      7.3.2.3 Resolution (p. 104)
  7.4 Future Trends and the Way Forward (p. 105)
    7.4.1 Network Forensics Becomes a Mainstream Process (p. 105)
    7.4.2 The Continued Rise of Antiforensics Techniques (p. 106)
  Notes (p. 107)
Chapter 8 RAM and File Systems Investigations (p. 108)
  8.1 Investigation Characteristics (p. 108)
  8.2 Investigative Approach (p. 110)
    8.2.1 General Data Acquisition (p. 110)
      8.2.1.1 Volatile Data Versus Nonvolatile Data (p. 110)
      8.2.1.2 Unix Versus Windows (p. 110)
    8.2.2 Virtual Memory (p. 111)
      8.2.2.1 RAM (Random Access Memory) (p. 111)
      8.2.2.2 SWAP File (p. 112)
    8.2.3 File Systems (p. 112)
      8.2.3.1 Windows File Systems (p. 112)
      8.2.3.2 Unix File Systems (p. 113)
    8.2.4 Data Acquisition (p. 113)
      8.2.4.1 Steps in the Acquisition Process (p. 113)
    8.2.5 Analysis Approach (p. 114)
    8.2.6 Deliberately Hidden Data (p. 114)
      8.2.6.1 Hidden in the Computer (p. 115)
      8.2.6.2 Hidden Within a File (p. 116)
  8.3 Case Study (p. 116)
    8.3.1 Background (p. 116)
    8.3.2 The Investigation Process (p. 117)
    8.3.3 Conclusion (p. 119)
  8.4 Issues and Trends (p. 120)
    8.4.1 Issues (p. 120)
      8.4.1.1 Usage of Standards (p. 120)
    8.4.2 Trends (p. 120)
      8.4.2.1 E-Discovery (p. 120)
      8.4.2.2 Anti-forensics (p. 121)
  Notes (p. 121)
Chapter 9 One Picture is Worth a Million Bytes (p. 122)
  9.1 Investigation Characteristics (p. 122)
  9.2 Investigative Approach (p. 124)
    9.2.1 Interactive Data Visualization (p. 124)
    9.2.2 Unified Data Views (p. 124)
    9.2.3 Collaborative Analysis (p. 125)
  9.3 Case Study (p. 125)
    9.3.1 Case Background (p. 125)
    9.3.2 Connecting to Data and Profiling Network Traffic (p. 126)
    9.3.3 Connecting the Dots to Identify Cybercrime Suspects (p. 128)
    9.3.4 Integrating Other Sources of Data to Build a Stronger Case (p. 130)
  9.4 Issues and Trends (p. 133)
  Notes (p. 133)
Chapter 10 Cybercrime and Law Enforcement Cooperation (p. 134)
  10.1 Investigation Characteristics (p. 134)
    10.1.1 Organizational Characteristics (p. 134)
    10.1.2 Technical Characteristics (p. 136)
    10.1.3 Investigator Role (p. 137)
  10.2 Investigative Approach (p. 138)
    10.2.1 Policies and Procedures (p. 138)
    10.2.2 Electronic Crime Scene (p. 138)
    10.2.3 Communication Patterns (p. 139)
  10.3 Case Studies (p. 140)
    10.3.1 Defense Industry Case Study (p. 140)
    10.3.2 Health Care Industry Case Study (p. 141)
    10.3.3 Financial Industry Case Study (p. 142)
    10.3.4 Court Appearances (p. 142)
  10.4 Issues and Trends (p. 142)
    10.4.1 International Issues (p. 142)
    10.4.2 Inertia and Resistance to Cooperation (p. 143)
    10.4.3 Conclusion (p. 143)
  Notes (p. 144)
Chapter 11 Technology Malpractice (p. 145)
  11.1 Investigation Characteristics (p. 145)
  11.2 Investigative Approach (p. 147)
  11.3 Case Study (p. 149)
  11.4 Issues and Trends (p. 150)
    11.4.1 Managed Security Service Provider (MSSP) (p. 150)
    11.4.2 Cloud Computing (p. 151)
    11.4.3 Accountability (p. 151)
  Notes (p. 152)
Glossary (p. 153)
Index (p. 156)