1) I concur with Mr. Woody; I suggest that you learn how to improve your "reference skills". Don't feel too bad. Most people don't have them and because of that have major problems using libraries, the internet and other storehouses of knowledge. It is a learned art and a skill that helps shorten the way.
2) I am reposting this list that I have posted on forensics; it can be found by searching on "Recommended Books". Anyone who wants to add something, please do so.

Regards,
David R. Hibbeln

****************************************************************************

Here is a list that I have been compiling of books and links re computer forensics and security from the lists. Oh, comments are not mine, cuts from various posts. List is a little out of date... I have been way too busy with The American Red Cross In Greater New York.

Take a look at this page at NIJ: http://www.ojp.usdoj.gov/nij/lawedocs2001.htm
Check out "Electronic Crime Scene Investigation".

PDA Forensics
Disclaimer, I have not used it, but saw a demo and Amber the owner (I think) has been in the forensics biz forever.
http://www.paraben.com/html/pda/index.html

For those who are not aware, Pike & Fisher launched a new publication this year focusing on computer evidence and discovery issues -- Digital Discovery and e-Evidence. The emphasis is mostly on civil litigation issues, but the publication is an excellent overall resource and a must for any attorney interested in computer forensics law, as well as litigation support consultants.
http://www.pf.com/law_internet_digitaldisc.asp
The site contains a free sample issue (May 2001) that is well worth reading.

I second your opinion about "Forensic Computing" by Sammes and Jenkinson. In addition to (very) thoroughly covering disk functions and formats, they introduce issues relating to handheld devices. For more advanced aspects of forensic analysis, I recommend the "Handbook of Computer Crime Investigation: Forensic Tools and Technology" coming out in mid-October.
This work is the collective effort of many experienced examiners, as you can see from the Table of Contents and About the Authors available at (click on Sample Chapter):
http://www.harcourt-international.com/catalogue/title.cfm?ISBN=0121631036
As we approach the release date for this book, additional information (supplementary materials, commentary, etc.) will be available at:
http://www.academicpress.com/aps/apforensics.htm
Eoghan Casey
Yale University

"Gary L. Palmer" wrote:
>
> There are several on-line references I like and I will try to get them
> out to you. However, a recent book has come on the scene that I think (
> my opinion only) is very good. It is:
>
> Forensic Computing: A Practitioner's Guide
> Tony Sammes and Brian Jenkinson, ISBN: 1-85233-299-9
>
> Also, the documentation and man pages that come with TCT (The Coroner's
> Toolkit) at www.fish.com are pretty good at helping you with some
> aspects of unix file system specifics.
>

Computer Forensics: Incident Response Essentials
Jay G. Heiser
Warren G. Kruse II
Publisher: Addison Wesley
Copyright: 2002
Format: Paper, 416 pp
ISBN: 0-201-70719-5
Status: Coming 09/21/2001
Retail Price: $39.99 US
Professors, contact your bookstore for bookstore price.

Computer forensics is any form of thorough and organized computer security investigation that seeks to determine what sequence of events occurred when a misuse or crime is suspected. Now, two leading investigators present the first complete guide to the field: investigative methods, tracking, evidence collecting, reporting, tools, legal issues, and more. With this practical book, any computer or legal professional can master the key skills of the professional computer forensics expert. The authors introduce the basic processes of computer forensics, evidence collection and analysis, demonstrating how to interpret clues inside mail messages and news postings, on hard drives and other computer storage media.
The book contains forensics-oriented introductions to cryptography and encryption, digital signatures and time stamping, finding hidden data, handling hostile code, and contending with other hacker tools and robots. The final chapter provides an overview of the criminal justice process as it relates to computer security investigations -- including topics such as affidavits, subpoenas, warrants, and the chain of custody. For computer security professionals, system and network administrators, and law enforcement officials and consultants concerned with computer crime and investigations.
http://www.aw.com/product/0,2627,0201707195,00.html

The O'Reilly book Computer Crime is nice. They actually have a table for the rules of evidence. Nice!

TRAINING VENUES:
I know a few people have mentioned some of these already but I thought I would give my list of references. Went through some previous posts and noticed someone has already compiled a larger list than this; the url for that list is http://www.ne-htcia.org/conted.html

Guidance Software (EnCase) http://www.guidancesoftware.com/training/frame_fst.html
New Technologies, Inc. http://www.forensics-intl.com/training.html
AccessData http://www.accessdata.com/index.html
Key Computer Services, Inc. http://www.keycomputer.net/
IACIS CFCE training http://www.cops.org/training.htm
Computer Forensics Services http://www.computer-forensic.com/computer_forensic_training.htm
CompuForensics for Computer Forensics http://www.compuforensics.com/training.htm
Redlands Community College http://www.redlandscc.net/fcsc/FCSCWEB.htm
Wright State University http://www.wright.edu/cpd/forensics1.html
The HoneyNet Project http://project.honeynet.org/
end of training venues

> Gray, General A. M., Warfighting, United States Marine Corps, New York,
> NY: Doubleday, 1989 (ISBN 0-385-47834-8 ?)

Hardening NT Servers:
Todd Mather's book "Windows NT/2000 Thin Client Solutions: Implementing Terminal Services and Citrix MetaFrame"
> I would recommend the Windows 2000 Security Handbook (www.windows2000securityhandbook.com)
A book by Ian McLean titled Windows 2000 Security, Little Black Books, ISBN 1-57610-387-0, is a great source of info.
> > Securing Windows NT/2000 Servers for the Internet
> by Stefan Norberg, O'Reilly
> http://www.oreilly.com/catalog/securwinserv/

Try http://www.openna.com/books/book.htm . The book "Securing and Optimizing Linux: Red Hat Edition (6.2)" is online.

Have a look at the linux section on http://www.securityfocus.com and have a poke around the Library. There's loads of excellent stuff. I think Lance Spitzner's "Armoring Linux" is a good starting point too. http://www.enteract.com/~lspitz/

A good starting point may be "Maximum Linux Security". The book is outdated, and contains pages and pages of source code (no need for that when it includes a CD), but it is worth a read. If you want to get familiar with some security tools, try out "Linux System Security".

PGP <http://www.pgp.com>

5. Restorer2000
Platforms: Windows NT
by BitMart Inc.
Relevant URL: http://www.restorer2000.com/dwnld/r2k_demo.exe
Restorer2000 is a powerful utility which can undelete files that were deleted accidentally on NTFS partitions and even reconstruct formatted and corrupted drives. Restorer2000 can restore files in such non-trivial cases as national-language filenames, very long filenames, NTFS-compressed files and files with alternate data streams, such as Windows 2000 file information. Unique SmartScan technology combined with the flexibility of adjusting all parameters gives you real control over the fastest data reconstruction ever seen. Use of drive images is very useful for tasks such as recovering a drive with a lot of bad sectors.
Detailed context-sensitive information and the ability to adjust as much as possible bring you incredible quality and data safety in extremely non-ordinary situations. You can find and restore deleted files in a few seconds using the program's powerful algorithms.

> > Solaris Security by Peter Gregory. A very useful review of the
> > Solaris-specific configuration options affecting system security.
> >
> > Decrypted Secrets by Friedrich Bauer. More a discussion of
> > cryptography, it is interspersed with vignettes about how bad crypto
> > led to security breaches.
> >
> > Intrusion Detection by Becky Bace. Part of the same Macmillan
> > Technical Series that Carlisle Adams' PKI book belongs to.
> >
> > > Digital Evidence and Computer Crime by Eoghan Casey
> > >
> > > Securing Windows NT/2000 Servers for the Internet: A checklist for
> > > system administrators - O'Reilly
> > >
> > > Practical Unix and Internet Security - O'Reilly
> > >
> > > TCP/IP Network Administration - O'Reilly Books
> > >
> > > TCP/IP Illustrated, Volume 1: The Protocols (Addison-Wesley
> > > Professional Computing Series)
> > > by W. Richard Stevens
> > >
> > > Secrets and Lies: Digital Security in a Networked World
> > > By Bruce Schneier
> > >
> > > Hacking Exposed: Network Security Secrets & Solutions, Second
> > > Edition
> > > By Joel Scambray, Stuart McClure, George Kurtz
> > >
> > > Information Security Management Handbook 2001
> > > by Harold F. Tipton and Micki Krause
> > >
> > > Hack Proofing Your Network: Internet Tradecraft
> > > By Syngress Media - Ryan Russell
> > >
> > > CyberShock: Surviving Hackers, Phreakers, Identity Thieves,
> > > Internet Terrorists and Weapons of Mass Disruption
> > > By Winn Schwartau
> > >
> > > Maximum Security: A Hacker's Guide to Protecting Your Internet
> > > Site and Network, Second Edition
> > > -- http://www.ods.com.ua/win/eng/security/Max_Security/
> > >
> > > The Code Book: The Science of Secrecy from Ancient Egypt to
> > > Quantum Cryptography
> > > By Simon Singh
> > >
> > > Information Security: Protecting the Global Empire
> > > By Donald Pipkin
> > >
> > > Intrusion Detection - An Analyst's Guide, 2nd edition
> > > By Stephen Northcutt
> > >
> > > Security in Computing
> > > By Charles Pfleeger
> > >
> > > Cryptography and Network Security - Principles and Practice
> > > By William Stallings
> > >
> > > Internet Security Protocols: Protecting IP Traffic
> > > By Uyless D. Black
> > >
> > > Internetworking Technologies Handbook, Second Edition
> > > By Merilee Ford, H. Kim Lew, et al.
> > >
> > > Advanced Programming in the UNIX Environment
> > > By W. Richard Stevens
> > >
> > > Sun Tzu
> > > http://www.clas.ufl.edu/users/gthursby/taoism/suntext.htm
> > >
> > > Websites:
> > >
> > > http://www.sans.org
> > > http://www.securityfocus.com
> > > http://jackmccarthy.com/security
> > >
> > > CERT Coordination Center http://www.cert.org/
> > > Forum of Incident Response and Security Teams
> > > http://www.first.org/team-info/
> > > (List of major companies' and countries' CERT teams)
> > > National Infrastructure Protection Center (FBI) http://www.nipc.gov
> > > SANS http://www.sans.org
> > >
> > > http://staff.washington.edu/dittrich/talks/blackhat/blackhat/forensics.html
> > > Basic Steps in Forensic Analysis of Unix Systems - Introduction
> > >
> > > Searching and Seizing Computers and Obtaining Electronic Evidence in
> > > Criminal Investigations
> > > http://www.cybercrime.gov/searching.html#FED_GUID
> > >
> > > The Computer Crime and Intellectual Property Section's List of Relevant
> > > Web Sites
> > > http://www.cybercrime.gov/links.html
> > >
> > > IACIS is an international volunteer non-profit corporation composed of
> > > law enforcement professionals dedicated to education in the field of
> > > forensic computer science
> > > http://www.cops.org/
> > >
> > > The High Technology Crime Investigation Association (HTCIA) is designed
> > > to encourage, promote, aid and effect the voluntary interchange of data,
> > > information, experience, ideas and knowledge about methods, processes,
> > > and techniques relating to investigations and security in advanced
> > > technologies among its membership
> > > http://htcia.org/index.html
> > >
> > > InfraGard program (FBI)
> > > As part of its mission, the NIPC conducts outreach and information
> > > sharing with the public and private-sector owners and operators of
> > > critical infrastructures. The InfraGard program is now an essential
> > > part of the NIPC's nationwide outreach efforts.
> > > The program establishes a mechanism
> > > for two-way information sharing about intrusion incidents and system
> > > vulnerabilities and provides a channel for the NIPC to disseminate
> > > analytical threat products to the private sector.
> > > http://www.nipc.gov/infragard/infragard.htm

If you are interested in very detailed accounts of how scientific evidence is viewed and handled in the courts I would recommend two books dealing with the topic. They tend toward the traditional forensic disciplines but the underlying relation between science and the courts is very telling.
1. Judging Science: Scientific Knowledge and the Federal Courts by Kenneth R. Foster, Peter William Huber, 1999
2. Science at the Bar: Law, Science, and Technology in America by Sheila Jasanoff
3. Legal Alchemy: The Use and Misuse of Science in the Law by David L. Faigman

<<<<<<<<< Digital Notarization

I would offer that Digital Notarization offers a neutral, third-party non-repudiation of the file hash which addresses the "when" and "what" questions you posed. Long story short, a file hash (referred to by some as a "digital fingerprint") is calculated and sent to the third-party Notary. Here, the "fingerprint" is notarized: timestamps, certificates, hash and super-hash values are created. The original forensic examiner/investigator would receive a "Notary Record" which contains the digital equivalent of a Notary Public's seal, date, and signature on a paper document. This entire process takes approximately 10 seconds per transaction and transactions may also be accumulated and submitted in batch. In cases where forensic investigators need to notarize large numbers of files such as a hard drive(s), one would properly image the drive and then proceed to digitally notarize any/all log files found therein. The company that owns the patent on this technology is Surety.com and it has been implemented in various incarnations already.
(see http://www.securityautomation.com/scorpian/dnexplanation.htm)

As far as this technology being taken to task in a court of law in the context of logs, I have been unable to determine thus far. However, I doubt very highly that it has. From what I can tell, courts have not yet grasped the need for such offers of proof... however, I believe it's only a matter of time.

******************************************
"original" computer data.
Without question, computer forensic investigators should be very familiar with Federal Rule of Evidence 1001(3), which defines what constitutes "original" computer data.

"(3) Original. An 'original' of a writing or recording is the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it. ... If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'original.'"

Under this definition, the courts require that the examiner demonstrate that the computer data being presented accurately reflects the data in the computer when that data was recovered. The definition allows for the possibility of an infinite number of "originals" if such "originals" produce an accurate visual output. Oftentimes a hard copy printout will suffice. The Federal Guidelines to Searching and Seizing Computers (http://www.cybercrime.gov/searchmanual.htm) state that "an accurate printout of computer data always satisfies the best evidence rule." However, at least one court has suggested that, in the context of e-mail, the importance of the header info and other metadata requires more than just the simple hardcopy printout of that e-mail. Thus, an incomplete printout may not be an "accurate" printout. For this reason, some prosecutors like to present screenshots directly from the computer forensic analysis to show the full context of the data in question.

The best evidence rule has been raised in the context of an entire drive image as well as an individual file. A Texas Appellate Court recently ruled that an image copy of a hard drive qualifies as an "original" for the purposes of the best evidence rule. Broderick v. State (2000) 35 S.W.3d 67.

Federal Rule of Evidence 901(b)(9) is another important rule that has been cited to support the authenticity of recovered computer evidence.
Rule 901(b)(9) provides a presumption of authenticity to "evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result."

<snip>

>From Cano

Ian McLean titled Windows 2000 Security, Little Black Books, ISBN 1-57610-387-0, is a great source of info.

- CASEY, E. (2000) Digital Evidence. Academic Press.
- STEPHENSON, P. (1999) Investigating Computer-related Crime. CRC Press.
- PFLEEGER, C. (1996) Security in Computing. Englewood Cliffs, NJ: Prentice Hall. Second Edition.
- KOVACICH, G. and BONI, W. (2000) High Technology Crime. Investigator's Handbook. Butterworth Heinemann.
- KRAUSE, M. and TIPTON, H. (1999) Handbook of Information Security Management 1999. CRC Press.
- NORTHCUTT, S. (1999) Network Intrusion Detection. An Analyst's Handbook. New Riders.
- NORTHCUTT, S. et al. (2001) Intrusion Signatures and Analysis. New Riders.
- SAMMES, J. and JENKINSON, J. A. (2000) Forensic Computing. A Practitioner's Guide. Springer Verlag.
- POWER, R. (2000) Tangled Web. Tales of Digital Crime from the Shadows of Cyberspace. QUE Corporation.
- PARKER, D. (1998) Fighting Computer Crime. John Wiley & Sons.
- SHAW, P. (1998) Legal and Security Risks in Computing and Communications. Butterworth Heinemann.
- BOLOGNA, J. and SHAW, P. (2000) Avoiding Cyberfraud in Small Business. Wiley & Sons.
- WRIGHT, M. (1998) The Need for Information Security Education. Computer Fraud & Security.
- BOHM, N. (2000) How Strong Do Platforms Need to Be from a Legal Perspective? Information Security Technical Report. Vol. 5, No. 1.
- JOHNSON, J. (2000) The Joy of Incident Handling Response Process. Securityportal.com. May 15.
- Scientific Working Group on Digital Evidence (SWGDE). (2000) Digital Evidence: Standards and Principles. Forensic Science Communications. April. Vol. 2, No. 2.
- ARMSTRONG, I. (2000) Computer Forensic. Secure Computing Magazine. April.
- SIGFRIED, K. (2000) Electronic Forensic. Securityportal.com. May 8.
- SCHNEIER, B. (2000) Secure Logs. http://www.counterpane.com/secure-logs.html

Internet Sites:
- ftp://ftp.net.ohio-state.edu/users/romig/other-papers/intrusion%20investigation.doc - Byron Collie's paper about intrusion investigation.
- http://www.forensic-computing.com - International Journal of Forensic Computing
- http://www.fbi.gov/programs/lab/fsc/current/index.htm - Forensic Science Communications
- http://www.sans.org/y2k/finding.htm - Finding listening processes under NT with Inzider.
- http://www.washington.edu/People/dad - David Dittrich's page.
- http://www.forensic.to/forensic.html - Zeno's Forensics Site
- http://haven.ios.com/~nyrc/homepage.html - Reddy's Forensics Home Page
- http://www.fsu.edu/~crimdo/misc.html - FSU Criminology Page
- www.incident-response.org - Incident Response International Association
- http://www.gocsi.com - Computer Security Institute
- http://www.acfe.org - Assoc. of Certified Fraud Examiners
- http://www.icsa.com - International Information Systems Security Assoc.
- http://www.htcia.org - High Technology Crime Investigation Assoc.
- http://www.cops.org - International Assoc. of Computer Investigative Specialists (IACIS)
- http://www.isaca.org - CISA
- http://www.isc2.org - CISSP
- http://www.sans.org
- http://www.cert.org
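The Digital Notarization paragraph above describes a sequence (file hash, batch "super-hash", timestamp, sealed "Notary Record", later verification) without showing what the record looks like. The following is an added illustrative model, written for this page; it is not Surety's scheme, nor code from any poster, and it does not claim to match any product. It assumes a notary seal made with an HMAC over a key only the notary holds, and constructed sample log lines; a real notary would sign with a private key whose certificate lets anyone verify the seal.

```python
"""Illustrative model of hash-based digital notarization of forensic files.

Added example (not from the original post). Assumptions, labelled here and
in the lead-in: the notary's seal is an HMAC-SHA256 under a key only the
notary holds (stand-in for a certificate-backed signature), the timestamp is
whatever the notary asserts, and the sample log lines are constructed.
"""
import hashlib
import hmac
import json


def fingerprint(data: bytes) -> str:
    """The per-file 'digital fingerprint': a SHA-256 hex digest."""
    return hashlib.sha256(data).hexdigest()


def super_hash(fingerprints) -> str:
    """Batch 'super-hash': hash of the sorted, concatenated file hashes.

    Sorting makes the value independent of submission order, so a batch
    can be re-derived later from the list of fingerprints alone.
    """
    h = hashlib.sha256()
    for fp in sorted(fingerprints):
        h.update(bytes.fromhex(fp))
    return h.hexdigest()


def _canonical(fields: dict) -> bytes:
    # Canonical JSON so examiner and notary seal/verify identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def notarize(fingerprints, notary_key: bytes, timestamp: str) -> dict:
    """Notary side: bind fingerprints + super-hash + time under a seal.

    notary_key is an assumption standing in for the notary's signing key.
    """
    record = {
        "timestamp": timestamp,
        "fingerprints": sorted(fingerprints),
        "super_hash": super_hash(fingerprints),
    }
    record["seal"] = hmac.new(notary_key, _canonical(record),
                              hashlib.sha256).hexdigest()
    return record


def verify_record(record: dict, notary_key: bytes) -> bool:
    """Check the seal over everything except the seal, then the super-hash.

    A forged timestamp or an edited fingerprint list changes the canonical
    bytes and so fails the seal check; a record whose fingerprints were
    swapped by someone who could re-seal still fails the super-hash check
    only if they forgot to recompute it, so both checks are kept.
    """
    body = {k: v for k, v in record.items() if k != "seal"}
    expected = hmac.new(notary_key, _canonical(body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("seal", "")):
        return False
    return record["super_hash"] == super_hash(record["fingerprints"])


def file_still_matches(data: bytes, record: dict) -> bool:
    """Examiner side, later: does this file's hash appear in the record?"""
    return fingerprint(data) in record["fingerprints"]


# Constructed sample log lines, standing in for files pulled from an image.
LOG_A = b"Oct  1 03:14:07 host sshd[412]: Failed password for root from 10.0.0.5 port 4022\n"
LOG_B = b"Oct  1 03:14:09 host sshd[412]: Accepted password for root from 10.0.0.5 port 4022\n"
NOTARY_KEY = b"constructed-notary-key-for-the-example"


def demo() -> dict:
    """Run the whole exchange once; returns the outcomes for inspection."""
    record = notarize([fingerprint(LOG_A), fingerprint(LOG_B)],
                      NOTARY_KEY, "2001-10-01T12:00:00Z")
    forged = dict(record)
    forged["timestamp"] = "2001-09-01T12:00:00Z"  # backdating attempt
    return {
        "record_valid": verify_record(record, NOTARY_KEY),
        "log_a_matches": file_still_matches(LOG_A, record),
        "edited_log_matches": file_still_matches(LOG_A + b"x", record),
        "forged_time_valid": verify_record(forged, NOTARY_KEY),
        "wrong_key_valid": verify_record(record, b"some-other-key"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practitioner caveats follow from the code. First, the record proves only that the notary saw these hashes at the asserted time; it says nothing about when the log was written, so the examiner still images the drive first and hashes the files from the image, as the paragraph says. Second, because an HMAC can only be checked by whoever holds the key, a court-facing scheme needs a signature verifiable against the notary's certificate, which is what the "certificates" in the paragraph are for.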
