Hacking Exposed, Computer Forensic (Second Edition) by Aaron Philip, David Cowen and Chris Davis (2010).
Finished. Big book, lots of words…
Few interesting places:
White Hat intruders use known Black Hat techniques to perform covert investigation:
- Minimize the number of simultaneous operations to minimize system resource usage. For example, don’t perform a keyword search, file signature analysis, and hash analysis all at the same time.
- Give the remote investigative agent an operating system–friendly name such as svchost.exe and run it from the system directory, or in the case of Paraben Enterprise, choose Secure Mode.
- If your organization uses personal firewalls, make sure a standard policy is in place to allow inbound connections from the examiner’s machine. Otherwise, the subject could be alerted by the firewall that somebody is trying to connect to his or her system.
- Ensure that the remote investigative agent does not leave any events in the event logs, because many savvy users check them regularly.
- Minimize the number of people who know about the investigation to reduce the risk of the subject finding out accidentally or intentionally that he or she is being investigated.
-To keep from alerting the subject, try to use an agent that runs as a system service each time the machine is started. That way, you aren’t required to connect to the remote machine and start the service before beginning the examination.
-For sensitive cases, conduct the investigation during the evening when the suspect is most likely not at his or her machine.
- Time the investigation for periods when the subject expects a lot of hard drive activity, such as during regular antivirus scans or recent security vulnerability announcements.
- Search only the data that is relevant to the case. For instance, if you are looking for documents, narrow your search to specific areas and data types.
- Determine whether the target machine is a laptop or desktop machine. If the suspect is using a laptop, sustained hard drive activity can alert him or her to the investigation.
- Be patient and don’t rush the investigation; if necessary, break it up into several phases.
Well, the only difference between good and bad is piece of paper, sighned by employer?
New for me was UserAssist service and additional logging options:
Use UserAssist log to review user activity (in NTUSER.DAT):
Encrypted with ROT13 (Caesar cipher) – letter +13 next alphabetic symbols. store all major user activity.
One of most frustrating part of book is Chapter 9 – Defeating Anti-Forensics.
I was expecting a lot of elite technics for anti-forensics defeating, but it was quite regular – use backups, restored files and in case You got any PGP traces – just leave it – “You have nothing to do with it“.
And another sentence: “Increasing globalization and the spread of capitalism has brought about a new day in malicious hacking, where threats no longer involve the kid in the basement, but organized, multinational corporations and crime syndicates that have one goal in mind: to use technology to defraud the western society.” (page 454). Oooooo, poor western [censored] – everyone “have in mind” to offend you…
Anyway, based on book recommendations I created some anti-forensics manual, now I will fill it with tools and examples and add here to.
BTW – for those who work in US – all Lawyers part of book should be quite interesting.