publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
ISBN: 978-0-07-183155-0
MHID: 0-07-183155-X
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-183156-7, MHID: 0-07-183156-8.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
All trademarks or copyrights mentioned herein are the possession of their respective owners and McGraw-Hill Education makes no claim of ownership by the mention of products that contain these marks.
Figure 4-2 courtesy of ErrantX
Figure 6-3 courtesy of Evan-Amos with permission granted under the terms of the Creative Commons Attribution-Share Alike 3.0 Unported license, http://creativecommons.org/licenses/by-sa/3.0/legalcode
Figure 10-6 courtesy of Viljo Viitanen
Figure 11-5 courtesy of Ale2006-from-en with permission granted under the terms of the Creative Commons Attribution-Share Alike 3.0 Unported license, https://creativecommons.org/licenses/by-sa/3.0/legalcode
believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” MCGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
This book is dedicated to my wife, Helyn Pultz.
analysis, and advanced analysis and forensics. He has written and contributed to several technical training books, as well as continued to develop graduate-level courses in network security, secure software development, software security testing, and securing virtualized and cloud infrastructures. Charles has taught at several colleges and technical institutes in the Greater Boston area, and currently teaches at Brandeis University in the Rabb School/GPS MSIS program, as well

accreditation efforts. He retired after 21 years in the United States Air Force, serving as a network security engineer and instructor, and has secured networks all over the world. Bobby has a master’s degree in information assurance (IA), and is pursuing a doctoral degree in IA from Capitol College, Maryland. His many certifications include CompTIA A+, CompTIA Network+, CompTIA Security+, and CompTIA Mobility+ certifications, as well as CISSP-ISSEP, CEH, and MCSE: Security.
Acknowledgments
Introduction

Chapter 1 Computer Forensics Today
  So What Is This Computer Forensics Business Anyway?
  The History of Computer Forensics
  Objectives and Benefits
  Corporate vs. Criminal Investigations
  The Forensics Investigator
  Chapter Review
    Questions
    Answers
    References

Chapter 2 The Nature of Digital Evidence
  What Is Digital Evidence?
  Anti-Digital Forensics
  Locard’s Exchange Principle
  Federal Rules of Evidence (FRE)
  Computer-Generated vs. Computer-Stored Records
  Essential Data
  Best Evidence
  International Principles of Computer Evidence
  International Organization on Computer Evidence
  Scientific Working Group on Digital Evidence
  Evidence Collection
  Consider a Scenario
  Exculpatory Evidence
  Chapter Review
    Questions
    Answers
    References

Chapter 3 The Investigation Process
  The Process Is Key
  Overview
  Before the Investigation
  Preparing the Investigation
  Seizing the Evidence
  Analyzing the Evidence
  Reporting and Testifying
  Chapter Review
    Questions
    Answers
    References

Chapter 4 Computer Forensics Labs
  What Services Are You Offering?
  Staffing Requirements and Planning
  Becoming Certified
  Setting Up Your Lab
  Physical Location Needs
  Software Requirements
  Hardware Requirements
  Field Tools
    Questions
    Answers
    References

Chapter 5 Getting the Goods
  Searching and Seizing Computers
  Is Your Search and Seizure Unwarranted?
  You Have a Warrant
  Electronic Surveillance
  Post-seizure Issues
  First Responder Procedures
  First on the Scene
  Managing the Crime Scene
  Collecting and Transporting the Evidence
  Collecting and Preserving Electronic Evidence
  The Crime Scene Report
  A Checklist for First Responders
  Data Acquisition and Duplication
  Data Acquisition: A Definition
  Static vs. Live Acquisition
  Validating the Acquisition
  Acquisition Issues: SSDs, RAID, and Cloud
  Concepts in Practice: Data Acquisition Software and Tools
  Chapter Review
    Questions
    Answers
    References

  Disk Drives and File Systems
  Everything You Wanted to Know About Disk Drives
  File Systems
  Getting the Boot
  Booting from a Live CD
  Recovering Deleted Files and Partitions
  Recovering Disk Partitions
  Recovering File Systems and Files
  Theory into Practice: File and Partition Recovery Tools
  Steganography and Graphics File Formats
  Graphics Files
  Steganography
  Theory into Practice: Graphics File Tools and Steganography Detection Tools
  Chapter Review
    Questions
    Answers
    References

Chapter 7 Windows Forensics
  Windows Forensics Analysis
  Live Investigations: Volatile Information
  Live Investigations: Nonvolatile Information
  Forensic Investigation of a Windows System
  Windows Log Analysis
  Windows Password Storage
  Theory into Practice: Forensics Tools for Windows
  Cracking Passwords
  Passwords: The Good, the Bad, and the Ugly
  Password-Cracking Types
    Questions
    Answers
    References

Chapter 8 Forensic Investigations
  Forensic Investigations
  Installation and Configuration
  Creating the Case and Adding Data
  Analyzing the Data
  Generating the Report
  Choosing the Proper Forensic Software
  Forensic Investigations Using FTK
  Installation and Configuration
  Creating the Case and Adding Data
  Analyzing the Data
  Generating the Report
  Forensic Investigations Using EnCase
  Installation and Configuration
  Creating the Case and Adding Data
  Analyzing the Data

Chapter 9 Network Forensics
  Investigating Network Traffic
  Network Forensics: Attack and Defend
  Network Security Monitoring
  Theory into Practice: Network Forensic Tools
  Network Forensics and Wireless Networks
  What’s Different About Wireless?
  The Saga of Wireless Encryption
  Investigating Wireless Attacks
  Theory into Practice: Wireless Forensic Tools
  Log Capturing and Event Correlation
  Logs, Logs, Logs
  Legal Issues and Logging
  Synchronizing Time
  SIM, SEM, SIEM—Everybody Wants One
  Theory into Practice: Log Capturing and Analysis Tools
  Chapter Review
    Questions
    Answers
    References

Chapter 10 Mobile Forensics
  Cellular Networks
  Cellular Data
  Mobile Devices
  PDAs
  Plain Ol’ Cell Phones
  Music Players (Personal Entertainment Devices)
  Smart Phones
  Tablets and Phablets
  Challenges in Mobile Forensics
  Precautions to Take Before Investigating
  The Process in Mobile Forensics
  Theory into Practice: Mobile Forensic Tools
  Chapter Review
    Questions
    Answers
    References

Chapter 11 Attacking Applications
  Web-based Attacks
  Web Applications: A Definition
  Mounting the Attack
  Web Applications: Attack and Defend
  Web Tools
  Follow the Logs
  Investigating the Breach
  E-mail Attacks
  E-mail Architecture
  E-mail Crimes
  Laws Regarding E-mail
  E-mail Headers and Message Structure
  E-mail Investigation
  Concepts in Practice: E-mail Forensic Tools
  Chapter Review
    Questions
    Answers
    References

  Can I Get a Witness?
  Technical vs. Expert Witnesses
  Pre-trial Report Preparation
  I Just Want to Testify
  Writing a Good Report
  What Makes an Effective Report?
  Documenting the Case
  Theory into Practice: Generating a Report
  Do’s and Don’ts for a DFI
  Resting the Case
  Chapter Review
    Questions
    Answers
    References

Appendix A Acronyms

Appendix B About the Download
  System Requirements
  Installing and Running Total Tester
  About Total Tester
  Technical Support

Glossary

Index
First of all, thanks to Carole Jelen, my literary agent at Waterside Productions, for putting me in contact with Meghan Manfre, my acquisitions editor at McGraw-Hill Education, and to Meghan for getting this process started and bringing me up to speed. Mary Demery, my acquisitions coordinator, kept me on the straight and narrow and offered guidance and encouragement throughout the project. Thanks as well to Raghavi Khullar, associate project manager at Cenveo Publisher Services, who shepherded this book through copy editing and production, and to Lisa McCoy for copy editing the manuscript and making my tortured prose less so. I’m sure that there are others at McGraw-Hill Education who have worked on this book, and I thank them for their contributions as well.

A huge measure of thanks is due to my technical editor, Bobby Rogers. Bobby provided a wealth of constructive criticism and suggestions on how to improve the material, as well as pointing out areas that I needed to clarify and expand. The book is better because of his contributions, and I’m a better writer for having worked with him. I won’t forget the three-sentences rule!

A nod and a tip of the hat to my friend and colleague, Ric Messier, for commentary, perspective, and “talking the talk and walking the walk” when it comes to digital forensics.

Finally, all credit goes to my beautiful and talented wife, Helyn Pultz, for encouragement, speaking the truth to me with love, and understanding when I vanished upstairs to my office in the evening for too many nights in a row. This book would not have been possible without her love and support.
Congratulations! By picking up this book, thumbing through it, and starting to read the introduction, you’ve taken your first step toward a deeper understanding of computer (digital) forensics, and perhaps a career in this field. Before we dive into the details, I want to make one thing clear. This book will help you pass your test. It will help you do so by teaching you what you need to know to pass this certification exam. It will not tell you how to pass the certification exam. To be blunt, this book alone will not allow you to pass this exam; no single source could. You’ll need to supplement this book with other texts that deal with digital forensics, Internet research, and getting some hands-on practice by downloading some of the software mentioned in this book and experimenting with it.
How to Use This Book
This book covers the exam objectives for EC-Council’s Computer Hacking Forensic Investigator (CHFI) v8 certification examination. Each chapter covers specific objectives and details for the exam. EC-Council has defined 22 areas of study for this exam, and the book is divided into 12 chapters. I’ve consolidated certain areas where they made sense to me. For example, the last chapter in the book covers the objectives for writing a report and for acting as an expert witness. If you’re engaged as an expert witness, you are going to need to write a report.
Each chapter has several features designed to communicate effectively the information you’ll need to know for the exam:

• The Certification Objectives covered in each chapter are listed first. These identify the major topics within the chapter, and help you to map out your study. Since several chapters cover information in multiple areas, some of the objectives have been combined into a single sentence. Fear not: The information is there.

• Sidebars are included in each chapter and are designed to point out information, tips, and stories that will be helpful in your day-to-day responsibilities:

• Exam Tips are exactly what they sound like. These are included to point

• Specially called out Notes are part of each chapter too. These interesting tidbits of information are relevant to the discussion and point out extra information. Don’t discount them.
in more detail, from the initial involvement with a case through writing a report and perhaps acting as a witness. Along the way, the book covers what I think of as “traditional” forensics, including evidence acquisition from disk drives and computer memory. The book also covers forensics as applied to other digital communications, including mobile devices, network-based attack and defense, and attacks against e-mail and web-based applications.
The Intended Audience
There are a couple of groups of people who will benefit from this book. The first are people who are interested in having a career in the field of digital forensics, or are just interested in the topic. Unfortunately, this book doesn’t provide all the information that you need to start your career. EC-Council recommends that people who wish to obtain this certification should have already obtained the Certified Ethical Hacker (CEH) certification. This book assumes that you have a background in how computers are actually built (CPU, memory, persistent storage, and so on) and that you have some familiarity with current operating systems such as Linux, Microsoft Windows, Mac OS X, and Oracle Solaris. Without this background, I think you’ll find this book rather tough sledding. Remember, though, that I wrote this book for beginners in the field of digital forensics, so you will gain valuable information from reading this book.

The second group of people who will benefit from this book are those who have this basic knowledge already, as well as some knowledge and experience in the material covered in the CEH certification (the CEH Certified Ethical Hacker All-in-One Exam Guide is a good place to start). These folks may be looking for a career change or simply expanding their knowledge and expertise. If you’re

You may also encounter a set of certifications and tools that are reserved for people in law enforcement. Frankly, there are elements of digital forensics that you will probably never get to do unless you are in law enforcement. However, the principles and processes that we cover in this book are appropriate for those of you who will be involved in incident response or internal investigations, since forensics techniques and technology are increasingly a part of incident response.
The Examination
Before you take that next step in your career, you need to pass the CHFI certification examination. Passing this exam is complicated because of the breadth of the material covered (EC-Council lists 22 different subject areas). Nevertheless, take heart! This book will help you gain the knowledge needed for you to pass the exam. Read on!
Exam Details
The exam itself is computer-based and contains 150 multiple-choice questions with a few true/false questions thrown in. You have four hours to complete the exam. That’s a little under 40 questions an hour, or roughly 1 question every minute and 30 seconds. Go ahead, take a deep breath, and count from 1 to 90 slowly (one thousand one, one thousand two…). That’s how long you could spend on every question and still complete the exam in the allotted time. Since there are some questions you can answer immediately, within five seconds or so, you don’t need to worry about running out of time. A passing score for the exam is 70 percent. For the mathematically inclined, that means that you need to answer 105 questions correctly to pass. Not quite as daunting as 150 questions, is it?

You will need to register for the exam at the EC-Council web site (www.eccouncil.org). The first step in the process is to apply to actually take the exam. Once you’ve been approved, you can purchase an exam voucher at the EC-Council online store, after which you can schedule your exam at a Prometric or VUE testing center.
Preparing for the Exam
I want to be very clear about this. This book will help you pass the exam. It will provide you with information you need to know to pass your exam, but it will not give you all the information and experience you need to pass the exam. Instead, it should help point you toward areas where you need more study or background. Take the practice exams, available for download. EC-Council also offers an online assessment that will give you a feel for the actual exam. Be tough on yourself while practicing with these exams. If you get a question right and you guessed the answer, you need to know what the correct answer is and why the other answers aren’t correct.
Exam Strategies
I’ve sat for a number of examinations, and I’ve developed a personal strategy that works for me. First, arrive early for the examination. Take a bio break and drink some water. Get loose. Walk around, shake your fingers, do whatever you like to do and need to do to loosen up. Don’t try to cram until the last minute. If you have a “cheat sheet” (a quick summary of important points), review that. A school of thought says you’ll remember the last thing you put into your head. Your moment of exam Zen: Remember everything and nothing. For most tests, you’ll be provided with an erasable pad and a marking pen. If you need to write down some information, write it on the pad before you even start the exam. This can save you time later and increase your accuracy, since you won’t have to rack your brains trying to remember details after you’ve been staring at a computer screen for an hour or so.

While you’re taking the exam, answer the question if you can. If you’re in doubt, mark the question and skip it. The answer may come to you as you proceed, or another question later in the exam may jog your memory or start you thinking in the right direction. Make sure that you read the question and all of the answer choices! If you choose the first answer choice that “looks right,” you may ignore a better answer choice following it.

After you’ve completed 30 questions or so, force yourself to stop, relax, take

When you’ve completed the exam, take a minute or three to relax before you start reviewing the questions you’ve marked. Then go back and look at the questions you marked. If you’re still unclear, leave the question marked and proceed to the next question you’ve marked. If you can eliminate one or two of the answer choices, you’ll have a better chance of narrowing the choice between the other two. As far as I know, there is no penalty for wrong answers, so, if worse comes to worst, choose the answer that “feels” correct. Remember, everything you read or studied in the course of preparing for this exam is stored in your memory, and although you may not be able to recall it, you may do so subliminally—the answer just “feels right” or “looks right.” Trust me: It works. When you’ve answered the question, unmark it. Repeat until you have no marked questions, you run out of time, or you can’t stand to look at the screen any longer.

Thank you for picking up this book and reading. I truly hope that this book will help you along your career path, as well as helping you fulfill your dreams and ambitions. Digital forensics is a fascinating, constantly changing, constantly challenging endeavor. You may become frustrated, but you won’t be bored! The work that you do can help catch the bad guys and exonerate the good guys. Moreover, at the end of the day, that’s not such a bad way to occupy your time.
Objective Map
The following table has been constructed to allow you to cross-reference the official exam objectives with the objectives as they are presented and covered in this book. References have been provided for the objective exactly as the exam vendor presents it, the section of the exam guide that covers that objective, and a chapter and page reference.
CHFI v8 312-49
increasingly widespread in the data center, with businesses reporting that over 50 percent of their servers are virtualized. Advances in virtualization technologies have enabled Cloud (with a capital C) computing, the ability for vendors to offer software (SaaS), platform (PaaS), or infrastructure (IaaS) as a service. Amazon introduced its Amazon Web Services (AWS) in 2006; today, anyone with a credit card can rent a high-powered Amazon virtual machine, launched from an Amazon Machine Image (AMI), and you pay based on use. Microsoft’s BitLocker software (full disk encryption) was available in the Ultimate and Enterprise versions of Vista and continues in Windows 7 and Windows 8. All of the things I’ve mentioned represent profound changes as to how we practice computer forensics. Interesting times, indeed.
So What Is This Computer Forensics Business Anyway?
forensics had been going on long before the UNIVAC 1101 ever saw the light of day. The actual scientific discipline of forensics has existed for a long, long time and has multiple areas of practice, while computer forensics is relatively new. Today, computer forensics is a subset of the larger category of digital forensics that also includes forensic data analysis, database forensics, network forensics, mobile device forensics, and video and audio forensics. We’ll be covering four out of the seven topics listed here in upcoming chapters.

For the purposes of this book, we’ll define computer forensics as “the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.”1
One of the many complexities of computer forensics is determining the role of the computer in the particular incident we’re considering. A computer can play one of two roles: a tool that was used to support the activity we’re

identical

There is a third aspect regarding how a computer might be used in the commission of a crime. We can view the computer itself as a digital crime scene, containing evidence that helps us determine when and how the attack took place (as well as the who, the what, and maybe the why).
The History of Computer Forensics
When it comes to computer forensics, separating the legal from the technical can be difficult. Technical advances alter the kinds of evidence we can collect; changes in laws affect how we collect that evidence and whether that evidence will be admissible.
Technical
In the beginning, there was forensics. Table 1-1 shows a much-abbreviated set of significant dates from a technical perspective. Forensics has been around for a long, long time in many different areas.

Forensics: Investigation Procedures and Responses (MA: Cengage, 2010), p. 1:2.)
One of the most significant developments in forensics was a principle formulated by Edmond Locard, who built the first police laboratory in Lyon, France, in 1910. His principle was succinct: “Every contact leaves a trace.” Practically, this means that the criminal always leaves some bit of evidence at the crime scene and always takes some bit of evidence from the crime scene, no matter how small. Consider the following description of fiber analysis:

Cross-transfers of fiber often occur in cases in which there is person-to-person contact, and investigators hope that fiber traceable back to the offender can be found at the crime scene, as well as vice versa. Success in solving the crime often hinges on the ability to narrow the sources for the type of fiber found.2

So there it is. Physical actions leave physical evidence in the physical world; digital actions leave digital evidence in the digital world (cyberspace), as we will see in later chapters.
NOTE I sometimes think of this as the “Tommy Boy” principle from the movie of the same name. In it, Chris Farley plays Tommy, a character who is

“OWWW! %^&*@#!! That’s going to leave a mark!”
Although there were advancements in forensics techniques in the early years of the 20th century, it wasn’t until 1932 that the Federal Bureau of Investigation (FBI) set up a laboratory to provide general forensic services. As we can see from Table 1-1, formal recognition at the national level of the importance of forensic examinations of computers starts in 1984, when the FBI developed the Computer Analysis and Response Team (CART) to support computer forensics investigations, which was furthered by the Regional Computer Forensics
system. Access to machine memory no longer required access to the actual machine; access to a file server—whether it be network attached storage (NAS) or storage area network (SAN)—was enough.

In 2006, Amazon introduced Amazon Web Services (AWS), which included the Simple Storage Service (S3) and the Elastic Compute Cloud (EC2). Anyone within reach of a credit card could store files in Amazon’s Cloud or could rent a virtual server, launched from an Amazon Machine Image (AMI), and pay based on use and the relative power of the virtual machine (disk space, memory, CPU). Microsoft offered BitLocker (full-disk encryption) in the Ultimate and Enterprise versions of Windows Vista, thereby making full-disk encryption
In 2003, H. D. Moore and his colleagues released the original Metasploit framework. What is more significant for us is the incorporation of Vincent Liu’s Timestomp program into that distribution around 2005. Timestomp is an antiforensics program that overwrites the MACE file system attributes—the time
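The following Python script is an added example of what timestamp stomping looks like from both sides, and is not code from this book or from Timestomp itself. On NTFS the four MACE values are Modified, Accessed, Created, and MFT Entry modified; POSIX exposes only the first two through os.utime, so the script back-dates those two on a constructed temporary file and then applies a common examiner’s heuristic: a stomping tool that accepts a human-readable date writes whole seconds, leaving a sub-second part of exactly zero, whereas NTFS (100 ns) and ext4/xfs (1 ns) almost never record an exact .000000000 on their own. The temp file, its “normal” timestamps, and the stomped date are all constructed for the demonstration; the script assumes a filesystem that stores sub-second timestamps (any mainstream Linux filesystem; FAT does not).

```python
"""Timestamp stomping and a whole-second detection heuristic (added example)."""
import os
import tempfile
from datetime import datetime, timezone

NS_PER_SEC = 10**9


def set_times_ns(path: str, atime_ns: int, mtime_ns: int) -> None:
    """Write access and modification times with nanosecond precision."""
    os.utime(path, ns=(atime_ns, mtime_ns))


def stomp(path: str, when: datetime) -> None:
    """Anti-forensic step: back-date M and A to a chosen wall-clock time.

    Like a tool fed a date string, this writes whole seconds, so the
    fractional part of both timestamps becomes exactly zero.
    """
    whole_seconds_ns = int(when.timestamp()) * NS_PER_SEC
    os.utime(path, ns=(whole_seconds_ns, whole_seconds_ns))


def read_times_ns(path: str) -> dict:
    """Read the M and A timestamps back as integer nanoseconds since the epoch."""
    st = os.stat(path)
    return {"atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns}


def fractional_is_zero(ts_ns: int) -> bool:
    return ts_ns % NS_PER_SEC == 0


def stomp_indicators(times_ns: dict) -> list:
    """Names of timestamps whose sub-second part is exactly zero.

    This is a lead, not proof: files written to FAT media or extracted from
    archives that carry second-granularity timestamps trigger it legitimately,
    so corroborate with other artifacts (on NTFS, the $FILE_NAME timestamps
    and the USN journal) before concluding anything.
    """
    return [name for name, ts in times_ns.items() if fractional_is_zero(ts)]


def demo() -> tuple:
    """Create a file, give it realistic timestamps, stomp it, inspect both states."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        # Constructed "normal" timestamp: 2014-05-01T12:34:56.123456789Z
        base = datetime(2014, 5, 1, 12, 34, 56, tzinfo=timezone.utc)
        normal = int(base.timestamp()) * NS_PER_SEC + 123_456_789
        set_times_ns(path, normal, normal)
        before = stomp_indicators(read_times_ns(path))

        # Attacker back-dates the file to a constructed date: 2001-01-01T00:00:00Z
        stomp(path, datetime(2001, 1, 1, 0, 0, 0, tzinfo=timezone.utc))
        after_times = read_times_ns(path)
        after = stomp_indicators(after_times)
        return before, after, after_times["mtime_ns"]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after, mtime_ns = demo()
    print("indicators before stomp:", before)
    print("indicators after stomp:", after, "mtime_ns =", mtime_ns)
```

Run the script and the second line reports both timestamps as whole-second after the stomp. The heuristic only sees the two values POSIX lets a user change; a real examination of an NTFS volume would compare the $STANDARD_INFORMATION values that user-mode tools can rewrite against the $FILE_NAME values they normally cannot.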