Index

C

C++, 172

Cable TV Privacy Act, 401

Cache corruption, 163

California Business and Professional Code, 64

Calling Line Identification, 474

Capability Maturity Model® (CMM), 44, 47

Cellular telephones, 145, 151

CERT, see Computer Emergency Response Team

CERT Coordination Center, 468, 484, 494

Certified Information Systems Auditor (CISA), 115

CGI, see Common Gateway Interface

Chain of custody schedule, 264

Change control management, 192

Chart(s)
    Critical Path Method, 12, 13
    examples, 13
    Gantt, 12, 13
    organizational, 122

Children's Online Privacy Protection Act (COPPA), 402, 404

CIA, see Confidentiality, integrity, and availability

CIDR, see Classless Inter-Domain Routing

CIRT
    ad hoc, 327
    commercial, 325
    communications, 329
    development life cycle, 339
    funding, 328
    in-house, 326
    management skills, 334
    people skills, 335
    requirements, 327
    success metrics, 338

CISA, see Certified Information Systems Auditor

Civil suits, 374
    civil discovery, 376
    civil processes, 375
    e-mail discovery, 376
    federal laws applicable to computer-related crimes, 378
    plaintiff's burden of proof, 375

Classless Inter-Domain Routing (CIDR), 238, 239

Classroom training sessions, 51

CLI, see Command line interface

CMM, see Capability Maturity Model®

CMOS, see Complementary Metal Oxide Semiconductor

Coaching, 18

COBIT, 133

Code of ethics and conduct, auditor, 115

Code Red worm, 329

Cold sites, 30

Cold telephone calls, 67

Command line interface (CLI), 293

Command post (CP), 233

Common Gateway Interface (CGI), 23, 138
    output, 201
    scanner, Perl-based, 200
    vulnerabilities, 199

Common Vulnerabilities and Exposures (CVE), 136, 137, 186, 202

Communications sub-team, 36

Company assets, laws affecting protection of, 8, 9

Complementary Metal Oxide Semiconductor (CMOS), 272

Computer
    crime, cost of, 357
    Crime and Security Survey, 230
    Emergency Response Team (CERT), 1
    evidence, examination of, 262
    forensics examiners, 81
    intrusions, 258
    names, 1
    Security Incident Response Teams (CSIRTs), 484

Computer Security Institute (CSI), 2, 229

Computer Security Resource Clearinghouse, 496

Confidentiality, 471
    attorney-client, 64
    auditor, 115
    integrity, and availability (CIA), 26, 154

Consultant procedures, 88

Contract language, 88

Controls
    audit trail, 158
    database
        concurrency, 157
        existence, 158

Cookie(s), 198
    caches, 297
    definition of, 226
    disabling of, 102

Cookie Pal, 198, 199

COPPA, see Children's Online Privacy Protection Act

Copyright(s), 344
    cases, criminal actions in, 345
    employee, 61
    infringement, 345
    laws, 61
    protection, 345
    sample, 62
    violation, 57

Corporate espionage, 343

Corrective controls, 117

Counterfeit goods, criminal prosecution for trafficking in, 346

CP, see Command post

CPM chart, see Critical Path Method chart

Crack, 503

Credit card
    authentication, 215
    fraud, 218

Credit-reporting agency, 400

Crime scene investigation, 250

Criminal law, 358
    allegations, 359
    appeals, 374
    computer evidence, 366
    court orders, 364
    criminal discovery, 371
    criminal plea bargains, 373
    criminal procedure, 370
    defense arguments relative to expert witnesses, 366
    electronic discovery, 372
    e-mail as evidence, 372
    expert testimony, 365
    federal legal requirements for electronic surveillance, 367
    grand juries, 360
    investigation, 359
    means of collecting electronic evidence, 367
    search warrants, 362
    sentencing, 374
    subpoenas and summons, 361
    testimony, 365
    trials, 373
    witnesses, 359

Critical assets
    damage to, 3
    definition of, 5
    management of, 112
    priority-ranked, 32
    safeguarding of, 119

Critical incident analysis, parts of, 11

Critical incident response and CIRT development, 229-340
    CIRT composition, 331-340
        CIRT development life cycle, 339-340
        CIRT management skills, 334
        CIRT success metrics, 338-339
        communication skills, 334-335
        crisis, 336
        database managers, 333
        engineers/software developers, 333
        human resources unit, 332
        incident reporting, 335-336
        IT investigative, analysis, and forensic experts, 332
        IT security officers, 333
        legal unit, 332
        people skills, 335
        public relations, 332
        response steps for legal actions, 336-338
        system owners, 333-334
        systems administrators, 333
        team skills, 334
        technical skills, 334
        telecommunications specialists, 333
    collecting evidence, 260-267
        activity log, 265
        chain of custody schedule, 264
        common mistakes when handling evidence, 263
        definition of evidence, 260-261
        evidence prioritization, 261-262
        evidence tags, 265
        examining computer evidence, 262-263
        hostile interview environments, 267
        policies and procedures, 263
        recorded statements, 266
        witness reports, 265-266
    critical incident detection, 235-260
        administrator-facilitated attacks, 258-259
        application logging, 241-242
        attack underway, 253
        business considerations before legal actions, 260
        business issues, 245
        critical incident checklist, 249
        critical incident response personnel, 247
        critical incident response tools, 246-247
        critical incident symptoms, 236
        determining response strategy, 252
        DNS, 239
        frequent backups, 242-243
        hardening servers, 242
        interviewing managers, 252
        interviewing system administrators, 251
        interviewing users, 251
        interviews, 250
        IP addresses, 238-239
        IP addressing, 237-238
        law enforcement liaison, 256-257
        law enforcement relations, 254-256
        legal issues, 245
        locating origin of denial-of-service attacks, 240
        location of attacker, 253-254
        mission statement, 247-248
        other related issues, 259
        political issues, 245-246
        resources, 240
        response to scene, 248
        response strategy, 236-237
        restoring service operations, 253
        senior manager's approval, 259
        suspicious activity reports, 256
        system map, 250
        system monitoring structure, 244-245
        system security architecture, 243-244
        time stamps, 244
        types of attacks, 257-258
        UNIX logging, 240-241
        user security training, 243
        Windows logging, 241
    critical incident management, 229-235
        command post operations, 233-235
        critical incident planning, 232-233
        critical incident response, 230-231
        critical incident response strategy, 231-232
        firefighter response model, 231
    evidence examination, 296-307
        autocomplete entries in registry, 299-300
        changing user passwords, 298-299
        chronology of events, 307
        cracking user passwords, 299
        evidence on Windows operating systems, 296-297
        going native, 298
        good places for evidence, 300
        legal cautions, 307
        logical file review in Windows, 297-298
        looking at relevant files, 306-307
        looking for specific words, 306
        looking at Windows registry, 299
        offline log reviews, 305-306
        partitions, 302
        partition status, 302-303
        password-protected and encrypted files, 303
        print spooler files, 303-304
        recycle bin, 300-302
        Windows NT logging, 304-305
    forensic investigation, 285-293
        common e-mail headers, 292
        DOS-based operating systems file deletions, 287-288
        e-mail with firewall headers, 290-291
        e-mail processing, 288-290
        file slack and free space, 287
        networking review, 292-293
        network resources, 292
        physical level search, 286-287
        reading e-mail headers, 288
        relaying, 291-292
    forming critical incident response team, 324-331
        added CIRT responsibilities, 328
        ad hoc CIRTs, 327
        CIRT, 325
        CIRT communications, 329-330
        CIRT funding, 328-329
        CIRT requirements and roles, 327
        developing critical incident cost analyses, 330-331
        people supported by CIRT, 329
        using in-house talent, 326-327
        using outside consultants, 325-326
    malicious code attacks, 315-324
        anonymous remailers, 323-324
        digital bloodhounds, 317-318
        domain registration payments, 322
        Dynamic Host Configuration Protocol (DHCP) tracing, 320-321
        investigating identity of attacker, 321-322
        IP addresses, 318
        nicks and monikers, 322-323
        resolving IP addresses, 318-319
        things to do after, 317
        trace route, 319-320
        Trojan horses and logic bombs, 316-317
        viruses, 315-316
    performing forensic duplication, 267-285
        attaching hard drive, 271
        BIOS, 271-272
        BIOS passwords, 272-274
        boot disk, 282, 283
        different approaches to media duplication, 269-270
        disabling DRVSPACE.BIN, 283-284
        EnCase, 285
        forensically sound duplication tools, 281
        forensic media duplication tools, 281
        hard disk construction, 274-275
        information hiding in Windows FAT, 278
        physical write blockers, 284
        Power-On Self Test, 272
        producing hash values, 281-282
        relative addressing, 275-276
        removing target hard drive, 270-271
        steps to follow when collecting evidence, 268-269
        undeleting in Windows-based operating systems, 277-278
        UNIX dd commands, 285
        UNIX file system, 279-280
        using SafeBack in forensic duplications, 284-285
        Windows DOS-based file allocation table, 276-277
        Windows NT file system, 278-279
    responding to Windows NT incidents, 293-296
        collecting volatile live-time evidence, 296
        data storage, 293-294
        open ports and listening services, 295
        processes running on target computer, 295-296
        responders turned off, 294
        system users, 294
        tools in tool bag, 293
    UNIX-based investigations, 307-315
        baseline comparison for SUID/SGID files, 314
        Coroner's Toolkit, 309-310
        data hiding techniques, 309
        file recovery alternatives for UNIX/Linux, 312
        file stamps, 312-314
        hiding files, 310-311
        log files, 314-315
        steganography, 311
        strong encrypted protections, 312
        system configuration, 314
        undeleting UNIX, 308
        understanding file permissions, 312
        UNIX file system analysis, 307-308
        user and password accounts, 314

Critical Incident Response Team, 153

Critical Path Method (CPM) chart, 12, 13

CRM, see Customer Resource Management

Crying wolf, 232

Cryptography, 468

CSI, see Computer Security Institute

CSIRTs, see Computer Security Incident Response Teams

Customer Resource Management (CRM), 52

CVE, see Common Vulnerabilities and Exposures

Cybersquatters, 349



Critical Incident Management
ISBN: 084930010X
Year: 2004