Michael G. Solomon
Acquisitions and Developmental Editor:
Warren G. Kruse
Jeff Wilson, Happenstance Type-O-Rama
Richard Miller, Calyx Design
Copyright 2005 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.
Library of Congress Card Number: 2004113397
SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries.
JumpStart is a trademark of SYBEX Inc.
Screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated.
Internet screen shot(s) using Microsoft Internet Explorer 6 reprinted by permission from Microsoft Corporation.
TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer.
The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.
Manufactured in the United States of America
About the Authors
Michael G. Solomon is a full-time security speaker, consultant (http://www.solomonconsulting.com/), trainer, and a former college instructor who specializes in development and assessment security topics. As an IT professional and consultant since 1987, he has worked on projects or trained for more than 60 major companies and organizations, including EarthLink, Nike Corporation, Lucent Technologies, BellSouth, UPS, the U.S. Coast Guard, and Norrell.
From 1998 until 2001, Michael was an instructor in the Kennesaw State University's Computer Science and Information Sciences (CSIS) department, where he taught courses on software project management, C++ programming, computer organization and architecture, and data communications. Michael has an M.S. in mathematics and computer science from Emory University (1998) and a B.S. in computer science from Kennesaw State University (1987).
Michael has also contributed to various security certification books for LANWrights/iLearning, including TICSA Training Guide and an accompanying Instructor Resource Kit (Que, 2002), CISSP Study Guide (Sybex, 2003), as well as Security+ Training Guide (Que, 2003). Michael co-authored Information Security Illuminated (Jones and Bartlett, 2005), Security+ Lab Manual Exam Cram 2 (Que, 2005), and authored and provided the on-camera delivery of LearnKey's CISSP Prep e-Learning course.
Michael's certifications include Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and TruSecure ICSA Certified Security Associate (TICSA).
Diane Barrett has been involved in the IT industry since 1993. She works at Remington College where she taught in the computer networking program for two years before becoming a director. She teaches online classes that include networking, security, and virus protection, and she is the president of a security awareness corporation that specializes in training.
Diane has co-authored several security and networking books, including MCSA/MCSE 70-299 Exam Cram 2: Implementing and Administering Security in a Windows Server 2003 Network (Que, 2004) and Computer Networking Illuminated (Jones and Bartlett, 2005). She is currently volunteering for ISSA's Generally Accepted Information Security Principles Project in the ethical practices working group.
Diane's certifications include Microsoft Certified Systems Engineer (MCSE) on Windows 2000, MCSE+I on Windows NT 4.0, Certified Information Systems Security Professional (CISSP), Cisco Certified Network Associate (CCNA), A+, Network+, i-Net+, and Security+.
Neil Broom is the President of the Technical Resource Center (http://www.trcglobal.com) in Atlanta, Georgia. As a speaker, trainer, course director, and consultant in the fields of Computer Forensics, Information Assurance, and Professional Security Testing, he has over 14 years of experience providing technical education and security services to the military, law enforcement, the health care industry, financial institutions, and government agencies.
Neil is the Lead Instructor and Developer of the Computer Forensics and Cyber Investigations course and the Certified Cyber Crime Examiner (C3E) certification and provides Computer Forensics services to clients in the Metro Atlanta area and the Southeast United States.
Neil is currently the Vice President of the Atlanta Chapter of the International Information Systems Forensics Association, and he is a professional member of the National Speakers Association. His past employment includes the U.S. Navy as a submariner, the Gainesville, Florida Police Department as a law enforcement officer, and Internet Security Systems (ISS) as a security trainer.
Neil has multiple certifications including Certified Information Systems Security Professional (CISSP), Certified Computer Examiner (CCE), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), National Security Agency's INFOSEC Assessment Methodology (IAM), Microsoft Certified Systems Engineer (MCSE 4.0 and 2000), Microsoft Certified Trainer (MCT), and TruSecure ICSA Certified Security Associate (TICSA).
About the Technical Editor
Warren G. Kruse II, CISSP, CFCE, is the co-author of Computer Forensics: Incident Response Essentials, published by Addison-Wesley. Warren has conducted forensics globally in support of cases involving some of the largest law firms and corporations in the world. He is a member of the New York and European Electronic Crimes Task Forces of the U.S. Secret Service. He was elected President of the High Tech Crime Investigation Association's (www.htcia.org) 2005 International Executive Committee. Warren has extensive experience investigating cases involving the illegal use of computers and networks and received the High Tech Crime Investigation Association's (HTCIA) '2001 Case of the Year' award. He is an IACIS Certified Forensic Computer Examiner (CFCE) and an (ISC)² Certified Information Systems Security Professional (CISSP). He lectures on computer forensics for Computer Security Institute (CSI) and has taught computer forensics at the SANS Institute and MIS Training Institute. He is the lead instructor of the hands-on intro and advanced Computer Forensics Bootcamps for Computer Forensic Services, LLC. Warren is a partner at Computer Forensic Services, LLC (www.computer-forensic.com).
To my wife, best friend, and source of unyielding support, Stacey.
-Michael G. Solomon
To my dad, Gerald, who has always encouraged me to be my own person.
To my mother, thank you for always believing in me.
Anything worth doing is worth doing well, and doing anything well generally requires a lot of help. My family has helped me immensely throughout this project. Stacey, Noah, and Isaac are all great fun to be around and often serve as sounding boards. The one focal point of this book, however, is Kim Lindros at LANWrights/iLearning. She kept the project on track and worked things out regardless of what curve balls I may have sent her way. Kim deserves a huge ovation for her work to get this book into your hands. I truly appreciate the efforts of all the people at LANWrights/iLearning and Sybex to make this project a reality.
-Michael G. Solomon
Thanks to everyone at Sybex for making this book possible, especially Maureen Adams the acquisitions editor and Lori Newman the production editor. Thank you to the wonderful team at LANWrights/iLearning, especially Kim Lindros, who worked so hard behind the scenes to be sure that our work was accurate and completed in a timely fashion. To co-authors Michael Solomon and Neil Broom, thank you for the part each of you played in making this project successful. Thanks to Warren G. Kruse II, our technical reviewer, for making certain our writing was technically and procedurally sound. Finally, special thanks to my husband, Bill, for keeping a sense of humor during the hours I spent writing.
Kim Lindros, you rock! Thank you for all the support and gentle nudging you provided to keep me writing. I also wish to say thank you to the cat and kitten rescue group that I work with, www.FurKids.org. Now that the book is finished, I can return to helping save the lives of our furry little friends.