Showing posts with label The Artech House. Show all posts

Michael A. Caloyannides

Artech House

Boston • London

e-books shop
Privacy Protection & Computer Forensics
Second Edition

About the Author
Michael A. Caloyannides earned his Ph.D. at Caltech in electrical engineering,
applied mathematics, and philosophy. He worked for 13 years in the
aerospace industry as a senior technical staff member in a broad spectrum of
technologies, including missile guidance, automated fingerprint recognition,
design of a complete SIGINT system, covert communications over various
radiofrequency channels, satellite communications, and digital modem
design, for which he was awarded a U.S. patent.

He then worked in a comparably broad spectrum of areas for 14 years for
the U.S. federal government, where he was awarded the prestigious Scientist
of the Year award and the Meritorious Officer award, as well as five
separate Certificates of Exceptional Accomplishment.
He is now a senior fellow for information technologies at Mitretek Systems,
a Washington area think tank where he works on information security
issues. In his spare time he consults for NASA on deep space exploration.

He has published numerous technical documents, as well as a book,
Desktop Witness (John Wiley & Sons, 2002). He has given numerous invited
seminars and technical presentations worldwide. He is an associate editor
and regular columnist for the IEEE’s magazine Security and Privacy.
He is married with two young children and was recently diagnosed with
cancer from which he is in remission. For diversion, he flies airplanes as a
commercial-licensed multiengine pilot and scuba dives with his wife. Dr.
Caloyannides can be reached at

Legal Issues
Disclaimer: Laws obviously vary widely from one country to
another, and even within one country from one day to
another. Nothing in this section should be construed as legal
advice. The reader needing legal advice should consult a local
attorney who is specifically knowledgeable about the legal
issues surrounding electronic evidence.

Because the use of computers in general and the Internet in
particular involve the full spectrum of human activities, it is
understandable that a vast body of law and legal precedent is
evolving in connection with the use and abuse of computers
and of the Internet.

This chapter deals with two separate classes of legal issues:
1. Legal issues of interest to the user of computers with or
without the Internet;
2. Legal issues pertaining to computer crime and legal

If you give me six lines written by the most honest man, I will find something in them
to hang him.
—Cardinal Richelieu

In any country’s court of law, evidence is as compelling as—and often more
compelling than—personal testimony by a credible eyewitness.
The well-known warning given to criminal suspects in American movies
“anything you say can and will be used against you” applies to any country
and is not limited to criminal proceedings, but applies to civil litigation as
well where no such warning is given. Furthermore, what “can and will be
used against you” is not only what you say, but also what evidence can be
obtained against you.

Most every person knows only too well that evidence can—and has
often been—planted, manufactured, or simply taken selectively out of context
to paint an image that bears little resemblance to reality.
Up until about a decade ago, documentary evidence was mostly on
paper. Even computer evidence amounted to reams of printed pages. This is
no longer the case. The electronic version of a file that was created by
and/or stored in a computer can be far more damaging to an individual or to
an organization because it contains not only the documentary evidence
itself but also “data about the data” (such as when it was created, when it
was revised, how it was revised, using whose software).

There is nothing “personal” about a personal computer (PC) other than
who paid the bill to buy it. Contrary to popular belief, it usually contains a
lot of data—some of it potentially quite incriminating—that got in there
without the owner’s awareness or consent. One’s PC is the most sought
after piece of evidence to be used against one. A personal computer is not at
all private in the eyes of the law; besides, most countries do not have laws
protecting privacy. If a personal computer’s data storage (hard drive, floppy
disks, tape backups, CD-ROMs, USB “keys,” etc.) is confiscated or subpoenaed—
and this is done with increasing regularity nowadays—then anything
in it “can and will be used against you”; even though a lot of it has been
entered without your consent or awareness, you can be convicted none the
less because most judges and juries are unaware of the many ways that illegal
data can enter your computer behind your back.

Most individuals and companies have always been careful of what they
commit to paper or say over the telephone; in litigious contemporary societies
cognizant of assorted discrimination laws, individuals have also learned
to be very reserved in what they say to each other, especially within a company
or other organization. Yet those very same individuals treat electronic
mail, or e-mail, like a private channel that enjoys some magic protection
from unintended recipients; comments that one normally would never put
on paper (gossip, off-color jokes, or worse) are routinely confided to personal
computers and to others through e-mail. Yet e-mail and computer
records are far more permanent than any piece of paper, and e-mail is far
more likely to reach unintended recipients than a plain old message in a
mailed envelope. Also, whereas there can only be a single “original” of a
paper document (that can haunt a company or an individual in court), a
copy of a computer record is as admissible a piece of evidence as the original record.

Society today favors more informality than in years past. This applies not
only to personal communications between individuals but also to the corporate
world that is trying to encourage creativity, esprit de corps among
employees, and candor. Whereas in the past there was a fairly rigid hierarchy
in most any organization, and one had to go through layers of management
filtering to reach upper management, e-mail has effectively allowed
anyone to bypass the hierarchy and protocol and contact anybody else
directly; this is done, ostensibly “in confidence,” when in fact the exact
opposite is true because of the permanence and indestructibility of e-mail.
It is worse than that; individuals tend to entrust personal (and corporate)
computers and e-mail with casual comments (such as gossip, innuendo,
biases, and outright illegal plans) that, if shown to a judge or a jury, can
evoke an emotional reaction resulting in unexpectedly harsh verdicts.

One often hears that statistical analyses can be presented to support just
about any preconceived notion; this is so because of selective inclusion and
exclusion of data made possible by the fact there is a lot of data to select
from to make one’s case. The same applies in spades to computer evidence:
There is usually so much data in a confiscated or subpoenaed computer that,
if judiciously selected, can present a judge or jury with what may appear on
the surface be compelling evidence of anything that an unscrupulous prosecutor
or litigant’s unethical attorney wants.

One might tend to dismiss all of the foregoing as applying to others. As
the next sections show, nothing could be further from the truth. It applies to
anyone using a computer (and that is practically everyone) for any purpose. In addition,
it is of direct interest to lawyers and future lawyers, to corporate officials,
to employees with access to employers’ computers, to sole proprietors
and individual entrepreneurs, to law enforcement officials, to politicians, to
medical doctors and other healthcare providers, to college students, to
information technology specialists, to hackers and aspiring hackers, to mental
health professionals, and so on.

And one more thing: Investigation of the contents of one’s computer
does not require physical access to that computer. In most cases it can also
be done (and has been done by assorted hackers, by software companies,
and others) while one is online (e.g., connected to the Internet or to any
other network); in many cases it can even be done by anyone with a few
hundred dollars to buy commercially available equipment while the targeted
computer user is connected to nothing and is merely using his or her
computer in the “privacy” of his or her own home. While evidence obtained
with no physical access to a targeted computer may not hold up in court in
some nations, it still provides the creative investigator with a wealth of
information about the targeted person; armed with knowledge of what to
look for and where to find it, that investigator can then home in on that
same evidence with legal means, present it in court, and never mention that
its existence became known through legally inadmissible means.
Interestingly, in the United States at least, what little privacy exists for
data stored in computers within one’s premises does not exist for data stored
off-site with third parties, such as on the Internet. Legislation is premised on
the assumption that even though information is increasingly stored in networks
off-site, such information has no legal expectation of privacy.

Unlike, say, classical mechanics or advanced mathematics, information
technology is evolving at an unprecedented rate. Even so, a concerted effort
has been made to keep this book “current” for a few years; this is done by
explaining the fundamentals (which do not change) and also by providing
directly relevant sources of information that the interested reader may
access to stay up to date on the latest.

There are plenty of books on what amounts to best practices in computer
forensics; this is not yet one more. Indeed, given how needlessly unintuitive
some of the most popular software suites for computer forensics are, the
aspiring computer forensic investigator would do better to attend the pricey
training classes offered by such software suites’ vendors.

Computer forensics is quite powerful against all but the most technically
savvy computer users. The fundamental problem that eludes most uninformed
judges and juries is that computer forensics cannot show who put
the data in the suspect’s computer; there is a large set of ways whereby
potentially incriminating data enters our personal computers without our
knowledge, let alone acquiescence. Given the ease with which a responsible,
law-abiding citizen can be convicted (or fined or lose custody of his or
her children) on the basis of such computer evidence of wrongdoing that
the accused had no part in, this book is intended for all computer users and
their lawyers. In particular, it is intended

1. For any professional or business person who has the legal and ethical
obligation to protect proprietary business information or intellectual
property stored in a computer entrusted to that person from being
stolen by an unscrupulous competitor or by a thief;
2. For attorneys defending wrongly accused individuals when the evidence
produced is in computer files, whether in criminal or civil legal proceedings;
3. For any responsible person who does not want to be unfairly persecuted
on the basis of computer data that he or she had no part in creating;
4. For the government official in a sensitive capacity where it is absolutely
essential that no data from his or her computer be retrieved by
unauthorized third parties regardless of their resources;
5. For any individual whose laptop may be among the hundreds of
thousands of laptops stolen every year and who does not want his or
her personal, medical, and financial information, let alone his or her
company’s proprietary information, to become public.
No background in information technology, beyond a typical working
familiarity with computers, is assumed; this book is intended to stand on its own two feet.

As with any tool, like a kitchen knife or a hunting rifle, or with a technique,
such as the use of chlorine to wipe out bloodstains or biological
agents, computer forensics and computer counterforensics can be used for
both legal and illegal purposes. This book emphatically does not condone
the illegal use of any of the techniques it presents.

Inevitably, some readers will ask whether law enforcers shouldn’t have
the right to monitor Internet usage and even individuals’ computers in
order to identify a crime and collect evidence to prosecute. Allow me to
answer with a few questions in the tradition of the Socratic dialogue:
1. Should law enforcers be allowed to look into citizens’ bedrooms and
bathrooms to catch criminals (e.g., those growing drugs in their
house, as happened recently in a case that went all the way to the
U.S. Supreme Court)? Where do you draw the line as to which technical
means law enforcers can use to peek into citizens’ affairs?
a. Do you draw the line to include the Internet but no more?
b. How about thermal imaging of the inside of a house?
c. How about placing hidden microphones in houses for good
d. How about placing hidden video cameras in houses?
e. How about requiring all residents to submit to monthly lie
detector exams?
2. Should law enforcers be allowed to look in all citizens’ houses as a
matter of routine screening just in case some crime is being committed?
(This is the equivalent of wholesale Internet interception
looking for keywords or other indicators to identify the perpetrators).
xviii Introduction
3. If law enforcers are only allowed to look at some citizens’ houses
(those suspected of a crime), and if they find evidence of a totally different
crime, should they discard this new evidence for which they
did not have authority to look? If not, how does that differ from
wholesale monitoring of everyone for good measure?
4. Who defines “crime” beyond the obvious (murder, arson, etc.)? In
some countries it is a crime to criticize the government. In others it is
a crime to say that its leader is ugly. Should law enforcers be allowed
to monitor Internet traffic or to do forensics on computers for evidence
that a citizen said that the leader is ugly?
5. Should the popes of years past have been allowed to monitor the
Internet (which did not exist, but never mind that) to collect evidence
that Galileo believed, horror of horrors, the earth was not the
center of the universe (a horrible crime then, punishable by death)?
In short, what social price are you willing to pay for security from
crime as defined by the state? Are you willing to surrender all freedoms
to be crime-free?
6. And assuming that some Internet connection shows evidence of a
crime (I would be interested in your definition), how are law enforcers
going to prove who did it, given that one’s IP address can be
hijacked by total strangers (e.g., by Wi-Fi war drivers).

This book deals with security from hostile computer forensics (mostly on
one’s computer, but also on one’s digital camera, fax machine, and related
computer-like electronics), as distinct from network forensics, which in this
context is snooping into users’ online activities. Computer forensics deals
with anything and everything that can be found on one’s computer. Network
forensics, on the other hand, pertains to evidence like logs kept by
Internet service providers (ISPs) and other remotely located networked
computers. Network forensics is most relevant in the investigation of remote
hackings, remote denial of service attacks, and the like. Even so, because
most computers today are connected to the Internet at one time or another,
this book also covers those aspects of network forensics that affect anyone
connecting to the Internet.

All trademarks are hereby acknowledged as the property of their respective owners.

Table of Contents
Introduction . . . . . . . . . . . . . xv
1 Computer Forensics  1
1.1 What is computer forensics? 1
1.2 Why is computer forensics of vital interest to you? 1
1.2.1 As an employee 1
1.2.2 As an employer or corporate executive 2
1.2.3 As a law enforcement official 3
1.2.4 As an individual 4
1.2.5 As a lawyer for the defense 5
1.2.6 As an insurance company 6
1.2.7 As a user of others’ computers 6
1.3 If you have done nothing illegal, you have nothing to fear: not true anywhere! 6
1.4 Computer forensics 8
1.4.1 User rights to privacy? 8
1.4.2 The forensics investigator must know up front 9
1.4.3 Forensics is deceptively simple but requires vast expertise 9
1.4.4 Computer forensics top-level procedure 11
1.4.5 Forensics specifics 13
1.4.6 Digital evidence is often evidence of nothing 16
Selected bibliography 22
2 Locating Your Sensitive Data in Your Computer  23
2.1 Deleting does not delete—what does? 23
2.1.1 General 23
2.1.2 Disk wiping 26
2.1.3 File- and disk-wiping software 28
2.1.4 Magnetic microscopy forensic examination of disks 31
2.2 Where is the sensitive data hiding? 32
2.2.1 Cluster tips or slack 32
2.2.2 Free space 33
2.2.3 The swap file 34
2.2.4 Spool and temporary files 34
2.2.5 Forensics on nonmagnetic disks 35
2.2.6 History files 35
2.2.7 Data in the registry files 35
2.2.8 Data from sloppy use of personal encryption software 36
2.2.9 Nonvolatile memory 36
2.3 The swap file as a source of forensic data 36
2.3.1 General 36
2.3.2 Securely wiping the swap file 38
2.4 The Registry as a source of forensic data 39
2.4.1 Why is the Registry a major source of forensic evidence? 39
2.4.2 Where is all this private information hiding in the Registry? 41
2.4.3 Backing up the Registry and restoring a corrupted one 42
2.4.4 Cleaning up sensitive data in the Registry 42
Reference 44
3 Specialized Forensics Applications 45
3.1 Digital watermarking 45
3.2 The British RIP Act and the US Carnivore (DCS1000) 49
Selected bibliography 51
4 How Can Sensitive Data Be Stolen from One’s Computer? 53
4.1 Physical possession of one’s computer 53
4.2 Temporary physical access to one’s computer 53
4.3 Commercial hardware keystroke loggers 54
4.4 Commercial software keystroke loggers 57
4.5 Going online 58
4.5.1 By one’s ISP or by anyone having compromised the ISP’s security 58
4.5.2 By a legal or an illegal telephone tap 59
4.5.3 By remote Web sites that one accesses 59
4.6 Spyware in your computer 60
4.6.1 By commercial spyware and adware 60
4.7 van Eck radiation using commercially available systems 64
4.7.1 General 64
4.7.2 Protective measures 65
4.7.3 Optical emanations and their interception 69
4.8 Being on a network, cable modem, or xDSL modem 69
4.9 Other means 70
4.10 Insertion of incriminating data in your computer by others 70
4.11 Security protection steps that don’t work well enough 71
4.11.1 The fallacy of CMOS password protection 71
4.11.2 The fallacy of password protection offered 
by popular commercial software 71
4.11.3 The fallacy of protection by hiding files from view 72
4.11.4 The fallacy of protection by hiding data in the slack 72
4.11.5 The fallacy of protection by placing data in 
normally unused locations of a disk 72
4.11.6 The fallacy of protecting data by repartitioning a 
disk for a smaller capacity than the disk really has 72
4.11.7 The fallacy of protection through password-protected disk access 73
4.11.8 The fallacy of protection through the use of booby-trap software 73
4.11.9 The fallacy that overwriting a file removes all traces of its existence 73
4.11.10 The fallacy of encryption protection 74
4.11.11 Other protection fallacies that don’t deliver 74
Selected bibliography 75
References 76
5 Why Computer Privacy and Anonymity?  77
5.1 Anonymity 79
5.1.1 Practical anonymity 81
5.2 Privacy 82
5.2.1 You cannot trust TRUSTe? 82
5.2.2 Is privacy a right? 83
5.2.3 The impact of technology on privacy 86
Selected bibliography 88
6 Practical Measures For Protecting Sensitive Information  91
6.1 Installing secure Windows 91
6.2 Recommended best practices 91
6.2.1 If using Windows NT 96
6.2.2 If using Windows 2000 98
6.2.3 If using Windows XP 102
6.2.4 Heroic protective measures regardless of the version of Windows 104
6.2.5 Last but not least 105
6.3 Additional privacy threats and countermeasures 106
6.3.1 Individually serial-numbered documents 106
6.3.2 Online activation and online snooping by software 106
6.3.3 Microsoft documents that call home 108
6.3.4 The NetBIOS and other threats from unneeded network services 109
6.3.5 TCPA/Palladium 109
6.3.6 The vulnerability of backups 110
6.4 Protecting sensitive data on hard disks 111
6.4.1 Full disk encryption 112
6.4.2 Encrypting disk partitions 114
Reference 114
7 Basic Protection from Computer Data Theft Online 115
7.1 Protection from which of many online threats? 117
7.2 Installation of Windows for secure online operation 117
7.3 Online security threats and issues 118
7.3.1 Web browser hijacking 118
7.3.2 The romantic e-card and related con schemes 121
7.3.3 E-mail bombs 121
7.4 Software to enhance online security 122
7.4.1 Junkbuster 122
7.4.2 SurfSecret 122
7.4.3 Assorted cleaners of browsers 122
7.5 Basic do’s and don’ts 124
7.5.1 Don’t’s 124
7.5.2 Do’s 125
8 Practical Measures for Online Computer Activities 127
8.1 Netscape Navigator/Communicator 128
8.2 Microsoft Internet Explorer 133
8.3 Desirable e-mail software configuration and modifications 138
8.3.1 Free Web-based e-mail offers that require JavaScript: don’t! 138
8.3.2 Outlook and Outlook Express 139
8.3.3 Eudora e-mail software 139
8.4 Secure e-mail conduct online 141
8.4.1 Self-protecting e-mail 144
8.4.2 Accessing e-mail from anywhere on Earth 148
8.5 E-mail forensics and traces: the anonymity that isn’t 149
8.5.1 Tracking suspect e-mail 152
8.5.2 Sending anonymous e-mail: anonymous remailers 154
8.5.3 General network tracing tools 158
9 Advanced Protection from Computer Data Theft Online  159
9.1 Virus/Trojan/worm protection 159
9.2 Protection from keyloggers 160
9.2.1 Protection from keystroke-capturing software 160
9.2.2 Protection from keystroke-capturing hardware 161
9.3 Protection from commercial adware/spyware 161
9.4 Protection from Web bugs: an insidious and far-reaching threat 163
9.5 Using encrypted connections for content protection 164
9.6 Using proxy servers for anonymity 167
9.7 Using encrypted connections to ISPs for content protection 169
9.7.1 SSL 170
9.8 SSH 171
9.9 The failed promise of peer-to-peer clouds 172
9.10 Caller ID traps to avoid 173
9.11 Traps when connecting online from a cellular phone 174
9.12 Traps when using FTP 174
9.13 Using instant messaging schemes 175
9.14 Pitfalls of online banking 175
9.15 Secure Usenet usage 176
9.15.1 Anonymity from other Usenet readers 178
9.15.2 Anonymity from one’s in-country ISP 179
9.15.3 Usenet privacy in oppressive regimes 180
9.16 Ports to protect from 181
9.17 Sniffers 184
9.18 Firewalls 185
9.18.1 Personal software-based firewalls 187
9.19 Software that calls home 188
Reference 189
10 Encryption . . . . . . . . . . . . . 191
10.1 Introduction 191
10.2 Availability and use of encryption 193
10.2.1 Old-fashioned encryption 195
10.2.2 Conventional (symmetric) encryption 195
10.2.3 Public-key encryption 197
10.2.4 Elliptic-curve encryption 200
10.2.5 Voice encryption online 200
10.3 Attempts to control against encryption 201
10.4 Legal issues 202
10.4.1 Crypto laws around the world 203
10.4.2 Can encryption bans work? 204
10.5 Societal issues 208
10.6 Technical issues 209
10.7 Countermeasures 210
10.8 State support for encryption 211
10.9 The future of encryption 212
10.10 Quantum cryptography 213
10.10.1 Quantum computing 214
10.11 DNA-based encryption 215
10.12 Comments 215
Selected bibliography 216
References 218
11 Practical Encryption . . . . . . . . . . 219
11.1 Introduction 219
11.2 Entire-disk encryption 220
11.3 Encrypting for e-mail: PGP 221
11.3.1 How PGP works 224
11.3.2 Do’s and don’ts of PGP installation and use 226
11.3.3 The need for long public keys 233
11.3.4 The man-in-the-middle problem 234
11.3.5 DH or RSA? 235
11.3.6 DSS? 235
11.3.7 Selecting the Symmetric Encryption Algorithm 236
11.3.8 A minor flaw in PGP 236
11.3.9 PGP weaknesses 238
11.3.10 Other uses of PGP 239
11.4 Encrypting one’s own files: encrypted disk partitions 239
11.5 Steganography 243
11.5.1 Practical considerations in steganography 246
11.5.2 Detecting steganography: steganalysis 246
11.5.3 Other ways that steganography can be detected 247
11.5.4 Recommendations for maintaining privacy through
steganography 248
11.6 Password cracking 249
11.7 File integrity authenticity: digital digests 252
11.8 Emergencies 253
11.8.1 Protecting sensitive data from a repressive regime 253
11.8.2 A word of caution 254
11.8.3 Getting discovered as a desirable persona 254
Selected bibliography 255
References 256
12 Link Encryption: VPNs . . . . . . . . . 259
12.1 Split tunneling 261
12.2 IPsec 262
12.3 Summary 263
Selected bibliography 264
13 Security of Wireless Connectivity: Wi-Fi and Bluetooth  265
13.1 Background 265
13.2 The 802.11 technologies 266
13.2.1 WEP insecurity 268
13.2.2 War driving and war chalking 270
13.2.3 Using Wi-Fi while traveling 271
13.2.4 WPA 272
13.2.5 Securing 802.11 273
13.3 Bluetooth wireless link security issues 274
13.3.1 Bluetooth security threats 275
13.3.2 Recommended steps for enhancing security of Bluetooth devices 277
Selected bibliography 278
14 Other Computer-Related Threats to Privacy. . . 279
14.1 Commercial GPS devices 279
14.2 RF ID devices 281
14.3 Modern vehicles’ black boxes 283
14.4 Cell phones 285
14.5 Prepaid calling cards 286
14.6 Credit cards 287
14.7 Intelligent mail 288
14.8 Fax machines and telephone answering machines 288
14.9 Office and home copiers 289
14.10 Frequent-anything clubs 289
14.11 Consumer electronics 290
References 290
15 Biometrics: Privacy Versus Nonrepudiation. . . 291
15.1 Are they effective? It depends 291
15.2 Biometrics can be easily spoofed 293
15.3 Identification is not synonymous with security 298
15.4 Societal issues 299
References 300
16 Legal Issues. . . . . . . . . . . . . 301
16.1 Software agreements that shift the legal liability to the user 301
16.2 Cyber–SLAPP suits 303
16.3 E-mail 303
16.4 Copyright 305
16.4.1 U.S. Digital Millennium Copyright Act of 1998 305
16.4.2 The Uniform Computer Information Transactions Act 308
16.5 Can one be forced to reveal a decryption key? 309
16.6 Why is electronic evidence better than paper evidence? 312
16.7 Civil legal discovery issues 315
16.8 International policy on computer-related crime 318
16.9 What is computer crime? 319
16.10 What can a business do to protect itself? 320
16.11 Criminal evidence collection issues 320
16.11.1 Collection 320
16.11.2 Handling 321
16.12 Federal guidelines for searching and seizing computers 321
16.13 Destruction of electronic evidence 326
16.14 U.S.–European data-privacy disputes 327
16.15 New international computer crime treaty 327
16.16 The post–September 11 reality 328
16.17 The sky is the limit—or is it the courts? 331
References 332
About the Author . . . . . . . . . . . 333
Index. . . . . . . . . . . . . . . 335


e-books shop

Purchase Now !
Just with Paypal

Product details
 366 p
 File Size
 4,031 KB
 File Type
 PDF format

═════ ═════

Loading... Protection Status