Download - Foreign Military Studies Office - U.S. Army

More documents

Recommendations

Info

each element is a standard way of fleshing out the activities and, perhaps, even the intent of the crime. In cyberspace, this is a little bit more difficult because a suspect can be miles away from the scene. Still a useful tool for a forensic examination of a computer system is a timeline analysis. A timeline analysis includes important files or data obtained from the physical and logical level analyses, users and dates, and times of computer usage, file creation, file deletion, or file changes that might pertain to the case. It is imperative to know who created or downloaded a file of information with value to the computer being analyzed, how it got there, and when it got there. Many case types benefit from this type of analysis, such as intrusion cases, fraud cases, and plagiarism cases. Login logs, audit logs, system logs, and dial-up logs may provide additional information for this type of analysis. Intrusion cases are especially dependent on the sequence and timeline analysis of events. System logs include Intrusion Detection System (IDS) logs, web application logs, firewall logs, router logs, operating system logs and other application logs. The file attributes that an operating system’s file system stores about a file can include such important timeline items as file creation date (when a file was created), file modified date (the last time it was changed), last file access date (last time that file was opened or viewed), and last archived date (last time the file was backed up or archived). An example would be a co-conspirator of a hacker who broke into a computer card site. A timeline analysis could show when the subject acquired the information as, for example, an attachment to an email from the original hacker. This type of information may help make the case to prove that the subject was part of the crime and decided what to do with the information. Perhaps the file was attached to another email and sent out to another coconspirator as proof of his hacker buddy’s “work well done.” 2. Technology Used in Network Forensics or Investigations Today many crimes have associated network data that can be used as evidentiary information. If a crime is committed at work, the Local Area Network (LAN) can offer additional information. An example of this is an individual who uses a workplace computer to download or upload pornography from the Internet, communicates with others about uploading and downloading pornography, or uses the Internet chat rooms to converse about illicit sexual conduct. The network file server could contain some of the images if the worker used his network home directory or perhaps the public areas of the file server’s disk to place some of the evidence. The network server probably has logs regarding when the worker’s account was logged in, and it may also contain the download records of what account downloaded what file and from where. This type of evidence would be obtained from the servers on the network and not the worker’s computer. Other areas on the network that may 324
contain evidence are mail servers, which could contain not only email but also attachments to the email, and the email logs. The site may keep web server logs that would show which websites a user may have visited. The network or domain servers may show login data, file download data, application usage, privilege levels, directory permissions, and a multitude of other data that may be useful in an investigation. Security testing records may show the configuration of a user’s workstation that may be helpful in certain types of investigations. Besides the computers on the network, other network devices may contain useful information. These devices include firewalls which may have some useful data in the firewall logs, border or intranet segregating routers which may have data in router logs, intrusion detection systems, web servers, DNS servers, and so on. Any of these devices, logs, or information may help in an investigation to determine what happened, when it happened, how it happened, and to or by whom. Network forensics is time consuming and usually requires the assistance of the network administrator or expert help. Since, in most cases, a court is not going to give law enforcement permission to seize a whole network, it usually requires that a search be completed on-site. This increases the possibility of missing valuable information. Usually the search has to be completed within a time limit, and that means that law enforcement has little time to respond to a configuration or system that is not familiar to them. Much preparation is required to conduct a network search. Law enforcement officials can help themselves by gathering data that helps determine configurations such as operating system types, hardware issues, storage issues, application issues, and so on. If an investigator knows he is going to have to search a local area network with one file server running an NT server with ten workstations running Windows 98 and that the application most likely to have the data they are seeking is Microsoft Access, then he should prepare for this eventuality. He must insure he has the capability on hand to search the network. There are many methods to uncover data from a remote access, or to change or acquire data. The system logs may be the best starting place. If data were changed, older versions of the file should then be compared. Some files are stored temporarily, and these may also be a source for comparison. If this system were part of a network, file servers may store backups of these files. Again, a file comparison can be used. All network access devices have the capability to store audit or login logs, and these may be very useful in determining the source of a remote entry into a system. 325
Page 2:
Cover: The cover highlights four st
Page 6 and 7:
DEDICATION This book is dedicated t
Page 9 and 10:
TABLE OF CONTENTS TABLE OF CONTENTS
Page 11 and 12:
IT Databases and Policekeeping ....
Page 13 and 14:
FOREWORD This book explores the imp
Page 15 and 16:
INTRODUCTION This book examines the
Page 17 and 18:
cultural awareness, psychological o
Page 19 and 20:
PART ONE: UNDERSTANDING OUR CYBER E
Page 21 and 22:
CHAPTER ONE: ENGAGING CYBER OR INFO
Page 23 and 24:
Jihad” listed the terms cyberatta
Page 25 and 26:
screening methods were used to chec
Page 27 and 28:
more than 194 million in China. But
Page 29 and 30:
as armies do on the battlefield to
Page 31 and 32:
date, military opponents have been
Page 33 and 34:
usurp adversarial human and automat
Page 35 and 36:
However, just as cyber activities h
Page 37 and 38:
ought Keyhole and now offers free a
Page 39 and 40:
The important point to underscore i
Page 41 and 42:
that may or may not result in blood
Page 43 and 44:
web allows an uncensored and unfilt
Page 45 and 46:
The Internet can help a poorly fund
Page 47 and 48:
audiences, while one set to use Ara
Page 49 and 50:
of icons can change as well. Messag
Page 51 and 52:
The Internet takes advantage of leg
Page 53 and 54:
without physically meeting their fo
Page 55 and 56:
conflict. It is a protracted politi
Page 57 and 58:
Adaptive Insurgent Organization and
Page 59 and 60:
It is clear that Osama bin Laden re
Page 61 and 62:
With no filter or censor, the Inter
Page 63 and 64:
was killed as a result. Public opin
Page 65 and 66:
material is visual as well as writt
Page 67 and 68:
PART TWO: TERMINOLOGY AND CONCEPTS
Page 69 and 70:
CHAPTER FOUR: IS THE IW PARADIGM OU
Page 71 and 72:
Webster’s is necessary. Secondly,
Page 73 and 74:
war.” 118 If the definition of wa
Page 75 and 76:
of near total “information superi
Page 77 and 78:
across broad geographical areas. Ho
Page 79 and 80:
mind, whether electronic, laser, or
Page 81 and 82:
necessarily mean that other nations
Page 83 and 84:
views network-centric operations in
Page 85 and 86:
making while protecting our own.”
Page 87 and 88:
telecommunication assets; and they
Page 89 and 90:
eligious propaganda aspect of IW. T
Page 91 and 92:
Mianheng, by the way, was reported
Page 93 and 94:
China’s networks according to som
Page 95 and 96:
• Form a psychological-warfare me
Page 97 and 98:
CHAPTER SIX: CHINESE AND AMERICAN N
Page 99 and 100:
military deception, and physical de
Page 101 and 102:
transformation is to emphasize both
Page 103 and 104:
Network-Centric Warfare Early in 20
Page 105 and 106:
latter perhaps mimicking the Americ
Page 107 and 108:
authors appeared to be describing w
Page 109 and 110:
• Overestimates man’s capacity
Page 111 and 112:
Cultures eventually produce metapho
Page 113 and 114:
PART THREE: APPLICATIONS AND CASE S
Page 115 and 116:
CHAPTER SEVEN: VIRTUAL PEACEMAKING:
Page 117 and 118:
The most important part of this def
Page 119 and 120:
warplanes were very capable of prec
Page 121 and 122:
advantage of contemporary technolog
Page 123 and 124:
• Communicate commitments to take
Page 125 and 126:
9. Crises can demonstrate the power
Page 127 and 128:
whether they realize it or not, thr
Page 129 and 130:
since many can help slow or prevent
Page 131 and 132:
Superimposing these three ideas on
Page 133 and 134:
5. Offer improved upgradeability fo
Page 135 and 136:
How nations learn to manage or leve
Page 137 and 138:
There are various scenarios through
Page 139 and 140:
There remains an entire series of q
Page 141 and 142:
CHAPTER EIGHT: KOSOVO AND THE CURRE
Page 143 and 144:
information while exploiting or den
Page 145 and 146:
can a real assessment of accuracy b
Page 147 and 148:
agreement less acceptable to Yugosl
Page 149 and 150:
In September, a Pentagon review of
Page 151 and 152:
damning comment could prove to be f
Page 153 and 154:
of support. The second objective wa
Page 155 and 156:
and logic. But the point to again b
Page 157 and 158:
It also will be interesting to watc
Page 159 and 160:
press and police headquarters, and
Page 161 and 162:
CHAPTER NINE: “POLICEKEEPING” A
Page 163 and 164:
Conflict. 270 It is still a year or
Page 165 and 166:
a virtual library and electronic pu
Page 167 and 168:
other hard-to-find structures. Know
Page 169 and 170:
Policekeepers would benefit greatly
Page 171 and 172:
IT also offers systems that create
Page 173 and 174:
• Developing an information block
Page 175 and 176:
human-based, data-processor compone
Page 177 and 178:
software by using special programmi
Page 179 and 180:
international and state control ove
Page 181 and 182:
a real disadvantage since its radar
Page 183 and 184:
forces. Their system’s ability to
Page 185 and 186:
and digital ortho-photomaps that we
Page 187 and 188:
One of the earliest definitions of
Page 189 and 190:
value of destroying targets with pr
Page 191 and 192:
The Use of Information-Psychologica
Page 193 and 194:
off a Russian prisoner. This film w
Page 195 and 196:
Russian infospace created to manipu
Page 197 and 198:
The Chechens were easily able to pr
Page 199 and 200:
One of the amino.com sites, for exa
Page 201 and 202:
Another site available is daimohk.o
Page 203 and 204:
How long the government’s picture
Page 205 and 206:
negating similar actions by Chechny
Page 207 and 208:
Russian armed forces cannot stall m
Page 209 and 210:
PART FOUR: CYBER THREATS TO THE MIN
Page 211 and 212:
initiated by the US. In this sense
Page 213 and 214:
Within this digitized context a sho
Page 215 and 216:
emained maddeningly undefinable, so
Page 217 and 218:
Another problem of the human dimens
Page 219 and 220:
worldwide may enter their own cultu
Page 221 and 222:
CHAPTER TWELVE: THE AGE OF THE NEW
Page 223 and 224:
as a weapon for conducting psycholo
Page 225 and 226:
Cease Fires Anytime there was a cha
Page 227 and 228:
companies try to persuade or manipu
Page 229 and 230:
These devices are associated with t
Page 231 and 232:
the Soviets wanted to only shoot do
Page 233 and 234:
down the bodily functions of more t
Page 235 and 236:
TV reporting to avert a panic while
Page 237 and 238:
229
Page 239 and 240:
wealth of outstanding mathematician
Page 241 and 242:
switching on air defense radars, or
Page 243 and 244:
Upon closer analysis, the “not fi
Page 245 and 246:
Today, simulation, stealth, and var
Page 247 and 248:
impact of what they term “new-con
Page 249 and 250:
Thus, an information weapon could b
Page 251 and 252:
operations on a strategic scale. Th
Page 253 and 254:
opponent to “see through” an RC
Page 255 and 256:
CHAPTER FOURTEEN: RUSSIA’S REFLEX
Page 257 and 258:
The Soviet and Russian armed forces
Page 259 and 260:
method or technology of obtaining,
Page 261 and 262:
possible to influence his combat pl
Page 263 and 264:
maneuvers, weapons tests, denying e
Page 265 and 266:
Computer technology increases the e
Page 267 and 268:
econsider the wisdom of his decisio
Page 269 and 270:
(5) transfer of an image of one’s
Page 271 and 272:
might try to overpower them. 483 Th
Page 273 and 274:
control against a state, and inform
Page 275 and 276:
PART FIVE: CONCLUSIONS AND APPENDIX
Page 277 and 278:
oadband migration. These are the de
Page 279 and 280:
technical developments that are pro
Page 281 and 282: software 491 for peacekeeping utili
Page 283 and 284: attack against Arab and Muslim righ
Page 285 and 286: Structurally the brigade has three
Page 287 and 288: War. 507 Thus the situational setti
Page 289 and 290: enabling network-centric operations
Page 291 and 292: While it is good to have people wit
Page 293 and 294: fact. 518 It is this focus on cultu
Page 295 and 296: C4ISR technology to ensure that the
Page 297 and 298: 289
Page 299 and 300: 1999 “Information Technology: US/
Page 301 and 302: APPENDIX TWO: DECIPHERING ASYMMETRY
Page 303 and 304: The term apparently assumes whateve
Page 305 and 306: something new, he reminds us, notin
Page 307 and 308: intelligence capability. In the cit
Page 309 and 310: “singing in the rain,” then dec
Page 311 and 312: the attack. Law enforcement agencie
Page 313 and 314: Cybercrime is a more accurate defin
Page 315 and 316: computers. The process can be made
Page 317 and 318: them. This device is composed of a
Page 319 and 320: technology to investigate and estab
Page 321 and 322: e stored and/or through which data
Page 323 and 324: 2. European Union - This is an orga
Page 325 and 326: enforcement as another avenue for p
Page 327 and 328: transferred to a physical medium su
Page 329 and 330: sectors as bad. A person wanting to
Page 331: • Compressing/Decompressing Files
Page 335 and 336: FBI created a partnership program w
Page 337 and 338: • Subpoenas - These must be obtai
Page 339 and 340: search warrants for email, and dete
Page 341 and 342: originating from country X, law enf
Page 343 and 344: system is globally distributed and
Page 345: About the author: Timothy L. Thomas
show all

Download - Foreign Military Studies Office - U.S. Army

Create successful ePaper yourself

Delete template?

Save as template?