Title: High-Technology-Crime Investigator’s Handbook
Author(s): Gerald L. Kovacich and William C. Boni
Publisher: Butterworth-Heinemann
225 Wildwood Avenue
Wildwood, MA 01801-2041
(Second edition: Elsevier)
ISBN:
First edition:
ISBN-13: 978-0-7506-7086-9
ISBN-10: 0-7506-7086-X
Second edition:
ISBN-13: 978-0-7506-7929-9
ISBN-10: 0-7506-7929-8
Library of Congress:

About the Author(s)

Dr. Gerald L. Kovacich holds a bachelor’s degree in Asian history and politics, a master’s degree in social science, a master’s degree in telecommunications management, and a doctorate degree in criminology. He has more than 36 years of industrial security, investigations, information systems security, and information warfare experience. He has worked for the United States government and technology-based international corporations where he developed and managed several InfoSec and high-technology-crime investigations and defensive and offensive information warfare programs, as well as lectured nationally and internationally on these topics. Dr. Kovacich is a Certified Fraud Examiner, Certified Protection Professional, and Certified Information Systems Security Professional.

Mr. William C. Boni leads PricewaterhouseCoopers’ Information Protection Practice, which helps organizations safeguard their most important assets: trade secrets and proprietary information. Over the past 22 years, Mr. Boni has helped a variety of organizations design and implement cost-effective programs to protect both tangible and intangible assets. During his career, he has worked as the Director of Information Protection Services for Amgen, served as a U.S. Army counterintelligence officer, a federal agent and investigator, a security consultant with Kroll Associates, a Vice President of Information Security for a major regional bank, and a program security officer for “Star Wars” projects with defense technology companies such as Hughes Aircraft and Rockwell.

Outside Back Cover

Computer Security/Investigations

HIGH-TECHNOLOGY-CRIME INVESTIGATOR’S HANDBOOK
Working in the Global Information Environment
Dr. Gerald L. Kovacich, CFE, CPP, CISSP; and William C. Boni, MBA

High-Technology-Crime Investigator’s Handbook is coming at a time when high-technology crime is growing at a rapid pace, and private and public law enforcement are struggling to keep up. This book will inform readers about the potential of high-tech crimes, in addition to the resources that are available to combat them. The whole area of technological crime has become increasingly complex in today’s business environment and this book responds to that reality.

  • Brings to light many high-tech tools, advanced methods, and streamlined applications that can be used now and in the next century.
  • Emphasizes the management of a high-tech investigation unit.

Foreword

It really came as a surprise to me.

I recently found myself with Jerry Kovacich drinking fine British beer in a fine London drinking establishment and he asked if I would pen an introduction to the new book he was writing with Bill Boni. I was certainly honored to be offered that task, but that wasn’t the surprise. The surprise was the serendipitous timing of his request and the events that were surrounding me at the time. For, you see, a couple of my associates were themselves immersed in cyber-investigations.

Over the years I have had occasion to be on the trail of “bad guys,” both within and outside of an organization, and I have found that in most every case, the procedures followed on the part of the victim firm were ad hoc at best.

“What is your policy for dealing with serious external hacking?” I would ask.

“Uh, er…we don’t have one,” the senior security officer would say.

“Okay, how well tuned-in is your in-house counsel for these sorts of events?”

“He’s a bean-counting lawyer…he doesn’t keep up on this sort of thing. What do you think we should do?” they would ask me.

So it was odd indeed that drinking fine beer with Jerry four thousand miles from home should coincide with two ongoing cases I was involved with.

In the first case, a large financial institution found itself under a fairly severe attack that had been going on for nearly two weeks. The security manager came from a legal/law enforcement background and had a healthy dose of street-fighting experience. He immediately commenced an internal investigation. Audit trails from all perimeter systems (firewalls, routers, etc.) and native host and applications were “turned up” to a greater degree of sensitivity, thus gathering greater amounts of raw audit data. Analysis was comprehensive in order to learn about the techniques of the intruder. They wanted, hopefully, to learn what his real goals were and what caliber of attacker they were dealing with.

Secondly, they quickly captured an IP address and began the laborious process of tracing and identifying the intruder who was making substantial progress through the company’s very sensitive files. By using “streetsmarts” pressure, he got the first ISP in the chain to carry on the trace to the next hop. He called the next hop during the night and was able to identify the real IP, real name, and real physical address of who had been breaking in. Throughout this process, police were neither notified nor invited to help.

Using additional investigative tools and by performing an extensive background check on their suspect, the company was confident to five-nines (99.999%) that they had the perpetrator. The security manager contacted some acquaintances and asked if they could make a house-call on the company’s behalf. They did so, and in no uncertain terms, convinced the [intruders it would be in their best interest to cease and desist their intrusions immediately]. Their not-so-subtle tactics worked.

Problem solved. Not one dime or ounce of time was spent with the police. Whether you approve of these actions or not is immaterial. The company was prepared to conduct an internal investigation without the participation of any outsiders, they implemented their plan, and within days it was over. Best of all, only a small number of top corporate officials ever knew there was a problem. No newspapers or internet rumors. From the perspective of everyone throughout the company in 50 states and many foreign countries, it was business as usual.

The second case was handled a bit differently. Although a very large company with a large number of trade secrets, they had very little security process or technology in place. They became aware of their problem not because of electronic sensors picking up illicit and abnormal behavior as in the first case, but they had discovered that they had a malicious insider because of a disturbing e-mail that inquired why extensive hacking was coming from their IP address. After a scramble, they traced down some logs and manually found activities they couldn’t explain; it did indeed seem that someone was hacking from inside their company.

Meetings were hastily called and the internal lawyer was endlessly stuck in a physical paradigm. He just didn’t understand the power of their hacker and the technical limitations the company faced. Everyone did agree to no dealings with the police. They wanted to handle it themselves even though they had little clue as to what steps to take.

I helped them draw up a quick-and-dirty game plan, and we soon found that our likely disgruntled employee had once worked for the company that he was hacking into. Because of California law sensitivities, they did not take my advice: go lock up his machine, get a sector copy of the hard disk, and acquire some forensics tools to see what he’s been hiding through erasure, deletion, or other disguise mechanisms. Human Resources was appalled at our decision to fire the employee. They told us every reason in the book why we couldn’t do what we knew we had to do to build a case against their hacker.

Winn Schwartau