Forensic imaging tools draft v1

by Consultant at University of Western Australia on Jul 15, 2013

  • 6,506 views

This is an extract from ongoing research made available as a draft for comments and recommendations. All tools were tested in the same virtual configuration providing a consistent test platform.

Comments (12)

  • VijayNair9 Vijay Nair **Guymager missing!!! Try them on 64-bit distros and they are lightning fast. Try these tests on them.

    **The virtual environment won't work for real-life tests; try a benchmark on the same hardware and then run over the imagers.

    **Test the 64-bit variants against 32-bit variants for imaging. Both systems run in different ways. Speeds vary.

    **Speeds with write blockers and speeds without them.

    **Over-the-network imaging as well.

    **Measure the amount of CPU used by the threads/app.
    1 month ago
  • RichardBoddington Richard Boddington @RichardMarchewka Hear! Hear! Richard 1 month ago
  • RichardAdams3 Richard Adams, Consultant at University of Western Australia @RichardMarchewka Thanks for your comment Richard. I recently started a debate on this very topic in the Yahoo digital forensic group. Unfortunately there seems to be a lack of understanding of the key point - digital forensics is not a science nor are the tools being used 'scientific'. If you continue to claim scientific status then digital evidence will be inappropriately tested in court using scientific criteria. I have however suggested that the processes being used can have scientific rigor and this is an important area we should be developing (actually 'back-filling'). 1 month ago
  • RichardMarchewka Richard Marchewka, Digital Forensic Examiner at Kansas Bureau of Investigation What you find in your testing is endemic of all in this field who want to 'make this more scientific'. I have been in this field for over 20 years. There is nothing scientific about digital forensics. If it were a science one could test a hypothesis in a consistent manner and the results would either be, or not be, consistently what is expected. I have found numerous times that what is expected may be achieved x number of times and then x+1 is different. There are so many variables in this field, hardware and software. All, please stop trying to make this a science rather than an investigative tool, which it was when those in the law enforcement community were the pioneers in the field. 1 month ago
  • RichardAdams3 Richard Adams, Consultant at University of Western Australia For those that have requested details of my previous research in relation to a process model for acquiring digital evidence, here is the link to the full thesis. The model itself is in Appendix 2 but there may be some useful references elsewhere in the document: http://researchrepository.murdoch.edu.au/14422/2/02Whole.pdf 6 months ago
  • RichardAdams3 Richard Adams, Consultant at University of Western Australia @speedimager I think there may be some misunderstanding as to my intention for the tests. The scenario I use is one in which you need to use a boot disk in order to acquire from a single machine (although of course in reality it may have multiple disks). For those tools that are not supplied with a write-blocking environment the next stage will use either SafeBoot or WinFE as the platform although the testing so far has simply run a native Windows O/S with the drives unmounted. I will carry out some comparison checks using different setups to see if they do in fact impact on relative acquisition speeds. 8 months ago
  • speedimager speedimager @RichardAdams3 Thanks for the answer. If I understood you well, we both agree that the setup strongly influences the measurements. I understand that it is not possible nor desirable to test each and every situation we could think of. I think we also can agree that a test environment with only 1 CPU core is not realistic for today's hardware. I therefore would suggest a 'medium setup', for example as follows: VM with 4 CPU cores, 2GB RAM, 2 HDDs to be imaged. Such a machine is nothing special nor expensive. Everybody can easily afford such an imaging station and it can be found in many offices (your case 'boot disk on source machine'). Concerning the 2 HDDs to be imaged: this would be a small case, for example a PC that was seized with a SSD and a HDD, or two home PCs, each one with only 1 HDD. Concerning the VM: I would prefer bare metal, but understand that tests can be done more easily in a VM. What do you think? 8 months ago
  • RichardAdams3 Richard Adams, Consultant at University of Western Australia @speedimager The problem is where do you stop? Do you test with 2 cores, 4 cores, 8 cores, 16 cores or what? Intel or AMD? IDE, SCSI, or SATA? It may be useful if you are looking at configuring a lab machine but you don't have a choice if you are using a boot disk on the source machine!
    It is up to the forensic practitioner to determine the validity of the tests and they may wish to see if the relative differences are seen across different platforms. When you say three or four disks in parallel, which is it, 3 or 4? How often does this occur, if not in the majority of cases then this is obviously not realistic. The results are not for any particular environment and I suggest your lab is not a typical example but you are still able to re-run the tests yourself under different conditions and publish the results.

    If you can define a 'real' situation or point to some definitive research that provides a benchmark that everybody else is happy with then I will be happy to include this in my testing.
    8 months ago
  • speedimager speedimager @RichardAdams3 : What I would like to say about performance: Let's say you have an imager A and an imager B. A and B both run with the same speed when running on a single core system and imaging 1 HDD.

    But the difference between both comes to light when giving them 4 CPU cores: A isn't able to do anything with the 3 extra cores, while B runs with quad speed.

    Guymager is heavily optimised for running on several cores in parallel. As well, Guymager has better performance than others when it comes to imaging several disks in parallel.
    8 months ago
  • RichardAdams3 Richard Adams, Consultant at University of Western Australia @speedimager Thanks for your comments. I am going to be testing Guymager in the next round of tests. You miss the point with regard to using a VM for the tests. I am not saying that these speeds are 'typical' or obtainable in 'normal' situations. What I am doing is showing relative speeds in the same environment, and really it doesn't matter what that environment is for relative testing. This also applies to your suggestion of the number of cores and hard disk drives: perhaps the images will be acquired a little faster but the relative speeds should be the same. As it happens, I observed at least one of the tools go through an optimisation stage within the virtual environment and drive the resources to close to 100% disk access for most of the time. I am not sure running multiple disks at once is any more of a 'real' test than the one I have already performed. In relation to your point regarding Linux boot disks, I ran the Windows tools that required write blockers in a configuration in which the source drive was not mounted and therefore effectively blocked. I had no problems with running any of the tools within the virtual environment beyond the odd screen resolution problem that I have found to be an issue on many physical machines in the past. 9 months ago