File000120
Transcript

  • 1. Module VII – Computer Forensics Lab
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
    News: CSI Stick Grabs Data From Cell Phones
    Source: http://news.cnet.com/
  • 3. Module Objective
    This module will familiarize you with:
    • Computer Forensic Lab
    • Planning for a Forensic Lab
    • Budget Allocation for a Forensic Lab
    • Physical Location and Structural Design Considerations
    • Work Area Considerations
    • Human Resource Considerations
    • Technical Specification of the Laboratory-based Imaging System
    • Auditing a Computer Forensic Lab
    • Basic Hardware Requirements
    • Paraben Forensics Hardware and Hard Drive Forensics
    • Wiebetech, DeepSpar, InfinaDyne, and Logicube Forensic Hardware
    • DIBS® Mobile Forensic Workstation
    • Basic Software Requirements
    • Paraben Hard Drive Forensics
    • TEEL Technologies SIM Tools
  • 4. Module Flow
    (flow diagram linking the module topics: Computer Forensics Lab; Planning for a Forensics Lab; Budget Allocation for a Forensics Lab; Physical Location and Structural Design Considerations; Work Area Considerations; Human Resource Considerations; Technical Specification of the Laboratory-based Imaging System; Auditing a Computer Forensic Lab; Basic Hardware Requirements; Paraben Forensics Hardware and Hard Drive Forensics; Wiebetech, DeepSpar, InfinaDyne, and Logicube Forensic Hardware; DIBS® Mobile Forensic Workstation; Basic Software Requirements; Paraben Hard Drive Forensics; TEEL Technologies SIM Tools)
  • 5. Setting a Computer Forensics Lab (section divider: Hardware Requirements, Software Requirements)
  • 6. Computer Forensics Lab
    A Computer Forensic Lab (CFL) is a designated location for conducting computer-based investigation on the collected evidence.
    Setting up a forensic lab includes:
    • Planning
    • Budgeting
    • Physical location and structural design considerations
    • Work area considerations
    • Physical security recommendations
    • Human resource considerations
    • Forensic lab licensing
  • 7. Planning for a Forensics Lab
    Elements that should be planned before building the computer forensics lab:
    • Types of investigation being conducted
    • Workstations, both forensic and non-forensic
    • UPS as a preventive measure against power failure
    • Necessary software and hardware
    • Book racks for the library
    • Reference materials
    • Safe locker to store evidence
    • LAN and Internet connectivity
    • Storage shelves for unused equipment
    • Number of investigators/examiners to be involved
  • 8. Budget Allocation for a Forensics Lab
    The budget for a forensic lab is allocated by calculating the expected number of cases that will be examined. Crime statistics of the previous year and the expected trend play an important role in budgeting. Space occupied, equipment required, personnel, training, software, and hardware requirements are taken into account while allocating a specific amount for the forensics lab. The nature of the forensic lab is also a determining factor.
  • 9. Physical Location Needs of a Forensic Lab
    Physical location requirements of a forensics lab:
    • Site of the lab
    • Access to emergency services
    • Lighting at the lab
    • Physical milieu of the lab
    • Design of the parking facility
  • 10. Structural Design Considerations
    Structural design considerations for a lab:
    • It must be a secure place
    • It must be constructed with heavy materials
    • It must not have any openings in the walls, ceilings, and floors
    • It must not have windows in the lab's exterior
  • 11. Environmental Conditions
    The environmental conditions required for proper lab functioning are as follows:
    • Large dimensions of the room
    • High exchange rate of air per minute in the lab
    • Good cooling system to overcome the excess heat generated by the workstations
    • Allocation of workstations as per the room dimensions
    • Arrangement of computers as per the architecture of the lab
    • It must be able to handle the RAID server's heat output
  • 12. Electrical Needs
    • The lab must be supplied with good amperage
    • It must have easily accessible electrical outlets
    • An Uninterruptible Power Supply (UPS) must be installed on all the computers
  • 13. Communication Needs
    Ensure the following communication factors:
    • Broadband for network and voice communications
    • Fax communications
    • Dial-up Internet access must also be available
    • A dedicated network is preferred for the forensic computers
  • 14. Work Area of a Computer Forensic Lab
    • An ideal lab consists of two forensic workstations and one ordinary workstation with Internet connectivity
    • Forensics workstations vary according to the types of cases and processes handled in the lab
    • The work area should have ample space for case discussions among investigators
  • 15. Ambience of a Forensic Lab
    • Investigators spend long hours in a forensic lab, so it is important to keep the lab environment comfortable
    • The height of ceilings, walls, flooring, and so on contribute to the ambience of a forensics lab
    • Ergonomics, lighting, room temperature, and communications are important factors when considering the ambience of a computer forensics lab
  • 16. Ambience of a Forensic Lab: Ergonomics
    Taken from the Greek words:
    • "Ergon", which means "work"
    • "Nomoi", which means "natural laws"
    Ergonomics is defined as: "The study of designing equipment to meet the human requirements of comfort without affecting efficiency"
  • 17. Physical Security Recommendations
    • There should be only one entrance to a forensics lab
    • Do not keep the windows of the forensics lab open
    • Maintain a log book at the entrance of the lab to record the time and name of each person who visits the lab
    • Place an intrusion alarm system at the entrance
    • Place fire-fighting equipment within and outside the lab
  • 18. Fire-Suppression Systems
    For the fire-suppression system, ensure that you:
    • Install a dry chemical fire-suppression system
    • Check the installation of sprinklers
    • Have access to chemical fire extinguishers
  • 19. Evidence Locker Recommendations
    • The locker must be located in a restricted area that is accessible only to lab personnel
    • Authorize only a few people to access the locker
    • All lockers must be monitored properly and must be locked when they are not under supervision
  • 20. Computer Forensic Investigator
    • A computer forensic investigator must have general computer knowledge: hardware, software, OS, applications, etc.
    • The investigator must perform a proper investigation to protect the digital evidence
    • The investigator must be certified by the authorized organizations
  • 21. Law Enforcement Officer
    • A law enforcement officer must be a lawyer with knowledge of general computer skills
    • The officer must have knowledge of all the cyber crime laws
    • The officer must know how to write an appropriate warrant for searching and seizing the computer
  • 22. Forensic Lab Licensing Requisite
    The American Society of Crime Laboratory Directors (ASCLD) is an international body certifying forensics labs that investigate criminal cases by analyzing evidence. Forensics labs around the globe seeking an ASCLD/LAB certificate have to adhere to:
    • ISO/IEC 17025:1999, General Requirements for the Competence of Testing and Calibration Laboratories
    • ASCLD/LAB-International Supplemental Requirements for the Accreditation of Forensic Science Testing and Calibration Laboratories
  • 23. Features of the Laboratory Imaging System
    • Automatic write protection
    • Preview capability
    • Password cracking pod (optional)
    • Unlimited theoretical capacity
    • Choice of LTO Ultrium or DAT drives (optional)
    • Optional second tape drive
    • Hard drive connectivity
    • Other media
    • Convenience
  • 24. Technical Specification of the Laboratory-based Imaging System
    • High performance workstation PC
    • Remote preview and imaging pod
    • Password cracking pod (optional)
    • LTO Ultrium tape drives (optional)
    • DDS-4 DAT tape drives (optional)
    • LTO Ultrium-1 and 2 recording format
    • DDS-4 DAT recording format
    • Image capture rate
    • Anti-repudiation techniques
  • 25–33. Forensics Lab (image-only slides, no slide text)
  • 34. Auditing a Computer Forensic Lab
    • The forensics lab should be under surveillance to protect it from intrusions
    • Inspect the lab on a regular basis to check that the policies and procedures implemented are being followed
    • Verify the log file at the entrance of the lab
    • Manually check the fire extinguishers to ensure they function
  • 35. Auditing a Computer Forensic Lab (cont'd)
    Steps to audit the computer forensic lab:
    • Examine the ceiling, floor, roof, and exterior walls
    • Examine the doors and locks
    • Check if the locks are working properly
    • Check the visitors' log
    • Examine the logs for evidence containers
    • Acquire evidence that is not being processed and store it in a secure place
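One way to carry out the "verify the log file at the entrance" and "check the visitors' log" audit steps above, once the paper log book has been transcribed, is to run a consistency check over it. This is an added example and not part of the EC-Council module: the line format, the staffed-hours window, the 12-hour stay threshold and the sample entries are all constructed assumptions.

```python
"""Consistency check over a transcribed forensic-lab entrance log.

Added example (not from the EC-Council module). The line format, the
staffed-hours window and SAMPLE_LOG are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample of a transcribed log book: date, time, IN/OUT, name.
SAMPLE_LOG = """\
2024-03-04 08:02 IN  A. Examiner
2024-03-04 09:15 IN  B. Visitor
2024-03-04 10:40 OUT B. Visitor
2024-03-04 17:10 OUT A. Examiner
2024-03-04 22:30 IN  C. Contractor
2024-03-05 08:05 IN  A. Examiner
2024-03-05 08:20 OUT D. Unknown
"""

LAB_HOURS = (8, 18)  # assumed staffed hours, 08:00-18:00; set per lab policy
LONG_STAY = timedelta(hours=12)  # assumed threshold for a visit worth querying


def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM IN|OUT name' lines into (timestamp, action, name),
    sorted by time. Malformed lines raise, because a log that cannot be parsed
    is itself an audit finding rather than something to skip silently."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2] not in ("IN", "OUT"):
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M")
        entries.append((ts, parts[2], parts[3].strip()))
    return sorted(entries, key=lambda e: e[0])


def audit_log(text, hours=LAB_HOURS):
    """Return (kind, name, timestamp) findings for an auditor to follow up:
    'outside_hours'  IN recorded outside staffed hours
    'out_without_in' OUT with no preceding IN (sign-in skipped)
    'long_stay'      visit longer than LONG_STAY
    'open'           IN with no matching OUT (still inside, or sign-out skipped)
    """
    findings = []
    inside = {}  # name -> time of the open IN entry
    for ts, action, name in parse_log(text):
        if action == "IN":
            if name in inside:  # second IN without an OUT in between
                findings.append(("open", name, inside[name]))
            inside[name] = ts
            if not (hours[0] <= ts.hour < hours[1]):
                findings.append(("outside_hours", name, ts))
        else:
            start = inside.pop(name, None)
            if start is None:
                findings.append(("out_without_in", name, ts))
            elif ts - start > LONG_STAY:
                findings.append(("long_stay", name, start))
    for name, start in inside.items():  # never signed out
        findings.append(("open", name, start))
    return findings


if __name__ == "__main__":
    for kind, name, when in audit_log(SAMPLE_LOG):
        print(f"{kind:15} {name:15} {when:%Y-%m-%d %H:%M}")
```

The findings are deliberately only pointers: an "open" entry may be a person still in the lab or a skipped sign-out, and the auditor resolves it against the surveillance record and the evidence-container logs rather than the script deciding.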
  • 36. Recommendations to Avoid Eyestrain
    • Keep an optimum distance from the monitor
    • Use the zoom option to vary the font size
    • Use screen filters to reduce glare
    • The lab must have proper ventilation
    • Avoid direct light on the monitor
    • Get an eye check-up at regular intervals
    • Take breaks at frequent intervals
  • 37. Computer Forensic Labs, Inc.
    Source: http://www.computerforensiclabsinc.com/
  • 38. Computer Forensic Labs, Inc. (cont'd)
    Computer Forensic Labs (CFL) is one of the leading providers of investigative services in computer forensics, forensic data recovery, and electronic evidence discovery. CFL can conduct the following types of computer forensic investigations:
    • Child pornography and sexual exploitation
    • Use of e-mail, instant messaging, and chat
    • Computer hacking and network intrusion
    • Copyright infringement
    • Software piracy
    • Intellectual property disputes
    • Identity theft
    • Online auction fraud
    • Credit card fraud
    • Other financial fraud and schemes
  • 39. Computer Forensic Labs, Inc. (cont'd)
    CFL can conduct the following types of computer forensic investigation:
    • Telecommunications fraud
    • Threats, harassment, and/or stalking
    • Extortion and/or blackmail
    • Gambling
    • Drug abuse and/or distribution
    • Divorce
    • Adult sexual assault
    • Assault and battery
    • Domestic violence
    • Death investigation
    • Employee or employer misconduct
    • Theft, robbery, and/or burglary
  • 40. Procedures at Computer Forensic Labs (CFL), Inc.
    CFL recommends that you do not attempt to search for the evidence yourself, because this can change important date/time stamps as well as user information, possibly obstructing the investigation.
    • CFL will create an exact replica of the hard disk drive or other storage device so the evidence can be evaluated and processed from a forensic evidence file, which guarantees the preservation of the best evidence and eliminates any possible guesswork by the computer investigator
    • Identify leads and computer evidence contained in files and slack space, which can determine the outcome of the case
    • Document the findings and provide expert witness testimony to help clarify technical computer issues in the litigation process
    • Deleted data, hidden data, and password-protected data can be retrieved in many instances
    • The forensic investigators at Computer Forensic Labs, Inc. can find data on a formatted hard drive, deleted e-mail, intentionally altered data and, in some cases, media that has been physically damaged
    • The recovered data is then carefully documented, analyzed, and recorded in reports which are presented to the client and/or in litigation
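The "exact replica" step above, together with the "automatic write protection" and "anti-repudiation techniques" items of the laboratory imaging system (slides 23 and 24), comes down to three things: read the source without ever opening it for writing, copy every byte, and record digests that let anyone later show the image matches what was read. The following is an added example of that procedure and is not code from the EC-Council module or from Computer Forensic Labs, Inc. It stands a regular file in for the evidence device, uses SHA-256 as the digest, and assumes a hardware write blocker still sits between the media and the workstation; the examiner id and the sample media bytes are constructed placeholders.

```python
"""Bit-for-bit acquisition of a source into an evidence image, with digests
recorded so the copy can later be shown to match the original.

Added example, not code from the EC-Council module or from Computer Forensic
Labs, Inc. A regular file stands in for the evidence device; a hardware write
blocker between the media and the workstation is still assumed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for large media

# Constructed stand-in for evidence media: 16 KiB of a repeating byte pattern.
SAMPLE_MEDIA = bytes(range(256)) * 64


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image, examiner="examiner-id-placeholder"):
    """Copy `source` to `image`, opening the source strictly read-only and
    hashing the bytes as they pass. Returns a custody record whose 'verified'
    flag is True only when three digests agree: the bytes seen during
    acquisition, the source re-read afterwards, and the finished image file."""
    fd = os.open(source, os.O_RDONLY)  # software side of write protection
    acq = hashlib.sha256()
    size = 0
    with os.fdopen(fd, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            acq.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # image is on disk before it is hashed
    record = {
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "bytes": size,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "sha256_during_acquisition": acq.hexdigest(),
        "sha256_source_after": sha256_of(source),
        "sha256_image": sha256_of(image),
    }
    record["verified"] = (
        record["sha256_during_acquisition"]
        == record["sha256_source_after"]
        == record["sha256_image"]
    )
    return record


def verify_image(image, expected_sha256):
    """Re-hash an image later (before analysis, or when challenged) and compare."""
    return sha256_of(image) == expected_sha256


def demo():
    """Acquire the constructed media, then show that a single changed byte in
    the image is caught by re-verification. Returns
    (record verified, image verified, image verified after tamper, byte count)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "suspect_media.bin")
        img = os.path.join(work, "suspect_media.dd")
        with open(src, "wb") as f:
            f.write(SAMPLE_MEDIA)
        record = acquire_image(src, img)
        intact = verify_image(img, record["sha256_image"])
        with open(img, "r+b") as f:  # simulate an accidental write to the image
            f.seek(10)
            f.write(b"\xff")
        after_tamper = verify_image(img, record["sha256_image"])
        return record["verified"], intact, after_tamper, record["bytes"]


if __name__ == "__main__":
    print(json.dumps(demo()))
```

The source is hashed twice on purpose: if the digest taken during the copy differs from the digest of the source re-read afterwards, the media changed under the examiner (a failing drive, or a write that the blocker should have prevented), and the image cannot be called an exact replica. Analysis is then done only on the image, and `verify_image` is rerun against the recorded digest before each session.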
  • 41. Data Destruction Industry Standards
    • American: DoD 5220.22-M
    • American: NAVSO P-5239-26 (RLL)
    • American: NAVSO P-5239-26 (MFM)
    • German: VSITR
    • Russian: Russian Standard, GOST P50739-95
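The slide lists the standards by name only. To show what one of them amounts to in practice, here is an added example of the DoD 5220.22-M style three-pass overwrite (a fixed pattern, its complement, then random data, each pass verified by reading back), applied to a file that stands in for a whole device. This is not code from the EC-Council module; the pass sequence is this editor's reading of the 5220.22-M clearing matrix, and the chunk size and sample file are constructed.

```python
"""Verified multi-pass overwrite in the style of DoD 5220.22-M
(fixed pattern, complement, random; each pass read back and checked).

Added example, not from the EC-Council module. A regular file stands in for
a whole device; the pass table is this editor's reading of the standard.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB writes, so the sample below spans more than one chunk


def _overwrite_pass(path, size, fill):
    """One pass: write fill(n) bytes over the whole file, force it to disk,
    then read the file back and confirm every byte matches what was written.
    Returns True if the read-back verification succeeded."""
    written = bytearray()
    with open(path, "r+b") as f:
        f.seek(0)
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            data = fill(n)
            f.write(data)
            written += data
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    with open(path, "rb") as f:
        return f.read() == bytes(written)


# (pass name, generator of n fill bytes) in the order the passes are applied
DOD_5220_22_M_PASSES = [
    ("pattern",    lambda n: b"\x00" * n),
    ("complement", lambda n: b"\xff" * n),
    ("random",     secrets.token_bytes),
]


def wipe_file(path, passes=DOD_5220_22_M_PASSES):
    """Apply each pass in order with verification, then unlink the file.
    Returns [(pass_name, verified), ...] and stops at the first failed pass,
    leaving the file in place so the failure can be investigated."""
    size = os.path.getsize(path)
    results = []
    for name, fill in passes:
        ok = _overwrite_pass(path, size, fill)
        results.append((name, ok))
        if not ok:
            return results
    os.remove(path)
    return results


def demo():
    """Wipe a constructed ~90 KB file; returns (pass results, file still exists)."""
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "case-notes.txt")
        with open(target, "wb") as f:
            f.write(b"constructed sensitive content\n" * 3000)
        results = wipe_file(target)
        return results, os.path.exists(target)


if __name__ == "__main__":
    print(demo())
```

Overwriting through a filesystem reaches only the blocks currently mapped to that file: remapped sectors, SSD over-provisioned blocks, journal copies, snapshots and backups are untouched, which is why the standards are applied to whole devices and why the record of which standard was followed, with the verification result, matters as much as the pattern itself.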
  • 42. Case Study: San Diego Regional Computer Forensics Laboratory (RCFL)
    Source: http://rcfl.org/
  • 43. Setting a Computer Forensic Lab (section divider: Hardware Requirements, Software Requirements)
  • 44. Equipment Required in a Forensics Lab
    The equipment required for a forensics lab depends on the nature of the forensic investigations carried out in the lab. Listed below is the common equipment necessary in a computer forensics lab:
    • Computer forensic towers
    • Printers
    • Cables
    • Additional hard drives
    • Storage networks
  • 45. Forensic Workstations
    • Mobile Forensic Workstation: includes S/W for imaging, processing, and investigation
    • Mobile Imaging Workstation: ideal for data capture only
    • Lab-based Forensic Workstation: includes the complete range of forensic software
    • Lab-based Imaging Workstation: for in-house data capture
  • 46. Basic Workstation Requirements in a Forensic Lab
    A basic forensics workstation should have the following:
    • Intel Dual Core processor with high computing speed
    • 2 GB RAM to satisfy minimum processing requirements
    • DVD-ROM with read/write facility
    • Motherboard which supports IDE, SCSI, USB/2, FireWire; a slot for a LAN/WAN card and a fan attached for cooling the processor
    • Tape drive, USB drive
    • Removable drive bays
    • Monitor, keyboard, and mouse according to the comfort of the investigator
    • Minimum two hard drives, for loading a different OS on each
    • For emergencies, keep spare RAM and hard disks
  • 47. Stocking the Hardware Peripherals
    The following hardware peripherals must be stocked as back-up:
    • 40-pin 18-inch and 36-inch IDE cables, both ATA-33 and ATA-100 or faster
    • Ribbon cables for floppy disks
    • Extra SCSI cards
    • Graphics cards, PCI and AGP
    • Extra power cords
    • A variety of hard disk drives
    • Laptop hard drive connectors
    • Handheld devices
  • 48. Paraben Forensics Hardware: Handheld First Responder Kit
    The Handheld First Responder Kit secures the device from unwanted wireless signals that could contaminate or eliminate data, and provides power to the device to prevent loss of data.
    The Kit includes:
    • Wireless StrongHold Bag
    • Remote Charger
    • First responder cards for handling PDAs and cell phones
    Figure: Handheld First Responder Kit
  • 49. Paraben Forensics Hardware: Wireless StrongHold Bag
    First responders can use this bag to ensure that proper wireless procedures are kept and that the evidence is protected from potential case killers after seizure of wireless communications. It is made of a nickel, copper, and silver-plated nylon plain woven fabric; this fabric is the key to keeping unwanted signals away from your evidence.
    Features:
    • Unique design that prevents data cables from acting as signal conduits
    • Shielding effectiveness: average 85 dB from 30 MHz to 10 GHz
    Figure: Wireless StrongHold Bag
    Figure: Tri-weave material
  • 50. Paraben Forensics Hardware: Remote Charger
    The battery-powered remote charger uses multiple charging tips to keep your device powered. It is perfect for the first responder to ensure that seized devices remain powered and potential evidence is preserved. It is included in the Device Seizure Toolbox.
    The charger is manufactured by:
    • Motorola
    • Nokia
    • Samsung
    • Siemens
    • Sony Ericsson
    Figure: Remote Charger
  • 51. Paraben Forensics Hardware: Device Seizure Toolbox
    Paraben's Device Seizure Toolbox is designed as a collection of the items that would be needed in different scenarios for device seizure. The items in this toolbox, in combination with the appropriate software, allow for acquisitions of hundreds of cell phones and PDAs.
    The Device Seizure Toolbox includes:
    • Remote Charger
    • Power Adaptor
    • USB Serial DB9 Adapter
    • 1 nylon carrying case
    Figure: Device Seizure Toolbox
  • 52. Paraben Forensics Hardware: Wireless StrongHold Tent
    Paraben's Wireless StrongHold Tent (patent pending) was designed to allow for the safe acquisition of data from wireless devices by blocking wireless signals from reaching the device. The tent is portable and can fit one person using a laptop to perform the acquisition.
    Features:
    • Portable and easy to set up and carry
    • Lightweight and compact for excellent portability
    • Includes durable, custom carrying case
    Figure: Wireless StrongHold Tent
  • 53. Paraben Forensics Hardware: Passport StrongHold Bag
    Paraben's Passport StrongHold Bag protects your RFID passport. It is a protective barrier wrapping your information in a signal-blocking fortress. These bags are perfect for storing anything using RFID chips so no one can steal the information from your chip.
    Figure: Passport StrongHold Bag
  • 54. Paraben Forensics Hardware: Project-a-Phone
    Project-a-Phone securely clamps your handheld device in place and delivers a clear video image of the screen to your computer, so you can show it on your monitor, display it through your projector, or share it on the web. It provides easy access to the controls while stabilizing your device, so you can run live demonstrations.
    Features:
    • Software can simultaneously display multiple screens
    • Fits most major mobile phones and handheld devices
    • Delivers live video or still images
    • Allows the user to record audio and video and take screen captures
    • Is lightweight and compact for excellent portability
    Figure: Project-a-Phone
  • 55. Paraben Forensics Hardware: SATA Adaptor Male / Data Cable for Nokia 7110/6210/6310/i
    SATA Adaptor Male:
    • Adds Serial ATA support for Paraben's LockDown as well as ICS's ImageMASSter Solo-2
    • It can be used in combination with these products to prevent altering any of the Serial ATA or P-ATA drive's data during a forensic data seizure
    Serial DLR3 Compatible Data Cable for Nokia 7110/6210/6310/i:
    • Popular cable for Nokia phones in Europe
    Figure: SATA Adaptor Male
    Figure: Serial DLR3 Compatible Data Cable for Nokia 7110/6210/6310/i
  • 56. Paraben Forensics Hardware: LockDown
    Paraben's LockDown is an advanced FireWire or USB to IDE write-blocker that combines speed and portability to allow IDE media to be acquired quickly and safely in Windows.
    Features:
    • Small size (4"W x 3"D x 1"H) allows for complete portability and ease of use in the field
    • IDE ports for both "desktop IDE" and "laptop IDE" media, negating the need for a desktop-to-laptop IDE adapter
    • Acquires drives through Windows, which is substantially faster than DOS-based acquisitions
    Figure: Paraben's LockDown
  • 57. Paraben Forensics Hardware: SIM Card Reader / Sony Clie N & S Series Serial Data Cable
    SIM Card Reader:
    • The SIM Card Reader has the ability to acquire and analyze SIM card data
    • It is compatible with both programs and, when used by either program, acts as a forensic SIM card reader
    Sony Clie N & S Series Serial Data Cable:
    • The Sony Clie serial cable supports all N & S series Sony Clie PDAs for use with Paraben's PDA Seizure or normal HotSync operations; it was formerly included in the PDA Seizure Toolbox
    Figure: SIM Card Reader
    Figure: Sony Clie N & S Series Serial Data Cable
  • 58. Paraben Forensics Hardware: CSI Stick
    Paraben's CSI Stick is a portable cell phone forensic and data gathering tool. It acquires data that can only be read and analyzed in Paraben's Device Seizure or DS Lite. It currently supports certain Motorola and Samsung phone models.
    The CSI Stick tool includes:
    • One CSI Stick base unit
    • Two Motorola tips
    • One Samsung tip
    • One remote charger
    • Carrying case
  • 59. Paraben Forensics Hardware: USB Serial DB9 Adapter
    Most adapters have different drivers, making it nearly impossible to support USB-to-serial adaptors for PDA Seizure, Cell Seizure, and SIM Card Seizure.
    Specifications:
    • Over 230 kbps data transfer rate
    • Supports remote wake-up and power management
    • 96-byte buffer each for upstream and downstream data flow
    • Easy installation
    • Works with cellular phones, PDAs, digital cameras, modems, and ISDN terminal adapters
    Figure: USB Serial DB9 Adapter
  • 60. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Portable Forensic Systems and Towers: Forensic Air-Lite VI MKII laptop Forensic Air-Lite VI-MK II has been tested to meet the strict requirements of conducting a proper forensic acquisition and analysis The system is packaged with Ultimate Forensic Write Protection Kit and a Maxtor 300GB external hard drive It includes: • LCD Panel • Video Controller • DVD Burner • FireWire IEEE-1394 • Flash Media Reader • Software • Ultimate Forensic Write Protection Kit Figure: Air-Lite VI-MK II
  • 61. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Portable Forensic Systems and Towers: Original Forensic Tower II Figure: Forensic Solid Steel Tower™ Figure: Original Forensic Tower II Original Forensic Tower II • Original Forensic Tower II is the updated initial version of the Forensic-Computer’s forensic system • It includes the Ultimate Forensic Write Protection Kit Forensic Solid Steel Tower™ • Forensic Solid Steel Tower™ case has ten 5.25-inch bays that gives flexibility in configuring a lab system to meet the differing needs of your clients • It includes the Ultimate Forensic Write Protection Kit
  • 62. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Portable Forensic Systems and Towers: Portable Forensic Workhorse V • External Drive Bay Configuration • Bay 1: Tableau T335 Forensic Drive Bay Controller00 It includes: Portable Forensic Workhorse V is the latest model that sports an AMD Athlon 64 Processor to handle the most demanding keyword searches and graphics examinations It is compatible with all commercial forensic acquisition and analysis software including EnCase®, Forensic Tool Kit®, SMART®, SafeBack®, all of the Mares tools, and other older MS-DOS® based legacy tools Figure: Portable Forensic Workhorse V
  • 63. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller Tableau's T335 Forensic Drive Bay Controller provides three independent bridges, two SATA and one IDE, each of which can be configured for read-only or read-write operation at system build time It is designed to be mounted in a 5.25" half-height drive bay on the front of a forensic workstation or tower It is specifically designed to work in conjunction with SATA and IDE removable drive trays, which should be mounted in close proximity to the T335 in the host computer Figure: T335 Forensic Drive Bay Controller
  • 64. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II The Forensic Air-Lite IV MK II is the Pentium 4 replacement of the legendary Forensic Air-Lite IV It was initially designed to be an evidence acquisition system It is compatible with all commercial forensic acquisition and analysis software including EnCase®, Forensic Tool Kit®, SMART®, SafeBack®, all of the Mares tools, and other older MS-DOS® based legacy tools Figure: Forensic Air-Lite IV MK II Figure: Forensic Air-Lite V
  • 65. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Portable Forensic Systems and Towers: Forensic Tower II Forensic Tower II is a powerful forensic workstation It has been tested to meet the strict requirements of conducting a proper forensic acquisition and analysis It includes the Ultimate Forensic Write Protection Kit II Figure: Forensic Tower II
  • 66. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit Some of the tools include: • Forensic Bridges • Cables • Adapters • Power Assembly • Media Reader • Carrier Case Ultimate Forensic Write Protection Kit is used for the following media types: IDE, IDE Notebook, SATA, SCSI (50-pin, 68-pin, and SCA-80) PLUS seven varieties of flash media Figure: Ultimate Forensic Write Protection Kit
  • 67. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tableau T3u Forensic SATA Bridge Write Protection Kit The T3u Forensic SATA Bridge is a write-blocker for use with Serial ATA (SATA) hard disks Unlike many other SATA write-blocking solutions, the T3u has native support for SATA hard disks The Tableau T3u includes FireWire800, FireWire400, and USB 2.0 host interfaces, offering maximum flexibility when connecting the T3u to the host’s computer It is ideal for field and lab settings Figure: T3u Forensic SATA Bridge
  • 68. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader • Brings secure, hardware-based write blocking to the world of USB mass storage devices • T8 also incorporates a major new enhancement in the realm of forensic bridges and write-blockers, a built-in LCD user interface Tableau's Forensic USB Bridge • (12 different popular digital media types including - CF-I, CF-II, Smart Media™, Memory Stick™, Memory Stick Pro™, Micro Drive™, Multimedia Card™ and Secure Digital Card™) Addonics Mini DigiDrive READ ONLY 12- in-1 Flash Media Reader Figure: Tableau's Forensic USB Bridge Figure: READ ONLY 12-in-1 Flash Media Reader
  • 69. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tableau TACC 1441 Hardware Accelerator Tableau's TACC 1441 hardware acceleration sets a new standard in the password recovery performance It works in conjunction with AccessData company software and delivers unprecedented password attack rates Multiple TACC1441 units can be connected to a single host to boost performance Figure: Tableau's TACC 1441 hardware accelerator
  • 70. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Multiple TACC1441 Units Tableau's unit has single CPUs with four TACC1441 accelerators running in excess of 250,000 passwords per second
  • 71. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Digital Intelligence Forensic Hardware: FRED SR (Dual Xeon) FRED SR (Dual Xeon) is a member of the FRED forensic workstations It has all the functional capabilities of a FRED system with the addition of components optimized for the highest level of processor, memory, and I/O performance It is built on a dual-processor 64-bit Xeon motherboard, with good flexibility, integrated peripheral support, and performance Figure: FRED SR (Dual Xeon)
• 72. Digital Intelligence Forensic Hardware: FRED-L
Forensic Recovery of Evidence Device – Laptop (FRED-L) is a mobile field forensic acquisition kit
It comes with UltraKit and is used to quickly, efficiently, and securely image IDE, SATA, and SCSI hard drives
It is built on Core 2 Duo Mobile processor technology
The FRED-L kit includes:
• 3GB RAM
• FireWire 1394a
• FireWire 1394b ExpressCard
• Four USB 2.0/1.X ports
• Wireless 802.11a/b/g
• Integrated 1.3 MP video/web camera
• Gigabit (10/100/1000 Mb/s) Ethernet support
Figure: FRED-L
• 73. Digital Intelligence Forensic Hardware: Forensic Recovery of Evidence Data Center (FREDC)
FREDC provides fully integrated processing power and flexibility
It is capable of housing up to 8 completely independent forensic processing systems
It is fully extensible to provide forensic network services and storage to pre-existing forensic workstations in your network
The design of FREDC allows for customization to meet any forensic requirement
Features of FREDC:
• Faster than a local hard drive
• Centralized file storage
• Centralized access control/security
• Centralized file sharing
• Centralized data backup
• Easy to maintain and use
Figure: FREDC
• 74. Digital Intelligence Forensic Hardware: Rack-A-TACC
Rack-A-TACC is a rack-mounted network appliance that leverages multiple Tableau TACC1441 accelerators to recover passwords from:
• Encrypted files, using dictionary and brute-force attack methods
• Individual stand-alone systems
Its units integrate four accelerators into a single 2U chassis controlled by a quad-core host computer with optimized I/O channels
Its units can be configured in a DNA cluster to increase decryption capabilities
Figure: Rack-A-TACC
• 75. Rack-A-TACC Performance Data
• 76. Digital Intelligence Forensic Hardware: FREDDIE
Forensic Recovery of Evidence Device Diminutive Interrogation Equipment (FREDDIE) is a portable solution that meets both imaging and processing requirements
It is used to acquire and analyze computer forensic evidence and is used in mobile forensic processing
It is designed to acquire data directly from IDE/EIDE/ATA/SATA/ATAPI/SCSI I/SCSI II/SCSI III hard drives and storage devices
It is capable of handling 3½ inch floppies as well as CD-ROM and DVD
Figure: FREDDIE
• 77. Digital Intelligence Forensic Hardware: UltraKit
The UltraKit is a portable kit used to acquire a forensically sound image of any hard drive
It is a complete arsenal of FireWire (A/B) / USB (1.x/2.0) interface Parallel IDE, Serial ATA, and SCSI hardware write blockers
Contents of UltraKit:
• UltraBlock bridges
• Power supplies
• Drive interface cables
• Computer interface cables/adapters
• UltraKit case
Figure: UltraKit
• 78. Digital Intelligence Forensic Hardware: UltraBay
The Digital Intelligence UltraBay is used to acquire a forensically sound image of IDE, SATA, and SCSI drives using your choice of forensic imaging software
IDE, SATA, and SCSI drives may be connected to and removed from the UltraBay without shutting down the workstation or leaving the GUI
Figure: UltraBay
• 79. Digital Intelligence Forensic Hardware: UltraBlock
The UltraBlock SCSI is used to acquire data from a SCSI hard drive in a forensically sound, write-protected environment
It is a FireWire/USB to SCSI bridge board with forensic write protection
It can be connected to a laptop or desktop using the FireWire-A (400 Mb/s), FireWire-B (800 Mb/s), or USB 1.X/2.0 interface
Figure: UltraBlock
• 80. Digital Intelligence Forensic Hardware: Micro Forensic Recovery of Evidence Device (µFRED)
µFRED is an integrated, flexible, full-powered FRED system and includes DI's exclusive UltraBay write-protected imaging bay
It has all the processing power of a full-size FRED system
It has integrated Gigabit Ethernet (10/100/1000 Mb) for network connectivity
It includes two hard drives:
• An internal hard drive to support the operating systems and application software
• A second hard drive in a shock-mounted hot-swap bay, used for the storage and processing of case work and digital evidence
Figure: µFRED
• 81. Wiebetech: Forensics DriveDock v4
Forensic DriveDock v4 is a write-blocking forensic solution for accessing bare hard drives such as SATA or IDE drives
It quickly attaches drives via FireWire 400 (for write-blocked mode) and USB (for read and write mode)
Forensics DriveDock v4 features:
• Unique design allows direct access to the hard drive by connecting it directly to the dock
• Dual write-blocked FireWire 400 ports
• USB 2.0 read/write port
• Multiple powering options, such as disk drive power in and a disk drive power in LED
• High-speed transfer rates
Figure: Forensics DriveDock v4
• 82. Wiebetech: Forensics UltraDock v4
Forensic UltraDock v4 is a hard drive forensics field imager
Its write-blocked technology offers easy read-only access to suspect hard drives through eSATA, USB, and FireWire 800/400 for maximum versatility
Features of Forensics UltraDock v4:
• Write-blocked
• HPA/DCO detection
• eSATA port
• DC power in
• Disk drive power in
• DC power input LED
• Disk drive power in LED
• Write-block LED
• FireWire host detection LED
• USB host detection LED
Figure: Forensics UltraDock v4
• 83. Wiebetech: Drive eRazer
Drive eRazer is Wiebetech's hardware solution that quickly and completely erases all data from a hard drive
It is faster than software programs and does not require a computer
Drive eRazer features:
• Power status LED verifies that the unit is switched on (or off)
• Status LED shows how much time remains in the erasing process
• Portability
• Comes in Professional (Secure Erase) or Standard (Single-Pass) varieties
Figure: Drive eRazer (DRZR-3, DRZR-1 & DRZR-2)
• 84. Wiebetech: v4 Combo Adapters
The Wiebetech v4 Combo Adapter is a device for transferring write-protected data to standard devices
It works with Mac OS, Windows, and forensic imaging software
v4 Combo Adapter features:
• Shrouded IDE interface connector helps protect the delicate IDE pins while connecting the adapter to the dock
• IDE interface faces upward for better accessibility
• Adapters share a smaller and more consistent size
• SATA adapter has been streamlined to 25% of its former size
Figure: v4 Combo Adapters
• 85. Wiebetech: ProSATA SS8
Wiebetech's ProSATA SS8 is a portable, high-capacity SCSI RAID with SATA drives
It combines up to 8TB of storage in a compact, transportable enclosure
It has a built-in RAID controller that supports every kind of RAID, including JBOD, 0, 1, 0+1, 3, 5, and 6
It is ideal for applications requiring mobile transport of up to 8TB of data
Figure: ProSATA SS8
• 86. Wiebetech: HotPlug
Wiebetech's HotPlug is used to transport a live computer without shutting it down
It allows hot seizure and removal of computers from the field to the forensics lab
It keeps power flowing to the computer while transferring the computer's power input from one A/C source to another (a portable UPS) and back again
HotPlug features:
• It moves a computer without shutting it down
• It instantly reroutes power of a target device to a UPS for transport
Figure: HotPlug
• 87. CelleBrite: UFED System
The Cellebrite Universal Forensic Extraction Device (UFED) forensics system extracts vital data from most cell phones and PDAs
It extracts data such as phonebook, pictures, videos, text messages, call logs, ESN, and IMEI information from 1400+ models of handsets sold worldwide
It supports CDMA, GSM, IDEN, and TDMA technologies and is compatible with any wireless carrier
UFED System features:
• It is portable and easy to use
• It is a standalone kit, with no computer required for extraction
• It generates complete MD5-verified evidence reports
• It supports over 1,400 handset models, with automatic software updates for newly released devices
Figure: UFED System
• 88. DeepSpar: Disk Imager Forensic Edition
DeepSpar Disk Imager Forensic Edition is a portable version of DeepSpar Disk Imager Data Recovery Edition with the addition of forensic-specific functionality, and is used to handle disk-level problems
You can visualize the imaging process by:
• Reading the status of each retrieved sector
• The data being imaged
• The type of imaging files
Figure: Disk Imager Forensic Edition
• 89. DeepSpar: 3D Data Recovery
DeepSpar data recovery systems pioneered the 3D Data Recovery process, a professional approach to data recovery centered on the following three phases:
Phase 1: Drive Restoration
• This phase deals with drives that are not responding and drives that appear functional and can be imaged, but produce useless data
• Recommended tool: PC-3000 Drive Restoration System
Phase 2: Disk Imaging
• This phase deals with creating a clean duplicate of the disk contents on a new disk that can be used as a stable platform for phase 3
• Recommended tool: DeepSpar Disk Imager
Phase 3: Data Retrieval
• This phase involves rebuilding the file system, extracting the user’s data, and verifying the integrity of files
• Recommended tool: PC-3000 Data Extractor
• 90. Phase 1 Tool: PC-3000 Drive Restoration System
The PC-3000 Drive Restoration System tool deals with drive restoration
It fixes firmware issues for all hard disk drive manufacturers and virtually all drive families
Features of PC-3000 Drive Restoration System:
• Designed for data recovery businesses
• Universal utilities give faster drive diagnostics
• Repairs the drive and secures all user data
• Software that comes with PC-3000 features a user-friendly Microsoft Windows XP/2000 interface
• PC-3000 has built-in features to treat particular drives for their most common failures
Figure: PC-3000 Drive Restoration System
• 91. Phase 2 Tool: DeepSpar Disk Imager
The disk imaging device is built to recover bad sectors on a hard drive
DeepSpar Disk Imager features:
• Retrieves up to 90 percent of bad sectors
• Special vendor-specific ATA commands are used to pre-configure the hard drive for imaging
• Reduces the time it takes to image a disk with bad sectors
• Failing hard drives are imaged with care and intelligence
• Real-time reporting of the type and quality of data imaged
Figure: DeepSpar Disk Imager
• 92. Phase 3 Tool: PC-3000 Data Extractor
PC-3000 Data Extractor is a software add-on to PC-3000 that diagnoses and fixes file system issues
It works in tandem with PC-3000 hardware to recover data from any media (IDE HDD, SCSI HDD, and flash memory readers)
PC-3000 Data Extractor features:
• Retrieves the user’s data from drives with damaged logical structures
• Allows the analyst to examine the logical structure of a damaged drive and, depending on the severity of damage, select the specific files the user wants to recover
• If the drive's translator module is damaged, it creates a virtual translator to build a map of offsets and copies the necessary data
• 93. InfinaDyne Forensic Products: Robotic Loader Extension for CD/DVD Inspector
The robotic loader extension allows CD/DVD Inspector to control a robotic CD/DVD loader device
This system processes up to 100 discs at a time
A Robotic Loader system that is equipped with a camera is capable of capturing individual photographs of each disc processed
• These are stored in JPEG format with the content and reports about the disc
Figure: Robotic Loader
• 94. InfinaDyne Forensic Products: Rimage Evidence Disc System
The Rimage Evidence Disc System is a hardware device that collects optical media evidence and archives case files to long-life media
It is fully integrated with CD/DVD Inspector for 24x7 unattended collection of disc evidence
Types of Rimage Evidence Disc System:
• Rimage 5100N
• Rimage 5300N
• Rimage 7100N
These systems are self-contained: they require only power and a connection to your lab network to begin operation, and do not require any external computer
Figure: Rimage 5100N
Figure: Rimage 5300N
Figure: Rimage 7100N
• 95. CD DVD Forensic Disc Analyzer with Robotic Disc Loader
CD/DVD Forensic Disc Analyzer with Robotic Disc Loader is a professional tool for intensive analysis and extraction of data from CD and DVD media
It saves time for forensic examiners, data recovery technicians, and law enforcement professionals involved in computer forensic investigations
Features:
• Reads and analyzes CD/DVD discs
• Stores disc data to hard drive or network
• Creates MD5 hash codes
• Examines CD/DVDs to locate hidden files
• Automated system saves time for forensic examiners
Figure: CD DVD Forensic Disc Analyzer
• 96. Image MASSter: RoadMASSter-3
The RoadMASSter-3 forensic data acquisition and analysis tool is designed to perform as both a fast and reliable hard drive imaging unit and a data analysis unit
It is an advanced computer forensics tool used by law enforcement agencies as well as corporate security to acquire and analyze data
It can image hard drives of any kind as well as capture data from other media and unopened computers, and supports different copy formats and hashing methods
RoadMASSter-3 features:
• High-speed forensic tool with drive interfaces
• High-speed operation
• Multiple capture methods
• Multi-drive copy
• Previews and analyzes
Figure: RoadMASSter-3
• 97. Image MASSter: Solo-3 Forensic
The Image MASSter Solo-3 Forensic data imaging tool is a portable hand-held device that can acquire data from one or two evidence drives at speeds exceeding 3GB/min
It is capable of capturing data from IDE and laptop drives, Serial ATA and SCSI drives, as well as flash cards
Features of Solo-3 Forensic:
• MD5/SHA-1/SHA-2 and CRC32 hashing
• Touch screen user interface
• High-speed operation
• Built-in write protection
• Built-in FireWire 1394B and USB 2.0 interface
• Multiple media support
Figure: Solo-3 Forensic
• 98. Image MASSter: WipeMASSter
The WipeMASSter product is designed to erase data and sanitize up to nine hard drives simultaneously at speeds exceeding 3GB/min
It can erase data and sanitize hard drives of different sizes and models in the same operation
It has an add-on option for formatting the sanitized drives
Features of WipeMASSter:
• High-speed wipe operation
• Sanitizes multiple drives simultaneously
• Multiple media support
• Multiple sanitizing modes
• Partitions and formats drives
• Sanitizes different drive models and sizes
Figure: WipeMASSter
• 99. Image MASSter: DriveLock
The Image MASSter DriveLock device is a hardware write-protect solution that prevents data writes
It is available in four versions:
• Serial-ATA DriveLock Kit USB/1394B
• DriveLock Firewire/USB
• DriveLock IDE
• DriveLock In Bay
Figure: Serial-ATA DriveLock Kit USB/1394B, DriveLock Firewire/USB, DriveLock IDE, DriveLock In Bay
• 100. Logicube: Forensic MD5
Forensic MD5 is a forensic hard disk data recovery system for law enforcement, corporate security, and cybercrime investigation
Its built-in MD5 engine allows imaging speeds of up to 3.3 GB/min
It ensures bit-for-bit accuracy, guaranteeing zero chance of alteration of the suspect and evidence drives
Forensic MD5 features:
• Number of connectivity options
• MD5 verification
• Creates DD images
• Field-tested ruggedized case
• On-site reporting
• It is portable
• Unidirectional data transfer
Figure: Forensic MD5
• 101. Logicube: Forensic Talon®
Forensic Talon® is a forensic data capture system specifically designed for the requirements of law enforcement, military, corporate security, and investigators
It simultaneously images and verifies data at up to 4 GB/min
It captures IDE/UDMA/SATA drives, and can capture SCSI drives via USB cable
Forensic Talon® features:
• Advanced keyword search
• MD5 or SHA-256 authentication
• Unidirectional data transfer
• Creates DD images on-the-fly
• HPA and DCO capture
• Portable and high-speed data capturing
Figure: Forensic Talon®
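The imaging workflow that the Forensic MD5 and Forensic Talon® slides describe (a unidirectional bit-for-bit copy into a DD image, MD5 and SHA-256 computed while the data flows, and a verification pass on the result), together with the bad-sector behaviour described for the DeepSpar Disk Imager (retry a failing sector, then carry on rather than abort), is shown below as an added example. It is not Logicube, DeepSpar or EC-Council code. The "drive" is a constructed in-memory byte buffer with one sector that always fails to read; the sector size, retry count and the SimulatedDrive class are assumptions made for the demonstration.

```python
"""Bit-for-bit imaging with on-the-fly hashing and bad-sector handling.

Added example, not vendor code.  Models: unidirectional copy of every sector
into a DD-style image, MD5/SHA-256 computed during the copy, independent
re-hash of the finished image for verification, and zero-filling of sectors
that stay unreadable after retries so the image keeps its LBA geometry.
"""
import hashlib
import io

SECTOR = 512      # bytes per logical sector (assumed)
RETRIES = 3       # read attempts before a sector is written as zeros (assumed)


class UnreadableSector(IOError):
    """Raised by the simulated drive when a sector cannot be read."""


class SimulatedDrive:
    """Constructed stand-in for a suspect drive: a byte buffer plus a set of
    sector numbers that always fail to read, imitating media defects."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad_sectors = bad_sectors
        self.reads_attempted = 0

    @property
    def sector_count(self):
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, lba):
        self.reads_attempted += 1
        if lba in self.bad_sectors:
            raise UnreadableSector(f"LBA {lba}: uncorrectable read error")
        chunk = self.data[lba * SECTOR:(lba + 1) * SECTOR]
        return chunk.ljust(SECTOR, b"\x00")    # last sector padded to full size


def image_drive(drive, dest):
    """Copy every sector of `drive` into the writable stream `dest`.

    Only read requests are ever issued to the source (the transfer is
    unidirectional).  A sector that fails RETRIES times is recorded and
    replaced by zeros, so offset = LBA * SECTOR still holds in the image.
    Both digests are computed over exactly the bytes written.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad = []
    for lba in range(drive.sector_count):
        block = None
        for _ in range(RETRIES):
            try:
                block = drive.read_sector(lba)
                break
            except UnreadableSector:
                continue
        if block is None:
            bad.append(lba)
            block = b"\x00" * SECTOR
        dest.write(block)
        md5.update(block)
        sha256.update(block)
    return {
        "sectors": drive.sector_count,
        "bad_sectors": bad,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def verify_image(image, report):
    """Re-hash the finished image independently and compare with the report:
    the verification pass a field imager runs after capture."""
    return (hashlib.md5(image).hexdigest() == report["md5"]
            and hashlib.sha256(image).hexdigest() == report["sha256"])


def demo():
    """Image a constructed 8-sector drive whose LBA 5 is unreadable."""
    payload = b"".join(bytes([i]) * SECTOR for i in range(8))   # constructed contents
    drive = SimulatedDrive(payload, bad_sectors={5})
    out = io.BytesIO()
    report = image_drive(drive, out)
    image = out.getvalue()
    report["verified"] = verify_image(image, report)
    report["read_attempts"] = drive.reads_attempted      # 7 good reads + 3 retries on LBA 5
    # The report names the zero-filled LBA so an examiner knows it is not original data.
    report["lba5_zeroed"] = image[5 * SECTOR:6 * SECTOR] == b"\x00" * SECTOR
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The report returned by `demo()` is what an acquisition log should carry: sector count, the list of sectors that were substituted, both digests, and whether the independent re-hash matched. Note that verification here proves the image matches what was written, not that the source was read correctly; the bad-sector list is the only record of where the two differ.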
• 102. Logicube: RAID I/O Adapter™
The RAID I/O Adapter™ enables the Forensic Talon® to capture a suspect RAID drive pair directly to 1 destination drive, and 1 suspect drive to 2 destination drives
Features of RAID I/O Adapter™:
• Captures RAID-0, RAID-1, and JBOD configurations
• Supports MD5/SHA-256 scan and keyword search mode during any 1-to-2 capture
• Supports both native and DD image operation modes during 1-to-2 and 2-to-1 capturing
• Supports drive defect scan and WipeClean modes during 1-to-2
Figure: RAID I/O Adapter™
• 103. Logicube: GPStamp™
Logicube GPStamp™ is a device that produces a verified fix on the location, time, and date of the data captured
Investigators can bolster their credibility by specifying when and where data captures are performed
GPStamp™ features:
• Computes the exact location of capture in 3D space, accurate to within 50 meters
• Adds accurate latitude, longitude, and time to the capture report and log
• It is capable of acquiring satellites and fixes within most buildings
Figure: GPStamp™
• 104. Logicube: Portable Forensic Lab™
The Portable Forensic Lab™ (PFL) is a portable computer forensic field lab housed in a special ruggedized carrying case
This tool gives the investigator a head start, often cutting the time needed to acquire the critical data
The PFL includes all that a computer forensic examiner needs to:
• Capture evidence data at high speed from multiple sources
• Browse data from multiple types of digital media
• Analyze the captured material using computer forensic analysis software such as FTK™ from AccessData
Figure: Portable Forensic Lab™
• 105. Logicube: CellDEK®
Logicube CellDEK® is a cell phone data extraction device that identifies devices by brand, model number, dimensions, and photographs
It is portable and compatible with over 1100 of the most popular cell phones and PDAs
It captures the data within 5 minutes, displays it on screen, and prompts for downloading to a portable USB device
Investigators can immediately gain access to vital information, saving days of waiting for a report from a crime lab
Figure: CellDEK®
• 106. Logicube: OmniPort
The Forensic OmniPort device allows immediate access to the majority of current USB flash devices
It captures and deploys data to or from most USB flash drives
It is compatible with thumb drives, pen drive type devices, flash memory cards using USB card readers, and 2.5” and 3.5” external USB drives
It can be connected directly to a PC’s motherboard and booted as an IDE device
It allows data cloning to or from the attached USB drive by the Logicube Echo Plus®, Sonix®, OmniClone® 10Xi/5Xi/2Xi, and Forensic Talon®
Figure: OmniPort
• 107. Logicube: Desktop WritePROtects
Logicube Desktop WritePROtects is a data recovery adapter used to protect hard drives
It comes in two versions:
• IDE Desktop WritePROtect
• SATA Desktop WritePROtect
It allows only a small subset of the ATA specification commands to flow to the protected drive and blocks all other commands
It connects via IDE or SATA cable to the HDD forensic tools for data capture
It guarantees read-only access when analyzing the captured or cloned drive under Windows
Figure: Desktop WritePROtects
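The policy described for the Desktop WritePROtect (only a small subset of ATA commands flows to the protected drive, everything else is blocked) and the HPA/DCO detection listed for the Forensics UltraDock v4 are modelled below as an added example. It is not Logicube or Wiebetech firmware and not EC-Council code. The opcodes are the standard ATA command codes; the simulated drive, its sector counts, the allow-list membership and the host command stream are constructed for the demonstration, and the bridge-internal DCO query is an assumption about how such a bridge answers the question without exposing the DEVICE CONFIGURATION command to the host.

```python
"""Software model of an ATA hardware write blocker with HPA/DCO detection.

Added example, not vendor code.  A bridge sits between host and drive and
forwards only an allow-list of read-only commands.  HPA/DCO detection
compares three numbers: the user-addressable sector count from IDENTIFY
DEVICE, the native maximum from READ NATIVE MAX ADDRESS, and the factory
size from a read-only DCO identify that the bridge issues itself.
"""

# ATA command opcodes (ATA/ATAPI command set)
READ_SECTORS = 0x20
READ_SECTORS_EXT = 0x24
READ_DMA_EXT = 0x25
READ_VERIFY_SECTORS_EXT = 0x42  # harmless, but deliberately not on the allow-list below
READ_DMA = 0xC8
IDENTIFY_DEVICE = 0xEC
READ_NATIVE_MAX_ADDRESS = 0xF8
WRITE_SECTORS = 0x30
WRITE_SECTORS_EXT = 0x34
WRITE_DMA_EXT = 0x35
WRITE_DMA = 0xCA
SET_MAX_ADDRESS = 0xF9          # moves the HPA boundary
DEVICE_CONFIGURATION = 0xB1     # DCO set/restore (and identify) subcommands
SECURITY_ERASE_UNIT = 0xF4

# Commands the bridge passes to the suspect drive (membership is assumed).
# Anything else, including opcodes the bridge does not recognise, is
# answered with an abort and never reaches the drive: an allow-list rather
# than a block-list is what makes the device safe against commands it has
# never heard of.
ALLOWED = frozenset({
    READ_SECTORS, READ_SECTORS_EXT, READ_DMA, READ_DMA_EXT,
    IDENTIFY_DEVICE, READ_NATIVE_MAX_ADDRESS,
})

# Commands that would change the drive's contents or geometry.
MODIFYING = frozenset({
    WRITE_SECTORS, WRITE_SECTORS_EXT, WRITE_DMA, WRITE_DMA_EXT,
    SET_MAX_ADDRESS, DEVICE_CONFIGURATION, SECURITY_ERASE_UNIT,
})


class SimulatedDrive:
    """Constructed drive: `factory` sectors from the manufacturer, a DCO that
    hides the top part of that, and an HPA that hides a further slice of
    what remains.  IDENTIFY DEVICE reports only the HPA-limited count."""

    def __init__(self, factory=1_000_000, dco_sectors=900_000, hpa_sectors=850_000):
        self.factory = factory
        self.dco_sectors = dco_sectors
        self.hpa_sectors = hpa_sectors
        self.modifications = 0          # counts commands that altered the drive

    def execute(self, opcode):
        if opcode == IDENTIFY_DEVICE:
            return self.hpa_sectors             # user-addressable sector count
        if opcode == READ_NATIVE_MAX_ADDRESS:
            return self.dco_sectors - 1         # highest LBA once the HPA is removed
        if opcode in MODIFYING:
            self.modifications += 1             # evidence would have been altered
            return "modified"
        return "data"                           # a read command returning sector data

    def dco_identify(self):
        """Read-only DEVICE CONFIGURATION IDENTIFY: returns the factory size."""
        return self.factory


class WriteBlocker:
    """The bridge between host and drive; every host command passes through send()."""

    def __init__(self, drive):
        self.drive = drive
        self.log = []

    def send(self, opcode):
        if opcode not in ALLOWED:
            self.log.append((opcode, "BLOCKED"))
            return None                         # bridge answers with an abort itself
        self.log.append((opcode, "passed"))
        return self.drive.execute(opcode)

    def hidden_areas(self):
        """HPA/DCO detection using only read-only queries."""
        visible = self.send(IDENTIFY_DEVICE)
        native = self.send(READ_NATIVE_MAX_ADDRESS) + 1
        factory = self.drive.dco_identify()     # bridge-internal query (assumption)
        return {
            "visible_sectors": visible,
            "hpa_sectors": native - visible,
            "dco_sectors": factory - native,
        }


def demo():
    """Push a constructed host command stream (a read, a write, an HPA change,
    a secure erase and an unlisted read-verify) through the blocker."""
    drive = SimulatedDrive()
    bridge = WriteBlocker(drive)
    host_stream = [IDENTIFY_DEVICE, READ_DMA_EXT, WRITE_DMA_EXT,
                   SET_MAX_ADDRESS, SECURITY_ERASE_UNIT, READ_VERIFY_SECTORS_EXT]
    for op in host_stream:
        bridge.send(op)
    blocked = [op for op, verdict in bridge.log if verdict == "BLOCKED"]
    return {
        "blocked_opcodes": blocked,
        "drive_modifications": drive.modifications,
        **bridge.hidden_areas(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the model makes visible that a feature list does not: the drive's modification counter stays at zero no matter what the host sends, because refusal happens before the command leaves the bridge; and a 50,000-sector HPA plus a 100,000-sector DCO are invisible to an examiner who only reads IDENTIFY DEVICE, which is why "HPA/DCO detection" is listed as a separate feature of the UltraDock rather than assumed.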
• 108. Logicube: USB Adapter
The USB Adapter allows for cloning and drive management directly through the USB (1.1 or 2.0) port on a PC or laptop
It is capable of cloning at speeds of up to 750 MB/min
It allows the investigator to:
• Store/restore images to a network server
• Modify a drive's contents
• Defragment the master drive
• Reformat the master drive
• Manage partitions using third-party software
Figure: USB Adapter
• 109. OmniClone IDE Laptop Adapters
• 110. Logicube: Cables
OmniClone IDE Cables:
• F-CABLE-30A
• F-CABLE-5
• F-CABLE-9
• F-CABLE-RP10
• F-CABLE-RP15
• F-CABLE-RP2
• F-CABLE-RP5
• F-CABLE-SOL
OmniClone SATA Cables:
• F-CABLE-SAS5
• F-CABLE-SATA
• F-CABLE-SATA18
• F-CABLE-SATAEP
• F-CABLE-SATAXI
OmniClone UDMA IDE Cables:
• F-CABLE-RP2U
• F-CABLE-RP5U
• F-CABLE-RP10U
• F-CABLE-RP15U
• F-CABLE-SOLU
• F-CABLE-5U
• F-CABLE-9U
• F-CABLE-30U
• F-CABLE-XI, F-CABLE-2XI
• F-CABLE-5XI, F-CABLE-10XI
OmniClone SCSI Cables:
• F-CABLE-SCSI
• F-CABLE-SCSI2
• F-CABLE-SCSI4
• 111. Power Supplies and Switches
Tableau products share common power supply requirements
Tableau T2 Drive Power Switch:
• Using the T2, you can safely connect and disconnect a device from a power supply without having to turn off the power supply
• No forensic kit bag should be without a T2
Tableau TP1 Power Supply:
• Ensures that a single power supply works across the full line of Tableau products
• Tableau sells the TP1 under two part numbers:
• Part number "TP1" includes the power supply and a 6' US-style IEC line cord
• Part number "TP1-NC" includes only the power supply itself
Figure: T2 Drive Power Switch
Figure: TP1 Power Supply
• 112. DIBS Mobile Forensic Workstation
DIBS® computer forensic equipment is designed for easy operation under standard operating conditions
Major specifications:
• Full-size laptop with Intel Pentium M Centrino 1.7 GHz processor
• 1GB DDR2 SDRAM 533MHz
• 80GB ATA-100 forensic hard drive running Windows XP
• Forensic software and operating systems are fully installed and configured on the hard drive
Figure: DIBS Mobile Forensic Workstation
• 113. DIBS Advanced Forensic Workstation
The DIBS® Advanced Forensic Workstation is a highly developed and versatile item of forensic equipment, yet it is easy and intuitive to learn and use
It provides copying and analysis of drives using the Windows XP operating system
The custom-designed unit uses standard components and sub-assemblies of the highest quality, configured so as to maintain maximum evidential integrity
Hardware and software modifications are tailored to the needs of the forensic investigation, enabling the investigator to accurately and efficiently perform computer forensic analysis
Figure: DIBS Advanced Forensic Workstation
• 114. DIBS® RAID: Rapid Action Imaging Device
DIBS® RAID is a tough yet lightweight unit designed to enable copying of a suspect computer hard disk onto another clean hard disk
The average copying speed can be as fast as 2.4GB per minute and, depending on the specifications of the hard drives, up to 4GB per minute
Two complete copying units are included together with a selection of hard disks to which copies can be made
Figure: Rapid Action Imaging Device
• 115. Forensic Archive and Restore Robotic Devices: Forensic Archive and Restore (FAR Pro)
The system includes an all-in-one robotic duplicator with a 100-disc capacity and customized software
It archives forensic investigative data
The software performs MD5 and SHA1 hashes to validate the archive
The unit will also print labels
Figure: FAR Pro
• 116. Setting a Computer Forensic Lab: Hardware Requirements / Software Requirements
• 117. Basic Software Requirements in a Forensic Lab
A computer forensics lab should have the following basic software:
• Imaging software: to make an exact copy of the target hard disk data without altering the data
• Conversion software: to convert one type of file into another type
• Analysis software: to compare different files and convert documents
• Viewing software: to view the different types of image and graphic files
• Monitoring software: to gather and examine data on a real-time basis
• Security utility software: to get information from encrypted files, hash sets, and erase utilities
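The "hash sets" mentioned under security utility software are used to cut an examiner's workload: files whose hashes match a known-good reference set are set aside, files matching a known-bad set are flagged, and only the remainder needs manual review. The script below is an added example of that triage, not EC-Council's or any vendor's code. The evidence files and both hash sets are constructed inline with placeholder contents so it runs offline; a real lab loads the sets from the reference data it subscribes to, and the directory layout and file names are assumptions.

```python
"""Known-file hash-set triage over an evidence tree.

Added example, not vendor code.  Every regular file under an evidence root
is hashed (MD5 and SHA-1, the digests most published reference sets carry),
then classified by SHA-1 against a known-good set and a known-bad set.
Hashing is content-based, so a renamed copy of a listed file still matches.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return (md5, sha1) hex digests of a file, reading it in chunks so
    large evidence files never have to fit in memory at once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def triage(root, known_good, known_bad):
    """Classify every regular file under `root` by its SHA-1.

    known_good / known_bad are sets of lowercase SHA-1 hex digests.  A file
    present in both sets is reported as known-bad: a hit on the alert list
    always wins over the ignore list.
    """
    root = Path(root)
    report = {"flagged": [], "ignored": [], "review": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        _, sha1 = hash_file(path)
        rel = path.relative_to(root).as_posix()
        if sha1 in known_bad:
            report["flagged"].append(rel)
        elif sha1 in known_good:
            report["ignored"].append(rel)
        else:
            report["review"].append(rel)
    return report


def demo():
    """Build a constructed evidence tree in a temporary directory and triage it.
    File contents are placeholders, not real binaries."""
    os_binary = b"constructed: bytes of a stock operating-system file"
    bad_sample = b"constructed: bytes of a file on the known-bad list"
    user_doc = b"constructed: a document nobody has hashed before"
    files = {
        "Windows/System32/notepad.exe": os_binary,
        "Users/alice/Pictures/holiday.jpg": bad_sample,
        "Users/alice/Documents/notes.txt": user_doc,
        "Users/alice/AppData/cache.dll": bad_sample,   # same content under a new name
    }
    known_good = {hashlib.sha1(os_binary).hexdigest()}   # constructed reference sets
    known_bad = {hashlib.sha1(bad_sample).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return triage(tmp, known_good, known_bad)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

The renamed `cache.dll` lands in the flagged bucket alongside `holiday.jpg` because the comparison is on content, not on name or extension; that is the property that makes hash sets useful for both excluding operating-system files and finding known material that has been disguised.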
• 118. Maintain Operating System and Application Inventories
The following are the application inventories and operating systems that must be maintained:
• Windows XP, 2003, and Windows 2000 operating systems
• Linux / Unix / Mac OS X / iMac operating systems
• EnCase, FTK, and other forensic software
• Imaging tools such as R-Drive, SafeBack, etc.
• Programming language applications such as Visual Studio Suite
• Graphics tools such as Adobe Photoshop, CorelDraw, etc.
• Specialized viewers such as QuickView and ACDC
• MS Office / Corel Office Suite / StarOffice / OpenOffice
• 119. Paraben Forensics Software: Device Seizure
Device Seizure v2.1 is software that acquires and analyzes data from over 1,950 mobile phones, PDAs, and GPS devices, including iPhones
It was designed as a forensic-grade tool and has been upheld in countless court cases
Device Seizure can acquire the following data:
• SMS history (text messages)
• Deleted SMS (text messages)
• Phonebook
• Call history
• File system (physical memory dumps)
• GPS waypoints, tracks, routes, etc.
• PDA databases
• Registry (Windows Mobile devices)
• 120. Device Seizure: Screenshot 1
• 121. Device Seizure: Screenshot 2
• 122. Paraben Hard Drive Forensics: P2 Commander
Paraben's P2 Commander is a comprehensive digital forensic tool designed to handle more data efficiently during the entire forensic process
It utilizes Paraben's advanced plug-in architecture to create specialized engines that focus on things such as e-mail, network e-mail, chat logs, and file sorting
P2 Commander features:
• Back-end Firebird database for supporting massive amounts of data
• Multi-threading and task scheduling capabilities to process more data in less time
• Examines logical and physical disks as well as individual files and folders with FAT12, FAT16, FAT32, and NTFS file systems
• Chat database plug-in supports many chat clients for viewing chat database contents
• Forensic Sorter plug-in sorts data into relevant categories
• 123. P2 Commander Screenshot
• 124. Paraben Hard Drive Forensics: P2 eXplorer
Paraben's P2 eXplorer mounts a forensic image on the machine while preserving the forensic nature of the evidence
The image is mounted as the actual bitstream image, preserving unallocated, slack, and deleted data
Features:
• Mounts Paraben's Forensic Replicator images (PFR)
• Mounts compressed & encrypted PFR images
• Mounts WinImage non-compressed images
• Mounts EnCase images (up to v4.02a)
• Mounts RAW images from Linux DD & other tools
• 125. P2 eXplorer Screenshot
• 126. Crucial Vision
Source: http://crucialsecurity.com/
Crucial Vision is a digital forensics bulk-process preview and holistic examination tool
It performs faster searching and processing by implementing a patent-pending algorithm to find more files in the FAT file system
It employs unique file recovery technology
It helps forensic analysts cope with large volumes of data by providing a holistic view of all their data
• 127. Crucial Vision: Screenshot 1
Source: http://crucialsecurity.com/
• 128. Crucial Vision: Screenshot 2
Source: http://crucialsecurity.com/
• 129. InfinaDyne Forensic Products: CD/DVD Inspector
CD/DVD Inspector is software for intensive analysis and extraction of data from CD-R, CD-RW, and DVD media
It reads all major CD and DVD file system formats, including ISO-9660, Joliet, UDF, HFS, and HFS+
CD/DVD Inspector features:
• Complete CD imaging
• Supports creation of ZIP images from media
• Supports DVD media recovery
• File scanning
• Built-in image viewer
• Low-level sector examination and scanning
• CD Text, ISRC, and RID audio disc display
• 130. InfinaDyne Forensic Products: AccuBurn-R for CD/DVD Inspector
AccuBurn-R produces exact copies of discs that have been imaged using CD/DVD Inspector. It supports all types of discs, such as:
• VCD / SVCD / XVCD video discs
• Karaoke discs
• Unfinalized drag-and-drop discs (write-once media)
• Discs with read errors
• DVD Video
• 131. InfinaDyne Forensic Products: Flash Retriever Forensic Edition
Flash Retriever Forensic Edition is a professional tool for examining, recovering, and documenting flash-based media. It recovers pictures and files from all types of flash media, creates a hashed image file, and can restore an image file back to media.
Flash Retriever Forensic Edition features:
• Complete imaging of flash devices in raw format
• Use with EnCase E01 image files
• Multiple-media support
• Thumbnail display for photos
• Report generator
• Supports raw camera files
• 132. Flash Retriever Forensic Edition Screenshot 1
• 133. Flash Retriever Forensic Edition Screenshot 2
• 134. InfinaDyne Forensic Products: ThumbsDisplay
ThumbsDisplay is a tool for examining and reporting on the contents of the Thumbs.db files used by Windows.
ThumbsDisplay features:
• Shows all thumbnail files: thumbs.db, thumbcache_idx.db, thumbcache_32.db, etc.
• Displays all thumbnail images with the original file name and timestamp
• Prints individual images and copies them to the clipboard for inclusion in a document
• Displays thumbnails in three sizes: 96x96 (original), 150x150, or 200x200
• 135. TEEL Technologies SIM Tools: SIMIS
The SIMIS mobile handheld reader enables the investigator to collect data from multiple SIM cards for on-site analysis and later review using the SIMIS PC software. Independent testing and support for a wide range of SIMs enable examiners to get the maximum data from a SIM.
Features of SIMIS:
• Complete analysis and data dump of SIM cards
• Easy interfacing and reporting
• Unicode support to display native-language characters
• MD5 and SHA-256 hashing of data
• Nextel, Thuraya, Iridium, and Inmarsat SIMs supported
• "Hot Number" enables identification of special-interest numbers during reads
Figure: SIMIS mobile handheld reader
• 136. TEEL Technologies SIM Tools: SIMulate
SIMulate is a forensic SIM duplication tool that recovers all available data from a SIM card under forensic examination and produces a working duplicate for evidence recovery and analysis. Cards produced with SIMulate can be reused: it irretrievably erases the data on a SIMulate duplicate before writing new data to the card.
SIMulate features:
• Recovers and duplicates all available data from a SIM card
• Produces a working duplicate, or many duplicates, for evidence recovery and analysis
• Generates a report with encrypted security hashes
• Generates any number of cards
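Several of the tools above (Flash Retriever's hashed image files, SIMIS's MD5 and SHA-256 hashing, SIMulate's report hashes) rely on the same underlying practice: hash the acquired image at acquisition time, record the digests, and re-hash before every later use so that any change to the working copy is detected. The following is an added Python example of that practice; it is not code from Paraben, InfinaDyne, or TEEL Technologies. The sidecar record format (one `algorithm  digest  filename` line per hash) and the file names are this example's own assumptions, and the image contents are constructed stand-in bytes, not real card or disk data.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a multi-gigabyte image never sits fully in memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at `path`, read once in chunks.

    Both digests are computed in a single pass, as the SIM and flash tools above
    do when they hash an acquisition with more than one algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_hash_record(image_path, record_path):
    """Write a sidecar record beside the image (assumed format: 'algorithm  digest  filename')."""
    digests = hash_image(image_path)
    with open(record_path, "w") as out:
        for name, hexd in digests.items():
            out.write(f"{name}  {hexd}  {os.path.basename(image_path)}\n")
    return digests


def verify_image(image_path, record_path):
    """Recompute every digest named in the record and compare. Returns (ok, mismatched_algorithms)."""
    expected = {}
    with open(record_path) as fh:
        for line in fh:
            name, hexd, _filename = line.split(maxsplit=2)
            expected[name] = hexd
    actual = hash_image(image_path, tuple(expected))
    mismatches = [name for name in expected if actual[name] != expected[name]]
    return (not mismatches, mismatches)


def demo_tamper_detection(payload=None):
    """Constructed end-to-end run: acquire -> record hashes -> verify -> tamper -> verify again."""
    if payload is None:
        # Constructed stand-in for an acquired image; not real card or disk contents.
        payload = bytes(range(256)) * 16
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")          # assumed file name
        record = os.path.join(workdir, "evidence.dd.hashes")  # assumed sidecar name
        with open(image, "wb") as fh:
            fh.write(payload)
        digests = write_hash_record(image, record)
        clean_ok, _ = verify_image(image, record)
        # Flip one bit in the middle of the working copy, as a stray write would.
        with open(image, "r+b") as fh:
            fh.seek(len(payload) // 2)
            original = fh.read(1)
            fh.seek(len(payload) // 2)
            fh.write(bytes([original[0] ^ 0x01]))
        tampered_ok, tampered_bad = verify_image(image, record)
    return {
        "digests": digests,
        "clean_ok": clean_ok,
        "tampered_ok": tampered_ok,
        "tampered_mismatches": sorted(tampered_bad),
    }


if __name__ == "__main__":
    result = demo_tamper_detection()
    print("recorded:", result["digests"])
    print("clean copy verifies:", result["clean_ok"])
    print("after one flipped bit:", result["tampered_ok"], result["tampered_mismatches"])
```

Hashing in chunks rather than reading the whole image keeps memory flat regardless of image size, and computing MD5 and SHA-256 in the same pass halves the I/O compared with hashing twice. Keeping the record as a separate file, with the image name inside it, mirrors what the commercial tools' reports do and lets a later examiner re-verify without the original tool.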
• 137. TEEL Technologies SIM Tools: SIMgen
SIMgen is a SIM card creation tool for handset interrogation and is used to unlock data on phones with missing SIM cards. It allows the creation of a generic SIM card with user-configurable IMSI, ICCID, and MSISDN, so that card details (typically obtained from the handset's physical memory) can be written to a generic SIM.
SIMgen features:
• Used for interrogating phones with SIM cards missing
• Enables examiners to program a blank SIM card with IMSI, ICCID, and MSISDN
• No network connection
• Generates any number of cards
• SIMgen cards can be reused
• 138. LiveDiscover™ Forensic Edition
LiveDiscover™ scans a selected range of IP addresses and generates comprehensive forensic reports. It allows for the creation of customized vulnerability scripts and provides a comprehensive view of the enterprise under investigation.
Features of LiveDiscover™ FE:
• Live forensic network mapping
• Live forensic vulnerability assessment
• Recognizes Windows, Unix, Linux, Macintosh, VMS, Novell, OS/2, and Sun operating systems
• Modifies or adds custom vulnerability scripts
• Generates detailed forensic reports
• 139. Tools: LiveWire Investigator
LiveWire Investigator examines computer systems quickly and inconspicuously, capturing relevant data, including running state, while the system being investigated continues to operate. It is simple to operate, adheres to digital forensics best practices, and provides an extensive array of data acquisition options and analytical tools.
Features of LiveWire Investigator:
• Examines a running computer while it continues to operate
• Conducts investigations without disrupting operations
• Maintains functionality of critical systems
• Captures and records running state (volatile memory snapshot, live registry examination, system log)
• Collects key information on running programs, network connections, and data transmissions (IP, NetBIOS, routing table acquisition)
• Obtains information that would be lost if the system were shut down (running processes)
• Investigates and documents suspicious activity as it occurs
• 140. Summary
• A Computer Forensics Lab (CFL) is a designated location for conducting computer-based investigation on the collected evidence
• The budget for a forensic lab is allocated by estimating the number of cases that would be examined
• An ideal lab consists of two forensic workstations and one ordinary workstation with Internet connectivity
• The lab should be inspected on a regular basis to check whether the policies and procedures implemented are being followed
• The forensics lab should be under surveillance to protect it from intrusions
• The American Society of Crime Laboratory Directors (ASCLD) is an international body certifying forensics labs that investigate criminal cases by analyzing evidence