Module XVI – Data Acquisition and Duplication
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Transcript of "File000129"

  1. Module XVI – Data Acquisition and Duplication
  2. News: White House Email Forensics Case Won’t be Easy to Crack
     Source: http://www.fcw.com/
  3. Scenario
     Adams Central Band’s Director Jeremy Johnson, 26, of 227 West South St., was formally charged on September 21, 2006 with seven counts of child seduction and 41 counts of possession of child pornography. Investigators found hundreds of images of child pornography on Johnson’s home computer. Johnson was accused of seducing a senior female student at Adams Central when she was aged 18. Johnson had been taking part in a special sharing service over the Internet and appeared to have been trading child porn back and forth with other collectors.
     Det. Sgt. Steve Cale and Det. Gary Burkhart initiated the investigation and collected Johnson’s desktop computer and his laptop. During the investigation, they found that there were over 500 images that appeared to be of children less than 18 years of age in a state of nudity engaged in various stages of sexual activity. They also found some e-mails that consisted of pornographic messages.
     Source: http://www.news-banner.com/index/news-app/story.4999
  4. Module Objective
     This module will familiarize you with:
     • Determining the Best Data Acquisition Methods
     • Understanding the Data Recovery Contingencies
     • Data Acquisition Tools
     • The Need for Data Duplication
     • Data Duplication Tools
  5. Module Flow
     • Data Acquisition Methods
     • Need for Data Duplication
     • Data Acquisition Tools
     • Data Recovery Contingencies
     • Data Duplication Tools
  6. Data Acquisition
  7. Data Acquisition
     Forensic data acquisition is a process of collecting information from various media in accordance with certain standards for the purpose of analyzing its forensic value
     Some common terms used in data acquisition:
     • Resolution: The small signal increment that can be detected by a data acquisition system
     • RS232: Commonly used, but supports only one connection at a time and transmission distances up to 50 feet
     • RS485: Rarely used, but supports communication to more than one device on the bus at a time and supports transmission distances of approximately 5,000 feet
     • Sample Rate: Speed at which a data acquisition system collects data, normally expressed in samples per second
     • Single-ended Input: Denotes how a signal is inputted to a data acquisition device
  8. Types of Data Acquisition Systems
     Serial Communication Data Acquisition Systems
     • It is used when the actual location of the data is at some distance from the computer
     • Communication standards such as RS232 and RS485 are used in this system depending on the distance to be supported
     USB Data Acquisition Systems
     • Peripheral devices such as printers, monitors, modems, and data acquisition devices can be attached with the use of USB
     • It is an easy option as it requires only one cable to connect the data acquisition device to the PC
  9. Types of Data Acquisition Systems (cont’d)
     Data Acquisition Plug-in Boards
     • These boards are directly plugged into the computer bus
     • Each board has a unique I/O map location
     Parallel Port Data Acquisition Systems
     • The parallel port used for the printer connection is used for the data acquisition device
     • It supports a high sample rate even if the distance between the computer and the acquisition device is limited
  10. Determining the Best Acquisition Methods
     Forensic investigators acquire digital evidence using the following methods:
     • Creating a bit-stream disk-to-image file
     • Making a bit-stream disk-to-disk copy
     • Creating a sparse data copy of a folder or file
  11. Data Recovery Contingencies
     • Investigators must make contingency plans for when data acquisition fails
     • To preserve digital evidence, investigators need to create a duplicate copy of the evidence files
     • In case the original data recovered is corrupted, investigators can make use of the second copy
     • Use at least two data acquisition tools to create a copy of the evidence in case the investigator’s preferred tool does not properly recover data
  12. Data Acquisition Mistakes
     • Choosing the wrong resolution for data acquisition
     • Using the wrong cables and cabling techniques
     • Not enough time for system development
     • Making the wrong connections
     • Having poor instrument knowledge
  13. Data Duplication
  14. Data Duplication
     Data duplication is useful for the preservation of the original evidence
     Preserve the data
     • All the tests to be carried out on the data are generally carried out on the copy of the original data, keeping the original data safe
     Never work on the original data
     • Use special tools and software for imaging the data devices
     • This data will be treated as a forensically sound copy
  15. Issues with Data Duplication
     • Data duplication may contaminate the original data
     • Contaminated data is not accepted as evidence
     • The duplicate data may be tampered with
     • Data fragments can be overwritten, and data stored in the Windows swap file can be altered or destroyed
     • If the original data is contaminated, then important evidence is lost, which causes problems in the investigation process
  16. Data Duplication in a Mobile Multi-Database System
     • Duplication of the database results in fault tolerance
     • It can be used even if the software and hardware fail
     • Data duplication increases the reliability of the system
     • Requests for particular data items can be handled by different nodes concurrently
     • It increases the response time and gives improved performance
  17. Data Duplication System Used in USB Devices
     • The data duplication method is used to control the data transmission between USB devices
     • Data is transmitted between two USB devices without the help of the computer
     • The duplication system consists of at least a serial interface engine circuit, a CPU, and a data buffer unit
     • The CPU is connected between the source USB and target USB with the help of the serial interface engine circuit
     • The data buffer is used as a memory buffer space while the digital data is transmitted between the source and the destination USB devices
  18. Data Backup
     • Backup is the activity of copying files or databases so that they will be preserved in case of equipment failure or other catastrophe
     • Backup approaches can be categorized as local, remote, online, or offline
     It is important to:
     • Restore the original data after a data breach or disaster
     • Restore some files if they are accidentally deleted or corrupted
     • It may serve as an image file that can be used for forensic investigation and analysis of evidence in a cyber crime
     • It may be used as evidence in trials of computer crimes
  19. Data Acquisition Tools and Commands
  20. MS-DOS Data Acquisition Tool: DriveSpy
     DriveSpy enables the investigator to direct data from one particular sector range to another sector
     It provides two methods in accessing disk sector ranges:
     • A built-in Sector (and Cluster) Hex Viewer which can be used to examine DOS and non-DOS partitions
     • Configurable logging capabilities to document the investigation (keystroke-by-keystroke if desired)
     • The ability to create and restore compressed forensic images of the drive partitions
     • Full scripting capabilities to automate processing activities
  21. Using Windows Data Acquisition Tools
     • Windows data acquisition tools allow the investigator to acquire evidence from a disk with the help of removable media such as USB storage devices
     • These tools can use FireWire to connect hard disks to the forensic lab systems
     • Data acquisition tools in Windows cannot acquire data from the host protected area of the disk
  22. FTK Imager
     FTK Imager allows you to acquire physical device images and logically view data from FAT, NTFS, EXT 2 and 3, as well as HFS and HFS+ file systems
  23. Acquiring Data on Linux
     • Forensic investigators use the built-in Linux command “dd” to copy data from a disk drive
     • This command can make a bit-stream disk-to-disk copy, disk-to-image file, block-to-block copy, or block-to-file copy
     • The “dd” command can copy the data from any disk that Linux can mount and access
     • Other forensic tools such as AccessData FTK and ILook can read dd image files
     Syntax:
     • dd if=/*source* of=/*destination*
       where:
       if = infile, or evidence you are copying (a hard disk, tape, etc.)
       source = source of evidence
       of = outfile, or copy of evidence
       destination = where you want to put the copy
  24. dd Command
     dd if=<source> of=<target> bs=<byte size> skip= seek= conv=<conversion>
     The byte size is usually some power of 2, not less than 512 bytes (i.e., 512, 1024, 2048, 4096, 8192, 16384), but can be any reasonable number.
     Suppose a 2GB hard disk is seized as evidence. Use dd to make a complete physical backup of the hard disk:
     • dd if=/dev/hda of=/dev/case5img1
     Copy one hard disk partition to another hard disk:
     • dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
     Make an ISO image of a CD:
     • dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
     Copy a floppy disk:
     • dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
     Restore a disk partition from an image file:
     • dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror
     Copy RAM to a file:
     • dd if=/dev/mem of=/home/sam/mem.bin bs=1024
  25. Extracting the MBR
     To see the contents of the MBR, use these commands:
     • # dd if=/dev/hda of=mbr.bin bs=512 count=1
       # od -xa mbr.bin
     The dd command, which needs to be run as root, reads the first 512 bytes from /dev/hda (the first Integrated Drive Electronics, or IDE, drive) and writes them to the mbr.bin file
     The od command prints the binary file in hex and ASCII formats
  26. Netcat Command
     Source Machine:
     • dd if=/dev/hda bs=16065b | netcat targethost-IP 1234
     Target Machine:
     • netcat -l -p 1234 | dd of=/dev/hdc bs=16065b
  27. dd Command (Windows XP Version)
     Linux dd utility ported to Windows:
     dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5
  28. Mount Image Pro
     Mount Image Pro is a tool for computer forensics investigations. It enables the mounting of:
     • EnCase
     • Unix/Linux DD images
     • SMART
     • ISO
     It mounts image files as a drive letter under the Windows file system
     It maintains the MD5 hash integrity, which can be tested by reacquiring the mounted drive and comparing the MD5 checksums
     It will also open EnCase password-protected image files without the password
  29. Mount Image Pro
  30. Snapshot Tool
     Snapshot is a data acquisition tool
  31. Snapback DatArrest
     SnapBack Live, which allows it to perform a "True Image Backup" of a server while it is live and in use
     If the "bad guys" see you coming and start deleting files, DatArrest recovers all the files, including the deleted files
     The DatArrest Suite provides the ability to copy:
     • Server hard drive to tape
     • PC hard drive to tape
     • Server or PC hard drive to removable media
     • Hard drive to hard drive
     • Tape to tape
  32. Data Acquisition Toolbox
     Data Acquisition Toolbox provides tools for analog input, analog output, and digital input/output
     It supports a variety of PC-compatible data acquisition hardware
     Data Acquisition Toolbox enables:
     • Customizing the acquisition process
     • Accessing built-in features of hardware devices
     • Incorporating the analysis and visualization features
     • Saving data for post-processing
     • Updating test setup for result analysis
  33. Data Acquisition Toolbox: Screenshot
  34. Data Acquisition Tool: SafeBack
     • SafeBack is an industry-standard, self-authenticating computer forensics tool that is used to create evidence-grade backups of hard drives
     • It is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition
     • It creates a log file of all transactions it performs
  35. Hardware Tool: Image MASSter Solo-3 Forensic
     • The ImageMASSter Solo-3 Forensic data imaging tool is a lightweight, portable, hand-held device that can acquire data to one or two evidence drives at speeds exceeding 3GB/min
     • Designed exclusively for forensic data acquisition
     Figure: Image MASSter Solo-3 Forensic
  36. Image MASSter Solo-3 Forensic (cont’d)
     Features:
     • MD5 and CRC32 Hashing
     • Touch Screen User Interface
     • High Speed Operation
     • Built-in Write Protection
     • Built-in FireWire 1394B and USB 2.0 Interface
     • Captures to Two Evidence Drives Simultaneously
     • Multiple Capture Methods
     • WipeOut
     • Audit Trail and Logs
     • Multiple Media Support
     • Upgradeable
     Software features:
     • Device Configuration Overlay (DCO) Option
     • Host Protected Area (HPA) Option
     • WipeOut DoD Option
     • WipeOut Fast Option
     • LinkMASSter Application
     • Linux-DD Capture Option
     Figure: Image MASSter Solo-3 Forensic
  37. Image MASSter: RoadMASSter-3
     Road MASSter 3 is a portable computer forensic lab used to:
     • Acquire data
     • Preview and image hard drives
     • Analyze data in the field
     It is designed to perform both fast, reliable hard drive imaging and data analysis
     It can acquire or analyze data from FireWire 1394A/B, USB, IDE, SATA, SAS, and SCSI
     Figure: Road MASSter-3
  38. Image MASSter: Wipe MASSter
     • Wipe MASSter is designed to erase and sanitize hard drives
     • It ensures that there are no traces of the previous data on the hard drive
     • An intuitive menu provides a simple pattern-based scan to sanitize the hidden partition on any hard drive
     Figure: Wipe MASSter
  39. Image MASSter: DriveLock
     The Image MASSter DriveLock device is a hardware write-protect solution which prevents data writes
     It has four versions:
     • Serial-ATA DriveLock Kit USB/1394B
     • DriveLock Firewire/USB
     • DriveLock IDE
     • DriveLock In Bay
  40. Hardware Tool: LinkMASSter-2 Forensic
     • The LinkMASSter 2 is a high-speed forensic data acquisition device that provides the tools necessary to seize data from a suspect’s unopened notebook or PC using the FireWire 1394A/B or USB 1.0/2.0 interface
     • The device supports the MD5, CRC32, or SHA1 hashing methods during data capture, ensuring that the transferred data is an exact replica of the suspect’s data without modification
     • Seize the data from P-ATA, S-ATA, SCSI, or notebook drives
     • Data transfer rates can exceed 3GB/min
     Figure: Link MASSter-2 Forensic
  41. LinkMASSter-2 Forensic (cont’d)
     Features:
     • FireWire 1394B and USB 2.0 Interface
     • MD5 and CRC32 and SHA1 Hashing
     • Forensic Toolkit Graphical User Interface
     • High Speed Operation
     • Multiple Capture Methods
     • Write Protection
     • Multiple Media Support
     • WipeOut
     • Audit Trail and Logs
     Software Features:
     • LinkMASSter Application
     • Hashing
     • Single Capture Option
     • Linux-DD Capture Option
     • Intelligent Capture Option
     • WipeOut DoD Option
     • WipeOut Fast Option
     Figure: Link MASSter-2 Forensic
  42. Hardware Tool: RoadMASSter-2
     • The RoadMASSter-2 Forensics data acquisition and analysis tool is designed to perform both fast, reliable hard drive imaging and data analysis
     • This computer forensic system is built for the road with all the tools necessary to acquire or analyze data from today’s common interface technologies including FireWire, USB, Flash, ATA, S-ATA, and SCSI
     • This portable computer forensic lab is used by law enforcement agencies as well as corporate security to acquire and analyze data in the field
     Figure: Road MASSter-2
  43. RoadMASSter-2 (cont’d)
     Features:
     • MD5 and CRC32 and SHA1 Hashing
     • Forensic Toolkit Graphical User Interface
     • High Speed Operation
     • Multiple Capture Methods
     • Built-in Write Protection
     • Built-in LinkMASSter FireWire 1394B and USB 2.0 Interface
     • Multiple Media Support
     • Preview and Analyze
     • WipeOut
     • Audit Trail and Logs
     Software Features:
     • WipeOut DoD Option
     • WipeOut Fast Option
     • LinkMASSter Application
     • Linux-DD Capture Mode
     • Single Capture Mode
     • Intelligent Capture Mode
     Figure: Road MASSter-2
  44. 44. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Logicube: Echo PLUS & Sonix • It is the portable hard drive cloning solution • Data Transfer Rate: Speeds up to 1.8 GB/min (UDMA 2 Mode) • Hard drive duplication: Single-target, drive-to-drive duplicator for IDE, UDMA, and SATA drives Echo PLUS • Sonix transfers data to and from a hard drive at 3.3GB/min • It allows the user to configure up to 24 partitions for various loads and applications Sonix
  45. 45. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Logicube : OmniClone Xi Series • The OmniClone Xi supports UDMA-5 transfer speeds for cloning IDE, EIDE, UDMA, & SATA drives at up to 3.5 GB/min10 Xi • All information with current system software release is stored on the Omniclone's 64 MB compact flash card2 Xi Figure: OmniClone 2XiFigure: OmniClone 10Xi
  46. 46. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Logicube : OmniClone Xi Series (cont’d) • It offers an optional Database software program that enables the user to scan and log hard drive cloning sessions which include hard drive make, model, serial number, and firmware revision 5 Xi Figure: OmniClone 5Xi
  47. Logicube: OmniPORT
      The Forensic OmniPort device allows immediate access to the majority of the current USB Flash devices.
      It captures and deploys data to or from most USB Flash drives.
      It is compatible with Thumb Drives, Pen Drive type devices, Flash Memory Cards using USB Card readers, and 2.5” and 3.5” external USB drives.
      It can be connected directly to a PC’s motherboard and booted as an IDE device.
      It allows data cloning to or from the attached USB drive by the Logicube Echo Plus, Sonix, OmniClone 10Xi/5Xi/2Xi, and Forensic Talon.
      Figure: OmniPORT
  48. Logicube: OmniWipe & Clone Card Pro
      OmniWipe:
      • OmniWipe sanitizes multiple IDE, EIDE, UDMA, and SATA drives simultaneously at up to 2.3 GB/min
      • It performs quick one-pass wipe and high-speed Security Erase
      Clone Card Pro:
      • It is a PCMCIA adapter that allows hard drive data recovery transfer rates up to 175 MB/min
      • It clones the data to and from a laptop computer
      Figure: OmniWipe
  49. Logicube: Forensic MD5
      Forensic MD5 is a forensic hard disk data recovery system for law enforcement, corporate security, and cybercrime investigation.
      Its built-in MD5 engine allows for imaging speeds up to 3.3 GB/min.
      It ensures bit-for-bit accuracy, guaranteeing zero chance of alteration of the suspect and evidence drives.
      Forensic MD5 Features:
      • Number of connectivity options
      • MD5 verification
      • Creates DD images
      • Field-tested ruggedized case
      • On-site reporting
      • It is portable
      • Unidirectional data transfer
      Figure: Forensic MD5
  50. Logicube: Forensic Talon
      Forensic Talon is a forensic data capture system specifically designed for the requirements of law enforcement, military, corporate security, and investigators.
      It simultaneously images and verifies data at up to 4 GB/min.
      It captures IDE/UDMA/SATA drives, and can capture SCSI drives via USB cable.
      Forensic Talon Features:
      • Advanced keyword search
      • MD5 or SHA-256 Authentication
      • Unidirectional data transfer
      • Creates DD images on-the-fly
      • HPA and DCO capture
      • Portable and high-speed data capturing
      Figure: Forensic Talon
  51. Logicube: RAID I/O Adapter
      The RAID I/O Adapter enables the Forensic Talon to capture a suspect RAID drive pair directly to 1 destination drive, and 1 suspect drive to 2 destination drives.
      Features of RAID I/O Adapter:
      • Captures RAID-0, RAID-1, and JBOD configurations
      • Supports MD5/SHA-256 scan and keyword search mode during any 1-to-2 capture
      • Supports both native and DD image operation modes during 1-to-2 and 2-to-1 capturing
      • Supports drive defect scan and WipeClean modes during 1-to-2
      Figure: RAID I/O Adapter
  52. Logicube: GPStamp
      Logicube GPStamp is a device that produces a verified fix on the location, time, and date of the data captured.
      Investigators can bolster their credibility by specifying when and where data captures are performed.
      GPStamp Features:
      • Computes the exact location of capture in 3D space; accurate to within 50 meters
      • Adds accurate latitude, longitude, and time to the capture report and log
      • It is capable of acquiring satellites and fixes within most buildings
      Figure: GPStamp
  53. Logicube: Portable Forensic Lab
      The Portable Forensic Lab (PFL) is a portable computer forensic field lab housed in a special ruggedized carrying case.
      This tool gives the investigator a head start, often cutting the time to acquire critical data.
      The PFL includes all that a computer forensic examiner needs to:
      • Capture evidence data at high speed from multiple sources
      • Browse data from multiple types of digital media
      • Analyze the captured material using computer forensic analysis software such as FTK from AccessData
      Figure: Portable Forensic Lab
  54. Logicube: CellDEK
      Logicube CellDEK is a cell phone data extraction device which identifies devices by brand, model number, dimensions, and photographs.
      It is portable and compatible with over 1100 of the most popular cell phones and PDAs.
      It captures the data within 5 minutes, displays it on screen, and prompts for downloading to a portable USB device.
      Investigators can immediately gain access to vital information, saving days of waiting for a report from a crime lab.
      Figure: CellDEK
  55. Logicube: Desktop WritePROtects
      Logicube Desktop WritePROtects is a data recovery adapter used to protect hard drives.
      It has two versions:
      • IDE Desktop WritePROtect
      • SATA Desktop WritePROtect
      It allows only a small subset of the ATA specification commands to flow to the protected drive and blocks all other commands.
      It connects via IDE or SATA cable to the HDD forensic tools for data capture.
      It guarantees read-only access when analyzing the captured or cloned drive under Windows.
      Figure: Desktop WritePROtects
  56. Logicube: USB Adapter
      The USB Adapter allows for cloning and drive management directly through the USB (1.1 or 2.0) port on a PC or laptop.
      It is capable of cloning at speeds up to 750 MB/min.
      It allows the investigator to:
      • Store/restore images to a network server
      • Modify a drive's contents
      • Defragment the master drive
      • Reformat the master drive
      • Manage partitions using third party software
      Figure: USB Adapter
  57. Logicube: Adapters
      OmniClone IDE laptop Adapters: F-ADP-1.8, F-ADP-COMP-FL, F-ADP-DOM, F-ADP-HITACHI-DS, F-ADP-STND, F-ADP-STND-3A, F-ADP-STND-6A, F-ADP-ZIF, F-ADP-IDE
      OmniClone SCSI Adapters: F-ADP-SCSI-50, F-ADP-SCSI-80
  58. Logicube: Cables
      OmniClone IDE Cables: F-CABLE-30A, F-CABLE-5, F-CABLE-9, F-CABLE-RP10, F-CABLE-RP15, F-CABLE-RP2, F-CABLE-RP5, F-CABLE-SOL
      OmniClone SATA Cables: F-CABLE-SAS5, F-CABLE-SATA, F-CABLE-SATA18, F-CABLE-SATAEP, F-CABLE-SATAXI
  59. Logicube: Cables (cont’d)
      OmniClone UDMA IDE Cables: F-CABLE-RP2U, F-CABLE-RP5U, F-CABLE-RP10U, F-CABLE-RP15U, F-CABLE-SOLU, F-CABLE-5U, F-CABLE-9U, F-CABLE-30U, F-CABLE-XI, F-CABLE-2XI, F-CABLE-5XI, F-CABLE-10XI
      OmniClone SCSI Cables: F-CABLE-SCSI, F-CABLE-SCSI2, F-CABLE-SCSI4
  60. Data Duplication Tools
  61. Data Duplication Tool: R-Drive Image
      R-Drive Image is an important tool that provides disk image file creation for backup or duplication purposes.
      A disk image file contains an exact, byte-by-byte copy of a hard drive, partition, or logical disk.
      R-Drive can create partitions with various compression levels freely without stopping the Windows OS.
      These drive image files can then be stored in a variety of places, including various removable media such as CD-R(W) or DVD-R(W), Iomega Zip or Jaz disks.
  62. R-Drive Image: Screenshot
  63. Data Duplication Tool: DriveLook
      The DriveLook Tool has the following features:
      • Indexes the hard drive for the text that was written to it
      • Searches through a list of all words stored on the drive
      • Views the location of words in the disk editor
      • Switches between different views
      • Uses image file as input
      • Accesses remote drives through serial cable or TCP/IP
  64. DriveLook: Screenshot
  65. Data Duplication Tool: DiskExplorer
      DiskExplorer aids examiners in investigating any drive and recovering data.
      Two versions of DiskExplorer exist:
      • DiskExplorer for FAT
      • DiskExplorer for NTFS
      The tool also has provisions to navigate through the drive by jumping to:
      • Partition table
      • Boot record
      • Master file table
      • Root directory
  66. DiskExplorer: Screenshot
  67. Save-N-Sync
      The quickest, easiest, and most economical way to synchronize a small number of folders.
      It allows you to synchronize and back up files from a source folder on one computer to a target folder on a second networked computer or storage device.
  68. Save-N-Sync
  69. Hardware Tool: ImageMASSter 6007SAS
      The ImageMASSter 6007SAS is the only hard drive duplication unit in the market that supports SAS (Serial Attached SCSI) hard drives.
      It copies simultaneously at high speed from SATA/SAS/SCSI/IDE hard drives to any 7 SAS/SATA/IDE target hard drives.
      It is a Windows based machine with one Gigabit network connection, which allows downloading or uploading files to or from drives using a network drive.
      Figure: ImageMASSter 6007SAS
  70. ImageMASSter 6007SAS (cont’d)
      Features:
      • High Speed Copy Operation
      • SAS and SATA duplicator
      • SCSI Duplicator
      • Server Migration
      • All Operating Systems can be copied
      • Multiple Copy Modes
      • Supports Any File System
      • Network Connectivity
      • WipeOut
      • Mount and Modify Drives
      • Hot Swap Drives
      • Scale Partitions
      • Windows based
      Software Features:
      • MultiMASSter
      • IQCOPY
      • Auto Scale and Format Partitions
      • Image Copy
      • WipeOut DoD
      • WipeOut Fast Option
      • Store Log Information
      • Error Detection and Verification
      • Manage User Defined Settings
      Figure: ImageMASSter 6007SAS
  71. Hardware Tool: Disk Jockey IT
      Designed exclusively for IT data duplication.
      The Disk Jockey IT data imaging tool is a lightweight, portable hand-held device that can copy data to one or two target drives at speeds exceeding 2 GB/min.
      It can mirror two hard disk drives for real-time backup (RAID level 1), with data stored simultaneously on both drives.
      Data can be copied from one disk to another without using a computer at speeds of up to 2 GB/min.
      Figure: Disk Jockey IT
  72. Disk Jockey IT (cont’d)
      Features:
      • Standalone HD Mode
      • Mirroring
      • Spanning
      • Fast Disk to Disk Copies
      • Disk Copy Compare / Verification
      • Hard Disk Read Test
      • Two levels of erase
      Figure: Disk Jockey IT
  73. SCSIPAK
      SCSIPAK is a set of system tools which extend the support of tape drives under Microsoft Windows NT and Windows 2000 operating systems.
      It is a software and tape based data conversion-duplication system.
      Data can be downloaded from a tape or optical disk and then written simultaneously to up to seven drives at once.
      The image file from the tape or optical medium is stored under NT along with an index file which contains details of tape file and set marks, directory partitions, or unused optical sectors.
      This allows for the duplication of even complex format tapes and optical disks.
  74. IBM DFSMSdss
      A reliable utility to quickly move, copy, and back up data.
      Functions:
      • Moves and replicates data
      • Manages storage space efficiently
      • Backs up and recovers data
      • Converts data sets and volumes
      FlashCopy in DFSMSdss:
      • FlashCopy provides a fast data duplication capability
      • This option helps to eliminate the need to stop applications for extended periods of time in order to perform backups and restores
  75. Tape Duplication System: QuickCopy
      QuickCopy is the premier tape duplication system for data/software distribution applications.
      It is a complete production system for software and data distribution.
      Features:
      • Duplicate Master tape to one or more Target tapes
      • Duplicate from Master Images stored on hard drives
      • Multi-tasking for mixed jobs
      • 100% Verification of all copies made at user option
      • Microsoft NT Operating System and User Interface (GUI)
      • Available CD-R copying with QuickCopy-CD option
      Figure: QuickCopy
  76. DeepSpar: Disk Imager Forensic Edition
      DeepSpar Disk Imager Forensic Edition is a portable version of DeepSpar Disk Imager Data Recovery Edition with the addition of forensic-specific functionality, used to handle disk-level problems.
      Visualize the imaging process by:
      • Reading the status of each retrieved sector
      • Data being imaged
      • Types of imaging files
      Figure: Disk Imager Forensic Edition
  77. DeepSpar: 3D Data Recovery
      DeepSpar data recovery systems pioneered the 3D Data Recovery process - a professional approach to data recovery centered on the following three phases:
      Phase 1: Drive Restoration
      • This phase deals with drives that are not responding, and drives that appear functional and can be imaged, but produce useless data
      • Recommended tool: PC-3000 Drive Restoration System
      Phase 2: Disk Imaging
      • This phase deals with creating a clean duplicate of the disk contents on a new disk that can be used as a stable platform for phase 3
      • Recommended tool: DeepSpar Disk Imager
      Phase 3: Data Retrieval
      • This phase involves rebuilding the file system, extracting the user’s data, and verifying the integrity of files
      • Recommended tool: PC-3000 Data Extractor
  78. Phase 1 Tool: PC-3000 Drive Restoration System
      The PC-3000 Drive Restoration System tool is used for drive restoration.
      It fixes firmware issues for all hard disk drive manufacturers and virtually all drive families.
      Features of PC-3000 Drive Restoration System:
      • Designed for the data recovery of businesses
      • Universal utilities give faster drive diagnostics
      • Repairs the drive and secures all of the user's data
      • Software included with PC-3000 features a user-friendly Microsoft Windows XP/2000 interface
      • PC-3000 has built-in features to treat particular drives for their most common failures
      Figure: PC-3000 Drive Restoration System
  79. Phase 2 Tool: DeepSpar Disk Imager
      The disk imaging device built to recover bad sectors on a hard drive.
      DeepSpar Disk Imager Features:
      • Retrieves up to 90 percent of bad sectors
      • Special vendor-specific ATA commands are used that pre-configure the hard drive for imaging
      • Reduces the time it takes to image a disk with bad sectors
      • Failing hard drives are imaged with care and intelligence
      • Real-time reporting gives a window on the type and quality of data imaging
      Figure: Disk Imager
  80. Phase 3 Tool: PC-3000 Data Extractor
      PC-3000 Data Extractor is a software add-on to PC-3000 that diagnoses and fixes file system issues.
      It works in tandem with PC-3000 hardware to recover data from any media (IDE HDD, SCSI HDD, and flash memory readers).
      PC-3000 Data Extractor Features:
      • Retrieves the user’s data from drives with damaged logical structures
      • Allows the user to analyze the logical structure of a damaged drive and, depending on the severity of damage, select specific files to recover
      • If the drive's translator module is damaged, it creates a virtual translator to create a map of offsets and copies the necessary data
  81. MacQuisition
      MacQuisition is a forensic acquisition tool used to safely image Mac source drives using the source system.
      Features:
      • Identifies the source device
      • Configures the destination’s location
      • Images directly over the network
      • Uses the command line
      • Logs case, exhibit, and evidence tracking numbers and notes
      • Automatically generates MD5, SHA1, and SHA-256 hashes
  82. MacQuisition: Screenshot
      Step 1: Source Identification
      Step 3: Case Information
  83. MacQuisition: Screenshot (cont’d)
      Step 5: Imaging/Status Information
  84. Athena Archiver
      Athena Archiver is an email archiving and storage management system.
      Features:
      Email review and classification
      • Tag and organize millions of emails instantly
      Enforceable email policy management
      • Ensure email compliance with regulations and acceptable use policies
      Flexible storage management
      • It moves the bulk of stored email information to cheaper near line drives, which can be replicated offsite to ensure a high level of reliability
  85. Summary
      • Investigators can acquire data in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file
      • Data duplication is essential for the proper preservation of the digital evidence
      • Windows data acquisition tools allow the investigator to acquire evidence from a disk with the help of removable media such as USB storage devices
      • Forensic investigators use the built-in Linux command “dd” to copy data from a disk drive
      • The SavePart command retrieves information about the partition space in the hard disk
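
The summary names `dd` bit-stream imaging, and the tool slides repeatedly list hash verification of the copy; the following added example (not part of the original slides) combines the two in a disk-to-image acquisition. The function names, paths, and log format are assumptions made for illustration, and it relies on `dd` and `sha256sum` from GNU coreutils.

```shell
#!/bin/sh
# Added example: bit-stream disk-to-image acquisition with hash verification.
# Function names, paths and the log layout are illustrative assumptions.
# Usage (source behind a write blocker):
#   acquire_image /dev/sdX case001.dd case001.log && verify_image case001.dd case001.log

# Print only the SHA-256 digest of a file or block device.
hash_of() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE LOG
# Hashes SOURCE, copies it to IMAGE with dd, then hashes SOURCE again and
# hashes IMAGE. All three digests are written to LOG.
# Returns 0 only when the source was unchanged and the image matches it.
acquire_image() {
    src=$1; img=$2; log=$3

    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 2; }
    # Never overwrite an existing image: it may already be evidence.
    [ -e "$img" ] && { echo "refusing to overwrite: $img" >&2; return 2; }

    pre=$(hash_of "$src")
    [ -n "$pre" ] || return 2

    # Plain sequential copy; a read error aborts the acquisition instead of
    # silently producing an image that differs from the source.
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 2

    post=$(hash_of "$src")
    copy=$(hash_of "$img")

    {
        echo "source=$src"
        echo "image=$img"
        echo "sha256_source_before=$pre"
        echo "sha256_source_after=$post"
        echo "sha256_image=$copy"
    } > "$log"

    # Source must not have changed during imaging, and the image must match.
    [ "$pre" = "$post" ] && [ "$pre" = "$copy" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the digest recorded at acquisition.
# Returns non-zero if the image was altered or the log has no digest.
verify_image() {
    recorded=$(sed -n 's/^sha256_image=//p' "$2")
    [ -n "$recorded" ] && [ "$(hash_of "$1")" = "$recorded" ]
}
```

Re-running `verify_image` before each analysis session shows that the working copy still matches what was acquired.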