File000162
Transcript

  • 1. Module XLIX - Investigating Search Keywords
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
    News: Logicube Launches Digital Forensic Data Capture Device
    Logicube® Inc., the industry's leader in hard drive duplication technology, has launched the Forensic Dossier™, the newest addition to its line of eForensics data capture solutions. The Dossier is the fastest digital forensic data capture device on the market today, allowing investigators to capture and authenticate at speeds approaching 6GB/min. Users can capture data from one or two suspect drives to one or two evidence drives. This sophisticated solution provides built-in support for capture from a RAID drive pair (0, 1, JBOD) and can capture data from a variety of flash media devices with a built-in media reader. The versatile Dossier features built-in support for SATA and IDE drives, with optional support for SCSI and SAS drives scheduled to be available in late spring of this year. The Dossier also provides built-in USB and FireWire connectivity, supports most solid state drives, and supports microSATA and eSATA drives with optional cables.
    "Developed to meet the complex challenges of digital forensic investigators, the Dossier is the cornerstone of a future-focused platform of forensic products from Logicube. Sophisticated but easy to use, the Dossier's design ensures investigators will keep pace with advanced digital technology used in criminal activities", commented Farid Emrani, Vice President and COO of Logicube.
    The Dossier features the highest level of authentication with the ability to compute MD5 and SHA-256 hashes concurrently. The Dossier also includes a drive spanning feature (scheduled to be available in spring 2009) that allows users to capture from one large suspect drive to two smaller evidence drives. Other features include DD image files, keyword search, audit trail reporting, internal flash memory to store keyword lists, software updates and reports, and a touch screen display for easy navigation. The Dossier will be featured in the Logicube booth (#73640) at the 2009 International CES show held in Las Vegas, Nevada, January 8th through January 11th.
    Source: http://pr-usa.net/
  • 3. Module Objective
    This module will familiarize you with:
    • Keyword Search
    • Keyword Search List
    • Index-Based Keyword Searching
    • Bitwise Searching
    • Keyword Search Techniques
    • Odyssey Keyword Search
  • 4. Module Flow
    Keyword Search → Keyword Search List → Index-Based Keyword Searching → Bitwise Searching → Keyword Search Techniques → Odyssey Keyword Search
  • 5. Keyword Search
    • Keywords are also known as Seed Information, as they are the starting point of the investigation
    • Keyword searching for terms relating to a case can be an important source for experts charged with uncovering digital clues in a forensic investigation
    • Experts frequently conduct keyword searches of active files, deleted files, unallocated space, cookies, logs, temporary Internet files, etc. to search for evidence
    • Crafting a keyword search term list that will help pinpoint relevant information is crucial to successful keyword search results
    • Crafting the best keyword search may require trial and error, and the list may need to be refined as the expert begins to uncover virtual clues
  • 6. Keyword Search (cont'd)
    • An experienced investigator usually maintains a collection of search lists from previous cases
    • A keyword search list can be built on an existing list
    • A keyword list can be re-used directly for a similar case
    • A search list is part of a systematic mechanism for knowledge collection, management, sharing, and reuse that offers decision support to investigators
  • 7. Developing a Keyword Search List
    When formulating a keyword search list, consider the following tips:
    Select keywords with care:
    • The number of keywords in a given list will vary depending upon the type of forensic investigation and the facts of the case
    • When choosing which words to incorporate in the list, concentrate on the terms that are at the heart of the case
    • Focusing on the most relevant terms will avoid being over-inclusive of irrelevant data while offering the greatest likelihood of finding responsive information
    Reduce search time using "whole words":
    • Searching for "whole words," which match exact instances of a word, will significantly cut down on search time
    • For example, the term Sally (instead of Sal) will avoid finding irrelevant words like salmon, salamander or salt
  • 8. Developing a Keyword Search List (cont'd)
    Consider multiple word phrases:
    • When looking for a particular document, isolating specific phrases likely to be found in the document can help achieve good results
    Avoid noise words, initials, numbers, and acronyms:
    • Noise words, such as "it, a, an, and, the," initials, numbers, and acronyms can result in an unreasonably high number of matches being returned
    Engage expert assistance:
    • In addition to sorting through gigabytes of information during a keyword search, a computer forensic expert can assist users in selecting a set of keywords most likely to yield relevant results
  • 9. Index-Based Keyword Searching
    • Indexing is the process of pre-calculating the location of keywords in advance of the search in order to speed up the search process
    • Indexing allows the time-consuming task of keyword searching to be divided into an indexing phase, which may run unattended, and an interactive searching phase, where the index is used to rapidly locate keywords
    • An index is, in a sense, simply a list of offsets for occurrences of keywords
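The two-phase scheme on slide 9 and the "whole words" advice on slide 7, shown together as an added example (this is not code from the EC-Council module or from any forensic tool). The "image" is a constructed byte string standing in for a drive image; the index maps each lower-cased whole-word token to the byte offsets where it occurs, so a lookup for "sal" does not hit "salmon" or "salt" the way a raw substring scan does, and noise words are dropped at indexing time.

```python
import re
from collections import defaultdict

# Constructed sample "image": text fragments at arbitrary byte offsets, standing in
# for allocated files, unallocated space and slack on a drive (not a real image).
SAMPLE_IMAGE = (
    b"Dear Sally, the invoice is attached.\x00\x00\x00"
    b"grilled salmon and salt\x00\x00"
    b"Sally said to wire the funds.\x00"
)

# Whole-word tokens only: letters, digits and apostrophes.
WORD_RE = re.compile(rb"[A-Za-z0-9']+")

# Noise words the slides recommend leaving out of a keyword list.
NOISE_WORDS = {b"a", b"an", b"and", b"the", b"it", b"is", b"to"}


def build_index(image):
    """Indexing phase (may run unattended): one pass over the image that records
    the byte offset of every whole-word token, keyed by the lower-cased token."""
    index = defaultdict(list)
    for m in WORD_RE.finditer(image):
        token = m.group().lower()
        if token not in NOISE_WORDS:
            index[token].append(m.start())
    return index


def search_index(index, keyword):
    """Searching phase (interactive): a dictionary lookup, no rescan of the image.
    Because the index holds whole words, 'sal' does not hit 'salmon' or 'salt'."""
    return index.get(keyword.lower().encode(), [])


def substring_hits(image, keyword):
    """Plain substring scan for contrast: every occurrence, including inside
    unrelated words, and a full pass over the image for each query."""
    pattern = re.compile(re.escape(keyword.encode()), re.IGNORECASE)
    return [m.start() for m in pattern.finditer(image)]


if __name__ == "__main__":
    idx = build_index(SAMPLE_IMAGE)
    print("index lookup 'Sally':", search_index(idx, "Sally"))
    print("index lookup 'sal':  ", search_index(idx, "sal"))
    print("substring 'sal':     ", substring_hits(SAMPLE_IMAGE, "sal"))
```

Offsets are byte positions into the image, which is what an examiner needs to map a hit back to a sector or a carved file; a real indexer would also record the encoding it decoded each token from.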
  • 10. Bitwise Searching
    • Bitwise searching looks for simple text strings or regular expression matches in any sector on a drive, including both unallocated and slack space
    • A full bitwise search may be more relevant if a hard disk is being searched for deleted files or residual fragments of their content, and when searching for complex regular expressions (for example, all strings that match a credit card number or phone number)
    • The ability to perform regular expression searches enables the examiner to search for non-text (binary) values such as file headers as well as complex text terms
    • A criminal might change a file's extension to hide it, but the investigator can still find all files of a given type, even if their names have been changed, by searching for the signatures in their headers
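Both halves of slide 10, a regular-expression sweep over every sector and a header-signature sweep that ignores file names, as an added example rather than code from the module or from any named product. The three-sector image is constructed; the sector size, the signature table (JPEG, PNG and PDF magic bytes, which are standard) and the Luhn filter used to discard 16-digit strings that merely look like card numbers are this example's own choices.

```python
import re

SECTOR = 512


def _sector(payload):
    """Pad a constructed payload to one 512-byte sector."""
    return payload.ljust(SECTOR, b"\x00")


# Constructed image: sector 0 is an allocated note, sector 1 holds residue of a
# deleted file, sector 2 is a JPEG whose name (not present here) could say anything.
SAMPLE_IMAGE = (
    _sector(b"meeting notes ref 1234 5678 9012 3456")
    + _sector(b"\x00\x00deleted: card 4111 1111 1111 1111 exp 12/27")
    + _sector(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\xaa" * 40)
)

# Header bytes identify the file type regardless of extension or name.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}

# Four groups of four digits, optionally separated by a space or dash.
CARD_RE = re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")


def bitwise_regex_search(image, pattern):
    """Scan every byte of the image, allocated or not, and report
    (sector number, byte offset, matched bytes) for each hit."""
    return [(m.start() // SECTOR, m.start(), m.group())
            for m in pattern.finditer(image)]


def luhn_ok(digits):
    """Luhn checksum: true for strings that could be real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_candidates(image):
    """Regex hits filtered through Luhn to cut false positives; the regex alone
    also flags reference numbers and similar 16-digit strings."""
    return [(sector, off, raw)
            for sector, off, raw in bitwise_regex_search(image, CARD_RE)
            if luhn_ok(re.sub(rb"\D", b"", raw).decode())]


def find_headers(image):
    """Report (sector, type) for every sector that starts with a known signature."""
    hits = []
    for start in range(0, len(image), SECTOR):
        head = image[start:start + SECTOR]
        for name, magic in SIGNATURES.items():
            if head.startswith(magic):
                hits.append((start // SECTOR, name))
    return hits


if __name__ == "__main__":
    print("regex hits:", bitwise_regex_search(SAMPLE_IMAGE, CARD_RE))
    print("after Luhn:", card_candidates(SAMPLE_IMAGE))
    print("headers:   ", find_headers(SAMPLE_IMAGE))
```

The header scan only checks sector starts, which is what a preliminary sweep for carving does; fragments that begin mid-sector would need a byte-by-byte search of the same signature table.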
  • 11. Keyword Search Techniques
    Regular expression search:
    • Regular expressions provide a more expressive language for describing objects of interest than keywords
    • Apart from formulating keyword searches, regular expressions can be used to specify searches for Internet e-mail addresses and files of a specific type
    • Forensic utilities such as EnCase can be used for regular expression searches
    • Regular expression searches suffer from false positives and false negatives, because not all types of data can be adequately defined using regular expressions
    Approximate matching search:
    • Uses a matching algorithm that permits character mismatches when searching for a keyword or pattern
    • The user must specify the degree of mismatch allowed
    • Approximate matching can detect misspelled words, but allowing mismatches also increases the number of false positives
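Approximate matching with a user-chosen mismatch budget, as an added example (not the module's or any tool's code). Words in a constructed text are compared to the keyword by edit distance (insert, delete or substitute one character), and raising the budget from 0 to 2 shows both effects the slide describes: the misspelling "recive" is found at 1, and at 2 the unrelated word "recipe" is reported as well.

```python
import re


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# Constructed text with one misspelling of the keyword and several look-alikes.
SAMPLE_TEXT = ("Please recive the package at the receiving dock. "
               "Revenue figures receive no review until the recipe is final.")


def approximate_search(text, keyword, max_mismatches):
    """Return (word, distance) for every whole word within max_mismatches
    edits of the keyword, in text order; case is ignored."""
    kw = keyword.lower()
    hits = []
    for m in re.finditer(r"[A-Za-z]+", text):
        word = m.group()
        d = levenshtein(word.lower(), kw)
        if d <= max_mismatches:
            hits.append((word, d))
    return hits


if __name__ == "__main__":
    for k in (0, 1, 2):
        print(k, approximate_search(SAMPLE_TEXT, "receive", k))
```

A budget of one edit is usually enough for typos; anything larger should be reviewed hit by hit, since short keywords are within two edits of many ordinary words.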
  • 12. Keyword Search Techniques (cont'd)
    Custom searches:
    • Custom searches are programmed in a general-purpose programming language to satisfy more complex criteria
    Search of modifications:
    • A search of modifications is an automated search for data objects that have been modified since specified moments in the past
    • Modification of data objects that are not usually modified, such as operating system utilities, can be detected by comparing their current hash with their expected hash
    • A library of expected hashes must be built prior to the search
    • Modification of a file can also be inferred from modification of its timestamp
    • The investigator assumes that a file is always modified together with its timestamp; since the timestamp has changed, the file is inferred to have been modified too
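A search of modifications built the way slide 12 describes, as an added example (not code from the module): a library of expected SHA-256 hashes and modification times is recorded from a known-good tree, and a later pass classifies each file. The scenario is constructed in a temporary directory with four small files named after OS utilities; the fourth one has its content changed and its original timestamp put back, which shows why the timestamp inference on its own is an assumption and the hash comparison is the reliable check.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_library(root):
    """Library of expected values, built from a known-good copy before the search:
    relative path -> (SHA-256 hex digest, modification time in nanoseconds)."""
    library = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            library[rel] = (sha256_file(path), os.stat(path).st_mtime_ns)
    return library


def search_modifications(root, library):
    """Compare the current tree against the library and classify every entry."""
    findings = {}
    for rel, (expected_hash, expected_mtime) in library.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings[rel] = "missing"
            continue
        hash_changed = sha256_file(path) != expected_hash
        mtime_changed = os.stat(path).st_mtime_ns != expected_mtime
        if hash_changed:
            findings[rel] = "content changed"
        elif mtime_changed:
            findings[rel] = "timestamp changed, content identical"
        else:
            findings[rel] = "unchanged"
    return findings


def demo():
    """Constructed scenario (stand-ins for OS utilities, not real binaries):
    'ls' untouched, 'ps' content changed, 'netstat' timestamp only,
    'ss' content changed but its recorded timestamp put back."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "ps", "netstat", "ss"):
            with open(os.path.join(root, name), "w") as f:
                f.write("stand-in for the " + name + " binary")
        library = build_hash_library(root)

        with open(os.path.join(root, "ps"), "a") as f:
            f.write(" + altered")
        later = library["netstat"][1] + 3600 * 10**9
        os.utime(os.path.join(root, "netstat"), ns=(later, later))
        with open(os.path.join(root, "ss"), "a") as f:
            f.write(" + altered")
        original = library["ss"][1]
        os.utime(os.path.join(root, "ss"), ns=(original, original))

        return search_modifications(root, library)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(rel, "->", verdict)
```

Timestamps are still worth recording: a changed timestamp on unchanged content is itself an event worth explaining, and the library should be hashed from read-only media or a trusted package source rather than from the suspect system.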
  • 13. Choice of Searching Methodology
    Investigations require a combination of context-specific searching techniques and a methodology for applying them. Factors affecting the choice and order of searching include:
    Awareness of suspect:
    • If the suspect is aware that he is under investigation, file-based content may have been deleted, which leans toward bitwise searching
    • If the content is likely to be present on the drive intact, index-based searching may be more effective
    Likely data format:
    • If there is a chance that the content resides in a PDF, XLS, or HWP file, index-based searching will be more thorough
    • A preliminary bitwise search for the header bytes of these file types, and recovery of deleted files before the index-based search, will combine both techniques for maximum effectiveness
  • 14. Issues with Keyword Searching
    • Keywords are rarely sufficient to specify the desired type of data objects precisely
    • The output of a keyword search can contain false positives and false negatives
    • Encryption, compression, or the inability of the search utility to interpret a certain data format lead to false negatives
  • 15. Odyssey Keyword Search
    http://basistech.com/
    • Odyssey Digital Forensics is software that finds all keyword variations with one search
    • Odyssey combines industry-leading language technology from Basis Technology, the Rosette® Linguistics Platform, with a high-performance search system that can analyze disk image files acquired from standard forensic tools
    Odyssey recognizes text regardless of whether the text is:
    • Displayed left to right or right to left (as in Middle-Eastern languages)
    • Stored with bits aligned left to right or right to left ("little-endian" or "big-endian")
    • Encoded in UTF-8, UTF-16, or UTF-32 Unicode or any of dozens of legacy text encoding systems
  • 16. Screenshot
    [Screenshot of the Odyssey keyword search interface; the image is not part of this transcript]
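Two of the false-negative causes from slide 14 (encoding and compression) handled the way slide 15 says a multi-encoding search must, as an added example; it is not Odyssey's code or any vendor's, only a small illustration of the idea. The keyword is encoded in several Unicode and legacy encodings and every byte form is searched, and candidate zlib streams found by their header byte are inflated and searched as well. The three-part image is constructed; the encoding list and the zlib header pattern are this example's choices.

```python
import re
import zlib

# Encodings to try; ASCII-only keywords collapse to fewer distinct byte forms.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "utf-32-le", "utf-32-be", "cp1252")


def keyword_variants(keyword):
    """Map each distinct byte form of the keyword to the first encoding that produced it."""
    variants = {}
    for enc in ENCODINGS:
        variants.setdefault(keyword.encode(enc), enc)
    return variants


def search_all_encodings(image, keyword):
    """Report (offset, encoding) for every byte form of the keyword in the image."""
    hits = []
    for pattern, enc in keyword_variants(keyword).items():
        for m in re.finditer(re.escape(pattern), image):
            hits.append((m.start(), enc))
    return sorted(hits)


# zlib stream header: CMF byte 0x78 followed by one of the common FLG bytes.
ZLIB_HDR = re.compile(rb"\x78[\x01\x5e\x9c\xda]")


def search_inside_zlib(image, keyword):
    """Inflate every candidate zlib stream (ignoring trailing bytes) and report the
    offsets of complete streams whose plaintext contains the keyword (UTF-8)."""
    found = []
    needle = keyword.encode("utf-8")
    for m in ZLIB_HDR.finditer(image):
        d = zlib.decompressobj()
        try:
            plain = d.decompress(image[m.start():])
        except zlib.error:
            continue                      # not a real stream, just a matching byte pair
        if d.eof and needle in plain:
            found.append(m.start())
    return found


# Constructed image: the keyword in UTF-8, in UTF-16LE (as Windows stores it),
# and inside a zlib-compressed blob where a raw scan cannot see it.
SAMPLE_IMAGE = (
    b"plain: " + "Dossier".encode("utf-8") + b"\x00"
    + b"win: " + "Dossier".encode("utf-16-le") + b"\x00\x00"
    + b"zip: " + zlib.compress(b"the Dossier report " * 4) + b"\x00"
)


if __name__ == "__main__":
    print("raw byte forms:", search_all_encodings(SAMPLE_IMAGE, "Dossier"))
    print("inside zlib:   ", search_inside_zlib(SAMPLE_IMAGE, "Dossier"))
```

The UTF-16 hit is the one a naive ASCII search misses most often on Windows evidence; the compressed hit is the kind that only a utility able to interpret the container can find, and encrypted content remains a false negative for every method shown here.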
  • 17. Summary
    • Keywords are also known as Seed Information, as they are the starting point of the investigation
    • A keyword search list can be built on an existing list
    • Indexing is the process of pre-calculating the location of keywords in advance of the search in order to speed up the search process
    • Bitwise searching looks for simple text strings or regular expression matches in any sector on a drive, including both unallocated and slack space
    • Investigations require a combination of context-specific searching techniques and a methodology for applying them
    • Odyssey Digital Forensics is software that finds all keyword variations with one search