SlideShare a Scribd company logo
1 of 145
Download to read offline
CS6004 – CYBER FORENSICS
UNIT IV
EVIDENCE COLLECTION AND
FORENSICS TOOLS
OUTLINE
 Processing Crime and Incident Scenes
 Working with Windows and DOS Systems
 Current Computer Forensics Tools - Software/ Hardware
Tools
2
PreparedbyR.Arthy,AP/IT,KCET
PROCESSING CRIME
AND
INCIDENT SCENES
OBJECTIVES
 Explain guidelines for seizing digital evidence at the scene
 Describe how to secure a computer incident or crime scene
 Describe how to preserve the evidence and establish the
chain of custody
 Enumerate some general guidelines to process crime and
incident scene
4
PreparedbyR.Arthy,AP/IT,KCET
WHAT IS FORENSIC?
 Collection and analysis of evidence
 Using scientific test or techniques
 To establish facts against crime
 For presenting in a legal proceeding
 Therefore forensic science is a scientific method of
gathering and examining information about the past which
is then used in court of law
5
PreparedbyR.Arthy,AP/IT,KCET
WHAT IS DIGITAL FORENSIC?
 Digital Forensics is the use of scientifically derived and
proven methods toward:
 the preservation, collection, validation, identification, analysis,
interpretation, documentation, and presentation of digital evidence
derived from digital devices
 for the purpose of facilitation or furthering the reconstruction
of events found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to planned
operations
6
PreparedbyR.Arthy,AP/IT,KCET
BRANCHES OF DIGITAL FORENSICS
 The technical aspect of an investigation is divided into
several sub-branches, relating to the type of digital devices
involved:
 Computer forensics, Firewall Forensics, Database Forensics,
Network forensics, Forensic data analysis and Mobile device
forensics.
 The typical forensic process encompasses the seizure,
forensic imaging and analysis of digital media and the
production of a report into collected evidence.
7
PreparedbyR.Arthy,AP/IT,KCET
CRIMINAL INVESTIGATION
 A principle in criminal investigation called Locard’s Exchange
Principle
 Anyone or anything entering a crime scene takes something of
the scene with them and leaves something of themselves behind
 Main goal of investigation to link crime to the suspect by
discovering threads between suspect, victim and crime scene
8
Victim
Crime
Scene
Suspect
Evidence
PreparedbyR.Arthy,AP/IT,KCET
DIGITAL EVIDENCE
 Evidence
 A piece of information that supports a conclusion
 Digital evidence
 Any data that is recorded or preserved on any medium in or by a
computer system or other similar digital device, that can be read
or understood by a person or a computer system or other similar
device.
 It includes a display, printout or other output of that data.
9
PreparedbyR.Arthy,AP/IT,KCET
CHARACTERISTICS OF DIGITAL EVIDENCE
 Admissible
 Conformity with the common law and legislative rules
 Authentic
 In linking data to specific individuals and events
 Accurate
 Believed and is consistent
 Complete
 With a full story of particular circumstances.
 Convincing to juries
 To have probative value, subjective and practical test of
presentation
 To proving beyond doubt
10
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 All investigations must follow the following rules of
evidence:
 Digital evidence integrity must be preserved to be admissible in
court.
 If the evidence is contaminated it cannot be de-contaminated
 Digital evidence must be reliable: Authenticity evidence, clear
easy to understand, and believable by a jury
 Digital evidence must be complete : Exculpatory evidence for
alternative suspects
11
PreparedbyR.Arthy,AP/IT,KCET
EXAMPLES
12
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 e-mails,
 digital photographs,
 ATM transaction logs,
 word processing documents,
 Instant message histories,
 files saved from accounting program,
 spreadsheets,
 internet browser histories,
 databases,
 the contents of computer memory,
 computer backups, computer printouts,
 Global Positioning System tracks,
 logs from a hotel’s electronic door locks, and
 digital video or audio files
13
PreparedbyR.Arthy,AP/IT,KCET
DIGITAL FORENSIC PROCESSES
14
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Generally involves the following steps:
1. Seizing Digital Evidence at the Scene
2. Securing a computer incident or crime scene
3. Preserving the data
4. Establishing the chain of custody
5. Examining data for evidence
15
PreparedbyR.Arthy,AP/IT,KCET
SEIZING DIGITAL EVIDENCE AT THE SCENE
16
PreparedbyR.Arthy,AP/IT,
KCET
INTRODUCTION
 Law enforcement can seize evidence with a proper
warrant
 Corporate investigators might have the authority only to
make an image of the suspect’s drive
 When seizing digital evidence in criminal investigations
 Follow U.S. DoJ standards for seizing digital data
 Civil investigations follow same rules - require less
documentation
 Consult with your attorney for extra guidelines
17
PreparedbyR.Arthy,AP/IT,KCET
PREPARING TO ACQUIRE DIGITAL EVIDENCE
 The evidence you acquire at the scene depends on the nature
of the case (Crime or Violation)
 Ask your supervisor or senior forensics examiner in your
organization the following questions:
 Do you need to take the entire computer and all peripherals and
media in the immediate area?
 How are you going to protect the computer and media while
transporting them to your lab?
 Is the computer powered on when you arrive?
 Is it possible the suspect damaged or destroyed the computer,
peripherals, or media?
18
PreparedbyR.Arthy,AP/IT,KCET
USING A TECHNICAL ADVISOR
 Technical advisor
 Can help you list the tools you need to process the incident or
crime scene
 Person guiding you about where to locate data and helping you
extract log records
 Or other evidence from large RAID servers
 Can help create the search warrant by itemizing what you need
for the warrant
19
PreparedbyR.Arthy,AP/IT,KCET
TECHNICAL ADVISOR RESPONSIBILITIES
 Know aspects of the seized system
 Direct investigator handling sensitive material
 Help secure the scene
 Help document the planning strategy for search and
seizure
 Conduct ad hoc trainings
 Document activities
 Help conduct the search and seizure
20
PreparedbyR.Arthy,AP/IT,KCET
PROCESSING AN INCIDENT OR CRIME SCENE
- GUIDELINES
 Keep a journal to document your activities
 Secure the scene
 Be professional and courteous with onlookers
 Remove people who are not part of the investigation
 Take video and still recordings of the area around the
computer
 Pay attention to details
 Sketch the incident or crime scene
 Check state of computers as soon as possible
 Don’t cut electrical power to a running system unless it’s an
older Windows 9x or MS-DOS system
 Save data from current applications as safely as possible
 Record all active windows or shell sessions 21
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Make notes of everything you do when copying data from a
live suspect computer
 Close applications and shut down the computer
 Bag and tag the evidence, following these steps:
 Assign one person to collect and log all evidence
 Tag all evidence you collect with the current date and time, serial
numbers or unique features, make and model, and the name of the
person who collected it
 Maintain two separate logs of collected evidence
 Maintain constant control of the collected evidence and the crime or
incident scene
 Look for information related to the investigation
 Passwords, passphrases, PINs, bank accounts
 Collect documentation and media related to the investigation
 Hardware, software, backup media, documentation, manuals
22
PreparedbyR.Arthy,AP/IT,KCET
DOCUMENTING EVIDENCE IN THE LAB
 Record your activities and findings as your work
 Maintain a journal to record the steps you take as you process
evidence
 Goal is to reproduce the same result
 When you or another investigator repeat the steps you took to
collect evidence
 A journal serves as a reference that documents the
methods you need to process digital evidence
23
PreparedbyR.Arthy,AP/IT,KCET
SECURING A COMPUTER INCIDENT OR
CRIME SCENE
24
PreparedbyR.Arthy,AP/IT,
KCET
INTRODUCTION
 Protecting the crime scene is crucial because if evidence is
contaminated, it cannot be decontaminated.
 The main goals of securing the crime scene are the
following:
 Preserve the evidence (No damage during collection,
transportation, or storage)
 Keep information confidential
 Depending on the situation, crime scene preservation will
vary.
 Professional curiosity can destroy evidence
 Involves police officers and other professionals who aren’t part of
the crime scene processing team
25
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 How securing a computer incident or crime scene?
 Define a secure perimeter
 Use yellow barrier tape
26
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 How securing a computer incident or crime scene? (Cont.)
 Physical surroundings of the computer should be photographed and
clearly documented
 Photographs should be taken before anything is touched
27
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 How securing a computer incident or crime scene? (Cont.)
 Take custody of computer, peripherals, and media.
 Bag and tag all evidence
 Assign one person to collect and log all evidence
 Record the current date and time, serial numbers or unique features, make
and model, and the name of the person who collected it
 Maintain two separate
logs of collected
evidence
 Use antistatic bags
28
PreparedbyR.Arthy,AP/IT,KCET
PRESERVING THE DATA
29
PreparedbyR.Arthy,AP/IT,KCET
CAPTURE VOLATILE DATA
 Computer forensics team first captures any volatile data that
would be lost when computer is turned off and moves data to
a secure location
 Contents of RAM
 Current running processes
 Current network connections (recent connections and open
applications/sockets)
 Logon sessions
 Open files: File system time and date stamps
30
PreparedbyR.Arthy,AP/IT,KCET
ACQUIRE IMAGE
 Reboot will change disk images. Do not reboot!
 After retrieving volatile data, focus on the hard drive
 Make forensic backup = system image = bit-stream
backup
 Copy every bit of the file system, not just the disk files!
 Its accuracy meets evidence standards
 Example tools include:
 Prodiscover
 EnCase
 FTK
 OS does not influence which tools to use for bit-image
capture
31
PreparedbyR.Arthy,AP/IT,KCET
STORING DIGITAL EVIDENCE
 The media you use to store digital evidence usually depends
on how long you need to keep it
 CD-Rs or DVDs
 The ideal media
 Capacity: up to 17 GB
 Lifespan: 2 to 5 years
 Magnetic tapes
 Capacity: 40 to 72 GB
 Lifespan: 30 years
 Costs: drive: $400 to $800; tape: $40
32
PreparedbyR.Arthy,AP/IT,KCET
EVIDENCE RETENTION AND MEDIA STORAGE
NEEDS
 To help maintain the chain of custody for digital evidence
 Restrict access to lab and evidence storage area
 Lab should have a sign-in roster for all visitors
 Maintain logs for a period based on legal requirements
 You might need to retain evidence indefinitely
 Check with your local prosecuting attorney’s office or state laws to
make sure you’re in compliance
 You cannot retain child pornography evidence, however
33
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
34
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Copy all image files to a large drive
 Run an MD5 or SHA-1 hashing algorithm on the image
files to get a digital hash
35
PreparedbyR.Arthy,AP/IT,KCET
ESTABLISHING THE CHAIN OF CUSTODY
36
PreparedbyR.Arthy,AP/IT,KCET
INTRODUCTION
 As soon as the team begins its work, must start and
maintain a strict chain of custody
 Chain of custody protects the integrity and reliability of the
evidence
 It documents that evidence was under strict control at all times
and no unauthorized person was given the opportunity to corrupt
the evidence
 Effective process of documenting the complete journey of the
evidence during the life of the case
 Who collected it?
 How & where?
 Who took possession of it?
 How was it stored & protected in storage?
37
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Create or use an evidence custody form
 An evidence custody form serves the following functions:
 Identifies the evidence
 Identifies who has handled the evidence
 Lists dates and times the evidence was handled
38
PreparedbyR.Arthy,AP/IT,KCET
EXAMINING DATA FOR EVIDENCE
39
PreparedbyR.Arthy,AP/IT,KCET
PROCESSING AND HANDLING DIGITAL
EVIDENCE
 Maintain the integrity of digital evidence in the lab
 As you do when collecting it in the field
 Steps to create image files:
 Copy all image files to a large drive
 Start your forensics tool to analyze the evidence
 Run an MD5 or SHA-1 hashing algorithm on the image files
to get a digital hash
 Secure the original media in an evidence locker
40
PreparedbyR.Arthy,AP/IT,KCET
WORKING WITH WINDOWS
AND DOS SYSTEMS
LEARNING OBJECTIVES
 List the key components of a disk drive.
 Explain the purpose and structure of Microsoft FAT (and
NTFS) file system.
 Describe different types of file deletion, and what is
required to completely remove a file from a disk.
 Explain how the Windows Registry works, and enlist
different types of useful forensics information it stores.
42
PreparedbyR.Arthy,AP/IT,KCET
OUTLINE
 Hard Disk
 FAT
 NTFS
 Windows Registry
43
PreparedbyR.Arthy,AP/IT,KCET
COMPUTER COMPONENTS
44
PreparedbyR.Arthy,AP/IT,KCET
HARDWARE COMPONENTS
 Motherboard / Mainboard
 Processor / CPU
 ROM - stores system-level programs that
should be available at all times, e.g. BIOS
 Registers & CPU cache - accept, hold, and
transfer data at very high speed - very limited
capacity
 Main Memory / RAM - fast temporary
memory - stores data only while computer
on
 Secondary (Permanent) Storage
 hard disks / drive, CD-ROM, USB, floppy
 Input Devices
 keyboard, mouse, …
 Output Devices
 monitor, printer, …
45
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
46
PreparedbyR.Arthy,AP/IT,KCET
SOFTWARE COMPONENTS
 Operating System
 Software (program + data) that runs on a
computer
 it manages computer hardware &
provides common services for efficient
execution of various application software
 OSs are found on almost all ‘computing’
devices,
 e.g. cellular phones, video game consoles,
web servers, routers, …
47
PreparedbyR.Arthy,AP/IT,KCET
COMPUTER FILES
 File – a self contained collection of data available to
OS and individual programs
 comprises ‘related’ information
 can be manipulated as an entity (e.g., deleted or moved from
one storage media to another)
 must have a unique name
 has an extension (.doc, .txt, .exe, …) – indicates the type of
encoding of its content and usage
48
PreparedbyR.Arthy,AP/IT,KCET
COMPUTER FILE SYSTEM
 File System
 set of method/rules for storing and retrieving computer files
(data)
 gives an OS a road map to data on a secondary storage device
(e.g., disk drive, USB, CD-ROM)
 file system is usually directly related to an OS
49
PreparedbyR.Arthy,AP/IT,KCET
DISK DRIVES / HARD DRIVE
 consists of 1 or more platters coated with magnetic
material – data is stored on platters in a particular
way
 each platters has 2 surfaces: top & bottom
 key disk drive components:
 head – the device that reads and writes data to a drive –
there is one head per platter
 tracks – concentric circles on a disk platter where data is
located
 sector – a pie shaped section on a track made up of 128,
256, 512 or 1024 bytes – smallest addressable storage
unit on the hard drive
 a cylinder – consists of corresponding tracks on all
platters (e.g. track 12 on all d.d. platters)
 geometry – refers to a disk’s structure of platters, tracks,
and sectors
50
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
51
PreparedbyR.Arthy,AP/IT,KCET
HEADS
 Located on both sides of (each) platter only a few
nanometers from the surface
 heads are semi-static (only move up/down & small
angle) - disk/platters rotate at speed of n*1000
revolutions per minute! (~ 250km/h)
 heads are ‘inductive’ – they can generate a magnetic
field
 by creating positive or negative fields, they polarize the
disk (platter) surface in a very tiny area
 when these areas are read afterwards, the detected
polarity is transformed by a ADC into a 0 or 1
52
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
53
PreparedbyR.Arthy,AP/IT,KCET
EXAMPLE: DISK DRIVE CAPACITY AND SPEED:
HISTORY
54
PreparedbyR.Arthy,AP/IT,KCET
CLUSTER
 One or a group of sectors – logical unit of
file storage on a hard drive
 number of sectors in a cluster (2n), depends on:
 disk size: bigger disk ⇒ bigger cluster
 logical disk organization (e.g., FAT12 /16 /32 or
NTFS)
 whatever the logical size of a file, it is
allocated disk space in multiples of clusters!
 sectors in a cluster are physically adjacent on the
disk
 clusters in a file may NOT be adjacent
 clusters are managed by computers OS
55
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: Bigger disk - bigger cluster size …
 FAT16 is not recommended for volumes larger than 511
MB. When relatively small files are placed on a FAT16
volume, FAT uses disk space inefficiently! 56
PreparedbyR.Arthy,AP/IT,KCET
WINDOWS FILE SYSTEMS
 3 types of file systems have been used by Windows: FAT,
FAT32, NTFS
57
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
58
PreparedbyR.Arthy,AP/IT,KCET
FAT FILE SYSTEM
 Introduction
 Major Sections of FAT Hard Disks
 Slack Space in FAT
 Deleting FAT Files
 Forensics Implications
59
PreparedbyR.Arthy,AP/IT,KCET
INTRODUCTION
 FAT x – File Allocation Table – family of file systems for
DOS/Windows operating systems
 FAT table – stores info. on status of all clusters on the disk =
‘table of content’
 x = 12, 16, 32 – number of bits used for cluster
identification/numbering
 bit-size of each FAT table entry
60
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: FAT12, FAT16, FAT32
61
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: FAT16 capacity
Can 700 MB disk drive be formatted with a FAT16 file
system using 4KB clusters?
FAT16 ⇒ 216 = 65536 clusters
216 clusters * 4 Kbytes = 26 * 210 * 4 * 210 bytes
max capacity = 64 * 4 MB = 256 MB
62
PreparedbyR.Arthy,AP/IT,KCET
MAJOR SECTION
1) Boot Sector – occupies the 1st cluster on the disk
 contains specific information about organization of the file
system, including: type of FAT (12/16/32) system,
 # of bytes per sector,
 # of sectors per track,
 # of sectors per cluster,
 # of read heads,
 # of FAT tables,
 # of clusters per FAT table, etc.
63
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
64
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
2) FAT Tables
 keep track of allocation status of different data clusters
 entry N relates to data cluster N – the actual value is a pointer to
another FAT entry
 set of clusters that constitute one file are defined by a set of linked
FAT entries
 multiple FATs (FAT1 & FAT2) ensure redundancy in case of
data corruption – FAT2 is a backup of FAT 1
 typically used on portable (more vulnerable) media
65
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: Use of FAT system
66
PreparedbyR.Arthy,AP/IT,KCET
[CONTTD…]
 FAT entry values
67
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
3) Root Directory (FAT12/16 only)
 stores Directory Table – table of 32-byte long entries for each
file & directory created on the disk
4) Data Area
 contains file & directory data – occupies remaining sectors
(clusters) on the disk
 first cluster of Data Area is numbered 2; though, this is
physical sector 33!
68
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: (Root) Directory Table entries in bytes
69
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: File fragmentation / cluster allocation in FAT
70
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
Example: Final Exam 2010
 Assume a computer employs the FAT16 file system with
components as shown below:
 A file, containing a set of numbers, is stored on this computer
under the name YourFile.txt.
 Using the provided information, identify the first six numbers
stored in YourFile.txt.
71
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
72
PreparedbyR.Arthy,AP/IT,KCET
SLACK SPACE IN FAT
 phenomenon caused by the way how computers store
data/files:
 files are allocated cluster-sized chunks
 regardless of the actual size of data in the file
 data may not be big enough to fill (all) segments, i.e. clusters
73
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 sector slack - space between EOF and end of last sector
that file was written to known as RAM slack as OS pulls
any info available in RAM at that point (memory dump)
to fill this space – e.g. logon IDs, passwords, segments of
other files
 cluster slack - remaining sectors in cluster known as file
slack – contains whatever was last written by disk in
those sectors (e.g. parts of a deleted file)
74
PreparedbyR.Arthy,AP/IT,KCET
DELETING FAT FILES
 system places deletion mark on the file
 deletion mark ⇒ first letter of the file name is replaced
with E5 (lower-case Greek letter σ)
 FAT entries of respective clusters are still unchanged!
 in DATAAREA clusters still preserve the original data!
75
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: Deleting by sending to Recycle Bin
76
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 File Allocation Table (FAT) before and after deletion of
“test1.txt” file.
77
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: Deleting by clearing from Recycle Bin
 File Allocation Table (FAT) before and after clearing
Recycle Bin.
78
PreparedbyR.Arthy,AP/IT,KCET
FORENSICS IMPLICATIONS
 On deletion of a file, the data contained in a file is NOT ‘gone’
 it is merely ‘hidden’ from he operating system and the space
 it occupies is made available for reuse.
 Deleted data still resides in the space previously allocated to it,
unless overwritten.
 It is possible to ‘undelete’ (reconstruct) a file – or some of its parts –
even after Recycle bin has been emptied!
 However, there may be evidential difficulties with files recovered
from unallocated space. We cannot state the date and time attributes
of even a complete file found in unallocated space, as there is no
respective entry in the File Directory Table.
79
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Disk Formatting – still does not erase data!
 only pointers (FAT and FDT) get destroyed
 data that formed the file remains intact in their locations
 Disk Wiping – secure deletion – wiped files have their
directory entries and allocated space physically
overwritten by random or user-defined characters
 Windows wiping tools:
 Disk Wipe: http://www.diskwipe.org/
 Eraser: http://eraser.heidi.ie/
80
PreparedbyR.Arthy,AP/IT,KCET
NTFS FILE SYSTEM
 NTFS – New Technology File System – introduced for
Windows NT and Vista
 provides significant improvements over FAT, including:
 file and folder permissions – folder and file access can be
controlled individually
 file encryption – NTFS enables strong encryption of files
and folders extremely resistant to attacks
 file compression – NTFS enables lossy compression on
both files and folders
 disk efficiency – NTFS supports smaller cluster size than
FAT32
 greater reliability – NTFS writes a log of changes being
made to files and folders (NTFS journal), which helps the OS
to recover from system failures … 81
PreparedbyR.Arthy,AP/IT,KCET
WINDOWS REGISTRY
 critical part of any Windows OSs - hierarchical
database containing configuration information about:
 system hardware;
 installed software (programs);
 property settings;
 profile for each user, etc.
 OS uses instructions stored in the registry
 to determine how installed hardware and software should
function
 e.g. typical software comes with a Windows installer that
writes to the registry during installation
 system must be restarted for changes to take place …
82
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: Opening Windows Registry
 Type ‘regedit’ in cmd window.
 Registry comprises 5 to 7 hierarchical folders – hives.
 Folders’ names start with HKEY – Handle to a Key.
83
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
84
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Forensics Implications – information (i.e. potential
evidence) that reside in the Registry make it a
significant forensics resource
 information that can be found in the registry include:
 general information about the OS
 startup (boot-time) applications
 logs of computers that have communicated with the host
 logs of USBs that have been connected to the host
 logs of Web site histories and typed URLs
 downloaded files/programs, e.g. wiping programs to destroy
evidence
 auto complete Internet Explorer passwords
85
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: Registry Information about OS
 Keys to look at (investigate):
 HKLMSoftwareMicrosoftWindows NTCurrentVersion
 Obtained info: OS version, Installation Date, Product ID, etc.
 Example: Registry Information about Time Zone
 Keys to look at (investigate):
 HKLMSystemControlSet001ControlTimeZoneInformation
 Example: Registry Information about Startup Applications
 Keys to look at (investigate):
 HKLMSoftwareMicrosoftWindowsCurrentVersionRun
 HKLMSoftwareMicrosoftWindowsCurrentVersionRunonce
 (Typically used to load an application for installation the next time the
computer boots. After the machine reboots, the entry is removed.)
 Services/programs enlisted in these ‘files’ run each time / when a user
logs on.
 Malware (spyware, trojans, worms, viruses) often attempt to embed
themselves in these startup areas.
86
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: Registry Information about LAN Computers
 Keys to look at (investigate):
 HKCUSoftwareMicrosoftWindowsCurrentVersionExplore
rComputerDescriptions
 A computer on a properly configured LAN should be able to
display all the computers on that network through
MyNetworkPlace. The list of these computer – i.e. devices
that the host has ever connected to – is stored in the Registry.
87
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: Registry Information about USB Devices
 Keys to look at (investigate):
 HKLMSystemControlSet00xEnumUSBSTOR
 Anytime a device is connected to a USB, driver are queried
and the device’s information is stored into the Registry.
88
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Example: Registry Information about IE Passwords
 Keys to look at (investigate):
 HKCUSoftwareMicrosoftInternetExplorerMain
 Key to look at: “FormSuggest PW Ask” – should be “yes” ⇒
 Windows AutoComplete Password feature is enabled.
 List of ‘memorized’ passwords can be found at:
 HKCUSoftwareMicrosoftInternetExplorerIntelliFormsSto
rage2
89
PreparedbyR.Arthy,AP/IT,KCET
Current Computer Forensics
Tools - Software/ Hardware
Tools
OUTLINE
 Introduction
 Evaluating Computer Forensics Tool Needs
 Types of Computer Forensics Tools
 Tasks Performed by Computer Forensics Tools
 Command-Line Forensics Tools
 UNIX/Linux Forensics Tools
 GUI Forensics Tools
 Forensic Workstations
 Validating and Testing Forensics Software
 Using Validation Protocols
 Computer Forensics Examination Protocol
 Example 91
PreparedbyR.Arthy,AP/IT,KCET
INTRODUCTION
 Computer forensics tools are constantly being developed,
updated, patched, and revised.
 Therefore, checking vendors’ Web sites routinely to look
for new features and improvements is important.
 Before purchasing any forensics tools, consider whether
the tool can save you time during investigations and
whether that time savings affects the reliability of data
you recover.
92
PreparedbyR.Arthy,AP/IT,KCET
EVALUATING COMPUTER FORENSICS TOOL
NEEDS
 Some questions to ask when evaluating computer
forensic tools:
 On which OS does the forensics tool run?
 Is the tool versatile? For example, does it work in Windows
98, XP, and Vista and produce the same results in all three
OSs?
 Can the tool analyze more than one file system, such as FAT,
NTFS, and Ext2fs?
 Can a scripting language be used with the tool to automate
repetitive functions and tasks?
 Does the tool have any automated features that can help
reduce the time needed to analyze data?
 What is the vendor’s reputation for providing product
support? 93
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 When you search for tools, keep in mind what file types
you’ll be analyzing.
 For example, if you need to analyze Microsoft Access
databases, look for a product designed to read these files.
 If you’re analyzing e-mail messages, look for a forensics
tool capable of reading e-mail content.
94
PreparedbyR.Arthy,AP/IT,KCET
TYPES OF COMPUTER FORENSICS TOOLS
 Hardware forensic tools
 Range from single-purpose components to complete
computer systems and servers
 Software forensic tools
 Types
 Command-line applications
 GUI applications
 Commonly used to copy data from a suspect’s disk drive to
an image file
95
PreparedbyR.Arthy,AP/IT,KCET
TASKS PERFORMED BY COMPUTER
FORENSICS TOOLS
 All computer forensics tools, both hardware and
software, perform specific functions.
 Five major categories:
 Acquisition
 Validation and discrimination
 Extraction
 Reconstruction
 Reporting
96
PreparedbyR.Arthy,AP/IT,KCET
1. ACQUISITION
 Acquisition, the first task in computer forensics
investigations, is making a copy of the original drive.
 Acquisition subfunctions:
 Physical data copy
 Logical data copy
 Data acquisition format
 Command-line acquisition
 GUI acquisition
 Remote acquisition
 Verification
97
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Some computer forensics software suites, such as
AccessData FTK and EnCase, provide separate tools for
acquiring an image.
 However, some investigators opt to use hardware
devices, such as the Logicube Talon, VOOM HardCopy
3, or ImageMASSter Solo III Forensic unit from
Intelligent Computer Solutions, Inc., for acquiring an
image.
 These hardware devices have their own built-in software
for data acquisition.
 No other device or program is needed to make a
duplicate drive; however, you still need forensics
software to analyze the data 98
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Two types of data-copying methods are used in software
acquisitions:
 Physical copying of the entire drive
 Logical copying of a disk partition
 The formats for disk acquisitions vary
 From raw data to vendor-specific proprietary compressed
data
 You can view the contents of a raw image file with any
hexadecimal editor
99
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
100
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 All computer forensics acquisition tools have a method for
verification of the data-copying process that compares the
original drive with the image.
 For example, EnCase prompts you to obtain the MD5 hash
value of acquired data,
 FTK validates MD5 and SHA-1 hash sets during data
acquisition, and Safe Back runs an SHA-256 hash while
acquiring data.
 Hardware acquisition tools, such as Image MASSter Solo, can
perform simultaneous MD5 and CRC-32 hashing during data
acquisition.
 Whether you choose a software or hardware solution for your
acquisition needs, make sure the tool has a hashing function
for verification purposes. 101
PreparedbyR.Arthy,AP/IT,KCET
2. VALIDATION AND DISCRIMINATION
 Two issues in dealing with computer evidence are critical.
 First is ensuring the integrity of data being copied—the validation
process.
 Second is the discrimination of data, which involves sorting and
searching through all investigation data.
 Many forensics software vendors offer three methods for
discriminating data values.
 Hashing
 Filtering
 Analyzing file headers
 Validating data is done by obtaining hash values.
 This unique hexadecimal value for data, used to make sure the
original data hasn’t changed. 102
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
103
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 The primary purpose of data discrimination is to remove
good data from suspicious data.
 Good data consists of known files, such as OS files and
common programs (Microsoft Word, for example).
 The National Software Reference Library (NSRL) has
compiled a list of known file hashes for a variety of OSs,
applications, and images.
104
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
105
PreparedbyR.Arthy,AP/IT,KCET
3. EXTRACTION
 The extraction function is the recovery task in a
computing investigation and is the most challenging of
all tasks to master.
 Recovering data is the first step in analyzing an
Investigation’s data.
 The following sub functions of extraction are used in
Investigations.
 Data viewing
 Keyword searching
 Decompressing
 Carving
 Decrypting
 Bookmarking3 106
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Many computer forensics tools include a dataviewing
mechanism for digital evidence.
 Tools such as ProDiscover, X-Ways Forensics, FTK,
EnCase, SMART, ILook, and others offer several ways
to view data, including logical drive structures, such as
folders and files.
107
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 A common task in computing investigations is searching
for and recovering key data facts.
 Computer forensics programs have functions for
searching for keywords of interest to the investigation.
 Using a keyword search speeds up the analysis process
for investigators.
 With some tools, you can set filters to select the file
types to search, such as searching only PDF documents.
 Another function in some forensics tools is indexing all
words on a drive.
 X-Ways Forensics and FTK 1.6x and earlier offer this
feature, using the binary index (Btree) search engine
from dtSearch.
108
PreparedbyR.Arthy,AP/IT,KCET
[CONTD….]
 Example – Keyword Search
109
PreparedbyR.Arthy,AP/IT,KCET
4. RECONSTRUCTION
 The purpose of having a reconstruction feature in a
forensics tool is to re-create a suspect drive to show what
happened during a crime or an incident.
 Another reason for duplicating a suspect drive is to
create a copy for other computer investigators, who
might need a fully functional copy of the drive so that
they can perform their own acquisition, test, and analysis
of the evidence.
 These are the sub functions of reconstruction:
 Disk-to-disk copy
 Image-to-disk copy
 Partition-to-partition copy
 Image-to-partition copy 110
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 There are several ways to re-create an image of a suspect
drive. Under ideal circumstances, the best and most
reliable method is obtaining the same make and model
drive as the suspect drive,
 If the suspect drive has been manufactured recently,
locating an identical drive is fairly easy.
 A drive manufactured three months ago might be out of
production and unavailable for sale, which makes
locating identical older drives more difficult.
111
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 The simplest method of duplicating a drive is using a
tool that makes a direct disk-to-disk copy from the
suspect drive to the target drive.
 One free tool is the UNIX/Linux dd command, but it has
a major disadvantage:
 The target drive being written to must be identical to the
original (suspect) drive, with the same cylinder, sector,
and track count.
112
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 For a disk-to-disk copy, both hardware and software
duplicators are available; hardware duplicators are the
fastest way to copy data from one disk to another.
 Hardware duplicators, such as Logicube Talon, Logicube
Forensic MD5, and ImageMASSter Solo III Forensics
 Hard Drive Duplicator, adjust the target drive’s geometry
to match the suspect drive’s cylinder, sectors, and tracks.
113
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 For image-to-disk and image-to-partition copies, many
more tools are available, but they are considerably
slower in transferring data.
 The following are some tools that perform an imageto-
disk copy:
 SafeBack
 SnapBack
 EnCase
 FTK Imager
 ProDiscover
 X-Ways Forensics
114
PreparedbyR.Arthy,AP/IT,KCET
5. REPORTING
 To complete a forensics disk analysis and examination, you need to
create a report.
 Before Windows forensics tools were available, this process required
copying data from a suspect drive and extracting the digital evidence
manually.
 The investigator then copied the evidence to a separate program,
such as a word processor, to create a report.
 Newer Windows forensics tools can produce electronic reports in a
variety of formats, such as word processing documents, HTML Web
pages, or Acrobat PDF files.
 These are the sub functions of the reporting function:
 Log reports
 Report generator 115
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Many forensics tools, such as FTK, ILook, and X-Ways Forensics,
can produce a log report that records activities the investigator
performed.
 Then a built-in report generator is used to create a report in a variety
of formats.
 The following tools are some that offer report generators displaying
bookmarked evidence:
 EnCase
 FTK
 Ilook
 X-Ways Forensics
 ProDiscover
 The log report can be added to your final report as additional
documentation of the steps you took during the examination, which
can be useful if repeating the examination is necessary.
116
PreparedbyR.Arthy,AP/IT,KCET
COMMAND-LINE FORENSICS TOOLS
 The first tools that analyzed and extracted data from
floppy disks and hard disks were MS-DOS tools for IBM
PC file systems.
 One of the first MS-DOS tools used for computer
investigations was Norton Disk Edit.
 This tool used manual processes that required
investigators to spend considerable time on a typical 500
MB drive.
 Eventually, programs designed for computer forensics
were developed for DOS, Windows, Apple, NetWare,
and UNIX systems.
117
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Some of these early programs could extract data from
slack and free disk space; others were capable only of
retrieving deleted files.
 Current programs are more robust and can search for
specific words or characters, import a keyword list to
search, calculate hash values, recover deleted items,
conduct physical and logical analyses, and more.
 Some command-line forensics tools are created
specifically for DOS/Windows platforms;
 others are created for Macintosh and UNIX/Linux. Because
there are many different versions of UNIX and Linux, these
OSs are often referred to as *nix platforms. 118
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
119
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
120
PreparedbyR.Arthy,AP/IT,KCET
UNIX/LINUX FORENSICS TOOLS
 The *nix platforms have long been the primary
command-line OSs, but typical end users haven’t used
them widely.
 However, with GUIs now available with *nix platforms,
these OSs are becoming more popular with home and
corporate end users.
 There are several *nix tools for forensics analysis, such
as SMART, BackTrack, Autopsy with Sleuth Kit, and
Knoppix-STD.
 SMART is designed to be installed on numerous Linux
versions, including Gentoo, Fedora, SUSE, Debian,
Knoppix, Ubuntu, Slackware, and more. 121
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 You can analyze a variety of file systems with SMART;
 SMART includes several plug-in utilities. This modular approach
makes it possible to upgrade SMART components easily and
quickly.
 SMART can also take advantage of multithreading capabilities in
OSs and hardware.
 Another useful option in SMART is the hex viewer. Hex values are
color-coded to make it easier to see where a file begins and ends.
 SMART also offers a reporting feature. Everything you do during
your investigation with SMART is logged, so you can select what
you want to include in a report, such as bookmarks.
122
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Helix One of the easiest suites to use is Helix because of
its user interface. What’s unique about Helix is that you
can load it on a live Windows system, Its Windows
component is used for live acquisitions
 During corporate investigations, often you need to
retrieve RAM and other data, such as the suspect’s user
profile, from a workstation or server that can’t be seized
or turned off.
 This data is extracted while the system is running and
captured in its state at the time of extraction.
123
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 To do a live acquisition, insert the Helix CD into the
suspect’s machine. After clicking I ACCEPT in the
licensing window, you see the Helix menu
124
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 BackTrack is another Linux Live CD used by many security
professionals and forensics investigators. It includes a variety of
tools and has an easy-to-use KDE interface.
 Autopsy and Sleuth Kit is a Linux forensics tool, and Autopsy is
the GUI browser interface for accessing Sleuth Kit’s tools.
 Knoppix Security Tools Distribution (STD) is a collection of tools
for configuring security measures, including computer and network
forensics.
 Note that Knoppix- STD is forensically sound, so it doesn’t allow
you to alter or damage the system you’re analyzing.
 If you boot this CD into Windows, Knoppix lists available tools.
Although many of the tools have GUI interfaces, some are still
command line only.
125
PreparedbyR.Arthy,AP/IT,KCET
GUI FORENSICS TOOLS
 Several software vendors have introduced forensics tools
that work in Windows.
 Because GUI forensics tools don’t require the same
understanding of MS-DOS and file systems as
command-line tools, they can simplify computer
forensics investigations.
 These GUI tools have also simplified training for
beginning examiners; however, you should continue to
learn about and use command-line tools because some
GUI tools might miss critical evidence.
126
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 GUI tools have several advantages, such as ease of use,
the capability to perform multiple tasks, and no
requirement to learn older OSs.
 Their disadvantages range from excessive resource
requirements (needing large amounts of RAM, for
example) and producing inconsistent results because of
the type of OS used, such as Windows Vista 32-bit or 64-
bit systems
127
PreparedbyR.Arthy,AP/IT,KCET
FORENSIC WORKSTATIONS
 Many computer vendors offer a wide range of forensic
workstations that you can tailor to meet your
investigation needs.
 Forensic workstations can be divided into the following
categories:
 Stationary workstation—A tower with several bays and many
peripheral devices
 Portable workstation—A laptop computer with a builtin LCD
monitor and almost as many bays and peripherals as a
stationary workstation
 Lightweight workstation—Usually a laptop computer built
into a carrying case with a small selection of peripheral
options.
128
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Building Your Own Workstation
 If you have the time and skill to build your own forensic
workstation, you can customize it to your needs and save
money, although you might have trouble finding support for
problems that develop.
 For example, peripheral devices might conflict with one
another, or components might fail. If you build your own
forensic workstation, you should be able to support the
hardware.
 If you decide that building a forensic workstation is beyond
your skills, several vendors offer workstations designed for
computer forensics, such as the F.R.E.D. unit from Digital
Intelligence or the Dual Xeon Workstation from Forensic PC.
 Having a vendor-supplied workstation has its advantages.
129
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Using a Write-Blocker
 The first item you should consider for a forensic workstation
is a write-blocker.
 Write blockers protect evidence disks by preventing data
from being written to them.
 Software and hardware write-blockers perform the same
function but in a different fashion.
 Software write-blockers, such as PDBlock from Digital
Intelligence, typically run in a shell mode (for example,
DOS).
130
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 [contd…]
 If you attempt to write data to the blocked drive, an alarm sounds,
advising that no writes have occurred.
 With hardware write-blockers, you can connect the evidence drive to
your workstation and start the OS as usual.
 Hardware write-blockers are ideal for GUI forensics tools.
 They prevent Windows or Linux from writing data to the blocked
drive.
 Hardware write-blockers act as a bridge between the suspect drive
and the forensic workstation.
 Many vendors have developed write-blocking devices that connect
to a computer through FireWire, USB 2.0, SATA, and SCSI
controllers.
 Most of these write-blockers enable you to remove and reconnect
drives without having to shut down your workstation, which saves
time in processing the evidence drive.
131
PreparedbyR.Arthy,AP/IT,KCET
VALIDATING AND TESTING FORENSICS
SOFTWARE
 Using National Institute of Standards and Technology
(NIST) Tools :
 NIST has created criteria for testing computer forensics tools,
which are included in the articlen “General Test Methodology
for Computer Forensic Tools”.
 Testing Standards:
 Establish categories for computer forensics tools
 Identify computer forensics category requirements
 Develop test assertions
 Identify test cases
 Establish a test method
 Report test result 132
PreparedbyR.Arthy,AP/IT,KCET
USING VALIDATION PROTOCOLS
 After retrieving and examining evidence data with one tool, you
should verify your results by performing the same tasks with other
similar forensics tools.
 For example, after you use one forensics tool to retrieve disk data,
you use another to see whether you retrieve the same information.
 Although this step might seem unnecessary, you might be asked on
the witness stand “How did you verify your results?” To satisfy the
need for verification, you need at least two tools to validate software
or hardware upgrades.
 The tool you use to validate the results should be well tested and
documented.
133
PreparedbyR.Arthy,AP/IT,KCET
COMPUTER FORENSICS EXAMINATION
PROTOCOL
1. First, conduct your investigation of the digital evidence
with one GUI tool.
2. Then perform the same investigation with a disk editor
to verify that the GUI tool is seeing the same digital
evidence in the same places on the test or suspect drive’s
image.
3. If a file is recovered, obtain the hash value with the GUI
tool and the disk editor, and then compare the results to
verify whether the file has the same value in both tools.
134
PreparedbyR.Arthy,AP/IT,KCET
COMPUTER FORENSICS TOOL UPGRADE
PROTOCOL
 In addition to verifying your results by using two disk-
analysis tools, you should test all new releases and OS
patches and upgrades to make sure they’re reliable and
don’t corrupt evidence data.
 New releases and OS upgrades and patches can affect the
way your forensics tools perform.
135
PreparedbyR.Arthy,AP/IT,KCET
EXAMPLE - PRODISCOVER
136
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
137
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
STEP 1: AQUISITION
138
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
139
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Loads all the content
140
PreparedbyR.Arthy,AP/IT,KCET
[CONTD….]
STEP 2: VALIDATION AND DISCRIMINATION
141
Prodiscvoer provides three hashing algorithms
•MD5 :- It is 128 bit hash. It is most commonly
used has algorithm in India.
•SHA-1 :- It is forensics more accurate & widely
recommended for forensics hash verification
•SHA-256 :- It is highly secured but time
consuming
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
STEP 3: EXTRACTION
 Data Carving
142
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
 Keyword Searching
143
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
STEP 4: RECONSTRUCTION
144
PreparedbyR.Arthy,AP/IT,KCET
[CONTD…]
STEP 5: REPORTING
145
PreparedbyR.Arthy,AP/IT,KCET

More Related Content

What's hot

Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumOWASP Khartoum
 
Ce hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handlingCe hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handlingVi Tính Hoàng Nam
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsSCREAM138
 
An introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensicsAn introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensicsZyxware Technologies
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating proceduresSoumen Debgupta
 
Computer Forensic Softwares
Computer Forensic SoftwaresComputer Forensic Softwares
Computer Forensic SoftwaresDhruv Seth
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsHiren Selani
 
Digital forensics
Digital forensics Digital forensics
Digital forensics vishnuv43
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its roleSudeshna Basak
 
computer forensics
computer forensicscomputer forensics
computer forensicsshivi123456
 

What's hot (20)

computer forensics
computer forensics computer forensics
computer forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP Khartoum
 
Ce hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handlingCe hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handling
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
An introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensicsAn introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensics
 
Lect 1 computer forensics
Lect 1 computer forensicsLect 1 computer forensics
Lect 1 computer forensics
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating procedures
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Computer Forensic Softwares
Computer Forensic SoftwaresComputer Forensic Softwares
Computer Forensic Softwares
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
cyber forensics
cyber forensicscyber forensics
cyber forensics
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
 
Codebits 2010
Codebits 2010Codebits 2010
Codebits 2010
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
computer forensics
computer forensicscomputer forensics
computer forensics
 

Similar to CS6004 Cyber Forensics - UNIT IV

computerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdfcomputerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdfGnanavi2
 
Introduction To Forensic Methodologies
Introduction To Forensic MethodologiesIntroduction To Forensic Methodologies
Introduction To Forensic MethodologiesLedjit
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptOnkar1431
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxssuser2bf502
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxDaniyaHuzaifa
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicDhiren Gala
 
Computer forensics Slides
Computer forensics SlidesComputer forensics Slides
Computer forensics SlidesVarun Sehgal
 
Computer forensics powerpoint presentation
Computer forensics powerpoint presentationComputer forensics powerpoint presentation
Computer forensics powerpoint presentationSomya Johri
 
Digital Evidence - the defence, prosecution, & the court
Digital Evidence - the defence, prosecution, & the courtDigital Evidence - the defence, prosecution, & the court
Digital Evidence - the defence, prosecution, & the courtCell Site Analysis (CSA)
 
A Review on Recovering and Examining Computer Forensic Evidences
A Review on Recovering and Examining Computer Forensic EvidencesA Review on Recovering and Examining Computer Forensic Evidences
A Review on Recovering and Examining Computer Forensic EvidencesBRNSSPublicationHubI
 
76 s201924
76 s20192476 s201924
76 s201924IJRAT
 
L11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.pptL11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.pptRebeccaMunasheChimhe
 
sakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptsakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptSakshiAlex
 

Similar to CS6004 Cyber Forensics - UNIT IV (20)

computerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdfcomputerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdf
 
Introduction To Forensic Methodologies
Introduction To Forensic MethodologiesIntroduction To Forensic Methodologies
Introduction To Forensic Methodologies
 
Computer forensic
Computer forensicComputer forensic
Computer forensic
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptx
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptx
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer Forensic
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics ppt
 
Chap 1 general introduction to computer forensics
Chap 1  general introduction to computer forensicsChap 1  general introduction to computer forensics
Chap 1 general introduction to computer forensics
 
Cyber forensics ppt
Cyber forensics pptCyber forensics ppt
Cyber forensics ppt
 
Computer forensics Slides
Computer forensics SlidesComputer forensics Slides
Computer forensics Slides
 
Computer forensics powerpoint presentation
Computer forensics powerpoint presentationComputer forensics powerpoint presentation
Computer forensics powerpoint presentation
 
Digital Evidence - the defence, prosecution, & the court
Digital Evidence - the defence, prosecution, & the courtDigital Evidence - the defence, prosecution, & the court
Digital Evidence - the defence, prosecution, & the court
 
A Review on Recovering and Examining Computer Forensic Evidences
A Review on Recovering and Examining Computer Forensic EvidencesA Review on Recovering and Examining Computer Forensic Evidences
A Review on Recovering and Examining Computer Forensic Evidences
 
76 s201924
76 s20192476 s201924
76 s201924
 
Sued or Suing: Introduction to Digital Forensics
Sued or Suing: Introduction to Digital ForensicsSued or Suing: Introduction to Digital Forensics
Sued or Suing: Introduction to Digital Forensics
 
L11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.pptL11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.ppt
 
3170725_Unit-1.pptx
3170725_Unit-1.pptx3170725_Unit-1.pptx
3170725_Unit-1.pptx
 
sakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptsakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.ppt
 
3170725_Unit-1.pptx
3170725_Unit-1.pptx3170725_Unit-1.pptx
3170725_Unit-1.pptx
 

More from ArthyR3

Unit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfUnit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfArthyR3
 
VIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfVIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfArthyR3
 
OOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfOOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfArthyR3
 
NodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfNodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfArthyR3
 
MongoDB.pdf
MongoDB.pdfMongoDB.pdf
MongoDB.pdfArthyR3
 
REACTJS.pdf
REACTJS.pdfREACTJS.pdf
REACTJS.pdfArthyR3
 
ANGULARJS.pdf
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdfArthyR3
 
JQUERY.pdf
JQUERY.pdfJQUERY.pdf
JQUERY.pdfArthyR3
 
Qb it1301
Qb   it1301Qb   it1301
Qb it1301ArthyR3
 
CNS - Unit v
CNS - Unit vCNS - Unit v
CNS - Unit vArthyR3
 
Cs8792 cns - unit v
Cs8792   cns - unit vCs8792   cns - unit v
Cs8792 cns - unit vArthyR3
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit ivArthyR3
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit ivArthyR3
 
Cs8792 cns - unit i
Cs8792   cns - unit iCs8792   cns - unit i
Cs8792 cns - unit iArthyR3
 
Java quick reference
Java quick referenceJava quick reference
Java quick referenceArthyR3
 
Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792   cns - Public key cryptosystem (Unit III)Cs8792   cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)ArthyR3
 
Cryptography Workbook
Cryptography WorkbookCryptography Workbook
Cryptography WorkbookArthyR3
 
Cs6701 cryptography and network security
Cs6701 cryptography and network securityCs6701 cryptography and network security
Cs6701 cryptography and network securityArthyR3
 
Compiler question bank
Compiler question bankCompiler question bank
Compiler question bankArthyR3
 

More from ArthyR3 (20)

Unit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfUnit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdf
 
VIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfVIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdf
 
OOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfOOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdf
 
NodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfNodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdf
 
MongoDB.pdf
MongoDB.pdfMongoDB.pdf
MongoDB.pdf
 
REACTJS.pdf
REACTJS.pdfREACTJS.pdf
REACTJS.pdf
 
ANGULARJS.pdf
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdf
 
JQUERY.pdf
JQUERY.pdfJQUERY.pdf
JQUERY.pdf
 
Qb it1301
Qb   it1301Qb   it1301
Qb it1301
 
CNS - Unit v
CNS - Unit vCNS - Unit v
CNS - Unit v
 
Cs8792 cns - unit v
Cs8792   cns - unit vCs8792   cns - unit v
Cs8792 cns - unit v
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit iv
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit iv
 
Cs8792 cns - unit i
Cs8792   cns - unit iCs8792   cns - unit i
Cs8792 cns - unit i
 
Java quick reference
Java quick referenceJava quick reference
Java quick reference
 
Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792   cns - Public key cryptosystem (Unit III)Cs8792   cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)
 
Cryptography Workbook
Cryptography WorkbookCryptography Workbook
Cryptography Workbook
 
Cns
CnsCns
Cns
 
Cs6701 cryptography and network security
Cs6701 cryptography and network securityCs6701 cryptography and network security
Cs6701 cryptography and network security
 
Compiler question bank
Compiler question bankCompiler question bank
Compiler question bank
 

Recently uploaded

21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological university21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological universityMohd Saifudeen
 
CLOUD COMPUTING SERVICES - Cloud Reference Modal
CLOUD COMPUTING SERVICES - Cloud Reference ModalCLOUD COMPUTING SERVICES - Cloud Reference Modal
CLOUD COMPUTING SERVICES - Cloud Reference ModalSwarnaSLcse
 
Dynamo Scripts for Task IDs and Space Naming.pptx
Dynamo Scripts for Task IDs and Space Naming.pptxDynamo Scripts for Task IDs and Space Naming.pptx
Dynamo Scripts for Task IDs and Space Naming.pptxMustafa Ahmed
 
Research Methodolgy & Intellectual Property Rights Series 2
Research Methodolgy & Intellectual Property Rights Series 2Research Methodolgy & Intellectual Property Rights Series 2
Research Methodolgy & Intellectual Property Rights Series 2T.D. Shashikala
 
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...josephjonse
 
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...Nitin Sonavane
 
The Entity-Relationship Model(ER Diagram).pptx
The Entity-Relationship Model(ER Diagram).pptxThe Entity-Relationship Model(ER Diagram).pptx
The Entity-Relationship Model(ER Diagram).pptxMANASINANDKISHORDEOR
 
Linux Systems Programming: Semaphores, Shared Memory, and Message Queues
Linux Systems Programming: Semaphores, Shared Memory, and Message QueuesLinux Systems Programming: Semaphores, Shared Memory, and Message Queues
Linux Systems Programming: Semaphores, Shared Memory, and Message QueuesRashidFaridChishti
 
Worksharing and 3D Modeling with Revit.pptx
Worksharing and 3D Modeling with Revit.pptxWorksharing and 3D Modeling with Revit.pptx
Worksharing and 3D Modeling with Revit.pptxMustafa Ahmed
 
handbook on reinforce concrete and detailing
handbook on reinforce concrete and detailinghandbook on reinforce concrete and detailing
handbook on reinforce concrete and detailingAshishSingh1301
 
Basics of Relay for Engineering Students
Basics of Relay for Engineering StudentsBasics of Relay for Engineering Students
Basics of Relay for Engineering Studentskannan348865
 
21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docx21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docxrahulmanepalli02
 
Low Altitude Air Defense (LAAD) Gunner’s Handbook
Low Altitude Air Defense (LAAD) Gunner’s HandbookLow Altitude Air Defense (LAAD) Gunner’s Handbook
Low Altitude Air Defense (LAAD) Gunner’s HandbookPeterJack13
 
Seizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networksSeizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networksIJECEIAES
 
Performance enhancement of machine learning algorithm for breast cancer diagn...
Performance enhancement of machine learning algorithm for breast cancer diagn...Performance enhancement of machine learning algorithm for breast cancer diagn...
Performance enhancement of machine learning algorithm for breast cancer diagn...IJECEIAES
 
Final DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualFinal DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualBalamuruganV28
 
Microkernel in Operating System | Operating System
Microkernel in Operating System | Operating SystemMicrokernel in Operating System | Operating System
Microkernel in Operating System | Operating SystemSampad Kar
 
Lab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docxLab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docxRashidFaridChishti
 
analog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptxanalog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptxKarpagam Institute of Teechnology
 
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfInvolute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfJNTUA
 

Recently uploaded (20)

21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological university21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological university
 
CLOUD COMPUTING SERVICES - Cloud Reference Modal
CLOUD COMPUTING SERVICES - Cloud Reference ModalCLOUD COMPUTING SERVICES - Cloud Reference Modal
CLOUD COMPUTING SERVICES - Cloud Reference Modal
 
Dynamo Scripts for Task IDs and Space Naming.pptx
Dynamo Scripts for Task IDs and Space Naming.pptxDynamo Scripts for Task IDs and Space Naming.pptx
Dynamo Scripts for Task IDs and Space Naming.pptx
 
Research Methodolgy & Intellectual Property Rights Series 2
Research Methodolgy & Intellectual Property Rights Series 2Research Methodolgy & Intellectual Property Rights Series 2
Research Methodolgy & Intellectual Property Rights Series 2
 
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
 
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
 
The Entity-Relationship Model(ER Diagram).pptx
The Entity-Relationship Model(ER Diagram).pptxThe Entity-Relationship Model(ER Diagram).pptx
The Entity-Relationship Model(ER Diagram).pptx
 
Linux Systems Programming: Semaphores, Shared Memory, and Message Queues
Linux Systems Programming: Semaphores, Shared Memory, and Message QueuesLinux Systems Programming: Semaphores, Shared Memory, and Message Queues
Linux Systems Programming: Semaphores, Shared Memory, and Message Queues
 
Worksharing and 3D Modeling with Revit.pptx
Worksharing and 3D Modeling with Revit.pptxWorksharing and 3D Modeling with Revit.pptx
Worksharing and 3D Modeling with Revit.pptx
 
handbook on reinforce concrete and detailing
handbook on reinforce concrete and detailinghandbook on reinforce concrete and detailing
handbook on reinforce concrete and detailing
 
Basics of Relay for Engineering Students
Basics of Relay for Engineering StudentsBasics of Relay for Engineering Students
Basics of Relay for Engineering Students
 
21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docx21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docx
 
Low Altitude Air Defense (LAAD) Gunner’s Handbook
Low Altitude Air Defense (LAAD) Gunner’s HandbookLow Altitude Air Defense (LAAD) Gunner’s Handbook
Low Altitude Air Defense (LAAD) Gunner’s Handbook
 
Seizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networksSeizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networks
 
Performance enhancement of machine learning algorithm for breast cancer diagn...
Performance enhancement of machine learning algorithm for breast cancer diagn...Performance enhancement of machine learning algorithm for breast cancer diagn...
Performance enhancement of machine learning algorithm for breast cancer diagn...
 
Final DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualFinal DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manual
 
Microkernel in Operating System | Operating System
Microkernel in Operating System | Operating SystemMicrokernel in Operating System | Operating System
Microkernel in Operating System | Operating System
 
Lab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docxLab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docx
 
analog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptxanalog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptx
 
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfInvolute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
 

CS6004 Cyber Forensics - UNIT IV

  • 1. CS6004 – CYBER FORENSICS UNIT IV EVIDENCE COLLECTION AND FORENSICS TOOLS
  • 2. OUTLINE  Processing Crime and Incident Scenes  Working with Windows and DOS Systems  Current Computer Forensics Tools - Software/ Hardware Tools 2 PreparedbyR.Arthy,AP/IT,KCET
  • 4. OBJECTIVES  Explain guidelines for seizing digital evidence at the scene  Describe how to secure a computer incident or crime scene  Describe how to preserve the evidence and establish the chain of custody  Enumerate some general guidelines to process crime and incident scene 4 PreparedbyR.Arthy,AP/IT,KCET
  • 5. WHAT IS FORENSIC?  Collection and analysis of evidence  Using scientific test or techniques  To establish facts against crime  For presenting in a legal proceeding  Therefore forensic science is a scientific method of gathering and examining information about the past which is then used in court of law 5 PreparedbyR.Arthy,AP/IT,KCET
  • 6. WHAT IS DIGITAL FORENSIC?  Digital Forensics is the use of scientifically derived and proven methods toward:  the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital devices  for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations 6 PreparedbyR.Arthy,AP/IT,KCET
  • 7. BRANCHES OF DIGITAL FORENSICS  The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved:  Computer forensics, Firewall Forensics, Database Forensics, Network forensics, Forensic data analysis and Mobile device forensics.  The typical forensic process encompasses the seizure, forensic imaging and analysis of digital media and the production of a report into collected evidence. 7 PreparedbyR.Arthy,AP/IT,KCET
  • 8. CRIMINAL INVESTIGATION  A principle in criminal investigation called Locard’s Exchange Principle  Anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind  Main goal of investigation to link crime to the suspect by discovering threads between suspect, victim and crime scene 8 Victim Crime Scene Suspect Evidence PreparedbyR.Arthy,AP/IT,KCET
  • 9. DIGITAL EVIDENCE  Evidence  A piece of information that supports a conclusion  Digital evidence  Any data that is recorded or preserved on any medium in or by a computer system or other similar digital device, that can be read or understood by a person or a computer system or other similar device.  It includes a display, printout or other output of that data. 9 PreparedbyR.Arthy,AP/IT,KCET
  • 10. CHARACTERISTICS OF DIGITAL EVIDENCE  Admissible  Conformity with the common law and legislative rules  Authentic  In linking data to specific individuals and events  Accurate  Believed and is consistent  Complete  With a full story of particular circumstances.  Convincing to juries  To have probative value, subjective and practical test of presentation  To proving beyond doubt 10 PreparedbyR.Arthy,AP/IT,KCET
  • 11. [CONTD…]  All investigations must follow the following rules of evidence:  Digital evidence integrity must be preserved to be admissible in court.  If the evidence is contaminated it cannot be de-contaminated  Digital evidence must be reliable: Authenticity evidence, clear easy to understand, and believable by a jury  Digital evidence must be complete : Exculpatory evidence for alternative suspects 11 PreparedbyR.Arthy,AP/IT,KCET
  • 13. [CONTD…]  e-mails,  digital photographs,  ATM transaction logs,  word processing documents,  Instant message histories,  files saved from accounting program,  spreadsheets,  internet browser histories,  databases,  the contents of computer memory,  computer backups, computer printouts,  Global Positioning System tracks,  logs from a hotel’s electronic door locks, and  digital video or audio files 13 PreparedbyR.Arthy,AP/IT,KCET
  • 15. [CONTD…]  Generally involves the following steps: 1. Seizing Digital Evidence at the Scene 2. Securing a computer incident or crime scene 3. Preserving the data 4. Establishing the chain of custody 5. Examining data for evidence 15 PreparedbyR.Arthy,AP/IT,KCET
  • 16. SEIZING DIGITAL EVIDENCE AT THE SCENE 16 PreparedbyR.Arthy,AP/IT, KCET
  • 17. INTRODUCTION  Law enforcement can seize evidence with a proper warrant  Corporate investigators might have the authority only to make an image of the suspect’s drive  When seizing digital evidence in criminal investigations  Follow U.S. DoJ standards for seizing digital data  Civil investigations follow same rules - require less documentation  Consult with your attorney for extra guidelines 17 PreparedbyR.Arthy,AP/IT,KCET
  • 18. PREPARING TO ACQUIRE DIGITAL EVIDENCE  The evidence you acquire at the scene depends on the nature of the case (Crime or Violation)  Ask your supervisor or senior forensics examiner in your organization the following questions:  Do you need to take the entire computer and all peripherals and media in the immediate area?  How are you going to protect the computer and media while transporting them to your lab?  Is the computer powered on when you arrive?  Is it possible the suspect damaged or destroyed the computer, peripherals, or media? 18 PreparedbyR.Arthy,AP/IT,KCET
  • 19. USING A TECHNICAL ADVISOR  Technical advisor  Can help you list the tools you need to process the incident or crime scene  Person guiding you about where to locate data and helping you extract log records  Or other evidence from large RAID servers  Can help create the search warrant by itemizing what you need for the warrant 19 PreparedbyR.Arthy,AP/IT,KCET
  • 20. TECHNICAL ADVISOR RESPONSIBILITIES  Know aspects of the seized system  Direct investigator handling sensitive material  Help secure the scene  Help document the planning strategy for search and seizure  Conduct ad hoc trainings  Document activities  Help conduct the search and seizure 20 PreparedbyR.Arthy,AP/IT,KCET
  • 21. PROCESSING AN INCIDENT OR CRIME SCENE - GUIDELINES  Keep a journal to document your activities  Secure the scene  Be professional and courteous with onlookers  Remove people who are not part of the investigation  Take video and still recordings of the area around the computer  Pay attention to details  Sketch the incident or crime scene  Check state of computers as soon as possible  Don’t cut electrical power to a running system unless it’s an older Windows 9x or MS-DOS system  Save data from current applications as safely as possible  Record all active windows or shell sessions 21 PreparedbyR.Arthy,AP/IT,KCET
  • 22. [CONTD…]  Make notes of everything you do when copying data from a live suspect computer  Close applications and shut down the computer  Bag and tag the evidence, following these steps:  Assign one person to collect and log all evidence  Tag all evidence you collect with the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it  Maintain two separate logs of collected evidence  Maintain constant control of the collected evidence and the crime or incident scene  Look for information related to the investigation  Passwords, passphrases, PINs, bank accounts  Collect documentation and media related to the investigation  Hardware, software, backup media, documentation, manuals 22 PreparedbyR.Arthy,AP/IT,KCET
  • 23. DOCUMENTING EVIDENCE IN THE LAB  Record your activities and findings as your work  Maintain a journal to record the steps you take as you process evidence  Goal is to reproduce the same result  When you or another investigator repeat the steps you took to collect evidence  A journal serves as a reference that documents the methods you need to process digital evidence 23 PreparedbyR.Arthy,AP/IT,KCET
  • 24. SECURING A COMPUTER INCIDENT OR CRIME SCENE 24 PreparedbyR.Arthy,AP/IT, KCET
  • 25. INTRODUCTION  Protecting the crime scene is crucial because if evidence is contaminated, it cannot be decontaminated.  The main goals of securing the crime scene are the following:  Preserve the evidence (No damage during collection, transportation, or storage)  Keep information confidential  Depending on the situation, crime scene preservation will vary.  Professional curiosity can destroy evidence  Involves police officers and other professionals who aren’t part of the crime scene processing team 25 PreparedbyR.Arthy,AP/IT,KCET
  • 26. [CONTD…]  How securing a computer incident or crime scene?  Define a secure perimeter  Use yellow barrier tape 26 PreparedbyR.Arthy,AP/IT,KCET
  • 27. [CONTD…]  How securing a computer incident or crime scene? (Cont.)  Physical surroundings of the computer should be photographed and clearly documented  Photographs should be taken before anything is touched 27 PreparedbyR.Arthy,AP/IT,KCET
  • 28. [CONTD…]  How securing a computer incident or crime scene? (Cont.)  Take custody of computer, peripherals, and media.  Bag and tag all evidence  Assign one person to collect and log all evidence  Record the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it  Maintain two separate logs of collected evidence  Use antistatic bags 28 PreparedbyR.Arthy,AP/IT,KCET
  • 30. CAPTURE VOLATILE DATA  Computer forensics team first captures any volatile data that would be lost when computer is turned off and moves data to a secure location  Contents of RAM  Current running processes  Current network connections (recent connections and open applications/sockets)  Logon sessions  Open files: File system time and date stamps 30 PreparedbyR.Arthy,AP/IT,KCET
  • 31. ACQUIRE IMAGE  Reboot will change disk images. Do not reboot!  After retrieving volatile data, focus on the hard drive  Make forensic backup = system image = bit-stream backup  Copy every bit of the file system, not just the disk files!  Its accuracy meets evidence standards  Example tools include:  Prodiscover  EnCase  FTK  OS does not influence which tools to use for bit-image capture 31 PreparedbyR.Arthy,AP/IT,KCET
  • 32. STORING DIGITAL EVIDENCE  The media you use to store digital evidence usually depends on how long you need to keep it  CD-Rs or DVDs  The ideal media  Capacity: up to 17 GB  Lifespan: 2 to 5 years  Magnetic tapes  Capacity: 40 to 72 GB  Lifespan: 30 years  Costs: drive: $400 to $800; tape: $40 32 PreparedbyR.Arthy,AP/IT,KCET
  • 33. EVIDENCE RETENTION AND MEDIA STORAGE NEEDS  To help maintain the chain of custody for digital evidence  Restrict access to lab and evidence storage area  Lab should have a sign-in roster for all visitors  Maintain logs for a period based on legal requirements  You might need to retain evidence indefinitely  Check with your local prosecuting attorney’s office or state laws to make sure you’re in compliance  You cannot retain child pornography evidence, however 33 PreparedbyR.Arthy,AP/IT,KCET
  • 35. [CONTD…]  Copy all image files to a large drive  Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash 35 PreparedbyR.Arthy,AP/IT,KCET
  • 36. ESTABLISHING THE CHAIN OF CUSTODY 36 PreparedbyR.Arthy,AP/IT,KCET
  • 37. INTRODUCTION  As soon as the team begins its work, must start and maintain a strict chain of custody  Chain of custody protects the integrity and reliability of the evidence  It documents that evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt the evidence  Effective process of documenting the complete journey of the evidence during the life of the case  Who collected it?  How & where?  Who took possession of it?  How was it stored & protected in storage? 37 PreparedbyR.Arthy,AP/IT,KCET
  • 38. [CONTD…]  Create or use an evidence custody form  An evidence custody form serves the following functions:  Identifies the evidence  Identifies who has handled the evidence  Lists dates and times the evidence was handled 38 PreparedbyR.Arthy,AP/IT,KCET
  • 39. EXAMINING DATA FOR EVIDENCE 39 PreparedbyR.Arthy,AP/IT,KCET
  • 40. PROCESSING AND HANDLING DIGITAL EVIDENCE  Maintain the integrity of digital evidence in the lab  As you do when collecting it in the field  Steps to create image files:  Copy all image files to a large drive  Start your forensics tool to analyze the evidence  Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash  Secure the original media in an evidence locker 40 PreparedbyR.Arthy,AP/IT,KCET
  • 42. LEARNING OBJECTIVES  List the key components of a disk drive.  Explain the purpose and structure of Microsoft FAT (and NTFS) file system.  Describe different types of file deletion, and what is required to completely remove a file from a disk.  Explain how the Windows Registry works, and enlist different types of useful forensics information it stores. 42 PreparedbyR.Arthy,AP/IT,KCET
  • 43. OUTLINE  Hard Disk  FAT  NTFS  Windows Registry 43 PreparedbyR.Arthy,AP/IT,KCET
  • 45. HARDWARE COMPONENTS  Motherboard / Mainboard  Processor / CPU  ROM - stores system-level programs that should be available at all times, e.g. BIOS  Registers & CPU cache - accept, hold, and transfer data at very high speed - very limited capacity  Main Memory / RAM - fast temporary memory - stores data only while computer on  Secondary (Permanent) Storage  hard disks / drive, CD-ROM, USB, floppy  Input Devices  keyboard, mouse, …  Output Devices  monitor, printer, … 45 PreparedbyR.Arthy,AP/IT,KCET
  • 47. SOFTWARE COMPONENTS  Operating System  Software (program + data) that runs on a computer  it manages computer hardware & provides common services for efficient execution of various application software  OSs are found on almost all ‘computing’ devices,  e.g. cellular phones, video game consoles, web servers, routers, … 47 PreparedbyR.Arthy,AP/IT,KCET
  • 48. COMPUTER FILES  File – a self contained collection of data available to OS and individual programs  comprises ‘related’ information  can be manipulated as an entity (e.g., deleted or moved from one storage media to another)  must have a unique name  has an extension (.doc, .txt, .exe, …) – indicates the type of encoding of its content and usage 48 PreparedbyR.Arthy,AP/IT,KCET
  • 49. COMPUTER FILE SYSTEM  File System  set of method/rules for storing and retrieving computer files (data)  gives an OS a road map to data on a secondary storage device (e.g., disk drive, USB, CD-ROM)  file system is usually directly related to an OS 49 PreparedbyR.Arthy,AP/IT,KCET
  • 50. DISK DRIVES / HARD DRIVE  consists of 1 or more platters coated with magnetic material – data is stored on platters in a particular way  each platters has 2 surfaces: top & bottom  key disk drive components:  head – the device that reads and writes data to a drive – there is one head per platter  tracks – concentric circles on a disk platter where data is located  sector – a pie shaped section on a track made up of 128, 256, 512 or 1024 bytes – smallest addressable storage unit on the hard drive  a cylinder – consists of corresponding tracks on all platters (e.g. track 12 on all d.d. platters)  geometry – refers to a disk’s structure of platters, tracks, and sectors 50 PreparedbyR.Arthy,AP/IT,KCET
  • 52. HEADS  Located on both sides of (each) platter only a few nanometers from the surface  heads are semi-static (only move up/down & small angle) - disk/platters rotate at speed of n*1000 revolutions per minute! (~ 250km/h)  heads are ‘inductive’ – they can generate a magnetic field  by creating positive or negative fields, they polarize the disk (platter) surface in a very tiny area  when these areas are read afterwards, the detected polarity is transformed by a ADC into a 0 or 1 52 PreparedbyR.Arthy,AP/IT,KCET
  • 54. EXAMPLE: DISK DRIVE CAPACITY AND SPEED: HISTORY 54 PreparedbyR.Arthy,AP/IT,KCET
  • 55. CLUSTER  One or a group of sectors – logical unit of file storage on a hard drive  number of sectors in a cluster (2n), depends on:  disk size: bigger disk ⇒ bigger cluster  logical disk organization (e.g., FAT12 /16 /32 or NTFS)  whatever the logical size of a file, it is allocated disk space in multiples of clusters!  sectors in a cluster are physically adjacent on the disk  clusters in a file may NOT be adjacent  clusters are managed by computers OS 55 PreparedbyR.Arthy,AP/IT,KCET
  • 56. [CONTD…]  Example: Bigger disk - bigger cluster size …  FAT16 is not recommended for volumes larger than 511 MB. When relatively small files are placed on a FAT16 volume, FAT uses disk space inefficiently! 56 PreparedbyR.Arthy,AP/IT,KCET
  • 57. WINDOWS FILE SYSTEMS  3 types of file systems have been used by Windows: FAT, FAT32, NTFS 57 PreparedbyR.Arthy,AP/IT,KCET
  • 59. FAT FILE SYSTEM  Introduction  Major Sections of FAT Hard Disks  Slack Space in FAT  Deleting FAT Files  Forensics Implications 59 PreparedbyR.Arthy,AP/IT,KCET
  • 60. INTRODUCTION  FAT x – File Allocation Table – family of file systems for DOS/Windows operating systems  FAT table – stores info. on status of all clusters on the disk = ‘table of content’  x = 12, 16, 32 – number of bits used for cluster identification/numbering  bit-size of each FAT table entry 60 PreparedbyR.Arthy,AP/IT,KCET
  • 61. [CONTD…]  Example: FAT12, FAT16, FAT32 61 PreparedbyR.Arthy,AP/IT,KCET
  • 62. [CONTD…]  Example: FAT16 capacity Can 700 MB disk drive be formatted with a FAT16 file system using 4KB clusters? FAT16 ⇒ 216 = 65536 clusters 216 clusters * 4 Kbytes = 26 * 210 * 4 * 210 bytes max capacity = 64 * 4 MB = 256 MB 62 PreparedbyR.Arthy,AP/IT,KCET
  • 63. MAJOR SECTION 1) Boot Sector – occupies the 1st cluster on the disk  contains specific information about organization of the file system, including: type of FAT (12/16/32) system,  # of bytes per sector,  # of sectors per track,  # of sectors per cluster,  # of read heads,  # of FAT tables,  # of clusters per FAT table, etc. 63 PreparedbyR.Arthy,AP/IT,KCET
  • 65. [CONTD…] 2) FAT Tables  keep track of allocation status of different data clusters  entry N relates to data cluster N – the actual value is a pointer to another FAT entry  set of clusters that constitute one file are defined by a set of linked FAT entries  multiple FATs (FAT1 & FAT2) ensure redundancy in case of data corruption – FAT2 is a backup of FAT 1  typically used on portable (more vulnerable) media 65 PreparedbyR.Arthy,AP/IT,KCET
  • 66. [CONTD…]  Example: Use of FAT system 66 PreparedbyR.Arthy,AP/IT,KCET
  • 67. [CONTTD…]  FAT entry values 67 PreparedbyR.Arthy,AP/IT,KCET
  • 68. [CONTD…] 3) Root Directory (FAT12/16 only)  stores Directory Table – table of 32-byte long entries for each file & directory created on the disk 4) Data Area  contains file & directory data – occupies remaining sectors (clusters) on the disk  first cluster of Data Area is numbered 2; though, this is physical sector 33! 68 PreparedbyR.Arthy,AP/IT,KCET
  • 69. [CONTD…]  Example: (Root) Directory Table entries in bytes 69 PreparedbyR.Arthy,AP/IT,KCET
  • 70. [CONTD…]  Example: File fragmentation / cluster allocation in FAT 70 PreparedbyR.Arthy,AP/IT,KCET
  • 71. [CONTD…] Example: Final Exam 2010  Assume a computer employs the FAT16 file system with components as shown below:  A file, containing a set of numbers, is stored on this computer under the name YourFile.txt.  Using the provided information, identify the first six numbers stored in YourFile.txt. 71 PreparedbyR.Arthy,AP/IT,KCET
  • 73. SLACK SPACE IN FAT  phenomenon caused by the way how computers store data/files:  files are allocated cluster-sized chunks  regardless of the actual size of data in the file  data may not be big enough to fill (all) segments, i.e. clusters 73 PreparedbyR.Arthy,AP/IT,KCET
  • 74. [CONTD…]  sector slack - space between EOF and end of last sector that file was written to known as RAM slack as OS pulls any info available in RAM at that point (memory dump) to fill this space – e.g. logon IDs, passwords, segments of other files  cluster slack - remaining sectors in cluster known as file slack – contains whatever was last written by disk in those sectors (e.g. parts of a deleted file) 74 PreparedbyR.Arthy,AP/IT,KCET
  • 75. DELETING FAT FILES  system places deletion mark on the file  deletion mark ⇒ first letter of the file name is replaced with E5 (lower-case Greek letter σ)  FAT entries of respective clusters are still unchanged!  in DATAAREA clusters still preserve the original data! 75 PreparedbyR.Arthy,AP/IT,KCET
  • 76. [CONTD…]  Example: Deleting by sending to Recycle Bin 76 PreparedbyR.Arthy,AP/IT,KCET
  • 77. [CONTD…]  File Allocation Table (FAT) before and after deletion of “test1.txt” file. 77 PreparedbyR.Arthy,AP/IT,KCET
  • 78. [CONTD…]  Example: Deleting by clearing from Recycle Bin  File Allocation Table (FAT) before and after clearing Recycle Bin. 78 PreparedbyR.Arthy,AP/IT,KCET
  • 79. FORENSICS IMPLICATIONS  On deletion of a file, the data contained in a file is NOT ‘gone’  it is merely ‘hidden’ from he operating system and the space  it occupies is made available for reuse.  Deleted data still resides in the space previously allocated to it, unless overwritten.  It is possible to ‘undelete’ (reconstruct) a file – or some of its parts – even after Recycle bin has been emptied!  However, there may be evidential difficulties with files recovered from unallocated space. We cannot state the date and time attributes of even a complete file found in unallocated space, as there is no respective entry in the File Directory Table. 79 PreparedbyR.Arthy,AP/IT,KCET
  • 80. [CONTD…]  Disk Formatting – still does not erase data!  only pointers (FAT and FDT) get destroyed  data that formed the file remains intact in their locations  Disk Wiping – secure deletion – wiped files have their directory entries and allocated space physically overwritten by random or user-defined characters  Windows wiping tools:  Disk Wipe: http://www.diskwipe.org/  Eraser: http://eraser.heidi.ie/ 80 PreparedbyR.Arthy,AP/IT,KCET
  • 81. NTFS FILE SYSTEM  NTFS – New Technology File System – introduced for Windows NT and Vista  provides significant improvements over FAT, including:  file and folder permissions – folder and file access can be controlled individually  file encryption – NTFS enables strong encryption of files and folders extremely resistant to attacks  file compression – NTFS enables lossy compression on both files and folders  disk efficiency – NTFS supports smaller cluster size than FAT32  greater reliability – NTFS writes a log of changes being made to files and folders (NTFS journal), which helps the OS to recover from system failures … 81 PreparedbyR.Arthy,AP/IT,KCET
  • 82. WINDOWS REGISTRY  critical part of any Windows OSs - hierarchical database containing configuration information about:  system hardware;  installed software (programs);  property settings;  profile for each user, etc.  OS uses instructions stored in the registry  to determine how installed hardware and software should function  e.g. typical software comes with a Windows installer that writes to the registry during installation  system must be restarted for changes to take place … 82 PreparedbyR.Arthy,AP/IT,KCET
  • 83. [CONTD…]  Example: Opening Windows Registry  Type ‘regedit’ in cmd window.  Registry comprises 5 to 7 hierarchical folders – hives.  Folders’ names start with HKEY – Handle to a Key. 83 PreparedbyR.Arthy,AP/IT,KCET
  • 85. [CONTD…]  Forensics Implications – information (i.e. potential evidence) that reside in the Registry make it a significant forensics resource  information that can be found in the registry include:  general information about the OS  startup (boot-time) applications  logs of computers that have communicated with the host  logs of USBs that have been connected to the host  logs of Web site histories and typed URLs  downloaded files/programs, e.g. wiping programs to destroy evidence  auto complete Internet Explorer passwords 85 PreparedbyR.Arthy,AP/IT,KCET
  • 86. [CONTD…]  Example: Registry Information about OS  Keys to look at (investigate):  HKLMSoftwareMicrosoftWindows NTCurrentVersion  Obtained info: OS version, Installation Date, Product ID, etc.  Example: Registry Information about Time Zone  Keys to look at (investigate):  HKLMSystemControlSet001ControlTimeZoneInformation  Example: Registry Information about Startup Applications  Keys to look at (investigate):  HKLMSoftwareMicrosoftWindowsCurrentVersionRun  HKLMSoftwareMicrosoftWindowsCurrentVersionRunonce  (Typically used to load an application for installation the next time the computer boots. After the machine reboots, the entry is removed.)  Services/programs enlisted in these ‘files’ run each time / when a user logs on.  Malware (spyware, trojans, worms, viruses) often attempt to embed themselves in these startup areas. 86 PreparedbyR.Arthy,AP/IT,KCET
  • 87. [CONTD…]  Example: Registry Information about LAN Computers  Keys to look at (investigate):  HKCUSoftwareMicrosoftWindowsCurrentVersionExplore rComputerDescriptions  A computer on a properly configured LAN should be able to display all the computers on that network through MyNetworkPlace. The list of these computer – i.e. devices that the host has ever connected to – is stored in the Registry. 87 PreparedbyR.Arthy,AP/IT,KCET
  • 88. [CONTD…]  Example: Registry Information about USB Devices  Keys to look at (investigate):  HKLMSystemControlSet00xEnumUSBSTOR  Anytime a device is connected to a USB, driver are queried and the device’s information is stored into the Registry. 88 PreparedbyR.Arthy,AP/IT,KCET
  • 89. [CONTD…]  Example: Registry Information about IE Passwords  Keys to look at (investigate):  HKCUSoftwareMicrosoftInternetExplorerMain  Key to look at: “FormSuggest PW Ask” – should be “yes” ⇒  Windows AutoComplete Password feature is enabled.  List of ‘memorized’ passwords can be found at:  HKCUSoftwareMicrosoftInternetExplorerIntelliFormsSto rage2 89 PreparedbyR.Arthy,AP/IT,KCET
  • 90. Current Computer Forensics Tools - Software/ Hardware Tools
  • 91. OUTLINE  Introduction  Evaluating Computer Forensics Tool Needs  Types of Computer Forensics Tools  Tasks Performed by Computer Forensics Tools  Command-Line Forensics Tools  UNIX/Linux Forensics Tools  GUI Forensics Tools  Forensic Workstations  Validating and Testing Forensics Software  Using Validation Protocols  Computer Forensics Examination Protocol  Example 91 PreparedbyR.Arthy,AP/IT,KCET
  • 92. INTRODUCTION  Computer forensics tools are constantly being developed, updated, patched, and revised.  Therefore, checking vendors’ Web sites routinely to look for new features and improvements is important.  Before purchasing any forensics tools, consider whether the tool can save you time during investigations and whether that time savings affects the reliability of data you recover. 92 PreparedbyR.Arthy,AP/IT,KCET
  • 93. EVALUATING COMPUTER FORENSICS TOOL NEEDS  Some questions to ask when evaluating computer forensic tools:  On which OS does the forensics tool run?  Is the tool versatile? For example, does it work in Windows 98, XP, and Vista and produce the same results in all three OSs?  Can the tool analyze more than one file system, such as FAT, NTFS, and Ext2fs?  Can a scripting language be used with the tool to automate repetitive functions and tasks?  Does the tool have any automated features that can help reduce the time needed to analyze data?  What is the vendor’s reputation for providing product support? 93 PreparedbyR.Arthy,AP/IT,KCET
  • 94. [CONTD…]  When you search for tools, keep in mind what file types you’ll be analyzing.  For example, if you need to analyze Microsoft Access databases, look for a product designed to read these files.  If you’re analyzing e-mail messages, look for a forensics tool capable of reading e-mail content. 94 PreparedbyR.Arthy,AP/IT,KCET
  • 95. TYPES OF COMPUTER FORENSICS TOOLS  Hardware forensic tools  Range from single-purpose components to complete computer systems and servers  Software forensic tools  Types  Command-line applications  GUI applications  Commonly used to copy data from a suspect’s disk drive to an image file 95 PreparedbyR.Arthy,AP/IT,KCET
  • 96. TASKS PERFORMED BY COMPUTER FORENSICS TOOLS  All computer forensics tools, both hardware and software, perform specific functions.  Five major categories:  Acquisition  Validation and discrimination  Extraction  Reconstruction  Reporting 96 PreparedbyR.Arthy,AP/IT,KCET
  • 97. 1. ACQUISITION  Acquisition, the first task in computer forensics investigations, is making a copy of the original drive.  Acquisition subfunctions:  Physical data copy  Logical data copy  Data acquisition format  Command-line acquisition  GUI acquisition  Remote acquisition  Verification 97 PreparedbyR.Arthy,AP/IT,KCET
  • 98. [CONTD…]  Some computer forensics software suites, such as AccessData FTK and EnCase, provide separate tools for acquiring an image.  However, some investigators opt to use hardware devices, such as the Logicube Talon, VOOM HardCopy 3, or ImageMASSter Solo III Forensic unit from Intelligent Computer Solutions, Inc., for acquiring an image.  These hardware devices have their own built-in software for data acquisition.  No other device or program is needed to make a duplicate drive; however, you still need forensics software to analyze the data 98 PreparedbyR.Arthy,AP/IT,KCET
  • 99. [CONTD…]  Two types of data-copying methods are used in software acquisitions:  Physical copying of the entire drive  Logical copying of a disk partition  The formats for disk acquisitions vary  From raw data to vendor-specific proprietary compressed data  You can view the contents of a raw image file with any hexadecimal editor 99 PreparedbyR.Arthy,AP/IT,KCET
  • 101. [CONTD…]  All computer forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image.  For example, EnCase prompts you to obtain the MD5 hash value of acquired data,  FTK validates MD5 and SHA-1 hash sets during data acquisition, and Safe Back runs an SHA-256 hash while acquiring data.  Hardware acquisition tools, such as Image MASSter Solo, can perform simultaneous MD5 and CRC-32 hashing during data acquisition.  Whether you choose a software or hardware solution for your acquisition needs, make sure the tool has a hashing function for verification purposes. 101 PreparedbyR.Arthy,AP/IT,KCET
  • 102. 2. VALIDATION AND DISCRIMINATION  Two issues in dealing with computer evidence are critical.  First is ensuring the integrity of data being copied—the validation process.  Second is the discrimination of data, which involves sorting and searching through all investigation data.  Many forensics software vendors offer three methods for discriminating data values.  Hashing  Filtering  Analyzing file headers  Validating data is done by obtaining hash values.  This unique hexadecimal value for data, used to make sure the original data hasn’t changed. 102 PreparedbyR.Arthy,AP/IT,KCET
  • 104. [CONTD…]  The primary purpose of data discrimination is to remove good data from suspicious data.  Good data consists of known files, such as OS files and common programs (Microsoft Word, for example).  The National Software Reference Library (NSRL) has compiled a list of known file hashes for a variety of OSs, applications, and images. 104 PreparedbyR.Arthy,AP/IT,KCET
  • 106. 3. EXTRACTION  The extraction function is the recovery task in a computing investigation and is the most challenging of all tasks to master.  Recovering data is the first step in analyzing an Investigation’s data.  The following sub functions of extraction are used in Investigations.  Data viewing  Keyword searching  Decompressing  Carving  Decrypting  Bookmarking3 106 PreparedbyR.Arthy,AP/IT,KCET
  • 107. [CONTD…]  Many computer forensics tools include a dataviewing mechanism for digital evidence.  Tools such as ProDiscover, X-Ways Forensics, FTK, EnCase, SMART, ILook, and others offer several ways to view data, including logical drive structures, such as folders and files. 107 PreparedbyR.Arthy,AP/IT,KCET
  • 108. [CONTD…]  A common task in computing investigations is searching for and recovering key data facts.  Computer forensics programs have functions for searching for keywords of interest to the investigation.  Using a keyword search speeds up the analysis process for investigators.  With some tools, you can set filters to select the file types to search, such as searching only PDF documents.  Another function in some forensics tools is indexing all words on a drive.  X-Ways Forensics and FTK 1.6x and earlier offer this feature, using the binary index (Btree) search engine from dtSearch. 108 PreparedbyR.Arthy,AP/IT,KCET
  • 109. [CONTD….]  Example – Keyword Search 109 PreparedbyR.Arthy,AP/IT,KCET
  • 110. 4. RECONSTRUCTION  The purpose of having a reconstruction feature in a forensics tool is to re-create a suspect drive to show what happened during a crime or an incident.  Another reason for duplicating a suspect drive is to create a copy for other computer investigators, who might need a fully functional copy of the drive so that they can perform their own acquisition, test, and analysis of the evidence.  These are the sub functions of reconstruction:  Disk-to-disk copy  Image-to-disk copy  Partition-to-partition copy  Image-to-partition copy 110 PreparedbyR.Arthy,AP/IT,KCET
  • 111. [CONTD…]  There are several ways to re-create an image of a suspect drive. Under ideal circumstances, the best and most reliable method is obtaining the same make and model drive as the suspect drive,  If the suspect drive has been manufactured recently, locating an identical drive is fairly easy.  A drive manufactured three months ago might be out of production and unavailable for sale, which makes locating identical older drives more difficult. 111 PreparedbyR.Arthy,AP/IT,KCET
  • 112. [CONTD…]  The simplest method of duplicating a drive is using a tool that makes a direct disk-to-disk copy from the suspect drive to the target drive.  One free tool is the UNIX/Linux dd command, but it has a major disadvantage:  The target drive being written to must be identical to the original (suspect) drive, with the same cylinder, sector, and track count. 112 PreparedbyR.Arthy,AP/IT,KCET
  • 113. [CONTD…]  For a disk-to-disk copy, both hardware and software duplicators are available; hardware duplicators are the fastest way to copy data from one disk to another.  Hardware duplicators, such as Logicube Talon, Logicube Forensic MD5, and ImageMASSter Solo III Forensics  Hard Drive Duplicator, adjust the target drive’s geometry to match the suspect drive’s cylinder, sectors, and tracks. 113 PreparedbyR.Arthy,AP/IT,KCET
  • 114. [CONTD…]  For image-to-disk and image-to-partition copies, many more tools are available, but they are considerably slower in transferring data.  The following are some tools that perform an imageto- disk copy:  SafeBack  SnapBack  EnCase  FTK Imager  ProDiscover  X-Ways Forensics 114 PreparedbyR.Arthy,AP/IT,KCET
  • 115. 5. REPORTING  To complete a forensics disk analysis and examination, you need to create a report.  Before Windows forensics tools were available, this process required copying data from a suspect drive and extracting the digital evidence manually.  The investigator then copied the evidence to a separate program, such as a word processor, to create a report.  Newer Windows forensics tools can produce electronic reports in a variety of formats, such as word processing documents, HTML Web pages, or Acrobat PDF files.  These are the sub functions of the reporting function:  Log reports  Report generator 115 PreparedbyR.Arthy,AP/IT,KCET
  • 116. [CONTD…]  Many forensics tools, such as FTK, ILook, and X-Ways Forensics, can produce a log report that records activities the investigator performed.  Then a built-in report generator is used to create a report in a variety of formats.  The following tools are some that offer report generators displaying bookmarked evidence:  EnCase  FTK  Ilook  X-Ways Forensics  ProDiscover  The log report can be added to your final report as additional documentation of the steps you took during the examination, which can be useful if repeating the examination is necessary. 116 PreparedbyR.Arthy,AP/IT,KCET
  • 117. COMMAND-LINE FORENSICS TOOLS  The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems.  One of the first MS-DOS tools used for computer investigations was Norton Disk Edit.  This tool used manual processes that required investigators to spend considerable time on a typical 500 MB drive.  Eventually, programs designed for computer forensics were developed for DOS, Windows, Apple, NetWare, and UNIX systems. 117 PreparedbyR.Arthy,AP/IT,KCET
  • 118. [CONTD…]  Some of these early programs could extract data from slack and free disk space; others were capable only of retrieving deleted files.  Current programs are more robust and can search for specific words or characters, import a keyword list to search, calculate hash values, recover deleted items, conduct physical and logical analyses, and more.  Some command-line forensics tools are created specifically for DOS/Windows platforms;  others are created for Macintosh and UNIX/Linux. Because there are many different versions of UNIX and Linux, these OSs are often referred to as *nix platforms. 118 PreparedbyR.Arthy,AP/IT,KCET
  • 121. UNIX/LINUX FORENSICS TOOLS  The *nix platforms have long been the primary command-line OSs, but typical end users haven’t used them widely.  However, with GUIs now available with *nix platforms, these OSs are becoming more popular with home and corporate end users.  There are several *nix tools for forensics analysis, such as SMART, BackTrack, Autopsy with Sleuth Kit, and Knoppix-STD.  SMART is designed to be installed on numerous Linux versions, including Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, Slackware, and more. 121 PreparedbyR.Arthy,AP/IT,KCET
  • 122. [CONTD…]  You can analyze a variety of file systems with SMART;  SMART includes several plug-in utilities. This modular approach makes it possible to upgrade SMART components easily and quickly.  SMART can also take advantage of multithreading capabilities in OSs and hardware.  Another useful option in SMART is the hex viewer. Hex values are color-coded to make it easier to see where a file begins and ends.  SMART also offers a reporting feature. Everything you do during your investigation with SMART is logged, so you can select what you want to include in a report, such as bookmarks. 122 PreparedbyR.Arthy,AP/IT,KCET
  • 123. [CONTD…]  Helix One of the easiest suites to use is Helix because of its user interface. What’s unique about Helix is that you can load it on a live Windows system, Its Windows component is used for live acquisitions  During corporate investigations, often you need to retrieve RAM and other data, such as the suspect’s user profile, from a workstation or server that can’t be seized or turned off.  This data is extracted while the system is running and captured in its state at the time of extraction. 123 PreparedbyR.Arthy,AP/IT,KCET
  • 124. [CONTD…]  To do a live acquisition, insert the Helix CD into the suspect’s machine. After clicking I ACCEPT in the licensing window, you see the Helix menu 124 PreparedbyR.Arthy,AP/IT,KCET
  • 125. [CONTD…]  BackTrack is another Linux Live CD used by many security professionals and forensics investigators. It includes a variety of tools and has an easy-to-use KDE interface.  Autopsy and Sleuth Kit is a Linux forensics tool, and Autopsy is the GUI browser interface for accessing Sleuth Kit’s tools.  Knoppix Security Tools Distribution (STD) is a collection of tools for configuring security measures, including computer and network forensics.  Note that Knoppix- STD is forensically sound, so it doesn’t allow you to alter or damage the system you’re analyzing.  If you boot this CD into Windows, Knoppix lists available tools. Although many of the tools have GUI interfaces, some are still command line only. 125 PreparedbyR.Arthy,AP/IT,KCET
  • 126. GUI FORENSICS TOOLS  Several software vendors have introduced forensics tools that work in Windows.  Because GUI forensics tools don’t require the same understanding of MS-DOS and file systems as command-line tools, they can simplify computer forensics investigations.  These GUI tools have also simplified training for beginning examiners; however, you should continue to learn about and use command-line tools because some GUI tools might miss critical evidence. 126 PreparedbyR.Arthy,AP/IT,KCET
  • 127. [CONTD…]  GUI tools have several advantages, such as ease of use, the capability to perform multiple tasks, and no requirement to learn older OSs.  Their disadvantages range from excessive resource requirements (needing large amounts of RAM, for example) and producing inconsistent results because of the type of OS used, such as Windows Vista 32-bit or 64- bit systems 127 PreparedbyR.Arthy,AP/IT,KCET
  • 128. FORENSIC WORKSTATIONS  Many computer vendors offer a wide range of forensic workstations that you can tailor to meet your investigation needs.  Forensic workstations can be divided into the following categories:  Stationary workstation—A tower with several bays and many peripheral devices  Portable workstation—A laptop computer with a builtin LCD monitor and almost as many bays and peripherals as a stationary workstation  Lightweight workstation—Usually a laptop computer built into a carrying case with a small selection of peripheral options. 128 PreparedbyR.Arthy,AP/IT,KCET
  • 129. [CONTD…]  Building Your Own Workstation  If you have the time and skill to build your own forensic workstation, you can customize it to your needs and save money, although you might have trouble finding support for problems that develop.  For example, peripheral devices might conflict with one another, or components might fail. If you build your own forensic workstation, you should be able to support the hardware.  If you decide that building a forensic workstation is beyond your skills, several vendors offer workstations designed for computer forensics, such as the F.R.E.D. unit from Digital Intelligence or the Dual Xeon Workstation from Forensic PC.  Having a vendor-supplied workstation has its advantages. 129 PreparedbyR.Arthy,AP/IT,KCET
  • 130. [CONTD…]  Using a Write-Blocker  The first item you should consider for a forensic workstation is a write-blocker.  Write blockers protect evidence disks by preventing data from being written to them.  Software and hardware write-blockers perform the same function but in a different fashion.  Software write-blockers, such as PDBlock from Digital Intelligence, typically run in a shell mode (for example, DOS). 130 PreparedbyR.Arthy,AP/IT,KCET
  • 131. [CONTD…]  [contd…]  If you attempt to write data to the blocked drive, an alarm sounds, advising that no writes have occurred.  With hardware write-blockers, you can connect the evidence drive to your workstation and start the OS as usual.  Hardware write-blockers are ideal for GUI forensics tools.  They prevent Windows or Linux from writing data to the blocked drive.  Hardware write-blockers act as a bridge between the suspect drive and the forensic workstation.  Many vendors have developed write-blocking devices that connect to a computer through FireWire, USB 2.0, SATA, and SCSI controllers.  Most of these write-blockers enable you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive. 131 PreparedbyR.Arthy,AP/IT,KCET
  • 132. VALIDATING AND TESTING FORENSICS SOFTWARE  Using National Institute of Standards and Technology (NIST) Tools :  NIST has created criteria for testing computer forensics tools, which are included in the articlen “General Test Methodology for Computer Forensic Tools”.  Testing Standards:  Establish categories for computer forensics tools  Identify computer forensics category requirements  Develop test assertions  Identify test cases  Establish a test method  Report test result 132 PreparedbyR.Arthy,AP/IT,KCET
  • 133. USING VALIDATION PROTOCOLS  After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.  For example, after you use one forensics tool to retrieve disk data, you use another to see whether you retrieve the same information.  Although this step might seem unnecessary, you might be asked on the witness stand “How did you verify your results?” To satisfy the need for verification, you need at least two tools to validate software or hardware upgrades.  The tool you use to validate the results should be well tested and documented. 133 PreparedbyR.Arthy,AP/IT,KCET
  • 134. COMPUTER FORENSICS EXAMINATION PROTOCOL 1. First, conduct your investigation of the digital evidence with one GUI tool. 2. Then perform the same investigation with a disk editor to verify that the GUI tool is seeing the same digital evidence in the same places on the test or suspect drive’s image. 3. If a file is recovered, obtain the hash value with the GUI tool and the disk editor, and then compare the results to verify whether the file has the same value in both tools. 134 PreparedbyR.Arthy,AP/IT,KCET
  • 135. COMPUTER FORENSICS TOOL UPGRADE PROTOCOL  In addition to verifying your results by using two disk- analysis tools, you should test all new releases and OS patches and upgrades to make sure they’re reliable and don’t corrupt evidence data.  New releases and OS upgrades and patches can affect the way your forensics tools perform. 135 PreparedbyR.Arthy,AP/IT,KCET
  • 140. [CONTD…]  Loads all the content 140 PreparedbyR.Arthy,AP/IT,KCET
  • 141. [CONTD….] STEP 2: VALIDATION AND DISCRIMINATION 141 Prodiscvoer provides three hashing algorithms •MD5 :- It is 128 bit hash. It is most commonly used has algorithm in India. •SHA-1 :- It is forensics more accurate & widely recommended for forensics hash verification •SHA-256 :- It is highly secured but time consuming PreparedbyR.Arthy,AP/IT,KCET
  • 142. [CONTD…] STEP 3: EXTRACTION  Data Carving 142 PreparedbyR.Arthy,AP/IT,KCET