CS6004 Cyber Forensics - UNIT IV
1. CS6004 – CYBER FORENSICS
UNIT IV
EVIDENCE COLLECTION AND
FORENSICS TOOLS
2. OUTLINE
Processing Crime and Incident Scenes
Working with Windows and DOS Systems
Current Computer Forensics Tools - Software/Hardware Tools

Prepared by R. Arthy, AP/IT, KCET
4. OBJECTIVES
Explain guidelines for seizing digital evidence at the scene
Describe how to secure a computer incident or crime scene
Describe how to preserve the evidence and establish the chain of custody
Enumerate some general guidelines to process crime and incident scenes
5. WHAT IS FORENSICS?
Collection and analysis of evidence
Using scientific tests or techniques
To establish facts about a crime
For presentation in a legal proceeding
Forensic science is therefore a scientific method of gathering and examining information about the past, which is then used in a court of law
6. WHAT IS DIGITAL FORENSICS?
Digital forensics is the use of scientifically derived and proven methods toward:
the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital devices
for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations
7. BRANCHES OF DIGITAL FORENSICS
The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved:
Computer forensics, Firewall Forensics, Database Forensics, Network forensics, Forensic data analysis and Mobile device forensics.
The typical forensic process encompasses the seizure, forensic imaging and analysis of digital media and the production of a report into the collected evidence.
8. CRIMINAL INVESTIGATION
A principle in criminal investigation called Locard’s Exchange Principle:
Anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind
The main goal of an investigation is to link the crime to the suspect by discovering the threads between suspect, victim and crime scene
[Diagram: Evidence at the centre, linking Victim, Crime Scene and Suspect]
9. DIGITAL EVIDENCE
Evidence
A piece of information that supports a conclusion
Digital evidence
Any data that is recorded or preserved on any medium in or by a computer system or other similar digital device, that can be read or understood by a person or a computer system or other similar device.
It includes a display, printout or other output of that data.
10. CHARACTERISTICS OF DIGITAL EVIDENCE
Admissible
Conformity with the common law and legislative rules
Authentic
In linking data to specific individuals and events
Accurate
Believable and consistent
Complete
Tells the full story of the particular circumstances
Convincing to juries
Has probative value; this is a subjective and practical test of presentation
Proves the case beyond doubt
11. [CONTD…]
All investigations must follow these rules of evidence:
The integrity of digital evidence must be preserved for it to be admissible in court
If the evidence is contaminated it cannot be decontaminated
Digital evidence must be reliable: authentic, clear, easy to understand, and believable by a jury
Digital evidence must be complete: it must include exculpatory evidence that points to alternative suspects
13. [CONTD…]
Examples of digital evidence include:
e-mails,
digital photographs,
ATM transaction logs,
word processing documents,
instant message histories,
files saved from accounting programs,
spreadsheets,
Internet browser histories,
databases,
the contents of computer memory,
computer backups,
computer printouts,
Global Positioning System tracks,
logs from a hotel’s electronic door locks, and
digital video or audio files
15. [CONTD…]
Generally involves the following steps:
1. Seizing Digital Evidence at the Scene
2. Securing a computer incident or crime scene
3. Preserving the data
4. Establishing the chain of custody
5. Examining data for evidence
17. INTRODUCTION
Law enforcement can seize evidence with a proper warrant
Corporate investigators might have the authority only to make an image of the suspect’s drive
When seizing digital evidence in criminal investigations, follow U.S. DoJ standards for seizing digital data
Civil investigations follow the same rules but require less documentation
Consult with your attorney for extra guidelines
18. PREPARING TO ACQUIRE DIGITAL EVIDENCE
The evidence you acquire at the scene depends on the nature of the case (crime or violation)
Ask your supervisor or a senior forensics examiner in your organization the following questions:
Do you need to take the entire computer and all peripherals and media in the immediate area?
How are you going to protect the computer and media while transporting them to your lab?
Is the computer powered on when you arrive?
Is it possible the suspect damaged or destroyed the computer, peripherals, or media?
19. USING A TECHNICAL ADVISOR
Technical advisor
Can help you list the tools you need to process the incident or crime scene
Guides you about where to locate data and helps you extract log records or other evidence from large RAID servers
Can help create the search warrant by itemizing what you need for the warrant
20. TECHNICAL ADVISOR RESPONSIBILITIES
Know aspects of the seized system
Direct investigator handling sensitive material
Help secure the scene
Help document the planning strategy for search and
seizure
Conduct ad hoc trainings
Document activities
Help conduct the search and seizure
21. PROCESSING AN INCIDENT OR CRIME SCENE - GUIDELINES
Keep a journal to document your activities
Secure the scene
Be professional and courteous with onlookers
Remove people who are not part of the investigation
Take video and still recordings of the area around the computer
Pay attention to details
Sketch the incident or crime scene
Check the state of the computers as soon as possible
Don’t cut electrical power to a running system unless it’s an older Windows 9x or MS-DOS system
Save data from current applications as safely as possible
Record all active windows or shell sessions
22. [CONTD…]
Make notes of everything you do when copying data from a live suspect computer
Close applications and shut down the computer
Bag and tag the evidence, following these steps:
Assign one person to collect and log all evidence
Tag all evidence you collect with the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it
Maintain two separate logs of collected evidence
Maintain constant control of the collected evidence and the crime or incident scene
Look for information related to the investigation
Passwords, passphrases, PINs, bank accounts
Collect documentation and media related to the investigation
Hardware, software, backup media, documentation, manuals
23. DOCUMENTING EVIDENCE IN THE LAB
Record your activities and findings as you work
Maintain a journal to record the steps you take as you process evidence
The goal is to reproduce the same result when you or another investigator repeat the steps you took to collect evidence
A journal serves as a reference that documents the methods you need to process digital evidence
24. SECURING A COMPUTER INCIDENT OR CRIME SCENE
25. INTRODUCTION
Protecting the crime scene is crucial because if evidence is contaminated, it cannot be decontaminated.
The main goals of securing the crime scene are the following:
Preserve the evidence (no damage during collection, transportation, or storage)
Keep information confidential
Depending on the situation, crime scene preservation will vary.
Professional curiosity can destroy evidence
This involves police officers and other professionals who aren’t part of the crime scene processing team
26. [CONTD…]
How do you secure a computer incident or crime scene?
Define a secure perimeter
Use yellow barrier tape
27. [CONTD…]
How do you secure a computer incident or crime scene? (Cont.)
The physical surroundings of the computer should be photographed and clearly documented
Photographs should be taken before anything is touched
28. [CONTD…]
How do you secure a computer incident or crime scene? (Cont.)
Take custody of the computer, peripherals, and media.
Bag and tag all evidence
Assign one person to collect and log all evidence
Record the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it
Maintain two separate logs of collected evidence
Use antistatic bags
30. CAPTURE VOLATILE DATA
The computer forensics team first captures any volatile data that would be lost when the computer is turned off and moves the data to a secure location:
Contents of RAM
Currently running processes
Current network connections (recent connections and open applications/sockets)
Logon sessions
Open files: file system time and date stamps
31. ACQUIRE IMAGE
A reboot will change the disk image. Do not reboot!
After retrieving volatile data, focus on the hard drive
Make a forensic backup = system image = bit-stream backup
Copy every bit of the file system, not just the disk files!
Its accuracy meets evidence standards
Example tools include:
ProDiscover
EnCase
FTK
The OS does not influence which tools to use for bit-image capture
32. STORING DIGITAL EVIDENCE
The media you use to store digital evidence usually depends
on how long you need to keep it
CD-Rs or DVDs
The ideal media
Capacity: up to 17 GB
Lifespan: 2 to 5 years
Magnetic tapes
Capacity: 40 to 72 GB
Lifespan: 30 years
Costs: drive: $400 to $800; tape: $40
33. EVIDENCE RETENTION AND MEDIA STORAGE NEEDS
To help maintain the chain of custody for digital evidence
Restrict access to lab and evidence storage area
Lab should have a sign-in roster for all visitors
Maintain logs for a period based on legal requirements
You might need to retain evidence indefinitely
Check with your local prosecuting attorney’s office or state laws to make sure you’re in compliance
You cannot retain child pornography evidence, however
35. [CONTD…]
Copy all image files to a large drive
Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash
37. INTRODUCTION
As soon as the team begins its work, it must start and maintain a strict chain of custody
The chain of custody protects the integrity and reliability of the evidence
It documents that the evidence was under strict control at all times and that no unauthorized person was given the opportunity to corrupt the evidence
It is an effective process for documenting the complete journey of the evidence during the life of the case:
Who collected it?
How & where?
Who took possession of it?
How was it stored & protected in storage?
38. [CONTD…]
Create or use an evidence custody form
An evidence custody form serves the following functions:
Identifies the evidence
Identifies who has handled the evidence
Lists dates and times the evidence was handled
40. PROCESSING AND HANDLING DIGITAL EVIDENCE
Maintain the integrity of digital evidence in the lab
As you do when collecting it in the field
Steps to create image files:
Copy all image files to a large drive
Start your forensics tool to analyze the evidence
Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash
Secure the original media in an evidence locker
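Added example (Python; not part of the original slides): the hashing and custody steps from slides 35, 38 and 40 carried out on a constructed stand-in for a bit-stream image. The image contents, the evidence number EV-0001 and the examiner names are made up; hash_image, verify_image and CustodyLog are names chosen here, not a tool's API. It shows why the digest is recorded on the custody form at every hand-over: a single changed byte in the working copy is detected the next time the image is verified.

```python
import datetime
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-GB image never has to fit in RAM


def hash_image(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for the image file at `path`."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Re-hash the image and compare with the digests recorded at acquisition."""
    current = hash_image(path, tuple(recorded))
    return all(current[name] == recorded[name] for name in recorded)


class CustodyLog:
    """Minimal evidence custody form: who handled the item, when, doing what,
    and which digests they observed at that moment."""

    def __init__(self, item_id, description):
        self.item_id = item_id
        self.description = description
        self.entries = []

    def record(self, handler, action, digests, when=None):
        when = when or datetime.datetime.now(datetime.timezone.utc)
        self.entries.append({"when": when.isoformat(), "handler": handler,
                             "action": action, "md5": digests.get("md5"),
                             "sha1": digests.get("sha1")})

    def chain_intact(self):
        """True if every handler observed the same digests as the first entry."""
        first = self.entries[0]
        return all(e["md5"] == first["md5"] and e["sha1"] == first["sha1"]
                   for e in self.entries)


def demo():
    """Constructed stand-in for a bit-stream image (a real image is a raw sector copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "suspect_disk.dd")
        with open(img, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed image payload" + b"\xff" * 4096)
        acquired = hash_image(img)
        log = CustodyLog("EV-0001", "suspect drive image (constructed sample)")
        log.record("examiner A", "acquired and hashed", acquired)
        # A second examiner takes possession and re-hashes before starting analysis.
        log.record("examiner B", "received and verified", hash_image(img))
        intact_before = verify_image(img, acquired) and log.chain_intact()
        # An accidental write to the working copy: a single byte changes ('c' -> 'C').
        with open(img, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"C")
        intact_after = verify_image(img, acquired)
        return intact_before, intact_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Both MD5 and SHA-1 are computed in one pass, as the slides name both; recording two digests also means a collision in one algorithm alone cannot make a modified image look unchanged.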
42. LEARNING OBJECTIVES
List the key components of a disk drive.
Explain the purpose and structure of the Microsoft FAT (and NTFS) file systems.
Describe different types of file deletion, and what is required to completely remove a file from a disk.
Explain how the Windows Registry works, and list different types of useful forensics information it stores.
45. HARDWARE COMPONENTS
Motherboard / Mainboard
Processor / CPU
ROM - stores system-level programs that should be available at all times, e.g. BIOS
Registers & CPU cache - accept, hold, and transfer data at very high speed - very limited capacity
Main Memory / RAM - fast temporary memory - stores data only while the computer is on
Secondary (Permanent) Storage
hard disks / drives, CD-ROM, USB, floppy
Input Devices
keyboard, mouse, …
Output Devices
monitor, printer, …
47. SOFTWARE COMPONENTS
Operating System
Software (program + data) that runs on a computer
It manages computer hardware & provides common services for efficient execution of various application software
OSs are found on almost all ‘computing’ devices, e.g. cellular phones, video game consoles, web servers, routers, …
48. COMPUTER FILES
File – a self-contained collection of data available to the OS and individual programs
comprises ‘related’ information
can be manipulated as an entity (e.g., deleted or moved from one storage medium to another)
must have a unique name
has an extension (.doc, .txt, .exe, …) – indicates the type of encoding of its content and its usage
49. COMPUTER FILE SYSTEM
File System
set of methods/rules for storing and retrieving computer files (data)
gives an OS a road map to data on a secondary storage device (e.g., disk drive, USB, CD-ROM)
a file system is usually directly related to an OS
50. DISK DRIVES / HARD DRIVE
consists of 1 or more platters coated with magnetic material – data is stored on the platters in a particular way
each platter has 2 surfaces: top & bottom
key disk drive components:
head – the device that reads and writes data to a drive – there is one head per platter
tracks – concentric circles on a disk platter where data is located
sector – a pie-shaped section of a track made up of 128, 256, 512 or 1024 bytes – the smallest addressable storage unit on the hard drive
cylinder – consists of the corresponding tracks on all platters (e.g. track 12 on all disk drive platters)
geometry – refers to a disk’s structure of platters, tracks, and sectors
52. HEADS
Located on both sides of (each) platter, only a few nanometers from the surface
heads are semi-static (they only move up/down & through a small angle) - the disk/platters rotate at a speed of n*1000 revolutions per minute! (~ 250 km/h)
heads are ‘inductive’ – they can generate a magnetic field
by creating positive or negative fields, they polarize the disk (platter) surface in a very tiny area
when these areas are read afterwards, the detected polarity is transformed by an ADC (analog-to-digital converter) into a 0 or 1
54. EXAMPLE: DISK DRIVE CAPACITY AND SPEED: HISTORY
55. CLUSTER
One or a group of sectors – the logical unit of file storage on a hard drive
number of sectors in a cluster (a power of two, 2^n) depends on:
disk size: bigger disk ⇒ bigger cluster
logical disk organization (e.g., FAT12 /16 /32 or NTFS)
whatever the logical size of a file, it is allocated disk space in multiples of clusters!
sectors in a cluster are physically adjacent on the disk
clusters in a file may NOT be adjacent
clusters are managed by the computer’s OS
56. [CONTD…]
Example: Bigger disk - bigger cluster size …
FAT16 is not recommended for volumes larger than 511 MB. When relatively small files are placed on a FAT16 volume, FAT uses disk space inefficiently!
57. WINDOWS FILE SYSTEMS
3 types of file systems have been used by Windows: FAT,
FAT32, NTFS
59. FAT FILE SYSTEM
Introduction
Major Sections of FAT Hard Disks
Slack Space in FAT
Deleting FAT Files
Forensics Implications
60. INTRODUCTION
FATx – File Allocation Table – a family of file systems for DOS/Windows operating systems
FAT table – stores information on the status of all clusters on the disk = ‘table of contents’
x = 12, 16, 32 – the number of bits used for cluster identification/numbering, i.e. the bit-size of each FAT table entry
62. [CONTD…]
Example: FAT16 capacity
Can a 700 MB disk drive be formatted with a FAT16 file system using 4 KB clusters?
FAT16 ⇒ 2^16 = 65536 clusters
2^16 clusters × 4 KB = 2^6 × 2^10 × 4 × 2^10 bytes
max capacity = 64 × 4 MB = 256 MB, which is less than 700 MB, so the answer is no
63. MAJOR SECTIONS
1) Boot Sector – occupies the 1st cluster on the disk
contains specific information about the organization of the file system, including:
type of FAT (12/16/32) system,
# of bytes per sector,
# of sectors per track,
# of sectors per cluster,
# of read heads,
# of FAT tables,
# of clusters per FAT table, etc.
65. [CONTD…]
2) FAT Tables
keep track of the allocation status of the different data clusters
entry N relates to data cluster N – the actual value is a pointer to another FAT entry
the set of clusters that constitute one file is defined by a set of linked FAT entries
multiple FATs (FAT1 & FAT2) ensure redundancy in case of data corruption – FAT2 is a backup of FAT1
typically used on portable (more vulnerable) media
68. [CONTD…]
3) Root Directory (FAT12/16 only)
stores the Directory Table – a table of 32-byte long entries, one for each file & directory created on the disk
4) Data Area
contains file & directory data – occupies the remaining sectors (clusters) on the disk
the first cluster of the Data Area is numbered 2, even though it is physical sector 33!
71. [CONTD…]
Example: Final Exam 2010
Assume a computer employs the FAT16 file system with components as shown below:
A file, containing a set of numbers, is stored on this computer under the name YourFile.txt.
Using the provided information, identify the first six numbers stored in YourFile.txt.
73. SLACK SPACE IN FAT
a phenomenon caused by the way computers store data/files:
files are allocated cluster-sized chunks regardless of the actual size of the data in the file
the data may not be big enough to fill (all) the segments, i.e. clusters
74. [CONTD…]
sector slack - the space between the EOF and the end of the last sector that the file was written to; known as RAM slack because the OS pulls whatever is available in RAM at that point (a memory dump) to fill this space – e.g. logon IDs, passwords, segments of other files
cluster slack - the remaining sectors in the cluster; known as file slack – contains whatever was last written to those sectors by the disk (e.g. parts of a deleted file)
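Added example (Python; not from the original slides) covering the cluster arithmetic of slide 62 (FAT16 capacity) and slide 74 (sector slack and cluster slack). The function names and the default 512-byte sector / 8-sector cluster are choices made here. max_volume_bytes generalises the slide's 2^16 × 4 KB computation to any FATx and cluster size; slack splits a file's unused tail into the two kinds of slack the slide defines.

```python
import math

SECTOR_BYTES = 512  # typical sector size; the slides list 128, 256, 512 and 1024 bytes


def max_volume_bytes(fat_bits, cluster_bytes):
    """Largest volume a FATx table can address with the given cluster size.
    A FAT entry of `fat_bits` bits can number 2**fat_bits clusters, so capacity is
    clusters x bytes per cluster. (A real FAT16 reserves a few entry values, e.g. 0, 1
    and the end-of-chain markers, so the usable count is slightly below 2**16; the
    slide's estimate, reproduced here, ignores that.)"""
    return (2 ** fat_bits) * cluster_bytes


def can_format(volume_bytes, fat_bits, cluster_bytes):
    """Slide 62's question in general form: does the volume fit the addressable space?"""
    return volume_bytes <= max_volume_bytes(fat_bits, cluster_bytes)


def slack(file_size, sector_bytes=SECTOR_BYTES, sectors_per_cluster=8):
    """Split the unused part of a file's last cluster into sector (RAM) slack and
    cluster (file) slack, following the definitions on slide 74."""
    cluster_bytes = sector_bytes * sectors_per_cluster
    clusters = math.ceil(file_size / cluster_bytes)  # a 0-byte file owns no cluster
    allocated = clusters * cluster_bytes
    # bytes from EOF to the end of the last sector that received file data
    sector_slack = (-file_size) % sector_bytes
    # whole sectors in the last cluster that never received any file data
    cluster_slack = allocated - file_size - sector_slack
    return {"clusters": clusters, "allocated": allocated,
            "sector_slack": sector_slack, "cluster_slack": cluster_slack}


if __name__ == "__main__":
    MB = 1024 * 1024
    print(max_volume_bytes(16, 4096) // MB, "MB addressable by FAT16 with 4 KB clusters")
    print("700 MB fits:", can_format(700 * MB, 16, 4096))
    print(slack(1000))  # 1 cluster, 24 bytes of RAM slack, 3072 bytes of file slack
```

For a 1000-byte file the first two sectors receive data, 24 bytes of the second sector are RAM slack, and the six untouched sectors (3072 bytes) are file slack: that is the region an examiner searches for remnants of whatever previously occupied the cluster.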
75. DELETING FAT FILES
the system places a deletion mark on the file
deletion mark ⇒ the first letter of the file name is replaced with the byte E5 (displayed as the lower-case Greek letter σ)
the FAT entries of the respective clusters are still unchanged!
in the Data Area, the clusters still preserve the original data!
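Added example (Python; not from the original slides): a 32-byte FAT16 short-name directory entry is built for a constructed file, marked deleted the way the slide describes (only the first name byte becomes E5), and the file's first cluster is read back from a constructed data area using the start cluster and size that survive in the entry. The "?" used for the lost first character and the function names are conventions chosen here; the field offsets (start cluster at byte 26, size at byte 28) are the real FAT16 layout.

```python
import struct

DELETED_MARK = 0xE5
FIRST_DATA_CLUSTER = 2  # the slides note the first Data Area cluster is numbered 2


def build_dir_entry(name8, ext3, start_cluster, size, attr=0x20):
    """Constructed 32-byte FAT16 directory entry (sample data, not from a real disk)."""
    entry = bytearray(32)
    entry[0:8] = name8.ljust(8).encode("ascii")
    entry[8:11] = ext3.ljust(3).encode("ascii")
    entry[11] = attr                                   # 0x20 = archive bit
    struct.pack_into("<H", entry, 26, start_cluster)   # first cluster (FAT16: low word only)
    struct.pack_into("<I", entry, 28, size)            # file size in bytes
    return bytes(entry)


def parse_dir_entry(entry):
    """Decode name, deletion state, start cluster and size from a 32-byte entry."""
    deleted = entry[0] == DELETED_MARK
    raw_name = bytearray(entry[0:8])
    if deleted:
        raw_name[0] = ord("?")   # the first character is lost; the rest of the name survives
    name = raw_name.decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    start_cluster, = struct.unpack_from("<H", entry, 26)
    size, = struct.unpack_from("<I", entry, 28)
    return {"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
            "start_cluster": start_cluster, "size": size}


def mark_deleted(entry):
    """What the OS does on delete: overwrite only the first name byte with 0xE5."""
    return bytes([DELETED_MARK]) + entry[1:]


def read_first_cluster(info, data_area, cluster_bytes):
    """Pull back the file's first cluster from the data area, which delete did not touch."""
    offset = (info["start_cluster"] - FIRST_DATA_CLUSTER) * cluster_bytes
    want = min(info["size"], cluster_bytes)
    return data_area[offset:offset + want]


def demo():
    cluster_bytes = 512
    payload = b"3 14 15 92 65 35"
    # Constructed data area: cluster 2 is unrelated filler, cluster 3 holds our file.
    data_area = b"\x00" * cluster_bytes + payload.ljust(cluster_bytes, b"\x00")
    live = build_dir_entry("TEST1", "TXT", 3, len(payload))
    gone = mark_deleted(live)
    before, after = parse_dir_entry(live), parse_dir_entry(gone)
    recovered = read_first_cluster(after, data_area, cluster_bytes)
    return before, after, recovered


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Only the first cluster is recovered here because that is all the directory entry points to; following clusters depend on the FAT chain, and, as slide 79 warns, a file whose chain has been reused can only be partially reconstructed.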
77. [CONTD…]
File Allocation Table (FAT) before and after deletion of
“test1.txt” file.
78. [CONTD…]
Example: Deleting by clearing from Recycle Bin
File Allocation Table (FAT) before and after clearing
Recycle Bin.
79. FORENSICS IMPLICATIONS
On deletion of a file, the data contained in the file is NOT ‘gone’
it is merely ‘hidden’ from the operating system and the space it occupies is made available for reuse.
Deleted data still resides in the space previously allocated to it, unless overwritten.
It is possible to ‘undelete’ (reconstruct) a file – or some of its parts – even after the Recycle Bin has been emptied!
However, there may be evidential difficulties with files recovered from unallocated space. We cannot state the date and time attributes of even a complete file found in unallocated space, as there is no respective entry in the File Directory Table.
80. [CONTD…]
Disk Formatting – still does not erase data!
only the pointers (FAT and FDT) get destroyed
the data that formed the file remains intact in its location
Disk Wiping – secure deletion – wiped files have their directory entries and allocated space physically overwritten by random or user-defined characters
Windows wiping tools:
Disk Wipe: http://www.diskwipe.org/
Eraser: http://eraser.heidi.ie/
81. NTFS FILE SYSTEM
NTFS – New Technology File System – introduced for Windows NT and Vista
provides significant improvements over FAT, including:
file and folder permissions – folder and file access can be controlled individually
file encryption – NTFS enables strong encryption of files and folders that is extremely resistant to attacks
file compression – NTFS enables compression of both files and folders
disk efficiency – NTFS supports smaller cluster sizes than FAT32
greater reliability – NTFS writes a log of changes being made to files and folders (the NTFS journal), which helps the OS to recover from system failures …
82. WINDOWS REGISTRY
a critical part of any Windows OS - a hierarchical database containing configuration information about:
system hardware;
installed software (programs);
property settings;
a profile for each user, etc.
The OS uses the instructions stored in the registry to determine how installed hardware and software should function
e.g. typical software comes with a Windows installer that writes to the registry during installation
the system must be restarted for changes to take effect …
83. [CONTD…]
Example: Opening the Windows Registry
Type ‘regedit’ in a cmd window.
The Registry comprises 5 to 7 top-level hierarchical folders – hives.
The folders’ names start with HKEY – Handle to a Key.
85. [CONTD…]
Forensics Implications – the information (i.e. potential evidence) that resides in the Registry makes it a significant forensics resource
information that can be found in the registry includes:
general information about the OS
startup (boot-time) applications
logs of computers that have communicated with the host
logs of USB devices that have been connected to the host
logs of Web site histories and typed URLs
downloaded files/programs, e.g. wiping programs to destroy evidence
auto-complete Internet Explorer passwords
86. [CONTD…]
Example: Registry Information about the OS
Keys to look at (investigate):
HKLM\Software\Microsoft\Windows NT\CurrentVersion
Obtained info: OS version, Installation Date, Product ID, etc.
Example: Registry Information about the Time Zone
Keys to look at (investigate):
HKLM\System\ControlSet001\Control\TimeZoneInformation
Example: Registry Information about Startup Applications
Keys to look at (investigate):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
(RunOnce is typically used to load an application for installation the next time the computer boots. After the machine reboots, the entry is removed.)
Programs/services listed under these keys run each time a user logs on.
Malware (spyware, trojans, worms, viruses) often attempts to embed itself in these startup areas.
87. [CONTD…]
Example: Registry Information about LAN Computers
Keys to look at (investigate):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
A computer on a properly configured LAN should be able to display all the computers on that network through My Network Places. The list of these computers – i.e. devices that the host has ever connected to – is stored in the Registry.
88. [CONTD…]
Example: Registry Information about USB Devices
Keys to look at (investigate):
HKLM\System\ControlSet00x\Enum\USBSTOR
Any time a device is connected to a USB port, drivers are queried and the device’s information is stored in the Registry.
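Added example (Python; not from the original slides) for the Run/RunOnce keys of slide 86 and the USBSTOR key of slide 88. Because the Registry can only be read live on Windows, the example works offline on a constructed excerpt in the text format that "reg export" writes; every path, value and the USB serial in it is made up. The parser, the startup and USB extractors and the "user-writable location" review rule are all choices made here, not a tool's API.

```python
import re

# Constructed excerpt in the text format written by "reg export" (sample data, not
# from a real host; the commands, paths and serial number are made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"updater"="C:\\Users\\Public\\updt.exe -silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\Temp\\wipe.exe /all"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0019E06B1234&0]
"FriendlyName"="Kingston DataTraveler USB Device"
"""

STARTUP_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
# Locations a legitimately installed program rarely starts from; worth a second look.
USER_WRITABLE = ("\\users\\public\\", "\\temp\\", "\\appdata\\local\\temp\\")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # .reg files escape backslashes and quotes inside string values
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = value
    return keys


def startup_entries(keys):
    """Every value under a Run/RunOnce key, i.e. what launches at logon (slide 86)."""
    found = []
    for key, values in keys.items():
        if key.lower().endswith(STARTUP_SUFFIXES):
            for name, command in values.items():
                found.append({"key": key.rsplit("\\", 1)[1], "name": name, "command": command})
    return found


def suspicious_startup(entries):
    """Startup commands launched from user-writable directories (review rule chosen here)."""
    return [e for e in entries if any(p in e["command"].lower() for p in USER_WRITABLE)]


def usb_devices(keys):
    """Device and instance (serial) identifiers recorded under Enum\\USBSTOR (slide 88)."""
    devices = []
    for key, values in keys.items():
        m = re.search(r"\\Enum\\USBSTOR\\([^\\]+)\\([^\\]+)$", key, re.IGNORECASE)
        if m:
            devices.append({"device": m.group(1), "instance": m.group(2),
                            "friendly_name": values.get("FriendlyName", "")})
    return devices


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for e in startup_entries(reg):
        print(e["key"], e["name"], "->", e["command"])
    print("review:", [e["name"] for e in suspicious_startup(startup_entries(reg))])
    print(usb_devices(reg))
```

On a real case the export comes from the seized system's hive files; the point of the review rule is the one the slide makes, that malware tends to persist from these keys, and entries starting from Temp or Public directories are the first to examine.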
89. [CONTD…]
Example: Registry Information about IE Passwords
Keys to look at (investigate):
HKCU\Software\Microsoft\Internet Explorer\Main
Value to look at: “FormSuggest PW Ask” – if it is “yes” ⇒ the Windows AutoComplete Password feature is enabled.
The list of ‘memorized’ passwords can be found at:
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
91. OUTLINE
Introduction
Evaluating Computer Forensics Tool Needs
Types of Computer Forensics Tools
Tasks Performed by Computer Forensics Tools
Command-Line Forensics Tools
UNIX/Linux Forensics Tools
GUI Forensics Tools
Forensic Workstations
Validating and Testing Forensics Software
Using Validation Protocols
Computer Forensics Examination Protocol
Example
92. INTRODUCTION
Computer forensics tools are constantly being developed,
updated, patched, and revised.
Therefore, checking vendors’ Web sites routinely to look
for new features and improvements is important.
Before purchasing any forensics tools, consider whether
the tool can save you time during investigations and
whether that time savings affects the reliability of data
you recover.
93. EVALUATING COMPUTER FORENSICS TOOL NEEDS
Some questions to ask when evaluating computer
forensic tools:
On which OS does the forensics tool run?
Is the tool versatile? For example, does it work in Windows
98, XP, and Vista and produce the same results in all three
OSs?
Can the tool analyze more than one file system, such as FAT,
NTFS, and Ext2fs?
Can a scripting language be used with the tool to automate
repetitive functions and tasks?
Does the tool have any automated features that can help
reduce the time needed to analyze data?
What is the vendor’s reputation for providing product support?
94. [CONTD…]
When you search for tools, keep in mind what file types
you’ll be analyzing.
For example, if you need to analyze Microsoft Access
databases, look for a product designed to read these files.
If you’re analyzing e-mail messages, look for a forensics
tool capable of reading e-mail content.
95. TYPES OF COMPUTER FORENSICS TOOLS
Hardware forensic tools
Range from single-purpose components to complete
computer systems and servers
Software forensic tools
Types
Command-line applications
GUI applications
Commonly used to copy data from a suspect’s disk drive to
an image file
96. TASKS PERFORMED BY COMPUTER
FORENSICS TOOLS
All computer forensics tools, both hardware and
software, perform specific functions.
Five major categories:
Acquisition
Validation and discrimination
Extraction
Reconstruction
Reporting
97. 1. ACQUISITION
Acquisition, the first task in computer forensics
investigations, is making a copy of the original drive.
Acquisition subfunctions:
Physical data copy
Logical data copy
Data acquisition format
Command-line acquisition
GUI acquisition
Remote acquisition
Verification
98. [CONTD…]
Some computer forensics software suites, such as AccessData FTK and EnCase, provide separate tools for acquiring an image.
However, some investigators opt to use hardware devices, such as the Logicube Talon, VOOM HardCopy 3, or ImageMASSter Solo III Forensic unit from Intelligent Computer Solutions, Inc., for acquiring an image.
These hardware devices have their own built-in software for data acquisition.
No other device or program is needed to make a duplicate drive; however, you still need forensics software to analyze the data.
99. [CONTD…]
Two types of data-copying methods are used in software
acquisitions:
Physical copying of the entire drive
Logical copying of a disk partition
The formats for disk acquisitions vary
From raw data to vendor-specific proprietary compressed
data
You can view the contents of a raw image file with any
hexadecimal editor
101. [CONTD…]
All computer forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image.
For example, EnCase prompts you to obtain the MD5 hash value of acquired data, FTK validates MD5 and SHA-1 hash sets during data acquisition, and SafeBack runs an SHA-256 hash while acquiring data.
Hardware acquisition tools, such as ImageMASSter Solo, can perform simultaneous MD5 and CRC-32 hashing during data acquisition.
Whether you choose a software or hardware solution for your acquisition needs, make sure the tool has a hashing function for verification purposes.
102. 2. VALIDATION AND DISCRIMINATION
Two issues in dealing with computer evidence are critical.
The first is ensuring the integrity of the data being copied—the validation process.
The second is the discrimination of data, which involves sorting and searching through all the investigation data.
Many forensics software vendors offer three methods for discriminating data values:
Hashing
Filtering
Analyzing file headers
Validating data is done by obtaining hash values.
This unique hexadecimal value for the data is used to make sure the original data hasn’t changed.
104. [CONTD…]
The primary purpose of data discrimination is to remove
good data from suspicious data.
Good data consists of known files, such as OS files and
common programs (Microsoft Word, for example).
The National Software Reference Library (NSRL) has
compiled a list of known file hashes for a variety of OSs,
applications, and images.
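Added example (Python; not from the original slides): data discrimination in the NSRL style described above, combining two of the three methods named on slide 102, hashing against a known-file set and analyzing file headers. The file set and the one-entry "known good" list are constructed here and are not NSRL data; the bucket names and function names are choices made for the example. The header check catches the case a hash list cannot: a file whose content signature contradicts its extension.

```python
import hashlib
import os
import tempfile

# Header signatures used to check that a file's content matches its extension.
MAGIC = {
    b"%PDF-": (".pdf",),
    b"\xff\xd8\xff": (".jpg", ".jpeg"),
    b"PK\x03\x04": (".zip", ".docx", ".xlsx"),
    b"MZ": (".exe", ".dll"),
}


def sha1_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha1(fh.read()).hexdigest()


def header_type(path):
    """Extensions consistent with the file's leading bytes, or None if unrecognised."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, exts in MAGIC.items():
        if head.startswith(magic):
            return exts
    return None


def discriminate(root, known_sha1):
    """Sort files under `root` into: known (hash in the reference set, drop from review),
    mismatch (header contradicts extension, a classic way to disguise an executable or
    image), and unknown (not in the set; header consistent or unrecognised; needs review)."""
    result = {"known": [], "mismatch": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if sha1_of(path) in known_sha1:
                result["known"].append(name)
                continue
            exts = header_type(path)
            ext = os.path.splitext(name)[1].lower()
            bucket = "mismatch" if exts and ext not in exts else "unknown"
            result[bucket].append(name)
    return {k: sorted(v) for k, v in result.items()}


def demo():
    """Constructed file set and a one-entry 'known good' list standing in for an NSRL hash set."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "notepad.exe": b"MZ constructed known system binary",
            "report.pdf": b"%PDF-1.4 constructed document %%EOF",
            "photo.jpg": b"\xff\xd8\xff\xe0 constructed picture \xff\xd9",
            "readme.txt": b"plain text, no signature",
            "notes.txt": b"MZ constructed executable renamed to look like text",
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        known = {hashlib.sha1(samples["notepad.exe"]).hexdigest()}
        return discriminate(tmp, known)


if __name__ == "__main__":
    print(demo())
```

The real NSRL Reference Data Set is a list of hashes of known software; a tool loads it and removes matching files from the examiner's view exactly as the "known" bucket does here, so that effort goes to the "unknown" and "mismatch" buckets.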
106. 3. EXTRACTION
The extraction function is the recovery task in a computing investigation and is the most challenging of all tasks to master.
Recovering data is the first step in analyzing an investigation’s data.
The following subfunctions of extraction are used in investigations:
Data viewing
Keyword searching
Decompressing
Carving
Decrypting
Bookmarking
107. [CONTD…]
Many computer forensics tools include a data-viewing mechanism for digital evidence.
Tools such as ProDiscover, X-Ways Forensics, FTK, EnCase, SMART, ILook, and others offer several ways to view data, including logical drive structures, such as folders and files.
108. [CONTD…]
A common task in computing investigations is searching
for and recovering key data facts.
Computer forensics programs have functions for
searching for keywords of interest to the investigation.
Using a keyword search speeds up the analysis process
for investigators.
With some tools, you can set filters to select the file
types to search, such as searching only PDF documents.
Another function in some forensics tools is indexing all words on a drive.
X-Ways Forensics and FTK 1.6x and earlier offer this feature, using the binary index (B-tree) search engine from dtSearch.
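Added example (Python; not from the original slides) for two extraction subfunctions from slide 106, keyword searching (slide 108) and carving, run over a constructed raw image. The image bytes, the keywords and the function names are made up here; the JPEG and PDF header/footer bytes are the standard signatures. It shows two things a tool does that a plain text search does not: it also matches UTF-16LE strings, which Windows writes for much of its text, and it recovers a file from unallocated space by signature alone, with no directory entry.

```python
import re

SIGNATURES = {  # header, footer pairs for file carving (well-known magic bytes)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def keyword_hits(image, keywords):
    """Byte offsets of each keyword in a raw image, case-insensitively, in both
    ASCII and UTF-16LE (the encoding Windows uses for many strings in memory and
    on disk, which an ASCII-only search would miss)."""
    hits = {}
    for kw in keywords:
        patterns = {"ascii": kw.encode("ascii"), "utf16le": kw.encode("utf-16-le")}
        hits[kw] = sorted((m.start(), enc)
                          for enc, pat in patterns.items()
                          for m in re.finditer(re.escape(pat), image, re.IGNORECASE))
    return hits


def carve(image, kind, max_len=10 * 1024 * 1024):
    """Carve files of `kind` out of a raw image by header/footer signature.
    Returns (offset, bytes) pairs; a header with no footer within max_len is skipped,
    since a truncated object would need size heuristics the signature alone can't give."""
    header, footer = SIGNATURES[kind]
    carved, pos = [], 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            break
        end = image.find(footer, start + len(header))
        if end < 0 or end - start > max_len:
            pos = start + 1
            continue
        end += len(footer)
        carved.append((start, image[start:end]))
        pos = end
    return carved


# Constructed raw "image": filler, an ASCII string, a tiny JPEG-like object, a UTF-16LE string.
JPEG = b"\xff\xd8\xff" + b"constructed jpeg body" + b"\xff\xd9"
IMAGE = (b"\x00" * 100 + b"Password: sample123\x00" + b"\x00" * 50 + JPEG
         + b"\x00" * 30 + "secret".encode("utf-16-le") + b"\x00" * 20)


def demo():
    return keyword_hits(IMAGE, ["password", "secret"]), carve(IMAGE, "jpg")


if __name__ == "__main__":
    hits, carved = demo()
    print(hits)                                          # password @100 ascii, secret @226 utf16le
    print([(off, len(data)) for off, data in carved])    # [(170, 26)]
```

A carved file has no directory entry, which is the evidential limitation slide 79 describes: its content is recoverable, its name and timestamps are not.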
110. 4. RECONSTRUCTION
The purpose of having a reconstruction feature in a
forensics tool is to re-create a suspect drive to show what
happened during a crime or an incident.
Another reason for duplicating a suspect drive is to
create a copy for other computer investigators, who
might need a fully functional copy of the drive so that
they can perform their own acquisition, test, and analysis
of the evidence.
These are the sub functions of reconstruction:
Disk-to-disk copy
Image-to-disk copy
Partition-to-partition copy
Image-to-partition copy
111. [CONTD…]
There are several ways to re-create an image of a suspect drive. Under ideal circumstances, the best and most reliable method is obtaining the same make and model of drive as the suspect drive.
If the suspect drive has been manufactured recently, locating an identical drive is fairly easy.
A drive manufactured three months ago might be out of production and unavailable for sale, which makes locating identical older drives more difficult.
112. [CONTD…]
The simplest method of duplicating a drive is using a
tool that makes a direct disk-to-disk copy from the
suspect drive to the target drive.
One free tool is the UNIX/Linux dd command, but it has
disadvantages you must plan for:
The target drive must be at least as large as the original
(suspect) drive. If it is larger, the extra space keeps whatever it
held before (wipe it first), so the target as a whole will not hash
the same as the suspect drive; only the copied span does.
Plain dd stops at the first read error and has no built-in hashing
or logging. Use conv=noerror,sync so that unreadable sectors are
zero-filled instead of shifting all later data, or use a forensic
variant such as dcfldd or dc3dd, which add hashing and error logs.
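Worked example (added here; it is not from the slides and is not dd itself): a Python model of what the dd read-error options discussed above do to a copy when the suspect drive has an unreadable sector, and of why a target larger than the source does not hash the same. SuspectDrive, the 16-sector test pattern and the choice of sector 5 as the bad sector are constructed for the example.

```python
import hashlib

SECTOR = 512


class SuspectDrive:
    """Constructed stand-in for a physical suspect drive (not a real device):
    fixed-size sectors, some of which fail to read, as damaged media does."""

    def __init__(self, data, bad_sectors=()):
        if len(data) % SECTOR:
            raise ValueError("drive size must be a whole number of sectors")
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sector_count(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise IOError(f"Input/output error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image_drive(drive, target, mode="abort"):
    """Sector-by-sector copy into the bytearray `target`, which is never
    truncated (dd's conv=notrunc). `mode` mirrors dd's read-error handling:
      "abort"         plain dd: stop at the first unreadable sector
      "noerror"       conv=noerror: skip the sector; everything after it shifts
      "noerror,sync"  conv=noerror,sync: write a zero-filled sector in its place,
                      so every later byte keeps its original offset
    Returns (sectors_written, [unreadable sector numbers])."""
    written = 0
    unreadable = []
    for n in range(drive.sector_count):
        try:
            block = drive.read_sector(n)
        except IOError:
            unreadable.append(n)
            if mode == "abort":
                break
            if mode == "noerror":
                continue
            block = b"\x00" * SECTOR
        target[written * SECTOR:(written + 1) * SECTOR] = block
        written += 1
    return written, unreadable


def sha256_hex(data):
    return hashlib.sha256(bytes(data)).hexdigest()


# Constructed 16-sector drive: sector n is filled with the byte value n, so a
# shifted or zeroed sector is obvious when you look at the target.
DRIVE_DATA = b"".join(bytes([n]) * SECTOR for n in range(16))


def compare_modes(bad_sector=5):
    """Image the same damaged drive three ways and report where sector 6 ended up."""
    drive = SuspectDrive(DRIVE_DATA, bad_sectors=[bad_sector])
    results = {}
    for mode in ("abort", "noerror", "noerror,sync"):
        target = bytearray(len(DRIVE_DATA))
        written, bad = image_drive(drive, target, mode)
        results[mode] = {
            "sectors_written": written,
            "unreadable": bad,
            "byte_at_sector6": target[6 * SECTOR],   # what sits where sector 6 belongs
        }
    return results


def size_caveat():
    """Copying an undamaged drive onto a larger, wiped target: the whole target
    does not hash like the source; only the first len(source) bytes do."""
    drive = SuspectDrive(DRIVE_DATA)
    target = bytearray(2 * len(DRIVE_DATA))   # target twice the size, zero-filled
    image_drive(drive, target, "noerror,sync")
    return {
        "source": sha256_hex(DRIVE_DATA),
        "whole_target": sha256_hex(target),
        "target_source_span": sha256_hex(target[: len(DRIVE_DATA)]),
    }


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(f"{mode:13s} wrote {r['sectors_written']:2d} sectors, "
              f"byte at sector 6 offset = {r['byte_at_sector6']}")
    h = size_caveat()
    print("whole target matches source:", h["whole_target"] == h["source"])
    print("first source-length span matches:", h["target_source_span"] == h["source"])
```

With "noerror" alone, sector 7 lands where sector 6 belongs, so every file system structure after the bad sector points at the wrong bytes; "noerror,sync" loses only the unreadable sector, and the list of unreadable sectors is what you record alongside the hash.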
113. [CONTD…]
For a disk-to-disk copy, both hardware and software
duplicators are available; hardware duplicators are the
fastest way to copy data from one disk to another.
Hardware duplicators, such as Logicube Talon, Logicube
Forensic MD5, and ImageMASSter Solo III Forensics
Hard Drive Duplicator, adjust the target drive's geometry
to match the suspect drive's cylinders, sectors, and tracks.
114. [CONTD…]
For image-to-disk and image-to-partition copies, many
more tools are available, but they are considerably
slower in transferring data.
The following are some tools that perform an image-to-disk copy:
SafeBack
SnapBack
EnCase
FTK Imager
ProDiscover
X-Ways Forensics
115. 5. REPORTING
To complete a forensics disk analysis and examination, you need to
create a report.
Before Windows forensics tools were available, this process required
copying data from a suspect drive and extracting the digital evidence
manually.
The investigator then copied the evidence to a separate program,
such as a word processor, to create a report.
Newer Windows forensics tools can produce electronic reports in a
variety of formats, such as word processing documents, HTML Web
pages, or Acrobat PDF files.
These are the sub functions of the reporting function:
Log reports
Report generator
116. [CONTD…]
Many forensics tools, such as FTK, ILook, and X-Ways Forensics,
can produce a log report that records activities the investigator
performed.
Then a built-in report generator is used to create a report in a variety
of formats.
The following tools are some that offer report generators displaying
bookmarked evidence:
EnCase
FTK
ILook
X-Ways Forensics
ProDiscover
The log report can be added to your final report as additional
documentation of the steps you took during the examination, which
can be useful if repeating the examination is necessary.
117. COMMAND-LINE FORENSICS TOOLS
The first tools that analyzed and extracted data from
floppy disks and hard disks were MS-DOS tools for IBM
PC file systems.
One of the first MS-DOS tools used for computer
investigations was Norton DiskEdit.
This tool used manual processes that required
investigators to spend considerable time on a typical 500
MB drive.
Eventually, programs designed for computer forensics
were developed for DOS, Windows, Apple, NetWare,
and UNIX systems.
118. [CONTD…]
Some of these early programs could extract data from
slack and free disk space; others were capable only of
retrieving deleted files.
Current programs are more robust and can search for
specific words or characters, import a keyword list to
search, calculate hash values, recover deleted items,
conduct physical and logical analyses, and more.
Some command-line forensics tools are created
specifically for DOS/Windows platforms; others are created
for Macintosh and UNIX/Linux. Because there are many
different versions of UNIX and Linux, these OSs are often
referred to as *nix platforms.
121. UNIX/LINUX FORENSICS TOOLS
The *nix platforms have long been the primary
command-line OSs, but typical end users haven’t used
them widely.
However, with GUIs now available with *nix platforms,
these OSs are becoming more popular with home and
corporate end users.
There are several *nix tools for forensics analysis, such
as SMART, BackTrack, Autopsy with Sleuth Kit, and
Knoppix-STD.
SMART is designed to be installed on numerous Linux
versions, including Gentoo, Fedora, SUSE, Debian,
Knoppix, Ubuntu, Slackware, and more.
122. [CONTD…]
You can analyze a variety of file systems with SMART;
SMART includes several plug-in utilities. This modular approach
makes it possible to upgrade SMART components easily and
quickly.
SMART can also take advantage of multithreading capabilities in
OSs and hardware.
Another useful option in SMART is the hex viewer. Hex values are
color-coded to make it easier to see where a file begins and ends.
SMART also offers a reporting feature. Everything you do during
your investigation with SMART is logged, so you can select what
you want to include in a report, such as bookmarks.
123. [CONTD…]
Helix
One of the easiest suites to use is Helix because of its user
interface. What is unique about Helix is that you can load it on a
live Windows system; its Windows component is used for live
acquisitions.
During corporate investigations, you often need to
retrieve RAM and other data, such as the suspect's user
profile, from a workstation or server that can't be seized
or turned off.
This data is extracted while the system is running and
captured in its state at the time of extraction.
124. [CONTD…]
To do a live acquisition, insert the Helix CD into the
suspect's machine. After clicking I ACCEPT in the
licensing window, you see the Helix menu.
Anything you run on a live system changes it (a new process,
new registry and prefetch entries, memory pages pushed out), so
record which tools you ran, in what order and at what time, and
capture the most volatile data, RAM, first.
125. [CONTD…]
BackTrack is another Linux Live CD used by many security
professionals and forensics investigators. It includes a variety of
tools and has an easy-to-use KDE interface. (BackTrack has since
been superseded by Kali Linux.)
Sleuth Kit is a collection of command-line forensics tools, and
Autopsy is the GUI (originally browser-based) front end for them.
Knoppix Security Tools Distribution (STD) is a collection of tools
for configuring security measures, including computer and network
forensics.
Knoppix-STD is intended to be forensically sound: booted from the
CD, it does not automatically mount or write to the host's drives.
Still check the mount options yourself before touching evidence.
If you boot this CD on a Windows machine, Knoppix lists the
available tools.
Although many of the tools have GUI interfaces, some are still
command line only.
126. GUI FORENSICS TOOLS
Several software vendors have introduced forensics tools
that work in Windows.
Because GUI forensics tools don’t require the same
understanding of MS-DOS and file systems as
command-line tools, they can simplify computer
forensics investigations.
These GUI tools have also simplified training for
beginning examiners; however, you should continue to
learn about and use command-line tools because some
GUI tools might miss critical evidence.
127. [CONTD…]
GUI tools have several advantages, such as ease of use,
the capability to perform multiple tasks, and no
requirement to learn older OSs.
Their disadvantages range from excessive resource
requirements (needing large amounts of RAM, for
example) to inconsistent results depending on the OS
used, such as Windows Vista 32-bit versus 64-bit systems.
128. FORENSIC WORKSTATIONS
Many computer vendors offer a wide range of forensic
workstations that you can tailor to meet your
investigation needs.
Forensic workstations can be divided into the following
categories:
Stationary workstation—A tower with several bays and many
peripheral devices
Portable workstation—A laptop computer with a built-in LCD
monitor and almost as many bays and peripherals as a
stationary workstation
Lightweight workstation—Usually a laptop computer built
into a carrying case with a small selection of peripheral
options.
129. [CONTD…]
Building Your Own Workstation
If you have the time and skill to build your own forensic
workstation, you can customize it to your needs and save
money, although you might have trouble finding support for
problems that develop.
For example, peripheral devices might conflict with one
another, or components might fail. If you build your own
forensic workstation, you should be able to support the
hardware.
If you decide that building a forensic workstation is beyond
your skills, several vendors offer workstations designed for
computer forensics, such as the F.R.E.D. unit from Digital
Intelligence or the Dual Xeon Workstation from Forensic PC.
Having a vendor-supplied workstation has its advantages.
130. [CONTD…]
Using a Write-Blocker
The first item you should consider for a forensic workstation
is a write-blocker.
Write blockers protect evidence disks by preventing data
from being written to them.
Software and hardware write-blockers perform the same
function but in a different fashion.
Software write-blockers, such as PDBlock from Digital
Intelligence, typically run in a shell mode (for example,
DOS).
131. [CONTD…]
If you attempt to write data to the blocked drive, an alarm sounds,
advising that no writes have occurred.
With hardware write-blockers, you can connect the evidence drive to
your workstation and start the OS as usual.
Hardware write-blockers are ideal for GUI forensics tools.
They prevent Windows or Linux from writing data to the blocked
drive.
Hardware write-blockers act as a bridge between the suspect drive
and the forensic workstation.
Many vendors have developed write-blocking devices that connect
to a computer through FireWire, USB 2.0, SATA, and SCSI
controllers.
Most of these write-blockers enable you to remove and reconnect
drives without having to shut down your workstation, which saves
time in processing the evidence drive.
Test a blocker before trusting it with evidence: hash a known
drive, attempt writes through the blocker (format, delete, copy),
then hash the drive again and confirm the value is unchanged.
132. VALIDATING AND TESTING FORENSICS
SOFTWARE
Using National Institute of Standards and Technology
(NIST) Tools:
NIST has created criteria for testing computer forensics tools,
which are included in the article "General Test Methodology
for Computer Forensic Tools" and applied by its Computer
Forensics Tool Testing (CFTT) program.
Testing Standards:
Establish categories for computer forensics tools
Identify computer forensics category requirements
Develop test assertions
Identify test cases
Establish a test method
Report test results
133. USING VALIDATION PROTOCOLS
After retrieving and examining evidence data with one tool, you
should verify your results by performing the same tasks with other
similar forensics tools.
For example, after you use one forensics tool to retrieve disk data,
you use another to see whether you retrieve the same information.
Although this step might seem unnecessary, you might be asked on
the witness stand “How did you verify your results?” To satisfy the
need for verification, you need at least two tools to validate software
or hardware upgrades.
The tool you use to validate the results should be well tested and
documented.
134. COMPUTER FORENSICS EXAMINATION
PROTOCOL
1. First, conduct your investigation of the digital evidence
with one GUI tool.
2. Then perform the same investigation with a disk editor
to verify that the GUI tool is seeing the same digital
evidence in the same places on the test or suspect drive’s
image.
3. If a file is recovered, obtain the hash value with the GUI
tool and the disk editor, and then compare the results to
verify whether the file has the same value in both tools.
135. COMPUTER FORENSICS TOOL UPGRADE
PROTOCOL
In addition to verifying your results by using two disk-
analysis tools, you should test all new releases and OS
patches and upgrades to make sure they’re reliable and
don’t corrupt evidence data.
New releases and OS upgrades and patches can affect the
way your forensics tools perform.
141. [CONTD….]
STEP 2: VALIDATION AND DISCRIMINATION
ProDiscover provides three hashing algorithms:
•MD5: a 128-bit hash, historically the most widely used hash
algorithm in forensic tools. Collisions can now be constructed
deliberately, so it serves as an integrity check on your own image
rather than as proof against a motivated adversary.
•SHA-1: a 160-bit hash, long recommended for forensic hash
verification; practical collisions have since been demonstrated as well.
•SHA-256: a 256-bit hash with no known practical attacks; it is the
one to record today, at a modest cost in speed.
Recording two algorithms for the same image is common practice,
since a substituted image would have to match both at once.
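Worked example (added here; it is not from the slides or from ProDiscover): Python code that computes the three digests in a single pass over an image, checks them against the acquisition record, and shows that a one-bit change is caught by all of them. It also serves step 3 of the examination protocol above, comparing the hash a second tool produces: run it against the value your GUI tool reports for the same file or image. The image bytes and the record are constructed for the example; hashlib from the standard library is the only dependency.

```python
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")     # the three ProDiscover offers


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """One pass over an image of any size: every digest is fed the same chunk,
    so the drive is read once even when several algorithms are recorded."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_image(data, recorded):
    """`recorded` is {algorithm: hex digest} as written on the acquisition record.
    Returns {algorithm: True/False}; any False means this is not the image acquired."""
    computed = hash_bytes(data, recorded.keys())
    return {name: computed[name] == digest.lower() for name, digest in recorded.items()}


def digest_bits(algorithms=ALGORITHMS):
    """Output size of each algorithm in bits, the 128/160/256 quoted above."""
    return {name: hashlib.new(name).digest_size * 8 for name in algorithms}


# Constructed image content (not a real acquisition) and the hashes recorded
# at acquisition time.
ACQUIRED_IMAGE = b"\x00" * 4096 + b"MBR and partition data would be here" + b"\xff" * 4096
ACQUISITION_RECORD = hash_bytes(ACQUIRED_IMAGE)


def flip_one_bit(data, byte_index=4100):
    """Simulate a single-bit change (bad cable, failed write-blocker, tampering)."""
    out = bytearray(data)
    out[byte_index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    print(digest_bits())
    print("untouched image:", verify_image(ACQUIRED_IMAGE, ACQUISITION_RECORD))
    print("one bit flipped:", verify_image(flip_one_bit(ACQUIRED_IMAGE), ACQUISITION_RECORD))
```

A verification that fails on one algorithm but passes on another cannot happen for an honest copy; it means either the record was mistyped or the image is not the one that was acquired, and in both cases you stop and re-acquire rather than proceed.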