SlideShare a Scribd company logo

Forensic Duplication Lecture

D
Dr. Ramchandra Mangrulkar

The document discusses forensic duplication, which involves creating an accurate copy of digital evidence that can be admitted in court. It describes the importance of duplicating every bit of accessible data on a storage device and ensuring the process does not alter the original. Several types of forensic images are outlined, including complete disk images, partition images, and logical images. Characteristics of forensic duplication tools and methods like hashing are also summarized.

Engineering
1 of 19
Download to read offline
Lecture #32: Forensic Duplication Dr.Ramchandra Mangrulkar October 8, 2020 Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 1 / 19
Forensic Duplication 1 During an incident, a significant amount of data is gathered, preserved, cataloged, and analyzed. 2 The most comprehensive sources of information is a forensic image of an affected or suspect computer system. 3 Processes, formats, and tools that are used by the forensic community to properly duplicate data. 4 A court may find that the best available duplication acceptable and render it admissible. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 2 / 19
Types of Forensic Duplication A simple duplication consists of making a copy of specific data. The data may consist of a single file, a group of files, a partition on a hard drive, an entire hard drive, or other elements of data storage devices and the information stored on them. A forensic duplication is an accurate copy of data that is created with the goal of being admissible as evidence in legal proceedings. Furthermore, we define forensic duplication as an image of every accessible bit from the source medium. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 3 / 19
Characteristics of Forensic Duplication Tools ability to image or account for every bit of accessible. data on the storage medium. must create a forensic duplicate of the original storage medium. must handle read errors in a robust and graceful manner. the process must not make any changes to the original storage medium. must generate results that are repeatable and verifiable by a third party. must generate logs that detail the actions requested and any errors encountered. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 4 / 19
Forensics Image Format IR teams will create and process three primary types of forensic images Complete Disk Image Partition Image Logical Image Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 5 / 19
Complete Disk Image A “complete disk image” is intended to duplicate every addressable allocation unit on the storage medium. includes Host Protected Areas (HPAs) and Drive Configuration Overlays (DCOs). complete disk image, the output file contains every allocation unit, or sector, accessible to the imaging software. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 6 / 19
Overview of the Disk Areas A service area is a logical area on the hard-drive (residing on the platters) set aside by hard-drive vendors for internally managing the drive. These areas are outside the hard-drive’s Logical Block Address (LBA) space and as such are non-addressable and inaccessible via the standard ATA commands. The service area contains both code and data modules, such as defect management modules, SMART data modules, self-test modules and much more. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 7 / 19
Disk Areas Disk Firmware Area (DPA) The firmware is composed of a series of modules. Examples are: SECU (Security System Module), P-List, G-List, T-List, SMART Attributes, and U-List (Firmware Zone Translator). The Host Protected Area (HPA) is used for holding diagnostics and other utilities required by the manufacturer such as the boot sector, the user addressable sectors, start of the reserved area, and the code for the boot. A Device Configuration Overlay (DCO) is similar to the HPA, but is used by manufacturers to configure drive sizes, to enable and disable features on the disk. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 8 / 19
Case Study Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 9 / 19
Case Study Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 10 / 19
Partition Image Tools allow you specify an individual partition, or volume, as the source for an image. A partition image is a subset of a complete disk image and contains all of the allocation units from an individual partition on a drive. A partition image still affords you the opportunity to perform low-level analysis and attempt to undelete files and examine slack space from that partition. Because a partition image does not capture all the data on a drive, it is taken only under special circumstances. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 11 / 19
Logical Image A logical image is less of an “image” and more of a simple copy, and it’s the type of duplication we referred to previously as a “simple duplication.” Both FTK Imager and EnCase have the ability to create evidence containers for logical files. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 12 / 19
Image Integrity When a forensic image is created, cryptographic checksums are generated for two reasons. First, when the image is taken from a drive that is offline (static) and preserved, the hash is used to verify and demonstrate that the forensic image is a true and accurate representation of the original. Second, the hash is used to detect if the data was modified since the point of time at which the image was created. The hash is simply used to ensure that the integrity has been maintained throughout the life of the image. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 13 / 19
Traditional Duplication 1 Traditional imaging is performed on static drives (that is, hard drives that are not part of an active, running system Hardware Write Blockers The best way to ensure that the source media is not modified in any way is to use specialized hardware that prohibits write commands from reaching the drive controller. A set of these write blockers should be in every IR team’s kit. The write blockers are typically protocol bridges that contain modified firmware or an ASIC designed to intercept a subset of the protocol’s commands. 1 Incident Response Computer Forensics, Third Edition Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 14 / 19
Case Study Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 15 / 19
Case Study Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 16 / 19
Image Creation Tools The most common method to create a forensic duplicate is via software. The three main tools we use are DC3dd, AccessData’s FTK Imager, and Guidance Software’s EnCase dd, DCFLdd, and DC3dd Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 17 / 19
Live System Duplication A live system duplication is defined as the creation of an image of media in a system that is actively running. the system may be an extremely business-critical system that cannot be taken down. Performing a live image will make minor modifications to the system, but you will be able to get an image. Be sure to document exactly what you did, including the tool you used, the procedure you followed, what services may be running, and the exact dates and times. If “challenged” , the fact that you modified the system. Such challenges are more easily refuted if you have the proper documentation. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 18 / 19
Duplication of Enterprise Asset the evidence that is part of an investigation resides on a very large RAID, SAN, NAS, or other massive central storage system. it’s infeasible to make a complete duplicate of the entire original source due to the sheer volume of data or the complexity of the storage configuration. formulate an appropriate plan to create a logical copy of only the relevant data Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 19 / 19

Recommended

Lecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsLecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsDr. Ramchandra Mangrulkar
 
Lecture #32: Digital Forensics : Evidence Handling, Validation and Reporting
Lecture #32: Digital Forensics : Evidence Handling, Validation and ReportingLecture #32: Digital Forensics : Evidence Handling, Validation and Reporting
Lecture #32: Digital Forensics : Evidence Handling, Validation and ReportingDr. Ramchandra Mangrulkar
 
LEcture #28-#30
LEcture #28-#30LEcture #28-#30
LEcture #28-#30Dr. Ramchandra Mangrulkar
 
06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - NotesKranthi
 
computer forensics
computer forensics computer forensics
computer forensics samantha jarrett
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Vishal Tandel
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemLecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemAlchemist095
 

Recommended

Lecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsLecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsDr. Ramchandra Mangrulkar
 
Lecture #32: Digital Forensics : Evidence Handling, Validation and Reporting
Lecture #32: Digital Forensics : Evidence Handling, Validation and ReportingLecture #32: Digital Forensics : Evidence Handling, Validation and Reporting
Lecture #32: Digital Forensics : Evidence Handling, Validation and ReportingDr. Ramchandra Mangrulkar
 
LEcture #28-#30
LEcture #28-#30LEcture #28-#30
LEcture #28-#30Dr. Ramchandra Mangrulkar
 
06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - NotesKranthi
 
computer forensics
computer forensics computer forensics
computer forensics samantha jarrett
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Vishal Tandel
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemLecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemAlchemist095
 
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)Dr. Ramchandra Mangrulkar
 
Lecture #12,#13 : Program and OS Security -Part I
Lecture #12,#13 : Program and OS Security -Part ILecture #12,#13 : Program and OS Security -Part I
Lecture #12,#13 : Program and OS Security -Part IDr. Ramchandra Mangrulkar
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsLalit Garg
 
cyber forensics
cyber forensicscyber forensics
cyber forensicsAmbuj Kumar
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityAlchemist095
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsNicholas Davis
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - NotesKranthi
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - NotesKranthi
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic toolsParsons Corporation
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics00heights
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Cs6004 cyber fofrensics_qb
Cs6004 cyber fofrensics_qbCs6004 cyber fofrensics_qb
Cs6004 cyber fofrensics_qbloyola ICAM college of engineering and technology
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)AltheimPrivacy
 
NIST - определения для Интернета вещей
NIST - определения для Интернета вещейNIST - определения для Интернета вещей
NIST - определения для Интернета вещейVictor Gridnev
 
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...AltheimPrivacy
 
The design of forensic computer workstations
The design of forensic computer workstationsThe design of forensic computer workstations
The design of forensic computer workstationsjkvr100
 
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEWFORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEWcscpconf
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
Latest presentation
Latest presentationLatest presentation
Latest presentationAdetunji Adeoje
 
Fs Ch 18
Fs Ch 18Fs Ch 18
Fs Ch 18warren142
 

More Related Content

What's hot

Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)Dr. Ramchandra Mangrulkar
 
Lecture #12,#13 : Program and OS Security -Part I
Lecture #12,#13 : Program and OS Security -Part ILecture #12,#13 : Program and OS Security -Part I
Lecture #12,#13 : Program and OS Security -Part IDr. Ramchandra Mangrulkar
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsLalit Garg
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityAlchemist095
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - NotesKranthi
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - NotesKranthi
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics00heights
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)AltheimPrivacy
 
NIST - определения для Интернета вещей
NIST - определения для Интернета вещейNIST - определения для Интернета вещей
NIST - определения для Интернета вещейVictor Gridnev
 
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...AltheimPrivacy
 
The design of forensic computer workstations
The design of forensic computer workstationsThe design of forensic computer workstations
The design of forensic computer workstationsjkvr100
 
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEWFORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEWcscpconf
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 

What's hot (20)

Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
 
Lecture #12,#13 : Program and OS Security -Part I
Lecture #12,#13 : Program and OS Security -Part ILecture #12,#13 : Program and OS Security -Part I
Lecture #12,#13 : Program and OS Security -Part I
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
cyber forensics
cyber forensicscyber forensics
cyber forensics
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
 
Cs6004 cyber fofrensics_qb
Cs6004 cyber fofrensics_qbCs6004 cyber fofrensics_qb
Cs6004 cyber fofrensics_qb
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)
 
NIST - определения для Интернета вещей
NIST - определения для Интернета вещейNIST - определения для Интернета вещей
NIST - определения для Интернета вещей
 
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
Threats to Privacy in the Management of Data Stored in Computer Systems by Gu...
 
The design of forensic computer workstations
The design of forensic computer workstationsThe design of forensic computer workstations
The design of forensic computer workstations
 
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEWFORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 

Similar to Forensic Duplication Lecture

Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidencerakesh mishra
 
Forensic Investigation of Android Operating System
Forensic Investigation of Android Operating SystemForensic Investigation of Android Operating System
Forensic Investigation of Android Operating Systemnishant24894
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics reportyash sawarkar
 
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxchristinemaritza
 
Techniques in Computer Forensics: A Recovery Perspective
Techniques in Computer Forensics: A Recovery PerspectiveTechniques in Computer Forensics: A Recovery Perspective
Techniques in Computer Forensics: A Recovery PerspectiveCSCJournals
 
Forensic drive correlation
Forensic drive correlationForensic drive correlation
Forensic drive correlationRamesh Gubba
 
Comparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction ToolsComparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction Toolsijtsrd
 
A Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis ToolsA Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis ToolsSamantha Vargas
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the ArchiveGarethKnight
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newKatherineJack1
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newEmmaJack2018
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newmarysherman2018
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newLillieDickey
 

Similar to Forensic Duplication Lecture (20)

Latest presentation
Latest presentationLatest presentation
Latest presentation
 
Fs Ch 18
Fs Ch 18Fs Ch 18
Fs Ch 18
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Forensic Investigation of Android Operating System
Forensic Investigation of Android Operating SystemForensic Investigation of Android Operating System
Forensic Investigation of Android Operating System
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics report
 
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
 
Techniques in Computer Forensics: A Recovery Perspective
Techniques in Computer Forensics: A Recovery PerspectiveTechniques in Computer Forensics: A Recovery Perspective
Techniques in Computer Forensics: A Recovery Perspective
 
Forensic drive correlation
Forensic drive correlationForensic drive correlation
Forensic drive correlation
 
Comparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction ToolsComparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction Tools
 
A Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis ToolsA Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis Tools
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the Archive
 
F1805023942
F1805023942F1805023942
F1805023942
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 

More from Dr. Ramchandra Mangrulkar

Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)
Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)
Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)Dr. Ramchandra Mangrulkar
 
Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Dr. Ramchandra Mangrulkar
 
Lecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityLecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityDr. Ramchandra Mangrulkar
 
Lecture # 14: Salami and Linearization Attacks
Lecture # 14: Salami and Linearization Attacks Lecture # 14: Salami and Linearization Attacks
Lecture # 14: Salami and Linearization Attacks Dr. Ramchandra Mangrulkar
 
Lecture #9 : Single Sign on and Federation Identity Management
Lecture #9 : Single Sign on and Federation Identity ManagementLecture #9 : Single Sign on and Federation Identity Management
Lecture #9 : Single Sign on and Federation Identity ManagementDr. Ramchandra Mangrulkar
 
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel SecurityLecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel SecurityDr. Ramchandra Mangrulkar
 
Lecture #7: Bell Lapdula and Biba Model of Multilevel Security
Lecture #7: Bell Lapdula and Biba Model of Multilevel SecurityLecture #7: Bell Lapdula and Biba Model of Multilevel Security
Lecture #7: Bell Lapdula and Biba Model of Multilevel SecurityDr. Ramchandra Mangrulkar
 
Lecture #3: Defense Strategies and Techniques: Part II
Lecture #3: Defense Strategies and Techniques: Part II Lecture #3: Defense Strategies and Techniques: Part II
Lecture #3: Defense Strategies and Techniques: Part IIDr. Ramchandra Mangrulkar
 
Lecture #2: Defence Strategies and Techniques (Security): Part I
Lecture #2: Defence Strategies and Techniques (Security): Part ILecture #2: Defence Strategies and Techniques (Security): Part I
Lecture #2: Defence Strategies and Techniques (Security): Part IDr. Ramchandra Mangrulkar
 
Lecture #1: Access Control : Various Cyber attacks and Latest Statistics
Lecture #1: Access Control : Various Cyber attacks and Latest StatisticsLecture #1: Access Control : Various Cyber attacks and Latest Statistics
Lecture #1: Access Control : Various Cyber attacks and Latest StatisticsDr. Ramchandra Mangrulkar
 
Stream cipher: Play Fair, Hill Cipher, Product Cipher
Stream cipher: Play Fair, Hill Cipher, Product CipherStream cipher: Play Fair, Hill Cipher, Product Cipher
Stream cipher: Play Fair, Hill Cipher, Product CipherDr. Ramchandra Mangrulkar
 

More from Dr. Ramchandra Mangrulkar (20)

Blockchain#2.pdf
Blockchain#2.pdfBlockchain#2.pdf
Blockchain#2.pdf
 
Blockchain#1.pdf
Blockchain#1.pdfBlockchain#1.pdf
Blockchain#1.pdf
 
Blockchain#3.pdf
Blockchain#3.pdfBlockchain#3.pdf
Blockchain#3.pdf
 
Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)
Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)
Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)
 
Lecture #25 : Oauth 2.0
Lecture #25 : Oauth 2.0Lecture #25 : Oauth 2.0
Lecture #25 : Oauth 2.0
 
Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)
 
Lecture #22: Web Privacy & Security Breach
Lecture #22: Web Privacy & Security BreachLecture #22: Web Privacy & Security Breach
Lecture #22: Web Privacy & Security Breach
 
Lecture #22 : Web Privacy & Security Breach
Lecture #22 : Web Privacy & Security BreachLecture #22 : Web Privacy & Security Breach
Lecture #22 : Web Privacy & Security Breach
 
Lecture #21: HTTPS , SSL & TLS
Lecture #21: HTTPS , SSL & TLSLecture #21: HTTPS , SSL & TLS
Lecture #21: HTTPS , SSL & TLS
 
Lecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityLecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application Security
 
Lecture # 14: Salami and Linearization Attacks
Lecture # 14: Salami and Linearization Attacks Lecture # 14: Salami and Linearization Attacks
Lecture # 14: Salami and Linearization Attacks
 
Lecture #9 : Single Sign on and Federation Identity Management
Lecture #9 : Single Sign on and Federation Identity ManagementLecture #9 : Single Sign on and Federation Identity Management
Lecture #9 : Single Sign on and Federation Identity Management
 
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel SecurityLecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
 
Lecture #6: Multilevel Security Models
Lecture #6: Multilevel Security ModelsLecture #6: Multilevel Security Models
Lecture #6: Multilevel Security Models
 
Lecture #7: Bell Lapdula and Biba Model of Multilevel Security
Lecture #7: Bell Lapdula and Biba Model of Multilevel SecurityLecture #7: Bell Lapdula and Biba Model of Multilevel Security
Lecture #7: Bell Lapdula and Biba Model of Multilevel Security
 
Lecture #4: Access Control Policies
Lecture #4: Access Control PoliciesLecture #4: Access Control Policies
Lecture #4: Access Control Policies
 
Lecture #3: Defense Strategies and Techniques: Part II
Lecture #3: Defense Strategies and Techniques: Part II Lecture #3: Defense Strategies and Techniques: Part II
Lecture #3: Defense Strategies and Techniques: Part II
 
Lecture #2: Defence Strategies and Techniques (Security): Part I
Lecture #2: Defence Strategies and Techniques (Security): Part ILecture #2: Defence Strategies and Techniques (Security): Part I
Lecture #2: Defence Strategies and Techniques (Security): Part I
 
Lecture #1: Access Control : Various Cyber attacks and Latest Statistics
Lecture #1: Access Control : Various Cyber attacks and Latest StatisticsLecture #1: Access Control : Various Cyber attacks and Latest Statistics
Lecture #1: Access Control : Various Cyber attacks and Latest Statistics
 
Stream cipher: Play Fair, Hill Cipher, Product Cipher
Stream cipher: Play Fair, Hill Cipher, Product CipherStream cipher: Play Fair, Hill Cipher, Product Cipher
Stream cipher: Play Fair, Hill Cipher, Product Cipher
 

Recently uploaded

GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and usesDevarapalliHaritha
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningchaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningmisbanausheenparvam
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2RajaP95
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLDeelipZope
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEroselinkalist12
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 

Recently uploaded (20)

🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and uses
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningchaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learning
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 

Forensic Duplication Lecture

  • 1. Lecture #32: Forensic Duplication Dr.Ramchandra Mangrulkar October 8, 2020 Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 1 / 19
  • 2. Forensic Duplication 1 During an incident, a significant amount of data is gathered, preserved, cataloged, and analyzed. 2 The most comprehensive sources of information is a forensic image of an affected or suspect computer system. 3 Processes, formats, and tools that are used by the forensic community to properly duplicate data. 4 A court may find that the best available duplication acceptable and render it admissible. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 2 / 19
  • 3. Types of Forensic Duplication A simple duplication consists of making a copy of specific data. The data may consist of a single file, a group of files, a partition on a hard drive, an entire hard drive, or other elements of data storage devices and the information stored on them. A forensic duplication is an accurate copy of data that is created with the goal of being admissible as evidence in legal proceedings. Furthermore, we define forensic duplication as an image of every accessible bit from the source medium. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 3 / 19
  • 4. Characteristics of Forensic Duplication Tools ability to image or account for every bit of accessible. data on the storage medium. must create a forensic duplicate of the original storage medium. must handle read errors in a robust and graceful manner. the process must not make any changes to the original storage medium. must generate results that are repeatable and verifiable by a third party. must generate logs that detail the actions requested and any errors encountered. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 4 / 19
  • 5. Forensics Image Format IR teams will create and process three primary types of forensic images Complete Disk Image Partition Image Logical Image Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 5 / 19
  • 6. Complete Disk Image A “complete disk image” is intended to duplicate every addressable allocation unit on the storage medium. includes Host Protected Areas (HPAs) and Drive Configuration Overlays (DCOs). complete disk image, the output file contains every allocation unit, or sector, accessible to the imaging software. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 6 / 19
  • 7. Overview of the Disk Areas A service area is a logical area on the hard-drive (residing on the platters) set aside by hard-drive vendors for internally managing the drive. These areas are outside the hard-drive’s Logical Block Address (LBA) space and as such are non-addressable and inaccessible via the standard ATA commands. The service area contains both code and data modules, such as defect management modules, SMART data modules, self-test modules and much more. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 7 / 19
  • 8. Disk Areas Disk Firmware Area (DPA) The firmware is composed of a series of modules. Examples are: SECU (Security System Module), P-List, G-List, T-List, SMART Attributes, and U-List (Firmware Zone Translator). The Host Protected Area (HPA) is used for holding diagnostics and other utilities required by the manufacturer such as the boot sector, the user addressable sectors, start of the reserved area, and the code for the boot. A Device Configuration Overlay (DCO) is similar to the HPA, but is used by manufacturers to configure drive sizes, to enable and disable features on the disk. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 8 / 19
  • 9. Case Study Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 9 / 19
  • 10. Case Study Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 10 / 19
  • 11. Partition Image Tools allow you specify an individual partition, or volume, as the source for an image. A partition image is a subset of a complete disk image and contains all of the allocation units from an individual partition on a drive. A partition image still affords you the opportunity to perform low-level analysis and attempt to undelete files and examine slack space from that partition. Because a partition image does not capture all the data on a drive, it is taken only under special circumstances. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 11 / 19
  • 12. Logical Image A logical image is less of an “image” and more of a simple copy, and it’s the type of duplication we referred to previously as a “simple duplication.” Both FTK Imager and EnCase have the ability to create evidence containers for logical files. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 12 / 19
  • 13. Image Integrity When a forensic image is created, cryptographic checksums are generated for two reasons. First, when the image is taken from a drive that is offline (static) and preserved, the hash is used to verify and demonstrate that the forensic image is a true and accurate representation of the original. Second, the hash is used to detect if the data was modified since the point of time at which the image was created. The hash is simply used to ensure that the integrity has been maintained throughout the life of the image. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 13 / 19
  • 14. Traditional Duplication 1 Traditional imaging is performed on static drives (that is, hard drives that are not part of an active, running system Hardware Write Blockers The best way to ensure that the source media is not modified in any way is to use specialized hardware that prohibits write commands from reaching the drive controller. A set of these write blockers should be in every IR team’s kit. The write blockers are typically protocol bridges that contain modified firmware or an ASIC designed to intercept a subset of the protocol’s commands. 1 Incident Response Computer Forensics, Third Edition Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 14 / 19
  • 15. Case Study Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 15 / 19
  • 16. Case Study Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 16 / 19
  • 17. Image Creation Tools The most common method to create a forensic duplicate is via software. The three main tools we use are DC3dd, AccessData’s FTK Imager, and Guidance Software’s EnCase dd, DCFLdd, and DC3dd Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 17 / 19
  • 18. Live System Duplication A live system duplication is defined as the creation of an image of media in a system that is actively running. the system may be an extremely business-critical system that cannot be taken down. Performing a live image will make minor modifications to the system, but you will be able to get an image. Be sure to document exactly what you did, including the tool you used, the procedure you followed, what services may be running, and the exact dates and times. If “challenged” , the fact that you modified the system. Such challenges are more easily refuted if you have the proper documentation. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 18 / 19
  • 19. Duplication of Enterprise Asset the evidence that is part of an investigation resides on a very large RAID, SAN, NAS, or other massive central storage system. it’s infeasible to make a complete duplicate of the entire original source due to the sheer volume of data or the complexity of the storage configuration. formulate an appropriate plan to create a logical copy of only the relevant data Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 19 / 19