SlideShare a Scribd company logo

Chapter_5_DF.pptx POWER POINT PRESENATION DIGITAL FORENSICS

Download as PPTX, PDF
R
ramakrishnandrhv

DATA FORENSICS

Data & Analytics
1 of 16
DIGITAL FORENSICS DR. NILAKSHI JAIN Email ID: nilakshijain1986@gmail.com
FORENSIC DUPLICATION 5.1 Introduction to Forensic Duplication 5.2 Rules of Forensic Duplication (Thumb Rule) 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive CHAPTER FIVE
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Introduction To Forensic Duplication : A forensic duplicate contains the same digital data as the original piece of evidence. Many times, with data collection process, forensic duplication process also gets started, which is based on response strategy already formulated.
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Rules of Forensic Duplication : 1. Make two copies of the original media (digital evidence). (a) One copy becomes the working copy on which investigation will be done. (b) One copy is a library/control copy for future reference. (c) Verify the integrity of the copies. 2. The working copy is used for the analysis. 3. The library copy is stored for disclosure purposes or in the event that the working copy becomes corrupted. 4. If performing a drive to drive imaging (not an image file), use clean media to copy to: 5. Verify the integrity of all images using hash values.
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Necessity of Forensic Duplication : Forensic duplication importance can be summarized as: 1. Working from a duplicate image provides following features: (a) Preserves the original digital evidences. (b) Prevents inadvertent alteration of original digital evidence during examination. (c) Allows recreation of the duplicate image, if necessary. 2. Digital evidence can be duplicated with no degradation from copy to copy: (a) This is not the case with most other forms of evidence.
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Forensic Duplicates as Admissible Evidence : Digital evidence should satisfy minimum criteria of legal standards. Some standards are given by the United States, known as Federal Rules of Evidence (FRE). 1. FRE §1002 requires an original to prove the content of a writing, record, or photograph. This means the item or information presented in court must be original. It follows from the best evidence rule: Copying can introduce errors. 2. FRE §1001 (3) states that if data are deposited in a computer or alike device, any printout or other output readable by sight, shown to reflect the data precisely is an “original.” 3. FRE §1003 states that a duplicate is admissible to the same extent as an original if: (a) An honest question is elevated to the authenticity of the original or (b) In the circumstances, it would be partial to confess the identical in lieu of the original.
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Important Terms in Forensic Duplicate : 1. Forensic Duplicate : Forensic duplicate stores every bit of information from source in a raw bitstream format. In a process of forensic duplication, 5GB of drive results in 5GB of forensic data. 2. Qualified Forensic Duplicate : The file that stores every bit of information from the source is referred to as qualified forensic duplicate in the altered form. In-band hashes and empty sector compression are the example of two altered forms. In some tools, it may read a number of sectors from the source. SafeBack and EnCase can be used to generate qualified forensic duplicate. 3. Restored Image : Restoration of a forensic duplicate or qualified forensic duplicate to another storage media results in restored image. It is a complicated process. As the forensic duplicate is restored to the destination hard drive, the partition tables are updated with the new values. 4. Mirror Image : A hardware that does a bit-for-bit copy from one HDD to another is used to generate a mirror image. Generating mirror image presents an extra step in forensic investigation process.
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Forensic Image Formats : 1. Complete Disk Image : The process for getting a “complete disk image” is meant to duplicate each addressable computer memory unit on the medium. This includes Host Protected Areas (HPAs) and Drive Configuration Overlays (DCOs). 2. Partition Image : Most forensic imaging tools permit you specify a personal partition, or volume, as the source for a picture. A partition image may be a set of a whole disk image and contains all of the allocation units from a personal partition on a drive. This includes the unallocated space and file slack present within that partition.
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Forensic Image Formats : 3. Logical Image : A logical image is a smaller amount of Associate in Nursing “image” and additional of a straightforward copy. A logical image is less of an “image” and more of a simple copy. 4. Image Integrity : When a forensic image is formed, cryptologic checksums are generated for two reasons. First, once the image is taken from a drive, which is offline (static) and preserved, the hash is employed to verify and demonstrate that the forensic image could be a true and correct illustration of the initial. Second, the hash is employed to sight if the info was changed since the purpose of your time at which the image was created.
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Traditional Duplication : 1. Hardware Write Blockers : The write blockers are generally protocol bridges that contain changed code or an ASIC designed to intercept a set of the protocol’s commands. With these in your kit, you will faithfully duplicate SATA, PATA, SCSI, SAS, and USB devices. 2. Image Creation Tools : The three main tools we tend to use are a unit DC3dd, AccessData’s FTK Imager, and steering Software’s incase. Each has its pros and cons that build it additional or less appropriate for a given scenario.
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Live System Duplication : The creation of an image of media in a system that is actively running is the example of a live system duplication. This case is not most popular; however, it is usually the only alternative. The system could also be a particularly business-critical system that cannot be taken down except throughout terribly short maintenance windows. Make sure to document precisely what you probably did, as well as the tool you used, the procedure you followed, what services could also be running, and the actual dates and times. You may need that info just in case somebody “challenges” the actual fact that you changed the system. Such challenges are simply refuted if you have got the proper documentation
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Forensic Duplication Tool Requirements : Forensic duplication tools must satisfy the following criteria: 1. The tool shall make a bitstream duplicate or an image of an original disk or partition. 2. The tool shall not alter the original disk. 3. The tool will be able to verify the integrity of a disk image file. 4. The tool shall log I/O errors. 5. The tool’s documentation shall be correct. 6. The tool should create a mirror image or forensic duplicate of the original storage media. 7. The tool must be able handle read errors. 8. The tool should not make any changes to the source medium. 9. The tool must have the capability to be held up to scientific review. Results must be verifiable by a third party. 10. If there are no errors accessing the source, then the tool shall create a bitstream duplicate or image of the source. 11. If there are I/O errors accessing the source, then the tool shall create a qualified bitstream duplicate or image of the source. 12. The tool shall log I/O errors in an accessible and readable form, including the type of error and location of the error.
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Forensic Duplication Tool Requirements : 13. The tool shall be able to access disk drives through one or more well-defined interfaces. 14. Documentation shall be correct, insofar as the mandatory and any implemented optional requirements are concerned, that is, if a user following the tool’s documented procedures produces the expected result, then the documentation is deemed correct. 15. If the tool copies a source to a destination that is larger than the source, then it will document the contents of the areas on the destination that are not part of the copy. 16. If the tool copies a source to a destination that is smaller than the source, then the tool will notify the user, truncate the copy, and log this action. Some Examples of forensic duplication tools are: a. SafeBack (www.forensics-intl.com) b. Ghost (www.symantec.com) c. DD (standard UNIX/Linux utility) d. Encase (www.encase.com) e. Mareware f. FTK (www.accessdata.com) g. ProDiscover Basic
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Creating a Forensic Duplicate of a Hard Drive : 1. Duplicating with dd and dcfldd : For creating a true forensic duplicate image, dd utility is the most efficient tool. ddwill perform bit-for-bit copy of the original, as long as the operating system kernel recognizes the storage medium. However, it is expensive. 2. Creating a Linux Boot Media : Preparation for duplication using Linux is difficult from the methods that we discuss in this section. But using Linux is worthy, as it can be the most flexible boot environment in the toolbox. 3. Performing a Duplication with dd : Sometimes, to fit on a specific media type, such as CD/DVD or file systems with files fewer than 2.1 GB, duplication will be stored in a series of files. This is usually referred to as segmented image. 4. Duplicating with the Open Data Duplicator : The new open source tool is ODD. To perform forensic duplication simultaneously on a number of computers over a Local LAN, the client-server model is followed by this tool. To use the software on single forensic workstations, you need to run both halves on the same computer. Three portions of ODD are: 1. Bootable CD-ROMs: This is similar to Trinux Linux Distributions; 2. Server-side applications: Most of the duplications, such as string searches, calculation of hashes, and storage of true forensic duplications, will be done by the server. 3. Client-side applications: If you are duplicating drives on forensic workstations, this portion may be run locally.
5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Creating a Qualified Forensic Duplicate of a Hard Drive : 1. Creating a Boot Disk : Clean operating environment is required for imaging a system. You must create an MS DOS boot disk when imaging drives using DOS applications such as SafeBack or EnCase. 2. Creating a Qualified Forensic Duplicate with SafeBack : New Technology Inc. (NTI) offers SafeBack. It is used to make qualified forensic duplication of any hard drive. You need to have a clear environment ready on the floppy for SafeBack application because it runs from DOS boot floppy. 3. Creating a Qualified Forensic Duplicate with EnCase : The most popular commercially available forensic tool is EnCase from Guidance Software. It provides ‘easy-to-navigate’ GUI. Allowing the examiner to customize the types of searches performed by the tool, a flexible scripting language in included. Preview option is the most significant feature of EnCase. You can use the preview function to quickly ascertain whether a computer system is material to the issue being investigated, during the first stages of the investigation.
DR. NILAKSHI JAIN • Thank you Email ID : nilakshijain1986@gmail.com

Recommended

ITE - Chapter 5
ITE - Chapter 5ITE - Chapter 5
ITE - Chapter 5
Irsandi Hasan
 
Red hat enterprise_linux-5-installation_guide-en-us
Red hat enterprise_linux-5-installation_guide-en-usRed hat enterprise_linux-5-installation_guide-en-us
Red hat enterprise_linux-5-installation_guide-en-us
Hari Krishna
 
iam giving you entire process of  forensc duplication;the response.pdf
iam giving you entire process of  forensc duplication;the response.pdfiam giving you entire process of  forensc duplication;the response.pdf
iam giving you entire process of  forensc duplication;the response.pdf
mukhtaransarcloth
 
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docxComputer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
maxinesmith73660
 
Red hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-usRed hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-us
Duong Hieu
 
Question 10 Forensic investigation should be conducted in a trusted en.pdf
Question 10 Forensic investigation should be conducted in a trusted en.pdfQuestion 10 Forensic investigation should be conducted in a trusted en.pdf
Question 10 Forensic investigation should be conducted in a trusted en.pdf
Owen2FLTuckerk
 
Truly non-intrusive OpenStack Cinder backup for mission critical systems
Truly non-intrusive OpenStack Cinder backup for mission critical systemsTruly non-intrusive OpenStack Cinder backup for mission critical systems
Truly non-intrusive OpenStack Cinder backup for mission critical systems
Dipak Kumar Singh
 
docslide-3df5a529-2ffd-ef23.ppt
docslide-3df5a529-2ffd-ef23.pptdocslide-3df5a529-2ffd-ef23.ppt
docslide-3df5a529-2ffd-ef23.ppt
PrasannaDeSilva7
 

Recommended

ITE - Chapter 5
ITE - Chapter 5ITE - Chapter 5
ITE - Chapter 5
Irsandi Hasan
 
Red hat enterprise_linux-5-installation_guide-en-us
Red hat enterprise_linux-5-installation_guide-en-usRed hat enterprise_linux-5-installation_guide-en-us
Red hat enterprise_linux-5-installation_guide-en-us
Hari Krishna
 
iam giving you entire process of  forensc duplication;the response.pdf
iam giving you entire process of  forensc duplication;the response.pdfiam giving you entire process of  forensc duplication;the response.pdf
iam giving you entire process of  forensc duplication;the response.pdf
mukhtaransarcloth
 
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docxComputer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
maxinesmith73660
 
Red hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-usRed hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-us
Duong Hieu
 
Question 10 Forensic investigation should be conducted in a trusted en.pdf
Question 10 Forensic investigation should be conducted in a trusted en.pdfQuestion 10 Forensic investigation should be conducted in a trusted en.pdf
Question 10 Forensic investigation should be conducted in a trusted en.pdf
Owen2FLTuckerk
 
Truly non-intrusive OpenStack Cinder backup for mission critical systems
Truly non-intrusive OpenStack Cinder backup for mission critical systemsTruly non-intrusive OpenStack Cinder backup for mission critical systems
Truly non-intrusive OpenStack Cinder backup for mission critical systems
Dipak Kumar Singh
 
docslide-3df5a529-2ffd-ef23.ppt
docslide-3df5a529-2ffd-ef23.pptdocslide-3df5a529-2ffd-ef23.ppt
docslide-3df5a529-2ffd-ef23.ppt
PrasannaDeSilva7
 
Ite pc v40_chapter5
Ite pc v40_chapter5Ite pc v40_chapter5
Ite pc v40_chapter5
paulinagonzapyl
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
Marco Alamanni
 
Expert systems : computer hardware problem
Expert systems : computer hardware problemExpert systems : computer hardware problem
Expert systems : computer hardware problem
mazlinapsas
 
QCM_TSHOOT.pdf
QCM_TSHOOT.pdfQCM_TSHOOT.pdf
QCM_TSHOOT.pdf
gorguindiaye
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
KatherineJack1
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
EmmaJack2018
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
lizabonilla
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
sarahlazeto
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
LillieDickey
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
marysherman2018
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
sweetsour2017
 
Forts and Fights Scaling Performance on Unreal Engine*
Forts and Fights Scaling Performance on Unreal Engine*Forts and Fights Scaling Performance on Unreal Engine*
Forts and Fights Scaling Performance on Unreal Engine*
Intel® Software
 
The new HP Z8 Fury G5 Workstation Desktop PC: Crunch through demanding worklo...
The new HP Z8 Fury G5 Workstation Desktop PC: Crunch through demanding worklo...The new HP Z8 Fury G5 Workstation Desktop PC: Crunch through demanding worklo...
The new HP Z8 Fury G5 Workstation Desktop PC: Crunch through demanding worklo...
Principled Technologies
 
Windows 7 Advantages
Windows 7 AdvantagesWindows 7 Advantages
Windows 7 Advantages
sharkness
 
Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...
Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...
Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...
Principled Technologies
 
Floyd Imaging
Floyd ImagingFloyd Imaging
Floyd Imaging
👨🏻‍💻 Keith Kikta
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docxCreating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
williejgrant41084
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat Security Conference
 
Manual user ful desktop
Manual user ful desktopManual user ful desktop
Manual user ful desktop
jeffersonpbrt
 
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
amitlee9823
 
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
karishmasinghjnh
 

More Related Content

Similar to Chapter_5_DF.pptx POWER POINT PRESENATION DIGITAL FORENSICS

Expert systems : computer hardware problem
Expert systems : computer hardware problemExpert systems : computer hardware problem
Expert systems : computer hardware problem
mazlinapsas
 
Windows 7 Advantages
Windows 7 AdvantagesWindows 7 Advantages
Windows 7 Advantages
sharkness
 
Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...
Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...
Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...
Principled Technologies
 
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docxCreating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
williejgrant41084
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat Security Conference
 
Manual user ful desktop
Manual user ful desktopManual user ful desktop
Manual user ful desktop
jeffersonpbrt
 

Similar to Chapter_5_DF.pptx POWER POINT PRESENATION DIGITAL FORENSICS (20)

Ite pc v40_chapter5
Ite pc v40_chapter5Ite pc v40_chapter5
Ite pc v40_chapter5
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
 
Expert systems : computer hardware problem
Expert systems : computer hardware problemExpert systems : computer hardware problem
Expert systems : computer hardware problem
 
QCM_TSHOOT.pdf
QCM_TSHOOT.pdfQCM_TSHOOT.pdf
QCM_TSHOOT.pdf
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Forts and Fights Scaling Performance on Unreal Engine*
Forts and Fights Scaling Performance on Unreal Engine*Forts and Fights Scaling Performance on Unreal Engine*
Forts and Fights Scaling Performance on Unreal Engine*
 
The new HP Z8 Fury G5 Workstation Desktop PC: Crunch through demanding worklo...
The new HP Z8 Fury G5 Workstation Desktop PC: Crunch through demanding worklo...The new HP Z8 Fury G5 Workstation Desktop PC: Crunch through demanding worklo...
The new HP Z8 Fury G5 Workstation Desktop PC: Crunch through demanding worklo...
 
Windows 7 Advantages
Windows 7 AdvantagesWindows 7 Advantages
Windows 7 Advantages
 
Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...
Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...
Scale testing and cost analysis study: VMware Horizon View 5.2 virtual deskto...
 
Floyd Imaging
Floyd ImagingFloyd Imaging
Floyd Imaging
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
 
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docxCreating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
 
Manual user ful desktop
Manual user ful desktopManual user ful desktop
Manual user ful desktop
 

Recently uploaded

Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
amitlee9823
 
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
karishmasinghjnh
 
➥🔝 7737669865 🔝▻ Sambalpur Call-girls in Women Seeking Men 🔝Sambalpur🔝 Esc...
➥🔝 7737669865 🔝▻ Sambalpur Call-girls in Women Seeking Men 🔝Sambalpur🔝 Esc...➥🔝 7737669865 🔝▻ Sambalpur Call-girls in Women Seeking Men 🔝Sambalpur🔝 Esc...
➥🔝 7737669865 🔝▻ Sambalpur Call-girls in Women Seeking Men 🔝Sambalpur🔝 Esc...
amitlee9823
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
amitlee9823
 
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
gajnagarg
 
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
amitlee9823
 
Just Call Vip call girls roorkee Escorts ☎️9352988975 Two shot with one girl ...
Just Call Vip call girls roorkee Escorts ☎️9352988975 Two shot with one girl ...Just Call Vip call girls roorkee Escorts ☎️9352988975 Two shot with one girl ...
Just Call Vip call girls roorkee Escorts ☎️9352988975 Two shot with one girl ...
gajnagarg
 
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNKDATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
Timothy Spann
 
Call Girls In Nandini Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Nandini Layout ☎ 7737669865 🥵 Book Your One night StandCall Girls In Nandini Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Nandini Layout ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
➥🔝 7737669865 🔝▻ mahisagar Call-girls in Women Seeking Men 🔝mahisagar🔝 Esc...
➥🔝 7737669865 🔝▻ mahisagar Call-girls in Women Seeking Men 🔝mahisagar🔝 Esc...➥🔝 7737669865 🔝▻ mahisagar Call-girls in Women Seeking Men 🔝mahisagar🔝 Esc...
➥🔝 7737669865 🔝▻ mahisagar Call-girls in Women Seeking Men 🔝mahisagar🔝 Esc...
amitlee9823
 
➥🔝 7737669865 🔝▻ Ongole Call-girls in Women Seeking Men 🔝Ongole🔝 Escorts S...
➥🔝 7737669865 🔝▻ Ongole Call-girls in Women Seeking Men 🔝Ongole🔝 Escorts S...➥🔝 7737669865 🔝▻ Ongole Call-girls in Women Seeking Men 🔝Ongole🔝 Escorts S...
➥🔝 7737669865 🔝▻ Ongole Call-girls in Women Seeking Men 🔝Ongole🔝 Escorts S...
amitlee9823
 
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
amitlee9823
 
➥🔝 7737669865 🔝▻ Mathura Call-girls in Women Seeking Men 🔝Mathura🔝 Escorts...
➥🔝 7737669865 🔝▻ Mathura Call-girls in Women Seeking Men 🔝Mathura🔝 Escorts...➥🔝 7737669865 🔝▻ Mathura Call-girls in Women Seeking Men 🔝Mathura🔝 Escorts...
➥🔝 7737669865 🔝▻ Mathura Call-girls in Women Seeking Men 🔝Mathura🔝 Escorts...
amitlee9823
 
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night StandCall Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 

Recently uploaded (20)

Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
 
➥🔝 7737669865 🔝▻ Sambalpur Call-girls in Women Seeking Men 🔝Sambalpur🔝 Esc...
➥🔝 7737669865 🔝▻ Sambalpur Call-girls in Women Seeking Men 🔝Sambalpur🔝 Esc...➥🔝 7737669865 🔝▻ Sambalpur Call-girls in Women Seeking Men 🔝Sambalpur🔝 Esc...
➥🔝 7737669865 🔝▻ Sambalpur Call-girls in Women Seeking Men 🔝Sambalpur🔝 Esc...
 
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
 
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
 
Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -
Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -
Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -
 
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls Mysore Escorts ☎️9352988975 Two shot with one girl (...
 
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
 
Just Call Vip call girls roorkee Escorts ☎️9352988975 Two shot with one girl ...
Just Call Vip call girls roorkee Escorts ☎️9352988975 Two shot with one girl ...Just Call Vip call girls roorkee Escorts ☎️9352988975 Two shot with one girl ...
Just Call Vip call girls roorkee Escorts ☎️9352988975 Two shot with one girl ...
 
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNKDATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
 
Call Girls In Nandini Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Nandini Layout ☎ 7737669865 🥵 Book Your One night StandCall Girls In Nandini Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Nandini Layout ☎ 7737669865 🥵 Book Your One night Stand
 
Anomaly detection and data imputation within time series
Anomaly detection and data imputation within time seriesAnomaly detection and data imputation within time series
Anomaly detection and data imputation within time series
 
➥🔝 7737669865 🔝▻ mahisagar Call-girls in Women Seeking Men 🔝mahisagar🔝 Esc...
➥🔝 7737669865 🔝▻ mahisagar Call-girls in Women Seeking Men 🔝mahisagar🔝 Esc...➥🔝 7737669865 🔝▻ mahisagar Call-girls in Women Seeking Men 🔝mahisagar🔝 Esc...
➥🔝 7737669865 🔝▻ mahisagar Call-girls in Women Seeking Men 🔝mahisagar🔝 Esc...
 
➥🔝 7737669865 🔝▻ Ongole Call-girls in Women Seeking Men 🔝Ongole🔝 Escorts S...
➥🔝 7737669865 🔝▻ Ongole Call-girls in Women Seeking Men 🔝Ongole🔝 Escorts S...➥🔝 7737669865 🔝▻ Ongole Call-girls in Women Seeking Men 🔝Ongole🔝 Escorts S...
➥🔝 7737669865 🔝▻ Ongole Call-girls in Women Seeking Men 🔝Ongole🔝 Escorts S...
 
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
 
➥🔝 7737669865 🔝▻ Mathura Call-girls in Women Seeking Men 🔝Mathura🔝 Escorts...
➥🔝 7737669865 🔝▻ Mathura Call-girls in Women Seeking Men 🔝Mathura🔝 Escorts...➥🔝 7737669865 🔝▻ Mathura Call-girls in Women Seeking Men 🔝Mathura🔝 Escorts...
➥🔝 7737669865 🔝▻ Mathura Call-girls in Women Seeking Men 🔝Mathura🔝 Escorts...
 
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
 
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night StandCall Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Shivaji Nagar ☎ 7737669865 🥵 Book Your One night Stand
 
Aspirational Block Program Block Syaldey District - Almora
Aspirational Block Program Block Syaldey District - AlmoraAspirational Block Program Block Syaldey District - Almora
Aspirational Block Program Block Syaldey District - Almora
 

Chapter_5_DF.pptx POWER POINT PRESENATION DIGITAL FORENSICS

  • 1. DIGITAL FORENSICS DR. NILAKSHI JAIN Email ID: nilakshijain1986@gmail.com
  • 2. FORENSIC DUPLICATION 5.1 Introduction to Forensic Duplication 5.2 Rules of Forensic Duplication (Thumb Rule) 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive CHAPTER FIVE
  • 3. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Introduction To Forensic Duplication : A forensic duplicate contains the same digital data as the original piece of evidence. Many times, with data collection process, forensic duplication process also gets started, which is based on response strategy already formulated.
  • 4. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Rules of Forensic Duplication : 1. Make two copies of the original media (digital evidence). (a) One copy becomes the working copy on which investigation will be done. (b) One copy is a library/control copy for future reference. (c) Verify the integrity of the copies. 2. The working copy is used for the analysis. 3. The library copy is stored for disclosure purposes or in the event that the working copy becomes corrupted. 4. If performing a drive to drive imaging (not an image file), use clean media to copy to: 5. Verify the integrity of all images using hash values.
  • 5. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Necessity of Forensic Duplication : Forensic duplication importance can be summarized as: 1. Working from a duplicate image provides following features: (a) Preserves the original digital evidences. (b) Prevents inadvertent alteration of original digital evidence during examination. (c) Allows recreation of the duplicate image, if necessary. 2. Digital evidence can be duplicated with no degradation from copy to copy: (a) This is not the case with most other forms of evidence.
  • 6. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Forensic Duplicates as Admissible Evidence : Digital evidence should satisfy minimum criteria of legal standards. Some standards are given by the United States, known as Federal Rules of Evidence (FRE). 1. FRE §1002 requires an original to prove the content of a writing, record, or photograph. This means the item or information presented in court must be original. It follows from the best evidence rule: Copying can introduce errors. 2. FRE §1001 (3) states that if data are deposited in a computer or alike device, any printout or other output readable by sight, shown to reflect the data precisely is an “original.” 3. FRE §1003 states that a duplicate is admissible to the same extent as an original if: (a) An honest question is elevated to the authenticity of the original or (b) In the circumstances, it would be partial to confess the identical in lieu of the original.
  • 7. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Important Terms in Forensic Duplicate : 1. Forensic Duplicate : Forensic duplicate stores every bit of information from source in a raw bitstream format. In a process of forensic duplication, 5GB of drive results in 5GB of forensic data. 2. Qualified Forensic Duplicate : The file that stores every bit of information from the source is referred to as qualified forensic duplicate in the altered form. In-band hashes and empty sector compression are the example of two altered forms. In some tools, it may read a number of sectors from the source. SafeBack and EnCase can be used to generate qualified forensic duplicate. 3. Restored Image : Restoration of a forensic duplicate or qualified forensic duplicate to another storage media results in restored image. It is a complicated process. As the forensic duplicate is restored to the destination hard drive, the partition tables are updated with the new values. 4. Mirror Image : A hardware that does a bit-for-bit copy from one HDD to another is used to generate a mirror image. Generating mirror image presents an extra step in forensic investigation process.
  • 8. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Forensic Image Formats : 1. Complete Disk Image : The process for getting a “complete disk image” is meant to duplicate each addressable computer memory unit on the medium. This includes Host Protected Areas (HPAs) and Drive Configuration Overlays (DCOs). 2. Partition Image : Most forensic imaging tools permit you specify a personal partition, or volume, as the source for a picture. A partition image may be a set of a whole disk image and contains all of the allocation units from a personal partition on a drive. This includes the unallocated space and file slack present within that partition.
  • 9. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Forensic Image Formats : 3. Logical Image : A logical image is a smaller amount of Associate in Nursing “image” and additional of a straightforward copy. A logical image is less of an “image” and more of a simple copy. 4. Image Integrity : When a forensic image is formed, cryptologic checksums are generated for two reasons. First, once the image is taken from a drive, which is offline (static) and preserved, the hash is employed to verify and demonstrate that the forensic image could be a true and correct illustration of the initial. Second, the hash is employed to sight if the info was changed since the purpose of your time at which the image was created.
  • 10. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Traditional Duplication : 1. Hardware Write Blockers : The write blockers are generally protocol bridges that contain changed code or an ASIC designed to intercept a set of the protocol’s commands. With these in your kit, you will faithfully duplicate SATA, PATA, SCSI, SAS, and USB devices. 2. Image Creation Tools : The three main tools we tend to use are a unit DC3dd, AccessData’s FTK Imager, and steering Software’s incase. Each has its pros and cons that build it additional or less appropriate for a given scenario.
  • 11. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Live System Duplication : The creation of an image of media in a system that is actively running is the example of a live system duplication. This case is not most popular; however, it is usually the only alternative. The system could also be a particularly business-critical system that cannot be taken down except throughout terribly short maintenance windows. Make sure to document precisely what you probably did, as well as the tool you used, the procedure you followed, what services could also be running, and the actual dates and times. You may need that info just in case somebody “challenges” the actual fact that you changed the system. Such challenges are simply refuted if you have got the proper documentation
  • 12. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Forensic Duplication Tool Requirements : Forensic duplication tools must satisfy the following criteria: 1. The tool shall make a bitstream duplicate or an image of an original disk or partition. 2. The tool shall not alter the original disk. 3. The tool will be able to verify the integrity of a disk image file. 4. The tool shall log I/O errors. 5. The tool’s documentation shall be correct. 6. The tool should create a mirror image or forensic duplicate of the original storage media. 7. The tool must be able handle read errors. 8. The tool should not make any changes to the source medium. 9. The tool must have the capability to be held up to scientific review. Results must be verifiable by a third party. 10. If there are no errors accessing the source, then the tool shall create a bitstream duplicate or image of the source. 11. If there are I/O errors accessing the source, then the tool shall create a qualified bitstream duplicate or image of the source. 12. The tool shall log I/O errors in an accessible and readable form, including the type of error and location of the error.
  • 13. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Forensic Duplication Tool Requirements : 13. The tool shall be able to access disk drives through one or more well-defined interfaces. 14. Documentation shall be correct, insofar as the mandatory and any implemented optional requirements are concerned, that is, if a user following the tool’s documented procedures produces the expected result, then the documentation is deemed correct. 15. If the tool copies a source to a destination that is larger than the source, then it will document the contents of the areas on the destination that are not part of the copy. 16. If the tool copies a source to a destination that is smaller than the source, then the tool will notify the user, truncate the copy, and log this action. Some Examples of forensic duplication tools are: a. SafeBack (www.forensics-intl.com) b. Ghost (www.symantec.com) c. DD (standard UNIX/Linux utility) d. Encase (www.encase.com) e. Mareware f. FTK (www.accessdata.com) g. ProDiscover Basic
  • 14. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Creating a Forensic Duplicate of a Hard Drive : 1. Duplicating with dd and dcfldd : For creating a true forensic duplicate image, dd utility is the most efficient tool. ddwill perform bit-for-bit copy of the original, as long as the operating system kernel recognizes the storage medium. However, it is expensive. 2. Creating a Linux Boot Media : Preparation for duplication using Linux is difficult from the methods that we discuss in this section. But using Linux is worthy, as it can be the most flexible boot environment in the toolbox. 3. Performing a Duplication with dd : Sometimes, to fit on a specific media type, such as CD/DVD or file systems with files fewer than 2.1 GB, duplication will be stored in a series of files. This is usually referred to as segmented image. 4. Duplicating with the Open Data Duplicator : The new open source tool is ODD. To perform forensic duplication simultaneously on a number of computers over a Local LAN, the client-server model is followed by this tool. To use the software on single forensic workstations, you need to run both halves on the same computer. Three portions of ODD are: 1. Bootable CD-ROMs: This is similar to Trinux Linux Distributions; 2. Server-side applications: Most of the duplications, such as string searches, calculation of hashes, and storage of true forensic duplications, will be done by the server. 3. Client-side applications: If you are duplicating drives on forensic workstations, this portion may be run locally.
  • 15. 5.1 Introduction 5.2 Rules of Forensic Duplication 5.3 Necessity of Forensic Duplication 5.4 Forensic Duplicates as Admissible Evidence 5.5 Important Terms in Forensic Duplicate 5.6 Forensic Image Formats 5.7 Traditional Duplication 5.8 Live System Duplication 5.9 Forensic Duplication Tool Requirements 5.10 Creating a Forensic Duplicate of a Hard Drive 5.11 Creating a Qualified Forensic Duplicate of a Hard Drive Creating a Qualified Forensic Duplicate of a Hard Drive : 1. Creating a Boot Disk : Clean operating environment is required for imaging a system. You must create an MS DOS boot disk when imaging drives using DOS applications such as SafeBack or EnCase. 2. Creating a Qualified Forensic Duplicate with SafeBack : New Technology Inc. (NTI) offers SafeBack. It is used to make qualified forensic duplication of any hard drive. You need to have a clear environment ready on the floppy for SafeBack application because it runs from DOS boot floppy. 3. Creating a Qualified Forensic Duplicate with EnCase : The most popular commercially available forensic tool is EnCase from Guidance Software. It provides ‘easy-to-navigate’ GUI. Allowing the examiner to customize the types of searches performed by the tool, a flexible scripting language in included. Preview option is the most significant feature of EnCase. You can use the preview function to quickly ascertain whether a computer system is material to the issue being investigated, during the first stages of the investigation.
  • 16. DR. NILAKSHI JAIN • Thank you Email ID : nilakshijain1986@gmail.com