SlideShare a Scribd company logo

Lecture 9 and 10 comp forensics 09 10-18 file system

Download as PPT, PDF
A
Alchemist095

This document discusses various topics related to computer forensics, including data acquisition, digital evidence storage formats, acquisition methods, using acquisition tools, validating data acquisition, RAID acquisition methods, remote network acquisition tools, processing crime scenes, and analyzing evidence. It provides details on different types of data acquisition, such as static and live acquisition. It also describes best practices for securing evidence, gathering evidence, and analyzing evidence as part of a computer forensics investigation.

Education
1 of 52
1 COMPUTER FORENSICS ISC541 (LECTURE 8) 09-10-2018
2 Data Acquisition ● Types of acquisition ● Digital evidence storage formats ● Acquisition methods ● Contingency planning ● Using acquisition tools ● Validating data acquisition ● RAID acquisition methods ● Remote network acquisition tools ● Some forensics tools
3 Types of Acquisition ● Static Acquisition – Acquire data from the original media – The data in the original media will not change ● Live Acquisition – Acquire data while the system is running – A second live acquisition will not be the same ● Will focus on static acquisition
4 Digital Evidence Storage Formats● Raw formats – Bit by bit copying of the data from the disk – Many tools could be used ● Proprietary formats – Vendors have special formats ● Standards – XML based formats for digital evidence – Digital Evidence Markup Language (Funded by National Institute of Justice) – Experts have argued that technologies that allow disparate law enforcement jurisdictions to share crime-related information will greatly facilitate fighting crime. One of these technologies is the Global Justice XML Data Model (GJXDM). – http://ncfs.ucf.edu/digital_evd.html
5 Acquisition Methods ● Disk to Image File ● Disk to Disk ● Logical acquisition – Acquire only certain files if the disk is too large ● Sparse acquisition – Similar to logical acquisition but also collects fragments of unallocated (i.e. deleted) data
6 Compression Methods ● Compression methods are used for very large data storage – E.g., Terabytes/Petabytes storage ● Lossy vs Lossless compression – Lossless data compression is a class of data compression algorithms that allows the exact original data to be reconstructed from the compressed data. The term lossless is in contrast to lossy data compression, which only allows an approximation of the original data to be reconstructed, in exchange for better compression rates.
7 Contingency Planning ● Failure occurs during acquisition – Recovery methods ● Make multiple copies – At least 2 copies ● Encryption decryption techniques so that the evidence is not corrupted
8 Storage Area Network Security Systems ● High performance networks that connects all the storage systems – After as disaster such as terrorism or natural disaster (9/11 or Katrina), the data has to be availability – Database systems is a special kind of storage system ● Benefits include centralized management, scalability reliability, performance ● Security attacks on multiple storage devices – Secure storage is being investigated
9 Network Disaster Recovery Systems ● Network disaster recovery is the ability to respond to an interruption in network services by implementing a disaster recovery plan ● Policies and procedures have to be defined and subsequently enforced ● Which machines to shut down, determine which backup servers to use, When should law enforcement be notified
10 Using Acquisition Tools ● Acquisition tools have been developed for different operating systems including Windows, Linux, Mac ● It is important that the evidence drive is write protected ● Example acquisition method: – Document the chain of evidence for the drive to be acquired – Remove drive from suspect’s computer – Connect the suspect drive to USB or Firewire write-blocker device (if USB, write protect it via Registry write protect feature) – Create a storage folder on the target drive
11 Using Acquisition Tools - 2 ● Example tools include ProDiscover, Access Data FTK Imager ● Click on All programs and click on specific tool (e.g., ProDiscover ● Perform the commands – E.g. Capture Image ● For additional security, use passwords
12 FTK imager ● ProDiscover
13 Validating Data Acquisition ● Create hash values – CRC-32 (older methods), MD5, SHA series ● Linux validation – Hash algorithms are included and can be executed using special commands ● Windows validation – No hash algorithms built in, but works with 3rd party programs
14 RAID Acquisition Methods ● RAID: Redundant array of independent disks ● RAID storage is used for large files and to support replication ● Data is stored using multiple methods – E.g, Striping ● When RAID is acquired, need special tools to be used depending on the way the data is stored
15 Remote Network Acquisition Tools ● Preview suspects file remotely while its being used or powered on ● Perform live acquisition while the suspect’s computer is powered on ● Encrypt the connection between the suspect’s computer and the examiner’s computer ● Copy the RAM while the computer is powered on ● Use stealth mode to hide the remote connection from the suspect’s computer ● Variation for the individual tools (ProDiscover, EnCase)
16 Some Forensics Tools ● ProDiscover – http://www.techpathways.com/prodiscoverdft.htm – http://www.techpathways.com/DesktopDefault.asp x ● EnCase – http://www.guidancesoftware.com/ – http://www.guidancesoftware.com/products/ef_ind ex.asp ● NTI Safeback – http://www.forensics-intl.com/safeback.html
17 Processing Crime and Incident Scenes:
18 Processing Crime and Incident Scenes: ● Topics – Understanding the rules of evidence – Collecting evidence in private-sector incident scenes – Processing law enforcement crime scenes – Steps to Processing Crime and Incident Scenes – Case study ● Other topics – Forensics technologies
19 Securing Evidence ● To secure and catalog evidence large evidence bags, tapes, tags, labels, etc. may be used ● Tamper Resistant Evidence Security Bags – Example: EVIDENT – “These heavy-duty polyethylene evidence bags require no prepackaging of evidence prior to use. The instantaneous adhesive closure strip is permanent and impossible to open without destroying the seal. A border pattern around the edge of the bag reveals any attempt at cutting or tampering with evidence.” ● See also the work of SWDGE (Scientific Working Group on Digital Evidence) and IOCE (International Organization on Computer Evidence)
20 Gathering Evidence ● Bit Stream Copy – Bit by bit copy of the original drive or storage medium – Bit stream image is the file containing the bit stream copy of all data on a disk ● Using ProDiscover to acquire a thumb drive – On a thumb drive locate the write protect switch and place drive in write protect model – Start ProDiscover – Click Action, Capture Image from menu – Click Save – Write name of technician – Use hash algorithms for security – Click OK
21 Analyzing Evidence ● Start ProDiscover ● Create new file ● Click on image file to be analyzed ● Search for keywords, patterns and enter patterns to be searched ● Click report and export file
22 Understanding the Rules of Evidence ● Federal rules of evidence; each state also may have its own rules of evidence – www.usdoj.gov ● Computer records are in general hearsay evidence unless they qualify as business records – Hearsay evidence is second hand or indirect evidence – Business records are records of regularly conducted business activity such as memos, reports, etc. ● Computer records consist of computer generated records and computer stored records ● Computer generated records include log files while computer stored records are electronic data
23 Private sector incident scenes ● Corporate investigations – Employee termination cases, Attorney-Client privilege investigations, Media leak investigations, Industrial espionage investigations ● Private sector incident scenes – Private section includes private corporations and government agencies not involved with law enforcement – They must comply with state public disclosure and federal Freedom of Information act and make certain documents available as public records – Law enforcement is called if needed (if the investigation becomes a criminal investigation)
24 Law Enforcement crime Scenes ● A law enforcement officer may seize criminal evidence only with probable cause – A specific crime was committed – Evidence of the crime exists – Place to searched includes the evidence ● The forensics team should know about the terminology used in warrants ● To prepare for a search and carry out an investigation the following steps have to be carried out – Identifying the nature of the case, the type of computing system, determine whether computer can be seized, identify the location, determine who is in charge, determine the tools
25 Steps to processing crime and incident scenes ● Seizing a computer incident or crime scene ● Sizing the digital evidence at crime scene ● Storing the digital evidence ● Obtaining a digital hash ● Conducting analysis and reporting ● Reference: Chapter 5
26 Case Study (Chapter 5) ● Company A (Mr. Jones) gets an order for widgets from Company B. When the order is ready, B says it did not place the order. A then retrieves the email sent by B. B states it did not send the email. What should A do? ● Steps to carry out – Close Mr. Jones Outlook – User windows explorer to locate Outlook PST that has Mr.,. Jones business email – Determine the size of PST and connect appropriate media device (e.g. USB) – Copy PST into external USB – Fill out evidence form – date/time etc. – Leave company A and return to the investigation desk and carry out the investigation
27 Digital Forensics Analysis ● Digital Forensics Analysis Techniques ● Reconstructing past events ● Conclusion and Links ● References – http://www.gladyshev.info/publications/thesis/ ● Formalizing Event Reconstruction in Digital Investigations Pavel Gladyshev,  Ph.D. dissertation,  2004, University College Dublin, Ireland (Main Reference) – http://www.porcupine.org/forensics/forensic- discovery/chapter3.html (Background on file systems)
28 Digital Evidence Examination and Analysis Techniques ● Search techniques ● Reconstruction of Events ● Time Analysis
29 Search Techniques ● Search techniques – This group of techniques searches collected information to answer the question whether objects of given type, such as hacking tools, or pictures of certain kind, are present in the collected information. – According to the level of search automation, techniques can be grouped into manual browsing and automated searches. Automated searches include keyword search, regular expression search, approximate matching search, custom searches, and search of modifications. ● Manual browsing – Manual browsing means that the forensic analyst browses collected information and singles out objects of desired type. The only tool used in manual browsing is a viewer of some sort. It takes a data object, such as file or network packet, decodes the object and presents the result in a human-comprehensible form. Manual browsing is slow. Most investigations collect large quantities of digital information, which makes manual browsing of the entire collected information unacceptably time consuming.
30 Search Techniques ● Keyword search – This is automatic search of digital information for data objects containing specified key words. It is the earliest and the most widespread technique for speeding up manual browsing. The output of keyword search is the list of found data objects – Keywords are rarely sufficient to specify the desired type of data objects precisely. As a result, the output of keyword search can contain false positives, objects that do not belong to the desired type even though they contain specified keywords. To remove false positives, the forensic scientist has to manually browse the data objects found by the keyword search. – Another problem of keyword search is false negatives. They are objects of desired type that are missed by the search. False negatives occur if the search utility cannot properly interpret the data objects being searched. It may be caused by encryption, compression, or inability of the search utility to interpret novel data – It prescribes (1) to choose words and phrases highly specific to the objects of the desired type, such as specific names, addresses, bank account numbers, etc.; and (2) to specify all possible variations of these words.
31 ● Regular expression search – Regular expression search is an extension of keyword search. Regular expressions provide a more expressible language for describing objects of interest than keywords. Apart from formulating keyword searches, regular expressions can be used to specify searches for Internet e-mail addresses, and files of specific type. Forensic utility EnCase performs regular expression searches. – Regular expression searches suffer from false positives and false negatives just like keyword searches, because not all types of data can be adequately defined using regular expressions. Search Techniques
32 ● Approximate matching search – Approximate matching search is a development of regular expression search. It uses matching algorithm that permits character mismatches when searching for keyword or pattern. The user must specify the degree of mismatches allowed. – Approximate matching can detect misspelled words, but mismatches also increase the number of false positives. One of the utilities used for approximate search is agrep. Search Techniques
33 ● Custom searches – The expressiveness of regular expressions is limited. Searches for objects satisfying more complex criteria are programmed using a general purpose programming language. For example, the FILTER_1 tool from new Technologies Inc. uses heuristic procedure to find full names of persons in the collected information. Most custom searches, including FILTER_1 tool suffers from false positives and false negatives. Search Techniques
34 ● Search of modifications – Search of modification is automated search for data objects that have been modified since specified moment in the past. Modification of data objects that are not usually modified, such as operating system utilities, can be detected by comparing their current hash with their expected hash. A library of expected hashes must be built prior to the search. Several tools for building libraries of expected hashes are described in the “file hashes" – Modification of a file can also be inferred from modification of its timestamp. Although plausible in many cases, this inference is circumstantial. Investigator assumes that a file is always modified simultaneously with its timestamp, and since the timestamp is modified, he infers that the file was modified too. This is a form of event reconstruction Search Techniques
35 Event Reconstruction ● Search techniques are commonly used for finding incriminating information, because ”currently, mere possession of a digital computer links a suspect to all the data it contains" ● However, the mere fact of presence of objects does not prove that the owner of the computer is responsible for putting the objects in it. ● Apart from the owner, the objects can be generated automatically by the system. Or they can be planted by an intruder or virus program. Or they can be left by the previous owner of the computer. ● To determine who is responsible, the investigator must reconstruct events in the past that caused presence of the objects. ● Reconstruction of events inside a computer requires understanding of computer functionality. ● Many techniques emerged for reconstructing events in specific operating systems. They can be classified according to the primary object of analysis.
36 Event Reconstruction ● Two major classes are identified: – log file analysis and file system analysis. ● Log file analysis – A log file is a purposefully generated record of past events in a computer system; organized as a sequence of entries. An entry usually consists of a timestamp, an identifier of the process that generated the entry, and some description of the reason for generating an entry. – It is common to have multiple log files on a single computer system. Different log files are usually created by the operating system for different types of events. In addition, many applications maintain their own log files. – Log file entries are generated by the system processes when something important (from the process's point of view) happens. For example, a TCP wrapper process may generate one log file entry when a TCP connection is established and another log file entry when the TCP connection is released.
37 Event Reconstruction – The knowledge of circumstances, in which processes generate log file entries, permits forensic scientist to infer from presence or absence of log file entries that certain events happened. For example, from presence of two log file entries generated by TCP wrapper for some TCP connection X, forensic scientist can conclude that ● TCP connection X happened ● X was established at the time of the first entry ● X was released at the time of the second entry – This reasoning suffers from implicit assumptions. It is assumed that the log file entries were generated by the TCP wrapper, which functioned according to the expectations of the forensic scientist; that the entries have not been tampered with; and that the timestamps on the entries reect real time of the moments when the entries were generated. It is not always possible to ascertain these assumptions, which results in several possible explanations for appearance of the log file entries.
38 Event Reconstruction – For example, if possibility of tampering cannot be excluded, then forgery of the log file entries could be a possible explanation for their existence. To combat uncertainty caused by multiple explanations, forensic analyst seeks corroborating evidence, which can reduce number of possible explanations or give stronger support to one explanation – Determining temporal order with timestamps. ● Timestamps on log file entries are commonly used to determine temporal order of entries from different log files. The process is complicated by two time related problems, even if the possibility of tampering is excluded. ● First problem: if the log file entries are recorded on different computers with different system clocks. Apart from individual clock imprecision, there may be an unknown skew between clocks used to produce each of the timestamps. If the skew is unknown, it is possible that the entry with the smaller timestamp could have been generated after the entry with the bigger timestamp. ● Second problem: if resolution of the clocks is too coarse. As a result, the entries may have identical timestamps, in which case it is also not possible to determine whether one entry was generated before the other.
39 Event Reconstruction ● File system analysis – In most operating systems, a data storage device is represented at the lowest logical level by a sequence of equally sized storage blocks that can be read and written independently. – Most file systems divide all blocks into two groups. One group is used for storing user data, and the other group is used for storing structural information. – Structural information includes structure of directory tree, file names, locations of data blocks allocated for individual les, locations of unallocated blocks, etc. Operating system manipulates structural information in a certain well-defined way that can be exploited for event reconstruction.
40 Event Reconstruction – Detection of deleted files. ● Information about individual files is stored in standardized file entries whose organization diers from file system to file system. ● In Unix file systems, the information about a file is stored in a combination of i-node and directory entries pointing to that i-node. ● In Windows NT file system (NTFS), information about a file is stored in an entry of the Master File Table. ● When a disk or a disk partition is first formatted, all such file set to initial “unallocated" value. ● When a file entry is allocated for a file, it becomes active. Its fields are filled with proper information about the file. ● In most file systems, however, the file entry is not restored to the “unallocated“ value when the file is deleted. As a result, presence of a file entry whose value is different from the initial “unallocated" value, indicates that that file entry once represented a file, which was subsequently deleted.
41 Event Reconstruction – File attribute analysis. ● Every file in a file system is either active or deleted; has a set of attributes such as name, access permissions, timestamps and location of disc blocks allocated to the file. ● File attributes change when applications manipulate files via operating system calls. ● File attributes can be analyzed in the same way as log file entries. – Timestamps are a particularly important source of information for event reconstruction. ● In most file systems a file has at least one timestamp. In NTFS, for example, every active (i.e. non-deleted) file has three timestamps, which are collectively known as MAC-times. – Time of last Modification (M) – Time of last Access (A) – Time of Creation (C)
42 Event Reconstruction ● Imagine that there is a log file that records every file operation in the computer. ● In this imaginary log file, each of the MAC-times would correspond to the last entry for the corresponding operation (modification, access, or creation) on the file entry in which the timestamp is located. ● To visualize this similarity between MAC-times and the log file, the mactimes tool from the coroner's toolkit sorts individual MAC-times of files; both active and deleted; and presents them in a list, which resembles a log file. ● Signatures of different activities can be identified in MAC-times like in ordinary log files. ● Following are several such signatures, which have been published.
43 Event Reconstruction ● Restoration of a directory from a backup: The fact that a directory was restored from a backup can be detected by inequality of timestamps on the directory itself and on its sub-directory `.' or `..'. When the directory is first created, both the directory timestamp and the timestamp on its sub-directories `.' and `..' are equal. When the directory is restored from a backup, the directory itself is assigned the old timestamp, but its subdirectories `.' and `..' are timestamped with the time of backup restoration. ● Exploit compilation, running, and deletion: The signature of compiling, running, and deleting an exploit program is explored. It is concluded that when someone compiles, runs, and deletes an exploit program, we expect to find traces of the deleted program source file, of the deleted executable file, as well as traces of compiler temporary files." ● Moving a file: When a file is being moved in Microsoft FAT file systems, the old file entry is deleted, and a new file entry is used in the new location. The new file entry maintains same block allocation information as the old entry. Thus, the discovery of a deleted file entry, whose allocation information is identical to some active file, supports possibility that the file was moved.
44 Event Reconstruction – Reconstruction of deleted files. ● In most file systems file deletion does not erase the information stored in the file. Instead, the file entry and the data blocks used by the file are marked as unallocated, so that they can be reused later for another file. Thus, unless the data blocks and the deleted file entry have been re-allocated to another file, the deleted file can usually be recovered by restoring its file entry and data blocks to active status. ● Even if the file entry and some of the data blocks have been re-allocated, it may still be possible to reconstruct parts of the file. The lazarus tool for example, uses several heuristics to find and piece together blocks that (could have) once belonged to a file. Lazarus uses heuristics about file systems and common file formats. ● In most file systems, a file begins at the beginning of a disk block; Most file systems write file into contiguous blocks, if possible; Most file formats have a distinguishing pattern of bytes near the beginning of the le; For most file formats, same type of data is stored in all blocks of a file.
45 Event Reconstruction ● Lazarus analyses disc blocks sequentially. For each block, lazarus tries to determine (1) the type of data stored in the block { by calculating heuristic characteristics of the data in the block; and (2) whether the block is a first block in a file { using well known file signatures. Once the block is determined as a first block", all subsequent blocks with the same type of information are appended to it until new first block" is found. ● This process can be viewed as a very crude and approximate reconstruction based on some knowledge of the file system and application programs. Each reconstructed file can be seen as a statement that that file was once created by an application program, which was able to write such a file. ● Since lazarus makes very bold assumptions about the file system, its reconstruction is highly unreliable. Despite that fact, lazarus works well for small files that t entirely in one disk block. ● The effectiveness of tools such as lazarus can probably be improved by using more sophisticated techniques for determining the type of information contained in a disk block. One such technique that employs support vector machines
46 What is Lazarus? ● Lazarus is a program that attempts to resurrect deleted files or data from raw data - most often the unallocated portions of a Unix file system, but it can be used on any data, such as system memory, swap, etc. ● It has two basic logical pieces - one that grabs input from a source and another that dissects, analyzes, and reports on its findings. ● It can be used for recovering lost data and files (accidentally removed by yourself or maliciously), as a tool for better understanding how a Unix system works, investigate/spy on system and user activity, etc.
47 Time Analysis ● Timestamps are readily available source of time, but they are easy to forge. ● Several attempts have been made to determine time of event using sources other than timestamps. ● Currently, two such methods have been published. They are time bounding and dynamic time analysis. ● Time bounding – Timestamps can be used for determining temporal order of events. The inverse of this process is also possible if the temporal order of events is known a priori, then it can be used to estimate time of events. – Suppose that three events A, B, and C happened. Suppose also that it is known that event A happened before event B, and that event B happened before event C. The time of event B must, therefore, be bounded by the times of events A and C.
48 Time Analysis ● Dynamic time analysis – External sources of time may be used; one could exploit the ability of web servers to insert timestamps into web pages, which they transmit to the client computers. – As a result of this insertion, a web page stored in a web browser's disk cache has two timestamps. – The first timestamp is the creation time of the file, which contains the web page. The second timestamp is the timestamp inserted by the web server. – the oset between the two timestamps of the web page reects the deviation of the local clock from the real time. It is proposed to use that oset to calculate the real time of other timestamps on the local machine. – To improve precision, it is proposed to use the average oset calculated for a number of web pages downloaded from different web servers. – This analysis assumes that (1) timestamps are not tampered with, and that (2) the oset between system clock and real time is constant at all times (or at least that it does not deviate dramatically).
49 Conclusion ● The need for effective and efficient digital forensic analysis has been a major driving force in the development of digital forensics. ● Manual browsing was initially the only way to do digital forensics. ● It was later augmented with various search utilities and, more recently, with tools such as mactimes and lazarus that support more in-depth analysis of digital evidence. ● Due to the limited time and manpower available to a forensic investigation, there is a constant demand for tools and techniques that increase the
50 Links – http://www.porcupine.org/forensics/forensic- discovery/chapter4.html – http://homepage.smc.edu/morgan_david/cs40/anal yze-ext2.htm – http://www.sleuthkit.org/sleuthkit/docs/ref_fs.html – http://www.ddj.com/184404242 – http://www.itoc.usma.edu/workshop/2005/Papers/ Follow%20ups/20050616_IAW05_CombinedVis.pdf – http://forensic.seccure.net
51 Reference https://www.utdallas.edu/~bxt043000/Teach ing/CS-4398/F2014/ 51
52 Summary & Questions

Recommended

Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
Parsons Corporation
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
primeteacher32
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
vishnuv43
 
Digital Forensic
Digital ForensicDigital Forensic
Digital Forensic
Cleverence Kombe
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic toolsSonu Sunaliya
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
Priya Manik
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 

Recommended

Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
Parsons Corporation
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
primeteacher32
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
vishnuv43
 
Digital Forensic
Digital ForensicDigital Forensic
Digital Forensic
Cleverence Kombe
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic toolsSonu Sunaliya
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
Priya Manik
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 
Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensik
newbie2019
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)AltheimPrivacy
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Oldsun
 
Data recovery tools
Data recovery toolsData recovery tools
Data recovery tools
university of Gujrat, pakistan
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
ArunJS5
 
Data recovery power point
Data recovery power pointData recovery power point
Data recovery power point
tutannandi
 
Digital investigation
Digital investigationDigital investigation
Digital investigation
unnilala11
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
rakesh mishra
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
Roberto Ellis
 
Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedure
newbie2019
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
gamemaker762
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
abdullah roomi
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
Ambuj Kumar
 
Computer forensics and Investigation
Computer forensics and InvestigationComputer forensics and Investigation
Computer forensics and Investigation
Neha Raju k
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Mithileysh Sathiyanarayanan
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
Sam Bowne
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Data recovery
Data recoveryData recovery
Data recovery
Abhinav Parihar
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
Novizul Evendi
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Alchemist095
 

More Related Content

What's hot

Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensik
newbie2019
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)AltheimPrivacy
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Oldsun
 
Data recovery tools
Data recovery toolsData recovery tools
Data recovery tools
university of Gujrat, pakistan
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
ArunJS5
 
Data recovery power point
Data recovery power pointData recovery power point
Data recovery power point
tutannandi
 
Digital investigation
Digital investigationDigital investigation
Digital investigation
unnilala11
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
rakesh mishra
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
Roberto Ellis
 
Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedure
newbie2019
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
gamemaker762
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
abdullah roomi
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
Ambuj Kumar
 
Computer forensics and Investigation
Computer forensics and InvestigationComputer forensics and Investigation
Computer forensics and Investigation
Neha Raju k
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Mithileysh Sathiyanarayanan
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
Sam Bowne
 
Data recovery
Data recoveryData recovery
Data recovery
Abhinav Parihar
 

What's hot (20)

Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensik
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Data recovery tools
Data recovery toolsData recovery tools
Data recovery tools
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Data recovery power point
Data recovery power pointData recovery power point
Data recovery power point
 
Digital investigation
Digital investigationDigital investigation
Digital investigation
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedure
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
Computer forensics and Investigation
Computer forensics and InvestigationComputer forensics and Investigation
Computer forensics and Investigation
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Data recovery
Data recoveryData recovery
Data recovery
 

Similar to Lecture 9 and 10 comp forensics 09 10-18 file system

Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
Novizul Evendi
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Alchemist095
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidence
Online
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - NotesKranthi
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
Alchemist095
 
WP Helsinki Meetup - GDPR for devs
WP Helsinki Meetup - GDPR for devsWP Helsinki Meetup - GDPR for devs
WP Helsinki Meetup - GDPR for devs
Tiia Rantanen
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidence
Online
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its roleSudeshna Basak
 
Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3sabtolinux
 
Ch 3C Processing Crime and Incident Scenes.ppt
Ch 3C Processing Crime and Incident Scenes.pptCh 3C Processing Crime and Incident Scenes.ppt
Ch 3C Processing Crime and Incident Scenes.ppt
whbwi21Basri
 
Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery Image
Mohamed Khaled
 
Operations Security
Operations SecurityOperations Security
Operations Security
Mauro Alberto
 
Latest presentation
Latest presentationLatest presentation
Latest presentation
Adetunji Adeoje
 
cyber Forensics
cyber Forensicscyber Forensics
cyber Forensics
Muzzammil Wani
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
Manu Mathew Cherian
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
Manu Mathew Cherian
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensics
pranjal dutta
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 

Similar to Lecture 9 and 10 comp forensics 09 10-18 file system (20)

Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidence
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
WP Helsinki Meetup - GDPR for devs
WP Helsinki Meetup - GDPR for devsWP Helsinki Meetup - GDPR for devs
WP Helsinki Meetup - GDPR for devs
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidence
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
 
Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3
 
Ch 3C Processing Crime and Incident Scenes.ppt
Ch 3C Processing Crime and Incident Scenes.pptCh 3C Processing Crime and Incident Scenes.ppt
Ch 3C Processing Crime and Incident Scenes.ppt
 
Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery Image
 
Operations Security
Operations SecurityOperations Security
Operations Security
 
Latest presentation
Latest presentationLatest presentation
Latest presentation
 
cyber Forensics
cyber Forensicscyber Forensics
cyber Forensics
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
 
Computer forencis
Computer forencisComputer forencis
Computer forencis
 
Incident response
Incident responseIncident response
Incident response
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensics
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
 

Recently uploaded

Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
Pavel ( NSTU)
 
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBCSTRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
kimdan468
 
Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
Atul Kumar Singh
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 
Chapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdfChapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdf
Kartik Tiwari
 
S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
tarandeep35
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
Levi Shapiro
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
Delapenabediema
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
Jisc
 
Marketing internship report file for MBA
Marketing internship report file for MBAMarketing internship report file for MBA
Marketing internship report file for MBA
gb193092
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
Peter Windle
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
DhatriParmar
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
Vivekanand Anglo Vedic Academy
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
MysoreMuleSoftMeetup
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Thiyagu K
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Atul Kumar Singh
 

Recently uploaded (20)

Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
 
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBCSTRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
 
Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Chapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdfChapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdf
 
S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
 
Marketing internship report file for MBA
Marketing internship report file for MBAMarketing internship report file for MBA
Marketing internship report file for MBA
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
 

Lecture 9 and 10 comp forensics 09 10-18 file system

  • 2. 2 Data Acquisition ● Types of acquisition ● Digital evidence storage formats ● Acquisition methods ● Contingency planning ● Using acquisition tools ● Validating data acquisition ● RAID acquisition methods ● Remote network acquisition tools ● Some forensics tools
  • 3. 3 Types of Acquisition ● Static Acquisition – Acquire data from the original media – The data in the original media will not change ● Live Acquisition – Acquire data while the system is running – A second live acquisition will not be the same ● Will focus on static acquisition
  • 4. 4 Digital Evidence Storage Formats● Raw formats – Bit by bit copying of the data from the disk – Many tools could be used ● Proprietary formats – Vendors have special formats ● Standards – XML based formats for digital evidence – Digital Evidence Markup Language (Funded by National Institute of Justice) – Experts have argued that technologies that allow disparate law enforcement jurisdictions to share crime-related information will greatly facilitate fighting crime. One of these technologies is the Global Justice XML Data Model (GJXDM). – http://ncfs.ucf.edu/digital_evd.html
  • 5. 5 Acquisition Methods ● Disk to Image File ● Disk to Disk ● Logical acquisition – Acquire only certain files if the disk is too large ● Sparse acquisition – Similar to logical acquisition but also collects fragments of unallocated (i.e. deleted) data
  • 6. 6 Compression Methods ● Compression methods are used for very large data storage – E.g., Terabytes/Petabytes storage ● Lossy vs Lossless compression – Lossless data compression is a class of data compression algorithms that allows the exact original data to be reconstructed from the compressed data. The term lossless is in contrast to lossy data compression, which only allows an approximation of the original data to be reconstructed, in exchange for better compression rates.
  • 7. 7 Contingency Planning ● Failure occurs during acquisition – Recovery methods ● Make multiple copies – At least 2 copies ● Encryption decryption techniques so that the evidence is not corrupted
  • 8. 8 Storage Area Network Security Systems ● High performance networks that connects all the storage systems – After as disaster such as terrorism or natural disaster (9/11 or Katrina), the data has to be availability – Database systems is a special kind of storage system ● Benefits include centralized management, scalability reliability, performance ● Security attacks on multiple storage devices – Secure storage is being investigated
  • 9. 9 Network Disaster Recovery Systems ● Network disaster recovery is the ability to respond to an interruption in network services by implementing a disaster recovery plan ● Policies and procedures have to be defined and subsequently enforced ● Which machines to shut down, determine which backup servers to use, When should law enforcement be notified
  • 10. 10 Using Acquisition Tools ● Acquisition tools have been developed for different operating systems including Windows, Linux, Mac ● It is important that the evidence drive is write protected ● Example acquisition method: – Document the chain of evidence for the drive to be acquired – Remove drive from suspect’s computer – Connect the suspect drive to USB or Firewire write-blocker device (if USB, write protect it via Registry write protect feature) – Create a storage folder on the target drive
  • 11. 11 Using Acquisition Tools - 2 ● Example tools include ProDiscover, Access Data FTK Imager ● Click on All programs and click on specific tool (e.g., ProDiscover ● Perform the commands – E.g. Capture Image ● For additional security, use passwords
  • 13. 13 Validating Data Acquisition ● Create hash values – CRC-32 (older methods), MD5, SHA series ● Linux validation – Hash algorithms are included and can be executed using special commands ● Windows validation – No hash algorithms built in, but works with 3rd party programs
  • 14. 14 RAID Acquisition Methods ● RAID: Redundant array of independent disks ● RAID storage is used for large files and to support replication ● Data is stored using multiple methods – E.g, Striping ● When RAID is acquired, need special tools to be used depending on the way the data is stored
  • 15. 15 Remote Network Acquisition Tools ● Preview suspects file remotely while its being used or powered on ● Perform live acquisition while the suspect’s computer is powered on ● Encrypt the connection between the suspect’s computer and the examiner’s computer ● Copy the RAM while the computer is powered on ● Use stealth mode to hide the remote connection from the suspect’s computer ● Variation for the individual tools (ProDiscover, EnCase)
  • 16. 16 Some Forensics Tools ● ProDiscover – http://www.techpathways.com/prodiscoverdft.htm – http://www.techpathways.com/DesktopDefault.asp x ● EnCase – http://www.guidancesoftware.com/ – http://www.guidancesoftware.com/products/ef_ind ex.asp ● NTI Safeback – http://www.forensics-intl.com/safeback.html
  • 17. 17 Processing Crime and Incident Scenes:
  • 18. 18 Processing Crime and Incident Scenes: ● Topics – Understanding the rules of evidence – Collecting evidence in private-sector incident scenes – Processing law enforcement crime scenes – Steps to Processing Crime and Incident Scenes – Case study ● Other topics – Forensics technologies
  • 19. 19 Securing Evidence ● To secure and catalog evidence large evidence bags, tapes, tags, labels, etc. may be used ● Tamper Resistant Evidence Security Bags – Example: EVIDENT – “These heavy-duty polyethylene evidence bags require no prepackaging of evidence prior to use. The instantaneous adhesive closure strip is permanent and impossible to open without destroying the seal. A border pattern around the edge of the bag reveals any attempt at cutting or tampering with evidence.” ● See also the work of SWDGE (Scientific Working Group on Digital Evidence) and IOCE (International Organization on Computer Evidence)
  • 20. 20 Gathering Evidence ● Bit Stream Copy – Bit by bit copy of the original drive or storage medium – Bit stream image is the file containing the bit stream copy of all data on a disk ● Using ProDiscover to acquire a thumb drive – On a thumb drive locate the write protect switch and place drive in write protect model – Start ProDiscover – Click Action, Capture Image from menu – Click Save – Write name of technician – Use hash algorithms for security – Click OK
  • 21. 21 Analyzing Evidence ● Start ProDiscover ● Create new file ● Click on image file to be analyzed ● Search for keywords, patterns and enter patterns to be searched ● Click report and export file
  • 22. 22 Understanding the Rules of Evidence ● Federal rules of evidence; each state also may have its own rules of evidence – www.usdoj.gov ● Computer records are in general hearsay evidence unless they qualify as business records – Hearsay evidence is second hand or indirect evidence – Business records are records of regularly conducted business activity such as memos, reports, etc. ● Computer records consist of computer generated records and computer stored records ● Computer generated records include log files while computer stored records are electronic data
  • 23. 23 Private sector incident scenes ● Corporate investigations – Employee termination cases, Attorney-Client privilege investigations, Media leak investigations, Industrial espionage investigations ● Private sector incident scenes – Private section includes private corporations and government agencies not involved with law enforcement – They must comply with state public disclosure and federal Freedom of Information act and make certain documents available as public records – Law enforcement is called if needed (if the investigation becomes a criminal investigation)
  • 24. 24 Law Enforcement crime Scenes ● A law enforcement officer may seize criminal evidence only with probable cause – A specific crime was committed – Evidence of the crime exists – Place to searched includes the evidence ● The forensics team should know about the terminology used in warrants ● To prepare for a search and carry out an investigation the following steps have to be carried out – Identifying the nature of the case, the type of computing system, determine whether computer can be seized, identify the location, determine who is in charge, determine the tools
  • 25. 25 Steps to processing crime and incident scenes ● Seizing a computer incident or crime scene ● Sizing the digital evidence at crime scene ● Storing the digital evidence ● Obtaining a digital hash ● Conducting analysis and reporting ● Reference: Chapter 5
  • 26. 26 Case Study (Chapter 5) ● Company A (Mr. Jones) gets an order for widgets from Company B. When the order is ready, B says it did not place the order. A then retrieves the email sent by B. B states it did not send the email. What should A do? ● Steps to carry out – Close Mr. Jones Outlook – User windows explorer to locate Outlook PST that has Mr.,. Jones business email – Determine the size of PST and connect appropriate media device (e.g. USB) – Copy PST into external USB – Fill out evidence form – date/time etc. – Leave company A and return to the investigation desk and carry out the investigation
  • 27. 27 Digital Forensics Analysis ● Digital Forensics Analysis Techniques ● Reconstructing past events ● Conclusion and Links ● References – http://www.gladyshev.info/publications/thesis/ ● Formalizing Event Reconstruction in Digital Investigations Pavel Gladyshev,  Ph.D. dissertation,  2004, University College Dublin, Ireland (Main Reference) – http://www.porcupine.org/forensics/forensic- discovery/chapter3.html (Background on file systems)
  • 28. 28 Digital Evidence Examination and Analysis Techniques ● Search techniques ● Reconstruction of Events ● Time Analysis
  • 29. 29 Search Techniques ● Search techniques – This group of techniques searches collected information to answer the question whether objects of given type, such as hacking tools, or pictures of certain kind, are present in the collected information. – According to the level of search automation, techniques can be grouped into manual browsing and automated searches. Automated searches include keyword search, regular expression search, approximate matching search, custom searches, and search of modifications. ● Manual browsing – Manual browsing means that the forensic analyst browses collected information and singles out objects of desired type. The only tool used in manual browsing is a viewer of some sort. It takes a data object, such as file or network packet, decodes the object and presents the result in a human-comprehensible form. Manual browsing is slow. Most investigations collect large quantities of digital information, which makes manual browsing of the entire collected information unacceptably time consuming.
  • 30. 30 Search Techniques ● Keyword search – This is automatic search of digital information for data objects containing specified key words. It is the earliest and the most widespread technique for speeding up manual browsing. The output of keyword search is the list of found data objects – Keywords are rarely sufficient to specify the desired type of data objects precisely. As a result, the output of keyword search can contain false positives, objects that do not belong to the desired type even though they contain specified keywords. To remove false positives, the forensic scientist has to manually browse the data objects found by the keyword search. – Another problem of keyword search is false negatives. They are objects of desired type that are missed by the search. False negatives occur if the search utility cannot properly interpret the data objects being searched. It may be caused by encryption, compression, or inability of the search utility to interpret novel data – It prescribes (1) to choose words and phrases highly specific to the objects of the desired type, such as specific names, addresses, bank account numbers, etc.; and (2) to specify all possible variations of these words.
  • 31. 31 ● Regular expression search – Regular expression search is an extension of keyword search. Regular expressions provide a more expressible language for describing objects of interest than keywords. Apart from formulating keyword searches, regular expressions can be used to specify searches for Internet e-mail addresses, and files of specific type. Forensic utility EnCase performs regular expression searches. – Regular expression searches suffer from false positives and false negatives just like keyword searches, because not all types of data can be adequately defined using regular expressions. Search Techniques
  • 32. 32 ● Approximate matching search – Approximate matching search is a development of regular expression search. It uses matching algorithm that permits character mismatches when searching for keyword or pattern. The user must specify the degree of mismatches allowed. – Approximate matching can detect misspelled words, but mismatches also increase the number of false positives. One of the utilities used for approximate search is agrep. Search Techniques
  • 33. 33 ● Custom searches – The expressiveness of regular expressions is limited. Searches for objects satisfying more complex criteria are programmed using a general purpose programming language. For example, the FILTER_1 tool from new Technologies Inc. uses heuristic procedure to find full names of persons in the collected information. Most custom searches, including FILTER_1 tool suffers from false positives and false negatives. Search Techniques
  • 34. 34 ● Search of modifications – Search of modification is automated search for data objects that have been modified since specified moment in the past. Modification of data objects that are not usually modified, such as operating system utilities, can be detected by comparing their current hash with their expected hash. A library of expected hashes must be built prior to the search. Several tools for building libraries of expected hashes are described in the “file hashes" – Modification of a file can also be inferred from modification of its timestamp. Although plausible in many cases, this inference is circumstantial. Investigator assumes that a file is always modified simultaneously with its timestamp, and since the timestamp is modified, he infers that the file was modified too. This is a form of event reconstruction Search Techniques
  • 35. 35 Event Reconstruction ● Search techniques are commonly used for finding incriminating information, because ”currently, mere possession of a digital computer links a suspect to all the data it contains" ● However, the mere fact of presence of objects does not prove that the owner of the computer is responsible for putting the objects in it. ● Apart from the owner, the objects can be generated automatically by the system. Or they can be planted by an intruder or virus program. Or they can be left by the previous owner of the computer. ● To determine who is responsible, the investigator must reconstruct events in the past that caused presence of the objects. ● Reconstruction of events inside a computer requires understanding of computer functionality. ● Many techniques emerged for reconstructing events in specific operating systems. They can be classified according to the primary object of analysis.
  • 36. 36 Event Reconstruction ● Two major classes are identified: – log file analysis and file system analysis. ● Log file analysis – A log file is a purposefully generated record of past events in a computer system; organized as a sequence of entries. An entry usually consists of a timestamp, an identifier of the process that generated the entry, and some description of the reason for generating an entry. – It is common to have multiple log files on a single computer system. Different log files are usually created by the operating system for different types of events. In addition, many applications maintain their own log files. – Log file entries are generated by the system processes when something important (from the process's point of view) happens. For example, a TCP wrapper process may generate one log file entry when a TCP connection is established and another log file entry when the TCP connection is released.
  • 37. 37 Event Reconstruction – The knowledge of circumstances, in which processes generate log file entries, permits forensic scientist to infer from presence or absence of log file entries that certain events happened. For example, from presence of two log file entries generated by TCP wrapper for some TCP connection X, forensic scientist can conclude that ● TCP connection X happened ● X was established at the time of the first entry ● X was released at the time of the second entry – This reasoning suffers from implicit assumptions. It is assumed that the log file entries were generated by the TCP wrapper, which functioned according to the expectations of the forensic scientist; that the entries have not been tampered with; and that the timestamps on the entries reect real time of the moments when the entries were generated. It is not always possible to ascertain these assumptions, which results in several possible explanations for appearance of the log file entries.
  • 38. 38 Event Reconstruction – For example, if possibility of tampering cannot be excluded, then forgery of the log file entries could be a possible explanation for their existence. To combat uncertainty caused by multiple explanations, forensic analyst seeks corroborating evidence, which can reduce number of possible explanations or give stronger support to one explanation – Determining temporal order with timestamps. ● Timestamps on log file entries are commonly used to determine temporal order of entries from different log files. The process is complicated by two time related problems, even if the possibility of tampering is excluded. ● First problem: if the log file entries are recorded on different computers with different system clocks. Apart from individual clock imprecision, there may be an unknown skew between clocks used to produce each of the timestamps. If the skew is unknown, it is possible that the entry with the smaller timestamp could have been generated after the entry with the bigger timestamp. ● Second problem: if resolution of the clocks is too coarse. As a result, the entries may have identical timestamps, in which case it is also not possible to determine whether one entry was generated before the other.
  • 39. 39 Event Reconstruction ● File system analysis – In most operating systems, a data storage device is represented at the lowest logical level by a sequence of equally sized storage blocks that can be read and written independently. – Most file systems divide all blocks into two groups. One group is used for storing user data, and the other group is used for storing structural information. – Structural information includes structure of directory tree, file names, locations of data blocks allocated for individual les, locations of unallocated blocks, etc. Operating system manipulates structural information in a certain well-defined way that can be exploited for event reconstruction.
  • 40. 40 Event Reconstruction – Detection of deleted files. ● Information about individual files is stored in standardized file entries whose organization diers from file system to file system. ● In Unix file systems, the information about a file is stored in a combination of i-node and directory entries pointing to that i-node. ● In Windows NT file system (NTFS), information about a file is stored in an entry of the Master File Table. ● When a disk or a disk partition is first formatted, all such file set to initial “unallocated" value. ● When a file entry is allocated for a file, it becomes active. Its fields are filled with proper information about the file. ● In most file systems, however, the file entry is not restored to the “unallocated“ value when the file is deleted. As a result, presence of a file entry whose value is different from the initial “unallocated" value, indicates that that file entry once represented a file, which was subsequently deleted.
  • 41. 41 Event Reconstruction – File attribute analysis. ● Every file in a file system is either active or deleted; has a set of attributes such as name, access permissions, timestamps and location of disc blocks allocated to the file. ● File attributes change when applications manipulate files via operating system calls. ● File attributes can be analyzed in the same way as log file entries. – Timestamps are a particularly important source of information for event reconstruction. ● In most file systems a file has at least one timestamp. In NTFS, for example, every active (i.e. non-deleted) file has three timestamps, which are collectively known as MAC-times. – Time of last Modification (M) – Time of last Access (A) – Time of Creation (C)
  • 42. 42 Event Reconstruction ● Imagine that there is a log file that records every file operation in the computer. ● In this imaginary log file, each of the MAC-times would correspond to the last entry for the corresponding operation (modification, access, or creation) on the file entry in which the timestamp is located. ● To visualize this similarity between MAC-times and the log file, the mactimes tool from the coroner's toolkit sorts individual MAC-times of files; both active and deleted; and presents them in a list, which resembles a log file. ● Signatures of different activities can be identified in MAC-times like in ordinary log files. ● Following are several such signatures, which have been published.
  • 43. 43 Event Reconstruction ● Restoration of a directory from a backup: The fact that a directory was restored from a backup can be detected by inequality of timestamps on the directory itself and on its sub-directory `.' or `..'. When the directory is first created, both the directory timestamp and the timestamp on its sub-directories `.' and `..' are equal. When the directory is restored from a backup, the directory itself is assigned the old timestamp, but its subdirectories `.' and `..' are timestamped with the time of backup restoration. ● Exploit compilation, running, and deletion: The signature of compiling, running, and deleting an exploit program is explored. It is concluded that when someone compiles, runs, and deletes an exploit program, we expect to find traces of the deleted program source file, of the deleted executable file, as well as traces of compiler temporary files." ● Moving a file: When a file is being moved in Microsoft FAT file systems, the old file entry is deleted, and a new file entry is used in the new location. The new file entry maintains same block allocation information as the old entry. Thus, the discovery of a deleted file entry, whose allocation information is identical to some active file, supports possibility that the file was moved.
  • 44. 44 Event Reconstruction – Reconstruction of deleted files. ● In most file systems file deletion does not erase the information stored in the file. Instead, the file entry and the data blocks used by the file are marked as unallocated, so that they can be reused later for another file. Thus, unless the data blocks and the deleted file entry have been re-allocated to another file, the deleted file can usually be recovered by restoring its file entry and data blocks to active status. ● Even if the file entry and some of the data blocks have been re-allocated, it may still be possible to reconstruct parts of the file. The lazarus tool for example, uses several heuristics to find and piece together blocks that (could have) once belonged to a file. Lazarus uses heuristics about file systems and common file formats. ● In most file systems, a file begins at the beginning of a disk block; Most file systems write file into contiguous blocks, if possible; Most file formats have a distinguishing pattern of bytes near the beginning of the le; For most file formats, same type of data is stored in all blocks of a file.
  • 45. 45 Event Reconstruction ● Lazarus analyses disc blocks sequentially. For each block, lazarus tries to determine (1) the type of data stored in the block { by calculating heuristic characteristics of the data in the block; and (2) whether the block is a first block in a file { using well known file signatures. Once the block is determined as a first block", all subsequent blocks with the same type of information are appended to it until new first block" is found. ● This process can be viewed as a very crude and approximate reconstruction based on some knowledge of the file system and application programs. Each reconstructed file can be seen as a statement that that file was once created by an application program, which was able to write such a file. ● Since lazarus makes very bold assumptions about the file system, its reconstruction is highly unreliable. Despite that fact, lazarus works well for small files that t entirely in one disk block. ● The effectiveness of tools such as lazarus can probably be improved by using more sophisticated techniques for determining the type of information contained in a disk block. One such technique that employs support vector machines
  • 46. 46 What is Lazarus? ● Lazarus is a program that attempts to resurrect deleted files or data from raw data - most often the unallocated portions of a Unix file system, but it can be used on any data, such as system memory, swap, etc. ● It has two basic logical pieces - one that grabs input from a source and another that dissects, analyzes, and reports on its findings. ● It can be used for recovering lost data and files (accidentally removed by yourself or maliciously), as a tool for better understanding how a Unix system works, investigate/spy on system and user activity, etc.
  • 47. 47 Time Analysis ● Timestamps are readily available source of time, but they are easy to forge. ● Several attempts have been made to determine time of event using sources other than timestamps. ● Currently, two such methods have been published. They are time bounding and dynamic time analysis. ● Time bounding – Timestamps can be used for determining temporal order of events. The inverse of this process is also possible if the temporal order of events is known a priori, then it can be used to estimate time of events. – Suppose that three events A, B, and C happened. Suppose also that it is known that event A happened before event B, and that event B happened before event C. The time of event B must, therefore, be bounded by the times of events A and C.
  • 48. 48 Time Analysis ● Dynamic time analysis – External sources of time may be used; one could exploit the ability of web servers to insert timestamps into web pages, which they transmit to the client computers. – As a result of this insertion, a web page stored in a web browser's disk cache has two timestamps. – The first timestamp is the creation time of the file, which contains the web page. The second timestamp is the timestamp inserted by the web server. – the oset between the two timestamps of the web page reects the deviation of the local clock from the real time. It is proposed to use that oset to calculate the real time of other timestamps on the local machine. – To improve precision, it is proposed to use the average oset calculated for a number of web pages downloaded from different web servers. – This analysis assumes that (1) timestamps are not tampered with, and that (2) the oset between system clock and real time is constant at all times (or at least that it does not deviate dramatically).
  • 49. 49 Conclusion ● The need for effective and efficient digital forensic analysis has been a major driving force in the development of digital forensics. ● Manual browsing was initially the only way to do digital forensics. ● It was later augmented with various search utilities and, more recently, with tools such as mactimes and lazarus that support more in-depth analysis of digital evidence. ● Due to the limited time and manpower available to a forensic investigation, there is a constant demand for tools and techniques that increase the
  • 50. 50 Links – http://www.porcupine.org/forensics/forensic- discovery/chapter4.html – http://homepage.smc.edu/morgan_david/cs40/anal yze-ext2.htm – http://www.sleuthkit.org/sleuthkit/docs/ref_fs.html – http://www.ddj.com/184404242 – http://www.itoc.usma.edu/workshop/2005/Papers/ Follow%20ups/20050616_IAW05_CombinedVis.pdf – http://forensic.seccure.net