Copyright: Attribution Non-Commercial (BY-NC)
Notes
• There are EnScripts that have been developed to automate most of the tasks described herein. I choose to complete most of my examinations manually, as I can't be 100% certain of the integrity of a given EnScript. For example, what if the EnScript was created by an adversary? Could the results really be relied on? If you were testifying in court, could you explain how the EnScript worked? As such, the methods described in this text are the manual methods. If an EnScript for such a task exists I will try to note it, but I will not go into the details of executing the EnScript.
Test Strategy
• Before starting the analysis, read all of the test questions and try to create a strategy. This will help guide your analysis and ultimately save you time, as you will not be as tempted to jump from question to question.
• After reading the questions, create your Bookmark structure. Remember that your report will contain the names of the Bookmark folders as page titles, so you will want to name the folders appropriately prior to submitting your final report.
First Response
• Scenario: responding to a digital crime scene.
  – Safety is the first consideration.
• Know what type of environment you'll be entering.
  – Home vs. business
  – Reputation of the part of town in which it is located
  – Will you be the first on scene?
  – Will you be working solo or as part of a team?
  – Can the dispatcher provide you with a history of other incidents that have taken place at the scene?
  – Is the suspect present?
  – Has he/she been restrained?
  – Read the search warrant.
    • Is your search limited in any way, or are you given carte blanche to seize and search any digital evidence?
  – Secure the digital crime scene.
    • Photograph the environment before entering to preserve its initial state.
    • If the computer is running, photograph the screen.
    • Establish a perimeter around the computer(s).
    • Restrict access to areas in which digital evidence is located.
• Coverage continues for 7 more pages in the Forensic Secrets
Recovering Deleted Volumes
• Master Boot Record (MBR)
  – 512 bytes in length.
  – Loads the Volume Boot Record from the active partition.
  – Contains the Master Partition Table.
  – The partition table indicates the relative starting sector for each partition that is or was on the hard drive.
  – Locate the MBR, recover the partition table and note the relative start sector for each partition.
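The partition-table recovery step above can be checked programmatically. The following Python script is an added example (not part of the original slides or the Forensic Secrets eBook): it decodes the four 16-byte entries that start at byte 446 of the MBR, verifies the 0x55AA boot signature, and lists the sector ranges that no current entry claims, which is where a deleted-but-not-overwritten volume and its Volume Boot Record would be found. The sample MBR, the partition sizes and the disk size are constructed for the example; extended partitions (types 0x05/0x0F) are not followed into their chained tables.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # 446 bytes of boot code precede the table
ENTRY_SIZE = 16                   # four entries, 16 bytes each
BOOT_SIGNATURE = b"\x55\xAA"      # bytes 510-511 of a valid MBR

def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries of a 512-byte MBR.

    Each entry yields the status byte (0x80 = active/bootable), the partition
    type byte, the relative starting sector (32-bit LBA) and the size in
    sectors. Entries whose type byte is 0 are unused; a deleted partition
    normally shows up as one of those. The legacy CHS fields are skipped.
    """
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature; not a valid MBR")
    entries = []
    for n in range(4):
        off = PARTITION_TABLE_OFFSET + n * ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) size(4)
        status, ptype, start_lba, size = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({
            "entry": n,
            "active": status == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "size": size,
            "end_lba": start_lba + size,   # exclusive
            "in_use": ptype != 0,
        })
    return entries

def unpartitioned_ranges(entries: list, total_sectors: int) -> list:
    """Return (start, end_exclusive) sector ranges claimed by no in-use entry.

    A volume that was deleted but not overwritten lives in one of these gaps,
    so they are the places to search for an orphaned Volume Boot Record.
    Sector 0 (the MBR itself) is never reported as a gap.
    """
    used = sorted((e["start_lba"], e["end_lba"]) for e in entries if e["in_use"])
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

def build_sample_mbr() -> bytes:
    """Constructed sample (hypothetical layout): an NTFS partition at sector 63,
    a second NTFS partition at sector 409663 and two empty entries."""
    mbr = bytearray(SECTOR_SIZE)
    table = [
        (0x80, 0x07, 63, 204800),       # active NTFS partition
        (0x00, 0x07, 409663, 204800),   # second NTFS partition, gap before it
        (0x00, 0x00, 0, 0),             # empty: what a deleted entry looks like
        (0x00, 0x00, 0, 0),
    ]
    for n, (status, ptype, start, size) in enumerate(table):
        struct.pack_into("<B3xB3xII", mbr, PARTITION_TABLE_OFFSET + n * ENTRY_SIZE,
                         status, ptype, start, size)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

if __name__ == "__main__":
    sample = build_sample_mbr()
    entries = parse_partition_table(sample)
    for e in entries:
        if e["in_use"]:
            print(f"entry {e['entry']}: type 0x{e['type']:02x} "
                  f"start {e['start_lba']} size {e['size']}")
    print("unpartitioned ranges:", unpartitioned_ranges(entries, 1_000_000))
```

On a real image, feed the first 512 bytes of the physical device to parse_partition_table and the device's sector count to unpartitioned_ranges; the gap between sector 204863 and 409663 in the sample is exactly the kind of region the slide tells you to inspect for a deleted volume.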
Initial processing
• Once you have added the evidence to the case and/or recovered any deleted volumes, save your case. Select "Save All" from the File menu to save the case as well as keywords, settings, search hits, etc.
• Once you have saved the initial configuration you can begin the initial processing steps. These steps consist of a basic search that will lay the foundation for the remainder of your case.
Bookmarks
• There are several types of bookmarks within EnCase:
  – Folder Information Bookmark
    • The Folder Information Bookmark documents the specific details regarding the evidence file (i.e. the hard drive or USB drive).
    • To create a Folder Information Bookmark, right-click the physical disk in Tree view and select "Bookmark Folder Structure."
      – Select the Include Device Information checkbox and change the value in the "Columns" box to zero. This will prevent the actual folder structure from being displayed on the report.
      – Select the destination bookmark folder for the report and click OK.
• Coverage of Sweeping Bookmarks, Highlighted Data Bookmarks and Notes Bookmarks is included in the Forensic Secrets eBook: Buy Now!
Data hiding
• There are multiple methods of hiding data on a computer hard drive. Among the most common methods:
  – Changing the extension on a file (e.g. renaming Hotties.jpeg to Hotties.dll). To a casual user this picture file would appear to be a system file, because it appears as gibberish when opened.
  – Using a hex editor to write data into any of the disk areas mentioned on the Disk Geography slides.
• Data hiding techniques are covered in 3 more pages in the Forensic Secrets eBook: Buy Now!
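The renamed-extension trick is what EnCase's signature analysis is built to expose: the file header (its "magic" bytes) is compared against what the extension claims. The Python script below is an added example, not code from the original slides or the eBook, showing that comparison on a handful of constructed in-memory "files"; the magic table is a small subset you would extend in practice. It does not address the second method (data written directly into disk areas with a hex editor), which no extension check can see.

```python
# Leading bytes ("magic") expected for a handful of common extensions.
MAGIC = {
    "jpg":  [b"\xFF\xD8\xFF"],
    "jpeg": [b"\xFF\xD8\xFF"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF"],
    "zip":  [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],      # Office Open XML is a zip container
    "exe":  [b"MZ"],
    "dll":  [b"MZ"],              # PE images share the MZ stub
}

def kinds_for_header(header: bytes) -> frozenset:
    """All extensions whose magic matches the start of `header`."""
    return frozenset(ext for ext, sigs in MAGIC.items()
                     if any(header.startswith(s) for s in sigs))

def check_signature(name: str, header: bytes) -> tuple:
    """Compare a file's extension with what its header says it is.

    Returns (verdict, detected_kinds) where verdict is one of
    'match', 'mismatch', 'unknown-extension', 'unknown-signature'.
    A 'mismatch' is the Hotties.dll case: the extension claims one type,
    the header proves another.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = kinds_for_header(header)
    if ext not in MAGIC:
        return ("unknown-extension", detected)
    if not detected:
        return ("unknown-signature", detected)
    if ext in detected:
        return ("match", detected)
    return ("mismatch", detected)

def scan(files: dict) -> dict:
    """Run check_signature over {name: first_bytes}; returns {name: (verdict, kinds)}."""
    return {name: check_signature(name, head) for name, head in files.items()}

# Constructed sample "files": only the first few bytes matter for this check.
SAMPLE_FILES = {
    "Hotties.dll":  b"\xFF\xD8\xFF\xE0\x00\x10JFIF",   # a JPEG renamed to look like a DLL
    "kernel32.dll": b"MZ\x90\x00\x03\x00\x00\x00",     # genuine PE header
    "notes.txt":    b"meeting at 10",                  # extension with no magic in the table
    "report.pdf":   b"\x00\x00\x00\x00junk",           # claims PDF, header says otherwise
    "scan.jpg":     b"\xFF\xD8\xFF\xDB",
}

if __name__ == "__main__":
    for name, (verdict, kinds) in scan(SAMPLE_FILES).items():
        print(f"{name:14} {verdict:18} {sorted(kinds)}")
```

On a mounted image you would read the first 16 bytes of each file and pass them in; files flagged 'mismatch' go straight into a bookmark folder for review.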
Installing a file viewer
• To install a file viewer within EnCase you must:
  – Install the program on your investigation machine.
  – Within EnCase, click View > File Viewers.
    • Right-click in the Table pane and select New.
    • Name the file viewer and browse to the path of the executable.
  – In order to use the file viewer to open a particular file type, you must also associate the file type with the file viewer.
Searching
• GREP vs. non-GREP
  – GREP is a powerful search tool that allows you to include variables in your search expressions that will match strings of data that include those variables. GREP is particularly useful when searching for keywords with a known format:
    • Credit card numbers
    • Social Security numbers
    • Phone numbers
    • Domain names
    • Email addresses
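To show what "keywords with a known format" look like as search expressions, here is an added Python example (not from the original slides, and not EnCase GREP syntax, which uses its own dialect) with one pattern per category above, run over a constructed text sample. It also adds the post-filter a practitioner wants for card numbers: a Luhn checksum, which removes most of the random 16-digit runs (tracking numbers, timestamps) that a bare digit pattern drags into the hit list. The sample numbers are well-known test values, not real accounts.

```python
import re

# Python regular expressions approximating the formatted keywords named on
# the slide. These are illustrations of each search's shape, not EnCase GREP.
PATTERNS = {
    # 13-19 digits, optionally separated by spaces or dashes; validated below
    "credit_card": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
    "ssn":         re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone":       re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}(?!\d)"),
    "email":       re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "domain":      re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|edu|gov)\b", re.IGNORECASE),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> dict:
    """Return {category: [hits]} for every pattern, Luhn-filtering card hits."""
    found = {}
    for name, pat in PATTERNS.items():
        hits = [m.group(0) for m in pat.finditer(text)]
        if name == "credit_card":
            # normalise separators away, then keep only Luhn-valid lengths
            hits = [re.sub(r"[ -]", "", h) for h in hits]
            hits = [h for h in hits if 13 <= len(h) <= 19 and luhn_ok(h)]
        found[name] = hits
    return found

# Constructed sample text. 4111 1111 1111 1111 is a widely used test number
# that passes Luhn; 1234 5678 9012 3456 looks like a card number but does not.
SAMPLE_TEXT = (
    "Order 4111 1111 1111 1111 shipped to bob.smith@example.com; "
    "call (555) 123-4567 or 555-987-6543. Ref 1234 5678 9012 3456 is a tracking id. "
    "SSN on file: 078-05-1120. Visited www.example.org and intranet.corp.example.net today."
)

if __name__ == "__main__":
    for category, hits in find_pii(SAMPLE_TEXT).items():
        print(f"{category:12} {hits}")
```

Note that the domain pattern also fires on the domain part of every email address; when building keyword sets you decide whether that duplication is wanted or whether the email hits should be subtracted first.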
Keyword Search
• The following explains how to set up case-level keywords:
  – Click Keywords from the Case toolbar.
  – Right-click in the Table pane and select New.
    • Enter the search expression and a name for the search in the appropriate fields.
Registry Analysis
• The Windows registry is comprised of four files, or hives:
  – HKEY_LOCAL_MACHINE\SYSTEM
  – HKEY_LOCAL_MACHINE\SOFTWARE
  – HKEY_LOCAL_MACHINE\SECURITY
  – HKEY_LOCAL_MACHINE\SAM
• The hive files (SYSTEM, SOFTWARE, SECURITY and SAM) are all located at the following path: %Windir%\System32\Config\
  – Within EnCase, navigate to %Windir%\System32 and highlight the Config directory.
  – The filenames do not have file extensions.
$MFT Analysis
• To locate the $MFT record entry:
  – Set up a keyword for the file for which you are searching, e.g. Forensics.doc. Select the keyword and then select the $MFT so that it is the only file against which you are running the search.
  – View your search hit and switch the View pane to Hex view.
    • The search hit (filename) will appear (approximately) in the middle of the $MFT record.
    • Search upward and find the word "FILE" that precedes the filename.
    • Click on the F in FILE and highlight (sweep) forward 1024 bytes. This should place you at the character just before the next occurrence of the word FILE.
    • What you have highlighted is the $MFT record for the file in question.
• Techniques for extracting file dates from $MFT records are included in the Forensic Secrets eBook: Buy Now!
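The same procedure (keyword hit, walk back to the preceding "FILE", take 1024 bytes) can be scripted, and doing so exposes one caveat of the manual method: the string FILE can also appear inside a record's attribute data (a small resident text file, for instance), so the nearest preceding FILE is not always the record header. The Python below is an added example, not code from the slides or the eBook. It builds a constructed, simplified $MFT of three 1024-byte records (no fixup bytes, no real attribute structures; the names are planted at byte 400 to mimic the "middle of the record" hit) and checks that the candidate header sits on a 1024-byte boundary before accepting it. Names are searched as UTF-16LE because that is how NTFS stores them; the header fields decoded at offsets 16-31 follow the standard record layout.

```python
import struct

MFT_RECORD_SIZE = 1024        # usual record size; confirm against $Boot if in doubt
FILE_SIG = b"FILE"

def find_record_start(mft: bytes, hit: int) -> int:
    """Walk backwards from a keyword hit to the 'FILE' header of its record.

    The manual method takes the nearest preceding 'FILE'. That string can also
    sit inside attribute data, so keep going until the candidate is record-aligned.
    """
    pos = hit
    while True:
        pos = mft.rfind(FILE_SIG, 0, pos)
        if pos < 0:
            return -1
        if pos % MFT_RECORD_SIZE == 0:
            return pos
        # 'FILE' in the middle of a record: not a header, look further back

def parse_record_header(record: bytes) -> dict:
    """Decode a few fixed-offset fields of the MFT record header (offsets 16-31)."""
    if record[:4] != FILE_SIG:
        raise ValueError("not an MFT record")
    seq, links, first_attr, flags, used, alloc = struct.unpack_from("<HHHHII", record, 16)
    return {
        "sequence": seq, "hard_links": links, "first_attr_offset": first_attr,
        "in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02),
        "used_size": used, "allocated_size": alloc,
    }

def locate_mft_record(mft: bytes, filename: str):
    """Emulate the slide: keyword hit -> preceding FILE header -> carve 1024 bytes."""
    hit = mft.find(filename.encode("utf-16-le"))   # NTFS stores names as UTF-16LE
    if hit < 0:
        return None
    start = find_record_start(mft, hit)
    if start < 0:
        return None
    record = mft[start:start + MFT_RECORD_SIZE]
    info = parse_record_header(record)
    info.update({"record_number": start // MFT_RECORD_SIZE, "offset": start,
                 "hit_offset_in_record": hit - start, "record": record})
    return info

def make_record(name: str, flags: int, number: int, plant_decoy: bool = False) -> bytes:
    """Constructed, simplified record: real header layout, no fixups or attributes."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = FILE_SIG
    # usa_offset, usa_count, $LogFile LSN, sequence, links, first attr, flags, used, alloc
    struct.pack_into("<HHQHHHHII", rec, 4, 48, 3, 0, number + 1, 1, 56, flags, 600,
                     MFT_RECORD_SIZE)
    if plant_decoy:
        rec[300:304] = FILE_SIG     # the word FILE inside resident data, before the name
    enc = name.encode("utf-16-le")
    rec[400:400 + len(enc)] = enc   # roughly mid-record, as the slide describes
    return bytes(rec)

# Constructed sample $MFT: record 1 carries a decoy FILE string before its name,
# record 2 has flags 0, i.e. the file was deleted and the record is free.
SAMPLE_MFT = b"".join([
    make_record("$MFT", 0x01, 0),
    make_record("Forensics.doc", 0x01, 1, plant_decoy=True),
    make_record("Deleted.txt", 0x00, 2),
])

if __name__ == "__main__":
    for name in ("Forensics.doc", "Deleted.txt"):
        r = locate_mft_record(SAMPLE_MFT, name)
        print(name, "record", r["record_number"], "offset", r["offset"],
              "in_use", r["in_use"], "hit at +%d" % r["hit_offset_in_record"])
```

On a real $MFT the two fixup bytes at the end of each 512-byte sector must be replaced with the values from the update sequence array before the record's attributes are parsed; the header fields read here sit in the first sector and are unaffected, but date extraction from $STANDARD_INFORMATION and $FILE_NAME should be done only after that fixup.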
Password guessing
• The odds are that during the course of a forensic analysis you are going to run into password-protected files (.doc, .zip, etc.) or entire password-protected volumes (e.g. TrueCrypt volumes).
• There is no single strategy for guessing passwords, and all efforts may ultimately be in vain.
SID Analysis
• There are a couple of different methods for identifying a user's SID:
  – Recycle Bin record
  – Registry analysis
    • Locate the ProfileList key in the Software hive of the registry.
    • Expand the ProfileList key; the SIDs are listed as subkeys.
    • Highlight one of the SIDs and click on ProfileImagePath in the Table pane.
    • Switch the View pane to Text view using the Unicode @ 80 text style.
    • The path to the relevant user's profile will be listed in the View pane. You can determine the username from this information.
• Three more pages of SID Analysis are included in the Forensic Secrets eBook: Buy Now!
Removable Media Analysis
• There are a couple of strategies that can be used to prove that a known USB drive was plugged into the computer in question:
  – Link file analysis
    • Manual method: covered on the following pages.
    • Link File Parser EnScript
  – USB Device History EnScript
    • Created by Lance Mueller, http://www.forensickb.com
    • Available at the Guidance Software EnScript Library
  – Setupapi.log may also contain connection information regarding removable media that has been used on the computer in question. Setupapi.log is best viewed in the ASCII@120 text style within EnCase.
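Reading Setupapi.log in the text view works, but the device sections are easy to pull out with a script and correlate by serial number. The Python below is an added example, not from the slides or the eBook. Its sample log is constructed and modelled on the section layout of a Windows 7-era setupapi.dev.log (an assumption about the format; the XP-era Setupapi.log the slide names uses a different line style that this parser does not handle). It extracts each hardware-initiated install on the USB and USBSTOR buses with its vendor/product ids, instance id (the serial, for mass-storage devices), first timestamp and exit status, then groups the USB and USBSTOR entries that belong to the same physical device.

```python
import re

# Constructed sample modelled on a Windows 7 setupapi.dev.log. The VID/PID,
# serial and timestamps are made up for the example.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5530\\4C530001230409113425]
>>>  Section start 2012/05/10 08:14:20.233
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 08:14:20.280
<<<  Section end 2012/05/10 08:14:21.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001230409113425&0]
>>>  Section start 2012/05/10 08:14:21.300
<<<  Section end 2012/05/10 08:14:22.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\\VEN_8086&DEV_1C3A\\3&11583659&0&B0]
>>>  Section start 2012/05/11 09:00:00.000
<<<  Section end 2012/05/11 09:00:01.000
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r">>>\s+\[Device Install \(Hardware initiated\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r">>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS_RE = re.compile(r"<<<\s+\[Exit status: (?P<status>\w+)\]")

def parse_device_installs(log_text: str, buses=("USB", "USBSTOR")) -> list:
    """One dict per hardware-initiated install of a device on the given buses:
    bus, hardware id, instance id, VID/PID when present, timestamp and status."""
    entries, current = [], None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            bus, _, rest = m.group("id").partition("\\")
            hw_id, _, instance = rest.partition("\\")
            current = None
            if bus.upper() in buses:
                vid = re.search(r"VID_([0-9A-Fa-f]{4})", hw_id)
                pid = re.search(r"PID_([0-9A-Fa-f]{4})", hw_id)
                current = {"bus": bus, "hardware_id": hw_id, "instance": instance,
                           "vid": vid.group(1) if vid else None,
                           "pid": pid.group(1) if pid else None,
                           "timestamp": None, "status": None}
                entries.append(current)
            continue
        if current is None:
            continue                       # lines of a section we are not tracking
        m = START_RE.match(line)
        if m:
            current["timestamp"] = m.group("ts")
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m.group("status")
            current = None                 # section closed
    return entries

def group_by_serial(entries: list) -> dict:
    """Join the USB and USBSTOR sections of one physical device by serial.
    USBSTOR instance ids carry a trailing '&0'; strip it so the two lines up."""
    groups = {}
    for e in entries:
        serial = re.sub(r"&\d+$", "", e["instance"])
        groups.setdefault(serial, []).append((e["timestamp"], e["bus"]))
    return groups

if __name__ == "__main__":
    devices = parse_device_installs(SAMPLE_LOG)
    for serial, seen in group_by_serial(devices).items():
        print(serial, seen)
```

The timestamp of the first USB section is the earliest evidence the log offers that the device was connected; compare it against the link-file and registry artefacts the slide lists so that no single source carries the conclusion alone.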
Additional Info
• The Forensic Secrets eBook also contains in-depth descriptions of resident vs. non-resident files, Internet cookie analysis, and definitions for:
  – Unused disk area
  – Unallocated clusters
  – Pagefile.sys
  – Hiberfil.sys
  – Volume slack
  – File slack
  – RAM slack
• Visit EnCESecrets to Buy Now!

Questions
• If you have questions regarding whether something