Digital Investigation
CHAPTER 3: CURRENT COMPUTER FORENSICS TOOLS
Management & Science University
FISE
Lab Workstations
Mobile Workstation
Acquisition
VOOM HardCopy 3P
The raw data format, typically created with the UNIX/Linux dd command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive. A raw imaging tool can copy data from one drive to another disk or to segmented files.
Because it's a true unaltered copy, you can view a raw image file's contents with any hexadecimal editor, such as Hex Workshop or WinHex. Hexadecimal editors, also known as disk editors (such as Norton DiskEdit), provide a hexadecimal view and a plaintext view of the data.
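As an added illustration (not part of the original slides), the Python script below performs the same bit-for-bit copy a dd-style raw imaging tool makes, splits it into segmented files, verifies the copy by hash, and renders the first bytes the way a hexadecimal editor would. The segment size, file names and the "drive" contents are constructed for the demo.

```python
import hashlib
import tempfile

BLOCK_SIZE = 512           # re-read in sector-sized chunks, like dd with bs=512
SEGMENT_SIZE = 4096        # assumption: tiny segments so the demo runs fast

def raw_image(source_path, out_prefix, segment_size=SEGMENT_SIZE):
    """Bit-for-bit copy into numbered segment files, nothing parsed or filtered
    (a raw, dd-style image). Returns segment paths and the source's SHA-256."""
    digest, segments, index = hashlib.sha256(), [], 1
    with open(source_path, "rb") as src:
        while chunk := src.read(segment_size):
            digest.update(chunk)
            seg_path = f"{out_prefix}.{index:03d}"
            with open(seg_path, "wb") as seg:
                seg.write(chunk)
            segments.append(seg_path)
            index += 1
    return segments, digest.hexdigest()

def verify_image(segments, expected_sha256):
    """Re-read the segments in order and confirm the copy is unaltered."""
    digest = hashlib.sha256()
    for seg_path in segments:
        with open(seg_path, "rb") as seg:
            for chunk in iter(lambda: seg.read(BLOCK_SIZE), b""):
                digest.update(chunk)
    return digest.hexdigest() == expected_sha256

def hexdump(data, offset=0):
    """One hex-editor style row per 16 bytes: offset, hex bytes, plaintext."""
    rows = []
    for i in range(0, len(data), 16):
        row = data[i:i + 16]
        hexpart = " ".join("%02x" % b for b in row)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        rows.append("%08x  %-47s  %s" % (offset + i, hexpart, text))
    return "\n".join(rows)

def demo():
    """Constructed 9992-byte 'drive': a header string plus repeating filler."""
    data = b"EVIDENCE" + bytes(range(256)) * 39
    source = f"{tempfile.mkdtemp()}/suspect.bin"
    with open(source, "wb") as f:
        f.write(data)
    segments, sha = raw_image(source, source[:-4] + ".dd")
    return len(segments), verify_image(segments, sha), hexdump(data[:16])
```

The 9992-byte source yields three segments (two full, one partial); the hash of the reassembled segments matches the hash taken while reading the source, which is the check you would make after any acquisition.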
Viewing data in a hexadecimal editor
Hashing
Filtering
Analyzing file headers
Extraction
With some tools, you can set filters to select the file types to search, such as searching only PDF documents.
Another function in some forensics tools is indexing all words on a drive. X-Ways Forensics and FTK 1.6x and earlier offer this feature, using the binary index (B-tree) search engine from dtSearch. FTK 2.0 also includes indexing but has switched to an Oracle database and takes advantage of this database program's indexing capabilities.
These features make instant lookup for keywords possible, which speeds up analysis.
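The following Python example is added here and is not from the slides or from any of the tools named above. It shows, on a constructed set of files, the two features just described: a file-type filter driven by file headers rather than extensions (so the "analyzing file headers" step feeds the filter), and a simple inverted word index of the kind that makes keyword lookup instant. The signature table and sample files are assumptions for the demo.

```python
import re

# Header signatures at offset 0. Assumption: a small table for the demo,
# not a full signature database.
SIGNATURES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "zip": [b"PK\x03\x04"],
    "gif": [b"GIF87a", b"GIF89a"],
}

def identify(data):
    """Return the type implied by the file header, or None if unknown."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None

def filter_by_type(files, wanted):
    """Select files whose header says they are `wanted`. The extension is
    ignored, so a renamed PDF is still found and a fake .pdf is skipped;
    a header/extension mismatch is flagged because it merits a closer look."""
    hits = {}
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if identify(data) == wanted:
            hits[name] = {"header": wanted, "ext_mismatch": ext != wanted}
    return hits

def build_index(files):
    """Inverted word index (word -> sorted file names), the structure that
    lets a tool answer keyword lookups without rescanning the drive."""
    index = {}
    for name, data in files.items():
        for word in set(re.findall(rb"[A-Za-z0-9]{3,}", data)):
            index.setdefault(word.decode().lower(), set()).add(name)
    return {word: sorted(names) for word, names in index.items()}

# Constructed sample "drive" contents (not real evidence).
SAMPLE = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Title (Quarterly invoice) >>\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00 invoice scan",
    "notes.txt": b"plain text mentioning the invoice and a password",
    "hidden.jpg": b"%PDF-1.7\nrenamed pdf holding contract terms\n",
    "fake.pdf": b"this is not a pdf at all",
}
```

Filtering SAMPLE for "pdf" returns report.pdf and the renamed hidden.jpg (flagged as a mismatch) but not fake.pdf, and the index answers a lookup such as "invoice" with the three files that contain the word.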
Data-carving options in FTK
Reconstruction
The purpose of having a reconstruction feature in a forensics tool is to re-create a suspect drive to show what happened during a crime or an incident.
Another reason for duplicating a suspect drive is to create a copy for other computer investigators, who might need a fully functional copy of the drive so that they can perform their own acquisition, test, and analysis of the evidence.
Disk-to-disk copy
Image-to-disk copy
Partition-to-partition copy
Image-to-partition copy
SafeBack
SnapBack
EnCase
FTK Imager
ProDiscover
X-Ways Forensics
All these tools have proprietary formats that can be restored only by the same application that created them. For example, a ProDiscover image (.eve format) can be restored only by using ProDiscover.
Reporting
Whether you use a suite of tools or a task-specific tool, you have the option of selecting one that enables you to analyze digital evidence.
Computer forensics tools have 3 types:
1.
2.
3.
Software
Helix
BackTrack
Sleuth Kit is a Linux forensics tool, and Autopsy is the GUI browser interface for accessing Sleuth Kit's tools.
Knoppix-STD
ease of use.
the capability to perform multiple tasks.
no requirement to learn older OSs.
Their disadvantages
Technology changes rapidly, and hardware manufacturers have designed most computer components to last about 18 months between failures. For this reason, you should schedule equipment replacements periodically, ideally every 18 months if you use the hardware full-time.
Most computer forensics operations use a workstation 24 hours a day for a week or longer between complete shutdowns.
Forensics hardware covers the following issues:
Forensic Workstations
Using a Write-Blocker
Forensic Workstations
Using a Write-Blocker
When you restart the workstation and examine the blocked drive, you won't see the data or files you copied to it previously.
Many vendors have developed write-blocking devices that connect to a computer through FireWire, USB 2.0, SATA, and SCSI controllers. Most of these write-blockers enable you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.
For more information on write-blocker specifications, visit www.cftt.nist.gov. The following vendors provide write-blocking devices:
www.digitalintelligence.com
www.forensicpc.com
ULTRAKIT that contains various types of write-blockers
4.
5.
6.
For example, use the image of a closed case file created with a
trusted forensics tool to test a new tool in the same category
and see whether it produces the same results.
1.
2.
3.
Disk editors typically show files, file headers, file slack, RAM slack, and other data on the physical disk. Disk editors are reliable and capable of accessing sectors of the digital evidence to verify your findings.
If you decide to use a Computer Forensics Examination Protocol, use the following recommended steps:
First, conduct your investigation of the digital evidence with one GUI tool.
Then perform the same investigation with a disk editor to verify that the GUI tool is seeing the same digital evidence in the same places on the test or suspect drive's image.
If a file is recovered, obtain the hash value with the GUI tool and the disk editor, and then compare the results to verify whether the file has the same value in both tools.
The best way to test is to build a test hard disk that stores data in the unused space allocated for a file, also known as file slack. You can then use a forensics tool to retrieve it. If you can retrieve the data with that tool and verify your findings with a second tool, you know the tool is reliable.
As computer forensics tools continue to evolve, you should check the Web for new editions, updates, patches, and validation tests for your tools.
Always validate what the hardware or software tool is doing as opposed to what it's supposed to be doing. Be confident and knowledgeable about the capabilities of your forensics toolbox. Remember to test and document why a tool does or doesn't work the way it's supposed to.
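The Python example below is an added illustration of the test described above and is not from the slides. It builds a constructed raw image with a known cluster size, plants a marker in a file's slack, retrieves it with a file-system-aware reader, then verifies the finding with a second, independent method (a raw scan of the image) and a hash comparison, the way the slides recommend checking one tool against another. The cluster size, file name and marker are constructed values.

```python
import hashlib

CLUSTER_SIZE = 512   # assumption: small cluster size so the image stays tiny

def build_test_disk(cluster_size, files, planted):
    """Constructed raw image: cluster 0 is a dummy boot sector, each file then
    occupies whole clusters in order. Bytes left over in a file's last cluster
    (its file slack) are filled with the planted data. Returns the image and an
    allocation table: name -> (start_cluster, size)."""
    image = bytearray(b"BOOT".ljust(cluster_size, b"\x00"))
    table, next_cluster = {}, 1
    for name, data in files.items():
        clusters = -(-len(data) // cluster_size)          # ceiling division
        slack = clusters * cluster_size - len(data)
        filler = (planted * (slack // len(planted) + 1))[:slack]
        image += data + filler
        table[name] = (next_cluster, len(data))
        next_cluster += clusters
    return bytes(image), table

def read_file_slack(image, cluster_size, start_cluster, size):
    """Tool one: use the allocation table to return exactly the slack bytes."""
    begin = start_cluster * cluster_size + size
    end = (start_cluster + -(-size // cluster_size)) * cluster_size
    return image[begin:end]

def carve_marker(image, marker):
    """Tool two: scan the raw image for the marker, ignoring the file system."""
    offsets, pos = [], image.find(marker)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(marker, pos + 1)
    return offsets

def validate(cluster_size=CLUSTER_SIZE):
    """Plant a marker in slack, retrieve it with tool one, confirm with tool
    two, and compare hashes of what the two methods returned."""
    marker = b"SLACK-TEST-MARKER"
    files = {"memo.txt": b"Nothing to see here." * 10}    # 200 bytes, 312 slack
    image, table = build_test_disk(cluster_size, files, marker)
    start, size = table["memo.txt"]
    slack = read_file_slack(image, cluster_size, start, size)
    offsets = carve_marker(image, marker)
    carved = image[offsets[0]:offsets[0] + len(slack)]
    same_hash = hashlib.sha256(slack).hexdigest() == hashlib.sha256(carved).hexdigest()
    return marker in slack, offsets[0] == cluster_size * start + size, same_hash
```

A file that exactly fills its clusters has no slack, so the reader returns nothing for it; that empty result is worth keeping in the test set, because a tool that reports slack where none exists is as unreliable as one that misses it.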
Chapter Summary
THE END