Computer Forensics Tools
Hardware and Software Forensic Tools
Computer Forensic Tools
 Tools are used to analyze digital data & prove or disprove criminal activity
 Used in 2 of the 3 phases of computer forensics
   Acquisition – images systems & gathers evidence
   Analysis – examines data & recovers deleted content
   Presentation – tools not used
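The acquisition phase above in miniature, as an added example that is not part of the slides: an imaging routine that copies a source bit-for-bit, records a hash of the bytes copied, and later verifies the image against that hash. The "device" is a constructed in-memory buffer and all function names are mine; hardware write-blocking is outside what the code models.

```python
"""Added example (not from the slides): the acquisition phase in miniature.

An acquisition tool copies a source device bit-for-bit into an image and
records a hash of the bytes copied, so the image can later be shown to be an
unaltered copy. The "device" here is a constructed in-memory buffer that
stands in for a block device, so the example runs offline.
"""
import hashlib
import io

BLOCK = 4096  # read size; real tools read whole sectors at a time


def acquire(source, dest, algo="sha256"):
    """Stream every byte of `source` into `dest`, hashing as it is written.

    Returns (bytes_copied, acquisition_hash). Hashing the same bytes that are
    written means the hash describes exactly what ended up in the image.
    """
    h = hashlib.new(algo)
    source.seek(0)
    copied = 0
    for chunk in iter(lambda: source.read(BLOCK), b""):
        dest.write(chunk)
        h.update(chunk)
        copied += len(chunk)
    dest.flush()
    return copied, h.hexdigest()


def acquire_bytes(data, algo="sha256"):
    """Acquire an in-memory byte string; returns (image_bytes, hash)."""
    image = io.BytesIO()
    _, digest = acquire(io.BytesIO(data), image, algo)
    return image.getvalue(), digest


def verify_image(image_bytes, acquisition_hash, algo="sha256"):
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return hashlib.new(algo, image_bytes).hexdigest() == acquisition_hash


if __name__ == "__main__":
    # Constructed stand-in for a small device: a header plus repeating filler.
    device = b"BOOT" + bytes(range(256)) * 1024
    image, digest = acquire_bytes(device)
    print(len(image), digest)
    print("image verifies:", verify_image(image, digest))
    tampered = b"X" + image[1:]  # one altered byte breaks verification
    print("tampered image verifies:", verify_image(tampered, digest))
```

The recorded hash is what lets an examiner show in a Daubert hearing that the analysed image is the same data that was acquired.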
Admissibility of Forensic Evidence in Court
 Data must be relevant & reliable
 Reliability of evidence gathered by tools is assessed by a judge in a pre-trial hearing, aka a Daubert hearing
 Assesses the methodology used to gather the evidence
   Sound scientific practices?
   Reliable evidence?
Pre-trial Hearings
 Frye Test – past method
   Responsibility rests on the scientific community
   Defined acceptable evidence-gathering procedures
   Used peer-reviewed journals
 Daubert Hearing – current method
   Offers additional methods to test the quality of evidence
Source: http://www.owlinvestigations.com/forensic_articles/aural_spectrographic/standards_of_admissibility.html
Daubert Hearing Process
 Testing – Has this procedure been tested?
 Error Rate – What is the error rate of this procedure?
 Publication – Has the procedure been published and reviewed by peers?
 Acceptance – Is the procedure generally accepted within the relevant scientific community?
Sources: http://www.daubertexpert.com/basics.html
http://onin.com/fp/daubert_links.html#whatisadauberthearing
Types of Security Software
 Network Firewall
 Remote Access
 Network Security Management
 Vulnerability Management
 Wireless
 Emergent Technology
 Antispyware
 Antivirus
 Authentication
 E-Mail Security
 Identity & Access Management
 Intrusion Detection
 Intrusion Prevention
Types of Forensic Software
 Acquisition Tools
 Data Discovery Tools
 Internet History Tools
 Image Viewers
 E-mail Viewers
 Password Cracking Tools
 Open Source Tools
 Mobile Device Tools (PDA/Cell Phone)
 Large Storage Analysis Tools
Electronic Data Discovery Tools
 Extract & index data
 Create electronic images of data
 Search by keyword or document similarity
 Metadata
   Author
   Date created & updated
   Email date sent, received
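The extract, index and search functions of an electronic data discovery tool, as an added example that is not from the slides or any named product: it pulls author and date metadata from a small constructed document set and a constructed e-mail message (using the standard library's e-mail parser), builds an inverted keyword index, and answers keyword searches. Every file name, person and address in it is made up.

```python
# Added example, not from the slides: the core of an electronic data discovery
# tool. Extract text and metadata (author, dates) from a constructed document
# set and e-mail, build a keyword index, and run keyword searches over it.
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed documents (name, author, created, updated, text) and e-mail;
# the e-mail's Date and Received headers give the sent/received times.
DOCS = [
    ("memo1.txt", "J. Doe", "2005-03-01", "2005-03-04",
     "Quarterly invoice totals were adjusted after the audit."),
    ("notes.txt", "A. Smith", "2005-02-14", "2005-02-14",
     "Audit meeting moved; invoice review pending."),
]
RAW_EMAIL = """\
From: J. Doe <jdoe@example.com>
Date: Tue, 01 Mar 2005 09:15:00 -0500
Received: from mail.example.com; Tue, 01 Mar 2005 09:16:02 -0500
Subject: Invoice adjustments

Please review the adjusted invoice before the audit call.
"""
WORD = re.compile(r"[a-z]+")

def email_record(raw):
    """Author, sent/received dates and body text of one e-mail message."""
    msg = message_from_string(raw)
    received = msg["Received"].split(";", 1)[1].strip()  # after the ';'
    return {"name": msg["Subject"], "author": msg["From"],
            "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
            "received": parsedate_to_datetime(received).isoformat(),
            "text": msg.get_payload()}

def build_index(records):
    """Inverted index: lower-cased word -> set of record names containing it."""
    index = defaultdict(set)
    for rec in records:
        for word in WORD.findall(rec["text"].lower()):
            index[word].add(rec["name"])
    return index

def search(index, *keywords):
    """Sorted names of records that contain every keyword (AND search)."""
    hits = [index.get(k.lower(), set()) for k in keywords]
    return sorted(set.intersection(*hits)) if hits else []

RECORDS = [dict(zip(("name", "author", "created", "updated", "text"), d))
           for d in DOCS] + [email_record(RAW_EMAIL)]
INDEX = build_index(RECORDS)
```

`search(INDEX, "invoice", "adjusted")` returns the memo and the e-mail but not the notes file; the record dictionaries carry the author and date fields a reviewer would filter on next.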
More About Electronic Data Discovery Tools
 Analyze data
 Retrieve data from different media
 Convert between different media and file formats
 Extract text & data from documents
 Create images of the documents
 Print documents
 Archive documents
Internet History Tools
 Read information in the complete history database
 Display a list of visited sites
 Open URLs in Internet Explorer
 Add URLs to Favorites
 Copy URLs
 Print URLs
 Save listings/ranges as a text file
Image & E-Mail Viewers
 View files
 Convert files
 Catalog files
 Side-by-side file comparisons
Password Cracking Tools
 Password recovery
 Allows access to computers
 3 methods to crack passwords
   Dictionary attack
   Hybrid attack
   Brute force attack
Source: http://www-128.ibm.com/developerworks/library/s-crack/
Open Source Tools
 Free tools available to computer forensic specialists
 Cover the entire scope of forensic tools in use
 May more clearly and comprehensively meet the Daubert guidelines than closed source tools
 Among the most widely used
Source: http://software.newsforge.com/software/05/04/05/2052235.shtml?tid=129&tid=136&tid=147&tid=2&tid=132
Mobile Device Tools
 Number and variety of toolkits considerably more limited than for computers
 Require the examiner to have full access to the device
 Most tools focus on a single function
 Deleted data remains on a PDA until a successful HotSync with a computer
Sources: http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf
http://www.cs.ucf.edu/courses/cgs5132/spring2002/presentation/weiss.ppt#5
Forensic Tool Suites
 Provide a lower-cost way to maximize the tools
 Typically include the most often used tools
   Paraben
   The Coroner’s Toolkit (TCT)
   The Sleuth Kit (TSK)
   EnCase
   Forensic Toolkit (FTK)
   Maresware
A Closer Look
 EnCase
 ByteBack
 Forensic Toolkit
 Maresware
 Paraben
 Coroner’s Toolkit
 The Sleuth Kit
EnCase
 Originally developed for law enforcement
 Built around case management
 Integrated Windows-based graphical user interface (GUI)
 Multiple features
ByteBack
 Cloning/imaging
 Automated file recovery
 Rebuild partitions & boot records
 Media wipe
 Media editor
 Software write block
Forensic Toolkit (FTK)
 Another tool suite
 Acquires & examines electronic data
 Imaging tool
 File viewer
Maresware
 Collection of tools rather than a tool suite
 Main difference – tools are stand-alone & called as needed
 4 notable tools
   Declasfy
   Brandit
   Bates_no
   Upcopy
Paraben
 Collection of stand-alone tools
 Made up of 10 individual software tool sets
 Purchased separately, with a price break for multiple tool purchases
 Frequently used with mobile devices
Coroner’s Toolkit (TCT)
 Open source tool suite
 Supports a post-mortem analysis of Unix & Linux systems
 Written for incident response rather than law enforcement
 Not designed for the requirements to produce & prosecute
The Sleuth Kit (TSK)
 Open-source software suite
 Built on TCT
 Collection of command-line tools
 Provides media management & forensic analysis
 Core toolkit consists of 6 tools
Hardware Acquisition Tools
 Various hardware & software platforms
   Collect data
   Process data
   Save data
   Display data in a meaningful manner
Forensic Hardware
 Workstations – copy & analysis
 Drive imaging system
 Drive wiper
 Bridge
 Write blocker – SATA, SCSI, IDE, USB
 Imaging device
 SCSI bridge
Tool Costs
 Workstations starting at $5,000
 Bridges starting at $200
 Drive wipers starting at $1000
 Wide assortment of special cables and hardware accessories, varying in price
 Software – free (open source) to over $1000
Choosing Your Forensic Toolkit
 Expected types of investigations
   Internal reporting
   Prosecution
 Operating systems
 Budget
 Technical skill
 Role
   Law enforcement
   Private organization
Prepare to Tool Up
 Make lists
 Don’t overbuy
 Overlapping tools
 No one-size-fits-all
 Training
References
 Computer Forensics Jump Start. Michael G. Solomon, Diane Barret & Neil Broom. Sybex, San Francisco, 2005.
 Hacking Exposed – Computer Forensics. Chris Davis, Aaron Philipp & David Cowen. McGraw-Hill, New York, 2005.
 Forensic and Investigative Accounting. D. Larry Crumbley, Lester E. Heitger & G. Stevenson Smith. CCH Inc., Chicago, 2003.