Hands-on: Capturing an Image with AccessData FTK Imager

Capturing an Image with AccessData FTK Imager
• Included with AccessData Forensic Toolkit
• View evidence disks and disk-to-image files
• Makes disk-to-image copies of evidence drives
– At logical partition and physical drive level
– Can segment the image file
• Evidence drive must have a hardware write-blocking device
– Or the USB write-protection Registry feature enabled
• FTK Imager can’t acquire a drive’s host protected area (HPA)
Guide to Computer Forensics
and Investigations
2
Capturing an Image with AccessData FTK Imager (continued)
• Steps
– Boot to Windows
– Connect evidence disk to a write-blocker
– Connect target disk to write-blocker
– Start FTK Imager
– Create Disk Image
• Use Physical Drive option
Creating a Virtual Machine
Understanding Virtual Machines
• Virtual machine
– Allows you to create a representation of another computer on an existing physical computer
• A virtual machine is just a few files on your hard drive
– Must allocate space to it
• A virtual machine recognizes components of the physical machine it’s loaded on
– Virtual OS is limited by the physical machine’s OS
Understanding Virtual Machines (continued)
• In computer forensics
– Virtual machines make it possible to restore a suspect drive on your virtual machine
• And run nonstandard software the suspect might have loaded
• From a network forensics standpoint, you need to be aware of some potential issues, such as:
– A virtual machine used to attack another system or network
Creating a Virtual Machine
• Two popular applications for creating virtual machines
– VMware and Microsoft Virtual PC
• Using Virtual PC
– You must download and install Virtual PC first
Creating a Virtual Machine (continued)
• You need an ISO image of an OS
– Because no OSs are provided with Virtual PC
• Virtual PC creates two files for each virtual machine:
– A .vhd file, which is the actual virtual hard disk
– A .vmc file, which keeps track of configurations you make to that disk
• See what type of physical machine your virtual machine thinks it’s running
– Open the Virtual PC Console, and click Settings
Current Computer Forensic Tools: Analyze Data
Using AccessData Forensic Toolkit to Analyze Data
• Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
• FTK can analyze data from several sources, including image files from other vendors
• FTK produces a case log file
• Searching for keywords
– Indexed search
– Live search
– Supports options and advanced searching techniques, such as stemming
Using AccessData Forensic Toolkit to Analyze Data (continued)
• Analyzes compressed files
• You can generate reports
– Using bookmarks
Recovering Passwords
• Techniques
– Dictionary attack
– Brute-force attack
– Password guessing based on suspect’s profile
• Tools
– AccessData PRTK
– Advanced Password Recovery Software Toolkit
– John the Ripper
Recovering Passwords (continued)
• Using AccessData tools with passworded and encrypted files
– AccessData offers a tool called Password Recovery Toolkit (PRTK)
• Can create possible password lists from many sources
– Can create your own custom dictionary based on facts in the case
– Can create a suspect profile and use biographical information to generate likely passwords
Recovering Passwords (continued)
• Using AccessData tools with passworded and encrypted files (continued)
– FTK can identify known encrypted files and those that seem to be encrypted
• And export them
– You can then import these files into PRTK and attempt to crack them
Understanding Steganography
Understanding Steganography in Graphics Files (continued)
• Substitution
– Replaces bits of the host file with bits of data
– Usually change the last two LSBs
– Detected with steganalysis tools
• Usually used with image files
– Audio and video options
• Hard to detect
Using Steganalysis Tools
• Detect variations of the graphic image
– When applied correctly, you cannot detect hidden data in most cases
• Methods
– Compare suspect file to good or bad image versions
– Mathematical calculations verify size and palette color
– Compare hash values
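The substitution technique and two of the steganalysis checks above, as an added example that is not part of the textbook slides or any AccessData tool: it overwrites the two low bits of a constructed byte array with a constructed payload, recovers it, and then shows how comparing hashes against a known-good copy and a crude LSB-plane statistic flag the change (real steganalysis tools use stronger statistics such as chi-square or RS analysis).

```python
import hashlib

# Constructed cover: 256 smooth "pixel" bytes whose two low bits are all zero.
COVER = bytes(((i * 7) % 64) * 4 for i in range(256))

def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for b in data:
        for i in range(7, -1, -1):
            yield (b >> i) & 1

def embed_lsb(cover, payload, bits=2):
    """Substitution: overwrite the lowest `bits` bits of each cover byte with payload bits."""
    mask = (1 << bits) - 1
    stream = list(_bits(payload))
    stream += [0] * (-len(stream) % bits)        # pad to a multiple of `bits`
    groups = [stream[i:i + bits] for i in range(0, len(stream), bits)]
    if len(groups) > len(cover):
        raise ValueError("payload does not fit in cover")
    out = bytearray(cover)
    for n, g in enumerate(groups):
        out[n] = (out[n] & ~mask & 0xFF) | int("".join(map(str, g)), 2)
    return bytes(out)

def extract_lsb(stego, nbytes, bits=2):
    """Read the low `bits` bits of each byte back until `nbytes` payload bytes are recovered."""
    stream = []
    for b in stego:
        stream.extend((b >> i) & 1 for i in range(bits - 1, -1, -1))
        if len(stream) >= nbytes * 8:
            break
    stream = stream[:nbytes * 8]
    return bytes(int("".join(map(str, stream[i:i + 8])), 2) for i in range(0, len(stream), 8))

# Steganalysis checks from the slides: a hash comparison against a known-good copy,
# and a crude LSB-plane statistic (real tools use chi-square / RS analysis instead).
def hashes_match(a, b):
    return hashlib.sha256(a).hexdigest() == hashlib.sha256(b).hexdigest()

def low_bits_zero_fraction(data, bits=2):
    """Fraction of bytes whose low `bits` bits are zero; overwriting them with
    text-like payload pushes this away from the cover's natural value."""
    mask = (1 << bits) - 1
    return sum(1 for b in data if b & mask == 0) / len(data)

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"hidden")
    print(extract_lsb(stego, 6), hashes_match(COVER, stego),
          low_bits_zero_fraction(COVER), low_bits_zero_fraction(stego))
```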
Packet Sniffers
Switch to a Wireshark lab (password sniffing)
Using Packet Sniffers
• Packet sniffers
– Devices or software that monitor network traffic
– Most work at layer 2 or 3 of the OSI model
• Most tools follow the PCAP format
• Some packets can be identified by examining the flags in their TCP headers
• Tools
– Tcpdump
– Tethereal
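An added example, not from the textbook or any of the tools listed, of the two points above: it writes a constructed capture in the libpcap file format, then parses the global and record headers and identifies each packet by the flags in its TCP header. The frames, addresses and ports are constructed; checksums are left at zero because the parser does not check them.

```python
import struct
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic, microsecond timestamps

def flag_names(flags):
    """Translate the TCP flags byte into flag names, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero since parsing ignores them."""
    eth = b"\x00" * 12 + b"\x08\x00"              # dummy MACs, EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Constructed little-endian libpcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for ts, frame in enumerate(frames):            # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Walk the records and describe every IPv4/TCP frame by addresses, ports and flags."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                      # same magic, written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                               # not IPv4-over-Ethernet carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IP header, options included
        if len(tcp) < 20:
            continue                               # truncated by the capture snaplen
        sport, dport = struct.unpack("!HH", tcp[:4])
        records.append({"ts": ts_sec, "src": ".".join(map(str, frame[26:30])), "sport": sport,
                        "dst": ".".join(map(str, frame[30:34])), "dport": dport,
                        "flags": flag_names(tcp[13])})
    return records
```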
Using Packet Sniffers (continued)
• Tools (continued)
– Snort
– Tcpslice
– Tcpreplay
– Tcpdstat
– Ngrep
– Etherape
– Netdude
– Argus
– Ethereal
Viewing E-mail Headers
• Learn how to find e-mail headers
– GUI clients
– Command-line clients
– Web-based clients
• After you open e-mail headers, copy and paste them into a text document
– So that you can read them with a text editor
• Headers contain useful information
– Unique identifying numbers, IP address of sending server, and sending time
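An added example, not from the textbook, that reads a header block pasted into a text file and pulls out the items listed above: the Message-ID, the Date, and the server IP and timestamp from each Received line, ordered from the first hop to the last. The header block, hostnames and addresses are constructed for the example.

```python
import re
from email.parser import Parser
from email.utils import parsedate_to_datetime

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed header block, as it looks after pasting into a text editor.
RAW_HEADERS = """\
Received: from mx2.example.org (mx2.example.org [203.0.113.7])
    by mail.example.com with ESMTP id k7s9Qz; Mon, 3 Mar 2008 10:15:42 -0500
Received: from [192.0.2.25] (helo=laptop)
    by mx2.example.org with SMTP; Mon, 3 Mar 2008 10:15:10 -0500
Message-ID: <4b2f1c3e.7f00@mx2.example.org>
Date: Mon, 3 Mar 2008 10:14:55 -0500
From: sender@example.org
To: analyst@example.com
Subject: Invoice

"""

def _when(received):
    """The timestamp is whatever follows the last ';' in a Received field."""
    if ";" not in received:
        return None
    return parsedate_to_datetime(received.rsplit(";", 1)[1].strip()).isoformat()

def parse_headers(raw):
    """Return the identifiers and the hop list (in transmission order) from a header block."""
    msg = Parser().parsestr(raw)
    hops = []
    # Each MTA prepends its own Received line, so the bottom one is the first hop.
    # Only the lines added by servers you trust are reliable; a sender can forge
    # the earliest ones, so corroborate the origin IP with the receiving server's logs.
    for rec in reversed(msg.get_all("Received", [])):
        text = " ".join(rec.split())              # unfold continuation lines
        hops.append({"ips": IPV4_RE.findall(text), "time": _when(text)})
    return {
        "message_id": msg["Message-ID"],
        "date": parsedate_to_datetime(msg["Date"]).isoformat() if msg["Date"] else None,
        "origin_ip": hops[0]["ips"][0] if hops and hops[0]["ips"] else None,
        "hops": hops,
    }
```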
Viewing E-mail Headers (continued)
• Outlook
– Open the Message Options dialog box
– Copy headers
– Paste them to any text editor
• Outlook Express
– Open the message Properties dialog box
– Select Message Source
– Copy and paste the headers to any text editor
Viewing E-mail Headers (continued)
• Novell Evolution
– Click View, All Message Headers
– Copy and paste the e-mail header
• Pine and ELM
– Check enable-full-headers
• AOL headers
– Click Action, View Message Source
– Copy and paste headers
Viewing E-mail Headers (continued)
• Hotmail
– Click Options, and then click the Mail Display Settings
– Click the Advanced option button under Message Headers
– Copy and paste headers
• Apple Mail
– Click View from the menu, point to Message, and then click Long Header
– Copy and paste headers
Viewing E-mail Headers (continued)
• Yahoo
– Click Mail Options
– Click General Preferences and Show All headers on incoming messages
– Copy and paste headers
Recovering E-mail
Using AccessData FTK to Recover E-mail
• FTK
– Can index data on a disk image or an entire drive for faster data retrieval
– Filters and finds files specific to e-mail clients and servers
• To recover e-mail from Outlook and Outlook Express
– AccessData integrated dtSearch
• dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files