Guide to Computer Forensics and Investigations, Second Edition
Chapter 10
Computer Forensics Analysis
Objectives
• Understand computer forensics analysis
• Use DriveSpy to analyze computer data
• Use AccessData’s Forensic Toolkit (FTK)
Guide to Computer Forensics and Investigations, 2e
2
Objectives (continued)
• Use EnCase to analyze computer data
• Perform a computer forensics analysis
• Address data-hiding techniques
Understanding Computer Forensics Analysis
• Examining and analyzing digital evidence
– Nature of the case
– Amount of data to process
– Search warrants
– Court orders
– Company policies
• Scope creep
• Right of full discovery of digital evidence
Refining the Investigation Plan
• Steps:
– Determine the scope of the investigation
– Estimate number of hours to complete the case
– Determine whether you should collect all information
– Plan what to do in case of scope creep
– Determine if you have adequate resources
– Establish the deadline
Refining the Investigation Plan (continued)
• After you refine your plan, acquire evidence
• Examine evidence
• Review the latest changes in technology
– Find new places for hiding information
– Learn of new methods for storing data
– Verify that your tools still work
• Determine the suspect’s motive
Using DriveSpy to Analyze Computer Data
• Files
– DriveSpy.exe/ini/hlp
• DriveSpy.ini sections
– License
– File Headers
– File Groups
– Search
Using DriveSpy to Analyze Computer Data (continued)
• File Headers
– Hexadecimal numbers
– Identify known files even if the extension is different
– You can add more headers
• File Groups
– Consolidate similar file types
– Search for several header types at one time
– You can define your own groups
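How header signatures and file groups work in practice, as an added example in Python (not DriveSpy's own code or its .ini format): a small signature table keyed on the hexadecimal bytes at a fixed offset, groups that bundle several signatures so one pass covers all of them, and a check that flags a file whose extension disagrees with its header. The hex headers are the well-known magic numbers of each format; the group names, the sample "files" and their names are constructed for illustration.

```python
"""Header-signature identification and file groups (added example)."""
from typing import Optional

# Hexadecimal header, offset at which it appears, file type, usual extensions.
# The headers are the standard magic numbers; the table itself is constructed.
SIGNATURES = [
    ("FFD8FF",           0, "JPEG", {"jpg", "jpeg"}),
    ("89504E470D0A1A0A", 0, "PNG",  {"png"}),
    ("474946383961",     0, "GIF",  {"gif"}),
    ("25504446",         0, "PDF",  {"pdf"}),
    ("504B0304",         0, "ZIP",  {"zip", "docx", "xlsx"}),
    ("4D5A",             0, "EXE",  {"exe", "dll", "sys"}),
]

# File groups consolidate similar types so one pass searches several headers
FILE_GROUPS = {
    "Images":    {"JPEG", "PNG", "GIF"},
    "Documents": {"PDF"},
    "Archives":  {"ZIP"},
    "Programs":  {"EXE"},
}


def identify(data: bytes) -> Optional[str]:
    """Return the file type whose header bytes match, regardless of file name."""
    for hexsig, offset, ftype, _exts in SIGNATURES:
        sig = bytes.fromhex(hexsig)
        if data[offset:offset + len(sig)] == sig:
            return ftype
    return None


def extension_mismatch(name: str, data: bytes) -> Optional[bool]:
    """True if the header identifies one type but the extension claims another.

    None means the header is unknown, so no judgement is possible."""
    ftype = identify(data)
    if ftype is None:
        return None
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = next(exts for _, _, t, exts in SIGNATURES if t == ftype)
    return ext not in expected


def search_group(files: dict, group: str) -> list:
    """Return the names of files whose header belongs to the named file group."""
    wanted = FILE_GROUPS[group]
    return sorted(n for n, d in files.items() if identify(d) in wanted)


# Constructed sample "files": real headers followed by filler bytes
SAMPLE_FILES = {
    "holiday.jpg": bytes.fromhex("FFD8FFE0") + b"\x00" * 12,
    "report.pdf":  b"%PDF-1.4\n%...",
    "notes.txt":   bytes.fromhex("FFD8FFE1") + b"\x00" * 12,   # a renamed JPEG
    "setup.exe":   b"MZ" + b"\x90" * 14,
    "readme.txt":  b"plain text, no known header",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12} type={identify(data)} mismatch={extension_mismatch(name, data)}")
    print("Images group:", search_group(SAMPLE_FILES, "Images"))
```

The renamed JPEG (notes.txt) is what the "even if the extension is different" bullet is about: the extension check is only a hint, the header decides, and an unknown header is reported as unknown rather than guessed.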
Using DriveSpy to Analyze Computer Data (continued)
• Search
– Include keywords
– Defines level of accuracy
– Not case sensitive
– Can produce false-positive hits
– Use hex values for special characters or keywords
DriveSpy Keyword Searching
• Search at physical level (Drive mode) or logical
level (Partition mode)
• Use Output command to create a log
• Drive mode supports other file systems
– NTFS, HFS, UNIX/Linux
• Searches in partition gaps
• Cannot analyze archive or encrypted files
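A raw keyword search of the kind the Search section and this slide describe, as an added example in Python (not DriveSpy code): it scans every byte of an image with no file-system parsing, so slack, unallocated space and partition gaps are covered alike; it is case-insensitive; a keyword given as hex (here "0D0A" for a carriage return and line feed) is searched as raw bytes; and the log shows the false-positive hit that a short keyword produces. The image bytes and keywords are constructed, and the regular-expression engine is only this example's implementation choice.

```python
"""Physical-level keyword search over a disk image (added example)."""
import re
from typing import List, Tuple

Hit = Tuple[int, str, bytes]   # (byte offset, keyword as given, surrounding bytes)


def compile_keywords(keywords: List[str], hex_keywords: List[str]) -> List[Tuple[str, bytes]]:
    """Text keywords become bytes; hex keywords such as "0D0A" become raw bytes,
    which is how special or non-printable characters are searched."""
    patterns = [(kw, kw.encode("latin-1")) for kw in keywords]
    patterns += [(hx, bytes.fromhex(hx)) for hx in hex_keywords]
    return patterns


def search_image(image: bytes, keywords=(), hex_keywords=(), context=8) -> List[Hit]:
    """Case-insensitive search of every byte of the image.  Returns every hit,
    false positives included; the examiner decides which are relevant."""
    hits: List[Hit] = []
    for label, raw in compile_keywords(list(keywords), list(hex_keywords)):
        for m in re.finditer(re.escape(raw), image, re.IGNORECASE):
            lo = max(0, m.start() - context)
            hi = min(len(image), m.end() + context)
            hits.append((m.start(), label, image[lo:hi]))
    return sorted(hits)


def format_log(hits: List[Hit]) -> str:
    """Render hits as the kind of text log the Output command would capture."""
    return "\n".join(f"{off:08X}  {label!r:10} {ctx!r}" for off, label, ctx in hits)


# Constructed image: null filler, a credential line, a fragment that will
# produce a false positive for "bank", 0xFF filler and a second fragment.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"Password: Secret123\r\n"
    + b"\x00" * 16
    + b"the embankment path\r\n"
    + b"\xff" * 16
    + b"SECRET meeting Friday"
)

if __name__ == "__main__":
    print(format_log(search_image(SAMPLE_IMAGE, ["secret", "bank"], ["0D0A"])))
```

The offsets in the log are physical byte offsets into the image, which is what lets a hit be located again later in Drive mode even when no file system claims that region.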
DriveSpy Scripts
• Run predefined commands
• Similar to DOS batch files
• Use them in all three DriveSpy modes
• Creating a script
– Use any text editor (Notepad)
– Enter each command line by line
– Can call other script files
DriveSpy Scripts (continued)
• Example:
DriveSpy Data Integrity Tools
• Wipe
– Overwrites possible sensitive data that can corrupt
output data
– Works on sectors, partitions, drives, unallocated
space, and MBR
– Available in Drive and Partition modes
DriveSpy Integrity Tools (continued)
• MD5
– RFC-compliant MD5 function
– Hashes an entire partition, or specific files
– Available in Drive and Partition mode
• Dbexport
– Creates a text file of all specified data in a file or disk
– Works only in Partition mode
DriveSpy Residual Data Collection Tools
• Recover deleted files and unused space
• SaveSlack
– Copy slack space from files on a partition
– 8.3 filename with .dat as file extension
– Works only in Partition mode
• SaveFree
– Collects all unallocated disk space on a partition
– Works only in Partition mode
Other Useful DriveSpy Command Tools
• Get FAT Entry (GFE)
• Chain FAT Entry (CFE)
• Chain Directory Entry (CDE)
• Trace Directory Cluster (TDC)
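One added example in Python serving both the residual-data slide (SaveSlack, SaveFree) and the FAT entry tools on this slide (GFE, CFE). It is not DriveSpy code: it models a tiny FAT12-style volume in memory, where cluster numbering starts at 2, a FAT entry of 0 means free, 0xFF7 marks a bad cluster and a value of 0xFF8 or above marks the last cluster of a file. Walking the chain is what CFE does; the slack function returns the bytes between a file's logical end and the end of its last cluster; the free-space function concatenates every unallocated cluster. The FAT, data clusters and directory entry are all constructed.

```python
"""FAT chain walking, slack space and free space on a toy volume (added example)."""
from typing import Dict, List, Tuple

CLUSTER_SIZE = 16
FAT_EOC = 0xFF8          # FAT12: 0xFF8..0xFFF = last cluster of a file
FAT_BAD = 0xFF7          # cluster marked bad

# Constructed FAT: index = cluster number.  Entries 0 and 1 are reserved.
FAT: List[int] = [0xFF8, 0xFFF, 4, 0, 0xFFF, 0, 0, 0]

# Constructed data area, one entry per cluster, starting at cluster 2.
DATA: Dict[int, bytes] = {
    2: b"Meeting moved to",         # NOTE.TXT, first cluster
    3: b"OLD DELETED DATA",         # free cluster still holding a deleted file
    4: b"day." + b"<old-slack!>",   # NOTE.TXT uses 4 bytes; the rest is slack
    5: b"\x00" * 16,
    6: b"FREE-SPACE-DATA!",
    7: b"\x00" * 16,
}
assert all(len(v) == CLUSTER_SIZE for v in DATA.values())

# Constructed directory: name -> (starting cluster, file size in bytes)
DIRECTORY: Dict[str, Tuple[int, int]] = {"NOTE.TXT": (2, 20)}


def get_fat_entry(fat: List[int], cluster: int) -> int:
    """The raw FAT value for one cluster (what GFE shows)."""
    return fat[cluster]


def chain_fat_entry(fat: List[int], start: int) -> List[int]:
    """Follow the FAT from a starting cluster to end of chain (what CFE does).
    A visited set guards against a corrupted FAT that loops."""
    chain, cur, seen = [], start, set()
    while 2 <= cur < len(fat) and cur not in seen:
        chain.append(cur)
        seen.add(cur)
        nxt = get_fat_entry(fat, cur)
        if nxt == 0 or nxt == FAT_BAD or nxt >= FAT_EOC:
            break
        cur = nxt
    return chain


def read_file(name: str) -> bytes:
    """Logical file content: chained clusters truncated to the directory size."""
    start, size = DIRECTORY[name]
    raw = b"".join(DATA[c] for c in chain_fat_entry(FAT, start))
    return raw[:size]


def save_slack(name: str) -> bytes:
    """Bytes after the file's logical end inside its last cluster (SaveSlack)."""
    start, size = DIRECTORY[name]
    chain = chain_fat_entry(FAT, start)
    used_in_last = size - (len(chain) - 1) * CLUSTER_SIZE
    return DATA[chain[-1]][used_in_last:]


def free_clusters(fat: List[int]) -> List[int]:
    return [c for c in range(2, len(fat)) if fat[c] == 0]


def save_free() -> bytes:
    """Every unallocated cluster, concatenated (SaveFree)."""
    return b"".join(DATA[c] for c in free_clusters(FAT))


if __name__ == "__main__":
    print("chain :", chain_fat_entry(FAT, 2))
    print("file  :", read_file("NOTE.TXT"))
    print("slack :", save_slack("NOTE.TXT"))
    print("free  :", free_clusters(FAT), save_free())
```

Neither the slack nor the free clusters are reachable through the file system's own view of the volume, which is why a file-level copy misses them and a tool has to read the clusters directly.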
Other Useful DriveSpy Command Tools (continued)
• Cluster
• Boot
• PartMap
• Tables
Using Other Digital Intelligence Computer Forensics Tools
• Using PDBlock
– Prevents data from being written on a disk drive
– Can only be used on a true MS-DOS level
– Turns off BIOS’s Interrupt 13
• Using PDWipe
– Overwrites hard disk drives
– For sanitation purposes
– Wipe disk at least three to seven times
Using AccessData’s Forensic Toolkit
• Supported file systems: FAT12/16/32, NTFS,
Ext2fs, and Ext3fs
• Interacts with other tools
– EnCase, SafeBack, SaveSect
– Linux or UNIX dd command
• Known File Filter (KFF)
– Can detect even child pornography evidence
– Uses digital hash signatures
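Hash-based known file filtering of the kind this KFF slide describes, together with the MD5 hashing of files and whole partition images that the DriveSpy MD5 tool slide mentioned earlier, as one added example in Python. It is not FTK's, AccessData's or DriveSpy's code: the "ignore" and "alert" hash sets are constructed stand-ins for a vendor hash library (the values in them are simply the MD5 of the empty file and of the string "hello"), and the sample files are in-memory byte strings.

```python
"""MD5 hashing and a KFF-style known-file filter (added example)."""
import hashlib
from typing import Dict, Iterable

# Constructed KFF-style sets.  A real library holds hashes of known
# operating-system and application files (ignorable) and of known
# contraband (alert); these two digests only stand in for such entries.
KFF_IGNORE = {
    "d41d8cd98f00b204e9800998ecf8427e",   # MD5 of the empty file
}
KFF_ALERT = {
    "5d41402abc4b2a76b9719d911017c592",   # MD5 of b"hello", standing in for a known-bad file
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_stream(chunks: Iterable[bytes]) -> str:
    """Hash a large object such as a partition image piece by piece, so the
    whole image never has to be in memory at once."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def classify(data: bytes) -> str:
    """Return 'alert', 'ignore' or 'unknown' for a file's contents."""
    digest = md5_hex(data)
    if digest in KFF_ALERT:
        return "alert"
    if digest in KFF_IGNORE:
        return "ignore"
    return "unknown"


def filter_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Apply the filter to a set of files.  Only 'unknown' and 'alert'
    files need the examiner's attention; 'ignore' files are known and benign."""
    return {name: classify(data) for name, data in files.items()}


# Constructed sample files
SAMPLE_FILES = {
    "empty.dat": b"",
    "flagged.bin": b"hello",
    "letter.txt": b"Dear Sir, the shipment has arrived.",
}

if __name__ == "__main__":
    for name, verdict in filter_files(SAMPLE_FILES).items():
        print(f"{name:12} {md5_hex(SAMPLE_FILES[name])}  {verdict}")
    # Hashing the same bytes in pieces gives the same digest as hashing them whole
    print(md5_stream([b"hel", b"lo"]) == md5_hex(b"hello"))
```

The filter depends entirely on the digest matching exactly, so a single changed byte in a known file makes it "unknown" again; that is the intended behaviour, and also why the hash sets have to be kept current.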
Using AccessData’s Forensic Toolkit
(continued)
• Log file
• Searching for keywords
– Indexed search
– Live search
– You can specify options
• Analyzes compressed and encrypted files
• You can generate reports using bookmarks
Using Guidance Software’s EnCase
• Can access hard drives remotely
• Floppy and CD boot disks
– Built-in software write-blocker
• Built-in search feature
• GUI-based application
Using Guidance Software’s EnCase (continued)
• Options
– Bookmarks
– File signatures and hash sets
– Security identifiers (SIDs)
– Keywords
• View
– Gallery
– Mail
Using Guidance Software’s EnCase (continued)
• Timeline
– When items were created, deleted, or modified
• Report View
• Powerful scripting feature
Approaching Computer Forensics Cases
• Know exactly what the case requires
• Simply follow leads you uncover
– Physical evidence
– Digital evidence
Performing a Computer Forensics Analysis
• Steps:
– Use recently wiped target disks
– Inventory suspect’s hardware
– Remove the original disk and check date and time
on CMOS
– Record data acquisition steps
– Process the data methodically and logically
– List all directories and files on the copied image
Performing a Computer Forensics Analysis (continued)
• Steps (continued):
– If possible, examine all directories and files starting
at root
– Recover content of encrypted files
– Create a document with directory and file names on
the evidence disk
– Identify functions of every executable file
– Always maintain control of evidence
Performing Forensic Analysis on Microsoft File Systems
• Recommendations
– Use antivirus on bit-stream disk-to-disk copies
– Examine all boot files
– Recover all deleted files, slack, and unallocated
space
• FAT disk forensic analysis
– Create image volumes and store them on CDs
• Be alert for compressed partitions
Performing Forensic Analysis on Microsoft File Systems (continued)
• NTFS analysis tools
– DriveSpy
– NTI DiskSearch NT
– NTFSDOS
– GUI tools
• FTK, EnCase, ProDiscover DFT, FactFind, and iLook
UNIX and Linux Forensic Analysis
• Windows forensics tools
– EnCase
– FTK
– iLook
• UNIX and Linux forensics tools
– Sleuthkit
– Knoppix-STD
– Autopsy
– TASK
Addressing Data-hiding Techniques
• File manipulation
– File names and extensions
– Hidden property
• Disk manipulation
– Hidden partitions
– Bad clusters
• Encryption
– Bit shifting
– Steganography
Hiding Partitions
• Delete references to a partition
– Re-create links for accessing it
• Use disk-partitioning utilities
– PartitionMagic
– System Commander
– LILO
• Account for all disk space when analyzing a disk
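The "account for all disk space" check, as an added example in Python that is not from the textbook or any of the utilities named above. It parses a 512-byte MBR (four 16-byte entries at offset 446, little-endian LBA fields, 0x55AA signature at offset 510, all standard MBR layout) and lists every sector range that no partition entry claims. The small gap before the first partition is normal; a large unclaimed range between or after partitions is where a partition whose table entry was deleted would still hold its data. The MBR bytes and disk size are constructed.

```python
"""Unclaimed-space accounting from an MBR partition table (added example)."""
import struct
from typing import List, Tuple

Partition = Tuple[int, int, int]   # (type byte, first LBA, sector count)
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA, count


def build_mbr(entries: List[Partition]) -> bytes:
    """Construct a 512-byte MBR with the given entries (test data only)."""
    mbr = bytearray(512)
    for i, (ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the non-empty partition entries of an MBR."""
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR signature")
    parts = []
    for i in range(4):
        _status, _chs1, ptype, _chs2, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0 and count != 0:
            parts.append((ptype, lba, count))
    return parts


def unaccounted_ranges(parts: List[Partition], total_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges (start, length) that no partition entry claims.
    Sector 0 and the reserved track before the first partition are expected;
    anything else is a gap the examiner should look at."""
    gaps, cursor = [], 0
    for _ptype, lba, count in sorted(parts, key=lambda p: p[1]):
        if lba > cursor:
            gaps.append((cursor, lba - cursor))
        cursor = max(cursor, lba + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


# Constructed disk of 20480 sectors: a FAT32 and an NTFS partition with a
# hole between them and unclaimed space after the second one.
TOTAL_SECTORS = 20480
SAMPLE_MBR = build_mbr([(0x0B, 63, 8192), (0x07, 10240, 4096)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for ptype, lba, count in parts:
        print(f"type 0x{ptype:02X}  start {lba}  sectors {count}")
    for start, length in unaccounted_ranges(parts, TOTAL_SECTORS):
        print(f"unclaimed: sectors {start}-{start + length - 1} ({length} sectors)")
```

The total sector count has to come from the drive itself (its geometry or the image size), not from the partition table, since the table is exactly the thing a hidden partition manipulates.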
Marking Bad Clusters
• Place sensitive information on free space
• Use a disk editor to mark that space as a bad
cluster
• Common with FAT systems
Bit-shifting
• Old technique
• Shift bit patterns to alter byte values of data
• Make files look like binary executable code
• Tool
– Hex Workshop
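What bit-shifted data looks like and how an examiner can test for it, as an added example in Python (not Hex Workshop or the textbook's own material). Rotating each byte a few positions turns readable text into bytes that pass for binary code; the check tries all eight rotations and keeps the one with the highest proportion of printable characters, which recovers the original exactly when the data was text. Per-byte rotation is the simplest form of the technique; the sample text is constructed.

```python
"""Per-byte bit rotation and a printable-ratio recovery check (added example)."""
from typing import Tuple


def rotate_bits(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits (n taken modulo 8)."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def recover_shifted(data: bytes) -> Tuple[int, bytes]:
    """Try all eight rotations and return (rotation, bytes) for the one that
    looks most like text.  Data that is 'binary' as stored but readable under
    some other rotation was bit-shifted, not compiled."""
    best_n, best_score = 0, -1.0
    for n in range(8):
        score = printable_ratio(rotate_bits(data, n))
        if score > best_score:
            best_n, best_score = n, score
    return best_n, rotate_bits(data, best_n)


# Constructed sample text
SAMPLE = b"The invoice copies are in the second drawer."

if __name__ == "__main__":
    hidden = rotate_bits(SAMPLE, 3)
    print("as stored :", hidden.hex(), f"printable={printable_ratio(hidden):.2f}")
    n, text = recover_shifted(hidden)
    print(f"rotate left by {n}:", text)
```

The printable-ratio score is a heuristic: it works for text and text-like data, and a high score under exactly one rotation is the signal; bit-shifted binary content would need a different test, such as trying the header-signature table against each rotation.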
Using Steganography
• From the Greek for “hidden writing”
• Suspect can hide information in image or text document files
• Very hard to spot without prior knowledge
• Tools
– S-Tools
– DPEnvelope
– jpgx
– tte
Examining Encrypted Files
• Prevent unauthorized access
– Password or passphrase
• Recovering data is difficult without password
– Key escrow
– Cracking password
• Expert and powerful computers
– Persuade suspect to reveal password
Recovering Passwords
• Dictionary attack
• Brute-force attack
• Password guessing based on suspect’s profile
• Tools
– PRTK
– Advanced Password Recovery Software Toolkit
– @stake’s LC5 (L0phtCrack)
Summary
• Scope creep
• Determine where the digital evidence is most likely
stored
• DriveSpy.ini comprises four sections
• DriveSpy scripting capability
• PDBlock and PDWipe tools
Summary (continued)
• Forensics Toolkit (FTK)
• Prepare your target disk
– Wipe it at least three to seven times
– Check for viruses
• UNIX and Linux are used on Web servers
• Data hiding conceals digital evidence
• Steganography as a way to hide information