Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Forensics Toolbox

advertisement 
Forensics Toolbox
Paul A. Henry
MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE
Florida PI License C2800597
Forensics & Recovery LLC
Florida PI Agency License A2900048
Latest Additions To My Tool Kit
•
•
•
•
•
•
•
•
Cellebrite UFED
SafeBlockXP
SAFE Boot CD
VOOM III
F-Response
Tableau TD1
HBGary RAM FastDump
FTK 2.x
Cellebrite UFED
• Cell phones were becoming a part of
larger forensic jobs
– Recognized that I am not going to make a
living imaging cell phones but had lost a
couple of larger jobs because I could not
include the cell phones along with the
laptops and PCs
• Tried several software solutions
–
–
–
–
Limited to small range of phones
Driver support is really really bad
No write block protection
I do not like the idea of jail-breaking
Cellebrite UFED
• Supports CDMA, GSM, IDEN and TDMA
• Covers 1700+ phones / PDA’s
• What does it capture?
–
–
–
–
–
–
Phonebook
Pictures
Videos
Text Messages
Call Logs
ESN and IMEI information
• Complete MD5 verified evidence reports
• Writes NOTHING to the phone
Cellebrite UFED
• Interfaces
–
–
–
–
–
–
–
–
–
USB
Serial
Bluetooth
Infrared
RJ45
SIM / USIM Reader
SD Card Reader
Ethernet
Mini DIN to PC Com Port
Cellebrite UFED
• Yes it supports 2G / 3G iPhones also
new Google G1
– Can unlock the iPhone using plist files
from host without jail-breaking
– Memory dump extracts 382 files including
180 property list files (Plist files)
• SQLite databases
• SMS
• Notes
• Call History
• Calendar
• Address Book
• Appstore program data
Cellebrite UFED
Cellebrite UFED
• New version of MobileSync Browser with
direct support for UFED Memory Dump
is coming from Vaughn Cordero
Cellebrite UFED
Cellebrite UFED
Cellebrite UFED
Cellebrite UFED
Cellebrite UFED
Cellebrite UFED
•
•
•
•
•
1700 + Phone and PDA support is huge
63 adapter cables included
Also available as a ruggedized kit
Integrated write block – no jail breaking
Great reporting with MD5 validation
SAFE Block XP
• Point & Click write blocking in Windows
• Simultaneously block multiple devices
• Nearly anything that plugs in to
Windows can be write blocked
• Application independent
• Transparent to your other applications
• FAST – no USB or FireWire bottleneck
• HPA and DCO support
• Remove, store replace
SAFE Block XP
• Using the 5 step “NIST like” methodology
outlined in the Helix documentation
validated that it did not alter the hard
drive under test
1. Prepare the media
a. Insert the drive into the removable
drive tray
b. Wipe drive and validate
c. Format the drive
d. Copy data to the drive
e. Delete a portion of the data on the
drive
SAFE Block XP
f. Since all of my drives are configured
to use write caching for
performance, I added the extra step of
flush the drive write cache using the
MS SysInternals “Sync” program
g. Image and MD5 Hash the drive to a
folder called “Step-1”
2. Test the media
a. Copy additional data to the drive
b. Delete a portion of the data that was
written to the drive
c. Flush the drive cache
SAFE Block XP
d. Image and MD5 Hash the drive to a
folder called “Step-2”
e. Compare the MD5 Hash for the drive
in folder “Step-1” with the MD5
Hash for the image in folder “Step 2”.
The media had in fact been changed
so the MD5 Hash values should be
different
3. Activate the write blocking device
a. Activate the software write block for
the drive under test
SAFE Block XP
4. Test the write blocking device
a. Attempt to copy data to the drive
b. Attempt to delete data from the drive
c. Attempt to format the drive
d. Flush the drive cache
e. Image and MD5 Hash the drive to a
folder called “Step-5”
5. Check for any changes in the media
a. Compare the MD5 Hash for the image
in folder Step-2 and the MD5 Hash
for the image contained in folder Step-5
SAFE Block XP
– If the write block is forensically
sound the MD5 Hashes will match
validating that the write block
prevented any changes to the drive
SAFE Block XP
SAFE Boot CD
•Windows based alternative to Linux
•Built on top of SAFE Block XP
•Compatible with numerous tools
•FTK Imager
•EnCase6
•X-Ways
•WinRAR
•Win Hex
•Irfanview image viewer
•VLC video viewer
•Open Office 1.5
SAFE Boot CD
•Includes utility to create bootable USB
•Includes utility to create tools media
SAFE Boot CD
•Built in file explorer
SAFE Boot CD
•Integrated search utility
SAFE Boot CD
•Command line
VOOM Hardcopy III
• Full test data available here:
–
http://www.forensicsandrecovery.com/Public/Blog/Entries/2009/4/29_Re
al_World_Testing_-_Voom_Hardcopy_III.html
• Claims 7.5 GB Min
– Maximum I found with off the shelf drives
was 5.6 GB Min
• Provides two SATA target ports
– Wipe two drives simultaneously
– Copy one source to two targets
– Image one source to two targets
• Current version only supports SHA1
• Provides CRC for file chunks
VOOM Hardcopy III
VOOM Hardcopy III
• Notable findings
– No performance degradation when SHA1
enabled
– No performance degradation when wiping
2 drives simultaneously
– No performance degradation when
copying one source to two targets
– No performance degradation when
imaging one source to two targets
F-Response
• Vendor agnostic solution for remote
forensics
– Provides read only access to the full
physical disk of any remote computer on
the wire
– Provides read only access to RAM in
Windows computers on the wire
• Except Vista x64
• Remote physical drive or RAM simply
look like a local resource to your forensic
tools
F-Response
• I have used it for remote access to image
Windows XP and Windows Vista as well
as a MacBook Pro and an iMac while
running my tools on a local Vista x64
machine with no issues
• Great alternative to digging out your
watch repair tools to take apart that
laptop ;-)
• Great way to handle a RAID array
• Small “defendable” footprint on the host
– USB insertion and USB app execution
F-Response
• I purchased the “Field Edition”
– Allows for one to one connection
• Also available as a “Consultant Edition”
– Allows for access to multiple source
machines using a single USB key
• Also available as a “Enterprise Edition”
– Distribute to many targets across the
entire enterprise with an unlimited license
• Indispensable tool – I don’t leave home
without it
Tableau TD1
• Fastest imager I have used to date
– When imaging 1 source to 1 target
• Claims 6.0 GB Min
– Maximum I saw was 5.9 GB Min
• When imaging a 500 GB source to a 1
TB target it completed 26 minutes faster
then its nearest competitor
• Features
– Multiple wipe modes
– SHA1 and MD5 Hashes
– Keyboard port available but no keyboard
required to enter data (keypad)
Tableau TD1
– Log data written to USB key or USB
printer
– Retains user data and configuration in
memory and allows 1 button imaging
– Integrated SATA and IDE source / target
ports
• No need for external IDE adapters
• Also includes laptop and ZIF connectors
Tableau TD1
Final Imager Considerations
• The Voom Hardcopy III and Tableau TD1
are both formidable imagers
• If you need to regularly image to two
targets or wipe two drive simultaneously
then the Voom Hardcopy III is a good
choice
• If you want the fastest imager, do not
need to image or wipe multiple drives but
need SHA and MD5 hashing or multiple
wipe modes then the TD1 is a good
choice
• Tough choice - I bought them both ;-)
HBGary RAM Capture
• Live forensics playing a much more
important role in forensics
– So much volatile info available in RAM
– Keys to the kingdom & smoking gun
– http://volatility.tumblr.com/
• I have tested many tools that claimed to
be able to capture a complete image of
RAM in a Vista environment
– Only 1 tool can handle capturing more
then 8Gb of RAM in Vista x64
– HBGary FastDump ROCKS
FTK 2.x
• I have done a lot of work with FTK 2.x
– I do not work for them but am a member
of the beta team
• In the simplest of terms FTK 2.x works
well but you need the horse power to
properly run it
• I moved to FTK years ago because I like
the automation they bring to the table –
not found in other products
• Not making excuses for them but the
move to Vista has been difficult for
EVERYONE
FTK 2.x
• What do I run FTK on?
FTK 2.x
• Intel Quad-core Q9450 over clocked to
3.2 Ghz
• FSB at 1600 – DDR2 1066 RAM (cooled)
• 8 SATA ports – using 5 slot removable
rack with hot swap SATA backplane
FTK 2.x
• Best investment for FTK 2.x
• I run mine with 8 – 300 GB 10k
velociraptors in RAID 0
FTK 2.x
• Performance
– Processing images < 1,000,000 objects
• Speeds of up to 70 objects per second
– Processing images > 1,500,000 objects
• Speeds of up to 50 objects per second
• I have a stand alone configuration
• So what does that mean?
– 500 GB HD with 1.8 million objects
– <10 hrs start to finish in RAID 0
• Carve everything
• Process PST’s
• Separate compound files / metadata
FTK 2.x
• I found best performance under Vista
x64
–
–
–
–
Kill ReadyBoost
Kill SuperFetch
Turn off visual enhancements
Disable UAC / AV / Update / backup
• 1 huge RAID 0 array – partitioned as
separate drives
– Let the adaptec buffer manager sort it out
– I store my images and back up everything
over a dedicated 1GB LAN to a RAID 5
NAS
Forensics
& Recovery LLC
Florida PI License A 29004
www.forensicsandrecovery.com
Paul A. Henry
MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE
Florida PI License C2800597
25 SE 69th Place Ocala, Fl 34480
Telephone (954) 854 9143
phenry@forensicsandrecovery.com
Related documents
101 - File Hash Identification
101 - File Hash Identification
Most popular questions
Most popular questions
PPT Presentation - Projects at Harvard
PPT Presentation - Projects at Harvard
acheck-week3
acheck-week3
NANC 468 - iconectiv11and119 - FRS
NANC 468 - iconectiv11and119 - FRS
Mash
Mash
Focus Systems signs exclusive authorized forensic training deal with
Focus Systems signs exclusive authorized forensic training deal with
Download
advertisement