CNS 320 Week1 Lecture

8/22/2019 CNS 320 Week1 Lecture
CNS 320: COMPUTER FORENSICS & INCIDENT RESPONSE

Week 1

Copyright 2013, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.


Your Fearless Leader

(I am Geek. See my alphabet soup!)

John McCash, CompTIA Sec+, GCIH, GAWN (expired), GCFA, GCFE, EnCE, GREM, SANS Lethal Forensicator

23 years in IT

Specialized in Security for the last 15 years, and Forensics & Incident Response for the last 4

Extensive experience in digital forensics, incident response, and security/system/network administration on diverse platforms in very heterogeneous environments

BS and MS in CS from Bradley University (1988)

Currently works for a major telecommunications equipment provider (Technical Lead of APT Response Team), and is a contributor to the SANS forensic blog.


Course Description

Introduction to the topics of Computer Forensics and Incident Response on Windows Systems

PREREQUISITES:

Familiarity with Windows and Linux computer usage

Familiarity with Windows and Linux Administration & Internals helpful


Content in Flux

Course originally developed with an eye toward process and legal issues (I've stripped out almost all of that old content, but a few elements remain)

Materials are still under revision

I'm trying to provide a significant amount of technical and practical content which you may be able to actually apply

I will work with you as a class to make this course as interesting as possible without (I hope) leaving many of you in the dust

Be aware that the most interesting & useful of the content will require its underpinnings to be force-fed at a rather rapid rate, which will increase the difficulty

Students at the SANS Institute refer to this process as "drinking from the fire hose"


Apologies in Advance

Course Design Challenges

Selecting digestible information subsets

Organizing the material

In many disciplines, specifics follow logically from generalities based on consistent rules

IMHO Forensics is much more empirical, more like an infinite progression of narrowly defined specialties, with lots of case-by-case variation

I've attempted to select material for the class which is both representative and useful


Why all the deep background?

(assuming you don't expect to be designing your own forensic tools)

Forensic tools frequently do squirrely things

You will need to recognize when this happens, and possibly figure out what the results should have been by hand

You will likely need to explain to a non-technical person (or a jury) exactly how/why a tool produced a given result

You will want to know that certain information is available (and where) even when a tool you've had to use did not provide it


Push-Button Forensic Tools

Good: In that they can free up time for a Forensic Analyst and enable him to spend that effort on more problematic areas

Bad: In that they can be error-prone, and a lazy or clueless analyst relying on their output can make improperly-based assertions which can be refuted, or at the least cast doubt on other findings

Always cross-check & verify results on which important assertions are based using different tools, and properly explain any significant anomalies

You should always know, at least in a general way, from what artifact a result was obtained, and be able, with reasonable effort, to backtrack & manually step through the methodology used to create it

Note that these statements represent my moderate viewpoint on a somewhat controversial topic


Syllabus

As you can see, we've got a lab as a classroom

We'll be making use of that each week

I hope to cover practical application of each element immediately after introducing it in lecture

30-50% of each class period will be devoted to lab


Syllabus

DIGITAL EVIDENCE DEFINITION & USAGE (Briefly)

Authentication and Chain of Custody

Courtroom Usage

FORENSIC PROCESSES

Collection

Examination

Analysis

Reporting


Syllabus

WINDOWS FORENSIC TOOLS & ARTIFACTS

Windows Disk Partitioning

NTFS

Registry Fundamentals

Malware Detection & Analysis in Memory

Link Files & Win7 Jumplists

Application Metadata

Log Analysis

Timelines

Incident Response Lifecycle

Preparation

Identification

Containment

Eradication

Recovery

Follow-Up & Lessons Learned


    Syllabus

Additional material, if there's time

    Browser & Web Forensics

    Internet Explorer

    Firefox

    Google Chrome


CNS-320 Week-By-Week

Week 1: Lab: Physical & Logical Imaging

Week 2: Lab: NTFS Examination & Analysis

Week 3: Lab: Registry Examination & Analysis

Week 4: Quiz over week 1-3 content

Week 6: Labs

Week 7: Quiz #2

Week 9: Labs

Week 10: Quiz #3, Review


D2L

We will be using D2L, one of CDM's Course Management Systems. The system can be found at https://d2l.depaul.edu.

Lectures (PowerPoint)

Assignments

Grades

Documents

Syllabus

Etc.


Class Participation

Please feel free to interrupt. There are no stupid questions, only stupid instructors.

Be a loudmouth! You'll get more out of the class that way. So will everyone else.

The only reason you have an instructor instead of just reading out of a book and taking tests is so you can ask about things that aren't in the materials.

The more questions you ask, the more you'll learn, as will the rest of the class.

If I say something that makes no sense, for god's sake stop me! I probably just confused at least half of you!


Labs

Familiarize you with tools hands-on

Ensure everyone can perform demonstrated tasks

Let you ask questions when tools don't perform as expected

Despite not being graded, this is the most important portion of the class


Communications with Instructor

Email is preferred.

Please include "CNS 320" in the subject line of all email communications

You may request a scheduled telephone/web conference.

My email address: [email protected]

Cell phone: 847-660-3373 (Please call only between 5:00 PM and 9:00 PM)

Office hours: Thursdays, 9:00-10:30 pm


    Grading

    Three Quizzes (20% each)

    Final Exam (40%)


Final Exam

Final: 11/15/2012

Exam Format: Short Answer

Content will be drawn from lecture slides & notes


Primary Textbook

Windows Forensic Analysis Toolkit, 3rd Edition
By: Harlan Carvey
Publisher: Syngress
Pub. Date: January 15, 2012
Print ISBN-13: 978-1-59749-727-5
Web ISBN-13: 978-1-59749-728-2
Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy1.lib.depaul.edu/book/-/9781597497275


Optional Reference

File System Forensic Analysis
By: Brian Carrier
Publisher: Addison-Wesley Professional
Pub. Date: March 17, 2005
Print ISBN-10: 0-321-26817-2
Print ISBN-13: 978-0-321-26817-4
Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy2.lib.depaul.edu/book/networking/forensic-analysis/0321268172


Other Course Materials

Other course materials will be available on the web, including the DePaul University Libraries' website at http://www.lib.depaul.edu/

Lecture slides & reading assignments will be posted on D2L each week the night before class


Partial list of Forensic Blogs (for future reference or research)

Didier Stevens - http://blog.didierstevens.com/
ForensicIT.EU - http://forensicit.eu/
SANS Computer Forensics, Investigation, and Response - http://computer-forensics.sans.org/blog
Matthieu Suiche - http://www.msuiche.net/
Volatility - http://volatility.tumblr.com/
Computer Forensics/E-Discovery Tips/Tricks and Information (Mark McKinnon) - http://cfed-ttf.blogspot.com/
int for(ensic){blog;} (Andreas Schuster) - http://computer.forensikblog.de/en/
A Geek Raised by Wolves (Jesse Kornblum) - http://jessekornblum.livejournal.com/
Computer Forensics, Malware Analysis & Digital Investigations (Lance Mueller) - http://www.forensickb.com/
Windows Incident Response (Harlan Carvey) - http://windowsir.blogspot.com/
forensic . seccure . net (Mariusz Burdach) - http://seccure.blogspot.com/
Forensic Computing (Mike Murr) - http://www.forensicblog.org/
Forensic Focus Blog (Jaimie Morris) - http://forensicfocus.blogspot.com/
Forensic Incident Response (Hogfly) - http://forensicir.blogspot.com/
Hacking Exposed Computer Forensics Blog - http://hackingexposedcomputerforensicsblog.blogspot.com/
digfor (Andre Ross) - http://digfor.blogspot.com/
Computer Forensics and Incident Response - http://breach-inv.blogspot.com/
ForensicZone - http://forensiczone.blogspot.com/
The Digital Standard - http://thedigitalstandard.blogspot.com/


Computer Forensics Podcasts

Forensic 4cast - http://www.forensic4cast.com/

Cyberspeak - http://cyberspeak.libsyn.com/

Inside the Core (Mac) - http://insidethecore.com/


Academic Integrity

Student Resources at DePaul: http://academicintegrity.depaul.edu/Resources/Students/index.html

Plagiarism is a major form of academic dishonesty involving the presentation of the work of another as one's own. Plagiarism includes but is not limited to the following: The direct copying of any source, such as written and verbal material, computer files, audio disks, video programs or musical scores, whether published or unpublished, in whole or part, without proper acknowledgement that it is someone else's. Copying of any source in whole or part with only minor changes in wording or syntax, even with acknowledgement. Submitting as one's own work a report, examination paper, computer file, lab report or other assignment that has been prepared by someone else. This includes research papers purchased from any other person or agency. The paraphrasing of another's work or ideas without proper acknowledgement.

    Definition of Plagiarism

    Plagiarism involves using the work ofanother person and presenting it as yourown.

    Outright copying of someone else's writing isthe most clear-cut form of plagiarism.

    But other forms exist.

    Mosaic

    Paraphrase

    Insufficient acknowledgement


Other plagiarism resources

North Carolina State University - http://www.lib.ncsu.edu/scc/tutorial/plagiarism/more.html

Georgetown University - http://www.georgetown.edu/honor/plagiarism.html

Stanford University - http://www.stanford.edu/dept/vpsa/judicialaffairs/students/plagiarism.htm

Northwestern University - http://www.northwestern.edu/uacc/plagiar.html

Terminology

Internet Security Glossary - RFC 4949 by R. W. Shirey - http://www.ietf.org/rfc/rfc4949.txt

Microsoft Solutions for Security Glossary - http://www.microsoft.com/security/glossary.mspx

SANS Glossary of Security Terms - http://www.sans.org/resources/glossary.php


Terminology

Legal Terms

Nolo's Legal Dictionary - http://www.nolo.com/lawcenter/dictionary/wordindex.cfm

Findlaw Legal Dictionary - http://dictionary.lp.findlaw.com/

Outline of Tonight's Material

    Digital Evidence & Forensic Processes

    Digital Evidence

    What is it?

    How do we find it?

    How do we preserve it?

    Lab: FTK Imager Usage

    Memory Imaging using FTK Imager

    Physical Disk Imaging

    Logical Disk Imaging


What/Where is Digital Evidence?

Everybody knows it's on computer hard disks

Where else can digital evidence be found?

Think outside the box for a minute. It's almost everywhere


What/Where is Digital Evidence?

Computer Hard Drives, Memory, BIOS Settings

Printers, Copiers/Multifunction Devices, and other computer peripherals may actually be complete embedded computer systems

Integrated components may also be embedded systems

Flash Drives with significant storage capacity are now very small, and can easily be hidden

Network Hardware: Switches, Routers, Firewalls, WAPs, Web Proxy Gateways

SIEMs & other log aggregation systems

Phones, other portable electronic devices, game consoles & peripherals, even some refrigerators

The Cloud


    Data is Easily Hidden


    Sometimes even a whole system


Example of Reliability & Completeness Issues

Casey Anthony acquitted in 2011

A discrepancy between the results of parsing a Firefox v2 history.dat file with NetAnalysis and with CacheBack was used to cast doubt on the forensic analysis

The Firefox v2 history.dat file was recovered from unallocated space

NetAnalysis reported 8878 records (there were actually 9075, a count apparently determined by hand) and one visit to chloroform.html

CacheBack 2.8 RC2 reported 8571 records and 84 visits (incorrect!) to chloroform.html

After a subsequent revision, CacheBack matched 9048 records in the file


Digital Forensic Artifacts

Any change made as a result of an event of interest

Locard's Exchange Principle

Our job is to sift Digital Evidence for Forensic Artifacts


Forensic Processes

Goals

Collect evidence, ensuring its integrity over the entire forensic lifecycle

Analyze & Report on Evidence

Present findings, deriving facts about the issue of concern from the evidence, and ensuring that all such derived facts are properly qualified


Formal Forensic Frameworks and Processes (NIST)

National Institute of Standards and Technology (NIST) Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response

http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf

Formal Forensic Frameworks and Processes (DFRWS)


Digital Forensics Specialties

Network Forensics

Log Analysis

OS Forensics
    Windows
    UNIX
        MacOS-X
        Linux
        Solaris, HPUX, IRIX
    Other

Embedded Systems Forensics

Mobile Device Forensics
    Apple iOS
    Android
    Other

Malware Forensics

Application Forensics
    Databases
    Web Apps


Evidence Preservation

Physical evidence items protected using chain of custody process

Documents every individual with access to item at any time from collection forward

Minimizing number of entries is key

Digital items protected using redundant copies and cryptographic hashes


Chain of Custody

Chain of custody establishes Authenticity (legal term)

Goal: To ensure no alteration of the original evidence during collection, storage or analysis

Requires documenting procedures used in the collection, storage and analysis of evidence


Chain of Custody

A piece of paper or electronically stored information, without any indication of its creator, source, or custodian, may not be authenticated under Federal Rule of Evidence 901.


Real-World Chain of Custody and Evidence Handling Procedures

(One stringent example. Not the only way.)

Physical Elements

Prenumbered evidence tags & tamper evident bags w/labels for collector, date/time, location, signature.

Specific number ranges provided to designated evidence collectors to provide redundant collector identification

Paper log forms (may be a single form, but if two, no overlap other than reference number)

Inventory collection

Chain of custody transfer information

Evidence lockup database


Physical Evidence Collection

Evidence items tagged, bagged, labeled by collector

Bag & tag numbers and in-situ collection information for each item documented on paper inventory collection forms

Collection process may be recorded using timestamped photos or audio/video recordings. These recordings may themselves be treated as evidence items, requiring tamper-evident handling.

Evidence tag # is permanently assigned to evidence item

Evidence bag # & label info provide chain of custody assurance from collection to log-in


On-Site Electronic Evidence Collection

Reasons

Triage (to determine whether an evidence item is to be physically collected or not, or to identify subsets of existing evidence, such as a very large RAID array, that must be collected)

Volatile data which may otherwise not survive transport to evidence lockup (we'll discuss this in more detail next week)


On-Site Electronic Evidence Collection

Digital evidence collected onto pre-wiped virgin media, then tagged, bagged, time/date/location noted, & signed for, just like physical evidence

Documentation

Written account of actions

Potentially tool log files, which could be written to the same media as the collected evidence

Collection process may be recorded using timestamped photos or audio/video recordings. These recordings may themselves be treated as evidence items, requiring tamper-evident handling.


Evidence Log-In

Performed back at evidence lock-up

Data from paper inventory collection forms is transcribed into evidence lockup database

Data from tamper evident evidence bags is also transcribed into database

If no collector noted on forms, this is inferred from numbers, and that fact noted

Copies of collection recordings may be attached

Chain of custody form initially filled out & entered by receiving lockup representative, including lockup receipt date/time

Items scheduled for examination


Initial Evidence Examination

1. Chain of custody form updated by technician

2. Bag opened by evidence technician and evidence physically examined for descriptive info omitted at time of original collection

3. Additional data documented by technician & recorded into database with notation as to source. Electronic info may also be added.

4. All technician activities documented and possibly audio/video recorded

5. Forensic imaging of original evidence may also be done at this point

6. Original evidence then returned to lockup


Subsequently

Chain of custody form joins evidence item permanently

Each time evidence is returned to lockup, chain of custody data is updated in database

Multiple copies of all forensic data may be made for subsequent direct examination, but chain of custody on these need not be tracked


Chain of Custody at this Point

1. Collector

2. Evidence lockup

3. 1st Examining Evidence Technician

4. Evidence lockup

Minimizing the number of entries is key to good chain of custody procedure


Chain of Custody Paper Form Elements

Evidence tag number

Original collection bag number

Collector name

Date & time collected

Data for each custodian (multiple blanks for subsequent entries):

Name & Organization

Date & time received

Signature

Notes (to identify bag opening & any irregularities)


Inventory Paper Form Elements

Evidence number of item

Evidence collection bag number

Evidence # of collection recording

Collector name

Collection date/time

Collection location (address, room, etc.)

Unique evidence description (could include explicit fields for color, model, serial#, and possibly a space for attached photo)


Imaging

An image is a bit-for-bit copy of a piece of digital evidence (disk, flash, RAM, DVD etc.)

Forensic images can be stored and accessed in a variety of standard formats such as Raw, E01, or AFF

Images are typically validated as unchanged by use of one or more of a number of cryptographic hash algorithms (MD5, SHA-1, SHA-256). The hash is computed as the image is acquired, recorded in the acquisition notes, and recomputed over the stored image whenever it must be shown to be unaltered

On dead systems, disk imaging should be performed via a hardware write-blocker to ensure that the original evidence is unchanged

On live systems, it is almost certain that a hash of the source (a disk in use, or system memory) taken afterwards will not match the image hash, because the source keeps changing while and after it is read. The image hash still proves that the image has not changed since acquisition; it just cannot be re-verified against the original

Exact methodologies will vary from organization to organization


Physical vs. Logical Imaging

Physical Image: Full image of complete physical disk device content

Logical Image: Image of a logical volume mounted on a live system.

Portion of a physical device

RAID spread across several different physical devices

Mounted encrypted volume

Mounted network volume


Hashing

Cryptographic hashes are algorithms that can be applied to arbitrarily long sequences of data bytes with the aim of producing a much shorter, fixed-length result which is, for all practical purposes, unique to that input

Computationally infeasible to reverse (to recover the input from the hash, or to find a second input with the same hash)

For some such algorithms (MD5 in particular), there are known collisions & mechanisms for producing them. This matters when an adversary could have prepared colliding files in advance; it does not affect the hash's ability to detect accidental corruption

If this is a risk, the simplest method to avoid it is to use two different hashes (MD5 & SHA-1, for example): no practical method is known for producing a pair of inputs that collide under both

Most commonly used: MD5, SHA-1, SHA-256


Cryptographic Hash Algorithms

MD5: 128-bit digest, 32 hex character output

6830723bbaade6e72dbbfb5c91466c9e

SHA-1: 160-bit digest, 40 hex character output

7d6ae63b1201e68e5e686c10eabbd7eef76cf19e

SHA-256: 256-bit digest, 64 hex character output

b21f00291949d848e4fe0f94ac76dcc40d68c6ffad873f515a7304f54566ce6e
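The imaging and hashing slides above describe one procedure: read every byte of the source exactly once, hash as you go, record the digests, and later recompute them over the stored image. The Python below is an added example written for these notes, not code from the lecture or from FTK Imager. It streams a constructed in-memory "device" into an image while computing MD5, SHA-1 and SHA-256 together (the two-hash mitigation from the Hashing slide), re-verifies the image, and shows that a single changed byte in the source fails verification. The `acquire`, `hash_stream`, `hash_bytes` and `verify` names and the sample data are this example's own.

```python
"""Acquire an image while hashing in one pass, then verify it independently.

Illustrative example (standard library only). On a real case the source would
be the raw device opened read-only behind a hardware write-blocker, e.g.
open('/dev/sdb', 'rb') on Linux or open(r'\\.\PhysicalDrive1', 'rb') on
Windows, and the sink a file on pre-wiped media. The logic is the same."""
import hashlib
import io

# Several algorithms at once: a collision crafted against MD5 alone does not
# survive the SHA-256 check, which is the "use two different hashes" mitigation.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on multi-TB devices


def acquire(source, sink, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE):
    """Copy every byte of `source` to `sink`, hashing while copying.

    Returns (bytes_copied, {algorithm: hexdigest}); the digests are the
    acquisition hashes that go into the notes for this evidence item."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    copied = 0
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        sink.write(chunk)
        copied += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return copied, {name: h.hexdigest() for name, h in hashers.items()}


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE):
    """Re-hash an existing image (or the original device) in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data (known-answer checks, small files)."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify(stream, expected):
    """Return {algorithm: True/False} comparing the stream against recorded digests."""
    actual = hash_stream(stream, algorithms=tuple(expected))
    return {name: actual[name] == digest.lower() for name, digest in expected.items()}


def demo():
    """Acquire a constructed 1 MiB 'device', verify the image, then show that a
    one-byte change in the source (a live disk, or tampering) fails verification."""
    device_bytes = bytes(range(256)) * 4096          # constructed sample data
    image = io.BytesIO()
    size, digests = acquire(io.BytesIO(device_bytes), image)

    image.seek(0)
    image_ok = verify(image, digests)                # second pass over stored image

    tampered = bytearray(device_bytes)
    tampered[12345] ^= 0x01                          # flip one bit in the source
    tampered_ok = verify(io.BytesIO(bytes(tampered)), digests)
    return size, digests, image_ok, tampered_ok


if __name__ == "__main__":
    size, digests, image_ok, tampered_ok = demo()
    print(f"acquired {size} bytes")
    for name, digest in digests.items():
        print(f"  {name:7s} {digest}  ({len(digest)} hex chars)")
    print("stored image verifies:   ", image_ok)
    print("changed source verifies: ", tampered_ok)
```

The 32/40/64 hex-character digest lengths the demo prints are the output sizes listed on the slide. Note that `verify` reports per algorithm rather than as a single boolean: if one algorithm matches and another does not, that is itself an anomaly worth recording and explaining, not something to average away.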


More Hashing Algorithms

Algorithm | Output size (bits) | Internal state size | Block size | Length size | Word size | Rounds | Collision | Second preimage | Preimage
GOST | 256 | 256 | 256 | 256 | 32 | 256 | Yes (2^105) | Yes (2^192) | Yes (2^192)
HAVAL | 256/224/192/160/128 | 256 | 1,024 | 64 | 32 | 160/128/96 | Yes | No | No
MD2 | 128 | 384 | 128 | - | 32 | 864 | Yes (2^63.3) | No | Yes (2^73)
MD4 | 128 | 128 | 512 | 64 | 32 | 48 | Yes (3) | Yes (2^64) | Yes (2^78.4)
MD5 | 128 | 128 | 512 | 64 | 32 | 64 | Yes (2^20.96) | No | Yes (2^123.4)
PANAMA | 256 | 8,736 | 256 | - | 32 | - | Yes | No | No
RadioGatún | Up to 608/1,216 (19 words) | 58 words | 3 words | - | 1-64 | - | With flaws (2^352 or 2^704) | No | No
RIPEMD | 128 | 128 | 512 | 64 | 32 | 48 | Yes (2^18) | No | No
RIPEMD-128/256 | 128/256 | 128/256 | 512 | 64 | 32 | 64 | No | No | No
RIPEMD-160 | 160 | 160 | 512 | 64 | 32 | 80 | Yes (2^51:48) | No | No
RIPEMD-320 | 320 | 320 | 512 | 64 | 32 | 80 | No | No | No
SHA-0 | 160 | 160 | 512 | 64 | 32 | 80 | Yes (2^33.6) | No | No
SHA-1 | 160 | 160 | 512 | 64 | 32 | 80 | Yes (2^51) | No | No
SHA-256/224 | 256/224 | 256 | 512 | 64 | 32 | 64 | Yes (2^28.5:24) | No | Yes (2^248.4:42)
SHA-512/384 | 512/384 | 512 | 1,024 | 128 | 64 | 80 | Yes (2^32.5:24) | No | Yes (2^494.6:42)
Tiger(2)-192/160/128 | 192/160/128 | 192 | 512 | 64 | 64 | 24 | Yes (2^62:19) | No | Yes (2^184.3)

Sizes other than output size are in bits unless marked "words". The last three columns give the best known attacks as complexity, with the number of rounds attacked after the colon where the attack covers only a reduced-round version. These figures are as of when the slides were prepared; several (notably SHA-1 collisions) have since been improved on.


Fuzzy Hashing

Method of measuring similarity between different files (a conventional hash changes completely when a single byte changes; a fuzzy hash changes only in the part that corresponds to the edited region)

ssdeep is the most commonly used fuzzy hashing utility

Most effective on files containing large amounts of text, less so with purely binary data, but YMMV

Fuzzy hashing is also referred to as context triggered piecewise hashing (CTPH)

A complete explanation of CTPH can be found at http://dfrws.org/2006/proceedings/12-Kornblum.pdf
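To make the CTPH mechanism concrete, here is a deliberately minimal fuzzy hash in Python, added for these notes and not taken from ssdeep or from the Kornblum paper. It keeps the core idea (a 7-byte rolling hash decides where pieces end, each piece is hashed down to one base64 character, and signatures are compared as strings) but it is not ssdeep-compatible: ssdeep picks the block size adaptively, emits two signatures at two block sizes, and scores matches with a weighted edit distance, all of which are simplified away here. The sample texts, the fixed block size of 16, and the `ctph`, `similarity` and `compare_samples` names are this example's own.

```python
"""Minimal context-triggered piecewise hash (CTPH) for illustration only.
Not ssdeep-compatible; see the lead-in for what is simplified."""
import difflib

WINDOW = 7                    # bytes of context covered by the rolling hash
FNV_PRIME = 0x01000193        # 32-bit FNV-1 multiplier
FNV_BASIS = 0x28021967        # initial value for each piece hash
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def rolling_hash_values(data, window=WINDOW):
    """Yield a context hash at every byte position that depends only on the
    last `window` bytes. Because it forgets everything older than the window,
    piece boundaries re-synchronise a few bytes after any local edit."""
    h1 = h2 = h3 = 0
    buf = bytearray(window)
    for i, b in enumerate(data):
        old = buf[i % window]
        h2 -= h1                    # h2: position-weighted sum of the window
        h2 += window * b
        h1 += b - old               # h1: plain sum of the window bytes
        h3 = ((h3 << 5) & 0xFFFFFFFF) ^ b   # h3: mixes bytes in arrival order
        buf[i % window] = b
        yield (h1 + h2 + h3) & 0xFFFFFFFF


def ctph(data, block_size=16):
    """Return 'block_size:signature', one base64 character per piece. A piece
    ends whenever the rolling hash hits the trigger value for this block size,
    so boundaries are chosen by content, not by fixed offsets."""
    chars = []
    piece = FNV_BASIS
    for b, roll in zip(data, rolling_hash_values(data)):
        piece = ((piece * FNV_PRIME) & 0xFFFFFFFF) ^ b    # FNV-1 over the piece
        if roll % block_size == block_size - 1:          # boundary trigger
            chars.append(B64[piece & 0x3F])
            piece = FNV_BASIS
    if piece != FNV_BASIS:                               # unfinished final piece
        chars.append(B64[piece & 0x3F])
    return f"{block_size}:{''.join(chars)}"


def similarity(sig_a, sig_b):
    """0..100 score from string similarity of the signature bodies (a
    simplification of ssdeep's edit-distance scoring). Signatures produced
    with different block sizes are not comparable and score 0."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    return int(round(100 * difflib.SequenceMatcher(None, body_a, body_b).ratio()))


# Constructed sample "files": an original, a copy with one clause inserted in
# the middle, and an unrelated document of similar size.
_SENTENCES = [
    b"Evidence was collected from the workstation at 09:14 local time. ",
    b"The examiner photographed the desk before touching any hardware. ",
    b"Each drive was tagged, bagged and logged on the inventory form. ",
    b"Memory was captured first because it would not survive transport. ",
    b"Imaging used a hardware write blocker on the suspect disk. ",
    b"All hashes were recorded in the acquisition notes and signed. ",
]
ORIGINAL = b"".join(_SENTENCES * 3)
MODIFIED = ORIGINAL[:500] + b"(one clause added here) " + ORIGINAL[500:]
UNRELATED = b"".join([
    b"Quarterly revenue rose on stronger demand for network gear. ",
    b"The board approved a dividend and a modest share buyback. ",
    b"Guidance for the next fiscal year was left unchanged. ",
] * 6)


def compare_samples():
    """Scores of the original against itself, the edited copy and the unrelated text."""
    sig = ctph(ORIGINAL)
    return {
        "identical": similarity(sig, ctph(ORIGINAL)),
        "edited": similarity(sig, ctph(MODIFIED)),
        "unrelated": similarity(sig, ctph(UNRELATED)),
    }


if __name__ == "__main__":
    print("original :", ctph(ORIGINAL))
    print("modified :", ctph(MODIFIED))
    print("unrelated:", ctph(UNRELATED))
    print(compare_samples())
```

Running it shows why the technique finds modified copies that a conventional hash cannot: the inserted clause changes only the signature characters for the pieces around the edit, so the edited copy still scores far above the unrelated document, while the identical copy scores 100. As the slide says, this works best on text-like data where edits stay local; compressed or encrypted content changes everywhere after a single-byte edit and fuzzy hashing gains nothing there.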


Free Imaging & Analysis Tools

Helix3 (not Helix3 Pro or Helix3 Enterprise) - https://www.e-fense.com/store/index.php?_a=viewProd&productId=11&ccUser=f6e155820240b27967246d7ec8f9fa2d

AccessData FTK Imager - http://accessdata.com/support/adownloads#FTKImager, as well as part of Helix3

SANS SIFT Kit - http://computer-forensics.sans.org/community/downloads


    Commonly Used General Purpose Forensic Tool Suites

    EnCase (Guidance Software)

    FTK Forensic Toolkit (AccessData)

    SANS Linux SIFT Kit (Free)

    Helix (Free, but discontinued)


    SIFT Kit Contents

    The Sleuth Kit (File System Analysis Tools)

    log2timeline (Timeline Generation Tool)

    ssdeep & md5deep (Hashing Tools)

    Foremost/Scalpel (File Carving)

    Wireshark (Network Forensics)

    Vinetto (thumbs.db examination)

    Pasco (IE Web History examination)

    Rifiuti (Recycle Bin examination)

    Volatility Framework (Memory Analysis)

    DFLabs PTK (GUI Front-End for Sleuthkit)

    Autopsy (GUI Front-End for Sleuthkit)

    PyFLAG (GUI Log/Disk Examination)

    RegRipper (Registry Analysis)

    100s more tools -> See Detailed Tool Listing


    Reading for Next Week

    1. MFT Section in Chapter 4 of Windows Forensic Analysis Toolkit, 3rd Edition
       By: Harlan Carvey
       Publisher: Syngress
       Pub. Date: January 15, 2012
       Print ISBN-13: 978-1-59749-727-5
       Web ISBN-13: 978-1-59749-728-2
       Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy1.lib.depaul.edu/book/-/9781597497275

    2. Digital Forensics: Detecting time stamp manipulation - http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation/

    3. NTFS $I30 Attributes: Evidence of Deleted and Overwritten Files - http://forensicmethods.com/ntfs-index-attribute

    4. Skim Chapters 5 (PC-based Partitions), 8 (File System Analysis), 11 (NTFS Concepts), 12 (NTFS Analysis), and 13 (NTFS Data Structures) of File System Forensic Analysis. Try to actually read through the section on Index Attributes and Data Structures. I know it's a little opaque, but it's a really good reference, and I don't know of a more readable summary that goes into any significant detail.
       By: Brian Carrier
       Publisher: Addison-Wesley Professional
       Pub. Date: March 17, 2005
       Print ISBN-10: 0-321-26817-2
       Print ISBN-13: 978-0-321-26817-4
       Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy2.lib.depaul.edu/book/networking/forensic-analysis/0321268172


    Questions?