COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start...

Posted 21-Dec-2015, category: Documents

Page 1: COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413

Day 16

Page 2:

Agenda

• Lab 7 Corrected – 2 A’s, 1 B and 2 F’s

– Some of you need to start putting more effort into these labs

– I also expect equal participation in the lab exercises.

• Lab 8 write-up Due

• Capstone Proposals Overdue

– See guidelines in WebCT

– 8 require some modifications (emails sent)

– Next Progress report Due on November 4

– Timing of proposal and progress reports is 10% of Grade

– In other words, if you don’t do this part the best score you can get is a B

• Capstone progress report 2 due

• Today we will be discussing Computer Forensic Analysis

– Chap 10 in both texts with differences (using FTK)

Page 3:

Using Access Data’s Forensic Toolkit

Forensic Toolkit (FTK) – A GUI software tool used for forensic examinations.

Page 4:

Using Access Data’s Forensic Toolkit

FTK can examine the following file systems:

- Microsoft FAT12, FAT16, and FAT32

- Microsoft NTFS

- Linux Ext2fs and Ext3fs

Page 5:

Using Access Data’s Forensic Toolkit

FTK can analyze the following image file types:

- EnCase image files

- Linux or UNIX dd image files

- New Technologies, Inc. SafeBack image files

- FTK Explorer dd image files

- DriveSpy’s SaveSect output files

Page 6:

Using Access Data’s Forensic Toolkit

Known File Filter (KFF) – A hash database, updated periodically by AccessData, that holds the hash values of known files: standard operating-system and application files (the slide’s example is MSWORD.exe) that can be ignored, and known illicit items circulating on the web that should be flagged. Any file whose hash matches neither list is “unknown” and has to be examined by hand.

Page 7:

Using Access Data’s Forensic Toolkit

Use FTK > Tools > Export Word List to write every word FTK has indexed on the evidence to a text file. That file makes a custom dictionary for password-recovery tools: suspects often pick passwords from names, places and dates that appear elsewhere on their own drive.

Page 8: [slide contains no transcribed text]

Page 9:

Perform a Computer Forensic Analysis

1. Use only recently wiped media for the investigation.

– Otherwise “old data” from an earlier case peeks through and contaminates the findings.

2. Inventory the hardware on the suspect’s computer and note the condition of the computer when seized.

3. Remove the original disk drive, and then check the date, time, and CMOS settings.

4. Record how you acquired data from the disk.

5. When examining the forensic bit-stream image copy of the disk, process the data methodically and logically.

6. List all directories and files copied from the image.

Page 10:

Perform a Computer Forensic Analysis

7. Examine the contents of the data files in all directories, starting at the root directory.

8. Make your best effort to recover encrypted files. Use password recovery tools if necessary.

9. Create a file that lists all of the directories and files on the evidence drive.

10. Identify the function of every executable file that does not match known hash values (that is, every executable the Known File Filter cannot account for).

11. Always maintain control of all evidence findings.
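Steps 6, 9 and 10 here, together with the Known File Filter slide above, are one workflow: hash every file on the image, discard what matches the known-good list, alert on what matches the known-bad list, and hand the remainder (executables first) to the examiner. The script below is an added example and is not the course’s or AccessData’s code: the evidence tree and both hash sets are constructed inline as stand-ins for a read-only mounted image and for the KFF database, and an executable is recognised by its “MZ” magic bytes rather than its extension, so a renamed binary is not missed.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

CHUNK = 1 << 20
MANIFEST_FIELDS = ["path", "size", "md5", "sha1", "pe", "kff"]


def file_hashes(path):
    """MD5 and SHA-1 of one file, streamed so large evidence files need not fit in RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def is_pe(path):
    """Executable test by magic bytes, not extension: a renamed .exe still starts with 'MZ'."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def inventory(root):
    """Steps 6 and 9: one record per file under the (read-only mounted) image."""
    root = Path(root)
    records = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            md5, sha1 = file_hashes(p)
            records.append({"path": p.relative_to(root).as_posix(), "size": p.stat().st_size,
                            "md5": md5, "sha1": sha1, "pe": is_pe(p)})
    return records


def classify(records, known_good, known_bad):
    """KFF logic: known-bad wins over known-good; everything else is 'unknown' and needs a look."""
    for r in records:
        if r["md5"] in known_bad:
            r["kff"] = "alert"
        elif r["md5"] in known_good:
            r["kff"] = "ignore"
        else:
            r["kff"] = "unknown"
    return records


def unknown_executables(records):
    """Step 10: executables the filter could not account for."""
    return [r for r in records if r["kff"] == "unknown" and r["pe"]]


def write_manifest(records, fp):
    w = csv.DictWriter(fp, fieldnames=MANIFEST_FIELDS)
    w.writeheader()
    w.writerows(records)


def build_sample_evidence(dest):
    """Constructed evidence tree standing in for a mounted image, plus constructed
    'known good' and 'known bad' MD5 sets standing in for the KFF database."""
    files = {
        "WINDOWS/notepad.exe": b"MZ" + b"\x90" * 64 + b"stand-in for a stock Windows binary",
        "Docs/report.txt": b"Quarterly figures, nothing unusual.\n",
        "Temp/cache.dat": b"MZ" + b"\x00" * 32 + b"unknown executable hiding behind a .dat name",
        "Downloads/image.jpg": b"\xff\xd8stand-in for a file on the alert list",
    }
    for rel, content in files.items():
        p = Path(dest) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    known_good = {hashlib.md5(files["WINDOWS/notepad.exe"]).hexdigest()}
    known_bad = {hashlib.md5(files["Downloads/image.jpg"]).hexdigest()}
    return known_good, known_bad


def run_demo():
    """Build the sample tree in a temp dir, inventory and classify it,
    and return the records plus the CSV manifest text."""
    tmp = tempfile.mkdtemp(prefix="evidence-")
    known_good, known_bad = build_sample_evidence(tmp)
    records = classify(inventory(tmp), known_good, known_bad)
    buf = io.StringIO()
    write_manifest(records, buf)
    return records, buf.getvalue()


if __name__ == "__main__":
    records, manifest = run_demo()
    print(manifest)
    for r in unknown_executables(records):
        print("examine:", r["path"], r["md5"])
```

Point `inventory()` at a mount point instead of the temp directory to process a real image, and keep the manifest with the case notes: it is the file list that step 9 asks for, and the “unknown” executables it leaves over are the ones step 10 requires you to identify.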

Page 11:

Perform a Computer Forensic Analysis

You need the following computer hardware for your computer-forensics workstation:

- PC with color monitor, keyboard, mouse and CD-RW.

- Cables and tools including ribbon cables, power cords, power extenders, and splitters.

- One or more spare target drives to analyze evidence.

- Anti-static wrist strap and pad.

Page 12:

Perform a Computer Forensic Analysis

You need the following computer software and media for your computer-forensics workstation:

- Windows 9x or more recent installed on the C: drive and a forensic boot floppy disk.

- Bit-stream acquisition tool.

- Computer forensic analysis tool.

- CD-Rs.

- Floppy disks.

- Evidence forms and labels.

Page 13:

Perform a Computer Forensic Analysis

Performing Forensic Analysis on Microsoft File Systems

1. Run antivirus on all forensic workstations and disks.

2. Run antivirus on all files after the bit-stream image has been created.

3. Examine all boot files located in the root directory.

4. Recover all deleted files and save them to a specified location.

5. Recover all file slack and unallocated space to a directory.

Page 14:

Perform a Computer Forensic Analysis

Guidelines for Examining Evidence

- Create separate folders to store evidence.

- Maintain a log to collect relevant information and notes from your observations.

- Periodically review the data collected from the investigation.

- Apply deductive reasoning to your findings to help build new leads.

- Research data that you are not familiar with.

Page 15:

Perform a Computer Forensic Analysis

Freeware Unix Tools

- Freeware UNIX and Linux data analysis tools (Purdue University)

- The Coroner’s Toolkit (TCT)

- TCTUTILs

- TASK (The @stake Sleuth Kit, since renamed The Sleuth Kit)

Page 16:

Addressing Data Hiding Techniques

Hiding Partitions – A process where a user creates a partition, stores files in it, and then uses a disk editor to remove the partition’s entry from the partition table, so the operating system no longer shows it. The data is still on the disk; the examiner finds it by comparing what the partition table claims against the physical size of the drive and looking for unallocated gaps.
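Because the hidden partition’s sectors never left the disk, the check is to compare what the partition table claims against the size of the drive and then look at the first sector of each gap. The script below is an added example, not code from the course or from any tool it mentions: the MBR, the disk size and the NTFS-looking gap sector are constructed inline, only the four primary entries are parsed (extended partitions are not walked, an assumption that keeps the example short), and the 1 MiB alignment slack before the first partition is deliberately ignored.

```python
import struct

SECTOR_SIZE = 512  # assumed; most MBR-partitioned disks use 512-byte logical sectors


def parse_mbr(mbr: bytes):
    """Return the non-empty primary entries from a 512-byte MBR.

    Each entry is 16 bytes: status, CHS start (3), type, CHS end (3),
    LBA start (u32 LE), sector count (u32 LE). CHS fields are ignored."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({"slot": i, "status": status, "type": ptype,
                      "start": lba_start, "end": lba_start + count - 1})
    return parts


def find_unallocated(parts, total_sectors, min_gap=2048):
    """Sector ranges that no partition entry claims.

    Gaps shorter than min_gap (2048 sectors = 1 MiB at 512 bytes, the usual
    alignment slack before the first partition) are dropped so the report only
    lists ranges large enough to hold a deleted or hidden partition."""
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] - cursor >= min_gap:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if total_sectors - cursor >= min_gap:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def boot_sector_hints(sector: bytes):
    """Cheap signature checks to run on the first sector of each gap: a file-system
    boot sector left behind by a hidden partition still carries its OEM name,
    file-system label and boot signature."""
    hints = []
    if sector[510:512] == b"\x55\xaa":
        hints.append("boot signature")
    if sector[3:11] == b"NTFS    ":
        hints.append("NTFS")
    if sector[54:59] in (b"FAT12", b"FAT16"):
        hints.append(sector[54:59].decode())
    if sector[82:90] == b"FAT32   ":
        hints.append("FAT32")
    return hints


def build_sample_mbr():
    """Constructed MBR: a 200,000-sector disk with one NTFS (type 0x07) partition
    of 100,000 sectors starting at LBA 2048. The second half of the disk is
    claimed by no entry, which is exactly what a hidden partition looks like
    from the table alone."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 100_000)
    mbr = bytearray(SECTOR_SIZE)
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


SAMPLE_TOTAL_SECTORS = 200_000


def build_sample_gap_sector():
    """Constructed first sector of the hidden region: an NTFS boot sector."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = b"NTFS    "
    s[510:512] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"slot {p['slot']}: type 0x{p['type']:02x} sectors {p['start']}-{p['end']}")
    for start, end in find_unallocated(parts, SAMPLE_TOTAL_SECTORS):
        mib = (end - start + 1) * SECTOR_SIZE // 2**20
        print(f"unallocated: sectors {start}-{end} ({mib} MiB)")
    print("gap sector hints:", boot_sector_hints(build_sample_gap_sector()))
```

On a real image, feed `parse_mbr()` the first 512 bytes, take the total sector count from the image size, and run `boot_sector_hints()` on the first sector of every reported gap; a gap whose first sector carries a file-system signature is a partition that somebody removed from the table rather than simply unused space.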

Page 17:

Addressing Data Hiding Techniques

Marking Bad Clusters – A process where a user uses a disk editor to mark a cluster as BAD in the file allocation table and then stores data in that cluster. The file system never allocates, lists or overwrites a cluster marked bad, so the data sits there untouched; the examiner should dump every cluster marked bad and check whether it holds readable content.
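To check for this, walk the FAT, find every entry carrying the bad-cluster marker, and look at what those clusters actually contain. The script below is an added example, not course or vendor code: it handles FAT16 only (an assumption; FAT12 packs 12-bit entries and FAT32 uses 32-bit ones), and it builds a tiny 8 KiB image inline with cluster 5 marked bad and text planted in it.

```python
import struct

BAD16 = 0xFFF7  # FAT16 "bad cluster" marker; 0xFFF8-0xFFFF is end-of-chain


def fat16_layout(img: bytes):
    """Read the BPB fields from the boot sector that locate the FAT and the data region."""
    bps = struct.unpack_from("<H", img, 11)[0]        # bytes per sector
    spc = img[13]                                     # sectors per cluster
    reserved = struct.unpack_from("<H", img, 14)[0]   # sectors before FAT 1
    nfats = img[16]
    root_entries = struct.unpack_from("<H", img, 17)[0]
    total = struct.unpack_from("<H", img, 19)[0] or struct.unpack_from("<I", img, 32)[0]
    spf = struct.unpack_from("<H", img, 22)[0]        # sectors per FAT
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_start = (reserved + nfats * spf + root_sectors) * bps
    cluster_size = spc * bps
    n_clusters = (total * bps - data_start) // cluster_size
    return {"fat_off": reserved * bps, "fat_len": spf * bps,
            "data_start": data_start, "cluster_size": cluster_size,
            "n_clusters": n_clusters}


def bad_clusters(img: bytes):
    """Cluster numbers whose FAT entry is the bad-cluster marker."""
    lay = fat16_layout(img)
    fat = img[lay["fat_off"]: lay["fat_off"] + lay["fat_len"]]
    out = []
    for n in range(2, 2 + lay["n_clusters"]):     # data clusters are numbered from 2
        if struct.unpack_from("<H", fat, 2 * n)[0] == BAD16:
            out.append(n)
    return out


def cluster_bytes(img: bytes, n: int):
    lay = fat16_layout(img)
    off = lay["data_start"] + (n - 2) * lay["cluster_size"]
    return img[off: off + lay["cluster_size"]]


def printable_ratio(data: bytes):
    """Share of non-null bytes that are printable ASCII. A cluster marked bad by a
    real media error is usually zero-filled or noise; readable text in a 'bad'
    cluster is a strong hint it was marked by hand."""
    body = data.replace(b"\x00", b"")
    if not body:
        return 0.0
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(body)


def build_sample_image():
    """Constructed 16-sector FAT16 image (8 KiB): boot sector, one FAT, a
    one-sector root directory, then clusters 2..14. Cluster 5 is marked bad
    in the FAT and holds planted text."""
    img = bytearray(16 * 512)
    struct.pack_into("<H", img, 11, 512)     # bytes per sector
    img[13] = 1                              # sectors per cluster
    struct.pack_into("<H", img, 14, 1)       # reserved sectors
    img[16] = 1                              # one FAT copy
    struct.pack_into("<H", img, 17, 16)      # 16 root entries = 1 sector
    struct.pack_into("<H", img, 19, 16)      # total sectors
    img[21] = 0xF8                           # media descriptor
    struct.pack_into("<H", img, 22, 1)       # sectors per FAT
    img[54:62] = b"FAT16   "
    img[510:512] = b"\x55\xaa"
    fat = 512
    struct.pack_into("<HH", img, fat, 0xFFF8, 0xFFFF)   # entries 0 and 1
    struct.pack_into("<H", img, fat + 2 * 5, BAD16)     # cluster 5 -> "bad"
    hidden = b"ledger: 40,000 to account 7731 on the 14th\n"
    off = fat16_layout(bytes(img))["data_start"] + (5 - 2) * 512
    img[off: off + len(hidden)] = hidden
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for n in bad_clusters(img):
        data = cluster_bytes(img, n)
        print(f"cluster {n} marked bad, printable ratio {printable_ratio(data):.2f}")
        print(data.rstrip(b"\x00"))
```

To run it on a dd image of a FAT16 volume, read the file into `img`. A printable ratio near 1.0 in a cluster marked bad deserves a closer look; a cluster that really failed is usually zero-filled or random, and a second FAT copy that disagrees with the first about which clusters are bad is another sign of hand editing.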

Page 18:

Addressing Data Hiding Techniques

Bit Shifting – Also described as a transposition cipher. The bits of a file are shifted by a number of positions (fewer than 8) so the file no longer opens or reads correctly; shifting back by the same amount restores it.

Page 19:

Bit Shifting

Bit shifting a file changes its hash value, so a shifted copy of a known file no longer matches the Known File Filter and shows up as an unknown file. Shift it back by the same number of bits before hashing it again.
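The recovery check that follows from this: a file that fails the Known File Filter and looks like garbage may be a known file shifted by a few bits. The script below is an added example (not from the course or from any hex editor): it rotates the whole file as one bit string, which is exactly reversible, then tries every shift of 1 to 7 bits in both directions and reports the one whose hash lands back in the known set. The sample note and its hash are constructed; a real editor’s shift may instead work per byte, an assumption noted in the code.

```python
import hashlib


def rotate_bits(data: bytes, n: int, left: bool = True) -> bytes:
    """Rotate the whole file as one continuous bit string by n positions.

    Treating the file as a single big-endian integer means bits carried out of
    one byte land in the next and nothing falls off the end, so the operation
    is exactly reversible. (Assumption: a real hex editor's shift may work per
    byte or discard carried bits; if recovery fails, try that variant too.)"""
    if not data:
        return data
    width = 8 * len(data)
    n %= width
    x = int.from_bytes(data, "big")
    mask = (1 << width) - 1
    if left:
        y = ((x << n) | (x >> (width - n))) & mask
    else:
        y = ((x >> n) | (x << (width - n))) & mask
    return y.to_bytes(len(data), "big")


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def recover_shift(blob: bytes, known_hashes, max_bits: int = 7):
    """Undo every shift of 1..max_bits in both directions and report the first
    candidate whose hash is in the known-file set.
    Returns (bits, direction_originally_applied, recovered_bytes) or None."""
    for n in range(1, max_bits + 1):
        for applied in ("left", "right"):
            candidate = rotate_bits(blob, n, left=(applied == "right"))
            if md5hex(candidate) in known_hashes:
                return n, applied, candidate
    return None


# Constructed stand-ins: a "known" document and a KFF-style set holding its hash.
SAMPLE_PLAINTEXT = (b"CONFIDENTIAL\nWire 40,000 to account 7731 on the 14th.\n"
                    b"Do not keep a copy of this note.\n")
SAMPLE_KNOWN = {md5hex(SAMPLE_PLAINTEXT)}

if __name__ == "__main__":
    shifted = rotate_bits(SAMPLE_PLAINTEXT, 3)
    print("original md5:", md5hex(SAMPLE_PLAINTEXT))
    print("shifted  md5:", md5hex(shifted))
    print("shifted bytes:", shifted[:16])
    hit = recover_shift(shifted, SAMPLE_KNOWN)
    print("recovered:", hit and (hit[0], hit[1], hit[2][:12]))
```

Nothing about the shifted bytes reveals the shift amount, which is why the search simply tries all fourteen possibilities and lets the hash decide; for a file with no known hash, the same loop can be scored instead by how much printable text or a recognisable file header each candidate produces.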

Page 20:

Addressing Data Hiding Techniques

Steganography – A technique for embedding information inside an innocuous carrier (an image or audio file, for example) for the sole purpose of hiding the information’s existence from the casual observer. Unlike encryption, it does not necessarily scramble the data; it conceals where the data is, and the two are often combined.
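The simplest form, as an added example rather than anything from the course: least-significant-bit embedding in a raw 8-bit image. Every sample changes by at most one level, so the picture looks identical, but the file’s hash changes, which is why a stego copy of a known image fails the Known File Filter. The cover (a 64×64 gradient) and the payload are constructed inline.

```python
import hashlib


def _bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of each cover sample.
    A 4-byte big-endian length header tells the extractor where to stop."""
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(cover):
        raise ValueError("payload too large for cover")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(message)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    def read_bytes(count: int, start: int):
        value = 0
        for i in range(count * 8):
            value = (value << 1) | (stego[start + i] & 1)
        return value.to_bytes(count, "big"), start + count * 8

    header, pos = read_bytes(4, 0)
    length = int.from_bytes(header, "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header does not fit in cover: not an LSB message")
    payload, _ = read_bytes(length, pos)
    return payload


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding can never exceed 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def build_sample_cover() -> bytes:
    """Constructed 64x64 8-bit grayscale gradient standing in for a raw image."""
    return bytes((x * 7 + y * 3) % 256 for y in range(64) for x in range(64))


SAMPLE_PAYLOAD = b"meet at the cabin Saturday, bring the ledger"

if __name__ == "__main__":
    cover = build_sample_cover()
    stego = lsb_embed(cover, SAMPLE_PAYLOAD)
    print("cover md5:", hashlib.md5(cover).hexdigest())
    print("stego md5:", hashlib.md5(stego).hexdigest())
    print("largest change to any sample:", max_sample_change(cover, stego))
    print("extracted:", lsb_extract(stego))
```

Real images are wrapped in a container format (JPEG, PNG), and tools hide data in compressed coefficients or in metadata as well as in raw sample bits, so the extractor above only demonstrates the principle; what carries over to an examination is the hash mismatch against a known original and the fact that a carrier file slightly larger or subtly noisier than expected deserves a second look.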

Page 21:

Addressing Data Hiding Techniques

Key Escrow – A technology designed to recover encrypted data if users forget their passphrase or if the user key is corrupt due to a system failure.

Password Cracking – Use industry-standard password-recovery software to recover the password, seeded with words taken from the evidence itself wherever possible.
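Export Word List and password cracking go together: the suspect’s own files make the best dictionary. The script below is an added example, not FTK or PRTK code; it harvests words from a few constructed files, applies a handful of common mangling rules, and tries each candidate against a PBKDF2 verifier that stands in for an encrypted container’s key check (an assumption; the iteration count is kept low so the demo runs quickly).

```python
import hashlib
import re

WORD_RE = re.compile(rb"[A-Za-z0-9]{4,24}")

# Constructed stand-in for the files FTK would have indexed on the evidence.
SAMPLE_EVIDENCE = {
    "Documents/letter.txt": b"Dear Aunt May, Brutus the dog is doing fine. Call me at the cabin.\n",
    "Mail/inbox.mbox": b"Subject: weekend\nMeet at Pineridge lodge Saturday, bring the ledger.\n",
    "Temp/~WRL0001.tmp": b"\x00\x00Draft\x00 invoice 40217 for Pineridge Holdings\x00",
}


def harvest_words(blobs):
    """Every distinct token of 4-24 alphanumerics, in order of first appearance:
    the same idea as FTK > Tools > Export Word List, minus the full-text index."""
    seen = {}
    for blob in blobs:
        for m in WORD_RE.finditer(blob):
            seen.setdefault(m.group().decode("ascii"), None)
    return list(seen)


def mangle(word):
    """A few of the rules password tools apply to each dictionary entry."""
    forms = [word, word.lower(), word.upper(), word.capitalize()]
    for base in (word, word.lower()):
        for suffix in ("1", "!", "123", "2004"):
            forms.append(base + suffix)
    seen = set()
    for f in forms:
        if f not in seen:
            seen.add(f)
            yield f


def make_verifier(password: str, salt: bytes, iterations: int) -> bytes:
    """Stand-in for an encrypted container's key check (assumption: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def recover_password(verifier, salt, iterations, candidates):
    """Try each candidate in turn. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if make_verifier(cand, salt, iterations) == verifier:
            return cand, attempts
    return None, attempts


def run_demo():
    salt, iterations = b"constructed-salt", 1000        # low count to keep the demo quick
    verifier = make_verifier("brutus!", salt, iterations)  # the suspect's (constructed) password
    words = harvest_words(SAMPLE_EVIDENCE.values())
    candidates = (form for w in words for form in mangle(w))
    return recover_password(verifier, salt, iterations, candidates)


if __name__ == "__main__":
    password, attempts = run_demo()
    print(f"recovered {password!r} after {attempts} attempts")
```

The dog’s name is in no general-purpose wordlist, so a stock dictionary attack would miss it while the evidence-derived list finds it in a few dozen attempts. Against a real container, replace `make_verifier()` with the tool’s own key-derivation and check, and expect far higher iteration counts.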

Page 22:

Chapter Summary

- When conducting computer forensic analysis, you must guard against scope creep so that you remain focused on the primary job.

- For all computer operating systems, you need to determine where the digital evidence most likely will be stored, for example by examining date and time stamps.

- The DriveSpy.ini file contains critical information regarding your license in the license section.

- Other useful features of DriveSpy are script files. Other tools are available to retrieve residual data such as free space and slack space.

Page 23:

Chapter Summary

- The PDBlock program is designed to prevent data from being written to a disk drive. PDWipe is designed to wipe all portions of a disk drive.

- For any computer forensics investigation, prepare the disks where images will be stored by wiping the drives and running antivirus. Inventory the hardware. Remove the original disk and check date and time values. Create a bit-stream image of the disk drive. List all folders in the root directory. Run hashes on files. Document all findings.

Page 24:

Chapter Summary

- UNIX and Linux machines are commonly used as web servers. You need to collect volatile data, log files, and swap files when performing an investigation.

- Data hiding involves changing or manipulating a file to conceal the file or its contents from anyone other than the owner of the file.

- One early practical use of digital steganography was watermarking to protect the copyrights of art placed online. People also use it to hide data.