COS/PSA 413 Day 8. Agenda Questions? Assignment 2 Corrected –5 A’s 2 B’s and 3 C’s Lab 2...

Date posted: 21-Dec-2015


COS/PSA 413

Day 8


Agenda

• Questions?
• Assignment 2 Corrected
  – 5 A’s, 2 B’s and 3 C’s
• Lab 2 Write-ups Corrected
  – Pay more attention to detail, answer the question!
  – 3 A’s, 2 B’s
• Exam 1 Corrected
  – 3 A’s, 5 B’s, 1 C and 1 D
• Lab tomorrow at N105
  – Using AccessData’s Forensic Toolkit (FTK)
  – Project 4-1 through 4-6 in 2e
• Handouts provided
  – Individual labs, no teams required
• Discussion on Current Computer Forensics Tools
  – Chapter 6 in 1e and Chapter 4 in 2e (different!)


Current Computer Forensics Tools

Chapter 6


Learning Objectives

• Evaluate Your Computer Forensics Software Needs
• Use Command-Line Forensics Tools
• Explore Graphical User Interface (GUI) Forensics Tools
• Explore Other Useful Computer Forensics Tools
• Explore Computer Forensics Hardware


Evaluate Your Computer Forensics Software Needs

National Institute of Standards and Technology – A unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards.


Computer Forensics Tool Testing – A project created by the National Institute of Standards and Technology (NIST) to manage research on computer forensic tools.


NIST and ISO 17025 lab standards include:
- Establishing categories for computer forensics tools
- Identifying computer forensics category requirements
- Developing test assertions
- Identifying test cases
- Establishing a test method
- Reporting test results


Forensic Software Testing Support Tools (FS-TST) – A collection of programs that analyze the capability of disk-imaging tools.

http://www.cftt.nist.gov/


Examples of testing programs:
- DISKWIPE
- BADBLOCK
- BADX13
- CORRUPT
- ADJCMP
- DISKCMP
- PARTCMP
- DISKHASH
- SECHASH


Examples of testing programs (continued):
- LOGCASE
- LOGSETUP
- PARTAB
- DISKCHG
- SECCMP
- SECCOPY


National Software Reference Library (NSRL) – A project supported by the National Institute of Justice, federal, state, and local law enforcement, and the National Institute of Standards and Technology (NIST) to promote efficient and effective use of computer technology in the investigation of crimes involving computers.

http://www.nsrl.nist.gov/


Secure Hash Algorithm 1 (SHA-1) – A hash algorithm that creates a 160-bit message digest that a Digital Signature Algorithm (DSA) can process to generate or verify the signature for the message.

http://www.itl.nist.gov/fipspubs/fip180-1.htm


National Institute of Justice (NIJ) – The research, development, and evaluation agency of the U.S. Department of Justice dedicated to researching crime control and justice issues.

digitalevidencemanual.pdf


NIJ Publications for Electronic Crime
- Managing technology in law enforcement
- Investigating e-crime scenes for first responders
- Analyzing computer evidence
- Using technology to investigate e-crimes
- Investigating technology crimes
- Creating a digital evidence library
- Presenting digital evidence in a courtroom
- Using best practices when seizing electronic evidence


Necessary items when building a test disk:
• Hard Disk – Small hard disk (1-10 GB) installed with the operating system that you typically investigate.
• Disk Editor – Tools such as Norton Disk Edit, Hex Workshop, or WinHex to view the raw data on a disk.
• MD5 Utility – Forensic software such as DriveSpy or a disk editor such as WinHex that contains an MD5 function.

http://computer.howstuffworks.com/encryption5.htm


Necessary items when building a test disk (continued):
- Forensic boot floppy disk – Floppy disks that prevent booting from the hard disk.
- Write-blocker device on the test disk – A write-blocker can be a physical device or software utility that prevents the system from recording data on an evidence disk.
- Computer Forensic Software – The software you want to test, installed on the computing-forensics workstation.


Building a Test Disk on FAT16 or FAT32
- Install an OS on the test disk.
- Connect the test disk to the forensic workstation.
- Use a disk editor such as Norton Disk Edit to locate the file slack area.
- Write sample text in the slack area.
- Note the exact absolute sector and cluster location on the disk drive.
- Create two or three text files containing sample text.
- Close the disk editor.


Building a Test Disk on NTFS
- Install an OS on the test hard disk.
- Connect the test disk to the forensic workstation.
- Use a disk editor such as WinHex or Hex Workshop to locate disk free space.
- Create a few test files.
- Note the absolute sector and cluster location for each sample text file you created.
- Close the disk editor.
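The test-disk procedure above, carried through on a small in-memory image as an added example (not from the slides or the textbook): sample text is planted in file slack, its absolute sector and cluster are recorded, and two stand-in search tools are then checked against those notes and against the image's MD5. The 512-byte sectors, 4-sector clusters, data-area start, file contents and both tool functions are assumptions made for the illustration.

```python
import hashlib

SECTOR = 512             # bytes per sector
SECTORS_PER_CLUSTER = 4  # assumed cluster size of the constructed volume
DATA_START = 64          # assumed first sector of the data area (FAT cluster 2)


def cluster_to_sector(cluster):
    """Absolute sector of a FAT cluster; data clusters are numbered from 2."""
    return DATA_START + (cluster - 2) * SECTORS_PER_CLUSTER


def build_test_image(files, slack_markers, total_sectors=128):
    """Write files and slack markers into a blank image; return (image, notes).

    files: {first cluster: content}, each file fitting in one cluster.
    slack_markers: {first cluster: marker} written right after that file's data.
    notes: {marker: (absolute sector, cluster)}, the locations the examiner records.
    """
    image, notes = bytearray(total_sectors * SECTOR), {}
    for cluster, content in files.items():
        start = cluster_to_sector(cluster) * SECTOR
        image[start:start + len(content)] = content
        marker = slack_markers.get(cluster)
        if marker:
            if len(content) + len(marker) > SECTOR * SECTORS_PER_CLUSTER:
                raise ValueError("marker does not fit in this cluster's slack")
            pos = start + len(content)  # first slack byte after the file's data
            image[pos:pos + len(marker)] = marker
            notes[marker] = (pos // SECTOR, cluster)
    return bytes(image), notes


def raw_sector_search(image, files, keyword):
    """Stand-in tool A: scans every sector, allocated or not."""
    hits, pos = [], image.find(keyword)
    while pos != -1:
        hits.append(pos // SECTOR)
        pos = image.find(keyword, pos + 1)
    return hits


def logical_search(image, files, keyword):
    """Stand-in tool B: reads only each file's logical bytes, never the slack."""
    hits = []
    for cluster, content in files.items():
        start = cluster_to_sector(cluster) * SECTOR
        pos = image[start:start + len(content)].find(keyword)
        if pos != -1:
            hits.append((start + pos) // SECTOR)
    return hits


def validate(tool, image, files, notes):
    """Run a tool on a working copy; check its hits against the notes and the MD5."""
    baseline = hashlib.md5(image).hexdigest()
    working = bytearray(image)  # the tool under test only ever sees this copy
    located = {m.decode(): tool(working, files, m) == [sector]
               for m, (sector, _cluster) in notes.items()}
    unchanged = hashlib.md5(working).hexdigest() == baseline
    return {"located": located, "image_unchanged": unchanged}


# Constructed sample data for this example.
FILES = {2: b"quarterly report " * 40, 5: b"meeting notes " * 10}
MARKERS = {2: b"SLACK-TEST-ALPHA", 5: b"SLACK-TEST-BRAVO"}
IMAGE, NOTES = build_test_image(FILES, MARKERS)

if __name__ == "__main__":
    print(NOTES)
    print(validate(raw_sector_search, IMAGE, FILES, NOTES))
    print(validate(logical_search, IMAGE, FILES, NOTES))
```

A tool that only reads logical file contents fails the slack markers even though it leaves the image untouched, which is the gap the recorded sector locations are meant to expose.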


Use Command-Line Forensics Tools

Exploring NTI Tools
http://www.forensics-intl.com/tools.html

- Filter – Replaces nonprintable characters with spaces (Char 20).
- Intel – Searches for possible keyboard entries; the output for this feature can be used to create a possible password list.
- Names – Locates known English surnames.
- Words – Finds groups of words, typically fragments or complete sentences.


Exploring Byte Back
- Clone and image physical sectors of a disk drive.
- Recover files automatically on FAT and NTFS file systems.
- Rebuild partitions and disk boot records on all FAT and NTFS disks.
- Wipe disks.
- Edit disks by viewing and modifying disk data for FAT16 and FAT32 file systems.
- Scan the surface of disk drives to diagnose problems.


Exploring MaresWare
http://www.dmares.com/maresware/linksto_forensic_tools.htm

- Catalog programs – CRCKIT, DISKCAT, HASH and MD5
- Disk wiping program – DECLASFY
- Locking boot program – DISABLE
- Floppy disk imaging program – DISKIMAG
- CRC and MD5 hashing program – DISK_CRC
- Hex editor program – HEX_SECT


Exploring MaresWare (continued)
- Hashing compare program – HASHCMP
- Multiple data stream NTFS directory program – MDIR
- File and directory deletion and wiping programs – RM and RMD
- Sector keyword search program – SS
- Keyword search program – STRSRCH


Explore GUI Forensics Tools

Forensic Toolkit (FTK)
- Text indexing to produce instant search results.
- Data recovery from file systems.
- E-mail recovery from leading e-mail services and products.
- Data extraction from PKZip, WinZip, WinRAR, GZIP, and TAR archive files.
- File filtering that eliminates known files and bad files, based on NIST, NSRL, and HashKeeper.
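The known-file filtering in the last FTK item, which relies on hash sets such as the NSRL described earlier, sketched as an added example (not FTK's code and not from the slides): files are matched by SHA-1 of their content, never by name. The CSV layout, file names and file contents are constructed for the illustration and are not a real NSRL or HashKeeper export.

```python
import csv
import hashlib
import io


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest().upper()


# Constructed file contents; the names below are only labels for this example.
OS_BINARY = b"constructed stand-in for a stock operating system binary"
FLAGGED_FILE = b"constructed stand-in for a file on a known-bad list"

# Constructed hash set in a simplified CSV layout (an assumption for this example).
# category "known" = can be eliminated from review, "bad" = raise an alert.
HASH_SET_CSV = (
    "sha1,file_name,category\n"
    f"{sha1_hex(OS_BINARY)},notepad.exe,known\n"
    f"{sha1_hex(FLAGGED_FILE)},flagged_tool.exe,bad\n"
)

# Constructed evidence listing: path -> file content.
EVIDENCE = {
    "WINDOWS/notepad.exe": OS_BINARY,                # untouched system file
    "WINDOWS/calc.exe": OS_BINARY + b" (modified)",  # system-looking name, unknown content
    "Documents/holiday.jpg": FLAGGED_FILE,           # flagged content under a new name
    "Documents/letter.txt": b"constructed user document",
}


def load_hash_set(text):
    """Parse the CSV into {sha1: (reference file name, category)}."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        table[row["sha1"].strip().upper()] = (row["file_name"], row["category"])
    return table


def triage(evidence, hash_set):
    """Sort evidence files into eliminated / alert / review by content hash."""
    result = {"eliminated": [], "alert": [], "review": []}
    for path, content in sorted(evidence.items()):
        ref_name, category = hash_set.get(sha1_hex(content), (None, None))
        name = path.rsplit("/", 1)[-1]
        if category == "known":
            result["eliminated"].append(path)
        elif category == "bad":
            # Keep the reference name so a rename shows up in the findings.
            renamed = name.lower() != ref_name.lower()
            result["alert"].append((path, ref_name, renamed))
        else:
            result["review"].append(path)
    return result


if __name__ == "__main__":
    for bucket, items in triage(EVIDENCE, load_hash_set(HASH_SET_CSV)).items():
        print(bucket, items)
```

The renamed flagged file is still caught, and the modified file with a system-looking name stays in the review pile instead of being eliminated.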


Exploring Guidance Software EnCase
- Extracts messages from Microsoft PST files.
- Spans multiple RAID volumes.
- Supports NTFS compression and Access Control List (ACL) of files.
- Provides advanced language support.


Exploring WinHex Specialist Edition
- Disk cloning.
- Disk sector imaging with or without compression, an encryption option, and a save and set volume size.
- Saving to a separate data file all file slack space and unallocated space.
- Keyword searching and text gathering.


Exploring ProDiscover DFT
- Creates an image file of the suspect’s disk, and can read the image file it creates.
- Reads images created with the UNIX and Linux dd command.
- Accesses a suspect disk through a write-blocking device for previewing purposes.
- Displays alternative data streams for Windows NT and 2000 NTFS file systems.
- Integrates Bates numbers for your evidence for recovered data lists.


Exploring DataLifter
- Disk cataloging of all files with date and time values.
- Image Linker that identifies and allows you to link to any images stored on a Web site.
- Internet cache and history viewer of a suspect’s Internet history file.
- File signature generator.
- E-mail retriever.


Exploring DataLifter (continued)
- Network ping, traceroute, and whois commands.
- Recycle Bin history viewer.
- Screen capture function.
- File slack and free space acquisition tool.


Expert Witness for Macintosh
- HFS and HFS+.
- All Microsoft FAT file systems.
- ISO 9660 (CDs), UFS and CDFS.
- Span evidence acquisitions over several disk drives.
- Generate reports.
- Export data findings to Microsoft Excel to perform additional analysis.


SMART
- All Microsoft FAT
- NTFS
- Linux Ext2fs and Ext3fs
- Reiser
- HFS


Explore Other Useful Computer Forensics Tools

Exploring R-Tools
- R-Studio – Recover data from all FAT, NTFS and Ext2fs disks, and recover corrupt data on RAID systems.
- R-Undelete – Used to restore FAT, NTFS, and Ext2fs files. Recovers alternate data streams and encrypted or compressed files.


Exploring R-Tools (continued)
- R-Linux – For corrupted Ext2fs drives, this can be used to create a disk image. After the disk image is created you can then use R-Studio.
- R-Mail – Specially designed to recover damaged .dbx folders for Microsoft Outlook. Recovers the content of the .dbx folder messages and then creates individual messages in the .eml format.


Using Explore2fs
- Move files by dragging and dropping.
- Export and import files and directories.
- View and execute files.
- View and create symbolic links.
- Delete files and directories.
- Create directories.
- Rename and modify file modes.
- Change the user ID and group ID of files and directories.


TASK
- Analyze dd image files of a suspect’s drive.
- Analyze all FAT, NTFS, FFS, and Ext2fs file systems.
- Use fourteen command-line tools that are organized into layers to identify the tool’s function.
- Create timelines of files and directories for analysis purposes.


Autopsy Forensic Browser
- Add reference notes to any findings you encounter.
- Search on keywords.
- Validate using MD5 hash values.
- Generate reports in ASCII format.
- Inspect a UNIX system in real time.


Using Graphic Viewers
- Quick View Plus (www.jasc.com)
- Lview Pro (www.lview.com)
- ACDSee (www.acdsystems.com)
- ThumbsPlus (www.cerious.com)
- Irfan View (www.irfanview.com)


Explore Computer Forensics Hardware

Computing-Investigation Workstations
- Stationary Workstation – A tower with several bays and many peripheral devices.
- Portable Workstation – Laptop computers with a built-in LCD and almost as many bays and peripherals as a stationary workstation.
- Lightweight Workstation – Usually a laptop computer built into a small carrying case with a small selection of peripheral options.


- Read-only IDE Drive Bays – A hot-swappable write-blocker device.
- Drive Imaging Stations – A setup of two IDE bays, one with an integrated write-blocker and the other for reads and writes, and a 60-watt power supply with cooling fans.
- Firewire – Assorted Firewire controller cards and Firewire write-blocker internal interface devices.


Forensic Computers
- Original forensic tower
- Portable forensic workhorse
- Forensic steel tower
- Forensic Air-Lite


DIBS
- Forensic workstation
- Mobile forensic workstation
- Permanent investigation unit
- Rapid action imaging device (RAID)


Digital Intelligence
http://www.digitalintelligence.com/

- FRED – A tower PC that can be equipped with a cart for portability.
- FREDDIE – A portable LCD screen equipped FRED unit.
- FRED Sr – A stationary service case workstation that has three power supplies and an extensive list of peripherals to meet almost any computing-investigation need.
- FREDC – A modularized RAID system with up to eight separate forensic processors with up to 20 terabytes of disk space.


Digital Intelligence (continued)
- FireBlock – A Firewire IDE bay device write-blocker that can be ordered as an internal or external device with its own power supply.
- SCSIBlock – A SCSI write-blocker device that can be ordered as an internal bay or an external bay device with its own power supply.
- FireChief – A Firewire IDE dual bay external device that has an IDE write-blocker in the top bay and a read/write in the bottom bay.


Image MASSter Solo
- Signature generator that produces a CRC-32 hash.
- Ability to copy a source disk’s Host Protected Area to target disk.
- Device Configuration Overlay (DCO) detection that forces a sector-by-sector copy of a suspect’s disk to target disk.


Image MASSter Solo (continued)
- CD backup and restore capability allowing you to back up and restore a disk to a CD.
- Audit trail report that can be printed out to a special thermal printer from the unit.


Chapter Summary

- Maintaining a computing-forensics lab involves creating a software library for older versions of computing-forensics utilities, operating systems (OSs), and application programs. You should maintain all older versions of software that you have used and retired, such as older versions of Windows and Linux.


- Before upgrading to a new version of a computer forensics tool, you need to run validation testing on the new version. The National Institute of Standards and Technology (NIST) has standard guidelines for verifying forensic software.


- Many computer forensics tools run in MS-DOS, including those that find file slack and free space, recover data, and search by keyword. Most of these tools run only in MS-DOS, not an MS-DOS shell window. They are also designed to run in minimal configurations, and can fit on a bootable floppy disk. Norton Disk Edit and WinHex are MS-DOS tools that allow you to find file slack and unallocated space on a drive.


- In addition to the DOS and GUI tools, you can also use computer forensics tools that are available as open source, freeware, and shareware software, though some are restricted to only law enforcement use.


- Computer forensics tools that run in a Command Prompt window include DriveSpy and Image. Computing-investigation tools that run in Windows and other Graphical User Interface (GUI) environments do not require the same level of computing expertise as MS-DOS tools, and can simplify training and investigations. These GUI tools have also simplified training for beginning examiners in computer forensics.