CS6004 Cyber Forensics - UNIT IV

CS6004 – CYBER FORENSICS
UNIT IV
EVIDENCE COLLECTION AND
FORENSICS TOOLS

OUTLINE
 Processing Crime and Incident Scenes
 Working with Windows and DOS Systems
 Current Computer Forensics Tools - Software/ Hardware
Tools
2
PreparedbyR.Arthy,AP/IT,KCET

PROCESSING CRIME
AND
INCIDENT SCENES

OBJECTIVES
 Explain guidelines for seizing digital evidence at the scene
 Describe how to secure a computer incident or crime scene
 Describe how to preserve the evidence and establish the
chain of custody
 Enumerate some general guidelines to process crime and
incident scene
4

WHAT IS FORENSIC?
 Collection and analysis of evidence
 Using scientific test or techniques
 To establish facts against crime
 For presenting in a legal proceeding
 Therefore forensic science is a scientific method of
gathering and examining information about the past which
is then used in court of law
5

WHAT IS DIGITAL FORENSIC?
 Digital Forensics is the use of scientifically derived and
proven methods toward:
 the preservation, collection, validation, identification, analysis,
interpretation, documentation, and presentation of digital evidence
derived from digital devices
 for the purpose of facilitation or furthering the reconstruction
of events found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to planned
operations
6

BRANCHES OF DIGITAL FORENSICS
 The technical aspect of an investigation is divided into
several sub-branches, relating to the type of digital devices
involved:
 Computer forensics, Firewall Forensics, Database Forensics,
Network forensics, Forensic data analysis and Mobile device
forensics.
 The typical forensic process encompasses the seizure,
forensic imaging and analysis of digital media and the
production of a report into collected evidence.
7

CRIMINAL INVESTIGATION
 A principle in criminal investigation called Locard’s Exchange
Principle
 Anyone or anything entering a crime scene takes something of
the scene with them and leaves something of themselves behind
 Main goal of investigation to link crime to the suspect by
discovering threads between suspect, victim and crime scene
8
Victim
Crime
Scene
Suspect
Evidence

DIGITAL EVIDENCE
 Evidence
 A piece of information that supports a conclusion
 Digital evidence
 Any data that is recorded or preserved on any medium in or by a
computer system or other similar digital device, that can be read
or understood by a person or a computer system or other similar
device.
 It includes a display, printout or other output of that data.
9

CHARACTERISTICS OF DIGITAL EVIDENCE
 Admissible
 Conformity with the common law and legislative rules
 Authentic
 In linking data to specific individuals and events
 Accurate
 Believed and is consistent
 Complete
 With a full story of particular circumstances.
 Convincing to juries
 To have probative value, subjective and practical test of
presentation
 To proving beyond doubt
10

[CONTD…]
 All investigations must follow the following rules of
evidence:
 Digital evidence integrity must be preserved to be admissible in
court.
 If the evidence is contaminated it cannot be de-contaminated
 Digital evidence must be reliable: Authenticity evidence, clear
easy to understand, and believable by a jury
 Digital evidence must be complete : Exculpatory evidence for
alternative suspects
11

EXAMPLES
12

[CONTD…]
 e-mails,
 digital photographs,
 ATM transaction logs,
 word processing documents,
 Instant message histories,
 files saved from accounting program,
 spreadsheets,
 internet browser histories,
 databases,
 the contents of computer memory,
 computer backups, computer printouts,
 Global Positioning System tracks,
 logs from a hotel’s electronic door locks, and
 digital video or audio files
13

DIGITAL FORENSIC PROCESSES
14

[CONTD…]
 Generally involves the following steps:
1. Seizing Digital Evidence at the Scene
2. Securing a computer incident or crime scene
3. Preserving the data
4. Establishing the chain of custody
5. Examining data for evidence
15

SEIZING DIGITAL EVIDENCE AT THE SCENE
16
PreparedbyR.Arthy,AP/IT,
KCET

INTRODUCTION
 Law enforcement can seize evidence with a proper
warrant
 Corporate investigators might have the authority only to
make an image of the suspect’s drive
 When seizing digital evidence in criminal investigations
 Follow U.S. DoJ standards for seizing digital data
 Civil investigations follow same rules - require less
documentation
 Consult with your attorney for extra guidelines
17

PREPARING TO ACQUIRE DIGITAL EVIDENCE
 The evidence you acquire at the scene depends on the nature
of the case (Crime or Violation)
 Ask your supervisor or senior forensics examiner in your
organization the following questions:
 Do you need to take the entire computer and all peripherals and
media in the immediate area?
 How are you going to protect the computer and media while
transporting them to your lab?
 Is the computer powered on when you arrive?
 Is it possible the suspect damaged or destroyed the computer,
peripherals, or media?
18

USING A TECHNICAL ADVISOR
 Technical advisor
 Can help you list the tools you need to process the incident or
crime scene
 Person guiding you about where to locate data and helping you
extract log records
 Or other evidence from large RAID servers
 Can help create the search warrant by itemizing what you need
for the warrant
19

TECHNICAL ADVISOR RESPONSIBILITIES
 Know aspects of the seized system
 Direct investigator handling sensitive material
 Help secure the scene
 Help document the planning strategy for search and
seizure
 Conduct ad hoc trainings
 Document activities
 Help conduct the search and seizure
20

PROCESSING AN INCIDENT OR CRIME SCENE
- GUIDELINES
 Keep a journal to document your activities
 Secure the scene
 Be professional and courteous with onlookers
 Remove people who are not part of the investigation
 Take video and still recordings of the area around the
computer
 Pay attention to details
 Sketch the incident or crime scene
 Check state of computers as soon as possible
 Don’t cut electrical power to a running system unless it’s an
older Windows 9x or MS-DOS system
 Save data from current applications as safely as possible
 Record all active windows or shell sessions 21

[CONTD…]
 Make notes of everything you do when copying data from a
live suspect computer
 Close applications and shut down the computer
 Bag and tag the evidence, following these steps:
 Assign one person to collect and log all evidence
 Tag all evidence you collect with the current date and time, serial
numbers or unique features, make and model, and the name of the
person who collected it
 Maintain two separate logs of collected evidence
 Maintain constant control of the collected evidence and the crime or
incident scene
 Look for information related to the investigation
 Passwords, passphrases, PINs, bank accounts
 Collect documentation and media related to the investigation
 Hardware, software, backup media, documentation, manuals
22

DOCUMENTING EVIDENCE IN THE LAB
 Record your activities and findings as your work
 Maintain a journal to record the steps you take as you process
evidence
 Goal is to reproduce the same result
 When you or another investigator repeat the steps you took to
collect evidence
 A journal serves as a reference that documents the
methods you need to process digital evidence
23

SECURING A COMPUTER INCIDENT OR
CRIME SCENE
24
PreparedbyR.Arthy,AP/IT,
KCET

INTRODUCTION
 Protecting the crime scene is crucial because if evidence is
contaminated, it cannot be decontaminated.
 The main goals of securing the crime scene are the
following:
 Preserve the evidence (No damage during collection,
transportation, or storage)
 Keep information confidential
 Depending on the situation, crime scene preservation will
vary.
 Professional curiosity can destroy evidence
 Involves police officers and other professionals who aren’t part of
the crime scene processing team
25

[CONTD…]
 How securing a computer incident or crime scene?
 Define a secure perimeter
 Use yellow barrier tape
26

[CONTD…]
 How securing a computer incident or crime scene? (Cont.)
 Physical surroundings of the computer should be photographed and
clearly documented
 Photographs should be taken before anything is touched
27

[CONTD…]
 How securing a computer incident or crime scene? (Cont.)
 Take custody of computer, peripherals, and media.
 Bag and tag all evidence
 Assign one person to collect and log all evidence
 Record the current date and time, serial numbers or unique features, make
and model, and the name of the person who collected it
 Maintain two separate
logs of collected
evidence
 Use antistatic bags
28

PRESERVING THE DATA
29

CAPTURE VOLATILE DATA
 Computer forensics team first captures any volatile data that
would be lost when computer is turned off and moves data to
a secure location
 Contents of RAM
 Current running processes
 Current network connections (recent connections and open
applications/sockets)
 Logon sessions
 Open files: File system time and date stamps
30

ACQUIRE IMAGE
 Reboot will change disk images. Do not reboot!
 After retrieving volatile data, focus on the hard drive
 Make forensic backup = system image = bit-stream
backup
 Copy every bit of the file system, not just the disk files!
 Its accuracy meets evidence standards
 Example tools include:
 Prodiscover
 EnCase
 FTK
 OS does not influence which tools to use for bit-image
capture
31

STORING DIGITAL EVIDENCE
 The media you use to store digital evidence usually depends
on how long you need to keep it
 CD-Rs or DVDs
 The ideal media
 Capacity: up to 17 GB
 Lifespan: 2 to 5 years
 Magnetic tapes
 Capacity: 40 to 72 GB
 Lifespan: 30 years
 Costs: drive: $400 to $800; tape: $40
32

EVIDENCE RETENTION AND MEDIA STORAGE
NEEDS
 To help maintain the chain of custody for digital evidence
 Restrict access to lab and evidence storage area
 Lab should have a sign-in roster for all visitors
 Maintain logs for a period based on legal requirements
 You might need to retain evidence indefinitely
 Check with your local prosecuting attorney’s office or state laws to
make sure you’re in compliance
 You cannot retain child pornography evidence, however
33

[CONTD…]
34

[CONTD…]
 Copy all image files to a large drive
 Run an MD5 or SHA-1 hashing algorithm on the image
files to get a digital hash
35

ESTABLISHING THE CHAIN OF CUSTODY
36

INTRODUCTION
 As soon as the team begins its work, must start and
maintain a strict chain of custody
 Chain of custody protects the integrity and reliability of the
evidence
 It documents that evidence was under strict control at all times
and no unauthorized person was given the opportunity to corrupt
the evidence
 Effective process of documenting the complete journey of the
evidence during the life of the case
 Who collected it?
 How & where?
 Who took possession of it?
 How was it stored & protected in storage?
37

[CONTD…]
 Create or use an evidence custody form
 An evidence custody form serves the following functions:
 Identifies the evidence
 Identifies who has handled the evidence
 Lists dates and times the evidence was handled
38

EXAMINING DATA FOR EVIDENCE
39

PROCESSING AND HANDLING DIGITAL
EVIDENCE
 Maintain the integrity of digital evidence in the lab
 As you do when collecting it in the field
 Steps to create image files:
 Copy all image files to a large drive
 Start your forensics tool to analyze the evidence
 Run an MD5 or SHA-1 hashing algorithm on the image files
to get a digital hash
 Secure the original media in an evidence locker
40

WORKING WITH WINDOWS
AND DOS SYSTEMS

LEARNING OBJECTIVES
 List the key components of a disk drive.
 Explain the purpose and structure of Microsoft FAT (and
NTFS) file system.
 Describe different types of file deletion, and what is
required to completely remove a file from a disk.
 Explain how the Windows Registry works, and enlist
different types of useful forensics information it stores.
42

OUTLINE
 Hard Disk
 FAT
 NTFS
 Windows Registry
43

COMPUTER COMPONENTS
44

HARDWARE COMPONENTS
 Motherboard / Mainboard
 Processor / CPU
 ROM - stores system-level programs that
should be available at all times, e.g. BIOS
 Registers & CPU cache - accept, hold, and
transfer data at very high speed - very limited
capacity
 Main Memory / RAM - fast temporary
memory - stores data only while computer
on
 Secondary (Permanent) Storage
 hard disks / drive, CD-ROM, USB, floppy
 Input Devices
 keyboard, mouse, …
 Output Devices
 monitor, printer, …
45

[CONTD…]
46

SOFTWARE COMPONENTS
 Operating System
 Software (program + data) that runs on a
computer
 it manages computer hardware &
provides common services for efficient
execution of various application software
 OSs are found on almost all ‘computing’
devices,
 e.g. cellular phones, video game consoles,
web servers, routers, …
47

COMPUTER FILES
 File – a self contained collection of data available to
OS and individual programs
 comprises ‘related’ information
 can be manipulated as an entity (e.g., deleted or moved from
one storage media to another)
 must have a unique name
 has an extension (.doc, .txt, .exe, …) – indicates the type of
encoding of its content and usage
48

COMPUTER FILE SYSTEM
 File System
 set of method/rules for storing and retrieving computer files
(data)
 gives an OS a road map to data on a secondary storage device
(e.g., disk drive, USB, CD-ROM)
 file system is usually directly related to an OS
49

DISK DRIVES / HARD DRIVE
 consists of 1 or more platters coated with magnetic
material – data is stored on platters in a particular
way
 each platters has 2 surfaces: top & bottom
 key disk drive components:
 head – the device that reads and writes data to a drive –
there is one head per platter
 tracks – concentric circles on a disk platter where data is
located
 sector – a pie shaped section on a track made up of 128,
256, 512 or 1024 bytes – smallest addressable storage
unit on the hard drive
 a cylinder – consists of corresponding tracks on all
platters (e.g. track 12 on all d.d. platters)
 geometry – refers to a disk’s structure of platters, tracks,
and sectors
50

[CONTD…]
51

HEADS
 Located on both sides of (each) platter only a few
nanometers from the surface
 heads are semi-static (only move up/down & small
angle) - disk/platters rotate at speed of n*1000
revolutions per minute! (~ 250km/h)
 heads are ‘inductive’ – they can generate a magnetic
field
 by creating positive or negative fields, they polarize the
disk (platter) surface in a very tiny area
 when these areas are read afterwards, the detected
polarity is transformed by a ADC into a 0 or 1
52

[CONTD…]
53

EXAMPLE: DISK DRIVE CAPACITY AND SPEED:
HISTORY
54

CLUSTER
 One or a group of sectors – logical unit of
file storage on a hard drive
 number of sectors in a cluster (2n), depends on:
 disk size: bigger disk ⇒ bigger cluster
 logical disk organization (e.g., FAT12 /16 /32 or
NTFS)
 whatever the logical size of a file, it is
allocated disk space in multiples of clusters!
 sectors in a cluster are physically adjacent on the
disk
 clusters in a file may NOT be adjacent
 clusters are managed by computers OS
55

[CONTD…]
 Example: Bigger disk - bigger cluster size …
 FAT16 is not recommended for volumes larger than 511
MB. When relatively small files are placed on a FAT16
volume, FAT uses disk space inefficiently! 56

WINDOWS FILE SYSTEMS
 3 types of file systems have been used by Windows: FAT,
FAT32, NTFS
57

[CONTD…]
58

FAT FILE SYSTEM
 Introduction
 Major Sections of FAT Hard Disks
 Slack Space in FAT
 Deleting FAT Files
 Forensics Implications
59

INTRODUCTION
 FAT x – File Allocation Table – family of file systems for
DOS/Windows operating systems
 FAT table – stores info. on status of all clusters on the disk =
‘table of content’
 x = 12, 16, 32 – number of bits used for cluster
identification/numbering
 bit-size of each FAT table entry
60

[CONTD…]
 Example: FAT12, FAT16, FAT32
61

[CONTD…]
 Example: FAT16 capacity
Can 700 MB disk drive be formatted with a FAT16 file
system using 4KB clusters?
FAT16 ⇒ 216 = 65536 clusters
216 clusters * 4 Kbytes = 26 * 210 * 4 * 210 bytes
max capacity = 64 * 4 MB = 256 MB
62

MAJOR SECTION
1) Boot Sector – occupies the 1st cluster on the disk
 contains specific information about organization of the file
system, including: type of FAT (12/16/32) system,
 # of bytes per sector,
 # of sectors per track,
 # of sectors per cluster,
 # of read heads,
 # of FAT tables,
 # of clusters per FAT table, etc.
63

[CONTD…]
64

[CONTD…]
2) FAT Tables
 keep track of allocation status of different data clusters
 entry N relates to data cluster N – the actual value is a pointer to
another FAT entry
 set of clusters that constitute one file are defined by a set of linked
FAT entries
 multiple FATs (FAT1 & FAT2) ensure redundancy in case of
data corruption – FAT2 is a backup of FAT 1
 typically used on portable (more vulnerable) media
65

[CONTD…]
 Example: Use of FAT system
66

[CONTTD…]
 FAT entry values
67

[CONTD…]
3) Root Directory (FAT12/16 only)
 stores Directory Table – table of 32-byte long entries for each
file & directory created on the disk
4) Data Area
 contains file & directory data – occupies remaining sectors
(clusters) on the disk
 first cluster of Data Area is numbered 2; though, this is
physical sector 33!
68

[CONTD…]
 Example: (Root) Directory Table entries in bytes
69

[CONTD…]
 Example: File fragmentation / cluster allocation in FAT
70

[CONTD…]
Example: Final Exam 2010
 Assume a computer employs the FAT16 file system with
components as shown below:
 A file, containing a set of numbers, is stored on this computer
under the name YourFile.txt.
 Using the provided information, identify the first six numbers
stored in YourFile.txt.
71

[CONTD…]
72

SLACK SPACE IN FAT
 phenomenon caused by the way how computers store
data/files:
 files are allocated cluster-sized chunks
 regardless of the actual size of data in the file
 data may not be big enough to fill (all) segments, i.e. clusters
73

[CONTD…]
 sector slack - space between EOF and end of last sector
that file was written to known as RAM slack as OS pulls
any info available in RAM at that point (memory dump)
to fill this space – e.g. logon IDs, passwords, segments of
other files
 cluster slack - remaining sectors in cluster known as file
slack – contains whatever was last written by disk in
those sectors (e.g. parts of a deleted file)
74

DELETING FAT FILES
 system places deletion mark on the file
 deletion mark ⇒ first letter of the file name is replaced
with E5 (lower-case Greek letter σ)
 FAT entries of respective clusters are still unchanged!
 in DATAAREA clusters still preserve the original data!
75

[CONTD…]
 Example: Deleting by sending to Recycle Bin
76

[CONTD…]
 File Allocation Table (FAT) before and after deletion of
“test1.txt” file.
77

[CONTD…]
 Example: Deleting by clearing from Recycle Bin
 File Allocation Table (FAT) before and after clearing
Recycle Bin.
78

FORENSICS IMPLICATIONS
 On deletion of a file, the data contained in a file is NOT ‘gone’
 it is merely ‘hidden’ from he operating system and the space
 it occupies is made available for reuse.
 Deleted data still resides in the space previously allocated to it,
unless overwritten.
 It is possible to ‘undelete’ (reconstruct) a file – or some of its parts –
even after Recycle bin has been emptied!
 However, there may be evidential difficulties with files recovered
from unallocated space. We cannot state the date and time attributes
of even a complete file found in unallocated space, as there is no
respective entry in the File Directory Table.
79

[CONTD…]
 Disk Formatting – still does not erase data!
 only pointers (FAT and FDT) get destroyed
 data that formed the file remains intact in their locations
 Disk Wiping – secure deletion – wiped files have their
directory entries and allocated space physically
overwritten by random or user-defined characters
 Windows wiping tools:
 Disk Wipe: http://www.diskwipe.org/
 Eraser: http://eraser.heidi.ie/
80

NTFS FILE SYSTEM
 NTFS – New Technology File System – introduced for
Windows NT and Vista
 provides significant improvements over FAT, including:
 file and folder permissions – folder and file access can be
controlled individually
 file encryption – NTFS enables strong encryption of files
and folders extremely resistant to attacks
 file compression – NTFS enables lossy compression on
both files and folders
 disk efficiency – NTFS supports smaller cluster size than
FAT32
 greater reliability – NTFS writes a log of changes being
made to files and folders (NTFS journal), which helps the OS
to recover from system failures … 81

WINDOWS REGISTRY
 critical part of any Windows OSs - hierarchical
database containing configuration information about:
 system hardware;
 installed software (programs);
 property settings;
 profile for each user, etc.
 OS uses instructions stored in the registry
 to determine how installed hardware and software should
function
 e.g. typical software comes with a Windows installer that
writes to the registry during installation
 system must be restarted for changes to take place …
82

[CONTD…]
 Example: Opening Windows Registry
 Type ‘regedit’ in cmd window.
 Registry comprises 5 to 7 hierarchical folders – hives.
 Folders’ names start with HKEY – Handle to a Key.
83

[CONTD…]
84

[CONTD…]
 Forensics Implications – information (i.e. potential
evidence) that reside in the Registry make it a
significant forensics resource
 information that can be found in the registry include:
 general information about the OS
 startup (boot-time) applications
 logs of computers that have communicated with the host
 logs of USBs that have been connected to the host
 logs of Web site histories and typed URLs
 downloaded files/programs, e.g. wiping programs to destroy
evidence
 auto complete Internet Explorer passwords
85

[CONTD…]
 Example: Registry Information about OS
 Keys to look at (investigate):
 HKLMSoftwareMicrosoftWindows NTCurrentVersion
 Obtained info: OS version, Installation Date, Product ID, etc.
 Example: Registry Information about Time Zone
 HKLMSystemControlSet001ControlTimeZoneInformation
 Example: Registry Information about Startup Applications
 HKLMSoftwareMicrosoftWindowsCurrentVersionRun
 HKLMSoftwareMicrosoftWindowsCurrentVersionRunonce
 (Typically used to load an application for installation the next time the
computer boots. After the machine reboots, the entry is removed.)
 Services/programs enlisted in these ‘files’ run each time / when a user
logs on.
 Malware (spyware, trojans, worms, viruses) often attempt to embed
themselves in these startup areas.
86

[CONTD…]
 Example: Registry Information about LAN Computers
 HKCUSoftwareMicrosoftWindowsCurrentVersionExplore
rComputerDescriptions
 A computer on a properly configured LAN should be able to
display all the computers on that network through
MyNetworkPlace. The list of these computer – i.e. devices
that the host has ever connected to – is stored in the Registry.
87

[CONTD…]
 Example: Registry Information about USB Devices
 HKLMSystemControlSet00xEnumUSBSTOR
 Anytime a device is connected to a USB, driver are queried
and the device’s information is stored into the Registry.
88

[CONTD…]
 Example: Registry Information about IE Passwords
 HKCUSoftwareMicrosoftInternetExplorerMain
 Key to look at: “FormSuggest PW Ask” – should be “yes” ⇒
 Windows AutoComplete Password feature is enabled.
 List of ‘memorized’ passwords can be found at:
 HKCUSoftwareMicrosoftInternetExplorerIntelliFormsSto
rage2
89

Current Computer Forensics
Tools - Software/ Hardware
Tools

OUTLINE
 Introduction
 Evaluating Computer Forensics Tool Needs
 Types of Computer Forensics Tools
 Tasks Performed by Computer Forensics Tools
 Command-Line Forensics Tools
 UNIX/Linux Forensics Tools
 GUI Forensics Tools
 Forensic Workstations
 Validating and Testing Forensics Software
 Using Validation Protocols
 Computer Forensics Examination Protocol
 Example 91

INTRODUCTION
 Computer forensics tools are constantly being developed,
updated, patched, and revised.
 Therefore, checking vendors’ Web sites routinely to look
for new features and improvements is important.
 Before purchasing any forensics tools, consider whether
the tool can save you time during investigations and
whether that time savings affects the reliability of data
you recover.
92

EVALUATING COMPUTER FORENSICS TOOL
NEEDS
 Some questions to ask when evaluating computer
forensic tools:
 On which OS does the forensics tool run?
 Is the tool versatile? For example, does it work in Windows
98, XP, and Vista and produce the same results in all three
OSs?
 Can the tool analyze more than one file system, such as FAT,
NTFS, and Ext2fs?
 Can a scripting language be used with the tool to automate
repetitive functions and tasks?
 Does the tool have any automated features that can help
reduce the time needed to analyze data?
 What is the vendor’s reputation for providing product
support? 93

[CONTD…]
 When you search for tools, keep in mind what file types
you’ll be analyzing.
 For example, if you need to analyze Microsoft Access
databases, look for a product designed to read these files.
 If you’re analyzing e-mail messages, look for a forensics
tool capable of reading e-mail content.
94

TYPES OF COMPUTER FORENSICS TOOLS
 Hardware forensic tools
 Range from single-purpose components to complete
computer systems and servers
 Software forensic tools
 Types
 Command-line applications
 GUI applications
 Commonly used to copy data from a suspect’s disk drive to
an image file
95

TASKS PERFORMED BY COMPUTER
FORENSICS TOOLS
 All computer forensics tools, both hardware and
software, perform specific functions.
 Five major categories:
 Acquisition
 Validation and discrimination
 Extraction
 Reconstruction
 Reporting
96

1. ACQUISITION
 Acquisition, the first task in computer forensics
investigations, is making a copy of the original drive.
 Acquisition subfunctions:
 Physical data copy
 Logical data copy
 Data acquisition format
 Command-line acquisition
 GUI acquisition
 Remote acquisition
 Verification
97

[CONTD…]
 Some computer forensics software suites, such as
AccessData FTK and EnCase, provide separate tools for
acquiring an image.
 However, some investigators opt to use hardware
devices, such as the Logicube Talon, VOOM HardCopy
3, or ImageMASSter Solo III Forensic unit from
Intelligent Computer Solutions, Inc., for acquiring an
image.
 These hardware devices have their own built-in software
for data acquisition.
 No other device or program is needed to make a
duplicate drive; however, you still need forensics
software to analyze the data 98

[CONTD…]
 Two types of data-copying methods are used in software
acquisitions:
 Physical copying of the entire drive
 Logical copying of a disk partition
 The formats for disk acquisitions vary
 From raw data to vendor-specific proprietary compressed
data
 You can view the contents of a raw image file with any
hexadecimal editor
99

[CONTD…]
100

[CONTD…]
 All computer forensics acquisition tools have a method for
verification of the data-copying process that compares the
original drive with the image.
 For example, EnCase prompts you to obtain the MD5 hash
value of acquired data,
 FTK validates MD5 and SHA-1 hash sets during data
acquisition, and Safe Back runs an SHA-256 hash while
acquiring data.
 Hardware acquisition tools, such as Image MASSter Solo, can
perform simultaneous MD5 and CRC-32 hashing during data
acquisition.
 Whether you choose a software or hardware solution for your
acquisition needs, make sure the tool has a hashing function
for verification purposes. 101

2. VALIDATION AND DISCRIMINATION
 Two issues in dealing with computer evidence are critical.
 First is ensuring the integrity of data being copied—the validation
process.
 Second is the discrimination of data, which involves sorting and
searching through all investigation data.
 Many forensics software vendors offer three methods for
discriminating data values.
 Hashing
 Filtering
 Analyzing file headers
 Validating data is done by obtaining hash values.
 This unique hexadecimal value for data, used to make sure the
original data hasn’t changed. 102

[CONTD…]
103

[CONTD…]
 The primary purpose of data discrimination is to remove
good data from suspicious data.
 Good data consists of known files, such as OS files and
common programs (Microsoft Word, for example).
 The National Software Reference Library (NSRL) has
compiled a list of known file hashes for a variety of OSs,
applications, and images.
104

[CONTD…]
105

3. EXTRACTION
 The extraction function is the recovery task in a
computing investigation and is the most challenging of
all tasks to master.
 Recovering data is the first step in analyzing an
Investigation’s data.
 The following sub functions of extraction are used in
Investigations.
 Data viewing
 Keyword searching
 Decompressing
 Carving
 Decrypting
 Bookmarking3 106

[CONTD…]
 Many computer forensics tools include a dataviewing
mechanism for digital evidence.
 Tools such as ProDiscover, X-Ways Forensics, FTK,
EnCase, SMART, ILook, and others offer several ways
to view data, including logical drive structures, such as
folders and files.
107

[CONTD…]
 A common task in computing investigations is searching
for and recovering key data facts.
 Computer forensics programs have functions for
searching for keywords of interest to the investigation.
 Using a keyword search speeds up the analysis process
for investigators.
 With some tools, you can set filters to select the file
types to search, such as searching only PDF documents.
 Another function in some forensics tools is indexing all
words on a drive.
 X-Ways Forensics and FTK 1.6x and earlier offer this
feature, using the binary index (Btree) search engine
from dtSearch.
108

[CONTD….]
 Example – Keyword Search
109

4. RECONSTRUCTION
 The purpose of having a reconstruction feature in a
forensics tool is to re-create a suspect drive to show what
happened during a crime or an incident.
 Another reason for duplicating a suspect drive is to
create a copy for other computer investigators, who
might need a fully functional copy of the drive so that
they can perform their own acquisition, test, and analysis
of the evidence.
 These are the sub functions of reconstruction:
 Disk-to-disk copy
 Image-to-disk copy
 Partition-to-partition copy
 Image-to-partition copy 110

[CONTD…]
 There are several ways to re-create an image of a suspect
drive. Under ideal circumstances, the best and most
reliable method is obtaining the same make and model
drive as the suspect drive,
 If the suspect drive has been manufactured recently,
locating an identical drive is fairly easy.
 A drive manufactured three months ago might be out of
production and unavailable for sale, which makes
locating identical older drives more difficult.
111

[CONTD…]
 The simplest method of duplicating a drive is using a
tool that makes a direct disk-to-disk copy from the
suspect drive to the target drive.
 One free tool is the UNIX/Linux dd command, but it has
a major disadvantage:
 The target drive being written to must be identical to the
original (suspect) drive, with the same cylinder, sector,
and track count.
112

[CONTD…]
 For a disk-to-disk copy, both hardware and software
duplicators are available; hardware duplicators are the
fastest way to copy data from one disk to another.
 Hardware duplicators, such as Logicube Talon, Logicube
Forensic MD5, and ImageMASSter Solo III Forensics
 Hard Drive Duplicator, adjust the target drive’s geometry
to match the suspect drive’s cylinder, sectors, and tracks.
113

[CONTD…]
 For image-to-disk and image-to-partition copies, many
more tools are available, but they are considerably
slower in transferring data.
 The following are some tools that perform an imageto-
disk copy:
 SafeBack
 SnapBack
 EnCase
 FTK Imager
 ProDiscover
 X-Ways Forensics
114

5. REPORTING
 To complete a forensics disk analysis and examination, you need to
create a report.
 Before Windows forensics tools were available, this process required
copying data from a suspect drive and extracting the digital evidence
manually.
 The investigator then copied the evidence to a separate program,
such as a word processor, to create a report.
 Newer Windows forensics tools can produce electronic reports in a
variety of formats, such as word processing documents, HTML Web
pages, or Acrobat PDF files.
 These are the sub functions of the reporting function:
 Log reports
 Report generator 115

[CONTD…]
 Many forensics tools, such as FTK, ILook, and X-Ways Forensics,
can produce a log report that records activities the investigator
performed.
 Then a built-in report generator is used to create a report in a variety
of formats.
 The following tools are some that offer report generators displaying
bookmarked evidence:
 EnCase
 FTK
 Ilook
 X-Ways Forensics
 ProDiscover
 The log report can be added to your final report as additional
documentation of the steps you took during the examination, which
can be useful if repeating the examination is necessary.
116

COMMAND-LINE FORENSICS TOOLS
 The first tools that analyzed and extracted data from
floppy disks and hard disks were MS-DOS tools for IBM
PC file systems.
 One of the first MS-DOS tools used for computer
investigations was Norton Disk Edit.
 This tool used manual processes that required
investigators to spend considerable time on a typical 500
MB drive.
 Eventually, programs designed for computer forensics
were developed for DOS, Windows, Apple, NetWare,
and UNIX systems.
117

[CONTD…]
 Some of these early programs could extract data from
slack and free disk space; others were capable only of
retrieving deleted files.
 Current programs are more robust and can search for
specific words or characters, import a keyword list to
search, calculate hash values, recover deleted items,
conduct physical and logical analyses, and more.
 Some command-line forensics tools are created
specifically for DOS/Windows platforms;
 others are created for Macintosh and UNIX/Linux. Because
there are many different versions of UNIX and Linux, these
OSs are often referred to as *nix platforms. 118

[CONTD…]
119

[CONTD…]
120

UNIX/LINUX FORENSICS TOOLS
 The *nix platforms have long been the primary
command-line OSs, but typical end users haven’t used
them widely.
 However, with GUIs now available with *nix platforms,
these OSs are becoming more popular with home and
corporate end users.
 There are several *nix tools for forensics analysis, such
as SMART, BackTrack, Autopsy with Sleuth Kit, and
Knoppix-STD.
 SMART is designed to be installed on numerous Linux
versions, including Gentoo, Fedora, SUSE, Debian,
Knoppix, Ubuntu, Slackware, and more. 121

[CONTD…]
 You can analyze a variety of file systems with SMART;
 SMART includes several plug-in utilities. This modular approach
makes it possible to upgrade SMART components easily and
quickly.
 SMART can also take advantage of multithreading capabilities in
OSs and hardware.
 Another useful option in SMART is the hex viewer. Hex values are
color-coded to make it easier to see where a file begins and ends.
 SMART also offers a reporting feature. Everything you do during
your investigation with SMART is logged, so you can select what
you want to include in a report, such as bookmarks.
122

[CONTD…]
 Helix One of the easiest suites to use is Helix because of
its user interface. What’s unique about Helix is that you
can load it on a live Windows system, Its Windows
component is used for live acquisitions
 During corporate investigations, often you need to
retrieve RAM and other data, such as the suspect’s user
profile, from a workstation or server that can’t be seized
or turned off.
 This data is extracted while the system is running and
captured in its state at the time of extraction.
123

[CONTD…]
 To do a live acquisition, insert the Helix CD into the
suspect’s machine. After clicking I ACCEPT in the
licensing window, you see the Helix menu
124

[CONTD…]
 BackTrack is another Linux Live CD used by many security
professionals and forensics investigators. It includes a variety of
tools and has an easy-to-use KDE interface.
 Autopsy and Sleuth Kit is a Linux forensics tool, and Autopsy is
the GUI browser interface for accessing Sleuth Kit’s tools.
 Knoppix Security Tools Distribution (STD) is a collection of tools
for configuring security measures, including computer and network
forensics.
 Note that Knoppix- STD is forensically sound, so it doesn’t allow
you to alter or damage the system you’re analyzing.
 If you boot this CD into Windows, Knoppix lists available tools.
Although many of the tools have GUI interfaces, some are still
command line only.
125

GUI FORENSICS TOOLS
 Several software vendors have introduced forensics tools
that work in Windows.
 Because GUI forensics tools don’t require the same
understanding of MS-DOS and file systems as
command-line tools, they can simplify computer
forensics investigations.
 These GUI tools have also simplified training for
beginning examiners; however, you should continue to
learn about and use command-line tools because some
GUI tools might miss critical evidence.
126

[CONTD…]
 GUI tools have several advantages, such as ease of use,
the capability to perform multiple tasks, and no
requirement to learn older OSs.
 Their disadvantages range from excessive resource
requirements (needing large amounts of RAM, for
example) and producing inconsistent results because of
the type of OS used, such as Windows Vista 32-bit or 64-
bit systems
127

FORENSIC WORKSTATIONS
 Many computer vendors offer a wide range of forensic
workstations that you can tailor to meet your
investigation needs.
 Forensic workstations can be divided into the following
categories:
 Stationary workstation—A tower with several bays and many
peripheral devices
 Portable workstation—A laptop computer with a builtin LCD
monitor and almost as many bays and peripherals as a
stationary workstation
 Lightweight workstation—Usually a laptop computer built
into a carrying case with a small selection of peripheral
options.
128

[CONTD…]
 Building Your Own Workstation
 If you have the time and skill to build your own forensic
workstation, you can customize it to your needs and save
money, although you might have trouble finding support for
problems that develop.
 For example, peripheral devices might conflict with one
another, or components might fail. If you build your own
forensic workstation, you should be able to support the
hardware.
 If you decide that building a forensic workstation is beyond
your skills, several vendors offer workstations designed for
computer forensics, such as the F.R.E.D. unit from Digital
Intelligence or the Dual Xeon Workstation from Forensic PC.
 Having a vendor-supplied workstation has its advantages.
129

[CONTD…]
 Using a Write-Blocker
 The first item you should consider for a forensic workstation
is a write-blocker.
 Write blockers protect evidence disks by preventing data
from being written to them.
 Software and hardware write-blockers perform the same
function but in a different fashion.
 Software write-blockers, such as PDBlock from Digital
Intelligence, typically run in a shell mode (for example,
DOS).
130

[CONTD…]
 [contd…]
 If you attempt to write data to the blocked drive, an alarm sounds,
advising that no writes have occurred.
 With hardware write-blockers, you can connect the evidence drive to
your workstation and start the OS as usual.
 Hardware write-blockers are ideal for GUI forensics tools.
 They prevent Windows or Linux from writing data to the blocked
drive.
 Hardware write-blockers act as a bridge between the suspect drive
and the forensic workstation.
 Many vendors have developed write-blocking devices that connect
to a computer through FireWire, USB 2.0, SATA, and SCSI
controllers.
 Most of these write-blockers enable you to remove and reconnect
drives without having to shut down your workstation, which saves
time in processing the evidence drive.
131

VALIDATING AND TESTING FORENSICS
SOFTWARE
 Using National Institute of Standards and Technology
(NIST) Tools :
 NIST has created criteria for testing computer forensics tools,
which are included in the articlen “General Test Methodology
for Computer Forensic Tools”.
 Testing Standards:
 Establish categories for computer forensics tools
 Identify computer forensics category requirements
 Develop test assertions
 Identify test cases
 Establish a test method
 Report test result 132

USING VALIDATION PROTOCOLS
 After retrieving and examining evidence data with one tool, you
should verify your results by performing the same tasks with other
similar forensics tools.
 For example, after you use one forensics tool to retrieve disk data,
you use another to see whether you retrieve the same information.
 Although this step might seem unnecessary, you might be asked on
the witness stand “How did you verify your results?” To satisfy the
need for verification, you need at least two tools to validate software
or hardware upgrades.
 The tool you use to validate the results should be well tested and
documented.
133

COMPUTER FORENSICS EXAMINATION
PROTOCOL
1. First, conduct your investigation of the digital evidence
with one GUI tool.
2. Then perform the same investigation with a disk editor
to verify that the GUI tool is seeing the same digital
evidence in the same places on the test or suspect drive’s
image.
3. If a file is recovered, obtain the hash value with the GUI
tool and the disk editor, and then compare the results to
verify whether the file has the same value in both tools.
134

COMPUTER FORENSICS TOOL UPGRADE
PROTOCOL
 In addition to verifying your results by using two disk-
analysis tools, you should test all new releases and OS
patches and upgrades to make sure they’re reliable and
don’t corrupt evidence data.
 New releases and OS upgrades and patches can affect the
way your forensics tools perform.
135

EXAMPLE - PRODISCOVER
136

[CONTD…]
137

[CONTD…]
STEP 1: AQUISITION
138

[CONTD…]
139

[CONTD…]
 Loads all the content
140

[CONTD….]
STEP 2: VALIDATION AND DISCRIMINATION
141
Prodiscvoer provides three hashing algorithms
•MD5 :- It is 128 bit hash. It is most commonly
used has algorithm in India.
•SHA-1 :- It is forensics more accurate & widely
recommended for forensics hash verification
•SHA-256 :- It is highly secured but time
consuming

[CONTD…]
STEP 3: EXTRACTION
 Data Carving
142

[CONTD…]
 Keyword Searching
143

[CONTD…]
STEP 4: RECONSTRUCTION
144

[CONTD…]
STEP 5: REPORTING
145

CS6004 Cyber Forensics - UNIT IV

More Related Content

What's hot (20)

Similar to CS6004 Cyber Forensics - UNIT IV (20)

More from ArthyR3 (20)

Recently uploaded (20)

CS6004 Cyber Forensics - UNIT IV