Chapter 8 Forensic Duplication Spring 2016 - Incident Response & Computer Forensics.
Introduction
 Two types of duplications
   Simple duplication: copying specific data
   Forensic duplication: an accurate copy (an image of every accessible bit)
 The tool used to make the image must
   Have the ability to copy every bit of accessible data
   Create a forensic duplicate of the original storage medium
   Handle read errors in a robust and graceful manner
   Not make any changes to the source
   Generate results that are repeatable and verifiable

Forensic Image Formats
 There are three primary types of forensic images
   Complete disk
   Partition
     A subset of a complete disk image
     Contains all of the allocation units from a given partition, including unallocated space and slack space in that partition
     May be required under special circumstances
   Logical
     Simple duplication
     May be required under special circumstances

Image Integrity
 Generate cryptographic checksums
 Reasons
   To verify that the result is an exact duplicate
   To detect if the data is later modified

Traditional Duplication
 Performed on static drives
 Hardware write blockers
 Image creation tools
   dd and its variations (dcfldd, dc3dd)
   FTK Imager by AccessData
   EnCase by Guidance Software

dd and its Variations
 Weaknesses of dd
   No built-in capability to generate a cryptographic checksum
   Does not provide feedback during the process
 DCFLdd
   Developed by the US Department of Defense Computer Forensics Laboratory (DCFL)
   Derived from the original dd
   Available at: sourceforge.net/projects/dcfldd
 DC3dd
   Developed by the Defense Cyber Crime Center
   Also derived from the original dd
   Newer than DCFLdd – contains recent updates and features
   Available at: sourceforge.net/projects/dc3dd
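The two dd weaknesses named above (no built-in checksum, no feedback) and the integrity checks from the Image Integrity slide, as an added example that is not part of the original slides: a POSIX shell wrapper that copies a source bit for bit with plain dd, hashes source and image with SHA-256, and records the verdict in a log. The file paths and the sample source are constructed for the demonstration; on real media the source would be a device node behind a write blocker.

```shell
#!/bin/sh
# Added example: wrap plain dd so the script, not dd, supplies the checksum
# and the audit trail. Paths used here are constructed for the demo.

# hash_file FILE -> SHA-256 hex digest of FILE
# (uses sha256sum where available, otherwise shasum -a 256)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE block by block. conv=noerror,sync keeps dd going
# past unreadable blocks and pads them with zeros, so offsets in the image
# stay aligned with the source (the slides' "handle read errors gracefully").
# Caveat: sync also pads a short final block, so a source whose size is not
# a whole number of blocks will not hash-match its image; real media is
# block-aligned, and the demo source below is sized accordingly.
# GNU dd additionally offers status=progress for feedback, but it is not
# portable, so this wrapper relies on the log instead.
# Returns 0 when the image hashes the same as the source, 1 otherwise.
acquire_image() {
    src=$1; img=$2; log=$3
    src_hash=$(hash_file "$src")
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>>"$log"
    img_hash=$(hash_file "$img")
    printf 'source sha256=%s\nimage  sha256=%s\n' "$src_hash" "$img_hash" >>"$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified: image matches source" >>"$log"
        return 0
    fi
    echo "MISMATCH: image does not match source" >>"$log"
    return 1
}

# verify_image IMAGE EXPECTED_HASH -> 0 if the stored image still hashes to
# EXPECTED_HASH (the "detect if the data is later modified" check)
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Usage (constructed paths):
#   acquire_image /path/to/source.bin /path/to/source.img /path/to/acq.log
#   verify_image  /path/to/source.img "<digest recorded in acq.log>"
```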

FTK Imager and EnCase
 FTK Imager
   Available for MS Windows, Linux, and Mac OS
   Windows version is GUI based
     Full version
     Lite version: portable – will run directly from removable media
 EnCase
   Available for MS Windows and Linux

Live System Duplication
 Imaging a system that is actively running
   Not a preferred method
   May be the only option available under some circumstances
 Riskier
   No write blocker to prevent overwriting the evidence
   The process will make minor changes to the source system
   The image may not be an exact duplicate
     The source is dynamic

Live System Duplication
 Never install anything on the source drive
 Run tools from external media or network shares
 Use software that is lightweight to minimize the impact on the source
   Example: FTK Imager Lite