Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition Chapter 10 Computer Forensics Analysis

Objectives
- Understand computer forensics analysis
- Use DriveSpy to analyze computer data
- Use AccessData’s Forensic Toolkit (FTK)
Guide to Computer Forensics and Investigations, 2e

Objectives (continued)
- Use EnCase to analyze computer data
- Perform a computer forensics analysis
- Address data-hiding techniques

Understanding Computer Forensics Analysis
- Examining and analyzing digital evidence is shaped by:
  - Nature of the case
  - Amount of data to process
  - Search warrants
  - Court orders
  - Company policies
  - Scope creep
  - Right of full discovery of digital evidence

Refining the Investigation Plan
Steps:
- Determine the scope of the investigation
- Estimate the number of hours needed to complete the case
- Determine whether you should collect all information
- Plan what to do in case of scope creep
- Determine whether you have adequate resources
- Establish the deadline

Refining the Investigation Plan (continued)
- After you refine your plan, acquire the evidence
- Examine the evidence
- Review the latest changes in technology:
  - Find new places for hiding information
  - Learn of new methods for storing data
  - Verify that your tools still work
- Determine the suspect’s motive

Using DriveSpy to Analyze Computer Data
- Files: DriveSpy.exe, DriveSpy.ini, DriveSpy.hlp
- DriveSpy.ini sections:
  - License
  - File Headers
  - File Groups
  - Search

Using DriveSpy to Analyze Computer Data (continued)
- File Headers
  - Hexadecimal values at the start of a file
  - Identify known file types even if the extension is different
  - You can add more headers
- File Groups
  - Consolidate similar file types
  - Search for several header types at one time
  - You can define your own groups
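The File Headers and File Groups ideas above, worked through as an added example (this is not DriveSpy's code or its DriveSpy.ini contents). The header table uses the public magic numbers for a handful of formats; the choice of formats, the group names, and the sample files are constructed for the example. identify() checks a blob's header, check_extension() flags a file whose extension disagrees with its header, and scan_group() runs every header of a group over a raw buffer in one pass, the way a group search would over unallocated space.

```python
"""Header-based file identification, in the spirit of DriveSpy's File Headers and File Groups."""
from typing import Dict, List, Optional, Tuple

# Hypothetical header table: (offset within the file, expected bytes).
# The byte values are the well-known public magic numbers for each format;
# the selection of formats is a constructed subset, not DriveSpy.ini's own list.
FILE_HEADERS: Dict[str, Tuple[int, bytes]] = {
    "jpg": (0, b"\xff\xd8\xff"),
    "png": (0, b"\x89PNG\r\n\x1a\n"),
    "gif": (0, b"GIF8"),
    "pdf": (0, b"%PDF"),
    "zip": (0, b"PK\x03\x04"),
    "exe": (0, b"MZ"),
}

# Hypothetical file groups: one name covers several header types, so a single
# pass can search for every member of the group.
FILE_GROUPS: Dict[str, List[str]] = {
    "images": ["jpg", "png", "gif"],
    "archives": ["zip"],
    "executables": ["exe"],
    "documents": ["pdf"],
}


def identify(data: bytes) -> Optional[str]:
    """Return the type implied by the header bytes, or None if no header matches."""
    # Try longer signatures first so a more specific header wins over a shorter one.
    ordered = sorted(FILE_HEADERS.items(), key=lambda kv: -len(kv[1][1]))
    for ftype, (offset, magic) in ordered:
        if data[offset:offset + len(magic)] == magic:
            return ftype
    return None


def check_extension(filename: str, data: bytes) -> Dict[str, object]:
    """Compare the type the extension claims with the type the header shows."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = identify(data)
    return {
        "file": filename,
        "claimed": claimed,
        "detected": detected,
        # A mismatch only means something when the header was recognised at all.
        "mismatch": detected is not None and detected != claimed,
    }


def scan_group(raw: bytes, group: str) -> List[Tuple[int, str]]:
    """Find every header of a group inside a raw buffer (for example unallocated
    space) and report the offset at which each candidate file would start."""
    hits: List[Tuple[int, str]] = []
    for ftype in FILE_GROUPS[group]:
        offset, magic = FILE_HEADERS[ftype]
        start = 0
        while (pos := raw.find(magic, start)) != -1:
            hits.append((pos - offset, ftype))
            start = pos + 1
    return sorted(hits)


# Constructed sample data: a JPEG header saved under a .txt name, and a raw buffer
# with two image headers buried after filler bytes.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 28
SAMPLE_RAW = b"\x00" * 64 + b"\x89PNG\r\n\x1a\n" + b"\x00" * 40 + b"GIF89a" + b"\x00" * 10

if __name__ == "__main__":
    print(check_extension("notes.txt", SAMPLE_JPEG))
    print(scan_group(SAMPLE_RAW, "images"))
```

A short signature such as "MZ" matches by chance more often than an eight-byte PNG header does, which is one reason header hits (like keyword hits) need to be confirmed by looking at the data rather than taken at face value.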

Using DriveSpy to Analyze Computer Data (continued)
- Search
  - Include keywords
  - Defines the level of accuracy
  - Not case sensitive
  - Can produce false-positive hits
  - Use hex values for special characters or keywords

DriveSpy Keyword Searching
- Search at the physical level (Drive mode) or the logical level (Partition mode)
- Use the Output command to create a log
- Drive mode supports other file systems: NTFS, HFS, UNIX/Linux
- Searches in partition gaps
- Cannot analyze archived or encrypted files
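The physical-level, case-insensitive, hex-capable search described in the Search and Keyword Searching slides, as an added example rather than DriveSpy's own implementation. It reads the image in chunks and carries the tail of each chunk into the next, which is the edge case a naive chunked search gets wrong: a keyword that straddles a chunk boundary is silently missed. The image bytes, keywords and chunk size are constructed for the example; hex_keyword() is a helper name chosen here.

```python
"""Physical-level keyword search over a raw disk image, chunked with overlap."""
import io
from typing import BinaryIO, List, Tuple

CHUNK_SIZE = 4096  # read size for the example; production code would use megabytes


def hex_keyword(hex_text: str) -> bytes:
    """Turn a keyword written as hex ("70 61 79") into bytes, for patterns that
    contain non-printable characters or that a text search would mangle."""
    return bytes.fromhex(hex_text.replace(" ", ""))


def search_raw(stream: BinaryIO, keywords: List[bytes], case_sensitive: bool = False,
               chunk: int = CHUNK_SIZE) -> List[Tuple[int, bytes]]:
    """Scan a stream byte by byte, ignoring file-system structure, so hits in
    partition gaps, slack and unallocated space are found as readily as hits
    in files. Returns (absolute offset, keyword) pairs.

    A tail of (longest keyword - 1) bytes is carried from one chunk into the
    next so that a keyword straddling a chunk boundary is still matched."""
    overlap = max(len(k) for k in keywords) - 1
    hits: List[Tuple[int, bytes]] = []
    carry = b""       # bytes re-examined from the previous chunk
    buf_base = 0      # absolute offset of buf[0]
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf = carry + block
        hay = buf if case_sensitive else buf.lower()
        for kw in keywords:
            needle = kw if case_sensitive else kw.lower()
            start = 0
            while (pos := hay.find(needle, start)) != -1:
                # A match that ends inside the carried bytes was already
                # reported while scanning the previous chunk.
                if pos + len(needle) > len(carry):
                    hits.append((buf_base + pos, kw))
                start = pos + 1
        carry = buf[-overlap:] if overlap > 0 else b""
        buf_base += len(buf) - len(carry)
    return sorted(hits)


# Constructed image: "Confidential" is placed so that it straddles the first
# 4096-byte chunk boundary, an upper-case copy follows, then a file name.
SAMPLE_IMAGE = (
    b"\x00" * 4090 + b"Confid" + b"ential memo\x00"
    + b"\x00" * 100 + b"CONFIDENTIAL\x00"
    + b"\x00" * 50 + b"payroll.xls\x00"
)
KEYWORDS = [b"confidential", hex_keyword("70 61 79 72 6f 6c 6c")]  # "payroll" given as hex


def demo() -> List[Tuple[int, bytes]]:
    return search_raw(io.BytesIO(SAMPLE_IMAGE), KEYWORDS)


if __name__ == "__main__":
    for offset, kw in demo():
        print(f"0x{offset:08x}  {kw.decode()}")
```

Because the search ignores file-system structure, it also explains the slide's two caveats: a hit can land in a partition gap or unallocated space that no file owns (so every hit must be traced back to where it sits), and keywords inside compressed or encrypted content never appear as plain bytes, so this kind of search cannot see them.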

DriveSpy Scripts
- Run predefined commands
- Similar to DOS batch files
- Usable in all three DriveSpy modes
- Creating a script:
  - Use any text editor (Notepad)
  - Enter each command line by line
  - Scripts can call other script files

DriveSpy Scripts (continued)
Example: (script screenshot not captured in the transcript)

DriveSpy Data Integrity Tools
- Wipe
  - Overwrites residual, possibly sensitive data that could otherwise corrupt output data
  - Works on sectors, partitions, drives, unallocated space, and the MBR
  - Available in Drive and Partition modes

DriveSpy Integrity Tools (continued)
- MD5
  - RFC-compliant MD5 function
  - Hashes an entire partition or specific files
  - Available in Drive and Partition modes
- Dbexport
  - Creates a text file of all specified data in a file or disk
  - Works only in Partition mode

DriveSpy Residual Data Collection Tools
- Recover deleted files and unused space
- SaveSlack
  - Copies slack space from files on a partition
  - Output files use an 8.3 filename with .dat as the extension
  - Works only in Partition mode
- SaveFree
  - Collects all unallocated disk space on a partition

Other Useful DriveSpy Command Tools
- Get FAT Entry (GFE)
- Chain FAT Entry (CFE)
- Chain Directory Entry (CDE)
- Trace Directory Cluster (TDC)

Other Useful DriveSpy Command Tools (continued)
- Cluster
- Boot
- PartMap
- Tables
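What the residual-data and FAT command tools on the last three slides actually do, worked through on a tiny FAT16 volume as an added example (not DriveSpy's code). The volume is constructed in build_sample_image(): a 1100-byte MEMO.TXT spans clusters 2, 3 and 5, cluster 4 is free but still contains the residue of a deleted file, and the unused tail of cluster 5 holds slack from an earlier, larger file. Fat16Volume reads the BPB fields from the boot sector (layout per the FAT specification) and then shows the equivalents of GFE (vol.fat[n]), CFE (chain), TDC/Cluster (cluster_offset, read_cluster), CDE on the root directory (list_root), SaveSlack (save_slack) and SaveFree (save_free). Class and method names are this example's own.

```python
import struct
from typing import List, Tuple

SECTOR = 512


def build_sample_image() -> bytes:
    """Constructed FAT16 volume: 1 reserved sector, 1 FAT of 1 sector, 16 root
    entries, 1 sector per cluster; MEMO.TXT (1100 bytes) is in clusters 2 -> 3 -> 5."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"
    # BPB: bytes/sector, sectors/cluster, reserved sectors, FAT count, root entries,
    # total sectors, media byte, sectors/FAT (offsets 11..23 per the FAT spec)
    struct.pack_into("<HBHBHHBH", boot, 11, SECTOR, 1, 1, 1, 16, 11, 0xF8, 1)
    boot[510:512] = b"\x55\xaa"
    fat = [0] * (SECTOR // 2)
    fat[0], fat[1] = 0xFFF8, 0xFFFF          # media descriptor / reserved entries
    fat[2], fat[3], fat[5] = 3, 5, 0xFFFF    # chain 2 -> 3 -> 5 -> end of chain
    fat_bytes = struct.pack("<%dH" % len(fat), *fat)
    root = bytearray(16 * 32)
    root[0:11] = b"MEMO    TXT"              # 8.3 name, space padded
    root[11] = 0x20                          # attribute byte: archive
    struct.pack_into("<HI", root, 26, 2, 1100)  # first cluster, file size
    data = bytearray(SECTOR * 8)             # clusters 2..9
    data[0:512] = b"A" * 512                 # cluster 2
    data[512:1024] = b"B" * 512              # cluster 3
    residue = b"deleted draft of the memo"   # cluster 4 is free but not blank
    data[1024:1024 + len(residue)] = residue
    data[1536:1536 + 76] = b"C" * 76         # cluster 5: last 76 bytes of MEMO.TXT
    slack = b"leftover from an earlier, larger file"
    data[1536 + 76:1536 + 76 + len(slack)] = slack
    return bytes(boot + fat_bytes + root + data)


class Fat16Volume:
    def __init__(self, image: bytes):
        self.image = image
        (self.bps, self.spc, self.reserved, self.nfats, self.root_entries,
         _total, _media, self.spf) = struct.unpack_from("<HBHBHHBH", image, 11)
        fat_start = self.reserved * self.bps
        n_entries = self.spf * self.bps // 2
        self.fat = list(struct.unpack_from("<%dH" % n_entries, image, fat_start))  # GFE: self.fat[n]
        self.root_start = fat_start + self.nfats * self.spf * self.bps
        self.data_start = self.root_start + self.root_entries * 32
        self.cluster_size = self.spc * self.bps
        self.n_clusters = (len(image) - self.data_start) // self.cluster_size

    def cluster_offset(self, n: int) -> int:          # TDC: cluster number -> byte offset
        return self.data_start + (n - 2) * self.cluster_size

    def read_cluster(self, n: int) -> bytes:          # Cluster: raw contents of one cluster
        off = self.cluster_offset(n)
        return self.image[off:off + self.cluster_size]

    def chain(self, first: int) -> List[int]:         # CFE: follow the FAT from a first cluster
        out, seen, n = [], set(), first
        while 2 <= n <= 0xFFEF:                       # valid data cluster numbers
            if n in seen:
                raise ValueError("FAT chain loops at cluster %d" % n)
            seen.add(n)
            out.append(n)
            n = self.fat[n]                           # 0 = free, 0xFFF7 = bad, >= 0xFFF8 = end
        return out

    def list_root(self) -> List[Tuple[str, int, int]]:   # CDE on the root directory
        entries = []
        for i in range(self.root_entries):
            e = self.image[self.root_start + i * 32:self.root_start + (i + 1) * 32]
            if e[0] == 0:                             # first never-used entry ends the list
                break
            name = e[0:8].decode("ascii").rstrip() + "." + e[8:11].decode("ascii").rstrip()
            first, size = struct.unpack_from("<HI", e, 26)
            entries.append((name.rstrip("."), first, size))
        return entries

    def read_file(self, first: int, size: int) -> bytes:
        return b"".join(self.read_cluster(c) for c in self.chain(first))[:size]

    def save_slack(self, first: int, size: int) -> bytes:   # SaveSlack: unused tail of the last cluster
        clusters = self.chain(first)
        if not clusters:
            return b""
        used_in_last = size - (len(clusters) - 1) * self.cluster_size
        return self.read_cluster(clusters[-1])[used_in_last:]

    def save_free(self) -> bytes:                     # SaveFree: every cluster the FAT marks free
        free = [n for n in range(2, 2 + self.n_clusters) if self.fat[n] == 0]
        return b"".join(self.read_cluster(n) for n in free)


if __name__ == "__main__":
    vol = Fat16Volume(build_sample_image())
    name, first, size = vol.list_root()[0]
    print(name, vol.chain(first), len(vol.save_slack(first, size)), len(vol.save_free()))
```

The loop check in chain() matters on real evidence: a damaged or deliberately edited FAT can point a cluster back at itself, and a tool that follows the chain blindly never terminates.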

Using Other Digital Intelligence Computer Forensics Tools
- Using PDBlock
  - Prevents data from being written to a disk drive
  - Can be used only at a true MS-DOS level
  - Turns off the BIOS’s Interrupt 13
- Using PDWipe
  - Overwrites hard disk drives
  - For sanitization purposes
  - Wipe the disk at least three to seven times

Using AccessData’s Forensic Toolkit
- Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
- Interacts with other tools:
  - EnCase, SafeBack, SaveSect
  - Linux or UNIX dd command
- Known File Filter (KFF)
  - Can detect even child pornography evidence
  - Uses digital hash signatures

Using AccessData’s Forensic Toolkit (continued)
- Log file
- Searching for keywords
  - Indexed search
  - Live search
  - You can specify options
- Analyzes compressed and encrypted files
- You can generate reports using bookmarks

Using Guidance Software’s EnCase
- Can access hard drives remotely
- Floppy and CD boot disks
- Built-in software write-blocker
- Built-in search feature
- GUI-based application

Using Guidance Software’s EnCase (continued)
- Options
  - Bookmarks
  - File signatures and hash sets
  - Security identifiers (SIDs)
  - Keywords
- View
  - Gallery
  - Mail

Using Guidance Software’s EnCase (continued)
- Timeline: when items were created, deleted, or modified
- Report view
- Powerful scripting feature
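The timeline idea, as an added example that is not EnCase's code: take the created/modified/accessed (and deletion) stamps of each file, turn every stamp into one event, sort, and narrow to the window the case cares about. The file records, paths and timestamps are constructed; the example assumes the stamps were already normalised to UTC when the image was processed. The last function shows one pattern a timeline makes visible: a file whose created stamp is later than its modified stamp.

```python
"""Build a file-activity timeline from MAC times, as EnCase's Timeline view presents them."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Event = Tuple[datetime, str, str]   # (when, what happened, path)

# Constructed file records; paths and timestamps are invented for this example.
RECORDS: List[Dict[str, Optional[str]]] = [
    {"path": "C:/Users/sam/Documents/budget.xlsx",
     "created": "2009-03-02T09:15:00", "modified": "2009-03-02T17:40:00",
     "accessed": "2009-03-03T08:02:00", "deleted": None},
    {"path": "C:/Users/sam/Documents/plan.docx",
     "created": "2009-03-03T10:00:00", "modified": "2009-02-20T12:30:00",
     "accessed": "2009-03-03T10:00:00", "deleted": None},
    {"path": "C:/Users/sam/AppData/Local/Temp/~tmp1.dat",
     "created": "2009-03-03T10:05:00", "modified": "2009-03-03T10:05:00",
     "accessed": "2009-03-03T10:05:00", "deleted": "2009-03-03T10:06:00"},
]


def parse_ts(text: str) -> datetime:
    """Stamps are assumed to have been normalised to UTC during processing."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def build_timeline(records) -> List[Event]:
    """One event per populated MAC (and deletion) stamp, in chronological order."""
    events: List[Event] = []
    for rec in records:
        for kind in ("created", "modified", "accessed", "deleted"):
            if rec[kind]:
                events.append((parse_ts(rec[kind]), kind, rec["path"]))
    return sorted(events)


def events_between(timeline: List[Event], start: str, end: str) -> List[Event]:
    """Narrow the timeline to the window the case cares about (inclusive)."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [e for e in timeline if lo <= e[0] <= hi]


def created_after_modified(records) -> List[str]:
    """A created stamp later than the modified stamp usually means the file was
    copied onto this volume after it was last edited elsewhere; either way the
    file's origin needs explaining in the report."""
    return [r["path"] for r in records if parse_ts(r["created"]) > parse_ts(r["modified"])]


if __name__ == "__main__":
    for when, kind, path in build_timeline(RECORDS):
        print(when.isoformat(), kind.ljust(8), path)
    print("copied-in candidates:", created_after_modified(RECORDS))
```

Sorting on the full tuple keeps events with identical stamps in a stable order, which matters when the same second holds a create, an access and a delete of a temporary file, as the third record does.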

Approaching Computer Forensics Cases
- Know exactly what the case requires
- Simply follow the leads you uncover
- Physical evidence
- Digital evidence

Performing a Computer Forensics Analysis
Steps:
- Use recently wiped target disks
- Inventory the suspect’s hardware
- Remove the original disk and check the date and time in CMOS
- Record the data acquisition steps
- Process the data methodically and logically
- List all directories and files on the copied image

Performing a Computer Forensics Analysis (continued)
Steps (continued):
- If possible, examine all directories and files, starting at the root
- Recover the content of encrypted files
- Create a document with the directory and file names on the evidence disk
- Identify the function of every executable file
- Always maintain control of the evidence
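Three of the items above come together in one script: listing every directory and file on the copied image, hashing each file (the MD5 function on the DriveSpy slide) and running the hashes against a known-file set (FTK's KFF). This is an added example, not code from any of those tools. The evidence tree, the two "known" files and the hash set are constructed inside the example so it runs offline; a real KFF-style set is built from reference collections such as NSRL, not from the evidence under examination.

```python
"""Inventory every file on a copied image, hash it, and tag it against a known-file hash set."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def file_hashes(path: Path, chunk: int = 1 << 20) -> Tuple[str, str]:
    """Stream the file so large images do not need to fit in memory. MD5 is what
    the tools on this page use; SHA-256 is recorded alongside it because MD5
    collisions are practical and a second, stronger hash costs little."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def inventory(root: Path, known: Dict[str, str]) -> List[Dict[str, object]]:
    """Walk the mounted image recursively and return one row per file.
    `known` maps an MD5 to a verdict ("ignore" for known OS files, "alert" for
    known contraband), which is how a KFF-style filter shortens the review."""
    rows = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            md5, sha256 = file_hashes(path)
            rows.append({
                "path": path.relative_to(root).as_posix(),
                "size": path.stat().st_size,
                "md5": md5,
                "sha256": sha256,
                "kff": known.get(md5, "unknown"),
            })
    return rows


def report(rows: List[Dict[str, object]]) -> str:
    """Tab-separated listing suitable for the case file."""
    lines = ["path\tsize\tmd5\tsha256\tkff"]
    lines += ["\t".join(str(r[k]) for k in ("path", "size", "md5", "sha256", "kff")) for r in rows]
    return "\n".join(lines)


# Constructed evidence tree standing in for a mounted, read-only image copy.
KNOWN_OS_FILE = b"MZ" + b"\x90" * 100          # stands in for an OS executable
KNOWN_BAD_FILE = b"constructed known-bad sample"


def make_sample_tree() -> Path:
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    (root / "Windows").mkdir()
    (root / "Docs").mkdir()
    (root / "Windows" / "notepad.exe").write_bytes(KNOWN_OS_FILE)
    (root / "Docs" / "letter.txt").write_text("Dear Sam, ...")
    (root / "Docs" / "cache.bin").write_bytes(KNOWN_BAD_FILE)
    return root


# Hash set constructed from the samples above; a real KFF set comes from a
# reference collection such as NSRL, never from the evidence itself.
KNOWN_HASHES = {
    hashlib.md5(KNOWN_OS_FILE).hexdigest(): "ignore",
    hashlib.md5(KNOWN_BAD_FILE).hexdigest(): "alert",
}


if __name__ == "__main__":
    print(report(inventory(make_sample_tree(), KNOWN_HASHES)))
```

The "ignore" verdict is what removes thousands of unmodified operating-system files from the examiner's view; the "alert" verdict is what the KFF slide means by detecting known contraband from its hash alone, without opening the file.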

Performing Forensic Analysis on Microsoft File Systems
- Recommendations
  - Run antivirus on bit-stream disk-to-disk copies
  - Examine all boot files
  - Recover all deleted files, slack, and unallocated space
- FAT disk forensic analysis
  - Create image volumes and store them on CDs
  - Be alert for compressed partitions

Performing Forensic Analysis on Microsoft File Systems (continued)
- NTFS analysis tools
  - DriveSpy
  - NTI DiskSearch NT
  - NTFSDOS
- GUI tools
  - FTK, EnCase, ProDiscover DFT, FactFind, and iLook

UNIX and Linux Forensic Analysis
- Windows forensics tools
  - EnCase
  - FTK
  - iLook
- UNIX and Linux forensics tools
  - Sleuthkit
  - Knoppix-STD
  - Autopsy
  - TASK

Addressing Data-hiding Techniques
- File manipulation
  - File names and extensions
  - Hidden property
- Disk manipulation
  - Hidden partitions
  - Bad clusters
- Encryption
- Bit shifting
- Steganography

Hiding Partitions
- Delete references to a partition
- Re-create links for accessing it
- Use disk-partitioning utilities:
  - PartitionMagic
  - System Commander
  - LILO
- Account for all disk space when analyzing a disk
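"Account for all disk space" made concrete, as an added example that is not from the book or any tool it names: parse the four entries of an MBR partition table, sort them by starting sector, and report every run of sectors that no entry claims. A partition whose table entry has been deleted shows up as exactly such a run. The MBR and the disk's total sector count are constructed for the example; the entry layout (status, CHS start, type, CHS end, LBA start, sector count, 16 bytes each from offset 446, signature 55 AA at 510) is the standard MBR format.

```python
"""Parse an MBR partition table and account for every sector on the disk."""
import struct
from typing import Dict, List, Tuple

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446


def build_sample_mbr() -> bytes:
    """Constructed MBR: a FAT32 partition at LBA 63 and an NTFS partition at
    LBA 40000, leaving a large unreferenced region between them."""
    mbr = bytearray(512)
    entries = [(0x80, 0x0B, 63, 20000), (0x00, 0x07, 40000, 10000)]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature; not an MBR-partitioned disk or sector 0 is damaged")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, start, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype != 0 and count != 0:           # empty slots are all zero
            parts.append({"slot": i, "bootable": int(status == 0x80),
                          "type": ptype, "start": start, "count": count})
    return sorted(parts, key=lambda p: p["start"])


def unaccounted_space(parts: List[Dict[str, int]], total_sectors: int) -> List[Tuple[int, int]]:
    """Return (start, length) of every sector run no partition entry claims.
    Sector 0 is the MBR itself, so accounting starts at sector 1. Small runs
    are normal alignment padding; a run the size of a partition is not."""
    gaps, cursor = [], 1
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["count"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


DISK_SECTORS = 60000   # total sector count as recorded during acquisition (constructed)

if __name__ == "__main__":
    parts = parse_partitions(build_sample_mbr())
    for p in parts:
        print("slot %d type 0x%02x start %d count %d" % (p["slot"], p["type"], p["start"], p["count"]))
    for start, length in unaccounted_space(parts, DISK_SECTORS):
        print("unreferenced: sectors %d-%d (%d sectors)" % (start, start + length - 1, length))
```

Two limits worth knowing before relying on this: an extended partition (type 0x05 or 0x0F) contains its own chain of EBRs that must be walked to account for the logical partitions inside it, and a GPT disk keeps its real table elsewhere behind a protective MBR, so neither is handled by the four-entry parse above. In both cases the physical-level search in the keyword-searching section still reaches the unreferenced sectors, which is why the two checks complement each other.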

Marking Bad Clusters
- Place sensitive information in free space
- Use a disk editor to mark that space as a bad cluster
- Common with FAT systems
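The examiner's side of the bad-cluster trick, as an added example not drawn from the book: list every cluster the FAT marks bad (0xFFF7 in FAT16) and look at what is actually stored there. The FAT and data region are constructed so that one "bad" cluster holds ordinary text and another is genuinely blank; the printable-ratio heuristic and the suspicious flag are this example's own choices.

```python
"""Find clusters a FAT marks bad and check whether they hold readable data."""
import string
from typing import Dict, List

BAD_CLUSTER = 0xFFF7           # FAT16 marker for an unusable cluster
CLUSTER_SIZE = 512
PRINTABLE = set(string.printable.encode())


def bad_clusters(fat: List[int]) -> List[int]:
    """Cluster numbers whose FAT entry carries the bad-cluster marker (entries 0 and 1 are reserved)."""
    return [n for n, entry in enumerate(fat) if n >= 2 and entry == BAD_CLUSTER]


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def inspect_bad_clusters(fat: List[int], data_region: bytes) -> List[Dict[str, object]]:
    """Summarise the contents of each cluster marked bad. Cluster 2 is the first
    cluster of the data region. A 'bad' cluster that reads as clean text is worth
    a close look: a real media defect does not yield well-formed ASCII, and modern
    drives remap failing sectors in firmware, so a FAT-level bad mark on a disk
    that otherwise reads fine is unusual in itself."""
    findings = []
    for n in bad_clusters(fat):
        off = (n - 2) * CLUSTER_SIZE
        content = data_region[off:off + CLUSTER_SIZE]
        payload = content.rstrip(b"\x00")          # ignore zero fill after the data
        ratio = printable_ratio(payload)
        findings.append({
            "cluster": n,
            "all_zero": not payload,
            "printable_ratio": round(ratio, 2),
            "suspicious": bool(payload) and ratio > 0.9,
            "preview": payload[:32],
        })
    return findings


# Constructed FAT and data region: cluster 7 is marked bad but contains text,
# cluster 8 is marked bad and is blank.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 0xFFFF, 0, 0, 0, BAD_CLUSTER, BAD_CLUSTER, 0]
_buf = bytearray(CLUSTER_SIZE * 8)
_text = b"meeting notes: offer accepted, funds moved Friday (text placed in a cluster marked bad)"
_buf[(7 - 2) * CLUSTER_SIZE:(7 - 2) * CLUSTER_SIZE + len(_text)] = _text
SAMPLE_DATA = bytes(_buf)


if __name__ == "__main__":
    for finding in inspect_bad_clusters(SAMPLE_FAT, SAMPLE_DATA):
        print(finding)
```

Tools that only read allocated files never show these clusters, which is why the page's advice to recover slack and unallocated space matters: clusters marked bad are, from the file system's point of view, just another kind of space no file owns.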

Bit-shifting
- Old technique
- Shift bit patterns to alter the byte values of data
- Makes files look like binary executable code
- Tool: Hex Workshop

Using Steganography
- From the Greek for “hidden writing”
- A suspect can hide information in image or text document files
- Very hard to spot without prior knowledge
- Tools
  - S-Tools
  - DPEnvelope
  - jpgx
  - tte

Examining Encrypted Files
- Encryption prevents unauthorized access
- Password or passphrase
- Recovering data is difficult without the password
- Key escrow
- Cracking the password
  - Requires experts and powerful computers
  - Persuade the suspect to reveal the password

Recovering Passwords
- Dictionary attack
- Brute-force attack
- Password guessing based on the suspect’s profile
- Tools
  - PRTK
  - Advanced Password Recovery Software Toolkit
  - @stake’s LC5 (L0phtCrack)

Summary
- Scope creep
- Determine where the digital evidence is most likely stored
- DriveSpy.ini comprises four sections
- DriveSpy scripting capability
- PDBlock and PDWipe tools

Summary (continued)
- Forensic Toolkit (FTK)
- Prepare your target disk
  - Wipe it at least three to seven times
  - Check for viruses
- UNIX and Linux are used on Web servers
- Data hiding occults digital evidence
- Steganography as a way to hide information