Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensication A data backup and verification chat. Backing up and ripping data, making test beds and using equipment. This fire talk will cover: Write-blockers.

Published byDomenic Parks Modified over 6 years ago

Similar presentations

Presentation on theme: "Forensication A data backup and verification chat. Backing up and ripping data, making test beds and using equipment. This fire talk will cover: Write-blockers."— Presentation transcript:

1 Forensication A data backup and verification chat. Backing up and ripping data, making test beds and using equipment. This fire talk will cover: Write-blockers (hardware), dd, sha256sum, exiftool.

2 Disclaimer (01 of 02) Formal forensics is a wide field and circles around the notion of backing up information, with minimal to no changes of the source data. Deeper forensic scope also involves analyzing the platform / Operating System, in order to determine OS level access (Example - thumbs.db folder indexers) versus manually viewed files.

3 Disclaimer (02 of 02) This talk is based on using your own test data to use analytic tools and to understand how they work, without worrying about client liability. Use some test data you are familiar with, as this makes finding 'the needle in the haystack' tremendously easier to find patterns. Testing with the tools will give you the comfort to provide services for others.

4 Backstory Howdy. I got into data imaging over the years from system building and also doing support for friends, family and businesses. Originally plugging a hard drive into another machine, I would target C:\Users and grab profile data. Also including application data and whatever else. After awhile I got into Linux for file ripping. Some files are protected in windows, even as a 2nd drive.

5 Tool usage There are plenty of tools and applications with forms you can use. However they can be quite expensive. Personally, I like having built-in command line tools available. Especially for the sake of booting up a live cd at any location and being able to work, based on what I'm being asked to do or recover.

6 Write Blocker Imaging Using a hardware write-blocker is an assured way to not modify the contents of the source drive. They are around $300 USD, so you have some cheaper options to do software write blocking... but if you forget to turn it on, you can contaminate your data source. (Such as browsing a folder, having windows make new thumbs.db files)

7

8 So how do you come up with the device names?
Imaging Drives Image the drive with dd: For a 500 GB HDD, it took about 3 hours. (results below) So how do you come up with the device names?

9 Verifying disk image Now that your drive is imaged, let's start verifying with the source drive, hooked up to the write-blocker. Now that your drive is imaged, let's start verifying with the source drive, hooked up to the write-blocker. Ignore the '^[[C' output as that was presses on the keyboard while the command ran. In the above, I hooked up the cloned drive, powered up the Write-blocker, confirmed the disc mounted, then calculated the cryptographic checksum Boom! It's a match :)

10 Cryptographic Checksums
There are plenty of options for generating checksums. While sha-1 and md5 are commonly used, there are some theoretical attacks against their memory space. Signature based anti-virus seems to have some clashes in the MD5 space. Tools to get a checksum for a file are: md5sum sha1sum sha256sum

11 File contents are as follows:
Checksum examples Here I made a text file, saved it then calculated what the file’s crypto hash is (in sha256). Making a second file with a single character change, I calculated that hash. File contents are as follows:

12 Other checksum examples
ISO downloads and similar downloads tend to use MD5, so here are some extra output examples. ISO downloads and similar downloads tend to use MD5, so here are some extra output examples.

13 Other checksum examples
ISO downloads and similar downloads tend to use MD5, so here are some extra output examples. ISO downloads and similar downloads tend to use MD5, so here are some extra output examples.

14 Starting out with the image path, let’s wget a local copy.
BONUS ROUND - exiftool Here I am grabbing the logo image from my site, then checking the image metadata for extra details. Starting out with the image path, let’s wget a local copy.

15 Exiftool (continued) Now that we have a local copy of ftb-logo.png, let’s see what details we get from the file.

16 Exiftool conclusion Checking the Modify Date we see it was modified on 2009/10/13 around 5:45 PM. This matches up to the logo creation date. Checking the Comment we see the image was edited in GIMP. I can confirm that as a fact, as I left the comment export option Looking at the File Modification Date/Time that is consistent to when I uploaded that file into Wordpress for my front page of the site. There are TONS of supported file types for use with the EXIFTOOL and this is only one tool. Have fun and explore!

17 Thank you(s) I am Ryan (Mitch-kow-ski) I have the is my web home.

Download ppt "Forensication A data backup and verification chat. Backing up and ripping data, making test beds and using equipment. This fire talk will cover: Write-blockers."

Similar presentations

COMPUTERS: TOOLS FOR AN INFORMATION AGE Chapter 3 Operating Systems.

COMPUTERS: TOOLS FOR AN INFORMATION AGE Chapter 3 Operating Systems.
Linux Orientation Computer Systems Lab Computer Sciences Department Room 2350.

Linux Orientation Computer Systems Lab Computer Sciences Department Room 2350.
Nero 9 Reloaded Simply Create, Rip, Burn, Copy, Share, Backup, Play, and Enjoy January 2010.

Nero 9 Reloaded Simply Create, Rip, Burn, Copy, Share, Backup, Play, and Enjoy January 2010.
Computer & Network Forensics

Computer & Network Forensics
Windows Overview LEIT 429x Steve Builta. Where we are going… Overview of operating Systems Overview of Windows 9x Take and Edit digital Photos.

Windows Overview LEIT 429x Steve Builta. Where we are going… Overview of operating Systems Overview of Windows 9x Take and Edit digital Photos.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
How to build your own computer And why it will save you time and money.

How to build your own computer And why it will save you time and money.
Downloading and Installing AutoCAD Architecture 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the software.

Downloading and Installing AutoCAD Architecture 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the software.
VMWare Workstation Installation. Starting Vmware Workstation Go to the start menu and start the VMware Workstation program. *Note: The following instructions.

VMWare Workstation Installation. Starting Vmware Workstation Go to the start menu and start the VMware Workstation program. *Note: The following instructions.
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.

Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.
Passwords, Encryption Forensic Tools

Passwords, Encryption Forensic Tools
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
Lesson 4 Computer Software

Lesson 4 Computer Software
Welcome to the Southeastern Louisiana University’s Online Employment Site Applicant Tutorial!

Welcome to the Southeastern Louisiana University’s Online Employment Site Applicant Tutorial!
‘ {] Chapter 2 (HW01) Getting Started with Windows 7.

‘ {] Chapter 2 (HW01) Getting Started with Windows 7.
Project 3 File, Document, Folder Management, Windows XP Explorer Windows XP Service Pack 2 Edition Comprehensive Concepts and Techniques.

Project 3 File, Document, Folder Management, Windows XP Explorer Windows XP Service Pack 2 Edition Comprehensive Concepts and Techniques.
ITE 1 Chapter 5. Chapter 5 is a Large Chapter It has a great deal of useful information about operating systems. You will find this VERY helpful when.

ITE 1 Chapter 5. Chapter 5 is a Large Chapter It has a great deal of useful information about operating systems. You will find this VERY helpful when.

Similar presentations

Ads by Google