Slide 1: Lecture 3: Initial Assessment
6/4/2003, CSCE 590 Summer 2003
Slide 2: Collect the Most Volatile Evidence First
– Memory
– Swap space or page file
– Network status and connections
– Processes running
– Storage media
– Removable media
Slide 3: Preparation
– Assemble toolkits
– Clean your media before imaging evidence media to your media:
  # dd if=/dev/zero of={device}
– Clean a floppy:
  # dd if=/dev/zero of=/dev/fd0 bs=1024
  # dcfldd if=/dev/zero of=/dev/fd0 bs=1024 \
  > hashwindow=1024 hashlog=a:\hashlog.txt
Slide 4: dd and dcfldd
– Low-level command
– Copies bit for bit
– Does not 'know' the data structure of the data
– Can copy:
  – A single file
  – A piece of a file
  – A partition
  – Logical or physical disks
  – From stdin and to stdout
– dcfldd: dd with integrated MD5 hashing
Slide 5: dd and dcfldd Usage
Typical arguments:
– if=device: input file or device
– of=device: output file or device
– bs=#: block size, the amount of data transferred in one I/O operation (important on tape)
dcfldd:
– hashlog=a:\hashfile.txt: file the hashes are written to
– hashwindow=1024: hash every 1024 bytes
Slide 6: Mystery Tape Block Sizes
  # dd if=device bs=128k of=/tmp/tapetest \
  > count=1
– Reads data using a block size of 128k until it hits the first record gap
– If 128k isn't big enough, you get an error
– Else, the size of /tmp/tapetest = the block size of the tape
What kind of tape? tar, cpio, dump?
  # file /tmp/tapetest
Slide 7: Splitting an Image up
Copy 600 one-megabyte blocks per image; each slice skips the blocks already written (skip = 600 times the number of earlier slices), so the slices abut with no gap or overlap:
  # dd if=device of=media.slice1.img bs=1048576 count=600
  # dd if=device of=media.slice2.img bs=1048576 count=600 skip=600
  # dd if=device of=media.slice3.img bs=1048576 count=600 skip=1200
  # dd if=device of=media.slice4.img bs=1048576 count=600 skip=1800
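A worked version of this slicing, added here and not part of the lecture: a POSIX shell function that computes skip for every slice (so no block is dropped at a boundary), hashes each slice as it is written, in the spirit of the dcfldd hashwindow/hashlog options from the usage slide, and a check that the slices concatenated in order reproduce the source image's MD5. It assumes GNU coreutils dd and md5sum; the input file and its size are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the lecture). Assumes GNU coreutils dd and md5sum.
# split_image SRC PREFIX BS COUNT
#   Writes PREFIX.slice1.img, PREFIX.slice2.img, ... each holding COUNT blocks
#   of BS bytes. Slice N uses skip=(N-1)*COUNT, so the slices abut exactly:
#   an off-by-one here (skip=601 for the second slice) silently drops a block.
#   Each slice gets a sidecar .md5 file, like dcfldd's hashwindow/hashlog,
#   so a damaged slice can be identified without re-hashing the whole image.
#   Prints the number of slices written.
split_image() {
    src=$1; prefix=$2; bs=$3; count=$4
    total=$(wc -c < "$src" | tr -d ' ')
    n=1; skip=0
    while [ $((skip * bs)) -lt "$total" ]; do
        out="$prefix.slice$n.img"
        dd if="$src" of="$out" bs="$bs" count="$count" skip="$skip" 2>/dev/null
        md5sum "$out" > "$out.md5"
        skip=$((skip + count)); n=$((n + 1))
    done
    echo $((n - 1))
}

# verify_reassembly SRC PREFIX
#   Streams the slices back in numeric order (not glob order, which would put
#   slice10 before slice2) and compares the MD5 with the source's. Returns 0
#   when they match, i.e. the slices hold every byte of the image in sequence.
verify_reassembly() {
    src=$1; prefix=$2
    want=$(md5sum < "$src" | cut -d' ' -f1)
    got=$(i=1
          while [ -f "$prefix.slice$i.img" ]; do
              cat "$prefix.slice$i.img"; i=$((i + 1))
          done | md5sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# Stand-alone demo on a constructed 10340-byte "image" (a file, not a device):
# three slices of 4 x 1024-byte blocks, the last one short.
demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom of="$d/src.img" bs=1 count=10340 2>/dev/null
    slices=$(split_image "$d/src.img" "$d/media" 1024 4)
    verify_reassembly "$d/src.img" "$d/media" && echo "$slices slices, MD5 verified"
    rm -rf "$d"
}
```

Call demo to run it end to end; on real media replace the constructed file with the device and use bs=1048576 count=600 as on the slide.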
Slide 8: Typical UNIX Devices
– /dev/fd0: floppy
– /dev/st0: tape
– /dev/hda: first IDE hard drive
– /dev/hdb: second IDE hard drive
– /dev/sda: first SCSI hard drive
– /dev/sdb: second SCSI hard drive
Slide 9: Network dd
No local clean media on the victim machine, and you can't reboot yet:
– Use netcat (nc) and dd (you may want encryption too)
– Forensic rig with cleaned media:
  # nc -l -p 31337 | dd of=(local clean media)
– Victim system:
  # dd if=(local physical disk) | nc -w 3 \
  > forensic.rig.net 31337
– nc host port: send to host on port
– -w 3: wait 3 milliseconds between packets
– -l: listen mode (send mode is the default)
– -p port: listen on port, use with listen mode
Slide 10: Date and Time
Windows:
– Date
– Time
Unix:
– w
– date
Slide 11: System Configuration Information
Windows:
– psinfo
– at
– 'net' commands: accounts, file, session, share, start, use, user, view
Unix:
– df -k
– uname -a
– ifconfig -a
– uptime
Slide 12: Current Users
Windows:
– psloggedon
Unix:
– w
– who
Slide 13: Network Status and Connections
Windows:
– arp -a: IP to physical address
– netstat -anpr: open sockets
– fport: socket processes
– nbtstat: systems connected
Unix:
– arp -a: IP to physical address
– netstat -anpr: open sockets
– lsof -i: socket processes
– netstat: systems connected
Slide 14: Running Processes
Windows:
– procinterrogate -list
– pslist -x (check the other options too)
UNIX:
– ps -wwwaux
– ps -ef
– lsof
– kstat -P: find LKM-hidden processes (LKM = dynamically Loadable Kernel Modules, like device drivers)
– kstat -s: finds clues of LKM rootkits
– /proc: kernel data structures for processes
Slide 15: Swap Space or Page File
– When there isn't enough memory, chunks of processes are paged out to disk
– On older systems, entire processes are swapped out to disk
Windows:
  copy c:\pagefile.sys d:
  copy c:\win386.swp d:   (Win9x)
Unix:
– You get it when imaging the whole drive
Slide 16: Memory
Windows:
– Don't use the book's method
– Use the modified dd at http://users.erols.com/gmgarner/forensics/
  # dd if=\\.\PhysicalMemory conv=noerror \
  > | nc forensic.rig.net 31337
– Or use pmdump
Unix:
  # dd if=/dev/mem | nc forensic.rig.net 31337
  # dd if=/dev/kmem | nc forensic.rig.net 31337
  # dd if=/dev/kcore | nc forensic.rig.net 31337
Slide 17: Storage Media
– Image it, and work on the copies
– Use MD5 hashes
– Write blockers:
  – Software
  – Hardware
– busTRACE (http://www.bustrace.com/) for live imaging
Slide 18: Removable Media
– Make sure to flush pending writes (sync) to removable media before removing it
– Can be imaged like storage media
Slide 19: Physical Collection Issues
– Don't overlook fingerprints on the keyboard and mouse to place a person at the keyboard
– Evidence exposed to hazardous material, chemical weapons or toxic waste:
  – Have it evaluated and approved by HAZMAT experts
– Organic chemicals, biological matter, fingerprint, or other forensic tests:
  – The fingerprinting process (cyanoacrylate) will severely damage electronic media
  – Scraping can physically damage media (floppy)
Slide 20: Wet Media
Soaked or immersed electronic media:
– Keep it immersed in distilled water
– Drying in uncontrolled conditions can lead to deposits
– Photograph any paper labels on magnetic media before immersion in distilled water
Tape or floppy that is just a little wet:
– Seal in a plastic bag, don't immerse
Paper, cellulose-based media, printouts:
– Freeze or freeze-dry if wet
Slide 21: Wet Media
Flood damage:
– Immerse and flush with clean water
– Salt water: place in a container or plastic bag with enough ocean water to keep it immersed, then immerse and flush it in distilled water ASAP
Immersion may cause biological evidence to deteriorate:
– Separate samples before immersion if they are plentiful or it is easy
– Be aware and make judgment calls
Slide 22: Tape: Physical Issues
Age, disuse, poor storage conditions:
– Layers can become sticky and stick together or to the read head
– Static buildup increases read error rates
– Unrolling untreated tape can cause the oxide layer to be torn from the substrate
Collect all pieces; they can help with splices
Ship to a lab to be processed and reconditioned
Slide 23: Reading for Lectures 2-5
– Mandia/Prosise: Chapters 2-5, 9
– Casey: Chapter 2 (in the Reading Room)
Homework 1: Due Monday, June 9, 2003