
CSCD 496 Computer Forensics


1 CSCD 496 Computer Forensics
Lecture 6: Tools for Computer Forensics, Winter 2010

2 Introduction
A successful Computer Forensics investigator must have a lot of tools!
Think of tools like:
  Batman's utility belt
  James Bond's special devices
While you won't be sticking to walls ...

3 Introduction
Computer Security is similar to Digital Forensics
  Both need knowledge of OSs, networks, software vulnerabilities, and defensive software: firewalls, anti-virus software, intrusion detection
Digital Forensics differs
  Evidence is the focus, not preventing compromise
  Specialized tools become critical to collecting and preserving evidence

4 Goal of Having Tools
Prior to investing time/money in tool(s), ask: What will the tool do for me?
  Automated features – save time
  Allow examination of new file systems
  Vendor reputation – increases confidence in results

5 Types of Tools
Two main categories of tools
  Hardware tools
    Range from simple single-purpose components to complete forensics systems
  Software tools
    Most common
    Windows- and Linux-based
    Simple image makers to full-featured programs
Frequently use both in collecting and preserving evidence

6 Investigative Process Model
The diagram on this slide reads bottom to top; the stages in order are:
  Incident alerts or accusation (begins with incident alert)
  Assessment of worth
  Incident/crime scene protocols, identification of seizure
  Preservation
  Recovery
  Harvesting
  Reduction (alongside case management)
  Organization and search
  Analysis
  Reporting
  Persuasion and testimony (ends with testimony)
Tools are marked at three points in the diagram: between assessment of worth and the scene protocols, between recovery and harvesting, and between organization/search and analysis.

7 Type of Tools: Hardware Tools
Complete investigative systems, the Digital Forensics Workstation
  Can put one together yourself – suggestions in Chapters 2 and 3
  Or buy one ready made like the F.R.E.D. (Forensic Recovery and Forensics Device), about $6000

8 F.R.E.D. Information
Forensic Systems
“F.R.E.D. family of forensic workstations consists of integrated forensic processing platforms capable of handling most challenging computer case”
F.R.E.D. professional forensic systems, and the Digital Intelligence UltraBay universal write-protected imaging bay, deliver the ability to easily duplicate evidence directly from IDE/SCSI/SATA hard drives, floppies, CDs, DVDs, ZIP cartridges, 4MM DAT tapes and PC Card/Smartmedia/SD-MMC/Memory Stick/Compact

9 Hardware Forensic Devices
Write blockers
  Hardware device that intercepts data intended for the disk
  Prevents writes that could alter data
  Many types: IDE, SCSI and SATA interfaces
  Connect your evidence disk drive to your workstation and start the OS as usual
  Acts as a bridge between the disk drive and the forensic workstation

10 Write Blocker Hardware
Implement media write blockers during acquisition:
  Prevent changes to evidence
  Sit between the forensic machine and the media
  SCSI, SATA, IDE, etc.

11 Hardware Forensic Devices
Hardware write blocker
  In Windows the drive appears as any other drive
  Can access the drive to view files, or use Word to read files
  When you copy data to the blocked drive:
    Windows shows the copy was a success
    The write blocker actually discards the data – it is written to NULL
    When you look at the disk, you won’t see the data or files you copied to it

12 UltraBlock-SATA Example – Digital Intelligence
The UltraBlock-SATA can be connected to your laptop or desktop using the FireWire-A (400 Mb/s) or FireWire-B (800 Mb/s) interfaces
Like the UltraBlock-IDE, the UltraBlock-SATA is provided with write protection enabled by default
Is user configurable for Read-Only or Read-Write operation
Cost:
  UltraBlock-SATA $199
  SATA Kit $281
  UltraBlock SCSI Kit $446

13 Type of Tools: Software Tools
Most common and numerous compared to hardware
  Command line tools, GUI tools; Windows, Unix/Linux, OS-specific tools
Today, look mostly at Windows tools
Later, cover Linux/Unix OS tools, mostly open source
One way to group tools is by investigative function
  Can be grouped into five categories which map to tasks used in a computer investigation
  Some of these tools are specific to a single task
  Others are full-featured programs used across all tasks

14 Tools by Investigative Tasks
Tasks include:
  1. Acquisition
  2. Validation and Discrimination
  3. Extraction
  4. Reconstruction
  5. Reporting

15 Acquisition
What is the goal of acquisition?
  Obtaining the data from a crime scene
  Typically the first step in an investigation
  Make a copy of the original disk drive to preserve the digital evidence
Two types of software acquisition
  Physical copying of a disk – the entire disk
  Logical copying of a disk partition

16 Acquisition: Bit Stream Copy
Bit-by-bit copy of the original storage medium – an exact duplicate
Example: the dd command in Unix/Linux
Creates a file, called a bit stream image file
Already covered this ...

17 Acquisition - Image File
X-Ways Forensics

18 Acquisition – Image File
Encase example

19 Validation and Discrimination
Validation of data – why do we do this?
  Ensures integrity of the data
  Needed to prove guilt or innocence to the legal system
  Here we use hashes of the original data and compare them to the copies of acquired data
  Do this each time we access the copy
  Most integrated forensics tools do this automatically for you
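The acquisition-and-validation cycle from slides 16 and 19, as an added example that is not part of the original lecture: a bit-stream copy of a constructed evidence file in the style of dd, with MD5 and SHA-1 computed from the bytes as they are read and then re-checked against the image each time it is used. The evidence bytes, the file names and the one-byte tampering step are all constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a raw evidence device (example data only).
EVIDENCE_BYTES = bytes(range(256)) * 64   # 16 KiB of deterministic content
BLOCK_SIZE = 4096                          # copy granularity, like dd's bs=


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Bit-stream copy: read the source block by block and write every byte
    to the image file. The hashes are computed from the bytes as they are
    read, so the evidence is read exactly once during acquisition.
    Returns (md5_hex, sha1_hex) of the source."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            md5.update(chunk)
            sha1.update(chunk)
            dst.write(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def hash_file(path, block_size=BLOCK_SIZE):
    """Return (md5_hex, sha1_hex) of an existing file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(image_path, expected_md5, expected_sha1):
    """Validation step: re-hash the working copy and compare it with the
    hashes recorded at acquisition. Run it every time the copy is accessed."""
    md5, sha1 = hash_file(image_path)
    return md5 == expected_md5 and sha1 == expected_sha1


def demo():
    """Acquire, verify, change one byte of the copy, verify again."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.raw")   # stands in for /dev/sdX
    image = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as f:
        f.write(EVIDENCE_BYTES)

    md5, sha1 = acquire_image(source, image)
    ok_fresh = verify_image(image, md5, sha1)

    # Simulate an accidental one-byte change to the working copy.
    with open(image, "r+b") as f:
        f.seek(100)
        f.write(b"\x00")
    ok_after_change = verify_image(image, md5, sha1)

    # The original evidence still matches the hashes recorded at acquisition.
    source_still_matches = hash_file(source) == (md5, sha1)
    return ok_fresh, ok_after_change, source_still_matches


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Recording two hash algorithms at acquisition, as the NIST material later in the lecture does, means a later validation failure can be localised to the copy rather than to a hash collision; the verify step is deliberately the same function whether it runs right after imaging or months later before analysis.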

20 Validation and Discrimination
Discrimination of data – sorting and searching of data
  Purpose: separate “good” data from “suspicious” data
Subfunctions of validation and discrimination
  Hashing
  Filtering
  Analysis of file headers

21 Validation and Discrimination
Hash values of known files
  Discriminate between known files and unknown files
  Known list of good file hash values, maintained by NIST in the National Software Reference Library (NSRL)
  Forensics tools import the known-good file hashes and compare them to files on the suspect drive

22 Validation and Discrimination
Analyze header values
  Many programs include a list of common file header values
  Known file types have distinctive headers that allow the OS to determine the file type
  See whether the file extension matches the header value
  Common to hide files by changing the extension: .jpg or .gif becomes .txt
  The header will disagree – shows up in the tool

23 Extraction
Most demanding task: recovery of digital evidence
  View data, keyword search, file carving, decryption
Tools below have a nice GUI, plus offer all of the above capabilities:
  FTK, EnCase, SMART, iLook, ProDiscover

24 Extraction: Keyword Search
Allows you to search for keywords of interest
When doing text/pattern searches, usually also run:
  File signature verification – review file headers, match with extension
  Hash computation – compute hashes on all files

25 Extraction: File Signature Verification
EnCase can compare each file header to a library of over 220 unique known signatures to determine the file type, e.g. .doc, .jpg, etc.

26 Extraction
Case one: a file header matches a known value but the extension does not match
  Can assist in finding files with changed extensions, for example renaming a .jpg file with a .txt extension
  Can do this for every file and quick-sort to search for inconsistencies

27 Extraction
Case two: a file header matches a known value but the file does not have an extension
  EnCase will act consistent with the header when the file is double clicked, e.g. launch Excel for a file matching the Excel header
  EnCase will act consistent with the header when the file is viewed, e.g. Gallery view will display pictures even though they have no extensions
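A small signature-verification routine covering slides 22 and 25-27, added here as an example and not the lecture's or EnCase's own code: a hand-built signature table (real magic values for a handful of formats) is compared against each file's extension, and every file is sorted into "match", the slide 26 case (header known, extension wrong), the slide 27 case (header known, no extension) or "unknown header". The SIGNATURES table, the ALIASES map and SAMPLE_FILES are constructed for the example; a commercial tool ships hundreds of signatures.

```python
import os

# Constructed signature table: a few real magic values, checked at offset 0.
# Very short signatures (such as "MZ") produce false positives on their own;
# real tools combine them with structure checks.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],
}
# Extensions that legitimately share a signature with the canonical one.
ALIASES = {"jpeg": "jpg", "dll": "exe", "docx": "zip", "xlsx": "zip"}


def identify_by_header(data):
    """Return the canonical type whose signature the data starts with, else None."""
    for ftype, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ftype
    return None


def classify(name, data):
    """Compare header type with extension.
    Returns 'match', 'mismatch' (slide 26 case), 'no_extension' (slide 27 case)
    or 'unknown_header' (nothing in the signature table)."""
    header_type = identify_by_header(data)
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    if header_type is None:
        return "unknown_header"
    if ext == "":
        return "no_extension"
    if ext == header_type:
        return "match"
    return "mismatch"


def scan(files):
    """files: {name: bytes}. Returns ({name: classification}, sorted list of
    names an examiner should look at, i.e. the quick-sort step on slide 26)."""
    results = {name: classify(name, data) for name, data in files.items()}
    flagged = sorted(n for n, c in results.items() if c in ("mismatch", "no_extension"))
    return results, flagged


# Constructed sample drive contents (names and bytes made up for the example).
SAMPLE_FILES = {
    "photo.jpg":  b"\xff\xd8\xff\xe0" + b"\x00" * 20,   # JPEG with correct extension
    "notes.txt":  b"\xff\xd8\xff\xe0" + b"\x00" * 20,   # JPEG renamed to .txt
    "report.pdf": b"%PDF-1.4\n%...",
    "budget":     b"PK\x03\x04" + b"\x00" * 10,         # ZIP container, extension removed
    "readme.txt": b"plain text with no known signature",
}


if __name__ == "__main__":
    results, flagged = scan(SAMPLE_FILES)
    for name, verdict in sorted(results.items()):
        print(f"{name:12s} {verdict}")
    print("review:", flagged)
```

The alias map is what keeps a .jpeg or .docx from being flagged as a mismatch; without it the examiner drowns in false positives from perfectly ordinary files.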

28 Extraction: Hash Computation
Calculate the MD5 hash of every file

29 Extraction
Import the NIST known OS MD5 or SHA-1 hashes available on their web site

30 Evidence Analysis
EnCase now indicates “*known” files (* used for sorting purposes)

31 Extraction
Now use an EnCase filter to remove these files from view and searches
In this case, reduced 21,085 files to 14,787 – 30% fewer files to search!
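Known-file discrimination as on slides 21 and 28-31, as an added example (not the lecture's, EnCase's or NIST's code): every file on a constructed suspect drive is MD5-hashed, compared with a constructed NSRL-style known-hash set, tagged with the "*known" prefix used for sorting, and filtered out, with the reduction reported as a percentage. The file names and contents are constructed; a real run loads the hash set downloaded from NIST.

```python
import hashlib


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for an NSRL-style known-file hash set: hashes of
# pristine OS files. The real set comes from NIST, not from this example.
OS_FILES = {
    "kernel32.dll": b"constructed bytes of a known OS library",
    "notepad.exe":  b"constructed bytes of a known OS program",
}
KNOWN_MD5 = {md5_hex(content) for content in OS_FILES.values()}

# Constructed contents of a suspect drive (path -> bytes).
SUSPECT_FILES = {
    "C:/Windows/System32/kernel32.dll": OS_FILES["kernel32.dll"],          # pristine: known
    "C:/Windows/notepad.exe":           OS_FILES["notepad.exe"] + b"\x00",  # modified: unknown
    "C:/Users/bob/letter.doc":          b"user-created document",          # unknown
    "C:/Users/bob/Downloads/k32.bin":   OS_FILES["kernel32.dll"],          # renamed copy: known
}


def tag_known(files, known_hashes):
    """Return {display_name: md5}. Known files get the '*known ' prefix so they
    sort together (slide 30). Matching is by content hash, never by name."""
    tagged = {}
    for path, content in files.items():
        digest = md5_hex(content)
        name = ("*known " if digest in known_hashes else "") + path
        tagged[name] = digest
    return tagged


def filter_known(files, known_hashes):
    """Drop files whose hash is in the known set (the EnCase filter on slide 31)."""
    return {p: c for p, c in files.items() if md5_hex(c) not in known_hashes}


def reduction_percent(total, remaining):
    """Percentage of files removed from the review set."""
    return round(100.0 * (total - remaining) / total, 1)


def demo():
    remaining = filter_known(SUSPECT_FILES, KNOWN_MD5)
    return sorted(remaining), reduction_percent(len(SUSPECT_FILES), len(remaining))


if __name__ == "__main__":
    for name in sorted(tag_known(SUSPECT_FILES, KNOWN_MD5)):
        print(name)
    print(demo())
    print("slide 31 figures:", reduction_percent(21085, 14787), "% removed")
```

Note that the one-byte change to notepad.exe is enough to drop it out of the known set, which is exactly the point: a known-good hash set filters only files that are byte-for-byte what the vendor shipped, so a patched system binary stays in the review set.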

32 Extraction
Deconstruct file fragments from deleted files
  “Carving” is the name used in the US
  Locate file header information
  Most tools also analyze unallocated areas of a disk drive or bit stream image file
  Locate the entire file structure; the file fragments are carved out and copied to a new file
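Header-to-footer file carving as described on slide 32, as an added example that is not from the lecture or any named tool: a constructed byte string stands in for unallocated space, and the routine locates JPEG start-of-image markers, runs to the next end-of-image marker, and copies each recovered run out to its own file. A real carver also walks the JPEG segment lengths so an embedded EXIF thumbnail (which carries its own FFD8..FFD9 pair) does not end the file early; this example keeps the simple header/footer rule and reports the truncated fragment at the end of the sample as unrecoverable.

```python
import os
import tempfile

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker (real JPEG signature)
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(data, max_size=8 * 1024 * 1024):
    """Return a list of (offset, bytes) for every header-to-footer JPEG run in
    `data`. A header with no footer after it is a truncated fragment and is
    skipped; max_size bounds a runaway footer search."""
    carved = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break                      # truncated: header present, footer overwritten
        end += len(JPEG_EOI)
        if end - start <= max_size:
            carved.append((start, data[start:end]))
        pos = end
    return carved


def write_carved(carved, out_dir):
    """Copy each carved run to a new file named by its offset in the image."""
    paths = []
    for offset, blob in carved:
        path = os.path.join(out_dir, "carved_%08x.jpg" % offset)
        with open(path, "wb") as f:
            f.write(blob)
        paths.append(path)
    return paths


def fake_jpeg(payload):
    """Constructed minimal JPEG-like blob: SOI, an APP0 header, payload, EOI."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + payload + JPEG_EOI


# Constructed "unallocated space": zeroed sectors, two deleted pictures,
# leftovers of a deleted text file, and a picture whose footer is gone.
UNALLOCATED = (
    b"\x00" * 512
    + fake_jpeg(b"first deleted picture")
    + b"\xaa" * 300
    + b"remains of a deleted text file "
    + fake_jpeg(b"second deleted picture")
    + b"\x00" * 128
    + JPEG_SOI + b"\xe0truncated, footer overwritten"
)


def demo():
    carved = carve_jpegs(UNALLOCATED)
    paths = write_carved(carved, tempfile.mkdtemp())
    return [offset for offset, _ in carved], len(paths)


if __name__ == "__main__":
    print(demo())  # ([512, 877], 2)
```

The offsets returned are the evidence-side record an examiner keeps: each carved file can be traced back to the exact byte range of the image it came from, which is what makes the recovered file defensible later.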

33 Extraction: Decryption
Encrypted data is a problem for forensics investigations
  Files can be encrypted, or an entire disk or partition
Some tools produce a list of words for password guessing of an encrypted area
Could possibly locate the password in a temporary file on disk, if you are lucky!!
Can also run a brute force attack against the file

34 Reconstruction
Task of re-creating a suspect's disk drive
Don't always have to do this, depends
  Run the suspect computer to show what happened during a crime
  Or, create an identical copy for other investigators
Do a bit-by-bit copy to a disk identical to the suspect disk
  Disk technology changes pretty fast – not likely to find an identical drive and model

35 Reconstruction
Several ways to do this, with hardware and software tools:
  Disk-to-disk copy
  Image-to-disk copy
  Partition-to-partition copy
  Image-to-partition copy
All of these tools adjust target disk geometry
  Means if the target disk differs from the original suspect disk, they map cylinders, sectors and tracks of the original to the target
  Target disk must be equal or larger in size

36 Reconstruction
Hardware tools (hardware is fastest)
  Logicube Forensic SF-5000
  Logicube Forensic MD5
  Image MaSSter Solo 2
Software tools
  Safeback, SnapCopy plus others

37 Reporting
Many forensics tools also do reporting
Log report
  Produce a report of steps taken in an investigation
  Good if you need to repeat an investigation, or review steps taken
  Peer review of the case
FTK, iLook, X-Ways Forensics, EnCase, ProDiscover, plus most others

38 Validating and Testing Forensic Software
NIST - National Institute of Standards and Technology
NIST sponsored a project called “Computer Forensics Tool Testing” (CFTT)
Why might you want to test these tools?

39 Validating and Testing Forensic Software
NIST - National Institute of Standards and Technology
  Publishes articles, tools and procedures for testing and validating computer forensics software
  Software should be verified so that there is greater confidence in digital evidence used in court
  Created a general approach for testing computer forensics tools
  Criteria for testing are at the same site
  MD5 and SHA-1 hashes of known files

40 Examples of Tools
Disk that came with your book has:
  Technology Pathways ProDiscover Basic
  AccessData Forensic Toolkit (FTK), Registry Viewer and FTK Imager
  Runtime Software DiskExplorer for FAT, NTFS and HDHOST
  X-Ways Forensics WinHex
Page xxiii in the text has links to many other tools
For the next assignment, you get to download tools, play with them ... fun, fun, fun !!!

41 Resources
Resources for tools
  E-Evidence list of software tools
  Open Source Forensics Tools: The Legal Argument, Brian Carrier, evidence.org/papers/opensrc_legal.pdf
    Nice source of references and tool discussions for open source tools
  Evaluating Commercial Counter Forensics Tools, Matthew Geiger, rforensics.pdf

42 Summary and Limitations
Tools are critical to being a Computer Forensics Investigator!!!
A better set of tools means:
  More complete analysis of data
  More types of analysis, and more kinds of data/computers you can analyze
  More confidence that data was handled correctly
  Confidence in evidence increases – important in court
Tool limitations
  Encrypted data – can't help too much
  Steganography

43 References
Nelson, Bill et al. “Guide to Computer Forensics Investigations”, Chapter 7

44 Finish
Check the web site for the reading assignment due today
Next assignment on Friday !!!

