CSN11121/CSN11122 System Administration and Forensics: Introduction to Digital Forensics (20/10/2011)

1 CSN11121/CSN11122 System Administration and Forensics: Introduction to Digital Forensics, 20/10/2011, r.ludwiniak@napier.ac.uk

2 Lecture Objectives
1. History and definition of digital forensics
2. Context for an investigation
3. An overview of the main theoretical concepts
4. Storage devices
5. Partitions

3 Recommended Reading
1. B. Carrier, File System Forensic Analysis, Addison-Wesley Professional, 27 March 2005
2. H. Carvey, Windows Forensic Analysis DVD Toolkit, Syngress, 11 June 2009
3. C. Pogue, Unix and Linux Forensic Analysis DVD Toolkit, Syngress, 30 June 2008
4. M.E. Russinovich and D.A. Solomon, Windows Internals, 5th edition, Microsoft Press, 7 January 2009 (chapters 1 to 3)
5. K.J. Jones, Real Digital Forensics, Addison-Wesley Professional, 3 October 2005

4 Online Resources
- Digital Forensic Research Workshop (DFRWS): http://www.dfrws.org (challenges, projects)
- National Institute of Standards and Technology (NIST): http://www.nist.gov
- Journal: Digital Investigation: http://www.sciencedirect.com
- Forensics Wiki: http://www.forensicswiki.org

6 DIGITAL FORENSICS

7 It is impossible for the criminal to act, especially considering the intensity of a crime, without leaving traces of his presence. - Edmond Locard

8 With contact between two items, there will be an exchange - Locard’s exchange principle

9 Computer Forensics
- 1984: Scotland Yard Computer Crime Unit; FBI computer forensics departments
- 1990: Computer Misuse Act (CMA)

14 Digital Forensics
"The use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations." (Digital Forensic Research Workshop, 2001)

15 Investigative Context

Context                  Primary objective          Secondary objective   Environment
Law enforcement          Prosecution                –                     Post-mortem
Military IW operations   Continuity of operations   Prosecution           Real-time / post-mortem
Business and industry    Continuity of service      Prosecution           Real-time / post-mortem

16 Digital Investigation
"A digital investigation is a process where we develop and test hypotheses that answer questions about digital events. This is done using the scientific method where we develop a hypothesis using evidence that we find and then test the hypothesis by looking for additional evidence that shows the hypothesis is impossible. Digital evidence is a digital object that contains reliable information that supports or refutes a hypothesis." (B. Carrier, File System Forensic Analysis, 2005)

17 Static vs. Live
Traditional static investigation
- Hard disk or some other form of static resource
- Data at rest
- The media can be imaged and returned to its source, and further analysis conducted on the image
Live investigation
- Takes place while the machine is running

18 Volatile Investigations
- Have an impact on the device under investigation
- Not repeatable
- Do not fit the classic forensic investigative models
- The running OS must be trusted, since every read goes through it and a compromised kernel can return false data
- New questions cannot be asked later

19 Investigation Process
Acquisition
- Preservation
- Collection
- Verification
Analysis
- Search for evidence
- Hypothesis creation
- Confirm or refute the hypothesis with evidence
Presentation
- Report the findings of the investigation
- In an objective manner

20 Characteristics of Evidence
1. Data can be viewed at different levels of abstraction
2. Data requires interpretation
3. Data is fragile
4. Data is voluminous
5. Data is difficult to associate with reality

25 Best Practice: ACPO
- Principle 1: No action taken by law enforcement or their agents should change data held on an electronic device or media which may subsequently be relied upon in court.
- Principle 2: In exceptional circumstances where a person finds it necessary to access original data held on an electronic device or media, that person must be competent to do so, and be able to give evidence explaining the relevance and the implications of their actions.

26 Best Practice: ACPO
- Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

27 Best Practice: ACPO
- Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

28 Tools
- 1st generation: command line, task oriented, act on the original data
- 2nd generation: GUI interface, capable of making copies, multi-functional
- 3rd generation: work on distributed systems and live systems. Live...?

29 Tool Characteristics
- Verifiable: can the tool be shown to behave within certain bounds of behaviour?
- Reproducibility: does the tool produce results that can be reproduced?
- Non-interference: is the tool's source code open, and so free of obfuscated code whose effect on the data cannot be inspected?
- Usability: does the tool help the investigator review and make decisions about the layer of abstraction being viewed?
- Comprehensive: does the tool allow the investigator to access its data output at any given level of abstraction?

30 Future Research
Challenges facing the investigation community: S.L. Garfinkel, "Digital forensics research: The next 10 years", Digital Investigation, vol. 7 (DFRWS 2010 supplement), pp. S64-S73, 2010 ("The coming digital forensics crisis").

31 Challenges
- Size of storage devices
- Embedded flash devices
- Proliferation of operating systems and file formats
- Multi-device analysis
- Pervasive encryption
- Cloud computing
- RAM-only malware
- Legal challenges decreasing the scope of forensic investigations

32 STORAGE DEVICES & PARTITIONS

33 Required Reading
- D. Byers and N. Shahmehri, "Contagious errors: Understanding and avoiding issues with imaging drives containing faulty sectors", Digital Investigation, vol. 5, pp. 29-33, 2008
- A. Jones and C. Meyler, "What evidence is left after disk cleaners?", Digital Investigation, vol. 1, pp. 183-188, 2004
- B.J. Nikkel, "Forensic analysis of GPT disks and GUID partition tables", Digital Investigation, vol. 6, pp. 39-47, 2009

34 Required Reading
- M. Belford, "Methods of discovery and exploration of Host Protected Areas on IDE storage devices that conform to ATAPI-5", Digital Investigation, vol. 2, pp. 268-275, 2005
- K. MacDonald, "To image a Macintosh", Digital Investigation, vol. 2, pp. 175-179, 2005
- J.R. Lyle, "A strategy for testing hardware write block devices", Digital Investigation, vol. 3, pp. 3-9, 2006
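The acquisition step of the process on slide 19 (preserve, collect, verify), together with the faulty-sector problem from the Byers and Shahmehri reading above, as an added example in Python that is not from the lecture or from any imaging tool. The FakeDisk class is a constructed in-memory stand-in for a device opened read-only behind a write blocker; the sector contents and the bad-sector numbers are invented for the demonstration.

```python
from __future__ import annotations
import hashlib
import io
from dataclasses import dataclass, field

SECTOR = 512


class FakeDisk:
    """Constructed stand-in for a raw device: every sector listed in `bad`
    fails on each read, as a physically damaged sector would."""

    def __init__(self, data: bytes, bad: set[int]):
        if len(data) % SECTOR:
            raise ValueError("constructed disk must be a whole number of sectors")
        self.data, self.bad = data, bad

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, lba: int) -> bytes:
        if lba in self.bad:
            raise OSError(f"Input/output error at LBA {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


@dataclass
class AcquisitionRecord:
    """What the examiner keeps beside the image: size, bad-sector list, the hash
    computed while imaging, and a line-per-event audit trail (ACPO principle 3)."""
    sectors_total: int
    bad_sectors: list[int] = field(default_factory=list)
    image_sha256: str = ""
    audit: list[str] = field(default_factory=list)


def acquire(disk: FakeDisk, out: io.BufferedIOBase, retries: int = 3) -> AcquisitionRecord:
    """Sector-by-sector copy. A sector that still fails after `retries` reads is
    written as 512 zero bytes so every later sector keeps its original offset,
    and the event is recorded instead of aborting the whole acquisition."""
    rec = AcquisitionRecord(sectors_total=disk.sectors)
    digest = hashlib.sha256()
    rec.audit.append(f"start: {disk.sectors} sectors of {SECTOR} bytes, {retries} attempts per sector")
    for lba in range(disk.sectors):
        chunk = None
        for attempt in range(1, retries + 1):
            try:
                chunk = disk.read_sector(lba)
                break
            except OSError as exc:
                rec.audit.append(f"LBA {lba}: read attempt {attempt}/{retries} failed: {exc}")
        if chunk is None:
            chunk = bytes(SECTOR)
            rec.bad_sectors.append(lba)
            rec.audit.append(f"LBA {lba}: unreadable, zero-filled in image")
        out.write(chunk)
        digest.update(chunk)
    rec.image_sha256 = digest.hexdigest()
    rec.audit.append(f"done: {len(rec.bad_sectors)} bad sector(s), image sha256 {rec.image_sha256}")
    return rec


def verify_image(image: bytes, rec: AcquisitionRecord) -> bool:
    """Independent re-hash of the stored image against the hash taken at acquisition."""
    expected_len = rec.sectors_total * SECTOR
    return len(image) == expected_len and hashlib.sha256(image).hexdigest() == rec.image_sha256


def demo() -> tuple[AcquisitionRecord, bytes, bool]:
    # Constructed 8-sector disk: sector i is filled with byte value i; sectors 3 and 6 are unreadable.
    data = b"".join(bytes([i]) * SECTOR for i in range(8))
    disk = FakeDisk(data, bad={3, 6})
    buf = io.BytesIO()
    rec = acquire(disk, buf)
    image = buf.getvalue()
    return rec, image, verify_image(image, rec)


if __name__ == "__main__":
    rec, image, ok = demo()
    print("\n".join(rec.audit))
    print("bad sectors:", rec.bad_sectors, "verified:", ok)
```

The recorded hash is of the image as read, so with unreadable sectors it will not equal a hash of the original medium, and a second pass may differ if a marginal sector happens to read on retry; the bad-sector list and the audit trail are what make the result explainable to a third party. Real imagers behave the same way: dd with conv=noerror,sync and GNU ddrescue continue past read errors and pad or retry rather than abort.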

35 Storage Media
- Hard disks, floppy disks, thumb drives etc.
- Hard disks are the richest source of digital evidence
- Integrated Drive Electronics (IDE), also called Advanced Technology Attachment (ATA)
- Higher-performance SCSI drives
- FireWire (IEEE 1394) is an adaptation of the SCSI command set that provides high-speed access to a chain of devices
- All hard drives contain platters made of a light, rigid material such as aluminium, ceramic or glass

36 More on Hard Drives
- Platters have a magnetic coating on both sides and spin between pairs of read/write heads
- The heads move across the surface like the needle on an old LP record, but fly on a cushion of air created by the spinning platter instead of touching it
- The heads can align particles of the magnetic coating (writing) and can detect how the particles are aligned (reading)
- Particles aligned one way are read as "0" and aligned the other way as "1"

37 Hard Disks (figure: cc by-sa, Cambridge Cat/Anna, flickr.com; labelled parts: platters, spindle, head, actuator arm)

38 Storage
- Data is recorded on concentric tracks on each platter surface; the set of tracks at the same radius across all surfaces is a cylinder
- Each track is divided into sectors that hold 512 bytes (512 x 8 bits) of data (the classic value; newer Advanced Format drives use 4,096-byte physical sectors, usually still presented as 512-byte logical sectors)
- A sector is located by the cylinder it lies on, the head that can reach it, and its position along the track: CHS addressing
- Capacity of a hard drive = C x H x S x 512 bytes

39 Hard Disk Platters

40 Tracks and Sectors (figure: a track, and one 512-byte sector)

41 Tracks and Sectors (figure: track #0; track #1, sector #7)

42 Storage Characteristics
- Volatility: non-volatile or volatile
- Mutability: read/write, read only, or slow write / fast read
- Accessibility: random access or sequential access
- Addressability: by location, by file, or by content

43 CHS Values
- ATA specification: 16-bit cylinder value (C), 4-bit head value (H), 8-bit sector value (S)
- Old BIOS (INT 13h): 10-bit C, 8-bit H, 6-bit S
- When both must express every address, each field is limited to the smaller of the two: 1,024 cylinders x 16 heads x 63 sectors x 512 bytes = 528 MB (sector numbers start at 1, so a 6-bit field reaches 63)

44 Logical Block Address (LBA)
- An LBA need not correspond to the physical location of the data on the platters (the drive firmware maps it)
- Overcomes the BIOS CHS ceiling of 1,024 x 256 x 63 x 512 bytes, about 8.4 GB (7.8 GiB)
- Converting old CHS values: LBA = ((C x heads_per_cylinder) + H) x sectors_per_track + (S - 1)
- E.g. CHS 0,0,1 = LBA 0 (sector numbers start at 1; cylinders and heads start at 0)
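The CHS-to-LBA conversion and the capacity ceilings on slides 38, 43 and 44, carried out in Python as an added example (not from the lecture). The field widths are those quoted on the slides; the 1,024/16/63 geometry handed to the conversion functions is an illustrative assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

SECTOR_SIZE = 512  # bytes per sector, as assumed on the slides


@dataclass(frozen=True)
class Geometry:
    """Drive geometry: sectors are numbered from 1, cylinders and heads from 0."""
    cylinders: int
    heads: int      # heads per cylinder
    sectors: int    # sectors per track

    @property
    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors

    @property
    def capacity_bytes(self) -> int:
        return self.total_sectors * SECTOR_SIZE   # the slide's C x H x S x 512


def chs_to_lba(c: int, h: int, s: int, geo: Geometry) -> int:
    """LBA = ((C * heads_per_cylinder) + H) * sectors_per_track + (S - 1)."""
    if not (0 <= c < geo.cylinders and 0 <= h < geo.heads and 1 <= s <= geo.sectors):
        raise ValueError(f"CHS ({c},{h},{s}) is outside geometry {geo}")
    return (c * geo.heads + h) * geo.sectors + (s - 1)


def lba_to_chs(lba: int, geo: Geometry) -> tuple[int, int, int]:
    """Inverse of chs_to_lba; fails for an LBA the geometry cannot express."""
    if not 0 <= lba < geo.total_sectors:
        raise ValueError(f"LBA {lba} cannot be expressed in geometry {geo}")
    c, rest = divmod(lba, geo.heads * geo.sectors)
    h, s0 = divmod(rest, geo.sectors)
    return c, h, s0 + 1


def max_geometry(cyl_bits: int, head_bits: int, sector_bits: int) -> Geometry:
    """Largest geometry a set of field widths can describe. Sector numbers start
    at 1, so an n-bit sector field reaches 2**n - 1 (6 bits -> 63, 8 bits -> 255)."""
    return Geometry(1 << cyl_bits, 1 << head_bits, (1 << sector_bits) - 1)


def common_limit(a: Geometry, b: Geometry) -> Geometry:
    """Geometry usable when both an interface and a BIOS must express every address."""
    return Geometry(min(a.cylinders, b.cylinders), min(a.heads, b.heads), min(a.sectors, b.sectors))


ATA_CHS = max_geometry(16, 4, 8)        # 16-bit C, 4-bit H, 8-bit S (ATA specification)
BIOS_CHS = max_geometry(10, 8, 6)       # 10-bit C, 8-bit H, 6-bit S (old BIOS INT 13h)
BOTH = common_limit(ATA_CHS, BIOS_CHS)  # 1024 x 16 x 63: the 528 MB barrier


if __name__ == "__main__":
    geo = Geometry(1024, 16, 63)   # assumed illustrative geometry
    print("CHS 0,0,1 ->", chs_to_lba(0, 0, 1, geo))   # 0
    print("CHS 1,0,1 ->", chs_to_lba(1, 0, 1, geo))   # 1008
    print("LBA 1008  ->", lba_to_chs(1008, geo))      # (1, 0, 1)
    for name, g in ("ATA", ATA_CHS), ("BIOS", BIOS_CHS), ("both", BOTH):
        print(f"{name:5s} {g.cylinders}x{g.heads}x{g.sectors} = {g.capacity_bytes / 1e9:.3f} GB")
```

Running it shows the three barriers: the ATA fields alone allow 136.9 GB (the "137 GB" limit), the BIOS fields alone about 8.46 GB, and the intersection 528 MB.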

45 Storage Volume

48 Volume vs Partition
- Volume: a collection of addressable sectors that an OS or application can use as one unit. The sectors need not be consecutive (a RAID or logical-volume set spanning several disks is a volume).
- Partition: a collection of addressable sectors that are consecutive. By definition a partition is a volume, but not every volume is a partition.

50 Partition Analysis
- A partition table organises the layout of a volume into partitions
- Sector addressing:
  - Physical address (LBA or CHS)
  - Logical disk volume address (relative to the start of the disk)
  - Logical partition volume address (relative to the start of the partition)

51 Sector Addressing (figure: B. Carrier, File System Forensic Analysis, p. 75)

52 Partition Analysis
- Analyse the partition tables: process them to identify the layout, then process each partition accordingly and determine the type of data inside it
- Perform a sanity check to ensure the partition table is telling the truth: entries that run past the end of the disk, overlap each other, or place a logical partition outside its extended partition point to corruption or to deliberate hiding of data
- This is important when imaging: image the whole disk, not only the partitions the table admits to

53 Sanity Check (figure: B. Carrier, File System Forensic Analysis, p. 76)

54 DOS Partitions
- Most commonly found on i386/x86 systems
- No official specification; the layout is documented from practice
- Master Boot Record (MBR) in the first sector (the first 512 bytes): boot code (bytes 0-445), partition table (four 16-byte entries from offset 446), signature value 0x55AA at offset 510
- The MBR holds a maximum of 4 partition entries (the primary partitions)

55 (figure: B. Carrier, File System Forensic Analysis, p. 83)

56 Partition Table Entry
- Starting CHS address
- Ending CHS address
- Starting LBA address
- Number of sectors in the partition
- Type of partition
- Flags (bootable)
Limitation: the starting LBA and sector-count fields are 32 bits each, so with 512-byte sectors a DOS partition cannot start beyond or extend past 2 TiB (2^32 sectors); GPT partition tables remove this limit.

57 Extended Partitions
- Only 4 primary partitions are possible
- Workaround: create up to 3 primary partitions and 1 primary extended partition
- The extended partition holds a chain of extended boot records (EBRs), each laid out like an MBR: the first entry describes a logical partition, with its start relative to that EBR, and the second entry points to the next EBR, with its start relative to the start of the primary extended partition, forming a linked list
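The MBR layout, partition-table entry fields, sanity check and extended-partition chain from slides 52 to 57, as one added Python example that is not from the lecture or from Carrier's tools. The 200-sector image it parses is constructed in the block itself (one bootable primary partition, then an extended partition holding two logicals); the partition type codes 0x83, 0x82 and 0x05 are the standard Linux, Linux swap and DOS extended values, and the 0xFE 0xFF 0xFF CHS filler is the conventional marker for "use the LBA fields".

```python
from __future__ import annotations
import struct
from collections import namedtuple
from dataclasses import dataclass

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # DOS, Win95-LBA and Linux extended partition types
# One 16-byte table entry; start_lba is absolute in the MBR but relative inside an EBR
Entry = namedtuple("Entry", "bootable start_chs ptype end_chs start_lba size")

def decode_chs(raw: bytes) -> tuple[int, int, int]:
    """Packed 3-byte CHS: head; sector (low 6 bits) with cylinder bits 8-9 in the
    top 2 bits; cylinder bits 0-7. Returns (cylinder, head, sector)."""
    return ((raw[1] & 0xC0) << 2) | raw[2], raw[0], raw[1] & 0x3F

def parse_table(sector: bytes) -> list[Entry]:
    """Four 16-byte entries at offset 446, guarded by the 0x55AA signature at 510.
    A short slice (an EBR pointer beyond the end of the image) fails here too."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR/EBR sector (bad length or signature)")
    entries = []
    for off in range(446, 510, 16):
        flag, schs, ptype, echs, start, size = struct.unpack_from("<B3sB3sII", sector, off)
        entries.append(Entry(flag == 0x80, decode_chs(schs), ptype, decode_chs(echs), start, size))
    return entries

@dataclass(frozen=True)
class Partition:
    kind: str    # "primary", "extended" or "logical"
    ptype: int
    start: int   # absolute LBA of the first sector
    size: int    # sectors

    @property
    def end(self) -> int:
        return self.start + self.size - 1   # absolute LBA of the last sector

def walk_layout(image: bytes) -> list[Partition]:
    """Primary entries from the MBR, then the EBR chain of each extended entry."""
    parts: list[Partition] = []
    for e in parse_table(image[:SECTOR]):
        if e.ptype == 0 or e.size == 0:
            continue
        kind = "extended" if e.ptype in EXTENDED_TYPES else "primary"
        parts.append(Partition(kind, e.ptype, e.start_lba, e.size))
        if kind == "extended":
            parts.extend(walk_extended(image, e.start_lba))
    return parts

def walk_extended(image: bytes, ext_start: int) -> list[Partition]:
    """Follow the EBR linked list: entry 0 is a logical partition relative to this
    EBR, entry 1 is the next EBR relative to the primary extended partition.
    Visited EBRs are remembered so a crafted circular chain terminates."""
    out: list[Partition] = []
    ebr, seen = ext_start, set()
    while ebr not in seen:
        seen.add(ebr)
        first, link = parse_table(image[ebr * SECTOR:(ebr + 1) * SECTOR])[:2]
        if first.ptype and first.size:
            out.append(Partition("logical", first.ptype, ebr + first.start_lba, first.size))
        if link.ptype not in EXTENDED_TYPES or link.size == 0:
            break
        ebr = ext_start + link.start_lba
    return out

def sanity_check(parts: list[Partition], disk_sectors: int) -> list[str]:
    """Is the table telling the truth? Check bounds, overlaps and containment."""
    problems = []
    for p in parts:
        if p.start == 0 or p.end >= disk_sectors:
            problems.append(f"{p.kind} 0x{p.ptype:02x} at {p.start}+{p.size} is outside the {disk_sectors}-sector disk")
    for i, a in enumerate(parts):
        for b in parts[i + 1:]:
            nested = {a.kind, b.kind} == {"extended", "logical"}  # logicals are meant to sit inside the extended one
            if not nested and a.start <= b.end and b.start <= a.end:
                problems.append(f"{a.kind} at {a.start}+{a.size} overlaps {b.kind} at {b.start}+{b.size}")
    exts = [p for p in parts if p.kind == "extended"]
    for p in parts:
        if p.kind == "logical" and not any(x.start <= p.start <= p.end <= x.end for x in exts):
            problems.append(f"logical at {p.start}+{p.size} is not inside any extended partition")
    return problems

# Constructed 200-sector image: a bootable primary, then an extended partition holding two logicals.
def make_entry(ptype: int, start: int, size: int, boot: bool = False) -> bytes:
    chs = b"\xfe\xff\xff"   # CHS 1023/254/63, the conventional filler meaning "use the LBA fields"
    return struct.pack("<B3sB3sII", 0x80 if boot else 0, chs, ptype, chs, start, size)

def make_table(entries: list[bytes]) -> bytes:
    return bytes(446) + b"".join(entries + [bytes(16)] * (4 - len(entries))) + b"\x55\xAA"

def build_demo_image(disk_sectors: int = 200) -> bytes:
    img = bytearray(disk_sectors * SECTOR)
    img[0:SECTOR] = make_table([make_entry(0x83, 1, 49, boot=True), make_entry(0x05, 50, 150)])
    img[50 * SECTOR:51 * SECTOR] = make_table([make_entry(0x83, 1, 49), make_entry(0x05, 50, 100)])  # EBR 1
    img[100 * SECTOR:101 * SECTOR] = make_table([make_entry(0x82, 1, 99)])                            # EBR 2
    return bytes(img)

if __name__ == "__main__":
    layout = walk_layout(build_demo_image())
    for p in layout:
        print(f"{p.kind:8s} type 0x{p.ptype:02x} LBA {p.start}-{p.end} ({p.size} sectors)")
    print("200-sector disk:", sanity_check(layout, 200) or "table is consistent")
    print("150-sector disk:", sanity_check(layout, 150))
```

On the constructed image the walk yields the primary at LBA 1-49, the extended partition at 50-199 and logicals at 51-99 and 101-199, which passes the check for a 200-sector disk; telling the checker the disk has only 150 sectors reports the extended partition and the second logical as lying past the end of the media, which is exactly the signal an examiner looks for before trusting a table during imaging. The seen-set in walk_extended is the practical defence against an EBR chain deliberately made to point back at itself.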

58 (figure: B. Carrier, File System Forensic Analysis, p. 94)

65 ANY QUESTIONS?

