COMPUTER FORENSIC DATA RECOVERY TECHNIQUES AND SOLUTIONS WORKSHOP

Executive Summary
Computer forensics is the discipline that studies the techniques and methodologies required for the collection, analysis and presentation of unequivocal evidence usable in legal proceedings.

What Anti-Forensics Is About
Anti-forensics aims to make investigations on digital media more difficult and, therefore, more expensive. Knowing the steps of a forensic investigation, generally summarized as Identification, Acquisition, Analysis and Reporting, is the first measure to better understand the benefits and limitations of each anti-forensic technique.

These are the general anti-forensic categories discussed within this document:
- Data Hiding, Obfuscation and Encryption
- Data Forgery
- Data Deletion and Physical Destruction
- Analysis Prevention
- Online Anonymity

Data Hiding, Obfuscation and Encryption
The great advantage of hiding data is that it remains available when it is needed. Regardless of the operating system, using the physical disk for data hiding is a widely used technique, but techniques tied to the OS or the file system in use are also quite common.

Unused Space in MBR
Most hard drives have, at the beginning, some space reserved for the MBR (Master Boot Record). This contains the code needed to begin loading an OS and also contains the partition table. The MBR also defines the location and size of each partition, up to a maximum of four. The MBR only requires a single sector.

Unused Space in MBR
Between the MBR and the first partition, we can find 62 unused sectors (sector no. 63 is to be considered the start of cylinder 1). For a classic DOS-style partition table, the first partition needs to start here. This results in 62 unused sectors where we can hide data. The amount of data that we can hide in this area is limited, and an expert investigator will definitely look at its contents to search for compromising material.

HPA Area
The most common technique to hide data at the hardware level is to use the HPA (Host Protected Area) of the disk. This is generally an area not accessible by the OS and is usually used only for recovery operations. This area is also invisible to certain forensic tools and is therefore ideal for hiding data that we do not want to be found easily.
[Figure: representation of the HPA within a physical medium]

DATA HIDING
1. STEGANOGRAPHY
2. ENCRYPTION

What Is Data Hiding
Data hiding is the process of making data difficult to find while also keeping it accessible for future use. Obfuscation and encryption of data give an adversary the ability to limit identification and collection of evidence by investigators while retaining access and use for themselves.

Data Recovery

Steganography is a technique where information or files are hidden within another file in an attempt to hide data by leaving it in plain sight. Steganography produces dark data that is typically buried within light

Steganography
Steganography is sometimes used when encryption is not permitted. Or, more commonly, steganography is used to supplement encryption. An encrypted file may still hide information using steganography, so even if the encrypted file is deciphered, the hidden message is not seen. Special software is needed for steganography.

STEGANOGRAPHY
INVISIBLE SECRETS 2.1

Encryption
Encryption is one of the most effective techniques for mitigating forensic analysis. Using strong cryptographic algorithms, for example AES256, together with the other techniques adds a further fundamental level of anti-forensic security for the data that we want to hide.

Encryption
The most widely used tool for anti-forensic encryption is certainly TrueCrypt, an open source tool that is able to create and mount virtual encrypted disks for Windows, Linux and OS X systems.

Encryption
Generally, in the presence of a mounted encrypted volume, a forensic analyst will without doubt try to capture its contents before the volume is unmounted. If the machine is turned off, the only option for acquiring the content of a dismounted encrypted drive is a brute-force password guessing attack. (The Rubber-hose is not covered by this document :>).

Encryption
A noteworthy feature of TrueCrypt is that, when it is used for full disk encryption, it leaves a "TrueCrypt Boot Loader" string in its boot loader that can help a forensic analyst recognize a TrueCrypt-encrypted disk.
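
Added example (not part of the original slides): a Python check an examiner can run over a raw disk image to inspect the unused sectors between the MBR and the first partition and to look for the "TrueCrypt Boot Loader" string, both described above. The function names, the constructed sample image and the choice to search the whole first track for the string are assumptions of this example.

```python
import struct

SECTOR = 512
TC_MARKER = b"TrueCrypt Boot Loader"  # string named on the page


def first_partition_lba(mbr):
    """Return the lowest start LBA among the four MBR partition entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no valid MBR boot signature (0x55AA)")
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                                  # 0x00 = unused slot
        lba, count = struct.unpack_from("<II", entry, 8)  # start LBA, sector count
        if ptype != 0 and count != 0:
            starts.append(lba)
    return min(starts) if starts else None


def scan_first_track(image):
    """Report non-zero sectors between the MBR and the first partition."""
    first = first_partition_lba(image[:SECTOR])
    if first is None:
        raise ValueError("partition table is empty")
    non_zero = []
    for lba in range(1, first):                 # sector 0 is the MBR itself
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(sector) < SECTOR:
            break                               # truncated image
        if any(sector):
            non_zero.append(lba)
    # Assumption of this example: search the MBR and the gap for the marker;
    # the page only says the string is left in the boot loader.
    track = image[:first * SECTOR]
    return {
        "first_partition_lba": first,
        "gap_sectors": first - 1,
        "non_zero": non_zero,
        "truecrypt_marker": TC_MARKER in track,
    }


def build_sample(hidden_lba=None, truecrypt=False):
    """Constructed 128-sector image with one partition starting at LBA 63."""
    img = bytearray(128 * SECTOR)
    entry = bytearray(16)
    entry[4] = 0x07                             # partition type (constructed)
    struct.pack_into("<II", entry, 8, 63, 65)   # start LBA 63, 65 sectors
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    if hidden_lba is not None:                  # constructed 16-byte payload
        off = hidden_lba * SECTOR
        img[off:off + 16] = b"constructed-data"
    if truecrypt:                               # offset is arbitrary for the sample
        img[0x100:0x100 + len(TC_MARKER)] = TC_MARKER
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("clean", build_sample()),
                       ("suspicious", build_sample(hidden_lba=10, truecrypt=True))):
        print(label, scan_first_track(img))
```

Non-zero sectors in the gap are a lead rather than proof of hidden data, since boot loaders such as GRUB also store code there; the flagged sectors still need to be examined by hand.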

WIPING
1. DISK CLEANING UTILITIES
2. FILE WIPING UTILITIES
3. DISK DEGAUSSING / DESTRUCTION TECHNIQUES

Artifact Wiping or Data Erasure
Data erasure (also called data clearing or data wiping) is a software-based method of overwriting data that completely destroys all electronic data residing on a hard disk drive or other digital media.

Data Deletion
The first mission of a forensic examiner is to find as much information as possible (files) relating to a current investigation. For this purpose, he will do anything to try to recover as many files as possible from among those deleted or fragmented. However, there are some practices that prevent or hinder this process very efficiently.

Wiping
If you want to irreversibly delete your data, you should consider the adoption of this technique. When we delete a file in our system, the space it formerly occupied is in fact only marked as free. The content of this space, however, remains available, and a forensic analyst could still recover it.

Disk cleaning utilities
The technique known as disk wiping overwrites this space with random data or with the same data for each sector of the disk, in such a way that the original data is no longer recoverable. Data wiping can be performed at software level, with dedicated programs that are able to overwrite entire disks or only the specific areas belonging to individual files.
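
Added example (not from the original slides): how an examiner can tell space that was merely marked as free from space that was overwritten, by labelling each sector as zero-filled, pattern-filled, random-like or still holding residual data. The 7.0 bits-per-byte threshold, the function names and the constructed sample region are assumptions of this example.

```python
import math
import random
from collections import Counter

SECTOR = 512


def shannon_entropy(data):
    """Entropy of a byte string in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_sector(sector, random_threshold=7.0):
    """Label one sector of unallocated space."""
    if len(set(sector)) == 1:
        # "the same data for each sector": a single repeated byte value
        return "zero-fill" if sector[0] == 0 else "pattern-fill"
    if shannon_entropy(sector) >= random_threshold:
        # Random overwrite; encrypted or compressed remnants score the same
        return "random-like"
    return "residual-data"       # structured content left behind by deletion


def triage(region):
    """Return (label counts, indexes of sectors that still hold residual data)."""
    labels = [classify_sector(region[i:i + SECTOR])
              for i in range(0, len(region) - SECTOR + 1, SECTOR)]
    residual = [i for i, label in enumerate(labels) if label == "residual-data"]
    return Counter(labels), residual


def build_sample_region():
    """Constructed 4-sector region: deleted text, zeros, 0xFF fill, random bytes."""
    text = b"Quarterly report draft, constructed sample text. "
    deleted = (text * 11)[:SECTOR]           # file content only marked as free
    rng = random.Random(1)                   # fixed seed keeps the sample stable
    wiped = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    return deleted + bytes(SECTOR) + b"\xff" * SECTOR + wiped


if __name__ == "__main__":
    counts, residual = triage(build_sample_region())
    print(dict(counts), "residual sectors:", residual)
```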

LAB 10
A steganography tool that hides secret data in audio files

DeepSound overview
DeepSound is a steganography tool that hides secret data in audio files (wave and flac). The application also enables you to extract secret files directly from audio CD tracks. DeepSound might be used as copyright marking software for wave, flac and audio CD. DeepSound also supports encrypting secret files using AES-256 (Advanced Encryption Standard) to improve data protection.

LAB 10
Steganography and encryption with StegHide UI

StegHide UI
StegHide UI is a GUI for Steghide, an open source steganography program to encrypt and hide data inside images (.jpeg, .bmp) and audio files (.wav, .au). It allows users to do everything Steghide can do with a point-and-click mouse interface, saving you the command line learning curve. There is also a tab where you can use this steganography tool in command line mode if you feel inclined to do so. StegHide UI offers you the best of both worlds, a GUI and a command line all in one program.

Wise Disk Cleaner
Wise Disk Cleaner is a free disk utility designed to help you keep your disk clean by deleting unnecessary files. Usually, these unnecessary or junk files are left behind by incomplete program uninstallers or are temporary Internet files. When deleting files, you can choose to erase them forever or, in case you are not sure about them, you can delete them to the Recycle Bin.

Disk Degaussing / Destruction techniques
Degaussing Hard Drives
Securely wipe the hard drives that your organization no longer needs. The vulnerability of information stored on a PC hard drive is a recognized security risk. It is simply not enough to delete, reformat or overwrite sensitive information. The only solution that guarantees 100% data erasure is to use hardware called a degausser to securely wipe all the data.

Degaussing a hard drive is achieved by passing it through a powerful magnetic field. This rearranges the metallic particles, completely removing any semblance of the original data. Even if the hard drive is not working, the degaussing process can be used to ensure that the data it contains is removed completely and cannot be recovered.

DATAGONE - Automatic Pulse Discharge Hard Drive Degausser
The DATAGONE is a fully automatic degausser for hard drives and backup tapes. It uses pulse discharge technology and is fully processor controlled, which enables the DATAGONE to offer a complete and secure erase. It is capable of securely wiping hard drives that use both perpendicular and vertical recording techniques. The DATAGONE generates a powerful magnetic field and in less than a second completely erases the data from hard drives and backup tapes. Its simple, one-pass, fully automatic operation makes it ideal in businesses where security is of the utmost importance.

V91 Max - Most powerful, manual hard drive degausser
The V91 Max is the most powerful manual hard drive degausser, designed to fully and securely wipe computer hard drives and DLT tapes. With an incredible 7000 gauss, this degausser is also capable of degaussing tapes: Audio, DAT, VHS and S-VHS, VHS Digital, 4&8mm, Beta SP/digital, video cassettes, floppy disks. Computer cartridges: DC, TK 50/70/85, DLT 3489/3490/3590.

BitLocker
BitLocker lets you encrypt the hard drive(s) on your Windows 7 and Vista Enterprise, Windows 7 and Vista Ultimate or Windows Server 2008 and R2. BitLocker will not encrypt hard drives for Windows XP, Windows 2000 or Windows Only Windows 7, Vista and Server 2008 include BitLocker. BitLocker drives can be encrypted with 128-bit or 256-bit encryption; this is plenty strong to protect your data in the event the computer is lost or stolen.

BitLocker
BitLocker protects your hard drive from offline attack. This is the type of attack where a malicious user will take the hard drive from your mobile machine and connect it to another machine so they can harvest your data. BitLocker also protects your data if a malicious user boots from an alternate operating system.