Guide to Computer Forensics and Investigations, Second Edition

Transcription

1 Guide to Computer Forensics and Investigations, Second Edition Chapter 4 Current Computer Forensics Tools Objectives Understand how to identify needs for computer forensics tools Evaluate the requirements and expectations for computer forensics tools Understand how computer forensics hardware and software tools integrate Validate and test your computer forensics tools Guide to Computer Forensics and Investigations, 2e 2 Computer Forensics Software Needs Look for versatility, flexibility, and robustness OS File system Script capabilities Automated features Vendor s reputation Keep in mind what applications you analyze Guide to Computer Forensics and Investigations, 2e 3 1

2 Types of Computer Forensics Tools Hardware forensic tools Single-purpose components Complete computer systems and servers Software forensic tools Command-line applications GUI applications Guide to Computer Forensics and Investigations, 2e 4 Tasks Performed by Computer Forensics Tools Acquisition Validation and discrimination Extraction Reconstruction Reporting Guide to Computer Forensics and Investigations, 2e 5 Acquisition Acquisition categories: Physical data copy Logical data copy Data acquisition format Command-line acquisition GUI acquisition Guide to Computer Forensics and Investigations, 2e 6 2

3 Acquisition (continued) Acquisition categories (continued): Remote acquisition Verification Guide to Computer Forensics and Investigations, 2e 7 Acquisition (continued) Guide to Computer Forensics and Investigations, 2e 8 Validation and Discrimination Hashing Cyclic redundancy check (CRC)-32, MD5, Secure Hash Algorithms (SHAs) Filtering Based on hash value sets Analyzing file headers Discriminate files based on their types Guide to Computer Forensics and Investigations, 2e 9 3

4 Extraction Major techniques include: Data viewing How data is viewed depends on the tool used Keyword searching Recovers key data facts Decompressing Archive and cabinet files Guide to Computer Forensics and Investigations, 2e 10 Extraction (continued) Major techniques include: Carving Reconstruct fragments of deleted files Decrypting Password dictionary attacks Brute-force attacks Bookmarking First find evidence, then bookmark it Guide to Computer Forensics and Investigations, 2e 11 Reconstruction Re-create a suspect s disk drive Techniques Disk-to-disk copy Image-to-disk copy Partition-to-partition copy Image-to-partition copy Guide to Computer Forensics and Investigations, 2e 12 4

5 Reporting Configure your forensic tools to: Log activities Generate reports Use this information when producing a final report for your investigation Guide to Computer Forensics and Investigations, 2e 13 Tool Comparisons Guide to Computer Forensics and Investigations, 2e 14 Tool Comparisons (continued) Guide to Computer Forensics and Investigations, 2e 15 5

6 Other Considerations for Tools Flexibility Reliability Expandability Keep a library with older version of your tools Guide to Computer Forensics and Investigations, 2e 16 Computer Forensics Software Example: Norton DiskEdit Advantages Require few system resources Run in minimal configurations Fit on a bootable floppy disk Disadvantages Cannot search inside archive and cabinet files Most of them only work on FAT file systems Guide to Computer Forensics and Investigations, 2e 17 UNIX/Linux Command-line Forensic Tools Dominate the *nix platforms Examples: SMART The Coroner s Toolkit (TCT) Autopsy SleuthKit Guide to Computer Forensics and Investigations, 2e 18 6

7 GUI Forensic Tools Simplify computer forensics investigations Help training beginning investigators Most of them come into suites of tools Guide to Computer Forensics and Investigations, 2e 19 GUI Forensic Tools (continued) Advantages Ease of use Multitasking No need for learning older OSs Disadvantages Excessive resource requirements Produce inconsistent results Create tool dependencies Guide to Computer Forensics and Investigations, 2e 20 Computer Hardware Tools Provide analysis capabilities Hardware eventually fails Schedule equipment replacements When planning your budget Failures Consultant and vendor fees Anticipate equipment replacement Guide to Computer Forensics and Investigations, 2e 21 7

8 Computer Investigation Workstations Carefully consider what you need Categories: Stationary Portable Lightweight Balance what you need and what your system can handle Guide to Computer Forensics and Investigations, 2e 22 Computer Investigation Workstations (continued) Police agency labs Need many options Use several PC configurations Private corporation labs handle only system types used in the organization Keep a hardware library Guide to Computer Forensics and Investigations, 2e 23 Building your Own Workstation It is not as difficult as it sounds Advantages Customized to your needs Save money ISDN phone system Disadvantages Hard to find support for problems Can become expensive if careless Guide to Computer Forensics and Investigations, 2e 24 8

9 Building your Own Workstation (continued) You can buy one from a vendor as an alternative Examples: F.R.E.D. FIRE IDE Guide to Computer Forensics and Investigations, 2e 25 Using a Write-Blocker Prevents data writes to a hard disk Software options: Software write-blockers are OS-dependent PDBlock Hardware options Ideal for GUI forensic tools Act as a bridge between the disk and the workstation Guide to Computer Forensics and Investigations, 2e 26 Using a Write-Blocker (continued) Discards the written data For the OS, the data copy is successful Connecting technologies FireWire USB 2.0 SCSI controllers Guide to Computer Forensics and Investigations, 2e 27 9

10 Recommendations for a Forensic Workstation Data acquisition techniques: USB 2.0 FireWire Expansion devices requirements Power supply with battery backup Extra power and data cables External FireWire and USB 2.0 ports Guide to Computer Forensics and Investigations, 2e 28 Recommendations for a Forensic Workstation (continued) Ergonomic considerations Keyboard and mouse Display High-end video card Monitor Guide to Computer Forensics and Investigations, 2e 29 Validating and Testing Forensic Software Evidence could be admitted in court Test and validate your software to prevent damaging the evidence Guide to Computer Forensics and Investigations, 2e 30 10

11 Using National Institute of Standards and Technology (NIST) Tools Computer Forensics Tool Testing (CFTT) program Based on standard testing methods ISO criteria ISO 5725 Also evaluate disk imaging tools Forensic Software Testing Support Tools (FS-TSTs) Guide to Computer Forensics and Investigations, 2e 31 Using NIST Tools (continued) National Software Reference Library (NSRL) project Collects all known hash values for commercial software applications and OS files Helps filtering known information Guide to Computer Forensics and Investigations, 2e 32 The Validation Protocols Always verify your results Use at least two tools Retrieving and examination Verification Understand how tools work Disk editors Norton DiskEdit Hex Workshop WinHex Guide to Computer Forensics and Investigations, 2e 33 11

12 The Validation Protocols (continued) Disk editors (continued) Do not have a flashy interface Reliable tools Can access raw data Guide to Computer Forensics and Investigations, 2e 34 Computer Forensics Examination Protocol Perform the investigation with a GUI tool Verify your results with a disk editor WinHex Hex Workshop Compare hash values obtained with both tools Guide to Computer Forensics and Investigations, 2e 35 Computer Forensics Tool Upgrade Protocol Test New releases Patches Upgrades If you found a problem, report it to your forensics tool vendor Use a test hard disk for validation purposes Guide to Computer Forensics and Investigations, 2e 36 12

13 Summary Create a business plan to get the best hardware and software Computer forensics tools functions Acquisition Validation and discrimination Extraction Reconstruction Reporting Guide to Computer Forensics and Investigations, 2e 37 Summary (continued) Maintain a software library on your lab Computer forensics tools types: Software Hardware Forensics software: Command-line GUI Guide to Computer Forensics and Investigations, 2e 38 Summary (continued) Forensics hardware: Customized equipment Commercial options Include workstations and write-blockers Always test your forensics tools Guide to Computer Forensics and Investigations, 2e 39 13