Identification and Analysis of hard disk drive in digital forensic



Similar documents
Significance of Hash Value Generation in Digital Forensic: A Case Study

Software Quality Characteristics Tested For Mobile Application Development

Local Area Network Management

REQUIREMENTS FOR A COMPUTER SCIENCE CURRICULUM EMPHASIZING INFORMATION TECHNOLOGY SUBJECT AREA: CURRICULUM ISSUES

Applying Multiple Neural Networks on Large Scale Data

Digital Forensics Tutorials Acquiring an Image with FTK Imager

Red Hat Enterprise Linux: Creating a Scalable Open Source Storage Infrastructure

Fuzzy Sets in HR Management

A framework for performance monitoring, load balancing, adaptive timeouts and quality of service in digital libraries

Standards and Protocols for the Collection and Dissemination of Graduating Student Initial Career Outcomes Information For Undergraduates

Overview of Computer Forensics

An Innovate Dynamic Load Balancing Algorithm Based on Task

Quality evaluation of the model-based forecasts of implied volatility index

ON SELF-ROUTING IN CLOS CONNECTION NETWORKS. BARRY G. DOUGLASS Electrical Engineering Department Texas A&M University College Station, TX

EaseUS Partition Master

ADJUSTING FOR QUALITY CHANGE

INTEGRATED ENVIRONMENT FOR STORING AND HANDLING INFORMATION IN TASKS OF INDUCTIVE MODELLING FOR BUSINESS INTELLIGENCE SYSTEMS

How To Get A Loan From A Bank For Free

Evaluating Inventory Management Performance: a Preliminary Desk-Simulation Study Based on IOC Model

Searching strategy for multi-target discovery in wireless networks

Online Bagging and Boosting

Incident Response and Computer Forensics

Generating Certification Authority Authenticated Public Keys in Ad Hoc Networks

An Approach to Combating Free-riding in Peer-to-Peer Networks

Research Article Performance Evaluation of Human Resource Outsourcing in Food Processing Enterprises

Paragon Backup Retention Wizard

AutoHelp. An 'Intelligent' Case-Based Help Desk Providing. Web-Based Support for EOSDIS Customers. A Concept and Proof-of-Concept Implementation

Analyzing Spatiotemporal Characteristics of Education Network Traffic with Flexible Multiscale Entropy

RECURSIVE DYNAMIC PROGRAMMING: HEURISTIC RULES, BOUNDING AND STATE SPACE REDUCTION. Henrik Kure

Use of extrapolation to forecast the working capital in the mechanical engineering companies

PHYSICIAN OFFICE IT SECURITY GUIDE

International Journal of Management & Information Systems First Quarter 2012 Volume 16, Number 1

Digital forensic techniques for static analysis of NTFS images

Guide to Computer Forensics and Investigations, Second Edition

An Integrated Approach for Monitoring Service Level Parameters of Software-Defined Networking

Financial Aid Workshop Promotional Kit

PERFORMANCE METRICS FOR THE IT SERVICES PORTFOLIO

Media Adaptation Framework in Biofeedback System for Stroke Patient Rehabilitation

New for 2016! Get Licensed

Managing Complex Network Operation with Predictive Analytics

The Fundamentals of Modal Testing

An Improved Decision-making Model of Human Resource Outsourcing Based on Internet Collaboration

The Research of Measuring Approach and Energy Efficiency for Hadoop Periodic Jobs

Audio Engineering Society. Convention Paper. Presented at the 119th Convention 2005 October 7 10 New York, New York USA

ASIC Design Project Management Supported by Multi Agent Simulation

Performance Evaluation of Machine Learning Techniques using Software Cost Drivers

Study on the development of statistical data on the European security technological and industrial base

CONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS

An online sulfur monitoring system can improve process balance sheets

EFFECTIVE DIGITAL FORENSIC ANALYSIS OF THE NTFS DISK IMAGE

Machine Learning Applications in Grid Computing

MSc Computer Security and Forensics. Examinations for / Semester 1

LCOS Projector WUX500

Guide to Intel Rapid Storage

Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers

Mathematical Model for Glucose-Insulin Regulatory System of Diabetes Mellitus

High Performance Chinese/English Mixed OCR with Character Level Language Identification

A magnetic Rotor to convert vacuum-energy into mechanical energy

The Benefit of SMT in the Multi-Core Era: Flexibility towards Degrees of Thread-Level Parallelism

Introduction to the Microsoft Sync Framework. Michael Clark Development Manager Microsoft

Study on the development of statistical data on the European security technological and industrial base

This paper studies a rental firm that offers reusable products to price- and quality-of-service sensitive

Energy Proportionality for Disk Storage Using Replication

Introduction to I/O and Disk Management

Method of supply chain optimization in E-commerce

Preference-based Search and Multi-criteria Optimization

Anecdotal Notes and Checklists

Pure Bending Determination of Stress-Strain Curves for an Aluminum Alloy

Evaluating Software Quality of Vendors using Fuzzy Analytic Hierarchy Process

CRM FACTORS ASSESSMENT USING ANALYTIC HIERARCHY PROCESS

Real Time Target Tracking with Binary Sensor Networks and Parallel Computing

Survey on Different Phases of Digital Forensics Investigation Models

OpenGamma Documentation Bond Pricing

( C) CLASS 10. TEMPERATURE AND ATOMS

Exercise 4 INVESTIGATION OF THE ONE-DEGREE-OF-FREEDOM SYSTEM

Insurance Spirals and the Lloyd s Market

Important Compliance Information. How to obtain and use the new documents (if fillable PDF s are mentioned above)

Optimal Resource-Constraint Project Scheduling with Overlapping Modes

Course Title: Computer Forensic Specialist: Data and Image Files

Sensors as a Service Oriented Architecture: Middleware for Sensor Networks

Amplifiers and Superlatives

A CHAOS MODEL OF SUBHARMONIC OSCILLATIONS IN CURRENT MODE PWM BOOST CONVERTERS

EC-Council Ethical Hacking and Countermeasures

SOME APPLICATIONS OF FORECASTING Prof. Thomas B. Fomby Department of Economics Southern Methodist University May 2008

Option B: Credit Card Processing

Exploiting Hardware Heterogeneity within the Same Instance Type of Amazon EC2

A Fast Algorithm for Online Placement and Reorganization of Replicated Data

Transcription:

Identification and Analysis of hard disk drive in digital forensic Kailash Kuar Dr. Sanjeev Sofat Dr. Naveen Aggarwal Phd(CSE) Student Prof. and Head CSE Deptt. Asst. Prof. CSE Deptt. PEC University of Technology PEC University of Technology UIET, Punjab University kuar2002002@yahoo.co sanjeevsofat@pec.ac.in navagg@gail.co ABSTRACT The draatic increase in crie relating to the Internet and coputers has caused a growing need for coputer forensics. Coputer forensic tools have been developed to assist coputer forensic investigators in conducting a proper investigation into digital cries. Digital forensics is a growing and iportant fields of research for current intelligence, law enforceent, and ilitary organizations today. As ore inforation is stored in digital for, the need and ability to analyze and process this inforation for relevant evidence has grown in coplexity. Digital Forensics helps this inforation for analyzing and evaluating digital data as evidence. The practice of digital forensics is new. When coputers becae coon in hoes and businesses, the police ore and ore often cae across coputers which contained forensic evidence. This paper focuses on the identification and analysis of hard disk drive in digital forensics exaination. Keywords: Digital forensics, HDD, PDA.INTRODUCTION The field of digital forensic analysis has experienced rapid growth in recent years, as the use of coputer forensic analysis proved invaluable in a wide range of legal proceedings. Digital forensics is used not only to investigate coputerized cries, such as network intrusion, fabrication of data and illegitiate aterial distribution through digital services, but also to investigate crie where evidence is stored in any digital forat on any digital device. Copounding with the increased usage and collection of digital evidence is the rapidly increasing storage capacity of edia such as hard disks (Turner, 2005). The rapid expansion in storage requireents is not confined to the field of forensics, with odern data reduction and deduplication techniques widely deployed in priary enterprise storage applications. This paper explains the iportance of the inforation that exists in hard disk drive for forensic analysis and investigations. The contribution of the paper is ainly twofold: a) a systeatic ethod for finding fingerprints of identification of hard disk drive. b) the ost iportant one is a extracting sensitive inforation for analysis, The reainder of this paper is organized as follows. Section 2 gives an overview of the hard disk drives. Section 3 provides a short background on digital forensics. Section 4 focuses on forensic analysis process odel for extracting sensitive inforation fro hard disk drive. Finally section 5 concludes the paper and our future work. 2.HARD DISK DRIVES - THE BASICS Despite the phenoenal increase in obile devices such as obile phones and PDAs over recent years, the hard disk drive (or just "hard disk" or "hard drive") reains the ost coon focus of coputer forensic investigation. In any ways, the basic design of the hard disk has changed very little since its introduction, although changes to individual coponents have brought about rearkable iproveents in speed, capacity and reliability. Exposing the internal architecture of a typical hard disk drive contains the four ajor coponents as described briefly over here. They are the Disk Platter, Head Ar, the Chassis, and the Head Actuator. The Chassis is the part of the hard disk that acts as the base and provides the physical support to it. The Chassis is the part of the hard disk drive over which the other parts are placed. 2. PLATTERS Platters are the circular disks located one above the other and ounted on a central pole known as a spindle. The platters are specially coated on each side with a coating which enables the to store data in agnetic for. Data is stored in concentric circles on both upper and lower surfaces of the platter and these circles are referred to as tracks. Each track is divided into individual sections called sectors when a disk is powered on and the syste needs to read or write data the platters spin at a very high speed (driven by the spindle otor) which enables the correct part of the disk to be read through use of the actuator ar and the coponents associated with it. 2.2 ACTUATOR ARM (OR ACTUATOR ASSEMBLY OR HEAD ASSEMBLY) In order to actually read data fro or write data to a disk (i.e. to or fro a platter) a tiny device called a read/write head needs to be positioned just above the platter surface. In order to position the head correctly it is located on the end of a "head ar" (strictly speaking, the read/write head is attached to a "head slider" which itself is attached to the head ar). The nuber of 674

head ars present in a hard disk is deterined by the nuber of platters with each ar usually being used to position a read/write head on either side of a platter. Head ars are joined together in a structure referred to as an actuator ar, actuator assebly or head assebly. In order to position the read/write heads in the correct place on the platters the assebly pivots on an axis which allows the heads to ove across the platter surface. This action, together with the rotation of the platter itself, allows the heads to be positioned correctly. 2.3 HARD DRIVE TECHNICAL SPECIFICATIONS PARAMETERS For factor 3.5 02 2.5 69.9.8 54 Width Height Largest capacity 25.4 3 TB (200)/4 TB Prototype (20) 7 5.5 TB (200) 5, 8 320 GB (2009) Platte rs (Max) 5 Table. Current hard disk for factors For factor Width Largest capacity 5.25 FH 46 47 GB (998) 5.25 HH 46 9.3GB (998).3 43 40 GB (2007) 42 20 GB (CFII/ZIF/ID (2006) E-Flex) 0.85 24 8 GB (2004) 4 3 Platters (Max) 4 Table2. Obsolete hard disk for factors 2.4 UNDERSTANDING HARD DISK PERFORMANCE IN FORENSIC APPLICATIONS The sequential nature of forensic iaging also largely eliinates the benefits of fast interface transfer rates and large on-disk cache buffers. Even experienced forensic practitioners are often fooled by clais of high interface transfer rates, so we will spend soe tie discussing the difference between edia transfer rate and interface transfer rate. 4 Interface Peak Data Peak Data Rate Rate (bits/sec) (bytes/sec) IDE UDMA 5-00 Mbytes/sec IDE UDMA 6-33 Mbytes/sec SATA I.5 Gbits/sec 50 Mbytes/sec SATA II 3.0 Gbits/sec 300 Mbytes/sec esata Sae as SATA Sae as SATA I I or II or II Ultra SCSI 320-320 Mbytes/sec FireWire400 400 Mbits/sec 40 Mbytes/sec (394A) FireWire800 800 Mbits/sec 80 Mbytes/sec (394B) USB 2.0 480 Mbits/sec 48 Mbytes/sec Table3. Peak Interface Transfer Rates for Selected Interface Technologies Coon hard disks today eploy the SATA (Serial ATA) interface standard. As shown in Table, SATA I offer an interface transfer rate of.5gbit/sec and SATA II offers an interface transfer rate of 3.0Gbit/sec. To those not failiar with the difference between edia transfer rate and interface transfer rate, these nubers ake it see like a SATA I drive should be able to transfer data at 50MB/sec or a SATA II drive should be able to transfer data at 300MB/sec. 3.DIGITAL FORENSICS The use of scientifically derived and proven ethods toward the preservation, collection, validation, identification, analysis, interpretation, docuentation and presentation of digital evidence derived fro digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criinal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. In 200, the Digital Forensics Research Workshop [DFRW] [8] proposed a process for digital investigations that involves the following six steps. Identification Preservation Collection Exaination Analysis Presentation Fig. Digital forensic investigation process 675

Digital forensics is the science of identifying, extracting, analyzing and presenting the digital evidence that has been stored in the digital electronic storage devices to be used in a court of law [, 2, 3]. While forensic investigation attepts to provide full descriptions of a digital crie scene, in coputer systes, the priary goals of digital forensic analysis are fivefold: i) to identify all the unwanted events that have taken place, ii) to ascertain their effect on the syste, iii) to acquire the necessary evidence to support a lawsuit, iv) to prevent future incidents by detecting the alicious techniques used and v) to recognize the inciteent reasons and intendance of the attacker for future predictions [2,4]. The general coponent in digital forensic process are; acquisition, preservation, and analysis [5]. Digital electronic evidence could be described as the inforation and data of investigative value that are stored by an electric device, such evidence [6]. Data can be recovered even if deleted fro a user s point of view. Techniques for recovery of deleted inforation are therefore central to digital forensics. Digitally stored inforation can easily be anipulated, so great care has to be taken when handling digital evidence, in order to be able to prove the origin of the inforation. This research focuses on the above entioned third goal of acquiring the necessary evidence of suspect hard disk that take place on a coputer syste. 4.FORENSIC ANALYSIS PROCESS In this section, we describe the forensic analysis process we had adopted to achieve the above entioned objectives of this research work. We conducted an epirical study using selected digital forensic tools that are predoinantly used in practice. Since each utility does soe specific functionality, a collection of such tools were necessary to perfor a coprehensive set of functionalities. Hence, the following forensic utilities / tools were adopted to conduct the experiental investigation in this research work: In an investigation, the analysis phase is the one that ost relies on the investigator s skills and experience. To analyze the data collected about a case, an investigator wants to understand and know where the suspect ight have hidden the data and in what forats and what application he ight have used. Soe patterns in the data are iportant; once found and fully exained; they can lead to ore evidence. In order to achieve a successful analysis, any tools are adopted to aid investigators analyze the collected data. Coon tools include EnCase [9] and the Forensic ToolKit [7] which coes with a searching tool dtsearch. These tools display the files of a storage edia and allow the user to navigate through the files siilar to traditional file explorers. However, they provide additional features that are useful in forensics context such as displaying file headers and opening copressed files. Soe of these tools provide ore contextual analysis features such as queries and a tie-line view of the files. However, the investigator is responsible for anually perforing the analysis and gathering knowledge fro the extracted data. 4. DISK IDENTIFICATION In soe cases, if the accused has denied that the evidence presented in front of judiciary is not belonging fro his/her hard drive. There are various tools available for hard disk identification in freeware, we can download and run in the accused hard drive but, it ay change the hard drive integrity value. For these we have proposed soe operating syste utility in window environent and hardware analysis (BIOS) to retrieve hard drive identification inforation fro accused coputer without affecting the original hard drive attributes. Step : Syste inforation (BIOS): The basic input/output syste (BIOS) software is built into the PC, and is the first code run by a PC when powered on ('boot firware'). The priary function of the BIOS is to set up the hardware and load and start an operating syste. When the PC starts up, the first job for the BIOS is to initialize and identify syste devices such as the hard disk drive, video display card, keyboard, ouse, optical disc drive and other hardware. The BIOS software provides useful inforation of hard disk drive such as serial no., vendor nae, and capacity for identification purpose. Step 2: Operating Syste (sinfo32.exe) MSINFO32 displays a coprehensive view of hardware, syste coponents, and software environent of accused coputer. This tool display all syste inforation such as installed devices, drivers, CPU, BIOS, RAM, Display, Hard Disks, Reovable edia and uch ore inforation you can find out without changing syste and drive integrity. Fig2. Syste Inforation Tool Storage Hard Disk 676

Step 3: The device anager utility also plays an iportant role to fetch inforation of all hardware connected to the coputer as storage devices, network adapter, ode etc., go to disk drives option and click on properties and go to the details you can find the serial no. of the hard disk connected to that syste. the integrity of the digital evidence. In other words, this procedure is necessary to prove that the data is exactly the replica as the original created at that tie and date staps of the acquired data atch that of the original. A cryptographic technique called a hash is used as a sort of electronic fingerprint for an individual file or even an entire hard drive. (kruse, p. 3) The EnCase for DOS utility provides the option of creating an MD5 hash value of the evidence at the tie of acquisition. This hash value is of the newly created drive iage. For evidentiary purposes, it is critically iportant that this hash value exists. Without it, there is no proof that the acquired iage is an exact atch of the original hard drive Stage 3: Evidence Analysis: During the analysis phase of the investigation, EnCase allows the investigator to create a hash value for any file. Since the hash value is deterined by the file s contents, any change to the file or tiestap results in a isatch with any future MD5 hash value. Misatched hash values strongly iply that the file has been odified either intentionally or unintentionally. It is also iportant to note that a hash value cannot be generated on a partial file; therefore, if a deleted file has been partially overwritten, an MD5 hash value for that incoplete file is not available. Fig3. Coputer anageent- disk drives The above entioned ethod is ainly focus to provide identification inforation of hard drive of accused before retrieving any valuable inforation for law enforceent using forensic iaging tools such as EnCase or FTK. This precious inforation can be used in front of court of law for supportive evidence. 4.2 DISK ANALYSIS Now, we adopted the following three stages to perfor digital forensic analysis in a coprehensive anner: Stage : Hard disk data acquisition: The first step in this investigative process is to acquire the evidence. The goal is to obtain an exact replica of the data without coproising its integrity; however, because coputer systes ay contain volatile data in RAM, the acquisition process is a dynaic one. We will assue that we are only interested in files that are known to have been created and stored on the crie suspect s hard drive. For this purpose we are using Windows based forensic data acquisition and analysis tool EnCase Forensic Edition Version 4. Stage 2: Evidence authentication: In this stage the investigator has to search and authenticate the evidence. The ai is to verify For the experiental investigation of the effectiveness of the above tools, we created test data on a Pentiu (R) Core (TM) 2 Due CPU,.89 GHz, 0.99 of RAM with Windows XP professional. The next two steps involved for iaging digital evidence fro suspect hard disk drive, for analysis and exaination purpose: Step : Power down the Suspect Syste: Powering down the suspect syste allows you to state on the record and in your docuentation that you ve established a tie and date upon which no other odifications will occur in the syste. It is iportant that you are able to prove that nothing you do in the course of your collection, analysis, and reporting odifies the original evidence. Look inside the syste to deterine what drive(s) exist and reove the, even if they are not currently attached to any cabling. Step 2: Forensically Iage the Drive with an EnCase DOS Boot Disk: Here we create an EnCase DOS boot disk using the EnCase progra. If you do not have an iage for the EnCase DOS boot disk, you can download it. Guidance Software offers boot disks that you can download at www.guidancesoftware.co/support/downloads.sht (under the Drivers section).. Choose Tools Create Boot Disk in EnCase and follow the propts. 2. Power down the syste. 3. Reattach the suspect drive to the syste. 677

4. Boot up the syste using the EnCase DOS boot disk; depending on the version of EnCase you re using, you will either go directly into EnCase for DOS or to the coand propt. At the coand propt, enter en and press return. 5. Unlock the disk to which you will be writing the iage of the suspect drive by highlighting Lock, pressing enter, and choosing the disk drive to unlock (in this case, we re unlocking Disk), as shown here: drive, through the use of syste BIOS and operating syste tools. Second, task to analyze digital evidence fro hard disk drive with the help of digital forensic iaging tool EnCase DOS Boot Disk. Soe data ining technique such as nae entity association, text suarization and iage association can be applied for analysis of suspect s hard disk drive for future work. ACKNOWLEDGMENT The authors thankful to Mr. Aandeep Jindal, Project Assistant PEC university of Technology, Chandigarh, for their useful suggestion and hardware support for this research paper. REFERENCES [] M. Reith, C. Carr, & G. Gunsch: An exaination of digital forensic odels, International Journal of Digital Evidence,, pp. -2 (2002). [2] M. Alazab, S. Venkatraan & P. Watters: Digital forensic techniques for static analysis of NTFS iages, Proceedings of ICIT2009, Fourth International Conference on Inforation Technology, IEEE Xplore (2009). Fig3. EnCase DOS Version interface 6. Your screen should now look like the following illustration, with the suspect drive (Disk) shown as locked and the drive to which you want to write the iage (Disk0) unlocked. 7. Select Acquire and choose the suspect drive (Drive). You can ove between options by pressing the tab key. After you have selected the suspect drive, press enter. 8. Provide the path to the directory on the iage drive to which you want the iage of the suspect drive to be written and the nae of the iage file, and then press enter. Before you choose OK, ake sure that the drive you are writing to is FAT6 or FAT32, as DOS cannot read fro or write to drives of other file systes. You ust also ake sure that enough free space is available on the destination drive to hold the iage. The iage will always be about 2K larger than the suspect drive for casespecific inforation EnCase stores in the file, so never try to iage a suspect drive to another drive of the sae or a saller size without using copression. 5.CONCLUSION & FUTURE WORK In this paper we have entioned soe technique which can help to identify the suspect hard disk before analysis of digital evidence. Once gathered, the inforation is then prepared it for law enforceent agencies. Our proposed ethod ais to address two probles: the first task to identify the suspect s hard [3] B. Carrier: File syste forensic analysis, Addison-Wesley Professional, USA, (2008). [4] S. Ardisson: Producing a Forensic Iage of Your Client s Hard Drive? What You Need to Know, Qubit,, pp. -2 (2007). [4] S. Ardisson: Producing a Forensic Iage of Your Client s Hard Drive? What You Need to Know, Qubit,, pp. -2 (2007). [5] M. Andrew: Defining a Process Model for Forensic Analysis of Digital Devices and Storage Media, Proceedings of SADFE2007, Second International Workshop on Systeatic Approaches to Digital Forensic Engineering, pp. 6-30 (2007). [6] E Investigation: Electronic Crie Scene Investigation: A Guide for First Responders, US Departent of Justice, NCJ, (200). [7] AccessData Corp. Forensic toolkit (ftk). http://www.accessdata.co/forensictoolkit.htl. [8] G. Paler. A road ap for digital forensic research. Report Fro the First Digital Forensic Research Workshop (DFRWS), August 200. http://www.dfrws.org/200/dfrws-r-final.pdf. [9] Guidance Software Inc. Encase forensics. http://www.guidancesoftware.co. 678

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information