Computer Forensic Tools. Stefan Hager




Transcription:

Slide 1: Computer Forensic Tools
Stefan Hager

Slide 2: Overview
SS 2007 Advanced Computer Networks
- Important policies for computer forensic tools
- Typical workflow for analyzing evidence
- Categories of tools
- Demo

Slide 3: Important policies for computer forensic tools
- Evidence must not get compromised or contaminated during the investigation
  - disk imaging necessary
  - ensure data integrity: hashing (MD5, SHA-1, ...)
- Digital evidence must be permitted during litigation
  - adheres to the standards of evidence that are admissible in a court of law

Slide 4: Typical workflow for analyzing evidence

Slide 5: Categories of computer forensic tools
- Disk imaging
- Memory imaging
- Data and disk analysis
- Special OS live distributions
- Network forensics

Slide 6: Disk imaging
- Hardware imagers, e.g. handhelds that clone source drives
  - write blocker to protect the data on the source drive
  - fast: up to 4 GB/min (SCSI)
  - usually no additional software necessary

Slide 7: Disk imaging
- Multiple interfaces supported, e.g. IDE, SATA, PATA, SCSI, USB, FireWire, flash cards, ...

Slide 8: Disk imaging
- Software imagers
  - Unix-based imagers: dd, dcfldd, AIR, rdd, sdd
  - Windows-based imagers: ProDiscover (images FAT12/16/32 and NTFS), AccessData (read, acquire, decrypt, analyze)
  - calculate hashes (MD5, SHA-1): checksumming of the image
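The integrity requirement of slide 3 and the hashing step of slide 8 together, as an added worked example that is not part of the slides: a dd/dcfldd-style software imager in Python that copies a source block by block and computes MD5 and SHA-1 over exactly the bytes it writes, then re-hashes the finished image to prove the two match. The "drive" here is a constructed temporary file standing in for a device such as /dev/sdb (an assumption for the demo, not a real acquisition); the zero-fill behaviour on a read error mirrors dd's conv=noerror,sync so that later data keeps its offset in the image.

```python
# Added example (not from the slides): dd/dcfldd-style imaging with on-the-fly hashing.
import hashlib
import os
import tempfile

SECTOR = 512  # dd's default block size


def image_source(src_path, dst_path, block_size=SECTOR):
    """Copy src_path to dst_path block by block, hashing every byte written.

    Like dd conv=noerror,sync: an unreadable block is replaced by zeros so
    the rest of the image stays at the correct offset, and the error is counted.
    Returns (md5_hex, sha1_hex, bytes_written, read_errors).
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    written = errors = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        offset = 0
        while True:
            try:
                block = src.read(block_size)
            except OSError:  # a bad sector on a physical device
                errors += 1
                block = b"\x00" * block_size
                src.seek(offset + block_size)  # step over the bad block
            if not block:
                break
            md5.update(block)
            sha1.update(block)
            dst.write(block)
            written += len(block)
            offset += len(block)
    return md5.hexdigest(), sha1.hexdigest(), written, errors


def sha1_of(path, chunk=1 << 16):
    """Independent re-hash of a file, used to verify the image after acquisition."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for part in iter(lambda: f.read(chunk), b""):
            h.update(part)
    return h.hexdigest()


def demo():
    """Image a constructed 'drive' and check image hash == source hash."""
    drive = bytes(range(256)) * 9 + b"tail"  # constructed: 2308 bytes, not a sector multiple
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sdb")      # stands in for /dev/sdb (assumption)
        img = os.path.join(tmp, "sdb.dd")
        with open(src, "wb") as f:
            f.write(drive)
        md5, sha1, n, errs = image_source(src, img)
        return {
            "md5": md5,
            "sha1": sha1,
            "bytes": n,
            "errors": errs,
            # the image must hash to the same value as the original bytes
            "match": sha1 == sha1_of(img) == hashlib.sha1(drive).hexdigest(),
        }


if __name__ == "__main__":
    print(demo())
```

The hash recorded at acquisition time is what later ties an analysed copy back to the original; any image that fails the `sha1_of` comparison should be discarded and re-acquired rather than analysed.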

Slide 9: Memory imaging
- Making an image of physical memory
  - Linux: dd captures the contents of physical memory via the device file /dev/mem
  - Windows: hibernation file C:\hiberfil.sys

Slide 10: Data and disk analysis tools
- Purpose: extract, manipulate, validate data
- Partition recovery (e.g. gpart)
  - recover deleted/corrupt partitions
  - guess partition tables
  - recover the boot sector (e.g. fdisk /mbr restores the boot code in the MBR, but not the partition table)
- Data evaluation and recovery (e.g. Autopsy)
  - restore deleted/corrupt files
  - RAID reconstruction (RAID level 0 striping, level 5)
- Password recovery / breaking
  - open files that are password protected
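To make the boot-sector point concrete, here is an added example (not from the slides or from gpart) that parses the classic MBR layout: 446 bytes of boot code, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510. It then shows why rewriting only the boot code, as fdisk /mbr does, leaves the partition table untouched. The sector and its entries are constructed for the demo; the byte values do not come from any real disk.

```python
# Added example (not from the slides): parse an MBR and separate boot code from the partition table.
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446        # partition table starts here; boot code occupies bytes 0..445
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_entry(bootable, ptype, lba_start, sectors):
    """Pack one partition entry (CHS fields zeroed; only the LBA fields matter here)."""
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FMT, status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba_start, sectors)


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != MBR_SIZE or sector[510:512] != SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def rewrite_boot_code(sector, boot_code):
    """What 'fdisk /mbr' does: replace bytes 0..445 only; table and signature are kept."""
    if len(boot_code) > TABLE_OFFSET:
        raise ValueError("boot code does not fit in front of the partition table")
    return boot_code.ljust(TABLE_OFFSET, b"\x00") + sector[TABLE_OFFSET:]


def demo():
    clean_boot = b"\xfa\x33\xc0\x8e\xd0"  # constructed stand-in for real boot code
    table = (build_entry(True, 0x07, 2048, 204800)      # constructed NTFS partition
             + build_entry(False, 0x83, 206848, 409600)  # constructed Linux partition
             + b"\x00" * (2 * ENTRY_SIZE))               # two empty slots
    mbr = clean_boot.ljust(TABLE_OFFSET, b"\x00") + table + SIGNATURE
    damaged = b"\xcc" * 32 + mbr[32:]   # constructed: boot code overwritten, table intact
    restored = rewrite_boot_code(damaged, clean_boot)
    return {
        "partitions": parse_mbr(mbr),
        # the table survives both the damage and the boot-code rewrite
        "table_preserved": parse_mbr(damaged) == parse_mbr(restored) == parse_mbr(mbr),
        "boot_code_restored": restored == mbr,
    }


if __name__ == "__main__":
    print(demo())
```

If the table itself is the part that was lost, this parser only reports empty slots; that is the case where a tool like gpart has to guess partition boundaries from file-system signatures instead.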

Slide 11: Data and disk analysis tools
- Carving (e.g. foremost)
  - search an input for files or other kinds of objects based on content
  - recover files when directory entries are missing/corrupt, for deleted files, or from damaged media
  - look for file headers and footers, "carving out" the blocks between these two boundaries
  - usually executed on a disk image and not on the original disk
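The header/footer carving described on this slide, as an added example in Python (this is not foremost's code): it scans a byte buffer for known file signatures, cuts out everything between a header and the next matching footer, and skips a header that has no footer within the size limit. The signature table, the sample image and the embedded JPEG and PNG stubs are constructed for the demo and are not real files.

```python
# Added example (not from the slides): header/footer file carving over a constructed image.
SIGNATURES = {
    # type: (header, footer)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(data, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return carved objects as dicts with type, offset, size and bytes, sorted by offset.

    For each signature the buffer is searched for the header, then for the
    footer within max_size bytes; a header without a footer is skipped, which
    keeps a stray header from swallowing the rest of the image.
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        start = 0
        while True:
            h = data.find(header, start)
            if h < 0:
                break
            f = data.find(footer, h + len(header), h + max_size)
            if f < 0:
                start = h + 1      # orphan header: move on
                continue
            end = f + len(footer)
            hits.append({"type": kind, "offset": h, "size": end - h, "data": data[h:end]})
            start = end            # continue after the carved object
    return sorted(hits, key=lambda x: x["offset"])


def demo():
    """Carve a constructed image holding one JPEG stub, one PNG stub and an orphan header."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed" + b"\xff\xd9"                 # 22 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed" + b"IEND\xaeB`\x82"          # 32 bytes
    image = (b"\x00" * 100 + jpg          # jpg at offset 100
             + b"\x00" * 50 + png         # png at offset 172
             + b"\x00" * 30 + b"\xff\xd8\xff" + b"\x00" * 10)  # header with no footer
    return carve(image)


if __name__ == "__main__":
    for hit in demo():
        print(hit["type"], hit["offset"], hit["size"])
```

On a real image the buffer would be read in chunks with an overlap of at least the longest signature, and the recovered objects written out under names derived from their offsets, which is the naming convention carving tools use so that a hit can be located again in the image.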

Slide 12: Data and disk analysis tools
- Metadata extraction
  - extract metadata from different file formats (Microsoft Office documents, PDF, binary files, ...)
  - MAC times (Modification, Access, Creation; UNIX)
  - WAC times (Written, Accessed, Created; Windows)
  - file type
  - user ID, group ID

Slide 13: Data and disk analysis tools
- Evaluation of timelines (e.g. Zeitline)
  - analyzing and evaluating data for event reconstruction
  - sources: MAC times, WAC times, system logs, firewall logs, application data
  - timelines consist of events (time spans)
  - events belonging to the same action are grouped together
  - events can have sub- and super-events (hierarchy)

Slide 14: Data and disk analysis tools
- Evaluation of timelines, example
  - events: access program gcc, access file x, access library y
  - grouped together to "compile program x"
  - a super-event of this group could be "install rootkit z"
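Slides 12 to 14 together describe one pipeline: pull timestamps from files and logs, merge them into a sorted timeline, and group events that belong to one action. The added example below (not Zeitline's code, and not from the slides) implements that pipeline in Python with the gcc scenario of slide 14 as its input. The file-system events and syslog lines are constructed; the ISO-8601 log format is an assumption made so the parser stays short. One caveat that matters for the "C" in MAC: on Linux, `os.stat` reports st_ctime as the inode change time, not a creation time.

```python
# Added example (not from the slides): MAC-time and log events merged into a grouped timeline.
import os
import re
from datetime import datetime, timezone

# Assumed log format for the demo: "<ISO-8601 UTC timestamp> <host> <message>"
SYSLOG_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\S+) (.*)$")


def _ts(text):
    """ISO-8601 UTC string -> POSIX timestamp (float)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def mac_events(path):
    """Three events from a file's MAC times. Linux: st_ctime is inode change, not creation."""
    st = os.stat(path)
    return [
        {"time": st.st_mtime, "source": "fs", "what": "modify " + path},
        {"time": st.st_atime, "source": "fs", "what": "access " + path},
        {"time": st.st_ctime, "source": "fs", "what": "change " + path},
    ]


def parse_syslog(lines):
    """Turn matching log lines into events; lines that do not parse are ignored."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            events.append({"time": _ts(m.group(1)), "source": "syslog:" + m.group(2), "what": m.group(3)})
    return events


def build_timeline(*sources):
    """Merge any number of event lists into one list sorted by time."""
    return sorted((e for src in sources for e in src), key=lambda e: e["time"])


def group_events(timeline, window=60.0):
    """Consecutive events no more than `window` seconds apart form one super-event (a time span)."""
    groups = []
    for e in timeline:
        if groups and e["time"] - groups[-1]["end"] <= window:
            groups[-1]["events"].append(e)
            groups[-1]["end"] = e["time"]
        else:
            groups.append({"start": e["time"], "end": e["time"], "events": [e]})
    return groups


def demo():
    # Constructed file-system access events, deliberately out of order (what mac_events() yields)
    fs = [
        {"time": _ts("2007-05-24T10:00:04Z"), "source": "fs", "what": "access /lib/libc.so.6"},
        {"time": _ts("2007-05-24T10:00:00Z"), "source": "fs", "what": "access /usr/bin/gcc"},
        {"time": _ts("2007-05-24T10:00:03Z"), "source": "fs", "what": "access /tmp/x.c"},
    ]
    logs = parse_syslog([  # constructed log lines
        "2007-05-24T11:30:00Z host sshd[812]: Accepted password for bob",
        "2007-05-24T10:00:20Z host kernel: module z loaded",
        "garbage line that does not parse",
    ])
    return group_events(build_timeline(fs, logs), window=60)


if __name__ == "__main__":
    for g in demo():
        print(g["start"], "->", g["end"], [e["what"] for e in g["events"]])
```

The first group (gcc, x.c, libc, module load within twenty seconds) is the "compile program x" span of slide 14; the ssh login ninety minutes later falls outside the window and stays a separate event. Naming the super-event ("install rootkit z") remains the analyst's judgement; the tool only supplies the grouping.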

Slide 15: Special OS live distributions
- Free distributions
  - DEFT Linux (built upon Kubuntu)
  - Helix (built upon Knoppix)
- Commercial distributions
  - SMART Linux (by ASR Data)
  - MacQuisition Boot CD (for imaging Macintosh systems)

Slide 16: Network forensics
- Network vulnerability scanners (e.g. Nessus)
  - based on a security vulnerability database
  - detects remote as well as local flaws
- Network protocol analyzers (e.g. Wireshark, Ethereal)
  - many protocols supported
  - live capture / offline analysis
  - VoIP analysis

Slide 17: Network forensics
- Search for rootkits (e.g. chkrootkit)
  - scripts that check system binaries for rootkit modification
  - checks for signs of trojans
  - checks whether the network interface is in promiscuous mode
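Two of the chkrootkit checks named on this slide, as an added example in Python (this is not chkrootkit's own code): comparing system binaries against a hash baseline taken from a known-good state, and testing the IFF_PROMISC bit in an interface's flags. The baseline files here are constructed temporary files standing in for binaries such as ls, ps and netstat; the `/sys/class/net/<if>/flags` path is the Linux sysfs location (an assumption that the check is run on Linux), and the flag values in the demo are constructed.

```python
# Added example (not from the slides): binary baseline check and promiscuous-mode check.
import hashlib
import os
import tempfile

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for part in iter(lambda: f.read(chunk), b""):
            h.update(part)
    return h.hexdigest()


def build_baseline(paths):
    """Record hashes while the system is known to be clean (store this off-host)."""
    return {p: sha256_file(p) for p in paths}


def check_binaries(baseline):
    """Return (path, status) pairs; status is 'ok', 'modified' or 'missing'."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        else:
            findings.append((path, "ok" if sha256_file(path) == expected else "modified"))
    return findings


def is_promiscuous(flags_text):
    """Parse the hex content of /sys/class/net/<if>/flags and test IFF_PROMISC."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sys_net="/sys/class/net"):
    """Names of interfaces currently in promiscuous mode (empty if sysfs is absent)."""
    found = []
    if not os.path.isdir(sys_net):
        return found
    for name in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, name, "flags")) as f:
                if is_promiscuous(f.read()):
                    found.append(name)
        except OSError:
            continue
    return found


def demo():
    """Baseline three constructed 'binaries', then alter one and delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = [os.path.join(tmp, n) for n in ("ls", "ps", "netstat")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original contents of " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        with open(paths[1], "wb") as f:          # ps replaced after the baseline was taken
            f.write(b"different contents")
        os.remove(paths[2])                      # netstat gone
        return {
            "binaries": [status for _, status in check_binaries(baseline)],
            "promisc": (is_promiscuous("0x1103"), is_promiscuous("0x1003")),  # constructed flag values
        }


if __name__ == "__main__":
    print(demo())
    print("promiscuous interfaces:", promiscuous_interfaces())
```

The baseline is only as trustworthy as the host it was taken on and the place it is stored: a kernel-level rootkit can lie to `os.stat`, `open` and sysfs alike, which is why such checks are best run from a live distribution (slide 15) against a mounted image rather than on the running suspect system.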

Slide 18: Demo

Slide 19: References
- Vacca, J. R.: Computer Forensics: Computer Crime Scene Investigation. Hingham, Mass.: Charles River Media 2002.
- http://www.forensicswiki.org
- http://www.forensics.nl/toolkits
- http://en.wikipedia.org/wiki/digital_Forensic_Tools

Slide 20: References
- http://en.wikipedia.org/wiki/computer_forensics
- http://www.encase.com/products/ef_works.aspx

Slide 21: Tools
- http://www.chkrootkit.org/
- http://www.guidancesoftware.com/
- http://www.sleuthkit.org/autopsy/desc.php
- http://foremost.sf.net/
- http://www.sleuthkit.org/
- http://www.porcupine.org/forensics/tct.html

Slide 22: Tools
- http://projects.cerias.purdue.edu/forensics/timeline.php
- http://www.forensicswiki.org/wiki/helix
- http://www.stevelab.net/deft/
- http://www.wireshark.org/

Slide 23: Questions
1. Briefly explain three tasks of disk analysis tools (slides 10-14).
2. What are important policies for computer forensic tools? (slide 3)

Slide 24: Thank you for your attention!