Guide to Computer Forensics and Investigations, Second Edition

Chapter 9: Data Acquisition

Objectives
- Determine the best acquisition method
- Plan data-recovery contingencies
- Use MS-DOS acquisition tools
- Use GUI acquisition tools
- Use X-Ways Replica and other tools for data acquisition
- Recover data from PDAs

Determining the Best Acquisition Method
Three ways:
- Bit-stream disk-to-image file
- Bit-stream disk-to-disk
- Sparse data copy of a file or folder

Bit-stream disk-to-image file
- Most common method
- Can make more than one copy from the same source
- Tools: EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

Bit-stream disk-to-disk
- Used when a disk-to-image copy is not possible
- Consider the disk's geometry (CHS configuration), which the target must be able to reproduce
- Tools: SafeBack, SnapCopy, Norton Ghost 2002

Sparse data copy
- Creates exact copies of selected folders and files rather than the whole disk
- Used for very large disks, for PST or OST mail files, and for RAID servers

When making a copy, consider:
- Size of the source disk (lossless compression might be useful)
- Use digital signatures (hash values such as MD5) to verify the copy
- Whether you can retain the disk
- How much time you have
- Location of the evidence

Planning Data Recovery Contingencies
- Create a duplicate copy of your evidence image file
- Make at least two copies of digital evidence, using different tools or techniques for each
- Copy the host-protected area (HPA) of the disk drive as well (e.g., with an ImageMASSter Solo hardware duplicator)
- Consider HAZMAT and environmental conditions at the scene

Using MS-DOS Acquisition Tools
- The original tools: fit on a forensic boot floppy disk and require fewer resources
- DriveSpy provides data-preservation commands and data-manipulation commands

Understanding How DriveSpy Accesses Sector Ranges
- First method: absolute starting sector, total number of sectors. Example: 0:1000,100 (100 sectors starting at sector 1000 on drive 0, the primary master)
- Second method: absolute starting sector-ending sector. Example: 0:1000-1100 (101 sectors, because both ends are inclusive)
- Moving data: CopySect 0:1000,100 1:2000,100 (copies 100 sectors from drive 0 to drive 1, starting at sector 2000)

Using DriveSpy Data-Preservation Commands
- Work only on FAT16 and FAT32 disks
- SavePart: acquires an entire partition, even non-DOS partitions
- WritePart: re-creates a saved partition in its original format; be careful when restoring non-DOS partitions

Using the SavePart Command
- Creates an image file of a partition
- Uses lossless compression
- Copies the image to a target disk, which can be a smaller disk or removable media
- Generates an MD5 hash value
- Cannot be used on partition gaps (the unallocated sectors between partitions); use SaveSect for those

Using the WritePart Command
- Re-creates partitions from image files created with SavePart
- Decompresses the image file and writes it to the target disk
- Checks that the target disk is equal to or larger than the original disk before writing
- Prompts for all disks where the image file is stored
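The acquisition, contingency and SavePart/WritePart slides above describe one workflow: read every sector of the source, hash what was read, optionally compress it losslessly, keep more than one copy made with different settings, and refuse to restore onto a target smaller than the image. The Python below is an added example that implements that workflow against ordinary files; it is not code from the textbook or from DriveSpy, FTK or EnCase. The segment naming (prefix.001, prefix.002, ...), the 512-byte sector size, zlib as the lossless compressor, the constructed sample "disk" and all function names are assumptions made for this example. On a real system the source would be a block device opened read-only behind a write-blocker.

```python
"""Bit-stream disk-to-image acquisition with hashing, segmented output,
lossless compression and a WritePart-style restore check (added example)."""
import hashlib
import os
import shutil
import tempfile
import zlib

SECTOR = 512  # assumed sector size


def acquire(source_path, prefix, segment_bytes=1 << 20, compress=False):
    """Bit-stream copy of source_path into numbered segment files.
    Every byte is hashed as it is read, so the manifest's MD5 and SHA-256
    describe the source exactly as it was at acquisition time."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    segments, total, index = [], 0, 0
    with open(source_path, "rb") as src:
        while True:
            data = src.read(segment_bytes)
            if not data:
                break
            index += 1
            md5.update(data)
            sha.update(data)
            total += len(data)
            path = "%s.%03d" % (prefix, index)
            with open(path, "wb") as seg:
                # zlib is lossless: decompression returns the identical bytes
                seg.write(zlib.compress(data, 9) if compress else data)
            segments.append(path)
    return {"bytes": total, "segments": segments, "compressed": compress,
            "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def iter_image(manifest):
    """Yield the original bytes back from the segments, in order."""
    for path in manifest["segments"]:
        with open(path, "rb") as seg:
            data = seg.read()
        yield zlib.decompress(data) if manifest["compressed"] else data


def verify(manifest):
    """Re-read the image and confirm its length and both hashes."""
    md5, sha, n = hashlib.md5(), hashlib.sha256(), 0
    for data in iter_image(manifest):
        md5.update(data)
        sha.update(data)
        n += len(data)
    return (n == manifest["bytes"] and md5.hexdigest() == manifest["md5"]
            and sha.hexdigest() == manifest["sha256"])


def hash_region(path, nbytes):
    """SHA-256 of the first nbytes of a file (the region a restore wrote)."""
    sha, remaining = hashlib.sha256(), nbytes
    with open(path, "rb") as f:
        while remaining > 0:
            data = f.read(min(remaining, 1 << 16))
            if not data:
                break
            sha.update(data)
            remaining -= len(data)
    return sha.hexdigest()


def restore(manifest, target_path):
    """WritePart-style restore: verify the image first, refuse a target that
    is smaller than the image, write it back, then re-hash the target."""
    if not verify(manifest):
        raise ValueError("image fails hash verification; re-acquire it")
    if os.path.getsize(target_path) < manifest["bytes"]:
        raise ValueError("target disk is smaller than the image")
    with open(target_path, "r+b") as dst:
        for data in iter_image(manifest):
            dst.write(data)
    return hash_region(target_path, manifest["bytes"]) == manifest["sha256"]


def demo(size=3 * (1 << 20) + 777):
    """Acquire a constructed source twice with different settings and
    cross-check the copies: the 'two copies, two techniques' contingency."""
    work = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(work, "evidence.bin")
    with open(source, "wb") as f:
        f.write(os.urandom(size))          # constructed sample "disk"
    with open(source, "rb") as f:
        source_sha = hashlib.sha256(f.read()).hexdigest()
    raw = acquire(source, os.path.join(work, "raw"), 1 << 20, compress=False)
    packed = acquire(source, os.path.join(work, "cmp"), 1 << 20, compress=True)
    big, small = os.path.join(work, "big.bin"), os.path.join(work, "small.bin")
    with open(big, "wb") as f:
        f.write(b"\xff" * (size + SECTOR))  # larger target: allowed
    with open(small, "wb") as f:
        f.write(b"\xff" * (size - SECTOR))  # smaller target: must be refused
    try:
        restore(packed, small)
        refused = False
    except ValueError:
        refused = True
    result = {"source_sha256": source_sha, "raw": raw, "compressed": packed,
              "raw_ok": verify(raw), "compressed_ok": verify(packed),
              "restored_ok": restore(packed, big), "small_target_refused": refused}
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    r = demo()
    print("segments:", len(r["raw"]["segments"]), "hashes agree:",
          r["raw"]["sha256"] == r["compressed"]["sha256"] == r["source_sha256"])
```

The hashes are computed from the bytes read off the source, not from the image files, so a later verify() that fails tells you the image is bad rather than the source. restore() deliberately re-reads the target after writing instead of trusting what it just wrote; that is the same check WritePart's "target equal or larger" rule is protecting.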

Using DriveSpy Data-Manipulation Commands
- Isolate specific areas of a disk for examination
- Commands: SaveSect, WriteSect

Using the SaveSect Command
- Copies specific sectors on a disk to a file (a bit-stream copy)
- Creates non-compressed flat files
- Used for hidden or deleted partitions and for partition gaps
- Works in DriveSpy's Drive and Partition modes
- Example: SaveSect 1:40000-49999 c:\dir_name\file_name (10,000 sectors from drive 1 into a flat file)

Using the WriteSect Command
- Re-creates data acquired with SaveSect
- Works in DriveSpy's Drive and Partition modes
- Example: WriteSect c:\dir_name\file_name 2:10000 (writes the flat file to drive 2, starting at sector 10000)
- Disadvantage: can overwrite data on the target disk, so check the target range first
- Useful for non-Microsoft FAT file systems

Using Windows Acquisition Tools
- Make the job more convenient (hot-swappable devices)
- Drawbacks:
  - Windows can contaminate your evidence, because it writes to any disk it mounts
  - Require write-blocking hardware devices
  - Cannot access host-protected areas
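The sector-range slides and the SaveSect, WriteSect and CopySect slides above share one addressing scheme, and WriteSect's hazard is that it writes wherever it is pointed. The Python below is an added example that parses both range notations (drive:start,count and drive:start-end, both ends inclusive) and models the three commands on in-memory drives; it is not DriveSpy code. The Disk class, the 512-byte sector size, the refusal to overwrite non-blank sectors without force=True, and all function names are assumptions made for this example; the flat file on drive C: is stood in for by a returned byte string.

```python
"""DriveSpy-style sector addressing with SaveSect, WriteSect and CopySect
modelled on in-memory disks (added example, not DriveSpy itself)."""
import re

SECTOR = 512
_RANGE = re.compile(r"^(\d+):(\d+)(?:,(\d+)|-(\d+))$")   # d:start,count | d:start-end
_TARGET = re.compile(r"^(\d+):(\d+)$")                   # d:start (WriteSect target)


def parse_range(spec):
    """Return (drive, first, last) with last inclusive.
    '0:1000,100' -> (0, 1000, 1099); '0:1000-1100' -> (0, 1000, 1100)."""
    m = _RANGE.match(spec.strip())
    if not m:
        raise ValueError("bad sector range: %r" % spec)
    drive, start = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:                # start,count form
        count = int(m.group(3))
        if count < 1:
            raise ValueError("sector count must be at least 1")
        return drive, start, start + count - 1
    end = int(m.group(4))                     # start-end form, both ends inclusive
    if end < start:
        raise ValueError("ending sector is before starting sector")
    return drive, start, end


def sector_count(spec):
    _, first, last = parse_range(spec)
    return last - first + 1


class Disk:
    """A drive modelled as a bytearray of whole sectors (constructed stand-in)."""

    def __init__(self, sectors):
        self.sectors = sectors
        self.buf = bytearray(SECTOR * sectors)

    def _check(self, first, last):
        if first < 0 or last >= self.sectors:
            raise IndexError("sectors %d-%d outside drive of %d sectors"
                             % (first, last, self.sectors))

    def read(self, first, last):
        self._check(first, last)
        return bytes(self.buf[first * SECTOR:(last + 1) * SECTOR])

    def write(self, first, data):
        if len(data) % SECTOR:
            raise ValueError("data is not a whole number of sectors")
        last = first + len(data) // SECTOR - 1
        self._check(first, last)
        self.buf[first * SECTOR:(last + 1) * SECTOR] = data

    def fill(self, first, last, byte):
        """Write a recognisable pattern so copies can be checked."""
        self.write(first, bytes([byte]) * (SECTOR * (last - first + 1)))


def save_sect(disks, spec):
    """SaveSect: bit-stream copy of the addressed sectors to a flat,
    uncompressed byte string."""
    drive, first, last = parse_range(spec)
    return disks[drive].read(first, last)


def write_sect(disks, data, target, force=False):
    """WriteSect: put a flat file back at drive:start. Because WriteSect can
    overwrite data on the target disk, refuse non-blank sectors unless force=True."""
    m = _TARGET.match(target.strip())
    if not m:
        raise ValueError("bad target: %r" % target)
    drive, start = int(m.group(1)), int(m.group(2))
    last = start + len(data) // SECTOR - 1
    if not force and any(disks[drive].read(start, last)):   # read() also bounds-checks
        raise RuntimeError("sectors %d-%d on drive %d are not blank; pass force=True"
                           % (start, last, drive))
    disks[drive].write(start, data)
    return drive, start, last


def copy_sect(disks, src_spec, dst_spec):
    """CopySect 0:1000,100 1:2000,100: copy one range to another of equal length."""
    s_drive, s_first, s_last = parse_range(src_spec)
    d_drive, d_first, d_last = parse_range(dst_spec)
    if s_last - s_first != d_last - d_first:
        raise ValueError("source and destination ranges differ in length")
    data = disks[s_drive].read(s_first, s_last)
    disks[d_drive].write(d_first, data)
    return len(data) // SECTOR


if __name__ == "__main__":
    drives = [Disk(4096), Disk(4096)]         # two constructed 2 MiB drives
    drives[0].fill(1000, 1099, 0xAB)
    print("0:1000-1100 covers", sector_count("0:1000-1100"), "sectors")
    print("copied", copy_sect(drives, "0:1000,100", "1:2000,100"), "sectors")
    print("match:", drives[1].read(2000, 2099) == drives[0].read(1000, 1099))
```

The two notations differ by one sector for the same numbers (0:1000,100 ends at 1099, 0:1000-1100 at 1100), which is exactly the off-by-one that silently truncates or extends an acquisition; parse_range() makes that explicit, and write_sect() turns the "can overwrite data" disadvantage into a check that fails loudly.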

AccessData FTK Imager
- Included with AccessData FTK
- Views evidence disks and bit-stream image files
- Makes bit-stream disk-to-image copies at the logical partition and physical drive level
- Can segment the image file

Steps:
1. Boot Windows
2. Connect the evidence disk through a write-blocker
3. Connect the target disk to the examination machine (it must stay writable, so it does not go behind the write-blocker)
4. Start FTK Imager
5. Choose Create Disk Image
6. Select the Physical Drive option

Using X-Ways Replica
- Compact bit-stream acquisition program
- Fits on a forensic bootable floppy disk
- Produces a dd-like (raw) image
- Disk-to-image and disk-to-disk copies
- Can access host-protected areas (HPA)

Using Replica
1. Create a forensic boot floppy disk
2. Boot into MS-DOS
3. Replica checks whether the HPA setting in the BIOS is on; if it is, it asks you to turn it off
4. Reboot
5. Copy the information

PDA Data Acquisition
- PDAs store, send, and receive data
- PDA/cell phone combinations sync with host computers
- Duplicate the host PC during an investigation
- Paraben's PDA forensic tool: a specialized, GUI-based tool

PDA Data Acquisition (continued)
- Seize all PDA components, including cables and power supplies
- Learn how to put the PDA in debug mode

General Considerations for PDA Investigations
- Seize the PDA and the host computer, including the PDA caddy (cradle) and cables
- Collect documentation
- Get the power supply and recharge the batteries; leave the PDA plugged in
- Create a bit-stream image and a backup copy of the host PC
- Obtain or locate the password used on the PDA

Re-create the Host Computer
1. Connect the caddy, cables, and external cards
2. Install the backup copy on a new host
3. Install the PDA software
4. Read the documentation and sync the PDA
5. Examine the downloaded PDA content

Using Other Forensics-Acquisition Tools
- SnapBack DatArrest
- SafeBack
- EnCase

Exploring SnapBack DatArrest
- From Columbia Data Products
- Old, reliable MS-DOS tool
- Performs a bit-stream copy in three ways: disk to SCSI drive, disk to network drive, disk to disk
- Fits on a forensic boot floppy
- SnapCopy adjusts disk geometry for disk-to-disk copies

Exploring SafeBack
- Reliable MS-DOS tool
- Performs a SHA-256 calculation per sector copied
- Creates a log file
- Functions:
  - Disk-to-image copy (the image can be written to tape)
  - Disk-to-disk copy (adjusts target geometry)
  - Can use a parallel-port LapLink cable
  - Copies a partition to an image file
  - Compresses acquired information

Exploring EnCase
- Windows forensic tool from Guidance Software
- Creates forensic boot floppy disks: load En.exe onto the floppy
- Uses its own compression algorithm for evidence files
- Copy methods: disk-to-disk, disk-to-network server drive, disk-to-drive on parallel port

Summary
- Data acquisition methods: bit-stream disk-to-image file, bit-stream disk-to-disk, sparse data copy
- Several tools are available
- Lossless compression is acceptable
- Plan your digital evidence contingencies
- Use tools that can read partition gaps
- Be careful when using tools: there is a risk of overwriting existing data
- Windows data acquisition tools are easy to use but can modify data
- Tools covered: DriveSpy, FTK Imager, Replica, SnapBack, SafeBack
- Investigations might involve PDAs