Guide to Computer Forensics and Investigations, Second Edition



Chapter 4: Current Computer Forensics Tools

Objectives
- Understand how to identify needs for computer forensics tools
- Evaluate the requirements and expectations for computer forensics tools
- Understand how computer forensics hardware and software tools integrate
- Validate and test your computer forensics tools
Guide to Computer Forensics and Investigations, 2e 2

Computer Forensics Software Needs
- Look for versatility, flexibility, and robustness
  - OS
  - File system
  - Script capabilities
  - Automated features
  - Vendor's reputation
- Keep in mind what applications you analyze

Types of Computer Forensics Tools
- Hardware forensic tools
  - Single-purpose components
  - Complete computer systems and servers
- Software forensic tools
  - Command-line applications
  - GUI applications

Tasks Performed by Computer Forensics Tools
- Acquisition
- Validation and discrimination
- Extraction
- Reconstruction
- Reporting

Acquisition
- Acquisition categories:
  - Physical data copy
  - Logical data copy
  - Data acquisition format
  - Command-line acquisition
  - GUI acquisition

Acquisition (continued)
- Acquisition categories (continued):
  - Remote acquisition
  - Verification

Acquisition (continued)
(figure slide; no text transcribed)

Validation and Discrimination
- Hashing
  - Cyclic redundancy check (CRC)-32, MD5, Secure Hash Algorithms (SHAs)
- Filtering
  - Based on hash value sets
- Analyzing file headers
  - Discriminate files based on their types
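The three validation and discrimination tasks above (hashing an acquired image, filtering against a set of known hash values, and discriminating files by their headers), together with the acquisition verification step from the previous slide, as an added Python example. This is not code from the textbook or its slides; the file contents, the header signature table and the known-hash set are constructed for the example, and the function names are the author's own.

```python
import hashlib
import zlib

# Constructed stand-ins for files recovered from an image (not real evidence and
# not data from the slides): name -> content.
RECOVERED_FILES = {
    "notes.txt": b"meeting notes\n",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "invoice.doc": b"PK\x03\x04" + b"\x00" * 12,   # ZIP header under a .doc name
}

# Header signatures used for type discrimination (magic bytes at offset 0).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),   # OLE2 compound file (legacy Office)
]
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip"}


def hash_data(data, chunk_size=65536):
    """Compute CRC-32, MD5, SHA-1 and SHA-256 over data in chunks, the way a
    tool streams a large image instead of loading it whole."""
    crc = 0
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        crc = zlib.crc32(chunk, crc)
        for h in digests.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in digests.items()}
    result["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    return result


def verify_acquisition(source, image):
    """Acquisition verification: the copy is accepted only if every digest of
    the image matches the corresponding digest of the source."""
    return hash_data(source) == hash_data(image)


def filter_known(files, known_sha256):
    """Hash-set filtering: drop files whose SHA-256 is in the known set (an
    NSRL-style list of catalogued software files) and return the rest for review."""
    return sorted(name for name, data in files.items()
                  if hash_data(data)["sha256"] not in known_sha256)


def identify_by_header(data):
    """Return the type implied by the file header, or None if no signature matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def header_mismatches(files):
    """Flag files whose header type disagrees with their extension. Files with no
    recognised signature (plain text, for instance) are not flagged."""
    flagged = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower()
        ext = EXTENSION_ALIASES.get(ext, ext)
        kind = identify_by_header(data)
        if kind is not None and kind != ext:
            flagged.append((name, ext, kind))
    return flagged


# Constructed known-file set: treat notes.txt as a file already catalogued.
KNOWN_SHA256 = {hash_data(RECOVERED_FILES["notes.txt"])["sha256"]}

if __name__ == "__main__":
    print("files to examine:", filter_known(RECOVERED_FILES, KNOWN_SHA256))
    print("header/extension mismatches:", header_mismatches(RECOVERED_FILES))
```

Hashing in chunks matters because an image is normally far larger than memory; the chunked result must equal the one-shot result for the tool to be trusted, which is one of the checks worth keeping in a lab's own test suite. Header-based discrimination is deliberately conservative: a file with no known signature is left alone rather than flagged, so text files do not generate noise.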

Extraction
- Major techniques include:
  - Data viewing: how data is viewed depends on the tool used
  - Keyword searching: recovers key data facts
  - Decompressing: archive and cabinet files

Extraction (continued)
- Major techniques include:
  - Carving: reconstruct fragments of deleted files
  - Decrypting: password dictionary attacks, brute-force attacks
  - Bookmarking: first find evidence, then bookmark it

Reconstruction
- Re-create a suspect's disk drive
- Techniques
  - Disk-to-disk copy
  - Image-to-disk copy
  - Partition-to-partition copy
  - Image-to-partition copy

Reporting
- Configure your forensic tools to:
  - Log activities
  - Generate reports
- Use this information when producing a final report for your investigation

Tool Comparisons
(table slide; no text transcribed)

Tool Comparisons (continued)
(table slide; no text transcribed)

Other Considerations for Tools
- Flexibility
- Reliability
- Expandability
- Keep a library with older versions of your tools

Computer Forensics Software
- Example: Norton DiskEdit
- Advantages
  - Requires few system resources
  - Runs in minimal configurations
  - Fits on a bootable floppy disk
- Disadvantages
  - Cannot search inside archive and cabinet files
  - Most such tools only work on FAT file systems

UNIX/Linux Command-line Forensic Tools
- Dominate the *nix platforms
- Examples:
  - SMART
  - The Coroner's Toolkit (TCT)
  - Autopsy
  - SleuthKit

GUI Forensic Tools
- Simplify computer forensics investigations
- Help train beginning investigators
- Most of them come as suites of tools

GUI Forensic Tools (continued)
- Advantages
  - Ease of use
  - Multitasking
  - No need to learn older OSs
- Disadvantages
  - Excessive resource requirements
  - Produce inconsistent results
  - Create tool dependencies

Computer Hardware Tools
- Provide analysis capabilities
- Hardware eventually fails
  - Schedule equipment replacements
- When planning your budget, allow for:
  - Failures
  - Consultant and vendor fees
  - Anticipated equipment replacement

Computer Investigation Workstations
- Carefully consider what you need
- Categories:
  - Stationary
  - Portable
  - Lightweight
- Balance what you need and what your system can handle

Computer Investigation Workstations (continued)
- Police agency labs
  - Need many options
  - Use several PC configurations
- Private corporation labs handle only the system types used in the organization
- Keep a hardware library

Building your Own Workstation
- It is not as difficult as it sounds
- Advantages
  - Customized to your needs
  - Save money
  - ISDN phone system
- Disadvantages
  - Hard to find support for problems
  - Can become expensive if careless

Building your Own Workstation (continued)
- You can buy one from a vendor as an alternative
- Examples:
  - F.R.E.D.
  - FIRE IDE

Using a Write-Blocker
- Prevents data writes to a hard disk
- Software options:
  - Software write-blockers are OS-dependent
  - PDBlock
- Hardware options
  - Ideal for GUI forensic tools
  - Act as a bridge between the disk and the workstation

Using a Write-Blocker (continued)
- Discards the written data
  - For the OS, the data copy is successful
- Connecting technologies
  - FireWire
  - USB 2.0
  - SCSI controllers

Recommendations for a Forensic Workstation
- Data acquisition techniques:
  - USB 2.0
  - FireWire
- Expansion device requirements
  - Power supply with battery backup
  - Extra power and data cables
  - External FireWire and USB 2.0 ports

Recommendations for a Forensic Workstation (continued)
- Ergonomic considerations
  - Keyboard and mouse
  - Display
- High-end video card
- Monitor

Validating and Testing Forensic Software
- Evidence could be admitted in court
- Test and validate your software to prevent damaging the evidence

Using National Institute of Standards and Technology (NIST) Tools
- Computer Forensics Tool Testing (CFTT) program
  - Based on standard testing methods
    - ISO 17025 criteria
    - ISO 5725
  - Also evaluates disk imaging tools
  - Forensic Software Testing Support Tools (FS-TSTs)

Using NIST Tools (continued)
- National Software Reference Library (NSRL) project
  - Collects all known hash values for commercial software applications and OS files
  - Helps filter out known information

The Validation Protocols
- Always verify your results
  - Use at least two tools
    - Retrieving and examination
    - Verification
- Understand how tools work
- Disk editors
  - Norton DiskEdit
  - Hex Workshop
  - WinHex

The Validation Protocols (continued)
- Disk editors (continued)
  - Do not have a flashy interface
  - Reliable tools
  - Can access raw data

Computer Forensics Examination Protocol
- Perform the investigation with a GUI tool
- Verify your results with a disk editor
  - WinHex
  - Hex Workshop
- Compare hash values obtained with both tools

Computer Forensics Tool Upgrade Protocol
- Test
  - New releases
  - Patches
  - Upgrades
- If you find a problem, report it to your forensics tool vendor
- Use a test hard disk for validation purposes
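The validation, examination and upgrade protocols above come down to three checks: confirm a tool produces the published answer for known inputs, compare the results of two independent tools on the same test disk, and re-run those comparisons after every release, patch or upgrade. The following added Python example is a small harness for that workflow; it is not code from the textbook or from any forensic product. The known-answer vectors are the published MD5, SHA-1, SHA-256 and CRC-32 check values; the "test image", the second CRC-32 implementation used as the independent tool, and the deliberately faulty release are constructed for the example.

```python
import hashlib
import zlib

# Published known-answer vectors: MD5 from RFC 1321, SHA-1/SHA-256 from FIPS 180,
# and the standard CRC-32 check value. Reference data, not taken from the slides.
KNOWN_ANSWERS = {
    "md5": (b"abc", "900150983cd24fb0d6963f7d28e17f72"),
    "sha1": (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "sha256": (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "crc32": (b"123456789", "cbf43926"),
}

# Constructed 4 KiB test image standing in for the lab's test hard disk.
TEST_IMAGE = bytes(range(256)) * 16


def _crc32_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC32_TABLE = _crc32_table()


def pure_crc32(data):
    """Table-driven CRC-32 written here as an independent second implementation,
    so the zlib-based tool has something to be cross-checked against."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc = _CRC32_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return f"{crc ^ 0xFFFFFFFF:08x}"


# A "tool" is a mapping of algorithm name -> callable returning a hex digest.
TOOL_A = {
    "md5": lambda d: hashlib.md5(d).hexdigest(),
    "sha1": lambda d: hashlib.sha1(d).hexdigest(),
    "sha256": lambda d: hashlib.sha256(d).hexdigest(),
    "crc32": lambda d: f"{zlib.crc32(d) & 0xFFFFFFFF:08x}",
}
TOOL_B = {"crc32": pure_crc32}
# Constructed faulty release: silently ignores the last byte of its input.
BUGGY_TOOL = {"crc32": lambda d: pure_crc32(d[:-1])}


def known_answer_test(tool):
    """Run every algorithm the tool offers against its published vector and
    return the names of the algorithms that failed (an empty list means pass)."""
    return [algo for algo, fn in tool.items()
            if algo in KNOWN_ANSWERS
            and fn(KNOWN_ANSWERS[algo][0]) != KNOWN_ANSWERS[algo][1]]


def cross_validate(tools, image):
    """Hash the same test image with every tool; return the algorithms on which
    the tools disagree, as {algo: {tool name: digest}}."""
    results = {}
    for name, tool in tools.items():
        for algo, fn in tool.items():
            results.setdefault(algo, {})[name] = fn(image)
    return {algo: r for algo, r in results.items() if len(set(r.values())) > 1}


def record_baseline(tool, image):
    """Digests produced by a validated release, kept for comparison after upgrades."""
    return {algo: fn(image) for algo, fn in tool.items()}


def check_upgrade(baseline, new_tool, image):
    """Return the algorithms whose result on the test image changed in a new release."""
    return [algo for algo, fn in new_tool.items()
            if algo in baseline and fn(image) != baseline[algo]]


if __name__ == "__main__":
    print("KAT failures, tool A:", known_answer_test(TOOL_A))
    print("KAT failures, faulty release:", known_answer_test(BUGGY_TOOL))
    print("disagreements A vs B:", cross_validate({"A": TOOL_A, "B": TOOL_B}, TEST_IMAGE))
    baseline = record_baseline(TOOL_B, TEST_IMAGE)
    print("changed after upgrade:", check_upgrade(baseline, BUGGY_TOOL, TEST_IMAGE))
```

The known-answer test is the cheapest check and catches the faulty release on its own, but it only exercises tiny inputs; the cross-validation on a test image is what the examination protocol's "compare hash values obtained with both tools" step corresponds to, and the recorded baseline is what makes the upgrade protocol repeatable rather than a matter of memory.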

Summary
- Create a business plan to get the best hardware and software
- Computer forensics tool functions:
  - Acquisition
  - Validation and discrimination
  - Extraction
  - Reconstruction
  - Reporting

Summary (continued)
- Maintain a software library in your lab
- Computer forensics tool types:
  - Software
  - Hardware
- Forensics software:
  - Command-line
  - GUI

Summary (continued)
- Forensics hardware:
  - Customized equipment
  - Commercial options
  - Includes workstations and write-blockers
- Always test your forensics tools