Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.)




Acquisition and Tools
COMP 2555: Principles of Computer Forensics, Autumn 2014
http://www.cs.du.edu/2555

Planning Your Investigation
- A basic investigation plan should include the following activities:
  - Acquire the evidence
  - Complete an evidence form and establish a chain of custody
  - Transport the evidence to a computer forensics lab
  - Secure the evidence in an approved secure container
  - Prepare a forensics workstation
  - Obtain the evidence from the secure container
  - Make a forensic copy of the evidence
  - Return the evidence to the secure container
  - Process the copied evidence with computer forensics tools

Understanding Bit-Stream Copies
- Bit-stream copy
  - Bit-by-bit copy of the original storage medium
  - Exact copy of the original disk
  - Different from a simple backup copy
    - Backup software only copies known files
    - Backup software cannot copy deleted files or e-mail messages, or recover file fragments
- Bit-stream image
  - File containing the bit-stream copy of all data on a disk or partition
  - Also known as a forensic copy

Bit-stream Copies (contd.)
- Copy the image file to a target disk that matches the original disk's manufacturer, size and model
- (Figure: Original disk -> Disk with image -> Target disk)

Acquiring an Image of Evidence Media
- First rule of computer forensics: preserve the original evidence
  - Conduct your analysis only on a copy of the data
- Tools
  - ProDiscover Basic
  - FTK Imager
  - Linux dd command

Integrity of Digital Evidence
- Maintain the integrity of digital evidence in the lab, as you do when collecting it in the field
- First steps:
  - Create image files on a large drive
  - Start your forensics tool to analyze the evidence
  - Run an MD5 or SHA-1 hashing algorithm on the source and the image files to get a digital hash (and check that they match)
  - Secure the original media in an evidence locker

A Simple Hash Function
- (Figure: an input string passes through HASH FUNCTION and yields a hash value)

A Simple Hash Function (contd.)
- The toy hash adds up the ASCII codes of the characters and writes the sum in hex:
  - "Forensics": ASCII(F) = 070, ASCII(o) = 111, ASCII(r) = 114, ASCII(e) = 101, ASCII(n) = 110, ASCII(s) = 115, ASCII(i) = 105, ASCII(c) = 099, ASCII(s) = 115; sum 940, in hex 0x3AC
  - "forensics": ASCII(f) = 102, ASCII(o) = 111, ASCII(r) = 114, ASCII(e) = 101, ASCII(n) = 110, ASCII(s) = 115, ASCII(i) = 105, ASCII(c) = 099, ASCII(s) = 115; sum 972, in hex 0x3CC

Obtaining a Digital Hash
- Cyclic Redundancy Check (CRC)
  - Mathematical algorithm that determines whether a file's contents have changed
  - Most recent version is CRC-32
  - Not considered a forensic hashing algorithm
- Message Digest 5 (MD5)
  - Mathematical formula that translates a file into a hexadecimal code value, or a hash value
  - Also called a message digest
  - If a bit or byte in the file changes, it alters the digital hash

Another Hash Function
- (Figure: modulo-2 long division of the 8-bit input by a 4-bit divisor; the 3-bit remainder is the hash)
  - Input: 11010011; divisor: 1011 (a random string of 4 bits, with highest-order bit = 1)
  - The input is padded with 3 zero bits to the right, then the divisor is XORed under each leading 1:

    11010011 000
    1011
    01100011 000
     1011
    00111011 000
      1011
    00010111 000
       1011
    00000001 000
           1 011
    00000000 011   <- 3-bit hash value of the input: 011

Another Hash Function (Contd.)
- Input: 10010011, padded with 3 zero bits to the right; same divisor 1011:

    10010011 000
    1011
    00100011 000
      1011
    00001111 000
        1011
    00000100 000
         101 1
    00000001 100
           1 011
    00000000 111   <- 3-bit hash value of the input: 111

Obtaining a Digital Hash (contd.)
- Three rules for forensic hashes:
  - Given the hash value, you can't easily find the file or device from which it was generated
  - No two hash values can be the same
    - Called a collision if it happens
  - If anything changes in the file or device, the hash value must change
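The two toy hashes from the slides above, worked in code as an added example (this is not code from the slides): the ASCII-sum hash applied to "Forensics" and "forensics", the modulo-2 division hash with divisor 1011 applied to both inputs, and a check of the "elvis"/"lives" pair that the Collisions slide uses. The SHA-256 comparison at the end is my addition, included to show how a real forensic hash behaves under the third rule.

```python
import hashlib


def sum_hash(text: str) -> int:
    """The slides' first toy hash: add up the ASCII codes of the characters."""
    return sum(ord(ch) for ch in text)


def xor_hash(bits: str, divisor: str = "1011") -> str:
    """The slides' second toy hash: modulo-2 long division of the input bits
    by a divisor whose highest-order bit is 1. The input is padded with
    len(divisor) - 1 zero bits; what is left in the padding is the hash.
    This is the arithmetic behind CRC checks."""
    pad = len(divisor) - 1
    work = list(bits + "0" * pad)
    for i in range(len(bits)):
        if work[i] == "1":  # XOR the divisor under every leading 1
            for j, d in enumerate(divisor):
                work[i + j] = "1" if work[i + j] != d else "0"
    return "".join(work[-pad:])


def find_collisions(words):
    """Words that the sum hash maps to the same value (rule 2 violated)."""
    buckets = {}
    for word in words:
        buckets.setdefault(sum_hash(word), []).append(word)
    return {h: ws for h, ws in buckets.items() if len(ws) > 1}


def hex_positions_changed(a: bytes, b: bytes) -> int:
    """Rule 3 for a real forensic hash: count the hex digits of SHA-256 that
    differ between two inputs. A single changed bit changes most of the 64
    digits, whereas the sum hash only moves by the size of the change."""
    da, db = hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()
    return sum(1 for x, y in zip(da, db) if x != y)


if __name__ == "__main__":
    for word in ("Forensics", "forensics"):
        print(f"{word}: sum {sum_hash(word)} = {sum_hash(word):#x}")
    print("11010011 ->", xor_hash("11010011"), " 10010011 ->", xor_hash("10010011"))
    print("collisions:", find_collisions(["elvis", "lives", "forensics"]))
    print("SHA-256 hex digits changed by F -> f:",
          hex_positions_changed(b"Forensics", b"forensics"))
```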

Collisions
- (Figure: "elvis" -> HASH FUNCTION -> 0x223 and "lives" -> HASH FUNCTION -> 0x223: a collision)
- Collisions make a hash function weak
- Cannot always avoid them, but can make their occurrences infrequent

Obtaining a Digital Hash (contd.)
- Secure Hash Algorithm version 1 (SHA-1)
  - A newer hashing algorithm
  - Developed by the National Institute of Standards and Technology (NIST)
- In both MD5 and SHA-1, collisions have occurred
  - Two different inputs producing the same hash value
  - But they are still used since the collisions are rare

Obtaining a Digital Hash (contd.)
- Most computer forensics hashing needs can be satisfied with a nonkeyed hash function
  - A unique hash number generated by a software tool, such as the Linux md5sum command
- Keyed hash set
  - Created by an encryption utility's secret key
  - The secret key is used by the hash function to generate the digest
- You can use the MD5 function in FTK Imager to obtain the digital signature of a file
  - Or of an entire drive

Storage Formats for Digital Evidence
- Three formats
  - Raw format
  - Proprietary formats
  - Advanced Forensics Format (AFF)

Raw Format
- Makes it possible to write bit-stream data to files
- Advantages
  - Fast data transfers
  - Can ignore minor data read errors on the source drive
  - Most computer forensics tools can read raw format
- Disadvantages
  - Requires as much storage as the original disk or data
  - Tools might not collect marginal (bad) sectors

Proprietary Formats
- Features offered
  - Option to compress or not compress image files
  - Can split an image into smaller segmented files
  - Can integrate metadata into the image file
- Disadvantages
  - Inability to share an image between different tools
  - File size limitation for each segmented volume

Advanced Forensics Format
- Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
- Design goals
  - Provide compressed or uncompressed image files
  - No size restriction for disk-to-image files
  - Provide space in the image file or segmented files for metadata
  - Simple design with extensibility
  - Open source for multiple platforms and OSs
  - Internal consistency checks for self-authentication
- File extensions include .afd for split image files and .afm for AFF metadata

Data Acquisition Types
- Types of acquisitions
  - Static acquisitions
    - Deriving a drive image without booting from it
    - Typically done on a seized computer
  - Live acquisitions
    - Deriving a drive image while it is being used
    - Acquiring a network drive without bringing it down
- Four methods
  - Bit-stream disk-to-image file
  - Bit-stream disk-to-disk
  - Logical disk-to-disk or disk-to-data file
  - Sparse data copy of a file or folder

Data Acquisition Types (contd.)
- Bit-stream disk-to-image file
  - Most common method
  - Can make more than one copy
  - Copies are bit-for-bit replications of the original drive
  - ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
- Bit-stream disk-to-disk
  - When a disk-to-image copy is not possible
  - Consider the disk's geometry configuration
  - EnCase, SafeBack, SnapCopy

Data Acquisition Types (contd.)
- Logical acquisition or sparse acquisition
  - When your time is limited
  - Logical acquisition captures only specific files of interest to the case
    - E.g. Outlook .pst or .ost files during an e-mail investigation
  - Sparse acquisition also collects fragments of unallocated (deleted) data
  - Useful for large disks
    - RAID servers

Data Acquisition Types (contd.)
- When making a copy, consider:
  - Size of the source disk
    - Lossless compression might be useful
    - Use digital signatures for verification
    - When working with large drives, an alternative is using tape backup systems
  - Whether you can retain the disk

Contingency Planning
- Create a duplicate copy of your evidence image file
- Make at least two images of digital evidence
  - Use different tools or techniques
- Copy the host protected area (HPA) of a disk drive as well
  - The HPA is a part of the drive that is not visible to an operating system
  - Consider using a hardware acquisition tool that can access the drive at the BIOS level
- Be prepared to deal with encrypted drives

Using Acquisition Tools
- Acquisition tools for Windows
  - Advantages
    - Make acquiring evidence from a suspect drive more convenient
    - Especially when used with hot-swappable devices
  - Disadvantages
    - Must protect acquired data with a well-tested write-blocking hardware device
    - Tools can't acquire data from a disk's host protected area
  - See Page 107 of book

Using a Write-Blocker
- Write-blocker
  - Prevents data writes to a hard disk
- Software-enabled blockers
  - Software write-blockers are OS dependent
  - Example: PDBlock from Digital Intelligence
- Hardware options
  - Ideal for GUI forensic tools
  - Act as a bridge between the suspect drive and the forensic workstation

Using a Write-Blocker (contd.)
- Can navigate to the blocked drive with any application
  - Discards the written data
  - For the OS the data copy is successful
- Connecting technologies
  - FireWire
  - USB 2.0
  - SCSI controllers
- Blocking USB writes in Windows
  - Back up the Registry
    - E.g. use the Windows System Restore feature to create a restore point
  - Modify the Registry with the write-protection feature
  - Create two desktop icons to automate switching between enabling and disabling writes to USB devices
  - Applies to current Windows versions as well

Acquiring Data with a Linux Boot CD
- Linux can access a drive that isn't mounted
- Windows OSs and newer Linux distributions automatically mount and access a drive
- Forensic Linux Live CDs don't access media automatically
  - Which eliminates the need for a write-blocker
- Using Linux Live CD distributions
  - Contain additional utilities
  - Configured not to mount, or to mount as read-only, any connected storage media
- Well-designed Linux Live CDs for computer forensics
  - DEFT Linux (http://www.deftlinux.net/download/)
  - Helix3 Pro

Acquiring with a Linux Boot CD (contd.)
- Preparing a target drive for acquisition in Linux
  - Linux distributions can create Microsoft FAT and NTFS partition tables
  - The fdisk command lists, creates, deletes, and verifies partitions in Linux
  - The mkfs.msdos command formats a FAT file system from Linux
  - See Page 111 of book
- Acquiring data with dd in Linux
  - dd ("data dump") command
  - Can read from and write to a media device and a data file
  - Creates a raw format file that most computer forensics analysis tools can read

Acquiring with a Linux Boot CD (contd.)
- Acquiring data with dd in Linux (contd.)
  - Shortcomings of the dd command
    - Requires more advanced skills than the average user has
    - Does not compress data
  - dd command combined with the split command
    - Segments output into separate volumes
- Acquiring data with dcfldd in Linux
  - The dd command is intended as a data management tool
    - Not designed for forensics acquisitions

Acquiring with a Linux Boot CD (contd.)
- Acquiring data with dcfldd in Linux (contd.)
  - dcfldd additional functions
    - Specify hex patterns or text for clearing disk space
    - Log errors to an output file for analysis and review
    - Use several hashing options
    - Refer to a status display indicating the progress of the acquisition in bytes
    - Split data acquisitions into segmented volumes with numeric extensions
    - Verify acquired data against the original disk or media data
  - Sample (man page available at http://linux.die.net/man/1/dcfldd):

    dcfldd if=/dev/hd0 hash=md5,sha256 hashwindow=100m md5log=md5.txt sha256log=sha256.txt hashconv=after bs=512 conv=noerror,sync split=1g splitformat=aa of=driveimage.dd

Validating Data Acquisitions
- Most critical aspect of computer forensics
- Requires using a hashing algorithm utility
- Validation techniques
  - CRC-32, MD5, and SHA-1 to SHA-512

Linux Validation Methods
- Validating dd-acquired data
  - You can use the md5sum or sha1sum utilities
  - md5sum or sha1sum should be run on all suspect disks and volumes or segmented volumes
- Validating dcfldd-acquired data
  - Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
  - The hashlog option outputs hash results to a text file that can be stored with the image files
  - The vf (verify file) option compares the image file to the original medium:

    dcfldd if=/dev/sda vf=sda.img

Windows Validation Methods
- Windows has no built-in hashing algorithm tools for computer forensics
  - Third-party utilities can be used
- Commercial computer forensics programs also have built-in validation features
  - Each program has its own validation technique
- Raw format image files don't contain metadata
  - Separate manual validation is recommended for all raw acquisitions

Types of Computer Forensics Tools
- Hardware forensic tools
  - Range from single-purpose components to complete computer systems and servers
- Software forensic tools
  - Types
    - Command-line applications
    - GUI applications
  - Commonly used to
    - copy data from a suspect's disk drive to an image file
    - aid in evidence collection
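The dd/dcfldd acquisition and the Linux validation method from the slides above, modelled in Python as an added example (not code from the slides, nor from dd or dcfldd): a block-by-block bit-stream copy with the conv=noerror,sync behaviour of the dcfldd command line, a per-window digest log in the manner of hashwindow=, and validation by hashing the source medium and the image with the same algorithm and comparing. The suspect medium and the unreadable sector are constructed so the script runs without a real device.

```python
import hashlib
import io

BLOCK = 512  # sector size, as in bs=512 on the dcfldd command line
# Constructed 32 KiB "suspect medium" (64 sectors); stands in for /dev/sda.
SAMPLE = bytes(range(256)) * 128


def acquire_raw(device, block_size=BLOCK, bad_blocks=(), hash_window=None):
    """Bit-stream disk-to-image copy of a readable file object.

    Mirrors dd conv=noerror,sync: an unreadable block is not skipped but
    written as zeros, so every later sector keeps its original offset.
    bad_blocks (constructed) marks block indexes that simulate read errors.
    hash_window mirrors dcfldd hashwindow=: one digest is logged per window
    of the image, next to the digest of the whole image.
    Returns (image_bytes, whole_sha256_hex, window_log, error_log).
    """
    image, whole, window = io.BytesIO(), hashlib.sha256(), hashlib.sha256()
    window_log, error_log, index = [], [], 0
    while True:
        chunk = device.read(block_size)
        if not chunk:
            break
        if index in bad_blocks:                 # simulated unreadable sector
            error_log.append(f"read error at block {index}: zero-filled")
            chunk = b""
        chunk = chunk.ljust(block_size, b"\0")  # sync: always a full block
        image.write(chunk)
        whole.update(chunk)
        window.update(chunk)
        index += 1
        if hash_window and (index * block_size) % hash_window == 0:
            window_log.append((index * block_size, window.hexdigest()))
            window = hashlib.sha256()
    if hash_window and (index * block_size) % hash_window:
        window_log.append((index * block_size, window.hexdigest()))  # tail
    return image.getvalue(), whole.hexdigest(), window_log, error_log


def acquire_from_bytes(data: bytes, **options):
    return acquire_raw(io.BytesIO(data), **options)


def validate(source: bytes, image: bytes) -> bool:
    """Linux validation method: hash the medium and the image with the same
    algorithm and compare (md5sum on both, or dcfldd vf=)."""
    return hashlib.sha256(source).digest() == hashlib.sha256(image).digest()


def first_bad_window(source: bytes, window_log):
    """Re-hash the source per logged window and return (start, end) of the
    first window whose digest disagrees, or None. This is what hashwindow=
    buys: a whole-image mismatch is localized to one window."""
    start = 0
    for end, digest in window_log:
        if hashlib.sha256(source[start:end]).hexdigest() != digest:
            return (start, end)
        start = end
    return None


if __name__ == "__main__":
    window = 16 * BLOCK
    clean, _, _, _ = acquire_from_bytes(SAMPLE, hash_window=window)
    print("clean image validates:", validate(SAMPLE, clean))
    damaged, _, log, errors = acquire_from_bytes(SAMPLE, bad_blocks={20}, hash_window=window)
    print("image with a bad sector validates:", validate(SAMPLE, damaged), errors)
    print("window to re-examine (start, end):", first_bad_window(SAMPLE, log))
```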

Tasks Performed by Tools
- Five major categories:
  - Acquisition
  - Validation and discrimination
  - Extraction
  - Reconstruction
  - Reporting
- Many tools let you perform more than one of these tasks

Acquisition Tools
- Acquisition
  - Making a copy of the original drive
- Subfunctions
  - Physical data copy
  - Logical data copy
  - Data acquisition format
  - Command-line acquisition
  - GUI acquisition
  - Remote acquisition
  - Verification

Acquisition Tools (contd.)
- Two types of data-copying methods are used in software acquisitions:
  - Physical copying of the entire drive
  - Logical copying of a disk partition
- The formats for disk acquisitions vary
  - From raw data to vendor-specific proprietary compressed data
- You can view the contents of a raw image file with any hexadecimal editor

A Hexadecimal Editor
- (Figure: screenshot of a hexadecimal editor)

Acquisition Tools (contd.)
- Creating smaller segmented files is a typical feature in vendor acquisition tools
- All computer forensics acquisition tools have a method for verification of the data-copying process
  - That compares the original drive with the image

Validation and Discrimination
- Validation
  - Ensuring the integrity of the data being copied
- Discrimination of data
  - Remove good data from the suspicious data
  - Involves sorting and searching through all investigation data

Validation and Discrimination (contd.)
- Subfunctions
  - Hashing
    - CRC-32, MD5, Secure Hash Algorithms
  - Filtering
    - Based on hash value sets
  - Analyzing file headers
    - Discriminate files based on their types
- The National Software Reference Library (NSRL) has compiled a list of known file hashes
  - For a variety of OSs, applications, and images

File Discrimination Using Header
- (Figure: a typical JPEG file header)
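The discrimination subfunctions above, worked as an added example (not code from the slides): filtering against a known-file hash set in the spirit of the NSRL list, and analyzing file headers to flag a file whose extension disagrees with its signature. The signature table, the sample files and the known-good set are constructed; the JPEG entry is the header the slide's figure shows.

```python
import hashlib

# File signatures matched against the start of a file, independent of its
# extension. Constructed subset; the JPEG entry is the header the slide shows.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}
# What each extension claims to be, for the header-vs-extension comparison.
EXT_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
             ".zip": "zip", ".txt": "text"}

# Constructed sample files: name -> content. hidden.txt carries a JPEG header
# behind a misleading extension; invoice.pdf stands in for a known-good file.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20,
    "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
    "hidden.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 30,
    "notes.txt": b"just some notes\n",
}
# A hash set in the spirit of the NSRL list (which publishes SHA-1 and MD5 of
# known files); here it is built from the constructed invoice.pdf only.
KNOWN_GOOD = {hashlib.sha1(SAMPLE_FILES["invoice.pdf"]).hexdigest()}


def type_from_header(data: bytes):
    """Analyze the file header: return the type whose signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def discriminate(files, known_hashes):
    """Validation-and-discrimination pass over files {name: content}.

    filtered:   hash found in the known set, removed from further review
    mismatched: header says one type, extension claims another
    review:     everything else, left for the examiner
    """
    result = {"filtered": [], "mismatched": [], "review": []}
    for name, data in files.items():
        if hashlib.sha1(data).hexdigest() in known_hashes:
            result["filtered"].append(name)
            continue
        ext = name[name.rfind("."):].lower() if "." in name else ""
        claimed, actual = EXT_TYPES.get(ext), type_from_header(data)
        if actual is not None and claimed is not None and claimed != actual:
            result["mismatched"].append((name, actual))
        else:
            result["review"].append(name)
    return result


if __name__ == "__main__":
    for group, names in discriminate(SAMPLE_FILES, KNOWN_GOOD).items():
        print(f"{group}: {names}")
```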

Extraction
- Extraction
  - Recovery task in a computing investigation
  - Most demanding of all tasks to master
  - Recovering data is the first step in analyzing an investigation's data
- Subfunctions
  - Data viewing
  - Keyword searching
  - Decompressing
  - Carving
  - Decrypting
  - Bookmarking
- Keyword search speeds up analysis for investigators

Extraction (contd.)
- From an investigation perspective, encrypted files and systems are a problem
- Many password recovery tools have a feature for generating potential password lists
  - For a password dictionary attack
- If a password dictionary attack fails, you can run a brute-force attack

Reconstruction
- Reconstruction
  - Re-create a suspect drive to show what happened during a crime or an incident
- Subfunctions
  - Disk-to-disk copy
  - Image-to-disk copy
  - Partition-to-partition copy
  - Image-to-partition copy
- Some tools that perform an image-to-disk copy:
  - SafeBack, SnapBack, EnCase, FTK Imager, ProDiscover

Reporting
- Reporting
  - To complete a forensics disk analysis and examination, you need to create a report
- Subfunctions
  - Log reports
  - Report generator
- Use this information when producing a final report for your investigation

Verification Using Validation Protocols
- Always verify your results
  - Use at least two tools
    - One for retrieving and examination
    - One for verification
- Understand how tools work (the reason why we are in this class)
  - What is it that the tools do?
- One way to compare results and verify a new tool is by using a disk editor
  - Lets you do a little more than hex editors such as Hex Workshop or WinHex

References
- Ch. 4, 7: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9
- Useful links:
  - http://www.forensicswiki.org/wiki/category:live_cd
  - http://www.deftlinux.net
  - Very helpful: http://www.deftlinux.net/deft-manual/
  - http://linux.die.net/man/1/dcfldd