
CSE 4482: Computer Security Management:
Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3-5 pm (CSEB 3043), or by
appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J.
Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A.
Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE
Learning, 2010, 4th Edition.
4/13/2015
1
GFCI Ch 1: Computer Forensics
Objectives
• Define computer forensics
• Describe how to prepare for computer
investigations and explain the difference
between law enforcement agency and
corporate investigations
• Explain the importance of maintaining
professional conduct
2
What is Computer Forensics?
Definition: Involves obtaining and analyzing
digital information, often as evidence in
civil, criminal, or administrative cases
Computer forensics:
– Investigates data that can be retrieved from a
computer’s hard disk or other storage media
– Task of recovering data that users have
hidden or deleted and using it as evidence
– Evidence can be inculpatory (“incriminating”)
or exculpatory
3
Computer Forensics Versus Other
Related Disciplines
• Network forensics
– Yields information about how a perpetrator or
an attacker gained access to a network
• Data recovery
– Recovering information that was deleted by
mistake, or lost during a power surge or server
crash
– Typically you know what you’re looking for
4
Computer Forensics Versus Other
Related Disciplines (continued)
• Disaster recovery
– Uses computer forensics techniques to
retrieve information their clients have lost
Investigators often work as a team to
make computers and networks secure in
an organization
5
Digital Evidence
• Locard’s principle: “every contact leaves a trace”
• any information, stored or transmitted in
digital form, that a party to a court case may
use at a trial
To be accepted in court, digital evidence must
meet certain criteria …
• Admissibility
• Authenticity
Case study
• In this case, American Express (Amex) claimed that Mr.
Vinhnee had failed to pay his credit card debts, and took
legal action to recover the money. But the trial judge
determined that Amex failed to authenticate its electronic
records, and therefore Amex could not admit its own
business records into evidence. Among other problems,
the court said that Amex failed to provide adequate
information about its computer policy & system control
procedures, control of access to relevant databases &
programs, how changes to data were recorded or logged,
what backup practices were in place, and how Amex could
provide assurance of continuing integrity of their records.
• The judge pointed out that, "... the focus is not on the
circumstances of the creation of the record, but rather on
the circumstances of the preservation of the record
so as to assure that the document being proffered is the
same as the document that originally was created ..."
• http://www.proofspace.com/technology/discovery.php
Lessons
• Document your access control and backup
procedures and policies and test effectiveness
of your controls.
• Have the changes to your databases and
content/record management system routinely
recorded and logged.
• Protect your electronic records from post-archival tampering
with modern data-integrity and trusted time-stamping technologies.
• Document the audit procedures you use to
provide assurance of the continuing
authenticity of the records.
• http://www.proofspace.com/technology/discovery.php
The Investigations Triad
9
Computer Forensics: A Brief History
• By the 1970s, electronic crimes were increasing,
especially in the financial sector
– Most law enforcement officers didn’t know enough
about computers to ask the right questions
– Or to preserve evidence for trial
• 1980s
– PCs gained popularity and different OSs emerged
– Disk Operating System (DOS) was available
– Forensics tools were simple, and most were generated by
government agencies
10
A Brief History (1980s)
• Mid-1980s
– Xtree Gold appeared on the market
• Recognized file types and retrieved lost or deleted files
– Norton DiskEdit soon followed
• And became the best tool for finding deleted file
• 1987: Apple Mac SE, a Macintosh with an external EasyDrive hard
disk with 60 MB of storage
11
A Brief History (1990s)
• Tools for computer forensics were available
• International Association of Computer Investigative
Specialists (IACIS)
• Training on software for forensics investigations
• IRS created search-warrant programs
• ExpertWitness for the Macintosh
– First commercial GUI software for computer forensics
– Created by ASR Data
– Recovers deleted files and fragments of deleted files
• Large hard disks posed problems for investigators
• Other software
– iLook
– AccessData Forensic Toolkit (FTK)
12
Understanding Case Law
• Technology is evolving at a very rapid pace
– Existing laws and statutes cannot keep up
• Case law used when statutes or regulations
don’t exist
• Case law allows legal counsel to use previous
cases similar to the current one
– Because the laws don’t yet exist
• Each case is evaluated on its own merit and
issues
• Computer Crime & Intellectual Property document at US
DoJ: http://www.cybercrime.gov/ssmanual/index.html
13
Case study
• “… an investigator viewing computer files by using a
search warrant related to drug dealing. While viewing
the files, he ran across images of child pornography.
Instead of waiting for a new warrant, he kept
searching. As a result, all evidence regarding the
pictures was excluded. Investigators must be familiar
with recent rulings to avoid making similar mistakes.”
• Case law does not involve creating new
criminal offenses
Developing Computer Forensics
Resources
• Know more than one computing platform
– Such as DOS, Windows 9x, Linux, Macintosh, and
current Windows platforms
• Join many computer user groups - Computer
Technology Investigators Network (CTIN)
– Meets monthly to discuss problems that law enforcement and
corporations face
• High Technology Crime Investigation
Association (HTCIA)
– Exchanges information about techniques related to
computer investigations and security
15
Developing Computer Forensics
Resources (continued)
• User groups can be helpful
• Build a network of computer forensics
experts and other professionals
– And keep in touch through e-mail
• Outside experts can provide detailed
information you need to retrieve digital
evidence
16
Case Study
A user group helped convict a child molester in Pierce
County, Washington, in 1996. The suspect installed
video cameras throughout his house, served alcohol to
young women to intoxicate them, and secretly filmed
them playing strip poker. When he was accused of
molesting a child, police seized his computers and
other physical evidence. The investigator discovered
that the computers used CoCo DOS, an OS that had
been out of use for years. The investigator contacted a
local user group, which supplied the standard
commands and other information needed to gain
access to the system. On the suspect’s computer, the
investigator found a diary detailing the suspect’s
actions over the past 15 years, including the
molestation of more than 400 young women. As a
result, the suspect received a longer sentence than if
he had been convicted of molesting only one child.
Investigating Computers
Typically includes
• collecting computer data securely,
• examining suspect data to determine details
such as origin and content,
• presenting computer-based information to
courts, and
• applying laws to computer practice.
Two distinct categories
• Public investigations
• Private or corporate investigations
Public investigations
• Involve government agencies responsible
for criminal investigations and prosecution
• Organizations must observe legal
guidelines
• Law of search and seizure: protects the rights of
all people, including suspects
19
Private Investigations
• Private or corporate investigations
– Deal with private companies, non-law-enforcement
government agencies, and lawyers
– Aren’t governed directly by criminal law or Fourth
Amendment issues
– Governed by internal policies that define expected
employee behavior and conduct in the workplace
• Private corporate investigations also involve
litigation disputes
• Investigations are usually conducted in civil
cases
20
Understanding Law Enforcement
Agency Investigations
• In a criminal case, a suspect is tried for a
criminal offense
– Such as burglary, murder, or molestation
• Computers and networks are only tools that
can be used to commit crimes
– Many states have added specific language to
criminal codes to define crimes involving
computers
• Following the legal process
– Legal processes depend on local custom,
legislative standards, and rules of evidence
21
Understanding LEA
Investigations (continued)
• Criminal case follows three stages: The
complaint, the investigation, and the
prosecution
22
Understanding LEA
Investigations (continued)
• A criminal case begins when someone finds
evidence of an illegal act
• Complainant makes an allegation, an
accusation or supposition of fact
• A police officer interviews the complainant
and writes a report about the crime
• Police blotter provides a record of clues to
crimes that have been committed previously
• Investigators delegate, collect, and process
the information related to the complaint
23
Understanding LEA
Investigations (continued)
• After a case is built, the information is turned
over to the prosecutor
• Affidavit
– Sworn statement in support of facts about or
evidence of a crime
– Submitted to a judge to request a search warrant
– Must be notarized under sworn oath
• Once the judge approves and signs the search
warrant, it can be used to collect evidence
24
Understanding LEA
Investigations (continued)
25
Understanding Corporate
Investigations
• Private or corporate investigations involve private
companies and lawyers who address company
policy violations and litigation disputes
• Corporate computer crimes can involve:
– E-mail harassment
– Falsification of data
– Gender and age discrimination
– Embezzlement
– Sabotage
– Industrial espionage
26
Preventive measures
• Establishing company policies
– One way to avoid litigation is to publish and maintain
policies that employees find easy to read and follow
– Published company policies provide a line of
authority
• For a business to conduct internal investigations
– Well-defined policies
• Give computer investigators and forensic examiners the
authority to conduct an investigation
• Displaying Warning Banners
– Another way to avoid litigation
– Usually appears when a computer starts or connects
to the company intranet, network, or virtual private
network
27
Preventive measures (continued)
– Warning banner
• Informs end users that the organization reserves the
right to inspect computer systems and network traffic
at will
• Establishes the right to conduct an investigation
– As a corporate computer investigator
• Make sure company displays well-defined warning
banner
28
More on Corporate Investigations
• Designating an authorized requester
– Authorized requester has the power to conduct
investigations
– Policy should be defined by executive management
– Groups that should have direct authority to request
computer investigations
• Corporate Security Investigations
• Corporate Ethics Office
• Corporate Equal Employment Opportunity Office
• Internal Auditing
• The general counsel or Legal Department
29
Ch 2: Understanding Computer
Investigations
Objectives:
• Explain how to prepare a computer
investigation
• Apply a systematic approach to an
investigation
• Describe procedures for corporate high-tech
investigations
• Explain requirements for data recovery
workstations and software
• Describe how to conduct an investigation
• Explain how to complete and critique a case
Preparing a Computer Investigation
• Role of computer forensics professional is to
gather evidence to prove that a suspect
committed a crime or violated a company policy
• Collect evidence that can be offered in court or
at a corporate inquiry
– Investigate the suspect’s computer
– Preserve the evidence on a different computer
• Follow an accepted procedure to prepare a case
• Chain of custody: Route the evidence takes
from the time you find it until the case is closed
or goes to court
31
Case study: CD Universe Prosecution Failure
• “An extortion attempt involving credit card numbers
stolen from the computers of Internet retailer CD
Universe occurred in January 2000. Someone calling
himself “Maxim” said that he had copied 300,000 credit
card numbers from their database in December 1999.
Maxim threatened to post that confidential data on the
Internet unless he was paid $100,000 …Six months
after Maxim had broken into CD Universe, US authorities
were unable to find him. Even if law enforcement had
found him, they probably would not have been able to
prosecute the case because e-evidence collected from
the company’s computers had not been properly
protected. The chain of custody had not been
properly established.
• Although it was not clear exactly how the CD Universe
evidence was compromised, it seemed that in the initial
rush to learn how Maxim got into the company’s
network, FBI agents and employees from three
computer security firms accessed original files instead of
working from a forensic copy. …”
An Overview of a Computer Crime
• Computers can contain information that helps
law enforcement determine:
– Chain of events leading to a crime
– Evidence that can lead to a conviction
• Law enforcement officers should follow proper
procedure when acquiring the evidence
– Digital evidence can be easily altered by an
overeager investigator
• Information on hard disks might be password
protected
• Guidelines: Ch 1, 2 in
http://www.cybercrime.gov/ssmanual/index.html
33
Examining a Computer Crime
34
An Overview of a Company
Policy Violation
• Employees misusing resources can cost
companies millions of dollars
• Misuse includes:
– Surfing the Internet
– Sending personal e-mails
– Using company computers for personal tasks
• Example: Two employees have gone
missing…
35
Taking a Systematic Approach
• Steps for problem solving
– Make an initial assessment about the type
of case you are investigating
– Determine a preliminary design or approach
– Create a detailed checklist
– Determine the resources you need
– Obtain and copy an evidence disk drive
– Identify the risks
– Mitigate or minimize the risks
– Test the design
36
Taking a Systematic Approach II
• Steps for problem solving (continued)
– Analyze and recover the digital evidence
– Investigate the data you recover
– Complete the case report
– Critique the case
37
Assessing the Case
• Systematically outline the case details
– Situation
– Nature of the case
– Specifics of the case
– Type of evidence
– Operating system
– Known disk format
– Location of evidence
• Based on case details, you can determine the
case requirements
– Type of evidence
– Computer forensics tools
– Special operating systems
38
Planning an Investigation
A basic investigation plan should include:
• Acquire the evidence
• Complete an evidence form and establish a chain of
custody
• Transport the evidence to a computer forensics lab
• Secure evidence in an approved secure container
• Prepare a forensics workstation
• Obtain the evidence from the secure container
• Make a forensic copy of the evidence
• Return the evidence to the secure container
• Process the copied evidence with computer forensics
tools
39
Securing Your Evidence
• Use evidence bags to secure and catalog
the evidence
• Use computer safe products
– Antistatic bags
– Antistatic pads
• Use well padded containers
• Use evidence tape to seal all openings
– Floppy disk or CD drives
– Power supply electrical cord
• Write your initials on tape to prove that
evidence has not been tampered with
• Consider computer specific temperature and
humidity ranges
40
Procedures for Corporate High-Tech Investigations
• Develop formal procedures and informal
checklists, to cover all issues important
to high-tech investigations
• Majority of investigative work for
termination cases involves employee
abuse of corporate assets
41
Internet abuse investigations
• To conduct an investigation you need:
– Organization’s Internet proxy server logs
– Suspect computer’s IP address
– Suspect computer’s disk drive
– Your preferred computer forensics analysis tool
• Recommended steps
– Use standard forensic analysis techniques and procedures
– Use appropriate tools to extract all Web page URL
information
– Contact the network firewall administrator and request a
proxy server log
– Compare the data recovered from forensic analysis to the
proxy server log
– Continue analyzing the computer’s disk drive data
42
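The "compare the data recovered from forensic analysis to the proxy server log" step can be scripted. The following is an added example, not code from the slides or the textbook: it filters a Squid-style proxy log down to the suspect's client IP and matches those URLs against the URL list a forensic tool recovered from the suspect's disk. The log lines, the recovered URLs and the IP addresses (10.1.2.33, 10.1.2.44) are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the slides or textbook): correlate URLs recovered
# from a suspect's disk with the organization's proxy server log.
# All log lines, URLs and client IPs are constructed sample data.
set -eu

# Constructed proxy log in Squid's native access.log layout:
# timestamp elapsed client-ip result/status bytes method url ident hierarchy type
proxy_log_sample() {
cat <<'EOF'
1428900001.123    250 10.1.2.33 TCP_MISS/200 5120 GET http://jobs.example.org/search - HIER_DIRECT/192.0.2.10 text/html
1428900005.456    100 10.1.2.44 TCP_HIT/200 2048 GET http://intranet.example.com/ - HIER_NONE/- text/html
1428900012.789    300 10.1.2.33 TCP_MISS/200 9000 GET http://auction.example.net/item/42 - HIER_DIRECT/198.51.100.7 text/html
1428900020.000     80 10.1.2.33 TCP_DENIED/403 512 GET http://blocked.example.net/ - HIER_NONE/- text/html
EOF
}

# Constructed list of URLs the forensic tool extracted from the suspect's
# browser history on the imaged disk
recovered_urls_sample() {
cat <<'EOF'
http://jobs.example.org/search
http://auction.example.net/item/42
http://news.example.com/
EOF
}

# URLs the proxy saw from one client IP (field 3 = client, field 7 = URL)
urls_for_client() {
  awk -v ip="$1" '$3 == ip { print $7 }'
}

# Number of distinct URLs present both in the recovered list ($1) and in the
# proxy's view of the client ($2). grep -Fxf: fixed strings, whole-line
# matches, patterns taken from the first file.
count_corroborated() {
  grep -Fxf "$1" "$2" | sort -u | wc -l | tr -d ' '
}

# Run the comparison for one suspect IP and print how many recovered URLs
# the proxy log corroborates. A recovered URL with no proxy entry (here
# news.example.com) deserves a second look: cached page, a different egress
# path, or a gap in the logs.
correlate() {
  ip="$1"
  work=$(mktemp -d)
  recovered_urls_sample > "$work/recovered.txt"
  proxy_log_sample | urls_for_client "$ip" > "$work/proxy.txt"
  count_corroborated "$work/recovered.txt" "$work/proxy.txt"
  rm -rf "$work"
}

# Stand-alone run: sh correlate.sh 10.1.2.33   (prints 2)
if [ $# -gt 0 ]; then
  correlate "$1"
fi
```

In a real case the proxy export should be requested for the whole window covered by the recovered history, and both the export and the recovered URL list should be hashed and kept with the case file, since the match count is only as defensible as its inputs.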
E-mail abuse investigations
• To conduct an investigation you need:
– An electronic copy of the offending e-mail that contains
message header data
– If available, e-mail server log records
– For e-mail systems that store users’ messages on a central
server, access to the server
– Access to the computer for performing forensic analysis
– Your preferred computer forensics analysis tool
• Recommended steps
– Use the standard forensic analysis techniques
– Obtain an electronic copy of the suspect’s and victim’s e-mail
folder or data
– For Web-based e-mail investigations, use tools such as FTK’s
Internet Keyword Search option to extract all related e-mail
address information
– Examine header data of all messages of interest
43
Attorney-Client Privilege
Investigations
• Under attorney-client privilege (ACP)
rules for an attorney
– You must keep all findings confidential
• The extra secrecy introduces additional
problems
44
Media Leak Investigations
• In the corporate environment, controlling sensitive
data can be difficult
• Consider the following for media leak investigations
– Examine e-mail
– Examine Internet message boards
– Examine proxy server logs
– Examine known suspects’ workstations
– Examine all company telephone records
• Steps to take for media leaks
– Interview management privately
• To get a list of employees who have direct knowledge of the
sensitive data
– Identify the media source that published the information
– Review company phone records
– Obtain a list of keywords related to the media leak
– Perform keyword searches on proxy and e-mail servers
45
Media Leak Investigations II
• Steps to take for media leaks (continued)
– Discreetly conduct forensic disk acquisitions and
analysis
– From the forensic disk examinations, analyze all e-mail correspondence
• And trace any sensitive messages to other people
– Expand the discreet forensic disk acquisition and
analysis
– Consolidate and review your findings periodically
– Routinely report findings to management
46
Industrial Espionage Investigations
• All suspected industrial espionage cases should
be treated as criminal investigations
• Staff needed
– Computing investigator who is responsible for disk
forensic examinations
– Technology specialist who is knowledgeable of the
suspected compromised technical data
– Network specialist who can perform log analysis and
set up network sniffers
– Threat assessment specialist (typically an attorney)
• Many guidelines in the text.
47
Understanding Data Recovery
Workstations and Software
• Investigations are conducted on a computer
forensics lab (or data-recovery lab)
• Computer forensics and data-recovery are
related but different
• Computer forensics workstation
– Specially configured personal computer
– Loaded with additional bays and forensics
software
• To avoid altering the evidence use:
– A forensics boot floppy disk (or a forensic boot CD/USB)
– Write-blocker devices
48
Setting Up your Computer for
Computer Forensics
• Basic requirements
– A workstation running Windows XP or Vista
– A write-blocker device
– Computer forensics acquisition tool
– Computer forensics analysis tool
– Target drive to receive the source or suspect disk data
– Spare PATA or SATA ports
– USB ports
• Additional useful items
– Network interface card (NIC)
– Extra USB ports
– FireWire 400/800 ports
– SCSI card
– Disk editor tool
– Text editor tool
– Graphics viewer program
– Other specialized viewing tools
49
Bit-Stream Copies
• Bit-stream copy
– Bit-by-bit copy of the original storage medium
– Exact copy of the original disk
– Different from a simple backup copy
• Backup software only copies known (allocated) files
• Backup software cannot copy deleted files, e-mail
messages or recover file fragments
• Bit-stream image
– File containing the bit-stream copy of all data on a
disk or partition
– Also known as forensic copy
• Copy image file to a target disk that matches the
original disk’s manufacturer, size and model
50
Bit-stream Copies (continued)
51
Acquiring an Image of Evidence
Media
• First rule of computer forensics: Preserve the
original evidence
• Conduct your analysis on a copy of the data
• Using ProDiscover Basic to acquire a thumb
drive
– Create a work folder for data storage
– Steps
• On the thumb drive locate the write-protect switch and place
the drive in write-protect mode
• Start ProDiscover Basic
52
ProDiscover use (continued)
53
ProDiscover use (continued)
• Using ProDiscover Basic to acquire a thumb
drive (continued)
– Steps (continued)
• In the main window, click Action, Capture Image from the
menu
• Click the Source Drive drop-down list, and select the
thumb drive
• Click the >> button next to the Destination text box
• Type your name in the Technician Name text box
• ProDiscover Basic then acquires an image of the USB
thumb drive
• Click OK in the completion message box
54
ProDiscover use (continued)
55
Analyzing Digital Evidence
• Your job is to recover data from:
– Deleted files
– File fragments
– Complete files
• Deleted files linger on the disk until new
data is saved on the same physical
location (on SSDs with TRIM enabled, the
controller may erase those blocks much sooner)
• Tool
– ProDiscover Basic
56
Analyzing Digital Evidence (contd)
• Steps
– Start ProDiscover Basic
– Create a new case
– Type the project number
– Add an Image File
• Steps to display the contents of the
acquired data
– Click to expand Content View
– Click All Files under the image filename
path
57
Analyzing Digital Evidence
(continued)
58
Analyzing Digital Evidence (contd)
• Analyze the data
– Search for information related to the complaint
• Data analysis can be most time-consuming task
59
ProDiscover Basic can
• Search for keywords of interest in the case
• Display the results in a search results window
• Click each file in the search results window
and examine its content in the data area
• Export the data to a folder of your choice
• Search for specific filenames
• Generate a report of your activities
60
ProDiscover Basic - contd
61
ProDiscover Basic - contd
62
Completing the Case
• You need to produce a final report
– State what you did and what you found
• Include ProDiscover report to document your
work
• Repeatable findings
– Repeat the steps and produce the same result
• If required, use a report template
• Report should show conclusive evidence
– Suspect did or did not commit a crime or violate a
company policy
63
Critiquing the Case
• Ask yourself the following questions:
– How could you improve your performance in the
case?
– Did you expect the results you found? Did the
case develop in ways you did not expect?
– Was the documentation as thorough as it could
have been?
– What feedback has been received from the
requesting source?
– Did you discover any new problems? If so, what
are they?
– Did you use new techniques during the case or
during research?
64
Next: Ch 4 - Data Acquisition
Objectives
• List digital evidence storage formats
• Explain ways to determine the best acquisition
method
• Describe contingency planning for data acquisitions
• Explain how to use acquisition tools
• Explain how to validate data acquisitions
• Describe RAID acquisition methods
• Explain how to use remote network acquisition
tools
• List other forensic tools available for data
acquisitions
Understanding Storage Formats
for Digital Evidence
• Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)
66
Raw Format
• Makes it possible to write bit-stream data to files
• Advantages
– Fast data transfers
– Can ignore minor data read errors on source drive
– Most computer forensics tools can read raw format
• Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors
67
Proprietary Formats
• Features offered
– Option to compress or not compress image files
– Can split an image into smaller segmented files
– Can integrate metadata into the image file
• Disadvantages
– Inability to share an image between different
tools
– File size limitation for each segmented volume
68
Advanced Forensics Format
• Open source, developed by Dr. Simson L.
Garfinkel of Basis Technology Corporation
• Design goals
– Provide compressed or uncompressed image files
– No size restriction for disk-to-image files
– Provide space in the image file or segmented files for
metadata
– Simple design with extensibility
– Internal consistency checks for self-authentication
• File extensions include .afd for segmented image
files and .afm for AFF metadata
69
Types of Data Acquisition
• Static acquisitions and live acquisitions
• Four methods
– Bit-stream disk-to-image file
– Bit-stream disk-to-disk
– Logical disk-to-disk or disk-to-data file
– Sparse data copy of a file or folder
70
Bit stream copy
• Bit-stream disk-to-image file
– Most common method
– Can make more than one copy
– Copies are bit-for-bit replications of the original
drive
– ProDiscover, EnCase, FTK, SMART, Sleuth Kit,
X-Ways, iLook
• Bit-stream disk-to-disk
– When disk-to-image copy is not possible
– Consider disk’s geometry configuration
– EnCase, SafeBack, SnapCopy
71
Logical acquisition or sparse
acquisition
– When your time is limited
– Logical acquisition captures only specific files
of interest to the case
– Sparse acquisition also collects fragments of
unallocated (deleted) data
– For large disks
– PST or OST mail files, RAID servers
72
Determining the Best Acquisition
Method
• When making a copy, consider:
– Size of the source disk
• Lossless compression might be useful
• Use digital signatures for verification
– When working with large drives, an alternative
is using tape backup systems
– Whether you can retain the disk
73
Contingency Planning for Image
Acquisitions
• Create a duplicate copy of your evidence image
file
• Make at least two images of digital evidence
– Use different tools or techniques
• Copy host protected area of a disk drive as well
– Consider using a hardware acquisition tool that can
access the drive at the BIOS level
• Be prepared to deal with encrypted drives
– Whole disk encryption feature in Windows Vista
Ultimate and Enterprise editions
74
Using Acquisition Tools
• Acquisition tools for Windows
– Advantages
• Make acquiring evidence from a suspect drive
more convenient
– Especially when used with hot-swappable
devices
– Disadvantages
• Must protect acquired data with a well-tested
write-blocking hardware device
• Tools can’t acquire data from a disk’s host
protected area
75
Windows XP Write-Protection
with USB Devices
• USB write-protection feature
– Blocks any writing to USB mass-storage devices
– Controlled by the Registry value WriteProtect (REG_DWORD,
1 = writes blocked) under
HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
• Target drive needs to be connected to an internal
PATA (IDE), SATA, or SCSI controller, because the setting
blocks writes to every USB device, including your target
• Steps to update the Registry for Windows XP SP2
– Back up the Registry
– Modify the Registry with the write-protection feature
– Create two desktop icons to automate switching between
enabling and disabling writes to USB devices
– Caveat: this is software write-blocking; test that it really
blocks writes before trusting it, and prefer a hardware
write-blocker for evidence drives
76
Windows XP Write-Protection
with USB Devices (continued)
77
Acquiring Data with a Linux Boot
CD
• Linux can access a drive that isn’t mounted
• Windows OSs and newer desktop Linux distributions
automatically mount and access a drive
• Forensic Linux Live CDs don’t access media
automatically
– Which reduces the need for a write-blocker; a hardware
write-blocker is still the safer choice, because a distribution
that auto-mounts (or mounts read-write) can modify the evidence
• Using Linux Live CD Distributions
– Forensic Linux Live CDs
• Contain additional utilities
78
Acquiring Data with a Linux Boot
CD (continued)
• Using Linux Live CD Distributions (continued)
– Forensic Linux Live CDs (continued)
• Configured not to mount, or to mount as read-only, any
connected storage media
• Well-designed Linux Live CDs for computer forensics
– Helix
– Penguin Sleuth
– FCCU
• Preparing a target drive for acquisition in
Linux
– Linux distributions can create Microsoft FAT and
NTFS partition tables
79
Acquiring Data with a Linux Boot
CD (continued)
• Preparing a target drive for acquisition in
Linux (continued)
– fdisk command lists, creates, deletes, and
verifies partitions in Linux
– mkfs.msdos command formats a FAT file
system from Linux
• Acquiring data with dd in Linux
– dd (“data dump”) command
• Can read and write from media device and data file
• Creates raw format file that most computer forensics
analysis tools can read
80
Acquiring Data with dd (contd)
– Shortcomings of dd command
• Requires more advanced skills than average user
• Does not compress data
• dd command is intended as a data management tool, not
designed for forensics acquisitions
• dd command combined with the split command: Segments
output into separate volumes
• Acquiring data with dcfldd in Linux
– dcfldd additional functions
• Specify hex patterns or text for clearing disk space
• Log errors to an output file for analysis and review
• Use several hashing options
• Refer to a status display indicating the progress of the
acquisition in bytes
• Split data acquisitions into segmented volumes with
numeric extensions
• Verify acquired data with original disk or media data
81
Capturing an Image with
ProDiscover Basic
• Connecting the suspect’s drive to your workstation
– Document the chain of evidence for the drive
– Remove the drive from the suspect’s computer
– Configure the suspect drive’s jumpers as needed
– Connect the suspect drive
– Create a storage folder on the target drive
• Using ProDiscover’s Proprietary Acquisition Format
– Image file will be split into segments of 650MB
– Creates image files with an .eve extension, a log file (.log
extension), and a special inventory file (.pds extension)
82
Capturing an Image with
ProDiscover Basic (continued)
83
Capturing an Image with
ProDiscover Basic (continued)
• Using ProDiscover’s Raw Acquisition Format
– Select the UNIX style dd format in the Image
Format list box
– Raw acquisition saves only the image data and
hash value
85
Capturing an Image with
AccessData FTK Imager
• Included on AccessData Forensic Toolkit
• View evidence disks and disk-to-image files
• Makes disk-to-image copies of evidence
drives
– At logical partition and physical drive level
– Can segment the image file
• Evidence drive must have a hardware write-blocking device
– Or the USB write-protection Registry feature
enabled
• FTK Imager can’t acquire drive’s host
protected area
86
Capturing an Image with
AccessData FTK Imager II
87
Capturing an Image with
AccessData FTK Imager III
Steps
• Boot to Windows
• Connect evidence disk to a write-blocker
• Connect target disk to the workstation on a writable
channel (if it sits behind a forensic bridge, that bridge
must be switched to read-write, or the image cannot be written)
• Start FTK Imager
• Create Disk Image
– Use the Physical Drive option
88
Capturing an Image with
AccessData FTK Imager IV
89
Validating Data Acquisitions
• Most critical aspect of computer forensics
• Requires using a hashing algorithm utility
• Validation techniques
– CRC-32, MD5, and SHA-1 to SHA-512
– CRC-32 detects accidental corruption only; MD5 and SHA-1
have known collision attacks, so prefer SHA-256 or stronger
where the tool supports it, and record the algorithm used
alongside the hash
90
Linux Validation Methods
• Validating dd acquired data
– You can use md5sum or sha1sum utilities
– md5sum or sha1sum utilities should be run on all suspect
disks and volumes or segmented volumes
• Validating dcfldd acquired data
– Use the hash option to designate a hashing algorithm of
md5, sha1, sha256, sha384, or sha512
– hashlog option outputs hash results to a text file that can
be stored with the image files
– vf (verify file) option compares the image file to the
original medium
91
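The dd, split and hashing steps from the "Acquiring Data with dd" and "Acquiring Data with dcfldd" slides and the validation steps above, as one added shell example that is not from the slides or the textbook. A real acquisition reads a block device such as /dev/sdb; the example uses a constructed 1 MiB file as the stand-in evidence device so it runs offline. It assumes GNU coreutils (dd status=none, split -d, sha256sum). dcfldd is not required: its hashlog and vf (verify) functions are reproduced with sha256sum, and a deliberate one-byte tamper shows what the verification catches.

```shell
#!/bin/sh
# Added example (not from the slides or textbook): raw dd disk-to-image
# acquisition, segmented output, hash log and verification.
# Assumes GNU coreutils (dd status=none, split -d, sha256sum).
# The "evidence device" is a constructed 1 MiB file standing in for a real
# block device such as /dev/sdb.
set -eu

# Constructed stand-in for the evidence device: 1 MiB of repeating text
make_sample_device() {
  yes 'forensic sample block' | head -c 1048576 > "$1"
}

# Hash helper printing only the hex digest. SHA-256 rather than MD5/SHA-1,
# which have known collision attacks.
digest() {
  sha256sum "$1" | cut -d' ' -f1
}

# Bit-stream copy of the source ($1) to a raw image ($2).
# conv=noerror,sync keeps reading past bad sectors and pads each failed
# block with zeros, so later offsets in the image still match the disk.
acquire_raw() {
  dd if="$1" of="$2" bs=65536 conv=noerror,sync status=none
}

# Segment the image into 256 KiB volumes with numeric extensions
# (evidence.dd.00, evidence.dd.01, ...), like dcfldd's split option.
segment_image() {
  split -b 256k -d "$1" "$1."
}

# Record the hashes of source, image and every segment in a hash log kept
# beside the image (the role of dcfldd's hashlog option).
write_hashlog() {
  src="$1"; img="$2"; log="$3"
  {
    echo "source  $(digest "$src")  $src"
    echo "image   $(digest "$img")  $img"
    for seg in "$img".[0-9]*; do
      echo "segment $(digest "$seg")  $seg"
    done
  } > "$log"
}

# Verification (the role of dcfldd's vf option): the image, and the
# concatenation of its segments, must hash identically to the source.
validate_acquisition() {
  src="$1"; img="$2"
  h_src=$(digest "$src")
  h_img=$(digest "$img")
  h_seg=$(cat "$img".[0-9]* | sha256sum | cut -d' ' -f1)
  [ "$h_src" = "$h_img" ] && [ "$h_img" = "$h_seg" ]
}

# Full run in a scratch directory; returns 0 if the acquisition validates.
acquire_and_validate() {
  work=$(mktemp -d)
  make_sample_device "$work/evidence.bin"
  acquire_raw "$work/evidence.bin" "$work/evidence.dd"
  segment_image "$work/evidence.dd"
  write_hashlog "$work/evidence.bin" "$work/evidence.dd" "$work/evidence.hashlog"
  if validate_acquisition "$work/evidence.bin" "$work/evidence.dd"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Negative case: overwrite one byte of the image after acquisition; the
# hash comparison must now fail. Returns 0 if the tampering is detected.
tamper_is_detected() {
  work=$(mktemp -d)
  make_sample_device "$work/evidence.bin"
  acquire_raw "$work/evidence.bin" "$work/evidence.dd"
  segment_image "$work/evidence.dd"
  printf 'X' | dd of="$work/evidence.dd" bs=1 seek=4096 conv=notrunc status=none
  if validate_acquisition "$work/evidence.bin" "$work/evidence.dd"; then rc=1; else rc=0; fi
  rm -rf "$work"
  return $rc
}

# Stand-alone run: RUN_DEMO=1 sh acquire.sh
if [ "${RUN_DEMO:-}" = 1 ]; then
  acquire_and_validate && echo "acquisition validated"
  tamper_is_detected && echo "tampering detected"
fi
```

Two points the example makes that the slides only state: the source hash must be taken from the evidence medium itself (through the write-blocker) before anything else touches it, and the hash log belongs with the image in the evidence container, since a hash you cannot tie to a documented acquisition proves nothing in court.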
Windows Validation Methods
• Older Windows versions have no built-in hashing
tools aimed at computer forensics
– Third-party utilities can be used
– Newer Windows versions ship certutil -hashfile and the
PowerShell Get-FileHash cmdlet (PowerShell 4.0 and later),
which are sufficient for validating a raw image
• Commercial computer forensics programs
also have built-in validation features
– Each program has its own validation technique
• Raw format image files don’t contain
metadata
– Separate manual validation is recommended
for all raw acquisitions
92
Performing RAID Data
Acquisitions
• Size is the biggest concern
– Many RAID systems now have terabytes of data
• What is RAID and what is it used for?
• Redundant array of independent (formerly
“inexpensive”) disks (RAID)
– Computer configuration involving two or more
disks
– Originally developed as a data-redundancy
measure
93