Computer Forensics


Guide to Computer Forensics and Investigations, Second Edition
Chapter 4: Current Computer Forensics Tools
Objectives
• Understand how to identify needs for computer forensics tools
• Evaluate the requirements and expectations for computer forensics tools
• Understand how computer forensics hardware and software tools integrate
• Validate and test your computer forensics tools
Guide to Computer Forensics and Investigations, 2e
2
Computer Forensics Software Needs
• Look for versatility, flexibility, and robustness
– OS
– File system
– Script capabilities
– Automated features
– Vendor’s reputation
• Keep in mind what applications you analyze
Types of Computer Forensics Tools
• Hardware forensic tools
– Single-purpose components
– Complete computer systems and servers
• Software forensic tools
– Command-line applications
– GUI applications
Tasks Performed by Computer Forensics Tools
• Acquisition
• Validation and discrimination
• Extraction
• Reconstruction
• Reporting
Acquisition
• Acquisition categories:
– Physical data copy
– Logical data copy
– Data acquisition format
– Command-line acquisition
– GUI acquisition
Acquisition (continued)
• Acquisition categories (continued):
– Remote acquisition
– Verification
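The following is an added example, not code from the textbook: a sector-level physical copy with built-in verification, written to show what a command-line acquisition tool such as dd (with conv=noerror,sync) or dc3dd does. It runs against a constructed stand-in for a drive (a file whose sectors are filled with their own sector number); the 512-byte sector size, the bad_sectors hook that simulates read errors, and all file names are assumptions for the demo. The point a practitioner should take from it is that an unreadable sector is zero-filled rather than skipped, so every later byte keeps its original offset, and that the hashes recorded in the acquisition log are of the bytes actually written, which is what a later verification must be compared against.

```python
"""Sector-level physical acquisition with hash verification (added example)."""
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size; many modern drives report 4096-byte sectors


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, read in 1 MiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def acquire_physical(device_path, image_path, sector=SECTOR, bad_sectors=frozenset()):
    """Copy device_path sector by sector into image_path (a raw/dd image).

    An unreadable sector is logged and written as zeros so every later byte keeps
    its original offset, which is what dd's conv=noerror,sync option does.
    `bad_sectors` is a hypothetical hook that simulates read errors for the demo.
    Returns an acquisition log with the hashes of the bytes actually written.
    """
    size = os.path.getsize(device_path)  # a real block device reports this via ioctl
    total = (size + sector - 1) // sector
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    failed = []
    with open(device_path, "rb") as dev, open(image_path, "wb") as img:
        for n in range(total):
            try:
                if n in bad_sectors:
                    raise OSError("simulated read error")
                dev.seek(n * sector)
                chunk = dev.read(sector)
            except OSError:
                failed.append(n)
                chunk = b""
            chunk = chunk.ljust(sector, b"\x00")  # zero-fill failed or short reads
            img.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "sectors": total,
        "failed_sectors": failed,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def verify_image(image_path, log):
    """Re-hash the image independently and compare it with the acquisition log."""
    md5, sha256 = hash_file(image_path)
    return md5 == log["md5"] and sha256 == log["sha256"]


def build_test_device(path, sectors=8, sector=SECTOR):
    """Constructed stand-in for a drive: each sector is filled with its own number."""
    with open(path, "wb") as f:
        for n in range(sectors):
            f.write(bytes([n]) * sector)


def demo(bad_sectors=frozenset()):
    """Acquire the constructed device; returns (log, verified, image bytes, source hashes)."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "sda")
        img = os.path.join(tmp, "sda.dd")
        build_test_device(dev)
        log = acquire_physical(dev, img, bad_sectors=bad_sectors)
        ok = verify_image(img, log)
        with open(img, "rb") as f:
            data = f.read()
        source_hashes = hash_file(dev)
    return log, ok, data, source_hashes


if __name__ == "__main__":
    log, ok, data, src = demo()
    print("clean acquisition verified:", ok, "| image md5 == source md5:", log["md5"] == src[0])
    log, ok, data, src = demo(bad_sectors={3})
    print("failed sectors:", log["failed_sectors"], "| image verified against log:", ok)
```

Note that in the bad-sector run the image still verifies against its own log, but its hash no longer equals the hash of the source media; the failed-sector list is what explains the difference, which is why the acquisition log belongs in the final report.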
Validation and Discrimination
• Hashing
– Cyclic redundancy check (CRC)-32, MD5, Secure Hash Algorithms (SHAs)
– CRC-32 is a checksum that only detects accidental corruption; MD5 collisions are practical, so record a SHA-2 hash (SHA-256) alongside it for evidence integrity
• Filtering
– Based on hash value sets
• Analyzing file headers
– Discriminate files based on their types
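An added example, not from the textbook, of the two discrimination steps on this slide: computing the three hash types named above for a file, and comparing the type a file's extension claims with the type its header (magic number) proves. The signature table is a small constructed subset of real magic numbers, the sample files are minimal constructed headers rather than real files, and the function names are assumptions. A renamed file, such as a JPEG stored as a .dll, is what this catches.

```python
"""Hashing and file-header (signature) discrimination (added example)."""
import binascii
import hashlib
import os

# Leading bytes (magic numbers) for a few common types; constructed subset.
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/jar: all are ZIP containers
    b"MZ": "pe",            # Windows EXE/DLL
    b"\x7fELF": "elf",
}
# Type each extension claims to be, for the mismatch check.
EXT_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
             ".zip": "zip", ".docx": "zip", ".exe": "pe", ".dll": "pe", ".elf": "elf"}


def digests(data):
    """CRC-32, MD5 and SHA-256 of a byte string, as lower-case hex strings."""
    return {
        "crc32": f"{binascii.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def header_type(data):
    """Identify a file by its leading bytes; None when no known signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def discriminate(name, data):
    """Compare the type claimed by the extension with the type the header proves."""
    ext = os.path.splitext(name)[1].lower()
    claimed = EXT_TYPES.get(ext)
    actual = header_type(data)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        # Only flag when both sides are known and disagree; unknown is not evidence.
        "mismatch": claimed is not None and actual is not None and claimed != actual,
        **digests(data),
    }


def triage(files):
    """Run discrimination over (name, bytes) pairs; returns one record per file."""
    return [discriminate(name, data) for name, data in files]


def suspicious(files):
    """Names whose extension claims one type while the header proves another."""
    return [r["name"] for r in triage(files) if r["mismatch"]]


SAMPLE_FILES = [  # constructed: minimal headers, not real files
    ("photo.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 64),
    ("tool.exe", b"MZ\x90\x00" + b"\x00" * 64),
    ("system32.dll", b"\xFF\xD8\xFF\xE1" + b"\x00" * 64),  # a JPEG hiding as a DLL
    ("notes.txt", b"meeting at the dock"),                 # no signature, no claim
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FILES):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']:14} ext={r['claimed']!s:5} header={r['actual']!s:5} {flag} md5={r['md5']}")
```

Signature checks at offset 0 are a first pass only: container formats (a .docx is a ZIP) and formats whose magic sits at a later offset need per-type rules, which is what a full forensic suite's file-signature database supplies.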
Extraction
• Major techniques include:
– Data viewing
• How data is viewed depends on the tool used
– Keyword searching
• Recovers key data facts
– Decompressing
• Archive and cabinet files
Extraction (continued)
• Major techniques include:
– Carving
• Recover deleted files, or fragments of them, from unallocated space by their header and footer signatures
– Decrypting
• Password dictionary attacks
• Brute-force attacks
– Bookmarking
• First find evidence, then bookmark it
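An added example, not from the textbook, covering three of the extraction techniques on the two slides above: header/footer carving of a JPEG out of a raw image, keyword searching in both ASCII and UTF-16LE (the encoding Windows and NTFS use for much of their text), and recording each hit as a bookmark with its offset and surrounding bytes. The raw image is constructed inline (zero-filled sectors with one embedded JPEG and two planted strings); the 8 MiB carve limit and all names are assumptions.

```python
"""Carving, keyword search and bookmarking over a raw image (added example)."""
import re

JPEG_SOI = b"\xFF\xD8\xFF"   # start-of-image marker (header)
JPEG_EOI = b"\xFF\xD9"       # end-of-image marker (footer)
MAX_CARVE = 8 * 1024 * 1024  # assumed cap; stops runaway carves when a footer is missing


def carve_jpegs(image, max_size=MAX_CARVE):
    """Header/footer carving: every FFD8FF ... FFD9 span becomes a candidate file."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:
            pos = start + 1  # header with no footer inside the window: skip it
            continue
        end += len(JPEG_EOI)
        found.append({"offset": start, "size": end - start, "data": image[start:end]})
        pos = end
    return found


def keyword_search(image, keywords, context=16):
    """Search ASCII and UTF-16LE encodings; return bookmarks sorted by offset."""
    hits = []
    for kw in keywords:
        encodings = (("ascii", kw.encode("ascii")), ("utf-16le", kw.encode("utf-16-le")))
        for label, needle in encodings:
            for m in re.finditer(re.escape(needle), image, flags=re.IGNORECASE):
                off = m.start()
                hits.append({
                    "keyword": kw,
                    "encoding": label,
                    "offset": off,
                    "context": image[max(0, off - context): off + len(needle) + context],
                })
    return sorted(hits, key=lambda h: h["offset"])


def build_test_image(sector=512):
    """Constructed raw image: unallocated zeros, one JPEG, one ASCII and one UTF-16LE string."""
    jpeg = JPEG_SOI + b"\xE0\x00\x10JFIF\x00" + b"\x11" * 300 + JPEG_EOI
    img = bytearray(b"\x00" * sector * 16)
    img[sector * 2: sector * 2 + len(jpeg)] = jpeg
    note = b"Meeting at the dock, 11pm."
    img[sector * 7: sector * 7 + len(note)] = note
    wide = "Confidential".encode("utf-16-le")
    img[sector * 12: sector * 12 + len(wide)] = wide
    return bytes(img)


def demo():
    """Carve and search the constructed image; returns (carved files, bookmarks)."""
    image = build_test_image()
    return carve_jpegs(image), keyword_search(image, ["dock", "confidential"])


if __name__ == "__main__":
    carved, bookmarks = demo()
    for c in carved:
        print(f"carved JPEG at offset {c['offset']} ({c['size']} bytes)")
    for b in bookmarks:
        print(f"bookmark: '{b['keyword']}' as {b['encoding']} at offset {b['offset']}: {b['context']!r}")
```

The ASCII-only search that many beginners run would have missed the UTF-16LE hit; the offsets in the bookmarks are what you carry into the report and into the verification step with a hex editor.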
Reconstruction
• Re-create a suspect’s disk drive
– Techniques
• Disk-to-disk copy
• Image-to-disk copy
• Partition-to-partition copy
• Image-to-partition copy
Reporting
• Configure your forensic tools to:
– Log activities
– Generate reports
• Use this information when producing a final report for your investigation
Tool Comparisons
Other Considerations for Tools
• Flexibility
• Reliability
• Expandability
• Keep a library with older versions of your tools
Computer Forensics Software
• Example: Norton DiskEdit
• Advantages
– Require few system resources
– Run in minimal configurations
– Fit on a bootable floppy disk
• Disadvantages
– Cannot search inside archive and cabinet files
– Most of them only work on FAT file systems
UNIX/Linux Command-line Forensic Tools
• Dominate the *nix platforms
• Examples:
– SMART
– The Coroner’s Toolkit (TCT)
– Autopsy (a browser-based front end to The Sleuth Kit)
– The Sleuth Kit (TSK)
GUI Forensic Tools
• Simplify computer forensics investigations
• Help train beginning investigators
• Most come as suites of tools
GUI Forensic Tools (continued)
• Advantages
– Ease of use
– Multitasking
– No need to learn older OSs
• Disadvantages
– Excessive resource requirements
– Produce inconsistent results
– Create tool dependencies
Computer Hardware Tools
• Provide analysis capabilities
• Hardware eventually fails
– Schedule equipment replacements
• When planning your budget, allow for:
– Failures
– Consultant and vendor fees
– Equipment replacement
Computer Investigation Workstations
• Carefully consider what you need
• Categories:
– Stationary
– Portable
– Lightweight
• Balance what you need and what your system can handle
Computer Investigation Workstations (continued)
• Police agency labs
– Need many options
– Use several PC configurations
• Private corporation labs handle only the system types used in the organization
• Keep a hardware library
Building your Own Workstation
• It is not as difficult as it sounds
• Advantages
– Customized to your needs
– Save money
– ISDN phone system
• Disadvantages
– Hard to find support for problems
– Can become expensive if careless
Building your Own Workstation (continued)
• You can buy one from a vendor as an alternative
• Examples:
– F.R.E.D.
– FIRE IDE
Using a Write-Blocker
• Prevents data writes to a hard disk
• Software options:
– Software write-blockers are OS-dependent
– PDBlock
• Hardware options
– Ideal for GUI forensic tools
– Act as a bridge between the disk and the workstation
Using a Write-Blocker (continued)
• Discards any write sent to the disk
• Reports the write as successful, so the OS does not error out
– Verify this on a test disk before relying on it: hash the disk, attempt a write through the blocker, then hash it again
• Connecting technologies
– FireWire
– USB 2.0
– SCSI controllers
Recommendations for a Forensic Workstation
• Data acquisition techniques:
– USB 2.0
– FireWire
• Expansion device requirements
• Power supply with battery backup
• Extra power and data cables
• External FireWire and USB 2.0 ports
Recommendations for a Forensic Workstation (continued)
• Ergonomic considerations
– Keyboard and mouse
– Display
• High-end video card
• Monitor
Validating and Testing Forensic Software
• Evidence may have to be admitted in court
• Test and validate your software before using it on evidence, so it cannot alter or damage that evidence
Using National Institute of Standards
and Technology (NIST) Tools
• Computer Forensics Tool Testing (CFTT) program
– Based on standard testing methods
– ISO 17025 criteria
– ISO 5725
• Also evaluate disk imaging tools
– Forensic Software Testing Support Tools (FS-TSTs)
Using NIST Tools (continued)
• National Software Reference Library (NSRL) project
– Collects hash values of known files from commercial software applications and OS files
– Helps filter out known files so the examiner can concentrate on the rest
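An added example, not from the textbook, of known-file filtering with an NSRL-style hash set. Because the reference hashes must be exact, the example builds a small hash list from a constructed set of "known" installed files, writes it in the column layout of the legacy NSRLFile.txt text export (SHA-1, MD5, CRC32, FileName, FileSize, ProductCode, OpSystemCode, SpecialCode; treat that layout as an assumption and check the README of the RDS release you download), parses it back, and then splits a constructed set of evidence files into known and unknown. The file contents, names and codes are all constructed.

```python
"""Known-file filtering against an NSRL-style hash set (added example)."""
import binascii
import csv
import hashlib
import io

# Column layout of the legacy NSRLFile.txt export (assumed; check the RDS README).
RDS_HEADER = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
              "ProductCode", "OpSystemCode", "SpecialCode"]


def file_hashes(data):
    """SHA-1, MD5 (upper-case hex, as the RDS stores them) and CRC-32 of the bytes."""
    return (hashlib.sha1(data).hexdigest().upper(),
            hashlib.md5(data).hexdigest().upper(),
            f"{binascii.crc32(data) & 0xFFFFFFFF:08X}")


def make_rds(known_files, product_code=1):
    """Write an NSRL-style hash list for a set of known (name, bytes) files."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC, lineterminator="\r\n")
    w.writerow(RDS_HEADER)
    for name, data in known_files:
        sha1, md5, crc = file_hashes(data)
        w.writerow([sha1, md5, crc, name, len(data), product_code, "WIN", ""])
    return buf.getvalue()


def load_rds(text):
    """Parse the hash list into two lookup tables: SHA-1 -> name and MD5 -> name."""
    sha1s, md5s = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        sha1s[row["SHA-1"].upper()] = row["FileName"]
        md5s[row["MD5"].upper()] = row["FileName"]
    return sha1s, md5s


def filter_known(evidence_files, rds):
    """Split evidence into known files (skip) and unknown files (examine).

    Membership is decided by content hash alone, so a renamed copy of a known
    file is still filtered out, while a file patched by a single byte is not.
    """
    sha1s, md5s = rds
    known, unknown = [], []
    for name, data in evidence_files:
        sha1, md5, _ = file_hashes(data)
        if sha1 in sha1s or md5 in md5s:
            known.append((name, sha1s.get(sha1) or md5s.get(md5)))
        else:
            unknown.append(name)
    return known, unknown


KNOWN_INSTALL = [  # constructed stand-ins for vendor binaries on a clean install
    ("KERNEL32.DLL", b"MZ" + b"\x90" * 200),
    ("NOTEPAD.EXE", b"MZ" + b"\x4E" * 200),
]
EVIDENCE = [  # constructed files recovered from a suspect image
    ("kernel32.dll", b"MZ" + b"\x90" * 200),           # untouched copy: filter out
    ("cache.tmp", b"MZ" + b"\x4E" * 200),               # notepad renamed: still known
    ("notepad.exe", b"MZ" + b"\x4E" * 199 + b"\x00"),   # one byte patched: unknown
    ("plans.docx", b"PK\x03\x04" + b"\x01" * 50),       # user data: examine
]


def demo():
    """Build the hash list from the known install and filter the evidence set."""
    rds = load_rds(make_rds(KNOWN_INSTALL))
    return filter_known(EVIDENCE, rds)


if __name__ == "__main__":
    known, unknown = demo()
    print("known (filtered out):", known)
    print("unknown (to examine):", unknown)
```

Two caveats a practitioner should keep in mind: the NSRL identifies known files, not benign ones, so a match is a reason to deprioritise, not to ignore; and the patched notepad.exe above shows why a trojaned system binary survives the filter and why unknown copies of system files deserve a closer look.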
The Validation Protocols
• Always verify your results
• Use at least two tools
– Retrieving and examination
– Verification
• Understand how tools work
• Disk editors
– Norton DiskEdit
– Hex Workshop
– WinHex
The Validation Protocols (continued)
• Disk editors (continued)
– Do not have a flashy interface
– Reliable tools
– Can access raw data
Computer Forensics Examination Protocol
• Perform the investigation with a GUI tool
• Verify your results with a disk editor
– WinHex
– Hex Workshop
• Compare hash values obtained with both tools
Computer Forensics Tool Upgrade Protocol
• Test
– New releases
– Patches
– Upgrades
• If you find a problem, report it to your forensics tool vendor
• Use a test hard disk for validation purposes
Summary
• Create a business plan to get the best hardware and software
• Computer forensics tools functions
– Acquisition
– Validation and discrimination
– Extraction
– Reconstruction
– Reporting
Summary (continued)
• Maintain a software library in your lab
• Computer forensics tools types:
– Software
– Hardware
• Forensics software:
– Command-line
– GUI
Summary (continued)
• Forensics hardware:
– Customized equipment
– Commercial options
– Include workstations and write-blockers
• Always test your forensics tools