
Guide to Computer Forensics and Investigations Sixth Edition Chapter 6

Current Digital Forensics Tools


Explain how to evaluate needs for digital forensics tools

Describe available digital forensics software tools

List some considerations for digital forensics hardware tools

Describe methods for validating and testing forensics tools

Objectives

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.


Look for versatility, flexibility, and robustness, and consider open-source tools alongside commercial ones; the goal is the best value for as many of the features you actually need as possible

Questions to ask when evaluating tools:

On which OS does the forensics tool run?

Is the tool versatile?

Can the tool analyze more than one file system?

Can a scripting language be used with the tool to automate repetitive functions and tasks?

Does it have automated features?

What is the vendor’s reputation for providing product support?

Evaluating Digital Forensics Tool Needs


Hardware forensic tools

Range from simple, single-purpose components to complete computer systems and servers

Software forensic tools

Types

Command-line applications

GUI applications

Software tools are most commonly used to copy data from a suspect's disk drive to an image file

Types of Digital Forensics Tools


Follow guidelines set up by NIST’s Computer Forensics Tool Testing (CFTT) program

ISO/IEC 27037 states that Digital Evidence First Responders (DEFRs) should use validated tools

Five major categories:

Acquisition

Validation and verification

Extraction

Reconstruction

Reporting

Tasks Performed by Digital Forensics Tools (1 of 20)


Acquisition

Making a copy of the original drive

Acquisition subfunctions:

Physical data copy

Logical data copy

Data acquisition format

Command-line acquisition

GUI acquisition

Remote, live, and memory acquisitions

Tasks Performed by Digital Forensics Tools (2 of 20)


Acquisition (cont’d)

Two types of data-copying methods are used in software acquisitions:

Physical copying of the entire drive

Logical copying of a disk partition

The formats for disk acquisitions vary

From raw data to vendor-specific proprietary

You can view a raw image file’s contents with any hexadecimal editor

Tasks Performed by Digital Forensics Tools (3 of 20)


Acquisition (cont’d)

Creating smaller segmented files is a typical feature in vendor acquisition tools

Remote acquisition of files is common in larger organizations

Popular suites, such as AccessData's FTK and EnCase, can perform remote acquisitions of drive images over a network

Tasks Performed by Digital Forensics Tools (5 of 20)


Validation and Verification

Validation

A way to confirm that a tool is functioning as intended

Verification

Proves that two sets of data are identical by calculating hash values or using another similar method

A related process is filtering (also called discrimination), which sorts and searches through investigation findings to separate known-good data from data that needs examination

Tasks Performed by Digital Forensics Tools (6 of 20)
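The acquisition and verification slides above describe writing an image (often as segmented files) and then proving the copy matches the source by hashing. The following is an added example, not code from the textbook or from any vendor tool: it performs a logical copy of a stream into numbered segment files while hashing the bytes as they are read, then verifies the segments in a separate pass. The segment size, file naming and the sample "drive" bytes are this example's assumptions.

```python
import hashlib
import io
import os
import tempfile

# Added example (not from the textbook): segmented raw-image acquisition with a
# SHA-256 recorded during the copy and a separate verification pass over the
# written segments. Segment size and naming are assumptions for the demo.

CHUNK = 64 * 1024  # read size; independent of the segment size


def acquire_segmented(source, out_dir, base_name="evidence", segment_size=1024 * 1024):
    """Copy every byte of `source` (a readable binary file object) into numbered
    segment files and return (segment_paths, source_sha256).

    The hash is computed from the bytes as they are read, in the same pass, so it
    describes what was acquired, not what was later read back."""
    digest = hashlib.sha256()
    paths = []
    seg_index = 0
    seg_file = None
    written_in_seg = 0
    while True:
        chunk = source.read(CHUNK)
        if not chunk:
            break
        digest.update(chunk)
        offset = 0
        while offset < len(chunk):
            if seg_file is None:
                path = os.path.join(out_dir, f"{base_name}.{seg_index:03d}")
                seg_file = open(path, "wb")
                paths.append(path)
            room = segment_size - written_in_seg
            piece = chunk[offset:offset + room]  # may split a chunk across segments
            seg_file.write(piece)
            written_in_seg += len(piece)
            offset += len(piece)
            if written_in_seg == segment_size:
                seg_file.close()
                seg_file = None
                seg_index += 1
                written_in_seg = 0
    if seg_file is not None:
        seg_file.close()
    return paths, digest.hexdigest()


def verify_segments(paths, expected_sha256):
    """Re-read the segments in order and compare the SHA-256 of their
    concatenation with the hash recorded at acquisition time."""
    digest = hashlib.sha256()
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def demo():
    """Acquire a constructed 250,000-byte 'drive' into 100,000-byte segments,
    verify, then corrupt one byte of a segment and verify again."""
    drive = bytes((i * 7 + (i >> 8)) & 0xFF for i in range(250_000))  # constructed data
    with tempfile.TemporaryDirectory() as out_dir:
        paths, acquired = acquire_segmented(io.BytesIO(drive), out_dir, segment_size=100_000)
        ok = verify_segments(paths, acquired)
        with open(paths[1], "r+b") as fh:  # simulate a damaged segment file
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0x01]))
        tampered_ok = verify_segments(paths, acquired)
    return len(paths), acquired == hashlib.sha256(drive).hexdigest(), ok, tampered_ok
```

The design point is that the acquisition hash is taken from the bytes read off the source, not from the output files; verification then re-reads the segments independently. A single flipped byte in any segment makes verification fail, which is exactly the property a court expects you to be able to show.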


Validation and verification (cont’d)

Subfunctions

Hashing

CRC-32, MD5, and SHA-1 (SHA-1 is one of the Secure Hash Algorithms). CRC-32 is an error-detecting checksum, not a cryptographic hash, and both MD5 and SHA-1 have practical collision attacks; they remain in use for matching against older hash sets, but record SHA-256 as well for any new acquisition

Filtering

Based on hash value sets

Analyzing file headers

Discriminate files based on their types

National Software Reference Library (NSRL) has compiled a list of known file hashes

For a variety of OSs, applications, and images

Tasks Performed by Digital Forensics Tools (7 of 20)


Validation and verification (cont'd)

Many computer forensics programs include a list of common header values (the fixed "magic number" bytes at the start of a file that identify its format)

With this information, you can see whether a file extension is incorrect for the file type, a common way of hiding data in plain sight

Most forensics tools can identify header values automatically

Tasks Performed by Digital Forensics Tools (9 of 20)
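The header-value check described above can be done with a short signature table. What follows is an added example, not code from the textbook or any forensics product: it reads the first bytes of each file, looks them up against a small table of well-known headers, and reports files whose extension contradicts the header. The signature table is deliberately small and illustrative (real tools ship far larger ones), and the sample files in the demo are constructed.

```python
import os
import tempfile

# Added example (not from the textbook): extension-versus-header mismatch
# detection. The signature table below is an illustrative subset, not a
# complete list of file types.

SIGNATURES = {
    "jpg": [b"\xFF\xD8\xFF"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],   # also the container for .docx/.xlsx/.pptx/.jar
    "exe": [b"MZ"],           # DOS/PE executables and DLLs
}
# Extensions that legitimately carry one of the headers above.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
               "jar": "zip", "dll": "exe"}


def identify_by_header(data):
    """Return the type whose signature matches the start of `data`, or None."""
    for ftype, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ftype
    return None


def check_extension(path):
    """Return (claimed_type, header_type, status) for one file, where status is
    'match', 'mismatch' or 'unknown-header' (no signature in the table)."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    ext = EXT_ALIASES.get(ext, ext)
    with open(path, "rb") as fh:
        head = fh.read(16)
    htype = identify_by_header(head)
    if htype is None:
        return ext, None, "unknown-header"
    return ext, htype, "match" if ext == htype else "mismatch"


def scan_directory(root):
    """Walk `root` and list (relative path, claimed type, header type) for every
    file whose header contradicts its extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            claimed, actual, status = check_extension(path)
            if status == "mismatch":
                findings.append((os.path.relpath(path, root), claimed, actual))
    return findings


def demo():
    """Constructed evidence set: a PNG, a JPEG renamed .txt, an executable
    renamed .jpg, and a text file with no recognisable header."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "notes.txt": b"\xFF\xD8\xFF\xE0" + b"\x00" * 32,
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 32,
        "readme.txt": b"just text\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan_directory(root)
```

Files with no entry in the table are reported as unknown rather than as mismatches, so a small table produces no false accusations; it only misses things. A file such as a renamed executable, which shows up as a mismatch, is the kind of finding that should be bookmarked for closer review rather than treated as proof of anything on its own.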


Extraction

Recovery task in a digital investigation

Most challenging of all tasks to master

Recovering data is the first step in analyzing an investigation’s data

Tasks Performed by Digital Forensics Tools (13 of 20)


Extraction (cont’d)

Subfunctions of extraction

Data viewing

Keyword searching

Decompressing or uncompressing

Carving

Decrypting

Bookmarking or tagging

Keyword search speeds up analysis for investigators

Tasks Performed by Digital Forensics Tools (14 of 20)


Extraction (cont’d)

From an investigation perspective, encrypted files and systems are a problem

Many password recovery tools have a feature for generating potential password lists

For a password dictionary attack

If a password dictionary attack fails, you can run a brute-force attack, which tries every combination of characters; its cost grows exponentially with password length and character-set size, so it is a last resort rather than a plan

Tasks Performed by Digital Forensics Tools (17 of 20)
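The two-stage sequence above (dictionary first, brute force as the fallback) is shown here as an added example, not code from the textbook or from any password recovery product. The target is a salted SHA-256 digest constructed for this demo; real encrypted containers use deliberately slow key-derivation functions, and real tools use far larger dictionaries and rule sets. The word list, salt and mangling rules are this example's assumptions.

```python
import hashlib
import itertools
import string

# Added example (not from the textbook): dictionary attack with simple
# mangling rules, then brute force over a bounded keyspace. The hash format,
# salt and word list are constructed for the demo.

SALT = b"demo-salt"
WORDLIST = ["password", "letmein", "summer", "dragon"]  # constructed, tiny


def digest(password):
    """Constructed verifier: SHA-256 over salt + password (not a real format)."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def dictionary_attack(target, wordlist, mangle=True):
    """Try each word as-is and with a few common mangling rules."""
    for word in wordlist:
        candidates = [word]
        if mangle:
            candidates += [word.capitalize(), word.upper()]
            candidates += [word + d for d in "0123456789"]
        for cand in candidates:
            if digest(cand) == target:
                return cand
    return None


def keyspace(charset_size, max_len):
    """Number of candidates a brute-force run must consider up to max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def brute_force(target, charset, max_len):
    """Exhaust every string over `charset` up to `max_len` characters."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            cand = "".join(combo)
            if digest(cand) == target:
                return cand
    return None


def recover(target, wordlist, charset=string.ascii_lowercase + string.digits, max_len=4):
    """Dictionary first; fall back to brute force only if it fails."""
    found = dictionary_attack(target, wordlist)
    if found is not None:
        return "dictionary", found
    found = brute_force(target, charset, max_len)
    if found is not None:
        return "brute-force", found
    return "not-found", None
```

The keyspace function makes the caveat concrete: 36 characters at up to 3 positions is about 48,000 candidates, while 95 printable characters at 8 positions is on the order of 10^15. Against a real container's slow key-derivation function, the second number is the difference between minutes and centuries, which is why the dictionary stage and any leads about the suspect's habits come first.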


Reconstruction

Re-create a suspect drive to show what happened during a crime or an incident

Methods of reconstruction

Disk-to-disk copy

Partition-to-partition copy

Image-to-disk copy

Image-to-partition copy

Disk-to-image copy

Rebuilding files from data runs and carving

Tasks Performed by Digital Forensics Tools (18 of 20)


Reconstruction (cont’d)

To re-create an image of a suspect drive

Copy an image to another location, such as a partition, a physical disk, or a virtual machine

Simplest method is to use a tool that makes a direct disk-to-image copy

Examples of disk-to-image copy tools:

Linux dd command

ProDiscover

Voom Technologies Shadow Drive

Tasks Performed by Digital Forensics Tools (19 of 20)


Reporting

To perform a forensics disk analysis and examination, you need to create a report

Subfunctions of reporting

Bookmarking or tagging

Log reports

Timelines

Report generator

Use this information when producing a final report for your investigation

Tasks Performed by Digital Forensics Tools (20 of 20)


Considerations

Flexibility

Reliability

Future expandability

Create a software library containing older versions of forensics utilities, OSs, and other programs

Other Considerations for Tools


The following sections explore some options for command-line and GUI tools in both Windows and Linux

Digital Forensics Software Tools


The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems

Norton DiskEdit

One of the first MS-DOS tools used for computer investigations

Command-line tools require few system resources

Designed to run in minimal configurations

Command-line Forensics Tools


UNIX has been mostly replaced by Linux

You might still encounter systems running UNIX

Linux platforms have become more popular with home and business end users

SMART

Designed to be installed on numerous Linux versions

Can analyze a variety of file systems

Many plug-in utilities are included with SMART

Another useful option in SMART is its hex viewer

Linux Forensics Tools (1 of 3)


Helix 3

One of the easiest suites to use

You can load it on a live Windows system

Loads as a bootable Linux OS from a cold boot

Note: some international courts have not accepted live acquisitions as a valid forensics practice

Kali Linux

Formerly known as BackTrack

Includes a large collection of security and forensics tools with a desktop interface (the default desktop environment has changed across releases and is no longer KDE)

Linux Forensics Tools (2 of 3)


Autopsy and SleuthKit

The Sleuth Kit is a collection of command-line forensics tools that runs on Linux as well as other platforms

Autopsy was originally a browser-based front end for The Sleuth Kit's tools; current versions are a standalone GUI application

Chapter 7 explains how to use these tools

Forcepoint Threat Protection

Formerly known as Second Look

A Linux memory analysis tool

Could perform both onsite and remote memory acquisitions

Linux Forensics Tools (3 of 3)


GUI forensics tools can simplify digital forensics investigations

Have also simplified training for beginning examiners

Most of them are put together as suites of tools

Advantages

Ease of use

Multitasking

No need for learning older OSs

Other GUI Forensics Tools (1 of 2)


Disadvantages

Excessive resource requirements

Can produce inconsistent results, for example when run under different OS versions

Create tool dependencies

Investigators may be tempted to rely on only one tool

Investigators should be familiar with more than one type of tool so that results can be cross-checked

Other GUI Forensics Tools (2 of 2)


Technology changes rapidly

Hardware eventually fails

Schedule equipment replacements periodically

When planning your budget, consider:

Amount of time you expect the forensic workstation to be running

Failures

Consultant and vendor fees

Anticipate equipment replacement

Digital Forensics Hardware Tools


Carefully consider what you need

Categories

Stationary workstation

Portable workstation

Lightweight workstation

Balance what you need and what your system can handle

Remember that RAM and storage need updating as technology advances

Forensic Workstations (1 of 4)


Police agency labs

Need many options

Use several PC configurations

Keep a hardware library in addition to your software library

Private corporation labs

Handle only system types used in the organization

Forensic Workstations (2 of 4)


Building a forensic workstation is not as difficult as it sounds

Advantages

Customized to your needs

Save money

Disadvantages

Hard to find support for problems

Can become expensive if careless

Also need to identify what you intend to analyze

Forensic Workstations (3 of 4)


Some vendors offer workstations designed for digital forensics

Examples

F.R.E.D. unit from Digital Intelligence

Hardware mounts from ForensicPC

Having vendor support can save you time and frustration when you have problems

Can mix and match components to get the capabilities you need for your forensic workstation

Forensic Workstations (4 of 4)


Write-blocker

Prevents data writes to a hard disk

Software-enabled blockers

Typically run in a shell mode (Windows CLI)

Example: PDBlock from Digital Intelligence

Hardware options

Ideal for GUI forensic tools

Act as a bridge between the suspect drive and the forensic workstation

Using a Write-Blocker (1 of 2)


You can browse the blocked drive with any application

The blocker discards any data written to the drive

To the OS, the write appears to have succeeded

Validate a write-blocker the same way as any other tool: hash the drive, attempt writes through the blocker, and confirm the hash is unchanged

Connecting technologies

FireWire

USB 2.0 and 3.0

SATA, PATA, and SCSI controllers

Using a Write-Blocker (2 of 2)


Determine where data acquisitions will take place

With FireWire and USB write-blocking devices

You can acquire data easily with Digital Intelligence FireChief and a laptop computer

If you want to reduce hardware to carry:

WiebeTech Forensic DriveDock with its regular DriveDock FireWire bridge or the Logicube Talon

Recommendations for a Forensic Workstation (1 of 3)


Recommendations when choosing stationary or lightweight workstation:

Full tower to allow for expansion devices

As much memory and processor power as budget allows

Different sizes of hard drives

400-watt or better power supply with battery backup

External FireWire and USB ports

Assortment of drive adapter bridges

Recommendations for a Forensic Workstation (2 of 3)


Recommendations when choosing stationary or lightweight workstation (cont’d):

Ergonomic keyboard and mouse

A good video card with at least a 17-inch monitor

High-end video card and dual monitors

If you have a limited budget, one option for outfitting your lab is to use high-end game PCs

Recommendations for a Forensic Workstation (3 of 3)


It is important to make sure the evidence you recover and analyze can be admitted in court

You must test and validate your software to prevent damaging the evidence

Validating and Testing Forensic Software


NIST publishes articles, provides tools, and creates procedures for testing/validating forensics software

Computer Forensics Tool Testing (CFTT) project

Manages research on forensics tools

NIST has created criteria for testing forensics tools based on:

Standard testing methods

ISO 17025 criteria for testing items that have no current standards

Using National Institute of Standards and Technology Tools (1 of 3)


Your lab's tool-testing procedure should follow these steps

Establish categories for digital forensics tools

Identify forensics category requirements

Develop test assertions

Identify test cases

Establish a test method

Report test results

ISO 5725 - specifies results must be repeatable and reproducible

Using National Institute of Standards and Technology Tools (2 of 3)


NIST created the National Software Reference Library (NSRL) project

Collects hash values of known software applications and OS files

Uses SHA-1 to generate a known set of digital signatures called the Reference Data Set (RDS)

Helps filter out known files so that examination time goes to what is left

Primarily a list of known benign files, but the RDS also includes hashes of some files of interest, such as hacking and steganography tools, so it can flag those as well

Using National Institute of Standards and Technology Tools (3 of 3)
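Filtering on hash value sets (the earlier validation and verification slides) and the NSRL RDS described above come down to the same operation: hash every file, look it up in a known-file table, and set aside what matches. The following is an added example, not code from the textbook or from NIST: it uses a hash set constructed for the demo in its own simple record format, not NSRL's distribution format, and the sample files are constructed. Both SHA-1 and SHA-256 are computed in one pass so the same scan can serve a SHA-1-keyed set and a SHA-256-keyed one.

```python
import hashlib
import os
import tempfile

# Added example (not from the textbook or NSRL): known-file filtering against a
# constructed hash set. Record format 'sha1,filename,status' is this example's,
# not the RDS format; status is 'known' (ignorable) or 'notable' (of interest).


def sha1_and_sha256(path):
    """Return (sha1, sha256) hex digests of a file, read in one pass."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h1.update(chunk)
            h256.update(chunk)
    return h1.hexdigest(), h256.hexdigest()


def load_hash_set(lines):
    """Parse 'sha1,filename,status' records into {sha1: (filename, status)}."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sha1, name, status = line.split(",")
        if status not in ("known", "notable"):
            raise ValueError(f"bad status {status!r} for {name}")
        table[sha1.lower()] = (name, status)
    return table


def triage(root, hash_set):
    """Classify every file under `root` as known, notable or unknown by SHA-1."""
    result = {"known": [], "notable": [], "unknown": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            sha1, _ = sha1_and_sha256(os.path.join(dirpath, name))
            entry = hash_set.get(sha1)
            if entry is None:
                result["unknown"].append(name)
            else:
                result[entry[1]].append(name)
    return result


def demo():
    """Constructed evidence set: two pretend OS/application files, one pretend
    tool of interest, and one user document that is in no hash set."""
    files = {
        "kernel32.dll": b"MZ" + b"\x00" * 100,
        "notepad.exe": b"MZ" + b"\x01" * 100,
        "cracker.exe": b"MZ" + b"\x02" * 100,
        "letter.docx": b"PK\x03\x04" + b"\x03" * 100,
    }
    records = ["# sha1,filename,status"]
    for name, status in (("kernel32.dll", "known"), ("notepad.exe", "known"),
                         ("cracker.exe", "notable")):
        records.append(f"{hashlib.sha1(files[name]).hexdigest()},{name},{status}")
    hash_set = load_hash_set(records)
    with tempfile.TemporaryDirectory() as root:
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return triage(root, hash_set)
```

Only the "unknown" bucket needs an examiner's time; that is the whole value of the filter on a drive with hundreds of thousands of OS and application files. Because matching is by content hash, a renamed file (the earlier header-value slides) still matches its entry, and a file that has been modified by even one byte drops out of "known" into "unknown", which is the correct outcome.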


Always verify your results by performing the same tasks with other similar forensics tools

Use at least two tools

Retrieval and examination

Verification

Understand how forensics tools work

One way to compare results and verify a new tool is by using a disk editor

Such as Hex Workshop or WinHex

Using Validation Protocols (1 of 3)


Disk editors do not have a flashy interface, however they:

Are reliable tools

Can access raw data

Digital Forensics Examination Protocol

Perform the investigation with a GUI tool

Verify your results with a disk editor

Compare hash values obtained with both tools

Using Validation Protocols (2 of 3)


Digital Forensics Tool Upgrade Protocol

Test

New releases

OS patches and upgrades

If you find a problem, report it to forensics tool vendor

Do not use the forensics tool until the problem has been fixed

Use a test hard disk for validation purposes

Check the Web for new editions, updates, patches, and validation tests for your tools

Using Validation Protocols (3 of 3)
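The NIST steps above (category requirements, test assertions, test cases, a test method, reported results) and the advice to keep a test hard disk for validation come together in a known-answer test: build a test image whose contents you know exactly, run the tool, and check its output against the expected answers. This is an added example, not code from the textbook or from the CFTT project. It constructs a raw image with JPEG-like files at known offsets, runs a deliberately simple header/footer carver (illustrative, not a real tool), and checks the carver's output against the expected offsets and hashes; a broken carver is then shown failing the same test. The marker layout of the constructed files is the only JPEG structure assumed.

```python
import hashlib

# Added example (not from the textbook or NIST): a known-answer validation test
# for a carving tool. The carver here is a minimal illustration; the harness
# around it is the point.

JPEG_SOI = b"\xFF\xD8\xFF"   # start-of-image marker prefix
JPEG_EOI = b"\xFF\xD9"       # end-of-image marker


def make_test_jpeg(payload):
    """Constructed JPEG-like blob: SOI, an APP0 marker byte, payload, EOI."""
    return JPEG_SOI + b"\xE0" + payload + JPEG_EOI


def build_test_image(size, placements):
    """Return (image_bytes, expected) where expected is the sorted list of
    (offset, sha256) for each (offset, blob) written into a zero-filled image."""
    img = bytearray(size)
    expected = []
    for offset, blob in placements:
        img[offset:offset + len(blob)] = blob
        expected.append((offset, hashlib.sha256(blob).hexdigest()))
    return bytes(img), sorted(expected)


def carve_jpegs(image):
    """Header/footer carving: from each SOI, take everything up to the next EOI.
    Returns sorted (offset, sha256) pairs for the carved blobs."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        blob = image[start:end + len(JPEG_EOI)]
        found.append((start, hashlib.sha256(blob).hexdigest()))
        pos = end + len(JPEG_EOI)
    return sorted(found)


def validate_carver(carver, image, expected):
    """Test assertions: every expected file is recovered at its offset with an
    identical hash, and nothing extra is reported. Returns (passed, missing, extra)."""
    got = set(carver(image))
    exp = set(expected)
    missing = sorted(exp - got)
    extra = sorted(got - exp)
    return (not missing and not extra), missing, extra


def demo():
    """Run the test against the simple carver and against a broken variant."""
    placements = [
        (512, make_test_jpeg(b"A" * 300)),
        (4096, make_test_jpeg(b"B" * 1000)),
        (9000, make_test_jpeg(b"C" * 50)),
    ]
    image, expected = build_test_image(16384, placements)
    passed, _, _ = validate_carver(carve_jpegs, image, expected)

    def broken_carver(img):  # drops the last file, as a buggy tool might
        return carve_jpegs(img)[:-1]

    passed_broken, missing, _ = validate_carver(broken_carver, image, expected)
    return passed, passed_broken, len(missing)
```

Two practical notes. First, the test image is the thing to keep under version control and re-run after every tool release or OS patch; the expected list is the written test assertion, so results are repeatable and reproducible in the ISO 5725 sense. Second, this carver is only as good as its test cases: add an image with a thumbnail embedded inside a larger JPEG (nested SOI/EOI) or a fragmented file, and a naive header/footer carver fails, which is exactly what a validation test is meant to reveal before the tool is used on real evidence.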


Consult your business plan to get the best hardware and software

Computer forensics tools functions

Acquisition

Validation and verification

Extraction

Reconstruction

Reporting

Maintain a software library in your lab

Summary (1 of 3)


Computer Forensics tools types

Software

Hardware

Forensics software

Command-line

GUI

Forensics hardware

Customized equipment

Commercial options

Include workstations and write-blockers

Summary (2 of 3)


Tools that run in Windows and other GUI environments don’t require the same level of computing expertise as command-line tools

Always run a validation test when upgrading your forensics tools

Summary (3 of 3)
