CHAPTER 4 NOTES
This 11 page One Day of Notes was uploaded by Matt Curtis on Friday, January 30, 2015. The One Day of Notes belongs to IST 454 at Pennsylvania State University, taught by Chao Chu in Spring 2015. Since its upload, it has received 300 views.
Date Created: 01/30/15
Matthew Curtis
30 January 2015
IST 454
CHAPTER 4 NOTES

Understanding Storage Formats for Digital Evidence
- Three formats
  - Raw format
    - Vendors made it possible to write bit-stream data to files
    - Technique creates simple sequential flat files of a suspect drive or data set
    - Advantages
      - Fast data transfers
      - Ability to ignore minor data read errors on the source drive
      - It's a universal acquisition format for most forensic tools
    - Disadvantages
      - Requires as much storage as the original disk or data set
      - Freeware versions have a low threshold of retry reads on weak media spots on a drive
  - Proprietary format
    - Offers several features
      - Option to compress or not compress image files of a suspect drive, thus saving space on the target drive
      - Capability to split an image into smaller segmented files for archiving purposes, such as CDs or DVDs, with data integrity checks integrated into each segment
      - Capability to integrate metadata into the image file: date and time, hash value (self-authentication) of the original disk or medium, investigator or examiner name, and comments or case details
    - Disadvantages
      - Inability to share an image between different vendors' forensic analysis tools
      - File size limitation for each segmented volume
  - Advanced Forensic Format (AFF)
    - Format goals
      - Creating compressed or uncompressed image files
      - No size restriction for disk-to-image files
      - Providing space in the image file or segmented files for metadata
      - Simple design with extensibility
      - Open source for multiple computing platforms and OSs
      - Offer internal consistency checks for self-authentication
    - Advantages
      - Open source
      - Vendors have no implementation restrictions
      - Predicted to become the future format standard

Determining the Best Acquisition Method
- Acquisition types
  - Static acquisitions
    - Done on computers seized during police raids
    - Preferred way to collect digital evidence
  - Live acquisitions
- Four methods
  - Bit-stream disk-to-image file
    - Most common method
    - Offers the most flexibility
    - Can make one or many copies of a suspect drive
    - Allows other forensic tools to read the most common types of disk-to-image files you create
  - Bit-stream disk-to-disk
    - Better used for older drives
    - Can adjust the target's disk geometry to copy data to match the suspect's drive
  - Logical disk-to-disk or disk-to-data file
    - Captures only specific files of interest to the case or specific types of files
    - When your time is limited
  - Sparse data copy of a file or folder
    - Collects fragments of unallocated (deleted) data
    - Use this method ONLY when you don't need to examine the entire drive
    - For large disks
- When making a copy, consider
  - Size of the source disk
    - Lossless compression might be useful
    - Use digital signatures for verification
  - When working with large drives, an alternative is using tape backup systems
  - Whether you can retain the disk

Contingency Planning for Image Acquisitions
- Create a duplicate copy of your disk-to-image file
- Make at least two images of digital evidence
  - Use different tools or techniques
- Copy the host protected area of a disk drive as well
  - Consider using a hardware acquisition tool that can access the drive at the BIOS level
- Be prepared to deal with encrypted drives
  - Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions

Using Acquisition Tools
- Windows acquisition tools
  - Advantages
    - Make acquiring evidence from a suspect drive more convenient
      - Especially when used with hot-swappable devices
  - Disadvantages
    - Must protect acquired data with a well-tested write-blocking hardware device
    - Tools can't acquire data from a disk's host protected area

Windows XP Write-Protection with USB Devices
- USB write-protection feature
  - Blocks any writing to USB devices
  - Target drive needs to be connected to an internal PATA (IDE), SATA, or SCSI controller
- Steps to update the Registry for Windows XP SP2
  - Back up the Registry
  - Modify the Registry with the write-protection feature
  - Create two desktop icons to automate switching between enabling and disabling writes to USB devices

Acquiring Data with a Linux Boot CD
- Linux can access a drive that isn't mounted
- Windows OSs and newer Linux distributions automatically mount and access a drive
- Forensic Linux Live CDs don't access media automatically
  - Which eliminates the need for a write-blocker
- Using Linux Live CD distributions
  - Forensic Linux Live CDs
    - Contain additional utilities
    - Configured not to mount, or to mount as read-only, any connected storage media
    - Well-designed Linux Live CDs for computer forensics: Helix, Penguin Sleuth, FCCU
- Preparing a target drive for acquisition in Linux
  - Linux distributions can create Microsoft FAT and NTFS partition tables
  - The fdisk command lists, creates, deletes, and verifies partitions in Linux
  - The mkfs.msdos command formats a FAT file system from Linux
- Acquiring data with dd in Linux
  - dd ("data dump") command
    - Can read and write from most media devices and data files
    - Creates a raw format file that most computer forensics analysis tools can read
  - Shortcomings of the dd command
    - Requires more advanced skills than the average user has
    - Does not compress data
  - dd command combined with the split command
    - Segments output into separate volumes
- Acquiring data with dcfldd in Linux
  - The dd command is intended as a data management tool
    - Not designed for forensics acquisitions
  - dcfldd lets you
    - Specify hex patterns or text for clearing disk space
    - Log errors to an output file for analysis and review
    - Use several hashing options
    - Refer to a status display indicating the progress of the acquisition in bytes
    - Split data acquisitions into segmented volumes with numeric extensions
    - Verify acquired data against the original disk or media data

Capturing an Image with ProDiscover Basic
- Connecting the suspect's drive to your workstation
  - Document the chain of evidence for the drive
  - Remove the drive from the suspect's computer
  - Configure the suspect drive's jumpers as needed
  - Connect the suspect drive
  - Create a storage folder on the target drive
- Using ProDiscover's proprietary acquisition format
  - Image file will be split into segments of 650 MB
  - Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)
- Using ProDiscover's raw acquisition format
  - Select the UNIX style dd format in the Image Format list box
  - Raw acquisition saves only the image data and hash value
  - Creates a log file (.pds extension) and segmented volume files

Capturing an Image with AccessData FTK Imager
- Included on a licensed copy of AccessData Forensic Toolkit
- Requires using a device (i.e., USB)
- View evidence disks and disk-to-image files
- Can read CD and DVD file systems
- Provides a view of a disk partition or an image file as though it's a mounted partition
- Provides additional panes showing the content of selected files
- Makes disk-to-image copies of evidence drives
  - At logical partition and physical drive level
  - Can segment the image file
- Evidence drive must have a hardware write-blocking device
  - Or the USB write-protection Registry feature enabled
- FTK Imager can't acquire a drive's host protected area
  - If the evidence drive has a host protected area, you MUST use an advanced acquisition tool
- Steps
  - Boot to Windows
  - Connect the evidence disk to a write-blocker
  - Connect the target disk to the write-blocker
  - Start FTK Imager
  - Create Disk Image
    - Use the Physical Drive option

Validating Data Acquisitions
- Most critical aspect of computer forensics
- Integrity of the data collected is the weakest point of digital investigations
- Requires using a hashing algorithm utility for validation
  - Creates a binary or hexadecimal number representing the uniqueness of a data set, file, or disk drive
    - Known as a digital footprint
- Validation techniques
  - CRC-32, MD5, and SHA-1 to SHA-512

Linux Validation Methods
- Validating dd-acquired data
  - You can use the md5sum or sha1sum utilities
  - md5sum or sha1sum should be run on all suspect disks and volumes, or segmented volumes
- Validating dcfldd-acquired data
  - Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
  - The hashlog option outputs hash results to a text file that can be stored with the image files
  - The vf (verify file) option compares the image file to the original medium

Windows Validation Methods
- Windows has no built-in hashing algorithm tools for computer forensics
  - Third-party utilities can be used
- Commercial computer forensics programs also have built-in validation features
  - Each program has its own validation technique
  - Used with acquisition data in its proprietary format
- Raw format image files don't contain metadata
  - Separate manual validation is recommended for all raw acquisitions
  - Essential to the integrity of digital evidence

Performing RAID Data Acquisitions
- Size is the biggest concern
  - Many RAID systems now have terabytes of data
- Understanding RAID
  - Redundant array of independent (formerly inexpensive) disks (RAID)
    - Computer configuration involving two or more disks
    - Originally developed as a data-redundancy measure to minimize data loss caused by disk failure
    - Provided increased storage capabilities
  - RAID 0
    - Provides rapid access and increased storage
    - Lack of redundancy
    - Made up of 2 disks per volume
    - Designed for data recovery
  - RAID 1
    - Designed for data recovery
    - Prevents computer downtime
    - More expensive than RAID 0
  - RAID 2
    - Similar to RAID 1
    - Data is written to a disk on a bit level
    - Has better data integrity checking than RAID 0
      - Error-correcting code (ECC) used to verify whether the write was successful
    - Slower than RAID 0
  - RAID 3
    - Uses data striping and dedicated parity
    - Requires at least 3 disks
    - Similar to RAID 0
  - RAID 4
    - Data is written in blocks
  - RAID 5
    - Similar to RAIDs 0 and 3
    - Places parity recovery data on each disk
      - Parity rebuilds corrupted data automatically when the failed drive is replaced
  - RAID 6
    - Redundant parity on each disk
    - Recovers any two disks that fail, due to the extra parity stored on each disk
  - RAID 10, or mirrored striping
    - Also known as RAID 1+0
    - Combination of RAID 1 and RAID 0
    - Provides fast access and redundancy of data storage
  - RAID 15, or mirrored striping with parity
    - Also known as RAID 1+5
    - Combination of RAID 1 and RAID 5
    - Offers the most robust data recovery and access speed of all RAID configurations
    - More costly
- Acquiring RAID disks
  - Concerns
    - How much data storage is needed
    - What type of RAID is used
    - Do you have the right acquisition tool
    - Can the tool read a forensically copied RAID image
    - Can the tool read split data saves of each RAID disk
  - Older hardware/firmware RAID systems can be a challenge when you're making an image
  - Vendors offering RAID acquisition functions as recovery features
    - Technologies Pathways ProDiscover
    - Guidance Software EnCase
    - X-Ways Forensics
    - Runtime Software
    - R-Tools Technologies
  - Occasionally a RAID system is too large for a static acquisition
    - Goal is to collect a complete image of evidence drives
    - Retrieve only the data relevant to the investigation with the sparse or logical acquisition method

Using Remote Network Acquisition Tools
- You can remotely connect to a suspect computer via a network connection and copy data from it
- Remote acquisition tools vary in configurations and capabilities
- Drawbacks
  - The LAN's data transfer speeds and routing table conflicts could cause problems
  - Gaining the permissions needed to access more secure subnets
  - The remote access program risks being detected by antivirus, antispyware, and firewall tools
  - Heavy traffic could cause delays and errors

Remote Acquisition with ProDiscover
- ProDiscover Investigator
  - Designed to capture data from a suspect's computer while the user is operating it
  - Preview a suspect's drive remotely while it's in use
  - Perform a live acquisition
  - Encrypt the connection
  - Copy the suspect computer's RAM
  - Use the optional stealth mode
- ProDiscover Incident Response
  - Designed to be integrated into a network intrusion analysis tool
  - Capture volatile system state information
  - Analyze currently running processes
  - Locate unseen files and processes
  - Remotely view and listen to IP ports
  - Run hash comparisons
  - Create a hash inventory of all files remotely
- PDServer remote agent
  - ProDiscover utility for remote access
  - Needs to be loaded on the suspect's computer
- PDServer installation modes
  - Trusted CD
    - Creates a special CD containing the PDServer remote agent
    - Used to load PDServer manually on the suspect's computer
  - Preinstallation
    - Enables network security administrators to respond to network attacks and malware contaminations quickly
  - Pushing out and running remotely
    - Helps investigators respond quickly to incidents
    - Data collected in real time
- PDServer can run in a stealth mode
  - Can change its process name to appear as an OS function
- Password protection
  - PDServer on the target computer is password protected
  - Password is always encrypted
- Encryption
  - Communication between PDServer on the suspect's and investigator's computers can be encrypted
- Secure communication protocol
  - All connections have globally unique identifiers (GUIDs)
  - Prevents packet insertion into the data stream
- Write-protected trusted binaries
  - PDServer can run from a write-protected device (i.e., CD)
- Digital signatures
  - PDServer and its removal device driver (PARemoval.sys) are digitally signed to verify they haven't been tampered with before and during the remote connection

Remote Acquisition with EnCase Enterprise
- Remote data acquisition of a computer's media and RAM data
- Integration with intrusion detection system (IDS) tools
- Options to create an image of data from one or more systems
- Preview of systems
- A wide range of file system formats
- RAID support for both hardware and software

Remote Acquisition with R-Tools R-Studio
- The R-Tools suite of software is designed for data recovery
- Remote connection uses Triple Data Encryption Standard (3DES) encryption
- Creates raw format acquisitions
- Supports various file systems

Remote Acquisition with Runtime Software
- Utilities
  - DiskExplorer for FAT
  - DiskExplorer for NTFS
  - HDHOST
    - Remote access program that allows communications between two computers
- Features for acquisition
  - Create a raw format image file
  - Segment the raw format or compressed image
  - Access network computers' drives

Using Other Forensics Acquisition Tools
- SnapBack DatArrest
  - Older forensics acquisition program that runs from a boot floppy disk
  - Can make an image of an evidence drive in 3 ways
    - Disk to SCSI drive, magnetic tape, or Jaz disk
    - Disk to network drive
    - Disk to disk
- NTI SafeBack
  - Creates image files
  - Copies from a suspect drive to an image on a tape drive
  - Copies from a suspect drive to a target drive (disk-to-disk copy), adjusting the target drive's geometry to match the suspect drive
  - Copies from a suspect drive to a target drive by using a parallel port laplink cable
  - Copies a partition to an image file
  - Compresses image files to reduce the number of volume segments
- DIBS USA RAID
  - Developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies
  - Designed to make disk-to-disk images
- ILook Investigator IXimager
  - Can acquire single drives and RAID drives
  - IDIF: a compressed format
  - IRBF: a raw format
  - IEIF: an encrypted format for added security
- Vogon International SDi32
  - Creates a raw format image of a drive
  - A write-blocker is needed when using this tool
  - Password Cracker POD
    - Device that removes the password on a drive's firmware card
- ASRData SMART
  - Linux forensics analysis tool that can make image files of a suspect drive
  - Capabilities
    - Robust data reading of bad sectors on drives
    - Mounting suspect drives in write-protected mode
    - Mounting target drives in read-write mode
    - Optional compression schemes
- Australian Department of Defence PyFlag
  - PyFlag tool
    - Intended as a network forensics analysis tool
    - Can create proprietary format Expert Witness image files
    - Uses sgzip and gzip in Linux
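The dd + split acquisition and the md5sum/sha1sum and dcfldd hashlog/vf validation steps from the Linux sections above, worked through as an added example (my own script, not code from the notes or from any vendor tool). It assumes GNU coreutils (split -d for numeric extensions, sha256sum in place of the md5/sha1 the notes name) and uses a constructed file as the "drive", never a real device.

```shell
#!/bin/sh
# Added example, not from the notes: dd + split acquisition of a constructed
# sample "drive" (a plain file), a hash log covering each segmented volume and
# the whole image, and a verify step in the spirit of md5sum/sha1sum checks and
# dcfldd's hashlog/vf options. Assumes GNU coreutils and sha256sum on PATH.
WORK="$(mktemp -d)"   # scratch directory; remove it when finished

# Constructed sample source: 10 KiB of a repeating text pattern (not a real disk).
make_source() {
    yes "constructed sample drive contents" | head -c 10240 > "$WORK/source.bin"
    printf '%s\n' "$WORK/source.bin"
}

# Bit-stream copy with dd (noerror: keep going past unreadable blocks, sync: pad
# them so offsets stay aligned), then split into 4 KiB volumes image.dd.000,
# image.dd.001, ... as dcfldd does with numeric extensions. Prints segment count.
acquire() {
    dd if="$1" of="$WORK/image.dd" bs=512 conv=noerror,sync 2>/dev/null
    split -b 4096 -a 3 -d "$WORK/image.dd" "$WORK/image.dd."
    rm "$WORK/image.dd"
    set -- "$WORK"/image.dd.*
    echo $#
}

# Hash log kept beside the image files: one sha256sum line per segment, then the
# hash of all segments concatenated in order, which must equal the source's hash.
write_hashlog() {
    log="$WORK/image.hashlog"
    : > "$log"
    for seg in "$WORK"/image.dd.*; do sha256sum "$seg" >> "$log"; done
    cat "$WORK"/image.dd.* | sha256sum | sed 's/-$/image.dd (all segments)/' >> "$log"
    printf '%s\n' "$log"
}

# Verify the acquisition (source path, log path): whole-image hash recorded in
# the log against a fresh hash of the source medium. Prints OK or MISMATCH.
verify() {
    expected="$(tail -n 1 "$2" | cut -d' ' -f1)"
    actual="$(sha256sum "$1" | cut -d' ' -f1)"
    [ "$expected" = "$actual" ] && { echo OK; return 0; }
    echo MISMATCH; return 1
}

# Re-hash each segment against its log line; prints the path of every volume
# that no longer matches (no output means all segments are intact).
bad_segments() {
    grep -v 'all segments' "$1" | while read -r h path; do
        [ "$(sha256sum "$path" | cut -d' ' -f1)" = "$h" ] || printf '%s\n' "$path"
    done
}
```

Call make_source, acquire, write_hashlog and verify in that order; bad_segments on the log afterwards names any volume that has changed since the acquisition, which the per-segment lines make possible and a single whole-image hash would not.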