Remote Forensic Tools --- PDIR and EEE • Tool review - remote forensic preservation and examination tools • Authors: Eoghan Casey, Aaron Stanley • Source: Digital Investigation (2004) Volume 1, 284 - 297 • Professor: Shieh-Jeng, Wang
Remote Forensic Tools --- PDIR and EEE • PDIR (ProDiscover IR 3.5) • EEE (EnCase Enterprise Edition 4.19a) • The main purpose of both tools is to integrate incident response with computer forensics: the examiner previews and acquires evidence from a live remote host instead of seizing it.
Operation Model • Servlet: a piece of software loaded into the memory of the subject computer. • The servlet starts a process that listens for incoming connections from the examiner's workstation.
Installation methods for a stand-alone computer • Login script • System patch • Third-party remote-execution tools: psexec, DameWare, Secure Shell (SSH)
Communication security • PDIR: Thawte (certificate-based). • EEE: SAFE (Secure Authentication for EnCase).
Considerations for a network-based computer • Router access control lists • Internal firewall • Personal firewall • These are barriers that can prevent the examiner from connecting to the servlet and must be checked before an examination. • The EEE servlet must run on port 4445. • The PDIR servlet can use any port.
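A practitioner will want to confirm, before an engagement, that the servlet port is actually reachable through the ACLs and firewalls listed above. The following is an added example (not code from the review or from either vendor): a small TCP probe that distinguishes an open servlet port from a closed one (the servlet is not running) and from a filtered one (a firewall or ACL silently drops the packets). The port constant 4445 comes from the review; the `demo()` run uses a local listener and a local unused port rather than a real remote host.

```python
import socket
import threading

# Port the EEE servlet listens on, per the review. The PDIR servlet can use any port.
EEE_SERVLET_PORT = 4445


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port from the examiner's point of view.

    open       - three-way handshake completed, something is listening
    closed     - host answered with RST (no servlet on that port)
    filtered   - no answer within the timeout (ACL/firewall drop is the usual cause)
    unreachable- other network error (no route, name resolution, ...)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def check_servlets(targets, timeout: float = 2.0) -> dict:
    """targets: iterable of (host, port) pairs; returns {(host, port): state}."""
    return {(h, p): probe_tcp(h, p, timeout) for h, p in targets}


def demo():
    """Self-contained run: one local listener (stands in for a reachable servlet)
    and one local port with nothing bound (stands in for a host without the servlet)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    def serve():
        listener.settimeout(5)
        try:
            while True:
                conn, _ = listener.accept()
                conn.close()
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()

    # Bind-and-release to find a port on which nothing listens.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    results = check_servlets([("127.0.0.1", open_port), ("127.0.0.1", closed_port)])
    listener.close()
    return results[("127.0.0.1", open_port)], results[("127.0.0.1", closed_port)]


if __name__ == "__main__":
    print(demo())
    # Against real hosts: check_servlets([("10.0.0.5", EEE_SERVLET_PORT)])
```

A "filtered" result is the one to chase with the network team: a "closed" result means the packets got through and the servlet simply is not running on that host.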
Functionalities (A) • Memory inspection: Snapshot module • Storage media examination: physical disks, logical volumes, RAM disks (e.g. a mounted PGP disk; EEE only) • Mounted network drives are not detected by either tool.
Functionalities (B) • Keyword search • MD5 hash comparison • EEE can combine file listings from multiple systems (PDIR connects to one remote host at a time). • Both PDIR and EEE can acquire the entire contents of a hard drive or partition on a remote host.
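Keyword search and MD5 hash comparison are the two examination steps above that are easy to show in code. The following is an added example, not code from the review or from either tool: it hashes every file under an evidence root, splits the listing into files matching a known-hash set and files that do not, and runs a case-insensitive keyword search over file contents. The evidence tree, the known-hash set and the keywords are all constructed inline so the example runs offline. One caveat the review's 2004 date does not cover: MD5 is fine for identifying known files, but collisions can be manufactured, so a reference set used to exclude files should carry a second hash (SHA-256) as well.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample evidence tree standing in for files enumerated on a remote host.
SAMPLE_FILES = {
    "Windows/notepad.exe": b"MZ\x90\x00 constructed stand-in for a known OS binary",
    "Users/alice/notes.txt": b"Meeting about the Project Phoenix budget\n",
    "Users/alice/secret.db": b"\x00\x01 card 4111-1111-1111-1111 on file \x02",
}

# Constructed known-hash set (MD5 -> label), as a reference set of known-good files would hold.
KNOWN_HASHES = {
    hashlib.md5(SAMPLE_FILES["Windows/notepad.exe"]).hexdigest(): "notepad.exe (known-good)",
}

KEYWORDS = ["phoenix", "4111-1111"]


def md5_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through MD5 in 1 MiB chunks so large images do not load into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Return {relative POSIX path: MD5} for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): md5_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_hashes(hashes: dict, known: dict):
    """Split a hash listing into (matched: {path: label}, unmatched: [paths]).

    Matched files can be set aside; unmatched files are what the examiner reviews."""
    matched = {rel: known[h] for rel, h in hashes.items() if h in known}
    unmatched = sorted(rel for rel, h in hashes.items() if h not in known)
    return matched, unmatched


def keyword_search(root: Path, keywords) -> dict:
    """Case-insensitive byte search over every file; returns {path: [keywords found]}."""
    needles = [k.lower().encode() for k in keywords]
    hits = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes().lower()
        found = [k for k, n in zip(keywords, needles) if n in data]
        if found:
            hits[p.relative_to(root).as_posix()] = found
    return hits


def build_sample_tree(root: Path) -> None:
    """Write the constructed SAMPLE_FILES under root."""
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo() -> dict:
    """Hash, compare and search the constructed tree; returns the three results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        matched, unmatched = compare_hashes(hash_tree(root), KNOWN_HASHES)
        hits = keyword_search(root, KEYWORDS)
    return {"matched": matched, "unmatched": unmatched, "hits": hits}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Keyword search on raw bytes only finds strings stored in the same encoding as the keyword; UTF-16 text (common in Windows artifacts) needs the keyword encoded as UTF-16 as well.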
Security • PDIR uses Globally Unique Identifiers (GUIDs) to restrict a servlet to one client and to prevent tampering with the network communication. • EEE uses a dedicated system, the SAFE, to manage security. • The SAFE protocol uses a combination of public, private and session keys to ensure that all connections to the remote servlets are authorized and encrypted.
Performance • In previewing mode, PDIR uses an average of 340 kb/s of network bandwidth, whereas EEE uses 50 kb/s. • In acquisition mode, PDIR uses an average of 5.5 MB/s of network bandwidth, whereas EEE uses 3.5 MB/s.
Conclusion • PDIR is designed for examining a small number of systems. • EEE is designed to integrate with an enterprise security architecture and to examine a large number of systems simultaneously.