1 / 115

COS/PSA 413

COS/PSA 413. Day 5. Agenda. Questions? Assignment 1 Corrected 3 A’s, 5 B’s & 1 C Answers on next slide Assignment 2 Due Assignment 3 posted Quiz 1 on September 26 Chaps 1-5, Open book, Open notes 20 M/C and 5 essays Lab 2 Write-ups due September 24 @ 3:35

madeline
Download Presentation

COS/PSA 413

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COS/PSA 413 Day 5

  2. Agenda • Questions? • Assignment 1 Corrected • 3 A’s, 5 B’s & 1 C • Answers on next slide • Assignment 2 Due • Assignment 3 posted • Quiz 1 on September 26 • Chaps 1-5, Open book, Open notes • 20 M/C and 5 essays • Lab 2 • Write-ups due September 24 @ 3:35 • Finish Discussion on Data Acquisition and begin discussion on Processing Crime and incident Scenes

  3. Assignment 1 • 1-2 • Two maine statues • Title 17-A subsections 432 & 433 • There are more but these are the original -> 1989 • http://janus.state.me.us/legis/statutes/17-A/title17-Ach0sec0.html • Cases • Maine public broadcasting hack • 1-3 • Illegla Downloading (yes) and bandwidth (No) Guide to Computer Forensics and Investigations

  4. Guide to Computer Forensicsand InvestigationsThird Edition Chapter 4 Data Acquisition

  5. Validating Data Acquisitions • Most critical aspect of computer forensics • Requires using a hashing algorithm utility • Validation techniques • CRC-32, MD5, and SHA-1 to SHA-512 Guide to Computer Forensics and Investigations

  6. Linux Validation Methods • Validating dd acquired data • You can use md5sum or sha1sum utilities • md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes • Validating dcfldd acquired data • Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512 • hashlog option outputs hash results to a text file that can be stored with the image files • vf (verify file) option compares the image file to the original medium Guide to Computer Forensics and Investigations

  7. Windows Validation Methods • Windows has no built-in hashing algorithm tools for computer forensics • Third-party utilities can be used • Commercial computer forensics programs also have built-in validation features • Each program has its own validation technique • Raw format image files don’t contain metadata • Separate manual validation is recommended for all raw acquisitions Guide to Computer Forensics and Investigations

  8. Performing RAID Data Acquisitions • Size is the biggest concern • Many RAID systems now have terabytes of data Guide to Computer Forensics and Investigations

  9. Understanding RAID • Redundant array of independent (formerly “inexpensive”) disks (RAID) • Computer configuration involving two or more disks • Originally developed as a data-redundancy measure • RAID 0 • Provides rapid access and increased storage • Lack of redundancy • RAID 1 • Designed for data recovery • More expensive than RAID 0 Guide to Computer Forensics and Investigations

  10. Understanding RAID (continued) • RAID 2 • Similar to RAID 1 • Data is written to a disk on a bit level • Has better data integrity checking than RAID 0 • Slower than RAID 0 • RAID 3 • Uses data stripping and dedicated parity • RAID 4 • Data is written in blocks Guide to Computer Forensics and Investigations

  11. Understanding RAID (continued) Guide to Computer Forensics and Investigations

  12. Understanding RAID (continued) Guide to Computer Forensics and Investigations

  13. Understanding RAID (continued) Guide to Computer Forensics and Investigations

  14. Understanding RAID (continued) • RAID 5 • Similar to RAIDs 0 and 3 • Places parity recovery data on each disk • RAID 6 • Redundant parity on each disk • RAID 10, or mirrored striping • Also known as RAID 1+0 • Combination of RAID 1 and RAID 0 Guide to Computer Forensics and Investigations

  15. Understanding RAID (continued) Guide to Computer Forensics and Investigations

  16. Acquiring RAID Disks • Concerns • How much data storage is needed? • What type of RAID is used? • Do you have the right acquisition tool? • Can the tool read a forensically copied RAID image? • Can the tool read split data saves of each RAID disk? • Older hardware-firmware RAID systems can be a challenge when you’re making an image Guide to Computer Forensics and Investigations

  17. Acquiring RAID Disks (continued) • Vendors offering RAID acquisition functions • Technologies Pathways ProDiscover • Guidance Software EnCase • X-Ways Forensics • Runtime Software • R-Tools Technologies • Occasionally, a RAID system is too large for a static acquisition • Retrieve only the data relevant to the investigation with the sparse or logical acquisition method Guide to Computer Forensics and Investigations

  18. Using Remote Network Acquisition Tools • You can remotely connect to a suspect computer via a network connection and copy data from it • Remote acquisition tools vary in configurations and capabilities • Drawbacks • LAN’s data transfer speeds and routing table conflicts could cause problems • Gaining the permissions needed to access more secure subnets • Heavy traffic could cause delays and errors Guide to Computer Forensics and Investigations

  19. Remote Acquisition with ProDiscover • With ProDiscover Investigator you can: • Preview a suspect’s drive remotely while it’s in use • Perform a live acquisition • Encrypt the connection • Copy the suspect computer’s RAM • Use the optional stealth mode • ProDiscover Incident Response additional functions • Capture volatile system state information • Analyze current running processes Guide to Computer Forensics and Investigations

  20. Remote Acquisition with ProDiscover (continued) • ProDiscover Incident Response additional functions (continued) • Locate unseen files and processes • Remotely view and listen to IP ports • Run hash comparisons • Create a hash inventory of all files remotely • PDServer remote agent • ProDiscover utility for remote access • Needs to be loaded on the suspect Guide to Computer Forensics and Investigations

  21. Remote Acquisition with ProDiscover (continued) • PDServer installation modes • Trusted CD • Preinstallation • Pushing out and running remotely • PDServer can run in a stealth mode • Can change process name to appear as OS function Guide to Computer Forensics and Investigations

  22. Remote Acquisition with ProDiscover (continued) • Remote connection security features • Password Protection • Encryption • Secure Communication Protocol • Write Protected Trusted Binaries • Digital Signatures Guide to Computer Forensics and Investigations

  23. Remote Acquisition with EnCase Enterprise • Remote acquisition features • Remote data acquisition of a computer’s media and RAM data • Integration with intrusion detection system (IDS) tools • Options to create an image of data from one or more systems • Preview of systems • A wide range of file system formats • RAID support for both hardware and software Guide to Computer Forensics and Investigations

  24. Remote Acquisition with R-Tools R-Studio • R-Tools suite of software is designed for data recovery • Remote connection uses Triple Data Encryption Standard (3DES) encryption • Creates raw format acquisitions • Supports various file systems Guide to Computer Forensics and Investigations

  25. Remote Acquisition with Runtime Software • Utilities • DiskExplorer for FAT • DiskExplorer for NTFS • HDHOST • Features for acquisition • Create a raw format image file • Segment the raw format or compressed image • Access network computers’ drives Guide to Computer Forensics and Investigations

  26. Using Other Forensics-Acquisition Tools • Tools • SnapBack DatArrest • SafeBack • DIBS USA RAID • ILook Investigator IXimager • Vogon International SDi32 • ASRData SMART • Australian Department of Defence PyFlag Guide to Computer Forensics and Investigations

  27. SnapBack DatArrest • Columbia Data Products • Old MS-DOS tool • Can make an image on three ways • Disk to SCSI drive • Disk to network drive • Disk to disk • Fits on a forensic boot floppy • SnapCopy adjusts disk geometry Guide to Computer Forensics and Investigations

  28. NTI SafeBack • Reliable MS-DOS tool • Small enough to fit on a forensic boot floppy • Performs an SHA-256 calculation per sector copied • Creates a log file Guide to Computer Forensics and Investigations

  29. NTI SafeBack (continued) • Functions • Disk-to-image copy (image can be on tape) • Disk-to-disk copy (adjusts target geometry) • Parallel port laplink can be used • Copies a partition to an image file • Compresses image files Guide to Computer Forensics and Investigations

  30. DIBS USA RAID • Rapid Action Imaging Device (RAID) • Makes forensically sound disk copies • Portable computer system designed to make disk-to-disk images • Copied disk can then be attached to a write-blocker device Guide to Computer Forensics and Investigations

  31. ILook Investigator IXimager • Iximager • Runs from a bootable floppy or CD • Designed to work only with ILook Investigator • Can acquire single drives and RAID drives Guide to Computer Forensics and Investigations

  32. Vogon International SDi32 • Creates a raw format image of a drive • Write-blocker is needed when using this tool • Password Cracker POD • Device that removes the password on a drive’s firmware card Guide to Computer Forensics and Investigations

  33. ASRData SMART • Linux forensics analysis tool that can make image files of a suspect drive • Capabilities • Robust data reading of bad sectors on drives • Mounting suspect drives in write-protected mode • Mounting target drives in read/write mode • Optional compression schemes Guide to Computer Forensics and Investigations

  34. Australian Department of Defence PyFlag • PyFlag tool • Intended as a network forensics analysis tool • Can create proprietary format Expert Witness image files • Uses sgzip and gzip in Linux Guide to Computer Forensics and Investigations

  35. Summary • Data acquisition methods • Disk-to-image file • Disk-to-disk copy • Logical disk-to-disk or disk-to-data file • Sparse data copy • Several tools available • Lossless compression is acceptable • Plan your digital evidence contingencies • Write-blocking devices or utilities must be used with GUI acquisition tools Guide to Computer Forensics and Investigations

  36. Summary (continued) • Always validate acquisition • A Linux Live CD, such as Helix, provides many useful tools for computer forensics acquisitions • Preferred Linux acquisition tool is dcfldd (not dd) • Use a physical write-blocker device for acquisitions • To acquire RAID disks, determine the type of RAID • And then which acquisition tool to use Guide to Computer Forensics and Investigations

  37. Guide to Computer Forensicsand InvestigationsThird Edition Chapter 5 Processing Crime and Incident Scenes

  38. Objectives • Explain the rules for digital evidence • Describe how to collect evidence at private-sector incident scenes • Explain guidelines for processing law enforcement crime scenes • List the steps in preparing for an evidence search • Describe how to secure a computer incident or crime scene Guide to Computer Forensics and Investigations

  39. Objectives (continued) • Explain guidelines for seizing digital evidence at the scene • List procedures for storing digital evidence • Explain how to obtain a digital hash • Review a case to identify requirements and plan your investigation Guide to Computer Forensics and Investigations

  40. Identifying Digital Evidence • Digital evidence • Can be any information stored or transmitted in digital form • U.S. courts accept digital evidence as physical evidence • Digital data is a tangible object • Some require that all digital evidence be printed out to be presented in court Guide to Computer Forensics and Investigations

  41. Identifying Digital Evidence (continued) • General tasks investigators perform when working with digital evidence: • Identify digital information or artifacts that can be used as evidence • Collect, preserve, and document evidence • Analyze, identify, and organize evidence • Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably • Collecting computers and processing a criminal or incident scene must be done systematically Guide to Computer Forensics and Investigations

  42. Understanding Rules of Evidence • Consistent practices help verify your work and enhance your credibility • Comply with your state’s rules of evidence or with the Federal Rules of Evidence • Evidence admitted in a criminal case can be used in a civil suit, and vice versa • Keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence Guide to Computer Forensics and Investigations

  43. Understanding Rules of Evidence (continued) • Data you discover from a forensic examination falls under your state’s rules of evidence • Or the Federal Rules of Evidence • Digital evidence is unlike other physical evidence because it can be changed more easily • The only way to detect these changes is to compare the original data with a duplicate • Most federal courts have interpreted computer records as hearsay evidence • Hearsay is secondhand or indirect evidence Guide to Computer Forensics and Investigations

  44. Understanding Rules of Evidence (continued) • Business-record exception • Allows “records of regularly conducted activity,” such as business memos, reports, records, or data compilations • Generally, computer records are considered admissible if they qualify as a business record • Computer records are usually divided into: • Computer-generated records • Computer-stored records Guide to Computer Forensics and Investigations

  45. Understanding Rules of Evidence (continued) • Computer records must be shown to be authentic and trustworthy • To be admitted into court • Computer-generated records are considered authentic • If the program that created the output is functioning correctly • Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic Guide to Computer Forensics and Investigations

  46. Understanding Rules of Evidence (continued) • When attorneys challenge digital evidence • Often they raise the issue of whether computer-generated records were altered • Or damaged after they were created • One test to prove that computer-stored records are authentic is to demonstrate that a specific person created the records • The author of a Microsoft Word document can be identified by using file metadata Guide to Computer Forensics and Investigations

  47. Guide to Computer Forensics and Investigations

  48. Guide to Computer Forensics and Investigations

  49. Understanding Rules of Evidence (continued) • The process of establishing digital evidence’s trustworthiness originated with written documents and the best evidence rule • Best evidence rule states: • To prove the content of a written document, recording, or photograph, ordinarily the original writing, recording, or photograph is required • Federal Rules of Evidence • Allow a duplicate instead of originals when it is produced by the same impression as the original Guide to Computer Forensics and Investigations

  50. Understanding Rules of Evidence (continued) • As long as bit-stream copies of data are created and maintained properly • The copies can be admitted in court, although they aren’t considered best evidence Guide to Computer Forensics and Investigations

More Related