Intro to Cyber Crime and Computer Forensics CS 4273/6273 October 5, 2005


Presentation Transcript


  1. Intro to Cyber Crime and Computer Forensics CS 4273/6273 October 5, 2005 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  2. Introduction to the EnCase Investigative Software MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  3. EnCase
  • Guidance Software
  • Pasadena, California
  • Resources include:
    • Software
    • Message Board
    • Web Site Update Section
    • EnCase Legal Journal
  • First developed 1998

  4. Windows Based Forensics
  • Forensic data acquisition and analysis
  • Based on the specifications of the law enforcement community
  • Provides a mechanism for conducting and documenting searches of computer hardware
  • Completely non-invasive

  5. Limitations of Earlier Technology
  • Before EnCase…
  • Separate programs had to be used to image, store, and verify the integrity of data.
  • Manual journals had to be kept to list hash values and all notes about the investigation.
  • This sometimes required days of lab time.

  6. The New Legal Standard
  • Courts in the U.S. provide a presumption of authenticity to computer evidence processed or generated by software or systems shown to be standard within the industry.
  • EnCase is one of the de facto standard tools in the community.
  • Used by over 500 law enforcement agencies around the country.
  • Also used by many private agency investigators.

  7. Features of EnCase 3.0
  • Reads any IDE or SCSI hard drive or CD-ROM and saves an exact image to disk.
  • Uses CRC and MD5 hashes.
  • Password protection of evidence.
  • View the entire drive image, including hidden and free space.
  • Search the image for keywords.
  • View files with the changing state of the file.
  • Treats the hard drive as a flat array of sectors; no discussion of heads, cylinders and sectors.

  8. Continued…
  • Analyze file and folder structure on all media using:
    • FAT-12 Floppies
    • FAT-16 Windows 95
    • FAT-32 Windows 98
    • NTFS Windows NT, 2000, XP
    • HFS, HFS+
    • CD Compact Disks
    • EXT2 Linux
    • UFS Unix

  9. Continued…
  • Combine any number of Evidence Files to create a Case.
  • Through a single examination, view, search and sort evidence in all files within the case.
  • Records all evidence searches and bookmarks on a typeset report.

  10. Continued…
  • Analyze and authenticate file signatures.
  • Allows the investigator to build and use Hash Libraries to identify known files.
  • Has a built-in gallery view that enables rapid isolation and bookmarking of suspect graphic files.
  • Has a macro language that allows complex tasks to be automated.

  11. Continued…
  • Provides the ability to acquire and preview over network cable.
  • Built-in viewers for:
    • Registry files
    • Zip files
    • DBX files (Outlook Express)
  • Acquires Palm PDAs and RAIDs (Redundant Array of Inexpensive Disks)

  12. Evidence Files
  • Central component of the EnCase methodology
  • Consists of:
    • Header
    • Checksum and data blocks
    • MD5 block
  (Diagram labels: Case Info, 64 sectors of data, CRC, MD5)

  13. Image Verification
  • Compute a CRC for each sector block in the evidence file, and use that to verify that each block has not changed. Any deviations are noted in the Case File.
  • Automatic background process that happens every time another evidence file is added to the case.
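The verification idea from slides 12 and 13 (a CRC over each 64-sector data block plus an MD5 over the whole image), worked as an added example. This is a simplified container modelled on the slide's labels, written for this page; it is not the real EnCase evidence-file format, and the case-info string and 200-sector image are constructed.

```python
import hashlib
import struct
import zlib

SECTOR = 512
BLOCK_SECTORS = 64                      # the slide's "64 sectors of data" per CRC block
CASE_INFO = "Case 2005-10-05 / drive 0"  # constructed header text, stands in for "Case Info"

def build_evidence(image: bytes, case_info: str) -> bytes:
    # Layout: [header len][header] then per block [len][data][CRC32], then MD5 of the image
    header = case_info.encode()
    out = bytearray(struct.pack("<I", len(header)) + header)
    blk = SECTOR * BLOCK_SECTORS
    for i in range(0, len(image), blk):
        chunk = image[i:i + blk]
        out += struct.pack("<I", len(chunk)) + chunk + struct.pack("<I", zlib.crc32(chunk))
    out += hashlib.md5(image).digest()  # whole-image MD5 closes the file
    return bytes(out)

def verify_evidence(ev: bytes) -> dict:
    # Recompute every block CRC and the trailing MD5; report which blocks deviate
    hlen, = struct.unpack_from("<I", ev, 0)
    pos, end = 4 + hlen, len(ev) - 16
    data, bad, idx = bytearray(), [], 0
    while pos < end:
        clen, = struct.unpack_from("<I", ev, pos)
        chunk = ev[pos + 4:pos + 4 + clen]
        stored, = struct.unpack_from("<I", ev, pos + 4 + clen)
        if zlib.crc32(chunk) != stored:
            bad.append(idx)          # this block no longer matches what was acquired
        data += chunk
        pos, idx = pos + 8 + clen, idx + 1
    return {"case_info": ev[4:4 + hlen].decode(),
            "bad_blocks": bad,
            "md5_ok": hashlib.md5(bytes(data)).digest() == ev[end:]}

def demo() -> dict:
    # Constructed 200-sector image: three full 64-sector blocks plus an 8-sector tail block
    image = bytes(range(256)) * (SECTOR * 200 // 256)
    ev = build_evidence(image, CASE_INFO)
    clean = verify_evidence(ev)
    # Flip one byte in sector 100, which lives in block 1 (sectors 64..127):
    # skip header, all of block 0, and block 1's length field
    off = 4 + len(CASE_INFO) + (4 + SECTOR * BLOCK_SECTORS + 4) + 4 + (100 - 64) * SECTOR
    tampered = bytearray(ev)
    tampered[off] ^= 0xFF
    return {"clean": clean, "tampered": verify_evidence(bytes(tampered))}
```

The per-block CRC localises the change to block 1 while the MD5 only says that the image as a whole no longer matches.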

  14. EnCase for DOS
  • Used for imaging subject computers.
  • Insert the boot disk in the subject machine and turn it on.
  • Boot to the DOS prompt and type en.
  • A DOS interface will appear that shows physical drives on the left and logical drives on the right.
  • Imaging can now be done through a network cable or laplink cable.

  15. Previewing
  • Similar to acquiring but much faster.
  • Allows the investigator to view the data as if it was acquired, but with no record keeping.
  • Primarily used for deciding whether to pursue a full investigation.
  • Not possible to preview safely: the hard drive will change due to swap file activity.
  • Never investigate a previewed drive.

  16. Acquisitions
  • Parallel Port Cable Acquisitions
    • Windows
    • DOS
  • Network Cable Acquisitions
    • Using the provided "cross-over" network cable.
  • "Drive to Drive" in DOS
    • Subject and target drives both connected to the same motherboard.

  17. Continued…
  • Acquiring RAIDs: DOS mode
    • Hardware: array controlled by the RAID controller card.
    • Software: array controlled by the operating system.
  • Acquiring PDAs: Windows mode
    • Palms supported: III, V, VII, M100, M105, Handspring (Neo, Prism, Edge, Pro)

  18. Continued…
  • Acquiring Zip disks: DOS
  • Acquiring Jaz disks: DOS
  • Acquiring floppy disks: DOS or Windows
  • Other media, as long as driver software is available.

  19. Investigating with EnCase
  • Acquire each subject drive and place it in an individual evidence file.
  • Create a new Case File.
  • Add evidence files into the case one at a time.
  • Can also use raw image files like those created by other utilities.
  • Recover folders using the "recover folders" command.
  • Run Signature Analysis by doing a search.
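Two of the analysis steps named on slides 10 and 19, signature analysis and hash-library lookup, as an added example written for this page (not EnCase code). The signature table, the sample files and the hash library are all constructed; a real examination would use a much larger signature set and a vetted hash set.

```python
import hashlib

# Constructed table of well-known header bytes -> extensions that normally carry them
SIGNATURES = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"GIF87a": {"gif"},
    b"GIF89a": {"gif"},
    b"PK\x03\x04": {"zip", "docx", "xlsx"},
    b"%PDF-": {"pdf"},
}

def signature_analysis(name: str, data: bytes) -> str:
    # Compare the file's leading bytes with its extension.
    # 'mismatch' is the interesting case: the content is a known type but the name says otherwise
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return "match" if ext in exts else "mismatch"
    return "unknown"

def hash_lookup(data: bytes, library: dict) -> str:
    # Look the file's MD5 up in a hash library: known-good files can be set aside,
    # known-bad files flagged, everything else still needs a look
    return library.get(hashlib.md5(data).hexdigest(), "unknown")

def triage(files: dict, library: dict) -> dict:
    return {n: (signature_analysis(n, d), hash_lookup(d, library)) for n, d in files.items()}

# Constructed sample files; the bodies are synthetic filler after a real header
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FILES = {
    "photo.jpg": JPEG,
    "notes.txt": JPEG,  # a JPEG renamed with a .txt extension
    "readme.txt": b"plain text, no known signature",
    "logo.png": PNG,
}
# Constructed hash library with one entry; in practice this comes from a vetted reference set
LIBRARY = {hashlib.md5(PNG).hexdigest(): "known-good"}
```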

  20. EnCase Message Board
  • http://www.EnCase.com
  • Exchange ideas
  • Ask questions
  • Provide answers
  • Discussions of all kinds
  • Requires a username and password to prevent criminal access.
