Lecture 5 Applying Process to Computer Forensics Winter 2010 CSCD496 Computer Forensics
Introduction • Look at digital data acquisition • Just what is called static acquisition for now • Disk and other storage media • Live acquisition is another technique • And includes capturing RAM and any other volatile data from a live machine
Static Acquisition • Process of copying data from a powered-off system or from seized storage media • Goal of Static Acquisition • Preserve the data and establish its integrity • Leave no question about the validity of the data, so it can be used as evidence in court
Formats for Acquisition • Forensic copying software writes its images in one of three kinds of format • Raw format, as produced by the Linux dd tool • Bit-by-bit copy of the media, written as a sequential flat file of the suspect drive • Also readable by most commercial tools • Proprietary format • Most commercial tools produce their own format • One of them (EnCase's Expert Witness format) is supported by many tools and is the closest thing to a standard • Open source format (AFF) • Free, and available with most Linux distributions
Advantages or Disadvantages • Advantages of Raw • Fast transfer, important for large disk copies • Can skip over minor read errors on the source drive and keep copying • Universal format, most tools can read it • Disadvantages of Raw • Requires as much storage space as the original disk (no compression) • Some tools, mostly freeware, may not collect marginal (bad) sectors on the source drive, so those sectors are silently missing from the image • Commercial tools make more effort to collect all data
Advantages or Disadvantages • Advantages of Proprietary Format • Offer features not available with Raw • Compressed image, saves space • Can flexibly split the image into smaller files to fit onto other media • Can integrate metadata into the image: hash value of the original disk, date and time of the copy, examiner notes • Disadvantages of Proprietary Format • The image usually can't be read by another vendor's analysis tools, so sharing it means converting it (and risking loss of that embedded metadata)
Advantages or Disadvantages • Example Proprietary Format • ILook IXimager produces three proprietary formats • IDIF, IRBF and IEIT • Can copy to raw format for use by other tools • ILook is only available to law enforcement agencies http://www.perlustro.com/
Standard Formats • EnCase's format, Expert Witness (the .E01 file) • Closest to a standard, but still a vendor format rather than an open specification • Recognized by other commercial tools • X-Ways Forensics, AccessData Forensic Toolkit (FTK), and SMART can generate generic versions of the Expert Witness format • Can be compressed or uncompressed http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm
Standard Formats • Another proposed open source acquisition format • Advanced Forensic Format (AFF) • AFF is a newer format proposed by Dr. Simson Garfinkel, a forensics researcher • The expectation is that AFF will become the standard of the future for acquisition of data • Both The Sleuth Kit and Autopsy support the AFF image format http://www.afflib.org/
AFF Format • An open standard lets investigators use their preferred tools to solve crimes and gather intelligence • Proprietary file formats mean you will convert from one format to another to use multiple tools • Converting between formats risks data corruption if the formats are not well understood • Metadata may be lost if the formats do not all support the same kinds of metadata • Read more about the AFF format http://www.forensicswiki.org/wiki/AFF
Techniques of Acquisition • Several ways to do static acquisition • Typically done on computer or digital media seized as evidence • Most Common • Disk-to-image file • Provides greatest flexibility • Bit-by-bit copy of original drive • Can use a variety of tools to read and analyze data
Techniques of Acquisition • Another Method • Disk-to-disk copy • Copying data from one drive directly onto another drive • Circumstances when you might have to do that • Older drive with hardware or software errors that an image file cannot capture properly • Some tools can adjust the target disk's geometry to match the original suspect drive • Done so the exact layout of the original disk is preserved • SafeBack and SnapCopy are two tools that run in an MS-DOS window and do a disk-to-disk copy • EnCase also does this type of data acquisition
Linux vs. Windows • Do you think it matters which OS you use to analyze the disk or data? • Yes. • Windows can contaminate your evidence drive! It automatically mounts an attached drive read-write and may write to it on its own before you do anything • Must protect the drive with a write-blocking device • Hardware write blockers are inserted between the suspect disk and the computer used to analyze and copy the data • More about these in a later chapter
Linux vs. Windows • Windows XP Write-Blocking Feature • Since Service Pack 2 • Feature added to XP to turn off writing to USB storage devices • Must edit the registry to do this (the WriteProtect value under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, set to 1); the book has step-by-step instructions in Chapter 4 • Connect the suspect drive through a USB external enclosure after you turn off write permission for USB storage devices • Windows will then refuse to write to the device • Make a copy of the data • Caveat: this is a software block that covers only USB mass storage; it does nothing for a drive attached directly to an IDE/SATA controller, and a hardware write blocker remains the stronger control
Linux Live Boot CD • Linux can access a drive through its device node without mounting it, which means it can't be read or written through the filesystem in the usual way, but an imaging tool can still read the raw device • However, newer Linux desktop distributions automatically mount connected drives and allow access to them • Can allow alteration of data (mounting read-write, or even replaying a filesystem journal, changes the disk) • Answer: a forensic Linux Live Boot CD
Linux Live Boot CD • CAINE Live CD • http://www.caine-live.net/ • Knoppix • http://www.knoppix-std.org/download.html • F.I.R.E. • http://fire.dmzs.com/ • Penguin Sleuth • http://www.linux-forensics.com/ • DeftLinux • http://www.deftlinux.net/
Live CDs for Data Acquisition • Forensic Live CDs • Advantages • Have a number of forensic tools in one distribution • Configured by default not to auto-mount, or to mount read-only, any connected storage media (unlike general-purpose distributions) • Can then access and examine media connected to the suspect machine without writing to it • We will be exploring Live CDs in more detail later
Validating Data Acquisitions • Do whatever you can to validate the evidence and prove it wasn't altered • Typically accepted technique – a cryptographic hash of the data • Linux • Two common hash utilities, md5sum and sha1sum (sha256sum ships in the same coreutils package; MD5 and SHA-1 both have known collision attacks, so record a SHA-256 hash as well) • Take hash of original drive – save it • Take hash of copied image file – save it • Compare them – Do they match? If not, the image is not a faithful copy and must be redone
Validating Data Acquisitions • Windows • Sigh ... No built-in hash utilities in XP (later Windows versions ship certutil -hashfile and PowerShell's Get-FileHash) • Third-party hex editors • X-Ways WinHex http://www.x-ways.net/winhex/index-m.html • Breakpoint Software Hex Workshop http://www.bpsoft.com/ • Produce hashes of files • Commercial Tools • Use built-in hash capabilities • ProDiscover .eve file – stores metadata with the image • Date, time and hash value of the original media • Each time you load the image, ProDiscover recomputes and checks the hash value • Ensures it matches the saved hash of the original media
Protocol of Images • Strongly recommended • Make 2 verified copies of your media and work from one of them, never from the original • Why? • Stuff happens to images (drive failures, accidental modification) • You don't want to be caught without another image • Lose the only image and you lose the evidence, and with it the case
Linux dd Command • dd • Oldest imaging tool still in use • Although it is functional and requires only minimal resources to run, it lacks some useful features found in more modern imagers: • Metadata gathering • Error handling beyond skipping and zero-padding unreadable blocks (conv=noerror,sync) • Piecewise hashing • User-friendly interface and progress reporting • Standard on Linux and Mac; ported to Windows
Newer Version of dd • dcfldd is an enhanced version of dd developed at the U.S. Department of Defense Computer Forensics Lab • Useful features for forensic investigators, such as: • On-the-fly hashing of the data as it is copied (MD5, SHA-1, SHA-256 and others), optionally per chunk (piecewise hashing) • Progress indicator showing how much data has already been copied • Verification that the image is identical to the original drive, bit for bit • Output can be split into multiple files • Logs and data can be piped into external applications
Example Using dd • Example: Preserve an image of a floppy
md5sum /dev/fd0 > /tmp/original-md5
• Why? (Record the hash of the original before copying, so the image can be checked against it)
• Use the dd command
dd if=/dev/fd0 of=/tmp/disk.img bs=1k
• What should I do next? (Hash the image and compare it with the hash of the original)
md5sum /tmp/disk.img > /tmp/img-md5
cat /tmp/*md5
• Am I finished here? (Only if the two hashes match; keep both hash files with the case notes)
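The floppy example above, generalized into a reusable script for the validation steps described on the earlier slides (hash before, copy, hash after, re-check on every load) plus the piecewise hashing that dcfldd offers. This is an added example, not code from the lecture or the textbook. It uses only dd and sha256sum from coreutils; the device path, image and log file names in the usage comment, and the constructed 1 MiB sample used as the "media" when testing it, are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the lecture): static acquisition with plain coreutils,
# hash-before / copy / hash-after, plus piecewise hashes and later re-verification.
# Device, image and log paths below are illustrative assumptions.
#   Usage:  . ./acquire.sh
#           acquire /dev/sdb /evidence/sdb.img /evidence/sdb.log
#           piecewise_hashes /evidence/sdb.img 1048576 > /evidence/sdb.pieces
#           verify_image /evidence/sdb.img /evidence/sdb.log

# hash_of FILE: print the SHA-256 digest of FILE (md5sum/sha1sum work the same way,
# but both MD5 and SHA-1 have known collision attacks, so record SHA-256 too).
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire SRC IMG LOG: hash SRC, copy it to IMG with dd, hash IMG, log both.
# Returns 0 only if the two hashes match; dd's own record counts land in LOG.
acquire() {
    src=$1; img=$2; log=$3
    echo "source: $src" > "$log"
    date -u '+start: %Y-%m-%dT%H:%M:%SZ' >> "$log"
    src_hash=$(hash_of "$src")
    echo "source sha256: $src_hash" >> "$log"
    # conv=noerror keeps dd going past an unreadable block instead of aborting;
    # conv=sync pads that block with zeros so every later byte keeps its offset.
    # sync also pads the final partial block to bs, so bs must divide the media
    # size (512 for sector-addressed disks) or the image hash will not match.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>> "$log" || return 2
    img_hash=$(hash_of "$img")
    echo "image sha256: $img_hash" >> "$log"
    date -u '+end: %Y-%m-%dT%H:%M:%SZ' >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# piecewise_hashes IMG CHUNK: print "offset sha256" for each CHUNK-byte slice of
# IMG (what dcfldd's hashwindow= does). If the image is later found altered, the
# differing slice localizes the damage instead of condemning the whole file.
piecewise_hashes() {
    img=$1; chunk=$2
    size=$(wc -c < "$img" | tr -d ' ')
    off=0
    while [ "$off" -lt "$size" ]; do
        h=$(dd if="$img" bs="$chunk" skip=$((off / chunk)) count=1 2>/dev/null \
            | sha256sum | cut -d' ' -f1)
        echo "$off $h"
        off=$((off + chunk))
    done
}

# verify_image IMG LOG: re-hash IMG and compare with the hash recorded at
# acquisition. Run this every time the image is loaded, as ProDiscover does
# with its .eve files. Returns 0 only if the image is unchanged.
verify_image() {
    img=$1; log=$2
    expected=$(grep '^image sha256: ' "$log" | cut -d' ' -f3)
    [ -n "$expected" ] && [ "$(hash_of "$img")" = "$expected" ]
}
```

Two practical points the floppy slide does not show: the block size matters once conv=sync is in play (a padded final block silently changes the image hash), and keeping the acquisition log next to the image gives you something to re-verify against months later, which a bare cat of two hash files does not.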
Summary • Data acquisition is a critical part of the forensics process • Mess this up, and your evidence is useless • Need to be very careful not to alter the data you are trying so hard to preserve • Live CDs and write blockers, hardware and software, help preserve integrity; hashes prove it
Finish • Friday – Guest Speaker – Brian Kamp • Think about good questions you can ask!!!