
CSCD496 Computer Forensics

Lecture 5: Applying Process to Computer Forensics. Winter 2010. CSCD496 Computer Forensics. Introduction • Look at digital data acquisition • Just what is called static acquisition for now • Disk and other storage media • Live acquisition is another technique

nicole

Presentation Transcript


  1. Lecture 5 Applying Process to Computer Forensics Winter 2010 CSCD496 Computer Forensics

  2. Introduction • Look at digital data acquisition • Just what is called static acquisition for now • Disk and other storage media • Live acquisition is another technique • And includes capturing RAM and any other volatile data from a live machine

  3. Static Acquisition • Process of copying data • Goal of Static Acquisition • Preserve data and establish integrity • No question of the validity of data so it can be used as evidence in court

  4. Formats for Acquisition • Different Formats of digital files from copying forensics software • Proprietary format • Most commercial tools produce their own format • One popular standard supported by many tools • Open Source • Free with most Linux distributions • Raw format from Linux dd tool • Bit-by-bit copy of the media • Also supported by commercial tools • Creates a sequential flat file of suspect drive

  5. Advantages or Disadvantages • Advantages of Raw • Fast transfer, important for large disk copies • Can handle minor data read errors • Universal format, most tools can read it • Disadvantages of Raw • Requires as much storage space as original disk • Fails to collect bad sectors on disk • Commercial tools make more effort to collect all data

  6. Advantages or Disadvantages • Advantages of Proprietary Format • Offer features not available with Raw • Compress image, saves space • Can flexibly split images into smaller files to fit onto other media • Can integrate metadata into image: hash value of original disk, date and time of copy • Disadvantages of Proprietary Format • Can't share image between vendors' analysis tools

  7. Advantages or Disadvantages • Example Proprietary Format • ILook IXimager produces three proprietary formats • IDIF, IRBF and IEIT • Can copy to raw format for use by other tools • ILook is only available to law enforcement agencies http://www.perlustro.com/

  8. Standard Formats • Encase's format, Expert Witness • Closest to a standard • Recognized by other commercial tools • Can generate generic versions of Expert Witness format • X-Ways Forensics, Access Data Forensic Toolkit (FTK), and SMART • Can be compressed or uncompressed http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm

  9. Standard Formats • Another proposed open source acquisition format • Advanced Forensic Format (AFF) • AFF is a new format proposed by Dr. Simson Garfinkel, a forensics researcher • Expectation is that AFF will become standard of the future for acquisition of data • Both Sleuthkit and Autopsy support the AFF image format http://www.afflib.org/

  10. AFF Format • An open standard enables investigators to use their preferred tools to solve crimes and gather intelligence • Proprietary file formats mean you will convert from one format to another to use multiple tools • Converting between formats risks data corruption if the formats are not well understood • Metadata may be lost if all formats do not support the same forms of metadata • Read more about the AFF format http://www.forensicswiki.org/wiki/AFF

  11. Techniques of Acquisition • Several ways to do static acquisition • Typically done on computer or digital media seized as evidence • Most Common • Disk-to-image file • Provides greatest flexibility • Bit-by-bit copy of original drive • Can use a variety of tools to read and analyze data

  12. Techniques of Acquisition • Another Method • Disk-to-disk copy • Copying data from one drive to another • Circumstances when you might have to do that • Older drive, with hardware or software errors • Some tools can adjust disk geometry to match original suspect drive • Do that, so exact circumstances of disk are preserved • SafeBack and SnapCopy are two tools that run in an MS-DOS window and do a disk-to-disk copy • Encase also does this type of data acquisition

  13. Linux vs. Windows • Do you think it matters which OS you use to analyze the disk or data? • Yes. • Windows can contaminate your evidence drive! • Must protect drive with a write blocking device • Hardware devices can be inserted between disk and the OS used to analyze and copy the data • More about these in a later chapter

  14. Linux vs. Windows • Windows XP Blocking Feature • Since Service Pack 2, • Feature added to XP to turn off writing to USB devices • Must edit registry to do this, book has step-by-step instructions, Chapter 4 • Connect suspect drive to USB external drive after you turn off write permission to that USB device • Will not allow you to write to device • Make a copy of data

  15. Linux Live Boot CD • Linux can access a drive that is not mounted, means you can't read or write to it in usual way • However, newer Linux distributions automatically mount and allow access to connected drives • Can allow alteration of data • Answer: Linux Live Boot CD

  16. Linux Live Boot CD • CAINE Live CD • http://www.caine-live.net/ • Knoppix • http://www.knoppix-std.org/download.html • F.I.R.E. • http://fire.dmzs.com/ • Penguin Sleuth • http://www.linux-forensics.com/ • DeftLinux • http://www.deftlinux.net/

  17. Live CD's for Data Acquisition • Live CD's • Advantages, • Have a number of tools in one distribution • Configured by default to mount as read-only any connected storage media • Can then access and examine media connected to suspect machine • We will be exploring Live CD's in more detail later

  18. Validating Data Acquisitions • Anything you can do to validate evidence to prove it wasn't compromised • Typically, accepted technique – data hash • Linux • Two hash functions, md5sum and sha1sum • Take hash of original drive – save it • Take hash of copied image file – save it • Compare it – Does it match?

  19. Validating Data Acquisitions • Windows • Sigh ... No built-in hash utilities • Third party hex editors • X-Ways WinHex http://www.x-ways.net/winhex/index-m.html • Breakpoint Software Hex Workshop http://www.bpsoft.com/ • Produce hashes of files • Commercial Tools • Use built-in hash capabilities • ProDiscover .eve file – stores metadata with file • Date, time and hash value of original media • Each time you load image ProDiscover checks hash value • Ensures it matches saved hash of original media

  20. Protocol of Images • Strongly Recommended • Make 2 copies of your media • Why? • Stuff happens to images • Don't want to be caught without another image • Destroy your case – lose evidence, no more case

  21. Linux dd Command • dd • Oldest imaging tool still used • Although it is functional and requires only minimal resources to run, it lacks some useful features found in more modern imagers • Metadata gathering, • Error correction, • Piecewise hashing, • User-friendly interface • Ported to Linux, Mac and Windows

  22. Newer Version of dd • dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab • Useful features for forensic investigators such as: • On-the-fly hashing of the transmitted data. • Progress bar of how much data has already been sent. • Verification that image is identical to original drive, bit-for-bit • Output can be split into multiple files. • Logs and data can be piped into external applications

  23. Example Using dd • Example: Preserve Image of Floppy • md5sum /dev/fd0 > /tmp/original-md5 • Why? • Use the dd command • dd if=/dev/fd0 of=/tmp/disk.img bs=1k • What should I do next? • md5sum /tmp/disk.img > /tmp/img-md5 • cat /tmp/*md5 • Am I finished here?

  24. Summary • Data Acquisition critical part of the forensics process • Mess this up, and your evidence is useless • Need to be very careful to not impact the data you are trying hard to preserve • Live CD's, write-blockers – hardware and software, help preserve integrity

  25. Finish • Friday – Guest Speaker – Brian Kamp • Think about good questions you can ask!!!
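
The hash-image-hash-compare sequence from slides 18 and 23, with the later re-check that slide 19 attributes to ProDiscover, written as an added shell example (not part of the original lecture). The function names, the `.hashes` sidecar file and the sample paths are assumptions made for illustration; `sha256sum` is the default here, and the `md5sum` or `sha1sum` named on the slides can be passed instead.

```shell
#!/bin/sh
# Added example: static acquisition with hash validation.
# All paths are hypothetical; the demo "evidence" source is a constructed file.

# Print only the hex digest of a file or device.
digest() {  # digest <md5sum|sha1sum|sha256sum> <path>
    "$1" "$2" | awk '{print $1}'
}

# Hash <src>, image it to <img>, hash the image, record both digests in
# <img>.hashes, and return non-zero if the image does not match the source.
acquire_and_verify() {  # acquire_and_verify <src> <img> [hash tool]
    src=$1; img=$2; algo=${3:-sha256sum}
    before=$(digest "$algo" "$src")
    [ -n "$before" ] || return 2
    # noerror: keep going past unreadable sectors; sync: pad them with
    # zeros so later offsets stay aligned. bs=512 matches the sector size,
    # so a source whose size is a multiple of 512 is copied without padding.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    chmod a-w "$img"    # guard the image against accidental writes
    after=$(digest "$algo" "$img")
    printf '%s source %s\n%s image %s\n' \
        "$before" "$src" "$after" "$img" > "$img.hashes"
    [ "$before" = "$after" ]
}

# Re-check a working copy against the digest recorded at acquisition time.
verify_image() {  # verify_image <img> [hash tool]
    img=$1; algo=${2:-sha256sum}
    recorded=$(awk '$2 == "image" {print $1}' "$img.hashes")
    [ -n "$recorded" ] && [ "$recorded" = "$(digest "$algo" "$img")" ]
}

# Demo on a constructed 64 KiB stand-in for a suspect drive.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/suspect.bin" bs=512 count=128 2>/dev/null
    acquire_and_verify "$work/suspect.bin" "$work/disk.img" \
        && echo "image matches source" || echo "MISMATCH"
    cat "$work/disk.img.hashes"
    rm -rf "$work"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see a matching acquisition; against a real device the source path would be the write-blocked drive, and the `.hashes` file belongs with the case notes.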
