Forensic Tools by Donald Wood CSS 350
Overview
• Forensic tools are an important part of the computer forensic investigator’s ability to perform his/her job.
• Imaging Tools (disk imaging, write protection, etc.)
• Search Tools (text, program, etc.)
• Data Recovery Tools (deleted files, format recovery, etc.)
• Recommended Hardware Tools
• Monitoring tools, both network and individual system
• Strengths, weaknesses, risks, reviews of each
Imaging Suggested Tool
• DeepSpar Disk Imager
• The first dedicated imaging device built to handle disk-level problems. DeepSpar Disk Imager Forensic Edition is a portable version of DeepSpar Disk Imager Data Recovery Edition with the addition of forensic-specific functionality.
Imaging Suggested Tool Cont’d
• Strengths
  • Maps scanned sectors and “remembers” just where you left off if the process is interrupted.
• Weaknesses
  • Drive caching can cause problems; for example, if there is a bad sector within the read-ahead block, it can cause the drive to hang or time out.
• Risks
  • Same as weaknesses
• Reviews
  • Accesses the drive directly using its own hardware and software routines to send ATA read commands, so any media errors can be identified immediately; blocks containing bad sectors are skipped and the imaging process continues from the next block of data until the first pass is finished. Once complete, it then goes backwards through the drive so that any drive caching is disabled.
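The skip-and-resume imaging strategy described in the review above, as an added example written for this page (it is not DeepSpar’s software): a simulated drive with two unreadable sectors is imaged in 8-sector blocks, any block whose read errors is skipped and recorded, the sector map lets an interrupted run resume where it stopped, and a reverse pass then retries the skipped blocks one sector at a time so only the genuinely bad sectors stay unfilled. The block size, the `SimulatedDrive` class, the `interrupt_after` parameter and the drive contents are all assumptions.

```python
"""Block-skipping disk imaging with a resumable sector map (illustrative
code written for this page; not DeepSpar's implementation)."""

SECTOR = 512
BLOCK_SECTORS = 8  # read-ahead block size in sectors (assumed value)


class SimulatedDrive:
    """Constructed source device; `bad` holds the unreadable sector numbers."""

    def __init__(self, data: bytes, bad):
        assert len(data) % SECTOR == 0
        self.data, self.bad = data, set(bad)
        self.sectors = len(data) // SECTOR

    def read(self, lba: int, count: int) -> bytes:
        # Like a multi-sector ATA read: the whole request fails if it touches a bad sector.
        for s in range(lba, lba + count):
            if s in self.bad:
                raise IOError(f"media error at sector {s}")
        return self.data[lba * SECTOR:(lba + count) * SECTOR]


class ImagingState:
    """Image buffer plus the sector map that makes an interrupted job resumable."""

    def __init__(self, sectors: int):
        self.image = bytearray(sectors * SECTOR)  # sectors never read stay zero-filled
        self.done = set()        # sectors copied successfully
        self.skipped = []        # start LBAs of blocks skipped in the forward pass
        self.unreadable = []     # sectors that failed even the single-sector retry


def forward_pass(drive, state, max_blocks=None):
    """Image the drive in blocks, skipping any block whose read errors.
    `max_blocks` (assumed parameter) stops early to simulate an interruption;
    returns True when the pass reached the end of the drive."""
    attempted = 0
    for lba in range(0, drive.sectors, BLOCK_SECTORS):
        count = min(BLOCK_SECTORS, drive.sectors - lba)
        sectors = range(lba, lba + count)
        if lba in state.skipped or all(s in state.done for s in sectors):
            continue  # handled before the interruption: resume past it
        if max_blocks is not None and attempted >= max_blocks:
            return False  # interrupted; the sector map remembers where we stopped
        attempted += 1
        try:
            chunk = drive.read(lba, count)
        except IOError:
            state.skipped.append(lba)  # skip the whole block and keep going
            continue
        state.image[lba * SECTOR:(lba + count) * SECTOR] = chunk
        state.done.update(sectors)
    return True


def reverse_pass(drive, state):
    """Retry the skipped blocks from the end of the drive backwards, one sector
    at a time, so only genuinely unreadable sectors are left unfilled."""
    for lba in sorted(state.skipped, reverse=True):
        count = min(BLOCK_SECTORS, drive.sectors - lba)
        for s in range(lba + count - 1, lba - 1, -1):
            try:
                state.image[s * SECTOR:(s + 1) * SECTOR] = drive.read(s, 1)
                state.done.add(s)
            except IOError:
                state.unreadable.append(s)
    state.unreadable.sort()
    return state.unreadable


def image_drive(drive, interrupt_after=None):
    """Forward pass (optionally interrupted, then resumed), then the reverse pass."""
    state = ImagingState(drive.sectors)
    if not forward_pass(drive, state, interrupt_after):
        forward_pass(drive, state)  # second run resumes from the sector map
    reverse_pass(drive, state)
    return state


def build_drive():
    """Constructed 64-sector drive: sector n is filled with byte value n,
    and sectors 10 and 37 are unreadable."""
    data = b"".join(bytes([n]) * SECTOR for n in range(64))
    return SimulatedDrive(data, bad={10, 37})


if __name__ == "__main__":
    st = image_drive(build_drive(), interrupt_after=3)
    print("skipped blocks at LBA:", st.skipped)
    print("unreadable sectors:", st.unreadable)
    print("sectors imaged:", len(st.done), "of", 64)
```

Running it images 62 of 64 sectors: blocks starting at LBA 8 and 32 are skipped on the forward pass (one after the simulated interruption and resume), and the reverse pass recovers every sector of those blocks except 10 and 37. A real imager would persist `done` and `skipped` to disk alongside the image so a power loss, rather than a parameter, is what it resumes from.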
Search Tools
• Hurricane Search
• Created to help you search for evidence and solve computer crime. Hurricane Search helps find text stored on computer hard drives. Build evidence by searching text files, PDF documents, and Word files thoroughly, as well as finding evidence in binary files with embedded information on hard drives.
Search Tools Cont’d
• Strengths
  • Select multiple directories to include in or exclude from searches; the user interface enhances the way you work through minimized keystrokes; preview results in context; search data hidden in compressed Zip and binary files.
• Weaknesses
  • None listed
• Risks
  • None listed
• Reviews
  • Used worldwide by thousands of professionals to find text and build legal evidence. Our customers have reported that Hurricane Search is used to conduct employee investigations, ensure intellectual property protection, assist law enforcement officers, and locate malicious data in business environments or on client workstations.
Data Recovery
• DriveLook V1.00
• Scans a drive or a partition of a drive for text strings and stores them in a table. After completion of the scan you can browse this table and view the locations where the words have been found. The search function allows you to do fast inquiries for combinations of words.
Data Recovery Cont’d
• Strengths
  • The search function allows you to do fast inquiries for combinations of words.
• Weaknesses
  • Limited to a Windows OS
• Risks
  • None listed
• Reviews
  • Used worldwide by thousands of professionals to find text and build legal evidence. Our customers have reported that Hurricane Search is used to conduct employee investigations, ensure intellectual property protection, assist law enforcement officers, and locate malicious data in business environments or on client workstations.
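The sector-level text search that both Hurricane Search and DriveLook are described as doing (scan the drive for strings, store each hit’s location in a table, then query combinations of words), as an added example written for this page rather than either product’s code. It reads a raw image in chunks with an overlap so a keyword that straddles a chunk boundary is still found, records the byte offset and sector of every hit, and answers an ANDed query for sectors containing every word. The 16-sector image, its contents and the chunk size are constructed values.

```python
"""Chunked keyword search over a raw disk image with a hit table
(illustrative code written for this page; not DriveLook's or Hurricane
Search's implementation)."""
import io
import re
from collections import defaultdict

SECTOR = 512
CHUNK = 4096  # bytes read per iteration; a multiple of SECTOR (assumed value)


def search_image(stream, keywords):
    """Scan `stream` for every keyword (case-insensitive) and return a table
    {keyword: [(byte_offset, sector), ...]} of where each one was found."""
    patterns = {k: re.compile(re.escape(k.encode()), re.IGNORECASE) for k in keywords}
    overlap = max(len(k) for k in keywords) - 1  # longest prefix that can straddle a chunk
    table = defaultdict(list)
    buf, base, eof = b"", 0, False  # base = absolute offset of buf[0]
    while not eof:
        data = stream.read(CHUNK)
        eof = not data
        buf += data
        # A match starting in the last `overlap` bytes may continue into the next
        # chunk, so it is deferred until more data arrives (or until EOF).
        limit = len(buf) if eof else max(len(buf) - overlap, 0)
        for k, pat in patterns.items():
            for m in pat.finditer(buf):
                if m.start() < limit:
                    off = base + m.start()
                    table[k].append((off, off // SECTOR))
        buf, base = buf[limit:], base + limit  # keep only the deferred tail
    return dict(table)


def search_bytes(data: bytes, keywords):
    """Convenience wrapper for searching an in-memory image."""
    return search_image(io.BytesIO(data), keywords)


def sectors_with_all(table, words):
    """Combination query: sectors in which every one of `words` was found."""
    sets = [{sector for _, sector in table.get(w, [])} for w in words]
    return sorted(set.intersection(*sets)) if sets else []


def build_image() -> bytes:
    """Constructed 16-sector image with text at known offsets; the text at
    offset 4090 is placed so 'invoice' straddles the 4096-byte chunk boundary."""
    img = bytearray(16 * SECTOR)
    for off, text in [(100, b"Re: INVOICE 4471 attached"),
                      (1500, b"payment to offshore account"),
                      (4090, b"wire invoice now"),
                      (6000, b"offshore wire confirmed")]:
        img[off:off + len(text)] = text
    return bytes(img)


if __name__ == "__main__":
    hits = search_bytes(build_image(), ["invoice", "offshore", "wire"])
    for word, places in hits.items():
        print(word, places)
    print("sectors with both 'wire' and 'offshore':",
          sectors_with_all(hits, ["wire", "offshore"]))
```

The overlap is the one detail that separates a correct disk-wide search from one that silently misses hits: without it, the occurrence of “invoice” at offset 4095 is split between two reads and never matches. Real tools add further decoders (Unicode, compressed containers) in front of the same offset bookkeeping.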
Recommended Hardware Tools
• A hardware platform could be anything from a 7-bay tower to a portable small-form-factor system or even a laptop. A system with a MicroATX motherboard and a medium form factor case is a reasonable compromise for a static lab station. A standard MicroATX board will supply onboard video and support 2 PCI cards, 2 PCI Express cards, 4 DIMMs, Parallel and Serial ATA hard drives, floppy drives, USB 2.0, and Gigabit Ethernet. A new Intel or AMD CPU will be more than sufficient for most investigations. While processor speed does make a difference for certain operations, one of the mainstays of a forensic investigation is the keyword search, which requires that each sector of a suspect hard drive be examined; the speed of that process relies almost entirely on the speed of the drive itself. Instead of investing in high-priced workstations with top-of-the-line CPUs, investigators should focus on ensuring the highest-speed I/O bus so the system can quickly access the data stored on disk.
Network Monitoring Tools
• Network Monitoring
• Scrutinizer delivers a diverse range of free and commercial flow measuring and monitoring tools.
Network Monitoring Tools Cont’d
• Strengths
  • Saves unlimited amounts of past NetFlow data.
• Weaknesses
  • None listed
• Risks
  • None listed
• Reviews
  • Saves unlimited amounts of past NetFlow data. Adds several additional traffic analysis report types (e.g. Flows, Flow Volume, NBAR Support, etc.). Algorithms perform Network Behavior Analysis on all flows across all routers/switches. Top (applications, hosts, flows, countries, domains, etc.) across all routers/switches. Constantly resolves all IP addresses. Uses saved Scrutinizer Reports to monitor for threshold violations.
  • http://media.plixer.com/promo/scrutinizerPromo.html
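The kind of flow analysis the Reviews bullet lists (top hosts and applications, behaviour analysis across all flows, threshold violations), as an added example for this page and not Scrutinizer’s code. It runs over a constructed set of flow records, reports top talkers by bytes and top destination ports by flow count, and flags any source that exceeds an egress byte threshold or that contacted more distinct destinations than the configured limit. The `Flow` record layout, both thresholds and the flow data are assumptions.

```python
"""Top-talker and threshold analysis over flow records (illustrative code
written for this page; not Scrutinizer's implementation)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported flow record (the field set is an assumption)."""
    src: str
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


# Constructed sample: ordinary web traffic, a DNS lookup, one very large SSH
# transfer, and one host that touched 40 different destinations on one port.
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, "tcp", 120_000, 300),
    Flow("10.0.0.5", "203.0.113.11", 443, "tcp", 80_000, 210),
    Flow("10.0.0.7", "10.0.0.1", 53, "udp", 500, 4),
    Flow("10.0.0.9", "198.51.100.20", 22, "tcp", 3_000_000, 2_400),
] + [Flow("10.0.0.12", f"192.0.2.{i}", 445, "tcp", 60, 1) for i in range(1, 41)]


def top_talkers(flows, n=3):
    """Top n source hosts by bytes sent, aggregated across all flows."""
    totals = Counter()
    for f in flows:
        totals[f.src] += f.bytes
    return totals.most_common(n)


def top_ports(flows, n=3):
    """Top n destination ports by flow count (a proxy for 'top applications')."""
    return Counter(f.dport for f in flows).most_common(n)


def threshold_violations(flows, max_bytes_per_src, max_distinct_dst_per_src):
    """Flag sources that exceed an egress byte threshold or contacted more
    distinct destinations than expected. Returns (src, rule, observed) tuples."""
    bytes_by_src = Counter()
    dsts_by_src = defaultdict(set)
    for f in flows:
        bytes_by_src[f.src] += f.bytes
        dsts_by_src[f.src].add(f.dst)
    violations = []
    for src in sorted(bytes_by_src):
        if bytes_by_src[src] > max_bytes_per_src:
            violations.append((src, "bytes", bytes_by_src[src]))
        if len(dsts_by_src[src]) > max_distinct_dst_per_src:
            violations.append((src, "distinct_dst", len(dsts_by_src[src])))
    return violations


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS, 2))
    print("top ports:", top_ports(FLOWS, 2))
    for src, rule, seen in threshold_violations(FLOWS, 1_000_000, 25):
        print(f"ALERT {src}: {rule} = {seen}")
```

With the sample data, 10.0.0.9 trips the byte threshold and 10.0.0.12 trips the distinct-destination threshold, while the two web flows and the DNS lookup stay below both. In a real deployment the thresholds would be derived from the saved history the slide mentions rather than hard-coded.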
Host Monitoring Tools
• Advanced Host Monitor Version 8.58
• Host Monitor is a highly scalable network monitoring software suitable for small and enterprise-level networks.
Host Monitoring Tools Cont’d
• Strengths
  • In the event of network errors, HostMonitor will alert the network administrator (or even correct the problem when possible) before problems get seriously out of hand.
• Weaknesses
  • None listed
• Risks
  • None listed
• Reviews
  • A system management tool that continuously monitors servers’ availability and performance. In the event of network errors, HostMonitor will alert the network administrator (or even correct the problem when possible) before problems get seriously out of hand. This helps protect your company’s data and reduces the likelihood of costly network failures.
  • http://www.ks-soft.net/hostmon.eng/mainwin1.htm
Resources
• http://www.deepspar.com/products-ds-disk-imager-forensic.html?gclid=CMaD8rf6tKECFQz_iAod0Em2Dw
• http://www.hurricanesoft.com/hsforensics.jsp
• http://www.runtime.org/drivelook.htm
• https://www.issa.org/Library/Journals/2006/March/Stanley,%20McGoff%20-%20Choosing%20Hardware%20for%20a%20Computer%20Forensic%20Lab.pdf
• http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php
• http://www.ks-soft.net/hostmon.eng/