We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byAniya Reams
Modified about 1 year ago
Next Generation Data Forensics & Linux Thomas Rude, CISSP August 2002
Agenda Thomas Rude, © 2002 ● Overview of Data Forensics ● Agents of Change ● Future of Data Forensics ● Linux as Next Generation Data Forensics platform ● Questions
Data Forensics, Infancy Thomas Rude, © 2002 Historically data forensics has focused on imaging and analyzing standalone personal computers (PCs). - small hard drives - DOS-based utilities
Evolving Data Forensics Thomas Rude, © 2002 First agents of change; - significantly larger hard drives (>500MB) - significant increase in number of PCs - increase in use of PCs in crimes
Evolving Data Forensics Thomas Rude, © 2002 Second agents of change; - significant increase in use of non-PC devices - servers, handhelds, digital cameras, etc. - increase in non-Windows operating systems - MacOS, UNIX flavors, Linux flavors, etc.
Evolving Data Forensics Thomas Rude, © 2002 Where does the data forensic community stand today? Electronic data is stored in many devices, ranging from wrist watches, telephony boxes, and enterprise servers. Increasingly forensic examiners are dealing with 'non-traditional' PCs, corporate security personnel are first responders to incidents, and critical data is residing in volatile system memory.
NG Forensics Defined Thomas Rude, © 2002 "The scientific process of imaging and analyzing data stored in any electronic format, for the purpose of reporting findings in a neutral manner, with no predisposition as to guilt or innocence." farmerdude, 2002
NG Forensics & Linux Thomas Rude, © 2002 Next generation data forensics platform of choice? Linux
NG Forensics & Linux Thomas Rude, © 2002 What makes Linux so powerful? - everything, including hardware, is a file - support for numerous file system types - ability to analyze a live system in a minimally invasive manner - ability to chain commands - ability to monitor and log processes & commands - ability to review source code - ability to create bootable media
NG Forensics & Linux Thomas Rude, © 2002 File Recognition within Linux; - ease of replication (clear text config files) - seeing everything as a file allows for a degree of control over that file - degree of security - degree of granularity over how the operating system environment behaves
NG Forensics & Linux Thomas Rude, © 2002 File Recognition within Linux; - So what is the benefit to the forensic examiner? - examiner has ability to control how the operating system touches devices (I.E., consistent mounting of devices in a read only manner that does not alter the data on the evidentiary device)
NG Forensics & Linux Thomas Rude, © 2002 Numerous File System Types Support; - Linux can interpret many file system types, including; ext2, ext3, FFS, HPFS, FAT, VFAT, NTFS, ISO9660, UDF, UFS, etc. - Win32 can interpret a few file system types, including; FAT, VFAT, and NTFS
NG Forensics & Linux Thomas Rude, © 2002 Numerous File System Types Support; - So what does this mean for the examiner? - If you use Win32 as your platform for analysis and you wish to view data in its logical format, then you must have a driver for that specific file system type written. - Win32 + no fs driver = one big blob
NG Forensics & Linux Thomas Rude, © 2002 Numerous File System Types Support; - So what does this mean for the examiner? - If you use Linux as your platform for analysis and you wish to view data in its logical format, chances are you already have a driver for that fs type availabe for use - Linux + fs driver = pretty logical format
NG Forensics & Linux Thomas Rude, © 2002 Analyzing a Live System, Minimally Invasively; - Almost all compromised systems have trojaned commands - Linux provides a method for analyzing this compromised system, in its running state, in a minimally invasive manner
NG Forensics & Linux Thomas Rude, © 2002 Analyzing a Live System, Minimally Invasively; - The goal of all data forensic work is to not alter the evidence wherever possible - Extremely difficult to perform - However, Linux can prove helpful
NG Forensics & Linux Thomas Rude, © 2002 Analyzing a Live System, Minimally Invasively; - Trusted binaries on trusted media (floppy, CD) - Use Vi editor to issue commands without stepping all over the system logs - Commands such as 'script' can be used in conjunction with 'time' to provide an accurate log of what commands were issued and at what time
NG Forensics & Linux Thomas Rude, © 2002 Chaining Commands; - commands useful to the forensic examiner may be chained together in order to increase productivity - example; dd if=/dev/hdd conv=noerror bs=1024 of=image1 2>> image_error_log ; md5sum image1 > image1_hash
NG Forensics & Linux Thomas Rude, © 2002 Chaining Commands; - Linux also provides ability to redirect standard input/output/error - examples; dd if=/dev/sda conv=noerror bs=1024 | gzip > scsi_image.gz dd if=/dev/sda conv=noerror bs=1024 | split -b 640m cat xa* > new_sda_image_file
NG Forensics & Linux Thomas Rude, © 2002 Ability to Monitor and Log Processes & Commands; - Linux provides an environment rich in auditing and logging user activities - Value to forensic examiner? Trail of what happened when and by whom or what. - Commands include; script, w, pstree, ps, strace, lsof, etc.
NG Forensics & Linux Thomas Rude, © 2002 Source Code Review; - most all commands used by a forensic examiner on the Linux platform are open source, and therefore, their code is freely available for review - allows for customization of code - more importantly, allows for increased technical knowledge (knowing what's happening 'behind the scenes') and ability to defend tool
NG Forensics & Linux Thomas Rude, © 2002 Trusted Boot Media; - Whether a floppy diskette or a CD-ROM, bootable Linux media can be created and customized - Allows forensic examiner to create personalized toolsets for most any situation, as well as trusted binaries to use for processing
NG Forensics & Linux Thomas Rude, © 2002 What does all of this mean? - The power of Linux empowers the forensic examiner
NG Forensics & Linux Thomas Rude, © 2002 Questions?
Introduction to Computers Part II. Software Computer software generally consists of three types: Programming Software Application Software System software.
Windows 2008 Active Directory Configuration – Week 4 of 6 Microsoft Test: Mark McCoy MCSE, CNE, CISSP.
Unattended Installation for Window XP By Marshall Cooper.
Computer Forensics. Introduction Topics to be covered –Defining Computer Forensics –Reasons for gathering evidence –Who uses Computer Forensics –Steps.
File Concept A file is a named collection of related information that is recorded on secondary storage. A file has a define structure, which we must know.
Introduction to Computer Forensics Reference: Chapter 13, Computer Network Security, Springer, Joseph M. Kizza.
What you will find in this presentation What is computer forensics? The four As How disk storage works in your case How files live on disk Where evidence.
“Official” binary from Google Supported by Google Google branding Automatic updates Browser used in Google Chrome OS Code released under BSD license as.
Share Your PC Get Started. Sharing a computer used to mean that others could see your private files, install software you didn't want, or change your.
Presented by Nikita Shah 5th IT ( ) INTRUSION DETECTION SYSYTEM.
Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The.
MLAN Maguire Local Area Network Version 2.0, May 1998.
Logical IT Security By Prashant Mali.
Manage e-Project Information. Use of the Guide This guide sets out to provide a framework tool to assist e-Project information users. The object of the.
Software Development QA Best Practices May 20, 2010 Suzette Hackl, CSM Senior Project Manager Skyline Technologies, Inc.
Abstract Linux continues to gain momentum as a cost-effective operating system [OS]. Many companies are obtaining significant ROI & savings by migrating.
Longhorn Academy Server Management Dave & Sebastian.
CSN08101 Digital Forensics Lecture 6: Acquisition Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak.
Network Security Workshop BUSAN 2003 Saravanan Kulanthaivelu
Distributed Computing Dr. Eng. Ahmed Moustafa Elmahalawy Computer Science and Engineering Department.
Testing Relational Database. Overview Once the design of a database system has been completed, the developers are ready to move into the implementation.
Converting DataQuest Reports or UDR’s to Excel or Word.
Computer Forensics. What is Computer Forensics? Scientific process of preserving, identifying, extracting, documenting, and interpreting data on a computer.
1 Computer Forensics Michael Watson Director of Security Incident Management NSAA Conference 10/2/09 1.
February 22, /2/ AN INTRODUCTION TO COMPUTER TECHNOLOGY This lesson introduces key concepts related to how computers work. Computer-related.
MCTS Guide to Microsoft Windows 7 Chapter 13 Enterprise Computing.
Computing Higher - SD Process – Topic 2 St Andrew’s High School Unit 2 Software Development Process.
Tools and techniques that support user interface development Design support is needed because designing software is typically very complex and requires.
Intro to Virtualization Phil Grimes Coach / Mentor Security Consultant.
© 2016 SlidePlayer.com Inc. All rights reserved.