We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byAniya Reams
Modified about 1 year ago
Next Generation Data Forensics & Linux Thomas Rude, CISSP August 2002
Agenda Thomas Rude, © 2002 ● Overview of Data Forensics ● Agents of Change ● Future of Data Forensics ● Linux as Next Generation Data Forensics platform ● Questions
Data Forensics, Infancy Thomas Rude, © 2002 Historically data forensics has focused on imaging and analyzing standalone personal computers (PCs). - small hard drives - DOS-based utilities
Evolving Data Forensics Thomas Rude, © 2002 First agents of change; - significantly larger hard drives (>500MB) - significant increase in number of PCs - increase in use of PCs in crimes
Evolving Data Forensics Thomas Rude, © 2002 Second agents of change; - significant increase in use of non-PC devices - servers, handhelds, digital cameras, etc. - increase in non-Windows operating systems - MacOS, UNIX flavors, Linux flavors, etc.
Evolving Data Forensics Thomas Rude, © 2002 Where does the data forensic community stand today? Electronic data is stored in many devices, ranging from wrist watches, telephony boxes, and enterprise servers. Increasingly forensic examiners are dealing with 'non-traditional' PCs, corporate security personnel are first responders to incidents, and critical data is residing in volatile system memory.
NG Forensics Defined Thomas Rude, © 2002 "The scientific process of imaging and analyzing data stored in any electronic format, for the purpose of reporting findings in a neutral manner, with no predisposition as to guilt or innocence." farmerdude, 2002
NG Forensics & Linux Thomas Rude, © 2002 Next generation data forensics platform of choice? Linux
NG Forensics & Linux Thomas Rude, © 2002 What makes Linux so powerful? - everything, including hardware, is a file - support for numerous file system types - ability to analyze a live system in a minimally invasive manner - ability to chain commands - ability to monitor and log processes & commands - ability to review source code - ability to create bootable media
NG Forensics & Linux Thomas Rude, © 2002 File Recognition within Linux; - ease of replication (clear text config files) - seeing everything as a file allows for a degree of control over that file - degree of security - degree of granularity over how the operating system environment behaves
NG Forensics & Linux Thomas Rude, © 2002 File Recognition within Linux; - So what is the benefit to the forensic examiner? - examiner has ability to control how the operating system touches devices (I.E., consistent mounting of devices in a read only manner that does not alter the data on the evidentiary device)
NG Forensics & Linux Thomas Rude, © 2002 Numerous File System Types Support; - Linux can interpret many file system types, including; ext2, ext3, FFS, HPFS, FAT, VFAT, NTFS, ISO9660, UDF, UFS, etc. - Win32 can interpret a few file system types, including; FAT, VFAT, and NTFS
NG Forensics & Linux Thomas Rude, © 2002 Numerous File System Types Support; - So what does this mean for the examiner? - If you use Win32 as your platform for analysis and you wish to view data in its logical format, then you must have a driver for that specific file system type written. - Win32 + no fs driver = one big blob
NG Forensics & Linux Thomas Rude, © 2002 Numerous File System Types Support; - So what does this mean for the examiner? - If you use Linux as your platform for analysis and you wish to view data in its logical format, chances are you already have a driver for that fs type availabe for use - Linux + fs driver = pretty logical format
NG Forensics & Linux Thomas Rude, © 2002 Analyzing a Live System, Minimally Invasively; - Almost all compromised systems have trojaned commands - Linux provides a method for analyzing this compromised system, in its running state, in a minimally invasive manner
NG Forensics & Linux Thomas Rude, © 2002 Analyzing a Live System, Minimally Invasively; - The goal of all data forensic work is to not alter the evidence wherever possible - Extremely difficult to perform - However, Linux can prove helpful
NG Forensics & Linux Thomas Rude, © 2002 Analyzing a Live System, Minimally Invasively; - Trusted binaries on trusted media (floppy, CD) - Use Vi editor to issue commands without stepping all over the system logs - Commands such as 'script' can be used in conjunction with 'time' to provide an accurate log of what commands were issued and at what time
NG Forensics & Linux Thomas Rude, © 2002 Chaining Commands; - commands useful to the forensic examiner may be chained together in order to increase productivity - example; dd if=/dev/hdd conv=noerror bs=1024 of=image1 2>> image_error_log ; md5sum image1 > image1_hash
NG Forensics & Linux Thomas Rude, © 2002 Chaining Commands; - Linux also provides ability to redirect standard input/output/error - examples; dd if=/dev/sda conv=noerror bs=1024 | gzip > scsi_image.gz dd if=/dev/sda conv=noerror bs=1024 | split -b 640m cat xa* > new_sda_image_file
NG Forensics & Linux Thomas Rude, © 2002 Ability to Monitor and Log Processes & Commands; - Linux provides an environment rich in auditing and logging user activities - Value to forensic examiner? Trail of what happened when and by whom or what. - Commands include; script, w, pstree, ps, strace, lsof, etc.
NG Forensics & Linux Thomas Rude, © 2002 Source Code Review; - most all commands used by a forensic examiner on the Linux platform are open source, and therefore, their code is freely available for review - allows for customization of code - more importantly, allows for increased technical knowledge (knowing what's happening 'behind the scenes') and ability to defend tool
NG Forensics & Linux Thomas Rude, © 2002 Trusted Boot Media; - Whether a floppy diskette or a CD-ROM, bootable Linux media can be created and customized - Allows forensic examiner to create personalized toolsets for most any situation, as well as trusted binaries to use for processing
NG Forensics & Linux Thomas Rude, © 2002 What does all of this mean? - The power of Linux empowers the forensic examiner
NG Forensics & Linux Thomas Rude, © 2002 Questions?
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA Data.
By Jason Swoyer. Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums. Computer.
Guide To UNIX Using Linux Third Edition Chapter 8: Exploring the UNIX/Linux Utilities.
Intro to Linux for Cyber Crime Investigators and Computer Forensic Examiners By Ernest Baca
1 ITSK 2611 Welcome. 2 Operating System 3 What is an OS Resource Manager –Disk –Memory –CPU Device Manager –Printers –Video Card –Sound Card Utility.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Microsoft Windows NT Embedded 4.0 A Technical Overview Microsoft Corporation.
The Penguin Sleuth Kit By Ernest Baca
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Computer Forensics Data Recovery and Evidence Collection September.
Software 1. Software is divided into parts System software Operating system Utility software Application software 2.
System Software System software deals with the physical complexities of how the hardware works. System software deals with the physical complexities of.
The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.
Computers Parts/Types. Topics Definition Types of Computers Parts of Computer System Impact on Society.
Computer Forensics Peter Caggiano. Outline My Background What is it? What Can it do and not do? Goals Evidence Types of forensics Future problems How.
Honeywall CD-ROM. Developers and Speakers Dave Dittrich University of Washington Rob McMillen USMC Jeff Nathan Sygate William Salusky AOL.
Machine Architecture CMSC 104, Section 4 Richard Chang 1.
PTA Linux Series Copyright Professional Training Academy, CSIS, University of Limerick, 2006 © Workshop V Files and the File System Part B – File System.
CHAP 6 – COMPUTER FORENSIC ANALYSIS. 2 Objectives Of Analysis Process During Investigation: The purpose of this process is to discover and recover evidences.
Forensics Application of scientific knowledge to a problem Computer Forensics Application of the scientific method in reconstructing a sequence.
Honeywall CD-ROM. 2 Developers and Speakers Dave Dittrich University of Washington Rob McMillen USMC Jeff Nathan Sygate William Salusky AOL.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.
Rootkits. EC-Council The Problem Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or.
1J. M. Kizza - Ethical And Social Issues Module 13: Computer Investigations Introduction Introduction Digital Evidence Digital Evidence Preserving Evidence.
Module 13: Computer Investigations Introduction Digital Evidence Preserving Evidence Analysis of Digital Evidence Writing Investigative Reports Proven.
Computing Essentials 2014 System Software © 2014 by McGraw-Hill Education. This proprietary material solely for authorized instructor use. Not authorized.
FILE S SYSTEM DIFFERENT FILE SYSTEMS FILE SYSTEM COMPONENTS FILE OPERATIONS LOG STRUCTERD FILE SYSTEM FILE EXAMPLES.
OPERATING SYSTEMS AND SYSTEMS SOFTWARE. SYSTEMS SOFTWARE Systems software consists of the programs that control the operations of the computer and its.
OPERATING SYSTEMS DO YOU REQUIRE AN OPERATING SYSTEM IN YOUR SYSTEM?
Computing Fundamenatls CMSC 201 Computer Science I Penny Rheingans University of Maryland Baltimore County (with inspiration from previous 201 instructors.
By Mr. Abdalla A. Shaame 1. What is Computer An electronic device that stores, retrieves, and processes data, and can be programmed with instructions.
04/21/2004CSCI 315 Operating Systems Design1 Disk Management.
Operating Systems Manage system resources –CPU scheduling –Process management –Memory management –Input/Output device management –Storage device management.
IST 222 Day 3. Homework for Today Take up homework and go over Go to Microsoft website and check out their hardware compatibility list.
1 CP586 © Peter Lo 2003 Multimedia Communication Standards and Delivery Methods.
Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.
2.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 2: Installing Windows Server.
© Paradigm Publishing Inc. 4-1 Chapter 4 System Software.
Thomas Schwarz, S.J. SCU Comp. Eng COEN 252 Collection of Evidence.
Calculators are used to increase speed and accuracy of numerical computations The abacus has roots dating back over 5,000 years Mechanical calculators.
Is a program that acts as an intermediary between the user of the devices, which are cut by CO computer and applications (programs) which it runs are used.
7 Handling a Digital Crime Scene Dr. John P. Abraham Professor UTPA.
Computer Forensics DOS Partitioning. Partitioning Practices We separate partition practices into those used by Personal Computers: DOS Apple Servers.
Chapter 14: Computer and Network Forensics Guide to Computer Network Security.
Storage device. Diskettes (floppy disks) Hard disks High-capacity floppy disks Disk cartridges Magnetic tape.
Introduction to Unix (CA263) File System By Tariq Ibn Aziz.
Chapter 4: Operating Systems and File Management 1 Operating Systems and File Management Chapter 4.
Allocation Methods - Contiguous An allocation method refers to how disk blocks are allocated for files: Contiguous allocation – each file occupies set.
© 2017 SlidePlayer.com Inc. All rights reserved.