Guide to Computer Forensics and Investigations, Second Edition Chapter 10 Computer Forensics Analysis.


1 Guide to Computer Forensics and Investigations, Second Edition Chapter 10 Computer Forensics Analysis

2 Objectives
Understand computer forensics analysis
Use DriveSpy to analyze computer data
Use AccessData’s Forensic Toolkit (FTK)

3 Objectives (continued)
Use EnCase to analyze computer data
Perform a computer forensics analysis
Address data-hiding techniques

4 Understanding Computer Forensics Analysis
Examining and analyzing digital evidence
–Nature of the case
–Amount of data to process
–Search warrants
–Court orders
–Company policies
Scope creep
Right of full discovery of digital evidence

5 Refining the Investigation Plan
Steps:
–Determine the scope of the investigation
–Estimate number of hours to complete the case
–Determine whether you should collect all information
–Plan what to do in case of scope creep
–Determine if you have adequate resources
–Establish the deadline

6 Refining the Investigation Plan (continued)
After you refine your plan, acquire evidence
Examine evidence
Review the latest changes in technology
–Find new places for hiding information
–Learn of new methods for storing data
–Verify that your tools still work
Determine the suspect’s motive

7 Using DriveSpy to Analyze Computer Data
Files
–DriveSpy.exe/ini/hlp
DriveSpy.ini sections
–License
–File Headers
–File Groups
–Search

8 Using DriveSpy to Analyze Computer Data (continued) [slide contains only a screenshot]

9 Using DriveSpy to Analyze Computer Data (continued)
File Headers
–Hexadecimal numbers
–Identify known files even if the extension is different
–You can add more headers
File Groups
–Consolidate similar file types
–Search for several header types at one time
–You can define your own groups

10 Using DriveSpy to Analyze Computer Data (continued) [slide contains only a screenshot]

11 Using DriveSpy to Analyze Computer Data (continued) [slide contains only a screenshot]

12 Using DriveSpy to Analyze Computer Data (continued)
Search
–Include keywords
–Defines level of accuracy
–Not case sensitive
–Can produce false-positive hits
–Use hex values for special characters or keywords

13 Using DriveSpy to Analyze Computer Data (continued) [slide contains only a screenshot]

14 Using DriveSpy to Analyze Computer Data (continued) [slide contains only a screenshot]

15 DriveSpy Keyword Searching
Search at physical level (Drive mode) or logical level (Partition mode)
Use Output command to create a log
Drive mode supports other file systems
–NTFS, HFS, UNIX/Linux
Searches in partition gaps
Cannot analyze archive or encrypted files
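The physical-level keyword search that slides 12 and 15 describe (case-insensitive, hex values for special characters, false-positive hits, a log of results), as an added example written for this page and not DriveSpy's own code. The keyword syntax (plain text, or "0x" followed by hex digits) and the log format are assumptions, and the four-sector image is constructed inline.

```python
import re

def parse_keyword(spec: str) -> bytes:
    """Turn a keyword spec into the byte pattern to look for.
    Assumed syntax: plain text, or 0x.. hex for special characters such as CRLF."""
    if spec.lower().startswith("0x"):
        return bytes.fromhex(spec[2:])
    return spec.encode("latin-1")

def search_image(image: bytes, keywords, sector_size=512, case_sensitive=False):
    """Scan the whole raw image (Drive mode: no file-system interpretation, so
    partition gaps and unallocated space are covered) and return one hit per
    match as (keyword, offset, sector, context). Searching the buffer as a
    whole also catches matches that straddle a sector boundary."""
    hits = []
    for spec in keywords:
        pattern = re.compile(re.escape(parse_keyword(spec)),
                             0 if case_sensitive else re.IGNORECASE)
        for m in pattern.finditer(image):
            start = m.start()
            context = image[max(0, start - 8): m.end() + 8]
            hits.append((spec, start, start // sector_size, context))
    return hits

def format_log(hits):
    """One log line per hit, as the Output command would record (format assumed)."""
    return ["%-14s offset=%-8d sector=%-5d %r" % h for h in hits]

def build_sample_image(sector_size=512) -> bytes:
    """Constructed four-sector image with text fragments at known offsets."""
    img = bytearray(4 * sector_size)
    img[100:119] = b"Confidential memo\r\n"   # sector 0, CRLF lands at offset 117
    img[1000:1012] = b"CONFIDENTIAL"          # sector 1, different case
    img[1500:1515] = b"confidentiality"       # sector 2: a false-positive hit
    return bytes(img)

if __name__ == "__main__":
    results = search_image(build_sample_image(), ["confidential", "0x0D0A"])
    for line in format_log(results):
        print(line)
```

The third "confidential" hit is the kind of false positive the slide warns about: the examiner still has to read the context column.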

16 DriveSpy Scripts
Run predefined commands
Similar to DOS batch files
Use them in all three DriveSpy modes
Creating a script
–Use any text editor (Notepad)
–Enter each command line by line
–Can call other script files

17 DriveSpy Scripts (continued)
Example: [script listing shown as an image on the original slide]

18 DriveSpy Data Integrity Tools
Wipe
–Overwrites possible sensitive data that can corrupt output data
–Works on sectors, partitions, drives, unallocated space, and MBR
–Available in Drive and Partition modes

19 DriveSpy Integrity Tools (continued)
MD5
–RFC-compliant MD5 function
–Hashes an entire partition, or specific files
–Available in Drive and Partition modes
Dbexport
–Creates a text file of all specified data in a file or disk
–Works only in Partition mode

20 DriveSpy Residual Data Collection Tools
Recover deleted files and unused space
SaveSlack
–Copies slack space from files on a partition
–8.3 filename with .dat as file extension
–Works only in Partition mode
SaveFree
–Collects all unallocated disk space on a partition
–Works only in Partition mode

21 Other Useful DriveSpy Command Tools
Get FAT Entry (GFE)
Chain FAT Entry (CFE)
Chain Directory Entry (CDE)
Trace Directory Cluster (TDC)

22 Other Useful DriveSpy Command Tools (continued)
Cluster
Boot
PartMap
Tables

23 Using Other Digital Intelligence Computer Forensics Tools
Using PDBlock
–Prevents data from being written to a disk drive
–Can only be used at a true MS-DOS level
–Turns off BIOS’s Interrupt 13
Using PDWipe
–Overwrites hard disk drives
–For sanitation purposes
–Wipe disk at least three to seven times

24 Using AccessData’s Forensic Toolkit
Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
Interacts with other tools
–EnCase, SafeBack, SaveSect
–Linux or UNIX dd command
Known File Filter (KFF)
–Can detect even child pornography evidence
–Uses digital hash signatures

25 Using AccessData’s Forensic Toolkit (continued)
Log file
Searching for keywords
–Indexed search
–Live search
–You can specify options
Analyzes compressed and encrypted files
You can generate reports using bookmarks

26 Using AccessData’s Forensic Toolkit (continued) [slide contains only a screenshot]

27 Using AccessData’s Forensic Toolkit (continued) [slide contains only a screenshot]

28 Using AccessData’s Forensic Toolkit (continued) [slide contains only a screenshot]

29 Using Guidance Software’s EnCase
Can access hard drives remotely
Floppy and CD boot disks
–Built-in software write-blocker
Built-in search feature
GUI-based application

30 Using Guidance Software’s EnCase (continued) [slide contains only a screenshot]

31 Using Guidance Software’s EnCase (continued) [slide contains only a screenshot]

32 Using Guidance Software’s EnCase (continued)
Options
–Bookmarks
–File signatures and hash sets
–Security identifiers (SIDs)
–Keywords
View
–Gallery
–Mail

33 Using Guidance Software’s EnCase (continued)
Timeline
–When items were created, deleted, or modified
Report View
Powerful scripting feature

34 Using Guidance Software’s EnCase (continued) [slide contains only a screenshot]

35 Using Guidance Software’s EnCase (continued) [slide contains only a screenshot]

36 Approaching Computer Forensics Cases
Know exactly what the case requires
Simply follow leads you uncover
–Physical evidence
–Digital evidence

37 Performing a Computer Forensics Analysis
Steps:
–Use recently wiped target disks
–Inventory suspect’s hardware
–Remove the original disk and check date and time on CMOS
–Record data acquisition steps
–Process the data methodically and logically
–List all directories and files on the copied image

38 Performing a Computer Forensics Analysis (continued)
Steps (continued):
–If possible, examine all directories and files starting at root
–Recover content of encrypted files
–Create a document with directory and file names on the evidence disk
–Identify functions of every executable file
–Always maintain control of evidence

39 Performing Forensic Analysis on Microsoft File Systems
Recommendations
–Use antivirus on bit-stream disk-to-disk copies
–Examine all boot files
–Recover all deleted files, slack, and unallocated space
FAT disk forensic analysis
–Create image volumes and store them on CDs
Be alert for compressed partitions

40 Performing Forensic Analysis on Microsoft File Systems (continued)
NTFS analysis tools
–DriveSpy
–NTI DiskSearch NT
–NTFSDOS
–GUI tools: FTK, EnCase, Pro Discover DFT, FactFind, and iLook

41 UNIX and Linux Forensic Analysis
Windows forensics tools
–EnCase
–FTK
–iLook
UNIX and Linux forensics tools
–Sleuthkit
–Knoppix-STD
–Autopsy
–TASK

42 Addressing Data-hiding Techniques
File manipulation
–File names and extensions
–Hidden property
Disk manipulation
–Hidden partitions
–Bad clusters
Encryption
–Bit shifting
–Steganography

43 Hiding Partitions
Delete references to a partition
–Re-create links for accessing it
Use disk-partitioning utilities
–PartitionMagic
–System Commander
–LILO
Account for all disk space when analyzing a disk

44 Marking Bad Clusters
Place sensitive information in free space
Use a disk editor to mark that space as a bad cluster
Common with FAT systems

45 Bit-shifting
Old technique
Shift bit patterns to alter byte values of data
Make files look like binary executable code
Tool
–Hex Workshop
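An added example, written for this page rather than taken from DriveSpy or Hex Workshop, that ties slide 9 (hexadecimal file headers and file groups identify a file even when its extension lies) to slide 45 (bit-shifted data no longer matches any header): the examiner tries every per-byte rotation and checks whether one exposes a known header. The header table is constructed for the example (the magic values themselves are the public signatures), and the sample JPEG prefix is constructed inline.

```python
# Constructed header table in the spirit of DriveSpy.ini [File Headers]/[File Groups]:
# magic bytes -> (file type, file group).
FILE_HEADERS = {
    b"\xff\xd8\xff": ("jpg", "images"),
    b"\x89PNG\r\n\x1a\n": ("png", "images"),
    b"GIF8": ("gif", "images"),
    b"%PDF": ("pdf", "documents"),
    b"PK\x03\x04": ("zip", "archives"),
    b"MZ": ("exe", "executables"),
}

def identify(data: bytes):
    """Return (type, group) for the longest header that matches, else None."""
    best = None
    for magic, info in FILE_HEADERS.items():
        if data.startswith(magic) and (best is None or len(magic) > len(best[0])):
            best = (magic, info)
    return best[1] if best else None

def extension_mismatch(filename: str, data: bytes):
    """Return the true type when the extension disagrees with the header, else None."""
    info = identify(data)
    if info is None:
        return None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return info[0] if info[0] != ext else None

def rotate_right(data: bytes, shift: int) -> bytes:
    """Rotate every byte right by `shift` bits; a rotation by 8 - n undoes a
    left rotation by n, so one function covers both directions."""
    shift %= 8
    return bytes(((b >> shift) | (b << (8 - shift))) & 0xFF for b in data)

def recover_shifted(data: bytes):
    """Try all eight per-byte rotations; return (shift, type, group) for the first
    one that exposes a known header (shift 0 means the data was not rotated),
    or None if no rotation produces a recognised header."""
    for shift in range(8):
        info = identify(rotate_right(data, shift))
        if info:
            return (shift,) + info
    return None

if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"        # constructed JPEG prefix
    print(extension_mismatch("notes.txt", jpeg))        # jpg
    hidden = rotate_right(jpeg, 5)                      # left-rotated by 3 bits
    print(identify(hidden), recover_shifted(hidden))    # None (3, 'jpg', 'images')
```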

46 Using Steganography
Greek for “hidden writing”
Suspect can hide information in image or text document files
Very hard to spot without prior knowledge
Tools
–S-Tools
–DPEnvelope
–jpgx
–tte

47 Examining Encrypted Files
Prevent unauthorized access
–Password or passphrase
Recovering data is difficult without the password
–Key escrow
–Cracking the password
Expert and powerful computers
–Persuade suspect to reveal password

48 Recovering Passwords
Dictionary attack
Brute-force attack
Password guessing based on suspect’s profile
Tools
–PRTK
–Advanced Password Recovery Software Toolkit
–LC5 (L0phtCrack)

49 Summary
Scope creep
Determine where the digital evidence is most likely stored
DriveSpy.ini comprises four sections
DriveSpy scripting capability
PDBlock and PDWipe tools

50 Summary (continued)
Forensics Toolkit (FTK)
Prepare your target disk
–Wipe it at least three to seven times
–Check for viruses
UNIX and Linux are used on Web servers
Data hiding conceals digital evidence
Steganography as a way to hide information

