Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008.


1 Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008

2 Review of Lectures 1-3
- Lecture 1: Overview of Digital Forensics
- Lecture 2: Background on Information Security
- Lecture 3: Data recovery, evidence collection, preservation and analysis

3 Review of Chapters 1-3 of Textbook
- Chapter 1: Understanding digital forensics
  - What is digital forensics, conducting an investigation, case law (Fourth Amendment)
- Chapter 2: Understanding investigations
  - Steps for an investigation: a systematic approach
  - Evidence collection and analysis
  - Report writing
- Chapter 3: Forensics laboratory
  - Physical requirements, workstation requirements, making a case to build a lab

4 Data Acquisition: Outline
- Types of acquisition
- Digital evidence storage formats
- Acquisition methods
- Contingency planning
- Using acquisition tools
- Validating data acquisition
- RAID acquisition methods
- Remote network acquisition tools
- Some forensics tools
- Reference: Chapter 4 of the textbook

5 Types of Acquisition
- Static acquisition
  - Acquire data from the original media, normally with the system powered off and the drive connected through a write blocker
  - The data on the original media does not change, so repeating the acquisition yields an identical image with the same hash
- Live acquisition
  - Acquire data while the system is running; this is the only way to capture volatile data such as the contents of RAM
  - A second live acquisition will not be the same, because the system state keeps changing between runs
- This lecture focuses on static acquisition

6 Digital Evidence Storage Formats
- Raw formats
  - Bit-by-bit copy of the data from the disk
  - Many tools can produce and read it (e.g., dd); a raw image carries no metadata, so the hash and the case notes must be recorded separately
- Proprietary formats
  - Vendors have their own formats (e.g., EnCase .E01), which typically add compression, case metadata and embedded integrity checks but require a tool that understands the format
- Standards
  - XML-based formats for digital evidence
  - Digital Evidence Markup Language (funded by the National Institute of Justice)
  - Experts have argued that technologies that allow disparate law enforcement jurisdictions to share crime-related information will greatly facilitate fighting crime. One of these technologies is the Global Justice XML Data Model (GJXDM).
  - http://ncfs.ucf.edu/digital_evd.html

7 Acquisition Methods
- Disk-to-image file: the whole drive is copied sector by sector into one or more image files (the most common method)
- Disk-to-disk: the whole drive is copied sector by sector onto a second drive, used when a disk-to-image tool cannot handle the source
- Logical acquisition
  - Acquire only certain files or folders, e.g. when the disk is too large to image in the time available
- Sparse acquisition
  - Similar to logical acquisition but also collects fragments of unallocated (i.e., deleted) data
- Logical and sparse acquisitions do not capture the whole drive, so slack space and unallocated areas outside the collected fragments are not preserved

8 Compression Methods
- Compression methods are used for very large data storage
  - E.g., terabytes/petabytes of storage
- Lossy vs. lossless compression
  - Lossless data compression is a class of data compression algorithms that allows the exact original data to be reconstructed from the compressed data. The term lossless is in contrast to lossy data compression, which only allows an approximation of the original data to be reconstructed, in exchange for better compression rates.
  - Only lossless compression is acceptable for a forensic image: the validation hash is computed over the uncompressed data, so a compressed image must decompress to exactly the same bytes

9 Contingency Planning
- A failure may occur during acquisition (unreadable sectors, power loss, a tool that cannot handle the drive)
  - Have recovery methods ready: retry with a different tool, or use a method that zero-fills unreadable sectors and records which ones failed
- Make multiple copies
  - At least 2 copies of the image, preferably made with different tools
- Use encryption/decryption techniques so that the evidence copies cannot be tampered with or read by unauthorized parties

10 Storage Area Network Security Systems
- High-performance networks that connect all the storage systems
  - After a disaster such as a terrorist attack or a natural disaster (9/11 or Katrina), the data has to remain available
  - Database systems are a special kind of storage system
- Benefits include centralized management, scalability, reliability and performance
- Security attacks on multiple storage devices
  - Secure storage is being investigated

11 Network Disaster Recovery Systems
- Network disaster recovery is the ability to respond to an interruption in network services by implementing a disaster recovery plan
- Policies and procedures have to be defined and subsequently enforced
- The plan specifies which machines to shut down, which backup servers to use, and when law enforcement should be notified

12 Using Acquisition Tools
- Acquisition tools have been developed for different operating systems, including Windows, Linux and Mac
- It is essential that the evidence drive is write-protected; otherwise the operating system alters it (mounting, journal replay, timestamp updates) and the original hash can no longer be reproduced
- Example acquisition method:
  - Document the chain of custody for the drive to be acquired
  - Remove the drive from the suspect's computer
  - Connect the suspect drive to a USB or FireWire write-blocker device (if USB, additionally enable the Windows registry write-protect feature: HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, value WriteProtect = 1)
  - Create a storage folder on the target drive

13 Using Acquisition Tools - 2
- Example tools include ProDiscover and AccessData FTK Imager
- Click All Programs and select the specific tool (e.g., ProDiscover)
- Perform the commands
  - E.g., Capture Image
- For additional security, use passwords (password-protect the image file)

14 Validating Data Acquisition
- Create hash values of the source drive and of the image and compare them
  - CRC-32 (older method, not collision-resistant), MD5, SHA series (SHA-1, SHA-256); MD5 collisions are known, so record at least one SHA hash alongside MD5
- Linux validation
  - Hash algorithms are included and can be executed with built-in commands (md5sum, sha1sum, sha256sum)
- Windows validation
  - No hash tools were built in at the time of this lecture, but it works with third-party programs (current Windows ships certutil -hashfile and PowerShell Get-FileHash)
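The disk-to-image method, the contingency plan for a drive that fails mid-acquisition, and the validation step above, put together as one runnable example. This is an added example, not code from the lecture or from the ProDiscover/FTK Imager tools it names: the "device" is a constructed in-memory object that fails on one sector, standing in for a suspect drive opened read-only behind a write blocker, and the 512-byte sector size and the sample disk contents are assumptions.

```python
"""Disk-to-image acquisition with on-the-fly hashing and read-error handling.

Added example, not from the lecture or any named tool. FlakyDevice is a
constructed stand-in for a raw disk; in a real acquisition the read loop
would run over the device file behind a write blocker.
"""
import hashlib
import io

SECTOR = 512  # sector size assumed for the constructed device


class FlakyDevice:
    """Constructed stand-in for a raw disk: raises OSError on bad sectors."""

    def __init__(self, data: bytes, bad_sectors=()):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_sectors)
        self.size = len(data)

    def read_sector(self, n: int) -> bytes:
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        self._buf.seek(n * SECTOR)
        return self._buf.read(SECTOR)


def acquire(dev, out, algos=("md5", "sha256")):
    """Disk-to-image copy: read every sector of dev and write it to out.

    An unreadable sector is logged and written as zeros so later sectors keep
    their original offsets (what dd conv=noerror,sync does). The hashes are
    computed over exactly the bytes written, so they describe the image.
    Returns (hashes, bad_sectors).
    """
    hashers = {a: hashlib.new(a) for a in algos}
    bad = []
    nsectors = (dev.size + SECTOR - 1) // SECTOR
    for n in range(nsectors):
        try:
            chunk = dev.read_sector(n)
        except OSError:
            bad.append(n)
            chunk = b"\x00" * min(SECTOR, dev.size - n * SECTOR)
        out.write(chunk)
        for hasher in hashers.values():
            hasher.update(chunk)
    return {a: hasher.hexdigest() for a, hasher in hashers.items()}, bad


def hash_stream(stream, algo="sha256") -> str:
    """Hash a finished image from the start, the way a validation tool does."""
    hasher = hashlib.new(algo)
    stream.seek(0)
    for chunk in iter(lambda: stream.read(1 << 16), b""):
        hasher.update(chunk)
    return hasher.hexdigest()


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate(image, recorded: dict) -> bool:
    """True only if every hash recorded at acquisition matches a fresh hash."""
    return all(hash_stream(image, algo) == digest for algo, digest in recorded.items())


def demo():
    source = bytes(range(256)) * 8                 # constructed 2048-byte disk
    dev = FlakyDevice(source, bad_sectors={2})     # sector 2 is unreadable
    image = io.BytesIO()
    digests, bad = acquire(dev, image)
    ok = validate(image, digests)
    # The image hash differs from a hash of the healthy source because sector 2
    # was zero-filled: the bad-sector list belongs in the acquisition notes.
    return digests, bad, ok, image.getvalue(), sha256_of(source)


if __name__ == "__main__":
    digests, bad, ok, img, src_hash = demo()
    print("bad sectors:", bad, "valid:", ok, "sha256:", digests["sha256"])
```

The point of hashing inside the acquisition loop is that the recorded digest describes what was actually written; when a sector had to be zero-filled, the image hash no longer equals a hash of the original drive, and only the bad-sector log explains the difference to a reviewer.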

15 Merkle Hash Signature Example
[Figure: a newspaper document tree (Newspaper -> Frontpage, Politic_page, Sport_page, Literary_page; the pages hold Articles, Leading news and Paragraphs built from title, Author, date, topic and paragraph elements), with each element labelled by its Merkle hash]
- MhX(Author) = h(h(Author) || h(Author.value))
- MhX(title) = h(h(title) || h(title.value))
- MhX(paragraph) = h(h(paragraph) || h(paragraph.content) || MhX(Author) || MhX(title))
- The hash of an element covers its name, its content and the Merkle hashes of its children, so one signature over the root hash authenticates the whole tree
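The MhX computation from the slide, carried through in code as an added example (not from the lecture). The slide leaves h abstract; SHA-256 is assumed here, and the newspaper tree, its element values and the Stub/prune helpers for partial disclosure are constructed for the example.

```python
"""Merkle hash over an XML-like document tree (the MhX scheme on the slide).

Added example, not from the lecture. h is SHA-256 by assumption; the
sample newspaper tree mirrors the slide's figure with made-up values.
"""
import hashlib


def h(data: bytes) -> bytes:
    """The hash function h(.) of the scheme (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


class Node:
    """An element with a name, its own text content and ordered children."""

    def __init__(self, name: str, value: bytes = b"", children=()):
        self.name, self.value, self.children = name, value, list(children)


class Stub:
    """A pruned subtree of which only the Merkle hash is kept."""

    def __init__(self, digest: bytes):
        self.digest = digest


def mhx(node) -> bytes:
    """MhX(n) = h( h(name) || h(value) || MhX(c1) || ... || MhX(ck) ).

    A leaf reduces to h(h(name) || h(value)), as MhX(Author) on the slide.
    """
    if isinstance(node, Stub):
        return node.digest
    acc = h(node.name.encode()) + h(node.value)
    for child in node.children:
        acc += mhx(child)
    return h(acc)


def build_newspaper() -> Node:
    """Constructed sample tree following the slide's figure."""
    def article(title, author, text):
        return Node("Article", children=[
            Node("title", title),
            Node("Author", author),
            Node("paragraph", text, children=[Node("Author", author), Node("title", title)]),
        ])
    return Node("Newspaper", children=[
        Node("Frontpage", children=[
            Node("title", b"Daily"), Node("date", b"2008-09-08"),
            Node("Leading_news", children=[article(b"Headline", b"A. Writer", b"Lead text")])]),
        Node("Politic_page", children=[article(b"Vote", b"B. Reporter", b"Politics text")]),
        Node("Sport_page", children=[article(b"Match", b"C. Sports", b"Sport text")]),
        Node("Literary_page", children=[Node("Paragraphs", children=[
            Node("paragraph", b"Prose", children=[Node("Author", b"D. Poet"), Node("title", b"Ode")])])]),
    ])


def prune(node, drop: str):
    """Replace every child element named `drop` with its hash stub.

    A recipient who is sent only part of the document plus the stubs can
    still recompute the root hash and check the signature over it.
    """
    if isinstance(node, Stub):
        return node
    kids = [Stub(mhx(c)) if (not isinstance(c, Stub) and c.name == drop) else prune(c, drop)
            for c in node.children]
    return Node(node.name, node.value, kids)


if __name__ == "__main__":
    tree = build_newspaper()
    print("root MhX:", mhx(tree).hex())
    print("same root without Sport_page:", mhx(prune(tree, "Sport_page")) == mhx(tree))
```

Because every parent hash binds the hashes of its children, changing any title, author or paragraph content changes the root, while omitting a whole subtree and supplying its stub leaves the root unchanged; that is what makes one signature over the root usable for partial disclosure.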

16 RAID Acquisition Methods
- RAID: Redundant Array of Independent Disks
- RAID storage is used for large volumes and to support replication
- Data is stored using multiple methods
  - E.g., striping (RAID 0: consecutive blocks alternate across the disks), mirroring (RAID 1: identical copies), striping with parity (RAID 5)
- When a RAID is acquired, image every member disk separately and then rebuild the logical volume; special tools are needed depending on how the data is stored, because the stripe size, disk order and parity layout must be known to reassemble the data
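What "rebuilding the logical volume" means for the striping case, as an added example that is not from the lecture or any RAID tool: the member images are constructed in memory, the controller is assumed to place stripe i on disk i mod n, and the candidate stripe sizes and the known file used to recover the layout are assumptions.

```python
"""RAID-0 (striped) volume reassembly from separately acquired member images.

Added example, not from the lecture. The member images are constructed in
memory; in a case they would be the images acquired from each physical
disk. Stripe size and disk order are the unknowns the examiner recovers.
"""
import hashlib
import itertools


def stripe_raid0(volume: bytes, ndisks: int, stripe: int) -> list:
    """Lay a logical volume out the way a RAID-0 controller is assumed to:
    stripe i goes to disk i % ndisks. Used here only to build sample images."""
    disks = [bytearray() for _ in range(ndisks)]
    for i in range(0, len(volume), stripe):
        disks[(i // stripe) % ndisks] += volume[i:i + stripe]
    return [bytes(d) for d in disks]


def destripe_raid0(members, stripe: int) -> bytes:
    """Rebuild the logical volume from member images given in controller order."""
    out = bytearray()
    rows = max(len(m) for m in members) // stripe + 1
    for row in range(rows):
        for m in members:
            out += m[row * stripe:(row + 1) * stripe]
    return bytes(out)


def find_layout(members, known: bytes, stripe_sizes=(512, 1024, 4096, 65536)):
    """Recover disk order and stripe size by brute force: only the right pair
    reassembles a known contiguous byte string (e.g. a file the examiner
    already has) intact. `known` must be longer than a stripe and must not be
    periodic, otherwise more than one layout can contain it."""
    for stripe in stripe_sizes:
        for order in itertools.permutations(range(len(members))):
            if known in destripe_raid0([members[i] for i in order], stripe):
                return list(order), stripe
    return None


def demo():
    # Constructed volume: 0xAA filler with a non-repeating 2016-byte "file" at
    # offset 300, so that the file spans several 512-byte stripes.
    known = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(63))
    volume = b"\xaa" * 300 + known + b"\xaa" * (4096 - 300 - len(known))
    disks = stripe_raid0(volume, ndisks=3, stripe=512)
    shuffled = [disks[2], disks[0], disks[1]]      # images labelled in the wrong order
    layout = find_layout(shuffled, known)
    order, stripe = layout
    rebuilt = destripe_raid0([shuffled[i] for i in order], stripe)
    return volume, shuffled, layout, rebuilt


if __name__ == "__main__":
    volume, shuffled, layout, rebuilt = demo()
    print("recovered order/stripe:", layout, "volume intact:", rebuilt == volume)
```

Imaging the array through the controller would hide none of this, but it also depends on the controller still working and being configured as it was; imaging the members and reassembling offline is what keeps the acquisition reproducible.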

17 Remote Network Acquisition Tools
- Preview the suspect's files remotely while the computer is in use or powered on
- Perform a live acquisition while the suspect's computer is powered on
- Encrypt the connection between the suspect's computer and the examiner's computer
- Copy the RAM while the computer is powered on
- Use stealth mode to hide the remote connection from the suspect's computer
- Features vary between the individual tools (ProDiscover, EnCase)

18 Some Forensics Tools
- ProDiscover
  - http://www.techpathways.com/prodiscoverdft.htm
  - http://www.techpathways.com/DesktopDefault.aspx
- EnCase
  - http://www.guidancesoftware.com/
  - http://www.guidancesoftware.com/products/ef_index.asp
- NTI SafeBack
  - http://www.forensics-intl.com/safeback.html

