COS 413 Day 13. Agenda Questions? Assignment 4 Due Assignment 5 posted –Due Oct 21 Capstone proposal Due Oct 17 Lab 5 on Oct 15 in N105 –Hands-on Projects.

COS 413 Day 13

Agenda
Questions?
Assignment 4 Due
Assignment 5 posted
–Due Oct 21
Capstone proposal Due Oct 17
Lab 5 on Oct 15 in N105
–Hands-on Projects 7-1 through 7-5 on Pages
We are skipping Chap 8
Quiz 2 on Oct 24?
–Chaps 6, 7, 9 & 10
–Open book, Open notes
–20 M/C and 5 essays
Discussion on Computer Forensics Analysis and Validation

Chapter 9: Computer Forensics Analysis and Validation
Guide to Computer Forensics and Investigations, Third Edition

Objectives
Determine what data to analyze in a computer forensics investigation
Explain tools used to validate data
Explain common data-hiding techniques
Describe methods of performing a remote acquisition

Determining What Data to Collect and Analyze
Examining and analyzing digital evidence depends on:
–Nature of the case
–Amount of data to process
–Search warrants and court orders
–Company policies
Scope creep
–Investigation expands beyond the original description
Right of full discovery of digital evidence

Approaching Computer Forensics Cases
Some basic principles apply to almost all computer forensics cases
–The approach you take depends largely on the specific type of case you’re investigating
Basic steps for all computer forensics investigations
–For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses

Approaching Computer Forensics Cases (continued)
Basic steps for all computer forensics investigations (continued)
–Inventory the hardware on the suspect’s computer and note the condition of the computer when seized
–Remove the original drive from the computer; check date and time values in the system’s CMOS
–Record how you acquired data from the suspect drive; use hashes to validate it
–Process the data methodically and logically

Approaching Computer Forensics Cases (continued)
Basic steps for all computer forensics investigations (continued)
–List all folders and files on the image or drive
–If possible, examine the contents of all data files in all folders, starting at the root directory of the volume partition
–For all password-protected files that might be related to the investigation, make your best effort to recover file contents

Approaching Computer Forensics Cases (continued)
Basic steps for all computer forensics investigations (continued)
–Identify the function of every executable (binary or .exe) file that doesn’t match known hash values
–Maintain control of all evidence and findings, and document everything as you progress through your examination

Refining and Modifying the Investigation Plan
Considerations
–Determine the scope of the investigation
–Determine what the case requires
–Whether you should collect all information
–What to do in case of scope creep
The key is to start with a plan but remain flexible in the face of new evidence

Using AccessData Forensic Toolkit to Analyze Data
Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
FTK can analyze data from several sources, including image files from other vendors
FTK produces a case log file
Searching for keywords
–Indexed search
–Live search
–Supports options and advanced searching techniques, such as stemming

Using AccessData Forensic Toolkit to Analyze Data (continued)
Analyzes compressed files
You can generate reports
–Using bookmarks

Validating Forensic Data
One of the most critical aspects of computer forensics
Ensuring the integrity of data you collect is essential for presenting evidence in court
Most computer forensic tools provide automated hashing of image files
Computer forensics tools have some limitations in performing hashing
–Learning how to use advanced hexadecimal editors is necessary to ensure data integrity

Validating with Hexadecimal Editors
Advanced hexadecimal editors offer many features not available in computer forensics tools
–Such as hashing specific files or sectors
Hex Workshop provides several hashing algorithms
–Such as MD5 and SHA-1
–See Figures 9-4 through 9-6
Hex Workshop also generates the hash value of selected data sets in a file or sector

Validating with Hexadecimal Editors (continued)
Using hash values to discriminate data
–AccessData has a separate database, the Known File Filter (KFF)
  Filters known program files from view, such as MSWord.exe, and identifies known illegal files, such as child pornography
–KFF compares known file hash values to files on your evidence drive or image files
–Periodically, AccessData updates these known file hash values and posts an updated KFF

Validating with Computer Forensics Programs
Commercial computer forensics programs have built-in validation features
ProDiscover’s .eve files contain metadata that includes the hash value
–Validation is done automatically
Raw format image files (.dd extension) don’t contain metadata
–So you must validate raw format image files manually to ensure the integrity of data

Validating with Computer Forensics Programs (continued)
In AccessData FTK Imager
–When you select the Expert Witness (.e01) or the SMART (.s01) format, additional options for validating the acquisition are displayed
–Validation report lists MD5 and SHA-1 hash values
Figure 9-7 shows how ProDiscover’s built-in validation feature works
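To make the validation slides above concrete (hashing a raw .dd image the way a hex editor would, checking it against the values recorded at acquisition, and KFF-style filtering of files by known hash), here is an added Python example; it is not from the textbook or from AccessData. The b"abc" image, its recorded hashes (the published MD5 and SHA-1 test vectors for "abc") and the KFF hash sets are constructed samples.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20   # read 1 MiB at a time so a multi-GB image never has to fit in memory

def hash_image(path, algorithms=("md5", "sha1")):
    """Hash a raw (.dd) image the way a hex editor would: every byte, in order."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def validate_image(path, recorded):
    """Compare the image's current hashes with the values recorded at acquisition.
    Any False means the copy can no longer be shown to match the original."""
    computed = hash_image(path, tuple(recorded))
    return {name: computed[name] == recorded[name].lower() for name in recorded}

def kff_filter(file_hashes, known_good, known_bad):
    """KFF-style triage of {filename: hash}: hide known program files, flag known
    illegal files, and leave everything else for the examiner to review."""
    ignore, alert, review = [], [], []
    for name, digest in file_hashes.items():
        if digest in known_bad:
            alert.append(name)
        elif digest in known_good:
            ignore.append(name)
        else:
            review.append(name)
    return ignore, alert, review

# Constructed sample: the bytes b"abc" stand in for an image; their MD5 and SHA-1
# are the published test vectors, so they play the role of the acquisition record.
SAMPLE = b"abc"
RECORDED = {"md5": "900150983cd24fb0d6963f7d28e17f72",
            "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}

def demo():
    """Validate the sample image, then flip one byte and validate again."""
    path = os.path.join(tempfile.mkdtemp(), "sample.dd")
    with open(path, "wb") as f:
        f.write(SAMPLE)
    before = validate_image(path, RECORDED)
    with open(path, "r+b") as f:      # simulate a single-byte change after acquisition
        f.seek(1)
        f.write(b"B")
    after = validate_image(path, RECORDED)
    return before, after

if __name__ == "__main__":
    print(demo())
    print(kff_filter({"winword.exe": "aaa", "img001.jpg": "bbb", "notes.txt": "ccc"},
                     known_good={"aaa"}, known_bad={"bbb"}))
```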

Addressing Data-hiding Techniques
File manipulation
–Filenames and extensions
–Hidden property
Disk manipulation
–Hidden partitions
–Bad clusters
Encryption
–Bit shifting
–Steganography

Hiding Partitions
Delete references to a partition using a disk editor
–Re-create links for accessing it
Use disk-partitioning utilities
–GDisk
–PartitionMagic
–System Commander
–LILO
Account for all disk space when analyzing a disk
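Added example (not from the textbook or any of the tools listed) of the last point, accounting for all disk space: it parses an MBR partition table and lists the sector ranges that no entry claims, which is where a partition whose references were deleted would sit. The 4096-sector disk and its two partition entries are constructed.

```python
import struct

def parse_mbr(mbr: bytes):
    """Return the primary partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, size = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype != 0 or size != 0:   # a type of 0 with a nonzero size is itself worth noting
            parts.append({"index": i + 1, "type": ptype, "start": lba,
                          "sectors": size, "bootable": status == 0x80})
    return parts

def unallocated_ranges(parts, total_sectors):
    """Inclusive sector ranges that no partition entry claims (sector 0, the MBR, excluded).
    Space before the first partition is normal alignment slack; large holes between
    or after partitions are where a deleted or hidden partition would sit."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def audit_disk(mbr: bytes, total_sectors: int):
    """Every sector must be accounted for: return (partitions, gaps, unallocated sector count)."""
    parts = parse_mbr(mbr)
    gaps = unallocated_ranges(parts, total_sectors)
    return parts, gaps, sum(hi - lo + 1 for lo, hi in gaps)

def _entry(ptype, lba, size, bootable=False):
    """Build one 16-byte partition entry (CHS fields left zero) for the constructed sample."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, size)

# Constructed sample: a 4096-sector disk whose table lists two NTFS (type 0x07) partitions
# with a 1500-sector hole between them and 533 sectors after the last one.
MBR = bytearray(512)
MBR[446:462] = _entry(0x07, 63, 1000, bootable=True)
MBR[462:478] = _entry(0x07, 2563, 1000)
MBR[510:512] = b"\x55\xAA"
TOTAL_SECTORS = 4096

if __name__ == "__main__":
    parts, gaps, unalloc = audit_disk(bytes(MBR), TOTAL_SECTORS)
    for p in parts:
        print(f"partition {p['index']}: type 0x{p['type']:02x} "
              f"sectors {p['start']}-{p['start'] + p['sectors'] - 1}")
    print("unallocated ranges:", gaps, "| total unallocated sectors:", unalloc)
```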

Marking Bad Clusters
Common with FAT systems
Place sensitive information on free space
Use a disk editor to mark space as a bad cluster
To mark a good cluster as bad using Norton Disk Edit
–Type B in the FAT entry corresponding to that cluster
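Added example, not from the textbook or Norton Disk Edit, of the examiner's side of this technique: it walks a FAT16 table, lists the clusters marked bad (assuming the standard FAT16 bad-cluster marker 0xFFF7), pulls their contents for review, and checks that the two FAT copies agree, since a hand-edited table often leaves the copies out of step. The tiny volume is constructed.

```python
import struct

BAD16 = 0xFFF7    # standard FAT16 "bad cluster" marker (assumes a FAT16 volume)
FREE16 = 0x0000

def classify_fat16(fat: bytes, total_clusters: int):
    """Classify every data cluster of one FAT16 copy as bad, free or used.
    Data clusters are numbered from 2; entries 0 and 1 are reserved."""
    bad, free, used = [], [], []
    for n in range(2, total_clusters + 2):
        (entry,) = struct.unpack_from("<H", fat, n * 2)
        if entry == BAD16:
            bad.append(n)
        elif entry == FREE16:
            free.append(n)
        else:
            used.append(n)
    return bad, free, used

def cluster_bytes(image: bytes, data_start: int, cluster_size: int, n: int) -> bytes:
    """Raw content of data cluster n (cluster 2 is the first cluster of the data area)."""
    off = data_start + (n - 2) * cluster_size
    return image[off:off + cluster_size]

def bad_cluster_report(image, fat1_off, fat2_off, fat_size, data_start, cluster_size, total_clusters):
    """Return (bad_clusters, {cluster: content}, fats_agree). A cluster flagged bad that
    holds readable data, or two FAT copies that disagree, deserves a closer look."""
    fat1 = image[fat1_off:fat1_off + fat_size]
    fat2 = image[fat2_off:fat2_off + fat_size]
    bad, _, _ = classify_fat16(fat1, total_clusters)
    previews = {n: cluster_bytes(image, data_start, cluster_size, n).rstrip(b"\0") for n in bad}
    return bad, previews, fat1 == fat2

# Constructed sample volume: two FAT copies followed by 8 data clusters of 16 bytes.
CLUSTER = 16
ENTRIES = [0xFFF8, 0xFFFF,          # reserved entries 0 and 1
           0x0003, 0x0004, 0xFFFF,  # chain 2 -> 3 -> 4 -> end of file
           0x0000,                  # cluster 5 free
           0xFFF7, 0xFFF7,          # clusters 6 and 7 marked bad
           0x0000,                  # cluster 8 free
           0xFFFF]                  # cluster 9: a one-cluster file
FAT1 = struct.pack("<10H", *ENTRIES)
FAT2 = FAT1                          # change FAT2 to see the mismatch flag trip
DATA = bytearray(8 * CLUSTER)
DATA[4 * CLUSTER:4 * CLUSTER + 11] = b"hidden note"   # "bad" cluster 6 actually holds text
IMAGE = bytes(FAT1 + FAT2 + DATA)
FAT_SIZE = len(FAT1)

def demo():
    return bad_cluster_report(IMAGE, 0, FAT_SIZE, FAT_SIZE, 2 * FAT_SIZE, CLUSTER, 8)

if __name__ == "__main__":
    bad, previews, agree = demo()
    print("clusters marked bad:", bad, "| FAT copies agree:", agree)
    for n, content in previews.items():
        print(f"  cluster {n}: {content!r}")
```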

Bit-shifting
Old technique
Shift bit patterns to alter byte values of data
Make files look like binary executable code
Tool
–Hex Workshop
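Added example, not from the textbook or Hex Workshop, of how an examiner can test a suspect blob for bit-shifting: try all eight per-byte rotations and keep the most text-like result. Modelling the shift as a per-byte rotation is an assumption (which bit operation a given tool applied is for the examiner to establish); the note and its shifted form are constructed.

```python
def rotate_left(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits (n = 0..7); rotating by 8 - n undoes it."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def recover_bit_shift(data: bytes):
    """Try all eight rotations of a suspect blob and return (rotation, candidate,
    score) for the most text-like result; a score near 1.0 at a rotation other
    than 0 is a strong sign the bytes were bit-shifted rather than compiled code."""
    candidates = [(k, rotate_left(data, k)) for k in range(8)]
    k, candidate = max(candidates, key=lambda kc: printable_ratio(kc[1]))
    return k, candidate, printable_ratio(candidate)

# Constructed sample: a plain-text note that was rotated right by 3 bits, which
# pushes most of its bytes outside the printable range.
ORIGINAL = b"Meeting moved to the warehouse on Friday.\n"
OBSCURED = rotate_left(ORIGINAL, 8 - 3)

if __name__ == "__main__":
    print("as found:", OBSCURED[:12].hex(), "printable ratio",
          round(printable_ratio(OBSCURED), 2))
    k, text, score = recover_bit_shift(OBSCURED)
    print(f"rotate left by {k} -> {text!r} (score {score:.2f})")
```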

Using Steganography to Hide Data
Greek for “hidden writing”
Steganography tools were created to protect copyrighted material
–By inserting digital watermarks into a file
Suspect can hide information on image or text document files
–Most steganography programs can insert only small amounts of data into a file
Very hard to spot without prior knowledge
Tools: S-Tools, DPEnvelope, jpgx, and tte

Examining Encrypted Files
Prevent unauthorized access
–Employ a password or passphrase
Recovering data is difficult without password
–Key escrow
  Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
–Cracking password
  Expert and powerful computers
–Persuade suspect to reveal password

Recovering Passwords
Techniques
–Dictionary attack
–Brute-force attack
–Password guessing based on suspect’s profile
Tools
–AccessData PRTK
–Advanced Password Recovery Software Toolkit
–John the Ripper

Recovering Passwords (continued)
Using AccessData tools with passworded and encrypted files
–AccessData offers a tool called Password Recovery Toolkit (PRTK)
  Can create possible password lists from many sources
–Can create your own custom dictionary based on facts in the case
–Can create a suspect profile and use biographical information to generate likely passwords

Recovering Passwords (continued)
Using AccessData tools with passworded and encrypted files (continued)
–FTK can identify known encrypted files and those that seem to be encrypted, and export them
–You can then import these files into PRTK and attempt to crack them

Performing Remote Acquisitions
Remote acquisitions are handy when you need to image the drive of a computer far away from your location
–Or when you don’t want a suspect to be aware of an ongoing investigation

Remote Acquisitions with Runtime Software
Runtime Software offers the following shareware programs for remote acquisitions:
–DiskExplorer for FAT
–DiskExplorer for NTFS
–HDHOST
Preparing DiskExplorer and HDHOST for remote acquisitions
–Requires the Runtime Software, a portable media device (USB thumb drive or floppy disk), and two networked computers

Remote Acquisitions with Runtime Software (continued)
Making a remote connection with DiskExplorer
–Requires running HDHOST on a suspect’s computer
–To establish a connection with HDHOST, the suspect’s computer must be:
  Connected to the network
  Powered on
  Logged on to any user account with permission to run noninstalled applications
–HDHOST can’t be run surreptitiously
–See Figures 9-18 through 9-24

Remote Acquisitions with Runtime Software (continued)
Making a remote acquisition with DiskExplorer
–After you have established a connection with DiskExplorer from the acquisition workstation, you can navigate through the suspect computer’s files and folders or copy data
–The Runtime tools don’t generate a hash for acquisitions

Summary
Examining and analyzing digital evidence depends on the nature of the investigation and the amount of data you have to process
For most computer forensics investigations, you follow the same general procedures
One of the most critical aspects of computer forensics is validating digital evidence

Summary (continued)
Data hiding involves changing or manipulating a file to conceal information
Remote acquisitions are useful for making an image of a drive when the computer is far away from your location or when you don’t want a suspect to be aware of an ongoing investigation