Computer Forensics Infosec Pro Guide Ch 6 Testing Your Tools.

Slides:



Advertisements
Similar presentations
Computer Forensics Infosec Pro Guide
Advertisements

CSN08101 Digital Forensics Lecture 6: Acquisition
OPEN SOURCE TOOLS Dr. Abraham Professor UTPA. Open Source Freely redistributable Provides access to source code End user may modify source code.
Guide to Computer Forensics and Investigations Fifth Edition
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition
COS 413 Day 13. Agenda Questions? Assignment 4 Due Assignment 5 posted –Due Oct 21 Capstone proposal Due Oct 17 Lab 5 on Oct 15 in N105 –Hands-on Projects.
Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Third Edition
1 CSCD496 Computer Forensics Lecture 5 Applying Process to Computer Forensics Winter 2010.
Collection of Evidence Computer Forensics 152/252.
The Origin of the VM/370 Time-sharing system Presented by Niranjan Soundararajan.
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
COEN 252 Computer Forensics
To run the program: To run the program: You need the OS: You need the OS:
Red Hat Installation. Installing Red Hat Linux is the process of copying operating system files from a CD, DVD, or USB flash drive to hard disk(s) on.
Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.
Hands-on: Capturing an Image with AccessData FTK Imager
VMWare Workstation Installation. Starting Vmware Workstation Go to the start menu and start the VMware Workstation program. *Note: The following instructions.
Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition.
Passwords, Encryption Forensic Tools
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
COEN 252 Computer Forensics Windows Evidence Acquisition Boot Disk.
Forensic Artifacts From A Pass The Hash (PtH) Attack
IT GOVERNANCE AND CYBERCRIME Open Source Forensic Tools 19/04/10.
Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations, Second Edition Chapter 2 Understanding Computer Investigation.
Hands-On Virtual Computing
Teaching Digital Forensics w/Virtuals By Amelia Phillips.
Chapter 9 Computer Forensics Analysis and Validation Guide to Computer Forensics and Investigations Fourth Edition.
Preserving Evidence ● Number one priority ● Must also find incriminating evidence ● Must search the contents of the hard drive ● Can not change the hard.
Chapter 8 Implementing Disaster Recovery and High Availability Hands-On Virtual Computing.
Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.
Exercise #1: Exploring Open- Source Operating Systems with Virtual Machines J. H. Wang Mar. 9, 2010.
Data Recovery Techniques Florida State University CIS 4360 – Computer Security Fall 2006 December 6, 2006 Matthew Alberti Horacesio Carmichael.
Guide to Computer Forensics and Investigations Fourth Edition
Chapter 9 Computer Forensics Analysis and Validation Guide to Computer Forensics and Investigations Fourth Edition.
Configuring Data Protection Chapter 12 powered by dj.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008.
VMWare Workstation Installation. Starting Vmware Workstation Go to the start menu and start the VMware Workstation program. *Note: The following instructions.
Virtualization Infrastructure Administration Virtual machine Jakub Yaghob.
Exercise #1: Exploring Open- Source Operating Systems with Virtual Machines J. H. Wang Sep. 25, 2015.
CJ 317 – Computer Forensics
Forensics Jeff Wang Code Mentor: John Zhu (IT Support)
Mastering Windows Network Forensics and Investigation Chapter 17: The Challenges of Cloud Computing and Virtualization.
COEN 252: Computer Forensics Hard Drive Evidence.
Chapter 3 Data Acquisition Guide to Computer Forensics and Investigations Fifth Edition All slides copyright Cengage Learning with additional info from.
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
By: Jeremy Henry. Road Map  What is a cybercrime?  Statistics.  Tools used by an investigator.  Techniques and procedures used.  Specific case.
Computer Forensics Tim Foley COSC 480 Nov. 17, 2006.
Chapter 8 Forensic Duplication Spring Incident Response & Computer Forensics.
Chapter 11 Analysis Methodology Spring Incident Response & Computer Forensics.
By: Tom Maloney. Overview What is ProDiscover What it can be used for A few quick tools A real example ProDiscover vs. ENCASE ProDiscover IR Applications.
Virtual PC 2007 Virtualization for Fermi Desktops KTF
VIRTUAL MACHINE – VMWARE. VIRTUAL MACHINE (VM) What is a VM? – A virtual machine (VM) is a software implementation of a computing environment in which.
VMware Recovery Software RECOVER DATA FROM CORRUPT VMDK FILE.
By: Tom Maloney. Overview What is ProDiscover What it can be used for A few quick tools A real example ProDiscover vs. ENCASE ProDiscover IR Applications.
Using Virtualization in the Classroom
Creighton Barrett Dalhousie University Archives
Forensics Forensic Acquisition.
Hands-On Virtualization in the Classroom
Lab #1 Install Linux & How to Build Live CD
CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Forensic Concept of Data
COEN 252: Computer Forensics
Different types of Linux installation
Guide to Computer Forensics and Investigations Third Edition
Forensic Recovery of Evidence Device (FRED)
1 Guide to Computer Forensics and Investigations Sixth Edition Chapter 3 Data Acquisition.
Presentation transcript:

Computer Forensics Infosec Pro Guide Ch 6 Testing Your Tools

Topics How and when to test your tools Where to get test evidence How and where to access forensic challenges How and where to access tool testing images

When Do You Need to Test? To collect data for public research or presentations – If you find a new technique, the original case data is probably confidential – You need public test data To test a forensic method To test a tool For private tests, you can use your own old cases

Evidence File Formats Raw Images – Also called "dd images" – Uncompressed: same size as the original evidence drive – Simple bitwise copy of the drive, no container – May be broken into a series of files with fixed siize – Works in all forensic tools

Evidence File Formats E01 (Expert Witness format) – Used by EnCase – Compressed – Wrapped in a file with other data, such as hashes – Not supported by all tools

Evidence File Formats Not supported by all tools – AFF (Advanced Forensic Format) Open source forensic image format – S01 Raw image compressed with gzip Geometry and hashes in a separate file – AD1 AccessData's format

Creating Your Own Test Images

Using a Virtual Machine Install the OS install same applications and service packs/patches as the system you are re- creating Create same data you are testing for Exit the VM and either create a forensic image, or feed the virtual drive into your forensic tool directly – Directly connecting it may risk altering the data

Tools to Work with Virtual Hard Disks VMXRay (link Ch 6a) VMware’s Virtual Disk Development Kit – Link Ch 6b Encase, FTK, and FTK Imager all support reading virtual hard disks, including VMware

SmartMount from ASR Data Mount forensic images in VMware and run them (link Ch 6c) Changes are store in an "overlay" file, so they never affect the forensic image itself

Live View Free, Java-based tool Converts dd images to VMware virtual machines All changes to VM are written to a separate file, to make it easy to return to the original state – Link Ch 6d

Forensic Challenges

LearnForensics YouTube Channel Link Ch 6f

Honeynet Challenges Link Ch 6g

DC3 Challenge From US DoD A year long Includes unanswered questions that require you to develop new tools – Ch 6h

DFRWS Challenge (Digital Forensics Research Workshop) Smartphone evidence re: an arms dealer – Link Ch 6i – image from Wikipedia

SANS Forensic Challenges Link Ch 6j

High School Forensic Challenge Link Ch 6k

Network Forensics Puzzle Contest

Tool Testing Images

Digital Forensic Tool Testing Images (Sourceforge) – Link Ch 6k NIST Computer Forensics Reference Data Sets Images – Including "The Hacking Case" – Link Ch 6l

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.