Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Forensics Dr. Bhavani Thuraisingham

Published byLuiz Eduardo Henriques Vidal Modified over 5 years ago

Similar presentations

Presentation on theme: "Digital Forensics Dr. Bhavani Thuraisingham"— Presentation transcript:

1 Digital Forensics Dr. Bhavani Thuraisingham
The University of Texas at Dallas Lecture #10 Forensics Tools and Standards September 23, 2009

2 Outline Review Forensics Tools Standards File Systems (Unix, Linux)
Reference: Chapters 7 and 8 of Textbook

3 Review Part 2: Lecture #8: Windows File System and Forensics
Lecture #9: Forensics Tools

4 Forensics Tools Hardware Forensics Tools
Range from single purpose components (e.g., devices) to complete systems (forensics workstations) Software Forensics Tools Analysis tools such ProDiscover and EnCase

5 Functions of Forensics Tools
Acquisition Validation and Discrimination Extraction Reconstruction Reporting Comparison of some forensics tools are given on page 277 of Textbook (ProDiscover, AccessData, EnCase)

6 Functions of Forensics Tools - 2
Acquisition Tools for data acquisition Physical data copy, logical data copy, data acquiring format, GUI acquisition Validation and Discrimination Integrity of the data, Also includes hashing, filtering, analyzing file headers Extraction Recovery task Data viewing, Keyword searching, Decompressing Reconstruction Reporting

7 Functions of Forensics Tools - 3
Reconstruction Recreate the crime scene (suspect drive) Disk to disk copy, Image to disk copy, etc. Reporting Reporting generation tools help the examiner the prepare report Also helps to log reports

8 Software Tools Command line forensics tools Unix/Linux forensics tools
SMART, Helix, Autopsy and Sleuth Kit GUI Forensics Tools Visualizing the data is important to understand the data

9 Hardware Tools Forensics workstations How to build a workstation
What are the components How are the workstations connected in a lab How can distributed forensics be carried out Write Blockers Write blocker devoices to protect evidence disks (see the discussion in Chapter 4 under data acquisition)

10 Validating Forensics Tools
NIST (National Institute of Standards and Technology) is coming up with standards for validation (will be discussed under standards) Establish categories for forensics tools, Identify forensics category requirements, Develop test assertions Identify test cases Establish test method Report test results NIST (National Institute of Standards and Technology) is coming up with standards for validation (will be discussed under standards Chapter 7 discusses validation protocols as well as some examination protocols

11 NIST Standards There are three digital forensics projects at the National Institute of Standards and Technology (NIST). These projects are supported by the U.S. Department of Justice's National Institute of Justice (NIJ), federal, state, and local law enforcement, and the National Institute of Standards and Technology Office of Law Enforcement Standards (OLES) to promote efficient and effective use of computer technology in the investigation of crimes involving computers. These projects are the following: • National Software Reference Library (NSRL) • Computer Forensic Tool Testing (CFTT) • Computer Forensic Reference Data Sets (CFReDS)

12 NSRL The NSRL is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) including hashes of known files created when software is installed on a computer. The law enforcement community approached NIST requesting a software library and signature database that meets four criteria: • The organizations involved in the implementation of the file profiles must be unbiased and neutral. • Control over the quality of data provided by the database must be maintained. • A repository of original software must be made available from which data can be reproduced. • The database must provide a wide range of capabilities with respect to the information that can be obtained from file systems under investigation.

13 NSRL The primary focus of the NSRL is to aid computer forensics examiners in their investigations of computer systems. The majority of stakeholders are in federal, state and local law enforcement in the United States and internationally. These organizations typically use the NSRL data to aid in criminal investigations.

14 CFTT The goal of the CFTT project at NIST is to establish a methodology for testing computer forensic software tools through the development of general tool specifications, test procedures, test criteria, test sets, and test hardware. The results provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for interested parties to understand the tools capabilities. The testing methodology developed by NIST is functionality driven. The activities of forensic investigations are separated into discrete functions, such as hard disk write protection, disk imaging, string searching, etc. A test methodology is then developed for each category. After a test methodology is developed it is posted to the web.

15 CFReDS The Computer Forensic Reference Data Sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination. Since CFReDS has documented contents, such as target search strings seeded in known locations, investigators can compare the results of searches for the target strings with the known placement of the strings. Investigators can use CFReDS in several ways including validating the software tools used in their investigations, equipment check out, training investigators, and proficiency testing of investigators as part of laboratory accreditation. The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations.

16 CFReDS In addition to test images, the CFReDS site contains resources to aid in creating test images. These creation aids are in the form of interesting data files, useful software tools and procedures for specific tasks. The CFReDS web site is

17 International Standards
The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross- disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices. The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies.

18 Macintosh Operating System (MAC OS X)
Early MAC OS used HFS (Hierarchical file system) OS X uses HFS+ (optional) and also supports Unix File System OS 9 supports Volumes. Volume can be all or part of the storage media for hard disks Newer MACs booted can be booted from CD, DVD, Firewire drive. Older systems booted from hard drive Some forensics tools special for OS X. Some other Windows tools can also be used

19 Unix/Linux Operating System
Everything is a file including disk drives, monitors, tape drives, network interface cards, etc. Unix has four components for its file system Boot block, superblock, Inode, data block Block is smallest disk allocation Boot clock has bootstrap code, superblock has system information, Inode is assignee to every file allocation unit., data blocks store directories and files Forensic examiner must understand the boot process of the operating system Disk partitions in Unix/Linus is very different from Windows. In Unix/Linux partitions are labeled as paths.

20 Summary of Lectures 8 and 9
Overview of File Systems Examples: Windows, MAC, Unix/Linux Three important concepts a forensics examiner should know: The boot process, the file system, and the disk structures/partitions Tools exist for each of the operating systems Standards are emerging for conducting a forensics examination Need more standards for data formats, processes, metadata etc .

21 References Reference: Chapters 7 and 8 of Textbook

Download ppt "Digital Forensics Dr. Bhavani Thuraisingham"

Similar presentations

Write Blocking CSC 485/585.

Write Blocking CSC 485/585.
Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Guide to Computer Forensics and Investigations Fifth Edition

Guide to Computer Forensics and Investigations Fifth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
Guide to Computer Forensics and Investigations Third Edition Chapter 7 Current Computer Forensics Tools.

Guide to Computer Forensics and Investigations Third Edition Chapter 7 Current Computer Forensics Tools.
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
COS/PSA 413 Day 12. Agenda Questions? Assignment 4 posted –Due October 10 Lab 4 tomorrow in N105 –Hands-on Projects 6-1 through 6-4 on Pages 258-262 Discussion.

COS/PSA 413 Day 12. Agenda Questions? Assignment 4 posted –Due October 10 Lab 4 tomorrow in N105 –Hands-on Projects 6-1 through 6-4 on Pages Discussion.
Guide to Computer Forensics and Investigations Fourth Edition Chapter 8 Macintosh and Linux Boot Processes and File Systems.

Guide to Computer Forensics and Investigations Fourth Edition Chapter 8 Macintosh and Linux Boot Processes and File Systems.
Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.

Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas File Systems and Forensics Tools September 20, 2013.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas File Systems and Forensics Tools September 20, 2013.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Mohd Taufik Abdullah Department of Computer Science

Mohd Taufik Abdullah Department of Computer Science
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:

Similar presentations

Ads by Google