Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Computer Forensics and Investigations, Second Edition

Published byApril Arline Norton Modified over 8 years ago

Similar presentations

Presentation on theme: "Guide to Computer Forensics and Investigations, Second Edition"— Presentation transcript:

1 Guide to Computer Forensics and Investigations, Second Edition
Chapter 4 Current Computer Forensics Tools

2 Guide to Computer Forensics and Investigations, 2e
Objectives Understand how to identify needs for computer forensics tools Evaluate the requirements and expectations for computer forensics tools Understand how computer forensics hardware and software tools integrate Validate and test your computer forensics tools Guide to Computer Forensics and Investigations, 2e

3 Computer Forensics Software Needs
Look for versatility, flexibility, and robustness OS File system Script capabilities Automated features Vendor’s reputation Keep in mind what applications you analyze Guide to Computer Forensics and Investigations, 2e

4 Types of Computer Forensics Tools
Hardware forensic tools Single-purpose components Complete computer systems and servers Software forensic tools Command-line applications GUI applications Guide to Computer Forensics and Investigations, 2e

5 Tasks Performed by Computer Forensics Tools
Acquisition Validation and discrimination Extraction Reconstruction Reporting Guide to Computer Forensics and Investigations, 2e

6 Guide to Computer Forensics and Investigations, 2e
Acquisition Acquisition categories: Physical data copy Logical data copy Data acquisition format Command-line acquisition GUI acquisition Guide to Computer Forensics and Investigations, 2e

7 Acquisition (continued)
Acquisition categories (continued): Remote acquisition Verification Guide to Computer Forensics and Investigations, 2e

8 Acquisition (continued)
Guide to Computer Forensics and Investigations, 2e

9 Validation and Discrimination
Hashing Cyclic redundancy check (CRC)-32, MD5, Secure Hash Algorithms (SHAs) Filtering Based on hash value sets Analyzing file headers Discriminate files based on their types Guide to Computer Forensics and Investigations, 2e

10 Guide to Computer Forensics and Investigations, 2e
Extraction Major techniques include: Data viewing How data is viewed depends on the tool used Keyword searching Recovers key data facts Decompressing Archive and cabinet files Guide to Computer Forensics and Investigations, 2e

11 Extraction (continued)
Major techniques include: Carving Reconstruct fragments of deleted files Decrypting Password dictionary attacks Brute-force attacks Bookmarking First find evidence, then bookmark it Guide to Computer Forensics and Investigations, 2e

12 Guide to Computer Forensics and Investigations, 2e
Reconstruction Re-create a suspect’s disk drive Techniques Disk-to-disk copy Image-to-disk copy Partition-to-partition copy Image-to-partition copy Guide to Computer Forensics and Investigations, 2e

13 Guide to Computer Forensics and Investigations, 2e
Reporting Configure your forensic tools to: Log activities Generate reports Use this information when producing a final report for your investigation Guide to Computer Forensics and Investigations, 2e

14 Guide to Computer Forensics and Investigations, 2e
Tool Comparisons Guide to Computer Forensics and Investigations, 2e

15 Tool Comparisons (continued)
Guide to Computer Forensics and Investigations, 2e

16 Other Considerations for Tools
Flexibility Reliability Expandability Keep a library with older version of your tools Guide to Computer Forensics and Investigations, 2e

17 Computer Forensics Software
Example: Norton DiskEdit Advantages Require few system resources Run in minimal configurations Fit on a bootable floppy disk Disadvantages Cannot search inside archive and cabinet files Most of them only work on FAT file systems Guide to Computer Forensics and Investigations, 2e

18 UNIX/Linux Command-line Forensic Tools
Dominate the *nix platforms Examples: SMART The Coroner’s Toolkit (TCT) Autopsy SleuthKit Guide to Computer Forensics and Investigations, 2e

19 Guide to Computer Forensics and Investigations, 2e
GUI Forensic Tools Simplify computer forensics investigations Help training beginning investigators Most of them come into suites of tools Guide to Computer Forensics and Investigations, 2e

20 GUI Forensic Tools (continued)
Advantages Ease of use Multitasking No need for learning older OSs Disadvantages Excessive resource requirements Produce inconsistent results Create tool dependencies Guide to Computer Forensics and Investigations, 2e

21 Computer Hardware Tools
Provide analysis capabilities Hardware eventually fails Schedule equipment replacements When planning your budget Failures Consultant and vendor fees Anticipate equipment replacement Guide to Computer Forensics and Investigations, 2e

22 Computer Investigation Workstations
Carefully consider what you need Categories: Stationary Portable Lightweight Balance what you need and what your system can handle Guide to Computer Forensics and Investigations, 2e

23 Computer Investigation Workstations (continued)
Police agency labs Need many options Use several PC configurations Private corporation labs handle only system types used in the organization Keep a hardware library Guide to Computer Forensics and Investigations, 2e

24 Building your Own Workstation
It is not as difficult as it sounds Advantages Customized to your needs Save money ISDN phone system Disadvantages Hard to find support for problems Can become expensive if careless Guide to Computer Forensics and Investigations, 2e

25 Building your Own Workstation (continued)
You can buy one from a vendor as an alternative Examples: F.R.E.D. FIRE IDE Guide to Computer Forensics and Investigations, 2e

26 Guide to Computer Forensics and Investigations, 2e
Using a Write-Blocker Prevents data writes to a hard disk Software options: Software write-blockers are OS-dependent PDBlock Hardware options Ideal for GUI forensic tools Act as a bridge between the disk and the workstation Guide to Computer Forensics and Investigations, 2e

27 Using a Write-Blocker (continued)
Discards the written data For the OS, the data copy is successful Connecting technologies FireWire USB 2.0 SCSI controllers Guide to Computer Forensics and Investigations, 2e

28 Recommendations for a Forensic Workstation
Data acquisition techniques: USB 2.0 FireWire Expansion devices requirements Power supply with battery backup Extra power and data cables External FireWire and USB 2.0 ports Guide to Computer Forensics and Investigations, 2e

29 Recommendations for a Forensic Workstation (continued)
Ergonomic considerations Keyboard and mouse Display High-end video card Monitor Guide to Computer Forensics and Investigations, 2e

30 Validating and Testing Forensic Software
Evidence could be admitted in court Test and validate your software to prevent damaging the evidence Guide to Computer Forensics and Investigations, 2e

31 Using National Institute of Standards and Technology (NIST) Tools
Computer Forensics Tool Testing (CFTT) program Based on standard testing methods ISO criteria ISO 5725 Also evaluate disk imaging tools Forensic Software Testing Support Tools (FS-TSTs) Guide to Computer Forensics and Investigations, 2e

32 Using NIST Tools (continued)
National Software Reference Library (NSRL) project Collects all known hash values for commercial software applications and OS files Helps filtering known information Guide to Computer Forensics and Investigations, 2e

33 The Validation Protocols
Always verify your results Use at least two tools Retrieving and examination Verification Understand how tools work Disk editors Norton DiskEdit Hex Workshop WinHex Guide to Computer Forensics and Investigations, 2e

34 The Validation Protocols (continued)
Disk editors (continued) Do not have a flashy interface Reliable tools Can access raw data Guide to Computer Forensics and Investigations, 2e

35 Computer Forensics Examination Protocol
Perform the investigation with a GUI tool Verify your results with a disk editor WinHex Hex Workshop Compare hash values obtained with both tools Guide to Computer Forensics and Investigations, 2e

36 Computer Forensics Tool Upgrade Protocol
Test New releases Patches Upgrades If you found a problem, report it to your forensics tool vendor Use a test hard disk for validation purposes Guide to Computer Forensics and Investigations, 2e

37 Guide to Computer Forensics and Investigations, 2e
Summary Create a business plan to get the best hardware and software Computer forensics tools functions Acquisition Validation and discrimination Extraction Reconstruction Reporting Guide to Computer Forensics and Investigations, 2e

38 Guide to Computer Forensics and Investigations, 2e
Summary (continued) Maintain a software library on your lab Computer forensics tools types: Software Hardware Forensics software: Command-line GUI Guide to Computer Forensics and Investigations, 2e

39 Guide to Computer Forensics and Investigations, 2e
Summary (continued) Forensics hardware: Customized equipment Commercial options Include workstations and write-blockers Always test your forensics tools Guide to Computer Forensics and Investigations, 2e

Download ppt "Guide to Computer Forensics and Investigations, Second Edition"

Similar presentations

Working with Disks and Devices

Working with Disks and Devices
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.

No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Guide to Computer Forensics and Investigations Fifth Edition

Guide to Computer Forensics and Investigations Fifth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
COS 413 Day 13. Agenda Questions? Assignment 4 Due Assignment 5 posted –Due Oct 21 Capstone proposal Due Oct 17 Lab 5 on Oct 15 in N105 –Hands-on Projects.

COS 413 Day 13. Agenda Questions? Assignment 4 Due Assignment 5 posted –Due Oct 21 Capstone proposal Due Oct 17 Lab 5 on Oct 15 in N105 –Hands-on Projects.
11 INSTALLING WINDOWS XP Chapter 2. Chapter 2: Installing Windows XP2 INSTALLING WINDOWS XP  Prepare a computer for the installation of Microsoft Windows.

11 INSTALLING WINDOWS XP Chapter 2. Chapter 2: Installing Windows XP2 INSTALLING WINDOWS XP  Prepare a computer for the installation of Microsoft Windows.
MSIS 110: Introduction to Computers; Instructor: S. Mathiyalakan1 Systems Design, Implementation, Maintenance, and Review Chapter 13.

MSIS 110: Introduction to Computers; Instructor: S. Mathiyalakan1 Systems Design, Implementation, Maintenance, and Review Chapter 13.
CSCD 496 Computer Forensics

CSCD 496 Computer Forensics
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
Guide to Computer Forensics and Investigations Third Edition Chapter 7 Current Computer Forensics Tools.

Guide to Computer Forensics and Investigations Third Edition Chapter 7 Current Computer Forensics Tools.
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
1 CSCD496 Computer Forensics Lecture 5 Applying Process to Computer Forensics Winter 2010.

1 CSCD496 Computer Forensics Lecture 5 Applying Process to Computer Forensics Winter 2010.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 2: Managing Hardware Devices.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 2: Managing Hardware Devices.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

Similar presentations

Ads by Google