8/17/2019 Chap 3 - Current Computer Forensics Tools
Management & Science University © FISE
TCF2043 Digital Investigation
CHAPTER 3: CURRENT COMPUTER FORENSICS TOOLS
Evaluating Computer Forensics Tool Needs
Some questions to ask when evaluating tools include the following:
On which OS does the forensics tool run?
Is the tool versatile? For example, does it work in Windows 9x, XP, and Vista and produce the same results in all three OSs?
Can the tool analyze more than one file system, such as FAT, NTFS, and Ext2fs?
Can a scripting language be used with the tool to automate repetitive functions and tasks?
Does the tool have any automated features that can help reduce the time needed to analyze data?
What is the vendor's reputation for providing product support?
Types of Computer Forensics Tools
Computer forensics tools are divided into two major categories: hardware and software.
Hardware Forensics Tools
Hardware forensics tools range from simple, single-purpose components to complete computer systems and servers.
Single-purpose components can be devices such as the ACARD AEC-7720UW Ultra Wide SCSI-to-IDE Bridge, which is designed to write-block an IDE drive connected to a SCSI cable.
Some examples of complete systems are Digital Intelligence F.R.E.D. systems, DIBS Advanced Forensic Workstations, and Forensic Computers Forensic Examination Stations and portable units.
To see photos of these tower and portable units, go to the Forensic Computers Web site at www.forensic-computers.com and do a search.
Figure: Lab workstations (photos): Forensic Tower IV Dual Xeon QuadCore, Ultimate Forensic Machine, Forensic Analysis Workstation Dual SixCore Xeon
Figure: Mobile workstations (photos): Forensic Air-Lite V MK III, Forensic Mobile Workstation II
Software Forensics Tools
Software forensics tools are grouped into command-line applications and GUI applications.
Some tools are specialized to perform one task, such as SafeBack, a command-line disk acquisition tool from New Technologies, Inc. (NTI).
Other tools are designed to perform many different tasks.
For example, Technology Pathways ProDiscover, X-Ways Forensics, Guidance Software EnCase, and AccessData FTK are GUI tools designed to perform most computer forensics acquisition and analysis functions.
Software Forensics Tools
Software forensics tools are commonly used to copy data from a suspect's drive to an image file.
Many GUI acquisition tools can read all structures in an image file as though the image were the original drive.
Many analysis tools, such as ProDiscover, EnCase, FTK, X-Ways Forensics, ILook, and others, have the capability to analyze image files.
Tasks Performed by Computer Forensics Tools
All computer forensics tools, both hardware and software, perform specific functions.
These functions are grouped into five major categories:
1. Acquisition
2. Validation and discrimination
3. Extraction
4. Reconstruction
5. Reporting
Tasks Performed by Computer Forensics Tools: Acquisition
Acquisition, the first task in computer forensics investigations, is making a copy of the original drive.
This procedure preserves the original drive to make sure it doesn't become corrupt and damage the digital evidence.
Subfunctions in the acquisition category include the following:
Physical data copy
Logical data copy
Data acquisition format
Command-line acquisition
GUI acquisition
Remote acquisition
Verification
Tasks Performed by Computer Forensics Tools: Acquisition
Some computer forensics software suites, such as AccessData FTK and EnCase, provide separate tools for acquiring an image.
However, some investigators choose to use hardware devices, such as the Logicube Talon, VOOM HardCopy 3, or ImageMASSter Solo III Forensic unit from Intelligent Computer Solutions, Inc., for acquiring an image.
These hardware devices have their own built-in software for data acquisition. No other device or program is needed to make a duplicate drive; however, you still need forensics software to analyze the data.
Tasks Performed by Computer Forensics Tools: Acquisition
Other acquisition tools require combining hardware devices and software programs to make disk acquisitions.
For example, Guidance Software has a DOS program, En.exe, and a function in its Windows application, EnCase, for making data acquisitions.
Making an acquisition with En.exe requires a PC running MS-DOS, a 12-volt hard drive power connector (Molex, SATA, or one specified for the hard drive you're acquiring), and a data cable, such as an IDE (PATA), a SATA, or a SCSI connector cable.
The Windows EnCase application requires a write-blocker device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect drive.
Tasks Performed by Computer Forensics Tools: Acquisition
Two types of data-copying methods are used in software acquisitions: physical copying of the entire drive and logical copying of a disk partition.
Most software acquisition tools include the option of imaging an entire physical drive or just a logical partition.
The situation dictates whether you make a physical or logical acquisition.
One reason to choose a logical acquisition is drive encryption: making a physical acquisition of a drive with whole disk encryption results in unreadable data.
With a logical acquisition, however, you can still read and analyze the files.
The trade-off is completeness: a logical acquisition captures readable files only while the encrypted volume is unlocked (typically on the running system), and it does not capture unallocated space or file slack, so deleted data is not recoverable from it.
Tasks Performed by Computer Forensics Tools: Acquisition
The raw data format, typically created with the UNIX/Linux dd command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive.
A raw imaging tool can copy data from one drive to another disk or to segmented files.
Because it's a true unaltered copy, you can view a raw image file's contents with any hexadecimal editor, such as Hex Workshop or WinHex. Hexadecimal editors, also known as disk editors (such as Norton DiskEdit), provide a hexadecimal view and a plaintext view of the data.
Note that a raw image carries no metadata of its own: no embedded hash, no case information, and no compression, so the acquisition hash has to be computed and recorded separately (in the tool's log or a sidecar file) for the image to be verifiable later.
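The raw acquisition and verification described above, as an added example in Python that is not part of the original slides and is not the code of any tool named here: it copies a source bit for bit into numbered segment files, hashes the stream while reading it (the value a dd-based workflow has to record separately), and re-hashes the segments afterwards to verify them. The "suspect drive" is a constructed byte string written to a temporary file; on a real system the source would be a block device opened read-only behind a write-blocker, and the segment size would be far larger.

```python
import hashlib
import os
import tempfile


def acquire_raw(source_path, out_prefix, segment_size, block_size=4096):
    """Bit-for-bit copy of source_path into out_prefix.001, .002, ... of at
    most segment_size bytes each.  Returns (segment_paths, sha256_hex) where
    the hash covers the whole source stream exactly as it was read."""
    digest = hashlib.sha256()
    segments = []
    seg = None            # currently open segment file
    written = 0           # bytes written to the current segment
    with open(source_path, "rb") as src:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            digest.update(chunk)
            offset = 0
            while offset < len(chunk):
                if seg is None or written == segment_size:
                    if seg is not None:
                        seg.close()
                    path = "%s.%03d" % (out_prefix, len(segments) + 1)
                    seg = open(path, "wb")
                    segments.append(path)
                    written = 0
                piece = chunk[offset:offset + (segment_size - written)]
                seg.write(piece)
                written += len(piece)
                offset += len(piece)
    if seg is not None:
        seg.close()
    return segments, digest.hexdigest()


def verify_segments(segments, expected_sha256):
    """Re-read the segments in order and compare with the acquisition hash.
    A mismatch means at least one segment no longer matches what was read."""
    digest = hashlib.sha256()
    for path in segments:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def demo():
    """Acquire a constructed 'drive', verify, then tamper and verify again."""
    drive = (b"\x00" * 512 + b"CONSTRUCTED-TEST-DRIVE" + b"\xff" * 300) * 12
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect.raw")
        with open(src, "wb") as f:
            f.write(drive)
        segs, acq_hash = acquire_raw(src, os.path.join(tmp, "image"), 2048)
        matches_source = acq_hash == hashlib.sha256(drive).hexdigest()
        verified = verify_segments(segs, acq_hash)
        with open(segs[0], "r+b") as f:   # flip one byte in the first segment
            f.seek(100)
            f.write(b"X")
        verified_after_tamper = verify_segments(segs, acq_hash)
    return len(segs), matches_source, verified, verified_after_tamper


if __name__ == "__main__":
    print(demo())   # (5, True, True, False)
```

The 10,008-byte constructed drive lands in five 2,048-byte segments; the stream hash equals the hash of the original bytes, the segments verify, and a single flipped byte in segment 1 makes verification fail, which is the whole point of recording the hash at acquisition time.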
Figure: Viewing data in a hexadecimal editor
Tasks Performed by Computer Forensics Tools: Validation and Discrimination
Two issues in dealing with computer evidence are critical.
First is ensuring the integrity of data being copied, the validation process.
Second is the discrimination of data, which involves sorting and searching through all investigation data.
The process of validating data is what allows discrimination of data.
Many forensics software vendors offer three methods for discriminating data values.
Tasks Performed by Computer Forensics Tools
These are the subfunctions of the validation and discrimination function:
Hashing
Filtering
Analyzing file headers
Validating data is done by obtaining hash values.
As a standard feature, most forensics tools and many disk editors have one or more types of data hashing.
How data hashing is used depends on the investigation, but using a hashing algorithm on the entire suspect drive and all its files is a good idea.
Tasks Performed by Computer Forensics Tools
This method produces a fixed-length hexadecimal value for the data, used to make sure the original data hasn't changed. The value is not literally unique, but a change of even one bit produces a different hash, which is what makes it usable as an integrity check.
This value has other potential uses.
For example, in the corporate environment, you could create a known good hash value list of a fresh installation of an OS, all applications, and all known good images and documents (spreadsheets, text files, and so on).
With this information, an investigator could ignore all files on this known good list and focus on other files on the disk that aren't on this list. This process is known as filtering.
Filtering can also be used to find data for evidence in criminal investigations or to build a case for terminating an employee.
Tasks Performed by Computer Forensics Tools
The primary purpose of data discrimination is to separate good data from suspicious data.
Good data consists of known files, such as OS files and common programs (Microsoft Word, for example).
The National Software Reference Library (NSRL) has compiled a list of known file hashes for a variety of OSs, applications, and images that can be downloaded from www.nsrl.nist.gov/Downloads.htm (see Figure).
Several computer forensics programs can integrate known good file hash sets, such as the ones from the NSRL, and compare them to file hashes from a suspect drive to see whether they match.
With this process, you can eliminate large amounts of data quickly so that you can focus your evidence analysis.
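Known-good hash filtering as described on the last two slides, as an added Python example that is not part of the slides and does not use the real NSRL data: a constructed set of "reference install" files stands in for an NSRL hash set (the NSRL Reference Data Set publishes SHA-1 and MD5 values, so SHA-1 is used here), and a constructed directory tree stands in for the suspect drive's file system. The file names and contents are invented for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha1"):
    """Hash a file in chunks so large evidence files never need to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_known_set(paths, algorithm="sha1"):
    """Hash set of known-good files (a fresh OS install, stock applications)."""
    return {hash_file(p, algorithm) for p in paths}


def filter_unknown(root, known_hashes, algorithm="sha1"):
    """Walk a suspect tree and return the relative paths whose content hash
    is NOT in the known-good set, i.e. the files that still need an examiner.
    Matching is by content only: a renamed copy of a known file is filtered
    out, while a known file with a single changed byte is kept."""
    unknown = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if hash_file(path, algorithm) not in known_hashes:
                unknown.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(unknown)


def demo():
    """Constructed reference install and suspect tree (invented names/contents)."""
    stock = {"kernel32.dll": b"STOCK-DLL-CONTENT" * 100,
             "notepad.exe": b"STOCK-EXE-CONTENT" * 100}
    suspect = {
        "kernel32.dll": stock["kernel32.dll"],              # untouched stock file
        "totally_not_notepad.bin": stock["notepad.exe"],    # stock file, renamed
        "notepad.exe": stock["notepad.exe"][:-1] + b"X",    # stock file, patched
        "plans.txt": b"meet at the usual place",            # user document
    }
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "reference")
        sus = os.path.join(tmp, "suspect", "Windows")   # nested dir, to exercise os.walk
        os.makedirs(ref)
        os.makedirs(sus)
        for name, data in stock.items():
            with open(os.path.join(ref, name), "wb") as f:
                f.write(data)
        for name, data in suspect.items():
            with open(os.path.join(sus, name), "wb") as f:
                f.write(data)
        known = build_known_set(os.path.join(ref, n) for n in stock)
        return filter_unknown(os.path.join(tmp, "suspect"), known)


if __name__ == "__main__":
    print(demo())   # ['Windows/notepad.exe', 'Windows/plans.txt']
```

The renamed stock file disappears from the list because the filter never looks at names, and the patched copy of notepad.exe stays in it because one changed byte changes the hash; both are the behaviours an examiner relies on when trusting a known-good filter.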
Figure: The download page of the National Software Reference Library
Tasks Performed by Computer Forensics Tools
You can also begin building your own hash sets.
Another feature to consider for hashing functions is hashing and comparing sectors of data.
This feature is useful for identifying fragments of data in slack and free disk space that might be partially overwritten.
An additional method of discriminating data is analyzing and verifying header values for known file types.
Similar to the hash values of known files, many computer forensics programs include a list of common header values. With this information, you can see whether a file extension is incorrect for the file type.
Renaming file extensions is a common way to try to hide data, and you could miss pertinent data if you don't check file headers.
For example, in the file header for ForensicData.doc, you see the letters “JFIF” (see Figure). JFIF is the JPEG File Interchange Format marker, so the file is a JPEG image and not a Word document, whatever its extension claims.
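The two discrimination features on this slide, sector hashing and header checking, as an added Python example that is not from the slides and is not any vendor's implementation. The signature table is a deliberately short one of my own (real tools carry hundreds of entries, some at non-zero offsets), and the "known file", the "unallocated space" and the JPEG renamed to .doc are all constructed inside the code.

```python
import hashlib

SECTOR = 512


def sector_hashes(data, sector=SECTOR):
    """{sha256(sector_bytes): sector_index} for every full sector of a known file."""
    usable = len(data) - len(data) % sector
    return {hashlib.sha256(data[i:i + sector]).hexdigest(): i // sector
            for i in range(0, usable, sector)}


def find_fragments(region, known_sectors, sector=SECTOR):
    """Scan a region (slack or unallocated space) sector by sector and return
    (region_offset, known_sector_index) for every sector that matches a
    sector of the known file, even if the rest of the file is gone."""
    hits = []
    for off in range(0, len(region) - sector + 1, sector):
        h = hashlib.sha256(region[off:off + sector]).hexdigest()
        if h in known_sectors:
            hits.append((off, known_sectors[h]))
    return hits


# Short signature table: leading bytes -> content type (my own list, not a
# vendor's; every signature here sits at offset 0).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),                      # JPEG/JFIF starts FF D8 FF
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                         # also docx/xlsx/jar containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls
]
EXTENSION_TYPES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf",
                   "zip": "zip", "docx": "zip", "doc": "ole2", "xls": "ole2"}


def identify(data):
    """Content type from the file header, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(name, data):
    """True when the extension claims a type and the header says otherwise."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXTENSION_TYPES.get(ext)
    actual = identify(data)
    return claimed is not None and actual != "unknown" and claimed != actual


def demo():
    # Constructed known file: four sectors, each filled with its own index byte.
    known = b"".join(bytes([i]) * SECTOR for i in range(4))
    # Constructed unallocated space: junk, then sectors 1 and 2 of the known
    # file surviving at a sector-aligned offset, then more junk (sector 3 gone).
    unalloc = b"\xaa" * (3 * SECTOR) + known[SECTOR:3 * SECTOR] + b"\x55" * SECTOR
    hits = find_fragments(unalloc, sector_hashes(known))
    # Constructed JPEG renamed to .doc: the "JFIF" case from the slide.
    jpeg_as_doc = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
    return (hits,
            extension_mismatch("ForensicData.doc", jpeg_as_doc),
            extension_mismatch("photo.jpg", jpeg_as_doc))


if __name__ == "__main__":
    print(demo())   # ([(1536, 1), (2048, 2)], True, False)
```

Sector hashing finds the two surviving sectors of the known file at offsets 1536 and 2048 even though the file as a whole is gone, and the header check flags ForensicData.doc while leaving the honestly named photo.jpg alone. Unknown extensions are deliberately not flagged, so the check reports lies rather than guesses.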
Tasks Performed by Computer Forensics Tools: Extraction
The extraction function is the recovery task in a computing investigation and is the most challenging of all tasks to master.
Recovering data is the first step in analyzing an investigation's data.
The following subfunctions of extraction are used in investigations:
1. Data viewing
2. Keyword searching
3. Decompressing
4. Carving
5. Decrypting
Tasks Performed by Computer Forensics Tools
Many computer forensics tools include a data-viewing mechanism for digital evidence.
How data is viewed depends on the tool.
Tools such as ProDiscover, X-Ways Forensics, FTK, EnCase, SMART, ILook, and others offer several ways to view data, including logical drive structures, such as folders and files.
These tools also display allocated file data and unallocated disk areas with special file and disk viewers.
Being able to view this data in its normal form makes analyzing and collecting clues for the investigation easier.
Tasks Performed by Computer Forensics Tools
A common task in computing investigations is searching for and recovering key data facts.
Computer forensics programs have functions for searching for keywords of interest to the investigation.
Using a keyword search speeds up the analysis process for investigators, if used correctly; however, a poor selection of keywords generates too much information.
For example, the name “Ben” is a poor search term because it generates a large number of false-positive hits.
To reduce false-positive hits, you need to refine the search scope.
Tasks Performed by Computer Forensics Tools
One way is to search on combinations of words, in which one word is within so many words of the next.
For example, with FTK's Indexed Search feature (see next Figure), you could search for the word “Ben” within one word of the word “Franklin” by entering “Ben w/1 Franklin” and narrow the search further with the word “Son” as a separate entry in the Search Term text box.
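The keyword and proximity search described on these two slides, as an added Python example that is not from the slides and is not FTK's search engine: it implements a plain keyword search and a "term1 w/N term2" proximity operator with the semantics the text describes (both words present, at most N words apart), then narrows the result with a second term. The query syntax is assumed to mirror the slide's example, and the text fragments are constructed for the demonstration.

```python
import re

WORD = re.compile(r"[A-Za-z0-9]+")   # "Franklin's" -> ["franklin", "s"]


def tokenize(text):
    return [w.lower() for w in WORD.findall(text)]


def search_term(docs, term):
    """Plain keyword search: ids of documents containing term as a whole word."""
    t = term.lower()
    return [doc_id for doc_id, text in docs.items() if t in tokenize(text)]


def search_proximity(docs, term_a, term_b, within):
    """'term_a w/N term_b': both words present and at most N words apart."""
    a, b = term_a.lower(), term_b.lower()
    hits = []
    for doc_id, text in docs.items():
        words = tokenize(text)
        pos_a = [i for i, w in enumerate(words) if w == a]
        pos_b = [i for i, w in enumerate(words) if w == b]
        if any(abs(i - j) <= within for i in pos_a for j in pos_b):
            hits.append(doc_id)
    return hits


def run_query(docs, query):
    """Accept 'word' or 'word1 w/N word2' (case-insensitive) and run it."""
    m = re.fullmatch(r"\s*(\S+)\s+w/(\d+)\s+(\S+)\s*", query, re.IGNORECASE)
    if m:
        return search_proximity(docs, m.group(1), m.group(3), int(m.group(2)))
    return search_term(docs, query.strip())


def demo():
    # Constructed text fragments, as if indexed from files on a suspect image.
    docs = {
        1: "Ben, can you send the report before Friday?",
        2: "Lunch with Ben Franklin's son at noon.",
        3: "The Franklin account was opened by Ben last year.",
        4: "Ben Franklin flew a kite, says the textbook.",
        5: "Nothing relevant here, just a grocery list.",
    }
    broad = run_query(docs, "Ben")                                   # 4 of 5 hit
    narrowed = run_query(docs, "Ben w/1 Franklin")                   # 2 hits
    with_son = [d for d in narrowed if d in run_query(docs, "Son")]  # 1 hit
    return broad, narrowed, with_son


if __name__ == "__main__":
    print(demo())   # ([1, 2, 3, 4], [2, 4], [2])
```

Fragment 3 contains both words but five words apart, so the w/1 operator drops it; adding "Son" as a separate term then leaves only fragment 2, which is how the slide's three-step refinement cuts the hit list from four to one.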
Figure: The Indexed Search feature in FTK
Tasks Performed by Computer Forensics Tools
With some tools, you can set filters to select the file types to search, such as searching only PDF documents.
Another function in some forensics tools is indexing all words on a drive. X-Ways Forensics and FTK 1.
Tasks Performed by Computer Forensics Tools
Another function to consider for extraction is the format the forensics tool can read.
For example, FTK has a built-in function that reads and indexes data from Microsoft .pst and .ost files. EnCase has a third-party add-on that performs indexing and analyzes Microsoft .pst files.
In addition, EnCase, X-Ways Forensics, and ProDiscover enable you to create scripts for extracting data, but FTK doesn't have this feature.
Keep in mind that you have to use a combination of tools to retrieve and report on evidence from digital devices accurately.
Tasks Performed by Computer Forensics Tools
Part of the investigation process also involves reconstructing fragments of files that have been deleted from a suspect drive.
In North America, this reconstruction is referred to as “carving”; in Europe, it's called “salvaging.”
Investigators often need to be able to extract data from unallocated disk space.
Locating file header information, as mentioned previously in “Validation and Discrimination,” is a reliable method for carving data.
Most forensics tools analyze unallocated areas of a drive or an image file and locate fragments or entire file structures that can be carved and copied into a newly reconstructed file.
Tasks Performed by Computer Forensics Tools
Some investigators prefer carving fragmented data manually with a command-line tool, but advanced GUI tools, such as X-Ways Forensics, EnCase, FTK, and ProDiscover, with built-in functions for carving are used more commonly now.
For example, the next Figure shows an option in FTK for adding carved files to a case automatically.
Some tools, such as DataLifter and Davory, are specifically designed to carve known data types from exported unallocated disk space.
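Header/footer carving as described on the preceding two slides, as an added Python example that is not from the slides and is not the carving engine of any tool named here: it scans a constructed blob of "unallocated space" for the JPEG start-of-image marker (FF D8 FF), carves up to the matching end-of-image marker (FF D9) or a size limit, and flags the fragment whose footer was overwritten. The minimal JPEG-looking byte strings are constructed for the demonstration and are not valid images; real carvers also validate internal structure and can reassemble fragmented files.

```python
JPEG_SOI = b"\xff\xd8\xff"   # start of image (plus first marker byte)
JPEG_EOI = b"\xff\xd9"       # end of image


def carve_jpegs(region, max_size=4 * 1024 * 1024):
    """Return a list of {'offset', 'data', 'complete'} for every JPEG header
    found in region.  A header with no footer within max_size bytes is kept
    as an incomplete fragment rather than silently dropped."""
    carved = []
    pos = 0
    while True:
        start = region.find(JPEG_SOI, pos)
        if start == -1:
            break
        limit = min(len(region), start + max_size)
        end = region.find(JPEG_EOI, start + len(JPEG_SOI), limit)
        if end == -1:
            carved.append({"offset": start, "data": region[start:limit],
                           "complete": False})
            pos = start + len(JPEG_SOI)   # keep scanning past this header
        else:
            end += len(JPEG_EOI)
            carved.append({"offset": start, "data": region[start:end],
                           "complete": True})
            pos = end
    return carved


def fake_jpeg(payload):
    """Construct a minimal JPEG-looking byte string: SOI, APP0/JFIF, payload, EOI."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + payload + JPEG_EOI


def demo():
    # Constructed unallocated region: noise, a complete JPEG, more noise,
    # a second complete JPEG, then a header whose footer was overwritten.
    region = (b"\x00" * 700 + fake_jpeg(b"A" * 300) + b"\x13" * 1000
              + fake_jpeg(b"B" * 50) + b"\x00" * 64
              + JPEG_SOI + b"\xe0" + b"C" * 200)
    files = carve_jpegs(region, max_size=100_000)
    return [(f["offset"], len(f["data"]), f["complete"]) for f in files]


if __name__ == "__main__":
    print(demo())   # [(700, 315, True), (2015, 65, True), (2144, 204, False)]
```

The size limit matters on real data: without it, a header whose footer is gone would swallow everything up to the next unrelated FF D9 in the region, producing a huge bogus file instead of a flagged fragment.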
Figure: Data carving options in FTK
Tasks Performed by Computer Forensics Tools
A major challenge in computing investigations is analyzing, recovering, and decrypting data from encrypted files or systems.
Encryption can be used on a drive, disk partition, or file.
Many e-mail programs, such as Microsoft Outlook, provide encryption protection for .pst folders and messages.
The types of encryption range from platform specific, such as Windows Encrypting File System (EFS), to third-party vendors, such as Pretty Good Privacy (PGP) and GnuPG.
Tasks Performed by Computer Forensics Tools
From an investigation perspective, encrypted files and systems are a problem.
Many password recovery tools have a feature for generating potential password lists for a password dictionary attack.
FTK, for example, produces a list of possible passwords for an encrypted file from a suspect drive (words and strings found on the drive itself, which users often reuse as passwords).
AccessData has also created an advanced password-cracking software suite called Distributed Network Attack (DNA) that allows multiple machines to attempt cracking a password.
Tasks Performed by Computer Forensics Tools
After locating the evidence, the next task is to bookmark it so that you can refer to it later when needed.
Many forensics tools use bookmarks to insert digital evidence into a report generator, which produces a technical report in HTML or RTF format of the examination's findings.
When the report generator is launched, bookmarks are loaded into the report.
Tasks Performed by Computer Forensics Tools: Reconstruction
The purpose of having a reconstruction feature in a forensics tool is to re-create a suspect drive to show what happened during a crime or an incident.
Another reason for duplicating a suspect drive is to create a copy for other computer investigators, who might need a fully functional copy of the drive so that they can perform their own acquisition, test, and analysis of the evidence.
Tasks Performed by Computer Forensics Tools
These are the subfunctions of reconstruction:
1. Disk-to-disk copy
2. Image-to-disk copy
3. Partition-to-partition copy
4. Image-to-partition copy
Tasks Performed by Computer Forensics Tools
There are several ways to re-create an image of a suspect drive.
Under ideal circumstances, the best and most reliable method is obtaining the same make and model drive as the suspect drive.
If the suspect drive has been manufactured recently, locating an identical drive is fairly easy (and vice versa).
The simplest method of duplicating a drive is using a tool that makes a direct disk-to-disk copy from the suspect drive to the target drive.
Many tools can perform this task.
One free tool is the UNIX/Linux dd command, but it has a major disadvantage: dd copies blocks blindly and does nothing to adjust drive geometry, so the target drive being written to must be identical to the original (suspect) drive, with the same cylinder, sector, and track count.
Tasks Performed by Computer Forensics Tools
If an identical drive is unavailable, manipulating the drive's cylinders, sectors, and tracks to match the original drive might be possible through your workstation's BIOS.
For a disk-to-disk copy, both hardware and software duplicators are available.
Hardware duplicators are the fastest way to copy data from one disk to another.
Hardware duplicators, such as Logicube Talon, Logicube Forensic MD5, and ImageMASSter Solo III Forensics Hard Drive Duplicator, adjust the target drive's geometry to match the suspect drive's cylinders, sectors, and tracks.
Software duplicators, although slower than hardware duplicators, include SnapBack, SafeBack, EnCase, and X-Ways Forensics.
Tasks Performed by Computer Forensics Tools: Reporting
To complete a forensics disk analysis and examination, you need to create a report.
Before Windows forensics tools were available, this process required copying data from a suspect drive and extracting the digital evidence manually.
The investigator then copied the evidence to a separate program, such as a word processor, to create a report.
File data that couldn't be read in a word processor (databases, spreadsheets, and graphics, for example) made it difficult to insert nonprintable characters, such as binary data, into a report.
Tasks Performed by Computer Forensics Tools
Typically, these reports weren't stored electronically because investigators had to collect printouts from several different applications to consolidate everything into one large paper report.
Newer Windows forensics tools can produce electronic reports in a variety of formats, such as word processing documents, HTML Web pages, or Acrobat PDF files.
These are the subfunctions of the reporting function:
Log reports
Report generator
Tasks Performed by Computer Forensics Tools
As part of the validation process, often you need to document the steps you took to acquire data from a suspect drive.
Many forensics tools, such as FTK, ILook, and X-Ways Forensics, can produce a log report that records activities the investigator performed.
Then a built-in report generator is used to create a report in a variety of formats.
The following tools are some that offer report generators displaying bookmarked evidence: EnCase, FTK, ILook, X-Ways Forensics, and ProDiscover.
Computer Forensics Software Tools
Whether you use a suite of tools or a task-specific tool, you have the option of selecting one that enables you to analyze digital evidence.
Computer forensics software tools have 3 types:
1. Command-Line Forensics Tools
2. UNIX/Linux Forensics Tools
3. Other GUI Forensics Tools
Computer Forensics Software Tools
Command-Line Forensics Tools
Used mostly for old PCs.
The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems.
One of the first MS-DOS tools used for computer investigations was Norton DiskEdit.
This tool used manual processes that required investigators to spend considerable time on a typical 500 MB drive.
One advantage of using command-line tools for an investigation is that they require few system resources because they're designed to run in minimal configurations.
In fact, most tools fit on bootable media (floppy disk, USB drive, CD, or DVD).
Computer Forensics Software Tools
UNIX/Linux Forensics Tools
The *nix platforms have long been the primary command-line OSs.
However, with GUIs now available with *nix platforms, these OSs are becoming more popular with home and corporate end users.
Some of the popular tools are:
SMART
SMART is designed to be installed on numerous Linux versions, including Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, Slackware, and more.
You can analyze a variety of file systems with SMART; for a list of file systems or to download an evaluation ISO image for SMART and SMART Linux, go to www.asrdata2.com.
Computer Forensics Software Tools
SMART includes several plug-in utilities.
This modular approach makes it possible to upgrade SMART components easily and quickly.
Another useful option in SMART is the hex viewer. Hex values are color-coded to make it easier to see where a file begins and ends.
SMART also offers a reporting feature.
Everything you do during your investigation with SMART is logged, so you can select what you want to include in a report, such as bookmarks.
Computer Forensics Software Tools
Helix
One of the easiest suites to use because of its user interface.
What's unique about Helix is that you can load it on a live Windows system, and it loads as a bootable Linux OS from a cold boot.
Its Windows component is used for live acquisitions.
Some international courts have not accepted live acquisitions as a valid forensics practice. Keep in mind that any tool run on a live system changes that system (its own process, its memory use, updated tim
estamps), so document exactly what was run, from what media, and when.
During corporate investigations, often you need to retrieve RAM and other data, such as the suspect's user profile, from a workstation or server that can't be seized or turned off. That's why Helix is used.
Computer Forensics Software Tools
BackTrack
BackTrack is another Linux Live CD used by many security professionals and forensics investigators.
It includes a variety of tools and has an easy-to-use interface.
Autopsy and Sleuth Kit
The Sleuth Kit is a collection of command-line forensics tools (commonly run on Linux), and Autopsy is the GUI browser interface for accessing Sleuth Kit's tools.
Knoppix-STD
Knoppix Security Tools Distribution (STD) is a collection of tools for configuring security measures, including computer and network forensics.
Because it boots and runs as a Live CD, it doesn't allow you to alter or damage the system you're analyzing.
Figure: The Knoppix-STD information window in Windows
Computer Forensics Software Tools
Other GUI Forensics Tools
Several software vendors have introduced forensics tools that work in Windows.
These GUI tools have also simplified training for beginning examiners.
Most GUI tools are put together as suites of tools.
For example, the largest GUI tool vendors (Technology Pathways, AccessData, and Guidance Software) offer tools that perform most of the tasks.
As with all software, each suite has its strengths and weaknesses.
Computer Forensics Software Tools
Other GUI Forensics Tools
GUI tools have several advantages, such as:
ease of use
the capability to perform multiple tasks
no requirement to learn older OSs
Their disadvantages:
excessive resource requirements (needing large amounts of RAM, for example)
producing inconsistent results because of the type of OS used, such as Windows Vista 32-bit or ...uired.
Computer Forensics Hardware Tools
Technology changes rapidly, and hardware manufacturers have designed most computer components to last about 18 months between failures.
For this reason, you should schedule equipment replacements periodically, ideally every 18 months if you use the hardware full time.
Most computer forensics operations use a workstation 24 hours a day for a week or longer between complete shutdowns.
Forensics hardware covers the following issues:
Forensic Workstations
Using a Write-Blocker
Computer Forensics Hardware Tools
Forensic Workstations
The more diverse your investigation environment, the more options you need.
In general, forensic workstations can be divided into the following categories:
Stationary workstation: A tower with several bays and many peripheral devices
Portable workstation: A laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation
Lightweight workstation: Usually a laptop computer built into a carrying case with a small selection of peripheral options
Computer Forensics Hardware Tools
Forensic Workstations
When considering options to add to a basic workstation, keep in mind that PCs have limitations on how many peripherals they can handle.
The more peripherals you add, the more potential problems you might have, especially if you're using an older version of Windows.
You must learn to balance what you actually need with what your system can handle.
Computer Forensics Hardware Tools
Using a Write-Blocker
The first item you should consider for a forensic workstation is a write-blocker.
Write-blockers protect evidence disks by preventing data from being written to them.
Software and hardware write-blockers perform the same function but in a different fashion.
Software write-blockers, such as PDBlock from Digital Intelligence, typically run in a shell mode (for example, DOS).
PDBlock hooks interrupt 13 (INT 13h, the BIOS disk service) of a workstation's BIOS to prevent writing to the specified drive. If you attempt to write data to the blocked drive, an alarm sounds, advising that no writes have occurred.
This protection only covers software that goes through the BIOS disk service; an OS that drives the disk controller directly (any 32-bit Windows or Linux kernel) bypasses it entirely, which is why such tools are run from DOS.
8/17/2019 Chap 3 - Current Computer Forensics Tools
59/75
Management & Science University
© FISE
;9
Computer Forensics Hardware Tools
Using a Write-Blocker
Hardware write-blockers are ideal for GUI forensics tools.
They prevent the OS from writing data to the blocked drive.
Hardware write-blockers act as a bridge between the suspect drive and the forensic workstation.
In the Windows environment, when a write-blocker is installed on an attached drive, the drive appears as any other attached disk.
You can navigate to the blocked drive with any Windows application.
When you copy data to the blocked drive or write updates to a file with Word, Windows shows that the data copy is successful. However, the write-blocker actually discards the written data; in other words, the data is written to null. An OS success message therefore proves nothing about the blocker; only a hash of the drive taken before and after the attempted write does.
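Putting that last bullet to work, here is an added example (not code from the slides, and not from any write-blocker vendor) that validates a blocker the only way the slide's warning allows: hash the drive, attempt a one-sector write that the OS may well report as successful, then hash again and let the second hash decide. The scratch image, the NullWriteFile class that simulates a hardware blocker accepting and discarding writes, and the idea of a device path such as /dev/sdb are all assumptions constructed for the demo. Run it only against a scratch disk placed behind the blocker, never against evidence.

```python
"""Validating a write-blocker (added example; not code from the slides).

The only trustworthy signal is that the drive's hash is unchanged after an
attempted write.  Point `device` at a scratch disk behind the blocker
(for example /dev/sdb on Linux, an assumption); never at evidence.
"""
import hashlib
import os
import tempfile

SECTOR = 512


def sha256_of(path: str) -> str:
    """Hash the whole device or image in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class NullWriteFile:
    """Constructed stand-in for a hardware blocker's behaviour: the handle
    opens, write() returns a success count, and nothing reaches the media."""

    def __init__(self, path, mode):
        self._f = open(path, "rb")

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self._f.close()

    def seek(self, pos):
        return self._f.seek(pos)

    def write(self, data):
        return len(data)          # "written to null"

    def flush(self):
        pass


def check_write_blocker(device: str, offset: int = SECTOR, opener=open) -> dict:
    """Hash, attempt a one-sector write, hash again, and classify the result.

    `opener` exists only so the simulated blocker above can be injected; in
    real use leave the default so the write goes through the OS as usual.
    """
    before = sha256_of(device)
    with open(device, "rb") as f:
        f.seek(offset)
        original = f.read(SECTOR)
    marker = b"WRITE-BLOCKER-TEST " + os.urandom(SECTOR - 19)
    write_error = None
    try:
        with opener(device, "r+b") as f:
            f.seek(offset)
            f.write(marker)
            f.flush()
    except OSError as exc:        # a blocker may also reject the write outright
        write_error = repr(exc)
    after = sha256_of(device)
    blocked = after == before
    if not blocked:
        # The write landed, so the blocker is absent or misconfigured.
        # Restore the sector so the scratch disk can be reused.
        with open(device, "r+b") as f:
            f.seek(offset)
            f.write(original)
        verdict = "NOT BLOCKED"
    elif write_error is None:
        verdict = "BLOCKED (OS reported success; data went to null)"
    else:
        verdict = "BLOCKED (write rejected: %s)" % write_error
    return {"blocked": blocked, "verdict": verdict,
            "hash_before": before, "hash_after": after}


def demo() -> dict:
    """Build a 4 KiB scratch image (constructed content) and run the check
    without and with the simulated blocker.  Returns both verdicts."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(range(256)) * 16)
    unprotected = check_write_blocker(path)
    protected = check_write_blocker(path, opener=NullWriteFile)
    restored = sha256_of(path) == unprotected["hash_before"]
    os.unlink(path)
    return {"unprotected": unprotected["verdict"],
            "protected": protected["verdict"],
            "scratch_restored": restored}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unprotected run deliberately lands a write and then undoes it, which is exactly why the procedure belongs on a scratch disk: a blocker that fails the test has already modified the media by the time you know.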
2. Identify requirements: For each category, describe the technical features or functions a forensics tool must have.
3. Develop test assertions: Based on the requirements, create tests that prove or disprove the tool's capability to meet the requirements.
...equally important.
One way to compare results and verify a new tool is by using a disk editor, such as Hex Workshop or WinHex, to view data on a disk in its raw format.
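To make the "identify requirements" and "develop test assertions" steps above concrete, and to show the second-tool check this slide describes, here is an added example (not NIST's published CFTT assertions, and not any vendor's code). It states four hypothetical acquisition requirements, AQ-01 to AQ-04, turns each into a test assertion, runs them against two constructed "tools" (one correct, one with a deliberate defect: it drops a trailing partial block), and then locates the divergence the way a disk editor would, as an offset/hex/ASCII row. The requirement IDs, both tools and the sample source are assumptions made for the demo.

```python
"""CFTT-style test assertions for the acquisition category (added example).

Requirement IDs, the two 'tools' and the sample source are constructed for
this illustration; they are not NIST's assertions or any vendor's product.
"""
import hashlib
import os
import tempfile
from typing import Callable, Dict, Tuple

BLOCK = 512

# Step 2, requirements: stated so that each one can be turned into a check.
REQUIREMENTS = {
    "AQ-01": "The image is a bit-for-bit copy of the source.",
    "AQ-02": "Every byte of the source is copied, including a trailing partial block.",
    "AQ-03": "The source is not modified by the acquisition.",
    "AQ-04": "The hash the tool reports matches the image it wrote.",
}


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def tool_a(src: str, dst: str) -> str:
    """Tool under test #1: straight copy, returns the hash of what it wrote."""
    with open(src, "rb") as i, open(dst, "wb") as o:
        data = i.read()
        o.write(data)
    return hashlib.sha256(data).hexdigest()


def tool_b(src: str, dst: str) -> str:
    """Tool under test #2: block-oriented copy that (constructed defect)
    discards a final partial block, then honestly hashes its own output."""
    h = hashlib.sha256()
    with open(src, "rb") as i, open(dst, "wb") as o:
        for chunk in iter(lambda: i.read(BLOCK), b""):
            if len(chunk) == BLOCK:
                o.write(chunk)
                h.update(chunk)
    return h.hexdigest()


def run_assertions(tool: Callable[[str, str], str], src: str) -> Dict[str, bool]:
    """Step 3, test assertions: one boolean per requirement."""
    src_before = sha256_of(src)
    dst = src + ".img"
    reported = tool(src, dst)
    with open(src, "rb") as f:
        s = f.read()
    with open(dst, "rb") as f:
        d = f.read()
    return {
        "AQ-01": s == d,
        "AQ-02": len(d) == len(s),
        "AQ-03": sha256_of(src) == src_before,
        "AQ-04": reported == sha256_of(dst),
    }


def first_difference(a: bytes, b: bytes) -> Tuple[int, str]:
    """Second-tool check in the spirit of a disk editor: find the first offset
    where two images disagree and render that row as offset/hex/ASCII.
    Returns (-1, '') when the images are identical."""
    n = min(len(a), len(b))
    off = next((i for i in range(n) if a[i] != b[i]),
               n if len(a) != len(b) else -1)
    if off < 0:
        return -1, ""
    row = off - off % 16
    chunk = a[row:row + 16]
    hexs = " ".join(f"{x:02x}" for x in chunk)
    asc = "".join(chr(x) if 32 <= x < 127 else "." for x in chunk)
    return off, f"{row:08x}  {hexs:<47}  {asc}"


def demo() -> dict:
    """Acquire a 1500-byte constructed source (2 full blocks + 476-byte tail)
    with both tools; report assertion results and where the images diverge."""
    fd, src = tempfile.mkstemp(suffix=".src")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes((i * 7) % 256 for i in range(1500)))
    results = {"tool_a": run_assertions(tool_a, src),
               "tool_b": run_assertions(tool_b, src)}
    with open(src, "rb") as f:
        s = f.read()
    with open(src + ".img", "rb") as f:   # tool_b ran last, so this is its image
        d = f.read()
    results["first_diff_offset"], results["hexdump_row"] = first_difference(s, d)
    for p in (src, src + ".img"):
        os.unlink(p)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note what AQ-04 does and does not prove: the defective tool passes it, because it correctly hashes the truncated image it wrote. Only comparing against an independently computed hash of the source (AQ-01/AQ-02) exposes the lost tail, and the raw view shows exactly where the images part company.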
Computer Forensics Tool Upgrade Protocol
In addition to verifying your results by using two disk-analysis tools, you should test all new releases and OS patches and upgrades to make sure they're reliable and don't corrupt evidence data.
New releases and OS upgrades and patches can affect the way your forensics tools perform.
If you determine that a patch or upgrade isn't reliable, don't use it on your forensic workstation until the problem has been fixed.
If a problem exists, such as not being able to read old image files with the new release or the disk editor generating errors after you apply the latest service pack, you can file an error report with the vendor.
In most cases, the vendor addresses the problem and provides a new patch, which you should check with another round of validation testing.
Computer Forensics Tool Upgrade Protocol
The best way to test a new or upgraded tool is to build a test hard disk that stores data in unused space allocated for a file, also known as file slack (the bytes between a file's logical end and the end of its last allocated cluster).
You can then use a forensics tool to retrieve it.
If you can retrieve the data with that tool and verify your findings with a second tool, you know the tool is reliable.
As computer forensics tools continue to evolve, you should check the Web for new editions, updates, patches, and validation tests for your tools.
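The "build a test hard disk" advice in miniature, as an added example that is not code from the slides or from any forensics product: it plants a known string in the slack of a file and then recovers it two independent ways, once from the file's metadata and once by a raw keyword scan, which must agree on the offset before the tool is trusted. The layout is a deliberate simplification of a FAT-style volume constructed for the demo (fixed 4 KiB clusters, two reserved clusters, a directory record reduced to start cluster and logical size); nothing in it is a real file system format.

```python
"""A test image with known data planted in file slack (added example).

The layout is constructed, not a real file system: fixed 4 KiB clusters, a
data area after two reserved clusters, and a directory record reduced to
(start_cluster, logical_size).
"""
import hashlib
from typing import List, Tuple

CLUSTER = 4096
DATA_START = 2 * CLUSTER            # clusters 0 and 1 stand in for boot/FAT/root
MARKER = b"SLACK-MARKER-7f3a"       # the string the tool is expected to recover


def build_test_image(file_data: bytes, start_cluster: int, marker_at: int,
                     total_clusters: int = 4) -> bytes:
    """Return a raw image where `file_data` occupies a cluster whose earlier
    contents (old data plus MARKER at `marker_at` bytes into the cluster)
    survive beyond the file's logical end."""
    assert len(file_data) <= CLUSTER and marker_at >= len(file_data)
    img = bytearray(DATA_START + total_clusters * CLUSTER)
    base = DATA_START + start_cluster * CLUSTER
    old = (b"OLD-DATA " * (CLUSTER // 9 + 1))[:CLUSTER]   # previous occupant
    img[base:base + CLUSTER] = old
    img[base + marker_at:base + marker_at + len(MARKER)] = MARKER
    img[base:base + len(file_data)] = file_data            # the live file
    return bytes(img)


def logical_copy(img: bytes, start_cluster: int, size: int) -> bytes:
    """What a normal file copy returns: the logical bytes only, no slack."""
    base = DATA_START + start_cluster * CLUSTER
    return img[base:base + size]


def slack_of(img: bytes, start_cluster: int, size: int) -> Tuple[int, bytes]:
    """Tool 1: use the directory metadata to carve the slack region, which
    runs from the logical end of the file to the end of its last cluster."""
    base = DATA_START + start_cluster * CLUSTER
    clusters = (size + CLUSTER - 1) // CLUSTER
    start = base + size
    end = base + clusters * CLUSTER
    return start, img[start:end]


def keyword_search(img: bytes, needle: bytes) -> List[int]:
    """Tool 2: a raw scan of the whole image, independent of any metadata."""
    hits, pos = [], img.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = img.find(needle, pos + 1)
    return hits


def demo() -> dict:
    file_data = b"live file content " * 55    # 990 bytes, constructed
    img = build_test_image(file_data, start_cluster=1, marker_at=1200)
    slack_start, slack = slack_of(img, 1, len(file_data))
    hits = keyword_search(img, MARKER)
    via_metadata = slack_start + slack.find(MARKER) if MARKER in slack else -1
    return {
        "image_sha256": hashlib.sha256(img).hexdigest(),
        "in_logical_copy": MARKER in logical_copy(img, 1, len(file_data)),
        "in_slack": MARKER in slack,
        "slack_len": len(slack),
        "offset_via_metadata": via_metadata,
        "offsets_via_search": hits,
        "tools_agree": hits == [via_metadata],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Record the image hash with the test results: if a tool is later re-validated after an upgrade, the same image must still yield the same offset, and an unchanged hash is what lets you blame the tool rather than the test disk.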
Always validate what the hardware or software tool is actually doing, as opposed to what it's supposed to be doing.
Be confident and knowledgeable about the capabilities of your forensics toolbox.
Remember to test and document why a tool does or doesn't work the way it's supposed to.
Chapter Summary
acquisition: The process of creating a duplicate image of data; one of the five required functions of computer forensics tools.
brute-force attack: The process of trying every combination of characters (letters, numbers, and the special characters typically found on a keyboard) to find a matching password or passphrase value for an encrypted file.
Computer Forensics Tool Testing (CFTT): A project sponsored by the National Institute of Standards and Technology to manage research on computer forensics tools.
discrimination: The process of sorting and searching through investigation data to separate known good data from suspicious data; along with validation, one of the five required functions of computer forensics tools.
Chapter Summary
extraction: The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the five required functions of computer forensics tools.
keyword search: A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.
National Software Reference Library (NSRL): A NIST project with the goal of collecting all known hash values for commercial software and OS files.
password dictionary attack: An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.
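As an added illustration of the brute-force attack and password dictionary attack entries in this summary (example code, not from the slides or from any password recovery product), the following runs both attacks against a stored hash. The target format is constructed: PBKDF2-HMAC-SHA256 with a fixed salt stands in for the password/passphrase hash a recovery program would pull from an encrypted file's header, and the iteration count is set absurdly low so the brute-force pass finishes quickly. The wordlist, the mangling rules, the salt and the two test passwords are all assumptions made for the demo.

```python
"""Dictionary and brute-force password recovery against a hash (added example).

Constructed target: PBKDF2-HMAC-SHA256 over the password with a fixed salt.
Real formats use tens of thousands of iterations or more, which is exactly
what makes brute force expensive and a good dictionary valuable.
"""
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional, Tuple

SALT = b"\x00\x11\x22\x33\x44\x55\x66\x77"              # constructed
ITERATIONS = 10                                         # real formats: 10^4 to 10^6
WORDLIST = ["password", "letmein", "summer", "winter"]  # constructed
CHARSET = string.ascii_lowercase + string.digits


def derive(password: str, salt: bytes = SALT) -> bytes:
    """The hash a recovery program compares candidates against."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def mangle(word: str) -> Iterator[str]:
    """Cheap rules that turn one wordlist entry into common variants."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2019"):
            yield base + suffix


def dictionary_attack(target: bytes, words: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (password, candidates_tried); password is None on failure."""
    tried = 0
    for word in words:
        for cand in mangle(word):
            tried += 1
            if derive(cand) == target:
                return cand, tried
    return None, tried


def brute_force(target: bytes, charset: str = CHARSET,
                max_len: int = 3) -> Tuple[Optional[str], int]:
    """Exhaust every combination up to max_len; cost grows as len(charset)**n."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            tried += 1
            cand = "".join(combo)
            if derive(cand) == target:
                return cand, tried
    return None, tried


def demo() -> dict:
    weak = derive("Summer1")     # a wordlist entry with a common mangling
    random3 = derive("b7z")      # short, but in no wordlist
    return {
        "dictionary_vs_weak": dictionary_attack(weak, WORDLIST),
        "dictionary_vs_random": dictionary_attack(random3, WORDLIST),
        "brute_vs_random": brute_force(random3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The candidate counts are the point: the dictionary finds the mangled word in a few dozen guesses and fails outright on the random string, while brute force needs thousands of guesses for three characters and grows by a factor of 36 for each additional one. Raise ITERATIONS to a realistic value and the same counts translate directly into hours.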
Chapter Summary
reconstruction: The process of rebuilding data files; one of the five required functions of computer forensics tools.
validation: The process of checking the accuracy of results; along with discrimination, one of the five required functions of computer forensics tools.
write-blocker: A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt 13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.
THE END