Chap 3 - Current Computer Forensics Tools

8/17/2019 Chap 3 - Current Computer Forensics Tools
Management & Science University © FISE

TCF2043 Digital Investigation
CHAPTER 3: CURRENT COMPUTER FORENSICS TOOLS

Evaluating Computer Forensics Tool Needs

Some questions to ask when evaluating tools include the following:
• On which OS does the forensics tool run?
• Is the tool versatile? For example, does it work in Windows 98, XP, and Vista and produce the same results in all three OSs?
• Can the tool analyze more than one file system, such as FAT, NTFS, and Ext2fs?
• Can a scripting language be used with the tool to automate repetitive functions and tasks?
• Does the tool have any automated features that can help reduce the time needed to analyze data?
• What is the vendor's reputation for providing product support?

Types of Computer Forensics Tools

Computer forensics tools are divided into two major categories: hardware and software.

Hardware Forensics Tools
• Hardware forensics tools range from simple, single-purpose components to complete computer systems and servers.
• Single-purpose components can be devices, such as the ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge, which is designed to write-block an IDE drive connected to a SCSI cable.
• Some examples of complete systems are Digital Intelligence F.R.E.D. systems, DIBS Advanced Forensic Workstations, and Forensic Computers Forensic Examination Stations and portable units.
• To see photos of these tower and portable units, go to the Forensic Computers Web site at www.forensic-computers.com and do a search.

Lab Workstations (photos)
• Forensic Tower IV - Dual Xeon QuadCore
• Ultimate Forensic Machine
• Forensic Analysis Workstation - Dual SixCore Xeon

Mobile Workstations (photos)
• Forensic Air-Lite V MK III
• Forensic Mobile Workstation II

Software Forensics Tools
• Software forensics tools are grouped into command-line applications and GUI applications.
• Some tools are specialized to perform one task, such as SafeBack, a command-line disk acquisition tool from New Technologies, Inc. (NTI).
• Other tools are designed to perform many different tasks.
• For example, Technology Pathways ProDiscover, X-Ways Forensics, Guidance Software EnCase, and AccessData FTK are GUI tools designed to perform most computer forensics acquisition and analysis functions.

Software Forensics Tools (continued)
• Software forensics tools are commonly used to copy data from a suspect's drive to an image file.
• Many GUI acquisition tools can read all structures in an image file as though the image were the original drive.
• Many analysis tools, such as ProDiscover, EnCase, FTK, X-Ways Forensics, ILook, and others, have the capability to analyze image files.

Tasks Performed by Computer Forensics Tools
• All computer forensics tools, both hardware and software, perform specific functions.
• These functions are grouped into five major categories:
1. Acquisition
2. Validation and discrimination
3. Extraction
4. Reconstruction
5. Reporting

Tasks Performed by Computer Forensics Tools - Acquisition
• Acquisition, the first task in computer forensics investigations, is making a copy of the original drive.
• This procedure preserves the original drive to make sure it doesn't become corrupt and damage the digital evidence.
• Subfunctions in the acquisition category include the following: physical data copy, logical data copy, data acquisition format, command-line acquisition, GUI acquisition, remote acquisition, and verification.

Tasks Performed by Computer Forensics Tools - Acquisition (continued)
• Some computer forensics software suites, such as AccessData FTK and EnCase, provide separate tools for acquiring an image.
• However, some investigators choose to use hardware devices, such as the Logicube Talon, VOOM HardCopy 3, or ImageMASSter Solo III Forensic unit from Intelligent Computer Solutions, Inc., for acquiring an image.
• These hardware devices have their own built-in software for data acquisition. No other device or program is needed to make a duplicate drive; however, you still need forensics software to analyze the data.

Tasks Performed by Computer Forensics Tools - Acquisition (continued)
• Other acquisition tools require combining hardware devices and software programs to make disk acquisitions.
• For example, Guidance Software has a DOS program, En.exe, and a function in its Windows application, EnCase, for making data acquisitions.
• Making an acquisition with En.exe requires a PC running MS-DOS, a 12-volt hard drive power connector (Molex, SATA, or one specified for the hard drive you're acquiring), and a data cable, such as an IDE (PATA), a SATA, or a SCSI connector cable.
• The Windows EnCase application requires a write-blocker device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect drive.

Tasks Performed by Computer Forensics Tools - Acquisition (continued)
• Two types of data-copying methods are used in software acquisitions: physical copying of the entire drive and logical copying of a disk partition.
• Most software acquisition tools include the option of imaging an entire physical drive or just a logical partition.
• The situation dictates whether you make a physical or logical acquisition.
• One reason to choose a logical acquisition is drive encryption. Making a physical acquisition of a drive with whole disk encryption results in unreadable data. With a logical acquisition, however, you can still read and analyze the files.

Tasks Performed by Computer Forensics Tools - Acquisition (continued)
• The raw data format, typically created with the UNIX/Linux dd command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive.
• A raw imaging tool can copy data from one drive to another disk or to segmented files.
• Because it's a true unaltered copy, you can view a raw image file's contents with any hexadecimal editor, such as Hex Workshop or WinHex. Hexadecimal editors, also known as disk editors (such as Norton DiskEdit), provide a hexadecimal view and a plaintext view of the data.
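Added example (my code, not from the slides or from dd or any tool named on them): a dd-style raw acquisition in Python that copies a constructed 10,000-byte "drive" bit-for-bit into numbered segment files and performs the verification subfunction by comparing the SHA-256 of the source stream with the SHA-256 of the concatenated segments, then shows that a single flipped byte fails verification. The segment and chunk sizes are assumptions chosen to keep the demo small.

```python
import hashlib
import io
import os
import tempfile

SEGMENT_SIZE = 4096   # assumption: tiny segments so the demo produces several files
CHUNK = 512           # read in sector-sized chunks, as dd does with bs=512


def image_to_segments(source, out_dir, segment_size=SEGMENT_SIZE, chunk=CHUNK):
    """Copy `source` (a binary file object) bit-for-bit into out_dir/image.001,
    image.002, ... and hash the source stream while copying.
    Returns (segment_paths, sha256_hex_of_source)."""
    digest = hashlib.sha256()
    paths = []
    seg = None          # currently open segment file
    seg_written = 0     # bytes written to the open segment
    for block in iter(lambda: source.read(chunk), b""):
        digest.update(block)
        offset = 0
        while offset < len(block):
            if seg is None or seg_written >= segment_size:
                if seg is not None:
                    seg.close()
                path = os.path.join(out_dir, f"image.{len(paths) + 1:03d}")
                paths.append(path)
                seg = open(path, "wb")
                seg_written = 0
            piece = block[offset:offset + (segment_size - seg_written)]
            seg.write(piece)
            seg_written += len(piece)
            offset += len(piece)
    if seg is not None:
        seg.close()
    return paths, digest.hexdigest()


def hash_segments(paths, chunk=CHUNK):
    """Hash the segments in order as one continuous stream: a raw image is just
    the concatenation of its segments, so this must equal the source hash."""
    digest = hashlib.sha256()
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                digest.update(block)
    return digest.hexdigest()


def verify_image(paths, source_hash):
    """The acquisition 'verification' subfunction: True only if every bit matches."""
    return hash_segments(paths) == source_hash


def run_demo():
    """Acquire a constructed drive, verify, tamper with one byte, verify again.
    Returns (segment_count, verified_before_tamper, verified_after_tamper)."""
    # Constructed 10,000-byte "drive" (not a real device): 39 runs of 0..255 plus 16 zero bytes.
    drive = bytes(range(256)) * 39 + b"\x00" * 16
    with tempfile.TemporaryDirectory() as tmp:
        paths, source_hash = image_to_segments(io.BytesIO(drive), tmp)
        clean = verify_image(paths, source_hash)
        # Flip one byte inside the second segment (absolute offset 4196, which
        # holds 0x64 in the pattern): the image is no longer a true copy.
        with open(paths[1], "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        tampered = verify_image(paths, source_hash)
        return len(paths), clean, tampered


if __name__ == "__main__":
    print(run_demo())   # (3, True, False)
```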

Figure: Viewing data in a hexadecimal editor

Tasks Performed by Computer Forensics Tools - Validation and Discrimination
• Two issues in dealing with computer evidence are critical.
• First is ensuring the integrity of data being copied: the validation process.
• Second is the discrimination of data, which involves sorting and searching through all investigation data.
• The process of validating data is what allows discrimination of data.
• Many forensics software vendors offer three methods for discriminating data values.

Tasks Performed by Computer Forensics Tools - Validation and Discrimination (continued)
• These are the subfunctions of the validation and discrimination function: hashing, filtering, and analyzing file headers.
• Validating data is done by obtaining hash values.
• As a standard feature, most forensics tools and many disk editors have one or more types of data hashing.
• How data hashing is used depends on the investigation, but using a hashing algorithm on the entire suspect drive and all its files is a good idea.

Tasks Performed by Computer Forensics Tools - Validation and Discrimination (continued)
• This method produces a unique hexadecimal value for data, used to make sure the original data hasn't changed.
• This unique value has other potential uses.
• For example, in the corporate environment, you could create a known good hash value list of a fresh installation of an OS, all applications, and all known good images and documents (spreadsheets, text files, and so on).
• With this information, an investigator could ignore all files on this known good list and focus on other files on the disk that aren't on this list. This process is known as filtering.
• Filtering can also be used to find data for evidence in criminal investigations or to build a case for terminating an employee.

Tasks Performed by Computer Forensics Tools - Validation and Discrimination (continued)
• The primary purpose of data discrimination is to remove good data from suspicious data.
• Good data consists of known files, such as OS files and common programs (Microsoft Word, for example).
• The National Software Reference Library (NSRL) has compiled a list of known file hashes for a variety of OSs, applications, and images that can be downloaded from www.nsrl.nist.gov/Downloads.htm (see Figure).
• Several computer forensics programs can integrate known good file hash sets, such as the ones from the NSRL, and compare them to file hashes from a suspect drive to see whether they match.
• With this process, you can eliminate large amounts of data quickly so that you can focus your evidence analysis.

Figure: The download page of the National Software Reference Library

Tasks Performed by Computer Forensics Tools - Validation and Discrimination (continued)
• You can also begin building your own hash sets.
• Another feature to consider for hashing functions is hashing and comparing sectors of data. This feature is useful for identifying fragments of data in slack and free disk space that might be partially overwritten.
• An additional method of discriminating data is analyzing and verifying header values for known file types.
• Similar to the hash values of known files, many computer forensics programs include a list of common header values. With this information, you can see whether a file extension is incorrect for the file type.
• Renaming file extensions is a common way to try to hide data, and you could miss pertinent data if you don't check file headers.
• For example, in the file header for ForensicData.doc, you see the letters "JFIF" (see Figure).
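Added example covering the hash-filtering and header-check slides above (my code, not the textbook's or any vendor's): a Python triage pass that builds a known-good hash set from a "fresh install" tree (the in-house equivalent of an NSRL hash set), filters those files out of a suspect-drive tree, and compares the header signature of every remaining file with its extension, so a .doc that begins with a JPEG/JFIF header, as on the slide, is flagged. The directory layout, file contents and the short signature table are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Header signatures ("magic numbers") compared against the extension. These are
# the real on-disk signatures; the table is deliberately short for the demo.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",                          # JPEG (JFIF/Exif)
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",       # OLE2 compound document
    "zip": b"PK\x03\x04",
}
ALIASES = {"jpeg": "jpg"}   # extensions that share a signature entry


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def build_known_good(root):
    """Hash every file under a known-good installation; returns a set of hex digests."""
    return {sha256_file(os.path.join(d, n)) for d, _, names in os.walk(root) for n in names}


def identify_header(head):
    """Return the signature name matching the first bytes of a file, or None."""
    for kind, magic in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def triage(evidence_root, known_good):
    """Filter known-good files, then flag header/extension mismatches among the rest.
    Returns {relative_path: verdict}."""
    verdicts = {}
    for d, _, names in os.walk(evidence_root):
        for name in names:
            path = os.path.join(d, name)
            rel = os.path.relpath(path, evidence_root).replace(os.sep, "/")
            if sha256_file(path) in known_good:
                verdicts[rel] = "known-good (filtered)"
                continue
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            ext = ALIASES.get(ext, ext)
            with open(path, "rb") as f:
                kind = identify_header(f.read(16))
            if kind is not None and ext in SIGNATURES and kind != ext:
                verdicts[rel] = f"review: header matches {kind}, extension is {ext}"
            else:
                verdicts[rel] = "review: unknown file"
    return verdicts


def run_demo():
    """Build both constructed trees in a temp dir and return the triage verdicts."""
    files = {
        # "gold": fresh OS/application install used to build the known-good set
        "gold/Windows/notepad.exe": b"MZ constructed notepad binary",
        "gold/Office/winword.exe": b"MZ constructed winword binary",
        # "case": constructed suspect-drive contents
        "case/Windows/notepad.exe": b"MZ constructed notepad binary",   # unchanged OS file
        "case/Office/winword.exe": b"MZ constructed winword binary",
        "case/Users/jdoe/ForensicData.doc":                             # JPEG hidden as .doc
            b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 32,
        "case/Users/jdoe/report.doc": SIGNATURES["doc"] + b"\x00" * 32,  # genuine OLE2 file
        "case/Users/jdoe/notes.txt": b"meeting notes",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        known_good = build_known_good(os.path.join(tmp, "gold"))
        return triage(os.path.join(tmp, "case"), known_good)


if __name__ == "__main__":
    for rel, verdict in sorted(run_demo().items()):
        print(f"{verdict:48} {rel}")
```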


Tasks Performed by Computer Forensics Tools - Extraction
• The extraction function is the recovery task in a computing investigation and is the most challenging of all tasks to master.
• Recovering data is the first step in analyzing an investigation's data.
• The following subfunctions of extraction are used in investigations:
1. Data viewing
2. Keyword searching
3. Decompressing
4. Carving
5. Decrypting

Tasks Performed by Computer Forensics Tools - Extraction (continued)
• Many computer forensics tools include a data-viewing mechanism for digital evidence.
• How data is viewed depends on the tool.
• Tools such as ProDiscover, X-Ways Forensics, FTK, EnCase, SMART, ILook, and others offer several ways to view data, including logical drive structures, such as folders and files.
• These tools also display allocated file data and unallocated disk areas with special file and disk viewers.
• Being able to view this data in its normal form makes analyzing and collecting clues for the investigation easier.

Tasks Performed by Computer Forensics Tools - Extraction (continued)
• A common task in computing investigations is searching for and recovering key data facts.
• Computer forensics programs have functions for searching for keywords of interest to the investigation.
• Using a keyword search speeds up the analysis process for investigators, if used correctly; however, a poor selection of keywords generates too much information.
• For example, the name "Ben" is a poor search term because it generates a large number of false-positive hits.
• To reduce false-positive hits, you need to refine the search scope.

Tasks Performed by Computer Forensics Tools - Extraction (continued)
• One way is to search on combinations of words, in which one word is within so many words of the next.
• For example, with FTK's Indexed Search feature (see next Figure), you could search for the word "Ben" within one word of the word "Franklin" by entering "Ben w/1 Franklin" and narrow the search further with the word "Son" as a separate entry in the Search Term text box.
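Added example (my code, not from the slides or from FTK): a small Python model of the search refinement described above, run over five constructed lines of recovered text. A raw substring search for "Ben" returns nine hits, including "Benjamin" and "bench"; the proximity query "Ben w/1 Franklin" keeps two; adding "Son" as a separate term that must also appear in the same record leaves one. The w/N semantics used here (N words in either direction, whole-word, case-insensitive) are my reading of the feature, not FTK's documented behaviour.

```python
import re

# Constructed sample records (e.g. lines recovered from a suspect drive); not real data.
SAMPLE_LINES = [
    "Ben Franklin will meet us Tuesday. His son Ben is also coming.",
    "The Franklin account was closed by Ben last week. Ben said nothing.",
    "Benjamin Franklin's son William Franklin kept the records.",
    "Ben, Franklin and Partners Ltd. filed the paperwork; Ben signed it.",
    "The bench was repainted by Ben.",
]

WORD_RE = re.compile(r"[A-Za-z0-9]+")


def tokenize(text):
    """Lower-cased whole words, which is what an index search matches on."""
    return [m.group(0).lower() for m in WORD_RE.finditer(text)]


def raw_keyword_hits(lines, term):
    """Raw keyword search as run over a whole drive: every case-insensitive
    substring occurrence, so 'Ben' also hits 'Benjamin' and 'bench'.
    Returns (line_index, char_offset) pairs."""
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    return [(i, m.start()) for i, line in enumerate(lines) for m in pattern.finditer(line)]


def proximity_hits(lines, term_a, term_b, within):
    """'A w/N B': whole-word A with whole-word B at most N words away on either
    side. Returns (line_index, word_index_of_A) pairs."""
    a, b = term_a.lower(), term_b.lower()
    hits = []
    for i, line in enumerate(lines):
        words = tokenize(line)
        for j, word in enumerate(words):
            if word != a:
                continue
            window = words[max(0, j - within):j] + words[j + 1:j + 1 + within]
            if b in window:
                hits.append((i, j))
    return hits


def search(lines, term_a, term_b, within, extra_terms=()):
    """Proximity query AND-ed with separate search-term entries: each extra
    term must also occur (whole-word) in the same record as the proximity hit."""
    extras = [t.lower() for t in extra_terms]
    return [(i, j) for i, j in proximity_hits(lines, term_a, term_b, within)
            if all(t in tokenize(lines[i]) for t in extras)]


if __name__ == "__main__":
    print(len(raw_keyword_hits(SAMPLE_LINES, "Ben")))                        # 9
    print(proximity_hits(SAMPLE_LINES, "Ben", "Franklin", 1))               # [(0, 0), (3, 0)]
    print(search(SAMPLE_LINES, "Ben", "Franklin", 1, extra_terms=("Son",)))  # [(0, 0)]
```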

Figure: The Indexed Search feature in FTK

Tasks Performed by Computer Forensics Tools - Extraction (continued)
• With some tools, you can set filters to select the file types to search, such as searching only PDF documents.
• Another function in some forensics tools is indexing all words on a drive. X-Ways Forensics and FTK 1.

Tasks Performed by Computer Forensics Tools - Extraction (continued)
• Another function to consider for extraction is the format the forensics tool can read.
• For example, FTK has a built-in function that reads and indexes data from Microsoft .pst and .ost files; EnCase has a third-party add-on that performs indexing and analyzes Microsoft .pst files.
• In addition, EnCase, X-Ways Forensics, and ProDiscover enable you to create scripts for extracting data, but FTK doesn't have this feature.
• Keep in mind that you have to use a combination of tools to retrieve and report on evidence from digital devices accurately.

Tasks Performed by Computer Forensics Tools - Extraction (continued)
• Part of the investigation process also involves reconstructing fragments of files that have been deleted from a suspect drive.
• In North America, this reconstruction is referred to as "carving"; in Europe, it's called "salvaging."
• Investigators often need to be able to extract data from unallocated disk space.
• Locating file header information, as mentioned previously in "Validation and Discrimination," is a reliable method for carving data.
• Most forensics tools analyze unallocated areas of a drive or an image file and locate fragments or entire file structures that can be carved and copied into a newly reconstructed file.

Tasks Performed by Computer Forensics Tools - Extraction (continued)
• Some investigators prefer carving fragmented data manually with a command-line tool, but advanced GUI tools, such as X-Ways Forensics, EnCase, FTK, and ProDiscover, with built-in functions for carving are used more commonly now.
• For example, the next Figure shows an option in FTK for adding carved files to a case automatically.
• Some tools, such as DataLifter and Davory, are specifically designed to carve known data types from exported unallocated disk space.
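Added example covering the two carving slides above (my code, not DataLifter's, Davory's or FTK's): a header/footer carver in Python that scans a constructed blob standing in for exported unallocated space, recovers a JPEG and a PDF by their real on-disk signatures, and skips a JPEG header whose tail was overwritten because no footer follows it. The maximum carve size and the sample blob are assumptions for the demo.

```python
import os

# (header, footer) signatures; these are the real on-disk markers for each type.
CARVE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024   # assumption: give up on a header if no footer within 10 MiB


def carve(unallocated, signatures=CARVE_SIGNATURES, max_size=MAX_CARVE):
    """Scan a bytes blob of unallocated space for header signatures and carve
    each header..footer span into a candidate file. Returns a list of
    (kind, offset, data) sorted by offset. A header with no footer within
    max_size is treated as a partially overwritten fragment and skipped; a
    file whose footer bytes also occur inside its body (a PDF with incremental
    updates, for instance) is carved only up to the first footer."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = unallocated.find(header, pos)
            if start == -1:
                break
            end = unallocated.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # orphan header: nothing to reconstruct
                continue
            end += len(footer)
            found.append((kind, start, unallocated[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


def write_carved(found, out_dir):
    """Write carved candidates as <offset>.<kind>, the way carving tools name output."""
    paths = []
    for kind, offset, data in found:
        path = os.path.join(out_dir, f"{offset:010d}.{kind}")
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    return paths


# Constructed sample unallocated space (not from a real drive).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x11" * 40 + b"\xff\xd9"
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF"
ORPHAN_JPEG = b"\xff\xd8\xff\xe1" + b"\x22" * 20      # start of a JPEG whose tail was overwritten
FILLER = b"\x00" * 512                                   # wiped sectors between fragments


def build_sample_unallocated():
    return FILLER + JPEG_SAMPLE + FILLER + PDF_SAMPLE + FILLER + ORPHAN_JPEG + FILLER


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_unallocated()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```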

Figure: Data carving options in FTK

Tasks Performed by Computer Forensics Tools - Extraction (continued)
• A major challenge in computing investigations is analyzing, recovering, and decrypting data from encrypted files or systems.
• Encryption can be used on a drive, disk partition, or file.
• Many e-mail services, such as Microsoft Outlook, provide encryption protection for .pst folders and messages.
• The types of encryption range from platform specific, such as Windows Encrypting File System (EFS), to third-party vendors, such as Pretty Good Privacy (PGP) and GnuPG.

Tasks Performed by Computer Forensics Tools - Extraction (continued)
• From an investigation perspective, encrypted files and systems are a problem.
• Many password recovery tools have a feature for generating potential password lists for a password dictionary attack.
• FTK, for example, produces a list of possible passwords for an encrypted file from a suspect drive.
• AccessData has also created an advanced password-cracking software suite called Distributed Network Attack (DNA) that allows multiple machines to attempt cracking a password.

Tasks Performed by Computer Forensics Tools - Extraction (continued)
• After locating the evidence, the next task is to bookmark it so that you can refer to it later when needed.
• Many forensics tools use bookmarks to insert digital evidence into a report generator, which produces a technical report in HTML or RTF format of the examination's findings.
• When the report generator is launched, bookmarks are loaded into the report.

Tasks Performed by Computer Forensics Tools - Reconstruction
• The purpose of having a reconstruction feature in a forensics tool is to re-create a suspect drive to show what happened during a crime or an incident.
• Another reason for duplicating a suspect drive is to create a copy for other computer investigators, who might need a fully functional copy of the drive so that they can perform their own acquisition, test, and analysis of the evidence.

Tasks Performed by Computer Forensics Tools - Reconstruction (continued)
• These are the subfunctions of reconstruction:
1. Disk-to-disk copy
2. Image-to-disk copy
3. Partition-to-partition copy
4. Image-to-partition copy

Tasks Performed by Computer Forensics Tools - Reconstruction (continued)
• There are several ways to re-create an image of a suspect drive.
• Under ideal circumstances, the best and most reliable method is obtaining the same make and model drive as the suspect drive.
• If the suspect drive has been manufactured recently, locating an identical drive is fairly easy (and vice versa).
• The simplest method of duplicating a drive is using a tool that makes a direct disk-to-disk copy from the suspect drive to the target drive.
• Many tools can perform this task.
• One free tool is the UNIX/Linux dd command, but it has a major disadvantage: the target drive being written to must be identical to the original (suspect) drive, with the same cylinder, sector, and track count.

Tasks Performed by Computer Forensics Tools - Reconstruction (continued)
• If an identical drive is unavailable, manipulating the drive's cylinders, sectors, and tracks to match the original drive might be possible through your workstation's BIOS.
• For a disk-to-disk copy, both hardware and software duplicators are available.
• Hardware duplicators are the fastest way to copy data from one disk to another.
• Hardware duplicators, such as Logicube Talon, Logicube Forensic MD5, and ImageMASSter Solo III Forensics Hard Drive Duplicator, adjust the target drive's geometry to match the suspect drive's cylinder, sectors, and tracks.
• Software duplicators, although slower than hardware duplicators, include SnapBack, SafeBack, EnCase, and X-Ways Forensics.

Tasks Performed by Computer Forensics Tools - Reporting
• To complete a forensics disk analysis and examination, you need to create a report.
• Before Windows forensics tools were available, this process required copying data from a suspect drive and extracting the digital evidence manually.
• The investigator then copied the evidence to a separate program, such as a word processor, to create a report.
• File data that couldn't be read in a word processor (databases, spreadsheets, and graphics, for example) made it difficult to insert nonprintable characters, such as binary data, into a report.

Tasks Performed by Computer Forensics Tools - Reporting (continued)
• Typically, these reports weren't stored electronically because investigators had to collect printouts from several different applications to consolidate everything into one large paper report.
• Newer Windows forensics tools can produce electronic reports in a variety of formats, such as word processing documents, HTML Web pages, or Acrobat PDF files.
• These are the subfunctions of the reporting function: log reports and report generator.

Tasks Performed by Computer Forensics Tools - Reporting (continued)
• As part of the validation process, often you need to document the steps you took to acquire data from a suspect drive.
• Many forensics tools, such as FTK, ILook, and X-Ways Forensics, can produce a log report that records activities the investigator performed.
• Then a built-in report generator is used to create a report in a variety of formats.
• The following tools are some that offer report generators displaying bookmarked evidence: EnCase, FTK, ILook, X-Ways Forensics, and ProDiscover.

Computer Forensics Software Tools
• Whether you use a suite of tools or a task-specific tool, you have the option of selecting one that enables you to analyze digital evidence.
• Computer Forensics Software Tools have 3 types:
1. Command-Line Forensics Tools
2. UNIX/Linux Forensics Tools
3. Other GUI Forensics Tools

Computer Forensics Software Tools - Command-Line Forensics Tools
• Used mostly for old PCs.
• The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems.
• One of the first MS-DOS tools used for computer investigations was Norton DiskEdit.
• This tool used manual processes that required investigators to spend considerable time on a typical 500 MB drive.
• One advantage of using command-line tools for an investigation is that they require few system resources because they're designed to run in minimal configurations.
• In fact, most tools fit on bootable media (floppy disk, USB drive, CD, or DVD).

Computer Forensics Software Tools - UNIX/Linux Forensics Tools
• The *nix platforms have long been the primary command-line OSs.
• However, with GUIs now available with *nix platforms, these OSs are becoming more popular with home and corporate end users.
• Some of the popular tools are:

SMART
• SMART is designed to be installed on numerous Linux versions, including Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, Slackware, and more.
• You can analyze a variety of file systems with SMART; for a list of file systems or to download an evaluation ISO image for SMART and SMART Linux, go to www.asrdata2.com (http://www.asrdata2.com/).

Computer Forensics Software Tools - UNIX/Linux Forensics Tools (continued)
• SMART includes several plug-in utilities.
• This modular approach makes it possible to upgrade SMART components easily and quickly.
• Another useful option in SMART is the hex viewer. Hex values are color-coded to make it easier to see where a file begins and ends.
• SMART also offers a reporting feature.
• Everything you do during your investigation with SMART is logged, so you can select what you want to include in a report, such as bookmarks.

Helix
• One of the easiest suites to use because of its user interface.
• What's unique about Helix is that you can load it on a live Windows system, and it loads as a bootable Linux OS from a cold boot.
• Its Windows component is used for live acquisitions.
• Some international courts have not accepted live acquisitions as a valid forensics practice.
• During corporate investigations, often you need to retrieve RAM and other data, such as the suspect's user profile, from a workstation or server that can't be seized or turned off. That's why Helix is used.

BackTrack
• BackTrack is another Linux Live CD used by many security professionals and forensics investigators.
• It includes a variety of tools and has an easy-to-use interface.

Autopsy and Sleuth Kit
• Sleuth Kit is a Linux forensics tool, and Autopsy is the GUI browser interface for accessing Sleuth Kit's tools.

Knoppix-STD
• Knoppix Security Tools Distribution (STD) is a collection of tools for configuring security measures, including computer and network forensics.
• It doesn't allow you to alter or damage the system you're analyzing.

Figure: The Knoppix-STD information window in Windows

Computer Forensics Software Tools - Other GUI Forensics Tools
• Several software vendors have introduced forensics tools that work in Windows.
• These GUI tools have also simplified training for beginning examiners.
• Most GUI tools are put together as suites of tools.
• For example, the largest GUI tool vendors (Technology Pathways, AccessData, and Guidance Software) offer tools that perform most of the tasks.
• As with all software, each suite has its strengths and weaknesses.

Computer Forensics Software Tools - Other GUI Forensics Tools (continued)
• GUI tools have several advantages, such as: ease of use; the capability to perform multiple tasks; no requirement to learn older OSs.
• Their disadvantages: excessive resource requirements (needing large amounts of RAM, for example); producing inconsistent results because of the type of OS used, such as Windows Vista 32-bit or [...] uired.

Computer Forensics Hardware Tools
• Technology changes rapidly, and hardware manufacturers have designed most computer components to last about 18 months between failures.
• For this reason, you should schedule equipment replacements periodically; ideally, every 18 months if you use the hardware full time.
• Most computer forensics operations use a workstation 24 hours a day for a week or longer between complete shutdowns.
• Forensics hardware covers the following issues: Forensic Workstations, Using a Write-Blocker.


Computer Forensics Hardware Tools

Forensic Workstations

The more diverse your investigation environment, the more options you need.
In general, forensic workstations can be divided into the following categories:
- Stationary workstation: a tower with several bays and many peripheral devices
- Portable workstation: a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation
- Lightweight workstation: usually a laptop computer built into a carrying case with a small selection of peripheral options


Computer Forensics Hardware Tools

Forensic Workstations

When considering options to add to a basic workstation, keep in mind that PCs have limitations on how many peripherals they can handle.
The more peripherals you add, the more potential problems you might have, especially if you're using an older version of Windows.
You must learn to balance what you actually need with what your system can handle.


Computer Forensics Hardware Tools

Using a Write-Blocker

The first item you should consider for a forensic workstation is a write-blocker.
Write-blockers protect evidence disks by preventing data from being written to them.
Software and hardware write-blockers perform the same function but in a different fashion.
Software write-blockers, such as PDBlock from Digital Intelligence, typically run in a shell mode (for example, DOS).
PDBlock changes interrupt 13 of a workstation's BIOS to prevent writing to the specified drive. If you attempt to write data to the blocked drive, an alarm sounds, advising that no writes have occurred.
Because this kind of blocker hooks the BIOS disk interrupt, it protects only against tools that reach the disk through the BIOS; a protected-mode OS such as Windows talks to the disk controller through its own drivers and bypasses interrupt 13 entirely, which is why hardware blockers are preferred for GUI tools.


Computer Forensics Hardware Tools

Using a Write-Blocker

Hardware write-blockers are ideal for GUI forensics tools.
They prevent the OS from writing data to the blocked drive.
Hardware write-blockers act as a bridge between the suspect drive and the forensic workstation.
In the Windows environment, when a write-blocker is installed on an attached drive, the drive appears as any other attached disk.
You can navigate to the blocked drive with any Windows application.
When you copy data to the blocked drive or write updates to a file with Word, Windows shows that the data copy is successful. However, the write-blocker actually discards the written data; in other words, data is written to null.
Because the OS caches the write and reports success anyway, the only way to confirm that a blocker works is to hash the drive before and after an attempted write on a scratch disk and compare the two values.
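The only check that proves the claim above (Windows reports success, the bridge discards the write) is to hash the medium before and after an attempted write. The following Python is added here as an example; it is not part of the original slides or of any vendor's product. A temporary file filled with random bytes stands in for the evidence drive, `blocked_write` is an assumed stand-in for the hardware bridge, and `passthrough_write` is an assumed stand-in for a missing or failed blocker.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash a device or image file in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def blocked_write(path: str, offset: int, data: bytes) -> int:
    """Assumed stand-in for a hardware write-blocker: the OS is told that
    len(data) bytes were written, but nothing reaches the medium."""
    return len(data)


def passthrough_write(path: str, offset: int, data: bytes) -> int:
    """Assumed stand-in for no blocker, or a broken one: the write lands."""
    with open(path, "r+b") as f:
        f.seek(offset)
        return f.write(data)


def validate_write_blocker(device: str, write_fn, probe: bytes = b"WB-PROBE") -> dict:
    """Hash the medium, attempt writes at the first sector, a middle sector and
    the last sector, then rehash and scan for the probe pattern.
    The blocker passes only if the hash is unchanged and the probe is absent."""
    size = os.path.getsize(device)
    before = sha256_of(device)
    offsets = [0, (size // 2) // 512 * 512, size - 512]
    reported = [write_fn(device, off, probe) for off in offsets]
    after = sha256_of(device)
    with open(device, "rb") as f:
        leaked = probe in f.read()
    return {
        "hash_before": before,
        "hash_after": after,
        "os_reported_success": all(n == len(probe) for n in reported),
        "medium_unchanged": before == after and not leaked,
    }


def make_fake_device(size: int = 64 * 1024) -> str:
    """Constructed sample 'evidence drive': random bytes in a temporary file."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


def run_demo() -> dict:
    """Run the validation once behind the simulated blocker and once without."""
    dev = make_fake_device()
    try:
        return {
            "blocked": validate_write_blocker(dev, blocked_write),
            "passthrough": validate_write_blocker(dev, passthrough_write),
        }
    finally:
        os.remove(dev)


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:12s} OS reported success={r['os_reported_success']} "
              f"medium unchanged={r['medium_unchanged']}")
```

Both runs report success from the writer's point of view; only the hash comparison separates a working blocker from a failed one. On a real workstation, point `device` at the block device behind the bridge and replace `passthrough_write` with an ordinary write through the OS, and do it only against a scratch drive you can afford to lose, never against evidence.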


… requirements - For each category, describe the technical features or functions a forensics tool must have.
3. Develop test assertions - Based on the requirements, create tests that prove or disprove the tool's capability to meet the requirements.


… equally important.
One way to compare results and verify a new tool is by using a disk editor, such as Hex Workshop or WinHex, to view data on a disk in its raw format.


Computer Forensics Tool Upgrade Protocol

In addition to verifying your results by using two disk-analysis tools, you should test all new releases and OS patches and upgrades to make sure they're reliable and don't corrupt evidence data.
New releases and OS upgrades and patches can affect the way your forensics tools perform.
If you determine that a patch or upgrade isn't reliable, don't use it on your forensic workstation until the problem has been fixed.
If a problem exists, such as not being able to read old image files with the new release or the disk editor generating errors after you apply the latest service pack, you can file an error report with the vendor.
In most cases, the vendor addresses the problem and provides a new patch, which you should check with another round of validation testing.


Computer Forensics Tool Upgrade Protocol

The best way to test a tool is to build a test hard disk that stores data in the unused space allocated to a file, also known as file slack.
You can then use a forensics tool to retrieve it.
If you can retrieve the data with that tool and verify your findings with a second tool, you know the tool is reliable.
As computer forensics tools continue to evolve, you should check the Web for new editions, updates, patches, and validation tests for your tools.
Always validate what the hardware or software tool is doing as opposed to what it's supposed to be doing. Be confident and knowledgeable about the capabilities of your forensics toolbox.
Remember to test and document why a tool does or doesn't work the way it's supposed to.
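As an added worked example (not from the original slides), here is the test-disk procedure above in Python: build an image with a known marker planted in file slack, retrieve it with a slack reader that uses the file's allocation metadata, and cross-check with a second, independent routine that knows nothing about the file system. The image layout (4096-byte clusters, the file at cluster 1, its metadata held in a Python dict rather than in an on-disk FAT or MFT) is an assumption made to keep the example self-contained.

```python
import os
import tempfile

CLUSTER = 4096  # assumed allocation unit; FAT32 and NTFS commonly default to 4 KiB


def build_test_image(path: str, file_data: bytes, slack_marker: bytes) -> dict:
    """Write file_data at cluster 1 and plant slack_marker just past its logical
    end, inside the last allocated cluster. Returns the metadata a real file
    system would keep on disk: start offset, logical size, allocated clusters."""
    n_clusters = max(1, -(-len(file_data) // CLUSTER))     # ceiling division
    slack_len = n_clusters * CLUSTER - len(file_data)
    if len(slack_marker) > slack_len:
        raise ValueError(f"marker needs {len(slack_marker)} bytes, slack has {slack_len}")
    image = bytearray(CLUSTER * (n_clusters + 2))          # cluster 0 + file + one spare
    start = CLUSTER
    image[start:start + len(file_data)] = file_data
    slack_off = start + len(file_data)
    image[slack_off:slack_off + len(slack_marker)] = slack_marker
    with open(path, "wb") as f:
        f.write(image)
    return {"start": start, "size": len(file_data), "clusters": n_clusters}


def read_file_slack(path: str, meta: dict) -> bytes:
    """Tool 1: use the allocation metadata to read exactly the slack, the bytes
    between logical EOF and the end of the last allocated cluster."""
    slack_off = meta["start"] + meta["size"]
    slack_len = meta["clusters"] * CLUSTER - meta["size"]
    with open(path, "rb") as f:
        f.seek(slack_off)
        return f.read(slack_len)


def raw_search(path: str, pattern: bytes) -> list:
    """Tool 2: a disk-editor style raw byte search with no file-system
    knowledge; returns every offset at which pattern occurs."""
    with open(path, "rb") as f:
        data = f.read()
    hits, i = [], data.find(pattern)
    while i != -1:
        hits.append(i)
        i = data.find(pattern, i + 1)
    return hits


def validate_slack_recovery(file_data: bytes, marker: bytes) -> dict:
    """Build the test disk, recover the marker with tool 1, and confirm with
    tool 2 that it sits exactly where the metadata says the slack begins."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        meta = build_test_image(path, file_data, marker)
        slack = read_file_slack(path, meta)
        hits = raw_search(path, marker)
        expected_off = meta["start"] + meta["size"]
        return {
            "slack_bytes": len(slack),
            "tool1_found": slack.startswith(marker),
            "tool2_offsets": hits,
            "tools_agree": slack.startswith(marker) and hits == [expected_off],
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    # constructed input: a 5000-byte file fills two clusters, leaving 3192 bytes of slack
    print(validate_slack_recovery(b"A" * 5000, b"SLACK-TEST-PATTERN"))
```

The two routines fail in different ways (a wrong cluster size breaks tool 1, a marker that also appears in live file data confuses tool 2), which is exactly why the protocol asks for agreement between two tools rather than a single pass. A file whose size is an exact multiple of the cluster size has no slack at all, and the builder refuses to plant a marker there rather than silently overwriting the next cluster.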


Chapter Summary

acquisition - The process of creating a duplicate image of data; one of the five required functions of computer forensics tools.
brute-force attack - The process of trying every combination of characters (letters, numbers, and special characters typically found on a keyboard) to find a matching password or passphrase value for an encrypted file.
Computer Forensics Tool Testing (CFTT) - A project sponsored by the National Institute of Standards and Technology to manage research on computer forensics tools.
discrimination - The process of sorting and searching through investigation data to separate known good data from suspicious data; along with validation, one of the five required functions of computer forensics tools.


Chapter Summary

extraction - The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the five required functions of computer forensics tools.
keyword search - A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.
National Software Reference Library (NSRL) - A NIST project with the goal of collecting all known hash values for commercial software and OS files.
password dictionary attack - An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.
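Discrimination in practice is hash-set filtering, and the NSRL is the reference set it is usually run against. The Python below is an added example, not code from the slides or from NIST: it hashes every file under a directory, matches SHA-1 digests (one of the digests the NSRL RDS carries) against a known-good set and a known-bad set, and reports what is left over as unknown. The three sample files and both hash sets are constructed in the code; a real RDS import holds millions of entries and its record format is not reproduced here.

```python
import hashlib
import os
import shutil
import tempfile


def sha1_of(path: str) -> str:
    """Hash a file in 1 MiB chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def discriminate(root: str, known_good: dict, known_bad: dict) -> dict:
    """Walk root and sort each file by its SHA-1: known_bad hits are notable,
    known_good hits can be set aside, everything else still needs a look.
    Matching by hash rather than by name is the point: renaming does not help."""
    result = {"known_good": [], "notable": [], "unknown": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = sha1_of(full)
            if digest in known_bad:
                result["notable"].append((rel, known_bad[digest]))
            elif digest in known_good:
                result["known_good"].append((rel, known_good[digest]))
            else:
                result["unknown"].append((rel, digest))
    return result


def build_sample_tree():
    """Constructed sample: three files, one of them a known hacktool renamed
    to look like a system binary. The two dicts stand in for an NSRL import
    and a malware hash list."""
    root = tempfile.mkdtemp()
    samples = {
        "notepad.exe": b"bytes of a known-good OS binary",
        "calc.exe":    b"bytes of a known hacktool, renamed to hide",
        "notes.txt":   b"user-created content with no reference hash",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    known_good = {hashlib.sha1(samples["notepad.exe"]).hexdigest(): "notepad.exe (OS file)"}
    known_bad = {hashlib.sha1(samples["calc.exe"]).hexdigest(): "hacktool (renamed)"}
    return root, known_good, known_bad


def run_demo() -> dict:
    """Build the sample tree, run discrimination, clean up."""
    root, good, bad = build_sample_tree()
    try:
        return discriminate(root, good, bad)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for bucket, entries in run_demo().items():
        print(bucket, entries)
```

The file named `calc.exe` lands in the notable bucket because its content hashes to a known-bad entry, regardless of its name; the genuinely unknown file is the one an examiner then spends time on. Hash-set filtering only ever removes what is on the list, so an unknown result is a starting point, not a verdict.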


Chapter Summary

reconstruction - The process of rebuilding data files; one of the five required functions of computer forensics tools.
validation - The process of checking the accuracy of results; along with discrimination, one of the five required functions of computer forensics tools.
write-blocker - A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt 13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.
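To make the two password-recovery definitions in the summary concrete, the following Python is an added example, not code from the slides or from any recovery product. The "encrypted file" is represented only by a salted PBKDF2-HMAC-SHA256 hash of its passphrase, the value a recovery program compares candidates against; the iteration count is lowered to 1000 so the brute-force run finishes in seconds. The wordlist, the mangling rules and both target passphrases are constructed for the demonstration.

```python
import hashlib
import itertools
import os
import string

ITERATIONS = 1000   # lowered for the demo; real file formats use far higher counts


def derive(password: str, salt: bytes) -> bytes:
    """Stand-in for the file's key-derivation step: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_target(password: str) -> tuple:
    """Constructed 'encrypted file': only its salt and derived hash are kept."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


def mangle(word: str) -> list:
    """A small rule set: the word itself, capitalised, and with common suffixes."""
    return [word, word.capitalize(), word + "1", word + "!", word + "123"]


def dictionary_attack(target: tuple, wordlist, use_rules: bool = True) -> tuple:
    """Try each wordlist entry (plus rule variants) against the target.
    Returns (password, candidates_tried), or (None, candidates_tried)."""
    salt, digest = target
    tried = 0
    for word in wordlist:
        for candidate in (mangle(word) if use_rules else [word]):
            tried += 1
            if derive(candidate, salt) == digest:
                return candidate, tried
    return None, tried


def brute_force(target: tuple, alphabet: str = string.ascii_lowercase, max_len: int = 3) -> tuple:
    """Exhaustive search, shortest strings first. Returns (password, tried)."""
    salt, digest = target
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            tried += 1
            candidate = "".join(combo)
            if derive(candidate, salt) == digest:
                return candidate, tried
    return None, tried


def keyspace(alphabet: str, max_len: int) -> int:
    """Number of candidates a full brute force of lengths 1..max_len must derive."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    wordlist = ["password", "welcome", "summer", "forensics"]    # constructed
    print(dictionary_attack(make_target("forensics!"), wordlist))
    print(brute_force(make_target("abc")))
    print(keyspace(string.ascii_lowercase + string.digits, 4))
```

The numbers are the lesson: the dictionary run reaches `forensics!` after 19 derivations, while an exhaustive search of only four lowercase-alphanumeric characters has to budget for 1,727,604, each costing a full PBKDF2 run. That cost is what a high iteration count in the file format buys the defender, and why recovery tools try wordlists and rules long before they fall back to brute force.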


THE END