Source: Module 4 CS 996 - New York University Tandon School of ... (isis.poly.edu/.../Lectures/forensics_module4.pdf)

Digital Forensics

Module 4

CS 996

2/23/2005 Module 4 2

Hard Drive Forensics

Acquisition
  Bit-for-bit copy
  Write-protect the evidence media
  EnCase for DOS
  Safeback (NTI: www.forensics-intl.com)

Analysis
  EnCase
  FTK (www.accessdata.com)
  WinHex Forensic Edition


Acquisition Steps With EnCase

Create EnCase boot disk
  DOS boot disk
  Network boot disk

Start subject computer with boot disk

Acquire data to storage computer
  Network acquisition
  Drive-to-drive acquisition
  Parallel cable acquisition
  Windows acquisition


EnCase Resources

Academic CD
  Instructor Notes
  User Manual excerpts on analysis
  Training Manual

www.guidancesoftware.com
  Online videos


EnCase Acquisition Geometry

Network cable acquisition

[Diagram: SUBJECT COMPUTER connected to STORAGE COMPUTER by a NETWORK CROSSOVER CABLE]


EnCase Acquisition Geometry, cont.

Drive to Drive acquisition

[Diagram: SUBJECT HARD DRIVE attached to STORAGE COMPUTER by an IDE CABLE]

Here the subject drive hangs directly off the storage computer's IDE bus, so the write-protect rule from the acquisition slide has to be enforced by putting the drive behind a hardware write blocker before it is powered up.


Analysis With EnCase

Basic navigation

String searches (keywords, GREP, etc.)

Signature match

Registry analysis (compound file)

Email analysis (compound file)

File viewers (third party viewers)


EnCase Image File

Contains more than a raw dd sector image:

Case information header

CRC for each 32 KB block of data

MD5 checksum for the entire image

Image verification: recompute the CRC of every 32 KB block and the MD5 of the whole image and compare them with the stored values. A failing CRC pinpoints the damaged block; the MD5 alone only says that the image no longer matches what was acquired.
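As an added illustration of the acquisition and verification steps above (example code written for this page, not EnCase's code; the container layout it writes is a simplified stand-in for the EnCase evidence file, not the real format): a bit-for-bit copy from a read-only source into an image that carries a CRC per 32 KB block and an MD5 over everything, followed by a verifier that shows why both are stored. The source media and the one-bit damage are constructed inside `demo()`.

```python
import hashlib
import io
import random
import struct
import zlib

# Granularity at which the slides say EnCase stores a CRC: one per 32 KB of data.
BLOCK = 32 * 1024


def acquire(src, dst, block=BLOCK):
    """Bit-for-bit copy of a read-only source into a simplified evidence container.

    Layout (assumed for this example, NOT the real EnCase .E01 format):
      raw data | CRC32 per block (uint32 LE each) | MD5 of all data (16 bytes) | data length (uint64 LE)
    Returns (bytes_copied, md5_hex).  On real media `src` would be the device node
    opened read-only behind a hardware write blocker.
    """
    crcs = []
    md5 = hashlib.md5()
    total = 0
    while True:
        chunk = src.read(block)
        if not chunk:
            break
        dst.write(chunk)                       # the raw, unaltered bytes
        crcs.append(zlib.crc32(chunk) & 0xFFFFFFFF)
        md5.update(chunk)
        total += len(chunk)
    dst.write(b"".join(struct.pack("<I", c) for c in crcs))
    dst.write(md5.digest())
    dst.write(struct.pack("<Q", total))
    return total, md5.hexdigest()


def verify(image, block=BLOCK):
    """Recompute every block CRC and the whole-image MD5 against the stored values.

    Returns (md5_ok, bad_blocks): the MD5 says only whether the image changed at all,
    the per-block CRCs say *which* 32 KB block is damaged.
    """
    total = struct.unpack("<Q", image[-8:])[0]
    nblocks = (total + block - 1) // block
    crc_off = total
    stored_crcs = [struct.unpack_from("<I", image, crc_off + 4 * i)[0] for i in range(nblocks)]
    stored_md5 = image[crc_off + 4 * nblocks: crc_off + 4 * nblocks + 16]
    data = image[:total]
    bad_blocks = [
        i for i in range(nblocks)
        if (zlib.crc32(data[i * block:(i + 1) * block]) & 0xFFFFFFFF) != stored_crcs[i]
    ]
    md5_ok = hashlib.md5(data).digest() == stored_md5
    return md5_ok, bad_blocks


def demo():
    """Acquire a constructed 'drive', verify it, then flip one bit and verify again."""
    rng = random.Random(1)                                   # constructed sample media
    evidence = bytes(rng.getrandbits(8) for _ in range(100 * 1024 + 123))  # not block-aligned on purpose
    image_buf = io.BytesIO()
    total, md5_hex = acquire(io.BytesIO(evidence), image_buf)
    image = image_buf.getvalue()
    clean = verify(image)
    tampered = bytearray(image)
    tampered[2 * BLOCK + 17] ^= 0x01                         # single-bit error inside block 2
    damaged = verify(bytes(tampered))
    return {"bytes": total, "md5": md5_hex, "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

The clean image verifies as `(True, [])`; after the single flipped bit the result is `(False, [2])`: the MD5 fails, and the block CRCs localise the damage to block 2 without rehashing the rest of the image.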


Analysis With EnCase

Install software

Initialize case
  Drag and drop evidence file into EnCase

Bookmarks: reporting
  Need to keep track of key findings


Initialize Case: EnCase Scripts

Allow custom forensic analysis

Program against a C++-like scripting API (EnScript)

Pre-made scripts
  Initialize Case
  Download from www.guidancesoftware.com
  Install in: c:\program files\encase\scripts\examples

Running scripts: View Scripts | Select Script | Run

View report => Bookmarks


Using EnCase Scripts

Image filtering for porn investigation
  Find victims; find all images
  Need to look through 10,000+ images

Aspect ratio theory
  Select images with 33-40% aspect ratio
  Reject images that are square (+/- 2 pixels)

Reference: www.armordata.com


Using Bookmarks

Save important data for report

View Bookmarks: Create New Folder
  Text
  Images


Navigating Case View

Table
  Signature analysis (in Search function)
  Hash analysis

Gallery

Timeline

Report

Disk


Finding Evidence

Sorting columns in table view

Filters, queries and scripts

Recovering folders

Keyword search


Filters, Queries and Scripts

Filters
  Use built-in capabilities
  Create queries when a filter is run

Queries
  Combine more than one filter in a semi-custom query

Scripts
  Create your own search function using the C++-like language


String Search

Adding keywords

Choose files/folders to be searched

Configure search


EnCase Search Method

First does a logical search: each file is reassembled from its cluster chain and searched as one stream

Next does a physical, sector-by-sector search of the whole device, which also covers unallocated space and slack

Compound files like .pst and .dat need to be mounted separately before their contents can be searched

[Diagram: the keyword PHONE TAP split across the boundary between CLUSTER N and CLUSTER N+1. The logical search finds it even when the file's two clusters are not physically adjacent; the physical search finds it only when they are, and is in turn the only pass that sees the keyword in unallocated space.]
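An added example (not from the slides or from EnCase) of why both passes are needed, on a constructed 12-cluster toy volume with 16-byte clusters: one file holds PHONE TAP across two non-contiguous clusters, one holds it across two adjacent clusters, and a deleted remnant sits in an unallocated cluster. The cluster size, file names and contents are assumptions made for the demonstration.

```python
CLUSTER = 16   # bytes per cluster; tiny so the layout is visible (real volumes use e.g. 4096)


def _find_all(buf, keyword):
    """Every (possibly overlapping) offset at which keyword occurs in buf."""
    hits, start = [], 0
    while True:
        i = buf.find(keyword, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def write_file(disk, chain, data):
    """Place data into the clusters listed in chain, in chain order (simple FAT-style allocation)."""
    if len(data) > len(chain) * CLUSTER:
        raise ValueError("file does not fit in its cluster chain")
    for n, cluster in enumerate(chain):
        piece = data[n * CLUSTER:(n + 1) * CLUSTER]
        disk[cluster * CLUSTER:cluster * CLUSTER + len(piece)] = piece


def physical_search(disk, keyword):
    """Sector-by-sector pass over the raw device: sees unallocated space and slack,
    but only matches a keyword whose bytes are physically adjacent."""
    return _find_all(bytes(disk), keyword)


def logical_search(disk, files, keyword):
    """File-aware pass: reassemble each file from its cluster chain, then search it.
    Finds a keyword that straddles non-contiguous clusters, misses unallocated space."""
    results = {}
    for name, chain in files.items():
        stream = b"".join(bytes(disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in chain)
        hits = _find_all(stream, keyword)
        if hits:
            results[name] = hits
    return results


def demo():
    """Constructed 12-cluster volume with three placements of the keyword PHONE TAP."""
    keyword = b"PHONE TAP"
    disk = bytearray(b"." * (12 * CLUSTER))
    files = {
        # fragmented: "notes on PHONE T" lands in cluster 3, "AP #2" in cluster 7
        "memo.txt": [3, 7],
        # contiguous: same content, so the boundary bytes are physically adjacent
        "report.txt": [8, 9],
    }
    write_file(disk, files["memo.txt"], b"notes on PHONE TAP #2")
    write_file(disk, files["report.txt"], b"notes on PHONE TAP #2")
    # a deleted file's remnant in unallocated cluster 11: no directory entry points at it
    disk[11 * CLUSTER:11 * CLUSTER + 13] = b"old PHONE TAP"
    return {
        "physical": physical_search(disk, keyword),          # byte offsets on the device
        "logical": logical_search(disk, files, keyword),     # offsets within each file
    }


if __name__ == "__main__":
    print(demo())
```

The physical pass reports device offsets 137 (report.txt, adjacent clusters) and 180 (the unallocated remnant) and misses memo.txt entirely, because cluster 4 sits between the two halves of the keyword; the logical pass finds the keyword at file offset 9 in both memo.txt and report.txt and never sees the remnant. Running only one of the two passes leaves evidence unfound either way.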


File Signatures

Extension claimed by the file name on the evidence

Header (magic bytes) at the start of the file itself

Do they match? A known header under the wrong extension (e.g. a JPEG header on a .txt file) flags a renamed or disguised file; a header that matches no known signature proves nothing by itself

Reference for file signatures: www.garykessler.net
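An added example of the extension-versus-header check (written for this page, not EnCase's signature table): the magic bytes are a short constructed subset of the kind of list kept at www.garykessler.net, and the aliases, file names and sample headers are assumptions made for the demonstration.

```python
# Header signatures (magic bytes -> canonical type).  A short constructed table;
# the reference list at www.garykessler.net is far longer.
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole2",   # legacy Office (.doc/.xls) and Outlook .msg
    b"MZ": "exe",
}

# Extensions that legitimately carry another type's header (assumed mapping for this example).
ALIASES = {"jpeg": "jpg", "jpe": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
           "doc": "ole2", "xls": "ole2", "msg": "ole2", "dll": "exe", "scr": "exe"}


def identify(header):
    """Return the type whose longest magic prefix matches the file's first bytes, else None."""
    best = None
    for magic, ftype in SIGNATURES.items():
        if header.startswith(magic) and (best is None or len(magic) > len(best[0])):
            best = (magic, ftype)
    return best[1] if best else None


def check(name, header):
    """Compare the extension the name claims with the type the header proves.

    status: 'match'    - extension and signature agree
            'mismatch' - known signature that contradicts the extension (renamed/disguised file)
            'unknown'  - no signature in the table (plain text, unknown format, or fragment)
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    detected = identify(header)
    if detected is None:
        status = "unknown"
    elif detected == claimed:
        status = "match"
    else:
        status = "mismatch"
    return {"name": name, "claimed": claimed, "detected": detected, "status": status}


def demo():
    """Constructed evidence: (name, first bytes) pairs as a signature pass would read them."""
    samples = [
        ("photo.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),
        ("report.docx", b"PK\x03\x04\x14\x00"),
        ("notes.txt", b"meeting at 10"),
        ("invoice.pdf", b"MZ\x90\x00\x03\x00"),        # an executable hiding as a PDF
        ("holiday.jpg", b"%PDF-1.4\n"),                  # a PDF renamed to look like a picture
    ]
    return {name: check(name, header)["status"] for name, header in samples}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

Only the two renamed files come back as `mismatch`; the .docx is accepted because its ZIP header is expected for that extension, and the text file is `unknown` rather than suspicious. On a real case the mismatch list is what goes into the gallery or a bookmark for manual review.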


“Compound File” Analysis

Registry

Email

Files composed of multiple internal layers, which EnCase must mount before the records inside can be searched


Access Registry


Win98: user.dat


View Email Folder

Compound file

Locate .dbx (Outlook Express) or .pst (Outlook) files

View file structure


File Viewers

Look at a file outside EnCase

Add: View => File Viewers

Create association: View => File Types

Double-click on a file: EnCase copies it out and opens the copy with the viewer

QuickView Plus (www.avantstar.com)
  200+ different file formats
  Viewing through a standalone viewer rather than the native application reduces the risk of triggering trojans, macro viruses, etc. embedded in the evidence


Add File Viewer


Create Association (View Filetypes)


Next Lab Assignment

Familiarize yourself with EnCase

Complete the posted lab assignment