
Current Computer Forensics Tools

Unit 4
Current Computer Forensics Tools

Chamundeswari Arumugam
Professor
SSN College of Engineering, Chennai

July 2019

July 2019 1 / 15

1 Current Computer Forensics Tools
  Evaluating Computer Forensics Tool Needs
  Computer Forensics Software Tools
  Computer Forensics Hardware Tools
  Validating and Testing Forensics Software

Evaluating Computer Forensics Tool Needs

Evaluating a tool includes the following questions: on which OS does the
forensics tool run, is it versatile, which file systems does it support, which
automated features does it offer, and can it automate repetitive functions?
1 Types of Computer Forensics Tools: Hardware - F.R.E.D. systems, DIBS, etc.
Software - ProDiscover, X-Ways, EnCase, AccessData FTK, etc.
2 Tasks Performed by Computer Forensics Tools: the five major categories for
refining data analysis and recovery are (1) Acquisition, (2) Validation and
discrimination, (3) Extraction, (4) Reconstruction, (5) Reporting.
1 Acquisition: acquisition is making a copy of the original drive.
Subfunctions of acquisition: physical data copy, logical data copy, data
acquisition format, command-line acquisition, GUI acquisition, remote
acquisition, verification.
FTK and EnCase are software tools for acquiring an image. Logicube Talon, VOOM
HardCopy 3 and ImageMASSter Solo III Forensic are hardware devices with
built-in software for acquiring an image.
The Hex Workshop tool shows a hexadecimal view and a plaintext view of the data
(Fig 1).
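The verification subfunction above is what makes an acquisition defensible: the image must hash to the same value as the data read from the drive, and an unreadable sector must not shift the offsets of everything after it. The following Python is an added example (not from the slides, and not the code of dd, FTK or EnCase) that images a constructed in-memory "drive" block by block the way `dd conv=noerror,sync` does, zero-filling a failed read and recording the hashes for the acquisition report. `FaultyDevice`, `acquire_image`, `demo` and the four-sector sample are constructed for the demonstration.

```python
"""Block-wise acquisition with zero-fill on read errors and hash verification.
Added example (not from the slides); models what `dd conv=noerror,sync` plus a
post-copy hash check do. FaultyDevice and the sample 'drive' are constructed."""
import hashlib
import io

BLOCK = 512  # sector-sized reads, dd's default block size


class FaultyDevice(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable sector (index bad_block)."""

    def __init__(self, data, bad_block):
        super().__init__(data)
        self.bad_block = bad_block

    def read(self, n=-1):
        if self.tell() // BLOCK == self.bad_block:
            raise OSError("I/O error reading sector %d" % self.bad_block)
        return super().read(n)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire_image(src, dst, size, block=BLOCK):
    """Copy `size` bytes from file object `src` into `dst` one block at a time.

    A block that cannot be read is replaced by zeros (dd's conv=noerror,sync), so
    every later block lands at its original offset in the image. The hash of the
    bytes actually written is compared with a hash of the image read back, which
    is the 'verification' subfunction of acquisition. Returns a report dict."""
    acquired = hashlib.sha256()
    bad_blocks = []
    nblocks = (size + block - 1) // block
    for i in range(nblocks):
        src.seek(i * block)  # explicit positioning: a failed read must not desync the copy
        try:
            chunk = src.read(block)
        except OSError:
            chunk = b""
            bad_blocks.append(i)
        chunk = chunk.ljust(block, b"\0")  # sync: pad failed/short reads to a full block
        dst.write(chunk)
        acquired.update(chunk)
    dst.flush()
    dst.seek(0)
    image_hash = sha256_hex(dst.read())
    return {
        "blocks": nblocks,
        "bad_blocks": bad_blocks,
        "sha256_acquired": acquired.hexdigest(),
        "sha256_image": image_hash,
        "verified": acquired.hexdigest() == image_hash,
    }


def demo(bad_block=None):
    """Image a constructed four-sector 'drive' (AAAA.. BBBB.. CCCC.. DDDD..);
    pass bad_block to simulate a read error on that sector."""
    data = b"".join(bytes([0x41 + i]) * BLOCK for i in range(4))
    src = io.BytesIO(data) if bad_block is None else FaultyDevice(data, bad_block)
    dst = io.BytesIO()
    report = acquire_image(src, dst, len(data))
    report["image"] = dst.getvalue()
    return report, data


if __name__ == "__main__":
    clean, _ = demo()
    damaged, _ = demo(bad_block=2)
    print("clean:   verified=%s bad=%s" % (clean["verified"], clean["bad_blocks"]))
    print("damaged: verified=%s bad=%s" % (damaged["verified"], damaged["bad_blocks"]))
```

On a real case `src` would be the block device opened read-only behind a write-blocker and `size` its reported capacity; the report's `bad_blocks` list belongs in the acquisition notes, because the image then hashes to something other than the original drive and that difference must be explainable.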

[Fig 1: Hex Workshop showing the hexadecimal view and plaintext view of the data; image not reproduced in the extracted text]

2 Validation and discrimination: validation is checking the integrity of copied
data; discrimination is sorting and searching through all investigation data.
i Functions addressed here: (1) Hashing, (2) Filtering, (3) Analyzing file headers.
ii Data is validated by obtaining hash values. Validation can also be done by
comparing sectors of data.
iii Data discrimination removes good data from suspicious data. Good data
consists of known files, such as OS files and common programs.
iv Analyzing and verifying header values for known file types. E.g., in the file
header of ForensicData.doc you see the letters "JFIF" in the WinHex editor
(Fig 2): a JPEG marker, so the extension does not match the content.
3 Extraction: the recovery task in a computing investigation, and the most
challenging of all tasks to master.
i Subfunctions of extraction: data viewing, keyword searching, decompressing,
carving, decrypting, bookmarking.
ii Some tools also display allocated file data and unallocated disk areas with
special file and disk viewers.
iii Keyword search speeds up the analysis process for investigators.
iv Another consideration for extraction is which formats the forensics tool can
read.
v Reconstructing fragments of files that have been deleted from a suspect drive.
vi Carving: analyze unallocated areas of a drive or an image file and locate
fragments or entire file structures that can be carved and copied into a newly
reconstructed file, e.g. with the DataLifter and Davory tools.

[Fig 2: WinHex view of the file header of ForensicData.doc showing the letters "JFIF"; image not reproduced in the extracted text]

4 Reconstruction: the purpose of a reconstruction feature in a forensics tool is
to re-create a suspect drive to show what happened during a crime or an
incident.
i Subfunctions of reconstruction: disk-to-disk copy, image-to-disk copy,
partition-to-partition copy, image-to-partition copy.
ii The UNIX/Linux dd command can make a disk-to-disk copy, but it has a major
disadvantage: the target drive being written to must be identical to the
original (suspect) drive, with the same cylinder, sector, and track count.
Several vendors have developed tools that can force a geometry change from a
suspect drive to a target drive.
iii For a disk-to-disk copy, both hardware and software duplicators are
available. Hardware duplicators are the fastest way to copy data from one disk
to another.
iv Tools for image-to-disk copy: SafeBack, SnapBack, EnCase, FTK Imager,
ProDiscover, X-Ways Forensics.
v The Voom Technologies Shadow Drive product shadows the suspect drive. The Voom
device, with the drives attached, is connected to a computer so that data that
would normally be written to the suspect drive is redirected to the shadow
drive.


5 Reporting: to complete a forensics disk analysis and examination, you need to
create a report.
i Newer Windows forensics tools can produce electronic reports in a variety of
formats, such as word processing documents, HTML Web pages, or Acrobat PDF
files.
ii Subfunctions of the reporting function: log reports, report generator.
iii Many forensics tools, such as FTK, ILook, and X-Ways Forensics, can produce
a log report that records the activities the investigator performed.
iv Report generators display bookmarked evidence: EnCase, FTK, ILook, X-Ways
Forensics, ProDiscover.


3 Tool Comparisons

Computer Forensics Software Tools

1 Command-Line Forensics Tools
i The first MS-DOS tool used for computer investigations was Norton DiskEdit.
ii Advantage: they require few system resources because they are designed to
run in minimal configurations.
iii Command-line tools in Linux include the dd and dcfldd commands.
iv For DOS/Windows platforms, a number of companies, such as NTI, Digital
Intelligence, MaresWare, DataLifter, and ByteBack, are well recognized for
their work in command-line forensics tools.
v The dir command shows the file owner (dir /q on Windows).


2 UNIX/Linux Forensics Tools
Tools: SMART, Helix, BackTrack, Autopsy with Sleuth Kit, and Knoppix-STD.
1 SMART is designed to be installed on numerous Linux versions, including
Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, Slackware, and more. Features:
hex viewer, reporting feature, bookmarks, etc.
2 Helix is a Linux Live CD with a user interface, used for live acquisition.
Features: capture RAM and other data, log file, etc.
3 BackTrack is another Linux Live CD. Autopsy and Sleuth Kit are included with
the BackTrack tools.
4 Sleuth Kit is a Linux forensics toolkit, and Autopsy is the GUI browser
interface for accessing Sleuth Kit's tools.
5 Knoppix-STD is a collection of tools for configuring security measures,
including computer and network forensics.

Computer Forensics Hardware Tools

Hardware manufacturers have designed most computer components to last about 18
months between failures. Most computer forensics operations use a workstation
24 hours a day for a week or longer between complete shutdowns.
1. Forensic Workstations
i Forensic workstations can be divided into the following categories: (1)
stationary workstation, (2) portable workstation, (3) lightweight workstation.
ii To handle diverse investigations, use two or three configurations of PCs.
2. Building Your Own Workstation
i Building a forensic workstation isn't as difficult as it sounds, but it can
quickly become expensive if you aren't careful.


3. Using a Write-Blocker: write-blockers protect evidence disks by preventing
data from being written to them.
i Software write-blockers, such as PDBlock from Digital Intelligence, typically
run in a shell mode.
ii Hardware write-blockers sit between the evidence drive and the workstation
and prevent Windows or Linux from writing data to the blocked drive.
4. Recommendations for a Forensic Workstation
i Hardware: Digital Intelligence FireChief, WiebeTech Forensic DriveDock,
DriveDock FireWire bridge, Logicube Talon.
ii Decide between a stationary and a lightweight forensic workstation.
iii Buy as much memory and processor power as your budget allows, and hard
drives of various sizes.
iv Select the devices that perform the functions you need.

Validating and Testing Forensics Software

1. Using National Institute of Standards and Technology (NIST) Tools
i NIST manages research projects on computer forensics tools.
ii Forensics lab criteria and testing standards: (1) establish categories for
computer forensics tools, (2) identify computer forensics category
requirements, (3) develop test assertions, (4) identify test cases, (5)
establish a test method, (6) report test results that follow ISO 17025.
Another standards document, ISO 5725, demands accuracy of the testing process,
so results must be repeatable and reproducible.
iii NIST created the National Software Reference Library (NSRL) with the goal
of collecting all known hash values for commercial software and OS files. The
primary hash NSRL uses is SHA-1, which generates a known set of digital
signatures that lets an investigator filter known files out of the data to be
examined.
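Known-file filtering is the discrimination step that the NSRL hash set enables: hash every file on the evidence tree and set aside the ones whose SHA-1 appears in the library, leaving only unknown files to examine. The following Python is an added example (not from the slides or from NIST; it does not reproduce the NSRL distribution format, only a dict of SHA-1 values built from constructed "known" files). `KNOWN_FILES`, the evidence tree laid out by `demo` and the function names are constructed for the demonstration. It also returns MD5 alongside SHA-1 because the validation protocol later in these slides compares the hash one tool reports with one computed independently.

```python
"""Known-file filtering against an NSRL-style SHA-1 set. Added example (not from
the slides or NIST); KNOWN_FILES and the evidence tree are constructed."""
import hashlib
import os
import tempfile

# Constructed stand-ins for OS/common-program files an NSRL hash set would list.
KNOWN_FILES = {
    "notepad.exe": b"MZ\x90\x00 constructed notepad stub " * 40,
    "kernel32.dll": b"MZ\x90\x00 constructed kernel32 stub " * 40,
}


def build_hash_set(known):
    """Return {sha1_hex: filename}: the lookup table NSRL provides (SHA-1 keyed)."""
    return {hashlib.sha1(data).hexdigest(): name for name, data in known.items()}


def hash_file(path, chunk=1 << 16):
    """Stream a file through SHA-1 and MD5 without loading it whole."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            sha1.update(block)
            md5.update(block)
    return sha1.hexdigest(), md5.hexdigest()


def discriminate(root, known_sha1):
    """Walk `root`, hash every file, and split the results into files whose SHA-1 is
    in the known set (filter out) and files that are not (examine). The match is
    on content only, so a renamed copy of a known file is still known and a
    known file with one changed byte is not."""
    known, unknown = [], []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            sha1, md5 = hash_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            (known if sha1 in known_sha1 else unknown).append((rel, sha1, md5))
    return known, unknown


def demo():
    """Lay out a constructed evidence tree in a temp dir: two unmodified OS files,
    a renamed copy of a known file, a modified copy, and a user document."""
    hashset = build_hash_set(KNOWN_FILES)
    root = tempfile.mkdtemp(prefix="evidence_")
    layout = {
        "Windows/notepad.exe": KNOWN_FILES["notepad.exe"],
        "Windows/System32/kernel32.dll": KNOWN_FILES["kernel32.dll"],
        "Temp/np_copy.bin": KNOWN_FILES["notepad.exe"],              # renamed: same hash
        "Temp/kernel32.dll": KNOWN_FILES["kernel32.dll"] + b"\x90",  # one byte appended
        "Users/alice/plan.txt": b"meet at 9",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    known, unknown = discriminate(root, hashset)
    return [k[0] for k in known], [u[0] for u in unknown]


if __name__ == "__main__":
    known, unknown = demo()
    print("known (filtered out):", sorted(known))
    print("unknown (examine):   ", sorted(unknown))
```

Note what the modified kernel32.dll in Temp shows: a hash set only ever says "identical to a known file", so anything that fails the lookup, including a legitimate file with a different build number, stays in the examine pile; it is a filter, not a verdict.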

2. Using Validation Protocols
i After retrieving and examining evidence data with one tool, verify the
results by performing the same tasks with other similar forensics tools.
ii Investigators must be confident in a tool's capability to produce consistent
and accurate findings during analysis.
3. Computer Forensics Examination Protocol
i (1) Conduct the investigation of the digital evidence with one GUI tool; (2)
perform the investigation with a disk editor for verification; (3) obtain the
hash value with the GUI tool and with the disk editor, and then compare the
results to verify that the file has the same value in both tools. E.g., many
investigators in both the public and private sectors use FTK and EnCase.
4. Computer Forensics Tool Upgrade Protocol
i Test all new releases and OS patches and upgrades to make sure they are
reliable and do not corrupt evidence data.