Digital Forensics - PowerPoint PPT Presentation

1
Digital Forensics
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • Lecture 10
  • Forensics Tools and Standards
  • September 24, 2008

2
Outline
  • Review
  • Forensics Tools
  • Standards
  • File Systems (Unix, Linux)
  • Reference Chapters 7 and 8 of Textbook
  • http://www.cftt.nist.gov/NISTIR_7490.pdf

3
Review
  • Part 2
  • Lecture 8 Windows File System and Forensics
  • Lecture 9 Forensics Tools

4
Forensics Tools
  • Hardware Forensics Tools
  • Range from single-purpose devices (e.g., write
    blockers) to complete systems (forensics
    workstations)
  • Software Forensics Tools
  • Analysis tools such as ProDiscover and EnCase

5
Functions of Forensics Tools
  • Acquisition
  • Validation and Discrimination
  • Extraction
  • Reconstruction
  • Reporting
  • A comparison of some forensics tools is given on
    page 277 of the Textbook (ProDiscover, AccessData,
    EnCase)

6
Functions of Forensics Tools - 2
  • Acquisition
  • Tools for data acquisition
  • Physical data copy, logical data copy, acquisition
    data format, GUI acquisition
  • Validation and Discrimination
  • Ensuring the integrity of the data: hashing,
    filtering, and analyzing file headers
  • Extraction
  • The recovery task
  • Data viewing, keyword searching, decompressing
  • Reconstruction
  • Reporting
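The acquisition and validation functions above go together in practice: the image is hashed while it is being written, unreadable blocks are zero-filled so offsets still line up, and the image is later re-read and compared against the hash recorded at acquisition. The following is an added example, not code from the lecture or from any of the tools it names; the read hook that simulates a bad sector and the 10000-byte "drive" are constructed for the demo.

```python
"""Added example: block-by-block imaging in the spirit of
`dd conv=noerror,sync`, with the verification hash computed in the
same pass and an independent re-read to verify the image afterwards.
The read_hook parameter is a hypothetical hook used only to simulate
an unreadable block; a real device raises OSError on its own."""
import hashlib
import os
import tempfile


def acquire(src_path, img_path, block_size=4096, read_hook=None):
    """Physical copy of src_path into img_path.

    Unreadable blocks are zero-filled (like dd's noerror,sync) so that
    every offset in the image lines up with the source, and each bad
    offset is logged. SHA-256 of the bytes written is returned.
    """
    sha = hashlib.sha256()
    bad_blocks = []
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        total = src.seek(0, os.SEEK_END)
        src.seek(0)
        offset = 0
        while offset < total:
            want = min(block_size, total - offset)
            try:
                data = src.read(want)
                if read_hook is not None:
                    read_hook(offset, data)
            except OSError:
                data = b"\x00" * want
                bad_blocks.append(offset)
                src.seek(offset + want)  # resynchronise after the error
            sha.update(data)
            img.write(data)
            offset += want
    return {"bytes": offset, "sha256": sha.hexdigest(), "bad_blocks": bad_blocks}


def sha256_file(path, block_size=1 << 20):
    """Hash a file by re-reading it from disk (used for verification)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(img_path, acquisition_hash):
    """True if an independent re-read of the image matches the recorded hash."""
    return sha256_file(img_path) == acquisition_hash


def demo():
    """Constructed input: a 10000-byte 'drive' imaged twice, once cleanly
    and once with the second 4 KiB block simulated as unreadable."""
    content = b"A" * 10000
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.bin")
        with open(src, "wb") as fh:
            fh.write(content)
        clean_img = os.path.join(tmp, "clean.dd")
        clean = acquire(src, clean_img)
        clean_ok = verify(clean_img, clean["sha256"]) and clean["sha256"] == sha256_file(src)

        def fail_second_block(offset, data):
            if offset == 4096:
                raise OSError("simulated read error")

        damaged = acquire(src, os.path.join(tmp, "damaged.dd"), read_hook=fail_second_block)
        expected = hashlib.sha256(content[:4096] + b"\x00" * 4096 + content[8192:]).hexdigest()
    return {
        "clean_matches_source": clean_ok,
        "damaged_bad_blocks": damaged["bad_blocks"],
        "damaged_hash_as_expected": damaged["sha256"] == expected,
        "damaged_differs_from_source": damaged["sha256"] != clean["sha256"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the second scenario is the caveat an examiner has to document: an image taken from a drive with unreadable sectors will never hash the same as the source, so the hash recorded at acquisition, together with the list of zero-filled offsets, is what later verification must be checked against.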

7
Functions of Forensics Tools - 3
  • Reconstruction
  • Recreate the suspect drive (the "crime scene") for
    analysis
  • Disk-to-disk copy, image-to-disk copy, etc.
  • Reporting
  • Report generation tools help the examiner prepare
    the report
  • They also help log the examination

8
Software Tools
  • Command-line forensics tools
  • Unix/Linux forensics tools
  • SMART, Helix, Autopsy and The Sleuth Kit
  • GUI forensics tools
  • Visualizing the data is important to understand
    the data

9
Hardware Tools
  • Forensics workstations
  • How to build a workstation
  • What are the components
  • How are the workstations connected in a lab
  • How can distributed forensics be carried out
  • Write Blockers
  • Write blocker devices protect evidence disks from
    modification (see the discussion in Chapter 4
    under data acquisition)

10
Validating Forensics Tools
  • NIST (National Institute of Standards and
    Technology) is developing standards for tool
    validation (discussed below under Standards; see
    the CFTT project)
  • Establish categories for forensics tools
  • Identify forensics category requirements
  • Develop test assertions
  • Identify test cases
  • Establish test method
  • Report test results
  • Chapter 7 discusses validation protocols as well
    as some examination protocols

11
NIST Standards
  • There are three digital forensics projects at the
    National Institute of Standards and Technology
    (NIST).
  • These projects are supported by the U.S.
    Department of Justice's National Institute of
    Justice (NIJ), federal, state, and local law
    enforcement, and the National Institute of
    Standards and Technology Office of Law
    Enforcement Standards (OLES) to promote efficient
    and effective use of computer technology in the
    investigation of crimes involving computers.
  • These projects are the following
  • National Software Reference Library (NSRL)
  • Computer Forensic Tool Testing (CFTT)
  • Computer Forensic Reference Data Sets (CFReDS)

12
NSRL
  • The NSRL is designed to collect software from
    various sources and incorporate file profiles
    computed from this software into a Reference Data
    Set (RDS) including hashes of known files created
    when software is installed on a computer. The law
    enforcement community approached NIST requesting
    a software library and signature database that
    meets four criteria
  • The organizations involved in the
    implementation of the file profiles must be
    unbiased and neutral.
  • Control over the quality of data provided by
    the database must be maintained.
  • A repository of original software must be made
    available from which data can be reproduced.
  • The database must provide a wide range of
    capabilities with respect to the information that
    can be obtained from file systems under
    investigation.

13
NSRL
  • The primary focus of the NSRL is to aid computer
    forensics examiners in their investigations of
    computer systems.
  • The majority of stakeholders are in federal,
    state and local law enforcement in the United
    States and internationally.
  • These organizations typically use the NSRL data
    to aid in criminal investigations.

14
CFTT
  • The goal of the CFTT project at NIST is to
    establish a methodology for testing computer
    forensic software tools through the development
    of general tool specifications, test procedures,
    test criteria, test sets, and test hardware. The
    results provide the information necessary for
    toolmakers to improve tools, for users to make
    informed choices about acquiring and using
    computer forensics tools, and for interested
    parties to understand the tools' capabilities.
  • The testing methodology developed by NIST is
    functionality driven. The activities of forensic
    investigations are separated into discrete
    functions, such as hard disk write protection,
    disk imaging, string searching, etc. A test
    methodology is then developed for each category.
    After a test methodology is developed it is
    posted to the web.

15
CFReDS
  • The Computer Forensic Reference Data Sets
    (CFReDS) provide an investigator with documented
    sets of simulated digital evidence for
    examination.
  • Since CFReDS has documented contents, such as
    target search strings seeded in known locations,
    investigators can compare the results of searches
    for the target strings with the known placement
    of the strings.
  • Investigators can use CFReDS in several ways
    including validating the software tools used in
    their investigations, equipment check out,
    training investigators, and proficiency testing
    of investigators as part of laboratory
    accreditation.
  • The CFReDS site is a repository of images. Some
    images are produced by NIST, often from the CFTT
    (tool testing) project, and some are contributed
    by other organizations.
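This is how the test assertions of slide 10 and the string-searching category of slide 14 come together: seed target strings at known offsets, run the tool under test, and assert that it reports exactly those offsets. The following is an added example, not code from NIST, the CFReDS project or the lecture; the test image, the seeded strings, the chunk size and both search routines (one with a classic chunk-boundary defect, one without) are constructed for the demo.

```python
"""Added example: a CFReDS-style test image with search strings seeded
at known offsets, used to validate a string-search routine the way a
tool-testing assertion would. Image, seeds and both 'tools' are
constructed here; the offsets and chunk size are choices for the demo."""
import random


def build_test_image(size, seeds, fill_seed=7):
    """Return (image, expected) where expected maps target -> sorted offsets.
    Filler is pseudo-random so the only hits are the ones we plant."""
    rnd = random.Random(fill_seed)
    img = bytearray(rnd.getrandbits(8) for _ in range(size))
    expected = {}
    for target, offsets in seeds.items():
        for off in offsets:
            img[off:off + len(target)] = target
        expected[target] = sorted(offsets)
    return bytes(img), expected


def naive_chunked_search(image, target, chunk=4096):
    """A tool with a classic defect: each chunk is searched on its own, so a
    hit that straddles a chunk boundary is never seen."""
    hits = []
    for pos in range(0, len(image), chunk):
        block = image[pos:pos + chunk]
        i = block.find(target)
        while i >= 0:
            hits.append(pos + i)
            i = block.find(target, i + 1)
    return hits


def chunked_search(image, target, chunk=4096):
    """Same scan, but the last len(target)-1 bytes of each chunk are carried
    into the next, so a boundary-straddling hit is found exactly once."""
    hits = []
    carry = b""
    overlap = len(target) - 1
    for pos in range(0, len(image), chunk):
        buf = carry + image[pos:pos + chunk]
        base = pos - len(carry)
        i = buf.find(target)
        while i >= 0:
            hits.append(base + i)
            i = buf.find(target, i + 1)
        carry = buf[len(buf) - overlap:] if overlap else b""
    return hits


def validate(tool, image, expected, **kw):
    """Tool-testing assertion: every planted offset found, nothing else reported."""
    report = {"missed": {}, "false_positives": {}, "passed": True}
    for target, want in expected.items():
        got = sorted(tool(image, target, **kw))
        missed = sorted(set(want) - set(got))
        extra = sorted(set(got) - set(want))
        if missed:
            report["missed"][target] = missed
        if extra:
            report["false_positives"][target] = extra
        report["passed"] = report["passed"] and not missed and not extra
    return report


def demo():
    """Constructed image: 20 000 bytes scanned in 4 KiB chunks, two targets,
    two of the planted offsets (4090 and 8189) straddling a chunk boundary."""
    image, expected = build_test_image(
        20000, {b"evidence": [100, 4090, 12000], b"SECRET": [8189, 15000]})
    return {"naive": validate(naive_chunked_search, image, expected),
            "overlap": validate(chunked_search, image, expected)}


if __name__ == "__main__":
    print(demo())
```

A test image without boundary-straddling seeds would pass both tools, which is why the documented placement of the strings matters: the test cases have to be chosen to exercise the failure modes the category is known for.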

16
CFReDS
  • In addition to test images, the CFReDS site
    contains resources to aid in creating test
    images.
  • These creation aids are in the form of
    interesting data files, useful software tools and
    procedures for specific tasks.
  • The CFReDS web site is http://www.cfreds.nist.gov.

17
International Standards
  • The Scientific Working Group on Digital Evidence
    (SWGDE) was established in February 1998 through
    a collaborative effort of the Federal Crime
    Laboratory Directors. SWGDE, as the U.S.-based
    component of standardization efforts conducted by
    the International Organization on Computer
    Evidence (IOCE), was charged with the development
    of cross-disciplinary guidelines and standards
    for the recovery, preservation, and examination
    of digital evidence, including audio, imaging,
    and electronic devices.
  • The following document was drafted by SWGDE and
    presented at the International Hi-Tech Crime and
    Forensics Conference (IHCFC) held in London,
    United Kingdom, October 4-7, 1999. It proposes
    the establishment of standards for the exchange
    of digital evidence between sovereign nations and
    is intended to elicit constructive discussion
    regarding digital evidence. This document has
    been adopted as the draft standard for U.S. law
    enforcement agencies.
  • http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm

18
Macintosh Operating System (Mac OS X)
  • Early Mac OS used HFS (Hierarchical File System);
    OS X uses HFS+ by default and also supports the
    Unix File System (UFS)
  • OS 9 supports volumes; a volume can be all or part
    of the storage media of a hard disk
  • Newer Macs can be booted from CD, DVD or a FireWire
    drive; older systems booted from the hard drive
  • Some forensics tools are specific to OS X; some
    Windows tools can also be used

19
Unix/Linux Operating System
  • Everything is a file, including disk drives,
    monitors, tape drives, network interface cards,
    etc.
  • A Unix file system has four components
  • Boot block, superblock, inode, data block
  • A block is the smallest disk allocation unit
  • The boot block holds bootstrap code, the superblock
    holds file system information, an inode describes
    every file (including directories and devices),
    and data blocks store the contents of directories
    and files
  • A forensic examiner must understand the boot
    process of the operating system
  • Disk partitions in Unix/Linux are very different
    from Windows: a partition is a device file (e.g.,
    /dev/sda1) that is mounted at a directory path
    rather than assigned a drive letter
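The boot block, superblock and partition layout above are concrete enough to read directly from an image. The following is an added example, not code from the lecture: it builds a small disk image in memory and parses the MBR partition table (the boot block) and an ext2 superblock from it. ext2/3/4 is assumed as the concrete Linux file system since the slide names none; the field offsets are those of the ext2 on-disk format, and the partition geometry, timestamps and volume name are constructed for the demo.

```python
"""Added example: parse the boot block (MBR partition table) and the
ext2/3/4 superblock of a constructed disk image. ext2 is an assumption
of this example; the slide does not name a file system."""
import datetime
import struct

SECTOR = 512
EXT2_MAGIC = 0xEF53
LINUX_TYPE = 0x83


def parse_mbr(image):
    """Four 16-byte entries at offset 446; the 0x55AA signature at 510 must be present."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", image, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def _utc(ts):
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).isoformat()


def parse_ext2_superblock(image, part_offset):
    """The superblock is bytes 1024..2047 of the partition, whatever the block size."""
    sb = image[part_offset + 1024:part_offset + 2048]
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT2_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (magic %#06x)" % magic)
    inodes, blocks = struct.unpack_from("<II", sb, 0)
    log_block_size = struct.unpack_from("<I", sb, 24)[0]
    blocks_per_group, _frags, inodes_per_group = struct.unpack_from("<III", sb, 32)
    mtime, wtime = struct.unpack_from("<II", sb, 44)          # last mount / last write
    mnt_count, max_mnt_count = struct.unpack_from("<Hh", sb, 52)
    block_size = 1024 << log_block_size                      # smallest allocation unit
    return {
        "block_size": block_size, "inodes": inodes, "blocks": blocks,
        "blocks_per_group": blocks_per_group, "inodes_per_group": inodes_per_group,
        "last_mount_time": _utc(mtime), "last_write_time": _utc(wtime),
        "mount_count": mnt_count, "max_mount_count": max_mnt_count,
        "volume_name": sb[120:136].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "last_mounted": sb[136:200].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "fs_bytes": blocks * block_size,
    }


def describe_disk(image):
    """Walk the partition table and decode the superblock of each Linux
    partition, checking that the file system size agrees with the partition."""
    out = []
    for p in parse_mbr(image):
        entry = dict(p)
        if p["type"] == LINUX_TYPE:
            fs = parse_ext2_superblock(image, p["lba_start"] * SECTOR)
            fs["size_consistent"] = fs["fs_bytes"] == p["sectors"] * SECTOR
            entry["fs"] = fs
        out.append(entry)
    return out


def build_sample_image():
    """Constructed image: MBR with one bootable Linux partition at LBA 64
    (256 sectors) holding an ext2 superblock with 128 one-KiB blocks."""
    img = bytearray((64 + 256) * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, LINUX_TYPE, 64, 256)
    img[510:512] = b"\x55\xaa"
    sb = 64 * SECTOR + 1024
    struct.pack_into("<II", img, sb + 0, 32, 128)               # inodes, blocks
    struct.pack_into("<I", img, sb + 24, 0)                     # log2(block size / 1024)
    struct.pack_into("<III", img, sb + 32, 8192, 8192, 32)      # blocks/frags/inodes per group
    struct.pack_into("<II", img, sb + 44, 1222000000, 1222050000)
    struct.pack_into("<HhH", img, sb + 52, 3, 20, EXT2_MAGIC)   # mount count, max, magic
    img[sb + 120:sb + 128] = b"evidence"
    img[sb + 136:sb + 141] = b"/home"
    return bytes(img)


if __name__ == "__main__":
    for part in describe_disk(build_sample_image()):
        print(part)
```

The last-mount path, mount count and timestamps in the superblock are the kind of "system information" the slide refers to, and they are exactly the fields an examiner checks before trusting a volume: a mount time later than the seizure, or a mismatch between file system size and partition size, is a sign the evidence or the image has been altered.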

20
Summary of Lectures 8 and 9
  • Overview of file systems
  • Examples: Windows, Mac, Unix/Linux
  • Three important concepts a forensics examiner
    should know
  • The boot process, the file system, and the disk
    structures/partitions
  • Tools exist for each of the operating systems
  • Standards are emerging for conducting a forensics
    examination
  • More standards are needed for data formats,
    processes, metadata, etc.

21
References
  • Reference Chapters 7 and 8 of Textbook
  • http://www.cftt.nist.gov/NISTIR_7490.pdf