Computer Forensics - PowerPoint PPT Presentation

Provided by: higherh
Slides: 20

Transcript and Presenter's Notes

1
Computer Forensics
  • Tools and Lab design

2
Table of contents
  • What is Computer Forensics?
  • Forensic Process
  • Corporate versus Law Enforcement
  • Preparation
  • What is Computer Evidence
  • Chain of Custody
  • Common tasks
  • Common Forensic Suites
  • EnCase
  • Forensic Toolkit (FTK)
  • Sleuth Kit and Autopsy Browser
  • Conclusion
  • Future Plans - Lab Tasks

3
What is Computer Forensics?
  • Computer investigation and analysis techniques
    that involve the identification, preservation,
    extraction, documentation, and interpretation of
    computer data to determine potential legal
    evidence.

4
Forensic Process
  • Identifying evidence
  • Preserving evidence
  • Analyzing evidence
  • Presenting evidence

5
Corporate versus Law Enforcement
  • Whereas the corporate world focuses on prevention
    and detection, the law enforcement realm focuses
    on investigation and prosecution.

6
Preparation
  • Knowing different types of hardware
  • Knowing different types of software
  • Keeping up-to-date with new I/O devices
  • Knowing various operating systems
  • Knowing different types of file systems
  • Identifying maintenance tools
  • Knowing legal rights and limits

7
What is Computer Evidence
  • Any computer hardware, software, or data that can
    be used to prove one or more of the five Ws and
    an H of a security incident (i.e., who, what,
    when, where, why, and how).

8
Chain of Custody
  • Documentation of all the steps that evidence has
    taken from the time it is located at the crime
    scene to the time it's introduced in the
    courtroom.
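As an added illustration (not part of the original slides), the Python script below shows the integrity half of chain-of-custody documentation: each custody record stores who handled the acquired image, what they did, when, and the image's SHA-256 digest at that hand-off, and verification checks that every digest in the chain matches the one taken at acquisition. The image bytes, handler names and timestamps are constructed sample values, and the record layout is this example's own choice, not that of any tool named on the slides.

```python
import hashlib
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """Digest of the acquired image; every later custodian recomputes and compares it."""
    return hashlib.sha256(data).hexdigest()


def custody_entry(handler: str, action: str, image: bytes, when: datetime) -> dict:
    """One chain-of-custody record: who, what, when, and the digest at hand-off."""
    return {
        "time": when.isoformat(),
        "handler": handler,
        "action": action,
        "sha256": sha256_of(image),
    }


def verify_chain(chain: list) -> bool:
    """The chain is intact only if every record carries the acquisition digest."""
    if not chain:
        return False
    baseline = chain[0]["sha256"]
    return all(entry["sha256"] == baseline for entry in chain)


def first_break(chain: list):
    """Index of the first record whose digest differs from the acquisition digest,
    i.e. the hand-off after which the evidence can no longer be shown unchanged.
    Returns None when the chain verifies (or is empty)."""
    if not chain:
        return None
    baseline = chain[0]["sha256"]
    for i, entry in enumerate(chain):
        if entry["sha256"] != baseline:
            return i
    return None


# Constructed sample: a tiny stand-in for a disk image and three hand-offs.
IMAGE = b"\x00" * 512 + b"constructed sample image bytes" + b"\xff" * 512
T0 = datetime(2024, 1, 5, 9, 30, tzinfo=timezone.utc)

INTACT_CHAIN = [
    custody_entry("examiner A", "acquired image from seized drive", IMAGE, T0),
    custody_entry("evidence custodian", "received image, stored in locker 12",
                  IMAGE, T0.replace(hour=11)),
    custody_entry("examiner B", "checked out image for analysis", IMAGE, T0.replace(day=6)),
]

# Same hand-offs, but the image examiner B checked out has one byte flipped.
ALTERED = bytearray(IMAGE)
ALTERED[600] ^= 0x01
TAMPERED_CHAIN = INTACT_CHAIN[:2] + [
    custody_entry("examiner B", "checked out image for analysis", bytes(ALTERED),
                  T0.replace(day=6)),
]

if __name__ == "__main__":
    for entry in INTACT_CHAIN:
        print(entry["time"], entry["handler"], entry["sha256"][:16], entry["action"])
    print("intact chain verifies:", verify_chain(INTACT_CHAIN))
    print("tampered chain verifies:", verify_chain(TAMPERED_CHAIN),
          "- first break at record", first_break(TAMPERED_CHAIN))
```

The digest is what makes the paper trail checkable: a record that says "received, stored in locker 12" proves custody only if the custodian can also show the image they received hashes to the acquisition value, which is why each hand-off recomputes it rather than copying the previous record's field.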

9
Common Forensic Suites
  • A set of tools and/or software programs used to
    analyze a computer for collection of evidence.
  • EnCase
  • Forensic Toolkit (FTK)
  • Sleuth Kit (TSK)
  • Autopsy Forensic browser

10
EnCase
  • EnCase is an integrated Windows-based graphical
    user interface (GUI) suite of tools.

11
EnCase Features
  • Automated Analysis
  • Multiple Sorting Fields
  • Filter Conditions
  • Queries
  • View "Deleted" Files and Other Unallocated Data
    in Context
  • Hash Analysis
  • Built-in Registry Viewer
  • Encrypted Volumes and Hard Drive Encryption
  • Hardware Analysis
  • Log and Event File Analysis
  • File Signature Analysis
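The "File Signature Analysis" feature listed above compares a file's header bytes with what its extension claims. The Python example below, added here and not EnCase's own code, does that comparison for a handful of well-known public signatures (JPEG, PNG, GIF, PDF, ZIP, PE executable); the extension-to-type table and the sample files are this example's own constructed choices.

```python
# Magic-byte prefixes for a few common formats (well-known public values).
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF"],
    "zip":  [b"PK\x03\x04"],
    "exe":  [b"MZ"],
}

# Which extensions legitimately carry which signature (constructed table;
# docx/xlsx are ZIP containers, dll shares the PE "MZ" header with exe).
EXTENSION_TO_TYPE = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "exe": "exe", "dll": "exe",
}


def classify(data: bytes):
    """Return the format whose signature the header matches, or None if unknown."""
    for fmt, prefixes in SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return fmt
    return None


def extension_of(name: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def signature_mismatches(files: dict):
    """Flag files whose header says one thing and whose extension says another.
    Returns (name, extension, detected_type) tuples in input order; files that
    are unknown on both sides (e.g. plain text) are not flagged."""
    flagged = []
    for name, data in files.items():
        detected = classify(data)
        expected = EXTENSION_TO_TYPE.get(extension_of(name))
        if detected is None and expected is None:
            continue
        if detected != expected:
            flagged.append((name, extension_of(name), detected))
    return flagged


# Constructed sample "image contents": name -> first bytes of the file.
SAMPLE_FILES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8,  # consistent
    "notes.txt":    b"Meeting at 10am\n",                               # text; nothing to compare
    "readme.txt":   b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,                # PNG stored under .txt
    "report.docx":  b"PK\x03\x04" + b"\x00" * 26,                       # docx is a ZIP: consistent
    "invoice.pdf":  b"MZ\x90\x00" + b"\x00" * 60,                       # PE header under .pdf
    "logo.gif":     b"\x00\x00\x00\x00",                                # claims GIF, header unknown
}

if __name__ == "__main__":
    for name, ext, detected in signature_mismatches(SAMPLE_FILES):
        print(f"{name}: extension .{ext} but header looks like {detected}")
```

Three of the six samples are flagged: the PNG under a `.txt` name, the executable header under `.pdf`, and the `.gif` whose header matches nothing. The commercial feature works the same way with a far larger signature table; an examiner uses the mismatch list as a starting point for review rather than as proof of anything by itself.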

12
Forensic Toolkit (FTK)
  • FTK runs in Windows operating systems and
    provides a very powerful tool set to acquire and
    examine electronic media.

13
Forensic Toolkit Features
  • Easy to use
      • View over 270 different file formats with
        Stellent's Outside In Viewer Technology
      • FTK Explorer allows you to quickly navigate
        through acquired images
  • Advanced Searching
      • Full text indexing powered by dtSearch yields
        instant text search results
      • Advanced searches for JPEG images and Internet
        text
      • Automatically recover deleted files and
        partitions
      • Target key files quickly by creating custom file
        filters
  • E-mail and Zip File Analysis
      • View, search, print, and export e-mail messages
        and attachments
      • Recover deleted and partially deleted e-mail
      • Automatically extract data from PKZIP, WinZip,
        WinRAR, GZIP, and TAR compressed files

14
FTK Features Cont.
  • File Filter
      • Identify and flag standard operating system and
        program files
  • Registry Viewer
      • Access and decrypt protected storage data
          • AutoComplete form data from Google, Yahoo, and
            more
          • Internet Explorer account login names and
            passwords
      • View independent registry files
      • Opens all versions of Windows Registry files
      • Access User.dat, NTUser.dat, Sam, System,
        Security, Software, and Default files

15
Sleuth Kit and Autopsy Browser
  • TSK is a collection of command-line tools that
    provides media management and forensic analysis
    functionality.
  • The Autopsy Forensic browser is a GUI front end
    for the TSK product.

16
Sleuth Kit Core Tools
  • File System Layer
  • File Name Layer
  • Meta Data Layer
  • Data Unit Layer
  • Media Management
  • hfind
  • mactime
  • sorter
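Of the tools listed above, mactime is the one that turns the output of the other layers into a timeline: `fls -m` (and `ils -m`) write one "body" record per file, and mactime sorts the four timestamps of every record into a chronological list tagged with MACB flags (m = modified, a = accessed, c = metadata changed, b = born/created). The Python below is an added example, not TSK's mactime, that performs the same sorting on the TSK 3.x body format (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds); it omits the size, owner and mode columns the real report prints, and the three body lines are constructed, not from any real image.

```python
from collections import defaultdict
from datetime import datetime, timezone

# TSK 3.x body format, one record per line, as written by `fls -m`:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
# MACB flag -> body field holding that timestamp.
TIME_FLAGS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_body_line(line: str) -> dict:
    """Split one body-format record; timestamps are Unix epoch seconds."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError(f"expected {len(BODY_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(BODY_FIELDS, parts))
    for _, key in TIME_FLAGS:
        rec[key] = int(rec[key])
    rec["size"] = int(rec["size"])
    return rec


def build_timeline(body_lines):
    """Collapse each file's four timestamps into (time, MACB, name) rows sorted
    by time. Several timestamps of one file that coincide share one row, so a
    file created and never touched again shows as 'macb'. A timestamp of 0
    means 'not set' in body format and is skipped; blank lines are ignored."""
    events = defaultdict(set)
    for line in body_lines:
        if not line.strip():
            continue
        rec = parse_body_line(line)
        for flag, key in TIME_FLAGS:
            if rec[key] > 0:
                events[(rec[key], rec["name"])].add(flag)
    rows = []
    for (ts, name), flags in sorted(events.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        rows.append((ts, macb, name))
    return rows


def format_row(ts: int, macb: str, name: str) -> str:
    """Render one row the way a mactime-style report reads, in UTC."""
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{stamp} {macb} {name}"


# Constructed sample body file (not real evidence): three files from one image.
SAMPLE_BODY = """\
0|/home/user/report.docx|1235|r/rrw-------|1000|1000|2048|1700000200|1700000200|1700000200|1699999000
0|/home/user/notes.txt|1234|r/rrw-r--r--|1000|1000|512|1700000100|1700000000|1700000000|1699999900
0|/tmp/setup.sh|9876|r/rrwxr-xr-x|0|0|300|1700000150|1700000150|1700000150|1700000150
""".splitlines()

if __name__ == "__main__":
    for ts, macb, name in build_timeline(SAMPLE_BODY):
        print(format_row(ts, macb, name))
```

Reading the result the way an examiner would: `notes.txt` was created, later modified (its `m` and `c` times coincide, as a normal write produces), and accessed after that; `report.docx` has all three of `m`, `a`, `c` equal and well after creation, which is consistent with a copy or edit, and `/tmp/setup.sh` carries `macb` on a single second, the pattern of a file created and never touched since. Timestamps alone do not say which of these is benign, which is why mactime output is read alongside the file contents and the other layers' output.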

17
Autopsy Browser Adds to TSK
  • Dead Analysis
  • Live Analysis
  • Case Management
  • Event Sequencer
  • Notes
  • Image Integrity
  • Reports
  • Logging

18
Conclusion
  • Sleuth Kit along with Autopsy Browser has been
    selected as the best tool to implement for hands-on
    training.

19
Future Plans - Lab Tasks
  • The goals are:
      • Apply forensic investigative and analytical
        techniques
      • Identify and retrieve information:
          • Deleted information
          • Hidden information
          • Lost information
          • Encrypted information
          • Inaccessible information