Guide to Computer Forensics and Investigations, Second Edition - PowerPoint PPT Presentation

1 / 39
About This Presentation
Title:

Guide to Computer Forensics and Investigations, Second Edition

Description:

Guide to Computer Forensics and Investigations, Second Edition Chapter 4 Current Computer Forensics Tools Objectives Understand how to identify needs for computer ... – PowerPoint PPT presentation

Number of Views:568
Avg rating:3.0/5.0
Slides: 40
Provided by: Rafae124
Category:

less

Transcript and Presenter's Notes

Title: Guide to Computer Forensics and Investigations, Second Edition


1
Guide to Computer Forensics and Investigations,
Second Edition
  • Chapter 4
  • Current Computer Forensics Tools

2
Objectives
  • Understand how to identify needs for computer
    forensics tools
  • Evaluate the requirements and expectations for
    computer forensics tools
  • Understand how computer forensics hardware and
    software tools integrate
  • Validate and test your computer forensics tools

3
Computer Forensics Software Needs
  • Look for versatility, flexibility, and robustness
  • OS
  • File system
  • Script capabilities
  • Automated features
  • Vendors reputation
  • Keep in mind what applications you analyze

4
Types of Computer Forensics Tools
  • Hardware forensic tools
  • Single-purpose components
  • Complete computer systems and servers
  • Software forensic tools
  • Command-line applications
  • GUI applications

5
Tasks Performed by Computer Forensics Tools
  • Acquisition
  • Validation and discrimination
  • Extraction
  • Reconstruction
  • Reporting

6
Acquisition
  • Acquisition categories
  • Physical data copy
  • Logical data copy
  • Data acquisition format
  • Command-line acquisition
  • GUI acquisition

7
Acquisition (continued)
  • Acquisition categories (continued)
  • Remote acquisition
  • Verification

8
Acquisition (continued)
9
Validation and Discrimination
  • Hashing
  • Cyclic redundancy check (CRC)-32, MD5, Secure
    Hash Algorithms (SHAs)
  • Filtering
  • Based on hash value sets
  • Analyzing file headers
  • Discriminate files based on their types

10
Extraction
  • Major techniques include
  • Data viewing
  • How data is viewed depends on the tool used
  • Keyword searching
  • Recovers key data facts
  • Decompressing
  • Archive and cabinet files

11
Extraction (continued)
  • Major techniques include
  • Carving
  • Reconstruct fragments of deleted files
  • Decrypting
  • Password dictionary attacks
  • Brute-force attacks
  • Bookmarking
  • First find evidence, then bookmark it

12
Reconstruction
  • Re-create a suspects disk drive
  • Techniques
  • Disk-to-disk copy
  • Image-to-disk copy
  • Partition-to-partition copy
  • Image-to-partition copy

13
Reporting
  • Configure your forensic tools to
  • Log activities
  • Generate reports
  • Use this information when producing a final
    report for your investigation

14
Tool Comparisons
15
Tool Comparisons (continued)
16
Other Considerations for Tools
  • Flexibility
  • Reliability
  • Expandability
  • Keep a library with older version of your tools

17
Computer Forensics Software
  • Example Norton DiskEdit
  • Advantages
  • Require few system resources
  • Run in minimal configurations
  • Fit on a bootable floppy disk
  • Disadvantages
  • Cannot search inside archive and cabinet files
  • Most of them only work on FAT file systems

18
UNIX/Linux Command-line Forensic Tools
  • Dominate the nix platforms
  • Examples
  • SMART
  • The Coroners Toolkit (TCT)
  • Autopsy
  • SleuthKit

19
GUI Forensic Tools
  • Simplify computer forensics investigations
  • Help training beginning investigators
  • Most of them come into suites of tools

20
GUI Forensic Tools (continued)
  • Advantages
  • Ease of use
  • Multitasking
  • No need for learning older OSs
  • Disadvantages
  • Excessive resource requirements
  • Produce inconsistent results
  • Create tool dependencies

21
Computer Hardware Tools
  • Provide analysis capabilities
  • Hardware eventually fails
  • Schedule equipment replacements
  • When planning your budget
  • Failures
  • Consultant and vendor fees
  • Anticipate equipment replacement

22
Computer Investigation Workstations
  • Carefully consider what you need
  • Categories
  • Stationary
  • Portable
  • Lightweight
  • Balance what you need and what your system can
    handle

23
Computer Investigation Workstations (continued)
  • Police agency labs
  • Need many options
  • Use several PC configurations
  • Private corporation labs handle only system types
    used in the organization
  • Keep a hardware library

24
Building your Own Workstation
  • It is not as difficult as it sounds
  • Advantages
  • Customized to your needs
  • Save money
  • ISDN phone system
  • Disadvantages
  • Hard to find support for problems
  • Can become expensive if careless

25
Building your Own Workstation (continued)
  • You can buy one from a vendor as an alternative
  • Examples
  • F.R.E.D.
  • FIRE IDE

26
Using a Write-Blocker
  • Prevents data writes to a hard disk
  • Software options
  • Software write-blockers are OS-dependent
  • PDBlock
  • Hardware options
  • Ideal for GUI forensic tools
  • Act as a bridge between the disk and the
    workstation

27
Using a Write-Blocker (continued)
  • Discards the written data
  • For the OS, the data copy is successful
  • Connecting technologies
  • FireWire
  • USB 2.0
  • SCSI controllers

28
Recommendations for a Forensic Workstation
  • Data acquisition techniques
  • USB 2.0
  • FireWire
  • Expansion devices requirements
  • Power supply with battery backup
  • Extra power and data cables
  • External FireWire and USB 2.0 ports

29
Recommendations for a Forensic Workstation
(continued)
  • Ergonomic considerations
  • Keyboard and mouse
  • Display
  • High-end video card
  • Monitor

30
Validating and Testing Forensic Software
  • Evidence could be admitted in court
  • Test and validate your software to prevent
    damaging the evidence

31
Using National Institute of Standards and
Technology (NIST) Tools
  • Computer Forensics Tool Testing (CFTT) program
  • Based on standard testing methods
  • ISO 17025 criteria
  • ISO 5725
  • Also evaluate disk imaging tools
  • Forensic Software Testing Support Tools (FS-TSTs)

32
Using NIST Tools (continued)
  • National Software Reference Library (NSRL)
    project
  • Collects all known hash values for commercial
    software applications and OS files
  • Helps filtering known information

33
The Validation Protocols
  • Always verify your results
  • Use at least two tools
  • Retrieving and examination
  • Verification
  • Understand how tools work
  • Disk editors
  • Norton DiskEdit
  • Hex Workshop
  • WinHex

34
The Validation Protocols (continued)
  • Disk editors (continued)
  • Do not have a flashy interface
  • Reliable tools
  • Can access raw data

35
Computer Forensics Examination Protocol
  • Perform the investigation with a GUI tool
  • Verify your results with a disk editor
  • WinHex
  • Hex Workshop
  • Compare hash values obtained with both tools

36
Computer Forensics Tool Upgrade Protocol
  • Test
  • New releases
  • Patches
  • Upgrades
  • If you found a problem, report it to your
    forensics tool vendor
  • Use a test hard disk for validation purposes

37
Summary
  • Create a business plan to get the best hardware
    and software
  • Computer forensics tools functions
  • Acquisition
  • Validation and discrimination
  • Extraction
  • Reconstruction
  • Reporting

38
Summary (continued)
  • Maintain a software library on your lab
  • Computer forensics tools types
  • Software
  • Hardware
  • Forensics software
  • Command-line
  • GUI

39
Summary (continued)
  • Forensics hardware
  • Customized equipment
  • Commercial options
  • Include workstations and write-blockers
  • Always test your forensics tools
Write a Comment
User Comments (0)
About PowerShow.com