Intro to Digital Forensics

¡Supera tus tareas y exámenes ahora con Quizwiz!

What are the five major categories performed by digital forensics tools?

1. Acquisition. 2. Validation and Verification. 3. Extraction. 4. Reconstruction. 5. Reporting.

Three Rules for Forensic Hashes

You can't predict the hash value of a file or device. No two hash values can be the same. If anything changes in the file or device, the hash value must change.

SMART

Designed to be installed on numerous Linux versions. Can analyze a variety of file systems with SMART. Many plug-in utilities are included with SMART. Another useful option in SMART is its hex viewer.

Raw Format Advantages

Fast data transfers. Ignores minor data read errors on source drive. Most computer forensics tools can read raw format.

Considerations

Flexibility Reliability Future expandability Cost Maintenance & Support

Kali Linux

Formerly known as BackTrack. Includes a variety of tools and has an easy-to-use KDE interface.

Acquisition Tools for Windows Advantages

Make acquiring evidence from a suspect drive more convenient. (Especially when used with hot-swappable devices.) Most common OS in the market.

Raw Format

Makes it possible to write bit-stream data to files.

Acquisition

Making a copy of the original drive.

Computer Forensics Tool Testing (CFTT)

Manages research on computer forensics software.

Password Dictionary Attack

Many password recovery tools have a feature for generating potential password lists.

Verification

Proves that two sets of data are identical by calculating hash values or using another similar method. A related process is filtering, which involves sorting and searching through investigation findings to separate good data and suspicious data.

Advanced Forensics Format

Provide compressed or uncompressed image files. No size restriction for disk-to-image files. Provide space in the image file or segmented files for metadata. Simple design with extensibility. Open source for multiple platforms and Oss. Internal consistency checks for self-authentication.

Hardware Forensic Tools

Range from single-purpose components to complete computer systems and servers.

Reconstruction

Re-create a suspect drive to show what happened during a crime or an incident. Re-create a victim drive to return property and minimize inconvenience or re-victimization (except illegal contraband).

Extraction

Recovery task in a digital investigation. Most challenging of all tasks to master. Recovering data is the first step in analyzing an investigation's data.

Loseless Compression

Reduces file size without removing data. Based on Huffman or Lempel-Ziv-Welch coding (For redundant bits of data). Utilities: WinZip, PKZip, StuffIt, and FreeZip.

Raw File Format

Referred to as a digital negative. Typically found on many higher-end digital cameras.

Substitution

Replaces bits of the host file with other bits of data. Usually change the last two LSBs (least significant bit). Detected with steganalysis tools.

Raw Format Disadvantages

Requires as much storage as original disk or data. Tools might not collect marginal (bad) sectors.

What does a Keyword Search do?

Speeds up analysis for investigators.

SleuthKit

A Linux forensics tool.

Secure Hash Algorithm version 1 (SHA-1)

A newer hashing algorithm. Developed by the NIST.

Validation

A way to confirm that a tool is functioning as intended.

Raster Images

Also collection of pixels, but pixels are stored in rows and better for printing.

Vector Graphics

Based on mathematical instructions. Uses lines stead of dots. Store only the calculations for drawing lines and shapes. Smaller than bitmap files, preserve quality when image is enlarged. CorelDraw, Adobe illustrator.

Creating an Investigation Plan

Beginning a case by defining the: Goal and Scope of investigation, Materials and Resources needed, Tasks to perform, and reporting.

Sub-Functions of Reporting

Bookmarking or tagging Log reports Report generator

GUI Forensic Tools

Can simplify digital forensics investigations. Have also simplified training for beginning examiners. Most of them are put together as suites of tools.

Logical Acquisition

Captures only specific files of interest to the case.

Data Hiding

Changing or manipulating a file to conceal information.

Data Compression

Coding data from a larger to a smaller from.

Bitmap Images

Collection of dots. Grids of individual pixels.

Sparse Acquisition

Collects fragments of unallocated (deleted) data.

Metafile Graphics

Combination of bitmap and vector. Combine raster and vector graphics. Example Scanned photo (bitmap) with text (vector). Share advantages and disadvantages of both types When enlarged, bitmap part loses quality

Exchangeable Image File (EXIF)

Commonly used to store digital pictures. Developed by JEITA as a standard for storing metadata in JPEG and TIF files.

How do you re-create an image of a suspect drive?

Copy an image to another location, such as a partition, a physical disk, or a virtual machine Simplest method is to use a tool that makes a direct disk-to-image copy.

Four Methods of Data Collection

Creating a disk-to-image file. Creating a disk-to-disk. Creating a logical disk-to-disk or disk-to-data file. Creating a sparse data copy of a file or folder.

Extraction Sub-functions

Data viewing, keyword searching, decompressing or uncompressing, carving, decrypting, and bookmarking or tagging.

Screen Resolution

Determines amount of detail.

Methods of Reconstruction

Disk-to disk copy, Partition-to-partition copy, Image-to-disk copy, Image-to-partition copy, rebuilding files from data runs and carving.

GUI Forensic Tools Advantages

Easy to use, multitasking, no need for learning older OSs.

Examples of Disk-to-Image Copy Tools.

EnCase FTK ProDiscover Linux DD

FTK Imager Outputs Image files into four different formats:

EnCase files (E01) Raw files (DD) SMART files (S01) Sleuth Kit (AFF)

EnCase outputs Evidence Image files into two different types (formats):

Ex01 (Current) E01 (Legacy)

GUI Forensic Tools Disadvantages

Excessive resource requirements. Produce inconsistent results amongst other tools. Create tool dependencies. Investigators' may want to use only one tool. Should be familiar with more than one type of tool.

Validation and Verification Sub-functions

Hashing (CRC-32, MD5, SHA-1 SECURE HASHING ALGORITHMS). Filtering- based on hash value sets. Analyzing file headers- discriminate files based on their types.

Insertion

Hidden data is not displayed when viewing host file in its associated program. You need to analyze the data structure carefully. Example: Web page.

Steganography

Hides information inside image files (an ancient technique). Two forms are insertion and substitution.

Data Hiding Techniques

Hiding entire partitions. Changing file extensions. Setting file attributes to hidden. Bit-shifting. Using encryption. Setting up password protection.

When can you run a Brute-force attack?

If a password dictionary attack fails.

Proprietary Format Disadvantages

Inability to share an image between different tools. File size limitation for each segmented volume.

Cyclic Redundancy Check (CRC)

Mathematical algorithm that determines whether a file's contents have changed. Not considered a forensic hashing algorithm.

Message Digest 5 (MD5)

Mathematical formula that translates a file into a hexadecimal code value, or a hash value. If a bit or byte in the file changes, it alters the hash value, which can be used to verify a file or drive that has not been tampered with.

Creating a Disk-to-Image File

Most common method and offers most flexibility. Can make more than one copy. Copies are bit-for-bit replications of the original drive. Most forensic tools have this capability.

Proprietary Formats

Most forensics tools have their own formats.

Acquisition Tools for Windows Disadvantages

Must protect acquired data with a well-tested write-blocking hardware device. Tools can't acquire data from a disk's host protected area.

Helix 3

One of the easiest suites to begin with. You can load it on a live Windows system. Loads as a bootable Linux OS from a cold boot. **Some international courts have not accepted live acquisitions as a valid forensics practice.

Norton DiskEdit

One of the first MS-DOS tools used for computer investigations. Command-line tools require few system resources. Designed to run in minimal configurations. Current programs are more powerful and have many more capabilities.

Proprietary Format Advantages

Option to compress or not compress image files. Can split an image into smaller segmented files. Can integrate metadata into the image file.

Lossy Compression

Permanently discards bits of information. Vector quantization (VQ). Determines what data to discard based on vectors in the graphics file. Utility: Lzip.

Acquisition Sub-functions

Physical data copy, logical data copy, data acquisition format, command-line acquisition, GUI acquisition, and remote, live and memory acquisitions.

Static Acquisition

Post mortem/device off.

Live Acquisition

Powered-on device

Write-blocker

Prevents data writes to a hard disk.

Demosaicing

Process of converting raw picture data to another format.

Autopsy

The GUI browser interface used to access Sleuth Kit's tools.

Reporting

To perform a forensics disk analysis and examination, you need to create a report.

Software Forensic Tools

Types: Command-line applications and GUI applications. Commonly used to copy data from a suspect's disk drive to an image file.

Scope Creep

When an investigation expands beyond the original description Because of unexpected evidence found attorneys may ask investigators to examine other areas to recover more evidence. Increases the time and resources needed to extract, analyze, and present evidence

Creating a Disk-to-Disk

When disk-to-image copy is not possible. Tools can adjust disk's geometry configuration. Some forensic tools have this capability.


Conjuntos de estudio relacionados

CWTS-2-Introduction to Wireless Local Area Networking

View Set

Lección 15 Lesson Test Review 1-Escuchar; 2- Imágenes; 3-Completar; 4-Opciones; 5-Oraciones; 6-Completar; 7-Escoger; 8-Oraciones; 9-Ayer; 10 Lectura"Beber Alcohol" (corrected)

View Set

Chapter 23: Adult Women and Men (FINAL EXAM)

View Set

Module 5 Speaking Questions : Questions - French

View Set

UNMC health assessment exam 4 practice questions

View Set

el gran robo argentino sentences

View Set

Advanced algorithms & complexity

View Set

Chapter 31: Pain Practice Questions

View Set