CYBR 4853 - Chapter 3

Three primary norms within the hacker community have been identified across multiple studies

(1) technology; (2) knowledge; and (3) secrecy

Perform an MD5 or SHA-1 hash on a file before it's compressed and again after it's decompressed. If the compression is lossless and done correctly, both versions have the same hash value. If the hashes don't match, something corrupted the compressed file, such as a hardware or software error. For added assurance, perform two separate hashes with different algorithms, such as MD5 and SHA-1.

An easy way to test lossless compression

Computer Fraud and Abuse Act (CFAA),

At the federal level, the primary statute used to prosecute hacking cases; it is codified as Section 1030 of Title 18 of the US Code. First passed in 1986 and revised multiple times over the past three decades, it is used to prosecute attacks against a "protected computer" and stipulates seven applications of hacking as violations of federal law.

lossy compression

Compression algorithms for graphics files use what's called lossy compression, which can change data. It is used with .jpeg files to reduce file size with little visible effect on image quality, but because it alters the data it isn't used for forensic acquisitions.

Linux Live CDs

ISO images that can be burned to a CD or DVD (or written to a USB drive); examples include Ubuntu, openSUSE, Arch Linux, Fedora, and Slackware. Most of these Linux distributions are intended for Linux OS recovery. A few Linux ISO images are designed specifically for digital forensics: they include additional utilities that aren't typically installed in normal Linux distributions and are configured not to mount drives automatically, or to mount them read-only. To access media, you have to give specific instructions to the Live CD boot session.

Check with the requester and ask whether a logical acquisition is acceptable. If not, you have to refer the matter back to the requester. Make sure you have a good copy, because most discovery demands give you only one chance to capture data.

If you can't retain the original evidence drive and must return it to the owner

logical acquisition

If your time is limited, consider using this method. It captures only specific files of interest to the case or specific types of files. If you have to recover data from a RAID or storage area network (SAN) server with several exabytes (EB) or more of data storage, this might be the only option. In e-discovery for the purpose of litigation, this is becoming the preferred method (for example, an email investigation).
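A logical acquisition of the kind described above, written out as an added example (it is not code from the page or from the textbook the page summarises). It selects only files whose names match the types the case calls for (mail-related extensions, matching the email investigation mentioned above), archives them with their paths, and records a SHA-1 for every collected file plus a SHA-1 for the archive so the copy can be validated later without touching the source again. It assumes a POSIX shell with coreutils (find, sort, xargs, sha1sum, wc) and tar, an evidence tree mounted read-only, and paths without newlines; the evidence tree, the file names and the helper names are all constructed for the demo.

```shell
#!/bin/sh
# Added example: minimal logical acquisition with a hash manifest.
# Assumes POSIX sh, coreutils and tar; evidence root mounted read-only.

# Acquire: $1 evidence root, $2 output dir, remaining args: case-insensitive
# name patterns. Prints the number of files collected; returns 1 if nothing
# matched (the point at which you refer the matter back to the requester).
logical_acquire() {
    root=$1; out=$(mkdir -p "$2" && cd "$2" && pwd); shift 2
    : > "$out/selected.lst"
    for pat in "$@"; do
        ( cd "$root" && find . -type f -iname "$pat" ) >> "$out/selected.lst"
    done
    sort -u -o "$out/selected.lst" "$out/selected.lst"
    [ -s "$out/selected.lst" ] || return 1
    # Per-file digests, taken from the source before anything is copied.
    ( cd "$root" && xargs sha1sum ) < "$out/selected.lst" > "$out/manifest.sha1"
    # Archive with paths relative to the evidence root; tar keeps timestamps.
    tar -C "$root" -cf "$out/logical.tar" -T "$out/selected.lst"
    sha1sum "$out/logical.tar" > "$out/logical.tar.sha1"   # digest of the container
    wc -l < "$out/selected.lst" | tr -d ' '
}

# Validate: re-check the archive digest, then extract to scratch space and
# check every file against the manifest. Returns 0 only if everything matches.
verify_logical() {
    acq=$(cd "$1" && pwd)
    sha1sum -c "$acq/logical.tar.sha1" >/dev/null 2>&1 || return 1
    scratch=$(mktemp -d)
    tar -C "$scratch" -xf "$acq/logical.tar"
    if ( cd "$scratch" && sha1sum -c "$acq/manifest.sha1" >/dev/null 2>&1 ); then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch"
    return $status
}

# Constructed evidence tree standing in for a read-only mounted suspect volume.
build_evidence() {
    mkdir -p "$1/home/alice/mail" "$1/home/alice/docs" "$1/tmp"
    printf 'From: alice@example.test\nSubject: Q3 numbers\n\nsee attached\n' > "$1/home/alice/mail/0001.eml"
    printf 'From: bob@example.test\nSubject: Re: Q3 numbers\n\nlooks fine\n' > "$1/home/alice/mail/0002.EML"
    printf 'placeholder for an Outlook data file\n' > "$1/home/alice/mail/archive.pst"
    printf 'not mail, not collected\n' > "$1/home/alice/docs/notes.txt"
    printf 'junk\n' > "$1/tmp/cache.bin"
}

# End-to-end run on the constructed tree; returns 0 only if every check behaves.
run_demo() {
    work=$(mktemp -d)
    build_evidence "$work/evidence"
    n=$(logical_acquire "$work/evidence" "$work/acq" '*.eml' '*.pst') || return 1
    [ "$n" = 3 ] || return 1                  # 0001.eml, 0002.EML (-iname), archive.pst
    verify_logical "$work/acq" || return 1
    echo "collected $n files; manifest and archive digests verify"
    printf 'x' >> "$work/acq/logical.tar"     # simulate a damaged copy
    if verify_logical "$work/acq"; then return 1; fi
    echo "damaged archive rejected by digest check"
    rm -rf "$work"
}

run_demo
```

The manifest is taken from the source before the copy is made, so a later mismatch tells you whether the archive or the extracted files changed; the archive digest is checked first because a damaged container can still extract partially and hide the problem in a long list of per-file errors.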

noob or newbie

Individuals who are new to hacking and have minimal knowledge of technology may be referred to by this term. It may be used derogatorily to embarrass that person. Such individuals generally have no status within the hacker community and may be called lamers or wannabes by older members.

Linux Boot CD

Linux can access a drive that isn't mounted, so physical access for the purpose of reading data can be done on a connected media device without mounting it.

Preparing a Target Drive for Acquisition in Linux

Linux distributions can create Microsoft FAT and NTFS partitions, so a Linux workstation can prepare a target drive that Windows tools can later read.

ASRData SMART

A Linux forensics analysis tool that can make image files of a suspect drive. It produces proprietary or raw format images and includes the following capabilities: • Robust data reading of bad sectors on drives • Mounting suspect drives in write-protected mode • Mounting target drives, including NTFS drives, in read/write mode • Optional compression schemes to speed up acquisition or reduce the amount of storage needed for acquired digital evidence

acquisition tools

Many forensics software vendors have developed acquisition tools that run in Windows, which makes acquiring evidence from a suspect drive more convenient. You must protect drives with a well-tested write-blocking hardware device, and most Windows tools can't acquire data from a disk's host protected area.

whole disk encryption

Microsoft has added this, with BitLocker, to its newer operating systems. It makes performing static acquisitions more difficult: a static acquisition of an encrypted drive involves decrypting it, which requires the user's cooperation in providing the decryption key. Most of these tools at least have a manual process for decrypting data, which converts the encrypted disk to an unencrypted disk.

Proprietary Formats

Most commercial forensics tools have their own formats for collecting digital evidence. Advantages: - the option to compress or not compress image files - the capability to split an image into smaller segmented files with data integrity checks - the capability to integrate metadata into the image file. Disadvantages: - inability to share an image between different vendors' computer forensics analysis tools - a file size limitation for each segmented volume (typically 650 MB, and no more than 2 GB per segment). The Expert Witness format is currently the unofficial standard, supported by X-Ways Forensics, AccessData Forensic Toolkit (FTK), and SMART.

Mini-WinFE.

One forensically sound Windows boot utility. It enables you to build a Windows forensic boot CD/DVD or USB drive with a modification in its Windows Registry so that connected drives are mounted read-only. Before booting a suspect's computer with it, connect your target drive, such as a USB drive. After booting, you can list all connected drives and switch your target USB drive to read/write mode so that you can run an acquisition program. To build it you need a Windows installation DVD (version 8 or later) and FTK Imager Lite or X-Ways Forensics installed. Follow the instructions on the Mini-WinFE Web site to create the ISO and then burn it to CD or transfer it to a USB drive.

tools and kits found on hacker websites and forums

One of the key ways in which a person may begin hacking involves the use of these resources, which automate the use of exploits against known vulnerabilities.

Capture the Flag (CTF) competitions

At DefCon and some regional cons, hackers compete against each other individually or in teams to hack one another while defending their own resources from others. This illustrates the dual nature of hacking techniques, which serve both attack and defense.

Advanced Forensic Format

Developed by Dr. Simson L. Garfinkel as an open-source acquisition format • Capable of producing compressed or uncompressed image files • No size restriction for disk-to-image files • Space in the image file or segmented files for metadata • Simple design with extensibility • Open source for multiple computing platforms and OSs • Internal consistency checks for self-authentication. Digital forensics vendors have no implementation restrictions.

Secrecy

Since some forms of hacking are illegal, an individual who brags about their activities to others can place themselves at risk of arrest or legal sanctions. Hackers therefore use various techniques to reduce the likelihood that their real identity is compromised: - handles - closed web forums and private message boards - some hacker groups prevent their sites from appearing in search engine results such as Google. Hackers thus tread a fine line between sharing information and keeping certain knowledge private. Secrecy has also affected the way individuals engage with one another at conferences and in public settings, where attendees may be surrounded by people who are focused on identifying malicious hackers.

Performing RAID Data Acquisitions

Size is the biggest concern, because many RAID systems are now pushing into terabytes of data.

TRUE. Windows: an acquisition workstation can access and alter data in the Recycle Bin. Linux: the workstation most likely alters metadata, such as mount point configurations for an Ext3 or Ext4 drive.

T/F: In Windows OSs and newer Linux kernels, when you connect a drive via USB, FireWire, external SATA, or even internal PATA or SATA controllers, both OSs automatically mount and access the drive

True

T/F: With the larger disks now available, copying small RAID systems to one large disk is possible,

Remote Acquisition with R-Tools R-Studio

The R-Tools suite of software is designed for data recovery. R-Studio network edition can remotely access networked computer systems; the remote connection uses Triple Data Encryption Standard (3DES) encryption (3DES is now deprecated by NIST, so check the current product's cipher before relying on it). R-Studio network edition creates raw format acquisitions, and it's capable of recovering many different file systems, including ReFS.

• Technology Pathways ProDiscover • Guidance Software EnCase • X-Ways Forensics • AccessData FTK • Runtime Software • R-Tools Technologies

The following are some vendors offering RAID acquisition functions:

The punishments for these acts vary based largely on

- the size of the source (suspect) disk - whether you can retain the source disk as evidence - how much time you have to perform the acquisition - where the evidence is located

To determine which acquisition method to use for an investigation, consider

Remote Acquisition with WetStone US-LATT PRO

US-LATT PRO, part of a suite of tools developed by WetStone can connect to a networked computer remotely and perform a live acquisition of all drives connected to it

• Trusted CD—For this manual installation method, ProDiscover can create a special CD/DVD or USB drive containing the PDServer remote agent. It's used to load PDServer manually on the suspect computer. • Preinstallation—For networks with a configured OS, the PDServer remote agent can be added to the standard installation of high-risk computers, which enables network security administrators to respond to network attacks and malware contaminations quickly. Any network management tool, such as DameWare (www.dameware.com) or Hyena (www.systemtools.com/hyena/), can be used to initiate a connection with ProDiscover. This is a remote method of installing the remote acquisition tool. • Pushing out and running remotely—Downloading PDServer to a remote computer helps investigators respond quickly to incidents. Data is collected in real time when using this function. This is a remote method of installing the remote acquisition tool.

PDServer remote agent can be installed in three different ways

Remote Network Acquisition Tools

Recent improvements in forensics tools include the capability to acquire disk data or data fragments (sparse or logical) remotely: the tool connects to a suspect computer via a network connection and copies data from it. These tools vary in configuration and capability. Being able to connect to a suspect's computer remotely to perform an acquisition has tremendous appeal: it saves time and minimizes the chances of a suspect discovering that an investigation is taking place. Remote acquisitions have to be done as live acquisitions, and advanced privileges are required to push agent applications to the remote system. Antivirus, antispyware, and firewall tools on the suspect's computer can detect or block the agent, and if suspects have administrator rights on their computers, they could easily install their own security tools that trigger an alarm.

RAID 0

Supported by Windows XP, 2000, and NT servers and workstations, it provides rapid access and increased data storage: two or more disk drives become one large volume, so the computer views the disks as a single disk. Tracks of data on this mode of storage cross over to each disk, and the logical addressing scheme makes it seem as though each track of data is continuous throughout all disks. Track one starts on the first physical disk and continues to the second physical disk, so the two disks appear as one large disk. Advantages: increased speed and data storage capability, spread over two or more disks that can be one large disk partition. Disadvantage: lack of redundancy; if a disk fails, data isn't continuously available.

Windows Validation Methods

Windows has no built-in hashing tools aimed at digital forensics (newer versions do include certutil -hashfile and PowerShell's Get-FileHash for general use), so Windows third-party programs are used. They range from hexadecimal editors, such as X-Ways WinHex or Breakpoint Software Hex Workshop, to forensics programs, such as ProDiscover, EnCase, and FTK. Commercial forensics programs also have built-in validation features; ProDiscover, for example, notifies you that an acquisition is corrupt and can't be considered reliable evidence. Raw format image files don't contain metadata, so a separate manual validation is recommended for all raw acquisitions at the time of analysis. For proprietary formats, the MD5 hash value is added to the image or segmented files.

RAID Redundant array of independent (formerly "inexpensive") disks

A computer configuration involving two or more physical disks. It was developed as a data-redundancy measure to minimize data loss caused by a disk failure and also provides increased storage capabilities. Several levels of RAID can be implemented through software or special hardware controllers.

Web defacements

allow an actor to replace the original web page with content of their own design, including text and images an ideal mechanism for politically motivated attackers to express their attitudes and beliefs to the larger world

sparse acquisition

Similar to a logical acquisition, but it also collects fragments of unallocated (deleted) data. If your time is limited, consider using this method, but use it only when you don't need to examine the entire drive.

John Draper

Also known as Cap'n Crunch; active in the hacker community in the 1970s and 1980s. He is known for having blown a giveaway whistle found in a box of Cap'n Crunch cereal into his phone receiver: it created the exact 2600 Hz tone that was necessary at the time to connect to long-distance lines. This phreaking garnered a great deal of respect and attention from the phreaking community and the popular media.

internal attacker

an individual who is authorized to use and has legitimate access to computers, networks, and certain data stored on these systems

digital fingerprint

A binary or hexadecimal number that represents the uniqueness of a data set; any alteration in one of the files produces a completely different hash value.

The 1990s: affordable technology, the computer security community, and financial gain

The computer security community began to emerge, incorporating skilled hackers who understood the process of identifying and securing vulnerable software and hardware. After his prosecution and detention, Kevin Mitnick began a computer security consulting business. The World Wide Web and the PC had radically altered the nature of business and communications: sensitive financial and government information was digitized, and massive databases became accessible online. Financial service providers and business platforms moved to online environments, and the motives for hacking shifted toward economic gain. The complexity of the tools used by hackers increased and phishing grew. Individuals also began to apply hacking techniques and skills in attacks based on political and social agendas against government and private industry targets.

phishing

consumers are tricked into transmitting financial information to fraudulent websites where the information is housed for later fraud

Flood-Net

Created by the Electronic Disturbance Theater, this program was designed as a standalone tool to enable unskilled actors to engage in denial-of-service attacks against various government services as a form of "civil disobedience". It was first employed in an attack against the Mexican government because of its treatment of Zapatista separatists. In the same period, hackers in India and Pakistan engaged in a series of defacement attacks over four years, from 1998 to 2001.

creating a disk-to-image file, creating a disk-to-disk copy, creating a logical disk-to-disk or disk-to-data file, or creating a sparse copy of a folder or file.

data can be collected with four methods

Validating dcfldd Acquired Data

dcfldd is designed for forensics data acquisition and has validation options integrated: hash and hashlog. The hash option designates a hashing algorithm of md5, sha1, sha256, sha384, or sha512; the hashlog option outputs the hash results to a text file that can be stored with the image files. To create an MD5 hash output file during a dcfldd acquisition, you combine the hash=md5 and hashlog= options on the dcfldd command line. To see the files generated with the split command, enter the list directory (ls) command at the shell prompt. If your forensics tool requires starting with an .001 extension, the files need to be renamed incrementally. The vf (verify file) option compares the image file to the original medium, such as a partition or drive, but it applies only to a nonsegmented image file.

Linux Validation Methods

dd and dcfldd have several options that can be combined with other commands to validate data. The dcfldd command has additional options that validate data collected from an acquisition, whereas validating data acquired with the dd command requires using other shell commands. Current distributions of Linux include two hashing algorithm utilities: md5sum and sha1sum.

Validating dd Acquired Data

dd if=/dev/sdb | split -b 650m - image_sdb. produces segmented volumes of the /dev/sdb drive, with each segmented volume named image_sdb and an incrementing extension of .aa, .ab, .ac, and so on. To validate all segmented volumes of a suspect drive with the md5sum utility, you use the Linux shell commands in the following steps: hash the original drive with md5sum, hash the segmented volumes concatenated in order, and compare the two values (for the saved images, remember to change to the directory where the data was saved). To use sha1sum instead of md5sum, just replace all md5sum references in the commands with sha1sum. The md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes.
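The dd/split acquisition and the segmented-volume validation described above, worked end to end as an added example (not commands from the page or the textbook it summarises). It also covers the lossless-compression hash check from earlier on this page and the renaming of .aa/.ab extensions to .001/.002 mentioned under dcfldd. The suspect drive is a constructed 3 MiB file so the script runs offline; the image_sdb name and the 650m segment size in the comments follow the page, while the 1m segment size, the vol001.gz file, the byte offsets and the helper names are assumptions made for the demo. It assumes a POSIX shell with coreutils (dd, split, md5sum, sha1sum, od) and gzip.

```shell
#!/bin/sh
# Added example: dd | split acquisition, hash validation of the segments,
# numeric renaming, and the lossless-compression round-trip check.
# Assumes POSIX sh, coreutils and gzip. For a real device set the source to
# e.g. /dev/sdb and run as root, unmounted, behind a hardware write blocker.

# Acquire $1 into segmented volumes $2.aa, $2.ab, ... of $3 bytes each.
# Page's form: dd if=/dev/sdb | split -b 650m - image_sdb.  (note the trailing dot)
acquire_segmented() {
    dd if="$1" bs=4096 2>/dev/null | split -b "$3" - "$2."
}

# Compare the hash of the source with the hash of all segments concatenated in
# order ($3 = md5sum or sha1sum). Returns 0 on a match; anything else means the
# copy cannot be considered reliable evidence.
validate_segments() {
    hasher=${3:-md5sum}
    src_hash=$("$hasher" < "$1" | cut -d' ' -f1)
    img_hash=$(cat "$2".* | "$hasher" | cut -d' ' -f1)
    echo "$hasher  source=$src_hash  image=$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# split names volumes .aa, .ab, ...; some tools insist on .001, .002, ...
rename_numeric() {
    n=0
    for f in "$1".??; do
        n=$((n + 1))
        mv "$f" "$1.$(printf '%03d' "$n")"
    done
}

# Lossless-compression check: hash before compressing and after decompressing;
# a mismatch means the archive ($2) is corrupt. $1 is the uncompressed file.
verify_lossless() {
    before=$(md5sum < "$1" | cut -d' ' -f1)
    after=$(gzip -dc "$2" 2>/dev/null | md5sum | cut -d' ' -f1)
    [ "$before" = "$after" ]
}

# Simulated media/transfer corruption: replace the byte at offset $2 of $1
# with the next byte value, so the content is guaranteed to change.
corrupt_byte() {
    b=$(dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    printf "\\$(printf '%03o' $(( (b + 1) % 256 )))" \
        | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# End-to-end run on constructed data; returns 0 only if every check behaves.
run_demo() {
    work=$(mktemp -d)
    drive="$work/suspect.img"
    dd if=/dev/urandom of="$drive" bs=1024 count=3072 2>/dev/null  # constructed 3 MiB "drive"

    acquire_segmented "$drive" "$work/image_sdb" 1m                  # -> .aa .ab .ac
    validate_segments "$drive" "$work/image_sdb" md5sum  || return 1
    validate_segments "$drive" "$work/image_sdb" sha1sum || return 1

    rename_numeric "$work/image_sdb"                                 # -> .001 .002 .003
    [ -f "$work/image_sdb.003" ] && [ ! -f "$work/image_sdb.ac" ] || return 1
    validate_segments "$drive" "$work/image_sdb" >/dev/null || return 1

    gzip -c "$work/image_sdb.001" > "$work/vol001.gz"
    verify_lossless "$work/image_sdb.001" "$work/vol001.gz" || return 1
    corrupt_byte "$work/vol001.gz" 100
    if verify_lossless "$work/image_sdb.001" "$work/vol001.gz"; then return 1; fi
    echo "corrupted archive detected by hash mismatch"

    corrupt_byte "$work/image_sdb.002" 4242
    if validate_segments "$drive" "$work/image_sdb" >/dev/null; then return 1; fi
    echo "altered segment detected by hash mismatch"
    rm -rf "$work"
}

run_demo && echo "all acquisition checks passed"
```

Keep the printed digests with the image files as the hash log. The concatenated-segment comparison is what makes validation possible for split images, since dcfldd's vf option only compares a single unsegmented file against the medium.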

protected computer

Defined as any computer used exclusively or non-exclusively by a financial institution or the federal government, as well as any computer used to engage in interstate or foreign commerce or communication. The definition is broad enough to protect virtually any computer connected to the Internet and to increase the efficacy of federal statutes in prosecuting hacking crimes.

hashing algorithm utility

Designed to create a binary or hexadecimal number that represents the uniqueness of a data set. Examples include X-Ways Forensics, X-Ways WinHex, and IDM Computing Solutions' UltraCompare; such utilities are available as stand-alone programs or are integrated into many acquisition tools.

RAID 5

Distributed data and distributed parity: it stripes data tracks across all disks in the RAID array and places parity data on each disk. If a disk in the array has a data failure, the parity on the other disks rebuilds the corrupt data automatically when the failed drive is replaced.

RAID 6,

Distributed data and distributed parity (double parity). It functions the same way as RAID 5, but each disk in the array has redundant parity, so it recovers from any two disks failing because of the additional parity stored on each disk.

collisions

Exceptions: collisions (two different inputs producing the same hash value) have been found for MD5, and SHA-1 has also been shown to be subject to collisions. For detecting accidental corruption of an image this is of little concern, but because both attacks are now practical, an examiner who must show that evidence was not deliberately substituted should also record a stronger digest such as SHA-256, which dcfldd and most commercial tools support.

Gray-hat hacker

fall somewhere between these two camps, as their motives shift or change depending on the specific situation used to identify the ethical flexibility and lack of consistency in individual hackers' actions may use their knowledge for beneficial purposes one day, while breaking into a computer system to steal information the following day.

live acquisitions

File metadata, such as date and time values, changes when read by an acquisition tool. Making a second live acquisition while a computer is running collects new data because of dynamic changes in the OS. If the computer has an encrypted drive, a live acquisition is done if the password is available.

forensic boot CD/DVD or USB drive

gives you a way to acquire data from a suspect computer and write-protect the disk drive. Accessing a computer's disk drive directly might not be practical for a forensics acquisition can be Windows or Linux.

preserve the digital evidence

goal when acquiring data for a static acquisition you have only one chance to create a reliable copy of disk evidence with a data acquisition tool

static acquisitions

If you have preserved the original media, making a second static acquisition should produce the same results: the data on the original disk isn't altered, no matter how many times an acquisition is done. A static acquisition is done, for example, on a computer seized during a police raid, and it is always the preferred way to collect digital evidence. Limitations: an encrypted drive that's readable only when the computer is powered on, or a computer that's accessible only over a network.

RAID 1

made up of two disks for each volume and is designed for data recovery in the event of a disk failure contents of the two disks are identical When data is written to a volume, the OS writes the data twice If one drive fails, the OS switches to the other disk. mirroring ensures that data isn't lost and helps prevent computer downtime takes two disks for each volume, which doubles the cost of disk storage

contingency plans

make these in case software or hardware doesn't work or you encounter a failure during an acquisition.

dd command,

Commonly expanded as "data dump." Available on all UNIX and Linux distributions, it can be used to read and write data between a media device and a data file. It isn't bound by a logical file system's data structures, meaning the drive doesn't have to be mounted for dd to access it. It creates a raw format file that most forensics analysis tools can read, which makes it useful for data acquisitions. Combined with the split command, its output can be segmented into separate volumes. After preparing the target directory, you perform a raw format image of the entire suspect drive to it. If you need to use the dd command, it's better to use the split command's default of incremented letter extensions and make smaller segments; renaming each segmented volume's extension with incremented numbers instead of letters might be necessary for some analysis tools.

RAID 15

mirrored striping with parity, RAID 1+5, most robust data recovery capability and speed of access of all RAID configurations and is also more costly.

RAID 10

mirrored striping, RAID 1+0, provides fast access and redundancy of data storage

Creating a disk-to-image file

The most common method, and it offers the most flexibility for your investigation. You can make one or many copies of a suspect drive, each a bit-for-bit replication of the original, and you can use other forensics tools to read the most common types of disk-to-image files you create. MS-DOS tools can only read data from a drive.

handles

nicknames in online and offline environments in order to establish an identity separate from their real identity serve as a digital representation of self may be humorous or serious, depending on the individual its use helps create a persona that can be responsible for successful hacks and activities and diminish the likelihood of reprisals from law enforcement

Runtime Software

offers several compact shareware programs for data acquisition and recovery, including DiskExplorer for FAT and DiskExplorer for NTFS designed its tools to be file system specific • Create a raw format image file. • Segment the raw format or compressed image for archiving purposes. • Access network computers' drives.

RAID 2

Rapid access and increased storage by configuring two or more disks as one large volume. Data is written to the disks at the bit level, and an error-correcting code (ECC) is used to verify whether the write is successful. It has better data integrity checking than RAID 0 but is slower than RAID 0. Striping (bit level).

dd command shortcomings

requires more advanced skills target drive needs to be equal to or larger than the suspect drive

Acquiring RAID

Copying a RAID requires target drives similar in size to each disk in the RAID array. Occasionally, a RAID system is too large for a static acquisition. Although your goal is to collect a complete image of the evidence drives, retrieving only the data relevant to the investigation with the sparse or logical acquisition method is sometimes the only practical solution.

• How much data storage is needed to acquire all data for a forensics image? • What type of RAID is used? Is it Windows RAID 0 or 1 or an integrated hardware/firmware vendor's RAID 5, 10, or 15? Is it another unknown configuration or OS (Linux, UNIX, mainframe)? • Do you have an acquisition tool capable of copying the data correctly? • Can the tool read a forensic copy of a RAID image? • Can the tool read split data saves of each RAID disk, and then combine all images of each disk into one RAID virtual drive for analysis?

the following concerns for getting an image of a RAID server's disks:

Data acquisition

The process of copying data; the task of collecting digital evidence from electronic media. Acquisitions are shifting toward live acquisitions with newer operating systems.

static acquisitions and live acquisitions.

two types of acquisitions

Acquiring Data with dd in Linux

unique feature of a forensics Linux Live CD is that it can mount and read most drives. To perform a data acquisition on a suspect computer, all you need are the following: • A forensics Linux Live CD • A USB, FireWire, or SATA external drive with cables • Knowledge of how to alter the suspect computer's BIOS to boot from the Linux Live CD • Knowledge of which shell commands to use for the data acquisition

Black-hat hackers

use the same techniques and vulnerabilities in order to gain access to information or harm systems argue that they are no different from white hats; instead it is a perceptual difference among security professionals

RAID 4

Like RAID 3, it uses data striping and dedicated parity, except that data is written in blocks rather than bytes (block writing).

RAID 3

uses data striping and dedicated parity and requires at least three disks stripes tracks across all disks that make up one volume implements dedicated parity of data to ensure recovery if data is corrupted Dedicated parity is stored on one disk

Remote Acquisition with F-Response

A vendor-neutral specialty remote access utility designed to work with any digital forensics program. Examiners can access remote drives at the physical level and view raw data. It comes in four different versions: Enterprise Edition, Consultant + Covert Edition, Consultant Edition, and TACTICAL Edition.

leet

Someone viewed as a hacker by others in the subculture. There is, however, no single way to determine when a person is "officially" considered a hacker.

• Penguin Sleuth (www.linux-forensics.com) • F.I.R.E (http://fire.dmzs.com) • CAINE (www.caine-live.net) • Deft (www.deftlinux.net) • Kali Linux (www.kali.org), previously known as BackTrack (www.backtrack-linux.org/wiki/index.php/Forensics Boot) • Knoppix (www.knopper.net/knoppix/index-en.html) • SANS Investigate Forensic Toolkit (SIFT; http://computer-forensics.sans.org/community/downloads). You can download these ISO images to any computer and then burn them to CD/DVD with burner software; an alternative is using a USB drive instead of a CD or DVD. After creating a Linux Live CD, test it on your workstation: check your workstation's BIOS to see whether it boots first from the CD or DVD drive, place the disc in the drive, and reboot the system. Linux loads into your computer's memory, and a common Linux GUI is displayed.

well-designed Linux Live CDs for digital forensics

PDServer,

you have the option of running it in a stealth mode Windows Task Manager lists the process as PDServer • Password protection—PDServer on the target computer is password-protected, and the password is encrypted at all times. • Encryption—All communication between PDServer on the suspect's and investigator's computers can be encrypted. ProDiscover provides 256-bit Advanced Encryption Standard (AES) or Twofish encryption for the connection. • Secure communication protocol—All connections between the suspect's and examiner's computers have globally unique identifiers (GUIDs) to prevent inserting packets in the data stream. • Write-protected trusted binaries—PDServer can run from a write-protected device, such as a CD. • Digital signatures—PDServer and its removal device driver, PARemoval.sys, are digitally signed to verify that they haven't been tampered with before and during the remote connection.

important functions dcfldd offers that aren't possible with dd

• Specify hexadecimal patterns or text for clearing disk space. • Log errors to an output file for analysis and review. • Use the hashing options MD5, SHA-1, SHA-256, SHA-384, and SHA-512 with logging and the option of specifying the number of bytes to hash, such as specific blocks or sectors. • Refer to a status display indicating the acquisition's progress in bytes. • Split data acquisitions into segmented volumes with numeric extensions (unlike dd's limit of 99). • Verify the acquired data with the original disk or media data.

denial-of-service attack

Such an attack prevents individuals from being able to use communications services, thereby rendering them useless.

TRUE

T/F: As a usual practice, don't mount a suspect media device as a precaution against any writes to it.

True

T/F: If the suspect drive already contains compressed data, such as several large zip files, the imaging tool can't compress the data any further,

2 If you have more than one imaging tool, such as ProDiscover, FTK, and X-Ways Forensics, make the first copy with one tool and the second copy with the other tool.

As a standard practice, make at least x images of the digital evidence you collect

Raw Format

Examiners originally performed a bit-by-bit copy from one disk to another disk of the same size or larger; vendors then made it possible to write bitstream data to files. This copy technique creates simple sequential flat files of a suspect drive or data set, and the output of these flat files is referred to as the raw format. Advantages: - fast data transfers - the capability to ignore minor data read errors on the source drive - most forensics tools can read the raw format. Disadvantages: - it requires as much storage space as the original disk or data set - some tool versions might not collect marginal (bad) sectors on the source drive, because of a low threshold of retry reads on weak media spots. Validation is done with Cyclic Redundancy Check (CRC32), Message Digest 5 (MD5), and Secure Hash Algorithm (SHA-1 or later) hashing functions, with the hash value stored in a separate file.

Capturing an Image with AccessData FTK Imager Lite

FTK Imager is a data acquisition tool included with a licensed copy of AccessData Forensic Toolkit, which requires a USB dongle for licensing. FTK Imager Lite is free, requires no dongle license, and can be downloaded; it's available for both Windows and Macintosh. It is designed for viewing evidence disks and disk-to-image files created in other proprietary formats: it can read AccessData .ad1, Expert Witness (EnCase) .e01, SMART .s01, Advanced Forensic Format, and raw format files. It can make disk-to-image copies of evidence drives, enables you to acquire an evidence drive at the logical partition level or the physical drive level, and lets you define the size of each disk-to-image file volume.

Acquiring Data with dcfldd in Linux

Nicholas Harbour of the Defense Computer Forensics Laboratory (DCFL) developed dcfldd, a tool that can be added to most UNIX/Linux OSs and has many features designed for forensics acquisitions. Follow the same precautions as with dd: it can also write to the wrong device if you aren't careful. All commands need to be run from a privileged root shell session.

PassMark Software ImageUSB

PassMark Software has an acquisition tool called ImageUSB To create a bootable flash drive, you need Windows XP or later and ImageUSB downloaded from the OSForensics Web site

lossless compression

Popular archiving tools, such as PKZip, WinZip, and WinRAR, use an algorithm referred to as lossless compression, which saves disk space without altering the data. Most imaging tools have an option to use it, and image files can be reduced by as much as 50% of the original.

Remote Acquisition with ProDiscover

ProDiscover Incident Response • Capture volatile system state information. • Analyze current running processes on a remote system. • Locate unseen files and processes on a remote system that might be running malware or spyware. • Remotely view and listen to IP ports on a compromised system. • Run hash comparisons on a remote system to search for known Trojans and rootkits. • Create a hash inventory of all files on a system remotely (a negative hash search capability) to establish a baseline if it gets attacked.

physical

ProDiscover can acquire RAID disks at the WHAT level After all disks have been acquired, a ProDiscover Group file (.pdg extension) is created lists the paths to each physical disk's image data if the RAID acquisition takes several storage drives

validating digital evidence

Probably the most critical aspect of computer forensics is validating digital evidence. It is the weakest point of any digital investigation and requires using a hashing algorithm utility.

host protected area (HPA)

Some acquisition tools don't copy data in the host protected area (HPA) of a hard drive. Check the vendor's documentation to verify that its tool can copy a drive's HPA, or consider using a hardware acquisition tool that can access the drive at the BIOS level.

external attacker

Someone who attempts to change grades or access sensitive systems, but is not a student or an authorized user, would be defined as an external attacker: someone with no existing relationship with the network owners who is completely outside of the network.

hardware or software errors or incompatibilities. This is more common when you have to acquire older drives; in that case you might have to create a disk-to-disk copy instead.

Sometimes you can't make a disk-to-image file because

script kiddies

The ability to hack a target quickly and easily is enticing for individuals who are new to the subculture, because they may feel that such an act will garner status or respect from others. They do not, however, understand how these tools actually affect computer systems, so their attacks often fail or cause greater harm than initially intended. The term is meant to shame individuals by recognizing their use of pre-made scripts or tools, their lack of skill, and the concurrent harm they may cause.

Technology

The act of hacking has been directly and intimately tied to technology. The interests and activities of hackers center on computer software and hardware; understanding hardware can improve an individual's understanding of software and vice versa. An individual's connection to technology and their sense of ownership over the tools of their "craft" increases their ability to hack. To generate such a connection, hackers must develop a deep appreciation of computers and be willing to explore and apply their knowledge. Hackers must be curious and explore technology, often through creative play, and this interest often emerges early in youth. Identifying peers who share their affinity for technology, online or offline, is also extremely valuable.

getting the decryption key

The biggest concern with whole disk encryption

Knowledge

The central importance of technology in this subculture drives individuals to form a deep commitment to having knowledge and mastery of a variety of technological tools. Hackers spend a significant amount of time learning about technology in order to understand how devices work at deep levels. The hacker community stresses that individuals need to learn on their own; the idea of being a hacker is driven in part by curiosity and experiential knowledge that can only be developed through personal experience. Most hackers learn by spending hours every day reading manuals, tutorials, and forum posts in order to learn new things. Hackers also belong to multiple forums, mailing lists, and groups. The increasing importance of video-sharing sites has also enabled people to create tutorials that describe in explicit detail and demonstrate how to hack. Individuals who can apply their knowledge of technology in a practical fashion often garner respect from others within the subculture; demonstrations of technological mastery provide cues that they are a hacker with some skill and ability. One of the most salient demonstrations of mastery of technology may be seen at cons, where individuals can compete in hacking challenges and competitions. The importance of knowledge is also reflected in the way in which hackers refer to individuals within the hacker subculture.

duplicate of your disk-to-image file

The most common and time-consuming technique for preserving evidence is creating a duplicate of your disk-to-image file. Even when there doesn't seem to be enough time, if the first copy doesn't work correctly, having a duplicate is worth the effort and resources.

1. Knowingly accessing a computer without authorization or by exceeding authorized access and obtaining information protected against disclosure which could be used to the disadvantage of the USA or to the advantage of a foreign nation, and willfully delivering that information to another person not entitled to receive it, or retaining the information and refusing to deliver it to the person entitled to receive it.
2. Knowingly accessing a computer without authorization or by exceeding authorized access to:
a. Obtain information contained in a financial record of a financial institution or of a card issuer, or contained in a file of a consumer reporting agency on a consumer;
b. Obtain information from any federal department or agency;
c. Obtain information from any protected computer (18 USC § 1030 Sect. (a) (2)).
3. Intentionally and without authorization accessing any non-public computer of a US department or agency that is exclusively for the use of the government, and affecting the use of that computer.
4. Knowingly and with the intent to defraud accessing a protected computer without authorization or by exceeding authorized access, and thereby furthering the intended fraud and obtaining anything of value.

There are four offenses that immediately pertain to hacking as discussed thus far. They cover a wide range of offenses and are written broadly enough to prosecute hackers regardless of whether they are internal or external attackers.

White hat hacker

Thought to be "ethical" hackers who work to find errors in computer systems and programs to benefit general computer security.

Remote Acquisition with EnCase Enterprise

• Remote data acquisition of a computer's media and RAM data
• Integration with intrusion detection system (IDS) tools that copy evidence of intrusions to an investigation workstation automatically for further analysis over the network
• Options to create an image of data from one or more systems
• Preview of systems to determine whether future actions, such as an acquisition, are needed
• A wide range of file system formats, such as NTFS, FAT, Ext2/3, Reiser, Solaris UFS, AIX Journaling File System (JFS), LVM8, FFS, Palm, Macintosh HFS/HFS1, CDFS, ISO 9660, UDF, DVD, and more
• RAID support for both hardware and software
EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (SAFE) workstation. The SAFE workstation provides secure encrypted authentication for the Examiner workstation and the suspect's system. The remote access program in EnCase Enterprise is Servlet; Servlet connects the suspect computer to the Examiner and SAFE workstations and can run in stealth mode on the suspect computer.
