![Page 1: 1 CSCD 496 Computer Forensics Lecture 6 Tools for Computer Forensics Winter 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062300/56649d4e5503460f94a2d5ab/html5/thumbnails/1.jpg)
CSCD 496 Computer Forensics
Lecture 6
Tools for Computer Forensics
Winter 2010
Introduction
• A successful Computer Forensics investigator
  – Must have a lot of tools!
  – Think of tools like Batman's utility belt
  – James Bond's special devices
• While you won't be sticking to walls ...
Introduction
• Computer Security is similar to Digital Forensics
  – Need knowledge of OS's, networks, software vulnerabilities, defensive types of software
    • Firewalls, virus software, intrusion detection
• Digital Forensics differs
  – Evidence is the focus, not preventing compromise
  – Specialized tools become critical to collecting and preserving evidence
Goal of Having Tools
• Prior to investing time/money in tool(s)
  – Ask: What will the tool do for me?
    • Automated features – save time
    • Allow examination of new file systems
    • Vendor reputation – increase confidence in results
Types of Tools
• Two main categories of tools
  – Hardware Tools
    • Range from simple single-purpose components to complete forensics systems
  – Software Tools
    • Most common are Windows and Linux OS based
    • Simple image makers to full-featured programs
• Frequently use both in collecting and preserving evidence
Investigative Process Model
• Begins with an incident alert, ends with testimony
• Phases (each supported by tools, under overall case management):
  – Incident alerts or accusation
  – Incident/crime scene protocols
  – Assessment of worth
  – Identification of seizure
  – Preservation
  – Recovery
  – Harvesting
  – Reduction
  – Organization and search
  – Analysis
  – Reporting
  – Persuasion and testimony
Type of Tools
• Hardware Tools
  – Complete investigative systems, Digital Forensics Workstation
    • Can put one together yourself
      – Suggestions in Chapters 2 and 3
    • Buy one ready made like the F.R.E.D. Forensic Recovery and Forensics Device
      – www.digitalintel.com
      – About $6000
F.R.E.D. Information
• FORENSIC SYSTEMS
• “F.R.E.D. family of forensic workstations consists of integrated forensic processing platforms capable of handling most challenging computer case”
• F.R.E.D. professional forensic systems, and the Digital Intelligence UltraBay universal write protected imaging bay, deliver the ability to easily duplicate evidence directly from IDE/SCSI/SATA hard drives, floppies, CDs, DVDs, ZIP cartridges, 4MM DAT tapes and PC Card/Smartmedia/SD-MMC/Memory Stick/Compact
Hardware Forensic Devices
• Write Blockers – Hardware
  – Device that intercepts data intended for the disk
  – Prevents writing that could alter data
  – Many types
    • IDE, SCSI and SATA interfaces
  – Connect your evidence disk drive to your workstation and start the OS as usual
  – Acts as a bridge between the disk drive and the forensic workstation
Write Blocker Hardware
Implement media write blockers during acquisition:
• Prevent changes to evidence
• Sit between the forensic machine and the media
• SCSI, SATA, IDE, etc.
Hardware Forensic Devices
• Hardware Write Blocker
  – In Windows, the drive appears as any other drive
  – Can access the drive to view files
  – Or use Word to read files
  – When you copy data to the blocked drive
    • Shows the copy was a success
    • Write blocker actually discards the data
    • Data is written to NULL
    • When you look at the disk, you won't see the data or files you copied to it
UltraBlock-SATA
• Example – Digital Intelligence
  – http://www.digitalintelligence.com/products/ultrablock/
• The UltraBlock-SATA can be connected to your laptop or desktop using the FireWire-A (400 Mb/s) or FireWire-B (800 Mb/s) interfaces
• Like the UltraBlock-IDE, the UltraBlock-SATA is provided with write protection enabled by default
  – Is user configurable for Read-Only or Read-Write operation
  – Cost: UltraBlock-SATA $199
  – SATA Kit $281
  – UltraBlock SCSI Kit $446
Type of Tools
• Software Tools
  – Most common and numerous compared to hardware
  – Command line tools, GUI tools, Windows, Unix/Linux, OS-specific tools
  – Today, look mostly at Windows tools
    • Later, cover Linux/Unix OS tools, mostly open source
  – One way to group tools is by investigative function
    • Can be grouped into five categories which map to tasks used in a computer investigation
  – Some of these tools are specific to a single task
  – Others are full-featured programs used across all tasks
Tools by Investigative Tasks
• Tasks include
  1. Acquisition
  2. Validation and Discrimination
  3. Extraction
  4. Reconstruction
  5. Reporting
Acquisition
• What is the goal of acquisition?
• Obtaining the data from a crime scene
• First step in an investigation, typically
  – Make a copy of the original disk drive
  – Preserve digital evidence
  – Two types of software acquisition
    • Physical copying of a disk – entire disk
    • Logical copying of a disk partition
Acquisition
• Bit Stream copy
  – Bit-by-bit copy of the original storage medium
  – Exact duplicate
  – Example: dd command in Unix/Linux
  – Creates a file, called a Bit Stream Image file
  – Already covered this ...
Acquisition – Image File
X-Ways Forensics example
Acquisition – Image File
Encase example
Validation and Discrimination
• Validation of Data – Why do we do this?
  – Ensures integrity of data
  – Need this to prove guilt or innocence to the legal system
  – Where we use hashes of the original data and compare them to copies of acquired data
  – Do this each time we access the copy
  – Most integrated forensics tools do this automatically for you
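The validation step described above, as an added example that is not part of the original lecture: the acquisition hashes (MD5 and SHA-1, both named later in these slides) are recorded once, and every later access to the copy re-hashes it first. The image file, its contents and the hypothetical `open_verified` helper are constructed for the example.

```python
import hashlib
import os
import tempfile

def hash_image(path: str, algorithm: str = "md5") -> str:
    """Stream the image through the hash so multi-GB images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record_acquisition(image_path: str) -> dict:
    """Hash the freshly acquired bit-stream image; these are the reference values."""
    return {alg: hash_image(image_path, alg) for alg in ("md5", "sha1")}

def verify_copy(image_path: str, reference: dict) -> bool:
    """Re-hash the copy and compare against the acquisition hashes."""
    return all(hash_image(image_path, alg) == ref for alg, ref in reference.items())

def open_verified(image_path: str, reference: dict, log: list):
    """Validate before every access, the way integrated tools do automatically."""
    ok = verify_copy(image_path, reference)
    log.append((image_path, "verified" if ok else "MISMATCH"))
    if not ok:
        raise ValueError(f"{image_path}: hash mismatch, copy no longer matches the evidence")
    return open(image_path, "rb")

def demo() -> tuple:
    """Constructed image: one clean access, then an accidental write, then a failed check."""
    d = tempfile.mkdtemp()
    image = os.path.join(d, "evidence.dd")
    with open(image, "wb") as fh:
        fh.write(b"\x00" * 512 + b"sample sector data" + b"\xff" * 512)  # constructed sectors
    ref = record_acquisition(image)
    log = []
    with open_verified(image, ref, log) as fh:   # first access: hashes still match
        fh.read(16)
    with open(image, "r+b") as fh:               # simulate a write to the copy
        fh.seek(520)
        fh.write(b"X")
    try:
        open_verified(image, ref, log)           # second access: validation fails
    except ValueError:
        pass
    return ref, log
```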
Validation and Discrimination
• Discrimination of Data – Sorting and Searching of Data
  – Purpose:
    • Separate “good” data from “suspicious” data
• Subfunctions of Validation and Discrimination
  – Hashing
  – Filtering
  – Analysis of File Headers
Validation and Discrimination
• Hash Values of Known Files
  – Discriminate between known files and unknown files
  – Known list of good file hash values
  – Maintained by NIST at the National Software Reference Library (NSRL)
    http://www.nsrl.nist.gov/Downloads.htm
  – Forensics tools import known good file hashes
    • Compare them to files on the suspect drive
Validation and Discrimination
• Analyze Header Values
  – Many programs include a list of common file header values
  – Known file types have distinctive headers
  – Allow the OS to determine file type
  – See whether the file extension matches the header value
  – Common to hide files by changing the extension
    • jpg or gif becomes .txt
    • Header will disagree – shows up in the tool
Extraction
• Most demanding task
• Recovery of digital evidence
  – View data, keyword search, file carving, decryption
  – Tools below have a nice GUI, plus offer all of the above capabilities
  – FTK, EnCase, SMART, iLook, ProDiscover
Extraction
• Keyword Search
  – Allows you to search for keywords of interest
• When doing text/pattern searches, usually also run:
  – File signature verification
    • Review file headers
    • Match with extension
  – Hash computation
    • Compute hashes on all files
Extraction
• File Signature verification
  – EnCase can compare each file header to a library of over 220 unique known signatures to determine file type, e.g. .doc, .jpg, etc.
Extraction
• Can assist in finding files with changed extensions
  – For example, renaming a .jpg file with a .txt extension:
• Case one:
  – A file header matches a known value but the extension does not match
  – Can do this for every file and quick sort to search for inconsistencies
Extraction
• Case two:
  – A file header matches a known value but the file does not have an extension
  – EnCase will act consistent with the header when the file is double clicked
    • e.g. launch Excel for a file matching the Excel header
  – EnCase will act consistent with the header when the file is viewed
    • e.g. Gallery view will display pictures even though they have no extensions
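File signature verification as described on the "Analyze Header Values" slide and in case one and case two above, as an added example that is not part of the original lecture and not EnCase's own code. The signature table is a small constructed subset (a real tool carries hundreds of entries) and the sample files are constructed; `classify`, `scan` and `inconsistencies` are hypothetical helper names.

```python
import os
import tempfile

# Constructed signature table: leading bytes -> extensions they belong with.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"GIF89a": {".gif"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {".doc", ".xls", ".ppt"},  # OLE2 (Office)
}

def classify(path: str) -> str:
    """Compare the header bytes with the extension the file name claims."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    magic = next((m for m in SIGNATURES if head.startswith(m)), None)
    if magic is None:
        return "unknown header"
    ext = os.path.splitext(path)[1].lower()
    if ext == "":
        return "no extension"          # case two: header known, no extension
    if ext in SIGNATURES[magic]:
        return "match"
    return "bad extension"             # case one: header known, extension disagrees

def scan(directory: str) -> dict:
    """Run the check for every file; sorting on the result surfaces inconsistencies."""
    out = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            out[name] = classify(path)
    return out

def inconsistencies(results: dict) -> list:
    """The quick-sort view: only files whose header and extension disagree."""
    return sorted(n for n, s in results.items() if s in ("bad extension", "no extension"))

def demo() -> dict:
    """Write constructed sample files into a temp directory and scan them."""
    d = tempfile.mkdtemp()
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,   # genuine JPEG header
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 20,   # JPEG renamed to .txt
        "report.pdf": b"%PDF-1.4\n%constructed",
        "mystery": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # Office file, no extension
        "readme.txt": b"plain text, no known signature",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return scan(d)
```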
Extraction
• Hash computation
  – Calculate the MD5 hash of every file
Extraction
• Import NIST known OS MD5 or SHA-1 hashes, available on their web site
Evidence Analysis
• EnCase now indicates “*known” files (* used for sorting purposes)
Extraction
• Now use an EnCase Filter to remove these files from view and searches:
  – In this case, reduced 21,085 files to 14,787
  – 30% fewer files to search!
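The hash-computation, known-hash import and filter steps of the last four slides, as one added example that is not part of the original lecture and not EnCase's code. The suspect files and the two-row "NSRL" excerpt are constructed; the column layout (`"SHA-1","MD5","CRC32","FileName",...`) is assumed from the NSRL RDS text export, and `hash_all`, `load_known_md5` and `discriminate` are hypothetical helper names.

```python
import csv
import hashlib
import io
import os
import tempfile

def md5_of(path: str) -> str:
    """MD5 of one file, read in chunks so large evidence files fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def load_known_md5(nsrl_text: str) -> set:
    """Import the MD5 column of an NSRL-style hash set (CSV with quoted fields)."""
    return {row["MD5"].upper() for row in csv.DictReader(io.StringIO(nsrl_text))}

def hash_all(directory: str) -> dict:
    """Hash computation step: calculate the MD5 of every file under directory."""
    out = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            out[os.path.relpath(path, directory)] = md5_of(path)
    return out

def discriminate(hashes: dict, known: set) -> dict:
    """Filter out *known files; what remains is what still has to be searched."""
    unknown = {p: h for p, h in hashes.items() if h not in known}
    total, left = len(hashes), len(unknown)
    pct = round(100 * (total - left) / total) if total else 0
    return {"total": total, "remaining": left, "reduction_pct": pct, "unknown": unknown}

def demo() -> dict:
    """Constructed suspect-drive files plus a constructed two-row 'NSRL' excerpt."""
    d = tempfile.mkdtemp()
    files = {"notepad.exe": b"MZ constructed OS binary", "kernel32.dll": b"MZ constructed DLL",
             "letter.doc": b"constructed user document", "pic.jpg": b"\xff\xd8\xff constructed"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    # Column layout assumed from the NSRL RDS text export; product/OS codes are placeholders.
    rows = ['"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"']
    for name in ("notepad.exe", "kernel32.dll"):     # the two "known OS" files
        sha1 = hashlib.sha1(files[name]).hexdigest().upper()
        rows.append(f'"{sha1}","{md5_of(os.path.join(d, name))}","00000000","{name}",'
                    f'"{len(files[name])}","PRODUCT","OS",""')
    return discriminate(hash_all(d), load_known_md5("\n".join(rows)))
```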
Extraction
• Deconstruct file fragments
  – From deleted files
  – “Carving” is the name used in the US
    • Locate file header information
    • Most tools also analyze unallocated areas of a disk drive or bit stream image file
    • Locate the entire file structure of the file fragments, which is carved out and copied to a new file
Extraction
• Decryption
  – Encrypted data is a problem for forensics investigations
  – Files can be encrypted, or an entire disk or partition
  – Some tools produce a list of words for password guessing of an encrypted area
  – Could possibly locate the password in a temporary file on disk, if you are lucky!!
  – Can also run a brute force attack against the file
Reconstruction
• Task of re-creating a suspect's disk drive
  – Don't always have to do this, depends
    • Run the suspect computer to show what happened during a crime
    • Or, create an identical copy for other investigators
    • Do a bit-by-bit copy to a disk identical to the suspect disk
• Disk technology changes pretty fast
  – Not likely to find an identical drive and model
Reconstruction
• Several ways to do this
  – Disk-to-disk copy
  – Image-to-disk copy
  – Partition-to-partition copy
  – Image-to-partition copy
• Hardware and Software tools
  – All of these tools adjust target disk geometry
    • Means if the target disk differs from the original suspect disk, the tool will map cylinders, sectors and tracks of the original to the target
    • Target disk must be equal or larger in size
Reconstruction
• Hardware Tools
  – Hardware is fastest
  – Logical Forensic SF-5000
  – Logical Forensic MD5
  – Image MaSSter Solo 2
• Software Tools
  – Safeback, SnapCopy plus others
Reporting
• Many forensics tools also do reporting
  – Log Report
    • Produce a report of the steps taken in an investigation
    • Good if you need to repeat an investigation
      – Or, review the steps taken
    • Peer review of the case
  – FTK, iLook, X-Ways Forensics, EnCase, ProDiscover
    • Plus most others
Validating and Testing Forensic Software
• NIST - National Institute of Standards and Technology
• NIST sponsored a project called “Computer Forensics Tool Testing” (CFTT)
• Why might you want to test these tools?
Validating and Testing Forensic Software
• NIST - National Institute of Standards and Technology
• Publishes articles, tools and procedures for testing and validating computer forensics software
• Software should be verified so that there is greater confidence in digital evidence used in court
  – http://www.cftt.nist.gov
    » Created a general approach for testing computer forensics tools
    » Criteria for testing are at the same site
• MD5 and SHA-1 hashes of known files
  – http://www.nsrl.nist.gov/Library_Contents.htm
Examples of Tools
• Disk that came with your book has:
  – Technology Pathways ProDiscover Basic
  – AccessData Forensic Toolkit (FTK), Registry Viewer and FTK Imager
  – Runtime Software DiskExplorer for FAT, NTFS and HDHOST
  – X-Ways Forensics WinHex
• Page xxiii in the text has links to many other tools
• For the next assignment, you get to download tools and play with them ... fun, fun, fun !!!
Resources
• Resources for Tools
  – E-Evidence List of Software Tools
    • http://www.e-evidence.info/vendors.html
  – Open Source Forensics Tools: The Legal Argument, Brian Carrier
    • http://www.digital-evidence.org/papers/opensrc_legal.pdf
    • Nice source of references and tool discussions for open source tools
  – Evaluating Commercial Counter Forensics Tools, Matthew Geiger
    • http://www.dfrws.org/2005/proceedings/geiger_couterforensics.pdf
Summary and Limitations
• Tools are critical to being a Computer Forensics Investigator!!!
• A better set of tools means:
  – More complete analysis of data
  – More types of analysis, and more kinds of data/computers can be analyzed
  – More confidence that data was handled correctly
  – Confidence in evidence increases
  – Important in court
• Tool Limitations
  – Encrypted data, can't help too much
  – Steganography
References
– Nelson, Bill et al. “Guide to Computer Forensics Investigations”
• Chapter 7
Finish
– Check the web site for reading
– Assignment due today
– Next assignment on Friday !!!