Remote Forensic Tools --- PDIR and EEE
Tool review - remote forensic preservation and examination tools
Authors: Eoghan Casey, Aaron Stanley
Source: Digital Investigation (2004) Volume 1, 284-297
Professor: Shieh-Jeng Wang
PDIR (ProDiscover IR 3.5)
EEE (EnCase Enterprise Edition 4.19a)
The main purpose of both tools is to integrate incident response and computer forensics.
What is remote forensics?
Examining and preserving evidence on a subject computer over the network, by connecting to a servlet running on that computer, instead of working at its console.
Operation Model
Servlet:
--- A piece of software loaded into the memory of the subject computer.
--- It starts a process that listens for incoming connections from the examiner's workstation.
Installation methods for a stand-alone computer
--- Login script
--- System patch
--- Third-party tools: psexec, DameWare, Secure Shell (SSH)
Relationships
Communication security
--- PDIR: Thawte certificates
--- EEE: SAFE (Secure Authentication for EnCase)
Considerations for a network-based computer
Router access control lists, internal firewalls and personal firewalls are barriers that can prevent the examiner from connecting to the servlet.
The EEE servlet must listen on port 4445, so that port has to be allowed through every barrier on the path; the PDIR servlet can use any port.
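The barrier problem above is easiest to catch before an examination starts. The following pre-flight check is an added example, not code from the review or from either product: it tries one TCP connect to the port the servlet should be listening on and classifies the outcome, because a refused connection and a silent timeout point at different causes. The fixed EEE port 4445 is the one the review names; the PDIR port is whatever was chosen at deployment; TCP is assumed. The stand-in servlet and the hosts used are constructed and run on loopback only.

```python
"""Pre-flight reachability check for a remote forensic servlet (added example)."""
import socket
import threading

EEE_SERVLET_PORT = 4445   # fixed by EEE (from the review); assumed to be TCP


def check_servlet(host: str, port: int, timeout: float = 3.0) -> dict:
    """Try one TCP connect and classify the result.

    'refused'  -> the host answered but nothing listens there (servlet not
                  running, or a PDIR servlet deployed on a different port)
    'timeout'  -> no answer at all, typical of a router ACL, internal or
                  personal firewall that drops the SYN without replying
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"host": host, "port": port, "reachable": True, "reason": "connected"}
    except ConnectionRefusedError:
        return {"host": host, "port": port, "reachable": False, "reason": "refused"}
    except socket.timeout:
        return {"host": host, "port": port, "reachable": False, "reason": "timeout"}
    except OSError as exc:  # no route, name resolution failure, etc.
        return {"host": host, "port": port, "reachable": False, "reason": f"error:{exc.errno}"}


def blocked_hosts(targets: dict, timeout: float = 3.0) -> list:
    """targets: {host: servlet port}.  Returns the results for hosts that
    need a firewall/ACL exception (or a servlet redeploy) before work starts."""
    results = [check_servlet(h, p, timeout) for h, p in targets.items()]
    return [r for r in results if not r["reachable"]]


def start_fake_servlet() -> int:
    """Constructed stand-in for a servlet: listen on a loopback ephemeral
    port, accept one connection on a background thread, then exit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """A loopback port with nothing listening (bound, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    live, dead = start_fake_servlet(), closed_port()
    print(check_servlet("127.0.0.1", live))   # reachable: True
    print(check_servlet("127.0.0.1", dead))   # reachable: False, refused
    print(blocked_hosts({"127.0.0.1": dead}))
```

Against a real subject host, a 'timeout' result is the signature of the ACL or firewall case the slide describes, and the host will not become examinable until the rule for 4445 (EEE) or the configured PDIR port is added on each device in the path.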
Functionalities (A)
Memory inspection --- Snapshot module
Storage media examination:
--- Physical disks
--- Logical volumes
--- RAM disks (e.g. a mounted PGP disk) --- EEE only
Mounted network drives are not detected by either tool.
Functionalities (B)
Keyword search
MD5 hash comparison
EEE can combine file listings from multiple systems; PDIR connects to one remote host at a time.
Both PDIR and EEE can acquire the entire contents of a hard drive or partition of a remote host.
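The two examination operations named above, MD5 hash comparison and keyword search, are shown below running over file listings gathered from several hosts in one pass, which is the EEE-style combined view (PDIR would give one host at a time). This is an added example, not code from the review or either product; the hosts, paths, file contents and the known-good and known-bad hash sets are constructed sample data.

```python
"""MD5 hash comparison and keyword search across several hosts (added example)."""
import hashlib
import re
from collections import defaultdict

# Constructed sample contents
CALC = b"calc binary v1"
BAT = b"@echo off\r\nnet user hacker P@ss /add\r\n"
ASP = b'<% eval request("x") %>'

# {host: {path: file content}} as collected from the servlet on each host
LISTINGS = {
    "ws-01": {"C:/Windows/System32/calc.exe": CALC,
              "C:/Temp/notes.txt": b"call 555-0100 about invoice 4412"},
    "ws-02": {"C:/Windows/System32/calc.exe": CALC,
              "C:/Users/bob/run.bat": BAT},
    "srv-01": {"C:/inetpub/wwwroot/cmd.asp": ASP,
               "C:/Windows/Temp/r.bat": BAT},
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Reference sets (NSRL-style known-good, plus a known-bad list); computed here
# from the sample contents so the example is self-consistent.
KNOWN_GOOD = {md5_hex(CALC)}
KNOWN_BAD = {md5_hex(ASP)}


def hash_compare(listings: dict, known_good: set, known_bad: set) -> dict:
    """Drop files whose MD5 matches the known-good set and group the rest
    by hash across all hosts, so one suspicious file present on several
    machines appears as one entry with several locations."""
    by_hash = defaultdict(list)
    for host, files in listings.items():
        for path, content in files.items():
            digest = md5_hex(content)
            if digest in known_good:
                continue  # reference match: filtered out of the review set
            by_hash[digest].append((host, path))
    return {d: {"locations": sorted(locs), "known_bad": d in known_bad}
            for d, locs in by_hash.items()}


def keyword_search(listings: dict, patterns: list) -> list:
    """Case-insensitive regex search over every file on every host.
    Returns sorted (host, path, pattern) hits."""
    compiled = [(p, re.compile(p.encode(), re.IGNORECASE)) for p in patterns]
    hits = []
    for host, files in listings.items():
        for path, content in files.items():
            hits.extend((host, path, p) for p, rx in compiled if rx.search(content))
    return sorted(hits)


if __name__ == "__main__":
    for digest, info in hash_compare(LISTINGS, KNOWN_GOOD, KNOWN_BAD).items():
        print(digest, "KNOWN-BAD" if info["known_bad"] else "unknown", info["locations"])
    for hit in keyword_search(LISTINGS, [r"net user", r"eval\s*request"]):
        print(*hit)
```

Grouping by hash is what makes the multi-system view useful: the same batch file on ws-02 and srv-01 collapses to one entry with two locations, which a one-host-at-a-time workflow only reveals after manually merging results.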
Security
PDIR uses Globally Unique Identifiers (GUIDs) to restrict a servlet to one client and to prevent tampering with the network communication.
EEE uses a dedicated system called the SAFE to manage security.
The SAFE protocol uses a combination of public, private, and session keys to ensure that all connections to the remote servlets are authorized and encrypted.
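The two properties claimed above, a servlet that answers only the one client it was deployed for and detection of tampering with the traffic, are illustrated by the added example below. It is not PDIR's or EnCase SAFE's actual protocol: it assumes the per-servlet GUID is a secret shared only with the examiner who deployed it and uses that GUID as an HMAC-SHA256 key over each command, with a sequence number against replay. It does not encrypt, which is what SAFE's session keys add on top. All values are constructed.

```python
"""Single-client binding and tamper detection with a shared GUID (added illustration)."""
import hashlib
import hmac
import json
import uuid


def new_servlet_guid() -> str:
    """GUID minted at deployment; assumed known only to the deploying examiner."""
    return str(uuid.uuid4())


def client_frame(guid: str, seq: int, command: dict) -> bytes:
    """Examiner side: serialise the command with a sequence number and append
    a MAC computed over the serialised body."""
    body = json.dumps({"seq": seq, "cmd": command}, sort_keys=True).encode()
    tag = hmac.new(guid.encode(), body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Servlet:
    """Subject-host side: accepts only frames MACed with its own GUID and
    only with a strictly increasing sequence number (no replay)."""

    def __init__(self, guid: str):
        self._guid = guid.encode()
        self._last_seq = 0

    def handle(self, frame: bytes) -> str:
        body, sep, tag = frame.rpartition(b"|")
        if not sep:
            return "reject: malformed"
        expected = hmac.new(self._guid, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad mac"   # wrong client GUID, or body altered in transit
        msg = json.loads(body)
        if msg["seq"] <= self._last_seq:
            return "reject: replay"
        self._last_seq = msg["seq"]
        return "ok: " + msg["cmd"]["op"]


def demo() -> list:
    """Walk through the four cases; returns the servlet's verdicts in order:
    authorised client, a second examiner with their own GUID, a frame whose
    body was modified on the wire, and a replay of the first frame."""
    guid = new_servlet_guid()
    servlet = Servlet(guid)
    good = client_frame(guid, 1, {"op": "list_volumes"})
    other = client_frame(new_servlet_guid(), 2, {"op": "list_volumes"})
    tampered = good.replace(b"list_volumes", b"acquire_disk")   # body changed, MAC not
    return [servlet.handle(good), servlet.handle(other),
            servlet.handle(tampered), servlet.handle(good)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the toy is the failure modes: a second examiner who knows the host but not the deployment GUID gets exactly the same rejection as an attacker who rewrites a command in flight, and a captured valid frame cannot be fed back to the servlet a second time.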
Performance
In preview mode, PDIR uses an average of 340 kb/s of network bandwidth, whereas EEE uses 50 kb/s.
In acquisition mode, PDIR uses an average of 5.5 MB/s of network bandwidth, whereas EEE uses 3.5 MB/s.
Conclusion
PDIR is designed for examining a small number of systems.
EEE is designed to integrate with an enterprise security architecture and to examine a large number of systems simultaneously.