8/3/2019 15681_Forensic Resources and Tools
1/48
We will now briefly examine some, but not all, of the forensic resources and tools that are employed in the law enforcement community.
The forensic aspects of the major operating systems will also be discussed.
The tools will be examined on the basis of their major functional category: duplication, authentication, search, forensic analysis, and file viewing tools.

1. Operating Systems:
MS-DOS
Windows
BeOS
Linux

MS-DOS
MS-DOS is one of the most widely known operating systems in existence.
Depending on the version, its strength is its relative simplicity and the fact that only three files are really required to have a functional operating system: COMMAND.COM, MSDOS.SYS, and IO.SYS.
Because DOS does not write to attached disks unless a program tells it to, a controlled DOS boot floppy is a safe platform from which to run duplication tools against evidence media.

Windows
Microsoft Windows is the most forensically invasive operating system: it automatically mounts, and writes to, any volume it recognises as soon as the media is attached. Windows versions have only recently been utilized for forensic duplication, due to the development of hardware write-blocking devices that prevent the operating system from altering the evidentiary magnetic media.
Microsoft Windows' strength lies in its market pervasiveness and the fact that comprehensive forensic analysis tools like FTK and EnCase have been developed to run on it.

BeOS
BeOS is a high-performance operating system, similar in some ways to Linux, that provides professional users and enthusiasts with an environment in which to quickly and easily develop applications and content, and is designed to facilitate the integration of new technologies.
It can be used for media acquisition because, unlike Windows, it does not automatically attempt to mount magnetic media that is connected to it.

Linux
Just like BeOS, Linux can also be used for media acquisition, provided the examiner does not mount the evidence volume, or mounts it read-only (and be aware that some journaling file systems replay their journal even on a read-only mount, so a hardware write blocker or working from an image is safer).
Linux also includes many powerful low-level and file utilities that can be employed for forensic purposes.
It natively incorporates support to mount and analyze many different types of file systems, both attached locally and over a network, using a capability known as the network block device.
It is a very powerful OS from a forensic point of view.

2. Duplication: many sector-imaging and duplication tools are available, including:
Safeback
SnapBack DatArrest
EnCase and FastBloc
ByteBack
Disk Image Backup System (DIBS)
VOGON evidential hardware
Norton Ghost
dd
ICS Image MASSter Solo 2 forensic systems

Safeback
Safeback was designed as an evidence-processing tool with error checking built into every phase of the evidence backup and restoration process.
It is a command-line utility executed from a controlled boot disk. It has not changed all that significantly over the past 12 years and continues to be in use with many law enforcement and government agencies worldwide.

SnapBack DatArrest
SnapBack DatArrest is a command line-based imaging utility that is easy to use and has particular strength in imaging SCSI disk drives.

EnCase and FastBloc
FastBloc is a hardware write-blocking device that allows forensic acquisition of an IDE hard drive using EnCase in the Microsoft Windows environment, which provides greatly increased acquisition speed compared with imaging from a DOS boot disk.

ByteBack
ByteBack is a command line forensic duplication utility. ByteBack's data recovery heritage is apparent in its number of data recovery features, including the ability to rebuild lost data structures such as partition tables and FATs.

Disk Image Backup System (DIBS)
DIBS is an integrated hardware and software imaging and analysis system.
Unlike other forensic systems, it employs a SCSI magneto-optical disk (MOD) system to store evidentiary images.

VOGON evidential hardware
Vogon, another U.K. company, markets another integrated hardware and software imaging and analysis solution.
The Vogon hardware adopts a different approach from other imaging systems in that it utilizes high-capacity 200 GB Hewlett-Packard LTO Ultrium SCSI tape drives as the imaging media.

Norton Ghost
Norton Ghost is a widely utilized commercial system backup and recovery program from Symantec.
In standard use Ghost does not meet forensic requirements, because it does not produce a true sector-level image but instead interprets the master boot record and partition tables and copies only the files and structures it understands, so slack space, unallocated space and unrecognised partitions are not preserved.
With the employment of certain command line switches, particularly the image raw (-IR) switch, however, Ghost can be utilized to create forensically sound clones and images. Even then the result should be hash-verified against the source before it is relied on.

dd
dd is a low-level file utility included with most distributions of UNIX and Linux, and is potentially the lowest-cost forensic imaging utility.
It copies a block device sector by sector regardless of the file system on it, so it produces a true bit-for-bit image; a read error on the source must be handled so that the copy neither aborts nor shrinks, and the finished image must be hashed separately, because dd itself performs no verification.
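The behaviour an examiner relies on when imaging with dd is the combination of a sector-by-sector copy, tolerance of unreadable sectors (dd's conv=noerror,sync: keep going, and pad the bad sector so offsets in the image stay aligned with the media) and hashing of the result. The following is an added example written for this page, not code from dd or from any tool the slides describe: it implements that acquisition loop in Python against a constructed in-memory "device" that fails on one sector, so the effect of a bad sector on the image and on the hashes can be seen. The 512-byte sector size, the FlakyDevice class and the sample media are assumptions for the example.

```python
import hashlib
import io


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for evidence media (hypothetical, for this example):
    an in-memory disk whose read() raises OSError when the current position
    lies in one of the listed bad sectors, the way a failing drive would."""

    def __init__(self, data, bad_sectors=(), sector=512):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)
        self.sector = sector

    def read(self, size=-1):
        if self.tell() // self.sector in self.bad_sectors:
            raise OSError("simulated unreadable sector")
        return super().read(size)


def acquire(src, dst, sector=512):
    """Copy src to dst one sector at a time with the semantics of
    dd conv=noerror,sync: a read error does not abort the copy and the
    unreadable sector is written as NULs, so every byte of the image sits at
    the same offset as on the original media.  MD5 and SHA-1 are computed over
    the bytes as they are written, and the list of bad sectors is returned as
    the acquisition log."""
    src.seek(0, io.SEEK_END)
    size = src.tell()
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    bad_sectors = []
    offset = 0
    while offset < size:
        src.seek(offset)
        try:
            chunk = src.read(sector)
        except OSError:
            chunk = b""
            bad_sectors.append(offset // sector)
        # conv=sync: pad a short or failed read to a full sector of NULs
        chunk = chunk.ljust(sector, b"\x00")
        dst.write(chunk)
        md5.update(chunk)
        sha1.update(chunk)
        offset += sector
    dst.flush()
    return {
        "bytes": offset,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "bad_sectors": bad_sectors,
    }


def hash_image(fileobj, chunk_size=1 << 20):
    """Re-hash an image (or a raw device opened read-only) in 1 MiB chunks."""
    fileobj.seek(0)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(record, image):
    """True if the image still hashes to what was recorded at acquisition."""
    return hash_image(image) == {"md5": record["md5"], "sha1": record["sha1"]}


# Constructed sample media: eight 512-byte sectors, with sector 3 unreadable.
SAMPLE_MEDIA = bytes(range(256)) * 16
BAD_SECTOR = 3


def expected_image():
    """What a correct noerror,sync acquisition of SAMPLE_MEDIA must contain:
    the original bytes with the unreadable sector replaced by NULs."""
    s = 512
    return (SAMPLE_MEDIA[: BAD_SECTOR * s] + b"\x00" * s
            + SAMPLE_MEDIA[(BAD_SECTOR + 1) * s:])


def run_demo():
    dev = FlakyDevice(SAMPLE_MEDIA, bad_sectors=[BAD_SECTOR])
    image = io.BytesIO()
    record = acquire(dev, image)
    return record, image


if __name__ == "__main__":
    rec, img = run_demo()
    print(f"{rec['bytes']} bytes copied, bad sectors {rec['bad_sectors']}")
    print("md5  ", rec["md5"])
    print("sha1 ", rec["sha1"])
    print("image verifies:", verify(rec, img))
```

Two points the example makes visible: the image hash is the hash of what was written, which after a read error is not the hash of the original media, so the bad-sector log has to be kept with the hashes; and a real disk is always a whole number of sectors, but a regular file is not, so the padding that conv=sync applies would change the hash of a file copied this way.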

ICS Image MASSter Solo 2 forensic systems
The Image MASSter Solo 2 is an integrated hand-held duplication system that is in use with the U.S. Secret Service and other law enforcement agencies around the world.
It is capable of imaging and cloning multiple IDE and SCSI drives and maintains an audit trail of all device activities.

3. Authentication: authentication is a critically important element of the forensic process and should take place at many stages: the original media is hashed before and after acquisition, the image is hashed when it is created and again each time it is used, and any difference between these values invalidates the evidence. The various tools are:
1. Hash
2. md5sum
3. Hashkeeper
4. National Software Reference Library

Hash
Hash is a command line program that calculates a 32-bit cyclic redundancy check (CRC), a 128-bit MD5 hash or a 160-bit SHA-1 hash of a file, supporting file signature analysis.
Note that a CRC is an error-detection code, not a cryptographic hash: a file can trivially be altered so that its CRC-32 is unchanged, so only MD5 or SHA-1 (or, today, SHA-256) should be used to authenticate evidence.

md5sum
md5sum is the GNU implementation of the MD5 algorithm for the UNIX and Linux operating systems. Its companions sha1sum and sha256sum have the same interface; running them against the raw device (for example /dev/sda) rather than a mounted file system is what authenticates an image of that device.

Hashkeeper
Hashkeeper is a Microsoft Access database used to maintain a record of MD5 hash sets for forensic use.
It also maintains specialized hash sets related to child pornography and narcotics and is available only to law enforcement authorities.

National Software Reference Library
The National Software Reference Library (NSRL) is similar to Hashkeeper in that it provides a set of one-way hash function (OWHF) reference data, derived from MD5 and SHA-1, that can be used to reduce the number of files that have to be reviewed or examined during an investigation.
Files whose hashes match the reference set are known operating system or application files and can be filtered out; files that do not match are the ones that need examination. Because MD5 collisions are now practical, a match should be confirmed with a second algorithm before a file is discarded from review.

4. Search: the search tools examined are:
dtSearch
DiskSearch Pro
Net Threat Analyzer
String Search
grep
File Extractor
Foremost

dtSearch
dtSearch, created by dtSearch Corporation, is a full-text search and retrieval engine for the Windows environment.
It makes use of indexes and is very fast once the index has been built; because it indexes logical files, it does not see slack or unallocated space.

DiskSearch Pro
DiskSearch Pro, created by New Technologies Inc., is a command line text search engine.
It is able to search through both active files and free and unallocated space, employing fuzzy logic technology.
It is able to deal with embedded and encoded text formats and can search on up to 250 keywords simultaneously.

Net Threat Analyzer
Net Threat Analyzer, previously known as IP Filter, was created by New Technologies Inc.
It is a command line search tool designed to detect text strings specifically related to Internet usage, including e-mail addresses, Web browsing (URLs) and file downloads.

String Search
String Search is a command line text search engine designed to search data on the basis of keywords at the logical file system level, so it does not examine slack or unallocated space.

grep
grep is an extremely powerful UNIX/Linux low-level regular expression text string search utility.
It is able to search through active files, unallocated space, or an entire hard drive at the raw device level: run against a device node or a dd image with its binary (-a) and byte-offset (-b) options, it treats the data as bytes and reports the offset of each match, so hits in unallocated space can be located and extracted.

File Extractor
File Extractor is specifically designed to search through unallocated space on hard drives, or contained in forensic image files, at the binary level for the hexadecimal values that represent specific file headers of interest to the computer forensic examiner.
File Extractor is then able to sequentially extract an arbitrarily specified amount of data past the file header and write it to a file of the same type as the detected header.
It is very useful for recovering deleted or partially overwritten files where the header is still intact, particularly graphics files.

Foremost
Foremost provides a similar type of functionality to File Extractor, but for Linux: it carves files out of a raw image using header and, where the format has one, footer signatures defined in a configuration file.
It is available as a separate package or as part of the FIRE forensic Linux distribution.

5. Analysis: the available tools are:
Expert Witness
Forensic Toolkit (FTK)
EnCase
ILook Investigator
WinHex
Curses Hexedit
Automated Computer Examination System (ACES)
ForensiX
Storage Media Archival and Recovery ToolKit (SMART)
DataLifter v2.0 forensic support tools
NetAnalysis

Expert Witness
Expert Witness was the first fully integrated forensic data acquisition and analysis program designed on the basis of the specifications and requirements of the law enforcement community.
It was initially developed for the Macintosh platform but was then ported to the Microsoft Windows environment.

Forensic Toolkit (FTK)
Forensic Toolkit is a relatively new and fully integrated forensic data acquisition and analysis program that integrates a number of extremely powerful features not found in other forensic analysis suites, including integrated dtSearch technology.

EnCase
EnCase is a fully integrated forensic data acquisition and analysis program, widely used in commercial forensics.

ILook Investigator
ILook Investigator is designed to examine image files of seized computer systems that have been made with Safeback, dd, EnCase or any other utility.

WinHex
No forensics toolkit is complete without a powerful hex editor for low-level file analysis, and WinHex, by Stefan Fleischmann of X-Ways AG, fills this role admirably.

Curses Hexedit
A powerful hex editor for the UNIX/Linux environment is (n)curses hexedit.

Automated Computer Examination System (ACES)
ACES is designed for the Microsoft Windows NT4 platform.

ForensiX
ForensiX is a law-enforcement-only integrated forensic data acquisition and analysis program, designed for the Linux operating system.

Storage Media Archival and Recovery ToolKit (SMART)
SMART is a very powerful integrated forensic data acquisition and analysis program designed for the Linux and BeOS operating systems.
It combines sanitization, acquisition, authentication, and analysis.

DataLifter v2.0 forensic support tools
DataLifter is a suite of 10 tools supporting recovery and analysis of data from both cloned drives and sector image files.

NetAnalysis
NetAnalysis is a forensic Internet history analysis tool, currently in beta testing.
It supports analysis of browser use, file downloads, etc.

6. File Viewers
Quick View Plus
IrfanView32
Resplendent Registrar
GUIDClean
Unmozify

Quick View Plus
Quick View Plus is probably the best known general file viewing utility available.
It has support for almost all document, presentation, and graphic formats, making it an invaluable tool for the computer forensic examiner.

IrfanView32
IrfanView32 is a very fast 32-bit graphics viewer that supports almost all image formats in use on the Internet, with plugins available that support many movie formats.

Resplendent Registrar
Resplendent Registrar allows detailed examination of Microsoft Windows registry files, with more advanced features than the built-in Registry Editor.
It supports searching, bookmarking, and printing details of relevant keys.

GUIDClean
GUIDClean is a freeware program that allows detection and display of the Globally Unique Identifiers (GUIDs) that Microsoft Windows 98 and some versions of Microsoft Word and Excel, prior to MS Office 2000, placed in documents.
The GUID is based on the MAC address of the system's network card, if one is present, allowing documents to be traced to the system on which they were authored.

Unmozify
Unmozify is an Internet browser offline viewer that can be used to examine and reconstruct Web pages from the browser history files and cache directories of Internet Explorer and Netscape Navigator.