Forensics Toolbox
Paul A. Henry, MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, Florida PI License C2800597
Forensics & Recovery LLC, Florida PI Agency License A2900048

Slide 1: Forensics Toolbox
Paul A. Henry, MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, Florida PI License C2800597
Forensics & Recovery LLC, Florida PI Agency License A2900048

Slide 2: Latest Additions To My Tool Kit
• Cellebrite UFED
• SafeBlock XP
• SAFE Boot CD
• VOOM III
• F-Response
• Tableau TD1
• HBGary RAM FastDump
• FTK 2.x

Slide 3: Cellebrite UFED
• Cell phones were becoming a part of larger forensic jobs
• Recognized that I am not going to make a living imaging cell phones, but had lost a couple of larger jobs because I could not include the cell phones along with the laptops and PCs
• Tried several software solutions: limited to a small range of phones; driver support is really, really bad; no write block protection; I do not like the idea of jail-breaking

Slide 4: Cellebrite UFED
• Supports CDMA, GSM, iDEN and TDMA
• Covers 1700+ phones / PDAs
• What does it capture? Phonebook, pictures, videos, text messages, call logs, ESN and IMEI information
• Complete MD5-verified evidence reports
• Writes NOTHING to the phone

Slide 5: Cellebrite UFED Interfaces
• USB, Serial, Bluetooth, Infrared, RJ45
• SIM / USIM reader, SD card reader
• Ethernet, Mini DIN to PC COM port

Slide 6: Cellebrite UFED
• Yes, it supports 2G / 3G iPhones and also the new Google G1
• Can unlock the iPhone using plist files from the host without jail-breaking
• Memory dump extracts 382 files, including 180 property list (plist) files and SQLite databases: SMS, Notes, Call History, Calendar, Address Book, Appstore program data

Slide 7: Cellebrite UFED (screenshot)

Slide 8: New version of MobileSync Browser with direct support for the UFED Memory Dump is coming from Vaughn Cordero

Slide 9: Cellebrite UFED (screenshot)

Slides 10 to 13: (screenshots, no text)

Slide 14: (Cellebrite UFED summary)
• 1700+ phone and PDA support is huge
• 63 adapter cables included
• Also available as a ruggedized kit
• Integrated write block, no jail-breaking
• Great reporting with MD5 validation

Slide 15: SAFE Block XP
• Point & click write blocking in Windows
• Simultaneously block multiple devices
• Nearly anything that plugs in to Windows can be write blocked
• Application independent, transparent to your other applications
• FAST: no USB or FireWire bottleneck
• HPA and DCO support: remove, store, replace

Slides 16 to 19: SAFE Block XP
Using the 5-step NIST-like methodology outlined in the Helix documentation, I validated that it did not alter the hard drive under test:
1. Prepare the media
   a. Insert the drive into the removable drive tray
   b. Wipe the drive and validate
   c. Format the drive
   d. Copy data to the drive
   e. Delete a portion of the data on the drive
   f. Since all of my drives are configured to use write caching for performance, I added the extra step of flushing the drive write cache using the Microsoft Sysinternals Sync program
   g. Image and MD5 hash the drive to a folder called Step-1
2. Test the media
   a. Copy additional data to the drive
   b. Delete a portion of the data that was written to the drive
   c. Flush the drive cache
   d. Image and MD5 hash the drive to a folder called Step-2
   e. Compare the MD5 hash for the drive in folder Step-1 with the MD5 hash for the image in folder Step-2. The media had in fact been changed, so the MD5 hash values should be different
3. Activate the write blocking device
   a. Activate the software write block for the drive under test
4. Test the write blocking device
   a. Attempt to copy data to the drive
   b. Attempt to delete data from the drive
   c. Attempt to format the drive
   d. Flush the drive cache
   e. Image and MD5 hash the drive to a folder called Step-5
5. Check for any changes in the media
   a. Compare the MD5 hash for the image in folder Step-2 with the MD5 hash for the image contained in folder Step-5

Slide 20: SAFE Block XP
If the write block is forensically sound, the MD5 hashes will match, validating that the write block prevented any changes to the drive.

Slide 21: SAFE Block XP (screenshot)

Slide 22: SAFE Boot CD
• Windows-based alternative to Linux
• Built on top of SAFE Block XP
• Compatible with numerous tools: FTK Imager, EnCase 6, X-Ways, WinRAR, WinHex, IrfanView image viewer, VLC video viewer, Open Office 1.5

Slide 23: SAFE Boot CD
• Includes utility to create bootable USB
• Includes utility to create tools media

Slide 24: SAFE Boot CD: built-in file explorer (screenshot)

Slide 25: SAFE Boot CD: integrated search utility (screenshot)

Slide 26: SAFE Boot CD: command line (screenshot)

Slide 27: VOOM Hardcopy III
• Full test data available here: http://www.forensicsandrecovery.com/Public/Blog/Entries/2009/4/29_Real_World_Testing_-_Voom_Hardcopy_III.html
• Claims 7.5 GB/min; the maximum I found with off-the-shelf drives was 5.6 GB/min
• Provides two SATA target ports: wipe two drives simultaneously, copy one source to two targets, image one source to two targets
• Current version only supports SHA1
• Provides CRC for file chunks

Slide 28: VOOM Hardcopy III (screenshot)

Slide 29: Notable findings
• No performance degradation when SHA1 is enabled
• No performance degradation when wiping 2 drives simultaneously
• No performance degradation when copying one source to two targets
• No performance degradation when imaging one source to two targets

Slide 30: F-Response
• Vendor-agnostic solution for remote forensics
• Provides read-only access to the full physical disk of any remote computer on the wire
• Provides read-only access to RAM in Windows computers on the wire (except Vista x64)
• The remote physical drive or RAM simply looks like a local resource to your forensic tools

Slide 31: F-Response
• I have used it for remote access to image Windows XP and Windows Vista as well as a MacBook Pro and an iMac, while running my tools on a local Vista x64 machine, with no issues
• Great alternative to digging out your watch repair tools to take apart that laptop ;-)
• Great way to handle a RAID array
• Small, defendable footprint on the host: USB insertion and USB app execution

Slide 32: F-Response
• I purchased the Field Edition: allows for a one-to-one connection
• Also available as a Consultant Edition: allows for access to multiple source machines using a single USB key
• Also available as an Enterprise Edition: distribute to many targets across the entire enterprise with an unlimited license
• Indispensable tool; I don't leave home without it

Slide 33: Tableau TD1
• Fastest imager I have used to date when imaging 1 source to 1 target
• Claims 6.0 GB/min; the maximum I saw was 5.9 GB/min
• When imaging a 500 GB source to a 1 TB target it completed 26 minutes faster than its nearest competitor
• Features: multiple wipe modes; SHA1 and MD5 hashes; keyboard port available, but no keyboard required to enter data (keypad)

Slide 34: Tableau TD1
• Log data written to USB key or USB printer
• Retains user data and configuration in memory and allows 1-button imaging
• Integrated SATA and IDE source / target ports; no need for external IDE adapters
• Also includes laptop and ZIF connectors

Slide 35: Tableau TD1 (screenshot)

Slide 36: Final Imager Considerations
• The Voom Hardcopy III and Tableau TD1 are both formidable imagers
• If you need to regularly image to two targets or wipe two drives simultaneously, then the Voom Hardcopy III is a good choice
• If you want the fastest imager, do not need to image or wipe multiple drives, but need SHA and MD5 hashing or multiple wipe modes, then the TD1 is a good choice
• Tough choice - I bought them both ;-)

Slide 37: HBGary RAM Capture
• Live forensics is playing a much more important role in forensics
• So much volatile info is available in RAM: keys to the kingdom & smoking gun (http://volatility.tumblr.com/)
• I have tested many tools that claimed to be able to capture a complete image of RAM in a Vista environment
• Only 1 tool can handle capturing more than 8 GB of RAM in Vista x64: HBGary FastDump ROCKS

Slide 38: FTK 2.x
• I have done a lot of work with FTK 2.x; I do not work for them but am a member of the beta team
• In the simplest of terms, FTK 2.x works well but you need the horsepower to properly run it
• I moved to FTK years ago because I like the automation they bring to the table, not found in other products
• Not making excuses for them, but the move to Vista has been difficult for EVERYONE

Slide 39: FTK 2.x: What do I run FTK on?

Slide 40: FTK 2.x
• Intel Quad-core Q9450 overclocked to 3.2 GHz, FSB at 1600
• DDR2 1066 RAM (cooled)
• 8 SATA ports using a 5-slot removable rack with hot-swap SATA backplane

Slide 41: FTK 2.x
• Best investment for FTK 2.x: I run mine with eight 300 GB 10k VelociRaptors in RAID 0

Slide 42: FTK 2.x Performance
• Processing images < 1,000,000 objects: speeds of up to 70 objects per second
• Processing images > 1,500,000 objects: speeds of up to 50 objects per second
• I have a stand-alone configuration
• So what does that mean? 500 GB HD with 1.8 million objects

Slide 43: FTK 2.x
I found the best performance under Vista x64:
• Kill ReadyBoost
• Kill SuperFetch
• Turn off visual enhancements
• Disable UAC / AV / Update / backup
• 1 huge RAID 0 array partitioned as separate drives; let the Adaptec buffer manager sort it out
• I store my images and back up everything over a dedicated 1GB LAN to a RAID 5 NAS

Slide 44: Forensics & Recovery LLC
Florida PI License A 29004
www.forensicsandrecovery.com
Paul A. Henry, MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, Florida PI License C2800597
25 SE 69th Place, Ocala, FL 34480
Telephone (954) 854 9143
[email protected]
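The five-step SAFE Block XP validation in slides 16 to 20 comes down to two MD5 comparisons: the Step-1 and Step-2 images must differ (the media really changed while the blocker was off) and the Step-2 and Step-5 images must match (nothing changed while it was on). The Python below is an added example, not code from the presentation: it drives those steps against a constructed in-memory stand-in for the drive (SimDrive, an assumption) so the comparison logic can be run, and the enforce flag also shows what a leaking blocker looks like.

```python
import hashlib


class SimDrive:
    """Constructed stand-in for the drive under test: a byte buffer plus a
    software write-block flag. enforce=False models a blocker that leaks writes."""

    def __init__(self, size: int = 4096, enforce: bool = True):
        self.data = bytearray(size)
        self.blocked = False
        self.enforce = enforce

    def write(self, offset: int, payload: bytes) -> bool:
        if self.blocked and self.enforce:
            return False                      # write refused by the blocker
        self.data[offset:offset + len(payload)] = payload
        return True

    def image(self) -> bytes:
        return bytes(self.data)               # "image the drive" step


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def run_validation(drive: SimDrive) -> dict:
    """Drive the 5-step methodology and return the hash comparisons."""
    # 1. Prepare the media: copy data, delete a portion, image to Step-1
    drive.write(0, b"evidence-file-A" * 20)
    drive.write(0, b"\x00" * 64)              # "delete" = zero part of it
    step1 = md5_hex(drive.image())
    # 2. Test the media (blocker still off): more writes/deletes, image to Step-2
    drive.write(1024, b"evidence-file-B" * 20)
    drive.write(1024, b"\x00" * 64)
    step2 = md5_hex(drive.image())
    # 3. Activate the write block
    drive.blocked = True
    # 4. Test the write block: copy, delete and "format" attempts, image to Step-5
    attempts = [drive.write(2048, b"should-not-land" * 20),
                drive.write(1024, b"\x00" * 128),
                drive.write(0, b"\xff" * len(drive.data))]
    step5 = md5_hex(drive.image())
    # 5. Check for changes
    media_changed = step1 != step2            # must differ: the test can see writes
    block_sound = step2 == step5              # must match: nothing got through
    return {"step1": step1, "step2": step2, "step5": step5,
            "writes_accepted_while_blocked": sum(attempts),
            "verdict": "PASS" if media_changed and block_sound else "FAIL"}
```

Against real drive images the same two comparisons apply to the MD5 values recorded in the Step-1, Step-2 and Step-5 folders; the simulation only replaces the imaging and cache-flush steps that the hardware performs.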