Guide to Digital Forensics and Investigations 5th Edition Chapter 3 Review Questions
Guide to Computer Forensics and Investigations, 5th Edition. Chapter 6: Current Digital Forensics Tools

Objectives
• Explain how to evaluate needs for digital forensics tools
• Describe available digital forensics software tools
• List some considerations for digital forensics hardware tools
• Describe methods for validating and testing forensics tools
Guide to Computer Forensics and Investigations, 5th Edition © Cengage Learning 2015 2

Evaluating Digital Forensics Tool Needs
• Consider open-source tools; the best value for as many features as possible
• Questions to ask when evaluating tools:
– On which OS does the forensics tool run?
– What file systems can the tool analyze?
– Can a scripting language be used with the tool to automate repetitive functions?
– Does it have automated features?
– What is the vendor's reputation for providing support?

Types of Digital Forensics Tools
• Hardware forensic tools
– Range from single-purpose components to complete computer systems and servers
• Software forensic tools
– Types: command-line applications and GUI applications
– Commonly used to copy data from a suspect's disk drive to an image file

Tasks Performed by Digital Forensics Tools
• Follow guidelines set up by NIST's Computer Forensics Tool Testing (CFTT) program
• ISO standard 27037 states: Digital Evidence First Responders (DEFRs) should use validated tools
• Five major categories:
– Acquisition
– Validation and verification
– Extraction
– Reconstruction
– Reporting

Tasks Performed by Digital Forensics Tools
• Acquisition
– Making a copy of the original drive
• Acquisition subfunctions:
– Physical data copy
– Logical data copy
– Data acquisition format
– Command-line acquisition
– GUI acquisition
– Remote, live, and memory acquisitions

Tasks Performed by Digital Forensics Tools
• Acquisition (cont'd)
– Two types of data-copying methods are used in software acquisitions:
• Physical copying of the entire drive
• Logical copying of a disk partition
– The formats for disk acquisitions vary
• From raw data to vendor-specific proprietary formats
– You can view the contents of a raw image file with any hexadecimal editor
Tasks Performed by Digital Forensics Tools
• Acquisition (cont'd)
– Creating smaller segmented files is a typical feature in vendor acquisition tools
– Remote acquisition of files is common in larger organizations
• Popular tools, such as AccessData and EnCase, can do remote acquisitions of forensics drive images over a network

Tasks Performed by Digital Forensics Tools
• Validation and verification
– Validation
• A way to confirm that a tool is functioning as intended
– Verification
• Proves that two sets of data are identical by calculating hash values or using another similar method
• A related process is filtering, which involves sorting and searching through investigation findings to separate good data from suspicious data

Tasks Performed by Digital Forensics Tools
• Validation and verification (cont'd)
– Subfunctions
• Hashing
– CRC-32, MD5, SHA-1 (Secure Hash Algorithms)
• Filtering
– Based on hash value sets
• Analyzing file headers
– Discriminate files based on their types
– The National Software Reference Library (NSRL) has compiled a list of known file hashes
• For a variety of OSs, applications, and images
Tasks Performed by Digital Forensics Tools
• Validation and discrimination (cont'd)
– Many computer forensics programs include a list of common header values
• With this information, you can see whether a file extension is incorrect for the file type
– Most forensics tools can identify header values
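The three validation subfunctions on the slides above (hashing with CRC-32/MD5/SHA-1, filtering against known-hash sets, and comparing a file's header signature with its extension) as an added Python example; this is not code from the original slides or from any tool the chapter names. The signature table, the sample "files", and the small known-good/known-bad sets are constructed for the demonstration and stand in for a real NSRL-style reference set.

```python
import hashlib
import zlib
from pathlib import Path

# Constructed subset of file signatures (magic bytes); a real tool ships a much larger table.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}


def hash_bytes(data: bytes) -> dict:
    """Hashing subfunction: CRC-32, MD5 and SHA-1 digests of one data set."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify_identical(original: bytes, copy: bytes) -> bool:
    """Verification subfunction: two data sets are identical when every digest agrees."""
    return hash_bytes(original) == hash_bytes(copy)


def header_type(data: bytes):
    """Header analysis: identify the file type from its leading bytes, or None if unknown."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def triage(name: str, data: bytes, known_good: set, known_bad: set) -> str:
    """Filtering subfunction: classify one file by hash set, then by header/extension agreement."""
    sha1 = hash_bytes(data)["sha1"]
    if sha1 in known_bad:
        return "known-bad"
    if sha1 in known_good:
        return "known-good (filtered out)"
    claimed = Path(name).suffix.lstrip(".").lower()
    actual = header_type(data)
    if actual is not None and actual != claimed:
        return f"extension mismatch: named .{claimed}, header says {actual}"
    return "unknown, review"


if __name__ == "__main__":
    # Constructed sample "files": a PNG header behind a .jpg name, a plain text note,
    # and an OS file whose hash is already in the (simulated) reference set.
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    os_file = b"MZ\x90\x00" + bytes(32)
    known_good = {hash_bytes(os_file)["sha1"]}
    for name, data in [("photo.jpg", png), ("notes.txt", b"meeting at 9"), ("kernel32.dll", os_file)]:
        print(name, "->", triage(name, data, known_good, set()))
```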
Tasks Performed by Digital Forensics Tools
• Extraction
– Recovery task in a digital investigation
– Most challenging of all tasks to master
– Recovering data is the first step in analyzing an investigation's data

Tasks Performed by Digital Forensics Tools
• Extraction (cont'd)
– Subfunctions of extraction
• Data viewing
• Keyword searching
• Decompressing or uncompressing
• Carving
• Decrypting
• Bookmarking or tagging
– Keyword search speeds up analysis for investigators
Tasks Performed by Digital Forensics Tools
• Extraction (cont'd)
– From an investigation perspective, encrypted files and systems are a problem
– Many password recovery tools have a feature for generating potential password lists
• For a password dictionary attack
– If a password dictionary attack fails, you can run a brute-force attack

Tasks Performed by Digital Forensics Tools
• Reconstruction
– Re-create a suspect drive to show what happened during a crime or an incident
– Methods of reconstruction
• Disk-to-disk copy
• Partition-to-partition copy
• Image-to-disk copy
• Image-to-partition copy
• Rebuilding files from data runs and carving

Tasks Performed by Digital Forensics Tools
• Reconstruction (cont'd)
– To copy an image of a suspect drive
• Copy an image to another location, such as a partition, a physical disk, or a virtual machine
• The simplest method is to use a tool that makes a direct disk-to-image copy
– Examples of disk-to-image copy tools:
• Linux dd command
• ProDiscover
• Voom Technologies Shadow Drive

Tasks Performed by Digital Forensics Tools
• Reporting
– To perform a forensics disk analysis and examination, you need to create a report
– Subfunctions of reporting
• Bookmarking or tagging
• Log reports
• Report generator
– Use this data when producing a final report for your investigation
Tool Comparisons
Other Considerations for Tools
• Considerations
– Flexibility
– Reliability
– Future expandability
• Create a software library containing older versions of forensics utilities, OSs, and other programs

Digital Forensics Software Tools
• The following sections explore some options for command-line and GUI tools in both Windows and UNIX/Linux

Command-line Forensics Tools
• The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems
• Norton DiskEdit
– One of the first MS-DOS tools used for computer investigations
– Command-line tools require few system resources
• Designed to run in minimal configurations
– Current programs are more powerful and have many more capabilities

Linux Forensics Tools
• UNIX has been mostly replaced by Linux
– You might still encounter systems running UNIX
• Linux platforms are becoming more popular with home and business end users
• SMART
– Designed to be installed on numerous Linux versions
– Can analyze a variety of file systems with SMART
– Many plug-in utilities are included with SMART
– Another useful option in SMART is its hex viewer

Linux Forensics Tools
• Helix 3
– One of the easiest suites to begin with
– You can load it on a live Windows system
• Loads as a bootable Linux OS from a cold boot
– Some international courts have not accepted live acquisitions as a valid forensics practice
• Kali Linux
– Formerly known as BackTrack
– Includes a variety of tools and has an easy-to-use KDE interface

Linux Forensics Tools
• Autopsy and Sleuth Kit
– Sleuth Kit is a Linux forensics tool
– Autopsy is the GUI browser interface used to access Sleuth Kit's tools
– Chapter 7 explains how to use these tools

Other GUI Forensics Tools
• GUI forensics tools can simplify digital forensics investigations
• They have also simplified training for beginning examiners
• Most of them are put together as suites of tools
• Advantages
– Ease of use
– Multitasking
– No need for learning older OSs

Other GUI Forensics Tools
• Disadvantages
– Excessive resource requirements
– Produce inconsistent results
– Create tool dependencies
• Investigators may want to use only one tool
• Should be familiar with more than one type of tool
Digital Forensics Hardware Tools
• Technology changes rapidly
• Hardware eventually fails
– Schedule equipment replacements periodically
• When planning your budget consider:
– Amount of time you expect the forensic workstation to be running
– Failures
– Consultant and vendor fees
– Anticipated equipment replacement

Forensic Workstations
• Carefully consider what you need
• Categories
– Stationary workstation
– Portable workstation
– Lightweight workstation
• Balance what you need and what your system can handle
– Remember that RAM and storage need updating as technology advances

Forensic Workstations
• Police agency labs
– Need many options
– Use several PC configurations
• Keep a hardware library in addition to your software library
• Private corporation labs
– Handle only the system types used in the organization

Forensic Workstations
• Building a forensic workstation is not as difficult as it sounds
• Advantages
– Customized to your needs
– Saves money
• Disadvantages
– Difficult to find support for problems
– Can become expensive if careless
• Also need to identify what you intend to analyze

Forensic Workstations
• Some vendors offer workstations designed for digital forensics
• Examples
– F.R.E.D. unit from Digital Intelligence
– Hardware mounts from ForensicPC
• Having vendor support can save you time and frustration when you have problems
• Can mix and match components to get the capabilities you need for your forensic workstation

Using a Write-Blocker
• Write-blocker
– Prevents data writes to a hard disk
• Software-enabled blockers
– Typically run in a shell mode (Windows CLI)
– Example: PDBlock from Digital Intelligence
• Hardware options
– Ideal for GUI forensic tools
– Act as a bridge between the suspect drive and the forensic workstation

Using a Write-Blocker
• You can navigate to the blocked drive with any application
• Discards the written data
– To the OS, the data copy appears successful
• Connecting technologies
– FireWire
– USB 2.0 and 3.0
– SATA, PATA, and SCSI controllers

Recommendations for a Forensic Workstation
• Determine where data acquisitions will take place
• With FireWire and USB write-blocking devices
– You can acquire data easily with Digital Intelligence FireChief and a laptop computer
– FireWire
• If you want to reduce hardware to carry:
– WiebeTech Forensic DriveDock with its regular DriveDock FireWire bridge, or the Logicube Talon

Recommendations for a Forensic Workstation
• Recommendations when choosing a stationary or lightweight workstation:
– Full tower to allow for expansion devices
– As much memory and processor power as budget allows
– Different sizes of hard drives
– 400-watt or better power supply with battery backup
– External FireWire and USB 2.0 ports
– Array of drive adapter bridges

Recommendations for a Forensic Workstation
• Recommendations when choosing a stationary or lightweight workstation (cont'd):
– Ergonomic keyboard and mouse
– A good video card with at least a 17-inch monitor
– High-end video card and dual monitors
• If you have a limited budget, one option for outfitting your lab is to use high-end game PCs
Validating and Testing Forensic Software
• It is important to make sure the evidence you recover and analyze can be admitted in court
• You must test and validate your software to prevent damaging the evidence

Using National Institute of Standards and Technology Tools
• NIST publishes articles, provides tools, and creates procedures for testing/validating forensics software
• Computer Forensics Tool Testing (CFTT) project
– Manages research on computer forensics tools
• NIST has created criteria for testing computer forensics tools based on:
– Standard testing methods
– ISO 17025 criteria for testing items that have no current standards

Using National Institute of Standards and Technology Tools
• Your lab must meet the following criteria
– Establish categories for digital forensics tools
– Identify forensics category requirements
– Develop test assertions
– Identify test cases
– Establish a test method
– Report test results
• ISO 5725 specifies that results must be repeatable and reproducible

Using National Institute of Standards and Technology Tools
• NIST created the National Software Reference Library (NSRL) project
– Collects all known hash values for commercial software applications and OS files
• Uses SHA-1 to generate a known set of digital signatures called the Reference Data Set (RDS)
– Helps in filtering known data
– Can use the RDS to locate and identify known bad files

Using Validation Protocols
• Always verify your results by performing the same tasks with other similar forensics tools
• Use at least two tools
– Retrieving and examination
– Verification
• Understand how forensics tools work
• One way to compare results and verify a new tool is by using a disk editor
– Such as Hex Workshop or WinHex

Using Validation Protocols
• Disk editors do not have a flashy interface; however, they:
– Are reliable tools
– Can access raw data
• Computer Forensics Examination Protocol
– Perform the investigation with a GUI tool
– Verify your results with a disk editor
– Compare hash values obtained with both tools

Using Validation Protocols
• Digital Forensics Tool Upgrade Protocol
– Test
• New releases
• OS patches and upgrades
– If you discover a problem, report it to the forensics tool vendor
• Do not use the forensics tool until the problem has been fixed
– Use a test hard disk for validation purposes
– Check the Web for new editions, updates, patches, and validation tests for your tools

Summary
• Consult your business plan to get the best hardware and software
• Computer forensics tool functions
– Acquisition
– Validation and verification
– Extraction
– Reconstruction
– Reporting
• Maintain a software library in your lab

Summary
• Computer forensics tool types
– Software
– Hardware
• Forensics software
– Command-line
– GUI
• Forensics hardware
– Customized equipment
– Commercial options
– Include workstations and write-blockers

Summary
• Tools that run in Windows and other GUI environments don't require the same level of computing expertise as command-line tools
• Always run a validation test when upgrading your forensics tools
Source: https://slidetodoc.com/guide-to-computer-forensics-and-investigations-fifth-edition-5/