Guide to Computer Forensics and Investigations
Fourth Edition
Chapter 7
Current Computer Forensics Tools
Last modified 10-4-10 11:40 am
CuuDuongThanCong.com

Objectives
• Explain how to evaluate needs for computer forensics tools
• Describe available computer forensics software tools
• List some considerations for computer forensics hardware tools
• Describe methods for validating and testing computer forensics tools

Evaluating Computer Forensics Tool Needs

Evaluating Computer Forensics Tool Needs
• Look for versatility, flexibility, and robustness
  – OS
  – File system(s)
  – Script capabilities
  – Automated features
  – Vendor’s reputation for support
• Keep in mind what application files you will be analyzing

Types of Computer Forensics Tools
• Hardware forensic tools
  – Range from single-purpose components to complete computer systems and servers
  Logicube Talon (link Ch 7a)
• Software forensic tools
  – Types
    • Command-line applications
    • GUI applications
  – Commonly used to copy data from a suspect’s disk drive to an image file

Tasks Performed by Computer Forensics Tools
• Five major categories:
  – Acquisition
  – Validation and discrimination
  – Extraction
  – Reconstruction
  – Reporting

Acquisition
• Making a copy of the original drive
• Acquisition subfunctions:
  – Physical data copy
  – Logical data copy
  – Data acquisition format
  – Command-line acquisition
  – GUI acquisition
  – Remote acquisition
  – Verification

Acquisition (continued)
• Two types of data-copying methods are used in software acquisitions:
  – Physical copying of the entire drive
  – Logical copying of a disk partition
• The formats for disk acquisitions vary
  – From raw data to vendor-specific proprietary compressed data
• You can view the contents of a raw image file with any hexadecimal editor

Acquisition (continued)
• Creating smaller segmented files is a typical feature in vendor acquisition tools
• All computer forensics acquisition tools have a method for verification of the data-copying process
  – That compares the original drive with the image

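The two slide points above (segmented image files, and a verify step that compares the original drive with the image) can be shown together in a small script. This is an added example, not code from the textbook or from any vendor tool: the "drive" is a constructed byte string, the segments stand in for the numbered files a tool writes, no vendor format (E01, AFF, split raw) is parsed, and the hash record is what the script itself produced during acquisition.

```python
"""Added example: verify a segmented physical acquisition against the source.

Everything here is constructed for illustration; no vendor image format is
parsed. Segments stand in for the numbered files a vendor tool writes, and the
recorded hashes play the role of the tool's verification record.
"""
import hashlib
import io

SEGMENT_SIZE = 4096   # constructed; real tools use segments of hundreds of MB
CHUNK = 1024          # read size for streaming hashes
ALGORITHMS = ("md5", "sha256")  # MD5 as on the slide, SHA-256 for a stronger check


def hash_stream(stream, algorithms=ALGORITHMS):
    """Hash a readable binary stream chunk by chunk; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class SegmentedImage:
    """Present a list of segment byte strings as one continuous read-only stream,
    the way a tool re-assembles split image files during verification."""

    def __init__(self, segments):
        self._segments = segments
        self._index = 0
        self._offset = 0

    def read(self, n):
        out = bytearray()
        while len(out) < n and self._index < len(self._segments):
            seg = self._segments[self._index]
            take = seg[self._offset:self._offset + n - len(out)]
            out += take
            self._offset += len(take)
            if self._offset >= len(seg):
                self._index += 1
                self._offset = 0
        return bytes(out)


def acquire_segmented(source, segment_size=SEGMENT_SIZE):
    """Physical copy: every byte of `source` goes into fixed-size segments (the
    last may be shorter). Returns (segments, per_segment_hashes, source_hashes)."""
    segments = [source[i:i + segment_size] for i in range(0, len(source), segment_size)]
    segment_hashes = [hash_stream(io.BytesIO(seg)) for seg in segments]
    source_hashes = hash_stream(io.BytesIO(source))
    return segments, segment_hashes, source_hashes


def verify_acquisition(source_hashes, segments, segment_hashes):
    """Compare the image with the source at two levels: each segment against its
    recorded hash (pinpoints a damaged file) and the re-assembled whole against
    the source-drive hash (what the tool's verify step reports). A missing
    segment is caught by the whole-image comparison."""
    bad_segments = [i for i, (seg, expected) in enumerate(zip(segments, segment_hashes))
                    if hash_stream(io.BytesIO(seg)) != expected]
    image_hashes = hash_stream(SegmentedImage(segments))
    whole_ok = image_hashes == source_hashes
    return {"ok": whole_ok and not bad_segments,
            "whole_image_matches": whole_ok,
            "bad_segments": bad_segments,
            "image_hashes": image_hashes}


if __name__ == "__main__":
    # Constructed stand-in for a 10 KB source drive (3 segments: 4096, 4096, 2048 bytes).
    source = bytes(range(256)) * 40
    segs, seg_hashes, src_hashes = acquire_segmented(source)
    print("clean image ok:", verify_acquisition(src_hashes, segs, seg_hashes)["ok"])
    damaged = list(segs)
    damaged[1] = b"\xff" + damaged[1][1:]      # one flipped byte in the second segment
    print("damaged image:", verify_acquisition(src_hashes, damaged, seg_hashes))
```

Hashing the segments individually is what lets the examiner say which file on the evidence volume was damaged; hashing the re-assembled stream is the comparison the slide describes, and it is the one that must match the hash taken from the original drive.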
Validation and discrimination
• Validation
  – Ensuring the integrity of data being copied
• Discrimination of data
  – Involves sorting and searching through all investigation data

Validation and discrimination (continued)
• Subfunctions
  – Hashing
    • CRC-32, MD5, Secure Hash Algorithms
  – Filtering
    • Known system files can be ignored
    • Based on hash value sets
  – Analyzing file headers
    • Discriminate files based on their types
• National Software Reference Library (NSRL) has compiled a list of known file hashes
  – For a variety of OSs, applications, and images

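Hash-set filtering, as listed on the slide, is easy to show end to end: compute the three digests named there (CRC-32, MD5, a SHA), load a known-file set, and drop every evidence file whose hash is in it. The script below is an added example, not code from the textbook or the NSRL. The "known" and "notable" files are constructed stand-ins, and the CSV columns follow the layout of the legacy NSRLFile.txt as an assumption about that format, not as data taken from it.

```python
"""Added example: discriminate evidence files with a known-file hash set.

The hash set is built here from constructed stand-in content; the CSV columns
follow the layout of the legacy NSRLFile.txt (an assumption about that format,
not data from the NSRL). Nothing here is a real OS file or a real sample.
"""
import csv
import hashlib
import io
import zlib

# Constructed stand-ins for OS/application files a hash set would cover.
KNOWN_CONTENT = {
    "notepad.exe": b"MZ\x90\x00 constructed notepad body",
    "kernel32.dll": b"MZ\x90\x00 constructed kernel32 body",
}
# Constructed stand-in for a file an investigator wants flagged (an "alert" set).
NOTABLE_CONTENT = {
    "dropper.exe": b"MZ\x90\x00 constructed notable body",
}


def file_hashes(data):
    """The three digests the slide lists: SHA (here SHA-1), MD5 and CRC-32."""
    return {
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08X"),
    }


def build_rds_csv(entries):
    """Write constructed rows in the legacy NSRLFile.txt column layout (assumption)."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
                "ProductCode", "OpSystemCode", "SpecialCode"])
    for name, data in entries.items():
        h = file_hashes(data)
        w.writerow([h["sha1"], h["md5"], h["crc32"], name, len(data), "0", "0", ""])
    return buf.getvalue()


def load_hash_set(csv_text, column="SHA-1"):
    """Read one digest column into a set for O(1) lookups."""
    return {row[column].upper() for row in csv.DictReader(io.StringIO(csv_text))}


def classify(evidence, known_set, notable_set):
    """evidence: {path: bytes}. Lookup is by content hash only, so a renamed
    copy of a known file is still 'known' and a patched copy becomes 'unknown'."""
    result = {}
    for path, data in evidence.items():
        digest = file_hashes(data)["sha1"]
        if digest in notable_set:
            result[path] = "notable"
        elif digest in known_set:
            result[path] = "known"
        else:
            result[path] = "unknown"
    return result


def review_queue(evidence, known_set, notable_set):
    """Paths that survive filtering: notable first, then unknown; known files are dropped."""
    cls = classify(evidence, known_set, notable_set)
    order = {"notable": 0, "unknown": 1}
    return sorted((p for p, c in cls.items() if c != "known"),
                  key=lambda p: (order[cls[p]], p))


# Constructed evidence set: a renamed known file, a patched known file, a user
# document, and a copy of the notable file under an innocuous name.
EVIDENCE = {
    "Users/alice/Desktop/game.exe": KNOWN_CONTENT["notepad.exe"],
    "Windows/System32/kernel32.dll": KNOWN_CONTENT["kernel32.dll"][:-1] + b"!",
    "Users/alice/Documents/notes.txt": b"constructed user document",
    "Windows/Temp/update.tmp": NOTABLE_CONTENT["dropper.exe"],
}

if __name__ == "__main__":
    known = load_hash_set(build_rds_csv(KNOWN_CONTENT))
    notable = load_hash_set(build_rds_csv(NOTABLE_CONTENT))
    for path, verdict in classify(EVIDENCE, known, notable).items():
        print(f"{verdict:8} {path}")
    print("review:", review_queue(EVIDENCE, known, notable))
```

The two interesting rows are the renamed copy of a known file (still filtered out, because the name plays no part) and the one-byte-patched system DLL (no longer in the set, so it stays in the review queue). That second case is the reason filtering by hash set is a discrimination step and not only a way to shrink the workload.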
Tasks Performed by Computer Forensics Tools (continued)

Validation and discrimination (continued)
• Many computer forensics programs include a list of common header values
  – With this information, you can see whether a file extension is incorrect for the file type
• Most forensics tools can identify header values

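The header check the slide describes comes down to a table of leading byte sequences and a table of which header types each extension may legitimately carry. The script below is an added example, not code from the textbook or from any forensic product: the signature list is a small constructed subset of the well-known magic numbers (real tools ship far larger lists), and the sample files are built in memory with only their leading bytes mattering.

```python
"""Added example: check file headers against file extensions.

The signature table is a small constructed subset of the well-known magic
numbers; real forensic tools ship far larger lists. The sample files are
constructed in memory.
"""

# (type name, header bytes at offset 0)
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),
    ("pe", b"MZ"),
]

# Which header types an extension legitimately carries. Office Open XML
# documents are ZIP containers, so .docx/.xlsx are expected to show "zip".
# Plain-text extensions carry no binary signature, so any match is suspicious.
EXTENSION_TYPES = {
    "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "png": {"png"}, "gif": {"gif"},
    "pdf": {"pdf"}, "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"},
    "exe": {"pe"}, "dll": {"pe"}, "txt": set(),
}


def identify_header(data):
    """Return the type whose signature matches the start of the data, else None."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def check_extension(filename, data):
    """Classify one file: 'match', 'mismatch', 'unknown_header' (no signature
    matched) or 'unknown_extension' (extension not in the table).
    Returns (status, header_type, extension)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    header_type = identify_header(data)
    if header_type is None:
        return ("unknown_header", None, ext)
    if ext not in EXTENSION_TYPES:
        return ("unknown_extension", header_type, ext)
    if header_type in EXTENSION_TYPES[ext]:
        return ("match", header_type, ext)
    return ("mismatch", header_type, ext)


def find_mismatches(files):
    """files: {name: bytes}. Returns {name: header_type} for extension
    mismatches, the files an examiner would look at first."""
    mismatches = {}
    for name, data in files.items():
        status, header_type, _ = check_extension(name, data)
        if status == "mismatch":
            mismatches[name] = header_type
    return mismatches


# Constructed samples: bodies are filler; only the leading bytes matter here.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "invoice.pdf": b"\xff\xd8\xff\xe1" + b"\x00" * 16,   # a JPEG renamed to .pdf
    "setup.txt": b"MZ\x90\x00" + b"\x00" * 16,            # an executable renamed to .txt
    "readme.txt": b"plain text, no signature",
    "archive.bin": b"PK\x03\x04" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:14} {check_extension(name, data)}")
    print("mismatches:", find_mismatches(SAMPLE_FILES))
```

Two outcomes deserve a second look even though they are not mismatches: a file whose header matches nothing (it may simply be text, or it may be encrypted or deliberately damaged), and a file whose extension is not in the table (the table decides nothing about it). A tool that only reports "mismatch" hides both.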
Tasks Performed by Computer Forensics Tools (continued)

Extraction
• Recovery task in a computing investigation
• Most demanding of all tasks to master
• Recovering data is the first step in analyzing an investigation’s data

Extraction (continued)
• Subfunctions
  – Data viewing
  – Keyword searching
  – Decompressing
  – Carving (reconstructing file fragments)
  – Decrypting
  – Bookmarking
• Keyword search speeds up analysis for investigators

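Two of the extraction subfunctions above, carving and keyword searching, can be demonstrated on one raw image. The script below is an added example, not code from the textbook or from FTK or any other product: the image is a constructed byte string, the JPEG and PDF inside it are minimal stand-ins (correct start and end markers with filler between them, not real files), the carve rules are a small constructed subset, and the keyword is made up.

```python
"""Added example: carve files by header/footer and run a keyword search over a
raw image. The image is constructed in memory; the JPEG and PDF inside it are
minimal stand-ins (correct start and end markers, filler in between), not real
files, and the signature table is a small constructed subset.
"""
import re

# (type, header, footer, maximum carve length). Footers close the carve; the
# length cap stops a header with no footer from swallowing the rest of the image.
CARVE_RULES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 1024 * 1024),
]


def carve(image, rules=CARVE_RULES):
    """Return [(type, offset, data, complete)] for every header found, sorted by
    offset. `complete` is False when no footer appeared within the length cap;
    such carves are kept but truncated, as a tool would flag a fragment."""
    found = []
    for ftype, header, footer, max_len in rules:
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_len)
            if end != -1:
                data, complete = image[start:end + len(footer)], True
            else:
                data, complete = image[start:start + max_len], False
            found.append((ftype, start, data, complete))
            # After a complete carve skip its body; after a fragment keep scanning
            # just past the header so a later real header is not missed.
            start = image.find(header, start + (len(data) if complete else len(header)))
    return sorted(found, key=lambda f: f[1])


def keyword_search(image, keywords, context=8):
    """Find each keyword as ASCII and as UTF-16LE (how Windows stores many
    strings), ASCII-case-insensitive. Returns [(keyword, encoding, offset,
    surrounding bytes)] sorted by offset."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.escape(kw.encode(enc))
            for m in re.finditer(pattern, image, re.IGNORECASE):
                lo, hi = max(0, m.start() - context), m.end() + context
                hits.append((kw, enc, m.start(), image[lo:hi]))
    return sorted(hits, key=lambda h: h[2])


# Constructed file stand-ins and free-space filler used to build the image.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"JFIF constructed pixel data" + b"\xff\xd9"
PDF_SAMPLE = b"%PDF-1.4 constructed page objects " + b"%%EOF"
JPEG_FRAGMENT = b"\xff\xd8\xff\xe1" + b"constructed fragment without end marker"
FILLER = b"\x00" * 64


def build_sample_image():
    """Lay the stand-ins into filler: a whole JPEG, an ASCII note, a whole PDF,
    a UTF-16LE note, then a JPEG fragment whose footer was overwritten."""
    text_ascii = b"Project: Nightingale transfer schedule"
    text_utf16 = "Contact: nightingale@example.com".encode("utf-16-le")
    return b"".join([FILLER, JPEG_SAMPLE, FILLER, text_ascii, FILLER, PDF_SAMPLE,
                     FILLER, text_utf16, FILLER, JPEG_FRAGMENT, FILLER])


if __name__ == "__main__":
    image = build_sample_image()
    for ftype, offset, data, complete in carve(image):
        print(f"{ftype:5} at {offset:5} {len(data):4} bytes complete={complete}")
    for kw, enc, offset, ctx in keyword_search(image, ["nightingale"]):
        print(f"{kw!r} ({enc}) at {offset}: {ctx!r}")
```

The UTF-16LE pass is the part most often forgotten in hand-rolled searches: a name typed into a Windows dialog or stored in a registry value is interleaved with null bytes, so a plain ASCII search walks straight past it.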
FTK's Search Pane

Extraction (continued)
• From an investigation perspective, encrypted files and systems are a problem
• Many password recovery tools have a feature for generating potential password lists
  – For a password dictionary attack
• If a password dictionary attack fails, you can run a brute-force attack

Reconstruction
• Re-create a suspect drive to show what happened during a crime or an incident
• Subfunctions
  – Disk-to-disk copy
  – Image-to-disk copy
  – Partition-to-partition copy
  – Image-to-partition copy
• This is easiest if a matching blank hard disk is available, same make and model

Reconstruction (continued)
• Some tools that perform an image-to-disk copy:
  – SafeBack
  – SnapBack
  – EnCase
  – FTK Imager
  – ProDiscover

VOOM Shadow 2
• For write-blocked courtroom demos using the real original drive, use Voom Shadow 2 (link Ch 7b)

Reporting
• To complete a forensics disk analysis and examination, you need to create a report
• Subfunctions
  – Log reports
  – Report generator
• Use this information when producing a final report for your investigation