Scribd
Upload
26 views

Lecture 4 CSNC4583

This document discusses digital forensics and computer data recovery. It covers topics such as data loss causes, data recovery methods, software data extraction, and data acquisition. Data acquisition in digital forensics involves collecting digital evidence from electronic media by making copies of data in its original state. There are two main types of data acquisition: static and live acquisitions. Data is typically stored in image file formats like raw, proprietary formats, or the open-source Advanced Forensics Format.

Uploaded by

Ans Waheed
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
26 views

Lecture 4 CSNC4583

This document discusses digital forensics and computer data recovery. It covers topics such as data loss causes, data recovery methods, software data extraction, and data acquisition. Data acquisition in digital forensics involves collecting digital evidence from electronic media by making copies of data in its original state. There are two main types of data acquisition: static and live acquisitions. Data is typically stored in image file formats like raw, proprietary formats, or the open-source Advanced Forensics Format.

Uploaded by

Ans Waheed
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 69

Digital Forensics

FARAZ ALI
[email protected]
+92-321-404-1740
OBJECTIVES
• Introduction to Computer Data Recovery

• Boot/Shutdown Sequence of DOS Based Computer and Controlled Boot

• Review of Key DOS Command

• FAT16 File System

• Data Recovery in FAT16

• File Extensions and Headers

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
INTRODUCTION TO COMPUTER
DATA RECOVERY
Retrieving deleted data from digital storage media (hard drives, removable media, optical devices, etc...) is called
as Data recovery.

Typical causes of loss include:


•Electric Failure

•Mechanical Failure

•Natural Disaster

•Computer Virus

•Data Corruption

•Data Crime

•Human Error

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
INTRODUCTION TO COMPUTER
DATA RECOVERY

Burnt Crushed Water Damaged

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
WHAT IS DATA LOSS?

• Data accidentally been erased


• Data is overwritten.
• Data is corrupted
• Data is inaccessible.
• Data is unable to be accessed due to functioning computer system.
• Backup is corrupted.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
WHAT CAUSES DATA LOSS?
• Destroy / Damage
• Natural Disaster
o Earthquake
o Fire
• Hardware Issues
• Virus Attack
• Human Error
o Intentional deletion
o Accidental overwriting of files
• Software Corruption

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
WHAT CAUSES DATA LOSS?
Cause Percentage Example
Fire, Flood, Lightening,
Natural Disaster 5%
Earthquakes
Win32.welchia.worm
Computer Virus 15%
Download. Trojan
Etc,
Application Error, Installation and
Software or Application Error 20%
deleting program,
Human Error 25% Accidental Deletion, Overwriting
files, etc
Hardware & System Problem 35% Disk Drive Crash, Power Surge,
manufacture defect, etc

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FACTS OF DATA RECOVERY

• MAJORITY of deleted / lost data is recoverable.


• Storage digital system can fail, but the stored data on those storage are not completely lost.
• On some occasions when data is deleted or damage and complete data recovery is not possible. There is
always a chance for some data to be recoverable.
• Forensic analyst can recover data from crashed hard drives, operating systems, storage devices, servers,
desktops, and laptops using various proprietary data recovery tools and techniques.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FACTS OF DATA RECOVERY

• Forensic analyst can recover data from:


o crashed hard drives
o operating systems
o storage devices
o servers
o Desktops/laptops

using various data recovery tools and data recovery techniques.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
SOFTWARE DATA EXTRACTION

• Processed or extracted data from an image file saved to another location or drive.
• Software for data extraction scans bit-by-bit sectors of the suspected hard drive(s) and restructures the file
system to another hard drive as an identical copy.
• Software is used to copy recoverable data to a destination location or drive.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
DATA RECOVERY

• The user can send a failed or corrupted hard disk drive or digital media to any company or government
department for data recovery for secure data recovery in a confidential manner.
• The company or Government department carefully performs part replacement of the logic board, heads,
spindle motor, base casting, etc. in a clean and secure environment.
• Part replacement is successful for data recovery about 50%-70%.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
What is Data Acquisition?

 Data acquisition is the process of copying data. Digital forensics, it’s the task of collecting digital evidence from
electronic media.

 There are two types of data acquisition:


 Static acquisitions
 Live acquisitions

 The processes and data integrity requirements for static and live acquisitions are similar,
 In that static acquisitions capture data that’s not accessed by other processes that can change.
 With live acquisitions, file metadata, such as date and time values, changes when read by an acquisition
tool.
 With static acquisitions, if you have preserved the original media, making a second static acquisition should
produce the same results.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Storage Formats for Digital Evidence
 Data in a forensics acquisition tool is stored as an image file

 Three formats
 Raw format
 Proprietary formats
 Advanced Forensics Format (AFF)

For more information on AFF, see www.afflib.sourceforge.net and www.basistech.com/wp-content/uploads/datasheets/Digital-Forensics-Toolsets-EN.pdf.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Raw Format

 Makes it possible to write bit-stream data to files

 Advantages
 Fast data transfers
 Ignores minor data read errors on the source drive
 Most computer forensics tools can read raw format

 Disadvantages
 Requires as much storage as the original disk or data
 Tools might not collect marginal (bad) sectors

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Proprietary Formats
 Most forensics tools have their own formats

 Advantages
 Option to compress or not compress image files
 Can split an image into smaller segmented files
 Can integrate metadata into the image file

 Disadvantages
 Inability to share an image between different tools
 File size limitation for each segmented volume

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Advanced Forensics Format
 An open-source acquisition format

 Design goals
 Provide compressed or uncompressed image files
 No size restriction for disk-to-image files
 Provide space in the image file or segmented files for metadata
 Simple design with extensibility
 Open source for multiple platforms and Oss
 Internal consistency checks for self-authentication

 File extensions include .afd for segmented image files and .afm for AFF metadata

 AFF is open source

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Acquisition Methods
 Types of acquisitions
 Static acquisitions and live acquisitions

 Four methods of data collection


 Creating a disk-to-image file
 Creating a disk-to-disk
 Creating a logical disk-to-disk or disk-to-data file
 Creating a sparse data copy of a file or folder

 Determining the best method depends on the circumstances of the investigation

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
How to Determine the Best Acquisition
Method?
 Creating a disk-to-image file
 Most common method and offers the most flexibility
 Can make more than one copy
 Copies are bit-for-bit replications of the original drive
 Compatible with many commercial forensics tools

 Creating a disk-to-disk
 When the disk-to-image copy is not possible
 Tools can adjust the disk’s geometry configuration
 Tools: EnCase and X-Ways

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
How to Determine the Best Acquisition
Method?
 Logical acquisition or sparse acquisition
 Can take several hours; use it when your time is limited
 Logical acquisition captures only specific files of interest to the case
 Sparse acquisition collects fragments of unallocated (deleted) data
 For large disks
 .PST or .OST mail files, RAID servers

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Things to Consider During Acquisition
• When making a copy, consider:
 Size of the source disk
 Lossless compression might be useful
 Use digital signatures for verification
 When working with large drives, an alternative is using lossless compression
 Whether you can retain the disk
 Time to perform the acquisition
 Where the evidence is located

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Acquisition Tools

 Acquisition tools for Windows


 Advantages
 Make acquiring evidence from a suspect drive more convenient
 Especially when used with hot-swappable devices
 Disadvantages
 Must protect acquired data with a well-tested write-blocking hardware device
 Tools can’t acquire data from a disk’s host-protected area
 Some countries haven’t accepted the use of write-blocking devices for data acquisitions

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Mini-WinFE Boot CDs and USB Drives

 Mini-WinFE
 Enables you to build a Windows forensic boot CD/DVD or USB drive so that connected drives are
mounted as read-only

 Before booting a suspect’s computer:


 Connect your target drive, such as a USB drive

 After Mini-WinFE is booted:


 You can list all connected drives and alter your target USB drive to read-write mode so you can
run an acquisition program

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Capturing an Image with AccessData FTK
Imager (1/7)
 Included with AccessData Forensic Toolkit

 Designed for viewing evidence disks and disk-to-image files

 Makes disk-to-image copies of evidence drives


 At logical partition and physical drive level
 Can segment the image file

 Evidence drive must have a hardware write-blocking device


 Or run from a Live CD, such as Mini-WinFE

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Capturing an Image with AccessData
FTK Imager (2/7)

 FTK Imager can’t acquire a drive’s host-protected


area
 Use a write-blocking device and follow these
steps
 Boot to Windows
 Connect evidence disk to a write-blocker
 Connect target disk to write-blocker
 Start FTK Imager Lite
 Create Disk Image - use the Physical Drive
option
 See the Figures on the following slides for
more steps

The FTK Imager main window

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Capturing an Image with AccessData
FTK Imager (3/7)
 Boot your forensic workstation to Windows, using an installed write-
blocker.

 Connect the evidence drive to a write-blocking device or USB device.

 Connect the target drive to a USB external drive, if you’re using a


write-blocker.

 Start FTK Imager Lite. If prompted by the User Account Control


message box, click Yes.

 In the FTK Imager main window, click File, and Create Disk Image
from the menu.

 In the Select Source dialog box, click the Physical Drive option The Select Drive dialog box
button, if necessary, and then click Next.

 In the Select Drive dialog box, click the Source Drive Selection list
arrow (see Figure), click the suspect drive, and then click Finish.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Capturing an Image with AccessData
FTK Imager (4/7)

In the Create Image dialog box, click to select the Verify images after they are created check box, if necessary,
and then click Add.
 In the Select Image Type dialog box that opens (see Figure), click the Raw (dd) option button, if necessary,
and then click Next.

The Select Image Type dialog box

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Capturing an Image with AccessData
FTK Imager (5/7)

In the Evidence Item Information dialog box, complete the case information, as shown in Figure, and then click Next.

The Evidence Item Information dialog box

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Capturing an Image with AccessData
FTK Imager (6/7)

In the Select Image Destination dialog box (see Figure, click Browse, navigate to the location for the image file (your
work folder), and click to clear the Use AD Encryption check box, if necessary.

Selecting where to save the image file

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Capturing an Image with AccessData
FTK Imager (7/7)

• In the Image Filename (Excluding Extension) text box, type


InChp03-ftk, and then click Finish.

• Next, in the Create Image dialog box, click Start to initiate the
acquisition.

• When FTK Imager finishes the acquisition, review the


information in the Drive/Image Verify Results in the dialog
box, and then click Close. Click Close again in the Creating
Image dialog box (see Figure).

• Exit FTK Imager Lite by clicking File, Exit from the menu.

An image save in progress

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
WHAT IS AN OPERATING SYSTEM

•A set of programs that controls and coordinates the use of computer hardware among various application
programs.
•The computer can be divided into four components:-
o Hardware
o Operating System
o Applications
o User

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
EXAMPLES OF OPERATING SYSTEM
•UNIX
o Solaris
o IRIX
o HP Unix
o DEC Unix
o Linux
•Microsoft
o Disk Operating System (MS-DOS),
o WIN95/10,
o WIN NT

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
EXAMPLES OF OPERATING SYSTEM
Parameters 32 Bit 64 Bit

Allow 32-bit simultaneous data Allow 64-bits simultaneous data


Architecture and Software
processing. processing.

A 64-bit Operating System and


32-bit requires 32-bit operating
Compatibility Applications CPU are required for 64-bit
systems and CPUs.
applications.

Windows 7, Windows 8, and


Vista, 7, Mac OS X, and Ubuntu.
Systems Available Windows XP and Linux models
Effective Windows XP.
are all available.

64-bit systems allow a maximum


Systems with 32-bit RAM is
Memory Limits of 17 Billion GB (16212
limited to 3.2 GB.
petabytes) of RAM.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FUNCTIONS OF THE OPERATING
SYSTEM

•Controlling Input/Output devices.


•Memory Management.
•File storage management.
•CPU Scheduling Processes.
•CPU controlling processes.
•Loading, Initiating, Executing.
•Supervising user applications programs.
•Handling errors and restarting.
•Provide command interface between computer and user.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
DOS BASED COMPUTER

DOS-based systems are similar to nowadays systems only difference is that DOS base system uses set of
commands for initiating the system to perform different tasks.
•DOS is a variant of CP/M (Control Programing / Monitor).
•The first DOC system was used on IBM-PC in 1981.
•It resides in a small place like a Floppy disk.
•No GUI was available so the Command Level interface was available.
•Commands were used to communicate between the user and the system.
Version of DOS
•MS-DOS (Microsoft)
•PC-DOS (IBM)
•etc

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
BOOTING SEQUENCE

Booting process:
•Computer loads the operating system into its memory.

DOS booting involves reading following files into memory namely:


•IO.SYS

•MSDOS.SYS

•COMMAND COM

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
BOOTING SEQUENCE
Basic Input/Output Program (IO.SYS):
•This program provides an interface between the hardware devices and software of the system.
•It takes care of the keyboard input, character output to monitor, output to the printer, and time of the day.
The File and Disk Manager Program (MSDOS.SYS) :
•It contains file management and disk buffering management capabilities.
•It keeps track of all the disk access of an application program and remains permanently in memory.
The Command Processor (COMMAND.COM) :
•It is also called a command interpreter.
•It is the program that displays the system prompt and handles the user interface by executing the command
typed in by the user using the keyboard.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
DOS COMMAND

Types of DOS Commands


• Internal
• Commands which are already loaded in the Command.COM file while switching to the MS DOS.
• Example:
o CLS, DEL, etc
• External
• Commands which are not loaded when loading the Program but are available in the Disk which can be
invoked whenever necessary.
• Example:
o FORMAT, COPY, etc.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
DOS COMMAND

Directory
•Root Directory
•Parent Directory
A command is a set of instructions used to perform a specific work
•Interpreted by the OS interpreter to a machine language
◦ E.g. <cd Ram>,etc.
If the user requires help with any DOS commands, the User can type help and the command name at the
command prompt.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
BASIC DOS COMMANDS

• Directory Commands

• File Management Commands

• General Commands

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
DIRECTORY COMMANDS
DIR :
To list all or specific files of any directory on a specified disk.
MD :
To make directory or subdirectory on a specified disk/drive.
CD or CHDIR :
Change the DOS current working directory to the specified directory on the specified disk or check for the
current directory on the specified or default drive.
RMDIR or RD :
Removes a specified sub-directory only when it is empty. This command cannot remove the root directory
(C:\) or the current working directory.
TREE :
Displays all of the directory paths found on the specified drive.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
DIRECTORY COMMANDS

•Dir/ah :-Display all hidden files and directories.

•Dir/a-d : - Display only files.

•Dir/ad :- Display only Directories.

•Dir/a/s:-Display all directories and files with a subdirectory.

•Dir/a :- Display All Hidden And Nonhidden files and directories.

•Dir n*.* : Display all files and directories starting with ‘ n ’ alphabet.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FILE MANAGEMENT COMMANDS

COPY :
Copies one or more files from the source disk/drive to the specified disk/drive.
DEL :
Removes specified files from specified disk/drive.
REN :
Changes the name of a file(Renaming).
ATTRIB :
Sets or shows file attributes (read, write, hidden, Archive).
FORMAT :
Formats a disk/drive for data storage and use.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
GENERAL COMMANDS

TIME :
Sets or displays the system time.
DATE :
Sets or displays system date.
TYPE :
Displays the contents of the specified file.
PROMPT :
Customizes the DOS command prompt.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
SHUT DOWN OR RESTART

Shut Down Computer Using DOS Command

shutdown -s

Restart Windows using DOS Command

shutdown -r

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
REVIEW OF KEY DOS COMMAND
• A list of each MS-DOS and Windows command line command listed on Computer Hope with a brief
explanation is available in Google Classroom.

(LECTURE 4 DOS COMMAND LIST)

• This list contains commands available for users.


• This does not mean that all the commands are going to work with your version of MS-DOS or Windows.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FAT FILE SYSTEM
• FAT "File Allocation Table".

• Created by Microsoft in 1977.

• The FAT file system does not contain any data that falls into the application category.

• Each file system and directory is allocated a data structure, “Data Entry”

• Contain the Name, Size, and Starting address of file content.

• FAT structure is used to identify the next cluster in a file.

• Identify the allocation status of clusters.

• Due to fragments, data is stored in scattered form.

• The track of scattered data is maintained the by FAT file system.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FAT FILE SYSTEM
• There are Four types of FAT systems:

• FAT 8
• FAT 12
• FAT 16

• FAT 32
• The major difference among them is the size of the entries in the above said Types of FAT file systems.

• FAT is still used as a preferred file system.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FAT FILE SYSTEM

Relationship between the directory entry structures, clusters and FAT structures.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FAT FILE SYSTEM
• The FAT file system has three physical sections.

• Reserved Are:
It includes data in the file system category, typically only 1 sector in size, size is defined in the boot sector.
• FAT Area:
It contains the primary and backup FAT structures. Starts following the reserved area and its size calculated
based on numbers and size of FAT structures.
• Data Area:
It contains clusters that will be allocated to store file and directory content.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FAT FILE SYSTEM
FAT 8:
• Introduced in 1977, Use an 8086 processor with limited uses.

FAT 12:
• Introduced in 1980. Fat 12 consists of 12-Bit entries with limitations:-

• No Hierarchical directories

• Cluster addresses were only 12bits long.

• Disk size was stored on a 16-bit count of sectors.

• Drive Sizes and file sizes of up to 16MB using a 4KB cluster or 32 MB using an 8KB cluster.

• FAT12 cannot exceed the maximum character limit of 8 Characters plus 3 for an extension.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FAT FILE SYSTEM
FAT 16:
• Used in both older and in modern systems.

• FAT16 was the Primary file system for MS-DOS 4.0 and MS-DOS 6.22.

• Use 16 bits for addressing clusters.

• Format drives can range from 2GB to 16GB.

• FAT16 holds 65,536 maximum numbers of files.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FAT FILE SYSTEM

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FAT FILE SYSTEM
FAT 32
• Interduce in 1996 for windows 95.

• Support larger volumes, better performance and flexibility.

• Enable partition size up till 2TB or more.

• FAT32 hold 268,173,300 number files.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FAT FILE SYSTEM

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
DATA RECOVERY IN FAT16
• Analyzing the file system category of data.

• Determine the file system layout and configuration.

• Specific analysis techniques can be conducted.

• To find out which OS formatted the disk or hidden data.

• Need to locate and process the boot sector.

• Data might provide some clues about recent activity and location is given in the boot sector.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
DATA RECOVERY IN FAT16
• Fat file systems clusters marked as bad should be examined.

• Many disks handle bad sectors at the hardware level as an operating system does not.

• Bad data units should be examined with any type of file system. As Microsoft store data in FAT clusters that
are marked as bad.
• Bad data units should be examined with any type of file system.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FILE EXTENSIONS AND HEADERS
• File extensions are letters after the dot in a file name.

• These letters tell you what kind of a file it is, and what program it will open in.

• Some file extensions are visible and some are hidden. Hidden files can be viewed after changing the viewing
option in windows.

My Computer and choose Tools > Folder Options > View > Details
• The File extension is the ending of a file that helps identify the type of file in operating systems i.e.: “Microsoft
Windows”.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Validating Data Acquisitions
 Validating evidence may be the most critical aspect of computer forensics

 Requires using a hashing algorithm utility

 Validation techniques
 CRC-32, MD5, and SHA-1 to SHA-512

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Linux Validation Methods

 Validating dd-acquired data


 You can use md5sum or sha1sum utilities
 md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes

 Validating dcfldd acquired data


 Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
 hashlog option outputs hash results to a text file that can be stored with the image files
 vf (verify file) option compares the image file to the original medium

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Windows Validation Methods

 Windows has no built-in hashing algorithm tools for computer forensics


 Third-party utilities can be used

 Commercial computer forensics programs also have built-in validation features


 Each program has its own validation technique

 Raw format image files don’t contain metadata


 Separate manual validation is recommended for all raw acquisitions

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Using Remote Network Acquisition Tools
 You can remotely connect to a suspect computer via a network connection and copy data from it
 Remote acquisition tools vary in configurations and capabilities
 Drawbacks
 Antivirus, antispyware, and firewall tools can be configured to ignore remote access programs
 Suspects could easily install their own security tools that trigger an alarm to notify them of remote access
intrusions

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Remote Acquisition with ProDiscover (1/2)

 ProDiscover Incident Response functions:


 Capture volatile system state information
 Analyze current running processes
 Locate unseen files and processes
 Remotely view and listen to IP ports
 Run hash comparisons
 Create a hash inventory of all files remotely

 PDServer remote agent


 ProDiscover utility for remote access
 Needs to be loaded on the suspect

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Remote Acquisition with ProDiscover (2/2)
 PDServer installation modes
 Trusted CD
 Preinstallation
 Pushing out and running remotely

 PDServer can run in a stealth mode


 Can change process name to appear as OS function

 Remote connection security features


 Password protection
 Encryption
 Secure communication protocol
 Write-protected trusted binaries
 Digital signatures

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Remote Acquisition with EnCase
Enterprise

EnCase Endpoint Investigator, can perform the following functions:

Search and collect internal and external network systems over a wide geographical area

Support multiple OSs and file systems

Triage to help determine systems’ relevance to an investigation

Perform simultaneous searches of up to five systems at a time

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Remote Acquisition with R-Tools R-Studio
 R-Tools suite of software is designed for data recovery

 Can remotely access networked computer systems

 Creates raw format acquisitions

 Supports various file systems

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Using Other Forensics-Acquisition Tools

Other commercial acquisition tools


 PassMark Software ImageUSB

 ASRData SMART

 Runtime Software

 ILookIX Investigator IXimager

 SourceForge

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
FILE EXTENSIONS AND HEADERS
Document File Types Video File Types:

Document type Media File type

doc: Microsoft Word


mov: QuickTime
xls: Microsoft Excel
avi: Windows Media Player
ppt: Microsoft PowerPoint
mpeg: opens in Windows
pub: Microsoft Publisher
wmv: Windows Media Player
wps: Microsoft Works
asf: Windows Media Player
wpd: Word Perfect
gvi: Google Video Player
pdf: Adobe Reader file
rm: Real Media Player
rtf: Rich Text Format (opens in Word)
swf: Flash Player
txt: Text file (opens in Notepad)

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Thank You
Question and Answers

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)

You might also like