Lec3 23-3-2024

Uploaded by dr.ashehata2013
Contingency Planning for Image Acquisitions
Make contingency plans in case software or hardware doesn’t work or you encounter a failure during an acquisition
• Create a duplicate copy of your evidence image file
• Make at least two images of digital evidence
– Use different tools or techniques (each tool makes its own attempts to copy corrupted areas of a drive, so using more than one tool helps confirm that the data has been copied correctly)
• Copy host protected area of a disk drive
– Consider using a hardware acquisition tool that can access the drive at the BIOS level
• Be prepared to deal with encrypted drives
– Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions (Ref. page 100)
Encrypted Hard Drives
• Windows BitLocker
• TrueCrypt
• If the machine is on, a live acquisition will capture the decrypted hard drive
• Otherwise, you will need the key or passphrase
– The suspect may provide it
Using Acquisition Tools
• Acquisition tools for Windows
– Advantages
• Make acquiring evidence from a suspect drive more convenient
– Especially when used with hot-swappable devices (USB 3 or SATA)
– Disadvantages
• Must protect acquired data with a well-tested write-blocking hardware device
• Tools can’t acquire data from a disk’s host protected area
Windows Write-Protection with USB Devices
• USB write-protection feature
– Blocks any writing to USB devices
• Target drive needs to be connected to an internal PATA (IDE), SATA, or SCSI controller
• Works in Windows XP SP2, Vista, and Win 7
Validating Data Acquisitions
• Hashing algorithm utilities create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive. This unique number is referred to as a “digital fingerprint.”
• Most critical aspect of computer forensics
• Requires using a hashing algorithm utility
• Validation techniques
– CRC-32, MD5, and SHA-1 to SHA-512
• MD5 has collisions, so it is not perfect, but it’s still widely used
• SHA-1 has some collisions but it’s better than MD5
• In forensic examinations of data files on a disk drive, collisions are of little concern
• These hashing algorithm utilities are available as stand-alone programs or are integrated into many acquisition tools
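To show the validation step in practice, here is an added Python example (not code from the slides or from any tool named on them). It hashes a constructed byte string standing in for a source drive sector by sector with several of the algorithms listed, then compares the digests against a faithful copy and a copy with a single flipped bit; the sector size and the sample data are assumptions.

```python
import hashlib

# Constructed stand-ins for a source drive and two acquired images
SOURCE = bytes(range(256)) * 16          # 4 KiB of sample "drive" contents
GOOD_IMAGE = bytes(SOURCE)               # a faithful acquisition
BAD_IMAGE = bytearray(SOURCE)
BAD_IMAGE[2048] ^= 0x01                  # one flipped bit in the middle of the image

def fingerprint(data, algorithms=("md5", "sha1", "sha256"), sector=512):
    """Hash a byte stream one sector at a time with several algorithms at once.
    Streaming in sectors is how a tool hashes a multi-terabyte drive without
    loading it into memory; recording several digests means a collision in
    one weak algorithm (MD5, SHA-1) cannot hide a mismatch in the others."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), sector):
        block = data[offset:offset + sector]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def validate_image(source, image):
    """Compare the source and image digests; one entry per algorithm."""
    src, img = fingerprint(bytes(source)), fingerprint(bytes(image))
    return {name: src[name] == img[name] for name in src}

def image_is_valid(source, image):
    """An acquisition is accepted only when every recorded digest matches."""
    return all(validate_image(source, image).values())
```

A single flipped bit changes every digest, so the bad image fails on all three algorithms while the good image passes on all three.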
Performing RAID Data Acquisitions
• Redundant array of independent (formerly “inexpensive”) disks (RAID)
– Computer configuration involving two or more disks
– Originally developed as a data-redundancy measure
– Many RAID systems now have terabytes of data
• RAID 0 (Striped)
– Provides rapid access and increased storage
– Lack of redundancy
• RAID 1 (Mirrored)
– Designed for data recovery
– More expensive than RAID 0
• RAID 2
– Similar to RAID 1
– Data is written to a disk on a bit level
– Has better data integrity checking than RAID 0
– Slower than RAID 0
Understanding RAID (continued)
• RAID 3
– Uses data striping and dedicated parity
– Need at least 3 disks
• RAID 4
– Data is written in blocks
• RAID 5
– Similar to RAIDs 0 and 3
– Places parity recovery data on each disk
– If a disk in a RAID array has a data failure, the parity on other disks rebuilds the corrupt data automatically when the failed drive is replaced
• RAID 6
– Redundant parity on each disk
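As an added Python example (not from the slides or from any named vendor tool) of how parity on the other disks rebuilds a failed member, and of why an investigator needs every member disk plus the array's layout parameters, this simulates a 4-disk RAID 5 with rotating parity: it stripes a constructed byte string, loses one disk, rebuilds it from the XOR of the survivors and reassembles the volume. The layout (left-symmetric rotation, 16-byte blocks) is an assumption; real controllers use larger blocks and vendor-specific layouts.

```python
from functools import reduce

# Constructed sample volume: 768 bytes, which fills 16 stripes of 3 x 16-byte
# data blocks on a 4-disk array (no padding needed for this input)
SAMPLE = bytes(range(256)) * 3

def xor_blocks(blocks):
    """XOR equal-length byte blocks: the RAID 5 parity operation."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def raid5_write(data, ndisks, block):
    """Stripe data over ndisks with one parity block per stripe.
    The parity position rotates from the last disk backwards (assumed
    left-symmetric layout), so parity is spread over every disk."""
    assert ndisks >= 3
    per_stripe = block * (ndisks - 1)
    data += b"\x00" * (-len(data) % per_stripe)        # pad the final stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        start = s * per_stripe
        chunks = [data[i:i + block] for i in range(start, start + per_stripe, block)]
        parity_disk = (ndisks - 1 - s) % ndisks
        pending = iter(chunks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(chunks) if d == parity_disk else next(pending))
    return disks

def raid5_rebuild(disks, failed):
    """Recreate a failed disk: every block is the XOR of the other disks'
    blocks in the same stripe, whether the lost block held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]

def raid5_read(disks, length):
    """Reassemble the logical volume by reading data blocks and skipping parity."""
    ndisks, out = len(disks), bytearray()
    for s in range(len(disks[0])):
        parity_disk = (ndisks - 1 - s) % ndisks
        out += b"".join(disks[d][s] for d in range(ndisks) if d != parity_disk)
    return bytes(out[:length])

def rebuild_demo(failed=2):
    """Image a 4-disk array, lose one member, rebuild it, verify the volume."""
    disks = raid5_write(SAMPLE, ndisks=4, block=16)
    lost = disks[failed]
    disks[failed] = None                      # the drive is gone
    disks[failed] = raid5_rebuild(disks, failed)
    return disks[failed] == lost and raid5_read(disks, len(SAMPLE)) == SAMPLE
```

With two members missing, or with the block size or rotation order wrong, the XOR no longer yields the original blocks, which is why the "do you need all drives connected" and "what type of RAID is used" questions matter before acquisition.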
Understanding RAID (continued)
• RAID 10, or mirrored striping
– Also known as RAID 1+0
– Combination of RAID 1 and RAID 0
• RAID 15, or mirrored striping with parity
– Also known as RAID 1+5
– A combination of RAID 1 and RAID 5
– Most robust data recovery capability and speed of access of all RAID configurations, and also more costly
Acquiring RAID Disks
• Concerns
– How much data storage is needed?
– What type of RAID is used?
– Do you need to have all drives connected?
– Do you have the right acquisition tool?
– Can the tool read a forensically copied RAID image?
– Can the tool read split data saves of each RAID disk?
Acquiring RAID Disks (continued)
• Vendors offering RAID acquisition functions
– Technologies Pathways ProDiscover
– Guidance Software EnCase
– X-Ways Forensics
– Runtime Software
– R-Tools Technologies
• Occasionally, a RAID system is too large for a static acquisition
– Retrieve only the data relevant to the investigation with the sparse or logical acquisition method
Using Remote Network Acquisition Tools
• You can remotely connect to a suspect computer via a network connection and copy data from it
• Remote acquisition tools vary in configurations and capabilities
• Drawbacks
– Remote access tool could be blocked by antivirus
– LAN’s data transfer speeds and routing table conflicts could cause problems
– Gaining the permissions needed to access more secure subnets
– Heavy traffic could cause delays and errors
Remote Acquisition with ProDiscover Investigator
• Preview a suspect’s drive remotely while it’s in use (live acquisition)
• Perform a live acquisition
– Also called a “smear” because data is being altered
• Encrypt the connection
• Copy the suspect computer’s RAM
Remote Acquisition with ProDiscover Incident Response
• All the functions of ProDiscover Investigator plus
– Capture volatile system state information
– Analyze current running processes
– Locate unseen files and processes
– Remotely view and listen to IP ports
– Run hash comparisons to find Trojans and rootkits
– Create a hash inventory of all files remotely
PDServer Remote Agent
• ProDiscover utility for remote access
• Needs to be loaded on the suspect computer
• PDServer installation modes
– Trusted CD
– Preinstallation
– Pushing out and running remotely
• PDServer can run in a stealth mode
– Can change process name to appear as OS function
Remote Connection Security Features
• Password Protection
• Encrypted communications
• Secure Communication Protocol
• Write Protected Trusted Binaries
• Digital Signatures
Remote Acquisition with EnCase Enterprise
• Remotely acquires media and RAM data
• Integration with intrusion detection system (IDS) tools
• Options to create an image of data from one or more systems
• Preview of systems
• A wide range of file system formats
• RAID support for both hardware and software
Other Remote Acquisition Tools
• R-Tools R-Studio
• WetStone LiveWire
• F-Response
Remote Acquisition with Runtime Software
• Compact Shareware Utilities
– DiskExplorer for FAT
– DiskExplorer for NTFS
– HDHOST (Remote access program)
• Features for acquisition
– Create a raw format image file
– Segment the raw format or compressed image
– Access network computers’ drives
Using Other Forensics-Acquisition Tools
• Tools
– SnapBack DatArrest
– SafeBack
– DIBS USA RAID
– ILook Investigator IXimager
– Vogon International SDi32
– ASRData SMART
– Australian Department of Defence PyFlag
SnapBack DatArrest
• Columbia Data Products
• Old MS-DOS tool
• Can make an image in three ways
– Disk to SCSI drive
– Disk to network drive
– Disk to disk
• Fits on a forensic boot floppy
• SnapCopy adjusts disk geometry
NTI SafeBack
• Reliable MS-DOS tool
• Small enough to fit on a forensic boot floppy
• Performs an SHA-256 calculation per sector copied
• Creates a log file
NTI SafeBack (continued)
• Functions
– Disk-to-image copy (image can be on tape)
– Disk-to-disk copy (adjusts target geometry)
• Parallel port laplink can be used
– Copies a partition to an image file
– Compresses image files
DIBS USA RAID
• Rapid Action Imaging Device (RAID)
– Makes forensically sound disk copies
– Portable computer system designed to make disk-to-disk images
– Copied disk can then be attached to a write-blocker device
ILook Investigator IXimager
• Iximager
– Runs from a bootable floppy or CD
– Designed to work only with ILook Investigator
– Can acquire single drives and RAID drives
ASRData SMART
• Linux forensics analysis tool that can make image files of a suspect drive
• Capabilities
– Robust data reading of bad sectors on drives
– Mounting suspect drives in write-protected mode
– Mounting target drives in read/write mode
– Optional compression schemes
Australian Department of Defence PyFlag
• PyFlag tool
– Intended as a network forensics analysis tool
– Can create proprietary format Expert Witness image files
– Uses sgzip and gzip in Linux