Forensics toolbox
1 / 44

Forensics Toolbox - PowerPoint PPT Presentation

  • Updated On :

Forensics Toolbox. Paul A. Henry MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE Florida PI License C2800597 Forensics & Recovery LLC Florida PI Agency License A2900048. Latest Additions To My Tool Kit. Cellebrite UFED SafeBlockXP SAFE Boot CD VOOM III F-Response

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Forensics Toolbox' - june

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Forensics toolbox

Forensics Toolbox

Paul A. Henry


Florida PI License C2800597

Forensics & Recovery LLC

Florida PI Agency License A2900048

Latest additions to my tool kit
Latest Additions To My Tool Kit

  • Cellebrite UFED

  • SafeBlockXP

  • SAFE Boot CD


  • F-Response

  • Tableau TD1

  • HBGary RAM FastDump

  • FTK 2.x

Cellebrite ufed
Cellebrite UFED

  • Cell phones were becoming a part of larger forensic jobs

    • Recognized that I am not going to make a living imaging cell phones but had lost a couple of larger jobs because I could not include the cell phones along with the laptops and PCs

  • Tried several software solutions

    • Limited to small range of phones

    • Driver support is really really bad

    • No write block protection

    • I do not like the idea of jail-breaking

Cellebrite ufed1
Cellebrite UFED

  • Supports CDMA, GSM, IDEN and TDMA

  • Covers 1700+ phones / PDA’s

  • What does it capture?

    • Phonebook

    • Pictures

    • Videos

    • Text Messages

    • Call Logs

    • ESN and IMEI information

  • Complete MD5 verified evidence reports

  • Writes NOTHING to the phone

Cellebrite ufed2
Cellebrite UFED

  • Interfaces

    • USB

    • Serial

    • Bluetooth

    • Infrared

    • RJ45

    • SIM / USIM Reader

    • SD Card Reader

    • Ethernet

    • Mini DIN to PC Com Port

Cellebrite ufed3
Cellebrite UFED

  • Yes it supports 2G / 3G iPhones also new Google G1

    • Can unlock the iPhone using plist files from host without jail-breaking

    • Memory dump extracts 382 files including 180 property list files (Plist files)

      • SQLite databases

      • SMS

      • Notes

      • Call History

      • Calendar

      • Address Book

      • Appstore program data

Cellebrite ufed5
Cellebrite UFED

  • New version of MobileSync Browser with direct support for UFED Memory Dump is coming from Vaughn Cordero

Cellebrite ufed11
Cellebrite UFED

  • 1700 + Phone and PDA support is huge

  • 63 adapter cables included

  • Also available as a ruggedized kit

  • Integrated write block – no jail breaking

  • Great reporting with MD5 validation

Safe block xp

  • Point & Click write blocking in Windows

  • Simultaneously block multiple devices

    • Nearly anything that plugs in to Windows can be write blocked

  • Application independent

    • Transparent to your other applications

  • FAST – no USB or FireWire bottleneck

  • HPA and DCO support

    • Remove, store replace

Safe block xp1

  • Using the 5 step “NIST like” methodology outlined in the Helix documentation validated that it did not alter the hard drive under test

  • 1. Prepare the media

    • a. Insert the drive into the removable drive tray

    • b. Wipe drive and validate

    • c. Format the drive

    • d. Copy data to the drive

    • e. Delete a portion of the data on the drive

Safe block xp2

  • f. Since all of my drives are configured to use write caching for

  • performance, I added the extra step of flush the drive write cache using the

  • MS SysInternals “Sync” program

  • g. Image and MD5 Hash the drive to a folder called “Step-1”

  • 2. Test the media

    • a. Copy additional data to the drive

    • b. Delete a portion of the data that was written to the drive

    • c. Flush the drive cache

  • Safe block xp3
    SAFE Block XP

    • d. Image and MD5 Hash the drive to a folder called “Step-2”

    • e. Compare the MD5 Hash for the drive in folder “Step-1” with the MD5

    • Hash for the image in folder “Step 2”. The media had in fact been changed

    • so the MD5 Hash values should be different

  • 3. Activate the write blocking device

    • a. Activate the software write block for the drive under test

  • Safe block xp4
    SAFE Block XP

    • 4. Test the write blocking device

      • a. Attempt to copy data to the drive

      • b. Attempt to delete data from the drive

      • c. Attempt to format the drive

      • d. Flush the drive cache

      • e. Image and MD5 Hash the drive to a folder called “Step-5”

    • 5. Check for any changes in the media

      • a. Compare the MD5 Hash for the image in folder Step-2 and the MD5 Hash

      • for the image contained in folder Step-5

    Safe block xp5
    SAFE Block XP

    • – If the write block is forensically

    • sound the MD5 Hashes will match validating that the write block

    • prevented any changes to the drive

    Safe boot cd
    SAFE Boot CD

    • Windows based alternative to Linux

    • Built on top of SAFE Block XP

    • Compatible with numerous tools

      • FTK Imager

      • EnCase6

      • X-Ways

      • WinRAR

      • Win Hex

      • Irfanview image viewer

      • VLC video viewer

      • Open Office 1.5

    Safe boot cd1
    SAFE Boot CD

    • Includes utility to create bootable USB

    • Includes utility to create tools media

    Safe boot cd2
    SAFE Boot CD

    • Built in file explorer

    Safe boot cd3
    SAFE Boot CD

    • Integrated search utility

    Safe boot cd4
    SAFE Boot CD

    • Command line

    Voom hardcopy iii
    VOOM Hardcopy III

    • Full test data available here:


    • Claims 7.5 GB Min

      • Maximum I found with off the shelf drives was 5.6 GB Min

    • Provides two SATA target ports

      • Wipe two drives simultaneously

      • Copy one source to two targets

      • Image one source to two targets

    • Current version only supports SHA1

    • Provides CRC for file chunks

    Voom hardcopy iii2
    VOOM Hardcopy III

    • Notable findings

      • No performance degradation when SHA1 enabled

      • No performance degradation when wiping 2 drives simultaneously

      • No performance degradation when copying one source to two targets

      • No performance degradation when imaging one source to two targets

    F response

    • Vendor agnostic solution for remote forensics

      • Provides read only access to the full physical disk of any remote computer on the wire

      • Provides read only access to RAM in Windows computers on the wire

        • Except Vista x64

    • Remote physical drive or RAM simply look like a local resource to your forensic tools

    F response1

    • I have used it for remote access to image Windows XP and Windows Vista as well as a MacBook Pro and an iMac while running my tools on a local Vista x64 machine with no issues

    • Great alternative to digging out your watch repair tools to take apart that laptop ;-)

    • Great way to handle a RAID array

    • Small “defendable” footprint on the host

      • USB insertion and USB app execution

    F response2

    • I purchased the “Field Edition”

      • Allows for one to one connection

    • Also available as a “Consultant Edition”

      • Allows for access to multiple source machines using a single USB key

    • Also available as a “Enterprise Edition”

      • Distribute to many targets across the entire enterprise with an unlimited license

    • Indispensable tool – I don’t leave home without it

    Tableau td1
    Tableau TD1

    • Fastest imager I have used to date

      • When imaging 1 source to 1 target

    • Claims 6.0 GB Min

      • Maximum I saw was 5.9 GB Min

    • When imaging a 500 GB source to a 1 TB target it completed 26 minutes faster then its nearest competitor

    • Features

      • Multiple wipe modes

      • SHA1 and MD5 Hashes

      • Keyboard port available but no keyboard required to enter data (keypad)

    Tableau td11
    Tableau TD1

    • Log data written to USB key or USB printer

    • Retains user data and configuration in memory and allows 1 button imaging

    • Integrated SATA and IDE source / target ports

      • No need for external IDE adapters

      • Also includes laptop and ZIF connectors

    Final imager considerations
    Final Imager Considerations

    • The Voom Hardcopy III and Tableau TD1 are both formidable imagers

    • If you need to regularly image to two targets or wipe two drive simultaneously then the Voom Hardcopy III is a good choice

    • If you want the fastest imager, do not need to image or wipe multiple drives but need SHA and MD5 hashing or multiple wipe modes then the TD1 is a good choice

    • Tough choice - I bought them both ;-)

    Hbgary ram capture
    HBGary RAM Capture

    • Live forensics playing a much more important role in forensics

      • So much volatile info available in RAM

      • Keys to the kingdom & smoking gun


    • I have tested many tools that claimed to be able to capture a complete image of RAM in a Vista environment

      • Only 1 tool can handle capturing more then 8Gb of RAM in Vista x64

      • HBGary FastDump ROCKS

    Ftk 2 x
    FTK 2.x

    • I have done a lot of work with FTK 2.x

      • I do not work for them but am a member of the beta team

    • In the simplest of terms FTK 2.x works well but you need the horse power to properly run it

    • I moved to FTK years ago because I like the automation they bring to the table – not found in other products

    • Not making excuses for them but the move to Vista has been difficult for EVERYONE

    Ftk 2 x1
    FTK 2.x

    • What do I run FTK on?

    Ftk 2 x2
    FTK 2.x

    • Intel Quad-core Q9450 over clocked to 3.2 Ghz

    • FSB at 1600 – DDR2 1066 RAM (cooled)

    • 8 SATA ports – using 5 slot removable rack with hot swap SATA backplane

    Ftk 2 x3
    FTK 2.x

    • Best investment for FTK 2.x

      • I run mine with 8 – 300 GB 10k velociraptors in RAID 0

    Ftk 2 x4
    FTK 2.x

    • Performance

      • Processing images < 1,000,000 objects

        • Speeds of up to 70 objects per second

      • Processing images > 1,500,000 objects

        • Speeds of up to 50 objects per second

    • I have a stand alone configuration

    • So what does that mean?

      • 500 GB HD with 1.8 million objects

      • <10 hrs start to finish in RAID 0

        • Carve everything

        • Process PST’s

        • Separate compound files / metadata

    Ftk 2 x5
    FTK 2.x

    • I found best performance under Vista x64

      • Kill ReadyBoost

      • Kill SuperFetch

      • Turn off visual enhancements

      • Disable UAC / AV / Update / backup

    • 1 huge RAID 0 array – partitioned as separate drives

      • Let the adaptec buffer manager sort it out

      • I store my images and back up everything over a dedicated 1GB LAN to a RAID 5 NAS

    • Forensics

    • & Recovery LLC

    • Florida PI License A 29004


    • Paul A. Henry


    • Florida PI License C2800597

    • 25 SE 69th Place Ocala, Fl 34480 Telephone (954) 854 9143 [email protected]