Computer Forensics Tools - PowerPoint PPT Presentation

Computer Forensics Tools

Hardware

and

Software

Forensic Tools

• Tools are used to analyze digital data & prove or disprove criminal activity
• Used in 2 of the 3 Phases of Computer Forensics
• Acquisition – Images systems & gathers evidence
• Analysis – Examines data & recovers deleted content
• Presentation – Tools not used

• Data must be relevant & reliable
• Reliability of evidence gathered by tools assessed by judge in pre-trial hearing aka Daubert Hearing
• Assesses Methodology to gather evidence
• Sound scientific practices?
• Reliable evidence?

• Frye Test – past method
• Responsibility on scientific community
• Defined acceptable evidence gathering procedures
• Used Peer Reviewed Journals
• Daubert Hearing – current method
• Offers additional methods to test quality of evidence

Source: http://www.owlinvestigations.com/forensic_articles/aural_spectrographic/standards_of_admissibility.html

• Testing – Is this procedure tested?
• Error Rate – What is the error rate of this procedure?
• Publication – Has procedure been published and reviewed by peers?
• Acceptance – Is the procedure generally accepted within the relevant scientific community?

Sources: http://www.daubertexpert.com/basics.html

http://onin.com/fp/daubert_links.html#whatisadauberthearing

• Network Firewall
• Remote Access
• Network Security Management
• Vulnerability Management
• Wireless
• Emergent Technology

• Antispyware
• Antivirus
• Authentication
• E-Mail Security
• Identity & Access Management
• Intrusion Detection
• Intrusion Prevention

• Acquisition Tools
• Data Discovery Tools
• Internet History Tools
• Image Viewers
• E-mail Viewers

• Password Cracking Tools
• Open Source Tools
• Mobile Device tools (PDA/Cell Phone)
• Large Storage Analysis Tools

• Extract & Index Data
• Create Electronic Images of Data
• Search by Keyword or Document Similarity
• Metadata
• Author
• Date Created & Updated
• Email date sent, received

• Analyze data
• Retrieve data from different media
• Convert between different media and file formats
• Extract text & data from documents
• Create images of the documents
• Print documents
• Archive documents

• Reads Information in Complete History Database
• Displays List of Visited Sites
• Opens URLs in Internet Explorer
• Adds URLs to Favorites
• Copies URLs
• Prints URLS
• Saves Listing/Ranges as Text File

• Views Files
• Converts Files
• Catalogs Files
• Side by Side File Comparisons

• Password Recovery
• Allows access to computers
• 3 Methods to Crack Passwords
• Dictionary Attack
• Hybrid Attack
• Brute Force Attack

Source: http://www-128.ibm.com/developerworks/library/s-crack/

• Free tools available to Computer Forensic Specialists
• Cover entire scope of forensic tools in use
• May more clearly and comprehensively meet the Daubert guidelines than closed source tools
• Among the most widely used

Source: http://software.newsforge.com/software/05/04/05/2052235.shtml?tid=129&tid=136&tid=147&tid=2&tid=132

• Number and variety of toolkits considerably more limited than for computers
• Require examiner to have full access to device
• Most tools focus on a single function
• Deleted data remains on PDA until successful HotSync with computer

Sources: http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf

http://www.cs.ucf.edu/courses/cgs5132/spring2002/presentation/weiss.ppt#5

Typically include the most often used tools

Parben

The Coroner’s Toolkit (TCT)

The Sleuth Kit (TSK)

EnCase

Forensic Toolkit (FTK)

Maresware

• EnCase
• ByteBack
• Forensic Toolkit
• Maresware
• Parben
• Coroner’s Toolkit
• The Sleuth Kit

• Originally developed for law enforcement
• Built around case management
• Integrated Windows-based graphical user interface (GUI)
• Multiple Features

• Cloning/Imaging
• Automated File Recovery
• Rebuild Partitions & Boot Records
• Media Wipe
• Media Editor
• Software Write Block

• Another Tool Suite
• Acquires & Examines Electronic Data
• Imaging Tool
• File Viewer

• Collection of Tool rather than Tool Suite
• Main Difference – Tools are Stand-Alone & Called as Needed
• 4 Notable Tools
• Declasfy
• Brandit
• Bates_no
• Upcopy

• Collection of Stand-Alone Tools
• Made up of 10 Individual Software Tool Sets
• Purchased Separately, Price Break for Multiple Tool Purchases
• Frequently Used with Mobile Devices

• Open Source Tool Suite
• Supports a Post-Mortem Analysis of Unix & Linux Systems
• Written for Incident Response rather than Law Enforcement
• Not Designed for Requirements to Produce & Prosecute

• Open-Source Software Suite
• Built on TCT
• Collection of Command-Line Tools
• Provides Media Management & Forensic Analysis
• Core Toolkit Consists of 6 Tools

• Various Hardware & Software platforms
• Collect Data
• Process Data
• Save Data
• Display Data in Meaningful Manner

• Workstations - Copy & Analysis
• Drive Imaging System
• Drive Wiper
• Bridge
• Write Blocker
• SATA, SCSI, IDE, USB

Imaging Device

SCSI Bridge

• Workstations starting at $5,000
• Bridges starting at $200
• Drive Wipers starting at $1000
• Wide assortment of special cables and hardware accessories vary in price
• Software – Free (Open Source) to over $1000

• Expected Types of Investigations
• Internal Reporting
• Prosecution
• Operating Systems
• Budget
• Technical Skill
• Role
• Law Enforcement
• Private Organization

• Make Lists
• Don’t Overbuy
• Overlapping Tools
• No One-Size Fits All
• Training

Computer Forensics Jump Start. Michael G. Solomon, Diane Barret & Neil Broom. Sybex, San Francisco 2005

Hacking Exposed – Computer Forensics. Chris Davis, Aaron Philipp & David Cowen. McGraw-Hill, New York 2005.

Forensic and Investigative Accounting. D. Larry Crumbley, Lester E. Heitger & G. Stevenson Smith. CCH Inc., Chicago 2003