Acquisition and Tools
COMP 2555: Principles of Computer Forensics, Autumn 2014
http://www.cs.du.edu/2555
L2: Acquisition and Tools

Planning Your Investigation
A basic investigation plan should include the following activities:
- Acquire the evidence
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics lab
- Secure the evidence in an approved secure container
- Prepare a forensics workstation
- Obtain the evidence from the secure container
- Make a forensic copy of the evidence
- Return the evidence to the secure container
- Process the copied evidence with computer forensics tools

Understanding Bit-Stream Copies
- Bit-stream copy
  - Bit-by-bit copy of the original storage medium
  - Exact copy of the original disk
  - Different from a simple backup copy
    - Backup software only copies known files
    - Backup software cannot copy deleted files or e-mail messages, or recover file fragments
- Bit-stream image
  - File containing the bit-stream copy of all data on a disk or partition
  - Also known as a forensic copy

Bit-Stream Copies (contd.)
- Copy the image file to a target disk that matches the original disk's manufacturer, size and model
- [Figure: original disk -> disk holding the image file -> target disk]

Integrity of Digital Evidence
- First rule of computer forensics: preserve the original evidence
- Conduct your analysis only on a copy of the data
- Maintain the integrity of digital evidence in the lab, as you do when collecting it in the field

Acquiring an Image of Evidence Media
- First steps:
  - Create the image files on a large drive
  - Start your forensics tool to analyze the evidence
  - Run an MD5 or SHA-1 hashing algorithm on the source and on the image files to get a digital hash of each (and check that they match)
  - Secure the original media in an evidence locker
- Tools: ProDiscover Basic, FTK Imager, Linux dd command

A Simple Hash Function
"Forensics" -> HASH FUNCTION -> 0x3AC
    ASCII(F) = 070
    ASCII(o) = 111
    ASCII(r) = 114
    ASCII(e) = 101
    ASCII(n) = 110
    ASCII(s) = 115
    ASCII(i) = 105
    ASCII(c) = 099
    ASCII(s) = 115
    -----------------
    Sum       940, in hex 0x3AC

A Simple Hash Function (contd.)
"forensics" -> HASH FUNCTION -> 0x3CC
    ASCII(f) = 102
    ASCII(o) = 111
    ASCII(r) = 114
    ASCII(e) = 101
    ASCII(n) = 110
    ASCII(s) = 115
    ASCII(i) = 105
    ASCII(c) = 099
    ASCII(s) = 115
    -----------------
    Sum       972, in hex 0x3CC
Changing the case of a single letter changes the hash value.

Another Hash Function
- Input: 10010011
- Divisor: 1011, a random string of 4 bits with the highest-order bit = 1
- The input is padded with 3 zero bits to the right, then the divisor is XORed in wherever the leading bit is 1:
    10010011 000
    1011
    ------------
    00100011 000
      1011
    ------------
    00001111 000
        1011
    ------------
    00000100 000
         1011
    ------------
    00000001 100
           1011
    ------------
    00000000 111
- 3-bit hash value of the input: 111

Another Hash Function (contd.)
- Input: 11010011, padded with 3 zero bits to the right, same divisor 1011:
    11010011 000
    1011
    ------------
    01100011 000
     1011
    ------------
    00111011 000
      1011
    ------------
    00010111 000
       1011
    ------------
    00000001 000
           1011
    ------------
    00000000 011
- 3-bit hash value of the input: 011

Cyclic Redundancy Check (CRC)
- Mathematical algorithm that determines whether a file's contents have changed
- Most recent version is CRC-32
- Not considered a forensic hashing algorithm

Obtaining a Digital Hash
- Mathematical formula that translates a file into a hexadecimal code value, or hash value
- Also called a message digest
- If a bit or byte in the file changes, it alters the digital hash

Obtaining a Digital Hash (contd.)
- Three rules for forensic hashes:
  - Given the hash value, you can't easily find the file or device from which it was generated
  - No two hash values can be the same
    - Called a collision if it happens
  - If anything changes in the file or device, the hash value must change

Collisions
"elvis" -> HASH FUNCTION -> 0x223
"lives" -> HASH FUNCTION -> 0x223
- Two different inputs produce the same hash value; with the additive ASCII-sum hash above, any two anagrams collide
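Both toy hash functions from the slides, written out in Python as an added example (not code from the lecture): additive_hash reproduces the ASCII-sum values 0x3AC and 0x3CC, crc_style_hash performs the XOR division with the divisor 1011 (it accepts any divisor whose top bit is set, so it generalises the slide's 3-bit case), and find_additive_collisions shows why the additive hash collides on anagrams such as the elvis/lives pair. The function names are my own.

```python
# Added example (not from the lecture slides): the two toy hash functions the
# slides walk through, so their numbers can be reproduced and the properties
# they illustrate (small changes alter the hash; collisions) can be checked.
from __future__ import annotations


def additive_hash(text: str) -> int:
    """Slide 'A Simple Hash Function': sum of the ASCII codes of the input.
    'Forensics' -> 940 = 0x3AC, 'forensics' -> 972 = 0x3CC."""
    return sum(ord(ch) for ch in text)


def crc_style_hash(bits: str, poly: str = "1011") -> str:
    """Slide 'Another Hash Function': polynomial (XOR) division of a bit string.
    The input is padded on the right with len(poly)-1 zero bits, the divisor is
    XORed in wherever the leading bit is 1, and the remainder is the hash."""
    if poly[0] != "1":
        raise ValueError("divisor must have its highest-order bit set")
    width = len(poly) - 1
    work = list(bits + "0" * width)            # e.g. 10010011 -> 10010011000
    for i in range(len(bits)):                 # one step per input bit position
        if work[i] == "1":
            for j, p in enumerate(poly):       # XOR the divisor in at this offset
                work[i + j] = "1" if work[i + j] != p else "0"
    return "".join(work[-width:])              # the last `width` bits remain


def find_additive_collisions(words: list[str]) -> dict[int, list[str]]:
    """Group words by additive hash; any bucket with more than one entry is a
    collision. Addition is commutative, so every anagram pair collides
    (the slides' 'elvis' / 'lives' both sum to 547 = 0x223)."""
    buckets: dict[int, list[str]] = {}
    for w in words:
        buckets.setdefault(additive_hash(w), []).append(w)
    return {h: ws for h, ws in buckets.items() if len(ws) > 1}


if __name__ == "__main__":
    for word in ("Forensics", "forensics", "elvis", "lives"):
        print(f"{word:10s} -> {additive_hash(word):4d} = 0x{additive_hash(word):X}")
    for inp in ("10010011", "11010011"):
        print(f"{inp} -> {crc_style_hash(inp)}")
    print(find_additive_collisions(["elvis", "lives", "evils", "forensics"]))
```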
Collisions (contd.)
- Collisions make a hash function weak
- They cannot always be avoided, but their occurrence can be made infrequent
- Message Digest 5 (MD5)
- Secure Hash Algorithm version 1 (SHA-1)
  - A newer hashing algorithm
  - Developed by the National Institute of Standards and Technology (NIST)
- In both MD5 and SHA-1, collisions have occurred
  - But they are still used, since collisions are rare

Obtaining a Digital Hash (contd.)
- Most computer forensics hashing needs can be satisfied with a nonkeyed hash function
  - A unique hash number generated by a software tool, such as the Linux md5sum command
- Keyed hash set
  - Created with an encryption utility's secret key
  - The secret key is used by the hash function to generate the digest
- You can use the MD5 function in FTK Imager to obtain the digital signature of a file
  - Or of an entire drive

Storage Formats for Digital Evidence
- Three formats
  - Raw format
  - Proprietary formats
  - Advanced Forensics Format (AFF)

Raw Format
- Makes it possible to write bit-stream data to files
- Advantages
  - Fast data transfers
  - Can ignore minor data read errors on the source drive
  - Most computer forensics tools can read raw format
- Disadvantages
  - Requires as much storage as the original disk or data
  - Tools might not collect marginal (bad) sectors

Proprietary Formats
- Features offered
  - Option to compress or not compress image files
  - Can split an image into smaller segmented files
  - Can integrate metadata into the image file
- Disadvantages
  - Inability to share an image between different tools
  - File size limitation for each segmented volume

Advanced Forensics Format
- Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
- Design goals
  - Provide compressed or uncompressed image files
  - No size restriction for disk-to-image files
  - Provide space in the image file or segmented files for metadata
  - Simple design with extensibility
  - Open source for multiple platforms and OSs
  - Internal consistency checks for self-authentication
- File extensions include .afd for split image files and .afm for AFF metadata

Data Acquisition Types
- Types of acquisitions
  - Static acquisitions
    - Deriving a drive image without booting from it
    - Typically done on a seized computer
  - Live acquisitions
    - Deriving a drive image while it is being used
    - Acquiring a network drive without bringing it down
- Four methods
  - Bit-stream disk-to-image file
  - Bit-stream disk-to-disk
  - Logical disk-to-disk or disk-to-data file
  - Sparse data copy of a file or folder

Data Acquisition Types (contd.)
- Bit-stream disk-to-image file
  - Most common method
  - Can make more than one copy
  - Copies are bit-for-bit replications of the original drive
  - ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
- Bit-stream disk-to-disk
  - When a disk-to-image copy is not possible
  - Consider the disk's geometry configuration
  - EnCase, SafeBack, SnapCopy

Data Acquisition Types (contd.)
- Logical acquisition or sparse acquisition
  - When your time is limited
  - Logical acquisition captures only specific files of interest to the case
    - E.g. Outlook .pst or .ost files during an e-mail investigation
  - Sparse acquisition also collects fragments of unallocated (deleted) data
  - Useful for large disks
    - RAID servers

Data Acquisition Types (contd.)
- When making a copy, consider:
  - Size of the source disk
    - Lossless compression might be useful
    - Use digital signatures for verification
    - When working with large drives, an alternative is using tape backup systems
  - Whether you can retain the disk
  - Copy the host protected area (HPA) of a disk drive as well
    - The HPA is a part of the drive that is not visible to an operating system
    - Consider using a hardware acquisition tool that can access the drive at the BIOS level
  - Be prepared to deal with encrypted drives

Contingency Planning
- Make at least two images of digital evidence
  - Use different tools or techniques
- Create a duplicate copy of your evidence image file
Using Acquisition Tools
- Acquisition tools for Windows
  - Advantages
    - Make acquiring evidence from a suspect drive more convenient
      - Especially when used with hot-swappable devices
  - Disadvantages
    - Must protect the acquired data with a well-tested write-blocking hardware device
    - Tools can't acquire data from a disk's host protected area

Blocking USB Writes in Windows
- Back up the Registry
  - E.g. use the Windows System Restore feature to create a restore point
- Modify the Registry with the write-protection feature
- Create two desktop icons to automate switching between enabling and disabling writes to USB devices
- See page 107 of the book
- Applies to current Windows versions as well

Using a Write-Blocker
- Write-blocker
  - Prevents data writes to a hard disk
- Software-enabled blockers
  - Software write-blockers are OS dependent
  - Example: PDBlock from Digital Intelligence
- Hardware options
  - Ideal for GUI forensic tools
  - Act as a bridge between the suspect drive and the forensic workstation

Using a Write-Blocker (contd.)
- Any application can navigate to the blocked drive
- Attempted writes are discarded
- As far as the OS can tell, the data copy is successful
- Connecting technologies
  - FireWire
  - USB 2.0
  - SCSI controllers

Acquiring Data with a Linux Boot CD
- Using Linux Live CD distributions
  - Forensic Linux Live CDs don't access media automatically
    - Which eliminates the need for a write-blocker
  - Contain additional utilities
  - Configured not to mount, or to mount as read-only, any connected storage media
- Well-designed Linux Live CDs for computer forensics
  - DEFT Linux (http://www.deftlinux.net/download/)
  - Helix3 Pro

Acquiring with a Linux Boot CD (contd.)
- Preparing a target drive for acquisition in Linux
  - Linux can access a drive that isn't mounted
  - Windows OSs and newer Linux distributions automatically mount and access a drive
  - Linux distributions can create Microsoft FAT and NTFS partition tables
  - The fdisk command lists, creates, deletes, and verifies partitions in Linux
  - The mkfs.msdos command formats a FAT file system from Linux
  - See page 111 of the book

Acquiring with a Linux Boot CD (contd.)
- Acquiring data with dd in Linux
  - dd ("data dump") command
    - Can read and write from a media device and a data file
    - Creates a raw format file that most computer forensics analysis tools can read
  - Shortcomings of the dd command
    - Requires more advanced skills than the average user has
    - Does not compress data
  - dd command combined with the split command
    - Segments output into separate volumes

Acquiring data with dd in Linux (contd.)
- The dd command is intended as a data management tool
  - Not designed for forensics acquisitions
- Acquiring data with dcfldd in Linux
  - dcfldd additional functions
    - Specify hex patterns or text for clearing disk space
    - Log errors to an output file for analysis and review
    - Use several hashing options
    - Refer to a status display indicating the progress of the acquisition in bytes
    - Split data acquisitions into segmented volumes with numeric extensions
    - Verify acquired data against the original disk or media data
Acquiring data with dcfldd in Linux (contd.)
- Sample:
    dcfldd if=/dev/hd0 hash=md5,sha256 hashwindow=100M md5log=md5.txt sha256log=sha256.txt hashconv=after bs=512 conv=noerror,sync split=1G splitformat=aa of=driveimage.dd
  - hash=md5,sha256 computes both digests; hashwindow=100M additionally logs a digest for every 100 MB of input; hashconv=after hashes the data as written after conversion
  - conv=noerror,sync continues past read errors and pads the unreadable block with zeros, so offsets in the image stay aligned with the source
  - split=1G splitformat=aa writes 1 GB segments with two-letter suffixes (driveimage.dd.aa, .ab, ...)
- Man page available at http://linux.die.net/man/1/dcfldd

Validating Data Acquisitions
- Most critical aspect of computer forensics
- Requires using a hashing algorithm utility
- Validation techniques
  - CRC-32, MD5, and SHA-1 to SHA-512

Linux Validation Methods
- Validating dd-acquired data
  - You can use the md5sum or sha1sum utilities
  - md5sum or sha1sum should be run on all suspect disks and volumes, or on the segmented volumes
- Validating dcfldd-acquired data
  - Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
  - The hashlog option outputs hash results to a text file that can be stored with the image files
  - The vf (verify file) option compares the image file to the original medium:
    dcfldd if=/dev/sda vf=sda.img

Windows Validation Methods
- Windows has no built-in hashing algorithm tools for computer forensics
  - Third-party utilities can be used
- Commercial computer forensics programs also have built-in validation features
  - Each program has its own validation technique
- Raw format image files don't contain metadata
  - Separate manual validation is recommended for all raw acquisitions

Types of Computer Forensics Tools
- Hardware forensic tools
  - Range from single-purpose components to complete computer systems and servers
- Software forensic tools
  - Types
    - Command-line applications
    - GUI applications
  - Commonly used to
    - copy data from a suspect's disk drive to an image file
    - aid in evidence collection

Tasks Performed by Tools
- Five major categories:
  - Acquisition
  - Validation and discrimination
  - Extraction
  - Reconstruction
  - Reporting
- Many tools let you perform more than one of these tasks
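An added Python model (not code from the slides, dd or dcfldd) of the acquisition and validation steps in the Linux slides above, run on a constructed in-memory "drive": conv=noerror,sync zero-filling of an unreadable block, splitting into segments, whole-image and per-window hashes, checking reassembled segments against the logged hash, and a vf-style comparison back to the source, which fails once a block has been padded. The function names, block set and 8-block sample drive are mine.

```python
# Added example (not code from the slides, dd or dcfldd): a Python model of the
# acquisition the slides' dcfldd command performs, on a constructed in-memory
# "drive", so the validation steps can be exercised offline.
from __future__ import annotations
import hashlib

BLOCK = 512  # bs=512 in the slides' sample command


def acquire(device: bytes, bad_blocks: set[int], segment_size: int, window: int) -> dict:
    """Image `device` block by block as conv=noerror,sync does: a block that
    fails to read is logged and replaced with zeros so offsets are preserved.
    Output is split into segments (split=) and hashed both as a whole
    (md5log/sha256log) and per window (hashwindow=)."""
    image = bytearray()
    errors = []
    for n in range(0, len(device), BLOCK):
        blk = device[n:n + BLOCK]
        if n // BLOCK in bad_blocks:            # simulated read error on this block
            errors.append(n // BLOCK)
            blk = b"\x00" * len(blk)            # 'sync' pads the unreadable block
        image += blk
    segments = [bytes(image[i:i + segment_size]) for i in range(0, len(image), segment_size)]
    windows = [hashlib.md5(image[i:i + window]).hexdigest() for i in range(0, len(image), window)]
    return {"segments": segments, "errors": errors,
            "md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest(),
            "md5_windows": windows}


def verify_segments(segments: list[bytes], logged_md5: str) -> bool:
    """Linux validation step: md5sum over the reassembled segmented volumes
    must equal the hash logged at acquisition time."""
    h = hashlib.md5()
    for seg in segments:            # stream the segments in order, no reassembly needed
        h.update(seg)
    return h.hexdigest() == logged_md5


def verify_against_source(segments: list[bytes], device: bytes) -> bool:
    """The vf option: compare the image back to the original medium."""
    return hashlib.sha256(b"".join(segments)).digest() == hashlib.sha256(device).digest()


if __name__ == "__main__":
    drive = bytes(range(256)) * 16              # constructed 4 KiB drive = 8 blocks
    good = acquire(drive, set(), segment_size=2048, window=1024)
    damaged = acquire(drive, {5}, segment_size=2048, window=1024)   # block 5 unreadable
    print(len(good["segments"]), "segments,", len(good["md5_windows"]), "windows")
    print("segments match log:", verify_segments(damaged["segments"], damaged["md5"]))
    print("damaged image matches source:", verify_against_source(damaged["segments"], drive),
          "| read errors at blocks", damaged["errors"])
```

The per-window hashes show which 1 KiB region the padded block fell into, which is what hashwindow= buys you on a real drive with bad sectors.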
Acquisition
- Making a copy of the original drive
- Subfunctions
  - Physical data copy
  - Logical data copy
  - Data acquisition format
  - Command-line acquisition
  - GUI acquisition
  - Remote acquisition
  - Verification

Acquisition Tools (contd.)
- Two types of data-copying methods are used in software acquisitions:
  - Physical copying of the entire drive
  - Logical copying of a disk partition
- The formats for disk acquisitions vary
  - From raw data to vendor-specific proprietary compressed data
  - You can view the contents of a raw image file with any hexadecimal editor

A Hexadecimal Editor
- [Figure: a hexadecimal editor displaying the contents of a raw image file]

Acquisition Tools (contd.)
- Creating smaller segmented files is a typical feature in vendor acquisition tools
- All computer forensics acquisition tools have a method for verification of the data-copying process
  - That compares the original drive with the image

Validation and Discrimination
- Validation
  - Ensuring the integrity of the data being copied
- Discrimination of data
  - Involves sorting and searching through all investigation data
  - Separates good (known) data from suspicious data

Validation and Discrimination (contd.)
- Subfunctions
  - Hashing
    - CRC-32, MD5, Secure Hash Algorithms
  - Filtering
    - Based on hash value sets
  - Analyzing file headers
    - Discriminate files based on their types
- The National Software Reference Library (NSRL) has compiled a list of known file hashes
  - For a variety of OSs, applications, and images

File Discrimination Using Header
- [Figure: a typical JPEG file header]
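The two discrimination subfunctions just listed, written as an added Python example (not code from the slides or from NSRL): filtering a set of files against a known-file SHA-1 set, and checking each file's header against the type its extension claims. The hash set, the sample files and the function names are constructed here; the signatures are the standard magic bytes for each format.

```python
# Added example (not code from the slides): filtering on a known-file hash set
# (the NSRL idea) and checking file headers against the claimed extension.
# Hash set and sample files are constructed; signatures are standard magic bytes.
from __future__ import annotations
import hashlib

# Magic-byte prefixes for a few common types (a JPEG starts FF D8 FF, as on the slide).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
}


def type_from_header(data: bytes) -> str | None:
    """Return the type whose signature the data starts with, else None."""
    for ftype, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ftype
    return None


def discriminate(files: dict[str, bytes], known_sha1: set[str]) -> dict[str, list[str]]:
    """Sort files into three buckets:
    known    - SHA-1 is in the known-file set (stock OS/application files, filtered out)
    mismatch - header identifies one type but the extension claims another
    review   - everything else, left for the examiner."""
    out: dict[str, list[str]] = {"known": [], "mismatch": [], "review": []}
    for name, data in files.items():
        if hashlib.sha1(data).hexdigest() in known_sha1:
            out["known"].append(name)
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = type_from_header(data)
        if actual is not None and actual != ext:
            out["mismatch"].append(name)
        else:
            out["review"].append(name)
    return out


def demo() -> dict[str, list[str]]:
    """Constructed sample: a stock file, a genuine JPEG, a JPEG renamed .txt, a PDF named .jpg."""
    stock = b"stock operating system file"
    files = {
        "notepad.exe": stock,
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
        "notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 20,
        "scan.jpg": b"%PDF-1.4\n" + b"\x00" * 20,
    }
    return discriminate(files, {hashlib.sha1(stock).hexdigest()})


if __name__ == "__main__":
    print(demo())
```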
Extraction
- Recovery task in a computing investigation
- Most demanding of all tasks to master
- Recovering data is the first step in analyzing an investigation's data
- Subfunctions
  - Data viewing
  - Keyword searching
  - Decompressing
  - Carving
  - Decrypting
  - Bookmarking

Extraction (contd.)
- Keyword search speeds up analysis for investigators
- From an investigation perspective, encrypted files and systems are a problem
- Many password recovery tools have a feature for generating potential password lists
  - For a password dictionary attack
- If a password dictionary attack fails, you can run a brute-force attack

Reconstruction
- Re-create a suspect drive to show what happened during a crime or an incident
- Subfunctions
  - Disk-to-disk copy
  - Image-to-disk copy
  - Partition-to-partition copy
  - Image-to-partition copy
- Some tools that perform an image-to-disk copy:
  - SafeBack, SnapBack, EnCase, FTK Imager, ProDiscover

Reporting
- To complete a forensics disk analysis and examination, you need to create a report
- Subfunctions
  - Log reports
  - Report generator
- Use this information when producing the final report for your investigation

Using Validation Protocols
- Always verify your results
- Use at least two tools
  - Retrieving and examination
  - Verification
- Understand how tools work (the reason why we are in this class)
  - What is it that the tools do?
- One way to compare results and verify a new tool is by using a disk editor
  - Lets you do a little more than hex editors such as Hex Workshop or WinHex

References
- Ch. 4, 7: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9
- Useful links:
  - http://www.forensicswiki.org/wiki/Category:Live_CD
  - http://www.deftlinux.net
  - Very helpful: http://www.deftlinux.net/deft-manual/
  - http://linux.die.net/man/1/dcfldd