Hash value: the answer to everything!
Your role as a computer forensics professional is to gather evidence from a suspect’s computer and determine whether the suspect committed a crime or violated a company policy.
Court order = private sector // Search warrant = law enforcement
The four corners of the search warrant define what you can and cannot do. If something is not on the warrant, you cannot get that data. An affidavit is given to the judge to ask for a warrant.
Communications/emails, pictures, text.
Evidence (a smoking gun means the person will likely be found guilty). Issue: someone else could have put it on the computer, or it could have been altered, so where it came from matters. The challenge is to identify who used the computer: the defendant, or a friend or family member? Did a friend or family member set the defendant up? You have to place the defendant at the computer at the time the item was created.
Hardware imager (write blocker): image a control drive and confirm you get the expected result; the validation holds until the next firmware update, then repeat it. Get the hash value and make sure it is consistent.
Certifications: Some of the best don’t have any.
Written test and practical component (DFCP)
Sets Standards: Expected level of knowledge.
Cert does not equal knowledgeable.
Taking an image of a drive
Image of a drive: a bit-stream image of the data set in question. Every bit of data, from the first 1 or 0 to the last 1 or 0, is saved.
Do not work on the original evidence (but if you wait, you could lose valuable time to prove guilt or rescue a victim).
Forensic preview of a computer, barely leaves a footprint.
Take picture of environment and then do your examination.
Plugging in a new USB device and talking to the OS makes changes to the operating system (these changes are measured and known).
Boot from a Linux live CD to preserve evidence. Also collect RAM (because it is volatile): before shutting down the computer, do a live acquisition to capture the RAM, too.
Memory gets paged to the hard disk (for efficiency, or from lack of resources).
Hibernation file – the “dirty bit” is set if Windows did not shut down properly.
Encrypted drives = Dead in the water most of the time.
You can preview the hard drive, but the preview does not see deleted files.
Hex search to look for headers (a unique 4-byte header for each type of image).
Best practice: take an image first, then make a copy of the first image as the working copy. How many images do I have to store if I return the computer?
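The header search described above, carried through as a small file carver. This is an added example, not code from the original notes or from any forensic tool: it scans a raw bit-stream image for the known header bytes of JPEG, PNG and GIF files, slices each file out up to its trailer, and hashes what it recovered. The image buffer is constructed inside the script so it runs offline; the embedded pictures are placeholders with real header and trailer bytes but made-up payloads.

```python
"""Carve picture files by their header bytes from a raw bit-stream image.

Added example, not code from the original notes. The image buffer is
constructed inside this script; no real evidence drive is read.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

# Header (magic bytes) and trailer for three common picture formats.
# The header is what a hex search looks for; the trailer lets the carver
# decide where the file ends instead of guessing a length.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),            # SOI marker ... EOI marker
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # 8-byte signature ... IEND chunk
    "gif":  (b"GIF89a", b"\x00;"),                      # block terminator + trailer
}


def build_sample_image() -> bytes:
    """Constructed raw image: zero filler with three embedded pictures.

    No directory entry points at any of them, which is exactly the state
    of a deleted file: the pointer is gone, the bytes are still on disk.
    """
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-constructed" + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
           + b"png-payload" + b"IEND\xaeB`\x82")
    gif = b"GIF89a" + b"gif-payload" + b"\x00;"
    return filler + jpeg + filler + png + filler + gif + filler


def carve(image: bytes, max_len: int = 10 * 1024 * 1024) -> List[dict]:
    """Scan the whole image for every known header and slice out each file.

    Each hit records the file type, byte offset, carved length and SHA-256 so
    the recovered bytes can be tied back to the image in a report. A header
    with no trailer within max_len is reported with length None: the file was
    truncated or overwritten and only a partial recovery is possible.
    """
    found: List[dict] = []
    for name, (header, trailer) in SIGNATURES.items():
        pos = 0
        while True:
            off = image.find(header, pos)
            if off < 0:
                break
            end = image.find(trailer, off + len(header), off + max_len)
            if end < 0:
                found.append({"type": name, "offset": off,
                              "length": None, "sha256": None})
                pos = off + 1
                continue
            end += len(trailer)
            data = image[off:end]
            found.append({"type": name, "offset": off, "length": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = end
    found.sort(key=lambda r: r["offset"])
    return found


def carved_bytes(image: bytes, record: dict) -> Optional[bytes]:
    """Return the carved file for a record, or None if it was truncated."""
    if record["length"] is None:
        return None
    return image[record["offset"]:record["offset"] + record["length"]]


if __name__ == "__main__":
    img = build_sample_image()
    for r in carve(img):
        print(f"{r['type']:5} offset={r['offset']:6} length={r['length']} "
              f"sha256={r['sha256']}")
```

A header hit is only a candidate: the carved bytes still have to be opened or validated before they are reported as a recovered picture, and the offset and hash are what go into the notes so the recovery can be repeated from the same image.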
Hash collisions: In computer science, a collision or clash is a situation that occurs when two distinct pieces of data have the same hash value, checksum, fingerprint, or cryptographic digest. Collisions are unavoidable whenever members of a very large set are mapped to a relatively short bit string.
Chain-of-Custody: Is the route the evidence takes from the time you find it until the case is closed or goes to court. It is what you say it is, establishes uniqueness. Name of people who touched it. Many cases are thrown out because the chain of custody can not be proved or has been broken. When this happens, there is a possibility that the evidence has been corrupted.
Everything that can be seen through a GUI. (Deleting information off your computer simply removes the pointer that points to that item.) Does a forensic copy get all the data? No. More is needed.
Exculpatory(not guilty) and Inculpatory(guilty)
Legacy copies need to be secure.
2 Computers (2-3 cases a month)(4 computers can be more appropriate)
Packaging: the computer goes into a seal.
ProDiscover Basic is a free forensic tool. This tutorial will show you how to
You are now finished with Project 1: ProDiscover Software Intro!
Data acquisition is the process of copying data. For computer forensics, it’s the task of collecting digital evidence from electronic media. The two types of data acquisition are static and live acquisitions. The future of data acquisitions is shifting toward live acquisitions because of the use of disk encryption with newer operating systems. The only shortcoming with live acquisitions is not being able to perform repeatable processes which are critical for collecting digital evidence. Making a second live acquisition while a computer is running collects new data because of dynamic changes in the OS. Your goal when acquiring data for a static acquisition is to preserve the digital evidence. You should also take steps to make sure you acquire an image that can be verified.
Consistency of how the process is done
Index: creates a database, so later on, info is easily searchable
Keyword search: Point in the right direction. Back end throughout the whole drive.
Index Keyword Search: Front end, checks your indexed information. May search for ASCII formatted words or Hex strings(form of the data, 99% of computers).
Restrictions…(limit to think outside of the box) Never going to be a best way to do things.
Example: a checklist. You have to have a control, which means using the same mouse, monitors, hard drive, etc. (Crazy, but it must be done, at least in law enforcement.)
Could become outdated
Don’t forget things to do.
You should also make contingency plans in case software or hardware doesn’t work or you encounter a failure during an acquisition. Many computer investigators don’t make duplicates of their evidence because they don’t have enough time or resources to make a second image. However, if the first copy doesn’t work correctly, having a duplicate is worth the effort and resources.
As a standard practice, make at least two images of the digital evidence you collect. If you have more than one imaging tool, such as ProDiscover Basic, FTK, and X-Ways Forensics, make the first copy with one tool and the second copy with the other tool. Remember that Murphy’s Law applies to computer forensics, too: If anything can go wrong, it will.
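The two-image practice above, together with the earlier points about write blockers, hash values and a working copy, as an added example that is not code from the original notes or from any imaging tool. The "suspect drive" is a byte buffer constructed in the script, the write blocker is a class that refuses writes, and the two acquisitions stand in for imaging with two different tools; everything is written to a temporary directory so it runs offline.

```python
"""Disk-to-image acquisition behind a write blocker, with hash verification.

Added example, not code from the original notes. The source drive, the
write blocker and the two "tools" are all stand-ins constructed here.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict

SECTOR = 512


class WriteBlockedDrive:
    """Stand-in for a suspect drive behind a hardware write blocker."""

    def __init__(self, data: bytes):
        self._data = data  # constructed content, not a real drive

    def sector_count(self) -> int:
        return (len(self._data) + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        return self._data[n * SECTOR:(n + 1) * SECTOR]

    def write_sector(self, n: int, buf: bytes) -> None:
        # A real blocker drops or errors the write on the bus; the
        # examiner's OS never gets to change the evidence.
        raise PermissionError("write blocked: evidence drive is read-only")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(drive: WriteBlockedDrive, dest: Path) -> str:
    """Copy every sector, first to last, hashing the stream as it is read.

    Returns the SHA-256 of what was read, to be compared with the hash of the
    file that landed on disk: a mismatch means the write side failed.
    """
    h = hashlib.sha256()
    with open(dest, "wb") as out:
        for n in range(drive.sector_count()):
            sector = drive.read_sector(n)
            h.update(sector)
            out.write(sector)
    return h.hexdigest()


def make_working_copy(master: Path, working: Path) -> str:
    """Copy the master image and return the copy's hash; analysis happens on
    the copy and the master stays sealed."""
    shutil.copyfile(master, working)
    return sha256_file(working)


def write_is_blocked(drive: WriteBlockedDrive) -> bool:
    """Validation step: confirm the blocker really refuses a write."""
    try:
        drive.write_sector(0, b"\x00" * SECTOR)
    except PermissionError:
        return True
    return False


def run_acquisition(evidence: bytes) -> Dict[str, object]:
    """Two independent images of the same drive, verified against each other
    and against the stream hash, then a working copy taken off the first."""
    drive = WriteBlockedDrive(evidence)
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        img1, img2 = workdir / "tool1.dd", workdir / "tool2.dd"
        stream1 = acquire(drive, img1)
        stream2 = acquire(drive, img2)
        file1, file2 = sha256_file(img1), sha256_file(img2)
        working = make_working_copy(img1, workdir / "working.dd")
        return {
            "stream_hash": stream1,
            "images_match": stream1 == stream2 == file1 == file2,
            "working_copy_verified": working == file1,
            "write_blocked": write_is_blocked(drive),
            "bytes_imaged": img1.stat().st_size,
        }


if __name__ == "__main__":
    sample = bytes(range(256)) * 9 + b"END"  # constructed, not a real drive
    for key, value in run_acquisition(sample).items():
        print(f"{key}: {value}")
```

The four hashes (two read streams, two files) all have to agree before either image is trusted; if they differ, the acquisition is repeated rather than guessed at, and the hash of the working copy is checked against the master before any analysis starts.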
Many acquisition tools don’t copy data in the host protected area (HPA) of a disk drive. For these situations, consider using a hardware acquisition tool that can access the drive at the BIOS level, such as ProDiscover with the NoWrite FPU write-blocker, ImageMASSter Solo, or X-Ways Replica.
As part of your contingency planning, you must be prepared to deal with encrypted drives. A static acquisition on most whole disk encrypted drives currently involves decrypting the drives, which requires the user’s cooperation in providing the decryption key.
The biggest concern with whole disk encryption is getting the decryption key. In criminal investigations, this might be impossible because if a disk contains evidence supporting the crime, a suspect had a strong motivation to not supply the decryption key. Researchers at Princeton University have produced a technique to recover passwords and passphrases from RAM.
Many computer forensics acquisition tools create a disk-to-image file in an older open-source format, known as raw, as well as their own proprietary format.
Examiners performed a bit-by-bit copy from one disk to another disk of the same size or larger. The advantages of the raw format are fast data transfers and the capability to ignore data read errors on the source drive. In addition, most computer forensics tools can read the raw format, making it a universal acquisition format for most tools. One disadvantage of the raw format is that it requires as much storage space as the original disk or data set. Also, it might not collect marginal (bad) sectors on the source drive, meaning these tools have a low threshold of retry reads on weak media spots on a drive.
One major disadvantage of proprietary format acquisitions is the inability to share an image between different vendors’ computer forensics analysis tools. Another problem with proprietary and raw formats is file size limitations for each segmented volume. Typically, proprietary format tools produce a segmented file of 650 MB. Of all the proprietary formats for image acquisitions, the Expert Witness format (.E01 extension) is currently the unofficial standard.
Expect AFF to become a future standard for forensically sound acquisitions formats.
Typically, a static acquisition is done on a computer seized during a police raid, for example. If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is available, meaning the computer is powered on and has been logged on by the suspect. Static acquisitions are always the preferred way to collect digital evidence. For both types of acquisitions, data can be collected with four methods: creating a disk-to-image file (most common), creating a disk-to-disk copy (use a write blocker because of potential registry changes), creating a logical disk-to-disk or disk-to-data file, or creating a sparse copy of a folder or file.
Creating a disk-to-image file is the most common method and offers the most flexibility for your investigation. Sometimes you can’t make a disk-to-image file because of hardware or software errors or incompatibilities. This problem is more common when you have to acquire older drives. For these drives, you might have to create a disk-to-disk copy of the suspect drive.
Collecting evidence from a large drive can take several hours. If your time is limited, consider using a logical acquisition or sparse acquisition data copy method. A logical acquisition captures only specific files of interest to the case or specific types of files. A sparse acquisition is similar but also collects fragments of unallocated (deleted) data. An example of a logical acquisition is an e-mail investigation that requires collecting only Outlook .pst or .ost files.
If you can’t retain the original evidence drive and must return it to the owner, as in a discovery demand for a civil litigation case, check with the requester, such as your lawyer or supervisor, and ask whether a logical acquisition is acceptable. If not, you may have to refer the matter back to your lawyer or supervisor. When performing an acquisition under these conditions, make sure you have a good copy because most discovery demands give you only one chance to capture data. In addition, make sure you have a reliable forensic tool that you know how to use.
Size is not an issue but speed is.
Image file bit for bit (a .dd file is a fast way of imaging).
Advantages and disadvantages of the .dd file format: it is universally accepted across different tools.
A 500 GB drive → a 320 GB image file will work because of free space.
Expert Witness Format: .E01 → .E02 → ... → .E99 → .EAB. The most common type of image file; fairly widely accepted, though not as widely as .dd. E01 is compressible.
Disadvantage: it limits the number of tools that can analyze the data.
EWF in Linux
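The segmented-image idea above (a fixed segment size, a numbered extension per segment, and the raw format needing as much space as the original while E01 can compress) as an added example that is not code from the original notes or from any forensic tool. The extension sequence E01 … E99 followed by EAA, EAB, … is the commonly documented Expert Witness / EnCase naming convention and is taken as an assumption here; the segments hold raw or zlib-compressed bytes, not the real EWF container format, and the image data is constructed in the script.

```python
"""Split a raw image into numbered segments, optionally compressed, and
verify that reassembly reproduces the original hash.

Added example, not code from the original notes or any forensic tool.
The naming sequence (E01..E99, EAA, EAB, ..., FAA, ...) is assumed.
"""
import hashlib
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List


def segment_name(index: int) -> str:
    """Extension for the index-th segment (0-based): E01..E99, EAA..EZZ, FAA.."""
    if index < 99:
        return f"E{index + 1:02d}"
    j = index - 99
    prefix = chr(ord("E") + j // 676)   # 26*26 two-letter names per prefix letter
    rest = j % 676
    return prefix + chr(65 + rest // 26) + chr(65 + rest % 26)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_image(image: bytes, base: Path, segment_size: int,
                compress: bool = False) -> List[Dict[str, object]]:
    """Write the image as base.E01, base.E02, ... of at most segment_size bytes.

    Each record keeps the logical size, the size actually stored on disk and
    the SHA-256 of the uncompressed chunk, so a single segment can be checked
    without reading the rest.
    """
    records: List[Dict[str, object]] = []
    for i, start in enumerate(range(0, len(image), segment_size)):
        chunk = image[start:start + segment_size]
        stored = zlib.compress(chunk) if compress else chunk
        path = base.with_suffix("." + segment_name(i))
        path.write_bytes(stored)
        records.append({"path": path, "size": len(chunk), "stored": len(stored),
                        "compressed": compress, "sha256": sha256_bytes(chunk)})
    return records


def reassemble(records: List[Dict[str, object]]) -> bytes:
    """Concatenate the segments in order, re-checking each segment hash first
    so a damaged or swapped segment is caught before the whole-image compare."""
    out = bytearray()
    for r in records:
        data = Path(r["path"]).read_bytes()
        if r["compressed"]:
            data = zlib.decompress(data)
        if sha256_bytes(data) != r["sha256"]:
            raise ValueError(f"segment {Path(r['path']).name} failed hash check")
        out += data
    return bytes(out)


def split_and_verify(image: bytes, segment_size: int,
                     compress: bool = False) -> Dict[str, object]:
    """Round trip in a temporary directory; returns what a report would record."""
    with tempfile.TemporaryDirectory() as d:
        recs = split_image(image, Path(d) / "evidence.raw", segment_size, compress)
        rebuilt = reassemble(recs)
        return {
            "segments": [Path(r["path"]).suffix.lstrip(".") for r in recs],
            "sizes": [r["size"] for r in recs],
            "total_size": sum(r["size"] for r in recs),
            "stored_size": sum(r["stored"] for r in recs),
            "verified": sha256_bytes(rebuilt) == sha256_bytes(image),
        }


if __name__ == "__main__":
    sample = bytes(range(256)) * 10          # constructed 2560-byte "drive"
    print(split_and_verify(sample, 1000))
    print(split_and_verify(b"\x00" * 5000, 2000, compress=True))
```

Stored raw, the segments add up to exactly the original size, which is the storage disadvantage of the raw format; compressed, mostly-empty space shrinks dramatically, while the per-segment and whole-image hashes still verify the reassembled bytes against the original.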
5. Open up your virtual machine and start Kali Linux.
8. You should now see your Terminal open with Sleuth Kit and Autopsy open. Highlight “http://localhost:9999/autopsy”, right click and click “Copy Link Address”. Simply clicking “Copy” will not work.
14. In the box under Location, type the directory you put your .dd file in. If you are root and copied the file to your desktop, then you could type something like “/root/Desktop/[NameofTheFileGoesHere]”. Under Type click Partition and under Import Method click Copy. Then click Next. (*Note: being in root is frowned upon for security reasons.)
16. In the Select a volume to analyze or add a new image file dialog box, click the Analyze button.
20. Clicking around, you can see various images of deleted and non-deleted files. In this picture you can see a deleted picture that we were able to recover. (*When you delete a file, picture, etc., you are simply removing the pointer to that particular item.)
22. Click File Type, Click Sort Files by Type, and then click OK.
23. Here we can see the results of Categories, Images, Files Skipped, and Number of Files.
24. Lastly, click Image Details. You will now be able to see different information about the image. Explore and see what you can find!
You are now finished with Project 2: Sleuth Kit & Autopsy Intro!