Acquisition: making a copy of the original drive
•Acquisition subfunctions include:
•Physical data copy
•Logical data copy
•Data acquisition format (a raw bit-for-bit image such as dd produces, or a vendor-proprietary format)
•Command-line acquisition
•GUI acquisition
•Remote, live, and memory acquisitions
Two data-copying methods are used in software acquisitions:
1. Physical copying of the entire drive (every sector, including unallocated space and the gaps between partitions)
2. Logical copying of a disk partition (better for encrypted drives: if the volume is mounted and unlocked, a logical copy captures the decrypted files, whereas a physical image of the locked volume contains only ciphertext)
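The difference between the two methods is easiest to see on a small drive where you know what sits where. The following is an added example, not code from the page or from any tool it names: it builds a constructed 64-sector drive with a classic MBR (the layout, partition types and the "deleted note" planted in the unpartitioned tail are all assumptions made for the demo), performs a physical copy and a logical copy of the first partition, verifies each copy by SHA-256, and reports which copy captured the data outside the partitions.

```python
"""Physical vs. logical acquisition of a constructed raw disk.

Added example; not code from the page or from any tool it names. The
disk layout below is constructed for the demo: a 64-sector drive with a
classic MBR, two partitions and an unpartitioned tail.
"""
import hashlib
import struct

SECTOR = 512


def mbr_partitions(disk: bytes) -> list:
    """Parse the four primary partition entries of an MBR.

    Each 16-byte entry at offset 446 holds: boot flag, CHS start (3 bytes),
    type, CHS end (3 bytes), LBA start (4, little-endian), sector count (4).
    Entries with type 0x00 are unused and skipped.
    """
    if len(disk) < SECTOR or disk[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature at offset 510")
    parts = []
    for i in range(4):
        entry = disk[446 + 16 * i:446 + 16 * (i + 1)]
        _boot, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"index": i, "type": ptype, "lba": lba, "sectors": count})
    return parts


def physical_copy(disk: bytes) -> bytes:
    """Physical (bit-for-bit) acquisition: every sector of the media,
    including the partition table, gaps between partitions and the tail."""
    return bytes(disk)


def logical_copy(disk: bytes, index: int) -> bytes:
    """Logical acquisition: only the sectors inside one partition."""
    part = next(p for p in mbr_partitions(disk) if p["index"] == index)
    start = part["lba"] * SECTOR
    end = start + part["sectors"] * SECTOR
    if end > len(disk):
        raise ValueError("partition table points past the end of the media")
    return disk[start:end]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_demo_disk() -> bytes:
    """Constructed drive: MBR in sector 0, partition 1 in sectors 8-39,
    partition 2 in sectors 40-55, and 8 unpartitioned trailing sectors."""
    disk = bytearray(64 * SECTOR)
    entries = [(0x83, 8, 32), (0x07, 40, 16)]          # (type, first LBA, sectors)
    for i, (ptype, lba, count) in enumerate(entries):
        boot = 0x80 if i == 0 else 0x00
        disk[446 + 16 * i:446 + 16 * (i + 1)] = struct.pack("<B3xB3xII", boot, ptype, lba, count)
        disk[lba * SECTOR:(lba + count) * SECTOR] = bytes([0x41 + i]) * (count * SECTOR)
    disk[510:512] = b"\x55\xaa"
    # Data left in the unpartitioned tail: only a physical copy captures it.
    note = b"deleted note"
    disk[56 * SECTOR:56 * SECTOR + len(note)] = note
    return bytes(disk)


def acquire_and_verify(disk: bytes) -> dict:
    """Run both methods and verify each copy by hash, as an imaging tool's
    verification step does, then record what each copy captured."""
    phys = physical_copy(disk)
    log1 = logical_copy(disk, 0)
    source_part1 = disk[8 * SECTOR:40 * SECTOR]
    return {
        "physical_verified": sha256(phys) == sha256(disk),
        "logical_verified": sha256(log1) == sha256(source_part1),
        "physical_size": len(phys),
        "logical_size": len(log1),
        "physical_has_tail_data": b"deleted note" in phys,
        "logical_has_tail_data": b"deleted note" in log1,
    }


if __name__ == "__main__":
    demo = build_demo_disk()
    for part in mbr_partitions(demo):
        print(part)
    for key, value in acquire_and_verify(demo).items():
        print(f"{key}: {value}")
```

Both copies verify against their source, but only the physical copy contains the bytes planted outside any partition; that is exactly the data (deleted files, old partition remnants, slack) a logical acquisition cannot return, and the reason a physical image is the default whenever the drive is not encrypted.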
Five Categories of Functions for Evaluating DF Tools
1. Acquisition
2. Validation and Verification
3. Extraction
4. Reconstruction
5. Reporting
Validation and Verification
•Validation: a way to confirm that a tool is functioning as intended (NIST's Computer Forensic Tool Testing program, CFTT, publishes test methods and results for this purpose)
•Verification: proves that two sets of data are identical by calculating hash values or using another similar method
•A related process is filtering, which involves sorting and searching through investigation findings to separate good (known) data from suspicious data
Validation and Verification Subfunctions
•Hashing: CRC-32, MD5, SHA-1, SHA-256. CRC-32 is only an error-detecting checksum, and MD5 and SHA-1 both have practical collision attacks, so they are adequate for matching against an existing hash set but SHA-256 (or stronger) should be the verification hash recorded for an acquisition
•Analyzing file headers: discriminate files by their actual type (signature bytes) rather than by their extension
•Filtering: separating good data from bad, based on hash values (HINT: check the NSRL, NIST's National Software Reference Library of known-file hashes)
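The three subfunctions fit together in one triage pass: hash everything, drop what matches the known-file set, and look at the header bytes of what is left. The following is an added example, not code from the page or from any listed tool. Its known-good hash set is a constructed stand-in for an NSRL lookup, its signature table is a five-entry subset of what a real tool carries, and the "evidence" files are constructed; all of these are assumptions for the demo.

```python
"""Verification, filtering and header analysis over constructed files.

Added example, not from the page or from any listed tool. The known-good
set stands in for an NSRL query, the signature table is a small subset,
and the evidence files are constructed.
"""
import hashlib

# Constructed stand-in for an NSRL-style known-file set (SHA-1 of files
# shipped by an OS or application that an examiner can filter out).
KNOWN_GOOD_SHA1 = {
    hashlib.sha1(b"MZ\x90\x00 stock notepad binary").hexdigest(),
    hashlib.sha1(b"%PDF-1.4 vendor manual").hexdigest(),
}

# File signatures ("magic numbers") at offset 0. A real tool has hundreds.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "exe": b"MZ",
    "zip": b"PK\x03\x04",
}
EXT_ALIASES = {"jpeg": "jpg"}


def digests(data: bytes) -> dict:
    """Hash once and keep every digest a report would carry. MD5 and SHA-1
    are only for matching older hash sets; SHA-256 is the one to rely on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_copy(original: bytes, copy: bytes) -> bool:
    """Verification: accept the copy only if every digest matches."""
    return digests(original) == digests(copy)


def header_type(data: bytes):
    """Identify a file by its header bytes rather than by its name."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def triage(files: dict) -> dict:
    """Filter out known-good files, keep the rest for examination, and flag
    any file whose extension disagrees with its header (renaming a file
    to hide it is common, and header analysis is what catches it)."""
    report = {"known_good": [], "to_examine": [], "mismatched": []}
    for name, data in files.items():
        if digests(data)["sha1"] in KNOWN_GOOD_SHA1:
            report["known_good"].append(name)
            continue
        report["to_examine"].append(name)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ext = EXT_ALIASES.get(ext, ext)
        actual = header_type(data)
        if actual is not None and actual != ext:
            report["mismatched"].append((name, ext, actual))
    return report


# Constructed evidence set for the demo.
SAMPLE_FILES = {
    "notepad.exe": b"MZ\x90\x00 stock notepad binary",
    "manual.pdf": b"%PDF-1.4 vendor manual",
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "budget.xlsx": b"\xff\xd8\xff\xe1" + b"\x00" * 32,   # a JPEG hiding under a spreadsheet name
    "notes.txt": b"meeting at 9",
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))
```

Files that match the known-good set are never header-checked: they are out of scope the moment their hash matches, which is what makes filtering against the NSRL such a large time saver on a full operating-system image.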
Extraction: The Recovery of Information
•Recovering data is the first step in analyzing an investigation's data
Subfunctions of extraction:
•Data viewing
•Keyword searching
•Decompressing or uncompressing
•Carving/salvaging
•Decrypting encrypted files, folders, drives, and disks
•Bookmarking or tagging
Data carving is part of the EXTRACTION phase
•It is the process of reassembling files from raw data fragments when no file system metadata are available
•It involves extracting and recovering data from a larger data set
•Data carving is frequently performed during a digital investigation when the unallocated file system space is analyzed to extract files
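Header/footer carving is the simplest form of this: scan the raw bytes for a known file signature, then keep reading until the matching trailer. The following is an added example, not code from the page or from any named tool. The 4 KiB "unallocated space" and the files planted in it (an intact PNG, an intact JPEG, a JPEG whose end was overwritten, and a line of text) are constructed for the demo, as are the two signature entries; a keyword search over the same buffer is included because that subfunction finds the text the carver has no signature for.

```python
"""Header/footer carving and keyword search over constructed unallocated space.

Added example, not from the page or from any named tool. The buffer and
the fragments planted in it are constructed for the demo.
"""

# (header, footer, max size) per type. The max size bounds a file whose
# footer never turns up, e.g. one overwritten part way through.
CARVERS = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 64 * 1024),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 64 * 1024),
}


def carve(space: bytes) -> list:
    """Return (type, offset, data, complete) for every header found.

    The scan is byte-aligned rather than cluster-aligned, so it also finds
    files embedded inside other files. When the footer is missing the
    carver keeps up to the type's max size and marks the result incomplete.
    """
    found = []
    for kind, (head, foot, limit) in CARVERS.items():
        pos = space.find(head)
        while pos != -1:
            end = space.find(foot, pos + len(head), pos + limit)
            if end != -1:
                found.append((kind, pos, space[pos:end + len(foot)], True))
                nxt = end + len(foot)
            else:
                found.append((kind, pos, space[pos:pos + limit], False))
                nxt = pos + len(head)
            pos = space.find(head, nxt)
    return sorted(found, key=lambda f: f[1])


def keyword_search(space: bytes, keywords) -> dict:
    """Keyword searching over raw bytes. ASCII only here; real tools also
    search UTF-16LE, which is how Windows stores most of its text."""
    hits = {}
    for kw in keywords:
        offsets, pos = [], space.find(kw)
        while pos != -1:
            offsets.append(pos)
            pos = space.find(kw, pos + 1)
        hits[kw] = offsets
    return hits


def build_unallocated() -> bytes:
    """Constructed 4 KiB of zero-filled 'unallocated' space with fragments
    planted at known offsets and no metadata pointing at any of them."""
    png = (CARVERS["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x01" * 17
           + b"\x00\x00\x00\x00" + CARVERS["png"][1])
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x22" * 40 + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe1\x00\x20Exif" + b"\x33" * 20   # footer overwritten
    note = b"draft: move funds"
    space = bytearray(4096)
    space[100:100 + len(png)] = png
    space[700:700 + len(note)] = note
    space[1500:1500 + len(jpg)] = jpg
    space[3000:3000 + len(truncated)] = truncated
    return bytes(space)


if __name__ == "__main__":
    space = build_unallocated()
    for kind, offset, data, complete in carve(space):
        print(f"{kind} at {offset}: {len(data)} bytes, complete={complete}")
    print(keyword_search(space, [b"funds"]))
```

The incomplete third hit is the caveat to remember: a carver can only tell you where a header was, and its size limit is a guess, so a carved file should be validated (opened, or parsed with a format-aware tool) before it goes in a report. The same logic also over-trims a JPEG that carries an EXIF thumbnail, because the thumbnail's own FFD9 trailer appears before the real one; format-aware carvers parse the segment structure to avoid that.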
Reconstruction
•Is the process of rebuilding data files
•Re-create a suspect drive to show what happened during a crime or an incident
Methods of reconstruction
•Disk-to-disk copy
•Partition-to-partition copy
•Image-to-disk copy
•Image-to-partition copy
•Rebuilding files from data runs and carving
To re-create an image of a suspect drive
•Copy an image to another location, such as a partition, a physical disk, or a virtual machine
•Simplest method is to use a tool that makes a direct disk-to-image copy
•Wipe (sanitize) the target disk or partition first so stale data cannot be mistaken for evidence, then verify the restored copy by hashing it against the image
•Examples of disk-to-image copy tools: the Linux dd command, ProDiscover, and Voom Technologies' "Shadow 3" hardware
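"Rebuilding files from data runs" means following the file system's own list of extents to reassemble a fragmented file, which is what you do when the metadata survives and carving is unnecessary. The following is an added example, not code from the page or from any named tool: it decodes a run list in the encoding NTFS uses for a non-resident $DATA attribute (header nibbles give the byte widths of the cluster count and of the signed LCN delta) and reassembles a file scattered over three runs on a constructed 32-cluster disk. The run list bytes, the cluster size, the message and the "X" bytes used to mark file slack are all assumptions made for the demo.

```python
"""Rebuilding a fragmented file from NTFS-style data runs.

Added example, not from the page or from any named tool. The disk, run
list, cluster size and message are constructed; the run-list encoding
is the one NTFS uses in a non-resident $DATA attribute.
"""

CLUSTER = 16  # constructed cluster size; NTFS typically uses 4096


def decode_runs(raw: bytes) -> list:
    """Decode a run list into absolute (lcn, cluster_count) pairs.

    Each run: a header byte whose low nibble is the width of the cluster
    count and high nibble the width of the offset; the count (unsigned,
    little-endian); then the offset (signed, little-endian, relative to
    the previous run's LCN). A zero header byte ends the list, and an
    offset width of 0 marks a sparse run with no clusters on disk.
    """
    runs, i, lcn = [], 0, 0
    while i < len(raw) and raw[i] != 0:
        len_w, off_w = raw[i] & 0x0F, raw[i] >> 4
        i += 1
        count = int.from_bytes(raw[i:i + len_w], "little")
        i += len_w
        if off_w == 0:
            runs.append((None, count))            # sparse run
        else:
            lcn += int.from_bytes(raw[i:i + off_w], "little", signed=True)
            i += off_w
            runs.append((lcn, count))
    return runs


def rebuild_file(disk: bytes, run_list: bytes, cluster_size: int, file_size: int) -> bytes:
    """Walk the runs, pull each extent off the image, and trim the final
    cluster's slack so the result is exactly file_size bytes."""
    out = bytearray()
    for lcn, count in decode_runs(run_list):
        if lcn is None:
            out += b"\x00" * (count * cluster_size)   # sparse region reads as zeros
            continue
        start, end = lcn * cluster_size, (lcn + count) * cluster_size
        if end > len(disk):
            raise ValueError("run points outside the image")
        out += disk[start:end]
    if len(out) < file_size:
        raise ValueError("runs cover fewer bytes than the recorded file size")
    return bytes(out[:file_size])


# Constructed run list: 2 clusters at LCN 10, then 3 clusters at LCN 10-10=0
# (a backward jump, encoded as the signed byte 0xF6 = -10), then 1 cluster
# at LCN 20, then the 0x00 terminator.
RUN_LIST = bytes([0x21, 0x02, 0x0A, 0x00,
                  0x11, 0x03, 0xF6,
                  0x21, 0x01, 0x14, 0x00,
                  0x00])
MESSAGE = b"Fragment one lives in clusters 10-11, fragment two in 0-2, fragment three in 20. Done."


def build_demo_disk() -> bytes:
    """Constructed 32-cluster disk with MESSAGE split across the three runs;
    the unused tail of the last cluster is filled with 'X' as file slack."""
    if not 80 < len(MESSAGE) <= 96:
        raise ValueError("demo message must need all three runs")
    disk = bytearray(32 * CLUSTER)
    disk[10 * CLUSTER:12 * CLUSTER] = MESSAGE[:32]
    disk[0:3 * CLUSTER] = MESSAGE[32:80]
    tail = MESSAGE[80:]
    disk[20 * CLUSTER:21 * CLUSTER] = tail + b"X" * (CLUSTER - len(tail))
    return bytes(disk)


def rebuild_demo() -> bytes:
    return rebuild_file(build_demo_disk(), RUN_LIST, CLUSTER, len(MESSAGE))


if __name__ == "__main__":
    print(decode_runs(RUN_LIST))
    print(rebuild_demo().decode())
```

Note what the recorded file size buys you: without it the last cluster's slack ("X" here, but on a real disk whatever the cluster held before) would be appended to the rebuilt file and could be mistaken for its content.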
Reporting
•To perform a forensics disk analysis and examination, you need to create a report
Subfunctions of reporting
•Bookmarking or tagging
•Log reports
•Timelines
•Report generator
Some examples of open-source tools include:
•Wireshark (for network forensics) and Nmap (a network scanner, useful for establishing what was on the network rather than a forensics tool as such)
•Sleuth Kit (use it with Autopsy if you don't like the CLI!!)
•SANS SIFT (Linux/Ubuntu)
•Volatility (great for memory forensics)
•CAINE, the Computer Aided INvestigative Environment (packed full of DF tools)
•Xplico (network forensics: reconstructs e-mail, web and other application data from packet captures)
•Oxygen Forensics is often listed alongside these, but it is a commercial mobile-forensics product, not open source
Two types of Digital Forensics Tools
1. Hardware forensic tools
•Range from single-purpose components to complete computer systems and servers
•Write blockers
•Tableau USB bridge (a hardware write blocker)
•F.R.E.D. systems, or DIBS workstations
2. Software forensic tools, of two types:
•Command-line applications
•GUI applications, for example:
•Technology Pathways ProDiscover
•AccessData FTK
•PassMark OSForensics
•Guidance Software EnCase
•Helix Pro
•SANS SIFT
•Commonly used to copy data from a suspect's disk drive to an image file
The Forensic Recovery of Evidence Device (FRED) system is a specialized hardware and software solution designed for digital forensics investigations. Developed by Digital Intelligence, FRED systems provide investigators with powerful and reliable tools to conduct detailed forensic analysis of digital evidence.
Key Features of the FRED System:
1. High-Performance Hardware:
• Powerful Processors: Equipped with high-speed processors to handle intensive data processing tasks.
• Ample Memory and Storage: Large RAM and multiple storage options, including SSDs and HDDs, to accommodate extensive datasets and enable fast data access.
• Write-Blockers: Integrated write-blocking technology to prevent any modification of the original data during analysis, ensuring evidence integrity.
• Multiple I/O Ports: A variety of input/output ports for connecting different types of storage media, including USB, SATA, SAS, and more.
2. Specialized Software:
• Forensic Imaging: Tools to create exact bit-for-bit copies of digital storage devices, preserving the original evidence (e.g., FTK Imager, EnCase).
• Data Analysis: Applications for in-depth analysis of digital evidence, including file recovery, metadata examination, and timeline creation (e.g., Autopsy, X-Ways Forensics).
• Network Forensics: Tools to analyze network traffic and logs, useful in tracing cyber-attacks and identifying breaches (e.g., Wireshark).
• Memory Forensics: Utilities to analyze volatile memory (RAM) captures, often used to identify malware and other transient data (e.g., Volatility).
3. Ergonomics and Design:
• Modular Design: FRED systems are designed with modular components, making it easy to upgrade or customize based on specific investigative needs.
• Portable Options: Some FRED systems are available in portable configurations, allowing forensic investigators to conduct on-site examinations.
Linux Forensics Tools:
SMART
•Designed to be installed on numerous Linux versions
•Can analyze a variety of file systems
•Many plug-in utilities are included with SMART
•Another useful option in SMART is its hex viewer
Helix 3
•One of the easiest suites to begin with
•You can load it on a live Windows system
•Loads as a bootable Linux OS from a cold boot
•**Some international courts have not accepted live acquisitions as a valid forensics practice, so when one is unavoidable (encrypted volumes, volatile memory) document why it was necessary and what the acquisition tool changed on the running system
Kali Linux
•Successor to BackTrack; includes a variety of tools and an easy-to-use desktop (Xfce by default in current releases; the older BackTrack used KDE)
•Primarily a penetration-testing distribution; its live "forensic" boot mode leaves internal disks unmounted and does not use swap, so that booting it does not alter the suspect machine
Autopsy and Sleuth Kit
•Sleuth Kit is a forensics library and set of command-line tools that runs on Linux (and also Windows and macOS)
•Autopsy is the GUI browser interface used to access Sleuth Kit's tools