UTD CS 4398 - Lecture #10 Forensics Tools and Standards

This preview shows page 1-2-20-21 out of 21 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 21 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 21 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 21 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 21 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 21 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Slides in the deck: Digital Forensics; Outline; Review; Forensics Tools; Functions of Forensics Tools; Functions of Forensics Tools - 2; Functions of Forensics Tools - 3; Software Tools; Hardware Tools; Validating Forensics Tools; NIST Standards; NSRL; Slide 13; CFTT; CFReDS; Slide 16; International Standards; Macintosh Operating System (MAC OS X); Unix/Linux Operating System; Summary of Lectures 8 and 9; References

Digital Forensics
Dr. Bhavani Thuraisingham, The University of Texas at Dallas
Lecture #10: Forensics Tools and Standards
September 24, 2008

Outline
- Review
- Forensics Tools
- Standards
- File Systems (Unix, Linux)
- Reference: Chapters 7 and 8 of Textbook; http://www.cftt.nist.gov/NISTIR_7490.pdf

Review
Part 2:
- Lecture 8: Windows File System and Forensics
- Lecture #9: Forensics Tools

Forensics Tools
Hardware Forensics Tools
- Range from single-purpose components (e.g., devices) to complete systems (forensics workstations)
Software Forensics Tools
- Analysis tools such as ProDiscover and EnCase

Functions of Forensics Tools
- Acquisition
- Validation and Discrimination
- Extraction
- Reconstruction
- Reporting
A comparison of some forensics tools (ProDiscover, AccessData, EnCase) is given on page 277 of the Textbook.

Functions of Forensics Tools - 2
Acquisition
- Tools for data acquisition
- Physical data copy, logical data copy, data acquiring format, GUI acquisition
Validation and Discrimination
- Integrity of the data; also includes hashing, filtering, analyzing file headers
Extraction
- Recovery task
- Data viewing, keyword searching, decompressing
Reconstruction
Reporting

Functions of Forensics Tools - 3
Reconstruction
- Recreate the crime scene (suspect drive)
- Disk-to-disk copy, image-to-disk copy, etc.
Reporting
- Report generation tools help the examiner prepare the report
- Also help to log reports

Software Tools
Command line forensics tools
Unix/Linux forensics tools
- SMART, Helix, Autopsy and Sleuth Kit
GUI Forensics Tools
- Visualizing the data is important to understand the data

Hardware Tools
Forensics workstations
- How to build a workstation
- What are the components
- How are the workstations connected in a lab
- How can distributed forensics be carried out
Write Blockers
- Write blocker devices to protect evidence disks (see the discussion in Chapter 4 under data acquisition)

Validating Forensics Tools
NIST (National Institute of Standards and Technology) is coming up with standards for validation (will be discussed under standards):
- Establish categories for forensics tools
- Identify forensics category requirements
- Develop test assertions
- Identify test cases
- Establish test method
- Report test results
Chapter 7 discusses validation protocols as well as some examination protocols.

NIST Standards
There are three digital forensics projects at the National Institute of Standards and Technology (NIST). These projects are supported by the U.S. Department of Justice's National Institute of Justice (NIJ), federal, state, and local law enforcement, and the National Institute of Standards and Technology Office of Law Enforcement Standards (OLES) to promote efficient and effective use of computer technology in the investigation of crimes involving computers. These projects are the following:
- National Software Reference Library (NSRL)
- Computer Forensic Tool Testing (CFTT)
- Computer Forensic Reference Data Sets (CFReDS)

NSRL
The NSRL is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS), including hashes of known files created when software is installed on a computer.
The law enforcement community approached NIST requesting a software library and signature database that meets four criteria:
- The organizations involved in the implementation of the file profiles must be unbiased and neutral.
- Control over the quality of data provided by the database must be maintained.
- A repository of original software must be made available from which data can be reproduced.
- The database must provide a wide range of capabilities with respect to the information that can be obtained from file systems under investigation.

NSRL
The primary focus of the NSRL is to aid computer forensics examiners in their investigations of computer systems. The majority of stakeholders are in federal, state and local law enforcement in the United States and internationally. These organizations typically use the NSRL data to aid in criminal investigations.

CFTT
The goal of the CFTT project at NIST is to establish a methodology for testing computer forensic software tools through the development of general tool specifications, test procedures, test criteria, test sets, and test hardware. The results provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for interested parties to understand the tools' capabilities.
The testing methodology developed by NIST is functionality driven. The activities of forensic investigations are separated into discrete functions, such as hard disk write protection, disk imaging, string searching, etc. A test methodology is then developed for each category. After a test methodology is developed it is posted to the web.

CFReDS
The Computer Forensic Reference Data Sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination.
Since CFReDS has documented contents, such as target search strings seeded in known locations, investigators can compare the results of searches for the target strings with the known placement of the strings. Investigators can use CFReDS in several ways, including validating the software tools used in their investigations, equipment check-out, training investigators, and proficiency testing of investigators as part of laboratory accreditation.
The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations.

CFReDS
In addition to test images, the CFReDS site contains resources to aid in creating test images. These creation aids are in the form of interesting data files, useful software tools and procedures for specific tasks. The CFReDS web site is http://www.cfreds.nist.gov.

International Standards
The Scientific
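The NSRL discrimination step from the Functions of Forensics Tools and NSRL slides, as an added example that is neither the lecture's nor NIST's own code: a constructed Reference Data Set is built by hashing the files a known product installs, and files recovered from a suspect image are set aside or kept for examination by SHA-1 match. The installed files, the acquired files and the simplified RDS row layout (SHA-1, MD5, file name, size) are all assumptions made for the example.

```python
"""NSRL-style known-file filtering (added example, not from the lecture).
The installed software, acquired files and the simplified RDS row layout
(SHA-1, MD5, filename, size) are constructed for this example."""
import hashlib

def file_profile(name, data):
    """Profile a known file the way the NSRL does when software is installed:
    hash the content and record the file name and size."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest(),
            "name": name, "size": len(data)}

def build_rds(installed):
    """Build a Reference Data Set from a dict of known file name -> content."""
    return [file_profile(n, d) for n, d in installed.items()]

def filter_known(acquired, rds):
    """Discriminate acquired files: a SHA-1 match against the RDS marks a known
    file that can be set aside; everything else is kept for examination.
    Matching is by hash, so renaming a known file does not hide it and
    changing a single byte of a known file makes it unknown."""
    known_sha1 = {row["sha1"] for row in rds}
    known, unknown = [], []
    for name, data in acquired.items():
        bucket = known if hashlib.sha1(data).hexdigest() in known_sha1 else unknown
        bucket.append(name)
    return sorted(known), sorted(unknown)

# Constructed reference install: the files a known product drops on disk.
INSTALLED = {"calc.exe": b"MZ\x90\x00constructed-program-body",
             "readme.txt": b"Constructed product readme\n"}
RDS = build_rds(INSTALLED)

# Constructed files recovered from a suspect image: an untouched copy, a renamed
# copy, a copy with one byte changed, and a user file with no RDS counterpart.
ACQUIRED = {
    "calc.exe": INSTALLED["calc.exe"],
    "notes.bak": INSTALLED["readme.txt"],
    "calc_patched.exe": INSTALLED["calc.exe"][:-1] + b"!",
    "ledger.xls": b"constructed user spreadsheet data",
}

if __name__ == "__main__":
    known, unknown = filter_known(ACQUIRED, RDS)
    print("known files (set aside):", known)
    print("unknown files (examine):", unknown)
```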
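Tool validation against a CFReDS-style data set, as described on the CFReDS and Validating Forensics Tools slides, as an added example that is not from the lecture or from NIST: target strings are seeded at documented offsets in a constructed test image, two toy search "tools" are run over it, and their output is compared with the known placement. The image, the targets and both tools are constructed assumptions; a real validation run would substitute the tool under test.

```python
"""CFReDS-style validation of a string-search tool (added example, not from the
lecture). The test image, the seeded target strings and both toy 'tools' are
constructed; a real run would substitute the tool under test."""
import re

SECTOR = 512

def build_test_image(size, seeds):
    """Build a documented test image: zero-filled, each target written at a known offset."""
    buf = bytearray(size)
    for off, s in seeds.items():
        buf[off:off + len(s)] = s
    return bytes(buf)

def search_whole_image(image, targets):
    """Tool A: search the whole image as one buffer."""
    return {t: [m.start() for m in re.finditer(re.escape(t), image)] for t in targets}

def search_per_sector(image, targets):
    """Tool B: search each 512-byte sector on its own, a shortcut that cannot
    see a string straddling a sector boundary."""
    hits = {t: [] for t in targets}
    for base in range(0, len(image), SECTOR):
        sector = image[base:base + SECTOR]
        for t in targets:
            hits[t] += [base + m.start() for m in re.finditer(re.escape(t), sector)]
    return hits

def validate(found, expected):
    """Compare tool output with the documented placement: True for a target only
    when every seeded occurrence is reported at the right offset and nothing extra."""
    return {t: sorted(found.get(t, [])) == sorted(offs) for t, offs in expected.items()}

# Constructed data set: targets seeded at known offsets; 'evidence-beta' starts at
# 1530 and so straddles the boundary between sector 2 and sector 3 (offset 1536).
SEEDS = {100: b"evidence-alpha", 1530: b"evidence-beta", 2048: b"evidence-alpha"}
EXPECTED = {b"evidence-alpha": [100, 2048], b"evidence-beta": [1530]}
IMAGE = build_test_image(4096, SEEDS)

def run_validation():
    """Run both tools against the data set and return per-tool, per-target results."""
    return {"whole_image": validate(search_whole_image(IMAGE, EXPECTED), EXPECTED),
            "per_sector": validate(search_per_sector(IMAGE, EXPECTED), EXPECTED)}

if __name__ == "__main__":
    for tool, result in run_validation().items():
        print(tool, {t.decode(): ok for t, ok in result.items()})
```

The per-sector tool passes the test assertion for one target and fails the other, which is exactly the kind of gap a documented reference set exposes and a plain keyword search on live evidence would not.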