Guide to Computer Forensics and Investigations, Fourth Edition
Chapter 9: Computer Forensics Analysis and Validation

Contents
Objectives
Determining What Data to Collect and Analyze
Approaching Computer Forensics Cases
Refining and Modifying the Investigation Plan
Using AccessData Forensic Toolkit to Analyze Data
Validating Forensic Data
Validating with Hexadecimal Editors
Validating with Computer Forensics Programs
Addressing Data-hiding Techniques
Hiding Partitions
Marking Bad Clusters
Bit-shifting
Using Steganography to Hide Data
Examining Encrypted Files
Recovering Passwords
Performing Remote Acquisitions
Remote Acquisitions with Runtime Software
Summary

Slide 2: Objectives
• Determine what data to analyze in a computer forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques
• Describe methods of performing a remote acquisition

Slide 3: Determining What Data to Collect and Analyze
• Examining and analyzing digital evidence depends on:
  – Nature of the case
  – Amount of data to process
  – Search warrants and court orders
  – Company policies
• Scope creep
  – Investigation expands beyond the original description
• Right of full discovery of digital evidence

Slide 4: Approaching Computer Forensics Cases
• Some basic principles apply to almost all computer forensics cases
  – The approach you take depends largely on the specific type of case you’re investigating
• Basic steps for all computer forensics investigations
  – For target drives, use only recently wiped media that have been reformatted
    • And inspected for computer viruses

Slide 5: Approaching Computer Forensics Cases (continued)
• Basic steps for all computer forensics investigations (continued)
  – Inventory the hardware on the suspect’s computer and note the condition of the computer when seized
  – Remove the original drive from the computer
    • Check date and time values in the system’s CMOS
  – Record how you acquired data from the suspect drive
  – Process the data methodically and logically

Slide 6: Approaching Computer Forensics Cases (continued)
• Basic steps for all computer forensics investigations (continued)
  – List all folders and files on the image or drive
  – If possible, examine the contents of all data files in all folders
    • Starting at the root directory of the volume partition
  – For all password-protected files that might be related to the investigation
    • Make your best effort to recover file contents

Slide 7: Approaching Computer Forensics Cases (continued)
• Basic steps for all computer forensics investigations (continued)
  – Identify the function of every executable (binary or .exe) file that doesn’t match known hash values
  – Maintain control of all evidence and findings, and document everything as you progress through your examination

Slide 8: Refining and Modifying the Investigation Plan
• Considerations
  – Determine the scope of the investigation
  – Determine what the case requires
  – Whether you should collect all information
  – What to do in case of scope creep
• The key is to start with a plan but remain flexible in the face of new evidence

Slide 9: Using AccessData Forensic Toolkit to Analyze Data
• Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
• FTK can analyze data from several sources, including image files from other vendors
• FTK produces a case log file
• Searching for keywords
  – Indexed search
  – Live search
  – Supports options and advanced searching techniques, such as stemming

Slides 10–11: Using AccessData Forensic Toolkit to Analyze Data (continued; no slide text recovered)

Slide 12: Using AccessData Forensic Toolkit to Analyze Data (continued)
• Analyzes compressed files
• You can generate reports
  – Using bookmarks

Slide 13: Using AccessData Forensic Toolkit to Analyze Data (continued; no slide text recovered)

Slide 14: Validating Forensic Data
• One of the most critical aspects of computer forensics
• Ensuring the integrity of data you collect is essential for presenting evidence in court
• Most computer forensic tools provide automated hashing of image files
• Computer forensics tools have some limitations in performing hashing
  – Learning how to use advanced hexadecimal editors is necessary to ensure data integrity

Slide 15: Validating with Hexadecimal Editors
• Advanced hexadecimal editors offer many features not available in computer forensics tools
  – Such as hashing specific files or sectors
• Hex Workshop provides several hashing algorithms
  – Such as MD5 and SHA-1
  – See Figures 9-4 through 9-6
• Hex Workshop also generates the hash value of selected data sets in a file or sector

Slides 16–18: Validating with Hexadecimal Editors (continued; no slide text recovered)

Slide 19: Validating with Hexadecimal Editors (continued)
• Using hash values to discriminate data
  – AccessData has a separate database, the Known File Filter (KFF)
    • Filters known program files from view, such as MSWord.exe, and identifies known illegal files, such as child pornography
  – KFF compares known file hash values to files on your evidence drive or image files
  – Periodically, AccessData
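As an added example, not code from the textbook, AccessData or Hex Workshop, the following Python script shows the validation steps the slides on validating forensic data and hexadecimal editors describe: hashing an evidence image whole and comparing with the digests recorded at acquisition, hashing a selected run of sectors with MD5 or SHA-1 the way a hex editor hashes a selected data set, and filtering the files found on an image against a KFF-style set of known hashes (known program files hidden from view, known illegal files flagged). The image bytes, the file table and the hash sets are constructed sample data; SECTOR_SIZE, hash_sectors, validate_image and kff_filter are names chosen here, not any tool's API.

```python
"""Added example, not from the textbook, AccessData or Hex Workshop.

Demonstrates the validation steps in the slides above:
  1. hashing an evidence image whole and comparing with the digests recorded
     at acquisition (what forensic tools automate),
  2. hashing a selected run of sectors, as a hex editor does for a selected
     data set, so one region can be re-verified after examination,
  3. filtering files on the image against a KFF-style known-hash set:
     known program files are hidden from view, known illegal files are flagged.
The image, file table and hash sets are constructed sample data.
"""
import hashlib

SECTOR_SIZE = 512  # assumed sector size; some media use 4096-byte sectors


def hash_bytes(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of data under a hashlib algorithm ('md5', 'sha1', 'sha256', ...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def hash_sectors(image: bytes, first_sector: int, count: int, algorithm: str = "md5") -> str:
    """Hash the contiguous sectors [first_sector, first_sector + count) of the image."""
    start = first_sector * SECTOR_SIZE
    end = start + count * SECTOR_SIZE
    if first_sector < 0 or count <= 0 or end > len(image):
        raise ValueError("sector range lies outside the image")
    return hash_bytes(image[start:end], algorithm)


def validate_image(image: bytes, expected: dict) -> dict:
    """Recompute each digest recorded at acquisition and report whether it still matches.

    expected maps algorithm name -> hex digest; the result maps algorithm name -> bool.
    Any False means the image no longer matches what was acquired.
    """
    return {alg: hash_bytes(image, alg) == digest.lower() for alg, digest in expected.items()}


def kff_filter(files: dict, known_good: set, known_alert: set) -> dict:
    """Classify each file (name -> contents) by its MD5 against the known-hash sets.

    'ignore' = known program file (filtered from view), 'alert' = known illegal
    file, 'review' = unknown and still needs examination. Alerts take priority.
    """
    verdicts = {}
    for name, content in files.items():
        digest = hash_bytes(content, "md5")
        if digest in known_alert:
            status = "alert"
        elif digest in known_good:
            status = "ignore"
        else:
            status = "review"
        verdicts[name] = (digest, status)
    return verdicts


# Constructed 4-sector "image": sector i is filled with the byte value i.
IMAGE = b"".join(bytes([i]) * SECTOR_SIZE for i in range(4))

# Constructed file table standing in for files carved from the image.
SAMPLE_FILES = {
    "calc.exe": b"abc",                                           # stands in for a known program file
    "notes.txt": b"The quick brown fox jumps over the lazy dog",  # stands in for a known illegal file
    "budget.xls": b"unknown content that still needs examination",
}

# Constructed KFF-style MD5 sets (a real hash set holds millions of entries).
KNOWN_GOOD = {"900150983cd24fb0d6963f7d28e17f72"}   # MD5("abc")
KNOWN_ALERT = {"9e107d9d372bb6826bd81d3542a419d6"}  # MD5("The quick brown fox jumps over the lazy dog")


if __name__ == "__main__":
    acquired = {"md5": hash_bytes(IMAGE, "md5"), "sha1": hash_bytes(IMAGE, "sha1")}
    print("image validates:", validate_image(IMAGE, acquired))
    tampered = IMAGE[:-1] + b"\xff"  # one byte changed in the last sector
    print("tampered image validates:", validate_image(tampered, acquired))
    print("MD5 of sectors 1-2:", hash_sectors(IMAGE, 1, 2))
    for name, (digest, status) in kff_filter(SAMPLE_FILES, KNOWN_GOOD, KNOWN_ALERT).items():
        print(f"{status:6} {digest} {name}")
```

Changing a single byte anywhere in the image flips every recorded digest to False, which is why the acquisition hashes must be recorded before examination begins. The slides name MD5 and SHA-1 because those are what Hex Workshop offers; both are known to be collision-prone, so record a SHA-256 digest alongside them (validate_image accepts any hashlib algorithm name) and keep the sector-range hashes so a disputed region can be re-verified on its own.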
USF ACG 6936 - Computer Forensics Analysis
