Outline
- Digital Forensics
- Chapters 1-3 of Textbook
- Data Acquisition: Chapter 4
- Types of Acquisition
- Digital Evidence Storage Formats
- Acquisition Methods
- Compression Methods
- Contingency Planning
- Storage Area Network Security Systems
- Network Disaster Recovery Systems
- Using Acquisition Tools
- Using Acquisition Tools - 2
- Validating Data Acquisition
- RAID Acquisition Methods
- Remote Network Acquisition Tools
- Some Forensics Tools
- Processing Crime and Incident Scenes: Chapter 5
- Securing Evidence
- Gathering Evidence
- Analyzing Evidence
- Understanding the Rules of Evidence
- Private sector incident scenes
- Law Enforcement crime Scenes
- Steps to processing crime and incident scenes
- Case Study (Chapter 5)
- Digital Forensics Analysis
- Digital Evidence Examination and Analysis Techniques
- Search Techniques
- Event Reconstruction
- What is Lazarus?
- Time Analysis
- Conclusion
- Links

Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #4: Data Acquisition, Processing Crime Scenes and Digital Forensics Analysis
September 3, 2010

Chapters 1-3 of Textbook
Chapter 1: Understanding digital forensics
- What is digital forensics, conducting an investigation, case law (Fourth Amendment)
Chapter 2: Understanding investigations
- Steps for an investigation: systematic approach
- Evidence collection and analysis
- Report writing
Chapter 3: Forensics Laboratory
- Physical requirements, workstation requirements, making a case to build a lab

Data Acquisition: Chapter 4
- Types of acquisition
- Digital evidence storage formats
- Acquisition methods
- Contingency planning
- Using acquisition tools
- Validating data acquisition
- RAID acquisition methods
- Remote network acquisition tools
- Some forensics tools

Types of Acquisition
Static Acquisition
- Acquire data from the original media
- The data in the original media will not change
Live Acquisition
- Acquire data while the system is running
- A second live acquisition will not be the same
Will focus on static acquisition

Digital Evidence Storage Formats
Raw formats
- Bit-by-bit copying of the data from the disk
- Many tools could be used
Proprietary formats
- Vendors have special formats
Standards
- XML-based formats for digital evidence
- Digital Evidence Markup Language (funded by the National Institute of Justice)
- Experts have argued that technologies that allow disparate law enforcement jurisdictions to share crime-related information will greatly facilitate fighting crime. One of these technologies is the Global Justice XML Data Model (GJXDM).
- http://ncfs.ucf.edu/digital_evd.html

Acquisition Methods
Disk to image file
Disk to disk
Logical acquisition
- Acquire only certain files if the disk is too large
Sparse acquisition
- Similar to logical acquisition, but also collects fragments of unallocated (i.e., deleted) data

Compression Methods
Compression methods are used for very large data storage
- E.g., terabyte/petabyte storage
Lossy vs. lossless compression
- Lossless data compression is a class of data compression algorithms that allows the exact original data to be reconstructed from the compressed data. The term lossless is in contrast to lossy data compression, which only allows an approximation of the original data to be reconstructed, in exchange for better compression rates.

Contingency Planning
Failure occurs during acquisition
- Recovery methods
Make multiple copies
- At least 2 copies
Encryption/decryption techniques so that the evidence is not corrupted

Storage Area Network Security Systems
High-performance networks that connect all the storage systems
- After a disaster such as terrorism or a natural disaster (9/11 or Katrina), the data has to remain available
- Database systems are a special kind of storage system
Benefits include centralized management, scalability, reliability, performance
Security attacks on multiple storage devices
- Secure storage is being investigated

Network Disaster Recovery Systems
Network disaster recovery is the ability to respond to an interruption in network services by implementing a disaster recovery plan
Policies and procedures have to be defined and subsequently enforced
- Which machines to shut down, which backup servers to use, when law enforcement should be notified

Using Acquisition Tools
Acquisition tools have been developed for different operating systems including Windows, Linux, Mac
It is important that the evidence drive is write protected
Example acquisition method:
- Document the chain of evidence for the drive to be acquired
- Remove the drive from the suspect's computer
- Connect the suspect drive to a USB or FireWire write-blocker device (if USB, write protect it via the Registry write-protect feature)
- Create a storage folder on the target drive

Using Acquisition Tools - 2
Example tools include ProDiscover, AccessData FTK Imager
Click on All Programs and click on the specific tool (e.g., ProDiscover)
Perform the commands
- E.g., Capture Image
For additional security, use passwords

Validating Data Acquisition
Create hash values
- CRC-32 (older method), MD5, SHA series
Linux validation
- Hash algorithms are included and can be executed using special commands
Windows validation
- No hash algorithms built in, but works with 3rd-party programs

Merkle Hash Signature Example
[Figure: Merkle hash signature example over a Newspaper XML document with Frontpage, Politic_page, Literary_page and Sport_page sections containing news Articles; each Article has title, Author, topic, date and Paragraphs elements]
- MhX(Author) = h(h(Author) || h(Author.value))
- MhX(title) = h(h(title) || h(title.value))
- MhX(paragraph) = h(h(paragraph) || h(paragraph.content) || MhX(Author) || MhX(title))

RAID Acquisition Methods
RAID: Redundant Array of Independent Disks
RAID storage is used for large files and to support replication
Data is stored using multiple methods
- E.g., striping
When RAID is acquired, special tools need to be used depending on the way the data is stored

Remote Network Acquisition Tools
Preview a suspect's files remotely while they are being used or the machine is powered on
Perform live acquisition while the suspect's computer is powered on
Encrypt the connection between the suspect's computer and the examiner's computer
Copy the RAM while the computer is powered on
Use stealth mode to hide the remote connection from the suspect's computer
Variation for the individual tools (ProDiscover, EnCase)

Some Forensics Tools
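The "Validating Data Acquisition" slide says an image is validated by hashing it (CRC-32, MD5, SHA series). The following is an added example, not part of the lecture: it streams a constructed in-memory "disk image" through all of these digests at once and reports which ones fail to match the source media, so a single altered byte in the copy is detected.

```python
import hashlib
import zlib

CHUNK = 4096  # stream the image in blocks so large images need not fit in RAM


def compute_digests(data: bytes) -> dict:
    """CRC-32, MD5, SHA-1 and SHA-256 of the bytes, computed in one streaming pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    crc = 0
    for off in range(0, len(data), CHUNK):
        block = data[off:off + CHUNK]
        crc = zlib.crc32(block, crc)      # CRC-32 accepts a running value
        md5.update(block)
        sha1.update(block)
        sha256.update(block)
    return {
        "crc32": "%08x" % (crc & 0xFFFFFFFF),
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def validate_image(source: bytes, image: bytes) -> list:
    """Return the names of digests that differ between source media and image.

    An empty list means every digest matched, i.e. the acquisition is valid.
    """
    src, img = compute_digests(source), compute_digests(image)
    return [name for name in src if src[name] != img[name]]


# Constructed sample "drive": 5 sectors of 512 bytes with a fake boot signature.
SOURCE = (b"\xeb\x3c\x90" + b"FORENSICS-DEMO".ljust(507, b"\x00") + b"\x55\xaa") * 5
GOOD_IMAGE = bytes(SOURCE)                       # bit-for-bit copy
BAD_IMAGE = SOURCE[:1000] + b"\x01" + SOURCE[1001:]  # one byte flipped in sector 2

if __name__ == "__main__":
    for name, value in compute_digests(SOURCE).items():
        print(f"{name:7s} {value}")
    print("good image mismatches:", validate_image(SOURCE, GOOD_IMAGE))
    print("bad image mismatches: ", validate_image(SOURCE, BAD_IMAGE))
```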
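The Merkle hash signature formulas on the "Validating Data Acquisition" slides (MhX(Author) = h(h(Author) || h(Author.value)), MhX(paragraph) = h(h(paragraph) || h(paragraph.content) || MhX(Author) || MhX(title))) generalize to any element tree. This added example, not from the lecture, implements that general rule with h = SHA-256 over a constructed paragraph element and then uses the per-element hashes to pinpoint which element of a tampered copy was altered. Assumptions: an element without its own content contributes no h(content) term, and children are concatenated in document order.

```python
import hashlib


def h(data: bytes) -> bytes:
    """The hash function h of the slides; SHA-256 is assumed here."""
    return hashlib.sha256(data).digest()


def mhx(node: dict) -> bytes:
    """MhX(node) = h(h(name) || h(content) || MhX(child_1) || ... || MhX(child_n))."""
    buf = h(node["name"].encode())
    if "value" in node:                       # leaf value or element content
        buf += h(node["value"].encode())
    for child in node.get("children", []):
        buf += mhx(child)
    return h(buf)


def changed_paths(a: dict, b: dict, path: str = "") -> list:
    """Compare two same-shaped trees; return paths of the elements actually altered.

    An element is reported only if its hash differs while none of its
    children's hashes do (otherwise the change is attributed to the child).
    """
    here = f"{path}/{a['name']}"
    if mhx(a) == mhx(b):
        return []
    found = []
    for ca, cb in zip(a.get("children", []), b.get("children", [])):
        found += changed_paths(ca, cb, here)
    return found or [here]


# Constructed sample: one paragraph element with Author and title children.
AUTHOR = {"name": "Author", "value": "A. Smith"}
TITLE = {"name": "title", "value": "Council approves budget"}
CONTENT = "The council voted 7-2 on Tuesday to adopt the budget."
PARAGRAPH = {"name": "paragraph", "value": CONTENT, "children": [AUTHOR, TITLE]}
# Tampered copy: only the Author value was changed.
TAMPERED = {"name": "paragraph", "value": CONTENT,
            "children": [{"name": "Author", "value": "B. Jones"}, TITLE]}

if __name__ == "__main__":
    print("MhX(paragraph) =", mhx(PARAGRAPH).hex())
    print("altered elements:", changed_paths(PARAGRAPH, TAMPERED))
```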