04/18/23 1

Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875

Lectures: Tues (CB 122), 7–10 PM

Office hours: Wed 3-5 pm (CSEB 3043), or by appointment.

Textbooks: 1. "Management of Information Security", M. E. Whitman, H. J.

Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition 2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE

Learning, 2010, 4th Edition.

CSE 4482: Computer Security Management: Assessment and Forensics

2

GFCI Ch 1: Computer Forensics

Objectives

• Define computer forensics

• Describe how to prepare for computer investigations and explain the difference between law enforcement agency and corporate investigations

• Explain the importance of maintaining professional conduct

3

What is Computer Forensics?

Definition: Involves obtaining and analyzing digital information, often as evidence in civil, criminal, or administrative cases

Computer forensics:– Investigates data that can be retrieved from a

computer’s hard disk or other storage media– Task of recovering data that users have

hidden or deleted and using it as evidence– Evidence can be inculpatory (“incriminating”)

or exculpatory

4

Computer Forensics Versus Other Related Disciplines

• Network forensics– Yields information about how a perpetrator or

an attacker gained access to a network

• Data recovery– Recovering information that was deleted by

mistake, or lost during a power surge or server crash

– Typically you know what you’re looking for

5

Computer Forensics Versus Other Related Disciplines (continued)

• Disaster recovery– Uses computer forensics techniques to

retrieve information their clients have lost

Investigators often work as a team to make computers and networks secure in an organization

Digital Evidence

• Locard’s principle: “every contact leaves a trace”

• any information, stored or transmitted in digital form, that a party to a court case may use at a trial

To be accepted in court, digital evidence must meet certain criteria …

• Admissibility• Authenticity

Case study• In this case, American Express (Amex) claimed that Mr.

Vinhnee had failed to pay his credit card debts, and took legal action to recover the money. But the trial judge determined that Amex failed to authenticate its electronic records, and therefore Amex could not admit its own business records into evidence. Among other problems, the court said that Amex failed to provide adequate information about its computer policy & system control procedures, control of access to relevant databases & programs, how changes to data were recorded or logged, what backup practices were in place, and how Amex could provide assurance of continuing integrity of their records.

• The judge pointed out that, "... the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record so as to assure that the document being proffered is the same as the document that originally was created ...“

• http://www.proofspace.com/technology/discovery.php

Lessons• Document your access control and backup

procedures and policies and test effectiveness of your controls.

• Have the changes to your databases and content/record management system routinely recorded and logged.

• Protect your electronic record from post-archival tampering with modern data integrity and trusted time-stamping technologies.

• Document the audit procedures you use to provide assurance of the continuing authenticity of the records.

• http://www.proofspace.com/technology/discovery.php

9

The Investigations Triad

10

Computer Forensics: A Brief History • By the 1970s, electronic crimes were increasing,

especially in the financial sector– Most law enforcement officers didn’t know enough

about computers to ask the right questions– Or to preserve evidence for trial

•1980s–PCs gained popularity and different OSs emerged–Disk Operating System (DOS) was available–Forensics tools were simple, and most were generated by government agencies

11

A Brief History (1980s)

• Mid-1980s– Xtree Gold appeared on the market

• Recognized file types and retrieved lost or deleted files

– Norton DiskEdit soon followed• And became the best tool for finding deleted file

•1987 Apple Mac SE -A Macintosh with an external EasyDrive hard disk with 60 MB of storage

12

A Brief History (1990s)

• Tools for computer forensics were available• International Association of Computer Investigative

Specialists (IACIS)• Training on software for forensics investigations• IRS created search-warrant programs• ExpertWitness for the Macintosh

– First commercial GUI software for computer forensics– Created by ASR Data

• ExpertWitness for the Macintosh– Recovers deleted files and fragments of deleted files

• Large hard disks posed problems for investigators

• Other software– iLook– AccessData Forensic Toolkit (FTK)

13

Understanding Case Law

• Technology is evolving at a very rapid pace– Existing laws and statutes cannot keep up

• Case law used when statutes or regulations don’t exist

• Case law allows legal counsel to use previous cases similar to the current one– Because the laws don’t yet exist

• Each case is evaluated on its own merit and issues

• Computer Crime & Intellectual Property document at US DoJ: http://www.cybercrime.gov/ssmanual/index.html

Case study

• “… an investigator viewing computer files by using a search warrant related to drug dealing. While viewing the files, he ran across images of child pornography. Instead of waiting for a new warrant, he kept searching. As a result, all evidence regarding the pictures was excluded. Investigators must be familiar with recent rulings to avoid making similar mistakes.”

• case law does not involve creating new criminal offenses

15

Developing Computer Forensics Resources

• know more than one computing platform– Such as DOS, Windows 9x, Linux, Macintosh, and

current Windows platforms

• Join many computer user groups - Computer Technology Investigators Network (CTIN)– Meets monthly to discuss problems that law enforcement and

corporations face

• High Technology Crime Investigation Association (HTCIA)– Exchanges information about techniques related to

computer investigations and security

16

Developing Computer Forensics Resources (continued)

• User groups can be helpful

• Build a network of computer forensics experts and other professionals– And keep in touch through e-mail

• Outside experts can provide detailed information you need to retrieve digital evidence

Case Study A user group helped convict a child molester in Pierce

County, Washington, in 1996. The suspect installed video cameras throughout his house, served alcohol to young women to intoxicate them, and secretly filmed them playing strip poker. When he was accused of molesting a child, police seized his computers and other physical evidence. The investigator discovered that the computers used CoCo DOS, an OS that had been out of use for years. The investigator contacted a local user group, which supplied the standard commands and other information needed to gain access to the system. On the suspect’s computer, the investigator found a diary detailing the suspect’s actions over the past 15 years, including the molestation of more than 400 young women. As a result, the suspect received a longer sentence than if he had been convicted of molesting only one child.

Investigating Computers

Typically includes• collecting computer data securely,• examining suspect data to determine details

such as origin and content, • presenting compute-based information to

courts, and • applying laws to computer practice.

Two distinct categories• Public investigations• Private or corporate investigations

19

Public investigations

• Involve government agencies responsible for criminal investigations and prosecution

• Organizations must observe legal guidelines

•Law of search and seizure: Protects rights of all people, incl. suspects

20

Private Investigations

• Private or corporate investigations– Deal with private companies, non-law-enforcement

government agencies, and lawyers– Aren’t governed directly by criminal law or Fourth

Amendment issues– Governed by internal policies that define expected

employee behavior and conduct in the workplace

• Private corporate investigations also involve litigation disputes

• Investigations are usually conducted in civil cases

21

Understanding Law Enforcements Agency Investigations

• In a criminal case, a suspect is tried for a criminal offense– Such as burglary, murder, or molestation

• Computers and networks are only tools that can be used to commit crimes– Many states have added specific language to

criminal codes to define crimes involving computers

• Following the legal process– Legal processes depend on local custom,

legislative standards, and rules of evidence

22

Understanding LEA Investigations (continued)

• Criminal case follows three stages: The complaint, the investigation, and the prosecution

23

Understanding LEA Investigations (continued)

• A criminal case begins when someone finds evidence of an illegal act

• Complainant makes an allegation, an accusation or supposition of fact

• A police officer interviews the complainant and writes a report about the crime

• Police blotter provides a record of clues to crimes that have been committed previously

• Investigators delegate, collect, and process the information related to the complaint

24

Understanding LEA Investigations (continued)

• After a case is built, the information is turned over to the prosecutor

• Affidavit– Sworn statement of support of facts about or

evidence of a crime• Submitted to a judge to request a search warrant

– Have the affidavit notarized under sworn oath

• Judge must approve and sign a search warrant, it can be used to collect evidence

25

Understanding LEA Investigations (continued)

26

Understanding Corporate Investigations

• Private or corporate investigations Involve private companies and lawyers who address company policy violations and litigation disputes

• Corporate computer crimes can involve:– E-mail harassment– Falsification of data– Gender and age discrimination– Embezzlement– Sabotage– Industrial espionage

27

Preventive measures• Establishing company policies

– One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow

– Published company policies provide a line of authority

• For a business to conduct internal investigations

– Well-defined policies• Give computer investigators and forensic examiners the

authority to conduct an investigation

• Displaying Warning Banners– Another way to avoid litigation– Usually appears when a computer starts or connects

to the company intranet, network, or virtual private network

28

Preventive measures (continued)– Warning banner

• Informs end users that the organization reserves the right to inspect computer systems and network traffic at will

• Establishes the right to conduct an investigation

– As a corporate computer investigator• Make sure company displays well-defined warning

banner

29

More on Corporate Investigations

• Designating an authorized requester– Authorized requester has the power to conduct

investigations– Policy should be defined by executive management– Groups that should have direct authority to request

computer investigations• Corporate Security Investigations• Corporate Ethics Office• Corporate Equal Employment Opportunity Office• Internal Auditing• The general counsel or Legal Department

Ch 2: Understanding Computer Investigations

Objectives:• Explain how to prepare a computer

investigation• Apply a systematic approach to an

investigation• Describe procedures for corporate high-tech

investigations• Explain requirements for data recovery

workstations and software• Describe how to conduct an investigation• Explain how to complete and critique a case

31

Preparing a Computer Investigation

• Role of computer forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy

• Collect evidence that can be offered in court or at a corporate inquiry– Investigate the suspect’s computer– Preserve the evidence on a different computer

• Follow an accepted procedure to prepare a case• Chain of custody: Route the evidence takes

from the time you find it until the case is closed or goes to court

Case study: CD Universe Prosecution Failure

• “An extortion attempt involving credit card numbers stolen from the computers of Internet retailer CD Universe occurred in January 2000. Someone calling himself “Maxim” said that he had copied 300,000 credit card numbers from their database in December 1999. Maxim threatened to post that confidential data on the Internet unless he was paid $100,000 …Six months after Maxim had broken into CD Universe, US authorities were unable to find him. Even if law enforcement had found him, they probably would not have been able to prosecute the case because e-evidence collected from the company’s computers had not been properly protected. The chain of custody had not been properly established.

• Although it was not clear exactly how the CD Universe evidence was compromised, it seemed that in the initial rush to learn how Maxim got into the company’s network, FBI agents and employees from three computer security firms accessed original files instead of working from a forensic copy. …”

33

An Overview of a Computer Crime

• Computers can contain information that helps law enforcement determine:– Chain of events leading to a crime– Evidence that can lead to a conviction

• Law enforcement officers should follow proper procedure when acquiring the evidence– Digital evidence can be easily altered by an

overeager investigator

• Information on hard disks might be password protected

• Guidelines: Ch 1, 2 in http://www.cybercrime.gov/ssmanual/index.html

34

Examining a Computer Crime

35

An Overview of a Company Policy Violation

• Employees misusing resources can cost companies millions of dollars

• Misuse includes:– Surfing the Internet– Sending personal e-mails– Using company computers for personal tasks

• Example: Two employees have gone missing…

36

Taking a Systematic Approach

• Steps for problem solving– Make an initial assessment about the type

of case you are investigating– Determine a preliminary design or

approach Create a detailed checklist– Determine the resources you need– Obtain and copy an evidence disk drive– Identify the risks– Mitigate or minimize the risks– Test the design

37

Taking a Systematic Approach II

• Steps for problem solving (continued) – Analyze and recover the digital evidence– Investigate the data you recover– Complete the case report– Critique the case

38

Assessing the Case• Systematically outline the case details

– Situation– Nature of the case– Specifics of the case– Type of evidence– Operating system– Known disk format– Location of evidence

• Based on case details, you can determine the case requirements– Type of evidence– Computer forensics tools– Special operating systems

39

Planning an Investigation

A basic investigation plan should include:• Acquire the evidence• Complete an evidence form and establish a chain of

custody• Transport the evidence to a computer forensics lab• Secure evidence in an approved secure container• Prepare a forensics workstation• Obtain the evidence from the secure container• Make a forensic copy of the evidence• Return the evidence to the secure container• Process the copied evidence with computer forensics

tools

40

Securing Your Evidence• Use evidence bags to secure and catalog

the evidence• Use computer safe products

– Antistatic bags– Antistatic pads

• Use well padded containers• Use evidence tape to seal all openings

– Floppy disk or CD drives– Power supply electrical cord

• Write your initials on tape to prove that evidence has not been tampered with

• Consider computer specific temperature and humidity ranges

41

Procedures for Corporate High-Tech Investigations

• Develop formal procedures and informal checklists, to cover all issues important to high-tech investigations

• Majority of investigative work for termination cases involves employee abuse of corporate assets

42

Internet abuse investigations• To conduct an investigation you need:

– Organization’s Internet proxy server logs– Suspect computer’s IP address– Suspect computer’s disk drive– Your preferred computer forensics analysis tool

• Recommended steps– Use standard forensic analysis techniques and procedures– Use appropriate tools to extract all Web page URL

information– Contact the network firewall administrator and request a

proxy server log– Compare the data recovered from forensic analysis to the

proxy server log– Continue analyzing the computer’s disk drive data

43

E-mail abuse investigations• To conduct an investigation you need:

– An electronic copy of the offending e-mail that contains message header data

– If available, e-mail server log records– For e-mail systems that store users’ messages on a central

server, access to the server– Access to the computer for performing forensic analysis – Your preferred computer forensics analysis tool

• Recommended steps– Use the standard forensic analysis techniques– Obtain an electronic copy of the suspect’s and victim’s e-mail

folder or data– For Web-based e-mail investigations, use tools such as FTK’s

Internet Keyword Search option to extract all related e-mail address information

– Examine header data of all messages of interest

44

Attorney-Client Privilege Investigations

• Under attorney-client privilege (ACP) rules for an attorney– You must keep all findings confidential

• The extra secrecy introduces additional problems

45

Media Leak Investigations• In the corporate environment, controlling sensitive

data can be difficult• Consider the following for media leak investigations

– Examine e-mail– Examine Internet message boards– Examine proxy server logs– Examine known suspects’ workstations– Examine all company telephone records

• Steps to take for media leaks– Interview management privately

• To get a list of employees who have direct knowledge of the sensitive data

– Identify media source that published the information– Review company phone records– Obtain a list of keywords related to the media leak– Perform keyword searches on proxy and e-mail servers

46

Media Leak Investigations II

• Steps to take for media leaks (continued)– Discreetly conduct forensic disk acquisitions and

analysis– From the forensic disk examinations, analyze all e-

mail correspondence• And trace any sensitive messages to other people

– Expand the discreet forensic disk acquisition and analysis

– Consolidate and review your findings periodically– Routinely report findings to management

47

Industrial Espionage Investigations

• All suspected industrial espionage cases should be treated as criminal investigations

• Staff needed– Computing investigator who is responsible for disk

forensic examinations– Technology specialist who is knowledgeable of the

suspected compromised technical data– Network specialist who can perform log analysis and

set up network sniffers– Threat assessment specialist (typically an attorney)

• Many guidelines in the text.

48

Understanding Data Recovery Workstations and Software

• Investigations are conducted on a computer forensics lab (or data-recovery lab)

• Computer forensics and data-recovery are related but different

• Computer forensics workstation– Specially configured personal computer– Loaded with additional bays and forensics

software

• To avoid altering the evidence use:– Forensics boot floppy disk– Write-blockers devices

49

Setting Up your Computer for Computer Forensics

• Basic requirements– A workstation running Windows XP or Vista– A write-blocker device– Computer forensics acquisition tool– Computer forensics analysis tool– Target drive to receive the source or suspect disk data– Spare PATA or SATA ports– USB ports

• Additional useful items– Network interface card (NIC)– Extra USB ports– FireWire 400/800 ports– SCSI card– Disk editor tool– Text editor tool– Graphics viewer program– Other specialized viewing tools

50

Bit-Stream Copies

• Bit-stream copy– Bit-by-bit copy of the original storage medium– Exact copy of the original disk – Different from a simple backup copy

• Backup software only copy known files• Backup software cannot copy deleted files, e-mail

messages or recover file fragments

• Bit-stream image– File containing the bit-stream copy of all data on a

disk or partition– Also known as forensic copy

• Copy image file to a target disk that matches the original disk’s manufacturer, size and model

51

Bit-stream Copies (continued)

52

Acquiring an Image of Evidence Media

• First rule of computer forensics: Preserve the original evidence

• Conduct your analysis on a copy of the data• Using ProDiscover Basic to acquire a thumb

drive– Create a work folder for data storage– Steps

• On the thumb drive locate the write-protect switch and place the drive in write-protect mode

• Start ProDiscover Basic

53

ProDiscover use (continued)

54

ProDiscover use (continued)

• Using ProDiscover Basic to acquire a thumb drive (continued)– Steps (continued)

• In the main window, click Action, Capture Image from the menu

• Click the Source Drive drop-down list, and select the thumb drive

• Click the >> button next to the Destination text box• Type your name in the Technician Name text box• ProDiscover Basic then acquires an image of the USB

thumb drive• Click OK in the completion message box

55

ProDiscover use (continued)

56

Analyzing Digital Evidence

• Your job is to recover data from:– Deleted files– File fragments– Complete files

• Deleted files linger on the disk until new data is saved on the same physical location

• Tool– ProDiscover Basic

57

Analyzing Digital Evidence (contd)

• Steps– Start ProDiscover Basic– Create a new case– Type the project number– Add an Image File

• Steps to display the contents of the acquired data– Click to expand Content View– Click All Files under the image filename

path

58

Analyzing Digital Evidence (continued)

59

Analyzing Digital Evidence (contd)

• Analyze the data– Search for information related to the complaint

• Data analysis can be most time-consuming task

60

ProDiscover Basic can

• Search for keywords of interest in the case• Display the results in a search results window• Click each file in the search results window

and examine its content in the data area• Export the data to a folder of your choice• Search for specific filenames• Generate a report of your activities

61

ProDiscover Basic - contd

62

ProDiscover Basic - contd

63

Completing the Case

• You need to produce a final report– State what you did and what you found

• Include ProDiscover report to document your work

• Repeatable findings– Repeat the steps and produce the same result

• If required, use a report template• Report should show conclusive evidence

– Suspect did or did not commit a crime or violate a company policy

64

Critiquing the Case

• Ask yourself the following questions:– How could you improve your performance in the

case?– Did you expect the results you found? Did the

case develop in ways you did not expect?– Was the documentation as thorough as it could

have been?– What feedback has been received from the

requesting source?– Did you discover any new problems? If so, what

are they?– Did you use new techniques during the case or

during research?

Next: Ch 4 - Data Acquisition

Objectives• List digital evidence storage formats• Explain ways to determine the best acquisition

method• Describe contingency planning for data acquisitions• Explain how to use acquisition tools• Explain how to validate data acquisitions• Describe RAID acquisition methods• Explain how to use remote network acquisition

tools• List other forensic tools available for data

acquisitions

66

Understanding Storage Formats for Digital Evidence

• Three formats– Raw format

– Proprietary formats

– Advanced Forensics Format (AFF)

67

Raw Format

• Makes it possible to write bit-stream data to files

• Advantages– Fast data transfers

– Can ignore minor data read errors on source drive

– Most computer forensics tools can read raw format

• Disadvantages– Requires as much storage as original disk or data

– Tools might not collect marginal (bad) sectors

68

Proprietary Formats

• Features offered– Option to compress or not compress image files

– Can split an image into smaller segmented files

– Can integrate metadata into the image file

• Disadvantages– Inability to share an image between different

tools

– File size limitation for each segmented volume

69

Advanced Forensics Format

• Open source, developed by Dr. Simson L. Garfinkel of Basis Technology Corporation

• Design goals– Provide compressed or uncompressed image files

– No size restriction for disk-to-image files

– Provide space in the image file or segmented files for metadata

– Simple design with extensibility

– Internal consistency checks for self-authentication

• File extensions include .afd for segmented image files and .afm for AFF metadata

70

Types of Data Acquisition

• Static acquisitions and live acquisitions

• Four methods– Bit-stream disk-to-image file

– Bit-stream disk-to-disk

– Logical disk-to-disk or disk-to-disk data

– Sparse data copy of a file or folder

71

Bit stream copy

• Bit-stream disk-to-image file– Most common method– Can make more than one copy– Copies are bit-for-bit replications of the original

drive– ProDiscover, EnCase, FTK, SMART, Sleuth Kit,

X-Ways, iLook

• Bit-stream disk-to-disk– When disk-to-image copy is not possible– Consider disk’s geometry configuration– EnCase, SafeBack, SnapCopy

72

Logical acquisition or sparse acquisition

– When your time is limited

– Logical acquisition captures only specific files of interest to the case

– Sparse acquisition also collects fragments of unallocated (deleted) data

– For large disks

– PST or OST mail files, RAID servers

73

Determining the Best Acquisition Method (continued)• When making a copy, consider:

– Size of the source disk• Lossless compression might be useful

• Use digital signatures for verification

– When working with large drives, an alternative is using tape backup systems

– Whether you can retain the disk

74

Contingency Planning for Image Acquisitions

• Create a duplicate copy of your evidence image file

• Make at least two images of digital evidence– Use different tools or techniques

• Copy host protected area of a disk drive as well– Consider using a hardware acquisition tool that can

access the drive at the BIOS level

• Be prepared to deal with encrypted drives– Whole disk encryption feature in Windows Vista

Ultimate and Enterprise editions

75

Using Acquisition Tools

• Acquisition tools for Windows– Advantages

• Make acquiring evidence from a suspect drive more convenient

– Especially when used with hot-swappable devices

– Disadvantages• Must protect acquired data with a well-tested

write-blocking hardware device• Tools can’t acquire data from a disk’s host

protected area

76

Windows XP Write-Protection with USB Devices

• USB write-protection feature– Blocks any writing to USB devices

• Target drive needs to be connected to an internal PATA (IDE), SATA, or SCSI controller

• Steps to update the Registry for Windows XP SP2– Back up the Registry

– Modify the Registry with the write-protection feature

– Create two desktop icons to automate switching between enabling and disabling writes to USB device

77

Windows XP Write-Protection with USB Devices (continued)

78

Acquiring Data with a Linux Boot CD

• Linux can access a drive that isn’t mounted

• Windows OSs and newer Linux automatically mount and access a drive

• Forensic Linux Live CDs don’t access media automatically– Which eliminates the need for a write-blocker

• Using Linux Live CD Distributions– Forensic Linux Live CDs

• Contain additionally utilities

79

Acquiring Data with a Linux Boot CD (continued)

• Using Linux Live CD Distributions (continued)– Forensic Linux Live CDs (continued)

• Configured not to mount, or to mount as read-only, any connected storage media

• Well-designed Linux Live CDs for computer forensics– Helix– Penguin Sleuth– FCCU

• Preparing a target drive for acquisition in Linux– Linux distributions can create Microsoft FAT and

NTFS partition tables

80

Acquiring Data with a Linux Boot CD (continued)

• Preparing a target drive for acquisition in Linux (continued)– fdisk command lists, creates, deletes, and

verifies partitions in Linux– mkfs.msdos command formats a FAT file

system from Linux

• Acquiring data with dd in Linux– dd (“data dump”) command

• Can read and write from media device and data file• Creates raw format file that most computer forensics

analysis tools can read

81

Acquiring Data with dd (contd)– Shortcomings of dd command

• Requires more advanced skills than average user• Does not compress data• dd command is intended as a data management tool, not

designed for forensics acquisitions• dd command combined with the split command: Segments

output into separate volumes

• Acquiring data with dcfldd in Linux– dcfldd additional functions

• Specify hex patterns or text for clearing disk space• Log errors to an output file for analysis and review• Use several hashing options• Refer to a status display indicating the progress of the

acquisition in bytes• Split data acquisitions into segmented volumes with

numeric extensions• Verify acquired data with original disk or media data

82

Capturing an Image with ProDiscover Basic

• Connecting the suspect’s drive to your workstation– Document the chain of evidence for the drive

– Remove the drive from the suspect’s computer

– Configure the suspect drive’s jumpers as needed

– Connect the suspect drive

– Create a storage folder on the target drive

• Using ProDiscover’s Proprietary Acquisition Format– Image file will be split into segments of 650MB

– Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)

83

Capturing an Image with ProDiscover Basic (continued)

84

85

Capturing an Image with ProDiscover Basic (continued)

• Using ProDiscover’s Raw Acquisition Format– Select the UNIX style dd format in the Image

Format list box

– Raw acquisition saves only the image data and hash value

86

Capturing an Image with AccessData FTK Imager

• Included on AccessData Forensic Toolkit• View evidence disks and disk-to-image files• Makes disk-to-image copies of evidence drives

– At logical partition and physical drive level– Can segment the image file

• Evidence drive must have a hardware write-blocking device– Or the USB write-protection Registry feature

enabled

• FTK Imager can’t acquire drive’s host protected area

87

Capturing an Image with AccessData FTK Imager II

88

Steps• Boot to Windows• Connect evidence disk to a write-blocker• Connect target disk to write-blocker

Capturing an Image with AccessData FTK Imager III

–Start FTK Imager–Create Disk Image

•Use Physical Drive option

89

Capturing an Image with AccessData FTK Imager IV

90

Validating Data Acquisitions

• Most critical aspect of computer forensics

• Requires using a hashing algorithm utility

• Validation techniques– CRC-32, MD5, and SHA-1 to SHA-512

91

Linux Validation Methods

• Validating dd acquired data– You can use md5sum or sha1sum utilities

– md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes

• Validating dcfldd acquired data– Use the hash option to designate a hashing algorithm of

md5, sha1, sha256, sha384, or sha512

– hashlog option outputs hash results to a text file that can be stored with the image files

– vf (verify file) option compares the image file to the original medium

92

Windows Validation Methods

• Windows has no built-in hashing algorithm tools for computer forensics– Third-party utilities can be used

• Commercial computer forensics programs also have built-in validation features– Each program has its own validation technique

• Raw format image files don’t contain metadata– Separate manual validation is recommended

for all raw acquisitions

93

Performing RAID Data Acquisitions

• Size is the biggest concern– Many RAID systems now have terabytes of data

• What is RAID and what is it used for?

• Redundant array of independent (formerly “inexpensive”) disks (RAID)– Computer configuration involving two or more

disks

– Originally developed as a data-redundancy measure