
Page 1: Computer Forensic Tools

Computer Forensic Tools

Stefan Hager

Page 2: Computer Forensic Tools

SS 2007 Advanced Computer Networks 2

Overview

- Important policies for computer forensic tools
- Typical workflow for analyzing evidence
- Categories of tools
- Demo

Page 3: Computer Forensic Tools


Important policies for computer forensic tools

- Evidence must not get compromised or contaminated during the investigation
  - disk imaging is necessary
  - ensure data integrity: hashing (MD5, SHA-1, ...)
- Digital evidence must be permitted during litigation
  - it must adhere to the standards of evidence that are admissible in a court of law

Page 4: Computer Forensic Tools


Typical Workflow for analyzing evidence

Page 5: Computer Forensic Tools


Categories of Computer Forensic Tools

- Disk imaging
- Memory imaging
- Data and disk analysis
- Special OS live distributions
- Network forensics

Page 6: Computer Forensic Tools


Disk Imaging

Hardware imagers
- e.g. handhelds that clone source drives
- write blocker to protect the data on the source drive
- fast: up to 4 GB/min (SCSI)
- usually no additional software necessary

Page 7: Computer Forensic Tools


Disk Imaging

- multiple interfaces supported, e.g. IDE, SATA, PATA, SCSI, USB, Firewire, flash cards, ...

Page 8: Computer Forensic Tools


Disk Imaging

Software imagers
- Unix-based imagers: dd, dcfldd, AIR, rdd, sdd
- Windows-based imagers
  - ProDiscover (images FAT12, FAT16, FAT32 and NTFS)
  - AccessData (read, acquire, decrypt, analyze)
- calculate hashes (MD5, SHA-1), checksumming
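The integrity rule from slide 3 and the hashing done by software imagers belong together: the hash is taken from the source bytes while they stream into the image, and every later verification re-hashes the image and compares. The following is an added example written for these notes, not code from the slides or from any of the listed tools; it imitates what dcfldd does with its hash option on a constructed 20 KiB "drive" in a temporary directory, and the file names and sample content are assumptions.

```python
"""Software imaging with in-flight MD5/SHA-1 hashing and later verification (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

CHUNK = 4096  # read/write granularity, the equivalent of dd's bs=


def image_with_hashes(src_path: str, dst_path: str,
                      algorithms=("md5", "sha1")) -> Dict[str, str]:
    """Copy src to dst block by block and hash the bytes as they stream past.

    Returns {algorithm: hexdigest} of the SOURCE bytes, computed in the same pass,
    so the acquisition hash never depends on reading the source a second time.
    """
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            for h in hashes.values():
                h.update(block)
            dst.write(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_file(path: str, algorithms=("md5", "sha1")) -> Dict[str, str]:
    """Hash an existing file with the same algorithms used at acquisition time."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_image(image_path: str, recorded: Dict[str, str]) -> bool:
    """True only if every recorded digest still matches the image."""
    current = hash_file(image_path, tuple(recorded))
    return all(current[name] == recorded[name] for name in recorded)


def demo() -> Tuple[bool, bool]:
    """Constructed source of 20480 bytes: image it, verify, then flip one byte and verify again."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "source.bin")
    img = os.path.join(workdir, "evidence.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 80)  # constructed content, not a real drive
    acquisition = image_with_hashes(src, img)
    intact = verify_image(img, acquisition)
    with open(img, "r+b") as f:
        f.seek(1000)
        f.write(b"\x00")  # simulate a single-byte contamination of the image
    after_tamper = verify_image(img, acquisition)
    return intact, after_tamper


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Both digests are recorded together because the slides list MD5 and SHA-1 side by side; computing two independent hashes in one pass costs little and means a collision in one algorithm does not by itself cast doubt on the image.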

Page 9: Computer Forensic Tools


Memory Imaging

- making an image of physical memory
- Linux: dd captures the contents of physical memory using the device file /dev/mem
- Windows: hibernation file c:\hiberfil.sys

Page 10: Computer Forensic Tools


Data and Disk Analysis Tools

Purpose: extract, manipulate, validate data

Partition recovery (e.g. gpart)
- recover deleted/corrupt partitions
- guess partition tables
- recover boot sector (e.g. fdisk /mbr restores the boot code in the MBR, but not the partition

Data evaluation and recovery (e.g. autopsy)
- restore deleted/corrupt files
- RAID reconstruction (RAID level 0 - striping, level 5)
- password recovery / breaking: open files that are password protected
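Partition recovery starts with the structure the slide mentions, the MBR: boot code, four 16-byte table entries at offset 446 and the 0x55AA signature. The example below is added for these notes and is not code from gpart or the slides. It parses the table from one 512-byte sector, reports each partition's byte offset (what a carving or analysis tool would seek to), and lists sector ranges covered by no entry, which is where a deleted partition whose entry was zeroed would still be found. The sample MBR is constructed; the partition type table is a subset of the common MBR ids.

```python
"""MBR partition table parser and unallocated-space finder (added example)."""
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"        # bytes 510..511 of a valid MBR
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"

# Common MBR partition type ids; anything else is reported as "unknown".
PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> List[Dict]:
    """Return the non-empty primary entries of one 512-byte MBR sector.

    Raises ValueError when the sector has the wrong size or lacks the 0x55AA
    signature, the first sanity check before trusting anything in the table.
    Extended partitions are reported as one container; the EBR chain inside
    them is not followed here.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        status, type_id, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector, off)
        if type_id == 0x00:
            continue  # empty slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type_id": type_id,
            "type": PARTITION_TYPES.get(type_id, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR_SIZE,  # where dd or Autopsy would start reading
            "size_bytes": count * SECTOR_SIZE,
        })
    return entries


def unallocated_gaps(entries: List[Dict], total_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges covered by no table entry, as (start, length) pairs.

    A partition deleted by zeroing its entry leaves its filesystem intact, so
    these gaps are where a recovery tool would look for a recognizable
    superblock or boot sector when guessing the original table.
    """
    gaps = []
    cursor = 1  # sector 0 holds the MBR itself
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] > cursor:
            gaps.append((cursor, e["lba_start"] - cursor))
        cursor = max(cursor, e["lba_start"] + e["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, a bootable NTFS partition, a Linux partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x00\x90"  # stand-in jump, not real boot code
    sector[446:462] = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)
    sector[462:478] = struct.pack(ENTRY_FORMAT, 0x00, 0x83, 206848, 409600)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for e in table:
        print(f"#{e['index']} {e['type']:<16} start={e['lba_start']} sectors={e['sectors']}")
    print("unallocated:", unallocated_gaps(table, 1_000_000))
```

Run against a real image, the first 512 bytes come from the image file opened read-only, never from the original disk, in line with the policy on slide 3.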

Page 11: Computer Forensic Tools


Data and Disk Analysis Tools

Carving (e.g. foremost)
- search an input for files or other kinds of objects based on content
- recover files when directory entries are missing/corrupt, deleted files, damaged media
- look for file headers and footers, "carving out" the blocks between these two boundaries
- usually executed on a disk image and not on the original disk
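The header/footer carving described above, as an added example for these notes (not foremost's code and not from the slides): each file type is a header, a footer and a size cap, the image is scanned for every header, and the bytes up to the first footer within the cap are cut out. The sample image is constructed and deliberately contains one header with no footer, so the example also shows the failure mode of a truncated file. The signatures are the common ones for JPEG, PNG and PDF; the caps are assumptions.

```python
"""Header/footer file carving over a raw image (added example)."""
import os
from typing import Dict, List

# Header, footer and a size cap per type. The cap is what keeps a missing footer
# from swallowing the rest of the image (foremost's config has the same field).
SIGNATURES: Dict[str, Dict] = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_size": 20 * 1024 * 1024},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xae\x42\x60\x82",
            "max_size": 20 * 1024 * 1024},
    "pdf": {"header": b"%PDF-", "footer": b"%%EOF", "max_size": 50 * 1024 * 1024},
}


def carve(image: bytes, signatures: Dict[str, Dict] = SIGNATURES) -> List[Dict]:
    """Find every header of every type and carve up to the first footer within max_size.

    A header with no footer in range is skipped rather than emitted, so truncated
    fragments do not become bogus files. Caveat: a JPEG with an embedded thumbnail
    contains an inner FF D9, so naive carving can stop early on such files.
    """
    results = []
    for name, sig in signatures.items():
        header, footer, cap = sig["header"], sig["footer"], sig["max_size"]
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + cap)
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                pos = start + 1  # no footer within the cap: skip this header
                continue
            end += len(footer)
            results.append({"type": name, "offset": start,
                            "length": end - start, "data": image[start:end]})
            pos = end
    return sorted(results, key=lambda r: r["offset"])


def write_carved(results: List[Dict], out_dir: str) -> List[str]:
    """Write each carved object as <offset>.<type>, the naming foremost-style tools use."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for r in results:
        path = os.path.join(out_dir, f"{r['offset']:08x}.{r['type']}")
        with open(path, "wb") as f:
            f.write(r["data"])
        paths.append(path)
    return paths


def build_sample_image() -> bytes:
    """Constructed 'disk image': zero filler around a JPEG-like blob, a PNG-like blob
    and a PDF header whose footer is missing (a truncated file)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 64 + b"IEND\xae\x42\x60\x82"
    truncated_pdf = b"%PDF-1.4\n" + b"T" * 30
    filler = b"\x00" * 512
    return filler + jpeg + filler + png + filler + truncated_pdf + filler


if __name__ == "__main__":
    for r in carve(build_sample_image()):
        print(f"{r['type']} at offset {r['offset']} length {r['length']}")
```

On a real case the input is the image file from the acquisition step, read in full or in overlapping windows; the JPEG and PNG blobs here carry valid signatures but no real image data, which is all a header/footer carver looks at.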

Page 12: Computer Forensic Tools


Data and Disk Analysis Tools

Metadata extraction
- extract metadata from different file formats (Microsoft Office documents, PDF, binary files, ...)
- MAC times (Modification, Access, Creation - UNIX)
- WAC times (Written, Accessed, Created - Windows)
- file type
- user ID, group ID

Page 13: Computer Forensic Tools


Data and Disk Analysis Tools

Evaluation of timelines (e.g. Zeitline)

- analyzing and evaluating data for event reconstruction
- sources: MAC times, WAC times, system logs, firewall logs, application data
- timelines consist of events (time spans)
- events belonging to the same action are grouped together
- events can have sub- and superevents (hierarchy)

Page 14: Computer Forensic Tools


Data and Disk Analysis Tools

Evaluation of timelines, e.g. events:
- access program gcc
- access file x
- access library y

grouped together to: compile program x

super event of this group could be: install rootkit z
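Slides 12 to 14 together describe one pipeline: metadata (MAC times) and log lines become point events, events close in time are grouped into an action, and actions are nested under a super event. The example below is added for these notes and is not Zeitline's code or the slide author's; it builds that hierarchy from constructed stat records and one constructed syslog line for the gcc/file x/library y scenario. Grouping by a fixed time window is a heuristic chosen here for illustration (Zeitline lets the analyst group by hand or by filter), and the window of five seconds is an assumption. One caveat on the MAC slide: on UNIX the C in MAC is the inode change time (ctime), which is not the file's creation time.

```python
"""Timeline reconstruction from MAC times and log lines (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    """A timeline event is a time span; actions and super events nest other events."""
    start: datetime
    end: datetime
    label: str
    source: str = ""
    sub_events: List["Event"] = field(default_factory=list)


def mac_events(path: str, mtime: datetime, atime: datetime, ctime: datetime) -> List[Event]:
    """One file's stat record yields three point events (start == end).
    On UNIX ctime is the inode change time, not creation."""
    return [
        Event(mtime, mtime, f"modified {path}", "MAC"),
        Event(atime, atime, f"accessed {path}", "MAC"),
        Event(ctime, ctime, f"inode changed {path}", "MAC"),
    ]


# Classic syslog: "Mar 14 10:05:40 host prog[pid]: message" (no year in the line)
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")


def syslog_event(line: str, year: int) -> Optional[Event]:
    """Parse one syslog line; the analyst supplies the year the log was written."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, prog, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return Event(ts, ts, f"{host} {prog}: {msg}", "syslog")


def group_by_window(events: List[Event], window: timedelta) -> List[Event]:
    """Sort events by time and merge runs whose gaps are <= window into one action."""
    actions: List[Event] = []
    for ev in sorted(events, key=lambda e: e.start):
        if actions and ev.start - actions[-1].end <= window:
            current = actions[-1]
            current.sub_events.append(ev)
            current.end = max(current.end, ev.end)
        else:
            actions.append(Event(ev.start, ev.end, f"action {len(actions) + 1}", "grouped", [ev]))
    return actions


def super_event(label: str, actions: List[Event]) -> Event:
    """Nest several actions under one analyst-assigned super event."""
    return Event(min(a.start for a in actions), max(a.end for a in actions),
                 label, "analyst", list(actions))


def build_sample_events() -> List[Event]:
    """Constructed evidence (not real data): four stat records and one syslog line."""
    def t(*hms):
        return datetime(2007, 3, 14, *hms)
    installed = datetime(2007, 1, 10, 8, 0, 0)  # package install time of system files
    events: List[Event] = []
    events += mac_events("/usr/bin/gcc", installed, t(10, 0, 1), installed)
    events += mac_events("/usr/lib/libc.so.6", installed, t(10, 0, 2), installed)
    events += mac_events("/home/user/x.c", t(9, 58, 30), t(10, 0, 2), t(9, 58, 30))
    events += mac_events("/home/user/x", t(10, 0, 3), t(10, 5, 41), t(10, 0, 3))
    line = "Mar 14 10:05:40 host sshd[2231]: Accepted publickey for user from 10.0.0.5 port 50122 ssh2"
    events.append(syslog_event(line, 2007))
    return events


def render(event: Event, depth: int = 0) -> str:
    """Indented text view of the event hierarchy."""
    pad = "  " * depth
    lines = [f"{pad}{event.start:%Y-%m-%d %H:%M:%S} .. {event.end:%H:%M:%S}  {event.label}"]
    for sub in event.sub_events:
        lines.append(render(sub, depth + 1))
    return "\n".join(lines)


def demo():
    """Group with a 5 s window, label the compile action, nest it under a super event."""
    actions = group_by_window(build_sample_events(), timedelta(seconds=5))
    actions[2].label = "compile program x"
    top = super_event("build and run program x", actions[2:])
    return [len(a.sub_events) for a in actions], top.start.isoformat(), top.end.isoformat()


if __name__ == "__main__":
    print(demo())
```

The old install-time events of gcc and libc fall into their own group far away on the timeline, which is the usual picture: most MAC events on a system are noise from installation, and the grouping step is what makes the short burst around 10:00 stand out.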

Page 15: Computer Forensic Tools


Special OS Live Distributions

Free distributions
- DEFT Linux (built upon Kubuntu)
- Helix (built upon Knoppix)

Commercial distributions
- SMART Linux (by ASR Data)
- MacQuisition Boot CD (for imaging Macintosh systems)

Page 16: Computer Forensic Tools


Network forensics

Network vulnerability scanners (e.g. Nessus)
- based on a security vulnerability database
- detects remote as well as local flaws

Network protocol analyzers (e.g. Wireshark, Ethereal)
- many protocols supported
- live capture / offline analysis
- VoIP analysis

Page 17: Computer Forensic Tools


Network forensics

Search for rootkits (e.g. chkrootkit)
- scripts for checking system binaries for rootkit information
- checks for signs of trojans
- checks whether the interface is in promiscuous mode
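The promiscuous-mode check is the simplest of the three and a good one to understand: an interface in promiscuous mode accepts frames not addressed to it, which is what a sniffer left behind on a host needs. The example below is added for these notes, not chkrootkit's code or the slide author's. It parses the flag out of `ip -o link` output and out of legacy `ifconfig` output; both sample listings are constructed. The caveat that chkrootkit's documentation also makes applies: a rootkit can patch the tools or the kernel so the flag is not shown, so the check is only trustworthy from a clean live medium.

```python
"""Promiscuous-mode check over interface listings (added example)."""
import re
import shutil
import subprocess
from typing import List

# `ip -o link` prints one interface per line: "<index>: <name>: <FLAG,FLAG,...> mtu ..."
IP_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def promiscuous_from_ip_link(output: str) -> List[str]:
    """Interfaces whose flag set contains PROMISC, in listing order."""
    found = []
    for line in output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promiscuous_from_ifconfig(output: str) -> List[str]:
    """Legacy net-tools ifconfig: one block per interface, flags on a line such as
    'UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'."""
    found = []
    for block in re.split(r"\n\s*\n", output.strip()):
        lines = block.splitlines()
        if not lines:
            continue
        name = lines[0].split()[0].rstrip(":")
        if any(re.search(r"\bPROMISC\b", l) for l in lines[1:]):
            found.append(name)
    return found


def live_check() -> List[str]:
    """Run `ip -o link show` on this host if the tool exists.

    Caveat: a rootkit that patches ip/ifconfig or hooks the kernel can hide the flag,
    so a result of [] from a suspect host is not proof; run the check from trusted media.
    """
    ip = shutil.which("ip")
    if not ip:
        return []
    proc = subprocess.run([ip, "-o", "link", "show"], capture_output=True, text=True, check=False)
    return promiscuous_from_ip_link(proc.stdout)


# Constructed sample output (not captured from a real host). eth1 is the finding.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
"""

SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 52:54:00:ab:cd:ef
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

if __name__ == "__main__":
    print("ip link  :", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    print("ifconfig :", promiscuous_from_ifconfig(SAMPLE_IFCONFIG))
    print("this host:", live_check())
```

A legitimate packet capture (a monitoring box running Wireshark) also sets PROMISC, so the finding is a lead to be explained, not a verdict on its own.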

Page 18: Computer Forensic Tools


Demo

Page 19: Computer Forensic Tools


References

Vacca, J. R.: Computer Forensics: Computer Crime Scene Investigation. Hingham, Mass.: Charles River Media 2002.
http://www.forensicswiki.org
http://www.forensics.nl/toolkits
http://en.wikipedia.org/wiki/Digital_Forensic_Tools

Page 20: Computer Forensic Tools


References

http://en.wikipedia.org/wiki/Computer_forensics
http://www.encase.com/products/ef_works.aspx

Page 21: Computer Forensic Tools


Tools

http://www.chkrootkit.org/
http://www.guidancesoftware.com/
http://www.sleuthkit.org/autopsy/desc.php
http://foremost.sf.net/
http://www.sleuthkit.org/
http://www.porcupine.org/forensics/tct.html

Page 22: Computer Forensic Tools


Tools

http://projects.cerias.purdue.edu/forensics/timeline.php
http://www.porcupine.org/forensics/tct.html
http://www.forensicswiki.org/wiki/Helix
http://www.stevelab.net/deft/
http://www.wireshark.org/

Page 23: Computer Forensic Tools


Questions

1. Briefly explain three tasks of disk analysis tools (slides 10-14)

2. What are important policies for computer forensic tools? (Slide 3)

Page 24: Computer Forensic Tools


Thank you for your attention!