Guide to Computer Forensics and Investigations, Third Edition
Chapter 9
Computer Forensics Analysis and Validation
(Slide transcript; source: ...2profs.net/steve/CISNTWK442/Ch09.pdf)
Objectives
• Determine what data to analyze in a computer forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques
• Describe methods of performing a remote acquisition
Guide to Computer Forensics and Investigations 2
Determining What Data to Collect and Analyze
• Examining and analyzing digital evidence depends on:
  – Nature of the case
  – Amount of data to process
  – Search warrants and court orders
  – Company policies
• Scope creep
  – Investigation expands beyond the original description
• Right of full discovery of digital evidence
Approaching Computer Forensics Cases
• Some basic principles apply to almost all computer forensics cases
  – The approach you take depends largely on the specific type of case you’re investigating
• Basic steps for all computer forensics investigations
  – For target drives, use only recently wiped media that have been reformatted
    • And inspected for computer viruses
Approaching Computer Forensics Cases (continued)
• Basic steps for all computer forensics investigations (continued)
  – Inventory the hardware on the suspect’s computer and note the condition of the computer when seized
  – Remove the original drive from the computer
    • Check date and time values in the system’s CMOS
  – Record how you acquired data from the suspect drive
  – Process the data methodically and logically
Approaching Computer Forensics Cases (continued)
• Basic steps for all computer forensics investigations (continued)
  – List all folders and files on the image or drive
  – If possible, examine the contents of all data files in all folders
    • Starting at the root directory of the volume partition
  – For all password-protected files that might be related to the investigation
    • Make your best effort to recover file contents
Approaching Computer Forensics Cases (continued)
• Basic steps for all computer forensics investigations (continued)
  – Identify the function of every executable (binary or .exe) file that doesn’t match known hash values
  – Maintain control of all evidence and findings, and document everything as you progress through your examination
Refining and Modifying the Investigation Plan
• Considerations
  – Determine the scope of the investigation
  – Determine what the case requires
  – Whether you should collect all information
  – What to do in case of scope creep
• The key is to start with a plan but remain flexible in the face of new evidence
Using AccessData Forensic Toolkit to Analyze Data
• Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
• FTK can analyze data from several sources, including image files from other vendors
• FTK produces a case log file
• Searching for keywords
  – Indexed search
  – Live search
  – Supports options and advanced searching techniques, such as stemming
Using AccessData Forensic Toolkit to Analyze Data (continued)
(Slides 10 and 11: screenshots only, no text)
Using AccessData Forensic Toolkit to Analyze Data (continued)
• Analyzes compressed files
• You can generate reports
  – Using bookmarks
Using AccessData Forensic Toolkit to Analyze Data (continued)
(Slide 13: screenshot only, no text)
Validating Forensic Data
• One of the most critical aspects of computer forensics
• Ensuring the integrity of data you collect is essential for presenting evidence in court
• Most computer forensic tools provide automated hashing of image files
• Computer forensics tools have some limitations in performing hashing
  – Learning how to use advanced hexadecimal editors is necessary to ensure data integrity
Validating with Hexadecimal Editors
• Advanced hexadecimal editors offer many features not available in computer forensics tools
  – Such as hashing specific files or sectors
• Hex Workshop provides several hashing algorithms
  – Such as MD5 and SHA-1
  – See Figures 9-4 through 9-6
• Hex Workshop also generates the hash value of selected data sets in a file or sector
Validating with Hexadecimal Editors (continued)
(Slides 16 through 18: screenshots only, no text)
Validating with Hexadecimal Editors (continued)
• Using hash values to discriminate data
  – AccessData has a separate database, the Known File Filter (KFF)
    • Filters known program files from view, such as MSWord.exe, and identifies known illegal files, such as child pornography
  – KFF compares known file hash values to files on your evidence drive or image files
  – Periodically, AccessData updates these known file hash values and posts an updated KFF
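As an added example (not the textbook's code and not AccessData's KFF), a small hash-set filter of the kind KFF implements; it also covers the earlier step of identifying executables whose hashes match nothing known, by queuing them for manual review. Every hash-set entry and evidence file below is constructed, and the names `SAMPLE_HASH_SET`, `SAMPLE_EVIDENCE` and `triage` are assumptions.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

IGNORE = "ignore"    # known program/OS file: filter from the examiner's view
ALERT = "alert"      # known illegal content: flag for the examiner
UNKNOWN = "unknown"  # no match in the hash set: needs manual examination


def file_hashes(data: bytes) -> Tuple[str, str]:
    """MD5 and SHA-1 hex digests, the two algorithms the slides name."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def build_hash_set(known: Iterable[Tuple[bytes, str]]) -> Dict[str, str]:
    """Index each known file under both digests so either algorithm can match."""
    table: Dict[str, str] = {}
    for data, status in known:
        for digest in file_hashes(data):
            table[digest] = status
    return table


def classify(files: Dict[str, bytes], hash_set: Dict[str, str]) -> Dict[str, str]:
    """Hash every evidence file and look it up; the filename plays no part,
    so a renamed file with a known hash is still caught."""
    verdicts: Dict[str, str] = {}
    for name, data in files.items():
        md5, sha1 = file_hashes(data)
        verdicts[name] = hash_set.get(md5) or hash_set.get(sha1) or UNKNOWN
    return verdicts


EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".com", ".scr")


def review_queue(verdicts: Dict[str, str]) -> List[str]:
    """Executables with no known hash: their function must be identified by hand."""
    return sorted(name for name, verdict in verdicts.items()
                  if verdict == UNKNOWN and name.lower().endswith(EXECUTABLE_EXT))


# Constructed sample data: stand-ins, not real KFF entries or real files.
KNOWN_PROGRAM = b"MZ\x90\x00 constructed stand-in for a stock program file"
KNOWN_ILLEGAL = b"constructed stand-in for a file on the alert list"
SAMPLE_HASH_SET = build_hash_set([(KNOWN_PROGRAM, IGNORE), (KNOWN_ILLEGAL, ALERT)])
SAMPLE_EVIDENCE = {
    "Program Files/Editor/editor.exe": KNOWN_PROGRAM,
    "Users/suspect/renamed.dat": KNOWN_ILLEGAL,   # renamed, hash still matches
    "Users/suspect/tool.exe": b"MZ\x90\x00 constructed unknown executable",
    "Users/suspect/notes.txt": b"constructed meeting notes",
}


def triage(files: Dict[str, bytes] = SAMPLE_EVIDENCE,
           hash_set: Dict[str, str] = SAMPLE_HASH_SET):
    """Verdict per file plus the list of unknown executables to examine."""
    verdicts = classify(files, hash_set)
    return verdicts, review_queue(verdicts)


if __name__ == "__main__":
    verdicts, queue = triage()
    for name, verdict in sorted(verdicts.items()):
        print(f"{verdict:8} {name}")
    print("manual review:", queue)
```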
Validating with Computer Forensics Programs
• Commercial computer forensics programs have built-in validation features
• ProDiscover’s .eve files contain metadata that includes the hash value
  – Validation is done automatically
• Raw format image files (.dd extension) don’t contain metadata
  – So you must validate raw format image files manually to ensure the integrity of data
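An added example of validating a raw .dd image manually, as the slide calls for; it is not the textbook's or any vendor's code. It hashes a constructed image in chunks, compares the result with digests as an acquisition log would have recorded them, and keeps per-sector digests (the selected-range hashing a hex editor offers) so that a later mismatch can be localised to a sector. The function names and the eight-sector sample image are assumptions.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

SECTOR = 512


def hash_image(path: str, algorithms: Iterable[str] = ("md5", "sha1"),
               chunk: int = 1 << 20) -> Dict[str, str]:
    """Hash a raw image in chunks; a multi-gigabyte image never sits in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_sectors(path: str, first: int, count: int, algorithm: str = "md5") -> str:
    """Hash a run of sectors, the selected-range check a hex editor provides."""
    with open(path, "rb") as f:
        f.seek(first * SECTOR)
        data = f.read(count * SECTOR)
    if len(data) != count * SECTOR:
        raise ValueError("sector range runs past the end of the image")
    return hashlib.new(algorithm, data).hexdigest()


def validate(path: str, recorded: Dict[str, str]) -> Tuple[bool, Dict[str, Tuple[str, str]]]:
    """Recompute every recorded digest; return (all_match, {algo: (recorded, actual)})."""
    actual = hash_image(path, recorded.keys())
    mismatches = {algo: (recorded[algo], actual[algo]) for algo in recorded
                  if recorded[algo].lower() != actual[algo]}
    return not mismatches, mismatches


def sector_map(path: str, sector_count: int) -> Dict[int, str]:
    """Per-sector digests taken at acquisition time."""
    return {i: hash_sectors(path, i, 1) for i in range(sector_count)}


def changed_sectors(path: str, baseline: Dict[int, str]) -> List[int]:
    """Sectors whose digest no longer matches the baseline."""
    return [i for i, digest in baseline.items() if hash_sectors(path, i, 1) != digest]


def demo() -> Tuple[bool, bool, List[str], List[int]]:
    """Constructed 8-sector image: validate, flip one bit in sector 3, validate again."""
    image = bytearray(8 * SECTOR)
    image[0:15] = b"constructed MBR"
    image[3 * SECTOR:3 * SECTOR + 16] = b"constructed data"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.dd")
        with open(path, "wb") as f:
            f.write(image)
        recorded = hash_image(path)        # what the acquisition log would hold
        baseline = sector_map(path, 8)
        ok_before, _ = validate(path, recorded)
        image[3 * SECTOR + 100] ^= 0x01    # a single bit altered after acquisition
        with open(path, "wb") as f:
            f.write(image)
        ok_after, mismatches = validate(path, recorded)
        where = changed_sectors(path, baseline)
    return ok_before, ok_after, sorted(mismatches), where


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha1'], [3])
```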
Validating with Computer Forensics Programs (continued)
• In AccessData FTK Imager
  – When you select the Expert Witness (.e01) or the SMART (.s01) format
    • Additional options for validating the acquisition are displayed
  – Validation report lists MD5 and SHA-1 hash values
• Figure 9-7 shows how ProDiscover’s built-in validation feature works
Validating with Computer Forensics Programs (continued)
(Slide 22: screenshot only, no text)
Addressing Data-hiding Techniques
• File manipulation
  – Filenames and extensions
  – Hidden property
• Disk manipulation
  – Hidden partitions
  – Bad clusters
• Encryption
  – Bit shifting
  – Steganography
Hiding Partitions
• Delete references to a partition using a disk editor
  – Re-create links for accessing it
• Use disk-partitioning utilities
  – GDisk
  – PartitionMagic
  – System Commander
  – LILO
• Account for all disk space when analyzing a disk
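An added example of accounting for all disk space, not code from the textbook: it decodes an MBR partition table, lists every run of sectors that no partition claims, and checks whether the first sector of each gap still carries a volume boot record, which is what a partition whose table entry was deleted with a disk editor leaves behind. The MBR, the disk size and the leftover NTFS boot sector are constructed; `audit`, `build_mbr` and the other names are assumptions.

```python
import struct
from typing import Callable, List, Tuple

ENTRY_OFFSET, ENTRY_SIZE, SIGNATURE = 446, 16, b"\x55\xAA"
Partition = Tuple[int, int, int]   # (type byte, first LBA, sector count)


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Decode the four primary entries; zeroed (deleted) entries are skipped."""
    if len(mbr) < 512 or mbr[510:512] != SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR")
    parts: List[Partition] = []
    for i in range(4):
        off = ENTRY_OFFSET + i * ENTRY_SIZE
        ptype = mbr[off + 4]
        first, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0 and count == 0:
            continue
        parts.append((ptype, first, count))
    return parts


def unallocated(parts: List[Partition], total_sectors: int) -> List[Tuple[int, int]]:
    """Runs of sectors claimed by no partition, as (first LBA, length)."""
    gaps: List[Tuple[int, int]] = []
    cursor = 1                       # sector 0 is the MBR itself
    for _, first, count in sorted(parts, key=lambda p: p[1]):
        if first > cursor:
            gaps.append((cursor, first - cursor))
        cursor = max(cursor, first + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def boot_sector_type(sector: bytes) -> str:
    """Does a supposedly free sector still look like a volume boot record?"""
    if len(sector) != 512 or sector[510:512] != SIGNATURE:
        return ""
    if sector[3:7] == b"NTFS":
        return "NTFS"
    if sector[82:87] == b"FAT32":
        return "FAT32"
    if sector[54:59] in (b"FAT12", b"FAT16"):
        return sector[54:59].decode()
    return "unknown (boot signature present)"


def audit(mbr: bytes, total_sectors: int,
          read_sector: Callable[[int], bytes]) -> List[Tuple[int, int, str]]:
    """For each gap: where it starts, how long it is, and what its first sector looks like."""
    return [(first, length, boot_sector_type(read_sector(first)))
            for first, length in unallocated(parse_mbr(mbr), total_sectors)]


def build_mbr(entries: List[Partition]) -> bytes:
    """Pack a partition table (used only to construct the sample below)."""
    mbr = bytearray(512)
    for i, (ptype, first, count) in enumerate(entries):
        off = ENTRY_OFFSET + i * ENTRY_SIZE
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, first, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


# Constructed disk: 20480 sectors, two listed partitions (FAT32 at 2048, NTFS at
# 12288) and a former partition at LBA 10240 whose entry was zeroed but whose
# NTFS boot sector was never overwritten.
SAMPLE_MBR = build_mbr([(0x0B, 2048, 8192), (0x07, 12288, 4096)])
_leftover = bytearray(512)
_leftover[0:11] = b"\xEB\x52\x90NTFS    "
_leftover[510:512] = SIGNATURE
SAMPLE_SECTORS = {10240: bytes(_leftover)}


def audit_demo() -> List[Tuple[int, int, str]]:
    return audit(SAMPLE_MBR, 20480, lambda lba: SAMPLE_SECTORS.get(lba, bytes(512)))


if __name__ == "__main__":
    for first, length, kind in audit_demo():
        print(f"gap at LBA {first:>6}, {length:>5} sectors, boot record: {kind or 'none'}")
```

The 2047-sector gap before the first partition is ordinary alignment space; the gap at 10240 that still holds an NTFS boot record is the one an examiner would carve.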
Hiding Partitions (continued)
(Slides 25 and 26: screenshots only, no text)
Marking Bad Clusters
• Common with FAT systems
• Place sensitive information on free space
• Use a disk editor to mark space as a bad cluster
• To mark a good cluster as bad using Norton Disk Edit
  – Type B in the FAT entry corresponding to that cluster
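An added example (not the textbook's code) of the examiner's response to this technique: it walks one copy of a FAT12, FAT16 or FAT32 table, lists the clusters marked bad, groups them into runs and computes where each cluster's data sits in the volume so its content can be inspected. The FAT16 table and the volume geometry are constructed; `report` and the other names are assumptions.

```python
import struct
from typing import Iterator, List, Tuple

# Entry value that marks a cluster bad in each FAT variant.
BAD_MARK = {"FAT12": 0xFF7, "FAT16": 0xFFF7, "FAT32": 0x0FFFFFF7}


def fat_entries(fat: bytes, fat_type: str) -> Iterator[Tuple[int, int]]:
    """Yield (cluster number, entry value) for one copy of the allocation table."""
    if fat_type == "FAT12":
        n = 0                               # 12-bit entries, packed 2 per 3 bytes
        while (n * 3) // 2 + 1 < len(fat):
            off = (n * 3) // 2
            word = fat[off] | (fat[off + 1] << 8)
            yield n, (word >> 4) if n & 1 else (word & 0x0FFF)
            n += 1
    elif fat_type == "FAT16":
        for n, (v,) in enumerate(struct.iter_unpack("<H", fat[:len(fat) // 2 * 2])):
            yield n, v
    elif fat_type == "FAT32":
        for n, (v,) in enumerate(struct.iter_unpack("<I", fat[:len(fat) // 4 * 4])):
            yield n, v & 0x0FFFFFFF         # top 4 bits are reserved
    else:
        raise ValueError(f"unsupported FAT type {fat_type!r}")


def bad_clusters(fat: bytes, fat_type: str) -> List[int]:
    """Clusters flagged bad; entries 0 and 1 are reserved and never data clusters."""
    mark = BAD_MARK[fat_type]
    return [n for n, v in fat_entries(fat, fat_type) if n >= 2 and v == mark]


def runs(clusters: List[int]) -> List[Tuple[int, int]]:
    """Collapse a sorted cluster list into (first, last) runs for the report."""
    out: List[Tuple[int, int]] = []
    for c in clusters:
        if out and c == out[-1][1] + 1:
            out[-1] = (out[-1][0], c)
        else:
            out.append((c, c))
    return out


def cluster_offset(cluster: int, bytes_per_sector: int, sectors_per_cluster: int,
                   first_data_sector: int) -> int:
    """Byte offset of a cluster within the volume (data area starts at cluster 2)."""
    return (first_data_sector + (cluster - 2) * sectors_per_cluster) * bytes_per_sector


# Constructed FAT16 table: a two-cluster file (2 -> 3), free space, and three
# clusters flagged bad, two of them adjacent.
SAMPLE_FAT16 = struct.pack("<9H", 0xFFF8, 0xFFFF, 0x0003, 0xFFFF, 0x0000,
                           0xFFF7, 0xFFF7, 0x0000, 0xFFF7)


def report(fat: bytes = SAMPLE_FAT16, fat_type: str = "FAT16", bytes_per_sector: int = 512,
           sectors_per_cluster: int = 4, first_data_sector: int = 100):
    """Bad-cluster runs and the byte offset of every bad cluster."""
    bad = bad_clusters(fat, fat_type)
    offsets = [cluster_offset(c, bytes_per_sector, sectors_per_cluster, first_data_sector)
               for c in bad]
    return runs(bad), offsets


if __name__ == "__main__":
    bad_runs, offsets = report()
    print("bad cluster runs:", bad_runs)
    print("byte offsets to examine:", offsets)
```

A bad cluster that reads without error, or that holds recognisable file content rather than a failed sector, is the signal to look closer.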
Bit-shifting
• Old technique
• Shift bit patterns to alter byte values of data
• Make files look like binary executable code
• Tool
  – Hex Workshop
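An added example (not the textbook's or Hex Workshop's code) of the examiner's side of bit shifting: it models the shift as a per-byte rotation (a simplification; a shift carried across byte boundaries is a variant this does not handle), scores all eight rotations of a suspect block by how much printable text they yield, and returns the one that reads. The sample block is constructed from a constructed sentence; `recover` and the other names are assumptions.

```python
from typing import List, Optional, Tuple

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def rotate_left(data: bytes, bits: int) -> bytes:
    """Rotate every byte left by `bits` (0..7); rotating by 8 - bits undoes it."""
    bits %= 8
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def rank_rotations(data: bytes) -> List[Tuple[int, float]]:
    """All eight rotations scored by printable ratio, best first."""
    scored = [(bits, printable_ratio(rotate_left(data, bits))) for bits in range(8)]
    return sorted(scored, key=lambda s: -s[1])


def recover(data: bytes, threshold: float = 0.95) -> Optional[Tuple[int, bytes]]:
    """(rotation, recovered bytes) when exactly one non-zero rotation reads as text.

    Returns None when the block is already text (rotation 0 scores best) or when
    no rotation clears the threshold, which is what genuine machine code does."""
    bits, score = rank_rotations(data)[0]
    if bits == 0 or score < threshold:
        return None
    return bits, rotate_left(data, bits)


# Constructed sample: a sentence rotated three bits left, standing in for a
# block that an examiner found looking like binary rather than text.
SAMPLE_HIDDEN = rotate_left(b"Meeting at the warehouse, 9pm", 3)

if __name__ == "__main__":
    for bits, score in rank_rotations(SAMPLE_HIDDEN):
        print(f"rotate left {bits}: printable {score:.2f}")
    print(recover(SAMPLE_HIDDEN))   # (5, b'Meeting at the warehouse, 9pm')
```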
Bit-shifting (continued)
(Slides 29 through 31: screenshots only, no text)
Using Steganography to Hide Data
• Greek for “hidden writing”
• Steganography tools were created to protect copyrighted material
  – By inserting digital watermarks into a file
• Suspect can hide information on image or text document files
  – Most steganography programs can insert only small amounts of data into a file
• Very hard to spot without prior knowledge
• Tools: S-Tools, DPEnvelope, jpgx, and tte
Examining Encrypted Files
• Prevent unauthorized access
  – Employ a password or passphrase
• Recovering data is difficult without password
  – Key escrow
    • Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
  – Cracking password
    • Expert and powerful computers
  – Persuade suspect to reveal password
Recovering Passwords
• Techniques
  – Dictionary attack
  – Brute-force attack
  – Password guessing based on suspect’s profile
• Tools
  – AccessData PRTK
  – Advanced Password Recovery Software Toolkit
  – John the Ripper
Recovering Passwords (continued)
• Using AccessData tools with passworded and encrypted files
  – AccessData offers a tool called Password Recovery Toolkit (PRTK)
    • Can create possible password lists from many sources
  – Can create your own custom dictionary based on facts in the case
  – Can create a suspect profile and use biographical information to generate likely passwords
Recovering Passwords (continued)
(Slides 36 through 38: screenshots only, no text)
Recovering Passwords (continued)
• Using AccessData tools with passworded and encrypted files (continued)
  – FTK can identify known encrypted files and those that seem to be encrypted
    • And export them
  – You can then import these files into PRTK and attempt to crack them
Recovering Passwords (continued)
(Slides 40 and 41: screenshots only, no text)
Performing Remote Acquisitions
• Remote acquisitions are handy when you need to image the drive of a computer far away from your location
  – Or when you don’t want a suspect to be aware of an ongoing investigation
Remote Acquisitions with Runtime Software
• Runtime Software offers the following shareware programs for remote acquisitions:
  – DiskExplorer for FAT
  – DiskExplorer for NTFS
  – HDHOST
• Preparing DiskExplorer and HDHOST for remote acquisitions
  – Requires the Runtime Software, a portable media device (USB thumb drive or floppy disk), and two networked computers
Remote Acquisitions with Runtime Software (continued)
• Making a remote connection with DiskExplorer
  – Requires running HDHOST on a suspect’s computer
  – To establish a connection with HDHOST, the suspect’s computer must be:
    • Connected to the network
    • Powered on
    • Logged on to any user account with permission to run noninstalled applications
  – HDHOST can’t be run surreptitiously
  – See Figures 9-18 through 9-24
Remote Acquisitions with Runtime Software (continued)
(Slides 45 through 51: screenshots only, no text)
Remote Acquisitions with Runtime Software (continued)
• Making a remote acquisition with DiskExplorer
  – After you have established a connection with DiskExplorer from the acquisition workstation
    • You can navigate through the suspect computer’s files and folders or copy data
  – The Runtime tools don’t generate a hash for acquisitions
Remote Acquisitions with Runtime Software (continued)
(Slide 53: screenshot only, no text)
Summary
• Examining and analyzing digital evidence depends on the nature of the investigation and the amount of data you have to process
• For most computer forensics investigations, you follow the same general procedures
• One of the most critical aspects of computer forensics is validating digital evidence
Summary (continued)
• Data hiding involves changing or manipulating a file to conceal information
• Remote acquisitions are useful for making an image of a drive when the computer is far away from your location or when you don’t want a suspect to be aware of an ongoing investigation