
  • Number of slides: 29

Computer Forensics Tools: Hardware and Software Forensic Tools

Computer Forensic Tools
  • Tools are used to analyze digital data & prove or disprove criminal activity
  • Used in 2 of the 3 phases of computer forensics
      - Acquisition – images systems & gathers evidence
      - Analysis – examines data & recovers deleted content
      - Presentation – tools not used
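The acquisition phase above is where tools are most exposed to reliability questions later in court: the image must be bit-for-bit identical to the source, and anything that is not (an unreadable sector, for example) must be recorded. The following is an added example, not code from the slides or from any of the products they name. It images a constructed in-memory "device" (the FakeDevice class is a stand-in for a block device, with one sector that fails to read), zero-fills the unreadable sector the way `dd conv=noerror,sync` does, hashes the bytes written with MD5 and SHA-256 during the copy, and then re-reads the image to verify it against those hashes.

```python
"""Bit-for-bit acquisition of a source device into an image file with
integrity hashes (added example for the Acquisition phase).

Constructed example: the "device" is an in-memory object whose read()
raises IOError for one bad sector, so the error path runs offline."""
import hashlib
import os
import tempfile

SECTOR = 512


class FakeDevice:
    """Constructed stand-in for a block device; `bad_sector` is unreadable."""

    def __init__(self, data, bad_sector=None):
        self.data = data
        self.bad_sector = bad_sector

    def size(self):
        return len(self.data)

    def read(self, offset, size):
        # Fail if the bad sector lies anywhere inside the requested range.
        if self.bad_sector is not None and offset <= self.bad_sector * SECTOR < offset + size:
            raise IOError("read error at sector %d" % self.bad_sector)
        return self.data[offset:offset + size]


def acquire(device, image_path, block_size=SECTOR * 8):
    """Copy the device to image_path. Unreadable sectors are zero-filled and
    recorded so the report shows exactly which bytes are not original.
    Returns an acquisition record with hashes of what was written."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_sectors = []
    total = device.size()
    with open(image_path, "wb") as img:
        offset = 0
        while offset < total:
            size = min(block_size, total - offset)
            try:
                chunk = device.read(offset, size)
            except IOError:
                # Retry sector by sector so only the failing sector is lost.
                buf = bytearray()
                for s in range(offset, offset + size, SECTOR):
                    n = min(SECTOR, total - s)
                    try:
                        buf += device.read(s, n)
                    except IOError:
                        bad_sectors.append(s // SECTOR)
                        buf += b"\x00" * n
                chunk = bytes(buf)
            img.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
            offset += size
    return {"bytes": total, "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest(), "bad_sectors": bad_sectors}


def hash_file(path):
    """Hash a file in 1 MiB chunks; returns (md5, sha256) hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify(image_path, record):
    """Re-read the image and confirm it hashes to what acquire() recorded."""
    md5, sha256 = hash_file(image_path)
    return md5 == record["md5"] and sha256 == record["sha256"]


def demo():
    """Image a constructed 8-sector device with sector 3 unreadable."""
    data = bytes(range(256)) * 16  # 4096 bytes = 8 sectors (constructed)
    dev = FakeDevice(data, bad_sector=3)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.dd")
        record = acquire(dev, path)
        verified = verify(path, record)
        with open(path, "rb") as f:
            image = f.read()
    # Good sectors must match the source; sector 3 must be zero-filled.
    expected = data[:3 * SECTOR] + b"\x00" * SECTOR + data[4 * SECTOR:]
    return record, verified, image == expected


if __name__ == "__main__":
    rec, ok, exact = demo()
    print(rec, "verified:", ok, "layout as expected:", exact)
```

The record returned by acquire() is what an examiner would carry into the analysis phase: the hashes prove the image has not changed since acquisition, and the bad-sector list documents the one place where the image is known to differ from the source.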

Admissibility of Forensic Evidence in Court
  • Data must be relevant & reliable
  • Reliability of evidence gathered by tools is assessed by the judge in a pre-trial hearing, aka a Daubert hearing
  • Assesses the methodology used to gather evidence
      - Sound scientific practices?
      - Reliable evidence?

Pre-trial Hearings
  • Frye Test – past method
      - Responsibility on scientific community
      - Defined acceptable evidence gathering procedures
      - Used peer-reviewed journals
  • Daubert Hearing – current method
      - Offers additional methods to test quality of evidence
Source: http://www.owlinvestigations.com/forensic_articles/aural_spectrographic/standards_of_admissibility.html

Daubert Hearing Process
  • Testing – Is this procedure tested?
  • Error Rate – What is the error rate of this procedure?
  • Publication – Has the procedure been published and reviewed by peers?
  • Acceptance – Is the procedure generally accepted within the relevant scientific community?
Sources: http://www.daubertexpert.com/basics.html
         http://onin.com/fp/daubert_links.html#whatisadauberthearing

Types of Security Software
  • Network Firewall
  • Remote Access
  • Network Security Management
  • Vulnerability Management
  • Wireless
  • Emergent Technology
  • Antispyware
  • Antivirus
  • Authentication
  • E-Mail Security
  • Identity & Access Management
  • Intrusion Detection
  • Intrusion Prevention

Types of Forensic Software
  • Acquisition Tools
  • Data Discovery Tools
  • Internet History Tools
  • Image Viewers
  • E-mail Viewers
  • Password Cracking
  • Open Source Tools
  • Mobile Device Tools (PDA/Cell Phone)
  • Large Storage Analysis Tools

Electronic Data Discovery Tools
  • Extract & index data
  • Create electronic images of data
  • Search by keyword or document similarity
  • Metadata
      - Author
      - Date created & updated
      - Email date sent, received

More About Electronic Data Discovery Tools
  • Analyze data
  • Retrieve data from different media
  • Convert between different media and file formats
  • Extract text & data from documents
  • Create images of the documents
  • Print documents
  • Archive documents

Internet History Tools
  • Reads information in complete history database
  • Displays list of visited sites
  • Opens URLs in Internet Explorer
  • Adds URLs to Favorites
  • Copies URLs
  • Prints URLs
  • Saves listing/ranges as text file
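The slide describes the tool as it worked against Internet Explorer; the same job against a modern browser means reading a SQLite database copied from the evidence image. The following is an added example, not code from the slides or from any product they name, and it generalizes the slide's "reads the history database, lists visited sites, saves a listing or date range" to a Chromium-style `urls` table. The table layout (url, title, visit_count, last_visit_time) and the timestamp format (microseconds since 1601-01-01 UTC, the WebKit epoch) are assumptions about Chromium's History file; the sample rows are constructed in an in-memory database so the script runs offline.

```python
"""List visited sites from a browser history database (added example,
Chromium-style schema assumed, not from the slides).

Constructed sample data stands in for a History file copied from an image."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed: Chromium stores last_visit_time as microseconds since this epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Convert a WebKit/Chromium timestamp to an aware UTC datetime.
    A value of 0 means the URL was recorded but never visited."""
    if not us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def build_sample_history():
    """Constructed sample rows in the assumed Chromium `urls` layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls (
        id INTEGER PRIMARY KEY, url TEXT, title TEXT,
        visit_count INTEGER, typed_count INTEGER,
        last_visit_time INTEGER, hidden INTEGER)""")
    rows = [
        (1, "https://example.com/", "Example Domain", 3, 1, 13200000000000000, 0),
        (2, "https://example.org/docs", "Docs", 1, 0, 0, 0),  # never visited
        (3, "https://example.net/", "Example Net", 7, 2, 11644473600000000, 0),  # Unix epoch
    ]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def list_visited_sites(conn, start=None, end=None):
    """Return visited URLs as dicts, most recent first, optionally limited
    to the UTC range [start, end]. Never-visited rows are left out."""
    cur = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls")
    listing = []
    for url, title, count, ts in cur:
        when = webkit_to_datetime(ts)
        if when is None:
            continue
        if start is not None and when < start:
            continue
        if end is not None and when > end:
            continue
        listing.append({"url": url, "title": title, "visits": count, "last_visit": when})
    listing.sort(key=lambda r: r["last_visit"], reverse=True)
    return listing


def export_listing(rows):
    """Render the listing as tab-separated text lines for saving to a file."""
    return "\n".join(
        "%s\t%d\t%s\t%s" % (r["last_visit"].isoformat(), r["visits"], r["url"], r["title"])
        for r in rows)


if __name__ == "__main__":
    history = build_sample_history()
    print(export_listing(list_visited_sites(history)))
```

Two details matter for an examiner: timestamps are kept as UTC-aware datetimes rather than local time, so a listing saved for a report is unambiguous, and a zero timestamp is reported as "never visited" instead of being silently converted to the year 1601.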

Image & E-Mail Viewers
  • Views files
  • Converts files
  • Catalogs files
  • Side-by-side file comparisons

Password Cracking Tools
  • Password recovery
  • Allows access to computers
  • 3 methods to crack passwords
      - Dictionary attack
      - Hybrid attack
      - Brute force attack
Source: http://www-128.ibm.com/developerworks/library/s-crack/

Open Source Tools
  • Free tools available to computer forensic specialists
  • Cover the entire scope of forensic tools in use
  • May more clearly and comprehensively meet the Daubert guidelines than closed-source tools
  • Among the most widely used
Source: http://software.newsforge.com/software/05/04/05/2052235.shtml?tid=129&tid=136&tid=147&tid=2&tid=132

Mobile Device Tools
  • Number and variety of toolkits considerably more limited than for computers
  • Require the examiner to have full access to the device
  • Most tools focus on a single function
  • Deleted data remains on a PDA until a successful HotSync with a computer
Sources: http://csrc.nist.gov/publications/nistir-7100-PDAForensics.pdf
         http://www.cs.ucf.edu/courses/cgs5132/spring2002/presentation/weiss.ppt#5

Forensic Tool Suites
  • Provide a lower-cost way to maximize the tools
  • Typically include the most often used tools
      - Paraben
      - The Coroner's Toolkit (TCT)
      - The Sleuth Kit (TSK)
      - EnCase
      - Forensic Toolkit (FTK)
      - Maresware

A Closer Look
  • EnCase
  • ByteBack
  • Forensic Toolkit
  • Maresware
  • Paraben
  • Coroner's Toolkit
  • The Sleuth Kit

EnCase
  • Originally developed for law enforcement
  • Built around case management
  • Integrated Windows-based graphical user interface (GUI)
  • Multiple features

ByteBack
  • Cloning/imaging
  • Automated file recovery
  • Rebuild partitions & boot records
  • Media wipe
  • Media editor
  • Software write block

Forensic Toolkit (FTK)
  • Another tool suite
  • Acquires & examines electronic data
  • Imaging tool
  • File viewer

Maresware
  • Collection of tools rather than a tool suite
  • Main difference – tools are stand-alone & called as needed
  • 4 notable tools
      - Declasfy
      - Brandit
      - Bates_no
      - Upcopy

Paraben
  • Collection of stand-alone tools
  • Made up of 10 individual software tool sets
  • Purchased separately, with a price break for multiple tool purchases
  • Frequently used with mobile devices

Coroner's Toolkit (TCT)
  • Open source tool suite
  • Supports post-mortem analysis of Unix & Linux systems
  • Written for incident response rather than law enforcement
  • Not designed for the requirements to produce & prosecute

The Sleuth Kit (TSK)
  • Open-source software suite built on TCT
  • Collection of command-line tools
  • Provides media management & forensic analysis
  • Core toolkit consists of 6 tools

Hardware Acquisition Tools
  • Various hardware & software platforms
  • Collect data
  • Process data
  • Save data
  • Display data in a meaningful manner

Forensic Hardware
  • Workstations (copy & analysis)
  • Drive imaging system
  • Drive wiper
  • Bridge
      - Imaging device
      - Write blocker
      - SATA, SCSI, IDE, USB
      - SCSI bridge

Tool Costs
  • Workstations starting at $5,000
  • Bridges starting at $200
  • Drive wipers starting at $1000
  • Wide assortment of special cables and hardware accessories vary in price
  • Software – free (open source) to over $1000

Choosing Your Forensic Toolkit
  • Expected types of investigations
      - Internal reporting
      - Prosecution
  • Operating systems
  • Budget
  • Technical skill
  • Role
      - Law enforcement
      - Private organization

Prepare to Tool Up
  • Make lists
  • Don't overbuy
  • Overlapping tools
  • No one-size-fits-all
  • Training

References
  • Computer Forensics Jump Start. Michael G. Solomon, Diane Barret & Neil Broom. Sybex, San Francisco, 2005.
  • Hacking Exposed – Computer Forensics. Chris Davis, Aaron Philipp & David Cowen. McGraw-Hill, New York, 2005.
  • Forensic and Investigative Accounting. D. Larry Crumbley, Lester E. Heitger & G. Stevenson Smith. CCH Inc., Chicago, 2003.