Post on 03-Feb-2022

Computer Forensic Tools

Stefan Hager

SS 2007 Advanced Computer Networks 2


- Important policies for computer forensic tools
- Typical workflow for analyzing evidence
- Categories of tools
- Demo

SS 2007 Advanced Computer Networks 3

Important policies for computer forensic tools

- evidence must not get compromised or contaminated during the investigation
  - disk imaging necessary
  - ensure data integrity: hashing (MD5, SHA-1, ...)
- digital evidence must be permitted during litigation
  - adheres to the standards of evidence that are admissible in a court of law

SS 2007 Advanced Computer Networks 4

Typical Workflow for analyzing evidence

SS 2007 Advanced Computer Networks 5

Categories of Computer Forensic Tools

- Disk Imaging
- Memory Imaging
- Data and Disk Analysis
- Special OS Live Distributions
- Network Forensics

SS 2007 Advanced Computer Networks 6

Disk Imaging

- Hardware imagers
  - e.g. handhelds that clone source drives
  - write blocker to protect data on the source drive
  - fast: up to 4 GB/min (SCSI)
  - usually no additional software necessary

SS 2007 Advanced Computer Networks 7

Disk Imaging

- multiple interfaces supported
  - e.g. IDE, SATA, PATA, SCSI, USB, Firewire, Flash Cards...

SS 2007 Advanced Computer Networks 8

Disk Imaging

- Software imagers
  - Unix-based imagers: dd, dcfldd, AIR, rdd, sdd
  - Windows-based imagers:
    - ProDiscover (images FAT12, FAT16, FAT32 and NTFS)
    - AccessData (read, acquire, decrypt, analyze)
  - calculate hashes (MD5, SHA-1), checksumming

SS 2007 Advanced Computer Networks 9

Memory Imaging

- making an image of physical memory
  - Linux: dd captures the contents of physical memory using the device file /dev/mem
  - Windows: hibernation file c:\hiberfil.sys

SS 2007 Advanced Computer Networks 10

Data and Disk Analysis Tools

- Purpose: extract, manipulate, validate data
- Partition Recovery (e.g. gpart)
  - recover deleted/corrupt partitions
  - guess partition tables
  - recover boot sector (e.g. fdisk /mbr restores the boot code in the MBR, but not the partition
- Data Evaluation and Recovery (e.g. autopsy)
  - restore deleted/corrupt files
  - RAID reconstruction (RAID level 0 - striping, level 5)
  - Password Recovery / Breaking: open files that are password protected

SS 2007 Advanced Computer Networks 11

Data and Disk Analysis Tools

- Carving (e.g. foremost)
  - search an input for files or other kinds of objects based on content
  - recover files when directory entries are missing/corrupt, deleted files, damaged media
  - look for file headers and footers, "carving out" the blocks between these two boundaries
  - usually executed on a disk image and not on the original disk
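A minimal content-based carver of the kind the slide describes, added here as an illustration (it is not code from the slides or from foremost). The signature table, the constructed sample image and the helper names carve and build_sample_image are assumptions of the example:

```python
"""Minimal header/footer file carver in the spirit of foremost. It knows
nothing about the file system and recovers files purely from content
signatures found in a raw image (an added example, not foremost's code)."""
import hashlib

# Constructed signature table: type -> (header, footer). foremost's real
# configuration covers many more types and per-type size limits.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 1 << 20):
    """Return (type, offset, data) for every header/footer pair in image.
    Scanning resumes after each carved object; a header with no footer
    within max_size bytes is skipped."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:           # no footer in range: not a carvable object
                pos = start + 1
                continue
            end += len(footer)    # include the footer itself
            found.append((ftype, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def build_sample_image() -> bytes:
    """Constructed raw image: zero filler, a fake JPEG, more filler, a fake
    PDF, then 0xff slack. No directory entries exist, so only carving
    (not the file system) can locate the two files."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
    pdf = b"%PDF-1.4 constructed body %%EOF"
    return b"\x00" * 512 + jpg + b"\x00" * 300 + pdf + b"\xff" * 64


if __name__ == "__main__":
    for ftype, off, data in carve(build_sample_image()):
        # hash each carved object so the recovered evidence can be verified later
        print(f"{ftype} at offset {off}: {len(data)} bytes, "
              f"sha1={hashlib.sha1(data).hexdigest()}")
```

Run against a real dd image, the same loop would recover files that no longer have directory entries; hashing each carved object ties the result back to the integrity policy from slide 3.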

SS 2007 Advanced Computer Networks 12

Data and Disk Analysis Tools

- Metadata Extraction
  - extract metadata from different file formats (Microsoft Office documents, PDF, binary files, ...)
  - MAC times (Modification, Access, Creation - UNIX)
  - WAC times (Written, Accessed, Created - Windows)
  - file type
  - User ID, Group ID

SS 2007 Advanced Computer Networks 13

Data and Disk Analysis Tools

- Evaluation of timelines (e.g. Zeitline)
  - analyzing and evaluating data for event reconstruction
  - sources: MAC times, WAC times, system logs, firewall logs, application data
  - timelines consist of events (time spans)
  - events belonging to the same action are grouped together
  - events can have sub- and superevents (hierarchy)

SS 2007 Advanced Computer Networks 14

Data and Disk Analysis Tools

- Evaluation of timelines, e.g. events:
  - access program gcc
  - access file x
  - access library y
- grouped together to: compile program x
- super event of this group could be: install rootkit z

SS 2007 Advanced Computer Networks 15

Special OS Live Distributions

- Free Distributions
  - DEFT Linux (built upon Kubuntu)
  - Helix (built upon Knoppix)
- Commercial Distributions
  - SMART Linux (by ASR Data)
  - MacQuisition Boot CD (for imaging Macintosh systems)

SS 2007 Advanced Computer Networks 16

Network forensics

- Network vulnerability scanners (e.g. NESSUS)
  - based on a security vulnerability database
  - detects remote as well as local flaws
- Network protocol analyzers (e.g. Wireshark, Ethereal)
  - many protocols supported
  - live capture / offline analysis
  - VoIP analysis

SS 2007 Advanced Computer Networks 17

Network forensics

- Search for rootkits (e.g. chkrootkit)
  - scripts for checking system binaries for rootkit information
  - checks for signs of trojans
  - checks whether the interface is in promiscuous mode

SS 2007 Advanced Computer Networks 23


1. Explain briefly 3 tasks of disk analysis tools (Slides 10-14)

2. What are important policies for computer forensic tools? (Slide 3)

SS 2007 Advanced Computer Networks 24

Thank you for your attention!