Computer Forensic Tools
Stefan Hager
SS 2007 Advanced Computer Networks 2
Overview (Slide 2)
- Important policies for computer forensic tools
- Typical workflow for analyzing evidence
- Categories of tools
- Demo
Important policies for computer forensic tools (Slide 3)
- Evidence must not get compromised or contaminated during the investigation
  - disk imaging necessary
  - ensure data integrity: hashing (MD5, SHA-1, ...)
- Digital evidence must be permitted during litigation
  - adheres to the standards of evidence that are admissible in a court of law
Typical workflow for analyzing evidence (Slide 4)
Categories of computer forensic tools (Slide 5)
- Disk imaging
- Memory imaging
- Data and disk analysis
- Special OS live distributions
- Network forensics
Disk imaging: hardware imagers (Slide 6)
- e.g. handhelds that clone source drives
- write blocker protects the data on the source drive
- fast: up to 4 GB/min (SCSI)
- usually no additional software necessary
Disk imaging: hardware imagers (Slide 7)
- multiple interfaces supported, e.g. IDE, SATA, PATA, SCSI, USB, Firewire, flash cards, ...
Disk imaging: software imagers (Slide 8)
- Unix-based imagers: dd, dcfldd, AIR, rdd, sdd
- Windows-based imagers:
  - ProDiscovery (images FAT12, FAT16, FAT32 and NTFS)
  - AccessData (read, acquire, decrypt, analyze)
- calculate hashes (MD5, SHA-1); checksumming
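Added example (Python, not code from the slides or from dcfldd) tying the integrity policy of Slide 3 to the hashing step of this slide: the source is read block by block while every byte is hashed, the finished image is re-hashed independently and compared, and a single flipped byte shows the check failing. The "source drive" is a constructed temp file; on a real case it would be the block device behind a write blocker.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 64 * 1024  # read/write granularity, as dd's bs= option


def acquire(src_path, dst_path=None, block_size=BLOCK_SIZE):
    """Read src_path block by block, hashing every byte read (what dcfldd's
    hash= option does); if dst_path is given, write the blocks there too."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    dst = open(dst_path, "wb") if dst_path else None
    try:
        with open(src_path, "rb") as src:
            for block in iter(lambda: src.read(block_size), b""):
                md5.update(block)
                sha1.update(block)
                total += len(block)
                if dst:
                    dst.write(block)
    finally:
        if dst:
            dst.close()
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "bytes": total}


def verify_image(img_path, acquisition):
    """Hash the finished image independently and compare with the record
    made during acquisition; any mismatch means the copy is not evidence."""
    check = acquire(img_path)
    return all(check[k] == acquisition[k] for k in ("md5", "sha1", "bytes"))


def demo():
    """Constructed 'source drive' (4 blocks + 13 bytes, so the last block is
    partial); returns the acquisition record plus both verification results."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "source.bin")
        img = os.path.join(d, "evidence.dd")
        data = os.urandom(4 * BLOCK_SIZE + 13)
        with open(src, "wb") as f:
            f.write(data)
        record = acquire(src, img)
        verified = verify_image(img, record)
        with open(img, "r+b") as f:       # flip one byte of the image
            f.seek(100)
            f.write(bytes([data[100] ^ 0xFF]))
        tampered_verified = verify_image(img, record)
    record.update(verified=verified, tampered_verified=tampered_verified,
                  md5_expected=hashlib.md5(data).hexdigest())
    return record
```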
Memory imaging (Slide 9)
- making an image of physical memory
  - Linux: dd captures the contents of physical memory via the device file /dev/mem
  - Windows: hibernation file c:\hiberfil.sys
Data and disk analysis tools (Slide 10)
- Purpose: extract, manipulate, validate data
- Partition recovery (e.g. gpart)
  - recover deleted/corrupt partitions
  - guess partition tables
  - recover boot sector (e.g. fdisk /mbr restores the boot code in the MBR, but not the partition
- Data evaluation and recovery (e.g. autopsy)
  - restore deleted/corrupt files
  - RAID reconstruction (RAID level 0 - striping, level 5)
  - Password recovery / breaking: open files that are password protected
Data and disk analysis tools (Slide 11)
- Carving (e.g. foremost)
  - searches an input for files or other kinds of objects based on content
  - recovers files when directory entries are missing/corrupt, deleted files, damaged media
  - looks for file headers and footers and "carves out" the blocks between these two boundaries
  - usually executed on a disk image and not on the original disk
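Added example, not foremost's own code: header/footer carving with the real JPEG and PNG signatures over a constructed byte string standing in for unallocated space, including a header whose footer never appears (the carver must skip it rather than run to the end of the image).

```python
# Real magic bytes; the "image" scanned below is constructed, not a disk.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_SIZE = 10 * 1024 * 1024  # give up on a header whose footer never shows up


def carve(image, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return [(offset, ext, data)] for every header/footer pair found.
    No directory entries are consulted; only content decides."""
    found = []
    for ext, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1          # orphan header: skip it, keep scanning
                continue
            end += len(footer)
            found.append((start, ext, image[start:end]))
            pos = end                    # resume after the carved object
    return sorted(found)


def constructed_image():
    """Fake unallocated space: two JPEG-like and one PNG-like object between
    runs of zero filler, then a JPEG header with no footer at the very end."""
    filler = b"\x00" * 64
    jpg1 = SIGNATURES["jpg"][0] + b"\xe0" + b"A" * 20 + SIGNATURES["jpg"][1]
    png = SIGNATURES["png"][0] + b"P" * 30 + SIGNATURES["png"][1]
    jpg2 = SIGNATURES["jpg"][0] + b"\xe1" + b"B" * 40 + SIGNATURES["jpg"][1]
    orphan = SIGNATURES["jpg"][0] + b"\xe0" + b"C" * 10
    return filler + jpg1 + filler + png + filler + jpg2 + filler + orphan
```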
Data and disk analysis tools (Slide 12)
- Metadata extraction
  - extract metadata from different file formats (Microsoft Office documents, PDF, binary files, ...)
  - MAC times (Modification, Access, Creation - UNIX)
  - WAC times (Written, Accessed, Created - Windows)
  - file type
  - user ID, group ID
Data and disk analysis tools (Slide 13)
- Evaluation of timelines (e.g. Zeitline)
  - analyzing and evaluating data for event reconstruction
  - sources: MAC times, WAC times, system logs, firewall logs, application data
  - timelines consist of events (time spans)
  - events belonging to the same action are grouped together
  - events can have sub- and superevents (hierarchy)
Data and disk analysis tools (Slide 14)
- Evaluation of timelines, e.g. events:
  - access program gcc
  - access file x
  - access library y
- grouped together to: compile program x
- super event of this group could be: install rootkit z
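Added example, not Zeitline: the events of Slides 13 and 14 (MAC times as introduced on Slide 12 plus syslog lines, all constructed here) merged into one ordered timeline and clustered by time proximity into candidate actions such as "compile program x"; super events are then spans over several such groups.

```python
from datetime import datetime, timedelta

# Constructed evidence: MAC times per path and two syslog lines.
MAC_TIMES = {  # path: (modified, accessed, changed)
    "/usr/bin/gcc": ("2007-05-01 10:00:00", "2007-05-03 14:12:01", "2007-05-01 10:00:00"),
    "/home/u/x.c":  ("2007-05-03 14:10:30", "2007-05-03 14:12:01", "2007-05-03 14:10:30"),
    "/lib/liby.so": ("2007-05-01 10:00:00", "2007-05-03 14:12:02", "2007-05-01 10:00:00"),
    "/home/u/x":    ("2007-05-03 14:12:03", "2007-05-03 14:12:03", "2007-05-03 14:12:03"),
}
SYSLOG = [
    "2007-05-03 14:12:40 host kernel: module z loaded",
    "2007-05-03 09:01:15 host sshd: Accepted password for u",
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def build_timeline(mac_times=MAC_TIMES, syslog=SYSLOG):
    """One event per MAC timestamp (a file yields up to three) plus one per
    log line, each as (time, source, description), sorted by time."""
    events = []
    for path, (m, a, c) in mac_times.items():
        for label, ts in (("modified", m), ("accessed", a), ("changed", c)):
            events.append((parse(ts), "mac", f"{label} {path}"))
    for line in syslog:
        events.append((parse(line[:19]), "syslog", line[20:]))
    return sorted(events)


def group_events(events, window=timedelta(seconds=5)):
    """Consecutive events at most `window` apart form one group: the
    candidate for a single action (here: the compile of x)."""
    groups = []
    for ev in events:
        if groups and ev[0] - groups[-1][-1][0] <= window:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups


def summarize(groups):
    """(start, end, event count) per group, as strings for a report."""
    return [(str(g[0][0]), str(g[-1][0]), len(g)) for g in groups]
```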
Special OS live distributions (Slide 15)
- Free distributions
  - DEFT Linux (built upon Kubuntu)
  - Helix (built upon Knoppix)
- Commercial distributions
  - SMART Linux (by ASR Data)
  - MacQuisition Boot CD (for imaging Macintosh systems)
Network forensics (Slide 16)
- Network vulnerability scanners (e.g. Nessus)
  - based on a security vulnerability database
  - detect remote as well as local flaws
- Network protocol analyzers (e.g. Wireshark, Ethereal)
  - many protocols supported
  - live capture / offline analysis
  - VoIP analysis
Network forensics (Slide 17)
- Search for rootkits (e.g. chkrootkit)
  - scripts that check system binaries for signs of rootkits
  - checks for signs of trojans
  - checks whether the interface is in promiscuous mode
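Added example, not chkrootkit's script: the promiscuous-mode check done by reading the interface flags Linux exposes under /sys/class/net (IFF_PROMISC is the kernel's 0x100 bit). It reads what the kernel reports, which a kernel-level rootkit can falsify, so it is a first check rather than proof.

```python
import os

IFF_PROMISC = 0x100  # bit from <linux/if.h>: NIC accepts every frame it sees


def is_promiscuous(flags_text):
    """Parse the hex value found in /sys/class/net/<iface>/flags (e.g.
    '0x1103\\n') and report whether the promiscuous bit is set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Names of interfaces with IFF_PROMISC set; empty list on hosts without
    sysfs (non-Linux) or where the flags files cannot be read."""
    hits = []
    try:
        names = sorted(os.listdir(sysfs_net))
    except OSError:
        return hits
    for name in names:
        try:
            with open(os.path.join(sysfs_net, name, "flags")) as f:
                if is_promiscuous(f.read()):
                    hits.append(name)
        except OSError:
            continue  # interface vanished or is not readable; skip it
    return hits
```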
Demo (Slide 18)
Tools (Slides 21-22)
- chkrootkit: http://www.chkrootkit.org/
- http://www.guidancesoftware.com/
- Autopsy: http://www.sleuthkit.org/autopsy/desc.php
- foremost: http://foremost.sf.net/
- http://www.sleuthkit.org/
- http://www.porcupine.org/forensics/tct.html
- Zeitline: http://projects.cerias.purdue.edu/forensics/timeline.php
- Helix: http://www.forensicswiki.org/wiki/Helix
- DEFT Linux: http://www.stevelab.net/deft/
- Wireshark: http://www.wireshark.org/
Questions (Slide 23)
1. Briefly explain three tasks of disk analysis tools (Slides 10-14).
2. What are important policies for computer forensic tools? (Slide 3)
Thank you for your attention!