Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #10
Forensics Tools and Standards
September 24, 2008
Outline
 Review
 Forensics Tools
 Standards
 File Systems (Unix, Linux)
 Reference: Chapters 7 and 8 of Textbook
 http://www.cftt.nist.gov/NISTIR_7490.pdf
Review
 Part 2:
- Lecture 8: Windows File System and Forensics
- Lecture #9: Forensics Tools
Forensics Tools
 Hardware Forensics Tools
- Range from single purpose components (e.g., devices) to
complete systems (forensics workstations)
 Software Forensics Tools
- Analysis tools such as ProDiscover and EnCase
Functions of Forensics Tools
 Acquisition
 Validation and Discrimination
 Extraction
 Reconstruction
 Reporting
 A comparison of some forensics tools is given on page 277 of the
Textbook (ProDiscover, AccessData, EnCase)
Functions of Forensics Tools - 2
 Acquisition
- Tools for data acquisition
- Physical data copy, logical data copy, data acquiring
format, GUI acquisition
 Validation and Discrimination
- Integrity of the data; also includes hashing, filtering, and
analyzing file headers
 Extraction
- Recovery task
- Data viewing, keyword searching, decompressing
 Reconstruction
 Reporting
Functions of Forensics Tools - 3
 Reconstruction
- Recreate the crime scene (suspect drive)
- Disk to disk copy, Image to disk copy, etc.
 Reporting
- Report generation tools help the examiner prepare the
report
- Also help to log reports
Software Tools
 Command line forensics tools
 Unix/Linux forensics tools
- SMART, Helix, Autopsy and Sleuth Kit
 GUI Forensics Tools
- Visualizing the data is important to understand the data
Hardware Tools
 Forensics workstations
- How to build a workstation
- What are the components
- How are the workstations connected in a lab
- How can distributed forensics be carried out
 Write Blockers
- Write blocker devices to protect evidence disks (see the
discussion in Chapter 4 under data acquisition)
Validating Forensics Tools
 NIST (National Institute of Standards and Technology) is
coming up with standards for validation (will be discussed
under standards)
- Establish categories for forensics tools
- Identify forensics category requirements
- Develop test assertions
- Identify test cases
- Establish test method
- Report test results
 Chapter 7 discusses validation protocols as well as some
examination protocols
NIST Standards
 There are three digital forensics projects at the National Institute of
Standards and Technology (NIST).
 These projects are supported by the U.S. Department of Justice's
National Institute of Justice (NIJ), federal, state, and local law
enforcement, and the National Institute of Standards and
Technology Office of Law Enforcement Standards (OLES) to
promote efficient and effective use of computer technology in the
investigation of crimes involving computers.
 These projects are the following:
- National Software Reference Library (NSRL)
- Computer Forensic Tool Testing (CFTT)
- Computer Forensic Reference Data Sets (CFReDS)
NSRL
 The NSRL is designed to collect software from various sources and
incorporate file profiles computed from this software into a
Reference Data Set (RDS) including hashes of known files created
when software is installed on a computer. The law enforcement
community approached NIST requesting a software library and
signature database that meets four criteria:
- The organizations involved in the implementation of the file
profiles must be unbiased and neutral.
- Control over the quality of data provided by the database must
be maintained.
- A repository of original software must be made available from
which data can be reproduced.
- The database must provide a wide range of capabilities with
respect to the information that can be obtained from file systems
under investigation.
NSRL
 The primary focus of the NSRL is to aid computer forensics
examiners in their investigations of computer systems.
 The majority of stakeholders are in federal, state and local law
enforcement in the United States and internationally.
 These organizations typically use the NSRL data to aid in criminal
investigations.
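The validation and discrimination functions listed earlier (hashing, filtering, analyzing file headers) and the NSRL known-file hashes fit together as in the following added example, which is not part of the lecture or of any tool it names. The hash set, file names and file contents are constructed for illustration; a real examination would load a published reference data set instead.

```python
import hashlib

# Constructed stand-in for a known-file hash set (not real NSRL RDS data).
KNOWN_SHA1 = {hashlib.sha1(b"stock operating system file").hexdigest()}

# Well-known file signatures and the extensions they normally carry.
SIGNATURES = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx"},
}

def verify_copy(original: bytes, copy: bytes) -> bool:
    """Validation: a working copy must hash identically to the acquired data."""
    return hashlib.sha256(original).digest() == hashlib.sha256(copy).digest()

def header_extensions(data: bytes):
    """Return the extensions implied by the file header, or None if unknown."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None

def triage(files: dict) -> dict:
    """Discrimination: drop known files, flag header/extension mismatches."""
    verdicts = {}
    for name, data in files.items():
        if hashlib.sha1(data).hexdigest() in KNOWN_SHA1:
            verdicts[name] = "known"      # matches the reference set, filtered out
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        implied = header_extensions(data)
        if implied is not None and ext not in implied:
            verdicts[name] = "mismatch"   # header disagrees with the file name
        else:
            verdicts[name] = "review"     # unknown file, left for the examiner
    return verdicts

# Constructed sample files standing in for an extracted file set.
EVIDENCE = {
    "system.dll": b"stock operating system file",
    "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # JPEG header, .txt name
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x01" * 16,
    "memo.txt": b"plain text memo",
}

if __name__ == "__main__":
    for name, verdict in triage(EVIDENCE).items():
        print(f"{name:12} {verdict}")
```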
CFTT
 The goal of the CFTT project at NIST is to establish a methodology
for testing computer forensic software tools through the
development of general tool specifications, test procedures, test
criteria, test sets, and test hardware. The results provide the
information necessary for toolmakers to improve tools, for users to
make informed choices about acquiring and using computer
forensics tools, and for interested parties to understand the tools'
capabilities.
 The testing methodology developed by NIST is functionality driven.
The activities of forensic investigations are separated into discrete
functions, such as hard disk write protection, disk imaging, string
searching, etc. A test methodology is then developed for each
category. After a test methodology is developed it is posted to the
web.
CFReDS
 The Computer Forensic Reference Data Sets (CFReDS)
provide to an investigator documented sets of simulated digital
evidence for examination.
 Since CFReDS has documented contents, such as target search
strings seeded in known locations, investigators can compare the
results of searches for the target strings with the known placement
of the strings.
 Investigators can use CFReDS in several ways including validating
the software tools used in their investigations, equipment check
out, training investigators, and proficiency testing of investigators
as part of laboratory accreditation.
 The CFReDS site is a repository of images. Some images are
produced by NIST, often from the CFTT (tool testing) project, and
some are contributed by other organizations.
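The comparison described above, search results checked against the documented placement of seeded strings, can be sketched as follows. This is an added example, not CFReDS data or NIST code: the image, the target strings, their offsets and both search functions are constructed. It also shows a failure such a reference set exposes, a tool that scans sector-sized chunks independently and misses a string that straddles a chunk boundary.

```python
# Constructed reference manifest: target strings and the byte offsets where
# they are seeded. TARGET-BRAVO at 506 deliberately crosses the 512-byte mark.
MANIFEST = {b"TARGET-ALPHA": [100], b"TARGET-BRAVO": [506, 2000]}

def build_image(size: int = 4096) -> bytes:
    """Build a zero-filled test image with the manifest strings seeded in place."""
    img = bytearray(size)
    for needle, offsets in MANIFEST.items():
        for off in offsets:
            img[off:off + len(needle)] = needle
    return bytes(img)

def _scan(image: bytes, needle: bytes, chunk: int, overlap: int) -> list:
    hits = []
    for base in range(0, len(image), chunk):
        block = image[base:base + chunk + overlap]
        pos = block.find(needle)
        while pos != -1:
            hits.append(base + pos)
            pos = block.find(needle, pos + 1)
    return hits

def naive_search(image: bytes, needle: bytes, chunk: int = 512) -> list:
    """Hypothetical tool under test: each chunk is searched in isolation."""
    return _scan(image, needle, chunk, 0)

def overlap_search(image: bytes, needle: bytes, chunk: int = 512) -> list:
    """Corrected tool: each read extends len(needle)-1 bytes into the next chunk."""
    return _scan(image, needle, chunk, len(needle) - 1)

def validate(search, image: bytes, manifest: dict):
    """Return (missed, unexpected) hits relative to the documented placement."""
    missed, unexpected = [], []
    for needle, expected in manifest.items():
        found = set(search(image, needle))
        missed += [(needle, off) for off in expected if off not in found]
        unexpected += [(needle, off) for off in sorted(found) if off not in expected]
    return missed, unexpected

if __name__ == "__main__":
    image = build_image()
    for tool in (naive_search, overlap_search):
        missed, unexpected = validate(tool, image, MANIFEST)
        print(tool.__name__, "missed:", missed, "unexpected:", unexpected)
```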
CFReDS
 In addition to test images, the CFReDS site contains resources to
aid in creating test images.
 These creation aids are in the form of interesting data files, useful
software tools and procedures for specific tasks.
 The CFReDS web site is http://www.cfreds.nist.gov.
International Standards
 The Scientific Working Group on Digital Evidence (SWGDE) was established
in February 1998 through a collaborative effort of the Federal Crime
Laboratory Directors. SWGDE, as the U.S.-based component of
standardization efforts conducted by the International Organization on
Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and
examination of digital evidence, including audio, imaging, and electronic
devices.
 The following document was drafted by SWGDE and presented at the
International Hi-Tech Crime and Forensics Conference (IHCFC) held in
London, United Kingdom, October 4-7, 1999. It proposes the establishment of
standards for the exchange of digital evidence between sovereign nations
and is intended to elicit constructive discussion regarding digital evidence.
This document has been adopted as the draft standard for U.S. law
enforcement agencies.
 http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
Macintosh Operating System (Mac OS X)
 Early Mac OS used HFS (Hierarchical File System); OS X uses
HFS+ (optional) and also supports the Unix File System
 OS 9 supports volumes. A volume can be all or part of the
storage media for hard disks
 Newer Macs can be booted from a CD, DVD, or FireWire
drive. Older systems booted from the hard drive
 Some forensics tools are specific to OS X. Some Windows
tools can also be used
Unix/Linux Operating System
 Everything is a file including disk drives, monitors, tape
drives, network interface cards, etc.
 Unix has four components for its file system
- Boot block, superblock, inode, data block
- A block is the smallest disk allocation unit
- The boot block has bootstrap code, the superblock has system
information, an inode is assigned to every file allocation
unit, and data blocks store directories and files
 Forensic examiner must understand the boot process of the
operating system
 Disk partitions in Unix/Linux are very different from Windows.
In Unix/Linux, partitions are labeled as paths.
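To make the boot block and superblock layout concrete, the added example below (not from the lecture or the textbook) reads the superblock of a small constructed volume. It assumes the ext2 on-disk layout as one specific Linux file system, which the slides do not name: the first 1024 bytes are reserved for the boot block, the superblock follows, and its magic value is 0xEF53.

```python
import struct

SUPERBLOCK_OFFSET = 1024   # bytes 0-1023 are reserved for the boot block
SUPERBLOCK_SIZE = 1024
EXT2_MAGIC = 0xEF53        # s_magic, 16-bit little-endian at superblock offset 56

def build_sample_volume() -> bytes:
    """Constructed 8 KiB volume: empty boot block area plus a minimal superblock."""
    vol = bytearray(8192)
    # s_inodes_count, s_blocks_count, s_r_blocks_count, s_free_blocks_count,
    # s_free_inodes_count, s_first_data_block, s_log_block_size
    struct.pack_into("<7I", vol, SUPERBLOCK_OFFSET, 16, 8, 0, 3, 5, 1, 0)
    struct.pack_into("<H", vol, SUPERBLOCK_OFFSET + 56, EXT2_MAGIC)
    return bytes(vol)

def parse_superblock(volume: bytes) -> dict:
    """Read the system information an examiner needs before walking inodes."""
    if len(volume) < SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE:
        raise ValueError("volume too small to contain a superblock")
    inodes, blocks, _reserved, free_blocks, free_inodes, first_data, log_bs = \
        struct.unpack_from("<7I", volume, SUPERBLOCK_OFFSET)
    (magic,) = struct.unpack_from("<H", volume, SUPERBLOCK_OFFSET + 56)
    if magic != EXT2_MAGIC:
        raise ValueError(f"bad superblock magic 0x{magic:04x}")
    if log_bs > 6:
        raise ValueError("implausible block size exponent")
    if free_blocks > blocks or free_inodes > inodes:
        raise ValueError("free counts exceed totals; superblock is inconsistent")
    return {
        "block_size": 1024 << log_bs,       # block = smallest allocation unit
        "inodes": inodes,
        "blocks": blocks,
        "free_inodes": free_inodes,
        "free_blocks": free_blocks,
        "first_data_block": first_data,
    }

if __name__ == "__main__":
    for field, value in parse_superblock(build_sample_volume()).items():
        print(f"{field:18} {value}")
```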
Summary of Lectures 8 and 9
 Overview of File Systems
 Examples: Windows, MAC, Unix/Linux
 Three important concepts a forensics examiner should know:
- The boot process, the file system, and the disk
structures/partitions
 Tools exist for each of the operating systems
 Standards are emerging for conducting a forensics
examination
- Need more standards for data formats, processes,
metadata, etc.
References
 Reference: Chapters 7 and 8 of Textbook
 http://www.cftt.nist.gov/NISTIR_7490.pdf