module 4 cs 996 - new york university tandon school of...
2/23/2005 Module 4 2
Hard Drive Forensics
Acquisition
  Bit for bit copy
  Write protect the evidence media
  EnCase for DOS
  Safeback (NTI: www.forensics-intl.com)
Analysis
  EnCase
  FTK (www.accessdata.com)
  WinHex Forensic Edition
Acquisition Steps With EnCase
Create EnCase boot disk
  DOS boot disk
  Network boot disk
Start subject computer with boot disk
Acquire data to storage computer
  Network acquisition
  Drive to drive acquisition
  Parallel cable acquisition
  Windows acquisition
EnCase Resources
Academic CD
  Instructor Notes
  User Manual excerpts on analysis
  Training Manual
www.guidancesoftware.com
  Online videos
EnCase Acquisition Geometry
Network cable acquisition
[Diagram: SUBJECT COMPUTER connected to STORAGE COMPUTER by a NETWORK CROSSOVER CABLE]
EnCase Acquisition Geometry, cont.
Drive to Drive acquisition
[Diagram: SUBJECT HARD DRIVE connected to STORAGE COMPUTER by an IDE CABLE]
Analysis With EnCase
Basic navigation
String searches (key words, GREP, etc.)
Signature match
Registry analysis (compound file)
Email analysis (compound file)
File viewers (third party viewers)
EnCase Image File
Contains more than raw dd sector image
  Case information header
  CRC for each 32KB of data
  MD5 checksum for entire image
Image verification
  Does CRC match for each 32KB block?
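The block-level verification the slide describes, as an added example (not EnCase code and not the real EnCase file format): raw data is packaged with a case header, one CRC per 32 KB block and an MD5 over the whole image, then verified after a simulated one-byte media error. The slide only says "CRC", so the CRC-32 from zlib is an assumption here; the case id and the sample data are constructed. The point it shows is that the per-block CRCs localize damage to a block, while the MD5 only says that something changed.

```python
import hashlib
import zlib

BLOCK_SIZE = 32 * 1024  # the 32 KB granularity named on the slide


def crc_of(block: bytes) -> int:
    # Assumption: CRC-32 via zlib; the slide does not say which CRC EnCase uses
    return zlib.crc32(block) & 0xFFFFFFFF


def build_image(data: bytes, case_id: str) -> dict:
    """Package raw sector data the way the slide describes an image:
    case header, a CRC per 32 KB block, and an MD5 over all data."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    return {
        "header": {"case_id": case_id, "block_size": BLOCK_SIZE, "size": len(data)},
        "data": data,
        "block_crcs": [crc_of(b) for b in blocks],
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_image(image: dict) -> dict:
    """Recompute every block CRC and the whole-image MD5.
    Reports which blocks fail; the MD5 alone cannot say where."""
    data, bs = image["data"], image["header"]["block_size"]
    bad_blocks = [
        idx for idx, expected in enumerate(image["block_crcs"])
        if crc_of(data[idx * bs:(idx + 1) * bs]) != expected
    ]
    md5_ok = hashlib.md5(data).hexdigest() == image["md5"]
    expected_count = -(-len(data) // bs)  # ceiling division: partial last block counts
    count_ok = len(image["block_crcs"]) == expected_count
    return {
        "md5_ok": md5_ok,
        "bad_blocks": bad_blocks,
        "verified": md5_ok and count_ok and not bad_blocks,
    }


def flip_byte(image: dict, offset: int) -> dict:
    """Copy of the image with one data byte altered (simulated media error)."""
    data = bytearray(image["data"])
    data[offset] ^= 0x01
    return {**image, "data": bytes(data)}


def demo():
    # Constructed sample "drive": three full 32 KB blocks plus a 100-byte tail
    data = bytes((i * 31 + 7) % 256 for i in range(3 * BLOCK_SIZE + 100))
    image = build_image(data, "CONSTRUCTED-CASE-001")  # placeholder case id
    clean = verify_image(image)
    damaged = verify_image(flip_byte(image, 2 * BLOCK_SIZE + 5))  # hits block 2
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean:", clean)
    print("damaged:", damaged)
```

Running the block prints a clean verification followed by one where the MD5 fails and `bad_blocks` names block 2, which is what lets an examiner say which 32 KB of the image to re-acquire rather than rejecting the whole image.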
Analysis With EnCase
Install software
Initialize case
  Drag and drop evidence file into EnCase
Bookmarks: reporting
  Need to keep track of key findings
Initialize Case: EnCase Scripts
Allow custom forensic analysis
Program in C++-like API
Pre-made scripts
  Initialize Case
  Download from www.guidancesoftware.com
  Install in: c:\program files\encase\scripts\examples
Running scripts: View Scripts | Select Script | Run
View report => Bookmarks
Using EnCase Scripts
Image filtering for porn investigation
  Find victims; find all images
  Need to look through 10,000+ images
Aspect ratio theory
  Select images with 33-40% aspect ratio
  Reject images that are square (+/- 2 pixels)
Reference: www.armordata.com
Using Bookmarks
Save important data for report
View Bookmarks: Create New Folder
  Text
  Images
Navigating Case View
Table
  Signature analysis (in Search function)
  Hash analysis
Gallery
Timeline
Report
Disk
Finding Evidence
Sorting columns in table view
Filters, queries and scripts
Recovering folders
Keyword search
Filters, Queries and Scripts
Filters
  Use built-in capabilities
  Create queries when filter is run
Queries
  Combine more than one filter in semi-custom query
Scripts
  Create your own search function using C++-like language
String Search
Adding keywords
Choose files/folders to be searched
Configure search
EnCase Search Method
First does logical search
Next does sector by sector
Compound files like .pst and .dat need to be mounted separately
[Diagram: keyword "PHONE TAP" split across CLUSTER N and CLUSTER N+1]
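The two search passes and the cluster-boundary diagram, as an added example that is not EnCase code: a constructed 8-cluster volume holds a live file whose clusters are fragmented and a deleted remnant in unallocated clusters, with the keyword "PHONE TAP" straddling a cluster boundary in both. The logical pass follows the file's cluster chain and finds the live hit; the sector-level pass scans the raw volume with an overlap of `len(keyword) - 1` bytes between windows and finds the remnant; a naive per-cluster scan without overlap finds neither. The 512-byte cluster size, the file table and the file contents are all constructed; the file table ignores file sizes and slack, which a real file system parser would track.

```python
KEYWORD = b"PHONE TAP"
CLUSTER = 512  # constructed cluster size; real volumes use larger sizes


def find_all(hay: bytes, needle: bytes) -> list:
    """All offsets of needle in hay, including overlapping matches."""
    hits, start = [], 0
    while True:
        i = hay.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def write_clusters(disk: bytearray, chain: list, data: bytes) -> None:
    """Lay data down across the given cluster chain, one cluster at a time."""
    for i, c in enumerate(chain):
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
        disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk


def read_file(disk: bytearray, chain: list) -> bytes:
    """Logical view of a file: its clusters concatenated in chain order."""
    return b"".join(bytes(disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in chain)


def build_disk():
    """Constructed volume: live fragmented file in clusters 1 and 5,
    deleted remnant (not in any file table) in contiguous clusters 6 and 7."""
    disk = bytearray(CLUSTER * 8)
    memo = b"A" * (CLUSTER - 4) + KEYWORD + b"B" * 20   # keyword spans its two clusters
    file_table = {"memo.txt": [1, 5]}
    write_clusters(disk, [1, 5], memo)
    remnant = b"C" * (CLUSTER - 4) + KEYWORD            # spans clusters 6 and 7
    write_clusters(disk, [6, 7], remnant)
    return disk, file_table


def logical_search(disk: bytearray, file_table: dict, keyword: bytes) -> dict:
    """First pass: search each file's contents as the file system presents them."""
    results = {}
    for name, chain in file_table.items():
        hits = find_all(read_file(disk, chain), keyword)
        if hits:
            results[name] = hits
    return results


def chunked_search(disk: bytearray, keyword: bytes, overlap: int) -> list:
    """Second pass: scan the raw volume window by window. Each window is one
    cluster plus `overlap` bytes of the next, so a match may start anywhere in
    the cluster and still be seen whole. Offsets returned are absolute."""
    data, hits, pos = bytes(disk), [], 0
    while pos < len(data):
        window = data[pos:pos + CLUSTER + overlap]
        for off in find_all(window, keyword):
            if off < CLUSTER:            # count each match once, in the window it starts in
                hits.append(pos + off)
        pos += CLUSTER
    return hits


def physical_search(disk: bytearray, keyword: bytes) -> list:
    return chunked_search(disk, keyword, overlap=len(keyword) - 1)


def per_cluster_search(disk: bytearray, keyword: bytes) -> list:
    """Naive scan with no overlap: misses anything that crosses a boundary."""
    return chunked_search(disk, keyword, overlap=0)


if __name__ == "__main__":
    disk, table = build_disk()
    print("logical:    ", logical_search(disk, table, KEYWORD))
    print("physical:   ", physical_search(disk, KEYWORD))
    print("per-cluster:", per_cluster_search(disk, KEYWORD))
```

The live file's hit is invisible to the physical pass because its two clusters are not adjacent on disk, and the remnant is invisible to the logical pass because no file table entry points at it; that is why both passes are run. The same overlap rule applies when a sector-level search reads a large image in chunks rather than all at once.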
File Signatures
Stated extension on evidence file
Header information in the file itself
Matches?
Reference for file signatures: www.garykessler.net
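The extension-versus-header comparison described above, as an added example that is not EnCase's signature analysis: a small table of well-known magic bytes is checked against the file's stated extension and the result is classified. The status labels (match, alias, bad signature, unknown) are this example's own; the signature table is a constructed subset of what a full reference such as the one cited above lists, and the sample headers are constructed in memory.

```python
import os

# Constructed subset of well-known file signatures (leading bytes of the file)
MAGIC = {
    "jpg":  [b"\xFF\xD8\xFF"],
    "jpeg": [b"\xFF\xD8\xFF"],
    "png":  [b"\x89PNG\r\n\x1A\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],   # also the container for docx/xlsx/jar files
}


def detect_types(header: bytes) -> set:
    """Every extension whose signature matches the start of the header."""
    return {ext for ext, sigs in MAGIC.items()
            if any(header.startswith(s) for s in sigs)}


def check_signature(filename: str, header: bytes) -> dict:
    """Compare the stated extension with what the header itself says."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    detected = detect_types(header)
    if ext in detected:
        status = "match"          # extension and header agree
    elif detected:
        status = "alias"          # header is a known type, extension claims another
    elif ext in MAGIC:
        status = "bad signature"  # extension claims a known type, header disagrees
    else:
        status = "unknown"        # neither side is in the table
    return {"file": filename, "extension": ext,
            "detected": sorted(detected), "status": status}


def header_of(path: str, length: int = 16) -> bytes:
    """Read just the leading bytes of a real file (not used by the sample run)."""
    with open(path, "rb") as fh:
        return fh.read(length)


# Constructed sample files: name and the first bytes of their content
SAMPLES = [
    ("photo.jpg",   b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),
    ("notes.txt",   b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),  # image carrying a .txt name
    ("archive.zip", b"just some text, not a zip"),
    ("blob.bin",    b"\x00\x01\x02\x03"),
]


def run_samples() -> list:
    return [check_signature(name, header) for name, header in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(f"{result['file']:12} {result['status']:14} {result['detected']}")
```

On a real case the `header_of` helper supplies the bytes for each file; the "alias" and "bad signature" rows are the ones worth a bookmark, since they are exactly the files whose names do not describe their contents.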
“Compound File” Analysis
Registry
Files that are composed of multiple layers
File Viewers
Look at file outside EnCase
Add: View => File Viewers
Create association: View => File Types
Double click on file: copies and opens with viewer
QuickView Plus
  www.avantstar.com
  200+ different file formats
  Eliminates problems with trojans, viruses, etc.