PRACTICAL DEMONSTRATIONS OF DIGITAL FORENSIC TOOLS

Digital Forensic Training
2. INSTRUCTOR'S PROFILE
Adeoje Adetunji Emmanuel
Certified Ethical Hacker (CEH)
EC-Council Certified Security Analyst (ECSA)
Computer Hacking Forensic Investigator (CHFI)
AccessData Certified Examiner (ACE)
Certified Information Systems Auditor (CISA)
EnCase specialist
Licensed Penetration Tester (LPT)

3. Agenda
Introduction
The Forensic Investigation
Objective of Digital Forensics Analysis
Roles of Digital Forensic Analysts in IR
Forensic Readiness and Business Continuity
Computer Forensic Process
Computer Forensics Tools
Demos

4. Introduction
Data breaches, hacking attacks, viruses, and insider threats are some of the security issues many companies face on a daily basis. Besides employing preventive measures, such as firewalls and intrusion detection devices, to prevent data breaches and thwart external attacks, many organizations around the world use computer forensics to identify instances of computer misuse and illegal intrusion.

The use of computer forensic techniques has also flourished in the internal audit profession. However, many internal auditors are unaware of the advantages that computer forensics can bring to audit investigations. Learning how to acquire, analyze, and report data through the use of computer forensics can help auditors make the most of this investigative technique, as well as recover previously deleted documents that can provide the "smoking gun" needed to determine whether a fraudulent activity took place.

7. THE FORENSIC INVESTIGATION
Computer forensics is the application of analytical techniques to digital media after a computer security incident has occurred. Its goal is to identify exactly what happened on a digital system, and who was responsible, through a structured, investigative approach. Forensic investigations cover all areas of computer misuse, including fraud, Internet and e-mail abuse, access to pornographic Web sites, and hacking, as well as accidental deletion or alteration of data.
During the forensic investigation, evidence may be obtained in a variety of ways, including affidavits, search warrants, depositions, and expert testimony. Regardless of the means used to obtain data, examination of a computer or other device must be done thoroughly, carefully, and without changing anything. This ensures that the integrity of the original data and the validity of the evidence are maintained.

If an internal auditor suspects fraud may have occurred, he or she should fill out an incident detection report form or similar document. The document needs to specify the date and time of the suspected fraud, who reported the incident, the nature of the incident, and the system(s) and application(s) involved.

Note: It is important for companies to have an established, clear process for dealing with these kinds of incidents. This kind of pre-planning helps ensure that the proper channels are followed when an incident occurs.

Forensic investigations consist of three phases: acquiring the evidence, analyzing the results, and reporting the results. Each is described below.

8. Acquiring the Evidence
The process of securing or acquiring evidence starts with previewing the contents of a computer's hard drive or other media. To acquire the electronic data, including deleted information, the storage device must be mirrored or duplicated exactly, bit by bit. Once the storage device is secured, a second device may be needed as a working copy if the original storage device was not seized or secured. This gives the examiner access to an unaltered copy of the electronic data while the analysis itself is performed on the working copy.
9. Imaging
An image is an exact replica of the computer's hard drive or other media, and should include any slack space. The image is then investigated, rather than the original, to avoid altering the original data, which would make any evidence gathered inadmissible in court. Imaging is a vital step in a computer forensic investigation and is accepted as the best method for capturing computer evidence that may be presented in a court of law.

Having captured an exact image of the data, the next step is to process it. All data must be processed, including deleted or partially overwritten files, information hidden outside normal storage areas, and data in virtual memory and slack space.

The most common method used by forensic examiners to capture this data is to attach the suspect drive through a write-blocking device. The write blocker prevents the examiner's machine from writing to, or altering, the data on the suspect drive. This matters because an operating system will write to a newly attached disk without being asked: Windows in particular is notorious for this, mounting the volume read-write and creating or updating its own metadata (for example the System Volume Information and Recycle Bin folders) as soon as the disk is connected.

10. Understanding Bit-stream Copies
(diagram on slide)

11. Typically, the suspect drive is removed from the machine, if possible, and plugged directly into the write-blocking device. Once this has occurred, an examiner can make what is called a "bit-stream" image of the drive. This is an exact bit-for-bit copy of the drive's contents, including deleted space, file slack, and logical files.

Another method of capturing this data is to boot the suspect machine from a Linux live CD or a forensic boot disk, which allows the investigator to view the files on the drive, including deleted space and unallocated clusters, without altering the drive's contents, provided the live environment mounts the suspect volumes read-only (or not at all) and everything it writes goes to a separate external drive. The examiner can then copy the files, or a full image, onto that external hard drive and examine them there.

Hidden data often contains the most vital evidence to prove or disprove a case. In some cases, a file extraction may be appropriate. In other situations, a data index may be created to support powerful search tools. Once auditors have a complete image of the drive, they can start collecting the evidence.
Most forensic software includes ready-made scripts for a variety of operating systems that automate certain functions, such as an encrypted registry parser, a file finder, and a file mounter. Because different programs may work better for different tasks, auditors should ensure organizations are using the right product based on their data analysis needs.

12. Slack space
The data between the end of the logical file and the end of the cluster containing the data is called slack space. Slack space will usually contain data from files that used this space before, making it a rich depository of evidence.

The portion of the slack space from the end of the logical file to the end of the sector (not the cluster) was historically called RAM slack or sector slack, because older versions of DOS and Windows padded that partial sector with whatever happened to be in memory rather than with zeros. The remainder of the slack, from the end of the last sector containing the logical file until the end of the cluster, is called file slack. The entire slack space comprises both RAM (or sector) slack and file slack.

13. Computer forensics focuses on three categories of data:

Active Data: These are the current files on the computer, still visible in directories and available to applications. One important evidentiary point about data on a hard drive is that, no matter what it may represent, whether simple text or convoluted spreadsheets, it exists only as infinitesimal magnetic flux reversals representing ones and zeroes, which must be processed by software to be intelligible.

14. Latent Data: Latent data (also called ambient data) are deleted files and other data, including memory dumps, that have lodged in the digital cracks but can still be retrieved. Latent data also includes swap files, temporary files, printer spool files, metadata, and shadow data. Latent data are generally inaccessible without the use of specialized tools and techniques. This data resides on the media, e.g., the hard drive, in slack space and other areas marked available for data storage but not yet overwritten by other data.
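The slack-space arithmetic on slide 12 and the "latent data in slack" point on slide 14 are easy to get wrong at the sector/cluster boundary, so here is an added worked example (this is not code from the original slides). It constructs one cluster in memory that first held an old file and is then reused by a shorter new file, computes RAM (sector) slack and file slack for the new file, and carves the slack bytes to show the old file's remnant surviving there. The 512-byte sector, 4 KiB cluster, and both files' contents are assumptions chosen for the demonstration.

```python
"""Slack space worked example (added here; not code from the original slides).

Constructs one 4 KiB cluster in memory that first held an old file and is then
reused by a 47-byte new file. It computes RAM (sector) slack and file slack for
a given logical file size, and extracts the slack bytes to show the remnant of
the old file that survives there. Sector and cluster sizes, and both files'
contents, are assumptions chosen for the demonstration.
"""

SECTOR = 512
CLUSTER = 4096  # 8 sectors per cluster, the NTFS default for most volumes


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack, file_slack, total_slack) in bytes for a file of
    file_size bytes on a volume with the given sector and cluster sizes.

    RAM/sector slack runs from the end of the file to the end of the last
    sector it touches; file slack runs from there to the end of the cluster.
    """
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    used_in_last_cluster = file_size % cluster
    if used_in_last_cluster == 0:
        return (0, 0, 0)  # the file ends exactly on a cluster boundary
    ram_slack = (sector - used_in_last_cluster % sector) % sector
    file_slack = cluster - (used_in_last_cluster + ram_slack)
    return (ram_slack, file_slack, ram_slack + file_slack)


def build_constructed_cluster():
    """Old file fills the cluster (its interesting text sits in the third
    sector); a new 47-byte file then reuses the cluster. The OS writes the
    new data plus zero padding to the end of the first sector only (modern
    behaviour; DOS-era systems padded with RAM contents instead), leaving the
    remaining seven sectors untouched. Returns (cluster_bytes, new_file_size)."""
    old_file = bytearray(b"X" * CLUSTER)
    secret = b"OLD LEDGER: transfer 50000 to acct 9921 on 12 Mar"
    old_file[1024:1024 + len(secret)] = secret
    new_file = b"quarterly report draft v2 - nothing to see here"  # 47 bytes
    cluster = bytearray(old_file)
    ram_slack, _, _ = slack_layout(len(new_file))
    cluster[:len(new_file)] = new_file
    cluster[len(new_file):len(new_file) + ram_slack] = b"\x00" * ram_slack
    return bytes(cluster), len(new_file)


def extract_slack(cluster_bytes, file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack_bytes, file_slack_bytes) carved from the last cluster
    of a file of file_size bytes; cluster_bytes is that last cluster."""
    ram_slack, file_slack, _ = slack_layout(file_size, sector, cluster)
    ram_start = file_size % cluster
    ram_end = ram_start + ram_slack
    return cluster_bytes[ram_start:ram_end], cluster_bytes[ram_end:ram_end + file_slack]


def demo():
    """Recover the old ledger line from the new file's file slack."""
    cluster_bytes, size = build_constructed_cluster()
    ram, file_slack = extract_slack(cluster_bytes, size)
    return {
        "layout": slack_layout(size),
        "ram_slack_all_zero": ram == b"\x00" * len(ram),
        "ledger_in_file_slack": b"OLD LEDGER" in file_slack,
        "ledger_in_active_file": b"OLD LEDGER" in cluster_bytes[:size],
    }
```

For the 47-byte file the layout is 465 bytes of RAM slack (zero-filled by the OS), 3584 bytes of file slack, and the old ledger line is recoverable only from the file slack, not from the active file. A logical copy of the new file would never carry it; a bit-stream image does.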
The recovery of latent data is the art most often associated with computer forensics, but the identification, extraction, and management of active data is no less demanding of a forensic expert's skill.

15. Archival Data: This is data that has been transferred or backed up to peripheral media, like tapes, CDs, ZIP disks, floppy disks, network servers, or the Internet. Archival data can be staggeringly voluminous, particularly in a large organization employing frequent, regular backup procedures. It is critically important to recognize that an archival record of a source medium never reflects all of the data that can be identified and extracted from the source medium, because such backups do not carry forward latent data. Accordingly, an opponent's offer to furnish copies of backup tapes is, while valuable, no substitute for a forensic examination of a true bit-by-bit copy of the source disk drive.

16. Disk imaging using FTK Imager
Tools shown: EnCase, FTK Imager, FTK Imager Lite.

17. Six file systems that FTK Imager can read
(screenshot on slide)

18. Four types of evidence
(screenshot on slide)

19. Formats that FTK Imager can read
(screenshot on slide)

21. EnCase evidence file
(screenshot on slide)

23. Data on the Computer
In files: log files, browser history, the Windows prefetch area, slack space.
Lost when the machine is powered off: open network connections, virtual memory, physical memory.
Lost if you wait too long: network traces.

24. Understanding Bit-stream Copies
A bit-by-bit copy of the original storage medium; an exact copy of the original disk. This is different from a simple backup copy: backup software only copies known files, so it cannot copy deleted files or e-mail messages, or recover file fragments.

25. Data in Unexpected Places
Anti-virus alerts and real-time anti-virus scans; license enforcement / application metering; any kind of management software (patch management, software management, configuration management, asset management).

26. Analyzing the Results
The second phase, analyzing the results, takes place after all the evidence has been acquired and imaged properly.
Because every case is different, auditors need to be fully trained when conducting a data analysis, or they should recommend that a trained forensic examiner perform the evaluation if they lack the professional training to do so. To analyze the evidence, auditors should use only the working copy of the retrieved electronic data, including deleted files and folders, never the original. Auditors also need to maintain a chain of custody when handling the evidence. To maintain a digital chain of custody, all images should be hashed (the process of creating a small digital fingerprint of the data) at the time of acquisition, and the hash of the working copy re-computed and compared against that acquisition hash before and after analysis; a mismatch means the copy can no longer be relied on.

During the data analysis stage, software is also used to inspect the raw data and organize it into an understandable report. As a result, the auditor must be able to tell the computer what to look for by using text-string search terms that will identify data pertaining to the specific incident under investigation.

27. Reporting Results
The final phase of the forensic examination is creating the report and reporting the evidence. Final reports of the investigation should include a list of all the evidence gathered, a copy of printed documents listed as appendices, and an executive summary. In certain cases (e.g., to obtain a search warrant or make a criminal charge), auditors may need to create interim reports. These reports are updated as new information is gathered, until the investigation is completed.

Report findings need to be ready to be used in a court of law. For instance, reports should clearly explain what made the company or auditor suspicious of the hard drive, how the hard drive was imaged, how the data was handled prior to the analysis, where within the hard drive the evidence was found, and what the evidence means. Internal auditors who conduct the forensic examination should expect to be called to provide expert testimony during the court case and to help the organization review the opposing counsel's evidence.
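Slides 9 and 11 describe the bit-stream image and slide 26 the hashing that ties the working copy back to it. The following added example (not code from the original slides or from any of the tools shown) does both in one pass: it copies a source bit for bit while hashing the stream it reads, records the result as a custody record, and verifies a copy against that record. It assumes the source is already opened read-only (on a real case behind a hardware write blocker, as a block device such as /dev/sdb or \\.\PhysicalDrive1) and records both MD5 and SHA-256, because older tools and report templates still expect MD5 while SHA-256 is the one to rely on.

```python
"""Bit-stream acquisition with integrity hashing (added example; not code
from the original slides). image() copies a source to an image file bit for
bit, hashing the stream as it is read, so the acquisition hash describes
exactly the bytes that were copied; verify() re-hashes a copy (e.g. the
working copy) and compares it with the acquisition record.

Assumptions: the source is opened read-only behind a write blocker; MD5 and
SHA-256 are both recorded; a 1 MiB read size keeps memory flat on terabyte
sources. The demo() drive contents are constructed in memory.
"""
import hashlib
import io
import json
import time

CHUNK = 1024 * 1024


def _hashers():
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def image(src, dst, note_dst=None):
    """Copy src (file-like, opened 'rb') to dst (file-like, opened 'wb') bit
    for bit. Returns a custody record with byte count, time and hashes; if
    note_dst is given the record is also written there as JSON."""
    hashes = _hashers()
    total = 0
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    while True:
        chunk = src.read(CHUNK)
        if not chunk:
            break
        for h in hashes.values():
            h.update(chunk)
        dst.write(chunk)
        total += len(chunk)
    dst.flush()
    record = {
        "acquired_utc": started,
        "bytes": total,
        "md5": hashes["md5"].hexdigest(),
        "sha256": hashes["sha256"].hexdigest(),
    }
    if note_dst is not None:
        note_dst.write(json.dumps(record, indent=2))
    return record


def hash_stream(fobj):
    """Hash an open stream in chunks; returns {'md5': ..., 'sha256': ...}."""
    hashes = _hashers()
    while True:
        chunk = fobj.read(CHUNK)
        if not chunk:
            break
        for h in hashes.values():
            h.update(chunk)
    return {k: h.hexdigest() for k, h in hashes.items()}


def verify(fobj, record):
    """True only if both hashes of fobj match the acquisition record; one
    mismatching algorithm is a failure, never a tie-break."""
    current = hash_stream(fobj)
    return current["sha256"] == record["sha256"] and current["md5"] == record["md5"]


def image_bytes(data):
    """In-memory convenience wrapper: returns (record, image bytes)."""
    src, dst = io.BytesIO(data), io.BytesIO()
    return image(src, dst), dst.getvalue()


def verify_bytes(data, record):
    return verify(io.BytesIO(data), record)


def demo():
    """Acquire a constructed 3 MiB 'drive', verify the working copy, then
    show that flipping one bit in the copy is detected."""
    evidence = bytes(range(256)) * (3 * 1024 * 4)  # 3 MiB, constructed
    record, img = image_bytes(evidence)
    ok = verify_bytes(img, record)
    tampered = bytearray(img)
    tampered[12345] ^= 0x01
    return record["bytes"], ok, verify_bytes(bytes(tampered), record)
```

Hash the original once more after acquisition as well: a source that hashes differently before and after the copy means something wrote to it (a failed write blocker, a dying disk), and that has to go in the report.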
28. ADDITIONAL STEPS AND TECHNIQUES
Before and during the forensic investigation, internal auditors can take additional steps to ensure evidence is court-ready. Prior to the forensic examination, the auditor should physically secure the system in question and take pictures of the room, the area surrounding the system, and the system itself. In addition, the auditor needs to secure the evidence on site or in a laboratory to ensure a proper chain of custody is followed and digital evidence is secured effectively. The auditor should also document all system details and any connections to the system, such as network cables and 802.11 wireless connections.

The following actions should be avoided at all cost prior to collecting the evidence:
- Modifying the time and date stamps of the system(s) containing the evidence before duplication takes place.
- Executing non-trusted binaries by double-clicking or running any executable files that are on the computer (e.g., evidence.exe could be a wiping program that, when run, destroys all the evidence on the drive).
- Terminating the rogue process. This pertains to processes on the computer that are displayed when users press Ctrl+Alt+Delete. In hacking cases, it is common for people to press Ctrl+Alt+Delete and kill any processes they are unsure about. This may have adverse effects, such as wiping the drive or log files and notifying the attacker that the process has been discovered.
- Updating the system before the forensic investigation takes place.
- Not recording executed commands.
- Installing software on the system.

29. Offline Analysis
An offline analysis is when the investigation takes place on the imaged copy. When preparing the evidence, auditors need to know how to power down the system correctly. Some systems must be shut down properly, while others can be turned off by pulling the plug.

30. Comparison of systems that can be turned off through the shut-down method or the pull-the-plug method
(table on slide)

31. Why Live Forensics?
- Big disks: disk capacity keeps increasing (Oct 2006: 500 GB for about $158) faster than processor speed; terabyte systems are common; searching (or indexing) takes time; mirroring takes time.
- Minimal downtime (mission-critical systems).
- Harder to seize systems (even with a court order).
- Provides context for static analysis.
- Low-profile examination.
- Long data lifetimes.
- Some data exists only in RAM.

32. Live Analysis
While collecting the evidence, a live or offline analysis can be performed as part of the gathering process. A live analysis takes place when the forensic investigation is conducted on the live system (i.e., the system is not powered down). Due to the volatile nature of digital media, auditors need to document all the steps taken while collecting the evidence during a live analysis. Besides refraining from installing software on the system, the auditor should not update the system with any security patches or hot fixes prior to imaging the drive. If the computer has any active windows open, pictures should be taken of the monitor as part of the examination's documentation, as well as of the area by the system's clock (the notification area), to determine whether there are encrypted containers and, if so, whether they are open. Internal auditors may encounter problems during any live analysis. Some of these problems include:

33. Destruction or alteration of digital evidence by the auditor. Because computer files only get overwritten when new data needs to take their place on the hard drive, clicking on files or folders on a computer will result in information being written to the drive, potentially overwriting valuable evidence. During a live analysis, this is unavoidable. To account for potentially overwritten data, the auditor should write down every action performed on the system so that the forensic examiner can rule out that activity.

Logic bombs and slag code. This refers to a piece of code or application that does something based on a condition.
For example, wiping software commonly erases the drive on startup or shutdown. Therefore, the auditor can trigger a logic bomb or slag code simply by clicking Start > Shutdown. The best way to avoid this situation is to unplug the machine from the wall. This prevents software code from running, because the machine will have no electricity to run on. If the investigation involves a laptop, after unplugging the machine the investigator can shut the laptop down by pressing the power button and holding it down for approximately five to ten seconds. This cuts all power to the machine and forces it to shut down. Bear in mind that cutting power also discards everything that exists only in RAM (see slides 23 and 31), so collect volatile data first if it matters to the case.

Trojan binaries and rootkits. Trojans and rootkits are installed by the attacker. When operational, they send alerts to the hacker after a specific action takes place. Some Trojans even allow the attacker to view the computer screen in real time. Shutting down the machine prevents the hacker from seeing what the forensic investigator is doing. At a minimum, the computer's Internet connection must be disabled so that information is not sent to the attacker.

No access to slack space, pagefile/hibernation files, Windows NT file system transaction logs, and print spoolers. Sometimes these files contain just the right evidence needed to prove a case. For instance, in cases involving forged checks, spooled print files could hold all the evidence needed. However, if the investigator is unable to access these files, the evidence could be lost as the investigation moves forward and files are imaged.

Once the data is gathered during the live analysis, the system must be imaged. Depending on the type of operating system, the auditor may need to shut down the system properly without damaging the evidence, while still allowing the system to boot up.

34. Information Available
Running processes; open files; network connections; memory (physical / virtual dumps); regular disk files.

35. Information Available (2)
Images of the entire disk; live disk imaging (a.k.a. shooting a moving target); deleted files; live file carving; unencrypted document fragments; encryption keys for whole-disk encryption schemes; copies of volatile-only malware (for disassembly and investigation).

36. Running Processes
Windows: open files, open network connections, registry activity, open DLLs.
Unix: open files, open network connections, access to the corresponding executable even if it has been deleted, the command line that invoked the application, environment variables.

37. Memory
Process memory: finer-grained than dumping all of RAM; it is easier to make sense of a process's virtual address space than of physical memory; contiguous application structures are more likely to be found; it can yield passwords, document fragments, and unencrypted documents.
Kernel memory: search for hidden processes; evaluate the health of the kernel.
String searches: the most brute-force technique.

38. Identifying the memory image (volatools ident)

    C:\VolatoolsBasic-1.1.1>python volatools ident -f d:\MEMDUMP.1GB
    Image Name: d:\MEMDUMP.1GB
    Image Type: XP SP2
    VM Type:    nopae
    DTB:        0x39000
    Datetime:   Thu Mar 22 18:07:31 2007

39. Open files per process (volatools files)

    C:\VolatoolsBasic-1.1.1>python volatools files -f d:\MEMDUMP.1GB
    ************************************************************************
    Pid: 4
    File \Documents and Settings\Administrator.HE00\NTUSER.DAT
    File \Documents and Settings\Administrator.HE00\NTUSER.DAT.LOG
    File \System Volume Information\_restore{1625C426-0868-4E67-8C21-25BB305F7E1E}\RP228\change.log
    File \Topology
    File \pagefile.sys
    File \WINDOWS\system32\config\SECURITY
    File \WINDOWS\system32\config\SECURITY.LOG
    File \WINDOWS\system32\config\software
    File \WINDOWS\system32\config\software.LOG
    File \hiberfil.sys
    File \WINDOWS\system32\config\system
    File \WINDOWS\system32\config\system.LOG
    File \WINDOWS\system32\config\default
    File \WINDOWS\system32\config\default.LOG
    File \WINDOWS\system32\config\SAM
    File \WINDOWS\system32\config\SAM.LOG
    File \Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
    File \Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG
    File
    File \Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG
    File \Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT
    File \WINDOWS\CSC\00000001
    ************************************************************************
    Pid: 436
    File \WINDOWS
    File \WINDOWS\system32

40. Process list (volatools pslist)

    C:\VolatoolsBasic-1.1.1>python volatools pslist -f d:\MEMDUMP.1GB
    Name           Pid   PPid  Thds  Hnds  Time
    System         4     0     65    262   Thu Jan 01 00:00:00 1970
    smss.exe       436   4     3     21    Thu Mar 15 08:04:12 2007
    csrss.exe      492   436   20    421   Thu Mar 15 08:04:13 2007
    winlogon.exe   516   436   22    626   Thu Mar 15 08:04:14 2007
    services.exe   560   516   17    366   Thu Mar 15 08:04:14 2007
    lsass.exe      572   516   19    405   Thu Mar 15 08:04:15 2007
    svchost.exe    752   560   21    214   Thu Mar 15 08:04:15 2007
    svchost.exe    812   560   9     264   Thu Mar 15 08:04:16 2007
    svchost.exe    876   560   72    1582  Thu Mar 15 08:04:16 2007
    svchost.exe    924   560   6     95    Thu Mar 15 08:04:16 2007
    svchost.exe    976   560   7     137   Thu Mar 15 08:04:16 2007
    spoolsv.exe    1176  560   14    159   Thu Mar 15 08:04:17 2007
    MDM.EXE        1372  560   4     85    Thu Mar 15 08:04:25 2007
    ntrtscan.exe   1416  560   13    65    Thu Mar 15 08:04:25 2007
    tmlisten.exe   1548  560   14    179   Thu Mar 15 08:04:28 2007
    OfcPfwSvc.exe  1636  560   9     145   Thu Mar 15 08:04:29 2007
    alg.exe        2028  560   6     103   Thu Mar 15 08:04:32 2007
    XV69C2.EXE     336   1416  1     84    Thu Mar 15 08:04:34 2007
    AcroRd32.exe   2452  848   0     -1    Wed Mar 21 03:53:27 2007
    explorer.exe   840   3844  16    410   Thu Mar 22 23:05:51 2007
    jusched.exe    2608  840   2     36    Thu Mar 22 23:05:54 2007
    PccNTMon.exe   2184  840   4     67    Thu Mar 22 23:05:54 2007
    ctfmon.exe     3084  840   1     70    Thu Mar 22 23:05:54 2007
    reader_sl.exe  1240  840   2     35    Thu Mar 22 23:05:55 2007
    cmd.exe        368   840   1     30    Thu Mar 22 23:07:01 2007
    dumpmem.exe    2132  368   1     17    Thu Mar 22 23:07:30 2007

Reading the list: the responder's own footprint is visible at the bottom (cmd.exe started from explorer.exe, then dumpmem.exe, the tool that captured this image), which is exactly why every executed command has to be recorded. AcroRd32.exe shows 0 threads and -1 handles, the signature of a process that has exited but whose process structure has not yet been freed from memory. Parent/child relationships (the PPid column) are the first thing to check for anything unusual.
41. Open sockets (volatools sockets; note this is a different image, d:\memdump.blue, so its PIDs do not correspond to the process list above)

    C:\VolatoolsBasic-1.1.1>python volatools sockets -f d:\memdump.blue
    Pid   Port  Proto  Create Time
    1828  500   17     Wed Mar 28 02:22:36 2007
    4     445   6      Wed Mar 28 02:22:20 2007
    736   135   6      Wed Mar 28 02:22:25 2007
    468   1900  17     Wed Mar 28 02:22:58 2007
    196   1031  6      Wed Mar 28 02:22:54 2007
    1936  1025  6      Wed Mar 28 02:22:35 2007
    4     139   6      Wed Mar 28 02:22:20 2007
    1828  0     255    Wed Mar 28 02:22:36 2007
    1112  123   17     Wed Mar 28 02:22:39 2007
    1804  1029  17     Wed Mar 28 02:22:37 2007
    384   1028  6      Wed Mar 28 02:22:36 2007
    384   1032  6      Wed Mar 28 02:22:56 2007
    4     137   17     Wed Mar 28 02:22:20 2007
    1936  1026  6      Wed Mar 28 02:22:35 2007
    316   1030  6      Wed Mar 28 02:22:44 2007
    1164  3793  6      Wed Mar 28 02:22:28 2007
    468   1900  17     Wed Mar 28 02:22:58 2007
    1828  4500  17     Wed Mar 28 02:22:36 2007
    4     138   17     Wed Mar 28 02:22:20 2007
    196   1037  6      Wed Mar 28 02:23:03 2007
    1936  1027  6      Wed Mar 28 02:22:35 2007
    4     445   17     Wed Mar 28 02:22:20 2007
    1112  123   17     Wed Mar 28 02:22:39 2007

Proto is the IP protocol number: 6 is TCP, 17 is UDP, 255 is a raw socket. The System process (PID 4) holding 137/138/139/445 is normal Windows file sharing; anything listening on a high port with no obvious owner is what to chase.

42. Live-Response Methodologies
There are three basic methodologies for performing live response on a Windows system: local, remote, and hybrid.

Local Response Methodology
Performing live response locally means you are sitting at the console of the system, entering commands at the keyboard, and saving information locally, either directly to the hard drive or to a removable (thumb drive, USB-connected external drive) or network resource (network share) that appears as a local resource. The simplest way to implement the local methodology is with a batch file. An example of a simple batch file that you can use during live response looks like this (%1 is the directory the output is written to, e.g. the drive letter of the responder's thumb drive):

    tlist.exe -c > %1\tlist-c.log
    tlist.exe -t > %1\tlist-t.log
    tlist.exe -s > %1\tlist-s.log
    tcpvcon.exe -can > %1\tcpvcon-can.log
    netstat.exe -ano > %1\netstat-ano.log

There you go: three utilities and five simple commands. Save this file as local.bat and include it on the CD, along with copies of the associated tools, so that the binaries executed are your trusted copies rather than whatever is on the suspect system.

43. Remote Response Methodology
The remote response methodology generally consists of a series of commands executed against a system from across the network.
This methodology is very useful in situations with many systems, because the process of logging into the system and running commands is easy to automate. Implementing our local methodology batch file for the remote methodology is fairly trivial:

    psexec.exe \\%1 -u %2 -p %3 -c tlist.exe -c > tlist-c.log
    psexec.exe \\%1 -u %2 -p %3 -c tlist.exe -t > tlist-t.log
    psexec.exe \\%1 -u %2 -p %3 -c tlist.exe -s > tlist-s.log
    psexec.exe \\%1 -u %2 -p %3 -c tcpvcon.exe -can > tcpvcon-can.log
    psexec.exe \\%1 -u %2 -p %3 c:\windows\system32\netstat.exe -ano > netstat-ano.log

This batch file (remote.bat) sits on the responder's system and is launched as follows:

    C:\forensics\case007>remote.bat 192.168.0.7 Administrator password

Once the batch file has completed, the responder has the output of the commands in five files, ready for analysis, on her system. Two caveats: psexec installs and starts its PSEXESVC service on the target, and the -c switch copies each tool to the target's ADMIN$ share, so this method does write to the suspect system and must be recorded as such; and the last line runs the target's own netstat.exe, which a rootkit could have replaced, so its output deserves less trust than that of the tools copied from the responder's CD.

44. The Hybrid Approach (a.k.a. Using the FSP)
This methodology is most often used in situations where the responder cannot log in to the systems remotely but wants to collect all information from a number of systems and store that data in a central location. The responder (or an assistant) will go to the system with a CD or thumb drive (ideally, one with a write-protect switch that is enabled), access the system, and run the tools to collect information. As the tools are executed, each one sends its output over the network to the central forensic server. In this way, no remote logins are executed, trusted tools are run from a non-modifiable source, and very little is written to the hard drive of the victim system. With the right approach and planning, the responder can minimize his interaction with the system, reducing the number of choices he needs to make with regard to input commands and arguments as well as reducing the chance for mistakes.

45. FSPC and FRUC
FSPC is the server component, which resides on your forensic workstation.
This system is where all of the data you collect is stored and managed, and eventually analyzed.

    FSPC [-d case dir] [-n case name] [-p port] [-i investigator] [-l logfile] [-c] [-v] [-h]
    -d case dir....Case directory (default: cases)
    -n case name...Name of the current case
    -i invest......Investigator's name
    -p port........Port to listen on (default: 7070)
    -l logfile.....Case logfile (default: case.log)
    -v.............Verbose output (more info, good for monitoring activity)
    -c.............Close FSP after CLOSELOG command sent (best used when collecting data from only one system)
    -h.............Help (print this information)
    Ex: C:\>fspc -d cases -n testcase -i "H. Carvey"
        C:\>fspc -n newcase -p 8047

46. FRUC is the client component, used to collect data from the "victim" system. Download the zipped archive and extract all of the files (2 EXE files and several DLLs) into a directory, add your third-party tools, update your INI file (the default is "fruc.ini") appropriately, and then burn ever

ything to a CD (or copy it to a thumb drive). Then you're ready. Launch FRUC with the "-h" switch and you'll see:

    FRUC v 1.2 [-s server IP] [-p port] [-f ini file] [-h]
    First Responder Utility (CLI) v.1.2, data collection utility
    of the Forensics Server Project
    -s system......IP address of Forensics Server
    -p port........Port to connect to on the Forensics Server
    -f file........Ini file to use (use other options to override ini file configuration settings)
    -v.............Verbose output (more info, good for monitoring activity)
    -h.............Help (print this information)
    Ex: C:\>fruc -s -p -f

47. Using netcat
For our purposes, we won't go into an exhaustive description of netcat; we'll use it to transmit information from one system to another.
First, we need to set up a listener on our forensic server, and we do that with the following command line (the Windows port of netcat's -L option re-listens after each connection closes, so all five tool outputs land, in order, in the one file):

    D:\forensics>nc -L -p 80 > case007.txt

On the victim system, the batch file pipes each tool's output to that listener (%1 is the server's IP address and %2 the port; -w 5 is the connect/final-read timeout, so each nc exits instead of hanging):

    tlist.exe -c | nc %1 %2 -w 5
    tlist.exe -t | nc %1 %2 -w 5
    tlist.exe -s | nc %1 %2 -w 5
    tcpvcon.exe -can | nc %1 %2 -w 5
    netstat.exe -ano | nc %1 %2 -w 5

Save this file as hybrid.bat, and then launch it from the command line, like so (D: is still the CD-ROM drive):

    D:\>hybrid.bat 192.168.1.10 80

Once we run this batch file, we'll have all our data safely off the victim system and on our forensic server for safekeeping and analysis. Note that netcat sends the data in the clear and unauthenticated; run this over an isolated response network, or tunnel it, if the attacker may be watching the wire.

48. Network Forensics

49. NetworkMiner
NetworkMiner is a network forensic analysis tool that was developed to facilitate the task of performing network forensic investigations as well as conducting incident response. NetworkMiner is designed to collect data about hosts on a network rather than to collect data regarding the traffic on the network. It has a graphical user interface where the main view is host-centric (information grouped per host) rather than packet-centric (information shown as a list of packets/frames). One of the most appreciated functions in NetworkMiner is the ability to easily extract files from captured network traffic in protocols such as HTTP, FTP, TFTP, and SMB. NetworkMiner actually reassembles files to disk on the fly as it parses a PCAP file. A lot of other useful information, such as user credentials, transmitted parameters, operating systems, hostnames, server banners, etc., can also be extracted from network traffic with NetworkMiner. All of this is performed fully passively, so that no traffic is emitted to the network while performing the network forensic analysis.

50. Analyzing Network Traffic
(screenshots on slides 50 to 52)
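The local.bat on slide 42 collects the data, but it leaves the "record every executed command" rule of slide 28 and the "document all the steps" rule of slide 32 to the responder's notebook. The following added example (not code from the original slides and not part of the Forensic Server Project) does the same collection while producing that record automatically: each tool is resolved only inside a directory of the responder's own trusted binaries (never via PATH, so the suspect system's copies are never run), its output is saved, and a JSON log captures the exact command line, start and end time in UTC, exit status and SHA-256 of the output. The command list mirrors the slide's batch file; `demo()` substitutes the Python interpreter for a tool so the example runs on any platform without tlist or tcpvcon present.

```python
"""Live-response collector with a command log (added example; not code from
the original slides or from the Forensic Server Project).

Assumptions: tool_dir holds the responder's trusted tool copies (the CD or
write-protected thumb drive on a real case), out_dir is a removable or
network destination, and DEFAULT_COMMANDS is the slide's local.bat list.
"""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
import time

# Same five commands as local.bat on slide 42: (tool, arguments, log name).
DEFAULT_COMMANDS = [
    ("tlist.exe", ["-c"], "tlist-c.log"),
    ("tlist.exe", ["-t"], "tlist-t.log"),
    ("tlist.exe", ["-s"], "tlist-s.log"),
    ("tcpvcon.exe", ["-can"], "tcpvcon-can.log"),
    ("netstat.exe", ["-ano"], "netstat-ano.log"),
]


def _utc():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def run_tool(tool_path, args, out_path):
    """Run one trusted tool, save its stdout to out_path, and return a
    custody record describing exactly what was executed and what came back."""
    started = _utc()
    proc = subprocess.run([tool_path] + list(args), capture_output=True)
    with open(out_path, "wb") as fh:
        fh.write(proc.stdout)
    return {
        "command": [tool_path] + list(args),
        "started_utc": started,
        "finished_utc": _utc(),
        "exit_status": proc.returncode,
        "output_file": out_path,
        "output_sha256": hashlib.sha256(proc.stdout).hexdigest(),
        "stderr": proc.stderr.decode("utf-8", "replace"),
    }


def collect(tool_dir, out_dir, commands=DEFAULT_COMMANDS, log_name="commands.json"):
    """Run each (tool, args, logname) from tool_dir, saving outputs and a JSON
    command log in out_dir. Tools are resolved only inside tool_dir, never via
    PATH. A missing tool is recorded as an error, not silently skipped."""
    os.makedirs(out_dir, exist_ok=True)
    records = []
    for tool, args, logname in commands:
        tool_path = os.path.join(tool_dir, tool)
        out_path = os.path.join(out_dir, logname)
        if not os.path.isfile(tool_path):
            records.append({"command": [tool_path] + list(args),
                            "started_utc": _utc(), "error": "tool not found"})
            continue
        records.append(run_tool(tool_path, args, out_path))
    with open(os.path.join(out_dir, log_name), "w") as fh:
        json.dump(records, fh, indent=2)
    return records


def demo():
    """Constructed run: the Python interpreter stands in for a trusted tool
    and prints a fake one-line process list; a second, missing tool shows
    how failures are logged. Returns (records, saved output bytes)."""
    tool_dir, tool = os.path.split(sys.executable)
    fake = (tool, ["-c", "print('System 4 0')"], "fake-pslist.log")
    missing = ("no-such-tool.exe", [], "missing.log")
    with tempfile.TemporaryDirectory() as out_dir:
        records = collect(tool_dir, out_dir, [fake, missing])
        with open(os.path.join(out_dir, "fake-pslist.log"), "rb") as fh:
            output = fh.read()
    return records, output
```

Hash the resulting commands.json and the output files on the spot and write those hashes in the notebook; the log then serves the same role for volatile data that the acquisition hash serves for the disk image. For the hybrid approach, the only change is to send each record and output to the forensic server instead of writing it to out_dir.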
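Slide 49 describes two ideas that make NetworkMiner useful: a host-centric view of a capture, and reassembling the files a host served out of the packets that carried them. The following added example (not NetworkMiner's code, and not from the original slides) implements a minimal version of both with the standard library only: it parses the libpcap file format, decodes Ethernet/IPv4/TCP, records per host the ports it accepted connections on and the peers it talked to, reorders each TCP direction by sequence number, and saves the body of any HTTP response it served. The capture it runs on is constructed in the block (a handshake, a GET, and a response whose two segments arrive out of order), so no real traffic is needed.

```python
"""Host-centric PCAP triage (added example; not NetworkMiner's code).
Standard-library parser for libpcap + Ethernet/IPv4/TCP; the capture is
constructed below. Checksums are neither computed nor verified.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_pcap(data):
    """Yield (timestamp, frame bytes) for each record in a libpcap file."""
    if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", data, 0)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, seq, payload) or None if the
    frame is not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != IPPROTO_TCP:
        return None
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    return src, dst, sport, dport, off_flags & 0x1FF, seq, tcp[(off_flags >> 12) * 4:]


def host_view(pcap_bytes):
    """Build {ip: {'open_ports': set, 'peers': set, 'served': {(port, peer): body}}}."""
    hosts = defaultdict(lambda: {"open_ports": set(), "peers": set(), "served": {}})
    segments = defaultdict(dict)  # (src, sport, dst, dport) -> {seq: payload}
    for _ts, frame in parse_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, flags, seq, payload = pkt
        hosts[src]["peers"].add(dst)
        hosts[dst]["peers"].add(src)
        if flags & 0x12 == 0x12:  # SYN+ACK: src accepted a connection on sport
            hosts[src]["open_ports"].add(sport)
        if payload:
            segments[(src, sport, dst, dport)][seq] = payload  # retransmit overwrites
    for (src, sport, dst, dport), chunks in segments.items():
        stream = b"".join(chunks[s] for s in sorted(chunks))  # reorder by seq
        if stream.startswith(b"HTTP/1."):
            hosts[src]["served"][(sport, dst)] = stream[stream.find(b"\r\n\r\n") + 4:]
    return hosts


def _frame(src, dst, sport, dport, flags, seq, payload=b""):
    """Construct one Ethernet/IPv4/TCP frame (zero MACs and checksums)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip


def build_constructed_pcap():
    """Constructed capture: 10.0.0.5 fetches /x.exe from 10.0.0.80; the
    response's second segment is captured before its first."""
    c, s = "10.0.0.5", "10.0.0.80"
    body = b"MZ\x90\x00fake-dropper-bytes"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
    frames = [
        _frame(c, s, 49152, 80, 0x02, 1000),                    # SYN
        _frame(s, c, 80, 49152, 0x12, 5000),                    # SYN+ACK
        _frame(c, s, 49152, 80, 0x10, 1001),                    # ACK
        _frame(c, s, 49152, 80, 0x18, 1001, b"GET /x.exe HTTP/1.1\r\nHost: srv\r\n\r\n"),
        _frame(s, c, 80, 49152, 0x18, 5001 + len(resp), body),  # second segment first
        _frame(s, c, 80, 49152, 0x18, 5001, resp),              # header segment
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out
```

The reassembly is deliberately simple (no handling of overlapping or partially retransmitted segments, no IP fragments, no IPv6), which is enough to show why NetworkMiner's "extract files" feature works at all: once a direction is put back in sequence order, the served file is just the bytes after the HTTP header. Write `hosts[ip]["served"]` values to disk and hash them, as you would any other recovered file.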
52. Forensic software
Dump tools: Ds2dump, Chaos Reader
Permanent deletion of files: PDWipe
File integrity checkers: HashKeeper
Slack space and data recovery tools: Ontrack
Disk imaging tools: DriveSpy, Image, SnapBack DatArrest, IXimager
Hard disk write protection tools: PDBlock, NoWrite, DriveDock, Write-blocker
Partition managers: Part, Explore2fs

53. Forensic software (cont'd)
Linux/UNIX tools: Ltools, Mtools, TCT, TCTUTILs
Multipurpose tools: ByteBack, Maresware, BIA Protect Tools, LC Technology software, WinHex specialist editor, ProDiscover, DFT, DataLifter, R-Tools
Password recovery tool: @stake
Internet history viewer
Toolkits: ASRData, NTI tools, Ftimes
Phone forensics: Oxygen Phone Manager

54. Data Recovery Tools
These tools may be used to recover information from many sources, including PDAs, cameras, and disk drives. e.g. Device Seizure, ByteBack.

55. Permanent Deletion of Files
Drive wiping is a crucial component of all digital forensic examinations. Any target drive that has not been thoroughly wiped before it receives an image has to be considered suspect, because leftover data from an earlier case could be mistaken for evidence. The following tools aid in this goal. e.g. PDWipe, R-Wipe, Darik's Boot and Nuke.

56. File Integrity Checker
These tools help you prove that the file you copied into evidence has not been altered subsequently. They make possible a quick and reliable diagnosis of a system image for the purpose of determining whether any changes have occurred. e.g. Filemon, HashKeeper.

57. Disk Imaging Tools
These tools create a bit-image copy of a drive or other media. e.g. SnapBack DatArrest, SafeBack 3.0, EnCase, FTK, ProDiscover.

58. Partition Managers
Help to create partitions on a drive. e.g. Partimage, PartitionMagic.

59. E-mail Recovery Tools
This category of product provides forensic analysis, advanced searching, and conversion and export of e-mail. E.g. E-mail Examiner can examine over 16 e-mail formats, including AOL 9.0, PST files, and more than 14 others. Paraben suite.

60. Password Recovery Tools
A password cracker hashes all the words in a dictionary file and compares every result with the password hash.
If a match is found, the password is the dictionary word. The following are tools that may be used to break poorly configured passwords. e.g. @stake, Decryption Collection Enterprise, AIM Password Decoder, MS Access Database Password Decoder, Paraben suite, Elcomsoft suite. Also discuss GPU-based tools (Hashcat, IGHASHGPU, etc.), which try orders of magnitude more candidates per second than CPU crackers.

61. NetAnalysis
This product allows the analysis of a Web browser's history data. It is commonly used by law enforcement in child pornography cases. The forensic examination and analysis of user activity on the Internet can be the pivotal evidence in any case. e.g. Cookie viewer.

62. Adobe Reader
These tools are used to decrypt PDF files so that they can be examined and edited. e.g. Nitro, Elcomsoft suite, Paraben suite.

63. Stealth Suite
Users without a forensic background can use the Stealth Suite to assess activity on a computer hard disk. These tools can help identify whether a targeted computer system was used to access inappropriate information.

64. Computer Incident Response Suite
This suite of tools is often used in corporate and government investigations and security risk reviews. They are optimized for MS-DOS, which is the lowest-cost forensic platform for MS-DOS and Windows processing. Many of the tools also have Windows versions. e.g. Helix, CAINE (note that both of these are bootable Linux live CDs rather than MS-DOS tools).

65. Oxygen Phone Manager
Oxygen Phone Manager II for Nokia phones provides a simple and convenient way to control mobile phones from a PC.

66. SIM Card Seizure
SIM Card Seizure can be used to recover deleted Short Message Service (SMS) messages and perform comprehensive analysis of SIM card data.

67. Steganography
Steganography is defined as "the art and science of hiding information by embedding messages within other, seemingly harmless messages". Steganography involves placing a hidden message in some transport medium.
The term is derived from two Greek words: steganos, meaning covered or concealed, and graphein, meaning writing. Tools: Snow, Fort Knox, Blindside, Image Hide. Digital watermarks are imperceptible or barely perceptible transformations of digital data; often the digital data set is a digital multimedia object.

68. Recovering deleted files
Acronis Recovery Expert: protects data by recovering hard disk partitions if they are damaged or lost for any reason. It supports disks with a capacity greater than 180 GB. Its distinguishing feature is that it works from bootable CDs or diskettes, independently of the installed system, so it recovers partitions even if the operating system fails to boot.
Active@ UNERASER - DATA Recovery: a compact and powerful undelete utility that can recover deleted files and folders on FAT12, FAT16, FAT32 and NTFS systems. It can even restore files from deleted and reformatted partitions. It is not necessary to install the utility on your system's hard drive, as it fits on a boot floppy disk, removing the possibility of overwriting the data you want to recover.
R-Linux: recovers files from existing logical disks even when file records are lost. R-Linux is a file recovery utility for the Ext2FS file system used in Linux and several Unix versions. R-Linux uses its IntelligentScan technology and flexible parameter settings to make recovery faster.
FileSaver: an undelete application that works by searching for bits of data that can be recovered and pieced together to form the original file. FileSaver restores as many files from as many drives as possible.
File Scavenger: can recover files that have been accidentally deleted, including files removed from the Recycle Bin, the DOS shell, a network drive, or Windows Explorer. File Scavenger supports both basic and dynamic disks, NTFS compression, and Unicode filenames.
Restorer 2000: supports Windows 95/98/ME/NT/2000/XP.
It allows the investigator to undelete files, unerase files, unformat files, and restore and recover data from NTFS and FAT partitions.
O&O UnErase: recovers deleted files with the help of an algorithm that enables more files to be recovered at a time. O&O UnErase can also recover important documents such as digital photographs, executable program files, etc.
Zero Assumption Digital Image Recovery: a free data recovery tool that works with digital images. Digital photographs that have been deleted from a digital camera can be retrieved using this tool. It supports media such as CompactFlash, MemoryStick and SmartMedia that can be accessed through an operating system.
Search and Recover: allows the investigator to quickly recover deleted or destroyed files, folders, songs, pictures, videos, programs, critical system components, web pages, and email messages in Microsoft Outlook and Outlook Express, Netscape, and Eudora.

69. Overview of forensic hardware
Hardware device: description
NoWrite: prevents data from being written to the hard disk. It supports hard disk drives with high capacities. It is compatible with all kinds of devices, including USB or FireWire boxes, adapters and cables belonging to IDE. It supports communication between common IDE interfaces.
FireWire DriveDock: a forensic instrument designed to load hard drives on computer systems. It comprises a 3.5-inch hard drive that is used along with a single device to give complete FireWire desktop storage. It is a compact device of about 4 cubic inches that controls everything in a 3.5-inch hard drive.
LockDown: LockDown by Paraben is an advanced FireWire or USB to IDE write-blocker that combines speed and portability to allow IDE media to be acquired quickly and safely on Windows-based systems.
Write Protect Card Reader: transfers data to a computer system from digital cameras, digital camcorders, PDAs, MP3 players and digital voice recorders.
It can read multiple types of flash memory while blocking any writes to it. It is a small palm-size package with a simple USB 2.0/1.1 connection and requires no external power.
DriveLock IDE: the DriveLock IDE Hard Drive Write Protection device is designed to completely prevent write commands from being accidentally sent to hard disk drives connected through the IDE or PATA interface. With the SATA option it also blocks writes to Serial ATA hard drives. It blocks write commands sent to the hard drive while the drive is being previewed or duplicated.
Serial-ATA DriveLock Kit: a hardware write-protect device designed to prevent data writes to SATA, IDE and PATA hard disk drives. The tool is connected to a computer's PATA interface in order to block write commands sent to the hard drive while it is being previewed or duplicated.
Wipe MASSter: a commercial drive wiper.
ImageMASSter Solo-3 IT: designed exclusively for forensic data acquisition, the ImageMASSter Solo-III Forensics data imaging tool is a lightweight, portable hand-held device that can acquire data to one or two evidence drives at high speed, exceeding 3 GB/min.

70. WHAT'S NEXT?
A forensic investigation can be conducted on any device that stores electronic data, such as a computer hard drive, smart card, or Palm Pilot. Internal auditors can use computer evidence in a variety of crimes where incriminating documents can be found, including cases involving financial fraud, embezzlement, or data theft. A key point to remember during any forensic examination is that protection of the evidence is critical: in practice this means acquiring through a write blocker and recording a cryptographic hash of the source before and after imaging, so that any alteration of the evidence can be detected and the image can be shown to match it. Furthermore, the results of a forensic examination can be rewarding. Collecting evidence can allow organizations to respond to any problems immediately and authoritatively and to maintain the company's professional image.
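The write blockers and imaging devices listed above exist to guarantee one property the examiner must be able to demonstrate: the evidence drive is bit-for-bit unchanged by the acquisition. The following Python script is an added worked example, not part of this presentation and not code from any of the products named; it images a constructed 1 MiB "device" file the way dd does, records the SHA-256 of the source before and after imaging and of the image itself, and shows what the check reports when something writes to the source after the copy (the situation a hardware blocker, or a software read-only flag such as `blockdev --setro` on Linux, is there to prevent). The file paths, the `after_copy` hook and the simulated write are all assumptions made for the demonstration.

```python
"""Hash-verified acquisition, and what an unblocked write looks like (added example)."""
import hashlib
import os
import tempfile
from typing import Callable, Dict, Optional

CHUNK = 64 * 1024


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so it works on device-sized inputs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, dest: str) -> str:
    """dd-style bit copy of source into dest, hashing the stream as it is read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        while chunk := src.read(CHUNK):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verified_acquisition(source: str, dest: str,
                         after_copy: Optional[Callable[[str], None]] = None) -> Dict[str, object]:
    """Hash source before, image it, hash the image, re-hash source; all four must agree.

    after_copy is a hook used here only to simulate something touching the evidence
    between the copy and the post-acquisition hash (what a write blocker prevents).
    """
    before = sha256_file(source)
    stream = acquire(source, dest)
    image = sha256_file(dest)
    if after_copy:
        after_copy(source)
    after = sha256_file(source)
    return {
        "source_before": before, "stream": stream, "image": image, "source_after": after,
        "verified": before == stream == image == after,
    }


def _simulate_unblocked_write(path: str) -> None:
    """Stand-in for an OS auto-mounting the disk and updating a journal or mount record."""
    with open(path, "r+b") as f:
        f.seek(1024)
        f.write(b"\x00" * 8)


def demo() -> Dict[str, Dict[str, object]]:
    """Run a clean acquisition and a tampered one on a constructed 1 MiB 'device' file."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "sdb.raw")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 4096)      # constructed, deterministic content
        clean = verified_acquisition(device, os.path.join(d, "clean.dd"))
        tampered = verified_acquisition(device, os.path.join(d, "tampered.dd"),
                                        after_copy=_simulate_unblocked_write)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: verified={result['verified']}")
        for key in ("source_before", "stream", "image", "source_after"):
            print(f"  {key:14s} {result[key]}")
```

In the tampered run the image hash still matches the pre-acquisition hash of the source, so the image itself is good; what the check exposes is that the evidence changed after it was taken, which is exactly the gap an examiner cannot close later without the before-and-after hashes in the notes.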
Auditors who wish to learn more about computer forensics can visit the Computer Forensics, Cyber Crime, and Steganography Resources Web site, www.forensics.nl/. Besides finding information on computer forensics, auditors can search online for free forensic tools. A couple of good Web sites include:
http://users.erols.com/gmgarner/forensics/: This Web site offers freeware forensic tools for Microsoft Windows platforms.
http://ftimes.sourceforge.net/FTimes/index.shtml: The site takes visitors to the FTimes system base-lining and evidence collection tool.
www.securityfocus.com/tools/525: The Security Focus Web page provides a link to AFind, a tool that lists a file's last access time without changing it.
www.weirdkid.com/products/emailchemy/: This site provides a link to Emailchemy, a mail-format viewer program.
http://ircr.tripod.com/: This site has a link to a Windows forensic tool that enables users to create an incident response collection report.

71. Live Forensics: Selected Web Sites
www.invisiblethings.org
http://www.vidstrom.net/
http://www.usenix.org/events/sec05/tech/full_papers/chow/chow.pdf (14th USENIX Security)
http://www.security-assessment.com/Presentations/Auscert_2006_-_Defeating_Live_Windows_Forensics_DB_v1.8.ppt
http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf
http://forensic.seccure.net/
http://www.knoppix.net
http://www.gcn.com/print/25_22/41502-1.html (Special Report: Live forensics is the future for law enforcement)
http://news.com.com/2100-7349_3-5092781.html (U.K. teen acquitted with Trojan defense, Oct. 17, 2003)
http://www.newsmax.com/archives/articles/2003/8/12/204345.shtml (The Trojan Horse Defense in Child Pornography, Aug. 13, 2003)

72. Tools! Tools! Tools!
http://www.forensicswiki.org/wiki/Tools
http://www.mccrackenassociates.com/links/sectools.htm
http://www.sourceforge.net/projects/windowsir/files/
http://www.cftt.nist.gov/
http://www.ntsecurity.nu/toolbox/promiscdetect/
http://www.mandiant.com/products/free_software

73. PRACTICAL DEMOS
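The dictionary attack from the password-cracking slide, as an added worked example rather than the presenter's own demo or code from any of the crackers named there: every wordlist entry and a handful of rule-based mutations are hashed with the same algorithm and salt as the stored record and compared against the target digest. The record format `algo$salthex$hashhex`, the five-word list and the sample user table are constructed for this example (a real run would use a large wordlist and a GPU cracker, but the comparison loop is the same).

```python
"""Dictionary attack against stored password hashes (added example, not from the deck)."""
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Constructed wordlist; a real attack would use a large public list such as rockyou.
WORDLIST = ["password", "letmein", "summer", "forensics", "welcome"]


def mutations(word: str) -> Iterable[str]:
    """Cheap rule-based variants of the kind crackers such as Hashcat apply."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    for suffix in ("!", "1", "123"):
        yield word + suffix
    for year in range(1990, 2016):          # "summer2005", "Summer2005", ...
        yield f"{word}{year}"
        yield f"{word.capitalize()}{year}"


def hash_candidate(algo: str, candidate: str, salt: bytes = b"") -> str:
    """Hex digest of salt || candidate (the layout assumed for the sample store)."""
    h = hashlib.new(algo)
    h.update(salt + candidate.encode("utf-8"))
    return h.hexdigest()


def parse_record(record: str) -> Tuple[str, bytes, str]:
    """Assumed store format 'algo$salthex$hashhex'; an empty salt marks a legacy row."""
    algo, salt_hex, digest = record.split("$")
    return algo, bytes.fromhex(salt_hex), digest.lower()


def dictionary_attack(record: str, words: Iterable[str] = WORDLIST) -> Optional[str]:
    """Return the plaintext if some wordlist mutation hashes to the record, else None."""
    algo, salt, target = parse_record(record)
    for word in words:
        for cand in mutations(word):
            if hash_candidate(algo, cand, salt) == target:
                return cand
    return None


def make_record(algo: str, password: str, salt: bytes = b"") -> str:
    """Build a record in the assumed format (used here only to construct sample data)."""
    return f"{algo}${salt.hex()}${hash_candidate(algo, password, salt)}"


# Constructed sample "user table": two weak passwords and one strong one.
SAMPLE_RECORDS: Dict[str, str] = {
    "jdoe": make_record("md5", "Summer2005"),                          # legacy unsalted MD5
    "admin": make_record("sha256", "letmein!", salt=b"\x9a\x01\xf3\x7c"),
    "ceo": make_record("sha256", "Xq7#vB2!mL9$pR", salt=b"\x42\x42\x42\x42"),
}


def crack_all(records: Dict[str, str] = SAMPLE_RECORDS) -> Dict[str, Optional[str]]:
    """Attack every record; None means the wordlist did not cover that password."""
    return {user: dictionary_attack(rec) for user, rec in records.items()}


if __name__ == "__main__":
    for user, pw in crack_all().items():
        print(f"{user}: {pw if pw else '<not in wordlist>'}")
```

Salting does not stop this attack when the salt is stored next to the hash, as it is here; it only prevents one precomputed table from serving every account. What makes the third record survive is that the password is not in the wordlist, which is why the practical defence is a slow hash (bcrypt, scrypt, Argon2) plus a password policy that keeps users out of the dictionary.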
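Least-significant-bit embedding, the method behind the steganography slide's "placing a hidden message in some transport medium", as an added worked example that is not code from the deck or from the tools it lists (Snow, Fort Knox, Blindside, ImageHide): the message is prefixed with a 4-byte length and written one bit at a time into the least significant bit of consecutive 8-bit samples, so no sample changes by more than 1. The cover "image" is a constructed 64x64 gradient and the length-header layout is an assumption of this example; extraction checks the header against the carrier size so that running it on a clean cover fails instead of returning garbage.

```python
"""LSB steganography in an 8-bit sample stream (added example, not from the deck)."""
import struct
from typing import Iterator

HEADER = struct.Struct(">I")  # 4-byte big-endian payload length prepended to the message


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_capacity(cover: bytes) -> int:
    """Message bytes a cover can hold: one bit per sample, minus the length header."""
    return len(cover) // 8 - HEADER.size


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Write length||message into the least significant bit of consecutive samples."""
    if len(message) > lsb_capacity(cover):
        raise ValueError(f"message of {len(message)} bytes exceeds capacity {lsb_capacity(cover)}")
    payload = HEADER.pack(len(message)) + message
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return bytes(stego)


def _read_bytes(stego: bytes, first_sample: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of samples starting at first_sample."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[first_sample + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Recover the message; raises ValueError if the header does not fit the carrier."""
    if len(stego) < HEADER.size * 8:
        raise ValueError("carrier too small to hold a length header")
    (length,) = HEADER.unpack(_read_bytes(stego, 0, HEADER.size))
    if HEADER.size * 8 + length * 8 > len(stego):
        raise ValueError("length header inconsistent with carrier size (no payload, or wrong offset)")
    return _read_bytes(stego, HEADER.size * 8, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never changes a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 64x64 single-channel "image" with a smooth gradient (4096 samples).
COVER = bytes(((x * 3 + y * 2) % 256) for y in range(64) for x in range(64))
MESSAGE = b"wire 40k to acct 7731 before audit"

if __name__ == "__main__":
    stego = lsb_embed(COVER, MESSAGE)
    print("capacity:", lsb_capacity(COVER), "bytes")
    print("max sample change:", max_sample_change(COVER, stego))
    print("recovered:", lsb_extract(stego))
```

The stego carrier is the same size as the cover and differs from it by at most one level per sample, which is why the change is invisible; it is not undetectable, because embedding flattens the statistics of the LSB plane, and that shift is what steganalysis tests such as the chi-square attack look for. Lossy re-encoding of the carrier (for example re-saving as JPEG) destroys the payload, so this method only survives lossless formats.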
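Header/footer carving, which is what an undelete tool such as FileSaver on the recovery slide means by "searching for bits of data that can be pieced together": once the file system's records are gone, files are located in unallocated space by their magic numbers alone. This is an added example, not code from any tool on that slide; the sample JPEG, PNG and PDF blobs and the surrounding "disk image" are constructed (structurally minimal, not valid media), the signature table covers only those three types, and one orphaned JPEG header is planted to show how a header with no footer is skipped.

```python
"""Signature-based file carving from a raw image (added example, not from the deck)."""
import hashlib
from typing import Dict, List, NamedTuple, Tuple


class Carved(NamedTuple):
    kind: str
    offset: int
    data: bytes
    sha256: str


# (header, footer) magic values for the three types this example recognises.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # IEND chunk type plus its fixed CRC
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),            # SOI ... EOI
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 8 * 1024 * 1024) -> List[Carved]:
    """Find every header and take the bytes up to the next footer within max_size.

    Caveats a production carver handles and this one does not: the first footer
    may belong to an embedded object (an EXIF thumbnail inside a JPEG also ends
    with FF D9), and fragmented files will not carve cleanly.
    """
    results: List[Carved] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos >= 0:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end < 0:                        # header with no footer in range: skip it
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            blob = image[pos:end]
            results.append(Carved(kind, pos, blob, hashlib.sha256(blob).hexdigest()))
            pos = image.find(header, end)
    return sorted(results, key=lambda c: c.offset)


# Constructed sample files (structurally minimal, not real media) and a fake
# "unallocated space" image that scatters them between zeroed sectors.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
SAMPLE_PNG = (SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 21
              + SIGNATURES["png"][1])
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
ORPHAN_HEADER = b"\xff\xd8\xff\xe1"           # a JPEG start whose remainder was overwritten


def build_sample_image() -> bytes:
    """Zeroed sectors with the three sample files and the orphan header scattered inside."""
    return (b"\x00" * 512 + SAMPLE_JPEG + b"A" * 100 + SAMPLE_PNG
            + b"\x00" * 64 + SAMPLE_PDF + b"\x00" * 128 + ORPHAN_HEADER + b"\x00" * 200)


if __name__ == "__main__":
    for item in carve(build_sample_image()):
        print(f"{item.offset:#010x} {item.kind:4s} {len(item.data):6d} bytes {item.sha256[:16]}...")
```

The per-file SHA-256 is recorded at carve time because a carved object has no name, timestamps or directory entry to identify it later; the offset and hash are what go in the evidence log. Carving from a forensic image rather than the live disk also matters here: the scan reads every byte, which on an unprotected original is exactly the access-time churn a write blocker prevents.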