Section 1 Analytic Question Answers




Скачать 32.46 Kb.
НазваниеSection 1 Analytic Question Answers
Дата конвертации13.05.2013
Размер32.46 Kb.
ТипДокументы

Lab 1: Windows Imaging

IST 454: Computer and Cyber Forensics

September 14, 2010






Team #8

Isiah Jones Kimberli Scanio Mike Muldoon Ngaire Underhill

{ilj102, kws5370, mym5362, nvu5006}@psu.edu


Table of Contents


Analytic Question Answers 5

Present the Results 8

Task 1 - Forensically Clean Storage Hard Drive 8

Task 2 – Write Protect the Suspect Drive 9

Task 4 – Make a Forensically Sound Image using FTK 13

Bibliography 21



Introduction




When conducting an investigation that involves digital evidence it is always advised practice to create several images or bit-by-bit forensic copies of the digital content. This will allow for the preservation of the digital evidence while allowing enough copies to conduct analysis on. Having more than one copy also can protect the admissibility of the evidence in court if by any chance damage or theft comes to the digital evidence. In this particular lab we begin learning how to capture images from the Windows platform.

Section 1



Analytic Question Answers





  1. How does a bit-stream image differ from a normal backup copy?

A bit-stream image is the file or files in which a bit-stream copy is stored. A bit-stream image copy is an exact duplicate of the data from the original storage medium. The bit-stream copy is a bit by bit copy of all of the data on the storage medium including unused space and deleted files. The copy is an “image” making it easier to authenticate and store. Whereas, the normal backup copy is more cumbersome and it can not be authenticated. Additionally, a normal copy can result in inadvertently altered data. According to Nelson, Phillips, and Steuart a normal copy can only copy or compress files that are stored in a folder or are of a known file type; it can not copy deleted files, e-mails, or recover file fragments.

  1. What is the purpose of using a write-blocker hardware or software for imaging? Please search in the Internet to find two hardware write-blockers and provide a brief description and source of each.

The purpose of using a write-blocker hardware or software for imaging is to create a read only environment, ensuring integrity of the drive contents. The are a couple different commercial hardware write-blockers on the market such as Tableau and UltraBlock. The UltraBlock creates a read-only environment in which one can acquire forensically sound data from an IDE or SATA hard drive. An example is the ultrablock eSATA IDE/ SATA. More information can be found at http://www.digitalintelligence.com/forensicwriteblockers.php. Another example is the WiebeTech USB WriteBlocker. The WiebeTech is a forensic in-line USB WriteBlocker. This device is very small and extremely portable and compatible with single storage devices. More information for the Wiebe can be found at http://www.wiebetech.com/products/USB-WriteBlocker.php.

  1. What is the general principle/logic of using a software approach to write-protect a drive?

The general principle to utilizing a software approach to write-protect a hard drive has evolved over the years. The original design of only block known writes has given way to only allow known reads design (Lyle & Black, 2005). The purpose of this change is a more robust and secure design. A hard drive software write block tool operates by monitoring drive I/O commands sent from the PC through a given access interface. Any commands that could modify a hard drive are intercepted (i.e., blocked) and not passed on to the hard drive controller (National Institute of Standards and Technology, 2003). Because of the shift in design, there is no need to have to modify the software to account for additional write commands and/or operations; they are all blocked.

  1. What are the differences and pros and cons of using hardware and software tool to write protect a suspect drive?

The differences between using hardware and software tools to write protect a suspect drive is that with a hardware write-blocker the write-blocking function is always enabled, in software this might not always be the case. With a software write-blocker there is a chance that it could be configured improperly thus destroying the integrity of the protected drive. The utilization of software write-blockers in classified computing systems sometimes requires Two Person Integrity (TPI) to ensure proper configuration.

Some of the pros and cons of both implementations can be seen below:

Pros of software implementation:

  • Software takes up no physical space in your already full investigator kit.

  • It requires no power therefore you cannot misplace or accidently forget to bring a power adaptor into the field during an investigation (ForensicSoft, 2010).

  • Software also blocks all connection types without the need for adapters.

Cons of Software implementation:

  • Unless the software runs at the very lowest level and the operating system is secure, there are usually ways for other programs to subvert a software write blocker (Lyle & Black, 2005).

Pros of hardware implementation:

  • Clear visual indication of function through physical lights/switches.

  • Difficult to use improperly, write blocking always enabled.

  • Is not reliant on an underlying operating system or software-based subsystem. (Newton, 2010)

Cons of hardware implementation:

  • A number of different interface adapters are required of different types of hard disks.

  • An additional piece of hardware that needs to be maintained and could fail.

  1. What are the advantages and disadvantages of using EnCase/FTK tools to obtain a forensic copy/image of the evidence (as compare with other approaches)?




  1. What formats of image does EnCase support? How about FTK? Please evaluate and discuss your experience of using these two software tools in terms of functionality, usability, performance, and ease of learning.




  1. Is there any other ways of acquiring images in addition to using the approach practice in this lab? Please describe the possible scenarios and approaches.

Hardware forensics tools could also be used to complete the tasks of this lab. They can range “from simple, single-purpose components to complete computer systems and servers.” Some vendor provided workstations and systems include “Intelligence F.R.E.D. systems, DIBS Advanced Forensic Workstations, and Forensic Computers Forensic Examination Stations and portable units.” (Nelson, Phillips, Enfinger, & Steuart, 2010, pp. 261, Ch 7)

Forensics workstations can be customized to ones specific needs and may offer vendor support. There are also hardware based write blockers that prevent data from being written to a suspect’s drive during the image capture process. When dealing with hardware forensics tools one must consider costs, scalability, maintenance and failures, vendor support, life span and upgrade scenarios as well as frequency of use. A scenario for using a hardware forensics tool would be using a laptop in a mobile unit or to collect volatile information on the scene of a crime or an active corporate espionage case.

  1. Please discuss under what circumstances should we use a drive-to-drive approach to acquire image?

One of the main reasons to use a drive-to-drive approach to acquire an image would be to use a laptop with portable write blocker, USB and other necessary light hardware to capture a volatile data image when arriving on a scene containing a machine that is currently on.

Section 2

Present the Results



Task 1 - Forensically Clean Storage Hard Drive



The XP machine used for this lab has three disks drives. Drive C is the regular drive, Drive D is the suspects drive, and Drive E is the storage drive. The forensic tool EnCase was used to complete task 1 where the storage drive was forensically wiped clean. Task 1 involved using EnCase to locate and choose the drive in which to completely write over; essentially preventing the recovery of the data. This task must be completed before the images of a suspect’s drive can be written to it.



Figure 1.1: Shows the local drives found on the VMWare XP computer.





Figure 1.2: Shows a summary of the drive wipe.




Task 2 – Write Protect the Suspect Drive



This task called for utilizing SafeBlock write-block software to protect and test against a USB thumb drive. However, I have access to a hardware write blocker and also tested with it. The hardware write-blocker utilized was a Tableau T8-R2. I will include screen shots of this as well.



Figure 2.1: Shows USB storage device not locked





Figure 2.2: Shows USB storage device locked





Figure 2.3: Shows Right click menu on unlocked drive




Note here that the delete and cut commands are available.


Figure 2.4: Shows Right click menu on locked drive



Note here that unlike in figure 2.3 the delete and cut commands are not available.



Figure 2.5: Shows copy error on locked drive




Here we can see that when trying to copy to the locked drive the operating system produces a write-protect error.



Figure 2.6: Shows copy error on locked drive in Cygwin




As another example I tried to copy to the drive using Cygwin, this also produced a read-only error.


Figure 2.7: Shows hardware write-blocker setup




Here we can see the setup of the Tableau hardware write-blocker. The USB key is connected on the right-hand side of the device with the left hand side of the device providing the connection to the laptop and power.

A write-blocker, whether hardware or software based, is an important tool for the computer forensics specialist. Great care must be taken in using either option to ensure that evidence in not contaminated or destroyed.

Task 4 – Make a Forensically Sound Image using FTK



This task used Access Data Forensics Tool Kit (FTK) to capture a forensic bit by bit copy or image of a suspect drive.


Figure 4.1: Step 1 locating and starting FTK to begin a new case




Figure 4.2: Creating and naming a new case





Figure 4.3: Entering biographic information on forensics examiner




Figure 4.4: Initial Case logging options to determine what events should or should not be entered into the FTK event log





Figure 4.5: Optional processes to perform on the collected image and its data contents





Figure 4.6: Options allowing exclusion of certain file types and data from case logs





Figure 4.7: Indexing options to increase search efficiency




Figure 4.8: adding evidence from drive D representing the suspect’s hard drive





Figure 4.9: New Case creation is now completed





Figure 4.10: Case with file and data classification as well as filter options





Figure 4.11 Creating a new disk image of suspect’s hard drive




Figure 4.12: Must select “PHYSICALDRIVE1” per instructions





Figure 11.12 selection of Image type “E01”.



E01 is an image file created by both FTK and Encase that allows for a layer of security that enables the ability to determine if a particular file was altered. It allows an image file to be broken up into several sequential chunks by Encase and FTK. By referencing E01 it allows the forensics software to view all the sequential follow on files as well. (Blog at WordPress.com, 2008)


Figure 4.13: Filling out evidence biographic information





Figure 4.14: Creating evidence fold to place image data




Figure 4.15: Image creation verification




FTK is an integrated forensics tool that allow for image creation, analysis, password cracking and decryption within a seamless user environment. It is cost friendly regardless of the size of the operation, organization or individual investigators. It is internationally court approved and verified. It is also one of the only Windows based tools with effective Mac features for forensics analysis on Mac platform media. (Access Data, 2011)

It is interesting to note that within this lab, FTK did not seem to have the capability to wipe and format a forensics drive as does Encase. Encase seemed to have the capability of wiping and formating drives to be used to capture the forensics image.

Conclusions




References

Bibliography


Access Data. (2011). Forensics Toolkit 3 (enough said). Retrieved 2011 йил 4-September from AccessData: A Pioneer in Digital Investigations since 1987: http://accessdata.com/products/computer-forensics/ftk

Blog at WordPress.com. (2008 йил 10-August). Forensics: What is an E01 File? Retrieved 2011 йил 4-September from Where is your Data?: http://whereismydata.wordpress.com/2008/08/10/e01-files/

ForensicSoft. (2010, January). FAQ's. Retrieved September 2011, from Forensicsoft: http://www.forensicsoft.com/faq.php

Lyle, J. R., & Black, P. E. (2005). Testing BIOS Interrupt 0x13 Based Software Write Blockers. National Institute of Standards and Technology. Monaco.

National Institute of Standards and Technology. (2003). Software Write Block Tool Specification & Test Plan. Technology Administration.

Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2010). Guide to Computer Forensics and Investigations (4th ed.).

Newton, D. (2010, May 27). Write Blockers – Hardware vs Software. Retrieved September 2011, from Derek Newton: Information Security Insights : http://dereknewton.com/2010/05/write-blockers-hardware-vs-software/



Добавить в свой блог или на сайт

Похожие:

Section 1 Analytic Question Answers iconIdentify the letter of the choice that best completes the statement or answers the question

Section 1 Analytic Question Answers iconWritten Answers to questions not answered at Mayor’s Question Time on

Section 1 Analytic Question Answers iconWritten Answers arising from the Plenary Assembly Question and Answer Session with Transport for London

Section 1 Analytic Question Answers iconAppendix 1 London Assembly (Mayor’s Question Time) 12 December 2007 Transcript – Question and Answer Session

Section 1 Analytic Question Answers iconSection 11. (Blank) section 12. BUILDING WORK section 12 general requirements

Section 1 Analytic Question Answers iconModern Languages Section Section des Langues vivantes Linguistic diversity for democratic citizenship in Europe

Section 1 Analytic Question Answers iconPharmaceutical Analytic eBooks

Section 1 Analytic Question Answers iconReport directed by Section 12404(c) and guided by Section 12405 of the Federal Ocean Acidification Research and Monitoring Act of 2009

Section 1 Analytic Question Answers iconThe following branded section has been prepared by Construction Information Limited (Masterspec) in conjunction with the product manufacturer. The downloading and/or use of this section is subject to the following terms and conditions

Section 1 Analytic Question Answers iconAnalytic Geometry and Vector Algebra (15 hrs)


Разместите кнопку на своём сайте:
lib.convdocs.org


База данных защищена авторским правом ©lib.convdocs.org 2012
обратиться к администрации
lib.convdocs.org
Главная страница