SlideShare una empresa de Scribd logo
1 de 65
Creating & Accessing
                   Forensic Images
                How to Access Multiple Image Types Using
                      Various Forensic Techniques




Brett Shavers
Topics
Forensic Image Creation Applications
Forensic Image Types
Accessing the Forensic Images
Converting the Forensic Images into
Different Forensic Image Types




                                       2
Forensic Images
Basically, a forensic image is an exact, bit for
bit copy of an original electronic media. This
includes all the deleted files also
(unallocated/slack/free space).
A mirror image is not the best way to describe a
forensic image (do you look exactly the way you
do in a mirror or is instead an opposite view of
you?). A forensic image is an EXACT copy, not
an opposite copy.
                                            3
Forensic Images
When you ask for an image, make sure you know
what you are asking for.
A Ghost image may not be a forensic image (unless
you ask for a forensic Ghost image, and even then, it
may not be)
An image may not be a complete forensic image.
A copy may not be a forensic image at all.
Ask for a FORENSIC IMAGE. There is no mistake as
to what that means. It’s every single ONE and ZERO
on the media.
                                                  4
Purposes of Creating
  Forensic Images
Purposes of Creating
           Forensic Images
Evidence preservation
Working “copy” of the original to examine
Multiple image copies for multiple examiners to
decrease the amount of time to complete
examinations.
Prove/Disprove Allegations such as the “Trojan
Defense” in virtual environments. Forensic
images can be booted virtually and tests can be
run on the running image.

                                            6
Creating Images
1.      Ideal World Example:
           Write blocked evidence source (hardware or
           software)
           Scrubbed/wiped destination drive
           Forensic boot CD (DOS or Linux), forensic boot
           floppy (DOS), Linux OS, Windows OS, or Apple OS
2.      Non-ideal World Examples:
     1.    Using suspect machine
     2.    Using Windows
     3.    No hardware write blocker
     4.    Using Software write blocker
     5.    Using no write blockers at all
                                                             7
Destination
  Drive

                Best Case OnlyofFlows
                        Data
                        Direction Arrows




        Forensic
       Workstation

                       Hardware            Original
                      Writeblocker         Evidence




                                                8
Destination
 Destination
  Drive
    Drive
                                      Data Only Flows
                                      Direction of Arrows




        Forensic
          Forensic Workstation
       Workstation
        (Software Write Blocker,
                                                            Original
                                                            Original
                            Hardware
       and/or forensic DOS/Linux
                                                            Evidence
                                                            Evidence
                  Boot     Writeblocker




                                                                 9
Destination
  Drive




               Suspect Machine
             Software write blocker,
          forensic boot with CD/Floppy
                to DOS or Linux



                                         10
Destination
  Drive




               Suspect Machine
          Acquisition tool running from
              operating system.



                                          11
Types of Problems
Types of Problems
RAIDs
Whole Disk Encryption
Vista BitLocker
Apple computers
Hard to remove hard drives
Servers
NETWORKS-Windows Server, Netware,
Novell, Unix, Linux, and “I NEED A MOTRIN!
                                      13
Normal on the Outside




Over a half dozen hard drives!!! Is it a RAID or not?
This is important as it can determine how to image.
                                                        14
Types of Image Formats
Types of Forensic Images
Encase/Expert Witness (GUIDANCE SOFTWARE)
SMART (ASR DATA)
Safeback (NTI)
WinHex (X-WAYS FORENSICS)
DD
ProDiscover File Format
SDI32 (VOGON)
ILook Image (IRS)
AFF-Advanced Forensic Format
Gfzip
Sgzip
Paraben Forensic Image Format
GHOST
Others (?) and others to come I’m sure.
                                            16
Imaging Software
  Applications
Our Imaging Applications
               and Examples
X-Ways Forensics      (WinHex backup)
Encase                (Encase E01)
FTK                    (SMART)
NTimage                (dd)
NTI                    (Safeback image)
Ghost                 (be careful, as it may not be a forensic image…)
Exact clone           (not really an image, but an exact copy)



      We will be conducting an experiment during this presentation.
         The evidence sample will be a 7GB Windows XP system
     Our evidence file will be “evidence.txt” on the evidence hard drive.




                                                                            18
A brief on some tools
There are many tools you can use to create
forensic images.
You need to know the strengths and
limitations of each tool in order to choose
the best for the task at hand.
Even when on site for one job, you may be
using several different tools to handle
different computer configurations.

                                         19
Encase Format
Maybe the most widely used format (.e01)
Compressible and searchable
Proprietary format with additional information
placed inside the image (header information,
CRC’s every block of 64 sectors, plus a footer
with a hash for the entire image (INTEGRATED
HASH)
DOS and Windows acquisition
Limited to 2GB segment sizes


                          http://guidancesoftware.com/   20
21
WinHex Backup
Not interpretable as a disk-(Winhex
backup)
Not accessible by other applications
Internal hash
DOS (using the imaging application known
as Replica) and Windows Acquisition
However, it can also create other formats
as well (dd, Encase, clone)
                 http://x-ways.net/forensics/index-m.html
                                                            22
23
dd
Interpretable by many applications
No internal hash (separate file)
Not compressed (if it is compressed, it
must be decompressed for forensic
examinations)
Not restricted to the 2GB size restriction of
the Encase format
Format: Raw image, compressed raw
image
                            http://www.dmares.com
                                                    24
25
Windows based acquisition
Able to run from CD, Flashdrive or from
the destination media (external hard drive
as an example)
Ability to create multiple image types onto
multiple destination drives at the same
time
Formats: Encase, SMART, dd
                         http://www.accessdata.com
                                                     26
27
Linux
Many bootable CD’s that can create
several variants of images (Encase image,
dd)
There are many free forensic versions of
Linux bootable CD’s that contain other
tools in additional to imaging applications.




                                           28
Safeback
Safeback Image
The latest release of Safeback creates an
image that isn’t accessible by the majority
of forensic tools…
This is a serious drawback to this format.




                                              30
31
Live Imaging
There are times when you can’t shut the computer down and
need to create a forensic image. This is when you make an
image of that running computer by running a forensic
application on that computer! This is not something to try
without testing and training!

Data on the computer will change, there is nothing you can do
about it.
However, you can image the RAM.
You can create a logical or physical image using different
tools.


                                                        32
Some Live Imaging Tools
FTK Imager
X-Ways Capture
Helix (dd) and NetCat
Enterprise editions of forensic applications
(Encase EEE, ProDiscover IR/IN
Nearly any tool that can run from either an
external device such as a USB drive or CD can be
used on running machines to create an image. It
is NOT a good idea to use an application that must
be installed on the suspect machine.
                                              33
Forensic Boot Disks
Boot floppy (to DOS)
  Make it a FORENSIC boot floppy!
  Non-forensic boot floppies WILL access the
  drive and then you will have explaining to do.


Linux Bootable CD
  Make sure the distribution you choose doesn’t
  automatically MOUNT the drives!


                                                   34
Converting Images from
One Format to Another
Practical Exercises
No matter which image format you create,
there is always the request of providing a
copy of your image in a format that is
different than what you created.
Additionally, when you employ different
forensic applications on one image, you
may need to convert one format to another
to access it with different tools.
For this, we are going to convert some
images!
                                         36
Image Conversion Examples
      We are going to convert the following:

Original to Encase (using FTK, Encase, & Winhex)
Encase image to dd (using FTK)
dd to Restored Clone (using Winhex)
Clone to dd (using FTK, WinHex)
Encase to Restored Clone (using Winhex, Encase)
SMART to Encase (using FTK)
SMART to dd (using FTK)
Any of the above to vmware to boot to a live
machine!
                                               37
38
Recap
We created Various Image Types…
  dd format
  Encase format
  WinHex backup
  SMART format
…Using Various Applications
  Encase
  FTK
  X-Ways Forensics
  Ntimage
And converted one image format to another

                                            39
Accessing the Images
Accessing the Images
Forensic Applications
 Guidance Software “Encase”
 Accessdata “Forensic Tool Kit”
 X-Ways “X-Ways Forensics”
 Other misc forensic applications
Other Non-Forensic Applications
 Mount Image Pro
 LiveView
 Vmware

                                    41
But first, a word about GHOST
Ghost was NOT designed as a forenisc collection
utility. It’s great at what it does (clones active
data)
You can set it to capture all data space, but you
will be limited to the forensic tools that can access
it. You also risk not doing it correctly and losing
your only chance to capture an original image.
If you truly need a forensic image, use an
application that has been designed and tested
solely for forensic images. Don’t make due with
anything less, or you risk your forensic image.
                                                  42
Forensic Applications
Encase, FTK, X-Ways Forensics, etc…
 Each can acquire the image for analysis
 Indexing/cataloging of data
 Searching of words, strings, etc…
 Export of native files from the image
 Creation of analysis reports
 Duplication and conversion of images
 Along with multiple other features

                                           43
44
Non-Standard Applications
Mount Image Pro
Virtual Forensic Computing
LiveView
Vmware
Symantec Ghost (beware!)




                             45
Non-Standard Applications
Mount Image Pro
 Access of the image as a drive letter in
 Windows
 Tools can be run against the drive letter as if it
 were an actual drive (anti-virus, data recovery
 tools, etc…)
 No (expensive) forensic applications required
 to view the image
 Native files can be extracted
 (Paraben’s P2 Explorer is similar to MIP)
                         http://www.mountimage.com/
                                                      46
47
48
vmware
 Clone can be booted into vmware
 dd image can be booted into vmware
 Encase image can be booted into vmware
 vmware file can be accessed as a drive letter
 in Windows
 VMware is a versatile application that was not
 designed for forensic use, but clearly can be
 used as supplement tool in examinations.



                              http://www.vmware.com
                                                      49
Booting Encase Images
           into vmware
Virtual Forensic Computing (not free)
  Allows an Encase image to be booted into
  vmware
  Can also boot a physical drive or dd image
  Requires Mount Image Pro (also not free)




                                               50
51
Booting dd Images into vmware
LiveView (free)
  Allows for dd images to be booted into
  vmware
  Only requires vmware player (free) and
  vmware diskmount utility (free also)
  An Encase image can be converted to dd and
  then booted to vmware (a workaround to not
  using the Virtual Forensic Computing and
  Mount Image Pro applications)

                                           52
53
Booting a Physical Drive to vmware
 LiveView can boot to vmware (after it generates
 the configuration files)
 Virtual Forensic Computing can boot to vmware
 after Mount Image Pro mounts the drive
 Our next video:
   Cloned hard drive, attached with hardware write
   blocker
   Using LiveView, we will boot it to vmware.
   No writes to the clone, all writes go to a separate
   folder.

                                                         54
55
Did Our Original Evidence
     File Ever Change with All
           These Images


(remember the evidence.txt we talked about in the beginning?
 That file has resided on each image conversion we did. We
  even booted the image with the file on it! Has it changed?)
Hashing, re-hashed…
MD5 is an algorithm that is used to verify
data integrity through the creation of a
128-bit message digest from data input
(which may be a message of any length)
that is claimed to be as unique to that
specific data as a fingerprint is to the
specific individual.


  http://WhatIs.techtarget.com/definition/0,,sid9_gci211545,00.htm
                                                                     57
  l
Or Brett’s Definition….
A hash is a RBN* (really big number) that is
  created to give a fingerprint to a file. And
  actually, the strength of the hash is way
  stronger than any fingerprint comparison!

A hash is also only ‘one way’, meaning, you can
  take the RBN and reverse it to the original file.
  An analogy would be taking a pound of beef
  and putting it through a grinder. You can’t
  ungrind the beef to it’s original condition.
                                                                                                           58
 *I made up the RBN, no one in court will get it the joke….it’s actually a MD5 or SHA hash, technically…
Our evidence.txt file…
…was created on the original evidence.
A hash was created with the original evidence.
The file was extracted from the Encase image with
Encase and hashed.
The file was extracted from the SMART image with
FTK and hashed.
The file was extracted from the dd image with X-
Ways Forensics and hashed.
The file was extracted from the dd that was
converted from the Encase image and hashed.
The file was extracted from the vmware restored
boot session and hashed.
The result was…
                                               59
All Hashes Matched!
What’s the Point?
With a true forensic image, the data is an exact bit
for bit copy of the original. All files can be hashed
to give each a very unique number.
You can convert the images without changing the
data on the images.
You can create as many ‘originals’ as needed with
one forensic image.
If you don’t create a forensic image in the
beginning, you may never get a second chance to
capture the first original image.
                                                   61
Summary
There is no ‘one’ method of creating a forensic image.
The concept is to protect the original evidence and
create an exact clone/bit stream image.
Images can be converted between different formats.
Various forensic applications can access certain
image formats.
Images can be restored and even booted into a virtual
computing environment.
Not one tool does it all, none are better than others, it
all depends on the circumstances when used.
                                                     62
Summary
When a forensic image is needed, it is best to
have someone trained in this specific area to
create the image. You only get one shot at it.
If you even think you may need a forensic
image in the future, nothing is lost by spending
a little more time to create it in the beginning.
Don’t use tools that are not designed for a
purpose other than what they are marketed for.
A hammer does not solve every problem, it
sometimes creates more problems.
                                              63
Summary
The physical process of imaging is actually
simple, but something always invariably will go
wrong and problems are encountered that have
to be solved.
An experienced computer forensics examiner
can pretty much image anything, solve every
problem, and walk away with a perfect forensic
image. Others…well, like I said, you only get
one shot to capture the first original image.
                                           64
Questions?




   Brett Shavers
brett@e3discovery.com
 www.e3discovery.com    65

Más contenido relacionado

La actualidad más candente

Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsFilip Maertens
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigationedwardbel
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDr Raghu Khimani
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Encase Forensic
Encase ForensicEncase Forensic
Encase ForensicMegha Sahu
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logsanilinvns
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
CHA & LBA Addressing
CHA & LBA Addressing  CHA & LBA Addressing
CHA & LBA Addressing DINESH KAMBLE
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - NotesKranthi
 

La actualidad más candente (20)

Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigation
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
 
E mail forensics
E mail forensicsE mail forensics
E mail forensics
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
CHA & LBA Addressing
CHA & LBA Addressing  CHA & LBA Addressing
CHA & LBA Addressing
 
Data recovery tools
Data recovery toolsData recovery tools
Data recovery tools
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes
 

Destacado

Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software   august 2011Encase V7 Presented by Guidance Software   august 2011
Encase V7 Presented by Guidance Software august 2011CTIN
 
Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Bradley Schatz
 
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2Damir Delija
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation Damir Delija
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama
 

Destacado (6)

Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software   august 2011Encase V7 Presented by Guidance Software   august 2011
Encase V7 Presented by Guidance Software august 2011
 
Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...
 
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
 

Similar a Accessing Forensic Images

Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxchristinemaritza
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Vipin George
 
Intro to digital forensic imaging
Intro to digital forensic imagingIntro to digital forensic imaging
Intro to digital forensic imagingDetectalix
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkitsamiable_indian
 
Group project linux helix
Group project linux helixGroup project linux helix
Group project linux helixJeff Carroll
 
My freeware-shareware-programs2205
My freeware-shareware-programs2205My freeware-shareware-programs2205
My freeware-shareware-programs2205mark scott
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsDefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsMichael Smith
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 .docx
d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 .docxd i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 .docx
d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 .docxtheodorelove43763
 
Workshop 2 revised
Workshop 2 revisedWorkshop 2 revised
Workshop 2 revisedpeterchanws
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
kbrgwillis.pdf
kbrgwillis.pdfkbrgwillis.pdf
kbrgwillis.pdfKblblkb
 
Digital Forensic Tools - Application Specific.
Digital Forensic Tools - Application Specific.Digital Forensic Tools - Application Specific.
Digital Forensic Tools - Application Specific.guestcf6f5b
 
Digital Forensic tools - Application Specific
Digital Forensic tools - Application SpecificDigital Forensic tools - Application Specific
Digital Forensic tools - Application Specificideaflashed
 
UALUG SFD Pesentation
UALUG SFD PesentationUALUG SFD Pesentation
UALUG SFD PesentationRob Connolly
 

Similar a Accessing Forensic Images (20)

Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
 
File000173
File000173File000173
File000173
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
 
Deft v7
Deft v7Deft v7
Deft v7
 
Intro to digital forensic imaging
Intro to digital forensic imagingIntro to digital forensic imaging
Intro to digital forensic imaging
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkits
 
Group project linux helix
Group project linux helixGroup project linux helix
Group project linux helix
 
Deft
DeftDeft
Deft
 
My freeware-shareware-programs2205
My freeware-shareware-programs2205My freeware-shareware-programs2205
My freeware-shareware-programs2205
 
Linux Recovery
Linux RecoveryLinux Recovery
Linux Recovery
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsDefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 .docx
d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 .docxd i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 .docx
d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 .docx
 
Show me your kung fuzz
Show me your kung fuzzShow me your kung fuzz
Show me your kung fuzz
 
Workshop 2 revised
Workshop 2 revisedWorkshop 2 revised
Workshop 2 revised
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
kbrgwillis.pdf
kbrgwillis.pdfkbrgwillis.pdf
kbrgwillis.pdf
 
Digital Forensic Tools - Application Specific.
Digital Forensic Tools - Application Specific.Digital Forensic Tools - Application Specific.
Digital Forensic Tools - Application Specific.
 
Digital Forensic tools - Application Specific
Digital Forensic tools - Application SpecificDigital Forensic tools - Application Specific
Digital Forensic tools - Application Specific
 
UALUG SFD Pesentation
UALUG SFD PesentationUALUG SFD Pesentation
UALUG SFD Pesentation
 

Más de CTIN

Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drivesCTIN
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source ForensicsCTIN
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3CTIN
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Windows 7 forensics thumbnail-dtl-r4
Windows 7 forensics thumbnail-dtl-r4Windows 7 forensics thumbnail-dtl-r4
Windows 7 forensics thumbnail-dtl-r4CTIN
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicCTIN
 
Time Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsTime Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsCTIN
 
Vista Forensics
Vista ForensicsVista Forensics
Vista ForensicsCTIN
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Nra
NraNra
NraCTIN
 
Live Forensics
Live ForensicsLive Forensics
Live ForensicsCTIN
 
Translating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityTranslating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityCTIN
 
Edrm
EdrmEdrm
EdrmCTIN
 
Computer Searchs, Electronic Communication, Computer Trespass
Computer Searchs, Electronic Communication, Computer TrespassComputer Searchs, Electronic Communication, Computer Trespass
Computer Searchs, Electronic Communication, Computer TrespassCTIN
 
CyberCrime
CyberCrimeCyberCrime
CyberCrimeCTIN
 
Search Warrants
Search WarrantsSearch Warrants
Search WarrantsCTIN
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector ConcernsCTIN
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007CTIN
 
Raidprep
RaidprepRaidprep
RaidprepCTIN
 

Más de CTIN (20)

Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drives
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source Forensics
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Windows 7 forensics thumbnail-dtl-r4
Windows 7 forensics thumbnail-dtl-r4Windows 7 forensics thumbnail-dtl-r4
Windows 7 forensics thumbnail-dtl-r4
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-public
 
Time Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsTime Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows Systems
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
 
Nra
NraNra
Nra
 
Live Forensics
Live ForensicsLive Forensics
Live Forensics
 
Translating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityTranslating Geek To Attorneys It Security
Translating Geek To Attorneys It Security
 
Edrm
EdrmEdrm
Edrm
 
Computer Searchs, Electronic Communication, Computer Trespass
Computer Searchs, Electronic Communication, Computer TrespassComputer Searchs, Electronic Communication, Computer Trespass
Computer Searchs, Electronic Communication, Computer Trespass
 
CyberCrime
CyberCrimeCyberCrime
CyberCrime
 
Search Warrants
Search WarrantsSearch Warrants
Search Warrants
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector Concerns
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007
 
Raidprep
RaidprepRaidprep
Raidprep
 

Último

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
20200723_insight_release_plan
20200723_insight_release_plan20200723_insight_release_plan
20200723_insight_release_planJamie (Taka) Wang
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 

Último (20)

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
20200723_insight_release_plan
20200723_insight_release_plan20200723_insight_release_plan
20200723_insight_release_plan
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 

Accessing Forensic Images

  • 1. Creating & Accessing Forensic Images How to Access Multiple Image Types Using Various Forensic Techniques Brett Shavers
  • 2. Topics Forensic Image Creation Applications Forensic Image Types Accessing the Forensic Images Converting the Forensic Images into Different Forensic Image Types 2
  • 3. Forensic Images Basically, a forensic image is an exact, bit for bit copy of an original electronic media. This includes all the deleted files also (unallocated/slack/free space). A mirror image is not the best way to describe a forensic image (do you look exactly the way you do in a mirror or is instead an opposite view of you?). A forensic image is an EXACT copy, not an opposite copy. 3
  • 4. Forensic Images When you ask for an image, make sure you know what you are asking for. A Ghost image may not be a forensic image (unless you ask for a forensic Ghost image, and even then, it may not be) An image may not be a complete forensic image. A copy may not be a forensic image at all. Ask for a FORENSIC IMAGE. There is no mistake as to what that means. It’s every single ONE and ZERO on the media. 4
  • 5. Purposes of Creating Forensic Images
  • 6. Purposes of Creating Forensic Images Evidence preservation Working “copy” of the original to examine Multiple image copies for multiple examiners to decrease the amount of time to complete examinations. Prove/Disprove Allegations such as the “Trojan Defense” in virtual environments. Forensic images can be booted virtually and tests can be run on the running image. 6
  • 7. Creating Images 1. Ideal World Example: Write blocked evidence source (hardware or software) Scrubbed/wiped destination drive Forensic boot CD (DOS or Linux), forensic boot floppy (DOS), Linux OS, Windows OS, or Apple OS 2. Non-ideal World Examples: 1. Using suspect machine 2. Using Windows 3. No hardware write blocker 4. Using Software write blocker 5. Using no write blockers at all 7
  • 8. Destination Drive Best Case OnlyofFlows Data Direction Arrows Forensic Workstation Hardware Original Writeblocker Evidence 8
  • 9. Destination Destination Drive Drive Data Only Flows Direction of Arrows Forensic Forensic Workstation Workstation (Software Write Blocker, Original Original Hardware and/or forensic DOS/Linux Evidence Evidence Boot Writeblocker 9
  • 10. Destination Drive Suspect Machine Software write blocker, forensic boot with CD/Floppy to DOS or Linux 10
  • 11. Destination Drive Suspect Machine Acquisition tool running from operating system. 11
  • 13. Types of Problems RAIDs Whole Disk Encryption Vista BitLocker Apple computers Hard to remove hard drives Servers NETWORKS-Windows Server, Netware, Novell, Unix, Linux, and “I NEED A MOTRIN! 13
  • 14. Normal on the Outside Over a half dozen hard drives!!! Is it a RAID or not? This is important as it can determine how to image. 14
  • 15. Types of Image Formats
  • 16. Types of Forensic Images Encase/Expert Witness (GUIDANCE SOFTWARE) SMART (ASR DATA) Safeback (NTI) WinHex (X-WAYS FORENSICS) DD ProDiscover File Format SDI32 (VOGON) ILook Image (IRS) AFF-Advanced Forensic Format Gfzip Sgzip Paraben Forensic Image Format GHOST Others (?) and others to come I’m sure. 16
  • 17. Imaging Software Applications
  • 18. Our Imaging Applications and Examples X-Ways Forensics (WinHex backup) Encase (Encase E01) FTK (SMART) NTimage (dd) NTI (Safeback image) Ghost (be careful, as it may not be a forensic image…) Exact clone (not really an image, but an exact copy) We will be conducting an experiment during this presentation. The evidence sample will be a 7GB Windows XP system Our evidence file will be “evidence.txt” on the evidence hard drive. 18
  • 19. A brief on some tools There are many tools you can use to create forensic images. You need to know the strengths and limitations of each tool in order to choose the best for the task at hand. Even when on site for one job, you may be using several different tools to handle different computer configurations. 19
  • 20. Encase Format Maybe the most widely used format (.e01) Compressible and searchable Proprietary format with additional information placed inside the image (header information, CRC’s every block of 64 sectors, plus a footer with a hash for the entire image (INTEGRATED HASH) DOS and Windows acquisition Limited to 2GB segment sizes http://guidancesoftware.com/ 20
  • 21. 21
  • 22. WinHex Backup Not interpretable as a disk-(Winhex backup) Not accessible by other applications Internal hash DOS (using the imaging application known as Replica) and Windows Acquisition However, it can also create other formats as well (dd, Encase, clone) http://x-ways.net/forensics/index-m.html 22
  • 23. 23
  • 24. dd Interpretable by many applications No internal hash (separate file) Not compressed (if it is compressed, it must be decompressed for forensic examinations) Not restricted to the 2GB size restriction of the Encase format Format: Raw image, compressed raw image http://www.dmares.com 24
  • 25. 25
  • 26. Windows based acquisition Able to run from CD, Flashdrive or from the destination media (external hard drive as an example) Ability to create multiple image types onto multiple destination drives at the same time Formats: Encase, SMART, dd http://www.accessdata.com 26
  • 27. 27
  • 28. Linux Many bootable CD’s that can create several variants of images (Encase image, dd) There are many free forensic versions of Linux bootable CD’s that contain other tools in additional to imaging applications. 28
  • 30. Safeback Image The latest release of Safeback creates an image that isn’t accessible by the majority of forensic tools… This is a serious drawback to this format. 30
  • 31. 31
  • 32. Live Imaging There are times when you can’t shut the computer down and need to create a forensic image. This is when you make an image of that running computer by running a forensic application on that computer! This is not something to try without testing and training! Data on the computer will change, there is nothing you can do about it. However, you can image the RAM. You can create a logical or physical image using different tools. 32
  • 33. Some Live Imaging Tools FTK Imager X-Ways Capture Helix (dd) and NetCat Enterprise editions of forensic applications (Encase EEE, ProDiscover IR/IN Nearly any tool that can run from either an external device such as a USB drive or CD can be used on running machines to create an image. It is NOT a good idea to use an application that must be installed on the suspect machine. 33
  • 34. Forensic Boot Disks Boot floppy (to DOS) Make it a FORENSIC boot floppy! Non-forensic boot floppies WILL access the drive and then you will have explaining to do. Linux Bootable CD Make sure the distribution you choose doesn’t automatically MOUNT the drives! 34
  • 35. Converting Images from One Format to Another
  • 36. Practical Exercises No matter which image format you create, there is always the request of providing a copy of your image in a format that is different than what you created. Additionally, when you employ different forensic applications on one image, you may need to convert one format to another to access it with different tools. For this, we are going to convert some images! 36
  • 37. Image Conversion Examples We are going to convert the following: Original to Encase (using FTK, Encase, & Winhex) Encase image to dd (using FTK) dd to Restored Clone (using Winhex) Clone to dd (using FTK, WinHex) Encase to Restored Clone (using Winhex, Encase) SMART to Encase (using FTK) SMART to dd (using FTK) Any of the above to vmware to boot to a live machine! 37
  • 38. 38
  • 39. Recap We created Various Image Types… dd format Encase format WinHex backup SMART format …Using Various Applications Encase FTK X-Ways Forensics Ntimage And converted one image format to another 39
  • 41. Accessing the Images Forensic Applications Guidance Software “Encase” Accessdata “Forensic Tool Kit” X-Ways “X-Ways Forensics” Other misc forensic applications Other Non-Forensic Applications Mount Image Pro LiveView Vmware 41
  • 42. But first, a word about GHOST Ghost was NOT designed as a forenisc collection utility. It’s great at what it does (clones active data) You can set it to capture all data space, but you will be limited to the forensic tools that can access it. You also risk not doing it correctly and losing your only chance to capture an original image. If you truly need a forensic image, use an application that has been designed and tested solely for forensic images. Don’t make due with anything less, or you risk your forensic image. 42
  • 43. Forensic Applications Encase, FTK, X-Ways Forensics, etc… Each can acquire the image for analysis Indexing/cataloging of data Searching of words, strings, etc… Export of native files from the image Creation of analysis reports Duplication and conversion of images Along with multiple other features 43
  • 44. 44
  • 45. Non-Standard Applications Mount Image Pro Virtual Forensic Computing LiveView Vmware Symantec Ghost (beware!) 45
  • 46. Non-Standard Applications Mount Image Pro Access of the image as a drive letter in Windows Tools can be run against the drive letter as if it were an actual drive (anti-virus, data recovery tools, etc…) No (expensive) forensic applications required to view the image Native files can be extracted (Paraben’s P2 Explorer is similar to MIP) http://www.mountimage.com/ 46
  • 47. 47
  • 48. 48
  • 49. vmware Clone can be booted into vmware dd image can be booted into vmware Encase image can be booted into vmware vmware file can be accessed as a drive letter in Windows VMware is a versatile application that was not designed for forensic use, but clearly can be used as supplement tool in examinations. http://www.vmware.com 49
  • 50. Booting Encase Images into vmware Virtual Forensic Computing (not free) Allows an Encase image to be booted into vmware Can also boot a physical drive or dd image Requires Mount Image Pro (also not free) 50
  • 51. 51
  • 52. Booting dd Images into vmware LiveView (free) Allows for dd images to be booted into vmware Only requires vmware player (free) and vmware diskmount utility (free also) An Encase image can be converted to dd and then booted to vmware (a workaround to not using the Virtual Forensic Computing and Mount Image Pro applications) 52
  • 53. 53
  • 54. Booting a Physical Drive to vmware LiveView can boot to vmware (after it generates the configuration files) Virtual Forensic Computing can boot to vmware after Mount Image Pro mounts the drive Our next video: Cloned hard drive, attached with hardware write blocker Using LiveView, we will boot it to vmware. No writes to the clone, all writes go to a separate folder. 54
  • 55. 55
  • 56. Did Our Original Evidence File Ever Change with All These Images (remember the evidence.txt we talked about in the beginning? That file has resided on each image conversion we did. We even booted the image with the file on it! Has it changed?)
  • 57. Hashing, re-hashed… MD5 is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from data input (which may be a message of any length) that is claimed to be as unique to that specific data as a fingerprint is to the specific individual. http://WhatIs.techtarget.com/definition/0,,sid9_gci211545,00.htm 57 l
  • 58. Or Brett’s Definition…. A hash is a RBN* (really big number) that is created to give a fingerprint to a file. And actually, the strength of the hash is way stronger than any fingerprint comparison! A hash is also only ‘one way’, meaning, you can take the RBN and reverse it to the original file. An analogy would be taking a pound of beef and putting it through a grinder. You can’t ungrind the beef to it’s original condition. 58 *I made up the RBN, no one in court will get it the joke….it’s actually a MD5 or SHA hash, technically…
  • 59. Our evidence.txt file… …was created on the original evidence. A hash was created with the original evidence. The file was extracted from the Encase image with Encase and hashed. The file was extracted from the SMART image with FTK and hashed. The file was extracted from the dd image with X- Ways Forensics and hashed. The file was extracted from the dd that was converted from the Encase image and hashed. The file was extracted from the vmware restored boot session and hashed. The result was… 59
  • 61. What’s the Point? With a true forensic image, the data is an exact bit for bit copy of the original. All files can be hashed to give each a very unique number. You can convert the images without changing the data on the images. You can create as many ‘originals’ as needed with one forensic image. If you don’t create a forensic image in the beginning, you may never get a second chance to capture the first original image. 61
  • 62. Summary There is no ‘one’ method of creating a forensic image. The concept is to protect the original evidence and create an exact clone/bit stream image. Images can be converted between different formats. Various forensic applications can access certain image formats. Images can be restored and even booted into a virtual computing environment. Not one tool does it all, none are better than others, it all depends on the circumstances when used. 62
  • 63. Summary When a forensic image is needed, it is best to have someone trained in this specific area to create the image. You only get one shot at it. If you even think you may need a forensic image in the future, nothing is lost by spending a little more time to create it in the beginning. Don’t use tools that are not designed for a purpose other than what they are marketed for. A hammer does not solve every problem, it sometimes creates more problems. 63
  • 64. Summary The physical process of imaging is actually simple, but something always invariably will go wrong and problems are encountered that have to be solved. An experienced computer forensics examiner can pretty much image anything, solve every problem, and walk away with a perfect forensic image. Others…well, like I said, you only get one shot to capture the first original image. 64
  • 65. Questions? Brett Shavers brett@e3discovery.com www.e3discovery.com 65