Week 1 Flashcards
Objectives of Computer Forensics (R.A.P)
To Recover, Analyze and Present computer-based material in such a way that it can be admitted as evidence in a court of law.
Who Performs Computer Forensics (L.C.C.P)
Law Enforcement for Criminal Cases
Corporate IT security personnel for criminal/civil cases
Corporate HR investigators for workplace investigations
Private investigators for various investigations
What does Computer Forensics Involve (P.I.E.I.D , L.I.F.P)
Preservation
Identification
Extraction
Interpretation
Documentation
Legal Processes
Integrity of Evidence
Factual Reporting of the information found
Providing expert opinion in a court of law
Preservation (P.O.M.C)
Preserve the integrity of the original evidence
Original evidence should not be modified or damaged
Make an image/copy of the original evidence and then perform analysis
Compare the copy to the original evidence to identify any modification or damage.
Hashing (P)
Hashing proves that the copy of the evidence is exactly the same as the original data, down to the very last bit.
What are the values returned by the hash called ?
Hash values, hash codes, hash sums, hashes
Identification (S.L)
Start by identifying the evidence and its location.
Locating and identifying the evidence is a challenge for the Forensic Investigator.
Extraction (O.V.E)
Once the evidence is identified and located, it should be extracted immediately.
Volatile data can be lost at any point in time, so it must be captured before it disappears. The FI should extract data from the forensic copy made of the original evidence, not from the original itself.
Extracted data must be compared with the original evidence and then analyzed.
Interpretation (M.A)
The most important role of the FI during an investigation is to interpret what has been found.
The analysis and inspection of the data must be presented in a lucid (clear) manner.
Documentation (M)
Maintained from the beginning to the end of the investigation
Forensics in a nutshell
Evidence Acquisition
Investigation and Analysis
Report Findings
What is digital evidence (F.P.P.P)
Digital evidence is Fragile, must be Protected and Preserved, and must be Probative (it tends to prove or disprove a fact in the case).
Categories of Forensic Data (A.L.A)
Active Data - data that can be seen directly (files the OS and user can access)
Latent Data - data that still exists despite being deleted (e.g. in unallocated space or file slack)
Archival Data - data held in backups
Persistent vs Volatile Data
Persistent Data - preserved when the computer is turned off
Volatile Data - Will be lost when the computer loses power or it is turned off.
What is a Forensic Image ?
A forensic image is a copy of the original evidence, generally collected by a tool that performs bit-level copying from one location to another.
Three Common Disk Image Formats (E,R,V)
Expert Witness / EnCase (E01)
Raw (dd)
Virtual machine disk file (VMDK, or a disk image inside an OVF package)
Forensic Disk Image Format (C.P.L)
Complete Disk - most preferred method as it is the most comprehensive (every sector of the physical drive)
Partition - contains all allocation units from an individual partition on a drive
Includes unallocated space and file slack within that partition
Does not capture all data on the drive (other partitions are not captured)
Taken only under certain circumstances (e.g. an excessively large disk)
Logical - only certain files are acquired (no unallocated space or file slack)
Traditional Imaging Process (T.T.S)
Traditional imaging is performed on static (powered-off) drives.
The computer is turned off and booted into a forensic imaging environment, or the disk drive is removed and plugged into an imager or examination workstation for duplication.
Special hardware (a write blocker) is used to prevent the source media from being modified.
Hardware Write Blockers (S.M.M)
Sits in the connection between the computer and the storage unit.
Monitors the commands that are issued and prevents the computer from writing to the storage device (read commands pass through, write commands are blocked).
Many interfaces are supported, such as ATA, SCSI, FireWire, USB, SATA, etc.
Image Creation Tools (G.A)
Guidance Software - Encase
AccessData FTK imager
Encase Evidence File (C.C.H)
Also called an image file.
Contains the suspect's drive data, CRC verification, case identification info (header) and an MD5 hash.
Header information is entered by the examiner, becomes part of the evidence file, and cannot be changed afterwards.
Physical Layout of Encase Evidence File (H.D.C)
Header - case identification information entered by the examiner
Data Blocks - a bit-by-bit copy of the data blocks on the suspect media
Checksum and Hash - a 32-bit verification value (CRC, cyclic redundancy check) per block
MD5 hash for checking the integrity of the whole data section
For every _ blocks Encase computes a CRC ?
EnCase computes a CRC for every block of 64 sectors of data (32 KB, since 1 sector = 512 bytes and 64 x 512 = 32,768 bytes).
_ bits MD5 hash is computed for the entire data block section (exclude the CRCs)
A 128-bit MD5 hash
Hashing Objectives (E.E)
Enforces Integrity
Ensures the data has not been modified
When can the verification process of Encase evidence file be successful ?
The verification process completes successfully only when the MD5 acquisition hash and the verification hash match and no CRC errors are reported.
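To make the verification rule concrete, here is an added example (not EnCase or Guidance Software code, and not the real EWF/E01 on-disk layout) that models only the pieces the cards above describe: a header, the bit-for-bit data split into 64-sector blocks, a 32-bit CRC per block, and one MD5 over the data blocks with the CRCs excluded. The dict layout, field names and the sample media are this example's own assumptions.

```python
"""Simplified model of an EnCase-style evidence file and its verification.

Added example, not EnCase/Guidance Software code and not the real EWF/E01
format. It keeps only the structure the flashcards describe: a header, a
bit-for-bit copy of the media split into 64-sector data blocks, a 32-bit
CRC per block, and one MD5 over the data block section (CRCs excluded).
Field names and the container layout are assumptions of this example.
"""
import hashlib
import zlib

SECTOR_BYTES = 512
SECTORS_PER_BLOCK = 64
BLOCK_BYTES = SECTOR_BYTES * SECTORS_PER_BLOCK  # 32,768 bytes = 32 KiB


def acquire(media: bytes, header: dict) -> dict:
    """Build the container: header, CRC-protected data blocks, acquisition MD5."""
    blocks = []
    for offset in range(0, len(media), BLOCK_BYTES):
        chunk = media[offset:offset + BLOCK_BYTES]  # the last block may be short
        blocks.append({"data": chunk, "crc": zlib.crc32(chunk)})
    # The MD5 covers the data block section only; the CRC values are not hashed.
    return {"header": dict(header), "blocks": blocks,
            "acquisition_md5": hashlib.md5(media).hexdigest()}


def verify(evidence: dict) -> dict:
    """Recompute every CRC and the MD5; verification passes only if both hold."""
    crc_errors = [i for i, b in enumerate(evidence["blocks"])
                  if zlib.crc32(b["data"]) != b["crc"]]
    md5 = hashlib.md5()
    for b in evidence["blocks"]:
        md5.update(b["data"])
    md5_match = md5.hexdigest() == evidence["acquisition_md5"]
    return {"crc_errors": crc_errors, "md5_match": md5_match,
            "verified": md5_match and not crc_errors}


def corrupt_block(evidence: dict, index: int, byte_offset: int) -> dict:
    """Copy of the container with one bit flipped inside block `index`
    (simulates storage or transfer damage to the evidence file)."""
    blocks = [dict(b) for b in evidence["blocks"]]
    data = bytearray(blocks[index]["data"])
    data[byte_offset] ^= 0x01
    blocks[index]["data"] = bytes(data)
    return {"header": dict(evidence["header"]), "blocks": blocks,
            "acquisition_md5": evidence["acquisition_md5"]}


if __name__ == "__main__":
    # Constructed sample media: 200 sectors (three full 64-sector blocks plus
    # an 8-sector tail), deterministic so the run is repeatable.
    media = bytes(range(256)) * 400
    evidence = acquire(media, {"case": "CONSTRUCTED-001", "examiner": "example"})
    print("blocks:", len(evidence["blocks"]), "verify:", verify(evidence))
    damaged = corrupt_block(evidence, index=2, byte_offset=17)
    print("after a 1-bit flip in block 2:", verify(damaged))
```

The point of keeping both checks is visible in the second run: the MD5 only says that the image no longer matches the acquisition hash somewhere, while the per-block CRC list says which 32 KiB block is damaged. Conversely, a container whose stored MD5 is wrong but whose CRCs are all intact still fails, because verification requires the hash match and zero CRC errors together.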
Two examples of hash functions and more about them ?
MD5 and SHA1
MD5 - takes an input message of arbitrary length and produces a 128-bit (16-byte) hash.
Secure Hash Algorithm 1 (SHA-1) - takes a message shorter than or equal to (2^64 - 1) bits in length and produces a 160-bit (20-byte) hash value.
Properties of Hashing (F.P)
- Fast and efficient one-way function that generates a bit sequence of fixed length from the original message, i.e. creating the hash value is fast and the hash value is small regardless of the input size.
- The process is designed to be irreversible (reversing it is infeasible within any useful amount of time): the original message cannot be recovered from the hash value.