Week 2 Flashcards

1
Q

Spinning Internal Hard Drives (HDD)

A

-

2
Q

Used in many computer applications including

A

Home PCs & laptop computers
▪ Gaming systems
▪ DVR or video recording systems
▪ Can be internal or external (portable, stand-alone)
▪ Server arrays

3
Q

Benefits of HDDs

A

Readily available to consumers
▪ Varying storage sizes, currently 500 GB to 18 TB+
▪ Less expensive than solid state drives
▪ Data recovery generally easier
▪ Can be arranged in a RAID (Redundant Array of Independent Disks)
▪ Can be formatted in various ways
▪ Used to increase storage capacity & reduce data loss

4
Q

Downsides

A

More susceptible to mechanical failure
▪ Can be heavy, depending on size
▪ Generally less reliable means of storage
▪ Advanced data recovery costly & time-consuming
▪ If handled improperly, can result in data damage or loss (static, magnetic)

HDDs are also made in only 3 or 4 places, and they come from drive families that need to be understood in order to recover them properly.

5
Q

Architecture of HDDs

A

Heads that read the platters and transfer data to the user

Magnetic platters (or plates) where data is stored; platters can only spin so fast, so data can only be read so fast

Interface hardware or ROM (read-only memory) that helps translate the data into a form readable by the user

6
Q

Solid State Drives

A

SSDs

7
Q

Same applications as spinning hard drives

A
8
Q

but

A

Generally lower storage capacity
▪ Cost is higher
▪ No moving parts
▪ Can also be set up in a RAID
▪ Multiple different types

9
Q

Same basic technology is used in USB thumb drives, phone data storage, etc.

A
10
Q

SSD Architecture

A

There are no moving parts, so the footprint and weight are much less than spinning hard drives

Connection to computer is made via direct connection to mother/logic board of computer or device

Data is stored on memory chips in blocks and pages

Notes: SSDs (and thumb drives, etc.) have a “shelf life” and can only be written to a specified number of times before end of life. Some are also non-removable.

11
Q

Peripheral Devices

A

Memory Cards, USBs, Gaming systems, Alexa devices

12
Q

Memory Cards

A

Come in different sizes…
▪ SD, MiniSD, Micro SD
▪ Used in external storage on cameras, phones (non-Apple), GPS devices, etc.
▪ Usually formatted in FAT-32 (will discuss in later lesson)
▪ Capacity currently up to 1.5TB
▪ Can be formatted to run operating system or other utility

13
Q

USB Thumb or Stick drives

A

Often used for portability & data transfer on PCs & gaming systems
▪ Name-brand manufacturers usually apply a serial number, which is good forensic evidence
▪ Capacity currently up to 2TB
▪ Can be formatted to run operating system or other utility
▪ Often used in software licensing

14
Q

Mobile Phones/Tablets

A

Two main operating systems: Apple & Android
▪ Android manufactured by multiple companies
▪ Newest iterations store up to 2TB of data, with potential external storage
▪ “Always on” cellular network connectivity
▪ Stores valuable evidence including text/app messages, geo-location data, pictures, video & more.

15
Q

Other Storage Devices

A

Stand-alone GPS units, Gaming Systems

16
Q

Gaming Systems

A

Usually have network connectivity
▪ Can store videos, pictures, chat records, etc.
▪ Several have the ability to play Blu-ray discs
▪ Increasingly relevant in child exploitation investigations

17
Q

Stand-alone GPS units

A

Still in use by truckers, hikers, motorcyclists, etc.
▪ More modern versions run on Android operating system
▪ Generally behave as an external storage device when connected to PC
▪ Excellent evidence in personal injury/accident cases, missing persons, etc.

18
Q

ASCLD

A

American Society of Crime Lab Directors - main body of accreditation for crime labs, but accreditation is not mandatory for all labs

19
Q

Digital Forensic Lab Physical Requirements

A

Small room with true floor-to-ceiling walls
▪ Door access with a locking mechanism (limited to authorized users, including cleaning crews), which can be a regular key lock, combination lock, or an electronic lock capable of logging who accessed it
▪ Secure container, such as a safe or heavy-duty file cabinet with a quality padlock that prevents drawers from opening
▪ Visitor’s log with legible entries listing all people who have accessed the lab and showing the date, time in, and time out
▪ Video surveillance
▪ Dedicated signal-blocking work area or signal-blocking device for working
▪ Limited internet access (if any)
▪ Environmental controls to mitigate heat from high-level processing & electronics use
▪ License access logging
▪ License access area (dongle server optional)

20
Q

Recommended Additional Equipment

A

Digital camera (phone camera not recommended)
▪ Antistatic & signal-blocking bags
▪ External CD/DVD/Blu-ray drive
▪ Assorted cables for USB 3.0 to USB-C, Thunderbolt, hard drive connection cables (SATA, IDE, M.2)
▪ Assorted adapters
▪ A “toaster”
▪ External hard drives of varying capacity
▪ Computer/electronics tool kit

21
Q

Recommended Maintenance

A

Keep all operating systems up to date…
by downloading the update on another machine and applying it to the lab computer without connecting it to the internet

▪ Keep all forensic tools updated
▪ Keep all peripheral programs updated
▪ MS Office tools
▪ Video & image viewers
▪ Email tools
▪ Scripting tools

Disaster recovery…
▪ Image both OS drive & tools storage drive on a schedule
▪ Image administrative storage medium on a schedule…
▪ Instructor Siewert’s personal “ouch” moment
▪ Plan for equipment upgrades
▪ Budgeting
▪ Workload requirements
▪ Requirements of modern forensic tools & operating systems
▪ Slower computers = longer processing & analysis time
▪ Click & wait…

22
Q

Accreditation

A

Governed by…
▪ American Society of Crime Lab Directors (ASCLD)
▪ Under the principles of…
▪ International Standards Organization (ISO)
▪ One common ISO Standard is ISO/IEC 17025
▪ Governs Accreditation for Forensic Service Providers
▪ Accreditation can be gained by public or private entities
▪ Manuals, documents can be found at:
https://anab.ansi.org/2018-iso-iec-17025-forensicaccreditation-documents-0

23
Q

What is the purpose of ISO/IEC 17025 & Accreditation?

A

Provides guidance on standard operation of forensic labs
▪ Issues some standards of practice for forensics generally
▪ Gives credibility to the lab
▪ Allows for business to be conducted in a uniform manner no matter the location
▪ Vets QC, policy, practice, personnel & other credentials

24
Q

Should I create a lab?

A

Do you have the workload to justify expense?
▪ Expense = Hardware + Software + Training (all takes time)
▪ Can your organization afford the necessary tools & equipment?
▪ Full or part-time lab? Dedicated personnel?
▪ Accreditation or not?
▪ Infrastructure & space?

25
Q

Forensic Workstation: Hardware

A

Windows-based PC
▪ Separate HDDs and/or SSDs for:
▪ Operating System
▪ Tools Storage
▪ Database Storage (tool-dependent)
▪ Evidence storage
▪ May be part of a RAID array
▪ Write-blocker (internal or external)
▪ High CPU processing speed with as many cores as feasible within budget
▪ Graphics Processing Unit (GPU) of high capacity & speed to handle work overload & password cracking
▪ Capacity for more than one monitor
▪ At least 32-64 GB of RAM
▪ Optional equipment:
▪ Hot-swappable internal drive bays
▪ Imaging tray with cooling fan
▪ Physical locking mechanism
▪ External drive connections for SATA, IDE, etc.

(TEST)
26
Q

Portable/Field Forensic Workstations

A

Often have slower processing speed & less storage capacity
▪ Great for field triage or on-site applications
▪ Often not as upgradable as desktop PCs
▪ Can be custom built with many of the same specs as desktop PCs
27
Q

Forensic Workstation Software (Automatic Tools): Paid Computer Analysis

A

▪ Magnet Axiom & Axiom Cyber
▪ X-Ways Forensics
▪ OpenText Encase Forensic
▪ Cellebrite Blacklight
28
Q

Magnet Axiom & Axiom Cyber

A

▪ ”All-in-one” approach
▪ Supports Windows, Mac, Linux, iOS, Android & more
▪ Training & certification available
▪ Cost for tool: ~$7,000 + yearly maintenance ~$3,000
29
Q

X-Ways Forensics

A

Has free component called WinHex
▪ Robust tool that isn’t a system resource hog
▪ Training & certification available
▪ Cost for tool: ~$1,750 + yearly maintenance ~$850
30
Q

OpenText Encase Forensic

A

Once a major contributor, not used as often
▪ Training & certification available
▪ Cost for tool: ~$7,500 + yearly maintenance ~$3,500
31
Q

Cellebrite Blacklight

A

Operates on both Windows & Mac platforms
▪ Specializes in Mac data acquisition & analysis
▪ Training & certification available
▪ Cost for tool: ?
32
Q

Forensic Workstation Software (Automatic Tools): Open Source Computer Analysis

A

▪ Autopsy by Basis Technology
▪ Sumuri Paladin
▪ Eric Zimmerman’s Tools
▪ RegRipper
33
Q

Autopsy by Basis Technology

A

Very capable tool for Windows & Android analysis
▪ Training & certification available
▪ Customizable plug-ins for those code-inclined
▪ Cost for tool: Free & open source
34
Q

Sumuri Paladin

A

Bootable Linux tool with multiple applications
▪ Most often used: image creation on systems with non-removable drives
▪ Has apps included to perform virtually all forensic needs
35
Q

Eric Zimmerman’s Tools

A

Suite of tools designed for triage & specific artifact analysis
▪ Available on GitHub
36
Q

RegRipper

A

Command-line tool used to parse data & artifacts from Windows registry (to be discussed in detail later)
▪ Developed by Harlan Carvey: author & IR expert
▪ Routinely updated with plug-ins. Community-supported
37
Q

Forensic Workstation Software (Automatic Tools): Paid Mobile Analysis

A

▪ Magnet Axiom (see previous)
▪ Cellebrite Universal Forensic Extraction Device (UFED) & Physical Analyzer
▪ Oxygen Forensics
▪ XRY Xamine
▪ Gray Key or Gray Shift
38
Q

Cellebrite Universal Forensic Extraction Device (UFED)

A

Used by law enforcement worldwide
▪ Android, iOS, GPS, Blackberry, Windows Phone, etc. support
▪ Constantly being developed, updated
▪ Training & certification available
▪ Cost for tool: ~$11,000 + yearly maintenance ~$7,500
▪ Advanced capabilities cost over $20,000 more per year
39
Q

Oxygen Forensics

A

Used by law enforcement worldwide
▪ Android, iOS, GPS, Blackberry, Windows Phone, etc. support
▪ Training & certifications available
▪ Cost for tool: ~$7,000 + yearly maintenance ~$3,000
40
Q

XRY Xamine

A

Acquisition & analysis tool
▪ Cost: ??
41
Q

Gray Key or Gray Shift

A

Law enforcement only tool
▪ Tool is designed to bypass pass code security on iOS & Android devices
▪ Supports full file system extraction after first unlock
▪ Limited data if before first unlock
▪ Unit is tied to LE agency & monitored via IP address
▪ Cost for tool: ~$10,000 and up + yearly maintenance at same cost... Annually!
42
Q

Analyst Training + Certification

A

Training in DF is extremely important!
▪ Field is always changing & evolving
▪ Mobile forensics is the most prominent with this
▪ Operating systems upgraded regularly (phone & computer)
▪ Apple Mac OS is always changing
▪ Applications added & updated regularly
▪ Hardware advancements & improvements
▪ Tool-specific updates, improvements

Training and/or certification in DF is done in two main ways
▪ Vendor-neutral
▪ Vendor-specific
▪ Vendor-neutral training focuses on competencies, concepts, methodologies & principles
▪ Generally offered as part of a DF organization or association. Does NOT equal “free”
▪ Vendor-specific training teaches participants how to use a specific DF tool for specific purposes
43
Q

CFCE

A

Certified Computer Forensic Examiner (CFCE) certification process
▪ 6+ month long process, peer-reviewed, coached
44
Q

IACIS

A

International Association of Computer Investigative Specialists
45
Q

Vendor-Neutral Training Options

A

International Association of Computer Investigative Specialists (IACIS)
▪ Capstone course: Basic Computer Forensic Examiner (BCFE) – 2 weeks
▪ Open to any member of IACIS (not LE restrictive)
▪ Comprehensive basic vendor-neutral training with basic equipment as part of tuition ($3,795)
▪ Upon completion, eligible to sit for Certified Computer Forensic Examiner (CFCE) certification process
▪ 6+ month long process, peer-reviewed, coached
▪ Also has 1 & 2-week specialized courses

SANS Institute
▪ Offers a library of courses for computer forensics, mobile device forensics, information security, incident response, network security, etc.
▪ Computer forensic certification is GIAC Certified Forensic Examiner (GCFE)
▪ Open to all in the field of information security, compliance, forensics, etc.
▪ Cost is HIGH - $5,000-$10,000

International Society of Forensic Computer Examiners (ISFCE)
▪ Primary course & certification is the Certified Computer Examiner (CCE)
▪ Applicants can sit for the test without attending a class
▪ A “CCE Bootcamp” is also available at cost
▪ Open to all in the field of digital forensics
▪ Peer-reviewed, coached
▪ Re-certification mandatory to maintain

National White Collar Crime Center (NW3C)
▪ Non-profit, partially government-funded
▪ Offers a library of courses for computer forensics, mobile device forensics, network forensics, online investigation, etc.
▪ Several computer and mobile-based forensic certifications
▪ Offers both LE-only & publicly available classes
▪ Online & in-person classes offered

National Computer Forensic Institute (NCFI)
▪ Operated by the US Secret Service
▪ Goal is to train state & local LE on basics of computer forensics, mobile forensics & network forensics
▪ Must be LE & sponsored by local USSS office
▪ Free to LE. Class provides all software, hardware & training
▪ Basic Computer Evidence Response Training (BCERT) is capstone 5-week course given in Hoover, AL
▪ Not specifically vendor-neutral, but provides training for multiple vendor tools
46
Q

CCE

A

Certified Computer Examiner
▪ Primary course & certification for ISFCE
47
Q

ISFCE

A

International Society of Forensic Computer Examiners
48
Q

Vendor-Specific Training

A

Offered by most (if not all) DF tool vendors
▪ Goal is competency within a discipline working with a tool created by a specific vendor
▪ Some offer just training, while others offer both training & certification
▪ Highlights:
▪ EnCase Certified Examiner (EnCE)
▪ Magnet Certified Forensic Examiner (MCFE)
▪ Cellebrite Certified Mobile Examiner (CCME)
▪ Also Cellebrite Certified Operator & Physical Analyst (CCO, CCPA)
▪ X-Ways Forensics X-Pert
Offered by most (if not all) DF tool vendors ▪ Goal is competency within a discipline working with a tool created by a specific vendor ▪ Some offer just training, while others offer both training & certification ▪ Highlights: ▪ EnCase Certified Examiner (EnCE) ▪ Magnet Certified Forensic Examiner (MCFE) ▪ Cellebrite Certified Mobile Examiner (CCME) ▪ Also Cellebrite Certified Operator & Physical Analyst (CCO, CCPA) ▪ X-Ways Forensics X-Pert