Week 2 Flashcards
Spinning Internal Hard Drives (HDD)
Used in many computer applications including:
▪ Home PCs & laptop computers
▪ Gaming systems
▪ DVR or video recording systems
▪ Can be internal or external (portable, stand-alone)
▪ Server arrays
Benefits of HDDs
▪ Readily available to consumers
▪ Varying storage sizes, currently 500 GB to 18 TB+
▪ Less expensive than solid state drives
▪ Data recovery generally easier
▪ Can be arranged in a RAID (Redundant Array of Independent Disks)
▪ Can be formatted in various ways
▪ Used to increase storage capacity & reduce data loss
Downsides
▪ More susceptible to mechanical failure
▪ Can be heavy, depending on size
▪ Generally less reliable means of storage
▪ Advanced data recovery costly & time-consuming
▪ If handled improperly, can result in data damage or loss (static, magnetic)
Also, these are made in three or four places; they come from families that need to be understood in order to recover them properly.
Architecture of HDDs
▪ Heads that read the platters and transfer data to the user
▪ Magnetic platters, or plates, where data is stored
▪ Platters can only spin so fast, so data can only be read so fast
▪ Interface hardware or ROM (read-only memory) helps translate the data into a readable form for the user
Solid State Drives (SSDs)
Same applications as spinning hard drives, but:
▪ Generally lower storage capacity
▪ Cost is higher
▪ No moving parts
▪ Can also be set up in a RAID
▪ Multiple different types
Same basic technology is used in USB thumb drives, phone data storage, etc.
SSD Architecture
▪ There are no moving parts, so the footprint and weight are much less than spinning hard drives
▪ Connection to the computer is made via direct connection to the mother/logic board of the computer or device
▪ Data is stored on memory chips in blocks and pages
Notes: SSDs (and thumb drives, etc.) have a “shelf life” and can only be written to a specified number of times before end of life. Some are also non-removable.
Peripheral Devices
Memory cards, USBs, gaming systems, Alexa devices
Memory Cards
Come in different sizes…
▪ SD, MiniSD, Micro SD
▪ Used as external storage on cameras, phones (non-Apple), GPS devices, etc.
▪ Usually formatted in FAT-32 (will discuss in later lesson)
▪ Capacity currently up to 1.5 TB
▪ Can be formatted to run an operating system or other utility
USB Thumb or Stick Drives
▪ Often used for portability & data transfer on PCs & gaming systems
▪ Name-brand manufacturers usually apply a serial number, which is good forensic evidence
▪ Capacity currently up to 2 TB
▪ Can be formatted to run an operating system or other utility
▪ Often used in software licensing
Mobile Phones/Tablets
▪ Two main operating systems: Apple & Android
▪ Android manufactured by multiple companies
▪ Newest iterations store up to 2 TB of data, with potential external storage
▪ “Always on” cellular network connectivity
▪ Stores valuable evidence including text/app messages, geo-location data, pictures, video & more
Other Storage Devices
Stand-alone GPS units, gaming systems
Gaming Systems
▪ Usually have network connectivity
▪ Can store videos, pictures, chat records, etc.
▪ Several have the ability to play Blu-ray discs
▪ Increasingly relevant in child exploitation investigations
Stand-alone GPS Units
▪ Still in use by truckers, hikers, motorcyclists, etc.
▪ More modern versions run on the Android operating system
▪ Generally behave as an external storage device when connected to a PC
▪ Excellent evidence in personal injury/accident cases, missing persons, etc.
ASCLD
American Society of Crime Lab Directors - the main accreditation body for crime labs, but accreditation is not mandatory for all labs
Digital Forensic Lab Physical Requirements
▪ Small room with true floor-to-ceiling walls
▪ Door access with a locking mechanism (limited to authorized users, including cleaning crews), which can be a regular key lock, combination lock, or an electronic lock capable of logging who accessed it
▪ Secure container, such as a safe or heavy-duty file cabinet with a quality padlock that prevents drawers from opening
▪ Visitor’s log with legible entries listing all people who have accessed the lab and showing the date, time in, and time out
▪ Video surveillance
▪ Dedicated signal-blocking work area or signal-blocking device for working
▪ Limited internet access (if any)
▪ Environmental controls to mitigate heat from high-level processing & electronic use
▪ License access logging
▪ License access area (dongle server optional)
Recommended Additional Equipment
▪ Digital camera (phone camera not recommended)
▪ Antistatic & signal-blocking bags
▪ External CD/DVD/Blu-ray drive
▪ Assorted cables for USB 3.0 to USB-C, Thunderbolt, hard drive connection cables (SATA, IDE, M.2)
▪ Assorted adapters
▪ A “toaster”
▪ External hard drives of varying capacity
▪ Computer/electronics tool kit
Recommended Maintenance
▪ Keep all operating systems up to date… by obtaining the update separately and plugging it into the computer, which has no internet access
▪ Keep all forensic tools updated
▪ Keep all peripheral programs updated
▪ MS Office tools
▪ Video & image viewers
▪ Email tools
▪ Scripting tools
Disaster recovery…
▪ Image both the OS drive & the tools storage drive on a schedule
▪ Image the administrative storage medium on a schedule…
▪ Instructor Siewert’s personal “ouch” moment
▪ Plan for equipment upgrades
▪ Budgeting
▪ Workload requirements
▪ Requirements of modern forensic tools & operating systems
▪ Slower computers = longer processing & analysis time
▪ Click & wait…
Accreditation
Governed by…
▪ American Society of Crime Lab Directors (ASCLD)
▪ Under the principles of…
▪ International Standards Organization (ISO)
▪ One common ISO Standard is ISO/IEC 17025
▪ Governs Accreditation for Forensic Service Providers
▪ Accreditation can be gained by public or private entities
▪ Manuals and documents can be found at: https://anab.ansi.org/2018-iso-iec-17025-forensicaccreditation-documents-0
What is the purpose of ISO/IEC 17025 & Accreditation?
▪ Provides guidance on standard operation of forensic labs
▪ Issues some standards of practice for forensics generally
▪ Gives credibility to the lab
▪ Allows for business to be conducted in a uniform manner no matter the location
▪ Vets QC, policy, practice, personnel & other credentials
Should I create a lab?
▪ Do you have the workload to justify the expense?
▪ Expense = Hardware + Software + Training (all takes time)
▪ Can your organization afford the necessary tools & equipment?
▪ Full or part-time lab? Dedicated personnel?
▪ Accreditation or not?
▪ Infrastructure space?
Forensic Workstation: Hardware
▪ Windows-based PC
▪ Separate HDDs and/or SSDs for:
▪ Operating system
▪ Tools storage
▪ Database storage (tool-dependent)
▪ Evidence storage
▪ May be part of a RAID array
▪ Write-blocker (internal or external)
▪ High CPU processing speed with as many cores as feasible within budget
▪ Graphical Processing Unit (GPU) of high capacity & speed to handle work overload & password cracking
▪ Capacity for more than one monitor
▪ At least 32-64 GB of RAM
Optional Equipment:
▪ Hot-swappable internal drive bays
▪ Imaging tray with cooling fan
▪ Physical locking mechanism
▪ External drive connections for SATA, IDE, etc.
(TEST)
Portable/Field Forensic Workstations
▪ Often have slower processing speed & less storage capacity
▪ Great for field triage or on-site applications
▪ Often not as upgradable as desktop PCs
▪ Can be custom built with many of the same specs as desktop PCs
Forensic Workstation Software (Automatic Tools): Paid Computer Analysis
Magnet Axiom & Axiom Cyber
X-Ways Forensics
OpenText Encase Forensic
Cellebrite Blacklight
Magnet Axiom & Axiom Cyber
▪ “All-in-one” approach
▪ Supports Windows, Mac, Linux, iOS, Android & more
▪ Training & certification available
▪ Cost for tool: ~$7,000 + yearly maintenance ~$3,000
X-Ways Forensics
Has free component called WinHex
▪ Robust tool that isn’t a system resource hog
▪ Training & Certification available
▪ Cost for tool: ~$1,750 + yearly maintenance ~$850
OpenText Encase Forensic
Once a major contributor, not used as often
▪ Training & certification available
▪ Cost for tool: ~$7,500 + yearly maintenance ~$3,500
Cellebrite Blacklight
Operates on both Windows & Mac platforms
▪ Specializes in Mac data acquisition & analysis
▪ Training & Certification available
▪ Cost for tool: ?
Forensic Workstation Software (Automatic Tools): Open Source Computer Analysis
Autopsy by Basis Technology
Sumuri Paladin
Eric Zimmerman’s Tools
RegRipper
Autopsy by Basis Technology
▪ Very capable tool for Windows & Android analysis
▪ Training & certification available
▪ Customizable plug-ins for those code-inclined
▪ Cost for tool: free & open source
Sumuri Paladin
▪ Bootable Linux tool with multiple applications
▪ Most often used: image creation on systems with non-removable drives
▪ Has apps included to perform virtually all forensic needs
Eric Zimmerman’s Tools
▪ Suite of tools designed for triage & specific artifact analysis
▪ Available on GitHub
RegRipper
▪ Command-line tool used to parse data & artifacts from the Windows registry (to be discussed in detail later)
▪ Developed by Harlan Carvey: author & IR expert
▪ Routinely updated with plug-ins. Community-supported
Forensic Workstation Software (Automatic Tools): Paid Mobile Analysis
- Magnet Axiom(see previous)
- Cellebrite Universal Forensic Extraction Device (UFED) & Physical Analyzer
- Oxygen Forensics
- XRY Xamine
- Gray Key or Gray Shift
Cellebrite Universal Forensic Extraction Device (UFED)
▪ Used by law enforcement worldwide
▪ Android, iOS, GPS, Blackberry, Windows Phone, etc. support
▪ Constantly being developed, updated
▪ Training & certification available
▪ Cost for tool: ~$11,000 + yearly maintenance ~$7,500
▪ Advanced capabilities cost over $20,000 more per year
Oxygen Forensics
▪ Used by law enforcement worldwide
▪ Android, iOS, GPS, Blackberry, Windows Phone, etc. support
▪ Training & certifications available
▪ Cost for tool: ~$7,000 + yearly maintenance ~$3,000
XRY Xamine
▪ Acquisition & analysis tool
▪ Cost: ??
Gray Key or Gray Shift
▪ Law enforcement only tool
▪ Tool is designed to bypass passcode security on iOS & Android devices
▪ Supports full file system extraction after first unlock
▪ Limited data if before first unlock
▪ Unit is tied to the LE agency & monitored via IP address
▪ Cost for tool: ~$10,000 and up + yearly maintenance at the same cost… Annually!
Analyst Training + Certification
Training in DF is extremely important!
The field is always changing & evolving
▪ Mobile forensics is the most prominent with this
▪ Operating systems upgraded regularly (phone & computer)
▪ Apple Mac OS is always changing
▪ Applications added & updated regularly
▪ Hardware advancements & improvements
▪ Tool-specific updates, improvements
Training and/or certification in DF is done in two main ways
▪ Vendor-neutral
▪ Vendor-specific
Vendor-neutral training focuses on competencies, concepts, methodologies & principles
▪ Generally offered as part of a DF organization or association. Does NOT equal “free”
Vendor-specific training teaches participants how to use a specific DF tool for specific purposes
CFCE
Certified Computer Forensic Examiner (CFCE) certification process: a 6+ month long process, peer-reviewed, coached (IACIS)
IACIS
International Association of Computer Investigative Specialists
Vendor-Neutral Training Options
▪ International Association of Computer Investigative Specialists (IACIS)
▪ Capstone course: Basic Computer Forensic Examiner (BCFE) – 2 weeks
▪ Open to any member of IACIS (not LE restrictive)
▪ Comprehensive basic vendor-neutral training with basic equipment as part of tuition ($3,795)
▪ Upon completion, eligible to sit for the Certified Computer Forensic Examiner (CFCE) certification process
▪ 6+ month long process, peer-reviewed, coached
▪ Also has 1- & 2-week specialized courses
SANS Institute
▪ Offers a library of courses for computer forensics, mobile device forensics, information security, incident response, network security, etc.
▪ Computer forensic certification is GIAC Certified Forensic Examiner (GCFE)
▪ Open to all in the field of information security, compliance, forensics, etc.
▪ Cost is HIGH - $5,000-$10,000
Vendor-Neutral Training Options (Cont.)
▪ International Society of Forensic Computer Examiners (ISFCE)
▪ Primary course & certification is the Certified Computer Examiner (CCE)
▪ Applicants can sit for the test without attending a class
▪ A “CCE Bootcamp” is also available at cost
▪ Open to all in the field of digital forensics
▪ Peer-reviewed, coached
▪ Re-certification mandatory to maintain
National White Collar Crime Center (NW3C)
▪ Non-profit, partially government-funded
▪ Offers a library of courses for computer forensics, mobile device forensics, network forensics, online investigation, etc.
▪ Several computer and mobile-based forensic certifications
▪ Offers both LE-only & publicly available classes
▪ Online & in-person classes offered
National Computer Forensic Institute (NCFI)
▪ Operated by the US Secret Service
▪ Goal is to train state & local LE on the basics of computer forensics, mobile forensics & network forensics
▪ Must be LE & sponsored by the local USSS office
▪ Free to LE. Class provides all software, hardware & training
▪ Basic Computer Evidence Response Training (BCERT) is the capstone 5-week course given in Hoover, AL
▪ Not specifically vendor-neutral, but provides training for multiple vendor tools
CCE
Certified Computer Examiner
Primary course & certification for ISFCE
ISFCE
International Society of Forensic Computer Examiners
Vendor-Specific Training
▪ Offered by most (if not all) DF tool vendors
▪ Goal is competency within a discipline working with a tool created by a specific vendor
▪ Some offer just training, while others offer both training & certification
▪ Highlights:
▪ EnCase Certified Examiner (EnCE)
▪ Magnet Certified Forensic Examiner (MCFE)
▪ Cellebrite Certified Mobile Examiner (CCME)
▪ Also Cellebrite Certified Operator & Physical Analyst (CCO, CCPA)
▪ X-Ways Forensics X-Pert