Week 6 Flashcards
How do digital forensic tools assist the investigator? (8)
▪ Presenting basic system/device information that is often useful in investigations
▪ Streamlining & automating processes
▪ Presenting data in a user-friendly environment
▪ Reducing case backlog & time
▪ Highlighting the important pieces of evidence in the case while potentially disregarding the irrelevant pieces of evidence
▪ Working around any counter-forensics measures (encryption)
▪ Allowing for manual analysis in a graphical user interface
▪ Depending on the tool, can also allow for customized analysis using scripts, code, etc
What are the two types of digital forensic tools?
Hardware-Based and Software-Based
What are hardware-based tools used for? (5)
▪ Analyzing the file system of the evidence source to determine feasibility of imaging (copying)
▪ Inputting basic case data to accompany the disk image file
▪ Providing numerous options for creation of the forensic disk image (RAW, logical, etc.)
▪ Creation of the forensic disk image
▪ Validation of the forensic disk image
What are the two Hardware-Based tools that we went over?
Logicube Forensic Falcon and Tableau TD2u
Logicube Forensic Falcon
This is write-blocked so the original evidence cannot be altered. You can plug in an evidence drive and then your target drive.
Tableau TD2u
Can also plug in evidence and then target drive.
What are the three things that should be done pre-acquisition?
▪ Photograph evidence
▪ Verify chain-of-custody
▪ Ensure & validate our target media is wiped
Make sure everything is forensically sound!
What are mobile acquisition tools?
▪ Serve the same purpose as computer hard drive acquisition tools (create a copy to work off of)
▪ Many more variables than for a computer storage device
▪ Can be stand-alone or PC-based
▪ Various methods & procedures for acquisition of mobile devices
▪ Unable to be verified as a true & accurate copy if not a physical acquisition (because the data is always changing)
The hardware and the software need to speak the same language.
What's happening in mobile device acquisition?
The HARDWARE needs to "speak the language" of the SOFTWARE
▪ Exploits & "agents" are often uploaded to facilitate communication
▪ Various connections, modifications & settings need to be changed in order to facilitate this process
▪ Back in the day…
▪ Cellular stores used to use this to transfer contacts, pictures, phone log, etc.
▪ Only since the advent of "smarter" phones has this data been realized as great evidence
Example of Mobile Acquisition Tool
The Cellebrite bag - pics in slide deck
What information from the device is shown after acquisition?
Owner name, Apple ID, last factory upgrade, the devices it’s synced to, if there is encryption, etc. This is all important info to include in a report!
Positives of Software Acquisition Tools
▪ Take up less physical space than hardware tools
▪ Can often be deployed remotely or in stand-alone format (USB thumb drive) (even to multiple units at once)
▪ Some are free/open-source
Negatives of Software Acquisition Tools
▪ Rely on software measures to ensure the evidence is not altered (write-blockers) (when you plug in a thumb drive, you alter evidence; that's okay, document it!)
▪ Often slower than hardware-based tools
▪ Work productivity decreased while using (if you use it on a live system, the system is very slow)
Paid Forensic Tools
Cellebrite
Oxygen
Magnet Axiom
Recon Lab (Mac-specific)
AccessData
OpenText
Sanderson
X-Ways