Which was the first tool that analyzed and extracted data from floppy disks and hard disks for IBM PC file systems?

Norton DiskEdit, one of the first MS-DOS command-line tools (see the command-line tools notes below).


Evaluating Digital Forensic Tool Needs

Match the tool to the work you expect to do; open-source tools often give the best value for the number of features.

Hardware forensic tools

Range from single-purpose components to complete computer systems and servers

Software forensic tools

Types:
Command-line applications and GUI applications
-commonly used to copy data from a suspect's drive to an image file

5 categories of tasks performed by digital forensic tools

1.) Acquisition
2.) Validation and verification
3.) Extraction
4.) Reconstruction
5.) Reporting

Acquisition

Making a forensic copy of the original drive; all later examination is done on the copy

Subfunctions of Acquisition

-physical data copy
-logical data copy
-data acquisition format
-command-line acquisition
-GUI acquisition
-remote, live, and memory acquisition

Physical data copy

bit-for-bit duplicate of the entire drive, including unallocated space and slack

Logical data copy

copies only selected files, folders or a partition; deleted data in unallocated space is not captured, so parts of the original are missing from the copy

Raw data format

bit-for-bit output with no wrapper: you can view everything, no restrictions, readable with any hexadecimal editor; hash values and case notes have to be kept in a separate file

Vendor-specific proprietary format

has restrictions on which tools can read it; creating smaller segmented files is typically a feature of proprietary formats

Remote acquisition

-remote acquisition of files is common in larger organizations
-popular tools such as AccessData FTK and EnCase can make remote acquisitions of forensic drive images over a network

Validation

confirming that a tool is functioning as intended

Verification

proves that two sets of data are identical by calculating hash values

Filtering

related to verification; sorting and searching through investigation files to separate known-good data from suspicious data

Subfunctions of Validation and Verification

-hashing
-filtering
-analyzing file headers
-discriminate files based on their type
-National Software Reference Library (NSRL): a compiled list of known file hashes
-computer forensic programs have a list of common header values
-with this information you can see whether a file extension is incorrect for the file type (think of a renamed file used to hide data, e.g. an image renamed to look like a resume)
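The three subfunctions above (hash verification, filtering against a known-file list, and header analysis) as one added example; this is not code from the page or from any forensic suite. The sample files, the four-entry signature table and the one-hash "known" set are constructed stand-ins for real evidence, a full magic-number table and the NSRL.

```python
import hashlib

# Constructed sample "evidence" files (name -> bytes); not data from the page.
SAMPLE_FILES = {
    "resume.doc": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40,  # JPEG bytes renamed .doc
    "notes.txt": b"meeting at 4pm, bring the drive\n",
    "calc.exe": b"MZ\x90\x00" + b"\x00" * 60,                          # stub PE header
    "photo.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 60,
}

# Header (magic-number) table: signature, file type, extensions that legitimately carry it.
# Real suites ship far larger tables; these four signatures are genuine.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"MZ", "pe", {"exe", "dll", "sys"}),
    (b"%PDF-", "pdf", {"pdf"}),
]

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_identical(copy_a, copy_b):
    """Verification: two sets of data are identical iff their hash values match."""
    return sha256_hex(copy_a) == sha256_hex(copy_b)

def header_type(data):
    """Analyze the file header: return the type implied by its signature, or None."""
    for magic, kind, _ in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None

def extension_mismatches(files):
    """Discriminate by type: list files whose extension contradicts the header."""
    mismatches = []
    for name, data in files.items():
        kind = header_type(data)
        if kind is None:
            continue                     # unknown signature: nothing to compare against
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        allowed = next(exts for _, k, exts in SIGNATURES if k == kind)
        if ext not in allowed:
            mismatches.append((name, ext, kind))
    return mismatches

def filter_known(files, known_hashes):
    """Filtering: drop files whose hash appears in a known-file list (NSRL-style)."""
    return {name: data for name, data in files.items() if sha256_hex(data) not in known_hashes}

# Constructed stand-in for an NSRL hash set: here it knows only the stub calc.exe.
KNOWN_HASHES = {sha256_hex(SAMPLE_FILES["calc.exe"])}

def triage(files=SAMPLE_FILES, known_hashes=KNOWN_HASHES):
    """Filter out known files, then flag extension/header mismatches in what remains."""
    unknown = filter_known(files, known_hashes)
    return {"remaining": sorted(unknown), "mismatches": extension_mismatches(unknown)}

if __name__ == "__main__":
    print(triage())
```

Running it flags only resume.doc: its header says JPEG but its extension says Word document, which is exactly the renamed-file case the notes describe, while calc.exe drops out because its hash is on the known list.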

Extraction

-the recovery task in a digital investigation
-recovering data is the first step in analyzing investigation data

Subfunctions of Extraction

-data viewing
-carving
-keyword searching
-decrypting
-decompressing or uncompressing
-bookmarking or tagging (speeds up analysis)
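Carving and keyword searching from the list above, as an added example that is not code from the page or from any forensic suite. The raw image is constructed: zero bytes stand in for unallocated space, with a minimal JPEG, a minimal PNG and the word "resume" (once as ASCII, once as UTF-16LE) buried in it; the carving rules cover only those two types.

```python
import re

# Constructed raw image: zero filler standing in for unallocated space, with a
# minimal JPEG and PNG and a keyword buried in it. Not data from the page.
FILLER = b"\x00" * 64
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x22" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
IMAGE = (FILLER + FAKE_JPEG + FILLER + b"resume_final.docx" + FILLER
         + FAKE_PNG + "resume".encode("utf-16-le") + FILLER)

# Carving rules: header, footer, bytes to keep after the footer.
CARVERS = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 0),      # ends with the EOI marker itself
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),      # IEND chunk type + 4-byte CRC
}

def carve(image, max_size=10 * 1024 * 1024):
    """Header/footer carving: recover files from raw bytes with no file system help.
    Returns (type, offset, data) tuples sorted by offset."""
    found = []
    for kind, (header, footer, tail) in CARVERS.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1           # header without footer: truncated, skip it
                continue
            end += len(footer) + tail
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])

def keyword_search(image, keyword):
    """Keyword search over raw bytes. Windows artifacts are often UTF-16LE, so a
    plain ASCII search misses them; search both encodings."""
    hits = []
    for label, pattern, flags in (
        ("ascii", re.escape(keyword.encode("ascii")), re.IGNORECASE),
        ("utf16le", re.escape(keyword.encode("utf-16-le")), 0),
    ):
        hits.extend((label, m.start()) for m in re.finditer(pattern, image, flags))
    return sorted(hits, key=lambda hit: hit[1])

if __name__ == "__main__":
    for kind, offset, data in carve(IMAGE):
        print(f"carved {kind} at offset {offset}, {len(data)} bytes")
    print(keyword_search(IMAGE, "resume"))
```

The footer search is bounded by max_size so a header whose footer is missing (a truncated file) does not swallow the rest of the image; real carvers also validate the structure between header and footer, which this example skips.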

Encrypted files and systems are a problem. True or false?

True

Password recovery

-many password recovery tools have a feature for generating potential password lists for a password dictionary attack
-if the dictionary attack fails, you can run a brute-force attack
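The order described above (generate a potential-password list, run the dictionary attack, fall back to brute force) as an added example; it is not code from the page or from any password recovery product. The target is an unsalted SHA-256 of the password, a constructed stand-in for whatever hash or key-derivation the real container uses, and the wordlist and mangling rules are deliberately tiny.

```python
import hashlib
import itertools
import string

def pw_hash(password):
    """Constructed target: an unsalted SHA-256 of the password. Real targets are
    container/OS-specific (and usually slow KDFs), but the attack order is the same."""
    return hashlib.sha256(password.encode()).hexdigest()

def mangle(word):
    """Generate a potential-password list from one base word: case variants,
    common suffixes and simple leet substitutions, without duplicates."""
    seen = set()
    for base in (word, word.lower(), word.capitalize(), word.upper()):
        for cand in (base, base + "1", base + "123", base + "!",
                     base.replace("o", "0").replace("e", "3")):
            if cand not in seen:
                seen.add(cand)
                yield cand

def dictionary_attack(target_hash, wordlist):
    for word in wordlist:
        for cand in mangle(word):
            if pw_hash(cand) == target_hash:
                return cand
    return None

def brute_force(target_hash, alphabet=string.ascii_lowercase + string.digits, max_len=4):
    """Exhaustive search, shortest candidates first; cost grows as len(alphabet)**max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if pw_hash(cand) == target_hash:
                return cand
    return None

def recover(target_hash, wordlist, max_len=4):
    """The order the notes describe: dictionary attack first, brute force only if it fails."""
    found = dictionary_attack(target_hash, wordlist)
    if found is not None:
        return found, "dictionary"
    found = brute_force(target_hash, max_len=max_len)
    return found, ("brute-force" if found is not None else "not found")

WORDLIST = ["password", "letmein", "forensics"]   # constructed mini wordlist

if __name__ == "__main__":
    print(recover(pw_hash("Forensics1"), WORDLIST))
    print(recover(pw_hash("zq7"), WORDLIST, max_len=3))
```

The brute-force alphabet and length cap decide whether the fallback is feasible at all: 36 characters at length 4 is under two million hashes, but each extra character multiplies the work by 36, which is why the dictionary stage comes first.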

Reconstruction

-re-create a suspect drive to show what happened during a crime or incident
-re-create a victim drive to return property and minimize re-victimization
-except for illegal contraband, which is not returned

Methods of Reconstruction

-disk-to-image
-disk-to-disk
-partition-to-partition copy
-rebuilding files from data runs and carving
-to re-create an image of a suspect drive, copy the image to another location (i.e. a partition, a physical drive, or a virtual machine)

Disk-to-image

simplest and most common method used
Examples: EnCase, FTK, ProDiscover, Linux dd
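The disk-to-image copy above, and the acquisition notes earlier on the page (physical copy, raw versus segmented output, verification by hash), as one added example; it is not code from the page, from dd or from any of the suites named. The "drive" is a constructed 8 KiB byte string wrapped in a hypothetical FlakyDevice class whose block 5 fails to read, so the example also shows the bad-sector behaviour that dd's conv=noerror,sync option gives: log the block, zero-fill it, keep going.

```python
import hashlib
import io
import os
import tempfile

BLOCK = 512   # sector size used for the copy

class FlakyDevice:
    """Constructed stand-in for a suspect drive; reads of the listed blocks fail."""
    def __init__(self, data, bad_blocks):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_blocks)
        self.size = len(data)

    def read_block(self, index):
        if index in self._bad:
            raise OSError(5, "Input/output error")
        self._buf.seek(index * BLOCK)
        return self._buf.read(BLOCK)

def acquire(device, out_dir, segment_size):
    """Physical (bit-for-bit) copy into raw segment files image.001, image.002, ...
    Unreadable blocks are zero-filled and logged rather than aborting the copy
    (what dd conv=noerror,sync does); MD5 and SHA-256 are computed while copying."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    segments, bad_blocks, total = [], [], 0
    seg, seg_written, seg_no = None, 0, 0
    nblocks = (device.size + BLOCK - 1) // BLOCK
    for idx in range(nblocks):
        try:
            chunk = device.read_block(idx)
        except OSError:
            bad_blocks.append(idx)
            chunk = b"\x00" * BLOCK
        md5.update(chunk)
        sha.update(chunk)
        total += len(chunk)
        while chunk:                                  # spill across segment boundaries
            if seg is None or seg_written >= segment_size:
                if seg is not None:
                    seg.close()
                seg_no += 1
                path = os.path.join(out_dir, f"image.{seg_no:03d}")
                seg, seg_written = open(path, "wb"), 0
                segments.append(path)
            room = segment_size - seg_written
            seg.write(chunk[:room])
            seg_written += len(chunk[:room])
            chunk = chunk[room:]
    if seg is not None:
        seg.close()
    return {"segments": segments, "bytes": total, "bad_blocks": bad_blocks,
            "md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def verify(segments, expected_sha256):
    """Re-hash the written segments in order; a mismatch means the copy cannot be trusted."""
    h = hashlib.sha256()
    for path in segments:
        with open(path, "rb") as f:
            for piece in iter(lambda: f.read(65536), b""):
                h.update(piece)
    return h.hexdigest() == expected_sha256

SAMPLE_DATA = bytes(range(256)) * 32   # constructed 8 KiB "drive" = 16 blocks
BAD_BLOCKS = {5}                       # block 5 is unreadable

def run_demo():
    out_dir = tempfile.mkdtemp(prefix="acq_")
    result = acquire(FlakyDevice(SAMPLE_DATA, BAD_BLOCKS), out_dir, segment_size=4096)
    # What a faithful copy must hash to: the source with the bad block zero-filled.
    expected = SAMPLE_DATA[:5 * BLOCK] + b"\x00" * BLOCK + SAMPLE_DATA[6 * BLOCK:]
    result["expected_sha256"] = hashlib.sha256(expected).hexdigest()
    result["verified"] = verify(result["segments"], result["sha256"])
    return result

if __name__ == "__main__":
    r = run_demo()
    print(f"{len(r['segments'])} segments, {r['bytes']} bytes, bad blocks {r['bad_blocks']}")
    print("sha256", r["sha256"], "verified:", r["verified"])
```

Two points the notes make are visible here: the raw segments carry no hashes or metadata of their own, so the returned hash values and bad-block list are what goes into the acquisition log, and verification re-reads the written copy rather than trusting the hash computed during the write.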

Reporting

to perform a forensic disk analysis and examination you need to create a report

Subfunctions of Reporting

-bookmarking or tagging
-logging
-report generator

Other considerations for tools

-flexibility
-reliability
-future expandability
-take cost and maintenance support for the tools into consideration

Command-line forensic tools

-the first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems
-Norton DiskEdit was one of the first MS-DOS tools used; command-line tools require few system resources and are designed to run in minimal configurations
-current programs are more powerful and capable

Linux Forensic Tools

-Linux has largely replaced UNIX
-becoming more popular with home and business end users

SMART

-designed to be installed on numerous Linux versions
-can analyze a variety of file systems
-many plug-in utilities
-has a hex viewer

Helix 3

-one of the easiest suites to begin with
-can load on a live Windows system
-loads as a bootable Linux OS from a cold boot
-some international courts have not accepted live acquisitions as a valid form of forensic practice

Kali Linux

-formerly BackTrack
-includes a variety of tools and has an easy-to-use desktop interface (KDE in the BackTrack releases; current Kali defaults to Xfce)

Autopsy and The Sleuth Kit

-The Sleuth Kit (TSK) is a collection of command-line forensic tools
-Autopsy is the GUI (originally browser-based) interface used to access the Sleuth Kit tools

GUI forensic tools

-can simplify digital forensic investigations
-have simplified training
-most are put together as suites of tools
Advantages: easy to use, multitasking, no need to learn older OSs
Disadvantages: tool dependencies, can produce results inconsistent with other tools, excessive resource requirements

Digital Forensic Hardware Tools

-technology changes rapidly
-hardware eventually fails
-when planning a budget consider:
the amount of time you expect the workstation to be running, failures and replacement, and fees

Write-blocker

-prevents data writes to a hard disk
-using a write-blocker, you can navigate to the blocked drive with any application
-discards the written data
-to the OS the write appears successful
-connecting technologies:
-FireWire, USB 2.0 and 3.0
-SATA, PATA and SCSI controllers

Software-enabled blocker

typically runs in shell mode (a command-line interface)
Ex: PDBlock from Digital Intelligence

Hardware write-blockers

ideal for GUI tools; act as a bridge between the suspect drive and the workstation

Using Validation Protocols

-always verify your results by performing the same tasks with other similar forensic tools
-use at least two tools for retrieving, examination and verification
-disk editors do not have a flashy interface, but they are reliable and can access raw data

Computer Forensics Examination Protocol

-perform the investigation with a GUI tool
-verify your results with a disk editor
-compare the hash values obtained with both tools

Digital forensics tool upgrade protocol

test:
-new releases
-OS patches and upgrades
-if you find a problem, report it to the forensic tool vendor; do not use the tool until the problem is fixed
-use a test hard disk for validation purposes
-check the web for new editions, updates, patches, and validation tests for your tools

Computer Forensics Tool Testing (CFTT)

-NIST project that manages research on computer forensic tools
-NIST has created criteria for testing computer forensic tools based on:
-standard testing methods
-ISO 17025 criteria for testing items that have no current standards
