
COS/PSA 413


Presentation Transcript


  1. COS/PSA 413 Day 11

  2. Agenda
  • Lab 4 Write-ups Corrected
    • 2 A’s, 2 B’s and 1 C
    • Some need more attention to detail
  • Lab 5 write-ups due Oct 19 Wednesday
  • Lab 6 tomorrow in OMS
    • Projects 7-1, 7-2, 7-3, and 7-4 (same projects in Chap 6 of 2e)
    • For Project 7-2 create the Excel file before you get to the lab
  • Next week we have two labs (7 & 8 on data acquisition)
  • Assignment 3 posted (due Oct 21)
  • Capstone Proposals overdue
    • See guidelines in WebCT
    • 9 require some modifications (emails sent)
  • First Progress Report due on October 21
    • Timing of proposal and progress reports is 10% of grade
  • Exam 2 on Oct 21 (Friday)
    • Chaps 5-8, 10 M/C (30 points), 10 Short Answer (30 points), 5 Essays (40 points); Open Book, Open Notes, 70 min. time limit
  • Today we will discuss Data Acquisition
    • Chap 9 in both books (has significant changes!)

  3. Data Acquisition Chapter 9

  4. Learning Objectives
  • Determine the best acquisition method
  • Plan data recovery contingencies
  • Use MS-DOS acquisition tools
  • Use GUI acquisition tools
  • Acquire data on Linux computers
  • Use other data acquisition tools

  5. Determining the Best Acquisition Method
  • Three ways
    • Bit-stream disk-to-image file
    • Bit-stream disk-to-disk
    • Sparse data copy of a file or folder
  • Bit-stream disk-to-image file
    • Most common method
    • Can make more than one copy
    • EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

  6. Determining the Best Acquisition Method (continued)
  • Bit-stream disk-to-disk
    • When a disk-to-image copy is not possible
    • Consider the disk’s geometry (CHS configuration)
    • SafeBack, SnapCopy, Norton Ghost 2002
  • Sparse data copy
    • Creates exact copies of folders and files
    • For large disks
    • PST or OST mail files, RAID servers

  7. Determining the Best Acquisition Method (continued)
  • When making a copy, consider:
    • Size of the source disk
      • Lossless compression might be useful
      • Use digital signatures for verification
    • Whether you can retain the disk
    • How much time you have
    • Location of the evidence
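A bit-stream disk-to-image copy with the verification step the slide calls for, as an added Python example (not from the textbook or any tool named on these slides). It reads the source read-only in sector-sized blocks, hashes the data as it streams, then independently re-hashes the written image; SHA-256 digests are used for the check, and signing that digest is assumed to happen separately. The 512-byte sector size and the sample "drive" are constructed assumptions.

```python
"""Bit-stream disk-to-image acquisition with hash verification (added example)."""
import hashlib
import os
import tempfile

SECTOR = 512            # assumed sector size
CHUNK = 2048 * SECTOR   # 1 MiB read unit; always a multiple of the sector size

def acquire(source: str, image: str, chunk: int = CHUNK) -> dict:
    """Copy every byte of `source` to `image`, hashing the data as it streams past.

    Returns the sector count, the SHA-256 of the source and of the re-read image,
    and 'verified', which is True only when the two digests match.  The source is
    opened read-only; nothing is ever written to it.
    """
    src_hash = hashlib.sha256()
    sectors = 0
    with open(source, "rb") as src, open(image, "wb") as out:
        while True:
            block = src.read(chunk)
            if not block:
                break
            src_hash.update(block)
            out.write(block)
            sectors += -(-len(block) // SECTOR)   # ceil: a partial last block still counts
        out.flush()
        os.fsync(out.fileno())                    # image must be on disk before we trust it
    # Second, independent pass over the written image, not over the in-memory data.
    img_hash = hashlib.sha256()
    with open(image, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            img_hash.update(block)
    return {"sectors": sectors,
            "source_sha256": src_hash.hexdigest(),
            "image_sha256": img_hash.hexdigest(),
            "verified": src_hash.digest() == img_hash.digest()}

def demo() -> dict:
    """Constructed sample: a 10-sector 'drive' in a temp dir, imaged and verified."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 20)       # 5120 bytes = 10 sectors
        return acquire(src, os.path.join(d, "evidence.img"), chunk=3 * SECTOR)

if __name__ == "__main__":
    print(demo())
```

Recording both digests in the case notes lets a second examiner re-run the image pass alone and confirm the copy has not changed since acquisition.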

  8. Determining the Best Acquisition Method
  • DoubleSpace (DriveSpace) – An MS-DOS disk compression utility distributed with MS-DOS 6.0 and 6.20.
  • Algorithm – A formula or set of steps for solving a particular problem. To be an algorithm, a set of rules must be unambiguous and have a clear stopping point.
  • Lossy Compression (contrasted with Lossless Compression) – A compression technique that can lose data but not perceptible quality when a file is restored. Files that use lossy compression include JPEG and MPEG.

  9. Planning Data Recovery Contingencies
  • Create a duplicate copy of your evidence image file
  • Make at least two copies of digital evidence
    • Use different tools or techniques
  • Copy the host-protected area of a disk drive as well
    • Image MaSSter Solo
  • HAZMAT and environmental conditions

  10. Planning Data Recovery Contingencies
  HAZMAT concerns:
  - Does the evidence location have adequate electrical power?
  - Is there enough light at the evidence location, or do you have to bring floodlights, flashlights, or other kinds of lighting?
  - Is the temperature of the evidence location too warm, too cold, or too humid?

  11. Using MS-DOS Acquisition Tools
  • Original tools
    • Fit on a forensic boot floppy disk
    • Require fewer resources
  • DriveSpy
    • Data-preservation commands
    • Data-manipulation commands

  12. Using MS-DOS Acquisition Tools
  Viewing Absolute and Logical Sectors
  1. Navigate to the Tools folder of the work folder.
  2. Type DriveSpy at the command prompt.
  3. At the SYS prompt, type D0.
  4. Note the numbers for the start and end sectors, and select a number between those, such as 2344.
  5. At the D0 prompt, type Sector 2344. A sector map will appear.

  13. Using MS-DOS Acquisition Tools

  14. Using MS-DOS Acquisition Tools
  Viewing Absolute and Logical Sectors (continued)
  6. Press Esc to return to the D0 prompt.
  7. Type P1 to use the Partition mode.
  8. At the D0P1 prompt, type Sector 2344.
  9. Press Esc to return to the D0P1 prompt, and then type exit.

  15. Using MS-DOS Acquisition Tools

  16. Understanding How DriveSpy Accesses Sector Ranges
  • First method
    • Absolute starting sector, total number of sectors
    • Example: 0:1000,100 (primary master drive)
  • Second method
    • Absolute starting sector-ending sector
    • Example: 0:1000-1100 (101 sectors)
  • Moving data
    • CopySect 0:1000,100 1:2000,100
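The two range notations above, and the CopySect form that pairs a source range with a destination, as an added Python example (not DriveSpy's own code). It normalises both notations to (drive, start, count), treats a bare destination such as 3:0 (the form used later on the CopySect slide) as "same length as the source", and bounds-checks the copy so a range can never run off the end of either drive. The 512-byte sector size and the in-memory "drives" are constructed assumptions.

```python
"""DriveSpy-style sector range notation, normalised and applied (added example)."""
import re

SECTOR_SIZE = 512   # assumed classic 512-byte sectors

def parse_range(spec: str) -> tuple[int, int, int]:
    """Parse 'drive:start,count' or 'drive:start-end' into (drive, start, count).

    Both forms use absolute sector numbers; 'start-end' is inclusive, so
    0:1000-1100 is 101 sectors.  A bare 'drive:start' (a destination with no
    length) returns count 0, meaning 'take the length from the source range'.
    """
    m = re.fullmatch(r"(\d+):(\d+)(?:([,-])(\d+))?", spec.strip())
    if not m:
        raise ValueError(f"bad sector range: {spec!r}")
    drive, start = int(m.group(1)), int(m.group(2))
    if m.group(3) is None:
        return drive, start, 0
    n = int(m.group(4))
    if m.group(3) == ",":
        return drive, start, n                    # explicit sector count
    if n < start:
        raise ValueError("end sector precedes start sector")
    return drive, start, n - start + 1            # inclusive end -> count

def copy_sect(drives: dict[int, bytearray], src: str, dst: str) -> int:
    """Emulate CopySect between two in-memory 'drives'; returns sectors copied."""
    sd, ss, cnt = parse_range(src)
    dd, ds, dcnt = parse_range(dst)
    if cnt == 0:
        raise ValueError("source range needs a length")
    if dcnt and dcnt != cnt:
        raise ValueError("destination range length differs from source")
    s_off, d_off, nbytes = ss * SECTOR_SIZE, ds * SECTOR_SIZE, cnt * SECTOR_SIZE
    if s_off + nbytes > len(drives[sd]) or d_off + nbytes > len(drives[dd]):
        raise ValueError("range exceeds drive size")
    drives[dd][d_off:d_off + nbytes] = drives[sd][s_off:s_off + nbytes]
    return cnt

if __name__ == "__main__":
    # Constructed sample: two tiny 'drives' of 2000 sectors each.
    disks = {0: bytearray(b"\xaa" * 2000 * SECTOR_SIZE), 1: bytearray(2000 * SECTOR_SIZE)}
    print(copy_sect(disks, "0:1000,100", "1:2000"[:1] + ":200"))   # 100
    print(parse_range("0:1000-1100"))                              # (0, 1000, 101)
```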

  17. Using MS-DOS Acquisition Tools
  Saving a Partition with SavePart
  1. Navigate to the Tools folder and run Toolpath.bat. If necessary, create a folder called Chap09 in your work folder and a subfolder called Chapter inside Chap09.
  2. Change to the Chap09\Chapter folder.
  3. Type DriveSpy at the command prompt.
  4. At the SYS prompt, type DriveSpy to start DriveSpy.
  5. At the SYS prompt, type Drives.

  18. Using MS-DOS Acquisition Tools

  19. Using MS-DOS Acquisition Tools
  Saving a Partition with SavePart (continued)
  6. At the SYS prompt, type D0.

  20. Using MS-DOS Acquisition Tools

  21. Using MS-DOS Acquisition Tools
  Saving a Partition with SavePart (continued)
  7. At the D0 prompt, type Part 1.

  22. Using MS-DOS Acquisition Tools

  23. Using MS-DOS Acquisition Tools
  Saving a Partition with SavePart (continued)
  8. Insert a floppy disk that contains a few files into the floppy drive. At the D0P1 prompt, type Drive A.
  9. At the DA prompt, type Part 1 to access the partition level.
  10. At the DAP1 prompt, type SavePart C:\work folder\Chap09\Chapter\Case_9sp.ima to copy the floppy disk’s partition to an image file, Case_9sp.ima, on your hard disk.

  24. Using MS-DOS Acquisition Tools

  25. Using MS-DOS Acquisition Tools
  Saving a Partition with SavePart (continued)
  11. At the DAP1 prompt, type exit to close DriveSpy.

  26. Using MS-DOS Acquisition Tools

  27. Using MS-DOS Acquisition Tools
  Restoring the Case_9sp.ima Image File
  1. At an MS-DOS prompt, navigate to the Tools folder in your work folder and type Toolpath.bat. Then type cd C:\work folder\Chap09\Chapter to move to the Chap09\Chapter folder in your work folder.
  2. At the command prompt, type DriveSpy.
  3. At the SYS prompt, type Output Chap2rp2.txt to create the output file.

  28. Using MS-DOS Acquisition Tools
  Restoring the Case_9sp.ima Image File (continued)
  4. At the SYS prompt, type Drive A to access the floppy drive. At the DA prompt, type Part 1 to access the partition level of the floppy disk.
  5. At the DAP1 prompt, type WritePart Case_9sp.ima to restore the image file you created in Chap09\Chapter. When a warning appears, type Y to continue. It will take a few minutes to restore the image file.

  29. Using MS-DOS Acquisition Tools

  30. Using MS-DOS Acquisition Tools

  31. Using MS-DOS Acquisition Tools
  Restoring the Case_9sp.ima Image File (continued)
  6. At the DAP1 prompt, type exit to close DriveSpy. Reboot to Windows.

  32. Using MS-DOS Acquisition Tools
  Copying Sectors from One Drive to Another
  1. Access a command prompt, and navigate to the Tools folder.
  2. At the command prompt, type DriveSpy to start DriveSpy.
  3. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap09rp3.txt to record the commands you see and the results.
  4. At the SYS prompt, type Drives to list the drives connected to your workstation.

  33. Using MS-DOS Acquisition Tools

  34. Using MS-DOS Acquisition Tools
  Copying Sectors from One Drive to Another (continued)
  5. At the SYS prompt, type CopySect 1:0,1665216 3:0 to copy Drive 1 from absolute sectors 0 to 1665216 to Drive 3, starting at absolute sector 0.
  6. When a warning appears showing the source and destination drives, verify that they are correct by typing Y to continue. Copying the sectors may take a few minutes. When it has finished, DriveSpy displays Done! and returns to the SYS prompt.

  35. Using MS-DOS Acquisition Tools

  36. Using MS-DOS Acquisition Tools
  Copying Sectors from One Drive to Another (continued)
  7. At the SYS prompt, type exit to close DriveSpy. Then reboot your computer.

  37. Using MS-DOS Acquisition Tools
  Saving Sectors in DriveSpy
  1. Access a command prompt and navigate to the Tools folder of your work folder. At the command prompt, type DriveSpy.
  2. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap9rp4.txt to create an output file to record your actions and results.
  3. At the SYS prompt, type Drives to determine which drive to copy.
  4. At the SYS prompt, type D3 to access the drive you want to copy. Substitute the number for your drive as necessary.

  38. Using MS-DOS Acquisition Tools
  Saving Sectors in DriveSpy (continued)
  5. At the D3 prompt, type P1 to select the partition that contains the sectors you want to copy.
  6. At the D3P1 prompt, type SaveSect 3:0-415232 C:\work folder\Chap09\Chapter\Case_9s.dat to copy sectors 0 to 415232 to a data file named Case_9s.dat.
  7. At the D3P1 prompt, type exit to close DriveSpy.

  39. Using MS-DOS Acquisition Tools

  40. Using MS-DOS Acquisition Tools
  Using the WriteSect Command
  1. Access a command prompt and navigate to the Tools folder of your work folder. At the command prompt, type DriveSpy.
  2. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap9rp5.txt to record the commands you use and their results in an output file.
  3. At the SYS prompt, type Drives to list the drives the system recognizes. Select the drive to which you want to copy data.
  4. At the SYS prompt, type D3 to access the drive.

  41. Using MS-DOS Acquisition Tools
  Using the WriteSect Command (continued)
  5. At the SYS prompt, type D3 to access the drive you want. Substitute the number for your drive as necessary.
  6. At the D3 prompt, type WriteSect C:\work folder\Chap09\Chapter\Case_9s.dat 3:0 to start transferring data to absolute sector 0 on Drive 3. Substitute drive and folder names for those on your system as necessary.
  7. Type Y when a warning appears.
  8. At the D3 prompt, type exit to close DriveSpy.

  42. Using Windows Acquisition Tools
  Preparing for a Data Acquisition with FTK Explorer
  • Boot a forensic workstation with Windows using an installed write-blocker such as Digital Intelligence FireChief.
  • Connect the evidence disk to a write-blocking device or the FireChief write-block bay.
  • Connect the target disk to the FireChief writeable bay.

  43. Using Windows Acquisition Tools
  Acquiring Evidence with FTK Explorer (Imager)
  1. Click the Start button, point to Programs, point to AccessData, point to Forensic Toolkit, and then click FTK Explorer (Imager).
  2. Click File on the menu bar, and then click Image Drive. The Select Local Drive dialog box opens.

  44. Using Windows Acquisition Tools

  45. Using Windows Acquisition Tools (continued)
  3. Click the Select a drive list arrow, and then click the drive for which you want to create an image, such as D: (MS-DOS_6_FAT). If your workstation is running Windows 98 and the drive you are acquiring is an NTFS or Ext2fs drive, click the Physical option button to access the drive for acquisition. Then click OK. The Export Disk Image dialog box opens.

  46. Using Windows Acquisition Tools

  47. Acquiring Data on Linux Computers
  Disadvantages of using the dd command:
  - You need to know advanced UNIX shell scripting and commands.
  - You must specify the number of blocks per save-set volume to create a volume.
  - You might not be able to use the dd command on your PC, depending on the distribution and version of Linux you are using.
  - You cannot use the dd command to automatically adjust drive geometry to match the target drive, as with the DriveSpy CopySect command.

  48. Using Other Forensics Acquisition Tools
  SafeBack does the following:
  - Creates disk-to-image files.
  - Copies from a source disk to an image on a tape drive.
  - Copies from a source disk to a target disk, adjusting the target drive’s geometry to match the source drive.
  - Copies from a source disk to a target disk using a parallel port laplink cable.
  - Copies a partition to an image file.

  49. Using Other Forensics Acquisition Tools
  SafeBack does the following:
  - Compresses acquired files to reduce the volume save-set sizes.
  SafeBack provides the following four programs:
  - Master.exe – The main SafeBack utility program.
  - Remote.exe – For connecting two computers and transferring data with a parallel port laplink cable.
  - Restpart.exe – For restoring a partition that is saved separately from the entire suspect’s disk.
  - Tapsi.exe – For connecting SCSI devices for your data acquisition.

  50. Chapter Summary
  • You can acquire digital evidence from disk drives in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file.
  • Several tools on the market allow you to restore disks that are larger or smaller than the suspect’s source drive.
