Active Data is the information that we can actually see. This includes data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
Archival Data is data that has been backed up and stored. This could mean backup tapes, CDs, floppies, or entire hard drives.
Latent Data is information that typically requires specialized tools to access, for example data that has been deleted or partially overwritten.
A computer investigation could involve any or all of these data types, depending on the circumstances. Obtaining latent data is by far the most time-consuming and costly.
Computer forensics is about obtaining proof of a crime or breach of policy. It focuses on gathering evidence of illegal misuse of computers in a way that could lead to the prosecution of the culprit.
Understanding Storage Formats for Digital Evidence
Three formats:
Raw format
Proprietary formats
Advanced Forensics Format (AFF)
Raw Format
Makes it possible to write bit-stream data to files
Advantages:
Fast data transfers
Can ignore minor data read errors on source drive
Most computer forensics tools can read raw format
Disadvantages:
Requires as much storage as original disk or data
Tools might not collect marginal (bad) sectors
Proprietary Formats
Advantages:
Option to compress or not compress image files
Can split an image into smaller segmented files
Can integrate metadata into the image file
Disadvantages:
Inability to share an image between different tools
File size limitation for each segmented volume
Advanced Forensics Format
Design goals:
Provide compressed or uncompressed image files
No size restriction for disk-to-image files
Provide space in the image file or segmented files for metadata
Simple design with extensibility
Open source for multiple platforms and OSs
Internal consistency checks for self-authentication
Determining the Best Acquisition Method
Types of acquisitions:
Static acquisitions and live acquisitions
Four methods:
Bit-stream disk-to-image file
Bit-stream disk-to-disk
Logical disk-to-disk or disk-to-data file
Sparse data copy of a file or folder
Bit-stream disk-to-image file
Most common method
Can make more than one copy
Copies are bit-for-bit replications of the original drive
ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Bit-stream disk-to-disk
When disk-to-image copy is not possible
Consider disk’s geometry configuration
EnCase, SafeBack, SnapCopy
Logical acquisition or sparse acquisition
When your time is limited
Logical acquisition captures only specific files of interest to the case
Sparse acquisition also collects fragments of unallocated (deleted) data
Used for very large disks (for example RAID servers) or to collect specific large files such as PST or OST mail files
When making a copy, consider:
Size of the source disk
Lossless compression might be useful
Use digital signatures for verification
When working with large drives, an alternative is using tape backup systems
Whether you can retain the disk
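The raw acquisition, segmentation and hash verification described in the Raw Format, Bit-stream disk-to-image file and "When making a copy" sections above, as an added shell example. This is not code from the textbook or from any of the tools named on this page; it assumes Linux coreutils (dd, split, sha256sum) and constructs its own "suspect disk" file so it runs without a real drive or root. The function names acquire_raw, split_image and verify_image, the segment size and the manifest layout are choices made here.

```shell
#!/bin/sh
# Added example (not from the textbook or any vendor tool): a raw, dd-style
# bit-stream acquisition into a segmented image with a SHA-256 manifest,
# followed by verification. Assumes Linux coreutils (dd, split, sha256sum).
# The "suspect disk" is a constructed file so this runs without a real
# drive or root; on a real drive SOURCE would be e.g. /dev/sdb behind a
# write blocker and SEG_SIZE something like 650M.

BS=${BS:-512}               # must equal the sector size when conv=sync is used
SEG_SIZE=${SEG_SIZE:-65536} # segment size in bytes for the demo

hash_file() {
    # SHA-256 of one file, hash only (sha256sum on Linux, shasum on macOS)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

acquire_raw() {
    # acquire_raw SOURCE IMAGE LOGFILE
    # conv=noerror,sync keeps dd going past a read error and pads the
    # unreadable block with NULs, so later data keeps its original offset.
    # That is also why raw tools "might not collect marginal sectors":
    # a bad sector comes out as zeros, not as whatever was really there.
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs="$BS" conv=noerror,sync 2>>"$log"
    printf 'source_sha256=%s\n' "$(hash_file "$src")" >>"$log"
    printf 'image_sha256=%s\n'  "$(hash_file "$img")" >>"$log"
}

split_image() {
    # split_image IMAGE OUTDIR
    # Writes IMAGE.000, IMAGE.001, ... plus manifest.sha256 holding one hash
    # per segment and the hash of the whole image (the role ProDiscover's
    # .pds inventory or AFF's internal consistency checks play for their formats).
    img=$1; out=$2
    mkdir -p "$out"
    split -b "$SEG_SIZE" -d -a 3 "$img" "$out/$(basename "$img")."
    : >"$out/manifest.sha256"
    for seg in "$out"/*.[0-9][0-9][0-9]; do
        printf '%s  %s\n' "$(hash_file "$seg")" "$(basename "$seg")" >>"$out/manifest.sha256"
    done
    printf '%s  WHOLE\n' "$(hash_file "$img")" >>"$out/manifest.sha256"
}

verify_image() {
    # verify_image OUTDIR -> exit status 0 if every segment and the
    # reassembled image match the manifest, 1 otherwise
    out=$1; rc=0; whole=
    while read -r sum name; do
        if [ "$name" = WHOLE ]; then whole=$sum; continue; fi
        [ "$(hash_file "$out/$name")" = "$sum" ] || { echo "MISMATCH $name"; rc=1; }
    done <"$out/manifest.sha256"
    cat "$out"/*.[0-9][0-9][0-9] >"$out/.reassembled"
    got=$(hash_file "$out/.reassembled"); rm -f "$out/.reassembled"
    [ "$got" = "$whole" ] || { echo "MISMATCH whole image"; rc=1; }
    return $rc
}

demo() {
    work=$(mktemp -d)
    # Constructed evidence: 128 KiB of random bytes, a whole number of sectors
    head -c 131072 /dev/urandom >"$work/suspect.disk"
    acquire_raw "$work/suspect.disk" "$work/suspect.dd" "$work/acquisition.log"
    split_image "$work/suspect.dd" "$work/segments"
    if verify_image "$work/segments"; then echo "image verified"; fi
    grep sha256 "$work/acquisition.log"
    rm -rf "$work"
}
demo
```

On a real drive the source is the block device behind a write blocker, the image goes to a separate target volume, and SEG_SIZE is raised to something like the 650 MB ProDiscover uses. Keep bs equal to the sector size whenever conv=sync is in play: a larger block size pads the tail of the image and the source and image hashes will no longer agree. For drives with many bad sectors a dedicated tool (ddrescue, dcfldd) records which blocks were unreadable; plain dd only leaves zeros behind.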
Contingency Planning for Image Acquisitions
Create a duplicate copy of your evidence image file
Make at least two images of digital evidence
Use different tools or techniques
Copy host protected area of a disk drive as well
Consider using a hardware acquisition tool that can access the drive at the BIOS level
Be prepared to deal with encrypted drives
Whole disk encryption (BitLocker) in Windows Vista Ultimate and Enterprise editions
Capturing an Image with ProDiscover Basic
Connecting the suspect’s drive to your workstation
Document the chain of evidence for the drive
Remove the drive from the suspect’s computer
Configure the suspect drive’s jumpers as needed
Connect the suspect drive
Create a storage folder on the target drive
Using ProDiscover’s Proprietary Acquisition Format
Image file will be split into segments of 650MB
Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)
Using ProDiscover’s Raw Acquisition Format
Select the UNIX style dd format in the Image Format list box
Raw acquisition saves only the image data and hash value
Capturing an Image with AccessData FTK Imager
Included with AccessData Forensic Toolkit (FTK)
View evidence disks and disk-to-image files
Makes disk-to-image copies of evidence drives
At logical partition and physical drive level
Can segment the image file
Evidence drive must have a hardware write-blocking device
Or the USB write-protection Registry feature enabled
FTK Imager can’t acquire drive’s host protected area
Steps
Boot to Windows
Connect evidence disk to a write-blocker
Connect target disk to write-blocker
Start FTK Imager
Create Disk Image
Use Physical Drive option
Remote Connections
GoToMyPC allows you to access and work on your computer on-the-fly from any location connected to the Internet. Get reliable, convenient and secure access to email, files, programs and network resources from home or the road.
Features, with the capability and benefit of each:

Automatic Setup
Capability: Plug-in automatically launches, installs and configures itself. No restart required.
Benefit: Set up and ready to go in minutes, even by novice users.

Universal Viewer
Capability: When you connect to your computer, the Viewer window launches automatically, allowing you to view and control your computer from another Microsoft® Windows®, Microsoft® Windows® CE, Macintosh®, Linux, Unix® or Solaris® computer. No pre-loaded software required.
Benefit: Access your computer from any Web browser on any operating system at any time. Even work on your office Microsoft® Windows® PC from your Macintosh® at home.

Encryption and Maximum Security
Capability: All data is protected with AES encryption using 128-bit keys. Dual passwords and end-to-end user authentication. Optional One-Time Passwords provide maximum security.
Benefit: Most secure Internet connection available in a remote-access service. Nobody can “see” what you’re doing (not even us).

Optimal Performance
Capability: Connect to your computer in seconds and enjoy fast in-session performance.
Benefit: Be more productive, faster. Quick connections and better performance mean you get more done in less time.

True Color
Capability: View your desktop in true 24-bit color.
Benefit: Enjoy a true-to-life, full-color view of your desktop, perfect for looking at pictures and reviewing design work.

Remote Printing
Capability: Print documents to any printer wherever you happen to be.
Benefit: A hard copy of that forgotten file is only a connection away; print your document even if you don’t have the application.

File Sync and Transfer
Capability: Synchronize files and folders between your computer and any remote computer with just a click. Or transfer files and folders from one computer to another by simply dragging and dropping between screens.
Benefit: Increase file organization between your computers to eliminate confusion.

Sound
Capability: Hear sound at any remote PC with customizable audio settings. Automatic muting on the PC you are accessing remotely means sound can only be heard by you.
Benefit: Get the complete experience of being at your PC. Hear system alerts, voice mail, music or any other sound from your remote PC.

Guest Invite
Capability: Invite a second person to temporarily view or share control of your PC.
Benefit: Great for tech support, demos or “conference” viewing of info. Save time by meeting on-the-fly on your PC.

Multi-Monitor Support
Capability: Use GoToMyPC with multiple monitors connected to a single computer.
Benefit: Work on multiple monitors whether they’re connected to your host computer or to the computer at your remote-access location.

PocketView™ Wireless Access
Capability: Securely access your PC from your Pocket PC, Microsoft® Windows® Mobile or Microsoft® Windows® CE wireless device.
Benefit: Ultimate mobility with on-the-fly remote access to your PC desktop, including your email, all your files, all your applications and your corporate intranet.
Network Forensic Tools
Iris Network Traffic Analyzer
Continuous vulnerability forensics plus network performance analysis
Iris Network Traffic Analyzer empowers your security and operations teams by providing granular data monitoring and precise packet and session reconstruction capabilities. The solution is designed to combine process and technology into a single effective system for network forensics.
Today’s organizations rely on the continuity and security of underlying IT systems at all times. This requirement is further amplified by the fact that most security or performance issues, whether due to malicious acts, user non-compliance or simple bandwidth misallocation, generally reside above your network, in the applications being serviced by your infrastructure.
Virtual Tap
Most organizations today have already invested substantial time, money, and training in solutions that monitor their network’s security and performance at the physical level. However, these solutions, such as firewalls, network intrusion detection and prevention devices, virus scanning, and data loss prevention tools, have been unable to provide the same functionality in a virtualized environment because they cannot monitor network traffic between virtual servers inside a physical server. This has led to the need for another, parallel investment in time, energy, and money in “virtual” versions of all of these security devices and processes, until now.
Using Remote Network Acquisition Tools
You can remotely connect to a suspect computer via a network connection and copy data from it
Remote acquisition tools vary in configurations and capabilities
Drawbacks
LAN’s data transfer speeds and routing table conflicts could cause problems
Gaining the permissions needed to access more secure subnets
Heavy traffic could cause delays and errors
Remote Acquisition with ProDiscover
With ProDiscover Investigator you can:
Preview a suspect’s drive remotely while it’s in use
Perform a live acquisition
Encrypt the connection
Copy the suspect computer’s RAM
Use the optional stealth mode
ProDiscover Incident Response additional functions
Capture volatile system state information
Analyze current running processes
Locate unseen files and processes
Remotely view and listen to IP ports
Run hash comparisons
Create a hash inventory of all files remotely
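The "hash comparisons" and "hash inventory" functions listed above, as an added shell example that is not ProDiscover's code. It assumes Linux coreutils and awk; the directory tree, the file contents and the known-bad hash list are constructed inline, and the function names hash_inventory, compare_inventories and match_known_hashes are hypothetical.

```shell
#!/bin/sh
# Added example (not ProDiscover's code): a hash inventory of a file tree,
# a diff between two inventories, and a lookup against a list of known
# hashes. Assumes Linux coreutils (find, sort, sha256sum) and awk.

hash_inventory() {
    # hash_inventory ROOT OUTFILE
    # One line per regular file: "<sha256>  <path relative to ROOT>",
    # sorted by path so two inventories of the same tree are comparable.
    root=$1; out=$2
    ( cd "$root" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s  %s\n' "$(sha256sum -- "$f" | cut -d' ' -f1)" "${f#./}"
      done ) >"$out"
}

compare_inventories() {
    # compare_inventories BASELINE CURRENT
    # Prints "ADDED <path>", "REMOVED <path>" or "MODIFIED <path>" for every
    # difference. The path is taken from column 67 onward (64 hex chars plus
    # two spaces), so names containing spaces are handled correctly.
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        FILENAME == ARGV[1] { base[p] = h; next }
        { seen[p] = 1; if (!(p in base)) print "ADDED " p; else if (base[p] != h) print "MODIFIED " p }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

match_known_hashes() {
    # match_known_hashes INVENTORY KNOWNLIST
    # KNOWNLIST holds one sha256 per line (a known-bad or known-good set);
    # prints the inventory lines whose hash appears in it.
    awk 'FILENAME == ARGV[1] { known[$1] = 1; next } (substr($0, 1, 64) in known)' "$2" "$1"
}

demo() {
    work=$(mktemp -d)
    # Constructed suspect tree, inventoried once as a baseline
    mkdir -p "$work/host/bin" "$work/host/home/user"
    printf 'legit binary\n' >"$work/host/bin/sshd"
    printf 'dear diary\n'   >"$work/host/home/user/notes.txt"
    printf 'hello world\n'  >"$work/host/home/user/my file.doc"
    hash_inventory "$work/host" "$work/baseline.sha256"

    # Later: one file replaced, one dropped in, one deleted
    printf 'trojaned\n' >"$work/host/bin/sshd"
    printf 'dropper\n'  >"$work/host/home/user/.update.sh"
    rm "$work/host/home/user/notes.txt"
    hash_inventory "$work/host" "$work/current.sha256"

    echo "--- changes since baseline"
    compare_inventories "$work/baseline.sha256" "$work/current.sha256"

    # Constructed known-bad list: the dropper's hash, as an investigator
    # might hold it from an IDS alert or an earlier case
    sha256sum "$work/host/home/user/.update.sh" | cut -d' ' -f1 >"$work/known_bad.txt"
    echo "--- known-bad matches"
    match_known_hashes "$work/current.sha256" "$work/known_bad.txt"
    rm -rf "$work"
}
demo
```

Run hash_inventory against the mounted image or, with remote-agent access of the kind PDServer provides, on the suspect host itself and pull the file back; keep the baseline with the case notes and diff later inventories against it. The awk keys each line on the path substring after column 66 rather than on whitespace-split fields, which is what lets paths with spaces survive the comparison.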
PDServer remote agent
ProDiscover utility for remote access
Needs to be loaded on the suspect computer
PDServer installation modes
Trusted CD
Preinstallation
Pushing out and running remotely
PDServer can run in a stealth mode
Can change process name to appear as OS function
Remote connection security features
Password Protection
Encryption
Secure Communication Protocol
Write Protected Trusted Binaries
Digital Signatures
Remote Acquisition with EnCase Enterprise
Remote acquisition features
Remote data acquisition of a computer’s media and RAM data
Integration with intrusion detection system (IDS) tools
Options to create an image of data from one or more systems
Preview of systems
A wide range of file system formats
RAID support for both hardware and software
Remote Acquisition with R-Tools R-Studio
R-Tools suite of software is designed for data recovery
Remote connection uses Triple Data Encryption Standard (3DES) encryption
Creates raw format acquisitions
Supports various file systems
Using Other Forensics-Acquisition Tools
Tools
SnapBack DatArrest
SafeBack
DIBS USA RAID
ILook Investigator IXimager
Vogon International SDi32
ASRData SMART
Australian Department of Defence PyFlag
SnapBack DatArrest
Columbia Data Products
Old MS-DOS tool
Can make an image in three ways
Disk to SCSI drive
Disk to network drive
Disk to disk
Fits on a forensic boot floppy
SnapCopy adjusts disk geometry
NTI SafeBack
Reliable MS-DOS tool
Small enough to fit on a forensic boot floppy
Performs a SHA-256 calculation per sector copied
Creates a log file
Functions
Disk-to-image copy (image can be on tape)
Disk-to-disk copy (adjusts target geometry)
Parallel port laplink can be used
Copies a partition to an image file
Compresses image files