Bruce Nikkel 2_1_acquisition_tools.pdf
Card set details
Cards | 15 |
---|---|
Language | English |
Category | Computer science |
Level | University |
Created / Updated | 20.06.2019 / 02.07.2021 |
Licensing | Not specified |
Weblink | https://card2brain.ch/box/20190620_bruce_nikkel_41partitionanalysis_pdf_wIla |
What is important for a "forensically sound" acquisition according to the NIST Computer Forensic Tool Testing (CFTT) standard?
- completeness - every (accessible) sector of a drive
- sector zero to sector n (last sector of drive)
- no modification of evidence drive
- report/log all I/O errors
- tool user documentation must be correct
What is done to preserve the integrity of evidence, and why is it done?
Can be a separate step, or is built into forensic tools.
Data integrity is guaranteed through cryptographic hashes.
- These can be validated at a later time
- changing one single bit is detected
- piece-wise hashing can also be done, where the hash of individual files, data blobs, etc. is taken
What commands can you use to double-check the evidence drive?
- lshw -class disk
- lspci
- lsusb
- lsscsi
- lsblk
- dmesg
What information about an evidence drive is taken?
- photograph of drive
- S.M.A.R.T. data
- hdparm -I /dev/sda
- smartctl -x /dev/sda
Smart data is digital information that is formatted so it can be acted upon at the collection point before being sent to a downstream analytics platform for further data consolidation and analytics.
What should you always do when dealing with an evidence drive?
Always double-check source and destination devices!!!
What does the dd command do?
The dd command:
- copies data blocks from input to output
- can be used to copy disk sectors to file
- don't forget: it copies sectors, not files
Basic syntax
- dd if=myinputfile of=myoutputfile
Copying disk sectors:
- dd if=/dev/sda of=myoutputfile
DD = "Dangerous and Deadly"
What are some forensic variations of the dd command, and what additional features do they have?
Forensic acquisition tools based on dd:
- dcfldd
- dc3dd
Additional features they include:
- cryptographic hashing
- improved error handling
- logging of errors and activity
- performance optimization
- hash verification checking
- live progress monitoring
What is done when forensic images are made?
Forensic images are HUGE
- plan carefully, they can take hours or days
- forensic file formats have compression
- dd has no compression, but its output can be piped into gzip; the resulting compressed image cannot be seeked
Seeking = jumping directly to an arbitrary offset within the image (random access)