Bruce Nikkel 2_1_acquisition_tools.pdf


File details

Flashcards 15
Language English
Category Computer science
Level University
Created / Updated 20.06.2019 / 02.07.2021
Web link
https://card2brain.ch/box/20190620_bruce_nikkel_41partitionanalysis_pdf_wIla

What is important for a "forensically sound" acquisition according to the NIST Computer Forensic Tool Testing (CFTT) standard?

  • completeness - every (accessible) sector of a drive
  • sector zero to sector n (last sector of drive)
  • no modification of evidence drive
  • report/log all I/O errors
  • tool user documentation must be correct

What is done to preserve the integrity of evidence, and why is it done?

Can be a separate step, or is built into forensic tools

Data integrity is guaranteed through cryptographic hashes.

  • These can be validated at a later time
  • changing one single bit is detected
  • piece-wise hashing can also be done where the hash of individual files, data blobs, etc... is taken.

What commands can you use to double-check the evidence drive?

  • lshw -class disk
  • lspci
  • lsusb
  • lsscsi
  • lsblk
  • dmesg

What information about an evidence drive is taken?

  • photograph of drive
  • S.M.A.R.T data
  • hdparm -I /dev/sda
  • smartctl -x /dev/sda

Smart data is digital information that is formatted so it can be acted upon at the collection point before being sent to a downstream analytics platform for further data consolidation and analytics.

What should you always do when dealing with an evidence drive?

Always double-check source and destination devices!!!

What does the dd command do?

The dd command:

  • copies data blocks from input to output
  • can be used to copy disk sectors to file
  • don't forget: no file copying, but sector copying

Basic syntax

  • dd if=myinputfile of=myoutputfile

Copying disk sectors:

  • dd if=/dev/sda of=myoutputfile

DD = "Dangerous and Deadly"

What are some forensic variations of the dd command, and what additional features do they have?

Forensic acquisition tools based on dd:

  • dcfldd
  • dc3dd

Additional features they include:

  • cryptographic hashing
  • improved error handling
  • logging of errors and activity
  • performance optimization
  • hash verification checking
  • live progress monitoring

What is done when forensic images are made?

Forensic images are HUGE

  • plan carefully, they can take hours or days
  • forensic file formats have compression
  • dd has no compression, but its output can be piped into gzip; there is then no seeking

Seeking = searching


What filesystem can be used for images and what are the advantages of it?

Squashfs: compressed file system

  • built into kernel, multithreaded - fast
  • forensic friendly - can add files, but not delete or modify
  • easy and safe to mount as filesystem
  • block level compression
  • huge file sizes

What characteristics are needed for forensic image formats?

Forensics needs more than just raw images:

  • compression
  • split files (pieces)
  • security (encrypted images)
  • builtin hashes, logs
  • possible to add meta data
  • some are not just drive images

What are some popular forensic formats?

  • EnCase EWF - commercial format (oldest, "Expert Witness")
  • FTK SMART - commercial format
  • Afflib - open source, "Advanced Forensic Format"

How can you validate the integrity of evidence?

  • store hashes separately
  • confirm hashes
  • hash windows (possibly built into the file format)
  • split files

What can cause errors in the image acquisition?

  • heat
  • old failing disks, bad blocks
  • read sectors backward
  • kernel errors (dmesg, journalctl)
  • bad cables

What is a write blocker and what does it do?

Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.

Write blockers do:

  • intercept dangerous commands sent to drive (ATA/SCSI/NVME)
  • hardware protection against writing
  • software write blockers also exist (hard to maintain and guarantee)
  • Linux kernel flags to set a block device read-only

Why are write blockers used?

Write blockers are used because:

  • automated OS processes can write to the disk, which is not wanted (indexing, auto-mounting, AV scans, filesystem journals being written out, RAID reassembly)
  • Human error (wrong commands, drag and drop, mistakes) could cause the modification of the evidence
  • Write blockers are part of the standard forensic process.