Computer Forensics Analysis and
Validation
Objectives
• Determine what data to analyze in a computer
forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques
• Describe methods of performing a remote
acquisition
Determining What Data to Collect
and Analyze
Determining What Data to Collect and
Analyze
• Examining and analyzing digital evidence depends
on:
– Nature of the case
– Amount of data to process
– Search warrants (an official written statement) and
court orders
– Company policies
• Scope creep
– Investigation expands beyond the original description
Approaching Computer Forensics
Cases
• Some basic principles apply to almost all computer
forensics cases
– The approach you take depends largely on the
specific type of case you’re investigating
• Basic steps for all computer forensics
investigations
– For target drives, use only recently wiped media that
have been reformatted and inspected for computer
viruses
Approaching Computer Forensics
Cases (continued)
• Basic steps for all computer forensics
investigations (continued)
– Inventory the hardware on the suspect’s computer
and note the condition of the computer when seized
– Remove the original drive from the computer
• Check date and time values in the system’s CMOS
– Record how you acquired data from the suspect
drive
– Process the data methodically and logically
Approaching Computer Forensics
Cases (continued)
• Basic steps for all computer forensics
investigations (continued)
– List all folders and files on the image or drive
– If possible, examine the contents of all data files in
all folders
• Starting at the root directory of the volume partition
– For all password-protected files that might be related
to the investigation
• Make your best effort to recover file contents
Approaching Computer Forensics
Cases (continued)
• Basic steps for all computer forensics
investigations (continued)
– Identify the function of every executable (binary
or .exe) file that doesn’t match known hash values
– Maintain control of all evidence and findings, and
document everything as you progress through your
examination
Refining and Modifying the
Investigation Plan
• Considerations
– Determine the scope of the investigation
– Determine what the case requires
– Whether you should collect all information
– What to do in case of scope creep
• The key is to start with a plan but remain flexible in
the face of new evidence
Using AccessData Forensic Toolkit to
Analyze Data
• Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
• FTK can analyze data from several sources, including image files
from other vendors
• FTK produces a case log file (a record of events)
• Searching for keywords
– Indexed search: allows fast searching based on keywords; FTK
automatically indexes your evidence while the case is being
processed
– Live search: a time-consuming process involving an item-by-item
comparison with the search term
• Supports options and advanced searching techniques, such as
stemming (finds variations on word endings, e.g. applies, applied
and applying, in a search for apply)
Indexed Search, Index search options, Live search (screenshot slides; images not reproduced)
Using AccessData Forensic Toolkit to
Analyze Data (continued)
• Analyzes compressed files
• You can generate reports
– Using bookmarks (for quick access)
Validating Forensic Data
Validation and Verification
• Validation is the process of checking whether the
specification captures the customer's needs, while
verification is the process of checking that the
software meets the specification.
• Validation uses methods such as black box (functional)
testing, gray box testing, and white box
(structural) testing. Verification is to check
whether the soft
Verification: Are we building the product right?
Validation: Are we building the right product?
According to the Capability Maturity Model (CMM)
• Software Validation: The process of evaluating
software during or at the end of the development
process to determine whether it satisfies specified
requirements.
• Software Verification: The process of evaluating
software to determine whether the products of a
given development phase satisfy the conditions
imposed at the start of that phase.
Validating Forensic Data
• One of the most critical aspects of computer
forensics
• Ensuring the integrity of data you collect is
essential for presenting evidence in court.
• Most computer forensic tools provide automated
hashing of image files
• Computer forensics tools have some limitations in
performing hashing (the process of converting a given
key into another value)
• Hashing is the process of converting a given key
into another value. A hash function is used to
generate the new value according to a
mathematical algorithm. The result of a hash
function is known as a hash value or simply, a
hash.
Validating with Hexadecimal Editors
• Advanced hexadecimal editors offer many features
not available in computer forensics tools
– Such as hashing specific files or sectors
• Hex Workshop provides several hashing algorithms
– Such as MD5 and SHA-1
• Hex Workshop also generates the hash value of
selected data sets in a file or sector
Validating with Hexadecimal Editors (continued): screenshot slides, images not reproduced
Validating with Hexadecimal Editors
(continued)
• Using hash values to discriminate data
– AccessData has a separate database, the Known
File Filter (KFF)
• Filters known program files from view, such as
MSWord.exe, and identifies known illegal files, such
as child pornography
– KFF compares known file hash values to files on
your evidence drive or image files
– Periodically, AccessData updates these known file hash
values and posts an updated KFF
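A known-file filter reduces to hashing every file and looking the digest up in a known-good set (hide from view) and a known-bad set (raise an alert); anything else goes into the examiner's review queue. The Python below is an added example of that workflow and is not AccessData code: the hash sets are built from constructed file contents (no real KFF or NSRL data), and the evidence paths are hypothetical.

```python
import hashlib

# Constructed stand-in for a KFF-style database. The digests are computed
# from constructed contents so the example runs offline; a real known-file
# database (AccessData KFF, NIST NSRL) holds millions of entries.
KNOWN_GOOD_CONTENT = {
    "notepad.exe": b"MZ\x90\x00constructed known-good program bytes",
    "kernel32.dll": b"MZ\x90\x00constructed known-good library bytes",
}
KNOWN_BAD_CONTENT = {
    "contraband-0001.jpg": b"\xff\xd8\xff\xe0constructed known-illegal file bytes",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_hash_set(named_contents):
    """Map SHA-1 hex digest -> reference filename, i.e. a KFF-style lookup table."""
    return {sha1_hex(content): name for name, content in named_contents.items()}


KNOWN_GOOD = build_hash_set(KNOWN_GOOD_CONTENT)
KNOWN_BAD = build_hash_set(KNOWN_BAD_CONTENT)


def classify_files(evidence, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Return {path: (verdict, sha1, reference_name)}.

    verdict is "ignore" (known good), "alert" (known bad) or "review" (unknown).
    Matching is by content hash only, so a renamed or re-extensioned file is
    still recognised. Known-bad is checked first so a collision of sets errs
    on the side of alerting.
    """
    results = {}
    for path, content in evidence.items():
        digest = sha1_hex(content)
        if digest in known_bad:
            results[path] = ("alert", digest, known_bad[digest])
        elif digest in known_good:
            results[path] = ("ignore", digest, known_good[digest])
        else:
            results[path] = ("review", digest, None)
    return results


def review_queue(results):
    """Paths whose hash matched nothing: these still need manual examination."""
    return sorted(path for path, (verdict, _, _) in results.items() if verdict == "review")


# Constructed evidence set (hypothetical paths). The renamed known-good binary
# and the renamed known-bad image are both recognised by hash; the copy of the
# known-bad file that differs by one byte is NOT, which is the limit of exact
# hash filtering.
EVIDENCE = {
    "C:/Windows/notepad.exe": KNOWN_GOOD_CONTENT["notepad.exe"],
    "C:/Users/suspect/Documents/readme.txt": KNOWN_GOOD_CONTENT["notepad.exe"],
    "C:/Users/suspect/Pictures/vacation.jpg": KNOWN_BAD_CONTENT["contraband-0001.jpg"],
    "C:/Users/suspect/Pictures/vacation2.jpg": KNOWN_BAD_CONTENT["contraband-0001.jpg"][:-1] + b"!",
    "C:/Users/suspect/Downloads/tool.exe": b"MZ\x90\x00constructed unknown program bytes",
}

if __name__ == "__main__":
    results = classify_files(EVIDENCE)
    for path, (verdict, digest, ref) in results.items():
        note = f"  (matches {ref})" if ref else ""
        print(f"{verdict:6} {digest[:12]}  {path}{note}")
    print("review queue:", review_queue(results))
```

The one-byte-different copy landing in the review queue is the practical caveat: a hash set only filters exact matches, so a trivially edited file must still be examined.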
Validating with Computer Forensics
Programs
• Commercial computer forensics programs have built-in
validation features
• ProDiscover’s .eve (EmbeddedVectorEditor) files contain
metadata that includes the hash value
– Validation is done automatically
• Raw format image files (.dd extension) don’t contain
metadata
– So you must validate raw format image files manually to
ensure the integrity of data
Note: .eve files are also used by general-purpose applications for drawing
vector diagrams
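A raw .dd image carries no embedded hash, so the examiner records the hash at acquisition time and recomputes it on every working copy; the same manual check is needed when the acquisition tool produces no hash at all. The Python below is an added example and is not ProDiscover, FTK or Hex Workshop code: it streams an image through MD5 and SHA-1 (the algorithms the deck names), hashes a selected sector range as a hex editor's sector-hash feature does, and compares the result against the recorded values. The image contents, the 512-byte sector size and the "recorded" hashes are constructed or assumed.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumption: 512-byte sectors, the usual case for .dd images


def hash_image(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Stream the whole raw image once and return {algorithm: hexdigest}."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_sectors(path, first_sector, count, algorithm="sha1", sector_size=SECTOR_SIZE):
    """Hash a contiguous sector range, e.g. a boot sector or a suspect cluster run."""
    h = hashlib.new(algorithm)
    remaining = count * sector_size
    with open(path, "rb") as f:
        f.seek(first_sector * sector_size)
        while remaining:
            chunk = f.read(min(remaining, 1 << 20))
            if not chunk:
                raise ValueError("sector range runs past the end of the image")
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def validate_image(path, recorded):
    """Compare the image against the hashes written down at acquisition.

    recorded: {"md5": "...", "sha1": "..."} from the acquisition notes.
    Returns (all_match, {algorithm: matched}, computed_digests).
    """
    computed = hash_image(path, tuple(recorded))
    matches = {alg: computed[alg] == recorded[alg].lower() for alg in recorded}
    return all(matches.values()), matches, computed


def build_constructed_image(sectors=64):
    """Constructed stand-in for a .dd image: sector i is filled with byte i."""
    return b"".join(bytes([i % 256]) * SECTOR_SIZE for i in range(sectors))


def self_check():
    """Write the constructed image, validate it, flip one byte, validate again."""
    data = build_constructed_image()
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        recorded = hash_image(path)  # stands in for the hashes in the acquisition notes
        clean_ok, _, _ = validate_image(path, recorded)
        # sector-range hash must equal the hash of exactly those bytes
        expected = hashlib.sha1(data[3 * SECTOR_SIZE:5 * SECTOR_SIZE]).hexdigest()
        sector_ok = hash_sectors(path, 3, 2) == expected
        # tamper with a single byte in the middle of the image
        tampered = bytearray(data)
        tampered[10 * SECTOR_SIZE + 7] ^= 0x01
        with open(path, "wb") as f:
            f.write(tampered)
        tampered_ok, per_alg, _ = validate_image(path, recorded)
        return {"clean_ok": clean_ok, "sector_ok": sector_ok,
                "tampered_ok": tampered_ok, "tampered_per_alg": per_alg}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(self_check())
```

Recording two independent digests costs little and lets the validation survive a later challenge to one algorithm; the single flipped byte changes both, which is why a validation failure is always a stop-and-investigate event rather than a warning.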
Addressing Data-hiding
Techniques
Addressing Data-hiding Techniques
• File manipulation
– Filenames and extensions
– Hidden property
• Disk manipulation
– Hidden partitions
– Bad clusters
• Encryption
– Bit shifting
– Steganography
Hiding Partitions
• We can create a partition and then hide it using a
disk editor.
• We can get access to hidden partitions using tools
such as:
– Gdisk (Ghost’s disk)
– PartitionMagic
– System Commander
– LILO (Linux Loader)
Hiding Partitions (continued): screenshot slides, images not reproduced
Marking Bad Clusters
• Common with FAT systems
• Place sensitive information on free space
• Use a disk editor to mark space as a bad cluster
• To mark a good cluster as bad using Norton Disk
Edit
– Type B in the FAT entry corresponding to that cluster
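To find clusters that were marked bad in order to hide data, the examiner reads the FAT directly instead of trusting the file system driver, which skips bad clusters. The Python below is an added example and not code from any tool the deck names: it builds a small constructed FAT16 volume, reads the BIOS parameter block to locate the FAT and the data area, lists clusters whose FAT entry carries the bad-cluster marker (0xFFF7 on FAT16, which is what typing B in a FAT entry in a disk editor produces), and reports whether those clusters actually contain data. The geometry and the hidden text are constructed.

```python
import struct

FAT16_BAD = 0xFFF7  # FAT16 bad-cluster marker (FAT12 uses 0xFF7, FAT32 0x0FFFFFF7)

# Constructed geometry: 512-byte sectors, 1 sector per cluster, 1 reserved
# sector, one FAT of 1 sector, 16 root entries (one sector), 16 sectors total.
BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, TOTAL_SECTORS, SPF = 512, 1, 1, 1, 16, 16, 1


def parse_bpb(img):
    """Read the BIOS parameter block fields needed to locate the FAT and data area."""
    bps, = struct.unpack_from("<H", img, 11)
    spc = img[13]
    reserved, = struct.unpack_from("<H", img, 14)
    nfats = img[16]
    root_entries, = struct.unpack_from("<H", img, 17)
    total_sectors, = struct.unpack_from("<H", img, 19)
    spf, = struct.unpack_from("<H", img, 22)
    fat_offset = reserved * bps
    root_offset = fat_offset + nfats * spf * bps
    data_offset = root_offset + root_entries * 32
    cluster_size = spc * bps
    cluster_count = (total_sectors * bps - data_offset) // cluster_size
    return {"fat_offset": fat_offset, "fat_bytes": spf * bps,
            "data_offset": data_offset, "cluster_size": cluster_size,
            "cluster_count": cluster_count}


def cluster_offset(geo, n):
    """Byte offset of data cluster n (numbering starts at 2 on FAT volumes)."""
    if n < 2 or n >= 2 + geo["cluster_count"]:
        raise ValueError(f"cluster {n} lies outside the data area")
    return geo["data_offset"] + (n - 2) * geo["cluster_size"]


def read_cluster(img, geo, n):
    off = cluster_offset(geo, n)
    return bytes(img[off:off + geo["cluster_size"]])


def find_bad_clusters(img):
    """Cluster numbers whose FAT entry carries the bad-cluster marker."""
    geo = parse_bpb(img)
    entries = struct.unpack_from("<%dH" % (geo["fat_bytes"] // 2), img, geo["fat_offset"])
    return [n for n, v in enumerate(entries)
            if v == FAT16_BAD and 2 <= n < 2 + geo["cluster_count"]]


def triage_bad_clusters(img):
    """For every bad-marked cluster, count non-zero bytes and keep a short preview.

    A cluster marked bad yet full of readable content is the signature of the
    hiding technique; a genuinely defective cluster is usually empty or unreadable.
    """
    geo = parse_bpb(img)
    report = {}
    for n in find_bad_clusters(img):
        data = read_cluster(img, geo, n)
        report[n] = {"nonzero_bytes": sum(1 for b in data if b),
                     "preview": data.rstrip(b"\x00")[:32]}
    return report


def build_constructed_fat16_image():
    """Tiny FAT16 volume with clusters 5 and 9 marked bad; cluster 5 holds hidden text."""
    img = bytearray(TOTAL_SECTORS * BPS)
    img[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<H", img, 11, BPS)
    img[13] = SPC
    struct.pack_into("<H", img, 14, RESERVED)
    img[16] = NFATS
    struct.pack_into("<H", img, 17, ROOT_ENTRIES)
    struct.pack_into("<H", img, 19, TOTAL_SECTORS)
    struct.pack_into("<H", img, 22, SPF)
    img[510:512] = b"\x55\xAA"
    fat_off = RESERVED * BPS
    # entries 0 and 1 are reserved; cluster 2 is a one-cluster file; 5 and 9 are "bad"
    for cluster, value in {0: 0xFFF8, 1: 0xFFFF, 2: 0xFFFF, 5: FAT16_BAD, 9: FAT16_BAD}.items():
        struct.pack_into("<H", img, fat_off + 2 * cluster, value)
    payload = b"CONSTRUCTED SECRET"  # constructed hidden data
    off = cluster_offset(parse_bpb(img), 5)
    img[off:off + len(payload)] = payload
    return bytes(img)


if __name__ == "__main__":
    image = build_constructed_fat16_image()
    print("bad-marked clusters:", find_bad_clusters(image))
    for n, info in triage_bad_clusters(image).items():
        print(f"cluster {n}: {info['nonzero_bytes']} non-zero bytes, preview {info['preview']!r}")
```

Cluster 9 shows up as marked bad but empty, cluster 5 as marked bad but carrying text; only the second needs the examiner's attention, and a read test of the underlying sectors settles whether the marking was genuine.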
Bit-shifting
• Old technique
• Shift bit patterns to alter byte values of data
• Make files look like binary executable code
• Tool
– Hex Workshop
Bit-shifting (continued): screenshot slides, images not reproduced
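Bit-shifted data is recognised and reversed by trying each candidate shift and scoring how printable the result is: the shifted file scores like binary junk, the correctly unshifted one like text. The Python below is an added example, not Hex Workshop code; it treats the file as a single bit stream rotated across byte boundaries, which is an assumption about how the shift was applied, and the sample text is constructed.

```python
import string

PRINTABLE = set(string.printable.encode("ascii"))


def rotate_bitstream(data: bytes, n: int) -> bytes:
    """Rotate the whole byte string as one bit stream.

    Positive n rotates left, negative n rotates right; bits crossing a byte
    boundary move into the neighbouring byte, as a disk-editor bit shift does.
    """
    if not data:
        return data
    total = len(data) * 8
    n %= total
    value = int.from_bytes(data, "big")
    rotated = ((value << n) | (value >> (total - n))) & ((1 << total) - 1)
    return rotated.to_bytes(len(data), "big")


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; near 1.0 for plain text."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def best_unshift(data: bytes, max_shift: int = 7):
    """Try right-rotations of 0..max_shift bits; return (shift, ratio, candidate).

    The shift that yields the highest printable ratio is the most likely
    amount the data was shifted by; ratio stays low if no shift fits.
    """
    best = None
    for k in range(max_shift + 1):
        candidate = rotate_bitstream(data, -k)
        ratio = printable_ratio(candidate)
        if best is None or ratio > best[1]:
            best = (k, ratio, candidate)
    return best


# Constructed sample: plain text, then the same text shifted left by one bit.
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 4
SHIFTED_SAMPLE = rotate_bitstream(SAMPLE_TEXT, 1)

if __name__ == "__main__":
    print("shifted printable ratio: %.2f" % printable_ratio(SHIFTED_SAMPLE))
    shift, ratio, recovered = best_unshift(SHIFTED_SAMPLE)
    print(f"best right-shift {shift} bits, printable ratio {ratio:.2f}")
    print(recovered[:45])
```

An arbitrary high-entropy file gives no shift with a high ratio, so the scoring doubles as a quick test of whether an unknown blob is bit-shifted text at all.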
Using Steganography to Hide Data
• Greek for “hidden writing”
• Steganography tools were created to protect
copyrighted material
– By inserting digital watermarks into a file
• Suspect can hide information on image or text
document files
– Most steganography programs can insert only small
amounts of data into a file
• Very hard to spot without prior knowledge
• Tools: S-Tools, DPEnvelope, jpgx, and tte
Examining Encrypted Files
• Prevent unauthorized access
– Employ a password or passphrase
• Recovering data is difficult without password
– Key escrow
• Designed to recover encrypted data if users forget
their passphrases or if the user key is corrupted after
a system failure
– Cracking password
• Expert and powerful computers
– Persuade suspect to reveal password
Recovering Passwords
• Techniques
– Dictionary attack (a method of breaking into a password-protected computer
or server by systematically entering every word in a dictionary as the
password)
– Brute-force attack (a cryptographic attack that relies on guessing possible
combinations of a targeted password until the correct password is discovered)
– Password guessing based on the suspect’s profile (password guessing is an
online technique that involves attempting to authenticate as a particular user
to the system)
• Tools
– AccessData PRTK
– Advanced Password Recovery Software Toolkit
– John the Ripper
Note: Password cracking refers to an offline technique in which the attacker has gained
access to the password hashes or database
Recovering Passwords (continued)
• Using AccessData tools with passworded and
encrypted files
– AccessData offers a tool called Password Recovery
Toolkit (PRTK)
• Can create possible password lists from many
sources
– Can create your own custom dictionary based on
facts in the case
– Can create a suspect profile and use biographical
information to generate likely passwords
Word List
• FTK finds all strings in the data and makes a Word List from them
Recovering Passwords (continued): screenshot slides, images not reproduced
Recovering Passwords (continued)
• Using AccessData tools with passworded and
encrypted files (continued)
– FTK can identify known encrypted files and those
that seem to be encrypted
• And export them
– You can then import these files into PRTK and
attempt to crack them
Recovering Passwords (continued): screenshot slide, image not reproduced
Performing Remote Acquisitions
Performing Remote Acquisitions
• Remote acquisitions are handy when you need to
image the drive of a computer far away from your
location
– Or when you don’t want a suspect to be aware of an
ongoing investigation
Remote Acquisitions with Runtime
Software
• Runtime Software offers the following shareware
programs for remote acquisitions:
– DiskExplorer for FAT
– DiskExplorer for NTFS
– HDHOST
• Preparing DiskExplorer and HDHOST for remote
acquisitions
– Requires the Runtime Software, a portable media
device (USB thumb drive or floppy disk), and two
networked computers
Remote Acquisitions with Runtime
Software (continued)
• Making a remote connection with DiskExplorer
– Requires running HDHOST on a suspect’s computer
– To establish a connection with HDHOST, the
suspect’s computer must be:
• Connected to the network
• Powered on
• Logged on to any user account with permission to run
noninstalled applications
– HDHOST can’t be run surreptitiously
Remote Acquisitions with Runtime Software (continued): screenshot slides, images not reproduced
• Making a remote acquisition with DiskExplorer
– After you have established a connection with
DiskExplorer from the acquisition workstation
• You can navigate through the suspect computer’s files
and folders or copy data
– The Runtime tools don’t generate a hash for
acquisitions
Remote Acquisitions with Runtime Software (continued): screenshot slide, image not reproduced