Lecture #32: Forensic Duplication
Dr.Ramchandra Mangrulkar
October 8, 2020
Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 1 / 19
Forensic Duplication
1. During an incident, a significant amount of data is gathered,
preserved, cataloged, and analyzed.
2. The most comprehensive source of information is a forensic
image of an affected or suspect computer system.
3. This lecture covers the processes, formats, and tools the forensic
community uses to properly duplicate data.
4. A court may find the best available duplication acceptable
and render it admissible.
Types of Forensic Duplication
A simple duplication consists of making a copy of specific data.
The data may consist of a single file, a group of files, a partition
on a hard drive, an entire hard drive, or other elements of data
storage devices and the information stored on them.
A forensic duplication is an accurate copy of data that is created
with the goal of being admissible as evidence in legal
proceedings. Furthermore, we define forensic duplication as an
image of every accessible bit from the source medium.
Characteristics of Forensic Duplication Tools
The tool must be able to image or account for every bit of accessible
data on the storage medium.
It must create a forensic duplicate of the original storage medium.
It must handle read errors in a robust and graceful manner.
The process must not make any changes to the original storage
medium.
It must generate results that are repeatable and verifiable by a
third party.
It must generate logs that detail the actions requested and any
errors encountered.
Forensic Image Formats
IR teams will create and process three primary types of forensic
images:
Complete Disk Image
Partition Image
Logical Image
Complete Disk Image
A “complete disk image” is intended to duplicate every
addressable allocation unit on the storage medium.
It includes Host Protected Areas (HPAs) and Device Configuration
Overlays (DCOs).
In a complete disk image, the output file contains every allocation
unit, or sector, accessible to the imaging software.
Overview of the Disk Areas
A service area is a logical area on the hard drive (residing on the
platters) set aside by hard-drive vendors for internally managing the
drive. These areas are outside the hard drive’s Logical Block Address
(LBA) space and as such are non-addressable and inaccessible via the
standard ATA commands. The service area contains both code and
data modules, such as defect management modules, SMART data
modules, self-test modules and much more.
Disk Areas
Disk Firmware Area (DPA)
The firmware is composed of a series of modules. Examples are:
SECU (Security System Module), P-List, G-List, T-List, SMART
Attributes, and U-List (Firmware Zone Translator).
The Host Protected Area (HPA)
is used to hold diagnostics and other utilities required by the
manufacturer, such as the boot sector, the user-addressable
sectors, the start of the reserved area, and the boot code.
A Device Configuration Overlay (DCO) is similar to the HPA,
but is used by manufacturers to configure drive sizes and
to enable and disable features on the disk.
Case Study
Partition Image
Tools allow you to specify an individual partition, or volume, as the
source for an image.
A partition image is a subset of a complete disk image and
contains all of the allocation units from an individual partition
on a drive.
A partition image still affords you the opportunity to perform
low-level analysis and attempt to undelete files and examine
slack space from that partition.
Because a partition image does not capture all the data on a
drive, it is taken only under special circumstances.
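To make concrete what "a subset of a complete disk image" means, here is an added example (not code from the slides or the book they cite) that parses the MBR partition table of a constructed in-memory disk image, carves one partition's sectors out as a partition image, and lists the sectors that only the complete disk image would capture. The names build_demo_disk, parse_mbr, partition_image and uncaptured_sectors are made up for this example, and the layout assumes classic MBR partitioning rather than GPT.

```python
"""Partition image as a subset of a complete disk image.

Added example for this lecture, not code from the slides.  The disk image
is constructed in memory; real tools read it from a write-blocked drive."""
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446        # four 16-byte partition entries, bytes 446..509
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of an MBR


def parse_mbr(disk: bytes):
    """Return the non-empty primary partitions as (type, start_lba, sectors)."""
    if disk[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR-partitioned image")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        entry = disk[off:off + 16]
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        ptype = entry[4]
        start, count = struct.unpack("<II", entry[8:16])   # little-endian
        if ptype != 0 and count != 0:
            parts.append((ptype, start, count))
    return parts


def partition_image(disk: bytes, index: int) -> bytes:
    """Carve partition `index` out of the complete disk image: every
    allocation unit of that partition, nothing outside it."""
    _ptype, start, count = parse_mbr(disk)[index]
    begin, end = start * SECTOR, (start + count) * SECTOR
    if end > len(disk):
        raise ValueError("partition runs past the end of the image (truncated?)")
    return disk[begin:end]


def uncaptured_sectors(disk: bytes):
    """LBAs that no partition image would contain: the MBR itself, gaps
    between partitions and trailing unallocated space.  They exist only
    in the complete disk image, which is why that is the default."""
    covered = set()
    for _ptype, start, count in parse_mbr(disk):
        covered.update(range(start, start + count))
    return [lba for lba in range(len(disk) // SECTOR) if lba not in covered]


def build_demo_disk() -> bytes:
    """Constructed 64-sector disk.  Each sector is filled with its own LBA
    value so the result of a carve is self-describing.  Layout:
    LBA 0 MBR, 1-7 unallocated, 8-23 partition 1 (FAT32 LBA, 0x0c),
    24-31 gap, 32-55 partition 2 (Linux, 0x83), 56-63 trailing space."""
    total = 64
    disk = bytearray(total * SECTOR)
    for lba in range(total):
        disk[lba * SECTOR:(lba + 1) * SECTOR] = bytes([lba]) * SECTOR

    def entry(ptype, start, count, bootable=False):
        # CHS fields left zero: modern tools use the LBA fields only.
        return (bytes([0x80 if bootable else 0x00]) + b"\x00\x00\x00" +
                bytes([ptype]) + b"\x00\x00\x00" +
                struct.pack("<II", start, count))

    table = entry(0x0c, 8, 16, bootable=True) + entry(0x83, 32, 24) + bytes(32)
    disk[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 64] = table
    disk[510:512] = MBR_SIGNATURE
    return bytes(disk)


if __name__ == "__main__":
    disk = build_demo_disk()
    for i, (ptype, start, count) in enumerate(parse_mbr(disk)):
        img = partition_image(disk, i)
        print(f"partition {i}: type 0x{ptype:02x} LBA {start}-{start + count - 1}, "
              f"{len(img)} bytes, first/last sector tag {img[0]}/{img[-1]}")
    missing = uncaptured_sectors(disk)
    print(f"{len(missing)} of {len(disk) // SECTOR} sectors lie outside every partition")
```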
Logical Image
A logical image is less of an “image” and more of a simple copy,
and it’s the type of duplication we referred to previously as a
“simple duplication.”
Both FTK Imager and EnCase have the ability to create
evidence containers for logical files.
Image Integrity
When a forensic image is created, cryptographic checksums are
generated for two reasons.
First, when the image is taken from a drive that is offline
(static) and preserved, the hash is used to verify and
demonstrate that the forensic image is a true and accurate
representation of the original.
Second, the hash is used to detect if the data was modified since
the point of time at which the image was created.
The hash is simply used to ensure that the integrity has been
maintained throughout the life of the image.
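An added example (not code from the slides or the book they cite) of what the tool characteristics on slide 4 and the two uses of the hash on this slide look like in code: a minimal imager over a constructed in-memory device that zero-fills an unreadable sector (the effect dd's conv=noerror,sync has), computes MD5 and SHA-256 in the same pass as the copy, logs the actions and errors, and later re-hashes the image to verify it. FakeDevice, acquire, hash_image and verify_image are names made up for this example.

```python
"""Minimal forensic imager over a constructed in-memory "device".

Added example for this lecture, not code from the slides or the book they
cite.  Shows three of the tool characteristics from slide 4 (every sector
accounted for, graceful read-error handling, an action/error log) and the
two uses of the image hash from the Image Integrity slide."""
import hashlib

SECTOR = 512


class FakeDevice:
    """Constructed block device: a bytes buffer plus a set of LBAs whose
    reads fail, standing in for unreadable sectors on a real drive."""

    def __init__(self, data: bytes, bad_sectors=()):
        assert len(data) % SECTOR == 0, "device size must be whole sectors"
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, lba: int) -> bytes:
        if lba in self.bad:
            raise IOError(f"read error at LBA {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def acquire(dev: FakeDevice):
    """Copy every addressable sector of `dev` into an image.

    An unreadable sector is replaced by zeros so the image keeps the
    source geometry (the same effect as dd's conv=noerror,sync) and the
    error is logged.  MD5 and SHA-256 are computed over the image in the
    same pass, so the recorded hashes describe exactly what was written.
    Returns (image_bytes, hashes, log)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    out = bytearray()
    log = [f"acquire: {dev.sectors} sectors of {SECTOR} bytes"]
    for lba in range(dev.sectors):
        try:
            block = dev.read_sector(lba)
        except IOError as exc:
            block = b"\x00" * SECTOR
            log.append(f"ERROR {exc}; sector zero-filled in image")
        out += block
        md5.update(block)
        sha256.update(block)
    hashes = {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    log.append(f"done: md5={hashes['md5']} sha256={hashes['sha256']}")
    return bytes(out), hashes, log


def hash_image(image: bytes) -> dict:
    """Re-hash an image later, e.g. before analysis or for a third party."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}


def verify_image(image: bytes, recorded: dict) -> bool:
    """True if the image still matches the hashes recorded at acquisition."""
    return hash_image(image) == recorded


if __name__ == "__main__":
    # Constructed 8-sector drive with one unreadable sector (LBA 5).
    source = bytes(range(256)) * (8 * SECTOR // 256)
    image, hashes, log = acquire(FakeDevice(source, bad_sectors={5}))
    print("\n".join(log))
    print("image verifies:", verify_image(image, hashes))
    tampered = bytearray(image)
    tampered[100] ^= 0x01          # a single flipped bit
    print("tampered copy verifies:", verify_image(bytes(tampered), hashes))
```

The recorded hashes cover the image as written, zero-filled sector included, so a verifier who later finds a mismatch knows the image changed after acquisition, while the log shows which sectors were never readable in the first place.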
Traditional Duplication
Traditional imaging is performed on static drives (that is, hard
drives that are not part of an active, running system).[1]
Hardware Write Blockers
The best way to ensure that the source media is not modified in
any way is to use specialized hardware that prohibits write
commands from reaching the drive controller. A set of these
write blockers should be in every IR team’s kit.
The write blockers are typically protocol bridges that contain
modified firmware or an ASIC designed to intercept a subset of
the protocol’s commands.
[1] Incident Response Computer Forensics, Third Edition
Case Study
Image Creation Tools
The most common method to create a forensic duplicate is via
software. The three main tools we use are DC3dd, AccessData’s
FTK Imager, and Guidance Software’s EnCase.
dd, DCFLdd, and DC3dd
Live System Duplication
A live system duplication is defined as the creation of an image of
media in a system that is actively running.
The system may be an extremely business-critical system that
cannot be taken down.
Performing a live image will make minor modifications to the
system, but you will be able to get an image.
Be sure to document exactly what you did, including the tool
you used, the procedure you followed, what services may be
running, and the exact dates and times.
If the image is “challenged”, the challenge will usually be that you
modified the system. Such challenges are more easily refuted if
you have the proper documentation.
Duplication of Enterprise Assets
Sometimes the evidence that is part of an investigation resides on a very
large RAID, SAN, NAS, or other massive central storage system.
It is then infeasible to make a complete duplicate of the entire original
source due to the sheer volume of data or the complexity of the
storage configuration.
Instead, formulate an appropriate plan to create a logical copy of only the
relevant data.
Rigor, ethics, wellbeing and resilience in the ICT doctoral journey
Yannis
 
11th International Conference on Data Mining (DaMi 2025)
11th International Conference on Data Mining (DaMi 2025)11th International Conference on Data Mining (DaMi 2025)
11th International Conference on Data Mining (DaMi 2025)
kjim477n
 
Flow Chart Proses Bisnis prosscesss.docx
Flow Chart Proses Bisnis prosscesss.docxFlow Chart Proses Bisnis prosscesss.docx
Flow Chart Proses Bisnis prosscesss.docx
rifka575530
 
operationg systemsdocumentmemorymanagement
operationg systemsdocumentmemorymanagementoperationg systemsdocumentmemorymanagement
operationg systemsdocumentmemorymanagement
SNIGDHAAPPANABHOTLA
 
Montreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) Project
Montreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) ProjectMontreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) Project
Montreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) Project
Alexandra N. Martinez
 
Computer_vision-photometric_image_formation.pdf
Computer_vision-photometric_image_formation.pdfComputer_vision-photometric_image_formation.pdf
Computer_vision-photometric_image_formation.pdf
kumarprem6767merp
 
362 Alec Data Center Solutions-Slysium Data Center-AUH-ABB Furse.pdf
362 Alec Data Center Solutions-Slysium Data Center-AUH-ABB Furse.pdf362 Alec Data Center Solutions-Slysium Data Center-AUH-ABB Furse.pdf
362 Alec Data Center Solutions-Slysium Data Center-AUH-ABB Furse.pdf
djiceramil
 
Artificial Power 2025 raport krajobrazowy
Artificial Power 2025 raport krajobrazowyArtificial Power 2025 raport krajobrazowy
Artificial Power 2025 raport krajobrazowy
dominikamizerska1
 
Research_Sensitization_&_Innovative_Project_Development.pptx
Research_Sensitization_&_Innovative_Project_Development.pptxResearch_Sensitization_&_Innovative_Project_Development.pptx
Research_Sensitization_&_Innovative_Project_Development.pptx
niranjancse
 
A DECISION SUPPORT SYSTEM FOR ESTIMATING COST OF SOFTWARE PROJECTS USING A HY...
A DECISION SUPPORT SYSTEM FOR ESTIMATING COST OF SOFTWARE PROJECTS USING A HY...A DECISION SUPPORT SYSTEM FOR ESTIMATING COST OF SOFTWARE PROJECTS USING A HY...
A DECISION SUPPORT SYSTEM FOR ESTIMATING COST OF SOFTWARE PROJECTS USING A HY...
ijfcstjournal
 
362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...
362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...
362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...
djiceramil
 
362 Alec Data Center Solutions-Slysium Data Center-AUH-ABB Furse.pdf
362 Alec Data Center Solutions-Slysium Data Center-AUH-ABB Furse.pdf362 Alec Data Center Solutions-Slysium Data Center-AUH-ABB Furse.pdf
362 Alec Data Center Solutions-Slysium Data Center-AUH-ABB Furse.pdf
djiceramil
 
社内勉強会資料_Chain of Thought .
社内勉強会資料_Chain of Thought                           .社内勉強会資料_Chain of Thought                           .
社内勉強会資料_Chain of Thought .
NABLAS株式会社
 

Lecture #32: Forensic Duplication

  • 1. Lecture #32: Forensic Duplication. Dr.Ramchandra Mangrulkar Lecture #32: Forensic Duplication October 8, 2020 1 / 19
  • 2. Forensic Duplication
    1. During an incident, a significant amount of data is gathered, preserved, cataloged, and analyzed.
    2. The most comprehensive source of information is a forensic image of an affected or suspect computer system.
    3. The forensic community uses specific processes, formats, and tools to properly duplicate data.
    4. A court may find the best available duplication acceptable and render it admissible.
  • 3. Types of Forensic Duplication
    A simple duplication consists of making a copy of specific data. The data may consist of a single file, a group of files, a partition on a hard drive, an entire hard drive, or other elements of data storage devices and the information stored on them.
    A forensic duplication is an accurate copy of data that is created with the goal of being admissible as evidence in legal proceedings. Furthermore, we define forensic duplication as an image of every accessible bit from the source medium.
  • 4. Characteristics of Forensic Duplication Tools
    - ability to image or account for every bit of accessible data on the storage medium
    - must create a forensic duplicate of the original storage medium
    - must handle read errors in a robust and graceful manner
    - the process must not make any changes to the original storage medium
    - must generate results that are repeatable and verifiable by a third party
    - must generate logs that detail the actions requested and any errors encountered
  • 5. Forensics Image Format
    IR teams will create and process three primary types of forensic images: Complete Disk Image, Partition Image, Logical Image.
  • 6. Complete Disk Image
    A “complete disk image” is intended to duplicate every addressable allocation unit on the storage medium. This includes Host Protected Areas (HPAs) and Device Configuration Overlays (DCOs). In a complete disk image, the output file contains every allocation unit, or sector, accessible to the imaging software.
  • 7. Overview of the Disk Areas
    A service area is a logical area on the hard drive (residing on the platters) set aside by hard-drive vendors for internally managing the drive. These areas are outside the hard drive’s Logical Block Address (LBA) space and as such are non-addressable and inaccessible via the standard ATA commands. The service area contains both code and data modules, such as defect management modules, SMART data modules, self-test modules and much more.
  • 8. Disk Areas
    Disk Firmware Area (DPA): the firmware is composed of a series of modules. Examples are: SECU (Security System Module), P-List, G-List, T-List, SMART Attributes, and U-List (Firmware Zone Translator).
    The Host Protected Area (HPA) is used for holding diagnostics and other utilities required by the manufacturer, such as the boot sector, the user addressable sectors, the start of the reserved area, and the code for the boot.
    A Device Configuration Overlay (DCO) is similar to the HPA, but is used by manufacturers to configure drive sizes and to enable and disable features on the disk.
  • 9. Case Study
  • 10. Case Study
  • 11. Partition Image
    Tools allow you to specify an individual partition, or volume, as the source for an image. A partition image is a subset of a complete disk image and contains all of the allocation units from an individual partition on a drive.
    A partition image still affords you the opportunity to perform low-level analysis and attempt to undelete files and examine slack space from that partition. Because a partition image does not capture all the data on a drive, it is taken only under special circumstances.
  • 12. Logical Image
    A logical image is less of an “image” and more of a simple copy, and it’s the type of duplication we referred to previously as a “simple duplication.” Both FTK Imager and EnCase have the ability to create evidence containers for logical files.
  • 13. Image Integrity
    When a forensic image is created, cryptographic checksums are generated for two reasons. First, when the image is taken from a drive that is offline (static) and preserved, the hash is used to verify and demonstrate that the forensic image is a true and accurate representation of the original. Second, the hash is used to detect whether the data was modified since the point in time at which the image was created. The hash is simply used to ensure that integrity has been maintained throughout the life of the image.
  • 14. Traditional Duplication [1]
    Traditional imaging is performed on static drives (that is, hard drives that are not part of an active, running system).
    Hardware Write Blockers: the best way to ensure that the source media is not modified in any way is to use specialized hardware that prohibits write commands from reaching the drive controller. A set of these write blockers should be in every IR team’s kit. The write blockers are typically protocol bridges that contain modified firmware or an ASIC designed to intercept a subset of the protocol’s commands.
    [1] Incident Response & Computer Forensics, Third Edition
  • 15. Case Study
  • 16. Case Study
  • 17. Image Creation Tools
    The most common method to create a forensic duplicate is via software. The three main tools we use are DC3dd, AccessData’s FTK Imager, and Guidance Software’s EnCase.
    dd, DCFLdd, and DC3dd
  • 18. Live System Duplication
    A live system duplication is defined as the creation of an image of media in a system that is actively running. The system may be an extremely business-critical system that cannot be taken down. Performing a live image will make minor modifications to the system, but you will be able to get an image. Be sure to document exactly what you did, including the tool you used, the procedure you followed, what services may be running, and the exact dates and times. If “challenged”, the fact that you modified the system. Such challenges are more easily refuted if you have the proper documentation.
  • 19. Duplication of Enterprise Asset
    The evidence that is part of an investigation may reside on a very large RAID, SAN, NAS, or other massive central storage system. It’s infeasible to make a complete duplicate of the entire original source due to the sheer volume of data or the complexity of the storage configuration. Formulate an appropriate plan to create a logical copy of only the relevant data.
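The acquisition behaviour that slides 4 and 13 describe, as an added example that is not the lecture's code nor that of any tool it names: a small Python acquisition loop over a constructed source medium that accounts for every sector, zero-fills a sector it cannot read (what dd does with conv=noerror,sync) so the image stays aligned, logs each action and error, and records a SHA-256 hash that a later verify() checks. SourceMedium, acquire, verify and SAMPLE are hypothetical names.

```python
"""Acquisition loop model (added example, not the lecture's code): account for
every sector, zero-fill unreadable ones (as dd conv=noerror,sync does) so the
image stays aligned, log actions and errors, record a SHA-256 for later
verification (slides 4 and 13)."""
import hashlib
from typing import List, Set, Tuple

SECTOR = 512

class SourceMedium:
    """Constructed stand-in for a static drive behind a write blocker."""
    def __init__(self, data: bytes, bad: Set[int]):
        self.data, self.bad = data, bad   # `bad`: sectors that fail to read

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"unreadable sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]

def acquire(src: SourceMedium) -> Tuple[bytes, str, List[str]]:
    """Read every sector, zero-fill unreadable ones; return image, hash, log."""
    log = [f"acquire: {src.sectors} sectors of {SECTOR} bytes"]
    h = hashlib.sha256()
    image = bytearray()
    for n in range(src.sectors):
        try:
            block = src.read_sector(n)
        except IOError as e:
            # Graceful handling: note the error, keep the offset, continue.
            log.append(f"error: {e}; wrote {SECTOR} zero bytes at sector {n}")
            block = b"\x00" * SECTOR
        h.update(block)
        image += block
    log.append(f"done: sha256={h.hexdigest()}")
    return bytes(image), h.hexdigest(), log

def verify(image: bytes, recorded_sha256: str) -> bool:
    """Re-hash a stored image; compare with the hash recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == recorded_sha256

# Constructed sample: four sectors of pattern data, sector 2 unreadable.
SAMPLE = SourceMedium(bytes(range(256)) * 8, bad={2})
```

Running acquire(SAMPLE) twice yields the same hash, which is the repeatability slide 4 asks for; flipping one bit of the stored image makes verify() fail, which is the second use of the hash on slide 13.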
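To make slide 11's "subset of a complete disk image" concrete, an added example that is not from the lecture: parsing a classic MBR partition table and carving one partition's sectors out of a constructed 32-sector disk image. parse_mbr, partition_image and build_sample_disk are hypothetical names, and GPT-partitioned disks are not handled.

```python
"""Partition image carved from a complete disk image (added example, not the
lecture's code). Only the sectors the partition table assigns to one partition
are kept; the MBR, the gap before it and unpartitioned tail sectors are not,
which is why slide 11 calls it a subset. Classic MBR only; GPT not handled."""
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446   # four 16-byte entries, then the 0x55AA signature
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY = struct.Struct("<B3sB3sII")

def parse_mbr(disk: bytes):
    """Return [(index, type, lba_start, sector_count)] for non-empty entries."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    parts = []
    for i in range(4):
        _status, _, ptype, _, start, count = ENTRY.unpack_from(
            disk, MBR_TABLE_OFFSET + 16 * i)
        if ptype != 0 and count != 0:
            parts.append((i, ptype, start, count))
    return parts

def partition_image(disk: bytes, index: int) -> bytes:
    """Extract the allocation units belonging to partition `index`."""
    for i, _, start, count in parse_mbr(disk):
        if i == index:
            end = (start + count) * SECTOR
            if end > len(disk):
                raise ValueError("partition extends past end of disk image")
            return disk[start * SECTOR:end]
    raise ValueError(f"no partition at index {index}")

def build_sample_disk() -> bytes:
    """Constructed 32-sector disk: MBR, 7-sector gap, a 16-sector type-0x83
    partition at LBA 8, then 8 unpartitioned sectors."""
    mbr = bytearray(SECTOR)
    ENTRY.pack_into(mbr, MBR_TABLE_OFFSET, 0x80, b"\0\0\0", 0x83, b"\0\0\0", 8, 16)
    mbr[510:512] = b"\x55\xaa"
    gap = b"\x00" * (7 * SECTOR)
    part = bytes(n % 251 for n in range(16 * SECTOR))
    tail = b"\xff" * (8 * SECTOR)
    return bytes(mbr) + gap + part + tail
```

The carved image is exactly half the constructed disk: the unpartitioned 0xFF tail and the MBR are what a partition image gives up, and what a complete disk image (slide 6) keeps.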