Information Systems Security
LAW, INVESTIGATIONS AND ETHICS

Your Computer Forensic Toolkit

Kelly J. (KJ) Kuchta

Information Systems Security, September/October 2001

The last article was Part 1 of the series and was about building a computer forensics laboratory and what it should include. That article briefly discussed forensics tools that you might need. This article takes a more detailed look at the type of tools that are used in computer forensics.

In Part 1, forensic software was categorized into seven different categories: (1) imaging, (2) analysis, (3) conversion, (4) viewing, (5) monitoring, (6) security utilities, and (7) over-the-counter software. These categories will be used to define the tools in this article.

The forensic software to be reviewed here is probably used by a vast majority of computer forensic professionals, and it is the most common in the field. The latest information on Linux-based forensic tools will be provided. Most businesses use Microsoft Windows products, so the tools that are going to be reviewed will provide good results for this environment. There are also other products which are useful but will not be reviewed here because of the focus of the article and the space allotted for this topic. The areas covered will be product functionality, limitations, level of expertise required, price, and miscellaneous information needed to use the application.

New forensics software is being introduced on a weekly basis. Consequently, this article should not be considered to contain an all-inclusive list of forensics software products. I write about tools that I am familiar with. The biggest concern in using these tools should be that the user is comfortable with the results and how the product works.

The current debate among the forensic community is with point-and-click tools. Purists argue that in order to really know what is going on with tools, users must understand exactly what they are doing. The purists further argue that most users really do not know what is going on when they point and click their way around a computer forensic examination. Additionally, the professional is not encouraged to validate the results, instead relying on the output of the application. To their point, what application is bug-free? These individuals tend to prefer utilities, DOS applications, or working with applications that require a great deal of understanding about the process.

Neophytes argue that this line of thinking is out of date, pragmatic, and limiting. They argue that using point-and-click tools provides a shorter learning curve and helps bring a greater number of professionals into the field more quickly. There is also the feeling that the old guard is reluctant to change, and thereby makes claims of hypocrisy. Whatever the stance, the points that most everyone agrees on are: validate and understand results, be able to explain how the tool works, and never violate the basic principles of computer forensics. An individual who works in this area for any amount of time must be prepared to sit down in front of a client, boss, judge, or jury and explain what the tools do.

BASIC PRINCIPLES

Everything that a computer forensics professional does should be grounded in certain principles. They are:

- Never work on original evidence.
- Use tools that have been tested and are capable of replicating findings.
- Take copious notes or have tracking capabilities of all efforts.
- Strictly follow established procedures for evidence preservation.
- Maintain chain of custody.
- Use the highest standards of conduct to obtain results.

This article will focus on two of these principles. The others will be covered in subsequent articles. The principles covered here are the use of tested tools to replicate findings and preserve evidence.

I have yet to find one tool that does everything I need it to do. Some tools have multiple functions and will be mentioned throughout the article. Just as tradesmen have many tools in their toolboxes, so should users anticipate their needs and bring along familiar tools. Let's dig into the toolbox.

IMAGING

An important part of computer forensics is the acquisition and preservation of evidence. To complete this process, an application is needed that makes an exact copy of the data (or lack of data) in each sector of the targeted hard drive. This must be accomplished without changing any of the data. This process is called making an image, or producing a mirror image. The image can then be searched for items of interest, or it can be restored to another hard drive or media. Because an exact image of the suspected hard drive has been made, the restored image can be used in place of the original drive and searched without the concern of altering the original data. Some common imaging applications will be described.

SafeBack (www.forensics-intl.com)

SafeBack was originally created in 1990 and marketed by Sydex, Inc. In March 2000, New Technology, Inc. (NTI) purchased the SafeBack product and currently markets it with the rest of their products, which will be mentioned here.

Functionality
SafeBack is an MS-DOS-based program which makes an exact bit-stream image of media, like a hard drive, without altering the data. As of this article, the latest version available is 2.18. What makes SafeBack so powerful is that it is not file oriented. Therefore, it will make an image of just about any hard drive that can be read by a computer, regardless of the target system's operating system.

SafeBack has a robust audit feature that gives the user the ability to compare the original data to the copied data. The application uses both a 16-bit CRC checksum for each block of data and a 32-bit CRC checksum for the file itself to create a hash of the original evidence and of the copy. Both hashes are compared to determine that the original and the copy are exactly the same. The mathematical likelihood of getting a CRC match from different data is astronomical. This information can be saved to a file and used to verify that the data is, in fact, authentic. This process can be replicated numerous times to determine the accuracy of the data, so long as the information has not been changed. (Note: Data is easily modified. This fact will be addressed in the article on computer forensic methodology.)

Limitations
SafeBack is a non-GUI, MS-DOS application.

Level of Expertise Required
While SafeBack is not hard to use, it does require the user to have, at the very least, a basic understanding of MS-DOS.

Price
At the time of this article, the price for this single product could not be determined. Contact NTI to determine if SafeBack can be purchased separately or if it is included in their other forensics tool suites.

Miscellaneous Information
Sydex stood behind its product and its functionality. If necessary, it sent a representative to the court to substantiate the product's functionality. It is unclear whether the new owner, NTI, will continue this practice. However, NTI's track record of technology support is equally as impressive. SafeBack is an application that is well established and has been battle-tested in court. Users should feel reasonable confidence in using this product.

EnCase (www.guidancesoftware.com)

Functionality
EnCase's latest version, 2.16a, has a number of different features that make it useful. It is a Windows-based application with a GUI that gives it a polished look and feel. Forensic professionals should take advantage of its unique evidence acquisition features. The newest Professional versions can be used to acquire evidence from various operating systems, such as FAT12, FAT16, FAT32, NTFS, EXT2, CD-ROM, and Macintosh. While not having the track record of SafeBack, EnCase is a solid imaging tool. It provides an audit feature to verify and authenticate evidence. It will automatically record details about the evidence acquisition process and place them into a report format. This type of information might include drive specifics, dates and times, hash values, etc. It allows the forensic professional to create and organize the evidence file to individual preferences. A sample of the report view in EnCase version 2.14 is illustrated in Exhibit 1.

[Exhibit 1: Report View in EnCase v2.14 (screenshot not reproduced)]

Limitations
It has been reported that EnCase has some difficulty in imaging large evidence files. This limitation can be overcome by using certain techniques, and the newest version is thought to address this issue.

Level of Expertise Required
EnCase does not take a great deal of training to master the basic functionality. Persons who attend a training class and can use their newfound skills on a regular basis can quickly contribute to your practice. Guidance Software also provides a better than average user manual.

Price
EnCase has two versions: Standard and Professional. A single-user license for Standard is $995, and the Professional version is $1,650.

Miscellaneous Information
Guidance Software provides both technical support and an EnCase user group to answer questions. Guidance was scheduled to release a new version of EnCase (3.0) sometime in the second quarter of 2001.

ForensiX (http://all.net)

For Linux gurus, the dd command makes a forensics-quality image of the media to be copied. I know of only one Linux forensic utility. It's developed and sold by Fred Cohen & Associates.

Functionality
The preferred operating system for ForensiX version 1.0 is RedHat Linux, although other versions of UNIX will partially support it. It is capable of imaging Mac, DOS, Windows, UNIX, and other disks and files. It can also image PCMCIA cards, IDE, SCSI, parallel, serial, etc. Other important features are that it automatically produces chain-of-evidence information, does not modify the original evidence, accommodates large amounts of data (reported to be 16 terabytes), and will replay the analysis with automatic analysis integrity verification.

[Exhibit 2: Typical View with EnCase (screenshot not reproduced)]

Limitations
None noted.

Level of Expertise Required
It is strongly suggested that users be familiar with RedHat Linux because many of the features require the use of UNIX-like code to execute certain commands.

Price
At the time this article was written, a single copy of ForensiX was offered for $899.

Miscellaneous Information
Dr. Fred Cohen is very well respected in the computer forensic area and has an excellent reputation of being accurate and knowledgeable. From all accounts, this tool is a good one.

There are other imaging tools that I have not mentioned, such as Snapback, Drive Image Pro, Byte Back, and of course Linux. Snapback and Byte Back are utilities that are favored by the law enforcement community; however, they are only offered to the law enforcement community.

ANALYSIS

In Part 1, analysis tools were defined as conducting document, application, or word searches; file comparisons; matching data from a known document to an unknown document; reviewing deleted data; or comparing source code. I will outline a few of the more popular tools below and mention several that may warrant further research.

EnCase (www.guidancesoftware.com)

Functionality
EnCase provides the ability to search for text in GREP, Case Sensitive, and Unicode modes. It also provides the examiner with the ability to view thumbnails of graphic files. It can bookmark files of interest into the case folder for future reference and place them into reports. It allows for multiple views of files in Hex, Text, or a report summary. It also allows information to be exported to other formats or files. Exhibit 2 illustrates the typical view seen with EnCase.

Limitations
EnCase appears to have difficulty in viewing Linux file structures and is not as powerful on Linux as it is on Windows products.

Level of Expertise Required
EnCase does not require a great deal of training to master the basic functionality. Persons who attend a training class and can use their newfound skills on a regular basis can quickly contribute to your practice. Most of the analysis functionality is fairly intuitive. Guidance Software also provides a better than average user manual.

Price
EnCase has two versions: Standard and Professional. A single-user license for Standard is $995, and the Professional version is $1,650.

Miscellaneous Information
EnCase is probably one of the most popular forensic analysis tools used in the computer forensics community, providing the user with a good support group of other professionals who are familiar with the product.

NTI Forensic Utilities (www.forensics-intl.com)

Functionality
NTI has been in the business of providing forensic tools since 1996 and is the owner of SafeBack. NTI's tools are actually a collection of utilities designed to do specific tasks, such as capturing file slack, deleted files, or chaining fragmented files. The utilities are designed to accommodate DOS, FAT, and NTFS file structures of Windows operating systems. NTI has a robust suite of tools for just about every forensic need.

Limitations
A user looking for a fully integrated GUI product to shorten the learning curve is looking in the wrong place. Plan on allowing plenty of time to master these tools, and the results will be pleasing.

Level of Expertise Required
The user must be comfortable and familiar with MS-DOS and DOS-based products such as Disk Edit and System Commander. If a user cannot master a majority of the DOS commands, it will be difficult to use this tool to its fullest potential. The required time to master these tools can be much longer, but once accomplished, the examiner will generally know the ins and outs of computer forensic examinations.

Price
These utilities can be purchased in a package or suite, or they may be purchased individually. Contact NTI for price information.

Miscellaneous Information
The price for NTI tools includes a training class on how to use them. Each utility is licensed to the user to help establish ownership of the tools and validate their use. Most NTI tools cannot be purchased without attending their training classes.

Access Data's Forensic Toolkit, or FTK (www.accessdata.com)

Functionality
FTK provides full-text indexing, advanced searching, known-file filtering, graphical file viewing, hash verification, and interoperability with Access Data's password recovery kit (sold separately). It can accommodate all FAT operating systems, NTFS, EXT2, and CDFS.

Limitations
None.

Level of Expertise Required
As with most forensics tools, some training is suggested to maximize effective use. Access Data provides training with the purchase of their software, although the product may be purchased separately.

Price
A single licensed copy is $995.

Miscellaneous Information
A new version of FTK was scheduled for release in the second quarter of 2001.

ForensiX (http://all.net)

Most have heard a commentary about how powerful and flexible Linux can be. ForensiX provides these features and more.

Functionality
Its biggest virtues are that ForensiX can quickly search through large volumes of data and examine deleted files, swap space, and other key areas of interest. It has the ability to view graphics files from disks at the rate of one every second and provides programmable and customizable analysis capabilities, along with a Web-based user manual and audio training built into the application.

Limitations
None noted.

Level of Expertise Required
It is strongly suggested that users be familiar with RedHat Linux because many of the features require the use of UNIX-like code to execute certain commands.

Price
At the time this article was written, a single copy of ForensiX was offered for $899.

Miscellaneous Information
Nothing noted.

Other tools that are often used in the forensic community are ILook and Drive Spy. ILook is only offered to the law enforcement community, so unless you are a law enforcement officer, you are out of luck, especially since it is free.

CONVERSION

To get data into a format that can be viewed, searched, or even recognized, conversion tools are sometimes necessary. Today, more tools allow for both importing and exporting of data from and to other applications. Most text files can be converted to similar applications; therefore, I will not belabor the point. However, e-mail presents a much different issue. For e-mail, I strongly suggest using UniAccess.

UniAccess (www.comaxis.com)

Functionality
UniAccess supports the conversion of e-mail between the following e-mail applications: Exchange, Outlook, Notes, GroupWise, Netscape, Eudora, IMAP4, Pegasus Mail, ExpressIT, cc:Mail, daVinci, Notework, CompuServe, Calypso, and HTML. It is also powerful if users need to view a large number of e-mails from an e-mail application that is unfamiliar: the e-mail can be exported to a familiar application.

Limitations
None noted.

Level of Expertise Required
Because UniAccess is not a mainstream product, a good dose of patience is needed. As with most data conversion processes, things do not always work as planned. Do not put a junior person on this process until a process or methodology has been developed.

Price
UniAccess is $295 and allows up to 50 licensed users.

Miscellaneous Information
UniAccess cannot be purchased directly from Com Axis Technology. However, their Web site provides authorized dealers by area. Exhibit 3 illustrates the initial step of the conversion process with UniAccess.

[Exhibit 3: Step 1 of Conversion Using UniAccess (screenshot not reproduced)]

VIEWING

Many times a forensic professional will be asked to find certain graphics files or to determine their contents. The law enforcement community deals with this issue frequently in the area of child pornography. Some technologically savvy individuals with illegal, immoral, and unethical intent attempt to hide the presence of contraband in these files by changing the file header to disguise its contents. To really know what is in the files, they must be viewed. A viewing application is instrumental to view not only graphics files but also other types of files. Viewing applications present the forensic examiner with a thumbnail picture of the file contents or an image of the document. EnCase and FTK have built-in file viewers which allow the forensic examiner to view several pages of thumbnail pictures at one time and then concentrate on a particular file to determine key information about the file, such as creation date, size, etc. An example of the thumbnail view in EnCase is illustrated in Exhibit 4. There are a number of stand-alone viewers to consider. Specifics about each of them follow.

Quickview Plus v6.0 (http://www.jasc.com)

Functionality
Quickview Plus has the ability to view over 200 different file formats. This makes it a good all-around product to view many different files without having to purchase and open the different types of applications encountered. It supports Win 95, Win 98, WinNT, and Windows 2000.

Limitations
None noted.

Level of Expertise Required
Quickview is very easy to use and requires only a basic amount of knowledge to use the application properly.

Price
The price for Quickview Plus varies from the low $40 range to as high as $59.

Miscellaneous Information
None noted.

[Exhibit 4: Thumbnail View in EnCase (screenshot not reproduced)]

Thumbs Plus v4.10 (http://www.cerious.com)

Functionality
Thumbs Plus provides a full page of thumbnail graphic files, allowing a quick visual review of the contents to look for things of interest. It is compatible with Win 95, Win 98, WinNT, and 2000. It gives the user the ability to adjust the image quality of the picture and preview movie clips, including the audio portion, and offers a conversion feature for converting multiple files.

Limitations
None noted.

Level of Expertise Required
This application is very easy to use and requires only a basic amount of knowledge to use the application properly.

Price
New users of Thumbs Plus should expect to spend $79.95 for a licensed copy.

Miscellaneous Information
This is a robust application that Cerious Software, Inc. has made a commitment to improve. A number of enhancements are planned between now and 2009. I have heard nothing but good things about technical support issues.

MONITORING

In Part 1, I mentioned that occasionally the events that the user is trying to investigate are ongoing. After the electronic evidence is preserved, the event may be monitored on a near- or real-time basis. There are plenty of different types of applications available. However, for this article I will focus on two keystroke capture programs and on sniffers.

Keystroke capture programs can be instrumental in obtaining a confession from the instigator, especially when it is in their own words as captured on the keyboard. The premise is that all of the activity on the keyboard is recorded and preserved. Two programs that might warrant attention are Investigator and Silent Watch.

Investigator (www.winwhatwhere.com)

Functionality
This application has many interesting features that make it appealing in investigating IT events. The company Web site describes it as follows: "WinWhatWhere Investigator provides a highly detailed audit trail of all computer activity. This includes date, time, elapsed time, window titles, URLs, and keystrokes, providing an accurate picture of usage on the monitored computer." A forensic professional must have access to the target computer's hard drive. Investigator allows the application to be loaded onto the target computer, making it invisible to the user. The forensic professional chooses where the application is placed in the target computer's directory. Then the program is only visible by using a certain combination of keystrokes, which is how the forensic professional will need to access the application in the future. The data must then be retrieved through direct access to the computer or through its Stealth Email feature. This feature will allow the forensic professional to compress the captured data and e-mail it to an account of their choice, unknown to the user. The frequency and time of the e-mails are customizable to permit updates as often as necessary.

Limitations
None noted.

Level of Expertise Required
Investigator is fairly easy to use, but I highly recommend testing and using the product first before using it in the field. If not set up correctly, your efforts can be compromised. Just remember that the bad guys can also use software against you. So be careful.

Price
A single copy of WinWhatWhere Investigator may be purchased for $99.

Miscellaneous Information
As with all of the monitoring software I discussed, there are privacy issues that must be addressed. Please understand which issues are pertinent to the situation before deploying these tools or any other tools of this nature.

Silent Watch (www.adavi.com)

Functionality
The company Web site describes Silent Watch as follows: "ADAVI Silent Watch allows you to control misuse of your computers and restrict objectionable content that may harm or distract others on your computer network. ADAVI Silent Watch will also track computer idle time, record keystrokes and URL logs, monitor incoming and outgoing e-mail, and monitor an unlimited number of computers on your network." The single-user or at-home application is called Silent Guard.

Limitations
None noted.

Level of Expertise Required
Silent Watch has evolved into a network-based product. Because of the complexity of network issues, it requires the forensic professional to have network skills. It is highly advisable to test and use the product prior to using it in the field. Silent Guard, its stand-alone product, is much more user friendly.

Price
A single copy of Silent Watch, including four seats, may be purchased for $199.95. Additional seats can be purchased in incremental blocks. A single license of Silent Guard is $49.95.

Miscellaneous Information
Many in the news media prominently mention Silent Watch and WinWhatWhere Investigator. The news media seems to indicate that these products are being used by a fair number of individuals. Most of the examples given by these accounts were of private citizens monitoring children, spouses, or significant others. However, it is also mentioned that businesses use the products with some success. Just remember that the bad guys can also use software against you. So be careful.

Sniffers come in many shapes and sizes. Use the one that provides the highest level of comfort and confidence for its purpose. One consideration is that sniffers can collect huge amounts of data. When zeroing in on a target, it is essential to have the ability to control the device's collection activity. These logs must be preserved for future reference. The diversity of sniffers that are available to forensics professionals is not covered in this article; however, there are two that I would like to mention. I have had very good experiences with SessionWall-3 and Network Flight Recorder.

SECURITY UTILITIES

If given a chance, look at an experienced computer forensics professional's toolkit. It will contain a potpourri of utilities that have been collected over the years. The list will likely include:

1. Password crackers (Cain, L0phtCrack, John the Ripper, etc.)
2. Encryption software (PGP)
3. Erase utilities (Wipe Info, SecureClean, etc.)
4. Comparison utilities (Araxis Merge 2001 Professional)
5. Hash utilities (MD5, etc.)
6. DOS utilities and operating systems (Disk Edit, etc.)
7. Search and indexing utilities (DT Search, etc.)
8. Back-up software (Backup Exec, ARCserve, etc.)

The type of work the computer forensics professional is involved with determines the software tools they carry. If their skill sets are used primarily in an incident response mode, the toolkit may be more heavily weighted toward password cracking, encryption, and the hash utilities. Computer forensics professionals who spend much of their time in the litigation support area will likely consider search or indexing software such as DT Search to be their best friend. The software must index the data and then allow the user to search by keywords, finding every instance of the keyword. The most time-consuming part is the indexing piece; however, after the indexing is completed, search time is minuscule.

OVER-THE-COUNTER SOFTWARE AND HARDWARE

At this time, things are changing frequently and without warning. I strongly recommend that organizations save at least one copy of every version of operating systems they have used, as well as e-mail applications and proprietary software. The best way to accomplish this is by approaching the person in the IT group who is in charge of the "Bone Yard." Every organization has a Bone Yard. It's the place where old and used equipment and software go after their purpose has been served. Before any item is tossed, ask this IT person to contact you to determine your interest. You can start a nice little library of old software. Who knows, one day it might be worth something. Better yet, it will make the job much easier when you are trying to recreate data from the age of Noah.

The same can be said for hardware. Ask for the same privileges as for software. Reconstructing records and data from 5 or even 10 years ago may be accomplished only by having access to old equipment. Think of the old 8-track tapes or vinyl records. Their use is very limited without the right hardware or ... a professional.

WRAP-UP

Now that you have had some exposure to some of the tools that a forensic professional might use, you need to get some training. The next article in this series will cover what kind of training programs are available, what to look for in the curriculum, the number of hands-on exercises that you should receive, where to find these training courses, and finally, some pitfalls to avoid.

KELLY J. KUCHTA is the National Director for the METASeS DefenseONE Computer Forensic and Litigation Support Services, based in Phoenix, Arizona. He is an active member of the High Technology Crime Investigation Association (HTCIA), Association of Certified Fraud Examiners (ACFE), Computer Security Institute (CSI), International Association of Financial Crime Investigators (IAFCI), and the American Society of Industrial Security (ASIS). He currently serves as the Chair of the ASIS Standing Council of Information Technology Security.
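The SafeBack audit scheme described in the IMAGING section (a 16-bit CRC per block plus a 32-bit CRC over the whole image, re-computed on the copy and compared) as an added example, not SafeBack's or NTI's code: the block also records MD5 and SHA-256, since a CRC catches accidental corruption but is not a cryptographic hash, and the 512-byte block size and the eight-sector sample "drive" are assumptions.

```python
import hashlib
import zlib

BLOCK_SIZE = 512  # assumption: one 512-byte sector per audited block


def crc16(data: bytes, crc: int = 0) -> int:
    """CRC-16/ARC (polynomial 0x8005, bit-reflected), computed bit-serially so
    the arithmetic is visible; the check value for b"123456789" is 0xBB3D."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc & 0xFFFF


def acquire(device: bytes, block_size: int = BLOCK_SIZE):
    """Bit-stream acquisition: copy every sector as-is, allocated or not, and
    build the audit record (per-block CRC-16, whole-image CRC-32, MD5, SHA-256)."""
    image = bytearray()
    block_crc16 = []
    for offset in range(0, len(device), block_size):
        block = device[offset:offset + block_size]
        image += block                      # copy bytes; never interpret the file system
        block_crc16.append(crc16(block))
    image = bytes(image)
    audit = {
        "block_size": block_size,
        "blocks": len(block_crc16),
        "block_crc16": block_crc16,
        "image_crc32": zlib.crc32(image) & 0xFFFFFFFF,
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return image, audit


def verify(image: bytes, audit: dict) -> dict:
    """Replay the audit against a copy (or the original). The whole-image values
    say whether anything changed; the per-block CRCs say where."""
    block_size = audit["block_size"]
    bad_offsets = []
    for i, expected in enumerate(audit["block_crc16"]):
        block = image[i * block_size:(i + 1) * block_size]
        if crc16(block) != expected:
            bad_offsets.append(i * block_size)
    return {
        "size_ok": len(image) == audit["blocks"] * block_size,
        "crc32_ok": (zlib.crc32(image) & 0xFFFFFFFF) == audit["image_crc32"],
        "md5_ok": hashlib.md5(image).hexdigest() == audit["md5"],
        "sha256_ok": hashlib.sha256(image).hexdigest() == audit["sha256"],
        "bad_block_offsets": bad_offsets,
    }


def sample_device() -> bytes:
    """Constructed eight-sector 'drive': a boot-style sector, one live file,
    unallocated sectors, and one sector still holding deleted data."""
    sectors = [
        b"\x00" * 510 + b"\x55\xaa",
        b"MEMO: meeting notes for the audit committee\r\n".ljust(512, b"\x00"),
        b"\x00" * 512,
        b"\x00" * 512,
        b"old budget draft (deleted, cluster not yet reused)".ljust(512, b"\xff"),
        b"\x00" * 512,
        b"\x00" * 512,
        b"\x00" * 512,
    ]
    return b"".join(sectors)


def demo() -> dict:
    """Acquire the sample device, verify the clean copy, then show that a
    single flipped bit in sector 4 is both detected and localised."""
    image, audit = acquire(sample_device())
    clean = verify(image, audit)
    tampered = bytearray(image)
    tampered[4 * BLOCK_SIZE + 10] ^= 0x01    # data is easily modified, as the article notes
    return {"clean": clean, "tampered": verify(bytes(tampered), audit)}


if __name__ == "__main__":
    print(demo())
```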
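The header-disguise problem from the VIEWING section, and the signature-versus-extension check a forensic examiner runs before trusting a file name, as an added example that is not EnCase's, FTK's or any viewer's code: the signature table, the status names and the constructed sample files are assumptions.

```python
import os

# Leading bytes (file signatures) for a few formats an examiner meets constantly.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
}
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def identify(header: bytes):
    """Return the format whose signature the header carries, or None."""
    for kind, magics in SIGNATURES.items():
        if header.startswith(magics):
            return kind
    return None


def classify(name: str, data: bytes) -> dict:
    """Compare what the file name claims with what the bytes say."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    ext = EXT_ALIASES.get(ext, ext)
    actual = identify(data[:16])
    if actual == ext:
        status = "match"
    elif actual is not None:
        status = "mismatch"             # e.g. JPEG bytes hiding behind a .txt name
    elif ext in SIGNATURES:
        # Name claims a known type but the header does not: possibly overwritten.
        # A JPEG whose first bytes were clobbered usually still carries the APP0/APP1
        # identifier at offset 6 and the FF D9 end-of-image marker at the end.
        remnants = data[6:10] in (b"JFIF", b"Exif") or data.endswith(b"\xff\xd9")
        status = "damaged-header" if remnants else "unknown-header"
    else:
        status = "unknown"
    return {"name": name, "ext": ext, "header": actual, "status": status}


def scan(files: dict) -> list:
    """Classify every (name -> bytes) entry of a constructed evidence set."""
    return [classify(name, data) for name, data in files.items()]


def flagged(files: dict) -> list:
    """Names an examiner should open in a viewer rather than trust the extension."""
    return sorted(f["name"] for f in scan(files)
                  if f["status"] in ("mismatch", "damaged-header", "unknown-header"))


def sample_files() -> dict:
    """Constructed evidence set (tiny placeholders, not real images)."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 40 + b"\xff\xd9"
    return {
        "photo.jpg": jpeg,                          # honest JPEG
        "notes.txt": jpeg,                          # JPEG renamed to look like text
        "holiday.jpg": b"\x00" * 6 + jpeg[6:],      # JPEG whose header bytes were zeroed
        "archive.zip": b"PK\x03\x04" + b"\x00" * 26,
        "scan.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "report.pdf": b"MZ\x90\x00" + b"\x00" * 20,  # claims PDF, header says otherwise
        "data.bin": bytes(range(1, 30)),            # no known signature either way
    }


def demo() -> dict:
    """Map each sample file name to the status the check assigns it."""
    return {f["name"]: f["status"] for f in scan(sample_files())}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
    print("review:", flagged(sample_files()))
```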