Solution Guide
Contents
1. 13 About This Document 16 Related Documentation and Resources 16 ue Ee 17 What is 17 Dell s Triage Solution Advantage 17 Collecting Digital Forensics Evidence 19 Standard vs Live Acquisition 20 How to Perform Triage Using the Dell Digital Forensics Solution 20 Turn on Your Dell Ruggedized Laptop 20 Burn a Boot CD for Standard Acquisition 21 Register a Collector Store Disk 21 Clean a Collector or Store Disk 23 Contents Configure a Collector Profile 23 Deploy Triage 001 5 33 Reviewing Collected Files After Triage 36 35240 8 ur exces teta a 39 Datacenter enabled EnCase6 39 Single server Solution 40 Multi server Solution High Availability 40 Datacenter enabled FIK18 42 Single 1 8 Session Per Desktop 42 Multiple FTK 1 8 Sessions Per Desktop 42 Datacenter enabled FIK3 43 Single FTK 3 Server Solution 44 Multiserver Solution No High Availability 44 FIK3LabEdition 46 Multiple Forensics Applications Delivered to 8 17 Network Configuration Recommendati2. Collect Windows Page fle pagefiie sys 8 Collect Windows Mibernabon file hiberfi sys Note The options on this page wil overnde any timestamp and fle extension options for specific files found matching Universal Time UTC ie then Save Profile werz Sep ar 11 Click the right arrow in the upper right corner of the screen Local Time UTC 04 59 Triage 29 12 At the Deleted File Filter screen determine whether or not you want to include live and deleted files only live files or only deleted files in your collection If you do not select any of these options you will collect no files Figure 2 15 Profile Configuration Step 6 Deleted File Filter SPEKTOR Forensic Intelligence Control POD 23 Version 1 3 0 0 INTELLIGENCE MODE PEK Collector Configuration Profile Wizard Admin Re fresh Deleted File Filter Live Non_System 6017 gt G13 COMMS Up Live fles only Deleted only Please Note 1f the space occupied by deleted file has been overwritten or partially overwritten the deleted file wil either be t corrupted or possible to collec Save Profile 4 eR E diez Sap 1347 189 SPEKTOR Formoe LA NOTE Only deleted files that have not been overwritten already on the target device are likely to be collected successfully files that have
3. 95 EnCase EnCase launches in Acquisition Mode 95 Lab Browser launched by client cannot display User Interface 96 1 8 5000 object limit trial version message 96 FTK 1 8 Cannot Access Temp File error appears on AUN CD ow ak Seeks se 96 Citrix 15 96 Citrix Applications won tlaunch 96 Frozen or Crashed Citrix Sessions 97 HERO cen enter eru Oe eae got se dua 99 Contents Contents Introduction amp Triage Ingest Store Analyze Present Archive In recent years there has been an exponential increase in the volume velocity variety and sophistication of digital activity by criminals and terrorist groups around the world Today most crimes have a digital component Some have called it a digital tsunami This growth has been augmented by dramatic advances in electronic hardware The expanding diversity of consumer electronic devices and their increasing memory and storage capacity offer criminals and terrorists a wealth of opportunity to hide harmful information It is not uncommon for PCs and laptops to come with hard drives that measure in the hundreds of Gigabytes of storage The latest hard drives include options for one or four Terabytes Consider that a single Terabyte can store the content of two hundred DVDs a vast amount of storage representing a problem that will only continue to grow
4. Enter the basic case information requested by the wizard Select the properties for bookmarks Determine whether and how you want to display case graphics in your report Determine whether or not you want to include a section in your report that lists the file paths and file properties of files in selected categories Add the Registry Viewer sections if desired View the report outside of FTK 86 1 2 Browse to the report file Click the report file then e Click index htm to open an HTML document in a web browser e Click report pdf to open the report in a PDF viewer Present Archive Ss 9 Triage _ Ingest Store Analyze Present No digital forensics solution is complete without a scalable secure and comprehensive archive and retrieval component Your Dell Digital Forensics Solution offers that and more In the Dell Solution framework we have tried to create a simple interface that works with all forensics applications to control the life cycle of the evidence and case files Due to the fact that it is difficult to predict when data might be needed in the future or how long an investigation may last we have created a flexible solution that requires the individual forensics analyst to determine the files he will recall and archive This solution uses a tiered approach to storage tailored to your needs a mix of SATA and SAS hardware and user driven archiving using NTP s On Demand Archiving sof
5. Existing forensic triage solutions can be slow and may even miss data because they perform tasks such as keyword searches or hash matching during data collection Dell s Digital Forensics Solution overcomes this obstacle by using the computing power of the Dell ruggedized laptop rather than the target PC to perform analysis on the collected data In some cases you may be able to bypass imaging and indexing processes in the forensics lab altogether Triage 17 Easy to Use The Triage components of the Solution are ready to use right out of the hardshell case The pre installed software offers an intuitive touch screen interface User defined reusable collection profiles for different scenarios may be created for standard deployment Forensically Acceptable Triage software enforces an efficient and forensically acceptable process ensuring any potential evidence is captured reviewed and stored without compromise Flexible The Triage components can be used to examine the most common digital storage devices and platforms including devices running under both Windows and Apple s Mac OS X operating systems as well as a wide array of digital storage device types such as MP3 players external hard drives memory cards mobile and satellite phones GPS units iPads and iPhones and flash drives Furthermore triage results using the Dell Digital Forensics Solution are exportable to other programs Powerful The Dell ruggedized l
6. 37 38 Triage Ingest 2 x qd amp Triage Inge Store Analyze Present Archive The Ingest stage of the Dell Digital Forensics Solution consists of creating an image of the target storage device if that has not already been accomplished during the Triage stage then transferring that image to a centralized location from which it may be accessed for analysis To move the forensics applications into the datacenter and still preserve the standard user experience Dell in partnership with Citrix has created several distinct software packages for the mainline forensics applications to move them seamlessly into the data center creating a more available faster and capable user experience As part of its Digital Forensics Solution Dell has currently certified the following forensics applications SPEKTOR EnCase 6 FTK 1 8 e standalone version e FTK3 Lab Any of these forensics applications may be used in any combination for simultaneous access from a single user device Datacenter enabled EnCase 6 In the following solution example the EnCase 6 application is hosted on a Dell server device s in the datacenter providing multiuser EnCase 6 sessions Ingest 39 Single server Solution In the single EnCase 6 server solution multiple clients can connect to one server All clients are pointed to this server and cannot connect to any other EnCase 6 server In the event of a server failure all client
7. Task Manager Finding Files on the Network Best practice demands that evidence and working files be stored separately on the network Dell recommends setting up two share drives then establishing case files and subfiles from there as illustrated in Figure 5 3 Figure 5 3 Dell Recommended File Structure Dell Forensics Domain YOK GE S 73 8 Y 2 N m 30000 X EEE diss IS UU 0001 01 01 Case0001 02 E01 s N XOX GSK N 0001 03 01 m PN Case0002 01E01 SN Caseo002 02 o FTKS X c MM CASEO001 SS i FTKLS v Evidence Share Ww AP vid 002 Workspace Share Workspace Share 77 Analyze 81 Analysis Using FTK Open an Existing Case Using the File Menu 1 From within FTK select File and then select Open Case 2 Highlight the case you want to open and click it to launch the case LA NOTE All case files are named case ftk The case ftk file for each case is stored in the applicable case folder From the Command Line At the command line type path to ftk program fileMftk exe OpenCase target case directory Processing Case Evidence FTK processes evidence as a case is created or as evidence is later added to the case For instructions on creating a new case see Create a Case on page 59 or refer to FTK User s Guide For instructions on adding evidence to an existing case see Add Evidence to a Case on page
8. SATA IDE bridge Connect the other female Molex connector of the TC2 8 Molex style power cable to the suspect hard drive s Molex connector Connect the blue end of the TC6 8 IDE Signal Cable so as to align pin 1 to the T35es SATA IDE bridge Connect the black end of the TC6 8 IDE Signal Cable to the target storage device Plug one end of the data cable USB 2 0 two FireWire 800 connections Orion 4 pin FireWire 400 connection to one of the ports on the left side of the T35es SATA bridge Plug the other end of the data cable to a port on the Dell ruggedized laptop or Dell OptiPlex workstation Flip the switch on the top of the T35es SATA IDE bridge to the A On position The Dell ruggedized laptop or Dell OptiPlex workstation should recognize the presence of the target storage device Ingest Using FTK 1 8 and 3 0 Datacenter enabled In the Dell Digital Forensics Solution licensing for FTK is accomplished using a network licensing system Typically the FTK Network Licensing Server is installed on one of the datacenter servers and an FTK dongle containing multiple user licenses is plugged into that server The FTK clients are configured to look to that server for licensing and no local dongles are required See the Dell Digital Forensics Installation and Configuration Guide for further information See Related Documentation and Resources on page 16 Also see your network systems administrator for information specific to your agency s
9. SN SSN 0000 amp amp amp N iu Ag OK EEK SN N Case0001 01E01 R N Case0001 02 E01 S gt Case0001 03 E01 SI J0000C amp amp amp IN Case0002 01E01 N SA DY IS D v Evidence Share NS Fileserver Evidence 0002 Workspace Share Workspace Share WM Case0002 02 E01 12 4 1 50 Ingest How to Perform Ingest Using the Dell Digital Forensics Solution Ingest Using SPEKTOR Register and Clean an External USB Device as a Store Disk 1 Plug the unregistered external USB device in a Collector port on the ruggedized laptop 2 Click or tap the device icon when it appears then click or tap Register the Device as a Store Disk Yes Then enter the requested information 3 From the right hand menu select the registered device then tap or click Clean Reformat Clean 4 Click OK when the process completes Deploy the Store Disk 1 Plug in the store disk to the ruggedized laptop then tap or click the store disk device to display the Store Disk Menu 2 Inthe Store Disk Menu tap or click Deploy If you are deploying against a target computer a Tap or click Target Computer b Remove the storage disk from the ruggedized laptop and plug it into a spare USB port on the target computer c Follow the same deployment instructions as for capturing a triage image in Deploy Triage Tools on page 33 d When the boot CD is loaded the SPEKTOR Imaging Wizard will walk you
10. a single case may use up the investigator s hardware assets Dell s Digital Forensics Solution provides the significant advantages of distributed processing and that can change the picture entirely We ll take a look at distributed processing shortly but first let s examine some of the types of analysis that the digital forensics investigator typically encounters Types of Analysis Hash Analysis A hash function uses cryptographic algorithms to create a digital fingerprint from data The hash can be used to compare a hash of the original data to one of the analyzed forensic data which may be accepted in court as proof that the two groups of data are identical Hash analysis compares case file hash values with known stored hash values Analyze 77 File Signature Analysis Every file has a file type usually indicated by the file name s three or four letter extension For example a text file might have a txt extension and an image file might have a jpg extension Not uncommonly these file extensions will have been changed to something seemingly innocuous an image file for example might be renamed with a text file extension in an attempt to mask its pornographic contents However every file also possesses a file header that includes a file type code different from the extension but solely indicative of a specific file type For example a bmp file will have the file type header code bm8 When the file type header code
11. and Processing Manager are see your systems administrator 4 Click Detailed Options to refine the data you want to include in your case See the AccessData 3 User s Guide for further information on restricting case data See Related Documentation and Resources on page 16 5 Click OK The Manage Evidence window opens Add Evidence to a Case 60 1 In the Manage Evidence window click Add Then click the radio button beside the type of evidence you want to add Acquired Image s All Images in Directory Contents of a Directory Individual File s Physical Drive or Logical Drive Then click OK Navigate to the Evidence directory and select your evidence file Then click Open Choose a time zone required Click OK The Data Processing Status window opens When the Process State changes to Finished click Close The evidence now appears in the case within the software interface Ingest Ingest 61 62 Ingest Store o x Qh amp Triage Ingest Store Analyze Present Archive The traditional approach to digital evidence storage starts with investigators working independently on individual workstations in a multiple silo configuration The evidence file is stored more or less insecurely on the workstation or transferred from a storage server to the workstation on a daily basis burdening the network with the continual transfer of very large files The structure fails to take advantage of the
12. and the file extension differ the digital forensics analyst must more closely examine the data Figure 5 1 Distributed Processing What is Distributed Processing Distributed processing refers to the use of multiple processors each with its own memory asset that are individually applied to a different portion of a single computational task and that use a message passing system to communicate 78 Analyze between one another within the group Distributed processing is not the same as parallel processing which refers to the use of multiple processors that share a single memory asset Consider the following which will give you a rough idea of the advantages of the Dell Solution using a distributed processing installation using distributed processing completing an analysis of five 200 GB files may take only 3 5 hours while processing a single 200 GB file on a standalone workstation might take roughly 7 8 hours to accomplish Moving evidence data processing from the analyst s workstation to the server isn t the end the Dell Solution also offers the option of running analytical software itself such as FTK and EnCase on the server allowing the workstation to become an integrated interface that is able to run multiple instances of different forensics software packages under concurrently viewed operating systems with no client performance degradation Using Distributed Processing in FTK 3 1 Distributed Processing allows you t
13. been deleted and then overwritten will either be corrupt or unretrievable 13 Click the right arrow in the upper right corner of the screen 30 Triage 14 At the Profile Name screen enter a name for your new profile then tap or click Save Profile Figure 2 16 Profile Configuration Step 7 Profile Name SPEKTOR Forensic Intelligence Control POD 23 Version 1 3 0 0 INTELLIGENCE MODE Collector Configuration Profile Wizard Profile Name Live Non_System 7017 gt gt gt COMMS Up fv 23 5 tvidence Live Non_System 23 6 v Save Profile B SPEKTORB 48 0 41 Wee 22 sep 105 15 Click the right arrow in the upper right corner of the screen Your new profile appears in the Selected Profile screen The Collector Configuration screen will display the title of the profile in this case 14 days all files and it will list the profile s details in the main portion of the window Triage 31 Figure 2 17 Selected Profile After Profile Creation SPEKTORO Forensic Intelligence Control POD 23 Version 1 3 0 0 INTELLIGENCE MODE Collector Configuration CP23 C6 Selected Profile gt AE 7 of 16 14 days all files me A STANDARD Acquisition will be performed Files ACCESSED in the last 14 DAYS Windows Page file WILL NOT be collected pagefile sys Windows Hibernation file WILL NOT be collected hyberfil sys ALL fi
14. connections will be lost Multi server Solution High Availability In the multiserver solution a user will connect to the EnCase 6 application on the Citrix farm and will be directed seamlessly to the EnCase 6 server currently working with the lightest load In the event that the user is running multiple instantiations of the EnCase 6 software each instantiation could be created by a different server The user experience would be preserved because the user would be totally unaware of the way multiple instances are created and all sessions would appear to be running from the same server with the same look and feel 40 Ingest Figure 3 1 Datacenter enabled EnCase 6 Client Server Schematic In the event of a server failure the user would need to click the desktop EnCase application icon again and the system will redirect the user connection to the next available server hosting EnCase 6 Each EnCase server can support x user sessions where x number of cores x 2 Each user session requires 3 GB of server RAM Ingest 41 Datacenter enabled 1 8 In the Datacenter enabled FTK 1 8 solution the FTK 1 8 application is hosted on a Dell server device s in the datacenter providing multiuser FTK 1 8 sessions one unique user session per server Single FTK 1 8 Session Per Desktop In the single server FTK 1 8 solution multiple clients can connect to a single server All clients are pointed to this server and cannot con
15. ensure that in the event of a disaster data can be restored with the minimum recovery point possible the backup is split into equal sections and is run in the space of a month This process requires that the maximum backup size is restricted to 15 TB for any full backup Each LUN then takes incremental updates for the rest of the backup cycle until a full backup is due again Figure 7 2 Best Practice Backup Plan Off host vs Network Due to the size of data that needs to be moved onto tape for disaster recovery purposes in most forensics labs the LUNs storage is divided into 15 TB LUNs This requirement allows for easier management and backup and it also reduces file system cluster failure over time in the event of a failure 90 Archive Two types of backup can be performed either over the network or as an off host backup e In an over the network configuration all backup data is transmitted over the network to the backup server using a backup agent that is resident on the server off host backup solution some of the servers with the larger file stores do not back up their data over the network Instead the storage array takes a snapshot of the LUN and then mounts this copy directly to the backup server This process increases overall backup speed as no backup files are transmitted over the normal network to cause additional network contention issues In many forensics labs today backups are conducted over 10 GB n
16. in the Tree pane A list of case files with their associated file signatures and other data displays in the Table pane Sort the data as desired Analyze Present Dg 9 Triage Ingest Store Analyze Hemp Ache 7 Reporting the results of your analysis is an integral part of the Dell Digital forensics Solution and is handled primarily through the forensics software you are using as part of the Solution How to Create Reports Using the Dell Digital Forensics Solution Create and Export Reports Using EnCase 6 1 Select the items to report on whether they are files bookmarks search hits or other data Select the type of report you want using the tabs in the Tree pane From the Table tab in the Table pane enable the items you want to show in the report From the Table tab switch to the Report tab Modify the report as needed Export the report to a format viewable outside EnCase a Right click in the report and click Export from the drop down menu The Export Report dialog opens b Click the appropriate radio button to select the output format you want to use TEXT RTF or HTML c Enter or navigate to the output path Present 85 d If desired select Burn to Disc to enable the Destination Folder box then right click Archive Files to create a new folder and save an iso file to disc e Click OK Reports Using FTK 1 c N 6 Click Report to launch the Report Wizard
17. of SAS and SATA hardware and the entire forensics datacenter may be centrally managed by an administrative manager 46 Ingest Multiple Forensics Applications Delivered to One Desktop In the multivendor and multiapplication solution all of the individual application solutions described previously are combined to provide the forensics analyst with access to all forensics applications EnCase 6 FTK 1 8 and FTK 3 or FTK 3 Lab edition from a single desktop a single pane of glass All applications can be delivered in a high availability mode so that in the event of a failure the user still has access to that specific application and in the case of FTK 1 8 the user has access by using one of the other FTK 1 8 icons on the desktop Ingest 47 Network Configuration Recommendations Table 3 1 Recommended IP Address Structure IP Address Server Function Server Name 192 168 1 1 Domain Controller 1 DF DCI 192 168 1 2 Domain Controller 2 DF DC2 192 168 1 3 Evidence Server DF Evidence 192 168 1 4 Workspace Server DF Workspace 192 168 1 5 FTK Oracle Server DF FTK 10 1 0 0 24 1 GB Static IP address range 10 1 1 0 24 10 GB Static IP address range 10 1 2 0 24 1 GB DHCP range clients 10 1 0 250 254 10 1 1 250 254 10 1 0 200 1 GB Switch es 10 GB Switch es DNS Server Table 3 2 Recommended Naming Conventions for Solution Servers Name Domain Name Domain Controller 1 Domain Controller 2 Evidence Storage Workspace Oracle SO
18. one version of Oracle database per concurrent user This version of the FTK application and Oracle database does not support collaboration between other FTK users or other FTK Oracle databases Each Oracle database has an Oracle backup agent on the server and the database is backed up as part of the normal backup regimen see Archive on page 87 for further information In the event of a server failure the user would need to manually connect to another available FTK 3 server If n 1 FTK 3 servers are available However in the event that the Oracle database has also failed no access will be available to already processed pre existing cases as these will be linked specifically to the original local FTK 3 Oracle database for that user Ingest 45 Each FTK 3 server can support one concurrent user session Each user session requires 64 GB of server RAM 48 GB for Oracle and 16 GB for FTK and 1000 I O per second for the file store plus 600 I O per second for the database minimum configuration FTK 3 Lab Edition In the FTK 3 Lab Edition configuration the user will connect to a server hosting AccessData Lab and the centralized case database Multiple users can access the same case concurrently and run different analyses at the same time as well Processing is handled using a distributed processing model Figure 3 4 3 Lab Edition Client and Server Schematic Case storage is optimized using a mix
19. or to require experts to travel to the lab for file access purposes 4 Archive The Dell Solution offers formalized backup recovery and archiving infrastructure to help optimize cooperation between agencies and security divisions and even across borders free up administrative overhead provide consistency between labs and minimize risks to the digital chain of custody Additionally Dell s Digital Forensics Solution blueprint includes an optional search component that allows for information correlation between ingested data sets Dell s Solution Eases Industry Pain Points Using the Dell Digital Forensics Solution can make the process of bringing digital evidence from the crime scene to the courtroom infinitely simpler for investigative professionals by providing e State of the art datacenter networking that speeds ingestion analysis and sharing of digital information Information assurance by further automating the digital forensics process thereby lowering the risk of error and data compromise e Additional data integrity assurance currently through the use of the most secure hash protocols and soon through the implementation of an auditing feature that will help automate chain of custody records E NOTE Any conclusions or recommendations in this document that may resemble legal advice should be vetted through legal counsel Always check with your local jurisdiction local prosecutors and local forensics laboratory r
20. scrutiny This recall needs to happen in a very timely manner but the data is very rarely required instantaneously Delete In most countries around the globe public sector bodies are not allowed to hold data indefinitely once the data has reached the legal limit of retention A simple process needs to be available to delete that data This process may be required also in the case where a not guilty verdict has been returned and the data also needs to be deleted How to Set Up Storage Security Using the Dell Digital Forensics Solution and Active Directory Creating and Populating Groups in Active Directory Groups are established through Active Directory Domain Services Windows Server 2008 Creating a New Group Windows Server 2008 1 Click Start Administrative Tools Active Directory Administrative Center 2 In the navigation pane right click the node to which you want to add a new group click New Then click Group 3 Enter the name of the new group 68 Store oO A Select the appropriate option in Group Scope Select the Group Type Select Protect from accidental deletion Modify the Managed By Member Of and Members sections and then click OK Adding Members to A Group Windows Server 2008 1 oa fF 0 N Click Start Administrative Tools Active Directory Administrative Center In the navigation pane click the folder in which the group resides Right click the group and then click Properti
21. the process chapters begins with a discussion of best practices and specific issues that you may encounter as you implement and manage the Solution and then moves to a walk through of the various tools and components relevant to that stage of the Solution Related Documentation and Resources You can access additional information at support dell com manuals 16 Introduction rage Ingest Store _ Analyze Present Archive What is Triage Triage allows the digital forensics investigator to browse the data contained on suspect devices and to make decisions as to which devices are actually evidentiary and worth seizing for immediate imaging on site if the data comprises a small volume or for later imaging in the datacenter This ability to preview and seize only select target devices can substantially reduce the delays that affect investigators ability to present evidence in a timely fashion Triage can curtail the backlog of storage devices awaiting imaging back at the forensics lab using fewer resources avoiding adding to an already overloaded ingestion queue and dramatically reducing operating costs Dell s Triage Solution Advantage Mobile Dell s Digital Forensics Solution can be at the crime scene with the investigator all components have been thoroughly pre tested to work together and they cover a broad range of target device ports and connectors that you might expect to find in the field Fast
22. through the remainder of the imaging process Step by step instructions may be found in the SPEKTOR User Manual See Related Documentation and Resources on page 16 for more information e Shutdown the target computer unplug the store disk and then return the store disk to the datacenter for storage If you are deploying against a target storage device locally a Tap or click Target Storage Device Ingest 51 b Plug the target storage device into either the Read Only USB port or the FireWire port on the right hand side of the ruggedized laptop c Select the drive or partitions you want to image and then click the right arrow in the upper right corner of the screen d Enter the case information requested and then tap or click Image Now e If necessary tap or click Configure Imaging Options to change the Image Format or Compression Type or to Wipe Sectors on Read Errors or Perform Additional SHA1 Hash NOTE An MDS hash will always be generated during the imaging process LA NOTE See the SPEKTOR User Manua for further information on each of these imaging options See Related Documentation and Resources on page 16 Figure 3 6 Configure Imaging Options Configure Imaging Options CP6 S2 Image Format Compression Type lg Encase 5 None Save Current Settings as Def act 2 Restore Original Defeats 3 Cancel f Tap or click Image Now Yes to start the imaging process g When the imaging process
23. 60 or refer to the FTK User s Guide See Related Documentation and Resources on page 16 for more information Analysis Using EnCase Open an Existing Case 1 From the file menu select File Open 2 Browse to the case and click Open 82 Analyze Create an Analysis Job 1 2 Click the Analysis Jobs tab in the main Source Processor dialog Click New The Create Analysis Job Job Name dialog displays The default job name is Job__ yyyy_mm_dd__hh_mm_ss for example Job 2009 06 24 03 42 42 PM A job name cannot contain spaces at the beginning or end of the name or any of the following characters lt gt Enter a job name and click Next The Create Analysis Job Module Selection dialog displays This dialog shows module folders in the left pane and single modules within those folders in the right pane If a module is included in an analysis job but there is no data for that module when that job is run against a collection that module is ignored This feature allows you to create generic analyses jobs for a variety of collected data sets Enter a check the module s check box You may select more than one module Analyses modules do not have user configurable settings To select all the modules in a group enter a check beside that group s folder name in the left pane Click Finish NOTE Analyses jobs may list available modules not listed in collection jobs These modules are identified as legacy modul
24. Dell Digital Forensics Solution Guide Notes Cautions and Warnings LA NOTE A NOTE indicates important information that helps you make better use of your computer A CAUTION A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed A WARNING A WARNING indicates a potential for property damage personal injury or death Information in this document is subject to change without notice 2011 Dell Inc All rights reserved Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc is strictly forbidden Trademarks used in this text Dell the DELL logo PowerEdge EqualLogic and PowerConnect are trademarks of Dell Inc Oracle is a registered trademark of Oracle Corporation and or its affiliates Citrix is a registered trademark of Citrix Systems Inc in the United States and or other countries Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products Dell Inc disclaims any proprietary interest in trademarks and trade names other than its own 2011 07 Rev A00 Contents 1 _1 7 The Dell Digital Forensics Lifecycle 9 Dell s Solution Eases Industry Pain Points 11 SolutionComponents 12 Inthe Field i cea hoe eg we eS 12 Inthe
25. Disconnect the Collector from the target device and store it safely for later ingestion into the datacenter Reviewing Collected Files After Triage 1 From the Collector Menu click Reporting This option indexes the collected data and creates a set of reports automatically 2 From the Collector Collections screen select a Main Report then click Generate Selected Reports 36 Triage Figure 2 21 Generate Reports Collector Collections CP26 C3 A 2 s gt gt lt Collection 1 of 1 gt Collection Details Case Reference Target Reference User Location Configuration New Profile User Input Start Date 2010 09 20 User Input Start Time 14 34 Reports Reporting options D 2 Generate Selected Reports A view Reports 3 LJ Main Report J Hash matching Keywords 1 Integrity Export Report Exists 3 Cancel Click OK when the report generation process is complete to return to the Reporting menu NOTE Refer to the SPEKTOR User Manua for more information on creating and exporting reports using specific criteria See Related Documentation and Resources on page 16 Click View Collection Report to review your reports then click one of the five report categories Images Documents Multimedia Other or System to view specific reports Report Exists Report Exists Triage
26. File Signature Analysis 78 What is Distributed Processing 78 Using Distributed Processing FTK 3 1 79 Contents Checking the Installation 81 Finding Files onthe Network 81 Analysis Using FTIK 82 Open an Existing Case 82 Processing Case Evidence 82 Analysis Using EnCase 82 Open an Existing Case 82 Create anAnalysisJob 83 Run an Analysis Job 83 Performing a Signature Analysis 84 Viewing Signature Analysis Results 84 b Preselit evel 85 How to Create Reports Using the Dell Digital Forensics 5011 0 85 Create and Export Reports Using EnCase6 85 Reports UsingFIK 86 F fe fu ct oe LEES 87 Client One Click Archive Solution 88 Dell Backup Recommendations 89 Backup of Evidence andCasefiles 89 Off hostvs Network 90 How to Archive Using the Dell Digital Forensics 0 93 On Demand Archiving 93 lt 93 93 Contents Archiving Using NTP Software ODDM 93 8 Troubleshooting 95 General Troubleshooting Tips 95 Forensics Software Specificlssues
27. From PCs to laptops mobile phones to thumb drives and even game consoles digital forensics professionals are being pushed to the limit to clone ingest index analyze and store growing amounts of suspect data while preserving the digital chain of custody and continuing to protect citizens Introduction 7 Table 1 1 How Big is a Zettabyte Kilobyte KB 1 000 bytes 2KB a typewritten page Megabyte MB 1 000 000 bytes 5 MB the complete works of Shakespeare Gigabyte GB 1 000 000 000 bytes 20 GB a good collection of the works of Beethoven Terabyte TB 1 000 000 000 000 bytes 10 TB an academic research library Petabyte PB 1 000 000 000 000 000 bytes 20 PB production of hard disk drives annually Exabyte EB 1 000 000 000 000 000 000 5EB all words ever spoken by bytes human beings Zettabyte ZB 1 000 000 000 000 000 000 000 248 expected data created bytes globally during 2010 Roger E Bohn et al How Much Information 2009 Global Information Industry Center University of California San Diego January 2010 When suspected criminals have been charged and computer and other digital assets seized digital forensics professionals are put under enormous pressure to process and analyze potential evidence in a very short space of time and in environments less than well suited to ensuring evidentiary requirements Where whole organizations are suspected of criminal or terrorist act
28. Gi Edi verse on Burn a Boot CD for Standard Acquisition Procedures 1 Atthe Home screen tap or click Admin Then tap or click Burn Boot CD Figure 2 3 Burn Boot CD Button on the Home Screen Burn Boot CD 2 Follow the instructions on the screen and then click Finish Register a Collector or Store Disk NOTE Collectors must be licensed and configured by SPEKTOR before they can be used with your Dell Digital Forensics Solution Contact your systems administrator if you need additional Collectors or licenses 1 Plug in anew Collector or store disk to one of the USB ports on the left hand side of the Dell ruggedized laptop The device appears on the screen as an unrecognized device Triage 21 Figure 2 4 Unknown Collector or Store Disk Status Indicator Ae Unknown 2 Tap or click the Status Indicator icon that corresponds to the Collector or store disk you plugged into the Dell ruggedized laptop The icon for the device that has been registered will turn green for a Collector or orange for a store disk 3 The Unknown Device Menu will display Figure 2 5 Unknown Device Menu SPEKTORS Forensic Intelligence Control POD 23 Version 1 3 0 0 INTELLIGENCE MODE Register this device as a Collector f 23 6 Register this device as a Store Disk EG mmt an 4 Taporclick Register this device as a Collector or Register this device as a Store Disk 5 Taporclick Yes The status
29. Ingest on page 39 security is an agency s primary consideration where storage is concerned Physical Access Layer Your digital forensics evidence server files should be housed more securely than any other files in your organization including Human Resources files 64 Store Consider the following suggestions Place the examination servers and data storage inside a dedicated examination laboratory space In this way all servers data warehouses physical cabling switches and routers are physically protected by the same security measures that restrict laboratory access Use entry control protocols such as fingerprint or retinal scans or smart card access Route all examination traffic through network switches dedicated to and connected physically to only examination servers and workstations Administrative Control Layer and Active Directory Your solution configuration will run on a Windows operating system and thus the remainder of this chapter discusses Windows and its Active Directory Group and User security features Active Directory is built on group security and its related features A group is a collection of users or computers within a domain The two basic types of groups are distribution groups used for E mail distribution and security groups Establishing security groups allows you to create and apply security related policies including e Access to shared resources and the level of that access e User
30. L FTK Lab FTK Standalone Distributed Processing Manager s Distributed Processing Engine s 48 Ingest Abbreviation DF Digital Forensics DF DC1 DF DC2 DF Evidence DF Workspace DF Oracle DF SQL FTK Lab FTK DF DPM DF DPM1 DF DPM2 DF DPE DF DPE1 DF DPE2 Table 3 3 Recommended Naming Conventions for NIC Teaming NIC Team 1 Public Network For servers connected to one another NIC Team 2 iSCSI For servers connected to EqualLogic storage devices Table 3 4 Recommended Drive Letter Mapping Structure Call Name Drive Localor RAID Notes SAN Local Drive C Local RAID1 2xSAS 15 disks D Local CD ROM E F G SQL H SAN RAIDO 1 Must not be on SATA disks Oracle I SAN RAIDO 1 Must not be on SATA disks EV Vault drive J SAN RAID50 Backup to disk SAN RAID50 Spare L SAN RAID50 Evidence 1 M SAN RAID50 Evidence 2 N SAN RAID50 Evidence 3 0 SAN RAID50 Evidence 4 P SAN RAID50 Evidence 5 Q SAN RAID50 Evidence 6 R SAN RAID50 Evidence 7 S SAN RAID50 Ingest 49 Call Name Drive Localor RAID Notes SAN Evidence 8 RAID50 Evidence 9 U SAN RAID50 Workspace 1 V SAN RAID50 Workspace 2 W SAN RAID50 Workspace 3 RAID50 Workspace 4 Y SAN RAID50 Workspace 5 Z SAN RAID50 Figure 3 5 Recommended File Structure is Dell Forensics Domain 0000 EE S Ne N YOK amp amp amp X3 ES 0000 EE JH N 0000 666 FTI HOOK amp amp amp
31. Solution installation 56 Ingest Create an Image of the Target Storage Device 1 9 Within the AccessData Imager application click Create Disk Image In the Select Source pop up select the type of evidence you want to image Physical Drive Logical Drive Image File Contents of a Folder or Fernico Device and click Next NOTE The following uses the Imaging a Physical Drive option to demonstrate the image creation process The other file options are covered in the FTK User s Guide See Related Documentation and Resources on page 16 Using the drop down box select the physical drive you want to image from the available drives then click Finish In the Create Image pop up click and select the type of image you want to create Raw SMART E01 or AFF Then click Next Enter the requested information in the Evidence Item Information window Case Number Evidence Number Unique Description Examiner and Notes Then click Next In the Select Image Destination window browse to the storage area allocated for evidence images see Figure 3 5 for Dell s recommended file and server nomenclature enter an image filename and then click Click Start The Creating Image pop up appears and provides a progress bar of the operation NOTE The image creation process can take hours depending on the volume of data being added If you opted earlier to view a summary of the image results the Dri
32. Start Logoff Ok and not to simply click the boxed x in the upper right hand corner of the session window However you may still encounter this issue and here are two ways to resolve it 1 Manually log off the user a Open a session as the Citrix Administrator b Review the list of open sessions and manually close each session 2 Reboot the server Troubleshooting 97 98 Troubleshooting Index A D Analyze 9 10 67 77 Distributed Processing EnCase 82 compared to parallel types of analysis 77 processing 78 definition 78 Archive 9 11 67 68 93 using FTK 3 1 79 and recall times 89 client one click 88 using NTP Software ODDM 93 EnCase B analysis 82 Backup 89 create and export reports 85 datacenter enabled 39 agents 92 how to create an analysis job 83 best practices 89 DS how to open an existing case 82 network 91 off host 91 off host vs network 90 how to perform a signature analysis 84 how to run an analysis job 83 troubleshooting 95 C Collector F cleaning 23 deploying 34 Register 21 FTK 1 8 and 3 0 datacenter enabled ingest 56 1 8 datacenter enabled 42 3 datacenter enabled 43 3 Lab Edition 46 3 0 Lab Edition ingest 59 File Signature Analysis 78 Collector Profile configuring 23 Index 99 viewing reports 86 H Hash Analysis 77 Ingest 9 39 51 definition 10 using EnCase 53 using FTK 56 using SPEKTOR 51 L live ac
33. ally archive data that must be stored for legal purposes Requirements NTP Software ODDM requires Microsoft IIS Microsoft Framework SQL and Enterprise Vault NTP Software ODDM and Enterprise Vault must be installed on the same server Larger installations can maintain the SQL database on a dedicated server Installation For detailed installation instructions for NTP Software ODDM and NTP Software RCDM see the Dell Digital Forensics Installation and Configuration Guide See Related Documentation and Resources on page 16 for more information Archiving Using NTP Software ODDM User Driven Archiving 1 When the analyst stores data files NTP Software QFS will alert the user that the files may need to be archived Archive 93 2 The analyst selects the files to be archived using the NTP Software Storage Investigator and then clicks Archive However if the NTP RCDM add on is installed he right clicks the files When the files are selected the NTP Software Storage Investigator notifies NTP Software ODDM which in turn activates Enterprise Vault The archive request is added to the archiving queue 94 Archive Troubleshooting 6 Ingest Store Analyze Present Archive General Troubleshooting Tips Make sure all clients and servers can see each other that they are able to ping one another by both the NetBIOS name as well as by the IP address Make sure firewalls allow tra
34. ame time controlling costs A mix of SATA and SAS drives of varying capacities and performance levels can be tailored to match data profiles and this mix can be re evaluated periodically to maintain optimization over time Typically mission critical data such as case data for cases currently in the analysis stage is stored on high performance high cost drives while less urgent data such as case files for cases just beginning the appeals process or those cases that are closed is moved to low cost high capacity drives 66 Store Figure 4 1 Tiered Storage Usage for Archiving and Retrieval Figure 4 1 shows the suggested path for storage of digital evidence from the time that evidence is collected to its eventual long term storage on tape or final deletion Matching Evidence Archiving and Retrieval to the Life of the Case Evidence Seizure Analyze When the digital device is first seized a high tech crime lab will normally want to get the potential evidence off of the device as quickly as possible and start the analysis process The faster an analyst can search and index an evidence file the quicker a decision can be made whether to progress the case or not Evidence Identification Present When evidence has been potentially found during the analysis stage different skill sets may now be required Language technical drawings accounting etc The evidence now needs to be categorized by the view
35. and avoid exceeding the capacity of the Collector Triage 23 Configuring a Collector allows the user to determine a series of specific filetypes or files created between a specific set of dates that the Collector will pull from the suspect storage device for triage The more you are able to restrict your collection parameters the more quickly the target data can be acquired for review Dell recommends establishing a set of standard configuration profiles that you or your agency encounter repeatedly Examples of such standard configuration profiles are as follows e Photos and Videos would capture filetypes such as jpg png swf vob and wmvy which are associated with photographs video or other types of visual media Documents would specifically collect filetypes such as all pdf doc docx txt Audio Files would gather mp3 mp4 wav and other audio files Configuring a Collector for Acquisition LA NOTE For an explanation of the differences between standard and live acquisition see Standard vs Live Acquisition on page 20 LA NOTE When a Collector is configured for standard or live acquisition it must be cleaned before it can be reconfigured for use in the other type of acquisition 1 From the Collector Menu tap or click Configure Collector Figure 2 8 Collector Menu E 2 Configure Collector 154 e GB free space Lj 24 Triage 2 Ifyou have previously created a configurat
36. aptop controls the entire process from performing an automated analysis of targeted data to delivering detailed results in easy to use report format within a few minutes of data capture Using the Dell Solution the investigator will be able to run multiple triage scans in parallel with a single license key 18 Triage Collecting Digital Forensics Evidence Figure 2 1 Collection Workflow f secure scene M Is the device on re traine personnel estructive process running 5 evidence visible on the screen document and hotograph information request assistance do not turn device on 4 remove power cord from device s label all connections on device s locate and secure evidence 2 4 process all devices secure evidence Triage 19 Standard vs Live Acquisition The Dell Digital Forensics Solution offers two types of acquisition Standard and Live During a standard acquisition procedure the Dell ruggedized laptop uses the SPEKTOR boot disk to capture triage data from an already powered down target storage device A live acquisition triage procedure on the other hand aims to capture triage data from a still powered up target storage device obtaining evidence not otherwise available Previously industry standards required that the investigator unplug and seize a digital de
37. ator Citrix Issues Citrix Applications won t launch 1 Make sure all the services particularly MFCOM and IMA have started on the servers hosting XenApp 2 Make sure the client can see and ping the XenApp servers 3 Check the firewall on clients and XenApp servers to make sure XenApp ports are open 4 Check the Citrix license server to make sure the network licensing service has a license it can issue The Citrix Licensing Server is typically installed on one of the Citrix XenApp servers accessible via Start Programs Citrix Management Consoles Citrix Licensing 5 Open the Citrix Management Console Start Programs Citrix Management Consoles Citrix Delivery services console Then run a discovery to ensure that all the XenApp servers are present in the farm 6 Ensure that the application has been published to a valid XenApp server that is included in the farm 96 Troubleshooting 1 Look in the Citrix Delivery Services Console to make sure that the user launching the application is in a Group allowed to launch the application 8 For streamed applications make sure that User Account Control UAC is turned off on the server Frozen or Crashed Citrix Sessions When users do not log off from their Citrix sessions properly the orphaned sessions begin to slow and may eventually cause the server to freeze or crash Therefore it is extremely important that users follow best practices to formally and properly log off each session
38. ckout settings Passwords and other authentication policies are created using GPOs See Applying Security Policies Using Group Policy Objects on page 69 for information on creating and editing a GPO Suggested Strong Password Settings The following values are suggested when configuring password settings Enforce password history The number of unique passwords that must be used before a password can be reused Set to 24 Maximum password age Passwords must be changed every x days Set to 90 Minimum password age The number of days a password must be in effect before it can be changed Set to 1 or 2 Minimum password length Set to 8 or 12 characters e Password must meet complexity requirements Set to Enabled The following policies are applied Passwords must be at least 6 characters in length Passwords must include characters from at least three of these four categories e Uppercase characters e Lowercase characters e Numerals 0 through 9 70 Store e Symbols Passwords must not contain three or more consecutive characters from the account s name or user s name Fine Grained Password Policies In Windows Server 2008 Active Directory Domain Services supports Password Setting Objects PSOs that apply to particular global security groups or users within a domain A PSO can specify password length in characters password complexity minimum and maximum password age and other attribute
39. comprised of the following components Dell PowerEdge R410 R610 and R710 Rack Servers Dell PowerEdge M610 and M710 Blade Servers Dell EqualLogic 40006000 Series SAN Windows Server 2008 R2 Citrix XenApp 6 0 AccessData FTK 1 8 AccessData FTK 3 AccessData Lab Guidance EnCase 6 15 Introduction 13 e NTP Software On Demand Data Management Symantec Enterprise Vault Symantec Backup Exec 2010 e Dell PowerConnect Switches Extreme Networks Switches The Dell PowerEdge Rack and Blade Servers can fulfill a variety of roles file server evidence server archive server database server EnCase and FTK license servers backup server or domain controller They support Microsoft Active Directory and all the security and forensics software that make up the Dell Digital Forensics Solution 14 Introduction Figure 1 3 Dell Digital Forensics Solution Datacenter 1 PowerEdge R410 server or R610 server optional 2 Dell PowerConnect switch 3 Dell Precision or OptiPlex workstation 4 Dell PowerConnect switch 5 1GB data stream Dell PowerEdge M1000E and M610 Blade servers 10 GB data stream Dell EqualLogic PS4000 or PS6000 series storage systems Dell PowerVault ML class storage Introduction 15 About This Document This document covers each stage of the digital forensics process in its own chapter with additional chapters on troubleshooting hardware and software supported by the Solution Each of
40. deliver much quicker completion rates than tape All files can be encrypted onto tape for additional security when they reach the long term archive phase of the Solution which may require additional licensing Dell Backup Recommendations Backup of Evidence and Case files A forensics lab has three core file types Image files These are the forensically sound images of the suspect device Once ingested they never change and only need to be backed up once possible extensions E01 DD etc Evidence files tend to be found low in quantity but very large in size e Case files These are the data files and indexes that are the result of analyses they may need to be exported out of the forensics application The files change frequently if the case is currently live and they can contain multiple extension types requiring them to be backed up on a daily basis Case files tend to be numerous in quantity but usually very small in size e Database This file type is used only in 3 at the moment but it holds all of the links between the case files and the evidence files as well as all of the investigation bookmarks and notes Database file types must be backed up daily Figure 7 2 shows the suggested best practice for backing up a digital forensics lab Due to the fact that many forensics labs have 50 TB plus of storage it may not be possible to complete a full backup in a standard weekend backup window Archive 89 To
41. egabytes 1 MB 5 MB 10 MB or Entire File of the first part of files that you want to capture By collecting only the first part of very large files usually multimedia files you will be able to review enough of the files to determine the subject matter while minimizing the amount of processing time required LA NOTE If you did not select file extensions in step 6 no files will be collected and no filetypes will be displayed for selection in this screen Return to step 6 and select the required filetypes to activate for step 8 Figure 2 13 Profile Configuration Step 4 Quick Mode SPEKTOR Forensic Intelligence Control POD 23 Version 1 3 0 0 INTELLIGENCE MODE Collector Configuration Profile Wizard Quick Mode Live Non_System 107 COMMS Up 9j Quick mode REP First 23 5 First First 10M0 ww 5 23 6 Save Profile B 5 Foeennc Wee 2 Sop 1347 9 Click the right arrow in the upper right corner of the screen 10 Tap or click the appropriate button to select any system files that you want to include your collection 28 Triage Figure 2 14 Profile Configuration Step 5 System Files SPEKTOR Forensic Intelligence Control POD 23 Version 1 3 0 0 INTELLIGENCE MODE Collector Configuration Profile Wizard System Files Live Non_System Collect Windows Registry
42. egarding their preferred method s of digital evidence collection Introduction 11 e An end to end solution that significantly lowers the complexity of planning implementing and managing an enterprise level digital forensics process e An affordable and flexible solution that is modular and scalable expandable and pay as you go Solution Components In the Field The mobile portion of the solution fits into one hardshell case designed to fit into the overhead bin of an aircraft The rugged case carries all the tools and software required for onsite triage of suspect storage devices and it includes a Dell E6400 XFR Ruggedized Laptop with SPEKTOR forensics software pre installed Tableau Forensics Write Blockers with accessories an optional number of external USB hard drives that are licensed to work with the SPEKTOR software as triage image collectors a 50 1 card reader and the adaptors and cables listed in Figure 1 2 12 Introduction Figure 1 2 Dell Digital Forensics Solution Mobile Components 4A C9 N 5 1 2 12 d 2 5 BRS 7 6 50 1 card reader 6 Image restore disk USB DVD ROM 7 SPEKTOR boot disk Collector USB cables 8 Dell ruggedized laptop Phone cables option for SPEKTOR PI 9 ruggedized laptop power supply optional External hard drive Collectors 5 10 Pelican Case In the Datacenter In the datacenter the Dell Digital Forensics Solution includes a customized configuration
43. ence to Case pop up appears 2 Select the type of evidence to add to your case Acquired Image of Drive Local Drive Contents of a Folder or Individual File by selecting the radio button Then click Continue 3 Navigate to the image drive folder or file select the file and click Open If you selected Acquired Image of Drive as your evidence type an Evidence Information pop up will appear Enter the requested information and click OK If you selected Local Drive as your evidence type a TheSelect Local Drive pop up appears Select the local drive you want to add then select either Logical Analysis or Physical Analysis Click OK b Inthe Evidence Information window enter the required information then click OK If you selected Contents of a Folder or Individual File select the folder or file you want to add to your case then click Open 4 Click Next 5 Inthe New Case Setup is Now Complete window review your selections Then click Finish Ingest Using FTK 3 Lab Edition Create an Image of the Target Storage Device See Create an Image of the Target Storage Device on page 57 Create a Case 1 Click Case New The New Case Options window appears 2 Enter your case name and any reference or description information required by your agency Ingest 59 3 Browse to your Case Folder Directory and select your Processing Manager from the drop down box LA NOTE If you do not know where your Case Folder Directory
44. es Select Add on the Members tab Enter the name of the user computer or group that you are adding and then click OK Applying Security Policies Using Group Policy Objects Once you have created a group you can collectively apply security settings and other attributes to the members of that group by creating and configuring a Group Policy Object GPO Doing so makes it easy to maintain security for users and resources as your digital forensics organization changes Creating and Editing GPOs Creating a New GPO Windows Server 2008 In Windows Server 2008 GPOs are managed using the Group Policy Management Console GPMC 1 To open the GPMC click Start Administrative Tools Group Policy Management Navigate to the forest and domain in which you will create the new object and then click Group Policy Objects Click New Enter the name of the new GPO and then click OK Store 69 Editing a New GPO Windows Server 2008 In Windows Server 2008 GPOs are managed using the GPMC 1 To open the GPMC click Start Administrative Tools Group Policy Management 2 Navigate to the forest and domain in which the GPO resides and then click Group Policy Objects 3 Right click the GPO 4 Make the necessary changes to the settings and save them Active Directory Support for Secure Password Policies Active Directory supports a variety of authentication policies including smart cards strong password and account lo
45. es so you can analyze data that was collected in previous versions of Source Processor using modules that no longer exist Run an Analysis Job 1 From the Collected Data tab select the evidence that you want to analyze by first selecting the job name in the left pane Then select the actual evidence files in the table on the right Click Run Analysis The Select Analysis to Run dialog opens Analyze 83 3 Select the analysis job and then click Run Source Processor runs the analysis on the selected evidence When the analysis is complete the data browser displays Performing a Signature Analysis 1 Click Search 2 Check the Verify file signatures box in the Additional Options area in the lower right and then click Start The signature analysis routine runs in the background On completion a search complete dialog displays The dialog presents search status times and file data You can view these same data in the console Viewing Signature Analysis Results 1 84 Click Set Include in the Tree pane to display all files in the case At this level Set Include selects everything in the evidence file Organize the columns in the Table pane so that the Name File Ext and Signature columns are next to each other Sort columns with Signature at the first level File Ext at the second level and Name at the third level Scroll up or down to see all the signatures Click Set Include in the Entries selection
46. etworks Archive 91 The following figure shows the agents that are required per server for facilitating backup Figure 7 3 Backup Agents Qy Type Application OF X ien i 1 i RO weosener nj a 4 AlN N 5 Open File Agent AD Active Directory 0 Oracle Agent generic database agent required on Symantec s Backup Exec SA SQL Agent generic database agent required on Backup Exec NBU Net Backup Server BE Backup Exec Server EV Symantec Enterprise Vault backup license MI Monthly Full Backup daily incremental Ss System State taken once per month LA NOTE As data quantity grows with time an off host backup solution may be required 92 Archive How to Archive Using the Dell Digital Forensics Solution On Demand Archiving NTP Software ODDM and NTP Software Right Click Data Movement RCDM work in conjunction with Enterprise Vault to mitigate the need for scans of the entire file system as in the case of conventional archiving by implementing on demand archiving Storage costs are reduced and the quality of archiving is improved Depending on the stage of the data life cycle as described in Matching Evidence Archiving and Retrieval to the Life of the Case on page 67 the analyst may choose to archive data in longer term storage or retain the data for immediate access and processing In addition NTP Software ODDM can be used to automatic
47. ffic Reboot servers and clients to make sure that all installation and configuration changes have been recognized by the systems Forensics Software Specific Issues EnCase EnCase launches in Acquisition Mode This issue indicates that EnCase has no license 1 Within EnCase select Tools Options and make sure the User Key Path Server Key Path and Server Address are filled out these fields should point to the locations of the license keys 2 Check the firewall on the client and EnCase license server to make sure port 4445 is open 3 Make sure the client can ping the EnCase license server Troubleshooting 95 Lab Browser launched by client cannot display User Interface 1 Make sure the client has MS Silverlight installed 2 Make sure Oracle services have started on the server hosting the Oracle database FTK 1 8 5000 object limit trial version message If you receive this message FTK has no license Ensure that the network license server is working and has the FTK 1 8 licenses in place 1 Opena browser window on the server hosting the network license service and enter http localhost 5555 into the address bar 2 Observe whether or not the licenses are in place If they are not you must install the licenses FTK 1 8 Cannot Access Temp File error appears on launch Allow the user launching the application or their Citrix session to have access to the server hard drive OR run the application as an administr
48. gh speed storage and retrieval across an enterprise level network environment allow for a multiuser configuration that increases efficiency and productivity Analysts will no longer have to allocate their individual computing assets to complete evidence analysis as all this will happen on the server dedicated for that purpose Analyze The parallel processing capability provided by the Dell Digital Forensics Solution allows the analyst to index and triage data on high performance servers rather than on far less powerful individual PCs Additionally multiple analyst sessions may be run concurrently on single or multiple workstations using the back end configurations that comprise the Solution This capability helps protect both system and evidence integrity helps prevent the need for workstation rebuilds if malicious code is mistakenly executed helps preserve chain of custody and obviates the need for analyst workstation rebuilds when moving from one case to the next In the Digital Forensics environment Chain 10 Introduction of Custody may be defined as maintaining the integrity of digital data as evidence from the time it is collected through the time findings are reported and until the time it may be presented in a court of law 99 Present Using the Dell Digital Forensics Solution viewing teams and investigators can access potential case evidence securely and in real time thus mitigating the need to release evidence on DVDs
49. he new case and open it Click Add after the new case is opened and the Manage Evidence dialog box is automatically opened Select the evidence file to add and then click Open The path to the evidence is designated by drive letter by default Change the path to UNC format by changing the drive letter to the machine name or IP address where the evidence file is located according to the following syntax W computername or IP address pathname filenam e Leave the remaining path as is The UNC path to the evidence is illustrated in the following figure Figure 5 2 Manage Evidence Dialogue Box x Path abde3 E01 Washer 15 1 E Mantooth32 E01 messier e01 ID Name 01 precious E01 Description E Washer 15 E01 Evidence Group 30 Manage Add Remove Refinement Options Language Setting Time Zone America Denver 2 Field Mode Case KFF Options eme 9 Click OK Analyze Checking the Installation When you have completed the installation open the Task Manager on the remote computer and keep it open while you add the evidence and begin processing These steps will allow you to watch the activity of the ProcessingEngine exe in the Processes tab The Distributed Processing Engine does not activate until a case exceeds approximately 30 000 items When it does activate you will see the CPU percentage and Memory usage increase for the ProcessingEngine exe in the
50. igital Forensics Lifecycle SS Triage The triage process allows the digital forensics investigator the opportunity to quickly view the contents of target devices to determine whether or not the device should be removed to the lab for further analysis and preparation for presentation in court Introduction 9 amp Ingest Ingest is the stage of the digital forensics process in which the target data is imaged unless it has been imaged in the field as part of the Triage stage and an exact copy of the suspect storage device is created in such a way that the integrity of the duplicate can be assured by comparing hashes of both the original and duplicate data drives In common with existing practices suspect data is imaged in the Dell Digital Forensics Solution Instead of imaging data onto a single workstation however the imaged data is ingested into a central evidence repository By ingesting data immediately into the datacenter data is available to multiple analysts transfer from one device to another is minimized and productivity and efficiency is dramatically improved Ingestion can however take place in the field if the target storage capacity is small enough The Dell Digital Forensics Solution provides onsite ingestion through the use of an optional SPEKTOR Imager module N Store The Dell Digital Forensics Solution provides a wide range of possible storage and network access options to suit the individual customer Hi
51. indicator will show the new Collector or store disk number and its status will change to Dirty 22 Triage Figure 2 6 Dirty Collector and Store Disk Icons NOTE Collectors and store disks whether newly registered or previously used on other data collections must be cleaned before they can be deployed against a target 6 Fora store disk only enter the serial number of the store disk Clean a Collector or Store Disk NOTE Allow approximately two hours 100 GB of Collector volume 1 Select the Status Indicator representing the Collector you want to clean 2 Onthe Collector Menu tap or click Clean Collector 3 Tap or click Yes to confirm your selection Cleaning begins and the Status Indicator will confirm the cleaning progress When cleaning has completed the software will run a verification program to confirm that the only characters on the Collector drive are zeros Figure 2 7 Registered Clean Collector and Store Disk Status Indicators LA NOTE If the cleaning process has not been successful the status indicator will indicate that the Collector remains dirty You will need to re initiate the cleaning process If cleaning is unsuccessful a second time try another Collector or store disk Configure a Collector Profile LA NOTE By default configuration settings in the triage software are setto collect no files Specify a restricted subset of all files on the target device to lower collection time
52. ing teams The heavy processing is now over so the evidence can reside on slower more cost effective long term storage Waiting for Trial Archive After all the potential evidence has been gathered and the case is proceeding normally there is no need to keep the case data and evidence images in online storage where it can be accessed instantaneously In normal cases the lab will be able to cope with case recall time of days which may be done proactively if a known forward event will trigger the need for the Store 67 case data This approach reduces the cost of storage in the forensics lab because all data does not need to be kept in the lab no matter what the current relevance it can be moved seamlessly to slower storage Trial Present In the event of the case making it to trial the forensics lab will want to have quick access to the evidence and case data to respond to any questions during the court case Custodial Sentence Archive In the event of a custodial sentence most countries require the Police or justice department to keep the evidence and case files for a minimum period or the length of the custodial sentence plus a reasonable time for appeal or 99 years The goal here is to put the data onto a long term inexpensive storage medium that protects the integrity and confidentially of the data Appeal Present In the event of appeal the case data and evidence may need to be recalled for further analysis or
53. ion profile that you want to use select the profile and tap or click Configure using selected profile to initiate configuration of the Collector otherwise tap or click New to create a new profile NOTE Figure 2 9 shows the Selected Profile screen at first use of the software before any profiles have been defined and saved when you have begun creating configuration profiles they will appear in this screen for your use NOTE Navigation from one of the Collector Configuration screens to the next is accomplished by tapping or clicking the left and right arrow buttons at the top and to one side of the screen Figure 2 9 Select Profile Collecter Configuration CPi Ci Sebe ted Pretite 4 Me Profiles 3 Determine the type of acquisition you want to perform Live or Standard see Standard vs Live Acquisition on page 20 for further information on the difference between Live and Standard Acquisition types then tap or click either Live Acquisition or Standard Acquisition Triage 25 Figure 2 10 Profile Configuration Step 1 Acquisition Type Collector Configuration Profile Wizard New Profile 10 7 DA z lal Live Aquisition omary Collection Optians Include Please Acquisition should only be used on Windows PC s that currently on f the target computer is off Standard Acquisition shoud be used 4 Determine the timestamp settings for your
54. ired image in the case file associated with the device where the image was taken Replace a source device adds the newly acquired image to the case and removes the previewed device where the acquisition was made d Click Finish When the imaging process is complete the Acquisition Results dialog box will be displayed Working with Tableau Write Blockers VAN CAUTION Do not remove a hard drive from a forensic bridge while the power is on A CAUTION Do not use USB cable extenders with any forensic bridge 54 Ingest Connecting the Tableau Write Blocker to a SATA Hard Drive 1 Ensure the T35es Forensic SATA IDE bridge s DC IN B is in the B On position Connect the TP2 or TP3 power source to the left side of the T35es SATA bridge using the 5 pin Mini DIN connector Connect the power cable to the TP2 power source and also into an electrical socket Turn the power on to verify that the write block LED is on then turn off the power to the bridge prior to connecting to the target storage device Connect the female Molex connector of the TC5 8 SATA Style power cable to the DC OUT position located on the right side of the T35es SATA IDE bridge Connect the SATA power connector of the TC5 8 SATA Style power cable to the target hard drive s SATA power connector A CAUTION Using both Molex and SATA power connections when connecting to a 10 11 target storage device will overload the target device Connect the TC3 8 SATA sig
55. is complete tap or click OK 52 Ingest 2 h Unplug the target storage device and the store disk from the ruggedized laptop then return the store disk to the datacenter for storage and analysis NOTE Transferring an image may take a long time six hours for a typical 60 GB hard drive transfer is not unusual Ingest Using EnCase In the Dell Digital Forensics Solution licensing for EnCase is accomplished using a network licensing system Typically an instance of EnCase SAFE is installed on one of the datacenter servers and a dongle containing multiple user licenses is connected to that server EnCase clients are configured to look to that server for licensing and no local dongles are required See the Dell Digital Forensics Installation and Configuration Guide for further information See Related Documentation and Resources on page 16 Also see your network systems administrator for information specific to your agency s Solution installation 1 Attach the target storage device to the appropriate ingest workstation in the datacenter a If you are imaging a SATA drive see Connecting the Tableau Write Blocker to a SATA Hard Drive on page 55 for further information b Ifyou are imaging an IDE drive see Connecting the Tableau Write Blocker to an IDE Hard Drive on page 55 for further information Create a new case NOTE The following instructions refer to the network and folder structure outlined as Dell s sugges
56. ivity the number of devices to be analyzed can escalate dramatically Digital forensics provides a means for acquiring data retrieved from computers or other digital devices mobile phones games consoles flash drives GPSs etc and the scientific examination and analysis of that data in a manner that ensures the information can be used in a court of law The Dell Digital Forensics Solution comprises the first end to end true enterprise level solution for law enforcement corporate and government security agencies and e discovery organizations providing all the hardware software and service and support necessary to collect triage ingest or image store analyze report and archive digital evidence Using Dell s scalable and affordable enterprise server and storage hardware and depending on the requirements of your software environment Oracle database systems on the back end a combination of Dell s ruggedized laptops and SPEKTOR software in the field and full service and support from Dell 8 Introduction investigative personnel can conduct digital forensics data triage and collection quickly and simply ensuring chain of custody from the field to the datacenter and into the courtroom The Dell Digital Forensics Lifecycle The Dell Digital Forensics Solution assists the forensics investigator across the six stages of the forensics lifecycle Triage Ingest Store Analyze Present and Archive Figure 1 1 The Dell D
57. le extensions will be collected Quick mode will NOT be used A comprehensive Windows registry dump WILL be performed Live AND deleted files will be recovered v Configure using selected profile Cancel ez Sop E 16 Taporclick Configure using selected profile to initiate configuration of your Collector 32 Triage Figure 2 18 Selected Profile After Profile Creation SPEKTOR Forensic Intelligence Control POD 23 Version 1 3 0 0 INTELLIGENCE MODE Collector Configuration CP23 C6 Creating partitions for collections and reports 2 Formatting partitions for LIVE acquisition Configuring Collector Success 29 23 5 A A 29 23 6 Xv B SPEKTOR Fono weet 22 sep 139 17 Taporclick OK to begin Collector configuration This process will take only a minute or two When the configuration of your Collector is complete the Collector is ready to be deployed against a target computer or target storage device See Deploy Triage Tools on page 33 18 Click the right arrow in the upper right corner of the screen Deploy Triage Tools LA NOTE For the differences between live and standard acquisition see Standard vs Live Acquisition on page 20 LA NOTE Although it is possible to use a Collector for several cases best practices strongly recommend that each Collector contain only the data pertaining to a single case although data from multiple storage device
58. led FTK 3 solution the application is hosted on a Dell server device s in the datacenter providing a single FTK 3 application session per server Ingest 43 Single FTK 3 Server Solution In the single FTK 3 server solution a single FTK 3 client can connect to a single server The client is pointed to this server and cannot connect to any other FTK 3 server In the event of a server failure the client connection will be lost The FTK 3 server will also be running the local FTK embedded Oracle database because this version of the database does not support collaboration between other FTK Oracle databases or other FTK users Multiserver Solution No High Availability In the multiserver solution each client will connect to their home FTK 3 server and cannot connect to any to other 3 server When a server has a session of FTK 3 running it is no longer available to accept any new FTK 3 client session the software setup in the Dell forensic framework makes it impossible for a server to run more than one session of the FTK 3 application simultaneously By allowing only one session to run per server the multithreaded FTK 3 application is able to devote all available server resources to processing a case thus improving performance 44 Ingest Figure 3 3 Datacenter enabled 3 Client and Server Schematic Using Standard edition each server must run a local version of the FTK embedded Oracle database
59. multaneously from different workstations Work can be triaged according to difficulty and assigned to analysts with differing levels of experience a junior analyst can take charge of the more time consuming task of pulling graphic files from an E01 file while the more experienced senior analyst can better spend her time doing more complicated review and analysis of those graphic files Scalability On the back end Solution datacenter components are modular and they are designed with scalability in mind Because the datacenter is handling the workload workstations do not have to be loaded with memory or computing power In fact very inexpensive lightweight terminals can be used to access the required evidence files and even the analytical software stored within the datacenter Security The escalating trend toward information aggregation makes our data storage systems increasingly vulnerable At the same time access to evidence storage should be the most rigorously controlled area of a digital forensics system Best practice calls for implementation of a three tiered strategy e Strictly regulated physical access that limits access to the hardware on which your evidence data resides e An administrative control layer that includes the use of group policies e Computer based security such as secure password creation policies To this end when the issue of designing the volume and structure adequate to your needs is addressed see
60. nal cable to the T35es SATA IDE bridge Connect the other end of the TC3 8 SATA Signal Cable to the target storage device Plug one end of the data cable USB 2 0 two Fire Wire 800 connections or Orion 4 pin FireWire 400 to one of the ports on the left side of the T35es SATA IDE bridge Plug the other end of the data cable to a port on the Dell ruggedized laptop or on the Dell OptiPlex workstation Flip the switch on the top of the T35es SATA IDE bridge to the A ON position The Dell ruggedized laptop or Dell OptiPlex workstation should now register the presence of the target storage device Connecting the Tableau Write Blocker to an IDE Hard Drive 1 Ensure the T35es Forensic SATA IDE bridge s DC IN B is in the B On position Connect the TP2 or TP3 power source to the left side of the T35es SATA IDE bridge via the 5 pin Mini DIN connector Ingest 55 LA NOTE The 7 Pin DIN plug on the TP3 Power Supply will not work with the Tableau 10 11 bridges You must use the included 7 pin DIN to 5 pin DIN TCA P7 P5 adapter cable to connect the TP3 power supply to the Tableau bridges Connect the power cable to the TP2 power source and also into an electrical socket Turn the power on to verify that the write block LED is ON then turn the power to the bridge OFF before connecting to the target hard drive Connect one female Molex connector of the TC2 8 Molex style Power cable to the DC OUT located on the right side of the T35es
61. nect to any other 1 8 server In the event of a server failure all client connections will be lost The user can run only one session of FTK 1 8 per each Windows user account Multiple FTK 1 8 Sessions Per Desktop In the multiserver FTK 1 8 solution a user will connect to the FTK 1 8 servers by using multiple desktop icons FTK Serverl FTK 2 etc Each link is associated with a specific server For illustration purposes Figure 3 2 shows the border of the running FTK 1 8 server session as color coded to the server running the session of 1 8 serverl blue server2 red Two sessions of the FTK 1 8 application cannot be run from the same server using the same user account The server based FTK 1 8 application user experience is the same across clients 42 Ingest Figure 3 2 Multiple FTK 1 8 Client and Server Schematic In the event of a server failure the user would lose access to the corresponding server session of FTK 1 8 In this case the user would need to continue to function using the other FTK servers All case and evidence information assuming the user has NAS access privileges is available from all server sessions of FTK 1 8 through the shared NAS SAN Each FTK 1 8 server can support x user sessions where x number of cores x 2 Each user session requires 3 GB of server RAM and 1000 I O per second of datacenter disk performance Datacenter enabled 3 In the datacenter enab
62. new profile The more specific you can be the shorter time it will take to process the captured files Figure 2 11 Profile Configuration Step 2 File Timestamp Settings Collector Configuration Profile Wizard File Timestamp Filter New Profile t fw bst 6 Do not fiter on ome stamps 26 Triage Click the right arrow in the upper right corner of the screen 6 In the File Extension Filter screen select the filetypes you want to collect Use the right arrow to move the selected filetypes and their associated extensions from the Not Selected to the Currently Selected list box Figure 2 12 Profile Configuration Step 3 File Extension Filter SPEKTOR Forensic Intelligence Control POD 23 Version 1 3 0 0 INTELLIGENCE MODE Collector Configuration Profile Wizard Live Non_System File Extension Filter Colect fies with extensions matching following kst only Not Selected Currently Selected J i E CP23 C5 214 Y v lal A R f 23 6 See ian 1 mmm ee di Wet 2 Sep 13 07 7 Click the right arrow in the upper right corner of the screen when you have finished selecting filetypes and extensions 21 Triage LA NOTE Unless specifically required it is suggested that you leave Quick Mode off 8 Inthe Quick Mode screen select the number of m
63. o apply the additional resources of up to three additional computers at a time to the processing of your cases Once you have installed and configured the Distributed Processing Engine you can reduce your case processing time exponentially LA NOTE As a rule of thumb using Distributed Processing does not reduce processing times unless the number of objects to be processed exceeds 1 000 times the number of cores that exist within the system For example on a system with eight cores the additional distributed processing engine machines may not lower processing time unless the evidence contains more than 8 000 items LA NOTE For information on installing and configuring the Distributed Processing module as part of your Solution refer to the appropriate section of the User Guide 1 Make sure the case folder is shared before trying to add and process evidence If you are following Dell s recommended filenaming conventions the case folder should be located on your workspace drive W If you are unsure where your case folder is located contact your systems administrator Analyze 79 7 8 Enter the path to the case folder in the Create New Case dialog box in UNC format computername_or IP address pathname filen ame Click Detailed Options and select options as you normally would Click OK to return to the New Case Options dialog box and enter a check mark beside the Open the case option Click OK to create t
64. ons 48 How to Perform Ingest Using the Dell Digital Forensics Solution 51 Ingest Using 5 51 Ingest UsingEnCase 53 Ingest Using 1 8 and 3 0 Datacenter enabled 56 Ingest Using Lab Edition 59 E STONE ha gies Week RENE eM 63 Efficiency cA otc Rande 63 Contents Scalability 64 WS eee 64 Physical AccessLayer 64 Administrative Control Layer and Active Directory 65 Computer Based Security Layer and Active Directory 65 Tiered Storage 66 Matching Evidence Archiving and Retrieval to the Life of the Case 67 How to Set Up Storage Security Using the Dell Digital Forensics Solution and Active Directory 68 Creating and Populating Groups in Active Directory 68 Applying Security Policies Using Group Policy Objects 69 Creating andEditingGPOs 69 Editing a New GPO Windows Server 2008 70 Active Directory Support for Secure Password POIIGIES 5 5 eS duc te o BA ues 70 Active Directory User Accounts 7 Create a Non administrative User 73 Setting Up Security for Individual Case and Evidence Files 74 5 JADSIVZE io ee ee Set ES 77 Types ofAnalysis 11 8 17
65. orm a background process to move that file to either a tape device or to a near line storage device This process happens completely seamlessly in the background with no performance degradation to the user s workstation whatsoever When the background process has been completed the file icon attributed to that file will change to grey to clearly indicate to the user that the file has been archived but the folder and file structure are still visible so the user can easily find the file again in the future for restoration purposes To restore a file the user 88 Archive merely needs to navigate through the original folder structure locate the folder or file she wants to restore right click the file or folder and then select the restore option Dell recommends that all evidence and case files be located on a central scalable NAS device that allows for a central expandable point of storage allowing for easy collaboration between analysts This recommendation also allows a single point of audit for chain of custody purposes When a file has been selected for archive it is moved into the next available system processing window from the primary storage to a secondary option tape or near line Archive and recall times will vary greatly depending on the current traffic to and from the centralized NAS storage the current files being archived and the type of media that comprises the secondary storage option For example near line SATA will
66. ou keep accurate and detailed notes during this procedure as part of chain of custody best practices NOTE You do not need the SPEKTOR Boot Disk to accomplish a live acquisition deployment Click Deploy Collector Target Computer On the target device navigate to My Computer or Computer on those computers operating under Windows Vista or Windows 7 Double click Collector icon appears when it appears to view the contents of the Collector Figure 2 19 Collector Icon 4 Click the folder named with the highest number Only one folder will appear if this is your first deployment since cleaning this Collector Right click spektor live exe then select Run as administrator in the drop down box If a message appears asking you to grant permission for the application to run as administrator click Continue Triage 35 Figure 2 20 Run as Administrator qe MEE SO v Bh Open Bem Fevostes z utrne spior 0522219 stas Open Computer A M ELTETT anea amp Loca C1 wen324d ys Trostieshect comp za COLECTOR 2 a Tp na Pw to Taibo Per ta Start Maru pronn anera Serd te Cat Copy Creste shortcut Detete amp pektor BMae sg Cuts madhet B 6 Enter the information requested in SPEKTOR Live Collection screen then click Run When prompted click Close 8
67. quisition vs standard acquisition 20 Network Configuration 48 drive letter mapping 49 file structure 50 IP address structure 48 NIC teaming naming conventions 49 server naming conventions 48 NTP Software 93 NTP Software RCDM 93 0 On Demand Archiving 93 installation 93 ODDM 93 RCDM 93 requirements 93 Present 9 11 67 68 85 Ruggedized laptop how to turn on 20 5 Solution Components 12 in the datacenter 13 in the field 12 SPEKTOR clean a collector or store disk 23 configure a collector for acquisition 24 deploying against targets 33 ingest 51 optional imager module 10 register a collector or store disk 21 review reports 36 standard acquisition vs live acquisition 20 Store 9 10 63 Index 100 Store Disk cleaning 23 register 21 T Tableau Write Blocker 54 connecting to IDE HD 55 connecting to SATA HD 55 Tiered Storage 66 Triage 9 17 87 definition 17 how to perform 20 reviewing collected files 36 Troubleshooting 95 Citrix 96 EnCase 95 forensics software 95 FTK 1 8 96 FTK Lab 96 general tips 95 Index 101 102 Index
68. re you must be a member of the Account Operators group Domain Admins group or the Enterprise Admins group in Active Directory or you must have been delegated the appropriate authority As a security best practice consider using Aun asto perform this procedure For more information see Default local groups Default groups and Using Run as Establish an FTK Service Manager Account LA NOTE During the course of FTK installation you will be asked for the name of the user account that you plan to use for managing the Distributed Processing feature Do not use If you are using the distributed processing feature of FTK as one of your digital forensics tools you must create an FTK Service Manager account in Active Directory to handle automatic updating of passwords During the FTK installation process you will be asked to provide the name of the user that will be used to monitor and manage the distributed processing function This account must be created as a service in Active Directory and it must have administrator privileges but should not be the Administrator account to provide the continual handshake between FTK and the evidence server that the distributed processing feature requires 1 In Active Directory open Administrative Tools and then click Active Directory Users and Computers In the console tree double click the Domain node In the Details pane right click the organizational unit where you want to add the service accoun
69. rights including password requirements e Account lockout policies e Software restriction policies Distribution of security patches to notebooks desktops and servers For example you can create a group containing administrative workstations and a second group containing administrative users Then you can use Group Policy Objects GPOs to limit access to those workstations and members of the administrative users group See Applying Security Policies Using Group Policy Objects on page 69 for information on working with group policy objects Computer Based Security Layer and Active Directory Active Directory also provides Kerberos a network authentication security protocol that allows nodes communicating over non secure networks to prove their identity to one another in a secure manner See Active Directory User Store 65 Accounts on page 71 for information on working with user accounts and see also Active Directory Support for Secure Password Policies on page 70 for information on password creation Additional Information on Security and Digital Forensics SP 800 41 Rev 1 Sept 2009 Guidelines on Firewalls and Firewall Policy SP 800 46 Rev 1 Jun 2009 Guide to Enterprise Telework and Remote Access Security SP 800 55 Rev 1 Jul 2008 Performance Measurement Guide for Information Security Tiered Storage Dell s Digital Forensics Solution uses tiered storage strategies to accommodate rapid data growth while at the s
70. s Consequently you can create multiple PSOs that correspond to the organizational structure of your digital forensics facility For example you can use PSOs to implement longer passwords that expire monthly for administrative users and shorter passwords that expire every three months for analysts Active Directory User Accounts Establishing User Accounts for Forensics Analysts 1 Open Active Directory Users and Computers a Click Start Control Panel b Double click Administrative Tools and then double click Active Directory Users and Computers 2 Inthe console tree right click the folder in which you want to add a user account Where Active Directory Users and Computers domain node folder Point to New and then click User In First name type the user s first name In Initials type the user s initials In Last name type the user s last name Modify Full name to add initials or reverse order of first and last names og 43 C In User logon name type the user logon name click the UPN suffix in the drop down list and then click Next Store 71 If the user will use a different name to log on to computers running Windows 95 Windows 98 or Windows NT then you can change the user logon name as it appears in User logon name pre Windows 2000 to the different name 9 In Password and Confirm password type the user s password and then select the appropriate password options LA NOTE To perform this procedu
71. s from that single case may be stored on the Collector Triage 33 Deploy a Collector for Standard Acquisition Against a Target Computer E Nis wn 34 WARNING You must change the system boot order from within the target computer s system BIOS before attempting a standard acquisition If the target computer is set to boot from its hard drive instead of from the optical drive with the SPEKTOR boot disk in place the target computer s drive contents will be altered Ensure that you know how to access the target computer system BIOS before powering up the target computer WARNING Before powering up the target computer ensure that you have placed the SPEKTOR boot disk in the optical drive to which the target computer is set to boot Failure to boot up the target computer without the boot disk in place will result in the alteration of the target computer s drive contents NOTE You must have a SPEKTOR boot disk to accomplish a standard acquisition deployment against a target computer See Burn a Boot CD for Standard Acquisition Procedures on page 21 for further information on creating a boot disk On the Dell ruggedized laptop tap or click Deploy Collector Select Target Computer Click OK then unplug the Collector from the Dell ruggedized laptop Plug in the Collector to an available USB port on the target computer NOTE Dell recommends that you always use the target computer s internal optical drive with the boo
72. speed of distributed processing economies of scale and substantial cost savings that an enterprise level parallel processing and tiered storage architecture has to offer Additionally within this configuration it is difficult at best to efficiently share data or collaborate with internal and external teams to ensure regular and reliable evidence data backups to audit file changes and most importantly to ensure file integrity and security Efficiency The Dell Digital Forensics Solution can adapt to many different IT configurations The closer the configuration is to a true enterprise level design comprised of workstations dedicated processing servers capable of distributed processing a network infrastructure based on parallel rather than serial communication and storage the greater the payoff will be in terms of efficiency There is less and faster network traffic because distributed processors do the bulk of the work the network is only transferring the results of that work rather than the actual evidence files themselves When evidence files are maintained on the server instead of on the workstation the analyst is free to use the workstation to initiate and monitor multiple jobs rather than being restricted trying to process a single job Furthermore analyses Store 63 can be completed even more quickly because several analysts and consulting specialists such as foreign language experts can work on the same E01 file si
73. t Select New and then click User 4 InFirst name type FTKServMgr for the service account leave Last name blank 5 Modify Full name as desired 72 Store 8 9 In User logon name type FTKServMgr The service account will log on with the name you entered From the drop down list click the UPN suffix that must be appended to the service account logon name following the symbol Click Next In Password and Confirm password type a password for the service account Select the appropriate password options and then click Next Click Finish to complete creating a service account Create a Non administrative User Account 1 oF c N 2 10 Log to a computer running Windows Vista with an administrative user account Open the Start menu Right click Computer and then click Manage Click the arrow next to Local Users and Groups Right click Users and then click New User Type the name of the user for whom you are creating an account For example if you want to name the user webuser1 then you would type webuser1 in the Username field and also in the Full name field Type a password that you will remember in the Password and Confirm Password fields NOTE Passwords are case sensitive The password you type in the Password and Confirm Password fields must match to be able to add the user account Uncheck the User must change password at next logon check box Check the Password never expires and User canno
74. t change password check boxes Click Create and then click Close Click File and then click Exit Store 73 Setting Up Security for Individual Case and Evidence Files 74 1 In Windows Explorer navigate to the file for which you will establish file permissions Right click the file and then select Properties Click the Security tab Uncheck the check box beside Everyone if necessary Add only the users who will be requiring access to the file as determined by the policy of your workplace a Click Add b Inthe Enter the object names to select field enter the names of the appropriate users Then click OK c Modify the Permissions for each user as determined by the policy of your workplace Store Store 75 76 Store Analyze o x IAI Triage Ingest Store Anaya Present Archive There are several different types of analyses the investigator needs to be able to conduct on evidence data including file signature and hash analysis and extensive indexing and keyword searches All of these analyses require considerable processing power as evidence files for a single case can reach sizes approaching the terabyte range and processing these files can take tens of hours even days using datacenter architectures commonly set in place today Investigators attempting this analysis on a single workstation must take this issue into account when scheduling case processing because the analysis and indexing of
75. t disk If this is not possible use an external optical drive with a USB connector Place the SPEKTOR boot disk in the optical drive Access the target computer s system BIOS program and change the boot order so that the target computer will boot from the optical drive The SPEKTOR boot disk will load and the boot drive interface will display Enter the information requested on the screen pressing Enter or the arrow keys to move between fields then move to the COLLECT field and press Enter to begin data collection CAUTION Do not remove the SPEKTOR boot disk from the optical drive until the target computer has shut down completely When the collection process is complete press Enter to shut down the target computer Triage 9 Remove the SPEKTOR boot disk from the optical drive unplug the Collector from the target computer s USB port and plug it into an available USB port on the Dell ruggedized laptop Deploy a Collector for Standard Acquisition Against a Target Storage Device 1 Plug the target storage device into either the read only USB port or the firewire port of the Dell ruggedized laptop Tap or click Deploy Collector Tap or click Target Storage Device enter the required information then tap or click Collect from Device When the collection has completed unplug the target storage device from the USB port and tap or click OK Deploy a Collector for Live Acquisition NOTE Ensure that y
76. ted best practice for its Digital Forensics Solution see Figure 3 5 for further information a Click New and then enter the information requested b On the W drive work area create folders using the following structure W N CaseName EnCase6 Export W N CaseName EnCase6 Temp W N CaseName EnCase 6 Index c Click Finish d Click Yes for each request to create the folder Ingest 53 e Inthe EnCase Acquisition screen click the Add Device menu option f Ensure that the Sessions checkbox is checked g Inthe right hand pane select your case h Click Add Evidence Files then navigate to the E01 repository using the best practice configuration outlined in Figure 3 5 this repository should be stored on drive X i Click Next2 Next Finish A stopwatch icon appears in the lower right portion of the EnCase Acquisition screen and EnCase will verify the E01 file Depending on the file size the verification may take some time 3 Within the EnCase software add the target storage device using the Add Device wizard 4 Acquire your device content a From within the EnCase software click Cases Entries Home then right click the device you want to acquire b Select Acquire from the drop down menu Inthe After Acquisition dialogue box select the appropriate New Image File type e Do not add the options that exclude the newly acquired image from the case currently open e Add to Case adds the newly acqu
77. tware Dell s Solution consists of modular components that provide a scalable environment that can be expanded to meet growing demands for processing and storage requirements The Solution s formalized backup recovery and archiving BURA infrastructure helps optimize cooperation between agencies and forces and across borders It frees up administrative burdens by automating much of the task of backing up data provides consistency between interagency labs and minimizes risks to the digital chain of custody Archive 87 Figure 7 1 Cross media Cross case Search Capabilities of the Dell Solution A very powerful optional search component allows information correlation between ingested data sets This component provides the ability to conduct internet like searches on the entire case data store both of active and of online content as well as archived material from previous cases Client One Click Archive Solution Using the Dell Digital Forensics Solution archiving and retrieval tools an analyst can archive or recall both single files and entire directory structures with the right click of his mouse Additional right click commands have been added to the NTP On Demand Archiving software so that the user has to simply select and archive or select and restore data When a file has been selected for archiving an additional window will appear prompting the user to confirm the action When confirmed the solution will perf
78. ve Image Verify Results window will appear when the image creation process completes Review the results and then click Close Click Close again to close the Creating Image window Create a Case 1 2 Click File2 New Case Enter the following Investigator Name Case Number Case Name Case Path and Case Folder In the Forensic Examiner Information window enter the following Agency Company Examiner s Name Address Phone Fax E Mail and Comments Then click Next Ingest 57 58 In the Case Log Options window select the set of options you want to change Case and evidence events Error messages Bookmarking events Searching events Data carving Internet searches Other events In the Processes to Perform window select the processes you want to conduct Select the Processes from the following options MDS Hash SHAI Hash KFF Lookup Entropy Test Full Text Index Store Thumbnails Decrypt EFS Files File Listing Database HTML File Listing Data Carve Registry Reports Click Next From the Refine Case window include or exclude different types of data from your case Pre configured options include five common requirements Include All Items Optimal Settings Email Emphasis Text Emphasis Graphics Emphasis Click Next Ingest 8 From the Refine Index window include and exclude different types of data from the indexing process 9 Click Next Add Evidence 1 Click Add Evidence The Add Evid
79. vice for transport and examination back at the lab This practice meant the loss of potentially valuable evidence in the form of stored volatile data any data stored on the clipboard currently open files the contents of RAM and cached passwords etc Additionally encrypted data may be lost should the computer be shut down prior to imaging the disk Furthermore many computers have BIOS and hard drive passwords that are user determined and removing power from a live system with a BIOS password can cause loss of access to the entire content of the device Industry best practices require the investigator to approach a suspect data storage device with the following guidelines in mind e If the device is powered on keep it on where possible until a thorough investigation can be performed Ifthe device is powered off leave it off The reason for these guidelines is that the investigator must be careful to preserve the storage device as he finds it at the scene and to introduce as little change as possible to the device and its contents How to Perform Triage Using the Dell Digital Forensics Solution Turn on Your Dell Ruggedized Laptop 1 Press the power button to log on to the Dell ruggedized laptop The laptop automatically loads the SPEKTOR software 2 Taporclick Accept EULA The Home screen opens 20 Triage Figure 2 2 Home Screen SPEKTORO Forensic Intelligence Control POD 23 Version 1 3 0 0 INTELLIGENCE MODE
Download Pdf Manuals
Related Search