
Report on forensics tools (Báo cáo tìm hiểu công cụ forensics)


DOCUMENT INFORMATION

Pages: 21
Size: 1.13 MB

TABLE OF CONTENTS

OSFORENSICS FEATURES: 1
ACCESS DATA FTK FEATURES: 9
PRODISCOVER BASIC FEATURES: 13
GUIDANCE SOFTWARE ENCASE FORENSIC FEATURES: 17


Posts and Telecommunications Institute of Technology


OSFORENSICS

OSForensics is a digital investigation tool which lets you extract forensic data or uncover hidden information from computers. OSForensics has a number of features which make the discovery of relevant forensic data faster, such as high-performance deep file searching and indexing, e-mail and e-mail archive searching, and the ability to analyze recent system activity and active memory.

OSFORENSICS FEATURES:

• Case Management: Cases are used to group together findings (file, note, evidence photo, device) from other functions into a single location that can be exported or saved for later analysis.

• Generate Report: Reports are produced as HTML, which allows the style, layout and appearance to be modified with any web authoring application of your choice (or you can directly edit the HTML and CSS). Customizable elements include fonts, colors, and page layout.

• File Name Search: Lets you locate files on a Windows computer. You can search by filename, size, creation and modified dates, and other criteria. Results are returned and made available in several different useful views, including the Timeline View, which allows you to sift through the matches on a timeline, making evident the pattern of user activity on the machine. Advanced options for the File Name Search include searching for folder names, searching in subfolders, and file size limits.

• Recent Activity: Scans the system for recent activity, such as accessed websites, installed programs, USB drives, wireless networks, and recent downloads. This is especially useful for identifying trends and patterns of the user, and any material that had been accessed recently.


• Recover Deleted Files: Recovers files even after they have been removed from the Recycle Bin. This allows you to review the files that the user may have attempted to destroy. Recovery only succeeds while the file's clusters have not been reused; on SSDs with TRIM enabled the data is frequently unrecoverable shortly after deletion.

• Memory Viewer: Performs forensic analysis on a live system or a static memory dump. There are two types of memory analysis that can be performed:

- Live Analysis

- Static Analysis

• Web Browser: A web browser built into OSForensics. This module adds the ability to load web pages from the web and save screen captures of web pages to the currently opened case.

• Password Recovery & Decryption: Recovers website passwords saved by browsers including Edge, IE, Firefox, and Opera. This can be done on the live machine or from an image of a hard drive. Data recovered includes the URL of the website (usually HTTPS), the login username, the site's password, the browser used to access the site and the Windows user name. Blacklisted URLs are also reported, showing the user has visited the site but elected not to store a password in the browser.

Decryption is for older documents that use 40-bit encryption (old XLS, DOC and PDF files). For these documents it is possible to try all possible keys to decrypt the document, with the output being an unencrypted file. A 40-bit key space has only 2^40 (about 1.1 trillion) candidates, which is small enough to search exhaustively, so the password itself is never needed.

• Signatures: A signature records the state of a directory structure so that changes between two points in time can be found. Generating a signature creates a snapshot of the directory structure, which includes information about the contained files' path, size and attributes. Changes to a directory structure such as files that were created, modified and deleted can be identified by comparing two signatures. These differences can quickly identify potential files of interest on a suspected machine, such as newly installed software or deleted evidence files. Signatures differ from Hash Sets (described below), which match files by content rather than by path and attributes.

The Signatures module provides the following functionality:

- Create a signature

- Compare previously generated signatures. A summary of any changes between the signatures is displayed to the user.
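The snapshot-and-compare idea above, as an added Python example (it is not OSForensics code and does not read OSForensics' signature files). It records path, size, modification time and permission bits per file, then diffs two snapshots into created/deleted/modified lists; the directory contents in `demo()` are constructed in a temporary directory so the example runs offline.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """What a signature records per file: enough to detect create/modify/delete."""
    size: int
    mtime_ns: int
    mode: int


def make_signature(root):
    """Snapshot a directory tree as {relative path: Entry}.

    Paths are stored relative to root so a snapshot of a live system can be
    compared with one taken from the same tree mounted from an image.
    """
    sig = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks out of the tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sig[rel] = Entry(st.st_size, st.st_mtime_ns, stat.S_IMODE(st.st_mode))
    return sig


def compare_signatures(old, new):
    """Return sorted (created, deleted, modified) path lists between two snapshots."""
    created = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return created, deleted, modified


def write(root, rel, data):
    """Helper for the constructed scenario: create a file with parent directories."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: between two signatures a cleaner tool is installed,
    a report is edited and a spreadsheet is deleted."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "docs/report.doc", b"draft")
        write(root, "docs/secret.xls", b"numbers")
        before = make_signature(root)

        write(root, "Program Files/Cleaner/clean.exe", b"MZ")   # created
        write(root, "docs/report.doc", b"draft, revised")       # modified (size changes)
        os.remove(os.path.join(root, "docs", "secret.xls"))     # deleted
        after = make_signature(root)
        return compare_signatures(before, after)
```

A signature only sees what the file system API reports, so a change that preserves size and timestamp (for example after timestomping) goes unnoticed; that is the case where content hashing, covered by hash sets later on this page, is the stronger check.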

• Forensic Imaging: Create and restore disk image files, which are bit-by-bit copies of a partition, physical disk or volume. Disk imaging is essential in securing an exact copy of a storage device, so it can be used for forensic analysis without risking the integrity of the original data. Conversely, an image file can be restored back to a disk on the system. In practice the source device is attached through a write blocker while it is imaged, and the image is hashed at acquisition time so the hash can be re-verified before and after analysis.

• System Information: Displays details of the core components of the system.

• BitLocker detection

• Registry Activity:

- Most Recently Used (MRU) Lists: OSForensics can retrieve data about recently accessed applications, documents, media and network shares by scanning locations in the registry which store a user's Most Recently Used (MRU) lists. The data which can be tracked by OSForensics includes (but isn't limited to) files accessed in Microsoft Office applications, Microsoft WordPad, Microsoft Paint, Microsoft Media Player, Windows Search, connected network drives and the Windows Run command.

- Connected USB Devices: OSForensics can display the details of USB devices which have been recently connected to the computer, providing information about the last connection date and device information such as manufacturer name, product ID and serial number. The types of devices which can be detected include USB flash drives (UFDs), portable hard disk drives and external USB-connected devices such as DVD-ROM drives. This data comes from the SYSTEM registry hive (the USBSTOR and USB enumeration keys), so it is available from an offline image as well as from the live machine.

- Wireless Network Connections: OSForensics can list the MAC address of wireless networks connected using the Windows Zero Config Service. This feature is available on machines running Windows XP only.

• Event Log: OSForensics will scan the Windows logs for system activity such as the following events:

- Security Log events such as account login attempts, logouts and password changes

- System Log events such as Windows Update attempts, system boot/shutdown, and driver installations

- Application Log events such as application installation attempts

- Microsoft Office user interaction events (OAlerts)

• OS X Artifacts: OSForensics uncovers the following OS X artifacts on Mac drives:

- Safari history, bookmarks, downloads, and cookies

- Most Recently Used (MRU) items, network locations, documents, multimedia

- Installed programs

- USB-connected iOS devices

- Mounted volumes

- WiFi

- Mobile backups for iOS devices

• Hidden Disk Areas - HPA/DCO: OSForensics can discover and expose the HPA and DCO hidden areas of a hard disk, which can be used for malicious intent including hiding illegal data. The Host Protected Area (HPA) and Device Configuration Overlay (DCO) are ATA features for hiding sectors of a hard disk from being accessible to the end user.

- Detecting: OSForensics will first attempt to detect and display the size of the HPA/DCO hidden areas. If successfully found, they can be removed or imaged, exposing the hidden data.

- Removing: Once the HPA and/or DCO hidden areas have been successfully detected, they can be removed so that the data hidden in those sectors can be accessed and analyzed by Raw Disk Viewer and other OSForensics modules. Removal changes the drive's configuration, so on an original evidence drive it should be documented and done only after the visible area has already been imaged.

- Imaging: Alternatively, the HPA/DCO hidden areas can be preserved by creating an image of the hidden sectors and saving it into a file. This file can then be analyzed by other OSForensics modules such as the built-in file viewer.
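How the detection step works at the ATA level, as an added Python example (not OSForensics code). An HPA exists when the drive's native maximum LBA (READ NATIVE MAX ADDRESS EXT) is higher than the user-addressable sector count in IDENTIFY DEVICE; a DCO exists when the maximum LBA in DEVICE CONFIGURATION IDENTIFY is higher still. The code parses those two 512-byte data blocks; obtaining them from a real drive needs an ATA pass-through ioctl, which is assumed and not shown, and the IDENTIFY blocks in `demo()` are constructed with only the relevant words filled.

```python
import struct


def words(raw):
    """Split a 512-byte ATA data block into its 256 little-endian 16-bit words."""
    if len(raw) != 512:
        raise ValueError("ATA IDENTIFY data must be exactly 512 bytes")
    return struct.unpack("<256H", raw)


def user_addressable_sectors(identify):
    """Sector count the OS may address, from IDENTIFY DEVICE.

    Word 83 bit 10 says whether the 48-bit address feature set is supported;
    if so words 100..103 hold the count, otherwise words 60..61 (28-bit).
    """
    w = words(identify)
    if w[83] & (1 << 10):
        return w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)
    return w[60] | (w[61] << 16)


def dco_max_lba(dco_identify):
    """Maximum LBA reported by DEVICE CONFIGURATION IDENTIFY (words 3..6)."""
    w = words(dco_identify)
    return w[3] | (w[4] << 16) | (w[5] << 32) | (w[6] << 48)


def hidden_areas(identify, native_max_lba, dco_identify, sector=512):
    """Size of the HPA and DCO areas in sectors and bytes.

    native_max_lba is the value returned by READ NATIVE MAX ADDRESS (EXT); it is
    the highest LBA, so the sector count is one more.
    """
    user = user_addressable_sectors(identify)
    native = native_max_lba + 1
    dco = dco_max_lba(dco_identify) + 1
    hpa_sectors = max(0, native - user)   # hidden by HPA: above user limit, below native max
    dco_sectors = max(0, dco - native)    # hidden by DCO: above native max
    return {
        "user_sectors": user,
        "hpa_sectors": hpa_sectors, "hpa_bytes": hpa_sectors * sector,
        "dco_sectors": dco_sectors, "dco_bytes": dco_sectors * sector,
    }


def build_identify(user_sectors, lba48=True):
    """Constructed IDENTIFY DEVICE block; only the fields parsed above are filled."""
    w = [0] * 256
    if lba48:
        w[83] = 1 << 10
        for i in range(4):
            w[100 + i] = (user_sectors >> (16 * i)) & 0xFFFF
    w[60] = user_sectors & 0xFFFF
    w[61] = (user_sectors >> 16) & 0xFFFF
    return struct.pack("<256H", *w)


def build_dco_identify(max_lba):
    """Constructed DEVICE CONFIGURATION IDENTIFY block with words 3..6 filled."""
    w = [0] * 256
    for i in range(4):
        w[3 + i] = (max_lba >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *w)


def demo():
    # Constructed drive: 1,000,000 visible sectors, 200,000 more hidden by an
    # HPA, and a further 800,000 hidden behind a DCO.
    identify = build_identify(1_000_000)
    dco = build_dco_identify(1_999_999)
    return hidden_areas(identify, native_max_lba=1_199_999, dco_identify=dco)
```

A zero for both areas does not prove nothing is hidden: some USB bridges and RAID controllers do not pass the native-max and DCO commands through, so the check should be done with the drive attached directly to a SATA port or a forensic bridge that supports them.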

• Verify and Match Files: OSForensics makes use of a number of hashing algorithms to create a unique digital fingerprint that can be used to identify a file.

• Hash Set Lookup: OSForensics makes use of hash sets to quickly identify known safe or known suspect files, to reduce the need for further time-consuming analysis. A hash set consists of a collection of hash values of such files, used to search a storage medium for particular files of interest. In particular, files that are known to be safe or trusted can be eliminated from file searches. Hash sets can also be used to identify the presence of malicious, contraband, or incriminating files such as bootleg software, pornography, viruses and evidence files.

• Create and Verify Hash Values: Create a unique digital identifier for a file or disk volume by calculating its hash value using the Verify/Create Hash module in OSForensics. Choose from a number of cryptographic algorithms to create a hash, such as SHA-1, MD5 and SHA-256. Hash values identify the contents of a file and can be used to discover other files with the same content, regardless of differing file name or file extension. MD5 and SHA-1 remain in use because published hash sets are keyed by them, but where the hash has to withstand an adversary who can craft colliding files, SHA-256 is the one to rely on.
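Hash set lookup and content-based matching together, as an added Python example (not OSForensics code and not its hash-set format). Every file under a root is hashed once in a streaming pass, classified against a known-good set (to eliminate) and a known-bad set (to flag), and the remaining unknown files are grouped by digest so that copies with different names surface together. The hash sets and the file tree in `demo()` are constructed; in practice the known-good set would come from a published source such as the NIST NSRL.

```python
import hashlib
import os
import tempfile


def file_hashes(path, algorithms=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Hash one file with several algorithms in a single streaming pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_set_lookup(root, known_good, known_bad, algorithm="sha256"):
    """Classify every file under root against two hash sets.

    Returns (eliminated, flagged, unknown): known-safe paths that need no
    further review, known-bad matches, and a {digest: [paths]} map of the
    rest, so renamed duplicates land in the same group.
    """
    eliminated, flagged, unknown = [], [], {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = file_hashes(path, (algorithm,))[algorithm]
            if digest in known_bad:        # checked first: a bad file must never be eliminated
                flagged.append(path)
            elif digest in known_good:
                eliminated.append(path)
            else:
                unknown.setdefault(digest, []).append(path)
    return eliminated, flagged, unknown


def demo():
    """Constructed tree: one known-good binary, one renamed known-bad file,
    and a document that exists twice under different names and extensions."""
    contraband = b"constructed contraband payload"
    files = {
        "Windows/notepad.exe": b"MZ constructed notepad",
        "Users/bob/holiday.jpg": contraband,                          # renamed known-bad
        "Users/bob/Documents/letter.docx": b"PK constructed docx",
        "Users/bob/Desktop/letter (copy).txt": b"PK constructed docx",  # same content, new name
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        known_good = {hashlib.sha256(b"MZ constructed notepad").hexdigest()}
        known_bad = {hashlib.sha256(contraband).hexdigest()}
        eliminated, flagged, unknown = hash_set_lookup(root, known_good, known_bad)

        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, "/")

        return (sorted(map(rel, eliminated)),
                sorted(map(rel, flagged)),
                sorted(sorted(map(rel, group)) for group in unknown.values()))
```

Checking the bad set before the good set matters: if a file is ever present in both (a stale whitelist, a poisoned import), the conservative outcome is to flag it.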

• Find Misnamed Files: OSForensics can identify files whose contents do not match their file extension. Uncover a user's attempt at concealing photos, documents or other evidence (also known as "dark data") by using the Mismatch File Search.

The Mismatch File Search module analyzes the content of files and identifies any files whose raw bytes are not consistent with their file extension. Configure the file search to include inaccessible files, or use your own customized file filter.
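The content-versus-extension check described above, as an added Python example (not OSForensics code). A file's leading bytes are matched against a table of magic numbers, each mapped to the set of extensions that legitimately carry it; a file is flagged only when its content type is recognised and its extension is not in that set, so unknown formats are never reported as mismatches. The signature table is deliberately short and the files in `demo()` are constructed.

```python
import os
import tempfile

HEADER_LEN = 64  # must cover the largest offset + magic length in the table

# (offset, magic bytes, extensions that legitimately carry this content)
SIGNATURES = [
    (0, b"\xFF\xD8\xFF", {"jpg", "jpeg"}),
    (0, b"\x89PNG\r\n\x1a\n", {"png"}),
    (0, b"GIF87a", {"gif"}),
    (0, b"GIF89a", {"gif"}),
    (0, b"%PDF-", {"pdf"}),
    (0, b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (0, b"MZ", {"exe", "dll", "sys", "scr"}),
    (0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", {"doc", "xls", "ppt", "msg"}),
    (0, b"SQLite format 3\x00", {"sqlite", "db"}),
    (0, b"\x1F\x8B", {"gz", "tgz"}),
]


def identify(header):
    """Extensions consistent with the leading bytes, or None if the type is unknown."""
    for offset, magic, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return exts
    return None


def check_file(path):
    """(path, claimed_ext, detected_exts) when extension and content disagree, else None."""
    with open(path, "rb") as f:
        header = f.read(HEADER_LEN)
    detected = identify(header)
    if detected is None:
        return None  # unknown content: cannot judge, so do not flag
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if ext in detected:
        return None
    return path, ext, detected


def mismatch_search(root):
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            hit = check_file(os.path.join(dirpath, name))
            if hit:
                findings.append(hit)
    return findings


def demo():
    """Constructed files: a JPEG hidden as .txt, an executable hidden as .jpg,
    and three honestly named files that must not be flagged."""
    files = {
        "photo.txt": b"\xFF\xD8\xFF\xE0\x00\x10JFIF",
        "innocent.jpg": b"MZ\x90\x00\x03\x00",
        "report.pdf": b"%PDF-1.4\n",
        "thesis.docx": b"PK\x03\x04\x14\x00",
        "notes.txt": b"just some text",          # unknown type: not a mismatch
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return sorted((os.path.basename(p), ext, sorted(exts))
                      for p, ext, exts in mismatch_search(root))
```

Container formats are the usual source of false positives: a .docx is a ZIP, so the table maps the PK signature to every extension that is really a ZIP; a real tool goes one step further and inspects the ZIP's member names to tell a DOCX from a JAR.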

• Search Emails: OSForensics allows you to perform full-text searches within email archives used by many popular e-mail programs such as Microsoft Outlook, Mozilla Thunderbird, Outlook Express and more.

- Supported email file types: .pst, .ost (Outlook); .mbox, .mbx, .eml, .msf (Mozilla, Thunderbird, Eudora, Unix mail, and more); .msg (Outlook); .eml (Outlook Express); .dbx (Outlook Express)

Note that OSForensics can index these formats without needing the corresponding e-mail client to be installed. Additionally the indexing process is not limited to just emails, but can also index other files such as Word documents and PDFs, making their contents available for searching.

• ESE Database Viewer: OSForensics includes an ESE database (ESEDB) viewer for databases stored in the Extensible Storage Engine (ESE) file format, including the newer Windows 10 database structure. The ESEDB format, in particular, is used by several Microsoft applications that store data with potential forensic value, including the following:

- Windows (Desktop) Search

- Windows Live Mail

- Microsoft Exchange Server

- Internet Explorer

The ESE database viewer allows the user to search for database records that match specified criteria, including text phrases, date ranges and numerical values.

• SQLite Database Browser: OSForensics includes an SQLite database viewer for databases stored in the SQLite file format. The SQLite database format is used by several platforms, such as the iPhone, Firefox and Chrome.

• Prefetch Viewer: OSForensics includes a Prefetch viewer for viewing application execution metrics stored by the operating system's Prefetcher. The Prefetcher is a component that improves the performance of the system by pre-caching applications and their associated files into RAM, reducing disk access. To facilitate this, the Prefetcher collects application usage details such as:

- Application run count

- Last run time

- Files/disks that the application uses while executing

Using this information, forensic investigators can determine a suspect's application usage patterns (e.g. "cleaner" software used recently) and files that have been opened (e.g. documents).
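Where the run count and last run time actually sit in a .pf file, as an added Python example (not OSForensics code). It parses the uncompressed prefetch header used by Windows XP (version 17), Vista/7 (version 23) and 8.x (version 26): "SCCA" signature at offset 4, the executable name as UTF-16LE at offset 16, and version-specific offsets for the FILETIME last-run value(s) and the 32-bit run count. Windows 10 files are MAM-compressed and are rejected rather than parsed. The .pf image in `demo()` is constructed with only those header fields populated.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of last run time(s), number of run times stored, offset of run count)
LAYOUT = {
    17: (0x78, 1, 0x90),   # Windows XP / Server 2003
    23: (0x80, 1, 0x98),   # Windows Vista / 7
    26: (0x80, 8, 0xD0),   # Windows 8.x keeps the last eight run times
}


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    if data[:3] == b"MAM":
        raise ValueError("Windows 10+ prefetch is MAM-compressed; decompress it first")
    version, sig, size = struct.unpack_from("<I4s4xI", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    run_off, n_runs, count_off = LAYOUT[version]
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    run_times = [filetime_to_datetime(ft)
                 for ft in struct.unpack_from(f"<{n_runs}Q", data, run_off) if ft]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {"version": version, "executable": name, "size": size,
            "run_count": run_count, "last_runs": run_times}


def build_prefetch_v23(exe, run_count, last_run):
    """Constructed minimal version-23 prefetch image (header fields only)."""
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))
    name = exe.encode("utf-16-le")[:58]            # 29 UTF-16 chars + terminator fit in 60 bytes
    buf[16:16 + len(name)] = name
    ticks = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, 0x80, ticks)
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)


def demo():
    last = datetime(2017, 10, 31, 14, 5, 9, tzinfo=timezone.utc)
    return parse_prefetch(build_prefetch_v23("CCLEANER.EXE", 7, last))
```

The run count and timestamps are written by the OS, not the application, which is why prefetch survives as evidence of execution even after the executable itself has been removed; the file list that follows the header (not parsed here) records which files the program touched during its first seconds.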

• Thumbnail Cache Viewer: OSForensics provides a viewer capable of displaying image thumbnails stored in the Windows thumbnail cache database. When a user opens Windows Explorer to browse the contents of folders, Windows automatically saves a thumbnail of the files in the thumbnail cache database for quick viewing at a later time. This can be useful for forensic purposes, especially for cases where, even though the user has deleted the original image file, the thumbnail of the image still remains in the thumbnail cache.

The Thumbnail Cache Viewer is capable of displaying thumbnails stored in the following files:

- thumbcache_idx.db, thumbcache_16.db, thumbcache_32.db, thumbcache_48.db, thumbcache_96.db, thumbcache_256.db, thumbcache_1024.db, thumbcache_1600.db, iconcache_idx.db, iconcache_16.db

• Rebuild RAID: Reconstructs a logical volume from disk images belonging to a RAID array. Being able to properly image systems with RAID configurations for forensic analysis is sometimes challenging, because access to the RAID parameters (such as the RAID level and stripe size) that were used may not be possible. The following RAID levels are supported: RAID 0, RAID 1, RAID 3, RAID 4, RAID 5, RAID 0+1, RAID 1+0.

- Detect RAID parameters: OSForensics can automatically configure the RAID parameters. These RAID parameters are obtained from the metadata that is stored in the disk image, which can also be viewed in OSForensics. The following RAID metadata formats may be detectable by OSForensics:

Intel Matrix RAID, Linux mdadm RAID, SNIA DDFv1, Highpoint v2 RocketRAID, Highpoint v3 RocketRAID, Adaptec HostRAID, Integrated Technology Express RAID, JMicron RAID
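What "rebuilding" means once the parameters are known, as an added Python example (not OSForensics code). It de-stripes a RAID 0 set and a RAID 5 set from per-member images held in memory, using the left-symmetric parity rotation that Linux mdadm uses by default (parity on disk n-1-(row mod n), data filling the following disks in order), and regenerates one missing member by XOR before de-striping. The member images in `demo()` are constructed from a short "volume" with the inverse function so the round trip can be checked.

```python
def xor_bytes(blocks):
    """XOR equal-length byte strings; RAID 5 parity is exactly this over the data chunks."""
    out = bytearray(blocks[0])
    for b in blocks[1:]:
        for i, v in enumerate(b):
            out[i] ^= v
    return bytes(out)


def rebuild_raid0(disks, stripe):
    """Interleave stripe-sized chunks from each member in order (no redundancy)."""
    rows = len(disks[0]) // stripe
    return b"".join(d[r * stripe:(r + 1) * stripe] for r in range(rows) for d in disks)


def rebuild_raid5(disks, stripe, missing=None):
    """De-stripe a left-symmetric RAID 5 set into the logical volume.

    disks: member images in controller order; the entry at index `missing`
    may be None and is regenerated from the XOR of the surviving members.
    """
    n = len(disks)
    present = [d for d in disks if d is not None]
    rows = len(present[0]) // stripe
    if missing is not None:
        rebuilt = b"".join(
            xor_bytes([d[r * stripe:(r + 1) * stripe] for d in present]) for r in range(rows))
        disks = list(disks)
        disks[missing] = rebuilt
    out = bytearray()
    for r in range(rows):
        parity_disk = (n - 1) - (r % n)
        for k in range(n - 1):                      # n-1 data chunks per row
            disk = (parity_disk + 1 + k) % n
            out += disks[disk][r * stripe:(r + 1) * stripe]
    return bytes(out)


def make_raid5(volume, stripe, n):
    """Constructed inverse of rebuild_raid5: lay a volume out over n members."""
    chunks = [volume[i:i + stripe].ljust(stripe, b"\0") for i in range(0, len(volume), stripe)]
    rows = -(-len(chunks) // (n - 1))
    disks = [bytearray() for _ in range(n)]
    for r in range(rows):
        parity_disk = (n - 1) - (r % n)
        row = [chunks[r * (n - 1) + k] if r * (n - 1) + k < len(chunks) else b"\0" * stripe
               for k in range(n - 1)]
        for k, chunk in enumerate(row):
            disks[(parity_disk + 1 + k) % n] += chunk
        disks[parity_disk] += xor_bytes(row)
    return [bytes(d) for d in disks]


def demo():
    volume = b"THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG!"   # constructed "volume"
    members = make_raid5(volume, stripe=4, n=3)
    damaged = [members[0], None, members[2]]                  # member 1 failed / not imaged
    return rebuild_raid5(damaged, stripe=4, missing=1)[:len(volume)]
```

Wrong disk order, stripe size or rotation produces a volume that is the right length but scrambled; when the metadata formats listed above are absent, the practical check is to brute-force those parameters and test each candidate against a structure with a known layout, such as the NTFS boot sector or MFT record signatures.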

• Plist Viewer: View the contents stored in the plist files which are typically used by OS X and iOS to store settings and properties.

OSForensics includes a Plist viewer to view the contents of plist (property list) files, which are commonly used by macOS, OS X and iOS to store settings and properties. Plist files typically have the extension ".plist". The Plist Viewer within OSForensics is able to display both binary and XML formatted plist files.

The Plist viewer allows the user to search within keys and values that match a specified text phrase.
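Searching keys and values across both plist encodings, as an added Python example (not OSForensics code). The standard-library plistlib detects XML versus binary ("bplist00") input itself; the code flattens the nested dictionaries and arrays into key paths and matches a phrase case-insensitively against either the path or the value. The document in `demo()` is constructed to resemble a Wi-Fi known-networks list and is serialised both ways.

```python
import plistlib
from datetime import datetime


def walk_plist(node, path=""):
    """Yield (key_path, value) for every scalar in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_plist(value, f"{path}/{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_plist(value, f"{path}[{i}]")
    else:
        yield path, node


def search_plist(data, phrase):
    """Hits where the phrase appears in the key path or the value (XML or binary input)."""
    phrase = phrase.lower()
    hits = []
    for key_path, value in walk_plist(plistlib.loads(data)):
        text = value.decode("utf-8", "replace") if isinstance(value, bytes) else str(value)
        if phrase in key_path.lower() or phrase in text.lower():
            hits.append((key_path, value))
    return hits


def demo():
    # Constructed document; the key names are illustrative, not a real Apple schema.
    doc = {
        "KnownNetworks": [
            {"SSID_STR": "CoffeeShop-Guest", "SecurityType": "Open",
             "LastConnected": datetime(2017, 10, 30, 8, 12, 0)},
            {"SSID_STR": "HomeNet", "SecurityType": "WPA2 Personal",
             "LastConnected": datetime(2017, 10, 31, 22, 45, 0)},
        ],
        "Version": 2,
        "Blob": b"binary-data",
    }
    xml_bytes = plistlib.dumps(doc, fmt=plistlib.FMT_XML)
    bin_bytes = plistlib.dumps(doc, fmt=plistlib.FMT_BINARY)
    return ([k for k, _ in search_plist(xml_bytes, "ssid")],
            [k for k, _ in search_plist(bin_bytes, "homenet")])
```

Dates in plists are stored as UTC; plistlib returns naive datetime objects, so convert explicitly before comparing them with timestamps from other artifacts.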


ACCESS DATA FTK

FTK quickly locates evidence and forensically collects and analyzes any digital device or system producing, transmitting or storing data, using a single application across multiple devices. Known for its intuitive interface, email analysis, customizable data views, processing speeds and stability, FTK also lays the framework so your solution can grow with your organization's needs for a smooth expansion.

FTK supports the following file systems: DVD (UDF), CD (ISO, Joliet, and CDFS), FAT (12, 16, and 32), exFAT, VXFS, EXT (2, 3, and 4), NTFS (and NTFS compressed), HFS, HFS+, and HFSX.

ACCESS DATA FTK FEATURES:

Remote Machine Analysis: With the single-node enterprise, users can preview, acquire and analyze evidence remotely from computers on your network.

Capturing an Image: FTK Imager can read disk-to-image files created in other proprietary formats. FTK Imager can read AccessData AD1, Expert Witness (EnCase) E01, SafeBack (up to version 2.0), SMART S01, and raw format files. In addition to disk media, FTK Imager can read CD and DVD file systems.

Reading a file in text mode, hex mode or automatic mode:

Text mode displays the file's contents as text (Unicode characters), even if the file is not a text file. This mode can be useful for viewing text and binary data that is not visible when a file is viewed in its native application.

Hex mode displays the file's contents as hexadecimal code. You can use the Hex Value Interpreter to interpret hexadecimal values as decimal integers and possible time and date values.

Automatic mode selects the way of previewing a file's contents according to the file type.
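What a hex value interpreter does with a selected run of bytes, as an added Python example (not FTK Imager code). For a 1/2/4/8-byte selection it offers the integer readings in both byte orders, and for the widths where the common forensic timestamp encodings fit it decodes a 32-bit Unix time, a 32-bit MS-DOS packed date/time (FAT directory entries, ZIP headers) and a 64-bit FILETIME, rejecting values outside the representable range. `demo()` feeds it one constructed instant encoded in those three ways.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def dos_to_datetime(date, time):
    """MS-DOS packed date/time: 2-second resolution, no time zone (local time)."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None  # bit pattern is not a valid date


def interpret(raw):
    """Candidate interpretations of a selected byte run, keyed by reading."""
    out = {}
    n = len(raw)
    if n not in (1, 2, 4, 8):
        return out
    out["uint_le"] = int.from_bytes(raw, "little")
    out["uint_be"] = int.from_bytes(raw, "big")
    out["int_le"] = int.from_bytes(raw, "little", signed=True)
    if n == 4:
        out["unix_time_le"] = UNIX_EPOCH + timedelta(seconds=out["uint_le"])
        dos_time, dos_date = struct.unpack("<HH", raw)      # time word precedes date word
        out["dos_datetime_le"] = dos_to_datetime(dos_date, dos_time)
    if n == 8:
        try:
            out["filetime_le"] = FILETIME_EPOCH + timedelta(microseconds=out["uint_le"] // 10)
        except (OverflowError, ValueError):
            pass  # not a plausible FILETIME
    return out


def demo():
    """Constructed: 2017-10-31 14:05:09 UTC as FILETIME, Unix time and DOS date/time."""
    when = datetime(2017, 10, 31, 14, 5, 9, tzinfo=timezone.utc)
    filetime = struct.pack("<Q", ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10)
    unix = struct.pack("<I", (when - UNIX_EPOCH) // timedelta(seconds=1))
    dos = struct.pack("<HH", (14 << 11) | (5 << 5) | (9 // 2),
                      ((2017 - 1980) << 9) | (10 << 5) | 31)
    return interpret(filetime), interpret(unix), interpret(dos)
```

The same four bytes decode to a plausible Unix time and a plausible DOS date at once, so the interpreter can only offer candidates; which one is right follows from the structure the bytes sit in (an NTFS attribute is FILETIME, a FAT directory entry is DOS, an ext4 inode is Unix).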


Image Mounting/Unmounting: Mounts an image as a drive or physical device, for read-only viewing. This action opens the image as a drive and allows you to browse the content in Windows and other applications. Supported types are RAW/dd images, E01, S01, AFF, AD1, and L01. Full disk images (RAW/dd, E01, and S01) can be mounted physically.

View and recover deleted files: Deleted files can be viewed and recovered, and you can print, e-mail, salvage files, or organize files as needed, without altering the original evidence.

AD (AccessData) Encryption and EFS Encryption:

AD Encryption is available for AD1 images. FTK Imager does not let the user specify the key and hash algorithms, so the defaults of AES-256 and SHA-512 are always used.

(..., *.pem)

... drive or an image with FTK Imager.

Exporting File Hash Lists / Hashing: A hash is a value computed from a file's contents. This value can then be used to prove that a copy of a file has not been altered in any way from the original file. It is computationally infeasible for an altered file to generate the same hash value as the original version of that file. The Export File Hash List feature in FTK Imager uses the MD5 and SHA1 hash algorithms to generate hash values for files. Note that MD5 and SHA-1 both have practical collision attacks: an adversary can prepare two different files with the same hash in advance, although altering a given original to keep its hash (a second preimage) remains infeasible. When the hash list must withstand the first scenario, record a SHA-256 alongside.

Verifying Drives and Images

Posted: 01/11/2017, 23:16
