Posts and Telecommunications Institute of Technology

TABLE OF CONTENTS
- OSFORENSICS FEATURES
- ACCESS DATA FTK FEATURES
- PRODISCOVER BASIC FEATURES
- GUIDANCE SOFTWARE ENCASE FORENSIC FEATURES

OSFORENSICS
OSForensics is a new digital investigation tool which lets you extract forensic data or uncover hidden information from computers. OSForensics has a number of unique features which make the discovery of relevant forensic data even faster, such as high-performance deep file searching and indexing, e-mail and e-mail archive searching, and the ability to analyze recent system activity and active memory.
OSFORENSICS FEATURES:
Case Management:
Cases are used to group together findings (files, notes, evidence photos, devices) from other functions into a single location that can be exported or saved for later analysis.
Generate Report:
The style, layout and appearance of generated reports can be modified with any web authoring application of your choice (or you can directly edit the HTML and CSS). Customizable elements include fonts, colors, and page layout.
File Name Search:
Locate files on a Windows computer. You can search by filename, size, creation and modified dates, and other criteria. Results are returned and made available in several different useful views. This includes the Timeline View, which allows you to sift through the matches on a timeline, making evident the pattern of user activity on the machine.
Advanced options for the File Name Search include Search for Folder Names, Search in Sub Folders and File Size Limits.
Recent Activity:
Lists recent activity, such as accessed websites, installed programs, USB drives, wireless networks, and recent downloads. This is especially useful for identifying trends and patterns of the user, and any material that had been accessed recently.
Recover Deleted Files:
Recover files even after they have been removed from the Recycle Bin. This allows you to review the files that the user may have attempted to destroy.
Memory Viewer:
Perform memory forensics analysis on a live system or a static memory dump. There are two types of memory analysis that can be performed:
• Live Analysis
• Static Analysis
Web Browser:
This module adds the ability to load web pages from the web and save screen captures of web pages to the currently opened case.
Password Recovery & Decryption:
Recover website passwords stored by Edge, IE, Firefox, and Opera. This can be done on the live machine or from an image of a hard drive. Data recovered includes the URL of the website (usually HTTPS), the login username, the site's password, the browser used to access the site and the Windows user name. Blacklisted URLs are also reported, showing the user has visited the site but elected not to store a password in the browser.
Decryption is for older documents that use 40-bit encryption (old XLS, DOC and PDF files). For these documents it is possible to try all possible keys to decrypt the document, with the output being an unencrypted file.
Signatures:
Signatures identify changes in a directory structure between two points in time. Generating a signature creates a snapshot of the directory structure, which includes information about the contained files' path, size and attributes. Changes to a directory structure, such as files that were created, modified and deleted, can be identified by comparing two signatures. These differences can quickly identify potential files of interest on a suspected machine, such as newly installed software or deleted evidence files. Signatures differ from Hash Sets in the following ways:
The Signatures module provides the following functionality:
- Create a signature
- Compare previously generated signatures; a summary of any changes between the signatures is displayed to the user
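As an added illustration of the snapshot-and-compare idea (example code written for this page, not OSForensics' own), the Python below walks a directory into a signature of path, size, modification time and permission bits, then diffs two signatures into created, deleted and modified files. The sample snapshots are constructed inline, and the recorded attribute set is an assumption.

```python
import os
import stat

# A signature maps a relative path to (size, mtime in ns, permission bits).
# The attribute set is an assumption; OSForensics records its own fields.
Snapshot = dict[str, tuple[int, int, int]]

def generate_signature(root: str) -> Snapshot:
    """Walk `root` and record every regular file's path, size, mtime and mode."""
    sig: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sig[rel] = (st.st_size, st.st_mtime_ns, stat.S_IMODE(st.st_mode))
    return sig

def compare_signatures(old: Snapshot, new: Snapshot) -> dict[str, list[str]]:
    """Diff two snapshots into created, deleted and modified file lists."""
    created = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"created": created, "deleted": deleted, "modified": modified}

def summarize(diff: dict[str, list[str]]) -> str:
    """Render the change summary as text (constructed layout)."""
    lines = [f"{kind}: {len(paths)}" for kind, paths in diff.items()]
    for kind, paths in diff.items():
        lines.extend(f"  [{kind[0].upper()}] {path}" for path in paths)
    return "\n".join(lines)

# Constructed sample snapshots standing in for two real directory walks.
BEFORE: Snapshot = {
    "Users/alice/Documents/report.docx": (51200, 1_700_000_000_000_000_000, 0o644),
    "Users/alice/Downloads/invoice.pdf": (8192, 1_700_000_100_000_000_000, 0o644),
    "Users/alice/Pictures/IMG_0042.jpg": (3_145_728, 1_700_000_200_000_000_000, 0o644),
}
AFTER: Snapshot = {
    "Users/alice/Documents/report.docx": (51200, 1_700_000_000_000_000_000, 0o644),
    "Users/alice/Downloads/invoice.pdf": (0, 1_700_050_100_000_000_000, 0o644),  # truncated
    "Users/alice/AppData/Local/Temp/cleaner_setup.exe": (2_097_152, 1_700_050_000_000_000_000, 0o755),
}
```

Running `summarize(compare_signatures(BEFORE, AFTER))` reports one created, one deleted and one modified file; `generate_signature` produces the same dictionary shape from a real directory.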
Forensic Imaging:
Create and restore disk image files, which are bit-by-bit copies of a partition, physical disk or volume. Disk imaging is essential in securing an exact copy of a storage device, so it can be used for forensics analysis without risking the integrity of the original data. Conversely, an image file can be restored back to a disk on the system.
System Information:
Gathers information about the core components of the system, including but not limited to:
- BitLocker detection
Registry Activity:
Most Recently Used (MRU) Lists
OSForensics can retrieve data about recently accessed applications, documents, media and network shares by scanning locations in the registry which store a user's Most Recently Used (MRU) lists. The data which can be tracked by OSForensics includes (but isn't limited to) files accessed in Microsoft Office applications, Microsoft WordPad, Microsoft Paint, Microsoft Media Player, Windows Search, connected network drives and the Windows Run command.
Connected USB Devices
OSForensics can display the details of USB devices which have been recently connected to the computer, providing information about the last connection date and device information such as Manufacturer Name, Product ID and Serial Number. The types of devices which can be detected include USB Flash Drives (UFDs), portable hard disk drives and external USB-connected devices such as DVD-ROM drives.
Wireless Network Connections
OSForensics can list the MAC address of wireless networks connected using the Windows Zero Config Service. This feature is available on machines running Windows XP only.
Event Log:
OSForensics will scan the Windows logs for system activity such as the following events:
- Security Log Events such as account login attempts, logouts and password changes
- System Log Events such as Windows update attempts, system boot/shutdown, and driver installations
- Application Log Events such as application installation attempts
- Microsoft Office user interaction events (OAlerts)
OS X Artifacts
OSForensics uncovers the following OS X artefacts on Mac drives:
- Safari history, bookmarks, downloads, and cookies
- Most Recently Used (MRU) items, network locations, documents, multimedia
- Installed Programs
- USB connected iOS devices
- Mounted Volumes
- WiFi
- Mobile backups for iOS devices
Hidden Disk Areas - HPA/DCO
OSForensics™ can discover and expose the HPA and DCO hidden areas of a hard disk, which can be used for malicious intent including hiding illegal data. The Host Protected Area (HPA) and Device Configuration Overlay (DCO) are features for hiding sectors of a hard disk from being accessible to the end user.
Detecting
OSForensics will first attempt to detect and display the size of the HPA/DCO hidden areas. If successfully found, they can be removed or imaged, exposing the hidden data.
Removing
Once the HPA and/or DCO hidden areas have been successfully detected, they can be removed so that the data hidden in those sectors can be accessed and analyzed by Raw Disk Viewer and other OSForensics modules.
Imaging
Alternatively, the HPA/DCO hidden areas can be preserved by creating an image of the hidden sectors and saving it into a file. This file can then be analyzed by other OSForensics modules such as the built-in file viewer.
Verify and Match Files
OSForensics makes use of a number of advanced hashing algorithms to create a unique digital fingerprint that can be used to identify a file.
Hash Set Lookup
OSForensics makes use of hash sets to quickly identify known safe or known suspected files, reducing the need for further time-consuming analysis. A hash set consists of a collection of hash values of these files, used to search a storage medium for particular files of interest. In particular, files that are known to be safe or trusted can be eliminated from file searches. Hash sets can also be used to identify the presence of malicious, contraband, or incriminating files such as bootleg software, pornography, viruses and evidence files.
Create and Verify Hash Values
Create a unique digital identifier for a file or disk volume by calculating its hash value using the Verify/Create Hash module in OSForensics. Choose from a number of cryptographic algorithms to create a hash, such as SHA-1, MD5 and SHA-256. Hash values uniquely identify the contents of a file and can be used to discover other files with the same content, regardless of differing file name or file extension.
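To make the two hashing features concrete (the hash set lookup above and the create/verify module just described), here is an added Python example, not OSForensics' own code: it computes MD5, SHA-1 and SHA-256 digests, triages a constructed set of files against constructed known-good and known-bad hash sets, and groups files with identical content regardless of name or extension. File names and hash set contents are all constructed.

```python
import hashlib
from collections import defaultdict

def file_hashes(data: bytes) -> dict[str, str]:
    """Hex digests under the three algorithms the text names."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def triage(files: dict[str, bytes], known_good: set[str], known_bad: set[str]) -> dict[str, list[str]]:
    """Sort files by SHA-256: drop known-good, flag known-bad, keep the rest for review.
    A hash present in both sets is flagged: a stale 'good' entry must never hide a hit."""
    out: dict[str, list[str]] = {"eliminated": [], "flagged": [], "review": []}
    for name, data in sorted(files.items()):
        digest = file_hashes(data)["sha256"]
        if digest in known_bad:
            out["flagged"].append(name)
        elif digest in known_good:
            out["eliminated"].append(name)
        else:
            out["review"].append(name)
    return out

def duplicate_groups(files: dict[str, bytes]) -> list[list[str]]:
    """Group files with identical content, whatever their name or extension."""
    groups: dict[str, list[str]] = defaultdict(list)
    for name, data in files.items():
        groups[hashlib.sha256(data).hexdigest()].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample contents; a real case hashes whole files against reference hash sets.
SAMPLE = {
    "Windows/System32/calc.exe": b"MZ-constructed-known-good-binary",
    "Users/alice/Documents/report.docx": b"PK-constructed-user-document",
    "Users/alice/Pictures/IMG_0042.jpg": b"JFIF-constructed-photo-bytes",
    "Users/alice/AppData/Roaming/system.dat": b"JFIF-constructed-photo-bytes",  # same photo, renamed
    "Users/alice/Downloads/cleaner.exe": b"MZ-constructed-known-bad-binary",
}
# Constructed hash sets derived from the sample so the example runs offline.
KNOWN_GOOD = {hashlib.sha256(SAMPLE["Windows/System32/calc.exe"]).hexdigest()}
KNOWN_BAD = {hashlib.sha256(SAMPLE["Users/alice/Downloads/cleaner.exe"]).hexdigest()}
```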
Find Misnamed Files
OSForensics™ can identify files whose contents do not match their file extension. Uncover a user's attempt at concealing photos, documents or other evidence (also known as "dark data") by using the Mismatch File Search.
The Mismatch File Search module analyzes the content of files and identifies any files whose raw bytes are not consistent with their file extension. Configure the file search to include inaccessible files, or use your own customized file filter.
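The check the Mismatch File Search performs, written as an added Python example (not OSForensics' code): the leading bytes of each file are matched against a small, constructed magic-byte table and compared with the family its extension promises. Unknown extensions, unrecognised content, and binary content under a text extension are reported separately rather than being silently counted as matches.

```python
from typing import Optional

# Content families recognised by their leading bytes (constructed table; OSForensics uses its own).
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),  # docx/xlsx/pptx are ZIP containers
    "exe": (b"MZ",),                        # PE executables and DLLs
}
# Family each extension is expected to carry; "text" has no magic bytes.
EXT_FAMILY = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "exe": "exe", "dll": "exe", "txt": "text", "log": "text",
}

def detect_family(header: bytes) -> Optional[str]:
    for family, magics in MAGIC.items():
        if header.startswith(magics):  # bytes.startswith accepts a tuple of prefixes
            return family
    return None

def check_file(name: str, header: bytes) -> tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, expected_family, detected_family) for one file."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    expected = EXT_FAMILY.get(ext)
    detected = detect_family(header)
    if expected is None:
        return ("unknown-extension", None, detected)
    if expected == "text":  # recognised binary magic under a text extension is suspicious
        return ("mismatch" if detected else "match", expected, detected)
    if detected is None:
        return ("unknown-content", expected, None)
    return ("match" if expected == detected else "mismatch", expected, detected)

def find_misnamed(files: dict[str, bytes]) -> list[str]:
    """Names of files whose raw bytes disagree with their extension."""
    return sorted(n for n, hdr in files.items() if check_file(n, hdr)[0] == "mismatch")

# Constructed sample: file name -> first bytes of its content.
SAMPLE = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"\xff\xd8\xff\xe1\x12\x08Exif",   # JPEG renamed to .txt
    "report.pdf": b"\x89PNG\r\n\x1a\n\x00\x00",     # PNG renamed to .pdf
    "budget.xlsx": b"PK\x03\x04\x14\x00\x06\x00",   # genuine Office container
    "readme.docx": b"MZ\x90\x00\x03\x00",           # executable renamed to .docx
}
```

A docx and a plain zip share the same container magic, so this check alone cannot tell them apart; that is why a real tool carries a much larger and deeper signature database.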
Search Emails
OSForensics™ allows you to perform full-text searches within email archives used by many popular e-mail programs such as Microsoft Outlook, Mozilla Thunderbird, Outlook Express and more.
- Supported Email File Types: .pst, .ost (Outlook); .mbox, .mbx, .eml, .msf (Mozilla, Thunderbird, Eudora, Unix mail, and more); .msg (Outlook); .eml (Outlook Express); .dbx (Outlook Express)
Note that OSForensics can index these formats without needing the corresponding e-mail client to be installed. Additionally, the indexing process is not limited to just emails, but can also index other files such as Word documents and PDFs, also making their contents available for searching.
ESE Database Viewer
OSForensics™ includes an ESE database (ESEDB) viewer for databases stored in the Extensible Storage Engine (ESE) file format, including the new Win10 database structure. The ESEDB format, in particular, is used by several Microsoft applications that store data with potential forensics value, including the following:
- Windows (Desktop) Search
- Windows Live Mail
- Microsoft Exchange Server
- Internet Explorer
The ESE database viewer allows the user to search for database records that match specified criteria, including text phrases, date ranges and numerical values.
SQLite Database Browser
OSForensics™ includes an SQLite database viewer for databases stored in the SQLite file format. The SQLite database format is used by several platforms, such as the iPhone, Firefox and Chrome.
Prefetch Viewer
OSForensics™ includes a Prefetch viewer for viewing application execution metrics stored by the operating system's Prefetcher. The Prefetcher is a component that improves the performance of the system by pre-caching applications and their associated files into RAM, reducing disk access. To facilitate this, the Prefetcher collects application usage details such as:
- Application run count
- Last run time
- Files/disks that the application uses while executing
Using this information, forensics investigators can determine a suspect's application usage patterns (e.g. "cleaner" software used recently) and files that have been opened (e.g. documents).
Thumbnail Cache Viewer
OSForensics™ provides a viewer capable of displaying image thumbnails stored in the Windows thumbnail cache database. When a user opens Windows Explorer to browse the contents of folders, Windows automatically saves a thumbnail of the files in the thumbnail cache database for quick viewing at a later time. This can be useful for forensics purposes, especially for cases where, even though the user has deleted the original image file, the thumbnail of the image still remains in the thumbnail cache.
The Thumbnail Cache Viewer is capable of displaying thumbnails stored in the following files:
- thumbcache_idx.db, thumbcache_16.db, thumbcache_32.db, thumbcache_48.db, thumbcache_96.db, thumbcache_256.db, thumbcache_1024.db, thumbcache_1600.db, iconcache_idx.db, iconcache_16.db
Rebuild RAID
Rebuild a RAID volume from disk images belonging to a RAID array. Being able to properly image systems with RAID configurations for forensics analysis is sometimes challenging, because access to the RAID parameters that were used (such as the RAID level and stripe size) may not be possible. The following RAID levels are supported: RAID 0, RAID 1, RAID 3, RAID 4, RAID 5, RAID 0+1, RAID 1+0.
- Detect RAID parameters
OSForensics can detect and automatically configure the RAID parameters. These RAID parameters are obtained from the metadata that is stored in the disk image, which can also be viewed in OSForensics. The following RAID metadata formats may be detectable by OSForensics: Intel Matrix RAID, Linux mdadm RAID, SNIA DDFv1, Highpoint v2 RocketRAID, Highpoint v3 RocketRAID, Adaptec HostRAID, Integrated Technology Express RAID, JMicron RAID.
Plist Viewer
View the contents stored in the Plist files which are typically used by OSX and iOS to store settings and properties.
OSForensics™ includes a Plist viewer to view the contents of Plist (property list) files, which are commonly used by MacOS, OSX and iOS to store settings and properties. Plist files typically have the extension ".plist". The Plist Viewer within OSForensics is able to display both binary and XML formatted plist files.
The Plist viewer allows the user to search within keys and values that match a specified text phrase.
ACCESS DATA FTK
FTK quickly locates evidence and forensically collects and analyzes any digital device or system producing, transmitting or storing data, using a single application across multiple devices. Known for its intuitive interface, email analysis, customizable data views, processing speeds and stability, FTK also lays the framework so your solution can grow with your organization's needs for a smooth expansion.
FTK supports the following filesystems: DVD (UDF), CD (ISO, Joliet, and CDFS), FAT (12, 16, and 32), exFAT, VXFS, EXT (2, 3, and 4), NTFS (and NTFS compressed), HFS, HFS+, and HFSX.
ACCESS DATA FTK FEATURES:
Remote Machine Analysis
With the single-node enterprise, users can preview, acquire and analyze evidence remotely from computers on your network.
Capturing an Image:
Read disk-to-image files created in other proprietary formats. FTK Imager can read AccessData ad1, Expert Witness (EnCase) e01, SafeBack (up to version 2.0), SMART s01, and raw format files. In addition to disk media, FTK Imager can read CD and DVD file systems.
Reading a file in text mode, hex mode or automatic mode
- Text mode displays the file's contents as Unicode characters, even if the file is not a text file. This mode can be useful for viewing text and binary data that is not visible when a file is viewed in its native application.
- Hex mode displays the file's contents as hexadecimal code. You can use the Hex Value Interpreter to interpret hexadecimal values as decimal integers and possible time and date values.
- Automatic mode selects the method for previewing a file's contents according to the file type.
Image Mounting/Unmounting
Mount an image file or physical device for read-only viewing. This action opens the image as a drive and allows you to browse the content in Windows and other applications. Supported types are RAW/dd images, E01, S01, AFF, AD1, and L01. Full disk images (RAW/dd, E01, and S01) can be mounted physically.
View and recover a deleted file
View, print, e-mail, salvage files, or organize files as needed, without altering the original evidence.
AD (ACCESS DATA) Encryption and EFS Encryption
AD encryption is supported for AD1 images. There is no option for the user to specify the key and hash algorithms, so the defaults of AES-256 and SHA-512 are always used. Key or certificate files (…, *.pem) can be used with an encrypted drive or an image in FTK Imager.
Exporting File Hash Lists / Hashing
A hash is a value computed from a file's contents. This value can then be used to prove that a copy of a file has not been altered in any way from the original file. It is computationally infeasible for an altered file to generate the same hash number as the original version of that file. The Export File Hash List feature in FTK Imager uses the MD5 and SHA1 hash algorithms to generate hash numbers for files.
Verifying Drives and Images