File000129
Desmond Devendran
1.
Module XVI – Data Acquisition and Duplication
2.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
News: White House Email Forensics Case Won’t be Easy to Crack
Source: http://www.fcw.com/
3.
Scenario
Adams Central Band’s Director Jeremy Johnson, 26, of 227 West South St., was formally charged on September 21, 2006 with seven counts of child seduction and 41 counts of possession of child pornography. Investigators found hundreds of images of child pornography on Johnson’s home computer. Johnson was accused of seducing a senior female student at Adams Central when she was aged 18. Johnson had been taking part in a special sharing service over the Internet and appeared to have been trading child porn back and forth with other collectors.
Det. Sgt. Steve Cale and Det. Gary Burkhart initiated the investigation and collected Johnson’s desktop computer and his laptop. During the investigation, they found over 500 images that appeared to be of children less than 18 years of age in a state of nudity engaged in various stages of sexual activity. They also found some e-mails that consisted of pornographic messages.
Source: http://www.news-banner.com/index/news-app/story.4999
4.
Module Objective
This module will familiarize you with:
• Determining the Best Data Acquisition Methods
• Understanding the Data Recovery Contingencies
• Data Acquisition Tools
• The Need for Data Duplication
• Data Duplication Tools
5.
Module Flow
• Data Acquisition Methods
• Need for Data Duplication
• Data Acquisition Tools
• Data Recovery Contingencies
• Data Duplication Tools
6.
Data Acquisition
7.
Data Acquisition
Forensic data acquisition is the process of collecting information from various media, in accordance with certain standards, for the purpose of analyzing its forensic value.
Some common terms used in data acquisition:
• Resolution: the smallest signal increment that can be detected by a data acquisition system
• RS232: commonly used standard, but supports only one connection at a time and a transmission distance of up to 50 feet
• RS485: rarely used standard, but supports communication with more than one device on the bus at a time and transmission distances of approximately 5,000 feet
• Sample rate: the speed at which a data acquisition system collects data, normally expressed in samples per second
• Single-ended input: denotes how a signal is input to a data acquisition device
8.
Types of Data Acquisition Systems
Serial Communication Data Acquisition Systems
• Used when the actual location of the data is at some distance from the computer
• Communication standards such as RS232 and RS485 are used, depending on the distance to be supported
USB Data Acquisition Systems
• Peripheral devices such as printers, monitors, modems, and data acquisition devices can be attached using USB
• It is an easy option, as it requires only one cable to connect the data acquisition device to the PC
9.
Types of Data Acquisition Systems (cont’d)
Data Acquisition Plug-in Boards
• These boards are plugged directly into the computer bus
• Each board has a unique I/O map location
Parallel Port Data Acquisition Systems
• The parallel port used for the printer connection is used for the data acquisition device
• It supports a high sample rate, although the distance between the computer and the acquisition device is limited
10.
Determining the Best Acquisition Methods
Forensic investigators acquire digital evidence using the following methods:
• Creating a bit-stream disk-to-image file
• Making a bit-stream disk-to-disk copy
• Creating a sparse data copy of a folder or file
11.
Data Recovery Contingencies
• Investigators must make contingency plans in case data acquisition fails
• To preserve digital evidence, investigators need to create a duplicate copy of the evidence files
• If the original data recovered is corrupted, investigators can use the second copy
• Use at least two data acquisition tools to create copies of the evidence, in case the investigator’s preferred tool does not recover the data properly
12.
Data Acquisition Mistakes
• Choosing the wrong resolution for data acquisition
• Using the wrong cables and cabling techniques
• Not allowing enough time for system development
• Making the wrong connections
• Having poor instrument knowledge
13.
Data Duplication
14.
Data Duplication
Data duplication is useful for the preservation of the original evidence.
Preserve the data
• All tests to be carried out on the data are generally carried out on a copy of the original data, keeping the original data safe
Never work on the original data
• Use special tools and software for imaging the data devices
• This data will be treated as a forensically sound copy
15.
Issues with Data Duplication
• Data duplication may contaminate the original data
• Contaminated data is not accepted as evidence
• There is a chance of the duplicate data being tampered with
• Data fragments can be overwritten, and data stored in the Windows swap file can be altered or destroyed
• If the original data is contaminated, important evidence is lost, which causes problems in the investigation process
16.
Data Duplication in a Mobile Multi-Database System
• Duplication of the database results in fault tolerance
• It can be used even if the software or hardware fails
• Data duplication increases the reliability of the system
• Requests for particular data items can be handled by different nodes concurrently
• It improves the response time and gives better performance
17.
Data Duplication System Used in USB Devices
• The data duplication method is used to control the data transmission between USB devices
• Data is transmitted between two USB devices without the help of a computer
• The duplication system consists of at least a serial interface engine circuit, a CPU, and a data buffer unit
• The CPU is connected between the source USB and the target USB with the help of the serial interface engine circuit
• The data buffer is used as memory buffer space while the digital data is transmitted between the source and the destination USB devices
18.
Data Backup
Backup is the activity of copying files or databases so that they will be preserved in case of equipment failure or other catastrophe. A backup approach can be categorized as local, remote, online, or offline.
It is important to:
• Restore the original data after a data breach or disaster
• Restore some files if they are accidentally deleted or corrupted
A backup may serve as an image file that can be used for forensic investigation and analysis of evidence in a cyber crime, and it may be used as evidence in trials of computer crimes.
19.
Data Acquisition Tools and Commands
20.
MS-DOS Data Acquisition Tool: DriveSpy
DriveSpy enables the investigator to direct data from one particular sector range to another sector. It provides two methods of accessing disk sector ranges.
• A built-in Sector (and Cluster) Hex Viewer, which can be used to examine DOS and non-DOS partitions
• Configurable logging capabilities to document the investigation (keystroke-by-keystroke if desired)
• The ability to create and restore compressed forensic images of drive partitions
• Full scripting capabilities to automate processing activities
21.
Using Windows Data Acquisition Tools
• Windows data acquisition tools allow the investigator to acquire evidence from a disk with the help of removable media such as USB storage devices
• These tools can use FireWire to connect hard disks to the forensic lab systems
• Data acquisition tools in Windows cannot acquire data from the host protected area of the disk
22.
FTK Imager
FTK Imager allows you to acquire physical device images and logically view data from FAT, NTFS, ext2 and ext3, as well as HFS and HFS+ file systems.
23.
Acquiring Data on Linux
• Forensic investigators use the built-in Linux command “dd” to copy data from a disk drive
• This command can make a bit-stream disk-to-disk file, disk-to-image file, block-to-block copy, or block-to-file copy
• The “dd” command can copy the data from any disk that Linux can mount and access
• Other forensic tools such as AccessData FTK and ILook can read dd image files
Syntax:
• dd if=/*source* of=/*destination*
where:
if = infile, or the evidence you are copying (a hard disk, tape, etc.)
source = source of the evidence
of = outfile, or the copy of the evidence
destination = where you want to put the copy
24.
dd Command
dd if=<source> of=<target> bs=<byte size> skip= seek= conv=<conversion>
bs is "usually" some power of 2 not less than 512 bytes (i.e., 512, 1024, 2048, 4096, 8192, 16384), but can be any reasonable number.
Suppose a 2GB hard disk is seized as evidence. Use dd to make a complete physical backup of the hard disk:
• dd if=/dev/hda of=/dev/case5img1
Copy one hard disk partition to another hard disk:
• dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
Make an ISO image of a CD:
• dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
Copy a floppy disk:
• dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
Restore a disk partition from an image file:
• dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror
Copy RAM memory to a file:
• dd if=/dev/mem of=/home/sam/mem.bin bs=1024
25.
Extracting the MBR
To see the contents of the MBR, use these commands:
• # dd if=/dev/hda of=mbr.bin bs=512 count=1
• # od -xa mbr.bin
The dd command, which needs to be run as root, reads the first 512 bytes from /dev/hda (the first Integrated Drive Electronics, or IDE, drive) and writes them to the mbr.bin file. The od command prints the binary file in hex and ASCII formats.
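The dd commands of slides 24 and 25 carried through end to end, as an added example that is not part of the EC-Council deck: a constructed 64-sector "disk" file is imaged with dd, the copy is verified by comparing digests (the integrity check slides 11 and 28 call for), a second copy is taken with a different tool, and the MBR is pulled out of the image with dd and od. All paths, the sample disk contents and the hash fallback order are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the EC-Council slides: bit-stream acquisition of a
# constructed "disk" with dd, digest verification of the image, a second copy
# taken with a different tool, and MBR extraction with dd/od.
# The "disk" is a constructed 64-sector file under a temp directory; no real
# device is touched.
set -eu

WORK=$(mktemp -d)
SECTOR=512

# hash_file FILE: print a hex digest; prefers SHA-256, falls back to MD5/cksum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# make_sample_disk FILE: zero-filled 64-sector image with a fake MBR in sector 0
# (a label at offset 0, the 0x55 0xAA boot signature at bytes 510-511) and a
# little "evidence" text in sector 3. All of it is constructed sample data.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count=64 2>/dev/null
    printf 'CONSTRUCTED-MBR' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'sample evidence text' | dd of="$1" bs="$SECTOR" seek=3 conv=notrunc 2>/dev/null
}

# acquire_image SRC IMG: bit-stream disk-to-image copy in the slide 24 style.
# conv=noerror,sync keeps going past unreadable blocks and zero-pads them so the
# image stays sector-aligned; bs must divide the source size exactly, otherwise
# sync pads the tail and the source and image digests will not match.
acquire_image() {
    dd if="$1" of="$2" bs="$SECTOR" conv=noerror,sync 2>/dev/null
}

# acquire_image_alt SRC IMG: the "second tool" slide 11 asks for, here plain
# cat, so a defect in one tool does not go unnoticed.
acquire_image_alt() {
    cat "$1" > "$2"
}

# verify_image SRC IMG: print "match" when the digests agree, else "MISMATCH".
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    [ "$src_hash" = "$img_hash" ] && echo match || echo MISMATCH
}

# extract_mbr IMG OUT: first sector only, read from the image, never from the
# original evidence again.
extract_mbr() {
    dd if="$1" of="$2" bs="$SECTOR" count=1 2>/dev/null
}

# mbr_signature FILE: the two bytes at offset 510 as lowercase hex, via od.
mbr_signature() {
    od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n'
}

# Run the whole acquisition on the constructed disk and report each check.
demo() {
    make_sample_disk "$WORK/evidence.dd"
    acquire_image "$WORK/evidence.dd" "$WORK/case5img1.dd"
    acquire_image_alt "$WORK/evidence.dd" "$WORK/case5img2.dd"
    echo "dd image:  $(verify_image "$WORK/evidence.dd" "$WORK/case5img1.dd")"
    echo "cat image: $(verify_image "$WORK/evidence.dd" "$WORK/case5img2.dd")"
    extract_mbr "$WORK/case5img1.dd" "$WORK/mbr.bin"
    echo "MBR signature: $(mbr_signature "$WORK/mbr.bin")"
    # A single altered byte in a copy is caught by the digest comparison.
    cp "$WORK/case5img1.dd" "$WORK/tampered.dd"
    printf 'X' | dd of="$WORK/tampered.dd" bs=1 seek=1536 conv=notrunc 2>/dev/null
    echo "tampered:  $(verify_image "$WORK/evidence.dd" "$WORK/tampered.dd")"
}
demo
```

On a real acquisition the same digest comparison is run against the seized device itself (through a write blocker) and recorded with the image; the temp directory is left in place here so the results can be inspected.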
26.
Netcat Command
Source machine:
• dd if=/dev/hda bs=16065b | netcat targethost-IP 1234
Target machine:
• netcat -l -p 1234 | dd of=/dev/hdc bs=16065b
Start the listener on the target machine before running dd on the source. Netcat sends the image in the clear, so use it only on a trusted lab network or inside an encrypted tunnel, and compare hashes of source and target afterwards.
27.
dd Command (Windows XP Version)
Linux dd utility ported to Windows:
dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5
28.
Mount Image Pro
Mount Image Pro is a tool for computer forensics investigations. It enables the mounting of:
• EnCase images
• Unix/Linux dd images
• SMART images
• ISO images
It mounts image files as a drive letter under the Windows file system. It maintains MD5 hash integrity, which can be tested by re-acquiring the mounted drive and comparing MD5 checksums. It will also open EnCase password-protected image files without the password.
29.
Mount Image Pro
30.
Snapshot Tool
Snapshot is a data acquisition tool.
31.
Snapback DatArrest
• DatArrest includes SnapBack Live, which allows it to perform a "True Image Backup" of a server while it is live and in use
• If the "bad guys" see you coming and start deleting files, DatArrest recovers all the files, including the deleted files
The DatArrest Suite provides the ability to copy:
• Server hard drive to tape
• PC hard drive to tape
• Server or PC hard drive to removable media
• Hard drive to hard drive
• Tape to tape
32.
Data Acquisition Toolbox
Data Acquisition Toolbox provides tools for analog input, analog output, and digital input/output. It supports a variety of PC-compatible data acquisition hardware.
Data Acquisition Toolbox enables:
• Customizing the acquisition process
• Accessing built-in features of hardware devices
• Incorporating analysis and visualization features
• Saving data for post-processing
• Updating the test setup for result analysis
33.
Data Acquisition Toolbox: Screenshot
34.
Data Acquisition Tool: SafeBack
• SafeBack is an industry-standard, self-authenticating computer forensics tool used to create evidence-grade backups of hard drives
• It is used to create mirror-image (bit-stream) backup files of hard disks, or to make a mirror-image copy of an entire hard disk drive or partition
• It creates a log file of all transactions it performs
35.
Hardware Tool: Image MASSter Solo-3 Forensic
The ImageMASSter Solo-3 Forensic data imaging tool is a lightweight, portable hand-held device that can acquire data to one or two evidence drives at speeds exceeding 3GB/min. It is designed exclusively for forensic data acquisition.
Figure: Image MASSter Solo-3 Forensic
36.
Image MASSter Solo-3 Forensic (cont’d)
Features:
• MD5 and CRC32 Hashing
• Touch Screen User Interface
• High Speed Operation
• Built-in Write Protection
• Built-in FireWire 1394B and USB 2.0 Interface
• Captures to Two Evidence Drives Simultaneously
• Multiple Capture Methods
• WipeOut
• Audit Trail and Logs
• Multiple Media Support
• Upgradeable
Software features:
• Device Configuration Overlay (DCO) Option
• Host Protected Area (HPA) Option
• WipeOut DoD Option
• WipeOut Fast Option
• LinkMASSter Application
• Linux-DD Capture Option
Figure: Image MASSter Solo-3 Forensic
37.
Image MASSter: RoadMASSter-3
RoadMASSter-3 is a portable computer forensic lab used to:
• Acquire data
• Preview and image hard drives
• Analyze data in the field
It is designed to perform as a fast and reliable hard drive imaging and data analysis tool. It can acquire or analyze data from FireWire 1394A/B, USB, IDE, SATA, SAS, and SCSI.
Figure: RoadMASSter-3
38.
Image MASSter: Wipe MASSter
• Wipe MASSter is designed to erase and sanitize hard drives
• It ensures that there are no traces of the previous data on the hard drive
• An intuitive menu provides a simple pattern-based scan to sanitize the hidden partition on any hard drive
Figure: Wipe MASSter
39.
Image MASSter: DriveLock
The Image MASSter DriveLock device is a hardware write-protect solution that prevents data writes. It has four versions:
• Serial-ATA DriveLock Kit USB/1394B
• DriveLock FireWire/USB
• DriveLock IDE
• DriveLock In Bay
40.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hardware Tool: LinkMASSter-2 Forensic The LinkMASSter 2 is High Speed Forensic Data Acquisition device that provides the tools necessary to seize data from a Suspect’s unopened Notebook or PC using the FireWire 1394A/B or USB 1.0/2.0 interface The device supports the MD5, CRC32 or SHA1 hashing methods during data capture, ensuring that the transferred data is an exact replica of the suspect’s data without modification Seize the data from P-ATA, S-ATA, SCSI or Notebook drives Data transfer rates can exceed 3GB/min Figure: Link MASSter -2 Forensic
41.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited LinkMASSter-2 Forensic (cont’d) Features: • FireWire 1394B and USB 2.0 Interface • MD5 and CRC32 and SHA1 Hashing • Forensic Toolkit Graphical User Interface • High Speed Operation • Multiple Capture Methods • Write Protection • Multiple Media Support • WipeOut • Audit Trail and Logs Software Features: • LinkMASSter Application • Hashing • Single Capture Option • Linux-DD Capture Option • Intelligent Capture Option • WipeOut DoD Option • WipeOut Fast Option Figure: Link MASSter-2 Forensic
42.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hardware Tool: RoadMASSter-2 The RoadMASSter -2 Forensics data acquisition and analysis tool is designed to perform both as a fast and reliable hard drive imaging and data analysis This computer forensic system is built for the road with all the tools necessary to acquire or analyze data from today’s common interface technologies including FireWire, USB, Flash, ATA, S-ATA, and SCSI This computer forensic portable lab is used by law enforcement agencies as well as corporate security to acquire data and analyze data in the field Figure: Road MASSter-2
43.
RoadMASSter-2 (cont'd)
Features:
• MD5, CRC32, and SHA1 Hashing
• Forensic Toolkit Graphical User Interface
• High Speed Operation
• Multiple Capture Methods
• Built-in Write Protection
• Built-in LinkMASSter FireWire 1394B and USB 2.0 Interface
• Multiple Media Support
• Preview and Analyze
• WipeOut
• Audit Trail and Logs
Software Features:
• WipeOut DoD Option
• WipeOut Fast Option
• LinkMASSter Application
• Linux-DD Capture Mode
• Single Capture Mode
• Intelligent Capture Mode
Figure: RoadMASSter-2
44.
Logicube: Echo PLUS & Sonix
Echo PLUS:
• A portable hard drive cloning solution
• Data transfer rate: speeds up to 1.8 GB/min (UDMA 2 mode)
• Hard drive duplication: single-target, drive-to-drive duplicator for IDE, UDMA, and SATA drives
Sonix:
• Transfers data to and from a hard drive at 3.3 GB/min
• Allows the user to configure up to 24 partitions for various loads and applications
45.
Logicube: OmniClone Xi Series
• The OmniClone Xi supports UDMA-5 transfer speeds for cloning IDE, EIDE, UDMA, and SATA drives at up to 3.5 GB/min
• All information, together with the current system software release, is stored on the OmniClone's 64 MB compact flash card
Figure: OmniClone 10Xi
Figure: OmniClone 2Xi
46.
Logicube: OmniClone Xi Series (cont'd)
• It offers an optional database software program that enables the user to scan and log hard drive cloning sessions, including hard drive make, model, serial number, and firmware revision
Figure: OmniClone 5Xi
47.
Logicube: OmniPORT Forensic
The OmniPORT device allows immediate access to the majority of current USB flash devices
It captures and deploys data to or from most USB flash drives
It is compatible with thumb drives, pen-drive type devices, flash memory cards using USB card readers, and 2.5" and 3.5" external USB drives
It can be connected directly to a PC's motherboard and booted as an IDE device
It allows data cloning to or from the attached USB drive by the Logicube Echo Plus, Sonix, OmniClone 10Xi/5Xi/2Xi, and Forensic Talon
Figure: OmniPORT
48.
Logicube: OmniWipe & Clone Card Pro
OmniWipe:
• Sanitizes multiple IDE, EIDE, UDMA, and SATA drives simultaneously at up to 2.3 GB/min
• Performs a quick one-pass wipe and a high-speed Security Erase
Clone Card Pro:
• A PCMCIA adapter that allows hard drive data recovery transfer rates of up to 175 MB/min
• Clones data to and from a laptop computer
Figure: OmniWipe
49.
Logicube: Forensic MD5
Forensic MD5 is a forensic hard disk data recovery system for law enforcement, corporate security, and cybercrime investigation
Its built-in MD5 engine allows imaging speeds of up to 3.3 GB/min
It ensures bit-for-bit accuracy, guaranteeing zero chance of alteration of the suspect and evidence drives
Forensic MD5 Features:
• Number of connectivity options
• MD5 verification
• Creates DD images
• Field-tested ruggedized case
• On-site reporting
• Portable
• Unidirectional data transfer
Figure: Forensic MD5
50.
Logicube: Forensic Talon
Forensic Talon is a forensic data capture system specifically designed for the requirements of law enforcement, military, corporate security, and investigators
It simultaneously images and verifies data at up to 4 GB/min
It captures IDE/UDMA/SATA drives, and can capture SCSI drives via a USB cable
Forensic Talon Features:
• Advanced keyword search
• MD5 or SHA-256 authentication
• Unidirectional data transfer
• Creates DD images on-the-fly
• HPA and DCO capture
• Portable and high-speed data capturing
Figure: Forensic Talon
51.
Logicube: RAID I/O Adapter
The RAID I/O Adapter enables the Forensic Talon to capture a suspect RAID drive pair directly to one destination drive, and one suspect drive to two destination drives
Features of the RAID I/O Adapter:
• Captures RAID-0, RAID-1, and JBOD configurations
• Supports MD5/SHA-256 scan and keyword search mode during any 1-to-2 capture
• Supports both native and DD image operation modes during 1-to-2 and 2-to-1 capturing
• Supports drive defect scan and WipeClean modes during 1-to-2 capture
Figure: RAID I/O Adapter
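Capturing a RAID pair "to one destination drive", as the slide above puts it, means the two member disks must be put back together into the logical volume the controller presented. The following is an added Python example (not Logicube's code) of what that reassembly involves for the three layouts the adapter supports: interleaving stripes for RAID-0, comparing mirrors sector by sector for RAID-1, and concatenating members for JBOD. The stripe size, member order and sector size are assumptions here; on a real pair they have to be established from the controller metadata or by trial until the file system parses. The sample volume is constructed in the code.

```python
import hashlib


def split_raid0(volume, stripe_size):
    """Construct two RAID-0 member images from a known logical volume.
    Used here only to build the sample input; a real case starts from the
    seized members.  Even stripes land on A, odd stripes on B."""
    members = [bytearray(), bytearray()]
    for i, off in enumerate(range(0, len(volume), stripe_size)):
        members[i % 2] += volume[off:off + stripe_size]
    return bytes(members[0]), bytes(members[1])


def reassemble_raid0(member_a, member_b, stripe_size):
    """Rebuild the logical volume from two RAID-0 member images by
    interleaving their stripes in controller order (A0, B0, A1, B1, ...)."""
    if len(member_a) != len(member_b):
        raise ValueError("RAID-0 members must be the same size")
    out = bytearray()
    for off in range(0, len(member_a), stripe_size):
        out += member_a[off:off + stripe_size]
        out += member_b[off:off + stripe_size]
    return bytes(out)


def compare_raid1(member_a, member_b, sector_size=512):
    """For a RAID-1 pair, return the LBAs at which the mirrors differ.
    An empty list means either member serves as the logical volume; a
    non-empty one is worth recording, because the controller may have been
    reading the stale copy before seizure."""
    if len(member_a) != len(member_b):
        raise ValueError("RAID-1 members must be the same size")
    return [
        lba for lba, off in enumerate(range(0, len(member_a), sector_size))
        if member_a[off:off + sector_size] != member_b[off:off + sector_size]
    ]


def concat_jbod(*members):
    """JBOD / spanning: the members are simply laid end to end."""
    return b"".join(members)


def volume_hash(volume):
    """SHA-256 of the reassembled volume, recorded alongside the member
    hashes so the reassembly itself is reproducible and verifiable."""
    return hashlib.sha256(volume).hexdigest()


def demo():
    """Build a constructed volume, split it into RAID-0 members, reassemble
    it, and check that the result hashes identically to the original.
    Returns (hashes_match, mirror_differences)."""
    stripe = 256
    # eight stripes, stripe i filled with byte value i, so order matters
    volume = b"".join(bytes([i]) * stripe for i in range(8))
    a, b = split_raid0(volume, stripe)
    rebuilt = reassemble_raid0(a, b, stripe)
    return volume_hash(rebuilt) == volume_hash(volume), compare_raid1(volume, rebuilt)


if __name__ == "__main__":
    print(demo())
```

Because the sample stripes are all distinct, swapping the member order produces a different volume, which is the usual sign that the order or stripe size guess is wrong: the reassembled image should be hashed and kept only once its partition table and file system parse cleanly.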
52.
Logicube: GPStamp
Logicube GPStamp is a device that produces a verified fix on the location, time, and date of the data captured
Investigators can bolster their credibility by specifying when and where data captures were performed
GPStamp Features:
• Computes the exact location of capture in 3D space, accurate to within 50 meters
• Adds accurate latitude, longitude, and time to the capture report and log
• Capable of acquiring satellites and fixes within most buildings
Figure: GPStamp
53.
Logicube: Portable Forensic Lab
The Portable Forensic Lab (PFL) is a portable computer forensic field lab housed in a special ruggedized carrying case
This tool gives the investigator a head start, often cutting the time needed to acquire critical data
The PFL includes everything a computer forensic examiner needs to:
• Capture evidence data at high speed from multiple sources
• Browse data from multiple types of digital media
• Analyze the captured material using computer forensic analysis software such as FTK from AccessData
Figure: Portable Forensic Lab
54.
Logicube: CellDEK
Logicube CellDEK is a cell phone data extraction device that identifies devices by brand, model number, dimensions, and photographs
It is portable and compatible with over 1100 of the most popular cell phones and PDAs
It captures the data within 5 minutes, displays it on screen, and prompts for download to a portable USB device
Investigators can immediately gain access to vital information, saving days of waiting for a report from a crime lab
Figure: CellDEK
55.
Logicube: Desktop WritePROtects
Logicube Desktop WritePROtects are data recovery adapters used to protect hard drives from writes
There are two versions:
• IDE Desktop WritePROtect
• SATA Desktop WritePROtect
The adapter allows only a small subset of the ATA specification commands to flow to the protected drive and blocks all other commands
It connects via IDE or SATA cable to HDD forensic tools for data capture
It guarantees read-only access when analyzing the captured or cloned drive under Windows
Figure: Desktop WritePROtects
56.
Logicube: USB Adapter
The USB Adapter allows cloning and drive management directly through the USB (1.1 or 2.0) port on a PC or laptop
It is capable of cloning at speeds of up to 750 MB/min
It allows the investigator to:
• Store/restore images to a network server
• Modify a drive's contents
• Defragment the master drive
• Reformat the master drive
• Manage partitions using third-party software
Figure: USB Adapter
57.
Logicube: Adapters
OmniClone IDE Laptop Adapters:
• F-ADP-1.8
• F-ADP-COMP-FL
• F-ADP-DOM
• F-ADP-HITACHI-DS
• F-ADP-STND
• F-ADP-STND-3A
• F-ADP-STND-6A
• F-ADP-ZIF
• F-ADP-IDE
OmniClone SCSI Adapters:
• F-ADP-SCSI-50
• F-ADP-SCSI-80
58.
Logicube: Cables
OmniClone IDE Cables:
• F-CABLE-30A
• F-CABLE-5
• F-CABLE-9
• F-CABLE-RP10
• F-CABLE-RP15
• F-CABLE-RP2
• F-CABLE-RP5
• F-CABLE-SOL
OmniClone SATA Cables:
• F-CABLE-SAS5
• F-CABLE-SATA
• F-CABLE-SATA18
• F-CABLE-SATAEP
• F-CABLE-SATAXI
59.
Logicube: Cables (cont'd)
OmniClone UDMA IDE Cables:
• F-CABLE-RP2U
• F-CABLE-RP5U
• F-CABLE-RP10U
• F-CABLE-RP15U
• F-CABLE-SOLU
• F-CABLE-5U
• F-CABLE-9U
• F-CABLE-30U
• F-CABLE-XI, F-CABLE-2XI
• F-CABLE-5XI, F-CABLE-10XI
OmniClone SCSI Cables:
• F-CABLE-SCSI
• F-CABLE-SCSI2
• F-CABLE-SCSI4
60.
Data Duplication Tools
61.
Data Duplication Tool: R-Drive Image
R-Drive Image is a tool that creates disk image files for backup or duplication purposes
A disk image file contains an exact, byte-by-byte copy of a hard drive, partition, or logical disk
R-Drive Image can create partition images at various compression levels without stopping the Windows OS
These drive image files can then be stored in a variety of places, including removable media such as CD-R(W) or DVD-R(W), Iomega Zip, or Jaz disks
62.
R-Drive Image: Screenshot
63.
Data Duplication Tool: DriveLook
The DriveLook tool has the following features:
• Indexes the hard drive for the text that was written to it
• Searches through a list of all words stored on the drive
• Views the location of words in the disk editor
• Switches between different views
• Uses an image file as input
• Accesses remote drives through a serial cable or TCP/IP
64.
DriveLook: Screenshot
65.
Data Duplication Tool: DiskExplorer
DiskExplorer aids examiners in investigating any drive and recovering data
Two versions of DiskExplorer exist:
• DiskExplorer for FAT
• DiskExplorer for NTFS
The tool also has provisions to navigate through the drive by jumping to the:
• Partition table
• Boot record
• Master file table
• Root directory
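The "jump to" navigation on the slide above works because each of those structures is located from the one before it: the partition table in sector 0 gives the partition's starting LBA, the boot record at that LBA carries the BIOS parameter block, and for NTFS the BPB gives the cluster where the master file table starts. The following is an added Python example (not DiskExplorer's code) that follows that chain over a constructed disk image containing a single NTFS primary partition; the image, its offsets and the planted `FILE` record signature are assumptions of the example, and extended-partition (EBR) chains are not followed.

```python
import struct

SECTOR = 512
PARTITION_TYPES = {          # a few common MBR type IDs; others shown as hex
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0x0F: "Extended (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector0):
    """Decode the four primary entries of an MBR partition table.
    Raises if the 0x55AA signature is missing (not an MBR, or a damaged one)."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        boot, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
        if ptype == 0x00:
            continue                      # empty slot
        entries.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,
        })
    return entries


def boot_record(image, entry):
    """Jump to a partition's boot sector (VBR)."""
    off = entry["byte_offset"]
    return image[off:off + SECTOR]


def ntfs_mft_offset(image, entry):
    """For an NTFS partition, read the BPB in its boot sector and compute the
    absolute byte offset of $MFT: partition start + MFT cluster * cluster size."""
    vbr = boot_record(image, entry)
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
    sectors_per_cluster = vbr[0x0D]
    mft_cluster = struct.unpack_from("<Q", vbr, 0x30)[0]
    return entry["byte_offset"] + mft_cluster * bytes_per_sector * sectors_per_cluster


def build_sample_image():
    """Constructed disk image: one bootable NTFS primary partition starting at
    LBA 2048, whose boot sector says $MFT is at cluster 4 (8 sectors/cluster),
    with a FILE record signature planted there.  Not a real disk."""
    part_start, part_sectors = 2048, 256
    image = bytearray((part_start + part_sectors) * SECTOR)
    # MBR: entry 0 only, 0x55AA signature at the end of sector 0
    struct.pack_into("<B3sB3sII", image, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                     part_start, part_sectors)
    image[510:512] = b"\x55\xaa"
    # NTFS VBR at the partition start
    vbr = part_start * SECTOR
    image[vbr:vbr + 3] = b"\xeb\x52\x90"            # jump instruction
    image[vbr + 3:vbr + 11] = b"NTFS    "           # OEM ID
    struct.pack_into("<H", image, vbr + 0x0B, 512)  # bytes per sector
    image[vbr + 0x0D] = 8                           # sectors per cluster
    struct.pack_into("<Q", image, vbr + 0x30, 4)    # $MFT starts at cluster 4
    image[vbr + 510:vbr + 512] = b"\x55\xaa"
    # first MFT record signature
    mft = vbr + 4 * 512 * 8
    image[mft:mft + 4] = b"FILE"
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for p in parse_mbr(img[:SECTOR]):
        print(p)
        print("$MFT at byte offset", ntfs_mft_offset(img, p))
```

The signature checks matter more than they look: a missing 0x55AA or a wrong OEM ID is usually the first sign that the examiner is looking at a wiped, encrypted or mis-imaged sector rather than the structure they expected, and the tool should say so instead of decoding garbage offsets.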
66.
DiskExplorer: Screenshot
67.
Save-N-Sync
The quickest, easiest, and most economical way to synchronize a small number of folders
It allows you to synchronize and back up files from a source folder on one computer to a target folder on a second networked computer or storage device
68.
Save-N-Sync
69.
Hardware Tool: ImageMASSter 6007SAS
The ImageMASSter 6007SAS is the only hard drive duplication unit on the market that supports SAS (Serial Attached SCSI) hard drives
It copies simultaneously at high speed from SATA/SAS/SCSI/IDE hard drives to any 7 SAS/SATA/IDE target hard drives
It is a Windows-based machine with one Gigabit network connection, which allows downloading or uploading files to or from drives using a network drive
Figure: ImageMASSter 6007SAS
70.
ImageMASSter 6007SAS (cont'd)
Features:
• High Speed Copy Operation
• SAS and SATA Duplicator
• SCSI Duplicator
• Server Migration
• All Operating Systems Can Be Copied
• Multiple Copy Modes
• Supports Any File System
• Network Connectivity
• WipeOut
• Mount and Modify Drives
• Hot Swap Drives
• Scale Partitions
• Windows Based
Software Features:
• MultiMASSter
• IQCOPY
• Auto Scale and Format Partitions
• Image Copy
• WipeOut DoD
• WipeOut Fast Option
• Store Log Information
• Error Detection and Verification
• Manage User Defined Settings
Figure: ImageMASSter 6007SAS
71.
Hardware Tool: Disk Jockey IT
Designed exclusively for IT data duplication
The Disk Jockey IT data imaging tool is a lightweight, portable hand-held device that can copy data to one or two target drives at speeds exceeding 2 GB/min
It mirrors two hard disk drives for real-time backup (RAID level 1), so data is stored simultaneously on both drives
Data can be copied from one disk to another without using a computer at speeds of up to 2 GB/min
Figure: Disk Jockey IT
72.
Disk Jockey IT (cont'd)
Features:
• Standalone HD Mode
• Mirroring
• Spanning
• Fast Disk to Disk Copies
• Disk Copy Compare / Verification
• Hard Disk Read Test
• Two Levels of Erase
Figure: Disk Jockey IT
73.
SCSIPAK
SCSIPAK is a set of system tools that extends the support of tape drives under the Microsoft Windows NT and Windows 2000 operating systems
It is a software- and tape-based data conversion and duplication system
Data can be downloaded from a tape or optical disk and then written simultaneously to up to seven drives at once
The image file from the tape or optical medium is stored under NT along with an index file, which contains details of tape file and set marks, directory partitions, or unused optical sectors
This allows for the duplication of even complex-format tapes and optical disks
74.
IBM DFSMSdss
A reliable utility to quickly move, copy, and back up data
Functions:
• Moves and replicates data
• Manages storage space efficiently
• Backs up and recovers data
• Converts data sets and volumes
FlashCopy in DFSMSdss:
• FlashCopy provides a fast data duplication capability
• This option helps eliminate the need to stop applications for extended periods of time in order to perform backups and restores
75.
Tape Duplication System: QuickCopy
QuickCopy is the premier tape duplication system for data/software distribution applications
It is a complete production system for software and data distribution
Features:
• Duplicate Master tape to one or more Target tapes
• Duplicate from Master Images stored on hard drives
• Multi-tasking for mixed jobs
• 100% verification of all copies made, at user option
• Microsoft NT operating system and user interface (GUI)
• CD-R copying available with the QuickCopy-CD option
Figure: QuickCopy
76.
DeepSpar: Disk Imager Forensic Edition
DeepSpar Disk Imager Forensic Edition is a portable version of DeepSpar Disk Imager Data Recovery Edition with the addition of forensic-specific functionality, used to handle disk-level problems
Visualize the imaging process by:
• Reading the status of each retrieved sector
• Data being imaged
• Types of imaging files
Figure: Disk Imager Forensic Edition
77.
DeepSpar: 3D Data Recovery
DeepSpar data recovery systems pioneered the 3D Data Recovery process, a professional approach to data recovery centered on the following three phases:
Phase 1: Drive Restoration
• This phase deals with drives that are not responding, and drives that appear functional and can be imaged but produce useless data
• Recommended tool: PC-3000 Drive Restoration System
Phase 2: Disk Imaging
• This phase deals with creating a clean duplicate of the disk contents on a new disk that can be used as a stable platform for phase 3
• Recommended tool: DeepSpar Disk Imager
Phase 3: Data Retrieval
• This phase involves rebuilding the file system, extracting the user's data, and verifying the integrity of files
• Recommended tool: PC-3000 Data Extractor
78.
Phase 1 Tool: PC-3000 Drive Restoration System
The PC-3000 Drive Restoration System tool is used for drive restoration
It fixes firmware issues for all hard disk drive manufacturers and virtually all drive families
Features of the PC-3000 Drive Restoration System:
• Designed for data recovery businesses
• Universal utilities give faster drive diagnostics
• Repairs the drive and secures all of the user's data
• Software included with PC-3000 features a user-friendly Microsoft Windows XP/2000 interface
• PC-3000 has built-in features to treat particular drives for their most common failures
Figure: PC-3000 Drive Restoration System
79.
Phase 2 Tool: DeepSpar Disk Imager
A disk imaging device built to recover bad sectors on a hard drive
DeepSpar Disk Imager Features:
• Retrieves up to 90 percent of bad sectors
• Uses special vendor-specific ATA commands that pre-configure the hard drive for imaging
• Reduces the time it takes to image a disk with bad sectors
• Failing hard drives are imaged with care and intelligence
• Real-time reporting gives a window on the type and quality of data imaging
Figure: Disk Imager
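What distinguishes the imager on this slide, and the per-sector status display of the Forensic Edition two slides earlier, from a plain `dd` is how an unreadable sector is handled: the read is retried, a sector that never comes back is padded so the image keeps its geometry, and every sector's outcome is recorded so the padding is never mistaken for evidence. The following is an added Python example (not DeepSpar's code) of that logic over a constructed in-memory "drive" that fails on chosen sectors; the retry count, zero fill and the `ok`/`recovered`/`bad` states are assumptions of the example.

```python
from collections import Counter

SECTOR = 512


class FlakyDrive:
    """Constructed stand-in for a failing drive.  `permanent` LBAs fail on
    every read; `transient` LBAs fail once and then succeed, which is the
    case a retry strategy is meant to rescue."""

    def __init__(self, data, permanent=(), transient=()):
        self.data = data
        self.permanent = set(permanent)
        self.transient = set(transient)
        self.attempts = Counter()

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, lba):
        self.attempts[lba] += 1
        if lba in self.permanent or (lba in self.transient and self.attempts[lba] == 1):
            raise IOError(f"read error at LBA {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def image_drive(drive, retries=3, fill=b"\x00"):
    """Image every sector.  A sector that fails all `retries` attempts is
    written as `fill` so the image keeps its geometry, and its status is
    recorded so the examiner never mistakes filler for evidence.
    Returns (image_bytes, {lba: 'ok' | 'recovered' | 'bad'})."""
    image = bytearray()
    status = {}
    for lba in range(drive.sectors):
        for attempt in range(1, retries + 1):
            try:
                image += drive.read_sector(lba)
            except IOError:
                continue
            status[lba] = "ok" if attempt == 1 else "recovered"
            break
        else:
            image += fill * SECTOR
            status[lba] = "bad"
    return bytes(image), status


def status_runs(status):
    """Collapse the per-sector status into contiguous (start, length, state)
    runs, the form a map file (ddrescue-style) would store."""
    runs = []
    for lba in sorted(status):
        state = status[lba]
        if runs and runs[-1][2] == state and runs[-1][0] + runs[-1][1] == lba:
            runs[-1][1] += 1
        else:
            runs.append([lba, 1, state])
    return [tuple(r) for r in runs]


def summary(status):
    """Counts per state, the headline numbers for the acquisition report."""
    return dict(Counter(status.values()))


if __name__ == "__main__":
    data = bytes(range(256)) * 16              # constructed 8-sector "drive"
    drive = FlakyDrive(data, permanent={2}, transient={5})
    img, st = image_drive(drive)
    print(summary(st), status_runs(st))
```

The hash of an image produced this way covers the filler as well as the real data, so it is reproducible but does not prove equality with the source; the status map has to be stored and hashed alongside the image for the record to be meaningful.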
80.
Phase 3 Tool: PC-3000 Data Extractor
PC-3000 Data Extractor is a software add-on to PC-3000 that diagnoses and fixes file system issues
It works in tandem with PC-3000 hardware to recover data from any media (IDE HDD, SCSI HDD, and flash memory readers)
PC-3000 Data Extractor Features:
• Retrieves the user's data from drives with damaged logical structures
• Allows analysis of the logical structure of a damaged drive and, depending on the severity of the damage, selection of the specific files that the user wants to recover
• If the drive's translator module is damaged, it creates a virtual translator to build a map of offsets and copies the necessary data
81.
MacQuisition
MacQuisition is a forensic acquisition tool used to safely image Mac source drives using the source system
Features:
• Identifies the source device
• Configures the destination's location
• Images directly over the network
• Uses the command line
• Logs case, exhibit, and evidence tracking numbers and notes
• Automatically generates MD5, SHA1, and SHA256 hashes
82.
MacQuisition: Screenshot
Step 1: Source Identification
Step 3: Case Information
83.
MacQuisition: Screenshot (cont'd)
Step 5: Imaging/Status Information
84.
Athena Archiver
Athena Archiver is an email archiving and storage management system
Features:
• Email review and classification: tag and organize millions of emails instantly
• Enforceable email policy management: ensure email compliance with regulations and acceptable use policies
• Flexible storage management: moves the bulk of stored email to cheaper near-line drives, which can be replicated offsite to ensure a high level of reliability
85.
Summary
Investigators can acquire data in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file
Data duplication is essential for the proper preservation of digital evidence
Windows data acquisition tools allow the investigator to acquire evidence from a disk with the help of removable media such as USB storage devices
Forensic investigators use the built-in Linux command "dd" to copy data from a disk drive
The SavePart command retrieves information about the partition space on the hard disk