File000129
- 2. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: White House Email Forensics Case Won’t be Easy to Crack
Source: http://www.fcw.com/
Scenario
Adams Central Band’s Director Jeremy Johnson, 26, of 227 West South St., was
formally charged on September 21, 2006 with seven counts of child seduction and 41
counts of possession of child pornography. Investigators found hundreds of images of
child pornography on Johnson’s home computer.
Johnson was accused of seducing a senior female student at Adams Central when she
was aged 18. Johnson had been taking part in a special sharing service over the
Internet and appeared to have been trading child porn back and forth with other
collectors.
Det. Sgt. Steve Cale and Det. Gary Burkhart initiated the investigation and collected
Johnson’s desktop computer and his laptop. During the investigation, they found that
there were over 500 images that appeared to be of children less than 18 years of age in
a state of nudity engaged in various stages of sexual activity. They also found some
e-mails that consisted of pornographic messages.
Source: http://www.news-banner.com/index/news-app/story.4999
Module Objective
This module will familiarize you with:
• Determining the Best Data Acquisition Methods
• Understanding the Data Recovery Contingencies
• Data Acquisition Tools
• The Need for Data Duplication
• Data Duplication Tools
Module Flow
• Data Acquisition Methods
• Data Recovery Contingencies
• Data Acquisition Tools
• Need for Data Duplication
• Data Duplication Tools
Data Acquisition
Forensic data acquisition is the process of collecting information from various media, in
accordance with certain standards, for the purpose of analyzing its forensic value
Some common terminologies used in data acquisition:
• Resolution: the smallest signal increment that can be detected by a data acquisition system
• RS232: a commonly used interface standard, but it supports only one connection at a time and
transmission distances up to 50 feet
• RS485: a rarely used interface standard, but it supports communication with more than one device
on the bus at a time and transmission distances of approximately 5,000 feet
• Sample rate: the speed at which a data acquisition system collects data, normally expressed in
samples per second
• Single-ended input: denotes how a signal is input to a data acquisition device
Types of Data Acquisition Systems
Serial Communication Data Acquisition Systems
• It is used when the actual location of the data is at some distance from
the computer
• Communication standards such as RS232 and RS485 are used in this
system depending on the distance to be supported
USB Data Acquisition Systems
• Peripheral devices such as printers, monitors, modems, and data
acquisition devices can be attached with the use of USB
• It is an easy option as it requires only one cable to connect the data
acquisition device to the PC
Types of Data Acquisition Systems (cont’d)
Data Acquisition Plug-in Boards
• These boards are plugged directly into the computer bus
• Each board has a unique I/O map location
Parallel Port Data Acquisition Systems
• The parallel port normally used for the printer connection is used for the data
acquisition device
• It supports a high sample rate, although the distance between the computer and
the acquisition device is limited
Determining the Best Acquisition Methods
Forensic investigators acquire digital evidence using the following methods:
• Creating a bit-stream disk-to-image file
• Making a bit-stream disk-to-disk copy
• Creating a sparse data copy of a folder or file
Data Recovery Contingencies
Investigators must make contingency plans in case data acquisition fails
To preserve digital evidence, investigators need to create a duplicate copy of the
evidence files
If the original data recovered is corrupted, investigators can use the second copy
Use at least two data acquisition tools to create copies of the evidence, in case the
investigator’s preferred tool does not recover the data properly
Data Acquisition Mistakes
Choosing wrong resolution for data acquisition
Using wrong cables and cabling techniques
Not enough time for system development
Making the wrong connections
Having poor instrument knowledge
Data Duplication
Data duplication is useful for the preservation of the original evidence
Preserve the data
• All tests to be carried out on the data are generally carried out on a copy of the
original data, keeping the original data safe
Never work on the original data
• Use special tools and software for imaging the data devices
• The resulting image is treated as a forensically sound copy
Issues with Data Duplication
Data duplication may contaminate the original data
Contaminated data is not accepted as evidence
There is a chance of the duplicate data being tampered with
Data fragments can be overwritten, and data stored in the Windows swap file can be
altered or destroyed
If the original data is contaminated, important evidence is lost, which causes
problems in the investigation process
Data Duplication in a Mobile Multi-Database System
Duplication of the database results in fault tolerance
It can be used even if the software or hardware fails
Data duplication increases the reliability of the system
Requests for particular data items can be handled by different nodes concurrently
It improves response time and gives better overall performance
Data Duplication System Used in USB Devices
A data duplication method is used to control the data transmission between USB devices
Data is transmitted between two USB devices without the help of a computer
The duplication system consists of at least a serial interface engine circuit, a CPU,
and a data buffer unit
The CPU is connected between the source USB and the target USB with the help of the
serial interface engine circuit
The data buffer is used as memory buffer space while the digital data is transmitted
between the source and destination USB devices
Data Backup
Backup is the activity of copying files or databases so that they are preserved in case
of equipment failure or other catastrophe
Backup approaches can be categorized as local, remote, online, or offline
It is important to:
• Restore the original data after a data breach or disaster
• Restore some files if they are accidentally deleted or corrupted
A backup may serve as an image file that can be used for forensic investigation and
analysis of evidence in a cyber crime
It may be used as evidence in trials of computer crimes
Data Acquisition Tools and Commands
MS-DOS Data Acquisition Tool: DriveSpy
DriveSpy enables the investigator to direct data from one particular sector range to
another sector
It provides two methods for accessing disk sector ranges:
A built-in Sector (and Cluster) Hex Viewer which can be used to examine DOS and
non-DOS partitions
Configurable logging capabilities to document the investigation (keystroke-by-keystroke
if desired)
The ability to create and restore compressed forensic images of the drive partitions
Full scripting capabilities to automate processing activities
Using Windows Data Acquisition Tools
Windows data acquisition tools allow the investigator to acquire evidence from a disk
with the help of removable media such as USB storage devices
These tools can use FireWire to connect hard disks to the forensic lab systems
Data acquisition tools in Windows cannot acquire data from the host protected area (HPA)
of the disk
FTK Imager
FTK Imager allows you to acquire physical device images and logically view data from
FAT, NTFS, ext2 and ext3, as well as HFS and HFS+ file systems
Acquiring Data on Linux
Forensic investigators use the built-in Linux command “dd” to copy data from a disk drive
This command can make a bit-stream disk-to-disk file, disk-to-image file, block-to-block
copy, or block-to-file copy
The “dd” command can copy the data from any disk that Linux can mount and access
Other forensic tools such as AccessData FTK and ILook can read dd image files
Syntax:
• dd if=/*source* of=/*destination*
where:
if = infile, or the evidence you are copying (a hard disk, tape, etc.)
source = source of evidence
of = outfile, or the copy of the evidence
destination = where you want to put the copy
dd Command
dd if=<source> of=<target> bs=<byte size> skip= seek= conv=<conversion>
bs is “usually” a power of 2 and not less than 512 bytes (i.e. 512, 1024, 2048, 4096, 8192,
16384), but it can be any reasonable number
Suppose a 2GB hard disk is seized as evidence. Use dd to make a complete physical backup of the hard disk:
• dd if=/dev/hda of=/dev/case5img1
Copy one hard disk partition to another hard disk:
• dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
Make an ISO image of a CD:
• dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
Copy a floppy disk:
• dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
Restore a disk partition from an image file:
• dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror
Copy RAM memory to a file:
• dd if=/dev/mem of=/home/sam/mem.bin bs=1024
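The dd invocations above copy the media but say nothing about whether the copy is faithful, which is what the earlier contingency slide (make a second copy, make sure your tool actually recovered the data) is about. The script below is an added example, not from the EC-Council module or any of the tools it lists: it images a source with dd, records dd's block counts and a SHA-256 of source and image in a log, and only reports success when the two digests agree. It assumes GNU coreutils (dd, sha256sum, cmp, mktemp) and uses a constructed 4 KiB file in place of an evidence disk; the `acquire_image`, `verify_image` and `make_sample_disk` names are this example's own.

```shell
#!/bin/sh
# Added example: bit-stream acquisition with dd plus hash verification and a
# log. Not from the EC-Council module; assumes GNU coreutils (dd, sha256sum,
# cmp, mktemp). The "disk" is a constructed file, not a real device.

# make_sample_disk FILE
# Builds a block-aligned constructed evidence disk (8 sectors of 512 bytes),
# as a real block device would be, so the example runs without hardware.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    # Put a recognisable marker at the start without truncating the file.
    printf 'CONSTRUCTED-EVIDENCE-DISK' | dd of="$1" conv=notrunc 2>/dev/null
}

# sha256_of FILE -> prints only the hex digest
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE, appends dd's record counts and both digests to LOG,
# and returns 0 only when the image hashes the same as the source.
# conv=noerror keeps dd running past an unreadable block; conv=sync pads that
# block with NULs so every later byte keeps its original offset. The slides'
# "conv=notrunc,noerror" without sync silently drops a failed block, so
# everything after it shifts and partition offsets no longer line up.
# (sync also pads a final partial block: fine for a block device, but a file
# source whose size is not a multiple of bs will hash differently.)
acquire_image() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf 'source sha256 %s\nimage  sha256 %s\n' "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE EXPECTED_HASH
# Re-hashes an image later (before analysis, or to compare the copy made by a
# second tool) and checks it against the digest recorded at acquisition time.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Stand-alone run against the constructed disk.
workdir=$(mktemp -d)
make_sample_disk "$workdir/evidence.raw"
if acquire_image "$workdir/evidence.raw" "$workdir/evidence.img" "$workdir/acquisition.log"; then
    echo "image verified; log follows:"
    cat "$workdir/acquisition.log"
else
    echo "HASH MISMATCH - do not rely on this image" >&2
fi
rm -rf "$workdir"
```

For a real device, `if=` would be the block device (for example the `/dev/hda` of the slides) and the log file, not the image, is what you hand over with the copy; a second acquisition with a different tool should reproduce the same digest.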
Extracting the MBR
To see the contents of the MBR, use these commands:
• # dd if=/dev/hda of=mbr.bin bs=512 count=1
• # od -xa mbr.bin
The dd command, which needs to be run as root, reads the first 512 bytes from /dev/hda
(the first Integrated Drive Electronics, or IDE, drive) and writes them to the mbr.bin file
The od command prints the binary file in hex and ASCII formats
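An `od -xa` dump shows the bytes, but the things an examiner actually checks in the first sector are fixed offsets: the 0x55 0xAA boot signature at bytes 510-511 and the four 16-byte partition entries starting at byte 446 (type byte at offset 4 of each entry). The script below is an added example, not from the EC-Council module: it extracts the sector with the slide's dd command and then reads those fields with dd and od. It assumes GNU coreutils (dd, od, mktemp); the sector it works on is a constructed file, and the function names are this example's own. A type byte of 0xEE marks a GPT protective MBR, in which case the real partition table is in the GPT header from LBA 1 onwards, not in this sector.

```shell
#!/bin/sh
# Added example: extract the 512-byte MBR with dd, then check the boot
# signature and partition type bytes instead of only reading an od dump.
# Not from the EC-Council module; assumes GNU coreutils (dd, od, mktemp).

# make_sample_mbr FILE
# Constructed MBR: entry 1 bootable (0x80) with type 0x83 (Linux), entry 2
# with type 0x07 (NTFS), boot signature 0x55 0xAA at offset 510.
# Only the non-zero bytes are written, on top of a zeroed sector.
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\200' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null     # entry 1 status
    printf '\203' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null     # entry 1 type
    printf '\007' | dd of="$1" bs=1 seek=466 conv=notrunc 2>/dev/null     # entry 2 type
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null # 55 AA
}

# extract_mbr DEVICE OUT  - the slide's command: first sector only
extract_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# byte_at FILE OFFSET -> two lowercase hex digits
byte_at() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# mbr_signature_ok FILE -> 0 when bytes 510-511 are 55 AA
mbr_signature_ok() {
    [ "$(byte_at "$1" 510)$(byte_at "$1" 511)" = "55aa" ]
}

# mbr_partition_types FILE -> prints the four type bytes, e.g. "83 07 00 00"
mbr_partition_types() {
    i=0; types=""
    while [ "$i" -lt 4 ]; do
        t=$(byte_at "$1" $((446 + i * 16 + 4)))
        types="$types${types:+ }$t"
        i=$((i + 1))
    done
    printf '%s\n' "$types"
}

# mbr_is_gpt_protective FILE -> 0 when any entry has type 0xEE, meaning the
# partition layout lives in a GPT, not in this sector
mbr_is_gpt_protective() {
    case " $(mbr_partition_types "$1") " in
        *" ee "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run against the constructed sector.
work=$(mktemp -d)
make_sample_mbr "$work/disk.raw"
extract_mbr "$work/disk.raw" "$work/mbr.bin"
od -Ax -tx1 "$work/mbr.bin" | tail -n 5
if mbr_signature_ok "$work/mbr.bin"; then
    echo "valid MBR signature; partition types: $(mbr_partition_types "$work/mbr.bin")"
else
    echo "no 55 AA signature: not a usable MBR" >&2
fi
rm -rf "$work"
```

On a real disk, replace `$work/disk.raw` with the device node; a missing signature or an all-zero partition table on a disk that clearly holds data is a cue to look for a GPT, a wiped sector, or a hidden area rather than to trust the dump as-is.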
Netcat Command
Source Machine
• dd if=/dev/hda bs=16065b | netcat targethost-IP 1234
Target Machine
• netcat -l -p 1234 | dd of=/dev/hdc bs=16065b
dd Command (Windows XP Version)
Linux dd utility ported to Windows:
dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5
Mount Image Pro
Mount Image Pro is a computer forensics tool for computer forensics investigations. It
enables the mounting of:
• EnCase
• Unix/Linux DD images
• SMART
• ISO
It mounts image files as a drive letter under the Windows file system
It maintains the MD5 hash integrity, which can be tested by the reacquisition of the
mounted drive and a comparison of MD5 checksums
It will also open EnCase password-protected image files without the password
Snapshot Tool
Snapshot is a data acquisition tool
Snapback DatArrest
SnapBack DatArrest includes SnapBack Live, which allows it to perform a "True Image
Backup" of a server while it is live and in use
If the "bad guys" see you coming and start deleting files, DatArrest recovers all the
files, including the deleted files
The DatArrest Suite provides the ability to copy:
• Server hard drive to tape
• PC hard drive to tape
• Server or PC hard drive to removable media
• Hard drive to hard drive
• Tape to tape
Data Acquisition Toolbox
Data Acquisition Toolbox provides tools for analog input, analog output, and digital
input/output
It supports a variety of PC-compatible data acquisition hardware
Data Acquisition Toolbox enables:
• Customizing the acquisition process
• Accessing built-in features of hardware devices
• Incorporating the analysis and visualization features
• Saving data for post-processing
• Updating the test setup for result analysis
Data Acquisition Toolbox: Screenshot
Data Acquisition Tool: SafeBack
SafeBack is an industry standard self-authenticating computer forensics tool
that is used to create evidence grade backups of hard drives
It is used to create mirror-image (bit-stream) backup files of hard disks or to
make a mirror-image copy of an entire hard disk drive or partition
It creates a log file of all transactions it performs
Hardware Tool: Image MASSter Solo-3 Forensic
The ImageMASSter Solo-3 Forensic data imaging tool is a lightweight, portable hand-held
device that can acquire data to one or two evidence drives at speeds exceeding 3GB/min
Designed exclusively for forensic data acquisition
Figure: Image MASSter Solo-3 Forensic
Image MASSter Solo-3 Forensic (cont’d)
Features:
• MD5 and CRC32 Hashing
• Touch Screen User Interface
• High Speed Operation
• Built in Write Protection
• Built in FireWire 1394B and USB 2.0 Interface
• Captures to Two Evidence Drives Simultaneously
• Multiple Capture Methods
• WipeOut
• Audit Trail and Logs
• Multiple Media Support
• Upgradeable
Software features:
• Device Configuration Overlay (DCO) Option
• Host Protected Area (HPA) Option
• WipeOut DoD Option
• WipeOut Fast Option
• LinkMASSter Application
• Linux-DD Capture Option
Figure: Image MASSter Solo-3 Forensic
Image MASSter: RoadMASSter-3
RoadMASSter-3 is a portable computer forensic lab used to:
• Acquire data
• Preview and image hard drives
• Analyze data in the field
It is designed to perform as both a fast and reliable hard drive imaging tool and a data
analysis tool
It can acquire or analyze data from FireWire 1394A/B, USB, IDE, SATA, SAS, and SCSI
Figure: Road MASSter-3
Image MASSter: Wipe MASSter
Wipe MASSter is designed to erase and sanitize hard drives
It ensures that there are no traces of the previous data on the hard drive
An intuitive menu provides a simple pattern-based scan to sanitize the hidden partition
on any hard drive
Figure: Wipe MASSter
Image MASSter: DriveLock
Image MASSter DriveLock device is a hardware write-protect solution which prevents data writes
It has four versions:
• Serial-ATA DriveLock Kit USB/1394B
• DriveLock Firewire/USB
• DriveLock IDE
• DriveLock In Bay
Hardware Tool: LinkMASSter-2 Forensic
The LinkMASSter-2 is a high-speed forensic data acquisition device that provides the
tools necessary to seize data from a suspect’s unopened notebook or PC using the
FireWire 1394A/B or USB 1.0/2.0 interface
The device supports the MD5, CRC32 or SHA1 hashing methods during data capture,
ensuring that the transferred data is an exact replica of the suspect’s data without
modification
It seizes data from P-ATA, S-ATA, SCSI or notebook drives
Data transfer rates can exceed 3GB/min
Figure: Link MASSter-2 Forensic
LinkMASSter-2 Forensic (cont’d)
Features:
• FireWire 1394B and USB 2.0 Interface
• MD5 and CRC32 and SHA1 Hashing
• Forensic Toolkit Graphical User Interface
• High Speed Operation
• Multiple Capture Methods
• Write Protection
• Multiple Media Support
• WipeOut
• Audit Trail and Logs
Software Features:
• LinkMASSter Application
• Hashing
• Single Capture Option
• Linux-DD Capture Option
• Intelligent Capture Option
• WipeOut DoD Option
• WipeOut Fast Option
Figure: Link MASSter-2 Forensic
Hardware Tool: RoadMASSter-2
The RoadMASSter-2 forensics data acquisition and analysis tool is designed to perform as
both a fast and reliable hard drive imaging tool and a data analysis tool
This computer forensic system is built for the road, with all the tools necessary to
acquire or analyze data from today’s common interface technologies, including FireWire,
USB, Flash, ATA, S-ATA, and SCSI
This portable computer forensic lab is used by law enforcement agencies as well as
corporate security to acquire and analyze data in the field
Figure: Road MASSter-2
RoadMASSter-2 (cont’d)
Features:
• MD5 and CRC32 and SHA1 Hashing
• Forensic Toolkit Graphical User Interface
• High Speed Operation
• Multiple Capture Methods
• Built in Write Protection
• Built in LinkMASSter FireWire 1394B and USB 2.0 Interface
• Multiple Media Support
• Preview and Analyze
• WipeOut
• Audit Trail and Logs
Software Features:
• WipeOut DoD Option
• WipeOut Fast Option
• LinkMASSter Application
• Linux-DD Capture Mode
• Single Capture Mode
• Intelligent Capture Mode
Figure: Road MASSter-2
Logicube: Echo PLUS & Sonix
Echo PLUS
• It is a portable hard drive cloning solution
• Data transfer rate: speeds up to 1.8 GB/min (UDMA 2 mode)
• Hard drive duplication: single-target, drive-to-drive duplicator for IDE, UDMA, and
SATA drives
Sonix
• Sonix transfers data to and from a hard drive at 3.3GB/min
• It allows the user to configure up to 24 partitions for various loads and applications
Logicube: OmniClone Xi Series
• The OmniClone Xi supports UDMA-5 transfer speeds for cloning IDE, EIDE, UDMA, & SATA
drives at up to 3.5 GB/min
• All information with the current system software release is stored on the OmniClone's
64 MB compact flash card
Figure: OmniClone 10Xi
Figure: OmniClone 2Xi
Logicube: OmniClone Xi Series (cont’d)
• It offers an optional database software program that enables the user to scan and log
hard drive cloning sessions, including hard drive make, model, serial number, and
firmware revision
Figure: OmniClone 5Xi
Logicube: OmniPORT
The Forensic OmniPort device allows immediate access to the majority of current USB
flash devices
It captures and deploys data to or from most USB flash drives
It is compatible with thumb drives, pen drive type devices, flash memory cards using USB
card readers, and 2.5” and 3.5” external USB drives
It can be connected directly to a PC’s motherboard and booted as an IDE device
It allows data cloning to or from the attached USB drive by the Logicube Echo Plus,
Sonix, OmniClone 10Xi/5Xi/2Xi, and Forensic Talon
Figure: OmniPORT
Logicube: OmniWipe & Clone Card Pro
OmniWipe
• OmniWipe sanitizes multiple IDE, EIDE, UDMA, and SATA drives simultaneously at up to
2.3GB/min
• It performs a quick one-pass wipe and high-speed Security Erase
Clone Card Pro
• It is a PCMCIA adapter that allows hard drive data recovery transfer rates up to
175 MB/min
• It clones the data to and from a laptop computer
Figure: OmniWipe
Logicube: Forensic MD5
Forensic MD5 is a forensic hard disk data recovery system for law enforcement, corporate
security, and cybercrime investigation
Its built-in MD5 engine allows for imaging speeds up to 3.3 GB/min
It ensures bit-for-bit accuracy, guaranteeing zero chance of alteration of the suspect
and evidence drives
Forensic MD5 Features:
• Number of connectivity options
• MD5 verification
• Creates DD images
• Field-tested ruggedized case
• On-site reporting
• It is portable
• Unidirectional data transfer
Figure: Forensic MD5
Logicube: Forensic Talon
Forensic Talon is a forensic data capture system specifically designed for the
requirements of law enforcement, military, corporate security, and investigators
It simultaneously images and verifies data at up to 4 GB/min
It captures IDE/UDMA/SATA drives, and can capture SCSI drives via USB cable
Forensic Talon Features:
• Advanced keyword search
• MD5 or SHA-256 Authentication
• Unidirectional data transfer
• Creates DD images on-the-fly
• HPA and DCO capture
• Portable and high-speed data capturing
Figure: Forensic Talon
Logicube: RAID I/O Adapter
The RAID I/O Adapter enables the Forensic Talon to capture a suspect RAID drive pair
directly to 1 destination drive, and 1 suspect drive to 2 destination drives
Features of RAID I/O Adapter:
• Captures RAID-0, RAID-1, and JBOD configurations
• Supports MD5/SHA-256 scan and keyword search mode during any 1-to-2 capture
• Supports both native and DD image operation modes during 1-to-2 and 2-to-1 capturing
• Supports drive defect scan and WipeClean modes during 1-to-2
Figure: RAID I/O Adapter
Logicube: GPStamp
Logicube GPStamp is a device that produces a verified fix on the location, time, and
date of the data captured
Investigators can bolster their credibility by specifying when and where data captures
are performed
GPStamp Features:
• Computes the exact location of capture in 3D space; accurate to within 50 meters
• Adds accurate latitude, longitude, and time to the capture report and log
• It is capable of acquiring satellites and fixes within most buildings
Figure: GPStamp
Logicube: Portable Forensic Lab
The Portable Forensic Lab (PFL) is a portable computer forensic field lab housed in a
special ruggedized carrying case
This tool gives the investigator a head start, often cutting the time to acquire
critical data
The PFL includes everything a computer forensic examiner needs to:
• Capture evidence data at high speed from multiple sources
• Browse data from multiple types of digital media
• Analyze the captured material using computer forensic analysis software such as FTK
from AccessData
Figure: Portable Forensic Lab
Logicube: CellDEK
Logicube CellDEK is a cell phone data extraction device which identifies devices by
brand, model number, dimensions, and photographs
It is portable and compatible with over 1100 of the most popular cell phones and PDAs
It captures the data within 5 minutes, displays it on screen, and prompts for
downloading to a portable USB device
Investigators can immediately gain access to vital information, saving days of waiting
for a report from a crime lab
Figure: CellDEK
Logicube: Desktop WritePROtects
Logicube Desktop WritePROtects is a data recovery adapter used to protect the hard drives
It has two versions:
• IDE Desktop WritePROtect
• SATA Desktop WritePROtect
It allows only a small subset of the ATA specification commands to flow to the protected
drive and blocks all other commands
It connects via IDE or SATA cable to the HDD forensic tools for data capture
It guarantees read-only access when analyzing the captured or cloned drive under Windows
Figure: Desktop WritePROtects
Logicube: USB Adapter
The USB Adapter allows for cloning and drive management directly through the USB (1.1 or
2.0) port on a PC or laptop
It is capable of cloning at speeds up to 750 MB/min
It allows the investigator to:
• Store/restore images to a network server
• Modify a drive's contents
• Defragment the master drive
• Reformat the master drive
• Manage partitions using third party software
Figure: USB Adapter
Logicube: Adapters
OmniClone IDE laptop Adapters
• F-ADP-1.8
• F-ADP-COMP-FL
• F-ADP-DOM
• F-ADP-HITACHI-DS
• F-ADP-STND
• F-ADP-STND-3A
• F-ADP-STND-6A
• F-ADP-ZIF
• F-ADP-IDE
OmniClone SCSI Adapters
• F-ADP-SCSI-50
• F-ADP-SCSI-80
Logicube: Cables
OmniClone IDE Cables
• F-CABLE-30A
• F-CABLE-5
• F-CABLE-9
• F-CABLE-RP10
• F-CABLE-RP15
• F-CABLE-RP2
• F-CABLE-RP5
• F-CABLE-SOL
OmniClone SATA Cables
• F-CABLE-SAS5
• F-CABLE-SATA
• F-CABLE-SATA18
• F-CABLE-SATAEP
• F-CABLE-SATAXI
Logicube: Cables (Cont’d)
OmniClone UDMA IDE Cables
• F-CABLE-RP2U
• F-CABLE-RP5U
• F-CABLE-RP10U
• F-CABLE-RP15U
• F-CABLE-SOLU
• F-CABLE-5U
• F-CABLE-9U
• F-CABLE-30U
• F-CABLE-XI, F-CABLE-2XI
• F-CABLE-5XI, F-CABLE-10XI
OmniClone SCSI Cables
• F-CABLE-SCSI
• F-CABLE-SCSI2
• F-CABLE-SCSI4
Data Duplication Tool: R-Drive Image
R-Drive Image is an important tool that provides disk image file creation for backup or
duplication purposes
A disk image file contains an exact, byte-by-byte copy of a hard drive, partition or
logical disk
R-Drive Image can create partition images with various compression levels without
stopping the Windows OS
These drive image files can then be stored in a variety of places, including various
removable media such as CD-R(W) or DVD-R(W), Iomega Zip or Jaz disks
Data Duplication Tool: DriveLook
The DriveLook tool has the following features:
• Indexes the hard drive for the text that was written to it
• Searches through a list of all words stored on the drive
• Views the location of words in the disk editor
• Switches between different views
• Uses an image file as input
• Accesses remote drives through a serial cable or TCP/IP
Data Duplication Tool: DiskExplorer
DiskExplorer aids examiners in investigating any drive and recovering data
Two versions of DiskExplorer exist:
• DiskExplorer for FAT
• DiskExplorer for NTFS
The tool also has provisions to navigate through the drive by jumping to:
• Partition table
• Boot record
• Master file table
• Root directory
Save-N-Sync
The quickest, easiest, and most economical way to synchronize a small number of folders
It allows you to synchronize and back up files from a source folder on one computer to a
target folder on a second networked computer or storage device
Hardware Tool: ImageMASSter 6007SAS
The ImageMASSter 6007SAS is the only hard drive duplication unit on the market that
supports SAS (Serial Attached SCSI) hard drives
It copies simultaneously at high speed from SATA/SAS/SCSI/IDE hard drives to any 7
SAS/SATA/IDE target hard drives
It is a Windows-based machine with one Gigabit network connection, which allows
downloading or uploading files to or from drives using a network drive
Figure: Image MASSter 6007SAS
ImageMASSter 6007SAS (cont’d)
Features:
• High Speed Copy Operation
• SAS and SATA duplicator
• SCSI Duplicator
• Server Migration
• All Operating Systems can be copied
• Multiple Copy Modes
• Supports Any File System
• Network Connectivity
• WipeOut
• Mount and Modify Drives
• Hot Swap Drives
• Scale Partitions
• Windows based
Software Features:
• MultiMASSter
• IQCOPY
• Auto Scale and Format Partitions
• Image Copy
• WipeOut DoD
• WipeOut Fast Option
• Store Log Information
• Error Detection and Verification
• Manage User Defined Settings
Figure: Image MASSter 6007SAS
Hardware Tool: Disk Jockey IT
Designed exclusively for IT data duplication
The Disk Jockey IT data imaging tool is a lightweight, portable hand-held device that can
copy data to one or two target drives at speeds exceeding 2GB/min
It mirrors two hard disk drives for real-time backup (RAID level 1), with data stored
simultaneously on both drives
Data can be copied from one disk to another without using a computer at speeds of up to
2 GB/min
Figure: Disk Jockey IT
Disk Jockey IT (cont’d)
Features:
• Standalone HD Mode
• Mirroring
• Spanning
• Fast Disk to Disk Copies
• Disk Copy Compare / Verification
• Hard Disk Read Test
• Two levels of erase
Figure: Disk Jockey IT
SCSIPAK
SCSIPAK is a set of system tools which extend the support of tape drives under the
Microsoft Windows NT and Windows 2000 operating systems
It is a software- and tape-based data conversion and duplication system
Data can be downloaded from a tape or optical disk and then written simultaneously to up
to seven drives at once
The image file from the tape or optical medium is stored under NT along with an index
file which contains details of tape file and set marks, directory partitions, or unused
optical sectors
This allows for the duplication of even complex-format tapes and optical disks
- 74. EC-Council
IBM DFSMSdss
A reliable utility to quickly move, copy, and back up data
Functions:
• Moves and replicates data
• Manages storage space efficiently
• Backs up and recovers data
• Converts data sets and volumes
FlashCopy in DFSMSdss:
• FlashCopy provides a fast data duplication capability
• This option helps to eliminate the need to stop applications for extended periods of time in order to perform backups and restores
- 75. EC-Council
Tape Duplication System: QuickCopy
QuickCopy is the premier tape duplication system for data/software distribution applications
It is a complete production system for software and data distribution
Features:
• Duplicate Master tape to one or more Target tapes
• Duplicate from Master Images stored on hard drives
• Multi-tasking for mixed jobs
• 100% Verification of all copies made at user option
• Microsoft NT Operating System and User Interface (GUI)
• Available CD-R copying with QuickCopy-CD option
Figure: QuickCopy
- 76. EC-Council
DeepSpar: Disk Imager Forensic Edition
DeepSpar Disk Imager Forensic Edition is a portable version of DeepSpar Disk Imager Data Recovery Edition with the addition of forensic-specific functionality, and is used to handle disk-level problems
Visualize the imaging process by:
• Reading the status of each retrieved sector
• Data being imaged
• Types of imaging files
Figure: Disk Imager Forensic Edition
- 77. EC-Council
DeepSpar: 3D Data Recovery
DeepSpar data recovery systems pioneered the 3D Data Recovery process, a professional approach to data recovery centered on the following three phases:
Phase 1: Drive Restoration
• This phase deals with drives that are not responding, and with drives that appear functional and can be imaged but produce useless data
• Recommended tool: PC-3000 Drive Restoration System
Phase 2: Disk Imaging
• This phase deals with creating a clean duplicate of the disk contents on a new disk that can be used as a stable platform for phase 3
• Recommended tool: DeepSpar Disk Imager
Phase 3: Data Retrieval
• This phase involves rebuilding the file system, extracting the user’s data, and verifying the integrity of files
• Recommended tool: PC-3000 Data Extractor
- 78. EC-Council
Phase 1 Tool: PC-3000 Drive Restoration System
The PC-3000 Drive Restoration System tool is used for drive restoration
It fixes firmware issues for all hard disk drive manufacturers and virtually all drive families
Features of PC-3000 Drive Restoration System:
• Designed for data recovery businesses
• Universal utilities give faster drive diagnostics
• Repairs the drive and secures all of the user’s data
• Software included with PC-3000 features a user-friendly Microsoft Windows XP/2000 interface
• PC-3000 has built-in features to treat particular drives for their most common failures
Figure: PC-3000 Drive Restoration System
- 79. EC-Council
Phase 2 Tool: DeepSpar Disk Imager
The disk imaging device built to recover bad sectors on a hard drive
DeepSpar Disk Imager Features:
• Retrieves up to 90 percent of bad sectors
• Special vendor-specific ATA commands are used that pre-configure the hard drive for imaging
• Reduces the time it takes to image a disk with bad sectors
• Failing hard drives are imaged with care and intelligence
• Real-time reporting gives a window on the type and quality of data imaging
Figure: Disk Imager
- 80. EC-Council
Phase 3 Tool: PC-3000 Data Extractor
PC-3000 Data Extractor is a software add-on to PC-3000 that diagnoses and fixes file system issues
It works in tandem with PC-3000 hardware to recover data from any media (IDE HDD, SCSI HDD, and flash memory readers)
PC-3000 Data Extractor Features:
• Retrieves the user’s data from drives with damaged logical structures
• Allows the user to analyze the logical structure of a damaged drive and, depending on the severity of the damage, select the specific files to recover
• If the drive’s translator module is damaged, it creates a virtual translator to build a map of offsets and copies the necessary data
- 81. EC-Council
MacQuisition
MacQuisition is a forensic acquisition tool used to safely image Mac source drives using the source system
Features:
• Identifies the source device
• Configures the destination’s location
• Images directly over the network
• Uses the command line
• Logs case, exhibit, and evidence tracking numbers and notes
• Automatically generates MD5, SHA1, and SHA-256 hashes
- 82. EC-Council
MacQuisition: Screenshot
Figure: Step 1: Source Identification
Figure: Step 3: Case Information
- 83. EC-Council
MacQuisition: Screenshot (cont’d)
Figure: Step 5: Imaging/Status Information
- 84. EC-Council
Athena Archiver
Athena Archiver is an email archiving and storage management system
Features:
• Email review and classification: tag and organize millions of emails instantly
• Enforceable email policy management: ensure email compliance with regulations and acceptable use policies
• Flexible storage management: moves the bulk of stored email to cheaper near-line drives, which can be replicated offsite to ensure a high level of reliability
- 85. EC-Council
Summary
Investigators can acquire data in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file
Data duplication is essential for the proper preservation of digital evidence
Windows data acquisition tools allow the investigator to acquire evidence from a disk with the help of removable media such as USB storage devices
Forensic investigators use the built-in Linux command “dd” to copy data from a disk drive
The SavePart command retrieves information about the partition space in the hard disk
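The dd bit-stream acquisition the summary refers to, with the hash verification and logging that the duplicators above advertise, as an added example that is not code from the module or from any vendor: it images a constructed stand-in "drive" sector by sector, records SHA-256 hashes of source and image in a log, and shows that a single changed byte in the image is caught by the verify step. The function names and log format are my own.

```shell
# Added example (not from the EC-Council module or any vendor tool):
# bit-stream disk-to-image acquisition with dd, followed by hash
# verification and a hash log, as the "copy compare / verification" and
# "store log information" features of the hardware duplicators above do.
set -eu

# Portable SHA-256 of a file (GNU coreutils sha256sum, else BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Constructed stand-in for the evidence drive: 128 x 16 bytes = four 512-byte
# sectors of known, deterministic content (no real device is touched).
make_sample_disk() {
    : >"$1"; i=0
    while [ "$i" -lt 128 ]; do printf 'EVIDENCE-SECTOR\n' >>"$1"; i=$((i+1)); done
}

# acquire SOURCE IMAGE LOG: sector-by-sector copy. conv=noerror,sync keeps
# reading past unreadable sectors and zero-fills them, so the image keeps the
# source geometry instead of stopping at the first bad block the way cp would.
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>>"$3"
}

# verify_image SOURCE IMAGE LOG: hash both sides, append the hashes to the
# acquisition log, print VERIFIED or MISMATCH and return 0 or 1 accordingly.
verify_image() {
    src_hash=$(sha256_of "$1"); img_hash=$(sha256_of "$2")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s sha256=%s\n' "$stamp" "$1" "$src_hash" >>"$3"
    printf '%s image=%s sha256=%s\n' "$stamp" "$2" "$img_hash" >>"$3"
    if [ "$src_hash" = "$img_hash" ]; then echo VERIFIED; return 0; fi
    echo MISMATCH; return 1
}

# Stand-alone run (sh thisfile.sh --demo): image the sample disk, verify it,
# then flip one byte in the image and show the verification catching it.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_disk "$work/evidence.bin"
    acquire "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"
    verify_image "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"
    printf 'X' | dd of="$work/evidence.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log" || true
    cat "$work/acquisition.log"
fi
```

On a real acquisition the source would be a block device behind a write blocker, and the hashes belong in the case log alongside the exhibit number, as MacQuisition's case-information step does.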