Understanding Storage Formats For Digital Evidence Information Technology Essay
Active Data is the information that we can actually see. This includes data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
Archival Data is data that has been backed up and stored. This could mean backup tapes, CDs, floppies, or entire hard drives.
Latent Data is the information that one typically needs specialized tools to access. An example of latent data would be information that has been deleted or partially overwritten.
A computer investigation could involve looking at all of these data types, depending on the circumstances. Obtaining latent data is by far the most time-consuming and costly.
Computer forensics is all about obtaining proof of a crime or breach of policy. It focuses on obtaining proof of an illegal misuse of computers in a way that could lead to the prosecution of the culprit.
Understanding Storage Formats for Digital Evidence
Raw Format
Makes it possible to write bit-stream data to files
Advantages:
Fast data transfers
Can ignore minor data read errors on source drive
Most computer forensics tools can read raw format
Disadvantages:
Requires as much storage as original disk or data
Tools might not collect marginal (bad) sectors
Proprietary Formats
Features:
Option to compress or not compress image files
Can split an image into smaller segmented files
Can integrate metadata into the image file
Disadvantages:
Inability to share an image between different tools
File size limitation for each segmented volume
Advanced Forensics Format
Provide compressed or uncompressed image files
No size restriction for disk-to-image files
Provide space in the image file or segmented files for metadata
Simple design with extensibility
Open source for multiple platforms and OSs
Internal consistency checks for self-authentication
Determining the Best Acquisition Method
Types of acquisitions:
Static acquisitions and live acquisitions
Bit-stream disk-to-image file
Logical disk-to-disk or disk-to-data
Sparse data copy of a file or folder
Bit-stream disk-to-image file
Most common method
Can make more than one copy
Copies are bit-for-bit replications of the original drive
ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Bit-stream disk-to-disk copy, used when a disk-to-image copy is not possible
Consider disk’s geometry configuration
EnCase, SafeBack, SnapCopy
Logical acquisition or sparse acquisition
When your time is limited
Logical acquisition captures only specific files of interest to the case
Sparse acquisition also collects fragments of unallocated (deleted) data
For large disks
PST or OST mail files, RAID servers
Sparse data copy
When making a copy, consider:
Size of the source disk
Lossless compression might be useful
Use digital signatures for verification
When working with large drives, an alternative is using tape backup systems
Whether you can retain the disk
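The points above about image formats (raw images that zero-fill unreadable sectors, proprietary formats that split an image into segments and carry metadata) and about verifying copies with hashes or digital signatures come together in the following added example. It is not code from the original essay or from any of the tools named; it simulates a bit-stream acquisition against a constructed in-memory "drive" with one bad sector, writes fixed-size segments, records a SHA-256 of the whole image, and verifies that reassembled segments still match the recorded hash.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector, as on a typical drive

class ConstructedDrive:
    """Constructed stand-in for an evidence drive; raises on listed bad sectors."""
    def __init__(self, data: bytes, bad_sectors=()):
        self._data, self._bad = data, set(bad_sectors)

    @property
    def sectors(self) -> int:
        return len(self._data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self._bad:
            raise IOError(f"read error at sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]

def acquire_bitstream(drive, segment_bytes: int):
    """Bit-stream disk-to-image acquisition into segments of segment_bytes.

    Unreadable sectors are zero-filled and logged (the same idea as dd's
    conv=noerror,sync) so sector offsets in the image still line up with
    the source. Returns (segments, metadata); metadata holds the hash of
    the whole image and the bad-sector list the examiner must document.
    """
    segments, current, bad = [], io.BytesIO(), []
    digest = hashlib.sha256()
    for n in range(drive.sectors):
        try:
            chunk = drive.read_sector(n)
        except IOError:
            chunk = b"\x00" * SECTOR   # zero-fill, keep offsets aligned
            bad.append(n)
        digest.update(chunk)
        current.write(chunk)
        if current.tell() >= segment_bytes:  # segment_bytes should be a sector multiple
            segments.append(current.getvalue())
            current = io.BytesIO()
    if current.tell():
        segments.append(current.getvalue())
    return segments, {"sha256": digest.hexdigest(), "bad_sectors": bad,
                      "segments": len(segments)}

def verify_image(segments, metadata) -> bool:
    """Re-hash the reassembled segments and compare with the recorded value."""
    digest = hashlib.sha256()
    for seg in segments:
        digest.update(seg)
    return digest.hexdigest() == metadata["sha256"]
```

Because the hash is taken over the reassembled stream, two acquisitions of the same drive made with different segment sizes (or different tools) should produce the same value, which is the check behind the advice to make more than one image.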
Contingency Planning for Image Acquisitions
Create a duplicate copy of your evidence image file
Make at least two images of digital evidence
Use different tools or techniques
Copy host protected area of a disk drive as well
Consider using a hardware acquisition tool that can access the drive at the BIOS level
Be prepared to deal with encrypted drives
Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions
Capturing an Image with ProDiscover Basic
Connecting the suspect’s drive to your workstation
Document the chain of evidence for the drive
Remove the drive from the suspect’s computer
Configure the suspect drive’s jumpers as needed
Connect the suspect drive
Create a storage folder on the target drive
Using ProDiscover’s Proprietary Acquisition Format
Image file will be split into segments of 650 MB
Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)
Using ProDiscover’s Raw Acquisition Format
Select the UNIX style dd format in the Image Format list box
Raw acquisition saves only the image data and hash value
Capturing an Image with AccessData FTK Imager
Included with AccessData Forensic Toolkit
View evidence disks and disk-to-image files
Makes disk-to-image copies of evidence drives
At logical partition and physical drive level
Can segment the image file
Evidence drive must have a hardware write-blocking device
Or the USB write-protection Registry feature enabled
FTK Imager can’t acquire drive’s host protected area
Boot to Windows
Connect evidence disk to a write-blocker
Connect target disk to write-blocker
Start FTK Imager
Create Disk Image
Use Physical Drive option
GoToMyPC allows you to access and work on your computer on-the-fly from any location connected to the Internet. Get reliable, convenient and secure access to email, files, programs and network resources from home or the road.
Plug-in automatically launches, installs and configures itself. No restart required.
Set up and ready to go in minutes, even by novice users.
When you connect to your computer, the Viewer window launches automatically, allowing you to view and control your computer from another Microsoft® Windows®, Microsoft® Windows® CE, Macintosh®, Linux, Unix® or Solaris® computer. No pre-loaded software required.
Access your computer from any Web browser on any operating system at any time. Even work on your office Microsoft® Windows® PC from your Macintosh® at home.
Encryption and Maximum Security
All data is protected with AES encryption using 128-bit keys. Dual passwords and end-to-end user authentication. Optional One-Time Passwords provide maximum security.
Most secure Internet connection available in a remote-access service. Nobody can “see” what you’re doing (not even us).
Connect to your computer in seconds and enjoy fast in-session performance.
Be more productive – faster. Quick connections and better performance mean you get more done in less time.
View your desktop in true 24-bit color.
Enjoy a true-to-life, full-color view of your desktop – perfect for looking at pictures and reviewing design work.
Print documents to any printer wherever you happen to be.
A hard copy of that forgotten file is only a connection away – print your document even if you don’t have the application.
Synchronize files and folders between your computer and any remote computer with just a click. Or transfer files and folders from one computer to another by simply dragging and dropping between screens.
Increase file organization between your computers to eliminate confusion.
Hear sound at any remote PC with customizable audio settings. Automatic muting on the PC you are accessing remotely means sound can only be heard by you.
Get the complete experience of being at your PC. Hear system alerts, voice mail, music or any other sound from your remote PC.
Invite a second person to temporarily view or share control of your PC.
Great for tech support, demos or “conference” viewing of info. Save time by meeting on-the-fly on your PC.
Use GoToMyPC with multiple monitors connected to a single computer.
Work on multiple monitors whether they’re connected to your host computer or to the computer at your remote-access location.
PocketView Wireless Access
Securely access your PC from your Pocket PC, Microsoft® Windows® Mobile or Microsoft® Windows® CE wireless device.
Ultimate mobility with on-the-fly remote access to your PC desktop – including your email, all your files, all your applications and your corporate intranet.
Network Forensic Tools
Iris Network Traffic Analyzer
Continuous vulnerability forensics plus network performance analysis
Iris Network Traffic Analyzer empowers your security and operations teams by providing granular data monitoring and precise packet and session reconstruction capabilities. The solution is designed to combine process and technology into a single effective system for network forensics.
Today’s organizations rely on the continuity and security of underlying IT systems at all times. This requirement is further amplified when you take into account the fact that most security or performance issues, whether due to malicious acts, user non-compliance or simple bandwidth misallocation, generally reside above your network in the applications being serviced by your infrastructure.
Most organizations today have already invested substantial time, money, and training in solutions that monitor their network’s security and performance at the physical level. However, these solutions, such as firewalls, network intrusion detection and prevention devices, virus scanning, and data loss prevention tools, have been unable to provide the same functionality in a virtualized environment because of their inability to monitor network traffic between virtual servers inside physical servers. This has led to the need for another, parallel investment of time, energy, and money in “virtual” versions of all of these security devices and processes, until now.