rv see WP:LEAD and it's also unreferenced |
Undid revision 592147277 by ErrantX (talk) |
||
Line 1: | Line 1: | ||
There're two broad categories of Forensic Acquisitions: <br> |
|||
⚫ | During the 1980s, most of [[digital forensics|digital forensic investigations]] consisted of " |
||
1. '''Volatile Analysis''' - Live Analysis, information which would be lost if you turn off the machine. For example, active logon sessions or open ports connected, arp cache poisoning, or processes running at the time of examination, what's in memory at the moment. CIRT needs '''collect Volatile forensic before they offline the compromised machine'''. |
|||
<br> |
|||
2. '''Non-Volatile Analysis''' - For example, registry, services/applications installed, browser history, timestamps/owner/digital signature of critical system files and hard disk. These information will not be lost when you turn off the machine. |
|||
<br> |
|||
<br> |
|||
Digital Forensic Acquisition Tools (Aka "Forensic Toolkits") are used in: |
|||
<br> |
|||
1. Establish '''Security Baseline''' BEFORE an incident happen.<br> |
|||
2. Security Incident Response by CIRT (Critical Incident Response Team) AFTER an incident is detected (Or, '''when it's happenning'''!).<br> |
|||
3. Penetration Testing/Hacking: foot printing/enumeration/discovery (Legitimate tools used by Security Professionals, when in the wrong hand, can be used for malicious purposes) |
|||
<br> |
|||
<br> |
|||
With Digital Forensic Tools, Investigator can answer these important questions: Is the machine compromised? If so, '''how''', '''when''' (Check System Clock, important! Otherwise you can't make sense of timestamp's and your whole case will fall apart) and '''what'''? The '''Anatomy of the Attack'''. |
|||
⚫ | During the 1980s, most of [[digital forensics|digital forensic investigations]] consisted of '''"Non-Volatile Analysis"''', examining digital media directly using non-specialist tools. In the 1990's, several [[freeware]] and other proprietary tools (both hardware and software) were created to allow investigations to take place ''without modifying media'' - it's important '''not''' to modify the media during inspection (Or leave as little foot print as possible) as '''Digital Evidence''' may be used in court and any modification may lead to claims of '''Evidence Tampering'''. |
||
Recent advances in Forensic Technologies come from '''Mobile Technologies''' and '''Cloud Computing'''. And, last but not least, tools/GUI for visualization/filtering/comparing of collected Forensic - Forensic data is unless unless you can efficiently search/analyze the collected data. |
|||
<br> |
|||
==Computer forensics== |
==Computer forensics== |
Revision as of 10:14, 24 January 2014
There're two broad categories of Forensic Acquisitions:
1. Volatile Analysis - Live Analysis, information which would be lost if you turn off the machine. For example, active logon sessions or open ports connected, arp cache poisoning, or processes running at the time of examination, what's in memory at the moment. CIRT needs collect Volatile forensic before they offline the compromised machine.
2. Non-Volatile Analysis - For example, registry, services/applications installed, browser history, timestamps/owner/digital signature of critical system files and hard disk. These information will not be lost when you turn off the machine.
Digital Forensic Acquisition Tools (Aka "Forensic Toolkits") are used in:
1. Establish Security Baseline BEFORE an incident happen.
2. Security Incident Response by CIRT (Critical Incident Response Team) AFTER an incident is detected (Or, when it's happenning!).
3. Penetration Testing/Hacking: foot printing/enumeration/discovery (Legitimate tools used by Security Professionals, when in the wrong hand, can be used for malicious purposes)
With Digital Forensic Tools, Investigator can answer these important questions: Is the machine compromised? If so, how, when (Check System Clock, important! Otherwise you can't make sense of timestamp's and your whole case will fall apart) and what? The Anatomy of the Attack.
During the 1980s, most of digital forensic investigations consisted of "Non-Volatile Analysis", examining digital media directly using non-specialist tools. In the 1990's, several freeware and other proprietary tools (both hardware and software) were created to allow investigations to take place without modifying media - it's important not to modify the media during inspection (Or leave as little foot print as possible) as Digital Evidence may be used in court and any modification may lead to claims of Evidence Tampering.
Recent advances in Forensic Technologies come from Mobile Technologies and Cloud Computing. And, last but not least, tools/GUI for visualization/filtering/comparing of collected Forensic - Forensic data is unless unless you can efficiently search/analyze the collected data.
Computer forensics
Name | Platform | License | Version | Description |
---|---|---|---|---|
SANS Investigative Forensics Toolkit - SIFT | Ubuntu | 2.1 | Multi-purpose forensic operating system | |
Registry Recon | Windows | proprietary | 2.0.0.0530 | Forensics tool that rebuilds Windows registries from anywhere on a hard drive and parses them for deep analysis. |
EnCase | Windows | proprietary | 7.09 | Multi-purpose forensic tool |
EPRB | Windows | proprietary | 1435 | Set of tools for encrypted systems & data decryption and password recovery |
Windows Forensic Toolchest - Fool Moon | Windows | proprietary | 3.0.0.7 | Structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information. |
FTK | Windows | proprietary | 5.1.1 | Multi-purpose tool, commonly used to index acquired media. [1] |
PlatformAuditProbe - AppliedAlgo | Windows | freeware | 1.6 | Multi-purpose forensic operating system |
PTK Forensics | LAMP | proprietary | 2.0 | GUI for The Sleuth Kit |
The Coroner's Toolkit | Unix-like | IBM Public License | 1.19 | A suite of programs for Unix analysis |
COFEE | Windows | proprietary | n/a | A suite of tools for Windows developed by Microsoft, only available to law enforcement |
The Sleuth Kit | Unix-like/Windows | IPL, CPL, GPL | 4.1.2 | A library of tools for both Unix and Windows |
Categoriser 4 Pictures[2] | Windows | freeware | 4.0.2 | Image categorisation tool develop, available to law enforcement |
Open Computer Forensics Architecture | Linux | LGPL/GPL | 2.3.0 | Computer forensics framework for CF-Lab environment |
SafeBack[3] | N/a | proprietary | 3.0 | Digital media (evidence) acquisition and backup |
Windows To Go | n/a | proprietary | n/a | Bootable operating system |
Wireshark | cross-platform | freeware | n/a | Open-source packet capture/analyzer, backend library used is [win]pcap. |
Nuix / Proof Finder | Windows | proprietary | 5.0.4 | Forensic analysis & fraud prevention software. Full text search, extracts emails, credit card numbers, IP addresses, URLs. Skin tone analysis. Support for ingesting Windows, Mac OS, Linux and mobile device data. |
Netherlands Forensic Institute / Xiraf[4] | n/a | proprietary | n/a | Computer-forensic online service. [5] |
Memory forensics
Memory forensics tools are used to acquire and/or analyze a computer's volatile memory (RAM). They are often used in incident response situations to preserve evidence in memory that would be lost when a system is shutdown, and to quickly detect stealthy malware by directly examining the operating system and other running software in memory.
Name | Vendor/Sponsor | Platform | License |
---|---|---|---|
WindowsSCOPE | BlueRISC | Windows | proprietary |
Volatililty | Volatile Systems | Windows & Linux | Free (GPL) |
Mobile device forensics
Mobile forensics tools tend to consist of both a hardware and software component. Mobile phones come with a diverse range of connectors, the hardware devices support a number of different cables and perform the same role as a write blocker in computer devices.
Name | Platform | License | Version | Description |
---|---|---|---|---|
Cellebrite Mobile Forensics[6] | Windows | proprietary | Universal Forensics Extraction Device - Hardware and Software | |
Secure View Mobile Forenscis Software[6] | Windows | proprietary | Hardware/Software package | |
Radio Tactics Aceso[6] | Windows | proprietary | "All-in-one" unit with a touch screen | |
Paraben Device Seizure[6] | Windows | proprietary | Hardware/Software package | |
MicroSystemation XRY/XACT[6] | Windows | proprietary | Hardware/Software package, specialises in deleted data | |
Oxygen Forensic Suite (former Oxygen Phone Manager[6]) | Windows | proprietary | Smart forensics for smartphones | |
Elcomsoft iOS Forensic Toolkit (EIFT) | Windows, Mac | proprietary | Acquires bit-precise images of Apple iOS devices in real time | |
Elcomsoft Phone Password Breaker (EPPB) | Windows | proprietary | Enables forensic access to password-protected backups for smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms, | |
MOBILedit! Forensic[6] | Windows | proprietary | Hardware-Connection kit/Software package |
Other
Name | Platform | License | Version | Description |
---|---|---|---|---|
HashKeeper | Windows | free | n/a | Database application for storing file hash signatures |
Evidence Eliminator | Windows | proprietary | 6.03 | Anti-forensics software, claims to delete files securely |
DECAF | Windows | free | n/a | Tool which automatically executes a set of user defined actions on detecting Microsoft's COFEE tool |
References
- ^ http://www.accessdata.com/support/product-downloads/ftk-download-page
- ^ Sanderson, P (2006). "Mass image classification". Digital Investigations. 3 (4): 190–195. doi:10.1016/j.diin.2006.10.010.
{{cite journal}}
:|access-date=
requires|url=
(help); Unknown parameter|month=
ignored (help) - ^ Mohay, George M. (2003). Computer and intrusion forensics. Artechhouse. p. 395. ISBN 1-58053-369-8.
- ^ Bhoedjang, R; et al. (2012). "Engineering an online computer forensic service". Digital Investigations. 9 (2): 96–108. doi:10.1016/j.diin.2012.10.001.
{{cite journal}}
: Explicit use of et al. in:|last=
(help); Unknown parameter|month=
ignored (help) - ^ http://www.forensicinstitute.nl/products_and_services/forensic_products/xiraf/
- ^ a b c d e f g Mislan, Richard (2010). "Creating laboratories for undergraduate courses in mobile phone forensics". Proceedings of the 2010 ACM conference on Information technology education. ACM: 111–116. Retrieved 29 November 2010.
Among the most popular tools are products named MicroSystemation GSM .XRY and .XACT, Cellebrite UFED, Susteen Secure View2, Paraben Device Seizure, Radio Tactics Aceso, Oxygen Phone Manager, and Compelson MobilEdit Forensic