AccessData
Developing Computer Forensics
Solutions for Terabyte Investigations
Eric Thompson
AccessData Corporation
Orem, Utah USA
www.accessdata.com
Overview
• Computer Forensics – Definition, Objectives and Policies
• History of computer growth and the growth of computer forensics
• Problems facing computer forensics examiners both today and in the next several years
• AccessData computer forensics tools
• IT Security
• Intrusion Detection
• Incident Response
• Electronic Discovery
• IT Intelligence Gathering
Intrusion Incident Time Line
• Pre-Incident Preparation (IT Security)
• Incident (Intrusion Detection)
• Post-Incident Analysis (Computer Forensics)
• Post-Incident Recovery
Computer Forensics Objectives and Policies
• Computer Forensics:
– Emphasis is placed on data preservation.
– Hard drive data is preserved in hard drive “image” files.
– Hard drive write-blocking devices are used to prevent accidental changes to the evidence.
– Hash values are used as fingerprints or digital “DNA”.
• Discovery must be reproducible.
• Computer forensics experts must follow rules for handling evidence.
• Care must be taken during site triage not to contaminate computer data.
– Accidental contamination of computer data can make evidence inadmissible.
– Accidental modification of date and time stamps.
– Booting a MS Windows system will alter hard drive contents.
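As an added illustration of hashes as digital “DNA” and of reproducible discovery (example code, not from the slides): the script hashes a drive image in fixed-size chunks so a terabyte image is never held in memory, records the value, and re-verifies it; a single changed byte, such as an accidentally rewritten date stamp, yields a different hash. SHA-256 and the 4 KiB image contents are assumptions of the example, since the slides name no algorithm.

```python
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads, so a terabyte image is never held in memory


def image_hash(stream, algorithm="sha256"):
    """Hash a drive image from a binary stream, chunk by chunk.
    Deterministic: an untouched image reproduces the acquisition-time value."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Convenience wrapper for in-memory data (small images, test vectors)."""
    return image_hash(io.BytesIO(data), algorithm)


def verify_image(stream, recorded_hash, algorithm="sha256"):
    """True if the image still matches the hash recorded at acquisition."""
    return image_hash(stream, algorithm) == recorded_hash


def contamination_demo():
    """Constructed 4 KiB image: fake boot sector plus one 2-byte date field.
    Returns (acquisition hash, re-verified hash, hash after the date changes)."""
    image = bytearray(b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 4085)
    image[2048:2050] = b"\x21\x2b"  # constructed FAT-style date stamp

    acquisition = image_hash(io.BytesIO(image))
    reverified = image_hash(io.BytesIO(image))  # untouched: identical value

    # Booting the system or opening the file rewrites the date stamp.
    contaminated = bytearray(image)
    contaminated[2048] = 0x22
    after_boot = image_hash(io.BytesIO(contaminated))
    return acquisition, reverified, after_boot


if __name__ == "__main__":
    a, r, c = contamination_demo()
    print("acquisition :", a)
    print("re-verified :", r, "MATCH" if a == r else "MISMATCH")
    print("after boot  :", c, "MATCH" if a == c else "MISMATCH")
```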
The Need for Computer Forensics
• IT Network Security – Post-incident research (after the network is repaired and the security hole patched) gathers the information needed to legally prove:
– Who attacked the network.
– How the network was attacked.
– What information may have been compromised.
• Investigate and document questionable behavior of employees, including use / abuse of the computer or company network.
• Processing a computer that is incidental to a crime:
– Crimes including illegal weapons, drug trafficking, illegal pornography, anarchy.
• Storage space is limited. Data is stored primarily on 3 ½ and 5 ¼ floppy disks. Average hard drives are small, <100 meg.
• Forensics tools are DOS based. Norton’s DiskEdit and Mace Utilities are the primary investigative tools of choice.
• The operating system is DOS and therefore does not require HD write protection.
• Large cases involve 10,000+ files.
• Computer forensics experts have little to no formal training.
• 1989 – Ron Eatinger starts the Computer Investigative Specialist program at the University of North Texas, later moved to FLETC.
• 1991 – IACIS (International Association of Computer Investigative Specialists) holds its first conference in Portland, Oregon.
• Software applications with encryption are easily broken.
Computer Forensics 1992-1995
• Storage space is still limited. Iomega Zip disks are replacing floppy disks as removable media. Average hard drives are relatively small, <500 Meg.
• Microsoft Windows gains momentum with Windows 3.11 and Windows 95.
• Most investigations still involve only one computer.
• Large cases involve 100,000+ files.
• Increased activity at FBI, FLETC and IACIS to train US law enforcement agents to become computer forensics experts.
• Most commercial applications with encryption are easily breakable; however, the underground community starts to use PGP (free military-grade encryption).
• Computer forensics tools are still predominantly DOS based but are now optimized for high-speed searching and data reconstruction.
Computer Forensics 1995-1999
• Hard drive storage space grows rapidly. Average hard drives are several gigs.
• Microsoft dominates PCs with Windows 95 and Windows 98.
• Many investigations start to involve more than just one computer.
• Large cases involve 1,000,000+ files.
• Increased international interest in computer forensics tools and training.
• Microsoft introduces 40-bit encryption in its Office products. A single computer needs several months to “break” a single file.
• Introduction of specialized GUI computer forensics tools such as Expert Witness and EnCase. Both tools are based on a Windows Explorer model.
Computer Forensics 2000 - 2004
• Hard drive storage space continues to grow rapidly. Average hard drives are 40 - 100 gigs.
• Microsoft continues its dominance with Windows 2000 and Windows XP. Linux gains momentum.
• Many investigations now involve 5 or more computers. Some investigations involve 50+ computers.
• Large cases involve 10,000,000+ files.
• Increased international interest in computer forensics.
• In the year 2000 the US Government demilitarized encryption. 128-bit encryption is adopted by Microsoft and many others.
• AccessData introduces its computer forensics tool, built upon a database rather than on Windows Explorer.
• Hard drive storage space will continue to grow. Personal computers will soon have terabyte hard drives.
• Microsoft’s next generation OS will encrypt all user data automatically via EFS (128-bit encryption). Linux will continue to gain momentum.
• Investigations will involve 25+ electronic devices: personal computers, PDAs, Internet storage, digital cameras, USB thumb drives.
• Large cases will soon involve 100,000,000 files.
• Internet file sharing simplifies the exchange of digital contraband.
• Removable media will soon be able to store several gigs.
Some Problems Facing Computer Forensics Examinations in the Future
• How long will it take traditional forensics software to process 100 million files?
– A single PC hashing and processing 250 files per second will take over 5 days to process 100 million files.
• How long will it take a PC to perform a live search of 1 terabyte of data?
– At the rate of 10 Meg per second it will take more than a day to complete a single search.
• Problems once encryption is always active in the file system:
– No decryption keys … no data.
– File slack and unallocated space will be gibberish.
– High-speed hardware and software searches will be frustrated because data must be decrypted before searching can take place.
Developing Future Computer Forensics Solutions
• Windows Explorer based tools will continue to be needed for field triage work.
• Forensics tools for the lab will be built on relational database technology (Interbase, Microsoft SQL, Oracle, etc.).
• Distributed computing will automate the processing of numerous hard drive images.
• Data searching performed via pre-built index tables.
• Decryption technology seamlessly integrated into forensics tools.
• Password recovery and code breaking performed by large distributed networks (200+ machines).
• Computer forensics performed by forensics examiners - investigation performed by investigators.
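To show why pre-built index tables change the cost of searching terabyte cases, here is an added example (not AccessData’s code): one indexing pass tokenizes each file and stores per-file hashes beside the token table as a toy case database, after which keyword queries become table lookups rather than a fresh pass over every byte, shown side by side with the traditional live scan. The evidence files, the tokenizer and the use of MD5 as the fingerprint are constructed assumptions of the example.

```python
import hashlib
import re
from collections import defaultdict

TOKEN = re.compile(rb"[A-Za-z0-9_@.]{3,}")  # crude word splitter (assumption)

# Constructed evidence standing in for a drive image: path -> raw bytes
EVIDENCE = {
    "C:/Users/jdoe/mail/out.txt": b"Send the wire to account 4417 before Friday",
    "C:/Users/jdoe/notes.txt": b"password for vpn is reset Friday",
    "C:/Windows/System32/calc.exe": b"MZ\x90\x00 this program cannot be run in DOS",
    "D:/share/invoice_4417.pdf": b"%PDF-1.4 invoice 4417 wire transfer",
}


def build_case_db(evidence):
    """The one expensive pass over every byte, done once at processing time.
    Returns (index, hashes): token -> set of paths, and path -> MD5 fingerprint
    (MD5 is this example's choice; the slides name no algorithm)."""
    index = defaultdict(set)
    hashes = {}
    for path, data in evidence.items():
        hashes[path] = hashlib.md5(data).hexdigest()
        for tok in set(TOKEN.findall(data)):
            index[tok.decode("ascii", "ignore").lower()].add(path)
    return dict(index), hashes


def indexed_search(index, *terms):
    """AND query answered from the table alone; no file content is reread."""
    hits = [index.get(t.lower(), set()) for t in terms]
    return sorted(set.intersection(*hits)) if hits else []


def live_search(evidence, *terms):
    """The traditional approach: rescan every byte of every file per query."""
    wanted = [t.lower().encode() for t in terms]
    return sorted(p for p, d in evidence.items()
                  if all(w in d.lower() for w in wanted))


if __name__ == "__main__":
    idx, hashes = build_case_db(EVIDENCE)
    print("indexed:", indexed_search(idx, "wire", "4417"))
    print("live   :", live_search(EVIDENCE, "wire", "4417"))
    for path, digest in hashes.items():
        print(digest, path)
```

Note the trade-off: the live scan also matches fragments inside longer words, while the index answers only whole-token queries it has already seen.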
[Architecture diagram, labels only]
• Input - HD Images
• Forensics Processing SQL Database
• Output - Case Database
• Distributed Processing of Evidence (10+ computers)
• Password Recovery: LAN/WAN clients, 200+ machines, Distributed Code Breaking
• GUI Investigation Tool