CIS Project 1 February 13, 2017 Jerad Godsave

Transcription

1 CIS Project 1 February 13, 2017 Jerad Godsave Part 1) a) Below are a few screenshots indicating verification that the original evidence and the newly created.e01 forensic image match:

2 Part 1) b) The matter of verifying an image's digital fingerprint is essential when compiling a forensic image. If a disk has indeed been copied with an imaging tool, you must preserve the image files. A digital hash is a way of uniquely identifying file data. A specific hash value the digital fingerprint will be generated by a forensic hashing algorithm to ensure bit or byte alteration has not occurred in the process of collecting data. The value inherent in verification is the component of data integrity known as accuracy. Accuracy is essential when investigating digital data as tampering file contents can alter and even compromise a forensics investigation and further, credibility of evidence diminishes. Part 1) c) After creating a directory listing from FTK Imager there is attribution that is revealing of metadata related to the image file in this case, the forensic image. The metadata of the image file has a directory listing including such attributes as the file name, file path, size (in bytes), 'created' field, 'modified' field, 'accessed' field, and an 'Is deleted' field. A directory listing may be useful in discovering evidentiary material for a particular case, providing a summary of instances and interactions with the data therein. During the discovery phase of a case, this material may open up new lines of questioning or insight to the investigator to sort through. Part 2) a) Below is a screenshot displaying the Raw/DD formatted image conversion verification results to confirm the.e01 and Raw/DD formatted images match via hash results: Part 2) b) There exist both advantages and disadvantages using a raw/dd image compared to an E01 formatted forensic image.the advantages include: fast data transfers capability to ignore minor data read errors on the source drive a universal acquisition format The disadvantages of utilizing a raw/dd image format include: it requires as much storage space as the original disk or data set

3 some format tools may not collect marginal (bad) sectors on source drives resulting in a low threshold of retry reads on weak spots performing a validation check with hashing functions create a separate file Whichever format is chosen depends on the constraints of the case and the available resources to complete a forensic investigation. Part 3) a) After mounting the raw forensic image flash drive, the dcfldd utility was used to generate a hash on the fly along with writing of the image to the larger of the two flash drives. Below is displayed the command used to generate the image copy and the hash function writing it to a text file: Part 3) b) The difference between imaging "/dev/sdc" vs. "/dev/sdc1" is a difference of context. One is to utilize "/dev/sdc" when refering to an entire drive. One is to utilize "/dev/sdc1" or "/dev/sdc#" when acquiring a specific partition on the drive. Part 3) c) The forensic image has completed. Below is a calculation of the MD5 hash using the md5sum command and the redirection to a text file.

4 Part 3) d) After reviewing both of the MD5 hashes of the small flash drive using the "cat" command, the hashes do indeed match, meaning the digital hexadecimal code value was not different. This consistency informs the investigator that based on the contents of the image, a single bit or byte has not changed in any files on the image, since doing so would alter the hash value as the hash value verifies the integrity of the digital evidence obtained. Part 4) a) Below is a screenshot of the MD5 hash output from Winhex of the small thumb drive which now includes only a text file. The hash calculated results in the following hexadecimal hash output: A67A1AA2531DAD0E B20.

5 Part 4) b) The hashes calculated before unplugging the thumb drive and after plugging the thumb drive do not match. After plugging the thumb drive in, the resulting hash value was: DCC348760C4BE63B3E778FE83577E935. It can be concluded that some alteration of the data contained on the image is altered or some alteration of the image itself. It is possible to surmise then that writing to the flash drive occurs after plugging in a device. This has ramifications in an investigation and careful consideration should be made prior to plugging in evidence for a forensic investigation. Part 4) c) After enabling read-only/write-blocking for USBs, it is discovered that the generated hash values differ and that it was not possible to upload any files to the USB stick. The hash value generated post-write-blocking configuration is: 81944AC29FBA7B9CBD18AC5A3A70E5AA. The tool is not 100% forensically sound. In order for 100% assuredness, a commercial USB hardware write blocker must be purchased. However, the process is not forensically sound. A USB mass storage devices that are already mounted as writeable will stay writeable until they are removed and reinserted. One should have a contingency plan to ensure that one obtains a forensically sound acquisition by making two acquisitions if there is enough data storage. The first acquisition should be compressed, and the second should be uncompressed. If one acquisition becomes corrupt, the other one is available for analysis. Part 5) a) There exist both advantages and disadvantages to both FTK Imager and dcfldd command tool to create a forensic image. Among the advantages of utilizing "FTK Imager", include: highly stable and fast, comprehensive processing and indexing up front, supports distributed processing, access to the Windows Registry where compromise is often found, and additional plug-ins due to its extended support and feature rich toolset. Disadvantages of utilizing "FTK Imager", include: less control of the process, support only on a Windows based device, limited command line support, and inability to read segmented file extensions starting with.000 resulting in renaming files incrementally. Advantages of linux command line tool "dcfldd", include: integrated validation options integrated such as hash and hashlog, development by the Department of Defense Forensic Computing laboratory, tighter control over process and segmentation with forensic imaging, support for a Windows executable, and quick formatting over mounted vs. unmounted images/flash drives. Disadvantages of "dcfldd" command tool, include: possibility of entering an infinite loop when a faulty sector is encountered, possible misalignment of the data in the image after a faulty sector is encountered on the source drive, and less support since it is not for commercial purposes. Part 5) b) If I were tasked with acquiring a forensic image of a storage device, I would utilize FTK Imager due to the mere reason of possible misalignment of data during the encounter of a faulty sector in dcfldd. With my integrity as an examiner in the field and the data's integrity on the line, FTK Imager is preferrable. In addition, most computers run Windows and it only makes since to have a tool that can sort through the Windows Registry for evidentiary material in an investigation. Part 6) The equipment used for this project include the following software components: AccessData FTK Imager Thumbscrew Software USB Write Blocker Windows 8.1 Pro 64-bit Operating System VMWare Workstation 12 Pro, version build Deft Linux 8.2 version.iso image live running version

6 WinHex 16.7 SR-1 x86 dcfldd command line program based off version of dd found in GNU Coreutils package 7-Zip zip file manager The equipment used for this project include the following hardware equipment: AMD A APU with Radeon HD Graphics 3.2 GHz processor 5.40 GB of usable RAM System type: x64-based processor Two flash drives: 1.85 GB Centon USB device (NTFS formatted), 32 GB Samsung compact flash USB device (NTFS formatted) HP Pavilion series p7-1414pc desktop