
IT 4100 : Forensics

Overview

Dr Joe Francom (Dixie State University)

Forensics

Forensics comprises four activities:

  • Collection
  • Preservation
  • Examination
  • Presentation

Capturing

  • Don't touch the suspect drive. You need to be able to show it hasn't been tampered with.
  • Document everything you do.
  • Secure the evidence.

Capture information (collection)

  • dd
    • man dd

Plenty of free images to analyze are available at http://dftt.sourceforge.net/, or we can create our own.

An image can be mounted with sudo mount -o loop img.iso ./mountpoint (add ro to the options so the mount cannot write to the evidence).

Preservation

  • checksums
    • md5
    • man md5sum
    • others exist, like sha1sum, sha256sum, ...
  • hashdeep (computes several hashes at once and can audit a set of files against a known list)
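The collection and preservation steps above (image with dd, then hash and later re-check the image) as one added example; this is not code from the slides or from any of the tools named. It copies a source file block by block the way dd does, hashes the bytes as they stream past, records the digests in a simple manifest, and later re-hashes the image to detect modification. The "device" is a constructed file in a temporary directory, and the chunk size, manifest layout and file names are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # assumed block size, the counterpart of dd's bs= option
ALGORITHMS = ("md5", "sha1", "sha256")  # three common digests, as hashdeep-style tools record several at once


def acquire(source_path, image_path):
    """Copy source_path to image_path block by block (what `dd if=... of=...` does)
    and return hex digests computed over the bytes as they are copied, so the
    source is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path):
    """Hash an existing file with the same algorithms (like running md5sum,
    sha1sum and sha256sum over it)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(manifest_path, digests, image_name):
    """Record the digests beside the image name as one comma-separated line
    (a constructed layout, not any tool's real format)."""
    with open(manifest_path, "w") as f:
        f.write(",".join(digests[a] for a in ALGORITHMS) + "," + image_name + "\n")


def audit(manifest_path, image_path):
    """Recompute the image's digests and compare them with the manifest.
    Returns True only if every recorded digest still matches."""
    with open(manifest_path) as f:
        fields = f.readline().rstrip("\n").split(",")
    recorded = dict(zip(ALGORITHMS, fields))
    return hash_file(image_path) == recorded


def acquire_from_bytes(data):
    """Treat `data` as the contents of a source device, image it, and return the digests."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")
    with open(source, "wb") as f:
        f.write(data)
    return acquire(source, os.path.join(workdir, "image.dd"))


def demo():
    """Image a constructed source, audit the copy, then modify one byte and
    audit again. Returns (audit_ok_before, audit_ok_after)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")
    image = os.path.join(workdir, "image.dd")
    manifest = os.path.join(workdir, "image.hashes")
    with open(source, "wb") as f:
        f.write(b"\x00" * 1000 + b"evidence" + b"\xff" * 9000)  # constructed disk contents
    digests = acquire(source, image)
    write_manifest(manifest, digests, "image.dd")
    before = audit(manifest, image)
    with open(image, "r+b") as f:  # simulate someone touching the image
        f.seek(1000)
        f.write(b"E")
    after = audit(manifest, image)
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Hashing during the copy means the digests describe exactly what was read from the source; keeping the manifest separate from the image is what lets a later audit show whether the copy you are examining is still the one you collected.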

What is data carving?

Data carving is a data recovery search technique. It allows users to recover data with no file system allocation information by identifying the clusters and sectors belonging to the file. Data carving searches through the raw sectors looking for specific desired file signatures. Having no allocation information means that the investigator must specify a block size of data to carve out when a matching file signature is located. Given this, the beginning of the file is still present and there is a risk of numerous false hits. Data carving also requires that the recovered files be located in sequential sectors, as there is no allocation information to point to fragmented file portions. This method can be time and resource intensive. (ref)

Tools to data carve

  • example file

  • another

  • foremost

    foremost -t all -i image.dd

  • magicrescue: recipes live in /usr/local/share/magicrescue/recipes; a typical invocation is:

    magicrescue -r jpeg-jfif -r jpeg-exif -d outputdir 11-carve-fat.dd

How does it work?

https://www.file-recovery.com/jpg-signature-format.htm

If we don't know a file type's signature, we can't carve it: the carver only ever finds what it has been told to look for.
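The definition of data carving above and the "how does it work" point are illustrated by this added example of a minimal signature-based carver; it is not code from the slides, foremost or magicrescue. The raw image is constructed in memory and contains a small JFIF-like JPEG, a PNG, and a stray JPEG header with no trailer. The signature table holds only JPEG, so the PNG is deliberately not recovered until its signature is added, and the stray header produces an incomplete carve of the maximum block size, which is the false-hit behaviour the definition describes. The size cap and sample bytes are assumptions.

```python
# Constructed sample contents: a minimal JFIF-like JPEG and a PNG with correct magic bytes.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 100 + b"\xff\xd9"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x22" * 100 + b"IEND\xae\x42\x60\x82"
FILLER = b"\x00" * 512  # unallocated space between files

SIGNATURES = {
    # type: (header, footer, maximum carve size). The cap is an assumed value;
    # it plays the role of the per-type size limit in a carver's configuration.
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 64 * 1024),
}
PNG_SIGNATURE = (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 64 * 1024)


def build_image():
    """A raw 'disk image': JPEG, PNG, then a stray JPEG header with no trailer (a false hit)."""
    return FILLER + JPEG_SAMPLE + FILLER + PNG_SAMPLE + FILLER + b"\xff\xd8\xff" + FILLER


def carve(image, signatures=SIGNATURES):
    """Return a list of (type, offset, data, complete) tuples sorted by offset.

    For every header hit the footer is searched for within max_size bytes. If
    it is found, the bytes from header to footer are carved; otherwise
    max_size bytes are taken and the hit is flagged incomplete. Nothing else
    guides the carve: there is no allocation information, so only files stored
    in consecutive sectors come out whole."""
    results = []
    for name, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            window_end = min(start + max_size, len(image))
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                data, complete = image[start:window_end], False
                pos = start + len(header)  # keep scanning inside the window
            else:
                data, complete = image[start:end + len(footer)], True
                pos = start + len(data)  # skip past the carved file
            results.append((name, start, data, complete))
    results.sort(key=lambda r: r[1])
    return results


if __name__ == "__main__":
    image = build_image()
    for name, offset, data, complete in carve(image):
        print(f"{name} at offset {offset}: {len(data)} bytes, complete={complete}")
    print("with PNG signature added:")
    for name, offset, data, complete in carve(image, dict(SIGNATURES, png=PNG_SIGNATURE)):
        print(f"{name} at offset {offset}: {len(data)} bytes, complete={complete}")
```

Running it with the JPEG-only table yields two "jpg" hits: the real file, carved exactly, and the stray header, carved as an oversized incomplete block that a real investigation would have to weed out. Adding the PNG signature is all it takes for the PNG to appear, which is the practical meaning of "no signature, no file".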

Anti-forensics tools

  • wipe
    • man wipe
  • truecrypt