Intro to Cyber Crime and Computer Forensics CS 4273/6273 October 5, 2005 - PowerPoint PPT Presentation
Slides: 21
Provided by: rayva9
Transcript and Presenter's Notes
1
Intro to Cyber Crime and Computer Forensics CS
4273/6273 October 5, 2005
MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF
COMPUTER SCIENCE
2
Introduction to the EnCase Investigative Software
3
EnCase
  • Guidance Software
  • Pasadena, California
  • Resources include
      • Software
      • Message Board
      • Web Site Update Section
      • EnCase Legal Journal
  • First Developed 1998

4
Windows Based Forensics
  • Forensic Data Acquisition and Analysis
  • Based on the Specifications of the Law
    Enforcement Community
  • Provides a mechanism for conducting and
    documenting searches of computer hardware.
  • Completely Non-Invasive

5
Limitations of Earlier Technology
  • Before EnCase
      • Separate programs had to be used to image, store,
        and verify the integrity of data.
      • Manual journals had to be kept to list hash
        values and all notes about the investigation.
      • This sometimes required days of lab time.

6
The New Legal Standard
  • Courts in the U.S. provide a presumption of
    authenticity to computer evidence processed or
    generated by software or systems shown to be
    standard within the industry.
  • EnCase is one of the de facto standard tools in
    the community.
  • Used by over 500 law enforcement agencies around
    the country.
  • Also used by many private agency investigators.

7
Features of EnCase 3.0
  • Reads any IDE or SCSI hard drive or CD-ROM and
    saves an exact image to disk.
  • Uses CRC and MD5 hashes
  • Password protection of evidence
  • View the entire drive image, including hidden and
    free space.
  • Search image for keywords.
  • View files with changing state of the file.
  • Treats list of sectors on the hard drive as flat
    array of sectors. No discussion of heads,
    cylinders and sectors.

8
Continued
  • Analyze file and folder structure on all media
    using
      • FAT-12 Floppies
      • FAT-16 Windows 95
      • FAT-32 Windows 98
      • NTFS Windows NT, 2000, XP
      • HFS, HFS
      • CD Compact Disks
      • EXT2 Linux
      • UFS Unix

9
Continued
  • Combine any number of Evidence Files to create a
    Case.
  • Through a single examination,
      • View, search and sort evidence in all files
        within the case.
  • Records all evidence searches and bookmarks in a
    typeset report.

10
Continued
  • Analyze and authenticate file signatures
  • Allows investigator to build and use Hash
    Libraries to identify known files.
  • Has a built-in gallery view that enables rapid
    isolation and bookmarking of suspect graphic
    files.
  • Has a macro language that allows complex tasks to
    be automated.
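Signature analysis and hash-library lookup, the two features above, as an added example written for this page (not EnCase code): the magic-number table, the sample files and the hash library are all constructed inline, and a JPEG renamed to `.txt` is the case the signature check is meant to catch.

```python
import hashlib
import os

# Constructed magic-number table: header bytes -> extension they imply.
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
}
EXT_ALIASES = {"jpeg": "jpg"}

def signature_analysis(name: str, data: bytes) -> str:
    """'match' when header and extension agree, 'mismatch' when the
    header says one type and the extension another (a renamed file),
    'unknown' when the header is not in the table."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = EXT_ALIASES.get(ext, ext)
    for magic, sig_ext in SIGNATURES.items():
        if data.startswith(magic):
            return "match" if ext == sig_ext else "mismatch"
    return "unknown"

def hash_lookup(data: bytes, library: dict) -> str:
    """Hash-library lookup by MD5: 'known' (e.g. a stock OS file that can
    be skipped), 'notable' (of interest), or 'unlisted'."""
    return library.get(hashlib.md5(data).hexdigest(), "unlisted")

# Constructed sample files standing in for entries in an evidence file.
SAMPLES = {
    "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,
    "notes.txt": b"\xFF\xD8\xFF\xE0" + b"\x01" * 16,   # JPEG renamed to .txt
    "readme.txt": b"plain text with no recognised header",
    "system.dll": b"MZ" + b"\x90" * 30,
}
# Constructed hash library: one stock file, one file of interest.
HASH_LIBRARY = {
    hashlib.md5(SAMPLES["system.dll"]).hexdigest(): "known",
    hashlib.md5(SAMPLES["notes.txt"]).hexdigest(): "notable",
}

def triage(samples=SAMPLES, library=HASH_LIBRARY) -> dict:
    """Run both checks over every file; a renamed image that is also in
    the 'notable' set is the kind of hit an examiner bookmarks."""
    return {n: (signature_analysis(n, d), hash_lookup(d, library))
            for n, d in samples.items()}
```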

11
Continued
  • Provides ability to acquire and preview over
    network cable.
  • Built-in viewers for
      • Registry files
      • Zip files
      • DBX files (Outlook Express)
  • Acquires Palm PDAs and RAIDs (Redundant Array of
    Inexpensive Disks)

12
Evidence Files
  • Central component of EnCase methodology
  • Consists of
      • Header
      • Checksum and data blocks
      • MD5 block

[Diagram of the evidence file layout; labels: Case Info, CRC, 64 sectors of data, MD5]
13
Image Verification
  • Compute a CRC for each sector in the evidence
    file, and use that to verify that each block has
    not changed. Any deviations are noted in the
    Case File.
  • Automatic background process that happens every
    time another evidence file is added to the case.
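A simplified model of the evidence-file layout on the previous slide and of the verification step described here, added as an example for this page rather than EnCase's real file format: an assumed header carries the Case Info, each block of 64 sectors of data is followed by its CRC-32, and an MD5 of the whole image closes the file, so a single corrupted byte is pinned to one block and also fails the MD5.

```python
import hashlib
import struct
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR          # 64 sectors of data per block, as on the slide

def build_evidence(raw: bytes, case_info: bytes) -> bytes:
    """Pack raw disk data into a toy container (assumed layout, not EWF):
    header = two lengths + Case Info, then each block followed by its
    CRC-32, then a 16-byte MD5 over the whole raw data."""
    header = struct.pack("<II", len(case_info), len(raw)) + case_info
    body = b"".join(
        raw[off:off + BLOCK] + struct.pack("<I", zlib.crc32(raw[off:off + BLOCK]))
        for off in range(0, len(raw), BLOCK)
    )
    return header + body + hashlib.md5(raw).digest()

def verify_evidence(img: bytes):
    """Recompute every block CRC and the trailing MD5.
    Returns (md5_ok, [indexes of blocks whose CRC did not match])."""
    ci_len, raw_len = struct.unpack_from("<II", img, 0)
    pos = 8 + ci_len
    data, bad, idx = bytearray(), [], 0
    while len(data) < raw_len:
        n = min(BLOCK, raw_len - len(data))      # last block may be short
        chunk = img[pos:pos + n]
        (stored,) = struct.unpack_from("<I", img, pos + n)
        if zlib.crc32(chunk) != stored:
            bad.append(idx)
        data += chunk
        pos += n + 4
        idx += 1
    md5_ok = img[pos:pos + 16] == hashlib.md5(bytes(data)).digest()
    return md5_ok, bad

def flip_byte(img: bytes, offset: int) -> bytes:
    """Simulate one corrupted byte inside the image."""
    return img[:offset] + bytes([img[offset] ^ 0xFF]) + img[offset + 1:]

if __name__ == "__main__":
    raw = bytes(range(256)) * (200 * SECTOR // 256)   # constructed 200-sector "drive"
    img = build_evidence(raw, b"Case 001")
    print(verify_evidence(img))                        # (True, [])
    tampered = flip_byte(img, 8 + len(b"Case 001") + BLOCK + 4 + 10)  # inside block 1
    print(verify_evidence(tampered))                   # (False, [1])
```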

14
EnCase for DOS
  • Used for Imaging Subject Computers
  • Insert boot disk in subject machine and turn it
    on.
  • Boot to the DOS prompt and type en
  • A DOS interface will appear that will show
    physical drives on the left and logical drives on
    the right.
  • Imaging can now be done through network cable or
    laplink cable.

15
Previewing
  • Similar to acquiring but much faster.
  • Allows the investigator to view the data as if it
    had been acquired, but with no record keeping.
  • Primarily used for deciding whether to pursue a
    full investigation.
  • Not possible to preview safely. Hard drive will
    change due to swap file activity.
  • Never investigate a previewed drive.

16
Acquisitions
  • Parallel Port Cable Acquisitions
      • Windows
      • DOS
  • Network Cable Acquisitions
      • Using provided cross-over network cable.
  • Drive to Drive in DOS
      • Subject and Target Drives both connected to the
        same motherboard.

17
Continued
  • Acquiring RAIDs (DOS Mode)
      • Hardware array controlled by the RAID controller
        card.
      • Software array controlled by the operating
        system.
  • Acquiring PDAs (Windows Mode)
      • Palms supported: III, V, VII, M100, M105,
        Handspring (Neo, Prism, Edge, Pro)

18
Continued
  • Acquiring Zip Disks DOS
  • Acquiring Jaz Disks DOS
  • Acquiring Floppy Disks DOS or Windows
  • Other Media as long as driver software is
    available.

19
Investigating with EnCase
  • Acquire each subject drive and place in
    individual evidence files.
  • Create a new Case File.
  • Add evidence files into case one at a time.
  • Can also use raw image files like those created
    by other utilities.
  • Recover folders using the recover folders
    command.
  • Run Signature Analysis by running a search.

20
EnCase Message Board
  • http://www.EnCase.com
  • Exchange Ideas
  • Ask questions
  • Provide Answers
  • Discussions of all kinds
  • Requires username and password to prevent
    criminal access.