Evaluating A Selection of Tools for Extraction of Forensic Data: Disk ...

More documents

Recommendations

Info

Drive Setup: Partition Table: Log highlights: AIR 2.0.0 (Release Date: 17th, Feb 2010) Sector count: 156,301,488 Write blocker: N/A Source hashes MD5 checksum: 69fdef5d5de3a207bc2a04017c38c3fd SHA1 checksum: 9d768ab184ed9a172031f0f7b7f721f2bdf80b59 /dev/sdb: current max LBA: 94,863,828 /dev/sdb: native max LBA: 94,863,828 /dev/sdb: physical max LBA: 156,301,488 /dev/sdb: HPA not set /dev/sdb: DCO set from sector 94,863,828 to 156,301,487 Device Start End #sectors File System /dev/sdb1 63 41945714 41945652 NTFS /dev/sdb2 41945715 94863824 52918110 Ext3 /dev/sdb3 94863825 156296384 61432560 NTFS 271 (DCO) Start DC3DD (md5 sha512): Mon Jul 26 02:57:13 NZST 2010 dc3dd 6.12.4 started at 2010-07-26 02:57:13 +1200 command line: dc3dd hash=md5,sha512 hashlog=/tmp/hash.log status=noxfer if=/dev/sda skip=0 conv=noerror iflag=direct ibs=32768 compiled options: DEFAULT_BLOCKSIZE=32768 sector size: 512 (assumed) md5 TOTAL: 69fdef5d5de3a207bc2a04017c38c3fd sha512 TOTAL: 4ad5009bfc6232521fd893ad7d8cc7e0d592aa5de8cb6904b8d189664656ec517 cc0e31fb57a93d034a3c23498c1494d54e2488835c2b6c3588b3607af48ad5f 94868928+0 sectors in 94868928+0 sectors out dc3dd completed at 2010-07-26 04:16:50 +1200 Command completed: Mon Jul 26 04:16:53 NZST 2010 Start VERIFY: Mon Jul 26 04:16:53 NZST 2010 Command-line: cat /mnt/dconew/new/ST380817AS_DCO_94868928.* | aircounter 2>> /usr/local/share/air/logs/air.buffer.data | dc3dd hash=md5,sha512 hashlog=/tmp/verify_hash.log status=noxfer of=/dev/null VERIFY SUCCESSFUL: Hashes match Orig = md5 TOTAL: 69fdef5d5de3a207bc2a04017c38c3fd sha512 TOTAL: 4ad5009bfc6232521fd893ad7d8cc7e0d592aa5de8cb6904b8d189664656ec517 cc0e31fb57a93d034a3c23498c1494d54e2488835c2b6c3588b3607af48ad5f Copy = md5 TOTAL: 69fdef5d5de3a207bc2a04017c38c3fd sha512 TOTAL: 4ad5009bfc6232521fd893ad7d8cc7e0d592aa5de8cb6904b8d189664656ec517 cc0e31fb57a93d034a3c23498c1494d54e2488835c2b6c3588b3607af48ad5f Command completed: Mon Jul 26 05:50:14 NZST 2010
AIR 2.0.0 (Release Date: 17th, Feb 2010) Results by assertion: AFR-01 PASSED AIC-01 PASSED AHS-02 FAILED AFR-02 PASSED AIC-02 PASSED AHS-03 FAILED AFR-03 PASSED AIC-05 PASSED ALOG-01 PASSED AFR-04 PASSED AIC-06 PASSED ALOG-02 PASSED AFR-05 PASSED AIC-07 PASSED ALOG-03 PASSED AFR-06 FAILED AIC-08 PASSED AFR-07 PASSED AHS-01 FAILED Analysis: Test FAILED to achieve the expected Result. AIR failed to detect and acquire the hidden areas in the hard drive. Dc3dd itself supports hidden areas detection. 3.12. TC-05-DD Test Case TC-05-DD (AIR 2.0.0) Test & Case Summary: Acquire a digital source to an image file in an alternate supported format Notes: The original testing purpose was to acquire a HD image to DD format but error occurred during acquisition. Assertion: AFR-01 The tool accesses the digital source with a supported access interface AFR-02 The tool acquires a digital source AFR-03 The tool operates in an execution environment AFR-04 The tool creates an image file of the digital source AFR-05 The tool acquires all the visible data sectors from the digital source AFR-07 All data sectors acquired from the digital source are acquired accurately. AIC-01 The data represented by an image file is the same as the data acquired by the tool. AIC-02 The tool creates an image file according to the file format the user specified. ALOG-01 If the tool logs any information regarding to the acquisition, the information is accurately logged in the log file. ALOG-02 The tool display correct information about the acquisition to the user. ALOG-03 The tool display correct information regarding to the acquisition to the user and the information displayed is Source Device: Drive Setup: consistent with the log file if the log file function is supported Drive Model: ST380811 AS (80GB) Serial Number: 6PS2CA4Z Sector count: 156,296,385 Write blocker: Tableau Forensic SATA/IDE Bridge IEEE 1394 SBP2 Device Source hashes MD5 checksum: d615c245f1124a2482a5d56ffa8a1c55 Total sectors: 156,296,385 (80GB) /dev/sdb: current max LBA: 156,296,385 /dev/sdb: native max LBA: 156,296,385 272
Page 1 and 2:
Evaluating A Selection of Tools for
Page 3 and 4:
Acknowledgements This thesis has be
Page 5 and 6:
imaging data when building disk ima
Page 7 and 8:
2.3.3.1 dcfldd ....................
Page 9 and 10:
4.3 Research Analysis .............
Page 11 and 12:
List of Tables Table 2.1: Existing
Page 13 and 14:
AI Access Interface AM Access Metho
Page 15 and 16:
SWGDE Scientific Working Group on D
Page 17 and 18:
NetIntercept Network monitoring and
Page 19 and 20:
The aim of this chapter is to provi
Page 21 and 22:
producing unreliable results. Extra
Page 23 and 24:
1.4 CONCLUSION Chapter 1 is concern
Page 25 and 26:
forensic software EnCase and Sleuth
Page 27 and 28:
2.1.2 Investigative Processes And S
Page 29 and 30:
Preparation Collection Examination
Page 31 and 32:
13 Investigative Process Model (Fre
Page 33 and 34:
eaders to have better understanding
Page 35 and 36:
text or hexadecimal format (Adopted
Page 37 and 38:
3. Duplicability and Modifiability
Page 39 and 40:
oth original and duplicate copy of
Page 41 and 42:
Apache web server and Microsoft Int
Page 43 and 44:
forensic tools, process or procedur
Page 45 and 46:
Guo et al. (2009) have proposed a f
Page 47 and 48:
Table 2.4 Mandatory features of Dis
Page 49 and 50:
2.3.3.2 dc3dd Dc3dd is another enha
Page 51 and 52:
area to backup their Proprietary so
Page 53 and 54:
Also, MBR disks only support four p
Page 55 and 56:
Table 2.6 Functionalities of Disk I
Page 57 and 58:
for digital investigation to identi
Page 59 and 60:
studies and discussions, the requir
Page 61 and 62:
answered. Details of data collectio
Page 63 and 64:
experts will be used to narrow down
Page 65 and 66:
anomalies are analysed to identify
Page 67 and 68:
esulting acceptance spectrum can be
Page 69 and 70:
Figure 3.5. Process of evaluation c
Page 71 and 72:
Stage 1 Understand the discipline o
Page 73 and 74:
Testing requirements Selected disk
Page 75 and 76:
Phase 1 Select the software disk im
Page 77 and 78:
connected to the computer using a P
Page 79 and 80:
When the acquired images are saved
Page 81 and 82:
3.4.3 Data Analysis Methods GA is a
Page 83 and 84:
There are many other types of hardw
Page 85 and 86:
Main Research Question Sub Question
Page 87 and 88:
4.1 VARIARTIONS IN RESEARCH SPECIFI
Page 89 and 90:
4.2.1 Testing Environment Two execu
Page 91 and 92:
Using program HDAT2, HPA and DCO ar
Page 93 and 94:
4.2.2.3 TC-03: Acquiring A Hard Dri
Page 95 and 96:
Table 4.7 TC-06 Result Summary Test
Page 97 and 98:
FTK Imager successfully verified th
Page 99 and 100:
Assertions AHS01-03 AFR01-03 AFR01-
Page 101 and 102:
Helix 3 pro was unable to recover t
Page 103 and 104:
Helix 3 Pro was not able to read th
Page 105 and 106:
The method of data analysis is desc
Page 107 and 108:
4.4 PRESENTATION OF FINDINGS A summ
Page 109 and 110:
Pass Rates (%) 100.00% 90.00% 80.00
Page 111 and 112:
Pass Rate (%) 100.00% 90.00% 80.00%
Page 113 and 114:
5.0 INTRODUCTION Chapter 5 Discussi
Page 115 and 116:
tools. For instance, the test case
Page 117 and 118:
their latest FTK Imager release not
Page 119 and 120:
information of the total number of
Page 121 and 122:
Helix 3 Pro presented some usabilit
Page 123 and 124:
Software support is minimum and the
Page 125 and 126:
2.2.4, forensic software validation
Page 127 and 128:
elease version mounts file systems
Page 129 and 130:
and TC-18, AIR has outperformed oth
Page 131 and 132:
6.0 INTRODUCTION Chapter 6 Conclusi
Page 133 and 134:
inconsistent with what is stated in
Page 135 and 136:
eginning of and the end of the disk
Page 137 and 138:
6.4 CONCLUSION The main objective o
Page 139 and 140:
Beebe, N. L., & Clark, J. G. (2005)
Page 141 and 142:
Erbacher, R. F. (2010). Validation
Page 143 and 144:
Kunda, D., & Brooks, L. (1999). App
Page 145 and 146:
Payne, C. (2002). On the Security o
Page 147 and 148:
Smith, R. (2009). Make the most of
Page 149 and 150:
Cases Daubert v. Merrell Dow Pharma
Page 151 and 152:
Appendix 2 - Testing requirements 1
Page 153 and 154:
06 format should contain same data
Page 155 and 156:
Test Cases Description Assertions f
Page 157 and 158:
Assertions for Fundamental Requirem
Page 159 and 160:
TSP-AIC-10 TSP-AIC-11 image file fo
Page 161 and 162:
4.1 Drive Reset (Common in most Tes
Page 163 and 164:
This procedure outlines the process
Page 165 and 166:
7. Keep setting “noerror, sync”
Page 167 and 168:
Appendix 6 - Gap Analysis Matrix 15
Page 169 and 170:
Image Creation (IC) Function Requir
Page 171 and 172:
Appendix 7 - Disk Imaging Tools Tes
Page 173 and 174:
FTK Imager 2.9.0.1385 (Release Date
Page 175 and 176:
Page 177 and 178:
Source Device: Drive Setup: Log hig
Page 179 and 180:
Log highlights: Results by assertio
Page 181 and 182:
1.6 TC-02-FAT16 FTK Imager 2.9.0.13
Page 183 and 184:
Source Device: Drive Setup: Partiti
Page 185 and 186:
Page 187 and 188:
1.10 TC-02-HFS+ FTK Imager 2.9.0.13
Page 189 and 190:
Page 191 and 192:
1.12 TC-03-DCO FTK Imager 2.9.0.138
Page 193 and 194:
1.13 TC-05-DD FTK Imager 2.9.0.1385
Page 195 and 196:
1.14 TC-05-Smart FTK Imager 2.9.0.1
Page 197 and 198:
Page 199 and 200:
Drive Setup: Log highlights: Result
Page 201 and 202:
Results by assertion: FTK Imager 2.
Page 203 and 204:
1.19 TC-10-CorruptImage FTK Imager
Page 205 and 206:
Page 207 and 208:
1.21 TC-11-E01_Smart FTK Imager 2.9
Page 209 and 210:
Page 211 and 212:
Page 213 and 214:
1.25 TC-11-Smart_E01 FTK Imager 2.9
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
Page 221 and 222:
Results by assertion: verified FTK
Page 223 and 224:
Page 225 and 226:
Page 227 and 228:
Helix3 Pro R3 (Release Date: 30 th
Page 229 and 230:
Results by assertion: Helix3 Pro R3
Page 231 and 232:
2.3. TC-02-NTFS Helix3 Pro R3 (Rele
Page 233 and 234:
Page 235 and 236:
Device: Serial Number: 6PS2CA4Z Sec
Page 237 and 238: Partition Table: Log highlights: Re
Page 239 and 240: Log highlights: Results by assertio
Page 241 and 242: Results by assertion: Helix3 Pro R3
Page 243 and 244: Source Device: Drive Setup: Partiti
Page 245 and 246: 2.11. TC-03-DCO Helix3 Pro R3 (Rele
Page 247 and 248: 2.12. TC-05-EnCase6 Helix3 Pro R3 (
Page 249 and 250: 2.13. TC-06-UNC Helix3 Pro R3 (Rele
Page 251 and 252: 2.14. TC-07-InsufficientSpace & TC-
Page 253 and 254: Helix3 Pro R3 (Release Date: 30 th
Page 265 and 266: Drive Setup: Partition Table (GPT d
Page 269 and 270: AIR 2.0.0 (Release Date: 17th, Feb
Page 273 and 274: 3.3. TC-02-NTFS Test Case TC-02-NTF
Page 275 and 276: 3.4. TC-02-Ext2 AIR 2.0.0 (Release
Page 277 and 278: 3.5. TC-02-Ext3 AIR 2.0.0 (Release
Page 279 and 280: 3.6. TC-02-FAT16 Test Case TC-02-FA
Page 285 and 286: Results by assertion: AIR 2.0.0 (Re
Page 287: AIR 2.0.0 (Release Date: 17th, Feb
Page 291 and 292: AIR 2.0.0 (Release Date: 17th, Feb
Page 299 and 300: 3.17. TC-13 Overlapping Partitions
Page 301 and 302: Partition Table: Log highlights: Re
Page 305 and 306: 3.21. TC-16-02 Acquire a GPT disk A
Page 309: Partition Table: Log highlights: Re
show all

Evaluating A Selection of Tools for Extraction of Forensic Data: Disk ...

Create successful ePaper yourself

Delete template?

Save as template?