
Windows Forensic Analysis DVD Toolkit, Essay Example

Pages: 4

Words: 1105

Essay

Analyze the four (4) methods of data acquisition to determine how an investigator selects the appropriate method to use in a given situation.

The four main methods of data acquisition are bit-stream disk-to-image file, bit-stream disk-to-disk, sparse data copy of a file, and sparse data copy of an entire folder. Cloud computing has ushered in a new era of data acquisition that offers the chance for new methods such as Trusted Platform Modules, the management plane, forensics-as-a-service, and legal solutions, which require less trust but entail more extensive cooperation from the cloud service provider. Which of the four main methods is executed depends on the type of computer forensic investigation being implemented. There are three main aspects of computer forensics examinations which require integrity checks. These are archival data, active data, and latent data (NY Computer Science Services, 2012). These three types of data require integrity checks throughout the computer forensic process. Active data represents information that can be utilized directly, and it is the simplest type of data to acquire. Active data entails data files, programs, used files and operating systems. Archival data is stored through a diverse range of methods: hard drives, USB, CD, or even in the form of tapes. Latent data requires tools for access, and it is usually the most difficult to retrieve. The reason latent data is so difficult to retrieve is that it has been deleted or overwritten. Checking the integrity of files, specifically those in the mentioned categories, is the core focus of computer forensics.

Determine how an investigator can plan for hardware, software, and / or general failures during data acquisition.

In some cases, computer forensics involves the search for evidence before an actual crash occurs, as opposed to waiting until an error presents itself. This involves the investigator planning for software, hardware or other general failures through threat identification methods like isolating questionable behavior by individuals who used the system being reviewed or by the system itself. Investigators scan and evaluate system integrity. System hardware is subject to being corrupted or stolen prior to and even during an investigation. If a hacker is able to gain access to central processing, they can reboot the system by circumventing logical access. This presents the possibility of fraud, disclosure of sensitive data, or the introduction of Trojan horses to the system. If an investigator can identify these threats early on, it can make it very difficult to identify and trace system corruption.

There is a wide range of data acquisition tools utilized for forensic investigation and for retrieving or supporting data. OpenNMS is a network management platform developed as an open source tool. It is noted that when utilizing this resource, “the end result of this, from a responder/analyst perspective, was that a malware infection became the least frequent activity to occur on a system” (Carvey, 2011). Tools that are used to secure open source systems are significantly useful because they can adapt to a wide range of malware or data sets that might potentially damage a network. Sipc is a voice over IP, or VoIP, software that relies on Session Initiation Protocol (SIP). Through this reliance, voice and video are supported to distribute a telephony network and to support voice, video, and data media streams between system users (Luo, 2012). Open source networks present a very real malware threat, and it is even worse that data forensic experts note malware authors design their viruses to be intuitive: “as malware authors and intruders began taking specific steps to ensure that their actions became less noticeable and ‘flew beneath the radar’, these actions became more difficult to detect, as the infections did not result in massive amounts of file activity or memory consumption” (Carvey, 2011). The main way investigators can prevent unexpected events is through utilizing equally intuitive tools that predict potential threats before they happen.

Justify the necessity of validating data acquisition and determine the negative effects on an investigation if this step is not performed.

The three main steps to a forensic investigation are the acquisition of the evidence, the authentication of the recovered evidence, and the analysis of the evidence. Authors do note that while there are other aspects of an investigation that can be added or alterations that can be made, these are the core essential steps of the process. They further note that even if these steps are followed, validation of the data acquisition, or maintaining a valid “chain of documents”, is essential to achieving the objective of the investigation. Bui, Enyeart and Luong state that “the chain documents everything that happens to the evidence: who handled it, where and how it was handled, and how it was stored. It preserves the integrity of the evidence. Even if the suspect was guilty, if the chain is not maintained, a lawyer can argue that the chain of custody was not properly established, casting doubt on the damning evidence acquired during the analysis phase” (Bui, Enyeart & Luong, 2003). This clearly defines the necessity of validating the data acquisition in an investigation, as a court of law could deem the evidence acquired inadmissible.

Describe the acquisition procedures and tools for Windows and Linux data acquisitions.

Some very powerful computer forensic tools include Foremost, Scalpel, PhotoRec, FTK, and ddrescue. Current data acquisition for Linux entails two hashing algorithm utilities, known as md5sum and sha1sum. For Windows, the EnCase DOS program En.exe requires the use of an MS-DOS boot through a CD or floppy disk as well as a network crossover cable for forensic purposes. This method is also compatible with Linux. There are also two tools associated with EnCase, known as SnapBack DatArrest and SafeBack, which supplement the acquisition of data for Linux and Windows. SnapBack DatArrest functions through the use of an MS-DOS boot, and it can copy the data of an evidence drive in one of three ways, while SafeBack executes a SHA-256 calculation for the sectors copied to guarantee data integrity, and it is the only automated disk-to-disk tool that allows users to copy data to a target drive smaller than the suspect's drive. Foremost is a forensic data carving tool that works with the Linux operating system. This tool was initially structured by the U.S. Air Force, and its commands let users extract data from a number of different data types, specifically gif, jpg, png, ole, and pdf.
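The essay argues that an acquisition must be validated (the hashing step named in the md5sum/sha1sum sentence above, and the chain-of-custody argument in the previous section), but never shows what that validation looks like. The following is an added example written for this page; it is not code from the essay, from Carvey's toolkit, or from any of the tools named here. It simulates a bit-stream disk-to-image acquisition of a constructed byte string standing in for an evidence drive, records MD5, SHA-1 and SHA-256 digests of source and image at acquisition time (SHA-256 is added beyond the two utilities the essay names), re-verifies the image later, and shows how a single changed byte is detected. The `manifest_line` helper emits the two-space `digest  filename` format that the coreutils `md5sum`, `sha1sum` and `sha256sum` utilities read back with `--check`.

```python
"""Validate a forensic disk-to-image acquisition with hashes (added example, not the page's code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# md5sum and sha1sum are the utilities the essay names; SHA-256 is added here as the
# algorithm SafeBack is described as using for copied sectors.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict[str, str]:
    """Hex digests of `data` under each algorithm, as the *sum utilities would print."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


@dataclass
class AcquisitionRecord:
    """Minimal acquisition-log entry: what was imaged and the digests taken at acquisition time.

    In a real case this record also carries examiner, date, tool and write-blocker details;
    those fields are omitted because the page does not describe them.
    """
    label: str
    size: int
    source_hashes: dict[str, str]
    image_hashes: dict[str, str]
    verified: bool


def acquire_disk_to_image(source: bytes, label: str) -> tuple[bytes, AcquisitionRecord]:
    """Bit-stream disk-to-image acquisition: copy every byte, then hash both sides.

    `bytes(source)` stands in for a dd-style byte-for-byte copy into an image file.
    """
    image = bytes(source)
    source_hashes = hash_bytes(source)
    image_hashes = hash_bytes(image)
    record = AcquisitionRecord(
        label=label,
        size=len(source),
        source_hashes=source_hashes,
        image_hashes=image_hashes,
        verified=(source_hashes == image_hashes),  # image matches the evidence drive
    )
    return image, record


def verify_image(image: bytes, record: AcquisitionRecord) -> dict[str, bool]:
    """Re-hash an image later (before analysis, or when custody is challenged) and compare."""
    current = hash_bytes(image)
    return {name: current[name] == record.image_hashes[name] for name in ALGORITHMS}


def manifest_line(record: AcquisitionRecord, filename: str, algorithm: str = "sha256") -> str:
    """One line in the `digest  filename` format that md5sum/sha1sum/sha256sum --check reads."""
    return f"{record.image_hashes[algorithm]}  {filename}"


# Constructed sample "evidence drive": a tiny byte string with a boot-sector-like
# prefix, some active data and a stretch standing in for deleted (latent) data.
SAMPLE_DRIVE = (
    b"BOOTSECTOR" + b"\x00" * 500 + b"\x55\xaa"
    + b"active/report.docx: quarterly figures\n"
    + b"\x00" * 64
    + b"[latent] budget draft, unlinked from the directory\n"
)


if __name__ == "__main__":
    image, record = acquire_disk_to_image(SAMPLE_DRIVE, "constructed-drive")
    print("acquisition verified:", record.verified)
    print(manifest_line(record, "constructed-drive.dd"))

    # Simulate a single-byte change to the image after acquisition: every digest breaks.
    tampered = bytearray(image)
    tampered[0] ^= 0x01
    print("tampered image checks:", verify_image(bytes(tampered), record))
```

Design note: all three digests are recorded rather than one, so a record remains checkable with whichever utility is available on the examination host, and the manifest line can be fed to `sha256sum --check` on a Linux workstation to re-verify the image file outside this script.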

References

Bui, S., Enyeart, M., & Luong, J. (2003). Issues in Computer Forensics. Santa Clara University Computer Engineering, USA.

Carvey, H. (2011). Windows forensic analysis dvd toolkit. Syngress.

Dykstra, J., & Sherman, A. T. (2012). Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigation, 9, S90-S98.

Luo, J. (2012). Affective computing and intelligent interaction. (p. 980). Springer.
