Understanding of Digital Forensic Tools

Syllabus : Quality assurance, Tool validation, Tool selection, Hardware and software tools

Contents
6.1 Quality Assurance
6.2 Tool Validation
6.3 Tool Selection

6.1 Quality Assurance

* Quality assurance is defined as "a documented system of protocols used to assure the accuracy and reliability of analytical results". It covers a wide array of subjects, including peer reviews of reports, documentation and training efforts, and evidence handling.

* The quality management system is the consolidation of the practices and procedures used to ensure the quality of the work and products that the organization produces.

* All digital forensic examination reports must be reviewed :
1. Administrative review : All digital forensic examination reports must be administratively reviewed for consistency with agency policy and for editorial correctness.
2. Technical review : At least 10 percent of final digital forensic examination reports must be technically reviewed by another digital forensic examiner (peer reviewed) before the reports are published.

* The reviewing examiner may be from the same or a different organization. The purpose of the technical review is to ensure the following :
1. The report is clear and understandable.
2. The procedures performed were adequately documented and forensically sound.
3. The examination documentation was sufficiently detailed to enable reproduction of the results.
4. The interpretations and conclusions of the examiner were reasonable, supported by the examination documentation, and scientifically valid.

* In a proficiency test, examiners must demonstrate their competence with mock evidence. There are four types of proficiency tests :
1. Open test : The analyst(s) and technical support personnel are aware they are being tested.
2. Blind test : The analyst(s) and technical support personnel are not aware they are being tested.
3. Internal test : Conducted by the agency itself.
4. External test : Conducted by an agency independent of the agency being tested.

6.2 Tool Validation

* Tools are used to analyze digital data and prove or disprove criminal activity. They are used in 2 of the 3 phases of computer forensics.

* Using digital data for forensic examination is a critical process. Forensic personnel will often have only one opportunity to acquire the data, and using untested tools could unintentionally alter it. To the extent possible, all organizations should ensure that the tools they use to acquire digital evidence operate as intended and accurately acquire the data.

* The validation testing may be performed by the organization or by a reputable entity (for example, another digital forensic laboratory). The organization performing the validation test must document the test, including the tools that were tested, the expected results, and the actual results of the testing. To comply with this standard, the organization must be able to produce the report if requested.

TECHNICAL PUBLICATIONS® - an up-thrust for knowledge

* Documentation of an examination :
1. Documentation : All the paperwork associated with a specific case is collected into a case file. The case file will contain all of the documentation pertaining to the case, including paperwork generated by the examiner and others : submission forms, requests for assistance, examiners' case reports, a copy of the search authority, and chain of custody records.
2. Forms : Preprinted forms are widely used to capture the necessary information and to document the evidence in detail (make, etc.) and the chain of custody.
3. Examiner's final report : The examiner's final report is the document that is delivered to prosecutors, investigators, opposing counsel, and so on, at or near the end of an investigation.

6.3 Tool Selection

* The primary goal of the tool catalog is to provide an easily searchable catalog of forensic tools.
This enables practitioners to find tools that meet their specific technical needs. The catalog provides the ability to search by technical parameters based on specific digital forensics functions, such as disk imaging or deleted file recovery.

* There are two basic types of data that are collected, persistent data and volatile data. Persistent data is that which is stored on a hard drive or another medium and is preserved when the computer is turned off. Volatile data is any data that is stored in memory or exists in transit and will be lost when the computer is turned off. Volatile data might be key evidence, so it is important that if the computer is on at the scene of the crime it remain on. There are a variety of tools used to collect data.

* Tools are used to analyze digital data and prove or disprove criminal activity. They are used in 2 of the 3 phases of computer forensics :
1. Acquisition - Images systems and gathers evidence
2. Analysis - Examines data and recovers deleted content
3. Presentation - Tools not used

Computer Forensic Tools Capabilities
1. Recover deleted files.
2. Find out what external devices have been attached and what users accessed them.
3. Determine what programs ran.
4. Recover web pages.
5. Recover emails and the users who read them.
6. Recover chat logs.
7. Determine file servers used.
8. Discover a document's hidden history.
9. Recover phone records and SMS text messages from mobile devices.

Hardware and Software Tools

* Types of computer forensics tools :
1. Hardware forensic tools : Range from single-purpose components to complete computer systems and servers.
2. Software forensic tools : There are two types of software forensic tools, command-line applications and GUI applications. They are commonly used to copy data from a suspect's disk drive to an image file.
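The tool validation rule above (document the tool tested, the expected result and the actual result, and be able to produce the report) can be turned into a small, repeatable test. The following is an added example, not code from the textbook or from any forensic product: the "suspect disk" is constructed pseudo-random bytes, and the two acquisition functions are hypothetical stand-ins for an imaging tool under test, one correct and one that silently drops the last sector. The expected result is the SHA-256 of the source computed before acquisition; the actual result is the hash of the image file read back independently.

```python
# Added example (not from the textbook): a validation-test record for a
# hypothetical disk-imaging function. Everything here is constructed: the
# sample disk is deterministic pseudo-random bytes, and the acquisition
# functions are stand-ins for a tool under test, not any real imaging product.
import hashlib
import os
import random
import tempfile
from dataclasses import dataclass
from typing import Callable, List

SECTOR = 512


def build_sample_disk(sectors: int = 64, seed: int = 7) -> bytes:
    """Constructed sample 'suspect disk': deterministic bytes with a marker in sector 0."""
    rng = random.Random(seed)
    data = bytearray(rng.getrandbits(8) for _ in range(sectors * SECTOR))
    data[0:8] = b"SUSPECT!"
    return bytes(data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_physical_copy(source: bytes, image_path: str) -> None:
    """Tool under test (hypothetical): sector-by-sector physical copy to an image file."""
    with open(image_path, "wb") as out:
        for off in range(0, len(source), SECTOR):
            out.write(source[off:off + SECTOR])


def acquire_truncating_copy(source: bytes, image_path: str) -> None:
    """Deliberately faulty stand-in that drops the last sector, so the report
    shows what a failed validation looks like."""
    with open(image_path, "wb") as out:
        out.write(source[:-SECTOR])


@dataclass
class ValidationRecord:
    tool: str
    test: str
    expected: str   # SHA-256 of the source, computed before acquisition
    actual: str     # SHA-256 of the image file, read back independently
    passed: bool


def run_validation(tool_name: str,
                   acquire: Callable[[bytes, str], None],
                   source: bytes) -> ValidationRecord:
    """Run one validation test and return the documented result."""
    expected = sha256_hex(source)
    with tempfile.TemporaryDirectory() as workdir:
        image_path = os.path.join(workdir, "evidence.dd")
        acquire(source, image_path)
        with open(image_path, "rb") as img:
            actual = sha256_hex(img.read())
    return ValidationRecord(
        tool=tool_name,
        test=f"physical copy of {len(source)} byte sample disk",
        expected=expected,
        actual=actual,
        passed=(expected == actual),
    )


def validation_report(records: List[ValidationRecord]) -> str:
    """Render the records as the report the organization must be able to produce."""
    lines = []
    for r in records:
        lines.append(f"{'PASS' if r.passed else 'FAIL'}  {r.tool}: {r.test}")
        lines.append(f"      expected {r.expected}")
        lines.append(f"      actual   {r.actual}")
    return "\n".join(lines)


if __name__ == "__main__":
    disk = build_sample_disk()
    results = [
        run_validation("imager-A (hypothetical)", acquire_physical_copy, disk),
        run_validation("imager-B (hypothetical)", acquire_truncating_copy, disk),
    ]
    print(validation_report(results))
```

The point of computing the expected hash before the tool runs, and the actual hash from the written file rather than from anything the tool reports about itself, is that the test does not trust the tool under test for either side of the comparison; a tool that copies correctly but mis-reports its own hash, or one that truncates the copy, both surface as FAIL in the record.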
Functions of computer forensics tools
1. Acquisition : The acquisition function makes a copy of the data on a digital system for later analysis, just as physical evidence (fibres, blood samples) is collected from a crime scene. Its sub-functions include physical data copy, logical data copy and GUI acquisition.
3. Extraction : The extraction function is the recovery task in a computing investigation. The sub-functions of extraction that are used in investigations are data viewing, keyword searching, decompressing, carving, decrypting and bookmarking.
4. Reconstruction : The purpose of having a reconstruction feature in a forensics tool is to re-create a suspect drive to show what happened during a crime or an incident. Another reason for duplicating a suspect drive is to create a copy for other computer investigators, who might need a fully functional copy of the drive so that they can perform their own acquisition, test, and analysis of the evidence. These are the sub-functions of reconstruction : disk-to-disk copy, image-to-disk copy, partition-to-partition copy and image-to-partition copy.
5. Reporting : To complete a forensics disk analysis and examination, you need to create a report. Before Windows forensics tools were available, this process required copying data from a suspect drive and extracting the digital evidence manually. The investigator then copied the evidence to a separate program, such as a word processor, to create a report.

Tools
1. The Sleuth Kit (TSK) : The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based tools and utilities to allow for the forensic analysis of computer systems. It allows examination of DOS, BSD, Mac, Sun and GPT partitions and disks. It also includes the Autopsy forensic browser as a graphical analysis tool and supports integration with an SQLite database. It can be run on live Windows systems for incident response. With this kit, the user can examine the computer file systems through a non-intrusive approach that is not dependent on the investigated machine's operating system to process the file system, including deleted and hidden files from DOS, BSD, Mac, Sun and Linux partitions.
The results generated by Sleuth Kit tools are used by another tool, the Autopsy forensic browser, which presents such details as image integrity, keyword searches and other automated operations about the investigated partition through a graphical interface. The Sleuth Kit was written in C and Perl and uses an aspect of the TCT code.
2. The Coroner's Toolkit (TCT) : The TCT tools do not recognize NTFS, FAT or EXT3 partitions, so they are of little use when performing forensic investigations on machines with Microsoft Windows and/or Linux operating systems with EXT3 file systems.
3. FTK : FTK can analyze data from several sources, including image files from other vendors. FTK also produces a case log file, where you can maintain a detailed log of all activities during the examination, such as keyword searches and data extractions.
4. Maresware : It is used by all types of investigators, including intelligence agency, private-sector and human resources personnel. Used within a forensic paradigm, the software enables discovery of evidence for use in criminal or civil legal proceedings. Internal investigators can develop documentation to support and preserve evidence. Functions of Maresware include :
d. Keyword searching
e. File verification
f. Drive wiping
g. File reformatting
h. Documenting
5. ProDiscover Basic

Review Question
1. Explain various tool selection methods in the context of digital forensics.
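Of the extraction sub-functions listed in this chapter, carving is the one most easily shown in code: recover files from a raw image by their header and trailer byte signatures, without relying on any file system metadata. The block below is an added example written for this page, not code from the textbook, The Sleuth Kit, FTK or any other tool named above. The raw image is constructed inline (pseudo-random filler with a minimal JPEG-like and PNG-like blob at known offsets), the signatures are the standard JPEG and PNG header and trailer bytes, and each carved artifact is recorded with its offset, length and SHA-256 so the result can be documented and reproduced.

```python
# Added example (not from the textbook): signature-based file carving, the
# "carving" sub-function of extraction. The image is constructed inline; the
# carver is this example's own, not any named forensic tool's.
import hashlib
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

# file type -> (header signature, trailer signature); standard JPEG/PNG bytes
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed blobs: just enough structure to carry the real header/trailer bytes.
JPEG_BLOB = b"\xff\xd8\xff\xe0" + b"constructed-jfif-body" + b"\xff\xd9"
PNG_BLOB = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
            + b"IEND\xaeB`\x82")
JPEG_OFFSET = 100                                   # where the JPEG is planted
PNG_OFFSET = JPEG_OFFSET + len(JPEG_BLOB) + 37      # 37 bytes of filler between


def build_sample_image(seed: int = 1) -> bytes:
    """Constructed raw image: filler bytes below 0xF0 (so filler can never form a
    JPEG marker) with the two blobs planted at known offsets."""
    rng = random.Random(seed)

    def filler(n: int) -> bytes:
        return bytes(rng.randrange(0, 0xF0) for _ in range(n))

    return filler(JPEG_OFFSET) + JPEG_BLOB + filler(37) + PNG_BLOB + filler(50)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CarvedFile:
    kind: str
    offset: int
    length: int
    sha256: str


def carve(image: bytes, max_len: int = 1 << 20) -> List[CarvedFile]:
    """For each signature, find every header and pair it with the next trailer
    within max_len bytes. A header with no trailer in range (truncated or
    fragmented file) is skipped rather than carved as garbage."""
    found: List[CarvedFile] = []
    for kind, (header, trailer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(trailer, start + len(header), start + max_len)
            if end < 0:
                pos = start + 1
                continue
            end += len(trailer)
            blob = image[start:end]
            found.append(CarvedFile(kind, start, len(blob), sha256_hex(blob)))
            pos = end
    return sorted(found, key=lambda c: c.offset)


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.kind:5} offset={c.offset:6} length={c.length:5} sha256={c.sha256}")
```

Header-to-trailer pairing is the simplest carving strategy and is exactly where real evidence diverges from the sample: a JPEG that embeds a thumbnail contains a second FFD9 before its real end, and a file whose clusters are not contiguous on disk will not carve as one run. Production tools therefore validate the internal structure of a candidate (for example, walking JPEG segment lengths) rather than stopping at the first trailer, and an examiner should treat a carved object as a candidate to be verified, with its offset and hash recorded, not as a proven file.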
