Performing Forensic Analysis by yaoyufang


									         Performing a Forensic Analysis at the Physical and Logical Layers

1. Capture volatile information.
2. Document hardware configuration of the system in BIOS (take picture of screens and
   show how the system is connected also).
3. Pull plug.
4. Transport system to a secure location.
5. Use either a forensic duplicate (preferred), hashing all data on the duplicate or do a
   live system review of the system.

Media                                         Forensic Duplication Software
Floppy Disks                                  DOS 6.22 diskcopy command
Hard Disks                                    SafeBack, Norton Ghost, EnCase, dd

6. Document system date and time.
7. Make a list of keyword search terms to use during investigation.
8. Perform a physical analysis of the duplicate or media

Physical Analysis
                              Looking for:                     Tools:
Partition Information          Hidden Partitions              NTFSDOS
                                                               Partition Magic
String Search                    All Web site URLS            StringSearch
                                 All e-mail addresses
                                 Key word search strings      BinText
                                 Keywords within              WinHex
                                  executables/binaries         Hurricane Trial (formerly
Search and extract            File containing specific file    WinHex
                              headers (i.e. a .JPG file that
                              is named as another file
                              type to hide its true file
File slack and free space                                      NTI file extraction tools
extraction                                                     (
Deleted Files                                                  Norton Unerase

      Examine and note the hard drive geometry.
      Examine the partitions, making certain that all of the partitions and unallocated
       space add up to the total disk capacity. DOS’ FDISK can be used to view FAT
       paritions, but you will need NTFSDOS or Partition Magic to view NTFS
      Swap files, unallocated space and file slack contain mostly binary information –
       which can be tedious to review. Slack space is random in nature so you might
       find a logon name or password buried somewhere, or fragments of messages and
       documents. Slack can also be found on floppies and other media.
      Shadow data is data that remains on the disk, even after its been erased or
       formatted. Shadow data requires very expensive, specialized equipment to
       retrieve it.
      All recoverable deleted files should be restored. It is recommended that the first
       character of restored files are changed from a HEX E5 to “-“ or other unique
       character, to enable easy identification later!
      Extract a list of all Web site URLs and a list of all e-mail addresses on the
       computer- especially those that are deleted using WinHex.

9. Perform a logical analysis of the duplicate or media. A logical analysis attempts to
   reconstruct what the user(s) were doing a the PC. Typically, people will try to cover
   up their activities by hiding files, changing file extensions, deleting files and through
   the use of encryption or steganography. Multiple file formats can even be combined
   into a single file (metadata – see link on site). Watch for unusual file paths that make
   it difficult to follow – particularly noticeable with Trojan programs is that the files
   and processes running will have either been “trojaned” (check with trusted md5
   checksums) or will using regular “system-type” of names (i.e. novell.exe – loading
   an ftp server).

                                    Logical Analysis
Hidden Files                                                    DOS attrib -h command
                                                                hfind.exe - JD Glaser
Search for file extensions                                       QuickView Plus (no
                                                                trial version)
Look for links to sites and other documents inside of            URLSerch
documents                                                       WinHex
Examine File Properties - created, modified, accessed           filestat.exe by JD Glaser
(without changing file properties data)
Look for data hidden in the whitespace of documents             BinText
Look for comments in Word documents displayed on screen         Manual Inspection
Look for formulas in tables and other file names in             Manual Inspection
Excel: Look for hidden Columns                                  Manual Inspection
Database - Design View - look for links to other files          Manual Inspection
Look for Spyware                                                sfind.exe by JD Glaser
                        sfind.exe c:/
Look for Hidden Files   hfind.exe c:/

To top