Computer Forensics White Paper

Computer Forensics: Final Report

Thomas Partington, 1st May 2007
Supervisor: Mike Stannett. Module: COM3020

This report is submitted in partial fulfilment of the requirement for the degree of Bachelor of Engineering with Honours in Software Engineering by Thomas Partington.

Declaration

All sentences or passages quoted in this report from other people's work have been specifically acknowledged by clear cross-referencing to author, work and page(s). Any illustrations which are not the work of the author of this report have been used with the explicit permission of the originator and are specifically acknowledged. I understand that failure to do this amounts to plagiarism and will be considered grounds for failure in this project and the degree examination as a whole. [1]

Name: Thomas Partington
Signature:
Date: 1st May 2007

[1] MPS changed: I have lined up your signature, the date (now generated by MyDate), etc., using tabular.

Contents

1 Introduction (p. 1)
2 Literature Survey (p. 2)
  2.1 Hidden Data - Where to look (p. 2)
  2.2 Layer 1 – Raw Binary Data on a Storage Device (Hard Disk) (p. 3)
    2.2.1 Bad Sectors/Tracks (p. 3)
    2.2.2 Finding Data Hidden in Bad Sectors/Tracks (p. 4)
    2.2.3 Host Protected Areas and Device Configuration Overlays (p. 4)
    2.2.4 Hard Disk Imaging (p. 5)
  2.3 Layer 2.1 – Volumes/Partitions (p. 6)
    2.3.1 Definitions (p. 6)
    2.3.2 DOS Partitions (p. 6)
    2.3.3 Volumes/Partitions – Hidden Data (p. 8)
  2.4 Layer 2.2 – File Systems (p. 9)
    2.4.1 NTFS – New Technologies File System (p. 9)
    2.4.2 Data Obfuscation: Deleted Data and Possible Recovery (p. 10)
    2.4.3 Zero–Footprinting: Wiping the evidence (p. 11)
    2.4.4 Hidden Data (p. 12)
    2.4.5 Encrypted Data (p. 13)
  2.5 Layer 3: Data In Context (Files) (p. 14)
    2.5.1 Event Reconstruction (p. 14)
    2.5.2 Hidden Data: Steganography (p. 15)
  2.6 Current Computer Forensics Tools (p. 17)
    2.6.1 EnCase by Guidance Software (p. 17)
    2.6.2 Forensic Toolkit by Access Data (p. 18)
    2.6.3 ProDiscover Forensics (p. 18)
    2.6.4 SMART by ASR Data (p. 18)
3 Requirements and Analysis (p. 18)
  3.1 The Tools (p. 19)
    3.1.1 Analysing a Hard Disk and Creating an Image (p. 19)
    3.1.2 Partition Analysis (p. 21)
    3.1.3 File System Analysis (p. 22)
    3.1.4 Encrypted Files (p. 23)
    3.1.5 Event Reconstruction (p. 24)
    3.1.6 Steganalysis (p. 24)
    3.1.7 General Requirements (p. 25)
    3.1.8 Non–Functional Requirements (p. 25)
  3.2 Specific Requirements (p. 25)
4 Design (p. 29)
  4.1 X-Machines (p. 29)
  4.2 Partition Analysis Tool (p. 38)
  4.3 File System Analysis Tool (p. 38)
5 Implementation (p. 43)
  5.1 Disk Imaging Tool (p. 44)
  5.2 Partition Analysis Tool (p. 46)
  5.3 File System Analysis Tool (p. 47)
6 Testing (p. 48)
  6.1 Disk Imaging Tool (p. 48)
    6.1.1 Test Specification (p. 48)
    6.1.2 Test Frames (p. 50)
    6.1.3 Results (p. 51)
  6.2 Partition Analysis Tool (p. 53)
    6.2.1 Test Specification (p. 53)
    6.2.2 Test Frames (p. 54)
    6.2.3 Results (p. 54)
  6.3 File System Analysis Tool (p. 55)
    6.3.1 Test Specification (p. 55)
    6.3.2 Test Frames (p. 58)
    6.3.3 Results (p. 58)
7 Conclusions (p. 59)
  7.1 Summary (p. 59)
  7.2 Work Achieved (p. 60)
  7.3 Suggestions for Future Work (p. 60)
8 Appendix A (p. i)
  8.1 X-Machines (p. i)
  8.2 Screen-shots of the Prototype System (p. v)
9 Appendix B (p. xiv)
  9.1 Test Frames (p. xiv)
  9.2 Test Results (p. lxiv)