Part IV: Tools for Computer Forensics and Incident Response
Chapter List
- Chapter 20: Creating a Bootable Environment and Live Response Tool Kit
Chapter 20: Creating a Bootable Environment and Live Response Tool Kit
Overview
When a call comes in that a system has been hacked, the forensic consultant has to be ready to move quickly. Sometimes the victim system will be so badly damaged by the attack that the machine won't even boot. Some victim systems will be functional, and the "powers that be" will allow the system to be taken offline so that proper analysis can be performed on it. Still others will have to remain online while the analysis is performed. No matter what the scenario, the forensic consultant has to be prepared to deal with it.

In this chapter, we'll tell you how to create bootable response media (usually either a CD-ROM or a floppy) that contains all the tools you'll need to perform a proper response analysis of an attack. We'll also put together a collection of critical Windows and Unix tools that can be used for forensic analysis on live systems.
- Chapter 21: Commercial Forensic Duplication Tool Kits
Chapter 21: Commercial Forensic Duplication Tool Kits
Overview
Once the decision is made that an investigation will take place, it is usually a good idea to obtain a forensic image of the machines involved in the incident. Forensic images, also called evidence-grade or bit-stream copies, exactly replicate every sector on a given storage device. Several choices of forensic duplication software are available; both commercial and noncommercial tools have withstood the burden the legal system has placed on them. This chapter reviews several tools that are available commercially. Typically, mid-sized to large organizations lean toward commercially available software, so this chapter describes four of the most popular packages: EnCase, Safeback, SnapBack, and Ghost.

You may want to read the Case Study at the end of the chapter first to familiarize yourself with the hard drives and the situation you will face when you use these forensic duplication tools. The Case Study will be referred to as the "example" within the following sections.

Note: The tools discussed in this chapter perform forensic duplication, not analysis. See Chapters 22, 23, and 24 for information on tools that aid in forensic analysis.

In keeping with the flow of the investigation, we now move to the Forensic Duplication step in the timeline.
- Chapter 22: Open-Source Forensic Duplication Tool Kits
Chapter 22: Open-Source Forensic Duplication Tool Kits
Overview
Chapter 21 reviewed several commercially distributed tool kits that perform forensic duplications. The tool kit discussed in this chapter can be assembled for free, and in a modest amount of time you can master its use.

With the proliferation of open-source operating systems such as Linux, OpenBSD, NetBSD, and FreeBSD, a whole suite of tools (and their source code) is available to the general public that never existed before. Many general system administration tools, such as dd, losetup, vnconfig, and md5sum, can be used for investigations just as effectively as their commercial counterparts.

This chapter explains the use of these tools and how they have proved to be important additions to the investigator's tool kit. Because these tools are free and the images they produce can be imported into nearly any forensic analysis suite, you may prefer them over any others. Note, however, that using them requires a high level of experience and at least some knowledge of file system internals.

Just as we discussed needing a trusted boot disk (or CD-ROM) in Chapter 21, forensic duplication with noncommercial software has the same requirement. Because Linux is open source, many distributions have been developed to run Linux from a CD or floppy disk without ever accessing the hard drive. We suggest you check out Trinux, a Linux distribution designed to run from a CD-ROM; you can research it at http://trinux.sourceforge.net. Knoppix, available at http://www.knoppix.net, follows the same vein: it runs directly from a CD-ROM, has excellent documentation, and has been more actively developed than Trinux, so it supports more "strange" hardware and carries more recent tools.
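The duplicate-and-verify workflow that the dd and md5sum paragraph above alludes to, written out as an added shell example; this is not code from the book. It assumes GNU coreutils (dd, sha256sum, mktemp) and uses a constructed file as the "evidence device" so it runs offline and without root; sha256sum stands in for md5sum because MD5 is no longer collision resistant, but the verification logic is identical. It also demonstrates a trap the book's one-line descriptions leave out: with conv=sync, a block size that does not divide the device size exactly pads the final block with zeros, and the hash comparison is what catches it.

```shell
#!/bin/sh
# Added example (not from the book): forensic duplication with dd plus hash
# verification, the open-source counterpart of the commercial imagers in
# Chapter 21. The "evidence device" is a constructed file so this runs offline
# without root; on a real case the source is a raw block device (e.g. /dev/sdb)
# read from a trusted boot CD, with the suspect disk never mounted read-write.
set -u

# Constructed stand-in for an evidence disk: 129 sectors of 512 bytes
# (66048 bytes), deliberately NOT a multiple of 4096, to expose the padding trap.
make_sample_evidence() {
    dd if=/dev/urandom of="$1" bs=512 count=129 2>/dev/null
}

# Digest only (first field of sha256sum output), suitable for string comparison.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Bit-stream copy: every sector, allocated or not.
#   conv=noerror  keep going past unreadable sectors instead of aborting
#   conv=sync     replace each unreadable (or short) block with zeros so that
#                 offsets in the image still line up with the device
# bs must divide the device size exactly; otherwise conv=sync pads the final
# short read to a full block and the image is larger than the device.
make_image() {
    src="$1"; img="$2"; bs="${3:-512}"
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>/dev/null
}

# Full acquisition: hash the source, image it, hash the source again (proves
# imaging did not alter it), hash the image (proves the copy is exact). The
# three digests go to $log for the chain-of-custody record. Returns 0 only when
# source-before == source-after == image.
acquire() {
    src="$1"; img="$2"; log="$3"; bs="${4:-512}"
    before="$(hash_file "$src")"
    make_image "$src" "$img" "$bs"
    after="$(hash_file "$src")"
    copy="$(hash_file "$img")"
    printf 'bs=%s\nsource-before %s\nsource-after  %s\nimage         %s\n' \
        "$bs" "$before" "$after" "$copy" > "$log"
    [ "$before" = "$after" ] && [ "$before" = "$copy" ] && return 0
    return 1
}

# Demonstration: bs=4096 pads the 66048-byte device to 69632 bytes and the
# hash check rejects it; bs=512 (the sector size) yields an exact copy.
demo() {
    work="$(mktemp -d)"
    make_sample_evidence "$work/sdb.raw"
    if acquire "$work/sdb.raw" "$work/bad.dd" "$work/bad.log" 4096; then
        echo "unexpected: bs=4096 image verified"
    else
        echo "bs=4096: hash mismatch, image padded to $(wc -c < "$work/bad.dd") bytes"
    fi
    if acquire "$work/sdb.raw" "$work/good.dd" "$work/good.log" 512; then
        echo "bs=512: image verified, $(wc -c < "$work/good.dd") bytes"
        cat "$work/good.log"
    fi
    rm -rf "$work"
}

demo
```

Examining the finished image read-only is the job of the loopback tools the chapter names (losetup -r, or mount -o ro,loop,noexec); those need root and are not run here. Keep the log file with the case notes: the matching source-before and source-after digests are what lets you show later that acquisition did not write to the evidence.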
Additionally, a similar distribution of FreeBSD, aptly named FreeBSD To Go, is offered at http://sourceforge.net/projects/freebsdtogo/. Another project worth mentioning is F.I.R.E., the Forensic and Incident Response Environment. It offers an easy-to-navigate menu system for performing a wide variety of forensic and security analyses on a computer without altering the evidence. For more information about forensics-capable CDs, see http://www.linux-forensics.com/links.html; for information on bootable CDs in general, see http://www.distrowatch.com/dwres.php?resource=cd.

Multiple Linux distributions designed for the forensic examiner run from a CD-ROM, including Trinux, Knoppix, Knoppix-STD, F.I.R.E., and many others. These versatile distributions come complete with analysis tools, data collection resources, disk recovery utilities, security testing capabilities, and even virus scanning. Information about each distribution is shown in the following table.

| Distribution | Web Site | Strong Points |
|---|---|---|
| Trinux | http://trinux.sourceforge.net | Small size allows it to run on old computers |
| Knoppix | http://www.knoppix.net | Best hardware detection and GUI, extensive list of tools |
| Knoppix-STD | | Knoppix Security Tools Distribution includes an extensive suite of security, incident response, and forensics-related tools |
| F.I.R.E. | | Forensic and Incident Response Environment has a nice menu system that makes it easy to use |

In this chapter, we are still within the forensic duplication stage of our investigation.
- Chapter 23: Tool Kits to Aid in Forensic Analysis
- Chapter 24: Tools to Aid in Internet Activity Reconstruction
- Chapter 25: Generalized Editors and Viewers