DOCSLIB.ORG

Building an Intelligent Assistant for Digital Forensics Umit Karabiyik

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Florida State University Libraries Electronic Theses, Treatises and Dissertations The Graduate School 2015 Building an Intelligent Assistant for Digital Forensics Umit Karabiyik Follow this and additional works at the FSU Digital Library. For more information, please contact [email protected] FLORIDA STATE UNIVERSITY COLLEGE OF ARTS AND SCIENCES BUILDING AN INTELLIGENT ASSISTANT FOR DIGITAL FORENSICS By UMIT KARABIYIK A Dissertation submitted to the Department of Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy 2015 Copyright c 2015 Umit Karabiyik. All Rights Reserved. Umit Karabiyik defended this dissertation on July 13, 2015. The members of the supervisory committee were: Sudhir Aggarwal Professor Directing Dissertation Simon Foo University Representative Zhenhai Duan Committee Member Xiuwen Liu Committee Member The Graduate School has verified and approved the above-named committee members, and certifies that the dissertation has been approved in accordance with university requirements. ii This dissertation is dedicated to my beloved wife Tu˘gba and our lovely daughter Azra Hamide iii ACKNOWLEDGMENTS First of, I would like to express my deepest appreciation to my advisor and major professor Dr. Sudhir Aggarwal. I cannot admit how much I learned from him and how he inspired me during my studies. Specifically, I appreciate the patient guidance, advice and motivation that Dr. Aggarwal provided me during our meetings and would like to thank him for being very supportive and understanding over the past 5 years. Without his guidance and persistent help this dissertation would not have been possible. I feel very fortunate to have had the opportunity of working with him. I would like to extend my appreciation to my committee members Dr. Xiuwen Liu, Dr. Zhenhai Duan and the university representative Dr. Simon Foo, for their valuable time and recommendations during my studies. I would also thank my friends Dr. Elvan Aktas, Dr. Fatih Oncul and Dr. Kemal Akkaya for their motivation and giving me excellent suggestions about the academic life in the USA. I also would like to thank my fellow friend Shiva Houshmand for her friendship and collaborations in several projects. I also extend my thanks to Clayton Butler for his assistance and the time that he spend with me to test my system at the ECIT lab. I also express my gratitude to the FSU Department of Computer Science support staff. I particularly thank Eleanor McNealy, Daniel Clawson and Edwina Hall for their assistance handling many administrative issues at both department and university level. I would also like to thank all the FSU Global Engagement administrative staff, particularly to my exchange visitor adviser Tanya Schaad, for their support and help for dealing with all the immigration bureaucracy in the US. I would like to thank my parents for believing in me and supporting me in every aspect for many years. I would also like to thank all my loyal friends in the US and in Turkey. Last and certainly not least, I would like to thank my beloved wife Tu˘gba Karabiyik and my lovely daughter Azra Hamide Karabiyik, for filling my life with energy, peace and love. iv TABLE OF CONTENTS ListofTables.......................................... vii ListofFigures ......................................... viii Abstract............................................. ... x 1 Introduction 1 2 Related Work 5 3 Background and Literature Review 8 3.1 DigitalForensics .................................... 8 3.1.1 Digital Forensics Phases . 8 3.1.2 Digital Forensics Branches . 10 3.1.3 Computer Forensics . 10 3.1.4 Other Digital Forensics Branches . 19 3.1.5 Digital Forensics Tools . 21 3.1.6 CurrentProblems ................................. 25 3.2 ArtificialIntelligence ............................... 27 3.2.1 Knowledge Representation . 28 3.2.2 ExpertSystems................................... 28 4 AUDIT: Automated Disk Investigation Toolkit 31 4.1 Preliminary Design of AUDIT . 31 4.2 Building the Knowledge Base for AUDIT . 34 4.2.1 Investigator Level Knowledge . 35 4.2.2 Tools Level Knowledge . 36 4.3 Configuration, Parameterization and Integration of Tools . 37 4.4 WorkingwithAUDIT ................................... 39 4.5 TestingAUDIT...................................... 42 4.5.1 GraphicFilesSearch................................ 42 4.5.2 SensitiveNumberSearch ............................. 43 5 Advanced Automated Disk Investigation Toolkit 45 5.1 New High-Level Design of AUDIT . 45 5.1.1 Database Component . 46 5.1.2 Knowledge Base Component . 48 5.1.3 Core Engine Component . 49 5.1.4 ExpertSystemDesigninJess. 50 5.2 Model of Hierarchical Disk Investigation . 52 5.2.1 TheModel ..................................... 53 5.3 ReportinginAUDIT................................... 58 v 6 Evaluation & Experimental Results 61 6.1 ExperimentalSetup ................................. 61 6.2 TestingPart1...................................... 64 6.3 TestingPart2...................................... 66 7 Conclusion 70 7.1 SummaryoftheProblem ................................. 70 7.2 Solution: Automated Disk Investigation Toolkit . 71 7.3 Contributions...................................... 71 7.4 FutureDirections.................................. 72 Appendix A Copyright Permission 74 Bibliography .......................................... 75 BiographicalSketch ..................................... 81 vi LIST OF TABLES 5.1 Schema of the tools table in the AUDIT database . 47 6.1 Extension type and quantity of files in dataset . 62 6.2 Size, type and quantity of horse pictures . 63 6.3 Number of files in each space on the disk . 64 6.4 Finding graphics and email files . 64 6.5 Hidden document files and their locations . 65 6.6 Results of CCN, SSN and email address search . 65 6.7 Analysis times with and without AUDIT . 66 6.8 Sample benchmark disk images . 66 6.9 Type and fragmentation information for documents files . 68 6.10 Type and fragmentation information for graphics files . 69 vii LIST OF FIGURES 3.1 The digital forensics investigative process . .......... 9 3.2 Digital forensics branches . 11 3.3 Internal structure of a hard disk drive [58] . 12 3.4 A hard disk divided up into partitions and volumes . 13 3.5 Example hard disk volume organized into three partitions . 14 3.6 Disk layout and master boot record (MBR) space . 16 3.7 Volume slack on hard disk . 17 3.8 Partition slack on hard disk . 17 4.1 High-level design of AUDIT . 32 4.2 The tools table in the AUDIT database . 33 4.3 Simple Example of a CLIPS Rule in AUDIT . 35 4.4 Salience declaration rule . 35 4.5 Facts initially added to the knowledge base . 36 4.6 New facts added to the knowledge base . 36 4.7 Therulerunsforcreditcardsearch . 37 4.8 Facts assumed to be added to de knowledge base . 39 4.9 Function used for invoking scalpel for graphic file carving . 40 4.10 Starting screen of the user interface of AUDIT . 41 4.11 Popup showing files recovered from unallocated space . 43 4.12 Find SSNs output report for Credit Card and Social Security Numbers . 44 5.1 High-level design of AUDIT . 46 5.2 Sample entries in the new tools table in the AUDIT database . 47 5.3 A rule used for updating the knowledge base . 48 5.4 Original fact before updating . 48 viii 5.5 Modifiedfactafterupdating ............................ 49 5.6 A rule used for updating the database . 49 5.7 CreatingaJesstemplateinJava . 51 5.8 A rule used in AUDIT for email address search . 51 5.9 Executing bulk extractor for email address search . 52 5.10 Model of hierarchical disk analyses . 54 5.11 Command line for TestDisk and sample output . 55 5.12 Command line for gpart and sample output . 55 5.13 Partial output of fsstat . 56 5.14 Outputofmmls ...................................... 56 5.15 Example of a hierarchical disk analysis . 58 5.16 Partial examination report of a single partition disk image . 59 5.17 Partial inference report for slack space extraction . 60 6.1 Directorytreestructureintestdiskimages . 62 6.2 Filehidingprocess................................ 63 6.3 Sample of non ASCII file names . 67 6.4 Layoutoftestdisk1................................... 67 6.5 Layoutoftestdisk2................................... 67 6.6 Layout of nps-2010-emails.E01 disk image . 69 ix ABSTRACT Software tools designed for disk analysis play a critical role today in digital forensics investigations. However, these digital forensics tools are often difficult to use, usually task specific, and generally require professionally trained users with IT backgrounds. The relevant tools are also often open source requiring additional technical knowledge and proper configuration. This makes it difficult for investigators without some computer science background to easily conduct the needed disk analysis. In this dissertation, we present AUDIT, a novel automated disk investigation toolkit that sup- ports investigations conducted by non-expert (in IT and disk technology) and expert investigators. Our system design and implementation of AUDIT intelligently integrates open source tools and guides non-IT professionals while requiring minimal technical knowledge about the disk structures and file systems of the target disk image. We also present a new hierarchical disk investigation model which leads AUDIT to systematically examine the disk in its totality based on its phys- ical and logical structures. AUDIT’s capabilities as an intelligent digital assistant are evaluated through a series of experiments comparing it with a human investigator as well as against standard benchmark disk images.
Recommended publications
  • Guidelines on Mobile Device Forensics

    Guidelines on Mobile Device Forensics

    NIST Special Publication 800-101 Revision 1 Guidelines on Mobile Device Forensics Rick Ayers Sam Brothers Wayne Jansen http://dx.doi.org/10.6028/NIST.SP.800-101r1 NIST Special Publication 800-101 Revision 1 Guidelines on Mobile Device Forensics Rick Ayers Software and Systems Division Information Technology Laboratory Sam Brothers U.S. Customs and Border Protection Department of Homeland Security Springfield, VA Wayne Jansen Booz Allen Hamilton McLean, VA http://dx.doi.org/10.6028/NIST.SP. 800-101r1 May 2014 U.S. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541 et seq., Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate Federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A- 130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A- 130, Appendix III, Security of Federal Automated Information Resources. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority.
  • Filesystems HOWTO Filesystems HOWTO Table of Contents Filesystems HOWTO

    Filesystems HOWTO Filesystems HOWTO Table of Contents Filesystems HOWTO

    Filesystems HOWTO Filesystems HOWTO Table of Contents Filesystems HOWTO..........................................................................................................................................1 Martin Hinner < [email protected]>, http://martin.hinner.info............................................................1 1. Introduction..........................................................................................................................................1 2. Volumes...............................................................................................................................................1 3. DOS FAT 12/16/32, VFAT.................................................................................................................2 4. High Performance FileSystem (HPFS)................................................................................................2 5. New Technology FileSystem (NTFS).................................................................................................2 6. Extended filesystems (Ext, Ext2, Ext3)...............................................................................................2 7. Macintosh Hierarchical Filesystem − HFS..........................................................................................3 8. ISO 9660 − CD−ROM filesystem.......................................................................................................3 9. Other filesystems.................................................................................................................................3
  • Booting and Installing the Operating System Grado En Inform´Atica2017/2018 Departamento De Computaci´On Facultad De Inform´Atica Universidad De Coru˜Na

    Booting and Installing the Operating System Grado En Inform´Atica2017/2018 Departamento De Computaci´On Facultad De Inform´Atica Universidad De Coru˜Na

    Booting and Installing the Operating System Grado en Inform´atica2017/2018 Departamento de Computaci´on Facultad de Inform´atica Universidad de Coru~na Antonio Y´a~nezIzquierdo Antonio Y´a~nezIzquierdo Booting and Installing the Operating System 1 / 85 ContentsI 1 Selecting and preparing installation media installing an O.S. installation media preparing the media 2 The boot process booting booting steps 3 Preparing the disks. Basic disk partitioning disks partitions 4 Sharing disks among O.S.s sharing disks among O.S.s 5 Boot loaders lilo grub Antonio Y´a~nezIzquierdo Booting and Installing the Operating System 2 / 85 ContentsII elilo syslinux using removable media Antonio Y´a~nezIzquierdo Booting and Installing the Operating System 3 / 85 Selecting and preparing installation media Selecting and preparing installation media Antonio Y´a~nezIzquierdo Booting and Installing the Operating System 4 / 85 Selecting and preparing installation media installing an O.S. Selecting and preparing installation media !installing an O.S. Antonio Y´a~nezIzquierdo Booting and Installing the Operating System 5 / 85 Selecting and preparing installation media installing an O.S. Installing an O.S. the most common use of O.S.s is having them \installed" onto computers, and being run from the computer's storage devices there are also some \live" O.S.s that don't require installation but usually have limitations concerning what users can do and what software can be added installing is the process by which we put the O.S. files in one (or more) of the storage units of the system, thus allowing the system to execute the OS directly Antonio Y´a~nezIzquierdo Booting and Installing the Operating System 6 / 85 Selecting and preparing installation media installing an O.S.
  • Partition-Rescue

    Partition-Rescue

    Partition-Rescue Revision History Revision 1 2008-11-24 09:27:50 Revised by: jdd mainly title change in the wiki Partition-Rescue Table of Contents 1. Revision History..............................................................................................................................................1 2. Beginning.........................................................................................................................................................2 2.1. What's in...........................................................................................................................................2 2.2. What to do right now?.......................................................................................................................2 2.3. Legal stuff.........................................................................................................................................2 2.4. What do I need to know right now?..................................................................................................3 3. Technical info..................................................................................................................................................4 3.1. Disks.................................................................................................................................................4 3.2. Partitions...........................................................................................................................................4 3.3. Why is
  • Partition.Pdf

    Partition.Pdf

    Linux Partition HOWTO Anthony Lissot Revision History Revision 3.5 26 Dec 2005 reorganized document page ordering. added page on setting up swap space. added page of partition labels. updated max swap size values in section 4. added instructions on making ext2/3 file systems. broken links identified by Richard Calmbach are fixed. created an XML version. Revision 3.4.4 08 March 2004 synchronized SGML version with HTML version. Updated lilo placement and swap size discussion. Revision 3.3 04 April 2003 synchronized SGML and HTML versions Revision 3.3 10 July 2001 Corrected Section 6, calculation of cylinder numbers Revision 3.2 1 September 2000 Dan Scott provides sgml conversion 2 Oct. 2000. Rewrote Introduction. Rewrote discussion on device names in Logical Devices. Reorganized Partition Types. Edited Partition Requirements. Added Recovering a deleted partition table. Revision 3.1 12 June 2000 Corrected swap size limitation in Partition Requirements, updated various links in Introduction, added submitted example in How to Partition with fdisk, added file system discussion in Partition Requirements. Revision 3.0 1 May 2000 First revision by Anthony Lissot based on Linux Partition HOWTO by Kristian Koehntopp. Revision 2.4 3 November 1997 Last revision by Kristian Koehntopp. This Linux Mini−HOWTO teaches you how to plan and create partitions on IDE and SCSI hard drives. It discusses partitioning terminology and considers size and location issues. Use of the fdisk partitioning utility for creating and recovering of partition tables is covered. The most recent version of this document is here. The Turkish translation is here. Linux Partition HOWTO Table of Contents 1.
  • Comparative Evaluation of Mobile Forensic Tools

    Comparative Evaluation of Mobile Forensic Tools

    See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/322250449 Comparative Evaluation of Mobile Forensic Tools Chapter in Advances in Intelligent Systems and Computing · January 2018 DOI: 10.1007/978-3-319-73450-7_11 CITATIONS READS 0 486 6 authors, including: John Alhassan Sanjay Misra Federal University of Technology Minna Covenant University Ota Ogun State, Nigeria 40 PUBLICATIONS 16 CITATIONS 302 PUBLICATIONS 1,059 CITATIONS SEE PROFILE SEE PROFILE Adewole Adewumi Rytis Maskeliunas Covenant University Ota Ogun State, Nigeria Kaunas University of Technology 51 PUBLICATIONS 46 CITATIONS 94 PUBLICATIONS 164 CITATIONS SEE PROFILE SEE PROFILE Some of the authors of this publication are also working on these related projects: Learning from Failure: Evaluation of Agent Dyads in the Context of Adversarial Classification Game View project Biohashing based on Boolean logic operations View project All content following this page was uploaded by Rytis Maskeliunas on 08 January 2018. Provided by Covenant University Repository The user has requested enhancement of the downloaded file. CORE Metadata, citation and similar papers at core.ac.uk Comparative Evaluation of Mobile Forensic Tools J. K. Alhassan1(&), R. T. Oguntoye1, Sanjay Misra2, Adewole Adewumi2, Rytis Maskeliūnas3, and Robertas Damaševičius3 1 Federal University of Technology, Minna, Nigeria [email protected] 2 Covenant University, Otta, Nigeria [email protected] 3 Kaunas University of Technology, Kaunas, Lithuania [email protected] Abstract. The rapid rise in the technology today has brought to limelight mobile devices which are now being used as a tool to commit crime. Therefore, proper steps need to be ensured for Confidentiality, Integrity, Authenticity and legal acquisition of any form of digital evidence from the mobile devices.
  • Freebsd Enterprise Storage Polish BSD User Group Welcome 2020/02/11 Freebsd Enterprise Storage

    Freebsd Enterprise Storage Polish BSD User Group Welcome 2020/02/11 Freebsd Enterprise Storage

    FreeBSD Enterprise Storage Polish BSD User Group Welcome 2020/02/11 FreeBSD Enterprise Storage Sławomir Wojciech Wojtczak [email protected] vermaden.wordpress.com twitter.com/vermaden bsd.network/@vermaden https://is.gd/bsdstg FreeBSD Enterprise Storage Polish BSD User Group What is !nterprise" 2020/02/11 What is Enterprise Storage? The wikipedia.org/wiki/enterprise_storage page tells nothing about enterprise. Actually just redirects to wikipedia.org/wiki/data_storage page. The other wikipedia.org/wiki/computer_data_storage page also does the same. The wikipedia.org/wiki/enterprise is just meta page with lin s. FreeBSD Enterprise Storage Polish BSD User Group What is !nterprise" 2020/02/11 Common Charasteristics o Enterprise Storage ● Category that includes ser$ices/products designed &or !arge organizations. ● Can handle !arge "o!umes o data and !arge num%ers o sim#!tano#s users. ● 'n$olves centra!ized storage repositories such as SA( or NAS de$ices. ● )equires more time and experience%expertise to set up and operate. ● Generally costs more than consumer or small business storage de$ices. ● Generally o&&ers higher re!ia%i!it'%a"aila%i!it'%sca!a%i!it'. FreeBSD Enterprise Storage Polish BSD User Group What is !nterprise" 2020/02/11 EnterpriCe or EnterpriSe? DuckDuckGo does not pro$ide search results count +, Goog!e search &or enterprice word gi$es ~ 1 )00 000 results. Goog!e search &or enterprise word gi$es ~ 1 000 000 000 results ,1000 times more). ● /ost dictionaries &or enterprice word sends you to enterprise term. ● Given the *+,CE o& many enterprise solutions it could be enterPRICE 0 ● 0 or enterpri$e as well +.
  • A User-Oriented Network Forensic Analyser

    A User-Oriented Network Forensic Analyser

    A USER-ORIENTED NETWORK FORENSIC ANALYSER 1 1 1,2 1,2 D. Joy , F. Li , N.L. Clarke and S.M. Furnell 1Centre for Security, Communications and Network Research (CSCAN) Plymouth University, Plymouth, United Kingdom 2Security Research Institute, Edith Cowan University, Western Australia [email protected] Abstract Network forensics is becoming an increasingly important tool in the investigation of cyber and computer- assisted crimes. Unfortunately, whilst much effort has been undertaken in developing computer forensic file system analysers (e.g. Encase and FTK), such focus has not been given to Network Forensic Analyser Tools (NFATs). The single biggest barrier to effective NFATs is the handling of large volumes of low-level traffic and being able to exact and interpret forensic artefacts and their context – for example, being able extract and render application-level objects (such as emails, web pages and documents) from the low-level TCP/IP traffic but also understand how these applications/artefacts are being used. Whilst some studies and tools are beginning to achieve object extraction, results to date are limited to basic objects. No research has focused upon analysing network traffic to understand the nature of its use – not simply looking at the fact a person requested a webpage, but how long they spend on the application and what interactions did they have with whilst using the service (e.g. posting an image, or engaging in an instant message chat). This additional layer of information can provide an investigator with a far more rich and complete understanding of a suspect’s activities. To this end, this paper presents an investigation into the ability to derive high-level application usage characteristics from low-level network traffic meta-data.
  • Practical Investigations of Digital Forensics Tools for Mobile Devices Maynard Yates II, M.S

    Practical Investigations of Digital Forensics Tools for Mobile Devices Maynard Yates II, M.S

    Practical Investigations of Digital Forensics Tools for Mobile Devices Maynard Yates II, M.S. Florida Agricultural and Mechanical University Department of Computer and Information Sciences Technical Building A, Room 211 Tallahassee, FL 32307-5100 [email protected] ABSTRACT A few examples of these changes are: With the continued growth of the mobile device market, the Correspondence: Postal mail → Electronic mail (E- possibility of their use in criminal activity will only continue to mail) → SMS messages (text messages) increase. While the mobile device market provides a great variety of manufactures and models causing a strong diversity. It Telecommunications: Telephones → car powered cell becomes difficult for a professional investigator to choose the phones→ battery powered cell phones proper forensics tools for seizing internal data from mobile Calendar: Secretary → Day Planner→ Personal Data devices. Through this paper, we will give a comprehensive Assistant (PDA)→ “Smartphone” perspective of each popular digital forensic tool and offer an inside view for investigators to choose their free sources or commercial tools. In addition, a summary for the future direction As technology continues to permeate society and mobile for forensics tools in mobile devices. computing becomes more prevalent, people will more heavily depend on applications such as e-mail, SMS (Short Message Service), MMS (Multimedia Messaging Service) and online Categories and Subject Descriptors transactions (i.e. bank, ins, etc); such devices provide a good K.4.1. [Computers and Society]: Public Policy Issues - abuse source of evidence for forensic investigators to prove or disprove and crime involving computers; D.4.6 [Operating Systems]: the commitment of crimes or location of suspects/victims [6].
  • Comprehensive Study of Digital Forensics

    Comprehensive Study of Digital Forensics

    ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 5, July 2012 COMPREHENSIVE STUDY OF DIGITAL FORENSICS Jatinder kaur, Gurpal Singh SMCA, Thapar University, Patiala-147004, India [email protected], [email protected] Abstract— This paper presenting the review about digital forensics, it consists of techniques as well as various tools used to accomplish the tasks in the digital forensic process. Network forensics is forensics and important technology for network security area. In this paper, we inspect digital evidence collection processes using these tools. From last few decades the Figure 1 : Shows processes to collect digital data digital forensic techniques have been improved appreciably but still we face a lack of effective forensics tools to deal with varied incidents caused by these rising technologies and the advances 2. Collect, observe & preserve. in cyber crime. This article discusses the tools used in network 3. Analyze , identify and forensics , various gaps founds in these tools, and the 4. Rebuild the evidence and verify the result every time [16]. advantages and disadvantages of these tools. In the document describe digital evidence collection process Index Terms— Forensics, Digital evidence, Network forensics, as follows: computer forensics, Cyber crime , Encase, Sleuth Kit. 1. Where is the evidence? List out the systems were involved in the incident and from which evidence will be collected. I. INTRODUCTION 2. Establish what is likely to be relevant and admissible. Forensics is use of science and technology to investigate and When in doubt err on the side of collecting too much rather establish facts in criminal and civil courts of law.
  • Trinityhome Trinity Rescue

    Trinityhome Trinity Rescue

    19/4/2017 Trinity Rescue Kit | CPR for your computer | Trinityhome | Trinityhome Trinity Rescue Kit | CPR for your computer Getting started with TRK 0. Quick and dirty guide to using TRK 0.1 The easiest way to get it onto a CD: a self burning TRK 0.2 Burning TRK with Magiciso 0.3 Booting from TRK 0.4 Resetting passwords 1. TRK for Linux newbies 1.1 What is TRK? What 's a live distribution? 1.2 What is different between accessing your PC from Windows and accessing from TRK? 1.3 Getting around with common linux commands (cd, cp, mv, rm, more, grep, mount) 1.4 Reading information about your PC (dmesg, /proc/partitions) 2. TRK own commands and utils 2.1 Virusscan 2.2 Winpass: reset your Windows XP ­ Vista ­ Seven password 2.3 Mass Clone: a multicast disk cloning tool 2.4 Winclean 2.5 Mountallfs 2.6 Updatetrk 2.7 Trk2usb 2.8 Trk2iso 2.9 Fileserver 2.10 Bridge 2.11 Setip 2.12 Setproxy 2.19 Ntfsundeleteall 2.13 Getswap 2.14 Trinisup 2.15 Pi ­ automated backup wrapper script originally for Partition Image 2.20 Clonexp (obsoleted by mclone) 3. Procedures 3.1 Rescueing files of dying harddiscs (mounting network => cp, ddrescue) 3.2 Recovering deleted files or files from formatted drives (ntfsundeleteall, photorec) 3.3 Recovering lost partitions (testdisk, gpart, fdisk) 3.4 Bootsector repair 3.5 Manually cloning a Windows installation 3.6 Hardware testing 3.7 Virus scanning 3.8 Manual PC cleaning 4. Boot time options and triggers 4.1 Boot menu options 4.2 Triggers http://trinityhome.org/Home/Print_Collate.php?collate_pages=37,182,183,184,185,186,38,54,55,56,57,39,40,42,128,178,45,46,50,47,49,51,52,48,53,179,180,189,4… 1/71 19/4/2017 Trinity Rescue Kit | CPR for your computer | Trinityhome | 4.2.1 The TRK options server: make your lan TRK aware 4.2.2 Scripts on the computer's local harddisks 4.2.3 Script on the TRK medium 5.
  • A Comparison of Computer Forensic Tools: an Open-Source Evaluation

    A Comparison of Computer Forensic Tools: an Open-Source Evaluation

    A Comparison of Computer Forensic Tools: An Open-Source Evaluation Adam Cervellone, B.S., Graduate Student, Marshall University Forensic Science Center, 1401 Forensic Science Drive, Huntington, WV 25701 901725850 Agency Supervisor-Robert Price Jr., M.S., Forensic Scientist I, North Carolina State Crime Laboratory, 121 E. Tryon Road, Raleigh NC 27601 Technical Assistant- Joshua Brunty, M.S., Marshall University Forensic Science Center, 1401 Forensic Science Drive, Huntington, WV, 25701 MU Topic Advisor-Terry Fenger, Ph.D., Marshall University Forensic Science Center, 1401 Forensic Science Drive, Huntington, WV, 25701 Cervellone 1 of 30 Abstract The world of digital forensics is an ever-evolving field with multiple tools for analysis from which to choose. Many of these tools have very focused functions such as Mac and iOS device analysis, registry examination, steganography analysis, mobile device examination, password recovery and countless others. Other tools are full featured suites capable of analyzing a large case containing multiple items. The major problem with many of these tools is cost. While they may be robust, they may not be affordable for a smaller lab that wants to do digital forensics. This research focuses on industry standard forensic software such as: Guidance Software® EnCase® Forensic 6, AccessData® FTK® (Forensic Toolkit) 5, as well as SANS SIFT Workstation 3.0. The SIFT Workstation is a freely available open-source processing environment that contains multiple tools with similar functionality to EnCase® and FTK®. This study evaluates the processing and analysis capabilities of each tool. In addition to processing functionality, a simple cost analysis study was done. The latter portion of the research displayed how much a lab may have to spend to get a single examiner fully on-line with each tool.