Dell™ Digital Forensics Solution Guide
Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

Information in this document is subject to change without notice. © 2011 Dell Inc. All rights reserved.
Contents

1 Introduction
  The Dell Digital Forensics Lifecycle
  Dell's Solution Eases Industry Pain Points
  Solution Components
    In the Field
    In the Datacenter
  About This Document
  Related Documentation and Resources
2 Triage
  Configure a Collector Profile
  Deploy Triage Tools
  Reviewing Collected Files After Triage
3 Ingest
  Single-server Solution
  Multi-server Solution (High Availability)
  Datacenter-enabled FTK 1.8
    Single FTK 1.8 Session Per Desktop
    Multiple FTK 1.8 Sessions Per Desktop
4 Store
  Scalability
  Security
    Administrative Control Layer and Active Directory
    Computer-Based Security Layer and Active Directory
    Physical Access Layer
  Tiered Storage
    Matching Evidence Archiving and Retrieval to the Life of the Case
5 Analyze
  Checking the Installation
  Finding Files on the Network
  Open an Existing Case
  Create an Analysis Job
  Analysis Using FTK
6 Present
7 Archive
  Archiving Using NTP Software ODDM
8 Troubleshooting
  General Troubleshooting Tips
  Forensics Software-Specific Issues
    EnCase: EnCase launches in Acquisition Mode
    FTK Lab: Browser launched by client cannot display User Interface
    FTK 1.8: 5000 object limit\trial version message
    FTK 1.
Introduction

In recent years there has been an exponential increase in the volume, velocity, variety, and sophistication of digital activity by criminals and terrorist groups around the world. Today, most crimes have a digital component. Some have called it a digital tsunami. This growth has been augmented by dramatic advances in electronic hardware.
Table 1-1.
investigative personnel can conduct digital forensics data triage and collection quickly and simply, ensuring chain of custody from the field to the datacenter, and into the courtroom.

The Dell Digital Forensics Lifecycle

The Dell Digital Forensics Solution assists the forensics investigator across the six stages of the forensics lifecycle: Triage, Ingest, Store, Analyze, Present, and Archive.

Figure 1-1.
Ingest

Ingest is the stage of the digital forensics process in which the target data is imaged (unless it was already imaged in the field as part of the Triage stage): an exact copy of the suspect storage device is created in such a way that the integrity of the duplicate can be assured by hashing both the original and the duplicate and confirming that the hashes match. In common with existing practice, suspect data is imaged in the Dell Digital Forensics Solution and all later work is done on the image rather than on the original device.
Chain of Custody may be defined as maintaining the integrity of digital data as evidence from the time it is collected, through the time findings are reported, and until the time it may be presented in a court of law.

Present

Using the Dell Digital Forensics Solution, viewing teams and investigators can access potential case evidence securely and in real time, which removes the need to release evidence on DVDs or to require experts to travel to the lab for file access.
• An end-to-end solution that significantly lowers the complexity of planning, implementing and managing an enterprise-level digital forensics process
• An affordable and flexible solution that is modular and scalable, expandable and pay-as-you-go

Solution Components

In the Field

The mobile portion of the solution fits into one hardshell case designed to fit into the overhead bin of an aircraft.
Figure 1-2.
• NTP Software On-Demand Data Management (ODDM)
• Symantec Enterprise Vault
• Symantec Backup Exec 2010
• Dell PowerConnect Switches
• Extreme Networks Switches

The Dell PowerEdge Rack and Blade Servers can fulfill a variety of roles: file server, evidence server, archive server, database server, EnCase and FTK license servers, backup server, or domain controller. They support Microsoft Active Directory and all the security and forensics software that make up the Dell Digital Forensics Solution.
Figure 1-3.
About This Document

This document covers each stage of the digital forensics process in its own chapter, with additional chapters on troubleshooting and on the hardware and software supported by the Solution. Each of the process chapters begins with a discussion of best practices and specific issues that you may encounter as you implement and manage the Solution, and then moves to a walk-through of the various tools and components relevant to that stage of the Solution.
Triage

What is Triage?

Triage allows the digital forensics investigator to browse the data contained on suspect devices and to decide which devices are actually evidentiary and worth seizing, either for immediate imaging on site (if the data volume is small) or for later imaging in the datacenter.
Easy to Use

The Triage components of the Solution are ready to use right out of the hardshell case. The pre-installed software offers an intuitive touch-screen interface. User-defined, reusable collection profiles for different scenarios can be created for standard deployment.

Forensically Acceptable

Triage software enforces an efficient and forensically acceptable process, ensuring that any potential evidence is captured, reviewed, and stored without compromise.
Collecting Digital Forensics Evidence

Figure 2-1. Collection Workflow (flowchart; the recoverable decision points are: secure the scene; Is the device on? Are trained personnel available? Is the device in a networked environment? Are destructive processes running? Is evidence visible on the screen? The two terminal instructions are "do not turn the device off" and "do not turn the device on".)
Standard vs. Live Acquisition

The Dell Digital Forensics Solution offers two types of acquisition: Standard and Live. In a standard acquisition, the Dell ruggedized laptop uses the SPEKTOR boot disk to capture triage data from a target storage device that is already powered down, so the target's own operating system never runs. In a live acquisition, triage data is captured from a target that is still powered up, which obtains evidence that would be lost once the device is powered off. Because a live acquisition runs software on the target, it necessarily changes the target's state; record what was run, and when, as part of the collection notes.
Figure 2-2. Home Screen

Burn a Boot CD for Standard Acquisition Procedures

1 At the Home screen, tap or click Admin. Then tap or click Burn Boot CD.

Figure 2-3. Burn Boot CD Button on the Home Screen

2 Follow the instructions on the screen, and then click Finish.

Register a Collector or Store Disk

NOTE: Collectors must be licensed and configured by SPEKTOR before they can be used with your Dell Digital Forensics Solution. Contact your systems administrator if you need additional Collectors or licenses.
Figure 2-4. Unknown Collector or Store Disk Status Indicator

2 Tap or click the Status Indicator icon that corresponds to the Collector or store disk you plugged into the Dell ruggedized laptop. Once the device has been registered, its icon turns green (for a Collector) or orange (for a store disk).
3 The Unknown Device Menu is displayed.

Figure 2-5. Unknown Device Menu

4 Tap or click Register this device as a Collector or Register this device as a Store Disk.
5 Tap or click Yes.
Figure 2-6. Dirty Collector and Store Disk Icons

NOTE: Collectors and store disks, whether newly registered or previously used on other data collections, must be cleaned before they can be deployed against a target.

6 For a store disk only, enter the serial number of the store disk.

Clean a Collector or Store Disk

NOTE: Allow approximately two hours per 100 GB of Collector volume.

1 Select the Status Indicator representing the Collector you want to clean.
Configuring a Collector lets the user specify the file types, or the files created between a given pair of dates, that the Collector will pull from the suspect storage device for triage. The more tightly you restrict the collection parameters, the more quickly the target data can be acquired for review. Dell recommends establishing a set of standard configuration profiles for the scenarios that you or your agency encounter repeatedly.
2 If you have previously created a configuration profile that you want to use, select the profile and tap or click Configure using selected profile to initiate configuration of the Collector; otherwise, tap or click New to create a new profile.

NOTE: Figure 2-9 shows the Selected Profile screen at first use of the software, before any profiles have been defined and saved. Once you have begun creating configuration profiles, they will appear on this screen for your use.
Figure 2-10. Profile Configuration Step 1: Acquisition Type

4 Determine the timestamp settings for your new profile. The more specific you can be, the less time it will take to process the captured files.

Figure 2-11.
5 Click the right arrow in the upper-right corner of the screen.
6 In the File Extension Filter screen, select the file types you want to collect. Use the right arrow to move the selected file types and their associated extensions from the Not Selected list box to the Currently Selected list box.

Figure 2-12. Profile Configuration Step 3: File Extension Filter

7 Click the right arrow in the upper-right corner of the screen when you have finished selecting file types and extensions.
NOTE: Unless specifically required, it is suggested that you leave Quick Mode off.

8 In the Quick Mode screen, select how much of the beginning of each file to capture (1 MB, 5 MB, 10 MB, or Entire File). By collecting only the first part of very large files (usually multimedia files), you can review enough of each file to determine its subject matter while minimizing processing time. Bear in mind that a partial capture is not a copy of the file: its hash will not match the original's, so anything that turns out to be evidentiary must still be acquired in full.
Figure 2-14. Profile Configuration Step 5: System Files

11 Click the right arrow in the upper-right corner of the screen.
12 At the Deleted File Filter screen, choose whether to include both live and deleted files, only live files, or only deleted files in your collection. If you select none of these options, no files will be collected.

Figure 2-15.
14 At the Profile Name screen, enter a name for your new profile, then tap or click Save Profile.

Figure 2-16. Profile Configuration Step 7: Profile Name

15 Click the right arrow in the upper-right corner of the screen. Your new profile appears in the Selected Profile screen. The Collector Configuration screen will display the title of the profile (in this case, 14 days all files) and list the profile's details in the main portion of the window.
Figure 2-17. Selected Profile After Profile Creation

16 Tap or click Configure using selected profile to initiate configuration of your Collector.
Figure 2-18. Selected Profile After Profile Creation

17 Tap or click OK to begin Collector configuration. This process takes only a minute or two. When configuration of your Collector is complete, the Collector is ready to be deployed against a target computer or target storage device. See "Deploy Triage Tools" on page 33.
18 Click the right arrow in the upper-right corner of the screen.

Deploy Triage Tools

NOTE: For the differences between live and standard acquisition, see "Standard vs.
Deploy a Collector for Standard Acquisition Against a Target Computer

WARNING: You must change the boot order in the target computer's system BIOS before attempting a standard acquisition. If the target computer boots from its hard drive instead of from the optical drive holding the SPEKTOR boot disk, the target operating system will start and the contents of the target drive will be altered, compromising the evidence. Ensure that you know how to enter the target computer's system BIOS before powering it up.
9 Remove the SPEKTOR boot disk from the optical drive, unplug the Collector from the target computer's USB port, and plug it into an available USB port on the Dell ruggedized laptop.

Deploy a Collector for Standard Acquisition Against a Target Storage Device

1 Plug the target storage device into either the read-only USB port or the FireWire port of the Dell ruggedized laptop.
2 Tap or click Deploy Collector.
Figure 2-20. Run as Administrator

6 Enter the information requested in the SPEKTOR Live Collection screen, then click Run.
7 When prompted, click Close.
8 Disconnect the Collector from the target device and store it safely for later ingestion into the datacenter.

Reviewing Collected Files After Triage

1 From the Collector Menu, click Reporting. This option indexes the collected data and creates a set of reports automatically.
Figure 2-21. Generate Reports

3 Click OK when the report generation process is complete to return to the Reporting menu.

NOTE: Refer to the SPEKTOR User Manual for more information on creating and exporting reports using specific criteria. See "Related Documentation and Resources" on page 16.

4 Click View Collection Report to review your reports, then click one of the five report categories (Images, Documents, Multimedia, Other, or System) to view specific reports.
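The filtering that a collection profile performs, and the way the Collection Report groups what was collected, written out as an added example. This is illustrative PowerShell (3.0 or later), not SPEKTOR's own code: it applies the timestamp, file-extension, Quick Mode, system-file and live/deleted-file settings from the profile steps above to a constructed file listing, refuses to run a profile that selects neither live nor deleted files (the step 12 caveat), and groups the result into the five report categories named in step 4. The profile field names, the sample files and the extension-to-category mapping are assumptions.

```powershell
# Added example, not SPEKTOR code: the logic a collection profile applies.
# Requires PowerShell 3.0 or later (for [pscustomobject]). The profile field
# names, the sample file listing and the extension-to-category table are
# assumptions for illustration.

$CollectionProfile = @{
    Name           = '14 days all files'
    NewerThan      = (Get-Date).AddDays(-14)      # step 4: timestamp filter
    Extensions     = @('.jpg', '.png', '.doc', '.pdf', '.mp4', '.exe')   # step 6
    QuickModeBytes = 5MB                          # step 8: first 5 MB only; $null = entire file
    SystemFiles    = $false                       # step 10: exclude system files
    LiveFiles      = $true                        # step 12
    DeletedFiles   = $true                        # step 12
}

# Constructed listing standing in for the mounted suspect volume. IsDeleted and
# IsSystem are what a Collector would record for each entry it enumerates.
$Now = Get-Date
$Listing = @(
    [pscustomobject]@{ Path='C:\Users\bob\Pictures\IMG_0001.jpg'; Length=3MB;   LastWriteTime=$Now.AddDays(-2);  IsDeleted=$false; IsSystem=$false },
    [pscustomobject]@{ Path='C:\Users\bob\Videos\clip.mp4';        Length=900MB; LastWriteTime=$Now.AddDays(-5);  IsDeleted=$false; IsSystem=$false },
    [pscustomobject]@{ Path='C:\Users\bob\Documents\notes.doc';    Length=40KB;  LastWriteTime=$Now.AddDays(-40); IsDeleted=$false; IsSystem=$false },
    [pscustomobject]@{ Path='C:\Users\bob\Downloads\setup.exe';    Length=12MB;  LastWriteTime=$Now.AddDays(-1);  IsDeleted=$true;  IsSystem=$false },
    [pscustomobject]@{ Path='C:\Windows\System32\ntdll.dll';       Length=1MB;   LastWriteTime=$Now.AddDays(-3);  IsDeleted=$false; IsSystem=$true  }
)

function Get-ReportCategory {
    # Maps a collected file to one of the five SPEKTOR report categories.
    param([string]$Extension, [bool]$IsSystem)
    if ($IsSystem) { return 'System' }
    switch -Regex ($Extension.ToLower()) {
        '^\.(jpe?g|png|gif|bmp)$'         { return 'Images' }
        '^\.(docx?|xlsx?|pptx?|pdf|txt)$' { return 'Documents' }
        '^\.(mp4|avi|mov|mp3|wav)$'       { return 'Multimedia' }
        default                           { return 'Other' }
    }
}

function Invoke-CollectionProfile {
    param([hashtable]$Spec, [object[]]$Files)
    # The guide's step 12 caveat: selecting neither live nor deleted files
    # collects nothing. Fail loudly rather than return an empty but plausible set.
    if (-not ($Spec.LiveFiles -or $Spec.DeletedFiles)) {
        throw "Profile '$($Spec.Name)' selects neither live nor deleted files; nothing would be collected."
    }
    foreach ($f in $Files) {
        $ext = [System.IO.Path]::GetExtension($f.Path).ToLower()
        if ($f.LastWriteTime -lt $Spec.NewerThan)            { continue }
        if ($Spec.Extensions -notcontains $ext)              { continue }
        if ($f.IsSystem -and -not $Spec.SystemFiles)         { continue }
        if ($f.IsDeleted -and -not $Spec.DeletedFiles)       { continue }
        if (-not $f.IsDeleted -and -not $Spec.LiveFiles)     { continue }
        # Quick Mode truncates large files. A truncated copy can never be
        # hash-verified against the original, so the record says so explicitly.
        $capture = $f.Length
        if ($Spec.QuickModeBytes -and $f.Length -gt $Spec.QuickModeBytes) { $capture = $Spec.QuickModeBytes }
        [pscustomobject]@{
            Path          = $f.Path
            Category      = Get-ReportCategory -Extension $ext -IsSystem $f.IsSystem
            CapturedBytes = $capture
            Partial       = ($capture -lt $f.Length)
            Deleted       = $f.IsDeleted
        }
    }
}

$Collected = Invoke-CollectionProfile -Spec $CollectionProfile -Files $Listing
$Collected | Format-Table -AutoSize
# The Collection Report view: how many items fell into each category.
$Collected | Group-Object -Property Category | Select-Object Name, Count
```

With the sample listing, notes.doc is dropped by the 14-day window, ntdll.dll by the system-file setting, the deleted setup.exe is kept (and lands in Other), and clip.mp4 is kept but flagged Partial because Quick Mode captured only its first 5 MB.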
Ingest

The Ingest stage of the Dell Digital Forensics Solution consists of creating an image of the target storage device (if that was not already done during the Triage stage) and then transferring that image to a centralized location from which it can be accessed for analysis.
Single-server Solution

In the single EnCase 6 server solution, multiple clients connect to one server. All clients are pointed to this server and cannot connect to any other EnCase 6 server. In the event of a server failure, all client connections will be lost.

Multi-server Solution (High Availability)

In the multi-server solution, a user connects to the EnCase 6 application on the Citrix farm and is directed seamlessly to the EnCase 6 server currently carrying the lightest load.
Figure 3-1. Datacenter-enabled EnCase 6 Client/Server Schematic

In the event of a server failure, the user would need to click the desktop EnCase application icon again, and the system will redirect the user connection to the next available server hosting EnCase 6. Each EnCase server can support x user sessions, where x = (number of cores × 2). Each user session requires 3 GB of server RAM.
Datacenter-enabled FTK 1.8

In the Datacenter-enabled FTK 1.8 solution, the FTK 1.8 application is hosted on one or more Dell servers in the datacenter, providing multiuser FTK 1.8 sessions (one unique user session per server).

Single FTK 1.8 Session Per Desktop

In the single-server FTK 1.8 solution, multiple clients can connect to a single server. All clients are pointed to this server and cannot connect to any other FTK 1.8 server. In the event of a server failure, all client connections will be lost.
Figure 3-2. Multiple FTK 1.8 Client and Server Schematic

In the event of a server failure, the user would lose access to the corresponding server session of FTK 1.8 and would need to continue working on the other FTK servers. All case and evidence information (assuming the user has NAS access privileges) is available from every server session of FTK 1.8 through the shared NAS/SAN. Each FTK 1.
Single FTK 3 Server Solution

In the single FTK 3 server solution, a single FTK 3 client connects to a single server. The client is pointed to this server and cannot connect to any other FTK 3 server. In the event of a server failure, the client connection will be lost. The FTK 3 server also runs the local FTK-embedded Oracle database, because this version of the database does not support collaboration with other FTK Oracle databases or other FTK users.
Figure 3-3. Datacenter-enabled FTK 3 Client and Server Schematic

Using FTK Standard edition, each server must run a local copy of the FTK-embedded Oracle database (one Oracle database instance per concurrent user). This version of the FTK application and Oracle database does not support collaboration with other FTK users or other FTK Oracle databases.
Each FTK 3 server can support one concurrent user session. Each user session requires 64 GB of server RAM (48 GB for Oracle and 16 GB for FTK), and 1000+ I/O operations per second for the file store plus 600+ I/O operations per second for the database (minimum configuration).

FTK 3 Lab Edition

In the FTK 3 Lab Edition configuration, the user connects to a server hosting AccessData Lab and the centralized case database. Multiple users can access the same case concurrently and run different analyses at the same time.
Multiple Forensics Applications Delivered to One Desktop

In the multivendor, multiapplication solution, all of the individual application solutions described previously are combined to give the forensics analyst access to all forensics applications (EnCase 6, FTK 1.8 and FTK 3, or FTK 3 Lab edition) from a single desktop, a single pane of glass.
Network Configuration Recommendations

Table 3-1. Recommended IP Address Structure

IP Address        Server Function                    Host Name
192.168.1.1       Domain Controller 1                DF-DC1
192.168.1.2       Domain Controller 2                DF-DC2
192.168.1.3       Evidence Server                    DF-Evidence
192.168.1.4       Workspace Server                   DF-Workspace
192.168.1.5       FTK Oracle Server                  DF-FTK
10.1.0.0/24       1 GbE static IP address range
10.1.1.0/24       10 GbE static IP address range
10.1.2.0/24       1 GbE DHCP range, clients
10.1.0.250-254    1 GbE switch(es)
10.1.1.
Table 3-3. Recommended Naming Conventions for NIC Teaming

NIC Team 1    Public Network    For servers connected to one another
NIC Team 2    iSCSI             For servers connected to EqualLogic storage devices

Table 3-4.
Call Name     Drive    Local or SAN    RAID      Notes
Evidence 8    T:       SAN             RAID50
Evidence 9    U:       SAN             RAID50
Workspace 1   V:       SAN             RAID50
Workspace 2   W:       SAN             RAID50
Workspace 3   X:       SAN             RAID50
Workspace 4   Y:       SAN             RAID50
Workspace 5   Z:       SAN             RAID50

Figure 3-5. Recommended File Structure (tree diagram; recoverable labels: Dell Forensics Domain; V:\ with case folders such as CASE0001; Export; Encase6; Temp; Index; Workspace Share (\\Workspace\Share); FTK3; FTK1.8; individual files shown as XXXXX.&&& placeholders)
How to Perform Ingest Using the Dell Digital Forensics Solution

Ingest Using SPEKTOR

Register and Clean an External USB Device as a Store Disk

1 Plug the unregistered external USB device into a Collector port on the ruggedized laptop.
2 Click or tap the device icon when it appears; then click or tap Register the Device as a Store Disk→ Yes. Then enter the requested information.
3 From the right-hand menu, select the registered device; then tap or click Clean/Reformat→ Clean.
b Plug the target storage device into either the Read Only USB port or the FireWire port on the right-hand side of the ruggedized laptop.
c Select the drive or partitions you want to image, and then click the right arrow in the upper-right corner of the screen.
d Enter the case information requested, and then tap or click Image Now.
e If necessary, tap or click Configure Imaging Options to change the Image Format or Compression Type, to Wipe Sectors on Read Errors, or to Perform Additional SHA1 Hash. Wiping sectors on read errors writes zeros into the image in place of sectors the drive cannot return; record which sectors were affected, since they are the reason the image hash may not match a hash later computed from the source device.
h Unplug the target storage device and the store disk from the ruggedized laptop; then return the store disk to the datacenter for storage and analysis.

NOTE: Transferring an image may take a long time; six hours for a typical 60 GB hard drive transfer is not unusual.

Ingest Using EnCase

In the Dell Digital Forensics Solution, licensing for EnCase is accomplished using a network licensing system.
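What the imaging options above amount to, and the hash-based integrity check that the Ingest description in the Introduction relies on, shown as an added example. This is illustrative PowerShell (3.0 or later, for ConvertTo-Json), not SPEKTOR, EnCase or FTK Imager code: a sector-by-sector raw copy that computes MD5 and an additional SHA1 hash while it writes, zero-fills any sector the source refuses to return and records the sector number, writes the hash record beside the image, and then performs the verification pass by re-reading the image and comparing hashes. The paths are assumptions; the usage at the end runs it against a constructed source file rather than a device.

```powershell
# Added example, not the guide's or any vendor's code. Requires PowerShell 3.0+.
# Paths are assumptions; a real acquisition would point Source at a device such
# as \\.\PhysicalDrive1 behind a hardware write blocker.

function New-RawImage {
    param(
        [Parameter(Mandatory=$true)][string]$Source,        # device or file to acquire
        [Parameter(Mandatory=$true)][string]$Destination,   # raw image to create
        [int]$SectorSize = 512
    )
    $md5  = [System.Security.Cryptography.MD5]::Create()
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $bad  = New-Object 'System.Collections.Generic.List[long]'
    $buf  = New-Object byte[] $SectorSize
    $sector = 0L

    # Source is opened read-only; CreateNew refuses to overwrite an existing image.
    $in  = [System.IO.File]::Open($Source, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    $out = [System.IO.File]::Open($Destination, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None)
    try {
        while ($true) {
            try {
                $n = $in.Read($buf, 0, $SectorSize)
                if ($n -eq 0) { break }
            } catch [System.IO.IOException] {
                # "Wipe Sectors on Read Errors": zeros stand in for the unreadable
                # sector, its number is recorded, and reading resumes at the next one.
                $bad.Add($sector)
                [Array]::Clear($buf, 0, $SectorSize)
                $n = $SectorSize
                [void]$in.Seek(($sector + 1) * $SectorSize, [System.IO.SeekOrigin]::Begin)
            }
            $out.Write($buf, 0, $n)
            [void]$md5.TransformBlock($buf, 0, $n, $null, 0)
            [void]$sha1.TransformBlock($buf, 0, $n, $null, 0)
            $sector++
        }
        [void]$md5.TransformFinalBlock($buf, 0, 0)
        [void]$sha1.TransformFinalBlock($buf, 0, 0)
    } finally {
        $in.Dispose(); $out.Dispose()
    }

    $record = [pscustomobject]@{
        Source      = $Source
        Image       = $Destination
        Sectors     = $sector
        BadSectors  = $bad.ToArray()
        MD5         = ([BitConverter]::ToString($md5.Hash)  -replace '-', '').ToLower()
        SHA1        = ([BitConverter]::ToString($sha1.Hash) -replace '-', '').ToLower()
        AcquiredUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
    # The hash record travels with the image, like the .txt log the imaging tools write.
    $record | ConvertTo-Json | Set-Content -Path "$Destination.txt"
    return $record
}

function Test-RawImage {
    # Verification pass: re-read the image and compare with the recorded hashes.
    param([Parameter(Mandatory=$true)][string]$Image)
    $record = Get-Content -Raw -Path "$Image.txt" | ConvertFrom-Json
    $md5  = [System.Security.Cryptography.MD5]::Create()
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $fs = [System.IO.File]::OpenRead($Image)
    try {
        $md5hex  = ([BitConverter]::ToString($md5.ComputeHash($fs))  -replace '-', '').ToLower()
        $fs.Position = 0
        $sha1hex = ([BitConverter]::ToString($sha1.ComputeHash($fs)) -replace '-', '').ToLower()
    } finally { $fs.Dispose() }
    [pscustomobject]@{
        Image     = $Image
        MD5Match  = ($md5hex  -eq $record.MD5)
        SHA1Match = ($sha1hex -eq $record.SHA1)
        Verified  = (($md5hex -eq $record.MD5) -and ($sha1hex -eq $record.SHA1))
    }
}

# Usage against a constructed 8192-byte source file (16 sectors of 512 bytes).
$src = Join-Path $env:TEMP 'suspect.bin'
$img = Join-Path $env:TEMP 'suspect.dd'
Remove-Item -Path $img, "$img.txt" -ErrorAction SilentlyContinue
[System.IO.File]::WriteAllBytes($src, [byte[]](1..8192 | ForEach-Object { $_ % 256 }))
New-RawImage -Source $src -Destination $img | Format-List
Test-RawImage -Image $img
```

Opening the source read-only in software is not a substitute for the hardware write blocker described in the Tableau steps below: the host can mount and touch the volume before this code ever runs. Two hashes are kept because a verification that compares only one algorithm is only as strong as that algorithm, and the bad-sector list is part of the record because it explains any later discrepancy between the image hash and a hash of the source.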
e In the EnCase Acquisition screen, click the Add Device menu option.
f Ensure that the Sessions checkbox is checked.
g In the right-hand pane, select your case.
h Click Add Evidence Files; then navigate to the E01 repository (using the best-practice configuration outlined in Figure 3-5, this repository should be stored on drive X:\).
i Click Next→ Next→ Finish. A stopwatch icon appears in the lower-right portion of the EnCase Acquisition screen while EnCase verifies the E01 file by rehashing its contents and comparing the result with the hash recorded in the file at acquisition.
Connecting the Tableau Write-Blocker to a SATA Hard Drive

1 Ensure that the DC IN B switch on the T35es Forensic SATA/IDE bridge is in the B On position.
2 Connect the TP2 or TP3 power source to the left side of the T35es SATA bridge using the 5-pin Mini-DIN connector.
3 Connect the power cable to the TP2 power source and also into an electrical socket.
4 Turn the power on to verify that the write-block LED is on; then turn off the power to the bridge before connecting it to the target storage device.
NOTE: The 7-pin DIN plug on the TP3 power supply will not work with the Tableau bridges. You must use the included 7-pin DIN to 5-pin DIN TCA-P7-P5 adapter cable to connect the TP3 power supply to the Tableau bridges.

3 Connect the power cable to the TP2 power source and also into an electrical socket.
4 Turn the power on to verify that the write-block LED is ON; then turn the power to the bridge OFF before connecting it to the target hard drive.
Create an Image of the Target Storage Device

1 Within the AccessData FTK Imager application, click File→ Create Disk Image . . .
2 In the Select Source pop-up, select the type of evidence you want to image (Physical Drive, Logical Drive, Image File, Contents of a Folder, or Fernico Device) and click Next.

NOTE: The following uses the Physical Drive option to demonstrate the image creation process. The other source options are covered in the FTK User's Guide.
3 In the Case Log Options window, select the set of options you want to change:
• Case and evidence events
• Error messages
• Bookmarking events
• Searching events
• Data carving/Internet searches
• Other events
4 In the Processes to Perform window, select the processes you want to conduct.
8 In the Refine Index window, include or exclude different types of data from the indexing process.
9 Click Next.

Add Evidence

1 Click Add Evidence. The Add Evidence to Case pop-up appears.
2 Select the type of evidence to add to your case (Acquired Image of Drive, Local Drive, Contents of a Folder, or Individual File) by selecting its radio button. Then click Continue.
3 Navigate to the image, drive, folder, or file; select the file and click Open.
3 Browse to your Case Folder Directory, and select your Processing Manager from the drop-down box.

NOTE: If you do not know where your Case Folder Directory and Processing Manager are, see your systems administrator.

4 Click Detailed Options to refine the data you want to include in your case. See the AccessData FTK 3 User's Guide for further information on restricting case data. See "Related Documentation and Resources" on page 16.
5 Click OK. The Manage Evidence window opens.
Store

The traditional approach to digital evidence storage starts with investigators working independently on individual workstations in a multiple-silo configuration. The evidence file is stored, more or less insecurely, on the workstation or transferred from a storage server to the workstation on a daily basis, burdening the network with the continual transfer of very large files.
can be completed even more quickly because several analysts and consulting specialists, such as foreign-language experts, can work on the same *.E01 file simultaneously from different workstations. Work can be triaged according to difficulty and assigned to analysts with differing levels of experience; a junior analyst can take charge of the more time-consuming task of pulling graphic files from an *.
Consider the following suggestions:
• Place the examination servers and data storage inside a dedicated examination laboratory space. In this way, all servers, data warehouses, physical cabling, switches, and routers are physically protected by the same security measures that restrict laboratory access.
• Use entry control protocols, such as fingerprint or retinal scans, or smart card access.
Accounts" on page 71 for information on working with user accounts, and see also "Active Directory Support for Secure Password Policies" on page 70 for information on password creation.

Additional Information on Security and Digital Forensics

SP 800-41 Rev. 1, Sept. 2009: Guidelines on Firewalls and Firewall Policy
SP 800-46 Rev. 1, Jun. 2009: Guide to Enterprise Telework and Remote Access Security
SP 800-55 Rev.
Figure 4-1. Tiered Storage Usage for Archiving and Retrieval Figure 4-1 shows the suggested path for storage of digital evidence from the time that evidence is collected to its eventual long-term storage on tape or final deletion.
case data. This approach reduces the cost of storage in the forensics lab because not all data needs to be kept in the lab; whatever its current relevance, data can be moved seamlessly to slower storage.

Trial (Present) – If the case goes to trial, the forensics lab will want quick access to the evidence and case data in order to respond to any questions raised during the court case.
4 Select the appropriate option in Group Scope.
5 Select the Group Type.
6 Select Protect from accidental deletion.
7 Modify the Managed By, Member Of, and Members sections, and then click OK.

Adding Members to a Group (Windows Server 2008)

1 Click Start→ Administrative Tools→ Active Directory Administrative Center.
2 In the navigation pane, click the folder in which the group resides.
3 Right-click the group, and then click Properties.
4 Select Add on the Members tab.
Editing a New GPO (Windows Server 2008)

In Windows Server 2008, GPOs are managed using the Group Policy Management Console (GPMC).
1 To open the GPMC, click Start→ Administrative Tools→ Group Policy Management.
2 Navigate to the forest and domain in which the GPO resides, and then click Group Policy Objects.
3 Right-click the GPO.
4 Make the necessary changes to the settings and save them.
• Symbols
Passwords must not contain three or more consecutive characters from the account's name or the user's full name.

Fine-Grained Password Policies

In Windows Server 2008, Active Directory Domain Services supports Password Settings Objects (PSOs) that apply to particular global security groups or users within a domain, overriding the domain-wide password policy for those users and groups. A PSO can specify password length in characters, password complexity, minimum and maximum password age, and other attributes.
If the user will use a different name to log on to computers running Windows 95, Windows 98, or Windows NT, then you can change the user logon name as it appears in User logon name (pre-Windows 2000) to the different name. 9 In Password and Confirm password, type the user's password, and then select the appropriate password options.
6 In User logon name, type FTKServMgr. The service account will log on with the name you entered. From the drop-down list, click the UPN suffix to be appended to the service account logon name (following the @ symbol). Click Next.
7 In Password and Confirm password, type a password for the service account.
8 Select the appropriate password options, and then click Next.
9 Click Finish to complete creating the service account.
Setting Up Security for Individual Case and Evidence Files

1 In Windows Explorer, navigate to the file for which you will establish file permissions. Right-click the file, and then select Properties.
2 Click the Security tab.
3 Uncheck the check box beside Everyone, if necessary.
4 Add only the users who will require access to the file, as determined by the policy of your workplace.
  a Click Add.
  b In the Enter the object names to select field, enter the names of the appropriate users.
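The group, fine-grained password policy, service account and file-permission steps in this chapter, carried out as a script rather than through the consoles. This is an added example, not Dell's or Microsoft's code: it uses the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and later (it is not present on the RTM release of Server 2008). The domain, OU, group, user and path names are assumptions chosen to match the DF-* naming in the tables of the Ingest chapter; the PSO values are illustrative, not Dell's recommendation.

```powershell
# Added example, not from the Dell guide. Requires the ActiveDirectory module
# (Windows Server 2008 R2+) and PowerShell 3.0 or later. All names are assumptions.
Import-Module ActiveDirectory

$Domain    = 'DC=forensics,DC=example'          # assumed domain
$LabOU     = "OU=DigitalForensics,$Domain"      # assumed OU holding lab objects
$GroupName = 'DF-Examiners'                     # assumed examiner group

# 1. Global security group for examiners, protected from accidental deletion
#    (the same choices made in the Active Directory Administrative Center steps).
$group = New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Global `
    -GroupCategory Security -Path $LabOU -Description 'Forensic examiners with evidence read access' -PassThru
Set-ADObject -Identity $group -ProtectedFromAccidentalDeletion $true
Add-ADGroupMember -Identity $GroupName -Members 'jdoe', 'asmith'     # assumed analysts

# 2. Fine-grained password policy (PSO) applied to the examiner group only.
#    Stricter than the domain default; the values below are illustrative.
New-ADFineGrainedPasswordPolicy -Name 'DF-Examiners-PSO' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'DF-Examiners-PSO' -Subjects $GroupName

# 3. The FTKServMgr service account named in the guide, with a UPN suffix.
#    The password is entered interactively so it is never stored in the script.
$svcPassword = Read-Host -AsSecureString 'Password for FTKServMgr'
New-ADUser -Name 'FTKServMgr' -SamAccountName 'FTKServMgr' `
    -UserPrincipalName 'FTKServMgr@forensics.example' -Path $LabOU `
    -AccountPassword $svcPassword -Enabled $true -PasswordNeverExpires $false `
    -Description 'FTK processing service account'

# 4. NTFS permissions on a case folder: stop inheriting, drop every existing
#    entry (including Everyone), and grant only the examiner group (read-only),
#    Administrators and SYSTEM, as the "add only the users who require access" step says.
function Set-CaseAcl {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$ReaderGroup
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)       # protect DACL; do not copy inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $rules = @(
        (New-Object System.Security.AccessControl.FileSystemAccessRule($ReaderGroup, 'ReadAndExecute', $inherit, 'None', 'Allow')),
        (New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')),
        (New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow'))
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
    # Check the result: no Everyone entry may remain and examiners must not hold write rights.
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}
Set-CaseAcl -Path 'V:\CASE0001' -ReaderGroup "FORENSICS\$GroupName"    # assumed case folder and NetBIOS domain
```

Examiners get read and execute only: analysis runs against the image and writes its own output to the workspace shares, so nothing in the case folder should need to be modified after ingest. Set-Acl must be run by an account that owns the folder or holds Full Control on it, and the final Get-Acl listing is the evidence that the Everyone entry is gone.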
Analyze

There are several different types of analyses the investigator needs to be able to conduct on evidence data, including file signature and hash analysis, and extensive indexing and keyword searches.
File Signature Analysis

Every file has a file type, usually indicated by the three- or four-letter extension of its file name. For example, a text file might have a *.txt extension and an image file a *.jpg extension. Not uncommonly, these extensions have been changed to something seemingly innocuous; an image file, for example, might be renamed with a text-file extension in an attempt to mask its pornographic contents. Signature analysis therefore reads the bytes at the start of each file (its signature), identifies the true type from them, and flags files whose extension does not agree with the signature so that the examiner can review them.
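A minimal signature check and known-file hash lookup of the kind just described, as an added example. This is illustrative PowerShell (3.0 or later), not EnCase or FTK code: the signature table is deliberately short, the sample files are constructed (a JPEG header saved under a .txt name, the same bytes under a .jpg name, and a genuine text file), and the "known" hash set is built from one of them. Real examinations use the tool's full signature table and a maintained hash set.

```powershell
# Added example, not EnCase or FTK code. Requires PowerShell 3.0 or later.
# Signature table, sample files and the known-hash set are constructed here.

$Signatures = @(
    @{ Type='JPEG image';         Magic=@(0xFF,0xD8,0xFF);                          Extensions=@('.jpg','.jpeg') },
    @{ Type='PNG image';          Magic=@(0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A); Extensions=@('.png') },
    @{ Type='GIF image';          Magic=@(0x47,0x49,0x46,0x38);                     Extensions=@('.gif') },
    @{ Type='PDF document';       Magic=@(0x25,0x50,0x44,0x46);                     Extensions=@('.pdf') },
    @{ Type='ZIP / Office OOXML'; Magic=@(0x50,0x4B,0x03,0x04);                     Extensions=@('.zip','.docx','.xlsx','.pptx') },
    @{ Type='Windows PE';         Magic=@(0x4D,0x5A);                               Extensions=@('.exe','.dll','.sys') }
)

function Get-FileSignatureMatch {
    # Reads the first 8 bytes, identifies the type from the signature table and
    # compares that with what the extension claims.
    param([Parameter(Mandatory=$true)][string]$Path)
    $head = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($head, 0, $head.Length) } finally { $fs.Dispose() }
    $ext = [System.IO.Path]::GetExtension($Path).ToLower()
    $hit = $null
    foreach ($s in $Signatures) {
        if ($n -lt $s.Magic.Count) { continue }
        $ok = $true
        for ($i = 0; $i -lt $s.Magic.Count; $i++) {
            if ($head[$i] -ne $s.Magic[$i]) { $ok = $false; break }
        }
        if ($ok) { $hit = $s; break }
    }
    if (-not $hit)                          { $status = 'Unknown signature' }
    elseif ($hit.Extensions -contains $ext) { $status = 'Match' }
    else                                    { $status = 'MISMATCH' }   # renamed file: review it
    [pscustomobject]@{
        Path       = $Path
        Extension  = $ext
        HeaderType = $(if ($hit) { $hit.Type } else { '?' })
        Status     = $status
    }
}

function Get-Sha1Hex {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha1.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Dispose() }
}

# Constructed samples: a JPEG header saved as .txt, the same bytes as .jpg,
# and a genuine text file.
$dir = Join-Path $env:TEMP 'sigdemo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$jpegBytes = [byte[]]((0xFF,0xD8,0xFF,0xE0) + (1..64))
[System.IO.File]::WriteAllBytes((Join-Path $dir 'readme.txt'), $jpegBytes)
[System.IO.File]::WriteAllBytes((Join-Path $dir 'photo.jpg'),  $jpegBytes)
Set-Content -Path (Join-Path $dir 'notes.txt') -Value 'plain text'

# Hash analysis: a known-file set lets the examiner set aside files already
# cleared, or alert on files being sought. Constructed here from photo.jpg.
$KnownHashes = @{}
$KnownHashes[(Get-Sha1Hex -Path (Join-Path $dir 'photo.jpg'))] = 'known sample'

Get-ChildItem -Path $dir -File | ForEach-Object {
    $r = Get-FileSignatureMatch -Path $_.FullName
    $h = Get-Sha1Hex -Path $_.FullName
    $r | Add-Member -NotePropertyName SHA1    -NotePropertyValue $h -PassThru |
         Add-Member -NotePropertyName KnownAs -NotePropertyValue $KnownHashes[$h] -PassThru
} | Format-Table -AutoSize
```

readme.txt is reported as MISMATCH (JPEG signature under a .txt name), photo.jpg as Match, and notes.txt as Unknown signature because plain text has no fixed header. Because readme.txt and photo.jpg hold identical bytes, both carry the same SHA1 and both are tagged with the known-sample label, which is the point of hash analysis: a rename changes nothing that the hash sees.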
with one another within the group. Distributed processing is not the same as parallel processing, which refers to the use of multiple processors that share a single memory asset. Consider the following, which gives a rough idea of the advantage of the Dell Solution with a distributed processing installation: using distributed processing, completing an analysis of five 200 GB files may take only 3.
2 Enter the path to the case folder in the Create New Case dialog box in UNC format: \\[computername_or_IP_address]\[pathname]\[filename]
3 Click Detailed Options, and select options as you normally would.
4 Click OK to return to the New Case Options dialog box, and check the Open the case option. Click OK to create the new case and open it.
5 Click Add after the new case is opened and the Manage Evidence dialog box is automatically opened.
Checking the Installation When you have completed the installation, open the Task Manager on the remote computer, and keep it open while you add the evidence and begin processing. These steps will allow you to watch the activity of the ProcessingEngine.exe in the Processes tab. The Distributed Processing Engine does not activate until a case exceeds approximately 30,000 items. When it does activate, you will see the CPU percentage and Memory usage increase for the ProcessingEngine.exe in the Task Manager.
Analysis Using FTK

Open an Existing Case

Using the File Menu
1 From within FTK, select File, and then select Open Case.
2 Highlight the case you want to open and click it to launch the case.

NOTE: All case files are named case.ftk. The case.ftk file for each case is stored in the applicable case folder.

From the Command Line
At the command line, type: path_to_ftk_program_file\ftk.
Create an Analysis Job

1 Click the Analysis Jobs tab in the main Source Processor dialog.
2 Click New. The Create Analysis Job/Job Name dialog displays. The default job name is Job__[yyyy_mm_dd__hh_mm_ss], for example: Job___2009_06_24__03_42_42_PM. A job name cannot begin or end with a space, nor contain any of the following characters: \ / : * ? " < > |
3 Enter a job name and click Next. The Create Analysis Job/Module Selection dialog displays.
3 Select the analysis job, and then click Run. Source Processor runs the analysis on the selected evidence. When the analysis is complete, the data browser displays.

Performing a Signature Analysis

1 Click Search.
2 Check the Verify file signatures box in the Additional Options area in the lower right, and then click Start. The signature analysis routine runs in the background. On completion, a search complete dialog displays. The dialog presents search status, times, and file data.
Present Triage Ingest Store Analyze Archive
Reporting the results of your analysis is an integral part of the Dell Digital Forensics Solution, and is handled primarily through the forensics software you are using as part of the Solution.
How to Create Reports Using the Dell Digital Forensics Solution
Create and Export Reports Using EnCase 6
1 Select the items to report on, whether they are files, bookmarks, search hits, or other data.
d If desired, select Burn to Disc to enable the Destination Folder box, then right-click Archive Files to create a new folder and save an .iso file to disc.
e Click OK.
Reports Using FTK
1 Click File→Report to launch the Report Wizard.
2 Enter the basic case information requested by the wizard.
3 Select the properties for bookmarks.
4 Determine whether and how you want to display case graphics in your report.
Archive
No digital forensics solution is complete without a scalable, secure, and comprehensive archive and retrieval component. Your Dell Digital Forensics Solution offers that and more. In the Dell Solution framework, we have tried to create a simple interface that works with all forensics applications to control the life cycle of the evidence and case files.
Figure 7-1. Cross-media, Cross-case Search Capabilities of the Dell Solution
A very powerful optional search component allows information correlation between ingested data sets. This component provides the ability to conduct internet-like searches on the entire case data store, covering both active online content and archived material from previous cases.
merely needs to navigate through the original folder structure, locate the folder or file she wants to restore, right-click the file or folder, and then select the restore option. Dell recommends that all evidence and case files be located on a central scalable NAS device that allows for a central expandable point of storage, allowing for easy collaboration between analysts. This recommendation also allows a single point of audit for chain-of-custody purposes.
To ensure that, in the event of a disaster, data can be restored with the smallest possible recovery point, the backup is split into equal sections that are run over the course of a month. This process requires that the size of any full backup be restricted to a maximum of 15 TB. Each LUN then takes incremental updates for the rest of the backup cycle until a full backup is due again.
Figure 7-2. Best Practice Backup Plan
Off-host vs.
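One way to lay out the split backup plan described above, as an added example rather than Dell's own tooling: each LUN is assigned a single full-backup day so that no day exceeds the 15 TB cap, and every other day of the cycle is an incremental. The 15 TB limit and the monthly cycle come from the text; the LUN names and sizes are constructed.

```python
MAX_FULL_TB = 15   # cap on any single full backup, from the plan above
CYCLE_DAYS = 30    # the plan spreads full backups over roughly a month

def plan_full_backups(luns, max_full_tb=MAX_FULL_TB, cycle_days=CYCLE_DAYS):
    """Assign each LUN one full-backup day so that no day's full-backup volume
    exceeds max_full_tb, spreading load evenly (greedy, largest LUN first).
    luns: {name: size_in_TB}.  Returns {day: [lun names]}."""
    if any(size > max_full_tb for size in luns.values()):
        raise ValueError("a single LUN exceeds the full-backup cap; split it")
    days = {d: [] for d in range(1, cycle_days + 1)}
    load = {d: 0 for d in days}
    for name, size in sorted(luns.items(), key=lambda kv: -kv[1]):
        day = min(load, key=load.get)          # least-loaded day so far
        if load[day] + size > max_full_tb:
            raise ValueError("cannot fit all full backups under the cap")
        days[day].append(name)
        load[day] += size
    return days

def schedule(luns, **kw):
    """Per-day job list: 'full' on the LUN's assigned day, 'incr' otherwise."""
    fulls = plan_full_backups(luns, **kw)
    full_day = {lun: d for d, names in fulls.items() for lun in names}
    return {d: {lun: ("full" if full_day[lun] == d else "incr") for lun in luns}
            for d in fulls}

def daily_full_volume(luns, sched):
    """Total TB of full backups per day, used to check that the cap holds."""
    return {d: sum(luns[l] for l, k in jobs.items() if k == "full")
            for d, jobs in sched.items()}

# Constructed evidence-store layout for the example (sizes in TB).
SAMPLE_LUNS = {"cases_a": 12, "cases_b": 9, "cases_c": 14,
               "archive_1": 6, "archive_2": 3, "triage": 1}

if __name__ == "__main__":
    # A four-day cycle is used here only so that the packing is visible.
    sched = schedule(SAMPLE_LUNS, cycle_days=4)
    for day, vol in daily_full_volume(SAMPLE_LUNS, sched).items():
        fulls = [l for l, k in sched[day].items() if k == "full"]
        print(f"day {day}: full backups {fulls} = {vol} TB")
```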
Two types of backup can be performed, either over the network or as an off-host backup.
• In an over-the-network configuration, all backup data is transmitted over the network to the backup server using a backup agent that is resident on the server.
• In an off-host backup solution, some of the servers with the larger file stores do not back up their data over the network. Instead, the storage array takes a snapshot of the LUN and then mounts this copy directly to the backup server.
The following figure shows the agents that are required per server to facilitate backup:
Figure 7-3.
How to Archive Using the Dell Digital Forensics Solution
On-Demand Archiving
NTP Software ODDM and NTP Software Right-Click Data Movement (RCDM) work in conjunction with Enterprise Vault to implement on-demand archiving, which removes the need for the full file-system scans that conventional archiving requires. Storage costs are reduced and the quality of archiving is improved.
2 The analyst selects the files to be archived using the NTP Software Storage Investigator, and then clicks Archive. If the NTP RCDM add-on is installed, he instead right-clicks the files. When the files are selected, the NTP Software Storage Investigator notifies NTP Software ODDM, which in turn activates Enterprise Vault. The archive request is added to the archiving queue.
Troubleshooting
General Troubleshooting Tips
• Make sure all clients and servers can see each other—that they are able to ping one another by both NetBIOS name and IP address.
• Make sure firewalls allow the required traffic between them.
• Reboot servers and clients to make sure that all installation and configuration changes have been recognized by the systems.
FTK Lab: Browser launched by client cannot display User Interface
1 Make sure the client has MS Silverlight installed.
2 Make sure Oracle services have started on the server hosting the Oracle database.
FTK 1.8: 5000 object limit\trial version message
If you receive this message, FTK has no license. Ensure that the network license server is working and has the FTK 1.
7 Look in the Citrix Delivery Services Console to make sure that the user launching the application is in a Group allowed to launch the application.
8 For streamed applications, make sure that User Account Control (UAC) is turned off on the server.
Frozen or Crashed Citrix Sessions
When users do not log off from their Citrix sessions properly, the orphaned sessions begin to slow and may eventually cause the server to freeze or crash.