computerforensictooltestingatnist

computerforensictooltestingatnist内容摘要：

seen before 3. If unique, look at more cases 4. Examine similar anomalies 11/30/2020 Computer Forensics Show 19 Test Case Example: Setup  Setup NTFS partition – MD5: 92b27b30bee8b0ffba8c660fa1590d49 – 27,744,192 sectors – Each sector filled with sector LBA amp。 disk ID  Acquire partition – Total Sectors:27,744,191 – 494A6ED8A827AD9B5403E0CC89379956  Rehash (minus last sector) still no match 11/30/2020 Computer Forensics Show 20 Example Continued  Restore image to NTFS partition  Compare to original – Sectors differ: 47  Restore was in Windows XP …  Restore again, unpower drive, no system shutdown. Compare to original – Sectors differ: 8 – Diffs range: 27,744,18427,744,191 11/30/2020 Computer Forensics Show 21 Example Resolution  Examine the eight sectors – Last sector not imaged – Other seven are a second copy of seven sectors starting at offset 27,744,120 Know this because each sector is tagged with LBA  Verification: Acquisition hash: 494a6ed8a827ad9b5403e0cc89379956 xena:/Users/jimmy root dd bs=512 if=/dev/disk2s11 of=~jimmy/ (1009)== dd if= bs=512 skip=27744120 count=7 of= (1012)== dd if= bs=512 count=27744184 of= (1013)== cat | md5 494a6ed8a827ad9b5403e0cc89379956 (1022)== md5 MD5 () = 92b27b30bee8b0ffba8c660fa1590d49 11/30/2020 Computer Forensics Show 22 Current Activities  Hard drive imaging tools  Software hard drive write protect  Hardware hard drive write protect  Deleted file recovery  String Searching 11/30/2020 Computer Forensics Show 23 Acquisition Anomalies  Last sector of partition or drive acquire skipped in Linux  Some sectors contiguous to a faulty sectors filled rather than acquired  In a legacy BIOS acquisition (DOS), last partial cylinder not acquired  Last partial cylinder of drive not used in a restore 11/30/2020 Computer Forensics Show 24 Impact  Release 18 (Feb 2020) A US government anization was doing some testing and uncovered an issue under a specific set of circumstances.  Several vendors have made product or documentation changes  CFTT cited in some high profile court cases 11/30/2020 Computer Forensics Show 25。