Storage Memory


Chapter 8: Analyzing System Storage
So far, the evidence that has been analyzed has focused on those elements that are obtained
from the network or the system's memory. Even though incident root cause may be ferreted
out from these evidence sources, it is also important to understand how to obtain
evidentiary material from a system's storage, whether that is removable storage such as
USB devices or the larger connected disk drives. In these containers is a good deal of data
that may be leveraged by incident response analysts in determining root cause. It should be
noted that this chapter will only be able to scratch the surface, as entire volumes have been
devoted to the depth of forensic evidence available. Rather, it is hoped that this chapter
provides some concrete areas of focus with the understanding that analysts will gain a
better sense of some of the tools that can be employed, as well as an understanding of some
of the critical data that can be leveraged.

Forensic platforms
Over the past 15 years, there has been an increase in the power of disk forensic platforms.
For the incident response analyst, there are options as to what type of platform can be
leveraged for conducting an examination of the disk drives. Often, the limiting factor in
utilizing these platforms is the cost of more robust systems, when a lower cost alternative
will be just as effective for an incident response team.

Web artifacts: A great deal of data associated with web browsing is stored on the drive, so forensic platforms should be able to examine these pieces of data. This is very handy when examining social engineering attacks where users navigated to a malicious website.

Email carving: Incident responders may be called into cases where malicious employees are involved in illegal activities or have committed policy violations. Often, evidence of this type of conduct is contained within emails on the suspect system. Having a platform that can pull this data out for immediate view assists the analyst in reviewing communications between the suspect system and others.

Image viewer: Often it is necessary to view the images saved on systems. As was stated previously, law enforcement utilizes this feature to determine if there is evidence of child exploitation on a system. Incident response analysts can utilize these features to determine if there has been a policy violation.

Metadata: Key pieces of data about files, such as the date and time created, file hashes, and the location of a suspect file on the disk, are useful when examining a system associated with an incident. For example, the time an application was run, taken in conjunction with a piece of malware, may be correlated with network activity, allowing the analyst to determine the actual executable that was run.
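The metadata correlation just described, as an added example that is not from the book: it hashes constructed sample files, then joins process-start times with network-connection times to name the executable that was most likely responsible for each outbound connection. All paths, timestamps and addresses below are constructed sample data.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample data (not from the book): file metadata as a forensic platform
# would present it, plus process-start and network-connection events from one host.
FILES = {  # path -> (creation timestamp, file content standing in for the on-disk bytes)
    "C:/Users/jdoe/AppData/Local/Temp/update.exe": ("2019-03-04T10:01:50", b"MZ\x90\x00constructed-dropper"),
    "C:/Program Files/Vendor/app.exe": ("2018-11-20T08:00:00", b"MZ\x90\x00constructed-app"),
}
EXEC_EVENTS = [  # (process start time, executable path), e.g. from prefetch-style evidence
    ("2019-03-04T09:55:00", "C:/Program Files/Vendor/app.exe"),
    ("2019-03-04T10:02:15", "C:/Users/jdoe/AppData/Local/Temp/update.exe"),
]
NET_EVENTS = [  # (time, destination, port), e.g. from firewall or NetFlow logs
    ("2019-03-04T10:02:18", "203.0.113.7", 443),
    ("2019-03-04T11:30:00", "198.51.100.9", 80),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def file_metadata(files):
    """Creation time, size and SHA-256 for each file: the metadata a platform exposes."""
    return {path: {"created": created, "size": len(data),
                   "sha256": hashlib.sha256(data).hexdigest()}
            for path, (created, data) in files.items()}

def correlate(exec_events, net_events, window=timedelta(seconds=30)):
    """For each network event, list executables started within `window` before it.
    Returns {(time, dest, port): [path, ...]}; the list is empty when nothing matches."""
    result = {}
    for when, dest, port in net_events:
        t = ts(when)
        result[(when, dest, port)] = [path for start, path in exec_events
                                      if t - window <= ts(start) <= t]
    return result

def suspicious_pairs(files, exec_events, net_events, window=timedelta(seconds=30)):
    """Join both views: network events preceded by an executable that was created on
    disk less than a day before it ran (a newly dropped binary talking out)."""
    meta = file_metadata(files)
    hits = []
    for (when, dest, port), paths in correlate(exec_events, net_events, window).items():
        for p in paths:
            if ts(when) - ts(meta[p]["created"]) < timedelta(days=1):
                hits.append((when, dest, port, p, meta[p]["sha256"]))
    return hits
```

The hash in each hit can be checked against the platform's known-file sets; the window is deliberately short so that a long-running legitimate process is not blamed for every later connection.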

In terms of commercial options, the following three platforms are generally accepted as
sound and are in use by commercial and government entities all over the world. Each of
them has the features described above, among other more specialized tools.

EnCase by Guidance Software: Arguably the preeminent forensics platform, EnCase
has a long history, with the platform having been used in major criminal investigations
such as the BTK Killer case. EnCase is a feature-rich platform, which makes it a powerful
tool in the hands of a trained analyst. In addition to disk forensics, EnCase also
has integrated features for mobile devices. This is a powerful capability for
organizations that may have to analyze not only disks, but also mobile devices, in
connection with an incident.
Forensic Toolkit by AccessData: In Chapter 5, Understanding Forensic Imaging,
the FTK Imager tool was utilized to acquire disk and memory evidence. This tool
is part of a suite of tools provided by AccessData specifically tailored to disk
forensics. In addition to the imager, AccessData has a fully featured forensic
platform that allows analysts to perform the range of tasks associated with an
incident. FTK is in use by law enforcement agencies such as the Federal Bureau
of Investigation and has proven to be more than effective in assisting analysts
with incident investigations.
