Azure Platform as a Service, or PaaS, provides prebuilt Windows servers that can run customer-supplied applications. Azure Infrastructure as a Service, or IaaS, provides the hardware and virtualization environment on which the customer can run its own Windows or Linux systems and applications. The Resource drive is used for system temporary storage and is where the page file is located for Windows VMs.
The Resource drive in IaaS has the same function as in PaaS: temporary system storage. IaaS VMs may also have one or more Data drives. As we shall see, this is something that the security responder can leverage to capture drive images. Forensics begins with evidence collection. Depending on the nature of the incident and the capability of the security response team, security responders will often also want to collect complete copies of the hard drives and a dump of physical memory.
The good news is that any data that can be collected from Windows machines in a physical environment can be similarly collected from a Windows system in Azure. There is no reason to think that this situation will be any different for Linux VMs hosted in Azure.
One of the capabilities the security responder has in Azure, at least for IaaS VMs currently, is the ability to attach Data drives as needed to a running VM, without rebooting.
This allows the security responder to launch tools from, and copy output files to, the newly attached Data drive, minimizing the impact of evidence collection on the existing VHDs. These operations may be performed through the Azure management portal, or programmatically via the Azure API. In the screenshot below, for example, we have attached a new Data drive from which we are running LiveKD to create a full memory dump of the VM. Of course, we are writing the dump file to the newly attached Data drive as well.
Attaching a Data disk works well for collecting a variety of live data. In the screenshot below we have run a rather comprehensive data gathering script, using a number of Windows command line tools as well as other standard tools of the trade, such as utilities from Sysinternals and NirSoft. All of these utilities work as they would on a similarly configured physical system. Finally, whole drives can be copied from within the VM, just as they might be collected from a remote physical machine.
In the screenshot below, we are imaging the C: OS drive of a running IaaS VM to a Data drive that we attached to the system to capture disk images of the existing drives. Although we have not yet tested remote imaging tools, such as F-Response, in Azure ourselves, these sorts of collection tools could be used for remote drive or memory capture from Azure VMs.
This approach to evidence collection is fairly common in the enterprise, but it would require the VMs to have been configured with the proper networking endpoints to allow access for the remote collection software.

EnCase comes with many built-in forensic features, such as keyword searches, e-mail searches, and Web page carving. The numerous versions of its forensic software range from mobile device acquisition to full-blown network forensic-analysis tools.
EnCase is sold by Guidance Software on its Web site. Support for EnCase is rock solid, and the technical support staff knows how to solve problems fairly quickly in addition to providing multilanguage support. FTK has automated, to a high degree, the hard, behind-the-scenes work of setting up searches. Press the Email button and out pop the e-mails. Everything you need to order the software and training is on the site. Even the certification process is available for you to peruse.
The Paraben forensic tools compete with the top two computer forensic software makers EnCase and FTK described earlier in this chapter. Still, the company truly shines in the mobile forensic arena. With more cases going mobile, Device Seizure is a must-have tool. Device Seizure and all the extras that can go with it are at www. The basic idea behind forensic hardware is to facilitate the forensic transfer of digital evidence from one device to another as quickly as possible.
In addition to the laboratory version, FRED comes in mobile versions that facilitate the acquisition of evidence in the field for quick analysis. Digital Intelligence, at www. The company also offers training in the use of its systems and provides helpful technical support. When you need a small footprint and useful equipment for field use, the CRU field kit is hard to beat, figuratively and literally.
Even with its small footprint, this field kit has the most popular interfaces available, and you can even customize it for your unique needs.
Using the CRU field kit, you can carry the essential pieces of your forensic toolkit. The heart of this field kit consists of the write-protect devices that WiebeTech manufactures in-house. Logicube offers some of the fastest disk-to-disk and disk-to-image transfer equipment now on the market. As storage devices grow larger, transferring 4 gigabytes per minute can save quite a bit of time over other field data acquisition methods.
Forensic Toolkit is software specialized in digital investigation. Its features include very high speed, efficient solutions for finding digital evidence, and custom searches that help locate the relevant information.
Generally, large forensic software suites have to be able to do the following: Compared to law enforcement agencies, corporations are usually not concerned with volatile RAM captures. They are also usually not interested in previewing ability. The field of forensic software analysis is filled with forward-thinking innovators and prolific existing software companies that are ready to expand their operations. Large forensic software providers tend to appear at large industry gatherings, such as the High Tech Crime Investigation Association Conference, but there are many such conferences across North America.
BlackLight started 5 years ago, developing a Mac-only forensic tool. It has now become a good Windows examination tool as well. It will analyze all iOS devices as well as Android.
However, it is not capable of analyzing BlackBerry devices. They have an additional tool called MacQuisition. It does a very good job of discovering encryption and can join together fusion drives into one volume.
AccessData is the leading provider of E-Discovery, Computer and Mobile Device Forensics for corporations, law firms, and government agencies. Their digital forensics solutions include Forensic ToolKit (FTK), which provides comprehensive processing and indexing up front, so filtering and searching are faster than with any other solution on the market. The former allows mobile forensic examiners to quickly collect, easily identify and effectively obtain the key data other solutions miss. Guidance Software, founded in , develops EnCase Forensic Software, which is a PC-only forensic tool that has been the mainstay of forensics for over a decade.
The tool has made the headlines in when it was used in the murder trial of David Westerfield to examine his computers to find evidence of child pornography, and when French police used EnCase to discover critical emails from Richard Colvin Reid, also known as the Shoe Bomber.
EnCase Forensic Software is capable of acquisitions, hard drive restoration (cloning bit for bit to make a cloned HDD), comprehensive disk-level investigation, and extensive reporting, among many other things. Developed by a former police officer and programmer, Magnet Forensics is a complete digital investigation platform used by over 3, agencies and organizations around the world.