Difference between pages "How to image an IDE disk with aimage and FreeBSD" and "Timeline Analysis Bibliography"

From Forensics Wiki
(Difference between pages)
(Category HowTos -> Howtos)
 
m (Papers)
 
'''How to image an IDE disk with aimage and FreeBSD'''

Here is a photo of my disk imaging system:

[[Image:ImagingStationx4.jpg|320px|Photo of an open computer with 4 hard drives connected.]]

Key elements of the disk imaging system:
* You need to have an internal IDE card which is not used for anything but disk imaging;
* You need to have an external hard drive power supply, so that you can power the IDE drives without using your computer's power supply (if you use your computer's power supply, you can easily crash your computer when attaching or detaching the power supply);

=Imaging Checklist=
# [[How To Set Up a Disk Imaging Station|Set up a disk imaging station]];
# You should have a 50-pin IDE ribbon cable going from your IDE controller to the desktop;
# Do not connect your imaging drive yet!
# Boot the computer into FreeBSD;
# Attach the IDE hard drive to the ribbon cable FIRST;
# Now, attach power to the IDE drive;
# You need to determine which ATA port the IDE drive is now connected to. In all likelihood it is <tt>ata0</tt>, <tt>ata1</tt>, <tt>ata2</tt> or <tt>ata3</tt>. If you have an internal hard drive on an IDE interface, then the internal interface is probably <tt>ata0</tt> and <tt>ata1</tt> and the external is probably on <tt>ata2</tt> or <tt>ata3</tt>;
# You also need a place to store the AFF files you are going to be creating. I usually put them in <tt>/usr/affs</tt>, which is a directory you will need to create;
# Log in as ''root'';
# mkdir /usr/affs
# Now, try to image the drive with this command:
  aimage ata2 /usr/affs/disk1.aff
# If this doesn't work, try:
  aimage ata3 /usr/affs/disk1.aff
# If it works, you'll see the aimage program running.

=What can go wrong=
* ''aimage'' may not be installed. If you get the error message "aimage: command not found" then you need to install [[AFFLIB]] and then make sure that the ''aimage'' command (usually installed in ''/usr/local/bin'') is in your ''PATH''. You can check this by running ''/usr/local/bin/aimage'' instead of ''aimage'';
* Your source drive can be broken; ''aimage'' should tell you if it is;
* You can run out of disk space. You need a LOT of disk space to store disk images — figure 30GB to image a 60GB drive.

=What to do after you have made your images=
Once you have made a few images, you'll need to put them somewhere. Typically this means uploading them to a server.

=See Also=
[[How To Set Up a Disk Imaging Station]]

[[Category:Howtos]]

'''Timeline Analysis Bibliography'''

==Papers==
* S. Willassen, [http://www.igi-global.com/articles/details.asp?ID=33298 "A Model Based Approach to Timestamp Evidence Interpretation"], International Journal of Digital Crime and Forensics, 1:2, 2009
* J. Olsson, [http://www.bth.se/fou/cuppsats.nsf/bbb56322b274389dc1256608004f052b/2e5256fe7d0e57d5c12574bd0072d894!OpenDocument "Digital Evidence with an Emphasis on Time"], Master's Thesis, Blekinge Institute of Technology, September 2008
* R. Koen, M. Olivier, [http://icsa.cs.up.ac.za/issa/2008/Proceedings/Full/43.pdf "The Use of File Timestamps in Digital Forensics"], ISSA 2008, Johannesburg, South Africa, July 2008
* S. Willassen, [http://www.diva-portal.org/ntnu/abstract.xsql?dbid=2145 "Methods for Enhancement of Timestamp Evidence in Digital Investigations"], PhD Dissertation, Norwegian University of Science and Technology, 2008
* S. Willassen, [http://www.willassen.no/svein/pub/ares08.pdf "Finding Evidence of Antedating in Digital Investigations"], ARES 2008, Barcelona, Spain, March 2008
* S. Willassen, [http://www.willassen.no/svein/pub/ifip08.pdf "Hypothesis Based Investigation of Digital Timestamp"], 4th IFIP WG 11.9 Workshop on Digital Evidence, Kyoto, Japan, January 2008
* S. Willassen, [http://www.willassen.no/svein/pub/efor08.pdf "Timestamp Evidence Correlation by model based clock hypothesis testing"], E-Forensics 2008, Adelaide, Australia, January 2008
* F. Buchholz, [http://www.infosec.jmu.edu/reports/jmu-infosec-tr-2007-001.pdf "An Improved Clock Model for Translating Timestamps"], JMU-INFOSEC-TR-2007-001, James Madison University
* F. Buchholz, B. Tjaden, [http://www.dfrws.org/2007/proceedings/p31-buchholz.pdf "A brief study of time"], Digital Investigation 2007:4S
* K. Chow, F. Law, M. Kwan, P. Lai, [http://i.cs.hku.hk/~cisc/forensics/papers/RuleOfTime.pdf "The Rules of Time on NTFS File System"], 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, April 2007
* B. Schatz, G. Mohay, A. Clark, [http://www.dfrws.org/2006/proceedings/13-%20Schatz.pdf "A correlation method for establishing provenance of timestamps in digital evidence"], Digital Investigation 2006:3S
* P. Gladyshev, A. Patel, [http://www.utica.edu/academic/institutes/ecii/publications/articles/B4A90270-B5A9-6380-68863F61C2F7603D.pdf "Formalizing Event Time Bounding in Digital Investigation"], International Journal of Digital Evidence, vol 4:2, 2005
* C. Boyd, P. Forster, "Time and Date issues in forensic computing - a case study", Digital Investigation 2004:1
* M.W. Stevens, "Unification of relative time frames for digital forensics", Digital Investigation 2004:1
* M. C. Weil, [http://www.utica.edu/academic/institutes/ecii/publications/articles/A048B1E4-B921-1DA3-EB227EE7F61F2053.pdf "Dynamic Time & Date Stamp Analysis"], International Journal of Digital Evidence, vol 1:2, 2002
* S. Havre, B. Hetzler, L. Nowell, [http://infoviz.pnl.gov/pdf/themeriver99.pdf "ThemeRiver: In Search of Trends, Patterns, and Relationships"], Battelle Pacific Northwest Division, Richland, Washington, 1999
* S. A. Morris, G. Yen, Z. Wu, B. Asnake, [http://www.conceptsymbols.com/web/publications/2003_timelines.pdf "Timeline Visualization of Research Fronts"], School of Electrical and Computer Engineering, Oklahoma State University, Stillwater, Oklahoma, 2003
* M. Stefaner, [http://well-formed-data.net/archives/26/visualizing-gaps-in-time-based-lists "Visualizing gaps in time-based lists"], November 6, 2000

==Programs==
; [[Zeitline]] — Forensic timeline editor
: http://projects.cerias.purdue.edu/forensics/timeline.php
: http://sourceforge.net/projects/zeitline/
; [[sorter]] — [[Sleuthkit]]'s [[MAC times]] sorting program.
; [http://code.google.com/p/simile-widgets/ Simile Timeline and Timeplot]

==See Also==
* http://www.timeforensics.com/

[[Category:Tools]]
[[Category:Bibliographies]]
[[Category:Timeline Analysis]]
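An added pre-flight script for the imaging checklist and the "What can go wrong" section of the IDE imaging page above; it is not from the original page or from AFFLIB. It assumes the page's FreeBSD ata port names, the /usr/affs output directory, aimage in /usr/local/bin and the page's rule of thumb of 30GB free for a 60GB drive; the boot messages it parses are a constructed sample, and it only prints the aimage command unless DRY_RUN=0.

```shell
#!/bin/sh
# Pre-flight wrapper for the aimage checklist above. Added example, not from the
# original page; it assumes the page's FreeBSD ATA port names (ata0..ata3), the
# /usr/affs output directory, aimage in /usr/local/bin, and the page's rule of
# thumb that imaging a 60GB drive needs about 30GB of free space.

# Constructed FreeBSD boot messages (not real output): an internal disk on
# ata0, a DVD drive on ata1 and the freshly attached evidence disk on ata2.
SAMPLE_DMESG='ad0: 76319MB <WDC WD800JB-00JJC0> at ata0-master UDMA100
acd0: DVDROM <HL-DT-STDVD-ROM GDR8162B> at ata1-master UDMA33
ad4: 57231MB <ST360015A 3.33> at ata2-master UDMA100'

# Print the highest-numbered ata port with a disk (adN) attached; the page says
# the internal controller is ata0/ata1 and the external one ata2 or ata3.
pick_ata_port() {
    printf '%s\n' "$1" |
        sed -n 's/^ad[0-9]*: .* at \(ata[0-9]*\)-.*$/\1/p' | sort | tail -n 1
}

# Print the size in MB of the disk on port $2, from the same messages.
disk_size_mb() {
    printf '%s\n' "$1" |
        sed -n "s/^ad[0-9]*: \([0-9]*\)MB .* at $2-.*$/\1/p" | head -n 1
}

# Page's rule of thumb: an image needs about half the source size.
# Succeeds when $2 MB free is enough for a $1 MB source.
enough_space() {
    [ "$2" -ge $(( $1 / 2 )) ]
}

# Checks from "What can go wrong", then the aimage call as the page writes it.
# $1 ata port, $2 output .aff, $3 source size in MB; DRY_RUN=1 only prints.
image_disk() {
    aimage="${AIMAGE:-/usr/local/bin/aimage}"
    if ! [ -x "$aimage" ]; then
        echo "aimage not found at $aimage: install AFFLIB" >&2; return 2
    fi
    mkdir -p "$(dirname "$2")" || return 3
    avail=$(df -m "$(dirname "$2")" | awk 'NR == 2 { print $4 }')
    if ! enough_space "$3" "$avail"; then
        echo "only ${avail}MB free for a $3MB source" >&2; return 4
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "would run: $aimage $1 $2"; return 0; fi
    "$aimage" "$1" "$2"   # a broken source drive is reported by aimage itself
}

port=$(pick_ata_port "$SAMPLE_DMESG")
echo "evidence disk appears on $port, $(disk_size_mb "$SAMPLE_DMESG" "$port") MB"
```

On a real station, run it as root after the drive is attached and powered, e.g. `DRY_RUN=0 image_disk "$port" /usr/affs/disk1.aff "$(disk_size_mb "$(dmesg)" "$port")"`.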

Revision as of 17:44, 31 July 2009
