RadioGraPhy is a forensic analysis tool for Windows systems, designed to extract as much of the available information as possible:
- Registry keys related to the machine's boot and logon process
- Registry keys holding the Internet Explorer configuration
- User accounts and their properties
- Startup files
- System services
- Contents of the hosts file
- Loaded device drivers
- Shared disk drives
- Hidden windows
- Running system processes
- Network information (open connections, listening ports…).
It runs with a graphical interface:

RadioGraPhy graphical interface
and also from the command line.
The article «Acquisition and Analysis of Volatile Memory from Android Devices» describes a technique, applicable to Android but also, by extension, to Linux, for recovering the contents of RAM.
An article (access to the full text is paid) on the impact that the growth in encrypted hard drives has on forensic investigation work: «The growing impact of full disk encryption on digital forensics»:
The increasing use of full disk encryption (FDE) can significantly hamper digital investigations, potentially preventing access to all digital evidence in a case. The practice of shutting down an evidential computer is not an acceptable technique when dealing with FDE or even volume encryption because it may result in all data on the device being rendered inaccessible for forensic examination. To address this challenge, there is a pressing need for more effective on-scene capabilities to detect and preserve encryption prior to pulling the plug. In addition, to give digital investigators the best chance of obtaining decrypted data in the field, prosecutors need to prepare search warrants with FDE in mind. This paper describes how FDE has hampered past investigations, and how circumventing FDE has benefited certain cases. This paper goes on to provide guidance for gathering items at the crime scene that may be useful for accessing encrypted data, and for performing on-scene forensic acquisitions of live computer systems. These measures increase the chances of acquiring digital evidence in an unencrypted state or capturing an encryption key or passphrase. Some implications for drafting and executing search warrants to dealing with FDE are discussed.
Continuing with the articles that in recent days have dealt with the possibilities of recovering information from SSD drives, «Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?»:
Here we show that it is imprudent and potentially reckless to rely on existing evidence collection processes and procedures, and we demonstrate that conventional assumptions about the behaviour of storage media are no longer valid. In particular, we demonstrate that modern storage devices can operate under their own volition in the absence of computer instructions. Such operations are highly destructive of traditionally recoverable data. This can contaminate evidence; can obfuscate and make validation of digital evidence reports difficult; can complicate the process of live and dead analysis recovery; and can complicate and frustrate the post recovery forensic analysis.
Our experimental findings demonstrate that solid-state drives (SSDs) have the capacity to destroy evidence catastrophically under their own volition, in the absence of specific instructions to do so from a computer.
This somewhat contradicts the study I cited a few days ago… they say that SSDs pose a problem when carrying out a forensic analysis, given the functionality many drives include for internally reorganizing data:
As a result, most SSDs have firmware that automatically carries out “self healing” or “garbage collection” procedures that can permanently erase or alter files that have been marked for deletion. The process often begins as soon as three minutes after the drive is powered on and happens with no warning. The user need not initiate any commands, and the drive emits no lights or makes any sounds to indicate the purging is taking place.