Incident Response and Computer Forensics
- Oswald Carson
- 7 years ago
James L. Antonakos, WhiteHat Forensics

Incident Response Topics
- Why does an organization need a CSIRT?
- Who's on the team?
- Initial Steps
- Detailed Project Plan
- Incident Response Flowchart
- Digital Forensics
- An Actual Incident
- Table Top Exercises

Computer Forensics Topics
- What is Computer Forensics?
- Why do we need Computer Forensics?
- Live Analysis Versus Static Analysis
- Capturing a Drive Image
- The Organization of Hard Disks
- The Organization of File Systems
- The FAT File System
- The NTFS File System
- The EXT3 File System
- Where's the Data?
- Forensic Tools
Why does an organization need a CSIRT?
- An organization needs a CSIRT if it uses computers, no matter what the size of the organization.
- No matter how well trained, an employee is still vulnerable.
- Non-existent security policies and processes also contribute to vulnerabilities.
- No matter how well protected, a computer is still vulnerable.

Who's on the team?
The CSIRT members come from all areas of the organization:
- Information Technology
- Help Desk
- Human Resources
- Public Relations
- Legal
- Fiscal
- Facilities
- External Consultant

Initial Steps
Starting up the CSIRT involves the following steps:
1. Obtain approval from upper management to create the CSIRT.
2. Invite the initial members to meet.
3. Explain the purpose of the CSIRT and the core services provided.
4. Describe the role of each member of the team.
5. Assign a CSIRT leader / main point of contact.
6. Develop a detailed project plan for implementation.
7. Execute the project plan and become operational.
8. Evaluate CSIRT effectiveness.
Detailed Project Plan
The detailed project plan involves the following steps:
1. Establish the team communication method.
2. Decide on hours of operation.
3. Determine incident reporting and tracking procedures.
4. Devise the incident response flowchart.
5. Perform table top exercises.
6. Establish how an incident is escalated.
7. Develop CSIRT policies.
8. Determine QA metrics.
9. Partner with another CSIRT.
10. Roll out the CSIRT to the organization.

Incident Response Flowchart (diagram only)
Incident Response Flowchart (diagram only, continued)

What is Computer Forensics?
- Computer Forensics is a process used to locate digital information that may be used to help prove guilt or innocence.
- Computer Forensics procedures must be properly followed to avoid contamination (altering) of the evidence (information).
- It is very important to maintain the Chain of Custody.
Digital Forensics
Digital Forensics is performed to record the state of a system at the time of an incident, assist law enforcement, and help determine how an incident occurred and what happened. In the event that digital forensics is required, there are several procedures to follow. In all parts of the activity, proper documentation should be maintained, such as recording the time and date the evidence was handled, who handled the evidence, and the reason the evidence was handled.
First, determine whether live or static forensics is required on a system:
- Live Forensics: performed on a running system.
- Static Forensics: performed on an evidence image.

Digital Forensics: Live Forensics
This is performed on a running system. There is digital evidence present on a running system that is not present on a system that has been powered off. This evidence includes:
- Time / date
- Logged on user
- Remote users
- Windows clipboard data
- What is on the Desktop
- Running processes and services
- The contents of RAM
- Mapped network drives
- Network traffic and open connections
In addition to this evidence, everything covered under static forensics can also be examined.

Digital Forensics: Static Forensics
This is performed on an image of a hard disk collected using appropriate law enforcement techniques (chain of custody maintained, a write blocker used during image capture, hashing used to verify the integrity of the forensic image). This evidence includes examining:
- Existing files: user created files, such as Office documents and photos
- Internet history
- IM logs
- System Event logs
- Hidden files and folders
- Encrypted files
- The Registry
- PAGEFILE.SYS and HIBERFIL.SYS
- Deleted files
- File slack space
- Unallocated disk space
An Actual Incident
Names were changed to protect the innocent. Prior to the CSIRT being established, a company experienced a security incident involving ransomware. A remote staff member was reading e-mail and clicked on a link that opened a ZIP file containing a PDF document. When she opened the PDF, her system became quite unresponsive. Even though her system was connected to the organization via a VPN, she became concerned and called the Help Desk. The Help Desk had her disconnect her system from the VPN.

An Actual Incident (continued)
The system was still slow and unresponsive while the Help Desk asked routine questions. Then a ransom message appeared, informing the staff member that her files had been encrypted and stating the amount of money to be paid via Bitcoin in order to obtain the decryption key.

An Actual Incident (screenshot of the ransom message; image only)
An Actual Incident (continued)
At no time during this process did the endpoint protection software indicate the presence of malware. The Help Desk informed the staff member to mail her system back to the organization, as they would provide a new system. When the Help Desk team member got off the phone, he informed the head network engineer of the situation. Since remote employees connecting over VPN have one or more organizational drives mapped to the remote system, the network engineer thought it likely that files on the organization's file servers had been encrypted as well.

An Actual Incident (continued)
The network engineer looked up the affected staff member in Active Directory to determine her role and the file and folder permissions in effect for her. Because permission was properly limited to only the files she needed to access to perform her work, the number of encrypted files encountered on the organization's systems was very small. These files were restored from backup. As a result of this incident, additional security awareness training for all employees was conducted, with emphasis on safe use of e-mail and web browsing.

Table Top Exercises
Table top exercises consist of mock scenarios that are used to test the effectiveness of the incident response flowchart. Here is a short list of scenarios:
1. Web page defacement
2. Malware / Ransomware infection
3. Social Engineering activity
4. Unknown Remote Desktop activity
5. Distributed Denial of Service attack underway
6. New Security Advisory
7. Unauthorized Access / Compromised Accounts
8. Employee engaging in inappropriate activity
9. Information Asset theft / Data breach discovered
10. Rogue wireless access point discovered
11. Intentional damage to equipment
Table Top Exercises (continued)
Here are some sample questions that may help direct the discussion of the scenario:
- Who decides how many incident response team members would participate in handling this incident?
- Besides the incident response team, what groups within the organization would be involved in handling this incident?
- To which external parties would the incident be reported? When would each report occur? How would each report be made?
- What other communications with external parties may occur? Report to another CSIRT?
- What tools and resources are necessary to handle this incident?
- What aspects of the response would be different if the incident occurs at a different day and time (on hours versus off hours)?
- What aspects of the response would be different if the incident occurs at a different location (onsite versus offsite)?

Hands On Activity
- Break into small groups.
- Choose a table top scenario.
- Discuss whether it is an event or an incident.
- If it is an incident, go through the incident response flowchart and gauge the effectiveness of the flowchart in handling all aspects of the incident.
- Share your findings with the other groups.

Why do we need Computer Forensics?
- Support law enforcement.
- Many types of documents are now stored electronically.
- Learn about the techniques used by cybercriminals.
- Computers may be the instrument used in a crime or the victim of a crime.
Live Analysis Versus Static Analysis
- Live Analysis: forensics performed on a running system. There are more things to look at during a live analysis than a static analysis. Do you pull the plug or perform an orderly shutdown?
- Static Analysis: forensics performed on a copy of the data from a system. This type of analysis is done most often.

Live Analysis
Things to record:
- System time and date.
- Users logged on to the system.
- Open network connections.
- Network drives mapped to the system.
- Processes that are running.
- What is on the Desktop and Clipboard.

Static Analysis
Things to look for:
- Registry entries.
- Hidden files and folders, encrypted files.
- Images, e-mails, IM logs, other files.
- Misnamed files.
- Deleted files.
- Data in unallocated space and slack space.
Capturing a Drive Image
- A write blocker must be used to prevent write operations on the drive being imaged. It can be software or hardware.
- The entire drive is imaged, including unallocated space, to a clean drive.
- The image must be verified to guarantee integrity. This is done using a hash function.

Capturing a Drive Image (continued)
- One bit is a 0 or a 1.
- One byte is 8 bits.
- One KB (kilobyte) is 1024 bytes.
- One MB (megabyte) is 1024 KB.
- One GB (gigabyte) is 1024 MB.
- A 500 GB drive contains 536,870,912,000 bytes (over 143 million pages!!!).
- One TB (terabyte) is 1024 GB.

Capturing a Drive Image (continued)
- A drive may be imaged via a USB or FireWire connection, or over the network.
- The size of the drive being imaged affects the time required to perform the capture.
- The speed of the connection also affects the time required to image the drive.
- A 500 GB drive may require 8 hours or several days to acquire.
Image is Verified via a Hash (diagram only)

What is a File System?
- Establishes a logical organization for file storage over a wide range of physical storage devices.
- Makes it easy for users (and programs) to create, alter, copy, and delete files.
- Provides long term, high speed access to files.
- Enables file sharing over a network.

File System vs Operating System
- A file system is not an operating system.
- A file system needs an operating system in order to be useful.
- An operating system supports one or more file systems:
  - Windows: FAT, NTFS
  - Linux: EXT, FAT
  - Mac OS X: HFS, FAT
(Image credit: electroniclighthouse.com.au)
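The imaging and hash-verification steps above, worked as an added Python example that is not code from the slides: the source drive and the target are constructed in-memory buffers, the handler name is a placeholder, and SHA-256 is assumed as the hash function because the slides do not name one.

```python
"""Image a drive, verify the image with a hash and log the handling.

Added example, not code from the original slides. The source drive and the
target are in-memory byte buffers constructed below to stand in for the
evidence drive (which would sit behind a write blocker) and the image file;
real devices would be read in the same chunked fashion.
"""
import hashlib
import io
from datetime import datetime, timezone

SECTOR = 512          # bytes per sector, as on the slides
CHUNK = 64 * 1024     # read size; a multiple of SECTOR

def hash_stream(stream, algorithm="sha256"):
    """Hash a device or file in chunks so a 500 GB drive never has to fit in
    memory. Returns (hex digest, number of bytes read)."""
    h = hashlib.new(algorithm)
    total = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        h.update(chunk)
        total += len(chunk)
    return h.hexdigest(), total

def image_drive(source, destination):
    """Copy every sector of the source (allocated and unallocated alike) to
    the destination, hashing the source as it is read. Returns that hash."""
    h = hashlib.sha256()
    while True:
        chunk = source.read(CHUNK)
        if not chunk:
            break
        h.update(chunk)
        destination.write(chunk)
    return h.hexdigest()

def verify_image(source, image, handler, reason, log):
    """Re-hash source and image after acquisition and compare them.
    The step is appended to `log` with time, handler and reason, which is
    the chain-of-custody record the slides call for. Returns True on match."""
    source.seek(0)
    image.seek(0)
    src_hash, src_len = hash_stream(source)
    img_hash, img_len = hash_stream(image)
    ok = src_hash == img_hash and src_len == img_len
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "reason": reason,
        "sectors": src_len // SECTOR,
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": ok,
    })
    return ok

def verify_bytes(source_bytes, image_bytes):
    """Convenience wrapper for in-memory data: True only when the image is a
    byte-for-byte match of the source."""
    return verify_image(io.BytesIO(source_bytes), io.BytesIO(image_bytes),
                        "examiner (constructed)", "spot check", [])

def acquire_and_verify(drive_bytes, handler="examiner (constructed)"):
    """Run the slide procedure end to end on an in-memory drive: acquire,
    then verify. Returns the chain-of-custody log (two entries)."""
    source = io.BytesIO(drive_bytes)
    image = io.BytesIO()
    log = [{
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "reason": "acquisition",
        "source_sha256": image_drive(source, image),
    }]
    verify_image(source, image, handler, "post-acquisition verification", log)
    return log

# Constructed 16-sector "drive": a boot-sector-like first sector, one
# sector of file content and 14 zero-filled (unallocated) sectors.
SAMPLE_DRIVE = (
    b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 499 + b"\x55\xaa"
    + b"CONFIDENTIAL.TXT sample contents".ljust(SECTOR, b"\x00")
    + b"\x00" * (SECTOR * 14)
)

if __name__ == "__main__":
    for entry in acquire_and_verify(SAMPLE_DRIVE):
        print(entry)
    # A single changed byte in the image (or a write to the source made
    # without a write blocker) makes verification fail:
    print(verify_bytes(SAMPLE_DRIVE, SAMPLE_DRIVE[:-1] + b"\x01"))  # False
```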
File System vs Operating System (diagram only)

The Organization of Hard Disks
- A hard disk contains one or more platters.
- Each platter contains two sides (surfaces).
- Each surface contains circular tracks divided into sectors.
- Each track may contain 64 sectors.
- Each sector contains 512 bytes of data.
- A 500 GB hard drive contains over 1 billion sectors.

Typical Hard Drive (image only)
Typical Hard Drive (image only, continued)

The Organization of Hard Disks (continued)
- The hard disk spins at a fast rate (5400 rpm or 7200 rpm).
- A read/write head hovers over the surface and picks up the magnetized 1s and 0s stored on the surface.
- Data is transferred between the disk and main memory on the motherboard.

The Organization of File Systems
- A File System is a logical way of organizing the sectors on a disk.
- Different Operating Systems support different file systems:
  - Windows: FAT and NTFS
  - Linux: EXT3
  - Mac OS X: HFS+
- FAT is the most widely supported file system.
The Organization of File Systems (continued)
Sectors on a disk are allocated as follows for the FAT (File Allocation Table) file system:
- Boot sector
- FAT sectors
- Directory sectors
- Data sectors

Operation of FAT (diagram only)

Challenges of FAT
- After a lot of use (files created, edited, and deleted) the FAT becomes very fragmented.
- It is not easy to search through the FAT on a hard disk, as it is very large.
- We need software to interpret the FAT for us.
- File slack may contain valuable data.
Where is the File Slack? (diagram only)

What Happens when a File is Deleted?
- The file's entries in the FAT are set to free.
- The file's entry in the Directory has its first byte (letter) changed to an unprintable code (E5); all other file properties stay the same.
- The data content of the file remains stored on disk until overwritten.

A Sample Directory (image only)
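The deleted-entry marker and the file-slack point above, worked as an added Python example that is not part of the original slides: it parses constructed 32-byte FAT directory entries (the file names, dates and the 4096-byte cluster size are assumptions), reports entries whose first byte is E5 with the overwritten letter shown as '?', and computes each file's slack from its size and the cluster size.

```python
"""Walk a FAT directory, flag deleted entries and compute file slack.

Added example, not code from the original slides. The directory below is
constructed with struct.pack to resemble a small FAT16 root directory; an
examiner would instead feed in the raw bytes of the directory sectors
taken from the drive image.
"""
import struct
from dataclasses import dataclass

ENTRY_SIZE = 32
DELETED = 0xE5          # first byte of a deleted entry, as on the slides
END_OF_DIR = 0x00       # first byte of the entry that ends the directory
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F         # long-file-name entries, skipped here
ENTRY_FMT = "<8s3sBBBHHHHHHHI"   # 8.3 name, attrs, reserved, stamps, clusters, size

@dataclass
class DirEntry:
    name: str
    deleted: bool
    is_dir: bool
    first_cluster: int
    size: int
    modified: str
    slack: int

def fat_date(year, month, day):
    """Pack a date the FAT way: (year-1980):7 month:4 day:5."""
    return ((year - 1980) << 9) | (month << 5) | day

def fat_time(hour, minute, second):
    """Pack a time the FAT way: hour:5 minute:6 (second/2):5."""
    return (hour << 11) | (minute << 5) | (second // 2)

def decode_fat_datetime(date_word, time_word):
    """Inverse of fat_date/fat_time, returned as a readable string."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F
    hour, minute, sec = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{sec:02d}"

def file_slack(size, cluster_size):
    """Bytes between end-of-file and the end of the file's last cluster.
    They are not rewritten when the file is saved, so they can still hold
    fragments of whatever used the cluster before (the slide's 'valuable data')."""
    if size == 0:
        return 0
    clusters = -(-size // cluster_size)          # ceiling division
    return clusters * cluster_size - size

def parse_directory(raw, cluster_size=4096):
    """Parse raw directory sectors into DirEntry records, deleted ones
    included. Only the first character of a deleted name was overwritten by
    E5, so it is shown as '?' while the rest of the entry is intact."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        rec = raw[off:off + ENTRY_SIZE]
        if rec[0] == END_OF_DIR:
            break
        attrs = rec[11]
        if attrs == ATTR_LFN or attrs & ATTR_VOLUME_ID:
            continue
        (base, ext, _a, _r, _ct, _ctime, _cdate, _adate,
         clus_hi, mtime, mdate, clus_lo, size) = struct.unpack(ENTRY_FMT, rec)
        deleted = rec[0] == DELETED
        if deleted:
            base = b"?" + base[1:]
        name = base.decode("ascii", "replace").rstrip()
        if ext.strip():
            name += "." + ext.decode("ascii", "replace").rstrip()
        is_dir = bool(attrs & ATTR_DIRECTORY)
        entries.append(DirEntry(
            name, deleted, is_dir, (clus_hi << 16) | clus_lo, size,
            decode_fat_datetime(mdate, mtime),
            0 if is_dir else file_slack(size, cluster_size)))
    return entries

def make_entry(name, ext, attrs, cluster, size, mdate, mtime, deleted=False):
    """Build one constructed 32-byte entry for the sample directory."""
    base = name.encode().ljust(8)
    if deleted:
        base = bytes([DELETED]) + base[1:]
    return struct.pack(ENTRY_FMT, base, ext.encode().ljust(3), attrs, 0, 0,
                       0, 0, 0, cluster >> 16, mtime, mdate, cluster & 0xFFFF, size)

# Constructed sample: two live files, one deleted document, one subdirectory.
SAMPLE_DIRECTORY = (
    make_entry("BUDGET", "XLS", 0x20, 3, 10000, fat_date(2015, 3, 2), fat_time(9, 15, 30))
    + make_entry("NOTES", "TXT", 0x20, 7, 4096, fat_date(2015, 3, 3), fat_time(17, 1, 0))
    + make_entry("SECRET", "DOC", 0x20, 9, 23000, fat_date(2015, 2, 27), fat_time(8, 0, 0),
                 deleted=True)
    + make_entry("PHOTOS", "", 0x10, 12, 0, fat_date(2015, 1, 10), fat_time(12, 0, 0))
    + b"\x00" * ENTRY_SIZE
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIRECTORY):
        flag = "DELETED" if e.deleted else "       "
        print(f"{flag} {e.name:<12} cluster={e.first_cluster:<4} size={e.size:<6} "
              f"slack={e.slack:<5} modified={e.modified}")
```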
The NTFS File System
- NTFS maintains a Master File Table that stores information (called metadata) about every file on the volume.
- Bear in mind that everything in NTFS is a file, including the list of bad clusters, the allocation bitmap that shows which clusters are allocated, and the transaction log that records all transactions on the volume.
- The structure of NTFS is more complicated than that of FAT, requiring around 10 MB for an empty file system, making NTFS unsuitable for floppy disks.

The NTFS File System (diagram slides; image only)
The NTFS File System (diagram slides, continued; image only)

Where's the Data?
- Registry.
- Files and folders.
- Deleted files.
- Unallocated space.
- Slack space.
- System files: INDEX.DAT, PAGEFILE.SYS, HIBERFIL.SYS
(Image credit: ebriatic.com)
The EXT File System
- EXT2 was developed in 1993 for Linux.
- EXT3 was added to Linux later. Its main new feature was journaling, which has three modes: Journal, Ordered, Writeback.
- EXT4 was added to Linux later still. Larger file systems are supported.
(Image credit: technologicia.com)

The EXT File System (diagram only)

The EXT File System (continued)
- Recovering a deleted file in EXT2 is very easy, as all information still resides in the inode for the file.
- Recovering a deleted file in EXT3 is much more difficult, as the block pointer fields in the inode (and in the indirect blocks) are zeroed out.
- All is not lost, however, as files may potentially be recovered by examining information contained in the journal.
Forensic Tools
- Hex editor: display, search, and modify hexadecimal data.
- Forensic analysis software: FTK (Forensic Toolkit), EnCase, Autopsy, X-Ways

FTK (Forensic ToolKit) (screenshot; image only)

Forensic Tools (continued)
- Network traffic sniffer/analyzer
- Imaging software
- Hashing software
- Log file analyzer
- Steganography software
Skills Needed by a Forensic Examiner
- Knowledge of Operating Systems.
- Knowledge of File Systems.
- Must understand networking and TCP/IP.
- Must possess the necessary software for imaging and analyzing images.
- Must possess additional software such as a hex editor, log file analyzer, etc.
- Lots of patience!!!

Thank you!
James L. Antonakos
james@whitehatforensics.com
(607)
Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000 Richard Leickly and David Angell Circle Hook Data Recovery { Richard, David}@CircleHookDR.com
More informationRemote Network Accelerator
Remote Network Accelerator Evaluation Guide LapLink Software 10210 NE Points Drive Kirkland, WA 98033 Tel: (425) 952-6000 www.laplink.com LapLink Remote Network Accelerator Evaluation Guide Page 1 of 19
More informationMcGraw-Hill Technology Education McGraw-Hill Technology Education
McGraw-Hill Technology Education McGraw-Hill Technology Education Copyright 2006 by The McGraw-Hill Companies, Inc. All rights reserved. Copyright 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
More informationComputer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065
Computer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065 Introduction The Computer Forensics and Investigation course presents methods to properly conduct a computer forensics investigation
More informationSSD Guru. Installation and User Guide. Software Version 1.4
SSD Guru Installation and User Guide Software Version 1.4 Contents Welcome!............................................................................. 1 Key features.........................................................................
More informationDefining Digital Forensic Examination and Analysis Tools Using Abstraction Layers
Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers Brian Carrier Research Scientist @stake Abstract This paper uses the theory of abstraction layers to describe the purpose
More informationOne Solution for Real-Time Data protection, Disaster Recovery & Migration
One Solution for Real-Time Data protection, Disaster Recovery & Migration Built-in standby virtualisation server Backs up every 15 minutes up to 12 servers On and Off-site Backup User initialed file, folder
More informationLukas Limacher Department of Computer Science, ETH. Computer Forensics. September 25, 2014
Lukas Limacher Department of Computer Science, ETH Zürich Computer Forensics September 25, 2014 Contents 9 Computer Forensics 1 91 Objectives 1 92 Introduction 2 921 Incident Response 2 922 Computer Forensics
More informationComputer Forensics: Permanent Erasing
Computer Forensics: Permanent Erasing Prepared By : Yousef T. Aburabie and Mohamd Alomari Supervised By: Dr. Lo ai Tawalbeh, New York Institute of Technology (NYIT)-Jordan s campus-2006 Introduction "Delete"
More informationinformation security and its Describe what drives the need for information security.
Computer Information Systems (Forensics Classes) Objectives for Course Challenges CIS 200 Intro to Info Security: Includes managerial and Describe information security and its critical role in business.
More informationWindows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours
Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours Introduction The following lab allows the trainee to obtain a more in depth knowledge of network security and
More informationCHAPTER 17: File Management
CHAPTER 17: File Management The Architecture of Computer Hardware, Systems Software & Networking: An Information Technology Approach 4th Edition, Irv Englander John Wiley and Sons 2010 PowerPoint slides
More information2013 Boston Ediscovery Summit. Computer Forensics for the Legal Issue-Spotter
2013 Boston Ediscovery Summit Computer Forensics for the Legal Issue-Spotter 2006-2013 James Berriman CEO, Evidox Corporation A Preliminary Comment Issue spotting applies to the practice of ediscovery
More informationBlackBerry 10.3 Work and Personal Corporate
GOV.UK Guidance BlackBerry 10.3 Work and Personal Corporate Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network
More informationWindows OS File Systems
Windows OS File Systems MS-DOS and Windows 95/98/NT/2000/XP allow use of FAT-16 or FAT-32. Windows NT/2000/XP uses NTFS (NT File System) File Allocation Table (FAT) Not used so much, but look at as a contrast
More informationWhat is Digital Forensics?
DEVELOPING AN UNDERGRADUATE COURSE IN DIGITAL FORENSICS Warren Harrison PSU Center for Information Assurance Portland State University Portland, Oregon 97207 warren@cs.pdx.edu What is Digital Forensics?
More informationHow To Get A Computer Hacking Program
CHFI v8(computer Hacking Forensics Investigator) Course Description & Overview Overview CHFIv8 Course Description EC-Council releases the brand new Version 8 of the Computer Hacking Forensics Investigator
More informationCDFE Certified Digital Forensics Examiner (CFED Replacement)
Course: CDFE Certified Digital Forensics Examiner (CFED Replacement) Description: Price: $3,450.00 Category: Popular Courses Duration: 5 days Schedule: Request Dates Outline: COURSE OVERVIEW Computer Forensics
More informationLectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003
Lectures 9 Advanced Operating Systems Fundamental Security Computer Systems Administration TE2003 Lecture overview At the end of lecture 9 students can identify, describe and discuss: Main factors while
More informationActive @ UNDELETE Users Guide
Active @ UNDELETE Users Guide Contents 2 Contents Legal Statement...5 Active@ UNDELETE Overview... 6 Getting Started with Active@ UNDELETE... 7 Active@ UNDELETE Views And Windows... 7 Recovery Explorer
More informationThat Point of Sale is a PoS
SESSION ID: HTA-W02 That Point of Sale is a PoS Charles Henderson Vice President Managed Security Testing Trustwave @angus_tx David Byrne Senior Security Associate Bishop Fox Agenda POS Architecture Breach
More informationRecover data from a defective Fujitsu desktop drive
Data Compass - Case Study Recover data from a defective Fujitsu desktop drive Symptom: Data on the Fujitsu desktop drive is not accessible directly by the client. The initial diagnosis implies that the
More informationUSB 3.0 DUAL SATA HDD DOCKING STATION
USB 3.0 DUAL SATA HDD DOCKING STATION User Manual (DA-70547) Introduction DA-70547 is a USB3.0 enabled dual-sata hard drive enclosure. It supports simultaneously use of two 2.5 or 3.5 SATA hard disk for
More informationCyber Security Response to Physical Security Breaches
Cyber Security Response to Physical Security Breaches INTRODUCTION Physical break-ins and other unauthorized entries into critical infrastructure locations, such as electrical power substations, have historically
More informationCSCA0102 IT & Business Applications. Foundation in Business Information Technology School of Engineering & Computing Sciences FTMS College Global
CSCA0102 IT & Business Applications Foundation in Business Information Technology School of Engineering & Computing Sciences FTMS College Global Chapter 2 Data Storage Concepts System Unit The system unit
More informationipod Forensics Update
Abstract ipod Forensics Update Matthew Kiley Tim Shinbara Marcus Rogers Purdue University Cyber Forensics Laboratory Department of Computer and Information Technology Purdue University From student to
More informationHow To Restore An Org Server With Anor Backup For Windows 7.5.2 (Oracle)
Oracle Server Backup User Guide TABLE OF CONTENTS Introduction... 2 Oracle Server Backup... 3 Features... 3 Requirements for Oracle server backup... 3 How to enable ARCHIVELOG Mode... 3 System Requirements...
More informationEnCase Portable. Extend Your Forensic Reach with Powerful Triage & Data Collection
GUIDANCE SOFTWARE EnCase Portable EnCase Portable Extend Your Forensic Reach with Powerful Triage & Data Collection GUIDANCE SOFTWARE EnCase Portable EnCase Portable Triage and Collect with EnCase Portable
More informationCOS 318: Operating Systems
COS 318: Operating Systems File Performance and Reliability Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Topics File buffer cache
More informationWindows Administration Terminal Services, AD and the Windows Registry. INLS 576 Spring 2011 Tuesday, February 24, 2011
Windows Administration Terminal Services, AD and the Windows Registry INLS 576 Spring 2011 Tuesday, February 24, 2011 Terminal Services Uses RDP (Remote Desktop Protocol), relies on TCP/IP, and falls under
More informationNorton Save and Restore
Norton Save and Restore Norton Save and Restore User's Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
More informationUpgrading Client Security and Policy Manager in 4 easy steps
Page 1 of 13 F-Secure White Paper Upgrading Client Security and Policy Manager in 4 easy steps Purpose This white paper describes how to easily upgrade your existing environment running Client Security
More information