Incident Response and Computer Forensics


James L. Antonakos, WhiteHat Forensics

Incident Response Topics
- Why does an organization need a CSIRT?
- Who's on the team?
- Initial Steps
- Detailed Project Plan
- Incident Response Flowchart
- Digital Forensics
- An Actual Incident
- Table Top Exercises

Computer Forensics Topics
- What is Computer Forensics?
- Why do we need Computer Forensics?
- Live Analysis Versus Static Analysis
- Capturing a Drive Image
- The Organization of Hard Disks
- The Organization of File Systems
- The FAT File System
- The NTFS File System
- The EXT3 File System
- Where's the Data?
- Forensic Tools

Why does an organization need a CSIRT?
An organization needs a CSIRT if it uses computers, no matter what the size of the organization.
- No matter how well trained, an employee is still vulnerable.
- Non-existent security policies and processes also contribute to vulnerabilities.
- No matter how well protected, a computer is still vulnerable.

Who's on the team?
The CSIRT members come from all areas of the organization:
- Information Technology
- Help Desk
- Human Resources
- Public Relations
- Legal
- Fiscal
- Facilities
- External Consultant

Initial Steps
Starting up the CSIRT involves the following steps:
1. Obtain approval from upper management to create the CSIRT.
2. Invite the initial members to meet.
3. Explain the purpose of the CSIRT and the core services it provides.
4. Describe the role of each member of the team.
5. Assign a CSIRT leader / main point of contact.
6. Develop a detailed project plan for implementation.
7. Execute the project plan and become operational.
8. Evaluate CSIRT effectiveness.

Detailed Project Plan
The detailed project plan involves the following steps:
1. Establish team communication method.
2. Decide on hours of operation.
3. Determine incident reporting and tracking procedures.
4. Devise the incident response flowchart.
5. Perform table top exercises.
6. Establish how an incident is escalated.
7. Develop CSIRT policies.
8. Determine QA metrics.
9. Partner with another CSIRT.
10. Roll out CSIRT to organization.

Incident Response Flowchart (figure)

Incident Response Flowchart (figure, continued)

What is Computer Forensics?
- Computer Forensics is a process used to locate digital information that may be used to help prove guilt or innocence.
- Computer Forensics procedures must be properly followed to avoid contamination (altering) of the evidence (information).
- It is very important to maintain the Chain of Custody.

Digital Forensics
Digital Forensics is performed to record the state of a system at the time of an incident, assist law enforcement, and help determine how an incident occurred and what happened. In the event that digital forensics is required, there are several procedures to follow. In all parts of the activity, proper documentation should be maintained, such as recording the time and date the evidence was handled, who handled the evidence, and the reason the evidence was handled.

First, determine if live or static forensics are required on a system:
- Live Forensics: performed on a running system.
- Static Forensics: performed on an evidence image.

Digital Forensics: Live Forensics
This is performed on a running system. There is digital evidence present on a running system that is not present on a system that has been off. This evidence includes:
- Time / date
- Logged on user
- Remote users
- Windows clipboard data
- What is on the Desktop
- Running processes and services
- The contents of RAM
- Mapped network drives
- Network traffic and open connections
In addition to this evidence, everything covered under static forensics can also be examined.

Digital Forensics: Static Forensics
This is performed on an image of a hard disk collected using appropriate law enforcement techniques (chain of custody maintained, a write blocker used during image capture, the use of hashing to verify the integrity of the forensic image). This evidence includes examining:
- Existing files: user created files, such as Office documents and photos
- Internet history
- IM logs
- System Event logs
- Hidden files and folders
- Encrypted files
- The Registry
- PAGEFILE.SYS and HIBERFIL.SYS
- Deleted files
- File slack space
- Unallocated disk space

An Actual Incident
Names were changed to protect the innocent. Prior to the CSIRT being established, a company experienced a security incident involving ransomware. A remote staff member was reading email and clicked on a link that opened a ZIP file containing a PDF document. When she opened the PDF, her system became quite unresponsive. Even though her system was connected to the organization via a VPN, she became concerned and called the Help Desk. The Help Desk had her disconnect her system from the VPN.

The system was still slow and unresponsive while the Help Desk asked routine questions. Then a ransom message appeared, informing the staff member that her files had been encrypted and stating the amount of money to be paid via Bitcoin in order to obtain the decryption key.

An Actual Incident (figure)

An Actual Incident
At no time during this process did the endpoint protection software indicate the presence of malware. The Help Desk instructed the staff member to mail her system back to the organization, as they would provide a new system. When the Help Desk team member got off the phone, he informed the head network engineer of the situation. Since remote employees connecting over VPN have one or more organizational drives mapped to the remote system, the network engineer thought it likely that files on the organization's file servers had been encrypted as well.

The network engineer looked up the affected staff member in Active Directory to determine her role and the file and folder permissions in effect for her. Because permission was properly limited to only the files she needed to access to perform her work, the number of encrypted files encountered on the organization's systems was very small. These files were restored from backup. As a result of this incident, additional security awareness training for all employees was conducted, with emphasis on safe use of email and web browsing.

Table Top Exercises
Table top exercises consist of mock scenarios that are used to test the effectiveness of the incident response flowchart. Here is a short list of scenarios:
1. Web page defacement
2. Malware / Ransomware infection
3. Social Engineering activity
4. Unknown Remote Desktop activity
5. Distributed Denial of Service attack underway
6. New Security Advisory
7. Unauthorized Access / Compromised Accounts
8. Employee engaging in inappropriate activity
9. Information Asset theft / Data breach discovered
10. Rogue wireless access point discovered
11. Intentional damage to equipment

Table Top Exercises
Here are some sample questions that may help direct the discussion of the scenario:
- Who decides how many incident response team members would participate in handling this incident?
- Besides the incident response team, what groups within the organization would be involved in handling this incident?
- To which external parties would the incident be reported? When would each report occur? How would each report be made?
- What other communications with external parties may occur? Report to another CSIRT?
- What tools and resources are necessary to handle this incident?
- What aspects of the response would be different if the incident occurs at a different day and time (on hours versus off hours)?
- What aspects of the response would be different if the incident occurs at a different location (onsite versus offsite)?

Hands on Activity
1. Break into small groups.
2. Choose a table top scenario.
3. Discuss whether it is an event or an incident.
4. If it is an incident, go through the incident response flowchart and gauge the effectiveness of the flowchart in handling all aspects of the incident.
5. Share your findings with the other groups.

Why do we need Computer Forensics?
- Support law enforcement.
- Many types of documents are now stored electronically.
- Learn about the techniques used by cybercriminals.
- Computers may be the instrument used in a crime or the victim of a crime.

Live Analysis Versus Static Analysis
Live Analysis: forensics performed on a running system.
- There are more things to look at during a live analysis than a static analysis.
- Do you pull the plug or perform an orderly shutdown?
Static Analysis: forensics performed on a copy of the data from a system.
- This type of analysis is done most often.

Live Analysis
Things to record:
- System time and date.
- Users logged on to the system.
- Open network connections.
- Network drives mapped to the system.
- Processes that are running.
- What is on the Desktop and Clipboard.

Static Analysis
Things to look for:
- Registry entries.
- Hidden files and folders, encrypted files.
- Images, emails, IM logs, other files.
- Misnamed files.
- Deleted files.
- Data in unallocated space and slack space.

Capturing a Drive Image
- A write blocker must be used to prevent write operations on the drive being imaged. It can be software or hardware.
- The entire drive is imaged, including unallocated space, to a clean drive.
- The image must be verified to guarantee integrity. This is done using a hash function.

Capturing a Drive Image
- One bit is a 0 or a 1.
- One byte is 8 bits.
- One KB (Kilobyte) is 1024 bytes.
- One MB (Megabyte) is 1024 KB.
- One GB (Gigabyte) is 1024 MB.
- A 500 GB drive contains 536,870,912,000 bytes (over 143 million pages!!!).
- One TB (Terabyte) is 1024 GB.

Capturing a Drive Image
- The drive may be imaged via a USB or FireWire connection, or over the network.
- The size of the drive being imaged affects the time required to perform the capture.
- The speed of the connection also affects the time required to image the drive.
- A 500 GB drive may require 8 hours or several days to acquire.
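The verification and documentation steps the slides describe (hash the image, compare with the source hash, record who handled the evidence, when and why), in an added Python example that is not code from the presentation. File names, the evidence id, the handler name and the "drive" contents are constructed for the demo; SHA-256 as the hash and a JSON-lines custody log are assumptions.

```python
"""Verify an acquired drive image against the source hash and log its handling.

Added example, not part of the original slides. The file names, the evidence id
and the 'source drive' contents below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time: a 500 GB image must never be read into RAM at once


def hash_stream(fh, algorithm="sha256"):
    """Stream a file object through a hash function and return the hex digest."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: fh.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Digest of an in-memory buffer (handy for a single sector or a small file)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256"):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithm)


def verify_image(source_digest, image_path, algorithm="sha256"):
    """Return (ok, image_digest). ok is True only if the image hashes exactly to the
    digest taken from the source drive: a forensic image is a bit-for-bit copy, so
    any difference at all fails verification."""
    image_digest = hash_file(image_path, algorithm)
    return hmac.compare_digest(source_digest, image_digest), image_digest


def custody_entry(evidence_id, handler, reason, digest, when=None):
    """One chain-of-custody record: time, who handled the evidence, why, and the hash seen."""
    when = when or datetime.now(timezone.utc)
    return {
        "evidence_id": evidence_id,
        "time_utc": when.isoformat(timespec="seconds"),
        "handler": handler,
        "reason": reason,
        "sha256": digest,
    }


def append_custody_log(log_path, entry):
    """Append one JSON line per handling event; earlier lines are never rewritten."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")


def read_custody_log(log_path):
    with open(log_path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def demo():
    """Constructed walk-through: copy a fake drive, verify the copy, then show that a
    single altered byte (what an accidental write without a blocker looks like) fails."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")          # stands in for the suspect drive
        image = os.path.join(tmp, "evidence-0001.dd")     # the acquired image
        log = os.path.join(tmp, "custody.jsonl")

        # Constructed drive contents: ~3 MiB of a repeating pattern plus one trailing sector.
        with open(source, "wb") as fh:
            fh.write(b"\xaaHOT\x55" * (3 * CHUNK // 5) + b"\x00" * 512)
        source_digest = hash_file(source)

        # A correct bit-for-bit copy verifies and gets a custody record.
        with open(source, "rb") as src, open(image, "wb") as dst:
            dst.write(src.read())
        ok_copy, digest = verify_image(source_digest, image)
        append_custody_log(log, custody_entry("EV-0001", "examiner A",
                                              "image verified after capture", digest))

        # Change one byte in the image; the hash no longer matches the source.
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"\x00")
        ok_tampered, _ = verify_image(source_digest, image)

        return {"copy_verified": ok_copy,
                "tampered_verified": ok_tampered,
                "log_entries": len(read_custody_log(log))}


if __name__ == "__main__":
    print(demo())
```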

Image is Verified via a Hash (figure)

What is a File System?
- Establishes a logical organization for file storage over a wide range of physical storage devices.
- Makes it easy for users (and programs) to create, alter, copy, and delete files.
- Provides long term, high speed access to files.
- Enables file sharing over a network.

File System vs Operating System
- A file system is not an operating system.
- A file system needs an operating system in order to be useful.
- An operating system supports one or more file systems:
  Windows: FAT, NTFS
  Linux: EXT, FAT
  Mac OS X: HFS, FAT
Image source: electroniclighthouse.com.au

File System vs Operating System (figure)

The Organization of Hard Disks
- A hard disk contains one or more platters.
- Each platter contains two sides (surfaces).
- Each surface contains circular tracks divided into sectors.
- Each track may contain 64 sectors.
- Each sector contains 512 bytes of data.
- A 500 GB hard drive contains over 1 billion sectors.

Typical Hard Drive (figure)

Typical Hard Drive (figure, continued)

The Organization of Hard Disks
- The hard disk spins at a fast rate (5400 rpm or 7200 rpm).
- A read/write head hovers over the surface and picks up the magnetized 1s and 0s stored on the surface.
- Data is transferred between the disk and main memory on the motherboard.

The Organization of File Systems
- A File System is a logical way of organizing the sectors on a disk.
- Different Operating Systems support different file systems:
  Windows: FAT and NTFS
  Linux: EXT3
  Mac OS X: HFS+
- FAT is the most widely supported file system.

The Organization of File Systems
Sectors on a disk are allocated as follows for the FAT (File Allocation Table) file system:
- Boot sector
- FAT sectors
- Directory sectors
- Data sectors

Operation of FAT (figure)

Challenges of FAT
- After a lot of use (files created, edited, and deleted) the FAT becomes very fragmented.
- It is not easy to search through the FAT on a hard disk, as it is very large.
- We need software to interpret the FAT for us.
- File slack may contain valuable data.

Where is the File Slack? (figure)

What Happens when a File is Deleted?
- The file's entries in the FAT are set to free.
- The file's entry in the Directory has its first byte (letter) changed to an unprintable code (E5); all other file properties stay the same.
- The data content of the file remains stored on disk until overwritten.

A Sample Directory (figure)
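The deleted-entry behaviour on this slide carried through in an added Python example (not code from the presentation): it decodes 32-byte FAT 8.3 directory entries, flags entries whose first byte is E5 while keeping the size and first cluster that survive in the other 31 bytes, and computes the file slack left between end-of-file and the end of the last cluster. The directory bytes are constructed for the demo; 4 KiB clusters and zeroed date/time fields are assumptions.

```python
"""Parse FAT 8.3 directory entries, flag deleted ones, and size the file slack.

Added example, not from the slides. SAMPLE_DIR is constructed; the 4 KiB cluster
size is an assumption (it depends on the volume's boot sector).
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ENTRY_SIZE = 32
DELETED_MARK = 0xE5      # first byte of a deleted entry; the other 31 bytes are left as they were
END_OF_DIR = 0x00        # first byte 0x00: this entry and every one after it is unused
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = 0x0F    # VFAT long-name entry, not an 8.3 entry
SECTOR = 512
CLUSTER = 8 * SECTOR     # assumed 4 KiB clusters


@dataclass
class DirEntry:
    name: str            # "?" stands in for the first letter that E5 overwrote
    deleted: bool
    is_dir: bool
    first_cluster: int
    size: int


def parse_entry(raw: bytes) -> Optional[DirEntry]:
    """Decode one 32-byte entry; None for long-name, volume-label or end-of-directory entries."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("directory entries are exactly 32 bytes")
    first = raw[0]
    if first == END_OF_DIR:
        return None
    attrs = raw[0x0B]
    if attrs == ATTR_LONG_NAME or attrs & ATTR_VOLUME_ID:
        return None
    deleted = first == DELETED_MARK
    base = raw[0:8].decode("ascii", errors="replace").rstrip()
    ext = raw[8:11].decode("ascii", errors="replace").rstrip()
    if deleted:
        base = "?" + base[1:]        # the original first letter is gone; only the rest survives
    name = f"{base}.{ext}" if ext else base
    hi = struct.unpack_from("<H", raw, 0x14)[0]   # high 16 bits of the cluster (FAT32 only)
    lo = struct.unpack_from("<H", raw, 0x1A)[0]   # low 16 bits of the first cluster
    size = struct.unpack_from("<I", raw, 0x1C)[0]  # file size in bytes
    return DirEntry(name, deleted, bool(attrs & ATTR_DIRECTORY), (hi << 16) | lo, size)


def parse_directory(data: bytes) -> List[DirEntry]:
    """Walk a directory's sectors entry by entry until the 0x00 end marker."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break
        entry = parse_entry(raw)
        if entry is not None:
            entries.append(entry)
    return entries


def file_slack(size: int, cluster_bytes: int = CLUSTER) -> int:
    """Bytes between end-of-file and the end of its last cluster: older data can survive there."""
    if size == 0:
        return 0
    return (-size) % cluster_bytes


def make_entry(name, ext, first_cluster, size, attrs=ATTR_ARCHIVE, deleted=False) -> bytes:
    """Build a constructed 32-byte entry for the demo (date and time fields left zero)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[0x0B] = attrs
    struct.pack_into("<H", raw, 0x14, first_cluster >> 16)
    struct.pack_into("<H", raw, 0x1A, first_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 0x1C, size)
    if deleted:
        raw[0] = DELETED_MARK        # exactly what deletion does: one byte changes
    return bytes(raw)


# Constructed sample directory: a live file, a deleted file, a subdirectory, then the end marker.
SAMPLE_DIR = (
    make_entry("REPORT", "DOC", 0x0120, 10_000)
    + make_entry("BUDGET", "XLS", 0x0200, 5_000, deleted=True)
    + make_entry("PHOTOS", "", 0x0300, 0, attrs=ATTR_DIRECTORY)
    + bytes(ENTRY_SIZE)
)


def recoverable_files(data: bytes = SAMPLE_DIR, cluster_bytes: int = CLUSTER):
    """Deleted entries whose surviving size and first cluster still point at data on disk."""
    return [(e.name, e.first_cluster, e.size, file_slack(e.size, cluster_bytes))
            for e in parse_directory(data) if e.deleted and not e.is_dir]


if __name__ == "__main__":
    for name, cluster, size, slack in recoverable_files():
        print(f"{name}: first cluster {cluster}, {size} bytes, {slack} bytes of slack")
```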

The NTFS File System
- NTFS maintains a Master File Table that stores information (called metadata) about every file on the volume.
- Bear in mind that everything in NTFS is a file, including the list of bad clusters, the allocation bitmap that shows which clusters are allocated, and the transaction log that records all transactions on the volume.
- The structure of NTFS is more complicated than that of FAT, requiring around 10 MB for an empty file system, making NTFS unsuitable for floppy disks.

The NTFS File System (figures)

The NTFS File System (figures, continued)

Where's the Data?
- Registry.
- Files and folders.
- Deleted files.
- Unallocated space.
- Slack space.
- System files: INDEX.DAT, PAGEFILE.SYS, HIBERFIL.SYS
Image source: ebriatic.com

The EXT File System
- EXT2 was developed in 1993 for Linux.
- EXT3 added to Linux in [year missing]. Its main new feature was journaling, which has three modes: Journal, Ordered, Writeback.
- EXT4 added to Linux in [year missing]. Larger file systems supported.
Image source: technologicia.com

The EXT File System (figure)

The EXT File System
- Recovering a deleted file in EXT2 is very easy, as all information still resides in the inode for the file.
- Recovering a deleted file in EXT3 is much more difficult, as the block pointer fields in the inode (and in the indirect blocks) are zeroed out.
- All is not lost, however, as files may potentially be recovered by examining information contained in the journal.

Forensic Tools
- Hex editor: display, search, and modify hexadecimal data.
- Forensic analysis software: FTK (Forensic Toolkit), EnCase, Autopsy, X-Ways

FTK (Forensic ToolKit) (figure)

Forensic Tools
- Network traffic sniffer/analyzer
- Imaging software
- Hashing software
- Log file analyzer
- Steganography software

Skills Needed by a Forensic Examiner
- Knowledge of Operating Systems.
- Knowledge of File Systems.
- Must understand networking and TCP/IP.
- Must possess necessary software for imaging and analyzing images.
- Must possess additional software such as hex editor, log file analyzer, etc.
- Lots of patience!!!

Thank you!
James L. Antonakos
james@whitehatforensics.com
(607)


More information

EnCase v7 Essential Training. Sherif Eldeeb https://eldeeb.net

EnCase v7 Essential Training. Sherif Eldeeb https://eldeeb.net هللامسب EnCase v7 Essential Training What s in this course Explore the most notable features of the new version. Everything you need to know about EnCase v7 to conduct basic investigations. Create Cases

More information

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Electronic Information Security and Data Backup Procedures Date Adopted: 4/13/2012 Date Revised: Date Reviewed: References: Health Insurance Portability

More information

EaseUS Partition Master

EaseUS Partition Master Reviewer s Guide Contents Introduction... 2 Chapter 1... 3 What is EaseUS Partition Master?... 3 Versions Comparison... 4 Chapter 2... 5 Using EaseUS Partition Master... 5 Partition Manager... 5 Disk &

More information

Can Computer Investigations Survive Windows XP?

Can Computer Investigations Survive Windows XP? Can Computer Investigations Survive? An Examination of Microsoft and its Effect on Computer Forensics December 2001 by Kimberly Stone and Richard Keightley 2001 Guidance Software All Rights Reserved Executive

More information

Advanced Digital Forensics ITP 475 (4 Units)

Advanced Digital Forensics ITP 475 (4 Units) Advanced Digital Forensics ITP 475 (4 Units) Description In 2007, the FBI reported that over 200 major companies reported a loss of over 60 million dollars due to computer crime. Computers are becoming

More information

ScoMIS Encryption Service

ScoMIS Encryption Service Introduction This guide explains how to implement the ScoMIS Encryption Service for a secondary school. We recommend that the software should be installed onto the laptop by ICT staff; they will then spend

More information

BACKUP & RESTORE (FILE SYSTEM)

BACKUP & RESTORE (FILE SYSTEM) Table of Contents Table of Contents... 1 Perform a Backup (File System)... 1 What Gets Backed Up... 2 What Does Not Get Backed Up... 3 Perform a Restore... 4 Perform a Backup (File System) The following

More information

Introduction to Network Security Comptia Security+ Exam. Computer Forensics. Evidence. Domain 5 Computer Forensics

Introduction to Network Security Comptia Security+ Exam. Computer Forensics. Evidence. Domain 5 Computer Forensics Introduction to Network Security Comptia Security+ Exam Domain 5 Computer Forensics Computer Forensics Forensics relates to the application of scientific knowledge and method to legal problems Investigating

More information

QuickSpecs. Models. HP StorageWorks X510 3TB Data Vault. HP StorageWorks X500 Data Vault. HP StorageWorks X500 Data Vault.

QuickSpecs. Models. HP StorageWorks X510 3TB Data Vault. HP StorageWorks X500 Data Vault. HP StorageWorks X500 Data Vault. Overview Store it, Secure it, Share it! You have more pressing concerns than how to backup and share your data but you know it needs to be done and you know it would benefit your business. The series provides

More information

Digital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics

Digital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics Digital Forensics Lecture 3 Hard Disk Drive (HDD) Media Forensics Current, Relevant Topics defendants should not use disk-cleaning utilities to wipe portions of their hard drives before turning them over

More information

You have more pressing concerns than how to backup and share your data but you know it needs to be done and you know it would benefit your business.

You have more pressing concerns than how to backup and share your data but you know it needs to be done and you know it would benefit your business. Overview Store it, Secure it, Share it! You have more pressing concerns than how to backup and share your data but you know it needs to be done and you know it would benefit your business. The series provides

More information

Hands-On How-To Computer Forensics Training

Hands-On How-To Computer Forensics Training j8fm6pmlnqq3ghdgoucsm/ach5zvkzett7guroaqtgzbz8+t+8d2w538ke3c7t 02jjdklhaMFCQHihQAECwMCAQIZAQAKCRDafWsAOnHzRmAeAJ9yABw8v2fGxaq skeu29sdxrpb25zidxpbmznogtheories...ofhilz9e1xthvqxbb0gknrc1ng OKLbRXF/j5jJQPxXaNUu/It1TQHSiyEumrHNsnn65aUMPnrbVOVJ8hV8NQvsUE

More information

TELE 301 Lecture 7: Linux/Unix file

TELE 301 Lecture 7: Linux/Unix file Overview Last Lecture Scripting This Lecture Linux/Unix file system Next Lecture System installation Sources Installation and Getting Started Guide Linux System Administrators Guide Chapter 6 in Principles

More information

Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000

Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000 Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000 Richard Leickly and David Angell Circle Hook Data Recovery { Richard, David}@CircleHookDR.com

More information

Remote Network Accelerator

Remote Network Accelerator Remote Network Accelerator Evaluation Guide LapLink Software 10210 NE Points Drive Kirkland, WA 98033 Tel: (425) 952-6000 www.laplink.com LapLink Remote Network Accelerator Evaluation Guide Page 1 of 19

More information

McGraw-Hill Technology Education McGraw-Hill Technology Education

McGraw-Hill Technology Education McGraw-Hill Technology Education McGraw-Hill Technology Education McGraw-Hill Technology Education Copyright 2006 by The McGraw-Hill Companies, Inc. All rights reserved. Copyright 2006 by The McGraw-Hill Companies, Inc. All rights reserved.

More information

Computer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065

Computer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065 Computer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065 Introduction The Computer Forensics and Investigation course presents methods to properly conduct a computer forensics investigation

More information

SSD Guru. Installation and User Guide. Software Version 1.4

SSD Guru. Installation and User Guide. Software Version 1.4 SSD Guru Installation and User Guide Software Version 1.4 Contents Welcome!............................................................................. 1 Key features.........................................................................

More information

Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers

Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers Brian Carrier Research Scientist @stake Abstract This paper uses the theory of abstraction layers to describe the purpose

More information

One Solution for Real-Time Data protection, Disaster Recovery & Migration

One Solution for Real-Time Data protection, Disaster Recovery & Migration One Solution for Real-Time Data protection, Disaster Recovery & Migration Built-in standby virtualisation server Backs up every 15 minutes up to 12 servers On and Off-site Backup User initialed file, folder

More information

Lukas Limacher Department of Computer Science, ETH. Computer Forensics. September 25, 2014

Lukas Limacher Department of Computer Science, ETH. Computer Forensics. September 25, 2014 Lukas Limacher Department of Computer Science, ETH Zürich Computer Forensics September 25, 2014 Contents 9 Computer Forensics 1 91 Objectives 1 92 Introduction 2 921 Incident Response 2 922 Computer Forensics

More information

Computer Forensics: Permanent Erasing

Computer Forensics: Permanent Erasing Computer Forensics: Permanent Erasing Prepared By : Yousef T. Aburabie and Mohamd Alomari Supervised By: Dr. Lo ai Tawalbeh, New York Institute of Technology (NYIT)-Jordan s campus-2006 Introduction "Delete"

More information

information security and its Describe what drives the need for information security.

information security and its Describe what drives the need for information security. Computer Information Systems (Forensics Classes) Objectives for Course Challenges CIS 200 Intro to Info Security: Includes managerial and Describe information security and its critical role in business.

More information

Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours

Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours Introduction The following lab allows the trainee to obtain a more in depth knowledge of network security and

More information

CHAPTER 17: File Management

CHAPTER 17: File Management CHAPTER 17: File Management The Architecture of Computer Hardware, Systems Software & Networking: An Information Technology Approach 4th Edition, Irv Englander John Wiley and Sons 2010 PowerPoint slides

More information

2013 Boston Ediscovery Summit. Computer Forensics for the Legal Issue-Spotter

2013 Boston Ediscovery Summit. Computer Forensics for the Legal Issue-Spotter 2013 Boston Ediscovery Summit Computer Forensics for the Legal Issue-Spotter 2006-2013 James Berriman CEO, Evidox Corporation A Preliminary Comment Issue spotting applies to the practice of ediscovery

More information

BlackBerry 10.3 Work and Personal Corporate

BlackBerry 10.3 Work and Personal Corporate GOV.UK Guidance BlackBerry 10.3 Work and Personal Corporate Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network

More information

Windows OS File Systems

Windows OS File Systems Windows OS File Systems MS-DOS and Windows 95/98/NT/2000/XP allow use of FAT-16 or FAT-32. Windows NT/2000/XP uses NTFS (NT File System) File Allocation Table (FAT) Not used so much, but look at as a contrast

More information

What is Digital Forensics?

What is Digital Forensics? DEVELOPING AN UNDERGRADUATE COURSE IN DIGITAL FORENSICS Warren Harrison PSU Center for Information Assurance Portland State University Portland, Oregon 97207 warren@cs.pdx.edu What is Digital Forensics?

More information

How To Get A Computer Hacking Program

How To Get A Computer Hacking Program CHFI v8(computer Hacking Forensics Investigator) Course Description & Overview Overview CHFIv8 Course Description EC-Council releases the brand new Version 8 of the Computer Hacking Forensics Investigator

More information

CDFE Certified Digital Forensics Examiner (CFED Replacement)

CDFE Certified Digital Forensics Examiner (CFED Replacement) Course: CDFE Certified Digital Forensics Examiner (CFED Replacement) Description: Price: $3,450.00 Category: Popular Courses Duration: 5 days Schedule: Request Dates Outline: COURSE OVERVIEW Computer Forensics

More information

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003 Lectures 9 Advanced Operating Systems Fundamental Security Computer Systems Administration TE2003 Lecture overview At the end of lecture 9 students can identify, describe and discuss: Main factors while

More information

Active @ UNDELETE Users Guide

Active @ UNDELETE Users Guide Active @ UNDELETE Users Guide Contents 2 Contents Legal Statement...5 Active@ UNDELETE Overview... 6 Getting Started with Active@ UNDELETE... 7 Active@ UNDELETE Views And Windows... 7 Recovery Explorer

More information

That Point of Sale is a PoS

That Point of Sale is a PoS SESSION ID: HTA-W02 That Point of Sale is a PoS Charles Henderson Vice President Managed Security Testing Trustwave @angus_tx David Byrne Senior Security Associate Bishop Fox Agenda POS Architecture Breach

More information

Recover data from a defective Fujitsu desktop drive

Recover data from a defective Fujitsu desktop drive Data Compass - Case Study Recover data from a defective Fujitsu desktop drive Symptom: Data on the Fujitsu desktop drive is not accessible directly by the client. The initial diagnosis implies that the

More information

USB 3.0 DUAL SATA HDD DOCKING STATION

USB 3.0 DUAL SATA HDD DOCKING STATION USB 3.0 DUAL SATA HDD DOCKING STATION User Manual (DA-70547) Introduction DA-70547 is a USB3.0 enabled dual-sata hard drive enclosure. It supports simultaneously use of two 2.5 or 3.5 SATA hard disk for

More information

Cyber Security Response to Physical Security Breaches

Cyber Security Response to Physical Security Breaches Cyber Security Response to Physical Security Breaches INTRODUCTION Physical break-ins and other unauthorized entries into critical infrastructure locations, such as electrical power substations, have historically

More information

CSCA0102 IT & Business Applications. Foundation in Business Information Technology School of Engineering & Computing Sciences FTMS College Global

CSCA0102 IT & Business Applications. Foundation in Business Information Technology School of Engineering & Computing Sciences FTMS College Global CSCA0102 IT & Business Applications Foundation in Business Information Technology School of Engineering & Computing Sciences FTMS College Global Chapter 2 Data Storage Concepts System Unit The system unit

More information

ipod Forensics Update

ipod Forensics Update Abstract ipod Forensics Update Matthew Kiley Tim Shinbara Marcus Rogers Purdue University Cyber Forensics Laboratory Department of Computer and Information Technology Purdue University From student to

More information

How To Restore An Org Server With Anor Backup For Windows 7.5.2 (Oracle)

How To Restore An Org Server With Anor Backup For Windows 7.5.2 (Oracle) Oracle Server Backup User Guide TABLE OF CONTENTS Introduction... 2 Oracle Server Backup... 3 Features... 3 Requirements for Oracle server backup... 3 How to enable ARCHIVELOG Mode... 3 System Requirements...

More information

EnCase Portable. Extend Your Forensic Reach with Powerful Triage & Data Collection

EnCase Portable. Extend Your Forensic Reach with Powerful Triage & Data Collection GUIDANCE SOFTWARE EnCase Portable EnCase Portable Extend Your Forensic Reach with Powerful Triage & Data Collection GUIDANCE SOFTWARE EnCase Portable EnCase Portable Triage and Collect with EnCase Portable

More information

COS 318: Operating Systems

COS 318: Operating Systems COS 318: Operating Systems File Performance and Reliability Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Topics File buffer cache

More information

Windows Administration Terminal Services, AD and the Windows Registry. INLS 576 Spring 2011 Tuesday, February 24, 2011

Windows Administration Terminal Services, AD and the Windows Registry. INLS 576 Spring 2011 Tuesday, February 24, 2011 Windows Administration Terminal Services, AD and the Windows Registry INLS 576 Spring 2011 Tuesday, February 24, 2011 Terminal Services Uses RDP (Remote Desktop Protocol), relies on TCP/IP, and falls under

More information

Norton Save and Restore

Norton Save and Restore Norton Save and Restore Norton Save and Restore User's Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

Upgrading Client Security and Policy Manager in 4 easy steps

Upgrading Client Security and Policy Manager in 4 easy steps Page 1 of 13 F-Secure White Paper Upgrading Client Security and Policy Manager in 4 easy steps Purpose This white paper describes how to easily upgrade your existing environment running Client Security

More information