Digital Forensics
Tom Pigg, Executive Director, Tennessee CSEC



Definitions
- Digital forensics: obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.
- Analyzes and investigates data that can be retrieved from a computer's hard disk or other storage media.
- Yields information about how a perpetrator or attacker gained access to a network.

Definitions (continued)
- Data recovery: recovering information that was deleted by mistake or lost during a power surge or server crash.
- Uses the same techniques as computer forensics to retrieve information that was lost.
- Also recovers data that was intentionally deleted; in a forensic case the goal is evidence, not restoring the user's files.

Computer Investigations
- Computer investigations and forensics fall into two distinct categories: public investigations and private (corporate) investigations.
- Public investigations involve government agencies responsible for criminal investigation and prosecution.
- Investigators must observe the legal guidelines that govern search, seizure, and the handling of evidence.

Computer Investigations (continued)
- Private or corporate investigations deal with private companies and are not governed directly by criminal law.
- They are governed by internal policies that define expected employee behavior and conduct in the workplace.
- Such investigations are usually civil matters, but evidence should be collected and preserved to the same standard as in a criminal case, since a policy violation can turn out to be a crime.

Digital Forensics
- The role of the digital forensics professional is to gather and document evidence that establishes whether a suspect committed a crime or violated a company policy.
- Findings must be reproducible by another examiner working from the same evidence.

Investigation Plan
- Prepare a forensics workstation.
- Obtain the evidence and document its chain of custody.
- Make a forensic copy of the evidence.
- Return the original evidence to a secure container.
- Process the copied evidence with computer forensics tools.

Digital Forensics Lab Setup
- A workstation.
- A write-blocker device, so the suspect disk cannot be modified while it is read.
- A computer forensics acquisition tool.
- A computer forensics analysis tool.
- A target drive to receive the source (suspect) disk data.

Acquiring the Image
- First rule of digital forensics: preserve the original evidence.
- Conduct your analysis only on a copy of the data.
- Hash the original and the copy and confirm the values match before any analysis begins; record the values in the case log.
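The acquisition steps above (copy the evidence bit for bit, work only on the copy, leave the original untouched) as an added Python example; this is not code from the original slides. A plain file stands in for the suspect drive: a real acquisition reads the block device (for example /dev/sdb) through a hardware write blocker, and the constructed byte pattern written by make_sample_evidence() replaces that device. The image is opened in exclusive-create mode so an existing image is never overwritten, its hash is computed from a second read of the finished file rather than from the bytes in memory, it is made read-only, and the source is hashed again afterwards to confirm the acquisition did not change it.

```python
import datetime
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size; keeps memory flat on a multi-terabyte source


def hash_file(path, algo="sha256"):
    """Hash a file in chunks; returns the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def acquire(source, image, algo="sha256"):
    """Bit-stream copy `source` to `image`, then validate the copy.

    Returns an acquisition record for the case log. Raises if the image
    already exists, if the image hash differs from the source hash, or if
    the source hash changed during the copy (write blocker failure, or a
    live source that is still being written to).
    """
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    h_src = hashlib.new(algo)
    size = 0
    # 'xb' refuses to open an existing file: an image is written exactly once.
    with open(source, "rb") as src, open(image, "xb") as img:
        for buf in iter(lambda: src.read(CHUNK), b""):
            h_src.update(buf)
            img.write(buf)
            size += len(buf)
        img.flush()
        os.fsync(img.fileno())
    os.chmod(image, 0o444)                 # analysis happens on a read-only copy
    src_hash = h_src.hexdigest()
    img_hash = hash_file(image, algo)      # re-read from disk; do not trust the in-memory bytes
    src_again = hash_file(source, algo)    # the original must be unchanged by the acquisition
    if img_hash != src_hash:
        raise RuntimeError(f"image hash {img_hash} != source hash {src_hash}")
    if src_again != src_hash:
        raise RuntimeError("source changed during acquisition; check the write blocker")
    return {
        "started": started,
        "source": source,
        "image": image,
        "bytes": size,
        "algorithm": algo,
        "hash": src_hash,
        "verified": True,
    }


def make_sample_evidence(path, size=1_000_003):
    """Constructed stand-in for a suspect drive: a deterministic byte pattern
    whose length is not a multiple of CHUNK, so the last partial read is exercised."""
    data = bytes((i * 31 + 7) & 0xFF for i in range(size))
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def demo():
    """Acquire the constructed sample and return the acquisition record."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "suspect.raw")
    img = os.path.join(tmp, "case001-suspect.dd")
    expected = make_sample_evidence(src)
    record = acquire(src, img)
    assert record["hash"] == expected
    return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10s} {value}")
```

The record returned by acquire() is the minimum a chain-of-custody log needs: when the copy was made, from what, to what, how many bytes, and the hash that every later analyst can recompute over the image to show it is still the same evidence.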

Analyzing the Image
- Recover data from deleted files, file fragments, complete files, slack space, unpartitioned space, and voids between partitions.
- Deleted files linger on the disk until new data is saved to the same physical location (on SSDs, TRIM may zero those blocks much sooner than on a spinning disk).

Analyzing the Image (continued)
- Search for keywords of interest in the case.
- Export the data important to the case.
- Generate a report of your activities.

Validating Data
- The most critical aspect of computer forensics.
- Requires using a hashing algorithm.
- Validation techniques: CRC-32, MD5, and SHA-1 through SHA-512.
- Practical collisions have been demonstrated for both MD5 and SHA-1, so record SHA-256 or stronger (or two different algorithms) for evidence.

Hash Algorithms
- Cyclic Redundancy Check (CRC): a mathematical algorithm that determines whether a file's contents have changed. Not considered a forensic hashing algorithm, because anyone can craft a different file with the same CRC.
- Message Digest 5 (MD5): a mathematical function that translates a file into a hexadecimal value, the hash value. If a single bit or byte in the file changes, the hash value changes.

Hash Algorithms (continued)
Three rules for forensic hashes:
- You cannot predict the hash value of a file or device.
- No two different files should produce the same hash value (strictly, finding two such files must be computationally infeasible, since there are more possible files than hash values).
- If anything changes in the file or device, the hash value must change.
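Why CRC-32 is not a forensic hash, and what the three rules above buy you, as an added Python example that is not part of the original slides. It appends four chosen bytes to a tampered file so that the file's CRC-32 matches the original file's CRC-32, then shows that MD5, SHA-1 and SHA-256 of the two files still differ, and that flipping a single bit of the original changes its SHA-256. The standard reflected CRC-32 table is recomputed inline; the reversal works because every table entry has a distinct top byte, so each step of the CRC register can be undone. The two "evidence" strings are constructed for the example.

```python
import hashlib
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320), the one zlib uses.
_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (0xEDB88320 ^ (_c >> 1)) if (_c & 1) else (_c >> 1)
    _TABLE.append(_c)
# Every table entry has a distinct top byte, so the top byte of the register
# after a step identifies the table index that step used. That is what lets
# the register be run backwards.
_REV = {t >> 24: i for i, t in enumerate(_TABLE)}
assert len(_REV) == 256


def forge_crc32_suffix(data, wanted_crc):
    """Return 4 bytes s such that zlib.crc32(data + s) == wanted_crc.

    Forward step (zlib): reg = TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8).
    Backward pass: from the wanted register value, recover the table index
    used by each of the last four steps. Forward pass: from the register
    after `data`, pick each byte so the step lands on that index.
    """
    target = wanted_crc ^ 0xFFFFFFFF          # zlib XORs the register with all-ones at the end
    idxs = []
    t = target
    for _ in range(4):
        idx = _REV[t >> 24]
        idxs.append(idx)
        t = ((t ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    idxs.reverse()                             # the order the steps are applied in
    reg = zlib.crc32(data) ^ 0xFFFFFFFF        # register state after `data`
    suffix = bytearray()
    for idx in idxs:
        suffix.append((reg ^ idx) & 0xFF)
        reg = _TABLE[idx] ^ (reg >> 8)
    assert reg == target
    return bytes(suffix)


def digests(data):
    """The checksums the Validating Data slide lists, side by side."""
    return {
        "crc32": f"{zlib.crc32(data):08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def demo():
    # Constructed sample evidence and a doctored version of it.
    original = b"Transfer 100.00 USD to account 12345678\n"
    tampered = b"Transfer 999.00 USD to account 87654321\n"
    patched = tampered + forge_crc32_suffix(tampered, zlib.crc32(original))
    d_orig, d_patch = digests(original), digests(patched)
    # Rule 3 (any change alters the hash): flip one bit of the original.
    flipped = bytes([original[0] ^ 0x01]) + original[1:]
    return {
        "crc32_collides": d_orig["crc32"] == d_patch["crc32"],
        "md5_collides": d_orig["md5"] == d_patch["md5"],
        "sha1_collides": d_orig["sha1"] == d_patch["sha1"],
        "sha256_collides": d_orig["sha256"] == d_patch["sha256"],
        "bit_flip_changes_sha256": digests(flipped)["sha256"] != d_orig["sha256"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {result}")
```

In a real document the four bytes would be hidden in a comment, a padding field or metadata, which is why a matching CRC proves nothing about integrity against a deliberate change. MD5 and SHA-1 cannot be forged this cheaply, but collisions for both have been demonstrated, so SHA-256 is the value to put in the case log.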

Understanding File Systems
- A file system gives the OS a road map to the data on a disk.
- The type of file system an OS uses determines how data is stored on the disk.
- When you need to access a suspect's computer to acquire or inspect data, you should be familiar with the computer's platform.

Understanding File Systems (continued)
- In Microsoft file structures, sectors are grouped to form clusters: storage allocation units of one or more sectors.
- Clusters are typically 512, 1024, 2048, 4096, or more bytes each.
- Hidden partitions or voids are large unused gaps between partitions on a disk; a partition gap is unused space between partitions.

Understanding File Systems (continued)
- Microsoft OSs allocate disk space for files by cluster, which results in drive slack: the unused space in a cluster between the end of an active file and the end of the cluster. Slack can hold remnants of whatever previously occupied that cluster.
- You can examine a partition at the physical level with a disk editor such as Norton DiskEdit, WinHex, or Hex Workshop.
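Deleted data and drive slack, as described on the Analyzing the Image slide and the two file system slides above, as an added Python example that is not part of the original slides. ToyVolume is a constructed cluster-allocated volume with a directory and an allocation bitmap, not a real FAT or NTFS implementation; it writes only a file's own bytes into its clusters and, on delete, releases the clusters without touching the data, which is exactly what produces slack and recoverable deleted files. search() then runs a keyword search over the raw image and reports where each hit lives: in an active file, in that file's slack, in an allocated cluster with no directory entry, or in unallocated space.

```python
from collections import Counter

CLUSTER = 1024  # bytes per cluster; the slides list 512, 1024, 2048, 4096 or more


class ToyVolume:
    """Constructed stand-in for a cluster-allocated volume (not FAT or NTFS):
    a flat byte array, an allocation bitmap, and a directory of name -> clusters."""

    def __init__(self, clusters):
        self.disk = bytearray(clusters * CLUSTER)
        self.allocated = [False] * clusters
        self.directory = {}  # name -> (cluster list, logical size in bytes)

    def write_file(self, name, data):
        need = -(-len(data) // CLUSTER)  # ceiling division: clusters required
        free = [i for i, used in enumerate(self.allocated) if not used][:need]
        if len(free) < need:
            raise OSError("volume full")
        for n, c in enumerate(free):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            # Only the file's own bytes are written. The rest of the last cluster
            # keeps whatever was there before: that is drive slack.
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.allocated[c] = True
        self.directory[name] = (free, len(data))

    def delete_file(self, name):
        # Deleting releases the clusters in the bitmap; the bytes stay on disk
        # until a later write reuses the cluster.
        clusters, _ = self.directory.pop(name)
        for c in clusters:
            self.allocated[c] = False


def search(volume, keyword):
    """Keyword search over the raw image. Each hit is classified by the
    cluster holding its first byte: active file data, that file's slack,
    an allocated cluster with no directory entry, or unallocated space."""
    owner = {}  # cluster -> (file name, bytes of the file inside that cluster)
    for name, (clusters, size) in volume.directory.items():
        for n, c in enumerate(clusters):
            owner[c] = (name, min(CLUSTER, size - n * CLUSTER))
    image = bytes(volume.disk)
    hits = []
    pos = image.find(keyword)
    while pos >= 0:
        c, off = divmod(pos, CLUSTER)
        if c in owner:
            name, used = owner[c]
            where = f"active file {name}" if off < used else f"slack of {name}"
        elif volume.allocated[c]:
            where = "allocated, no directory entry"
        else:
            where = "unallocated (deleted data)"
        hits.append((pos, where))
        pos = image.find(keyword, pos + 1)
    return hits


def demo():
    """Write a file, delete it, reuse part of its space, then search the image.
    Returns the number of keyword hits per location type."""
    vol = ToyVolume(clusters=8)
    note = b"PROJECT-ALPHA meeting notes: transfer the funds on friday. " * 30  # 1770 bytes, 2 clusters
    vol.write_file("plan.txt", note)
    vol.delete_file("plan.txt")
    vol.write_file("readme.txt", b"Nothing to see here.\n")  # 21 bytes, reuses cluster 0
    hits = search(vol, b"PROJECT-ALPHA")
    return dict(Counter(where for _, where in hits))


if __name__ == "__main__":
    for where, count in demo().items():
        print(f"{count:3d} hits in {where}")
```

Of the 30 occurrences of the keyword that plan.txt once held, only the first is gone: it sat in the 21 bytes that readme.txt overwrote. The 17 after it in the same cluster survive in readme.txt's slack, and the 12 in the second cluster survive in unallocated space. A directory listing shows none of them; a search of the raw image finds 29.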

Compression
- NTFS provides compression: files, folders, or entire volumes can be compressed.
- Most computer forensics tools can uncompress and analyze compressed Windows data.

Encryption
- Encrypting File System (EFS) implements a public-key/private-key method of encrypting files, folders, or disk volumes.
- When EFS is set up, a recovery certificate can be generated for a data recovery agent (by default the local Windows administrator account on older Windows versions; the slides note Windows Server 2008 as an exception), so the files can be decrypted without the user's private key.
- Without the user's private key or a recovery agent's key, EFS-encrypted files in an image cannot be read.
- Users can apply EFS to files stored on their local workstations or on a remote server.

Registry
- The Registry is a database that stores hardware and software configuration information, network connections, user preferences, and setup information.
- For investigative purposes, the Registry can contain valuable evidence.
- To view the Registry you can use Regedit/Regedt32 on a live system, or a forensic Registry viewer that reads the hive files directly from the image.

Virtual Machines
- A virtual machine allows you to create a representation of another computer on an existing physical computer.
- Many current digital forensics tools recognize VMs and can open their virtual disk files.

Digital Forensics Tools
- EnCase
- FTK
- ProDiscover
- Helix
- Autopsy
- The Sleuth Kit

Contact Information
Dr. Thomas L. Pigg
Professor of Computer Information Systems
Jackson State Community College
2046 N. Parkway, Jackson, TN
(731) Ext. 201


More information

Computer Forensics as an Integral Component of the Information Security Enterprise

Computer Forensics as an Integral Component of the Information Security Enterprise Computer Forensics as an Integral Component of the Information Security Enterprise By John Patzakis 10/28/03 I. EXECUTIVE SUMMARY In addition to fending off network intrusions and denial of service attacks,

More information

Digital Forensics & e-discovery Services

Digital Forensics & e-discovery Services Digital Forensics & e-discovery Services U.S. Security Associates Digital Forensics & e-discovery Services 21st century fraud investigations require expert digital forensics skills to deal with the complexities

More information

National District Attorneys Association National Center for Prosecution of Child Abuse. Computer Forensics for Prosecutors

National District Attorneys Association National Center for Prosecution of Child Abuse. Computer Forensics for Prosecutors National District Attorneys Association National Center for Prosecution of Child Abuse Computer Forensics for Prosecutors February 18-19, 2013 Portland, Oregon Detective Michael Smith Computer Crimes &

More information

Introduction. IMF Conference September 2008

Introduction. IMF Conference September 2008 Live Forensic Acquisition as Alternative to Traditional Forensic Processes Marthie Lessing* Basie von Solms Introduction The Internet and technology developments introduced a sharp increase in computer

More information

Computer Forensics. Securing and Analysing Digital Information

Computer Forensics. Securing and Analysing Digital Information Computer Forensics Securing and Analysing Digital Information Aims What is a computer? Where is the evidence? Why is digital forensics important? Seizing evidence Encryption Hidden files and folders Live

More information

Minnesota State Community and Technical College Detroit Lakes Campus

Minnesota State Community and Technical College Detroit Lakes Campus Computer Network Security Minnesota State Community and Technical College Detroit Lakes Campus Overview Philosophy Note on 2 year Colleges Certifications Program Courses CCDC Program Numbers Faculty Future

More information

Yiwo Tech Development Co., Ltd. EaseUS Todo Backup. Reliable Backup & Recovery Solution. EaseUS Todo Backup Solution Guide. All Rights Reserved Page 1

Yiwo Tech Development Co., Ltd. EaseUS Todo Backup. Reliable Backup & Recovery Solution. EaseUS Todo Backup Solution Guide. All Rights Reserved Page 1 EaseUS Todo Backup Reliable Backup & Recovery Solution EaseUS Todo Backup Solution Guide. All Rights Reserved Page 1 Part 1 Overview EaseUS Todo Backup Solution Guide. All Rights Reserved Page 2 Introduction

More information

How-To Guide Image a Hard Disk Using FTK Imager

How-To Guide Image a Hard Disk Using FTK Imager How-To Guide Image a Hard Disk Using FTK Imager Document Version 1.0 June 24, 2011 Michael G. Spohn mspohn@malware-hunters.net Introduction This document is a member of the How-To series of guides provided

More information

PIVOT Lab - Forensic Image Extraction

PIVOT Lab - Forensic Image Extraction PIVOT Lab - Forensic Image Extraction (portions of this lab are made available via sharing with CyFor Modules, NYU Polytechnic School of Engineering) Part 1= how to image a drive Part 2 = extracting evidence

More information

Enterprise Backup Overview Protecting Your Most Important Asset

Enterprise Backup Overview Protecting Your Most Important Asset Enterprise Backup Overview Protecting Your Most Important Asset For more information, please contact: Email: sales@canadianwebhosting.com Phone: 888-821-7888 Canadian Web Hosting (www.canadianwebhosting.com)

More information

Administering Microsoft SQL Server 2012 Databases

Administering Microsoft SQL Server 2012 Databases Administering Microsoft SQL Server 2012 Databases Install and Configure (19%) Plan installation. May include but not limited to: evaluate installation requirements; design the installation of SQL Server

More information

Computer Forensic Capabilities

Computer Forensic Capabilities Computer Forensic Capabilities Agenda What is computer forensics? Where to find computer evidence Forensic imaging Forensic analysis What is Computer Forensics? The preservation, identification, extraction,

More information

IOS110. Virtualization 5/27/2014 1

IOS110. Virtualization 5/27/2014 1 IOS110 Virtualization 5/27/2014 1 Agenda What is Virtualization? Types of Virtualization. Advantages and Disadvantages. Virtualization software Hyper V What is Virtualization? Virtualization Refers to

More information

MS 20687 Configuring Windows 8.1

MS 20687 Configuring Windows 8.1 P a g e 1 of 12 MS 20687 Configuring Windows 8.1 About this Course Get expert instruction and hands-on practice administering and configuring Windows 8.1 in this 5-day Microsoft Official Course. This course

More information

Lecture Computer Forensics. Chapter 4: Data Acquisition and Foundations of File System Analysis

Lecture Computer Forensics. Chapter 4: Data Acquisition and Foundations of File System Analysis Harald Baier Securing Phase/FS Foundations / WS 2011/2012 2/44 Lecture Computer Forensics Chapter 4: and Foundations of File System Analysis Harald Baier Hochschule Darmstadt, CASED WS 2011/2012 Harald

More information

Attix5 Pro Disaster Recovery

Attix5 Pro Disaster Recovery Attix5 Pro Disaster Recovery Recommended steps An overview of the recommended steps for a disaster recovery. Copyright notice and proprietary information This document is published by Attix5 or its local

More information

Advanced Methods and Techniques

Advanced Methods and Techniques 2013 CTIN Digital Forensics Conference Advanced Methods and Techniques Brett Shavers 2013 CTIN Digital Forensics Conference The XWF Book Not done yet Eric Zimmerman (FBI) is the coauthor Jimmy Weg is the

More information

EnCase 7 - Basic + Intermediate Topics

EnCase 7 - Basic + Intermediate Topics EnCase 7 - Basic + Intermediate Topics Course Objectives This 4 day class is designed to familiarize the student with the many artifacts left behind on Windows based media and how to conduct a forensic

More information

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015 Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure Addressing the Concerns of the IT Professional Rob Weber February 2015 Page 2 Table of Contents What is BitLocker?... 3 What is

More information

Course 20409A: Server Virtualization with Windows Server Hyper-V and System Center Exam Code: Duration: 40 Hrs

Course 20409A: Server Virtualization with Windows Server Hyper-V and System Center Exam Code: Duration: 40 Hrs Course 20409A: Server Virtualization with Windows Server Hyper-V and System Center Exam Code: 74-409 Duration: 40 Hrs Course Outline Module 1: Evaluating the Environment for Virtualization This module

More information

Legal Notices. AccessData Corp.

Legal Notices. AccessData Corp. Legal Notices AccessData Corp. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability

More information