1 ITU Session Four: Device Imaging And Analysis Mounir Kamal Q-CERT
2 2 Applying Forensic Science to Computer Systems Like a Detective, the archaeologist searches for clues in order to discover and reconstruct something that happened. Like the detective, the archaeologist founds no clues, too small or insignificant. And like the detective, the archaeologist must usually work with fragmentary and often confusing information. Finally, the detective and the archaeologist have their goal the completion of a report, base on a study of their clues, that not only tell us what happened but prove it. (1966 Meighan Archaeology)
3 3 The Forensic Process The nature of the electronic evidence is such that it poses special challenges for its admissibility in Court. To meet these challenges, follow proper forensic procedures including and not limited to
4 4 Central Processing Unit The CPU is the Core of any Computer system, including all new devices especially the one we would like to Collect, Examine, or Analyze The first stage in the boot process is to get the CPU started With an electrical pulse coming from the power supply Once the CPU is started, it goes to the basic input and output system (BIOS)
5 5 POST and CMOS -Bios contains a program called the power-on self test (POST). -Post tests the fundamental components of the computer. -Computers use CMOS RAM chips to retain the date, time, hard drives, and others When collecting digital evidence from a computer, it is often necessary to interrupt the boot process and examine the CMOS setting such as Date, Time, Hard Drive configuration, And Boot Sequence
6 6 CASE EXAMPLE (UNITED STATES v. ZACARIAS MOUSSAOUI 2003 During the trial of convicted terrorist Zacarias Moussaoui: The laptop had lost all power including CMOS battery; The government examined its contents, making it more difficult to authenticate the associated digital evidence; The loss of all power means the original date and time can not be retrieved; Nor the type of port and peripherals enabled; And it lost the setting of hard disk parameters and the controller as well. Fortunately the CMOS settings were recorded when the laptop was originally processed by Secret Service Agency on SEP 11,2001 before the power was lost.
7 7 System Boot Operating System extends the functions of the BIOS, and acts as an interface between the computer and the outside world. The ability to prevent a computer from using the operating system on the hard disk is important when the disk contains evidence. Knowing How to Change The Boot Sequence of a Computer Before Power-on IS A MUST In one case a technician was asked to note the system time of a computer before removing the hard disk. He booted and tried to interrupt the boot process to access the CMOS, not using the correct Hotkey. As a result, the system booted from the evidentiary hard drive, altering the date-time stamps of files
8 8 Cryptographic Hash Function is a Transformation that takes an input of string or message of any length and produce a fixed length string as output sometimes termed a message digest or a digital fingerprint. This near uniqueness makes hashing algorithms like MD5 important tools for documenting Digital evidence.
9 9 Collection and Preservation The goal of digital preservation is to maintain the ability to display, retrieve, and use digital collections in the face of rapidly changing technological and organizational infrastructures and elements.
10 10 CASE EXAMPLE In one homicide case, law enforcement seized the victim's computer but instead of treating it as they would any other piece of evidence, ence, they placed the computer in an office, turned it on and operated it to see what they could find thus altering the system and potentially destroying useful date-time time stamp information and other data. Additionally, they connected to the victim's Internet account, thus t altering data on the e server and creating log entries that alarmed other investigators because they did not know who had accessed the victim's account after her death.
11 11 Collection Options Collect Hardware Collect all digital evidence, leave hardware Only collect the digital evidence that you need
12 12 Collection options Collect Hardware Relevant Cybercrime Categories Advantage Hardware as Fruits of crimes Hardware as instrumentality Hardware as evidence Hardware contains large amount of digital evidence Requires little technical expertise The method is relatively simple and less open to criticism Hardware can be examined later in a controlled environment Hardware is available for others to examine at a later date Disadvantage Risks damaging the equipment in transit Risks not being able to boot (BIOS password) Risks not being able to access all evidence on the drive (e.g. EFS) Risks liability for unnecessary disruption of business Develops a bad reputation for heavy handedness It will not be applicable in some cases like investigation of servers
13 13 Collection options Collect All digital evidence, leave hardware Relevant Cybercrime Categories Advantage Information as Fruits of crimes Information as instrumentality Information as evidence Digital evidence can be examined later in a controlled environment Working with a copy prevents damage of original evidence Minimizes the risk of damaging hardware and disrupting business Disadvantage Requires equipment and technical expertise Risks not being able to access all evidence on the drive (e.g. EFS) Risks missing evidence (Protected Area) Risks destroying evidence (Content of RAM) Time Consuming Methods are more open to criticism than collecting hardware because more can go wrong
14 14 Collection options Only collect the digital evidence that you need Relevant Cybercrime Categories Advantage Information as Fruits of crimes Information as instrumentality Information as evidence Allows for a range of expertise Can ask for help from system admin/owner Quick and inexpensive Avoids risks and liabilities of collecting hardware Disadvantage Can miss or destroy evidence (e.g. rootkit) Methods are most open to criticism because more can go wrong than collecting all of the evidence
15 15 Chain of Custody Refers to the document or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence. For evidence to be used in court to convict persons of crimes, it must be handled in an intensively careful manner to avoid later allegations of tampering or misconduct which can compromise the case of the prosecution toward acquittal.
16 16 CASE EXAMPLE A A group of computer intruders gained unauthorized access to an IRIX I server and used it to store stolen materials, including several credit card databases stolen from e-commerce e Web sites. A system administrator made copies of the stolen materials along with log files and other items left by the intruders. The system administrator combined all of the files into a large compressed archive and transferred the archive, via the network, to a system with a CD-ROM burner. Unfortunately, the compressed archive file became corrupted in transit t but this was not realized until the investigators attempted to open the archive a at a later date. By this time, the original files had been deleted from the IRIX system. It was possible to recover some data from the archive file but not enough to build a solid case.
17 17 Preserving The Evidence Bitstream Copying (Imaging) V. Regular Copying
18 18 Bitstream Copying (Forensic Image) Bitstream copying duplicates everything in the cluster including anything that is in the slack space and unallocated space. Important Rules when doing Forensic Image: Use a Write Blocker whenever you interact with the digital evidence To be sure no alteration will be done to your evidence Hash digital evidence before imaging it To verify the digital evidence imaging process Create at least two images from two different tools of the Digital Evidence To make sure at least one of the images was successful
19 19 Imaging Computer Storage Methods of imaging Computer Storage: Hardware Duplication Device Forensic Workstation Evidence Acquisition Boot Disk with direct device connected Evidence Acquisition Boot Disk with Network Connection
20 20 Hardware Duplication Device Images Drives up to 5.5 GB per minutes Stores entire images in single ISO file (DD type files) Hashing (MD5) to ease forensic validation Of the data Use specific converter to work with Image laptop drives or SATA drives The Main benefit of Using Hardware Duplication Device is that It Cuts your Imaging Time In Half
21 21 Forensic Workstation Forensic Workstation with Write Blocker Built-in Image a wide range of Harddisk Storage Use any imaging software like DD, Encase, FTK Use any Hashing algorithms you require The main benefit of Using Forensic Workstation is flexibility Video Clip Write Blocker
22 22 Evidence Acquisition Boot Disk with direct device connected Use any imaging software like DD, FTK imager Use any Hashing algorithms you required Use other forensic tools for fast investigation One of the best open source CDs to do these functions is Helix You do not need to open the digital evidence and remove the harddisk
23 23 Evidence Acquisition Boot Disk with Network Connection Use any imaging software like DD, FTK imager Use any Hashing algorithms you required Use NetCat to transfer the Image from the evidence to the Forensic System You do not need to open the digital evidence and remove the harddisk
24 24 Evidence Acquisition- Others In the Field of computer forensics, you deal with gathering digital evidence available in different types of devices such as Flash Memory CD/DVD PDA Mobile Phone ipod Printer Scanner Camera Fax Machine
25 25 Evidence Acquisition- Flash Memory How OS accesses Flash File Systems -In Case of Hard disk the OS accesses the hard disk through File system Driver FSD. The FSD issues Commands to the hard disk for ATA command to read sector or logical block address. -A USB flash disk presents itself to the OS as disk storage, then the FSD commands are channeled to the USB through the USB flash Disk, the USB flash controller interprets the access commands in flash memory. -The LBA and ATA commands will not be the same as the physical address in a flash chip. The information for mapping an LBA to a Physical location is stored in the flash Memory.
26 26 Evidence Acquisition- Flash Memory Tools used for Flash Memory acquisition -DD Command -Encase -FTK imager -Sleuth kit & Autopsy (Open Source forensic tools) Notes: Write blocker must used when Imaging flash memory Video Clip
27 27 Evidence Acquisition- PDA Modern PDAs are hybrid devices integrating wireless, Bluetooth, infrared, WiFi, mobile phone, camera, global positioning system, basic computing capabilities, Internet etc. Investigating crimes involving PDAs are more challenging than those involving normal computers. This is mainly because these devices are more compact, battery operated and store data in volatile memory. A PDA is never really turned off as long as it has sufficient battery power. Evidence residing in PDA is highly volatile in nature.
28 28 Evidence Acquisition- PDA Forensic tools acquire data from a PDA device in one of two ways: Physical acquisition implies a bit-by-bit copy of an entire physical store (e.g., a disk drive or RAM chip). logical acquisition implies a bit-by-bit copy of logical storage objects (e.g. directories and files). physical acquisition is preferable, since it allows any data remnants present (e.g., unallocated RAM or unused file system space) to be examined. Some Tools Used in PDA Acquisition and Analysis: EnCase PDA Seizure Paraben for PDA POSE
29 29 Evidence Acquisition- Mobile Phone Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods. Mobile Phone forensics includes the analysis of both SIMM and Phone Memory each requires a separate procedure. Information Stored in Mobile Phone -Phone numbers and Addresses -Photo, Video, and Voice Records -SMS, MMS Messages and s -Notes -Meting Schedule and Tasks -Call Log
30 30 Evidence Acquisition- Mobile Phone Some Tools Used in Mobile Phone Acquisition and Analysis: -Oxygen -Paraben -Cell Seizure -MOBILEedit! -OPM -TULP2G
31 31 Evidence Acquisition Output
32 32 Examination and Analysis Examination is preparing digital evidence to facilitate the analysis stage. Preservation, traceability, validation and filter techniques, pattern matching, hidden data recovery and extraction (DFRWS Model) It includes Filter/Reduction Class/Individual characteristics Data Recovery / Salvage Data Recovery /Salvage already known for the most of US
33 33 Examination Filter and Reduction Eliminating valid system files and other known entities that have no relevance to the investigation. Focusing on investigation on the most probable User-Created data Less methodical data reduction techniques such as searching for specific keywords or extracting only certain type of files, may not only miss important clues but can still leave the examiners floundering in a sea of superfluous data
34 34 Examination Class characteristics Two important questions when examining digital evidence What is it classification/identification? Where did it come from (evolution of source)? To Determine if file with a.doc is Microsoft Word or Word Perfect It is class characteristic and in this case you have to examine the header of the file EXAMPLE: a virus/worm called Melissa hit the Internet. Melissa traveled in a Microsoft Word document that was attached to an message. This virus/worm propagated so quickly that it overloaded many servers, and forced several large organizations to shut down their servers to prevent further damage. It was widely reported that David Smith, the individual who created the virus/worm, was tracked down with the help of a feature of Microsoft Office and GUID filed in the word file.
35 35 Examination Data Recovery Recovery using Automated tools to re-link the recent deleted file to the FAT (Tools: FTK, EnCase, and Norton) File Carving by searching in the unallocated space and swap file for class characteristic such as file header (Tools: FTK, EnCase, Easy Recovery, and OnTrack) Recovery from Password protection and Encryption Many tools can recover files protected by passwords Password logon when performing function reconstruction using restored clone of Windows 2000/NT/XP using L0ptcrack will be useful The most powerful tools currently available are PRTK and DNA from Access Data
36 36 Live View Demo is developed by CERT, Software Engineering Institute Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image out physical disk. Full disk raw images Bootable partition raw images Physical Disks (attached via a USB or Firewire bridge) Windows 2003, XP, 2000, NT, Me, 98 Linux (limited support) Video Clip
37 37 Analysis Example: Microsoft Windows Log files log files can record which account was used to access a system at a given time. User accounts allow two forms of access to computers. File System Traces An individual's actions on a computer leave many traces that digital investigators can use to glean what occurred on the system. Registry The Registry on Windows NT/2000/XP is comprised of several hive files located in "%systemroot%\system32\config" and a hive file named "ntuser.dat" for each user account. Windows systems use the Registry to store system configuration and usage details
38 38 Analysis Example: Microsoft Windows-2 Internet Traces Accessing the Internet leaves a wide variety of information on a computer including Web sites, and contents viewed. Web Browser: When an individual first views a Web page the browser caches the page and associated elements such as images on disk such as: Cached pages and images Internet History activity Cookies files for Internet Browsing Pasco is one of the open source tools for analyzing the Index.dat Files Web Historian is a free tool analyzing the web history FTK is commercial software to reconstruct the visited web sites
39 39 Analysis Example: Microsoft Windows-3 - clients often contain messages that have been sent from and received at a given computer. FTK is used to view a file containing with Word document attachments. FTK can interpret a variety of proprietary formats, including Outlook. EnCase can also interpret some of these proprietary formats using the View File Structure feature.
40 40 Reconstruction Investigation reconstruction leads to a more complete picture of a crime What happened, who caused the events when, where, how, and why Three types of reconstruction: Functional Analysis Relational Analysis Temporal Analysis
41 41 Reconstruction Functional Analysis There are several purpose to assigning how a computer system functioned To Determine if the individual or computer was capable of performing actions necessary to commit the crime. To gain a better understanding of a piece of digital evidence or the crime as a whole. To prove that digital evidence was tampered with. To gain insight into an offender s intent and motive. To determine the proper working of the system during the relevant time period.
42 42 Reconstruction Relational Analysis To identify relationships between suspect, Victim, and Crime Scene It will be useful to create nodes representing places, , IP addresses used, Telephone number,.
43 43 Temporal Analysis When Investigating a crime, it is usually desirable to know the time and sequence of events. Most operating systems keep track of the creation, last modification and access time of files and folders.
44 44 References Digital Evidence and Computer Crime-Forensic Science (Eoghan Casey) Electronic Crime Scene Investigation (US Department Of Justice)
What is computer forensics? The preservation, recovery, analysis and reporting of digital artifacts including information stored on computers, storage media (such as a hard disk or CD-ROM), an electronic
Digital Forensics Tutorials Acquiring an Image with FTK Imager Explanation Section Digital Forensics Definition The use of scientifically derived and proven methods toward the preservation, collection,
DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE Vahidin Đaltur, Kemal Hajdarević, Internacional Burch University, Faculty of Information Technlogy 71000 Sarajevo, Bosnia
Operating Systems Forensics Section II. Basic Forensic Techniques and Tools CSF: Forensics Cyber-Security MSIDC, Spring 2015 Nuno Santos Summary! Windows boot sequence! Relevant Windows data structures!
Computer Forensics and Digital Investigation Computer Security EDA263, lecture 14 Ulf Larson Lecture outline! Introduction to Computer Forensics! Digital investigation! Conducting a Digital Crime Scene
Digital Forensics Dr. Vic Fay-Wolfe Department of Computer Science University of Rhode Island Topics What is Digital Forensics? Cases Digital Forensics Practice Algorithms and Computer Sci Digital Forensics
Overview of Computer Forensics Don Mason, Associate Director National Center for Justice and the Rule of Law University of Mississippi School of Law [These materials are based on 4.3.1-4.3.3 in the National
Digital Forensics Tom Pigg Executive Director Tennessee CSEC Definitions Digital forensics Involves obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases Analyze
Acquisition and Tools COMP 2555: Principles of Computer Forensics Autumn 2014 http://www.cs.du.edu/2555 1 Planning Your Investigation! A basic investigation plan should include the following activities:!
Computer Forensic Capabilities Agenda What is computer forensics? Where to find computer evidence Forensic imaging Forensic analysis What is Computer Forensics? The preservation, identification, extraction,
: Managing, Maintaining, and Troubleshooting, 5e Chapter 3 Installing Windows Objectives How to plan a Windows installation How to install Windows Vista How to install Windows XP How to install Windows
Computer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065 Introduction The Computer Forensics and Investigation course presents methods to properly conduct a computer forensics investigation
Live Forensic Acquisition as Alternative to Traditional Forensic Processes Marthie Lessing* Basie von Solms Introduction The Internet and technology developments introduced a sharp increase in computer
Incident Response and Computer Forensics James L. Antonakos WhiteHat Forensics Incident Response Topics Why does an organization need a CSIRT? Who s on the team? Initial Steps Detailed Project Plan Incident
Introduction to Data Forensics Jeff Flaig, Security Consultant January 15, 2014 WHAT IS COMPUTER FORENSICS Computer forensics is the process of methodically examining computer media (hard disks, diskettes,
DEVELOPING AN UNDERGRADUATE COURSE IN DIGITAL FORENSICS Warren Harrison PSU Center for Information Assurance Portland State University Portland, Oregon 97207 firstname.lastname@example.org What is Digital Forensics?
I Digital Forensic A newsletter for IT Professionals Education Sector Updates Issue 10 I. Background of Digital Forensic Definition of Digital Forensic Digital forensic involves the collection and analysis
Live View A New View On Forensic Imaging Matthiew Morin Champlain College Morin 1 Executive Summary The main purpose of this paper is to provide an analysis of the forensic imaging tool known as Live View.
Design and Implementation of a Live-analysis Digital Forensic System Pei-Hua Yen Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan email@example.com
Guide to Computer Forensics and Investigations, Second Edition Chapter 4 Current Computer Forensics Tools Objectives Understand how to identify needs for computer forensics tools Evaluate the requirements
COMPUTER FORENSICS (EFFECTIVE 2013-14) ACTIVITY/COURSE CODE: 5374 (COURSE WILL BE LISTED IN THE 2013-14 CATE STUDENT REPORTING PROCEDURES MANUAL) COURSE DESCRIPTION: Computer Forensics is focused on teaching
EC-Council Ethical Hacking and Countermeasures Description This class will immerse the students into an interactive environment where they will be shown how to scan, test, hack and secure their own systems.
EnCase 7 - Basic + Intermediate Topics Course Objectives This 4 day class is designed to familiarize the student with the many artifacts left behind on Windows based media and how to conduct a forensic
Digital Forensic Techniques Namrata Choudhury, Sr. Principal Information Security Analyst, Symantec Corporation Professional Techniques T23 CRISC CGEIT CISM CISA AGENDA Computer Forensics vs. Digital Forensics
The Proper Acquisition, Preservation, & Analysis of Computer Evidence: Guidelines & Best-Practices Introduction As organizations rely more heavily on technology-based methods of communication, many corporations
Computer Intrusion Forensics Literature Review Nathan Balon CIS 544 October 20, 2003 Title Computer Forensics: Incident Response Essentials by Warren G. Kruse II and Jay G. Heiser Reviewed by Nathan Balon
Universität Mannheim Praktische Informatik I 21.03.2007 Examining and imaging data on running systems using LiveWire" Steven W. Wood Master of Science (Florida Institute of Technology) ALSTE Technologies
Digital Forensics Fundamentals 1 P a g e Table of Contents 1. Overview of Digital Forensics... 3 2. Evaluation of Digital forensic tools... 5 2.1 Encase Digital forensic tool... 5 2.1.1 Benefits with Encase
ITU Session Two: Conduct a forensically safe investigation Mounir Kamal Mkamal@Qcert.org Q-CERT 2 The Importance of Crime Scene One of the main goals in an investigation is to attribute the crime to its
Lars Daniel,, EnCE, ACE, CTNS Digital Forensic Examiner Digital Forensics for Attorneys Overview of Digital Forensics Digital Forensics For Attorneys Overview of Digital Forensics Types of Digital Evidence
April 18th, 2005 1 2 3 Objectives Evidence acquisition Recovery and examination of suspect digital evidence (think Warrick Brown on CSI) Hardware: servers, workstations, laptops, PDAs, mobiles, cameras
1 of 5 9/27/2006 3:52 PM Forensics on the Windows Platform, Part Two Jamie Morris 2003-02-11 Introduction This is the second of a two-part series of articles discussing the use of computer forensics in
Computer Forensics as an Integral Component of the Information Security Enterprise By John Patzakis 10/28/03 I. EXECUTIVE SUMMARY In addition to fending off network intrusions and denial of service attacks,
Digital Forensics Larry Daniel Introduction A recent research report from The Yankee Group found that 67.6 percent of US households in 2002 contained at least one PC The investigators foresee three-quarters
Forensic Toolkit Sales and Promotional Summary ACCESSDATA, ON YOUR RADAR What is AccessData s Forensic Toolkit? Also known as FTK, this application enables you to perform complete and thorough computer
State of the art of Digital Forensic Techniques Enos K. Mabuto 1, H. S Venter 2 Department of Computer Science University of Pretoria, Pretoria, 0002, South Africa Tel: +27 12 420 3654 Email: firstname.lastname@example.org
Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers Brian Carrier Research Scientist @stake Abstract This paper uses the theory of abstraction layers to describe the purpose
Computer Forensic Tools Stefan Hager Overview Important policies for computer forensic tools Typical Workflow for analyzing evidence Categories of Tools Demo SS 2007 Advanced Computer Networks 2 Important
1 Chapter 7 Securing Information Systems LEARNING TRACK 3: COMPUTER FORENSICS For thirty years, a serial murderer known as the BTK killer (standing for bind, torture, and kill) remained at large in Wichita,
Impact of Digital Forensics Training on Computer Incident Response Techniques Valorie J. King, PhD Collegiate Associate Professor University of Maryland University College Presentation to AFCEA June 25,
COURCE TITLE DURATION CompTIA A+ Certification 40 H. Overview: The target student is anyone with basic computer user skills who is interested in: obtaining a job as an IT professional or PC technician.
Technical Data Cloning Utility for Rockwell Automation Industrial Computers Topic Page About the Cloning Utility 2 Recovery Partition Considerations 2 Prepare to Boot from the Accessories CD 3 Start the
Discovering Computers 2008 Chapter 8 Operating Systems and Utility Programs Chapter 8 Objectives Identify the types of system software Summarize the startup process on a personal computer Summarize the
ENTERPRISE COMPUTER INCIDENT RESPONSE AND FORENSICS TRAINING MODULE A INTRODUCTION TO COMPUTER FORENSICS AND NVESTIGATIONS A1.0 Explain concepts related to computer forensics. A1.1 This module is measured
Getting Physical with the Digital Investigation Process Brian Carrier Eugene H. Spafford Center for Education and Research in Information Assurance and Security CERIAS Purdue University Abstract In this
FORENSIC ANALYSIS OF USB MEDIA EVIDENCE Jesús Alexander García Luis Alejandro Franco Juan David Urrea Carlos Alfonso Torres Manuel Fernando Gutiérrez UPB 2012 Content INTRODUCTION... 3 OBJECTIVE 4 EVIDENCE
Lecture 6: Operating Systems and Utility Programs Chapter 8 Objectives Identify the types of system software Summarize the startup process on a personal computer Summarize the features of several stand-alone
Computer and Phone Forensics Califorensics i Don Vilfer, JD, ACE 916-789-1602 Don@Califorensics.com www.califorensics.com WHY DO WE CARE ABOUT FORENSICS? Lawyers and Investigators need to be equipped to
AN INVESTIGATION INTO COMPUTER FORENSIC TOOLS K.K. Arthur 1 H.S. Venter 2 Information and Computer Security Architectures (ICSA) Research Group University of Pretoria Pretoria Department of Computer Science
7 TM 7 Enhance business functionality and productivity with guaranteed protection from 7 Server 7 Server is a total backup and recovery solution for Windows. With support for all operating systems, 7 Server
An overview of IT Security Forensics Manu Malek, Ph.D. Stevens Institute of Technology email@example.com www.cs.stevens.edu/~mmalek April 2008 IEEE Calif. 1 Outline Growing Threats/Attacks Need for Security
7 TM 7 Automat backup and restore management for all networked laptops & workstations from a centralized administrating console 7 Advanced Workstation assures that critical business information is well
SecureDoc Disk Encryption Cryptographic Engine FIPS 140-2 Non-Proprietary Security Policy Abstract: This document specifies Security Policy enforced by SecureDoc Cryptographic Engine compliant with the
Developing Computer Forensics Solutions for Terabyte Investigations Eric Thompson Corporation Orem, Utah USA www.accessdata.com Overview Computer Forensic Definition, Objectives and Policies History of
Course Title: Computer Forensic Specialist: Data and Image Files Page 1 of 9 Course Description The Computer Forensic Series by EC-Council provides the knowledge and skills to identify, track, and prosecute
To Catch a Thief: Computer Forensics in the Classroom Anna Carlin firstname.lastname@example.org Steven S. Curl email@example.com Daniel Manson firstname.lastname@example.org Computer Information Systems Department California
IAPE STANDARDS SECTION 16 DIGITAL EVIDENCE IAPE STANDARD SECTION 16.1 DIGITAL EVIDENCE Standard: Digital evidence is a critical element of modern criminal investigation that should be maintained in strict
CERIAS Tech Report 2003-29 GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS Brian Carrier & Eugene H. Spafford Center for Education and Research in Information Assurance and Security, Purdue University,
The Legal Argument 1 email@example.com Abstract This paper addresses digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, a
7 TM 7 Simplify and automate backup and recovery manageability while maintaining business continuity 7 Advanced Server is FarStone s next generation backup and recovery utility to protect your business
Windows Forensics Vista Forensic Toolkit, FTK Imager and Registry Viewer Advanced Three-day Instructor-led Workshop T his advanced workshop provides the knowledge and skills necessary to analyze Microsoft
7 7 Enhance business functionality and productivity with guaranteed protection from 7 Server 7 Server is a total backup and recovery solution for Windows. With support for all operating systems, 7 Server
Technology in Action Alan Evans Kendall Martin Mary Anne Poatsy Eleventh Edition Technology in Action Chapter 4 System Software: The Operating System, Utility Programs, and File Management. Chapter Topics
SUMMARIES OF VIDEOS GRADE 11 SYSTEMS TECHNOLOGIES 1. Case Study - Understanding Computers and Computing A computer is an electronic device that can accept, process and store data by following instructions
1 Cell Phone Forensics For Legal Professionals Lars E. Daniel, EnCE, ACE, AME, CTNS, SCE, SCCM, SCA Digital Forensics Examiner Cell Phone Acquisition and Examination Collection and Acquiring Cell Phones
Retrieving Internet chat history with the same ease as a squirrel Yuri Gubanov CEO, Belkasoft http://belkasoft.com SANS Forensic Summit September 21, 2011 London, Great Britain What is Instant Messenger!
7 TM 7 Simplify and automate backup and recovery manageability while maintaining business continuity 7 Advanced Server is FarStone s next generation backup and recovery utility to protect your business
Can Computer Investigations Survive? An Examination of Microsoft and its Effect on Computer Forensics December 2001 by Kimberly Stone and Richard Keightley 2001 Guidance Software All Rights Reserved Executive
Marshal Ltd. Date: 02/06/2007 Marshal EndPoint Security From Best Practice Document Hints and Tips Marshal Software Ltd CSL 005 Marshal EndPoint Security Best Practice (2) Privacy Control: None Version:
1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction
Lesson 4 Managing Applications, Services, Folders, and Libraries Learning Objectives Students will learn to: Understand Local versus Network Applications Remove or Uninstall an Application Understand Group
Digital Evidence and Computer Forensics Don Mason Associate Director Copyright 2012 National Center for Justice and the Rule of Law All Rights Reserved Objectives After this session, you will be able to:
What You Will Learn... Computers Are Your Future Chapter 4 The two major components of operating system software Why a computer isn t useful without an operating system The five basic functions of an operating
Discovery of Electronically Stored Information ECBA conference Tallinn October 2012 Jan Balatka, Deloitte Czech Republic, Analytic & Forensic Technology unit Agenda Introduction ediscovery investigation
Chapter 8 Objectives Chapter 8 Operating Systems and Utility Programs Identify the the types types of of system software Summarize the the startup process on on a a personal computer Describe the the functions
EFFICIENT FORENSIC TOOLS FOR HANDHELD DEVICES: A COMPREHENSIVE PERSPECTIVE Somasheker Akkaladevi 1 1 Virginia State University Department of Computer Information Systems Petersburg, Virginia 23806, USA
Larry E. Daniel, EnCE, DFCP, BCE Digital Forensic Examiner Digital Forensics for Attorneys An Overview of Digital Forensics About Your Presenter EnCase Certified Examiner (EnCE) Digital Forensics Certified
Total Backup Recovery Ultimate Backup & Recovery Solution for Businesses & Organizations Total Backup Recovery 7 Series is a total backup and recovery solution for businesses and organizations. The series
A+ Guide to Managing and Maintaining Your PC, 7e Chapter 16 Fixing Windows Problems Objectives Learn what to do when a hardware device, application, or Windows component gives a problem Learn what to do
Live System Forensics By: Tim Fernalld & Colby Lahaie Patrick Leahy Center for Digital Investigation Champlain College 2/22/12 Contents Contents... 1 1 Introduction... 2 1.1 Research Statement... 2 1.2
" - * INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION CHRIS PROSISE KEVIN MANDIA McGraw-Hill /Osborne New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul