Digital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics
- Francis Walker
Slide 2: Current, Relevant Topics
- defendants should not use disk-cleaning utilities to wipe portions of their hard drives before turning them over to plaintiffs in the course of discovery
- RIAA asked the judge for a mirrored copy of Tschirhart's hard drive
- data was removed from the hard drive before it was turned over
- we found a number of file deletion programs and their log files
- Tschirhart's own expert: "consistent with defragmentation of the hard drive."
- Even though the hard drive had been altered, the investigators found evidence that
  - P2P software had been installed
  - music files had been downloaded
  - the wiping utilities had been removed as well
- Source: arstechnica.com
Slide 3: Research Topics Presentation Rules
- The goal is to pass on information that might be of value to a forensic investigator
- Fine to sit or stand
- Fine to use viewgraphs or not
- Any viewgraphs must be in PowerPoint format and must be e-mailed by 7:00 AM the day of the presentation
- Each presentation is limited to 5 minutes
- Depending on the material and level of interest, we may explore a topic further
- Write-up is due at presentation
Slide 4: This Week's Presentations
1. CD-R/RW and DVD+-R/RW media analysis
2. File carving
3. Tools for MAC digital forensics
Slide 5: Lecture Overview
[Diagram: process stages Legal/Policy, Preparation, Collection, Analysis, Findings/Evidence, Reporting/Action]
- Very Brief Overview of Lecture 2
- Isolation through virtualization
- Analysis and relevant tools
- High-level format (File System)
- Digital Forensic Tools
Slide 6: Brief Summary of Last Lecture
- Physical-layer forensic issues for HDDs
  - Materials, geometry, and low-level structure
  - HDD function and operation
  - Data recovery using physical-layer techniques
- The first level of abstraction (Volumes)
[Diagram: primary storage media divided into Volume 1, Volume 2 and unallocated space]
Slide 7: Module 1. Isolation Through Virtualization (e.g., VMware)
Slide 8: The Goal is to Maintain Integrity of the Investigation
[Diagram: the investigation environment. Labels: New Tools Testing, Investigator, Change Process, Unauthorized Users and Networks, Evidence Data, Analysis Data, Evidence Consumer, Tools, Reports, Incremental Reports. Actions shown on the arrows: ACCESS, READ, MODIFY, VERIFY, GENERATE]
Slide 9: VMware Will Serve as Our Investigation Environment
Slide 10: VMware Device Specifics
- Provides a variety of virtual hardware
  - HDD (IDE or SCSI)
    - Stored as a binary file on the host OS
    - Can add or remove HDD very easily
  - CD and DVD drives (IDE or SCSI)
    - Can use ISO image on host OS as CD or DVD
  - Memory (RAM) limited by physical RAM
  - USB 1.1 and 2.0
  - Floppy
    - Can use ISO image on host OS as floppy
  - NIC (Ethernet)
  - Audio Adapter
  - Serial port
  - Parallel port
  - Generic SCSI device
- Can save and revert to snapshots of system state
- Virtual hardware is very stable
Slide 11: Important Information About Our Analysis Virtual Machine
- We will use a Fedora Core VM for our analysis
  - User = root
  - Password = letmein
- Do not modify the analysis VM unless specified in lab instructions
Slide 12: Module 2. Analysis and Relevant Tools
Slide 13: Analysis of Volumes
- Generally the first step in media analysis
- Should occur after preservation of evidence
  - Media imaging or cloning are the generally accepted methods of preserving evidence
- Account for all storage space
  - Create a partition map and understand the resulting volumes
  - Requires careful accounting for each sector
- Guide analysis of other constructs, including higher-layer abstractions
  - File systems
  - Databases
  - Other logical containers, etc.
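Added example (not part of the original slides): a partition map that accounts for every sector of a disk, built from the master partition table in sector 0. The sample MBR, the 2000-sector disk size and all function names are constructed for illustration; only the four primary MBR entries are handled.

```python
import struct

SECTOR_SIZE = 512
MPT_OFFSET = 446      # the partition table follows the master boot code
ENTRY_SIZE = 16
PARTITION_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x82: "Linux swap", 0x83: "Linux"}


def parse_mpt(mbr):
    """Return the used primary partition entries of a 512-octet MBR, sorted by start."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    entries = []
    for slot in range(4):
        offset = MPT_OFFSET + slot * ENTRY_SIZE
        raw = mbr[offset:offset + ENTRY_SIZE]
        # boot flag, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
        boot_flag, ptype, start_lba, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0x00 or sectors == 0:
            continue  # unused slot
        entries.append({"slot": slot, "bootable": boot_flag == 0x80,
                        "type": ptype, "start": start_lba, "sectors": sectors})
    return sorted(entries, key=lambda e: e["start"])


def partition_map(mbr, total_sectors):
    """Return (first_sector, last_sector, description) rows covering the whole disk."""
    rows = [(0, 0, "MBR (boot code + partition table)")]
    cursor = 1  # next sector not yet accounted for
    for e in parse_mpt(mbr):
        last = e["start"] + e["sectors"] - 1
        if e["start"] < cursor or last >= total_sectors:
            raise ValueError(f"slot {e['slot']} overlaps or exceeds the disk; examine by hand")
        if e["start"] > cursor:
            rows.append((cursor, e["start"] - 1, "unallocated"))
        name = PARTITION_TYPES.get(e["type"], "unknown")
        rows.append((e["start"], last,
                     f"partition slot {e['slot']}, type 0x{e['type']:02x} ({name})"))
        cursor = last + 1
    if cursor < total_sectors:
        rows.append((cursor, total_sectors - 1, "unallocated"))
    return rows


def build_sample_mbr():
    """Constructed MBR: a Linux partition at sector 63 and an NTFS partition at 1100."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x83, 63, 1000)
    mbr[462:478] = struct.pack("<B3xB3xII", 0x00, 0x07, 1100, 500)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    for first, last, what in partition_map(build_sample_mbr(), 2000):
        print(f"{first:>6} {last:>6} {last - first + 1:>6}  {what}")
```

The unallocated rows (sectors 1-62, 1063-1099 and 1600-1999 in the sample) are the areas a volume-level examination still has to inspect, since no file system tool will look there.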
Slide 14: The Sleuth Kit Tools (learn through hands-on labs)
- File system layer (partitions, file systems)
  - fsstat: first used in lab 3 to determine block size
- File name layer (file name structures)
  - ffind
  - fls
- Meta-data layer (inodes, directory entries, file attributes)
  - icat
  - ifind
  - ils
  - istat
- Data unit layer (disk blocks)
  - dcat: first used in lab 3 to extract disk blocks
  - dls: first used in lab 2 to copy unallocated space and slack space
  - dstat
  - dcalc: first used in lab 3 to compute absolute block to recover
Slide 15: Module 3. High Level Format (File Systems)
Slide 16: Our approach to understanding HDD DF
- We will begin at the physical layer and work toward increasing abstraction using a data-driven approach
[Diagram: layers Physical Media, Volume 1 ... Volume n, File System, File, with a "You Are Here" marker; axis labelled "Understanding and Evidence: Specific to Abstract?"]
Slide 17: HDD Structure (just prior to adding file system)
[Diagram: blank media, then low-level format (sectors of 512+ B, redundant sectors), then partitioning (MBR containing MBC and MPT; VBR 1 with VBC 1 and DPB 1; VBR 2 with VBC 2 and DPB 2)]
- MBR = master boot record
- MBC = master boot code
- MPT = master partition table
- VBR = volume boot record
- VBC = volume boot code
- DPB = disk parameter block
Slide 18: High-Level Format (Creating Disk Blocks)
[Diagram: MBC, MPT, then sectors grouped into blocks. Clusters, blocks, fragments, etc. are different names for the same thing]
- High-level format creates the file system
- Sectors are too small for most HDDs (address space is too large)
- Sectors are grouped into groups of N to form clusters, N is a positive integer
- This becomes the indivisible data size for the installed operating system
Slide 19: High-Level Format (Creating File Systems)
[Diagram: Master Boot Record (MBR) with MBC and MPT, File System Structures, Allocated/Unallocated Space. Clusters, blocks, fragments, etc. are different names for the same thing]
- MPT now contains file system type and cluster size
- Cluster (fragment, segment) sizes are multiples of 512 octets (one sector)
- This becomes the indivisible file size for the operating system
- A file system structure is created
  - FAT creates a file allocation table (simple table)
  - NTFS creates a master file table (database)
  - Linux EXT2/3 creates a virtual file system
- Each file system behaves differently
Slide 20: What is Slack Space? (space between end of file and end of cluster)
[Diagram: Sector (512 octets); Cluster ( x 512 octets); file of length 4628 octets followed by slack space]
- Consider a file containing 4628 octets
- 4628 octets occupy 4 full clusters of 1024 octets and part of a fifth cluster
- There will be (5 x 1024) - 4628 = 492 unused octets
- This unused space is called slack space
Slide 21: Why is Slack Space Important?
[Diagram: Unallocated Space (new drive); Allocated Space; Unallocated Space (after file deletion); Allocated Space (reallocated, new file) with Slack Space; callout: "Why isn't this also slack space?"]
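Added example (not part of the original slides): the two slack-space slides as a small simulation, using the 1024-octet cluster and 4628-octet file from the slide. `ToyVolume` and the file contents are constructed; the model assumes contiguous allocation and that a write touches only the file's own octets.

```python
CLUSTER_SIZE = 1024  # two 512-octet sectors per cluster, as in the 4628-octet example


def clusters_needed(file_size, cluster_size=CLUSTER_SIZE):
    """Number of whole clusters a file of this size occupies (ceiling division)."""
    return -(-file_size // cluster_size)


def slack_size(file_size, cluster_size=CLUSTER_SIZE):
    """Octets between the end of the file and the end of its last cluster."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


class ToyVolume:
    """Hypothetical, minimal volume model used only for this illustration."""

    def __init__(self, clusters, cluster_size=CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.data = bytearray(clusters * cluster_size)
        self.files = {}  # name -> (first_cluster, size)

    def write(self, name, first_cluster, content):
        start = first_cluster * self.cluster_size
        self.data[start:start + len(content)] = content
        self.files[name] = (first_cluster, len(content))

    def delete(self, name):
        # Deletion only drops the bookkeeping; the clusters are not overwritten.
        del self.files[name]

    def slack(self, name):
        """Return the raw octets sitting in the slack space of an allocated file."""
        first, size = self.files[name]
        start = first * self.cluster_size + size
        return bytes(self.data[start:start + slack_size(size, self.cluster_size)])


OLD_CONTENT = b"ACCOUNT-LEDGER;" * 400  # constructed 6000-octet "deleted" file


def demo():
    """Delete a file, reallocate its clusters to a smaller file, read the slack."""
    vol = ToyVolume(clusters=8)
    vol.write("ledger.txt", 2, OLD_CONTENT)
    vol.delete("ledger.txt")
    vol.write("notes.txt", 2, b"n" * 4628)  # new file reuses the same clusters
    return vol.slack("notes.txt")


if __name__ == "__main__":
    residue = demo()
    print(len(residue), residue[:45])
```

The slack of the new file still holds octets of the deleted one, which is why lab 2 copies slack space along with unallocated space.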
Slide 22: [Diagram: stages of preparing an HDD]
- Blank Media
- Low-Level Format: individual sector (512 octets), sector overhead, redundant sectors (only visible to HDD controller)
- Partitioning: Master Boot Record (MBR) with MBC and MPT, inter-partition gap, Partition #1 and Partition #2, each with a Volume Boot Record (VBR) containing VBC and DPB, unused sectors
- High-level Format: Master Boot Record (MBR) with MBC and MPT, File System Structures, Clusters, Free Space
- OS Install: Master Boot Record (MBR) with MBC and MPT, File System Structures, OS Code/Data, Free Space, Page File
Slide 23: What is the Role of a File System?
- Provides data storage and retrieval
- Associates names with data files
- Organizes files into parent directories
- Stores file attributes
  - Modify, Access, Creation (MAC) times
  - Disk blocks used for file storage
  - Others depending on specific file system
- Maintains lists of unallocated disk blocks
Slide 24: What Do Most File Systems Have in Common?
- Unique file (or directory) identifiers
  - inodes (Linux terminology, Windows is unknown)
- Data structure that associates file names and inodes
- Indivisible storage units formed of disk clusters
  - e.g., blocks, clusters, fragments, etc.
- Pointers to blocks where file is stored
- File attributes, e.g., times, parent directories, deleted flag, ownership, permissions, etc.
- Unallocated block list
Slide 25: File Systems Have Significant Structural and Functional Differences
- Journaling
- Meta-data storage
- Variable length allocation units
  - Fragments
- Distributed file system data structures
  - inode allocation algorithms
- Search efficient data structures
  - trees
Slide 26: What File System Attributes/Behaviors are of Interest to a DF investigator?
- File deletion
- File growth
- File shrinkage
- File replacement
- Resource reuse
  - directory blocks, inodes, blocks, etc.
- Time stamp behavior
- What else?
Slide 27: NTFS File System
- NTFS uses a master file table (MFT)
  - More of a database than a table
  - Each entry is referenced by a unique number
- Stores file/directory attributes
  - $Data is just one attribute and multiple $Data attributes are allowed
  - MAC times
- Stores up to 1500 octets of data directly
  - Larger files are stored indirectly
- IN_USE flag is cleared when a file is deleted
  - All attributes are maintained until MFT entry is reused
  - Indirect storage may persist even after entry is reused
Slide 28: Ext2 File System
- Linux uses data structures called inodes to represent a file or directory
  - Each inode has a unique number
  - Contains a description of the file
    - Size, MAC times, file type, access rights, owners, etc.
  - Contains pointers to blocks where data is stored
- File names are stored in a separate data structure
  - Referenced by inode number
  - Allows multiple names for the same file
- Character and block are special file types that do not store data
  - Point to a device driver
- Larger files are stored through up to three levels of indirection
- deleted flag is set when a file is deleted
Slide 29: Example of Indirection
Slide 30: Module 4. Digital Forensic Tools
Slide 31: Disk Imaging and Cloning
- Disk imaging and cloning is a standard and necessary step to preserve evidence
- We will use dd to perform our clone and imaging
- Cloning: Disk/Volume to disk
- Imaging: Disk/Volume to file
Slide 32: Hash Functions
- Used for integrity function
- Common hash functions
  - MD5, SHA-1, SHA-256
[Diagram: File -> Hash Function -> Hash]
- dccidd will compute MD5, SHA-1, and SHA-256 concurrent with imaging operation
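Added example (not part of the original slides, and not the code of dd or dccidd): imaging a source to a file while computing MD5, SHA-1 and SHA-256 over the same blocks in one pass, then re-hashing the image to verify it. The file names, the 1 MiB sample data and all function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def image_with_hashes(src_path, dst_path, block_size=64 * 1024):
    """Copy src to dst block by block, hashing every block as it is read.

    Returns (octets_copied, {algorithm: hex digest of the source stream}).
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    copied = 0
    # Mode "xb" refuses to overwrite an existing image file.
    with open(src_path, "rb") as src, open(dst_path, "xb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before it is trusted
    return copied, {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, block_size=64 * 1024):
    """Compute all three digests of a file in a single read pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_path, acquisition_hashes):
    """Re-read the image; return the algorithms whose digest no longer matches."""
    current = hash_file(image_path)
    return [name for name in ALGORITHMS if current[name] != acquisition_hashes[name]]


def demo():
    """Image a constructed 1 MiB source, verify it, then alter one octet and re-verify."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence.bin")
        img = os.path.join(work, "evidence.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # constructed sample data
        copied, hashes = image_with_hashes(src, img)
        clean = verify_image(img, hashes)
        with open(img, "r+b") as f:            # simulate a single altered octet
            f.seek(12345)
            f.write(b"\xff")
        altered = verify_image(img, hashes)
        return copied, clean, altered


if __name__ == "__main__":
    print(demo())
```

Recording the digests taken during acquisition and re-checking them before each analysis session is what lets the image stand in for the original media.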
Slide 33: The Sleuth Kit
- Forensics analysis tools
- Written by Brian Carrier
- Based on The Coroner's Tool Kit by Dan Farmer
- Based on a layered model of analysis
- Tested on multiple systems
  - Linux, Mac OS X, CYGWIN, FreeBSD, OpenBSD, Solaris
- Supports NTFS, FAT, FFS, EXT2FS, and EXT3FS
- Autopsy is a web-based tool that uses The Sleuth Kit
Slide 34: [Diagram: disk layout (MBR with MBC and MPT, file system structures, allocated and unallocated space) mapped to The Sleuth Kit layers]
- File system layer (MPT): fsstat
- File name layer (name, inode): ffind, fls
- Meta-data layer (inode, attributes): icat, ifind, ils, istat
- Data unit layer (allocated space, unallocated space): dcat, dls, dstat, dcalc
Slide 36: Questions?
- After all, you are an investigator
Introduction to The Sleuth Kit (TSK) By Chris Marko. Rev1 September, 2005. Introduction to The Sleuth Kit (TSK) 1
Introduction to The Sleuth Kit (TSK) By Chris Marko Rev1 September, 2005 Introduction to The Sleuth Kit (TSK) 1 This paper provides an introduction to The Sleuth Kit (referred to as TSK herein), from Brian
More informationOpen Source Data Recovery
Open Source Data Recovery Options and Techniques CALUG MEETING October 2008 !! Disclaimer!! This presentation is not sponsored by any organization of the US Government I am here representing only myself
More informationDefining Digital Forensic Examination and Analysis Tools Using Abstraction Layers
Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers Brian Carrier Research Scientist @stake Abstract This paper uses the theory of abstraction layers to describe the purpose
More informationLab III: Unix File Recovery Data Unit Level
New Mexico Tech Digital Forensics Fall 2006 Lab III: Unix File Recovery Data Unit Level Objectives - Review of unallocated space and extracting with dls - Interpret the file system information from the
More informationWhere is computer forensics used?
What is computer forensics? The preservation, recovery, analysis and reporting of digital artifacts including information stored on computers, storage media (such as a hard disk or CD-ROM), an electronic
More informationForensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationHow do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself
How do Users and Processes interact with the Operating System? Users interact indirectly through a collection of system programs that make up the operating system interface. The interface could be: A GUI,
More informationUnix/Linux Forensics 1
Unix/Linux Forensics 1 Simple Linux Commands date display the date ls list the files in the current directory more display files one screen at a time cat display the contents of a file wc displays lines,
More informationAcronis Disk Director 11 Advanced Server. Quick Start Guide
Acronis Disk Director 11 Advanced Server Quick Start Guide Copyright Acronis, Inc., 2000-2010. All rights reserved. Acronis and Acronis Secure Zone are registered trademarks of Acronis, Inc. "Acronis Compute
More informationFile System Forensics FAT and NTFS. Copyright Priscilla Oppenheimer 1
File System Forensics FAT and NTFS 1 FAT File Systems 2 File Allocation Table (FAT) File Systems Simple and common Primary file system for DOS and Windows 9x Can be used with Windows NT, 2000, and XP New
More informationDigital Forensics. Tom Pigg Executive Director Tennessee CSEC
Digital Forensics Tom Pigg Executive Director Tennessee CSEC Definitions Digital forensics Involves obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases Analyze
More informationLab V: File Recovery: Data Layer Revisited
New Mexico Tech Digital Forensics Fall 2006 Lab V: File Recovery: Data Layer Revisited Objectives - Perform searches based on file headers - Data Carving with Foremost - Zip password recovery Procedures
More informationSTUDY GUIDE CHAPTER 4
STUDY GUIDE CHAPTER 4 True/False Indicate whether the statement is true or false. 1. A(n) desktop operating system is designed for a desktop or notebook personal computer. 2. A(n) mirrored user interface
More informationFORENSIC ANALYSIS OF USB MEDIA EVIDENCE. Jesús Alexander García. Luis Alejandro Franco. Juan David Urrea. Carlos Alfonso Torres
FORENSIC ANALYSIS OF USB MEDIA EVIDENCE Jesús Alexander García Luis Alejandro Franco Juan David Urrea Carlos Alfonso Torres Manuel Fernando Gutiérrez UPB 2012 Content INTRODUCTION... 3 OBJECTIVE 4 EVIDENCE
More informationChapter 4. Operating Systems and File Management
Chapter 4 Operating Systems and File Management Chapter Contents Section A: Operating System Basics Section B: Today s Operating Systems Section C: File Basics Section D: File Management Section E: Backup
More informationComputer Forensic Tools. Stefan Hager
Computer Forensic Tools Stefan Hager Overview Important policies for computer forensic tools Typical Workflow for analyzing evidence Categories of Tools Demo SS 2007 Advanced Computer Networks 2 Important
More informationForensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)
s Unix Definition of : Computer Coherent application of a methodical investigatory techniques to solve crime cases. Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM) s Unix
More informationMODULE 3 VIRTUALIZED DATA CENTER COMPUTE
MODULE 3 VIRTUALIZED DATA CENTER COMPUTE Module 3: Virtualized Data Center Compute Upon completion of this module, you should be able to: Describe compute virtualization Discuss the compute virtualization
More informationCHAPTER 17: File Management
CHAPTER 17: File Management The Architecture of Computer Hardware, Systems Software & Networking: An Information Technology Approach 4th Edition, Irv Englander John Wiley and Sons 2010 PowerPoint slides
More informationTELE 301 Lecture 7: Linux/Unix file
Overview Last Lecture Scripting This Lecture Linux/Unix file system Next Lecture System installation Sources Installation and Getting Started Guide Linux System Administrators Guide Chapter 6 in Principles
More informationUsing Open Source Digital Forensics Software for Digital Archives Workshop
Using Open Source Digital Forensics Software for Digital Archives Workshop Mark A. Matienzo 04 Manuscripts and Archives, Yale University Library Society of American Archivists University of Michigan School
More informationDigital Forensics Tutorials Acquiring an Image with FTK Imager
Digital Forensics Tutorials Acquiring an Image with FTK Imager Explanation Section Digital Forensics Definition The use of scientifically derived and proven methods toward the preservation, collection,
More informationwinhex Disk Editor, RAM Editor PRESENTED BY: OMAR ZYADAT and LOAI HATTAR
winhex Disk Editor, RAM Editor PRESENTED BY: OMAR ZYADAT and LOAI HATTAR Supervised by : Dr. Lo'ai Tawalbeh New York Institute of Technology (NYIT)-Jordan X-Ways Software Technology AG is a stock corporation
More informationIncident Response and Computer Forensics
Incident Response and Computer Forensics James L. Antonakos WhiteHat Forensics Incident Response Topics Why does an organization need a CSIRT? Who s on the team? Initial Steps Detailed Project Plan Incident
More informationLinux in Law Enforcement
Linux in Law Enforcement It's all about CONTROL Barry J. Grundy CALUG MEETING JUNE 2008 !! Disclaimer!! This presentation is not sponsored by any organization of the US Government I am here representing
More informationFAT32 vs. NTFS Jason Capriotti CS384, Section 1 Winter 1999-2000 Dr. Barnicki January 28, 2000
FAT32 vs. NTFS Jason Capriotti CS384, Section 1 Winter 1999-2000 Dr. Barnicki January 28, 2000 Table of Contents List of Figures... iv Introduction...1 The Physical Disk...1 File System Basics...3 File
More informationFile System Management
Lecture 7: Storage Management File System Management Contents Non volatile memory Tape, HDD, SSD Files & File System Interface Directories & their Organization File System Implementation Disk Space Allocation
More informationChapter Contents. Operating System Activities. Operating System Basics. Operating System Activities. Operating System Activities 25/03/2014
Chapter Contents Operating Systems and File Management Section A: Operating System Basics Section B: Today s Operating Systems Section C: File Basics Section D: File Management Section E: Backup Security
More informationActive@ Password Changer for DOS User Guide
Active@ Password Changer for DOS User Guide 1 Active@ Password Changer Guide Copyright 1999-2014, LSOFT TECHNOLOGIES INC. All rights reserved. No part of this documentation may be reproduced in any form
More informationEaseUS Partition Master
Reviewer s Guide Contents Introduction... 2 Chapter 1... 3 What is EaseUS Partition Master?... 3 Versions Comparison... 4 Chapter 2... 5 Using EaseUS Partition Master... 5 Partition Manager... 5 Disk &
More informationDiscovery of Electronically Stored Information ECBA conference Tallinn October 2012
Discovery of Electronically Stored Information ECBA conference Tallinn October 2012 Jan Balatka, Deloitte Czech Republic, Analytic & Forensic Technology unit Agenda Introduction ediscovery investigation
More informationOpen Source and Incident Response
Open Source and Incident Response Joe Lofshult, CISSP, GCIH 1 Agenda Overview Open Source Tools FIRE Demonstration 2 Overview Incident Adverse event that threatens security in computing systems and networks.
More informationDigital Forensics For Unix. The SANS Institute
Digital Forensics For Unix The SANS Institute John Green john@cybersecuritysciences.com Hal Pomeranz hal@deer-run.com 1 1 Forensics in a Nutshell Evidence seizure Investigation and analysis Reporting results
More informationComputer Forensics using Open Source Tools
Computer Forensics using Open Source Tools COMP 5350/6350 Digital Forensics Professor: Dr. Anthony Skjellum TA: Ananya Ravipati Presenter: Rodrigo Sardinas Overview Use case explanation Useful Linux Commands
More informationvsphere Web Access Administrator's Guide
vsphere Web Access Administrator's Guide vsphere Web Access 4.1 ESX 4.1 vcenter Server 4.1 This document supports the version of each product listed and supports all subsequent versions until the document
More informationReview from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture
Review from last time CS 537 Lecture 3 OS Structure What HW structures are used by the OS? What is a system call? Michael Swift Remzi Arpaci-Dussea, Michael Swift 1 Remzi Arpaci-Dussea, Michael Swift 2
More informationGuide to Computer Forensics and Investigations, Second Edition
Guide to Computer Forensics and Investigations, Second Edition Chapter 4 Current Computer Forensics Tools Objectives Understand how to identify needs for computer forensics tools Evaluate the requirements
More information2.6.1 Creating an Acronis account... 11 2.6.2 Subscription to Acronis Cloud... 11. 3 Creating bootable rescue media... 12
USER'S GUIDE Table of contents 1 Introduction...3 1.1 What is Acronis True Image 2015?... 3 1.2 New in this version... 3 1.3 System requirements... 4 1.4 Install, update or remove Acronis True Image 2015...
More informationCOS 318: Operating Systems
COS 318: Operating Systems File Performance and Reliability Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Topics File buffer cache
More informationForensic Investigator. Module XI Linux Forensics
Computer Hacking Forensic Investigator Module XI Linux Forensics Module Objective This module will familiarize you with the following: Use of Linux as a forensic tool. Recognizing partitions in Linux.
More informationChapter 12 File Management
Operating Systems: Internals and Design Principles Chapter 12 File Management Eighth Edition By William Stallings Files Data collections created by users The File System is one of the most important parts
More informationRECOVERING FROM SHAMOON
Executive Summary Fidelis Threat Advisory #1007 RECOVERING FROM SHAMOON November 1, 2012 Document Status: FINAL Last Revised: 2012-11-01 The Shamoon malware has received considerable coverage in the past
More informationChapter 12 File Management
Operating Systems: Internals and Design Principles, 6/E William Stallings Chapter 12 File Management Dave Bremer Otago Polytechnic, N.Z. 2008, Prentice Hall Roadmap Overview File organisation and Access
More informationChapter 12 File Management. Roadmap
Operating Systems: Internals and Design Principles, 6/E William Stallings Chapter 12 File Management Dave Bremer Otago Polytechnic, N.Z. 2008, Prentice Hall Overview Roadmap File organisation and Access
More informationVMware Tools Configuration Utility User's Guide
VMware Tools Configuration Utility User's Guide VMware Fusion 3.0 vsphere 4.1 VMware Workstation 7.0 VMware Player 3.0 This document supports the version of each product listed and supports all subsequent
More informationAcronis True Image 2015 REVIEWERS GUIDE
Acronis True Image 2015 REVIEWERS GUIDE Table of Contents INTRODUCTION... 3 What is Acronis True Image 2015?... 3 System Requirements... 4 INSTALLATION... 5 Downloading and Installing Acronis True Image
More informationFile System & Device Drive. Overview of Mass Storage Structure. Moving head Disk Mechanism. HDD Pictures 11/13/2014. CS341: Operating System
CS341: Operating System Lect 36: 1 st Nov 2014 Dr. A. Sahu Dept of Comp. Sc. & Engg. Indian Institute of Technology Guwahati File System & Device Drive Mass Storage Disk Structure Disk Arm Scheduling RAID
More informationWindows OS File Systems
Windows OS File Systems MS-DOS and Windows 95/98/NT/2000/XP allow use of FAT-16 or FAT-32. Windows NT/2000/XP uses NTFS (NT File System) File Allocation Table (FAT) Not used so much, but look at as a contrast
More informationChapter 8: Installing Linux The Complete Guide To Linux System Administration Modified by M. L. Malone, 11/05
Chapter 8: Installing Linux The Complete Guide To Linux System Administration Modified by M. L. Malone, 11/05 At the end of this chapter the successful student will be able to Describe the main hardware
More informationNew Technologies File System (NTFS) Priscilla Oppenheimer. Copyright 2008 Priscilla Oppenheimer
New Technologies File System (NTFS) Priscilla Oppenheimer NTFS Default file system for Windows NT, 2000, XP, and Windows Server 2003 No published spec from Microsoft that describes the on-disk layout Good
More informationIFSM 310 Software and Hardware Concepts. A+ OS Domain 2.0. A+ Demo. Installing Windows XP. Installation, Configuration, and Upgrading.
IFSM 310 Software and Hardware Concepts "You have to be a real stud hombre cybermuffin to handle 'Windows'" - Dave Barry Topics A+ Demo: Windows XP A+ OS Domain 2.0 Chapter 12: File and Secondary Storage
More information2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.
Acquisition and Tools COMP 2555: Principles of Computer Forensics Autumn 2014 http://www.cs.du.edu/2555 1 Planning Your Investigation! A basic investigation plan should include the following activities:!
More informationRecovery of deleted files on a TrueCrypt volume March 23, 2010 rationallyparanoid.com
Recovery of deleted files on a TrueCrypt volume March 23, 2010 rationallyparanoid.com TrueCrypt is a well-known and widely used open source application used for encryption. However at the bottom of their
More informationLukas Limacher Department of Computer Science, ETH. Computer Forensics. September 25, 2014
Lukas Limacher Department of Computer Science, ETH Zürich Computer Forensics September 25, 2014 Contents 9 Computer Forensics 1 91 Objectives 1 92 Introduction 2 921 Incident Response 2 922 Computer Forensics
More informationLecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation
Computer Forensics and Digital Investigation Computer Security EDA263, lecture 14 Ulf Larson Lecture outline! Introduction to Computer Forensics! Digital investigation! Conducting a Digital Crime Scene
More informationUsing VMware Workstation
VMware Workstation 10 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of
More informationFile Systems for Flash Memories. Marcela Zuluaga Sebastian Isaza Dante Rodriguez
File Systems for Flash Memories Marcela Zuluaga Sebastian Isaza Dante Rodriguez Outline Introduction to Flash Memories Introduction to File Systems File Systems for Flash Memories YAFFS (Yet Another Flash
More informationPractice Exercise March 7, 2016
DIGITAL FORENSICS Practice Exercise March 7, 2016 Prepared by Leidos CyberPatriot Forensics Challenge 1 Forensics Instruction Guide Introduction The goal of this event is to learn to identify key factors
More informationGuide to Computer Forensics and Investigations, Second Edition
Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition Objectives Determine the best acquisition method Plan data-recovery contingencies Use MS-DOS acquisition tools
More informationInstalling a Second Operating System
Installing a Second Operating System Click a link below to view one of the following sections: Overview Key Terms and Information Operating Systems and File Systems Managing Multiple Operating Systems
More informationDesign and Implementation of a Live-analysis Digital Forensic System
Design and Implementation of a Live-analysis Digital Forensic System Pei-Hua Yen Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan amber8520@gmail.com
More informationVirtualization. Michael Tsai 2015/06/08
Virtualization Michael Tsai 2015/06/08 What is virtualization? Let s first look at a video from VMware http://bcove.me/x9zhalcl Problems? Low utilization Different needs DNS DHCP Web mail 5% 5% 15% 8%
More informationSolaris For The Modern Data Center. Taking Advantage of Solaris 11 Features
Solaris For The Modern Data Center Taking Advantage of Solaris 11 Features JANUARY 2013 Contents Introduction... 2 Patching and Maintenance... 2 IPS Packages... 2 Boot Environments... 2 Fast Reboot...
More informationGetting Started User s Guide
Getting Started This short guide can help you to quickly start using Acronis True Image Home 2011. It describes just a few of the key features of Acronis True Image Home 2011. For detailed program information,
More informationVMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014
VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014 Table of Contents Introduction.... 3 Features and Benefits of vsphere Data Protection... 3 Additional Features and Benefits of
More informationEaseUS Backup Center User Guide
EaseUS Backup Center User Guide Welcome... 2 Getting started... 2 Software Requirements... 2 Hardware Requirements... 2 System Requirements... 2 Supported File Systems... 3 Supported Hard Disk Types...
More informationConfiguration Maximums VMware Infrastructure 3
Technical Note Configuration s VMware Infrastructure 3 When you are selecting and configuring your virtual and physical equipment, you must stay at or below the maximums supported by VMware Infrastructure
More informationVMware vsphere Data Protection 6.0
VMware vsphere Data Protection 6.0 TECHNICAL OVERVIEW REVISED FEBRUARY 2015 Table of Contents Introduction.... 3 Architectural Overview... 4 Deployment and Configuration.... 5 Backup.... 6 Application
More informationUser Guide. Version 3.0
Kaseya Backup and Disaster Recovery User Guide Version 3.0 October 12, 2009 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT
More information3. USB FLASH DRIVE PREPARATION. Almost all current PC firmware permits booting from a USB drive, allowing the launch
3. USB FLASH DRIVE PREPARATION 3.1 INTRODUCTION Almost all current PC firmware permits booting from a USB drive, allowing the launch of an operating system from a bootable flash drive. Such a configuration
More informationDIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,
DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE Vahidin Đaltur, Kemal Hajdarević, Internacional Burch University, Faculty of Information Technlogy 71000 Sarajevo, Bosnia
More informationGetting Started with VMware Fusion
Getting Started with VMware Fusion VMware Fusion for Mac OS X 2008 2012 EN-000933-00 2 Getting Started with VMware Fusion You can find the most up-to-date technical documentation on the VMware Web site
More informationParallels Desktop for Mac
Parallels Software International, Inc. Parallels Desktop for Mac Quick Start Guide 3.0 (c) 2005-2007 Copyright 2006-2007 by Parallels Software International, Inc. All rights reserved. Parallels and Parallels
More informationOperating Systems CSE 410, Spring 2004. File Management. Stephen Wagner Michigan State University
Operating Systems CSE 410, Spring 2004 File Management Stephen Wagner Michigan State University File Management File management system has traditionally been considered part of the operating system. Applications
More informationDigital Forensics Tutorials Acquiring an Image with Kali dcfldd
Digital Forensics Tutorials Acquiring an Image with Kali dcfldd Explanation Section Disk Imaging Definition Disk images are used to transfer a hard drive s contents for various reasons. A disk image can
More informationForensic Acquisition and Analysis of VMware Virtual Hard Disks
Forensic Acquisition and Analysis of VMware Virtual Hard Disks Manish Hirwani, Yin Pan, Bill Stackpole and Daryl Johnson Networking, Security and Systems Administration Rochester Institute of Technology
CCE Certification Competencies
CCE Certification Competencies May 10, 2012 Page 1 The Certified Computer Examiner (CCE) has evolved into one of the most desired certifications in the computer forensics industry. The certification is
Getting Started with Paragon Recovery CD. Quick Guide
Getting Started with Paragon Recovery CD Quick Guide Paragon Recovery CD 2 Quick Guide CONTENTS 1 Introduction... 3 2 Distribution...3 2.1 Distributive CD...3 2.2 Online Distribution...3 3 Booting from
Hands-On How-To Computer Forensics Training
CS197U: A Hands on Introduction to Unix
CS197U: A Hands on Introduction to Unix Lecture 4: My First Linux System J.D. DeVaughn-Brown University of Massachusetts Amherst Department of Computer Science jddevaughn@cs.umass.edu 1 Reminders After
Setup Cisco Call Manager on VMware
created by: Rainer Bemsel Version 1.0 Dated: July/09/2011 The purpose of this document is to provide the necessary steps to setup a Cisco Call Manager to run on VMware. I've been researching for a while
Digital Forensics with Open Source Tools
Digital Forensics with Open Source Tools Cory Altheide Harlan Carvey Technical Editor Ray Davidson AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO
Kaseya 2. User Guide. Version 7.0. English
Kaseya 2 Backup User Guide Version 7.0 English September 3, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya's Click-Accept EULATOS as updated
Backup Solution Testing on UCS for Small-Medium Range Customers (Disk to Tape) Acronis Advanced Backup Software
Backup Solution Testing on UCS for Small-Medium Range Customers (Disk to Tape) Acronis Advanced Backup Software First Published: April 28, 2014 Last Modified: May 06, 2014 Americas Headquarters Cisco Systems,
An overview of FAT12
An overview of FAT12 The File Allocation Table (FAT) is a table stored on a hard disk or floppy disk that indicates the status and location of all data clusters that are on the disk. The File Allocation
Virtualization in Linux
Virtualization in Linux Kirill Kolyshkin September 1, 2006 Abstract Three main virtualization approaches (emulation, paravirtualization, and operating system-level virtualization) are covered,
BackTrack Hard Drive Installation
BackTrack Hard Drive Installation BackTrack Development Team jabra [at] remote-exploit [dot] org Installing Backtrack to a USB Stick or Hard Drive 1 Table of Contents BackTrack Hard Drive Installation...3
Imation Clip USB 2.0 Flash Drive. Imation Drive Manager Software. User's Manual
Imation Clip USB 2.0 Flash Drive Imation Drive Manager Software User's Manual Contents Introduction... 3 Features... 3 System Requirements... 4 Handling and Operating Recommendations... 4 Driver Installation...
RAID installation guide for Silicon Image SiI3114
RAID installation guide for Silicon Image SiI3114 Contents Contents 2 1 Introduction 4 1.1 About this Guide 4 1.2 The Basics 4 1.2.1 What is RAID? 4 1.2.2 Advantages of RAID 4 1.2.3 Disadvantages of RAID
Just EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012
Just EnCase Presented By Larry Russell CalCPA State Technology Committee May 18, 2012 What is e-discovery Electronically Stored Information (ESI) Discover or Monitor for Fraudulent Activity Tools used
Intelligent disaster recovery. Dell DL backup to Disk Appliance powered by Symantec
Intelligent disaster recovery Dell DL backup to Disk Appliance powered by Symantec The PowerVault DL Backup to Disk Appliance Powered by Symantec Backup Exec offers the industry's only fully integrated
Managing Remote Access
VMWARE TECHNICAL NOTE VMware ACE Managing Remote Access This technical note explains how to use VMware ACE to manage remote access through VPN to a corporate network. This document contains the following
Live View. A New View On Forensic Imaging. Matthiew Morin Champlain College
Live View A New View On Forensic Imaging Matthiew Morin Champlain College Morin 1 Executive Summary The main purpose of this paper is to provide an analysis of the forensic imaging tool known as Live View.
Operating System Installation Guide
Operating System Installation Guide This guide provides instructions on the following: Installing the Windows Server 2008 operating systems on page 1 Installing the Windows Small Business Server 2011 operating
P2V Best Practices. Joe Christie Technical Trainer
Joe Christie Technical Trainer What is P2V? A process used to create a virtual machine that duplicates an existing physical computer. What is P2VA? A set of utilities from VMware for reliably creating
The Linux Virtual Filesystem
Lecture Overview Linux filesystem Linux virtual filesystem (VFS) overview Common file model Superblock, inode, file, dentry Object-oriented Ext2 filesystem Disk data structures Superblock, block group,
ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT
ITU Session Four: Device Imaging And Analysis Mounir Kamal Q-CERT 2 Applying Forensic Science to Computer Systems Like a Detective, the archaeologist searches for clues in order to discover and reconstruct
BrightStor ARCserve Backup Disaster Recovery From Physical Machines to Virtual Machines
BrightStor ARCserve Backup Disaster Recovery From Physical Machines to Virtual Machines Best Practices Guide BrightStor ARCserve Backup r11.5 Version 1.0 Author: @ca.com Contents Chapter
X-Ways Capture. The program executes the following steps unless you specify a different procedure in the configuration file:
Executive Summary X-Ways Capture Specialized computer forensics tool for the evidence collection phase of a forensic investigation that captures Windows and Linux live systems. X-Ways Capture employs various