Forensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)
|
|
- Darrell Tucker
- 8 years ago
- Views:
Transcription
1 Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit Forensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+) BLOSSOM Manchester Metropolitan University (Funded by Higher Education Academy) l.han@mmu.ac.uk
2 1. Learning Objectives This lab aims to learn how to perform forensic imaging and forensic analysis of Linux /Mac OS using open source tools. 2. Preparation 1) Under Linux environment 2) Some documents that you may need to refer to: 3. Tasks 'Virtual-MachineGuide.pdf' Linux-Guide.pdf BLOSSOM-UserGuide.pdf Setup & Installation: Start a single virtual machine as you have done with previous exercises (see Virtual Machine Guide): # kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one
3 Task 1 Creating Linux File System & Imaging Using dcfldd 1.1 Creating forensically sound images of devices is an extremely important part of forensic computing, since that will be what you will be analysing for evidence so that the original piece of evidence would not be changed and remain as admissible evidence. Due to the nature of this lab being on a virtual machine, we must first create a file system that can then be imaged. # dd if=/dev/zero of=disk-image count=10240 # mkfs t ext3 q disk-image This will create an empty 5MB large file system of type EXT3. We must also mount it to a device in order to allow for live imaging: # mkdir fs # mount o loop disk-image fs This will create a directory called fs, and mount the disk-image to the directory as the first loop device available, which should be /dev/loop Now with the file system in place, we can use dcfldd to create a forensically sound image of the file system. dcfldd is very similar to dd with certain exceptions relating to the forensically sound acquisition of disk images, allowing for hash creation and validation for example. The command to image the mounted device would be as follows: # dcfldd if=/dev/loop1 of=dcfldd.img hashwindow=5m hash=md5,sha1 hashlog=dcfldd.hashlog This will take /dev/loop1 as the input device and output the image as dcfldd.img. hashwindow, hash and hashlog are all commands that relate to the forensic verification of the image, hashwindow states at which point the hash verification should occur, for which 5MB has been chosen due to the file system size, hash states the choice of hash functions to be used for verification, for which MD5 and SHA1 have been selected, and hashlog stores the output of the hash functions into a hash log. 1.3 Before delving in to analysing file systems, a key point to understand is the reason for using hash functions to verify the image file. Whenever the disk image is changed, even in the slightest manner, the result of each hash function will be drastically different. This can be seen by viewing the hashlog previously created, and then copying a file in to the file system and creating the disk image again, and you will be able to see the extreme differences between the hash function results.
4 Task 2 Using Sleuthkit to analyse Linux Artifacts 2.1 Sleuthkit is an Open Source piece of software that contains tools with the potential to provide a forensic analysis on disk images. We will look in to multiple different commands, why the command helps in a forensic investigation, and will also delve in to certain artifacts of forensic importance contained within a linux file system. The first command we will look at is fsstat: # fsstat dcfldd.img This will display information about the file system that we created in the previous task, showing such important information as the type of file system, and times relating to the time which it was last written to, checked and mounted. Metadata information is also displayed, providing the inode number of the root directory, and the content / block information provides information that is needed to extract raw data from the file system, such as telling us the amount of block groups, how many inodes and blocks are in a group. This information could potentially help in recovering deleted data. 2.2 The next command we will look at is stat, which simply allows us to discover metadata about files in the file system. We will also look in to the function known as hard linking files in EXT file systems. For this we will create some test files within the mounted file system: # cd fs # touch file1 # echo I am file1 > file1 This will create a file called file1 with the text I am file1 inside. Perform the stat function now: # stat file1 This will display information about file1, such as the last time accessed, modified and changed, as well as device, block and inode information and levels of access control. We will now hard link file1 to another file, file2 using the ln command, and then view its metadata: # ln file1 file2 # stat file2 We will now be shown information about the newly created hard link to file1. When viewed, both file1 and file2 will show the exact same content, being I am file1, and will also display the same inode and block information. Compare both file1 and file2 in stat and it will
5 become apparent that both of these files are simply just referencing the same inode. Another type of linking can also occur in an EXT file system, which is known as soft linking. Soft links have a path to another file in place of the block pointers in its inode, therefore serving as an indirect reference to the file: # ln s file1 file3 Now view the metadata of both files through the stat command. The file, file1 will remain unchanged completely, not even realising that it is also file3 ; however, file3 will show that is has no data allocated to it, the size of the file will be the number of bytes in the target files name, and it will also be its own inode. The forensic value of metadata becomes quite apparent over the previous few exercises, such as being able to find the ownership information about a suspect file in order to reduce the number of people involved in an investigation based on access privileges to a machine. In preparation for the next task, delete the file file1 from the file system we created using the following command: # rm file1 NOTE: After this task, recreate the dcfldd.img file so it includes the files created during the previous task. 2.3 Another set of useful commands in sluethkit is fls and icat. The files and directories named in the image can be recovered using fls, which will also display the inode location of files, and if file1 is displayed as inode 12, we can recover the file using icat : # fls dcfldd.img fls reveals that the file at inode 12 (file1) has been deleted, but as it is shown by this command, we can then recover it using the following command: # icat -r dcfldd.img 12 > file1 The -r tag states that we wish to recover the file at the inode location specified in the image, and the > signifies where the file will be saved and what is will be called, and for simplicities sake it has been named file1. Next we can use the stat command used previously to verify that the file has in fact been recovered (Check the size, blocks etc).
6 Task 3 Creating MAC File System & Imaging Using dcfldd 3.1 As with the first task, we are going to have to create a file system within the virtual machine to image, but this time we will be using the HFS+ file system, which is the file system primarily used in MAC computers. First, we must create the initial file system file in the same way as before, but we add the file system type in a slightly different manner: #dd if=/dev/zero of=mac-image count=10240 #mkfs.hfsplus v Untitled mac-image This creates the file mac-image as a 5MB file of type HFS+. Next, we must mount it, again in a similar fashion to before: #mkdir mfs #mount t hfsplus o loop mac-image mfs This will create the directory mfs and mount the file mac-image to the directory as the next loop device available, which should be /dev/loop2. Question: With the basic HFS+ file system up and running, what would the command be to create an image of it? Use the command and name the output file dcflddmac.img
7 Task 4 Using Sleuthkit / MAC Artifacts 4.1 As with the EXT3 image created earlier, the HFS+ image can be analysed using Sleuthkit in a similar manner: # fsstat dcflddmac.img This will show information pertaining to the file system, which should show that the file system type is HFS+, and also information about metadata, block allocation and mount information. 4.2 The next command we will look in to is fls, which provides a list of the files and directory names in the image: # fls dcflddmac.img This should display 6 HFS+ special files, which are the backbone of the HFS+ file system. These are denoted by the $ symbol before each file name. Question: What are the HFS+ special files and what is the purpose of each file? What are these similar files similar to? Research these via the Internet.
Network Forensics Network Traffic Analysis
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationDigital Forensics Tutorials Acquiring an Image with Kali dcfldd
Digital Forensics Tutorials Acquiring an Image with Kali dcfldd Explanation Section Disk Imaging Definition Disk images are used to transfer a hard drive s contents for various reasons. A disk image can
More informationIntroduction to Websites & Dynamic Content
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationSQL Injection. Blossom Hands-on exercises for computer forensics and security
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationLukas Limacher Department of Computer Science, ETH. Computer Forensics. September 25, 2014
Lukas Limacher Department of Computer Science, ETH Zürich Computer Forensics September 25, 2014 Contents 9 Computer Forensics 1 91 Objectives 1 92 Introduction 2 921 Incident Response 2 922 Computer Forensics
More informationInstalling MooseFS Step by Step Tutorial
Installing MooseFS Step by Step Tutorial Michał Borychowski MooseFS Support Manager contact@moosefs.org march 2010 Gemius SA Overview... 3 MooseFS install process on dedicated machines... 3 Master server
More informationLab III: Unix File Recovery Data Unit Level
New Mexico Tech Digital Forensics Fall 2006 Lab III: Unix File Recovery Data Unit Level Objectives - Review of unallocated space and extracting with dls - Interpret the file system information from the
More informationPython Scripting with Scapy
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationDigital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics
Digital Forensics Lecture 3 Hard Disk Drive (HDD) Media Forensics Current, Relevant Topics defendants should not use disk-cleaning utilities to wipe portions of their hard drives before turning them over
More informationNetwork Packet Analysis and Scapy Introduction
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationOpen Source Data Recovery
Open Source Data Recovery Options and Techniques CALUG MEETING October 2008 !! Disclaimer!! This presentation is not sponsored by any organization of the US Government I am here representing only myself
More information2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.
Acquisition and Tools COMP 2555: Principles of Computer Forensics Autumn 2014 http://www.cs.du.edu/2555 1 Planning Your Investigation! A basic investigation plan should include the following activities:!
More informationNetwork Attacks. Blossom Hands-on exercises for computer forensics and security
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationDIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,
DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE Vahidin Đaltur, Kemal Hajdarević, Internacional Burch University, Faculty of Information Technlogy 71000 Sarajevo, Bosnia
More informationCapturing a Forensic Image. By Justin C. Klein Keane <jukeane@sas.upenn.edu> 12 February, 2013
Capturing a Forensic Image By Justin C. Klein Keane 12 February, 2013 Before you Begin The first step in capturing a forensic image is making an initial determination as to the
More informationComputer Forensics using Open Source Tools
Computer Forensics using Open Source Tools COMP 5350/6350 Digital Forensics Professor: Dr. Anthony Skjellum TA: Ananya Ravipati Presenter: Rodrigo Sardinas Overview Use case explanation Useful Linux Commands
More informationDigital Forensics Tutorials Acquiring an Image with FTK Imager
Digital Forensics Tutorials Acquiring an Image with FTK Imager Explanation Section Digital Forensics Definition The use of scientifically derived and proven methods toward the preservation, collection,
More informationUnix/Linux Forensics 1
Unix/Linux Forensics 1 Simple Linux Commands date display the date ls list the files in the current directory more display files one screen at a time cat display the contents of a file wc displays lines,
More informationDefining Digital Forensic Examination and Analysis Tools Using Abstraction Layers
Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers Brian Carrier Research Scientist @stake Abstract This paper uses the theory of abstraction layers to describe the purpose
More informationWhere is computer forensics used?
What is computer forensics? The preservation, recovery, analysis and reporting of digital artifacts including information stored on computers, storage media (such as a hard disk or CD-ROM), an electronic
More informationComparing and Contrasting Windows and Linux Forensics. Zlatko Jovanovic. International Academy of Design and Technology
Comparing and Contrasting Windows and Linux Forensics Zlatko Jovanovic International Academy of Design and Technology Abstract Windows and Linux are the most common operating systems used on personal computers.
More informationComputer forensic science
Computer forensic science This drive has been victimized! Mallory 1 CS78 students must help! CS78 students What happened?! Every student gets a copy 2 Forensic science it s detective work Computer forensic
More informationFORENSIC ANALYSIS OF USB MEDIA EVIDENCE. Jesús Alexander García. Luis Alejandro Franco. Juan David Urrea. Carlos Alfonso Torres
FORENSIC ANALYSIS OF USB MEDIA EVIDENCE Jesús Alexander García Luis Alejandro Franco Juan David Urrea Carlos Alfonso Torres Manuel Fernando Gutiérrez UPB 2012 Content INTRODUCTION... 3 OBJECTIVE 4 EVIDENCE
More informationRecovery of deleted files on a TrueCrypt volume March 23, 2010 rationallyparanoid.com
Recovery of deleted files on a TrueCrypt volume March 23, 2010 rationallyparanoid.com TrueCrypt is a well-known and widely used open source application used for encryption. However at the bottom of their
More informationTELE 301 Lecture 7: Linux/Unix file
Overview Last Lecture Scripting This Lecture Linux/Unix file system Next Lecture System installation Sources Installation and Getting Started Guide Linux System Administrators Guide Chapter 6 in Principles
More informationLecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation
Computer Forensics and Digital Investigation Computer Security EDA263, lecture 14 Ulf Larson Lecture outline! Introduction to Computer Forensics! Digital investigation! Conducting a Digital Crime Scene
More informationSSL Tunnels. Introduction
SSL Tunnels Introduction As you probably know, SSL protects data communications by encrypting all data exchanged between a client and a server using cryptographic algorithms. This makes it very difficult,
More informationUSB 2.0 Flash Drive User Manual
USB 2.0 Flash Drive User Manual 1 INDEX Table of Contents Page 1. IMPORTANT NOTICES...3 2. PRODUCT INTRODUCTION...4 3. PRODUCT FEATURES...5 4. DRIVER INSTALLATION GUIDE...6 4.1 WINDOWS 98 / 98 SE... 6
More informationMSc Computer Security and Forensics. Examinations for 2009-2010 / Semester 1
MSc Computer Security and Forensics Cohort: MCSF/09B/PT Examinations for 2009-2010 / Semester 1 MODULE: COMPUTER FORENSICS & CYBERCRIME MODULE CODE: SECU5101 Duration: 2 Hours Instructions to Candidates:
More informationIntroduction to The Sleuth Kit (TSK) By Chris Marko. Rev1 September, 2005. Introduction to The Sleuth Kit (TSK) 1
Introduction to The Sleuth Kit (TSK) By Chris Marko Rev1 September, 2005 Introduction to The Sleuth Kit (TSK) 1 This paper provides an introduction to The Sleuth Kit (referred to as TSK herein), from Brian
More informationIncident Response and Computer Forensics
Incident Response and Computer Forensics James L. Antonakos WhiteHat Forensics Incident Response Topics Why does an organization need a CSIRT? Who s on the team? Initial Steps Detailed Project Plan Incident
More informationDigital Forensics For Unix. The SANS Institute
Digital Forensics For Unix The SANS Institute John Green john@cybersecuritysciences.com Hal Pomeranz hal@deer-run.com 1 1 Forensics in a Nutshell Evidence seizure Investigation and analysis Reporting results
More informationSECURE, AUDITED PROCESSING OF DIGITAL EVIDENCE: FILESYSTEM SUPPORT FOR DIGITAL EVIDENCE BAGS
SECURE, AUDITED PROCESSING OF DIGITAL EVIDENCE: FILESYSTEM SUPPORT FOR DIGITAL EVIDENCE BAGS Golden G. Richard III and Vassil Roussev Department of Computer Science, University of New Orleans New Orleans,
More informationSetting up Radmind For an OSX Public Lab
Setting up Radmind For an OSX Public Lab Radmind consists of a set of about ten Unix Commands installed on both the client and server machines. A GUI application, called Radmind Assistant, provides a simplified
More informationSystem administration basics
Embedded Linux Training System administration basics Michael Opdenacker Thomas Petazzoni Free Electrons Copyright 2009, Free Electrons. Creative Commons BY SA 3.0 license Latest update: Dec 20, 2010, Document
More informationBackTrack Hard Drive Installation
BackTrack Hard Drive Installation BackTrack Development Team jabra [at] remote-exploit [dot] org Installing Backtrack to a USB Stick or Hard Drive 1 Table of Contents BackTrack Hard Drive Installation...3
More informationLinux in Law Enforcement
Linux in Law Enforcement It's all about CONTROL Barry J. Grundy CALUG MEETING JUNE 2008 !! Disclaimer!! This presentation is not sponsored by any organization of the US Government I am here representing
More informationDigital Forensics. Tom Pigg Executive Director Tennessee CSEC
Digital Forensics Tom Pigg Executive Director Tennessee CSEC Definitions Digital forensics Involves obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases Analyze
More informationCHAPTER 17: File Management
CHAPTER 17: File Management The Architecture of Computer Hardware, Systems Software & Networking: An Information Technology Approach 4th Edition, Irv Englander John Wiley and Sons 2010 PowerPoint slides
More informationThe Linux System. o Updating without touching the user's files and configurations.
Backups In Linux The Linux System Many Linux distros set up seperate "/home" and "/" (root) partitions. User configuration files are hidden with a "." (period) in the front of the name. Separate partitions
More informationAcronis Backup & Recovery 10 Server for Linux. Installation Guide
Acronis Backup & Recovery 10 Server for Linux Installation Guide Table of contents 1 Before installation...3 1.1 Acronis Backup & Recovery 10 components... 3 1.1.1 Agent for Linux... 3 1.1.2 Management
More informationGNU/LINUX Forensic Case Study (ubuntu 10.04)
GNU/LINUX Forensic Case Study (ubuntu 10.04) Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License wim.bertels@khleuven.be FCCU Federal Computer Crime Unit of Belgium Assistance house
More informationDigital Forensics with Open Source Tools
Digital Forensics with Open Source Tools Cory Altheide Harlan Carvey Technical Editor Ray Davidson AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO
More informationAlgorithms and Methods for Distributed Storage Networks 7 File Systems Christian Schindelhauer
Algorithms and Methods for Distributed Storage Networks 7 File Systems Institut für Informatik Wintersemester 2007/08 Literature Storage Virtualization, Technologies for Simplifying Data Storage and Management,
More informationForensic Acquisition and Analysis of VMware Virtual Hard Disks
Forensic Acquisition and Analysis of VMware Virtual Hard Disks Manish Hirwani, Yin Pan, Bill Stackpole and Daryl Johnson Networking, Security and Systems Administration Rochester Institute of Technology
More informationLocal File Sharing in Linux
Local File Sharing in Linux Would you like to share files among multiple users on the same Linux system? Surprisingly, this is trickier to accomplish than it appears, so here is a method that works. The
More informationLab 2 : Basic File Server. Introduction
Lab 2 : Basic File Server Introduction In this lab, you will start your file system implementation by getting the following FUSE operations to work: CREATE/MKNOD, LOOKUP, and READDIR SETATTR, WRITE and
More informationUnderstanding Core storage, logical volumes, and Fusion drives.
Understanding Core storage, logical volumes, and Fusion drives. At the root of all of the information for Fusion Drives is Core Storage. From apples support 10.8 Core Technology Over view Core Storage
More informationTEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control
TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control Version 3.4, Last Edited 9/10/2011 Students Name: Date of Experiment: Read the following guidelines before working in
More informationInstallation Guide for Crossroads Software s Traffic Collision Database
Installation Guide for Crossroads Software s Traffic Collision Database This guide will take you through the process of installing the Traffic Collision Database on a workstation and a network. Crossroads
More informationComputer Forensic Tools. Stefan Hager
Computer Forensic Tools Stefan Hager Overview Important policies for computer forensic tools Typical Workflow for analyzing evidence Categories of Tools Demo SS 2007 Advanced Computer Networks 2 Important
More informationAcronis Backup & Recovery 10 Server for Linux. Update 5. Installation Guide
Acronis Backup & Recovery 10 Server for Linux Update 5 Installation Guide Table of contents 1 Before installation...3 1.1 Acronis Backup & Recovery 10 components... 3 1.1.1 Agent for Linux... 3 1.1.2 Management
More informationUsing Symantec NetBackup with Symantec Security Information Manager 4.5
Using Symantec NetBackup with Symantec Security Information Manager 4.5 Using Symantec NetBackup with Symantec Security Information Manager Legal Notice Copyright 2007 Symantec Corporation. All rights
More informationUsing the Radmind Command Line Tools to. Maintain Multiple Mac OS X Machines
Using the Radmind Command Line Tools to Maintain Multiple Mac OS X Machines Version 0.8.1 This document describes how to install, configure and use the radmind client and server tools to maintain a small
More informationOracle VM Server Recovery Guide. Version 8.2
Oracle VM Server Recovery Guide Version 8.2 Oracle VM Server for x86 Recovery Guide The purpose of this document is to provide the steps necessary to perform system recovery of an Oracle VM Server for
More informationDualFS: A New Journaling File System for Linux
2007 Linux Storage & Filesystem Workshop February 12-13, 13, 2007, San Jose, CA DualFS: A New Journaling File System for Linux Juan Piernas SDM Project Pacific Northwest National
More informationHow To Install Oracle On Linux On A Windows 7.2.2 (Oracle) On A Ubuntu 7.3.2 Oracle (Orca) On An Ubuntu 8.2 With A Windows 8.3 (Or
Instalando Oracle no Linux e preparando ambiente para Módulo 3 10g. Software Setup Instructions 1. Open a terminal window. Login as the root user. 2. Create these operating system groups: oinstall, dba,
More informationDocuPrint C3290 FS Features Setup Guide
DocuPrint C3290 FS Features Setup Guide Adobe and PostScript are trademarks of Adobe Systems Incorporated in the United States and/or other countries. Apple, Bonjour, ColorSync, EtherTalk, Macintosh, and
More informationLive System Forensics
Live System Forensics By: Tim Fernalld & Colby Lahaie Patrick Leahy Center for Digital Investigation Champlain College 2/22/12 Contents Contents... 1 1 Introduction... 2 1.1 Research Statement... 2 1.2
More informationinforouter Version 8.0 Administrator s Backup, Restore & Disaster Recovery Guide
inforouter Version 8.0 Administrator s Backup, Restore & Disaster Recovery Guide Active Innovations, Inc. Names of all products herein are used for identification purposes only and are trademarks and/or
More informationKognitio Technote Kognitio v8.x Hadoop Connector Setup
Kognitio Technote Kognitio v8.x Hadoop Connector Setup For External Release Kognitio Document No Authors Reviewed By Authorised By Document Version Stuart Watt Date Table Of Contents Document Control...
More informationChapter 8: On the Use of Hash Functions in. Computer Forensics
Harald Baier Hash Functions in Forensics / WS 2011/2012 2/41 Chapter 8: On the Use of Hash Functions in Computer Forensics Harald Baier Hochschule Darmstadt, CASED WS 2011/2012 Harald Baier Hash Functions
More informationFile Management. Chapter 12
Chapter 12 File Management File is the basic element of most of the applications, since the input to an application, as well as its output, is usually a file. They also typically outlive the execution
More informationUsing Encrypted File Systems with Caché 5.0
Using Encrypted File Systems with Caché 5.0 Version 5.0.17 30 June 2005 InterSystems Corporation 1 Memorial Drive Cambridge MA 02142 www.intersystems.com Using Encrypted File Systems with Caché 5.0 InterSystems
More informationCPSC 2800 Linux Hands-on Lab #7 on Linux Utilities. Project 7-1
CPSC 2800 Linux Hands-on Lab #7 on Linux Utilities Project 7-1 In this project you use the df command to determine usage of the file systems on your hard drive. Log into user account for this and the following
More informationSurvey of the Operating Landscape Investigating Incidents in the Cloud
Survey of the Operating Landscape Investigating Incidents in the Cloud SESSION ID: CSV-T09 Paul A. Henry Security & Forensics Analyst vnet Security, LLC @phenrycissp Jacob Williams Chief Scientist CSRgroup
More informationQEMU-KVM + D-System Monitor Setup Manual
DEOS-FY2014-QK-02E 2013-2014 Japan Science and Technology Agency QEMU-KVM + D-System Monitor Setup Manual Version E1.2 2014/02/01 Edited by DEOS R&D Center DEOS Project JST-CREST Research Area Dependable
More informationHW 07: Ch 12 Investigating Windows
1 of 7 5/15/2015 2:40 AM HW 07: Ch 12 Investigating Windows Click 'check' on each question or your score will not be recorded. resources: windows special folders ntfs.com Windows cmdline ref how ntfs works
More informationLast modified: September 12, 2013 This manual was updated for TeamDrive Personal Server version 1.1.058
Last modified: September 12, 2013 This manual was updated for TeamDrive Personal Server version 1.1.058 2013 TeamDrive Systems GmbH Page 1 Table of Contents 1 Installing the TeamDrive Personal Server...
More informationUsing Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect's Computer. By:
Using Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect's Computer By: Senior Special Agent Ernest Baca United States Customs Service Office of Investigations Resident Agent in
More informationFile Management Chapters 10, 11, 12
File Management Chapters 10, 11, 12 Requirements For long-term storage: possible to store large amount of info. info must survive termination of processes multiple processes must be able to access concurrently
More information09'Linux Plumbers Conference
09'Linux Plumbers Conference Data de duplication Mingming Cao IBM Linux Technology Center cmm@us.ibm.com 2009 09 25 Current storage challenges Our world is facing data explosion. Data is growing in a amazing
More informationChapter 12 File Management
Operating Systems: Internals and Design Principles, 6/E William Stallings Chapter 12 File Management Dave Bremer Otago Polytechnic, N.Z. 2008, Prentice Hall Roadmap Overview File organisation and Access
More informationChapter 12 File Management. Roadmap
Operating Systems: Internals and Design Principles, 6/E William Stallings Chapter 12 File Management Dave Bremer Otago Polytechnic, N.Z. 2008, Prentice Hall Overview Roadmap File organisation and Access
More informationGuide to Computer Forensics and Investigations, Second Edition
Guide to Computer Forensics and Investigations, Second Edition Chapter 4 Current Computer Forensics Tools Objectives Understand how to identify needs for computer forensics tools Evaluate the requirements
More informationOracle Cluster File System on Linux Version 2. Kurt Hackel Señor Software Developer Oracle Corporation
Oracle Cluster File System on Linux Version 2 Kurt Hackel Señor Software Developer Oracle Corporation What is OCFS? GPL'd Extent Based Cluster File System Is a shared disk clustered file system Allows
More informationWindows NT File System. Outline. Hardware Basics. Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik
Windows Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik Outline NTFS File System Formats File System Driver Architecture Advanced Features NTFS Driver On-Disk Structure (MFT,...)
More informationAcronis Backup & Recovery 10 Server for Linux. Command Line Reference
Acronis Backup & Recovery 10 Server for Linux Command Line Reference Table of contents 1 Console mode in Linux...3 1.1 Backup, restore and other operations (trueimagecmd)... 3 1.1.1 Supported commands...
More informationOutline. Windows NT File System. Hardware Basics. Win2K File System Formats. NTFS Cluster Sizes NTFS
Windows Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik 2 Hardware Basics Win2K File System Formats Sector: addressable block on storage medium usually 512 bytes (x86 disks) Cluster:
More informationFuture Technology Devices International Ltd. Mac OS X Installation Guide
Future Technology Devices International Ltd. Mac OS X Installation Guide I Mac OS X Installation Guide Table of Contents Part I Welcome to the Mac OS X Installation Guide 2 Part II VCP Drivers 3 1 Installing
More informationMac Marshal: A Tool for Mac OS X Operating System and Application Forensics
Mac Marshal: A Tool for Mac OS X Operating System and Application Forensics Rob Joyce, Judson Powers, Frank Adelstein A Subsidiary of Architecture Technology Corporation Digital Forensic Research Workshop
More informationParagon ExtFS for Mac OS X
PARAGON Software GmbH Heinrich-von-Stephan-Str. 5c 79100 Freiburg, Germany Tel. +49 (0) 761 59018201 Fax +49 (0) 761 59018130 Internet www.paragon-software.com E-mail sales@paragon-software.com Paragon
More informationWA2321 - Continuous Integration with Jenkins- CI, Maven and Nexus. Classroom Setup Guide. Web Age Solutions Inc. Web Age Solutions Inc.
WA2321 - Continuous Integration with Jenkins- CI, Maven and Nexus Classroom Setup Guide Web Age Solutions Inc. Web Age Solutions Inc. 1 Table of Contents Part 1 - Minimum Hardware Requirements...3 Part
More informationAcronis Backup & Recovery 10 Server for Windows. Installation Guide
Acronis Backup & Recovery 10 Server for Windows Installation Guide Table of Contents 1. Installation of Acronis Backup & Recovery 10... 3 1.1. Acronis Backup & Recovery 10 components... 3 1.1.1. Agent
More informationAbstract. Microsoft Corporation Published: August 2009
Linux Integration Components Version 2 for Hyper-V (Windows Server 2008, Windows Server 2008 R2, Microsoft Hyper-V Server 2008, and Microsoft Hyper-V Server 2008 R2) Readme Microsoft Corporation Published:
More information15 AFS File Sharing. Client/Server Computing. Distributed File Systems
15 AFS File Sharing Adapted from the Open AFS Guide, http://openafs.org/doc/ AFS makes it easy for people to work together on the same files, no matter where the files are located. AFS users do not have
More informationAcronis Backup & Recovery 10 Server for Windows. Installation Guide
Acronis Backup & Recovery 10 Server for Windows Installation Guide Table of contents 1 Before installation...3 1.1 Acronis Backup & Recovery 10 components... 3 1.1.1 Agent for Windows... 3 1.1.2 Management
More information1 Basic commands. 2 Terminology. CS61B, Fall 2009 Simple UNIX Commands P. N. Hilfinger
CS61B, Fall 2009 Simple UNIX Commands P. N. Hilfinger 1 Basic commands This section describes a list of commonly used commands that are available on the EECS UNIX systems. Most commands are executed by
More informationLinux Overview. The Senator Patrick Leahy Center for Digital Investigation. Champlain College. Written by: Josh Lowery
Linux Overview Written by: Josh Lowery The Senator Patrick Leahy Center for Digital Investigation Champlain College October 29, 2012 Disclaimer: This document contains information based on research that
More informationAccXES Account Management Tool Administrator s Guide Version 10.0
AccXES Account Management Tool Administrator s Guide Version 10.0 701P41531 May 2004 Trademark Acknowledgments XEROX, AccXES, The Document Company, and the identifying product names and numbers herein
More informationTwo Parts. Filesystem Interface. Filesystem design. Interface the user sees. Implementing the interface
File Management Two Parts Filesystem Interface Interface the user sees Organization of the files as seen by the user Operations defined on files Properties that can be read/modified Filesystem design Implementing
More informationCHAD TILBURY. chad@forensicmethods.com. http://forensicmethods.com @chadtilbury
CHAD TILBURY chad@forensicmethods.com 0 Former: Special Agent with US Air Force Office of Special Investigations 0 Current: Incident Response and Computer Forensics Consultant 0 Over 12 years in the trenches
More informationX-Ways Capture. The program executes the following steps unless you specify a different procedure in the configuration file:
Executive Summary X-Ways Capture Specialized computer forensics tool for the evidence collection phase of a forensic investigation that captures Windows and Linux live systems. X-Ways Capture employs various
More informationNSS Volume Data Recovery
NSS Volume Data Recovery Preliminary Document September 8, 2010 Version 1.0 Copyright 2000-2010 Portlock Corporation Copyright 2000-2010 Portlock Corporation Page 1 of 20 The Portlock storage management
More informationUser Manual for Data Backups
User Manual for Data Backups 1 Accepted formats are: EXT3, EXT4, NTFS, FAT32 and HFS+ (Mac OS). Recommended format: EXT3 and EXT4 Mac OS formatted disks will work only on workstations 4 and 7. Keep in
More informationCommand Line - Part 1
Command Line - Part 1 STAT 133 Gaston Sanchez Department of Statistics, UC Berkeley gastonsanchez.com github.com/gastonstat Course web: gastonsanchez.com/teaching/stat133 GUIs 2 Graphical User Interfaces
More informationAcronis Backup & Recovery 11.5
Acronis Backup & Recovery 11.5 Installation Guide Applies to the following editions: Advanced Server Virtual Edition Advanced Server SBS Edition Advanced Workstation Server for Linux Server for Windows
More information1 Introduction FrontBase is a high performance, scalable, SQL 92 compliant relational database server created in the for universal deployment.
FrontBase 7 for ios and Mac OS X 1 Introduction FrontBase is a high performance, scalable, SQL 92 compliant relational database server created in the for universal deployment. On Mac OS X FrontBase can
More informationOpen Directory. Contents. Before You Start 2. Configuring Rumpus 3. Testing Accessible Directory Service Access 4. Specifying Home Folders 4
Contents Before You Start 2 Configuring Rumpus 3 Testing Accessible Directory Service Access 4 Specifying Home Folders 4 Open Directory Groups 6 Maxum Development Corp. Before You Start Open Directory
More informationMobile Labs Plugin for IBM Urban Code Deploy
Mobile Labs Plugin for IBM Urban Code Deploy Thank you for deciding to use the Mobile Labs plugin to IBM Urban Code Deploy. With the plugin, you will be able to automate the processes of installing or
More information