Digital Forensics. Module 4 CS 996




Slide 2: Hard Drive Forensics
- Acquisition
  - Bit for bit copy
  - Write protect the evidence media
  - EnCase for DOS
  - Safeback (NTI: www.forensics-intl.com)
- Analysis
  - EnCase
  - FTK (www.accessdata.com)
  - WinHex Forensic Edition
2/23/2005 Module 4 2

Slide 3: Acquisition Steps With EnCase
- Create EnCase boot disk
  - DOS boot disk
  - Network boot disk
- Start subject computer with boot disk
- Acquire data to storage computer
  - Network acquisition
  - Drive to drive acquisition
  - Parallel cable acquisition
  - Windows acquisition

Slide 4: EnCase Resources
- Academic CD
  - Instructor Notes
  - User Manual excerpts on analysis
  - Training Manual
- www.guidancesoftware.com
  - Online videos

Slide 5: EnCase Acquisition Geometry
- Network cable acquisition (diagram): subject computer connected to storage computer by a network crossover cable

Slide 6: EnCase Acquisition Geometry, cont.
- Drive to drive acquisition (diagram): subject hard drive attached to storage computer by IDE cable

Slide 7: Analysis With EnCase
- Basic navigation
- String searches (key words, GREP, etc.)
- Signature match
- Registry analysis (compound file)
- Email analysis (compound file)
- File viewers (third party viewers)

Slide 8: EnCase Image File
- Contains more than a raw dd sector image
  - Case information header
  - CRC for each 32KB of data
  - MD5 checksum for entire image
- Image verification: does the CRC match for each 32KB block?
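An added example, not EnCase's own code and not the real EnCase/EWF file layout: it packs data into a simplified, constructed container carrying the two checks the slide names (a CRC32 after every 32 KB chunk and an MD5 over the whole image) and then verifies it the way the slide describes, reporting which chunk fails and whether the whole-image hash still holds.

```python
import binascii
import hashlib
import struct

CHUNK = 32 * 1024   # the slide: one CRC per 32 KB of data
MD5_LEN = 16

def build_image(raw: bytes) -> bytes:
    """Pack raw sector data into a simplified, constructed container:
    each 32 KB chunk is followed by its little-endian CRC32, and the
    whole file ends with the MD5 of the raw data. This layout only
    illustrates the slide; it is not the real EnCase/EWF format."""
    out = bytearray()
    for off in range(0, len(raw), CHUNK):
        chunk = raw[off:off + CHUNK]
        out += chunk + struct.pack("<I", binascii.crc32(chunk))
    out += hashlib.md5(raw).digest()
    return bytes(out)

def verify_image(img: bytes) -> dict:
    """Re-check every chunk CRC and the trailing MD5, as EnCase does on
    verification. Returns the indexes of chunks whose CRC fails and
    whether the MD5 of the reassembled data still matches."""
    body, stored_md5 = img[:-MD5_LEN], img[-MD5_LEN:]
    raw, bad_chunks = bytearray(), []
    pos = idx = 0
    while pos < len(body):
        clen = min(CHUNK, len(body) - pos - 4)   # last chunk may be short
        chunk = body[pos:pos + clen]
        (stored_crc,) = struct.unpack("<I", body[pos + clen:pos + clen + 4])
        if binascii.crc32(chunk) != stored_crc:
            bad_chunks.append(idx)
        raw += chunk
        pos += clen + 4
        idx += 1
    return {"bad_chunks": bad_chunks,
            "md5_ok": hashlib.md5(raw).digest() == stored_md5}

if __name__ == "__main__":
    raw = bytes(range(256)) * 300        # constructed 76,800-byte "drive"
    img = build_image(raw)
    print(verify_image(img))             # clean: no bad chunks, md5_ok True
    damaged = bytearray(img)
    damaged[CHUNK + 4 + 10] ^= 0xFF      # flip one byte inside chunk 1
    print(verify_image(bytes(damaged)))  # bad_chunks [1], md5_ok False
```

The per-chunk CRC localises damage to one 32 KB block, while the MD5 alone only says that something, somewhere, changed.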

Slide 9: Analysis With EnCase
- Install software
- Initialize case
- Drag and drop evidence file into EnCase
- Bookmarks: reporting
  - Need to keep track of key findings

Slide 10: Initialize Case: EnCase Scripts
- Allow custom forensic analysis
- Program in C++ like API
- Pre-made scripts
  - Initialize Case
  - Download from www.guidancesoftware.com
  - Install in: c:\program files\encase\scripts\examples
- Running scripts: View => Scripts, select script, Run; view report under Bookmarks

Slide 11: Using EnCase Scripts
- Image filtering for porn investigation
  - Find victims; find all images
  - Need to look through 10,000+ images
- Aspect ratio theory
  - Select images with 33-40% aspect ratio
  - Reject images that are square (+/- 2 pixels)
- Reference: www.armordata.com

Slide 12: Using Bookmarks
- Save important data for report
- View => Bookmarks: Create New Folder
  - Text
  - Images

Slides 13-14: screenshots (no text)

Slide 15: Navigating Case
- View
  - Table
  - Signature analysis (in Search function)
  - Hash analysis
  - Gallery
  - Timeline
  - Report
  - Disk

Slides 16-19: screenshots (no text)

Slide 20: Finding Evidence
- Sorting columns in table view
- Filters, queries and scripts
- Recovering folders
- Keyword search

Slide 21: screenshot (no text)

Slide 22: Filters, Queries and Scripts
- Filters
  - Use built-in capabilities
  - Create queries when filter is run
- Queries
  - Combine more than one filter in semi-custom query
- Scripts
  - Create your own search function using C++ like language

Slides 23-25: screenshots (no text)

Slide 26: String Search
- Adding keywords
- Choose files/folders to be searched
- Configure search

Slide 27: EnCase Search Method
- First does logical search
- Next does sector by sector
- Compound files like .pst and .dat need to be mounted separately
- Diagram: the keyword "PHONE TAP" straddling cluster N and cluster N+1

Slides 28-32: screenshots (no text)

Slide 33: File Signatures
- Stated extension on evidence file
- Header information in the file itself
- Matches?
- Reference for file signatures: www.garykessler.net
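An added example of the extension-versus-header check this slide asks about (not EnCase's signature analysis; the magic table is a small constructed subset in the style of the public signature tables the slide references, and the status labels are this example's own):

```python
# Constructed subset of file signatures (magic bytes), not the full table.
SIGNATURES = {
    "jpg":  [b"\xFF\xD8\xFF"],
    "jpeg": [b"\xFF\xD8\xFF"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF"],
    "zip":  [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],   # OOXML documents are ZIP containers
    "exe":  [b"MZ"],
}

def types_for_header(header: bytes) -> set:
    """All extensions whose magic bytes match the start of the file."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(header.startswith(m) for m in magics)}

def signature_status(name: str, header: bytes) -> str:
    """Compare the stated extension with the header. Labels (this example's):
      match          extension and header agree
      mismatch       header is a known type, but not the one the name claims
      bad signature  extension is a known type, but the header is not
      unknown        neither side is in the table"""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    found = types_for_header(header)
    if ext in found:
        return "match"
    if found:
        return "mismatch"
    return "bad signature" if ext in SIGNATURES else "unknown"

def triage(files) -> dict:
    """files: iterable of (name, first bytes). Returns name -> status so the
    mismatches (renamed images, executables posing as documents) stand out."""
    return {name: signature_status(name, head) for name, head in files}

# Constructed sample "evidence files": only the leading bytes are needed.
SAMPLE = [
    ("holiday.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),
    ("notes.txt",   b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),   # JPEG renamed to .txt
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),               # executable named .pdf
    ("report.docx", b"PK\x03\x04\x14\x00"),
    ("broken.png",  b"\x00\x00\x00\x00"),
    ("data.bin",    b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name:13} {status}")
```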

Slides 34-35: screenshots (no text)

Slide 36: Compound File Analysis
- Registry
- Email
- Files that are composed of multiple layers

Slide 37: Access Registry (screenshot)

Slide 38: Win98: user.dat (screenshot)

Slide 39: View Email Folder
- Compound file
- Locate .dbx or .pst files
- View file structure

Slides 40-41: screenshots (no text)

Slide 42: File Viewers
- Look at file outside EnCase
- Add: View => File Viewers
- Create association: View => File Types
- Double click on file: copies and opens with viewer
- QuickView Plus (www.avantstar.com)
  - 200+ different file formats
  - Eliminates problems with trojans, viruses, etc.

Slide 43: Add File Viewer (screenshot)

Slide 44: Create Association (View => File Types) (screenshot)

Slide 45: Next Lab Assignment
- Familiarize yourself with EnCase
- Complete the posted lab assignment