CIS Project 1 February 13, 2017 Jerad Godsave
Part 1) a) Below are a few screenshots indicating verification that the original evidence and the newly created .e01 forensic image match:
Part 1) b) Verifying an image's digital fingerprint is essential when compiling a forensic image. If a disk has been copied with an imaging tool, you must preserve the image files. A digital hash is a way of uniquely identifying file data. A specific hash value, the digital fingerprint, is generated by a forensic hashing algorithm to ensure that no bit or byte was altered in the process of collecting data. The value of verification lies in the component of data integrity known as accuracy. Accuracy is essential when investigating digital data, because tampering with file contents can alter and even compromise a forensic investigation and diminish the credibility of the evidence.

Part 1) c) The directory listing created from FTK Imager exposes metadata related to the image file, in this case the forensic image. The listing includes such attributes as the file name, file path, size (in bytes), 'created' field, 'modified' field, 'accessed' field, and an 'Is deleted' field. A directory listing may be useful in discovering evidentiary material for a particular case, providing a summary of instances and interactions with the data therein. During the discovery phase of a case, this material may open up new lines of questioning or insight for the investigator to sort through.

Part 2) a) Below is a screenshot displaying the Raw/DD formatted image conversion verification results, confirming via hash results that the .e01 and Raw/DD formatted images match:

Part 2) b) There are both advantages and disadvantages to using a raw/dd image compared to an E01 formatted forensic image. The advantages include:
- fast data transfers
- capability to ignore minor data read errors on the source drive
- a universal acquisition format

The disadvantages of utilizing a raw/dd image format include:
- it requires as much storage space as the original disk or data set
- some format tools may not collect marginal (bad) sectors on source drives, resulting in a low threshold of retry reads on weak spots
- performing a validation check with hashing functions creates a separate file

The format chosen depends on the constraints of the case and the resources available to complete a forensic investigation.

Part 3) a) After mounting the raw forensic image flash drive, the dcfldd utility was used to generate a hash on the fly while writing the image to the larger of the two flash drives. Below is the command used to generate the image copy, with the hash function writing its result to a text file:

Part 3) b) The difference between imaging "/dev/sdc" vs. "/dev/sdc1" is a difference of context. Use "/dev/sdc" when referring to an entire drive. Use "/dev/sdc1" or "/dev/sdc#" when acquiring a specific partition on the drive.

Part 3) c) The forensic image has completed. Below is a calculation of the MD5 hash using the md5sum command, with the output redirected to a text file.
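The Part 3 workflow (hash computed during the copy, a second hash of the finished image, then a comparison of the two), written out as an added example that is not taken from the report. A regular file stands in for "/dev/sdc", all file names are constructed, and the dcfldd line in the comments uses its hash= and hashlog= options with assumed output names.

```shell
#!/bin/sh
# Added example (not from the original report). File names and the temp
# directory are constructed; a regular file stands in for /dev/sdc.
# dcfldd form of the acquisition step (output names are assumptions):
#   dcfldd if=/dev/sdc of=image.dd hash=md5 hashlog=acquire.md5
HASH_CMD=${HASH_CMD:-md5sum}    # the report uses MD5; sha256sum also works here

# Print only the hex digest of a file.
hash_of() {
    "$HASH_CMD" < "$1" | cut -d' ' -f1
}

# Read the source once: tee writes the image while the same byte stream is
# hashed, so the logged value describes what was read, not what was written.
acquire() {   # acquire SOURCE IMAGE HASHLOG
    dd if="$1" bs=64k 2>/dev/null | tee "$2" | "$HASH_CMD" | cut -d' ' -f1 > "$3"
    [ -s "$3" ]    # fail if no digest was logged
}

# Re-hash the finished image from disk and compare with the logged value.
verify() {    # verify IMAGE HASHLOG -> prints MATCH or MISMATCH, status 0/1
    if [ "$(hash_of "$1")" = "$(cat "$2")" ]; then
        echo MATCH
    else
        echo MISMATCH
        return 1
    fi
}

# Overwrite one byte in place, standing in for a stray write to the media.
alter_byte() {   # alter_byte FILE OFFSET
    printf '\001' | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Build a constructed 1 MiB "drive", image it, verify, then alter a working copy.
demo() {
    work=$(mktemp -d) || return 1
    { printf 'CONSTRUCTED SAMPLE EVIDENCE\n'
      dd if=/dev/zero bs=1024 count=1024 2>/dev/null; } > "$work/source.bin"
    acquire "$work/source.bin" "$work/image.dd" "$work/acquire.md5" || return 1
    first=$(verify "$work/image.dd" "$work/acquire.md5") || true
    cp "$work/image.dd" "$work/altered.dd"
    alter_byte "$work/altered.dd" 4096
    second=$(verify "$work/altered.dd" "$work/acquire.md5") || true
    size=$(wc -c < "$work/altered.dd" | tr -d ' ')
    rm -rf "$work"
    echo "$first $second $size"
}

demo
```

The altered copy keeps the same size as the original image, so only the hash comparison reveals the one-byte change.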
Part 3) d) After reviewing both of the MD5 hashes of the small flash drive using the "cat" command, the hashes do indeed match, meaning the hexadecimal values are identical. This consistency tells the investigator that not a single bit or byte has changed in any file on the image, since any such change would alter the hash value; the hash value verifies the integrity of the digital evidence obtained.

Part 4) a) Below is a screenshot of the MD5 hash output from WinHex for the small thumb drive, which now includes only a text file. The calculation results in the following hexadecimal hash output: A67A1AA2531DAD0E B20.
Part 4) b) The hashes calculated before unplugging the thumb drive and after plugging the thumb drive in do not match. After plugging the thumb drive in, the resulting hash value was: DCC348760C4BE63B3E778FE83577E935. It can be concluded that the data contained on the image, or the image itself, was altered. It is possible to surmise, then, that writing to the flash drive occurs after plugging in a device. This has ramifications in an investigation, and careful consideration should be given before plugging in evidence for a forensic investigation.

Part 4) c) After enabling read-only/write-blocking for USBs, it is discovered that the generated hash values differ and that it was not possible to upload any files to the USB stick. The hash value generated post-write-blocking configuration is: 81944AC29FBA7B9CBD18AC5A3A70E5AA. The tool is not 100% forensically sound. For 100% assurance, a commercial USB hardware write blocker must be purchased. The process itself is also not forensically sound: USB mass storage devices that are already mounted as writeable will stay writeable until they are removed and reinserted. One should have a contingency plan to ensure a forensically sound acquisition by making two acquisitions if there is enough data storage. The first acquisition should be compressed, and the second should be uncompressed. If one acquisition becomes corrupt, the other one is available for analysis.

Part 5) a) There are both advantages and disadvantages to using FTK Imager and the dcfldd command tool to create a forensic image. The advantages of utilizing "FTK Imager" include:
- highly stable and fast
- comprehensive processing and indexing up front
- supports distributed processing
- access to the Windows Registry, where compromise is often found
- additional plug-ins due to its extended support and feature-rich toolset
Disadvantages of utilizing "FTK Imager" include:
- less control of the process
- support only on a Windows-based device
- limited command line support
- inability to read segmented file extensions starting with .000, resulting in renaming files incrementally

Advantages of the Linux command line tool "dcfldd" include:
- integrated validation options such as hash and hashlog
- development by the Department of Defense Forensic Computing laboratory
- tighter control over process and segmentation with forensic imaging
- support for a Windows executable
- quick formatting over mounted vs. unmounted images/flash drives

Disadvantages of the "dcfldd" command tool include:
- possibility of entering an infinite loop when a faulty sector is encountered
- possible misalignment of the data in the image after a faulty sector is encountered on the source drive
- less support since it is not for commercial purposes

Part 5) b) If I were tasked with acquiring a forensic image of a storage device, I would utilize FTK Imager due to the mere reason of possible misalignment of data during the encounter of a faulty sector in dcfldd. With my integrity as an examiner in the field and the data's integrity on the line, FTK Imager is preferable. In addition, most computers run Windows and it only makes sense to have a tool that can sort through the Windows Registry for evidentiary material in an investigation.

Part 6) The equipment used for this project includes the following software components:
- AccessData FTK Imager
- Thumbscrew Software USB Write Blocker
- Windows 8.1 Pro 64-bit Operating System
- VMWare Workstation 12 Pro, version build
- Deft Linux 8.2 version .iso image live running version
- WinHex 16.7 SR-1 x86
- dcfldd command line program based off version of dd found in GNU Coreutils package
- 7-Zip zip file manager

The equipment used for this project includes the following hardware equipment:
- AMD A APU with Radeon HD Graphics 3.2 GHz processor
- 5.40 GB of usable RAM
- System type: x64-based processor
- Two flash drives: 1.85 GB Centon USB device (NTFS formatted), 32 GB Samsung compact flash USB device (NTFS formatted)
- HP Pavilion series p7-1414pc desktop
More informationAccessData FTK Quick Installation Guide
AccessData FTK Quick Installation Guide Document date: February 11, 2015 2015 AccessData Group, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval
More informationSection 6 Storage Space
Section 6 Storage Space By the end of this section you should be able to: Access and use storage devices View used and available space Understand file compression Compress and edit files Extract compressed
More informationMission Guide: GUI Windows
Mission Guide: GUI Windows Your Mission: Use F-Response to connect to a remote Windows machine Using F-Response to connect to a remote Windows machine and access one or more targets Step 1: Open and start
More informationInitial Bootloader > Flash Drive. Warning. If not used carefully this process can be dangerous
Initial Bootloader > Flash Drive Warning If not used carefully this process can be dangerous Running the script used in this article with an incorrect argument can cause loss of data and potentially damage
More informationBandura High-speed disk duplicator. User s Manual v1.4
Bandura High-speed disk duplicator User s Manual v1.4 Thank you for purchasing an Atola Technology product The Atola Bandura is a stand-alone high-speed 1-to-1 disk drive duplicator built for professional
More informationAutopsy as a Service Distributed Forensic Compute That Combines Evidence Acquisition and Analysis
Autopsy as a Service Distributed Forensic Compute That Combines Evidence Acquisition and Analysis Presentation to OSDFCon 2016 Dan Gonzales, Zev Winkelman, John Hollywood, Dulani Woods, Ricardo Sanchez,
More information24) Type a note then click the OK button to save the note. This is a good way to keep notes on items of interest.
23) Click File Analysis Tab - This allows forensic investigators to look for files on the system as they would on a regular system. Key file attributes are provided to assist the investigator (file size,
More information