Introduction to Disk Forensics: Discovering evidence in mass storage devices
1 Introduction to Disk Forensics: Discovering evidence in mass storage devices. ictlab s.r.l. - Spinoff Università di Catania; IPLAB - Università di Catania; info@ictlab.srl. Catania - April 26, 2017
2 Outline: 1. Introduction (10) 2. Computer Basics for Digital Investigators / Disk Investigation (45) 3. Tools and Discussion (30)
3 What happens behind the scenes?
4 What happens behind the scenes? What's this?
5 What happens behind the scenes? What's this? How does it work?
6 What happens behind the scenes? Power-up Computer Power-up phases: 1. CPU Reset 2. Power-on Self Test (POST) 3. BIOS 4. Boot (disk?)
7 What happens behind the scenes? BIOS - CMOS. BIOS password vs. CMOS data (date-time information, peripherals configuration, etc.). A BIOS password denies access; the only solution is a CMOS reset, which destroys the CMOS data.
8 What happens behind the scenes? BOOT. The system looks for an operating system (first in the drive sequence). Preventing a computer from using the operating system on the hard disk is IMPORTANT when the disk contains evidence.
9 What happens behind the scenes? Power-up Computer Power-up phases: 1. CPU Reset 2. Power-on Self Test (POST) 3. BIOS 4. Boot (disk?)
10 What happens behind the scenes? Representation of DATA: little endian vs. big endian. Viewing two tcpdump files created on Intel-based and Sun systems shows the difference between the little- and big-endian representations of the same UNIX data (in bold).
11 What happens behind the scenes? Representation of DATA Binary, HEX, ASCII, Etc.
12 What happens behind the scenes? Representation of DATA Files Additional common file signatures are tabulated at
13 What happens behind the scenes? Representation of DATA Images EXIF
14 What happens behind the scenes? Hard Drives: How do hard drives function? How is data stored? Where can data be hidden?
15 What happens behind the scenes? Hard Drives IDE (Integrated Disk Electronics) Connectors: (SATA SCSI)
16 What happens behind the scenes? Hard Drives (512-byte sectors). Magnetic patterns on a hard disk as seen through a magnetic force microscope. Peaks indicate a one (1) and troughs signify a zero (0).
17 What happens behind the scenes? Hard Drives: SMART. Modern ATA hard drives use SMART (Self-Monitoring, Analysis, and Reporting Technology) to record basic information on the controller, such as how many times the drive has spun up, how many hours it has been powered on, and the current internal temperature. This information helps computers anticipate and warn when a hard drive is likely to stop working properly. Specialized tools are needed!
18 What happens behind the scenes? Hard Drives: Special Track. The first cylinder on a disk (a.k.a. the maintenance track) is used to store information about the drive, such as its geometry and the location of bad sectors. By intentionally marking portions of the disk as bad, an individual can conceal data in these areas from the operating system.
19 What happens behind the scenes? Hard Drives: Hidden Partitions. Invisible to operating systems; easy to find by using tools that are specifically designed to conduct forensic examinations. Professional vs. amateur.
20 What happens behind the scenes? Hard Drives: File Systems. FAT family (Windows), NTFS (Windows), HFS family (Mac), EXT family (Linux), UFS (Solaris).
21 What happens behind the scenes? Hard Drives: Files
22 What happens behind the scenes? Hard Drives: Files (figure: the contents of a file spread over the used clusters)
23 What happens behind the scenes? Hard Drives: Files. When a file takes up less than one cluster, other files will not use the additional space in that cluster (file slack space). When a file is deleted, its entry in the file system is updated to indicate its deleted status, and the clusters that were previously allocated to store it become unallocated and can be reused to store a new file. The data remains on the disk until a new file overwrites it.
24 What happens behind the scenes? Not all storage devices have file systems! Backup tapes; on UNIX machines, swap partitions do not have file systems.
25 Data Hiding / Obfuscation (within file systems). Many ways:
Hidden/lost partitions (solution: search for patterns on the disk byte-wise)
Name changing: child-porn.jpg → system32.exe (solution: file signature)
Hidden files (solution: don't use the native OS)
Alternate Data Stream: an alternate data stream is a feature of Microsoft NTFS that allows one file to be effectively tacked onto another file without being visible to regular users of the system. This feature was intended to provide compatibility with Macintosh resource forks, but some malicious programs use alternate data streams to hide themselves on Windows systems running NTFS. (Solution: byte-wise disk analysis)
Steganography
26 The question is HOW? Forensic examination tools. PRO: they automate operations; some tools have comfortable GUIs; EASY and FAST. CONS: you need an understanding of what is behind them; different tools give different results; common sense needed.
27 Log Files. Windows: C:\Windows\System32\config (application usage statistics, login account data, security data; DIFFICULT to find and read). Linux: /var/log (almost everything on the system; easy to read but easy to tamper with).
28 Windows Registry: system configuration and usage details; use of removable USB devices.
29 Internet Traces: modem logs, browsers, clients, FTP clients, P2P clients.
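The "file signature" answer to name changing, as an added shell example that is not part of the original deck: it reads the first bytes of each file with od and reports files whose extension claims a different type than their signature. The sample files, their names and the hypothetical directory are constructed here; the signature table covers only the handful of types the check needs.

```shell
# Constructed sample files (not from any real case): a PNG header hiding behind
# an .exe name, a JPEG, a DOS/PE executable, an OOXML document and a text file.
make_samples() {
    # $1: directory to write into
    printf '\211PNG\r\n\032\n' > "$1/system32.exe"   # PNG magic 89 50 4E 47 0D 0A 1A 0A
    printf '\377\330\377\340' > "$1/photo.jpg"        # JPEG SOI + APP0 marker FF D8 FF E0
    printf 'MZ\220\000' > "$1/setup.exe"              # DOS/PE header starts with "MZ"
    printf 'PK\003\004' > "$1/archive.docx"           # ZIP local file header (OOXML is a zip)
    printf 'hello\n' > "$1/notes.txt"                 # no signature: plain text
}

# Print the type the first bytes of a file (its signature) say it is,
# independent of the file name.
signature_type() {
    # first 8 bytes as two-digit hex, uppercase, no separators
    magic=$(od -An -tx1 -N8 "$1" | tr -d ' \n' | tr 'a-f' 'A-F')
    case $magic in
        89504E470D0A1A0A*) echo png ;;
        FFD8FF*)           echo jpeg ;;
        4D5A*)             echo exe ;;
        504B0304*)         echo zip ;;
        25504446*)         echo pdf ;;
        *)                 echo unknown ;;
    esac
}

# Type an extension is expected to carry; used to flag name/signature mismatches.
expected_type() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        *.png)               echo png ;;
        *.jpg|*.jpeg)        echo jpeg ;;
        *.exe|*.dll)         echo exe ;;
        *.zip|*.docx|*.xlsx) echo zip ;;
        *.pdf)               echo pdf ;;
        *)                   echo unknown ;;
    esac
}

# Walk a directory and report files whose signature disagrees with their extension.
# Output: one line per mismatch, "path<TAB>claimed<TAB>actual".
find_renamed() {
    find "$1" -type f | while IFS= read -r f; do
        sig=$(signature_type "$f"); ext=$(expected_type "$f")
        # Flag only when both sides are known and differ: a text file with no
        # signature (notes.txt) is not evidence of renaming.
        if [ "$sig" != unknown ] && [ "$ext" != unknown ] && [ "$sig" != "$ext" ]; then
            printf '%s\t%s\t%s\n' "$f" "$ext" "$sig"
        fi
    done
}
```

Run it as `d=$(mktemp -d); make_samples "$d"; find_renamed "$d"`: only system32.exe is reported, claimed exe, actually png.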
30 Where do we start?
31 ISO/IEC 27037:2012: Guidelines for identification, collection, acquisition, and preservation of digital evidence.
32 Process stages. Crime scene: Preparation, Survey, Preservation, Documentation. Laboratory: Examination and Analysis, Reconstruction, Reporting Results.
33 Partition Analysis. fdisk -l: shows all partitions and memory devices. mmls /dev/xxx or mmls filename.dd: shows all partitions in a device. mount: shows the filesystem types of mounted devices and their mode (rw).
34 Mount (where?) /dev/fdx for floppy disks (e.g. /dev/fd0); /dev/hdx IDE hard disks; /dev/sdx SATA hard disks or USB devices; /dev/cdrom for optical devices.
35 Mount (how?) mount -t type -o options source mount_point
-t type: filesystem type, for example fat, ntfs-3g, ext3, etc.; choose "auto" when not sure!
source: /dev/hda1 or /dev/sda1
mount_point: directory that must be created BEFORE launching the mount command
-o options: ro: read-only; rw: read-write; loop: for image files; noatime: access times are not modified; noexec: does not allow executables
36 Mount: examples (devices)
mount -t ntfs-3g -o rw /dev/sdb1 /media/dest
mount -t ntfs-3g -o ro /dev/sdb1 /media/evidence
37 Mount: examples (images). If the image file is of an entire disk and not of a single partition:
mount -t ntfs -o ro,loop,noatime,noauto,noexec,offset=$((512*32256)) dump.dd /media/dest
38 Mount: examples (images). mmls dump.dd: I want partition 3 → offset=$((512*32256))
39 Never forget when finished: umount /media/mount_point
40 Devices Acquisition: Method. 1. Compute the device HASH. 2. Bit-stream copy of the device. 3. Compute the image HASH and check it against the device one.
41 Hash
md5sum /dev/sda; sha1sum /dev/sda
md5deep -r -l /root/evidence/ > hash_device.txt (recursively computes the hashes of the files and saves them in a txt file)
dhash -t -f /dev/sda --md5 --sha1 -l dhashlog.html (computes md5 and sha1 and shows the remaining time; GUI provided; multilanguage)
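The offset on the slides is the start sector of the wanted mmls row multiplied by the sector size. This added example, not code from the original deck, computes it from an mmls listing; the listing is constructed sample data, and the mount command is only printed, not executed.

```shell
# Constructed mmls-style listing of a DOS partition table (sample data, not a
# real image). Columns as mmls prints them: slot, start, end, length, description.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0001230847   0001024000   Linux (0x83)
004:  -------   0001230848   0002097151   0000866304   Unallocated'

# Byte offset for mount's offset= option: the start sector of the chosen mmls
# row times the sector size taken from the "Units are in ..." line (512 if absent).
mmls_offset() {
    # $1: mmls output text, $2: row number as mmls prints it (003 or 3 both work)
    printf '%s\n' "$1" | awk -v row="$2" '
        BEGIN { sector = 512 }
        /^Units are in/ { sector = $4; sub(/-byte/, "", sector) }
        $1 ~ /^[0-9]+:$/ && ($1 + 0) == (row + 0) {
            printf "%d\n", $3 * sector
            found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Build the read-only loop mount command used on the slides; "auto" lets mount
# detect the file system. Prints the command so it can be reviewed before use.
mount_cmd() {
    # $1: mmls output text, $2: mmls row, $3: image file, $4: mount point
    off=$(mmls_offset "$1" "$2") || return 1
    printf 'mount -t auto -o ro,loop,noatime,noexec,offset=%s %s %s\n' "$off" "$3" "$4"
}
```

For the sample listing, `mmls_offset "$SAMPLE_MMLS" 003` prints 105906176 (206848 sectors of 512 bytes) and `mount_cmd "$SAMPLE_MMLS" 003 dump.dd /media/evidence` prints the full command.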
42 Devices Acquisition: dd
dd if=/dev/sda of=/media/diskimage.img
dd if=/dev/sda of=/dev/sdb !!!!dangerous!!!! (device-to-device copy: swapping if and of overwrites the evidence)
43 Devices Acquisition: ddrescue. Same signature; sets unreadable bits to zero.
44 Devices Acquisition: dcfldd
dcfldd if=/dev/sda of=/media/disk.img hash=md5,sha1 (computes the hashes and acquires at the same time)
Devices Acquisition: dhash (again)
dhash -t -f /dev/sda --md5 --sha1 -o disk.dd (acquisition and hash)
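The acquisition method of the slides (device hash, bit-stream copy, image hash, compare) as an added shell example that is not part of the original deck. It uses a constructed 1536-byte file in place of /dev/sda so it runs without a real device or root, and shows that a later change to the image is caught by re-checking the recorded hash.

```shell
# Constructed stand-in for a device: "000".."511" with no newlines = 1536 bytes,
# i.e. exactly three 512-byte sectors. Real devices are whole sectors too, which
# matters below because conv=sync pads a short final block with zeros.
make_sample_device() {
    # $1: path of the file to create
    seq -w 0 511 | tr -d '\n' > "$1"
}

sha1_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# Steps 1-3 of the method: hash the source, bit-stream copy it, hash the image,
# compare. Prints both hashes; exit status 0 only when they match.
acquire_and_verify() {
    # $1: source device or file, $2: image path to write
    src=$1; img=$2
    src_hash=$(sha1_of "$src") || return 2
    # conv=noerror,sync keeps going past read errors and zero-fills the bad
    # block so the image stays sector-aligned (what ddrescue does for
    # unreadable areas); bs=512 matches the sector size.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    img_hash=$(sha1_of "$img") || return 2
    printf 'device %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Later integrity check of a stored image against the hash recorded at
# acquisition time (e.g. from hash_device.txt).
verify_image() {
    # $1: image path, $2: expected SHA-1 hex digest
    [ "$(sha1_of "$1")" = "$2" ]
}
```

Run it as `make_sample_device dev.bin; acquire_and_verify dev.bin dev.img`; after the copy, `verify_image dev.img <recorded hash>` fails as soon as any byte of the image differs.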
45 Data Analysis: Timeline (first step): fls (example for images with a single partition)
fls -z GMT -s 0 -m C: -f ntfs -r /images/disco-c.dd > /workdir/disco-c.body
-z: time zone of the system to be analyzed; -s: skew in seconds between the system time and UTC; -m: text prefix for path and filename; -f: file system type; /images/disco-c.dd: input image; /workdir/disco-c.body: output; -o: offset, for images with multiple partitions.
46 Data Analysis: Timeline (Body File) (screenshot of the body file produced by fls)
47 Data Analysis: Timeline (second step): mactime (body → csv)
mactime -b /workdir/disk-c.body -z gmt -d > /workdir/disk-c.csv
-b: input file; -z: time zone; -d > /workdir/disk-c.csv: comma-delimited output. Activity analysis: -i day file_name: daily activity index; -i hour file_name: hourly activity index.
48 Data Analysis: Timeline: mactime -d with an -i index (screenshot)
49 Data Analysis: Timeline: mactime (output) (screenshot)
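The body-file to timeline step (what mactime does with the fls output) as an added shell/awk example that is not part of the original deck. The three body lines are constructed sample data in the TSK 3 body format, and timestamps are left as epoch seconds instead of formatted dates so the code stays portable.

```shell
# Constructed TSK 3.x body file (what fls -m writes): one line per file,
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in epoch seconds.
SAMPLE_BODY='0|C:/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|302592|1493200000|1490000000|1490000000|1490000000
0|C:/Users/alice/Documents/report.docx|5678-128-3|r/rrwxrwxrwx|0|0|48231|1493203600|1493203600|1493203600|1493200000
0|C:/Users/alice/Downloads/invoice.pdf.exe|9012-128-2|r/rrwxrwxrwx|0|0|71680|1493204000|1493203900|1493203950|1493203900'

# mactime-style timeline: one row per distinct timestamp of each file, with
# MACB flags showing which of mtime/atime/ctime/crtime fell on that second.
# Output lines: epoch|MACB|size|name, sorted by time.
body_timeline() {
    # $1: body-file text
    printf '%s\n' "$1" | awk -F'|' '
        NF == 11 {
            # field 8 = atime, 9 = mtime, 10 = ctime, 11 = crtime (b = birth)
            split("", seen)
            for (i = 8; i <= 11; i++) {
                t = $i
                if (t == 0 || (t in seen)) continue   # skip unset and repeated times
                seen[t] = 1
                flags = ($9 == t ? "m" : ".") ($8 == t ? "a" : ".") \
                        ($10 == t ? "c" : ".") ($11 == t ? "b" : ".")
                printf "%s|%s|%s|%s\n", t, flags, $7, $2
            }
        }' | sort -t'|' -k1,1n -k4,4
}
```

`body_timeline "$SAMPLE_BODY"` yields seven rows; report.docx appears as "...b" at its creation time and "mac." an hour later, the same MACB pattern you read in the mactime and l2t_process output columns.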
50 Data Analysis: Super Timeline: log2timeline (uses file system metadata). Supported inputs: 1. Apache2 access log; 2. Apache2 error log; 3. Google Chrome history; 4. EnCase dirlisting; 5. Windows Event Log files (EVT); 6. Windows Event Log files (EVTX); 7. EXIF; 8. Firefox bookmarks; 9. Firefox 2 history; 10. Firefox 3 history; 11. FTK Imager dirlisting CSV file; 12. Generic Linux log file; 13. Internet Explorer history file, parsing index.dat; 14. Windows IIS W3C log file; 15. ISA server text export; 16. Mactime body file; 17. McAfee AntiVirus log; 18. MS-SQL error log; 19. Opera global and direct browser history; 20. OpenXML metadata (Office 2007); 21. PCAP files; [...]
51 Data Analysis: Super Timeline: log2timeline (example)
mount -o ro,loop,show_sys_files,streams_interface=windows,offset=$((512*63)) /mnt/raw/img.dd /mnt/c
52 Data Analysis: Super Timeline: log2timeline (example)
log2timeline -p -f winxp -r -z Europe/Rome /mnt/c/ -m C: -w c-log2t-unsorted.csv
-p: recursive preprocessing (for further analysis); -f: OS type; -r: recursive analysis of files; -z: time zone; -m: prefix string for paths; -w: output (csv file)
53 Returns CSV files in analysis order.
54 Data Analysis: Super Timeline: l2t_process (example)
l2t_process -i -b c-log2t-unsorted.csv -y -k keywords.txt > c-log2t.csv
-i: prints information not in the time interval, if timestomping is suspected; -y: forces the date format yyyy-mm-dd; -b: input; -k: keywords file
55 Data Analysis: Super Timeline: l2t_process (output). Columns: 1. Date 2. Time 3. Timezone 4. MACB 5. Source 6. Sourcetype 7. Type 8. User 9. Host 10. Short 11. Desc 12. Version 13. Filename 14. Inode 15. Notes 16. Format 17. Extra. Long list of entries: file system operations, metadata, registry, events, links, browser history, etc.
56 Data Analysis: file and directory search
locate (example): locate -q -i finanza (case insensitive; -q suppresses database access errors); locate -q '*.png'
find (example): find . -iwholename '*porn*.png' (all .png files whose path contains "porn", case insensitive); find . -ctime -2 > lista.txt (files whose inode status changed in the last two days; ctime is change time, not creation time)
57 Data Analysis: File Carving: foremost (example)
foremost -o outpdir dump.img (uses the configuration in /etc/foremost.conf)
foremost -t png -o outpdir dump.img
Built-in types: tiff wmv mov pdf ole doc zip rar jpg gif png bmp avi exe mpg wav htm cpp
58 Data Analysis: Tools (GUI) DHash: Acquisition Hash
59 Data Analysis: Tools (GUI) Guymager: Acquisition Case management
60 Data Analysis: Tools (GUI) Catfish: Find Locate
61 Data Analysis: Tools (GUI) FindWild: Search file contents Locate
62 Data Analysis: Tools (GUI) Hunchbacked 4most: Foremost Implementation
63 Data Analysis: Tools (GUI) Hunchbacked 4most: Scalpel Implementation
64 Data Analysis: Autopsy File System Analysis Carving Timeline reconstruction Almost Everything!
65 Internet Traces: Browsers: IEHistoryView, IECookieView, IECacheView, MozillaHistoryView, MozillaCookieView, MozillaCacheView, MyLastSearch
66 Internet Traces: E-mail. .pst files (Microsoft Outlook): Kernel Outlook PST Viewer, Mail Navigator, Microsoft Outlook (be careful). SQLite (Mozilla Thunderbird).
67 Internet Traces (Cloud): Dropbox (example). Files.dbx, Config.dbx, File_cache.dbx; fields: Server_path, Parent_path, Local_sjid (file version number), Local_mtime (modified time), Local_ctime (created time). Dropbox Decryptor (Magnet Forensics).
68 Questions? ictlab s.r.l. - Spinoff Università di Catania info@ictlab.srl Catania - April 26, 2017
More informationA file system is a clearly-defined method that the computer's operating system uses to store, catalog, and retrieve files.
File Systems A file system is a clearly-defined method that the computer's operating system uses to store, catalog, and retrieve files. Module 11: File-System Interface File Concept Access :Methods Directory
More informationOPERATING SYSTEM. Chapter 12: File System Implementation
OPERATING SYSTEM Chapter 12: File System Implementation Chapter 12: File System Implementation File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management
More informationOPERATING SYSTEMS & UTILITY PROGRAMS
OPERATING SYSTEMS & UTILITY PROGRAMS System Software System software consists of the programs that control the operations of the computer and its devices. Functions that system software performs include:
More informationFile Systems. What do we need to know?
File Systems Chapter 4 1 What do we need to know? How are files viewed on different OS s? What is a file system from the programmer s viewpoint? You mostly know this, but we ll review the main points.
More informationUsing grub to Boot various Operating Systems
Operating Systems and Systems Integration Using grub to Boot various Operating Systems Contents 1 Aim 2 2 What You Will Do 2 3 Background 2 3.1 Installing grub in MBR from a floppy, and from the OS........
More informationChapter 11: Implementing File
Chapter 11: Implementing File Systems Chapter 11: Implementing File Systems File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency
More informationFilesystem. Disclaimer: some slides are adopted from book authors slides with permission
Filesystem Disclaimer: some slides are adopted from book authors slides with permission 1 Recap Directory A special file contains (inode, filename) mappings Caching Directory cache Accelerate to find inode
More informationCIS Business Computer Forensics and Incident Response. Lab Protocol 02: FileSystems/VM
Name: CIS 8630 Business Computer Forensics and Incident Response Lab Protocol 02: FileSystems/VM Purpose: Ensure every student has experienced forensics distinctions between imaging digital storage media,
More informationChapter 11: Implementing File Systems. Operating System Concepts 9 9h Edition
Chapter 11: Implementing File Systems Operating System Concepts 9 9h Edition Silberschatz, Galvin and Gagne 2013 Chapter 11: Implementing File Systems File-System Structure File-System Implementation Directory
More informationSource: https://articles.forensicfocus.com/2018/03/02/evidence-acquisition-using-accessdata-ftk-imager/
by Chirath De Alwis Source: https://articles.forensicfocus.com/2018/03/02/evidence-acquisition-using-accessdata-ftk-imager/ Forensic Toolkit or FTK is a computer forensics software product made by AccessData.
More informationLinux Essentials. Smith, Roderick W. Table of Contents ISBN-13: Introduction xvii. Chapter 1 Selecting an Operating System 1
Linux Essentials Smith, Roderick W. ISBN-13: 9781118106792 Table of Contents Introduction xvii Chapter 1 Selecting an Operating System 1 What Is an OS? 1 What Is a Kernel? 1 What Else Identifies an OS?
More informationForensic Image Capture. Digital Forensics NETS1032 Winter 2018
Forensic Image Capture Digital Forensics NETS1032 Winter 2018 Storage Devices Storage devices are implemented using one or more of several technologies The oldest method of modern information storage is
More informationFCCU GNU/Linux Forensic Boot CD
FCCU GNU/Linux Forensic Boot CD Hack.lu Forensic Workshop Christophe Monniez Geert Van Acker Who we are... General Direction of the Judicial Police Direction for combatting economical and financial crime
More informationTesting the Date Maintenance of the File Allocation Table File System
Abstract Testing the Date Maintenance of the File Allocation Table File Tom Waghorn Edith Cowan University e-mail: twaghorn@student.ecu.edu.au The directory entries used in the File Allocation Table filesystems
More informationPartitioning and Formatting Guide
Partitioning and Formatting Guide Version 1.2 Date 05-15-2006 Partitioning and Formatting Guide This guide is designed to explain how to setup your drive with the correct partition and format for your
More informationParaben s Data Recovery Stick User Manual
Paraben s Data Recovery Stick User Manual Contents About Paraben s Data Recovery Stick... 3 System Requirements... 3 Getting Started... 4 Data Recovery... 4 Application User Interface... 5 Main Page...
More informationA Formal Logic for Digital Investigations: A Case Study Using BPB Modifications.
A Formal Logic for Digital Investigations: A Case Study Using BPB Modifications. Abstract I. Mitchell Middlesex University, UK A Formal Logic is developed and the following presented: i) Notation for Formal
More informationChapter 10: File System Implementation
Chapter 10: File System Implementation Chapter 10: File System Implementation File-System Structure" File-System Implementation " Directory Implementation" Allocation Methods" Free-Space Management " Efficiency
More informationAccessData Forensic Toolkit Release Notes
AccessData Forensic Toolkit 5.6.1 Release Notes Document Date: 3/09/2015 2015 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues
More informationSoma s Installation Notes
For Details, Contact: Thay Soma sundaram Telephone: 850-644-6448 E-mail: soma@sb.fsu.edu Soma s Installation Notes Kasha Laboratory of Biophysics Institute of Molecular Biophysics Florida State University
More informationProject Report 22 February /90 Advanced Computer Forensics Professor Yin Pan
Project Report 22 February 2009 4055.841.39/90 Advanced Computer Forensics Professor Yin Pan Table of Contents Executive Summary... 4 Caveats in the Research Process... 4 DeviceInfo... 4 Process Overview...
More informationCS370 Operating Systems
CS370 Operating Systems Colorado State University Yashwant K Malaiya Spring 2018 Lecture 22 File Systems Slides based on Text by Silberschatz, Galvin, Gagne Various sources 1 1 Disk Structure Disk can
More informationChapter 11: File System Implementation. Objectives
Chapter 11: File System Implementation Objectives To describe the details of implementing local file systems and directory structures To describe the implementation of remote file systems To discuss block
More informationComputer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 5 Windows Forensics II
Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition Chapter 5 Windows Forensics II Objectives After completing this chapter, you should be able to:
More information