Disk Forensics. Oliver Giudice. Banca D Italia
1 Disk Forensics Oliver Giudice Banca D Italia oliver.giudice@bancaditalia.it Dipartimento di Matematica e Informatica Università degli Studi di Catania giudice@dmi.unict.it
2 Outline Computer Basics for Digital Investigators Applying Forensic Science to Computers Windows & Linux System Analysis Tools Overview
3 Computer Basics for Digital Investigators What happens behind the scenes?
4 Computer Basics for Digital Investigators What happens behind the scenes? What's this?
5 Computer Basics for Digital Investigators What happens behind the scenes? What's this? How does it work?
6 Computer Basics for Digital Investigators What happens behind the scenes? Computer power-up phases: 1. CPU reset 2. Power-on Self Test (POST) 3. BIOS 4. Boot (from disk?)
7 Computer Basics for Digital Investigators What happens behind the scenes? BIOS / CMOS. BIOS password vs. CMOS data (date-time information, peripheral configuration, etc.). The BIOS password denies access; the only solution is a CMOS reset, which destroys the CMOS data.
8 Computer Basics for Digital Investigators What happens behind the scenes? BOOT: the system looks for an operating system (first device in the drive sequence). Preventing a computer from using the operating system on the hard disk is IMPORTANT when the disk contains evidence.
9 Computer Basics for Digital Investigators What happens behind the scenes? Representation of DATA: little endian vs. big endian. Viewing two tcpdump files created on Intel-based and Sun systems shows the difference between little- and big-endian representations of the same UNIX data (in bold).
10 Computer Basics for Digital Investigators What happens behind the scenes? Representation of DATA Binary, HEX, ASCII, Etc.
11 Computer Basics for Digital Investigators What happens behind the scenes? Representation of DATA Files Additional common file signatures are tabulated at
12 Computer Basics for Digital Investigators What happens behind the scenes? Representation of DATA Images EXIF
13 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: how do hard disks function? How is data stored? Where can data be hidden?
14 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: IDE (Integrated Disk Electronics); connectors: SATA, SCSI.
15 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: 512-byte sectors. Magnetic patterns on a hard disk as seen through a magnetic force microscope: peaks indicate a one (1) and troughs signify a zero (0).
16 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: SMART. Modern ATA hard drives use SMART (Self-Monitoring, Analysis, and Reporting Technology) to record basic information on the controller, such as how many times the drive has spun up, how many hours it has been powered on, and the current internal temperature. This information helps computers anticipate and warn when a hard drive is likely to stop working properly. Specialized tools are needed!
17 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: special track. The first cylinder on a disk (a.k.a. the maintenance track) is used to store information about the drive such as its geometry and the location of bad sectors. By intentionally marking portions of the disk as bad, an individual can conceal data in these areas from the operating system.
18 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: hidden partitions. Invisible to operating systems; easy to find by using tools that are specifically designed to conduct forensic examinations. Professional vs. amateur.
19 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: file systems. FAT family (Windows), NTFS (Windows), HFS family (Mac), EXT family (Linux), UFS (Solaris).
20 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: file systems. FAT family (Windows), NTFS (Windows), HFS family (Mac), EXT family (Linux), UFS (Solaris); GPT.
21 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: files. When a file takes up less than one cluster, other files will not use the additional space in that cluster (file slack space). When a file is deleted, its entry in the file system is updated to indicate its deleted status, and the clusters that were previously allocated to store it are unallocated and can be reused to store a new file. The data remain on the disk until a new file overwrites them.
22 Computer Basics for Digital Investigators What happens behind the scenes? Not all storage devices have file systems! Backup tapes; on UNIX machines, swap partitions do not have file systems.
23 Computer Basics for Digital Investigators Data Hiding / Obfuscation (within file systems). Many ways: hidden/lost partitions (solution: search for patterns on the disk byte-wise); name changing, e.g. child-porn.jpg → system32.exe (solution: file signature); hidden files (solution: don't use the native OS); alternate data streams: an alternate data stream is a feature of Microsoft NTFS that allows one file to be effectively tacked onto another file without being visible to regular users of the system. This feature was intended to provide compatibility with Macintosh resource forks, but some malicious programs use alternate data streams to hide themselves on Windows systems running NTFS (solution: byte-wise disk analysis); steganography.
24 Computer Basics for Digital Investigators The question is HOW? Forensic examination tools. Pros: they automate operations; some tools have comfortable GUIs; easy and fast. Cons: you need to understand what is behind them; different tools give different results; common sense needed.
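The "file signature" countermeasure to name changing, as an added shell example that is not part of the slides: the first bytes of each file are compared with a small constructed table of known headers (JPEG, PNG, PDF, ZIP, MZ), and any file whose extension claims one type while its header says another is reported. The function names and the sample files built in the demo are assumptions of this example; a real examination would use a full signature table (or the `file` utility) and run over a read-only mount of the evidence.

```shell
#!/bin/sh
# Added example (not from the slides): detect files whose extension does not
# match their header bytes, using only od/tr/case. The magic table below is a
# small constructed subset; extend it from a full file-signature reference.

magic_type() {
  # $1 = file. Classify by the first 8 bytes (lowercase hex, no spaces).
  h=$(od -An -tx1 -N 8 "$1" | tr -d ' \n')
  case "$h" in
    ffd8ff*)           echo jpeg ;;
    89504e470d0a1a0a*) echo png ;;
    25504446*)         echo pdf ;;   # "%PDF"
    504b0304*)         echo zip ;;   # "PK\3\4": also docx/xlsx/jar containers
    4d5a*)             echo exe ;;   # "MZ": DOS/Windows executable
    *)                 echo unknown ;;
  esac
}

ext_type() {
  # $1 = file name. What the extension claims, mapped onto the same labels.
  name=${1##*/}
  case "$name" in *.*) ext=${name##*.} ;; *) ext="" ;; esac
  case "$(printf '%s' "$ext" | tr 'A-Z' 'a-z')" in
    jpg|jpeg)      echo jpeg ;;
    png)           echo png ;;
    pdf)           echo pdf ;;
    zip|docx|xlsx) echo zip ;;
    exe|dll|sys)   echo exe ;;
    *)             echo unknown ;;
  esac
}

check_file() {
  # $1 = file. Prints a verdict; returns 1 when a known header disagrees
  # with the extension. Unknown headers are reported as OK (nothing to say).
  e=$(ext_type "$1"); m=$(magic_type "$1")
  if [ "$e" = "$m" ] || [ "$m" = unknown ]; then
    echo "OK        $1 (header=$m)"; return 0
  fi
  echo "MISMATCH  $1 (extension=$e header=$m)"; return 1
}

count_mismatches() {
  # $1 = directory. Prints the number of mismatching regular files under it.
  find "$1" -type f | while IFS= read -r f; do
    check_file "$f" >/dev/null || echo "$f"
  done | wc -l | tr -d ' '
}

# Demo on constructed files: JPEG header bytes hiding behind an .exe name,
# next to a genuine MZ executable header.
d=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$d/system32.exe"
printf 'MZ\220\003' > "$d/real.exe"
find "$d" -type f | while IFS= read -r f; do check_file "$f" || true; done
echo "mismatches under $d: $(count_mismatches "$d")"
rm -rf "$d"
```

The check looks only at header bytes, so it catches renamed files but not files whose contents were also transformed (encrypted, steganographic); those need the byte-wise and content analyses the slide lists next.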
25 Applying Forensic Science to Computers Where do we start?
26 Applying Forensic Science to Computers ISO/IEC 27037:2012: guidelines for identification, collection, acquisition, and preservation of digital evidence.
27 Applying Forensic Science to Computers Crime Scene Laboratory Preparation Examination and Analysis Survey Reconstruction Preservation Documentation Reporting Results
28 Windows & Linux System Analysis Log Files. Windows: C:\Windows\System32\config (application usage statistics, login account data, security data); DIFFICULT to find and read. Linux: /var/log (almost everything on the system); easy to read, but easy to tamper with.
29 Windows & Linux System Analysis Windows Registry System configuration and usage details Use of Removable USB devices
30 Windows & Linux System Analysis Internet Traces Modem logs Browsers Clients FTP Clients P2P Clients
31 Tools Overview Partition Analysis. fdisk -l: shows all partitions and storage devices; mmls /dev/xxx or mmls filename.dd: shows all partitions in a device or image; mount: shows filesystem types of mounted devices and mode (rw).
32 Tools Overview Mount (where?): /dev/fdx for floppy disks (e.g. /dev/fd0); /dev/hdx for IDE hard disks; /dev/sdx for SATA hard disks or USB devices; /dev/cdrom for optical devices.
33 Tools Overview Mount (how?): mount -t type -o options source mount_point. Type: filesystem type, for example fat, ntfs-3g, ext3, etc.; choose «auto» when not sure! Source: /dev/hda1 or /dev/sda1. Mount_point: directory that must be created BEFORE launching the mount command. Options: ro: read-only; rw: read-write; loop: for image files; noatime: access time not modified; noexec: doesn't allow executables.
34 Tools Overview Mount: examples (devices). mount -t ntfs-3g -o rw /dev/sdb1 /media/dest; mount -t ntfs-3g -o ro /dev/sdb1 /media/evidence
35 Tools Overview Mount: examples (images). If the image file is of an entire disk and not of a single partition: mount -t ntfs -o ro,loop,noatime,noauto,noexec,offset=$((512*32256)) dump.dd /media/dest
36 Tools Overview Mount: examples (images). mmls dump.dd: I want partition 3, so offset=$((512*32256))
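Where the offset number comes from, as an added example that is not part of the slides: a small POSIX shell reader for the MBR partition table of a whole-disk image, doing by hand what mmls reports. It also shows the little-endian point from slide 9: the start LBA is stored low byte first, so the four bytes have to be reassembled in that order before multiplying by 512. The 512-byte sample MBR is constructed inside the script (two partitions, the second starting at sector 32256 like the slide's example); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): read the MBR partition table of a raw
# image to get the byte offset that mount -o offset= needs. The start LBA is
# stored little-endian, so the bytes are reassembled low byte first. The
# sample MBR is constructed here and is not a real disk.

le32() {
  # $1 = file, $2 = byte offset. Decode 4 little-endian bytes as an unsigned int.
  od -An -tu1 -j "$2" -N 4 "$1" |
    awk 'NF >= 4 { print $1 + $2 * 256 + $3 * 65536 + $4 * 16777216; exit }'
}

hex_at() {
  # $1 = file, $2 = byte offset, $3 = length. Lowercase hex, no spaces.
  od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

part_offset() {
  # $1 = image, $2 = slot 1..4. Prints the byte offset of the partition's
  # first sector (start LBA * 512); returns 1 if the slot is empty.
  entry=$((446 + ($2 - 1) * 16))        # table starts at byte 446, 16 bytes/entry
  [ "$(hex_at "$1" $((entry + 4)) 1)" != 00 ] || return 1   # type byte 0 = unused
  echo $(( $(le32 "$1" $((entry + 8))) * 512 ))
}

list_partitions() {
  # $1 = image. A minimal mmls: one line per used slot.
  [ "$(hex_at "$1" 510 2)" = 55aa ] || { echo "no 0x55AA MBR signature" >&2; return 1; }
  printf 'Slot Boot Type StartLBA Sectors  ByteOffset\n'
  n=1
  while [ $n -le 4 ]; do
    entry=$((446 + (n - 1) * 16))
    ptype=$(hex_at "$1" $((entry + 4)) 1)
    if [ "$ptype" != 00 ]; then
      boot=$(hex_at "$1" "$entry" 1)
      lba=$(le32 "$1" $((entry + 8)))
      cnt=$(le32 "$1" $((entry + 12)))
      printf '%-4s %-4s 0x%s %-8s %-8s %s\n' "$n" "$boot" "$ptype" "$lba" "$cnt" $((lba * 512))
    fi
    n=$((n + 1))
  done
}

make_sample_mbr() {
  # $1 = output file. 512-byte constructed MBR: empty boot code, two
  # partition entries, two empty entries, 0x55AA signature.
  dd if=/dev/zero bs=446 count=1 2>/dev/null > "$1"
  # slot 1: bootable (0x80), type 0x07 (NTFS), start LBA 63, 204800 sectors
  printf '\200\000\000\000\007\000\000\000\077\000\000\000\000\040\003\000' >> "$1"
  # slot 2: type 0x83 (Linux), start LBA 32256 (0x7E00), 409600 sectors
  printf '\000\000\000\000\203\000\000\000\000\176\000\000\000\100\006\000' >> "$1"
  dd if=/dev/zero bs=32 count=1 2>/dev/null >> "$1"   # slots 3 and 4 unused
  printf '\125\252' >> "$1"                           # 0x55 0xAA
}

# Demo: build the sample, list it, and print the mount line (not executed).
img=$(mktemp)
make_sample_mbr "$img"
list_partitions "$img"
off=$(part_offset "$img" 2)
echo "mount -t auto -o ro,loop,noexec,offset=$off $img /media/evidence   # (not run here)"
rm -f "$img"
```

For slot 2 the script prints 16515072, which is exactly $((512*32256)) from the slide; mmls numbers its rows differently (it also lists the table and unallocated space), so always take the "start" sector from the tool's output rather than the row number. Extended partitions and GPT disks are not parsed here; mmls handles both.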
37 Tools Overview Never Forget When Finished: umount /media/mount_point
38 Tools Overview Devices Acquisition: Method Compute Device HASH Bit-stream Copy of Device Compute Image HASH and check with device one
39 Tools Overview Hash. md5sum /dev/sda; sha1sum /dev/sda; md5deep -r -l /root/evidence/ > hash_device.txt (recursively computes hashes of files and saves them in a text file); dhash -t -f /dev/sda --md5 --sha1 -l dhashlog.html (computes md5 and sha1 and gives the remaining time; GUI provided; multilanguage).
40 Tools Overview Devices Acquisition: dd. dd if=/dev/sda of=/media/diskimage.img; dd if=/dev/sda of=/dev/sdb (dangerous!)
41 Tools Overview Devices Acquisition: dd. dd if=/dev/sda of=/media/diskimage.img; dd if=/dev/sda of=/dev/sdb (dangerous!). Devices Acquisition: ddrescue: same command signature; sets zeros in place of unreadable bits.
42 Tools Overview Devices Acquisition: dcfldd. dcfldd if=/dev/sda of=/media/disk.img hash=md5,sha1 (computes the hashes and acquires at the same time). Devices Acquisition: dhash (again). dhash -t -f /dev/sda --md5 --sha1 -o disk.dd (acquisition and hash).
43 Tools Overview Data Analysis: Timeline (first step). fls (example for images with a single partition): fls -z GMT -s 0 -m C: -f ntfs -r /images/disk-c.dd > /workdir/disk-c.body. -z: time zone of the system to be analyzed; -s: skew in seconds between system time and UTC; -m: text prefix for path and filename; -f: file system type; /images/disk-c.dd: input image; /workdir/disk-c.body: output; -o: offset, for images with multiple partitions.
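The acquisition method of slide 38 (hash the device, bit-stream copy, hash the image, compare) written out as a shell script, added here and not taken from the slides. It uses md5sum, sha1sum and dd as the slides do; the function names, the log format and the "device" used in the demo (a constructed 8 KiB regular file) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the slides): acquisition with dd plus hash
# verification, logging both hashes for the record. md5sum/sha1sum are
# the coreutils tools named on the slides; the demo source is a constructed
# file standing in for a device.

hash_file() {
  # $1 = file. Prints "md5 sha1" on one line.
  echo "$(md5sum "$1" | cut -d' ' -f1) $(sha1sum "$1" | cut -d' ' -f1)"
}

bitstream_copy() {
  # $1 = source, $2 = image, $3 = log. bs=512 matches the sector size, so
  # conv=sync pads only genuinely unreadable sectors with zeros (a larger bs
  # would also pad the tail of the device and change the hash); conv=noerror
  # keeps reading past bad sectors. dd's own summary goes to the log.
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>>"$3"
}

verify_image() {
  # $1 = source hashes ("md5 sha1"), $2 = image. Returns 0 only if both match.
  [ "$1" = "$(hash_file "$2")" ]
}

acquire() {
  # $1 = source device/file, $2 = image path, $3 = log. Prints VERIFIED or
  # MISMATCH and writes the full record to the log.
  src_hashes=$(hash_file "$1")
  echo "source=$1 md5/sha1: $src_hashes" >> "$3"
  bitstream_copy "$1" "$2" "$3" || { echo "result=DD_FAILED" >> "$3"; return 2; }
  echo "image=$2 md5/sha1: $(hash_file "$2")" >> "$3"
  if verify_image "$src_hashes" "$2"; then
    echo "VERIFIED $2"; echo "result=VERIFIED" >> "$3"; return 0
  fi
  echo "MISMATCH $2 (unreadable sectors or source changed; see $3)"
  echo "result=MISMATCH" >> "$3"; return 1
}

# Demo: a constructed 16-sector "device", acquired and verified, then the
# image is damaged on purpose to show the check failing.
d=$(mktemp -d)
dd if=/dev/urandom of="$d/sda" bs=512 count=16 2>/dev/null
acquire "$d/sda" "$d/sda.img" "$d/acq.log"
h=$(hash_file "$d/sda")
printf 'X' >> "$d/sda.img"
if verify_image "$h" "$d/sda.img"; then echo "unexpected: still verifies"; else echo "tampered image: MISMATCH detected"; fi
cat "$d/acq.log"
rm -rf "$d"
```

A mismatch is not always tampering: with conv=noerror,sync, every unreadable sector becomes zeros in the image, so the hashes legitimately differ and the dd error lines in the log are the explanation. That is the case dcfldd's hash= option and ddrescue's log handle more gracefully.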
44 Tools Overview Data Analysis: Timeline (body file): sample body-file output (screenshot).
45 Tools Overview Data Analysis: Timeline (second step). mactime (body → csv): mactime -b /workdir/disk-c.body -z GMT -d > /workdir/disk-c.csv. -b: input file; -z: time zone; -d: comma-delimited output; > /workdir/disk-c.csv: output file. Activity analysis: -i day file_name: daily activity summary; -i hour file_name: hourly activity summary.
46 Tools Overview Data Analysis: Timeline. mactime -d -i (screenshot of the activity index).
47 Tools Overview Data Analysis: Timeline. mactime (output screenshot).
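What mactime does with the body file that fls writes, reduced to awk and sort as an added example (this is not mactime and not code from the slides). A body line has the fields MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime with UTC epoch times; the script emits one row per distinct timestamp of each file with the MACB flags, sorted by time, and an hourly summary in the spirit of `-i hour`. The two body lines are constructed; the epoch-to-date conversion is done in awk (Hinnant's days-to-civil algorithm) so no GNU date is needed.

```shell
#!/bin/sh
# Added example (not from the slides, not the real mactime): turn a body
# file into a sorted MACB timeline CSV, then count events per hour.

mactime_csv() {
  # stdin = body file; stdout = "date,macb,size,inode,name", sorted by time
  # then name. Flags: m=mtime a=atime c=ctime b=crtime, "." where unset.
  awk -F'|' 'NF >= 11 {
      split("", seen)
      for (i = 8; i <= 11; i++) {
        t = $i
        if (t == "" || t == "0" || (t in seen)) continue   # 0 = not set
        seen[t] = 1
        f = ($9 == t ? "m" : ".") ($8 == t ? "a" : ".") ($10 == t ? "c" : ".") ($11 == t ? "b" : ".")
        printf "%s|%s|%s|%s|%s\n", t, f, $7, $3, $2
      }
    }' |
  LC_ALL=C sort -t'|' -k1,1n -k5,5 |
  awk -F'|' '
    function utc(t,  days, secs, z, era, doe, yoe, y, doy, mp, d, m) {
      days = int(t / 86400); secs = t - days * 86400
      z = days + 719468
      era = int((z >= 0 ? z : z - 146096) / 146097)
      doe = z - era * 146097
      yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
      y = yoe + era * 400
      doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
      mp = int((5 * doy + 2) / 153)
      d = doy - int((153 * mp + 2) / 5) + 1
      m = mp < 10 ? mp + 3 : mp - 9
      if (m <= 2) y++
      return sprintf("%04d-%02d-%02d %02d:%02d:%02d", y, m, d,
                     int(secs / 3600), int(secs % 3600 / 60), secs % 60)
    }
    BEGIN { print "date,macb,size,inode,name" }
    { print utc($1) "," $2 "," $3 "," $4 "," $5 }'
}

hourly_summary() {
  # stdin = CSV from mactime_csv; stdout = "YYYY-MM-DD HH:00,count" per hour.
  awk -F, 'NR > 1 { h[substr($1, 1, 13)]++ } END { for (k in h) print k ":00," h[k] }' |
    LC_ALL=C sort
}

demo_timeline() {
  # Two constructed body lines (NTFS-style inode "MFT-attr-id", times in UTC).
  mactime_csv <<'EOF'
0|C:/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|302592|1500000000|1499990000|1499990000|1499980000
0|C:/Users/bob/Documents/report.docx|5678-128-3|r/rrwxrwxrwx|0|0|20480|1500003600|1500003600|1500003600|1500000000
EOF
}

demo_timeline
echo "--- events per hour ---"
demo_timeline | hourly_summary
```

Reading the output: a row with "mac." means the file was written, read and had its metadata changed in the same second (typical of creation by a copy), while "...b" alone marks the NTFS creation time, the timestamp timestomping tools most often leave inconsistent with the others. Names containing commas would need quoting in a real CSV; mactime handles that, this sketch does not.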
48 Tools Overview Data Analysis: Super Timeline. log2timeline (uses file system metadata and many other sources): 1. Apache2 access log; 2. Apache2 error log; 3. Google Chrome history; 4. EnCase dirlisting; 5. Windows Event Log files (EVT); 6. Windows Event Log files (EVTX); 7. EXIF; 8. Firefox bookmarks; 9. Firefox 2 history; 10. Firefox 3 history; 11. FTK Imager dirlisting CSV file; 12. Generic Linux log file; 13. Internet Explorer history file, parsing index.dat; 14. Windows IIS W3C log file; 15. ISA server text export; 16. Mactime body file; 17. McAfee AntiVirus log; 18. MS-SQL error log; 19. Opera global and direct browser history; 20. OpenXML metadata (Office 2007); 21. PCAP files; [...]
49 Tools Overview Data Analysis: Super Timeline. log2timeline (example): mount -o ro,loop,show_sys_files,streams_interface=windows,offset=$((512*63)) /mnt/raw/img.dd /mnt/c
50 Tools Overview Data Analysis: Super Timeline. log2timeline (example): log2timeline -p -f winxp -r -z Europe/Rome /mnt/c/ -m C: -w c-log2t-unsorted.csv. -p: recursive preprocessing (for further analysis); -f: OS type; -r: recursive analysis of files; -z: time zone; -m: prefix string for paths; -w: output (csv file).
51 Tools Overview Data Analysis: Super Timeline. log2timeline (example): log2timeline -p -f winxp -r -z Europe/Rome /mnt/c/ -m C: -w c-log2t-unsorted.csv. -p: recursive preprocessing (for further analysis); -f: OS type; -r: recursive analysis of files; -z: time zone; -m: prefix string for paths; -w: output (csv file). Returns the CSV in analysis order.
52 Tools Overview Data Analysis: Super Timeline. l2t_process (example): l2t_process -i -b c-log2t-unsorted.csv -y -k keywords.txt > c-log2t.csv. -i: prints information outside the time interval if timestomping is suspected; -y: forces the date format yyyy-mm-dd; -b: input; -k: keywords file.
53 Tools Overview Data Analysis: Super Timeline. l2t_process (output columns): 1. Date 2. Time 3. Timezone 4. MACB 5. Source 6. Sourcetype 7. Type 8. User 9. Host 10. Short 11. Desc 12. Version 13. Filename 14. Inode 15. Notes 16. Format 17. Extra. Long list of entries: file system operations, metadata, Registry, events, links, browser history, etc.
54 Tools Overview Data Analysis: file and directory search. locate (examples): locate -q -i finanza (case insensitive; quiet, suppresses access errors); locate -q '*.png'. find (examples): find . -iwholename '*porn*.png' (all PNG files whose path contains "porn", case insensitive); find . -ctime -2 > lista.txt (files whose status changed in the last two days).
55 Tools Overview Data Analysis: File Carving. foremost (examples): foremost -o outpdir dump.img (uses the configuration in /etc/foremost.conf); foremost -t png -o outpdir dump.img. Built-in types: tiff wmv mov pdf ole doc zip rar jpg gif png bmp avi exe mpg wav htm cpp.
56 Tools Overview Data Analysis: Tools (GUI) DHash: Acquisition Hash
57 Tools Overview Data Analysis: Tools (GUI) Guymanager: Acquisition Case management
58 Tools Overview Data Analysis: Tools (GUI) Catfish: Find Locate
59 Tools Overview Data Analysis: Tools (GUI) FindWild: Search file contents Locate
60 Tools Overview Data Analysis: Tools (GUI) Hunchbacked 4most: Foremost Implementation
61 Tools Overview Data Analysis: Tools (GUI) Hunchbacked 4most: Scalpel Implementation
62 Tools Overview Data Analysis: Autopsy File System Analysis Carving Timeline reconstruction Almost Everything!
63 Tools Overview Internet Traces: Browsers. IEHistoryView, IECookieView, IECacheView, MozillaHistoryView, MozillaCookieView, MozillaCacheView, MyLastSearch.
64 Tools Overview Internet Traces: .pst files (Microsoft Outlook): Kernel Outlook PST Viewer, Mail Navigator, Microsoft Outlook (be careful). SQLite (Mozilla Thunderbird).
65 Tools Overview Internet Traces (cloud): Dropbox (example). Files.dbx, Config.dbx, File_cache.dbx: Server_path, Parent_path, Local_sjid (file version number), Local_mtime (modified time), Local_ctime (created time). Dropbox Decryptor (Magnet Forensics).
66 Thanks for your attention.
More informationThere is a general need for long-term and shared data storage: Files meet these requirements The file manager or file system within the OS
Why a file system? Why a file system There is a general need for long-term and shared data storage: need to store large amount of information persistent storage (outlives process and system reboots) concurrent
More informationCSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak
CSN08101 Digital Forensics Lecture 6: Acquisition Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Objectives Storage Formats Acquisition Architecture Acquisition Methods Tools Data Acquisition
More informationA file system is a clearly-defined method that the computer's operating system uses to store, catalog, and retrieve files.
File Systems A file system is a clearly-defined method that the computer's operating system uses to store, catalog, and retrieve files. Module 11: File-System Interface File Concept Access :Methods Directory
More informationOPERATING SYSTEM. Chapter 12: File System Implementation
OPERATING SYSTEM Chapter 12: File System Implementation Chapter 12: File System Implementation File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management
More informationdeft User Guide Stefano Fratepietro, Sandro Rossetti R. 0,6
deft User Guide Stefano Fratepietro, Sandro Rossetti R. 0,6 2 This manual is dedicated to Ele and Silvia: thank you for your infinite patience. It's also dedicated to bubu and Paguro,we really hope that
More informationCIS Project 1 February 13, 2017 Jerad Godsave
CIS 484-75-4172 Project 1 February 13, 2017 Jerad Godsave Part 1) a) Below are a few screenshots indicating verification that the original evidence and the newly created.e01 forensic image match: Part
More informationFile Systems. What do we need to know?
File Systems Chapter 4 1 What do we need to know? How are files viewed on different OS s? What is a file system from the programmer s viewpoint? You mostly know this, but we ll review the main points.
More informationChapter 11: Implementing File
Chapter 11: Implementing File Systems Chapter 11: Implementing File Systems File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency
More informationChapter. Chapter. Magnetic and Solid-State Storage Devices
Chapter Chapter 9 Magnetic and Solid-State Storage Devices Objectives Explain how magnetic principles are applied to data storage. Explain disk geometry. Identify disk partition systems. Recall common
More informationUsing grub to Boot various Operating Systems
Operating Systems and Systems Integration Using grub to Boot various Operating Systems Contents 1 Aim 2 2 What You Will Do 2 3 Background 2 3.1 Installing grub in MBR from a floppy, and from the OS........
More informationChapter 11: Implementing File Systems. Operating System Concepts 9 9h Edition
Chapter 11: Implementing File Systems Operating System Concepts 9 9h Edition Silberschatz, Galvin and Gagne 2013 Chapter 11: Implementing File Systems File-System Structure File-System Implementation Directory
More informationFilesystem. Disclaimer: some slides are adopted from book authors slides with permission
Filesystem Disclaimer: some slides are adopted from book authors slides with permission 1 Recap Directory A special file contains (inode, filename) mappings Caching Directory cache Accelerate to find inode
More informationSource: https://articles.forensicfocus.com/2018/03/02/evidence-acquisition-using-accessdata-ftk-imager/
by Chirath De Alwis Source: https://articles.forensicfocus.com/2018/03/02/evidence-acquisition-using-accessdata-ftk-imager/ Forensic Toolkit or FTK is a computer forensics software product made by AccessData.
More informationCIS Business Computer Forensics and Incident Response. Lab Protocol 02: FileSystems/VM
Name: CIS 8630 Business Computer Forensics and Incident Response Lab Protocol 02: FileSystems/VM Purpose: Ensure every student has experienced forensics distinctions between imaging digital storage media,
More informationPartitioning and Formatting Guide
Partitioning and Formatting Guide Version 1.2 Date 05-15-2006 Partitioning and Formatting Guide This guide is designed to explain how to setup your drive with the correct partition and format for your
More informationChapter 10: File System Implementation
Chapter 10: File System Implementation Chapter 10: File System Implementation File-System Structure" File-System Implementation " Directory Implementation" Allocation Methods" Free-Space Management " Efficiency
More informationCST Algonquin College 2
Partitions Lab due dates: Labs are due as specified usually on Page1 of the Lab document Lab due dates are expressed as: 10 min before the end of the lab period during a certain week There is a grace period
More informationA Study on Linux. Forensics By: Gustavo Amarchand, Keanu. Munn, and Samantha Renicker 11/1/2018
A Study on Linux 11/1/2018 Forensics By: Gustavo Amarchand, Keanu Munn, and Samantha Renicker Abstract In the field of computer forensics investigators must be familiar with many different systems and
More informationFCCU GNU/Linux Forensic Boot CD
FCCU GNU/Linux Forensic Boot CD Hack.lu Forensic Workshop Christophe Monniez Geert Van Acker Who we are... General Direction of the Judicial Police Direction for combatting economical and financial crime
More informationA Formal Logic for Digital Investigations: A Case Study Using BPB Modifications.
A Formal Logic for Digital Investigations: A Case Study Using BPB Modifications. Abstract I. Mitchell Middlesex University, UK A Formal Logic is developed and the following presented: i) Notation for Formal
More informationCS370 Operating Systems
CS370 Operating Systems Colorado State University Yashwant K Malaiya Spring 2018 Lecture 22 File Systems Slides based on Text by Silberschatz, Galvin, Gagne Various sources 1 1 Disk Structure Disk can
More informationChapter 11: File System Implementation. Objectives
Chapter 11: File System Implementation Objectives To describe the details of implementing local file systems and directory structures To describe the implementation of remote file systems To discuss block
More informationCST8207: GNU/Linux Operating Systems I Lab Nine Disks, Partitions, and File Systems Part 2. Disks, Partitions, and File Systems - Part 2 of 2
Student Name: Lab Section: Disks, Partitions, and File Systems - Part 2 of 2 1 Due Date - Upload to Blackboard by 8:30am Monday April 9, 2012 Submit the completed lab to Blackboard following the Rules
More informationAccessData Forensic Toolkit Release Notes
AccessData Forensic Toolkit 5.6.1 Release Notes Document Date: 3/09/2015 2015 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues
More informationNIST CFTT: Testing Disk Imaging Tools
NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md. 20899-8970 1. Introduction There is a critical need in the law enforcement community
More informationInstalling Linux (Chapter 8) Note packet # 4. CSN 115 Operating Systems Ken Mead Genesee Community College. Objectives
Installing Linux (Chapter 8) Note packet # 4 CSN 115 Operating Systems Ken Mead Genesee Community College Objectives Learn about the hardware components of your computer system Configure hard disk space
More informationChapter 11: Implementing File Systems
Chapter 11: Implementing File Systems Operating System Concepts 99h Edition DM510-14 Chapter 11: Implementing File Systems File-System Structure File-System Implementation Directory Implementation Allocation
More informationAcknowledgments About the Authors
Preface p. xv Acknowledgments p. xix About the Authors p. xxi Case Studies p. xxv Live Incident Response p. 1 Windows Live Response p. 3 Analyzing Volatile Data p. 5 The System Date and Time p. 6 Current
More information