Digital Forensics Practicum CAINE 8.0. Review and User's Guide
Digital Forensics Practicum: CAINE 8.0 Review and User's Guide
Ana L. Hernandez
Master of Science in Cybersecurity, Digital Forensics Concentration
University of South Florida
Table of Contents
I. CAINE 8.0 Overview
II. CAINE 8.0 Functionality
III. CAINE 8.0 User's Guide
  A. Create a Forensic Image
  B. Create a Case
  C. Image Analysis
  D. Data Carving
  E. Network File Analysis
IV. Appendix
V. Reference
I. CAINE 8.0 Overview

CAINE 8.0, which stands for Computer Aided Investigative Environment, is an Italian GNU/Linux live distribution designed for computer forensics. CAINE is an open source project that started as a Digital Forensics project for the Interdepartmental Centre for Research on Security (CRIS), supported by the University of Modena and Reggio Emilia, Italy. It comes packed with tools and utilities for digital investigations. The main objectives of CAINE, as stated on its site, are to provide investigators with an environment that supports the four phases of an investigation, together with a user-friendly interface. In addition, CAINE includes Windows incident response and live forensics tools. There have been 10 versions of CAINE, the most recent being 9.0, released on October 25,

II. CAINE 8.0 Functionality

CAINE includes a wide range of tools, cataloged in menus such as Analysis, Memory Forensics, Mobile Forensics, Disks, Database, Malware Analysis, Network Forensics and Hashes; see Figures 1-10 for a full list of the tools included. Also included in the distribution are scripts to help with the examination of allocated files within the Caja web browser. The scripts render databases, internet histories, Windows registries and deleted files, and also extract EXIF data to text files. Below is a description of a few of the tools used during this project.

Autopsy Forensic Browser 2.0 is a graphical interface for the command-line investigation and analysis tools in The Sleuth Kit. It is essential for Linux investigations, and it can analyze disk images, local storage drives such as a local drive or a USB-attached drive, and logical file systems such as NTFS, FAT, UFS1/2 and Ext2/3. Autopsy is HTML-based, which allows investigators to connect from different systems.
Autopsy provides the following features: File Listing, File Content, Hash Databases, File Type Sorting, Timeline of File Activity, Keyword Search, Meta Data Analysis, Data Unit Analysis, Image Details, Case Management, Event Sequencer, Notes, Image Integrity, Reports, Logging, Open Design (allows exporting data for use in other tools), and Client Server Model.

QPhotoRec is data recovery software for lost files such as images, videos, archives and document formats. PhotoRec originally had to be run from the command line to scan for deleted files; QPhotoRec is the GUI version of the command-line tool. PhotoRec identifies file types by comparing known signatures to the start of each data block. The tool works even if the file system is damaged or reformatted, because it does not rely on the file system but on the underlying data. There is no risk of altering the evidence, as it uses read-only access. PhotoRec works with hard disks, CD-ROMs, memory cards, USB memory drives, DD raw images and EnCase E01 images, among others.

ANA L. HERNANDEZ 1

Wireshark is a network protocol analyzer. It can be used to capture packets in real time, for network troubleshooting, and for file analysis. Wireshark includes display filters, color coding (green for TCP, dark blue for DNS, light blue for UDP, and black for TCP packets with problems), as well as the ability to inspect individual packets.

III. CAINE 8.0 User's Guide

In this guide I will cover how to create a case with Autopsy, how to analyze an image, and how to recover files. I will also cover how to carve data from a raw DD image using QPhotoRec, and how to analyze network log files in Wireshark. All of this is done using the CAINE 8.0 live distribution.

A. Create a Forensic Image

Step 1. After mounting the device, check that it is in read-only mode using BlockON/OFF from System Tools. Check-mark the device and click OK to switch to read-only mode if needed. We do not want to compromise the integrity of the image.
Step 2. Create a folder to store the image once it is captured. You will use this location later on.

Step 3. Open Guymager from the Main Menu.

Step 4. Select the disk to be imaged, and ensure it is the right one before proceeding.

Step 5. Right-click the selected disk and select Acquire Image.

Step 6. The Acquire Image window will show up. Select the file format, whether you want to split the image, the filename, and select Hash calculation and image verification. Then click Start when ready to image.

Step 7. When image processing starts, the first screen will show the state, progress bar, etc., as well as metadata about the image. Now wait until it completes.

Step 8. Once completed, the state light will turn green and say Verified & Ok; you can close the window.

Step 9. Navigate to the evidence folder created in Step 2. You will see two files: the actual acquired image, and an info file.

Step 10. Open the info file and verify the image. The info file contains all the metadata entered previously, device information, the information returned during acquisition, including the MD5 hash, and the image verification result.
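The verification in Step 10 can also be scripted, so the image can be re-checked at any later point in the case. The Python below is an added example (not part of the guide, and not Guymager's code): it reads the MD5 recorded in the info file, rehashes the acquired image segment by segment, and reports whether the two agree. The info-file label format, the evidence paths and the sample image bytes are all assumptions or constructed values.

```python
import hashlib
import re
from pathlib import Path
from typing import Iterable, Iterator, Optional

# Assumption (not taken from the guide): a Guymager info file records the
# acquisition hash on a line such as "MD5 hash : <32 hex digits>". Label
# spacing differs between versions, so the pattern is deliberately loose.
MD5_LINE = re.compile(r"MD5\s+hash\s*:\s*([0-9a-fA-F]{32})")


def md5_from_info(info_text: str) -> Optional[str]:
    """Return the MD5 recorded in the info file (lowercase), or None if absent."""
    match = MD5_LINE.search(info_text)
    return match.group(1).lower() if match else None


def md5_of_chunks(chunks: Iterable[bytes]) -> str:
    """Hash a stream of byte chunks. A split image is hashed as one continuous
    stream, segment after segment, which is how the acquisition hash is defined."""
    digest = hashlib.md5()
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()


def iter_segment_chunks(paths: Iterable[Path], chunk_size: int = 1 << 20) -> Iterator[bytes]:
    """Yield fixed-size chunks from each image segment in the given order,
    so a multi-gigabyte image never has to be loaded into memory at once."""
    for path in paths:
        with path.open("rb") as fh:
            while chunk := fh.read(chunk_size):
                yield chunk


def verify_image(info_text: str, chunks: Iterable[bytes]) -> dict:
    """Compare the hash recorded at acquisition with a fresh hash of the image."""
    recorded = md5_from_info(info_text)
    computed = md5_of_chunks(chunks)
    return {"recorded": recorded, "computed": computed,
            "match": recorded is not None and recorded == computed}


def verify_image_files(info_path: Path, segment_paths: Iterable[Path]) -> dict:
    """File-based entry point: the info file plus image.000, image.001, ...
    (hypothetical names; split segments are hashed in sorted order)."""
    segments = sorted(segment_paths)
    return verify_image(info_path.read_text(errors="replace"),
                        iter_segment_chunks(segments))


# Constructed sample (not real evidence): the "image" is a short byte string
# with a well-known MD5, split into two segments as a split acquisition would be.
SAMPLE_IMAGE = b"The quick brown fox jumps over the lazy dog"
SAMPLE_SEGMENTS = [SAMPLE_IMAGE[:20], SAMPLE_IMAGE[20:]]
# Constructed info text in the assumed layout; the path is a placeholder.
SAMPLE_INFO = """\
Acquisition
   Image path and file name : /media/evidence/case01.dd
   Hash calculation         : MD5
   MD5 hash                 : 9e107d9d372bb6826bd81d3542a419d6
   MD5 hash verified image  : 9e107d9d372bb6826bd81d3542a419d6
"""

if __name__ == "__main__":
    print(verify_image(SAMPLE_INFO, SAMPLE_SEGMENTS))
    # A single changed byte in any segment changes the computed hash.
    tampered = [SAMPLE_SEGMENTS[0], SAMPLE_SEGMENTS[1][:-1] + b"!"]
    print(verify_image(SAMPLE_INFO, tampered)["match"])
```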
B. Create a Case

Step 1. Start Autopsy by clicking on Menu, then select Forensics Tools, then Analysis, then click on Autopsy 2.24 to open the program. The terminal and browser will open - Or - open it by entering the address in the browser.

Step 2. Click on New Case and fill out the required information. Make sure to give the case a significant and descriptive name for later use. Fill out the description if desired, and add your initials to the case. If working with more than one investigator, include their initials as well. Then click New Case.

Step 3. After the case has been created, you will see the Case Directory and Configuration file directories. Note the location of the case. Select your name if there are multiple investigators. When ready, click Add Host.

Step 4. Fill out the Host Name, and any other information you deem necessary and relevant for your case. Note that if the time zone is left blank, it will use your local time; you should use the time zone of the place where the evidence was obtained. Then click Add Host.

Step 5. The next window will show the Host Directory and Configuration file locations. Take note of the location of these directories. Then click on Add Image.

Step 6. Click on Add Image File to add the image to be analyzed.

Step 7. Add the location of your image file, then select either Disk or Partition: Disk if your image is a full disk image, Partition if your image is only a partition of a disk. Use Symlink to create a symbolic link to the image in the evidence locker. Then click Next. Note that the image name should not contain spaces, or you will get an invalid path error.

Step 8. Select whether you want to calculate an MD5 hash for integrity. It is recommended that you do, so that you have verification of integrity. Then click Add.

Step 9. Review the data, and click OK.
C. Image Analysis

Step 1. Select the desired image, and click on Analyze.

Step 2. Select an analysis mode from the menu at the top. See Steps 2-A to 2-C for some examples of modes.

Step 2-A. Image Details mode gives general file system information; this mode provides information useful for data recovery later on.

Step 2-B. File Analysis shows the files and directories, including the names of deleted files.

Step 2-C. File Type Sorting mode sorts the files by internal signatures.

Step 2-C.1. Results of the sorting. Go to the Output path provided to view the recovered files.

Step 2-C.2. Here will be any recovered files that can be used for further analysis.
D. Data Carving

Step 1. Open QPhotoRec from the Menu, then click on Add raw image to disk. Add the raw image, then click Search.

Step 2. After the search completes, you can see the number of recovered files and their types.
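To make the signature comparison behind Steps 1 and 2 concrete, here is an added example (my own code, not PhotoRec's or CAINE's): a minimal carver that walks a raw image block by block, ignores the file system, and carves JPEG, PNG and PDF files by header and footer, including a file whose footer has been overwritten. The sector size, size caps, output names and the constructed sample image are assumptions.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import List, Sequence, Tuple

BLOCK_SIZE = 512  # assumed sector size; signatures are checked only at block boundaries


@dataclass(frozen=True)
class Signature:
    """Header bytes that open a file type and the footer that closes it.
    A file whose footer is never seen (overwritten, or past the cap) is carved
    up to max_size and flagged as truncated."""
    ext: str
    header: bytes
    footer: bytes
    max_size: int


# Magic values from the public format specifications (JPEG SOI/EOI markers,
# PNG signature and IEND chunk, PDF header and end-of-file marker).
SIGNATURES: Sequence[Signature] = (
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 10 * 1024 * 1024),
    Signature("pdf", b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
)


@dataclass
class CarvedFile:
    ext: str
    offset: int      # byte offset in the image where the header was found
    data: bytes
    truncated: bool  # True when the footer was missing

    @property
    def name(self) -> str:
        return f"f{self.offset:010d}.{self.ext}"  # assumed naming scheme

    @property
    def md5(self) -> str:
        return hashlib.md5(self.data).hexdigest()


def _file_end(image: bytes, start: int, sig: Signature) -> Tuple[int, bool]:
    """Locate the footer after the header; fall back to the size cap."""
    limit = min(len(image), start + sig.max_size)
    idx = image.find(sig.footer, start + len(sig.header), limit)
    if idx == -1:
        return limit, True
    return idx + len(sig.footer), False


def carve(image: bytes, signatures: Sequence[Signature] = SIGNATURES,
          block_size: int = BLOCK_SIZE) -> List[CarvedFile]:
    """Carve every block that begins with a known header, then resume at the
    first block boundary after the carved file."""
    found: List[CarvedFile] = []
    offset = 0
    while offset < len(image):
        for sig in signatures:
            if image.startswith(sig.header, offset):
                end, truncated = _file_end(image, offset, sig)
                found.append(CarvedFile(sig.ext, offset, image[offset:end], truncated))
                offset = -(-end // block_size) * block_size  # ceiling to block boundary
                break
        else:
            offset += block_size
    return found


def write_out(files: List[CarvedFile], dest: Path) -> List[Path]:
    """Write carved files to a destination folder, like QPhotoRec's Destination URL."""
    dest.mkdir(parents=True, exist_ok=True)
    paths = []
    for f in files:
        path = dest / f.name
        path.write_bytes(f.data)
        paths.append(path)
    return paths


def build_sample_image() -> bytes:
    """Constructed raw image (not real evidence): an empty block, a JPEG, a PNG
    spanning two blocks, a PDF, and a PDF whose tail was overwritten."""
    def block_pad(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % BLOCK_SIZE)
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 700 + b"IEND\xae\x42\x60\x82"
    pdf = b"%PDF-1.4\n" + b"D" * 300 + b"%%EOF"
    cut = b"%PDF-1.7\n" + b"X" * 200  # footer missing
    return (block_pad(bytes(BLOCK_SIZE)) + block_pad(jpg) + block_pad(png)
            + block_pad(pdf) + block_pad(cut))


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f.name, len(f.data), "truncated" if f.truncated else "complete", f.md5)
```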
Step 3. Click on Destination URL; it will take you to the recovered files. You can use these files for further analysis.

E. Network File Analysis

Step 1. Open Wireshark, under Forensics Tools, Network Forensics from the Main Menu.

Step 2. To add a network trace for analysis, click on File, then Open. Select the desired network file.
Step 3. The capture is split into 3 panels: the packet list, packet details, and packet bytes. Apply a filter to narrow down to the desired protocols, e.g. type ftp in the filter section, apply the filter, and analyze the content.

Step 4. To go into more detail and isolate a TCP stream, right-click a specific packet in the packet list, and select Follow, then TCP Stream.

Step 5. The Follow TCP Stream window will show up. It contains the packets from that TCP session only. It can be saved by selecting Save As, to preserve it as evidence for later analysis. Then close the window. Now only packets from the selected TCP stream will show up.

Step 6. To save all objects contained in the packets, click File -> Export Objects -> HTTP and save the file. It will capture data from the TCP stream. Wireshark will scan the trace and list the objects that have been transferred via HTTP. Note: you should ensure the TCP preference "Allow subdissector to reassemble TCP streams" is checked.

Step 7. Click Save All, or Save to save just the selected file. Browse to the desired location where the objects will be saved. Then close the HTTP object list window.

Step 8. Open the folder where the objects were saved to review the evidence.
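The reassembly note in Step 6 matters because an HTTP object routinely spans several TCP segments; only the reassembled stream can be parsed into whole objects. As an added example (not Wireshark's code), the Python below does on a reassembled server-to-client stream what Export Objects -> HTTP does: it splits the stream into HTTP responses, handles Content-Length and chunked bodies, and flags a body that was cut off. The stream bytes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class HttpObject:
    status: int
    headers: Dict[str, str]
    body: bytes
    complete: bool  # False when the stream ended before the body did

    @property
    def content_type(self) -> str:
        return self.headers.get("content-type", "application/octet-stream")


def _read_chunked(stream: bytes, pos: int) -> Tuple[bytes, int, bool]:
    """Decode a chunked body starting at pos. Returns (body, next position,
    complete). Chunk sizes, not delimiters, bound the data, so a body may
    safely contain CRLF bytes (the PNG signature below does)."""
    body = bytearray()
    while True:
        line_end = stream.find(b"\r\n", pos)
        if line_end == -1:
            return bytes(body), len(stream), False
        try:
            size = int(stream[pos:line_end].split(b";")[0], 16)  # ignore extensions
        except ValueError:
            return bytes(body), len(stream), False
        pos = line_end + 2
        if size == 0:
            while True:  # skip optional trailer lines up to the final empty line
                line_end = stream.find(b"\r\n", pos)
                if line_end == -1:
                    return bytes(body), len(stream), False
                empty = line_end == pos
                pos = line_end + 2
                if empty:
                    return bytes(body), pos, True
        body += stream[pos:pos + size]
        if pos + size + 2 > len(stream):
            return bytes(body), len(stream), False
        pos += size + 2  # chunk data plus its trailing CRLF


def extract_http_objects(server_stream: bytes) -> List[HttpObject]:
    """Parse every HTTP response in a reassembled server-to-client TCP stream."""
    objects: List[HttpObject] = []
    pos = 0
    while pos < len(server_stream):
        head_end = server_stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # no complete header block left
        lines = server_stream[pos:head_end].decode("latin-1").split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break  # not a response start line; stop rather than guess
        status = int(lines[0].split()[1])
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos, complete = _read_chunked(server_stream, body_start)
        else:
            length = int(headers.get("content-length", "0"))
            body = server_stream[body_start:body_start + length]
            complete = len(body) == length
            pos = body_start + length
        objects.append(HttpObject(status, headers, body, complete))
    return objects


# Constructed server-to-client stream (not a real capture): a Content-Length
# response, a chunked response carrying PNG bytes, and an empty 404.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\n\r\n"
    b"<html><body>hi</body></html>"
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"8\r\n\x89PNG\r\n\x1a\n\r\n4\r\nIEND\r\n0\r\n\r\n"
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for i, obj in enumerate(extract_http_objects(SAMPLE_STREAM)):
        print(i, obj.status, obj.content_type, len(obj.body), obj.complete)
    # Only the first segment of the stream: the first object comes out cut off.
    print(extract_http_objects(SAMPLE_STREAM[:70])[0].complete)
```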
IV. Appendix

Figure 1 - Tools Included in CAINE 8.0
Figure 2 - Tools Included in Analysis Folder
Figure 3 - Tools Included in Disks Folder
Figure 4 - Tools Included in Database Folder
Figure 5 - Tools Included in Hash Folder
Figure 6 - Tools Included in Malware Folder
Figure 7 - Tools Included in Memory Forensics Folder
Figure 8 - Tools Included in Mobile Forensics Folder
Figure 9 - Tools Included in Network Forensics Folder
Figure 10 - Tools Included in Timeline Folder
More informationChapter 7 Forensic Duplication
Chapter 7 Forensic Duplication Ed Crowley Spring 11 Topics Response Strategies Forensic Duplicates and Evidence Federal Rules of Evidence What is a Forensic Duplicate? Hard Drive Development Forensic Tool
More informationSC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers
SC/CSE 3213 Winter 2013 L8: TCP/IP Overview Sebastian Magierowski York University 1 Outline TCP/IP Reference Model A set of protocols for internetworking The basis of the modern IP Datagram Exchange Examples
More informationRunning head: FTK IMAGER 1
Running head: FTK IMAGER 1 FTK Imager Jean-Raymond Ducasse CSOL-590 June 26, 2017 Thomas Plunkett FTK IMAGER 2 FTK Imager Outline Process for Adding Individual Files & Folders as Evidence Items Although
More informationCYBERSECURITY CHALLENGES FOR YOUR CLASSROOM:
SELECTED STADIUM CYBERSECURITY CHALLENGES FOR YOUR CLASSROOM: META, FTP, DNS, HTTP, TELNET, AND SSH AUTH Meta from 2015 Fall Season NCL puzzle: http://www.nationalcyberleague.org/2016/spring/solutions_files/ncl-2015-meta.jpg
More informationZENworks 11 Support Pack 4 Endpoint Security Utilities Reference. October 2016
ZENworks 11 Support Pack 4 Endpoint Security Utilities Reference October 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S.
More informationComputer Forensic Capabilities. Cybercrime Lab Computer Crime and Intellectual Property Section United States Department of Justice
Computer Forensic Capabilities Cybercrime Lab Computer Crime and Intellectual Property Section United States Department of Justice Agenda What is computer forensics? Where to find computer evidence Forensic
More informationMission Guide: GUI Windows
Mission Guide: GUI Windows Your Mission: Use F-Response to connect to a remote Windows machine Using F-Response to connect to a remote Windows machine and access one or more targets Step 1: Open and start
More informationGuide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations
Guide to Computer Forensics and Investigations Fourth Edition Chapter 2 Understanding Computer Investigations Objectives Explain how to prepare a computer investigation Apply a systematic approach to an
More informationGuide to Computer Forensics. Third Edition. Chapter 11 Chapter 11 Network Forensics
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Chapter 11 Network Forensics Objectives Describe the importance of network forensics Explain standard procedures for performing a
More informationKillTest 䊾 䞣 催 ࢭ ད ᅌ㖦䊛 ᅌ㖦䊛 NZZV ]]] QORRZKYZ TKZ ϔᑈܡ䊏 ᮄ ࢭ
KillTest Exam : 312-49v8 Title : ECCouncil Computer Hacking Forensic Investigator (V8) Version : Demo 1 / 6 1.What is the First Step required in preparing a computer for forensics investigation? A. Do
More informationCyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems
Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational
More informationImage rescue Quick Start Guide
Image rescue Quick Start Guide Image Recovery - Recovers lost or deleted image files (JPEG, TIFF and RAW), from your memory card, even if you have erased them, reformatted the card, or your card has become
More informationGuide to Computer Forensics and Investigations Fourth Edition. Chapter 6 Working with Windows and DOS Systems
Guide to Computer Forensics and Investigations Fourth Edition Chapter 6 Working with Windows and DOS Systems Understanding Disk Drives Disk drives are made up of one or more platters coated with magnetic
More informationEXPRESS. Users Guide. Version 3.5
EXPRESS Users Guide Version 3.5 Table of Contents 1 System Overview... 3 2 System Requirements... 3 3 Contents in ECMTUNE System Box... 3 4 Installation Information... 4 5 Registration Information... 7
More informationNETWORK PACKET ANALYSIS PROGRAM
NETWORK PACKET ANALYSIS PROGRAM Duration: 3 days (21 hours) Mode: 1. Instructor Led Class room Training and Labs 2. Online In this hands-on course, you will receive in-depth training on Protocol analysis
More informationComputer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 5 Windows Forensics II
Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition Chapter 5 Windows Forensics II Objectives After completing this chapter, you should be able to:
More informationTimeline Creation and Analysis Guides
Timeline Creation and Analysis Guides Written by Chapin Bryce Researched by Chapin Bryce 175 Lakeside Ave, Room 300A Phone: 802/865-5744 Fax: 802/865-6446 http://www.lcdi.champlin.edu Timeline Creation
More informationThis tutorial shows how to use ACE to Identify the true causes of poor response time Document the problems that are found
FTP Application Overview This tutorial shows how to use ACE to Identify the true causes of poor response time Document the problems that are found The screen images in this tutorial were captured while
More informationChapter 2. Index.dat
Chapter 2 Index.dat Internet History Practical Exercise Anatomy of a MSIE / History.IE5\Index.dat File 1. Use WinHEX to open up the file named: \Student Files\02_Internet_History\Index.dat. 2. Let s examine
More informationMaintenance Tasks CHAPTER
CHAPTER 5 These topics describe the Maintenance tasks of Element Manager: Viewing Basic System Information, page 5-2 Configuring Basic System Information, page 5-3 Configuring Date and Time Properties,
More information