Computer Hacking Forensic Investigator. Module X Data Acquisition and Duplication
- Arron Gregory
- 6 years ago
Scenario

Allen, a forensic investigator, was hired by a bank to investigate employee fraud. The bank has four 30 GB machines on its Local Area Network, one of which was used to transfer client account information. Allen makes two copies of the data from each of the computers and discovers that the computer used by the employee was booby-trapped. He recovers the data using the SafeBack tool.
Module Objective

- Determining the best data acquisition methods
- Understanding data recovery contingencies
- Data preservation commands
- The need for data duplication
- Data duplication tools
Module Flow

- Data acquisition methods
- Data recovery contingencies
- Need for data duplication
- Data preservation commands
- Data duplication tools
Determining the Best Acquisition Methods

Forensic investigators acquire digital evidence using the following methods:

- Creating a bit-stream disk-to-image file
- Making a bit-stream disk-to-disk copy
- Creating a sparse data copy of a folder or file
Data Recovery Contingencies

- Investigators must make contingency plans for the case where data acquisition fails
- To preserve digital evidence, investigators need to create a duplicate copy of the evidence files
- If the first copy of the recovered data turns out to be corrupted, investigators can fall back on the second copy
- Using at least two data acquisition tools to create the copies is preferred, in case the investigator's preferred tool does not recover the data properly
MS-DOS Data Acquisition Tools

- In the past, software tools developed for forensic investigation were created for MS-DOS
- Investigators still make use of these tools, as they are commercially available and easy to use
- Advantages of MS-DOS acquisition tools:
  - Fit on a forensic boot disk
  - Require fewer resources to make bit-stream files
  - User friendly
MS-DOS Data Acquisition Tool: DriveSpy

- DriveSpy enables the investigator to direct data from one particular sector range to another sector
- DriveSpy provides two methods of specifying a disk sector range:
  - Giving the absolute starting sector followed, after a comma, by the total number of sectors to be read from the drive
  - Listing the absolute starting and ending sectors
DriveSpy Data Manipulation Commands

There are two commands in DriveSpy that are used for data manipulation:

- The SaveSect command: used to copy particular sectors of a disk to a file. It copies the sectors as a bit-stream image, so that the file is a duplicate of the original sectors
- The WriteSect command: used to regenerate the information acquired with the SaveSect command
DriveSpy Data Preservation Commands

The data preservation commands in the DriveSpy application are:

- The SavePart command: used to create an image file of a specified partition of the suspect's drive
- The WritePart command: the counterpart of the SavePart command, used to recreate the partition from the image file created with SavePart
Using Windows Data Acquisition Tools

- Windows data acquisition tools allow the investigator to easily acquire evidence from a disk with the help of removable media such as USB storage devices
- These tools can also use FireWire to connect hard disks to the forensic lab systems
- Data acquisition tools in Windows cannot acquire data from the host protected area (HPA) of the disk
Data Acquisition Tool: AccessData FTK Explorer

- FTK Explorer acquires data in a way that can help the investigator understand how other forensic tools in Windows work
- This tool was first designed to examine disks and bit-stream disk-to-image files created with other forensic software
- FTK Explorer can make bit-stream disk-to-image copies of evidence disks
- This tool allows the investigator to acquire the evidence disk at the logical partition level or at the physical drive level
(Screenshot: FTK)
Acquiring Data on Linux

- Forensic investigators use the built-in Linux command dd to copy data from a disk drive
- This command can make a bit-stream disk-to-disk copy, a disk-to-image file, a block-to-block copy or a block-to-file copy
- The dd command can copy data from any disk that Linux can mount and access
- Other forensic tools, such as AccessData FTK and ILook, can read dd image files
dd.exe (Windows XP Version)

- Works on the Windows platform
- Detects unauthorized dialers
- User friendly program
- Command syntax (image physical drive 0 to a file, computing an MD5 hash, re-reading to verify it, and writing the hash beside the image):

dd.exe if=\\.\physicaldrive0 of=d:\images\physicaldrive0.img --md5sum --verifymd5 --md5out=d:\images\physicaldrive0.img.md5
Data Acquisition Tool: SnapBack Exact

- Server-based backup program for Windows servers
- Copies byte-by-byte images of the server hard drives to tape
- Keeps track of records
- Important features are:
  - Full open file management
  - Remote administration
  - Backup scheduling
(Screenshot: SnapBack data acquisition tool)
DatArrest

- Supports the tools for forensic data seizure
- Works on all IBM-compatible systems
- Recovers deleted data
- User interface tool
- Any removable drive can be backed up through DatArrest
Data Acquisition Tool: SafeBack

- SafeBack is also an MS-DOS data acquisition tool; it performs a CRC-32 calculation for each sector copied to ensure data integrity
- SafeBack creates a log file of all transactions it performs
- Functions:
  - Creates disk-to-image files
  - Copies data from a source disk to an image on a tape drive
  - Copies data from a partition to an image file
  - Compresses acquired files to reduce save-set sizes
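The following Python script is an added example, not code from the CHFI module or from any of the tools it names. It models the integrity checks the dd.exe and SafeBack slides describe: hash the data while copying, re-read source and image to verify (the --md5sum / --verifymd5 / --md5out steps), keep a CRC-32 per copied sector so later damage can be pinned to a sector, and confirm that lossless compression of the image reproduces it exactly. The in-memory "disk" is constructed for the demo and stands in for a device such as \\.\physicaldrive0 or /dev/sdb; all function names are this example's own.

```python
"""Bit-stream acquisition with MD5 verification and a per-sector CRC-32 log."""
import hashlib
import io
import zlib

SECTOR_SIZE = 512
BLOCK_SIZE = 4096  # bytes read per iteration; a whole number of sectors


def acquire(src, img, sector_log):
    """Copy src to img bit for bit; return (bytes_copied, md5_hex).

    sector_log receives one CRC-32 per 512-byte sector, in copy order,
    so a later mismatch can be localised to a sector instead of the whole image.
    """
    md5 = hashlib.md5()
    copied = 0
    while True:
        block = src.read(BLOCK_SIZE)
        if not block:
            break
        img.write(block)
        md5.update(block)
        for off in range(0, len(block), SECTOR_SIZE):
            sector_log.append(zlib.crc32(block[off:off + SECTOR_SIZE]))
        copied += len(block)
    img.flush()
    return copied, md5.hexdigest()


def md5_of(fobj):
    """Re-read a whole stream from the start and hash it (the --verifymd5 step)."""
    fobj.seek(0)
    h = hashlib.md5()
    for block in iter(lambda: fobj.read(BLOCK_SIZE), b""):
        h.update(block)
    return h.hexdigest()


def verify(src, img, recorded_md5):
    """True only if source, image and the digest recorded at acquisition all agree."""
    return md5_of(src) == md5_of(img) == recorded_md5


def bad_sectors(img, sector_log):
    """Sector numbers whose current CRC-32 differs from the acquisition-time log."""
    img.seek(0)
    return [n for n, expected in enumerate(sector_log)
            if zlib.crc32(img.read(SECTOR_SIZE)) != expected]


def lossless_roundtrip(img):
    """Lossless compression must give back the identical image, byte for byte."""
    img.seek(0)
    data = img.read()
    return zlib.decompress(zlib.compress(data, 9)) == data


def demo():
    # Constructed 64-sector "suspect disk" with a fixed byte pattern, so results are reproducible.
    disk = io.BytesIO(bytes(range(256)) * 128)   # 32768 bytes = 64 sectors
    image = io.BytesIO()                          # stands in for d:\images\physicaldrive0.img
    log = []
    copied, digest = acquire(disk, image, log)
    sidecar = digest + "  physicaldrive0.img\n"  # the line --md5out would write beside the image
    verified = verify(disk, image, digest)

    # Simulate later damage to the stored image: flip one byte inside sector 5.
    buf = bytearray(image.getvalue())
    buf[5 * SECTOR_SIZE + 100] ^= 0xFF
    damaged = io.BytesIO(bytes(buf))

    return {
        "copied": copied,
        "sectors_logged": len(log),
        "verified": verified,
        "sidecar": sidecar,
        "damaged_still_verifies": verify(disk, damaged, digest),  # whole-image hash only says "changed"
        "bad_sectors": bad_sectors(damaged, log),                  # the CRC log says where
        "lossless_ok": lossless_roundtrip(image),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real device the two BytesIO objects become open(path, "rb") on the source and open(path, "wb") on the image, with the source behind a write blocker.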
Data Acquisition Tool: EnCase

- The EnCase tool delivers advanced features for computer forensics and investigations
- It is the primary data acquisition tool used by forensic investigators
- Provides tools to conduct investigations with accuracy and efficiency
- Data can be acquired:
  - Disk to disk
  - Disk to network server drive
  - Over a parallel port, using a LapLink cable to the forensic workstation's disk drive
(Screenshot: EnCase)
Need for Data Duplication

- Investigators need to worry about destructive devices that can be planted in the system by its owner
- Evidence can be destroyed if the investigator is not careful
- Data fragments can be overwritten, and data stored in the Windows swap file can be altered or destroyed
- Data duplication is essential for the proper preservation of digital evidence
Data Duplication Tool: R-Drive Image

- R-Drive Image is an important tool for creating disk image files for backup or duplication purposes
- A disk image file contains an exact, byte-by-byte copy of a hard drive, partition or logical disk
- R-Drive Image can image partitions at various compression levels on the fly, without stopping the Windows OS
- These drive image files can then be stored in a variety of places, including removable media such as CD-R(W) or DVD-R(W) and Iomega Zip or Jaz disks
(Screenshot: R-Drive Image)
Data Duplication Tool: DriveLook

The DriveLook tool has the following features:

- Indexes the hard drive for the text that was written to it
- Searches through a list of all words stored on the drive
- Views the location of words in the disk editor
- Switches between different views
- Uses an image file as input
- Accesses remote drives through a serial cable or TCP/IP
(Screenshot: DriveLook)
Data Duplication Tool: DiskExplorer

- DiskExplorer aids examiners in investigating any drive and recovering data
- Two versions of DiskExplorer exist:
  - DiskExplorer for FAT
  - DiskExplorer for NTFS
- The tool also provides a way to navigate the drive by jumping to:
  - Partition table
  - Boot record
  - Master file table
  - Root directory
(Screenshot: DiskExplorer)
Summary

- Investigators can acquire data in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file
- The SavePart command retrieves information about the partition space on the hard disk
- The dd command in Linux can make a bit-stream disk-to-disk copy and a disk-to-image file copy
- Lossless compression is an acceptable method for computer forensics because it does not change the data
- Lossy compression alters the data, leading to loss of data
More informationCHAPTER 11: IMPLEMENTING FILE SYSTEMS (COMPACT) By I-Chen Lin Textbook: Operating System Concepts 9th Ed.
CHAPTER 11: IMPLEMENTING FILE SYSTEMS (COMPACT) By I-Chen Lin Textbook: Operating System Concepts 9th Ed. File-System Structure File structure Logical storage unit Collection of related information File
More informationPractice Test. Guidance Software GD Guidance Software GD0-110 Certification Exam for EnCE Outside North America. Version 1.6
Guidance Software GD0-110 Guidance Software GD0-110 Certification Exam for EnCE Outside North America Practice Test Version 1.6 QUESTION NO: 1 A FAT directory has as a logical size of: A. One cluster B.
More informationBackup challenge for Home Users
PARAGON Technologie GmbH, Systemprogrammierung Heinrich-von-Stephan-Str. 5c 79100 Freiburg, Germany Tel. +49 (0) 761 59018201 Fax +49 (0) 761 59018130 Internet www.paragon-software.com Email sales@paragon-software.com
More informationCS4500/5500 Operating Systems File Systems and Implementations
Operating Systems File Systems and Implementations Yanyan Zhuang Department of Computer Science http://www.cs.uccs.edu/~yzhuang UC. Colorado Springs Recap of Previous Classes Processes and threads o Abstraction
More informationTypical File Extensions File Structure
CS 355 Operating Systems File Systems File Systems A file is a collection of data records grouped together for purpose of access control and modification A file system is software responsible for creating,
More information8 MANAGING SHARED FOLDERS & DATA
MANAGING SHARED FOLDERS & DATA STORAGE.1 Introduction to Windows XP File Structure.1.1 File.1.2 Folder.1.3 Drives.2 Windows XP files and folders Sharing.2.1 Simple File Sharing.2.2 Levels of access to
More informationAccessData Forensic Toolkit Release Notes
AccessData Forensic Toolkit 6.2.1 Release Notes Document Date: 4/24/2017 2017 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues
More informationStratesave 7.0 organized Backup
7.0 organized Backup Backup Software gives you the tools for organized regular backup and imaging of your Windows Workstation, Server, or small to medium sized network. Server provides organized and automated
More informationTomTom GPS Device Forensics
TomTom GPS Device Forensics Written by Ben LeMere & Andy Sayers For more information visit GPSForensics.org blemere@gpsforensics.org asayers@gpsforensics.org Introduction: The sales of portable navigation
More information