Presentation is loading. Please wait.

Presentation is loading. Please wait.

Capturing Computer Evidence Extracting Information.

Published byJuniper Snow Modified over 8 years ago

Similar presentations

Presentation on theme: "Capturing Computer Evidence Extracting Information."— Presentation transcript:

1 Capturing Computer Evidence Extracting Information

2 * Do not boot the system because doing so may change the evidence * Remove the Hard Disk * Turn on the computer to view the BIOS settings * System date, time – compare to current values * Memory comfiguration * Boot order

3 * Capture most volatile data first * Registers, cache * Routing table, Address Resolution Protocol cache, kernel statistics * RAM memory * Temporary file systems * Disk * Remote logging * Physical configuration, network topology * Archival media

4 * Create a CD with your forensic software on it * Insert a USB Flash Drive as E: * Insert the CDRom with your forensic software into the CDRom drive * In a command window run the following * D: * Date >E:\date.txt * Time >E:\time.txt * Arp –a >E:\arp.txt * Netstat –a >E:\netstat.txt * Tracert >E:\routeto_ab.txt * Psservice >E:\psservice.txt * Shut down the system and remove the Hard Disk

5 * Do not use the system to search files for evidence * Accessing a file changes the last access date for that file on the hard drive * It is important to preserve the evidence in it’s original state

6 * Connect Hard drive to analysis computer using a hardware Write Blocker * Find the hash function value for the drive * Use a disk wipe program (such as DBAN) to initialize the media used for the forensic copy before use * Use forensic software to create a bit level copy (image) to a wiped disk * Verify that the copy has the same hash function value * Use the copy in read only mode to gather evidence

7 * Connect the disk image to a forensic computer in read only mode * Examine the following * cache of temporary internet files * browser history files * browser cookies * Files in strange places * Files with strange names * Recently modified files * Activity logs * Email headers

8 * Recycle Bin * Deleted Files * Hidden Files * Slack Space * Encrypted Files * Steganography * Swap Space * Hibernation Files * Hidden Disk Partitions

9

Download ppt "Capturing Computer Evidence Extracting Information."

Similar presentations

Computer Forensics.

Computer Forensics.
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Max Secure Software founded in Jan 2003 develops innovative privacy, security, protection and performance solutions for Internet users. The company is.

Max Secure Software founded in Jan 2003 develops innovative privacy, security, protection and performance solutions for Internet users. The company is.
OC RIMS Cyber Safety & Security Incident Response.

OC RIMS Cyber Safety & Security Incident Response.
Computer Forensics.

Computer Forensics.
This presentation will take a look at to prevent your information from being discovered by and investigator.

This presentation will take a look at to prevent your information from being discovered by and investigator.
Support for Windows 7 Chapter 2 Securing and Troubleshooting Windows 7.

Support for Windows 7 Chapter 2 Securing and Troubleshooting Windows 7.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Section 3.2: Operating Systems Security

Section 3.2: Operating Systems Security
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
5-9/12/2005 CPE 101 1 How to format your computer and re-install Windows XP.

5-9/12/2005 CPE How to format your computer and re-install Windows XP.
X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.

X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
The sequence of folders to a file or folder is called a(n) ________.

The sequence of folders to a file or folder is called a(n) ________.
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011.

Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011.
Developed by Klaus Knopper Linux Consultant. What is Knoppix?  Unix-like operating system  Run directly from CD or DVD  Bootable from USB flash drive.

Developed by Klaus Knopper Linux Consultant. What is Knoppix?  Unix-like operating system  Run directly from CD or DVD  Bootable from USB flash drive.

Similar presentations

Ads by Google