Presentation is loading. Please wait.

Presentation is loading. Please wait.

COEN 252 Computer Forensics Windows Evidence Acquisition Boot Disk.

Published byBlaise Morrison Modified over 8 years ago

Similar presentations

Presentation on theme: "COEN 252 Computer Forensics Windows Evidence Acquisition Boot Disk."— Presentation transcript:

1 COEN 252 Computer Forensics Windows Evidence Acquisition Boot Disk

2 Use a boot disk to Copy evidence from the hard drive. But there are usually better ways. To preview a system to discover whether an incident has occurred. To use a string search to see whether the computer contains evidence.

3 Windows Evidence Acquisition Boot Disk Windows Boot disk should prevent files to be altered. Change command.com io.sys to prevent it from accessing system components.

4 Windows Evidence Acquisition Boot Disk Delete the drvspace.bin file because it attempts to open compressed volumes. Add drivers to boot disk for ethernet connection, Zip drive, etc. needed to collect the evidence. Windows boot disks cannot access NTFS drives directly.

5 Windows Evidence Acquisition Boot Disk Alternatively, use a Linux boot disk. Forensic and Incident Response Environment (FIRE) Forensic and Incident Response Environment (FIRE) Helix (knoppix) Knoppix STD Local Area Security Linux Penguin Sleuth Kit (knoppix) Plan-B Snarl (FreeBSD)

6 Evidence Gathering Write protect the evidence hard drive with Software. By intercepting INT13h accessed to the disk. Write protect the evidence hard drive with Hardware.

7 Tools for Life-Examination Avoid using system tools on the evidence machine. This can get you into DLL hell. Use filemon to check what files are being accessed when you run a command from your forensic CD.

Download ppt "COEN 252 Computer Forensics Windows Evidence Acquisition Boot Disk."

Similar presentations

The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.

The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Write Blocking CSC 485/585.

Write Blocking CSC 485/585.
Systems Software System Software Enables the applications software to interact with the computer and Helps the computer manage its internal and external.

Systems Software System Software Enables the applications software to interact with the computer and Helps the computer manage its internal and external.
The Penguin Sleuth Kit By Ernest Baca

The Penguin Sleuth Kit By Ernest Baca
Section 3.2: Operating Systems Security

Section 3.2: Operating Systems Security
2.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 2: Installing Windows Server.

2.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 2: Installing Windows Server.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.

Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.

Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.

2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
Starting Out with C++: Early Objects 5/e © 2006 Pearson Education. All Rights Reserved Starting Out with C++: Early Objects 5 th Edition Chapter 1 Introduction.

Starting Out with C++: Early Objects 5/e © 2006 Pearson Education. All Rights Reserved Starting Out with C++: Early Objects 5 th Edition Chapter 1 Introduction.
Module 6: Managing Data Storage. Overview Managing File Compression Configuring File Encryption Implementing Disk Quotas.

Module 6: Managing Data Storage. Overview Managing File Compression Configuring File Encryption Implementing Disk Quotas.
®® Microsoft Windows 7 for Power Users Tutorial 10 Backing Up and Restoring Files.

®® Microsoft Windows 7 for Power Users Tutorial 10 Backing Up and Restoring Files.
Developed by Klaus Knopper Linux Consultant. What is Knoppix?  Unix-like operating system  Run directly from CD or DVD  Bootable from USB flash drive.

Developed by Klaus Knopper Linux Consultant. What is Knoppix?  Unix-like operating system  Run directly from CD or DVD  Bootable from USB flash drive.
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.

COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
COEN 252 Computer Forensics Introduction to Computer Forensics  Thomas Schwarz, S.J. 2009 w/ T. Scocca.

COEN 252 Computer Forensics Introduction to Computer Forensics  Thomas Schwarz, S.J w/ T. Scocca.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.

Similar presentations

Ads by Google