1 COS/PSA 413 Day 16

2 Agenda
- Lab 7 corrected
  - 2 A's, 1 B and 2 F's
  - Some of you need to start putting more effort into these labs
  - I also expect equal participation in the lab exercises
- Lab 8 write-up due
- Capstone proposals overdue
  - See guidelines in WebCT
  - 8 require some modifications (emails sent)
  - Next progress report due on November 4
  - Timing of proposal and progress reports is 10% of the grade; in other words, if you don't do this part the best score you can get is a B
- Capstone progress report 2 due
- Today we will be discussing computer forensic analysis
  - Chapter 10 in both texts, with differences (using FTK)

3 Using AccessData's Forensic Toolkit
- Forensic Toolkit (FTK): a GUI software tool used for forensic examinations.

4 Using AccessData's Forensic Toolkit
FTK can examine the following file systems:
- Microsoft FAT12, FAT16, and FAT32
- Microsoft NTFS
- Linux Ext2fs and Ext3fs

5 Using AccessData's Forensic Toolkit
FTK can analyze the following image file types:
- EnCase image files
- Linux or UNIX dd image files
- New Technologies, Inc. SafeBack image files
- FTK Explorer dd image files
- DriveSpy's SaveSect output files

6 Using AccessData's Forensic Toolkit
- Known File Filter (KFF): a hash database, updated periodically by AccessData, that contains the hash values of known files (such as MSWORD.exe) and of illicit items circulating on the web. Files whose hashes match can be filtered out of, or flagged in, the examination.

7 Using AccessData's Forensic Toolkit
- Use FTK > Tools > Export Word List

8 Using AccessData's Forensic Toolkit

9 Perform a Computer Forensic Analysis
1. Use only recently wiped media for the investigation.
   - Otherwise “old data” peeks through.
2. Inventory the hardware on the suspect's computer and note the condition of the computer when seized.
3. Remove the original disk drive, and then check the date, time, and CMOS settings.
4. Record how you acquired data from the disk.
5. When examining the forensic bit-stream image copy of the disk, process the data methodically and logically.
6. List all directories and files copied from the image.

10 Perform a Computer Forensic Analysis
7. Examine the contents of the data files in all directories, starting at the root directory.
8. Make your best effort to recover encrypted files. Use password recovery tools if necessary.
9. Create a file that lists all of the directories and files on the evidence drive.
10. Identify the function of every executable file that does not match known hash values.
11. Always maintain control of all evidence findings.
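As an added example (not from the slides or either textbook), here is how steps 6, 9 and 10 look in code: a Python inventory of an evidence tree that records every file with its size and SHA-256, then flags executables whose hash is not in a known-file set, standing in for the Known File Filter on slide 6. The directory tree, the `.exe` stand-ins and the `known_hashes` set are all constructed for the demo; the suffix list is an assumption.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EXE_SUFFIXES = (".exe", ".dll", ".sys")  # what counts as an executable here (assumption)

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root: Path) -> list:
    """Steps 6 and 9: list every file under root as (relative path, size, SHA-256)."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so two listings of the same image compare cleanly
        for name in sorted(filenames):
            p = Path(dirpath) / name
            rows.append((p.relative_to(root).as_posix(), p.stat().st_size, sha256_file(p)))
    return rows

def unknown_executables(rows: list, known_hashes: set) -> list:
    """Step 10: executables whose hash is not in the known-file set need manual identification."""
    return [r for r in rows
            if r[0].lower().endswith(EXE_SUFFIXES) and r[2] not in known_hashes]

def demo() -> list:
    """Build a constructed evidence tree and return the paths of unidentified executables."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WINDOWS").mkdir()
        known_exe = root / "WINDOWS" / "notepad.exe"
        known_exe.write_bytes(b"MZ constructed stand-in for a known system binary")
        (root / "WINDOWS" / "helper.exe").write_bytes(b"MZ constructed stand-in for an unknown binary")
        (root / "readme.txt").write_text("not an executable")
        known_hashes = {sha256_file(known_exe)}  # stands in for the KFF hash database
        return [path for path, _, _ in unknown_executables(inventory(root), known_hashes)]

if __name__ == "__main__":
    print(demo())  # ['WINDOWS/helper.exe']
```

Against a real image the listing would be written to the evidence file of step 9 and the flagged executables examined by hand, as step 10 requires.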

11 Perform a Computer Forensic Analysis
You need the following computer hardware for your computing-forensics workstation:
- PC with color monitor, keyboard, mouse and CD-RW.
- Cables and tools, including ribbon cables, power cords, power extenders, and splitters.
- One or more spare target drives to analyze evidence.
- Anti-static wrist strap and pad.

12 Perform a Computer Forensic Analysis
You need the following computer software and media for your computing-forensics workstation:
- Windows 9x or more recent installed on the C: drive, and a forensic boot floppy disk.
- Bit-stream acquisition tool.
- Computer forensic analysis tool.
- CD-Rs.
- Floppy disks.
- Evidence forms and labels.

13 Perform a Computer Forensic Analysis
Performing Forensic Analysis on Microsoft File Systems
1. Run antivirus on all forensic workstations and disks.
2. Run antivirus on all files after the bit-stream image has been created.
3. Examine all boot files located in the root directory.
4. Recover all deleted files and save them to a specified location.
5. Recover all file slack and unallocated space to a directory.

14 Perform a Computer Forensic Analysis
Guidelines for Examining Evidence
- Create separate folders to store evidence.
- Maintain a log to collect relevant information and notes from your observations.
- Periodically review the data collected from the investigation.
- Apply deductive reasoning to your findings to help build new leads.
- Research data that you are not familiar with.

15 Perform a Computer Forensic Analysis
Freeware UNIX Tools
- Freeware UNIX and Linux data analysis tools from Purdue University:
  - The Coroner's Toolkit (TCT)
  - TCTUTILs
  - TASK

16 Addressing Data Hiding Techniques
- Hiding Partitions: a process where a user creates a partition, stores files in it, and then uses a disk editor to remove any references to the partition.

17 Addressing Data Hiding Techniques
- Marking Bad Clusters: a process where a user uses a disk editor to mark a good cluster as bad, and then stores data in that cluster, which the file system will no longer allocate or display.

18 Addressing Data Hiding Techniques
- Bit Shifting: also known as a transposition cipher. The data in a file is simply shifted by a number of bits (less than 8) to make the file unreadable.

19 Bit Shifting
- Bit shifting a file changes its hash value.
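An added example (not from the slides or the textbooks) that shows both halves of the point: bit shifting a constructed file changes its hash, so a known-file (KFF) lookup no longer matches it, and the examiner's reversal is to try the seven possible shifts until a recognizable file signature appears. The shift is implemented as a bit rotation so that it can be undone (a plain shift would discard bits); that choice and the short signature table are assumptions of the example.

```python
import hashlib

# Short signature table for the demo (assumption; examiners use full signature libraries).
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
}

def rotate_bytes(data: bytes, shift: int) -> bytes:
    """Rotate every byte left by 1..7 bits; rotating the result by 8 - shift restores it."""
    if not 1 <= shift <= 7:
        raise ValueError("shift must be between 1 and 7")
    return bytes(((b << shift) | (b >> (8 - shift))) & 0xFF for b in data)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def identify(data: bytes):
    """Return the file type whose signature the data starts with, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def recover_bit_shifted(data: bytes):
    """Examiner side: try each of the seven possible shifts until a known signature appears.
    Returns (shift the hider used, recovered bytes, file type), or None if nothing matches."""
    for undo in range(1, 8):
        candidate = rotate_bytes(data, undo)
        kind = identify(candidate)
        if kind is not None:
            return 8 - undo, candidate, kind
    return None

if __name__ == "__main__":
    original = b"%PDF-1.4\n% constructed sample, not a real document\n"
    hidden = rotate_bytes(original, 3)          # the hiding step described on slide 18
    print("original:", sha256_hex(original))
    print("shifted :", sha256_hex(hidden))      # differs, so a hash-set lookup misses the file
    print(recover_bit_shifted(hidden))          # (3, original bytes, 'pdf')
```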

20 Addressing Data Hiding Techniques
- Steganography: a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer.

21 Addressing Data Hiding Techniques
- Key Escrow: a technology designed to recover encrypted data if users forget their passphrase or if the user key is corrupt due to a system failure.
- Password Cracking: use industry-standard software to recover passwords.

22 Chapter Summary
- When conducting computer forensic analysis, you must guard against scope creep so that you remain focused on the primary job.
- For all computer operating systems, you need to determine where the digital evidence most likely will be stored by examining date and time stamps.
- The DriveSpy.ini file contains critical information regarding your license in the license section.
- Other useful features of DriveSpy are script files. Other tools are available to retrieve residual data such as free space and slack space.

23 Chapter Summary
- The PDBlock program is designed to prevent data from being written to a disk drive. PDWipe is designed to wipe all portions of a disk drive.
- For any computer forensics investigation, prepare the disks where images will be stored by wiping the drives and running antivirus. Inventory the hardware. Remove the original disk and check date and time values. Create a bit-stream image of the disk drive. List all folders in the root directory. Run hashes on files. Document all findings.

24 Chapter Summary
- UNIX and Linux machines are commonly used as web servers. You need to collect volatile data, log files, and swap files when performing an investigation.
- Data hiding involves changing or manipulating a file to conceal the file or its contents from anyone other than the owner of the file.
- Steganography was created to protect the copyrights of art placed online. People also use it to hide data.
