Forensics3 Capturing Computer Evidence Extracting Information
If system is off
• Do not boot the system, because doing so may change the evidence
• Remove the hard disk
• Turn on the computer to view the BIOS settings
  • System date and time: compare to the current values
  • Memory configuration
  • Boot order
Live System
• Capture the most volatile data first, in this order:
  • Registers, cache
  • Routing table, Address Resolution Protocol (ARP) cache, kernel statistics
  • RAM memory
  • Temporary file systems
  • Disk
  • Remote logging
  • Physical configuration, network topology
  • Archival media
Live System
• Create a CD with your forensic software on it
• Insert a USB flash drive as E:
• Insert the CD-ROM with your forensic software into the CD-ROM drive
• In a command window run the following:
  D:
  Date >E:\date.txt
  Time >E:\time.txt
  Arp -a >E:\arp.txt
  Netstat -a >E:\netstat.txt
  Tracert <ab.com> >E:\routeto_ab.txt
  Psservice >E:\psservice.txt
• Shut down the system and remove the hard disk
Live System
• Do not use the system to search files for evidence
• Accessing a file changes the last access date for that file on the hard drive
• It is important to preserve the evidence in its original state
Make Forensic Copy of Hard Drive
• Connect the hard drive to the analysis computer using a hardware write blocker
• Find the hash function value for the drive
• Use a disk wipe program (such as DBAN) to initialize the media used for the forensic copy before use
• Use forensic software to create a bit-level copy (image) to the wiped disk
• Verify that the copy has the same hash function value
• Use the copy in read-only mode to gather evidence
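The hash, wipe-check, bit-level copy and verify steps above, as an added Python example that is not part of the original slides: the sample "drive" and the zero-filled target are constructed files in a temporary directory, standing in for a write-blocked source drive and a wiped target disk (on a real system the paths would be the raw device nodes).

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB blocks so a large drive never has to fit in RAM

def sha256_of(path, length=None):
    """Hash the first `length` bytes of a file or raw device (all when None)."""
    h, left = hashlib.sha256(), length
    with open(path, "rb") as f:  # read-only: the source is never written to
        while left is None or left > 0:
            block = f.read(CHUNK if left is None else min(CHUNK, left))
            if not block:
                break
            h.update(block)
            left = None if left is None else left - len(block)
    return h.hexdigest()

def is_wiped(path):
    """True only if every byte of the target media is zero (wipe completed)."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True

def image_and_verify(source, target):
    """Bit-level copy onto a wiped target; returns (source_hash, copy_hash, match)."""
    if not is_wiped(target):
        raise ValueError("target media is not wiped; refusing to image onto it")
    src_hash, written = hashlib.sha256(), 0
    with open(source, "rb") as src, open(target, "r+b") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)  # hash the bytes exactly as they were read ...
            dst.write(block)        # ... and write those same bytes to the copy
            written += len(block)
        dst.flush()
        os.fsync(dst.fileno())      # force the copy onto the media before re-reading
    copy_hash = sha256_of(target, written)  # re-read from disk; only the imaged bytes
    return src_hash.hexdigest(), copy_hash, src_hash.hexdigest() == copy_hash

def demo():
    """Constructed sample: a fake 'drive' file and a zero-filled target, in a temp dir."""
    d = tempfile.mkdtemp()
    drive, image = os.path.join(d, "drive.bin"), os.path.join(d, "drive.img")
    with open(drive, "wb") as f:
        f.write(os.urandom(2 * CHUNK + 12345))  # deliberately not chunk-aligned
    with open(image, "wb") as f:
        f.write(b"\0" * (3 * CHUNK))            # wiped target larger than the source
    return image_and_verify(drive, image)
```

A mismatch between the two hashes means the image is not evidence-grade (read error, write error or media fault) and the copy must be redone before any analysis.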
Looking for evidence
• Connect the disk image to a forensic computer in read-only mode
• Examine the following:
  • Cache of temporary internet files
  • Browser history files
  • Browser cookies
  • Files in strange places
  • Files with strange names
  • Recently modified files
  • Activity logs
  • Email headers
More Places to Look
• Recycle Bin
• Deleted files
• Hidden files
• Slack space
• Encrypted files
• Steganography
• Swap space
• Hibernation files
• Hidden disk partitions