
Intro to Cyber Crime and Computer Forensics CS 4273/6273 September 29, 2004



  1. Intro to Cyber Crime and Computer Forensics CS 4273/6273 September 29, 2004 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  2. Introduction to the NTI NTFS Software

  3. NTI Incident Response Suite & Corresponding NTFS Version

     NTI Incident Response Suite    Corresponding NTFS version
     FILELIST                       NTFSFLST
     FILTER_I                       FILTER_I
     GETFREE                        NTFSGETF
     GETSLACK                       NTFSGETS
     GETSWAP                        GETSWAP
     GETTIME                        GETTIME
     (none listed on the slide)     NTFS_DS
     (none listed on the slide)     NTICOPY
     (none listed on the slide)     CLUSTOUT

  4. NTFSFLST
     • Lists every file on the disk and writes the listing to one or more output files.
     • Command of the form:
       NTFSFLST [/m] [/l:xxx] Output-file drive: [drive: ...]
     • If the "/m" option is specified, an MD5 digest is computed for each file and included in the listing.
     • If the "/l:xxx" option is specified, it sets the maximum size of each output file (default 2.1 GB); the listing is split across several files when it exceeds that size.
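As an added example (not NTI's software), the Python below produces a listing of the same shape as slide 4 describes: one record per file with size and modification time, an MD5 digest per file (the role of "/m"), and output split into numbered files that never exceed a size limit (the role of "/l:xxx"). The sample directory tree, the record layout and the size limit are illustrative assumptions.

```python
"""Added example, not NTI's code: a file-listing manifest with per-file MD5 and
size-limited output files, in the spirit of NTFSFLST /m and /l:xxx.
Paths, the record layout and the size limit are assumptions for illustration."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def md5_file(path, chunk=1 << 20):
    """MD5 of a file's contents, streamed so large evidence files do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def list_files(root, with_md5=False):
    """Yield one tab-separated record per regular file under root:
    path, size in bytes, UTC mtime and, with with_md5, the MD5 digest."""
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue                      # skip symlinks, devices, sockets
            st = os.stat(p)
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            rec = [p, str(st.st_size), mtime]
            if with_md5:
                rec.append(md5_file(p))
            yield "\t".join(rec) + "\n"


def write_split(records, out_base, max_bytes):
    """Write records to out_base.000, out_base.001, ... keeping each file at or
    below max_bytes (the role of /l:xxx). A record is never split across files;
    a single record longer than max_bytes gets a file of its own.
    Returns the list of output files written."""
    written = []
    fh = None
    size = 0
    for line in records:
        data = line.encode("utf-8")
        if fh is None or size + len(data) > max_bytes:
            if fh is not None:
                fh.close()
            name = "%s.%03d" % (out_base, len(written))
            fh = open(name, "wb")
            written.append(name)
            size = 0
        fh.write(data)
        size += len(data)
    if fh is not None:
        fh.close()
    return written


def demo():
    """Constructed sample tree (not real evidence) so the example runs offline.
    Returns (records, output files)."""
    root = tempfile.mkdtemp()
    for name, content in [("a.txt", b"hello"), ("b.bin", b"\x00" * 1000)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    recs = list(list_files(root, with_md5=True))
    # 120 bytes is far below two records, so the listing is split into two files.
    outs = write_split(recs, os.path.join(root, "filelist"), max_bytes=120)
    return recs, outs


if __name__ == "__main__":
    records, outputs = demo()
    print("".join(records))
    print("written:", outputs)
```

The digest column is what lets a later reviewer prove that a file in the working copy is byte-identical to the one listed at seizure time; the split output mirrors the slide's "one or more files" behaviour for listings larger than the chosen limit.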

  5. FILTER_I
     • Filters out unreadable (non-printable) characters from the output of other tools.
     • Invoked through the "/f" switch on other commands.

  6. NTFSGETF
     • Gets all of the free (unallocated) space on a disk and puts it in one or more files.
     • Command of the form:
       NTFSGETF {/f} drive1 ... driveN

  7. NTFSGETS
     • Gets all of the data in slack space on the disk and puts it in one or more files.
     • Command of the form:
       NTFSGETS {/f} drive1 ... driveN
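Slides 5 to 7 describe three operations without showing what the collected bytes look like. The following Python is an added example, not NTI's code and not an NTFS parser: it builds a constructed toy volume of fixed-size clusters with a minimal file table, collects every unallocated cluster (what NTFSGETF does), collects the bytes between each file's logical end and the end of its last cluster (what NTFSGETS does), and offers a printable-only filter in the role of FILTER_I's "/f". The cluster size, the file table and the residue planted in the volume are all assumptions.

```python
"""Added example, not NTI's code: free space and file slack from a constructed
cluster-addressed toy volume (not real NTFS), plus a FILTER_I-style printable filter.
Cluster size, file table and planted residue are assumptions for illustration."""
import string

CLUSTER = 512                                      # assumed cluster size of the toy volume
PRINTABLE = frozenset(string.printable.encode("ascii"))


def build_volume():
    """Constructed 8-cluster volume: a file table plus residue left in slack
    and in unallocated clusters. Returns (clusters, files)."""
    clusters = [bytearray(CLUSTER) for _ in range(8)]
    files = {
        # name: (logical file size in bytes, clusters allocated to it, in order)
        "report.txt": (700, [1, 2]),
        "notes.txt": (100, [5]),
        "exact.bin": (CLUSTER, [6]),              # ends on a cluster boundary: no slack
    }
    clusters[1][:] = b"R" * CLUSTER               # report.txt, first 512 bytes
    clusters[2][:188] = b"R" * 188                # report.txt, last 188 bytes
    old = b"old password=hunter2\n"               # residue of an earlier, deleted file ...
    clusters[2][188:188 + len(old)] = old         # ... now inside report.txt's slack
    clusters[5][:100] = b"N" * 100                # notes.txt live data
    stale = b"\xde\xad leftover"
    clusters[5][100:100 + len(stale)] = stale     # stale bytes in notes.txt's slack
    clusters[6][:] = b"X" * CLUSTER               # exact.bin fills its cluster
    memo = b"deleted memo: meet at 9\n"
    clusters[3][:len(memo)] = memo                # unallocated cluster still holding a deleted memo
    return clusters, files


def allocated_clusters(files):
    """Set of cluster numbers owned by some file."""
    return {c for _size, chain in files.values() for c in chain}


def free_space(clusters, files):
    """Concatenate every cluster no file owns (what NTFSGETF collects)."""
    used = allocated_clusters(files)
    return b"".join(bytes(c) for i, c in enumerate(clusters) if i not in used)


def slack_space(clusters, files):
    """Per file, the bytes from logical end-of-file to the end of its last cluster
    (what NTFSGETS collects). Empty when the file ends exactly on a cluster boundary
    or owns no clusters."""
    result = {}
    for name, (size, chain) in files.items():
        tail = size % CLUSTER                      # live bytes in the final cluster
        if not chain or tail == 0:
            result[name] = b""
        else:
            result[name] = bytes(clusters[chain[-1]][tail:])
    return result


def filter_printable(data):
    """Drop everything but printable ASCII, the job FILTER_I does for "/f" output."""
    return bytes(b for b in data if b in PRINTABLE)


if __name__ == "__main__":
    vol, table = build_volume()
    print("free space bytes:", len(free_space(vol, table)))
    for fname, slack in slack_space(vol, table).items():
        print(fname, len(slack), "slack bytes ->", filter_printable(slack))
```

The two collections are distinct evidence sources: free space holds whole clusters nobody owns, while slack belongs to a live file yet carries bytes the file's owner never wrote. Running the filter before review is what makes a multi-megabyte dump of mostly zero or binary bytes readable, at the cost of discarding non-text content.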

  8. GETSWAP
     • Gets all of the information in swap space and puts it in one or more files.
     • Command of the form:
       GETSWAP
     • On Windows NT (NTFS) systems the swap (paging) file is PAGEFILE.SYS.

  9. GETTIME
     • Records the time held in the machine's CMOS clock.
     • Used for validating the time of seizure: the difference between the machine's clock and the true time is needed to interpret the timestamps found on the disk.
     • Should be run as soon as possible after seizure.

  10. NTFS_DS
     • Searches the disk using the DS2 utility created by Bill Haynes.
     • NTICOPY and CLUSTOUT are then used to copy the matching files or clusters from the evidence disk to a working directory.
