COS/PSA 413


  1. COS/PSA 413 Day 15

  2. Agenda
  • Assignment 3 corrected
    • 5 A’s, 4 B’s and 1 C
  • Lab 5 corrected
    • 4 A’s and 1 B
  • Lab 6 corrected
    • A, 2 B’s, 1 C and 1 D
  • Lab 7 write-up Due
  • Lab 8 write-up Due Nov. 4
  • Capstone Proposals Overdue
    • See guidelines in WebCT
    • 8 require some modifications (emails sent)
  • Next Progress report Due on November 4
    • Timing of proposal and progress reports is 10% of Grade
    • In other words, if you don’t do this part the best score you can get is a B
  • Today we will be discussing Computer Forensic Analysis
    • Chap 10 in both texts with differences (using FTK)
  • Tomorrow is Lab 9 in OMS
    • Make sure you read the lab beforehand
    • Know what it is you are trying to accomplish
    • Hands-on Projects 10-1 and 10-3
    • Lab notes will be distributed tomorrow

  3. Computer Forensic Analysis Chapter 10

  4. Learning Objectives
  • Understand Computer Forensic Analysis
  • Use DriveSpy to Analyze Computer Data
  • Use Other Digital Intelligence Computer Forensics Tools
  • Use AccessData’s Forensic Toolkit
  • Perform a Computer Forensic Analysis
  • Address Data-Hiding Techniques

  5. Understanding Computer Forensics Analysis
  • Examining and analyzing digital evidence
  • Nature of the case
  • Amount of data to process
  • Search warrants
  • Court orders
  • Company policies
  • Scope creep
  • Right of full discovery of digital evidence

  6. Refining the Investigation Plan
  • Steps:
    • Determine the scope of the investigation
    • Estimate number of hours to complete the case
    • Determine whether you should collect all information
    • Plan what to do in case of scope creep
    • Determine if you have adequate resources
    • Establish the deadline

  7. Refining the Investigation Plan (continued)
  • After you refine your plan, acquire evidence
  • Examine evidence
  • Review the latest changes in technology
    • Find new places for hiding information
    • Learn of new methods for storing data
  • Verify that your tools still work
  • Determine the suspect’s motive

  8. Understanding Computer Forensic Analysis
  • Perform the following tasks to investigate:
    • Examine file and folder date and time stamps.
    • Locate and extract all log files.
    • Locate and recover any temporary print spool files.
    • Locate and recover any encrypted or archived files.
    • Perform a keyword search on all data within the digital evidence.
    • Examine Windows shortcuts, Internet, and Recycle Bin files.

  9. Using DriveSpy to Analyze Computer Data
  • Files
    • DriveSpy.exe/ini/hlp
  • DriveSpy.ini sections
    • License
    • File Headers
    • File Groups
    • Search
  • ASCII – hex – decimal conversion
    • http://www.ascii.cl/

  10. Using DriveSpy to Analyze Computer Data (continued)

  11. Using DriveSpy to Analyze Computer Data (continued)
  • File Headers
    • Hexadecimal numbers
    • Identify known files even if the extension is different
    • You can add more headers
  • File Groups
    • Consolidate similar file types
    • Search for several header types at one time
    • You can define your own groups
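The two ideas on this slide, matching a file by its header bytes rather than its extension and grouping several headers so one scan covers them all, are easy to see in code. The example below is added here and is not DriveSpy's own code or its DriveSpy.ini syntax; the signature table holds well-known magic numbers, while the group names, the sample files and the unallocated-space buffer are constructed for the demonstration.

```python
from typing import Dict, List, Optional, Tuple

# (file type) -> (offset within file, magic bytes). Well-known signatures;
# add entries here the way DriveSpy lets you add headers to its .ini file.
FILE_HEADERS: Dict[str, Tuple[int, bytes]] = {
    "jpg": (0, b"\xff\xd8\xff"),
    "png": (0, b"\x89PNG\r\n\x1a\n"),
    "gif": (0, b"GIF8"),
    "bmp": (0, b"BM"),
    "pdf": (0, b"%PDF-"),
    "zip": (0, b"PK\x03\x04"),
    "exe": (0, b"MZ"),
}

# File groups consolidate similar types so a single scan looks for all of them.
# Group names are constructed for this example.
FILE_GROUPS: Dict[str, Tuple[str, ...]] = {
    "graphics": ("jpg", "png", "gif", "bmp"),
    "archives": ("zip",),
    "documents": ("pdf",),
}


def identify_by_header(data: bytes) -> Optional[str]:
    """Return the file type whose magic bytes match, ignoring the file name entirely."""
    # Try longer signatures first so a short one (e.g. "BM") cannot shadow a longer match.
    for ftype, (offset, magic) in sorted(FILE_HEADERS.items(), key=lambda kv: -len(kv[1][1])):
        if data[offset:offset + len(magic)] == magic:
            return ftype
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the header identifies one type but the extension claims another."""
    actual = identify_by_header(data)
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return actual is not None and actual != claimed


def renamed_files(files: Dict[str, bytes]) -> List[str]:
    """Names of files whose extension does not agree with their header."""
    return [name for name, data in files.items() if extension_mismatch(name, data)]


def scan_for_group(buffer: bytes, group: str) -> List[Tuple[int, str]]:
    """Find every header of every type in a group anywhere in a raw buffer
    (for example unallocated space), returning (offset, type) pairs in offset order."""
    hits = []
    for ftype in FILE_GROUPS[group]:
        offset, magic = FILE_HEADERS[ftype]
        pos = buffer.find(magic)
        while pos != -1:
            hits.append((pos - offset, ftype))  # file start = where the magic sits minus its offset
            pos = buffer.find(magic, pos + 1)
    return sorted(hits)


# Constructed sample files: a JPEG renamed to .txt, an honest text file, an honest zip.
SAMPLE_FILES: Dict[str, bytes] = {
    "holiday.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "readme.txt": b"plain text, no magic",
    "backup.zip": b"PK\x03\x04" + b"\x00" * 20,
}

# Constructed "unallocated space": zeros with a GIF header at 10, a zip at 46 and a JPEG at 55.
UNALLOCATED = (b"\x00" * 10 + b"GIF89a" + b"\x00" * 30
               + b"PK\x03\x04" + b"\x00" * 5 + b"\xff\xd8\xff\xe1")

if __name__ == "__main__":
    print("renamed:", renamed_files(SAMPLE_FILES))
    print("graphics in unallocated:", scan_for_group(UNALLOCATED, "graphics"))
```

Running the block reports `holiday.txt` as a graphics file hiding behind a `.txt` extension and finds both graphics headers in the unallocated buffer with one call, which is exactly what a file group buys you over checking each header type separately.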

  12. Using DriveSpy to Analyze Computer Data (continued)

  13. Using DriveSpy to Analyze Computer Data (continued)

  14. Using DriveSpy to Analyze Computer Data (continued)
  • Search
    • Include keywords
    • Defines level of accuracy
    • Not case sensitive
    • Can produce false-positive hits
    • Use hex values for special characters or keywords

  15. Using DriveSpy to Analyze Computer Data (continued)

  16. Using DriveSpy to Analyze Computer Data (continued)

  17. DriveSpy Keyword Searching
  • Search at physical level (Drive mode) or logical level (Partition mode)
  • Use Output command to create a log
  • Drive mode supports other file systems
    • NTFS, HFS, UNIX/Linux
  • Searches in partition gaps
  • Cannot analyze archive or encrypted files
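Slides 14 and 17 together describe keyword searching: case-insensitive text keywords, hex values for characters you cannot type, false-positive hits, and the difference between a physical (Drive mode) search that also covers partition gaps and a logical (Partition mode) search that does not. The example below is added here and is not DriveSpy code; the partition map, the sample image and its planted strings are constructed, and the `hex:` keyword prefix is a convention of this example only.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed partition map for the sample image: (name, start, end), end exclusive.
# Bytes outside every partition are partition gaps: a physical search still covers
# them, a logical search of one partition never sees them.
PARTITIONS: List[Tuple[str, int, int]] = [("part1", 0, 256), ("part2", 320, 576)]


def compile_keywords(keywords: List[str]) -> List[Tuple[str, "re.Pattern"]]:
    """Text keywords match case-insensitively; 'hex:' keywords are exact bytes,
    which is how special characters are searched for."""
    compiled = []
    for kw in keywords:
        if kw.startswith("hex:"):
            raw = bytes.fromhex(kw[4:])          # whitespace between bytes is allowed
            compiled.append((kw, re.compile(re.escape(raw))))
        else:
            compiled.append((kw, re.compile(re.escape(kw.encode("latin-1")), re.IGNORECASE)))
    return compiled


def region_of(offset: int) -> Tuple[str, Optional[int]]:
    """Map a physical offset to (partition name, partition-relative offset) or ('gap', None)."""
    for name, start, end in PARTITIONS:
        if start <= offset < end:
            return name, offset - start
    return "gap", None


def search_physical(image: bytes, keywords: List[str], context: int = 8) -> List[Dict]:
    """Drive mode: scan every byte of the image, including partition gaps.
    Each hit carries surrounding bytes so an examiner can spot false positives."""
    hits = []
    for label, pattern in compile_keywords(keywords):
        for m in pattern.finditer(image):
            region, logical = region_of(m.start())
            hits.append({
                "keyword": label,
                "offset": m.start(),
                "region": region,
                "logical_offset": logical,
                "context": image[max(0, m.start() - context):m.end() + context],
            })
    return sorted(hits, key=lambda h: h["offset"])


def search_logical(image: bytes, partition: str, keywords: List[str]) -> List[Tuple[str, int]]:
    """Partition mode: only that partition's bytes are searched; offsets are partition-relative."""
    for name, start, end in PARTITIONS:
        if name == partition:
            sub = image[start:end]
            return sorted((label, m.start())
                          for label, pat in compile_keywords(keywords)
                          for m in pat.finditer(sub))
    raise ValueError(f"unknown partition {partition!r}")


def build_sample_image() -> bytes:
    """Constructed 576-byte image with strings planted in both partitions and the gap."""
    image = bytearray(576)
    image[16:16 + 12] = b"Invoice 2024"     # part1, logical offset 16
    image[280:280 + 12] = b"INVOICE copy"   # partition gap (256..320): only Drive mode finds it
    image[340:340 + 11] = b"Burbank, CA"    # part2: "bank" hits here as a false positive
    image[400:400 + 7] = b"\xc2\xa9 2024"   # part2: UTF-8 copyright sign, searched as hex
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for h in search_physical(img, ["invoice", "bank", "hex:c2 a9"]):
        print(h["keyword"], h["offset"], h["region"], h["context"])
    print("part2 logical:", search_logical(img, "part2", ["invoice"]))
```

The physical search returns four hits; the logical search of `part2` for "invoice" returns nothing because the only upper-case copy lies in the gap between partitions. The `context` bytes on the "bank" hit show it sits inside "Burbank", the kind of false positive the slide warns about.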

  18. DriveSpy Scripts
  • Run predefined commands
  • Similar to DOS batch files
  • Use them in all three DriveSpy modes
  • Creating a script
    • Use any text editor (Notepad)
    • Enter each command line by line
    • Can call other script files

  19. DriveSpy Scripts (continued) • Example:

  20. DriveSpy Data Integrity Tools
  • Wipe
    • Overwrites possible sensitive data that can corrupt output data
    • Works on sectors, partitions, drives, unallocated space, and MBR
    • Available in Drive and Partition modes

  21. DriveSpy Integrity Tools (continued)
  • MD5
    • RFC-compliant MD5 function
    • Hashes an entire partition, or specific files
    • Available in Drive and Partition mode
  • Dbexport
    • Creates a text file of all specified data in a file or disk
    • Works only in Partition mode

  22. DriveSpy Residual Data Collection Tools
  • Recover deleted files and unused space
  • SaveSlack
    • Copy slack space from files on a partition
    • 8.3 filename with .dat as file extension
    • Works only in Partition mode
  • SaveFree
    • Collects all unallocated disk space on a partition
    • Works only in Partition mode

  23. Other Useful DriveSpy Command Tools
  • Get FAT Entry (GFE)
  • Chain FAT Entry (CFE)
  • Chain Directory Entry (CDE)
  • Trace Directory Cluster (TDC)
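Slides 22 and 23 fit together: SaveSlack and SaveFree only make sense once you can follow a file's cluster chain through the FAT, which is what the Get FAT Entry and Chain FAT Entry commands expose. The example below is added here and is not DriveSpy code; it builds a tiny constructed FAT16-style partition (64-byte clusters, a ten-entry FAT, one live file and some residue) and shows chain following, file slack extraction and unallocated-space collection on it. The reserved-cluster and end-of-chain conventions follow the real FAT16 layout; the file contents and residue strings are made up.

```python
from typing import Dict, List, Tuple

CLUSTER_SIZE = 64        # bytes per cluster in the constructed partition (tiny on purpose)
FIRST_DATA_CLUSTER = 2   # FAT numbering: entries 0 and 1 are reserved
FREE = 0x0000
BAD = 0xFFF7
EOC_MIN = 0xFFF8         # any entry >= this marks end of chain


def get_fat_entry(fat: List[int], cluster: int) -> int:
    """GFE: the raw FAT entry for one cluster (next cluster, FREE, BAD or end-of-chain)."""
    return fat[cluster]


def chain_fat_entries(fat: List[int], start: int) -> List[int]:
    """CFE: follow the FAT from a starting cluster to end-of-chain.
    Loops, out-of-range entries and chains that run into free or bad clusters are rejected,
    since those are exactly the corruptions that make a recovered file untrustworthy."""
    chain, seen, cluster = [], set(), start
    while True:
        if cluster < FIRST_DATA_CLUSTER or cluster >= len(fat):
            raise ValueError(f"cluster {cluster} out of range")
        if cluster in seen:
            raise ValueError(f"FAT loop at cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        nxt = get_fat_entry(fat, cluster)
        if nxt >= EOC_MIN:
            return chain
        if nxt in (FREE, BAD):
            raise ValueError(f"chain from {start} hits free/bad entry at cluster {cluster}")
        cluster = nxt


def chain_is_consistent(fat: List[int], start: int) -> bool:
    try:
        chain_fat_entries(fat, start)
        return True
    except ValueError:
        return False


def cluster_bytes(data_region: bytes, cluster: int) -> bytes:
    off = (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return data_region[off:off + CLUSTER_SIZE]


def _allocated_bytes(data_region: bytes, fat: List[int], entry: Dict) -> bytes:
    return b"".join(cluster_bytes(data_region, c) for c in chain_fat_entries(fat, entry["start"]))


def read_file(data_region: bytes, fat: List[int], entry: Dict) -> bytes:
    """Logical file content: allocated clusters truncated at the directory entry's size."""
    return _allocated_bytes(data_region, fat, entry)[:entry["size"]]


def save_slack(data_region: bytes, fat: List[int], entry: Dict) -> bytes:
    """SaveSlack: bytes between logical end-of-file and the end of the last allocated cluster."""
    return _allocated_bytes(data_region, fat, entry)[entry["size"]:]


def save_free(data_region: bytes, fat: List[int]) -> bytes:
    """SaveFree: every cluster the FAT marks free, concatenated in cluster order."""
    return b"".join(cluster_bytes(data_region, c)
                    for c in range(FIRST_DATA_CLUSTER, len(fat)) if fat[c] == FREE)


def build_sample_partition() -> Tuple[List[int], bytes, Dict]:
    """Constructed partition: clusters 2..9, one 100-byte file in clusters 2-3."""
    fat = [0xFFF8, 0xFFFF] + [FREE] * 8
    fat[2], fat[3] = 3, 0xFFFF                           # NOTES.TXT: 2 -> 3 -> end of chain
    data = bytearray(8 * CLUSTER_SIZE)
    data[0:100] = b"NOTES.TXT live data " * 5            # live content, 100 bytes
    data[100:128] = b"old-payroll-residue-xxxxxxxx"      # slack: leftover from an earlier file
    data[192:192 + 14] = b"deleted secret"               # cluster 5, marked free in the FAT
    entry = {"name": "NOTES.TXT", "start": 2, "size": 100}
    return fat, bytes(data), entry


if __name__ == "__main__":
    fat, data, entry = build_sample_partition()
    print("chain:", chain_fat_entries(fat, entry["start"]))
    print("slack:", save_slack(data, fat, entry))
    print("free bytes:", len(save_free(data, fat)))
```

The slack of the 100-byte file is the last 28 bytes of cluster 3, which a normal file read never returns, and the free-space collection picks up the residue of the deleted file in cluster 5. The consistency check matters in practice: a FAT entry that points back into the chain would otherwise make the chain follower run forever.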

  24. Other Useful DriveSpy Command Tools (continued)
  • Cluster
  • Boot
  • PartMap
  • Tables

  25. Using Other Digital Intelligence Computer Forensics Tools
  • Using PDBlock
    • Prevents data from being written on a disk drive
    • Can only be used at a true MS-DOS level
    • Turns off BIOS’s Interrupt 13
  • Using PDWipe
    • Overwrites hard disk drives
    • For sanitation purposes
    • Wipe disk at least three to seven times
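Slides 20 and 25 both describe overwriting media, once to sanitise a target drive before evidence is copied onto it (Wipe) and once for disposal (PDWipe). The example below is added here and is neither DriveSpy nor PDWipe code; it shows the shape of a multi-pass overwrite on an ordinary file, finishing with a zero pass so the result can be verified, and records a hash of the final state for the examiner's log. The pass schedule and the temporary file are constructed for the example. Overwriting addresses magnetic media; on flash storage with wear levelling the drive may keep copies the host cannot reach, so a practitioner uses the device's own secure-erase facility there.

```python
import hashlib
import os
import tempfile
from typing import Dict

CHUNK = 4096


def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite a file in place: alternating 0xFF and random passes, then a final zero pass.
    Each pass is flushed and fsync'd so it actually reaches the device before the next one."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            if i == passes - 1:
                pattern = b"\x00"          # last pass is zeros so verification is simple
            else:
                pattern = None if i % 2 else b"\xff"
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return passes


def wipe_report(path: str, passes: int = 3) -> Dict:
    """Wipe, then read the file back: confirm every byte is zero and hash the result."""
    done = wipe_file(path, passes)
    digest = hashlib.md5()
    all_zero = True
    size = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            size += len(block)
            digest.update(block)
            if any(block):             # any non-zero byte means the final pass did not land
                all_zero = False
    return {"passes": done, "size": size, "all_zero": all_zero, "md5": digest.hexdigest()}


def demo() -> Dict:
    """Constructed target: a temp file full of 'sensitive residue', wiped and verified."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"sensitive residue " * 600)
        path = tmp.name
    try:
        return wipe_report(path, passes=3)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The report's `all_zero` flag is the check worth keeping: a wipe that cannot be verified by reading the media back is not evidence of anything, and the recorded hash documents the state of the target when acquisition began.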
