Intro to Cyber Crime and Computer Forensics CS 4273/6273 September 22, 2003


  1. Intro to Cyber Crime and Computer Forensics CS 4273/6273 September 22, 2003 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  2. Introduction to the NTI Incident Response Suite MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  3. NTI Incident Response Suite
  • New Technologies, Inc., Gresham, Oregon
  • Started by two former Secret Service employees: Michael Anderson and Joseph Enders
  • Consists of approximately 20 tools

  4. NTI Incident Response Suite: CRCMD5, DISKSIG, DOC, FILECNVT, FILELIST, FILTER_I, GETFREE, GETSLACK, GETSWAP, GETTIME, GEXTRACT, MAP, MSPRO, NTA, PTABLE, SCRUB, SEIZED, SPACES, TXTSRCHP, SAFEBACK

  5. CRCMD5
  • Creates a hash of a file or disk image.
  • CRC – Cyclic Redundancy Check
  • MD5 – I don’t remember what it stands for.
  • Hashes the file or image; if two hashes are the same, then statistically the two files or images have to be the same.
  • Command of the form: CRCMD5 file1 … filen

  6. DISKSIG
  • Runs a CRCMD5 over a set of one or more disks.
  • Command of the form: DISKSIG {/b} c: … z:
  • The /b switch includes the boot sector.
  • Needed for disks whose boot record changes dynamically, as on Windows systems.

  7. DOC
  • Takes a snapshot of a directory.
  • Command of the form: DOC c:\mydocu~1
  • Records creation time to the second.

  8. FILECNVT
  • Converts the output of a FILELIST command to dBASE III format.
  • Command: FILECNVT
  • It automatically detects any FILELIST output files, asks which one you would like to convert, and then creates the dBASE III version.

  9. FILELIST
  • Reads all files on the disk and lists them in one or more output files.
  • Command of the form: FILELIST [/m] [/l:xxx] output-file drive: [drive: …]
  • If the /m option is specified, an MD5 digest is computed for each file.
  • If the /l:xxx option is specified, the user can set the size of the output file (the default size is 2.1 GB).
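
What CRCMD5 (slide 5), DISKSIG (slide 6) and FILELIST /m (slide 9) compute, as an added Python example that is not NTI's code: a per-file CRC-32 and MD5 (Message Digest 5), a sorted file listing with digests, and a whole-image comparison. The directory tree is constructed inside the script. MD5 is kept because it is what the tools emit, but MD5 collisions have been demonstrated since these tools were written, so a SHA-256 is recorded beside it and both must agree for an image match.

```python
"""Added example, not NTI's code: the computations behind CRCMD5, DISKSIG and
FILELIST /m, modelled in Python so they can be run on any directory or image.
"""
import hashlib
import os
import tempfile
import zlib

CHUNK = 1 << 20  # read in 1 MiB pieces so a large image never sits in RAM


def hash_bytes(data: bytes) -> dict:
    """Digests of an in-memory blob (a small image, a sector, a slack dump)."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Same digests, streamed from disk; this is what CRCMD5 does per file."""
    crc = 0
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            crc = zlib.crc32(block, crc)
            md5.update(block)
            sha.update(block)
    return {
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
        "md5": md5.hexdigest(),
        "sha256": sha.hexdigest(),
    }


def file_list(root: str) -> list:
    """FILELIST /m equivalent: one record per file with path, size, mtime and digests.
    Directories and names are walked in sorted order so two runs over the same
    tree give the same listing, which matters when the list is itself evidence."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rec = {
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
            rec.update(hash_file(path))
            records.append(rec)
    return records


def images_match(image_a: bytes, image_b: bytes) -> bool:
    """DISKSIG-style check: identical digests are taken to mean identical content.
    Both MD5 and SHA-256 must agree, which defeats a crafted MD5 collision."""
    a, b = hash_bytes(image_a), hash_bytes(image_b)
    return a["md5"] == b["md5"] and a["sha256"] == b["sha256"]


def demo() -> list:
    """Constructed sample tree (not real evidence): one empty file, one memo."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "memo.txt"), "wb") as fh:
            fh.write(b"meeting at noon\n")
        with open(os.path.join(root, "empty.txt"), "wb"):
            pass
        return file_list(root)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec['md5']}  {rec['size']:>8}  {rec['path']}")
```

The empty file is deliberate: an analyst should know the fixed digest of zero bytes (MD5 d41d8cd98f00b204e9800998ecf8427e) on sight, since it turns up whenever a listing tool hit a file it could not read.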

  10. FILTER_I
  • Filters unreadable characters out of the output of other tools.
  • Also used as the “/f” switch on other commands.

  11. GETFREE
  • Collects all of the free space on a disk and puts it in one or more files.
  • Command of the form: GETFREE {/f} drive1 … driven

  12. GETSLACK
  • Collects all of the data in slack space on the disk and puts it in one or more files.
  • Command of the form: GETSLACK {/f} drive1 … driven
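
Where the slack that GETSLACK collects actually lives, as an added Python example that is not NTI's code. A file is allocated whole clusters, so the bytes between its logical end and the end of its last cluster are never overwritten by the file itself. Under DOS/Windows that tail has two parts: RAM slack, the remainder of the last sector written (which DOS padded with whatever happened to be in memory), and drive slack, any further sectors in the cluster, which still hold data from whatever occupied the cluster before. The image, cluster geometry and file location below are constructed and assumed; a real extractor reads them from the FAT boot sector and directory entry.

```python
"""Added example, not NTI's code: locating and extracting file slack from a
raw image, split into RAM slack and drive slack. Geometry is assumed here.
"""
SECTOR = 512


def slack_bounds(file_size: int, cluster_size: int, sector_size: int = SECTOR) -> tuple:
    """Offsets, relative to the file's last cluster, of (logical EOF, end of RAM
    slack, end of cluster). The span is empty when the file exactly fills its
    clusters, or is empty (an empty file owns no cluster at all)."""
    if file_size == 0 or file_size % cluster_size == 0:
        return cluster_size, cluster_size, cluster_size
    tail = file_size % cluster_size
    ram_end = -(-tail // sector_size) * sector_size  # round up to the sector boundary
    return tail, ram_end, cluster_size


def extract_slack(image: bytes, first_cluster_offset: int, file_size: int, cluster_size: int) -> tuple:
    """Return (ram_slack, drive_slack) for a file stored contiguously from
    first_cluster_offset in the image (fragmented files need the FAT chain)."""
    n_clusters = -(-file_size // cluster_size)
    last = first_cluster_offset + max(n_clusters - 1, 0) * cluster_size
    tail, ram_end, end = slack_bounds(file_size, cluster_size)
    return image[last + tail:last + ram_end], image[last + ram_end:last + end]


def build_image() -> bytes:
    """Constructed 8 KiB image with 2 KiB clusters: old data everywhere, then a
    700-byte file written into the cluster at offset 4096."""
    image = bytearray((b"OLD-" * 2048)[:8192])          # remnants of earlier files
    image[5120:5120 + 16] = b"password=hunter2"         # lands in drive slack
    image[4096:4096 + 700] = b"A" * 700                 # the live file's content
    image[4796:5120] = (b"RAM" * 108)[:324]             # what DOS padded the sector with
    return bytes(image)


def demo() -> tuple:
    """Pull the two slack regions of the constructed file."""
    return extract_slack(build_image(), first_cluster_offset=4096, file_size=700, cluster_size=2048)


if __name__ == "__main__":
    ram, drive = demo()
    print(f"RAM slack {len(ram)} bytes, drive slack {len(drive)} bytes: {drive[:16]!r}")
```

The search for the credential string in the drive slack is the point: nothing in the live file system references those bytes, which is why a dump of every file's slack is a standard step before keyword searching.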

  13. GETSWAP
  • Collects all of the information in swap space and puts it in one or more files.
  • Command of the form: GETSWAP

  14. GETTIME
  • Records the time held in CMOS.
  • Used for validating the time of seizure.
  • Should be run as soon as possible after seizure.
  • Note a trusted reference time (a synchronized watch or an NTP-synced machine) alongside it, so the offset of the seized machine's clock can be applied to the timestamps recovered later.

  15. GEXTRACT
  • Extracts all graphic files from a disk.
  • Default is all JPG, GIF and BMP files.
  • Command of the form: GEXTRACT <testfile> <outputdir> [options]
  • The output directory must already exist. To extract to the working folder (the folder the program was executed from), don't supply an output directory.
  • /JPG scans for JPG files; /GIF scans for GIF files; /BMP scans for BMP files.
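
Signature-based carving of the three types GEXTRACT handles by default, as an added Python example that is not NTI's code. Each type is found by its header and sized by its own rule: a BMP declares its length in the header, a GIF ends at a 0x3B trailer, a JPEG at the FF D9 end-of-image marker. The trailer searches are naive: the first trailer after the header is assumed to be the real one, which is what simple carvers do and why they sometimes truncate or over-run files. The input buffer is constructed; the carved files are structurally valid headers only, and the BMP sanity limits are this example's own heuristics.

```python
"""Added example, not NTI's code: header/trailer carving of JPG, GIF and BMP
files from a raw buffer, with a completeness flag per carved file.
"""
import struct


def _carve_jpg(buf: bytes, start: int):
    end = buf.find(b"\xff\xd9", start + 3)              # first EOI marker after SOI
    return (end + 2, True) if end != -1 else (len(buf), False)


def _carve_gif(buf: bytes, start: int):
    # skip the 6-byte header and 7-byte logical screen descriptor before
    # looking for the 0x3B trailer, so a small width/height byte is not taken for it
    end = buf.find(b"\x3b", start + 13)
    return (end + 1, True) if end != -1 else (len(buf), False)


def _carve_bmp(buf: bytes, start: int):
    if start + 6 > len(buf):
        return None
    size = struct.unpack_from("<I", buf, start + 2)[0]  # bfSize field at offset 2
    if size < 26 or start + size > len(buf):            # heuristic: too small or runs off the end
        return None
    return start + size, True


SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", _carve_jpg),
    ("gif", b"GIF87a", _carve_gif),
    ("gif", b"GIF89a", _carve_gif),
    ("bmp", b"BM", _carve_bmp),
]


def carve(buf: bytes) -> list:
    """Return carved files as dicts {type, offset, size, complete, data}, by offset."""
    found = []
    for kind, magic, sizer in SIGNATURES:
        pos = buf.find(magic)
        while pos != -1:
            res = sizer(buf, pos)
            if res is not None:
                end, complete = res
                found.append({"type": kind, "offset": pos, "size": end - pos,
                              "complete": complete, "data": buf[pos:end]})
            pos = buf.find(magic, pos + 1)
    return sorted(found, key=lambda f: f["offset"])


def build_sample() -> bytes:
    """Constructed buffer: filler, a 33-byte JPEG, a 24-byte GIF, a 70-byte BMP."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + b"\xff\xd9"
    gif = b"GIF89a" + b"\x05\x00\x05\x00\x80\x00\x00" + b"\x2c" + b"\x00" * 9 + b";"
    bmp = b"BM" + struct.pack("<I", 70) + b"\x00" * 4 + struct.pack("<I", 54) + b"\x00" * 56
    return b"xx" * 32 + jpeg + b"xx" * 16 + gif + b"xx" * 8 + bmp + b"xx" * 8


if __name__ == "__main__":
    for f in carve(build_sample()):
        print(f"{f['type']} at {f['offset']:6d}, {f['size']} bytes, complete={f['complete']}")
```

Two characters bytes long, "BM" is a weak signature, so the BMP rule leans on the declared size; a production carver would also validate the DIB header that follows. Incomplete carves are kept and flagged rather than dropped, because a truncated picture is still evidence.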

  16. PTABLE
  • Displays partition table information.
  • Command: PTABLE
  • Lists the partition tables for all disks in the system.
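
Decoding the MBR partition table that PTABLE prints, from a raw 512-byte sector, as an added Python example that is not NTI's code. The table is four 16-byte entries at offset 446 followed by the 55 AA signature; each entry carries a boot flag, a type byte, and the LBA start and sector count as little-endian 32-bit values (the CHS fields are legacy and ignored). Sector 0 below is constructed and the type-name table is a small subset. A type of 0xEE is a protective MBR in front of a GPT, in which case the real layout has to be read from the GPT headers instead.

```python
"""Added example, not NTI's code: parsing an MBR partition table and listing
the LBA ranges no partition covers (where data can be hidden).
"""
import struct

SECTOR = 512
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32M", 0x06: "FAT16", 0x07: "NTFS/HPFS",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> list:
    """Return the used entries of an MBR as dicts; raise if the sector is not an MBR."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 55 AA signature")
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot
        flag, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0 or count == 0:
            continue  # unused slot
        entries.append({
            "slot": slot,
            "bootable": flag == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02x}"),
            "start_lba": lba,
            "sectors": count,
            "end_lba": lba + count,            # exclusive
            "byte_offset": lba * SECTOR,       # where to seek in the image
        })
    return entries


def unallocated_gaps(entries: list, total_sectors: int) -> list:
    """Half-open [start, end) LBA ranges not covered by any partition. Sector 0
    is the MBR itself and is excluded; everything else unclaimed is reported."""
    gaps, cursor = [], 1
    for e in sorted(entries, key=lambda e: e["start_lba"]):
        if e["start_lba"] > cursor:
            gaps.append((cursor, e["start_lba"]))
        cursor = max(cursor, e["end_lba"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sector 0: a bootable NTFS partition and a FAT32 partition."""
    def entry(flag, ptype, lba, count):
        return struct.pack("<B3sB3sII", flag, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    table = entry(0x80, 0x07, 2048, 204800) + entry(0x00, 0x0B, 206848, 409600) + bytes(32)
    return bytes(446) + table + b"\x55\xaa"


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"slot {p['slot']} {'*' if p['bootable'] else ' '} {p['type_name']:16s} "
              f"LBA {p['start_lba']}..{p['end_lba']} (offset {p['byte_offset']})")
    print("unallocated:", unallocated_gaps(parts, 1_000_000))
```

The gap list is the part PTABLE's output does not give you directly: the sectors before the first partition and after the last one are the classic places to look for a hidden volume or a hand-written stash, and they are exactly what GETFREE will not see because they belong to no file system.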

  17. SCRUB
  • Scrubs (wipes) the disk.
  • Writes all zeroes, then all ones, then all F6s; three passes are performed.
  • Command of the form: SCRUB /d:<drives> /p:<passes> /g
  • /d specifies the drives to be cleared, with drive 0 being the first drive. A list of drives can be given by separating drive numbers with commas, for example /d:0,1,2. At least one drive (or all drives) must be specified.
  • /p specifies the number of passes to be performed. If /p is not specified, two scrubbing passes are made (the default pass count is given here as both three and two; confirm it against the tool's documentation before relying on it).
  • /g: by default SCRUB asks the operator for confirmation before a drive is scrubbed. If /g is used, the confirmation is skipped and scrubbing begins immediately.
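
The pass sequence SCRUB describes, applied to a file-backed stand-in for a drive with a read-back verification after the last pass, as an added Python example that is not NTI's code. The pattern order (0x00, 0xFF, 0xF6) and the default of two passes are taken from the slide; the real tool's default should be checked against its documentation. Overwriting like this only reaches sectors the device still maps, so on flash/SSD media the remapped and over-provisioned blocks are untouched and the device's own secure-erase command is the right tool.

```python
"""Added example, not NTI's code: SCRUB-style multi-pass overwrite of a
file-backed "drive", cycling 0x00, 0xFF, 0xF6, followed by verification.
"""
import os
import tempfile

PATTERNS = (0x00, 0xFF, 0xF6)   # order given on the slide
BLOCK = 1 << 16                 # write/read in 64 KiB pieces


def scrub(path: str, passes: int = 2) -> int:
    """Overwrite every byte of the file at path, one full pass per pattern,
    cycling through PATTERNS. Returns the pattern byte of the final pass."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    last = PATTERNS[0]
    with open(path, "r+b") as fh:
        for n in range(passes):
            last = PATTERNS[n % len(PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining:
                chunk = min(BLOCK, remaining)
                fh.write(bytes([last]) * chunk)
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())   # push this pass through the OS cache to the medium
    return last


def verify(path: str, pattern: int) -> bool:
    """Read the whole file back and confirm every byte equals pattern."""
    expect = bytes([pattern]) * BLOCK
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(BLOCK), b""):
            if block != expect[:len(block)]:
                return False
    return True


def demo(passes: int = 2) -> tuple:
    """Constructed 'drive': a temp file holding a recognisable secret.
    Returns (final pattern, verification result, secret no longer present)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(b"SECRET-DATA " * 10000)
        last = scrub(path, passes)
        with open(path, "rb") as fh:
            gone = b"SECRET" not in fh.read()
        return last, verify(path, last), gone
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo(2), demo(3))
```

Verification reads the medium back rather than trusting the write calls; on a real device the read-back should be done through the raw block device, not a file system, for the same reason the tool addresses drives by number rather than by letter.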

  18. SAFEBACK
  • Creates an image of the disk.
  • We’ll discuss this more on Monday.

  19. Homework 3
  • Use the tools located in the NTI directory to discover all of the evidence you can find on the evidence disk in the laboratory computer.
  • The evidence will be there by this afternoon, so start this evening or tomorrow, and as always, keep a journal.
  • Homework is due next Wednesday.
