Computer Forensic Tools. Computer Forensics: A Brief Overview Scientific process of preserving, identifying, extracting, documenting, and interpreting.

Presentation transcript:

Computer Forensic Tools

Computer Forensics: A Brief Overview

Scientific process of preserving, identifying, extracting, documenting, and interpreting data on computers. The field of computer forensics began to evolve more than 30 years ago in the United States. With the growth of the Internet and the increasing use of technology devices connected to the Internet, computer crimes are increasing at a great speed.

Computer Crimes

Computer crimes
– Pure computer crime
  – Illegal access to a system or network
  – Illegal transmission of data
  – Data deletion, damage, alteration
  – Serious hindrance to a computer
– Computer is the medium of a crime
  – Identity theft
  – Fraud
  – E-theft
– Computer content related crime
  – Incriminating information stored in a computer
  – Child pornography
  – Information that unleashes hostility/violence

Tools for Computer Forensics

Computer forensic tools
– Integrated GUI based tools
– Specialized single task tools
  – Process information
  – Network connection information
  – List of processes
  – Process to port mapping
  – Service/driver information
  – Registry analysis
  – Executable file analysis

Integrated GUI Based Tools

Advantages:
– More effective for analyzing content related crime
– Useful for searching storage devices, retrieving deleted files and folders, and reconstructing graphic files

Disadvantages:
– Very expensive
– Very complex in design, uses up a lot of resources
– Requires trained professionals to use the tools

Specialized Single Task Tools

Advantages:
– More effective for investigating malware attacks, intrusions, etc.
– Useful for live response and live analysis
– Simple in design; most tools can be used from the command line
– Inexpensive, easy to learn and use
– Very effective for pedagogical purposes
– Can be modified/customized

Specialized Single Task Tools

Disadvantage:
– Has compatibility issues with different versions of operating systems

Windows Forensic Analysis

Windows Forensic Analysis by Harlan Carvey
– Teaches simple but effective analysis techniques for investigating malware attacks
– Provides CLI based tools for complete analysis of Windows operating systems

Compatibility Issues with Newer Windows Operating Systems

About 50% of the tools are not compatible with Windows XP and Vista.

| Tool | Windows XP | Vista | Windows 7 | Description | Comment |
|---|---|---|---|---|---|
| Bonus\poladt.exe | Yes | No | | Parse the raw Security file and display the audit policy | |
| Bonus\srv_sort.exe | Yes | No | | Retrieve Service key info from a raw Registry/System file, sorting the output based on LastWrite time; automatically determines which of the available ControlSets is marked "current" | |
| ch3\code\lspd.exe | Yes | No | | Parse process details from a Windows 2000 physical memory/RAM dump | |
| ch3\code\lspi.exe | Yes | No | | Parse process image from a Windows 2000 physical memory/RAM dump | |
| ch3\code\lspm.exe | Yes | No | | Dump the memory pages used by a process from a Windows 2000 physical memory/RAM dump | |
| ch3\code\lsproc.exe | Yes | No | | Parse a Windows 2000 physical memory/RAM dump, looking for processes | |
| ch4\code\pref_ver.exe | Yes | No | | Perl script to parse the contents of the XP layout.ini file, locate executables (.exe, .dll, .sys) and extract any file version information | |
| ch4\code\sr.exe | Yes | No | | Use WMI to get Restore Point settings from XP (local or remote) | |
| ch4\code\old\bho.exe | Yes | No | | Retrieve listing of installed BHOs from a local system | |
| ch4\code\old\pnu.exe | Yes | No | | List the contents of one of the UserAssist\GUID\Count keys, sorted by most recent time | |
| ch4\code\old\regp.exe | Yes | No | | Parse raw Windows Registry files (ntuser.dat, system32\config\system, system32\config\software) from NT/2K/XP/2K3 systems | |
| ch4\code\old\sam_parse.exe | Yes | No | | Retrieve user information from a raw Registry/SAM file | |
| ch4\code\jt\regslack.exe | Yes | No | | | No DOS |
| ch4\code\RegRipper\rip.exe | Yes | No | | Use this utility to run a plugins file or a single plugin against a Registry hive file | |
| ch4\code\RegRipper\rr.exe | Yes | No | | Parse a Registry hive file for data pertinent to an investigation | No plugins |
| ch5\code\lscl.exe | Yes | No | | Read/parse Restore Point change logs for data | |
| ch5\code\pdfdmp.exe | Yes | No | | Attempt to extract metadata from PDF files | |
| ch5\code\pdfmeta.exe | Yes | No | | Attempt to extract metadata from PDF files | |
| ch5\code\sr.exe | Yes | No | | | |
| ch5\code\EVT\evt2xls.exe | Yes | No | | Parse Windows 2000, XP, 2003 Event Log files in binary format, putting the event records into an Excel spreadsheet; can also generate a report showing event source/ID frequencies (for the Security Event Log, logon type is added to the event ID), suitable for entry into eventid.net | |
| ch5\code\EVT\evtrpt.exe | Yes | No | | Tool to translate the binary contents of Windows 2000, XP, and 2003 Event Logs, and generate a report of event ID frequencies and date ranges of the records | |
| ch5\code\EVT\evtstats.exe | Yes | No | | Parse the contents of Event Log files and display statistics | |
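As an added illustration of the "specialized single task tool" idea (not code from the slides or from Carvey's toolkit), the script below reproduces the reporting step described for evtrpt.exe and evt2xls.exe: per source/ID frequencies and date ranges, with the logon type appended to the ID for Security log records. It works on constructed, already-decoded records rather than a binary .evt file, since the binary parser is outside what the slides cover.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records in the style of decoded Windows 2000/XP Event Log
# entries (not real evidence, and not a real .evt file).
SAMPLE_EVENTS = [
    {"log": "Security", "source": "Security", "id": 528, "time": "2006-03-01 08:12:05", "logon_type": 2},
    {"log": "Security", "source": "Security", "id": 528, "time": "2006-03-01 08:14:40", "logon_type": 10},
    {"log": "Security", "source": "Security", "id": 529, "time": "2006-03-02 23:55:10", "logon_type": 3},
    {"log": "Security", "source": "Security", "id": 528, "time": "2006-03-03 01:02:03", "logon_type": 10},
    {"log": "System", "source": "Service Control Manager", "id": 7035, "time": "2006-03-01 08:13:00"},
    {"log": "System", "source": "Service Control Manager", "id": 7035, "time": "2006-03-02 09:00:00"},
    {"log": "Application", "source": "MsiInstaller", "id": 11707, "time": "2006-03-02 09:05:00"},
]


def event_key(rec):
    """Build the 'source/ID' label. For the Security log the logon type is
    appended, as the slide's evt2xls description states, so that interactive,
    network and remote-interactive logons are counted separately."""
    key = f"{rec['source']}/{rec['id']}"
    if rec["log"] == "Security" and "logon_type" in rec:
        key += f"/type{rec['logon_type']}"
    return key


def event_report(records):
    """Return {key: (count, first_seen, last_seen)}, most frequent first."""
    counts = Counter()
    span = {}
    for rec in records:
        key = event_key(rec)
        ts = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        counts[key] += 1
        first, last = span.get(key, (ts, ts))
        span[key] = (min(first, ts), max(last, ts))
    return {k: (n, span[k][0], span[k][1]) for k, n in counts.most_common()}


def print_report(report):
    """Plain-text report: count, source/ID(/logon type), date range."""
    for key, (n, first, last) in report.items():
        print(f"{n:5d}  {key:40s}  {first:%Y-%m-%d} .. {last:%Y-%m-%d}")


if __name__ == "__main__":
    print_report(event_report(SAMPLE_EVENTS))
```

The source/ID pairs in the report can be looked up on eventid.net as the slide suggests; the date range column is what makes a burst of one ID (for example repeated logon failures) stand out during triage.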
