
COS/PSA 413 Day 15

Agenda
– Assignment 3 corrected: 5 A’s, 4 B’s and 1 C
– Lab 5 corrected: 4 A’s and 1 B
– Lab 6 corrected: A, 2 B’s, 1 C and 1 D
– Lab 7 write-up due
– Lab 8 write-up due Nov. 4
– Capstone proposals overdue
  – See guidelines in WebCT
  – 8 require some modifications ( s sent)
  – Next progress report due on November 4
  – Timing of proposal and progress reports is 10% of the grade; in other words, if you don’t do this part the best score you can get is a B
– Today we will be discussing Computer Forensic Analysis
  – Chap. 10 in both texts, with differences (using FTK)
– Tomorrow is Lab 9 in OMS
  – Make sure you read the lab beforehand
  – Know what it is you are trying to accomplish
  – Hands-on Projects 10-1 and 10-3
  – Lab notes will be distributed tomorrow

Computer Forensic Analysis Chapter 10

Learning Objectives
– Understand computer forensic analysis
– Use DriveSpy to analyze computer data
– Use other Digital Intelligence computer forensics tools
– Use AccessData’s Forensic Toolkit
– Perform a computer forensic analysis
– Address data-hiding techniques

Understanding Computer Forensics Analysis
– Examining and analyzing digital evidence depends on:
  – Nature of the case
  – Amount of data to process
  – Search warrants
  – Court orders
  – Company policies
– Scope creep
– Right of full discovery of digital evidence

Refining the Investigation Plan
Steps:
– Determine the scope of the investigation
– Estimate the number of hours to complete the case
– Determine whether you should collect all information
– Plan what to do in case of scope creep
– Determine if you have adequate resources
– Establish the deadline

Refining the Investigation Plan (continued)
– After you refine your plan, acquire evidence
– Examine evidence
– Review the latest changes in technology
  – Find new places for hiding information
  – Learn of new methods for storing data
  – Verify that your tools still work
– Determine the suspect’s motive

Understanding Computer Forensic Analysis
Perform the following tasks to investigate:
– Examine file and folder date and time stamps
– Locate and extract all log files
– Locate and recover any temporary print spool files
– Locate and recover any encrypted or archived files
– Perform a keyword search on all data within the digital evidence
– Examine Windows shortcuts, Internet, and Recycle Bin files

Using DriveSpy to Analyze Computer Data
– Files: DriveSpy.exe, DriveSpy.ini, DriveSpy.hlp
– DriveSpy.ini sections:
  – License
  – File Headers
  – File Groups
  – Search
  – ASCII / hex / decimal conversion

Using DriveSpy to Analyze Computer Data (continued)

– File Headers
  – Hexadecimal numbers
  – Identify known files even if the extension is different
  – You can add more headers
– File Groups
  – Consolidate similar file types
  – Search for several header types at one time
  – You can define your own groups
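As an added illustration of header-based identification and file groups (my own Python, not DriveSpy code; the signature table, group names and layout are constructed and do not reproduce DriveSpy.ini’s format):

```python
import os
from typing import Optional

# Constructed header table: hex signatures keyed by type, as the slides describe.
FILE_HEADERS = {
    "jpg": "FFD8FF",
    "gif": "474946383961",        # "GIF89a"
    "png": "89504E470D0A1A0A",
    "pdf": "25504446",            # "%PDF"
    "zip": "504B0304",            # "PK\x03\x04"
    "exe": "4D5A",                # "MZ"
}

# Constructed groups: one search covers every header in the group.
FILE_GROUPS = {
    "graphics": ["jpg", "gif", "png"],
    "archives": ["zip"],
    "executables": ["exe"],
}

# Longest signatures first so a more specific header wins over a shorter one.
_SIGNATURES = sorted(
    ((bytes.fromhex(h), t) for t, h in FILE_HEADERS.items()),
    key=lambda sig: -len(sig[0]),
)


def identify(data: bytes) -> Optional[str]:
    """Return the type whose header bytes open `data`, or None if unknown."""
    for sig, ftype in _SIGNATURES:
        if data.startswith(sig):
            return ftype
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the header says one type but the extension claims another."""
    actual = identify(data)
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return actual is not None and ext != actual


def in_group(group: str, data: bytes) -> bool:
    """True when the header matches any type in the named group."""
    return identify(data) in FILE_GROUPS[group]


def group_search(files, group: str):
    """One pass over (name, bytes) pairs, returning names whose header is in the group."""
    return [name for name, data in files if in_group(group, data)]
```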

Using DriveSpy to Analyze Computer Data (continued)

– Search
  – Include keywords
  – Defines level of accuracy
  – Not case sensitive
  – Can produce false-positive hits
  – Use hex values for special characters or keywords

Using DriveSpy to Analyze Computer Data (continued)

DriveSpy Keyword Searching
– Search at the physical level (Drive mode) or the logical level (Partition mode)
– Use the Output command to create a log
– Drive mode supports other file systems
  – NTFS, HFS, UNIX/Linux
– Searches in partition gaps
– Cannot analyze archived or encrypted files
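The search behaviour described on the two slides above (case-insensitive text keywords, hex keywords for special characters, false positives, hits logged with their offsets), as an added Python example rather than DriveSpy’s own code; the two-sector image and the "hex:" keyword prefix are my own constructions:

```python
import re

SECTOR = 512

# Constructed two-sector "image": live text in sector 0, deleted residue in sector 1.
IMAGE = (
    b"Memo: the CASH transfer is on Friday.\r\n".ljust(SECTOR, b"\x00")
    + b"deleted note: cashmere scarf, wire cash now".ljust(SECTOR, b"\x00")
)


def compile_keyword(keyword: str) -> bytes:
    """Plain keywords become latin-1 bytes; 'hex:' keywords give raw byte values
    (the slides' way of searching for special characters such as CR/LF)."""
    if keyword.lower().startswith("hex:"):
        return bytes.fromhex(keyword[4:])
    return keyword.encode("latin-1")


def search(image: bytes, keywords, whole_word: bool = False):
    """Return hits sorted by offset; each hit records sector, keyword and context."""
    hits = []
    for kw in keywords:
        is_hex = kw.lower().startswith("hex:")
        pattern = re.escape(compile_keyword(kw))
        if whole_word and not is_hex:
            # Reject matches embedded in longer words ('cashmere' for 'cash'):
            # fewer false positives, at the cost of missing run-together text.
            pattern = rb"(?<![A-Za-z])" + pattern + rb"(?![A-Za-z])"
        flags = 0 if is_hex else re.IGNORECASE   # text search is case-insensitive
        for m in re.finditer(pattern, image, flags):
            hits.append({
                "offset": m.start(),
                "sector": m.start() // SECTOR,
                "keyword": kw,
                "context": image[max(0, m.start() - 8):m.end() + 8],
            })
    return sorted(hits, key=lambda h: h["offset"])


def format_log(hits):
    """Text log lines, one per hit, in the spirit of DriveSpy's Output command."""
    return [f"sector {h['sector']} offset {h['offset']} {h['keyword']!r} {h['context']!r}"
            for h in hits]
```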

DriveSpy Scripts
– Run predefined commands
– Similar to DOS batch files
– Usable in all three DriveSpy modes
– Creating a script
  – Use any text editor (Notepad)
  – Enter each command line by line
  – Can call other script files

DriveSpy Scripts (continued) Example:

DriveSpy Data Integrity Tools
– Wipe
  – Overwrites possibly sensitive residual data that could corrupt output data
  – Works on sectors, partitions, drives, unallocated space, and the MBR
  – Available in Drive and Partition modes

DriveSpy Integrity Tools (continued)
– MD5
  – RFC-compliant MD5 function
  – Hashes an entire partition, or specific files
  – Available in Drive and Partition modes
– Dbexport
  – Creates a text file of all specified data in a file or disk
  – Works only in Partition mode

DriveSpy Residual Data Collection Tools
– Recover deleted files and unused space
– SaveSlack
  – Copies slack space from files on a partition
  – 8.3 filename with .dat as the file extension
  – Works only in Partition mode
– SaveFree
  – Collects all unallocated disk space on a partition
  – Works only in Partition mode
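What MD5, SaveSlack and SaveFree each operate on, worked through in added Python (not DriveSpy’s implementation) over a constructed four-cluster partition image; the cluster geometry, file names and directory sizes are assumptions made up for the example:

```python
import hashlib

SECTOR = 512
CLUSTER = 4 * SECTOR   # constructed geometry: 4 sectors per cluster


def md5_hex(data: bytes) -> str:
    """Hash a whole partition image or one file's bytes for later verification."""
    return hashlib.md5(data).hexdigest()


def slack_range(first_byte: int, logical_size: int, cluster: int = CLUSTER):
    """[start, end) of file slack: from the logical EOF to the end of the last cluster."""
    clusters_used = -(-logical_size // cluster)          # ceiling division
    return first_byte + logical_size, first_byte + clusters_used * cluster


def save_slack(image: bytes, first_byte: int, logical_size: int,
               cluster: int = CLUSTER) -> bytes:
    """SaveSlack: bytes past EOF that the file system never shows the user."""
    start, end = slack_range(first_byte, logical_size, cluster)
    return image[start:end]


def save_free(image: bytes, allocated: set, cluster: int = CLUSTER) -> bytes:
    """SaveFree: concatenate every cluster not in the allocated set."""
    free = [image[c * cluster:(c + 1) * cluster]
            for c in range(len(image) // cluster) if c not in allocated]
    return b"".join(free)


def build_image() -> bytes:
    """Constructed partition: live file + old data in its slack, a freed cluster,
    a file that fills its cluster exactly (no slack), and a blank cluster."""
    c0 = (b"Quarterly numbers look fine.".ljust(100, b" ")
          + b"OLD: previous memo text left behind").ljust(CLUSTER, b"\x00")
    c1 = b"deleted draft of the memo".ljust(CLUSTER, b"\x00")
    c2 = b"B" * CLUSTER
    c3 = b"\x00" * CLUSTER
    return c0 + c1 + c2 + c3


# Assumed directory knowledge: (first byte, logical size) per file, and which
# clusters the allocation table marks in use.
FILES = {"note.txt": (0 * CLUSTER, 100), "blob.bin": (2 * CLUSTER, CLUSTER)}
ALLOCATED = {0, 2}
```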

Other Useful DriveSpy Command Tools
– Get FAT Entry (GFE)
– Chain FAT Entry (CFE)
– Chain Directory Entry (CDE)
– Trace Directory Cluster (TDC)
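What GFE and CFE do under the hood, as an added Python example (not DriveSpy code): read one FAT16 entry, then follow a cluster chain to its end-of-chain marker while reporting free, bad, looping and out-of-range clusters instead of running forever. The 16-entry FAT and the tiny data area are constructed for the example.

```python
import struct

FAT16_BAD = 0xFFF7          # bad-cluster marker
FAT16_EOC_MIN = 0xFFF8      # 0xFFF8..0xFFFF: end of chain


def build_fat(entries):
    """Pack 16-bit little-endian FAT16 entries (constructed sample table)."""
    return b"".join(struct.pack("<H", e) for e in entries)


# Constructed FAT16: clusters 0,1 reserved; file A = 2->3->7; file B = 5->6;
# cluster 4 free; 8<->9 is a corrupted loop; 10 marked bad.
SAMPLE_FAT = build_fat(
    [0xFFF8, 0xFFFF, 3, 7, 0, 6, 0xFFFF, 0xFFFF, 9, 8, 0xFFF7, 0, 0, 0, 0, 0])


def get_fat_entry(fat: bytes, cluster: int) -> int:
    """GFE: the raw table entry for one cluster."""
    return struct.unpack_from("<H", fat, cluster * 2)[0]


def chain_fat_entry(fat: bytes, start: int):
    """CFE: follow the chain from `start`. Returns (clusters, status), status being
    'ok', 'free', 'bad', 'loop' or 'range'; the partial chain is kept so a damaged
    file can still be partly recovered."""
    total = len(fat) // 2
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= total:
            return chain, "range"
        if cur in seen:
            return chain, "loop"
        entry = get_fat_entry(fat, cur)
        if entry == 0:
            return chain, "free"      # cluster not allocated (deleted file?)
        if entry == FAT16_BAD:
            return chain, "bad"
        chain.append(cur)
        seen.add(cur)
        if entry >= FAT16_EOC_MIN:
            return chain, "ok"
        cur = entry


def read_chain(image: bytes, chain, data_start: int, cluster_size: int, size: int) -> bytes:
    """Reassemble file content from its chain; data clusters are numbered from 2."""
    parts = [image[data_start + (c - 2) * cluster_size:][:cluster_size] for c in chain]
    return b"".join(parts)[:size]
```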

Other Useful DriveSpy Command Tools (continued)
– Cluster
– Boot
– PartMap
– Tables

Using Other Digital Intelligence Computer Forensics Tools
– Using PDBlock
  – Prevents data from being written to a disk drive
  – Can only be used at a true MS-DOS level
  – Turns off the BIOS’s Interrupt 13
– Using PDWipe
  – Overwrites hard disk drives
  – For sanitation purposes
  – Wipe the disk at least three to seven times