Hands-on: Capturing an Image with AccessData FTK Imager

Presentation transcript:

Hands-on: Capturing an Image with AccessData FTK Imager 67335_PPT_ch04.ppt : pages 26~32

Capturing an Image with AccessData FTK Imager
- Included with AccessData Forensic Toolkit
- Views evidence disks and disk-to-image files
- Makes disk-to-image copies of evidence drives, at the logical partition or the physical drive level
- Can segment the image file
- The evidence drive must sit behind a hardware write-blocking device, or the USB write-protection Registry feature must be enabled (HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, WriteProtect = 1; this covers USB mass-storage devices only, so a hardware blocker is the safer choice)
- FTK Imager can't acquire a drive's host protected area (HPA)
67335_PPT_ch04.ppt : pages 26~32
Guide to Computer Forensics and Investigations

Capturing an Image with AccessData FTK Imager (continued)
Steps:
1. Boot to Windows
2. Connect the evidence disk to a write-blocker
3. Connect the target (destination) disk; it must stay writable, so attach it directly to the workstation rather than behind the write-blocker (unless the forensic bridge has a separate unprotected destination port)
4. Start FTK Imager
5. Create Disk Image, using the Physical Drive option so the whole drive is acquired, not just one partition
6. Let FTK Imager verify the image when it finishes: it hashes the source drive and the image (MD5 and SHA-1) and reports whether they match; keep that verification log with the case file
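The verification in the last step can be repeated later (for example before analysis on another workstation) without FTK Imager. The script below is an added example, not code from the textbook or from AccessData: it assumes the image was written in raw (dd) format, so the hash of the evidence stream equals the hash of all segments concatenated in order, and it takes the expected hashes from FTK Imager's verification log as plain strings. The demo image it hashes is constructed in a temp directory.

```python
"""Verify a raw (dd-style) image written by FTK Imager, including a segmented one.

Added example, not code from the textbook or from AccessData. Assumes raw
format: MD5/SHA-1 of the evidence stream = hash of segments .001, .002, ...
concatenated in order. Expected hashes (from FTK Imager's verification log)
are passed in by the caller.
"""
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-TB image never sits in RAM


def segment_files(first_segment: str) -> list:
    """All segments of a split raw image, in acquisition order.

    FTK Imager numbers segments name.001, name.002, ...; an unsplit image
    (name.dd / name.raw) comes back as a one-element list.
    """
    p = Path(first_segment)
    m = re.fullmatch(r"(.*)\.(\d{3})", p.name)
    if not m:
        return [p]
    stem = re.escape(m.group(1))
    segs = [q for q in p.parent.iterdir() if re.fullmatch(stem + r"\.\d{3}", q.name)]
    return sorted(segs, key=lambda q: int(q.suffix[1:]))


def hash_image(first_segment: str) -> dict:
    """Stream every segment through MD5 and SHA-1; refuse to continue over a gap."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    segs = segment_files(first_segment)
    for i, seg in enumerate(segs, start=1):
        num = seg.suffix[1:]
        if num.isdigit() and int(num) != i:
            raise ValueError(f"segment gap: expected .{i:03d}, found {seg.name}")
        with open(seg, "rb") as fh:
            while True:
                buf = fh.read(CHUNK)
                if not buf:
                    break
                md5.update(buf)
                sha1.update(buf)
                total += len(buf)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "bytes": total, "segments": len(segs)}


def verify_image(first_segment: str, expected_md5=None, expected_sha1=None) -> bool:
    """True only if at least one expected hash was given and every given one matches."""
    h = hash_image(first_segment)
    checks = []
    if expected_md5 is not None:
        checks.append(h["md5"] == expected_md5.strip().lower())
    if expected_sha1 is not None:
        checks.append(h["sha1"] == expected_sha1.strip().lower())
    return bool(checks) and all(checks)


def make_demo_image():
    """Write three constructed segments to a temp dir; return (first segment, MD5 of the whole)."""
    d = Path(tempfile.mkdtemp(prefix="ftk_demo_"))
    md5 = hashlib.md5()
    for n in range(1, 4):
        chunk = bytes([n]) * 1024 + bytes(range(256))  # constructed content, not a real disk
        (d / f"evidence.{n:03d}").write_bytes(chunk)
        md5.update(chunk)
    return str(d / "evidence.001"), md5.hexdigest()


if __name__ == "__main__":
    first, expected = make_demo_image()
    print(hash_image(first))
    print("verified:", verify_image(first, expected_md5=expected))
```

A missing or misnumbered segment is treated as an error rather than silently hashed around, because a hash over an incomplete stream would never match the acquisition hash and would only waste a pass over the image.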

Creating a Virtual Machine 67335_PTT_ch06.ppt : pages 77~86

Understanding Virtual Machines
- Allows you to create a representation of another computer on an existing physical computer
- A virtual machine is just a few files on your hard drive; you must allocate space to it
- A virtual machine recognizes components of the physical machine it's loaded on
- The virtual OS is limited by the physical machine's OS and hardware

Understanding Virtual Machines (continued)
In computer forensics:
- Virtual machines make it possible to restore a suspect drive into a virtual machine and run nonstandard software the suspect might have loaded
- Restore from a working copy of the forensic image, never from the original evidence, and keep the guest's network isolated: booting the restored system writes to it
From a network forensics standpoint, you need to be aware of some potential issues, such as:
- A virtual machine used to attack another system or network

Creating a Virtual Machine
- Two popular applications for creating virtual machines: VMware and Microsoft Virtual PC
- Using Virtual PC: you must download and install Virtual PC first

Creating a Virtual Machine (continued)
- You need an ISO image of an OS, because no OSs are provided with Virtual PC
- Virtual PC creates two files for each virtual machine:
  - A .vhd file, which is the actual virtual hard disk
  - A .vmc file, which keeps track of the configuration you make for that disk
- To see what type of physical machine your virtual machine thinks it's running on, open the Virtual PC Console and click Settings
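Before restoring or mounting a .vhd found on a suspect machine it is worth reading its footer: it tells you whether the disk is fixed, dynamic or differencing (a differencing disk is useless without its parent), how large the virtual disk is, and whether the VM was suspended with state saved. The parser below is an added example, not the textbook's or Microsoft's code; it follows the published VHD footer layout (big-endian fields, "conectix" cookie, one's-complement checksum). The sample footer is constructed by build_footer(), and its geometry values are arbitrary.

```python
"""Read the 512-byte footer that every Virtual PC .vhd file ends with.

Added example, not the textbook's or Microsoft's code. Field layout follows
the published VHD format; build_footer() makes a constructed sample, not a
footer from a real disk.
"""
import struct
from datetime import datetime, timedelta, timezone

VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # VHD timestamps: seconds since 2000-01-01
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}
# cookie, features, format version, data offset, timestamp, creator app,
# creator version, creator host OS, original size, current size,
# geometry (cylinders, heads, sectors/track), disk type, checksum, unique id,
# saved state, reserved
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427s"
assert struct.calcsize(FOOTER_FMT) == 512


def footer_checksum(raw: bytes) -> int:
    """One's complement of the byte sum, with the checksum field (bytes 64..67) skipped."""
    return (~(sum(raw[:64]) + sum(raw[68:]))) & 0xFFFFFFFF


def parse_vhd_footer(raw: bytes) -> dict:
    if len(raw) != 512:
        raise ValueError("footer must be exactly 512 bytes")
    f = struct.unpack(FOOTER_FMT, raw)
    if f[0] != b"conectix":
        raise ValueError("not a VHD footer: cookie mismatch")
    return {
        "disk_type": DISK_TYPES.get(f[13], f"unknown({f[13]})"),
        "original_size": f[8],
        "current_size": f[9],
        "geometry": (f[10], f[11], f[12]),
        "created": VHD_EPOCH + timedelta(seconds=f[4]),
        "creator_app": f[5].decode("ascii", "replace").strip(),
        "data_offset": f[3],          # all-ones for fixed disks, else offset of the dynamic header
        "uuid": f[15].hex(),
        "saved_state": bool(f[16]),   # VM was suspended with state saved
        "checksum_ok": f[14] == footer_checksum(raw),
    }


def read_vhd_footer(path: str) -> dict:
    """Fixed and dynamic VHDs both keep a footer copy in the last 512 bytes."""
    with open(path, "rb") as fh:
        fh.seek(-512, 2)
        return parse_vhd_footer(fh.read(512))


def build_footer(size_bytes: int, disk_type: int = 2, saved_state: int = 0,
                 timestamp: int = 0) -> bytes:
    """Constructed footer for the demo; geometry is made up, not derived from size."""
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else 512
    fields = [b"conectix", 2, 0x00010000, data_offset, timestamp, b"vpc ", 0x00050003,
              b"Wi2k", size_bytes, size_bytes, 1000, 16, 63, disk_type, 0, bytes(16),
              saved_state, bytes(427)]
    fields[14] = footer_checksum(struct.pack(FOOTER_FMT, *fields))
    return struct.pack(FOOTER_FMT, *fields)


if __name__ == "__main__":
    print(parse_vhd_footer(build_footer(64 * 1024 * 1024, disk_type=3, saved_state=1)))
```

A failed checksum on a file that otherwise carries the cookie usually means the footer was truncated or edited; treat such a disk as suspect rather than trusting the size and type fields.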

Current Computer Forensic Tools Chapter 7

Analyze Data Ch09.ppt : pages 9~13

Using AccessData Forensic Toolkit to Analyze Data
- Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
- FTK can analyze data from several sources, including image files from other vendors
- FTK produces a case log file
- Searching for keywords:
  - Indexed search
  - Live search
  - Supports options and advanced searching techniques, such as stemming

Using AccessData Forensic Toolkit to Analyze Data (continued)
- Analyzes compressed files
- You can generate reports using bookmarks

Recovering Passwords Ch09.ppt: pages 34~41

Recovering Passwords
Techniques:
- Dictionary attack
- Brute-force attack
- Password guessing based on the suspect's profile
Tools:
- AccessData PRTK
- Advanced Password Recovery Software Toolkit
- John the Ripper

Recovering Passwords (continued)
Using AccessData tools with passworded and encrypted files:
- AccessData offers a tool called Password Recovery Toolkit (PRTK)
- It can create possible password lists from many sources
- You can create your own custom dictionary based on facts in the case
- You can create a suspect profile and use biographical information to generate likely passwords
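The profile-driven dictionary the slide describes is simple to reproduce. The script below is an added example, not PRTK's or the textbook's code: the profile, the mangling rules and DEMO_HASH are all constructed here (DEMO_HASH is the SHA-256 of a password that the profile happens to produce). Real encrypted files sit behind slow key-derivation functions, so the same loop runs orders of magnitude slower against them than against a bare SHA-256.

```python
"""Generate a case-specific password dictionary from a suspect profile and run
a dictionary attack with it.

Added example, not PRTK's or the textbook's code. PROFILE, the mangling
rules and DEMO_HASH are constructed for the demonstration.
"""
import hashlib
import itertools

PROFILE = {                           # constructed biographical facts from a case file
    "names": ["john", "doe", "rex"],  # suspect, surname, pet
    "places": ["denver"],
    "years": ["1978", "2003"],        # suspect's and child's birth years
}
COMMON_SUFFIXES = ["", "!", "1", "123", "#"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})


def case_variants(word: str) -> set:
    return {word.lower(), word.capitalize(), word.upper()}


def profile_candidates(profile: dict):
    """Yield candidates: (single words, joined pairs) x case/leet x (suffix | year)."""
    words = profile["names"] + profile["places"]
    bases = set()
    for w in words:
        bases |= case_variants(w)
        bases.add(w.translate(LEET))
    for a, b in itertools.permutations(words, 2):      # name+pet, pet+name, ...
        bases.add(a + b)
        bases.add(a.capitalize() + b.capitalize())
    tails = COMMON_SUFFIXES + profile["years"] + [y[-2:] for y in profile["years"]]
    seen = set()
    for base in sorted(bases):
        for tail in tails:
            cand = base + tail
            if cand not in seen:
                seen.add(cand)
                yield cand


def dictionary_attack(target_hash: str, candidates):
    """Return (password, attempts) on success, (None, attempts) otherwise."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if hashlib.sha256(cand.encode()).hexdigest() == target_hash:
            return cand, attempts
    return None, attempts


DEMO_HASH = hashlib.sha256(b"Rex2003").hexdigest()  # constructed target


if __name__ == "__main__":
    pw, n = dictionary_attack(DEMO_HASH, profile_candidates(PROFILE))
    print(f"recovered {pw!r} after {n} candidates")
```

Candidates are generated lazily and de-duplicated, so the same generator can be written out as a wordlist for John the Ripper or fed straight into a checker; the order (bases sorted, short suffixes first) is a choice, not something the slide prescribes.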

Recovering Passwords (continued)
Using AccessData tools with passworded and encrypted files (continued):
- FTK can identify known encrypted files and those that seem to be encrypted, and export them
- You can then import these files into PRTK and attempt to crack them

Understanding Steganography ch10.ppt : pages 53~56

Understanding Steganography in Graphics Files (continued)
Substitution:
- Replaces bits of the host file with bits of data, usually the last two least-significant bits (LSBs) of each sample
- Detected with steganalysis tools
- Usually used with image files; audio and video variants exist and are hard to detect

Using Steganalysis Tools
- Detect variations of the graphic image
- When applied correctly, hidden data cannot be detected in most cases
Methods:
- Compare the suspect file to known good (or known bad) versions of the image
- Mathematical calculations to verify size and palette color
- Compare hash values
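To make both slides concrete, the script below embeds data by two-LSB substitution and then applies the first detection method listed above (compare the suspect with a known-good copy, by hash and then sample by sample). It is an added example, not the textbook's code or any named stego tool: COVER is a constructed grey-scale sample buffer with no PNG/JPEG container, so the bit arithmetic is visible without an imaging library.

```python
"""Two-LSB substitution in a raw 8-bit sample buffer, and the simplest
steganalysis: compare the suspect with a known-good copy.

Added example, not the textbook's code. COVER is a constructed buffer, not
an image file.
"""
import hashlib

BITS = 2                    # substitution usually touches the last two LSBs
MASK = (1 << BITS) - 1      # 0b11
HIGH = 0xFF & ~MASK         # 0b11111100: the bits that must stay untouched
COVER = bytes((i * 37 + (i >> 4)) % 256 for i in range(4096))   # constructed "image"


def embed(cover: bytes, payload: bytes) -> bytearray:
    """Write a 4-byte length prefix then the payload, BITS bits per sample."""
    data = len(payload).to_bytes(4, "big") + payload
    samples_needed = len(data) * 8 // BITS
    if samples_needed > len(cover):
        raise ValueError("payload too large for cover")
    bits = int.from_bytes(data, "big")
    total_bits = len(data) * 8
    out = bytearray(cover)
    for i in range(samples_needed):
        chunk = (bits >> (total_bits - BITS * (i + 1))) & MASK
        out[i] = (out[i] & HIGH) | chunk
    return out


def extract(stego: bytes) -> bytes:
    def read(start, nbytes):
        val = 0
        for i in range(nbytes * 8 // BITS):
            val = (val << BITS) | (stego[start + i] & MASK)
        return val.to_bytes(nbytes, "big")
    length = int.from_bytes(read(0, 4), "big")
    return read(4 * 8 // BITS, length)


def compare_with_original(original: bytes, suspect: bytes) -> dict:
    """Hash comparison first; if sizes agree, count changed samples and check
    whether every change is confined to the low BITS bits (the LSB signature).
    lsb_only is False when nothing changed at all."""
    same_hash = hashlib.sha256(original).digest() == hashlib.sha256(suspect).digest()
    if len(original) != len(suspect):
        return {"same_hash": same_hash, "size_match": False,
                "samples_changed": None, "lsb_only": None}
    changed = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    lsb_only = all(((original[i] ^ suspect[i]) & HIGH) == 0 for i in changed)
    return {"same_hash": same_hash, "size_match": True,
            "samples_changed": len(changed), "lsb_only": bool(changed) and lsb_only}


if __name__ == "__main__":
    stego = embed(COVER, b"meet at dawn")
    print(extract(stego))
    print(compare_with_original(COVER, bytes(stego)))
```

Note what the comparison does and does not prove: a hash mismatch with changes confined to the two low bits of a few dozen leading samples is a strong LSB-substitution indicator, but without the original the same file looks statistically ordinary, which is the "cannot detect in most cases" point on the slide.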

Packet Sniffers (to be replaced with a Wireshark lab on password sniffing) Ch11.ppt : pages 22~27

Using Packet Sniffers
Packet sniffers:
- Devices or software that monitor network traffic
- Most work at layer 2 or 3 of the OSI model
- Most tools follow the PCAP format
- Some packets can be identified by examining the flags in their TCP headers
Tools:
- Tcpdump
- Tethereal (now tshark)

Using Packet Sniffers (continued)
Tools (continued):
- Snort
- Tcpslice
- Tcpreplay
- Tcpdstat
- Ngrep
- Etherape
- Netdude
- Argus
- Ethereal (now Wireshark)
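The three points the slides make about sniffers (the PCAP file format, classifying segments by TCP flags, and the password-sniffing lab) fit in one script. The one below is an added example, not the textbook's, tcpdump's or Wireshark's code: build_demo_pcap() constructs a classic PCAP file in memory containing an Ethernet/IPv4/TCP handshake followed by clear-text FTP USER/PASS lines, so every address, port and credential in it is made up.

```python
"""Read a PCAP file, label TCP segments by their header flags, and pull
clear-text FTP credentials out of the payloads.

Added example, not the textbook's or any sniffer's code. The capture is
constructed by build_demo_pcap(); addresses and credentials are invented.
"""
import struct

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def flag_names(flags: int) -> list:
    return [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]


def parse_tcp_frame(frame: bytes):
    """Ethernet -> IPv4 -> TCP; returns None for anything else."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":        # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                             # not TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    doff = (off_res >> 4) * 4
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "flags": flag_names(flags), "payload": tcp[doff:]}


def parse_pcap(data: bytes):
    """Yield one dict per TCP segment in a classic (non-pcapng) capture."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        seg = parse_tcp_frame(frame)
        if seg:
            seg["time"] = ts_sec + ts_usec / 1e6
            yield seg


def sniff_ftp_credentials(segments) -> dict:
    """FTP sends USER and PASS in the clear; collect them per client socket."""
    creds = {}
    for seg in segments:
        for line in seg["payload"].split(b"\r\n"):
            if line.startswith(b"USER "):
                creds.setdefault(seg["src"], {})["user"] = line[5:].decode(errors="replace")
            elif line.startswith(b"PASS "):
                creds.setdefault(seg["src"], {})["pass"] = line[5:].decode(errors="replace")
    return creds


def _frame(src, dst, sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_demo_pcap() -> bytes:
    """Constructed capture: handshake, USER/PASS, FIN. Little-endian classic pcap."""
    client, server = "10.0.0.5", "10.0.0.9"
    frames = [
        _frame(client, server, 40000, 21, 0x02),                      # SYN
        _frame(server, client, 21, 40000, 0x12),                      # SYN|ACK
        _frame(client, server, 40000, 21, 0x10),                      # ACK
        _frame(client, server, 40000, 21, 0x18, b"USER alice\r\n"),   # PSH|ACK
        _frame(client, server, 40000, 21, 0x18, b"PASS s3cret!\r\n"),
        _frame(client, server, 40000, 21, 0x11),                      # FIN|ACK
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    segs = list(parse_pcap(build_demo_pcap()))
    for s in segs:
        print(s["src"], "->", s["dst"], s["flags"])
    print(sniff_ftp_credentials(segs))
```

The same capture opened in Wireshark shows the handshake as SYN, SYN/ACK, ACK and the credentials under Follow TCP Stream; the point of parsing by hand is to see exactly which header bytes those labels come from.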

Viewing E-mail Headers Ch12.ppt: pages 12~26

Viewing E-mail Headers
- Learn how to find e-mail headers in GUI clients, command-line clients, and Web-based clients
- After you open e-mail headers, copy and paste them into a text document so that you can read them with a text editor
- Headers contain useful information: unique identifying numbers, the IP address of the sending server, and the sending time

Viewing E-mail Headers (continued)
Outlook:
- Open the Message Options dialog box
- Copy the headers and paste them into any text editor
Outlook Express:
- Open the message Properties dialog box
- Select Message Source
- Copy and paste the headers into any text editor

Viewing E-mail Headers (continued)
Novell Evolution:
- Click View, All Message Headers
- Copy and paste the e-mail header
Pine and ELM:
- Check enable-full-headers
AOL headers:
- Click Action, View Message Source
- Copy and paste the headers

Viewing E-mail Headers (continued)
Hotmail:
- Click Options, and then click Mail Display Settings
- Click the Advanced option button under Message Headers
- Copy and paste the headers
Apple Mail:
- Click View on the menu, point to Message, and then click Long Headers

Viewing E-mail Headers (continued)
Yahoo:
- Click Mail Options
- Click General Preferences, and select Show all headers on incoming messages
- Copy and paste the headers
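Whichever client the headers came from, the text file you pasted them into is read the same way. The script below is an added example, not the textbook's code; SAMPLE_HEADERS is a constructed header block with invented hostnames, IPs and Message-ID. It walks the Received: chain, which each relay prepends, so the bottom line is closest to the sender and the top one is the receiving organisation's own server; only the hops added by servers you control can be trusted, anything below them may have been forged by the sender.

```python
"""Parse saved e-mail headers and walk the Received: chain back to the origin.

Added example, not the textbook's code. SAMPLE_HEADERS is constructed; its
hosts, addresses and Message-ID are invented.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE_HEADERS = """\
Return-Path: <sender@example.org>
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
    by mail.victim.example (Postfix) with ESMTPS id 4F2A1
    for <user@victim.example>; Tue, 03 Oct 2023 10:15:22 +0000
Received: from relay.example.org (unknown [203.0.113.45])
    by mx2.example.net with ESMTP; Tue, 03 Oct 2023 10:15:20 +0000
Received: from [192.0.2.23] (helo=laptop)
    by relay.example.org with esmtpa; Tue, 03 Oct 2023 10:15:18 +0000
Message-ID: <20231003101518.1234@relay.example.org>
Date: Tue, 03 Oct 2023 10:15:18 +0000
From: sender@example.org
To: user@victim.example
Subject: invoice

body
"""

IP_RE = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3})\]?")


def received_chain(raw_headers: str) -> list:
    """One dict per Received: line, ordered oldest hop (nearest the sender) first."""
    msg = message_from_string(raw_headers)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(hdr.split())                   # unfold continuation lines
        frm = re.search(r"from (\S+)", text)
        by = re.search(r"\bby (\S+)", text)
        ips = IP_RE.findall(text.split(" by ")[0])     # addresses in the 'from' part only
        date = parsedate_to_datetime(text.rsplit(";", 1)[1].strip()) if ";" in text else None
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "from_ips": ips, "date": date})
    hops.reverse()
    return hops


def summarize(raw_headers: str) -> dict:
    """Origin IP, hop count, Message-ID and whether hop timestamps increase monotonically."""
    msg = message_from_string(raw_headers)
    chain = received_chain(raw_headers)
    dated = [h["date"] for h in chain if h["date"] is not None]
    return {
        "message_id": msg["Message-ID"],
        "origin_ip": chain[0]["from_ips"][0] if chain and chain[0]["from_ips"] else None,
        "hops": len(chain),
        "monotonic": all(a <= b for a, b in zip(dated, dated[1:])),
    }


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(hop)
    print(summarize(SAMPLE_HEADERS))
```

A chain whose timestamps run backwards, or whose lowest hop claims to be "by" a host that the hop above never names as its "from", is the usual sign of a forged Received: line inserted by the sender.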

Recovering E-mail Ch12.ppt: pages 52~58

Using AccessData FTK to Recover E-mail
- Can index data on a disk image or an entire drive for faster data retrieval
- Filters and finds files specific to e-mail clients and servers
- To recover e-mail from Outlook and Outlook Express, AccessData integrated dtSearch
- dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files
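The indexed-versus-live distinction from the FTK analysis slides (indexed search, live search, stemming) and the dtSearch index described here come down to the same data structure. The script below is an added example serving both passages; it is not AccessData's or dtSearch's code. dtSearch keeps its index in an on-disk b-tree, for which an in-memory dictionary stands in here, and the stemming is a deliberately tiny suffix-stripping rule, not a real stemmer. DEMO_DOCS are constructed.

```python
"""Build an inverted index over a set of files once, then answer keyword
queries from it, alongside a live search that rescans every file.

Added example, not AccessData's or dtSearch's code. A dict stands in for the
on-disk b-tree; stem() is a toy rule. DEMO_DOCS are constructed.
"""
import re
from collections import defaultdict

WORD_RE = re.compile(r"[a-z0-9]+")
DEMO_DOCS = {   # constructed file contents
    "mail1.txt": "Please send the invoices for the March payments by Friday.",
    "mail2.txt": "Lunch on Friday? The new menu looks good.",
    "notes.txt": "Invoice 4471 is unpaid; payment was due in March.",
}


def stem(word: str) -> str:
    """Toy stemmer: strip one common suffix so 'invoices' and 'invoice' share a term."""
    for suf in ("ing", "ed", "s"):
        if len(word) > len(suf) + 2 and word.endswith(suf):
            return word[:-len(suf)]
    return word


def tokens(text: str) -> list:
    return [stem(w) for w in WORD_RE.findall(text.lower())]


def build_index(docs: dict) -> dict:
    """docs: {name: text}. Returns {term: {name: [token positions]}}.

    Built once per image; every later query is a lookup, not a rescan.
    """
    index = defaultdict(lambda: defaultdict(list))
    for name, text in docs.items():
        for pos, term in enumerate(tokens(text)):
            index[term][name].append(pos)
    return {term: dict(posting) for term, posting in index.items()}


def indexed_search(index: dict, query: str) -> set:
    """Files containing every (stemmed) query term."""
    terms = tokens(query)
    if not terms:
        return set()
    hits = None
    for t in terms:
        names = set(index.get(t, {}))
        hits = names if hits is None else hits & names
    return hits


def live_search(docs: dict, pattern: str) -> set:
    """Rescan every file; slower, but supports regex, which the index cannot."""
    pat = re.compile(pattern, re.IGNORECASE)
    return {name for name, text in docs.items() if pat.search(text)}


if __name__ == "__main__":
    idx = build_index(DEMO_DOCS)
    print(sorted(idx)[:10])
    print(indexed_search(idx, "march payment"))
    print(live_search(DEMO_DOCS, r"invoice \d+"))
```

Indexing costs one full pass over the evidence up front; after that, keyword and stem queries return in constant time per term, which is why FTK indexes a case before analysis. A live search is the right tool when the pattern is a regular expression or a byte sequence the tokenizer would never have produced.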
