Forensic analysis of Windows hosts using UNIX-based tools
Source: Digital Investigation (2004) 1, 197-212
Writer: Cory Altheide
Reporter: Yao
Professor: Shiuh-Jeng Wang

Tools
SMART for Linux (ASR Data) --- commercial software
Autopsy (by Brian Carrier) --- free, open-source software

Properties of SMART for Linux
Support for several image compression formats.
Recovery of deleted files.
Mounting of split image files.
Support for the NTFS and FAT file systems.

Properties of Autopsy
A web-based front end for The Sleuth Kit.
A modular, extensible design that lets end users add their own modules and reduces the likelihood of a single point of failure.
Support for the NTFS and FAT file systems.

Deleted file recovery
Both tools recover deleted files on FAT and NTFS, although Autopsy's NTFS recovery is somewhat rudimentary compared to SMART's. Recovery on NTFS is almost trivial compared with FAT: an unallocated MFT entry still holds the file's name and the list of clusters it occupied until the entry is reused, whereas FAT clears the cluster chain and overwrites the first character of the name, leaving only the starting cluster and the size to go on.

Unallocated space
Both tools allow extraction of unallocated space to some degree, although SMART's extraction is far more granular and customizable. foremost is a very good tool for file carving against exported unallocated space or other unstructured data: it scans for known file headers and footers and cuts out what lies between them, so it needs no file system metadata at all.
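To show what the carving step amounts to, here is an added example (not code from the paper or from foremost): a header/footer carver in the style of foremost, run over a constructed buffer standing in for exported unallocated space. The JPEG and PDF magic values are the real ones; the size caps, the output naming and the sample data are this example's own choices.

```python
import re
from dataclasses import dataclass


@dataclass
class Carved:
    kind: str
    offset: int    # byte offset of the header within the input buffer
    data: bytes


# kind -> (header, footer, take-last-footer?, maximum carve size)
# The magic values are the real JPEG/PDF ones; the size caps are this
# example's choice, as they would be in a foremost.conf line.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", False, 2_000_000),
    "pdf": (b"%PDF-", b"%%EOF", True, 4_000_000),
}


def carve(buf: bytes) -> list[Carved]:
    """Return every header-delimited candidate in buf, in offset order."""
    found = []
    for kind, (head, foot, take_last, limit) in SIGNATURES.items():
        pos = buf.find(head)
        while pos != -1:
            window = buf[pos:pos + limit]
            # PDFs with incremental updates carry several %%EOF markers, so
            # keep the last one inside the cap; a JPEG ends at the first FFD9.
            fpos = window.rfind(foot) if take_last else window.find(foot, len(head))
            # No trailer inside the cap: keep the capped window (truncated file).
            end = len(window) if fpos == -1 else fpos + len(foot)
            found.append(Carved(kind, pos, window[:end]))
            pos = buf.find(head, pos + 1)
    found.sort(key=lambda c: c.offset)
    return found


def output_name(c: Carved) -> str:
    """Name carved files by offset, the way foremost does (e.g. 00000512.jpg)."""
    return f"{c.offset:08d}.{c.kind}"


# Constructed sample: two complete files and one truncated JPEG, separated by
# filler that contains none of the signatures above.
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x01" * 40 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n2 0 obj<<>>endobj\n%%EOF"
SAMPLE_TRUNCATED = b"\xff\xd8\xff\xdb" + b"\x02" * 20
FILLER = bytes(range(256)) * 2


def sample_unallocated() -> bytes:
    return FILLER + SAMPLE_JPG + FILLER + SAMPLE_PDF + FILLER + SAMPLE_TRUNCATED


if __name__ == "__main__":
    for c in carve(sample_unallocated()):
        print(output_name(c), len(c.data), "bytes")
```

Because carving keys on signatures alone, it recovers only contiguous files, cuts a fragmented file at the wrong place, and reports embedded objects (EXIF thumbnails, PDFs inside other documents) as separate hits; every hit still has to be validated, which is also why output is named by offset rather than by any name recovered from the data.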

Keyword searching
SMART --- simple term search and Unicode term search
Autopsy --- no Unicode support
On a Windows image this matters: NTFS file names, registry strings and Office document text are stored as UTF-16LE, so an ASCII-only search never sees them.
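Why the Unicode limitation matters, as an added example that is not part of the paper or of either tool: the search below looks for a term in a constructed buffer both as ASCII and as UTF-16LE, folding case per character before encoding so that the zero bytes of UTF-16LE are handled correctly, and contrasts it with a plain byte search. The file name and log line in the buffer are made up.

```python
import re
from dataclasses import dataclass

# Encodings worth searching on a Windows image: ASCII/ANSI for logs and most
# application data, UTF-16LE for NTFS file names, registry strings and
# Office text.
ENCODINGS = ("ascii", "utf-16-le")


@dataclass
class Hit:
    offset: int
    encoding: str
    text: str        # the bytes actually matched, decoded


def pattern_for(term: str, encoding: str, ignore_case: bool = True) -> re.Pattern:
    """Build a byte regex for term in one encoding, optionally case-insensitive.

    Case folding is done per character before encoding, because a plain
    re.IGNORECASE on bytes knows nothing about the zero bytes of UTF-16LE.
    """
    parts = []
    for ch in term:
        variants = {ch, ch.lower(), ch.upper()} if ignore_case else {ch}
        alts = b"|".join(re.escape(v.encode(encoding)) for v in sorted(variants))
        parts.append(b"(?:" + alts + b")")
    return re.compile(b"".join(parts))


def search(buf: bytes, term: str, ignore_case: bool = True) -> list[Hit]:
    """Find term in every encoding of ENCODINGS; hits come back in offset order."""
    hits = []
    for enc in ENCODINGS:
        for m in pattern_for(term, enc, ignore_case).finditer(buf):
            hits.append(Hit(m.start(), enc, m.group().decode(enc)))
    hits.sort(key=lambda h: h.offset)
    return hits


def naive_find(buf: bytes, term: str) -> int:
    """What an ASCII-only, case-sensitive search sees (-1 = no hit)."""
    return buf.find(term.encode("ascii"))


def sample_image() -> bytes:
    """Constructed: a UTF-16LE NTFS file name, then an ASCII proxy-log line."""
    return (b"\x00" * 32
            + "secret_plan.docx".encode("utf-16-le")
            + b"\x00" * 32
            + b"GET /SECRET_plan.docx HTTP/1.1\r\n"
            + b"\x00" * 32)


if __name__ == "__main__":
    buf = sample_image()
    print("naive byte search:", naive_find(buf, "secret_plan"))
    for h in search(buf, "secret_plan"):
        print(f"{h.offset:#08x} {h.encoding:9s} {h.text}")
```

The UTF-16LE pattern matches at any byte alignment, which is what you want on raw image data: a hit inside a stale MFT entry or a pagefile fragment is not guaranteed to start on an even offset.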

Windows file examination
Trojan defense --- scan the mounted volume with Clam AntiVirus and F-Prot for known malicious code, so that a claim that malware rather than the user was responsible can be tested. Mount the image read-only (and noexec) so the scan cannot alter the evidence.

Pasco, Galleta, and Rifiuti
Rifiuti parses INFO2 files from the Recycle Bin --- INFO2 is an index of each deleted file's former metadata (original path, deletion time, size).
Galleta parses Internet Explorer cookies --- plain text files.
Pasco parses Internet Explorer history files --- index.dat stores data about a user's web browsing history.
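An added example, not rifiuti's code, of what parsing INFO2 involves. The layout it assumes is the version-5 (Windows 2000/XP) format: a 20-byte header with the record size at offset 12, then 800-byte records holding the ANSI original path (260 bytes), record index, drive number, deletion time as a FILETIME, physical size, and a UTF-16LE copy of the path (520 bytes); the first byte of the ANSI path is zeroed when the entry is restored or deleted from the bin, while the record itself stays. The sample index is constructed to that layout, and the user name and paths in it are made up.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20
RECORD_LEN = 800          # version-5 INFO2 (Windows 2000/XP)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class RecycleEntry:
    index: int
    drive: str
    deleted_at: datetime
    size: int            # physical size, rounded up to the cluster size
    path: str            # original location, taken from the UTF-16LE copy
    removed: bool        # ANSI path's first byte nulled: restored or deleted from bin

    def bin_name(self) -> str:
        """Name the file carries inside the bin: D + drive letter + index + ext."""
        name = self.path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        return f"D{self.drive.lower()}{self.index}" + (f".{ext}" if ext else "")


def parse_info2(data: bytes) -> list[RecycleEntry]:
    version, = struct.unpack_from("<I", data, 0)
    rec_len, = struct.unpack_from("<I", data, 12)
    if version != 5 or rec_len != RECORD_LEN:
        raise ValueError(f"unsupported INFO2 version {version}, record size {rec_len}")
    entries = []
    for off in range(HEADER_LEN, len(data) - rec_len + 1, rec_len):
        rec = data[off:off + rec_len]
        ansi_path = rec[:260]
        index, drive_no, ft, size = struct.unpack_from("<IIQI", rec, 260)
        upath = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        entries.append(RecycleEntry(index, chr(ord("A") + drive_no),
                                    filetime_to_dt(ft), size, upath,
                                    removed=(ansi_path[0] == 0)))
    return entries


def build_record(path, index, drive_no, deleted_at, size, removed=False) -> bytes:
    """Constructed sample record in the layout parse_info2 expects."""
    ansi = path.encode("ascii").ljust(260, b"\x00")
    if removed:
        ansi = b"\x00" + ansi[1:]
    meta = struct.pack("<IIQI", index, drive_no, dt_to_filetime(deleted_at), size)
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + meta + uni


def sample_info2() -> bytes:
    """Constructed INFO2: one live entry and one already removed from the bin."""
    header = struct.pack("<IIIII", 5, 0, 0, RECORD_LEN, 0)
    return (header
            + build_record(r"C:\Documents and Settings\yao\My Documents\plan.doc", 1, 2,
                           datetime(2004, 3, 15, 9, 26, 53, tzinfo=timezone.utc), 24576)
            + build_record(r"C:\temp\tool.exe", 2, 2,
                           datetime(2004, 3, 15, 9, 30, 0, tzinfo=timezone.utc), 4096,
                           removed=True))


if __name__ == "__main__":
    for e in parse_info2(sample_info2()):
        flag = "removed" if e.removed else "in bin as " + e.bin_name()
        print(e.deleted_at.isoformat(), e.size, e.path, flag)
```

The removed flag is the reason the UTF-16LE copy is the one to report: the ANSI copy loses its first character exactly for the entries an examiner is most interested in, and the deletion timestamp and size survive either way until the record is overwritten.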

Mail files
LibPST is a library for parsing Outlook PST files; readpst reads a PST and produces one of several selectable output formats (mbox by default).
LibDBX parses Outlook Express DBX files; readoe produces valid mbox files.
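Once readpst or readoe has written mbox, the rest of the UNIX-side tooling applies. As an added example (not libpst or libdbx code), the following reads a constructed mbox in that form with Python's mailbox module, pulls the headers an examiner keys on and hashes each attachment so it can be matched against known-file sets; the messages and addresses are made up.

```python
import hashlib
import mailbox
import os
import tempfile
from dataclasses import dataclass, field
from email.utils import parsedate_to_datetime


@dataclass
class MailRecord:
    sender: str
    date_iso: str           # Date header normalised to ISO 8601, "" if absent
    message_id: str
    subject: str
    attachments: list = field(default_factory=list)   # (name, sha256, size)


def summarize_mbox(path: str) -> list[MailRecord]:
    """Walk every message in an mbox and hash every attachment."""
    box = mailbox.mbox(path)
    records = []
    try:
        for msg in box:
            date = msg["Date"]
            rec = MailRecord(
                sender=msg["From"] or "",
                date_iso=parsedate_to_datetime(date).isoformat() if date else "",
                message_id=msg["Message-ID"] or "",
                subject=msg["Subject"] or "",
            )
            for part in msg.walk():
                if part.get_filename() is None:
                    continue           # body text and multipart containers
                payload = part.get_payload(decode=True) or b""
                rec.attachments.append(
                    (part.get_filename(), hashlib.sha256(payload).hexdigest(), len(payload)))
            records.append(rec)
    finally:
        box.close()
    return records


# Constructed mbox in the shape readpst/readoe emit: a "From " envelope line
# per message, then RFC 822 headers and body. The attachment is "hello".
SAMPLE_MBOX = b"""From alice@example.com Mon Mar 15 09:26:53 2004
From: Alice <alice@example.com>
To: bob@example.com
Date: Mon, 15 Mar 2004 09:26:53 +0000
Message-ID: <1@example.com>
Subject: the plan
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

see attached
--B
Content-Type: application/octet-stream; name="plan.doc"
Content-Disposition: attachment; filename="plan.doc"
Content-Transfer-Encoding: base64

aGVsbG8=
--B--

From bob@example.com Mon Mar 15 10:00:00 2004
From: Bob <bob@example.com>
To: alice@example.com
Date: Mon, 15 Mar 2004 10:00:00 +0000
Message-ID: <2@example.com>
Subject: Re: the plan

got it

"""


def write_sample_mbox() -> str:
    path = os.path.join(tempfile.mkdtemp(), "outlook.mbox")
    with open(path, "wb") as f:
        f.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    for r in summarize_mbox(write_sample_mbox()):
        print(r.date_iso, r.sender, r.message_id, r.attachments)
```

The Date header is the sender's clock and is trivially forged; for timeline work, cross-check it against the Received headers and against the PST's own delivery timestamps where readpst preserves them.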

Processing Windows Registry hives
regviewer --- stable
chntpw, regedit, kregedit --- unstable

An up-and-coming forensic tool
FLAG is a very ambitious forensics utility originally created by the Australian Department of Defence. PyFLAG is a complete rewrite of FLAG in the Python programming language. It has a MySQL database back end, reconstructs TCP streams from imported packet-capture files, and imports arbitrary log files.

Conclusion
The current tools will continue to develop, and new tools will emerge. As Linux continues to grow and mature as an operating system, public demand for interoperability will grow with it.