Preserving Evidence
● Number one priority
● Must also find incriminating evidence
● Must search the contents of the hard drive
● Cannot change the hard drive

Procedure
● Retrieve the hard drive from the evidence locker and update the chain of custody record.
● Calculate the MD5 hash of the drive.
● “Image the hard drive.”
● Validate that the MD5 hash of the image is the same as the MD5 hash of the drive.
● Make a copy of the “image”.
● Store the actual hard drive together with the original “image” in the evidence locker.
● Remember to update the chain of custody record.

Procedure (cont’d)
● Use the copy of the hard drive image to perform your forensic analysis.
● You can always go back to the original image.
● Or, if necessary, you can go back to the hard drive and validate the MD5 hash.
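The two Procedure slides carried out end to end, as an added example that is not from the slides or from any tool they mention: copy the drive byte for byte the way dd does, hash the drive and the image, take a working copy for analysis, and log each step to a chain-of-custody record. The "drive" is a constructed random file in a temporary directory standing in for a device behind a write blocker, and the log line format is an assumption of this example.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so a multi-GB drive is never held in RAM at once

def md5_file(path):
    """MD5 of a file or block device, read in chunks; returns the hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def image_device(src, img):
    """Byte-for-byte copy of src to img (what `dd if=src of=img` does); returns the source MD5."""
    h = hashlib.md5()
    with open(src, "rb") as fin, open(img, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            fout.write(chunk)
    return h.hexdigest()

def custody_entry(log, action, path, digest, ok):
    # Append one line to the chain-of-custody record (line format is this example's own)
    with open(log, "a") as f:
        f.write(f"{datetime.now(timezone.utc).isoformat()} {action} {path} md5={digest} {'OK' if ok else 'MISMATCH'}\n")

def acquire_and_verify(src, workdir):
    """Procedure slides: image, verify image vs drive, copy, verify copy; returns the hashes."""
    img, work = os.path.join(workdir, "original.dd"), os.path.join(workdir, "working_copy.dd")
    log = os.path.join(workdir, "chain_of_custody.log")
    src_md5 = image_device(src, img)
    img_md5 = md5_file(img)  # re-read from disk: an independent check of what was written
    custody_entry(log, "imaged", img, img_md5, img_md5 == src_md5)
    shutil.copyfile(img, work)  # analysis happens on this copy, never on the original
    work_md5 = md5_file(work)
    custody_entry(log, "copied", work, work_md5, work_md5 == src_md5)
    return {"source": src_md5, "image": img_md5, "copy": work_md5}

def demo():
    """Run it on a constructed stand-in drive, then flip one bit in the working copy."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "constructed_drive.bin")
    with open(drive, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 511))  # odd length: not a multiple of CHUNK
    hashes = acquire_and_verify(drive, workdir)
    work = os.path.join(workdir, "working_copy.dd")
    with open(work, "r+b") as f:  # one flipped bit is enough to break the MD5 match
        f.seek(1234); b = f.read(1)
        f.seek(1234); f.write(bytes([b[0] ^ 1]))
    return {"hashes": hashes, "after_change_ok": md5_file(work) == hashes["source"]}
```

The flipped bit at the end shows why the procedure re-hashes the working copy: any accidental write during analysis turns up as a mismatch against the drive's original hash, and the untouched original image is what you go back to.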

Disk Image
● A disk image is an exact copy of everything on the disk.
● Not merely a copy of all the files.
● It is an exact copy – all mistakes, errors, erasures, dates, times, etc.
● You can prove that it is an exact copy.

Disk Image
● Forensic software does it.
● HW can assist.
● Software can do it.

Technique must be Validated
● NIST – www.ncjrs.org
● Unix command dd
● EnCase
● SafeBack
● etc.

Cautions
● The hard drive cannot be accessed.
● The hard drive cannot be altered.
● The hard drive is sacred.
● If you mess with it you are gone!!!
● Blame always falls somewhere.
● What to do?

Technology to the Rescue
● HW – write blockers
● SW – write blockers

Write Blocker
● Write blockers prevent writing to the medium.
● The medium can be read but not written to.
● The modify, access and create dates cannot be changed.
● The contents cannot be modified.

Example
● Floppies – the write-protect tab.

HW Write Blocker
● Paraben
● Accommodates a number of hard drives
● Comes with cables
● Forensically certified
● Standard with law enforcement
● Necessary for on-site image acquisition

SW Imaging
● Unix – dd if=??? of=???
  ● NIST certifies that it does not corrupt the original.
  ● The original and the image are identical.
● EnCase
  ● Has an imaging function.
● WinHex
  ● Create Disk Image...
  ● Verifiable exact copy.

Week 4 Lab
1. Using WinHex, image your floppy. Describe the procedure in your lab report.
2. Validate that the copy is exact using MD5 hash signatures. Show this in your lab report.
3. Using the image you made, describe some of the contents of the floppy – floppy image.
4. the floppy image to yourself so you can use it at home.

Select Start Center

Click open disk

Click OK

Calculate MD5 Hash

Select Raw image
Select a filename and path
Remember where you put the image.
Calculate the MD5 hash
Click OK

Hash of the Image Is it the same as the floppy disk?

Open raw image file

Find the image file

Open the image file
Calculate the MD5 hash of the file. Is it the same?

MD5 Hash of image file

Explore the floppy image. What files are there?

Week 5 Lab
1. Create a case folder on your F_Drive.
2. Using WinHex, image your floppy. Save the image in your case folder. Describe the procedure in your lab report.
3. Validate that the copy is exact using MD5 hash signatures. Show this in your lab report.
4. Using the image you made, describe some of the contents of the floppy – floppy image.
5. Recover an image and save it in your case folder.
6. Keep all of your homework in your case folder.