
1 Computer Forensic Tools

2 Computer Forensics: A Brief Overview
Scientific process of preserving, identifying, extracting, documenting, and interpreting data on computers.
The field of computer forensics began to evolve more than 30 years ago in the United States. With the growth of the Internet and the increasing number of technology devices connected to it, computer crimes are increasing at a great speed.

3 Computer Crimes
Computer crimes
– Pure computer crime
   – Illegal access to a system or network
   – Illegal transmission of data
   – Data deletion, damage, alteration
   – Serious hindrance to a computer
– Computer is the medium of a crime
   – Identity theft
   – Fraud
   – E-theft
– Computer content related crime
   – Incriminating information stored in a computer
   – Child pornography
   – Information that unleashes hostility/violence

4 Tools for Computer Forensics
Computer forensic tools
– Integrated GUI based tools
– Specialized single task tools
   – Process information
   – Network connection information
   – List of processes
   – Process to port mapping
   – Service/driver information
   – Registry analysis
   – Executable file analysis

5 Integrated GUI Based Tools
Advantages:
– More effective for analyzing content related crime
– Useful for searching storage devices, retrieving deleted files and folders, and reconstructing graphic files
Disadvantages:
– Very expensive
– Very complex in design, uses up a lot of resources
– Requires trained professionals to use the tools

6 Specialized Single Task Tools
Advantages:
– More effective for investigating malware attacks, intrusions etc.
– Useful for live response and live analysis
– Simple in design, most tools can be used from the command line
– Inexpensive, easy to learn and use
– Very effective for pedagogical purposes
– Can be modified/customized

7 Specialized Single Task Tools
Disadvantage:
– Has compatibility issues with different versions of operating systems

8 Windows Forensic Analysis
Windows Forensic Analysis by Harlan Carvey
– Teaches simple but effective analysis techniques for investigating malware attacks
– Provides CLI based tools for complete analysis of Windows operating systems

9 Compatibility Issues with Newer Windows Operating Systems
About 50% of the tools are not compatible with Windows XP and Vista.

Tool | Windows XP | Vista | Windows 7 | Description | Comment
Bonus\poladt.exe | Yes | No | | Parse the raw Security file and display the audit policy |
Bonus\srv_sort.exe | Yes | No | | Retrieve Service key info from a raw Registry/System file, sorting the output based on LastWrite time; automatically determines which of the available ControlSets is marked "current" |
ch3\code\lspd.exe | Yes | No | | Parse process details from a Windows 2000 physical memory/RAM dump |
ch3\code\lspi.exe | Yes | No | | Parse a process image from a Windows 2000 physical memory/RAM dump |
ch3\code\lspm.exe | Yes | No | | Dump the memory pages used by a process from a Windows 2000 physical memory/RAM dump |
ch3\code\lsproc.exe | Yes | No | | Parse a Windows 2000 physical memory/RAM dump, looking for processes |
ch4\code\pref_ver.exe | Yes | No | | Perl script to parse the contents of the XP layout.ini file, locate executables (.exe, .dll, .sys) and extract any file version information |
ch4\code\sr.exe | Yes | No | | Use WMI to get Restore Point settings from XP (local or remote) |
ch4\code\old\bho.exe | Yes | No | | Retrieve a listing of installed BHOs from a local system |
ch4\code\old\pnu.exe | Yes | No | | List the contents of one of the UserAssist\GUID\Count keys, sorted by most recent time |
ch4\code\old\regp.exe | Yes | No | | Raw Windows Registry files (ntuser.dat, system32\config\system, system32\config\software) from NT/2K/XP/2K3 systems |
ch4\code\old\sam_parse.exe | Yes | No | | Retrieve user information from a raw Registry/SAM file |
ch4\code\jt\regslack.exe | Yes | No | | | No DOS
ch4\code\RegRipper\rip.exe | Yes | No | | Run a plugins file or a single plugin against a Registry hive file |
ch4\code\RegRipper\rr.exe | Yes | No | | Parse a Registry hive file for data pertinent to an investigation | No plugins
ch5\code\lscl.exe | Yes | No | | Read/parse Restore Point change logs for data |
ch5\code\pdfdmp.exe | Yes | No | | Attempt to extract metadata from PDF files |
ch5\code\pdfmeta.exe | Yes | No | | Attempt to extract metadata from PDF files |
ch5\code\sr.exe | Yes | No | | |
ch5\code\EVT\evt2xls.exe | Yes | No | | Parse Windows 2000, XP, 2003 Event Log files in binary format, putting the event records into an Excel spreadsheet; can also generate a report showing event source/ID frequencies (for the Security Event Log, the logon type is added to the event ID), suitable for entry into eventid.net |
ch5\code\EVT\evtrpt.exe | Yes | No | | Translate the binary contents of Windows 2000, XP, and 2003 Event Logs, and generate a report of event ID frequencies and date ranges of the records |
ch5\code\EVT\evtstats.exe | Yes | No | | Parse the contents of Event Log files and display statistics |
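The Event Log tools in the table (evt2xls, evtrpt, evtstats) all work by reading the binary EVENTLOGRECORD structures in a Windows 2000/XP/2003 .evt file and summarizing them. The following is an added example, not code from the presentation or from Carvey's toolset: it carves records by their "LfLe" magic from a constructed sample log, validates each record against its closing Length field, and produces the event ID frequency and date range an evtrpt-style report contains. The field layout is the documented EVENTLOGRECORD structure; the sample records, event IDs and timestamps are constructed.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# Each record in a Windows 2000/XP/2003 .evt file is an EVENTLOGRECORD: a 56-byte fixed header whose
# Reserved field is the magic "LfLe", then SourceName/Computername (UTF-16), SID, strings, data, padding, closing Length.
MAGIC = b"LfLe"
HEADER = struct.Struct("<IIIIIIHHHHIIIIII")  # the 16 fixed header fields, 56 bytes

def build_record(number, time_generated, event_id, event_type, source="Security", computer="WS01"):
    """Construct a minimal EVENTLOGRECORD (sample data only, not from a real system)."""
    tail = source.encode("utf-16-le") + b"\0\0" + computer.encode("utf-16-le") + b"\0\0"
    length = HEADER.size + len(tail) + 4      # header + variable part + closing Length
    length += (-length) % 8                   # records are padded to 8-byte alignment
    off = HEADER.size + len(tail)             # no SID/strings/data, so all offsets point at the end
    hdr = HEADER.pack(length, 0x654C664C, number, time_generated, time_generated,
                      event_id, event_type, 0, 0, 0, 0, off, 0, off, 0, off)
    return hdr + tail + b"\0" * (length - len(hdr) - len(tail) - 4) + struct.pack("<I", length)

def parse_evt(data):
    """Carve EVENTLOGRECORDs by magic, so damaged or partly overwritten logs still yield records."""
    records, pos = [], data.find(MAGIC, 4)
    while pos != -1 and pos - 4 + HEADER.size <= len(data):
        start = pos - 4
        f = HEADER.unpack_from(data, start)
        length, end = f[0], start + f[0]
        # Accept a record only if its size is sane and the closing Length matches the header
        if HEADER.size + 4 <= length <= len(data) - start and \
                struct.unpack_from("<I", data, end - 4)[0] == length:
            records.append({"record_number": f[2],
                            "time_generated": datetime.fromtimestamp(f[3], tz=timezone.utc),
                            "event_id": f[5] & 0xFFFF,    # low word is the ID Event Viewer shows
                            "event_type": f[6]})           # 8 = audit success, 16 = audit failure
            pos = data.find(MAGIC, end)
        else:
            pos = data.find(MAGIC, pos + 1)
    return records

def event_id_report(records):
    """Event ID frequencies and the date range covered, the core of an evtrpt-style report."""
    freq = Counter(r["event_id"] for r in records)
    times = [r["time_generated"] for r in records]
    return dict(freq), ((min(times), max(times)) if times else None)

# Constructed sample log: 48 zero bytes standing in for the file header, four records, and a
# stray "LfLe" inside garbage that the closing-Length check must reject.
T0 = 1230768000  # 2009-01-01 00:00:00 UTC
SAMPLE_LOG = (b"\0" * 48 + build_record(1, T0, 528, 8) + build_record(2, T0 + 3600, 528, 8)
              + b"\xff" * 8 + MAGIC + b"\xff" * 20
              + build_record(3, T0 + 7200, 529, 16) + build_record(4, T0 + 10800, 528, 8))
```

Calling `event_id_report(parse_evt(SAMPLE_LOG))` yields `{528: 3, 529: 1}` and a range from 2009-01-01 00:00 to 03:00 UTC; the stray magic is skipped because its bogus Length fails validation, which is the same reason carving tools can be run over unallocated space or partial log fragments.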

10 Compatibility Issues with Windows Forensic Tools
(Same table as slide 9.)

