
1 Real Forensics The hard way

2 Data Recovery What data/evidence can you retrieve from a hard drive? Usually dd is good enough. Sometimes real help is needed.

3 Real Help Hard drive recovered from the Columbia shuttle accident (February 1, 2003), 400 Mbyte. http://www.sciam.com/article.cfm?id=hard-drive-recovered-from-columbia 99% of the data from a xenon shear-thinning experiment was recovered.

4 Hard Drive Mounted on Plate

5 HDD Internals

6 Ontrack Data Recovery Probably: –Removed the platters and cleaned them –Rebuilt the spindle assembly –Mounted them in a new case –Exercised them in a clean room

7 Hard Drive Architecture


9 HDD Capacity (chart; only the axis ticks "10,000" and "2015" survive)

10 MRU Lists Most Recently Used Lists

11 Best Known HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs An MRU list exists for almost every application; the app uses it to list the documents you last accessed from that app.

12 PowerPoint

13 Which was the last one? (screenshot of two RecentDocs entries, labelled First and Second)

14 RunMRU Programs most recently run from the Run command (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU): cmd, regedit, msconfig

15 Typed URLs HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
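The following Python is an added example for slides 11 through 15 (it is not code from the slides): it orders RecentDocs, RunMRU and TypedURLs entries by recency, which is what "which was the last one?" asks. The three sample dictionaries are constructed, not captured from a real machine, so the script runs offline; read_hkcu_values() reads the corresponding live key on a Windows host. The same MRUList handling applies to the lettered OpenSaveMRU subkeys under ComDlg32 on XP.

```python
"""Order Windows MRU artifacts by recency (example added to these notes;
it is not code from the original slides).

Three value layouts are handled. Each comes with a constructed sample so
the script runs offline; read_hkcu_values() reads the live key on Windows.

  * MRUListEx (Explorer\\RecentDocs and its per-extension subkeys):
    REG_BINARY list of little-endian DWORD indexes, most recent first,
    terminated by 0xFFFFFFFF. Each indexed value begins with the
    NUL-terminated UTF-16LE file name, followed by a shell item.
  * MRUList (Explorer\\RunMRU, and ComDlg32\\OpenSaveMRU on XP): REG_SZ
    string of letters, most recent first; RunMRU entries end in "\\1".
  * TypedURLs: values url1, url2, ...; url1 is the most recently typed.
"""
import struct


def parse_mrulistex(blob: bytes) -> list[int]:
    """Return the MRUListEx indexes in order, most recent first."""
    order = []
    usable = blob[: len(blob) // 4 * 4]          # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:                    # list terminator
            break
        order.append(idx)
    return order


def leading_utf16_string(data: bytes) -> str:
    """Decode the NUL-terminated UTF-16LE string at the start of a value."""
    end = 0
    while end + 1 < len(data) and not (data[end] == 0 and data[end + 1] == 0):
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def ordered_recentdocs(values: dict[str, bytes]) -> list[str]:
    """File names from a RecentDocs-style key, most recent first."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        data = values.get(str(idx))
        if data is not None:                     # tolerate a dangling index
            names.append(leading_utf16_string(data))
    return names


def ordered_mrulist(values: dict[str, str]) -> list[str]:
    """Entries of a lettered MRUList key, most recent first."""
    return [values[c] for c in values["MRUList"] if c in values]


def ordered_runmru(values: dict[str, str]) -> list[str]:
    """RunMRU commands, most recent first, with the trailing '\\1' removed."""
    return [e.rsplit("\\", 1)[0] if e.endswith("\\1") else e
            for e in ordered_mrulist(values)]


def ordered_typedurls(values: dict[str, str]) -> list[str]:
    """TypedURLs, most recent first (url1, url2, ...)."""
    names = [k for k in values if k.startswith("url") and k[3:].isdigit()]
    return [values[k] for k in sorted(names, key=lambda k: int(k[3:]))]


def read_hkcu_values(subkey: str) -> dict:
    """Read every value under an HKEY_CURRENT_USER subkey on a live Windows host."""
    import winreg                                # Windows-only standard module
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        i = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, i)
            except OSError:                      # no more values
                break
            values[name] = data
            i += 1
    return values


def _u16z(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed samples (not captured from a real system).
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _u16z("First.pptx") + b"\x14\x00shell-item-stub",
    "1": _u16z("notes.txt") + b"\x14\x00shell-item-stub",
    "2": _u16z("Second.pptx") + b"\x14\x00shell-item-stub",
}
SAMPLE_RUNMRU = {"MRUList": "cab", "a": "cmd\\1", "b": "regedit\\1",
                 "c": "msconfig\\1"}
SAMPLE_TYPEDURLS = {"url2": "http://www.sciam.com/", "url1": "http://intranet/",
                    "url3": "http://www.microsoft.com/"}

if __name__ == "__main__":
    print("RecentDocs:", ordered_recentdocs(SAMPLE_RECENTDOCS))
    print("RunMRU:    ", ordered_runmru(SAMPLE_RUNMRU))
    print("TypedURLs: ", ordered_typedurls(SAMPLE_TYPEDURLS))
```

On a live system, pass read_hkcu_values(r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs") to ordered_recentdocs(); the per-extension subkeys (for example RecentDocs\.pptx) use the same MRUListEx layout, so the same function answers "which .pptx was last" for one application.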

16 Opened and Saved MRUs Chronological list of files opened/saved through the common Open/Save dialog

17 Opened and Saved MRUs Tracked per file extension (one subkey per extension)

18 .exe’s

19 Apps Associated with a File Extension

20 ComDlg32 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

21 Search Assistant HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru Subkeys are for different search approaches: 5001 – Internet Search Assistant 5603 – XP file search 5604 – “word or phrase in a file”

22 System Restore Points Restore the system to a previous state. Restore Points are built in the background: –Triggered by installation of apps/drivers (unsigned) –Done once a day by default

23 What gets restored Registry, local profiles, COM+ database, WFP DLL cache, WMI database, IIS database

24 What doesn’t get restored DRM, WPA settings, SAM hive, user-created data stored in the user profile, contents of redirected folders

25 System Restore Configuration HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore RPGlobalInterval: interval between automatic Restore Points, in seconds (default 86400 = 1 day) RPLifeInterval: retention of Restore Points, in seconds (default 7776000 = 90 days)

26 Lab 6.1 Determine MRUs: –Typed URLs –Recent files opened/viewed by app »Order viewed –Latest searches –What apps were recently run from cmd.exe

