Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensic analysis of Windows hosts using UNIX-based tools Source : Digital Investigation (2004) 1, 197-212 Writer : Cory Altheide Reporter : Yao Professor.

Published byJemima Thompson Modified over 9 years ago

Similar presentations

Presentation on theme: "Forensic analysis of Windows hosts using UNIX-based tools Source : Digital Investigation (2004) 1, 197-212 Writer : Cory Altheide Reporter : Yao Professor."— Presentation transcript:

1 Forensic analysis of Windows hosts using UNIX-based tools Source : Digital Investigation (2004) 1, 197-212 Writer : Cory Altheide Reporter : Yao Professor : Shiuh-Jeng, Wang

2 Tools SMART for Linux ( ARSData company ) --- a commercial software Autopsy ( by Brain Carrier ) --- a free, open source software

3 Properties of the SMART for Linux Support for several image compression format. The ability to recover deleted files. The ability to mount split image files. Support for NTFS and FAT file format.

4 Properties of the Autopsy A web-based wrapper for the Sleuthkit. A modular, extensible design which allows for easy end-user extension, and reduces the likelihood of encountering a single point of failure. Support for NTFS and FAT file format.

5 Deleted file recovery Both tools perform recovery of deleted files on FAT and NTFS systems, however, Autopsy’s NTFS recovery is somewhat rudimentary compared to SMART’s. When compared to recovering deleted files from a FAT file system, recovery on NTFS file systems seems almost trivial.

6 Unallocated space Both tools allow for the extration of unallocated space to some degree, although the extraction performed by SMART is far more granular and customizable. “foremost” is a very good tool for performing file carving against recovered unallocated or otherwise unstructured space.

7 Keyword searching SMART --- simple term search --- Unicode term search Autopsy --- lack of Unicode support

8 Window file examination Trojan Defense --- use Clam Antivirus and F-prot to scan mounted volume for known malicious code.

9 Pasco, Galleta, and Rifiuti Rifiuti parses INFO2 files from the Recycle Bin. --- INFO2 file is an index of the former metadata Galleta parses Internet Explorer cookies. --- a plain text file Pasco parses Internet Explorer history files. --- an index.dat file stores data about a user’s web surfing history

10 Email files LibPST is a library for parsing Outlook PST files. Readpst read PST input and produces a number of specifiable output format. ( by default, is the mbox format ) LibDBX parses Outlook Express DBX files. Readoe produces valid mbox files.

11 Processing Windows Registry hives Regviewer --- stable Chntpw Regedit Kregedit --- unstable

12 An up-and coming forensic tool FLAG is a very ambitious forensics utility originally created by the Australian Department od Defense. PyFLAG is a complete rewrite of FLAG using the Python programming language. Equipped with the MySQL database backend, reconstruction of TCP streams from imported capture files, importation of arbitrary log files.

13 Conclusion The current tools will continue to develop, and new tools will emerge. As Linux continues to grow and mature as an operating system, the public demand for interoperability will grow along with it.

Download ppt "Forensic analysis of Windows hosts using UNIX-based tools Source : Digital Investigation (2004) 1, 197-212 Writer : Cory Altheide Reporter : Yao Professor."

Similar presentations

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)
DOCUMENT TYPES. Digital Documents Converting documents to an electronic format will preserve those documents, but how would such a process be organized?

DOCUMENT TYPES. Digital Documents Converting documents to an electronic format will preserve those documents, but how would such a process be organized?
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall
CAPTURE SOFTWARE Please take a few moments to review the following slides. Please take a few moments to review the following slides. The filing of documents.

CAPTURE SOFTWARE Please take a few moments to review the following slides. Please take a few moments to review the following slides. The filing of documents.
OPEN SOURCE TOOLS Dr. Abraham Professor UTPA. Open Source Freely redistributable Provides access to source code End user may modify source code.

OPEN SOURCE TOOLS Dr. Abraham Professor UTPA. Open Source Freely redistributable Provides access to source code End user may modify source code.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 Investigating.

Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA Investigating.
Internet Artifacts Dr. John Abraham Professor UTPA.

Internet Artifacts Dr. John Abraham Professor UTPA.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Computer & Network Forensics

Computer & Network Forensics
X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.

X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.
Technology for Computer Forensics by Alicia Castro.

Technology for Computer Forensics by Alicia Castro.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Presented by Mina Haratiannezhadi 1.  publishing, editing and modifying content  maintenance  central interface  manage workflows 2.

Presented by Mina Haratiannezhadi 1.  publishing, editing and modifying content  maintenance  central interface  manage workflows 2.
Chapter 11 Basic Windows and Windows Commands. Overview of what an Operating System does To identify and use common desktop and home screen icons To manipulate.

Chapter 11 Basic Windows and Windows Commands. Overview of what an Operating System does To identify and use common desktop and home screen icons To manipulate.
Encase Overview. What is Encase EnCase Forensic is the industry standard in computer forensic investigation technology. Encase is a single tool, capable.

Encase Overview. What is Encase EnCase Forensic is the industry standard in computer forensic investigation technology. Encase is a single tool, capable.
Advance evidence collection and analysis of web browser activity by Junhoon Oh David Rivera 11/7/2013 Digital Forensics.

Advance evidence collection and analysis of web browser activity by Junhoon Oh David Rivera 11/7/2013 Digital Forensics.

Similar presentations

Ads by Google