Forensics3

  1. Forensics3: Capturing Computer Evidence, Extracting Information

  2. If the system is off
  • Do not boot the system, because doing so may change the evidence
  • Remove the hard disk
  • Turn on the computer (without the disk) to view the BIOS settings
  • System date and time: compare them to the current values
  • Memory configuration
  • Boot order

  3. Live system: capture the most volatile data first
  • Registers, cache
  • Routing table, Address Resolution Protocol cache, kernel statistics
  • RAM memory
  • Temporary file systems
  • Disk
  • Remote logging
  • Physical configuration, network topology
  • Archival media

  4. Live system
  • Create a CD with your forensic software on it
  • Insert a USB flash drive as E:
  • Insert the CD-ROM with your forensic software into the CD-ROM drive
  • In a command window run the following:
  • D:
  • Date >E:\date.txt
  • Time >E:\time.txt
  • Arp -a >E:\arp.txt
  • Netstat -a >E:\netstat.txt
  • Tracert <ab.com> >E:\routeto_ab.txt
  • Psservice >E:\psservice.txt
  • Shut down the system and remove the hard disk

  5. Live system
  • Do not use the system to search files for evidence
  • Accessing a file changes the last access date for that file on the hard drive
  • It is important to preserve the evidence in its original state

  6. Make a forensic copy of the hard drive
  • Connect the hard drive to the analysis computer using a hardware write blocker
  • Find the hash function value for the drive
  • Use a disk wipe program (such as DBAN) to initialize the media used for the forensic copy before use
  • Use forensic software to create a bit-level copy (image) to a wiped disk
  • Verify that the copy has the same hash function value
  • Use the copy in read-only mode to gather evidence
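The hash, copy, re-hash sequence in slide 6, as an added example that is not part of the original slides or of any named forensic tool. It streams the source in chunks so that a multi-gigabyte drive never has to fit in RAM; the `demo()` function builds a constructed 3 MiB pseudo-drive in a temporary directory, and the file paths are assumptions (on a real case the source would be a raw device behind a hardware write blocker).

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per read so large images stream instead of loading into memory


def hash_file(path, algorithm="sha256"):
    """Stream a file (or a raw device node) through a hash and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def bit_copy(src, dst):
    """Copy src to dst byte for byte; returns the number of bytes written."""
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            fout.write(chunk)
            copied += len(chunk)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image is on stable storage before hashing it
    return copied


def image_and_verify(src, dst):
    """Hash the source, create the image, hash the image; return a record for the case notes."""
    before = hash_file(src)
    size = bit_copy(src, dst)
    after = hash_file(dst)
    return {"source_hash": before, "image_hash": after,
            "bytes": size, "verified": before == after}


def demo():
    """Constructed sample: a 3 MiB pseudo-drive of deterministic bytes (hypothetical paths)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "suspect_drive.bin")
    dst = os.path.join(workdir, "suspect_drive.img")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * (3 * 1024 * 1024 // 256))
    return image_and_verify(src, dst)


if __name__ == "__main__":
    print(demo())
```

If `verified` is False the image must not be used; a second hash of the source shows whether the source itself changed (a write blocker was missing) or the copy medium is at fault.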

  7. Looking for evidence
  • Connect the disk image to a forensic computer in read-only mode
  • Examine the following:
  • Cache of temporary internet files
  • Browser history files
  • Browser cookies
  • Files in strange places
  • Files with strange names
  • Recently modified files
  • Activity logs
  • Email headers

  8. More places to look
  • Recycle Bin
  • Deleted files
  • Hidden files
  • Slack space
  • Encrypted files
  • Steganography
  • Swap space
  • Hibernation files
  • Hidden disk partitions

  9. Slack Space
