COEN 252 Computer Forensics - PowerPoint PPT Presentation
PowerPoint Slideshow about 'COEN 252 Computer Forensics' - garson
Presentation Transcript
COEN 252 Computer Forensics

Windows Evidence Acquisition Boot Disk

Windows Evidence Acquisition Boot Disk
  • Use a boot disk to
    • Copy evidence from the hard drive.
      • But there are usually better ways.
    • To preview a system to discover whether an incident has occurred.
    • To use a string search to see whether the computer contains evidence.
Windows Evidence Acquisition Boot Disk
  • The Windows boot disk should prevent files on the evidence drive from being altered.
  • Change the following so that they do not access system components on the evidence drive:
    • command.com
    • io.sys

Windows Evidence Acquisition Boot Disk
  • Delete the drvspace.bin file because it attempts to open compressed volumes.
  • Add the drivers the boot disk needs to collect the evidence (Ethernet connection, Zip drive, etc.).
  • Windows boot disks cannot access NTFS drives directly.
Windows Evidence Acquisition Boot Disk
  • Alternatively, use a Linux boot disk.
    • Forensic and Incident Response Environment (FIRE)
    • Helix (knoppix)
    • Knoppix STD
    • Local Area Security Linux
    • Penguin Sleuth Kit (knoppix)
    • Plan-B
    • Snarl (FreeBSD)
Evidence Gathering
  • Write protect the evidence hard drive with software.
    • By intercepting INT 13h accesses to the disk.
  • Write protect the evidence hard drive with hardware.
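The software write-blocker on the previous slide is a DOS resident program that hooks the INT 13h vector, chains reads to the BIOS and fails writes. The following is an added example, not code from the course: a host-side C simulation of that filter, with the BIOS vector stubbed (constructed) so the decision logic can be run anywhere; the drive number 80h for the evidence disk and the status code 03h are the standard BIOS values.

```c
#include <stdint.h>
#include <stdio.h>

#define BIOS_ERR_WRITE_PROTECT 0x03 /* INT 13h status: medium write protected */
#define FIRST_HARD_DISK 0x80        /* BIOS drive number of the evidence disk */

/* Subset of the real-mode registers an INT 13h handler inspects. */
struct regs { uint8_t ah, dl; int cf; };

/* Blocker state: which drive is protected, plus counters for a log. */
struct blocker { uint8_t protected_drive; unsigned blocked, passed; };

/* Constructed stand-in for the original BIOS vector: every call succeeds. */
static void bios_int13(struct regs *r) { r->cf = 0; r->ah = 0; }

/* INT 13h services that modify the medium. Everything else is chained. */
static int is_write_service(uint8_t ah) {
    switch (ah) {
    case 0x03:            /* write sectors (CHS) */
    case 0x05:            /* format track */
    case 0x06: case 0x07: /* format track / drive (fixed disk) */
    case 0x0B:            /* write long */
    case 0x43:            /* extended write (LBA) */
        return 1;
    default:
        return 0;
    }
}

/* Hooked handler: a write aimed at the evidence drive is failed with CF=1
 * and AH=03h, exactly as the BIOS reports a write-protected medium, so DOS
 * and the imaging tool see an ordinary error rather than a silent change.
 * Returns 1 when the request was passed to the BIOS, 0 when blocked. */
static int blocker_int13(struct blocker *b, struct regs *r) {
    if (is_write_service(r->ah) && r->dl == b->protected_drive) {
        r->cf = 1;
        r->ah = BIOS_ERR_WRITE_PROTECT;
        b->blocked++;
        return 0;
    }
    bios_int13(r);
    b->passed++;
    return 1;
}

int main(void) {
    struct blocker b = { FIRST_HARD_DISK, 0, 0 };
    struct regs rd = { 0x02, FIRST_HARD_DISK, 0 }; /* read from evidence disk */
    struct regs wr = { 0x03, FIRST_HARD_DISK, 0 }; /* write to evidence disk */
    struct regs fl = { 0x03, 0x00, 0 };            /* write to the boot floppy */
    printf("read evidence  -> %s\n", blocker_int13(&b, &rd) ? "passed" : "blocked");
    printf("write evidence -> %s (AH=%02Xh)\n", blocker_int13(&b, &wr) ? "passed" : "blocked", wr.ah);
    printf("write floppy   -> %s\n", blocker_int13(&b, &fl) ? "passed" : "blocked");
    printf("blocked=%u passed=%u\n", b.blocked, b.passed);
    return 0;
}
```

Writes to the floppy the boot disk runs from are still allowed, which is why the filter keys on the drive number and not only on the service number.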
Tools for Live Examination
  • Avoid using system tools on the evidence machine.
    • This can get you into DLL hell.
  • Use Filemon to check which files are being accessed when you run a command from your forensic CD.