COEN 252 Computer Forensics
Presentation Transcript

  1. COEN 252 Computer Forensics: Windows Evidence Acquisition Boot Disk

  2. Windows Evidence Acquisition Boot Disk
  • Use a boot disk to:
    • Copy evidence from the hard drive (but there are usually better ways).
    • Preview a system to discover whether an incident has occurred.
    • Run a string search to see whether the computer contains evidence.

  3. Windows Evidence Acquisition Boot Disk
  • A Windows boot disk should prevent files from being altered.
  • Modify command.com and io.sys to prevent the boot process from accessing system components.

  4. Windows Evidence Acquisition Boot Disk
  • Delete the drvspace.bin file, because it attempts to open compressed volumes.
  • Add the drivers the boot disk needs to collect the evidence (Ethernet connection, Zip drive, etc.).
  • Windows boot disks cannot access NTFS drives directly.

  5. Windows Evidence Acquisition Boot Disk
  • Alternatively, use a Linux boot disk:
    • Forensic and Incident Response Environment (FIRE)
    • Helix (Knoppix-based)
    • Knoppix STD
    • Local Area Security Linux
    • Penguin Sleuth Kit (Knoppix-based)
    • Plan-B
    • Snarl (FreeBSD-based)

  6. Evidence Gathering
  • Write-protect the evidence hard drive with software, by intercepting INT 13h accesses to the disk.
  • Write-protect the evidence hard drive with hardware.
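To make the INT 13h interception on slide 6 concrete, here is an added example that is not from the slides: a Python model of a software write blocker sitting in the INT 13h chain. Reads pass through untouched, write and format calls aimed at the evidence drive are swallowed and reported as successful, and a hash of the simulated image confirms it stayed unchanged. The AH function numbers are the standard BIOS ones; `SimDisk`, its contents and the drive numbers are constructed for the simulation.

```python
import hashlib

# INT 13h (BIOS disk services) function numbers carried in AH. These are the
# standard BIOS numbers; the drive contents below are constructed test data.
WRITE_FUNCS = {0x03, 0x05, 0x06, 0x07, 0x0B, 0x43}  # write, format track/drive, write long, extended write
READ_FUNCS = {0x02, 0x42}                            # read sectors, extended read
EVIDENCE_DRIVE = 0x80                                # first fixed disk (DL register)

class SimDisk:
    """Toy disk set (constructed): drive number -> {sector number: 512-byte payload}."""
    def __init__(self, drives):
        self.drives = {d: dict(s) for d, s in drives.items()}
    def read(self, drive, sector):
        return self.drives[drive].get(sector, bytes(512))
    def write(self, drive, sector, data):
        self.drives[drive][sector] = data if data is not None else bytes(512)
    def image_hash(self, drive):
        h = hashlib.sha256()
        for n, payload in sorted(self.drives[drive].items()):
            h.update(n.to_bytes(4, "little") + payload)
        return h.hexdigest()

def int13_filter(disk, ah, dl, sector=0, data=None, log=None):
    """Hooked INT 13h handler. Returns (carry_flag, data); CF=0 means success."""
    if ah in WRITE_FUNCS and dl == EVIDENCE_DRIVE:
        if log is not None:
            log.append(f"blocked AH={ah:02X}h DL={dl:02X}h sector={sector}")
        # Report success so the calling tool keeps running, but nothing reaches
        # the evidence disk. (Some blockers instead return CF=1, AH=03h "write protected".)
        return 0, None
    if ah in WRITE_FUNCS:       # writes to the collection drive pass through
        disk.write(dl, sector, data)
        return 0, None
    if ah in READ_FUNCS:        # reads are never modified
        return 0, disk.read(dl, sector)
    return 1, None              # function not modelled here: CF=1, error

def demo():
    """Replay a small request stream and check the evidence image is untouched."""
    disk = SimDisk({0x80: {0: b"\x55" * 512, 1: b"\x33" * 512}, 0x81: {}})
    before = disk.image_hash(EVIDENCE_DRIVE)
    log = []
    int13_filter(disk, 0x03, 0x80, 0, bytes(512), log)       # write attempt on evidence disk
    int13_filter(disk, 0x05, 0x80, 0, None, log)             # format attempt on evidence disk
    int13_filter(disk, 0x03, 0x81, 0, b"\xAA" * 512, log)    # write to collection drive: allowed
    cf, got = int13_filter(disk, 0x02, 0x80, 1, None, log)   # read from evidence disk still works
    return {
        "unchanged": disk.image_hash(EVIDENCE_DRIVE) == before,
        "read_ok": cf == 0 and got == b"\x33" * 512,
        "blocked": len(log),
        "collection_written": disk.read(0x81, 0) == b"\xAA" * 512,
    }
```

Such a blocker only covers accesses that go through the BIOS; a protected-mode driver that talks to the controller directly bypasses it, which is why the hardware option on the same slide exists.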

  7. Tools for Live Examination
  • Avoid using the system's own tools on the evidence machine; this can get you into DLL hell.
  • Use Filemon to check which files are accessed when you run a command from your forensic CD.