Intro to Cyber Crime and Computer Forensics CS 4273/6273 September 22, 2003 - PowerPoint PPT Presentation
Presentation Transcript
Intro to Cyber Crime and Computer Forensics CS 4273/6273 September 22, 2003

MISSISSIPPI STATE UNIVERSITY

DEPARTMENT OF COMPUTER SCIENCE


Introduction to the NTI Incident Response Suite


NTI Incident Response Suite

  • New Technologies, Inc.

    • Gresham, Oregon

    • Started by two former Secret Service Employees

      • Michael Anderson

      • Joseph Enders

  • Consists of approximately 20 tools


NTI Incident Response Suite

  • The tools: CRCMD5, DISKSIG, DOC, FILECNVT, FILELIST, FILTER_I, GETFREE, GETSLACK, GETSWAP, GETTIME, GEXTRACT, MAP, MSPRO, NTA, PTABLE, SCRUB, SEIZED, SPACES, TXTSRCHP, SAFEBACK


CRCMD5

  • Obviously creates a hash of a file or disk image.

  • CRC – Cyclic Redundancy Check

  • MD5 – I don’t remember what it stands for.

  • Hashes the file or image; if two hashes are the same, then statistically the two images have to be the same.

  • Command of the form:

    • CRCMD5 file1 … filen


DISKSIG

  • Runs a CRCMD5 on a set of one or more disks.

  • Command of the form:

    • Disksig {/b} c: …z:

    • /b switch includes boot sector.

      • Necessary for file systems with dynamic boot records like Windows.
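As an added illustration (not part of the original slides or of NTI's code), the check CRCMD5 and DISKSIG perform, in Python: hash an image, compare two images by their digests, and mimic the /b switch by optionally skipping the first boot sector. The CRC variant (CRC32), the 512-byte sector size and the sample images are assumptions constructed here.

```python
import hashlib
import zlib

SECTOR = 512  # assumed boot-sector size for the /b-style option


def crcmd5(data: bytes) -> tuple[str, str]:
    """Return (CRC32, MD5) hex digests of an in-memory file or image."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return f"{crc:08x}", hashlib.md5(data).hexdigest()


def crcmd5_file(path: str, chunk: int = 1 << 20) -> tuple[str, str]:
    """Same digests for a file on disk, read in chunks so large images fit in memory."""
    crc, md5 = 0, hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
            md5.update(block)
    return f"{crc & 0xFFFFFFFF:08x}", md5.hexdigest()


def disksig(image: bytes, include_boot: bool = True) -> tuple[str, str]:
    """Signature of a whole volume image; include_boot mirrors DISKSIG's /b switch.
    Without /b the boot sector is skipped, so a volume whose boot record is rewritten
    dynamically still yields a stable signature."""
    payload = image if include_boot else image[SECTOR:]
    return crcmd5(payload)


def same_image(a: bytes, b: bytes, include_boot: bool = True) -> bool:
    """Equal signatures mean, statistically, the same image."""
    return disksig(a, include_boot) == disksig(b, include_boot)


# Constructed sample images (not real evidence): four sectors of a fixed byte pattern.
ORIGINAL = bytes(range(256)) * 8
COPY = bytes(ORIGINAL)
TAMPERED = bytearray(ORIGINAL)
TAMPERED[1000] ^= 0xFF  # one data byte changed in sector 1
TAMPERED = bytes(TAMPERED)
BOOT_CHANGED = bytearray(ORIGINAL)
BOOT_CHANGED[100] ^= 0xFF  # one byte changed inside the boot sector only
BOOT_CHANGED = bytes(BOOT_CHANGED)

if __name__ == "__main__":
    print("copy matches:", same_image(ORIGINAL, COPY))
    print("tampered matches:", same_image(ORIGINAL, TAMPERED))
    print("boot-only change, with /b:", same_image(ORIGINAL, BOOT_CHANGED, True))
    print("boot-only change, without /b:", same_image(ORIGINAL, BOOT_CHANGED, False))
```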


DOC

  • Takes a snapshot of the directory.

  • Command of the form:

    • DOC c:\mydocu~1

  • Records creation time to the second.


FILECNVT

  • Converts the output of a FileList command to DBASEIII Format.

  • Command:

    • Filecnvt

    • It automatically detects any FILELIST output files and asks which you would like to convert.

    • Then it creates the DBASEIII file version.


FILELIST

  • Reads all files on the disk and records the listing in one or more output files.

  • Command of the form:

    • FILELIST [/m] [/l:xxx] Output-file drive: [drive:...]

      • If the "/m" option is specified, an MD5 digest will be performed on each file.

      • If the "/l:xxx" option is specified, the user can specify the size of the output file (default size is 2.1 GB).


FILTER_I

  • Filters out unreadable characters from the output of other tools.

  • Used as a “/f” switch on other commands.


GETFREE

  • Gets all of the free space on a disk and puts it in one or more files.

  • Command of the form:

    • Getfree {/f} drive1 … driven


GETSLACK

  • Gets all of the data in slack space on the disk and puts it in one or more files.

  • Command of the form:

    • Getslack {/f} drive1 … driven
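An added example (not from the slides or from NTI) of where the data GETFREE and GETSLACK collect comes from, on a constructed volume with an assumed 512-byte cluster and a simplified directory of (first cluster, size) entries: file slack is the tail of a file's last cluster past its logical end, free space is every cluster no live file owns, and both still hold residue of earlier data.

```python
CLUSTER = 512  # assumed allocation-unit (cluster) size of the constructed volume


def clusters_for(size: int) -> int:
    """Number of whole clusters a file of `size` bytes occupies."""
    return -(-size // CLUSTER)


def build_volume(n_clusters: int, directory: dict, residue: bytes) -> bytes:
    """Constructed volume: every byte starts as residue (data from earlier, deleted
    files), then each live file overwrites only the bytes it actually uses."""
    total = n_clusters * CLUSTER
    vol = bytearray((residue * (total // len(residue) + 1))[:total])
    for name, (start, size) in directory.items():
        off = start * CLUSTER
        vol[off:off + size] = name[0].encode() * size  # body: the file's initial, repeated
    return bytes(vol)


def get_slack(volume: bytes, directory: dict) -> dict:
    """File slack (what GETSLACK collects): bytes between a file's logical end
    and the end of its last allocated cluster, per file."""
    slack = {}
    for name, (start, size) in directory.items():
        end = start * CLUSTER + size
        alloc_end = (start + clusters_for(size)) * CLUSTER
        slack[name] = volume[end:alloc_end]
    return slack


def get_free(volume: bytes, directory: dict) -> bytes:
    """Free space (what GETFREE collects): every cluster no live file owns."""
    used = set()
    for start, size in directory.values():
        used.update(range(start, start + clusters_for(size)))
    return b"".join(volume[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in range(len(volume) // CLUSTER) if c not in used)


# Constructed directory: name -> (first cluster, size in bytes); files are contiguous.
DIRECTORY = {"report.txt": (0, 700), "notes.txt": (2, 512)}
VOLUME = build_volume(4, DIRECTORY, b"OLD-SECRET ")
```

report.txt fills cluster 0 and 188 bytes of cluster 1, so 324 bytes of residue survive as its slack; notes.txt ends exactly on a cluster boundary and has none; cluster 3 is free space.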


GETSWAP

  • Gets all of the information in swap space and puts it in one or more files.

  • Command of the form:

    • getswap


GETTIME

  • Records the time in CMOS

  • Used for validating time of seizure.

  • Should be run as soon as possible after seizure.


GEXTRACT

  • Extracts all graphic files from a disk.

  • Default is all JPG, GIF and BMP files

  • Command of the form:

    • GEXTRACT <testfile> <outputdir> [options]

    • The output directory must already exist. If you want to extract to the working folder (the folder the program was executed from), don't supply an output directory.

    • /JPG Will scan for JPG files

    • /GIF Will scan for GIF files

    • /BMP Will scan for BMP files
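The signature scan GEXTRACT performs, as an added Python example (not the tool's own code): walk a raw image looking for JPG, GIF and BMP headers and carve each hit, with the types argument playing the role of the /JPG, /GIF and /BMP switches. The file signatures, the simple end-of-file rules and the sample image are assumptions constructed here.

```python
import struct

# Assumed signatures for the three default types (a real carver knows many more).
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
GIF_SIGS, GIF_TRAILER = (b"GIF87a", b"GIF89a"), b"\x3b"
BMP_SIG = b"BM"

def carve_jpg(buf: bytes, i: int):
    end = buf.find(JPEG_EOI, i + len(JPEG_SOI))  # first EOI marker after the header
    return None if end < 0 else buf[i:end + 2]

def carve_gif(buf: bytes, i: int):
    end = buf.find(GIF_TRAILER, i + 6)  # naive: 0x3B can also occur inside image data
    return None if end < 0 else buf[i:end + 1]

def carve_bmp(buf: bytes, i: int):
    if i + 14 > len(buf):
        return None
    size = struct.unpack_from("<I", buf, i + 2)[0]  # BITMAPFILEHEADER.bfSize
    return None if size < 14 or i + size > len(buf) else buf[i:i + size]

CARVERS = {"jpg": ((JPEG_SOI,), carve_jpg),
           "gif": (GIF_SIGS, carve_gif),
           "bmp": ((BMP_SIG,), carve_bmp)}

def gextract(image: bytes, types=("jpg", "gif", "bmp")):
    """Scan a raw image byte by byte; return [(offset, type, data)] per carved file."""
    found, i = [], 0
    while i < len(image):
        for kind in types:
            sigs, carve = CARVERS[kind]
            if image.startswith(sigs, i):
                data = carve(image, i)
                if data:
                    found.append((i, kind, data))
                    i += len(data) - 1  # skip the carved file (the += 1 below completes it)
                    break
        i += 1
    return found

# Constructed sample image: three minimal graphic files separated by filler bytes.
JPG = JPEG_SOI + b"\xe0JFIF" + b"\x00" * 10 + JPEG_EOI
GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 5 + GIF_TRAILER
BMP = BMP_SIG + struct.pack("<IHHI", 14 + 8, 0, 0, 14) + b"\x00" * 8
IMAGE = b"\x00" * 100 + JPG + b"\x11" * 50 + GIF + b"\x00" * 30 + BMP + b"\x00" * 40
```

Each carved file would then be written into the (pre-existing) output directory under a name derived from its offset and type.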


PTABLE

  • Displays partition table information

  • Command: ptable

  • Will list all of the partition tables for all disks in the system.


SCRUB

  • Scrubs the disk.

  • Writes all zeroes, then all ones, then all F6s.

  • Three passes are performed

  • Command of the form:

    • SCRUB /d:<drives> /p:<passes> /g

    • /d Specifies the drives to be cleared, with drive 0 being the first drive. A list of drives to be scrubbed can be specified by separating drive numbers with commas. For example: /d:0,1,2

      • At least one drive (or all drives) must be specified.

    • /p Specifies the number of passes to be performed.

      • If /p is not specified, two scrubbing passes are made.

    • /g By default, SCRUB requests verification from the operator before a drive is scrubbed. If the /g switch is used, verification is skipped and scrubbing begins.


SAFEBACK

  • Creates an image of the Disk

  • We’ll discuss this more on Monday.


Homework 3

  • Use the tools located in the NTI directory to discover all of the evidence you can find on the evidence disk in the laboratory computer.

  • The evidence will be there by this afternoon, so start this evening or tomorrow, and as always, keep a journal.

  • Homework is due next Wednesday.

