SlideShare ist ein Scribd-Unternehmen logo

Computer forensic lifecycle

Computer Forensic Expert
Computer Forensic Expert

Computer Forensic lifecycle

Daten & Analysen
1 von 11
Downloaden Sie, um offline zu lesen
Computer  Forensic  Lifecycle  (common  PC/Laptop)   1. Preparation   a. Preparation  steps   i. Test  and  familiarize  yourself  with  software  tools   ii. Prepare  hard  drives   1. Wipe  &  verify   2. Partitioning   a. Filesystem  type   3. Load  tools   iii. Prepare  flash  drives   1. Wipe  &  verify   2. Partitioning   a. Filesystem  type   3. Load  tools   b. Initial  response  kit   i. Necessary  hardware   1. Prepared  flash  drive(s)   2. Prepared  hard  drive(s)   3. Hand  tools   ii. Necessary  software   1. RAM  collection  software   2. Encryption  detection  software   3. Imaging  software   iii. Other  necessary  equipment   1. Forms  (CoC,  computer  worksheet)   2. Notepad   3. Bags,  tape,  labels,  pens   4. Camera/Video    
2. Identify,  Triage,  Collect  and  Document   a. Initial  response  considerations   i. Safety   ii. Safeguarding  digital  evidence  from  further  tampering   iii. Urgency     b. Triaging  Live  computers   i. Initial  triage   1. Deletion  or  other  potentially  destructive  action  in  progress?   a. Stop  process  vs.  shutting  down  computer   2. If  circumstances  dictate,  disconnecting  physical  network  connection   a. Necessary  to  collect  minimal  information  prior  to  disconnection?   b. Disconnect  physical  network  connection   i. Hardware  wireless  switch  (laptop)   ii. Unlocked  Screen   1. Wireless  status/disconnect  required?   2. Determine  level  of  access   a. Administrator  access   i. Collection  of  volatile  data   1. Follow  order  of  volatility   a. RAM  collection   b. Other  volatile  Data   i. Comprehensive  networking  information   ii. Running  applications   iii. Date  &  time   c. Detecting  encrypted  volumes  
i. Logical  imaging   ii. Obtain  Bitlocker  recovery  key   2. Shutdown  system   b. Non-­‐administrator  access   i. Collection  of  volatile  data   1. Follow  order  of  volatility   a. Other  volatile  data   i. Comprehensive  networking  information   ii. Running  applications   iii. Date  &  time   b. Detecting  encrypted  volumes   i. Logical  imaging   iii. Locked  Screen   1. Shutdown  system   a. Pulling  plug  vs.  shutdown  process   c. Collection  of  digital  media   i. Marking/labeling   d. Documentation   i. CoC   ii. Notes              
  3. Imaging  Process   a. Interface  considerations  –  Available  adapters  and  connectors   1. USB   2. SCSI   3. PATA   4. SATA   5. SAS   6. ZIFF     b. Hardware-­‐based  imaging  devices   i. Storage  considerations   1. Pre-­‐prepared  HD  (wiped)   2. Drive  capacity   ii. Tableau   1. Native  .E01  support   iii. Weibetech   iv. Logicube     c. Software  Imaging   i. Storage  considerations   1. Pre-­‐prepared  HD  (wiped)   2. Drive  capacity   ii. Hardware  write-­‐blockers   1. Tableau   2. Weibetech   3. Others   iii. Software  write-­‐blockers   1. EnCase  Fastbloc  SE   2. Registry  hack  
iv. No  write  blocker   1. Linux  /  Unix  /  OSX     d. Verification  Process   i. Hash  verification     4. Analysis  Process   a. Pre-­‐Analysis  preparation   i. Root  Case  Folder   1. Location   2. Naming  convention   3. Case  folder  subcomponents   a. Evidence  files   b. Export   c. Temp   d. Index     b. Pre-­‐Analysis  Processing   i. Identification  of  all  archives,  encrypted  volumes,  virtual  machines.   1. Virtual  mounting     ii. Hash  Analysis   1. Good  vs.  bad  hashes  (Known  vs.  Unknown)   2. Generating  hash  values  for  each  file   3. Comparing  hash  sets   4. Filtering  out  identified  files     iii. File  Signature  Analysis     iv. Keyword  indexing  (optional)  
  c. Case-­‐Specific  Analysis  Techniques  (common  techniques)   i. RAM  Analysis  (if  applicable)   1. Strings   2. Redline   3. HBGary  Responder     ii. Keyword  Searching   1. Live  searching   2. Index  Searching   3. Unicode   4. GREP     iii. Internet  History  Analysis   1. IE   a. Internet  history   b. Favorites   c. Zone  identifier  files   d. Configuration  settings     2. Firefox   a. Internet  history   b. Favorites   c. Configuration  settings     3. Chrome   a. Internet  history   b. Favorites   c. Configuration  settings    
4. Safari   a. Internet  history   b. Favorites     c. Configuration  setting     5. 3rd  party  tools   a. Netanalysis   b. Web  Historian     iv. Email  Analysis   1. Client  based   a. Outlook   b. Outlook  Express   c. Thunderbird   2. Web  based   a. Gmail   b. Hotmail   c. Yahoo     v. Windows  Event  logs   1. Location   2. Types   3. Format   a. XP  vs.  Vista  /  7/  8   4. 3rd  party  tools   a. Splunk   b. Highlighter     vi. Social  Media  Analysis   1. Twitter  
2. Facebook   3. Google+   vii. Instant  Messaging   1. Gtalk   2. Yahoo   3. Live  /  Communicator  /  Lync     viii. User  Profile  Analysis  (recent  docs,  LNK,  etc)   1. Desktop   2. Downloads   3. Documents   4. Videos   5. Photos     ix. Registry  Analysis   1. Global   a. User  accounts  /  SIDS   b. Installed  applications   c. Passwords   2. User  Specific   a. Protected  Storage  Passwords   b. UserAssist   c. MRU  /  Recently  opened  files   d. Background  Image   3. 3rd  party  tools   a. regripper   b. regdecoder   c. WRR  (mitec)     x. USB  Device  Analysis  
1. XP   a. Registry   i. Mounted  Devices   ii. USBSTOR   b. setupapi.log   2. Vista  /  7  /  8   a. Registry   i. Mounted  Devices   ii. USBSTOR   b. setupapi.dev.log  &  setupapi.app.log     xi. Recycle  Bin  Analysis   1. SID  mapping     xii. System  Restore  Points  /  Volume  Shadow  Service  (VSS)  analysis   1. XP  systems   a. 3rd  party  tools   i. Mandiant  Restore  Point  analyzer   2. Vista  /  7/  8   a. VSS  Analysis   b. 3rd  party  tools   i. ShadowExplorer   ii. FAU  dd  (Garner)     xiii. Peer-­‐to-­‐Peer    (P2P)  Analysis   1. Limewire   2. Gigatribe   3. uTorrent     xiv. Cloud  Based  Applications  
1. Dropbox   2. Microsoft  Live  mesh   3. Google  drive     xv. Basic  Data  Carving   1. pagefile.sys   2. hiberfil.sys   3. Unallocated  Space   4. Identifying  headers  &  footers   a. Base64   b. Internet  History   5. 3rd  party  tools   a. Internet  Evidence  Finder  (IEF)     xvi. Unused  Disk  areas   1. Deleted  partitions     xvii. General  Intelligence  gathering   1. Collection  of  email  addresses   2. Collection  of  phone  numbers     5. Report  Writing   a. Baseline    &  Case  specific  information     i. Request   ii. Findings   1. Drive  Info   a. Physical  size  (label)   b. Physical  size  (BIOS)   c. Logical  size   i. Logical  partitions  
d. Unused  disk  space   2. OS  Information   a. Type   b. Version   c. Patch  level  /  hotfixes   d. Install  date   e. Registered  Name  /  Organization   3. Case  specific  findings   iii. Summary   iv. Recommendations     b. Timeline  of  events      

Empfohlen

Study on Live analysis of Windows Physical Memory
Study on Live analysis of Windows Physical MemoryStudy on Live analysis of Windows Physical Memory
Study on Live analysis of Windows Physical MemoryIOSR Journals
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source ForensicsCTIN
 
Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the ArchiveGarethKnight
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Curriculam
CurriculamCurriculam
CurriculamVinay Mishra
 
Dia de la salud
Dia de la saludDia de la salud
Dia de la saludDiana Martinez
 
Garside Resume2015
Garside Resume2015Garside Resume2015
Garside Resume2015Steven Garside
 

Empfohlen

Study on Live analysis of Windows Physical Memory
Study on Live analysis of Windows Physical MemoryStudy on Live analysis of Windows Physical Memory
Study on Live analysis of Windows Physical MemoryIOSR Journals
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source ForensicsCTIN
 
Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the ArchiveGarethKnight
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Curriculam
CurriculamCurriculam
CurriculamVinay Mishra
 
Dia de la salud
Dia de la saludDia de la salud
Dia de la saludDiana Martinez
 
Garside Resume2015
Garside Resume2015Garside Resume2015
Garside Resume2015Steven Garside
 
I&D - Taller Tema de Investigación
I&D - Taller Tema de InvestigaciónI&D - Taller Tema de Investigación
I&D - Taller Tema de InvestigaciónAna Pedraza
 
References EN
References ENReferences EN
References ENAnja Kempermann
 
Tarea artículo
Tarea artículoTarea artículo
Tarea artículoElizabeth Quiroga
 
Revision artciculo cientifico - - Lcda. Mg. Marlene Suarez
Revision artciculo cientifico - - Lcda. Mg. Marlene SuarezRevision artciculo cientifico - - Lcda. Mg. Marlene Suarez
Revision artciculo cientifico - - Lcda. Mg. Marlene SuarezJairo Castillo
 
Comprar piezas de coches en línea- una solución rápida y asequible
Comprar piezas de coches en línea- una solución rápida y asequibleComprar piezas de coches en línea- una solución rápida y asequible
Comprar piezas de coches en línea- una solución rápida y asequiblecarolllee
 
Descriptores DeCS - Clara Gallardo
Descriptores DeCS - Clara GallardoDescriptores DeCS - Clara Gallardo
Descriptores DeCS - Clara GallardoClarita Gallardo
 
Resume TRUC TO - SC
Resume TRUC TO - SCResume TRUC TO - SC
Resume TRUC TO - SCThanh Truc TO
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory ForensicsAnshul Tayal
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - publicSandro Suffert
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
Hsc computer science chap 1 Operating System (1).pdf
Hsc computer science chap 1 Operating System (1).pdfHsc computer science chap 1 Operating System (1).pdf
Hsc computer science chap 1 Operating System (1).pdfAAFREEN SHAIKH
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newKatherineJack1
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newEmmaJack2018
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newmarysherman2018
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newsweetsour2017
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newLillieDickey
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newsarahlazeto
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newlizabonilla
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfGnanavi2
 
3871778
38717783871778
3871778Christiaan Beek
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 

Weitere ähnliche Inhalte

Andere mochten auch

I&D - Taller Tema de Investigación
I&D - Taller Tema de InvestigaciónI&D - Taller Tema de Investigación
I&D - Taller Tema de InvestigaciónAna Pedraza
 
Revision artciculo cientifico - - Lcda. Mg. Marlene Suarez
Revision artciculo cientifico - - Lcda. Mg. Marlene SuarezRevision artciculo cientifico - - Lcda. Mg. Marlene Suarez
Revision artciculo cientifico - - Lcda. Mg. Marlene SuarezJairo Castillo
 
Comprar piezas de coches en línea- una solución rápida y asequible
Comprar piezas de coches en línea- una solución rápida y asequibleComprar piezas de coches en línea- una solución rápida y asequible
Comprar piezas de coches en línea- una solución rápida y asequiblecarolllee
 
Descriptores DeCS - Clara Gallardo
Descriptores DeCS - Clara GallardoDescriptores DeCS - Clara Gallardo
Descriptores DeCS - Clara GallardoClarita Gallardo
 

Andere mochten auch (7)

I&D - Taller Tema de Investigación
I&D - Taller Tema de InvestigaciónI&D - Taller Tema de Investigación
I&D - Taller Tema de Investigación
 
References EN
References ENReferences EN
References EN
 
Tarea artículo
Tarea artículoTarea artículo
Tarea artículo
 
Revision artciculo cientifico - - Lcda. Mg. Marlene Suarez
Revision artciculo cientifico - - Lcda. Mg. Marlene SuarezRevision artciculo cientifico - - Lcda. Mg. Marlene Suarez
Revision artciculo cientifico - - Lcda. Mg. Marlene Suarez
 
Comprar piezas de coches en línea- una solución rápida y asequible
Comprar piezas de coches en línea- una solución rápida y asequibleComprar piezas de coches en línea- una solución rápida y asequible
Comprar piezas de coches en línea- una solución rápida y asequible
 
Descriptores DeCS - Clara Gallardo
Descriptores DeCS - Clara GallardoDescriptores DeCS - Clara Gallardo
Descriptores DeCS - Clara Gallardo
 
Resume TRUC TO - SC
Resume TRUC TO - SCResume TRUC TO - SC
Resume TRUC TO - SC
 

Ähnlich wie Computer forensic lifecycle

2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - publicSandro Suffert
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
Hsc computer science chap 1 Operating System (1).pdf
Hsc computer science chap 1 Operating System (1).pdfHsc computer science chap 1 Operating System (1).pdf
Hsc computer science chap 1 Operating System (1).pdfAAFREEN SHAIKH
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newKatherineJack1
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newEmmaJack2018
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newmarysherman2018
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newsweetsour2017
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newLillieDickey
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newsarahlazeto
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newlizabonilla
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfGnanavi2
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptx
219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptx219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptx
219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptxSachinGosavi15
 
1. The sale of sensitive or confidential company information to a .docx
1. The sale of sensitive or confidential company information to a .docx1. The sale of sensitive or confidential company information to a .docx
1. The sale of sensitive or confidential company information to a .docxambersalomon88660
 
Foundation of Digital Forensics
Foundation of Digital ForensicsFoundation of Digital Forensics
Foundation of Digital ForensicsVictor C. Sovichea
 
Stop pulling the plug
Stop pulling the plugStop pulling the plug
Stop pulling the plugKamal Rathaur
 

Ähnlich wie Computer forensic lifecycle (20)

Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
Hsc computer science chap 1 Operating System (1).pdf
Hsc computer science chap 1 Operating System (1).pdfHsc computer science chap 1 Operating System (1).pdf
Hsc computer science chap 1 Operating System (1).pdf
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Cis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer newCis 562 week 11 final exam – strayer new
Cis 562 week 11 final exam – strayer new
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
3871778
38717783871778
3871778
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptx
219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptx219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptx
219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptx
 
1. The sale of sensitive or confidential company information to a .docx
1. The sale of sensitive or confidential company information to a .docx1. The sale of sensitive or confidential company information to a .docx
1. The sale of sensitive or confidential company information to a .docx
 
Foundation of Digital Forensics
Foundation of Digital ForensicsFoundation of Digital Forensics
Foundation of Digital Forensics
 
Stop pulling the plug
Stop pulling the plugStop pulling the plug
Stop pulling the plug
 
1500 mcq questions of computer knowledge for bank exams
1500 mcq questions of computer knowledge for bank exams1500 mcq questions of computer knowledge for bank exams
1500 mcq questions of computer knowledge for bank exams
 

Kürzlich hochgeladen

Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...shivangimorya083
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysismanisha194592
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAroojKhan71
 
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779Best VIP Call Girls Noida Sector 22 Call Me: 8448380779
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779Delhi Call girls
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...amitlee9823
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionfulawalesam
 
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptxBPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptxMohammedJunaid861692
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxolyaivanovalion
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxolyaivanovalion
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxolyaivanovalion
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxfirstjob4
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...SUHANI PANDEY
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Zuja dropshipping via API with DroFx.pptx
Zuja dropshipping via API with DroFx.pptxZuja dropshipping via API with DroFx.pptx
Zuja dropshipping via API with DroFx.pptxolyaivanovalion
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfadriantubila
 

Kürzlich hochgeladen (20)

Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysis
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
 
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779Best VIP Call Girls Noida Sector 22 Call Me: 8448380779
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interaction
 
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptxBPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptx
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFx
 
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get CytotecAbortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptx
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptx
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Zuja dropshipping via API with DroFx.pptx
Zuja dropshipping via API with DroFx.pptxZuja dropshipping via API with DroFx.pptx
Zuja dropshipping via API with DroFx.pptx
 
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
 
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts ServiceCall Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
 

Computer forensic lifecycle

  • 1. Computer  Forensic  Lifecycle  (common  PC/Laptop)   1. Preparation   a. Preparation  steps   i. Test  and  familiarize  yourself  with  software  tools   ii. Prepare  hard  drives   1. Wipe  &  verify   2. Partitioning   a. Filesystem  type   3. Load  tools   iii. Prepare  flash  drives   1. Wipe  &  verify   2. Partitioning   a. Filesystem  type   3. Load  tools   b. Initial  response  kit   i. Necessary  hardware   1. Prepared  flash  drive(s)   2. Prepared  hard  drive(s)   3. Hand  tools   ii. Necessary  software   1. RAM  collection  software   2. Encryption  detection  software   3. Imaging  software   iii. Other  necessary  equipment   1. Forms  (CoC,  computer  worksheet)   2. Notepad   3. Bags,  tape,  labels,  pens   4. Camera/Video    
  • 2. 2. Identify,  Triage,  Collect  and  Document   a. Initial  response  considerations   i. Safety   ii. Safeguarding  digital  evidence  from  further  tampering   iii. Urgency     b. Triaging  Live  computers   i. Initial  triage   1. Deletion  or  other  potentially  destructive  action  in  progress?   a. Stop  process  vs.  shutting  down  computer   2. If  circumstances  dictate,  disconnecting  physical  network  connection   a. Necessary  to  collect  minimal  information  prior  to  disconnection?   b. Disconnect  physical  network  connection   i. Hardware  wireless  switch  (laptop)   ii. Unlocked  Screen   1. Wireless  status/disconnect  required?   2. Determine  level  of  access   a. Administrator  access   i. Collection  of  volatile  data   1. Follow  order  of  volatility   a. RAM  collection   b. Other  volatile  Data   i. Comprehensive  networking  information   ii. Running  applications   iii. Date  &  time   c. Detecting  encrypted  volumes  
  • 3. i. Logical  imaging   ii. Obtain  Bitlocker  recovery  key   2. Shutdown  system   b. Non-­‐administrator  access   i. Collection  of  volatile  data   1. Follow  order  of  volatility   a. Other  volatile  data   i. Comprehensive  networking  information   ii. Running  applications   iii. Date  &  time   b. Detecting  encrypted  volumes   i. Logical  imaging   iii. Locked  Screen   1. Shutdown  system   a. Pulling  plug  vs.  shutdown  process   c. Collection  of  digital  media   i. Marking/labeling   d. Documentation   i. CoC   ii. Notes              
  • 4.   3. Imaging  Process   a. Interface  considerations  –  Available  adapters  and  connectors   1. USB   2. SCSI   3. PATA   4. SATA   5. SAS   6. ZIFF     b. Hardware-­‐based  imaging  devices   i. Storage  considerations   1. Pre-­‐prepared  HD  (wiped)   2. Drive  capacity   ii. Tableau   1. Native  .E01  support   iii. Weibetech   iv. Logicube     c. Software  Imaging   i. Storage  considerations   1. Pre-­‐prepared  HD  (wiped)   2. Drive  capacity   ii. Hardware  write-­‐blockers   1. Tableau   2. Weibetech   3. Others   iii. Software  write-­‐blockers   1. EnCase  Fastbloc  SE   2. Registry  hack  
  • 5. iv. No  write  blocker   1. Linux  /  Unix  /  OSX     d. Verification  Process   i. Hash  verification     4. Analysis  Process   a. Pre-­‐Analysis  preparation   i. Root  Case  Folder   1. Location   2. Naming  convention   3. Case  folder  subcomponents   a. Evidence  files   b. Export   c. Temp   d. Index     b. Pre-­‐Analysis  Processing   i. Identification  of  all  archives,  encrypted  volumes,  virtual  machines.   1. Virtual  mounting     ii. Hash  Analysis   1. Good  vs.  bad  hashes  (Known  vs.  Unknown)   2. Generating  hash  values  for  each  file   3. Comparing  hash  sets   4. Filtering  out  identified  files     iii. File  Signature  Analysis     iv. Keyword  indexing  (optional)  
  • 6.   c. Case-­‐Specific  Analysis  Techniques  (common  techniques)   i. RAM  Analysis  (if  applicable)   1. Strings   2. Redline   3. HBGary  Responder     ii. Keyword  Searching   1. Live  searching   2. Index  Searching   3. Unicode   4. GREP     iii. Internet  History  Analysis   1. IE   a. Internet  history   b. Favorites   c. Zone  identifier  files   d. Configuration  settings     2. Firefox   a. Internet  history   b. Favorites   c. Configuration  settings     3. Chrome   a. Internet  history   b. Favorites   c. Configuration  settings    
  • 7. 4. Safari   a. Internet  history   b. Favorites     c. Configuration  setting     5. 3rd  party  tools   a. Netanalysis   b. Web  Historian     iv. Email  Analysis   1. Client  based   a. Outlook   b. Outlook  Express   c. Thunderbird   2. Web  based   a. Gmail   b. Hotmail   c. Yahoo     v. Windows  Event  logs   1. Location   2. Types   3. Format   a. XP  vs.  Vista  /  7/  8   4. 3rd  party  tools   a. Splunk   b. Highlighter     vi. Social  Media  Analysis   1. Twitter  
  • 8. 2. Facebook   3. Google+   vii. Instant  Messaging   1. Gtalk   2. Yahoo   3. Live  /  Communicator  /  Lync     viii. User  Profile  Analysis  (recent  docs,  LNK,  etc)   1. Desktop   2. Downloads   3. Documents   4. Videos   5. Photos     ix. Registry  Analysis   1. Global   a. User  accounts  /  SIDS   b. Installed  applications   c. Passwords   2. User  Specific   a. Protected  Storage  Passwords   b. UserAssist   c. MRU  /  Recently  opened  files   d. Background  Image   3. 3rd  party  tools   a. regripper   b. regdecoder   c. WRR  (mitec)     x. USB  Device  Analysis  
  • 9. 1. XP   a. Registry   i. Mounted  Devices   ii. USBSTOR   b. setupapi.log   2. Vista  /  7  /  8   a. Registry   i. Mounted  Devices   ii. USBSTOR   b. setupapi.dev.log  &  setupapi.app.log     xi. Recycle  Bin  Analysis   1. SID  mapping     xii. System  Restore  Points  /  Volume  Shadow  Service  (VSS)  analysis   1. XP  systems   a. 3rd  party  tools   i. Mandiant  Restore  Point  analyzer   2. Vista  /  7/  8   a. VSS  Analysis   b. 3rd  party  tools   i. ShadowExplorer   ii. FAU  dd  (Garner)     xiii. Peer-­‐to-­‐Peer    (P2P)  Analysis   1. Limewire   2. Gigatribe   3. uTorrent     xiv. Cloud  Based  Applications  
  • 10. 1. Dropbox   2. Microsoft  Live  mesh   3. Google  drive     xv. Basic  Data  Carving   1. pagefile.sys   2. hiberfil.sys   3. Unallocated  Space   4. Identifying  headers  &  footers   a. Base64   b. Internet  History   5. 3rd  party  tools   a. Internet  Evidence  Finder  (IEF)     xvi. Unused  Disk  areas   1. Deleted  partitions     xvii. General  Intelligence  gathering   1. Collection  of  email  addresses   2. Collection  of  phone  numbers     5. Report  Writing   a. Baseline    &  Case  specific  information     i. Request   ii. Findings   1. Drive  Info   a. Physical  size  (label)   b. Physical  size  (BIOS)   c. Logical  size   i. Logical  partitions  
  • 11. d. Unused  disk  space   2. OS  Information   a. Type   b. Version   c. Patch  level  /  hotfixes   d. Install  date   e. Registered  Name  /  Organization   3. Case  specific  findings   iii. Summary   iv. Recommendations     b. Timeline  of  events