26
Real Forensics The hard way

Real Forensics

Tags:

Embed Size (px)

DESCRIPTION

Real Forensics. The hard way. Data Recovery. What data/evidence can you retrieve from a hard drive. Usually dd is good enough Sometimes real help is needed. Real Help. Hard Drive recovered from Columbia Shuttle accident February 1, 2003 400 Mbyte - PowerPoint PPT Presentation

Citation preview

Page 1: Real Forensics

Real Forensics

The hard way

Page 2: Real Forensics

Data Recovery

• What data/evidence can you retrieve from a hard drive.

• Usually dd is good enough

• Sometimes real help is needed

Page 3: Real Forensics

Real Help

• Hard Drive recovered from Columbia Shuttle accident

• February 1, 2003

• 400 Mbyte http://www.sciam.com/article.cfm?id=hard-drive-recovered-from-columbia

• 99% of the data was recovered from a Xenon shear thinning experiment

Page 4: Real Forensics

Hard Drive Mounted on Plate

Page 5: Real Forensics

HDD Internals

Page 6: Real Forensics

Ontrack Data Recovery

• Probably:– Remove the platters and cleaned them.

– Rebuilt the Spindle assembly

– Mounted in a new case

– Exercised in a clean room

Page 7: Real Forensics

Hard Drive Architecture

Page 8: Real Forensics
Page 9: Real Forensics

HDD Capacity

10,000

`2015

Page 10: Real Forensics

MRU Lists

Most Recently Used Lists

Page 11: Real Forensics

Best Known

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

• A MRU list for about every application

• Used by the app to list your last accessed docs from that app.

Page 12: Real Forensics

PowerPoint

Page 13: Real Forensics

Which was the last one?

First Second

Page 14: Real Forensics

RunMRUMost recently run programs the the Run Command.

cmdregeditmsconfig

Page 15: Real Forensics

Typed URLsHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

Page 16: Real Forensics

Opened and Saved MRUsChronological list of Opened/Saved files

Page 17: Real Forensics

Opened and Saved MRUsVia File Extensions

Page 18: Real Forensics

.exe’s

Page 19: Real Forensics

Apps Associated with a File Extension

Page 20: Real Forensics

ComDlg32

Page 21: Real Forensics

Search AssistantSubkeys are for different search approaches:

5001 – Internet Search Assistant5603 – XP file search5604 – “word or phrase in a file”

Page 22: Real Forensics

System Restore Points

• Restore the system to a previous state

• Restore Points built in the background– Trigged by installation of apps/drivers

(unsigned)– Done once a day by default

Page 23: Real Forensics

What gets restored

• Registry

• Local profiles

• COM+ database

• WFP DLL cache

• WMI database

• IIS database

Page 24: Real Forensics

What doesn’t.

• DRM

• WPA settings

• SAM hive

• User-created data stored in the user profile

• Contents of redirected folders

Page 25: Real Forensics

System Restore ConfigurationRestore Point updates in seconds = 1 day

Retention of Restore Points in seconds

Page 26: Real Forensics

Lab 6.1

• Determine MRUs• Typed URLs

• Recent files opened/viewed by app» Order viewed

• Latest searches

• What apps were recently run from cmd.exe


CNIT 121: Computer Forensics - samsclass.info · CNIT 121: Computer Forensics 1 Real-World Incidents. Events and Incidents

CNIT 121: Computer Forensics - samsclass.info · CNIT 121: Computer Forensics 1 Real-World Incidents. Events and Incidents

Documents
Is Mobile Device Forensics Really Forensics?

Is Mobile Device Forensics Really Forensics?

Documents
OleDetection Forensics and Anti-forensics of Steganography ...users.cs.fiu.edu/~fortega/df/research/infohiding/Erbacher-Ole... · OleDetection—Forensics and Anti-Forensics of Steganography

OleDetection Forensics and Anti-forensics of Steganography ...users.cs.fiu.edu/~fortega/df/research/infohiding/Erbacher-Ole... · OleDetection—Forensics and Anti-Forensics of Steganography

Documents
OleDetection Forensics and Anti-forensics of Steganography ...fortega/df/research/infohiding/Erbacher... · OleDetection—Forensics and Anti-Forensics of Steganography in OLE2-Formatted

OleDetection Forensics and Anti-forensics of Steganography ...fortega/df/research/infohiding/Erbacher... · OleDetection—Forensics and Anti-Forensics of Steganography in OLE2-Formatted

Documents
Comp ter Forensics It’s NotComputer Forensics: It’s … ter Forensics It’s NotComputer Forensics: ... Computer Forensics Can be Useful with ... Solid state drives & deleted file

Comp ter Forensics It’s NotComputer Forensics: It’s … ter Forensics It’s NotComputer Forensics: ... Computer Forensics Can be Useful with ... Solid state drives & deleted file

Documents
FORENSICS JOURNAL - Stevenson Universitystevenson.edu/online/publications/forensics/documents/...FORENSICS JOURNAL 1 Welcome to the third edition of the Stevenson University Forensics

FORENSICS JOURNAL - Stevenson Universitystevenson.edu/online/publications/forensics/documents/...FORENSICS JOURNAL 1 Welcome to the third edition of the Stevenson University Forensics

Documents
FORENSICS OF ACADEMIC CREDENTIAL AND CV FRAUD … Forensics of Academic Credential and CV...institutions ( diploma mills) and curriculum vitae misrepresentation. Work with real life

FORENSICS OF ACADEMIC CREDENTIAL AND CV FRAUD … Forensics of Academic Credential and CV...institutions ( diploma mills) and curriculum vitae misrepresentation. Work with real life

Documents
FORENSICS & SECURITY - Elsevierscitechconnect.elsevier.com/.../forensics-security... · SEP 2014 • ISBN: 9780124052130 FORENSIC SCIENCE Introduction to Environmental Forensics,

FORENSICS & SECURITY - Elsevierscitechconnect.elsevier.com/.../forensics-security... · SEP 2014 • ISBN: 9780124052130 FORENSIC SCIENCE Introduction to Environmental Forensics,

Documents
Desktop Forensics: Windows - ULisboa · Desktop Forensics: Windows Part II.A. Techniques and Tools: Computer Forensics CSF: Forensics Cyber-Security Fall 2015 Nuno Santos

Desktop Forensics: Windows - ULisboa · Desktop Forensics: Windows Part II.A. Techniques and Tools: Computer Forensics CSF: Forensics Cyber-Security Fall 2015 Nuno Santos

Documents
The Real World Forensics

The Real World Forensics

Technology
Forensics · Disk Forensics Mobile Forensics E-mail investigations Questioned document Cryptography, examination Steganography Live Forensics and Network Forensics Audio/video authentication

Forensics · Disk Forensics Mobile Forensics E-mail investigations Questioned document Cryptography, examination Steganography Live Forensics and Network Forensics Audio/video authentication

Documents
COMPUTER FORENSICS · 2019-08-24 · 1.0 Computer Forensics In Today’s World 1.0 Intro To Computer Forensics 2.0 Need For Computer Forensics 3.0 What is Cyber Crime 4.0 Forensics

COMPUTER FORENSICS · 2019-08-24 · 1.0 Computer Forensics In Today’s World 1.0 Intro To Computer Forensics 2.0 Need For Computer Forensics 3.0 What is Cyber Crime 4.0 Forensics

Documents
Live Forensics Investigations Computer Forensics 2013

Live Forensics Investigations Computer Forensics 2013

Documents
COE589: Digital Forensics - ccse.kfupm.edu.saahmadsm/coe589-122/00_Overview_Logisti… · Digital Forensics computer forensics mobile forensics network forensics ... COE589 - Ahmad

COE589: Digital Forensics - ccse.kfupm.edu.saahmadsm/coe589-122/00_Overview_Logisti… · Digital Forensics computer forensics mobile forensics network forensics ... COE589 - Ahmad

Documents
Professionisti a tutela della verità - P&P Investigazioni...Digital & Mobile Forensics Digital Forensics Network Forensics Embedded & Software Forensics Metodologia d’Intervento

Professionisti a tutela della verità - P&P Investigazioni...Digital & Mobile Forensics Digital Forensics Network Forensics Embedded & Software Forensics Metodologia d’Intervento

Documents
Tor Forensics on Windows OS - Isaca Romaisacaroma.it/pdf/150416-17/Tor Forensics on Windows... · REAL CASE Management salaries of a private company were published on a Blog Through

Tor Forensics on Windows OS - Isaca Romaisacaroma.it/pdf/150416-17/Tor Forensics on Windows... · REAL CASE Management salaries of a private company were published on a Blog Through

Documents
iPhone Forensics Methodology and Tools · Forensics methodologies, iPhone forensics, forensics tools, digital forensics evidence handling, INTRODUCTION iPhone mobile phone is becoming

iPhone Forensics Methodology and Tools · Forensics methodologies, iPhone forensics, forensics tools, digital forensics evidence handling, INTRODUCTION iPhone mobile phone is becoming

Documents
COMPUTER FORENSICS - Boise Chapter€¦ · 3 Mobile device forensics 4 Other 5 References Computer forensics Main article: computer forensics ... 1.19 Computer Forensics Solution

COMPUTER FORENSICS - Boise Chapter€¦ · 3 Mobile device forensics 4 Other 5 References Computer forensics Main article: computer forensics ... 1.19 Computer Forensics Solution

Documents
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics

DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics

Technology
Computer Forensics – Tracking the Cyber vandals Forensics

Computer Forensics – Tracking the Cyber vandals Forensics

Documents
Memory Forensics - publish.illinois.edupublish.illinois.edu/.../files/2014/03/acc-forensics.pdfWhat is Computer Forensics? Mobile Device Forensics Network Forensics Memory & Data Forensics

Memory Forensics - publish.illinois.edupublish.illinois.edu/.../files/2014/03/acc-forensics.pdfWhat is Computer Forensics? Mobile Device Forensics Network Forensics Memory & Data Forensics

Documents
Anti-Forensics and Anti-Anti-Forensics

Anti-Forensics and Anti-Anti-Forensics

Documents
DIGITAL FORENSICS CASOS DE LA VIDA REAL INFOSECURITY 2017... · DIGITAL FORENSICS: CASOS DE LA VIDA REAL IDIOTA #2 Se realizaron los procesos legales pertinentes Al hacerse entrega

DIGITAL FORENSICS CASOS DE LA VIDA REAL INFOSECURITY 2017... · DIGITAL FORENSICS: CASOS DE LA VIDA REAL IDIOTA #2 Se realizaron los procesos legales pertinentes Al hacerse entrega

Documents
Digital Evidence and Computer Forensics Oct 7-8 2013/Tab 02 Oct 7-8... · Digital Evidence and Computer Forensics COMPUTER FORENSICS FORENSICS FORENSICS

Digital Evidence and Computer Forensics Oct 7-8 2013/Tab 02 Oct 7-8... · Digital Evidence and Computer Forensics COMPUTER FORENSICS FORENSICS FORENSICS

Documents
Windows 8 Forensics & Anti Forensics

Windows 8 Forensics & Anti Forensics

Technology
Scalable and Real-time Network Forensics

Scalable and Real-time Network Forensics

Documents
Implementation of Forensic Analysis Procedures for ...Android Forensics, Instant Messenger Forensics, Viber Forensics, WhatsApp Forensics. 1. INTRODUCTION ... communication medium

Implementation of Forensic Analysis Procedures for ...Android Forensics, Instant Messenger Forensics, Viber Forensics, WhatsApp Forensics. 1. INTRODUCTION ... communication medium

Documents
USB FORENSICS -PRODISCOVER USB FORENSICS –ENCASE V7csc.csudh.edu/cae/.../2013/11/All-is-not-Lost-Forensics-on-a-USB-Ale… · USB FORENSICS -PRODISCOVER USB FORENSICS -PRODISCOVER

USB FORENSICS -PRODISCOVER USB FORENSICS –ENCASE V7csc.csudh.edu/cae/.../2013/11/All-is-not-Lost-Forensics-on-a-USB-Ale… · USB FORENSICS -PRODISCOVER USB FORENSICS -PRODISCOVER

Documents
Preventive Digital Forensics: Creating Preventive Digital Forensics

Preventive Digital Forensics: Creating Preventive Digital Forensics

Documents
© The Forensics Files Lincoln-Douglas Debate The Forensics Files The Forensics Files

© The Forensics Files Lincoln-Douglas Debate The Forensics Files The Forensics Files

Documents