The document discusses various aspects of digital forensics, including traditional methods, live forensics, and anti-digital forensics. It highlights essential tools and commands used in the process, as well as challenges faced like data encryption and wiping. The conclusion emphasizes the advantages of live forensics in initiating investigations while noting that traditional methods are more effective for data collection.

1. Digital Forensics Evidence

2. Road MapBasic Digital ForensicsTraditional Digital ForensicsLive Digital Forensics Anti-Digital Forensics Questions

3. Basic ForensicsRegistry Thumbs.dbIndex.dat Commands

4. Registry Last LogonHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogonSecurity CenterHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center Recent DocumentsHKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc Typed URLshkcu\software\microsoft\internet explorer\typedurls

5. Thumbs.DBPictures opened in Windows OSFilmstripThumbnails Thumbs.DB Viewer

6. Index.DATContains all of the Web sites Every URLEvery Web pageAll email sent or received through Outlook or Outlook ExpressAll internet temp filesAll pictures viewed

7. CommandsDir: Lists all files and directories in the directory that you are currently in.Ls: List the contents of your home directory by adding a tilde after the ls command.Ps: Displays the currently-running processes.Fdisk: A utility that provides disk partitioning functions, and information.

8. Traditional ForensicsHardware Write Block/Software Write BlockCell PhonesDigital Forensics Programs Hex EditorFTKEnCaseProDiscover

9. Hardware Write Block

10. Hardware Write BlockHard Drive Connected

11. Hardware Write Block Image in process

12. Destination Drive

13. Safe Block XP

14. Software Write BlockRegistry Edit USB BlockHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePoliciesWrite protectDisable WriteProtect dword:00000001Enable WriteProtect dword:00000000

15. Cell Phone

16. USB Drive

17. Hex Editor

18. FTK

19. EnCase

20. EnCase Continued

21. ProDiscover

22. Live Digital Forensics ProDiscover IRHelixSleuth Kit & Autopsy CaineFTK/EnCase making them live?Both newer offerings have live capabilities

23. ProDiscoverIR

24. Live environment warnings

25. Helix

26. Helix Continued

27. Sleuth Kit & Autopsy

28. Caine

29. FTK/EnCase Live?Older versions no. EnCase 4.6 no.FTK 1.8 no. New versions yes EnCase 6 supports network and live digital forensics.FTK 3 supports live digital forensics

30. Problems Firewalls/Routers/SwitchesProxiesIP packetsTTL issuesIDS

31. Anti-Digital Forensics SteganographyEncryptionData WipingMetadata SpoilageAlternative Data StreamsIndex.DatThumbs.db Death of digital forensics

32. SteganographyDetectionWetStone Technologies' GargoyleNiels Provos' Stegdetect HidingStegoMagicwbStegoHIP (Hide In Picture)

33. StegoMagic

34. wbStego

35. HIP

36. EncryptionFile encryptionFull disc-encryption

37. Data WipingM-Sweep Pro Data Eliminator DBANDOD 5220.22MFile Shredder Beyond DOD

38. M-Sweep Pro Data Eliminator

39. DBAN

40. File Shredder

41. Metadata spoilage MetaspolitTimeStompSlackMetachanger

42. Metasploit

43. Timestomp

44. MetaChanger

45. Alternative data streamsData fork Resource fork old Macintosh Hierarchical File SystemImpossible to protect your system against ADS.Cannot be disabledNo way to limit this capability redirect [>] and colon [:] to fork one file into another.C:\test> type c:\windows\notepad.exe > ads.txt:hidden.exe

46. Alternate Data Streams scan engine

47. Locations of Index.DAT files VISTA\Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat\Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\low\index.dat\Users\<Username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.datC:\Users\<UserName>\AppData\Local\Microsoft\Windows\History\Content.IE5\index.dat

48. Index.DAT Analyzer

49. Thumbs.DB Viewer

50. Death of Digital ForensicsSSDs are much like memorySmallest part written too is a sectorErases data in a block Anything changes physical placement of dataLogical placement stays the same. Black boxes from a system's point of viewProperty

51. ConclusionWe can see the live digital forensics is best used for starting an investigation. Traditional Digital forensics is best for collecting the data And knowing the techniques of Anti-digital forensics can help the investigator find data that he/she might not other wise be able to find.

52. Questions