The document discusses computer forensics, which involves gathering digital evidence from computers to investigate security incidents and cybercrimes. It outlines the goals, stages, rules, and tools used in the digital investigation process. Key aspects include maintaining a documented chain of custody, never modifying original evidence, using forensic software to acquire disk images while calculating hash values for authentication. The summary provides an overview of the key topics covered in the document.

1. n|u Pardhasaradhi.ch

2. n|u Computer Forensics : It is the application of computer investigation and analysis techniques to gather evidence It is also called as cyber forensics Goal : The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it. Pardhasaradhi.ch

3. n|u Preparation Search and seizure Acquisition and Authentication Case storage and Archival Analysis and Reporting Stages in digital investigation process Pardhasaradhi.ch

4. n|u Rules of computer forensics : Rule 1 : Never mishandle Evidence Rule 2 : Never trust the subject operating system Chain of custody Asset tags Crime scene details Ex : Ex : Avoid Live forensics Use drive encryption Check hash value with the image Pardhasaradhi.ch

5. n|u Rule 3 : Never work on original evidence Rule 4 : Document Every thing Ex : Create a bit stream copy Do not access the file system during imaging Document the errors while imaging If any If any errors arise while imaging take another copy Pardhasaradhi.ch

6. n|u Clone Vs. image : To copy or replicate the entire contents of a hard disk drive by creating an image of the hard disk drive. Hard disk drives are often cloned for batch installation on other computers, particularly those on a network, or for use as backups. Clone : Image : Some of the image types are dd,E01,smart,ad1,ISO,NRG, Images are locked format ,these are easy to carry EX: Symantec ghost Clone is used to execute the images Pardhasaradhi.ch

7. n|u Access data MAC times Modified Accessed Created FTK imager Password recovery toolkit Registry viewer Forensic toolkit Software Forensic Hub Pardhasaradhi.ch

8. Stego suite Mount image pro Ultimate forensics Tool kit Elcomsoft Helix DD for Linux

9. n|u Devices used for forensics Shadow device : write blocker As an investigative tool, boot the suspect client and connect to their network Allows read commands to pass but by blocks write commands, Hardware Forensic Hub : Faraday bag The product was designed for E items which would isolate it from the networks Pardhasaradhi.ch

10. n|u Wde Drive wiper Ex: True crypt whole disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Full Disk Encryption prevents unauthorized access to data storage Wipe all data off of two drives at up to 8 GB per minute Automatically unlocks and wipes Host Protected Areas Cut your drive wiping time in half Very light weight - less than a pound, plus the laptop style power supply Simple, fast, portable data destruction Pardhasaradhi.ch

11. n|u Steganography is the process of hiding of a secret message within an ordinary message and extracting it at its destination Steganography Pardhasaradhi.ch Alternate Data Streams (NTFS) New Technology File System allows for Alternate Data Streams One file can be a link to multiple Alternate Data Streams of files of any size.

12. n|u Pardhasaradhi.ch

13. n|u Importance of windows files Pardhasaradhi.ch Sam SYSTEM32\COFIG User names User information like last logon count ,last login time. Ntldr NTLDR will display the versions of operating systems in a boot menu and waits a specified number of seconds before loading the first in the list System This file will help us to know details regarding the USB connected and exact time stamps for drive operations done index This file will store all the internet related data cookies, Recent history

14. n|u Making a report for forensic case Executive summary Detailed activity log Proof of process Forensic image processing Restoration and verification of images Document evidences discovered during analysis Pardhasaradhi.ch

15. n|u File slack Terminology used Data carving Data carving or File Carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten. The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called "file slack" Pardhasaradhi.ch Cluster Storage of data in fixed length blocks of bytes called clusters. Clusters are essentially groupings of sectors which are used to allocate the data storage area

16. Sites: Access data- www.accessdata.com -- ace LADS - www.heysoft.de Elcom soft – www.elcomsoft.com Helix - www.e-fense.com/helix/ Stego suite – www.logon-int.com/product.asp I2analyst notebook www.Forensicfocus.com www.computerforensics1.com www.forensics.nl www.blogs.sans.org/computer-forensics/

17. n|u THANK YOU Pardhasaradhi.ch