The document discusses the benefits and process of building WinFE, a Windows forensic environment that can be run from RAM or a USB drive. Key points include that WinFE allows booting on x86 devices regardless of operating system, runs Windows compatible tools, and is highly customizable. The document provides detailed instructions on compiling WinFE using the Windows AIK and WinBuilder utility, including how to add drivers, copy files to USB, and use various forensic tools for encryption detection, imaging RAM and drives, and triage.
Anti-Forensics: Real world identification, analysis and prevention (Seccuris Inc.)
Reliance on forensic investigation of information systems has become a daily requirement for law enforcement and security practitioners around the world.
Effective evidence collection and analysis is the foundation of any investigation; identification of suspects, motives and methods demands the acquisition of the largest amount of information that evidence can provide us. Anti-Forensics – Real world identification, analysis and prevention will discuss how criminals, attackers and non-enlightened investigators all have the ability to impact the amount of useful information we have at our disposal. Michael will show the audience real world scenarios detailing how anti-forensics tools are used to hide and destroy incriminating evidence, outlining common anti-forensic techniques. This will be followed by discussion of hands-on identification and prevention practices used to raise awareness around current academic research and identify potential solutions for practitioners and law enforcement organizations.
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not thousands, of machines on the internet [remotely]. No, this is not a new super 1337 exploit, and no, this is not even a new technique. No super fancy website with a poorly designed logo is necessary; there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors (Jared Greenhill)
This presentation outlined how performing memory forensics on a single memory image broke open an extremely large intrusion in the non-profit space. Tools, techniques and procedures (TTPs) of an advanced actor intrusion will be highlighted during a technical deep-dive of memory analysis and related workflow.
Types of Computer Forensics Technology, Types of Military Computer Forensic Technology, Types of Law Enforcement Computer Forensic Technology, Types of Business Computer Forensic Technology, Specialized Forensics Techniques, Hidden Data and How to Find It, Spyware and Adware, Encryption Methods and Vulnerabilities, Protecting Data from Being Compromised, Internet Tracing Methods, Security and Wireless Technologies, Avoiding Pitfalls with Firewalls, Biometric Security Systems
Computer forensics: covers its history, the need for it, types of crime, how experts work, rules of evidence, forensic tools, and tools grouped by category.
An extremely detailed presentation containing information that is difficult to find; very useful for paper presentation competitions.
Course Objectives:
• Help the student to achieve a broad understanding of the main types of memory forensic data gathering and analysis
• Serve as an introduction to low level concepts necessary for a proper understanding of the task of performing memory forensics on Windows, MacOSX and Linux (incl. Android).
• Put the student in contact with different memory forensics tools and provide them with information on how to use the gathered forensic data to perform a wide range of investigations
This is a draft presentation of a video lesson taken from the course "Digital forensics with Kali Linux" published by Packt Publishing in May 2017: https://www.packtpub.com/networking-and-servers/digital-forensics-kali-linux
This presentation introduces memory forensics and recalls the most important concepts of virtual memory and paging.
This PDF is of a Nearpod presentation about evaluating websites' trustworthiness which you can view in its entirety at http://npps.co/internetsleuthpdf. It will give you a glimpse of what you can expect from Nearpod and its capabilities to enhance your classroom experience. Via this presentation, your students will become internet sleuths by evaluating websites' trustworthiness and credibility, and distinguishing fact from fiction online. ELA. Elementary School. Age: 8+
This is a draft presentation of a video lesson taken from the course "Digital forensics with Kali Linux" published by Packt Publishing in May 2017: https://www.packtpub.com/networking-and-servers/digital-forensics-kali-linux
In this presentation we are going to cover the recovery of deleted files from a disk image using three CLI file carving tools pre-installed on Kali Linux: Foremost, Scalpel and Photorec.
Forensic Analysis on Twitter, including its Privacy and Policy, Terms and Conditions, Cookies, Data dissemination, Login or Sign Up, Payment Options, References, Tweets and many more.
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier (Basis Technology)
Autopsy 3 is an easy to use digital forensics tool. Its development started after discussions at the first OSDF conference, with the goal of being a platform for which other developers will write modules. Autopsy allows you to perform a digital forensics exam on Windows using a free tool. This talk will cover the basic features of Autopsy, including timeline analysis, registry analysis, web artifact analysis, keyword search, and hash sets. There will also be discussion about future modules, and how to get involved as a user or developer.
With 1.2 billion monthly active users on Facebook alone, it’s not surprising that social media networks can be a rich source of information for investigators. And because Americans spend more time on social media than any other major Internet activity, including email, social media information and evidence is plentiful. You just need to know how to get it.
Finding, preserving and collecting social media evidence often requires some forensic skills, as well as an understanding of the laws that govern its collection and use. It’s important for investigators to be aware of both the possibilities and limitations of social media forensics.
The opening address for the Windows Embedded & Robotics European Campus Tour. This presentation provides an overview of the Embedded Windows technology available and lots of examples of its use.
This is a part of the slide set used at the MakerSpace Noida (India) launch event, Pi Maker Workshop. This slide set is designed to help people get started with the Raspberry Pi and also serves as a collection of innovative projects and some core basic concepts that can aid anybody with their first few steps into the world of DIY electronics or maybe serve as a refresher for the experienced.
Feel free to refer and share but please don't alter the watermarks :)
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu... (Nicolas Collery)
Full Disk Encryption (FDE) may be rather useful as a defense mechanism against potential theft of a computer system. However, when the system is compromised and requires careful forensic analysis, FDE can be quite painful to forensic analysts. Unless you deal with standard and widely supported encryption such as LUKS, Bitlocker, TrueCrypt or a few others, it might be really hard to get through the layers of crypto code in proprietary software.
This presentation, delivered at HTCIA (HIGH TECHNOLOGY CRIME INVESTIGATION ASSOCIATION - Singapore), highlights a few techniques to let a remote analyst perform investigations.
https://htcia.org
BITS: Introduction to linux, distributions and installation (BITS)
This slide is part of the BITS training session: "Introduction to linux for life sciences."
See http://www.bits.vib.be/index.php?option=com_content&view=article&id=17203890%3Abioperl-additional-material&catid=84&Itemid=284
Defending Against the Dark Arts of LOLBINS (Brent Muir)
Copy of my slides from my 2020 Poland Confidence presentation...
This talk will provide an overview of the LOLBIN/LOLBAS estate, why they are a preferred attack tool over malware, and how organisations can better secure their estate against their abuse.
Presentation on conducting mobile device forensics without the use of expensive commercial tools, instead utilising FOSS alternatives. Conducting manual analysis makes you a better forensic analyst as well as helps to discover more potential evidence. From acquisition, to analysis, to malware disassembly, this presentation will provide a primer on all facets of mobile forensics.
Update from my previous presentation on dealing with SanDisk SecureAccess encrypted containers; including a bypass of the SecureAccess V2 software to see the contents of the encrypted containers.
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing (Brent Muir)
This presentation follows on from some research I conducted earlier this year in relation to the encryption software utilised by SanDisk USB thumb drives. The presentation details how to best process this data forensically. The presentation also explains how to flash USB thumb drives as part of this process to mimic SanDisk devices.
This report details various security vulnerabilities facing organisations that are connected to the Internet. It focuses primarily on Denial of Service (DoS) attacks, providing an understanding of how these types of attacks are carried out and outlines the current technological resources available to provide countermeasures to DoS attacks. The recommendations provided at the end of the report allow organisations to gain the ability to minimise the harmful impact that DoS attacks can inflict upon their business.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
3. Ability to boot on all x86 devices regardless of OS
Windows
Linux
OSX (requires optical drive)
Runs Windows compatible tools
The price is right
Cost of Windows OS licence
Highly customisable
4. BartPE (2003)
Live version of Windows based on XP/2003
Utilised Windows Preinstallation Environment (PE)
http://www.nu2.nu/pebuilder/screenshots/
5. Microsoft (SysInternals) created first “official” WinFE guide (2008)
Highly modified OS
▪ No GUI interface, CMD based only
▪ Registry keys modified to not mount devices by default
▪ Basic functionality, required batch scripts or plenty of DOS commands
▪ Based on Vista, compatible with Windows 7
7. WinBuilder - Windows PE building utility
WinFE script created by Brett Shavers that modified the same registry keys as SysInternals instructions (2010)
Retained GUI interface
Write Protect Tool Management Console (replacement Disk Manager)
9. Microsoft Windows (32bit or 64bit) ISO
Provides the baseband core OS files
Windows Automated Installation Kit (AIK)
Provides Windows PE bootable image that WinFE is based upon
WIM (Windows Image) mounting tools
WinBuilder with WinFE scripts
Provides advanced interface features of WinFE (desktop GUI support, etc)
10. Two modes for third-party applications:
Run from RAM
▪ Stops end-users modifying installed programs
▪ Takes up more RAM when booting (if working with low-specced PCs)
Run from Disk
▪ Easier to update (no more recompiling the full WIM)
12. Steps to compile your own version of WinFE:
1. Install Windows AIK
2. Mount Windows 7 ISO and remember the drive letter
3. Install WinBuilder and point it to the drive letter of the mounted ISO
4. Configure the scripts required through WinBuilder (including Tweaks WinFE)
5. Prepare any third-party software you require on WinFE
6. Run the WinBuilder program and set desired options. This should output a WinFE ISO as well as the files necessary to copy to a USB dongle
7. Edit the Boot loader (BCD) to allow a maximum timeout and require user input into selecting WinFE from a boot menu
8. Test the WinFE release to ensure that it is forensically sound
13. Slip streaming drivers into WinFE requires 2 tools (AIK):
Imagex - used to mount WIM
located in C:\Program Files\Windows AIK\Tools\x86\Servicing
DISM - used to install drivers
located in C:\Program Files\Windows AIK\Tools\x86\Servicing
1. imagex /mountrw C:\WinFE\Target\Win7PE_SE\sources\boot.wim 1 C:\winFE\mount
2. dism.exe /image:C:\WinFE\Mount /add-driver /driver:"C:\WinFE\Files to inject\Hasp\Hasp" /recurse
3. imagex.exe /unmount /commit C:\winFE\mount
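The three commands above are the whole procedure, but if DISM fails part-way the WIM is left mounted with a half-applied driver set, and committing that produces a boot image that may not boot. The following PowerShell script is an added example (not part of the original slides or of WinFE) that runs the same imagex and DISM commands with exit-code checks, and discards the mount instead of committing when anything fails. The AIK path, WIM path, mount directory and HASP driver folder are the ones shown on the slide; the parameter names are this script's own. Run it from an elevated prompt, as imagex and DISM require.

```powershell
# Added example: slip-streams drivers into the WinFE boot.wim with the slide's
# imagex/DISM commands, committing only if every step succeeds.
# Default paths are the ones on the slide; adjust them for your build tree.
param(
    [string]$Wim       = 'C:\WinFE\Target\Win7PE_SE\sources\boot.wim',
    [int]   $Index     = 1,
    [string]$MountDir  = 'C:\winFE\mount',
    [string]$DriverDir = 'C:\WinFE\Files to inject\Hasp\Hasp',
    [string]$AikTools  = 'C:\Program Files\Windows AIK\Tools\x86\Servicing'
)

$imagex = Join-Path $AikTools 'imagex.exe'
$dism   = Join-Path $AikTools 'dism.exe'

# Fail before mounting anything if a tool or input is missing.
foreach ($p in $imagex, $dism, $Wim, $DriverDir) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing path: $p" }
}
if (-not (Test-Path -LiteralPath $MountDir)) {
    New-Item -ItemType Directory -Path $MountDir | Out-Null
}

# Slide step 1: mount the selected image of the WIM read/write.
& $imagex /mountrw $Wim $Index $MountDir
if ($LASTEXITCODE -ne 0) { throw "imagex /mountrw failed with exit code $LASTEXITCODE" }

try {
    # Slide step 2: add every driver .inf found under the driver folder.
    & $dism "/image:$MountDir" /add-driver "/driver:$DriverDir" /recurse
    if ($LASTEXITCODE -ne 0) { throw "dism /add-driver failed with exit code $LASTEXITCODE" }

    # Slide step 3: write the changes back into boot.wim.
    & $imagex /unmount /commit $MountDir
    if ($LASTEXITCODE -ne 0) { throw "imagex /unmount /commit failed with exit code $LASTEXITCODE" }
    Write-Host "Drivers from $DriverDir committed to $Wim"
}
catch {
    # Any failure after the mount: unmount WITHOUT /commit so boot.wim is untouched.
    Write-Warning "$_ - discarding changes to the mounted image"
    & $imagex /unmount $MountDir
    throw
}
```

The important line is the `imagex /unmount` without `/commit` in the `catch` block: imagex discards the mounted changes in that case, so a failed injection leaves you with the original boot.wim rather than a broken one. Re-run the script after fixing the driver folder and the WIM is mounted fresh.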
14. In order to copy the WinFE files to a USB Thumb Drive you must first prepare the thumb drive so that it is clean and bootable. Follow these steps:
1. Plug-in USB thumb drive into computer
2. Start CMD
3. Start Diskpart (type: diskpart)
4. Select the relevant USB thumb drive (to see available drives, type: list disk) (to select disk type: select disk #) - where # is the relevant disk number
5. Clean the USB thumb drive (type: clean)
6. Create a primary partition (type: create partition primary)
7. Set the USB thumb drive as bootable (type: active)
8. Format the USB thumb drive (type: format fs=NTFS quick label="WinFE")
9. Exit Diskpart (type: exit)
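Step 4 is where this procedure goes wrong in practice: `clean` wipes whatever disk number you selected, and on a workstation with several disks it is easy to pick the wrong one. The PowerShell script below is an added example (not part of the original slides or of WinFE) that runs exactly the diskpart commands from steps 4 to 9 as a `diskpart /s` script file, but first looks the disk number up in Win32_DiskDrive, whose Index property is the same number diskpart shows in `list disk`, and refuses to continue unless that disk is on the USB bus. Parameter names and the temporary script file name are this example's own; Get-CimInstance needs PowerShell 3.0 or later.

```powershell
# Added example: prepare a WinFE USB thumb drive with the slide's diskpart
# sequence, after verifying the chosen disk number is really a USB disk.
param(
    [Parameter(Mandatory = $true)][int]$DiskNumber,
    [string]$Label = 'WinFE'
)

# Resolve the disk behind the number before touching it.
$disk = Get-CimInstance -ClassName Win32_DiskDrive | Where-Object { $_.Index -eq $DiskNumber }
if (-not $disk) { throw "No disk with number $DiskNumber" }
if ($disk.InterfaceType -ne 'USB') {
    throw "Disk $DiskNumber ($($disk.Model)) is on the $($disk.InterfaceType) bus, not USB; refusing to clean it"
}
$sizeGB = [math]::Round($disk.Size / 1GB, 1)
Write-Host "About to wipe disk ${DiskNumber}: $($disk.Model), $sizeGB GB"
$answer = Read-Host 'Type YES to continue'
if ($answer -ne 'YES') { throw 'Aborted by operator' }

# Slide steps 4-9, written to a script file for diskpart /s.
$script = @"
select disk $DiskNumber
clean
create partition primary
active
format fs=NTFS quick label="$Label"
exit
"@
$scriptFile = Join-Path $env:TEMP 'winfe-usb-prep.txt'
Set-Content -Path $scriptFile -Value $script -Encoding ASCII

diskpart /s $scriptFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
Remove-Item $scriptFile
Write-Host "Disk $DiskNumber is now a clean, active NTFS volume labelled $Label; copy the WinFE files to it next"
```

Running the same commands from a file rather than interactively also gives you a record of exactly what was executed against which disk, which is worth keeping alongside the build notes for the WinFE release.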
15. Live:
The software on WinFE can also be run on a live system, w/o booting into the WinFE OS (assuming portable apps).
Conducting an encryption test
Ability to image RAM, Disks, mounted encrypted partitions
Tools can all be updated on the fly
Booting:
Booting into the WinFE environment conforms to industry best practice in that it maintains the forensic state of the hard drives within the suspect’s computer.
16. EnCase - v6 & v7 (requires licence dongle and slip-streaming HASP drivers)
X-Ways / WinHex – all versions (requires licence dongle)
TrueCrypt
FTK Imager
VirtualBox
Wireshark
RegistryBrowser
Volatility – standalone version
All Nirsoft tools
Many more
17. 1. Power down computer
2. Insert WinFE USB device into suspect's computer
3. Power on computer and enter the BIOS or UEFI
While in the BIOS it is recommended to take note of the system’s date and time.
4. Once in the BIOS change the boot order to the WinFE USB device – this should show up in the BIOS as a USB device (or choose the optical drive if booting from CD)
5. Save the changes to the BIOS and let the computer reboot
6. The computer should now boot into the WinFE boot menu.
18. Write Protect Tool Management Console
Mount / unmount physical drives attached to the computer as read-only or read-write.
Add custom drivers (e.g. software RAID drivers)
22. WINDOWS OS – CryptHunter (LE only)
1. Plug in the WinFE USB thumb drive into the suspect's computer
2. The WinFE USB drive should now be visible in Explorer (My Computer). Browse to the directory titled "CryptHunter" and double-click on the file called "crypthunter". This will begin the encryption test.
3. If anything of note is discovered a pop-up box will appear warning that encryption may be present.
24. LINUX OSes – quick and dirty
Method 1 – Terminal
1. Open the terminal (console / konsole) and type mount and hit enter (return)
2. This command will list all currently mounted drives on the computer, look for the word "crypt"
26. MAC OSX – quick and dirty
Method 1 – Identify FileVault
1. Browse to "Computer" > "Users". If the user account has the following icon then "FileVault" is enabled. FileVault encrypts all of the user's files.
27. Method 2 – Activity Monitor
1. Other 3rd party encryption tools are available for Mac OSX. To check whether these encryption programs are running, browse to "Applications" > "Utilities" > "Activity Monitor"
2. Once the Activity Monitor is displayed use the drop-down menu to select "All Processes"
3. Look for any process that includes the word "crypt". If any of the processes mention the word "crypt" then it is likely that the computer features encryption.
29. RAM:
DumpIt
Simple executable, puts output in same directory as EXE
Has some issues with RAM larger than 8GB
WinPMEM
CMD based
Supports RAM larger than 8GB
Supports RAW & Crashdump formats
FTK Imager
GUI version only
Supports RAW acquisition as well as Pagefile.sys & Hiberfil.sys
Larger footprint than DumpIt & WinPMEM
HD:
FTK Imager
31. RAM:
OSXPMEM
Supports up to and including 10.9.x
Creates kernel mirror driver (must be extracted onto local
machine to run or from HFS+/exFAT partition)
Supports Raw, Mach-O, and ELF formats
1. copy OSXPMem.tar.gz to local directory
2. tar xvf OSXPMem.tar.gz
3. ./osxpmem -h to give help
4. ./osxpmem memory.dump
32. HD:
FTK Imager for Mac
CLI only, no GUI
Needs to be copied to local machine to run (or on
HFS+/exFAT partition)
Mac OSX Forensic Imager
Needs to be copied to local machine to run (or on
HFS+/exFAT partition)
33. 1. Connect an external hard drive (via USB) to the suspect's computer
2. Open "WinFE Write Protect Tool Management Console" and mount this new drive as read/write
NOTE – if this is the first drive you are mounting in WinFE it will be given the drive letter “C”
This drive will now be visible in Windows Explorer
3. Open FTK Imager and image normally
34. Even w/o X-Ways or EnCase dongles there are a number of tools to facilitate triage of devices
Apple Bootcamp script allows HFS+ partitions to be seen through WinFE w/o third party tools
35. XnView:
Graphic files
Recursively look at directories
Tag files, create reports
40. SQLite
SQLite DB Browser
SQLiteQ
Microsoft ESE/EDB/JET Blue DB files
Nirsoft ESEDatabaseView
41. Web browser history
Nirsoft BrowsingHistoryView
▪ IE (including 10/11), Firefox, Chrome, Safari
Windows Registry
Lock And Code RegistryBrowser
▪ Mount the suspect's drive as read-only using Write Protect Tool first
Very basic:
No write-protection of devices
No Windows Explorer
- all tools were 3rd party
No GUI but could run GUI software (for example FTK Imager or XWF)
Windows 8/8.1 WinFE require Windows Assessment and Deployment Kit (Windows ADK)
http://www.microsoft.com/en-us/download/details.aspx?id=39982&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
Example of slip-streaming the HASP dongle drivers (for EnCase)
Dependent on host PC resources, there is the ability to boot the suspect’s PC as a forensically sound VM with VirtualBox (requires 64bit WinFE, lots of RAM and MIP to mount physical disk)
mount image write-cached function)
If this menu is not displayed then the computer is trying to boot into another OS: pull the power cord!
If you are LE I recommend that you get access to the US CERT program CryptHunter (free):
Small footprint, able to detect many encryption programs as well as boot sector abnormalities
Supports: BestCrypt, DriveCrypt, Sophos SafeGuard, Paragon Encrypted Disk, PGPDisk, TrueCrypt, BitLocker
If non-LE (or CryptHunter is not available) it is useful to check Task Manager for running processes
Can also look at running processes to determine if any encryption programs are running
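The Task Manager fallback above (and the Activity Monitor check on slide 27) comes down to scanning running process names for "crypt" and for the product names CryptHunter knows about. The script below is an added example (not part of the original slides, of WinFE or of CryptHunter) that does that scan from PowerShell on a live Windows system and goes a little further than the slide: it also checks service and kernel driver names, since disk encryption products install filter drivers, and asks the BitLocker WMI provider for each volume's protection status. The product list is the one on the slide; the exclusion list and function names are this example's own. The plain word "crypt" would otherwise flag Windows's own Cryptographic Services on every machine, which is why the exclusion exists.

```powershell
# Added example: encryption-indicator triage on a live Windows system when
# CryptHunter is not available. Run from an elevated prompt so the BitLocker
# provider and all services are visible.
$patterns   = 'crypt', 'bestcrypt', 'drivecrypt', 'safeguard', 'paragon', 'pgp', 'truecrypt'
$exclusions = 'cryptsvc', 'cryptographic services'   # built-in Windows service, not a disk encryption product

function Test-Indicator([string]$name) {
    # True when the name resembles an encryption product and is not a known Windows component.
    foreach ($x in $exclusions) { if ($name -like "*$x*") { return $false } }
    foreach ($p in $patterns)   { if ($name -like "*$p*") { return $true } }
    return $false
}

function Find-EncryptionIndicators {
    $hits = @()

    # 1. Running processes: the same thing the Task Manager check looks at.
    foreach ($proc in Get-Process) {
        if (Test-Indicator $proc.ProcessName) { $hits += "process: $($proc.ProcessName) (PID $($proc.Id))" }
    }

    # 2. Services, by short name and display name (a product's helper service may idle while the driver works).
    foreach ($svc in Get-Service) {
        if ((Test-Indicator $svc.Name) -or (Test-Indicator $svc.DisplayName)) {
            $hits += "service: $($svc.Name) [$($svc.Status)]"
        }
    }

    # 3. Kernel drivers: full disk encryption lives in a filter driver, not a visible process.
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if ((Test-Indicator $drv.Name) -or (Test-Indicator $drv.PathName)) {
            $hits += "driver: $($drv.Name) ($($drv.PathName)) [$($drv.State)]"
        }
    }

    # 4. BitLocker per volume via Win32_EncryptableVolume (ProtectionStatus 1 = protection on).
    try {
        $vols = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                                -ClassName Win32_EncryptableVolume -ErrorAction Stop
        foreach ($v in $vols) {
            if ($v.ProtectionStatus -eq 1) { $hits += "BitLocker: protection on for $($v.DriveLetter)" }
        }
    } catch {
        Write-Warning "BitLocker status not available: $_"
    }
    return $hits
}

$found = @(Find-EncryptionIndicators)
if ($found) {
    Write-Warning 'Encryption may be present:'
    $found | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No encryption indicators found (a clean result does not prove the absence of encryption).'
}
```

Treat a hit as a reason to image RAM and any mounted encrypted volumes before powering the machine down, which is the live-mode workflow on slide 15; treat a clean result as no more than the absence of the products you looked for.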
Latest version of FileVault allows for full disk encryption and therefore the symbol may not be present on the user directory
For imaging HDs live on Windows there is FTK Imager (including CLI), Cygwin dd, and also EnCase acquisition / imager or XWF if a dongle is present
As well as Nirsoft Opera History View, cache view, etc