Upload File

cos/psa 413 day 9. agenda questions? assignment 4 posted quiz corrected –3 a’s, 3 b’s, & 3...

  • Home
  • Documents
  • COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between
63
COS/PSA 413 COS/PSA 413 Day 9

Post on 20-Dec-2015

217 views

Category:

Documents


0 download

Report

Tags:

TRANSCRIPT

Page 1: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

COS/PSA 413COS/PSA 413

Day 9

Page 2: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Agenda• Questions?• Assignment 4 posted• Quiz Corrected

– 3 A’s, 3 B’s, & 3 C’s

• Lab 3 write-ups corrected– 7 A’s & 2 B’s– Difference between explain and descibe

• Windows hash tool– hash.zip

• Continue Discussion On Working with Windows and DOS

Page 3: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Chapter 6Working with Windows and DOS

Systems

Guide to Computer Forensicsand Investigations

Third Edition

Page 4: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 4

Examining NTFS Disks

• New Technology File System (NTFS)– Introduced with Windows NT– Primary file system for Windows Vista

• Improvements over FAT file systems– NTFS provides more information about a file– NTFS gives more control over files and folders

• NTFS was Microsoft’s move toward a journaling file system

• http://technet.microsoft.com/en-us/library/cc781134.aspx

http://technet.microsoft.com/en-us/library/cc781134.aspx
Page 5: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 5

Examining NTFS Disks (continued)

• In NTFS, everything written to the disk is considered a file

• On an NTFS disk– First data set is the Partition Boot Sector– Next is Master File Table (MFT)

• NTFS results in much less file slack space

• Clusters are smaller for smaller disk drives

• NTFS also uses Unicode– An international data format

Page 6: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 6

Examining NTFS Disks (continued)

Page 7: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 7

NTFS File System

• MFT contains information about all files on the disk– Including the system files the OS uses

• In the MFT, the first 15 records are reserved for system files

• Records in the MFT are called metadata

Page 8: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 8

NTFS File System (continued)

Page 9: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 9

NTFS File System (continued)

Page 10: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 10

MFT and File Attributes

• In the NTFS MFT– All files and folders are stored in separate records of

1024 bytes each

• Each record contains file or folder information– This information is divided into record fields

containing metadata

• A record field is referred to as an attribute ID

• File or folder information is typically stored in one of two ways in an MFT record:– Resident and nonresident

Page 11: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 11

MFT and File Attributes (continued)

• Files larger than 512 bytes are stored outside the MFT– MFT record provides cluster addresses where the

file is stored on the drive’s partition• Referred to as data runs

• Each MFT record starts with a header identifying it as a resident or nonresident attribute

Page 12: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 12

Page 13: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 13

Page 14: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 14

Page 15: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 15

Page 16: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 16

MFT and File Attributes (continued)

• When a disk is created as an NTFS file structure– OS assigns logical clusters to the entire disk partition

• These assigned clusters are called logical cluster numbers (LCNs)– Become the addresses that allow the MFT to link to

nonresident files on the disk’s partition

Page 17: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 17

NTFS Data Streams

• Data streams– Ways data can be appended to existing files– Can obscure valuable evidentiary data, intentionally

or by coincidence

• In NTFS, a data stream becomes an additional file attribute– Allows the file to be associated with different

applications

• You can only tell whether a file has a data stream attached by examining that file’s MFT entry

Page 18: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 18

NTFS Compressed Files

• NTFS provides compression similar to FAT DriveSpace 3

• Under NTFS, files, folders, or entire volumes can be compressed

• Most computer forensics tools can uncompress and analyze compressed Windows data

Page 19: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 19

NTFS Encrypting File System (EFS)

• Encrypting File System (EFS)– Introduced with Windows 2000– Implements a public key and private key method of

encrypting files, folders, or disk volumes

• When EFS is used in Windows Vista Business Edition or higher, XP Professional, or 2000,– A recovery certificate is generated and sent to the

local Windows administrator account

• Users can apply EFS to files stored on their local workstations or a remote server

Page 20: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 20

EFS Recovery Key Agent

• Recovery Key Agent implements the recovery certificate– Which is in the Windows administrator account

• Windows administrators can recover a key in two ways: through Windows or from an MS-DOS command prompt

• MS-DOS commands– Cipher– Copy– Efsrecvr (used to decrypt EFS files)

Page 21: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 21

Deleting NTFS Files

• When a file is deleted in Windows XP, 2000, or NT– The OS renames it and moves it to the Recycle Bin

• Can use the Del (delete) MS-DOS command– Eliminates the file from the MFT listing in the same

way FAT does

Page 22: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 22

Understanding Whole Disk Encryption

• In recent years, there has been more concern about loss of– Personal identity information (PII) and trade

secrets caused by computer theft

• Of particular concern is the theft of laptop computers and other handheld devices

• To help prevent loss of information, software vendors now provide whole disk encryption

Page 23: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 23

Understanding Whole Disk Encryption (continued)

• Current whole disk encryption tools offer the following features:– Preboot authentication– Full or partial disk encryption with secure hibernation– Advanced encryption algorithms– Key management function– A Trusted Platform Module (TPM) microchip to

generate encryption keys and authenticate logins

Page 24: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 24

Understanding Whole Disk Encryption (continued)

• Whole disk encryption tools encrypt each sector of a drive separately

• Many of these tools encrypt the drive’s boot sector – To prevent any efforts to bypass the secured drive’s

partition

• To examine an encrypted drive, decrypt it first– Run a vendor-specific program to decrypt the drive

Page 25: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 25

Examining Microsoft BitLocker

• Available only with Vista Enterprise and Ultimate editions

• Hardware and software requirements– A computer capable of running Windows Vista– The TPM microchip, version 1.2 or newer– A computer BIOS compliant with Trusted Computing

Group (TCG)– Two NTFS partitions– The BIOS configured so that the hard drive boots

first before checking other bootable peripherals

Page 26: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 26

Examining Third-Party Disk Encryption Tools

• Some available third-party WDE utilities:– PGP Whole Disk Encryption– Voltage SecureDisk– Utimaco SafeGuard Easy– Jetico BestCrypt Volume Encryption– SoftWinter Sentry 2020 for Windows XP

• Some available open-source encryption tools:– TrueCrypt– CrossCrypt– FreeOTFE

Page 27: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 27

Understanding the Windows Registry

• Registry– A database that stores hardware and software

configuration information, network connections, user preferences, and setup information

• For investigative purposes, the Registry can contain valuable evidence

• To view the Registry, you can use:– Regedit (Registry Editor) program for Windows 9x

systems– Regedt32 for Windows 2000 and XP

Page 28: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 28

Exploring the Organization of the Windows Registry

• Registry terminology:– Registry

– Registry Editor

– HKEY

– Key

– Subkey

– Branch

– Value

– Default value

– Hives

Page 29: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 29

Exploring the Organization of the Windows Registry (continued)

Page 30: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 30

Exploring the Organization of the Windows Registry (continued)

Page 31: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 31

Exploring the Organization of the Windows Registry (continued)

Page 32: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 32

Examining the Windows Registry

• Use ProDiscover Basic to extract System.dat and User.dat from an image file

Page 33: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 33

Page 34: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 34

Examining the Windows Registry (continued)

Page 35: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 35

Examining the Windows Registry (continued)

• Use AccessData Registry Viewer to see what information you can find in these files

Page 36: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 36

Examining the Windows Registry (continued)

Page 37: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 37

Examining the Windows Registry (continued)

Page 38: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 38

Examining the Windows Registry (continued)

Page 39: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 39

Understanding Microsoft Startup Tasks

• Learn what files are accessed when Windows starts

• This information helps you determine when a suspect’s computer was last accessed– Important with computers that might have been used

after an incident was reported

Page 40: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 40

Startup in Windows NT and Later

• All NTFS computers perform the following steps when the computer is turned on:– Power-on self test (POST)– Initial startup– Boot loader– Hardware detection and configuration– Kernel loading– User logon

Page 41: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 41

Startup in Windows NT and Later (continued)

• Startup Files for Windows XP:– NT Loader (NTLDR)

– Boot.ini

– BootSect.dos

– NTDetect.com

– NTBootdd.sys

– Ntoskrnl.exe

– Hal.dll

– Pagefile.sys

– Device drivers

Page 42: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 42

Startup in Windows NT and Later (continued)

• Windows XP System Files

Page 43: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 43

Startup in Windows NT and Later (continued)

• Contamination Concerns with Windows XP– When you start a Windows XP NTFS workstation,

several files are accessed immediately• The last access date and time stamp for the files

change to the current date and time

– Destroys any potential evidence• That shows when a Windows XP workstation was last

used

Page 44: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 44

Startup in Windows 9x/Me

• System files in Windows 9x/Me containing valuable information can be altered easily during startup

• Windows 9x and Windows Me have similar boot processes– With Windows Me you can’t boot to a true MS-DOS

mode

• Windows 9x OSs have two modes:– DOS protected-mode interface (DPMI)– Protected-mode GUI

Page 45: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 45

Startup in Windows 9x/Me (continued)

• The system files used by Windows 9x have their origin in MS-DOS 6.22– Io.sys communicates between a computer’s BIOS,

the hardware, and the OS kernel• If F8 is pressed during startup, Io.sys loads the

Windows Startup menu

– Msdos.sys is a hidden text file containing startup options for Windows 9x

– Command.com provides a command prompt when booting to MS-DOS mode (DPMI)

Page 46: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 46

Startup in Windows 9x/Me (continued)

Page 47: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 47

Understanding MS-DOS Startup Tasks

• Two files are used to configure MS-DOS at startup: – Config.sys

• A text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration

– Autoexec.bat• A batch file containing customized settings for MS-

DOS that runs automatically

• Io.sys is the first file loaded after the ROM bootstrap loader finds the disk drive

Page 48: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 48

Understanding MS-DOS Startup Tasks (continued)

• Msdos.sys is the second program to load into RAM immediately after Io.sys– It looks for the Config.sys file to configure device

drivers and other settings

• Msdos.sys then loads Command.com

• As the loading of Command.com nears completion, Msdos.sys looks for and loads Autoexec.bat

Page 49: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 49

Other Disk Operating Systems

• Control Program for Microprocessors (CP/M)– First nonspecific microcomputer OS– Created by Digital Research in 1970– 8-inch floppy drives; no support for hard drives

• Digital Research Disk Operating System (DR-DOS)– Developed in 1988 to compete with MS-DOS– Used FAT12 and FAT16 and had a richer command

environment

Page 50: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 50

Other Disk Operating Systems (continued)

• Personal Computer Disk Operating System (PC-DOS)– Created by Microsoft under contract for IBM– PC-DOS works much like MS-DOS

Page 51: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 51

Understanding Virtual Machines

• Virtual machine– Allows you to create a representation of another

computer on an existing physical computer

• A virtual machine is just a few files on your hard drive– Must allocate space to it

• A virtual machine recognizes components of the physical machine it’s loaded on– Virtual OS is limited by the physical machine’s OS

Page 52: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 52

Page 53: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 53

Understanding Virtual Machines (continued)

• In computer forensics– Virtual machines make it possible to restore a

suspect drive on your virtual machine• And run nonstandard software the suspect might have

loaded

• From a network forensics standpoint, you need to be aware of some potential issues, such as:– A virtual machine used to attack another system or

network

Page 54: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 54

Creating a Virtual Machine

• Two popular applications for creating virtual machines– VMware and Microsoft Virtual PC

• Using Virtual PC– You must download and install Virtual PC first

Page 55: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 55

Creating a Virtual Machine (continued)

Page 56: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 56

Creating a Virtual Machine (continued)

Page 57: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 57

Creating a Virtual Machine (continued)

Page 58: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 58

Creating a Virtual Machine (continued)

• You need an ISO image of an OS– Because no OSs are provided with Virtual PC

• Virtual PC creates two files for each virtual machine:– A .vhd file, which is the actual virtual hard disk– A .vmc file, which keeps track of configurations you

make to that disk

• See what type of physical machine your virtual machine thinks it’s running– Open the Virtual PC Console, and click Settings

Page 59: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 59

Creating a Virtual Machine (continued)

Page 60: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 60

Creating a Virtual Machine (continued)

Page 61: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 61

Summary

• When booting a suspect’s computer, using boot media, such as forensic boot floppies or CDs, you must ensure that disk evidence isn’t altered

• The Master Boot Record (MBR) stores information about partitions on a disk

• Microsoft used FAT12 and FAT16 on older operating systems

• To find a hard disk’s capacity, use the cylinders, heads, and sectors (CHS) calculation

Page 62: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 62

Summary (continued)

• When files are deleted in a FAT file system, the Greek letter sigma (0x05) is inserted in the first character of the filename in the directory

• New Technology File System (NTFS) is more versatile because it uses the Master File Table (MFT) to track file information

• In NTFS, data streams can obscure information that might have evidentiary value

Page 63: COS/PSA 413 Day 9. Agenda Questions? Assignment 4 posted Quiz Corrected –3 A’s, 3 B’s, & 3 C’s Lab 3 w rite-ups corrected –7 A’s & 2 B’s –Difference between

Guide to Computer Forensics and Investigations 63

Summary (continued)

• Maintain a library of older operating systems and applications

• NTFS can encrypt data with EFS and BitLocker

• NTFS can compress files, folders, or volumes

• Windows Registry keeps a record of attached hardware, user preferences, network connections, and installed software

• Virtual machines enable you to run other OSs from a Windows computer


Copyright 2005 Prentice Hall1 Bus 411 DAY 11. Copyright 2005 Prentice Hall Ch 7-2 Agenda Assignment #3 corrected 3 A’s, 2 B’s, 1 C, 2 F’s and 1 non-submits

A’s device signals · 2002-09-18 · A’s device signals an interrupt B’s device signals an interrupt starts device starts device time T WAIT/block WAIT/block starts device time->

Carrano - Chapter 2CS 15033 Program Memory Allocation Program B’s Run-Time Stack (Room for B’s growth) Program B’s Data Heap Program B Program A’s

COS 125 DAY 15. Agenda Assignment 4 Posted Corrected –4 A’s, 3 B’s, 2 C’s and 1 MIA Assignment 5 posted –Due April 4 Left to do –4 Assignments (9 total)

PII Personally Identifiable Information Training and · PDF filePII‐Personally Identifiable Information‐Training and ... A in student B’s record without student A’s permission

ELC 310 Day 20. Agenda Questions? Quiz 3 Graded –2–2 A’s, 2 B’s and 2 C’s –1–1 quiz left covering all of last text (Dec 8) Market Plans Graded –3–3 A’s,

Rob Jenkins · PDF fileVary level of difficulty ... Interact with the text ... Example Practice: Divide the class into A’s and B’s, giving

ELC 200 Day 10. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 Agenda Assignment #3 Corrected –2 A’s, 10 B’s, 3 C’s, 1 D, 2 F’s and 1 non-submit

ELC 200 Day 10. Agenda Questions? Assignment 2 Corrected 11 A’s, 2 B’s Assignment 3 is Due Assignment 4 will be posted soon Quiz 2 on March 7 Chap

COS 420 DAY 5 & 6. Agenda Assignment 1 Corrected 2 A’s, 3 B’s and 1 D Good results I gave everyone full credit for question 5 since the question wasn’t

COS 338 Day 18. DAY 18 Agenda Second capstone progress report over due Lab 5 graded 1 A, 2 B’s, 2 F’s and 1 non-submits Assignment 5 Graded 2 A’s, 2 B’s

COS 413 Day 17. Agenda Quiz 2 corrected –2 A’s, 6 B’s & 1 C Assignment 5 corrected –5 B’s, 2 C’s, 1 non-submit & 1 corrupt file that I cannot read Lab

Midterm Distribution 31 A’s, 37 B’s, 26 C’s, 21 D’s, 17 F’s

ELC 200 Day 26. Agenda Questions from last Class? Assignment 6, 7 & 8 all posted Assignment 6 Corrected 6 A’s, 5 B’s, 1 C, 1 F (late) and 1 MIA Assignment

Prentice Hall © 2004 1 COS 346 Day 20. 7-2 Agenda Questions? Assignment 8 Corrected –3 A’s, 3 B’s & 2 D’s Assignment 9 Due Assignment 10 will be posted

COS/PSA 413 Day 8. Agenda Questions? Assignment 2 Corrected –5 A’s 2 B’s and 3 C’s Lab 2 Write-ups Corrected –Pay more attention to detail, answer the

Mostly A’s – Generation X Mostly B’s – Veterans Mostly C’s – Generation Y Mostly D’s – Baby Boomers Quiz

“A’s or “B’s”p1cdn4static.sharpschool.com/UserFiles/Servers... · currently the most requested series closely followed by The Selection Trilogy by Kiera Cass (The Selection,

Transmission Control Protocol (TCP) · processes on site A & B {A’s TCP informs B’s TCP to get approval {A’s TCP and B’s TCP exchange data in both directions ... N = 13, M

CHAPTER Day 21 BUS 222. Agenda Questions? Assignment 6 Corrected – 6 A’s, 3 B’s, 3 C’s, 1 MIA Assignment 7 Posted – Marketing Assignment 7.pdf Marketing

COS 125 DAY 25. Agenda Assignment 7 is corrected 5 A’s, 2 B’s, 1 C and 1 F Assignment 8 (last one) is posted Due May 2 Left to do 3 rd and final

CHAPTER Day 9 BUS 222. Ch 1 -2 Agenda Questions Assignment 2 Corrected – 5 A’s, 5 B’s, 4 C’s, 2 D’s, & 1 F Quiz 1 corrected – 2 A+, 2 A’s, 3 B’s, 3 C’s,

Athens Democracy & City Development. Test Information A’s = 67 B’s = 179 C’s = 80 D’s = 13 E’s = 4 Average grade = 83

COS/PSA 413 Day 11. Agenda Lab 4 Write-ups Corrected –2 A’s, 2 B’s and 1 C –Some need more attention to detail Lab 5 write-ups due Oct 19 Wednesday Lab

Prentice Hall © 2004 1 COS 346 Day 17. 7-2 Agenda Questions? Assignment 7 Corrected –4 A’s and 4 B’s Assignment 8 posted –Due April 6 Quiz 2 next class

Insight May 2015. Using Insight How good are the results in my subject? Number of passes Number of A’s, B’s, C’s, D’s, N/A’s How do the results in my

Our Newest Scorpion! - WSDsandridge.wsd.net › images › aboutSRJH › stakeholderreportQ12014-… · 1st Qtr. 36,775 Total Days Absent 1st Qtr. 1,860 Total A’s and B’s earned

Copyright 2005 Prentice Hall1 Bus 411 DAY11. Copyright 2005 Prentice Hall Ch 7-2 Agenda Assignment #3 Corrected 3 A’s, 3 B’s and 2 non-submit PUT

ELC 200 Day 22 E-Security. Awad –Electronic Commerce 2/e © 2003 Prentice Hall 2 Day 22 Agenda Quiz 3 Corrected –14 A’s, 2 B’s and 3 no-takes –Too easy!

COS 413 Day 15. Agenda Assignment 4 corrected –2 A’s, 5 B’s, 1 C and 1 non-submit Assignment 5 Due Assignment 6 will be assigned next week Lab 4 write-up

Copyright 2005 Prentice Hall1 Bus 411 Day 14. Copyright 2007 Prentice Hall Ch 7-2 Agenda Assignment 4 Corrected 2 A’s, 4 B’s, 2 C’s & 2 D’s Assignment

COS 125 DAY 20. Agenda Assignment 5 corrected 3 A’s, 4 B’s, 1 D and 1 F’s 4 late turn-ins @ -20 points per day Time of submission is the later of the

ELC 200 Day 23. Agenda Questions from last Class? Assignment 5 corrected 3 A’s, 2 B’s, 1 C, 3 D, 4 F’s Most D’s and F’s are due to lateness Better

COS 125 Day 17. Agenda Assignment #4 Corrected – 4 A’s, 5 B’s, 3 C’s, and 3 non-submits Assignment #5 Due Exam #3 Corrected – 5 A’s, 5 B’s, 2 C’s, 2 D’s

Chapter 9 E-Security. Awad –Electronic Commerce 2/e © 2003 Prentice Hall 2 Day 24 Agenda Quiz 3 Corrected –4 A’s, 4 B’s and 1 C Quiz 4 (last) will be