The PC as Victim

Post on 21-Dec-2015



Reviewing an Active System

Computers change state by:
• User interaction
• Process execution
• Data transfers
• Power cycles

What is Lost When You Power Down

• Registers, cache contents
• Memory contents
• State of network connections
• State of running processes
• Contents of storage media
• Contents of removable and backup media

Plan for Live Systems

Step                                Windows 2000/NT   UNIX
Establish a new shell               cmd.exe           bash
Record system date and time         date, time        w
Who is logged on                    loggedon          w
Record open sockets                 netstat           netstat
List processes that open sockets    fport             lsof
List currently running processes    pslist            ps
List systems recently connected     nbtstat           netstat
Record system time                  date, time        w
Record steps taken                  doskey            script, vi, history

BIOS

The system uses the BIOS during the boot process to identify the hard drives and storage devices that contain the OS. Check the BIOS for:
• Drive geometry of evidence media
• Boot sequence of system

Boot from a clean floppy with an OS and review the BIOS. The geometry may be different (the number of cylinders is different). Failure to log the configuration from the BIOS means that booting from the imaged disk may fail if it is not aligned on the correct cylinder boundaries. The boot process can be altered! What does this mean?

Forensic Duplication Tools

• All data must be imaged
• Tool should handle read errors
• No changes to original data
• Scientific testing (validation)
• Checksum

Methodology

• Safety net: the process of safeguarding magnetic media
• Ensures evidence is not destroyed
• Guarantees accuracy and integrity of data
• For a HD, boot from floppy (A:\)
• Virus free
• Back-up software
• Prevent writes
• Document the condition of the disk

Creating a Boot Disk

Format a: /U /S
Files on the disk: IO.sys, Msdos.sys, Command.com, Drvspace.bin (delete it)

Use diskedit to alter io.sys: use Tools to find all occurrences of C:\ (11 instances of a reference to C:\) and change them to A:\. Use MD5.

Generating a Host Image

Attach to the suspect system a write-protected, verified system disk with the operating system and duplication software, then reboot.

Generate an image of the suspect system disk and mount it on a verified system. Advantages of this approach include:
• Not affecting the operational environment of the suspect system, because you're examining an image of it on another system
• Preserving the original evidence for subsequent legal proceedings

Back up Images

• DAT is cheapest
• Zips (removable HDs): format & verify
• CD ROM as second level backup
• Safeback only does a minimum of a partition
• Physical drive is the entire drive
• Logical drives: partitions on a physical drive (0 or 1)
• Backing up logical drives misses the partition table

Duplication

Determine the need for duplication. 3 approaches:
• Image the storage medium by removing it and attaching it to the forensic station
• Image by attaching a hard drive to the suspect computer: the hard drive must be scrubbed and large enough to accommodate the data
• Image the storage medium by sending the disk image over a closed network: allows multiple images to be gathered at the same time
Perform checksums on the original and the image.

Create Duplicate

Prompts for a location to create an audit file.
4 modes of operation: Backup, Restore, Verify, Copy (backup and restore at the same time)

Hard Drives

• IDE vs SCSI drives
• Terminology: platters, cylinders, sectors, tracks
• Partitioning: partition types (see p. 69 K&H)
• Drive letters, 3 absolutes: A: & B: are floppies; C: is the booted partition

Hard Drives

[Diagram: MBR | Unused | C:\ | D:\ | Unused]
The Master Boot Record has a partition table that defines the # of drives.
Unused areas can be written to -- up to 31K of data.
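As an added example (not code from the original slides), this Python parses the partition table of a constructed 512-byte MBR, lists the sectors that belong to no partition, and checks whether anything non-zero sits there; the classic layout with the first partition at sector 63 leaves 62 sectors, 31,744 bytes, which is the "up to 31K" noted above. The image layout, the planted marker and all function names are assumptions for the demonstration.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
ENTRY_FORMAT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(sector0: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("missing MBR signature 0x55AA")
    entries = []
    for i in range(4):
        boot, _, ptype, _, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector0, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append({"slot": i, "bootable": boot == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def find_unused_regions(entries: list, total_sectors: int) -> list:
    """Sector ranges [start, end) that no partition covers.

    Sector 0 is the MBR itself; the gap between it and the first partition is
    the unused area the slide refers to. Gaps between or after partitions are
    reported the same way."""
    used = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in entries)
    regions, cursor = [], 1
    for start, end in used:
        if start > cursor:
            regions.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        regions.append((cursor, total_sectors))
    return regions


def scan_unused(image: bytes, regions: list) -> list:
    """Flag unused regions that hold anything other than zero bytes."""
    findings = []
    for start, end in regions:
        data = image[start * SECTOR_SIZE:end * SECTOR_SIZE]
        nonzero = sum(1 for b in data if b)
        if nonzero:
            first = next(i for i, b in enumerate(data) if b)
            printable = bytes(b for b in data[first:first + 48] if 32 <= b < 127)
            findings.append({"first_sector": start, "sectors": end - start,
                             "bytes_nonzero": nonzero,
                             "first_offset": start * SECTOR_SIZE + first,
                             "preview": printable})
    return findings


def build_sample_image() -> bytes:
    """Constructed 2 MiB image: two FAT16 partitions (type 0x06), the first
    starting at sector 63 as CHS-aligned tools laid it out, with a text marker
    planted in the gap so the scan has something to report."""
    total = 4096
    img = bytearray(total * SECTOR_SIZE)
    layout = [(0x80, 0x06, 63, 2000), (0x00, 0x06, 2063, 2033)]
    for i, (boot, ptype, lba, count) in enumerate(layout):
        struct.pack_into(ENTRY_FORMAT, img, 446 + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    img[510:512] = MBR_SIGNATURE
    marker = b"hidden-note-constructed-for-demo"  # constructed sample data
    img[10 * SECTOR_SIZE:10 * SECTOR_SIZE + len(marker)] = marker
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    table = parse_partition_table(image[:SECTOR_SIZE])
    gaps = find_unused_regions(table, len(image) // SECTOR_SIZE)
    for start, end in gaps:
        print(f"unused sectors {start}-{end - 1}: {(end - start) * SECTOR_SIZE} bytes")
    for hit in scan_unused(image, gaps):
        print(f"non-zero data at byte {hit['first_offset']}: {hit['preview']!r}")
```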

Chain of Custody

• List of people that touched or had control of the evidence
• Evidence tag: consent & signature, receipt & transfer, description
• A list of office staff near the evidence
• State of the system when found
• Serial numbers
• Peripherals attached
• Prevent future access with seized

Avoiding Technical Mishaps

• Altering time and date stamps
• Terminating rogue processes
• Patching the system before investigation
• Not recording commands executed on the system
• Using tools that require a GUI
• Writing over evidence by installing software drivers
• Writing over evidence by running programs that store on the hard drive

Cautions

• Never allow the suspect to touch the computer after the decision to investigate; remove/restrict under subterfuge
• Remove the computer or HD to a secure area
• Beware of magnetic devices used to erase
• Be aware of burn boxes used to destroy diskettes
• Confiscate all storage media (check keychain for Trek)

Copying Your Data

A bit stream image is the first step: the whole data, not just files.
• Safeback (standard for law enforcement) www.forensics-intl.com
• Ghost www.symantec.com
• dd (UNIX utility)
• Diskcopy /V
• Snapback www.cdp.com
• Byte Back www.toolsthatwork.com

ATTRIB

To display the attribute settings of all files in the current directory: ATTRIB
To display the attributes of a directory: ATTRIB directoryname
To display the attributes of a file: ATTRIB filename
To set or remove attributes of a file or directory: ATTRIB [+|-R] [+|-A] [+|-S] [+|-H] [directory|filename] [/S]
  +   Sets an attribute.
  -   Clears an attribute.
  R   Read-only file
  A   Archive file
  S   System file
  H   Hidden file
  /S  Processes files in all directories in the specified path

To display the attributes of a file named "news86": ATTRIB news86
To assign the Read-Only attribute to the file "report.txt": ATTRIB +R report.txt
To remove the System and Hidden attributes from "record.txt": ATTRIB -S -H record.txt
To hide the directory "c:\secret": ATTRIB +H c:\secret
To hide the files (but not the directories) in the C:\ directory: ATTRIB +H c:*.*

CHKDSK

CHKDSK [path] [/F] [/V]
  path  Specifies the drive and directory to check.
  /F    Fixes errors on the disk.
  /V    Displays the full path and name of every file on the disk.

DRIVPARM

The DRIVPARM command can only be invoked through Config.sys. It modifies the parameters of an existing physical drive; it does not create a new logical drive. The settings specified in the DRIVPARM command override the driver definitions for any previous block device.

DRIVPARM=/D:number [/C] [/F:factor] [/H:heads] [/I] [/N] [/S:sectors] [/T:tracks]
  /D:number  Specifies the physical drive number. number can range from 0 to 255. Drive number 0 corresponds with drive a:, drive number 1 corresponds with drive b:, and so on.

How could this be used?

FIND

FIND [/V] [/C] [/N] [/I] "string" "filename1" "filename2" "filename ..."
  /V        Displays all lines NOT containing the specified string.
  /C        Displays only a count of lines containing the string. If used with /V, FIND displays a count of the lines that do not contain the specified string.
  /N        Displays line numbers with the lines. If /C and /N are used together, /N is ignored.
  /I        Ignores the case of characters in string. By default FIND is case sensitive and searches for an exact character match.
  string    The text string to be found. String must be in inverted commas.
  filename  The file(s) to be searched. If filename does not contain spaces, it does not need to be enclosed in inverted commas.

To display all lines from the file "pencil.ad" that contain the string "Pencil Sharpener": FIND "Pencil Sharpener" pencil.ad
If the string contains quotation marks, these must be doubled: FIND "This paper is ""for discussion only."" It is not a final report." report.doc
To search the current directory for the string "PROMPT" in all .BAT files: FOR %f in (*.bat) DO FIND "PROMPT" %f
To search your hard disk to find and display the filenames on drive C that contain the string "CPU", you can use the pipe "|" to direct the results of a DIR command to FIND: DIR c:\ /s /b | FIND "CPU"

Remember, the default output from DIR can be upper and/or lower case depending on how a file was saved. To catch all instances of "CPU", "cpu", etc., either use the /L switch with DIR (to force lower case output) or the /I switch with FIND (to ignore case in the string).

LASTDRIVE

Used to designate the maximum number of drives (real and virtual) recognized by the operating system. The LASTDRIVE command can only be invoked from Config.sys.

LASTDRIVE=x
LASTDRIVEHIGH=x
  x  A single letter (A to Z) representing the last valid drive that MS-DOS is to recognize (default is Z). Note: a trailing colon should not be included.

PATH

The PATH command is used to view or modify the Path environment variable and is synonymous with "SET PATH=".

To set a path: PATH path1 [;path2...] or PATH=path1 [;path2...]
To add directories to an existing Path environment variable: PATH %path%;path3 [;path4...]
To clear all path settings: PATH ;
To display the current path settings: PATH

1. To add the directory c:\downloads to the regular path, enter: PATH %path%;c:\downloads
2. To add a directory name that contains a space, enclose the name in inverted commas: PATH %path%;c:\"program files"\dos or PATH %path%;"c:\program files\dos"

DEL or ERASE

To delete a file: DEL [path] filename [/P]
To delete all files in a directory (with confirmation): DEL path or DEL path\*.*
To delete all files in a directory (without confirmation): DEL path\?*.* or DEL path\** (in DOS 7.0; confirmation is required in DOS 7.1)
  filename  The file to delete.
  /P        Forces confirmation before deleting each file.

MODE

The MODE series of commands is used to control the computer's links with its peripherals:
1. Display lines and columns
2. Display configuration
3. Printer configuration
4. Serial port configuration
5. Device status
6. Redirect printing from parallel to serial port
7. Set typematic rate
8. Set code page (character set) for international use

MODE CON[:] [COLS=c] [LINES=n]
  c  The number of characters per line. c can be 40 or 80 (default: 80).
  n  The number of lines displayed on the screen. n can be 25, 43, or 50 (default: 25).
Example: MODE CON LINES=50

MODE [device] [/STATUS]
  device  The name of the device. Default: all installed devices.

DELTREE

Deletes a directory and its subdirectories.

To delete a directory and all the subdirectories and files contained therein: DELTREE [/Y] directory
To delete all the files and subdirectories but leave the directory itself: DELTREE [/Y] directory\*.*
To delete a file: DELTREE [/Y] filename
  directory  The directory to be deleted.
  /Y         Suppresses prompts for confirmation before deleting.

To delete the TEMP directory on drive C, including all files and subdirectories of the TEMP directory: DELTREE c:\temp
To delete all the files and subdirectories in the "temp" directory, leaving an empty "temp" directory for future use, and avoiding the prompt for confirmation: DELTREE /Y c:\temp\*.*
To delete the read-only file text.doc in the c:\data directory (without resetting the attributes): DELTREE /Y c:\data\text.doc

FORMAT

FORMAT drive: [/Switches]
  /V[:label]  Specifies a volume label.
  /S          Copies system files to the formatted disk (to make a boot disk).
  /B          Allocates space on the formatted disk for system files.
  /C          Tests clusters that are currently marked "bad". By default, if a disk contains clusters that have been marked as "bad", FORMAT does not retest the clusters; it simply leaves them marked "bad".
  /AUTOTEST   Formatting proceeds without further user input or warning messages. All sectors previously marked bad on the hard drive are retested (i.e. equivalent to including the /C switch).

MORE

The MORE command reads standard input from a pipe or redirected file and displays one screen of information at a time.

MORE filename
MORE < filename
command | MORE [path][filename]
  command   A command whose output is to be displayed.
  filename  File(s) to display one screen at a time.

MORE clients.new
MORE < clients.new
TYPE clients.new | MORE

PROMPT

To change the command prompt: PROMPT [text]
  text  Any series of alphanumeric characters including the following special codes:
  $P  Current drive and path
  $N  Current drive
  $V  Windows version number
  $D  Current date
  $T  Current time
  $_  Carriage return and linefeed
  $H  Backspace (erases previous character)
  $E  Escape code (ASCII code 27)
  $G  >
  $L  <
  $B  |
  $Q  =
  $$  $
To reset the prompt to its default ($N$G): PROMPT $N$G

SHELL

Specifies the command interpreter you want MS-DOS to use. The SHELL command can only be invoked from Config.sys.

SHELL=filename [path] [parameters]
  filename    The full filename and path of the command interpreter to be used.
  path        The path to the command interpreter.
  parameters  Any command-line parameters or switches that can be used with the specified command interpreter.

If Command.com is in the root directory and is to be loaded with its default values, the following line is optional: SHELL=c:\command.com c:\ /P

SWITCHES

SWITCHES= /F /K /N /E[:n]   (invoked from Config.sys)
  /F  Skips the two-second delay after displaying the "Starting MS-DOS . . ." message during startup.
  /K  Forces an enhanced keyboard to behave like a conventional keyboard. If Ansi.sys is installed, its /K switch should also be used.
  /N  Disables the F5 and F8 keys used to bypass commands in Config.sys and Autoexec.bat. It does not disable the Ctrl-F5 and Ctrl-F8 keys which bypass loading Drvspace.bin; to disable these keys, see DRVSPACE.

VOL

Displays a disk's volume label and serial number. Can be used with LABEL to identify a drive.

VOL [drive:]
VOL E:

COPY

The prime use of COPY is to copy one or more files to another location, but it can also be used to combine (concatenate) files and to type directly to a file, printer, or other device.

COPY source [destination] [/V] [/Y | /-Y]
  source       The file(s) to be copied. Although this must be a single parameter, it may include multiple files specified using wildcards (* or ?). It may also be a valid device (e.g., CON).
  destination  The directory and/or filename for the new file(s). If destination is not specified, source is copied to the current directory with the same name and creation date as the original.
  file /A      Forces COPY to treat the file as an ASCII text file.
  file /B      Forces COPY to treat the file as a binary file.
  /V           Verifies that new files can be read (does not compare with the original; see VERIFY).
  /Y           No warning prompt before overwriting a file (default when COPY is used in a batch file).
  /-Y          Displays a warning and requires confirmation before overwriting a file (default when COPY is used from the command line).

TYPE

The TYPE command is used to display the contents of an ASCII text file on screen.

TYPE filename

1. To display the contents of HOLIDAY.MAR: TYPE holiday.mar
2. If the file is too long to fit on a single screen: TYPE holiday.mar | MORE
3. To pipe the contents of GO.TXT to a DEL command requiring confirmation before deleting all files in a directory: TYPE go.txt | DEL *.*
   If the first two characters of GO.TXT are a "Y" or "y" followed by an [Enter], the files will be deleted. Anything else and the operation will be skipped.

FDISK

FDISK is a menu driven utility used to configure and/or display information about the partitions on a hard disk.

Before a hard disk can be recognized by DOS (or any other compatible operating system), a Master Boot Record (MBR) must be established. The MBR defines areas of the disk to be a(n):
• Primary Partition and/or
• Extended Partition

CAUTION: Using FDISK to modify or delete partitions on a hard drive renders all the data associated with that partition unavailable, i.e., deleted!

FDISK [/X]
To display a summary of the partition structure on all hard drives: FDISK /STATUS
To create partitions without going through the standard FDISK menus: FDISK [/X] drive [/PRI:size] [/EXT:size] [/LOG:size] [/PRMT | /Q]
To rewrite the Master Boot Record of the primary drive without altering the partition table information: FDISK /MBR
To rewrite the Master Boot Record of any drive (drive) without altering the partition table information: FDISK /CMBR drive

Pipes & Redirection

A number of DOS commands send output to the screen and/or require input from the user. Redirection is a mechanism whereby the output of a command can be fed either to some other device (a printer or file) or to another program or command.

There are four redirection functions:
  >   Redirect output
  >>  Append
  <   Redirect input
  |   Pipe

1. To print out a sorted directory listing of all files in the Windows directory: DIR c:\windows /o/a > PRN
2. To create a file containing the directory listing of the same directory: DIR c:\windows /o/a > c:\data\directories\windows.txt
3. To append the listing of the System directory to that same file: DIR c:\windows\system /o/a >> c:\data\directories\windows.txt

Batch files

COPY CON COPYFILE.BAT {ENTER}   or   EDIT COPYFILE.BAT {ENTER}
FORMAT A: {ENTER}
COPY *.* {ENTER}
DIR A: {ENTER}
CTRL+Z   or   Save, Exit from the menu

To run the file, type: COPYFILE {ENTER}

COPY

COPY source1 + source2 + ... destination [/V] [/Y | /-Y]

1. To combine "mar89.rpt", "apr89.rpt" and "may89.rpt" into one file named "report.rpt" in the current directory: COPY mar89.rpt + apr89.rpt + may89.rpt report.rpt
2. To combine all files in the current directory on the current drive that have the extension ".rpt" into one file named "combined.rpt": COPY *.rpt combined.rpt
3. To combine a series of files that have ".txt" extensions with their corresponding ".ref" files to make new files with the same file names but with ".doc" extensions (i.e. "file1.txt" is combined with "file1.ref" to form "file1.doc", and so on): COPY *.txt + *.ref *.doc
4. To combine first all files with the ".txt" extension, then all files with the ".ref" extension, into one file named "combin.doc": COPY *.txt + *.ref combin.doc

FC

Compares two files or sets of files and displays the differences between them.

FC [/Switches] file1 file2
FC c:\test1.txt c:\test2.txt
  /B    Performs a binary comparison. This is the default mode for comparing files when file1 has an extension of .EXE, .COM, .SYS, .OBJ, .LIB, or .BIN.
  /L    Compares files as ASCII. This is the default mode for comparing files when file1 does not have an extension of .EXE, .COM, .SYS, .OBJ, .LIB, or .BIN.
  /LBn  Sets the number of lines for the internal line buffer. If the files being compared have more than this number of consecutive differing lines, FC cancels the comparison. Default value of n: 100.
  /N    Displays the line numbers on an ASCII comparison.
  /C    Disregards the case of letters.
  /T    Does not expand tabs to spaces. By default, tabs are treated as spaces with 1 tab = 8 spaces.
  /W    Compresses tabs and multiple spaces to a single space for the comparison.

MEM

The MEM command is used to display a table showing how memory (RAM) is currently allocated.

MEM [/Switches]
  (none)       Displays the status of the computer's used and free memory.
  /C           Lists the programs that are currently loaded into memory and shows how much conventional and upper memory each program is using.
  /D           Lists the programs and internal drivers that are currently loaded into memory.
  /F           Lists the free areas of conventional and upper memory.
  /M progname  Shows how the program (progname) is currently using memory.
  /P           Pauses after each screenful of information.
  /H           Brief help (same as /?).

MEM /C /P

XCOPY

Copies files and directory trees.

XCOPY source [destination] [/Switches]
  source       The file(s) to be copied. Although this must be a single parameter, it may include multiple files specified using wildcards (* or ?).
  destination  The location and/or name(s) of new files.
  Scope: by default, XCOPY will confine its operation to files in the source directory.
  /E  Copies the complete subdirectory structure of source and all files therein.
  /S  Copies the complete subdirectory structure of source and all files therein but does not copy empty subdirectories.
  /T  Copies the subdirectory structure of source but does not copy any files and does not copy empty subdirectories. To include empty subdirectories, use with the /E switch.

Note: XCOPY will not copy a folder's attributes (e.g. 'hidden'). These have to be set as required using Windows Explorer or ATTRIB.

1. To copy all files and subdirectories from the data directory to the disk in drive a: xcopy c:\data a: /s or xcopy c:\data\*.* a: /s
2. To copy all files and subdirectories from the data directory created/modified since 1st Jan 1997 to the disk in drive a: xcopy c:\data a: /s /d:1/1/97

DISKCOPY

DISKCOPY is used to duplicate floppy disks. Any data on the destination disk is overwritten.

DISKCOPY drive1: [drive2:] [/1] [/V] [/M]
  drive1  Drive containing the disk to be copied from (and to, if the computer has only one floppy drive).
  drive2  Drive containing the disk to be copied to (if different from drive1).
  /V      Verifies that the information is copied correctly.
  /M      Force multi-pass copy using memory only.

DOS Commands & Utilities

www.evilpigeon.net/tutorials/commands/
http://www.butterwick0.freeserve.co.uk/tutor/menu.html
http://www.maem.umr.edu/~batch/batchtoc.htm
http://home7.inet.tele.dk/batfiles/
http://www.simtel.net/pub/msdos/
http://www.ntfs.com/products.htm
http://www.opus.co.tt/dave/index.htm

Searching for Evidence

• Know what you are looking for
• Create a list of terms
• Use text search tools to find data
• Check hacker sites for names of programs
• Anti-virus web sites for information on recent infections and registry entries

Evidence on the Hard Drive

Hard disk drives: files, erased files, file slack, hidden partitions, encrypted files, compressed data (zip), Windows swap file, Windows temp files, application temp files, hidden files/folders

Knowing How Data is Written

• Read and write in blocks of data (clusters)
• Files not stored in 1 piece or contiguous
• Fixed blocks have an even number of sectors
• Low level format creates the sectors (at the factory)
• Clusters created at high level format, done by the OS
• Floppies can have low and high level formats at the same time
• Bad sectors are marked

Tracking Files

2 areas of vulnerability:
• Signal strength of bits provides ghosts: border areas on tracks may still contain the previous signal
• Guard region on tracks: variances in the read-write head leave scraps of data
Overwriting with 0s and 1s is not a guarantee: the original signal may be stronger and leave data in the guard regions.

Tools used to Eliminate Data

• Delete and erase individual (or groups of) files: check the recycle bin; recovery with Unerase or Undelete (DOS)
• Disk scrubbers
• Fdisk and Format (DOS): Format only writes a new empty root, it does not erase data clusters; Fdisk simply rearranges partition space
• 3-pass standard: DoD 5220-22M, www.dss.mil/isec/nispom.htm
• Tools include: Evidence Eliminator, File Monster, East-Tec Eraser, WipeInfo

Shredding Data

• Simple deletes of files/folders
• Recycle bin deletes
• Shredding tools: Shred2
• Email shredding: email is persistent (simple delete, archived, backups)

File Slack

Storage space between the end of a file and the end of the last cluster assigned to it. The space is filled with random data from memory when the file is closed.

[Diagram, 512-byte units: File_A | File slack; after File_A is deleted and File_B is written over it: File_B | Parts of File_A + File slack]

Swap Files

Memory fills up and sends to the swap file.
• Dynamic (disappears on shut down)
• Static (stays and goes to unallocated space on the HD)

Unallocated (Erased File Space)

Storage space on the HD available to be overwritten by the OS when new files are created. The file name remains, the data remains, the file slack remains.
Contents may be fragments of deleted files: deletes, out of space errors, HD reformats.

Swap File

Windows relies on a swap file: it swaps disk space for RAM and acts as a scratch pad (write behind). Any work can pass through it.

Shadow (ghost) Data

Data is written in binary 0s and 1s in concentric rings (tracks). Horizontal head alignment and vertical head placement are different each time data is written and rewritten to the same track.
This limits the effectiveness of disk scrubbers: www.metanet.org/mnt/lib/homebrew_stm.html (not completely reliable yet).
Use multiple overwrites on all disks: security.tao.ca/secure_del.shtml

Examining slack, unallocated and swap

File System Layer           Location of Evidence: DOS/Windows   Location of Evidence: Linux
Application storage         File                                Files
Information classification  Directories/folder                  Directories
Storage space allocation    FAT                                 Inode & data bitmaps
Blocking format             Clusters                            Blocks
Data classification         Partitions                          Partitions
Physical                    Absolute sectors or C/H/S           Absolute sectors

Organizing for a Search

• Make 2 bitstream copies of the original; label the copies and work on only 1
• Remove the original from the work area
• Benchmark the drive file with MD5
• List files
• Determine compressed or encrypted
• Check dates
• Build a list of words to search for using TXTSEARCH (NTI) or Encase
• Unlinked clusters must be re-linked
• Deleted files recovered

Knowing How Data is Written

• Data is stored in fixed length blocks as clusters
• Size of clusters varies by type & storage capacity of media
• FAT tracks the clusters allocated to a file; FAT uses cluster numbers to find data
• FAT 12, 16, 32 each have a different number of clusters
• Sectors are units of storage of 512 bytes (4096 bits)

Looking at the FAT

• Using Norton Unerase Wizard to find the lost filenames: in-place replacement will wipe out forensic data!
• Use Diskedit /w to find deleted files
• Block allocation table is a chain for the OS to follow when reconstructing a file
• Blocks can have 3 values: pointer to next, EOF if the last one (FF F8), or bad (FF F7)
• Deleting a file causes the FAT to have a sigma character (E5) in the first byte, sets the file size to 0 and marks all blocks as available
• Reconstruction uses file size and clusters to re-create
• Add your initials to the name to identify later

Places Where Data Can Live

[Diagram: the original document, with copies in the timed backup, temp and temp print files, the swap file, and slack]

Forensic Data Locations

• Slack: space left over at the end of the data and the last cluster/block. Does every file have slack space? The amount of slack is ~half the block size: the larger the block, the more slack. Cannot access slack: the OS won't allow a read past EOF.
• Swap: WORD documents contain random data (use a hex editor or Notepad)
• Unallocated: blocks not currently in use. Files deleted have freed-up space until overwritten.
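As an added example (not code from the slides) serving both "Looking at the FAT" and the slack/unallocated discussion above, this Python builds a small constructed FAT16-style volume, follows a FAT chain using the EOF (FF F8) and bad (FF F7) values the slides give, decodes a directory entry whose first byte is E5, separates a file's bytes from the slack in its last cluster, and reconstructs a deleted file from first cluster and size the way the slides describe. Cluster size, the file layout and all function names are assumptions; the example also assumes the deleted entry still carries its size and first cluster, which that reconstruction step needs.

```python
import struct

CLUSTER_SIZE = 1024      # constructed volume: 2 sectors of 512 bytes per cluster
FIRST_DATA_CLUSTER = 2   # FAT numbers data clusters from 2
FAT_EOF_MIN = 0xFFF8     # FF F8..FF FF marks the last cluster of a chain
FAT_BAD = 0xFFF7         # FF F7 marks a bad cluster
DELETED_MARK = 0xE5      # first name byte of a deleted directory entry


def follow_chain(fat, first_cluster):
    """Walk the FAT from first_cluster to EOF, refusing loops, bad and freed clusters."""
    chain, cur = [], first_cluster
    while True:
        if cur in chain:
            raise ValueError(f"FAT loop at cluster {cur}")
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT_EOF_MIN:
            return chain
        if nxt == FAT_BAD:
            raise ValueError(f"cluster {cur} is marked bad")
        if nxt == 0:
            raise ValueError(f"chain broken at cluster {cur}: next entry is free")
        cur = nxt


def parse_dir_entry(raw):
    """Decode a 32-byte 8.3 directory entry; a 0xE5 first byte means deleted."""
    name, ext = raw[0:8], raw[8:11]
    deleted = raw[0] == DELETED_MARK
    if deleted:
        name = b"?" + name[1:]  # the first character of the name is lost
    return {"name": f"{name.decode('ascii').strip()}.{ext.decode('ascii').strip()}",
            "deleted": deleted,
            "first_cluster": struct.unpack_from("<H", raw, 26)[0],
            "size": struct.unpack_from("<I", raw, 28)[0]}


def cluster_bytes(data_area, cluster):
    off = (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return data_area[off:off + CLUSTER_SIZE]


def read_file(data_area, chain, size):
    """Return (file_bytes, slack_bytes): the OS stops at EOF; the rest of the
    last cluster is slack that an examiner reads straight from the clusters."""
    raw = b"".join(cluster_bytes(data_area, c) for c in chain)
    return raw[:size], raw[size:]


def recover_deleted(data_area, entry):
    """Rebuild a deleted file from its entry's first cluster and size, assuming
    contiguous clusters (the FAT chain itself was freed on delete)."""
    n_clusters = -(-entry["size"] // CLUSTER_SIZE)  # ceiling division
    chain = list(range(entry["first_cluster"], entry["first_cluster"] + n_clusters))
    return read_file(data_area, chain, entry["size"])[0]


def make_entry(name11, first_cluster, size, deleted=False):
    raw = bytearray(32)
    raw[0:11] = name11
    if deleted:
        raw[0] = DELETED_MARK
    struct.pack_into("<H", raw, 26, first_cluster)
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)


def build_sample_volume():
    """Constructed volume: FILE_A.TXT (3000 bytes) written to clusters 2-4 and
    deleted, then FILE_B.TXT (1500 bytes) written to clusters 2-3 over it."""
    data = bytearray(8 * CLUSTER_SIZE)           # clusters 2..9
    fat = [0xFFF8, 0xFFFF] + [0] * 8             # entries 0 and 1 are reserved
    file_a = b"".join(b"A-line %04d\n" % i for i in range(250))  # 250 * 12 bytes
    data[0:len(file_a)] = file_a
    entry_a = make_entry(b"FILE_A  TXT", 2, len(file_a), deleted=True)  # chain freed
    file_b = b"".join(b"B-line %04d\n" % i for i in range(125))  # 125 * 12 bytes
    data[0:len(file_b)] = file_b
    fat[2], fat[3] = 3, 0xFFFF
    entry_b = make_entry(b"FILE_B  TXT", 2, len(file_b))
    return fat, bytes(data), [entry_a, entry_b]


if __name__ == "__main__":
    fat, data, entries = build_sample_volume()
    live = parse_dir_entry(entries[1])
    content, slack = read_file(data, follow_chain(fat, live["first_cluster"]), live["size"])
    print(f"{live['name']}: {len(content)} bytes, slack {len(slack)} bytes begins {slack[:12]!r}")
    gone = parse_dir_entry(entries[0])
    print(f"{gone['name']} (deleted): recovered {len(recover_deleted(data, gone))} bytes")
```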

Step by Step

• Install the hard drive on the forensic box; install as secondary controller
• Forensic box set to boot from primary or floppy
• Make a bit stream image of the drive
• Authenticate the hard drive
• Document date and time

File Recovery

• Non-invasive read to determine deletes
• Restore deleted files
• File recovery tools: Norton Unerase Wizard

MD5 Checksums: Comparing Files

DOS prompt syntax: CRCMD5 /h drive
Returns unique checksums for the files on the specified drive.

Shred

Virtual Shredding: Active Records management

Document control: Active Rights Management technology
• Documents
• Web
• Email
Based on policies for key distribution.

Federal law (2000) allowed electronic documents the same legal standing as paper. Are they equal if the sender can shred them remotely? If the sender has a 30 day limit and the recipient has a 7 year legal obligation? Any vulnerabilities?

Demonstration: GetFree

Examining MS Office

• Tracking Changes set
• Properties
• Open in Notepad to find evidence

Linking to Suspect

• MAC address: ipconfig /all or winipcfg
• Hidden file folders (Notepad)
• Details about the environment stored in memory

Windows System

• Sysedit: view autoexec.bat, config.sys, Windows passwords
• Regedit: auto complete functions in IE (web sites), network information, run history, software installed (if hidden)
• Password files: find *.pwl; PWLTool www.webdon.com

Locating Saved Information

Demonstration: Hiding Files & Directories

Forensic Toolkits

Forensic Toolkit    www.foundstone.com       NT specific, command line
NTI                 www.forensics-intl.com   Any OS, command line
Coroner's Toolkit   www.fish.com             UNIX-specific, live system
ForensiX            www.all.net              Linux, GUI
Encase              www.encase.com           Popular with police, GUI

Hardware Units

ICS                 www.ics-iq.com
Forensic Computers  www.forensic-computers.com