The PC as Victim
Posted on 21-Dec-2015
Reviewing an Active System
Computers change state by:
• User interaction
• Process execution
• Data transfers
• Power cycles
What is Lost When You Power Down
• Registers, cache contents
• Memory contents
• State of network connections
• State of running processes
• Contents of storage media
• Contents of removable and backup media
Plan for Live Systems

Step                                Windows 2000/NT    UNIX
Establish a new shell               cmd.exe            bash
Record system date and time         date, time         w
Who is logged on                    loggedon           w
Record open sockets                 netstat            netstat
List processes that open sockets    fport              lsof
List currently running processes    pslist             ps
List systems recently connected     nbtstat            netstat
Record system time                  date, time         w
Record steps taken                  doskey             script, vi, history
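The UNIX column of the table above, run as one recorded procedure. This is an added example, not code from the original slides: it executes each step in order, timestamps the output, hashes it with MD5 and appends everything to a log, so "Record steps taken" is covered without a separate script(1) session. The tool names in DEFAULT_STEPS are the ones the table lists; a tool that is missing on the host is recorded as an error rather than silently skipped, which is the failure a first responder most needs to see in the log.

```python
# Added example (not from the original slides): a minimal live-response
# collector for the UNIX column of the "Plan for Live Systems" table.
import hashlib
import subprocess
import sys
from datetime import datetime, timezone

PYTHON = sys.executable  # exposed so callers can build portable steps

# (description, argv) pairs; argv form avoids starting a shell on the suspect
# system. "history" is a shell builtin, so it is not listed here.
DEFAULT_STEPS = [
    ("Record system date and time", ["date"]),
    ("Who is logged on", ["w"]),
    ("Record open sockets", ["netstat", "-an"]),
    ("List processes that open sockets", ["lsof", "-i", "-n"]),
    ("List currently running processes", ["ps", "-ef"]),
]


def run_step(description, argv):
    """Run one step; return a record of what was run, when, and what came back."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        output = proc.stdout + proc.stderr
        error = None if proc.returncode == 0 else "exit status %d" % proc.returncode
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        # a missing tool is evidence too: log it instead of dropping the step
        output, error = b"", repr(exc)
    return {
        "description": description,
        "command": " ".join(argv),
        "started": started,
        "output": output,
        "md5": hashlib.md5(output).hexdigest(),
        "error": error,
    }


def collect(steps=DEFAULT_STEPS, log_path=None):
    """Run every step in order; optionally append a human-readable log."""
    records = [run_step(desc, argv) for desc, argv in steps]
    if log_path is not None:
        with open(log_path, "ab") as log:
            for r in records:
                header = "=== %s | %s | %s | md5=%s | error=%s\n" % (
                    r["started"], r["description"], r["command"], r["md5"], r["error"])
                log.write(header.encode())
                log.write(r["output"])
                log.write(b"\n")
    return records


if __name__ == "__main__":
    for rec in collect():
        print(rec["started"], rec["command"], rec["md5"], rec["error"] or "ok")
```

Write the log to removable media or a network share rather than to the suspect disk, for the reason the "Avoiding Technical Mishaps" slide gives: anything written to the evidence drive can overwrite unallocated space.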
BIOS
The system uses the BIOS during the boot process to identify the hard drives and storage devices that contain the OS. Check the BIOS for:
• Drive geometry of the evidence media
• Boot sequence of the system
Boot from a clean floppy with an OS and review the BIOS. If the geometry is different (the number of cylinders differs), booting from the imaged disk may fail because it is not aligned on the correct cylinder boundaries; failing to log the configuration from the BIOS is how this gets missed. The boot process can be altered! What does this mean?
Forensic Duplication Tools
• All data must be imaged
• Tool should handle read errors
• No changes to original data
• Scientific testing (validation)
• Checksum
Methodology
• Safety net: the process of safeguarding magnetic media
• Ensures evidence is not destroyed
• Guarantees accuracy and integrity of data
• For a hard drive, boot from floppy (A:\)
• Virus free
• Backup software
• Prevent writes
• Document condition of disk
Creating a Boot Disk
• Format a: /U /S
• IO.sys, Msdos.sys, Command.com, Drvspace.bin (delete it)
• Use diskedit to alter io.sys: use Tools to find all occurrences of C:\ (11 instances of a reference to C:\) and change them to A:\
• Use MD5
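The diskedit step above, expressed as a script. This is an added example, not code from the original slides: it lists every offset at which a drive reference occurs in a system file, patches each one to the new drive letter in place (same length, so no other offset moves), and records MD5 before and after so the change can be documented. SAMPLE_IO_SYS is a constructed stand-in with three references; the real IO.SYS contents are not reproduced here.

```python
# Added example (not from the original slides): find and patch drive
# references in a binary system file, recording MD5 before and after.
import hashlib


def find_refs(data, needle=b"C:\\"):
    """Return the offsets of every occurrence of needle (what 'find all' lists)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def patch_drive_refs(data, old=b"C:\\", new=b"A:\\"):
    """Replace every old reference with new.

    Returns (count, patched_bytes, md5_before, md5_after). The replacement
    must be the same length: a system file is patched in place, not rewritten.
    """
    if len(old) != len(new):
        raise ValueError("binary patch must keep the file length unchanged")
    buf = bytearray(data)
    offsets = find_refs(buf, old)
    for off in offsets:
        buf[off:off + len(old)] = new
    return (len(offsets), bytes(buf),
            hashlib.md5(data).hexdigest(), hashlib.md5(buf).hexdigest())


# Constructed stand-in for a system file: three drive references among filler.
SAMPLE_IO_SYS = (b"\x00" * 16 + b"C:\\MSDOS.SYS\x00" + b"\xff" * 8 +
                 b"C:\\COMMAND.COM\x00" + b"\x90" * 4 + b"C:\\\x00" + b"\x00" * 16)

if __name__ == "__main__":
    count, patched, before, after = patch_drive_refs(SAMPLE_IO_SYS)
    print("offsets:", find_refs(SAMPLE_IO_SYS))
    print("patched %d references; md5 %s -> %s" % (count, before, after))
```

Keep both hashes with the boot disk: the "after" hash is what you verify the floppy against before each use, and the "before" hash ties it back to the clean OS files it was built from.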
Generating a Host Image
Attach to the suspect system a write-protected, verified system disk with the operating system and duplication software, then reboot.
Generate an image of the suspect system disk and mount it on a verified system. Advantages of this approach include:
• Not affecting the operational environment of the suspect system, because you are examining an image of it on another system
• Preserving the original evidence for subsequent legal proceedings
Back up Images
• DAT is cheapest
• Zips (removable HDs): format & verify
• CD ROM as a second-level backup
• Safeback only does a minimum of a partition
• A physical drive is the entire drive; logical drives are partitions on a physical drive (0 or 1)
• Backing up logical drives misses the partition table
Duplication
Determine the need for duplication. 3 approaches:
• Image the storage medium by removing it and attaching it to the forensic station
• Image by attaching a hard drive to the suspect computer: the hard drive must be scrubbed and large enough to accommodate the data
• Image the storage medium by sending the disk image over a closed network: allows multiple images to be gathered at the same time
Perform checksums on the original and the image.
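A minimal bit-stream imager in the spirit of dd, as an added example that is not code from the original slides. It shows the two properties the "Forensic Duplication Tools" slide asks for and the checksum step that closes this slide: it reads the source sector by sector, fills a sector that returns a read error with zeros instead of aborting (so the image keeps the same size and stays sector-aligned, and the bad sector is logged), and hashes both the original and the image so they can be compared. FaultyDevice is a constructed stand-in for a drive with bad sectors; a real tool reads from the device node.

```python
# Added example (not from the original slides): sector-by-sector imaging
# with read-error handling and checksum verification.
import hashlib
import io

SECTOR = 512


class FaultyDevice:
    """Constructed stand-in for a drive: reads succeed except on bad sectors."""

    def __init__(self, data, bad_sectors=()):
        if len(data) % SECTOR:
            raise ValueError("device size must be a whole number of sectors")
        self.data, self.bad = data, set(bad_sectors)

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise OSError("read error at sector %d" % n)
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image_device(dev, out):
    """Copy every sector of dev into out.

    Returns (sectors_copied, bad_sectors, md5_of_image). A sector that cannot
    be read is written as zeros so later sectors land at the right offset.
    """
    digest, bad = hashlib.md5(), []
    for n in range(dev.sectors):
        try:
            block = dev.read_sector(n)
        except OSError:
            block = b"\x00" * SECTOR
            bad.append(n)
        out.write(block)
        digest.update(block)
    return dev.sectors, bad, digest.hexdigest()


def verify_image(dev, image_bytes):
    """Re-read the device and compare sector by sector, skipping unreadable ones."""
    for n in range(dev.sectors):
        try:
            src = dev.read_sector(n)
        except OSError:
            continue
        if src != image_bytes[n * SECTOR:(n + 1) * SECTOR]:
            return False
    return True


def demo(bad_sectors=()):
    """Image a constructed 8-sector device and return the imager's report."""
    original = bytes(range(256)) * 16          # 4096 bytes = 8 sectors, constructed
    dev = FaultyDevice(original, bad_sectors)
    out = io.BytesIO()
    sectors, bad, image_md5 = image_device(dev, out)
    return {
        "sectors": sectors,
        "bad": bad,
        "image_md5": image_md5,
        "original_md5": hashlib.md5(original).hexdigest(),
        "image": out.getvalue(),
        "verified": verify_image(dev, out.getvalue()),
    }


if __name__ == "__main__":
    clean = demo()
    print("clean image: hashes match =", clean["image_md5"] == clean["original_md5"])
    damaged = demo(bad_sectors=[3])
    print("damaged image: bad sectors", damaged["bad"],
          "hashes match =", damaged["image_md5"] == damaged["original_md5"])
```

When the drive has no bad sectors the two hashes match and that single comparison is the validation. When it does, the hashes cannot match, and the bad-sector list is what goes in the notes: the image is still usable, but the examiner must be able to say exactly which sectors were unreadable at imaging time.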
Create Duplicate
Prompts for a location to create an audit file.
4 modes of operation: Backup, Restore, Verify, Copy (backup and restore at the same time)
Hard Drives
• IDE vs SCSI drives
• Terminology: platters, cylinders, sectors, tracks
• Partitioning: partition types (see p. 69 K&H)
• Drive letters, 3 absolutes: A: & B: are floppies; C: is the booted partition
Hard Drives
[Diagram: a physical drive laid out as the MBR, unused areas, and the partitions C:\ and D:\]
The Master Boot Record has a partition table that defines the number of drives.
Unused areas can be written to: up to 31K of data.
Chain of Custody
• List of people that touched or had control of evidence
• Evidence tag: consent & signature, receipt & transfer, description
• A list of office staff near evidence
• State of the system when found
• Serial numbers
• Peripherals attached
• Prevent future access with seized
Avoiding Technical Mishaps
• Altering time and date stamps
• Terminating rogue processes
• Patching the system before investigation
• Not recording commands executed on the system
• Using tools that require a GUI
• Writing over evidence by installing software drivers
• Writing over evidence by running programs that store on the hard drive
Cautions
• Never allow the suspect to touch the computer after the decision to investigate; remove/restrict under subterfuge
• Remove the computer or HD to a secure area
• Beware of magnetic devices used to erase
• Be aware of burn boxes used to destroy diskettes
• Confiscate all storage media (check keychain for Trek)
Copying Your Data
A bit stream image is the first step: the whole data, not just files.
• Safeback (standard for law enforcement) www.forensics-intl.com
• Ghost www.symantec.com
• dd (UNIX utility)
• Diskcopy /V
• Snapback www.cdp.com
• Byte Back www.toolsthatwork.com
ATTRIB
To display the attribute settings of all files in the current directory: ATTRIB
To display the attributes of a directory: ATTRIB directoryname
To display the attributes of a file: ATTRIB filename
To set or remove attributes of a file or directory: ATTRIB [+|-R] [+|-A] [+|-S] [+|-H] [directory|filename] [/S]
  +   Sets an attribute
  -   Clears an attribute
  R   Read-only file
  A   Archive file
  S   System file
  H   Hidden file
  /S  Processes files in all directories in the specified path
To display the attributes of a file named "news86": ATTRIB news86
To assign the Read-Only attribute to the file "report.txt": ATTRIB +R report.txt
To remove the System and Hidden attributes from "record.txt": ATTRIB -S -H record.txt
To hide the directory "c:\secret": ATTRIB +H c:\secret
To hide the files (but not the directories) in the C:\ directory: ATTRIB +H c:*.*
CHKDSK
CHKDSK [path] [/F] [/V]
  path  Specifies the drive and directory to check
  /F    Fixes errors on the disk
  /V    Displays the full path and name of every file on the disk
DRIVPARM
The DRIVPARM command can only be invoked through Config.sys. It modifies the parameters of an existing physical drive; it does not create a new logical drive. The settings specified in the DRIVPARM command override the driver definitions for any previous block device.
DRIVPARM=/D:number [/C] [/F:factor] [/H:heads] [/I] [/N] [/S:sectors] [/T:tracks]
  /D:number  Specifies the physical drive number. number can range from 0 to 255. Drive number 0 corresponds with drive A:, drive number 1 with drive B:, and so on.
How could this be used?
FIND
FIND [/V] [/C] [/N] [/I] "string" "filename1" "filename2" "filename ..."
  /V        Displays all lines NOT containing the specified string
  /C        Displays only a count of lines containing the string. If used with /V, FIND displays a count of the lines that do not contain the specified string
  /N        Displays line numbers with the lines. If /C and /N are used together, /N is ignored
  /I        Ignores the case of characters in string. By default FIND is case sensitive and searches for an exact character match
  string    The text string to be found. It must be in inverted commas
  filename  The file(s) to be searched. If filename does not contain spaces, it does not need to be enclosed in inverted commas
To display all lines from the file "pencil.ad" that contain the string "Pencil Sharpener": FIND "Pencil Sharpener" pencil.ad
If the string contains quotation marks, these must be doubled: FIND "This paper is ""for discussion only."" It is not a final report." report.doc
To search the current directory for the string "PROMPT" in all .BAT files: FOR %f IN (*.bat) DO FIND "PROMPT" %f
To search your hard disk to find and display the filenames on drive C that contain the string "CPU", you can use the pipe "|" to direct the results of a DIR command to FIND: DIR c:\ /s /b | FIND "CPU"
Remember, the default output from DIR can be upper and/or lower case depending on how a file was saved. To catch all instances of "CPU", "cpu", etc., either use the /L switch with DIR (to force lower case output) or the /I switch with FIND (to ignore case in the string).
LASTDRIVE
Used to designate the maximum number of drives (real and virtual) recognized by the operating system. The LASTDRIVE command can only be invoked from Config.sys.
LASTDRIVE=x
LASTDRIVEHIGH=x
  x  A single letter (A to Z) representing the last valid drive that MS-DOS is to recognize (default is Z). Note: a trailing colon should not be included.
PATH
The PATH command is used to view or modify the Path environment variable and is synonymous with "SET PATH=".
To set a path: PATH path1 [;path2...] or PATH=path1 [;path2...]
To add directories to an existing Path environment variable: PATH %path%;path3 [;path4...]
To clear all path settings: PATH ;
To display the current path settings: PATH
1. To add the directory c:\downloads to the regular path, enter: PATH %path%;c:\downloads
2. To add a directory name that contains a space, enclose the name in inverted commas: PATH %path%;c:\"program files"\dos or PATH %path%;"c:\program files\dos"
DEL or ERASE
To delete a file: DEL [path]filename [/P]
To delete all files in a directory (with confirmation): DEL path or DEL path\*.*
To delete all files in a directory (without confirmation): DEL path\?*.* or DEL path\** (in DOS 7.0; confirmation is required in DOS 7.1)
  filename  The file to delete
  /P        Forces confirmation before deleting each file
MODE
The MODE series of commands is used to control the computer's links with its peripherals:
1. Display lines and columns
2. Display configuration
3. Printer configuration
4. Serial port configuration
5. Device status
6. Redirect printing from parallel to serial port
7. Set typematic rate
8. Set code page (character set) for international use
MODE CON[:] [COLS=c] [LINES=n]
  c  The number of characters per line: 40 or 80 (default: 80)
  n  The number of lines displayed on the screen: 25, 43, or 50 (default: 25)
Example: MODE CON LINES=50
MODE [device] [/STATUS]
  device  The name of the device (default: all installed devices)
DELTREE
Delete a directory and its subdirectories.
To delete a directory and all the subdirectories and files contained therein: DELTREE [/Y] directory
To delete all the files and subdirectories but leave the directory itself: DELTREE [/Y] directory\*.*
To delete a file: DELTREE [/Y] filename
  directory  The directory to be deleted
  /Y         Suppresses prompts for confirmation before deleting
To delete the TEMP directory on drive C, including all files and subdirectories of the TEMP directory: DELTREE c:\temp
To delete all the files and subdirectories in the "temp" directory, leaving an empty "temp" directory for future use, and avoiding the prompt for confirmation: DELTREE /Y c:\temp\*.*
To delete the read-only file text.doc in the c:\data directory (without resetting the attributes): DELTREE /Y c:\data\text.doc
FORMAT
FORMAT drive: [/Switches]
  /V[:label]  Specifies a volume label
  /S          Copies system files to the formatted disk (to make a boot disk)
  /B          Allocates space on the formatted disk for system files
  /C          Tests clusters that are currently marked "bad". By default, if a disk contains clusters that have been marked as "bad", FORMAT does not retest the clusters; it simply leaves them marked "bad"
  /AUTOTEST   Formatting proceeds without further user input or warning messages. All sectors previously marked bad on the hard drive are retested (i.e. equivalent to including the /C switch)
MORE
The MORE command reads standard input from a pipe or redirected file and displays one screen of information at a time.
MORE filename
MORE < filename
command | MORE [path][filename]
  command   A command whose output is to be displayed
  filename  File(s) to display one screen at a time
Examples: MORE clients.new, MORE < clients.new, TYPE clients.new | MORE
PROMPT
To change the command prompt: PROMPT [text]
  text  Any series of alphanumeric characters, including the following special codes:
  $P  Current drive and path          $E  Escape code (ASCII code 27)
  $N  Current drive                   $G  >
  $V  Windows version number          $L  <
  $D  Current date                    $B  |
  $T  Current time                    $Q  =
  $_  Carriage return and linefeed    $$  $
  $H  Backspace (erases previous character)
To reset the prompt to its default ($N$G): PROMPT $N$G
SHELL
Specifies the command interpreter you want MS-DOS to use. The SHELL command can only be invoked from Config.sys.
SHELL=filename [path] [parameters]
  filename    The full filename and path of the command interpreter to be used
  path        The path to the command interpreter
  parameters  Any command-line parameters or switches that can be used with the specified command interpreter
If Command.com is in the root directory and is to be loaded with its default values, the following line is optional: SHELL=c:\command.com c:\ /P
SWITCHES
SWITCHES= /F /K /N /E[:n]   (invoked from Config.sys)
  /F  Skips the two-second delay after displaying the "Starting MS-DOS . . ." message during startup
  /K  Forces an enhanced keyboard to behave like a conventional keyboard. If Ansi.sys is installed, its K switch should also be used
  /N  Disables the F5 and F8 keys used to bypass commands in Config.sys and Autoexec.bat. It does not disable the Ctrl-F5 and Ctrl-F8 keys, which bypass loading Drvspace.bin; to disable these keys, see DRVSPACE
VOL
Displays a disk's volume label and serial number. Can be used with LABEL to identify a drive.
VOL [drive:]
Example: VOL E:
COPY
The prime use of COPY is to copy one or more files to another location, but it can also be used to combine (concatenate) files and to type directly to a file, printer, or other device.
COPY source [destination] [/V] [/Y | /-Y]
  source       The file(s) to be copied. Although this must be a single parameter, it may include multiple files specified using wildcards (* or ?). It may also be a valid device (e.g., CON)
  destination  The directory and/or filename for the new file(s). If destination is not specified, source is copied to the current directory with the same name and creation date as the original
  file /A      Forces COPY to treat the file as an ASCII text file
  file /B      Forces COPY to treat the file as a binary file
  /V           Verifies that new files can be read (does not compare with the original; see VERIFY)
  /Y           No warning prompt before overwriting a file (default when COPY is used in a batch file)
  /-Y          Displays a warning and requires confirmation before overwriting a file (default when COPY is used from the command line)
TYPE
The TYPE command is used to display the contents of an ASCII text file on screen.
TYPE filename
1. To display the contents of HOLIDAY.MAR: TYPE holiday.mar
2. If the file is too long to fit on a single screen: TYPE holiday.mar | MORE
3. To pipe the contents of GO.TXT to a DEL command requiring confirmation before deleting all files in a directory: TYPE go.txt | DEL *.*
   If the first two characters of GO.TXT contain a "Y" or "y" followed by an [Enter], the files will be deleted. Anything else and the operation will be skipped.
FDISK
FDISK is a menu-driven utility used to configure and/or display information about the partitions on a hard disk.
Before a hard disk can be recognized by DOS (or any other compatible operating system), a Master Boot Record (MBR) must be established. The MBR defines areas of the disk to be a(n):
• Primary Partition and/or
• Extended Partition
CAUTION: Using FDISK to modify or delete partitions on a hard drive renders all the data associated with that partition unavailable, i.e., deleted!
FDISK [/X]
To display a summary of the partition structure on all hard drives: FDISK [/STATUS]
To create partitions without going through the standard FDISK menus: FDISK [/X] drive [/PRI:size] [/EXT:size] [/LOG:size] [/PRMT | /Q]
To rewrite the Master Boot Record of the primary drive without altering the partition table information: FDISK /MBR
To rewrite the Master Boot Record of any drive (drive) without altering the partition table information: FDISK /CMBR drive
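A parser for the partition table that FDISK /STATUS summarises and that FDISK /MBR leaves untouched, which also covers the MBR layout on the "Hard Drives" slide. This is an added example, not code from the original slides or from FDISK. SAMPLE_MBR is a constructed 512-byte sector: zero boot code, a bootable FAT16 primary partition (C:) starting at LBA 63, an extended partition that would hold D:, two unused slots and the 55 AA signature. parse_mbr() decodes the four 16-byte entries at offset 0x1BE; unused_bytes_before_first_partition() measures the gap the "Hard Drives" slide calls the writable unused area; rewrite_boot_code() models what the slide says FDISK /MBR does, replacing the first 446 bytes while the table and signature stay as they were. The CHS fields are zeroed, an assumption of the example.

```python
# Added example (not from the original slides): decode an MBR partition
# table and model an FDISK /MBR-style boot-code rewrite.
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count
PARTITION_TYPES = {0x00: "unused", 0x05: "extended", 0x06: "FAT16", 0x0B: "FAT32"}


def make_entry(boot, ptype, start_lba, sectors):
    """Build one 16-byte table entry; CHS fields are zeroed (assumption: LBA only)."""
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


def parse_mbr(mbr):
    """Return a list of four dicts, one per partition table entry."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad size or missing 55 AA signature")
    entries = []
    for i in range(4):
        raw = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        boot, _chs_s, ptype, _chs_e, start, count = struct.unpack(ENTRY_FMT, raw)
        entries.append({
            "slot": i,
            "bootable": boot == 0x80,
            "type": PARTITION_TYPES.get(ptype, "0x%02x" % ptype),
            "start_lba": start,
            "sectors": count,
            "size_bytes": count * SECTOR,
        })
    return entries


def unused_bytes_before_first_partition(mbr):
    """Bytes between the end of the MBR (sector 0) and the first used partition."""
    starts = [e["start_lba"] for e in parse_mbr(mbr) if e["type"] != "unused"]
    return (min(starts) - 1) * SECTOR if starts else 0


def rewrite_boot_code(mbr, new_code):
    """Replace the 446 code bytes; keep the partition table and signature."""
    if len(new_code) > 446:
        raise ValueError("boot code must fit in 446 bytes")
    return new_code.ljust(446, b"\x00") + mbr[446:]


# Constructed sample: C: is a bootable 100 MB FAT16 partition at LBA 63, and an
# extended partition (where D: would live) follows it; slots 3 and 4 are unused.
SAMPLE_MBR = (b"\x00" * 446
              + make_entry(0x80, 0x06, 63, 204800)
              + make_entry(0x00, 0x05, 204863, 409600)
              + make_entry(0, 0, 0, 0) * 2
              + b"\x55\xaa")

if __name__ == "__main__":
    for e in parse_mbr(SAMPLE_MBR):
        print(e)
    print("unused bytes before C:", unused_bytes_before_first_partition(SAMPLE_MBR))
    patched = rewrite_boot_code(SAMPLE_MBR, b"\xeb\xfe")   # 'jmp $' stub, constructed
    print("table unchanged:", patched[TABLE_OFFSET:] == SAMPLE_MBR[TABLE_OFFSET:])
```

With the first partition at LBA 63 the gap is 62 sectors, 31744 bytes, which is the "up to 31K" the "Hard Drives" slide mentions: those sectors are outside every partition, so a file-level backup or a logical-drive image never sees them, which is the reason the "Back up Images" slide insists on imaging the physical drive.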
Pipes & Redirection
A number of DOS commands send output to the screen and/or require input from the user. Redirection is a mechanism whereby the output of a command can be fed either to some other device (a printer or file) or to another program or command.
There are four redirection functions:
  >   Redirect output
  >>  Append
  <   Redirect input
  |   Pipe
1. To print out a sorted directory listing of all files in the Windows directory: DIR c:\windows /o/a > PRN
2. To create a file containing the directory listing of the same directory: DIR c:\windows /o/a > c:\data\directories\windows.txt
3. To append the listing of the System subdirectory to that file: DIR c:\windows\system /o/a >> c:\data\directories\windows.txt
Batch files
COPY CON COPYFILE.BAT {ENTER}   or   EDIT COPYFILE.BAT {ENTER}
FORMAT A: {ENTER}
COPY *.* {ENTER}
DIR A: {ENTER}
CTRL+Z, or Save and Exit from the menu
To run the file, type: COPYFILE {ENTER}
COPY
COPY source1 + source2 + ... destination [/V] [/Y | /-Y]
1. To combine "mar89.rpt", "apr89.rpt" and "may89.rpt" into one file named "report.rpt" in the current directory: COPY mar89.rpt + apr89.rpt + may89.rpt report.rpt
2. To combine all files in the current directory on the current drive that have the extension ".rpt" into one file named "combined.rpt": COPY *.rpt combined.rpt
3. To combine a series of files that have ".txt" extensions with their corresponding ".ref" files to make new files with the same file names but with ".doc" extensions (i.e. "file1.txt" is combined with "file1.ref" to form "file1.doc", and so on): COPY *.txt + *.ref *.doc
4. To combine first all files with the ".txt" extension, then all files with the ".ref" extension, into one file named "combin.doc": COPY *.txt + *.ref combin.doc
FC
Compares two files or sets of files and displays the differences between them.
FC [/Switches] file1 file2
Example: FC c:\test1.txt c:\test2.txt
  /B    Performs a binary comparison. This is the default mode for comparing files when file1 has an extension of .EXE, .COM, .SYS, .OBJ, .LIB, or .BIN
  /L    Compares files as ASCII. This is the default mode for comparing files when file1 does not have an extension of .EXE, .COM, .SYS, .OBJ, .LIB, or .BIN
  /LBn  Sets the number of lines for the internal line buffer. If the files being compared have more than this number of consecutive differing lines, FC cancels the comparison. Default value of n: 100
  /N    Displays the line numbers on an ASCII comparison
  /C    Disregards the case of letters
  /T    Does not expand tabs to spaces. By default, tabs are treated as spaces with 1 tab = 8 spaces
  /W    Compresses tabs and multiple spaces to a single space for the comparison
MEM
The MEM command is used to display a table showing how memory (RAM) is currently allocated.
MEM [/Switches]
  (none)       Displays the status of the computer's used and free memory
  /C           Lists the programs that are currently loaded into memory and shows how much conventional and upper memory each program is using
  /D           Lists the programs and internal drivers that are currently loaded into memory
  /F           Lists the free areas of conventional and upper memory
  /M progname  Shows how the program (progname) is currently using memory
  /P           Pauses after each screenful of information
  /H           Brief help (same as /?)
XCOPY
Copies files and directory trees.
XCOPY source [destination] [/Switches]
  source       The file(s) to be copied. Although this must be a single parameter, it may include multiple files specified using wildcards (* or ?)
  destination  The location and/or name(s) of new files
Scope: by default, XCOPY will confine its operation to files in the source directory.
  /E  Copies the complete subdirectory structure of source and all files therein
  /S  Copies the complete subdirectory structure of source and all files therein but does not copy empty subdirectories
  /T  Copies the subdirectory structure of source but does not copy any files and does not copy empty subdirectories. To include empty subdirectories, use with the /E switch
Note: XCOPY will not copy a folder's attributes (e.g. 'hidden'). These have to be set as required using Windows Explorer or ATTRIB.
1. To copy all files and subdirectories from the data directory to the disk in drive A: xcopy c:\data a: /s   or   xcopy c:\data\*.* a: /s
2. To copy all files and subdirectories from the data directory created/modified since 1st Jan. 1997 to the disk in drive A: xcopy c:\data a: /s /d:1/1/97
DISKCOPY
DISKCOPY is used to duplicate floppy disks. Any data on the destination disk is overwritten.
DISKCOPY drive1: [drive2:] [/1] [/V] [/M]
  drive1  Drive containing the disk to be copied from (and to, if the computer has only one floppy drive)
  drive2  Drive containing the disk to be copied to (if different from drive1)
  /V      Verifies that the information is copied correctly
  /M      Forces a multi-pass copy using memory only
DOS Commands & Utilities
www.evilpigeon.net/tutorials/commands/
http://www.butterwick0.freeserve.co.uk/tutor/menu.html
http://www.maem.umr.edu/~batch/batchtoc.htm
http://home7.inet.tele.dk/batfiles/
http://www.simtel.net/pub/msdos/
http://www.ntfs.com/products.htm
http://www.opus.co.tt/dave/index.htm
Searching for Evidence
• Know what you are looking for
• Create a list of terms
• Use text search tools to find data
• Check hacker sites for names of programs
• Anti-virus web sites for information on recent infections and registry entries
Evidence on the Hard Drive
Hard disk drives:
• Files
• Erased files
• File slack
• Hidden partitions
• Encrypted files
• Compressed data (zip)
• Windows swap file
• Windows temp files
• Application temp files
• Hidden files/folders
Knowing How Data is Written
• Read and write in blocks of data (clusters)
• Files are not stored in 1 piece or contiguous
• Fixed blocks have an even number of sectors
• Low-level format creates the sectors (at the factory)
• Clusters are created at high-level format, done by the OS
• Floppies can have low- and high-level formats at the same time
• Bad sectors are marked
Tracking Files
2 areas of vulnerability:
• Signal strength of bits provides ghosts: border areas on tracks may still contain the previous signal
• Guard region on tracks: variances in the read-write head leave scraps of data
Overwriting with 0s and 1s is not a guarantee; the original signal may be stronger and leave data in the guard regions.
Tools Used to Eliminate Data
• Delete and erase individual (or groups of) files: check the recycle bin; recovery with Unerase or Undelete (DOS)
• Disk scrubbers
• Fdisk and Format (DOS): Format only writes a new empty root, it does not erase data clusters; Fdisk simply rearranges partition space
• 3-pass standard: DoD 5220.22-M, www.dss.mil/isec/nispom.htm
• Tools include: Evidence Eliminator, File Monster, East-Tec Eraser, WipeInfo
Shredding Data
• Simple deletes of files/folders
• Recycle bin deletes
• Shredding tools: Shred2
• Email shredding: email is persistent (simple delete, archived, backups)
File Slack
Storage space between the end of the file and the end of the last cluster assigned to that file.
The space is filled with random data from memory when the file is closed.
[Diagram, 512-byte clusters: File_A occupies a cluster plus file slack; after File_A is deleted, File_B written to the same cluster is followed by parts of File_A plus file slack]
Swap Files
Memory fills up and sends to the swap file.
• Dynamic (disappears on shutdown)
• Static (stays and goes to unallocated space on the HD)
Unallocated (Erased File Space)
Storage space on the HD available to be overwritten by the OS when new files are created: the file name remains, the data remains, the file slack remains.
Contents may be fragments of deleted files: deletes, out-of-space errors, HD reformats.
Swap File
Windows relies on a swap file:
• Swaps disk space for RAM
• Acts as a scratch pad (write behind)
• Any work can pass through
Shadow (Ghost) Data
• Data is written in binary 0 and 1 in concentric rings (tracks)
• Horizontal head alignment and vertical head placement are different each time data is written and rewritten to the same track
• Limits effectiveness of disk scrubbers: www.metanet.org/mnt/lib/homebrew_stm.html (not completely reliable yet)
• Use multiple overwrites on all disks: security.tao.ca/secure_del.shtml
Examining Slack, Unallocated and Swap

File System Layer           Location of Evidence: DOS/Windows    Location of Evidence: Linux
Application storage         File                                 Files
Information classification  Directories/folders                  Directories
Storage space allocation    FAT                                  Inode & data bitmaps
Blocking format             Clusters                             Blocks
Data classification         Partitions                           Partitions
Physical                    Absolute sectors or C/H/S            Absolute sectors
Organizing for a Search
• Make 2 bitstream copies of the original
• Label the copies and work on only 1
• Remove the original from the work area
• Benchmark the drive file with MD5
• List files
• Determine compressed or encrypted
• Check dates
• Build a list of words to search for using TXTSEARCH (NTI) or Encase
• Unlinked clusters must be re-linked
• Deleted files recovered
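The file-listing steps of the search plan above as one script. This is an added example, not code from the original slides or from TXTSEARCH or Encase: inventory() walks a mounted copy and records, per file, its MD5 (the benchmark), size and modification date, whether it looks compressed (ZIP or gzip magic bytes) or possibly encrypted (high byte entropy, a heuristic chosen for this example), and which search terms it contains. make_sample_tree() builds a constructed directory so the script runs offline; the entropy threshold and the term list are assumptions of the example.

```python
# Added example (not from the original slides): hash, date, classify and
# keyword-search every file under a directory, as a search-prep inventory.
import hashlib
import math
import os
import tempfile
from datetime import datetime, timezone

COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b")   # ZIP local header, gzip
ENTROPY_THRESHOLD = 7.5   # bits per byte; random-looking data sits near 8.0 (assumption)


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data):
    """Cheap triage of whether a text search can see inside the file."""
    if data.startswith(COMPRESSED_MAGIC):
        return "compressed"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "possibly encrypted"
    return "plain"


def inventory(root, terms):
    """Return one record per file under root, sorted by relative path."""
    lowered = [t.lower().encode() for t in terms]
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            st = os.stat(path)
            text = data.lower()   # case-insensitive search, like FIND /I
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "md5": hashlib.md5(data).hexdigest(),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "kind": classify(data),
                "hits": [t for t, tl in zip(terms, lowered) if tl in text],
            })
    records.sort(key=lambda r: r["path"])
    return records


def make_sample_tree():
    """Constructed evidence tree: a note, a fake ZIP header, and random-looking bytes."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "notes.txt"), "wb") as fh:
        fh.write(b"Meeting with ACME about the Widget project.\n")
    with open(os.path.join(root, "archive.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 60)
    # deterministic high-entropy filler: a SHA-256 chain rather than os.urandom
    block, out = b"seed", b""
    while len(out) < 4096:
        block = hashlib.sha256(block).digest()
        out += block
    with open(os.path.join(root, "vault.bin"), "wb") as fh:
        fh.write(out)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for rec in inventory(root, ["acme", "widget", "invoice"]):
        print(rec["path"], rec["kind"], rec["md5"], rec["modified"], rec["hits"])
```

Files tagged "compressed" or "possibly encrypted" are the ones a plain text search will miss; they go on a separate list to be expanded or decrypted before the term search is rerun, which is the point of the "Determine compressed or encrypted" step.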
Knowing How Data is Written
• Data is stored in fixed-length blocks as clusters
• Size of clusters varies by type & storage capacity of media
• FAT tracks the clusters allocated to a file
• FAT uses cluster numbers to find data
• FAT 12, 16, 32 each have a different number of clusters
• Sectors are units of storage of 512 bytes (4096 bits)
Looking at the FAT
• Using Norton Unerase Wizard to find the lost filenames: in-place replacement will wipe out forensic data!
• Use Diskedit /w to find deleted files
• The block allocation table is a chain for the OS to follow when reconstructing a file
• Blocks can have 3 values: pointer to next, EOF if the last one (FF F8), or bad (FF F7)
• Deleting a file causes the FAT to have a sigma character (E5) in the first byte, sets the file size to 0 and marks all blocks as available
• Reconstruction uses file size and clusters to re-create
• Add your initials to the name to identify later
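A toy FAT16-style volume that models the points on the slide above, as an added example that is not code from the original slides or from any of the tools named: cluster chains whose entries are a pointer, EOF (FFF8) or bad (FFF7); deletion that writes E5 into the first byte of the directory entry and frees the clusters while leaving the data on disk; and an Unerase-style reconstruction from the entry's first cluster and size. Two assumptions of the model: the size field survives deletion (that is what makes the reconstruction possible), and a deleted file is assumed contiguous from its first cluster, which is what recovery tools of this kind assume. The volume contents are constructed.

```python
# Added example (not from the original slides): a toy FAT volume showing
# chains, E5 deletion marking, and reconstruction from size + first cluster.
CLUSTER = 512
FREE, BAD, EOF = 0x0000, 0xFFF7, 0xFFF8
DELETED = 0xE5


class ToyFatVolume:
    def __init__(self, clusters=16):
        self.fat = [FREE] * clusters
        self.data = bytearray(clusters * CLUSTER)
        self.dir = []   # entries: {"name": bytearray(11), "first": int, "size": int}

    def write_file(self, name, content):
        """Allocate free clusters (lowest first), chain them, store content."""
        need = max(1, -(-len(content) // CLUSTER))
        free = [c for c, v in enumerate(self.fat) if v == FREE][:need]
        if len(free) < need:
            raise OSError("disk full")
        for i, c in enumerate(free):
            self.fat[c] = free[i + 1] if i + 1 < need else EOF
            piece = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = piece.ljust(CLUSTER, b"\x00")
        entry = {"name": bytearray(name.ljust(11)[:11].encode()),
                 "first": free[0], "size": len(content)}
        self.dir.append(entry)
        return entry

    def chain(self, first):
        """Follow the FAT from first to EOF; this is what the OS does to read a file."""
        out, c = [], first
        while True:
            out.append(c)
            nxt = self.fat[c]
            if nxt >= EOF:
                return out
            if nxt == BAD or nxt == FREE:
                raise ValueError("chain broken at cluster %d (value %04X)" % (c, nxt))
            c = nxt

    def read_file(self, entry):
        raw = b"".join(self.data[c * CLUSTER:(c + 1) * CLUSTER]
                       for c in self.chain(entry["first"]))
        return raw[:entry["size"]]

    def delete_file(self, entry):
        """What DEL does: E5 in the first name byte, clusters freed, data untouched."""
        for c in self.chain(entry["first"]):
            self.fat[c] = FREE
        entry["name"][0] = DELETED

    def recover_deleted(self, entry):
        """Unerase-style rebuild; returns (bytes, clusters reused since deletion)."""
        if entry["name"][0] != DELETED:
            raise ValueError("entry is not marked deleted")
        need = max(1, -(-entry["size"] // CLUSTER))
        clusters = list(range(entry["first"], entry["first"] + need))
        reused = [c for c in clusters if self.fat[c] != FREE]   # overwritten since
        raw = b"".join(self.data[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)
        return bytes(raw[:entry["size"]]), reused


def demo():
    """Delete a 3-cluster file, recover it, then show what a later write does."""
    vol = ToyFatVolume()
    original = bytes(range(65, 91)) * 50            # 1300 bytes, constructed
    entry = vol.write_file("REPORT TXT", original)
    vol.delete_file(entry)
    first_try, reused = vol.recover_deleted(entry)
    vol.write_file("NEW     TXT", b"new data" * 70)  # 560 bytes: takes clusters 0 and 1
    second_try, reused2 = vol.recover_deleted(entry)
    return original, first_try, reused, second_try, reused2


if __name__ == "__main__":
    original, a, r1, b, r2 = demo()
    print("recovered intact:", a == original, "reused:", r1)
    print("recovered after new write:", b == original, "reused:", r2)
```

The "reused" list is the forensic caveat the slide's Unerase warning points at: once any cluster of the deleted file has been handed to a new file, the reconstruction is partly that new file's data, and writing the recovered file back onto the same volume (in-place replacement) would take yet more free clusters that may hold other deleted evidence.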
Places Where Data Can Live
[Diagram: an original document and the places copies of its data can live: timed backup, temp, temp print, swap, slack]
Forensic Data Locations
Slack: space left over at the end of the data and the last cluster/block. Does every file have slack space? The amount of slack is about half the block size; the larger the block, the more slack. You cannot access slack: the OS won't allow a read past EOF.
Swap: WORD documents contain random data (use a hex editor or Notepad).
Unallocated: blocks not currently in use. Files deleted have freed-up space until overwritten.
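The File_A / File_B diagram from the "File Slack" slide as a simulation, so that the slack and unallocated locations described here can be pulled out of a constructed disk image. This is an added example, not code from the original slides. The OS writes a file's bytes into its clusters but does not clear the rest of the last cluster, so when File_B is written into a cluster File_A used to occupy, File_B's slack holds the tail of File_A, and the cluster File_A used beyond that is unallocated and still holds File_A's data. slack_size() also answers the "does every file have slack space?" question: no, when the size is an exact multiple of the cluster size. Cluster size and file contents are constructed.

```python
# Added example (not from the original slides): simulate file slack and
# unallocated space on a cluster-based disk after a delete and a rewrite.
CLUSTER = 512


def slack_size(file_size, cluster=CLUSTER):
    """Bytes between EOF and the end of the last cluster; 0 for exact multiples."""
    return (-file_size) % cluster if file_size else 0


def clusters_needed(file_size, cluster=CLUSTER):
    return max(1, -(-file_size // cluster))


class ToyDisk:
    def __init__(self, clusters=8, cluster=CLUSTER):
        self.cluster = cluster
        self.image = bytearray(clusters * cluster)
        self.allocated = {}   # cluster number -> owning file name

    def write(self, name, first, content):
        """Store content from cluster `first` on, leaving the tail of the last cluster as it was."""
        cl = self.cluster
        for i in range(clusters_needed(len(content), cl)):
            start = (first + i) * cl
            piece = content[i * cl:(i + 1) * cl]
            self.image[start:start + len(piece)] = piece   # no clearing past EOF
            self.allocated[first + i] = name
        return {"name": name, "first": first, "size": len(content)}

    def delete(self, entry):
        """Delete = release the clusters; nothing on the platter changes."""
        last = entry["first"] + clusters_needed(entry["size"], self.cluster)
        for c in range(entry["first"], last):
            self.allocated.pop(c, None)

    def slack(self, entry):
        """The bytes an application cannot read: after EOF, to the end of the last cluster."""
        last = entry["first"] + clusters_needed(entry["size"], self.cluster) - 1
        eof = entry["first"] * self.cluster + entry["size"]
        return bytes(self.image[eof:(last + 1) * self.cluster])

    def unallocated(self):
        """Contents of every cluster not currently assigned to a file."""
        return {c: bytes(self.image[c * self.cluster:(c + 1) * self.cluster])
                for c in range(len(self.image) // self.cluster)
                if c not in self.allocated}


# Constructed contents: File_A is 900 bytes (clusters 0 and 1), File_B is 100 bytes.
FILE_A = b"".join(b"A%03d" % i for i in range(225))
FILE_B = b"B" * 100


def demo():
    disk = ToyDisk()
    a = disk.write("File_A", 0, FILE_A)
    disk.delete(a)                       # File_A's name is gone; its bytes are not
    b = disk.write("File_B", 0, FILE_B)  # reuses cluster 0 only
    return {
        "slack_b": disk.slack(b),                  # File_A bytes 100..511
        "unallocated_1": disk.unallocated()[1],    # File_A bytes 512..899, then zeros
        "slack_of_exact_multiple": slack_size(1024),
    }


if __name__ == "__main__":
    r = demo()
    print("File_B slack starts with:", r["slack_b"][:12])
    print("unallocated cluster 1 starts with:", r["unallocated_1"][:12])
    print("slack of a 1024-byte file:", r["slack_of_exact_multiple"])
```

Reading File_B through the file system returns only its 100 bytes, which is the "OS won't allow a read past EOF" point; the 412 bytes of File_A behind it are reachable only by reading the image at the cluster level, as this code does.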
Step by Step
• Install the hard drive on the forensic box, as secondary controller
• Forensic box set to boot from primary or floppy
• Make a bit stream image of the drive
• Authenticate the hard drive
• Document date and time
File Recovery
• Non-invasive read to determine deletes
• Restore deleted files
• File recovery tools: Norton Unerase Wizard
Comparing Files
DOS prompt syntax: CRCMD5 /h drive
Returns unique checksums for files on the specified drive.
Document Control
Active Rights Management technology
• Documents
• Web
Based on policies for key distribution.
Federal law (2000) allowed electronic documents the same legal standing as paper. Are they equal if the sender can shred them remotely? If the sender has a 30-day limit and the recipient has a 7-year legal obligation?
Examining MS Office
• Tracking Changes set
• Properties
• Open in Notepad to find evidence
Linking to Suspect
• MAC address: ipconfig /all or winipcfg
• Hidden file folders (Notepad)
• Details about the environment stored in memory
Windows System
• Sysedit: view autoexec.bat, config.sys, Windows passwords
• Regedit: auto-complete functions in IE (web sites), network information, run history, software installed (if hidden)
• Password files: find *.pwl; PWLTool www.webdon.com
Forensic Toolkits
• Forensic Toolkit www.foundstone.com: NT-specific, command line
• NTI www.forensics-intl.com: any OS, command line
• Coroner's Toolkit www.fish.com: UNIX-specific, live system
• ForensiX www.all.net: Linux, GUI
• Encase www.encase.com: popular with police, GUI