Methods and techniques for extracting evidence out of the original PC and into the hands of a forensic investigator.
The underlying technology has changed since 400 B.C., but covered writing (steganography) is alive and well. Unfortunately, modern sentries are as overwhelmed, and possibly as oblivious, as they were then.
Two possible situations arise when forensically examining a system for evidence of an intrusion: performing live incident response and/or conducting a post mortem examination of hard drives.
Most digital activities leave definite traces, allowing investigators to obtain essential evidence, solve criminal cases, and prevent crimes.
Despite its importance, report writing meets with a lot of ambivalence, and even antipathy, in our industry.
Windows Forensic Analysis Toolkit by Harlan Carvey provides the reader with an in-depth understanding of the Digital Forensic analysis of Windows 7 systems.
Registry Keys (notably MountedDevices in the SYSTEM hive) track each mounted volume and the drive letter assigned to it by the NTFS file system. Information concerning any external devices that had previously been attached to the system will be recorded in certain Registry Keys.
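As an added example (not code from the page or from Carvey's book), the following decodes the three value layouts found under HKLM\SYSTEM\MountedDevices: a 12-byte MBR record (4-byte disk signature plus 8-byte partition offset), a UTF-16LE USBSTOR device path for a removable device, and a "DMIO:ID:" prefix followed by a 16-byte GPT partition GUID. The sample values and the drive letters in SAMPLE_MOUNTED_DEVICES are constructed for illustration; on a real case the bytes come from a live registry export or an offline hive parsed with a separate tool.

```python
"""Decode MountedDevices value data into the volume and device facts an examiner wants.

Added example, not from the page. Layouts follow the documented MountedDevices conventions:
  * MBR volume : 12 bytes = 4-byte disk signature + 8-byte partition byte offset (little-endian)
  * USB device : UTF-16LE device instance path beginning with _??_USBSTOR#
  * GPT volume : b"DMIO:ID:" followed by the 16-byte partition GUID
"""
import struct
import uuid

# Constructed sample values (value name -> REG_BINARY data), not from a real system.
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x1A2B3C4D, 0x100000),
    r"\DosDevices\E:": (
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00"
        "#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    r"\??\Volume{a1b2c3d4-0000-1111-2222-333344445555}":
        b"DMIO:ID:" + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,
}


def decode_mounted_device(data: bytes) -> dict:
    """Classify one MountedDevices value and pull out its identifying fields."""
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        return {"type": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    if len(data) == 12:
        # MBR: a 6-character UTF-16 device path never occurs, so 12 bytes means signature+offset.
        sig, offset = struct.unpack("<IQ", data)
        return {"type": "mbr", "disk_signature": f"{sig:08X}", "partition_offset": offset}
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"type": "unknown", "raw": data.hex()}
    if text.startswith("_??_USBSTOR#"):
        # _??_USBSTOR#Disk&Ven_<v>&Prod_<p>&Rev_<r>#<serial>&<instance>#{class GUID}
        parts = text.split("#")
        fields = dict(p.split("_", 1) for p in parts[1].split("&")[1:])
        return {
            "type": "usb",
            "vendor": fields.get("Ven"),
            "product": fields.get("Prod"),
            "revision": fields.get("Rev"),
            "serial": parts[2].split("&")[0],  # ties the letter to a USBSTOR Enum entry
        }
    return {"type": "other", "path": text}


def decode_all(values: dict) -> list:
    """Decode every value and keep the value name alongside the result."""
    return [dict(name=name, **decode_mounted_device(data)) for name, data in values.items()]


if __name__ == "__main__":
    for entry in decode_all(SAMPLE_MOUNTED_DEVICES):
        print(entry)
```

The USB serial recovered here is the same string that appears as the device instance key under the USBSTOR enumeration key, which is how a drive letter observed in a user's activity is tied back to a specific physical device.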
This book should be considered a must-read for anyone who wants to pursue a career in digital forensics and a must-have for those examiners already working in the discipline.
Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. For these reasons special precautions should be taken to preserve this type of evidence.
Generally, any user activity leaves some type of artifact somewhere. Depending on the type of activity, the artifacts can be of enormous forensic importance.
There are thousands of Keys in the Registry. Many of the forensically important Keys can be grouped into several broad categories based upon what potential probative information they may provide.
Characteristics of the Transmission Control Protocol (TCP) present a very simple and straightforward method for hiding data in the sequence numbers exchanged during the TCP initial handshake. From an investigative perspective, analyzing the protocol requires a network protocol analyzer or sniffer.
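As an added example (not code from the page), the block below does what an analyst would do with a capture: parse raw IPv4/TCP frames, keep the initial sequence number (ISN) of every pure SYN, group them per source/destination pair, and flag flows whose ISNs look engineered rather than random. It assumes the classic covert_tcp-style scheme in which one payload byte rides in the top 8 bits of each ISN (isn = byte << 24); the packets in CAPTURE are constructed inline by build_syn() rather than captured.

```python
"""Extract ISNs from SYN packets and detect a covert channel in them.

Added example, not from the page. Assumes the covert_tcp-style encoding
isn = payload_byte << 24, one byte per SYN. Checksums in the constructed
packets are left zero; the parser does not verify them.
"""
import socket
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10


def build_syn(src: str, dst: str, sport: int, dport: int, isn: int) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP SYN frame (no options, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, isn, 0, 5 << 4, TCP_SYN, 8192, 0, 0)
    return ip + tcp


def syn_isns(packets):
    """Yield (src, dst, isn) for every IPv4/TCP packet with SYN set and ACK clear."""
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
            continue
        ihl = (pkt[0] & 0x0F) * 4
        tcp = pkt[ihl:]
        if len(tcp) < 20:
            continue
        flags = tcp[13]
        if flags & TCP_SYN and not flags & TCP_ACK:
            src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
            yield src, dst, struct.unpack("!I", tcp[4:8])[0]


def find_covert_streams(packets, min_syns: int = 4) -> dict:
    """Return {(src, dst): decoded bytes} for flows whose ISNs all have a zero low 24 bits.

    A modern stack randomizes ISNs, so a run of SYNs whose ISNs are all exact
    multiples of 2**24 is a strong anomaly; min_syns limits false positives on tiny flows.
    """
    flows = defaultdict(list)
    for src, dst, isn in syn_isns(packets):
        flows[(src, dst)].append(isn)
    suspicious = {}
    for flow, isns in flows.items():
        if len(isns) >= min_syns and all(isn & 0x00FFFFFF == 0 for isn in isns):
            suspicious[flow] = bytes(isn >> 24 for isn in isns)
    return suspicious


# Constructed capture: a covert sender spelling out b"forensics" one byte per SYN,
# plus two ordinary-looking SYNs from another host with random ISNs.
CAPTURE = [
    build_syn("10.0.0.5", "10.0.0.9", 40000 + i, 80, b << 24)
    for i, b in enumerate(b"forensics")
] + [
    build_syn("10.0.0.7", "10.0.0.9", 51000, 443, 0x8F3A21C7),
    build_syn("10.0.0.7", "10.0.0.9", 51001, 443, 0x2B9E7710),
]


if __name__ == "__main__":
    for flow, payload in find_covert_streams(CAPTURE).items():
        print(f"{flow[0]} -> {flow[1]}: {payload!r}")
```

Other encodings (a byte in the low bits, or data spread across the IP identification field) need a different decoder, but the investigative steps are the same: isolate the handshake packets with a sniffer, tabulate the header fields per flow, and look for values that a compliant stack would never produce.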
The importance of accurate, technically competent, and valid examination results cannot be overstated. Laboratory accreditation can provide a standard which can ensure confidence in the results obtained from the examination of digital evidence.
Our ability to discover hidden information during our investigations is vital, especially as new and innovative methods continue to evolve.
Its application to cyber crime brings a new and exciting dimension to the famous Locard Exchange Principle.
A typical Windows 7 Registry consists of at least five Hives, each of which performs a different function.
Before we turn our attention to the New Year, let’s take a moment to reflect on the top five articles of 2011.
Open source forensic tools may not be easy to work with, but can save a lot of grief down the road when used to validate results from proprietary tools.
Explaining what went wrong in an unsuccessful investigation requires consideration and professionalism.
While the transition from film to digital happened with little fanfare, the vastly different steps, processes, limitations, and vulnerabilities involved when creating a digital photograph haven’t been widely recognized.
Many forensic examiners are not familiar with the Registry or its forensic importance. One way to gain first-hand knowledge is to explore the Registry on a live, non-forensic computer.
A step by step guide to handling a cyberstalking investigation.
Understanding the crime of cyberstalking will provide law enforcement with tools to serve their community in the new communication age.
To reduce the impact of cyber attacks, today’s organizations must be prepared for a rapid incident response to minimize damage to IT systems and maximize the amount of information they can learn about the attack.
The digital forensic community is receiving more criminal cases involving iTunes and other programs that support the Digital Audio Access Protocol where video files of suspected child pornography are shared across a local network. This article highlights investigations into these systems.