COEN 252 Computer Forensics
Windows Evidence Acquisition Boot Disk
Use a boot disk:
- To copy evidence from the hard drive (but there are usually better ways).
- To preview a system to discover whether an incident has occurred.
- To use a string search to see whether the computer contains evidence.
Windows Evidence Acquisition Boot Disk
A Windows boot disk should prevent files on the evidence drive from being altered.
Modify command.com and io.sys to prevent them from accessing system components on the evidence drive.
Windows Evidence Acquisition Boot Disk
Delete the drvspace.bin file, because it attempts to open compressed volumes.
Add the drivers needed to collect the evidence (Ethernet connection, Zip drive, etc.) to the boot disk.
Windows boot disks cannot access NTFS drives directly.
Windows Evidence Acquisition Boot Disk
Alternatively, use a Linux boot disk:
- Forensic and Incident Response Environment (FIRE)
- Helix (Knoppix-based)
- Knoppix STD
- Local Area Security Linux
- Penguin Sleuth Kit (Knoppix-based)
- Plan-B
- Snarl (FreeBSD-based)
Evidence Gathering
Write-protect the evidence hard drive in software, by intercepting INT 13h accesses to the disk.
Write-protect the evidence hard drive in hardware.
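The software write blocker mentioned above works by sitting in the INT 13h interrupt chain and refusing the BIOS functions that modify the medium while letting reads through. The following is an added model of that decision logic, not code from the lecture: the evidence "disk" is a Python bytearray and the "interrupt" is a method call, whereas a real DOS blocker installs a resident handler in the INT 13h vector. The function codes (AH = 02h/42h read, 03h/05h/0Bh/43h write) and the "write protected" status 03h are the BIOS values; the sector contents are constructed.

```python
"""Model of a software write blocker that filters BIOS INT 13h disk requests.

Added teaching example, not from the lecture. The evidence disk is simulated
with a bytearray; a real blocker hooks the INT 13h vector with a resident
program, but the allow/deny decision it makes is the one modelled here.
"""
import hashlib

SECTOR_SIZE = 512

# INT 13h function codes (register AH) that modify the medium:
# 03h write sectors, 05h format track, 0Bh write long, 43h extended write.
WRITE_FUNCTIONS = {0x03, 0x05, 0x0B, 0x43}
# Read functions the blocker passes through: 02h read sectors, 42h extended read.
READ_SECTOR_FUNCTIONS = {0x02, 0x42}

STATUS_OK = 0x00
STATUS_WRITE_PROTECTED = 0x03  # BIOS status code for a write-protected medium


class SimulatedDisk:
    """Sector-addressed byte store standing in for the evidence drive (constructed)."""

    def __init__(self, sectors: int, fill: bytes = b"EVIDENCE"):
        pattern = (fill * (SECTOR_SIZE // len(fill) + 1))[:SECTOR_SIZE]
        self.data = bytearray(pattern * sectors)

    def read(self, lba: int, count: int) -> bytes:
        start = lba * SECTOR_SIZE
        return bytes(self.data[start:start + count * SECTOR_SIZE])

    def write(self, lba: int, payload: bytes) -> None:
        start = lba * SECTOR_SIZE
        self.data[start:start + len(payload)] = payload

    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


class Int13WriteBlocker:
    """Sits between callers and the disk the way a hooked INT 13h handler would."""

    def __init__(self, disk: SimulatedDisk):
        self.disk = disk
        self.blocked = []  # (function code, lba) of every refused write

    def request(self, ah: int, lba: int = 0, count: int = 1, payload: bytes = b""):
        """Return (status, data) as AH and the caller's buffer would hold afterwards."""
        if ah in WRITE_FUNCTIONS:
            # Refuse without touching the medium and report "write protected".
            self.blocked.append((ah, lba))
            return STATUS_WRITE_PROTECTED, b""
        if ah in READ_SECTOR_FUNCTIONS:
            return STATUS_OK, self.disk.read(lba, count)
        # Remaining functions (reset, get drive parameters, ...) do not alter the medium.
        return STATUS_OK, b""


def acquisition_demo() -> dict:
    """Read sector 0 and attempt two writes through the blocker; hash before and after."""
    disk = SimulatedDisk(sectors=8)
    blocker = Int13WriteBlocker(disk)
    before = disk.sha256()

    status_read, sector0 = blocker.request(0x02, lba=0, count=1)
    status_write = blocker.request(0x03, lba=0, payload=b"\x00" * SECTOR_SIZE)[0]
    status_ext_write = blocker.request(0x43, lba=5, payload=b"\xff" * SECTOR_SIZE)[0]

    return {
        "read_status": status_read,
        "read_len": len(sector0),
        "write_status": status_write,
        "ext_write_status": status_ext_write,
        "blocked": list(blocker.blocked),
        "unchanged": disk.sha256() == before,
    }


if __name__ == "__main__":
    print(acquisition_demo())
```

The hash comparison at the end is the check an examiner performs in practice: whatever the acquisition tools attempted, the evidence image must hash the same before and after the session.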
Tools for Live Examination
Avoid using system tools on the evidence machine; this can get you into DLL hell.
Use Filemon to check which files are being accessed when you run a command from your forensic CD.
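Reviewing a Filemon capture by eye is tedious, so the check described above can be scripted: every file the tool touched that is not on the forensic CD is a potential dependency on (or modification of) the evidence system. The following is an added example, not code from the lecture. The log rows are constructed in the tab-separated layout Filemon exports (sequence, time, process:pid, request, path, result, other), and the drive letters are assumptions: D:\TOOLS is the forensic CD and E:\ is the collection medium.

```python
"""Audit a Filemon capture for a forensic tool that strays off the trusted CD.

Added example, not from the lecture. Log rows below are constructed; the
drive letters for the tool CD and the collection medium are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

TRUSTED_TOOL_ROOT = r"D:\TOOLS"   # assumed mount point of the forensic CD
COLLECTION_ROOT = "E:\\"          # assumed target medium for acquired data
MODULE_SUFFIXES = (".dll", ".exe", ".sys", ".drv", ".ocx")
WRITE_REQUESTS = {"WRITE", "CREATE", "DELETE", "SET INFORMATION"}

# Constructed sample rows in Filemon's exported column order.
SAMPLE_LOG = [
    "1\t10:42:13 AM\tpslist.exe:1234\tOPEN\tD:\\TOOLS\\PSLIST.EXE\tSUCCESS\tOptions: Open  Access: Execute",
    "2\t10:42:13 AM\tpslist.exe:1234\tOPEN\tD:\\TOOLS\\MSVCRT.DLL\tSUCCESS\tOptions: Open  Access: Execute",
    "3\t10:42:13 AM\tpslist.exe:1234\tOPEN\tC:\\WINNT\\SYSTEM32\\NETAPI32.DLL\tSUCCESS\tOptions: Open  Access: Execute",
    "4\t10:42:13 AM\tpslist.exe:1234\tREAD\tC:\\WINNT\\SYSTEM32\\NETAPI32.DLL\tSUCCESS\tOffset: 0 Length: 4096",
    "5\t10:42:14 AM\tpslist.exe:1234\tCREATE\tC:\\TEMP\\PSLIST.LOG\tSUCCESS\tOptions: OverwriteIf  Access: All",
    "6\t10:42:14 AM\tpslist.exe:1234\tWRITE\tE:\\CASE01\\PSLIST.TXT\tSUCCESS\tOffset: 0 Length: 812",
    "7\t10:42:15 AM\texplorer.exe:988\tOPEN\tC:\\WINNT\\SYSTEM32\\SHELL32.DLL\tSUCCESS\tOptions: Open  Access: Execute",
]


@dataclass
class Finding:
    line_no: int
    kind: str
    path: str


def parse_filemon_line(line: str) -> Optional[dict]:
    """Split one exported Filemon row into its fields; None for malformed rows."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 6:
        return None
    _seq, _time, process, request, path, result = fields[:6]
    return {
        "process": process.rsplit(":", 1)[0].lower(),  # drop the ":pid" suffix
        "request": request.strip().upper(),
        "path": path.strip(),
        "result": result.strip().upper(),
    }


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies below root' test for Windows paths."""
    root = root.lower().rstrip("\\") + "\\"
    return path.lower().startswith(root)


def audit_tool_accesses(log_lines, tool_name: str,
                        tool_root: str = TRUSTED_TOOL_ROOT,
                        collection_root: str = COLLECTION_ROOT) -> List[Finding]:
    """Report modules loaded from outside the CD and writes outside the collection medium."""
    findings: List[Finding] = []
    for n, line in enumerate(log_lines, 1):
        rec = parse_filemon_line(line)
        if rec is None or rec["process"] != tool_name.lower():
            continue  # malformed row, or another process's activity
        path = rec["path"]
        if rec["request"] in WRITE_REQUESTS and not _under(path, collection_root):
            findings.append(Finding(n, "write outside collection medium", path))
        elif (rec["request"] == "OPEN"
              and path.lower().endswith(MODULE_SUFFIXES)
              and not _under(path, tool_root)):
            findings.append(Finding(n, "module loaded from evidence system", path))
    return findings


if __name__ == "__main__":
    for f in audit_tool_accesses(SAMPLE_LOG, "pslist.exe"):
        print(f"line {f.line_no}: {f.kind}: {f.path}")
```

On the constructed capture the script reports row 3 (a DLL resolved from the evidence system rather than the CD, the "DLL hell" case) and row 5 (a log file created on the evidence drive); the write to the collection medium on row 6 and the unrelated explorer.exe activity are not flagged.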