Digital Forensics Tools
Digital forensics tools and techniques
The Sleuth Kit is one of the most powerful and widely used tool collections in digital forensics. It provides individual command-line tools as well as a library for filesystem analysis, deleted file recovery, and forensic investigation of a large number of common filesystems. Working with the Sleuth Kit also teaches the investigator the complete layout of the analyzed filesystems and how data is actually stored on disk.
This module focuses on file carving. In this video we discuss the use of file carving to recover lost data for legal, corporate, and personal purposes. You will learn the advantages and disadvantages of header/footer carving versus deep carving, which examines a file's internal structure rather than relying on a footer match alone. We also discuss the main tools used for file carving: Scalpel and PhotoRec.
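The difference between the two approaches is easiest to see in code. The following is an added example, not code from the course or from Scalpel or PhotoRec: a Scalpel-style header/footer carver with a PNG structure check of the kind a deep carver performs. The carving rules and the sample "disk image" (a JPEG-like blob, an intact PNG, and a PNG split by 512 bytes of foreign data) are constructed inside the block.

```python
"""Header/footer carver with a structure check. Added example, not Scalpel or
PhotoRec code; the carving rules and the sample "disk image" are constructed here."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Scalpel-style rules: type -> (header, footer, maximum carve size in bytes)
RULES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    "png": (PNG_SIG, b"IEND\xae\x42\x60\x82", 4 * 1024 * 1024),
}


def carve(image: bytes, rules=RULES):
    """Header/footer carving: every header match is paired with the nearest
    following footer inside the size limit. Returns (type, offset, data) tuples
    sorted by offset. Nothing checks that the bytes in between belong to one
    file, which is the weakness of this technique."""
    hits = []
    for ftype, (header, footer, max_size) in rules.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_size)
            if end >= 0:
                hits.append((ftype, start, image[start:end + len(footer)]))
            pos = start + 1  # keep scanning; headers can appear inside other files
    return sorted(hits, key=lambda h: h[1])


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(rgb: bytes) -> bytes:
    """Build a valid 1x1 RGB PNG (constructed sample input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00" + rgb)  # filter byte 0 followed by one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def validate_png(data: bytes) -> bool:
    """Deep-carving style check: walk the chunk list and verify every CRC.
    A carve that spans foreign bytes (fragmentation, wrong footer) fails here."""
    if not data.startswith(PNG_SIG):
        return False
    pos, last = len(PNG_SIG), None
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if len(body) != length or pos + 12 + length > len(data):
            return False
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        last, pos = ctype, pos + 12 + length
    return last == b"IEND" and pos == len(data)


def build_sample_image() -> bytes:
    """Constructed 'disk image': a JPEG-like blob, an intact PNG, and a PNG whose
    second half was written 512 bytes further on (a fragmented file)."""
    pad = b"\x00" * 512
    jpeg_like = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 64 + b"\xff\xd9"
    intact = make_png(b"\xff\x00\x00")
    frag = make_png(b"\x00\xff\x00")
    half = len(frag) // 2
    fragmented = frag[:half] + b"A" * 512 + frag[half:]
    return pad + jpeg_like + pad + intact + pad + fragmented + pad


if __name__ == "__main__":
    for ftype, off, data in carve(build_sample_image()):
        ok = validate_png(data) if ftype == "png" else "n/a"
        print(f"{ftype} at offset {off}: {len(data)} bytes, structure valid: {ok}")
```

The header/footer pass happily returns the fragmented PNG as a single carve because it found a signature and then a footer; only the chunk walk with CRC verification reveals that the carved bytes do not form one file. That is the trade-off the module describes: header/footer carving is fast and format-agnostic, deep carving needs a parser per format but rejects bad carves.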
Event logs store time-stamped records of hardware errors, services stopping and starting, user and service account logons and logoffs, software installations, and much more. This module will teach you how to use event logs to your advantage in a forensic investigation.
The Registry is easily the best source of information when it comes to Windows investigations: a large amount of information about hardware, software, and users is stored there. In this module you learn the basics of the Registry, such as its structure, examples of what is recorded and where, how it is viewed, and the anti-forensics tools that target it.
Shortcut files, which have a .lnk extension, let users leave markers in convenient places for access to files and folders deep within the filesystem hierarchy. Common shortcuts include Desktop icons for applications, icons for external drives, and icons for mapped network shares. In this module we explore the metadata stored within LNK files and show their immense forensic value. In the lab, students process LNK files on their own and answer questions drawn from common investigative scenarios.
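To show what that metadata looks like, here is an added example (not code from the course) that parses the fixed 76-byte ShellLinkHeader and the StringData section of a .lnk file as laid out in MS-SHLLINK. The sample shortcut is constructed in the block; it carries no LinkTargetIDList or LinkInfo, only a relative path and a working directory, and the ANSI code page assumed for non-Unicode strings is cp1252.

```python
"""Parser for the ShellLinkHeader and StringData of a Windows .lnk file
(MS-SHLLINK). Added example, not course code; the sample shortcut is
constructed in build_sample_lnk()."""
import datetime
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY",
              0x20: "ARCHIVE"}
EPOCH_1601 = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(ft: int):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + datetime.timedelta(microseconds=ft // 10)


def _read_string(data: bytes, pos: int, unicode: bool):
    """StringData item: 2-byte character count, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, pos)
    raw = data[pos + 2:pos + 2 + (2 * count if unicode else count)]
    return raw.decode("utf-16-le" if unicode else "cp1252"), pos + 2 + len(raw)


def parse_lnk(data: bytes) -> dict:
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    (hsize, clsid, flags, attrs, ctime, atime, wtime, fsize, icon, show, hotkey) = \
        struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if hsize != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("HeaderSize/LinkCLSID mismatch: not a shell link")
    info = {
        "link_flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "file_attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
        # These timestamps describe the *target* as it was when the link was
        # written, not the .lnk file itself; compare them with the $MFT entry.
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize,  # low 32 bits only: targets over 4 GiB wrap here
        "icon_index": icon, "show_command": show, "hotkey": hotkey,
    }
    pos = HEADER_SIZE
    if flags & 0x01:  # LinkTargetIDList: 2-byte IDListSize, then the ItemIDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & 0x02:  # LinkInfo: 4-byte LinkInfoSize that includes itself
        (linkinfo_size,) = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size
    unicode = bool(flags & 0x80)
    for bit, key in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                     (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:
            info[key], pos = _read_string(data, pos, unicode)
    return info


def build_sample_lnk() -> bytes:
    """Constructed shortcut: a relative path and a working directory pointing at
    a spreadsheet that was last written one minute after it was created."""
    created = 132223104000000000  # 2020-01-01T00:00:00Z as FILETIME
    flags = 0x08 | 0x10 | 0x80    # HasRelativePath | HasWorkingDir | IsUnicode
    header = struct.pack("<I16sIIQQQIIIH", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         created, created + 600 * 10_000_000, created + 60 * 10_000_000,
                         1024, 0, 1, 0) + b"\x00" * 10  # Reserved1..3

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s("..\\..\\..\\Secret\\payroll.xlsx") + s("C:\\Users\\alice\\Secret")


if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k:>16}: {v}")
```

Two checks are worth keeping in any LNK parser: refuse anything whose HeaderSize is not 0x4C or whose CLSID is not the shell link CLSID (renamed files and carved fragments fail here), and remember that the three timestamps and the file size are snapshots of the target, so a target that no longer exists still leaves its last known name, size and write time behind in the shortcut.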
Jump lists were introduced in Windows 7 and are implemented as on-disk databases holding the entries shown when an application is right-clicked on the taskbar, typically the files recently opened with that application. The record of recently accessed files, together with the other metadata in the jump list databases, provides very useful forensic artifacts. In this module we discuss how to locate and analyze jump lists and how to use that analysis in investigations. During the lab, students investigate sample jump lists on their own to answer questions that commonly arise in real-world investigations.
System Restore is the backup facility integrated into Windows XP. Its purpose is to back up files that are essential to the operating system so that they can be restored after major errors. In this module you'll learn why System Restore is so useful to forensic investigators.
The Volume Shadow Copy Service (VSS) provides block-level differential backups of the volumes it is active on. Accessing these backups, known as shadow copies, during a forensic investigation lets investigators recover files, metadata, and other forensic artifacts from well before the time of acquisition. In this module we discuss the Volume Shadow Copy Service, how to access the copies it creates, and some of the pitfalls investigators face when first dealing with VSS.
Registry Decoder is an open source forensics tool that performs automated acquisition and analysis of registry hives. In this module we explore the 'live' version of this tool and also learn how to use the browse and search features of the offline analysis tool. In the lab you will be given a pre-processed Registry Decoder case and then have to answer questions based on investigation with Registry Decoder.
Registry Decoder is an open source forensics tool that performs automated acquisition and analysis of registry hives. In this module we explore the timelining, differencing, and path-based features of Registry Decoder. In the lab you will be given a pre-processed Registry Decoder case and then have to answer questions based on investigation with Registry Decoder.
Microsoft Office is the most common suite of applications found on non-server machines, as it is used by corporations, small businesses, and individuals alike. Investigating MS Office documents is relevant in cases involving data exfiltration, malware analysis, and employee misconduct, among others. This module will teach you how to gather and use the information stored in MS Office documents.
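The richest of that information sits in the docProps parts of the OOXML package. The following is an added example (not course code) that pulls the core and extended properties straight out of the zip container with the standard library and runs the two consistency checks an examiner would apply before trusting them. The sample document, its author names and company, and the fixed-timestamp convention it relies on (Office-generated packages normally stamp every zip member 1980-01-01 00:00:00) are assumptions built into the block.

```python
"""Extract authorship and timing metadata from an OOXML document (.docx/.xlsx/
.pptx) directly from the zip package. Added example, not course code; the
sample document is built in memory by build_sample_docx()."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
               "created": "dcterms:created", "modified": "dcterms:modified",
               "revision": "cp:revision", "title": "dc:title"}
APP_FIELDS = {"application": "ep:Application", "app_version": "ep:AppVersion",
              "total_edit_minutes": "ep:TotalTime", "company": "ep:Company",
              "template": "ep:Template"}
OFFICE_ZIP_TIME = (1980, 1, 1, 0, 0, 0)


def extract_office_metadata(doc: bytes) -> dict:
    meta = {}
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        names = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part in names:
                root = ET.fromstring(z.read(part))
                for key, path in fields.items():
                    el = root.find(path, NS)
                    meta[key] = el.text if el is not None else None
        # Office stamps every member 1980-01-01 00:00:00 (assumed here); other
        # values suggest the package was unpacked and rezipped by another tool.
        meta["zip_member_times"] = sorted({zi.date_time for zi in z.infolist()})
    return meta


def flag_anomalies(meta: dict) -> list:
    """Checks to run before quoting the metadata in a report. Timestamps are
    compared as W3CDTF strings, which sort correctly when both are in UTC."""
    issues = []
    if meta.get("created") and meta.get("modified") and meta["modified"] < meta["created"]:
        issues.append("modified precedes created (clock change or edited metadata)")
    if meta["zip_member_times"] != [OFFICE_ZIP_TIME]:
        issues.append("zip member timestamps are not the Office default (repacked?)")
    return issues


def build_sample_docx(member_time=OFFICE_ZIP_TIME) -> bytes:
    """Constructed .docx containing only the parts this example reads."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:title>Q1 forecast</dc:title><dc:creator>alice</dc:creator>'
            '<cp:lastModifiedBy>bob</cp:lastModifiedBy><cp:revision>7</cp:revision>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2021-03-01T09:00:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2021-03-04T17:30:00Z</dcterms:modified>'
            '</cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           '<AppVersion>16.0000</AppVersion><TotalTime>95</TotalTime>'
           '<Company>Contoso</Company><Template>Normal.dotm</Template></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in (("[Content_Types].xml", "<Types/>"),
                           ("docProps/core.xml", core), ("docProps/app.xml", app),
                           ("word/document.xml", "<document/>")):
            z.writestr(zipfile.ZipInfo(name, date_time=member_time), body)
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_office_metadata(build_sample_docx())
    for k, v in meta.items():
        print(f"{k:>20}: {v}")
    print("anomalies:", flag_anomalies(meta) or "none")
```

Creator, last modifier, revision count and total editing time are exactly what an exfiltration or misconduct case turns on, and every one of them is plain text that anyone with a zip tool can rewrite. Corroborate them against filesystem timestamps and the zip member times before relying on them.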
NTFS INDX attributes are used to track the files in a directory efficiently. They can be used to find metadata for all files in a directory, including files that were previously deleted from it. After working through this module, you should better understand how NTFS INDX records operate and how best to leverage the available information to your advantage.
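An added example (not course code) of what that leverage looks like: a parser for a $I30 INDX buffer that first undoes the update-sequence fixups, then lists the live index entries, and finally scans the slack between the in-use size and the allocated size for leftover entries of deleted files, each carrying the four $FILE_NAME timestamps, the sizes and the MFT reference. The buffer is constructed in the block (1 KiB record, 4 KiB clusters, record 5 as parent directory are assumptions), with two live files and one stale entry left in slack.

```python
"""Parse an NTFS $I30 INDX buffer: undo update-sequence fixups, list the live
entries, then scan the slack for entries of deleted files. Added example, not
course code; build_sample_indx() constructs the buffer."""
import datetime
import struct

SECTOR = 512
EPOCH_1601 = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)
NODE_HDR = 0x18   # index node header follows the INDX record header
ENTRY_HDR = 0x10  # index entry header precedes the $FILE_NAME attribute
FN_FIXED = 0x42   # $FILE_NAME bytes before the UTF-16 name


def filetime(ft: int):
    return EPOCH_1601 + datetime.timedelta(microseconds=ft // 10)


def apply_fixups(rec: bytes) -> bytes:
    """The last 2 bytes of each sector hold the update sequence number; the real
    bytes live in the update sequence array. Restore them, and reject records
    whose sectors carry a stale USN (torn write or corruption)."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        buf[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_file_name(buf: bytes, off: int) -> dict:
    (parent, ct, mt, mft_mt, at, alloc, real, flags, _rp, nlen, ns) = \
        struct.unpack_from("<QQQQQQQIIBB", buf, off)
    name = buf[off + FN_FIXED:off + FN_FIXED + 2 * nlen].decode("utf-16-le")
    return {"name": name, "namespace": ns, "parent_record": parent & 0xFFFFFFFFFFFF,
            "created": filetime(ct), "modified": filetime(mt), "mft_modified": filetime(mft_mt),
            "accessed": filetime(at), "alloc_size": alloc, "real_size": real, "flags": flags}


def looks_like_entry(buf: bytes, pos: int, limit: int) -> bool:
    """Sanity checks before trusting slack bytes as a leftover index entry."""
    if pos + ENTRY_HDR + FN_FIXED > limit:
        return False
    _ref, elen, slen, _flags = struct.unpack_from("<QHHI", buf, pos)
    nlen, ns = buf[pos + ENTRY_HDR + 0x40], buf[pos + ENTRY_HDR + 0x41]
    return (1 <= nlen <= 255 and ns <= 3 and slen == FN_FIXED + 2 * nlen
            and elen % 8 == 0 and ENTRY_HDR + slen <= elen and pos + elen <= limit)


def parse_indx(rec: bytes) -> list:
    if rec[:4] != b"INDX":
        raise ValueError("not an INDX record")
    rec = apply_fixups(rec)
    first_off, used, alloc = struct.unpack_from("<III", rec, NODE_HDR)
    pos, end_used, end_alloc = NODE_HDR + first_off, NODE_HDR + used, NODE_HDR + alloc
    entries = []
    while pos < end_used:  # live entries end with an entry carrying the LAST flag (0x02)
        ref, elen, _slen, eflags = struct.unpack_from("<QHHI", rec, pos)
        if eflags & 0x02 or elen < ENTRY_HDR:
            break
        e = parse_file_name(rec, pos + ENTRY_HDR)
        e.update(mft_record=ref & 0xFFFFFFFFFFFF, mft_seq=ref >> 48, in_slack=False)
        entries.append(e)
        pos += elen
    pos = end_used  # slack: entries of deleted/renamed files survive here until overwritten
    while pos + ENTRY_HDR + FN_FIXED <= end_alloc:
        if looks_like_entry(rec, pos, end_alloc):
            ref, elen = struct.unpack_from("<QH", rec, pos)
            e = parse_file_name(rec, pos + ENTRY_HDR)
            e.update(mft_record=ref & 0xFFFFFFFFFFFF, mft_seq=ref >> 48, in_slack=True)
            entries.append(e)
            pos += elen
        else:
            pos += 8
    return entries


def build_entry(mft_rec: int, name: str, size: int, ft: int) -> bytes:
    """Index entry for a file in the root directory (record 5); 4 KiB clusters assumed."""
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), ft, ft, ft, ft, -(-size // 4096) * 4096,
                     size, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    elen = (ENTRY_HDR + len(fn) + 7) & ~7
    return (struct.pack("<QHHI", mft_rec | (1 << 48), elen, len(fn), 0) + fn).ljust(elen, b"\x00")


def build_sample_indx(rec_len: int = 1024) -> bytes:
    """Constructed buffer: two live files plus a stale entry for a deleted file in slack."""
    ft = 132223104000000000  # 2020-01-01T00:00:00Z
    live = build_entry(64, "budget.xlsx", 20480, ft) + build_entry(65, "report.docx", 3000, ft)
    live += struct.pack("<QHHI", 0, ENTRY_HDR, 0, 0x02)  # terminating LAST entry
    stale = build_entry(66, "secrets.pdf", 99000, ft)
    usa_off, usa_count, first_off = 0x28, 1 + rec_len // SECTOR, 0x40 - NODE_HDR
    hdr = b"INDX" + struct.pack("<HHQQIIIB3x", usa_off, usa_count, 0, 0,
                                first_off, first_off + len(live), rec_len - NODE_HDR, 0)
    buf = bytearray(hdr.ljust(0x40, b"\x00") + live + stale)
    buf += b"\x00" * (rec_len - len(buf))
    usn, usa = b"\x07\x00", bytearray(b"\x07\x00")
    for i in range(1, usa_count):  # forward fixup, as the driver does on write
        usa += buf[i * SECTOR - 2:i * SECTOR]
        buf[i * SECTOR - 2:i * SECTOR] = usn
    buf[usa_off:usa_off + len(usa)] = usa
    return bytes(buf)


if __name__ == "__main__":
    for e in parse_indx(build_sample_indx()):
        print(f"{e['name']:<14} mft={e['mft_record']:<4} size={e['real_size']:<7} "
              f"modified={e['modified'].isoformat()} slack={e['in_slack']}")
```

Two practitioner notes. Fixups must be undone before anything else, otherwise two bytes of every sector are wrong and a $FILE_NAME that straddles a sector boundary parses with a corrupted timestamp or name; the mismatch check also catches half-written records. And the slack entries are the reason the module matters: the $MFT record of a deleted file can be reused quickly, but its index entry in the parent directory often lingers with the original name, sizes and all four timestamps intact.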