lesson 1 introduction to digi forensics
TRANSCRIPT
8/11/2019 Lesson 1 Introduction to digi forensics
http://slidepdf.com/reader/full/lesson-1-introduction-to-digi-forensics 1/47
Forensics
Lesson 1: Introduction
About the Instructor
Chuck Easttom [email protected] www.ChuckEasttom.com
Certifications: A+, Network+, iNet+, Server+, Linux+, MCP (Windows 2000 Pro, VB 6 [Desktop and Distributed]), MCAD, MCSE, MCDBA, MCSA, MCT, MCTS (Windows Server 2008, SQL Server 2008, Visual Studio 2010, Windows 7), MCITP (Windows 7 and SQL Server 2008), CIW Security Analyst, CEH, CHFI, ECSA, EC-Council Certified Instructor, CISSP, ISSAP, and others.
Education: B.A. and M.Ed. from Southeastern Oklahoma State University. Ph.D. in progress from Northcentral University.
Publications: 11 computer science books. Currently working on #12.
Worked as a subject matter expert for CompTIA in the creation of the Security+, Server+, and Linux+ exams as well as revising the CTT+.
7 computer-science-related provisional patents.
Experience: many years in IT, 10+ years of teaching/training.
Creates study guides for Ucertify.com http://www.ucertify.com/blog/chuck-easttom.html
Frequent expert witness in computer-related cases.
About class
Text book: Hacking Exposed Computer Forensics, Second Edition: Computer Forensics Secrets & Solutions
Publisher: McGraw-Hill Osborne Media; 2nd edition (September 10, 2009)
ISBN-10: 0071626778
ISBN-13: 978-0071626774
It is also available via Kindle.
Course is 21 hours
Computer Forensics Certifications
EC-Council Computer Hacking Forensic Investigator (CHFI) http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx
Certified Forensic Computer Examiner (CFCE), IACIS http://www.iacis.com/
Certified Computer Examiner (CCE), ISFCE http://www.isfce.com/
GIAC Certified Forensic Examiner (GCFE) http://giac.org/certifications/forensics/
What is computer forensics?
Computer forensics is the use of analytical and investigative techniques to identify, collect, examine and preserve evidence or information that is stored or encoded on digital media.
First responders play a critical role. If the situation is handled wrongly at the outset, it may be impossible to prosecute the perpetrators: evidence that has been altered, or whose handling cannot be accounted for, may be excluded.
What is computer forensics (continued)
“If you manage or administer information systems and networks, you should understand computer forensics. Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court.”) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.” - http://www.us-cert.gov/reading_room/forensics.pdf
Computer forensics
Science of investigation
Forensics process:
  Preparation
  Collection
  Analysis
  Reporting
Types of Investigations
(found in chapter 1 of Hacking Exposed Computer Forensics, Second Edition)
Theft of trade secrets
Corporate malfeasance
External breach
Civil discovery
Criminal investigations
Computer crimes
Terrorism
Child pornography
The investigator
Investigator bias
Qualifications
  Training
  Certifications: CHFI, GIAC, EnCase, CISSP
Traits
  Validation of findings
  Proper handling of evidence
  Complete investigation
  Technically competent
  Compliance with laws
The lab
(Chapter 3 of the Hacking Exposed Computer Forensics book)
Spoliation of evidence from the environment
  Temperature control
  Fire and power protection
  Flood protection
Spoliation of evidence via the network
  Isolation
Spoliation of evidence via physical access
  Locks
  Evidence lockers
Proper Case Management
Follow the law
Follow good practices
Confidentiality
DOCUMENT, DOCUMENT, DOCUMENT, DOCUMENT
Evidence gathering principles
Touch as little as possible
Establish clear procedures
Document everything
Use tested and accepted techniques and tools
The process is:
  Identify
  Collect and preserve
  Analyze
  Present
Forensics Guidelines
1) Make a digital copy of the original evidence. Investigators make a copy of the evidence and work with the copy, to reduce the possibility of inadvertently changing the original.
2) Authenticate the copy of the evidence. Investigators must verify that the copy is exactly the same as the original, normally by computing a cryptographic hash of both and comparing them.
3) Analyze the digital copy. The specific procedures performed in an investigation are determined by the circumstances under which the investigation is taking place.
Document Damages
Another important step is to document the specific losses suffered due to the attack. Losses typically include:
Labor cost spent in response and recovery (multiply the number of participating staff by their hourly rates).
If equipment was damaged, the cost of that equipment.
If data was lost or stolen, the value of that data: how much did it cost to obtain, and how much will it cost to reconstruct?
Any lost revenue, including losses due to downtime, credit given to customers for the inconvenience, or any other way in which revenue was lost.
Documenting the exact damages due to the attack is just as important as documenting the attack itself.
Warrants
According to the Supreme Court, a "'seizure' of property occurs when there is some meaningful interference with an individual's possessory interests in that property" (United States v. Jacobsen, 466 U.S. 109, 113 (1984)), and the Court has also characterized the interception of intangible communications as a seizure, in Berger v. New York, 388 U.S. 41, 59-60 (1967). This means that law enforcement need not take property for the action to be considered a seizure: merely interfering with an individual's access to his or her own property constitutes seizure, and Berger v. New York extends that to communications. If law enforcement's conduct does not violate a person's "reasonable expectation of privacy," then formally it does not constitute a Fourth Amendment "search" and no warrant is required. There have been many cases in which the issue of reasonable expectation of privacy has been argued. To use a clear example: if I save a message in an electronic diary I clearly have a reasonable expectation of privacy, but if I post that message on a public bulletin board I can have no expectation of privacy. In less clear cases the general rule courts have applied is that law enforcement officers are prohibited from accessing and viewing information stored in a computer if they would be prohibited from opening a closed container and examining its contents in the same situation.
Warrants Continued
In computer crime cases, two consent issues arise particularly often. First, when does a search exceed the scope of consent? For example, when a person agrees to the search of a location such as their apartment, does that consent authorize the retrieval of information stored in computers at the location? Second, who is the proper party to consent to a search? Can roommates, friends and parents legally grant consent to a search of another person's computer files? These are critical questions that must be considered before searching a computer. In general, courts have held that the actual owner of a property can grant consent. For example, a parent of a minor child can grant consent to search the child's living quarters and computers. A roommate who shares the rent, however, can only grant consent to search living quarters and computers that are co-owned by both parties; a roommate cannot grant consent to search the private property of the other person.
Chain of custody
Keep a record of:
  Discoverer of the evidence
  Collection location
  Date and time of collection
  Names of everyone who had access
  Names of everyone who “owned” the evidence
US Laws
TITLE 18 > PART I > CHAPTER 121
2703. Required disclosure of customer communications or records
http://www.law.cornell.edu/uscode/18/usc_sec_18_00002703----000-.html
TITLE 18 > PART I > CHAPTER 47
1029. Fraud and related activity in connection with access devices
http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001029----000-.html
TITLE 18 > PART I > CHAPTER 47
1030. Fraud and related activity in connection with computers
http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
Other Federal Laws to know
The Electronic Communications Privacy Act of 1986
The Communications Decency Act of 1996
No Electronic Theft Act of 1997
Digital Millennium Copyright Act
Children's Internet Protection Act
CAN-SPAM Act of 2003
Identity Theft Enforcement and Restitution Act of 2008
File Systems
The general purpose of a file system is to manage files. This includes:
Managing access to files. Establishing who has access rights to a given file must be handled in some systematic manner, including permissions for reading, writing and executing the file.
Tracking where on the disk each file's contents are stored, and which space is free.
File system recovery after a crash (with journaling file systems).
File Systems - Journaling
Journaling is the process whereby the file system keeps a record of the file transactions that take place, so that in the event of a crash the file system can be brought back to a consistent state. Journaling file systems are fault tolerant because every change to files, directories or file-system structures is logged before it is applied. The log in which changes are recorded is called the file system's journal, hence the term journaling file system.
There are two types of journaling: physical and logical. With physical journaling, the system logs a copy of every block that is about to be written to the storage device, before it is written; some implementations also store a checksum of each logged block so that a partially written journal entry can be detected at recovery time. With logical journaling, only the changes to file-system metadata are stored in the journal, in a compact form, rather than full copies of the blocks.
File Systems FAT
FAT (File Allocation Table) is an older file system that was used by Microsoft operating systems for many years. FAT was first implemented in Microsoft's Standalone Disk BASIC. FAT records which clusters belong to which file in a structure named, eponymously, the File Allocation Table: this table says which clusters are in use by which files and which clusters are free. The variants of FAT (FAT12, FAT16, FAT32) differ in the width of each table entry, and therefore in how many clusters a volume can address: FAT12 entries are 12 bits, FAT16 entries 16 bits, and FAT32 entries 32 bits of which 28 are used for the cluster number. (Entry width has nothing to do with file-name length; long file names came later with the VFAT extension.)
The hard drive is divided into one or more partitions. Each partition is then divided into identically sized clusters. Cluster sizes vary depending on the type of FAT file system being used and the size of the partition, but are typically between 512 bytes and 32 KB.
The File Allocation Table is really a list of entries, one per cluster on the partition. Each entry records one of five things:
  The cluster number of the next cluster of this file.
  If this cluster is the end of a chain, a special end-of-cluster-chain (EOC) value.
  A special value marking a bad cluster.
  A special value marking a reserved cluster.
  Zero, marking an open (free) cluster.
A file's directory entry stores only its name, size and first cluster. Deleting a file therefore only marks the directory entry (its first byte is set to 0xE5) and sets the file's chain entries back to free; the data stays on disk until the clusters are reused. That is what makes undelete possible, and also why a fragmented deleted file cannot be fully reconstructed from the table alone.
NOTE: Floppy disks use FAT12.
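The five entry types above, the way FAT frees a chain on delete, and the assumption an undelete tool has to make can all be shown on a tiny volume. The following is an added example written for this lesson, not code from the slides or the textbook: the cluster size, file names, contents and the eight-entry table are constructed values, and the 32-byte directory entry is built with only the fields the example reads (first cluster at offset 26, size at offset 28).

```python
"""Toy FAT16 volume: walk cluster chains, delete a file the way FAT does,
then recover it the way an undelete tool has to. Added example for this
lesson, not code from the slides or the textbook; the cluster size, file
names, contents and the 8-entry table below are constructed values."""
import math
import struct

CLUSTER_SIZE = 16      # toy value; real FAT clusters are 512 B to 32 KB
DELETED_MARK = 0xE5    # first byte of a directory entry once the file is deleted

def classify(entry):
    """Map a 16-bit FAT entry to one of the five meanings in the lesson."""
    if entry == 0x0000:
        return "free"
    if entry == 0xFFF7:
        return "bad"
    if entry >= 0xFFF8:
        return "eoc"                    # end of cluster chain
    if entry == 0x0001 or 0xFFF0 <= entry <= 0xFFF6:
        return "reserved"
    return "next"                       # value is the next cluster of this file

def fat_entry(fat, cluster):
    return struct.unpack_from("<H", fat, cluster * 2)[0]

def set_fat_entry(fat, cluster, value):
    struct.pack_into("<H", fat, cluster * 2, value)

def follow_chain(fat, start):
    """Clusters of one file, in order, by following the table from `start`."""
    chain, cluster = [], start
    while True:
        if cluster in chain:
            raise ValueError(f"loop in chain at cluster {cluster}")
        chain.append(cluster)
        kind = classify(fat_entry(fat, cluster))
        if kind == "eoc":
            return chain
        if kind != "next":
            raise ValueError(f"chain broken at cluster {cluster}: entry is {kind}")
        cluster = fat_entry(fat, cluster)

def cluster_bytes(data, cluster):
    off = (cluster - 2) * CLUSTER_SIZE  # data region starts at cluster 2, as on real FAT
    return bytes(data[off:off + CLUSTER_SIZE])

def make_dirent(name, ext, first_cluster, size):
    """32-byte 8.3 directory entry; first cluster at offset 26, size at 28."""
    return bytearray(struct.pack("<8s3sB14sHI", name.ljust(8).encode(),
                                 ext.ljust(3).encode(), 0x20, bytes(14),
                                 first_cluster, size))

def dirent_fields(dirent):
    return struct.unpack_from("<HI", dirent, 26)   # (first_cluster, size)

def read_file(fat, data, dirent):
    first, size = dirent_fields(dirent)
    raw = b"".join(cluster_bytes(data, c) for c in follow_chain(fat, first))
    return raw[:size]

def delete_file(fat, dirent):
    """What FAT does on delete: mark the entry and free the chain. Data stays put."""
    first, _ = dirent_fields(dirent)
    for c in follow_chain(fat, first):
        set_fat_entry(fat, c, 0x0000)
    dirent[0] = DELETED_MARK

def undelete(fat, data, dirent):
    """What an undelete tool can do: the chain is gone, so read ceil(size/cluster)
    clusters from the first cluster and hope the file was contiguous. Returns the
    bytes read and the guessed clusters that are now allocated to something else."""
    first, size = dirent_fields(dirent)
    guessed = list(range(first, first + math.ceil(size / CLUSTER_SIZE)))
    reused = [c for c in guessed if classify(fat_entry(fat, c)) != "free"]
    return b"".join(cluster_bytes(data, c) for c in guessed)[:size], reused

def build_volume():
    """README.TXT in clusters 2 -> 3 -> 5 (fragmented around NOTES.TXT in
    cluster 4); cluster 6 is marked bad, cluster 7 is free."""
    fat = bytearray(8 * 2)
    for c, v in {0: 0xFFF8, 1: 0xFFFF, 2: 3, 3: 5, 4: 0xFFFF,
                 5: 0xFFFF, 6: 0xFFF7, 7: 0x0000}.items():
        set_fat_entry(fat, c, v)
    data = bytearray(6 * CLUSTER_SIZE)                    # clusters 2..7
    readme = b"0123456789ABCDEF" * 2 + b"TAIL-OF-FILE"   # 44 bytes = 3 clusters
    for c, chunk in zip((2, 3, 5), (readme[:16], readme[16:32], readme[32:])):
        data[(c - 2) * CLUSTER_SIZE:(c - 2) * CLUSTER_SIZE + len(chunk)] = chunk
    data[2 * CLUSTER_SIZE:3 * CLUSTER_SIZE] = b"notes: cluster 4"   # cluster 4
    return fat, data, make_dirent("README", "TXT", 2, len(readme)), readme

def demo():
    fat, data, dirent, original = build_volume()
    intact = read_file(fat, data, dirent) == original
    delete_file(fat, dirent)
    recovered, reused = undelete(fat, data, dirent)
    return intact, original, recovered, reused

if __name__ == "__main__":
    intact, original, recovered, reused = demo()
    print("before delete, chain read matches:", intact)
    print("undelete got the first 32 bytes right:", recovered[:32] == original[:32])
    print("undelete got the whole file right:", recovered == original)
    print("guessed clusters owned by another file:", reused)
```

Running it shows the limit of directory-entry undelete: the first two clusters come back intact, but the third guessed cluster belongs to NOTES.TXT, so the tail is wrong. A tool that reports the reused clusters, as this one does, lets the examiner know which part of a recovered file to trust; carving the free clusters for the missing tail is the next step.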
File Systems NTFS
Microsoft eventually introduced a new file system to replace FAT: the New Technology File System (NTFS). It is the file system used by Windows NT (from 3.1), 2000, XP, Vista, 7, Server 2003 and Server 2008. One major improvement of NTFS over FAT was the increase in supported volume size. The on-disk format allows up to 2^64 − 1 clusters; Windows implementations cap this at 2^32 − 1 clusters, and as of this writing no version of Windows supports volumes anywhere near the theoretical limit.
NTFS also introduced a number of other interesting features. Perhaps the most notable is the Encrypting File System (EFS), added with NTFS 3.0 in Windows 2000, which lets a user encrypt and decrypt individual files and folders. For an examiner, EFS matters because a raw image of the volume contains only ciphertext for those files; recovering their contents requires the user's key material, not just the image.
Several system files (their names begin with $) are key to this file system. Two of the most fundamental are the Master File Table ($MFT) and the cluster bitmap ($Bitmap). The MFT describes every file on the volume, including file names, timestamps, security identifiers and attributes such as "read only", "compressed" and "encrypted". It contains one base file record for each file and directory on an NTFS volume, and serves the same purpose as the file allocation table does in FAT and FAT32. The cluster bitmap is a map of all the clusters on the volume: an array of bits in which each bit indicates whether the corresponding cluster is allocated or free.
Unlike FAT/FAT32, NTFS is a journaling file system, as previously described. NTFS uses the NTFS log file ($LogFile) to record information about changes to the volume.
NTFS Continued
v1.0 with NT 3.1
v1.1 with NT 3.5
v1.2 with NT 3.51 and NT 4
v3.0 from Windows 2000 ("NTFS V5.0" or "NTFS5")
v3.1 from Windows XP ("NTFS V5.1")
Windows Server 2003 ("NTFS V5.2")
Windows Server 2008 and Windows Vista ("NTFS V6.0")
Windows Server 2008 R2 and Windows 7 (occasionally "NTFS V6.1")
The "5.x" and "6.x" numbers are driver versions that track the Windows release; the on-disk format has stayed at version 3.1 since Windows XP, which is why a tool that parses a Windows 7 volume can also parse an XP-era image.
NTFS Files
File Systems EXT
The Extended File System (ext) was the first file system created specifically for Linux. There have been several versions of ext; the current version is ext4. ext4 can support volumes of up to 1 exabyte (10^18 bytes, roughly 1 billion gigabytes) and files of up to 16 terabytes. These are enormous limits, and no current hard drive comes close to that volume size. For an administrator, one of the most useful features of ext4 is that it is backward compatible with ext2 and ext3, making it possible to mount drives that use those earlier versions.
ext was not originally a journaling file system; journaling was first introduced in ext3. ext3 and ext4 support three journaling modes, selected with the data= mount option. The safest is data=journal: both metadata and file contents are written to the journal before being written to the main file system. Next is data=ordered, the default: only metadata is journaled, but a file's data blocks are forced to disk before the metadata that references them is committed, so after a crash a file may be missing its latest write but never points at garbage. The least safe is data=writeback: only metadata is journaled, and the data may reach the disk before or after the metadata commit. After a crash in writeback mode a file can therefore appear to contain whatever was previously in its newly allocated blocks, including remnants of deleted files, which matters both for integrity and for what an examiner may find there. ext4 introduced checksums in the journal so that a partially written (torn) journal transaction is detected and not replayed; ext3 had no journal checksums.
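The difference between physical journaling with block checksums (the previous journaling slide) and the three ext data modes above is easiest to see on a toy file system that can be crashed at chosen points. The following is an added example written for this lesson, not code from the slides, the textbook or the ext drivers; the 8-byte block size, CRC-32 as the journal checksum and the in-memory "disk" are assumptions chosen to keep it small, and the mode names map onto ext's data= options only in the behaviour that matters here.

```python
"""Toy journaling file system: the three ext3/ext4 data modes, a crash between
journal commit and in-place write, and the journal checksum that ext4 added.
Added example for this lesson, not code from the slides or the textbook; the
block size, CRC-32 as the checksum and the in-memory disk are assumptions
chosen to keep it small."""
import zlib

BLOCK = 8   # bytes per block (toy value)

class ToyJournaledFS:
    def __init__(self, nblocks=8):
        self.disk = [b"OLD-DATA"] * nblocks   # main area; prior contents matter below
        self.journal = []                     # ("data", blk, copy, crc) or ("commit",)

    @staticmethod
    def pad(data):
        return data.ljust(BLOCK, b"\0")[:BLOCK]

    def write(self, writes, mode="journal", crash=None):
        """writes: list of (block, bytes, is_metadata).
        mode="journal":   data and metadata blocks both go through the journal
        mode="ordered":   only metadata is journaled; data is written in place first
        mode="writeback": only metadata is journaled; data waits for the checkpoint
        crash="journal":    stop before the commit record is written
        crash="checkpoint": stop after the commit, before the in-place writes"""
        for blk, data, meta in writes:
            data = self.pad(data)
            if mode == "ordered" and not meta:
                self.disk[blk] = data                     # data reaches disk before commit
            if mode == "journal" or meta:
                self.journal.append(("data", blk, data, zlib.crc32(data)))
        if crash == "journal":
            return
        self.journal.append(("commit",))
        if crash == "checkpoint":
            return
        for blk, data, _ in writes:                       # checkpoint: apply in place
            self.disk[blk] = self.pad(data)
        self.journal.clear()

    def corrupt_journal_record(self, index):
        """Simulate a torn write to the journal: damage one logged block copy."""
        kind, blk, data, crc = self.journal[index]
        self.journal[index] = (kind, blk, b"\xff\xff" + data[2:], crc)

    def recover(self, verify_checksums=True):
        """Replay committed transactions from the journal. With checksums (ext4) a
        transaction whose logged copy no longer matches its checksum is skipped;
        without them (ext3) it is replayed as-is. An unterminated transaction is
        discarded. Returns (replayed, skipped, discarded)."""
        replayed = skipped = 0
        pending = []
        for rec in self.journal:
            if rec[0] == "data":
                pending.append(rec)
                continue
            if verify_checksums and any(zlib.crc32(d) != crc for _, _, d, crc in pending):
                skipped += 1
            else:
                for _, blk, d, _ in pending:
                    self.disk[blk] = d
                replayed += 1
            pending = []
        self.journal.clear()
        return replayed, skipped, 1 if pending else 0

def crash_in_mode(mode):
    """One transaction (metadata block 0 pointing at file data in block 1), crash
    before the checkpoint, then recover. Returns (block 0, block 1) afterwards."""
    fs = ToyJournaledFS()
    fs.write([(0, b"inode->1", True), (1, b"NEW-DATA", False)], mode=mode, crash="checkpoint")
    fs.recover()
    return fs.disk[0], fs.disk[1]

def checksum_scenario(verify_checksums):
    """Journal at crash time holds a clean committed transaction, a committed one
    with a torn block copy, and one that never reached its commit record."""
    fs = ToyJournaledFS()
    fs.write([(2, b"file-A1", False), (3, b"file-A2", False)], crash="checkpoint")
    fs.write([(4, b"file-B1", False)], crash="checkpoint")
    fs.corrupt_journal_record(3)      # records: d2, d3, commit, d4 <- torn, commit
    fs.write([(5, b"file-C1", False)], crash="journal")
    return fs.recover(verify_checksums), fs.disk

if __name__ == "__main__":
    for mode in ("journal", "ordered", "writeback"):
        b0, b1 = crash_in_mode(mode)
        print(f"{mode:9s} after crash and recovery: block0={b0!r} block1={b1!r}")
    print("ext4-style (checksums):", checksum_scenario(True)[0])
    print("ext3-style (no checksums):", checksum_scenario(False)[0])
```

In journal and ordered mode the recovered volume has the inode pointing at the new data; in writeback mode the inode is replayed but block 1 still holds OLD-DATA, which is exactly the stale-data exposure the text describes. With checksums on, the torn transaction is skipped and block 4 keeps its old contents; with them off, the damaged copy is written to disk as if it were valid.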
File Systems Reiser
The Reiser File System (ReiserFS) is a journaling file system used primarily with Linux. ReiserFS was the first journaling file system included in the mainline Linux kernel, appearing in kernel version 2.4.1, whereas ext did not support journaling until ext3. ReiserFS supported journaling from its inception. It is open source and was designed by Hans Reiser.
Several Linux distributions have shipped ReiserFS, including SUSE (where it was the default for some years) and Debian. However, most distributions have moved away from it because its future development is in doubt. The problem is not with the file system itself, but with the fact that its inventor, who was also responsible for supporting and updating it, was convicted of murdering his wife.
File Systems Berkeley Fast File System
The Berkeley Fast File System (FFS) is also known as the Unix File System (UFS). As its names suggest, it was developed at Berkeley specifically for Unix. Like many file systems, FFS uses a bitmap to track free blocks, indicating which are available and which are not. Like ext, FFS also includes the fsck utility. This is only one of many similarities between FFS and ext; in fact some sources consider ext to be a variant of the Berkeley Fast File System.
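Both the NTFS cluster bitmap ($Bitmap, two slides back) and the FFS free-block map above are one bit per cluster, and an examiner reads them for two reasons: to find the unallocated space worth carving, and to cross-check them against what the files actually reference. The following is an added example written for this lesson, not code from the slides or the textbook and not a parser of real $MFT records; the two-byte bitmap, the 15-cluster volume size and the file-to-cluster mapping (written the way an NTFS data-run list would give it) are constructed, and the bit order (bit 0 of byte 0 is cluster 0) is the NTFS convention.

```python
"""Audit a cluster allocation bitmap against the clusters files actually reference.
NTFS keeps this bitmap in $Bitmap; UFS/FFS keep the same kind of free-block map.
Added example for this lesson, not code from the slides; the bitmap bytes and the
file-to-cluster mapping below are constructed."""

def parse_bitmap(bitmap, total_clusters):
    """One bit per cluster, bit 0 of byte 0 = cluster 0. Bits past the end of
    the volume are padding (NTFS sets them to 1) and are dropped."""
    flags = [bool((byte >> bit) & 1) for byte in bitmap for bit in range(8)]
    if len(flags) < total_clusters:
        raise ValueError("bitmap too short for volume")
    return flags[:total_clusters]

def runs(flags, want):
    """Collapse consecutive clusters whose flag == want into (start, length) pairs."""
    out, start = [], None
    for c, f in enumerate(list(flags) + [None]):      # None sentinel closes the last run
        if f == want and start is None:
            start = c
        elif f != want and start is not None:
            out.append((start, c - start))
            start = None
    return out

def audit(bitmap, total_clusters, files):
    """files: {name: [(first_cluster, length), ...]}, as an MFT data-run list gives it.
    Returns the free runs (carving targets), clusters marked allocated that no file
    owns (hidden or orphaned data), and files pointing at clusters marked free."""
    allocated = parse_bitmap(bitmap, total_clusters)
    referenced = {}
    for name, extents in files.items():
        for first, length in extents:
            for c in range(first, first + length):
                referenced.setdefault(c, []).append(name)
    orphans = [c for c, a in enumerate(allocated) if a and c not in referenced]
    dangling = {c: names for c, names in referenced.items() if not allocated[c]}
    return {
        "unallocated_runs": runs(allocated, False),
        "orphan_clusters": orphans,
        "dangling": dangling,
        "allocated_count": sum(allocated),
    }

# Constructed 15-cluster volume: byte 0 = 0x3F (clusters 0-5 in use),
# byte 1 = 0xDC (clusters 10, 11, 12, 14 in use; bit 15 is padding past the end).
SAMPLE_BITMAP = bytes([0x3F, 0xDC])
SAMPLE_FILES = {
    "$MFT": [(0, 4)],
    "$Bitmap": [(4, 2)],
    "a.txt": [(10, 3)],
    "b.txt": [(7, 1)],   # its record survives but the bitmap says cluster 7 is free
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_BITMAP, 15, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

On the sample volume the audit reports clusters 6 through 9 and 13 as free (the carving targets), cluster 14 as allocated but owned by no file, and b.txt as pointing at a free cluster, the pattern a deleted or tampered record leaves behind. On a real image the same logic runs over $Bitmap and the data runs parsed from every MFT record.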
Types of Data
Active data is the information that you and I can see: data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
Archival data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, or entire hard drives, to cite a few examples.
Latent data is information that typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten.
Basics
Secure
  The scene
  Personnel
Preserve
Document
  Document the items
  Document the procedures
Preserve the chain of custody
Attention to detail
Make a forensic copy
Don't analyze the actual drive in question.
Make a forensic copy.
At the scene
Immediately determine whether a destructive program (for example a wiping utility) is running on the computer. If one is, pull the power plug so that no further evidence is destroyed. Be aware of the trade-off: cutting power also discards the contents of RAM and the keys of any mounted encrypted volumes, so if nothing destructive is running, capture volatile data first and document that decision. Place tape across all open disk drives so that no media is inadvertently inserted. Collect the system date and time from the BIOS setup, compare it with a reliable time source (e.g., one synchronized with an atomic clock), and note any discrepancy. This may be important if it is necessary to correlate events between two computers, or between a user's activities and the timestamps on files on the computer.
At the scene continued
Document the computer and its surroundings
Use video tape if available
If the computer is running, take a photograph of the screen.
Take photographs of the front, side, and back of the computer.
Note any and all connected devices.
Physically open the computer and take photographs of the inside of the computer.
Making a forensic copy of the drive
Knoppix security distribution http://s-t-d.org/
Penguin sleuth kit http://www.linux-forensics.com/
Forensically wipe the destination drive before imaging onto it, so that nothing from a previous case can be mistaken for evidence.
A forensic wipe can be accomplished with the dd command (hdb1 is the destination here; on a current Linux system the device will be named /dev/sdb1 or similar, and the whole destination disk, not a single partition, should be wiped):
dd if=/dev/zero of=/dev/hdb1 bs=2048
Then verify that every byte reads back as zero. Note that grep -v '0' does not do this: it looks for the printable character "0" (0x30), not for zero bytes. A check that does work:
od -An -v -tx1 /dev/hdb1 | tr -d ' 0\n' | wc -c
which prints 0 only if no non-zero byte remains. Alternatively, cmp /dev/zero /dev/hdb1 reports the first non-zero byte, or "EOF on /dev/hdb1" if the device is entirely zero.
dd
dd is a common Unix program whose primary purpose is the low-level copying and conversion of raw data.
The name is an allusion to the mainframe JCL DD statement.
It is jokingly said to stand for "disk destroyer", "data destroyer" or "delete data", since, being used for low-level operations on hard disks, a small mistake such as reversing the if and of parameters can result in the loss of some or all data on a disk.
Making a forensics copy (continued)
Netcat reads and writes bytes over a network connection. The command to run on the forensic server is:
# nc -l -p 8888 > evidence.dd
(With the OpenBSD netcat that most current Linux distributions ship, -l and -p are not combined; the equivalent is nc -l 8888.)
This starts the listener on the forensic server before any data is sent from the subject's computer. The subject's computer must be booted from the forensic live distribution, not from its own operating system, and the evidence partition must not be mounted read-write, so that nothing on it changes while it is read. On the subject's computer we use dd to read the first partition:
# dd if=/dev/hda1 | nc -w 3 192.168.0.2 8888
We pipe the output of dd to netcat, which sends the bytes over the network to the specified address and port on our listening forensic computer. The -w 3 argument tells netcat to wait 3 seconds after finding no more data before closing the connection.
Two caveats: dd stops at the first unreadable sector (conv=noerror,sync makes it continue and pad each unreadable block with zeros, which must then be recorded in the notes), and netcat offers neither encryption nor authentication, so the two machines should be connected by a crossover cable or an isolated switch. The hash comparison that follows is what proves the image arrived intact.
Calculate the hash
After we create the image we must verify its integrity. Calculate the hash of the source partition from the subject's computer (the listener on the forensic server exited when the image transfer finished, so a fresh one must be started first, as shown on the next slide):
# md5sum /dev/hda1 | nc -w 3 192.168.0.2 8888
This command calculates the MD5 hash of the source partition and pipes the result over the network to our forensic server.
Two points a practitioner should note: MD5 collisions are practical today, so also record a SHA-256 hash (sha256sum /dev/hda1 in the same way); and hashing the source separately reads the whole drive a second time, which is slow and risky on a failing drive. Acquisition tools such as dc3dd and dcfldd hash the data as it is read, in a single pass.
Compare the hash
We capture that hash by starting a listening process on the forensic computer before running the md5sum command on the subject machine:
# nc -l -p 8888 >> evidence.md5
Then the command
# md5sum evidence.dd >> evidence.md5
calculates the MD5 hash of our forensic image and appends it to the file that already holds the source hash. The ">>" operator appends the output of a command to an existing file.
WARNING: With a single ">" the file evidence.md5 would be overwritten by the output of the command rather than appended.
If the two hashes match, the imaging was successful and analysis can begin on the image. Keep evidence.md5 with the image and record both hashes in the chain-of-custody notes; the same comparison is repeated whenever the image is copied or handed over.
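The whole acquisition procedure on the last four slides (wipe check, image, hash the source, hash the image, compare, record) can be put into one piece of code that hashes the source in the same pass that copies it, which is what dc3dd and dcfldd do. The following is an added example written for this lesson, not code from the slides, the textbook or those tools; it uses a temporary file as a stand-in for /dev/hda1 (on Linux the same open() and read() calls work on the raw device), keeps MD5 because the slides use it and adds SHA-256 beside it, and the 64 KiB read size and the 200 KiB constructed "partition" are assumptions.

```python
"""Acquire a disk image and verify it: hash the source while it is being read,
hash the finished image, compare, and write md5sum-style sidecar files.
Added example for this lesson, not code from the slides or the textbook. It
uses a temporary file in place of /dev/hda1; MD5 is kept because the slides use
it, SHA-256 is added alongside it."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024          # read size; the equivalent of dd's bs=
ALGOS = ("md5", "sha256")

def image_and_hash(src_path, dst_path):
    """Copy src to dst in one pass, hashing bytes as they are read.
    An unreadable chunk is logged and replaced by zeros (what dd does with
    conv=noerror,sync), so the returned digests cover what was acquired and
    the list of unreadable offsets belongs in the acquisition notes."""
    hashes = {a: hashlib.new(a) for a in ALGOS}
    unreadable = []
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        pos = 0
        while True:
            try:
                chunk = src.read(CHUNK)
            except OSError:
                unreadable.append(pos)
                chunk = bytes(CHUNK)
                src.seek(pos + CHUNK)
            if not chunk:
                break
            for h in hashes.values():
                h.update(chunk)
            dst.write(chunk)
            pos += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return {a: h.hexdigest() for a, h in hashes.items()}, unreadable

def hash_file(path):
    """Hash an existing file; used on the image after it has been written."""
    hashes = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashes.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}

def write_sidecars(image_path, digests):
    """One file per algorithm in md5sum's line format, so that
    `md5sum -c evidence.dd.md5` re-verifies the image later."""
    for algo, hexdigest in digests.items():
        with open(f"{image_path}.{algo}", "w") as f:
            f.write(f"{hexdigest}  {os.path.basename(image_path)}\n")

def is_zeroed(path):
    """True only if every byte is 0x00: the check a forensic wipe needs."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True

def acquire(src_path, image_path):
    """Image, hash both sides, compare, record.
    Returns (match, source_digests, image_digests, unreadable_offsets)."""
    src_digests, unreadable = image_and_hash(src_path, image_path)
    img_digests = hash_file(image_path)
    write_sidecars(image_path, img_digests)
    return src_digests == img_digests, src_digests, img_digests, unreadable

def demo():
    """Constructed 200 KiB 'partition' imaged and verified, then one byte of the
    image is altered to show the comparison failing; plus a wipe check on a
    zero-filled and on a non-zero file."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "hda1.bin")
        img = os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 800)      # constructed, non-zero pattern
        ok, src_digests, _, unreadable = acquire(src, img)
        with open(img, "r+b") as f:
            f.seek(12345)
            f.write(b"\x00")                      # tamper with the copy
        tampered_ok = hash_file(img) == src_digests
        wiped = os.path.join(d, "hdb1.bin")
        with open(wiped, "wb") as f:
            f.write(bytes(100_000))
        return ok, tampered_ok, unreadable, is_zeroed(wiped), is_zeroed(src)

if __name__ == "__main__":
    print(demo())
```

Because the source digest is computed from the bytes that were actually read, a run with unreadable sectors still produces matching digests; the image is a faithful copy of what could be acquired, and the unreadable offsets are what distinguish it from a complete one. That is why the offset list is returned alongside the digests rather than discarded.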
What to check
Files
Browser
System logs
Deleted files
Handling Images as evidence
Preserve the original digital image. This is critical. You may need to enhance images to see some detail, but that enhancement should be done to a copy. You should retain the original image exactly as you found it. The original file must never be written over or deleted.
Preserve images in their original format.
Undelete files- Undelete plus
Undelete Plus is available from http://www.undelete-plus.com for $29.95. What makes this tool worthy of mention is that it is very easy to use. You simply select a drive and click the scan button, and it will list any deleted files it finds.
Undelete files - DiskDigger
This product is available at http://dmitrybrant.com/diskdigger and is freeware, which makes it an attractive product. The site does accept donations, but you are free to download and use this product at no charge. This utility has a wizard interface that walks the user through the process.
Lab 1
Use DiskDigger to recover files from your computer
Estimated time: 20 minutes
Video
EnCase Demo
http://www.youtube.com/watch?v=O4ce74q2zqM
Forensic Tools
EnCase
The Sleuth Kit http://www.sleuthkit.org/sleuthkit/
Helix http://www.e-fense.com/h3-enterprise.php (FREE 30-day trial)
The Disk Investigator http://www.theabsolute.net/sware/dskinv.html
Microsoft Computer Online Forensic Evidence Extractor (COFEE) http://www.microsoft.com/industry/government/solutions/cofee/
Links
http://www.computerforensicsworld.com/
http://www.forensicswiki.org/wiki/Main_Page
http://www.computerforensics.com/
FBI Computer Forensics http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm
United States Secret Service http://www.secretservice.gov/ectf.shtml
Federal Bureau of Investigation http://www.cert.org/tech_tips/FBI_investigates_crime.html
A collection of forensics tools
http://www.forensicswiki.org/wiki/Tools