508.1 – Forensic and Investigative Essentials

Intro to forensics – P19-21

Evidence – P22-23

Dirty Word List – P24

Disk Image – P25

Forensic principles – P26

Volatile Evidence – P28

Methodologies – P31-32

Summary – P32

Methodology in depth – P33-40

File system essentials – P45-73

Numbers – P47-48

Little/Big Endian – P49

5 Layers – P51

File System Layer – P52-59

DOS-based partitions – P53-55

MBR – P56-57

Common types of partitions – P58
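
Worked example (added to this outline; it is not course material): a parser for the DOS/MBR partition table that covers the three items above (DOS-based partitions, the MBR, common partition types) and the byte-order point from P49. The 512-byte sector, the disk size, the partition layout and the short type-ID table are all constructed for the example.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446             # four 16-byte entries occupy bytes 446..509
SIGNATURE = b"\x55\xaa"        # bytes 510-511; reads as 0xAA55 little-endian

# A few common partition type IDs (constructed subset, not an exhaustive list).
PART_TYPES = {
    0x05: "extended (CHS)", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective MBR",
}


def build_entry(bootable, ptype, start_lba, size_sectors):
    """Pack one 16-byte entry. CHS fields are zeroed; modern tools rely on the
    two little-endian 32-bit LBA fields at entry offsets 8 and 12 instead."""
    flag = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", flag, b"\0\0\0", ptype, b"\0\0\0",
                       start_lba, size_sectors)


def build_mbr(entries):
    """Assemble a 512-byte MBR from up to four entries (boot code left zero)."""
    table = b"".join(entries) + b"\0" * (16 * (4 - len(entries)))
    return b"\0" * TABLE_OFFSET + table + SIGNATURE


def has_valid_signature(sector):
    return len(sector) == SECTOR_SIZE and sector[510:512] == SIGNATURE


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts, in table order."""
    if not has_valid_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA signature")
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        flag, ptype, start, size = struct.unpack("<B3xB3xII", raw)
        if ptype == 0x00:          # empty slot
            continue
        parts.append({
            "slot": i, "bootable": flag == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02x" % ptype),
            "start_lba": start, "size_sectors": size,
            "end_lba": start + size,            # exclusive
        })
    return parts


def read_start_lba(entry, byteorder):
    """Read the start-LBA field with a chosen byte order. On disk it is
    little-endian, so reading it big-endian yields a nonsense sector number."""
    return int.from_bytes(entry[8:12], byteorder)


def unallocated_ranges(parts, disk_sectors):
    """[start, end) sector ranges that no partition claims. Sector 0 (the MBR)
    is excluded. These gaps are where data hidden outside any file system lives."""
    used = sorted((p["start_lba"], p["end_lba"]) for p in parts)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


# Constructed sample: a 2 GiB disk with a bootable NTFS partition starting at
# sector 63 and a Linux partition that leaves a 65-sector gap in front of it.
SAMPLE_DISK_SECTORS = 4_194_304
SAMPLE_MBR = build_mbr([
    build_entry(True, 0x07, 63, 2_097_152),
    build_entry(False, 0x83, 2_097_280, 1_048_576),
])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print("slot %d %-16s start %9d size %9d boot=%s"
              % (p["slot"], p["type_name"], p["start_lba"],
                 p["size_sectors"], p["bootable"]))
    print("unallocated:", unallocated_ranges(parts, SAMPLE_DISK_SECTORS))
```

On a real image the same parser runs as `parse_mbr(open(path, "rb").read(512))`; mmls (508.2 P71-75) reports the same layout and the unallocated gaps.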

Data Layer – P61-65

Data Storage and Allocation – P61-62

Contiguous disk space – P63

Slack space – P64

Metadata layer – P66-71

File name layer – P72

Linux EXT2, EXT3 – P74-87

Superblock – P75-76

Blocks – P77-78

Permissions – P79

File Types – P80

Time Stamps – P81

Inodes – P82

Data Pointers – P83

Directories – P84

Deletion (All layers) – P85-86

Windows File System – P88-126

Evolution – P89

FAT – P90-108

Boot Sector – P95-97

Directory Entry – P98-101

Timestamps – P99

Content Data – P102

Cluster Chain – P103

Deletion – P107

NTFS – P109-126

Boot Sector – P111-112

Clusters – P113-114

MFT (Meta.) – P115-117

Timestamps – P118
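
Worked example (added here; not course material) serving both timestamp entries, FAT (P99) and NTFS (P118): decoders for the packed FAT date/time words and for the NTFS FILETIME, including the two edge cases an examiner must remember: FAT write times have 2-second resolution and the creation stamp carries an extra 10 ms field that can add a whole second, while FILETIME is UTC at 100 ns ticks since 1601. The directory entry and the $STANDARD_INFORMATION bytes are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# ---- FAT: packed 16-bit date and time words, local time, no zone ---------

def fat_decode_date(word):
    """bits 15-9 year since 1980, bits 8-5 month, bits 4-0 day -> (y, m, d)."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def fat_decode_time(word):
    """bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds/2 (2 s resolution)."""
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2


def fat_datetime(date_word, time_word=0, tenths=0):
    """Naive datetime (FAT records no zone). `tenths` is the creation-only
    byte counting 10 ms units (0-199), so it can carry into a whole second."""
    y, mo, d = fat_decode_date(date_word)
    h, mi, s = fat_decode_time(time_word)
    return datetime(y, mo, d, h, mi, s) + timedelta(milliseconds=10 * tenths)


def fat_dir_entry_times(entry):
    """Timestamps of a 32-byte FAT directory entry. Offsets per the FAT spec:
    13 create tenths, 14 create time, 16 create date, 18 access date,
    22 write time, 24 write date. Last access has no time of day at all."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are 32 bytes")
    tenths = entry[13]
    ctime, cdate, adate = struct.unpack_from("<HHH", entry, 14)
    wtime, wdate = struct.unpack_from("<HH", entry, 22)
    return {
        "created": fat_datetime(cdate, ctime, tenths),
        "accessed": fat_datetime(adate).date(),
        "written": fat_datetime(wdate, wtime),
    }

# ---- NTFS: FILETIME, 64-bit LE count of 100 ns ticks since 1601-01-01 UTC --

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_decode(ticks):
    """Aware UTC datetime. The remainder below 1 us is dropped because Python
    datetimes stop at microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_encode(dt):
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def std_info_times(data):
    """The four FILETIMEs that open the $STANDARD_INFORMATION attribute body,
    in on-disk order: created, modified, MFT-record modified, accessed."""
    c, m, e, a = struct.unpack_from("<QQQQ", data, 0)
    return {k: filetime_decode(v) for k, v in
            (("created", c), ("modified", m), ("mft_modified", e), ("accessed", a))}


# Constructed samples (not from a real disk): 2009-03-15 14:37:28 in both formats.
FAT_DATE = (29 << 9) | (3 << 5) | 15           # 0x3A6F
FAT_TIME = (14 << 11) | (37 << 5) | (28 // 2)  # 0x74AE
SAMPLE_FAT_ENTRY = bytearray(32)
SAMPLE_FAT_ENTRY[0:11] = b"PLAN    DOC"        # 8.3 name
SAMPLE_FAT_ENTRY[13] = 150                     # +1.50 s on the creation stamp only
struct.pack_into("<HHH", SAMPLE_FAT_ENTRY, 14, FAT_TIME, FAT_DATE, FAT_DATE)
struct.pack_into("<HH", SAMPLE_FAT_ENTRY, 22, FAT_TIME, FAT_DATE)
SAMPLE_FAT_ENTRY = bytes(SAMPLE_FAT_ENTRY)

# The same instant as a FILETIME: (unix 1237127848 + 11644473600) s * 1e7 ticks,
# plus 1234567 extra ticks so the sub-second handling is visible.
SAMPLE_FILETIME = 128_816_014_480_000_000 + 1_234_567
SAMPLE_STD_INFO = struct.pack("<QQQQ", SAMPLE_FILETIME, SAMPLE_FILETIME + 10_000_000,
                              SAMPLE_FILETIME + 20_000_000, SAMPLE_FILETIME)

if __name__ == "__main__":
    for k, v in fat_dir_entry_times(SAMPLE_FAT_ENTRY).items():
        print("FAT  %-12s %s" % (k, v))
    for k, v in std_info_times(SAMPLE_STD_INFO).items():
        print("NTFS %-12s %s" % (k, v.isoformat()))
```

Note the asymmetry this exposes when building a timeline (508.2 P92-111): FAT stamps are wall-clock local time of the machine that wrote them and must be shifted to the examiner's zone by hand, whereas FILETIMEs are already UTC.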

MFT Layout – P119

Deletion – P121

508.2 – 508.3 Forensic Methodology Illustrated

Netcat – P23-24

Win32dd.exe – P27

Memparser – P28

Volatility – P29-30

Memdump – P31-33

Lsof – P35

Reconnaissance – P37

Md5sum – P40

Imaging – P44-68

File formats – P47-50

Dd – P56-65

HPA – P66-68

Chain of Custody – P69

Mmls – P71-75

Mount – P76-82

Timelines – P92-109

Create – P104-106

Fls – P107

Mactime – P111
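
Worked example (added here; not course material) for the timeline items above (Create, fls, mactime): a reader for the TSK 3.x body file that `fls -m` writes and a mactime-style sorter that merges the m/a/c/b hits of one file at one instant into a single row. The three body lines are constructed; the zero crtime on the last one shows how an unset timestamp is skipped.

```python
from datetime import datetime, timezone

# TSK 3.x body-file format written by `fls -m` / `ils -m` and read by mactime:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (Unix epoch, 0 = unset)
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")


def parse_body_line(line):
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError("expected 11 fields, got %d: %r" % (len(parts), line))
    rec = dict(zip(BODY_FIELDS, parts))
    for k in ("size", "atime", "mtime", "ctime", "crtime"):
        rec[k] = int(rec[k])
    return rec


def build_timeline(lines):
    """One row per (timestamp, file). The MACB column marks which of the four
    times fired, in mactime's m/a/c/b order ('m.c.', 'macb', ...). Zero
    timestamps are skipped, as mactime does."""
    rows = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_body_line(line)
        for key, flag in (("mtime", "m"), ("atime", "a"),
                          ("ctime", "c"), ("crtime", "b")):
            t = rec[key]
            if t == 0:
                continue
            row = rows.setdefault((t, rec["name"]),
                                  {"flags": set(), "rec": rec})
            row["flags"].add(flag)
    out = []
    for t, name in sorted(rows):
        row = rows[(t, name)]
        rec = row["rec"]
        out.append({
            "time": t,
            "date": datetime.fromtimestamp(t, tz=timezone.utc)
                            .strftime("%a %b %d %Y %H:%M:%S"),
            "macb": "".join(f if f in row["flags"] else "." for f in "macb"),
            "size": rec["size"], "mode": rec["mode"], "uid": rec["uid"],
            "gid": rec["gid"], "inode": rec["inode"], "name": name,
        })
    return out


def format_timeline(rows):
    """Plain-text rendering in mactime's column order."""
    return "\n".join(
        "%s %8d %s %s %s %s %s %s" % (r["date"], r["size"], r["macb"], r["mode"],
                                      r["uid"], r["gid"], r["inode"], r["name"])
        for r in rows)


# Constructed body file: a document, a deleted note whose four times coincide,
# and a binary with no creation time recorded.
SAMPLE_BODY = """\
0|/docs/plan.doc|1234|r/rrw-r--r--|1000|1000|20480|1237127848|1237040000|1237040000|1237000000
0|/docs/notes.txt (deleted)|1240|r/rrw-------|1000|1000|512|1237127900|1237127900|1237127900|1237127900
0|/bin/nc|77|r/rrwxr-xr-x|0|0|33040|1237128000|1200000000|1237127500|0
"""

if __name__ == "__main__":
    print(format_timeline(build_timeline(SAMPLE_BODY.splitlines())))
```

The sort key is (time, name), so the output is the same on every run; the real tool is driven as `fls -r -m / image.dd > body` then `mactime -b body -z UTC`, and this reader takes the resulting body file unchanged.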

File command – P122

Srch_string – P123-124

Grep – P125-126

Dirty Words – P127-129

Volatile Evidence Collection – P55

Adepto/Grab – P99-101

Hex editors – P108

TSK – P132-230

Programs – P134-136

Fsstat – P138-148

blkstat – P150

blkcat – P151-153

blkls – P154-157

Slackspace – P157-158

blkcalc – P159-160

sigfind – P162

Foremost – P166-173

Foremost for Windows – P175

ifind – P178-179

istat – P180-186

icat – P187-189

fls – P192-196

ffind – P197-199

TSK Exercises – P202-208

Sorter – P211-218

Hash Databases – P220-222

Md5deep – P223

Hfind – P224

Autopsy – P232-275

Step-by-step – P273-274

Network forensics – P279

508.4 Windows and NTFS Filesystem Forensics

Windows response and collection – P11-35

Cmd – P12-14

Cmdenv.bat – P14

Psexec – P15-16

Nc.exe – P17

WFT – P20-35

Live evidence collection – P25-31

Psinfo – P26-29

Fport – P30-31

Password Discovery – P32-35

Windows media & artifact analysis – P38-104

AV – P40

Registry – P41-61

HIVES – P42-43

NTUSER.DAT – P49-

Sam_parse.exe – P47-48

Search History – P50

Typed URLs – P51

Last commands – P52

Last files saved – P53

UserAssist – P54-57

Regripper.pl – P58-59

Regtime.exe – P60

Restore Points (XP) – P63-68

Sr.exe – P64

Changelog – P66

Rp.log – P67

Shadow (Vista) – P69-76

Vssadmin – P72

Mklink – P73

Imaging – P74-75

Prefetch/Superfetch – P77-80

Pref.pl – P79-80

Email forensics – P81-83

Shortcut (lnk) – P84-87

Lslnk.exe – P84

Word forensics – P88-91

Wmd.pl – P90-91

Thumbs.db – P92-97

Vinetto – P94

Thumbcache – P96-97

Exif – P98

Internet history (pasco) – P100

Recycle bin – P101-??

INFO2 – P103-107

Rifiuti – P104

Windows network forensics – P117-129

WFT Config file – P131

508.5 Computer Investigative Law for Forensic Analysts

Who can investigate – P3-60

Internal General – P3-4

Incident Response Policy – P5

Internal – P6-12

Outsource – P13-14

Law Enforcement – Criminal Conduct – P15-31

Common Cyber-defenses – P32-33

International aspects – P34-39

Whether to report – P40-54

Whom to Call? – P55-57

What is expected? – P58-60

Acquiring Data – P61-98

Goals – P61

Authority – P62-64

Stand alone devices – P65-66

Network and Real Time – P67-70

ECPA – P71-76

Real-Time – P77

Provider Exception – P78-79

Consent Exception – P80

Trespasser Exception – P81-82

Header information – P83-84

Lawful Access – P85-86

EU Data Retention – P87

HIPAA – P88-89

SOX – P90

GLB – P91

FERPA – P92

Other Data – P93

EU data Protection – P94-96

Outside Recon – P97

Tools – P98

Post Collection – Preservation – P99-101

Data analysis & report – P102-104

Report Writing – P105-108

Rules of Evidence – P109-113

Honeypots – P115-126

European Law – P127-128

European Version – P2-1

508.6 Advanced Forensics

Application footprinting – P4-31

Tools – P5

Active Reg monitor – P6

Step by step – P8-14

Results – P15-16

USB Reg keys – P17-19

Timeline analysis – P20

USB and setupapilog – P21-22

Firefox off USB key – P23-25

Digital file shred pro – P26-27

Unplugged – P29-30

Conclusion – P31

Fuzzy hashing – P32-37

Ssdeep – P34-37

Malware Footprinting – P114-159