JPEG
Most common graphic file format, full color graphic format (16.7 million colors) with a relatively small file size
BMP
(bitmap image file or ... bitmap) is a raster graphics image file format used to store digital images.
WINDOWS
GIF
a lossless format for image files that supports both animated and static images.
Remote Acquisitions
Prodiscover
Wetstone
Live Wire
F Response
F-Response
vendor-neutral specialty remote access utility designed to work with any digital forensics program; allows reading of the suspect drive
Windows Recovery- EaseUS
Format recovery; Emptied from recycle bin; Partition loss/damage; Software crash; Virus; Unexpected shutdown
Disk Digger
undeletes and recovers lost files from hard drives, memory cards, and USB flash drives
Quick Recovery
Lost, deleted, deteriorated files; Repairs bad sectors; Encrypted and password-protected files
Advance Disk Recovery
Scans for deleted files and folders; Quick scan; Deep scan
Data Recovery Pro
Restores deleted emails and some files
Data Rescue 4
Mac; recovers from crashed, virus-infected, corrupted, or accidentally formatted drives.
Net Commands
Net config;
Net file;
Net use;
Net view;
Net name;
Net start;
Net sessions;
Steganography Techniques
Cover Generation Technique;Substitution Technique;Transform Domain Technique;Spread Spectrum Technique;
Cover Generation Technique:
A cover generation method creates a cover for the sole purpose of hiding information.
Substitution Technique:
Replaces redundant or unneeded bits of a cover with the bits of the secret message.
Transform Domain Technique:
Hides the message data in the transform space of a signal. Commonly used in JPEG photos.
Spread Spectrum Technique:
There are two types of spread spectrum techniques, direct sequence and frequency hopping.
Guidelines for Evidence Collection
[RFC 3227] provides a list of the volatile data that should be captured first:
1. System date and time
2. Current network connections
3. Current open ports and applications listening on those ports
4. Applications that are currently running
Steps for forensic investigations in a wireless environment:
1. Obtain a search warrant.
2. Identify wireless devices.
3. Document and maintain chain of custody.
4. Detect wireless connections.
5. Determine the wireless field strength.
6. Map wireless zones and hot spots.
7. Connect to the wireless network.
8. Acquire and analyze data.
9. Generate a report.
A computer forensic expert makes sure that the following rules are upheld during an investigation process:
1. Preservation of evidence
2. Prevention of contamination of evidence
3. Extraction and preservation of evidence
4. Accountability of evidence
5. Limited interference of the crime scene on normal life
6. Ethics of investigation
Steps to evaluate and secure a scene:
1. Follow the policies of the legal authority for securing the crime scene.
2. Verify the type of incident.
3. Ensure that the scene is safe for responders.
4. Isolate other persons who are present at the scene.
5. Locate and help the victim.
6. Verify any data that is related to the offense.
7. Transmit flash messages to responding units.
8. Request help as needed.
9. Establish a security perimeter.
10. Protect volatile evidence.
11. Document the devices that contain perishable data.
12. Observe the situation and record observations.
13. Protect physical evidence or hidden fingerprints.
The generic processes of the First Responder Procedures are to:
1. Protect the system and resources.
2. Contain the intrusion.
3. Preserve the evidence [logs, files, etc.] in a legally acceptable way.
4. Notify Management, Incident Response, etc.
Federal Rules of Evidence [OPINIONS AND EXPERT TESTIMONY]
Rule 701 - Opinion Testimony by Lay Witnesses;
Rule 702 - Testimony by Expert Witnesses;
Rule 703 - Bases of an Expert's Opinion Testimony;
Rule 704 - Opinion on an Ultimate Issue;
Rule 705 - Disclosing the Facts or Data Underlying an Expert's Opinion;
Rule 706 - Court-Appointed Expert Witnesses;
Pre-Investigation Phase
Set up CFL, toolkit, and workstation; set up the investigation team and obtain approval from authority; planning process: define mission goals, secure the case perimeter and the devices involved.
Investigation Phase
Acquisition, preservation, and analysis of the data to identify the source of the crime and the culprit.
Apply technical knowledge to find evidence, then examine, document, and preserve the findings.
Post-Investigation Phase
Ensure the target audience can easily understand the report
Ensure the report provides adequate and acceptable evidence
Report should comply with all local laws and standards
Should be legally sound and acceptable in a court of law
Slack Space
Unused storage capacity
Swap space
The space on the disk reserved for the full virtual memory space of a process.
Hashing Algorithm Lengths
SHA-1
SHA-512
MD5 256
CRC-32
MD6 - 512
Netstat Commands
Netstat
-a Displays all connections and listening ports.
-e Displays Ethernet statistics.
-n Displays addresses and port numbers in numerical form.
-r Displays the routing table.
-o Displays the owning process ID associated with each connection.
Steganography
Steganography (pronounced STEHG-uh-NAH-gruhf-ee, from Greek steganos, or "covered," and graphie, or "writing") is the hiding of a secret message within an ordinary message and the extraction of it at its destination to maintain the confidentiality of data.