Difference between revisions of "Summerschool Aachen 2004/Incident Research Lab"

Slides

Notes on Presentations

Notes on Lab Session

Software packages you might find usefull

You might want to look into the following tools:

• graverobber - grab important data from system
• ddrescue - spiced up dd
• sleuthkit, autopsy - forensic toolkit (includes inode cat, ...)
• fcrackzip - zip password cracker
• nasm - netwide disasembler
• e2undel - undelete for ext2
• ntfstools - undelete for ntfs
• bview - nice hex editor, vim-like
• bsdmainutils (includes hd), or vim (includes xxd)
• chntpw - reset windows passwords, browse registry

Have a look at the Links page!

Images to look at

Image from a Cash Register

Forensic Imaging Best Practice

1. get a disk and ensure that there is a ID on that disk. IDs should look like UU-YYYY-MM-DD-X where UU is your user ID, YYYY, MM, DD represent the date and X is a roman number used as a serial number to distinguish several hard disks you image in one day. So I might use something like md-2004-10-04-I as an ID. Write it on the disk with marker and create a directory with the same name for your evidence data.

2. Connect the disk to your computer. You might want to try to remove the original disk from one of our external USB disk and put in the disk to image. We find that "real" IDE and SCSI works better.

3. Go to you evidence directory and create a file like md-2004-10-04-I.txt where you note model, serial number manufacturer, etc. of the HD, other noteworthy thinks, your name and actual time. Then create the image with something like dd if=/dev/hdX of=./md-2004-10-04-I.image

4. Upload the your whole evidence directory to ftp://discovery.informatik.rwth-aachen.de/incoming/DiskImages/

5. Now start analyzing the Image, add your observations to the evidence directory and upload missing stuff when done.