Digital forensics
From Inforail
Forensics
File systems
- recover deleted files
- NTFS
- alternate data streams (ADS) //hiding data behind a normal-looking file
- why are they there? (e.g. the Zone.Identifier stream that marks files downloaded from the Internet zone)
- MFT record size: small files (a few hundred bytes) are resident, their data sits right inside the MFT entry
- file carving
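File carving ignores the file system and recovers files purely from their content, which is why it works after deletion or when the file system is damaged. The following header/footer carver is an added example, not code from this page or from PhotoRec; the signature table, the `CarvedFile` record and the constructed "disk image" in `build_sample_image()` are assumptions for the demonstration.

```python
from dataclasses import dataclass

# Header/footer pairs for two common types (constructed subset for this example;
# a real carver such as PhotoRec knows many more formats and validates structure).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


@dataclass
class CarvedFile:
    kind: str      # signature name that matched
    offset: int    # byte offset of the header in the image
    data: bytes    # carved bytes, header through footer inclusive


def carve(blob: bytes, signatures=SIGNATURES, max_len: int = 64 * 1024 * 1024):
    """Scan raw bytes for known headers and cut out everything up to the matching
    footer. No directory entries or allocation bitmaps are consulted, so a file
    whose metadata is gone is still found as long as its bytes are contiguous."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            # Only look for the footer within max_len to bound runaway carves.
            end = blob.find(footer, start + len(header), start + max_len)
            if end == -1:
                pos = start + 1          # header with no usable footer: skip it
                continue
            end += len(footer)
            found.append(CarvedFile(kind, start, blob[start:end]))
            pos = end                    # resume after the carved file
    return sorted(found, key=lambda c: c.offset)


def build_sample_image():
    """Constructed stand-in for a raw disk image: filler bytes with a minimal
    fake JPEG and PNG dropped in at known offsets. Returns (blob, expected)."""
    filler = bytes(range(256)) * 8       # 2048 bytes; contains none of the signatures
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"\x22" * 17
           + SIGNATURES["png"][1])
    blob = filler + jpeg + filler + png + filler
    expected = {"jpg": len(filler), "png": 2 * len(filler) + len(jpeg)}
    return blob, expected


if __name__ == "__main__":
    blob, expected = build_sample_image()
    for f in carve(blob):
        print(f"{f.kind} at offset {f.offset}, {len(f.data)} bytes")
```

Two caveats a practitioner hits immediately: fragmented files are not recovered (the footer found belongs to a different fragment), and a JPEG with an embedded EXIF thumbnail contains a second SOI/EOI pair, so a naive footer search stops at the thumbnail's EOI and truncates the carve. Real carvers parse the marker segments instead of trusting the first footer.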
SIM card
- deleted SMS recovery
- last dialled numbers
- last registered network //EF_LOCI: location information (TMSI + LAI, i.e. the network and location area the SIM last registered on)
Data sanitization
- wiping
- Peter Gutmann method (35-pass overwrite)
- wear leveling vs sanitization //on flash/SSD an overwrite may land on a fresh block, leaving the old data in place
Traces in the OS
- recently opened files
- registry
- browser cache
- hibernate file
- swap file
Metadata
- documents
- BTK Killer: Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest.
- images
- EXIF
- GPS
- timestamps
- owner email
- JPEG compression //error-level analysis
- fake planes in satellite photos
- audio
- ID3 tags
- headers
- email
- finding students who cheat
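Image metadata is the most common place a position and a timestamp leak, so it is worth knowing where they sit in the file rather than only calling a library. The following Exif parser is an added example, not code from this page: it walks the JPEG marker segments to the APP1 segment, parses the embedded TIFF structure (IFD0, then the GPS IFD) and converts the degrees/minutes/seconds rationals to decimal. The `build_sample_jpeg()` input is constructed for the example; the tag numbers and type sizes are from the Exif specification.

```python
import struct

TAG_DATETIME, TAG_GPS_IFD = 0x0132, 0x8825                  # IFD0 tags
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4     # GPS IFD tags
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}           # BYTE ASCII SHORT LONG RATIONAL UNDEFINED


def read_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Decode one IFD into {tag: value}. Values of <= 4 bytes are stored inline
    in the 12-byte entry; longer values live at the offset the entry points to."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, pos)
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            data = tiff[pos + 8:pos + 8 + size]
        else:
            (value_off,) = struct.unpack_from(endian + "I", tiff, pos + 8)
            data = tiff[value_off:value_off + size]
        if typ == 2:                                   # ASCII, NUL-terminated
            value = data.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif typ in (3, 4):                            # SHORT / LONG
            value = struct.unpack(endian + ("H" if typ == 3 else "I") * n, data)
        elif typ == 5:                                 # RATIONAL: pairs of LONG
            raw = struct.unpack(endian + "II" * n, data)
            value = tuple(raw[j] / raw[j + 1] if raw[j + 1] else 0.0
                          for j in range(0, 2 * n, 2))
        else:
            value = data
        entries[tag] = value
    return entries


def dms_to_decimal(dms, ref: str) -> float:
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def parse_exif(jpeg: bytes) -> dict:
    """Find the APP1/Exif segment and return DateTime and GPS position, if present."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI or SOS: Exif precedes scan data
            break
        (seg_len,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            tiff = body[6:]
            endian = {b"II": "<", b"MM": ">"}[tiff[:2]]   # byte order of the TIFF block
            magic, ifd0_off = struct.unpack_from(endian + "HI", tiff, 2)
            if magic != 42:
                raise ValueError("bad TIFF header")
            ifd0 = read_ifd(tiff, ifd0_off, endian)
            result = {"DateTime": ifd0.get(TAG_DATETIME)}
            if TAG_GPS_IFD in ifd0:
                gps = read_ifd(tiff, ifd0[TAG_GPS_IFD][0], endian)
                result["lat"] = dms_to_decimal(gps[GPS_LAT], gps[GPS_LAT_REF])
                result["lon"] = dms_to_decimal(gps[GPS_LON], gps[GPS_LON_REF])
            return result
        pos += 2 + seg_len
    return {}


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG (no image data): APP1 with DateTime and a GPS IFD
    placing the photo at 48 deg 51' 29.25" N, 2 deg 17' 40.20" W."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 2 * 12 + 4            # IFD0 holds 2 entries
    data_off = gps_off + 2 + 4 * 12 + 4            # GPS IFD holds 4 entries
    datetime_bytes = b"2021:05:04 12:00:00\x00"
    lat_off = data_off + len(datetime_bytes)
    lon_off = lat_off + 3 * 8

    def entry(tag, typ, n, value):
        return struct.pack("<HHI", tag, typ, n) + value

    ifd0 = (struct.pack("<H", 2)
            + entry(TAG_DATETIME, 2, len(datetime_bytes), struct.pack("<I", data_off))
            + entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", gps_off))
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + entry(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
           + entry(GPS_LAT, 5, 3, struct.pack("<I", lat_off))
           + entry(GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
           + entry(GPS_LON, 5, 3, struct.pack("<I", lon_off))
           + struct.pack("<I", 0))
    rationals = b"".join(struct.pack("<II", n, d) for n, d in
                         [(48, 1), (51, 1), (2925, 100), (2, 1), (17, 1), (4020, 100)])
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + gps + datetime_bytes + rationals
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print(parse_exif(build_sample_jpeg()))
```

Note that every offset inside the TIFF block is relative to the start of that block, not the file, and that the byte order can differ per file ("II" vs "MM"); both are classic sources of wrong coordinates in home-grown tools.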
- hardware
- HDD write blocker
- vs mount as read-only (software-only protection; e.g. an ext3/ext4 `ro` mount still replays the journal unless `noload` is given)
- FireWire DMA access to RAM (live memory acquisition, and equally an attack vector)
- software
- producing image dumps
- photorec
- methods
- steganography
- cold boot attack
- guidelines
- do not turn computer off
- do not leave computer on :-)
- transport in a Faraday cage
- battery drain increases //the phone keeps searching for a network, so power it separately or expect it to die
- resources
- forensicswiki
- misc
- fingerprints on swipe sensors
- SQLite VACUUM //deleted rows stay in the file's free space until VACUUM rewrites it, so look before that happens
- network evidence vs the `trojan defense`
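What "look before VACUUM" means in practice, as an added example (not from this page): a deleted row is only unlinked from the B-tree page, so a raw scan of the database file still finds its text until VACUUM rebuilds the file, or unless `secure_delete` was on when the row was deleted. The table and the marker string are constructed for the demonstration; the script uses only the standard library.

```python
import os
import shutil
import sqlite3
import tempfile


def marker_in_file(path: str, marker: bytes) -> bool:
    """Raw scan of the database file, ignoring SQLite's logical view of the data."""
    with open(path, "rb") as f:
        return marker in f.read()


def deleted_row_lifecycle(secure_delete: bool = False) -> dict:
    """Insert three messages, delete one, then VACUUM; report at each stage whether
    the deleted message's text is still recoverable from the raw file."""
    marker = b"CONSTRUCTED-SECRET-SMS-7731"          # constructed sample content
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "sms.db")
    try:
        conn = sqlite3.connect(path)
        # secure_delete=ON makes SQLite zero freed cells immediately; the default
        # build setting varies, so pin it explicitly for the demonstration.
        conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany("INSERT INTO messages VALUES (?, ?)",
                         [(1, "hello"), (2, marker.decode()), (3, "see you at 9")])
        conn.commit()
        result = {"after_insert": marker_in_file(path, marker)}

        conn.execute("DELETE FROM messages WHERE id = 2")
        conn.commit()
        # The cell is now a free block inside the leaf page; only its first few
        # bytes (size/rowid header) were overwritten, the payload text remains.
        result["after_delete"] = marker_in_file(path, marker)

        conn.execute("VACUUM")                        # rebuilds the file from live rows only
        conn.close()
        result["after_vacuum"] = marker_in_file(path, marker)
        return result
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    print("secure_delete=OFF:", deleted_row_lifecycle(False))
    print("secure_delete=ON: ", deleted_row_lifecycle(True))
```

In a real acquisition also collect the `-journal` or `-wal` file next to the database: the rollback journal and WAL hold copies of pages as they were before recent transactions, including rows that have since been deleted, and a freed page on the freelist keeps its content for the same reason.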
- process
- seizure
- acquisition
- analysis
- legal aspects
- chain of custody
- discussion of the book "The Lure"