Welcome to CSIA200 Computer Forensics. In this class you will learn several things about digital forensics, including the pertinent laws, how to perform the steps of a forensics investigation, and the technical theory behind topics such as deleted files and file systems, passwords and encryption, the Windows Registry, and web browser data files. You will also learn how to analyze forensic disk images using a variety of tools.
In addition to learning how to perform forensic analysis, you will learn the theory behind several of the topics, including the following:
The Windows Registry: what it holds, where the information is stored, which data may be of interest in a forensics investigation, and how to find specific information.
Password hashing: how Windows hashes and stores user passwords, and how to crack the hashes.
File and disk encryption, and how to crack it.
NTFS: how files are stored on and deleted from a drive, how to retrieve recycled or deleted files, and how to perform disk carving and retrieve data from damaged disks.
Browsers: where they store browsing data, and how to retrieve saved usernames and passwords for online accounts.
The Recycle Bin and deleted files, and how to recover them.
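As an added illustration of the disk-carving topic listed above (this is an example written for this page, not course material and not code from any tool used in the class), the following Python carves JPEG and PNG files out of a raw image by header/footer signature alone, which is exactly why carving works when the file system is gone or damaged. The JPEG and PNG signatures are real; the disk image bytes, the filler and the "truncated" file are constructed inline and are not real picture data.

```python
"""Signature-based file carving over a raw disk image (added example)."""
from dataclasses import dataclass

# Real header/footer signatures for two common picture formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
DEFAULT_MAX_SIZE = 10 * 1024 * 1024  # stop looking for a footer 10 MiB past the header


@dataclass
class CarvedFile:
    kind: str
    offset: int      # byte offset of the header inside the image
    data: bytes      # header through footer, or header to max_size/end of image if truncated
    complete: bool   # False when no footer was found within max_size


def carve(image: bytes, signatures=SIGNATURES, max_size=DEFAULT_MAX_SIZE):
    """Return every header/footer pair found in `image`, sorted by offset.

    The carver ignores the file system entirely, which is what lets it recover files
    whose MFT entries are gone or whose partition table is damaged. The price is that it
    is naive about structure: a JPEG with an embedded thumbnail ends at the thumbnail's
    FFD9, a truncated file followed by another of the same type is merged into it, and
    fragmented files are not reassembled. Production carvers validate the parsed
    structure to avoid these; this one only demonstrates the signature search.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            footer_at = image.find(footer, start + len(header), start + max_size)
            if footer_at == -1:
                # Header without footer: tail overwritten, or larger than max_size. Keep the
                # bytes so the examiner can still look at them, but flag the file as partial.
                found.append(CarvedFile(kind, start, image[start:start + max_size], False))
                pos = start + len(header)
            else:
                end = footer_at + len(footer)
                found.append(CarvedFile(kind, start, image[start:end], True))
                pos = end
    return sorted(found, key=lambda f: f.offset)


# Constructed sample image: zero filler around a minimal "JPEG", a minimal "PNG", and a
# JPEG whose tail was overwritten (header present, no EOI marker). Not real picture data.
_FILL = b"\x00" * 256
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 40 + b"IEND\xae\x42\x60\x82"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x33" * 20
SAMPLE_IMAGE = _FILL + FAKE_JPEG + _FILL + FAKE_PNG + _FILL + TRUNCATED_JPEG + _FILL

if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        print(f"{f.kind}\toffset={f.offset}\tsize={len(f.data)}\tcomplete={f.complete}")
```

Run against a real `dd` image the same way (`carve(open("disk.dd", "rb").read())` for a small image, or in mapped chunks for a large one); the offsets it reports are what you would bookmark in FTK or feed to a hex viewer to see what surrounds the file.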
1 – Course Introduction
- Course Tips (Video)
- The Virtual Machine You Will Need Later In The Class
- Introduction to Using the Class Virtual Machine (Video)
- Download the VM Appliance File (.Zip file you will need to extract)
- Installing The Class Virtual Machine Step 1: Installing Oracle Virtual Box Manager (Video)
- Installing The Class Virtual Machine Step 2: Downloading and Installing the VM File (Video)
- Installing The Class Virtual Machine Step 3: Logging On the VM and a Brief Tour (Video)
- [OPTIONAL] Troubleshooting Problems with Virtual Box VMs (Video)
2 – Overview of Computer Forensics
- Section Overview – What Are Forensics and Digital Forensics (Video)
- History of Forensics (Video)
- General Steps in a Forensics Investigation (Video)
- Introduction to Laws and the US Legal System (Video)
- Trials (Video)
- Testimony (Video)
- Evidence (Video)
- [Optional reading] [WARNING – Graphic Content] How bad science is undermining America’s justice system
- The Judge (Video)
- Bill of Rights & Search Warrants (PDF)
- Laws Defining Computer Crimes (PDF)
- Legal Standards Covering Forensics Tools (PDF)
- Choosing A Forensics Toolkit or Suite of Tools (PDF)
- Module 2 Lab Manual (PDF)
- Files for Lab Manual (zip archive)
- Lab Manual with Answers (PDF)
3 – Acquisition
- Introduction to Acquisition and Authorization (Video)
- Static Acquisition (Video)
- Live Acquisition (Video)
- Creating A Memory Dump (Video)
- Ramcapturer64 (ZIP)
- Princeton Freezing RAM Video – Lest We Remember: Cold Boot Attacks on Encryption Keys (YouTube)
- Data Persistence in RAM – Video from Princeton University (In case the previous link fails)
- Introduction to Forensics Disk Images and FTK Imager (Video)
- AD1 and dd Formats in FTK Imager (Video)
- SMART, E01 and AFF Image File Formats (Video)
- What is Hashing (Video)
- Hashing details captions (pdf)
- ImagingPractice1.zip (ZIP)
- ImagingPractice2.zip (ZIP)
- SANS Forensics Image File Formats (PDF)
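Added example for the hashing videos in this module (written for this page, not course material, and not the code FTK Imager uses): how an acquisition hash is computed and later used to verify that an image has not changed. The image contents and the recorded digests are constructed; the digests of the string "abc" used to check the functions are the standard published test values.

```python
"""Verifying a forensic image by hash (added example)."""
import hashlib
import hmac
import io

CHUNK_SIZE = 1024 * 1024          # 1 MiB reads: a multi-TB image must never be loaded whole
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE) -> dict:
    """One pass over the stream; every chunk is fed to every hasher at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while chunk := stream.read(chunk_size):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=ALGORITHMS) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def hash_bytes(data, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE) -> dict:
    return hash_stream(io.BytesIO(data), algorithms, chunk_size)


def verify_bytes(data, recorded) -> bool:
    """Recompute every digest the acquisition tool recorded and require all of them to match.

    Keys and hex values are compared case-insensitively ("MD5"/"md5", upper/lower hex),
    because tools and examiners do not agree on a convention. A constant-time compare is
    used out of habit; the digests are not secrets, so it is harmless either way.
    """
    wanted = {k.lower(): v.lower() for k, v in recorded.items()}
    computed = hash_bytes(data, tuple(wanted))
    return all(hmac.compare_digest(computed[k], v) for k, v in wanted.items())


def flip_bit(data, bit_index) -> bytes:
    """Return a copy of data with one bit flipped (a single-bit read error or edit)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


# Constructed 2 MiB "image": spans chunk boundaries, so the chunked reading is exercised.
ACQUIRED_IMAGE = bytes(range(256)) * 8192

if __name__ == "__main__":
    record = hash_bytes(ACQUIRED_IMAGE)          # what the imaging tool would log at acquisition
    print("acquisition record:", record)
    print("pristine copy verifies:", verify_bytes(ACQUIRED_IMAGE, record))
    print("one flipped bit verifies:", verify_bytes(flip_bit(ACQUIRED_IMAGE, 12345), record))
```

Two practical points the example is built around: the digest does not depend on the chunk size you read with, so a hash computed by a different tool over the same bytes must match exactly; and a single flipped bit anywhere in the image fails verification. MD5 and SHA-1 are what FTK Imager records, and they are still adequate for detecting accidental change, but both have published collision attacks, so record SHA-256 as well when the tool allows it.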
4 – Analyzing Data: Introduction
- Installing FTK (Video 4:22)
- FTK Download (zip)
- FTK Install Problems? Use the VM (Video)
- FTK Overview (Video 5:10)
- Adding Evidence to FTK (Video 4:02)
- FTK Overview Tab (Video 8:59)
- Intro to Bookmarks and Reports (Video)
- The Explore Tab (Video)
- The Graphics Tab (Video)
- Exporting Files From FTK (Video)
- Process For Simple Cases (Video)
- Simple Hiding – Files With Bad Extensions (Video)
- Lab Files
5 – Analyzing Data: String Search
- Adding A Forensics Disk Image as Evidence in FTK (Video)
- FTK String Search Basics (Video 6:39)
- FTK String Search Details (Video 6:54)
- FTK Compound String Search (Video 5:49)
- FTK String Search – More Results with Stemming (Video 6:06)
- FTK String Search – More Results with Phonic (Video 3:06)
- FTK String Search – More Results with Synonym (Video 1:49)
- FTK String Search – More Results with Fuzzy (Video 2:48)
- FTK String Search – Fewer Results with Date Limit (Video 2:52)
- FTK String Search – Fewer Results with Size Limit and File Name Pattern (Video 3:08)
- FTK String Search – Wildcards in Search Term (Video 2:46)
- FTK String Search – Import Word List (Video 1:42)
- FTK Export Word List (Video 3:19)
- FTK Live Search – Case, Whole Words (Video 4:54)
- FTK Live Search – Regular Expression Intro (Video 4:38)
- FTK Live Search – Basics of Building Regular Expressions (Video 10:16)
- FTK Live Search – Getting Regular Expressions (Video 3:31)
- Regular Expression Reference Tables (PDF)
- Lab Files
- F04 Search Lab Manual (PDF)
- String Search Practice Images (ZIP)
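Added example for the live search and regular expression videos in this module (written for this page; it is not course material and not how FTK implements its search). It shows why a raw keyword or regex search over an image has to be run in both ASCII and UTF-16LE: Windows stores registry values, NTFS file names and much application data as UTF-16LE, so an ASCII-only pass silently misses them. The image bytes and the two e-mail addresses in it are constructed.

```python
"""Keyword/regex search over a raw image in ASCII and UTF-16LE (added example)."""
import re
import struct
from dataclasses import dataclass


@dataclass
class Hit:
    offset: int      # byte offset in the image where the match starts
    encoding: str    # "ascii" or "utf-16le"
    text: str


def _as_latin1(image: bytes) -> str:
    # latin-1 maps every byte to exactly one character, so str index == byte offset.
    return image.decode("latin-1")


def _as_utf16le_units(image: bytes, align: int) -> str:
    # Decode 16-bit code units by hand instead of image.decode("utf-16-le"): a surrogate
    # pair would collapse four bytes into one character and break the arithmetic
    # byte offset = align + 2 * index. Lone surrogates become U+FFFD.
    n = (len(image) - align) // 2
    units = struct.unpack(f"<{n}H", image[align:align + 2 * n])
    return "".join("\ufffd" if 0xD800 <= u <= 0xDFFF else chr(u) for u in units)


def search(image: bytes, pattern: str, flags=re.IGNORECASE, encodings=("ascii", "utf-16le")):
    """Run one regex over the image in each requested encoding; hits sorted by offset."""
    rx = re.compile(pattern, flags)
    hits = []
    if "ascii" in encodings:
        hits += [Hit(m.start(), "ascii", m.group()) for m in rx.finditer(_as_latin1(image))]
    if "utf-16le" in encodings:
        # Two passes, because a UTF-16 string may begin on an odd byte offset.
        for align in (0, 1):
            text = _as_utf16le_units(image, align)
            hits += [Hit(align + 2 * m.start(), "utf-16le", m.group()) for m in rx.finditer(text)]
    return sorted(hits, key=lambda h: h.offset)


# A deliberately simple e-mail pattern; FTK ships richer ones in its regex library.
EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"

# Constructed sample image: one address in ASCII, one in UTF-16LE at an odd offset.
SAMPLE_IMAGE = (b"\x00" * 64
                + b"contact: alice@example.com\n"
                + b"\x00" * 64
                + "Owner bob@example.org".encode("utf-16-le")
                + b"\x00" * 64)

if __name__ == "__main__":
    print("both encodings:", search(SAMPLE_IMAGE, EMAIL))
    print("ascii only    :", search(SAMPLE_IMAGE, EMAIL, encodings=("ascii",)))
```

The ASCII-only call returns one hit; the default call returns both. The same two-encoding logic applies to plain keywords as well as patterns, and the reported offsets are what you would use to find the hit in a hex view and decide what artifact it sits in.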
6 – Analyzing Data: Registry
- Section Introduction (Video 4:24)
- Introduction to Registry (Video 6:36)
- Registry Structure – The Main Hives (Video 9:23)
- Updating and Editing Registry (Video 11:54)
- Saving Registry to Files (Video 8:14)
- Discovering Registry Keys (Video)
- Discovering Registry Keys with RegSnap (Video 10:01)
- Building A Forensics Registry Reference (Video 2:59)
- Registry References (zip)
- FTK Registry Viewer Default Reports (Video 6:53)
- Details of FTK Registry Reports (Video 14:10)
- Inspecting Entire Registry in Registry Viewer (Video 6:19)
- Exporting Registry Files From Disk Image (Video 7:42)
- Viewing Registry Files In Registry Viewer (Video 3:28)
- Demo of all the steps of exporting registry files, viewing in Registry Viewer (Video 5:16)
- Lab Files
- F06 Windows Registry Lab Manual (pdf)
- Registry Data Files (zip)
7 – Analyzing Data: Passwords and Encryption
- Introduction to Password Cracking (Video 3:15)
- Password Cracking Concepts (Video 5:34)
- Types of Password Attacks (Video 10:23)
- Encryption vs. Hashing (Video 4:57)
- Windows User Password Concepts (Video)
- Lab Manual (PDF)