Computer Forensics Notes

Slightly_Doggo

Slightly Nervous Doggo
Server Admin
Fennec
Ruppell
Red
Member
Each week I will be posting my notes from the Computer Forensics course on Edx.org. This thread can be used as a quick reference for beginners. I recommend that anyone interested in Cybersecurity take the course themselves, and follow the Getting Started: Cybersecurity program.
 

Slightly_Doggo
Computer Forensics: Unit 1 Notes

  • Forensic Science is the examination and investigation of crime using scientific methods

  • Digital forensics is a branch of forensic sciences primarily focusing on digital evidence

  • Farmer & Venema define digital forensics as: Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past of a system

  • Types of forensics
    • System (Unix/Linux, Windows, etc)
    • Memory
    • Mobile
    • Networking
    • Internet and Cloud
  • Anti-Digital Forensics (ADF) is the destruction of evidence to make forensics work more difficult. This includes overwriting files, wiping drives, hiding or obfuscating files, and encryption

  • Expert Witness: follow procedures of the court and testify their findings, analysis and conclusion

  • Steps of the forensics process: Collect, preserve, analyze and report

  • Forensics Procedure:
    • Follow incident response and procedures of the company.
    • Example: How to turn off a computer? Soft or hard shutdown? If you shut down, you lose active TCP connections, memory, etc. A rootkit might detect a soft shutdown and remove evidence. Yank the power cord to prevent this.
  • Chain of custody: Documentation and records maintained on how evidence is handled, and by whom

  • Bitstream copy: Drive imaging, occurs at the disk level instead of file level. Use FTK Imager to create a bitstream copy.

  • Cryptographic hash algorithm for authentication of data. Hashing is a one way form of encryption. Collision free, so messages can't produce the same hash. Ex. MD5 and SHA1

  • SIFT: Ubuntu-based Linux distro for forensics tools

  • What to look for in analysis?: Partition tables (hidden data between partitions), generate a timeline of data, retrieve deleted and encrypted data, keyword search.

  • Report: Summary, analysis details, statement and conclusion. As a professional, you can give opinions.
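The bitstream copy, hash authentication and chain-of-custody bullets above describe one acquisition workflow. The script below ties them together as an added example; it is not from the course or the post above. It computes MD5 and SHA-1 alongside SHA-256 but treats SHA-256 as the authoritative digest, since MD5 and SHA-1 have practical collision attacks and only catch accidental corruption. The device path, case ID, examiner name and the 2 MiB sample "drive" are all constructed for the demo; on a real job the source would be a block device such as /dev/sdb behind a hardware write blocker.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-terabyte sources
# MD5/SHA-1 appear in many existing reports; SHA-256 is the value to rely on.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(path):
    """Hash a file or raw block device in one sequential pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bitstream_copy(source, image):
    """Copy every byte of `source` to `image` (disk level, not file level).

    Bytes are hashed as they are read, so the returned digests describe
    exactly what left the source device (assumed: /dev/sdX on a write blocker).
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    total = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while chunk := src.read(CHUNK):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
            total += len(chunk)
    return total, {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image, examiner, case_id, log_path):
    """Image `source`, re-hash the image, and append a chain-of-custody record."""
    size, source_hashes = bitstream_copy(source, image)
    image_hashes = hash_stream(image)  # independent re-read of the written image
    entry = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "bytes": size,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")  # one JSON line per custody event
    return entry


def verify_image(image, expected_sha256):
    """Re-hash an image before analysis or testimony; True if untouched."""
    return hash_stream(image)["sha256"] == expected_sha256


def demo():
    """Run the workflow against a constructed 2 MiB + 512 byte sample 'drive'."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "sample_drive.bin")  # stands in for /dev/sdb
    with open(evidence, "wb") as f:
        f.write(b"\x00" * 510 + b"\x55\xaa")                 # constructed boot-sector tail
        f.write(b"deleted file remnant ".ljust(CHUNK, b"\x00"))  # constructed slack
        f.write(bytes(range(256)) * (CHUNK // 256))          # constructed filler
    image = os.path.join(workdir, "sample_drive.raw")
    log_path = os.path.join(workdir, "custody.jsonl")

    entry = acquire(evidence, image, "Examiner A", "CASE-0001", log_path)
    clean_ok = verify_image(image, entry["image_hashes"]["sha256"])

    # Flip one byte deep inside the image: verification must now fail.
    with open(image, "r+b") as f:
        f.seek(CHUNK + 4096)
        f.write(b"X")
    tampered_ok = verify_image(image, entry["image_hashes"]["sha256"])

    return {
        "bytes": entry["bytes"],
        "verified": entry["verified"],
        "clean_ok": clean_ok,
        "tamper_detected": not tampered_ok,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody log is append-only JSON lines, so each later hand-off (re-hash before analysis, transfer to another examiner) can be recorded with the same shape and compared against the acquisition digests.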