Archive for the ‘encase’ Category

This is the latest in my series of posts on Computer Forensics based on the course I am doing with Infinite Skills. I will first look at the computer forensics software EnCase, which is probably the market leader and whose primary purpose is to find and analyze files. It can analyze a sector on a hard drive and tell the type of file, and even partially recover a deleted file. If you select a file within the EnCase program, various information about its properties will be shown when you press Report. Another very similar program is FTK, although that works in Linux. EnCase works with Windows. There are also various built-in programs like Windows Process Manager that can be used in connection with computer forensics. Many computer forensics tools use AFF (Advanced Forensic Format) as the file structure within the software. EnCase has its own proprietary file system. In general, computers should have NTFS as their file system, as you can attach conditions as to who can do what within a program. FAT32, good as it is, doesn't have this permissions feature. CDs tend to use either ISO 9660 or Joliet as their file structure.

The book I read to research this post was Malware Forensics Field Guide For Windows Systems by Eoghan Casey et al, an excellent book which I bought on Kindle. This book looks at the legal aspects, mostly according to American law, and also looks at the technical aspects of dealing with a virus infestation on either a network or a desktop PC. It lists loads of software that can do the various jobs, far too many to list here, and looks at doing the basics with some of this software. Eoghan is a bit of a legend in Digital Forensics and I have read quite a lot of books by him. There are also quite a few posts on different aspects of digital forensics at my computing blog at http://scratbag.me and my technology blog at http://scratbagroberts.com

If your computer is attacked by malware, it's best to analyze it in a live state, which means without rebooting it, since rebooting will often destroy any evidence. Many professionals use MD5 (Message Digest 5) when copying the hard drive. One problem facing you in this job is that there are various types of memory that all need to be copied. Another problem is what you copy it to; in most cases it will be an external hard drive due to the enormous amount of data. Copying it to writable media like DVD-Rs also takes longer. A good program that will copy a network to another network hard drive is EnCase Enterprise. A lot of malware nowadays contains keyloggers to find things like passwords, something to locate credit card numbers, and an email address for this information to be sent to. One way you can spot malware is to use a network sniffer like Wireshark: the malware will constantly try to access the internet to send its newfound information. This book is nearly 1,000 pages and covers every aspect of malware and I really enjoyed reading it.
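The paragraph above mentions MD5 in the context of copying a drive. The forensic point is that the hash proves the copy is a faithful, unaltered image of the original. The following Python script is an added example, not code from this post, from EnCase or from the book: it copies a source file chunk by chunk while hashing the bytes it reads, then independently rehashes the written image and compares the two (MD5 and SHA-256 together, since MD5 alone is weak). The "drive" is a constructed byte string written to a temporary file; a real acquisition would read a block device through a write blocker.

```python
"""Hash-verified copy of a disk image (added example; not the blog's or
EnCase's code). The source 'drive' is a constructed file, not a real device."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-GB images
ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for the file at `path`, streamed in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_and_verify(source_path, image_path):
    """Copy source to image, hashing the bytes as they are read (acquisition
    hash), then rehash the image file from disk (verification hash).
    Returns (acquisition_hashes, verification_hashes, hashes_match)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    acquisition = {name: h.hexdigest() for name, h in hashers.items()}
    verification = hash_file(image_path)  # re-read what actually landed on disk
    return acquisition, verification, acquisition == verification


def demo():
    """Constructed sample: a ~3 MiB fake 'drive' with a recognisable header.
    Returns (copy_verified, tampered_copy_still_matches, acq_hashes, ver_hashes)."""
    fake_drive = b"NTFS    " + bytes(range(256)) * (3 * 1024 * 4)
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "drive.bin")
        img = os.path.join(tmp, "drive.raw")
        with open(src, "wb") as f:
            f.write(fake_drive)
        acq, ver, ok = image_and_verify(src, img)
        # Flip one byte deep inside the image to show the check catching a change
        with open(img, "r+b") as f:
            f.seek(4096)
            f.write(b"\x00")
        tampered = hash_file(img)
        return ok, acq["md5"] == tampered["md5"], acq, ver


if __name__ == "__main__":
    verified, tampered_matches, acq, ver = demo()
    print("image verified:", verified)
    print("tampered image still matches:", tampered_matches)
    for name in ALGORITHMS:
        print(f"{name}: {acq[name]}")
```

Record both digests in the case notes at acquisition time; any later rehash that differs means the image (or the notes) can no longer be trusted as evidence.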
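The last technical point above, that malware keeps trying to reach the internet to send what it has collected, is something a sniffer shows as a regular outbound "heartbeat". The script below is an added example, not code from this post, Wireshark or the book: it parses constructed, text-only capture lines (the format is my own, not Wireshark's), groups connections by source, destination and port, and flags pairs whose inter-connection intervals are suspiciously regular. One host in the sample phones home every 60 seconds among ordinary browsing traffic.

```python
"""Flagging beacon-like outbound connections in sniffer output (added example,
not the blog's or Wireshark's code). CAPTURE is constructed test data in a
made-up line format; addresses are documentation ranges."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

CAPTURE = """\
2024-05-01 10:00:00 192.168.1.20:49152 -> 203.0.113.5:443 TCP SYN
2024-05-01 10:00:07 192.168.1.20:49153 -> 198.51.100.10:443 TCP SYN
2024-05-01 10:00:09 192.168.1.20:49154 -> 198.51.100.10:443 TCP SYN
2024-05-01 10:01:00 192.168.1.20:49155 -> 203.0.113.5:443 TCP SYN
2024-05-01 10:01:41 192.168.1.20:49156 -> 198.51.100.22:80 TCP SYN
2024-05-01 10:02:00 192.168.1.20:49157 -> 203.0.113.5:443 TCP SYN
2024-05-01 10:03:00 192.168.1.20:49158 -> 203.0.113.5:443 TCP SYN
2024-05-01 10:03:25 192.168.1.20:49159 -> 198.51.100.10:443 TCP SYN
2024-05-01 10:04:00 192.168.1.20:49160 -> 203.0.113.5:443 TCP SYN
2024-05-01 10:05:00 192.168.1.20:49161 -> 203.0.113.5:443 TCP SYN
"""


def parse_line(line):
    """Split one constructed capture line into (timestamp, src_ip, dst_ip, dst_port)."""
    date, time, src, _arrow, dst, _proto, _flag = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    src_ip = src.rsplit(":", 1)[0]          # ephemeral source port is irrelevant
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dst_port)


def find_beacons(capture, min_connections=5, max_jitter=0.2):
    """Group connections by (src, dst, port) and report groups with at least
    `min_connections` whose gaps are regular: std dev / mean <= max_jitter.
    Returns a list of ((src, dst, port), connection_count, mean_gap_seconds)."""
    times = defaultdict(list)
    for line in capture.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        times[(src, dst, port)].append(ts)

    suspects = []
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # too few samples to call the interval regular
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects.append((key, len(stamps), round(avg, 1)))
    return suspects


if __name__ == "__main__":
    for (src, dst, port), count, gap in find_beacons(CAPTURE):
        print(f"{src} -> {dst}:{port}: {count} connections, every ~{gap}s")
```

Tune `min_connections` and `max_jitter` to the capture length; real implants add random jitter, so a loose threshold with a longer capture catches more than a tight threshold over a few minutes. The regular-interval check is a lead for investigation, not proof on its own, since legitimate software (update checks, monitoring agents) also polls on a timer.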