Intro to Cyber Crime and Computer Forensics CS 42736273 September 22, 2003 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Intro to Cyber Crime and Computer Forensics CS 4273/6273, September 22, 2003
MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
2
Introduction to the NTI Incident Response Suite
3
NTI Incident Response Suite
  • New Technologies, Inc.
  • Gresham, Oregon
  • Started by two former Secret Service employees
    • Michael Anderson
    • Joseph Enders
  • Consists of approximately 20 tools

4
NTI Incident Response Suite
  • CRCMD5
  • DISKSIG
  • DOC
  • FILECNVT
  • FILELIST
  • FILTER_I
  • GETFREE
  • GETSLACK
  • GETSWAP
  • GETTIME
  • GEXTRACT
  • MAP
  • MSPRO
  • NTA
  • PTABLE
  • SCRUB
  • SEIZED
  • SPACES
  • TXTSRCHP
  • SAFEBACK

5
CRCMD5
  • Obviously creates a hash of a file or disk image.
  • CRC: Cyclic Redundancy Check
  • MD5: I don't remember what it stands for.
  • Hashes the file or image; if two hashes are the
    same then, statistically, the two images have to
    be the same.
  • Command of the form
    • CRCMD5 file1 ... filen

6
DISKSIG
  • Runs a CRCMD5 on a set of one or more disks.
  • Command of the form
    • Disksig /b c: z:
  • The /b switch includes the boot sector.
  • Necessary for file systems with dynamic boot
    records, like Windows.
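To make the /b point concrete, here is an added Python model of a DISKSIG-style signature (this is not NTI's code): CRC32 plus MD5 over a constructed 4 KiB image, assuming the boot sector is the first 512 bytes and is skipped unless the /b behaviour is requested.

```python
import hashlib
import zlib

BOOT_SECTOR_SIZE = 512  # assumption: the boot sector is the first 512 bytes


def disk_signature(image: bytes, include_boot: bool = False) -> dict:
    """Return CRC32 and MD5 of a disk image, in the spirit of DISKSIG.

    include_boot=False models the default (boot sector not signed);
    include_boot=True models the /b switch (boot sector is signed).
    """
    data = image if include_boot else image[BOOT_SECTOR_SIZE:]
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
    }


def signatures_match(a: dict, b: dict) -> bool:
    return a["crc32"] == b["crc32"] and a["md5"] == b["md5"]


def make_image() -> bytes:
    """Constructed 4 KiB 'disk' whose boot sector ends with the 0x55AA marker."""
    boot = bytearray(BOOT_SECTOR_SIZE)
    boot[-2:] = b"\x55\xaa"
    return bytes(boot) + b"\x00" * (4096 - BOOT_SECTOR_SIZE)


ORIGINAL = make_image()
# The same disk after a one-byte change inside the boot sector (constructed)
_t = bytearray(ORIGINAL)
_t[100] ^= 0xFF
TAMPERED = bytes(_t)


def boot_change_detected(include_boot: bool) -> bool:
    """True when the signatures of ORIGINAL and TAMPERED differ."""
    return not signatures_match(
        disk_signature(ORIGINAL, include_boot),
        disk_signature(TAMPERED, include_boot),
    )


if __name__ == "__main__":
    print("without /b:", boot_change_detected(False))  # change in boot sector missed
    print("with /b:   ", boot_change_detected(True))   # change in boot sector caught
```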

7
DOC
  • Takes a snapshot of the directory
  • Command of the form
    • DOC c:\mydocu~1
  • Records creation time to the second.

8
FILECNVT
  • Converts the output of a FILELIST command to
    dBASE III format.
  • Command
    • Filecnvt
  • It automatically detects any FILELIST output
    files and asks which you would like to convert.
  • It then creates the dBASE III version of the file.

9
FILELIST
  • Reads all files on the disk and puts them in one
    or more files.
  • Command of the form
    • FILELIST /m /lxxx Output-file drive drive...
  • If the /m option is specified, an MD5 digest
    will be computed for each file.
  • If the /lxxx option is specified, the user can
    specify the size of the output file (default
    size is 2.1Gb).

10
FILTER_I
  • Filters out unreadable characters from the output
    of other tools.
  • Used as a /f switch on other commands.

11
GETFREE
  • Gets all of the free space on a disk and puts it
    in one or more files.
  • Command of the form
    • Getfree /f drive1 ... driven

12
GETSLACK
  • Gets all of the data in slack space on the disk
    and puts it in one or more files.
  • Command of the form
    • Getslack /f drive1 ... driven
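What GETFREE and GETSLACK actually collect is easier to see on a tiny constructed disk. The added Python example below (not NTI's code) assumes a 64-byte cluster size and a simple allocation table mapping each file to its clusters and byte size; slack is the unused tail of a file's last cluster, free space is every cluster no file owns.

```python
from typing import Dict, List, Tuple

CLUSTER = 64  # assumption: tiny cluster size so the constructed disk stays small
N_CLUSTERS = 4
# allocation table: file name -> (clusters it occupies, in order; size in bytes)
Table = Dict[str, Tuple[List[int], int]]


def make_disk() -> bytearray:
    """Constructed disk whose clusters are all full of recognisable old data."""
    return bytearray(b"".join((b"deleted%02d" % i).ljust(CLUSTER, b"~")
                              for i in range(N_CLUSTERS)))


def write_file(disk: bytearray, clusters: List[int], data: bytes) -> None:
    """Store `data` in the given clusters without touching the tail of the
    last one, which is exactly how slack space ends up holding old bytes."""
    for i, c in enumerate(clusters):
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
        disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk


def get_slack(disk: bytearray, table: Table) -> Dict[str, bytes]:
    """Like GETSLACK: for every allocated file, return the bytes between the
    end of its data and the end of its last cluster (empty if none)."""
    slack = {}
    for name, (clusters, size) in table.items():
        if not clusters:
            slack[name] = b""
            continue
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        start = clusters[-1] * CLUSTER + used_in_last
        slack[name] = bytes(disk[start:(clusters[-1] + 1) * CLUSTER])
    return slack


def get_free(disk: bytearray, table: Table) -> bytes:
    """Like GETFREE: concatenate every cluster no file currently owns."""
    allocated = {c for clusters, _ in table.values() for c in clusters}
    return b"".join(bytes(disk[c * CLUSTER:(c + 1) * CLUSTER])
                    for c in range(N_CLUSTERS) if c not in allocated)


def sample() -> Tuple[bytearray, Table]:
    """Constructed layout: one 100-byte file in clusters 0 and 1, so cluster 1
    keeps 28 bytes of slack and clusters 2 and 3 are free space."""
    disk = make_disk()
    write_file(disk, [0, 1], b"A" * 100)
    return disk, {"a.txt": ([0, 1], 100)}
```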

13
GETSWAP
  • Gets all of the information in swap space and
    puts it in one or more files.
  • Command of the form
    • getswap

14
GETTIME
  • Records the time in CMOS
  • Used for validating time of seizure.
  • Should be run as soon as possible after seizure.

15
GEXTRACT
  • Extracts all graphic files from a disk.
  • Default is all JPG, GIF and BMP files.
  • Command of the form
    • GEXTRACT options
  • The output directory must already exist. If you
    want to extract to the working folder (the folder
    the program was executed from), don't supply an
    output directory.
  • /JPG Will scan for JPG files
  • /GIF Will scan for GIF files
  • /BMP Will scan for BMP files

16
PTABLE
  • Displays partition table information
  • Command
    • ptable
  • Will list all of the partition tables for all
    disks in the system.

17
SCRUB
  • SCRUBS the disk
  • Writes all zeroes, then all ones, then all F6s.
  • Three passes are performed
  • Command of the form
    • SCRUB /d /p /g
  • /d Specifies the drives to be cleared, with
    drive 0 being the first drive. A list of drives
    to be scrubbed can be specified by separating
    drive numbers with commas. For example,
    /d0,1,2
  • At least one drive (or all drives) must be
    specified.
  • /p Specifies the number of passes to be
    performed.
  • If /p is not specified, two scrubbing passes are
    made.
  • /g By default, SCRUB requests verification
    from the operator before a drive is scrubbed. If
    the /g switch is used, verification is skipped
    and scrubbing begins.
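An added Python model of the SCRUB procedure (this is not NTI's code): it parses a /d-style drive list, cycles through the 0x00, 0xFF and 0xF6 patterns for the requested number of passes (two when no pass count is given, as the slide says for a missing /p), reads each pass back to verify it, and models the operator confirmation that /g skips with a callback. The drives are constructed in-memory buffers.

```python
from typing import Callable, Dict, List

PATTERNS = (0x00, 0xFF, 0xF6)  # zeroes, then ones, then F6s, as the slide lists


def parse_drive_list(switch: str) -> List[int]:
    """Parse a SCRUB-style /d switch such as '/d0,1,2' into drive numbers."""
    if not switch.startswith("/d") or len(switch) == 2:
        raise ValueError("at least one drive must be specified")
    return [int(n) for n in switch[2:].split(",")]


def scrub_drive(drive: bytearray, passes: int = 2) -> List[int]:
    """Overwrite every byte of `drive` once per pass, cycling through PATTERNS.

    After each pass the buffer is read back and checked, so a pass that did
    not fully apply raises instead of being silently counted.
    Returns the pattern bytes written, in order.
    """
    written = []
    for i in range(passes):
        pattern = PATTERNS[i % len(PATTERNS)]
        drive[:] = bytes([pattern]) * len(drive)
        if any(b != pattern for b in drive):  # read-back verification
            raise RuntimeError(f"pass {i + 1} failed to verify")
        written.append(pattern)
    return written


def scrub(drives: Dict[int, bytearray], switch: str, passes: int = 2,
          confirm: Callable[[int], bool] = lambda n: True) -> Dict[int, List[int]]:
    """Scrub the drives named in `switch`. `confirm` stands in for the
    operator prompt; the default (always True) models the /g switch."""
    result = {}
    for n in parse_drive_list(switch):
        if n not in drives:
            raise KeyError(f"drive {n} does not exist")
        if confirm(n):
            result[n] = scrub_drive(drives[n], passes)
    return result


def sample_drives() -> Dict[int, bytearray]:
    """Constructed: three tiny 'drives' holding recognisable leftover data."""
    return {i: bytearray((b"old evidence %d " % i) * 8) for i in range(3)}


if __name__ == "__main__":
    d = sample_drives()
    print(scrub(d, "/d0,2", passes=3))  # drive 1 is left untouched
```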

18
SAFEBACK
  • Creates an image of the disk.
  • We'll discuss this more on Monday.

19
Homework 3
  • Use the tools located in the NTI directory to
    discover all of the evidence you can find on the
    evidence disk in the laboratory computer.
  • The evidence will be there by this afternoon, so
    start this evening or tomorrow, and as always,
    keep a journal.
  • Homework is due next Wednesday.