Lecture 9 - Process of digital forensics Step 3 Flashcards
What is the 3rd step of computer forensics?
Analysis
Steps of analysis?
- physical searching
- whitelist production
- registry examination
- browser analysis
- reconstruction
What is the first step of the analysis step?
Create a case in Autopsy
-> ensure the hash is checked (to confirm no changes were made to the copy)
-> pick the relevant Autopsy features for the case (e.g. foremost to fetch deleted files, keyword searching, metacam to get camera files)
What is the step of whitelist production?
Producing a list of files that will be excluded from the analysis as they’re not relevant to the investigation. This is done by comparing hashes of the files with whitelisted hashes. Files not on this list are restricted from running on a normal system.
How can we get whitelist hashes?
Using md5deep (which computes the file hashes)
How can a whitelist be used in digital forensics?
Files that are not on the whitelist might be suspect.
What is the step of registry examination?
Here we identify the installed applications, devices and users on the OS.
What software can we use for registry examination?
regviewer
Why do we have a registry step in the analysis?
For:
- User Activity Tracking
- Malware Analysis
- Network Activity Analysis
- Recovery of Deleted Data
- User Authentication Analysis
What is the step of browser analysis?
Where we go through the browser activity on that device: mainly history, bookmarks and recent items.
What software can we use to discover browser files, e.g. index.dat?
Autopsy
What is the step of reconstruction within the analysis?
Creation of a .fls file and use of Zeitline to examine all the events. This program can also be used to create a timeline of events.
-> this can be used to further investigate or dig into files
Is establishing a timeline important?
Establishing a timeline is one of the most crucial parts of the investigation.