I have an exam coming up, yet I was unable to grab the answers to the exam to know if I was on the right track. I was just wondering if anyone can confirm if I am on the right track with these.
On a Windows machine, describe places other than the internet cache where evidence relating to internet activity can be found.
It can be found using a full search through the history folder in mydocuments/appdata/, where .dat files can be found of websites that were viewed on the system. Cookies can also hold valuable information relating to internet activity on the machine in question, as can sessions. With the new internet browsers currently available, they all store session information relating to the last session viewed on the machine. These files can then be restored, which will give the forensic investigators an on-screen view of what the suspect was viewing.
Given that an individual is claiming that the content has been placed on their PC by malicious code, how would you attempt to refute such a claim?
The system can be scanned for any traces of malicious code and, if some is found, the dates on which the file was run can be checked against the file that was added to the system. The pagefile can also be viewed and searched for any information relating to malware. If information is found, it can then be researched to figure out whether the files were added locally or remotely. If remotely, network logs can then be examined to see if any files came over the network or if there was a high level of network usage after the malicious code was run.
If you were given a 20GB hard drive which had been used to image an 8GB drive, and found during analysis that there was more than the 8GB image on the disk, what would this indicate, and how would you then proceed?
This would indicate that there are files either in slack space or unallocated space. The slack space and the unallocated space can be extracted using the dls command in a Linux terminal. Once this is found, it can be converted so that only the visible ASCII chars are visible, which can then be searched for any valuable information which may be relevant to the case. Autopsy can be used to search unallocated space, but it cannot search the slack space within an image.
One question which I am not too sure about, however, is one that asks:
Compare and contrast the features of FAT and NTFS that affect forensic analysis.
Would this be the fact that NTFS has the EFS feature? And compression? What about FAT, though?
Thanks in advance, guys.
> Compare and contrast the features of FAT and NTFS that affect forensic analysis.
> Would this be the fact that NTFS has the EFS feature? And compression? What about FAT, though?
Is this an essay test that you are preparing to take? This particular question is pretty broad. You could write quite a bit about this sort of thing, and many people have. You might just start by talking about the difference between a FAT table and an $MFT. That could lean into a discussion about how file records differ between the two, such as the difference in temporal data, etc. I'd also touch on issues like maximum file sizes, volume sizes, etc. Maybe talk about cool NTFS metafiles like $LogFile?
It was just a short exam question in the practice exam. We didn't get any answers, so it was just a matter of me getting the answer and hoping it was right, and I wanted to check. The answer should only be a paragraph long. I was thinking of just stating the difference between the two, and that it can be a bit tougher to get the data off an NTFS drive due to the encryption and compression that the NTFS file system comes with. However, if the MFT is still intact, then it can still be obtained.
Are the other answers on the right track? They are also short answers.
> If you were given a 20GB hard drive which had been used to image an 8GB drive, and found during analysis that there was more than the 8GB image on the disk, what would this indicate, and how would you then proceed?
> This would indicate that there are files either in slack space or unallocated space. The slack space and the unallocated space can be extracted using the dls command in a Linux terminal. Once this is found, it can be converted so that only the visible ASCII chars are visible, which can then be searched for any valuable information which may be relevant to the case. Autopsy can be used to search unallocated space, but it cannot search the slack space within an image.
Are you assuming the 20GB hard drive has been forensically wiped before use?
Not sure. That is the exact question in the exam for 2008, as it is stated there. That is a good point, as the data on the disk could be nothing at all related to the case then.
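An added example (written here, not posted by anyone in this thread) of the procedure in the 20GB/8GB answer and the wipe question that follows it: flag sectors past the expected image length that are not zero-filled, carve the printable ASCII runs from them, and keep only strings that mention a case keyword. The 512-byte sector size, the scaled-down 16-sector "disk" and 8-sector "image", and the sample bytes are constructed assumptions.

```python
# Added example (not from the thread): scaled-down check of the "20 GB disk
# holding an 8 GB image" scenario. Sector size and sample layout are assumed.
import re
from typing import List, Tuple

SECTOR = 512  # assumed sector size

def residual_sectors(disk: bytes, image_size: int, sector: int = SECTOR) -> List[int]:
    """Offsets of sectors beyond image_size that are not all zero.
    Non-zero data there means the disk was not wiped before the image was
    written, so it may hold leftovers unrelated to the case (or worth a look)."""
    zero = bytes(sector)
    return [off for off in range(image_size, len(disk), sector)
            if disk[off:off + sector] != zero]

def ascii_strings(data: bytes, base: int = 0, min_len: int = 4) -> List[Tuple[int, str]]:
    """Keep only runs of visible ASCII (like strings(1)), with their offsets."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(base + m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]

def search_residual(disk: bytes, image_size: int, keywords: List[str]) -> List[Tuple[int, str]]:
    """Carve strings from the residual region and keep those mentioning a keyword."""
    hits = []
    for off in residual_sectors(disk, image_size):
        for soff, s in ascii_strings(disk[off:off + SECTOR], base=off):
            if any(k.lower() in s.lower() for k in keywords):
                hits.append((soff, s))
    return hits

# Constructed sample: a 16-sector "disk" holding an 8-sector "image".
IMAGE_SIZE = 8 * SECTOR
_disk = bytearray(16 * SECTOR)
_disk[0:12] = b"IMAGE-HEADER"                                           # inside the image
_disk[IMAGE_SIZE + 10:IMAGE_SIZE + 40] = b"invoice.doc from old case 0412"  # residual text
_disk[11 * SECTOR:11 * SECTOR + 7] = b"\x00\x01\x02\x03\xff\xfe\xfd"   # residual binary, no strings
SAMPLE_DISK = bytes(_disk)

if __name__ == "__main__":
    print("non-zero residual sectors at:", residual_sectors(SAMPLE_DISK, IMAGE_SIZE))
    for off, s in search_residual(SAMPLE_DISK, IMAGE_SIZE, ["invoice", "case"]):
        print(f"{off:#010x}: {s}")
```

On a real disk you would run this over the raw device or a dd image of it, with image_size set to the size of the acquired 8GB image, and treat every hit as needing provenance checks before it is tied to the case.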