Join Us!

Notifications
Clear all

New to Forensics  

  RSS
techmerlin
(@techmerlin)
Member

Hello all,

I am fairly new to the computer forensics scene, I have many years in the IT feild both in supporting and installling networks and their users. I have recently began exploring the forensics side of thigs as I have always been quite intrested with it.

I came across this site a week or so ago and just love it, there is some great information in here and some great topics. As I build my forensics knowledge I am just curious as to what approch alot of you take who have done this for a while when examing a case.

With the amount of information you have to go through on a case, I realize you have some knowledge of what you are looking for depending on the case (e.g. pornography, fraud etc.). When examing media I come across many parts of files e.g. when looking at a word document you see such things as "CompObj, DocumentSummaryInformation, SummaryInformation,1 Table, ObjectPool and Word Document"

I realize the MetaData is very important or can be in many cases which appears to be what I see in "Document Summary Information" but what about some of these other items, are each of these usually examined and if so what type things are you looking for in them.

Sorry if this is long winded, I am just a sucker for knowing things -)

Thanks everyone for you input

Quote
Posted : 14/08/2005 12:50 am
andy1500mac
(@andy1500mac)
Member

Hi Techmerlin,

Coming from a similar background I became interested in computer forensics a couple of years ago. I decided after much thought to jump into it with both feet and return to school while working full time. Before I did this I first picked up a couple of books on the subject to get a general understanding of the basics. Some of them can be found here http//www.forensicfocus.com/computer-forensics-books

Much of the info is redundant but the different perspectives and writing styles make for interesting reading. They answered many of my initial questions (as did going through all the posts on this forum). If you want a good read specific to windows try Windows Forensics and Incident Recovery by H.Carvey (a member of ForensicFocus) it is well written and covers a wide range of topics that will I guarantee pique your interest even more (it did for me).

Here is another link I found to be chalk full of good resources http//www.e-evidence.info. Lastly good through past posts as many times they will answer a question you have. I posted something on documentation practices recently that was clearly answered around a year ago (had a slow day at work and found it only today).

Specific to your questions on metadata they can contain computer user names, paths to folders, how many revisions may have been done to a document, if it has been printed or saved to floppy and a host of other tidbits depending on the application/settings.

Hope this helps,
Andrew-

ReplyQuote
Posted : 14/08/2005 6:28 am
techmerlin
(@techmerlin)
Member

Andy,

THanks for your info and links, I will be sure to try and find that book you suggested as it sounds as though it is a good read.

Question I have for you, I see what can be contained in the MetaData and how useful it can be. I have done a number of examinations of drives, CD's and other media learing more and more. the one thing I notice, I am using a FTK and when I exam media where there are some word documents I get a number of files showing, FTK list hundreds of files but most of the files are CompObj, DocumentSummaryInformation, SummaryInformation,1 Table, ObjectPool and Word Document and they appear to be for each word document and some multiple times.

What is this showing, is it showing for eac 'set' of these files was that a time the document was edited or modified..?

thoughts..?

Thanks Again

ReplyQuote
Posted : 14/08/2005 10:10 pm
andy1500mac
(@andy1500mac)
Member

Techmerlin,

I have been doing much of my work using WinHex Forensic Edition. In terms of metadata I will also use the CLI tool strings.exe from sysinternals. I do have the trial version of FTK (5000 file limit) and test it on small thumb drive images and floppies although I haven’t really had a chance to delve too deeply into it.

Someone will correct me if I’m wrong but I believe for each .doc for example in FTK the tool shows the “metadata” as a separate object/file for lack of a better word. Meaning letter.doc will have Documentsummaryinfo, summaryinfo and CompOdj (all metadata) associated to it, as well as any file slack for the specific cluster the file resides in.

So although you may have only 5 word documents on disk, depending on the view in FTK it can initially look like 20 or so…?

Andrew-

ReplyQuote
Posted : 14/08/2005 10:45 pm
armresl
(@armresl)
Senior Member

Are you doing these exams for your current company?

have you gone to any training on FTK?

ReplyQuote
Posted : 15/08/2005 8:34 am
andy1500mac
(@andy1500mac)
Member

Hi Armresl,

I’m doing any courses out of personal interest. These include college, workshops and eventually a cert or two. The only exams I do are for testing purposes and are not done in association with my present employer.

The vendor based training I hope to include somewhere down the line but as all this is out of my own pocket and amounts to quite a lot of $$$ (software, workshops-Can government based and college courses) it will have to wait.

Andrew-

ReplyQuote
Posted : 15/08/2005 5:29 pm
gmarshall139
(@gmarshall139)
Active Member

So although you may have only 5 word documents on disk, depending on the view in FTK it can initially look like 20 or so…?

You are correct. FTK is automatically breaking down the compound file structure of the office documents. FTK also breaks down the pagefile and the unallocated space into numerous smaller blocks. I don't see the benefit to any of this, unless it has something to do with the indexing.

ReplyQuote
Posted : 15/08/2005 6:26 pm
techmerlin
(@techmerlin)
Member

Thanks for your input Greg -)

ReplyQuote
Posted : 15/08/2005 10:56 pm
armresl
(@armresl)
Senior Member

FTK's boot camp class covers a lot of the items you are looking for, and the windows forensics class picks up where it left off. Don't believe there are too many classes in and or around the Canada area, but I know they are greatly expanding the area which they teach classes i.e. Japan, Netherlands, London, etc.

Hope you can find something in your area.

In Sept they will also be rolling out a certification program for FTK called ACE.

Best wishes

ReplyQuote
Posted : 16/08/2005 2:16 am
techmerlin
(@techmerlin)
Member

I have been searching for FTK training in Canada. There is one in Calgary, Alberta (Canada) but nothing in Ontario that I can find and I Am very surprised at that. Doeas anyone know of anything in Ontario?

Thanks

ReplyQuote
Posted : 16/08/2005 9:07 pm
Share: