Analyzing the Remnants of a Computer Security Incident

COMPUTER FORENSIC DISK BASICS
 * have multiple "platters" or disks (see vocab)
 * sectors are grouped into clusters and clusters vary (vocab)
 * some disks become fragmented (vocab)

MANAGEMENT OF DIGITAL EVIDENCE
 * collecting, processing, and analyzing evidence
 * focus on legal aspects
 * treat everything as if it will be seen in court

COMPUTER FORENSICS ANALYSIS
 * two major dangers are loss of info and alteration
 * Key aspects of data collection
 * 1) the tools you use
 * 2) the techniques you use to collect data
 * 3) the tools used for analyzing
 * 4) the techniques for analyzing
 * requirements for collection tools
 * 1) don't alter data when collecting
 * 2) collect all the data "we" want and only that data
 * 3) be able to establish that they worked properly
 * 4) must be accepted by the computer forensic investigative community
 * 5) the results must be repeatable

EVIDENCE COLLECTION
 * never pull the plug of your computer
 * beware of hackers while you're investigating the victim's computer
 * make bitstream backup on disk
 * 1) shut down computer
 * 2) verify the computer will boot
 * 3) reboot to DOS
 * 4) Make two physical backups
 * 5) analyze the image machine
 * restore data to the test machine

EVIDENCE ANALYSIS
 * forensic tool kits allow:
 * 1) make a bitstream image of a target disk
 * 2) Perform text searches
 * 3) write specific search scripts
 * 4) Make an MD5 hash of disks
 * 5) List the files and directories on the target disk
 * 6) search for deleted files and data
 * Process for analyzing digital evidence
 * 1) make a disk image backup
 * 2) catalog the disk using a file listing utility
 * 3) Create a keyword list appropriate for the investigation
 * 4) Use a search tool for your keywords in all the hidden areas of the disk
 * 5) evaluate the results of your searches
 * 6) document your results
 * 7) repeat if necessary
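The tool requirements above (don't alter data, be able to establish the tool worked, repeatable results) and the analysis process (image, hash, keyword search including unallocated space) can be shown end to end in a small script. The following is an added illustration, not a tool from the course: it builds a constructed 64-sector "disk" file, images it twice while hashing the bytes as they are read from the source, re-hashes each image to verify the copies, and then scans the whole image for keywords, so a keyword sitting in an unallocated sector (a deleted file's remnant) is still found. The 512-byte sector size, file names and keywords are assumptions for the demo; on a real case the source would be a write-blocked drive opened read-only, and cataloging files (step 2) needs a filesystem parser such as The Sleuth Kit's `fls`, which is not reproduced here.

```python
"""Bitstream imaging with hash verification and raw keyword search.

Added illustration for these notes (not the course's own tool). It runs on
a small constructed disk image so it works offline; on a real case the
source would be a write-blocked drive or block device opened read-only.
"""
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size of the constructed image


def build_sample_disk(path):
    """Write a constructed 64-sector 'disk': one live file in sector 0, one
    deleted file whose sector (2) is no longer allocated, the rest zeroed."""
    live = b"README: project notes for the quarterly audit\n".ljust(SECTOR, b"\x00")
    deleted = b"[deleted] wire transfer to ACME-OFFSHORE 2024\n".ljust(SECTOR, b"\x00")
    empty = b"\x00" * SECTOR
    sectors = [live, empty, deleted] + [empty] * 61
    with open(path, "wb") as fh:
        fh.write(b"".join(sectors))
    return len(sectors) * SECTOR


def hash_file(path, chunk=SECTOR * 8):
    """MD5 and SHA-256 of a file, read in sector-aligned chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def image_disk(src, dst, chunk=SECTOR * 8):
    """Copy src to dst byte for byte. The source is only ever opened for
    reading; the acquisition hashes are computed from the bytes as they are
    read, so they describe the source rather than the copy."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            fout.write(block)
            copied += len(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": copied}


def verify_image(acquisition_hashes, image_path):
    """Re-hash the written image and compare with the acquisition hashes:
    this is how the examiner shows the imaging tool worked properly."""
    actual = hash_file(image_path)
    return all(actual[k] == acquisition_hashes[k] for k in ("md5", "sha256"))


def keyword_search(image_path, keywords, chunk=SECTOR * 8):
    """Scan the raw image (allocated and unallocated sectors alike) for the
    keywords. Returns (keyword, byte offset, sector) per hit. A tail of
    len(longest keyword) - 1 bytes is carried between chunks so a keyword
    straddling a chunk boundary is still found, and found only once."""
    needles = {k: k.encode("utf-8") for k in keywords}
    overlap = max(len(n) for n in needles.values()) - 1
    hits = []
    offset = 0   # absolute offset of the current chunk in the image
    tail = b""   # bytes carried over from the previous chunk
    with open(image_path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            window = tail + block
            for kw, needle in needles.items():
                idx = window.find(needle)
                while idx >= 0:
                    # a hit lying entirely inside the carried tail was
                    # already reported from the previous window
                    if idx + len(needle) > len(tail):
                        abs_off = offset - len(tail) + idx
                        hits.append((kw, abs_off, abs_off // SECTOR))
                    idx = window.find(needle, idx + 1)
            offset += len(block)
            tail = window[-overlap:] if overlap else b""
    return sorted(hits, key=lambda h: h[1])


def run_demo(search_chunk=SECTOR * 8):
    """Steps 1, 4 and 5 of the process: image twice, verify, search."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect.dd")          # constructed evidence
        build_sample_disk(source)
        copies = [os.path.join(tmp, f"image{i}.dd") for i in (1, 2)]
        acq = [image_disk(source, c) for c in copies]
        verified = all(verify_image(a, c) for a, c in zip(acq, copies))
        repeatable = all(acq[0][k] == acq[1][k] for k in ("md5", "sha256"))
        hits = keyword_search(copies[0], ["audit", "ACME-OFFSHORE"], chunk=search_chunk)
        return {"verified": verified, "repeatable": repeatable,
                "bytes": acq[0]["bytes"], "hits": hits}


if __name__ == "__main__":
    result = run_demo()
    for kw, off, sec in result["hits"]:
        print(f"{kw!r} at byte {off} (sector {sec})")
    print("images verified:", result["verified"], "repeatable:", result["repeatable"])
```

The second hit lands in sector 2, which no live file owns, which is the point of searching the raw image rather than the mounted filesystem. Hashing during the read rather than afterwards matters for step 4 of the collection procedure: the two physical backups can each be checked against the same source hash, and the hash is what gets written into the documentation in step 6.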