- Hi, my name is Jungwoo Ryoo, and welcome to Computer Forensics Essential Training. This course provides an introduction to computer forensics by going over all the major aspects of computer forensics. By the end of this course, you will have a good understanding of what computer forensics is all about. We'll start with preparing for computer forensics investigations. In this chapter, we will be using software and hardware write blockers to protect your evidence. In the next chapter, we'll be using hashing tools, such as MD5 sum, to verify the validity of your evidence.
Next, we will learn how to acquire data using a commercial data acquisition software, such as FTK Imager. Finally, we will be analyzing the acquired data using an open source computer software suite called Autopsy. Now, let's get started with Computer Forensics Essential Training.
Computer forensics is used to find legal evidence in computers or storage devices. Although this course won't teach you how to become a digital forensics detective, it will cover the basics of this growing (and exciting) technical field. Author Jungwoo Ryoo reviews the basics: the goals of computer forensics, the types of investigations it's used for, a forensic investigator's typical toolset, and the legal implications of this type of work. Then he'll show how to prepare for an investigation; acquire data "live" while the system is running, statically from a hard drive, or from a remote machine; make sure data is kept in its original state with software and hardware write blockers; analyze the data; and create a report of your findings. Jungwoo uses a combination of open-source and commercial software, so you'll be able to uncover the information you need with the tools that are in your budget.
Understanding computer forensics
Using a hex editor
Preparing a target drive
Ensuring data integrity with hashing
Indexing and searching
Generating a report
Skill Level Intermediate
Q: Which operating systems support built-in write blocking?
A: Microsoft introduced the registry concept into its OS with the release of Windows 95. As a result, registry-based write blocking has been available since then. In this course, we tested registry-based write blocking on both Windows 7 and Windows 8.
If for whatever reason your OS doesn’t support registry-based write blocking, you can enable software-based write blocking via a forensics software suite such as EnCase. Finally, if all else fails, you can always use hardware write blockers.
Q: Are there other ways to access deleted files in the usbimage.001 file?
A: When opening the usbimage.001 file in Autopsy and trying to recover the deleted file (i.e., dreamCar.jpg), as shown in the chapter 5 movie “Searching,” if you don’t see the deleted file in the Data Sources tree, you can still view and extract the deleted file in the Views tree as shown below.