Saturday, August 15, 2009

Computer Forensics Delayed

Sadly, due to financial reasons I have had to postpone my University Education. This has been the main reason for my lack of updates recently, sorry guys. That, with losing a lot of my forensic material in a hard drive failure, means things have not been overly great.

Given the funds I will soon be restoring an old computer from the Barn into a dedicated Forensic Lab type machine. *evil laff*

Rest assured I am still very much interested in expanding my Computer Forensic knowledge as well as sharing it with readers here!

I am still very much looking forward to the arrival of my pre-ordered book - Windows Forensic Analysis DVD Toolkit (Paperback)


Wednesday, April 29, 2009

Helix Forensics live CD no longer free

I used to have this backed up and lost everything on my PC the other week. Came to collect it again and noticed it's ruddy well gone from being free.

Just my luck, I was planning a run-through of this tool's use for my blog :(

Plenty of other free ones around I guess... but I liked Helix a lot.

Off to sulk... otherwise known as find a free one.

Thursday, April 16, 2009

Moved Home - Internet back at last.

My personal circumstances have changed a lot recently. Needless to say, I now have the Internet again.

I have a few projects I am working towards for this computer forensic blog site I hope to have finished soon.

There will be, with any luck, a few images I will be making of things you can investigate with free tools. They will involve basic cases like errmm... Well, I can not find my list right now (just moved and all), so I will have to update things again in another blog post at a later date.

I have noticed the site has maintained a steady stream of hits since I was away. So I just wanted to thank everyone who still comes by and reads.

Again so much more to come, just finding the time at the moment.

That about rounds things up for now.

Thursday, March 26, 2009

Finding out what programs have been run and when in Computer Forensic Analysis

David Cowen a Computer Forensic Expert Witness recently posted part 2 of a blog series he is completing on his blog hackingexposedcomputerforensicsblog

I really enjoyed the recent post called "What did they take when they left? Part 2 – Finding out what they ran before they left".

It covers link files, prefetch and UserAssist keys in detail and is really good information to know as a wannabe Computer Forensic Analyst. I would really recommend, if you are interested in Computer Forensics, that you read this recent post. It is very detailed and specific and has a lot of useful information in one place.

I eagerly await his Part 3 - Where did it go and what did they take?

On a related note, I have used Windows File Analyzer myself in the past to study prefetch files and found it really interesting what you can learn. Once I have completed moving house I will do a blog post about the use of this tool and what you can learn from it, and show some examples. I hope to cover some use of link files as well, and possibly UserAssist keys.

Back to box packing for me..

Tuesday, March 24, 2009

Finally decided to give Twitter a try

Thought I would give Twitter a try, it seems to be growing a lot and I thought why not give it a try!

You can find my Twitter at http://twitter.com/p0ttah

Or I have a widget on the right there showing my recent tweets.

Please feel free to add me! I can't promise it is going to be completely Computer Forensics orientated, but as it's a big part of me I imagine most updates will be related.

Have fun.

Thursday, March 19, 2009

Staffordshire University Interview Process

As it appears this was a very popular subject recently, I thought I would go into a bit more detail about the Interview day I went to recently at Staffordshire University (Stafford campus).

Upon receiving an Interview date you also receive a map and directions; on arrival there was plenty of parking. I was greeted by an assigned person who was wearing something to stand out as being a helper (I forget what, but it was obvious).

I was greeted warmly and got a quick tour en route to the meeting lounge type area. A short queue followed where you gave in your name. You then received a document in a folder with more information about the course and a timetable of the day ahead. You also got given a free drinks voucher for the nearby cafe.

You next get called forward to go on a tour of the accommodation if you are interested in that (the accommodation tours ran throughout the day in case you missed it). On returning from that it was just about time for certain groups of people, depending on what course you were on, to be escorted to one of the lecture theatres. Computer Forensics was the second group called, amongst other courses like Computer Game Design.

You then sit down and have a big talk about the University and what's in the surrounding area. It covered everything from accommodation to fees and was made really funny in places, which was really welcoming.

Once this was completed the course lecturers came in and took people to the relevant courses they were interested in. Some courses were really popular, with like 15 people going, some smaller like Computer Forensics, which only had 4 people.

We were then escorted to the forensic lab and had an intro into Computer Forensics, and were later introduced to one of the members of staff who is a working expert in Computer Forensics. While in the lab we were shown a collection of 20 or so PDAs and a professional write blocker kit, which was really cool to see. It was one that was linked to EnCase (I think) so the computer can detect if the write blocker is working.

We were shown the full version of EnCase and had freedom to play about with the lab PCs. I noticed they also had steganography stuff installed amongst many other things. They had a hex-edited file prepared to look at with a basic hex editor. I must admit I was expecting something a bit more exciting than picking out clear patterns in a hex-edited file. We were only shown the PDAs and write blocker because I mentioned them, so there was room for improvement really. I found the introduction a bit basic but can understand why it would be like this.

After the introduction we were then taken out one by one to a small office for a quick interview with the main lecturer. It lasted about 8-15 minutes and was very informal. The questions were pretty general, nothing you would want to worry about. You get a rating on a few areas and the best advice really is go in with confidence; if this is what you want to be doing, show it!

I found Staffordshire University to be a great University to pick for Computer Forensics. I was really impressed with the array of tools available and the lecturers' personalities as well as the expert's knowledge. All in all it was great; none of the above is meant to be negative, it is just my impressions. I was really happy overall and am really excited about starting in September. I truly know I can do well on this course and with any luck will come out of this being able to become a Computer Forensic Analyst.

Website of the University
http://www.staffs.ac.uk/

Tuesday, March 10, 2009

Windows Forensic Analysis DVD Toolkit (Paperback)

This will be my next book. The Second Edition of Windows Forensic Analysis DVD Toolkit (Paperback)

It is not out just yet, but is due for release in the next few months. More information about the book and author can be found on his blog at the address below.

Windowsir.blogspot.com

Really looking forward to the book. I was already going to get the first edition of the book, but now will wait for the second. It will hopefully give a lot more in-depth knowledge that I am eager to learn.

It's really well priced as well, so can't ask for much more.


Monday, March 9, 2009

Forensic Computing at Staffordshire University

I recently went and visited Staffordshire University and did an interview for the course Forensic Computing (fg44). The interview went really well; I got told I would be able to do the course "piss easy", "Yes piss is a technical term". I was given full marks for the interview and today received confirmation I had been offered an unconditional place, which was great to hear!! So September here I come. Here is a link to the specific course.

http://www.staffs.ac.uk/study_here/courses/forensic-computing-tcm428355.jsp

A bit of a review of the University from my point of view. The staff were really friendly and funny, not just the computer staff either; the starting talk for everyone had plenty of jokes to put people at ease. There were only four other people who were interested in Forensic Computing when I went; funnily enough we were all on our own, other than one person who brought their dad, I think.

They recently had a new building and new computers. They had an old forensic lab but it is apparently being updated before we arrive this year, so that's good to know. The lab had about 18 computers with EnCase and numerous other things, like a collection of about 20 PDAs and a proper write blocker kit. I was happy to know they have an expert as part of the staff who has been to court and whatnot, and he seemed really knowledgeable.

All in all really looking forward to starting in September.

Monday, March 2, 2009

Free Computer Forensic Tool Links


Sunday, February 22, 2009

Free Forensic Tool Links.

I had thought making a site with many up-to-date links to free open source tools would prove a popular spot for people wanting to start out in computer forensics.

Very few people seem to visit the site at all. Why, I wonder? Is it hard to read? Is my taste in colour a bit random? Please feel free to douse the site by letting me know!

When I was starting out learning I found it really hard to find good links to open source tools to play about with. I have used the majority of the tools on the site below and hopefully given more time I can write about each of them.

I think I may even rewrite the links site, giving more information about each item on it. Perhaps that will help.

For now, here is a little bump for the site!

http://forensic-links.blogspot.com/

Would appreciate people stopping by and letting me know how I can improve it.

Tuesday, February 10, 2009

My next book - EnCase Computer Forensics: The Official EnCE - EnCase Certified Examiner Study Guide (Paperback)

I have just recently purchased EnCase Computer Forensics: The Official EnCE - EnCase Certified Examiner Study Guide (Paperback) and hope to do a review soon. I am looking forward to the included CD with software and working examples to play around with.
Stay tuned !

Monday, February 9, 2009

Computer Forensic Certifications

I just thought I would share some of the certifications I have been researching for the future.

GCFA - GIAC Certified Forensics Analyst

CHFI - Certified Hacking Forensic Investigator

CISSP - Certified Information Systems Security Professional

CCE - Certified Computer Examiner

CCFT - Certified Computer Forensic Technician

EnCE - EnCase Certified Examiner

ACE - AccessData Certified Examiner

CPE - Certified ProDiscover Examiner

I have more or less decided I would go for the EnCE or ACE certification, based solely on the fact that the majority of jobs I have seen advertised require good knowledge of either or both of these products. I am yet to see any job asking for anything else specific, but I do understand some of these certifications could give useful knowledge.

I would really appreciate hearing from anyone who has done either of these courses or in fact other courses who could share their views and opinions.

Thursday, February 5, 2009

Getting The Sleuth Kit and Autopsy Browser running on Ubuntu 8.04 Desktop with VMware Player on Windows XP

To begin a few links you'll need.

VMware Player - Lets you create a virtual machine, think Linux inside a window.
Ubuntu 8.04 Desktop - Loads into VMware Player so you have it running in Windows.
The Sleuth Kit (TSK) - The website is the best source for information here.
Autopsy Forensic Browser - Makes TSK easier to use by adding a graphical interface.

Once you have all these downloaded you can begin by installing VMware Player.

Next go to where you placed Ubuntu and look for a file called Ubuntu; you should be able to double click this to load up Ubuntu in VMware Player. You can find the basic information and username/password in the info.txt found inside the same folder.

Once you are at the desktop of Ubuntu you'll be needing the TSK and Autopsy files putting on. I myself just went on Firefox, which is already on Ubuntu, and downloaded the files above. The versions I used are sleuthkit-3.0.1.tar.gz and autopsy-2.21.tar.gz.

On your desktop where the files would appear by default, you will want to extract them using the default program offered.

Next load up Terminal which can be found at the top left in Applications/Accessories

The first thing to do here is download build-essential because without it, you won't be able to compile properly. The error I was getting before installing this was:

configure: error: C++ preprocessor "/lib/cpp" fails sanity check

Type the following...

sudo aptitude update
When prompted for a password, enter your password.
sudo aptitude install build-essential

This should now have installed all the elements of build-essential.

-----
NOTE: Some permission issues/errors that can occur can be fixed by running the same commands as root. You can become root by typing sudo -i in the terminal. To exit root after you have run the command, type exit.

Make sure you don't stay in root as it can cause more problems and damage.

-----

Next we'll install TSK. Type the following:

cd /home/user/Desktop/sleuthkit-3.0.0

(Obviously if you installed it somewhere else simply adjust the above to match)

Next type.

./configure

This should run without errors after installing build-essential as we did above.

Type make

Don't be afraid of all the text that appears, just wait till it's finished.

Next type make install

You may need to add sudo before this... so sudo make install


This should have completed the TSK install.

Moving on now to the Autopsy install. (I am assuming you have already extracted the file into a directory)

Type cd /home/user/Desktop/autopsy-2.20

Again type the commands

./configure

make

At the prompt that will appear first you'll want to say No. For more information see the INSTALL.TXT.

Next you'll be asked to provide a directory for the evidence locker; this folder must be made by you. I placed mine on my desktop by right clicking the desktop and selecting Create Folder. I named it locker.

So in the box back at the prompt you would type

/home/user/Desktop/locker

Now when you want to run Autopsy make sure you're in the right directory by typing this from the terminal.

cd /home/user/Desktop/autopsy-2.20

Then type ./autopsy

Now copy what it says, http://localhost:9999/autopsy, into Firefox.

Welcome to TSK with Autopsy !

In time I hope to create some basic images for practice investigations. So keep tuned to the blog!

Remember to keep the terminal window open, and when you're done with it, you simply press Control and C.

A helpful thing to remember is to check the INSTALL.txt for extra information, and a good tip when using the terminal is you can drag and drop files into the terminal window to quickly get the directory written for you.

I hope this guide was of use to someone. I don't claim to be an expert, I just aimed this at helping anyone stuck. If you ran into trouble at any stage of the above please feel free to leave a comment and I'll do my utmost to see if I can help you get it fixed.

Any comments welcome... the good, the bad and even the ugly.
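The same build sequence as a script, added here as an example rather than anything from the original post or the TSK/Autopsy projects. It front-loads the two things that went wrong in the walkthrough above (the missing C++ preprocessor behind the configure error, and the evidence locker folder that has to exist before Autopsy's make asks for it). The source paths and version numbers are assumptions; override them with environment variables if yours differ.

```shell
#!/bin/sh
# Added example, not the original post's code. Wraps the manual TSK + Autopsy
# build steps in functions with the checks the walkthrough needed.
# Assumption: tarballs already extracted on the Desktop under these names.
TSK_SRC="${TSK_SRC:-$HOME/Desktop/sleuthkit-3.0.1}"
AUTOPSY_SRC="${AUTOPSY_SRC:-$HOME/Desktop/autopsy-2.21}"
LOCKER="${LOCKER:-$HOME/Desktop/locker}"

# The test configure runs before reporting "C++ preprocessor fails sanity
# check": push a trivial header through cpp. Passes once build-essential is in.
have_cpp() {
    printf '#include <stdio.h>\n' | cpp - >/dev/null 2>&1
}

# Autopsy's make prompt does not create the evidence locker for you; it must
# already exist and be writable. Returns 0 when usable, 1 otherwise.
check_locker() {
    [ -d "$1" ] && [ -w "$1" ]
}

# ./configure && make for one extracted source tree; install=1 adds the
# 'sudo make install' step (TSK needs it, Autopsy runs from its own directory).
build_tree() {
    dir="$1"; install="$2"
    [ -d "$dir" ] || { echo "source directory not found: $dir" >&2; return 1; }
    (cd "$dir" && ./configure && make) || return 1
    if [ "$install" = 1 ]; then (cd "$dir" && sudo make install); fi
}

install_all() {
    if ! have_cpp; then
        echo "no working cpp: run 'sudo aptitude install build-essential' first" >&2
        return 1
    fi
    if ! check_locker "$LOCKER"; then
        echo "create the evidence locker first: mkdir -p $LOCKER" >&2
        return 1
    fi
    build_tree "$TSK_SRC" 1 || return 1
    echo "Autopsy's make will prompt: answer No first, then give $LOCKER as the locker"
    build_tree "$AUTOPSY_SRC" 0 || return 1
    echo "done: cd $AUTOPSY_SRC && ./autopsy, then open http://localhost:9999/autopsy"
}
```

Source the file in a terminal and run install_all; the Autopsy prompts are still answered by hand, exactly as in the steps above.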

Wednesday, February 4, 2009

A book of Interest

I recently read Computer Forensics for Dummies; the book is a great start to learning about computer forensics. It cost me just 12 pounds and has given me a good starting knowledge of all aspects of what the job involves, from acquiring data to how to handle court. It has a good glossary of terms for reference and is very up to date, seeing as it was only published towards the end of 2008. I would certainly recommend this book for people starting out in the field of computer forensics; it's basic, covers a lot, and is cheap... can't ask for much more than that.

That concludes my quick review of Computer Forensics for Dummies.

Welcome to my Follow Computer Forensics Blog

Hi, this site is set to follow my progress in my future career to become a Computer Forensic Analyst. In time I hope to track my time through University and gathering certifications.

I will be keeping the site up to date with useful links, videos, and my experiences. For example, I had trouble setting up a lab for testing but in the end have one running, all with free tools using Windows XP and VMware. Something I will cover in detail soon.

I aim the site to help other people in the similar situation of starting out in computer forensics. I found it can be very frustrating getting to grips with new tools whose help files don't cover the issues I encountered.