Become Computer Forensics Expert & Start your career!

Udemy course: Become Computer Forensics Expert & Start your career! by EH Academy, approx. 1.5 hrs long

Things you will learn:

  • Understand the process to handle a crime scene

  • Conduct computer forensics analysis to find the evidence

  • Maintain the integrity of the data and be able to verify it by hashing

  • Learn the process to acquire disk images and the process to analyze disks

Notes

Computer Forensics Process

  1. Collection - plan for acquiring the data and what are the sources of data

  2. Examination - sift and extract data of interest for evidence

  3. Analysis - analyse data gathered and draw conclusions

  4. Reporting - present information

  • Disk imaging - take an exact, bit-for-bit copy of the storage media so that all analysis is done on the copy and the original is never altered.

  • Evidence is frequently hidden (deleted files, for instance), which is why the whole medium is imaged rather than copying only the visible files.

  • Destination image types:

(a) Raw (plain disk dump, as produced by dd)

(b) E01 (EnCase evidence file format)

(c) SMART (metadata is kept in a separate file)

(d) AFF (Advanced Forensic Format; data and metadata are in a single file)

  • Create the image and record the hash values. If the hash of the image differs from the hash of the source, data integrity cannot be demonstrated and the image is not usable as evidence.

  • Validate the hash before and after the copy to show that nothing was altered in the process.

Analyse disk image on Windows:

  1. FTK Imager extracts the evidence. Its overview shows a summary of all the files on the disk image, including deleted files.

  2. ProDiscover Basic analyses a connected disk (e.g. a USB drive) and shows its content in a file or cluster view depending on preferences.

Create disk image on Linux:

  • dd command line tool

  • dcfldd - a forensic fork of dd that adds on-the-fly hashing and progress output

Process for Creating Disk Image on Linux

  1. Identify the evidence partition: fdisk -l

  2. Check the file system type and size: parted -l

  3. Create a mount point on the Linux file system: sudo mkdir /mnt/example

  4. Mount the drive on the created folder, read-only so the evidence is never written to (a hardware write blocker is better still): sudo mount -o ro /dev/sdb /mnt/example

  5. Create a folder for the case analysis on the analyst's own storage, not on the evidence drive: mkdir /root/case

  6. Save the fdisk output to the case folder: fdisk -l > /root/case/fdisk.txt

  7. Create the image, logging MD5 and SHA-256 hashes to the chosen folder (hashconv=after hashes the data as written, and conv=noerror,sync keeps going past unreadable sectors and zero-fills them): dcfldd if=/dev/sdb hash=md5,sha256 hashwindow=1G md5log=/root/md5.txt sha256log=/root/sha256.txt hashconv=after conv=noerror,sync of=/root/diskimage.dd
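The hashing bullets above and the imaging procedure, as an added example that is not part of the course notes: it acquires an image with plain dd and then proves integrity by hashing the source before and after the copy and the image itself, so it runs on any Linux box with GNU coreutils (dd, md5sum, sha256sum) even without dcfldd. The function names (hash_both, acquire, verify_image, demo), the paths and the 1 MiB sample "device" are assumptions for the demo; in a real acquisition the source would be a block device such as /dev/sdb behind a write blocker.

```shell
#!/bin/sh
# Added example, not from the course: dd acquisition plus independent hash
# verification of source and image. Assumes GNU coreutils on Linux.
# In a real acquisition SRC is a block device (e.g. /dev/sdb) behind a
# write blocker; demo() uses a constructed file instead.

# hash_both FILE: print "<md5> <sha256>" for a file or block device.
hash_both() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" \
                     "$(sha256sum "$1" | cut -d' ' -f1)"
}

# acquire SRC DEST LOG: copy SRC to DEST, write a hash log, and return 0
# only if source-before, source-after and image hashes all agree.
acquire() {
    src=$1; dest=$2; log=$3
    before=$(hash_both "$src")
    # conv=noerror,sync keeps reading past unreadable sectors and zero-fills
    # them, so the image keeps the same size and sector offsets as the source.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    after=$(hash_both "$src")
    image=$(hash_both "$dest")
    {
        echo "source:             $src"
        echo "image:              $dest"
        echo "source before copy: $before"
        echo "source after copy:  $after"
        echo "image:              $image"
    } >"$log"
    [ "$before" = "$after" ] && [ "$before" = "$image" ]
}

# verify_image SRC DEST: re-check an existing image against its source,
# e.g. before starting analysis or when handing the image to someone else.
verify_image() {
    [ "$(hash_both "$1")" = "$(hash_both "$2")" ]
}

# demo: image a constructed 1 MiB "device" (a multiple of 512 bytes, so
# conv=sync adds no padding), then show that a tampered image is rejected.
demo() {
    d=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$d/evidence.bin" bs=512 count=2048 2>/dev/null
    acquire "$d/evidence.bin" "$d/evidence.dd" "$d/hashes.txt" || { rm -rf "$d"; return 1; }
    cat "$d/hashes.txt"
    printf 'x' >>"$d/evidence.dd"           # simulate tampering of the image
    if verify_image "$d/evidence.bin" "$d/evidence.dd"; then
        rm -rf "$d"; return 1               # must not verify after tampering
    fi
    echo "tampered image correctly rejected"
    rm -rf "$d"
}

demo
```

Run it as a plain sh script; it prints the hash log for the sample acquisition and then reports that the deliberately modified image no longer matches. The point of hashing the source twice is to show the medium was not changed during acquisition, which a single hash of the image cannot prove.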

Analyse disk image on Linux:

Autopsy (a graphical front end to The Sleuth Kit) analyses the disk image, showing system information, metadata and file information.

Examine disk image on Linux:

Digital Forensics Framework (DFF) in Linux is built on open-source technologies. It can find hidden data, recover deleted files, analyse files and examine metadata.

First up: with 1.5 hrs of learning you can't become a professional, whatever the title says. The content is an overview of the forensic process and an introduction to some commonly used tools. A good stepping stone for exploring forensics in depth!
