Computer Forensic Chapter 9
Analysis
Chapter 9
Learning Outcome:
Conduct forensic investigation if your system is compromised.
At the end of this lesson, students are expected to:
01 Listing the electronic evidence.
02 Analyze the identification of data.
02 Identification of Data.
Is easily altered or destroyed
Requires special tools and equipment
and software registration information.
Deleted and hidden files.
Financial records
Type of Analysis
Video Analysis
Audio Analysis
Picture Analysis
Network Time Protocol (NTP)
Protocol built on top of Transmission Control Protocol/Internet Protocol (TCP/IP) that ensures accurate local timekeeping with reference to radio, atomic, or other clocks located on the Internet.
This protocol is capable of synchronizing distributed clocks within milliseconds over long periods of time.
Many authentication systems, Kerberos being the most prominent example, use dated tickets to control access to systems and resources.
NTP began as a tool that permitted researchers to synchronize workstation clocks to within milliseconds or better.
Technique Identification Of Data
Validating with Hexadecimal Editors
Data Hiding Technique
Data hiding involves changing or manipulating a file to conceal information. Data-hiding techniques include hiding entire partitions, changing file extensions, setting file attributes to hidden, bit-shifting, using encryption, and setting up password protection.
Example of Data Hiding Technique
Hiding Partitions
Bit-Shifting
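Two of the techniques listed above, changed file extensions and bit-shifting, can be screened for by comparing a file's leading bytes (what a hexadecimal editor shows) with the extension it claims. The following Python is an added example, not part of the original slides; the signature table, file names, sample headers, and the assumption that bit-shifting means rotating the bits of every byte are constructed for illustration.

```python
# Added example (not from the slides): flag files whose header bytes
# disagree with their extension, or only match a known type after the
# bits of each byte are rotated back.
SIGNATURES = {                      # leading "magic" bytes per file type
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip"}  # same container

# Constructed sample headers, standing in for bytes read from evidence.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
PDF_HEADER = b"%PDF-1.7\n"

def rotl(data, n):
    """Rotate every byte left by n bits (assumed bit-shifting scheme)."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)

def identify(header):
    """Return the type whose signature starts the header, or None."""
    for kind, magic in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None

def examine(name, header):
    """Return (verdict, detected_type, rotation_needed)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    kind = identify(header)
    if kind is not None:
        verdict = "consistent" if kind == claimed else "extension-mismatch"
        return (verdict, kind, 0)
    for n in range(1, 8):           # try undoing each possible rotation
        kind = identify(rotl(header, n))
        if kind is not None:
            return ("bit-shifted", kind, n)
    return ("unknown", None, 0)

if __name__ == "__main__":
    print(examine("holiday.jpg", JPEG_HEADER))
    print(examine("notes.txt", JPEG_HEADER))           # renamed image
    print(examine("report.pdf", rotl(PDF_HEADER, 5)))  # shifted content
```

A verdict of "unknown" only means the header matched none of the listed signatures; encrypted or unlisted formats still need manual review in a hex editor.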
Software For Digital Evidence
Data Dump
DCode
Case Studies
A CFS team (CFST) arrived at a company site to collect computer evidence from a server. The company was not the perpetrator of the investigated crime but apparently did possess important evidence that resided on a mission-critical server that could not be taken offline. What did the CFST do to collect key evidence to solve this problem?
The following is a partial solution to aid the CFS in coming up with his or her own solution to solve this case.
The CFST successfully used a computer forensics tool to preview the server and collect key evidence, without disrupting operations. Without the computer forensics tool, the CFST would have either walked away from the scene empty-handed or performed a highly invasive and incomplete investigation by making logical file copies of active data.