Forensics

Tutorial Overview.  The objective of this tutorial is twofold.  The first is to introduce you to some of the tools and techniques used for forensic analysis.  The second is to demonstrate some of the mechanisms used by malicious attackers as well as forensic experts to disrupt computer networks and manipulate information access.

This tutorial session will cover data storage and access, bypassing filtered [blocked] ports, reviewing Internet activity, and the use of steganography. Open-source forensic tools will be introduced and demonstrated for each exercise.  The tutorial has been setup for all of the exercises and the required executables are accessible through linked short-cuts on the desktop of the administrator (no password needed to logon). The desktop is shown below:

If you would like to do the exercise in your own computer the installation instructions are given in the Appendix. If you need further assistance, contact the GSA.

Equipment/Software.  Most of the tools used for this lab exercise is freely available for non-commercial testing purposes and opensource software, either freeware or shareware.

Hidden Files

• Hex Workshop v4.23 hex editor (Shareware download from www.hexworkshop.com)
• MD5Hash (Freeware download from www.digital-detective.co.uk/freetools/md5.asp)
• Text Editor

Port Redirection

• Quick 'n Easy FTP Server (Freeware download from http://www.pablosoftwaresolutions.com)
• FPIPE (Freeware download from http://www.foundstone.com)
• FPORT (Freeware download from http://www.foundstone.com)

IE Activity analysis

• Pasco (Freeware download from http://www.foundstone.com)
• Galleta (Freeware download from http://www.foundstone.com)
• Internet Explorer cache file (index.dat)
• Internet Explorer cookie files

Steganography

• JPHS (Jpeg Hide and Seek) v0.5 (Freeware download from www.stegoarchive.com)
• Text editor
• Image file in jpeg format

Browse Pages << | < | 1 2 3 4 5 6 | > | >>