Computer Forensics Case Study - Coggle Diagram
Memory Forensics
Memory forensics is a way to find and extract valuable information from memory (RAM).
Tools
Volatility: an open source tool that uses plugins to process memory images (run as python2 vol.py)
imageinfo: Volatility plugin used to identify the operating system, service pack, and hardware architecture of a memory image.
Leafpad: a Linux-based open source text editor.
HKEY_CLASSES_ROOT: a registry key that presents a merged view combining the class registration data from two sources, HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes.
Shellbags: registry keys that are used to enhance the user experience and recall the user's preferences when necessary.
Illegal Possession images
rm: clear the browser cache
curl: sends data to or from a network server using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT)
Tools
Wireshark
wget: download the file at the given link
Rhino hunting
mkdir: make a directory
unzip: unzip the hashes
md5: verify the hashes
fdisk: command that can view, create, delete, change, resize, copy and move partitions on a hard drive
mmls: can show unallocated sectors, so it can be used to search for hidden data
fsstat: shows file system details and statistics including layout, sizes, and labels
Steganography
Tools
stegdetect: used to detect hidden data in photos
stegcrack: used to crack the password
jphide:
Capture Traffic
rhino.log
Time stamp: display the system time stamp
FTP: traffic log analysis
HTTP: traffic log analysis
P2P
Tools
Regripper (rip.pl): tool run from the bash command line
Wine
sqlite3
files
Sample-1.mp3.torrent
Contraband.mp3.torrent
Torrent File editor
AnalyzeMFT
Exiftool
md5deep
SHA1deep
fdisk: is one of the tools you can use to display a partition table
fsstat: will give you the file system information of a partition.
file system: a file system governs how files are named, stored and accessed in a partition
losetup: will set up the disk image as a (loop) device on the system so it can be mounted
chmod: modifies the file permissions.
fls: can be used to list the directories and/or files on a given partition.
echo: command to create the column names
cat: command to output the contents of the file directory text file
-e: allows echo to interpret backslash escape characters
tree: can also be used to generate a file directory listing
md5sum
NIST Data Leakage
Packages
npm: package manager for Node.js
pasco
update the package repositories and get the latest package information
Tools
Regripper (rip.pl)
Parsing
logfileparser: parses the NTFS LogFile, its records and transaction entries, and decodes NTFS attributes
Wine: enables Linux users to run Microsoft Windows applications on Unix-like operating systems without the performance or memory penalties of an emulator.
rcrack: password cracking tool
unparser: parses the journal's contents and offers several output formats
libraries
sqlite
sqlite3: terminal-based front end that evaluates queries interactively and displays results in multiple formats
libseed: a tool for assisting in creating seed spec compliant algorithms. To access the ESE (Extensible Storage
libpff: library to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format
icat: opens the named image(s) and copies the file with the specified inode number to standard output
fls: lists file and directory names in a disk image
mmls: displays the partition layout of a volume system
fsstat: displays the general details of the file system
istat: displays the inode information for a particular file
md5sum
Hashes
SHA256, SHA1: the SHA256 standard is used in document integrity checks; the SHA1 tool computes the SHA1 message digest of a file
hashdeep: a set of tools to compute MD5, SHA1, SHA256, Tiger and Whirlpool hashsums of an arbitrary number of files recursively.