Mini course: Autopsy and Paladin – Examples (English)
You will receive the PDF file by e-mail as soon as payment is confirmed.
This sample is part of the forensic collection and analysis course with Paladin 7 and Autopsy 4, which covers all the technical aspects of analyzing a disk with Windows 10; more than 50 technical questions are answered in it, each with a detailed explanation. The course is delivered as a set of workbooks and is available in Portuguese.
Purchase this sample and see what you will find in the course.
FORENSICS WITH AUTOPSY AND PALADIN 7
Petter Anderson Lopes
Abstract: The purpose of this article is to provide an overview of forensic data collection and analysis with the Paladin 7 Linux distribution and the Autopsy analysis tool. As such, the presentation does not aim to exhaust the subject. It walks through an example forensic collection procedure using the Toolbox tool of the Paladin 7 distribution, after which the Autopsy tool is used to analyze a Windows 10 operating system. These procedures represent the steps the Forensic Expert follows to answer the proposed technical questions. Finally, this presentation also briefly discusses some free tools for computer forensics.
Keywords: Computer Forensics. Analysis. Forensics Examiner. Powershell.
Because of rapid technological advances, operating systems are updated constantly, so computer forensics also needs to evolve to keep pace with the objects of analysis. The research and analysis of digital evidence, whether for legal or commercial purposes, therefore requires a trained professional: the Forensic Analyst or Forensic Specialist.
To carry out a correct collection and analysis procedure, and to produce a report of high quality, a set of rigorous and well-documented steps must be followed. The purpose of this study is to explain some of the steps used to examine evidence; as you read, you will be able to critically analyze these topics.
There are many commercial tools for forensic collection and analysis on the market. However, the cost of paid tools is often very high, so the use of the tools contained in the Paladin 7 distribution proved to be more attractive, as they are completely free.
First, before you start the data transfer, you need to clean up the target media, that is, perform a deep wipe. It is very important to check the target disk for errors and correct them. Then, when making the forensic copy, you can generate a RAW-type image and save it to larger-capacity media, together with its MD5 and SHA-1 hashes. It is very important to always keep two copies of the media, so that if there is a problem with one, the expert still has the other.
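As an added example (not part of the course material or of Paladin's own tooling), the hash verification step described above in Python: MD5 and SHA-1 are computed together in one pass over the image, compared with the values recorded at acquisition time, and a one-bit difference between the two copies is shown to be caught. The sample image bytes are constructed, and `hash_image_file` is a hypothetical helper for hashing a real RAW file on disk.

```python
import hashlib
import io

# Constructed stand-in for the RAW image written during acquisition; a real
# run would open the .dd/.raw file that Paladin wrote to the target media.
SAMPLE_IMAGE = b"MSWIN4.1" + bytes(range(256)) * 64

def hash_stream(stream, chunk_size=1024 * 1024):
    """MD5 and SHA-1 of a file-like object, computed together in one pass over
    fixed-size chunks so a multi-gigabyte image is never loaded into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def hash_bytes(data, chunk_size=1024 * 1024):
    """Same as hash_stream, for data already held in memory (used by the demo)."""
    return hash_stream(io.BytesIO(data), chunk_size)

def hash_image_file(path):
    """Hypothetical helper: hash an image file on disk, e.g. the second copy."""
    with open(path, "rb") as f:
        return hash_stream(f)

def verify_image(data, acquisition_hashes):
    """Compare the hashes recorded at acquisition time with freshly computed
    ones. Returns the recomputed digests and a per-algorithm match flag, so
    the report can quote both values and state whether they agree."""
    current = hash_bytes(data)
    matches = {algo: current[algo] == recorded.strip().lower()
               for algo, recorded in acquisition_hashes.items()}
    return {"computed": current, "matches": matches,
            "verified": bool(matches) and all(matches.values())}

def corrupt_copy(data, offset):
    """Flip one bit in a copy of the image; shows that a single-bit difference
    between the two copies is caught by the verification step."""
    mutated = bytearray(data)
    mutated[offset] ^= 0x01
    return bytes(mutated)

if __name__ == "__main__":
    acquired = hash_bytes(SAMPLE_IMAGE)  # the values written in the acquisition log
    print("intact copy verified:", verify_image(SAMPLE_IMAGE, acquired)["verified"])
    damaged = corrupt_copy(SAMPLE_IMAGE, 4096)
    print("damaged copy verified:", verify_image(damaged, acquired)["verified"])
```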
2.2 Examination and Analysis, techniques and tools
Examination – At the forensic examination stage, the Expert must collect as much data as possible to compose the material for analysis. With the Autopsy software, several plugins are executed at the same time, covering a wide range of specialties, such as data carving, an important procedure for recovering data deleted from the system.
Analysis – At this stage, the Expert will review the information collected in the previous procedure. This phase can consume most of the time in the forensic cycle because all sources of information should be investigated. All the questions submitted must be answered at this stage.
The Expert should answer all questions submitted using only free tools. The collection must be done in a Hyper-V environment and must be a bit-by-bit copy of the virtual disk, whose operating system is Windows 10. The user of this virtual machine is suspected of accessing improper content, for example virus infection techniques and anti-forensic tools, which can put the company's network at risk.
The complaint was made by a colleague who claims to have seen suspicious activity on 05/30/2017. The company manager decided to hire an Expert Consultant to answer their questions.
- What are the hash values (MD5 & SHA-1) of the image? Do the acquisition and verification hash values match?
- Identify the partition of PC image.
- Explain installed OS information in detail.
- What is the timezone setting?
- What is the computer name?
- Who was the last user to logon into PC?
- When was the last recorded shutdown date/time?
- Explain the information of network interface(s) with an IP address assigned by DHCP.
- List all traces of the system being powered on/off and of user logon/logoff. (Only the time range between 00:00 and 21:00 should be considered.)
- What web browsers were used?
- What websites were the suspect accessing? (Timestamp, URL…)
- What is the IP address of the company's shared network drive?
- What anti-forensic actions were performed on the PC on the last day, '2017-05-30'?
System Development, Ethical Hacker, Computer Forensic Expert.