Report on forensics tools


Posts and Telecommunications Institute of Technology, TPHCM, 10-2017
NGUYEN HOAN NAM DUONG – N14DCAT032

TABLE OF CONTENTS

OSFORENSICS FEATURES ......................... 1
ACCESS DATA FTK FEATURES ..................... 9
PRODISCOVER BASIC FEATURES ................... 13
GUIDANCE SOFTWARE ENCASE FORENSIC FEATURES ... 17

OSFORENSICS

OSForensics is a new digital investigation tool which lets you extract forensic data or uncover hidden information from computers. OSForensics has a number of unique features which make the discovery of relevant forensic data even faster, such as high-performance deep file searching and indexing, e-mail and e-mail archive searching, and the ability to analyze recent system activity and active memory.

OSFORENSICS FEATURES:

- Case Management: The case management window can be used to create and manage cases. Cases are used to group together findings (files, notes, evidence photos, devices) from other functions into a single location that can be exported or saved for later analysis.

- Generate Report: OSForensics generates reports as HTML web pages, which allows the style, layout and appearance to be modified with any web authoring application of your choice (or you can directly edit the HTML and CSS). Customizable elements include fonts, colors, and page layout.

- File Name Search: OSForensics provides one of the fastest and most powerful ways to locate files on a Windows computer. You can search by filename, size, creation and modified dates, and other criteria. Results are returned and made available in several different useful views. This includes the Timeline View, which allows you to sift through the matches on a timeline, making evident the pattern of user activity on the machine. The File Name Search Configuration Window allows for setting advanced options for the File Name Search (Search for Folder Names, Search in Sub Folders, File Size Limits).

- Recent Activity: The Recent Activity module scans the system for evidence of recent activity, such as accessed websites, installed programs, USB drives, wireless networks, and recent downloads. This is especially useful for identifying trends and patterns of the user, and any material that had been accessed recently.

- Recover Deleted Files: OSForensics allows you to recover and search deleted files, even after they have been removed from the Recycle Bin. This allows you to review the files that the user may have attempted to destroy.

- Memory Viewer: The Memory Viewer module allows the user to perform memory forensics analysis on a live system or a static memory dump. Two types of memory analysis can be performed:
  • Live Analysis
  • Static Analysis

- Web Browser: The Web Browser module provides a basic web viewer from within OSForensics. This module adds the ability to load web pages from the web and save screen captures of web pages to the currently opened case.

- Password Recovery & Decryption: With OSForensics you can recover browser passwords from Chrome, Edge, IE, Firefox, and Opera. This can be done on the live machine or from an image of a hard drive. Data recovered includes the URL of the website (usually HTTPS), the login username, the site's password, the browser used to access the site and the Windows user name. Blacklisted URLs are also reported, showing the user has visited the site but elected not to store a password in the browser.
  OSForensics also recovers the following:
  • Outlook and Windows Live Mail passwords
  • Saved WiFi passwords
  • Windows autologon password
  • Windows 7, 8, and 10 product keys
  • Microsoft Office & Visual Studio product keys
  Decryption & password recovery of Office documents: the method is for older documents that use 40-bit encryption (old XLS, DOC & PDF files). For these documents it is possible to try all possible keys to decrypt the document, with the output being an unencrypted file.

- Signatures: Signatures allow users to identify changes in a directory structure between two points in time. Generating a signature creates a snapshot of the directory structure, which includes information about the contained files' path, size and attributes. Changes to a directory structure such as files that were created, modified and deleted can be identified by comparing two signatures. These differences can quickly identify potential files of interest on a suspected machine, such as newly installed software or deleted evidence files. Signatures differ from Hash Sets in the following ways:
  OSForensics provides the following File Signature Analysis functionality:
  • Create Signature: Module that handles all aspects of generating a signature.
  • Compare Signature: Module that allows the user to compare previously generated signatures. A summary of any changes between the signatures is displayed to the user.

- Forensic Imaging: The disk imaging functionality allows the investigator to create and restore disk image files, which are bit-by-bit copies of a partition, physical disk or volume. Disk imaging is essential in securing an exact copy of a storage device, so it can be used for forensic analysis without risking the integrity of the original data. Conversely, an image file can be restored back to a disk on the system.

- System Information: The System Information module displays detailed information about the core components of the system, including but not limited to:
  • CPU, Motherboard and Memory
  • BIOS
  • Video card/Display devices
  • USB controllers and devices
  • Ports (Serial/Parallel)
  • Network adapters
  • Physical and Optical Drives
  • Bitlocker detection

- Registry Activity:
  • Most Recently Used (MRU) Lists: OSForensics can retrieve data about recently accessed applications, documents, media and network shares by scanning locations in the registry which store a user's Most Recently Used (MRU) lists. The data which can be tracked by OSForensics includes (but isn't limited to) files accessed in Microsoft Office applications, Microsoft Wordpad, Microsoft Paint, Microsoft Media Player, Windows Search, Connected Network Drives and the Windows Run command.
  • Connected USB Devices: OSForensics can display the details of USB devices which have been recently connected to the computer, providing information about the last connection date and device information such as Manufacturer Name, Product ID and Serial Number. The types of devices which can be detected include USB Flash Drives (UFDs), Portable Hard Disk Drives and external USB-connected devices such as DVD-ROM drives.
  • Wireless Network Connections: OSForensics can list the MAC address of wireless networks connected using the Windows Zero Config Service. This feature is available on machines running Windows XP only.

- Event Log: OSForensics will scan the Windows logs for system activity such as the following events:
  • Security Log events such as account login attempts, logouts and password changes
  • System Log events such as Windows update attempts, system boot/shutdown, and driver installations
  • Application Log events such as application installation attempts
  • Microsoft Office user interaction events (OAlerts)

- OS X Artifacts: OSForensics uncovers the following OS X artefacts on Mac drives:
  • Safari history, bookmarks, downloads, and cookies
  • Most Recently Used (MRU) items, network locations, documents, multimedia
  • Installed Programs
  • USB connected iOS devices
  • Mounted Volumes
  • WiFi
  • Mobile backups for iOS devices

- Hidden Disk Areas - HPA/DCO: OSForensics can discover and expose the HPA and DCO hidden areas of a hard disk, which can be used for malicious intent including hiding illegal data. The Host Protected Area (HPA) and Device Configuration Overlay (DCO) are features for hiding sectors of a hard disk from being accessible to the end user.
  • Detecting: OSForensics will first attempt to detect and display the size of the HPA/DCO hidden areas. If successfully found, they can be removed or imaged, exposing the hidden data.
  • Removing: Once the HPA and/or DCO hidden areas have been successfully detected, they can be removed so that the data hidden in those sectors can be accessed and analyzed by Raw Disk Viewer and other OSForensics modules.
  • Imaging: Alternatively, the HPA/DCO hidden areas can be preserved by creating an image of the hidden sectors and saving it into a file. This file can then be analyzed by other OSForensics modules such as the built-in file viewer.

- Verify and Match Files: OSForensics makes use of a number of advanced hashing algorithms to create a unique digital fingerprint that can be used to identify a file.
  • Hash Set Lookup: OSForensics makes use of hash sets to quickly identify known safe or known suspected files, to reduce the need for further time-consuming analysis. A hash set consists of a collection of hash values of these files, used to search a storage medium for particular files of interest. In particular, files that are known to be safe or trusted can be eliminated from file searches. Hash sets can also be used to identify the presence of malicious, contraband, or incriminating files such as bootleg software, pornography, viruses and evidence files.
  • Create and Verify Hash Values: Create a unique digital identifier for a file or disk volume by calculating its hash value using the Verify/Create Hash module in OSForensics. Choose from a number of cryptographic algorithms to create a hash, such as SHA-1, MD5 and SHA-256. Hash values uniquely identify the contents of a file and can be used to discover other files with the same content, regardless of differing file name or file extension.

- Find Misnamed Files: OSForensics can identify files whose contents do not match their file extension. Uncover a user's attempt at concealing photos, documents or other evidence (also known as "dark data") by using the Mismatch File Search. The Mismatch File Search module analyzes the content of files and identifies any files whose raw bytes are not consistent with their file extension. Configure the file search to include inaccessible files, or use your own customized file filter.

- Search Emails: OSForensics allows you to perform full-text searches within email archives used by many popular e-mail programs such as Microsoft Outlook, Mozilla Thunderbird, Outlook Express and more. Supported email file types: .pst, .ost (Outlook); .mbox, .mbx, .eml, .msf (Mozilla, Thunderbird, Eudora, Unix mail, and more); .msg (Outlook); .eml (Outlook Express); .dbx (Outlook Express). Note that OSForensics can index these formats without needing the corresponding e-mail client to be installed. Additionally, the indexing process is not limited to just emails, but can also index other files such as Word documents and PDFs, making their contents available for searching as well.

- ESE Database Viewer: OSForensics includes an ESE database (ESEDB) viewer for databases stored in the Extensible Storage Engine (ESE) file format, including the new Win10 database structure. The ESEDB format, in particular, is used by several Microsoft applications that store data with potential forensic value, including the following:
  • Windows (Desktop) Search
  • Windows Live Mail
  • Microsoft Exchange Server
  • Internet Explorer
  The ESE database viewer allows the user to search for database records that match specified criteria, including text phrases, date ranges and numerical values.

- SQLite Database Browser: OSForensics includes an SQLite database viewer for databases stored in the SQLite file format. The SQLite database format is used by several platforms, such as the iPhone, Firefox and Chrome.

- Prefetch Viewer: OSForensics includes a Prefetch viewer for viewing application execution metrics stored by the operating system's Prefetcher. The Prefetcher is a component that improves the performance of the system by pre-caching applications and their associated files into RAM, reducing disk access. To facilitate this, the Prefetcher collects application usage details such as:
  • Application run count
  • Last run time
  • Files/disks that the application uses while executing
  Using this information, forensic investigators can determine a suspect's application usage patterns (e.g. "Cleaner" software used recently) and files that have been opened (e.g. documents).

- Thumbnail Cache Viewer: OSForensics provides a viewer capable of displaying image thumbnails stored in the Windows thumbnail cache database. When a user opens Windows Explorer to browse the contents of folders, Windows automatically saves a thumbnail of the files in the thumbnail cache database for quick viewing at a later time. This can be useful for forensic purposes, especially in cases where, even though the user has deleted the original image file, the thumbnail of the image still remains in the thumbnail cache. The Thumbnail Cache Viewer is capable of displaying thumbnails stored in the following files: thumbcache_idx.db, thumbcache_16.db, thumbcache_32.db, thumbcache_48.db, thumbcache_96.db, thumbcache_256.db, thumbcache_1024.db, thumbcache_1600.db, iconcache_idx.db, iconcache_16.db.

- Rebuild RAID: OSForensics can rebuild a single RAID image from a set of physical disk images belonging to a RAID array. Being able to properly image systems with RAID configurations for forensic analysis is sometimes challenging, because access to the RAID parameters that were used (such as the RAID level and stripe size) may not be possible. The following RAID levels are supported: RAID 0, RAID 1, RAID 3, RAID 4, RAID 5, RAID 0+1, RAID 1+0.
  • Detect RAID parameters: When the member disk images are added, OSForensics will try to automatically configure the RAID parameters. These RAID parameters are obtained from the metadata that is stored in the disk image, which can also be viewed in OSForensics. The following RAID metadata formats may be detectable by OSForensics: Intel Matrix RAID, Linux mdadm RAID, SNIA DDFv1, Highpoint v2 RocketRAID, Highpoint v3 RocketRAID, Adaptec HostRAID, Integrated Technology Express RAID, JMicron RAID.

- Plist Viewer: OSForensics includes a Plist viewer to view the contents of Plist (property list) files, which are commonly used by MacOS, OSX and iOS to store settings and properties. Plist files typically have the extension ".plist". The Plist Viewer within OSForensics is able to display both binary and XML formatted plist files. The Plist viewer allows the user to search within keys and values that match a specified text phrase.

ACCESS DATA FTK

FTK quickly locates evidence and forensically collects and analyzes any digital device or system producing, transmitting or storing data, by using a single application from multiple devices. Known for its intuitive interface, email analysis, customizable data views, processing speeds and stability, FTK also lays the framework so your solution can grow with your organization's needs for a smooth expansion.

FTK supports the following filesystems: DVD (UDF), CD (ISO, Joliet, and CDFS), FAT (12, 16, and 32), exFAT, VXFS, EXT (2, 3, and 4), NTFS (and NTFS compressed), HFS, HFS+, and HFSX.

ACCESS DATA FTK FEATURES:

- Remote Machine Analysis: With the single-node enterprise, users can preview, acquire and analyze evidence remotely from computers on your network.

- Capturing an Image: FTK Imager is designed for viewing evidence disks and disk-to-image files created from other proprietary formats. FTK Imager can read AccessData ad1, Expert Witness (EnCase) e01, SafeBack (up to version 2.0), SMART s01, and raw format files. In addition to disk media, FTK Imager can read CD and DVD file systems.

- Reading files in text mode, hex mode or automatic mode: Text mode allows you to preview a file's contents as ASCII or Unicode characters, even if the file is not a text file. This mode can be useful for viewing text and binary data that is not visible when a file is viewed in its native application. Hex mode allows you to view every byte of data in a file as hexadecimal code. You can use the Hex Value Interpreter to interpret hexadecimal values as decimal integers and possible time and date values. Automatic mode automatically chooses the best method for previewing a file's contents, according to the file type.

- Image Mounting/Unmounting: Image Mounting allows forensic images to be mounted as a drive or physical device, for read-only viewing. This action opens the image as a drive and allows you to browse the content in Windows and other applications. Supported types are RAW/dd images, E01, S01, AFF, AD1, and L01. Full disk images (RAW/dd, E01, and S01) can be mounted physically.

- View and recover a deleted file: Exporting or copying files from an evidence item allows you to print, e-mail, salvage files, or organize files as needed, without altering the original evidence.

- AD (AccessData) Encryption and EFS Encryption: AD Encryption is enabled for E01, S01, and raw/dd disk images, and for AD1 images. The user interface in FTK and Imager currently does not allow the user to specify the key and hash algorithms, so the defaults of AES256 and SHA-512 are always used. AD encryption supports either a password or a certificate (*.p12, *.pfx, *.pem). EFS Encryption: you can check for encrypted data on a physical drive or an image with FTK Imager.

- Exporting File Hash Lists: Hashing is the process of generating a unique value based on a file's contents. This value can then be used to prove that a copy of a file has not been altered in any way from the original file. It is computationally infeasible for an altered file to generate the same hash number as the original version of that file. The Export File Hash List feature in FTK Imager uses the MD5 and SHA1 hash algorithms to generate hash numbers for files.

- Verifying Drives and Images: FTK Imager allows you to calculate MD5 and SHA1 hash values for entire drives and images to verify that copies of evidence items have not been altered in any way from the originals.

- Obtaining Protected Registry Files: The Windows operating system does not allow you to copy or save live Registry files. Without FTK Imager, users have had to image their hard drive and then extract the Registry files, or boot their computer from a boot disk and copy the Registry files from the inactive operating system on the drive. FTK Imager provides a much easier solution: it circumvents the Windows operating system and its file locks, thus allowing you to copy the live Registry files. Password recovery and all Registry files: retrieves the Users, System, SAM, NTUSER.DAT, Default, Security, Software, and Userdiff files, from which you can recover account information and possible passwords to other files. This list can also be imported into the AccessData password recovery tools, such as PRTK and DNA.

- Evidence Item Information: When creating or exporting a forensic image, you can enter information and notes about the evidence contained in the image you are creating. This information is saved to the same location as the image file, with the same name but with a TXT extension.

- Malware Triage & Analysis: Available as an option to FTK, Cerberus is an automated malware triage platform designed to integrate with FTK. It is a first layer of defense against the risk of imaging unknown devices and allows you to identify risky files after processing your data in FTK. Then you can see which files are potentially infected and can avoid exporting them. Cerberus is one tool in your malware arsenal and helps you identify potentially malicious files. It can:
  • Determine both the behavior and intent of security breaches sooner by providing complex analysis prior to a full-blown malware attack
  • Strengthen security defenses and prevent malicious software from running with state-of-the-art technology called whitelisting
  • Take action sooner when security breaches occur; unlike other competitors, Cerberus doesn't rely on a sandbox or signature-based solutions

- Password Cracking and Recovery: Unlock files when you don't know the password with market-leading decryption, password cracking and recovery.

- Visualization: Automatically construct timelines and graphically illustrate relationships among parties of interest in a case. With Email, Social and File Visualization you can view data in multiple display formats, including timelines, cluster graphs, pie charts, geolocations and more, to help you determine relationships and find key pieces of information. Then generate reports that are easily consumed by attorneys, CIOs or other investigators.

- Advanced volatile and memory analysis: Volatile data is information that changes frequently and is often lost upon powering down the computer. The acquisition of this type of information should be made with the equipment powered on, which is known as live acquisition. Volatile data includes information about the running processes, network connections, clipboard contents, and data in memory. This information may be critical to the discovery of the cause of an incident or to understanding a specific behavior. FTK Imager can help in the collection of this data, specifically memory acquisition. Once collected, you can do a deeper analysis using the FTK platform.

PRODISCOVER BASIC

You can use it to acquire and analyze data from several different file systems, such as Microsoft FAT and NTFS, Linux Ext2 and Ext3, and other UNIX file systems.

PRODISCOVER BASIC FEATURES:

- Capture an image: Disk imaging is essential in securing an exact copy of a storage device, so it can be used for forensic analysis without risking the integrity of the original data.

- View and recover a deleted file.

- Analysis of "dd" images on supported file systems: To create physical or logical images, UNIX-style "dd" images can be added to projects. If the "dd" image is split into several images, they should be numbered sequentially and all contain a 000, 001 sequence or any other desired file extension if the user intends to use a split configuration control file (.pds).

- Convert image file: The tool has the ability to convert an image from either the native ProDiscover format or the dd format to an ISO format. ProDiscover also has the ability to create the files needed to boot the image in VMware.
  • Convert ProDiscover Image to "DD"
  • Convert ProDiscover Image to "ISO"
  • Convert "DD" Image to "ISO"
  • VMware Support for "DD" Images
  • Convert Expert Witness Image (E01) to DD

- Search for keywords in an image file or disk (RAW Mode).

- Detecting file systems within the HPA (Hardware Protected Area).

- ProDiscover creates cryptographic checksums of "interesting files" using the popular SHA1 and MD5 algorithms. These checksums can then be compared to known file checksums maintained in the National Drug Intelligence Center (NDIC) Hashkeeper database.

- Recover a group of clusters: On many occasions an examiner will want to recover unallocated clusters or disk slack from the evidence disk to a specified location. Recovering a cluster or group of clusters from Cluster

- Detecting Disk or Image Installed OS: Information about the installed operating system of an evidence disk or image is sometimes critical to an investigation. To search an evidence disk or image for this information and add the data to a project's report

- View Image EXIF Meta Data: The Tag tables in EXIF metadata provide a tremendous amount of potentially useful information if contained in the EXIF section of a JPEG file.

- View Windows Registry: The registry viewer allows investigators to browse the registry of a Windows system and select individual registry keys as evidence of interest. To process the Windows registry, ProDiscover needs to read several files on the disk in addition to the individual registry files themselves.

- Match File Signatures and File Extensions: On Windows systems a file signature identifying the type of file is normally contained in the first 20 bytes of the file.

- Search the Windows Registry.

- Creating Hash Database Files: ProDiscover allows users to export file names and hash values of items selected as evidence of interest in the Hashkeeper *.HSH format for later use in hash comparison, filtering and the "Find Suspect Files" function found in ProDiscover Incident Response.

- Viewing the Windows Event Logs: ProDiscover allows users to add the Windows Event Logs to a project from images or directly connected disks. Once the event logs are added to a current project, users can review individual log entries and select them as evidence of interest if needed.

- Capturing Physical Memory: When connecting to remote systems using ProDiscover Incident Response or Investigator, users may find it useful to capture the live volatile physical memory of the suspect system. Collection of physical memory images allows the investigator to conduct searches of the physical memory image to find indications of compromise or passwords cached in memory. Passwords cached in memory may be useful to investigators later in the analysis of encrypted documents.

- Extracting Internet History: Information about a user's Internet web surfing habits is often crucial to investigations. ProDiscover allows investigators to quickly search for, and extract information from, Internet history files (IE, Chrome, and Firefox). Once the information is extracted it is automatically added to the project report.

- View Email Items: ProDiscover allows users to add the Windows email client databases to a project from images or directly connected disks. Supported formats include all current versions of Microsoft Outlook PST and OST databases as well as the Outlook Express DBX format. Once the email databases are added to a current project, users can review individual email items including calendar, notes, tasks, and contacts, then select them as evidence of interest if needed.

- Create MD5 or SHA1 hash of images and files: ProDiscover allows you to create and calculate MD5 and SHA1 hash values for entire drives and images to verify that copies of evidence items have not been altered in any way from the originals.

- Detect operating system installed.

- Project file is XML formatted.

- Analyze file header signatures against file extensions and detect mismatches.

- Bates number and batch transfer evidence of interest. Bates numbering places identifying numbers and/or date/time marks on images and documents as they are scanned or processed; this provides identification, protection and automatic consecutive numbering of the images.

- I/O error reporting.

- Extensive search capability: ProDiscover can search any type of files, data, information about the data, ...

- Recover deleted files contained in slack space.
  • Each Windows disk contains a hidden folder named Recycled (FAT/FAT32) or Recycler (NTFS). This folder is where Windows 9x and Windows NT/2000 keep deleted files.
  • Slack space is not normally seen; it refers to the storage area of a hard drive from the end of a stored file to the end of that file's cluster on the hard drive.

- Secure Wipe Disk: Secure Wipe Disk allows the user to image to a target drive that is "Forensically Clean", giving you confidence that your case work will not be jeopardized.

GUIDANCE SOFTWARE ENCASE FORENSIC

EnCase Forensic provides investigators with a single tool capable of conducting large-scale and complex investigations from beginning to end. It features an intuitive GUI, superior analytics, enhanced email/Internet support and a powerful scripting engine.

GUIDANCE SOFTWARE ENCASE FORENSIC FEATURES:

- Acquiring: You can add EnCase evidence files and raw evidence files to the case. You can reacquire raw evidence files, so that they are translated into EnCase evidence files complete with metadata and hash values. You can add EnCase evidence files originating in other cases as well. Many source types can be acquired, including local drives (using a write blocker), Palm Pilot, network crossover (using LinEn) and local devices (LinEn disk-to-disk).
  • LinEn runs from the LinEn CD using the Linux OS and enables the following functions: performing drive-to-drive acquisitions, and performing crossover acquisitions.

- Delayed loading of Internet artifacts: EnCase analyzes Internet artifacts and related data as a separate thread after the case loads. These artifacts and data include: Internet artifact records, Selected and In Report settings, bookmarked Internet artifact records, and search hits for the Internet artifact records.

- Hashing: You can perform hashing before or after an acquisition, so an investigator can determine if the device should be acquired, or if the contents have changed.
  • Using an MD5 algorithm to create a hash set for files and folders
  • Searching for files with a particular hash value on the target machine by using "Hash Finder"
  • When files in a case are hashed, they are compared to the library, then the hash set and hash category columns populate

- Recovering Folders: The following types of folders can be recovered:
  • Folders on FAT volumes
  • NTFS folders
  • UFS and EXT2/3 partitions

- Recovering Partitions: Occasionally a device is formatted or even FDISKed in an attempt to destroy evidence. Formatting and FDISKing a hard drive does not actually delete data:
  • Formatting deletes the structure indicating where the folders and files are on the disk
  • FDISK deletes a drive's partition information
  EnCase can rebuild both partition information and directory and folder structure.

- Restoring Evidence: EnCase allows an investigator to restore evidence files to prepared media. Restoring evidence files to media theoretically permits the investigator to boot the restored media and view the subject's computing environment without altering the original evidence. Restoring media, however, can be challenging.

- Snapshot to DB Module Set: This script takes snapshots of nodes across a network and stores the snapshots in a SQL database. It also reads from the database to create reports on the snapshots taken.

- Keyword Finder: The Keyword Finder processing option in the File Processor module lets you create a list of keywords for searching documents on a target machine.

- Hash Finder: The Hash Finder processing option in the File Processor module lets you search for files with a particular hash value on the target machine. Hash values are stored in hash sets that can be identified by a name and category.

- Reports: Source Processor stores the most recent analysis in memory in a report, so you can view it multiple times without running the analysis again. These results only stay active during the current session of Source Processor.

- EnCase Decryption Suite (EDS): Enables decryption of encrypted files and folders by domain users and local users, including:
  • Disk and volume encryption: Microsoft BitLocker, GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption, Utimaco SafeGuard Easy, McAfee SafeBoot, WinMagic SecureDoc Full Disk Encryption, PGP Whole Disk Encryption
  • File-based encryption: Microsoft Encrypting File System (EFS), CREDANT Mobile Guardian
  • Mounted files: PST (Microsoft Outlook), S/MIME encrypted email in PST files, NSF (Lotus Notes), Protected Storage (ntuser.dat), Security hive, Active Directory 2003 (ntds.dit)

- LinEn: The LinEn utility runs on the LinEn CD using the Linux operating system and enables the following functions:
  • Performing drive-to-drive acquisitions
  • Performing crossover acquisitions
  LinEn runs independently of the Linux operating system, thus improving acquisition speeds, and runs in 32-bit mode (rather than 16-bit mode). Because Linux provides greater device support, LinEn can acquire data from a larger set of devices. As with other operating systems, to prevent inadvertent disk writes, modifications to the operating system need to be made. Linux typically has a feature called autofs installed by default. This feature automatically mounts, and thus writes to, any medium attached to the computer.

- Physical Disk Emulator: The EnCase Physical Disk Emulator (PDE) module allows investigators to mount computer evidence as a local drive for examination through Windows Explorer.
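
The OSForensics Signatures feature described above (snapshot a directory tree, then compare two snapshots to list created, deleted and modified files) as an added Python example; this is not OSForensics code. The recorded attributes (size, mode bits, mtime) and the temporary sample tree built in demo() are assumptions of the example.

```python
"""Directory signatures: snapshot a tree, then diff two snapshots.

Added illustration of the OSForensics "Signatures" idea (Create Signature,
Compare Signature); not OSForensics code. Assumed design: a signature maps
each relative file path to its (size, mode bits, mtime_ns), and comparing
two signatures yields the created, deleted and modified paths.
"""
import os
import stat
import tempfile
from pathlib import Path


def create_signature(root):
    """Walk `root` and record (size, mode, mtime_ns) for every regular file.

    Paths are stored relative to `root` so signatures of the same tree
    taken from different mount points still compare cleanly.
    """
    root = Path(root)
    signature = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            st = full.lstat()  # lstat: do not follow symlinks into other trees
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = full.relative_to(root).as_posix()
            signature[rel] = (st.st_size, stat.S_IMODE(st.st_mode), st.st_mtime_ns)
    return signature


def compare_signatures(old, new):
    """Return the paths created, deleted and modified between two snapshots.

    A path counts as modified when any recorded attribute differs, so a
    file that grew but kept its mtime (timestamp manipulation) is still caught.
    """
    old_paths, new_paths = set(old), set(new)
    created = sorted(new_paths - old_paths)
    deleted = sorted(old_paths - new_paths)
    modified = sorted(p for p in old_paths & new_paths if old[p] != new[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo():
    """Constructed sample: a small tree changed between two snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_bytes(b"draft v1\n")
        (root / "notes.txt").write_bytes(b"keep\n")
        before = create_signature(root)

        # Simulated activity: one file grows, one is deleted, one appears.
        (root / "docs" / "report.txt").write_bytes(b"draft v2, much longer\n")
        (root / "notes.txt").unlink()
        (root / "installer.exe").write_bytes(b"MZ" + b"\x00" * 30)
        after = create_signature(root)

        return compare_signatures(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```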
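
The content-versus-extension check behind the OSForensics Mismatch File Search and ProDiscover's Match File Signatures and File Extensions feature (a file's type is identified by its first 20 bytes), as an added Python example rather than code from either product. The magic-number table, the extension map and the sample files are constructed for this illustration.

```python
"""Mismatched-file detection: compare a file's leading bytes to its extension.

Added illustration of the OSForensics Mismatch File Search / ProDiscover
file-signature check; not code from either product. Assumption: the small
magic-number table below stands in for a vendor signature database, and
only the first 20 bytes of each file are examined.
"""

# (signature bytes, offset, container type). Constructed table.
MAGIC = [
    (b"\xFF\xD8\xFF", 0, "jpeg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),                          # also docx/xlsx/pptx
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, "ole"),    # legacy doc/xls/ppt
    (b"SQLite format 3\x00", 0, "sqlite"),
    (b"MZ", 0, "pe"),                                   # short; text can collide
]

# Container types that are legitimate for an extension. An empty set means
# "plain text expected": any recognised binary signature is a mismatch.
EXT_TO_TYPES = {
    "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "png": {"png"}, "gif": {"gif"},
    "pdf": {"pdf"}, "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"},
    "doc": {"ole"}, "xls": {"ole"}, "db": {"sqlite"}, "sqlite": {"sqlite"},
    "exe": {"pe"}, "dll": {"pe"}, "txt": set(), "csv": set(), "log": set(),
}

HEADER_LEN = 20  # ProDiscover: the signature sits in the first 20 bytes


def detect_type(header):
    """Return the container type whose signature matches the header, or None."""
    for sig, offset, kind in MAGIC:
        if header[offset:offset + len(sig)] == sig:
            return kind
    return None


def check_file(name, data):
    """Classify one file as 'match', 'mismatch' or 'unknown'.

    'unknown' covers extensions the table does not know, and binary
    extensions whose content has no recognised signature (encrypted blobs,
    truncated files). An examiner triages those separately; they are not
    silently treated as clean.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = detect_type(data[:HEADER_LEN])
    expected = EXT_TO_TYPES.get(ext)
    if expected is None:
        verdict = "unknown"
    elif detected is None:
        verdict = "match" if not expected else "unknown"
    elif detected in expected:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"name": name, "extension": ext, "detected": detected, "verdict": verdict}


def find_mismatches(files):
    """Run the check over {name: bytes} and return the mismatched names, sorted."""
    return sorted(n for n, d in files.items() if check_file(n, d)["verdict"] == "mismatch")


# Constructed sample set: realistic headers, zero-padded to >= 20 bytes.
SAMPLE_FILES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,      # genuine JPEG
    "budget.xlsx": b"PK\x03\x04" + b"\x00" * 16,            # OOXML is a zip
    "readme.txt": b"just some text here.",                   # plain text
    "vacation.txt": b"\xFF\xD8\xFF\xE1" + b"\x00" * 16,     # JPEG hidden as .txt
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 16,            # executable named .pdf
    "notes.docx": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 12,  # OLE, not zip
    "cache.dat": b"SQLite format 3\x00" + b"\x00" * 4,      # .dat not in table
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(check_file(name, data))
    print("mismatched:", find_mismatches(SAMPLE_FILES))
```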

Posted: 01/11/2017, 23:16
