DIY Computer Forensic Investigation
The Question
How does a Computer Forensic Investigator carry out an investigation on a password-protected PC?
Tags: DIY, Computer, Forensic, Investigation, Detective, How to, DoD, Cyber Crime Center, dc3dd, Department of Defense
How To
This How-To will guide you through essentially the same methods that a Computer Forensics Investigator would follow. Each step is performed using free and/or open source software. This is not to say that this tutorial is watered down: some of the software used was developed for the Department of Defense's Cyber Crime Center. While what you find probably would not hold up in court, it may keep you from going there; or it may just be something that interests you. The goal is to recover information about what the computer's user is doing, what programs he is using, what files he has accessed, created or deleted, some of his browsing history, email, etc. It assumes that you can have full access to the computer for a few hours.

The first and most important step is imaging the suspect's hard drive. A hard drive image is an exact, bit-for-bit copy of the drive. It duplicates not only the files on the drive but also the "free space" (unallocated space), from which deleted files can be recovered. This is the only step that involves the actual computer; once you have imaged its hard drive you will have no need to return to it. Image from a live CD rather than from the installed operating system, so that nothing is written to the suspect's drive while you copy it, and record a hash of both the drive and the image (dc3dd computes these for you) so that you can later show that the copy is faithful and has not changed.

To complete this step you will need an external hard drive that is larger than the drive you are going to image. You will also need a CAINE live CD (Computer Aided INvestigative Environment), from which you will run a program called dc3dd, which was developed for the DoD's Cyber Crime Center. Do not worry if you do not have a CAINE live CD; making one is part of this tutorial:

How to Create a Hard Drive Image for Forensic Purposes

Now that you have the image you can create a virtual computer from it. Basically, you will boot the image of the hard drive in VMware. You will be able to log on to the computer (resetting passwords is part of the tutorial) and use it as if you were sitting in front of it.
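The imaging step above, as an added example that is not part of the original page or of the CAINE or dc3dd projects: a small POSIX shell script that copies the drive and then independently verifies the copy by hash. The dc3dd invocation uses the dc3dd 7 option names (if=, hof=, hash=, log=; hof= makes dc3dd hash the written image and compare it with the input hash). When dc3dd is not installed the script falls back to plain dd so that the verification logic can be exercised on any machine. Device names and the /mnt/evidence mount point are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: image a drive (or, for testing,
# any file) and prove the copy is faithful by hashing source and image.
# Uses dc3dd when it is installed (as on the CAINE live CD), otherwise plain
# dd, so the verification logic runs anywhere. All paths are assumptions.

# image_drive SRC DEST: copy SRC to DEST. With dc3dd the input is hashed as
# it is read (hash=) and, because hof= is used, the written image is re-read,
# hashed and compared automatically; log= keeps an audit trail of the run.
image_drive() {
    src="$1"; dest="$2"
    # Never write to the evidence device: mark a real block device read-only
    # before touching it (Linux-specific; skipped when SRC is a plain file).
    if [ -b "$src" ]; then blockdev --setro "$src" || return 1; fi
    if command -v dc3dd >/dev/null 2>&1; then
        dc3dd if="$src" hof="$dest" hash=sha256 log="$dest.log"
    else
        dd if="$src" of="$dest" bs=1M 2>/dev/null
    fi
}

# verify_image SRC DEST: recompute SHA-256 of both, record the hashes next to
# the image, print VERIFIED or MISMATCH and return 0 only on a match. Rerun
# it on the master image whenever it has been out of your hands (for example
# after a virtual-machine session ran from a copy) to show it is unchanged.
verify_image() {
    src="$1"; dest="$2"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$dest" > "$dest.sha256"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "VERIFIED $img_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash" >&2
    return 1
}

# image_and_verify SRC DEST: the whole step; fails if either stage fails.
image_and_verify() {
    image_drive "$1" "$2" && verify_image "$1" "$2"
}

# Typical run from the CAINE shell, with the external evidence disk mounted
# at /mnt/evidence (assumed path):
#   image_and_verify /dev/sda /mnt/evidence/suspect-sda.dd
```

Keep the .sha256 file (and dc3dd's log) together with the image; the recorded hash of the master image is what every later check is compared against, so any accidental write to the image is caught immediately rather than discovered after hours of analysis.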
While there are more comprehensive ways to search for evidence, simply by "entering into their world" you can get a lot of information quickly and easily: What files are on the Desktop? What files have recently been opened? What programs does the user access most often (by their order in the Start menu's frequently used list)? And so on. To create a virtual computer from your image, follow this tutorial:

How to Create a Virtual Machine from a Raw Hard Drive Image
If the computer you imaged has a password-protected Windows login, follow this tutorial to see how to reset it:

How to Reset a Windows Password on a Virtual Machine (VMware)

While it may be tempting to dive straight into the virtual machine, using the computer will damage deleted files: booting and running Windows writes to the disk, and every write can land in the unallocated space where the remains of deleted files sit. So the first step in data gathering needs to be recovering deleted files, and the virtual machine should always run from a working copy of the image, never from your only copy. The deleted files will be gathered in bulk and searched in the next step. To recover deleted files from the virtual machine, follow this tutorial:

How to Recover Deleted Files from a Virtual Machine (VMware)
Now that you have recovered the deleted files it is time to do some strategic analysis.
Places to look:
Perhaps the easiest (though not the most comprehensive) way to sort through the data in your virtual machine is to install Google Desktop and run queries through it. This is especially useful for sorting through the many recovered files that came back without names, since a content index lets you search what is inside them rather than relying on file names. (Google Desktop has since been discontinued; any local full-text indexer serves the same purpose.) Follow this tutorial to complete this step:
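Sorting nameless recovered files by content, as an added example that is not part of the original page (and has nothing to do with Google Desktop's own code): a POSIX shell triage script that labels each recovered file by its leading magic bytes and counts keyword hits in the text ones, so that the files most likely to matter are read first. The file names, the keyword list and the handful of signatures in the case statement are illustrative assumptions; a real run would use a fuller signature list (or the file utility) and the analyst's own keywords.

```shell
#!/bin/sh
# Added example, not from the original page: triage a directory of carved
# (recovered, nameless) files by magic bytes and keyword hits. Paths,
# keywords and the signature list below are illustrative assumptions.

# guess_type FILE: classify a file by its first bytes using a few common
# signatures, falling back to a printable-text versus binary test.
guess_type() {
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        ffd8ff*)            echo jpeg ;;
        89504e470d0a1a0a)   echo png ;;
        25504446*)          echo pdf ;;
        504b0304*)          echo zip ;;     # also docx/xlsx/pptx containers
        d0cf11e0a1b11ae1)   echo ole2 ;;    # legacy .doc/.xls and other OLE files
        *)
            # Anything containing non-printable bytes is treated as opaque binary.
            if LC_ALL=C grep -q '[^[:print:][:space:]]' "$1" 2>/dev/null; then
                echo binary
            else
                echo text
            fi ;;
    esac
}

# keyword_hits FILE KWFILE: number of case-insensitive fixed-string matches
# of any keyword listed one per line in KWFILE (no blank lines, or grep -f
# would match everything).
keyword_hits() {
    grep -io -F -f "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# triage_recovered DIR KWFILE: one line per file, "hits<TAB>type<TAB>path",
# with the most keyword hits first so the interesting files come up top.
# Binary files get 0 hits here; they are listed so nothing is silently lost.
triage_recovered() {
    dir="$1"; kw="$2"
    find "$dir" -type f | while IFS= read -r f; do
        t=$(guess_type "$f")
        if [ "$t" = text ]; then h=$(keyword_hits "$f" "$kw"); else h=0; fi
        printf '%s\t%s\t%s\n' "$h" "$t" "$f"
    done | sort -k1,1nr
}

# Typical run over the bulk-recovered files (assumed paths):
#   triage_recovered /mnt/evidence/recovered /mnt/evidence/keywords.txt
```

Feed the "interesting" columns into whatever indexer you use afterwards; the point of the pass is to know, before opening anything, which of a few thousand unnamed files are documents and which of those mention the names, addresses or terms the investigation is about.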