Location: KSU Center, 3333 Busbee Dr NW, Kennesaw, GA 30144,
located behind the Cracker Barrel at the intersection of Busbee Dr. and Chastain Rd.
Rooms: 462 and 460, two separate rooms. Dates and room assignments below.
Scheduled times and room assignments:
Oct 1: 09:00-11:00 (2 hours) room 462
Oct 8: 09:00-10:00 (1 hour) room 460
Oct 15: 09:00-10:00 (1 hour) room 462
===============================================
Background:
During your work as a computer forensic investigator or corporate security person, you will often have to process "evidence" or data for the investigation.
In most cases this processing involves some basic steps, three of which will be performed during these sessions.
Items covered:
First, you will probably want to prepare a list or catalog of all the files within the suspect or evidence directory. This "cataloging" process is a basic step
in any evidence collection, whether it be physical evidence or computer evidence. You need to know what files or evidence you will be responsible for.
Yes/no???
Second, to ensure data integrity you will want to hash the original evidence so you can validate it later on (a matching hash taken after the fact shows the data was not altered in between). Hashing of evidentiary
files/data is almost always recommended to validate your processes.
And finally, when you have identified the evidentiary files you wish to process, you need to forensically copy the files from the source to a destination for
further analysis, OR, after the analysis is complete, copy the evidence to a medium to provide to the reviewer or for safe long-term storage.
These three items mentioned above will be the heart of the discussions, and the testing you will conduct.
===============================================
In many cases a forensic suite can accomplish all these steps. But in many cases you are also asked, or forced, to perform these steps (catalog/list, hash, copy
of the evidence) outside of a forensic suite. In order to perform these three basic steps you need reliable software which you can testify actually works and
performed the action in a true and accurate evidentiary fashion. And in many cases the investigator blindly takes for granted that the programs recommended by
co-workers provide true and accurate evidentiary results, when those co-workers have themselves used the software just as blindly.
So, if you are performing these actions outside of the 4-star multi-mega-dollar suite, you will be using stand-alone "recommended" software. Does the software
that was recommended, and that you are using, live up to its advertising or reputation? Can you defend its actions in court because you have tested its
capability yourself? Or do you merely say, other forensicators have recommended it, so it must work. YEH, RIGHT!!! So why don't you test it yourself? (what a brilliant idea!!)
That is what the first hour of this session is about. It covers realistic, practical tool testing
and how you might develop your own tool-testing data and the REQUIREMENTS that your software must meet in order to pass the tests you have designed.
===============================================
During these sessions, you will be provided some basic test data and the parameters and requirements for the software testing. The first software you will test
is that which you are currently using in your day to day operations. In order to do this, you are asked to bring with you any file cataloging/listing,
hashing, and copy software you are currently using. Even if you only use Explorer or DIR to list, and Explorer to drag and drop copy. These programs will be
the first you test.
Then you will test the sample software that will be provided to see if it meets reasonable investigation and evidentiary requirements. You will determine if it
meets your needs, not someone else's needs, and how it compares to your own that you have brought to the session. In short:
Hour 1. discuss and develop test processes and evidentiary test data
Hour 2. test file cataloging software
Hour 3. test file hashing software
Hour 4. test file copying software, and for fun, test zip/unzip software. Isn't that merely a fancy copy?
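Worked example, added here and not part of the workshop's own software or test files: a small Python reference implementation of the three steps (catalog, hash, copy-and-verify) plus a grader that compares a tool's listing against the reference catalog, the kind of yardstick Hour 1 asks you to build before testing anyone else's tool. The file names, contents and the "tool output" are constructed for the example; SHA-256 is assumed as the hash, and the test set is written to a scratch directory so it runs the same on a thumb drive or a hard drive folder.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed test set (not the workshop's _DEMO_FILES): names and contents chosen
# to exercise cases that listing and copy tools commonly get wrong.
TEST_FILES = {
    "plain.txt": b"plain content\n",
    "empty.bin": b"",                                   # zero-byte file
    ".hidden": b"dotfile\n",                            # leading dot (hidden on Unix)
    "has  two spaces .txt": b"spaces\n",                # double space, space before extension
    "unicode-\u00e9\u00fc-\u65e5\u672c.txt": b"utf-8 name\n",
    "a" * 120 + ".txt": b"long name\n",                 # long name, still within NAME_MAX
    "sub/nested/deep/file.txt": b"nested\n",            # only found if the tool recurses
}


def build_test_set(root):
    """Write the constructed test files under root; returns the number written."""
    root = Path(root)
    for rel, data in TEST_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return len(TEST_FILES)


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large evidence never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def catalog(root):
    """Steps 1 and 2: recursive inventory of every regular file with size and hash.
    Keys are forward-slash relative paths so source and copy compare directly.
    os.walk does not follow directory symlinks, so it stays inside the evidence tree."""
    root = Path(root)
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            entries[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            }
    return entries


def verify_copy(src_root, dst_root):
    """Re-hash both sides and return a list of (problem, relative_path).
    An empty list means every file arrived, unchanged, with nothing extra."""
    src, dst = catalog(src_root), catalog(dst_root)
    problems = []
    for rel, meta in src.items():
        if rel not in dst:
            problems.append(("missing", rel))
        elif dst[rel]["sha256"] != meta["sha256"]:
            problems.append(("hash mismatch", rel))
    for rel in dst:
        if rel not in src:
            problems.append(("extra", rel))
    return problems


def forensic_copy(src_root, dst_root):
    """Step 3: copy the tree (copy2 keeps timestamps), then prove the copy by hashing."""
    shutil.copytree(src_root, dst_root, copy_function=shutil.copy2)
    return verify_copy(src_root, dst_root)


def grade_tool_listing(reference, tool_output):
    """Hour 2 check: compare a tool's listing (one relative path per line, either
    slash style) with the reference catalog. Returns sorted 'missing' and 'extra'."""
    seen = {ln.strip().replace("\\", "/") for ln in tool_output.splitlines() if ln.strip()}
    expected = set(reference)
    return {"missing": sorted(expected - seen), "extra": sorted(seen - expected)}


def run_demo():
    """Run the whole procedure in a scratch directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "evidence", Path(tmp) / "copy"
        build_test_set(src)
        ref = catalog(src)
        copy_problems = forensic_copy(src, dst)
        # Constructed output of a hypothetical listing tool that skipped the dotfile
        # and the zero-byte file and did not recurse into subdirectories.
        tool_out = "\n".join(r for r in ref
                             if not r.startswith(".") and ref[r]["size"] and "/" not in r)
        grade = grade_tool_listing(ref, tool_out)
        # Flip one byte in the copy to show the verification catches silent corruption.
        (dst / "plain.txt").write_bytes(b"Plain content\n")
        return {"copy_ok": not copy_problems, "grade": grade,
                "tamper_detected": verify_copy(src, dst)}


if __name__ == "__main__":
    print(run_demo())
```

Point the grader at the real listing your own tool produces (redirect its output to a file and read it in), and the "missing" list is exactly what you would have to explain to opposing counsel. Note that a tampered file of the same size passes a size-only check; that is why the verify step hashes rather than compares sizes.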
The following information is intended for all persons who will be attending the KSU
Cybercrime Skills Workshop - Forensic Tool Validation sessions, Oct 1, 8, 15.
The class hours are heavy in command line and GUI hands-on.
The session hours and room assignments are listed at the top of this page.
In preparation for the sessions you are asked to do the following preparation.
1. Bring to the sessions a WINDOWS computer to work on. (Windows 10 preferred, but Win7 will work)
2. Have a 4 GB or larger thumb drive formatted to NTFS. (a separate hard drive folder is also acceptable)
During the sessions, you can work directly on your computer in an empty sub-directory.
However, all the practical test scenarios are designed to work better on the NTFS thumb drive.
3. Download all the executables shown below. They are all encrypted, and the password will be provided at the proper time.
4. Bring any software you currently use to catalog/list, hash, copy files in your day to day operations.
You will test your software first. Then the samples provided.
5. Read the pre-test information below. Download the pre-test and take the test to get you ready for the sessions.
===========================================
Pre-Test =========
Item 2 on the KSU link requests that all prospective attendees take this test and report the results when signing up at their site.
!!! Message regarding this and the other executables below which you will need to download. !!!
Consider it and all the other executables below for the class evidence.
If you are a forensic person and your server won't allow download of executable evidence, I suggest you find another method of downloading this executable.
After all, what will you tell the opposing attorney when he asks why you couldn't download pertinent evidence? "My browser wouldn't let me do it!!" Or maybe: "the
dog ate it."
Please download and take this pre-test.
It is set up so you can determine if you may need to brush up on your command line or basic commands.
There may be some more technical questions relating to hashing and/or file copy, since the sessions involve both.
Since these sessions will be hands on testing software, you really need to have good grasp of command line operations.
Instructions for the pre-test:
1. download the PRETEST.EXE from here.
2. on a windows machine, open a command window. (Maybe a 2nd for research to the answers. This is an open book/window exam)
3. run the pre-test within the command window. C:\YOUR_DIR>_PRETEST
If you use the name: _PRETEST.EXE and it errors off, run again without the .EXE
There are about 22 multiple choice questions to answer, which
deal mostly with basic command line DOS commands such as DIR, DEL, REN, and some technical stuff like: what is
this binary value equal to: 1001
You may have to do some quick online research during the test to obtain the correct answer to
a question such as: what does DIR /r do?
Again; you might want to have a 2nd command window open so you can research the answers while taking the test.
At the end you will be shown which answers are correct and be provided a score.
You will determine if you need to brush up on your command line skills before attending the sessions,
since a lot of the sample software being provided to test is both command line and GUI.
===========================================
The files to download and put on your thumb drive, and their approximate sizes, are:
Day 1: _CATALOG_EVIDENCE.exe 340K bytes, Sample evidence and file/directory cataloging software to test.
Day 2 & 3: _DEMO_FILES.exe 12K bytes Tool testing, "Evidence" files for the hash, and copy testing.
Day 2: _SOFTWARE_HASH.exe 340K bytes, Programs to test in the hash tool tests
Day 3: _SOFTWARE_COPY.exe 330K bytes, Programs to test in the copy tool tests
General: _SOFTWARE_MIN.exe 800K bytes, More sample software for testing.
UPDATED batch files Run this last to replace all other batch files.
Powerpoints Used in the class
Total download size of the exe's is approximately 2.8 GIG.
These executables contain the necessary test files and some sample software which you will test during the 3-day session. They are encrypted executables to protect against prying (early) eyes; you will be provided the appropriate password at the correct time.
If you have any software that you regularly use to perform the listed tasks below,
please bring it along so it can be tested also. Your own software will/should be the
first packages you will test.
First day we will test: directory or file cataloging/listing
Second day we will test: file hashing, or forensic hashing
Finally, we will test: file copy or forensic copying or zip/unzip
Don't forget to bring your Windows computer/laptop to the session.
If you decide to work directly on your computer, it must have an NTFS drive to work on for the tests to properly work.
BTW: To restate: all the executables are encrypted and you will be provided the passwords at the proper time. This is so everyone begins the tests and evaluations at the same time.
If you have any questions please feel free to contact me at: dan@dmares.com