
Week 11 IR Project

Project: Microsoft Windows or MAC OSX Investigation


Perform an investigation of your own computer using the information from Chapter 12 or 13 in
the book and other tools you have discovered in your research. You will need to perform,
analyze and document at least four (4) of the investigation items in one or the other to be
considered complete. You choose the items you will perform, analyze and document. Create a
document in APA format to document your results and post to the dropbox.
http://windowsir.blogspot.com/p/foss-tools.html

Memory Collection Analysis


FTK Imager is a forensic tool that can be used initially to create perfect copies (forensic
images) of computer data without making changes to the original evidence (FTK Imager User
Guide, July 2, 2014). In addition to the forensic evidence the program can collect, the advantage
of using FTK Imager is that it can be run from a flash drive, which alleviates the need to install it on the
suspect's computer. I examined the MD5 hash and the SHA1 hash from both the computed
hash and the report hash. The verify result section showed that the computed and report hash
were a match.
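The verify step described above, as an added example that is not FTK Imager's or AccessData's code: the image is hashed in blocks, the MD5 and SHA1 digests are compared with the values recorded in the acquisition report, and the check is shown on a constructed image (the bytes `abc`, whose published MD5/SHA1 test vectors stand in for the report values) and on a tampered copy of that report. The `MD5 checksum: <hex>` report line format is an assumption, not the tool's own report layout.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so a large image never loads whole


def hash_image(path):
    """Return (md5, sha1) hex digests of the image file at path."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def parse_report_hashes(report_text):
    """Pull recorded digests out of assumed 'MD5 checksum: <hex>' report lines."""
    found = {}
    for line in report_text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key.startswith("md5"):
            found["md5"] = value.strip().lower()
        elif key.startswith("sha1"):
            found["sha1"] = value.strip().lower()
    return found


def verify_image(path, report_text):
    """Compare computed and report hashes; both must match for a clean verify."""
    computed = dict(zip(("md5", "sha1"), hash_image(path)))
    reported = parse_report_hashes(report_text)
    result = {alg: {"computed": computed[alg], "report": reported.get(alg),
                    "match": computed[alg] == reported.get(alg)}
              for alg in ("md5", "sha1")}
    result["verified"] = all(result[alg]["match"] for alg in ("md5", "sha1"))
    return result


def demo():
    """Constructed image b'abc' checked against a good and a tampered report."""
    good_report = ("MD5 checksum: 900150983cd24fb0d6963f7d28e17f72\n"
                   "SHA1 checksum: a9993e364706816aba3e25717850c26c9cd0d89d\n")
    bad_report = good_report.replace("72\n", "00\n")  # last MD5 byte altered
    fd, path = tempfile.mkstemp(suffix=".dd")  # constructed stand-in image
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"abc")
    try:
        return verify_image(path, good_report), verify_image(path, bad_report)
    finally:
        os.remove(path)
```

A mismatch on either digest means the image must not be trusted as a copy of the evidence; re-acquire rather than proceed with analysis.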

Redline
Redline, released by Mandiant, is a forensic tool that is able to detect malware through both
memory and file analysis. In addition, Redline creates a threat assessment for suspected
malicious activity. Although there are several options in the software, one choice is the standard
collection that will collect data from the memory of the device. To provide assistance in
analyzing the data, the following information is provided during the standard collection. In
addition, tags and comments can be added as shown below. I was able to generate a list of this
information.

Network Capture/Analysis Tools


Wireshark
For capturing and analyzing network packets, Wireshark is one tool that is freely available.

After clicking on the Wireless Network Connection, a capture of the interface was printed on the
screen. The information included a numbered list, the time, source, destination, protocol, length,
and information identifying whether it is application data, a standard query, a name query, etc.
One note: if this program is not run as admin or root, it will not be able to see any
interfaces.

Autopsy
The digital forensic tool, Autopsy, is commonly used by law enforcement, military, and
corporate examiners to investigate what happened on a computer. You can even use it to
recover photos from your camera's memory card (Carrier, B., 2015). According to the website,
Autopsy features include timeline analysis, hash filtering, keyword search, web artifacts, data
carving, multimedia, and indicators of compromise.

The Autopsy report is based on the selection of an image file, logical file, or local disk.

References
Autopsy Download. 2015. Sourceforge, Slashdot Media. Retrieved August 13, 2015 from
http://sourceforge.net/projects/autopsy/files/latest/download?source=files
Carrier, B. 2015. Autopsy. The Sleuth Kit. Retrieved August 13, 2015 from
http://www.sleuthkit.org/autopsy/
FTK Imager User Guide. July 2, 2014. FTK Imager Download. AccessData. Retrieved
August 13, 2015 from http://accessdata.com/product-download/digital-forensics/ftk-imagerversion-3.2.0.
Razaq, H. April 26, 2014. How to Use FTK Imager, part 2 of 3. Youtube.com. Retrieved August
13, 2015 from https://www.youtube.com/watch?v=5Y_ZB0l9NgY.
Redline. 2015. Mandiant, a FireEye company. Software Downloads, Redline. Retrieved
August 13, 2015 from http://www.mandiant.com/resources/download/redline/.
Wireshark. 2015. Wireshark Foundation download. Retrieved August 13, 2015 from
https://www.wireshark.org/download.html.
