A collection of papers and how-to guides to assist with computer forensics on Windows, Linux, Unix, MacOS / OSX, iOS and Android operating systems. These papers may cover free open-source tools, custom applications written by Network Defense Solutions, Inc., and professional tools such as FTK and EnCase, as well as Autopsy / Sleuth Kit.

ATTENTION: Please note that if you are practicing some of this information in a professional capacity, some states require that the analyst obtain a P.I. license. We are offering these tools, guides and utilities only as a means to teach and provide a better understanding of computer forensics and how forensics is conducted. Some of the tools within this section will also require a payment / purchase / license in order to utilize them. Additionally, you will require hardware write-blockers and other utilities to keep the information you are analyzing safe from contamination in the event it is brought forth to a court of competent jurisdiction.

Introduction

This article serves as a general guideline, rule-set and collection of other details regarding the grounds of computer forensics. We will aim to answer many of the questions in the field, as well as to point out what may be needed. We will provide forms and labels that you can utilize during your own investigations, discuss some legal issues (the effects of jurisdiction and the content that may be viewed), and give a brief overview of the Wiretap Act. If you plan to follow any of these guides, please do so for educational purposes and not in a real environment if you cannot procure the hardware or software to perform a digital forensic examination. Within this documentation I will also aim to provide case studies through mock-up hacks and attacks on a privately owned network and virtual system, to show how evidence collection works, what to look for and how to assess the situation upon arrival.

Linux Forensics & Incident Response Introduction

The main purpose of this document is to combine both incident response and Linux forensics into one single article. Please keep in mind that the information presented in this segment will require interaction with the suspect machine. While we would prefer that analysts utilize the script here: https://networkdefensesolutions.com/index.php/products/58-desktop-services-linux/289-linuxir, if you feel other tools would work best for you, please use those.

Loading Images and File Recovery with Autopsy (Part 2)

Extracting files and/or recovering critical forensic information is key within the process of computer forensics. Out in the wild there are a plethora of tools that a forensic examiner may choose to utilize in order to do so. Although this does not relate directly to the recovery of files from a forensic standpoint, it can also be utilized by users who have lost data and want to try their hand at recovering it. The focus of this document will be on Autopsy and how to use the free tool in order to recover said files.

Obtain Disk Image With Linux

As stated in a previous writeup concerning computer forensics, it can be quite an expensive endeavor. In some of the situations where an expense would otherwise be needed, you may be able to get away with utilizing Linux. When we discussed the need for write-blockers, it was said that you needed to purchase an expensive write-blocker that would allow you to make a disk image with peace of mind. However, you don't really need to do this. This article will explain how you can utilize Linux in order to pull a disk image and then feed it into ProDiscover, and of course bypass the need for a write-blocker. This document will also detail how you can recover files that were deleted, for a forensic investigation.

Recovering Files in Autopsy

Recovering files with forensic tools can be a great help when putting together a case, or even when you need to recover files that have been accidentally deleted. This paper will discuss how to utilize Autopsy in order to recover, and pillage for, files that have been deleted.

Cracking Passwords in Forensics

This document highlights some of the issues that forensic examiners face when dealing with encrypted files. Ideally, it will also point out how a forensic examiner may procure access to encrypted items with the use of a small browser trick which is commonly overlooked by attackers. Although it is directed at the common person, it can also be applied to those who are not well versed in forensic obfuscation techniques. The focus herein will be centered around zip archives, browsers and other types of access.

Windows Live Analysis

Sometimes in computer forensics you will come across an issue where you may need to interact with the RAM within a computer. This example does not go into discussing an attack and the steps needed to set it up, but rather discusses tracking an event in memory. This is normally seen when a service or application has been attacked. Once an exploit has been executed against the system, and if the attack is happening while the investigator is present, a forensic examiner may take the following steps as a sort of outline to assist.

Encase Forensic Data Recovery

This document will detail how you can recover lost or deleted files during an incident, or in the event you are facing a forensic investigation. Topics discussed will be: 1) analyzing the file system for files that were deleted, 2) determining the date/time of a deleted file and lastly 3) the recovery of said files and/or artifacts. Please note that dates and times are discussed in this article for the event that a legal proceeding is taking place and a cease notice has been delivered. This is to prove or disprove that a suspect system has been modified AFTER a cease notice was sent. You can also utilize this article if you are in need of recovering files that have been lost or damaged.

ProDiscover Forensic Data Recovery

This article covers the use of ProDiscover Forensic tools to retrieve files from a computer whose data has been destroyed. The main purpose of this document is forensic file recovery with ProDiscover. Although this is an older version, it may in fact be the same in the newer versions -- if it is not, we will attempt to get a newer version of ProDiscover in order to demonstrate the use of the software in another article.