Introduction to Single Purpose Forensic Tools
GIAC Certified Forensic Examiner Objectives:
Fundamental Digital Forensics
- The candidate will demonstrate an understanding of forensic methodology, key forensic concepts, identifying types of evidence on current Windows operating systems and be familiar with the structure and composition of modern Windows file systems.
Foundations of Digital Forensics Acquisitions
- The candidate will demonstrate an understanding of the methodologies and tools used to collect and process digital forensic evidence.
Overview
This lab is part of a series of lab exercises intended to support courseware for Forensics training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48.
Hashing is the process of taking in a stream of data and transforming it into a fixed-length hash value using a hashing algorithm. Because a change to the input changes the resulting hash, you can use the hash to make sure that a message was not modified during transmission. In the same way, comparing the hash of a disk image against the hash recorded earlier shows that the image was not tampered with. Hashed images are used in forensic investigations. Hashing is also used on files, passwords, and other pieces of data.
In this lab, you are going to image a disk and create a hash of that disk, verify integrity using file hashing tools, use Foremost to carve and recover deleted files from a disk, and use a hex editor to review files.
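The hashing workflow described above, as an added example that is not part of the original lab: copy a source to an image, record its hash, and re-check the image later. The tools (dd, sha256sum), the choice of SHA-256, and all function and file names are assumptions for illustration, and the zero-filled "disk" is constructed sample data.

```shell
#!/bin/sh
# Added example: image a source, record its hash, and verify the image later.
# Function names and file names are hypothetical, chosen for this demo.

# hash_of FILE: print only the SHA-256 hex digest of FILE
hash_of() {
    sha256sum "$1" | awk '{print $1}'
}

# acquire SRC IMG: copy SRC to IMG block by block and store the hash of
# the SOURCE in IMG.sha256, so later checks compare against the original
acquire() {
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    hash_of "$1" > "$2.sha256"
}

# verify IMG: succeed only if IMG still hashes to the recorded value
verify() {
    [ "$(hash_of "$1")" = "$(cat "$1.sha256")" ]
}

demo() {
    work=$(mktemp -d) || return 2

    # Constructed stand-in for an evidence disk: 64 KiB of zero bytes
    dd if=/dev/zero of="$work/disk.raw" bs=4096 count=16 2>/dev/null

    acquire "$work/disk.raw" "$work/disk.img"
    echo "recorded hash: $(cat "$work/disk.img.sha256")"
    verify "$work/disk.img" && echo "after acquisition:  MATCH"

    # Change one byte at offset 1000 without altering the file size
    printf 'X' | dd of="$work/disk.img" bs=1 seek=1000 conv=notrunc 2>/dev/null
    echo "current hash:  $(hash_of "$work/disk.img")"
    verify "$work/disk.img" || echo "after modification: MISMATCH"

    rm -rf "$work"
}

demo
```

A one-byte change in a 64 KiB image produces a completely different digest, which is why the hash recorded at acquisition has to be stored separately from the image it protects.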
OUTCOMES:
In this lab, you will learn to:
- Use file hashing tools to verify integrity
- Mount a partition with deleted files and folders
- Use Foremost to carve files
- Use a hex editor