Volatile Information
The following are some of the specific types of volatile information that investigators should
collect:
• System time
• Logged-on user(s)
• Open files
• Network information
• Network connections
• Process information
• Process-to-port mapping
• Process memory
• Network status
• Clipboard contents
• Service/driver information
• Command history
• Mapped drives
• Shares
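The categories above are collected in order of volatility, most perishable first. The script below is an added example, not part of the slides, showing how that collection looks on a Linux host: the choice of tools (who, ip, ss, ps, lsof, lsmod, mount) is this example's assumption, each tool is checked before use so a missing one is recorded rather than silently skipped, and the capture is sealed with a SHA-256 manifest so the examiner can later show it was not altered.

```shell
#!/bin/sh
# Added example (not from the slides): capture the volatile categories listed
# above on a Linux host, most volatile first, into one evidence file, then
# seal that file with a SHA-256 manifest. Tool names are assumptions of this
# example; ss and lsof in particular may be absent on a minimal host.

# capture LABEL OUTFILE COMMAND [ARGS...]
# Appends a timestamped section header and the command output to OUTFILE.
# A missing tool or a non-zero exit is written into the record, not hidden.
capture() {
    local label=$1 out=$2
    shift 2
    printf '\n=== %s @ %s ===\n' "$label" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$out"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >> "$out" 2>&1 || printf '[%s exited with status %s]\n' "$1" "$?" >> "$out"
    else
        printf '[%s not available on this host]\n' "$1" >> "$out"
    fi
}

# collect_volatile EVIDENCE_DIR -> prints the path of the capture file
collect_volatile() {
    local dir=$1 out
    mkdir -p "$dir"
    out="$dir/volatile-$(uname -n).txt"
    : > "$out"
    # Order of volatility: clock, sessions and network state decay fastest,
    # process and driver state next, mounts and shares last.
    capture "System time (UTC)"                 "$out" date -u
    capture "Logged-on users"                   "$out" who
    capture "Network interfaces"                "$out" ip -brief address
    capture "Network connections with owning process (process-to-port mapping)" \
                                                "$out" ss -tunap
    capture "Routing table"                     "$out" ip route
    capture "Running processes"                 "$out" ps -eo pid,ppid,user,etime,args
    capture "Open files"                        "$out" lsof -nP
    capture "Loaded drivers (kernel modules)"   "$out" lsmod
    capture "Mounted file systems and shares"   "$out" mount
    echo "$out"
}

# seal_evidence EVIDENCE_DIR -> prints the manifest path
# Hash the capture immediately so later tampering is detectable
# (check with: sha256sum -c MANIFEST.sha256 inside the directory).
seal_evidence() {
    local dir=$1
    ( cd "$dir" && sha256sum volatile-*.txt > MANIFEST.sha256 )
    echo "$dir/MANIFEST.sha256"
}

# Usage: sh collect.sh --collect /mnt/evidence
if [ "${1:-}" = "--collect" ]; then
    evidence_dir=${2:-./evidence}
    collect_volatile "$evidence_dir"
    seal_evidence "$evidence_dir"
fi
```

Run it from removable media or a trusted binary set, with output directed to a separate evidence volume, so that the collection itself writes as little as possible to the system being examined.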
Nonvolatile Information
The following are some of the specific types of nonvolatile information investigators collect:
• Hidden files
• Slack space
• Swap files
• Index.dat files
• Metadata
• Hidden ADS (alternate data streams)
• Windows Search index
• Unallocated clusters
• Unused partitions
• Hidden partitions
• Registry settings
• Connected devices
• Event logs
Introduction to Linux Forensics
Types of Linux Distributions
• Desktop distributions, which include a graphical interface
and common applications, suitable for home use.
• Server or enterprise distributions that are used primarily for
business applications, but can also be used as a home server.
• Live-CD distributions that are stored on bootable storage
devices. A Live CD is a bootable version of an operating
system that is loaded directly into RAM and functions
outside and independently of the target computer’s
operating system.
Linux Forensics
Linux has a number of simple utilities for imaging and basic disk
analysis, including the following:
• dd: Copies data block by block from an input file or device to an output file or device
• sfdisk and fdisk: Determine the disk structure (partition table)
• grep: Searches files for instances of an expression or pattern
• md5sum and sha1sum: Compute and store an MD5 or SHA-1 hash of a file or list of files (including devices), used to verify that an image matches its source
• file: Reads file header information in an attempt to ascertain a file's type, regardless of its name or extension
• xxd: Command-line hex dump tool
• ghex and khexedit: GNOME and KDE (X Window) hex editors
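The utilities above combine into a basic acquisition-and-triage flow. The script below is an added example, not from the slides: dd images a source, md5sum and sha1sum prove the image matches the source bit for bit, and file, xxd and grep triage the result. It assumes GNU or BusyBox coreutils; file and xxd are optional (od stands in if xxd is missing). The source is a constructed sample file standing in for a device such as /dev/sdX, not real evidence.

```shell
#!/bin/sh
# Added example (not from the slides): image a source with dd, verify the image
# with md5sum/sha1sum, and triage it with file, xxd and grep. The sample
# "device" below is constructed for the demonstration and is not real evidence.

# make_sample PATH: 8 sectors of zeros with a marker string at byte offset 1024.
make_sample() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf 'CONFIDENTIAL-MARKER' | dd of="$1" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

# acquire_image SOURCE IMAGE
# bs=512 matches the sector size: conv=noerror,sync keeps reading past bad
# sectors and zero-fills them, and with 512-byte blocks that padding stays
# sector-aligned. A larger bs is faster, but a short final block would then be
# padded as well and the image hash would no longer match the source.
# dd's own stderr (read errors, byte counts) is kept as part of the record.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2> "$2.dd.log"
    md5sum  "$2" > "$2.md5"
    sha1sum "$2" > "$2.sha1"
}

# verify_image SOURCE IMAGE: succeeds only if both digests agree.
# Two algorithms are recorded; MD5 alone is no longer collision-resistant.
verify_image() {
    local src_md5 img_md5 src_sha img_sha
    src_md5=$(md5sum  < "$1" | cut -d' ' -f1); img_md5=$(md5sum  < "$2" | cut -d' ' -f1)
    src_sha=$(sha1sum < "$1" | cut -d' ' -f1); img_sha=$(sha1sum < "$2" | cut -d' ' -f1)
    printf 'md5  source=%s image=%s\n' "$src_md5" "$img_md5"
    printf 'sha1 source=%s image=%s\n' "$src_sha" "$img_sha"
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]
}

# find_marker_offset IMAGE PATTERN: byte offset of the first match, or empty.
# -a treats the binary image as text; -o -b prints the offset of the match itself.
find_marker_offset() {
    grep -a -o -b "$2" "$1" | head -n 1 | cut -d: -f1
}

# triage_image IMAGE PATTERN: identify by content, dump the first 64 bytes,
# and locate the pattern inside the image.
triage_image() {
    if command -v file >/dev/null 2>&1; then file "$1"; else echo '[file not available]'; fi
    if command -v xxd  >/dev/null 2>&1; then xxd -l 64 "$1"; else od -A x -t x1z -N 64 "$1"; fi
    echo "first '$2' at byte offset: $(find_marker_offset "$1" "$2")"
}

# Usage: sh acquire.sh --demo /tmp/work
if [ "${1:-}" = "--demo" ]; then
    work=${2:-.}
    make_sample "$work/sdX"
    acquire_image "$work/sdX" "$work/sdX.img"
    verify_image "$work/sdX" "$work/sdX.img" && triage_image "$work/sdX.img" CONFIDENTIAL
fi
```

Against a real device the source would be opened read-only, ideally behind a hardware write blocker, and the hashes of source and image would be recorded before any analysis touches the copy.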
Application Password Crackers
A password cracker is a program that is used to
identify an unknown or forgotten password to a
computer or network resource. It can also be
used to obtain unauthorized access to resources.
Password-Cracking Methods
Most password crackers use one or more of the
following methods:
• Brute force attack
• Dictionary attack
• Syllable attack
• Rule-based attack
• Hybrid attack
• Password guessing
• Rainbow attack
Brute Force Attack
• In a brute force attack, the attacker tries every possible combination of characters until the correct password is found. It is a slow method: the number of candidates, and therefore the time required, grows exponentially with password length.
Dictionary Attack
• In a dictionary attack, a dictionary (word list) file is loaded into the cracking application, which runs it against user accounts.
• The program tries every word in the dictionary as the password. Dictionary attacks are considered more useful than brute force attacks because the candidate list is far smaller, but they do not work against systems that use passphrases, which are unlikely to appear in a word list.