INCS 712: Computer Forensics
Spring 2007, Fall Term 2006
New York Institute of
- Classroom: C104
- The articles are posted on the web.
- There will be no class on 12/11/2006.
- The GSM forensics article and presentation are now posted.
- The article and presentation "Checking Microsoft Windows for signs of compromise" are posted.
- The Unix security and forensics presentation is posted.
- The Bluetooth technology/security presentation is posted.
- The wireless forensics presentation is now on the web.
Special thanks to Rami AL-Attar, who provided us with many useful tools and
material, and thanks to all of you for the tools and the nice
- The reading assignments will be distributed in the class/by email
- The final exam will be a take home exam. It will be sent to you by email.
concerns the post-analysis of computer systems that have been
compromised. In this course, we will study forensic tools and techniques that
combine information gathered from various systems to reconstruct the
behaviors and actions of cyber criminals. Computer forensics focuses on
reconstructing the events that led to the compromise of a system, with the main goals
of recovering critical data and learning the techniques used by hackers, to help
improve the protection of systems and prevent similar attacks in the
INCS 615 : Network Security and Perimeter Protection
620 : Operating System Security
An overview of Computer
An examination of digital forensic models.
Computer Crimes: Presentation by
- User Activity Tracing: Browser Log Files and Recycle Bin Deciphered.
Presentation prepared by Mahmoud
Abu Also'ud and Rami Al-Khateeb,
Track and examine web browsing activity and
deletion of files through the Windows recycle bin that took place on a certain
Deciphers Internet Explorer's ever-growing
internal history/cache file index.dat. Displays complete URLs, the date and time
of the last visit, user names, file sizes, filename extensions, and more.
Allows sorting by any criterion. Reads from one or more files you specify,
or searches complete folders and subfolders, or even entire hard disks (or raw
images of hard disks) in allocated space, free space, and slack space, for
traces of someone having surfed the Internet. Occasionally, accesses to local
files are logged, too. You may search for specific domain, file, and user
Also deciphers the browser history file "history.dat"
produced by Mozilla/Firefox and the browser cache file "dcache4.url" created
by the Opera browser.
Also deciphers the hidden Windows recycle
bin file info2 located in every Recycled/Recycler folder. Displays the
original path and filename, date and time of deletion, file size, and more,
sometimes even if the recycle bin has been emptied
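As an added worked example (written for this page; it is not the course's material or the tool's own code), the Python script below parses the Windows 2000/XP INFO2 record layout described above and recovers, for each entry, the original path, the deletion time, the size on disk and the name the file carries inside the Recycled/Recycler folder. It also handles the case a practitioner runs into most: when a file is restored or purged from the bin, Windows zeroes the first byte of the ANSI path but leaves the rest of the record, so the entry is still readable. The INFO2 bytes it parses are constructed inline as sample data; the record offsets and the D<drive><index>.<ext> naming are the documented format, the file names and times are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of the Windows 2000/XP INFO2 file (documented format; offsets are a
# known layout, the sample data below is constructed for this example):
#   20-byte header: version, unknown, unknown, record size (0x320 = 800 on
#                   2000/XP, 280 on Win9x/NT4), unknown
#   each record: 260-byte ANSI original path, DWORD index, DWORD drive number,
#                FILETIME deletion time, DWORD size on disk, and on 2000/XP a
#                520-byte UTF-16LE copy of the original path
HEADER_LEN = 20
RECORD_LEN_XP = 800
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample file."""
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    """Return (version, records) for the raw bytes of one INFO2 file."""
    version, _, _, record_len, _ = struct.unpack_from('<5I', data, 0)
    if record_len not in (280, RECORD_LEN_XP):
        raise ValueError('unexpected INFO2 record size %d' % record_len)
    records = []
    off = HEADER_LEN
    while off + record_len <= len(data):
        rec = data[off:off + record_len]
        ansi_raw = rec[:260]
        index, drive, ft, size = struct.unpack_from('<IIQI', rec, 260)
        # A restored or purged entry has its first ANSI byte zeroed; stripping
        # leading NULs yields the path minus its first character, and on 2000/XP
        # the Unicode copy still holds the complete path.
        purged = ansi_raw[0] == 0
        ansi_path = ansi_raw.lstrip(b'\x00').split(b'\x00', 1)[0].decode('cp1252', 'replace')
        unicode_path = ''
        if record_len == RECORD_LEN_XP:
            unicode_path = rec[280:].decode('utf-16-le', 'replace').split('\x00', 1)[0]
        path = unicode_path or ansi_path
        drive_letter = chr(ord('A') + drive)
        filename = path.rsplit('\\', 1)[-1]
        ext = '.' + filename.rsplit('.', 1)[1] if '.' in filename else ''
        records.append({
            'index': index,
            'drive': drive_letter,
            'deleted': filetime_to_datetime(ft),
            'size': size,            # size on disk, rounded up to the cluster size
            'path': path,
            'purged': purged,
            # name of the file inside the Recycled/Recycler folder: D<drive><index>.<ext>
            'bin_name': 'D%s%d%s' % (drive_letter.lower(), index, ext),
        })
        off += record_len
    return version, records


def _build_record(path, index, drive, deleted, size, purged=False):
    """Construct one XP-style record (sample data for this example only)."""
    ansi = path.encode('cp1252').ljust(260, b'\x00')
    if purged:
        ansi = b'\x00' + ansi[1:]
    meta = struct.pack('<IIQI', index, drive, datetime_to_filetime(deleted), size)
    return ansi + meta + path.encode('utf-16-le').ljust(520, b'\x00')


# Constructed sample INFO2 (not a real artifact): two files deleted from drive C,
# the second one already restored/purged, so its first ANSI byte is zeroed.
SAMPLE_INFO2 = struct.pack('<5I', 5, 0, 0, RECORD_LEN_XP, 0) + _build_record(
    r'C:\Documents and Settings\alice\My Documents\budget.xls', 1, 2,
    datetime(2006, 12, 11, 9, 30, tzinfo=timezone.utc), 32768) + _build_record(
    r'C:\Documents and Settings\alice\Desktop\notes.txt', 2, 2,
    datetime(2006, 12, 11, 9, 45, tzinfo=timezone.utc), 4096, purged=True)

if __name__ == '__main__':
    version, recs = parse_info2(SAMPLE_INFO2)
    print('INFO2 version', version)
    for r in recs:
        print('%s  %s  %7d  %s%s' % (r['bin_name'], r['deleted'].isoformat(), r['size'],
                                    r['path'], '  (purged)' if r['purged'] else ''))
```

To run it against evidence, read the INFO2 file from the examined image (Recycled\INFO2 on FAT, Recycler\<SID>\INFO2 on NTFS) and pass its bytes to parse_info2 instead of SAMPLE_INFO2. The deletion time is stored in UTC; convert to the machine's local zone before comparing it with other timeline sources.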
- Computer Forensics Editing:
presentation prepared by
Lo'ai Hattar and Omar Zayadat
editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media,
Compact Flash, ...
- Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF
- Built-in interpretation of RAID systems and dynamic disks
- Various data recovery techniques
- Access to physical RAM and other processes' virtual memory
- Data interpreter, knowing 20 data types
- Editing data structures using templates (e.g. to repair partition table/boot sector)
- Concatenating and splitting files, unifying and dividing odd and even bytes/words
- Analyzing and comparing files
- Particularly flexible search and replace functions
- Data Recovery:
presentation prepared by
Rami Sabatin and Hadil Antwan,
from logically corrupted or formatted drives. Study two separate, fully
automated data recovery mechanisms to maximize the chances of
success. One mechanism works with files of any type, the other one
recovers JPG, PNG, GIF, TIFF, BMP, MS Word/Excel/PowerPoint (DOC/XLS/PPS/...),
RTF, MS Access (MDB), PostScript (EPS), Acrobat (PDF), Quicken (QDF), HTML,
XML, DBX, PST, CAD (DWG), PSD, ZIP, GZ, RAR, RIFF (WAV, AVI), Real Audio/Media
(RA, RAM, RM), Quicktime (MOV), Windows Media (ASF) and MPEG (MPG).
Specifically supports FAT12, FAT16, FAT32, and NTFS.
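The second mechanism above is signature-based file carving: it keys on the header and footer bytes of each format rather than on file system metadata. As an added example (written for this page, not the tool's own code), the Python script below carves a raw image for a few of the listed formats. Because it ignores the file system, it recovers a file whose clusters have been freed as long as the bytes are intact, reports a header with no footer in range as a truncated hit instead of dropping it silently, and checks carved PNGs chunk by chunk (length, type, CRC) so that a file overwritten between its header and footer is not passed off as recovered. The disk image, the signature table and the 1x1 PNG are constructed for the example.

```python
import re
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'

# Header/footer pairs for the formats carved here (a constructed subset of the
# signature tables such tools ship with). The footer is searched only after the header.
SIGNATURES = {
    'png': (PNG_SIG, b'IEND\xae\x42\x60\x82'),   # IEND chunk with its fixed CRC
    'jpg': (b'\xff\xd8\xff', b'\xff\xd9'),       # SOI marker .. EOI marker
    'gif': (b'GIF8', b'\x00\x3b'),               # GIF87a/GIF89a .. block terminator + trailer
    'pdf': (b'%PDF-', b'%%EOF'),
}
MAX_CARVE = 8 * 1024 * 1024   # give up on a header whose footer is not within 8 MiB


def carve(image, sigs=SIGNATURES, max_size=MAX_CARVE):
    """Signature-based carving over a raw image. The file system is ignored, so
    files in unallocated space are found as long as their bytes survive."""
    hits = []
    for kind, (header, footer) in sigs.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            window = image[start:start + max_size]
            end = window.find(footer, len(header))
            if end == -1:
                # header without a footer: truncated or partly overwritten file
                hits.append({'type': kind, 'offset': start, 'complete': False, 'data': None})
                continue
            end += len(footer)
            hits.append({'type': kind, 'offset': start, 'complete': True, 'data': window[:end]})
    hits.sort(key=lambda h: h['offset'])
    return hits


def validate_png(data):
    """Walk the PNG chunk list and verify every CRC. Returns the chunk types in
    order when the file is structurally sound, None otherwise (a carved file
    failing here was overwritten somewhere between its header and footer)."""
    if not data.startswith(PNG_SIG):
        return None
    pos, types = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from('>I4s', data, pos)
        if pos + 12 + length > len(data):
            return None
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack_from('>I', data, pos + 8 + length)
        if crc != zlib.crc32(ctype + body) & 0xffffffff:
            return None
        types.append(ctype.decode('ascii'))
        if ctype == b'IEND':
            return types
        pos += 12 + length
    return None


def _png_chunk(ctype, body):
    return (struct.pack('>I', len(body)) + ctype + body
            + struct.pack('>I', zlib.crc32(ctype + body) & 0xffffffff))


# Constructed 1x1 RGB PNG: a real, valid image, built here rather than read from disk.
SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b'IHDR', struct.pack('>IIBBBBB', 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b'IDAT', zlib.compress(b'\x00\xff\x00\x00'))
              + _png_chunk(b'IEND', b''))
# Constructed JFIF-like blob: only the markers a carver keys on, not a decodable image.
SAMPLE_JPEG = b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01' + b'\x00' * 32 + b'\xff\xd9'

# Constructed raw "disk image": files at fixed offsets, zeroed gaps standing in for
# unallocated space, and a PDF whose tail (and %%EOF) has been overwritten.
SAMPLE_IMAGE = (b'\x00' * 512
                + SAMPLE_PNG + b'\x00' * (1024 - len(SAMPLE_PNG))
                + SAMPLE_JPEG + b'\x00' * (512 - len(SAMPLE_JPEG))
                + b'%PDF-1.4\n%...overwritten...\n' + b'\x00' * 256)

if __name__ == '__main__':
    for h in carve(SAMPLE_IMAGE):
        status = 'complete, %d bytes' % len(h['data']) if h['complete'] else 'header only'
        extra = ''
        if h['type'] == 'png' and h['complete']:
            extra = '  chunks=%s' % validate_png(h['data'])
        print('%-4s @ 0x%08x  %s%s' % (h['type'], h['offset'], status, extra))
```

Two caveats when using this on real media: the first FFD9 after a JPEG header may belong to an embedded EXIF thumbnail, so a carved JPEG can come out truncated unless the marker segments are walked the way validate_png walks PNG chunks; and a fragmented file (not stored in consecutive clusters) will carve with foreign data in the middle, which is exactly what the CRC check is there to catch.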
Mo'utasem Hamour and Ibrahim Alqarout,
Radwan Abu Jassar
Searches for text on hard disks and retrieves the
context of keyword occurrences on computer media, not only by examining
all files (the entire allocated space, even Windows swap/paging and
hibernate files), but also currently unallocated space and so-called
slack space. That means it will even find data from files that have
been deleted, if the data still physically exists. Please note that Evidor
cannot access remote networked hard disks.
Finds and gathers digital evidence on computer
media. Evidor is also most useful in civil (pre-)litigation if one party
wants to examine (inspect) the computers of the other party. Evidor can be
used on site for electronic discovery, will usually not disclose
unrelated proprietary or confidential information, and does not impose an undue
burden on the responding party in terms of personnel, time and money. Evidor
serves as an automated forensic examiner, saving the cost of many hours of
hard manual expert work. Evidor produces reliable, replicable, neutral, and
simple results, as needed before a court. Powerful and fast.
Mohammad Al-omari and Yousef Aburabia,
- Delete selected confidential files securely, such that they
are not recoverable.
- Wipe free drive space and clear slack space, to get rid of
sensitive data from deleted files, esp. temporary files.
- Clean formerly used NTFS file records, which contain
filenames and other data.
- Erase logical drives or entire physical disks completely
and irreversibly, e.g. to produce forensically clean target media or to
sanitize media before re-use in a different environment or before donating.
- Trusted download: copy files from classified media without
slack space overhang
Try This Free Erasing Tool
- Forensics and the GSM mobile phone system.
- Checking Microsoft Windows for signs of compromise:
- "Forensics and Cyber Crime: An Introduction", by Marjie T.
Britz. Prentice Hall (August 1, 2003). ISBN:
- "Computer Forensics: Computer Crime Scene Investigation", by J. Vacca. Charles
River Media, 2nd edition, 2005.
- "Guide to Computer Forensics and Investigations", by B. Nelson, A. Phillips, et al.
Thomson Course Technology, 2nd edition, 2006.
- Reading Articles Assignments: 20 %
- Papers and Presentations: 40 %
- Final: 40 %
Dr. Lo'ai A. Tawalbeh