Wednesday, June 20, 2007

Digital Forensics and Hacking Investigations, Part 4

In Part 4 of this series, we discuss network forensics and misuse investigations; different types of devices that may hold suspect data or evidence; introduction to the 7-layer OSI model; network forensics and the role of sniffers and protocol analysis software; the function of network interface cards and layer-2 content inspection; overview of how a NIC works; overview of how a sniffer works; introduction to promiscuous mode; the 4 ways to capture traffic for network forensics; introduction to spanning and mirroring switch ports; introduction to buffered and unbuffered network taps; layer-2 transparent bridging concepts; 8-track hubs and building a receive-only Ethernet cable; reasons why ARP cache poisoning shouldn’t be used for network forensics; defeating name resolution-based promiscuous mode detection; defeating specially crafted ARP and malformed multicast-based promiscuous mode detection; default snaplengths and configuring a sniffer for full packet capture; introduction to tcpdump and windump; issues with Win32-derived packet capture libraries; introduction to the Network Toolkit from CACE Technologies; and more.


This LiveAmmo Podcast is in .mp3 format, 00:36:15 in duration, and a 17.4 MB download.


Visit the LiveAmmo Computer Forensics Podcast Archives for more information about how to subscribe to our podcast and news feeds.




Digital Forensics and Hacking Investigations, Part 3

In Part 3 of this series, we discuss the initial crime scene investigative process; chain of custody and collecting evidence; civil vs. criminal investigations; limiting exposure to evidence; incident response and NIST Special Publication 800-61; BIOS analysis and understanding clock skew; the art of onsite diplomacy; probable cause and search warrants; the consent required to monitor network traffic; network forensics and the requirement for system banners, acceptable use policies, and third-party consent; consent and keystroke loggers; how law enforcement uses search warrants; the plain view doctrine; international issues with investigating computer crime; what are “artifacts”; acceptable use policies and outside contractors; initial computer forensic investigation methodology; introduction to flowcharting tools; determining required resources for a computer misuse investigation; initial risk assessment for computer crime; conveying electronic discovery concepts in layman’s terms; post action reviews for e-discovery exercises; initial operating system identification for onsite forensic analysis; and more.


This LiveAmmo Podcast is in .mp3 format, 00:46:08 in duration, and a 22.14 MB download.


Visit the LiveAmmo Computer Forensics Podcast Archives for more information about how to subscribe to our podcasts and news feeds.




Digital Forensics and Hacking Investigations, Part 2

In Part 2 of this series, we discuss definitions for intellectual property; concepts for authentication of suspect data; introduction to hashing algorithms; electronic discovery protocols; definitions and standards for digital evidence acquisition, capture, and authentication; cyberstalking and online social networks; data protection and privacy regulations; federal powers and the Interstate Commerce Clause; introduction to federal rules governing computer crime and intellectual property theft; FOIA and Sunshine Laws; the process of building a computer crime case; identification of suspect evidence, including form factors and formats used for storage containers; building a forensics toolkit; write blocking devices and the ideal disk imaging system; introduction to Host Protected Area (HPA) analysis; introduction to BIOS and firmware-based rootkits and trojan technology; and more.


Errata: In this episode we made a mistake by saying that the HPA is at the beginning of the drive; the DCO and HPA both exist at the end of the drive. Thanks to Rush for pointing this out.


This LiveAmmo Podcast is in .mp3 format, 00:46:49 in duration, and a 22.47 MB download.


Visit the LiveAmmo Computer Forensics Podcast Archives for more information about how to subscribe to our podcasts and news feeds.