How to get started?

Posted: Fri Aug 18, 2017 8:24 am

Hey guys,

I try to get into this whole forensic "thing", but I kinda feel totally lost.....
Is there any way to get started from scratch? Like a tutorial or a book you can recommend for a complete noob?
I tried to find something in Google, did a few challenges (ok... I failed at a few challenges..), but I didn't find a really good practical way to learn about forensics :/

My requirements are basic Linux knowledge (with Kali running and on VBox the SANS SIFT). Another problem is they are all using EnCase (which I can not afford) or ProDiscover Basic (just Windows as far as I know) and so I don't even know which tool to use.
Concrete problems are for example: what to do with a .001 or .eve file? What tools do I need to use on them and so on...


I would really appreciate some help/tips!

Kind regards

fenrir

PS: sorry for my bad English

Fenrir
Newbie
 
 
  

Re: How to get started?

Posted: Fri Aug 18, 2017 2:18 pm

- Fenrir

Is there any way to get started from the scratch? like a tutorial or a book you can recommend for a complete noob?


Sure, there are lots of books, web sites, blogs, etc....for example:

windowsir.blogspot.com...arted.html



- Fenrir

I tried to find something in google, did a few challenges (ok... i failed at a few challenges..), but i didnt find a real good practical way to learn about forensics :/


Well, consider this...what makes you think you failed at the challenges? What did you do when attempting those challenges? Some challenges include links to submitted answers...have you taken a look at those?

- Fenrir

my requirements are basic linux knowledge (with kali running and on vbox the sans sift). Another problem is they are all using encase (which i can not afford) or proDiscover Basic (just windows as far is i know) and so i dont even know witch tool to use.


You don't need to use EnCase or any of the commercially available tools. I use FTK Imager to extract data from images. You can use Autopsy or the SleuthKit tools. A lot of the work I do, I do using tools I wrote, batch scripts, and Notepad++.

- Fenrir

concrete problems are for example: what to do with a .001 or .eve file? what tools do i need to use on them and so on...


What you do with the image files and the "tools you use on them" depends on what you're trying to achieve. What are your analysis goals?  

keydet89
Senior Member
 
 
  

Re: How to get started?

Posted: Sat Aug 19, 2017 3:04 pm

- keydet89

Sure, there are lots of books, web sites, blogs, etc....for example:

windowsir.blogspot.com...arted.html

Thanks for that helpful link!
I also have found 2 quite good books

- keydet89

Well, consider this...what makes you think you failed at the challenges? What did you do when attempting those challenges? Some challenges include links to submitted answers...have you taken a look at those?

For example, one challenge gives you an example.eve file and it is said that I should look for documents with "book." in the name.
But I can't even open this file ._. I simply have no idea, and .eve files are not very common, so I find nothing about it in Google.
I tried a few easy things like the strings command, but nothing.
Finally I even tried to run ProDiscover Basic (like it is recommended by the challenge author) on Wine, but for some reason I can't open images ("error opening the file. success") and nothing to find on Google about it, too.
Do you know by any chance how to get something out of an .eve file?
I would just have to know how to convert such a file to dd....

Anyway, many thanks for your answer!

Fenrir
Newbie
 
 
  

Re: How to get started?

Posted: Sat Aug 19, 2017 4:11 pm

See if following these helps:

www.darknessgate.com/c...usb-drive/

www.forensicswiki.org/...roDiscover
www.forensicswiki.org/...ile_format
web.archive.org/web/20...rmatv4.pdf

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: How to get started?

Posted: Sat Aug 19, 2017 7:21 pm

Ok.... somehow I have the feeling that .eve is a specific file format of ProDiscover. OMG.
Too bad my ProDiscover bugs on Wine :/

But thanks a lot for the broad hint! Otherwise I would still be penetrating Google with .eve requests

What OS do you guys have? I wonder if it's more simple on a Windows machine with the whole GUI tools...

Fenrir
Newbie
 
 
  

Re: How to get started?

Posted: Sat Aug 19, 2017 7:56 pm

It's not really about OS but rather about file formats.

That particular tool uses a proprietary format, whilst *all* the rest use either a plain "dd" or RAW one or the Encase (also proprietary, but much more widely used) EWF or .E01 format.

You could use a Windows install to run the ProDiscover and use it to only convert the .eve file to "plain" RAW, *like*:
what-when-how.com/wind...is-part-8/

If the file is not compressed, converting it should be straightforward using the info in the given .pdf; if it is compressed, it is probably beyond your current level of knowledge/experience, and could actually be an excellent exercise in the future.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
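The point jaclaz makes above is that the container format, not the OS, decides which tool can open an image. The following is an added example, not code from the thread or from any of the tools named in it: a small triage script that looks at the first sector of an image and tells a raw/dd image (no container header at all, so the disk's own MBR or volume boot sector is the first thing you see) apart from an EWF/E01 segment, and that orders the .001/.002/... pieces of a split raw image. The EWF segment signature and the FAT/NTFS OEM-name strings are the published ones; the label names, the function names and the sample headers are my own choices.

```python
import re

# Added example (not from the thread): classify a disk image by its leading
# bytes before choosing a tool. An EWF/E01 segment carries a fixed signature;
# a raw/dd image has no container header, so what you see first is the
# disk's MBR or, for a volume image, the volume boot sector. A split raw
# image (.001, .002, ...) is just that same byte stream cut into pieces.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # start of every E01 segment file
BOOT_SIGNATURE = b"\x55\xaa"                  # bytes 510-511 of an MBR or VBR
# OEM names commonly written at offset 3 of a FAT or NTFS boot sector
VOLUME_OEM_NAMES = (b"MSDOS5.0", b"MSWIN4.1", b"mkfs.fat", b"NTFS    ")


def classify_image(header: bytes) -> str:
    """Return a coarse label ('ewf', 'raw-volume', 'raw-disk', 'unknown')
    for the first 512 bytes of an image file."""
    if header.startswith(EWF_SIGNATURE):
        return "ewf"            # needs libewf-aware tools (ewfexport, ewfmount, Autopsy)
    if len(header) < 512:
        return "unknown"
    # A FAT/NTFS volume boot sector also ends in 55 AA, so test for it first.
    if header[3:11] in VOLUME_OEM_NAMES and header[510:512] == BOOT_SIGNATURE:
        return "raw-volume"     # dd image of a single partition
    if header[510:512] == BOOT_SIGNATURE:
        return "raw-disk"       # dd image of a whole disk, MBR first
    return "unknown"            # encrypted, proprietary, or not a disk image


def classify_file(path: str) -> str:
    """Read only the first sector of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return classify_image(fh.read(512))


def order_split_parts(names):
    """Sort split-raw segment names (.001, .002, ...) into concatenation
    order and refuse to continue if a segment is missing."""
    parts = []
    for name in names:
        match = re.fullmatch(r"(.*)\.(\d{3})", name)
        if match:
            parts.append((int(match.group(2)), name))
    parts.sort()
    if [n for n, _ in parts] != list(range(1, len(parts) + 1)):
        raise ValueError("split image is missing one or more segments")
    return [name for _, name in parts]


def make_sample_headers():
    """Constructed sample sectors used to exercise classify_image()."""
    ewf = EWF_SIGNATURE + b"\x00" * 504
    disk = bytearray(512); disk[510:512] = BOOT_SIGNATURE
    volume = bytearray(512); volume[3:11] = b"MSDOS5.0"; volume[510:512] = BOOT_SIGNATURE
    return {"ewf": ewf, "disk": bytes(disk), "volume": bytes(volume), "junk": b"\xff" * 512}


if __name__ == "__main__":
    for label, header in make_sample_headers().items():
        print(label, "->", classify_image(header))
    print(order_split_parts(["usb.003", "usb.001", "usb.002"]))
```

Once a raw image is identified, the .001 segments can simply be concatenated in the order returned (for example with `cat usb.001 usb.002 usb.003 > usb.dd`) and handed to the Sleuth Kit tools or Autopsy; an "unknown" result is the cue to look for a proprietary format, which is exactly the .eve situation in this thread.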
 
 
  

Re: How to get started?

Posted: Mon Aug 21, 2017 12:13 pm

@jaclaz
Many thanks for your help. I will keep it in mind.

I thought it might be a good idea to start a little more slowly. So I imaged an old USB stick of mine, where I created and deleted a few test files.
So I was able to recover the recently deleted files, but there are also lots of orphan files (jpg, mp3 etc.).
I did exactly the same in order to recover them as I did for my test files, but instead of a jpeg or an mp3 I always got just a binary file ._.
I use the Autopsy browser in Linux.
Is it just not possible to recover these old files (most of them are from 2008, but the stick was rarely used), or am I doing something wrong?
Is there another good recovery tool on Linux I could try?

Thanks in advance

Edit: foremost did the job.... unbelievable what this tool can do

Last edited by Fenrir on Mon Aug 21, 2017 12:54 pm; edited 1 time in total

Fenrir
Newbie
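The difference Fenrir ran into here is the one between metadata-based recovery and carving: Autopsy's deleted-file view follows old directory entries to the clusters they once pointed at, so an orphan entry from 2008 whose clusters have since been reused yields a "binary file" of whatever is there now, whereas foremost ignores the file system and scans the raw bytes for known file headers and footers. The following is an added example, not code from the thread or from foremost or Autopsy: a minimal header/footer carver for JPEG files run over a constructed "USB image" that contains two intact JPEGs and one whose footer has been overwritten. The marker bytes are the standard JPEG ones; the offsets, the size limit and the sample data are my own choices.

```python
import os

# Added example (not from the thread): a minimal signature-based carver in
# the spirit of foremost. It never looks at the file system; it scans the
# raw image for a JPEG header and the next JPEG footer after it.
JPEG_SOI = b"\xff\xd8\xff"    # start-of-image marker plus the next marker prefix
JPEG_EOI = b"\xff\xd9"        # end-of-image marker
MAX_JPEG = 10 * 1024 * 1024   # assumed limit: stop looking for a footer after 10 MiB


def carve_jpegs(image: bytes, max_size: int = MAX_JPEG):
    """Return a list of (offset, data) for every JPEG recoverable by
    header/footer scanning. A header with no footer within max_size is
    skipped; that is the "overwritten clusters" case, which carving
    cannot fix either (it can only find what is still physically there)."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            pos = start + 1           # truncated: move past this header and keep scanning
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end                     # resume after the carved file
    return found


def carve_to_dir(image_path: str, out_dir: str) -> int:
    """Carve a raw image file on disk into <offset>.jpg files; returns the count."""
    os.makedirs(out_dir, exist_ok=True)
    with open(image_path, "rb") as fh:
        image = fh.read()             # fine for a small USB image; stream for large disks
    found = carve_jpegs(image)
    for offset, data in found:
        with open(os.path.join(out_dir, f"{offset:08x}.jpg"), "wb") as out:
            out.write(data)
    return len(found)


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed test data: a JPEG-shaped blob, not a decodable picture."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


def build_sample_image() -> bytes:
    """Constructed 64 KiB 'USB image': two intact JPEGs at known offsets and
    one whose footer was overwritten, surrounded by zero filler."""
    img = bytearray(65536)
    intact_a = fake_jpeg(b"A" * 300)
    intact_b = fake_jpeg(b"B" * 500)
    damaged = fake_jpeg(b"C" * 200)[:-len(JPEG_EOI)]   # footer gone
    img[1024:1024 + len(intact_a)] = intact_a
    img[8192:8192 + len(intact_b)] = intact_b
    img[20000:20000 + len(damaged)] = damaged
    return bytes(img)


if __name__ == "__main__":
    for offset, data in carve_jpegs(build_sample_image()):
        print(f"JPEG at offset {offset}: {len(data)} bytes")
```

A carver of this kind recovers file content but not names, timestamps or directory locations, which is why foremost output is a directory of anonymous numbered files; it also mis-carves when a headerless fragment or a truncated file sits just before another file of the same type, so carved results still need to be validated by opening them.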
 
 
