Saturday, March 28, 2020

DIGITAL FORENSICS: Investigation using OSForensics (Part 1)

 

Step 1 - Download USB Drive Images

In this task, you will download the USB drive images from a local intranet site.
These USB drive images were collected from the digitalcorpora.org website.
Right-click the USB zip file and select Extract All.

Step 2

Click the Start charm to access the Start screen.
When the Start screen opens, type: OSforensics
In the OSForensics welcome message box, click Continue Using Free Version.

Step 3

In the New Case dialog box, enter your name in the Investigator text box. In the Case Name text box, type CF-DFE-002 USB drive.

Step 4

Click the Add Device button to open the “Select device to add” dialog box, and then click the Image File option button. Click the browse button, navigate to the folder you copied the images to, and click work-usb-2009-12-11.E01. Click Open.


Step 5

Click the work-usb-2009-12-11.E01 filename at the lower right, and then click the Open button to the left to open the File System Browser window.


Step 6

In the “Select a partition in the image” dialog box, which asks which partition to use, leave the default setting, use entire image file, selected, and then click OK.


Step 7

Click the File Name Search icon in the File System Browser window or the left pane of the main window. In the Search String text box, type Charlie*. On the far right, click the Search button.


Step 8

In the Browse for Folder dialog box, ensure that Devices in case refers to work-usb-2009-12-11.
Click OK. Back in the File Name Search window, click Search.


Step 9

After a few moments, a list of the files found on the USB drive is displayed.

Step 10

The files are displayed in Thumbnails view.
Click the Timeline tab.
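Steps 7 to 10 can be cross-checked outside the GUI with a second, independent pass over the same evidence. The script below is an added example, not part of the original post or of OSForensics; it assumes the image has been mounted read-only by a separate tool and that name matching ignores case, and the function names and sample file names are hypothetical.

```python
import fnmatch
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone


def search_names(root, pattern):
    """Wildcard match on file names under root; hits are returned oldest first."""
    pat = pattern.lower()  # assumption: the search ignores case
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not fnmatch.fnmatchcase(name.lower(), pat):
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow a symlink out of the evidence tree
            hits.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
            })
    return sorted(hits, key=lambda h: (h["modified"], h["path"]))


def timeline(hits):
    """Hits per UTC calendar day, a coarse timeline of the matches."""
    days = Counter(h["modified"].strftime("%Y-%m-%d") for h in hits)
    return sorted(days.items())


def demo():
    """Search a constructed sample tree (made-up files, not data from the image)."""
    sample = {  # relative path -> modified time, UTC epoch seconds
        "Charlie_sample_a.txt": 1259827200,        # 2009-12-03 08:00
        "docs/charlie_sample_b.doc": 1259913600,   # 2009-12-04 08:00
        "docs/CHARLIE_sample_c.pdf": 1259913660,   # 2009-12-04 08:01
        "docs/not_charlie.txt": 1259913600,        # must not match Charlie*
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mtime in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"constructed sample")
            os.utime(full, (mtime, mtime))
        hits = search_names(root, "Charlie*")
        return [h["path"] for h in hits], timeline(hits)
```

To use it on real evidence, call `search_names` with the read-only mount point and `"Charlie*"`, then compare the hit list and per-day counts with what the File Name Search and Timeline tabs show.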


Create Index

To create an index of files found in the user’s USB drive image, perform the following steps:

Step 11

Click the Create Index button in the left pane. (Note: You might have to click New Index if the window is showing the results from the index of  USB drive.) In the Step  click the Pre-determined File Types option button, click all the file types listed, and then click Next.


Step 12

 click the Add button.

Step 13

In the Add Start Location dialog box, verify that the Whole drive option is selected and that work-usb-2009-12-11.E01 is listed.
Click OK.

Step 14

In the Step 3 of 5 window, in the Index Title text box, type: All File Type
Click Start Indexing.


Step 15

When the indexing is finished, click OK in the message box informing you that some errors might have occurred in the indexing process.


Step 16

The window that opens shows you the files that were indexed, any errors that occurred, and a summary of what was done. After examining the summary, close the window.

You should now be able to create a case, add it to your inventory, scan the files, and perform indexing, which will be useful later for searching.   

Case Management: Cases are used to group together findings within OSForensics that can be exported or saved for later analysis.

 



Note: The content on this website is provided for informational and educational purposes only.
* We apologize for any errors in the information; please notify the Admin so that they can be corrected.
Thank you.
