We’ll get started at 19:05
course review
comp6445 week09
house keeping
- investigation
- report feedback
- court case
- myexperience
investigation
- we literally did this during the tute
- if you don’t get full marks im calling the police
report feedback
- yeah I didn’t marks yours
- marks should come out next week
solutions
| question | answer |
|---|---|
| Visited websites | wikipedia.org amazon.com bing.com collegelifeweekly.com birdtrader.co.uk internationalowlcenter.org yahoo.com google.com |
| Skype email | [email protected] |
| Video app | musical.ly |
solutions
| question | answer |
|---|---|
| New name | TikTok |
| Skype name | generalhaze28 |
| Delivery | 1900 |
| Response | Thank you! |
| Location | Harris Riverfront Park |
solutions
| question | answer |
|---|---|
| Search | Huntington, West Virginia, 25701 |
| CMLocker | 17/02/03 12:15 |
| Timezone | -5 |
| contacts | 3 |
| smcavoy32 | /vol31/system/recent_images/110_task_thumbnail.png |
court case
| when | monday wk10, 6-8:30pm |
|---|---|
| where | Law Theatre G23 |
| compulsory | no |
| who can attend | anyone |
| pizza | party |
Come along, it’ll be fun
myexperience
oh no
Exam
| when | idk |
|---|---|
| duration | 3 hours |
| worth | 40% |
what’s in it?
3 sections
- multiple choice questions
- technical questions
- professionalism questions
what’ll it include
- likely to have one question from each topic
- section 2 and 3 will be longer answer questions, and likely won’t be as straight-forward (e.g. they might be based on scenarios)
- you won’t be given files to digest/examine, but you may be given screenshots of tooling
how to study?
- learn content not covered in the weekly challenges
- delve deeper into content that was (many topics were discussed, but not assessed, e.g. file slack)
- review the case studies (maybe highlight/note down key parts of the discussion around them)
Revision
01: physical evidence handling
- what is the difference between covert and overt?
- what are first steps when you arrive on the scene?
- what is chain of custody?
- what are the forensics acqusitions methods?
02: the forensic process
- admissible evidence must be ____ and ____?
- what are the steps of the forensic process?
- what is the difference between ethics and morals?
- where could someone hide information on a drive?
03: file systems
- what are the three main components of FAT32?
- how are meta-data structures represented in NTFS?
- what happens to a file when it’s deleted, what happens to it’s contents?
- what is file carving? how does it work?
04: timeline analysis
- what is timestomping?
- why is it important to use the correct timezone?
- you’ve realized your timeline doesn’t make sense with some new data coming in, what should you do?
05: network forensics
- what can network forensics be used for?
- you’ve found a piece of suspicious traffic (e.g. a wierd IP, download of a strange file), how can you determine if it’s malicious
- what barriers might prevent you from performing an investigation of a packet capture?
07: memory forensics
- why is collecting a memory dump difficult?
- how might you get access to a memory dump?
- what might be stored in memory that would be worthwhile to investigate?
- what is processing hollowing?
08: mobile forensics
- you’ve collected a phone, where might you look for good stores of information?
- why is imaging a phone so difficult
- what types of techniques are there to isolate a phone, what methods are there for acquisition?
09: revision
- wait what