When documenting these types of cases, follow a basic procedure for recovering the evidence with forensics tools:
- For target drives, use recently wiped media that have been reformatted and checked for viruses or malware.
- Inventory the hardware on the suspect's computer and note the condition of the seized computer.
- For static acquisitions, remove the original drive and check the date and time values in the system's CMOS.
- Document every step that will help you obtain information from the suspect drive.
- List all folders and files on the image or drive.
- Inspect the contents of all data files in all folders.
- Recover file contents for all password-protected files.
- Identify the function of every executable file that doesn't match known hash values.
- Maintain control of all evidence and findings.
Validating with Hexadecimal Editors
- Advanced hex editors offer features not available in digital forensics tools, for example hashing specific files or sectors.
- With the hash value at hand, you can use a forensics tool to search for a suspicious file that may have been renamed to look like a harmless file.
- WinHex provides MD5 and SHA-1 hashing algorithms.
Identifying file headers and determining how their extensions are mismatched
- The most common technique is to hide data by changing file extensions.
- Another hiding technique is selecting the Hidden attribute in a file's Properties dialog box.
- Another way to check file headers is with advanced forensics tools: they compare a file's header to its extension to verify that the extension is correct, and if there's a discrepancy the tool flags the file as a possibly altered file.
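As an added example (not part of the original notes), a small Python script that performs the header-versus-extension check described above and records MD5/SHA-1 hashes so files can be compared against a set of known hashes. The signature table and the sample file bytes are constructed for illustration; a real toolkit carries a far longer signature list.

```python
import hashlib

# Constructed magic-number table: signature name -> (leading bytes, extensions
# that legitimately carry that header). A real toolkit uses a much longer list.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    "png": (b"\x89PNG\r\n\x1a\n", {"png"}),
    "pdf": (b"%PDF-", {"pdf"}),
    "zip": (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    "pe": (b"MZ", {"exe", "dll", "sys", "scr"}),
}

def identify_header(data: bytes):
    """Return the signature whose magic bytes prefix the data, or None if unknown."""
    for name, (magic, _) in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def check_blob(filename: str, data: bytes, known_hashes: set) -> dict:
    """Hash one file's bytes; flag header/extension mismatch and unknown hashes.
    known_hashes: hex SHA-1 digests of files already accounted for (e.g. stock OS binaries)."""
    header = identify_header(data[:16])
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mismatch = header is not None and ext not in SIGNATURES[header][1]
    sha1 = hashlib.sha1(data).hexdigest()
    return {
        "file": filename,
        "header": header,
        "extension_mismatch": mismatch,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": sha1,
        "hash_known": sha1 in known_hashes,
    }

def scan_blobs(files: dict, known_hashes: set) -> list:
    """Run check_blob over a {filename: bytes} mapping; mismatches and unknown hashes first."""
    results = [check_blob(name, data, known_hashes) for name, data in files.items()]
    return sorted(results, key=lambda r: (not r["extension_mismatch"], r["hash_known"]))

if __name__ == "__main__":
    # Constructed samples: a PE header renamed to look like a picture, and a normal PDF.
    sample = {
        "vacation.jpg": b"MZ\x90\x00" + b"\x00" * 60,
        "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    }
    for r in scan_blobs(sample, known_hashes=set()):
        print(r)
```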
Techniques and tools you can use for recovering passwords from protected files
- Brute-force attacks :- Try every possible combination. This method requires a lot of time and computing power.
- To decrypt an encrypted file, the user can provide the password.
- Key escrow can be used to recover encrypted data; it is used when users forget their passwords.
- Dictionary attack :- Uses the most common words found in a dictionary and tries them as passwords.
- Password-cracking tools are available for handling password-protected data. Some are integrated into digital forensics tools, such as Last Bit, AccessData PRTK, Ophcrack, John the Ripper and Passware.
- Salting passwords :- Changes hash values and makes cracking passwords more difficult.
- Rainbow table :- A file containing the hash values for every possible password that can be generated from a computer's keyboard. No conversion is necessary, so it is faster than a brute-force or dictionary attack.
For recovering passwords you can use techniques such as:
• Dictionary attacks
• Rainbow tables
• Brute-force attacks