Tag Archives: IEF

CEIC 2014 Student Series: Daniel Puckowski

My CEIC 2014 Experience in Las Vegas

I came home from the Computer Enterprise Investigations Conference (CEIC) 2014 with a stack of newly acquired business cards, an assortment of trinkets from Las Vegas, and a great breadth of new information that will surely shape my years at Champlain College to come. It was […]

Volume Shadow Copy

Volume Shadow Copy Part 3

What we found in the Volume Shadow Copy for Windows 7

After creating a raw image of the Volume Shadow Copy, we were able to view it in both FTK and EnCase. We most often used EnCase to examine the raw image file and received positive results. We cross-referenced the log of what was […]


Internet Evidence Finder: Part 2

As we are finishing the IEF project, we are coming to the realization that IEF does not parse 100% of the internet artifacts on a drive. That's not to say the tool isn't useful; it's just that IEF should not be used by itself. This project entailed generating internet data on a fresh computer and taking detailed notes during the process. Thirty-three hours later, the data is ready for IEF to parse. We took the drive out of the computer, hooked it up to a write blocker, and imaged the drive in E01 format. We then ran IEF on both the drive and the E01 to see if there would be different results. The results, unsurprisingly, were identical. After comparing the results to my notes, we noticed there were a lot of things missing. For one, only two thirds of the artifacts we generated data for were discovered by IEF.

Internet Evidence Finder

Our next venture is to make a tutorial for Internet Evidence Finder (IEF) for local law enforcement. This tool parses many different internet artifacts that are located in: Common Areas/Folder Locations, pagefile.sys, $MFT, $Logfile, hiberfil.sys, Volume Shadow Copies, Unallocated Clusters, and File Slack; and presents most data in a more readable and understandable format. One […]
