Reading‐14 - LPouliot/Soph-Spring-FOR-100-Digital-Forensics GitHub Wiki
Research/Reference/Tools for Module 14 Homework
Homework Assignments & Readings
FOR100-01 Web Lecture and Tool overview
Internal Investigation - Hints
Videos to Watch
Tools
Browser Tools
Below you can find a list of free Internet browsing tools:
- BrowsingHistoryView
- IEHistoryView
- IECacheView
- ChromeCacheView
- ChromeHistoryView
- Other NirSoft Browser Tools
- Hindsight for Google Chrome
Internal Investigation - Case hints
What is a LAMP Stack?
Mounting the E01 file:
FTK Imager
Open FTK Imager, then go to File, then Image Mounting..., and select the image file you want to mount. I would go with "Logical Only" for this case, since a physical mount is not needed. Then select the Drive Letter to mount the forensic image to. After that, select the Mount Method, which should be "Block Device / Writable" so we can access the protected directories within the forensic image. Finally, select the location where the "Write Cache Folder" should be stored and click the Mount button.
How to use Nirsoft tools:
Using ChromeCacheView
In order to investigate the Google Chrome cache found in the forensic image you mounted, you need to change the default cache location that the tool uses. To do that, go to File, then Select Cache Folder, and change the drive letter to reflect the drive that the forensic image is currently mounted to. After that, click the OK button to proceed. Example:
Z:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Cache
Using ChromeHistoryView
In order to investigate the Google Chrome history found in the forensic image you mounted, you need to change the default location of the History file that the tool uses. To do that, go to Options, then Advanced Options, and change the drive letter to reflect the drive that the forensic image is currently mounted to. After that, click the OK button to proceed. Example:
Z:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\History
Using IECacheView
In order to investigate the Internet Explorer cache found in the forensic image you mounted, you need to change the default cache location that the tool uses. To do that, go to File, then Select Cache Folder, and change the drive letter to reflect the drive that the forensic image is currently mounted to. After that, click the OK button to proceed. Example:
Z:\Users\IEUser\AppData\Local\Microsoft\Windows\WebCache
Using BrowsingHistoryView
In order to investigate all of the browsing history found in the forensic image you mounted, you need to change the default profile location that the tool uses. To do that, go to Options, then Advanced Options, then find the section labelled "Load history from..." and select "Load history from the specified profile (For example: c:\users\admin)". In the field below that, type the path to the profile we want to investigate. After that, click the OK button to proceed. Example:
Z:\Users\IEUser\
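The NirSoft history viewers above are reading the Chrome History file, which is an ordinary SQLite database whose timestamps are stored as microseconds since 1601-01-01 UTC (the WebKit epoch). The script below is an added example, not part of this wiki page and not NirSoft's or Google's code; it builds a small, constructed History database with only the urls and visits columns it needs (the real schema has many more), opens it read-only the way you would open the copy on the mounted image, and lists each visit with its timestamp converted to UTC. To run it against a mounted image, pass a path such as the Z:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\History example above to read_history instead of calling demo.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome/WebKit timestamps: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core page-transition types kept in the low byte of visits.transition;
# the upper bits are qualifier flags (e.g. chain start/end) and are masked off.
TRANSITION_CORE = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                   4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                   7: "FORM_SUBMIT", 8: "RELOAD"}


def webkit_to_utc(us):
    """Convert a WebKit microsecond timestamp to an aware UTC datetime (None if 0/NULL)."""
    if not us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt):
    """Inverse of webkit_to_utc; only used here to build the constructed sample DB."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def read_history(db_path):
    """Open a Chrome History DB read-only and immutable (so SQLite writes no
    journal/WAL next to the evidence file) and return visits joined to their
    URLs, oldest first."""
    # as_uri() percent-encodes spaces such as "User Data"; SQLite decodes them.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT u.url, u.title, u.visit_count, v.visit_time, v.transition "
            "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"
        ).fetchall()
    finally:
        con.close()
    return [
        {"url": url, "title": title, "visit_count": count,
         "visit_time": webkit_to_utc(ts),
         "transition": TRANSITION_CORE.get(trans & 0xFF, f"UNKNOWN({trans & 0xFF})")}
        for url, title, count, ts, trans in rows
    ]


def build_sample_history(path):
    """Write a constructed Chrome-style History DB containing only the columns
    this example queries; the URLs, titles and times are invented."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
    """)
    t1 = utc_to_webkit(datetime(2021, 3, 15, 14, 22, 5, tzinfo=timezone.utc))
    t2 = t1 + 37 * 1_000_000    # 37 seconds later
    t3 = t1 + 120 * 1_000_000   # 2 minutes later
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 2, t3),
        (2, "https://example.com/login", "Sign in", 1, t2),
    ])
    # 0x30000000 sets the chain-start/chain-end qualifier bits; the low byte
    # carries the core type (1 = TYPED, 0 = LINK, 8 = RELOAD).
    con.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, t1, 0x30000001),
        (2, 2, t2, 0x30000000),
        (3, 1, t3, 0x30000008),
    ])
    con.commit()
    con.close()


def demo():
    """Build the sample DB in a temporary folder, parse it, and return the rows."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "History"
        build_sample_history(db)
        return read_history(db)


if __name__ == "__main__":
    for r in demo():
        print(r["visit_time"].isoformat(), r["transition"], r["url"], "-", r["title"])
```

Because the FTK Imager mount above is "Block Device / Writable", a tool that opens the database normally can leave a -journal or -wal file beside the History file; the mode=ro and immutable=1 URI options prevent that, and reading from a copied file is the safer habit when the parser does not offer such an option.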