All times are UTC - 5 hours [ DST ]




 Post subject: Forensic Noob Questions
PostPosted: October 27th, 2015, 8:56 

Joined: October 27th, 2015, 8:37
Posts: 10
Location: United States of America
Hey there guys. I am kinda new to this and am trying to switch careers into digital forensics. I already know a little something but am nowhere near the level most of you guys are. I thought I would put out a general list of questions I had, and whoever knows the answer can put it out at their own leisure. It really would help me out a lot if anyone could help me out. Who knows, maybe when I am a pro I could help you lol

1. What is a major difference between FAT12/16 and FAT32 that occurs during formatting?
2. What are the common names of the areas created when a volume is formatted with the FAT32 file system and what are the contents of the areas?
3. What is a pagefile.sys file and what does the Windows operating system use this file for?
4. What is a hiberfil.sys file and what does the Windows operating system use this file for?
5. Where would you find Internet history records for Internet Explorer (version 8 or greater) in the Windows 7 operating system? What is the full path for it?
6. Where would you find Internet history records for Internet Explorer running in the Metro interface?
7. What is the path you would use to determine whether or not a removable drive had been used on a computer?


 
 Post subject: Re: Forensic Noob Questions
PostPosted: October 27th, 2015, 10:09 

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
I am not trying to be rude, but all of this info is already available. For most of us to answer technically, we would probably need to look it up ourselves so we got all the minutiae right, even if we know the general outline of the question.

The first question depends on the tool doing the formatting, I would guess: a camera, Windows, Linux etc. And I am not sure if you are asking what is the main difference between these filesystems, or other.

Second: plenty of such resources: https://technet.microsoft.com/en-us/library/cc938438.aspx

3, 4, 5: any Windows forensic blog

7: the registry

Hope that helps a bit

EDIT: you might want to look at:
open source: http://www.sleuthkit.org/ and http://sourceforge.net/projects/osaftoolkit/
http://forensicswiki.org/wiki/Tools
http://accessdata.com/solutions/digital-forensics/forensic-toolkit-ftk/
http://www.securitywizardry.com/index.php/products/forensic-solutions/forensic-tools.html

And read, read, read, practice, practice, practice, and don't just concentrate on Windows.

VMs are your friend. Try and find an area to focus on, as it is a big field really


 
 Post subject: Re: Forensic Noob Questions
PostPosted: October 27th, 2015, 13:18 

Joined: April 3rd, 2011, 0:19
Posts: 2003
Location: Providence, RI
These sound like test questions for an exam to me.... are you trying to get around doing your homework by just asking guys who do this stuff already? :D

Ah, what the heck maybe you were just out partying and are now trying to play catch-up....

pagefile.sys - this is an area of swap space that's used similar to how RAM is used for currently running processes. If you have enough RAM you can actually safely disable this in most cases.

hiberfil.sys - hibernation file. This is basically just a RAM dump from before the system goes into hibernation, which is used to restore the system back to the same state it was in on wake up.

I'll let someone else answer the rest.

_________________
Data Medics - Hard Drive, SSD, and RAID Data Recovery Service Company


 
 Post subject: Re: Forensic Noob Questions
PostPosted: October 28th, 2015, 6:28 

Joined: February 8th, 2014, 8:08
Posts: 456
Location: Eastern Europe /recovering worldwide/
Forensic Girl 21 wrote:
am trying to switch careers into digital forensics. I already know a little something
...
3. What is a pagefile.sys file and what does the Windows operating system use this file for?
4. What is a hiberfil.sys file and what does the Windows operating system use this file for?

I would highly recommend continuing your education and postponing the career switch.
Compared to what we have to do during the forensic jobs here, the questions above are beyond basic.

After asking about the differences, an interviewer may show you e.g. a BPB and ask you to determine the corresponding FS.
Or ask you (how) to create a 24 MB FAT32 partition. Or a number of similar questions you'll need to answer in real-time.

_________________
• Remote RAID, NAS, SAN, VMware, DVR (CCTV), flash and tape recovery. Data recovery support.
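
Added example, not part of the thread or any poster's own code: the "show a BPB and determine the FS" exercise from the post above, worked with the cluster-count rule from Microsoft's FAT specification. The boot sectors are constructed samples (512-byte sectors, two FATs), and the function and helper names are assumptions made for this illustration.

```python
import struct

def fat_type_from_bpb(sector: bytes):
    """Return (type by cluster count, cluster count, BPB layout) for a FAT boot sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature")
    bps, spc, rsvd, nfats, root_ent, tot16 = struct.unpack_from("<HBHBHH", sector, 11)
    (fatsz16,) = struct.unpack_from("<H", sector, 22)
    tot32, fatsz32 = struct.unpack_from("<II", sector, 32)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1) or nfats == 0:
        raise ValueError("implausible BPB geometry")
    # Offset 36 holds BPB_FATSz32 only when BPB_FATSz16 is zero.
    fatsz = fatsz16 or fatsz32
    total = tot16 or tot32
    root_secs = (root_ent * 32 + bps - 1) // bps   # fixed root directory; 0 on FAT32
    data_secs = total - (rsvd + nfats * fatsz + root_secs)
    if fatsz == 0 or data_secs <= 0:
        raise ValueError("BPB sizes do not describe a FAT volume")
    clusters = data_secs // spc
    # The type is decided by cluster count alone, not by which fields are filled in.
    kind = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    layout = "FAT32-style" if fatsz16 == 0 else "FAT12/16-style"
    return kind, clusters, layout

def make_sector(spc, rsvd, root_ent, total, fatsz, fat32_layout):
    """Constructed sample: 512-byte sectors, 2 FATs, only the fields read above."""
    sec = bytearray(512)
    tot16 = total if total < 0x10000 and not fat32_layout else 0
    struct.pack_into("<HBHBHH", sec, 11, 512, spc, rsvd, 2, root_ent, tot16)
    struct.pack_into("<H", sec, 22, 0 if fat32_layout else fatsz)
    struct.pack_into("<II", sec, 32, 0 if tot16 else total, fatsz if fat32_layout else 0)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

# Constructed boot sectors, not taken from any real image.
SAMPLES = {
    "1.44 MB floppy": make_sector(1, 1, 224, 2880, 9, False),
    "24 MB, FAT16 layout": make_sector(1, 1, 512, 49152, 192, False),
    "24 MB, FAT32 layout": make_sector(1, 32, 0, 49152, 383, True),
    "512 MB, FAT32 layout": make_sector(8, 32, 0, 1048576, 1024, True),
}

if __name__ == "__main__":
    for name, sec in SAMPLES.items():
        print(f"{name}: {fat_type_from_bpb(sec)}")
```

The 24 MB sample with FAT32-style fields still comes out as FAT16 by cluster count (48354 clusters, below the 65525 threshold), so the field layout and the cluster count are worth checking separately.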


 
 Post subject: Re: Forensic Noob Questions
PostPosted: October 28th, 2015, 13:29 

Joined: October 27th, 2015, 8:37
Posts: 10
Location: United States of America
Dmitri wrote:
Forensic Girl 21 wrote:
am trying to switch careers into digital forensics. I already know a little something
...
3. What is a pagefile.sys file and what does the Windows operating system use this file for?
4. What is a hiberfil.sys file and what does the Windows operating system use this file for?

I would highly recommend continuing your education and postponing the career switch.
Compared to what we have to do during the forensic jobs here, the questions above are beyond basic.

After asking about the differences, an interviewer may show you e.g. a BPB and ask you to determine the corresponding FS.
Or ask you (how) to create a 24 MB FAT32 partition. Or a number of similar questions you'll need to answer in real-time.


To answer you, Dmitri, and everyone else on the page so far: YES, I know. I know these are noob questions, I know I need A LOT of practice and I know I need more classes before officially switching careers. I know. To give you a little background about myself (I won't go into too much detail): right now I am in a career that I hate, and while the money is decent it is really starting to wear me out physically and emotionally. Because of this and other issues I need a career change. I recently found I have a deep passion for digital forensics, and while my job won't allow me to travel to do too many classes, I now know this is what I want to do with my life.

You guys will be seeing a lot of me on these forums (and possibly others if you frequent them). I don't mean to come across as a total idiot (and hopefully you guys don't see me that way) but while these questions may seem very elementary to most of you; you must understand I haven't even been doing this for a year yet. I sincerely hope that at least some of you will stick with me as I go from noob to mastery as you all are.

PS: Thank you for the advice it is helpful


 
 Post subject: Re: Forensic Noob Questions
PostPosted: October 29th, 2015, 4:30 

Joined: October 20th, 2015, 9:51
Posts: 5
Location: Paris
Hello,

Knowledge is in the books:

File System Forensic Analysis - Brian Carrier

EnCase Computer Forensics -- The Official EnCE: EnCase Certified Examiner Study Guide - Steve Bunting

There is a section of forensics books in the forensicfocus forum
Free tools: TSK
Otherwise, if you can drop some money, X-Ways, EnCase and Belkasoft center are well known in the forensics community

Practice makes perfect

Best Regards


 
 Post subject: Re: Forensic Noob Questions
PostPosted: October 29th, 2015, 6:51 

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
I think before all that, bone up on Windows fundamentals and file systems. But the bigger issue is more simple, and takes focus and work. There are a lot of steps, but only 2 steps you should really focus on and work hard at: Step 1 and, to borrow a programming term, Revised(step 2).

Personally you should write them down, I have heard that writing them down makes it real... but different people need different incentives, find yours.

Find out what is actually involved in step 1 and learn that six ways from Sunday. I mean devour it. By step 1 I mean:

Step 1 ---- Step 2 ---- Step 3 ---- etc ---- Goal

Figure out what you THINK is involved in each step. A step can be some kind of milestone, accreditation, learning a certain thing etc.

Then revise each step, rewrite the table. Along the way you will change focus, possibly even the goal. But this focus makes it all a little less daunting, and a lot more obtainable. Also, always revising as you go means you don't spend a great deal of effort to get somewhere only to find it isn't as you planned or envisioned.

There is so much already on the net for free to learn almost anything, you really need to think how you go about it, or you end up collecting information, and asking more and more questions, but there isn't time to do that and learn deeply any one thing.

Not articulated well, but hope you get the picture.

The technical stuff is the easy bit - focused learning with a family / distractions is probably harder


 
 Post subject: Re: Forensic Noob Questions
PostPosted: November 4th, 2015, 15:47 

Joined: April 22nd, 2015, 20:32
Posts: 413
Location: Portugal
Hi, and welcome!

Sometimes you will feel that doing some Noob questions you won't have PRO answers...

Digital Forensics can't be learned easily, it's something you keep learning and understanding as time goes.

I would recommend you read (File System Forensic Analysis) by Brian Carrier to get started and get familiar with some of the questions you asked.

and take a look at this:

https://blogs.sans.org/computer-forensi ... r-2012.pdf

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Instagram https://www.instagram.com/datarecovery_morde.pt/


 
 Post subject: Re: Forensic Noob Questions
PostPosted: November 5th, 2015, 2:08 

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
SANS should have been already visited way before the OP even got to the stage of posting here.

IMHO, the biggest "noob" mistake is posting questions that are easily Googleable.

"noob" is not a derogatory term, by the way. My definition is someone that is newly interested in a certain subject.

Much better results from any forum are when questions are like:

"I wanted to know ...x... and searched and found ...x... at this site ...x... but I don't understand ...x..."


 
 Post subject: Re: Forensic Noob Questions
PostPosted: December 17th, 2015, 13:51 

Joined: October 27th, 2015, 8:37
Posts: 10
Location: United States of America
Thanks, you guys are awesome


 
 Post subject: Re: Forensic Noob Questions
PostPosted: December 18th, 2015, 23:12 

Joined: August 26th, 2012, 19:18
Posts: 293
Location: England
A little late to this party, but this link should prove useful to those (noobs?) that don't want to come across as help-vampires.

How To Ask Questions The Smart Way: Eric Steven Raymond

http://www.catb.org/esr/faqs/smart-questions.html

<snip>
Before You Ask

Before asking a technical question by e-mail, or in a newsgroup, or on a website chat board, do the following:

Try to find an answer by searching the archives of the forum or mailing list you plan to post to.

Try to find an answer by searching the Web.

Try to find an answer by reading the manual.

Try to find an answer by reading a FAQ.

Try to find an answer by inspection or experimentation.

Try to find an answer by asking a skilled friend.

If you're a programmer, try to find an answer by reading the source code.

When you ask your question, display the fact that you have done these things first; this will help establish that you're not being a lazy sponge and wasting people's time. Better yet, display what you have learned from doing these things. We like answering questions for people who have demonstrated they can learn from the answers.
<snip>

_________________
When you feel like eating, eat everything.
Hunger is no joke!

