Scribd
Upload
150 views

Forensics

This document provides an introduction to basic computer forensics tools and concepts. It describes two tools, BGInfo and Nigilant, that can gather system information and artifacts from a computer. BGInfo displays basic system details in the background, while Nigilant produces a more in-depth report of processes, services, users and ports. It also creates a physical memory dump. Finally, the document introduces CAINE, an open-source forensic distribution that allows analysis and reporting in a learning environment.

Uploaded by

Josiah Marcano
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
150 views

Forensics

This document provides an introduction to basic computer forensics tools and concepts. It describes two tools, BGInfo and Nigilant, that can gather system information and artifacts from a computer. BGInfo displays basic system details in the background, while Nigilant produces a more in-depth report of processes, services, users and ports. It also creates a physical memory dump. Finally, the document introduces CAINE, an open-source forensic distribution that allows analysis and reporting in a learning environment.

Uploaded by

Josiah Marcano
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

Experiment 4

Forensics

Computer forensics is not exactly like it’s portrayed in the movies and on TV. Performing a computer
forensic investigation requires significant levels of technical skill, patience, organization, and the ability
to follow specific procedures. You need to be able to follow very specific instructions and protocols to
work in the field of computer forensics.

In this section you will see a few basic forensic tools and a forensic suite (which includes a variety of
tools). The forensic suite (CAINE) is actually a Linux distribution that we will run as a virtual machine.

The following projects are intended to give introductory exposure to computer forensics and get your
guys excited about the field of computer forensics. You will not be ready, or qualified, to complete a
forensics investigation after doing this experiment. You will need a great deal more experience and
certified training in order to be qualified to initiate a real investigation. Again, these projects are just an
introduction to the IT security field.

BGINFO

In general, computer forensics gathers information (artifacts) from a computer system while trying to
explain what information is present and its origin. When people first hear the word “forensics” they put
up mental road blocks and just assume that they won’t understand what is going on. We are going to
start slowly with basic software that gathers general information from a computer. Then we will move
on to tools with more functionality.

The first tool we will look at is BgInfo . It shows basic system information on the computer background.
Systems administrators are always running multiple DOS commands or clicking through a series of
windows to get basic information that they need about the local computer. Having it displayed in the
background saves administrators time and effort. Let’s look at a quick example using BgInfo.

1. Download BgInfo from http://technet.microsoft.com/en-us/sysinternals/bb897557


2. click save
3. unzip
4. double click Bginfo.exe
5. click anywhere on the text to stop the ten-second timer (it will close the program if you don’t)
6. remove any fields you don’t want to see by editing the text directly (i.e., select and delete lines).
7. Take a screenshot
8. Click OK
9. Take a screenshot of your computer background with the system information showing.

Questions

1. What DOS commands would you have to enter to get the information shown by BgInfo?
2. Why would an administrator need to know the IP and MAC addresses for a given computer?
3. Can you change your MAC address?

NIGILANT

Let’s look at a tool that has more functionality and is closer to being a true forensic tool. Nigilant is more
of an incident response took than a complete forensic suite. Nigilant will produce a full report showing
current system information including all processes, services, users, and network ports. These basic facts
may provide investigators with information about what is happening on the system and who is making it
happen. It will help direct the investigation.

Nigilant will also produce a complete physical memory (RAM) dump. Oftentimes there is information
held in RAM that may not be written to the hard drive. This will produce an image file as large as the
amount of RAM installed on the local machine. You can also inspect existing files and /or deleted files
directly without changing them.

1. Download Nigilant from http://www.agileriskmanagement.com/download.html


2. Unzip
3. Install
4. Double click nigilant32.exe
5. Click Run
6. Click on the Nigilant32 screen
7. Click File, Preview Disk
8. Select the largest drive
9. Click Apply
10. Scroll down until you see the Security folder you made on C:\security
11. Double click the security folder
12. Select the YourName.txt file you created earlier (or any other file)
13. Take a screenshot
14. Click Tools, Snapshot Computer
15. Take a screenshot
16. Click Tools, Image Physical Memory (this will take a couple of minutes, we will use this image
later in CAINE)

Questions
1. Why are investigators so concerned about preserving the times a file was written, accessed, and
created?
2. What types of information would be in the RAM memory dump that wouldn’t be on the hard
drive?
3. Why does the program show the file in hexadecimal?
4. What does the Extract File feature in Nigilant32 do?

CAINE

CAINE is a distribution focused on IT forensics. It is a good learning environment for beginning users.
CAINE has intuitive interfaces, a variety of functionality, and good reporting/documentation tools. Most
IT forensics suites are quite expensive and require a fair amount of training. A free tool like CAINE that
has a good collection, analysis, and reporting tools is invaluable for someone just starting out in the field.

You can download a copy and have fun.

You might also like