Summary

This document provides a revision of computer forensics, focusing on Windows artifact analysis. It discusses user profiles, default folder structures, and Windows Registry, essential elements for digital investigations.

Full Transcript

Pray that we get a 4.0 in Computer Forensics 😊

Revision: Computer Forensics

Chapter 6: Windows Artifact Analysis

Windows artifact analysis is used in digital forensics to track user activities on the Windows operating system.

Understanding User Profiles

Default Folder Structure
When Windows is installed, it creates a default folder structure to store user and application data:
- Windows XP, WinNT, Win2000: C:\Documents and Settings\%UserName%
- Windows Vista, 7, 8, 10: C:\Users\%UserName%

Types of User Profiles
- Local User Profile – Created when a user logs in for the first time.
- Roaming User Profile – A network-based profile created by administrators, allowing users to access their profiles from different devices.

Data in User Profiles
Each user profile has its own registry file (NTUSER.DAT) linked to HKEY_CURRENT_USER.
Common folders found in a user profile:
- Documents: \Users\$USER$\Documents
- Music: \Users\$USER$\Music
- Pictures: \Users\$USER$\Pictures
- Videos: \Users\$USER$\Videos
- AppData – A hidden folder containing user-specific settings and configurations, divided into:
  - Roaming (data moves across devices)
  - Local (data remains on a single device)

Understanding Windows Registry
The Windows Registry is a hierarchical database that stores configuration settings for users, hardware, and applications.
Main location: %SystemRoot%\System32\Config
Hive files:
- SAM – Stores user login information.
- SECURITY – Stores security-related information, including passwords.
- SOFTWARE – Stores application data and Windows default settings.
- SYSTEM – Stores hardware and system configurations.

Determining Last Login & Password Changes
User login data is stored in: C:\windows\system32\config\SAM\Domains\Account\Users
Tools that can be used:
- Registry Explorer
- RegRipper – Extracts and analyzes registry data in a readable format.

Security Identifier (SID) & Event Logs
A SID is a unique identifier used by Windows to track objects. The last part of the SID is the Relative Identifier (RID), which identifies the user role:
- 500 → Administrator
- 501 → Guest
SIDs can help track deleted user accounts: if certain RIDs are missing, the accounts may have been deleted.

Event Logs
Record system and user activities:
- System Logs – Windows system activity.
- Application Logs – Logs generated by installed applications.
- Security Logs – Records login attempts.
Location: C:\Windows\System32\winevt\logs

Analyzing Thumbcache
Thumbcache is a database of thumbnail images generated when a user browses files in thumbnail view.
Location: AppData\Local\Microsoft\Windows\Explorer

Analyzing Recycle Bin
The Recycle Bin stores deleted files before they are permanently removed. Windows stores deleted files in the $Recycle.Bin folder. Each user has a subfolder identified by their SID.
Deleted files consist of two parts:
- $R – The actual deleted file.
- $I – Metadata containing the file path, deletion date, and file size.
Recovering deleted files: use $I Parse to analyze the metadata of deleted files.

Understanding Shortcut (LNK) Files
LNK files are shortcuts that link to files or applications and contain useful forensic information such as:
- File MAC times (Modified, Accessed, Created timestamps)
- File size
- File path
- Volume details
Location: %Username%\Appdata\Roaming\Microsoft\Windows\Recent
Tool: LECmd – Extracts shortcut file data.

Analyzing Shellbags
Shellbags store information about folders accessed by users, including:
- Network devices
- Removable media
- Encrypted folders
Location: AppData\Local\Microsoft\Windows\USRCLASS.DAT
Tool: ShellBags Explorer

Analyzing Windows Prefetch Folder
Prefetch is a Windows feature that speeds up application loading by storing execution data in RAM.
Location: %WINDOWS%\PREFETCH
File extension: .pf
Stores details such as the number of times an application was executed and the last execution date/time.
Tool: WinPrefetchView

Determining Time Zones
System time zone settings are crucial for correlating event timestamps.
Registry path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Tool: RegRipper

Analyzing Network History
Knowing which networks a user has connected to can provide location-based evidence.
Locations:
- C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces
- Wi-Fi Event Logs: C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational
Relevant Event IDs:
- 11010 – Connection started
- 11005 – Connection successful
- 8003 – Disconnection from the network

Windows artifact analysis is a crucial aspect of digital forensics, as it provides insights into user activities, including login history, deleted files, network connections and program executions. By using tools like RegRipper, Registry Explorer, ShellBags Explorer and WinPrefetchView, investigators can retrieve important data for forensic investigations.

Chapter 7: Windows Registry Forensics

The Windows Registry is a crucial database that stores configuration data related to system settings, user preferences, and installed applications. It is widely used in digital forensics to track user activities, system changes, and connected devices.

Understanding Windows Registry
The Windows Registry is a collection of databases containing system configuration data, including:
- Hardware and software settings.
- User preferences and profile information.
- Recently accessed files, programs, and connected devices.
It consists of Keys and Values. The Registry can be accessed using the regedit.exe utility.

How to Open Registry Editor
1. Click Run
2. Type regedit
3. Press Enter

The Five Main Registry Keys
The Windows Registry consists of five root keys:
1. HKEY_CURRENT_USER (HKCU) – Stores configuration settings for the currently logged-in user. Includes user-specific folders, desktop settings, and Control Panel preferences.
2. HKEY_USERS (HKU) – Contains all actively loaded user profiles. HKEY_CURRENT_USER is a subkey of HKEY_USERS.
3. HKEY_LOCAL_MACHINE (HKLM) – Stores computer-wide settings applicable to all users.
4. HKEY_CLASSES_ROOT (HKCR) – A subkey of HKEY_LOCAL_MACHINE\Software. Ensures the correct program opens when a file is accessed in Windows Explorer.
5. HKEY_CURRENT_CONFIG (HKCC) – Contains hardware profile settings used by the system during startup.

Accessing Registry Hives Offline
- If analyzing a live system, the registry can be accessed using regedit.exe.
- If working with a disk image, the registry hives are located in: C:\Windows\System32\Config

User-Specific Registry Hives
Two important hives are found in user profiles:
1. NTUSER.DAT → Mounted on HKEY_CURRENT_USER when the user logs in.
   Location: C:\Users\user
2. USRCLASS.DAT → Mounted on HKEY_CURRENT_USER\Software\CLASSES.
   Location: C:\Users\user\AppData\Local\Microsoft\Windows

AmCache Hive
Stores information about programs recently executed on the system.
Location: C:\Windows\AppCompat\Programs\Amcache.hve

Transaction Logs and Backups
Registry transaction logs act as a journal of registry changes. Windows uses .LOG files in the same directory as the registry hives to store logs of registry modifications.

Data Acquisition in Forensics
- Digital forensic investigators analyze either a live system or a system image.
- It is recommended to image the system for accuracy before analysis.
- GKAPE (GUI Kroll Artifact Parser Extractor) is used for acquiring registry data.

System Information & Control Sets
The OS version can be found in: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Control Sets store system startup configurations:
- SYSTEM\ControlSet001 → Used for booting.
- SYSTEM\ControlSet002 → Last known good configuration.
- SYSTEM\Select\Current → Identifies the active Control Set.

Registry Hive Locations for Investigation
- Time Zone Information: SYSTEM\CurrentControlSet\Control\TimeZoneInformation
- Network Interfaces (IP, DHCP, Subnet, DNS): SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
- Past Connected Networks:
  - SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
  - SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed

Autostart Programs (Autoruns)
Programs that automatically run at startup are stored in:
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
- SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SAM Hive & User Information
Stores user account details, including login information and user groups.
Location: SAM\Domains\Account\Users

Tracking File and Folder Usage
Windows maintains a list of recently accessed files: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Recent Document Registry Keys: different file extensions (e.g., .pdf, .jpg) are categorized separately.
Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf

Office Recent Files
Microsoft Office maintains a record of recently opened documents.
Location: NTUSER.DAT\Software\Microsoft\Office\VERSION
Example: NTUSER.DAT\Software\Microsoft\Office\16.0\Word

Shellbags Analysis
Stores information about folder layout and accessed directories.
Location:
- USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
- USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Open/Save Dialog MRUs
Windows remembers the last location where a file was opened/saved.
Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU

UserAssist Registry Key
Stores applications launched via Windows Explorer, including:
- Execution timestamp.
- Number of times the program was launched.
Command-line executed programs are not recorded in UserAssist.
Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

BAM/DAM (Background Activity Monitor & Desktop Activity Moderator)
- BAM tracks background applications.
- DAM optimizes power consumption in modern standby mode.
Location: SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

External Devices & USB Forensics
Investigators often need to check whether USB or external devices were connected. The Registry stores the vendor ID, product ID, and timestamps of connected devices.
Location: SYSTEM\CurrentControlSet\Enum\USBSTOR

The Windows Registry plays a vital role in forensic investigations. It provides insights into user activities, system configurations, startup programs, recently accessed files, USB devices and network connections. By leveraging tools like RegRipper, Registry Explorer and GKAPE, forensic analysts can extract valuable evidence for investigations.

Chapter 5: Acquiring Digital Evidence

A crucial step in forensic investigations. The process involves creating forensic images of digital devices while ensuring the integrity and authenticity of the collected data.

Forensic Image File Formats

Raw Format
- The Raw Format is the most widely used forensic image format.
- It creates a bit-by-bit copy of the original data without any modifications.
- Can capture entire drives or specific volumes.
- Supported by most forensic software.
- Used by the Unix/Linux dd command.
- File extensions include .001, .img, .dmg, .dd, .raw.
- Disadvantage: Requires the same storage space as the original data.

Advanced Forensic Format (AFF)
- An open-source and extensible forensic file format.
- Used in both open-source and proprietary forensic applications.
- Supports zlib and LZMA compression.
- Can be split into multiple smaller files.
- Supports encryption from AFF V2.0 onwards.
- File extensions: ".afd" – Segmented image files; ".afm" – Metadata files.
- AFF4 is the latest version, replacing the older AFF3 and AFFLIBv3.
- Supported by forensic tools like FTK, Sleuthkit, OSFMount, FTK Imager, Autopsy, X-Mount.

EnCase Format
- Developed by Guidance Software (now OpenText Corporation).
- Used worldwide by law enforcement agencies for criminal investigations.
- Allows searching within the forensic image.
- Supports splitting images into multiple smaller files.
- File extension: ".E01" (e.g., .E01, .E02, .E03).
- Automatically splits files into 640MB chunks.

Other File Formats
- ILook Imager
- ProDiscover
- Safeback by NTI

Forensic Image Validation
- Ensures that the captured forensic image is an exact copy of the original.
- Prevents data alteration during acquisition.
- Standard practice: hashing is used to verify image authenticity. Digital evidence is assigned a hash value (MD5, SHA-1, or SHA-256).

Challenges in Acquiring RAM Memory

Windows is Locked
- If a system is rebooted, RAM data is lost.
- Solution: Bypass the Windows login screen using CaptureGUARD or Phantom Probe hardware. Extract passwords from RAM using a Direct Memory Access (DMA) attack.
- Note: This method may leave traces in RAM and is not always successful.

Using DMA to Unlock Locked Computers
Direct Memory Access (DMA) allows direct interaction with RAM without using the CPU.
Uses:
- Bypass lock screens.
- Access data without OS security restrictions.
- Bypass firewalls and antivirus software.
DMA-supported ports include: FireWire, PCI, PCI-X, PCI Express, Thunderbolt.

RAM Acquisition Tools

Belkasoft Live RAM Capturer
- A small, free tool for capturing RAM memory.
- Can be run from a USB drive.
- Captures RAM data even if anti-debugging or anti-dumping systems are active.
- Supports Windows 7, 8, 10, XP, Vista, Server 2003-2019.
Process:
1. Store the tool on a USB drive with enough storage.
2. Insert the USB drive into the target machine.
3. Run the program and click 'Capture'.
4. The captured RAM image is saved as a ".mem" file.

Magnet Forensic
- Another portable tool for RAM capture.
- Supports Windows XP - Windows Server 2019.
Process:
1. Download and install on a USB drive.
2. Run the tool on the target machine.
3. Select the storage location for the RAM image.
4. Click 'Start' to capture RAM.

FTK Imager
- Creating forensic images of various storage devices (HDD, USB, CDs, DVDs, etc.).
- Previewing forensic images without modifying them.
- Recovering deleted files.
- Extracting Windows Registry files.
- Mounting forensic images as read-only.

Steps to Capture RAM with FTK Imager
1. Launch FTK Imager from USB.
2. Click File > Capture Memory.
3. Choose the storage location for the RAM image.
4. Click 'Capture Memory' to begin.
5. A progress bar indicates the process.
6. Once finished, the RAM dump is saved as memdump.mem + pagefile.sys.

Acquiring Non-Volatile Memory (Static Acquisition)
Before acquiring a hard drive image, the suspect's hard drive must be write-protected using hardware or software tools.

Physical Acquisition (Bit-Stream Imaging)
- Creates a bit-by-bit or sector-by-sector copy of a hard drive.
- Captures: deleted files, unallocated space, metadata from the file system, and fragments of previously deleted files.
- No compression is used.
- Example: A 1TB hard drive will produce a 1TB forensic image.

Logical Acquisition
- Captures only active data (files visible to the user).
- Does not capture: deleted files, file system metadata, unallocated or hidden data.
- Requires less storage than physical acquisition.
- Example: To capture active data from a 1TB drive, only 250GB may be needed.
- Useful for large storage devices (RAID setups, cloud storage, etc.).

Chapter 1: Understanding the Digital Forensics Profession and Investigations

Digital forensics involves the use of computer science and investigative techniques to collect, analyze, and present digital evidence for legal purposes.

Key Aspects of Digital Forensics:
- Proper search authority is required before collecting digital evidence.
- The chain of custody must be maintained to ensure evidence integrity.
- Digital evidence must be validated mathematically to confirm its authenticity.
- Use of verified forensic tools ensures repeatability and accuracy.
- The investigation process includes reporting findings and presenting evidence in court.

Digital Forensics and Data Recovery
- Digital Forensics: Investigates unknown elements, often for legal purposes.
- Data Recovery: Focuses on retrieving lost or deleted data without legal concerns.
- Key Difference: In data recovery, the investigator already knows what they are looking for.

Digital Forensics and Related Disciplines
The Investigation Triad:
- Vulnerability & Risk Management – Assessing system integrity.
- Intrusion Detection & Incident Response – Detecting and responding to cyberattacks.
- Digital Investigations – Conducting forensic analysis to uncover evidence.

History of Digital Forensics Tools
- 1990s: Introduction of forensic training programs by IACIS (International Association of Computer Investigative Specialists).
- IRS developed search-warrant programs for digital evidence.
- ASR Data created Expert Witness for Macintosh.
- ILook was introduced and is still maintained by the IRS Criminal Investigation Division.
- AccessData Forensic Toolkit (FTK) became a widely used commercial tool.

Legal Frameworks
- Federal Rules of Evidence (FRE): Ensures consistency in handling digital evidence in legal proceedings.
- Fourth Amendment (U.S. Constitution): Protects individuals from unlawful search and seizure, but digital evidence may have separate legal considerations.
- Case Law: Precedents from past legal cases help determine how digital evidence is treated in court.

Understanding Case Law in Digital Forensics
- Existing laws struggle to keep up with rapid technological advancements.
- In the absence of specific laws, case law is used, where past legal cases guide decisions in new investigations.
- Forensic examiners must stay updated on recent rulings related to search and seizure in digital environments.

Preparing for Digital Investigations

Public-Sector Investigations (Law Enforcement)
- Conducted by government agencies.
- Governed by criminal laws and constitutional protections.
- Requires search warrants and compliance with the Fourth Amendment.
- Cases typically begin with a witness report or discovered evidence.
Key Roles in Public-Sector Investigations:
1. Digital Evidence First Responder (DEFR) – Secures the crime scene and preserves evidence.
2. Digital Evidence Specialist (DES) – Analyzes data and determines if specialists are needed.
3. Affidavit – A sworn statement that supports evidence collection in court.

Private-Sector Investigations (Corporate and Civil)
- Conducted by private companies, attorneys, and internal investigators.
- Focuses on policy violations, data breaches, and corporate fraud.
- Investigations typically involve:
  - Email harassment
  - Gender and age discrimination
  - Financial fraud (embezzlement, data falsification, etc.)
Key Concepts in Private-Sector Investigations:
- Acceptable Use Policy (AUP): Defines rules for using company computers and networks.
- Line of Authority: Determines who can initiate investigations and who has access to evidence.
- Warning Banners: Used by businesses to notify employees about monitoring and reduce legal risks.
- Bring Your Own Device (BYOD): If personal devices connect to corporate networks, they may be subject to company policies.

Steps in Digital Forensics Investigations
1. Make an Initial Assessment – Determine the type of case and evidence needed.
2. Develop an Investigation Plan – Create a checklist and allocate resources.
3. Obtain and Secure Evidence – Preserve and document the chain of custody.
4. Analyze Digital Evidence – Extract relevant data using forensic tools.
5. Report Findings – Present evidence in a repeatable and court-admissible format.

Handling Specific Cases in Digital Forensics

Internet Abuse Investigations
- Extract and analyze webpage URL history.
- Compare forensic findings with proxy server logs.
- Examine disk drive data for cached internet activity.

Email Abuse Investigations
- Use forensic tools to analyze email headers and metadata.
- Extract email evidence from server databases.
- Conduct keyword searches to locate suspicious emails.

Attorney-Client Privilege Investigations
- Requires strict confidentiality.
- Use bit-stream imaging to create forensic copies of evidence.
- Perform deep disk analysis using forensic tools.

Industrial Espionage Investigations
- Conduct covert surveillance to detect unauthorized data access.
- Monitor network logs and email traffic.
- Collaborate with corporate legal teams.

Interviews and Interrogations
- Interviews collect witness statements.
- Interrogations attempt to obtain confessions.
- Digital forensic investigators guide interviewers on relevant questions.

Setting Up a Digital Forensics Workstation
- Windows 10+ OS.
- Write-blocker device (prevents modification of evidence).
- Digital forensic acquisition & analysis tools.
- High-capacity storage for evidence.
- Extra USB, FireWire, and SCSI ports for device compatibility.

Conducting an Investigation
1. Gather Resources – Collect forensic tools, custody forms, and storage media.
2. Obtain and Secure Evidence – Interview IT personnel, fill out forms, and store evidence securely.
3. Create a Bit-Stream Copy – Make an exact forensic duplicate of the suspect's storage device.
4. Analyze Digital Evidence – Recover deleted files and analyze data structures.
5. Report and Document Findings – Generate a final investigation report with clear conclusions.

Analyzing Digital Evidence
- Deleted files remain on a disk until overwritten.
- Forensic tools (e.g., Autopsy) can recover lost data.
- The final report must be detailed and repeatable.

Chapter 3: Computer Forensics Lab Requirements

Introduction
Many organizations, including banks, tech companies, retailers, and utility providers, have in-house digital forensics labs to speed up investigations. Private corporations have more flexibility in procuring the latest software and hardware than police labs. A digital forensics lab is a crucial investment for any company that values data security and investigation capabilities. The size of a forensics lab depends on the budget available for setup and maintenance.

Lab Physical Facility Requirements
1. Have only one entrance to control access.
2. Avoid windows to prevent external interference or unauthorized access.
3. Be soundproof to prevent eavesdropping, using:
   - Soundproof materials on ceilings and walls.
   - Carpeted floors.
4. Have an alarm system and biometric access for security. Biometric logs should be backed up for auditing purposes.
5. Have surveillance cameras covering the entire lab, including the entrance and evidence room.
6. Store video recordings in a secure evidence storage room.
7. Include fire suppression systems for equipment protection.

[Figure: Floor plan for a large digital forensics lab]
[Figure: Small digital forensics lab]

Environment Controls
- Air cooling system – Prevents overheating of forensic workstations, especially during long evidence analysis tasks.
- Clean and well-organized environment – Maintains proper temperature and low humidity.
- Good lighting – Ensures visibility for analysts.
- Uninterruptible Power Supply (UPS) – Protects equipment from power surges and sudden outages.

Hardware Equipment

Storage and Workstations
- Storage server – Stores digital evidence securely (must not be connected to the internet).
- Forensic workstations – Specialized computers for evidence analysis.
- Portable forensic laptops – Used for evidence collection outside the lab.
- Dedicated computers for internet access (kept separate from forensic systems).
- Administrative computers – Used for log management and general lab activities.

Evidence Handling Equipment
- Hardware write blockers – Prevent accidental modification of digital evidence.
- Portable CD/DVD drives – For accessing legacy media.
- USB readers – For analyzing USB devices.
- HDD/SSD enclosures – For external storage analysis.
- SD card readers – To analyze memory cards.
- External hard drives and USB thumb drives – Used for storing forensic data.
- Tape drives – For long-term data archiving.
- Various data cables and connectors – Includes Ethernet, SATA, USB, HDMI, FireWire, SCSI, etc.
- Toolkits – Includes screwdrivers, multimeters, and flashlights for hardware handling.

Office and Electrical Equipment
- UPS for each workstation/server.
- Projector for presentations and training.
- Printer, scanner, photocopier for documentation.
- Paper shredder for secure disposal of sensitive information.
- Digital and video cameras for evidence recording.
- Wireless telephone for communication.
- Wi-Fi access point (for controlled access).
- Headsets for investigators.

Networking Devices
- Router and switches – Connect forensic workstations to the storage server.
- Separate internet network – Isolated from forensic systems to prevent contamination.
- Firewall, switch, and router – Essential for securing network access.

Forensic Workstations
- Windows OS (64-bit) is recommended for forensic workstations.
- Best Windows editions:
  - Windows 10 Pro for Workstations (recommended).
  - Windows 10 Enterprise.
- These editions support up to 6TB RAM and multiple processors, ensuring efficient forensic processing.

Commercial Ready-Made Forensic Workstations
- Tri-Tech Forensics
- Digital Intelligence
- Cellebrite
- Forensic Computers Inc.

Forensic Tools

Commercial Forensic Tools
1. EnCase
2. Belkasoft Evidence Center
3. FTK (Forensic Toolkit)
4. X-Ways Forensics
5. Oxygen Mobile Forensic

Free and Open-Source Forensic Tools
1. The Sleuth Kit – Supports both Linux and Windows.
2. Autopsy – GUI-based interface for The Sleuth Kit.
3. dd for Windows – Imaging tool for forensic copies.
4. Magnet RAM Capture – Captures RAM for forensic analysis.
5. Belkasoft Live RAM Capturer – Another RAM acquisition tool.
6. Volatility – RAM analysis tool.
7. Memoryze – Memory capture and analysis.
8. Bulk Extractor – Extracts useful data (emails, credit cards, URLs) from digital images.
9. Encrypted Disk Detector – Identifies encrypted disks.

Lab Accreditation Requirements

Steps to Accreditation
1. Self-Assessment
   - Why is accreditation needed? What are the benefits?
   - What standards should be followed (e.g., ISO 17025, ISO 17020)?
   - What scope of forensic analysis will the lab focus on (e.g., mobile, GPS, computer forensics)?
2. Assess Current Compliance
   - Evaluate lab practices and methodologies.
   - Check personnel certifications and training.
   - Compare the lab setup with accreditation standards.
3. Closing the Gap
   - Identify weaknesses and areas needing improvement.
   - Prioritize improvements in non-compliant areas.
   - Consider incremental accreditation (e.g., computer forensics in Year 1, mobile forensics in Year 2).
4. Implementation
   - Train staff to meet accreditation standards.
5. Document Compliance
   - Update policies, procedures, and performance records to meet accreditation standards.

Accreditation Benefits
- Proves the lab meets industry standards.
- Enhances credibility and trustworthiness in forensic investigations.

For the calculations, you can refer here.
For Malaysia's Computer Act 1998, you can share it in the loop / group, thanks.
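The Chapter 6 section on SIDs says the RID is the last component of the SID (500 = Administrator, 501 = Guest) and that gaps in the RID sequence suggest deleted accounts. The following is an added example, not code from the revision notes: it parses SID strings, classifies the RID, and reports missing RIDs from a constructed list of SAM users. The threshold of 1000 for the first user-created account is a standard Windows fact, not taken from the notes; the SID values and account names are constructed sample data.

```python
"""SID parsing and RID gap review (added example; sample data is constructed)."""
import re

# Well-known RIDs named in the notes
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}
# Windows allocates RIDs for user-created local accounts sequentially from 1000 (standard fact)
FIRST_USER_RID = 1000

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Return (identifier authority, sub-authority list, RID) for an 'S-1-...' string."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID string: {sid!r}")
    parts = sid.split("-")
    authority = int(parts[2])
    sub_authorities = [int(p) for p in parts[3:]]
    return authority, sub_authorities, sub_authorities[-1]


def rid_role(rid):
    """Map a RID to the role the notes describe, or flag it as a user-created account."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= FIRST_USER_RID:
        return "user-created account"
    return "other built-in principal"


def missing_rids(rids):
    """RIDs >= 1000 absent between 1000 and the highest RID seen: candidates for deleted accounts."""
    user_rids = sorted(r for r in rids if r >= FIRST_USER_RID)
    if not user_rids:
        return []
    present = set(user_rids)
    return [r for r in range(FIRST_USER_RID, user_rids[-1]) if r not in present]


# Constructed sample of what a SAM\Domains\Account\Users listing might yield (not a real system)
SAMPLE_SAM_USERS = {
    "S-1-5-21-1111-2222-3333-500": "Administrator",
    "S-1-5-21-1111-2222-3333-501": "Guest",
    "S-1-5-21-1111-2222-3333-1000": "alice",
    "S-1-5-21-1111-2222-3333-1001": "bob",
    "S-1-5-21-1111-2222-3333-1003": "carol",
}


def review_accounts(users):
    """Return ([(name, rid, role), ...], [missing RIDs]) for a SID->name mapping."""
    rows = []
    for sid, name in users.items():
        _, _, rid = parse_sid(sid)
        rows.append((name, rid, rid_role(rid)))
    gaps = missing_rids([rid for _, rid, _ in rows])
    return rows, gaps


if __name__ == "__main__":
    rows, gaps = review_accounts(SAMPLE_SAM_USERS)
    for name, rid, role in rows:
        print(f"{name:<14} RID {rid:<5} {role}")
    print("RIDs missing from the sequence (possible deleted accounts):", gaps)
```

A missing RID is only a lead: the account may have been deleted, but the gap should be confirmed against the SAM hive's key timestamps or event logs before it is reported as a finding.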
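The Chapter 6 Recycle Bin section states that each deleted file has a $R part (the content) and a $I part holding the original path, deletion date and size. As an added example that is not part of the notes, here is a small $I parser in the spirit of the $I Parse tool the notes mention. The on-disk layout used (an 8-byte version, 8-byte size, 8-byte FILETIME, then a fixed 520-byte UTF-16 path for version 1 or a 4-byte character count plus variable path for version 2) is the documented Windows format, not something stated in the notes; the record contents are constructed here so the example runs offline.

```python
"""$I record parser for Recycle Bin metadata (added example; sample records are constructed)."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Parse a $I record into its version, original size, deletion time and original path."""
    if len(data) < 24:
        raise ValueError("$I record too short")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista through 8.1: fixed 260-character (520-byte) UTF-16LE path, null padded
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        # Windows 10 and later: 4-byte character count (including the terminator), then the path
        (name_chars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + name_chars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "size": size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "path": path,
    }


def build_i_file(path, size, deleted_at, version=2):
    """Construct a $I record for demonstration (sample data, not a real artifact)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def r_file_name(i_file_name):
    """The $R file carries the same identifier as its $I file: $IXXXXXX.ext -> $RXXXXXX.ext."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_file_name[2:]


if __name__ == "__main__":
    when = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    record = build_i_file("C:\\Users\\alice\\Documents\\report.docx", 1234, when)
    parsed = parse_i_file(record)
    print(parsed)
    print("content lives in", r_file_name("$IABC123.docx"))
```

The deletion time comes out in UTC; combine it with the machine's TimeZoneInformation (see the time zone section) before placing it on a local timeline.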
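The Chapter 6 sections on time zones and network history list the TimeZoneInformation key and the WLAN-AutoConfig event IDs 11010 (connection started), 11005 (connection successful) and 8003 (disconnection). The following added example, which is not from the notes, pairs those three events into per-SSID connection sessions and converts the UTC event times to the machine's local time using the Bias value from TimeZoneInformation (Windows stores Bias in minutes with UTC = local + Bias; that convention is a standard fact, not from the notes). The event records and the time zone values are constructed samples, simplified from what the real event XML contains.

```python
"""WLAN session reconstruction with time zone correction (added example; events are constructed)."""
from datetime import datetime, timedelta, timezone

# Event IDs from Microsoft-Windows-WLAN-AutoConfig/Operational, as listed in the notes
EVT_CONNECTION_STARTED = 11010
EVT_CONNECTION_SUCCESS = 11005
EVT_DISCONNECTED = 8003

# Constructed sample records (real entries carry far more fields)
SAMPLE_EVENTS = [
    {"id": 11010, "time": "2024-03-01T04:00:00Z", "ssid": "CoffeeShop"},
    {"id": 11005, "time": "2024-03-01T04:00:03Z", "ssid": "CoffeeShop"},
    {"id": 8003, "time": "2024-03-01T05:30:00Z", "ssid": "CoffeeShop"},
    {"id": 11010, "time": "2024-03-01T06:00:00Z", "ssid": "HomeNet"},
    {"id": 11005, "time": "2024-03-01T06:00:02Z", "ssid": "HomeNet"},
    {"id": 8003, "time": "2024-03-01T06:30:00Z", "ssid": "Unknown"},  # no matching start, ignored
]

# Constructed TimeZoneInformation values: Bias -480 means UTC+8
SAMPLE_TZ = {"Bias": -480, "StandardName": "Malay Peninsula Standard Time"}


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(dt_utc, bias_minutes):
    """Apply the registry Bias: UTC = local + Bias, so local = UTC - Bias."""
    return dt_utc - timedelta(minutes=bias_minutes)


def build_sessions(events, bias_minutes):
    """Pair 11010/11005/8003 events per SSID into sessions with local start time and duration."""
    sessions, open_sessions = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t, ssid = parse_utc(ev["time"]), ev["ssid"]
        if ev["id"] == EVT_CONNECTION_STARTED:
            open_sessions[ssid] = {"ssid": ssid, "started": t, "connected": None, "disconnected": None}
        elif ev["id"] == EVT_CONNECTION_SUCCESS and ssid in open_sessions:
            open_sessions[ssid]["connected"] = t
        elif ev["id"] == EVT_DISCONNECTED and ssid in open_sessions:
            session = open_sessions.pop(ssid)
            session["disconnected"] = t
            sessions.append(session)
    # Sessions without an 8003 were still connected when the log ended
    sessions.extend(open_sessions.values())
    for s in sessions:
        s["started_local"] = to_local(s["started"], bias_minutes)
        end = s["disconnected"]
        s["duration_min"] = (end - s["started"]).total_seconds() / 60 if end else None
    return sessions


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS, SAMPLE_TZ["Bias"]):
        status = f"{s['duration_min']:.0f} min" if s["duration_min"] is not None else "still connected"
        print(f"{s['ssid']:<12} local start {s['started_local']:%Y-%m-%d %H:%M:%S}  {status}")
```

Keeping the raw timestamps in UTC and converting only for presentation avoids double-applying the offset when events from several machines with different Bias values are merged into one timeline.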
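The Chapter 7 UserAssist section says the key records, per program launched through Explorer, the execution timestamp and the number of launches. As an added example that is not from the notes, the code below decodes a constructed UserAssist\{GUID}\Count key. Two facts it relies on are standard Windows behaviour rather than statements from the notes: the value names are stored ROT13-encoded, and on Windows 7 and later each value is a 72-byte blob with the run count at offset 4 and the last-run FILETIME at offset 60. The value names and counters used here are sample data built by the code itself.

```python
"""UserAssist value decoding (added example; the sample key contents are constructed)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_value_name(name):
    """UserAssist value names are ROT13-obfuscated; decoding recovers the program path."""
    return codecs.decode(name, "rot13")


def parse_userassist_value(data):
    """Parse the Windows 7+ 72-byte UserAssist value layout."""
    if len(data) < 68:
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_sample_value(run_count, focus_count, focus_time_ms, last_run):
    """Construct a value blob in the layout above (sample data, not a real hive)."""
    buf = bytearray(72)
    struct.pack_into("<III", buf, 4, run_count, focus_count, focus_time_ms)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run) if last_run else 0)
    return bytes(buf)


# Constructed Count key. The first name is ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Notepad.exe";
# the second decodes to UEME_CTLSESSION, a bookkeeping entry rather than a program launch.
SAMPLE_COUNT_KEY = {
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\Abgrcnq.rkr": build_sample_value(
        5, 3, 42_000, datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)
    ),
    "HRZR_PGYFRFFVBA": build_sample_value(0, 0, 0, None),
}


def report(count_key):
    """Return [(decoded name, parsed fields), ...] for program entries, skipping UEME_ bookkeeping."""
    rows = []
    for encoded_name, data in count_key.items():
        name = decode_value_name(encoded_name)
        if name.startswith("UEME_"):
            continue
        rows.append((name, parse_userassist_value(data)))
    return rows


if __name__ == "__main__":
    for name, fields in report(SAMPLE_COUNT_KEY):
        print(f"{name}\n  runs={fields['run_count']} last_run={fields['last_run']}")
```

As the notes point out, programs started from a command line do not appear here, so an absent entry does not mean the program never ran; Prefetch and AmCache cover that gap.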
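The Chapter 5 section on forensic image validation says a hash (MD5, SHA-1 or SHA-256) is assigned to the evidence so the image can be shown to match the original, and the format sections note that raw and EnCase images are commonly split into segments. The following added example, not taken from the notes, computes acquisition hashes over a constructed "disk" image, splits it into segments, and shows that re-hashing the segments in order reproduces the acquisition hash while a single altered byte or a swapped segment order does not. The 1000-byte segment size is chosen for the example and is unrelated to any tool's default.

```python
"""Forensic image hashing and segment verification (added example; the image is constructed)."""
import hashlib

# The three algorithms the notes name
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(chunks, algo="sha256"):
    """Hash an image presented as an ordered sequence of byte chunks (read blocks or segment files)."""
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def acquisition_hashes(image):
    """Hashes recorded at acquisition time, one per algorithm."""
    return {algo: hash_stream([image], algo) for algo in ALGORITHMS}


def split_image(image, segment_size):
    """Split a raw image into fixed-size segments, as .001/.002 or .E01/.E02 files would be."""
    if segment_size <= 0:
        raise ValueError("segment size must be positive")
    return [image[i:i + segment_size] for i in range(0, len(image), segment_size)]


def verify_image(segments, expected_hex, algo="sha256"):
    """Re-hash the segments in order and compare to the acquisition hash."""
    return hash_stream(segments, algo) == expected_hex


# Constructed 4096-byte "disk": every sector-sized region differs, so reordering is detectable
SAMPLE_IMAGE = bytes(range(256)) * 16


def demo():
    """Return the verification outcomes for an intact, a tampered and a reordered copy."""
    expected = acquisition_hashes(SAMPLE_IMAGE)
    segments = split_image(SAMPLE_IMAGE, 1000)

    tampered = list(segments)
    tampered[1] = b"\x00" + tampered[1][1:]  # one byte changed in the second segment

    swapped = [segments[1], segments[0]] + segments[2:]  # segments restored in the wrong order

    return {
        "segments": len(segments),
        "intact": verify_image(segments, expected["sha256"]),
        "tampered": verify_image(tampered, expected["sha256"]),
        "swapped": verify_image(swapped, expected["sha256"]),
        "hashes": expected,
    }


if __name__ == "__main__":
    result = demo()
    for algo, digest in result["hashes"].items():
        print(f"{algo:>6}: {digest}")
    print(f"{result['segments']} segments; intact={result['intact']} "
          f"tampered={result['tampered']} swapped={result['swapped']}")
```

Hashing the segments as one stream is what makes a split image verifiable against the hash of the whole device; recording per-segment hashes as well lets an examiner identify which file was damaged when the overall check fails.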
