This course contains optional, ungraded activities that provide opportunities to work with and become familiar with forensic tools and activities. To complete these, you will need some basic supplies and to download programs and files. There is no charge for any of these downloads.
Supplies
USB Drive
For some activities, you will need a USB drive with at least three files of any format on it. You can use any size drive, but using one that is one GB or less will keep the imaging process from being too long. To make this activity realistic, do not use a brand new drive. Instead use one that you have loaded and deleted files from over time.
Blank CD
If your machine has a CD drive, you may want to burn a CD Helix2009R1.
Downloads
Many activities require using forensic software. Some require data files that you will analyze with the software. All are available for free.
This table lists all of these downloads and the units where they are used. Links and instructions are also included in the activities for each unit.
Unless otherwise noted, these downloads are all for Windows.
| Download | URL | Description | Units |
|---|---|---|---|
| FTK Imager lite | http://accessdata.com/product-download | Hard drive imaging software | 1,7 |
| HashCalc | www.slavasoft.com/hashcalc/ | Hash calculator | 1 |
| SIFT Workstation 3 | https://digital-forensics.sans.org/community/downloads | A virtual Linux machine for Windows that includes an incident response and forensic tool suite | 2,3,4,5 |
| Linux Financial Case.001 | Download from edX |
A file with data for analysis. After downloading and extracting the zip file, generate and confirm it’s hash value.
|
3 |
| Autopsy | https://www.sleuthkit.org/autopsy/download.php | A digital forensics platform and graphical interface to The Sleuth Kit | 4,7 |
| Volatility (Also available for Mac) | http://www.volatilityfoundation.org/releases | Memory analysis tool | 5 |
| Malware Analyst’s Cookbook DVD | https://www.sendspace.com/pro/dl/p87m18 | Disk Image file | 5 |
| Helix2009R1 |
http://e-fense.com/products.php Click "Helix 3" at the end of the sentence of "If you are looking for the free, original Helix (2009R1) you need Helix 3". |
Disk Image file | 5 |
| AccessData’s Registry Viewer | http://accessdata.com/product-download/registry-viewer-1.8.1.3 | Allows viewing of Windows registry files | 6 |
| Hive files SAM, SYSTEM and Mark-NTUSER.DAT | Download from edX | Data files for analysis | 6 |
| WinLabEnCase.E01 | Download from edX | Data files for analysis | 7 |
| Invisible Secrets | http://www.invisiblesecrets.com/ver2/index.html | Cryptographic tool | 8 |
| OpenSteg | https://www.openstego.com/ | Data hiding and watermarking tool | 8 |