What You Need for This Project
- A Windows machine, real or virtual. I did it on the Mac in a VMware Fusion virtual machine running 32-bit Windows 7 Pro.
- Your Windows machine needs to have either Microsoft Word or Open Office installed. If you don't have it, get Open Office here:
Downloading ProDiscover Basic Edition
In your Windows machine, open a Web browser and go to the ProDiscover download page. At the bottom of the page, click the 'Download ProDiscover Basic Edition (Version 8.2.0.5)' link. It's a free product and 73 MB in size. I used the 32-bit version, but you can try the 64-bit version if you like.
Installing ProDiscover
On your Windows desktop, right-click the ProDiscoverRelease8205Basic.zip file and click 'Extract All...', Extract.
Right-click the ProDiscoverRelease8205Basic.exe file and click 'Run as Administrator'.
Click through the installer as usual to install the software.
Downloading a Sample Disk Image
In your Windows machine, in a Web browser, download this file:
This is an image of a 10 MB hard disk partition which contains several active files and several deleted files. The file is 418 KB in size.
Save the file on your desktop.
On your Windows desktop, right-click the p15.zip file and click 'Extract All...', Extract.
Starting ProDiscover Basic
On your desktop, double-click the 'ProDiscover Basic' icon.
In the 'Launch Dialog' box, enter a 'Project Number' of 15 and a 'Project File Name' of 15-YOURNAME, replacing 'YOURNAME' with your own name, as shown below:
Click Open.
This creates a Project, but so far the Project has no evidence in it.
Adding an Image File
From the ProDiscover menu bar, click Action, Add, 'Image File...', as shown below. (This refers to a forensic hard disk image, not a visible image like JPG or GIF.)
Navigate to your desktop, double-click the p15 folder, and double-click the p15.dd file.
Viewing the Hard Drive Image in Content View
In the left pane of ProDiscover, in the 'Content View' section, click the plus sign to expand Images.
Expand C:\Users\student\Desktop\p15\p15.dd
Double-click C:
The contents of C: are displayed, as shown below.
Notice these items:
- In the left pane, a tree-structured list of the contents of C: appears.
- $Extend and 'System Volume Information' contain NTFS file system data, which would be tedious to analyze. Most of the time you don't have to bother to analyze it--that's what ProDiscover does for you.
- $RECYCLE.BIN contains files in the Recycle Bin, as you might guess.
- 'Deleted Files' contains files that were deleted, but are still recoverable by ProDiscover. As you will see, ProDiscover can't recover all of them.
- The upper right pane shows all the files in the root of C:. Notice that there are three files at the bottom with file extensions--these are the active files (not deleted).
Viewing a DOCX File
In the upper right pane of ProDiscover, click bill-of-rights.
The lower right pane displays the file contents in ASCII, as shown below. Since this is a .docx file, the contents are not easy to read in this form.
In the upper right pane of ProDiscover, double-click bill-of-rights.
If you have Microsoft Word or Open Office installed, the file will open in the appropriate application and become readable, as shown below.
If you don't have it, get Open Office here:
Saving a Screen Image
Make sure your screen shows these two items:
- YOUR NAME in the title bar of ProDiscover
- Amendment I followed by readable text in Microsoft Word or Open Office Writer
Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!
Open Paint and paste in the image.
Save the image with the filename 'Your Name Proj 15a'. Use your real name, not the literal text 'Your Name'.
Viewing JPG files
In the upper right pane of ProDiscover, double-click images. A visible photo of a kitten appears in 'Windows Photo Viewer' or some other image viewer.
Notice the ASCII view in the lower right pane of ProDiscover. This shows the image bytes. JPEG images begin with a header including the ASCII text 'JFIF', as shown below.
Double-click the puppy file and examine it in Photo Viewer and in ASCII view.
Using Gallery View
In the upper right pane of ProDiscover, right-click the puppy file and click 'Gallery View'. This is similar to the way Windows Explorer displays folder contents.
Scroll down to see the thumbnail images of the two JPG files, as shown below.
Viewing Deleted Files
In the left pane of ProDiscover, click 'Deleted Files'. Two files appear in the upper right pane, as shown below.
Double-click the gun image. It opens in Photo Viewer. As you can see, ProDiscover was able to completely recover this file, including the file name.
Double-click the hackers-manifesto.docx file.
It opens in your DOCX viewer, as shown below.
Viewing All Files
In the left pane of ProDiscover, click 'All Files'.
A box pops up saying 'CAUTION:...that may take some time to complete...'. Click Yes.
This is probably the friendliest view in ProDiscover. Both active and recovered files are shown as convenient icons, as shown below.
Viewing the Physical Drive in Cluster View
Most of the time, you can find what you need using Content View. However, if you want to get right down to the raw bytes on the disk, you can use Cluster View.
In the left pane of ProDiscover, in the 'Cluster View' section, click the plus sign to expand Images.
Double-click C:\Users\student\Desktop\p15\p15.dd
In the top right pane, the physical drive is shown in 'Cluster View'--a grid of colored rectangles, as shown below.
Click the first red rectangle, cluster 0. In the lower right pane, notice that it starts at address 0, as shown below.
On your keyboard, press the right-arrow key to move to the next cluster, cluster 1.
Cluster 1 starts at address 200, as shown below.
Move right through the next few clusters to see the pattern. Each cluster is 200 bytes in size. The 200 is in hexadecimal, so it's 512 bytes in decimal. These so-called 'Clusters' are actually Sectors, because at the direct physical level we are using, the disk has no concept of 'Clusters'.
Click the first red rectangle again to select Cluster 0. This is the first cluster on the disk--the Master Boot Record.
In the lower right pane, scroll down to find the characteristic readable text always seen in the MBR: 'Error loading operating system', as shown below.
Saving a Screen Image
Make sure your screen shows these two items:
- YOUR NAME in the title bar of ProDiscover
- 'Error loading operating system' in the lower right pane.
Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!
Open Paint and paste in the image.
Save the image with the filename 'Your Name Proj 15b'. Use your real name, not the literal text 'Your Name'.
Viewing the Logical Drive in Cluster View
In the left pane of ProDiscover, in the 'Cluster View' section, click C:.
In the top right pane, click the first rectangle to select Cluster 0. Look at the lower right pane--this cluster starts at address zero, as shown below.
Notice that this address is relative to the start of the C: partition, so it is not the same as the physical sector 0 that contains the Master Boot Record.
Notice the colors: the green clusters are 'Used'--that is, they contain active data. The blue clusters are 'Unused' and may contain latent data.
On your keyboard, press the right-arrow key to move to the next cluster, cluster 1.
Cluster 1 starts at address 1000, as shown below.
Move to the right a few more times to see the pattern: the clusters are all 1000 bytes in size now. The 1000 is in hexadecimal, so that's 4 KB, the usual cluster size for an NTFS partition.
Click the first red rectangle again to select Cluster 0. This is the first cluster on the partition--the Partition Boot Sector.
In the lower right pane, in the top row, find the characters NTFS, as shown below. This, obviously, indicates that the partition is formatted with the NTFS file system.
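The two Cluster View walkthroughs above, as an added Python example that is not part of the original project: it builds a small constructed disk image in memory, reads the partition table from the MBR in sector 0, then reads the boot sector at the start of the partition, which shows why partition-relative address 0 is not physical sector 0. The partition start (LBA 128), the position of the MBR message and all function names are assumptions made for the example, not values taken from p15.dd.

```python
import struct

SECTOR = 0x200  # 512 bytes: the "cluster" size seen in the physical view

def build_sample_image():
    """Constructed sample: an MBR plus one NTFS-style boot sector at LBA 128."""
    mbr = bytearray(SECTOR)
    msg = b"Error loading operating system"
    mbr[0x100:0x100 + len(msg)] = msg  # message position is arbitrary here
    # Entry 0: status, CHS start, type 0x07 (NTFS), CHS end, start LBA, sector count
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 128, 20480)
    mbr[510:512] = b"\x55\xaa"
    pbs = bytearray(SECTOR)
    pbs[0:3] = b"\xeb\x52\x90"                # jump instruction
    pbs[3:11] = b"NTFS    "                   # OEM ID, the text seen in the top row
    struct.pack_into("<HB", pbs, 11, 512, 8)  # bytes per sector, sectors per cluster
    pbs[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * 127) + bytes(pbs)

def parse_mbr(image):
    """Return the non-empty entries of the partition table in physical sector 0."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        _, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype != 0:
            parts.append({"type": ptype, "start_lba": lba, "sectors": count})
    return parts

def parse_boot_sector(image, start_lba):
    """Read the partition boot sector: OEM ID and cluster size."""
    off = start_lba * SECTOR  # physical offset of partition-relative address 0
    pbs = image[off:off + SECTOR]
    if len(pbs) < SECTOR:
        raise ValueError("partition start lies beyond the end of the image")
    bps, spc = struct.unpack_from("<HB", pbs, 11)
    return {"oem_id": pbs[3:11].decode("ascii", "replace").strip(),
            "offset": off, "cluster_size": bps * spc}

if __name__ == "__main__":
    img = build_sample_image()
    for p in parse_mbr(img):
        info = parse_boot_sector(img, p["start_lba"])
        print(f"type 0x{p['type']:02x} at physical offset 0x{info['offset']:x}: "
              f"{info['oem_id']}, cluster size 0x{info['cluster_size']:x}")
```
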
Saving a Screen Image
Make sure your screen shows these two items:
- YOUR NAME in the title bar of ProDiscover
- 'NTFS' in the lower right pane.
Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!
Open Paint and paste in the image.
Save the image with the filename 'Your Name Proj 15c'. Use your real name, not the literal text 'Your Name'.
Turning in your Project
Email the images to [email protected] with the subject line: Proj 15 from YOUR NAME
Sources
http://www.ntfs.com/ntfs-system-files.htm
Last Modified: 4-7-14 1:16 PM