I've decided reading more than one book at a time is probably not a good idea. So, I'm going to read Guide to Computer Forensics and Investigations first. That being said, I've proceeded through chapter 2 and here are some findings.
Chapter 2: Understanding Computer Investigations
This chapter discusses the ins and outs of an investigation. I really never thought of the proper way to investigate a machine legally, but, obviously, documentation is key. The stuff I am more interested in is actually doing the investigating. Even though this book is only three years old, it shows its age in this chapter. I understand that this book is tailored to those who use Windows machines and have little forensic background. However, this chapter discusses in detail how to create a DOS-based boot floppy. Need I say more? Needless to say, I glazed over during much of this discussion, as I have found much more useful tools, none of which are restricted to 1.44 MB floppies. Knoppix, as stated in an earlier post, is the primary tool I use. Other bootable operating systems I've used are Bart's PE (http://www.nu2.nu/pebuilder/), Ophcrack (http://ophcrack.sourceforge.net/), and last but definitely not least the BCCD (http://www.bccd.net/).
Bart's PE is a Windows XP bootable environment. There are quite a few optional plugins to enhance what is already available. One of which will reset the administrative password on Windows XP machines. This has helped me a few times in the past after dropping a machine out of Active Directory. I have had some difficulties trying to create a fully bloated Bart's disk that includes all the plugins. Yet, you can usually find prebuilt ISOs with the plugins already installed.
Ophcrack is simply a bootable password cracker. That is, if you don't want to use a Bart's disk to change the password. Ophcrack uses rainbow tables that are preloaded, but there is an option to add additional tables from removable media if available. I've always wanted to try the 80 GB worth of hashes from Project RainbowCrack (http://project-rainbowcrack.com/table.htm), but never found the time.
DriveSpy is the bootable environment on a floppy that is discussed in this chapter. Upon doing some further investigation, there is nothing that DriveSpy can do that Knoppix cannot. For instance, you can tailor DriveSpy to keep a log of all the commands you run while looking at evidence on the command line. Enter .bash_history in Knoppix. However, the chapter does mention the ability to look through unallocated and slack space on a disk. Add that to the To Do list, because I'm not exactly sure how to look through slack space on a disk. Maybe I'm making that sound more difficult than it really is.
A great piece of information discussed in this chapter was about finding deleted files on a Windows machine. The FAT32 file system uses the lowercase sigma character to signify that a file has been deleted. So, when perusing the file allocation tables, file names that begin with a sigma have been deleted. Very cool! I am guessing this is how my Undelete freeware application works. I found a little more information on the subject from InformIT here: http://www.informit.com/articles/article.aspx?p=339066. This reading piqued my interest in how other file systems do trash cleanup.
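The deleted-file marker described above, as an added example that is not from the book or this post: a small Python parser that walks a raw FAT32 directory region and flags entries whose first name byte is 0xE5, the value that code page 437 renders as the lowercase sigma. The directory bytes are constructed sample data, not taken from a real disk.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5      # first name byte of a deleted entry; shows as σ in code page 437
END_OF_DIR = 0x00        # first byte 0x00 means no further entries in this directory
ATTR_LFN = 0x0F          # long-file-name entry; carries no 8.3 name, so skip it
ATTR_DIRECTORY = 0x10


def make_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Build a 32-byte FAT32 short directory entry (constructed sample data)."""
    raw = bytearray(name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii"))
    raw += bytes([attr]) + bytes(8)                          # attr + reserved/time fields 12-19
    raw += struct.pack("<H", first_cluster >> 16) + bytes(4)  # cluster high + write time/date
    raw += struct.pack("<H", first_cluster & 0xFFFF) + struct.pack("<I", size)
    if deleted:
        raw[0] = DELETED_MARK  # the OS overwrites only the first name byte on delete
    return bytes(raw)


def parse_directory(region):
    """Walk a raw FAT32 directory region and list live and deleted short entries."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = region[off:off + ENTRY_SIZE]
        first = e[0]
        if first == END_OF_DIR:
            break
        attr = e[11]
        if attr == ATTR_LFN:
            continue
        deleted = first == DELETED_MARK
        # The original first character is gone for deleted entries, so show it as "?"
        name = ("?" if deleted else chr(first)) + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        cluster = (struct.unpack("<H", e[20:22])[0] << 16) | struct.unpack("<H", e[26:28])[0]
        size = struct.unpack("<I", e[28:32])[0]
        entries.append({"name": name + ("." + ext if ext else ""), "deleted": deleted,
                        "directory": bool(attr & ATTR_DIRECTORY),
                        "first_cluster": cluster, "size": size})
    return entries


# Constructed sample directory: a live file, a deleted file, a live subdirectory, end mark
SAMPLE_DIR = (make_entry("NOTES", "TXT", 0x20, 5, 1234)
              + make_entry("SECRET", "DOC", 0x20, 9, 4096, deleted=True)
              + make_entry("EVIDENCE", "", 0x10, 12, 0)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        print(entry)
```

The first cluster and size of a deleted entry survive, which is what an undelete tool uses to find the data as long as those clusters have not been reused.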
While this chapter wasn't exactly enthralling, it did touch on a couple items that I would like to investigate further. Hopefully, I'll find some time over the weekend to do this. So, I've discussed one item on my To Do list to research for this class, here are a few more items:
- Unallocated and Slack Space Research
- How do other file systems denote deleted files (HFS+, Ext's, NTFS)
- Also, getting an exact copy of a drive or "piece of evidence," as the book would call it. What I'm interested in is creating an ISO of an HFS+ Mac OS X drive, then stepping into the drive backup. I have the perfect situation ready at home. I recently purchased a new hard drive for my MacBook and didn't wipe the contents off of the old disk. Sounds like a date with Netcat and dd is in order for this weekend!