Using OnScene Investigator


OnScene Investigator CD from Forensics Matter
OnScene Investigator (OSI) is built for first responders to a scene or for anyone who needs to quickly review or copy information on a suspect computer. OnScene Investigator requires the boot CD, the OnScene Investigator client and a crossover cable.
Key functions of OnScene Investigator

  1. Viewing the contents of the internet cache in thumbnail view
  2. Copying the suspect’s index.dat for review in X-Ways Trace or Digital Detective
  3. Copying the suspect’s mail file for review in email investigation software such as Paraben’s Email Examiner
  4. Searching for keywords on a suspect computer before proceeding to imaging

 

Using OnScene Investigator

Step 1 Boot the suspect computer from the OnScene Investigator CD. Wait until the suspect computer shows the following screen, then select Start OnScene Investigator Boot CD.

Tip: If the OnScene Boot CD fails to detect the installed network card, you can use a USB-LAN USB 2.0 to 10/100 Ethernet Adapter. To use a USB-LAN, reboot the CD and select “Start OnScene Investigator Boot CD (USBLAN only)”.

Once the OnScene Boot CD has finished booting, it will show this screen.


Step 2 Connect a crossover cable between the suspect computer and the investigator’s laptop or computer.



Step 3 On the investigator’s computer, use the IP Changer to set the IP.

Step 4 Start OnScene Investigator.

OnScene Investigator opens.

Step 5 Once the Suspect Status shows “Suspect Available”, click the Connect button. This will connect to the suspect computer.


Step 6 Once connected, the OnScene Investigator client will show all detected partitions on the suspect computer. All partitions are mounted in “Read Only” mode. You can browse the contents of the hard drive by selecting the partition in the Suspect Drives window.

OnScene Investigator Functions

Search: The OnScene Investigator search function.
All or part of the file name - you can search for the keyword in the name of the file. From the ‘Look In:’ section you can select which partition to search.
A word or phrase in the file - you can search for the keyword in the contents of the file. From the

Email Search Button - you can search for known mail files.
The following is a list of the mail files currently detected.
PST - Outlook - Personal Storage Table
OST - Outlook - Offline Storage Table
DBX - DBX - (Outlook Express 5, 6)
IDX - AOL - Temporary Internet Mail File
MBX - Eudora and others - Mailbox Message File
EML - Outlook Express and other - Electronic Mail
MSG - Outlook and others - Exchange Mail Message
NSF - Lotus Notes File
NS4 - Notes Database (Older Form)
NS3 - Notes Database (Older Form)
NS2 - Notes Database (Older Form)
WAB - Outlook Address Book
MSF - EarthLink E-mail Message File
EDB - Exchange Data Base
 
History Search – searches for
history.dat - Mozilla Internet History
index.dat - Internet Explorer History
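
An added example, not part of OnScene Investigator or of the original page: a Python version of the same kind of triage search, run over a partition mounted read-only at a given path, using the mail extensions and history file names listed above. Matching by extension and file name is an assumption about how such a search works, the `!BDN` header check for PST/OST files is an addition, and `find_artifacts` and `demo` are hypothetical names.

```python
import os
import tempfile

MAIL_TYPES = {  # extension -> description, from the mail-file list on this page
    "pst": "Outlook - Personal Storage Table",
    "ost": "Outlook - Offline Storage Table",
    "dbx": "Outlook Express 5, 6",
    "idx": "AOL - Temporary Internet Mail File",
    "mbx": "Eudora and others - Mailbox Message File",
    "eml": "Outlook Express and other - Electronic Mail",
    "msg": "Outlook and others - Exchange Mail Message",
    "nsf": "Lotus Notes File", "wab": "Outlook Address Book",
    "ns4": "Notes Database (Older Form)", "ns3": "Notes Database (Older Form)",
    "ns2": "Notes Database (Older Form)", "edb": "Exchange Data Base",
    "msf": "EarthLink E-mail Message File",
}
HISTORY_NAMES = {"history.dat": "Mozilla Internet History",
                 "index.dat": "Internet Explorer History"}
PST_MAGIC = b"!BDN"  # first four bytes of a PST/OST file (check added here)

def find_artifacts(root):
    """Return sorted (relative path, kind, note) for mail and history files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            ext = lower.rpartition(".")[2] if "." in lower else ""
            note = HISTORY_NAMES.get(lower) or MAIL_TYPES.get(ext)
            if note is None:
                continue
            kind = "history" if lower in HISTORY_NAMES else "mail"
            if kind == "mail" and ext in ("pst", "ost"):
                with open(path, "rb") as fh:  # opened for reading only
                    if fh.read(4) != PST_MAGIC:
                        note += " (header mismatch)"  # extension alone can mislead
            hits.append((os.path.relpath(path, root), kind, note))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree (not real evidence)."""
    samples = {"Users/a/Mail/archive.PST": b"!BDN" + bytes(8),
               "Users/a/renamed.pst": b"plain text", "Users/a/inbox.eml": b"From: x",
               "Users/a/History/index.dat": b"", "Users/a/notes.txt": b"hi"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return find_artifacts(root)
```

Extensions such as IDX, MSF and EDB are also used by unrelated software, so hits on them need manual review before being treated as mail stores.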
Working and copying search results
Search results are viewed in the Search results tab. Clicking on any item in the Search results tab will preview the file in the preview window below.

Copying search results can be done by selecting the check box, then right-clicking and selecting Copy selected files to investigator.

Special Thanks
Thanks to all the people who helped with Onscene Investigator as an idea and program.
Russell Jeffery - for all the graphics and icons.  Russell is a brilliant graphic designer - check out his website.
www.emigraph.com
Nigel (The Gun) Carson - for advice & testing

Peter Mercer
Peter.Mercer@npss.com.au

Director
Copyright 2007 www.forensicsmatter.com All Rights Reserved.