Coding Analysis Toolkit Instructions
Introduction
The Coding Analysis Toolkit (CAT) is a free qualitative data analysis software that exists entirely online. For researchers with textual data, CAT allows for the categorizing and patternization of large-scale data amounts into quantitative amounts. Graham R. Gibbs and Celia Taylor in their article How and What to Code describe coding as, “the process of combing the data for themes, ideas and categories and then marking similar passages of text with a code label so that they can easily be retrieved at a later stage for further comparison and analysis.”
NOTE: For an overview of the Coding process refer to How and What to Code a resource designed to explain the practice.
Reference: Gibbs, G. R., & Taylor, C. (2005, June 30). How and What to Code. Retrieved March 12, 2020, from http://onlineqda.hud.ac.uk/Intro_QDA/how_what_to_.
Step 1: How to Make a Primary Account
Launch your Browser (CAT is optimized for Safari, Google Chrome, Internet Explorer, and Mozilla Firefox)
Search for the Coding Analysis Toolkit through your preferred search engine (Google) and find the link titled CAT Homepage: http://cat.texifter.com/app/main.aspx
NOTE: The original CAT website has moved! It is no longer the top option in Google searches; if you land on the old site, use the hyperlink within that page to redirect to the correct website.
Once you have reached the CAT Homepage (pictured below), look to the top right corner of the page for the USERNAME and PASSWORD login boxes. To the left of the USERNAME text box, select the link Register for a free account (see red arrow).
Clicking the Register for a free account link will take you to the New User Registration page (pictured below), which lists the fields needed to establish a Primary account.
NOTE: Primary accounts serve as project leaders during analysis. As such, they have additional admin responsibilities, such as:
Locking and unlocking datasets
Managing sub-account permissions
After completing the necessary text boxes and clicking Register (see red arrow), you will be taken to the Thank You screen.
Step 2: How to Login
When you plan to revisit the site after creating your account, just type in your created username and password in the upper right hand corner of the main homepage (see blue boxes).
NOTE: The login process is the same for both primary and sub accounts.
Step 3: How to Add Sub Accounts
Making a sub-account allows a primary account holder to invite collaborators into their current coding process. If you are working in a group it is important to have the different group members decide on a primary account holder (whose responsibilities are detailed within the “How to Make a Primary Account” Section), and have the remaining group members utilize this process afterwards.
*These directions are for primary account holders.
Log in to CAT and access the Main Menu. Select the Account tab along the page’s header (see red box). Within the dropdown menu under Account, select Manage Sub Accounts (see blue arrow); it will take you to the Manage Sub Accounts page.
Within the Manage Sub Accounts page (pictured below) select the blue text: Add New Sub-Account. It will redirect you to the Add Sub Account page.
The Add Sub Account Page (pictured below) operates similarly to the New User Registration page.
Place the requested information into each text box. NOTE: Only sections marked with a red asterisk (*) must be completed. The additional fields are optional depending on one’s preference of detail.
When making sub-accounts it is important to make the distinction between expert and regular accounts. To change sub-account status, use the drop-down menu titled Account Type (see red arrow).
Expert Accounts have permission to access, upload, and lock datasets. This option allows the sub-account holder to contribute directly to the research process beyond coding. Choose expert account for sub-accounts of collaborators. Regular Accounts can only access datasets when granted permission from the primary account holder. These accounts are best for coders who are not collaborators.
When all required fields and any additional fields have been completed, select the Create Account button at the bottom of the page (see blue box).
A CAT registration email will be sent to the email address listed within the Sub-Account page. After this email is confirmed these sub-account usernames will appear within your list of Available Coders.
Step 4: Creating Data Files and Codes
Uploading Data Files and Codes is the basis of CAT. Uploading your content (Data File), and the codes by which you will analyze them, occurs within the same page. It is important to remember the difference between the two:
Data Files: These are the sections of text that you want to analyze. Some common data files include: interview transcriptions, writing samples, and any other body of text that you would like to assess.
To design a data file that can be uploaded into CAT you must organize your text into standard paragraphs without formatting. See image below for example. NOTE: Highlighting your text and selecting the option “Clear Formatting” does this automatically. After clearing the formatting of your data file you can save the file as a plaintext document (txt). This ensures that it will be clear of formatting and readable by CAT.
Codes: Codes are the options by which you are organizing your data file (text). Codes are broken into three main parts: Codes; Definitions; Keystrokes.
Codes are the actual options that you will choose from when undergoing the process. These will appear as the different buttons on the screen during the coding process.
Definitions are the meaning that you attach to each code. For example, the code FUNNY JOKE might have the definition: something that is humorous.
Keystrokes are the corresponding keys on your keyboard that you can press to choose each code. NOTE: You need not use keystrokes. We recommend simply clicking the code buttons with your cursor.
Similarly to the data file, save this document, without formatting, to your desktop as a plaintext (txt) document. An example of a plaintext file of codes is color coded below.
Step 5: Uploading Datasets and Codes
Once you have created and saved plaintext (txt) files of both your Codes and Dataset onto your desktop you can upload them to CAT.
From the homepage (pictured below), navigate to the header item called “Datasets.” Within the Dataset dropdown select “Upload Raw Dataset” (see red box); this will navigate you to the Upload Raw Dataset screen. NOTE: Your datasets will exist, but be considered RAW until they are locked. When in doubt, check Raw Datasets to find any that you are working on; chances are that if they aren’t locked, they are there.
Once on the Upload Raw Dataset screen (pictured below) be sure to title your dataset.
To upload your text and codes use the attach file buttons (see red box). The top box works for your data file (text) and the bottom box is for your created codes. Select “Standard” for the Data Format Style: dropdown menu.
The three checkboxes (Disable Verification for User-Defined and Multiple Coding, Allow User-Defined Codes, Allow Coder to Select Multiple Codes) are optional. If your codes are not a binary choice (i.e. YES/NO), we highly recommend selecting “Allow Coder to Select Multiple Codes.”
After you have added your data file and codes to the corresponding areas, selected the Standard Data Format Style, and chosen your additional options, press the Upload button (see blue box).
After selecting Upload you will be taken to the Add/Edit Raw Dataset Codes page. With our method, you have already added all needed components of both your data file and codes.
If you want to add additional codes, fill in the text boxes and dropdown menu next to New Code and select the add code button. These follow the same format as the creation of codes on a plaintext (txt).
See attached image for the corresponding components of a code (Codes; Definitions; Keystrokes) When you have checked your codes, select the Finished button (see blue box).
The Finished button will transport you to the View Raw Dataset page. You are now ready to select coders and begin the coding process!
Step 6: Assigning Coders
Coders are any accounts that are either primary or sub-accounts you have added. These usernames will automatically appear within the Available Coders box.
Select the coder you wish to add with your mouse. After this person’s name highlights blue (see picture below) click the add button (see red box). NOTE: To add all Coders select the Add All option.
To remove coders select their username and the remove button (see blue box). Once you have selected your coders select the Set Chosen Coders button (see purple box).
This will modify the screen with a red text above the View Raw Dataset page title saying “Permissions Set.” After assigning coders use the header to select Code Datasets from the Dataset dropdown menu.
Step 7: Coding Datasets
Selecting the Code Datasets option from the Dataset dropdown will redirect you to the Code Datasets (pictured below) page.
This page is divided into three categories within a chart: Dataset Name, # Complete, and Total Paragraphs.
Dataset Name: This is what you titled your dataset. Click the blue name to access and begin coding (see red arrow).
# Complete: Indicates how many paragraphs of your data file you have coded. This should be zero to begin.
Total Paragraphs: This is how many paragraphs are in your data file. Each paragraph is coded individually. In our example, each coder will code 18 passages.
Selecting the Dataset name will take you to the Coding Page (pictured below). This page has a paragraph from the data file, your codes represented in buttons, and (if you have selected the Allow Coder to Select Multiple Codes option during the Upload Raw Dataset phase) the Code Item button.
Read the paragraph and select the corresponding code buttons that relate to it. If you have allowed for multiple codes you must select the Code Item button to advance to the validation screen (see red button). NOTE: You must select the Code Item button to record your choice; the Next button moves you to another paragraph without recording your code selections.
If you have Allow Coder to Select Multiple Codes option activated, you will be transported to a Verify Choices page. Verification ensures that your choices are accurate. Select Verify Choices at the top of the page to continue on to the next paragraph.
NOTE: If you have not selected the Allow Coder to Select Multiple Codes option, you will skip this page and move on to the next paragraph immediately after a code selection. After you have coded all paragraphs in your data file, select Click here on the following page. This will notify the project manager (primary account holder) that this coder has completed the dataset. After selecting Click here you will be returned to the Code Datasets page with red text reading Notification Sent (pictured below).
From the View Raw Dataset page all datasets that are considered raw will appear. Select the dataset you have just completed by clicking its name (written in blue).
This will transport you to the corresponding page related to that dataset (pictured below). Select the Lock Dataset? Option (see red box). Select the Lock it and Archive it option on the following page. You are now ready to begin validating.
Step 8: How to Validate Datasets
Validating datasets allows coders to ensure that the chosen codes they have made are accurate. This process allows validators to select if a chosen code is valid or not valid in response to a specific paragraph. This process ensures accuracy in your final data. NOTE: Datasets must be locked to access validation.
From the homepage, select Validate Datasets from the Validation drop-down menu along the header. This will transport you to the Adjudication – Validate Dataset page. Within the Adjudication – Validate Dataset page, select your dataset from the Dataset: menu (see red box). Select all codes you wish to validate on the following screen (this is the same process as adding coders discussed earlier) and select Continue. On the validation pages select either Valid or Not Valid as you advance through the paragraphs (see red box). When you have completed validating the dataset you can look at reports of your data.
Step 9: How to Access Data Reports
Data reports are the reason you complete the process. They allow you to sort through your qualitative data, create charts, and analyze the information. This process will show you a basic formulation of data in a viewable format. NOTE: Datasets must be locked to access Data Reports.
From the menu header select the Dataset Reports from the Reports menu (see red box). This will take you to the Dataset Report page.
On the Dataset Report page (pictured below) select the blue name of your dataset.
On the following page (pictured below) select the preferred options from the list of checkboxes (see red box).
Select the coders and codes you wish to include in the report by selecting and adding them as done before.
When you have made your choices, select Generate Report (see blue box) to visualize your findings! Congratulations you have used CAT.
Necessary analysis toolkit for each trader
Evaluator is an open source quantitative risk analysis toolkit. Based on the OpenFAIR taxonomy and risk assessment standard, Evaluator empowers an organization to perform a quantifiable, repeatable, and data-driven risk review. Install Evaluator via the standard CRAN mechanisms. To run the default, but optional, report functions, use the dependencies = TRUE flag to pull in the additional packages needed for reporting.
CORAS Risk Assessment Platform
Platform for risk analysis of security critical IT systems using UML, based on the CORAS model-based risk assessment methodology. Contains an XML and UML repository, facilitating management and reuse of analysis results.
An API/application to assist with running and managing an Information Security Management System
Machinery System Risk Assessment Framework
Risk Management Framework
This project is one of my dreams. It is a total solution for risk management in banks: phase one market risk, phase two credit risk, phase three operational risk. This is a huge project that I can’t handle alone, so I’d like others to join me. Please leave your feedback.
LARS (Lightning Assessment of Risk for a Structure). LARS is a simple tool for the lightning assessment of risk for a structure, according to standard IEC 62305-2, first edition.
Risk Quantify Financial Engine
Risk Quantify aims to provide a comprehensive framework for the trading, risk analysis and back office management of financial derivatives. Initially the system will support FX, Interest Rate and Equity-based products.
coinai – Seed applications based on AI for digital currency quantitative analysis, medium-term forecast and asset allocation for the secondary market of the BANCA community
coinai is a set of seed applications based on AI for digital currency quantitative analysis, medium-term forecast, and asset allocation for the secondary market of the BANCA community. Clients can use CoinAI to conduct in-depth analysis of digital tokens and compare the investment value and risk of different currencies. They can also obtain the prediction for the future trend of tokens based on artificial intelligence and big data smart beta market timing models. According to your own risk assessment, you are one click away from building the optimum portfolio.
Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8, Fourth Edition
In this excerpt of Windows Forensic Analysis Toolkit, author Harlan Carvey discusses what Volume Shadow Copies are and how they affect forensic analysis in Windows 8.
The following is an excerpt from the book Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8, Fourth Edition, written by author Harlan Carvey and published by Syngress. This section from chapter three outlines what Volume Shadow Copies are and how the technology can be used to further an investigation.
VSCs are one of the new, ominous sounding aspects of the Windows operating systems (specifically, Windows XP, in a limited manner, and more so with Vista and Windows 7) that can significantly impact an analyst’s examination. VSCs are significant and interesting as a source of artifacts, enough to require their own chapter.
With the release of Windows XP, Microsoft introduced the Volume Shadow Copy Service to provide functionality for backing up critical system files in order to assist with system recovery. With Windows XP, users and administrators saw this functionality as System Restore Points which were created automatically under various conditions (every 24 hours, when a driver was installed, etc.) and could also be created manually, as illustrated in Figure 3.1.
As illustrated in Figure 3.1, users can not only create Restore Points, but they can also restore the computer to an earlier time. This proved to be useful functionality, particularly when a user installed something (application, driver, etc.) that failed to work properly, or the system became infected with malware of some kind. Users could revert the core functionality of their systems to a previous state through the System Restore functionality, effectively recovering it to a previous state. However, System Restore Points do not back up everything on a system; for example, user data files are not backed up (and are therefore not restored, either), and all of the data in the SAM hive of the Registry is not backed up, as you wouldn’t want users to restore their system to a previous point in time and then be unable to access it because a previous password had been restored. So, while System Restore Points did prove useful when a user needed to recover their system to a previous state, they did little to back up user data and provide access to previous copies of other files. From a forensic analysis perspective, a great deal of historical data could be retrieved from System Restore Points, including backed up system files and Registry hives. Analysts still need to understand how backed up files could be “mapped” to their original file names, but the fact that the files are backed up is valuable in itself.
Figure 3.1: Windows XP System Restore Point functionality.
Tip: System Files in Restore Points
One use of system files being backed up to Windows XP System Restore Points is that when malware is installed as a device driver (executable file with a “.sys” extension), it would be backed up to a Restore Point. If the installation process had included modifying the file time stamps so that the file appeared to have been created on the system during the original installation process, the true creation date could be verified via the master file table (MFT; see Chapter 4). Further, if there were six Restore Points, and the system file was not backed up in the older five Restore Points, and was only available in the most recent Restore Point, this would also provide an indication that the observed creation date for the file was not correct.
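The Restore Point reasoning in the tip above, written out as a check an analyst could run over a listing of which files each Restore Point holds. This is an added example, not code from the book; the Restore Point dates and file lists are constructed, and the `RestorePoint`/`Finding` types are assumptions of this example.

```python
"""Flag a file whose claimed creation date predates Restore Points that hold no copy of it.

Added example illustrating the chapter's heuristic: if older Restore Points, taken
after the file's claimed creation date, contain no backup of the file, while a newer
one does, the claimed date is suspect and should be verified against the MFT.
All data below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class RestorePoint:
    created: datetime
    backed_up_files: frozenset[str]  # original file names (lower-cased), as mapped from the RP


@dataclass(frozen=True)
class Finding:
    file_name: str
    claimed_created: datetime
    first_seen_in: datetime | None            # creation time of the oldest RP holding the file
    missing_from: tuple[datetime, ...]        # RPs newer than the claimed date that lack the file
    suspicious: bool


def assess_creation_date(file_name: str, claimed_created: datetime,
                         restore_points: list[RestorePoint]) -> Finding:
    """Apply the chapter's heuristic to one file against a set of Restore Points."""
    name = file_name.lower()
    ordered = sorted(restore_points, key=lambda rp: rp.created)
    first_seen = next((rp.created for rp in ordered if name in rp.backed_up_files), None)
    missing = tuple(rp.created for rp in ordered
                    if rp.created > claimed_created and name not in rp.backed_up_files)
    # Suspicious only when a Restore Point taken after the claimed creation date lacks the
    # file AND a later Restore Point has it: the file appeared later than its time stamp says.
    # Restore Points only capture monitored files when they change, so this is an indicator
    # to confirm via the MFT (Chapter 4), not proof on its own.
    suspicious = first_seen is not None and any(ts < first_seen for ts in missing)
    return Finding(file_name, claimed_created, first_seen, missing, suspicious)


# Constructed scenario: six daily Restore Points; the driver is only in the newest one.
SAMPLE_RESTORE_POINTS = [
    RestorePoint(datetime(2020, 1, d), frozenset({"ntfs.sys", "tcpip.sys"}))
    for d in range(1, 6)
] + [RestorePoint(datetime(2020, 1, 6), frozenset({"ntfs.sys", "tcpip.sys", "example.sys"}))]


if __name__ == "__main__":
    result = assess_creation_date("example.sys", datetime(2019, 6, 1), SAMPLE_RESTORE_POINTS)
    print(f"{result.file_name}: suspicious={result.suspicious}, "
          f"first seen {result.first_seen_in}, absent from {len(result.missing_from)} RPs")
```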
With the release of Vista, the functionality provided by the Volume Shadow Copy Service to support services such as Windows Backup and System Restore was expanded. In particular, the amount and type of data captured by System Restore was expanded to include block-level, incremental “snapshots” of a system (only the modified information was recorded) at a given point in time. These “snapshots” — known as VSCs — appeared in a different manner to the user. VSCs operate at the block level within the file system, backing up and providing access to previous versions of system and user data files within a particular volume. As with System Restore Points, the actual backups are transparent to the user, but with VSCs, the user can restore previous versions of files through the Previous Versions shell extension, as illustrated in Figure 3.2 (from a Windows 7 system).
Figure 3.2: Windows 7
Okay, so what does this mean to the forensic analyst? From an analyst’s perspective, there is a great deal of historical information within backed up files. Accessing these files can provide not just historical data (previous contents, etc.) but additional analysis can be conducted by comparing the available versions over time.
As you’d expect, there are several Registry keys that have a direct impact on the performance of the Volume Shadow Copy Service (VSS; the service which supports the various functions that lead to VSCs). As this is a Windows service, the primary key of interest is:
However, it is important to understand that disabling the VSC Service may affect other applications aside from just disabling VSCs, such as Windows Backup. As such, care should be taken in disabling this service on production systems. Also, forensic analysts examining Vista and Windows 7 systems that do not appear to have any VSCs available should check this key to see if the service had been disabled prior to the system being acquired.
There’s another key within the System hive that affects VSC behavior, and that is:
Beneath this key are three subkeys: FilesNotToBackup, FilesNotToSnapshot, and KeysNotToRestore. The names should be pretty self-explanatory, but just in case, the FilesNotToBackup key contains a list of files and directories that (according to Microsoft; additional information is available online at https://msdn.microsoft.com/en-us/library/bb891959(v=vs.85).aspx) backup applications should not back up and restore. On a default Windows 7 installation, this list includes temporary files (as in those in the %TEMP% directory), the pagefile, the hibernation file (if one exists), the Offline Files Cache, Internet Explorer index.dat files, as well as a number of log file directories. The FilesNotToSnapshot key contains a list of files that should be deleted from newly created shadow copies. Finally, the KeysNotToRestore key contains lists of subkeys and values that should not be restored. It should be noted that within this key, values that end in “\” indicate that subkeys and values for the listed key will not be restored, while values that end in “\*” indicate that subkeys and values for the listed key will not be restored from backup, but new values will be included from the backup.
Another Registry key to be very aware of is the following:
This key contains a value named “<09f7edc5-294e-4180-af6a-fb0e6a0e9513>,” and the data within that value will tell you which volumes are being monitored by the Volume Shadow Service. The data for this value can contain multiple strings, each of which references a volume GUID and the drive letter for the volume, separated by a colon. This value will mirror what is listed in the Protection Settings section of the System Properties dialog, as illustrated in Figure 3.3.
Figure 3.3: System Properties dialog.
Tip: Finding VSCs
I’ve run into and used the SPP\Clients key quite a bit during examinations. One of the steps I take in order to orient myself to an image prior to an examination is to check (via FTK Imager or ProDiscover, usually) whether there are any difference files available within the System Volume Information folder. In a number of cases, I’ve found none, and upon further examination, found that the VSS service was set to run automatically upon system boot. During examinations in which historical information would be very valuable, I will then verify the LastWrite time on the SPP\Clients key, and check the data of the “<09f7edc5-294e-4180-af6a-fb0e6a0e9513>” value. Using this information, I can then state my findings based on those values in my report; many times, I find from the client that deleting or clearing the value is actually part of the standard system configuration for the enterprise.
Accessing VSCs on live Vista, Windows 2008, and Windows 7 systems is a relatively simple task, as Windows systems ship with the necessary native system tools to access VSCs. In order to see the available VSCs for the C:\ drive of the Vista or Windows 7 system that you’re logged into, type the following command into a command prompt using elevated privileges (you may need to right-click the command prompt window and choose “Run as Administrator”):
C:\>vssadmin list shadows /for=c:
Example results of this command are illustrated in Figure 3.4.
Figure 3.4: Sample output of the vssadmin command.
As you can see illustrated in Figure 3.3, we can use the vssadmin command to gather considerable information about available VSCs on the system.
The Windows Management Instrumentation (WMI) class Win32_ShadowCopy (documentation found online at https://msdn.microsoft.com/en-us/library/aa394428(v=VS.85).aspx) provides an interface for programmatically extracting much of the same information from Windows systems made available by the vssadmin command. However, according to information available at the Microsoft web site (see the “Community Content” section of the previously linked page) at the time of this writing, this class is not supported on the 64-bit version of Windows 2008. Testing using a Perl script indicates that this is also true for Windows 7; the script didn’t work at all on 64-bit Windows 7, but ran very well on the 32-bit edition. A sample of what is available via Perl (or other methods for accessing WMI classes) appears as follows:
Don’t like the command line approach? Hey, that’s okay — it’s not for everyone. Head on over to ShadowExplorer.com and get a copy of ShadowExplorer (at the time of this writing, version 0.8 is available). Download and run the setup file on your system in order to install ShadowExplorer on the system in question. The web site describes ShadowExplorer as being useful to all users, but especially so to users with Windows 7 Home Edition, who don’t have access to VSCs by default. Once you install and launch ShadowExplorer, you will see the interface as illustrated in Figure 3.5.
As illustrated in Figure 3.5, you can use the drop-down selector beneath the menu bar to select the date of the VSC you would like to access; unfortunately, ShadowExplorer will only show you the VSCs available within the volume or drive (i.e., C:\, D:\) on which it is installed. Therefore, if your system has a D:\ drive, you’ll need to rerun the installation program and install it on that drive as well, in order to view the VSCs on that drive. Navigating through the tree view in the left-hand pane, locate the file for which you’d like to see a previous version, right-click the file and choose “Export” to copy that file to another location.
Going back to the command prompt, in order to access the VSCs on your live system and have access to the previous versions of files within those VSCs, you’ll need to make a symbolic link to a VSC. To do that, go to the listing for a VSC, as illustrated in Figure 3.3, and select (you’ll need to have Quick Edit mode enabled in your command prompt) the VSC identifier, which appears after “Shadow Copy Volume.” Then go back to the prompt and type the following command:
Do not hit the Enter key at this point. Once you get that far with the command, right-click to paste the selected VSC identifier into the prompt and then add a trailing slash (“\”), so that the command looks like the following:
C:\>mklink /d C:\vsc \\?\GLOBALROOT\Device\
Remember to add the trailing slash to the command — this is very important! This is not something that is clearly documented at the Microsoft site, but has been found to be the case by a number of forensic analysts, to include Rob Lee, of SANS fame, and Jimmy Weg, a law enforcement officer from Montana. Now, go ahead and hit the Enter key, and you should see that the symbolic link was successfully created. Now you can navigate to the C:\vsc directory, and browse and access the files via the command prompt or Windows Explorer. Once you’re done doing whatever you’re going to do with these files (review, copy, etc.), type the following command to remove the symbolic directory link:
This series of commands is going to be very important throughout the rest of this chapter, so it’s important that we understand some of the key points. First, use the vssadmin command to get the list of VSCs for a particular volume; note that when you run the command from the command prompt, you do not have to be in that volume. For example, if you want to list the VSCs for the D:\ volume, you can do so using the following command, run from the C:\ volume.
C:\>vssadmin list shadows /for=d:
Once you know which VSC you’d like to access, you can use the mklink command to create a symbolic link to that VSC. Remember, you must be sure that the VSC identifier (i.e., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\) ends with a trailing slash. Finally, once you’ve completed working in that VSC, you remove the symbolic link with the rmdir command.
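The vssadmin/mklink/rmdir sequence summarized above, turned into a small helper that parses `vssadmin list shadows` output and builds the link commands with the trailing backslash the chapter insists on. This is an added example, not code from the book; the vssadmin output below is constructed to follow the tool's layout rather than captured from a real system, and the `ShadowCopy` type and function names are this example's own.

```python
"""Parse `vssadmin list shadows` output and build mklink/rmdir commands for a VSC.

Added example; the sample output is constructed in the layout vssadmin prints and the
shadow copy numbers and GUIDs in it are invented for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: two shadow copies, one for C: and one for D:.
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {0d6a6ad7-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 1/2/2020 3:04:05 PM
      Shadow Copy ID: {6f1e2d3c-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{aaaaaaaa-0000-4000-8000-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy19
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {0d6a6ad7-0000-4000-8000-000000000004}
   Contained 1 shadow copies at creation time: 1/3/2020 9:10:11 AM
      Shadow Copy ID: {6f1e2d3c-0000-4000-8000-000000000005}
         Original Volume: (D:)\\?\Volume{bbbbbbbb-0000-4000-8000-000000000006}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

_CREATED = re.compile(r"at creation time:\s*(.+?)\s*$")
_SHADOW_ID = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
_ORIGINAL = re.compile(r"Original Volume:\s*\(([A-Za-z]:)\)")
_DEVICE = re.compile(r"Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)")


@dataclass(frozen=True)
class ShadowCopy:
    shadow_id: str
    created: str          # vssadmin prints this in the system locale; kept as text
    original_volume: str  # drive letter, e.g. "C:"
    device_path: str      # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyNN (no trailing slash)


def parse_vssadmin(text: str) -> list[ShadowCopy]:
    """Walk the output line by line; each 'Shadow Copy ID' starts a new record."""
    copies: list[ShadowCopy] = []
    created = ""
    pending: dict[str, str] = {}
    for line in text.splitlines():
        if m := _CREATED.search(line):
            created = m.group(1)
        elif m := _SHADOW_ID.search(line):
            pending = {"shadow_id": m.group(1), "created": created}
        elif m := _ORIGINAL.search(line):
            pending["original_volume"] = m.group(1)
        elif m := _DEVICE.search(line):
            pending["device_path"] = m.group(1)
            copies.append(ShadowCopy(**pending))
            pending = {}
    return copies


def select_for_volume(copies: list[ShadowCopy], drive: str = "C:") -> list[ShadowCopy]:
    """Filter to the VSCs of one volume, mirroring `vssadmin list shadows /for=<drive>`."""
    return [c for c in copies if c.original_volume.upper() == drive.upper()]


def mount_command(copy: ShadowCopy, link: str = "C:\\vsc") -> str:
    """mklink /d form; the trailing backslash on the VSC path is the part that is easy to miss."""
    target = copy.device_path.rstrip("\\") + "\\"
    return f"mklink /d {link} {target}"


def unmount_command(link: str = "C:\\vsc") -> str:
    """Remove the directory symbolic link once the VSC has been reviewed."""
    return f"rmdir {link}"


if __name__ == "__main__":
    for vsc in select_for_volume(parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT), "C:"):
        print(f"{vsc.shadow_id} created {vsc.created}")
        print("  " + mount_command(vsc))
        print("  " + unmount_command())
```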
A number of commercial forensic analysis applications provide access to VSCs within acquired images, and ProDiscover is just one of those applications. However, ProDiscover is also the only commercial forensic analysis application to which I have access. As such, I briefly mention its ability to access VSCs on live systems here. For those who want more detailed information on how to use ProDiscover for this purpose, Christopher Brown posted a five-page PDF format paper at the Technology Pathways, LLC, web site that describes how to use ProDiscover IR (the Incident Response Edition) to access and acquire VSCs on remote live systems. This can be very valuable to an investigator who needs to quickly access these resources in another location, or to do so surreptitiously. The paper can be found on the web at http://toorcon.techpathways.com/uploads/LiveVolumeShadowCopyWithProDiscoverIR.pdf.
If you’re a user of the fantastic F-Response tool from Matt Shannon, particularly the Enterprise Edition (EE), you’ll be very happy to know that you can use this product to access VSCs on remote systems. This may be important for a variety of reasons; a user within your enterprise environment may have “lost” an important file that they were working on, you may need to access an employee’s system surreptitiously, or you may need to quickly acquire data from a system located in another building in another area of the city. While I generally don’t recommend acquiring full system images over the network, even over a VPN, you can use tools like F-Response EE, which provides read-only access to the remote system drive, in order to collect specific information and selected files from remote systems very quickly. This will allow you to perform a quick triage of systems, and potentially perform a good deal of data reduction and reduce the impact of your response activities on your organization by identifying the specific systems that need to be acquired.
That being said, perhaps the best way to discuss F-Response EE’s ability to provide access to VSCs is through a demonstration. Before describing the setup I used and walking through this demonstration, I need to make it clear that I used F-Response EE because Matt was gracious enough to provide me with a copy to work with; this process that I’m going to walk through can be used with all versions of F-Response, including the Consultant and Field Kit editions.
Tip: F-Response VSC Demo Setup
For my demonstration, I don’t have a full network to “play with,” so I opted to use the tools that I do have available. I booted my 64-bit Windows 7 Professional analysis system, and then started up a 32-bit Windows 7 Ultimate virtual machine (VM) in VMPlayer. I had set the Network Adapter in the settings for the VM to “bridged,” so that the VM appeared as a system on the network. For the demonstration, the IP address of the running VM was 192.168.1.8, and the IP address of the host was 192.168.1.5. On both systems, the Windows firewalls were disabled (just for the demonstration, I assure you!) in order to simulate a corporate environment. Also, it is important to note that Windows 7 ships with the iSCSI initiator already installed, so I didn’t need to go out and install it separately.
Again, this demonstration makes use of F-Response EE (thanks to Matt Shannon for allowing me the honor to work with this wonderful tool!). Once I logged into my analysis system, I plugged in my F-Response EE dongle and launched the F-Response License Manager Monitor to install and start the License Manager service. I then launched the F-Response Enterprise Management Console (FEMC) and started by configuring the credentials that I would be using to access the remote system. I clicked File→Configure Credentials… from the menu bar, and entered the appropriate username/password information to access the remote system (if you’re in an Active Directory domain, check the “Use Current User Credentials” option). Next, I clicked File→Configure Options… and configured my deployment options appropriately (for this demo, I didn’t select the “Physical Memory” option in the Host Configuration section).
Figure 3.6: FEMC Direct Connect UI.
As I was going to connect to a specific system, I selected Scan→Direct Scan from the menu bar, and entered the IP address of the target system (i.e., 192.168.1.8), and clicked the Open button. Once the connection was made, F-Response was installed and started on the target system, as illustrated in Figure 3.6.
From there, I logged into the C:\ volume on the target host, and that host’s C:\ drive appeared on my analysis system as the F:\ volume. I then ran the following command on my analysis system:
C:\>vssadmin list shadows /for=f:
In order to access the oldest VSC listed (HarddiskVolumeShadowCopy17, created on January 4, 2020), I entered the following command in a command prompt on my analysis system:
C:\>mklink /d d:\test \\?\GLOBALROOT\Device\
This command created a symbolic link on my analysis system called “d:\test” that pointed at the contents of a VSC created on the target system on January 4, 2020, and allowed me to access all of the files within that directory, albeit through the read-only access provided by F-Response EE.
Warning: Accessing VSCs on Live Systems
It is very important to remember that when you’re accessing VSCs on live systems, that system, whether accessed remotely or locally, is still operating normally. What this means is that while you’re accessing the oldest VSC you found, the system itself is still going about its normal operations, and that VSC could be overwritten to make room for another VSC, because under normal conditions VSCs are managed on a “first-in-first-out” (FIFO) basis. This actually happened to me while I was working on some of the demonstrations listed in this chapter. The remote live system continued to operate normally, and the VSC I was accessing was removed simply because I had taken too long to complete the testing (I was just browsing through some of the files). I had to back out of my demonstration and restart it. When I did, I found that the output of the vssadmin command was quite a bit different, particularly with respect to the dates on which the available shadow copies had been created.
Another very important aspect of accessing VSCs (and this applies to accessing VSCs within images, as well) is that you need to be very careful about the files you click or double-click on. Remember, if you double-click a file that is in a VSC on a remote system, your analysis system is going to apply its own rules to accessing and opening that file. This means that if you see a PDF file that you’d like to click on, you should be very sure that it wasn’t what led to the remote system being infected in the first place. If it is a malicious PDF, and your system isn’t protected (updated antivirus (AV) and PDF viewer, etc.), then your system may become infected, as well. The safer practice is to copy the files of interest out of the VSC into an evidence folder, hash them, and examine them with a parser or in an isolated virtual machine rather than opening them with their associated application on the analysis system.
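The procedure from the demo setup (map the remote volume, run vssadmin, link the oldest VSC with mklink) and the two warnings above can be tied together in one script on the analysis system. The following PowerShell is an added example and is not code from the chapter or from F-Response: it parses the output of vssadmin list shadows for the mapped volume, links the oldest VSC (note the trailing backslash on the device path, which mklink requires), immediately copies a few selected directories out with robocopy, hashes what it copied, and removes the link. Copying out rather than browsing is the point: FIFO rotation on the live target can pull the VSC out from under you, and files sitting in an evidence folder can be parsed or opened in an isolated VM instead of being double-clicked on the analysis host. The drive letter F:, the output folder and the list of paths are assumptions for illustration; run it from an elevated prompt, since vssadmin and mklink /d both require it.

```powershell
# Added example, not part of the original chapter: pull selected paths out of
# the OLDEST shadow copy on a volume that F-Response has mapped onto the
# analysis system. Run from an elevated PowerShell prompt (vssadmin and
# mklink /d both need it). Volume, OutDir and Paths are assumed values.
param(
    [string]$Volume  = 'F:',                   # remote C:\ as mapped by F-Response (assumed)
    [string]$OutDir  = 'D:\evidence\vsc',      # evidence store on the analysis system (assumed)
    [string[]]$Paths = @('Windows\System32\config', 'Windows\Prefetch')  # assumed paths of interest
)

# Turn the text of "vssadmin list shadows /for=<volume>" into objects, oldest
# first. Each shadow copy set block carries the creation time; each
# "Shadow Copy Volume:" line inside it carries the device path mklink needs.
function ConvertFrom-VssadminShadows {
    param([string[]]$Lines)
    $found = @()
    $created = $null
    foreach ($line in $Lines) {
        if ($line -match 'shadow copies at creation time:\s*(.+?)\s*$') {
            $created = [datetime]::Parse($Matches[1])
        }
        elseif ($line -match 'Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)') {
            $found += [pscustomobject]@{ Created = $created; Device = $Matches[1] }
        }
    }
    return @($found | Sort-Object Created)
}

# mklink is a cmd.exe builtin. The device path must end in a backslash, or the
# link is created but does not resolve. Listing the link right away confirms
# the VSC is still there; if FIFO rotation already removed it, this throws.
function Mount-VscLink {
    param([string]$LinkPath, [string]$Device)
    cmd /c mklink /d "$LinkPath" "$Device\" | Out-Null
    $null = Get-ChildItem -LiteralPath $LinkPath -Force -ErrorAction Stop
}

# rmdir on a directory symbolic link removes only the link, never its target.
function Dismount-VscLink {
    param([string]$LinkPath)
    cmd /c rmdir "$LinkPath" | Out-Null
}

$vscs = ConvertFrom-VssadminShadows (vssadmin list shadows "/for=$Volume")
if ($vscs.Count -eq 0) { throw "vssadmin reported no shadow copies for $Volume" }
$oldest = $vscs[0]
Write-Host ("{0} shadow copies on {1}; oldest is {2}, created {3}" -f $vscs.Count, $Volume, $oldest.Device, $oldest.Created)

$link = Join-Path $env:TEMP ('vsc_' + (Get-Date -Format 'yyyyMMddHHmmss'))
$dest = Join-Path $OutDir ($oldest.Created.ToString('yyyy-MM-dd_HHmmss'))
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$log  = Join-Path $dest 'robocopy.log'

Mount-VscLink -LinkPath $link -Device $oldest.Device
try {
    foreach ($p in $Paths) {
        # /E copies the subtree; /COPY:DT keeps data and timestamps (ACLs are not
        # worth failing on over a read-only mapping); /XJ avoids following
        # junctions back out of the VSC; /R:1 /W:1 keeps a vanished VSC from
        # stalling the copy for minutes. Exit codes 8 and above mean failures.
        robocopy (Join-Path $link $p) (Join-Path $dest $p) /E /COPY:DT /DCOPY:T /XJ /R:1 /W:1 /NP /NJH /NJS "/LOG+:$log"
        if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors copying $p (exit $LASTEXITCODE)" }
    }
}
finally {
    Dismount-VscLink -LinkPath $link
}

# Hash everything that was copied so the evidence folder can be verified later.
Get-ChildItem -LiteralPath $dest -Recurse -File |
    Where-Object { $_.Name -ne 'robocopy.log' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
```

To walk every VSC instead of only the oldest, loop over $vscs and give each its own link and destination folder; keep each link mounted for as short a time as possible, because the listing check in Mount-VscLink only proves the VSC existed at the moment the link was made.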
As I mentioned, there are a number of commercial forensic analysis applications and tools that provide analysts and responders with the ability to access VSCs on remote systems, and what we’ve discussed here are only a few of your (and my) available options. The application and methodology you choose to use depends largely on your needs, abilities, and preferences (and, of course, which tool or set of tools you can afford).
About the author:
Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and “cloud computing” services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan’s primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms. Harlan holds a bachelor’s degree in electrical engineering from the Virginia Military Institute and a master’s degree in the same discipline from the Naval Postgraduate School. Harlan resides in Northern Virginia with his family.