Computer Forensics and Evidence Integrity
40 Questions


Questions and Answers

What is the smallest physical storage unit on a disk?

  • Track
  • Cluster
  • Cylinder
  • Sector (correct)

Which of the following best describes logical drives in computer forensics?

  • Allocated parts of a physical drive managed as independent units (correct)
  • Actual space occupied by files on a disk
  • Temporary storage used during computation
  • Physical layout of a disk's surface

Which piece of hardware is responsible for reading and writing data on a disk?

  • Head (correct)
  • Platter
  • Actuator arm
  • Spindle

What type of memory is referred to as volatile memory?

  • Cache and RAM (correct)

In the context of data storage, what does a track refer to?

  • A concentric circle on a platter's surface (correct)

What does the File Allocation Table (FAT) do?

  • Creates a map of the drive identifying file locations (correct)

Which file system is known for providing security and larger file size capabilities?

  • NTFS (correct)

What happens to a file's data when it is deleted by a user in a file system?

  • The data remains but is marked as available for use. (correct)

What is the primary function of a file system?

  • To organize data on a hard disk (correct)

Which of the following is NOT a file system available from Microsoft?

  • ext4 (correct)

What is a requirement for an imaging program as defined by NIST?

  • It must log I/O errors. (correct)

During the physical extraction phase, what does keyword searching accomplish?

  • It identifies data that the file system may not account for. (correct)

Which characteristic is NOT identified during logical extraction?

  • Physical location on the disk (correct)

What is the primary goal of computer forensics?

  • To protect digital evidence from alterations (correct)

Which of the following is NOT a traditional problem in computer investigations?

  • High rates of victim reporting (correct)

What is the main purpose of data reduction in the logical extraction process?

  • To eliminate duplicate and known files. (correct)

What is the role of file carving during physical extraction?

  • To reconstruct files even when the file system is not intact. (correct)

What is a major reason for the low reporting rate of cyber crimes by victims?

  • Perceived incompetence of law enforcement (correct)

Which of the following is one of the cardinal rules of computer investigations?

  • Document every step of the process (correct)

What challenge arises from excessive dependence on automated programs in investigations?

  • Great expectations may not be met (correct)

What best describes the logical file size on a disk?

  • The exact size of the file in bytes (correct)

Which term refers to arc-shaped portions of a disk track used for data storage?

  • Sectors (correct)

Which storage type retains data without requiring power?

  • Nonvolatile storage (correct)

What component in a disk drive is responsible for moving the read/write head across the platters?

  • Actuator arm (correct)

Which of the following represents a system for encoding information in electronic devices?

  • Binary system (correct)

What is the standard size of each sector on magnetic disks formatted for Windows?

  • 512 bytes (correct)

Which of the following accurately describes file slack space?

  • It is the unused space between the logical end of a file and the physical end of a cluster. (correct)

What is the maximum number of primary partitions that can be created on an MBR-partitioned fixed disk?

  • 4 (correct)

What does the partition table NOT indicate?

  • Total disk space available (correct)

Which statement is true regarding clusters in magnetic disk storage?

  • Clusters represent the basic allocation units of magnetic disk storage. (correct)

What is one tool used for verifying data integrity?

  • MD5 hash (correct)

Which category of software tools would you use for extracting deleted files?

  • Data recovery/extraction tools (correct)

Why should Standard Operating Procedures (SOP) be reviewed annually in forensic investigations?

  • Technology evolves, impacting investigation methods (correct)

What impact does the Encrypting File System (EFS) have on investigations?

  • It adds complexity to the investigative process (correct)

What is NOT one of the five categories of minimum software requirements for forensic investigations?

  • Programming languages (correct)

What is a primary feature of the New Technology File System (NTFS)?

  • It uses a Master File Table to manage files. (correct)

Which statement accurately describes the purpose of the File Allocation Table (FAT)?

  • It creates a map that identifies the location of each piece of a file. (correct)

What significant change did the introduction of disk operating systems bring to data management?

  • They reduced the data management burden for applications. (correct)

Which characteristic of NTFS makes it more advantageous than FAT in terms of storage efficiency?

  • It manages files through clusters that can be of variable sizes. (correct)

Why might investigators become confused when analyzing a logical drive's size?

  • They could overlook hidden partitions that are not readily visible. (correct)

Flashcards

Computer Forensics Goal

Protecting digital evidence from alterations, damage, or corruption.

Inadequate Resources in Investigations

Limited funds and personnel in law enforcement hinder effective investigations.

Evidence Corruption in Investigations

Altering or damaging the original evidence affects the investigation's outcome.

Importance of Documentation

Detailed recording of all actions is crucial in computer investigations.

Chain of Custody

Maintaining a record of evidence's handling from seizure to presentation in court.

Sector

A fixed, arc-shaped portion of a disk track, used for storing data; the smallest physical storage unit on a disk.

Logical file size

The exact size of a file measured in bytes, as shown in file properties.

Physical file size

The actual amount of space a file occupies on a disk.

Logical

Parts of a physical drive that work as independent units, important for computer forensics.

Physical

Drives (devices) and the data stored at the machine level.

Imaging Programs

Software used to create an exact copy of a hard drive or partition without altering the original. This copy, called an image, preserves the data for analysis.

Imaging Programs

Software used to create an exact, bit-for-bit copy of a hard drive or partition without altering the original. This copy, called an image, preserves the data for analysis and is what the examiner works from.

Physical Extraction

The process of recovering data from a hard drive regardless of the file system, examining the entire physical drive for any potential evidence.

Logical Extraction

The process of recovering data based on the operating system and file system, focusing on files, deleted files, and other accessible data.

Keyword Searching

A technique used during physical extraction to search for specific words or phrases within the raw data on a drive, regardless of file system organization.

File Carving

A method used in physical extraction to recover files based on their file signatures or headers, even if the file system information is missing or corrupted.

What are File Systems?

File systems are the organizational structures that operating systems use to manage data on hard drives. They organize data in a way that makes it easy to access and retrieve.

FAT - How does it work?

A FAT (File Allocation Table) has one entry per cluster and chains each cluster of a file to the next, so it records where every piece of a file lives. The file's name, size and starting cluster are kept in its directory entry, which points into the FAT.

File Deletion - FAT

When a file is deleted using FAT, the data itself isn't erased. The directory entry is flagged as deleted and the FAT marks the file's clusters as available, making them reusable for new data. Until they are reused, the deleted data can still be recovered.

What is NTFS?

NTFS, the New Technology File System, is an advanced file system developed by Microsoft. It offers enhanced security, improved performance, and the ability to store larger files compared to FAT.

What is the MFT?

The Master File Table (MFT) is a central database found in NTFS. It contains a record for every file and directory on the volume, including names, sizes, permissions, timestamps and the location of the file's data.

What is a Sector?

The smallest physical unit of storage on a disk. It's an arc-shaped portion of a track, storing data like a tiny segment of a pie.

What is a Sector?

The smallest physical unit of storage on a disk. It's an arc-shaped portion of a track, storing data like a tiny segment of a pie.

What is a Track?

A concentric circle on a disk platter, like a groove on a record. It holds a continuous stream of data.

What is a Cylinder?

A vertical stack of tracks, one above another, across all platters of a hard drive.

What are Clusters?

Groups of contiguous sectors. They're the smallest unit that can be allocated to a file. Think of them as building blocks for files.

What is the difference between Physical and Logical file size?

Physical file size represents the actual disk space a file occupies. Logical file size refers to the exact size of a file in bytes, as displayed in its properties.

What is a cluster?

A cluster is a group of one or more adjacent sectors. It's the minimum amount of space that a file can occupy on a disk.

What is file slack space?

File slack space is the unused space between the end of a file and the end of its cluster. It's like the extra room in a box after you've packed your belongings, and it can still hold remnants of whatever file used those sectors before.

What is a partition?

A partition is a section of a hard drive that acts as a separate storage unit, like a room in a house. It allows you to organize and manage your files.

What is a partition table?

A partition table is a specific area on a hard drive (inside the master boot record on MBR disks) that contains information about each partition, like its location, size and bootable status.

BIOS

The Basic Input/Output System, a fundamental firmware that initiates the boot process by loading the bootstrap loader from the boot sector.

POST

Power-on Self-Test, a diagnostic routine the BIOS runs after the computer turns on to check for hardware malfunctions.

POST

Power-on Self-Test, a diagnostic routine the BIOS runs after the computer turns on to check for hardware malfunctions.

Data Integrity Tools

Methods for ensuring the accuracy and authenticity of digital evidence, preventing accidental or intentional alteration.

CRC

Cyclic Redundancy Check, a data validation tool that uses a mathematical calculation to detect accidental errors during data transmission or storage. It is not designed to resist deliberate tampering.

MD5 Hash

An algorithm generating a fixed-length fingerprint for a file, allowing verification of data integrity. Because MD5 collisions can now be manufactured, current practice records a SHA-256 hash alongside it.

What is a File System?

A file system is the structure an operating system uses to manage data on a hard drive. It's like a filing cabinet for your computer, keeping all your data organized and accessible.

FAT: What is it?

FAT, or File Allocation Table, is like an index that tells the computer where to find each piece of a file on the drive. The directory entry stores the file's name, size and first cluster; the FAT stores which cluster comes next.

What happens when you delete a file in FAT?

Deleting a file in FAT doesn't erase the data itself. It simply marks the directory entry as deleted and the file's clusters as available for reuse. So, deleted data can often be recovered until those clusters are overwritten.

Study Notes

Computer Forensics and Cyber Crime

  • Computer forensics is the practice of collecting, analyzing, and reporting digital data legally. It aids in crime detection and prevention, resolving disputes
  • Its purpose is to examine digital media, identify, preserve, recover, analyze, and report facts and opinions about the digital information
  • Computer forensics is an emerging discipline, affected by new technologies, evolving criminal behavior, and changing police strategies
  • Maintaining the integrity of evidence is crucial to computer forensic investigations. This involves maintaining a chain of custody, protecting the evidence from contamination, and ensuring any analysis preserves the original state

Evidence Integrity

  • Chain of Custody (CoC) documents the seizure, handling, analysis, and disposition of evidence, ensuring its integrity. It involves detailed records of every stage
  • Employing a chain of custody is crucial for legal admissibility
  • The process requires procedures for maintaining accurate records at every stage
  • Avoiding contamination or alteration of digital evidence is paramount

Traditional Problems in Computer Investigations

  • Local law enforcement faces increasing responsibilities and dwindling budgets, limiting educational opportunities
  • Cooperation and communication among agencies is frequently weak
  • Overreliance on automated programs and self-proclaimed experts can be detrimental in computer investigations
  • Insufficient reporting of crimes due to victims' perceptions of law enforcement's capabilities, self-serving behavior of corporate advisors and inadequate resources, hindering effective investigations

Evidence Corruption – Cardinal Rules of Computer Investigations

  • Always work from a duplicate image, leaving the original hard drive unharmed
  • Thorough documentation is essential in every step
  • Maintain a meticulous chain of custody

Disk Structure and Digital Evidence

  • Terms: Nonvolatile storage, computer storage, primary storage, secondary storage, floppy disks, CD-ROMs, CD-RWs, hard disks, operating systems, hardware, software, firmware, static memory, volatile memory
  • Drives: a physical drive is the device itself and the data on it at the machine level; the operating system divides it into logical drives that it manages as independent units. Both views matter in forensics, because data that appears in no logical drive (hidden partitions, unpartitioned space) is still present on the physical drive.
    • Logical file size: the exact size of a file in bytes, as the file system reports it
    • Physical file size: the space the file actually occupies on disk, i.e. whole clusters
  • Data Storage Scheme: sectors are the smallest physical unit, an arc-shaped portion of a track; they are numbered sequentially.
    • Magnetic disks formatted for Windows have traditionally used 512 bytes per sector; newer Advanced Format drives use 4096-byte physical sectors, usually presented to the OS as 512-byte logical sectors (512e), so check which size a tool reports before converting sector numbers to byte offsets
    • Clusters are groups of adjacent sectors and are the minimum allocation unit for a file
    • File slack is the unused area between the logical end of a file and the end of its last cluster; it can retain fragments of whatever previously occupied those sectors
  • Partitions: the operating system divides the disk into partitions. An MBR partition table holds at most four primary partitions; GPT-partitioned disks are not subject to this limit.
    • The partition holding the operating system must be marked bootable (active)
    • One primary partition can be an extended partition, which is subdivided into logical drives
    • The master boot record (MBR) is the first sector of the disk and contains the partition table, which records each partition's location, size and bootable flag. It does not record the total capacity of the disk, so unpartitioned or hidden space is only found by comparing the table against the physical drive
  • File systems: Underlying structure for computer data organization on a hard disk. Examples are FAT16, FAT32, and NTFS. The file system structure greatly impacts how data is retrieved after crimes occur
  • FAT (File Allocation Table): a table with one entry per cluster. A file's directory entry holds its name, size and starting cluster, and the FAT chains each cluster of the file to the next, so together they map where every piece of every file is
    • A file has no physical existence as a unit: it is only the set of clusters the FAT chain links together
    • Deleting a file does not erase its data; the directory entry is flagged and the clusters are marked free in the FAT, so the contents remain until they are reused
  • NTFS (New Technology File System): developed by Microsoft, provides security, performance, and larger file sizes.
    • Data is managed through the Master File Table (MFT), a table that indexes every file and directory on the volume together with its attributes and the location of its data
    • Fragmentation means a file's data is stored in non-adjacent locations on the disk; it is normal file-system behaviour, but it complicates recovery of deleted files and carving, since the pieces must be reassembled in order
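As an added example, not code from the course material this page summarizes, the following Python parses the partition table out of a constructed MBR sector and computes physical size and slack for a file using the 512-byte sector and four-entry table described above. The sample partition entries and the names `build_mbr`, `parse_mbr` and `file_sizes` are this example's own; the 446-byte table offset, 16-byte entry layout and 0x55AA signature are the standard MBR format.

```python
import struct

SECTOR = 512   # assumed: legacy 512-byte sectors; 4K-native drives use 4096 (often emulated as 512)


def parse_mbr(mbr: bytes) -> list:
    """Parse the four 16-byte partition entries at bytes 446..509 of an MBR sector.
    Entry layout: status (0x80 = bootable), CHS start, type, CHS end, LBA start, sector count.
    Note what is absent: the table says where each partition is, not how big the disk is."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0:                       # type 0x00 = unused slot
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count, "bytes": count * SECTOR})
    return parts


def build_mbr(entries) -> bytes:
    """Constructed sample MBR from (bootable, type, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(entries[:4]):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0x80 if boot else 0x00, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def file_sizes(logical_size: int, sectors_per_cluster: int, sector: int = SECTOR) -> dict:
    """Logical size is the byte count the directory reports; physical size is the space
    actually allocated, rounded up to whole clusters. The difference is file slack, which
    the OS does not necessarily overwrite and which may still hold bytes of an earlier file."""
    cluster = sectors_per_cluster * sector
    clusters = -(-logical_size // cluster)   # ceiling division
    physical = clusters * cluster
    return {"cluster_bytes": cluster, "clusters": clusters,
            "physical_size": physical, "slack": physical - logical_size}


if __name__ == "__main__":
    # Sample table: a bootable NTFS partition (type 0x07) followed by an extended one (0x05).
    sample = build_mbr([(True, 0x07, 2048, 204800), (False, 0x05, 206848, 409600)])
    for p in parse_mbr(sample):
        print(p)
    print(file_sizes(5000, 8))   # 5000-byte file in 4096-byte clusters: 2 clusters, 3192 bytes slack
```

Summing the `bytes` of the parsed entries and comparing against the capacity the drive reports is the quick check for unpartitioned or hidden space the notes warn about.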

Firmware – Operating Instructions

  • BIOS (Basic Input/Output System): firmware that runs first at power-on; it executes the initial instructions and then hands control to the bootstrap loader read from the boot sector
  • POST (Power-on Self-Test): the BIOS routine that checks the hardware for faults after power is applied, before the boot process continues

Data Integrity

  • Cyclic redundancy check (CRC): a checksum that detects accidental corruption during transfer or storage; it is not designed to resist deliberate tampering
  • MD5 hash: a message digest used to verify that a copy matches the original; MD5 collisions are now practical, so record SHA-256 (or stronger) alongside it rather than relying on MD5 alone
  • Hashkeeper: a reference database of hash values of known files, used to filter known material out of the data set during examination

Developing Computer Forensic Science Capabilities

  • SOPs must be clear and easily accessible, current, and include different software, hardware, and specific investigative procedures
  • SOPs should undergo annual review due to the field's dynamic nature

Minimum Software Requirements

  • Categories: Data preservation, duplication, and verification; Data recovery/extraction; Data analysis; Data reporting; Network utilities

Data Preservation, Duplication and Verification Tools

  • NIST defines imaging programs as tools that create a bit-by-bit copy of a disk or partition, onto a fixed or removable media. The tool must not alter the original disk and must be able to access IDE and SCSI devices. It must verify the integrity of the image file and log all errors, providing extensive documentation.

Data Recovery/Extraction Tools

  • Physical Extraction: identifying and recovering data across the entire physical drive without regard to file system structure. Keyword searching of the raw drive, file carving by header and footer signature, and examination of the partition table and unused (unpartitioned) space belong here, since none of them depend on an intact file system.
  • Logical Extraction: identifying and recovering data based on the installed file system(s) and application(s): active files, deleted files, file slack and unallocated space within the file system, together with data reduction (eliminating known and duplicate files by hash comparison).
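The difference between the two extraction methods, as an added example rather than anything from the page's source text: a constructed FAT16-style volume (layout offsets chosen for the example, not read from a boot sector) holds a fragmented JPEG. Logical extraction follows the FAT chain and recovers it exactly; after deletion the chain is gone, so the same routine reassembles the wrong clusters, while signature carving over the raw bytes finds the file with no file system at all but pulls in the other file's cluster that sits in between. All function names and sample bytes are this example's own.

```python
import struct

# Constructed sample volume (not a real image): 512-byte clusters numbered from 2 as FAT does,
# root directory at 0, 16-entry FAT16 table at 512, data area at 1024 (offsets chosen here).
SECTOR, DIR_OFF, FAT_OFF, DATA_OFF, FAT_ENTRIES = 512, 0, 512, 1024, 16
EOC = 0xFFF8       # FAT16 entry values >= 0xFFF8 mark the last cluster of a chain
DELETED = 0xE5     # first byte of a directory entry after deletion
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"J" * (1200 - 6) + b"\xff\xd9"   # JPEG markers only
NOTES_SAMPLE = b"N" * 100
SLACK_TEXT = (b"OLD-TEXT-FROM-A-PREVIOUS-FILE " * 20)[:336]           # residue in last cluster

def _dir_entry(name, ext, first_cluster, size):
    """32-byte FAT directory entry: 8.3 name, attribute 0x20, first cluster @26, size @28."""
    e = bytearray(32)
    e[0:11] = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    e[11] = 0x20
    struct.pack_into("<HI", e, 26, first_cluster, size)
    return bytes(e)

def cluster_off(n):
    return DATA_OFF + (n - 2) * SECTOR

def build_image():
    """PHOTO.JPG (1200 bytes) is fragmented over clusters 3 -> 5 -> 6; NOTES.TXT sits in 4."""
    img = bytearray(DATA_OFF + SECTOR * (FAT_ENTRIES - 2))
    img[0:32] = _dir_entry("PHOTO", "JPG", 3, len(JPEG_SAMPLE))
    img[32:64] = _dir_entry("NOTES", "TXT", 4, len(NOTES_SAMPLE))
    fat = [0] * FAT_ENTRIES
    fat[0], fat[1] = 0xFFF8, 0xFFFF                      # reserved entries
    fat[3], fat[5], fat[6], fat[4] = 5, 6, 0xFFFF, 0xFFFF
    struct.pack_into("<%dH" % FAT_ENTRIES, img, FAT_OFF, *fat)
    img[cluster_off(3):cluster_off(3) + 512] = JPEG_SAMPLE[:512]
    img[cluster_off(4):cluster_off(4) + 100] = NOTES_SAMPLE
    img[cluster_off(5):cluster_off(5) + 512] = JPEG_SAMPLE[512:1024]
    img[cluster_off(6):cluster_off(6) + 176] = JPEG_SAMPLE[1024:]
    img[cluster_off(6) + 176:cluster_off(6) + 512] = SLACK_TEXT   # file slack after logical end
    return bytes(img)

def read_fat(img):
    return list(struct.unpack_from("<%dH" % FAT_ENTRIES, img, FAT_OFF))

def cluster_bytes(img, n):
    return img[cluster_off(n):cluster_off(n) + SECTOR]

def parse_dir(img):
    out = []
    for slot in range(SECTOR // 32):
        e = img[DIR_OFF + 32 * slot:DIR_OFF + 32 * (slot + 1)]
        if e[0] == 0:                                         # 0x00: no further entries
            break
        first, size = struct.unpack_from("<HI", e, 26)
        name = ("?" if e[0] == DELETED else chr(e[0])) + e[1:8].decode("ascii").rstrip()
        out.append({"slot": slot, "name": name + "." + e[8:11].decode("ascii").rstrip(),
                    "deleted": e[0] == DELETED, "first_cluster": first, "size": size})
    return out

def follow_chain(fat, start):
    chain, c = [], start
    while 2 <= c < EOC and c < len(fat) and c not in chain:   # stops on free (0), EOC or loop
        chain.append(c)
        c = fat[c]
    return chain

def logical_extract(img, entry, fat):
    """Logical extraction follows file-system structures. A deleted entry still records its
    first cluster and size, but its chain was freed, so recovery must assume the clusters
    were contiguous; for a fragmented file that assumption returns the wrong bytes."""
    if entry["deleted"]:
        n = -(-entry["size"] // SECTOR)
        chain = list(range(entry["first_cluster"], entry["first_cluster"] + n))
    else:
        chain = follow_chain(fat, entry["first_cluster"])
    return b"".join(cluster_bytes(img, c) for c in chain)[:entry["size"]]

def file_slack(img, entry, fat):
    """Bytes between the logical end of an active file and the end of its last cluster."""
    chain = follow_chain(fat, entry["first_cluster"])
    return cluster_bytes(img, chain[-1])[entry["size"] - (len(chain) - 1) * SECTOR:]

def delete_file(img, slot):
    """What a FAT delete actually does: tag the entry 0xE5 and free its chain. The rest of
    the directory entry and every data cluster are left untouched."""
    img, fat = bytearray(img), read_fat(img)
    for c in follow_chain(fat, parse_dir(img)[slot]["first_cluster"]):
        fat[c] = 0
    struct.pack_into("<%dH" % FAT_ENTRIES, img, FAT_OFF, *fat)
    img[DIR_OFF + 32 * slot] = DELETED
    return bytes(img)

def carve_jpeg(raw):
    """Physical extraction: header/footer carving over the raw bytes, ignoring the file
    system entirely. Needs no directory or FAT, but a fragmented file comes back with the
    intervening clusters of other files glued in."""
    found, pos = [], 0
    while (soi := raw.find(b"\xff\xd8\xff", pos)) != -1:
        eoi = raw.find(b"\xff\xd9", soi + 3)
        if eoi == -1:
            break
        found.append(raw[soi:eoi + 2])
        pos = eoi + 2
    return found
```

Run `build_image()`, then `delete_file(img, 0)` and compare `logical_extract` and `carve_jpeg` before and after: the active file comes back byte-exact, the deleted one is 1200 bytes starting with a valid JPEG header but with NOTES.TXT's cluster spliced into the middle, and the carved copy is 1712 bytes for the same reason. `file_slack` returns the "OLD-TEXT" residue that neither extraction path reports as part of the file.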

Data Analysis Tools

  • Categories: Indexing, text searching, viewers, time frame analysis, and application analysis
  • Examples: analyzing file names, identifying different operating systems, correlating data to applications, assessing relations between files (such as emails), and determining the value of unknown file types to investigations. One can examine where files were stored in the OS or the disk structure

Data Reporting Tools

  • Reports must include lab name, address, report date, investigating officer name, agency, case number, case details, case information, lab case identifier, evidence log, and the physical description of any evidence.

Other Required Software

  • Miscellaneous software needed includes presentation software (like PowerPoint), word processors, spreadsheet software, wiping software, antivirus software, and networking tools.

Conclusions

  • Poor investigations usually stem from inadequate resources, inadequate training, and lack of administrative initiative
  • Need for sufficient training and tools for forensic computer science
  • Collaboration between forensic investigators and civilian or corporate experts is frequently important.
  • Meeting minimum requirements like appropriate equipment and housing is important

Description

This quiz covers the fundamentals of computer forensics, focusing on the techniques used for collecting and analyzing digital data. It also emphasizes the importance of maintaining evidence integrity through proper chain of custody procedures. Test your knowledge on how these practices aid in crime detection and legal processes.
