Computer Forensics Basics
45 Questions


Questions and Answers

What is the standard size of each sector on magnetic disks formatted for Windows?

  • 512 bytes (correct)
  • 2048 bytes
  • 256 bytes
  • 1024 bytes

Which of the following best describes clusters in the context of data storage?

  • The smallest unit of data stored on a disk
  • The exact size of a file in bytes
  • Single sectors that represent file allocation units
  • One or more adjacent sectors representing allocation units (correct)

How is logical file size defined?

  • It refers to the amount of space a file actually occupies on disk
  • It is the size of the file as seen by the operating system (correct)
  • It includes file slack space
  • It is the same as physical file size

What is the purpose of the partition table on a disk?

  • To identify corresponding locations of partitions (correct)

What is the portion of unused space between the logical end of a file and the physical end of a cluster called?

  • File slack space (correct)

How many primary partitions can a fixed disk have at most?

  • Four (correct)

Which of the following statements is true regarding the bootable partition?

  • Only one partition can be bootable at a time. (correct)

What does the master boot record (MBR) contain?

  • Information about the disk's partition layout (correct)

Which of the following is NOT included in a typical data report?

  • Daily operational expenses (correct)

What type of software is considered miscellaneous but essential for data reporting?

  • Wiping software (correct)

Which conclusion addresses the need for collaboration in investigations?

  • Aim for collaboration with civilian experts and corporate entities (correct)

What is identified as a necessary requirement for conducting investigations?

  • Minimum resources and employee training (correct)

Which of the following is an example of a network tool required for data reporting?

  • Antivirus software (correct)

What aspect of NTFS systems allows forensic investigators to evaluate information?

  • File system fragmentation (correct)

Which verification tool is commonly used to ensure data integrity?

  • CRC (Cyclical Redundancy Check) (correct)

What is one of the five broad categories of computer forensic software?

  • Data preservation tools (correct)

What type of files are specifically designed to conceal the contents of the original file?

  • Hidden files (correct)

What does the acronym BIOS stand for?

  • Basic Input/Output System (correct)

Which of the following is NOT a category of data analysis tools?

  • Data visualization (correct)

What does encryption do to a message?

  • Converts it into an indecipherable form (correct)

What should standard operating procedures (SOP) in forensic investigations do?

  • Reflect technological advancements (correct)

What is the purpose of HashKeeper software?

  • It lists known files (correct)

Which of the following best describes 'file slack'?

  • Unused space in a file that can contain residual data (correct)

What is part of the boot process that checks hardware functionality?

  • POST (Power-on self-test) (correct)

What is the purpose of data extraction tools in computer forensics?

  • To retrieve digital evidence from various types of files (correct)

Which tool is specifically designed for data recovery during forensic investigations?

  • Data extraction software (correct)

Which of the following would be examined to analyze user-configuration settings?

  • File structure of the drive (correct)

What does steganography aim to achieve?

  • To hide the data from view (correct)

Which analysis example involves looking for relevance and patterns in file names?

  • Reviewing file names (correct)

What is the smallest physical storage unit on a disk?

  • Sectors (correct)

Which type of storage retains data even when the power is turned off?

  • Nonvolatile storage (correct)

What term refers to the allocated parts of a physical drive managed as independent units?

  • Logical file size (correct)

Which component is responsible for reading and writing data on a disk?

  • Head (correct)

What is the physical file size?

  • Actual space the file occupies on a disk (correct)

What does the term 'track' refer to in disk structure?

  • Circular path on a disk where data is stored (correct)

Which of the following represents a nonvolatile storage medium?

  • CD-ROM (correct)

What is the relationship between bits and bytes?

  • 8 bits make 1 byte (correct)

What function does the File Allocation Table (FAT) serve in data storage?

  • Creates a map or directory identifying file locations (correct)

What happens to the data when a file is deleted in a FAT system?

  • The data remains intact but is marked as available (correct)

Which file system was developed to improve security and performance while supporting larger file sizes?

  • NTFS (correct)

What does the Master File Table (MFT) contain in an NTFS file system?

  • Records for every file in NTFS (correct)

What was one of the major concerns prior to the introduction of disk operating systems?

  • Data deployment and management (correct)

Which of the following is NOT a file system currently available from Microsoft?

  • HFS+ (correct)

Which characteristic is primarily improved by NTFS compared to FAT?

  • Security and space utilization (correct)

What issue may arise for investigators dealing with hidden partitions?

  • The logical drive size may not match identified characteristics (correct)

    Study Notes

    Computer Forensics: Terminology and Requirements

    • Computer forensics is the practice of collecting, analyzing, and reporting digital data.
    • This data must be legally admissible.
    • It's used for crime detection and prevention, as well as disputes involving digital evidence.
    • The goal of computer forensics is to examine digital media correctly to identify, preserve, recover, analyze, and present digital information.

    Computer Forensics - An Emerging Discipline

    • The discipline is affected by new technologies, criminal behaviors, and changing police strategies.
    • Maintaining the integrity of evidence is crucial.
    • A chain of custody (CoC) is a chronological record documenting the seizure, handling, and analysis of physical or digital evidence.
    • It's vital to prevent contamination of evidence during analysis by preventing virus introduction and keeping the evidence in an unaltered state.

    Traditional Problems in Computer Investigations

    • Local law enforcement faces increased responsibilities with dwindling budgets, limiting their capacity to acquire adequate training.
    • Communication and cooperation between agencies can be inadequate or nonexistent.
    • Over-reliance on automated programs or self-proclaimed experts may not always lead to success.
    • Victims of cybercrimes may be hesitant to report incidents due to perceived law enforcement incompetence.
    • Corporations may discourage victims from cooperating.

    Evidence Corruption

    • Follow the cardinal rules of computer investigations:
      • Always work from an image of the original hard drive.
      • Thoroughly document all activities.
      • Maintain a proper chain of custody of all evidence.

    Disk Structure and Digital Evidence

    • Terms to know:
      • Operating systems (OS)
      • Hardware
      • Software (including firmware and computer programs)
      • Static memory
      • Volatile memory (like RAM)
      • Nonvolatile storage (such as hard drives)
      • Computer storage (includes primary and secondary storage)
      • Floppy disks/diskettes
      • CD-ROMs and CD-RWs
      • Hard/fixed disks

    Disk Structure and Data Storage

    • Drives (Physical): Devices and data at the electronic or machine level
    • Physical file size: The actual space occupied by a file on a disk
    • Logical: Allocated parts of a physical drive functioning as independent units
    • Logical file size: The exact size of a file in bytes

    Disk Structure and Storage

    • Terms:
      • Bits
      • Tracks
      • Cylinder
      • Sectors
      • Shaft
      • Head
      • Actuator arm
      • Platters
      • Spindle
      • ASCII
      • Binary System
      • Hexadecimal System
      • Clusters
      • Compressed files

    Data Storage Scheme

    • Sectors: Fixed units for data storage on disks, the smallest physical unit
    • Clusters: Groups of adjacent sectors, the fundamental units for magnetic disk storage; size may vary with disk size, representing the minimum space allocated for a file on a disk.
    • Logical file size: Refers to the precise size of a file in bytes.
    • Physical file size: The actual amount of space a file occupies on the disk.
    • File slack space: Unused space between a file's logical end and the physical end of a cluster. This space is often useful in forensic investigations.

    Data Storage Scheme - Partitions

    • Partitions: Sections of a fixed disk, each treated as a single unit by the OS (maximum of four primary partitions).
    • The partition holding the "boot" drive must be marked bootable.
    • Some hard disks might include extended partitions that can be subdivided into more logical partitions for independent use.
    • Partitioning creates a master boot record and partition table for the hard disk.

    Data Storage Scheme - Partitions Table

    • Identifies the locations of partitions on a drive.
    • Shows which partition is bootable (only one is usually bootable at a time).
    • Lives in the master boot record (MBR), which holds the disk's partition layout.
    • Stores partition data at designated physical locations (typically cylinder = 0, head = 0, sector = 1).
    • Important knowledge for forensic investigations, as partitions can be hidden.

    Data Storage Scheme - File Systems

    • File Systems: The disk management platform employed by a particular operating system. It structures and organizes data on a hard drive.
    • File systems emerged after the introduction of DOS to manage data deployment efficiently and maximize the use of disk space.

    Data Storage Scheme – FAT

    • FAT (File Allocation Table): Represents a directory map showing locations of each file portion on the drive.
    • FAT tables contain file names, sizes, and cluster assignments, recording data location step by step.
    • A deleted file doesn't erase data. It just marks the file's clusters as available for reuse.

    Data Storage Scheme - NTFS

    • NTFS (New Technology File System): Developed by Microsoft to improve performance, security, and support for large files.
    • NTFS records files in a Master File Table (MFT) instead of a FAT; the MFT holds a record for every file.
    • More efficient for storage space and more secure than FAT.
    • NTFS fragmentation information is still available for forensic investigations.

    Disk Structure and Digital Evidence - Firmware

    • Firmware: Operating instructions embedded in hardware (software stored on the device itself).
    • BIOS (Basic Input/Output System): Issues the initial commands in the boot process (using the boot sector, absolute sector 0).
    • POST (Power-on Self Test): A diagnostic process.

    Disk Structure and Digital Evidence – Data Integrity

    • Data integrity: Verification of data correctness and completeness.
    • Cyclical redundancy check (CRC): Validation tool.
    • MD5 hash: Verification tool.
    • HashKeeper: Software listing known files.

    Developing Computer Forensic Science Capabilities

    • Standard Operating Procedures (SOPs) are subject to change due to advancements.
    • SOPs should be clearly defined, available, and encompass appropriate software, hardware, and procedures.
    • SOP reviews should be carried out annually to reflect technology advancements.

    Minimum Software Requirements

    • Five broad categories of software tools:
      1. Data preservation, duplication, and verification tools.
      2. Data recovery/extraction tools (logical and physical).
      3. Data analysis tools (e.g., indexing, search, viewer, etc.).
      4. Data reporting tools.
      5. Network utilities.

    1 - Data Preservation, Duplication, and Verification Tools

    • National Institute of Standards and Technology (NIST) defines imaging programs as tools capable of making bit-by-bit duplicates.
    • The image is made onto fixed or removable media; the original disk must not be altered during the process.
    • The tools must verify the disk image's integrity and log I/O errors.

    2 - Data Recovery/Extraction Tools

    • Physical Extraction Phase: Identifies and documents data across the entire physical drive without regard for file system.
    • Logical Extraction Phase: Identifies and extracts files based on the OS, file system, and applications, including relevant data from areas such as active files, deleted files, file slack, and unallocated space. Includes keyword searches, file carving, and extraction of the partition table to determine whether the entire physical drive size is accounted for.

    2 - Data Recovery/Extraction Tools (continued)

    • Overt Files: Regular files.
    • Hidden Files: Intentionally hidden copies of original data.
    • Slack Space: Gaps between the logical end of a file and the physical end of a cluster, typically holding residual data.
    • Swap Files: Temporary files used by applications.
    • Password Protected, Encrypted and Compressed Files: Tools are needed to decode, decrypt, and decompress these files.
    • Steganography: Techniques designed to conceal data within other files.

    3 - Data Analysis Tools

    • Data analysis tools are categorized into five general groups:
      • Indexing
      • Text searching
      • Viewers
      • Time frame analysis
      • Application analysis

    3 - Data Analysis Tools (Examples)

    • Analyze file names for relevance or patterns.
    • Determine the number and types of operating systems.
    • Understand the installed applications.
    • Consider relationships like emails and attachments.
    • Identify unknown file types to ascertain their forensic value.

    3 - Data Analysis Tools (continued)

    • Analyze user default storage locations and directory structures of the drive to determine if any data was stored in an alternate location.
    • Examine user configuration settings for additional data.

    4 - Data Reporting Tools

    • Documentation requirements such as:
      • Lab details (name, address, and contact information)
      • Date of the report
      • Investigator's details (name, signature, and address)
      • Case number
      • Case specifics (suspects, victims, and offenses)
      • Lab case identifier
      • Evidence log, including dates and receipt of evidence, as well as seizure details, and descriptions of items.

    5 - Other Required Software

    • Presentation applications (e.g., PowerPoint)
    • Word processing programs
    • Spreadsheet software
    • Wiping software
    • Antivirus software
    • Network utilities

    Conclusions

    • Poor investigations might stem from administrative issues, inadequate resources, and a lack of training.
    • Skilled professionals are needed to support forensic computer science capabilities.
    • Collaboration with civilian experts and businesses is often needed.
    • Investigations should adhere to minimum standards, including specific equipment and premises.

    Description

    Explore the fundamentals of computer forensics, including key terminology and requirements for handling digital evidence. Learn about the importance of maintaining evidence integrity and the challenges faced in digital investigations. This quiz covers essential concepts that are crucial for anyone interested in the field of computer forensics.
