Computer Forensics Basics
45 Questions

Questions and Answers

What is the standard size of each sector on magnetic disks formatted for Windows?

  • 512 bytes (correct)
  • 2048 bytes
  • 256 bytes
  • 1024 bytes

Which of the following best describes clusters in the context of data storage?

  • The smallest unit of data stored on a disk
  • The exact size of a file in bytes
  • Single sectors that represent file allocation units
  • One or more adjacent sectors representing allocation units (correct)

How is logical file size defined?

  • It refers to the amount of space a file actually occupies on disk
  • It is the size of the file as seen by the operating system (correct)
  • It includes file slack space
  • It is the same as physical file size

What is the purpose of the partition table on a disk?

To identify corresponding locations of partitions (D)

What is the portion of unused space between the logical end of a file and the physical end of a cluster called?

File slack space (B)

How many primary partitions can a fixed disk have at most?

Four (B)

Which of the following statements is true regarding the bootable partition?

Only one partition can be bootable at a time. (B)

What does the master boot record (MBR) contain?

Information about the disk's partition layout (B)

Which of the following is NOT included in a typical data report?

Daily operational expenses (B)

What type of software is considered miscellaneous but essential for data reporting?

Wiping software (B)

Which conclusion addresses the need for collaboration in investigations?

Aim for collaboration with civilian experts and corporate entities (C)

What is identified as a necessary requirement for conducting investigations?

Minimum resources and employee training (C)

Which of the following is an example of a network tool required for data reporting?

Antivirus software (B)

What aspect of NTFS systems allows forensic investigators to evaluate information?

File system fragmentation (D)

Which verification tool is commonly used to ensure data integrity?

CRC (Cyclical Redundancy Check) (C)

What is one of the five broad categories of computer forensic software?

Data preservation tools (C)

What type of files are specifically designed to conceal the contents of the original file?

Hidden files (A)

What does the acronym BIOS stand for?

Basic Input/Output System (A)

Which of the following is NOT a category of data analysis tools?

Data visualization (B)

What does encryption do to a message?

Converts it into an indecipherable form (B)

What should standard operating procedures (SOP) in forensic investigations do?

Reflect technological advancements (D)

What is the purpose of Hashkeeper software?

It lists known files (B)

Which of the following best describes 'file slack'?

Unused space in a file that can contain residual data (D)

What is part of the boot process that checks hardware functionality?

POST (Power-on self-test) (A)

What is the purpose of data extraction tools in computer forensics?

To retrieve digital evidence from various types of files (B)

Which tool is specifically designed for data recovery during forensic investigations?

Data extraction software (D)

Which of the following would be examined to analyze user-configuration settings?

File structure of the drive (A)

What does steganography aim to achieve?

To hide the data from view (B)

Which analysis example involves looking for relevance and patterns in file names?

Reviewing file names (A)

What is the smallest physical storage unit on a disk?

Sectors (C)

Which type of storage retains data even when the power is turned off?

Nonvolatile storage (D)

What term refers to the allocated parts of a physical drive managed as independent units?

Logical file size (C)

Which component is responsible for reading and writing data on a disk?

Head (C)

What is the physical file size?

Actual space the file occupies on a disk (C)

What does the term 'track' refer to in disk structure?

Circular path on a disk where data is stored (B)

Which of the following represents a nonvolatile storage medium?

CD-ROM (A)

What is the relationship between bits and bytes?

8 bits make 1 byte (D)

What function does the File Allocation Table (FAT) serve in data storage?

Creates a map or directory identifying file locations (C)

What happens to the data when a file is deleted in a FAT system?

The data remains intact but is marked as available (D)

Which file system was developed to improve security and performance while supporting larger file sizes?

NTFS (D)

What does the Master File Table (MFT) contain in an NTFS file system?

Records for every file in NTFS (B)

What was one of the major concerns prior to the introduction of disk operating systems?

Data deployment and management (B)

Which of the following is NOT a file system currently available from Microsoft?

HFS+ (D)

Which characteristic is primarily improved by NTFS compared to FAT?

Security and space utilization (B)

What issue may arise for investigators dealing with hidden partitions?

The logical drive size may not match identified characteristics (C)

Flashcards

Sectors

Fixed units on a disk where data is stored. The smallest physical storage unit.

Logical File Size

The actual size of a file in bytes, as reported by the operating system.

Physical File Size

The actual space a file occupies on the disk.

Logical Drive

Allocated parts of a physical drive, managed as independent units.

Primary Storage

Computer storage space directly connected to the CPU, like RAM

Secondary Storage

Storage devices, such as hard drives, for long-term data storage.

Binary System

A system of representing data using only 0s and 1s.

Clusters

Groups of sectors; used to manage data storage efficiency on the disk.

Sector Size

The amount of space (in bytes) for a single sector on a magnetic disk.

Sector Numbering

Sectors are numbered sequentially on tracks.

Cluster Size

Amount of space, in sectors, a file needs on the disk.

File Slack

Unused space between a logical file's end and the physical end of its cluster allocation.

Partition

A section of a hard disk, treated as a single unit by the OS (up to 4 main partitions).

Slack Space

Unused space within a file's allocated space on a hard drive. This space can potentially hold deleted data.

EFS (Encrypting File System)

A feature that encrypts files on a disk, making them inaccessible without the appropriate decryption key. This adds complexity to forensic investigations.

BIOS (Basic Input/Output System)

A set of instructions that run when a computer starts up, initializing the hardware and loading the operating system.

POST (Power-On Self-Test)

A series of checks performed by the BIOS during computer startup to ensure hardware components are functioning properly.

Data Integrity

The state of data being complete, accurate, and unchanged. It's essential for forensic investigations to ensure evidence hasn't been tampered with.

CRC (Cyclical Redundancy Check)

A mathematical process used to verify data integrity by comparing the checksum of data with a pre-calculated value.

MD5 Hash

A cryptographic hash function that produces a unique digital fingerprint for a file or piece of data, used to verify data integrity.

Hashkeeper

Software used to create and maintain a database of known file hashes to help identify and verify files.

File Systems

The software that organizes and manages data on a hard drive, allowing the operating system to understand and access data efficiently.

FAT (File Allocation Table)

A directory that keeps track of where each piece of a file is located on the hard drive. It allows the operating system to quickly assemble the file when needed.

NTFS (New Technology File System)

A modern file system developed by Microsoft for better security, performance, and larger file storage. It uses a Master File Table to manage data.

Master File Table (MFT)

A central database in an NTFS file system that holds information about every file on the drive, including its name, location, size, and access permissions.

What happens when a file is deleted?

Deleting a file doesn't erase the actual data, but simply marks the file's clusters as free to be used again.

Data Storage Scheme

The methods used to store and manage data on a hard drive, including file systems and allocation tables.

Why are file systems important in forensic investigations?

File systems are essential for forensic investigations because they provide crucial information about how data is organized and stored on a drive, helping investigators analyze and recover deleted files.

What is the purpose of a disk operating system?

Disk operating systems (DOS) were introduced to simplify data management for applications and provide a more structured way of storing data.

Data Reporting Tools

Software applications used to generate comprehensive reports about a case, including evidence details, analysis findings, and conclusions.

Presentation Applications

Software for creating visually appealing presentations (like PowerPoint), often used to showcase findings or explain complex concepts.

Word Processing Applications

Software for creating and editing documents, essential for writing detailed reports, case summaries, and analysis narratives.

Spreadsheet Applications

Software for organizing and analyzing data in rows and columns, useful for tracking evidence logs, timestamps, and identifying patterns.

Wiping Software

Software used to securely erase data from storage devices, preventing recovery of sensitive information during investigations.

What are hidden files?

Files that have been manipulated (often intentionally) to conceal the contents of the original file.

What is slack space?

Unused space within a file's allocated space on a hard drive. It can potentially hold deleted data.

What is a swap file?

A temporary file used by the operating system when an application runs out of memory.

What is steganography?

A technique used to hide data within other data, making it difficult to detect.

Data analysis tools

Tools used to examine and interpret digital evidence, including indexing, searching, viewing, time frame analysis, and application analysis.

File name analysis

Examining file names for patterns and relevance to the investigation.

File type analysis

Identifying unknown file types to determine their significance to the investigation.

Default storage location analysis

Examining the user's default storage locations and file structure to detect unusual data placement.

Study Notes

Computer Forensics: Terminology and Requirements

  • Computer forensics is the practice of collecting, analyzing, and reporting digital data.
  • This data must be legally admissible.
  • It's used for crime detection and prevention, as well as disputes involving digital evidence.
  • The goal of computer forensics is to examine digital media correctly to identify, preserve, recover, analyze, and present digital information.

Computer Forensics - An Emerging Discipline

  • The discipline is affected by new technologies, criminal behaviors, and changing police strategies.
  • Maintaining the integrity of evidence is crucial.
  • A chain of custody (CoC) is a chronological record documenting the seizure, handling, and analysis of physical or digital evidence.
  • It's vital to prevent contamination of evidence during analysis by preventing virus introduction and keeping the evidence in an unaltered state.

Traditional Problems in Computer Investigations

  • Local law enforcement faces increased responsibilities with dwindling budgets, limiting their capacity to acquire adequate training.
  • Communication and cooperation between agencies can be inadequate or nonexistent.
  • Over-reliance on automated programs or self-proclaimed experts may not always lead to success.
  • Victims of cybercrimes may be hesitant to report incidents due to perceived law enforcement incompetence.
  • Corporations may discourage victims from cooperating.

Evidence Corruption

  • Follow the cardinal rules of computer investigations:
    • Always work from an image of the original hard drive.
    • Thoroughly document all activities.
    • Maintain a proper chain of custody of all evidence.

Disk Structure and Digital Evidence

  • Terms to know:
    • Operating systems (OS)
    • Hardware
    • Software (including firmware and computer programs)
    • Static memory
    • Volatile memory (like RAM)
    • Nonvolatile storage (such as hard drives)
    • Computer storage (includes primary and secondary storage)
    • Floppy disks/diskettes
    • CD-ROMs and CD-RWs
    • Hard/fixed disks

Disk Structure and Data Storage

  • Drives (Physical): Devices and data at the electronic or machine level
  • Physical file size: The actual space occupied by a file on a disk
  • Logical: Allocated parts of a physical drive functioning as independent units
  • Logical file size: The exact size of a file in bytes

Disk Structure and Storage

  • Terms:
    • Bits
    • Tracks
    • Cylinder
    • Sectors
    • Shaft
    • Head
    • Actuator arm
    • Platters
    • Spindle
    • ASCII
    • Binary System
    • Hexadecimal System
    • Clusters
    • Compressed files

Data Storage Scheme

  • Sectors: Fixed units for data storage on disks, the smallest physical unit
  • Clusters: Groups of adjacent sectors, the fundamental units for magnetic disk storage; size may vary with disk size, representing the minimum space allocated for a file on a disk.
  • Logical file size: Refers to the precise size of a file in bytes.
  • Physical file size: The actual amount of space a file occupies on the disk.
  • File slack space: Unused space between a file's logical end and the physical end of a cluster. This space is often useful in forensic investigations.

Data Storage Scheme - Partitions

  • Partitions: Sections of fixed disks, categorized as a single unit by the OS (maximum of four).
  • The "boot" drive's partition needs to be bootable.
  • Some hard disks might include extended partitions that can be subdivided into more logical partitions for independent use.
  • Partitioning creates a master boot record and partition table for the hard disk.

Data Storage Scheme - Partitions Table

  • Identifies the locations of partitions on a drive.
  • Shows which partition is bootable (only one is usually bootable at a time).
  • Contains the master boot record (MBR).
  • Stores partition data at designated physical locations (typically cylinder = 0, head = 0, sector = 1).
  • Important knowledge for forensic investigations, as partitions can be hidden.

Data Storage Scheme - File Systems

  • File Systems: The disk management platform employed by a particular operating system. It structures and organizes data on a hard drive.
  • File systems emerged after the introduction of DOS for efficient data deployment and maximized use of disk space.

Data Storage Scheme – FAT

  • FAT (File Allocation Table): Represents a directory map showing locations of each file portion on the drive.
  • FAT tables contain file names, sizes, and cluster assignments, recording data location step by step.
  • A deleted file doesn't erase data. It just marks the file's clusters as available for reuse.

Data Storage Scheme - NTFS

  • NTFS (New Technology File System): Developed by Microsoft to improve performance and security and to support larger files.
  • NTFS records files using a Master File Table (MFT) instead of a FAT to store information about every file.
  • More efficient for storage space and more secure than FAT.
  • NTFS fragmentation information is still available for forensic investigations.

Disk Structure and Digital Evidence - Firmware

  • Firmware: Operating instructions not only for hardware
  • BIOS (Basic Input/Output System): Initial commands in the boot process (using the boot/absolute sector 0).
  • POST (Power-on Self Test): A diagnostic process.

Disk Structure and Digital Evidence – Data Integrity

  • Data integrity: Verification of data correctness and completeness.
  • Cyclical redundancy checksum (CRC): Tool for validation.
  • MD5-Hash: Verification tool.
  • HashKeeper: Software listing known files.

Developing Computer Forensic Science Capabilities

  • Standard Operating Procedures (SOPs) are subject to change due to advancements.
  • SOPs should be clearly defined, available, and encompass appropriate software, hardware, and procedures.
  • SOP reviews should be carried out annually to reflect technology advancements.

Minimum Software Requirements

  • Five broad categories of software tools:
    1. Data preservation, duplication, and verification tools.
    2. Data recovery/extraction tools (logical and physical).
    3. Data analysis tools (e.g., indexing, search, viewer, etc.).
    4. Data reporting tools.
    5. Network utilities.

1 - Data Preservation, Duplication, and Verification Tools

  • National Institute of Standards and Technology (NIST) defines imaging programs as tools capable of making bit-by-bit duplicates.
  • The image is made onto fixed or removable media; the original disk must not be altered during the process.
  • The tools must verify the disk image's integrity and log I/O errors.

2 - Data Recovery/Extraction Tools

  • Physical Extraction Phase: Identifies and documents data across the entire physical drive without regard for file system.
  • Logical Extraction Phase: Identifies and extracts files based on the OS, file systems, and applications, including relevant data from areas such as active files, deleted files, file slack, and unallocated file space. This phase includes keyword searches, file carving, and extracting partition tables to determine whether the entire physical drive size is valid.

2 - Data Recovery/Extraction Tools (continued)

  • Overt Files: Regular files.
  • Hidden Files: Intentionally hidden copies of original data.
  • Slack Space: Gaps between the logical end of a file and the physical end of a cluster, typically holding residual data.
  • Swap Files: Temporary files used by applications.
  • Password Protected, Encrypted and Compressed Files: Tools are needed to decode, decrypt, and decompress these files.
  • Steganography: Techniques designed to conceal data within other files.

3 - Data Analysis Tools

  • Data analysis tools are categorized into five general groups:
    • Indexing
    • Text searching
    • Viewers
    • Time frame analysis
    • Application analysis

3 - Data Analysis Tools (Examples)

  • Analyze file names for relevance or patterns.
  • Determine the number and types of operating systems.
  • Understand the installed applications.
  • Consider relationships like emails and attachments.
  • Identify unknown file types to ascertain their forensic value.

3 - Data Analysis Tools (continued)

  • Analyze user default storage locations and directory structures of the drive to determine if any data was stored in an alternate location.
  • Examine user configuration settings for additional data.

4 - Data Reporting Tools

  • Documentation requirements such as:
    • Lab details (name, address, and contact information)
    • Date of the report
    • Investigator's details (name, signature, and address)
    • Case number
    • Case specifics (suspects, victims, and offenses)
    • Lab case identifier
    • Evidence log, including dates and receipt of evidence, as well as seizure details, and descriptions of items.

5 - Other Required Software

  • Presentation applications (e.g., PowerPoint)
  • Word processing programs
  • Spreadsheet software
  • Wiping software
  • Antivirus software
  • Network utilities

Conclusions

  • Poor investigations might stem from administrative issues and inadequate resources, as well as a lack of training.
  • Skilled professionals are needed to support forensic computer science capabilities.
  • Collaboration with civilian experts and businesses is often needed.
  • Investigations should adhere to minimum standards, including specific equipment and premises.

Description

Explore the fundamentals of computer forensics, including key terminology and requirements for handling digital evidence. Learn about the importance of maintaining evidence integrity and the challenges faced in digital investigations. This quiz covers essential concepts that are crucial for anyone interested in the field of computer forensics.
