Computer Forensics Exam 1
Decimal Number
- series of symbols, and each symbol has a value 10,000 | 1,000 | 100 | 10 | 1 | ----------------------------- 3 | 5 | 8 | 1 | 2 | The symbol in the right-most column has a value of 1. The next column to the left has a value of 10. Each column has a value that is 10 times as much as the previous column. 3 is the most significant symbol 2 is the least significant symbol 3(10,000) + 5(1000) + 8(100) + 1(10) + 2(1) = Decimal Number 35,812
System Start-Up Process
-Computer power on -CPU initialization *CPU looks to the ROM BIOS for its first instruction (POST) *Power on Self Test (POST) ^Checking the BIOS chip and then tests CMOS RAM ^Checking video card, hard drives, floppy drives, ports, keyboard and mouse, etc. ^If functioning properly, successful CPU initialization -Basic Input Output System (BIOS) *Check CMOS chip to find out where to check (boot sequence) for OS
Data Structure
-Computers know the layout of the data because of data structures -describes how data are laid out -works like a template or map -broken up into fields, and each field has a size and name, although this information is not saved with the data -see slide 28 W3 -a flag uses 1 bit. One byte can contain 8 flags -see slide 29 W3
Bits and Bytes
-Computers use binary number format -Only 0s and 1s -Each 0 or 1 is called a bit -Bits are organized into groups of 8 called bytes -Byte = smallest amount of space that is typically allocated to data. *can only hold 256 values, so bytes are grouped together to store large numbers. *Typical sizes include 2, 4, or 8 bytes
Writing to a Disk or Image File
-Create a duplicate copy using HDD *must be wiped with zeros *can be modified once mounted -Create an image file in HDD or any storage *more common way *no automatic mount *can be broken into smaller images to fit smaller storages than source disk
Chain of Custody
-Critical function of investigation that continuously records log info of each and every action that is taken on or against a piece of evidence and of every movement that evidence makes -Critical for evidence admissibility
Investigation Process Models
-DOJ guidelines(late 90s) *preparation: prepare equipment and tools *collection: search physical location for possible digital evidence and acquire (e.g., collect or copy digital media) *examination: review the media for evidence (initial screen) *analysis: review the results for their value in the case *reporting: document results of investigation
Data Unit in Data Area (FAT system)
-Data area (excluding root dir in FAT 12/16) uses cluster addresses. (The reserved area and FAT area use sector addresses) -The first cluster is cluster 2 -Cluster 2 in FAT12/16 vs. FAT32 *FAT12/16: after root directory ^^Root directory is located at the very beginning of data area *FAT32: after FAT area, or the first sector of data area Slides 19-24 W5
Hard Drive Duplication Methods
-Dedicated forensic duplication systems -System-to-system imaging -Imaging on the original system
First thing to do at the scene
-Determine who is in charge (or who you report to; which is not the DFI) -Identify what is the crime scene -What "area" is allowed to enter
"Best Evidence" Rule
-Evidence should be original and the actual item investigated or examined -Federal Rules of Evidence consider a printout of computer data to be original if it can be read by sight and if it accurately represents the stored data -A proper forensic image as long only if the original evidence has been returned to its owner
Boot Code in MBR
-Exists in the first 446 bytes of the first 512-byte sector -Standard Microsoft boot code processes the partition table in the MBR and identifies which partition has the bootable flag set -When it finds such a partition, it looks in the first sector of the partition and executes the code found there. The code in the start of the partition will be operating system-specific -Boot sector viruses insert themselves into the first 446 bytes of the MBR so that they are executed every time the computer is booted -Multiple OS boot option code can be either in Boot Code or in the bootable partition -Sector 0 begins at the start of the boot code. The partition table w/ four entries begins at the byte address 465. Sector 1 begins after the four entries.
FAT Area
-FAT16 has 16‐bit entries, and FAT32 has 32-bit entries - The entries are addressed starting with 0, and each entry corresponds to the cluster with the same address -If not allocated, its entry will have a 0 in it. -If a cluster is allocated, its entry will be non-‐‐zero and will contain the address of the next cluster in the file or directory. -If it is the last cluster in a file or directory, its entry will have an end-‐‐ of-‐‐file marker, which is any value greater than 0xff8 for FAT12, 0xfff8 for FAT16 and 0x0fff fff8 for FAT32 Slide 37 W5
Data Unit- Cluster and Block
-File systems use the logical volume addresses but also assign logical file system addresses because they group consecutive sectors to form a data unit. -File systems use both sector and cluster addresses
Boot Sequence
-Follow the boot sequence of disk specified in CMOS, use the first OS available -Ability to boot from OS not in the hard disk drive is important feature for digital investigation
US Constitution
-Fourth Amendment *prohibits unreasonable search and seizures/requires warrants to be judicially sanctioned and supported by probable cause -Fifth Amendment *prevents the gov from ever forcing a citizen to provide self-incriminating testimony ^No password for protected data can be forcefully acquired(even with a warrant)
GUID Partition Table (GPT)
-GUID = Globally Unique ID -BIOS uses MBR (mostly) -> getting obsolete -Extensible Firmware Interface (EFI) and Unified EFI (UEFI) replaces BIOS -EFI and UEFI uses GPT instead of MBR EFI/UEFI is used mainly in systems with 64-bit Intel processors -can support up to 128 partitions and uses 64-bit LBA addresses
Big- and little-endian Ordering
-IA32 based systems (i.e., Intel Pentium) and their 64-bit counterparts use the little-endian ordering. *we need to "rearrange" the bytes if we want the most significant byte to be the left-most number. -Sun SPARC and Motorola PowerPC (i.e., Apple Computers) systems use big-endian ordering.
Guideline for First Responder
-If computer is on, leave it on -If computer is off, leave it off -No technical assist from anyone unauthorized should be allowed -Avoid compromising physical evidence on computer devices -Protect yourself from biohazards -Pull the plug *immediately halts processing but destroys data in memory and can corrupt files *data in memory could be collected using "cold boot" attack or DMA attack. -Shut down *writes entries into the system activity logs(change of the state of the evidence)
Types of Forensic Investigations
-Internal Investigations *In case of violation of company policies and guidelines -Civil Investigations *In case of IPR risk, company's network security breach, unauthorized use of company resources *e.g. intrusion, DoS attack, malicious code/comm, misuse, etc. -Criminal Investigations
Incident Response - Corporate
-Large company *incident responder might be a technician-level employee in security or information technology -Small company *network administrator or security officer might also be the incident responder
Corporate/Private Investigations
-Not subject to the same fourth amendment rules -Often involve misuse or abuse of company assets, falsification of data, discrimination, harassment, and similar matters likely to involve litigation. -E.g. employees who violate the company's security policy *investigator can often trace and neutralize these threats without the involvement of law enforcement *if illegal activity is found, police involvement is necessary
The Daubert Guideline for DFI (digital forensics investigation)
-Not well met for digital evidence due to some challenges *procedure details of tools are not available ^IPR concerns for proprietary tools ^open source tools are not well documented -Some basic testing by NIST, no formal/rigorous testing result of file system tools (disk imaging)
Data Unit Allocation Strategies
-OSes use different data allocation strategies -While allocation of consecutive data units is tried in typical cases, it is not always possible and a file can be fragmented. -Three Strategies *First Available (from the beginning) *Next Available (from the last allocated cluster) *Best fit (searches for consecutive data units) -To update a file, applications can create a new copy or modify the existing file Slide 6 W5
Hard Disk Technology
-One of the most common sources of digital evidence -Most common interface types *ATA/IDE (Integrated Disk Electronics) or PATA ^IDE means a hard disk has a built-in logic board ^IDE disk uses ATA interface ^40 or 44 pin connectors *SATA (serial ATA) ^Better cable and speed, no jumpers ^direct connect to controller (no chaining of devices) *SCSI (Small Computer Systems Interface) ^More costly, used mainly for servers ^Various connector types (difficult to carry all
File Allocation Table File System (FAT)
-One of the most simple file systems found in common operating systems. -FAT system is the primary file system of the Microsoft DOS and Windows 9x operating systems. - FAT system is supported later Windows systems. -Two important data structures in FAT system *File Allocation Table *Directory entries Slides 14-17 W5
Device Configuration Overlay (DCO) See last slide of W3
-PC vendors can buy different size HDDs and configure to have same number of sectors -Forensics tools may not capture DCO. *FTK cannot not capture DCO/HPA *EnCase can capture both -DEVICE_CONFIGURATION_SET: create or change a DCO -DEVICE_CONFIGURATION_RESET: remove DCO 0GB 18GB 19GB 20GB | | | | V v V V ---------------------------------------------- |User Addressable Sectors | HPA | DCO | ---------------------------------------------- ^ ^ ^ IDENTIFY_DEVICE | | READ_NATIVE_MAX_ADDRESS | DEVICE_CONFIGURATION_IDENTIFY |
Forensic Analysis Scopes
-Physical Storage Media Analysis *Memory Analysis *Volume analysis -> Database analysis, swap space analysis, file system analysis-> application/OS analysis -Network Analysis
Disk Imaging on a Dedicated Forensic System
-Platform specifically built and designed to accommodate numerous types of hard drive connections. -Specialized bit-level imaging software transfers an exact copy of the contents of the original hard drive (or other data source) to one or more blanks -Typically, an investigator will make more than one copy of the suspect hard drive using this method. *if forensic analysis is correct, produce the same results on identical copies of the drive
DOS Partitions
-Primary file system partition = entry is in the MBR and the partition contains a file system or other structured data -Primary extended partition = entry is in the MBR, and the partition contains additional partitions -Secondary file system partition (or logical partition in Windows) = located inside the primary extended partition bounds and contains a file system or other structured data -Secondary extended partition = contains a partition table and a secondary file system partition
File Systems
-Provide a mechanism for users to store data in a hierarchy of files and directories -consists of structural and user data that are organized such that the computer knows where to find them -independent from any specific computer
Reporting
-Reporting the results of the analysis, including: *findings relevant to the case *actions that were performed *actions left to be performed *recommended improvements to procedures and tools
Incident Respone
-Response to a computer crime, security policy, violation, or similar event -Secure, preserve and document digital evidence -Happens BEFORE the forensic analysis begins -Incident responder is not necessarily the forensic specialist who will conduct the analysis of the digital evidence
Securing the scene (by first responder or DFI)
-Safety first -Integrity second (computer, data, network) -Then secure evidence -This is for any digital devices that contain data or encryption key *network switches, routers, servers, mobile phones, printer, digital camera, usb, flash memory, external HDD *RSA SecureID = USB dongle with encryption key -Identify data sources
Hard Disk Geometry (after low-level format)
-Sector *smallest addressable unit of storage *1 sector has typically 512 bytes -Cluster *a group of sector *allocation unit of data in file systems
Evidence
-Something that can establish or disprove a fact *Real evidence = things you carry to court and show *Documentary evidence = files, log, e-mail *Testimonial evidence = to support or validate other evidence types *Demonstrative evidence = to recreate or explain other evidence
CHS Limitation
-The original ATA specification uses a 16-bit cylinder value, a 4-bit head value, and an 8-bit sector value -Older BIOS uses 10 bit cylinder value, 8 bit head value and 6 bit sector value -This can allow only a 504MB disk *1024 x 16 x 63 x 512 = 504MB -New BIOS uses 1024c x 255h x 63s which allows 8.1GB -LBA overcomes this limitation by using logical address
File Allocation Table (FAT)
-Two Purposes *to deteremine the allocation status of a cluster *to find the next allocated cluster in a file or directory -Typically two FATs in a FAT file system, but exact number is given in the boot sector -First FAT starts after the reserved sectors (reserved sector size is also given in the boot sector) -Total size of each FAT is also given in the boot sector -Second FAT, if exists, starts int he sector following the end of the first
Digital Forensics Hardware Tools
-Used for incident response and forensic labs. Includes: *forensic computers *write-blocking devices *imaging devices (disk duplicator) *data wiping devices *encryption hardware
Using the original system
-Uses the original (suspect) computer to perform the disk imaging transfer process -A blank drive matching the original hard drive's capacity and configuration is added to the system -A forensic boot disk is used to create a bit-level image of the original disk -Method is typically used in on the scene incident response when it is impractical to transport a computer to the lab.
System-to-System Disk Imaging
-Uses two separate computer systems -- the suspect and a specialized forensics imaging system -Depending on the type of drives and connections available, both systems are booted from CD-ROM, DVD, USB drive, or floppy disk which loads the imaging software -Data is transferred between the computers using serial parallel, Ethernet, or USB ports -This method can be slow; often not suited to on the scene incident response
FAT Directory Entry
-contains the name and metadata for a file or directory -located in the clusters allocated to the file's parent directory -data structure supports a name that has only 8 characters in the name and 3 characters in the extension -first byte of the data structure works as the allocation status, and if it is set to 0xe5 or 0x00, the directory entry is unallocated. -Otherwise, the (first) byte is used to store the first character of the file name Slides 39-41 W5
Hexadecimal Number
-has 16 symbols (the numbers 0 to 9 followed by the letters A to F) -each column has a decimal value that is 16 times as much as the previous column Hexadecimal Number: 0x8BE4 4096 | 256 | 16 | 1 | ------------------------ 8 | 11 | 14 | 4 | Reference 0xB = 11 0xE = 14 8(4096) + 11(256) + 14(16) + 4(1) = 35,812 (decimal number)
FAT32 FSINFO
-includes hints about where the operating system can allocate new clusters -its location is given in the boot sector (byte 48-49) -part of the reserved area Slide 34-35 W5
FAT File System - Boot Sector
-located in the first sector of FAT file system -part of the reserved area -FAT12/16 and FAT32 have different versions of the boot sector, but they both have the same initial 36 bytes Slides 28-33 W5
File Recovery
-when a file is deleted from within Windows, the directory entry is marked as unused and the FAT entries for the clusters are set to 0. -We can find the starting location and the size of the file. However, We have no information about the remaining clusters in the file. -Two approaches for choosing the remaining clusters *blindly read the amount of data needed for the file size *Read only from the unallocated clusters Slide 26 W5
UTF-16
stores the most heavily used characters in a 2-byte value and the lesser-used characters in a 4-byte value. *uses less space than UTF-32
UTF-8
uses 1, 2, or 4 bytes to store a character. each character requires a different number of bytes, and the most frequently used bytes use only 1 byte Both UTF-8 and UTF-16 use a variable number of bytes to store each character and, therefore, making processing the data more difficult UTF-8 is frequently used because it has the least amount of wasted space and because ASCII is a subset of it *A UTF-8 string that has only the characters in ASCII uses only 1 byte per character and has the same values as the equivalent ASCII string.
UTF-32
uses a 4 byte value for each character, which might waste a lot of space
Volume
A volume is a collection of addressable sectors that an Operating System (OS) or application can use for data storage. The sectors in a volume need not be consecutive on a physical storage device -A hard disk is an example of a volume that is located in consecutive sectors -to assemble multiple storage volumes into one storage volume -to partition storage volumes into independent partitions
Data Categories in a File System
All data in a file system belong to one of the following categories: - file system category: contains the general file system information - content category: contains the data that comprise the actual content of a file - metadata category: contains the data that describe a file - file name category, or human interface category: contains the data that assign a name to each file - application category: contains data that provide special features Slide 9 + 10 W5
Analysis
Analyze the results of the examination to generate useful answers to the questions presented in the previous phases. (The case is typically 'solved' in this phase)
Digital Evidence in Action
BTK killer
Data structure for DOS partition entries in MBR
Byte Range 0-0 = Bootable Flag, not essential 1-3 = Starting CHS address, essential 4-4 = Partition Type, not essential 5-7 = Ending CHS address, essential 8-11 = Starting LBA address, essential 12-15 = Size in sectors, essential
Data Structures for MBR
Byte Range 0-455 = Boot Code; not essential 446-461 = Partition Entry 1, essential 462-477 = Partition Entry 2, essential 478-493 = Partition Entry 3, essential 494-509 = Partition Entry 4, essential 510-511 = Signature Value (0xAA55), not essential
Error Handling
Do not ignore any bad sector. Rather log the address and write 0s for it. This will keep other data in a correct location
Evidence Handling Workflow
Identify -> Photograph -> Document (where found, make, model, S/N, description -> package -> transport -> store -> destruction or return
Examination
Identify and extract the relevant information from the collected data, using appropriate forensic tools and techniques, while continuing to maintain integrity of the evidence
Collection (or Acquisition)
Identify, isolate, label, record, and collect the data and physical evidence related to the incident being investigated, while establishing and maintaining integrity of the evidence through chain of custody
CHS to LBA
LBA = (((C * heads_per_cylinder)+H) * sector_per_track) + S - 1 E.g., In a hard disk with 16 heads per cylinder, 63 sectors per track. Has a CHS address 2, 3, 4 LBA = (((2*16)+3)*63)+4-1 = 2208 -2*16 = 32 tracks in two cylinders (cylinder 0 and 1) -32+3 = 35 total tracks before the track 3 in cylinder 2 -35*63 sector per track = 2205 sectors -2205+4-1 = 2208 LBA, S=4 means 4th sector and LBA sector starts from 0
DOS style partition using MBR
Master Boot Record (MBR) is in the first 512-byte sector of a disk - DOS partitions are used with DOS, Windows, Linux, and IA32-based FreeBSD and OpenBSD systems. - MBR includes partition table that has four entries (up to four partitions) -Each entry has the following fields: *Starting CHS address (for windows 98, ME, etc.) *Ending CHS address *Starting LBA address (for windows 2000 and beyond) *Number of sectors in partition *Type of partition (FAT, NTFS, etc., Linux does not care the type) *Flags (bootable or not)
Phase Goals (Physical) for preservation, survey, documentation, search & collection, and reconstruction
Preservation - Secure entrance/exit, prevent changes Survey - walking through scene, identify evidence Documentation - photograph, sketches, evidence/scene maps Search & Collection - in-depth search Reconstruction - develop theories
Phase Goals (Digital) for preservation, survey, documentation, search & collection, and reconstruction
Preservation - prevent changes (network isolation, collecting volatile data, copy entire digital environment Survey - identify obvious evidence (in lab) Documentation - photo & description of digital device Search & Collection - analysis of system for nonobvious evidence Reconstruction - Similar to physical Computer being investigated = digital crime scene End Goal = ID a person, which involve physical investigation
Digital Evidence Collection Flow Chart
See w2 slide 12-15
Forensic Investigation Process
-Collection (Acquisition): -Examination -Analysis -Reporting
Crimes using computers
- As a target of the crime *computer network intrusion *DDOS attack - As an instrument of the crime *Child porn *Cyber stalking/bulling *ID theft *Pirated computer software *Forgery/Falsification of documents *Corporate fraud *Terrorism and national security
Examples of evidence
- Computer Fraud *Financial and asset data, credit card data, e-mails -Child exploitation *chat log, photo/video, image editing software, internet/SNS activity, movie files, relevant file and directory names -Network intrusion and hacking *network user ID and IP addresses, virus and spyware, system logs, etc.
Digital Forensics vs. Computer Forensics
- DF includes computer forensics + forensics on all other digital devices capable of storing digital data *Networking Forensics *Mobile device Forensics *Activity tracking device forensics, etc. - DF requires substantial knowledge of computer systems, file systems, OS, networking systems, HW, etc. - DF does not need to have the deepest understanding on theoretic knowledge on CS but must have familiarity with a wide range of subject matter
Damaged Data Units
- Many file systems have ability to mark a data unit as damaged * No need in modern HDD that detects bad sectors - A user could manually add a data unit to the damaged list and place data in it - Acquisition tools report bad sectors, so that report can be compared the damaged list to identify sectors that may have been manually added to hide data
Digital Forensics
- discipline that combines elements of law and computer science in order to collect and analyze computer data from a variety of computer systems, networks, storage devices, and other devices using digital communications as the source and flow of information in a way that is admissible as evidence in a court of law - (Law, Computer Science & Technology, Investigation & Detective Skill)
Binary Number
- has only two symbols (0 and 1) and each column has a decimal value that is two times as much as the previous column - max value for a fixed bit size 2^8 - 1 = 255, 2^32 - 1 - 4,294,967,295 Binary Number: 1001 0011 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | <-DecimalValue -------------------------------- 1 | 0 | 0 | 1 | 0 | 0 | 1 | 1 | 1(128) + 0(64) + 0(32) + 1(16) + 8(0) + 4(0) + 2(1) + 1(1) = 147
Forensics
- relating to the use of scientific knowledge or methods in solving crimes - relating to, used in, or suitable to a court of law
ASCII - Strings and Character Coding
-"American Standard Code for Information Interchange" -ASCII assigns a numerical value to the characters in American English. *E.g., the letter 'A' is equal to 0x41, '&' is equal to 0x26 *the largest defined value is 0x7E (127 in decimal) which means that 1 byte can be used to store each character. *the first 32 values are defined as control characters and are not printable (e.g., the 0x07 bell sound -For an example, see slide 21 W3 -In ASCII encoding, the endian ordering does not play a role in how the characters are stored because these are separate 1-byte values. -Therefore, the first character in the word or sentence is always in the first allocated byte. -The series of bytes in a word or sentence is called a string. Many times, the string ends with the NULL symbol, which is 0x00.
When a search warrant is not required
-"Plain View" doctrine states an officer can seize evidence that is in plain view as long as: *officer is legally present at the site of the evidence *officer can legally access the evidence *officer has probable cause that it is related to a crime -A device can be seized in case there is owner's written consent which acknowledges future forensic examination by trained examiner
Locard's Exchange Principle
-"Sherlock Holmes of France" -"Every contact by a criminal leaves behind a trace" -"Everything that enters a crime scene does two things. It leaves part of itself behind, and it takes part of the scene with it. -Paul Kirk stated, "Physical evidence cannot be wrong or wholly absent. Only human failure to find it, study and understand it, can diminish its value. -Same principle applies to digital evidence -Westerfield-van Dam case
Why is digital forensics (DF) important?
-95% of criminals leave evidence which could be investigated through computer forensic procedure -Criminals are getting smarter -Data-hiding/security technologies are getting better *cryptography *steganography -Computer systems are getting complex & vary
Partition
-A collection of consecutive sectors in a volume -A partition is also a volume -A partition system is dependent on the operating system and not the type of interface on the hard disk *Windows = FAT, NTFS *MAC = HFS, HFS + *Linux = Ext2 -The purpose of a partition system is to organize the layout of a volume *the starting and ending location for each partition is essential *no data in the first and last sector of a partition W4 slides 11-16
Slack Space
-A file must allocate a full data unit, even if it needs only a small part of it. -The unused bytes in the last data unit are called slack space -Considered allocated space -Two slack spaces *Ram Slack = between the end of the file and the end of the sector in which the file ends ^^OS determines what to pad the file content with (E.g. most OS fills with zeros, early Windows fill with data in memory) *File Slack = the remaining unused sectors in the data unit ^^some OSes wipe the sectors, others ignore them
Digital Forensic Investigation
-A process that develops and tests hypotheses to answer questions about already occurred digital events *what/who caused the event *when/why did the event occur -Driven by practical needs and available tools, not by fundamental theories
Hosted Protected Area (HPA)
-A special area of the disk that can be used to save data -A casual observer (including OS) might not see it. -IDE controller has registers that contain information about the connected hard drive that can be queried using ATA commands. -The size of HPA is configurable using ATA commands, and many disks have a size of 0 by default. *READ_NATIVE_MAX_ADDRESS *SET_MAX_ADDRESS *IDENTIFY_DEVICE -OS uses IDENTIFY_DEVICE to find out the size of hard drive -HPA-aware S/W or firmware (e.g., BIOS) can read HPA data -HPA is created at the end of the hard disk 0GB 19GB 20GB | | | V V V ---------------------------------------------- |User Addressable Sectors | HPA | ---------------------------------------------- ^ ^ IDENTIFY_DEVICE | READ_NATIVE_MAX_ADDRESS
Incident Response - Criminal Investigation
-A sworn law enforcement officer or "crime lab" technician can be incident responder -law enforcement can be called in after corporate personnel have done their own incident response if there is criminal activity
Strings and Character Encoding - Unicode
-ASCII *works if you use American English only *limited for the rest of the world because their native symbols cannot be represented. -Unicode *solves this problem by using more than 1 byte to store the numerical version of a symbol. *The version 4.0 Unicode standard supports over 96,000 characters, which requires 4-bytes per character instead of the 1 byte that ASCII requires. *Three ways of storing a Unicode character ^UTF (Unicode Transformation Formats)-32, UTF-16, UTF-8
Image File Format
-Additional descriptive data about acquisition *hash, acquisition time/date -Raw image is most flexible -Embedded image is common for proprietary solutions See slide 4 W4 for image
Admissible digital evidence
-Authenticity *evidence presented came from where he/she claims -Integrity *was not altered in any way during examination/no opportunity to be replaced or altered in the interim -Relevance *evidence must have a bearing on the event being investigated. *info about unrelated crime cannot be used -Reliability *should be no question about the truth of the investigator's conclusion. *use standardized/verified forensics tools and methods (Daubert guideline) -Legally Obtained *different regulation apples to internal/civil/criminal investigations while criminal investigation is most restrictive in terms of legal requirements. A judge can render evidence admissible or inadmissable
Sector Address in Hard Disk
-CHS *Cylinder address(C), Head number(H), Sector address(S) *based on physical address *obsolete, older computers still use it -LBA(logical block address) *LBA address 0 = CHS address 0,0,1 *LBA address 1 = CHS address 0,0,2 *CHS 0,1,1 = sector 1 of the second head in the same cylinder
The Daubert Test
-Case of Daubert v. Merrill Dow Pharmaceuticals established new criteria to determine the reliability, relevancy, and admissibility of scientific evidence -Guidelines for entering technical evidence into U.S. Court: *Has the procedure been published in journals and generally accepted? *Had the procedure been independently tested and what is the error rate?
Boot Process Components
-Central Processing Unit (CPU) -Basic Input Output System (BIOS) *also known as system BIOS, ROM BIOS, or PC BIOS -Complementary Metal Oxide Silicon (CMOS) *ram with battery
Search Warrant
-Clearly states what you are searching for -Clearly states the area you are authorized to search -Signed by a judge
Case Management
1. Incident alerts or accusation - crime or policy violation 2. Assessment of worth - prioritize/choose 3. Incident/crime scene protocols - actions at the scene; real/virtual 4. Identification or seizure - recognition and proper packaging 5. Preservation - integrity; modification free 6. Recovery - get it ALL; hidden/deleted 7. Harvesting - data about data 8. Reduction - filter then eliminate 9. Organization and search - focus 10. Analysis - Scrutinize 11. Reporting - detailed record 12. Persuasion and testimony - translate and explain
Five areas in GPT Disk
1. Protective MBR -contains a DOS partition table with one entry..The single entry is for a partition with a type of 0xEE that spans the entire disk. - This partition exists so that legacy computers can recognize the disk as being used and do not try to format it. - EFI does not actually use the partition, though. 2. GPT header - starts in sector 1 - defines the size and location of the partition table, which are fixed when the GPT disk is created. - Windows limits the number of entries in the partition table to 128. - also contains a checksum of the header and the partition table so that errors or modifications can be detected. 3. Partition Table - Each entry contains a starting and ending address, a type value, a name, attribute flags, and a GUID value. - The 128-‐‐ bit GUID is supposed to be unique for that system and is set when the partition table is created. 4. Partition Area - the largest area and contains the sectors that will be allocated to partitions. - The starting and ending sectors for this area (not the each partition area) are defined in the GPT header 5. Backup area - contains a backup copy of the GPT header and partition table. It is located in the sector following the partition area. See last few slides in W4
Binary and Hexadecimal
1001 0011 to Hexadecimal = 0x9 | 0x3 0x93 to Binary = 0x9 | 0x3 1001 0011