Midterm Study CSE469

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

CHS addresses have a limit of xx GB, what overcome this?

8GB, LBA

●Maintaining the integrity of the evidence

Acquisition and Authentication

Copy the evidence/data without altering or damaging the original data or scene.

Acquisition/Preparation/Preservation

●Not essential to file system operations. Journal

Application category

Prove that the recovered evidence/data is the same as the original data.

Authentication

●Protect the integrity of the evidence. ●Maintain control until final disposition. ●At Booting, HD disconnection and HD Lock. ●Verify the forensic/exact image.

Authentication

Acquisition Must be done concurrently with

Authentication: to prove that the recovered evidence/data is the same as the original data.

What is the first section and the size in the ext4 layout

Boot code, 1024 bytes (2 sectors)

Investigating criminal activities using scientific knowledge or methods to produce evidence for legal actions

Digital Forensics

the application of technical knowledge to extract information from evidence while adhering to a lawful process.

Digital forensics

Refers to the sequential order in which bytes are arranged into larger numerical values when stored in memory or when transmitted over digital links

Endianness

●a.k.a Human interface category. ●Name of the file. ●Normally stored in contents of a directory along with location of the file's metadata.

File name category

( ) files result when we don't do a good job of predicting what space we need

Fragmented

Three Levels of Law Enforcement Expertise

Level 1: Street police officer Level 2: Detective Level 3: Digital forensics expert

●Data that describes a file (except for the name of the file!). ●Size, locations of content, times modified, access control info.

Metadata category

Storing data in ( ) locations improves performance when reading, writing, and updating

contiguous.

What command shows the contents of the super block?

dumpe2fs

How to see the inode number?

ls -ai

LBA = (((C * XXX) + H) * XXX) + S -1

Number of heads per cylinder (HPC). Number of sectors per track (SPT).

Digital forensics involves

Obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.

Legacy operating systems used to read an entire block of data from RAM when writing to disk, whether or not the entire block was part of the file being written

RAM slack

Bytes/records can be read in any order Writing can replace existing bytes or records. Seek operation moves current file pointer.

Random Access Method

"Universal" data format - not specific to any tool Requires as much storage as original disk or data

Raw

lists, creates, deletes, and verifies of partitions in Linux

fdisk

Relative to the start of the volume in logical volume address?

Logical "Disk" Volume Address (LDVA)

Relative to the start of the partition.?

Logical "Partition" Volume Address (LPVA)

Managing scheme of the volumes for data storage separately from the underlying physical disks in Linux

Logical Volume Management (LVM)

What is the usual size of the block in Linux ?

4096

what is the size of the bootstrap code in MBR?

446 bytes

What is the size of the MBR?

512 bytes

First step in the forensic process

Acquisition

●Legal rules which determine whether potential evidence can be considered by a court.

Admissibility

Provide compressed or uncompressed image files. No size restriction for disk-to-image files. Provide space in the image file or segmented files for metadata. Open source for multiple platforms and OSs - no vendor lock-in. Internal consistency checks for self-authentication.

Advanced Forensics Format ●*.afd for segmented image files. ●*.afm for AFF metadata.

The assurance that a message, transaction, or other exchange of information is from the source it claims to be from

Authenticity

Prevent/detect/deter improper denial of access to services provided by the system

Availability

●Puts the Most Significant Byte of the number in the first storage byte. ●Sun SPARC, Motorola Power PC, ARM, MISP.

Big-endian

If there are 23 or more in a particular place, the probability that two or more of them have the same birthday is greater than 0.5

Birthday attack

To copy Contents of evidence written to a storage device that exactly matches the make and model of the original: a literal duplicate of the original. Only used when something about the storage device itself is important.

Bit-stream disk-to-disk

Set of blocks. Size is configurable but always has the same structure which numbered starting at 0

Block group

Before power on, we need to change it first, when we acquire the hdd as an evidence.

Boot sequence

One of the most important things to consider in private investigations

Business continuity

Access items in file based on the contents of (part of) an item in the file. Provided in older commercial operating systems (IBM ISAM).

Keyed (or Indexed) Access Methods

What is the meaning of the 0x83 in offset 0x04 of the 1st partition entry?

Linux FS

●Puts the Least Significant Byte of the number in the first storage byte. ●IA32-based systems.

Little-endian ordering

What is meaning of permission mode 0754

see figure slide 33

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue

the Fourth Amendment

Public vs Private Investigations

the law enforcement officers w/ the statutes in the criminal law. vs. corporations, organizations w/ statutes of the civil law

what is the essential data in partition analysis

the starting and ending location for each partition

Four Rules of Evidence

●Authenticity ●Admissibility ●Completeness ●Reliability / Accuracy

Three Time Attributes

●M-A-C - mtime: Modified time - atime: Accessed time - ctime : changed time

Digital Forensics Objectives

●Retrieve data from a suspect's digital devices ●Figure out what happened, when, and who was responsible. ●Collect computer evidence for judicial purposes. ●the preservation, identification, extraction, documentation, and interpretation of computer data. ●Must be able to show proof

●Unidirectional relationship between a filename and the file. ●Directory entry contains text describing absolute or relative path name of original file. ●If the source file is deleted, the link exists but pointer is invalid.

●Symbolic (soft) links

2 types of the links in Linux system

●Symbolic (soft) links ●Hard links

How many partition entries are in the MBR? and the size of each one?

4 and 16 bytes

All bits from the evidence are copied to a file: a virtual duplicate of the original. Referred to as an "image" or "image file".

Bit-stream disk-to-image file

●General info about the file system. ●Size and layout, location of data structures, size of data units.

File system category

The assurance that someone cannot deny something, such as the receipt of a message or the authenticity of a statement or contract.

Non-repudiation

Collection of consecutive sectors in a volume.

Partitions

●How to collect the targeted evidence ●Prepare an evidence form and establish a chain of custody ●How to transport the evidence to a digital forensics lab ●How to secure evidence in an approved secure container

Planning

sabotage, embezzlement, and industrial espionage

Private investigations

Two Elements of Digital Forensics

Process and Technical Knowledge

drug crimes, sexual exploitation, and theft

Public investigations

State what you did and what you found, and show conclusive evidence

Reporting and Documentation

The way you communicate the results of your forensic examination of the evidence

Reporting/Documentation

The BIOS hardware is now being replaced by it. Adapted the GPT partitioning scheme instead of MBR.

UEFI (Unified Extensible Firmware Interface)

●Covers 163 modern and historic scripts, as well as multiple symbol sets and emoji.

Unicode

Collection of addressable sectors that an OS or application can use for data storage.

Volume/Partition

Command or tool to acquire data in Linux.Creates a raw format file that most computer forensics analysis tools can read.

dd ("data dump")

What kinds of tools are needed to extract the data in partitions?

ddmmlshex editors

What is the file type 2 in the directory entry table?

directory

What is the Linux file system format which organizes a disk into blocks and block groups ?

ext

The part of drive slack that isn't RAM slack

file slack

●Hard link: A { } that points to an { } ●Everything has a hard link to it. ●Soft link: An { } that points to a { } ●Optional.

filename, inode inode, filename

What contains the metadata about the file in EXT filesystems but does not contain the name of the file?

inode

When you are creating the file system you must ( ) of where data is stored.

keep track

Information about a file. Data about the data, Maintained by the file system. Separate from file itself but Usually attached or connected to the file.

metadata

What kinds of attributes are there in file?

name, type, date/time, size, protection, locks

What is the Linux command to see the detail file or file system's metadata?

stat filename fsstat image

Obtaining evidence covered by

the Fourth Amendment

Four Steps for Forensics Process/Flow

●Acquisition/Preparation/Preservation ●Authentication ●Analysis/Examination/Evaluation ●Reporting/ Presentation/ Documentation/Interpretation

What kinds of the info is stored in super block?

●Block size ●Total # of blocks ● # blocks per group ●# reserved blocks before group 0 ●# of inodes (total) ●# of inodes per block group

Data Recovery vs Digital Forensics

●Data Recovery - Retrieving data accidentally deleted - User WANTS it back ●Digital Forensics - Retrieving data the user deliberately obscured - User DOESN'T want it back

What are there in Directory Considerations

●Efficiency: locating a file quickly. ●Naming: convenient to users. ●Grouping: logical grouping of files by properties.

Bidirectional relationship between file names and files. ● a directory entry that points to a source file's metadata (inode). ●Metadata maintains the reference count of the number of its pointing to it ●Link reference count is decremented when a hard link is deleted. ●File data is deleted and space freed when the link reference count goes to zero.

●Hard links:

3 considerations to make file systems

●Need a location to store metadata for each file ●Directory structure ●Advanced features (self-healing files, automatic defragmentation)

Desirable Properties of Hash Functions

●Performance: Easy to compute H(m) ●Preimage resistance: Given a hash value h, it's computationally infeasible to find an m that H(m)=h ●2nd preimage (weak collision) resistance: Given m, it's computationally infeasible to find m' such that H(m')=H(m) and m'!=m ●Strong collision resistance: Computationally infeasible to find m, m' such that H(m)=H(m')

3 methods for accessing files

●Sequential Access Methods (SAM) ●Random Access Methods (RAM) ●Keyed (or indexed) Access Methods (KAM)

Four layers Forensic Analysis in media devices

●Storage media (Physical) layer analysis: storage locations of partitions and volumes ●Volume layer analysis: where the file system or data ●File system layer analysis: data structures ●Application layer analysis: to determine what program we should use.

3 features of Hash functions

1. Various Input and Unique fixed-length output 2. One-Way function (irreversible process) 3. Collision resistance

Two Acquisition Types

1. Static (or dead) acquisitions 2. Live acquisitions

When inode number is set to 0?

Deleting a File in ext4

A tool for users and applications to organize and find files.The data structure for OS to locate files (i.e., containers) on disk.

Directory (folder)

A large amount of information or data that lives a very long time and usually organized as a linear array of bytes or blocks. It is also often requiring concurrent access by multiple processes. Called a container of the information

File

What maps file names and offsets to disk blocks

File system

Five Reference model catagories

File system categoryContent categoryMetadata categoryFile name categoryApplication category

the first international treaty seeking to address Internet and computer crime (cybercrime)

The Convention on Cybercrime (Budapest Convention on Cybercrime), 2001

Forensic Science

The application of science to those criminal and civil laws that are enforced by police agencies in a criminal justice system

Where is MBR located in the disk?

The first sector (CHS 0,0,,1)

Six steps for Systematic Approach in Digital Forensics

1. Initial Assessment 2. Planning 3. Resource determination 4. Evidence acquisition and authentication 5. Risk identification, mitigation & Investigation 6. Reporting and Evaluation

Three Acquisition Methods

1. Logical Acquisition 2. Sparse Acquisition 3. Bit-stream Copy or Acquisition

Concentric circles on a disk platter

Track

3 steps in boot process.

1. POST (check HW) 2. MBR (seek boot code) 3. Bootloader (load OS)

What is the Boot signature code in MBR?

0x55 0xAA

What is the size of the LBA of the first sector in the partition?

1 double word (4 bytes)

What is the size of the Number of Sectors in the Partition?

1 double word (4 bytes)

What is the meaning of the 0x80 in offset 0x00 the 1st partition entry?

0x00=Inactive, 0x80=Active

Two types of bit-stream copies

1.Bit-stream disk-to-disk 2.Bit-stream disk-to-image file

Partition Analysis Steps

1.Locate the partition tables 2.Process the data structures to identify the partition layout of the volume 3.Conduct the consistency checks

What states that if n items are put into m containers, with n > m, then at least one container must contain more than one item

The pigeonhole principle

Provides a paper trail that tracks each time someone handles a piece of physical evidence

Chain of Custody (Evidence)

Prevent/detect/deter improper disclosure of information

Confidentiality

Goals of Computer Security (CIA Triad)

Confidentiality, Integrity, Availability

●Data on the actual files - the reason file systems exist. ●Organized into collections of standard-sized containers

Content category

What kinds of operations are there in file?

Create, Delete, Open, Close, Read, Write, Truncate, Seek, Tell

A column of tracks on disk platters

Cylinder

Describes the layout of the data

Data Structures

The area on a disk that is allocated to a file, but doesn't store any of the file's data

Drive Slack

What is the tool to acquire volatile memory

FTK imager (AccessData)

How can you prove two digital things are exactly the same?

Hash functions (Message Digests)

The device that reads and writes data to a drive in hard disk

Head

In six steps, ●Situation: ●Nature of the case: ●Specifics of the case: ●Type of evidence: ●Operating system: ●Known disk format: ●Location of evidence:

Initial Assessment

Prevent/detect/deter improper modification of information

Integrity

Discover, Extract, and Analyze the data

Investigation

A section on a track

Sector

Read all bytes or records in order from the beginning. Writing implicitly truncates files Cannot jump around

Sequential Access Method

What is the first block and the size in the block group? It stores layout info for the file systems

Super block, 1 block

How to overcome 2038 problem in ext4 filesystems?

They extends the time values from 32 bits to 64.and takes the the last two bits the least significant two bits in the new time field of the extended time


Kaugnay na mga set ng pag-aaral

Exam Three Study Guide - Psy 319

View Set

Poser des questions en français

View Set

intro to it (artificial intelligence)

View Set