Forensics Midterm 2
metadata
data that describes a file (its timestamps, size and the addresses of its content)
application
data that provides special features (for example a journal) and is not required to read the file itself
damaged data units
file systems can mark a data unit as damaged; a user can manually mark good units as damaged to hide data in them; acquisition tools that report bad sectors should describe how they handle them
file system, content, metadata, file name, application
five categories of file system data
next
searches for a free cluster starting from the last allocated cluster
file name
human-readable name for a file's content
Byte
the smallest unit of stored data; ASCII uses one byte per character
FAT File system boot sector
located in the first sector of the FAT file system, inside the reserved area; FAT12/16 and FAT32 have the same initial 36 bytes
dd duplication
works over numerous hardware connections; bit-level copy that transfers an exact duplicate; usually more than one copy is made
Secondary Extended Partition
partition that contains a partition table and a secondary file system partition
Primary Extended Partition
partition whose entry in the MBR table points to additional partitions
Primary File System
partition whose entry is in the MBR and which contains a file system or other structured data
File Allocation Table
primary file system of MS-DOS and Windows 9x, still supported in later Windows versions; built from two data structures (the FAT and directory entries)
RAM
slack between the end of a file and the end of its last sector; historically filled with whatever was in memory, so it might contain sensitive data such as encryption information
FILE
slack made up of the remaining unused sectors in the file's last cluster
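The two slack regions above can be located arithmetically from the file size and the cluster geometry. The following is an added Python example (not part of the original notes); the 512-byte sector size, the 4-sector cluster and the sample cluster contents are constructed for illustration.

```python
import math

SECTOR_SIZE = 512   # assumption for this example; read the real value from the boot sector


def slack_layout(file_size: int, sectors_per_cluster: int) -> dict:
    """Compute where RAM slack and file slack sit for a file of file_size bytes."""
    cluster_size = SECTOR_SIZE * sectors_per_cluster
    clusters = max(1, math.ceil(file_size / cluster_size))
    used_in_last = file_size - (clusters - 1) * cluster_size    # data bytes in the last cluster
    sectors_used = math.ceil(used_in_last / SECTOR_SIZE)
    ram_slack = sectors_used * SECTOR_SIZE - used_in_last        # tail of the last data sector
    file_slack = (sectors_per_cluster - sectors_used) * SECTOR_SIZE  # whole unused sectors
    return {
        "cluster_size": cluster_size,
        "clusters_allocated": clusters,
        "data_in_last_cluster": used_in_last,
        "ram_slack_bytes": ram_slack,
        "file_slack_bytes": file_slack,
        "total_slack_bytes": ram_slack + file_slack,
    }


def extract_slack(last_cluster: bytes, file_size: int, sectors_per_cluster: int) -> tuple:
    """Return (ram_slack, file_slack) byte strings carved from the file's last cluster."""
    lay = slack_layout(file_size, sectors_per_cluster)
    start = lay["data_in_last_cluster"]
    ram = last_cluster[start:start + lay["ram_slack_bytes"]]
    file_ = last_cluster[start + lay["ram_slack_bytes"]:lay["cluster_size"]]
    return ram, file_


# Constructed sample: a 1200-byte file stored in one 4-sector (2048-byte) cluster.
# 'D' = file data, 'r' = what an old OS left in RAM slack, 's' = stale file slack.
SAMPLE_FILE_SIZE = 1200
SAMPLE_CLUSTER = b"D" * 1200 + b"r" * 336 + b"s" * 512


if __name__ == "__main__":
    print(slack_layout(SAMPLE_FILE_SIZE, 4))
    ram, fs = extract_slack(SAMPLE_CLUSTER, SAMPLE_FILE_SIZE, 4)
    print(len(ram), "bytes of RAM slack,", len(fs), "bytes of file slack")
```

Note that NT-based Windows writes zeros into the sector tail, so RAM slack on a modern system is normally empty; file slack still holds whatever the previous occupant of those sectors left behind.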
dd, system to system, original
three hard drive duplication methods
RAM, FILE
two types of slack space
ASCII
used for strings, which are collections of single bytes; largest value is 0x7F; null terminated; American English only; the first 32 values (0x00-0x1F) are non-printable control characters
Unicode
used instead of ASCII for non-English languages
original
uses a blank drive added to the original system plus a boot disk to create a bit-level image
UTF-32
4 bytes per character; wastes space
binary
base 2; 8 bits = 1 byte; maximum value of a byte is 255
sector
A _____ is the smallest addressable unit of storage, traditionally 512 bytes
partitions
A hard disk volume contains
sectors
A volume contains a collection of _______ for data storage; they need not be consecutive
hard disk
A _______ is a volume located in consecutive sectors
0, cluster, EOF
Characteristics of the FAT area: an entry of [1] means the cluster is not allocated; an allocated entry contains the address of the next [2] in the chain; the last cluster of a chain holds an [3] marker (0x0FFFFFF8 or higher in FAT32)
used by DOS, Windows, Linux, IA32, FreeBSD and OpenBSD; 512 bytes in size
Characteristics of the MBR
Partition
Collection of consecutive sectors in a volume formatted with a file system; organizes the layout of a volume; dependent on the OS; starting and ending sectors are specified in the ___ table data structure
cluster, sector
The data area (excluding the root directory in FAT12/16) uses [1] addresses; the reserved area and the FAT area use [2] addresses.
cluster
Data area unit is a
name, directory, 8, byte
Directory entries in the FAT file system: contain the [1] and metadata; located in the clusters allocated to the file's parent [2]; the short name has only [3] characters plus 3 in the extension; the first [4] serves as the allocation status
36
FAT12/16 and FAT32 have different versions of the boot sector, but they both share the same initial _______ bytes
2, 4, 0, cluster
FAT16 uses [1]-byte entries; FAT32 uses [2]-byte entries; entries are numbered starting at [3], and each entry corresponds to the [4] with the same address
if the directory entry survives, the starting cluster and file size can still be found, but the file's cluster chain is no longer available (its FAT entries were zeroed); if the directory entry has been reused, neither the starting location nor the size of the file can be found
File recovery in FAT
cluster, sector
File systems use both ____ and ____ addresses
data unit
File systems use logical volume addresses and assign logical file system addresses that group consecutive sectors to form a ________
CHS, CHS, LBA, partition
Fill in the blanks for the entries in the MBR partition table: starting [1] address, ending [2] address, starting [3] address, number of sectors, flags, [4] type
cluster, directory, boot,
Fill in the blanks regarding the FAT. Two purposes: determine the allocation status of a [1]; find the next allocated cluster in a file or [2]. There are typically two FATs in a FAT file system, but the exact number is given in the [3] sector.
reserved, boot, first
The first FAT starts after the [4] sectors, whose count is also given in the boot sector. The total size of each FAT is also given in the [5] sector. The second FAT, if it exists, starts in the sector following the end of the [6] FAT.
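The boot sector cards above (the common 36 bytes, the reserved/FAT/data layout and where each FAT starts) describe a fixed byte layout, so the layout can be recovered by parsing. The following is an added Python example, not part of the original notes: it decodes the common fields, computes where each FAT, the root directory and the data area begin, and maps a cluster number to a sector. The sample boot sector is constructed, not taken from a real disk.

```python
import struct

BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of the boot sector


def parse_fat_boot_sector(sector: bytes) -> dict:
    """Decode the first 36 bytes shared by FAT12/16/32 and derive the layout.

    Field offsets (BIOS Parameter Block): 11 bytes/sector, 13 sectors/cluster,
    14 reserved sectors, 16 FAT count, 17 root entries, 19 total sectors (16-bit),
    21 media, 22 FAT size (16-bit), 24 sectors/track, 26 heads, 28 hidden sectors,
    32 total sectors (32-bit). FAT32 continues at 36 (FAT size) and 44 (root cluster).
    """
    if len(sector) < 512 or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte boot sector with 0x55AA signature")
    (bytes_per_sector, sectors_per_cluster, reserved, num_fats, root_entries,
     total16, media, fat_size16) = struct.unpack_from("<HBHBHHBH", sector, 11)
    total32 = struct.unpack_from("<I", sector, 32)[0]

    total_sectors = total16 or total32
    fat_size = fat_size16 or struct.unpack_from("<I", sector, 36)[0]   # FAT32 field
    # The root directory region exists only for FAT12/16 (root_entries is 0 on FAT32).
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    fat_start = reserved                                  # first FAT follows the reserved area
    root_dir_start = reserved + num_fats * fat_size
    data_start = root_dir_start + root_dir_sectors        # this sector holds cluster 2
    cluster_count = (total_sectors - data_start) // sectors_per_cluster

    # The FAT type is decided by the cluster count, not by any label in the sector.
    if cluster_count < 4085:
        fat_type = "FAT12"
    elif cluster_count < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"

    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved,
        "num_fats": num_fats,
        "fat_size_sectors": fat_size,
        "fat_starts": [fat_start + i * fat_size for i in range(num_fats)],
        "root_dir_start": root_dir_start,
        "data_area_start": data_start,
        "total_sectors": total_sectors,
        "cluster_count": cluster_count,
        "fat_type": fat_type,
        "media": media,
    }


def cluster_to_sector(layout: dict, cluster: int) -> int:
    """Translate a data-area cluster address into a file system sector address."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 do not exist in the data area")
    return layout["data_area_start"] + (cluster - 2) * layout["sectors_per_cluster"]


def build_sample_boot_sector() -> bytes:
    """Constructed FAT16 boot sector (not from a real disk) used as input below."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"                      # jump instruction
    sec[3:11] = b"MSDOS5.0"                          # OEM name
    # 512 B/sector, 4 sectors/cluster, 1 reserved sector, 2 FATs, 512 root entries,
    # total16 = 0 (value too large), media 0xF8 (fixed disk), 64 sectors per FAT
    struct.pack_into("<HBHBHHBH", sec, 11, 512, 4, 1, 2, 512, 0, 0xF8, 64)
    struct.pack_into("<HHII", sec, 24, 63, 255, 0, 65536)   # spt, heads, hidden, total32
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


if __name__ == "__main__":
    layout = parse_fat_boot_sector(build_sample_boot_sector())
    for key, value in layout.items():
        print(f"{key:20} {value}")
    print("cluster 2 -> sector", cluster_to_sector(layout, 2))
```

With the constructed values the first FAT starts at sector 1, the second at sector 65, the root directory at sector 129 and the data area (cluster 2) at sector 161; the cluster count of 16343 makes it FAT16 regardless of what the OEM name says.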
GPT Header
found in sector 1 (the second sector, LBA 1); defines the size and location of the partition table, fixed when the GPT is created; the table commonly has 128 entries
more common than a direct drive-to-drive copy; may include dates, hashes and times; can be split into smaller image segments
HDD image characteristics
serial ATA
hard drive interface with faster cable speed, no jumpers, and a direct connection to the controller (SCSI is the interface typically used for servers)
can
If a directory is deleted, its entry is free to be used for another file or directory, so you can/cannot recover the contents of the directory until the entry is written over.
disconnect the power.
If information is being written or destroyed,
do not disconnect the power.
If information is in plain view or is in use,
00
In the MBR partition table, a flag of _____ means not bootable (0x80 means bootable)
cluster
Is a group of sectors
can address only 504 MB of disk (1024 cylinders x 16 heads x 63 sectors x 512 bytes)
Limitations of CHS
memory
Media analysis includes _______ analysis
Big
Most systems use _____ endian byte ordering, with the exception of Pentium/IA-32, which is little endian.
Protective MBR (1), GPT Header (2), Partition Table (3), Partition Area (4), Backup Area (5)
Number the areas of a GPT disk from 1 (first) to 5 (last): Partition Area [ ], Protective MBR [ ], Partition Table [ ], Backup Area [ ], GPT Header [ ]
32, 2
One FAT entry is either 16 or [1] bits wide, that is [2] or 4 bytes respectively (a FAT12 entry is 12 bits).
preserve and log
Pulling the plug on a Windows machine will
cylinder, head, sector
A CHS sector address includes
HOST PROTECTED AREA
configurable size; located at the end of the hard drive; holds data hidden from the OS; the IDE/ATA controller registers can be queried with ATA commands to detect it (the sector count from IDENTIFY DEVICE is compared with READ NATIVE MAX ADDRESS)
446
The first _____ bytes of the MBR are boot code, a target for boot-sector viruses because that code runs each time the computer initializes
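The MBR cards (446 bytes of boot code, the four partition table entries with CHS and LBA addresses, the bootable flag, the 504 MB CHS ceiling) can be checked against real bytes with a small parser. The following is an added Python example, not part of the original notes. The sample MBR is constructed for illustration; the 255-head/63-sector geometry used for the CHS-to-LBA conversion is the usual translated geometry and is an assumption, and the four bytes standing in for the boot code are not a real boot loader.

```python
import struct

BOOT_CODE_SIZE = 446           # bytes 0-445: boot code, executed by the BIOS at each start-up
TABLE_OFFSET = 446             # four 16-byte partition entries follow the boot code
MBR_SIGNATURE = b"\x55\xAA"    # bytes 510-511
BOOTABLE_FLAG = 0x80           # 0x00 means not bootable


def decode_chs(raw: bytes) -> tuple:
    """Unpack the 3-byte CHS field: head | sector (6 bits) + cylinder high 2 bits | cylinder low 8 bits."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def chs_to_lba(cylinder: int, head: int, sector: int,
               heads: int = 255, sectors_per_track: int = 63) -> int:
    """Convert CHS to LBA; sectors are numbered from 1, heads and cylinders from 0 (assumed geometry)."""
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def chs_addressable_bytes() -> int:
    """The classic CHS ceiling: 1024 cylinders x 16 heads x 63 sectors x 512 bytes (~504 MB)."""
    return 1024 * 16 * 63 * 512


def parse_mbr(mbr: bytes) -> dict:
    """Parse the boot code and the four partition entries of a 512-byte MBR."""
    if len(mbr) != 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not an MBR")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        flag, start_chs, ptype, end_chs, start_lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)             # LBA and sector count are little-endian
        if ptype == 0x00:
            continue                           # empty slot
        entries.append({
            "index": i,
            "bootable": flag == BOOTABLE_FLAG,
            "type": ptype,
            "start_chs": decode_chs(start_chs),
            "end_chs": decode_chs(end_chs),
            "start_lba": start_lba,
            "sector_count": count,
            "end_lba": start_lba + count - 1,
            "extended": ptype in (0x05, 0x0F),     # primary extended partition
            "protective_gpt": ptype == 0xEE,       # GPT disk hiding behind a legacy table
        })
    return {"boot_code": mbr[:BOOT_CODE_SIZE], "entries": entries}


def build_sample_mbr() -> bytes:
    """Constructed MBR (not from a real disk): one bootable NTFS-type partition and one extended one."""
    mbr = bytearray(512)
    mbr[0:4] = b"\x33\xC0\x8E\xD0"   # stand-in for the boot code (xor ax,ax / mov ss,ax)
    # entry 0: bootable, type 0x07, starts at CHS (0,32,33) = LBA 2048, 204800 sectors,
    # ends at CHS (12,223,19) = LBA 206847
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\x20\x21\x00", 0x07, b"\xDF\x13\x0C", 2048, 204800)
    # entry 1: primary extended partition (type 0x05) right behind it; CHS fields saturated
    struct.pack_into("<B3sB3sII", mbr, 462, 0x00, b"\xFE\xFF\xFF", 0x05, b"\xFE\xFF\xFF", 206848, 100000)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for e in parse_mbr(build_sample_mbr())["entries"]:
        print(e, "start CHS as LBA:", chs_to_lba(*e["start_chs"]))
```

Comparing the CHS-derived LBA with the stored LBA field is a quick consistency check: a mismatch in a partition table that is not saturated at (1023,254,63) is worth a closer look.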
cluster
The purpose of the FAT is to record the allocation status of a ___ and to determine the next ___ in a file's chain
contents
The _____ of a file contain its actual data
reserved, FAT, data
Three parts of the FAT file system layout
blindly, clusters
Two approaches for choosing the remaining clusters in file recovery: [1] read the amount of consecutive data needed for the file size; read only from the unallocated [2]
UTF-8
1 to 4 bytes per character (1, 2, 3 or 4), with 1 byte used for the most heavily used (ASCII) characters
UTF-16
2 bytes for heavily used characters, 4 bytes (a surrogate pair) for the others
2
The first cluster in the real data area is cluster
Device Configuration Overlay
Using ________, vendors can configure how many sectors a hard drive reports (hiding the rest)
file system, application and operating system analysis; swap space; database; memory analysis
What four processes make up the scope of physical computer forensic analysis?
Directory Entries and File Allocation Table
What are the TWO data structures in the FAT system?
first available, best fit, next available
What are the three data unit allocation strategies?
Partition Table
What contains the starting and ending addresses, type value, name, flags and GUID of each partition on a GPT disk?
Protective MBR
What is a DOS partition table with a single entry of partition type 0xEE spanning the entire disk, so that a legacy computer recognizes the disk as in use and does not format it?
cluster
What is a group of sectors?
Partition Area
What is the largest area of the GPT disk, holding the sectors allocated to partitions, whose start and end sectors are defined in the GPT header?
Directory Entries
What part of the FAT file system holds the list of file names mapped to the clusters containing their content?
unused, 0
When a file is deleted within Windows, the directory entry is marked as [1] (its first byte set to 0xE5) and the FAT entries for its clusters are set to [2].
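The cards on the FAT area, directory entries, what deletion changes and the two recovery approaches fit together in one walk-through. The following is an added Python example, not part of the original notes: it builds a constructed FAT16 fragment (one sector per cluster, a deliberately fragmented REPORT.TXT in clusters 3, 4 and 6 while NOTES.TXT holds cluster 5), deletes the file the way Windows does, shows that the directory entry still gives the start cluster and size while the chain is gone, and then compares blind consecutive-cluster recovery with unallocated-only recovery. All data and names are constructed.

```python
import struct

CLUSTER_SIZE = 512       # constructed volume: one 512-byte sector per cluster
FAT16_EOF = 0xFFF8       # entries >= 0xFFF8 terminate a chain
FAT16_BAD = 0xFFF7       # cluster marked damaged


def build_dir_entry(name: str, ext: str, first_cluster: int, size: int, attr: int = 0x20) -> bytearray:
    """Build a 32-byte short-name directory entry (constructed; timestamps left zero)."""
    e = bytearray(32)
    e[0:8] = name.ljust(8).encode("ascii")
    e[8:11] = ext.ljust(3).encode("ascii")
    e[11] = attr
    struct.pack_into("<H", e, 26, first_cluster)   # FAT32 keeps the high 16 bits at offset 20
    struct.pack_into("<I", e, 28, size)
    return e


def parse_dir_entry(entry: bytes) -> dict:
    """Decode allocation status, name, starting cluster and size from a directory entry."""
    first = entry[0]
    status = {0x00: "unused", 0xE5: "deleted"}.get(first, "allocated")
    raw_name = bytearray(entry[0:8])
    if first == 0xE5:
        raw_name[0] = ord("_")   # the first character was overwritten by the delete marker
    name = raw_name.decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    return {"status": status, "name": f"{name}.{ext}" if ext else name, "attr": entry[11],
            "first_cluster": struct.unpack_from("<H", entry, 26)[0],
            "size": struct.unpack_from("<I", entry, 28)[0]}


def follow_chain(fat: list, start: int) -> tuple:
    """Walk the FAT from start; returns (clusters, reason) with reason eof/unallocated/bad/invalid."""
    chain, c = [], start
    while True:
        if c < 2 or c >= len(fat) or c in chain:
            return chain, "invalid"
        if fat[c] == 0:
            return chain, "unallocated"      # deleted file: its FAT entries were zeroed
        chain.append(c)
        if fat[c] == FAT16_BAD:
            return chain, "bad"
        if fat[c] >= FAT16_EOF:
            return chain, "eof"
        c = fat[c]


def delete_file(entry: bytearray, fat: list) -> None:
    """What Windows does on delete: mark the entry 0xE5, zero the chain, leave the data in place."""
    chain, _ = follow_chain(fat, parse_dir_entry(entry)["first_cluster"])
    for c in chain:
        fat[c] = 0
    entry[0] = 0xE5


def read_cluster(data_area: bytes, cluster: int) -> bytes:
    off = (cluster - 2) * CLUSTER_SIZE        # cluster 2 is the first cluster of the data area
    return bytes(data_area[off:off + CLUSTER_SIZE])


def recover_blind(data_area: bytes, entry: bytes) -> bytes:
    """Approach 1: read as many consecutive clusters as the size needs, from the first cluster on."""
    info = parse_dir_entry(entry)
    needed = -(-info["size"] // CLUSTER_SIZE)
    data = b"".join(read_cluster(data_area, info["first_cluster"] + i) for i in range(needed))
    return data[:info["size"]]


def recover_unallocated(data_area: bytes, fat: list, entry: bytes) -> bytes:
    """Approach 2: read only unallocated clusters, skipping any cluster a live file owns."""
    info = parse_dir_entry(entry)
    needed = -(-info["size"] // CLUSTER_SIZE)
    chunks, c = [], info["first_cluster"]
    while len(chunks) < needed and c < len(fat):
        if fat[c] == 0:
            chunks.append(read_cluster(data_area, c))
        c += 1
    return b"".join(chunks)[:info["size"]]


def build_sample_volume() -> tuple:
    """Constructed FAT16 fragment: REPORT.TXT in clusters 3 -> 4 -> 6; NOTES.TXT owns cluster 5."""
    fat = [0] * 16
    fat[0], fat[1] = 0xFFF8, 0xFFFF                 # media byte and reserved entry
    data = bytearray(CLUSTER_SIZE * 14)             # clusters 2..15

    def put(cluster, payload):
        off = (cluster - 2) * CLUSTER_SIZE
        data[off:off + len(payload)] = payload

    fat[3], fat[4], fat[6] = 4, 6, 0xFFFF
    put(3, b"A" * 512)
    put(4, b"B" * 512)
    put(6, b"C" * 176)
    fat[5] = 0xFFFF
    put(5, b"N" * 512)
    return fat, data, build_dir_entry("REPORT", "TXT", 3, 1200), build_dir_entry("NOTES", "TXT", 5, 512)
```

Blind recovery returns cluster 5 (NOTES.TXT data) as the third cluster of REPORT.TXT, while reading only unallocated clusters skips it and reaches cluster 6. Neither approach is guaranteed: if the file was fragmented across unallocated clusters that belonged to other deleted files, both will splice in foreign data.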
Backup Area
Where is the GPT header also contained?
Tape over floppy and power
Which NIJ process guideline differs from the general guidelines to secure the scene and preserve evidence?
LBA
Which addressing scheme is logical and does not correspond to a physical location on the disk?
EnCase
Which forensics tool can access the Host Protected Area?
Advanced Technology Attachment, Serial ATA
Which two are the most common hard drive interface types?
original
Which of the hard drive duplication methods is best suited when transport is impractical?
Software
Which type of write blocker works by intercepting I/O requests: if the request is a write, then exit (block it), else continue?
can be wiped with 0's or modified, is a duplicate copy, is a raw image
Write to disk image parameters
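The duplication cards (dd making a bit-level copy, disk images that carry hashes, acquisition tools that must report how bad sectors were handled) describe a procedure that is easy to get subtly wrong, so here is an added Python example, not from the original notes, that images a drive sector by sector, zero-fills unreadable sectors while logging their LBAs (the dd conv=noerror,sync behaviour), hashes the result, and verifies the image afterwards. The FakeDrive class and its eight sectors are constructed for the example; a real acquisition would read from a write-blocked device.

```python
import hashlib
import io

SECTOR = 512


class BadSectorError(IOError):
    """Raised by the constructed drive when a sector cannot be read."""


class FakeDrive:
    """Stand-in for a raw block device (constructed); sectors listed in `bad` fail to read."""

    def __init__(self, data: bytes, bad: set):
        if len(data) % SECTOR:
            raise ValueError("drive size must be a whole number of sectors")
        self._data, self._bad = data, set(bad)
        self.sector_count = len(data) // SECTOR

    def read_sector(self, lba: int) -> bytes:
        if lba in self._bad:
            raise BadSectorError(f"I/O error at LBA {lba}")
        return self._data[lba * SECTOR:(lba + 1) * SECTOR]


def image_drive(drive, out) -> dict:
    """Bit-level copy, one sector at a time. Unreadable sectors are replaced by
    zeros so every later sector keeps its original offset in the image, and each
    bad LBA is recorded so the report can state exactly how errors were handled."""
    sha = hashlib.sha256()
    bad = []
    for lba in range(drive.sector_count):
        try:
            chunk = drive.read_sector(lba)
        except BadSectorError:
            chunk = b"\x00" * SECTOR
            bad.append(lba)
        sha.update(chunk)
        out.write(chunk)
    return {"sectors": drive.sector_count, "bytes": drive.sector_count * SECTOR,
            "sha256": sha.hexdigest(), "bad_sectors": bad}


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the image; a match shows the stored copy equals what was read."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def make_sample_drive() -> FakeDrive:
    """Eight-sector constructed drive ('A' * 512, 'B' * 512, ...) with sector 5 unreadable."""
    data = b"".join(bytes([0x41 + i]) * SECTOR for i in range(8))
    return FakeDrive(data, bad={5})


def image_sample() -> tuple:
    """Image the sample drive into memory; returns (report, image bytes)."""
    buf = io.BytesIO()
    report = image_drive(make_sample_drive(), buf)
    return report, buf.getvalue()


if __name__ == "__main__":
    report, image = image_sample()
    print(report)
    print("verified:", verify_image(image, report["sha256"]))
```

The hash in the report is the hash of the image as written (zero-filled sectors included), which is what can be re-verified later; the bad-sector list is what explains why that hash will never match a hash of the original media.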
file system
contains general file system information telling where the data structures are located
first
[1] available: searches for a free cluster from the beginning of the file system
root
____ directory is always at the beginning of the data area in FAT12/16 (in FAT32 its starting cluster is given in the boot sector, usually cluster 2)
File
_____ systems create and modify files, are independent of any specific computer, store data in a hierarchy, and are created within partitions
FAT Table
___________ tells which clusters are allocated or available for file names and contents
Secondary File System Partition
also called a logical partition; located inside a primary extended partition and contains a file system or other structured data
decimal
base 10
hex
base 16; digits 0-9 and A-F
system to system
boot the source system from CD, DVD, USB or floppy and transfer the image over a serial, parallel, Ethernet or USB connection
best fit
allocates consecutive data units that fit the file; minimizes fragmentation
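The allocation strategy cards (first available from the beginning, next available from the last allocated cluster, best fit into the smallest run of consecutive units) matter to recovery because the strategy decides where a newly written file landed and therefore which deleted data it overwrote. The following is an added Python example, not from the original notes: it implements the three strategies over a simple allocation bitmap and applies them to the same constructed starting state so the differences are visible. The bitmap string and the "last allocated unit" value are constructed.

```python
def free_runs(bitmap: list) -> list:
    """Return (start, end) pairs of consecutive free data units."""
    runs, start = [], None
    for i, used in enumerate(list(bitmap) + [True]):   # sentinel closes a trailing run
        if not used and start is None:
            start = i
        elif used and start is not None:
            runs.append((start, i - 1))
            start = None
    return runs


def first_available(bitmap, need, last_allocated=None):
    """Scan from the beginning of the file system; take the first free units found."""
    free = [i for i, used in enumerate(bitmap) if not used]
    return free[:need] if len(free) >= need else None


def next_available(bitmap, need, last_allocated):
    """Scan onward from the last allocated unit, wrapping around to the start."""
    order = list(range(last_allocated + 1, len(bitmap))) + list(range(0, last_allocated + 1))
    free = [i for i in order if not bitmap[i]]
    return free[:need] if len(free) >= need else None


def best_fit(bitmap, need, last_allocated=None):
    """Pick the smallest run of consecutive free units that holds the whole file."""
    fits = [(s, e) for s, e in free_runs(bitmap) if e - s + 1 >= need]
    if not fits:
        return None                    # no contiguous space; a real file system would fall back
    s, _ = min(fits, key=lambda r: r[1] - r[0])
    return list(range(s, s + need))


def allocate(strategy, bitmap, need, last_allocated=None):
    """Apply a strategy, mark the chosen units allocated in place, return them (or None)."""
    chosen = strategy(bitmap, need, last_allocated)
    if chosen is not None:
        for i in chosen:
            bitmap[i] = True
    return chosen


def fragment_count(units: list) -> int:
    """Number of separate runs a file is split into (1 means contiguous)."""
    return 1 + sum(1 for a, b in zip(units, units[1:]) if b != a + 1)


def bitmap_from_string(s: str) -> list:
    """'X' = allocated, '.' = free; the index is the data unit number (constructed sample)."""
    return [ch == "X" for ch in s]


SAMPLE_BITMAP = "XX..X....X..X..."   # constructed: free runs of 2, 4, 2 and 3 units
SAMPLE_LAST_ALLOCATED = 9           # constructed: the most recent allocation went to unit 9


if __name__ == "__main__":
    for name, strategy in (("first available", first_available),
                           ("next available", next_available),
                           ("best fit", best_fit)):
        chosen = allocate(strategy, bitmap_from_string(SAMPLE_BITMAP), 3, SAMPLE_LAST_ALLOCATED)
        print(f"{name:16} {chosen}  fragments={fragment_count(chosen)}")
```

For a three-unit file on the sample bitmap, first available produces a fragmented file in units 2, 3 and 5, next available skips the early gap entirely and lands in 10, 11 and 13, and best fit chooses the run 13-15 because it is the smallest run that fits.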
content
contains data that comprise the actual content of a file