Chapter 5-9
American Standard Code for Information Interchange (ASCII)
Uses an 8-bit configuration; Unicode, by contrast, uses an 8-bit, a 16-bit, or a 32-bit configuration.
Registry
A database that stores hardware and software configuration information, network connections, user preferences, and setup information
geometry
A disk drive's internal organization of platters, tracks, and sectors.
attribute ID
A record field is referred to as an
sector
A section on a track, usually made up of 512 bytes.
Validation
A way to confirm that a tool is functioning as intended
Logical EOF
Actual ending of the file
Unicode
An international data format.
RAM slack
An unintentional side effect of FAT16 allowing large clusters was that it reduced fragmentation.
unallocated disk space
Area of the disk where the deleted file resides. Available to receive new data from newly created files or other files needing more space.
logical cluster numbers (LCNs)
When a disk is created as an NTFS file structure, the OS assigns logical clusters to the entire disk partition. These assigned clusters are called LCNs; they become the addresses that allow the MFT to link to nonresident files on the disk's partition.
tracks
Circles on a magnetic storage device where data is stored or retrieved.
physical address
Clusters and their addresses are specific to a logical disk drive, which is a disk partition. Sector numbers are called?
cylinder
Column of tracks on two or more disk platters. Typically, each platter has two surfaces: top and bottom.
Device drivers
Contain instructions for the OS for hardware devices
Inodes
Contain file and directory metadata and provide a mechanism for linking data stored in data blocks.
Boot Block
Contains the bootstrap code. A UNIX/Linux computer has only one of these on the main hard disk.
head
Device that reads and writes data to a drive.
Virtual machines
Enable you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment
File Allocation Table (FAT)
File structure database that Microsoft originally designed for floppy disks. It stores filenames, directory names, date and time stamps, the starting cluster number, and file attributes.
Hierarchical File System (HFS)
Files stored in nested directories (folders)
Keychains
Files used to manage passwords for applications, Web sites, and other system files. The Mac application Keychain Access enables you to restore passwords
Inode blocks
First data after the superblock. Assigned to every file allocation unit.
logical address
The first sector of all disks contains a system area, the boot record, and a file structure database. The OS assigns these cluster numbers, which are called
file system
Gives OS a road map to data on a disk
Computer Forensics Tool Testing (CFTT)
ISO standard 27037 states that Digital Evidence First Responders (DEFRs) should use validated tools, following a set of guidelines.
brute-force attack
If a password dictionary attack fails, you can run a
Encrypting File System (EFS)
Implements a public key and private key method of encrypting files, folders, or disk volumes
Fourth Extended File System (Ext4)
Improved management of large files and offered more flexibility. Adoption of Ext4 was slower in some Linux distributions. Now considered the standard file system for most distributions.
indirect pointers
In a file's inode, the first 10 pointers are called
Master Boot Record (MBR)
In a hexadecimal editor, such as WinHex, you can find the first partition at offset 0x1BE.
Apple File System (APFS)
Introduced in macOS High Sierra. When data is written to a device, metadata is also copied to help with crash protection.
Extended Format File System (HFS+)
Introduced with Mac OS 8.1. Supports smaller file sizes on larger volumes, resulting in more efficient disk use.
NT File System (NTFS)
Introduced with Windows NT. Primary file system for Windows 10. Microsoft's move toward a journaling file system. It records a transaction before the system carries it out.
recovery certificate
Is generated and sent to the local Windows administrator account.
data runs
The MFT record provides cluster addresses where the file is stored on the drive's partition; these are referred to as
password dictionary attack
Many password recovery tools have a feature for generating potential password lists
one-time passphrase
Many vendors use a bootable CD or USB drive that prompts for a
Write-blocker
Prevents data writes to a hard disk. This is the first item you should consider for a forensic workstation.
Verification
Proves that two sets of data are identical by calculating hash values or using another similar method. A related process is filtering, which involves sorting and searching through investigation findings to separate good data and suspicious data.
Reconstruction
Re-create a suspect drive to show what happened during a crime or an incident
Metadata
Records in the MFT are called
Superblock
Specifies disk geometry, available space, and keeps track of all inodes. Manages the file system.
Extents overflow file
Stores any file information not in the MDB or a VCB
Volume Control Block (VCB)
Stores information from the MDB when the OS mounts the volume
Second Extended File System (Ext2)
The early file system standard was
High Performance File System (HPFS)
The file system IBM uses for its OS/2 operating system.
Partition Boot Sector
The first data set of an NTFS disk. It starts at sector [0] of the disk drive and can expand up to 16 sectors.
Acquisition
The first task in digital forensics investigations is making a copy of the original drive.
Physical EOF
The number of bytes allotted on the volume for a file
double-indirect pointers
The pointers in the second layer are called
master file table (MFT)
The second database used by the NTFS file system to track the contents of a volume or logical drive.
file slack
The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.
Extraction
This function is the recovery task in a digital investigation and is the most challenging of all tasks to master. Recovering data is the first step in analyzing an investigation's data.
Reporting
To perform a forensics disk analysis and examination, you need to create a report. Use this information when producing a final report for your investigation.
link count
To see files and their inode numbers, you use the ls -ia command. Inside each inode is a field called
unified logging
To view the SQLite database, use the SQLite Database Browser (http://sqlitebrowser.org). You can also use the new macOS feature called
UTF-8 (Unicode Transformation Format)
One of the Unicode encodings, alongside UTF-16 and UTF-32. For Western-language alphabetic characters, UTF-8 is identical to ASCII.
partition gap
Unused space between partitions.
drive slack
Unused space in a cluster between the end of an active file and the end of the cluster.
Alternate data streams
Ways in which data can be appended to a file (intentionally or not) and potentially obscure evidentiary data. In NTFS, alternate data streams become an additional file attribute.
virtual cluster number (VCN),
When data is first written to nonresident files, an LCN address is assigned to the file. This LCN becomes the file's
Data blocks
Where directories and files are stored on a disk drive. This location is linked directly to inodes.
partition
Windows OSs can have three primary partitions followed by an extended partition that can contain one or more logical drives. Large unused gaps can exist between partitions on a disk.
bad block inode
Windows doesn't keep track of bad sectors, but Linux does in an inode called
logical block
a collection of data that can't exceed 512 bytes.
allocation block
a group of consecutive logical blocks. As volumes increase in size, one allocation block might be composed of three or more logical blocks. When you save a file, it's assigned to an
BootSect.dos
a hidden file, which contains the address (boot sector location) of each OS.
tarball
a highly compressed data file containing one or more files or directories and their contents. It's similar to Windows zip utilities and typically has a .tar or .gz extension.
hard link
a pointer that allows accessing the same file by different filenames (Rute-Users-Guide/Linux Dictionary V 0.16, www.tldp.org/LDP/Linux-Dictionary/html/index.html). The filenames refer to the same inode and physical location on a drive.
Hal.dll
allows the OS kernel to communicate with the computer's hardware. A dynamic link library located in the systemroot\Windows\System32 folder.
Symbolic links
are pointers to other files and aren't included in the link count.
Resource block
contains additional information, such as menus and dialog boxes. A volume is any storage medium used to store files.
Resilient File System (ReFS)
designed to address very large data storage needs such as the cloud.
Boot.ini
displays a boot menu.
B*-tree
file system in earlier Mac versions. Actual file data is stored on the leaf nodes. Also uses header, index, and map nodes.
Clumps
groups of contiguous allocation blocks. Reduce fragmentation.
National Software Reference Library (NSRL)
has compiled a list of known file hashes for a variety of OSs, applications, and images.
Recovery Key Agent
implements the recovery certificate
Ntoskrnl.exe
is the Windows XP OS kernel, located in the systemroot\Windows\System32 folder.
NTBootdd.sys
is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
NT Loader (Ntldr)
loads the OS.
plist files
preference files for installed applications on a system, usually stored in /Library/Preferences.
Third Extended File System (Ext3)
replaced Ext2 in most Linux distributions
Keyword search
speeds up analysis for investigators
map node
stores a node descriptor and map record.
header node
stores information about the B*-tree file.
index node
stores link information to previous and next nodes.
catalog
the listing of all files and directories on the volume and is used to maintain relationships between files and directories on a volume.
triple-indirect pointers
the pointers in the last or third layer are called
Personal identity information (PII)
Its loss, like that of trade secrets, is a major concern with computer theft; of particular concern is the theft of laptop computers and handheld devices. To help prevent loss of information, software vendors now provide whole disk encryption.
data fork
typically contains data the user creates, such as text or spreadsheets
bootstrap process
Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.