COMPUTER FORENSICS
HOW DATA IS STORED
Generally speaking, an HDD needs to have its space defined before it is ready for use. Partitioning the HDD is the first step. When partitioned, HDDs are mapped (formatted) and have a defined layout.
RAM
Referred to as volatile memory because it is not permanent; its contents undergo constant change and are forever lost once power is taken away from the computer.
Motherboard
The main circuit board contained within a computer. The computer, aware that it may need certain data at a moment's notice, stores the data in RAM.
FORENSIC IMAGE ACQUISITION 2
Because booting an HDD to its operating system changes many files and could potentially destroy evidentiary data, obtaining data is generally accomplished by removing the HDD from the system and placing it in a laboratory forensic computer so that a forensic image can be created.
Hardware
Comprises the physical components of the computer.
Software
Conversely, a set of instructions compiled into a program that performs particular tasks on the hardware.
LATENT DATA
Data of which the operating system is unaware. The constant shuffling of data through deletion, defragmentation, swapping, and so on is one of the ways that data is orphaned in latent areas. Finally, when a user deletes files, the data typically remains behind.
Hard Disk Drive 2 (HDD)
Examiners must be familiar with the file system that they are examining. Evidence exists in many locations and in numerous forms on an HDD. The type of evidence can be grouped under two major sub-headings: visible and latent data.
THE BASICS
Hardware vs. software
IP ADDRESSES
IP addresses provide the means by which data can be routed to the appropriate location, and they also provide the means by which most Internet investigations are conducted. IP addresses take the form ###.###.###.###, in which, generally speaking, ### can be any number between 0 and 255.
TEMPORARY FILES AND SWAP SPACE
Temporary files, created by programs as a sort of "back-up on the fly," can also prove valuable as evidence. Finally, data in the swap space (utilized to conserve valuable RAM within the computer system) can yield evidentiary data.
VISIBLE DATA
The data of which the operating system is aware. Consequently, this data is easily accessible to the user.
INTRODUCTION
The use of computers and other electronic data storage devices leaves the footprints and data trails of their users. Computer forensics involves the preservation, acquisition, extraction, and interpretation of computer data.
FORENSIC IMAGE ACQUISITION
Throughout the entire process, the computer forensic examiner must adopt the method that is least intrusive. The goal of obtaining data from an HDD is to do so without altering even one bit of data.
Hard Disk Drive (HDD)
Typically the primary location of data storage within the computer. Different operating systems map out (partition) HDDs in different manners.