chapters 15, 16, 17, 18, & 19
cpu
performs mathematical calculations and runs programs
bios
basic input and output system — contains information necessary for computer components to communicate with one another and stores some basic preferences
bios passwords
can present a barrier when digital investigators need to boot a computer. circumvent the password by resetting the cmos or having an expert control the heads to overwrite the password
post
(power on self test) part of bios that checks hardware at power on to ensure it is operating correctly
cmos
(complementary metal oxide silicon)
what is data on disks stored based on
“endianness” of the processor
binary
ones and zeroes, representing on and off. most basic number system
file format
standard way that information is encoded for storage in a computer file
hard disk drive
stores data by magnetizing physical spots on a spinning disk
solid state drive
uses nand flash memory cells to store bits(?)
one sector
512 bytes
one cluster
4-8 sectors
how can data be hidden on a disk
unallocated areas, slack spaces, changed name or file extensions, hidden within other files, limits of forensic tools, encryption
private key encryption
one shared private key is used for encryption and decryption
public key encryption
one private key and one public key are used for encryption and decryption respectively
encryption
changing original text into a secret message using cryptography
decryption
changing secret message back to original form
cleartext data
data stored or transmitted without encryption
plaintext
data to be encrypted
key
mathematical value entered into the algorithm to produce ciphertext
hash algorithms
creates a unique digital fingerprint for a set of data
hashing algorithm characteristics
fixed size, unique, original, secure
most common hash algorithms
message digest, secure hash algorithm, whirlpool, ripemd, password hashes
message digest 2 (MD)
added padding to make short messages 128 bits, 32-byte output
message digest 4
length of message padded to 512 bits, has flaws
message digest 5
addresses md4’s flaws, uses four variables of 32 bits each in a round-robin fashion to create a value
secure hash algorithm (SHA)
more secure than MD
original cryptographic algorithms
data encryption standard, triple data encryption standard, advanced encryption standard
data encryption standard
block cipher that divides plaintext into 64-bit blocks and then executes the algorithm 16 times
advanced encryption standard
official encryption standard used by the U.S. government, replaced DES
weakness of symmetric algorithms
distributing and maintaining a secure single key among multiple users distributed geographically
asymmetric cryptographic algorithms / public key cryptography
requires a pair of keys
RSA
Ron Rivest, Adi Shamir, and Leonard Adleman; most common asymmetric cryptography algorithm that uses two large prime numbers
elliptic curve cryptography
uses sloping curves; add the values of two points on the curve to derive a third one
file systems
tells operating systems where to find files and pieces of files
FAT file systems
maps file clusters in a table
ntfs
much more complex than FAT, more efficient. uses unicode instead of ascii
MFT
master file table, contains a list of records that store most of the information needed to locate data on the disk
uninitialized space
space that is allocated to a file that is not in use
data recovery
recovering deleted data from unallocated space
file carving
another approach to recovering deleted files
slack space
leftover storage space on a computer's hard disk drive when a file does not need all the space it has been allocated
log files
stores various records of events; may contain information about user accounts that were used to commit a crime and can show that a user account might have been stolen
log data analysis process
analyze the number of events, variety of events, network behaviors, the ability, capacity, and performance metrics of hardware, and software security metrics according to the compromise methods involved
windows registry
database of information, settings, options, and other values for software and hardware installed on all versions of microsoft windows operating systems
registry
database that contains default settings, user, and system defined settings in windows computers; monitors, observes, and records the activities performed by the user in the computer
chrome history file
contains urls visited, timestamps, and typed urls
chrome cookies and sessions
stored in a sqlite database named cookies, contains session tokens, authentication states, and tracking data
chrome cache and temporary files
stored in the cache folder; contains cached web pages and other temporary data
internet trace forensic recovery
investigators can extract and analyze files using sqlite database viewers, forensic tools, and cache viewers
web browser cookies
temporary data set by website, keeps track of who you are, what sites you have visited, things you may have searched for, etc
first party cookie
cookie created by website user is currently visiting
third-party cookie
tracks the user’s browsing history
session cookie
stored in ram and expires when browser is closed
persistent cookie
recorded on computer’s hard drive
secure cookie
used only when browser visits server over secure connection, always encrypted
cookie attributes
name/value, domain/host, path, expires / max-age, creation / last access timestamps, secure / httponly flags, encrypted value / storage
forensic process
identify running browsers, acquire evidence, file system image and record hashes, document processes if live, collect relevant artifacts, preserve chain of custody and metadata, parse cookie stores, decrypt encrypted cookie values, convert timestamps & make timeline, correlate with server logs, and document findings and significance
linux
core of the operating system
third extended file system
journaling file system which has a built-in file recovery mechanism
fourth extended file system
added support for partitions larger than 16 TB, improved management of large files, more flexibility, considers everything a file
boot block
contains instructions for startup (bootstrap code)
superblock
contains vital information about the system and is considered metadata (disk geometry & available space)
inode block
contains the first data after the superblock
data block
stores files and directories
inodes
contains file and directory metadata
hard link
a pointer that allows accessing the same file by different filenames, acts as a copy of the selected file
link count
field inside each inode that specifies the number of hard links
symbolic links
an actual link to the original file
catalog
listing of all files and directories on the volume
data fork
contains data the user creates, such as text or spreadsheets
resource fork
contains information such as menus, dialog boxes, icons, executable code, and controls when working with an application
logical block
collection of data that can’t exceed 512 bytes
clumps
groups of contiguous allocation blocks
plist
property list; preference files for installed applications on a system
keychains
used to manage passwords
preparation
prepare to seize evidence with a search warrant
write blockers
hardware devices connected between a drive you wish to copy and the drive to which you wish to copy
portable RAID system
redundant array of inexpensive disks; a collection of hard drives designed to be tolerant of the loss of one or more hard disks while retaining data
survey
a methodical process of finding all potential sources of digital evidence and making informed, reasoned decisions about what digital evidence to preserve
documentation
note chain of custody, evidence intake & inventory, preservation guidelines, and preservation notes
preservation
digital evidence needs to be preserved in a way that it is not altered / minimal alterations; use hashes to ensure data is not changed
how to preserve digital evidence
place the computers and media in secure storage, extract only the information needed, acquire everything from the evidential computer and storage media; work on a copy of the data
bit-stream copies
identical copies of hard disk data
swap files
portion of disk storage that the operating system uses as an extension of physical memory
hibernation files
a system file that stores the contents of ram to disk when the computer enters hibernation or sleep mode
reporting
take everything done in an investigation and tie it together in a report that can be given to others; clear communication, description of evidence, and analysis of evidence