footprints and data trails
The usage of computers and other electronic data storage devices leaves the _________________ and __________ ___________
preservation, acquisition, extraction, and interpretation
Computer forensics involves the ... of computer data
Hardware
comprises the physical and tangible components of the computer
Software
a set of instructions compiled into a program that performs a particular task
Software
those programs and applications that carry out a set of instructions on the hardware
Computer Case/Chassis
This is the physical box holding the fixed internal computer components in place
Power Supply
PC's power supply converts the power it gets from the wall outlet to a useable format for the computer and its components
Motherboard
the main circuit board contained within a computer (or other electronic devices) is referred to as the __________________
System Bus
contained on the motherboard, the system bus is a vast complex network of wires that serves to carry data from one hardware device to another
Read-Only Memory (ROM)
ROM chips store programs called firmware, used to start the boot process and configure a computer's components
Random access memory (RAM)
RAM serves to take the burden off of the computer's processor and Hard Disk Drive (HDD)
RAM
The computer, aware that it may need certain data at a moment's notice, stores the data in the ________
volatile memory
RAM is referred to as ____________ ___________ because it is not permanent; its contents undergo constant change and are forever lost once power is taken away from the computer
Central Processing Unit (CPU)
The CPU, also referred to as a processor, is essentially the brains of the computer
Input devices
The devices used to get data into the computer: keyboard, image, joystick, scanner
Output devices
Equipment through which data is obtained from the computer: monitor, printer, speakers
The Hard Disk Drive (HDD)
typically the primary location of data storage within the computer
different manners
Different operating systems map out HDDs in _________________ _______________
different locations; numerous forms
Evidence exists in many ________________ _______________ and in _______________ __________ on an HDD
visible and latent data
The type of evidence can be grouped under two major sub-headings in the HDD:
first step
partitioning the HDD is the
space defined
An HDD needs to have its ___________ _____________ before it is ready for use
mapped; defined layout
When partitioned, HDDs are ______________ and have a ______________ ___________
sectors, clusters, tracks, and cylinders
HDDs are logically divided into
512 bytes in size (traditional drives; many newer "Advanced Format" drives use 4096-byte physical sectors, often presented to the OS as 512-byte logical sectors)
Sectors are typically
8 bits
A byte is
1 or 0
A bit is a single
Clusters
groups of sectors and their size is defined by the operating system
1, 2, 4, 8, 16, etc. sectors (always a power of two)
A cluster will consist of
Tracks
Concentric circles that are defined around the platter
Cylinders
groups of tracks that reside directly above and below each other
a map of the layout of the defined space in that partition
After partitioning and formatting processes are complete, the HDD will have
File Allocation Table (FAT)
A FAT-formatted partition utilizes a ________ _________________ __________ to keep track of the location of files and folders (data) on the HDD (an NTFS partition uses a Master File Table for the same purpose)
different ways
Each partition table (map) tracks data in...
a map
It is sufficient for purposes here, however, to merely visualize the partition table as __ _________ to where the data is located
numbering sectors, clusters, tracks, and cylinders
The map uses ...to keep track of the data
warrants, documentation, good investigative techniques
Processing the electronic crime scene is similar to processing a traditional crime scene because it requires:
leave the data encrypted and unreadable
If disk or volume encryption is in use, pulling the plug will ... without the password or key, because the key that was held in RAM is lost with power; therefore, pulling the plug would not be prudent
it will be lost with discontinuation of power to the system
If crucial evidentiary data exists in RAM and has not been saved to the HDD, ...
1) encryption 2) if data exists in the RAM, but has not been saved to the HDD
Two situations where you would avoid pulling the plug
Ciphertext-only
the cryptanalyst has access only to a collection of ciphertexts or codetexts
Known-plaintext
the attacker has a set of ciphertexts to which he knows the corresponding plaintext
Chosen-plaintext (chosen-ciphertext)
the attacker can obtain the ciphertexts (plaintexts) corresponding to an arbitrary set of plaintexts (ciphertexts) of his own choosing
Adaptive chosen-plaintext
like a chosen-plaintext attack, except the attacker can choose subsequent plaintexts based on information learned from previous encryptions. Similarly, an adaptive chosen-ciphertext attack lets the attacker choose subsequent ciphertexts based on previous decryptions
Related-key attack
like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in one bit
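The attack models above are abstract; the following is an added example (not part of the original flashcards) that makes the known-plaintext model concrete against a toy repeating-key XOR cipher. The cipher, the key and the messages are all constructed for the example. It shows what the model assumes the attacker has (one ciphertext and its plaintext) and what that buys: the key, and with it every other message encrypted under the same key.

```python
# Added example (not from the original flashcards): a known-plaintext
# attack against a constructed repeating-key XOR cipher. The key, the
# messages and the cipher itself are assumptions for the example.
from itertools import cycle


def xor_crypt(key, data):
    """Repeating-key XOR; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext, known_plaintext, key_len):
    """Known-plaintext attack: with a ciphertext and its plaintext, each key
    byte is just ciphertext[i] ^ plaintext[i]. Needs at least key_len bytes
    of known plaintext; the rest of the pair is used to confirm the guess."""
    if len(known_plaintext) < key_len:
        raise ValueError("not enough known plaintext to recover the key")
    key = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))
    # Consistency check: the recovered key must explain the whole known pair.
    if xor_crypt(key, ciphertext[:len(known_plaintext)]) != known_plaintext:
        raise ValueError("key length guess is wrong")
    return key


def find_key_len(ciphertext, known_plaintext, max_len=32):
    """Try candidate key lengths until one explains the known pair.
    Returns (key_len, key) or (None, None) if nothing up to max_len fits."""
    for n in range(1, max_len + 1):
        try:
            return n, recover_key(ciphertext, known_plaintext, n)
        except ValueError:
            continue
    return None, None


# Constructed scenario: the attacker holds one ciphertext whose plaintext is
# known (a predictable header) plus a second ciphertext under the same key.
SECRET_KEY = b"K3y!k3Y?"                         # unknown to the attacker
KNOWN_PT = b"Subject: weekly status report 2024-01-01"
CT_KNOWN = xor_crypt(SECRET_KEY, KNOWN_PT)
CT_TARGET = xor_crypt(SECRET_KEY, b"Wire the funds to account 0042 tonight.")

if __name__ == "__main__":
    n, key = find_key_len(CT_KNOWN, KNOWN_PT)
    print("recovered key length", n, "key", key)
    print("target message:", xor_crypt(key, CT_TARGET))
```

A ciphertext-only attacker would have to rely on statistics of the plaintext instead; the known-plaintext model is stronger precisely because the pair gives the key directly. The same pattern (recover the keystream from one pair, reuse it elsewhere) is why stream ciphers must never reuse a key.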
least intrusive
Throughout the entire forensic image acquisition process, the computer forensic examiner must adopt the method that is ___________ _______________
altering even one bit of data
The goal with obtaining data from an HDD is to do so without
removing the HDD from the system and placing it in a laboratory forensic computer (behind a write blocker), so that a forensic image can be created
Because booting an HDD to its operating system changes many files and could potentially destroy evidentiary data, obtaining data is generally accomplished by...
no changes
Regardless, the examiner needs to be able to prove that the forensic image he/she obtained includes every bit of data and caused _____ ____________ (writes) to the HDD
"fingerprint"
A sort of "____" of the drive is taken before and after imaging
MD5, SHA-1, SHA-256, or a similar validated hash algorithm (MD5 and SHA-1 are no longer collision resistant, so SHA-256 is preferred; many labs record two hashes)
The fingerprint is accomplished through the use of a
32-character hexadecimal string (for MD5; SHA-1 produces 40 characters and SHA-256 produces 64)
Before imaging the drive, the algorithm is run and a ... is produced based on the drive's contents
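To show the before/after fingerprint check in working code, here is an added example (not part of the original flashcards) using Python's hashlib. The "drive" is a constructed byte string standing in for a raw device; on a real acquisition the same functions would be fed the block device behind a write blocker and the image file. The function names and the sample data are assumptions for the example.

```python
# Added example (not from the original flashcards): hashing a drive before
# and after imaging and checking the image against it. The sample "drive"
# is constructed; real use would hash a block device and an image file.
import hashlib

CHUNK = 1 << 20   # hash in 1 MiB chunks so large images do not fill RAM


def fingerprint(data, algorithm="sha256"):
    """Hex digest of the full contents of `data` (bytes or a file-like object)."""
    h = hashlib.new(algorithm)
    if isinstance(data, (bytes, bytearray)):
        h.update(data)
    else:
        for chunk in iter(lambda: data.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_lengths(data):
    """Hex-digest length per algorithm: MD5 32 chars, SHA-1 40, SHA-256 64."""
    return {a: len(fingerprint(data, a)) for a in ("md5", "sha1", "sha256")}


def verify_acquisition(source_before, source_after, image, algorithm="sha256"):
    """Return (source_unchanged, image_matches).

    source_unchanged: the drive hashed identically before and after imaging,
                      i.e. the process caused no writes to the source.
    image_matches:    the image is a bit-for-bit copy of the source.
    """
    before = fingerprint(source_before, algorithm)
    after = fingerprint(source_after, algorithm)
    img = fingerprint(image, algorithm)
    return before == after, img == before


# Constructed sample "drive": 64 KiB of deterministic content.
DRIVE = bytes(range(256)) * 256
IMAGE_GOOD = bytes(DRIVE)                # a faithful copy
IMAGE_BAD = bytearray(DRIVE)
IMAGE_BAD[12345] ^= 0x01                 # a single flipped bit

if __name__ == "__main__":
    print("digest lengths:", digest_lengths(DRIVE))
    print("good image:", verify_acquisition(DRIVE, DRIVE, IMAGE_GOOD))
    print("one bit off:", verify_acquisition(DRIVE, DRIVE, bytes(IMAGE_BAD)))
```

The one-bit change in IMAGE_BAD is enough to produce a completely different digest, which is the property the fingerprint relies on; recording the algorithm name alongside the hash in the chain-of-custody notes matters because a 32-character MD5 cannot be compared to a SHA-256 taken later.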
Visible data
that data which the operating system is aware of
easily accessible
Visible data is _________ _________________ to the user
word processing documents, spreadsheets, accounting records, databases, pictures
Visible data can encompass any type of user created data, such as:
latent data
that data that the operating system is not aware of
swap space
disk space the operating system uses to page memory contents out to, so as to conserve the valuable RAM within the computer system; it can hold copies of data that was only ever "in memory"
RAM slack
is the area from the end of the logical file to the end of the sector
File slack
the remaining area from the end of the final sector containing data to the end of the cluster
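The sector/cluster cards and the two slack definitions fit together in a short calculation. The following is an added example (not part of the original flashcards) that, for a file of a given size, computes the sectors and clusters it occupies and the size of its RAM slack and file slack, then simulates the OS writing a small file into a previously used cluster so that the old data left in file slack can be carved back out. The 512-byte sector and 8-sector cluster sizes are assumptions (a common FAT/NTFS layout); the sample contents are constructed.

```python
# Added example (not from the original flashcards): how bits, bytes, sectors
# and clusters determine where RAM slack and file slack fall for a file of
# a given size, and why file slack can retain latent data. Assumed layout:
# 512-byte sectors, 8 sectors per cluster; real volumes may differ.

SECTOR_SIZE = 512            # bytes per sector (typical)
SECTORS_PER_CLUSTER = 8      # assumed for this example
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER   # 4096 bytes


def ceil_div(a, b):
    """Integer ceiling division without floating point."""
    return -(-a // b)


def layout(file_size, sector_size=SECTOR_SIZE,
           sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Describe how a file of file_size bytes occupies sectors and clusters.

    RAM slack  = end of the logical file .. end of its last sector
    file slack = end of that sector     .. end of the last cluster
    """
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    cluster_size = sector_size * sectors_per_cluster
    sectors_used = ceil_div(file_size, sector_size)
    clusters_used = ceil_div(sectors_used, sectors_per_cluster)
    allocated = clusters_used * cluster_size
    ram_slack = sectors_used * sector_size - file_size
    file_slack = allocated - sectors_used * sector_size
    return {
        "file_size": file_size,
        "sectors_used": sectors_used,
        "clusters_used": clusters_used,
        "allocated_bytes": allocated,
        "ram_slack": ram_slack,
        "file_slack": file_slack,
        "total_slack": ram_slack + file_slack,
    }


def write_file_into_cluster(old_cluster, data, sector_size=SECTOR_SIZE):
    """Simulate the OS writing a small file into a previously used cluster.

    The OS writes whole sectors, so the file is padded to a sector boundary
    (modern systems zero-fill this RAM slack; older ones padded with whatever
    was in memory). Sectors beyond the file's data are left untouched.
    """
    if len(data) > len(old_cluster):
        raise ValueError("file does not fit in one cluster")
    written = ceil_div(len(data), sector_size) * sector_size
    padded = data + b"\x00" * (written - len(data))
    return padded + old_cluster[written:]


def file_slack_bytes(cluster, file_size, sector_size=SECTOR_SIZE):
    """Carve the file-slack region: bytes past the file's last sector."""
    start = ceil_div(file_size, sector_size) * sector_size
    return cluster[start:]


# Constructed sample: a cluster that once held an old document, and a new
# 1000-byte file written over the start of it.
OLD_CLUSTER = (b"OLD CONFIDENTIAL MEMO - to be deleted " * 200)[:CLUSTER_SIZE]
NEW_FILE = b"0123456789" * 100                     # 1000 bytes

if __name__ == "__main__":
    print(layout(len(NEW_FILE)))
    cluster = write_file_into_cluster(OLD_CLUSTER, NEW_FILE)
    residue = file_slack_bytes(cluster, len(NEW_FILE))
    print(len(residue), "bytes of file slack, starting:", residue[:40])
```

For the 1000-byte file the numbers are: 2 sectors, 1 cluster, 24 bytes of RAM slack and 3072 bytes of file slack, and the file-slack region still reads "OLD CONFIDENTIAL MEMO ..." because nothing ever overwrote it. The OS is not "aware" of those 3072 bytes as belonging to any file, which is exactly what makes them latent data.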
unallocated space
Another place where latent data might be found is in an
unallocated space
that space on an HDD the operating system sees as empty and ready for data
remains behind
when a user deletes files, the data typically _______________ ______________
deleted files
________________ __________ are another source of latent data
1) internet cache 2) cookies 3) internet history
Places where a forensic computer examiner might look to determine what websites a computer user has visited recently are:
bookmarks and favorite places
Another way to access web sites that have been visited is by examining _________________ and _____________ _____________
0 to 255
Each of the four octets of an IPv4 address (e.g., 203.0.113.5) can be any number from ____ to _________
IP addresses
provide the means by which data can be routed to the appropriate location, and they also provide the means by which most internet investigations are conducted
IP address in the email's header
An investigator tracking the origin of an email seeks out the sender's...
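The two IP-address cards above describe a check and a lookup that are easy to get wrong by hand, so here is an added example (not part of the original flashcards) that validates IPv4 addresses octet by octet and pulls the originating address out of an email's Received: headers. The message is constructed for the example and uses the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24; the function names are assumptions.

```python
# Added example (not from the original flashcards): validating dotted-decimal
# IPv4 addresses (each octet 0..255) and extracting the sender's IP from the
# Received: headers of a constructed email message.
import email
import re

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_valid_ipv4(text):
    """True if text is four dotted-decimal octets, each 0..255, no leading zeros."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0"):
            return False
        if not 0 <= int(p) <= 255:
            return False
    return True


def received_chain(raw_message):
    """Received: headers oldest-first. Each relay prepends its own header,
    so on the wire the order is newest-first; reversing gives the path the
    message actually took, starting at the sender's handoff."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return list(reversed(headers))


def originating_ip(raw_message):
    """Best-effort sender IP: the first valid IPv4 address in the oldest
    Received: header. Headers added by relays you do not control can be
    forged, so only the hop recorded by your own mail server is trustworthy."""
    for hdr in received_chain(raw_message):
        for candidate in IPV4_RE.findall(hdr):
            if is_valid_ipv4(candidate):
                return candidate
    return None


# Constructed sample message (documentation IP ranges; folded headers use a
# leading tab, which the email parser joins back together).
SAMPLE_EMAIL = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby mail.example.com with ESMTP id k7Qx1; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [198.51.100.77] (helo=laptop.local)
\tby mx.example.org with ESMTPA id 9fA2z; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@example.org
To: bob@example.com
Subject: constructed sample message

Body text.
"""

if __name__ == "__main__":
    for hop in received_chain(SAMPLE_EMAIL):
        print("hop:", " ".join(hop.split()))
    print("originating IP:", originating_ip(SAMPLE_EMAIL))
```

Reading the chain bottom-up is the habit to build: the topmost Received: header is the one your own server added and is the only hop you can vouch for, while anything below it was written by machines the sender or an intermediary controlled.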
RAM
chat and instant messages are typically located in a computer's ________
firewall
designed to protect against intrusions into a computer network