Digital Forensics Quiz 2


Description and Tags

Chapter 3 (Forensic Methods and Labs), Chapter 4 (Collecting, Seizing, and Protecting Evidence), Chapter 6 (Recovering Data)


52 Terms

1

Creating an Order of Volatility

  1. Registers and cache – Fastest but most volatile data in CPU.

  2. Routing tables – Holds active network routes.

  3. ARP cache – Stores IP-to-MAC address mappings.

  4. Process table – Tracks running processes in the OS.

  5. Kernel statistics and modules – Kernel-level state and loaded drivers.

  6. Main memory – Volatile RAM storing active programs and data.

  7. Temporary file systems – Disk-based volatile storage (e.g., /tmp).

  8. Secondary memory – Non-volatile storage like HDD/SSD.

  9. Router configuration – Device setup saved in NVRAM/flash.

  10. Network topology – Layout of devices and connections in a network.

2

Disk Structure

  • Understand how computer hard disks, flash drives, and CDs are structured

  • Know how to find data hidden in obscure places

3

File Slack Searching

  • If you write a 1 kilobyte (KB) file to a disk that has a cluster size of 4 KB, the last 3 KB of the cluster are wasted

  • This unused space between the logical end of file and the physical end of file is known as file slack or slack space

  • File slack is a source of potential security leaks involving passwords, network logons, email, database entries, images, and word processing documents

4

Evidence-Handling Tasks

  • Find: Gather evidence; work in secure laboratories to isolate data and avoid contamination

  • Preserve: Handle computers and storage media with caution

  • Prepare: Document evidence source and ensure evidence has not changed

5

Proper Procedure to Collect Evidence

  1. Shutting down the computer appropriately, not immediately

  2. Transporting the computer to a secure location

  3. Preparing the system

  4. Documenting the hardware configuration of the system

  5. Mathematically authenticating data on all storage devices

6

Shutting Down the Computer

Before you shut down the computer:

  • Check for running processes (e.g., Task Manager in Windows)

  • Take a picture of the screen so you have a record of running processes

  • Check for live connections to the system (netstat, net sessions, openfiles)

7

Mathematically Authenticating Data on All Storage Drives

  • After imaging the drive, create a hash of the original and the copy

  • Compare the hashes

  • If they do not match exactly, something was altered

  • Document hashing algorithm used and results

8

Hash Function

Preimage: x is the preimage of h for a hash value h = H(x)

Collision: Occurs if we have x ≠ y and H(x) = H(y)

9

Primary Types of Data

  • Volatile data (Data that exists only while the system is powered on)

    • Ex: state of network connections, running processes, etc.

  • Temporary data (Data that is stored on disk but not meant to be permanent, e.g., application logs, browser cache)

  • Persistent data (Data that remains stored even after power-off)

10

Live Analysis

  • Conducted while the system is powered on

  • Captures volatile data before it disappears

  • Examples: 

    • Network connections

    • Running processes

    • RAM contents

    • Encryption keys in memory

11

Physical Analysis

  • Bit-by-bit copy of the entire storage device

  • Recovers deleted or hidden data

  • Key areas:

    • Swap file (disk space used as an extension of RAM)

    • Unallocated/free space (can hold deleted files)

  • Most comprehensive forensic method

12

Logical Analysis

  • Copies data using the file system structure

  • Faster and easier than physical analysis

  • Limitations:

    • Cannot access deleted files (files no longer in the file system but on the drive)

    • Misses data outside the file system

13

Forensic Imaging

  • Forensically wipe the target drive (here /dev/hdb1): # dd if=/dev/zero of=/dev/hdb1 bs=2048

  • Use netcat to set up the forensic server to listen: # nc -l -p 8888 > evidence.dd

  • Use the dd command to read the first partition and send it to the server: # dd if=/dev/hda1 | nc 192.168.0.2 8888 -w 3

14

Redundant Array of Independent Disks (RAID)

  • Combines multiple drives into one system

  • Used in servers, businesses, data centers, etc.

  • Goals:

    • Speed (data striping)

    • Safety (data mirroring / parity)

    • Capacity (combine disks)

  • Striping: Split data across drives for performance

  • Mirroring: Duplicate data on drives for safety

  • Parity: Extra data (math) that allows recovery if a drive fails

    • E.g., XOR rules

15

RAID Levels

  • RAID 0: Striping (fast, no safety)

  • RAID 1: Mirroring (safe, full copy on each disk)

  • RAID 5: Striping + parity (balance of speed & safety)

  • RAID 6: Striping + double parity (survives 2 failures)

  • RAID 10: Mirroring + striping (fast + safe)

16

A forensic investigator is analyzing a RAID 5 array seized from a suspect’s office. The array has 2 data disks (A, B) and 1 parity disk (P). Each disk stores 10 binary digits:

  • Disk A: 1 0 1 1 0 1 0 0 1 1

  • Disk B: missing

  • Disk P: 1 1 1 0 1 1 1 0 1 0

Task: Reconstruct the 10 binary digits of Disk B using the RAID 5 parity information.

B = A XOR P

1 0 1 1 0 1 0 0 1 1 XOR 1 1 1 0 1 1 1 0 1 0

= 0 1 0 1 1 0 1 0 0 1

17

A forensic lab receives a RAID 6 server containing financial records. The system uses 2 data disks (A, B) and 2 parity disks (P, Q). Each disk stores 10 binary digits:

  • Disk A: missing

  • Disk B: 0 1 1 0 0 1 1 0 1 0

  • Disk P: 0 1 0 1 0 0 0 0 0 1

  • Disk Q: 1 1 1 1 1 1 0 1 1 1

Task: Reconstruct the 10 binary digits of Disk A using the parity information.

A = B XOR P = 0 0 1 1 0 1 1 0 1 1

18

A research institute needs to store long-term medical records on a server with 12 × 6 TB drives, for a total raw capacity of 72 TB. Which one would you select: RAID 5 or RAID 6?

RAID 6 - Can survive 2 simultaneous disk failures, providing crucial redundancy

19

A company runs a media streaming service that stores video files on a server with 5 × 4 TB drives. The videos are already backed up to the cloud. The company wants fast read performance to serve multiple users at once. Which one would you select: RAID 5 or RAID 6?

RAID 5 - Better write performance with only single parity calculation

20

FAT: Storing a File in Windows

  • Record cluster number for next cluster

  • Add EOC entry if at end of chain

  • Mark bad (0x0FFFFFF8/0x0FFFFFFF), reserved (0x0001), open clusters (0x0000)

  • When a file is deleted, data not removed from disk

  • FAT is updated to reflect clusters no longer in use

  • New data saved to those clusters may overwrite old information

21

NTFS Fundamental Files

Master File Table (MFT):

  • Describes all files on the volume, including filenames, time stamps, and so on

  • Serves the same purpose as the file allocation table in FAT and FAT32

Cluster bitmap:

  • A map of all the clusters on the hard drive

22

NTFS: Deleting a File in Windows

  • When a file is deleted, data not removed from disk

  • Clusters are marked as deleted and “moved” to Recycle Bin

  • When Recycle Bin is emptied, clusters are marked as fully available

  • Filename in the MFT is marked with a special character, e.g., 0xE5 that means the file has been deleted

23

Linux

  • File Systems: Ext3, Ext4

  • Contiguous Blocks: Improves performance when reading sequential files.

  • Block Extensions: If a file grows beyond its allocated blocks, new blocks are linked. (Fragmentation)

  • Block Size: Defined at partition creation (default 4KB).

  • Inodes: Inode stores metadata: file size, permissions, timestamps, and pointers to disk blocks (where file content is).

  • Soft Links: Symbolic references to other files (like Windows shortcuts).

24

Storing a File in Linux

  • Stores files in contiguous blocks (basic storage units, like sectors/clusters in Windows)

  • Exact size of blocks depends on parameters used with the command that creates the partition

  • Uses inodes and soft links

25

Deleting a File in Linux

  • Inode links directly to a specific file (inside the file system)

  • Inodes do not store file names — names are stored in directories, which map a filename → inode number

  • OS keeps a count of references to each hard link (inside a directory)

  • When reference count reaches zero, file is deleted

26

Recovering a File in Linux

  • Use grep to search for and recover files

  • May not work for each Linux distribution and version

  • Example:

    • # grep -i -a -B10 -A100 'forensics' /dev/sda2 > file.txt

    • Need to run the above command in single-user mode: init 1

27

The extundelete Utility

  • Works with both ext3 and ext4 partitions in Linux

  • Uses shell commands

  • Example: To restore all deleted files from sda4 partition:

    • extundelete /dev/sda4 --restore-all

28

Recovering Information from Damaged Media

  1. Remove drive/connect to test system

  2. Boot test system (drive spinning?)

  3. Copy files from drive to test system

  4. Drive not recognized?

  5. Perform repair

  6. Image drive content

29

Recovering Data After Logical Damage

  • May prevent host operating system from mounting or using the file system

  • May cause system crashes and data loss

  • May be caused by power outages, or turning off a machine while it is booting or shutting down

30

chkdsk (Windows)

  • Stands for Check Disk

  • Windows tool for checking and repairing file systems

  • Detects and marks bad sectors

  • Fixes inconsistencies in FAT/NTFS

  • Can alter disk data – not for forensic use

31

fsck (Linux/Unix)

  • Stands for File System Check

  • Linux/Unix equivalent of chkdsk

  • Repairs inodes, orphaned blocks, and FS inconsistencies

  • Can alter disk data – not safe for forensic analysis

32

Disk Utility (macOS)

  • Built-in GUI tool in macOS

  • Formats, partitions, erases disks

  • Can check and repair file system errors

  • Can alter disk data – not suitable for forensic evidence handling

33

TestDisk

  • Open-source, cross-platform recovery tool

  • Recovers lost partitions (FAT, NTFS, Ext, HFS+)

  • Rebuilds partition tables, repairs boot sectors

  • Can recover deleted files (FAT/NTFS)

  • Can alter structures, e.g., filesystem metadata – use carefully in forensics

34

The Sleuth Kit (TSK)

  • Open-source digital forensic toolkit

  • Provides read-only access to disk images

  • Tools: fls (list files), icat (extract), istat (inode info)

  • Forensic-safe: does not modify evidence

35

Bad Sectors

  • A small unit of storage (512 bytes or 4 KB) that is damaged or unreliable

  • Drive cannot reliably read or write data there

  • OS tools (chkdsk, fsck) mark bad sectors so they are not reused

  • Drives remap bad sectors to spare sectors automatically

  • Logical bad sectors may be repaired, physical ones are permanent

  • Spare sector - unused, hidden storage sector (user and the operating system normally don’t see or use them)

36

Types of Bad Sectors

  • Physical Bad Sector (hard error)

    • Caused by scratches, wear, or hardware failure

    • Permanent, cannot be fixed

  • Logical Bad Sector (soft error)

    • Caused by corruption, power loss, malware

    • Sometimes repairable by rewriting or reformatting

37

File Carving

  • Can use file carving on a file that’s only partially recovered

  • Works on any file system

  • Is often used to recover data from a disk where there has been some damage or where the file itself is corrupt

  • File carving utilities look for file headers and/or footers, and then pull out data found between the two boundaries

  • Popular file carving tools include Scalpel and carver-recovery.exe

  • Requires knowledge of file headers and footers

38

Which type of data should be collected first according to the order of volatility?

  1. Network topology

  2. Registers and cache

  3. Router configuration

  4. Main memory

Answer: Registers and cache

39

The unused space between the logical end of a file and the physical end of a disk cluster is called?

  1. Partition gap

  2. File slack

  3. Disk buffer

  4. Cluster residue

Answer: File slack

40

Why should forensic lab machines not be connected to the internet?

  1. To reduce software licensing costs

  2. To improve RAID performance

  3. To prevent malware and contamination of evidence

  4. To save electricity

Answer: To prevent malware and contamination of evidence

41

FloridaPoly IT department needs to store student records on a server. The array must maximize storage efficiency while still tolerating one drive failure. They have 6 × 4 TB drives. Which RAID level is the best option?

  1. RAID 6

  2. RAID 1

  3. RAID 0

  4. RAID 5

Answer: RAID 5

42

A financial institution must store critical transaction logs where zero downtime and high data integrity are mandatory. Since the logs are vital for audits and regulatory compliance, the storage system must remain operational even in the event of multiple unexpected hardware issues. Which RAID configuration should be chosen?

  1. RAID 1

  2. RAID 6

  3. RAID 0

  4. RAID 5

Answer: RAID 6

43

Before shutting down a suspect computer, what should an investigator do first?

  1. Check for running processes and live connections.

  2. Format the hard drive.

  3. Disable all USB ports.

  4. Install forensic tools.

Answer: Check for running processes and live connections.

44

Why should investigators create a hash of both the original drive and its forensic image?

  1. To improve read speed

  2. To reduce storage space

  3. To encrypt the evidence

  4. To authenticate and verify data integrity

Answer: To authenticate and verify data integrity

45

Which type of forensic analysis creates a bit-by-bit copy of the entire drive, including deleted files?

  1. Live analysis

  2. Physical analysis

  3. Logical analysis

  4. Metadata analysis

Answer: Physical analysis

46

In forensic imaging, why must the target drive be forensically wiped before use?

  1. To increase storage capacity

  2. To enable encryption

  3. To remove residual data that could contaminate evidence

  4. To improve its speed

Answer: To remove residual data that could contaminate evidence

47

When a file is deleted in Windows, what actually happens?

  1. The clusters are marked as free, but data remains until overwritten.

  2. The file is encrypted automatically.

  3. The file is moved to system logs.

  4. The file’s data is immediately erased from the disk.

Answer: The clusters are marked as free, but data remains until overwritten.

48

Which file system uses the Master File Table (MFT) to track files?

  1. NTFS

  2. HFS+

  3. FAT16

  4. FAT32

Answer: NTFS

49

In NTFS, how is a deleted file indicated in the file system table?

  1. By marking it with a special character (e.g., 0xE5)

  2. By erasing the file name completely

  3. By encrypting the entry

  4. By renaming the file to “DELETED”

Answer: By marking it with a special character (e.g., 0xE5)

50

In Linux, which structure stores metadata such as the file size, permissions, and timestamps?

  1. Directory table

  2. Cluster map

  3. Swap file

  4. Inode

Answer: Inode

51

What technique is used to recover partially damaged files by locating headers and footers?

  1. Partitioning

  2. Data hashing

  3. Disk formatting

  4. File carving

Answer: File carving

52

Which of the following statements correctly distinguishes hard links from soft links in Linux?

  1. A hard link points to an inode while a soft link points to a filename

  2. Deleting a hard link removes the inode immediately while deleting a soft link preserves the inode

  3. Hard links work across different file systems, while soft links cannot

  4. A soft link increases the inode’s reference count, while a hard link does not

Answer: A hard link points to an inode while a soft link points to a filename