Computer Forensics Review Flashcards

Overview

  • Introduction
    • Electronic devices leave digital footprints and data trails.
    • Computer forensics encompasses data preservation, acquisition, extraction, and interpretation.
    • Computer forensics covers a wide range of electronic devices, not only desktop computers.

The Basics

  • Hardware vs Software
    • Hardware: Physical components of a computer.
    • Software: Programs that execute tasks on hardware.

Key Terminology

  • Computer Case/Chassis: Enclosure for internal components.
  • Power Supply: Converts wall outlet power for use by components.
  • Motherboard: Main circuit board connecting all hardware parts.
  • System Bus: Network of wires on the motherboard carrying data.

Memory Types

  • Read-Only Memory (ROM): Stores firmware for booting and configuration.
  • Random Access Memory (RAM): Volatile memory storing data temporarily while active.
  • Central Processing Unit (CPU): The "brain" of the computer; executes program instructions.

Input/Output Devices

  • Input Devices:
    • Examples: Keyboard, mouse, joystick, scanner.
  • Output Devices:
    • Examples: Monitor, printer, speakers.

Hard Disk Drive (HDD) Details

  • Primary data storage location; how the disk is mapped and organized depends on the operating system.
  • Data Evidence:
    • Two types: Visible and latent data.

Data Storage Methods

  • Partitioning: Organizing HDD space into segments for use.
  • Sectors: Basic units of storage, typically 512 bytes.
  • Clusters: Groups of sectors that the operating system allocates to files as a unit; cluster size is defined by the operating system.
  • Tracks: Concentric circles on the platter of the HDD.
  • Cylinders: Groups of tracks at the same position on each platter, stacked vertically.

File Management Systems

  • File Allocation Table (FAT): Map of files and folders in a partition.
  • NTFS (New Technology File System): Used by modern Windows systems; includes a Master File Table (MFT).

Processing the Electronic Crime Scene

  • Similar to traditional crime scene processing:
    • Warrants and documentation needed.
    • Decision on live data acquisition must be made.

Shutdown vs. Pulling the Plug

  • Considerations:
    • Encryption may render data unreadable if power is cut.
    • Critical data in RAM could be lost if power is severed.

Forensic Image Acquisition

  • Best Practice: Aim to avoid altering the original data during acquisition.
  • Generally involves removing HDDs to create forensic images.
  • Fingerprinting for Verification:
    • Cryptographic hash algorithms such as MD5 or SHA are used to verify that the image matches the original and that data integrity is preserved.

Data Types in Forensics

  • Visible Data: Data accessible to users, such as documents, spreadsheets, photos, etc.
  • Temporary Files: Created for backup purposes; can provide evidence.
  • Latent Data: Not known to the operating system; includes RAM slack and deleted file remnants.

Analysis of Internet Data

  • Investigators look for:
    • Cached files, cookies, internet history.
  • Use forensic software to read history files and bookmarks.

IP Address Basics

  • Format: ###.###.###.###, with each of the four numbers between 0 and 255 (IPv4 dotted-decimal notation).
  • Essential for directing data on the Internet and investigating web activity.

Investigating Internet Communications

  • Email Tracking: Origin traced via sender's IP address in headers.
  • Chat Logs: Often reside in RAM.
  • Unauthorized Access Investigation: Analyze log files, RAM, and network traffic.

Summary of Content

  • The material covers crucial aspects of computer forensics, including terminology, data management, evidentiary guidelines, and internet analysis methods, all of which are essential for understanding computer forensics practice.