Forensic Concept of Data
Storage Forensics: Forensic Concept of Data. © Dr. D. Kall Loper, all rights reserved.

User Data: any data visible to the user under normal operation of the system. The vast majority of evidence is found in user data, which includes files sitting in the Windows 'Recycle Bin' or the Macintosh 'Trash'.

Image: an exact, sector-by-sector copy of a hard drive, including slack space, unallocated space, and the Windows paging (swap) file if present. Unlike a logical copy made with the operating system's 'copy' command, an image captures all of the latent data as well as the active files.

Latent Data: all data on a storage device that is not reachable through the operating system's normal file interface. This includes unallocated space, file slack, protected files, and virtual memory.

Unallocated Space: all the clusters on a drive that are not currently assigned to a file (AccessData, 2003, Forensic Toolkit User's Guide, p. 242). The contents of deleted files commonly persist in unallocated space until the clusters are reused.

Sector: a sector is the smallest addressable unit of a hard drive, a logical block defined by the drive firmware. Until the industry transition that concluded in January 2011, sector size was fixed at 512 bytes. Advanced Format hard disk drives use 4,096-byte physical sectors; note that many of them ('512e' drives) still present 512-byte logical sectors to the host, so check which size your imaging tool reports. A sector is a low-level formatting artifact.

Terminology note: 'logical block' implies LBA (logical block addressing), whereas the eponymous 'sector' comes from the older CHS (cylinder, head, sector) addressing scheme. The term was sometimes used synonymously with 'block', but 'block' has since come to mean a variable-length data run on media other than hard disk drives.

Cluster: a fixed-length block, made up of one or more whole sectors, in which the file system stores file data. Each cluster is assigned a unique number by the operating system (AccessData, 2003, p. 241). A cluster is a high-level formatting artifact: its size is chosen when the volume is formatted.

Slack Space Illustration: on this hard drive there are 4,096 bytes per cluster and 512 bytes per sector, so there are 8 sectors per cluster (4,096 ÷ 512 = 8).

File Slack: unused space at the end of a file's last cluster. File systems store files in fixed-length blocks called clusters, and because few files are an exact multiple of the cluster size, there is typically unused space between the end of the file and the end of the last cluster allocated to it (AccessData, 2003, p. 241). That space is never overwritten when the file is written, so it may still hold whatever previously occupied the cluster.

RAM Slack: the padding the operating system writes after the end of a file to fill out its last sector, because hard drives write whole sectors at a time and need the padding. On older systems (DOS and Windows 9x) this padding was taken from whatever happened to be in RAM, which is what makes it forensically interesting; modern operating systems zero-fill the padding, so RAM slack on a current system usually contains nothing of value.

Slack Space Illustration: the file is 2,304 bytes. It fills the first four sectors completely (512 × 4 = 2,048) but only 256 bytes of the fifth (2,304 - 2,048 = 256).

The remaining 256 bytes of that fifth sector are padding: on the older systems described above, data taken from system memory (RAM). In the illustration, the file is green and the RAM slack is blue.

The three sectors left in the cluster (1,536 bytes) are file slack, shown in red in the illustration.
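The arithmetic in the illustration above generalizes to any sector size and cluster size. The following Python is an added worked example, not code from the original slides: it computes how a file's last cluster splits into data, RAM slack and file slack, and carves those two slack regions out of a raw cluster buffer. The cluster contents are constructed to match the illustration (512-byte sectors, 4,096-byte clusters, a 2,304-byte file); the function and field names are this example's own.

```python
"""Slack-space layout of a file stored in fixed-size clusters (added example)."""
from __future__ import annotations

from dataclasses import dataclass


def _ceil_div(a: int, b: int) -> int:
    """Integer ceiling division, safe for disk-sized offsets."""
    return (a + b - 1) // b


@dataclass(frozen=True)
class SlackLayout:
    sectors_per_cluster: int
    clusters_used: int         # clusters allocated to the file
    data_in_last_cluster: int  # file bytes that land in the final cluster
    ram_slack: int             # padding from end of data to end of its sector
    file_slack: int            # unused whole sectors at the end of the cluster


def slack_layout(file_size: int, sector_size: int = 512,
                 cluster_size: int = 4096) -> SlackLayout:
    """Split a file's last cluster into data, RAM slack and file slack."""
    if sector_size <= 0 or cluster_size <= 0 or cluster_size % sector_size:
        raise ValueError("cluster size must be a positive multiple of sector size")
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    spc = cluster_size // sector_size
    clusters = _ceil_div(file_size, cluster_size)
    if clusters == 0:               # empty file: no cluster allocated, no slack
        return SlackLayout(spc, 0, 0, 0, 0)
    data_last = file_size - (clusters - 1) * cluster_size
    # The drive writes whole sectors, so the OS pads the last partial sector.
    sectors_written = _ceil_div(data_last, sector_size)
    ram_slack = sectors_written * sector_size - data_last
    file_slack = cluster_size - sectors_written * sector_size
    return SlackLayout(spc, clusters, data_last, ram_slack, file_slack)


def carve_slack(last_cluster: bytes, data_in_last_cluster: int,
                sector_size: int = 512) -> tuple[bytes, bytes]:
    """Return (ram_slack_bytes, file_slack_bytes) from a raw last cluster."""
    if len(last_cluster) % sector_size:
        raise ValueError("cluster buffer is not sector-aligned")
    if not 0 <= data_in_last_cluster <= len(last_cluster):
        raise ValueError("data length does not fit in the cluster")
    sector_end = _ceil_div(data_in_last_cluster, sector_size) * sector_size
    return (last_cluster[data_in_last_cluster:sector_end],
            last_cluster[sector_end:])


# Constructed last cluster matching the slides: 2,304 bytes of file data ('G',
# green), 256 bytes of padding ('B', blue RAM slack) and 1,536 bytes left over
# from a previously deleted file ('R', red file slack). Sample data, not a capture.
FILE_SIZE = 2304
DEMO_CLUSTER = b"G" * FILE_SIZE + b"B" * 256 + b"R" * 1536


def demo() -> tuple[SlackLayout, bytes, bytes]:
    layout = slack_layout(FILE_SIZE)
    ram, fslack = carve_slack(DEMO_CLUSTER, layout.data_in_last_cluster)
    return layout, ram, fslack


if __name__ == "__main__":
    layout, ram, fslack = demo()
    print(layout)
    print(f"RAM slack: {len(ram)} bytes; file slack: {len(fslack)} bytes")
    # Same file on an Advanced Format drive with 4,096-byte sectors: the whole
    # remainder of the cluster is RAM slack and there is no file slack at all.
    print(slack_layout(FILE_SIZE, sector_size=4096, cluster_size=4096))
```

The Advanced Format case at the end is why the sector size matters to an examiner: with 4,096-byte sectors and 4,096-byte clusters, the 1,792 bytes after the file are all padding written by the OS, so whatever file slack a 512-byte-sector tool expects to carve is not there.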

Virtual Memory: virtual memory (VM) is a technique that lets the operating system use hard drive space as an extension of RAM. It is far slower than main memory, but it allows a system with insufficient memory to finish its work rather than crash when main memory runs out. The backing storage is called the paging file in Windows (pagefile.sys; older Windows 9x systems called it a swap file) and swap space, a swap partition or swap file, in UNIX and Linux.

Virtual Memory and RAM Slack: reading the paging file and the RAM slack of files are two ways to recover fragments of system memory from a storage image. Those fragments may include network state (open connections, the ARP cache, and so on) and other indications of how the computer was being used at the time. Note that Windows holds pagefile.sys open exclusively while it runs, so it is read from the image rather than from the live system.
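To show what "reading system memory from the paging file" looks like in practice, here is an added example that is not part of the original slides: a small strings-style scanner that pulls printable ASCII and UTF-16LE runs out of a raw blob (Windows keeps many of its strings in UTF-16LE, so scanning for ASCII alone misses them) and then looks for IPv4 addresses and URLs in them. The blob is constructed sample data standing in for a chunk of pagefile.sys; the function names and the regular expressions are this example's own.

```python
"""Carve network artifacts from a raw paging-file blob (added example)."""
from __future__ import annotations

import re
from typing import Iterator

# Constructed stand-in for a chunk of pagefile.sys: non-printable filler around
# a few remnants of the kind a paging file can retain. Sample data, not a capture.
_FILLER = bytes([0x00, 0xFF, 0x80, 0x01, 0xFE]) * 60
DEMO_PAGEFILE = (
    _FILLER
    + b"GET http://example.test/login HTTP/1.1\r\n"
    + _FILLER
    + "Connected to 192.168.1.20:445".encode("utf-16-le")  # UTF-16LE, as Windows stores it
    + _FILLER
    + b"arp -a 10.0.0.1 00-11-22-33-44-55"
    + _FILLER
)

IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
URL = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?")


def extract_strings(blob: bytes, min_len: int = 6) -> Iterator[tuple[int, str, str]]:
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # A UTF-16LE run of printable ASCII characters is byte pairs of <char><NUL>.
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_network_artifacts(blob: bytes) -> dict[str, list[str]]:
    """Collect IPv4 addresses and URLs from every string found in the blob."""
    hits: dict[str, set[str]] = {"ipv4": set(), "url": set()}
    for _offset, _encoding, text in extract_strings(blob):
        hits["ipv4"].update(IPV4.findall(text))
        hits["url"].update(URL.findall(text))
    return {kind: sorted(values) for kind, values in hits.items()}


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(DEMO_PAGEFILE):
        print(f"{offset:#08x} {encoding:8} {text}")
    print(find_network_artifacts(DEMO_PAGEFILE))
```

On a real image the same functions run over the extracted pagefile.sys (or a Linux swap partition) read in chunks; the offsets reported are then the examiner's pointers back into the evidence.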