Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.


Computer Forensic Analysis by Aaron Cheeseman. Excerpt from Investigating Computer-Related Crime by Peter Stephenson (2000), CRC Press LLC - Computer Crimes at the Computer - Computer Forensic Analysis. If only that [insert name of inanimate object here] could talk. With forensic analysis, computers can talk. And they can tell us plenty!

Focus
The focus of this excerpt is the retrieval of information from a computer and the techniques criminal investigators use to gather evidence. Content:
–The ways of retrieving files and evidence from a suspect's computer.
–The methods used to secure and document the contents of the computer.

Securing the Crime Scene
When an investigator first arrives on the scene, there are a few things he needs to do:
–Check for any remote connections (internet or direct).
–Check devices and connections to the computer.
–Turn the computer off: simply disconnect the computer.

HDD Summary
Hard drive structure:
–Clusters are made up of sectors.
–These are all on the same platter.
–Clusters are used to store files or file segments in DOS (under the FAT filesystem).

FAT Filesystem
Stores single files into separate clusters.
–Clusters are usually ~32k (depends on the size of the drive).
–Used in DOS / Win95 / NT.
–Has since been replaced by FAT32 and NTFS.

DOS
Left to its own devices, DOS forgets nothing. Every time you type a key on the keyboard, DOS will store the keypress. When opening encrypted files, the plaintext will be stored on the drive somewhere. Files are not erased when you ask for them to be deleted; they are merely renamed, producing unallocated space.

DOS will store files contiguously (in order) until drive space fills up, then will place them where it can. DOS can also become fragmented. This is when files and their fragments are scattered across the disk space and require multiple head reads to access one file.
–This means that the input/output time for files will be longer.

There is space left over when files don't completely fill clusters; this space is called slack space.

Slack Space
Slack space is the space unused by files in a cluster.
–Whenever DOS clears its memory, it stores the garbage into a place on the hard drive; this is called the slack.
–Slack is invisible to the file system on the local computer, as there are no files in this space.

What can we find out?
There is a lot of information stored in slack space; it can be used to discover and uncover details about the computer's activities, such as:
–Files (and their contents)
–Memory dumps
–Garbage
–Keyboard and other input / output
–Directory information

e.g. Directory Information
If a floppy was in use on a computer, then the slack space on the floppy can be used instead of the computer's hard drive. If directory information has been stored in the slack space on the floppy, it can be used to identify where the disk came from.

Unallocated Space
Unallocated space is the space used up by files which have been marked as deleted, but not actually deleted. When DOS deletes a file, it is renamed (the first letter of the file name is changed to a special character). The special character is recognized by DOS, and the file is not displayed.

The Files
The files which make up this space will be entirely complete as long as no other file has been stored in their place.
–When a file is stored across multiple clusters, a fragment of the file could be overwritten, but the file would still exist to be (mostly) extracted.
All the contents of this file (and the slack space around the file) are unaltered until another file is placed into the cluster.

Windows Swap Files
Usually exist in two types.
–Permanent swap files: these would be stored for various reasons, and would remain even after rebooting.
–Temporary swap files: these are volatile, so when Windows shuts down the information is removed or lost. This information could be retained by disrupting the power to the computer.

Windows Swap File
The Windows swap file will contain a plethora of information for the criminal investigator to discover and use. This information includes:
–Memory of running processes.
–Programs as they were when swapped out to disk.
–Keyboard inputs.

Windows Browser Caches
The cache is where a browser stores recently accessed images and files, to allow the browser to quickly open pages that have been recently viewed. This information can be used to discover the web activities of the computer user prior to the seizure of the computer.

Unix / *ix Operating Systems
Although Unix does not have Windows or DOS to provide it with swap files full of information, the drive may still contain information and can contain slack space. These operating systems have what is known as a swap drive, which is simply a partition of drive space allocated specifically for use as virtual memory; this is similar to Windows swap space.

Collecting Evidence
Now that we know where to look for information, we need to know how we can look in these places, and the precautions we need to take before doing so.
–As stated previously, we need to ensure that there are no external connections being made to the computer which could cause information to be lost or altered.
–We will also need copies made of the original data, to allow us to perform our searches.

Collecting Information
The author presents tools for discovering information:
–Backup software, to create a duplicate of the computer under investigation on which to search for evidence.
–Software to list the files and directory structure of the entire drive.
–Programs to get the data from the slack and unallocated spaces.
–A filtering program to search for specific keywords and filter out information which is deemed to be worthless.

e.g. Chaining
Chaining is a method used to find an entire file (given that it does not all exist in one place) from unallocated and slack space.
–In unallocated space, each sector has a pointer to the next and previous file fragments.
–In slack space, given that this is continually overwritten, the file may be incomplete.

Final Steps
After the information is found, a criminal investigator has to sign and seal the evidence, as would a normal detective. This involves:
–Creating a unique fingerprint of the files or evidence that has been found.
–Encryption of these new files, using a public key encryption program, with a trusted person's public key.
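The fingerprinting step from Final Steps above, as an added example that is not from the book: a digest manifest of the recovered items, sealed with a digest over the manifest itself, and a verification routine that reports any item that has changed or gone missing since sealing. SHA-256, the JSON manifest layout and the sample evidence items are assumptions; the public-key encryption of the sealed files is done with an external tool such as GnuPG and is not shown.

```python
import hashlib
import json

def fingerprint(data, algo='sha256'):
    """Hex digest of one evidence item (SHA-256 assumed; the slide names no algorithm)."""
    return hashlib.new(algo, data).hexdigest()

def build_manifest(items, algo='sha256'):
    """items: {name: bytes}. Record each item's size and digest, then digest the
    serialized list itself so the manifest can be sealed as one unit."""
    body = {name: {'size': len(data), algo: fingerprint(data, algo)}
            for name, data in sorted(items.items())}
    serialized = json.dumps(body, sort_keys=True).encode()
    return {'algo': algo, 'items': body, 'manifest_digest': fingerprint(serialized, algo)}

def verify_manifest(manifest, items):
    """Return the names whose current bytes no longer match the sealed digests;
    a missing item counts as a mismatch, and '<manifest>' means the list itself changed."""
    algo, bad = manifest['algo'], []
    for name, rec in manifest['items'].items():
        data = items.get(name)
        if data is None or fingerprint(data, algo) != rec[algo]:
            bad.append(name)
    body = json.dumps(manifest['items'], sort_keys=True).encode()
    if fingerprint(body, algo) != manifest['manifest_digest']:
        bad.append('<manifest>')
    return bad

# constructed evidence items standing in for files recovered from slack and unallocated space
EVIDENCE = {'alpha.txt': b'A' * 612, 'recovered_memo.txt': b'deleted memo contents'}
MANIFEST = build_manifest(EVIDENCE)
```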

Considerations
Times are changing in relation to computer security and privacy, in terms of hardware and software.
–What effects do larger hard drives have in terms of applying the techniques described?
–FAT32 was introduced to combat large space wastage on larger drives. Does this affect the way in which slack space can be accessed? Does slack space still exist?