Understanding Forensic Images


Understanding Forensic Images
Mark Pollitt, Associate Professor

Files Have Three Parts

Meta Data, File Data, Slack

[Diagram: the file's allocated space, filled with file data and followed by slack]

Slack: This is an old file that was overwritten by the data file above, but you can still read the end of it. This is what is known as file slack.

File Copy

Meta Data Changes. File Data Stays the Same. Slack Is NOT Copied.

File Copy only takes the file data and modifies the meta data, leaving the slack behind.

Forensic Copy - Bit Image

[Diagram: Drive, numbered 1 to 7, copied to a Forensic Image File; the file data and the slack text both appear in the image]

In a forensic copy, we copy every bit (data and slack) of every sector, including the metadata areas. Thus, we have a complete duplicate of the drive contents.
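
The three slides above, modelled as an added example that is not part of the original presentation. It builds a constructed toy drive; the 2048-byte cluster size, the JSON metadata kept in cluster 0, and the file names and contents are all assumptions made for illustration. A file copy to a fresh drive carries the file data only and writes fresh metadata, while the bit image still holds the tail of the overwritten file in slack.

```python
import json

CLUSTER = 2048  # toy allocation unit in bytes; cluster 0 holds the metadata

def load_meta(drive):
    return json.loads(bytes(drive[:CLUSTER]).rstrip(b"\0").decode())

def save_meta(drive, meta):
    drive[:CLUSTER] = json.dumps(meta).encode().ljust(CLUSTER, b"\0")

def new_drive(clusters):
    drive = bytearray(clusters * CLUSTER)
    save_meta(drive, {})
    return drive

def write_file(drive, name, cluster, data):
    off = cluster * CLUSTER
    drive[off:off + len(data)] = data  # the rest of the cluster keeps its old bytes
    # the new file replaces whatever metadata entry pointed at this cluster
    meta = {n: e for n, e in load_meta(drive).items() if e[0] != cluster}
    meta[name] = [cluster, len(data)]
    save_meta(drive, meta)

def read_file(drive, name):
    cluster, size = load_meta(drive)[name]
    return bytes(drive[cluster * CLUSTER:cluster * CLUSTER + size])

def file_slack(drive, name):
    cluster, size = load_meta(drive)[name]
    return bytes(drive[cluster * CLUSTER + size:(cluster + 1) * CLUSTER])

def file_copy(src, dst, name, dst_cluster):
    write_file(dst, name, dst_cluster, read_file(src, name))

def bit_image(src):
    return bytes(src)  # every byte of every cluster, metadata area included

def demo():
    evidence = new_drive(4)  # constructed sample drive
    write_file(evidence, "old.txt", 1, b"OLD SECRET: meet at the pier at 9pm")
    write_file(evidence, "new.txt", 1, b"grocery list")  # shorter overwrite
    target = new_drive(4)
    file_copy(evidence, target, "new.txt", 1)
    return evidence, target, bit_image(evidence)

if __name__ == "__main__":
    _, target, image = demo()
    print("file copy slack:", file_slack(target, "new.txt").rstrip(b"\0"))
    print("bit image slack:", file_slack(image, "new.txt").rstrip(b"\0"))
```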