Computer Forensics BACS 371

Computer Forensics BACS 371 File Slack Summary

Places to hide evidence (4/14/2017)
Evidence can be hidden in many places within a disk. The notion of “empty space” on a disk is more complicated than you might suspect. The question becomes “what are the different types of empty space?”
- Unused (bad blocks, deleted file space, network protocol fields)
- Unallocated space (free space, unused sectors)
- File slack (unused space at the end of each file)
(c) ITT Educational Services, Inc.

File
- A collection of information written to a disk
- Generally created in an application-specific format
- Occupies a fixed number of clusters
- Each of the file’s clusters holds a pointer to the next cluster in the file
- The final cluster contains the End of File (EOF) marker

Files
- Logical File Size: the exact size of the contents of the file, in bytes
- Physical File Size: the amount of space the file occupies on disk, in bytes
- File Slack: the unused space between the logical end of the file and the physical end of the cluster. Two types: RAM slack and Disk slack.

|<---- Logical File Size ---->|<---- File Slack ---->|
|<-------------- Physical File Size --------------->|

File Slack
What does file slack contain? Who knows??!!
- Old data that was deleted but not overwritten yet
- May contain remnants of older files, or other evidence including:
  - Passwords
  - Old directory structures
  - Miscellaneous information ...

File Slack Example
“Hello World!” has 12 characters in the file, but occupies 4096 bytes on the disk!

File Slack Example (diagram)

File Slack Example
Assumptions: Sector Size = 512 bytes; Cluster Size = 4 KB = 8 sectors
File Contents: “Hello world!” (12 bytes)
RAM slack (to the end of the sector): 512 bytes - 12 bytes = 500 bytes
Disk slack (to the end of the cluster, i.e. the remaining 7 sectors): 4096 bytes - 512 bytes = 3584 bytes

File Slack Summary
RAM Slack
- Unused space at the end of a sector.
- Contains information adjacent to the stored information from main memory (RAM).
- Example: the file has only 12 characters, but a minimum 512-byte block must be written to the disk; the other 500 characters are whatever happened to be in RAM at the time.
Disk Slack
- Unused space at the end of the cluster.
- Contains information left over on the disk from prior files.
- Example: the file system must always write in multiples of clusters (4096 bytes in this case). The other 3584 bytes (7 sectors) are filled with whatever used to be in the clusters before they were marked for deletion.
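The arithmetic from the example and summary slides, as an added Python model that is not part of the original presentation: it splits any file size into RAM slack and disk slack (not just the 12-byte case), simulates the cluster write the slides describe so the two slack regions can be carved back out of a constructed cluster image, and assumes the slides' 512-byte sectors, 8-sector clusters and that an empty file owns no cluster.

```python
from dataclasses import dataclass

SECTOR = 512           # sector size assumed on the slides
CLUSTER = 8 * SECTOR   # 4 KB cluster = 8 sectors, also from the slides


@dataclass(frozen=True)
class Slack:
    logical_size: int   # exact byte count of the file's contents
    physical_size: int  # whole clusters the file occupies on disk
    ram_slack: int      # logical EOF -> end of the last written sector
    disk_slack: int     # end of that sector -> end of the last cluster

    @property
    def file_slack(self) -> int:
        return self.ram_slack + self.disk_slack


def slack_for(logical_size: int, sector: int = SECTOR, cluster: int = CLUSTER) -> Slack:
    """Split a file's on-disk footprint into content, RAM slack and disk slack."""
    if logical_size < 0 or cluster % sector:
        raise ValueError("size must be >= 0 and a cluster must be whole sectors")
    if logical_size == 0:
        return Slack(0, 0, 0, 0)  # assumption: an empty file owns no cluster at all
    sectors_used = -(-logical_size // sector)    # ceiling division
    physical = -(-logical_size // cluster) * cluster
    return Slack(logical_size, physical,
                 sectors_used * sector - logical_size,
                 physical - sectors_used * sector)


def simulate_cluster_write(data: bytes, old_cluster: bytes, ram_buffer: bytes,
                           sector: int = SECTOR) -> bytes:
    """Model the write the slides describe: the last sector is padded with whatever
    follows the data in RAM, and sectors never written keep their old bytes.
    (Modern file systems usually pad that sector with zeros instead.)"""
    if len(data) > len(old_cluster) or len(old_cluster) % sector:
        raise ValueError("file must fit in one cluster made of whole sectors")
    written = -(-len(data) // sector) * sector
    padded = (data + ram_buffer)[:written].ljust(written, b"\0")
    return padded + old_cluster[written:]


def carve_slack(cluster_image: bytes, logical_size: int, sector: int = SECTOR):
    """Return (ram_slack_bytes, disk_slack_bytes) carved from a one-cluster image."""
    ram_end = -(-logical_size // sector) * sector
    return cluster_image[logical_size:ram_end], cluster_image[ram_end:]


# Constructed sample: a prior file's bytes left in the cluster, and a stale RAM buffer.
OLD_CLUSTER = b"\xaa" * CLUSTER
RAM_BUFFER = b"stale memory contents " * 30
IMAGE = simulate_cluster_write(b"Hello world!", OLD_CLUSTER, RAM_BUFFER)
```

For the 12-byte file `carve_slack(IMAGE, 12)` yields 500 bytes taken from the RAM buffer and 3584 bytes of the prior file's 0xAA pattern, matching the slides' figures.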