An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

Topics  What is Computer Forensics?  Why do we need Computer Forensics?  Live Analysis Versus Static Analysis  Capturing a Drive Image  The Organization of Hard Disks  The Organization of File Systems  Where’s the Data?  Forensic Tools

What is Computer Forensics?  Computer Forensics is the process of locating, preserving and analyzing digital information that may be used as evidence to help prove guilt or innocence.  Forensic procedures must be followed carefully to avoid contaminating (altering) the evidence.  It is very important to maintain the Chain of Custody: a record of who handled each item of evidence, when, and for what purpose.

Why do we need Computer Forensics?  Support law enforcement.  Many types of documents are now stored electronically.  Learn about the techniques used by cyber-criminals.  Computers may be the instrument used in a crime or the victim of a crime.

Live Analysis Versus Static Analysis  Live Analysis: Forensics performed on a running system. There are more things to look at during a live analysis than a static analysis, but every action taken on the live system also changes it. Do you pull the plug or perform an orderly shutdown? Pulling the plug freezes the disk as it is but loses everything in memory (running processes, network connections, any decryption keys); an orderly shutdown runs shutdown routines that write to the disk.  Static Analysis: Forensics performed on a copy (image) of the data from a system, never on the original. This type of analysis is done most often.

Live Analysis Things to record, starting with the most volatile:  System time and date (and its offset from a trusted clock).  Users logged on to the system.  Open network connections.  Network drives mapped to the system.  Processes that are running.  What is on the Desktop and Clipboard.

Static Analysis Things to look for:  Registry entries.  Hidden files and folders, encrypted files.  Images, e-mails, IM logs, other files.  Misnamed files (for example, an image renamed with a .DLL extension; the file signature, not the name, identifies the type).  Deleted files.  Data in unallocated space and slack space.

Capturing a Drive Image  A write-blocker must be used to prevent any write operations on the drive being imaged. It can be software or hardware; a hardware write-blocker is preferred because it does not depend on the imaging host's operating system behaving.  The entire drive is imaged bit for bit, including unallocated space and slack space, to a clean (forensically wiped) drive.  The image must be verified to guarantee integrity. This is done using a cryptographic hash function (MD5, SHA-1 or SHA-256): the hash of the source drive is computed at acquisition time, the hash of the image must match it, and the same hash is recomputed later to show the image has not changed.

Capturing a Drive Image  One bit is a 0 or a 1.  One byte is 8 bits.  One KB (Kilobyte) is 1024 bytes.  One MB (Megabyte) is 1024 KB.  One GB (Gigabyte) is 1024 MB.  A 500 GB drive contains 536,870,912,000 bytes (over 143 million pages!!!). Note that drive manufacturers count in decimal units, so a drive sold as "500 GB" holds about 500,000,000,000 bytes; always record the exact sector count reported by the drive.  One TB (Terabyte) is 1024 GB.

Capturing a Drive Image  The drive may be imaged via a USB or FireWire connection, or over the network.  The size of the drive being imaged affects the time required to perform the capture.  The speed of the connection also affects the time required to image the drive, as do bad sectors, which force the imaging tool to retry.  A 500 GB drive may require 8 hours or several days to acquire.

Image is Verified via a Hash
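The acquisition procedure above, as an added example that is not part of the original slides: copy a "drive" sector by sector, hash the bytes as they are copied, zero-fill any sector that cannot be read (the behaviour of dd's conv=noerror,sync), log those sectors, and then verify the image against the acquisition hash. The drive is a constructed in-memory byte string with one deliberately unreadable sector; in the field the source would be a block device behind a write-blocker. The Drive class and the function names are this example's own.

```python
"""Added example: sector-by-sector acquisition with hash-on-the-fly and
verification.  Constructed data; not the slides' own code."""
import hashlib
import os
import random
import tempfile

SECTOR = 512


class Drive:
    """Constructed stand-in for a raw block device (e.g. /dev/sdb behind a
    write-blocker).  Sectors listed in bad_sectors raise OSError on read,
    as a failing region of a real platter would."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(drive, image_path, bad_log):
    """Copy every sector of drive into image_path.  Unreadable sectors are
    written as zeros and recorded in bad_log, so the image keeps its
    sector offsets aligned with the source.  Returns the SHA-256 of the
    bytes actually written: that is the acquisition hash for the report."""
    h = hashlib.sha256()
    with open(image_path, "wb") as out:
        for n in range(drive.sectors):
            try:
                block = drive.read_sector(n)
            except OSError as err:
                bad_log.append((n, str(err)))
                block = b"\x00" * SECTOR
            out.write(block)
            h.update(block)
    return h.hexdigest()


def verify(image_path, expected_hex):
    """Recompute the hash of the image file and compare it with the
    acquisition hash.  Any changed byte makes this return False."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex


def run_demo():
    """16-sector constructed drive, sector 5 unreadable."""
    rng = random.Random(1)
    data = bytes(rng.getrandbits(8) for _ in range(16 * SECTOR))
    drive = Drive(data, bad_sectors=[5])
    bad_log = []
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        digest = acquire(drive, img, bad_log)
        verified = verify(img, digest)
        # The image hash must equal the hash of the source with sector 5
        # zeroed; the bad-sector log is what ties the two together.
        expected = hashlib.sha256(
            data[:5 * SECTOR] + b"\x00" * SECTOR + data[6 * SECTOR:]).hexdigest()
        # Flip one byte in the image and show that verification now fails.
        with open(img, "r+b") as f:
            f.seek(7 * SECTOR + 3)
            b = f.read(1)
            f.seek(7 * SECTOR + 3)
            f.write(bytes([b[0] ^ 0xFF]))
        verified_after_tamper = verify(img, digest)
    return {
        "digest": digest,
        "bad_sectors": [n for n, _ in bad_log],
        "verified": verified,
        "matches_zero_filled_source": digest == expected,
        "verified_after_tamper": verified_after_tamper,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two points worth noticing: the hash in the report is the hash of what was actually captured, so an unreadable sector must be documented alongside it rather than silently skipped, and a single flipped byte anywhere in a multi-gigabyte image is enough to make verification fail, which is exactly why the hash is recomputed before every examination.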

The Organization of Hard Disks  A hard disk contains one or more platters.  Each platter has two sides (surfaces).  Each surface contains concentric circular tracks divided into sectors. A track may contain 64 sectors in the classic geometry; modern drives use zone bit recording, so outer tracks hold many more sectors than inner ones. Each sector traditionally contains 512 bytes of data (newer "Advanced Format" drives use 4096-byte physical sectors, usually presented to the host as 512-byte logical sectors).  A 500 GB hard drive contains over 1 billion 512-byte sectors.

Typical Hard Drive

The Organization of Hard Disks  The hard disk spins at a fast rate (5400 rpm or 7200 rpm).  A read/write head hovers over the surface and picks up the magnetized 1s and 0s stored on the surface.  Data is transferred between the disk and main memory on the motherboard.

The Organization of File Systems  A File System is a logical way of organizing the sectors on a disk into files and directories.  Different Operating Systems support different file systems:  Windows: FAT and NTFS  Linux: EXT3  Mac OS X: HFS+  FAT is the most widely supported file system, which is why removable media such as USB flash drives and memory cards are normally formatted with it.

The Organization of File Systems  Sectors on a disk are allocated as follows for the FAT (File Allocation Table) file system:  Boot sector (describes the geometry: bytes per sector, sectors per cluster, number of FATs, size of the root directory)  FAT sectors (normally two copies of the table, kept in sync)  Root directory sectors (32-byte entries holding each file's name, attributes, timestamps, starting cluster and size)  Data sectors, grouped into clusters of one or more sectors. The FAT has one entry per cluster; each entry either marks the cluster free, points to the next cluster of the same file, or marks the end of the file's chain.

Operation of FAT

Challenges of FAT  After a lot of use (files created, edited, and deleted) the files' cluster chains become very fragmented, scattered across the data area.  It is not easy to search through the FAT on a hard disk by hand, as it is very large.  We need software to interpret the FAT for us.  File slack, the unused tail of a file's last cluster, may contain valuable data left behind by whatever file previously occupied that cluster.

Where is the File Slack?

What Happens when a File is Deleted?  The file's entries in the FAT are set to 'free' (zero), so the cluster chain is lost.  The file's entry in the Directory has its first byte (the first letter of the name) changed to the marker value E5 (hex)... all other file properties, including the starting cluster and the size, stay the same. (On FAT32, Windows also clears the upper 16 bits of the starting cluster number.)  The data content of the file remains stored on disk until its clusters are reused and overwritten, which is why deleted files can often be recovered.

A Sample Directory
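The FAT layout, file slack and deletion behaviour described in the preceding slides, as an added example that is not part of the original presentation: a tiny FAT12 volume is constructed in memory with one live file whose last cluster carries slack and one deleted file whose directory entry starts with E5, and then the root directory is listed the way a forensic tool would, walking the FAT chain for the live file and carving the deleted file from its still-intact starting cluster and size. The geometry (512-byte sectors, one sector per cluster, 64 sectors) and the file contents are constructed for the demo; the assumption that a deleted file was stored contiguously is the standard recovery heuristic and is labelled as such in the code.

```python
"""Added example: build and parse a minimal FAT12 volume.  Constructed
data; not the slides' own code."""
import struct

BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, TOTAL, SPF = 512, 1, 1, 2, 16, 64, 1
CLUSTER = BPS * SPC


def fat12_get(fat, n):
    """Read 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    v = fat[off] | fat[off + 1] << 8
    return v >> 4 if n & 1 else v & 0xFFF


def fat12_set(fat, n, val):
    off = n + n // 2
    v = fat[off] | fat[off + 1] << 8
    v = (v & 0x000F) | (val << 4) if n & 1 else (v & 0xF000) | (val & 0xFFF)
    fat[off], fat[off + 1] = v & 0xFF, v >> 8


def dir_entry(name, ext, first_cluster, size, deleted=False):
    """32-byte 8.3 directory entry.  Deleting only overwrites byte 0 with
    0xE5; starting cluster (offset 26) and size (offset 28) survive."""
    e = bytearray(32)
    e[0:8], e[8:11], e[11] = name.ljust(8).encode(), ext.ljust(3).encode(), 0x20
    struct.pack_into("<HI", e, 26, first_cluster, size)
    if deleted:
        e[0] = 0xE5
    return bytes(e)


def build_volume():
    """Constructed volume: README.TXT (700 bytes, clusters 2->3, live) and
    SECRET.DOC (300 bytes, cluster 4, deleted).  Cluster 3's tail holds
    leftover bytes from an earlier file: that is the file slack."""
    img = bytearray(BPS * TOTAL)
    struct.pack_into("<HBHBHH", img, 11, BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, TOTAL)
    struct.pack_into("<H", img, 22, SPF)
    img[510:512] = b"\x55\xAA"
    fat = bytearray(BPS * SPF)
    fat12_set(fat, 0, 0xFF8), fat12_set(fat, 1, 0xFFF)      # media byte / reserved
    fat12_set(fat, 2, 3), fat12_set(fat, 3, 0xFFF)          # README chain; FAT[4] stays 0 (freed on delete)
    for i in range(NFATS):
        s = (RESERVED + i * SPF) * BPS
        img[s:s + len(fat)] = fat
    root = (RESERVED + NFATS * SPF) * BPS
    data = root + ROOT_ENTRIES * 32                          # cluster 2 starts here
    img[data:data + 700] = b"R" * 700
    img[data + 700:data + 2 * CLUSTER] = (b"old slack data " * 30)[:2 * CLUSTER - 700]
    img[data + 2 * CLUSTER:data + 2 * CLUSTER + 300] = (b"confidential memo " * 17)[:300]
    img[root:root + 32] = dir_entry("README", "TXT", 2, 700)
    img[root + 32:root + 64] = dir_entry("SECRET", "DOC", 4, 300, deleted=True)
    return bytes(img)


def list_root(img):
    """Parse the BPB, walk the root directory and return one record per
    entry with its clusters, content, slack and recoverability."""
    bps, = struct.unpack_from("<H", img, 11)
    reserved, nfats, root_entries = struct.unpack_from("<HBH", img, 14)
    spf, = struct.unpack_from("<H", img, 22)
    fat = img[reserved * bps:(reserved + spf) * bps]
    root = (reserved + nfats * spf) * bps
    data_base = root + root_entries * 32

    def cluster_bytes(n):
        return img[data_base + (n - 2) * CLUSTER:data_base + (n - 1) * CLUSTER]

    out = []
    for i in range(root_entries):
        e = img[root + 32 * i:root + 32 * (i + 1)]
        if e[0] == 0x00:
            break                                            # no further entries
        if e[11] == 0x0F:
            continue                                         # long-file-name entry
        deleted = e[0] == 0xE5
        name = (b"_" + e[1:8] if deleted else e[:8]).decode().strip()
        name += "." + e[8:11].decode().strip()
        first, size = struct.unpack_from("<HI", e, 26)
        if deleted:
            # Chain is gone (FAT entries zeroed): assume the file was
            # contiguous and take ceil(size/CLUSTER) clusters if still free.
            needed = -(-size // CLUSTER)
            clusters = [first + k for k in range(needed) if fat12_get(fat, first + k) == 0]
            recoverable = len(clusters) == needed
        else:
            clusters, c = [], first
            while 2 <= c < 0xFF8:                            # 0xFF8..0xFFF = end of chain
                clusters.append(c)
                c = fat12_get(fat, c)
            recoverable = True
        raw = b"".join(cluster_bytes(c) for c in clusters)
        out.append({"name": name, "deleted": deleted, "size": size, "clusters": clusters,
                    "content": raw[:size], "slack": raw[size:], "recoverable": recoverable})
    return out


if __name__ == "__main__":
    for rec in list_root(build_volume()):
        print(rec["name"], rec["clusters"], "deleted" if rec["deleted"] else "live",
              "slack bytes:", len(rec["slack"]))
```

The live file is recovered exactly by following the chain 2 -> 3 in the FAT; its 324 bytes of slack are the tail of cluster 3 and still read "old slack data", which is the kind of leftover the slides warn about. The deleted file is found only because its directory entry keeps the starting cluster and size after byte 0 is set to E5; once another file reuses cluster 4, the same entry would carve out the new file's bytes instead, which is why a deleted file's recovered content must always be validated (for example by its file signature) rather than trusted.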

Where’s the Data?  Registry.  Files and folders.  Deleted files.  Unallocated space.  Slack space.  System files: HIBERFIL.SYS (a copy of memory written at hibernation), INDEX.DAT (Internet Explorer's history and cache index), PAGEFILE.SYS (virtual memory paged out from RAM).

Forensic Tools  Hex editor: Display, search, and (on a working copy, never the evidence image) modify hexadecimal data.  Forensic analysis software:  FTK (Forensic Toolkit)  EnCase  Autopsy  X-Ways

FTK (Forensic ToolKit)

Forensic Tools  Network traffic sniffer/analyzer  Imaging software  Hashing software  Log file analyzer  Steganography detection software

Skills Needed by a Forensic Examiner  Knowledge of Operating Systems.  Knowledge of File Systems.  Must understand networking and TCP/IP.  Must possess necessary software for imaging and analyzing images.  Must possess additional software such as hex editor, log file analyzer, etc.  Lots of patience !!!

Thank you!  Questions?  Contact Info:  James L. Antonakos, Professor, CST 