Computer Forensic Evidence Collection and Management


Computer Forensic Evidence Collection and Management
Chapter 9: Computer Systems Disk and File Structure

Chapter Objectives
Identify the various components of a hard drive and the structure of disk media.
Learn the differences among the numerous disk drive interfaces and functions.
Become familiar with the Windows, Macintosh, and Linux file structures.
Identify the forensic tools used to identify and retrieve evidence from Windows, Macintosh, and Linux systems.

Introduction
This chapter provides an overview of computer disk drives and how data is stored and managed on Microsoft, Macintosh, and Linux systems. It is essential that the computer forensic examiner understand the operation of these OSs to avoid damaging or destroying valuable evidence. Technical knowledge is required concerning the process of accessing and modifying system settings and options. A thorough understanding of disk drive operations, components, and configuration is required to successfully identify and retrieve digital data evidence. Forensic examination of disk drives and file systems requires a considerable amount of education and practical experience.

Disk Drive Overview
The hard disk is the primary storage location where data is permanently stored. The four main components of a hard disk are:
Platters
Head arms
Chassis
Head actuator
The capacity of a computer hard disk drive and the files it contains can be confusing. The capacity of the disk drive that is to be imaged will be of concern to the forensic examiner.

Disk Drive Overview (Cont.)
Most computer hard disk drives are permanently mounted in an internal hard drive bay at the front of the computer and are connected with one ATA/SCSI cable and a power cable. Disk drives are constructed of one or more cylinders (platters) coated with magnetic material. The geometry, or configuration, reflects the internal organization of the disk drive. The components that make up the physical disk platter include:
A cylinder or platter: contains a set of tracks on a multiheaded disk that may be accessed without head movement.
Tracks: addressable concentric rings on magnetic secondary storage disks used for storing data.
Sectors: the smallest unit of storage on a disk. The boot sector is the very first sector on a hard drive.
The master boot record (MBR) describes how the hard drive is organized. Digital images are written on the tracks as bytes. The typical hard disk has a storage capacity of 512 bytes per sector.

Computer Hard Drive Interfaces
Computer hard disk interfaces include various specifications of AT attachment drives. The computer interfaces allow a computer to send information to and retrieve information from storage devices, such as computer hard disk drives and CD-ROM drives. A brief description of these categories of drives will be useful to the forensic examiner.
ATA (AT Attachment) interfaces are the most commonly used interfaces on IBM-compatible computers.
ATAPI (AT Attachment Packet Interface) is an extension to ATA that adds support for devices such as tape drives and other computer peripherals.
IDE (Integrated Drive Electronics) is more commonly known as ATA and is a standard interface for IBM-compatible hard drives.
EIDE is the next generation of the IDE interface; it was developed by Western Digital and is an interface commonly used on IBM-compatible computers.
CMOS, or complementary metal oxide substrate, uses logical block addressing and enhanced cylinder, head, and sector configuration.

Computer Hard Drive Interfaces (Cont.)
Newer drive technology:
SCSI (Small Computer System Interface) is a standard for parallel interfaces that transfers information at a rate of 8 bps and faster, which is faster than the average parallel interface.
SATA (Serial ATA) was first released in August 2001 and is a replacement for the parallel ATA interface used in IBM-compatible computers.
USB (Universal Serial Bus) is an external peripheral interface standard for communication between a computer and external peripherals over a cable using bi-serial transmission.

Computer Hard Drive Interfaces (Cont.)
Other technology:
RAID (Redundant Array of Inexpensive Disks) is an assortment of hard disk drives connected and set up in ways to help protect and/or speed up the performance of a computer's disk storage. RAID levels 1-5, 10, and 15 can be implemented through software or special hardware controllers.
CD (Compact Disk) is a flat, round storage medium that is read by a laser in a CD-ROM drive.
DVD (Digital Versatile Disk) or DVD-ROM (Digital Video Disk) is a type of disk drive that allows for large amounts of data on one disk.
Optical media store information in a manner different from magnetic media. On the surface of a CD, data is configured into three areas: lead-in, program, and lead-out. The computer forensics examiner might need to retrieve evidence from a CD or DVD.

Microsoft File System Overview
Forensic examiners need to understand how Windows and DOS computers store files.
BIOS (Basic Input/Output System) runs at computer start-up, where it configures devices and then boots the operating system. BIOS information is stored in ROM (Read-Only Memory).
Bootstrap is the first code executed when the computer is turned on.
NTFS (New Technology File System) is Windows NT's replacement for the DOS FAT and OS/2's HPFS (High-Performance File System).
FAT (File Allocation Table) is a file system table used by the FAT file system. It contains information about where on the disk the content of the files is stored. There are three versions of FAT: FAT12, FAT16, and FAT32.
Partitions
A partition is a segment of the hard drive that is separated from other portions of the hard disk drive. It is possible for users to hide data in voids between partitions on a hard drive. This unused space between partitions is called the partition gap. The forensic examiner can use a number of tools to examine a partition at the physical level. These include: Norton Disk Edit, WinHex, and Hex Workshop.

Microsoft File System Overview (Cont.)
Master Boot Record
The MBR is a small program that is executed when a computer boots up. Typically, the MBR resides on the first sector of the hard disk. The MBR stores information about the partitions on a disk and their locations, sizes, and other critical items.
Registry Data
The registry consists of a database that contains hardware and software configuration, setup information, and user preferences. The registry is used in Windows operating systems. The forensic examiner might find useful information in the registry database. There are two versions of the editor: Regedit and Regedt32. The registry for Windows 9x is located in System.dat and User.dat, which are located in the Windows root directory. Registry information for Windows 2000 and XP is located in Winnt\Config and Windows\System32\Regedt.exe.
Windows Forensic Tools
A number of computer forensic tools are described on the vendors' Web pages. Some include: Trinity Rescue Kit (TRK), The Farmer's Boot CD, The Sleuth Kit, and Autopsy Browser.
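The partition-gap and MBR points above can be checked directly against a disk image. The following is an added example, not part of the chapter or any vendor tool: it parses the four 16-byte entries of a classic MBR partition table (byte offsets 446 to 509, signature 0x55AA at bytes 510 to 511, 512-byte sectors as the slides assume) and lists every run of unallocated sectors, which is where an examiner would look for hidden data. The sample sector is constructed inline with a deliberate 1024-sector hole between two partitions.

```python
import struct

SECTOR = 512  # bytes per sector, as the slides state


def parse_mbr(sector: bytes):
    """Return the non-empty entries of the MBR partition table as dicts."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # boot flag, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped),
        # 32-bit LBA of first sector, 32-bit sector count; all little-endian
        boot, ptype, start_lba, size = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and size != 0:
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "start_lba": start_lba, "sectors": size})
    return parts


def partition_gaps(parts, total_sectors):
    """Return (first_sector, length) for each unallocated run: before the first
    partition, between partitions, and after the last one."""
    gaps = []
    cursor = 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - cursor))
        cursor = max(cursor, p["start_lba"] + p["sectors"])
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def build_sample_mbr():
    """Constructed sample: an NTFS partition, a 1024-sector hole, then a Linux partition."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 20480)   # LBA 2048..22527
    mbr[462:478] = struct.pack("<B3xB3xII", 0x00, 0x83, 23552, 8192)   # LBA 23552..31743
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for gap in partition_gaps(table, total_sectors=40960):
        print("unallocated run: start sector %d, %d sectors (%d bytes)" % (gap[0], gap[1], gap[1] * SECTOR))
```

On a real image, replace build_sample_mbr() with the first 512 bytes of the image file and total_sectors with the image size divided by 512; extended partitions (type 0x05/0x0F) would need their EBR chains walked, which this example does not do.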

Macintosh Computer Systems
The Macintosh (Mac) is an alternative PC platform to DOS-based PCs developed by Apple in the 1980s. The Mac is a popular computer for schools and graphics professionals. The current Mac OS is Mac OS X v.10.40.6.
The Mac uses an HFS (Hierarchical File System) where files are stored in directories or folders. The file manager handles the reading, writing, and storage of data. The Finder is another Mac tool that interacts with the OS to keep track of files and maintain each user's desktop.
The data fork contains data that the user creates. The resource fork contains the menus, icons, dialog boxes, controls, and executable code.
A volume is any storage medium used to store files. An allocation block consists of the number of blocks assembled in the Mac file system when a file is saved. A logical block is a collection not exceeding 512 bytes. The logical EOF refers to the number of bytes that contain data. The physical EOF represents the number of the allocation block for the file.
Macintosh computers use Open Firmware instead of BIOS firmware.

Macintosh Computer Systems (Cont.)
Forensic Tools for Mac Systems
Most forensic tools are oriented toward the Windows environment; however, new packages have become available to assist in investigations involving Mac computers:
MacForensicsLab
MacQuisition Boot CD
Open-source forensic tools
The Mac OS is a Unix-based system, and most user files are created and saved in the user's home directory.

UNIX/Linux Systems
UNIX is an OS that originated at Bell Labs in 1969 as an interactive time-sharing system. UNIX became the first OS written in the C programming language. UNIX has evolved as a kind of large freeware product with a variety of versions. UNIX is well known for its relative hardware independence and portable application interfaces.
Linux is a version of UNIX that runs on a variety of hardware platforms. Linux uses inodes, or information nodes, that contain descriptive information about each file or directory. The inode number is an integer unique to the device upon which it is stored. All files are hard links to inodes. An inode is a pointer to other inodes or blocks. Each inode keeps an internal link count, and when the number becomes 0, Linux deletes the file.
Everything in UNIX and Linux is a file. All UNIX files are defined as objects. UNIX consists of boot block, superblock, inode, and data block components that define the file system. A block is a disk allocation unit that ranges from 512 bytes and up. A partition is a logical section of a disk.
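The link-count rule above has a practical consequence for evidence handling: removing one name for a file does not remove the file while another hard link exists. The following is an added example, not from the chapter: it creates a file in a temporary directory, adds a second hard link, unlinks the original name, and records the inode number and link count (st_nlink) at each step. It assumes a UNIX-like file system that supports hard links.

```python
import os
import tempfile


def link_count_demo():
    """Create a file, add a hard link, remove the original name, and report what
    the inode's link count did along the way.  All data here is constructed."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.txt")
        alias = os.path.join(workdir, "alias.txt")
        with open(original, "w") as f:
            f.write("constructed sample data")

        st_created = os.stat(original)          # one name -> link count 1
        os.link(original, alias)                # second directory entry, same inode
        st_linked = os.stat(alias)              # link count now 2
        os.unlink(original)                     # drops one name; inode survives
        st_after_unlink = os.stat(alias)        # link count back to 1

        with open(alias) as f:                  # data still readable via remaining link
            surviving_data = f.read()
        os.unlink(alias)                        # last link removed: count reaches 0, file is deleted

        return {
            "same_inode": st_created.st_ino == st_linked.st_ino == st_after_unlink.st_ino,
            "nlink_sequence": (st_created.st_nlink, st_linked.st_nlink, st_after_unlink.st_nlink),
            "data_after_unlink": surviving_data,
        }


if __name__ == "__main__":
    result = link_count_demo()
    print("same inode for both names:", result["same_inode"])
    print("link count after create / link / unlink:", result["nlink_sequence"])
    print("data readable after original name removed:", repr(result["data_after_unlink"]))
```

For an examiner this is why a file that appears "deleted" from one directory may still be fully allocated and reachable under another name; checking st_nlink on suspicious files is a quick way to spot extra names.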

UNIX/Linux Systems (Cont.)
Examining a UNIX or Linux System
The forensic personnel must first review the documentation of the UNIX system being examined for information concerning the boot process and other specifics of the particular system. UNIX systems, such as file servers or Web servers, probably cannot be powered down. There are also specific processes that occur when powering on a UNIX workstation.
UNIX and Linux Forensic Tools
UNIX and Linux tools are available from a number of sources, including:
SMART Linux: a live CD and an installable distribution of Linux designed for data forensics and incident response, from ASR Data.
ForensiX, Linux Forensic eXaminer: collects and analyzes digital evidence.
Maresware: cataloging, hashing, and string-searching programs.