1
Forensic Concept of Data
Storage Forensics
© Dr. D. Kall Loper, all rights reserved
2
Storage Forensics Definitions User Data
Any data visible to the user under normal operation of the system. The vast majority of evidence will be found in user data. This includes files in the Windows 'Recycle Bin' or the Macintosh 'Trash'.
3
Storage Forensics Definitions Image
An exact, bit-for-bit copy of a hard drive, including slack space, unallocated space, and the Windows™ swap file, if present. This copy is not like logical copies made with the operating system's 'copy' command, in that it includes all of the latent data as well as the active files.
4
Storage Forensics Definitions Latent Data
All data on a storage device that is not accessible through the operating system. This includes: Unallocated Space, File Slack, Protected Files, and Virtual Memory.
5
Storage Forensics Definitions Unallocated Space
All the clusters on a drive that are not currently assigned to a file. Access Data (2003). Forensic tool kit: User's guide. Orem, UT: Access Data. p. 242
6
Storage Forensics Definitions Sector
A sector is a logical block (see the note below) defined by the hard drive firmware. Prior to January 2011, and the transition period that preceded it, the sector size was fixed at 512 bytes. Advanced Format hard disk drives use 4096-byte physical sectors. A sector is a low-level formatting artifact. Note: 'logical block' implies LBA (logical block addressing); the eponymous sector was formerly used in CHS (cylinder, head, sector) addressing. The term was sometimes synonymous with 'block', but block became associated with a variable-length data run used on media beyond the hard disk drive. Caveat for the examiner: most Advanced Format drives are '512e' drives, which report 512-byte logical sectors to the host while writing 4096-byte physical sectors, so the sector size the file system and the imaging tool see is the logical size. Check both values before computing slack.
7
Storage Forensics Definitions Cluster
Fixed-length blocks, made up of one or more sectors, in which the file system stores files. Each cluster is assigned a unique number by the file system. A cluster is a high-level formatting artifact. Access Data (2003). Forensic tool kit: User's guide. Orem, UT: Access Data. p. 241
8
Slack Space Illustration: on this hard drive,
there are 4096 bytes per cluster and 512 bytes per sector. Thus, there are 8 sectors per cluster (4,096 ÷ 512 = 8).
9
Storage Forensics Definitions File Slack
Unused space. File systems store files in fixed-length blocks called clusters. Because few files are a size that is an exact multiple of the cluster size, there is typically unused space between the end of the file and the end of the last cluster used by that file. Access Data (2003). Forensic tool kit: User's guide. Orem, UT: Access Data. p. 241
10
Storage Forensics Definitions RAM Slack
RAM slack is the latent data the operating system uses to 'pad' the end of a file so that its last sector is completely filled. Hard drives write one complete sector at a time, so the padding is required.
11
Slack Space Illustration: in this file, the file is 2304 bytes.
Each of the first four sectors contains 512 bytes, but the file cannot fill a fifth (512 x 4 = 2048; 2304 - 2048 = 256).
12
Slack Space Illustration: in this file,
the remaining 256 bytes of the fifth sector are filled with data from system memory: RAM. In this illustration, the file is green; the RAM slack is blue. Caveat: modern operating systems (Windows NT and later, on NTFS) zero-fill the tail of the last sector before writing it instead of copying whatever is in the write buffer, so RAM slack on a current system is usually zeros. Memory-filled RAM slack is characteristic of older systems such as MS-DOS and Windows 9x.
13
Slack Space Illustration: in this file,
the remaining space in the cluster, the three sectors that were never written, is called file slack. In this illustration, file slack is red.
14
Storage Forensics Definitions Virtual Memory
Virtual memory (VM) is a technique that allows a computer to use hard drive space as a backing store for RAM, far slower than main memory. While it is not efficient, it allows a system with insufficient memory to complete tasks rather than crash when main memory runs out. The on-disk file is called the paging file in Windows (pagefile.sys) and swap space, either a swap partition or a swap file, in UNIX and Linux.
15
Storage Forensics Virtual Memory and RAM Slack
Accessing VM and RAM slack are two ways to read the contents of system memory from a storage image. Active memory may hold network state (ARP cache entries, open connections, etc.) or otherwise indicate how the computer was being used at the time.
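What "reading the contents of system memory" from a paging file or carved RAM slack looks like in practice is a string carve over raw bytes. The following is an added example, not from the slides: it pulls printable ASCII and UTF-16LE runs (Windows keeps much of its state in UTF-16LE) with their byte offsets out of a blob, then extracts dotted-quad IPv4 candidates and validates them so that junk such as 999.1.2.3 is dropped. The input is a byte string constructed inline as a hypothetical fragment of pagefile.sys; on a real case the bytes would come from the swap or paging-file region of the image or from the slack carved above.

```python
"""String and IPv4 carving over a memory-backed artifact, as an added example
(not from the slides). The input is a constructed, hypothetical stand-in for a
chunk of pagefile.sys / swap or carved RAM slack.
"""
from __future__ import annotations

import re
from ipaddress import IPv4Address, AddressValueError

IPV4_TEXT = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def carve_strings(blob: bytes, min_len: int = 6) -> list[tuple[int, str, str]]:
    """Return (byte offset, encoding, text) for runs of printable characters,
    scanning both plain ASCII and UTF-16LE (one printable byte followed by NUL)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in utf16_run.finditer(blob)]
    return sorted(found)


def carve_ipv4(blob: bytes) -> list[tuple[int, str]]:
    """Dotted-quad candidates inside carved strings, validated with ipaddress so
    that octets over 255 are rejected. Offsets point at the address itself."""
    hits = []
    for off, enc, text in carve_strings(blob, min_len=7):
        width = 2 if enc == "utf-16le" else 1     # bytes per character
        for m in IPV4_TEXT.finditer(text):
            try:
                addr = IPv4Address(m.group())
            except AddressValueError:
                continue
            hits.append((off + m.start() * width, str(addr)))
    return sorted(hits)


def build_sample_swap() -> bytes:
    """Constructed stand-in for a swap/paging-file fragment: an ASCII ARP table
    line, a UTF-16LE URL, an invalid dotted quad, and some binary noise."""
    return (b"\x00" * 64
            + b"arp -a: 192.168.1.10 00-11-22-33-44-55"
            + b"\x00" * 32
            + "https://10.0.0.5/login".encode("utf-16le")
            + b"\x00" * 16
            + b"bad 999.1.2.3 x"
            + bytes(range(32)))


if __name__ == "__main__":
    blob = build_sample_swap()
    for off, enc, text in carve_strings(blob):
        print(f"{off:#08x} {enc:8} {text}")
    print(carve_ipv4(blob))
```

The offsets matter: on a real image they let the examiner map a carved artifact back to the sector it came from and so to the file, slack region or unallocated area that held it. Anything carved from a paging file is a snapshot of memory at an unknown past moment and should be reported as such, not as the state of the machine at seizure.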