An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.


1 An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department

2 Topics
- What is Computer Forensics?
- Why do we need Computer Forensics?
- Live Analysis Versus Static Analysis
- Capturing a Drive Image
- The Organization of Hard Disks
- The Organization of File Systems
- Where’s the Data?
- Forensic Tools

3 What is Computer Forensics?
- Computer Forensics is a process used to locate digital information that may be used to help prove guilt or innocence.
- Computer Forensics procedures must be properly followed to avoid contamination (altering) of the evidence (information).
- It is very important to maintain the chain of custody.

4 Why do we need Computer Forensics?
- Support law enforcement.
- Many types of documents are now stored electronically.
- Learn about the techniques used by cyber-criminals.
- Computers may be the instrument used in a crime or the victim of a crime.

5 Live Analysis Versus Static Analysis
- Live Analysis: Forensics performed on a running system. There are more things to look at during a live analysis than during a static analysis. Do you pull the plug or perform an orderly shutdown?
- Static Analysis: Forensics performed on a copy of the data from a system. This type of analysis is done most often.

6 Live Analysis
Things to record:
- System time and date.
- Users logged on to the system.
- Open network connections.
- Network drives mapped to the system.
- Processes that are running.
- What is on the Desktop and Clipboard.

7 Static Analysis
Things to look for:
- Registry entries.
- Hidden files and folders, encrypted files.
- Images, emails, IM logs, other files.
- Misnamed files.
- Deleted files.
- Data in unallocated space and slack space.

8 Capturing a Drive Image
- A write-blocker must be used to prevent write operations on the drive being imaged. It can be software or hardware.
- The entire drive is imaged, including unallocated space, to a clean drive.
- The image must be verified to guarantee integrity. This is done using a hash function.

9 Capturing a Drive Image
- One bit is a 0 or a 1.
- One byte is 8 bits.
- One KB (kilobyte) is 1024 bytes.
- One MB (megabyte) is 1024 KB.
- One GB (gigabyte) is 1024 MB.
- A 500 GB drive contains 536,870,912,000 bytes (over 143 million pages!!!).
- One TB (terabyte) is 1024 GB.

10 Capturing a Drive Image
- The drive may be imaged via a USB or FireWire connection, or over the network.
- The size of the drive being imaged affects the time required to perform the capture.
- The speed of the connection also affects the time required to image the drive.
- A 500 GB drive may require 8 hours or several days to acquire.

11 Image is Verified via a Hash
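The verification step on slides 8 and 11, as an added example that is not part of the presentation: the image file is streamed once in fixed-size chunks (so a 500 GB image never has to fit in memory), MD5 and SHA-256 are computed in the same pass, and the digests are later compared against the values written down at acquisition. The `demo()` function uses a small constructed "image" (a fake boot sector plus three empty sectors) and then alters one bit to show that verification fails afterwards. File names and the sample bytes are assumptions made for the example.

```python
import hashlib
import hmac
import io
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time; a 500 GB image must never be loaded whole


def _digest_stream(stream, algorithms):
    """Feed every chunk of a binary stream to all requested hash objects at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_image(path, algorithms=("md5", "sha256")):
    """Read the image file once and return {algorithm: hex digest}.

    Both digests come from the same pass: every extra read of a large image
    costs hours on a slow USB or network link.
    """
    with open(path, "rb") as f:
        return _digest_stream(f, algorithms)


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Same digests for an in-memory buffer (used to check the hashing itself)."""
    return _digest_stream(io.BytesIO(data), algorithms)


def verify_image(path, expected):
    """Compare the image against digests recorded at acquisition time.

    Returns (ok, actual) so both values can be written to the evidence log.
    Every algorithm in `expected` must match; a single changed bit anywhere
    in the image flips the result to False.
    """
    actual = hash_image(path, tuple(expected))
    ok = all(hmac.compare_digest(actual[name], digest.lower())
             for name, digest in expected.items())
    return ok, actual


def demo():
    """Constructed walk-through: hash a tiny fake image, then alter one bit."""
    # Constructed sample image: a fake 512-byte boot sector followed by three empty sectors.
    image = b"\xEB\x3C\x90MSDOS5.0" + bytes(512 - 11) + bytes(3 * 512)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.dd")  # assumed file name
        with open(path, "wb") as f:
            f.write(image)
        acquired = hash_image(path)          # the values that go on the evidence log
        ok_before, _ = verify_image(path, acquired)

        # Simulate contamination: flip one bit in the last sector of the image.
        tampered = bytearray(image)
        tampered[-1] ^= 0x01
        with open(path, "wb") as f:
            f.write(tampered)
        ok_after, _ = verify_image(path, acquired)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In practice the digests are computed on the original drive through the write-blocker and again on the copy; the two sets must agree before any analysis starts, and they are re-checked whenever the image is handed over, which is how the chain of custody is backed by evidence rather than by trust.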

12 The Organization of Hard Disks
- A hard disk contains one or more platters.
- Each platter contains two sides (surfaces).
- Each surface contains circular tracks divided into sectors. Each track may contain 64 sectors. Each sector contains 512 bytes of data.
- A 500 GB hard drive contains over 1 billion sectors.

13 Typical Hard Drive


15 The Organization of Hard Disks
- The hard disk spins at a fast rate (5400 rpm or 7200 rpm).
- A read/write head hovers over the surface and picks up the magnetized 1s and 0s stored on the surface.
- Data is transferred between the disk and main memory on the motherboard.

16 The Organization of File Systems
- A File System is a logical way of organizing the sectors on a disk.
- Different Operating Systems support different file systems:
  - Windows: FAT and NTFS
  - Linux: EXT3
  - Mac OS X: HFS+
- FAT is the most widely supported file system.

17 The Organization of File Systems
- Sectors on a disk are allocated as follows for the FAT (File Allocation Table) file system:
  - Boot sector
  - FAT sectors
  - Directory sectors
  - Data sectors

18 Operation of FAT

19 Challenges of FAT
- After a lot of use (files created, edited, and deleted) the FAT becomes very fragmented.
- It is not easy to search through the FAT on a hard disk, as it is very large.
- We need software to interpret the FAT for us.
- File slack may contain valuable data.

20 Where is the File Slack?

21 What Happens when a File is Deleted?
- The file’s entries in the FAT are set to ‘free.’
- The file’s entry in the Directory has its first byte (letter) changed to the unprintable code E5 (hexadecimal); all other file properties stay the same.
- The data content of the file remains stored on disk until overwritten.
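Slides 17, 19 and 21 describe the FAT directory, file slack and the E5 deletion marker; the following is an added example (not the presentation's code) that shows the "software to interpret the FAT for us" in miniature. It parses the standard 32-byte FAT short-name directory entry, flags entries whose first byte is 0xE5 as deleted (their remaining properties, first cluster and size, are still intact and usable for recovery), skips long-file-name fragments, and computes how many slack bytes sit between the end of each file and the end of its last cluster. The sample directory is constructed for the example (file names, cluster numbers and sizes are invented), and an 8-sectors-per-cluster layout is assumed.

```python
import struct
from math import ceil

SECTOR = 512
DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")  # 32-byte FAT short-name directory entry
DELETED = 0xE5          # first name byte after deletion (slide 21)
END_OF_DIR = 0x00       # first byte of a never-used entry; no more entries follow
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F   # VFAT long-file-name fragment, not a file of its own


def slack_bytes(size, cluster_size):
    """Bytes between the end of the file and the end of its last cluster (file slack)."""
    if size == 0:
        return 0
    return ceil(size / cluster_size) * cluster_size - size


def decode_name(raw11, deleted):
    """Turn the 8.3 name field into 'NAME.EXT'; a deleted entry has lost its first letter."""
    base = raw11[:8].decode("latin-1").rstrip()
    ext = raw11[8:].decode("latin-1").rstrip()
    if deleted:
        base = "?" + base[1:]  # 0xE5 overwrote the first letter; the examiner must infer it
    return f"{base}.{ext}" if ext else base


def parse_directory(blob, sectors_per_cluster=8):
    """Walk the 32-byte entries and report live and deleted files with their slack."""
    cluster_size = sectors_per_cluster * SECTOR
    entries = []
    for off in range(0, len(blob) - DIR_ENTRY.size + 1, DIR_ENTRY.size):
        raw = blob[off:off + DIR_ENTRY.size]
        if raw[0] == END_OF_DIR:
            break
        name, attr, _, _, _, _, _, clus_hi, _, _, clus_lo, size = DIR_ENTRY.unpack(raw)
        if attr & ATTR_LONG_NAME == ATTR_LONG_NAME:
            continue
        deleted = raw[0] == DELETED
        entries.append({
            "name": decode_name(name, deleted),
            "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (clus_hi << 16) | clus_lo,  # high word is only used on FAT32
            "size": size,
            "slack": slack_bytes(size, cluster_size),
        })
    return entries


def make_entry(name, ext, attr=0x20, first_cluster=0, size=0, deleted=False):
    """Constructed helper used only to build the sample directory below."""
    short = name.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
    if deleted:
        short = bytes([DELETED]) + short[1:]  # exactly what deletion does to the entry
    return DIR_ENTRY.pack(short, attr, 0, 0, 0, 0, 0,
                          first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


# Constructed sample directory: one live file, one deleted file, one subdirectory, end marker.
SAMPLE_DIR = (
    make_entry("REPORT", "DOC", first_cluster=5, size=70000)
    + make_entry("PHOTOS", "JPG", first_cluster=40, size=1200, deleted=True)
    + make_entry("EVIDENCE", "", attr=ATTR_DIRECTORY, first_cluster=12)
    + bytes(DIR_ENTRY.size)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        flag = "DELETED" if e["deleted"] else ("DIR" if e["is_dir"] else "")
        print(f"{e['name']:14} cluster {e['first_cluster']:>4} "
              f"size {e['size']:>6} slack {e['slack']:>5} {flag}")
```

With 4096-byte clusters the 70,000-byte report occupies 18 clusters and leaves 3,728 bytes of slack at the end of the last one; whatever was in those bytes before the report was written is still there, which is why slide 19 lists file slack as a place worth examining. The deleted `?HOTOS.JPG` entry still points at cluster 40 with its size of 1,200 bytes, so the data can be read back as long as cluster 40 has not been reused.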

22 A Sample Directory

23 Where’s the Data?
- Registry.
- Files and folders.
- Deleted files.
- Unallocated space.
- Slack space.
- System files: HIBERFIL.SYS, INDEX.DAT, PAGEFILE.SYS.

24 Forensic Tools
- Hex editor: Display, search, and modify hexadecimal data.
- Forensic analysis software:
  - FTK (Forensic Toolkit)
  - EnCase
  - Autopsy
  - X-Ways

25 FTK (Forensic ToolKit)

26 Forensic Tools
- Network traffic sniffer/analyzer
- Imaging software
- Hashing software
- Log file analyzer
- Steganography software

27 Skills Needed by a Forensic Examiner
- Knowledge of Operating Systems.
- Knowledge of File Systems.
- Must understand networking and TCP/IP.
- Must possess the necessary software for imaging and analyzing images.
- Must possess additional software such as a hex editor, log file analyzer, etc.
- Lots of patience!!!

28 Thank you!
- Questions?
- Contact Info: James L. Antonakos, Professor, CST, antonakos_j@sunybroome.edu
