Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Data Expert The following slides are from a presentation developed to support/explain a Data Forensics expert testimony. Click or hit spacebar.

Published byRolf Gilbert Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Data Expert The following slides are from a presentation developed to support/explain a Data Forensics expert testimony. Click or hit spacebar."— Presentation transcript:

1 Computer Data Expert The following slides are from a presentation developed to support/explain a Data Forensics expert testimony. Click or hit spacebar to advance slides.

2 www.executivepresentations.com Hard Drive Data Storage Basics 0 00110011 - Bit - Byte (8 bits) 001100110011001100110011001100110011001100110011 - Sector (512 bytes) - Cluster (4 sectors in this example) 001100110011001100110011001100110011001100110011 Hard Drive - as many clusters as drive geometry allows dependant on number of sectors in a cluster

3 www.executivepresentations.com When you write a file…  Starting at the “Master Boot Record” – Data is written to clusters around the hard disk into “unallocated” space. Master Boot Record 1 2 3 4

4 www.executivepresentations.com When you write a file…  Each time data is written to a cluster… – The entire cluster is marked “allocated” (occupied). UnallocatedSpace Full Cluster

5 www.executivepresentations.com When you write a file…  Each time data is written to a cluster… – The entire cluster is marked “allocated” (occupied). – Even if only one byte of data is actually used. UnallocatedSpace Entire Cluster is marked as “used” even though there is free space there is free space Full Cluster “SlackSpace”ActualData

6 www.executivepresentations.com Slack Space  This cluster is comprised of four 512-byte sectors, occupied by a file of approximately 2.5 sectors (1280 bytes) in length. File 3214 4 Sector Cluster

7 www.executivepresentations.com Slack Space  This cluster is comprised of four 512-byte sectors, occupied by a file of approximately 2.5 sectors (1280 bytes) in length.  The Remainder of Sector 3 and all of Sector 4 is “Slack Space.” Similar to an audio tape recording. Slack Space File 3214 4 Sector Cluster

8 www.executivepresentations.com When you delete files…  Multiple-step process Empty Bin (nofiles)

9 www.executivepresentations.com When you delete files…  Multiple-step process – Deleting moves files to the recycle bin Empty Bin Full Bin (containsfiles) (nofiles) FILEDELETED

10 www.executivepresentations.com When you delete files…  Multiple-step process – Deleting moves files to the recycle bin – Recycle bin must be manually emptied, with a confirmation dialog, to actually “delete” the files Delete Confirmation Dialog Empty Bin Full Bin (containsfiles) FILEDELETED

11 www.executivepresentations.com But are the files REALLY gone?  No — – But the files (data) are now in “unallocated” (unoccupied) clusters, and are available to be written over. – Although the files disappear to most users, the data remains, and is recoverable. Clusters marked “unallocated” by file system but data remains MasterBootRecord

12 www.executivepresentations.com How do you completely delete files?  Files are not fully deleted unless they are overwritten or the disk is actually “wiped.” Slack Space often includes portions of previous files Old File data Continues to exist until overwritten 3214 4 Sector Cluster

13 www.executivepresentations.com  A disk contains 2 files, – File 1 is 2 clusters What is file fragmentation? File 1 2 clusters

14 www.executivepresentations.com  A disk contains 2 files, – File 1 is 2 clusters – File 2 in 3 clusters What is file fragmentation? File 1 2 clusters File 2 3 clusters

15 www.executivepresentations.com  A disk contains 2 files, – File 1 is 2 clusters – File 2 in 3 clusters  File 1, a 2-cluster file, is deleted What is file fragmentation? 2 clusters become available File 2

16 www.executivepresentations.com  A disk contains 2 files, – File 1 is 2 clusters – File 2 in 3 clusters  File 1, a 2-cluster file, is Deleted  File 3, a 5-cluster file, is Saved – File 3 now exists in two file fragments What is file fragmentation? File 3 File 2 2 clusters 3 clusters FRAGMENTATION

17 www.executivepresentations.com Writing a file to a fragmented HDD  After use, fewer and fewer contiguous clusters remain. Most new files are saved with fragmentation, and disk fragmentation increases over time, while old file data remains in unallocated space. MasterBootRecord Old/Existing File Data New files are rarely in contiguous clusters as drive becomes fragmented.

Download ppt "Computer Data Expert The following slides are from a presentation developed to support/explain a Data Forensics expert testimony. Click or hit spacebar."

Similar presentations

Intro to WinHex CSC 414.

Intro to WinHex CSC 414.
Peripheral Storage Devices

Peripheral Storage Devices
Lesson 9 Types of Storage Devices.

Lesson 9 Types of Storage Devices.
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Types Of Storage Device

Types Of Storage Device
Operating Systems File Management.

Operating Systems File Management.
Text Searches Slack Space Unallocated Space

Text Searches Slack Space Unallocated Space
SEMINAR ON FILE SLACK AND DISK SLACK

SEMINAR ON FILE SLACK AND DISK SLACK
Threats to privacy in the forensic analysis of database systems Patrick Stahlberg, Gerome Miklau, and Brian Neil Levine Department of Computer Science.

Threats to privacy in the forensic analysis of database systems Patrick Stahlberg, Gerome Miklau, and Brian Neil Levine Department of Computer Science.
Computer Forensics BACS 371

Computer Forensics BACS 371
1 X-Ways Security: Permanent Erasure Supervised By: Dr. Lo’ai Tawalbeh Prepared By :Murad M. Ali.

1 X-Ways Security: Permanent Erasure Supervised By: Dr. Lo’ai Tawalbeh Prepared By :Murad M. Ali.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
File System Analysis.

File System Analysis.
Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.

Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010.

1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010.
Basic File Recovery Techniques BACS 371 Computer Forensics.

Basic File Recovery Techniques BACS 371 Computer Forensics.
Storage device.

Storage device.
Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.

Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.
 What is electronic data?  Information stored electronically, e.g. pictures, music, documents, etc.  Where can you store your data?  Cell phones 

 What is electronic data?  Information stored electronically, e.g. pictures, music, documents, etc.  Where can you store your data?  Cell phones 
Chapter 4 Operating Systems and File Management. 4 Chapter 4: Operating Systems and File Management 2 Chapter Contents  Section A: Operating System Basics.

Chapter 4 Operating Systems and File Management. 4 Chapter 4: Operating Systems and File Management 2 Chapter Contents  Section A: Operating System Basics.

Similar presentations

Ads by Google