Published by Nelson Cunningham. Modified over 8 years ago.
1
COEN 252: Computer Forensics Hard Drive Evidence
2
Disk Overview: Hard drives, removable devices.
3
Hard Drive Overview: Data is stored in sectors of 512 B; sectors are written and read in their entirety. Data stays unless it is overwritten. In principle, it is possible to read traces of overwritten data with an electron microscope. Under most circumstances, this is impractical.
4
Hard Drive Sources of Evidence: Current files. Look for access times and other metadata. The location of files (e.g. inode number) sometimes allows reconstruction of events.
5
Hard Drive Sources of Evidence: Contained in deleted files that have not yet been completely overwritten.
6
Hard Drive Sources of Evidence: RAM slack. Small portions of memory written to disk with the end of a file.
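The following is an added example, not part of the original slides: it locates the RAM slack of one file in a raw image (the bytes between the logical end of the file and the end of its last 512 B sector) and pulls printable strings out of it. The function names, the sample image and its contents are constructed for illustration, and the file's byte offset and length are assumed to be already known from file system metadata.

```python
SECTOR = 512  # sector size stated on the slides

def ram_slack_range(file_offset, file_length, sector=SECTOR):
    """Return (start, end) image offsets of the RAM slack: from the logical
    end of the file to the end of the sector that holds its last byte."""
    if file_offset < 0 or file_length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    eof = file_offset + file_length
    end = -(-eof // sector) * sector  # round up to the next sector boundary
    return eof, end

def extract_ram_slack(image, file_offset, file_length, sector=SECTOR):
    """Return the slack bytes; empty if the file ends on a sector boundary."""
    start, end = ram_slack_range(file_offset, file_length, sector)
    if end > len(image):
        raise ValueError("file extends past the end of the image")
    return bytes(image[start:end])

def printable_runs(data, min_len=4):
    """Return ASCII runs of at least min_len bytes (like the strings tool)."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs

def build_sample_image():
    """Constructed 4-sector image: a 700-byte file starting at sector 1,
    followed by leftover memory content that was written with its last sector."""
    image = bytearray(4 * SECTOR)
    start, length = 1 * SECTOR, 700
    image[start:start + length] = b"A" * length
    leftover = b"\x00\x07user=alice\x00\x00tmp.doc\x00"  # constructed residue
    image[start + length:start + length + len(leftover)] = leftover
    return bytes(image), start, length

if __name__ == "__main__":
    img, off, size = build_sample_image()
    slack = extract_ram_slack(img, off, size)
    print(len(slack), "slack bytes:", printable_runs(slack))
```
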
7
Hard Drive Sources of Evidence: Virtual Memory (VM) paging files.
8
Hard Drive Sources of Evidence: Contained in various metadata associated with the file system or the disk partitioning.
9
Hard Drive Sources of Evidence: Data that has been deliberately hidden. Device Configuration Overlay, Host Protected Area, hidden partition, unallocated portion of disk drive.
10
Hard Drive Sources of Evidence: Data that has been deliberately hidden.