Book-Notes Section 15 Flashcards
🧱 What is EDRM?
EDRM stands for Electronic Discovery Reference Model.
It’s a framework that shows the standard steps involved in handling digital evidence during e-discovery (legal or investigative cases).
Think of it as a roadmap that guides teams on how to find, process, and use digital information in a legal or compliant way.
🗂️ EDRM Stages (Simplified):
Here are the main steps in the EDRM model:
Information Governance
🧹 Keep data organized from the start (policies, backups, retention).
Identification
🔍 Figure out what data might be important for the case.
Preservation
🧊 Protect that data so it doesn’t get changed or deleted.
Collection
📥 Gather the data in a safe and legally sound way.
Processing
🧼 Filter out junk, remove duplicates, and prepare for review.
Review
👀 Examine the data to decide what’s relevant or sensitive.
Analysis
🧠 Understand what the data means—like timelines, communications, or actions taken.
Production
📤 Deliver the data in a way that lawyers or courts can use (e.g., organized documents).
Presentation
🎤 Use the data as evidence in legal proceedings (in court, investigations, etc.).
🧠 Why does EDRM matter?
Helps standardize the e-discovery process.
Ensures legal teams, forensic experts, and IT all work together properly.
Protects the integrity and chain of custody of digital evidence.
⚖️ Venue and Nexus
🏛️ Venue – “Where” a case is heard
Venue is the specific court, or the geographic district it sits in, where a case is heard.
🧠 Think of it as:
“Which court or which location is the right place to handle this case?”
🔍 Why it matters:
Cybercrimes can involve multiple locations (like attacker in one country, victim in another), so choosing the right venue is important for the legal process.
🌐 Nexus – “Connection” between a person, place, or event and the case
Nexus means a link or connection between two things.
In legal terms, it usually refers to the connection between the suspect/system and the jurisdiction or crime.
🧠 Think of it as:
“Is there a valid connection between the place and the crime, so that this court has authority?”
🔍 Example: If someone attacks a U.S. company from another country, prosecutors must show a nexus (connection) between the crime and the U.S. to prosecute the attacker in a U.S. court.
💾 What is Block Size?
Block size is the smallest unit of data a drive (HDD, SSD, or USB stick) reads or writes in one operation; on a disk this unit is the sector. File systems group sectors into a larger allocation unit (a cluster on NTFS/FAT, a block on ext4), and that larger unit is what a file actually consumes on disk.
🧠 Think of it like:
A drive works like a notebook, and each block is a page.
Even if you only want to write one word, it still takes up a whole page.
📦 Common Block Sizes:
512 bytes: the traditional sector size, and still the logical sector size most drives present to the OS
4096 bytes (4 KB): the physical sector size of modern Advanced Format drives (many still emulate 512-byte logical sectors, the so-called 512e drives) and the default cluster size of NTFS and ext4
Larger allocation units are used by high-performance or large-file storage systems
❓ Why does Block Size Matter?
Efficiency:
If you’re storing lots of small files, smaller block sizes help save space.
If you’re storing large files, larger block sizes are faster and more efficient.
Performance:
Bigger blocks = fewer operations = faster reading/writing for big files.
Forensics and Recovery:
In digital forensics, knowing the sector and cluster size lets tools turn partition-table offsets and cluster numbers into byte offsets in a raw image, locate slack space, and carve files accurately.
📘 Example:
Let’s say a file system uses 4 KB clusters, and you store a 2 KB file:
It still uses one full cluster (4 KB).
The unused 2 KB at the end of the cluster can’t be given to another file; it is called slack space.
🧱 What does bs mean in dd?
bs stands for block size.
It tells dd how much data to read/write at a time.
🐢 Why the default is slow:
By default, dd uses a block size of 512 bytes (one traditional sector).
This means it reads and writes tiny chunks, one system call each.
Imaging a 1 TB drive that way takes roughly two billion read calls (and as many writes), and the per-call overhead dominates.
Result: slower performance, especially for large files or whole drives.
🚀 Why a larger block size = faster performance:
When you increase the block size, for example:
dd if=/dev/sda of=image.img bs=1M
You’re telling dd to read/write 1 megabyte at a time.
Fewer operations
Less CPU overhead
Much faster copy/imaging speed
🧪 Example:
Compare these two:
dd if=/dev/sda of=image.img bs=512 # Slow
dd if=/dev/sda of=image.img bs=4M # Much faster
The second one will usually finish much quicker, especially on modern drives.
⚠️ A Quick Tip:
Larger bs values like 1M, 4M, or 8M are usually safe.
Don’t go too big (like 1G), or you might run into memory issues on smaller systems.
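The block-size advice above has one pitfall a practitioner should see once: the forensic-style invocation dd if=... bs=4M conv=noerror,sync pads the final short read up to a full block, so the image can end up larger than the source and its hash will not match. The following added example (my own, not from the notes) runs the real dd with the three variants and verifies each image by SHA-256. The "device" is a constructed temporary file of 8 MiB plus 8 sectors, chosen to be a multiple of 512 bytes but not of 4 MiB; the path and file names are assumptions for the demo.

```python
"""Added example, not from the notes: run dd with different block sizes and
verify each image by hash, the way a forensic imaging step is checked.
The "device" is a constructed temporary file (8 MiB + 8 sectors)."""
import hashlib
import os
import subprocess
import tempfile

FOUR_MIB = str(4 * 1024 * 1024)  # same as bs=4M in GNU dd, spelled out for portability


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_fake_device(path, size=8 * 1024 * 1024 + 8 * 512):
    """Random bytes standing in for /dev/sdX; size is a whole number of sectors."""
    with open(path, "wb") as f:
        f.write(os.urandom(size))
    return size


def dd_image(src, img, bs, conv=None):
    """Invoke dd as the notes do (bs=..., optionally conv=noerror,sync) and
    return True if the image hashes identically to the source. A real
    workflow also hashes the source before and after imaging."""
    cmd = ["dd", f"if={src}", f"of={img}", f"bs={bs}"]
    if conv:
        cmd.append(f"conv={conv}")
    subprocess.run(cmd, check=True, capture_output=True)
    return sha256_of(src) == sha256_of(img)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "dev.bin")
        results = {"source bytes": make_fake_device(dev)}
        # Fast, but conv=sync pads the last short read up to a full 4 MiB block,
        # so the image grows past the source and the hashes disagree.
        a = os.path.join(tmp, "a.img")
        results["4M noerror,sync"] = dd_image(dev, a, FOUR_MIB, "noerror,sync")
        results["a.img bytes"] = os.path.getsize(a)
        # Sector-sized blocks: padding never exceeds one sector, and a real
        # device is already a whole number of sectors, so the image is exact.
        results["512 noerror,sync"] = dd_image(dev, os.path.join(tmp, "b.img"), "512", "noerror,sync")
        # Large blocks without conv=sync: exact and fast, but a read error
        # aborts the copy instead of being zero-filled and skipped.
        results["4M"] = dd_image(dev, os.path.join(tmp, "c.img"), FOUR_MIB)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical takeaway: use a large bs for speed when the source is healthy, but if you need conv=noerror,sync to get past bad sectors, image at the sector size (or use a tool such as dc3dd/dcfldd that handles errors per sector), and always compare the source hash with the image hash afterwards.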
💾 What is a Logical Drive?
A logical drive is a virtual (software-defined) section of a physical hard drive.
🧠 Think of it like this:
You take a big hard drive and divide it into smaller pieces that each act like their own “mini-drive” — that’s a logical drive.
These are created through partitioning.
🧱 Example:
You have a 1 TB physical hard drive:
You split it into:
Drive C: 600 GB
Drive D: 400 GB
Here, C and D are logical drives, even though they’re part of the same physical disk.
🧱 Basic Concept:
A partition is a section of a hard drive that’s been set aside for use.
A logical drive is a type of partition—but not all partitions are logical drives.
Let’s explain with an example 👇
💽 Drive Structure Overview:
Physical Drive
🧱 The actual hard disk (e.g., your 500GB or 1TB drive)
Partitions
🧩 The drive is divided into parts:
Primary partitions (can boot an OS)
Extended partition (a container for logical drives)
Logical Drives
📁 Created inside an extended partition.
Treated like separate drives (e.g., D:, E:)
Useful if you want more than 4 partitions, because an MBR partition table has only 4 entries (4 primary partitions, or 3 primary plus 1 extended). GPT disks have no such limit (Windows creates a 128-entry GPT), so logical drives are an MBR-era concept.
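To make the primary/extended/logical structure concrete, here is an added example (mine, not from the notes) that parses an MBR partition table and follows the extended-partition EBR chain to enumerate logical drives. The disk image is constructed in memory with one primary partition and an extended partition holding two logical drives; every offset, size and type byte is an illustrative assumption.

```python
"""Added example, not from the notes: parse an MBR and walk the EBR chain.
The disk image is constructed in memory; partition offsets are illustrative."""
import struct

SECTOR = 512
# status, CHS start, type, CHS end, LBA start (LE), sector count (LE): 16 bytes
ENTRY = struct.Struct("<B3sB3sII")
EXTENDED_TYPES = {0x05, 0x0F}  # CHS-extended and LBA-extended containers


def parse_table(sector):
    """Return the four 16-byte entries of a boot sector as (type, lba, count)."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, lba, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        entries.append((ptype, lba, count))
    return entries


def list_partitions(disk):
    """Walk the MBR and any EBR chain; return (primaries, logical) with absolute LBAs."""
    primaries, logical, ext_start = [], [], None
    for ptype, lba, count in parse_table(disk[0:SECTOR]):
        if ptype == 0:
            continue                      # empty slot
        if ptype in EXTENDED_TYPES:
            ext_start = lba               # the container, not a usable volume
        else:
            primaries.append((ptype, lba, count))
    ebr = ext_start
    while ebr is not None:
        entries = parse_table(disk[ebr * SECTOR:(ebr + 1) * SECTOR])
        ptype, rel, count = entries[0]    # entry 0: this logical drive, relative to the EBR
        if ptype:
            logical.append((ptype, ebr + rel, count))
        ntype, nrel, _ = entries[1]       # entry 1: next EBR, relative to the extended partition
        ebr = ext_start + nrel if ntype in EXTENDED_TYPES else None
    return primaries, logical


def make_table_sector(entries):
    """Build a 512-byte boot sector holding up to four entries plus the signature."""
    sector = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        sector[446 + 16 * i:446 + 16 * (i + 1)] = ENTRY.pack(
            0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def build_demo_disk():
    """Constructed disk: C: as a primary, then an extended partition with D: and E:."""
    ext_start = 6144
    disk = bytearray(SECTOR * 16384)            # only the table sectors matter here
    disk[0:SECTOR] = make_table_sector([(0x07, 2048, 4096),        # primary NTFS (C:)
                                        (0x05, ext_start, 10240)])  # extended container
    # First EBR at the start of the extended partition: D: follows it, then a link to E:'s EBR
    disk[ext_start * SECTOR:(ext_start + 1) * SECTOR] = make_table_sector(
        [(0x07, 1, 4095), (0x05, 4096, 4096)])
    # Second EBR: E:, with no further link
    ebr2 = ext_start + 4096
    disk[ebr2 * SECTOR:(ebr2 + 1) * SECTOR] = make_table_sector([(0x07, 1, 4095)])
    return bytes(disk)


if __name__ == "__main__":
    primaries, logical = list_partitions(build_demo_disk())
    print("primary:", primaries)  # [(7, 2048, 4096)]
    print("logical:", logical)    # [(7, 6145, 4095), (7, 10241, 4095)]
```

Note the two different bases in an EBR: the logical drive's LBA is relative to the EBR sector itself, while the link to the next EBR is relative to the start of the whole extended partition. Getting that wrong is the classic mistake when hand-locating logical drives in a raw image.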
What’s the difference between forensic copies and logical copies?
🔍 Forensic Copy = Exact, bit-by-bit clone
It copies everything — even deleted files, empty space, and hidden data.
It’s also called an “image” or “bitstream copy” (stored as a raw .dd file or in an E01 container).
Used in digital forensics to make sure nothing is missed.
Maintains evidence integrity (used in court).
🧠 Think of it like:
📸 A perfect photocopy of every single page in a book, including the blank pages and notes in the margins.
📁 Logical Copy = Only visible files and folders
Copies just the user-accessible files (like documents, images, etc.).
Does not include deleted files, hidden data, or unallocated space.
Faster and smaller, but not good for deep forensic analysis.
🧠 Think of it like:
📂 You open the book and copy only the chapters you see, not the deleted or hidden content.
Are you telling me that if I made a logical copy, hashed it using MD5, and then compared it to the hash of the actual drive, they won’t match?
Exactly — you’re spot on for thinking that way. ✅
Yes — if you:
Make a logical copy of a drive (just the visible files and folders)
Then create an MD5 hash of that logical copy
And compare it to the MD5 hash of the entire drive (forensic copy)
👉 They will NOT match.
🔍 Why?
Because a logical copy:
Does not include deleted files
Skips unallocated space
Misses hidden partitions, file system metadata, and system areas
May change timestamps or permissions during copying
Meanwhile, a forensic copy (like using dd or FTK Imager):
Captures the entire disk bit-for-bit, including all the above
So its hash represents everything on the disk, not just what’s visible to the user.
The hash check in a forensic workflow therefore compares the original device with its bit-for-bit image (the device is hashed before and after imaging to show it wasn’t altered); a logical copy can only be hashed file by file.
MD5 is still widely used for this matching, but because MD5 collisions can be manufactured, practitioners record a SHA-256 hash alongside it.
🧰 What does “Forensic Suites” mean?
A forensic suite is a complete software package (or toolkit) that helps digital investigators collect, analyze, and report digital evidence from devices like:
Hard drives
USBs
Phones
Memory (RAM)
Network data
🧠 Think of it like:
A digital detective’s toolbox — with everything in one place to handle a full investigation.
💼 Examples of Forensic Suites:
FTK (Forensic Toolkit): Powerful suite for disk imaging, analysis, and reporting (FTK Imager is its free imaging component)
EnCase: Commercial suite widely used in law-enforcement and corporate investigations
Autopsy / The Sleuth Kit: Open-source suite for disk-image analysis, timeline building, and file carving
🗑️ Why is deleting a file considered non-destructive?
When you delete a file, the file is not actually erased from the disk. The file system only removes the reference to it: the directory entry disappears and the allocation record (a FAT entry, or an NTFS MFT record) is marked unused.
🧠 Think of it like:
Crossing a file’s name off the table of contents in a book, but leaving the actual pages inside the book.
🔍 Here’s what actually happens:
The file’s name is removed from the directory listing.
The space it used is marked as “free”.
But the actual data blocks (the contents of the file) remain on the disk — until something new is written over them.
That’s why forensic tools can often recover deleted files — because they’re still physically there, just no longer listed by the operating system.
🗂️ What is Slack Space?
Slack space is the leftover (unused) space inside a disk block or cluster after a file is saved.
🧠 Think of it like:
You write a short note on a full sheet of paper. The note only takes half the page, but the rest of the page is still there, blank but unused.
That blank part is the slack space. On a never-used cluster it is all zeros, but on a cluster that earlier held a since-deleted file it still contains that file’s tail.
🧱 Why does Slack Space exist?
Files are stored in blocks or clusters (e.g., 4 KB per cluster).
If a file is smaller than a cluster, the rest of the cluster remains unused.
That unused space isn’t wiped when the new file is written, so it may still contain leftover data from previous files. (Windows zero-fills only the rest of the last sector the file touches, the so-called RAM slack; any untouched sectors after it in the cluster, the file slack, keep their old contents.)
🔍 Example:
Cluster size: 4 KB
File size: 2 KB
Slack space: 2 KB (still present on the disk, but not part of the current file)
🧪 Why is it important in forensics?
Slack space can:
Contain fragments of deleted files
Hold hidden or residual data
Reveal evidence not visible in the file system
🛠 Forensic tools can scan slack space to recover:
Password fragments
Email snippets
Malware traces
Chat messages
🧹 What are Secure Delete Tools?
Secure delete tools are designed to permanently delete files by not just removing them, but by overwriting their data so it cannot be recovered — even with forensic tools.
🛠️ How do they work?
Here’s the basic process:
Delete the file (removes the file’s entry from the file system)
Overwrite the data location with random data or specific patterns (1s, 0s)
Historically done several times; NIST SP 800-88 considers a single overwrite pass sufficient on modern magnetic drives
Remove file metadata (file names, timestamps, etc.)
Optionally, overwrite slack space or unallocated space
🧠 Why is this needed?
Because normal deletion only removes the file’s “pointer” — the actual data remains on the disk and can be recovered using forensic tools.
🧪 On a magnetic hard drive, secure deletion makes recovery practically impossible because the file’s data is physically replaced. On SSDs that guarantee does not hold (see wear leveling below).
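The three ideas above (an ordinary delete leaves the data in place, a smaller file written into the freed cluster leaves the old tail in slack space, and a secure delete overwrites before freeing) are easiest to see on a toy disk. This added example is mine, not from the notes: the 4 KB cluster size, the file names, the directory table and the last-freed-first allocator are all constructed for illustration, and the carve() helper does what a forensic carver does, searching the raw bytes for a signature without consulting the directory.

```python
"""Added example, not from the notes: a toy block device showing (1) why an
ordinary delete is non-destructive, (2) where slack space comes from and
(3) what a secure-delete tool does differently. Everything is constructed."""
import os

CLUSTER = 4096  # allocation unit, like a 4 KB NTFS/FAT cluster


class ToyDisk:
    def __init__(self, clusters=8):
        self.raw = bytearray(CLUSTER * clusters)  # the "platter": every byte is addressable
        self.free = list(range(clusters))         # pop() hands out the most recently freed cluster
        self.directory = {}                       # name -> (cluster list, size in bytes)

    def write(self, name, data):
        """Allocate whole clusters but write only len(data) bytes; the remainder
        of the last cluster is left exactly as it was (that is the slack)."""
        n = max(1, -(-len(data) // CLUSTER))      # ceiling division
        if n > len(self.free):
            raise OSError("disk full")
        clusters = [self.free.pop() for _ in range(n)]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory[name] = (clusters, len(data))

    def read(self, name):
        clusters, size = self.directory[name]
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)[:size]

    def slack(self, name):
        """Bytes of the file's last cluster that lie past end-of-file."""
        clusters, size = self.directory[name]
        used = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1]
        return bytes(self.raw[last * CLUSTER + used:(last + 1) * CLUSTER])

    def delete(self, name):
        """Ordinary delete: drop the directory entry, mark the clusters free.
        Not a single data byte is touched."""
        clusters, _ = self.directory.pop(name)
        self.free.extend(clusters)

    def secure_delete(self, name, passes=1):
        """Secure delete: overwrite every cluster the file occupied, slack included,
        before releasing it (random pass(es), then zeros)."""
        clusters, _ = self.directory[name]
        for _ in range(passes):
            for c in clusters:
                self.raw[c * CLUSTER:(c + 1) * CLUSTER] = os.urandom(CLUSTER)
        for c in clusters:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.delete(name)


def carve(raw, magic):
    """Forensic-style carving: search the raw device for a signature, ignoring
    the directory entirely. Returns the byte offset of every hit."""
    hits, pos = [], raw.find(magic)
    while pos != -1:
        hits.append(pos)
        pos = raw.find(magic, pos + 1)
    return hits


def demo():
    disk = ToyDisk()
    secret = b"SECRET:" + b"api_key=EXAMPLE-0001;" * 160   # constructed, ~3.4 KB, fills most of a cluster
    disk.write("notes.txt", secret)

    disk.delete("notes.txt")                                    # normal delete
    survives_delete = carve(disk.raw, b"SECRET:") != []          # True: still on the platter

    disk.write("memo.txt", b"M" * 2048)                         # a 2 KB file reuses that cluster
    residue_in_slack = b"api_key=EXAMPLE-0001" in disk.slack("memo.txt")  # True: old tail in slack

    disk.secure_delete("memo.txt")                              # overwrite, then free
    gone = carve(disk.raw, b"api_key=EXAMPLE-0001") == []       # True: nothing left to carve
    return survives_delete, residue_in_slack, gone


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The secure_delete() here covers the whole cluster, which is the part many real tools get wrong: overwriting only the file's own bytes leaves the slack of the new, shorter file intact.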
⚙️ What is Wear Leveling?
Wear leveling is a technique used in SSDs and flash memory to prolong their life.
🧠 Why it’s needed:
Flash memory wears out after too many writes to the same spot.
So, wear leveling spreads out writes evenly across the entire drive.
📦 Example:
Instead of writing data to the same block over and over, the SSD writes it to different blocks each time — even if you’re updating the same file.
🧽 Why does wear leveling make secure deletion hard?
Because the data you’re trying to delete might not be where the OS thinks it is anymore.
The SSD’s controller (its flash translation layer) maps every logical block address to a physical flash page, and it changes that mapping on every write.
When you overwrite “file A”, the controller writes the new data to a fresh page and only marks the old page as stale; the old contents stay in flash until garbage collection erases that block, and the host cannot address that page directly.
As a result, overwrite-based secure deletion tools that work well on HDDs guarantee nothing on SSDs. The reliable options are the drive’s built-in sanitize commands (ATA Secure Erase, NVMe Sanitize/Format) or crypto-erase: encrypting the whole drive and destroying the key.
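The remapping is easier to believe when you watch it happen. This added example (mine, not from the notes) is a toy flash translation layer: every host write lands on the next unused physical page, and an overwrite only marks the previous page stale. A host-side “secure delete” then reads back as zeros while the secret is still present in a chip-level dump. The page count, the allocation policy and the data are constructed assumptions, not a model of any specific controller.

```python
"""Added example, not from the notes: a toy flash translation layer showing why
overwriting data on an SSD does not destroy the old copy. Constructed model."""

PAGE = 4096


class ToyFlash:
    """Host writes go to logical block addresses (LBAs); the controller picks a
    fresh physical page for every write and only marks the old page stale."""

    def __init__(self, pages=8):
        self.nand = [bytes(PAGE)] * pages   # physical pages, as the chip holds them
        self.l2p = {}                       # LBA -> physical page currently mapped
        self.next_free = 0                  # wear leveling: always take the next unused page
        self.stale = set()                  # pages the host can no longer reach

    def write(self, lba, data):
        if len(data) > PAGE:
            raise ValueError("one page at a time in this toy")
        if self.next_free >= len(self.nand):
            raise OSError("no free pages; garbage collection would run here")
        if lba in self.l2p:
            self.stale.add(self.l2p[lba])   # old page is NOT erased, just forgotten
        self.nand[self.next_free] = data.ljust(PAGE, b"\x00")
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        """What the host (and a secure-delete tool verifying its work) sees."""
        return self.nand[self.l2p[lba]] if lba in self.l2p else bytes(PAGE)

    def chip_dump(self):
        """What a chip-off forensic read sees: every physical page, mapped or stale."""
        return b"".join(self.nand)

    def garbage_collect(self):
        """Erase stale pages. The drive decides when this runs, not the host."""
        for p in self.stale:
            self.nand[p] = bytes(PAGE)
        self.stale.clear()


def demo():
    ssd = ToyFlash()
    secret = b"api_key=EXAMPLE-0001;"          # constructed sensitive content
    ssd.write(lba=5, data=secret)

    for _ in range(3):                         # host-side "secure delete": 3 zero passes over LBA 5
        ssd.write(lba=5, data=bytes(PAGE))

    host_sees_zeros = ssd.read(5) == bytes(PAGE)   # True: the tool believes it succeeded
    still_in_flash = secret in ssd.chip_dump()     # True: the first page was only marked stale

    ssd.garbage_collect()                          # whenever the drive gets around to it
    after_gc = secret in ssd.chip_dump()           # False
    return host_sees_zeros, still_in_flash, after_gc


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Real controllers add over-provisioned spare area and remapped bad blocks on top of this, which is why only the drive's own sanitize command (or crypto-erase) can address every page.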
🧪 What is CFReDS?
CFReDS stands for:
Computer Forensics Reference Data Sets
It’s a project created by NIST (National Institute of Standards and Technology) to provide realistic digital evidence datasets for:
Training
Testing
Tool validation
Practice in digital forensics
🧠 Think of it like:
A “practice case” for digital forensics — with fake evidence, files, emails, images, and more — designed to help forensic professionals learn, test tools, or improve skills without using real or sensitive data.
📦 What does CFReDS include?
Disk images (e.g., .dd, .E01)
Sample emails
Chat logs
Pictures
Malware
Hidden/deleted files
Encryption scenarios
Metadata
All structured like real forensic cases — but for learning and tool testing.
🛠️ Who uses CFReDS?
Forensic students: Practice analyzing disk images
Tool developers: Test whether their tools find the right evidence
Investigators: Train on tricky or realistic cases
Researchers: Benchmark performance or accuracy
🦏 What is the Rhino Hunt?
The Rhino Hunt is a digital forensic challenge provided by the National Institute of Standards and Technology (NIST) as part of their Computer Forensics Reference Data Sets (CFReDS) project. It offers a simulated scenario for forensic practitioners to test and enhance their investigative skills.