Data Representation and Files Examination Flashcards
Bit
- smallest unit in the binary system
- either 0 or 1
Byte
- equals 8 bits
Kilobyte
- 1024 byte
Megabyte
- 1024 kilobyte
Gigabyte
- 1024 megabyte
Terabyte
- 1024 gigabyte
What is the difference between a Kilobyte and Kilobit?
- Kilobyte = 1024 bytes; 8192 bits (1024 * 8)
- Kilobit = 1024 bits
When is byte used? When is bit used?
- byte is used when measuring the size of a file
- bit is used when measuring the speed of a connection
How many values does the Hex system have?
- 16
- 0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- A
- B
- C
- D
- E
- F
ASCII
- a system used by computers to represent characters and symbols in a numerical form
- Each symbol is given a number/code
What are the 3 primary locations of metadata?
- MFT records
- File header
- Magic number
MFT
- Master File Table
- used by the NTFS file system to store metadata
- necessary to retrieve files from the NTFS partitions
- each file has one or more MFT records
Why is a tool needed to view MFT records?
- MFT records are not visible to users through Windows Explorer
What is a tool for viewing MFT records?
- Directory Snoop
- Allows the examination of NTFS and FAT32 disks
File Header
- unique identification found at the beginning/head of every file
- usually contains data used by the application that opens the file
- contains attributes like: name, author, date of creation, size, error detection/correction data
How can file headers/trailers be checked?
- Hex editor
Magic Number
- unique string, at the beginning of the file, used to identify the type of file
- method used by Unix/Linux systems to ID a file without reading the whole header
- /usr/share/file/magic
What are the 3 types of Metadata?
- system
- substantive
- embedded and external
Substantive Metadata
- contains information on the modifications of a document
System Metadata
- created/edited/used by the system
- OS file system relies heavily on metadata to keep track of files
- Storage devices use system metadata to track addresses of the contained files and how they are stored
How can System Metadata be used in an investigation?
- system metadata can be used to track a file that doesn’t exist anymore (removed, deleted, moved)
- can also be used to construct a timeline for the events that occurred on that file
- CANNOT be used to retrieve the contents of a file
What are the 4 components of primary interest in System Metadata?
- MAC: modified, accessed, created entries
- EM: stores last time MFT was modified
- Create: when FILE was created (not data)
- Access: when file was last opened, moved, or copied
- Modify: when the content was last changed
How can system metadata of a file be viewed?
- Properties > General and Details tabs
DMS
- Directory Management System
- systems used to log, manage, and organize the storage of digital documents
- keeps track of stored documents and users who own, modify, or view documents
- Example: OpenKM
Caching
- Creation of temporary files and data by OS utilities, such as an Internet browser
- Ex. most recently viewed web pages for easy loading
Where are common places to “hide” files?
- Metadata
- Windows registry
- ADS (Alternate Data Stream)
Windows Registry
- big directory containing many configuration files
- used by the OS and applications to store configurations related to how the application behaves
Where does Windows store which applications should run at Startup?
- HKLM\software\microsoft\windows\currentversion\run
How is the registry organized?
- Organized into directories called Keys
- Each Key contains Values
- Registry Values can be viewed, edited, or created
- Regedit is the most common tool for registry modification and viewing
Where are most Linux configuration files stored?
- /etc
ADS
- Alternate Data Stream
- NTFS only
- allows a user to store data within a file without affecting its size or view
- accessed using the ‘:’ character
- Ex: file.txt:hidden.txt
What are some tools that can be used to inspect a file’s ADS?
- Streams.exe (sysinternals)
- ADS Detector
DOCX
- the extension and format used by Word 2007 and later editions
- Word 2003 and earlier versions used DOC
Executable Files
- text file that contains instructions which the processor reads and executes
- Windows: Portable Executables (EXE)
- Linux: ELF (Executable and Linkable Format) or Binary files
EXE Files
- produced with compilers
- written in code (C, C++, C#, JAVA) then compiled
- the compiler takes code and translates it into machine code
- the compiler also adds a header to the code before putting it together in the final EXE
- EXE file content is arranged into Sections
EXE Header
- contains the following information:
- Exports: the functions within that executable which other executables can call
- Imports: imported DLL files
- Exporting: allowing other programs to import and run code from a .DLL file
- code w/in a DLL file is usually separated into segments (functions)
- when an EXE wants to import code from a DLL file, it usually links to a specific function
rundll32
- system EXE file which takes a DLL file name and function and executes them
What is a tool that can be used to view functions linked to an EXE?
- Dependency Walker
- allows you to view imported DLLs within the EXE and the functions that the EXE imports from each DLL