Definitions Flashcards
What is a byte
8 bits
What is a nibble
half of a byte or 4 bits
What is a bit
1 or 0
What is a CPU
The central processing unit acts as the brain of the machine. All information processed by the computer is processed by the CPU.
What is RAM
Random access memory (RAM) is volatile; it stores data before it is processed by the CPU. RAM only contains information while there is power.
What is ROM
Read-only memory (ROM) is non-volatile and usually holds boot information, bootstrap code, or code that loads the operating system.
What are peripheral devices
Hard drives (HDDs), CDs, USB drives, and other long-term storage devices that are used to store and exchange files.
What is the motherboard
The motherboard connects various components in the computer. It is a printed circuit with connectors (graphics cards, USBs, network devices, etc.)
What are the stages of the forensic process
- Seizure: Gathering of digital devices.
- Imaging & Verification: Taking a forensic copy and validating the copy.
- Analysis: Analyzing the image to discover evidence.
- Reporting: Reporting on the evidence discovered and the methods used to discover it.
What is Image verification
Hashing is used to validate that the image is the same as the source data and has not been altered. A hash is a one-way mathematical function that provides a representation of data.
The chance of an MD5 hash collision is 1 in 2^128.
An MD5 hash is 16 bytes (128 bits).
What is a File Signature
A magic value found at the beginning (and sometimes the end) of a file's contents that indicates the file type.
What is Data Carving
Involves scanning raw disk contents for byte patterns to see if they match a known file signature.
What is File Recovery
File recovery techniques make use of the file system information that remains after deletion of a file.
What is File Carving
Carving deals with the raw data on the media and doesn’t use the file system structure during its process
What is the difference between File Recovery and File Carving
File recovery techniques make use of the file system information that remains after deletion of a file.
Carving deals with the raw data on the media and doesn't use the file system structure during its process. It identifies files in unallocated space and file slack.
Disadvantages of file carving are false positives and a slow process.
What is Live Data Forensics (LDF)
Forensics conducted against a running machine, to account for situations in which dead-box forensics would be an issue (encryption, cloud storage, passwords, machines that can't be taken offline such as servers, etc.).
What are risks associated with Live Data Forensics
- Altering of data
- Be aware of potential data loss, scheduled wiping/remote wiping
What are benefits of Live Data Forensics
- Identify encryption / get access to unencrypted data
- Identify cloud storage / internet storage contents (no local copies)
- LDF on servers allows information to be gathered / images to be taken without shutting down
- RAM can contain passwords, chat history, malware
- LDF can be faster to analyze data
What is the structure of an HDD
Platter, Read/Write Head, Spindle, Actuator
What is in the structure of a platter
Track
Geometric Sector
Sector
Cluster
What are the components of the sector structure
- Synchronization: timing (makes sure the R/W head is positioned correctly)
- Header (CHS address): used so the controller is certain it is reading the right sector
- CRC: checks that the information has not become corrupt
What is a cluster
A number of sectors (usually 512 sectors per cluster)
What is Disk Addressing
- Initially used CHS: Cylinder, Head, and Sector
- Specified the track number, the R/W head to use, and the sector
- Replaced with LBA (logical block addressing)
○ Linear index scheme
○ First block is LBA 0, second is LBA 1, etc.
○ 48 bits used for addressing (2^48 blocks can be addressed)
What is the logical structure of a Disk
Master Boot Record
Unallocated Space
Partitions
What is the Master Boot Record
The Master Boot Record (MBR) is one sector in size (512 bytes) and is the first sector (LBA 0) of the HDD
○ 446 byte boot code
○ 64 byte partition table
○ 2 byte signature
What are the three types of partitions
Primary, Extended, Logical
What is a Primary Partition
A primary partition stores a single file system. The information on these is stored in the MBR’s Partition table.
What is an Extended Partition
Extended partitions contain logical partitions. They are used to overcome the four partition limit for primary partitions.
What is a Logical Partition
Each logical partition stores a file system; however, logical partitions are not listed in the MBR but in an EBR (Extended Boot Record).
What is the Partition Table Structure
The partition table starts at 0x1BE.
Partition table entries:
○ One entry per partition
○ Multi-byte values are in little-endian format
○ Max 4 entries per partition table
○ Extended boot records (EBR) for more than 4 partitions
○ The MBR can contain four primary partitions, or three primary partitions and one extended partition
What is the difference between post-mortem imaging and live imaging
Post-mortem: imaging while the computer is off / physical disk image / no changes likely made to the hard drive
Live imaging: access to live data / check for encryption / changes will definitely be made during imaging / faster analysis than post-mortem
How can you recover a file from NTFS
- Information about file contents is stored in the $DATA attribute
- This may be resident or non-resident
- If resident, the actual file contents will be found in the MFT record; there are no other clusters occupied by this file on disk!
- If non-resident, a run list will point us to the cluster locations
A resident $DATA attribute is only used for very small files. These are most likely simple text files. For most file types $DATA is non-resident. Non-resident data is stored in regular clusters on the file system. A run list tells how many clusters the file occupies and where they are located. The run list is found by reading the two bytes at 0x20 in the non-resident attribute.
What is forensic imaging
A forensic image is a bit-by-bit copy of the device. Every single bit is copied from the physical device and stored in the image.
Convert hex located at 0x0E in LE to FAT time
Example: 44455242592020204C4F472018A54C5E285129510000376628518801912A0000
Time: 0x4C5E
0x5E 4C
11:50
Convert hex located at 0x10 in LE to FAT date
Example: 44455242592020204C4F472018A54C5E285129510000376628518801912A0000
Date: 0x2851
08/09/2020
Convert 0xF1 6A to FAT Date
0xF1 6A
1111 0001 0110 1010
Year = 1111000 = 120 (+1980) = 2100
Month = 1011 = 11
Day = 01010 = 10
Convert 0x84DA to FAT Time
0x84 DA
1000 0100 1101 1010
Hour = 10000 = 16
Minute = 100110 = 38
Seconds = 11010 = 26 (*2) = 52 or 53
Convert 10001110 (2's complement) to decimal
01110010
= -114