Digital Forensics 5 Flashcards
Tape Drives (DAT): Forensically wipe the target hard drive first, so you can be sure no residual data from an earlier case is left on it, then restore the tape's contents to that target drive (magnetic or solid state) and analyze the restored copy rather than the tape itself.
DLT and SDLT: As with DAT, restore the tape's contents to a forensically wiped hard drive and perform the analysis on that restored copy.
info …
Just like all other storage media, a Blu-ray disc should be forensically copied (imaged) to a clean, forensically wiped drive for analysis, and the image verified against the original with a hash. No matter what the media, you never work with the original suspect storage if it is at all possible to avoid it.
optical media
From a forensic point of view, remember that some of these drives have a small physical switch that puts them in read-only (write-protect) mode. Use it whenever you are extracting data for investigation: if the drive is in read-only mode, it is unlikely you will accidentally alter the data. Most USB drives have no such switch, so a hardware write blocker between the drive and the examination workstation is the usual control, and hashing the acquired image remains the proof that nothing changed.
USB
Steganalysis is the process of analyzing a file or files for hidden content, for example a message embedded in an image or audio file by steganography.
A dead drop is a location where one person drops off an item and a second person picks it up.
info …
When a file is deleted on a FAT volume, the data is not actually removed from the drive. Instead, the first byte of the file's directory entry is overwritten with 0xE5 to mark the entry as free, and the FAT entries for the file's clusters are set to zero to mark those clusters as no longer in use; the cluster contents themselves are left untouched. If new information is later saved to the drive, it may be allocated to those clusters, overwriting the old contents. What this means from a forensic point of view is that the more recently a file was deleted, the more likely you will be able to recover it. Over time, it becomes more likely that its clusters have been reallocated and written over, possibly several times. Because of this, recovering a deleted file is not always an all-or-nothing procedure: it is common to recover only the portion of a file whose clusters are still unallocated.
info …
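The deletion mechanics described in the card above, as an added worked example (this is not code from the original page): a parser for 32-byte FAT 8.3 directory entries that recognises the 0xE5 deleted marker, plus a recovery routine that walks the file's clusters assuming they were contiguous (the FAT chain is gone once the entries are zeroed) and reports which clusters have since been reallocated to another file. The volume layout, cluster size and file contents are constructed for the example.

```python
import struct

# Hypothetical geometry for the constructed image: one 512-byte sector per cluster.
CLUSTER_SIZE = 512
ENTRY_SIZE = 32
DELETED_MARK = 0xE5        # first byte of a freed directory entry
END_OF_DIR = 0x00          # first byte 0x00: this and all following entries are unused
ATTR_LFN = 0x0F            # long-file-name entries are not files in their own right
FAT_FREE = 0
FAT_EOC = 0x0FFFFFFF       # end-of-chain marker on FAT32

# Short (8.3) directory entry, little-endian, 32 bytes:
# name(11) attr(1) ntres(1) crt_tenth(1) crt_time(2) crt_date(2) acc_date(2)
# clus_hi(2) wrt_time(2) wrt_date(2) clus_lo(2) size(4)
ENTRY_FMT = "<11sBBBHHHHHHHI"


def make_entry(name, ext, first_cluster, size, attr=0x20):
    """Build a constructed 8.3 entry; timestamps are left zero for brevity."""
    raw_name = name.ljust(8)[:8].encode() + ext.ljust(3)[:3].encode()
    return struct.pack(ENTRY_FMT, raw_name, attr, 0, 0, 0, 0, 0,
                       (first_cluster >> 16) & 0xFFFF, 0, 0,
                       first_cluster & 0xFFFF, size)


def mark_deleted(entry):
    """What FAT does on delete: only the first name byte becomes 0xE5.
    (Windows also zeroes clus_hi on FAT32; it is already zero here.)"""
    return bytes([DELETED_MARK]) + entry[1:]


def parse_directory(dir_bytes):
    """Return live and deleted 8.3 entries, stopping at the end-of-directory marker."""
    entries = []
    for off in range(0, len(dir_bytes), ENTRY_SIZE):
        raw = dir_bytes[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break
        (name, attr, _, _, _, _, _, clus_hi, _, _, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
        if attr == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED_MARK
        base = (b"?" if deleted else name[:1]) + name[1:8]   # first name char is lost on delete
        entries.append({
            "name": (base.rstrip() + b"." + name[8:].rstrip()).decode("ascii"),
            "deleted": deleted,
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
        })
    return entries


def recover_deleted(entry, fat, data, cluster_size=CLUSTER_SIZE):
    """Recover a deleted file assuming contiguous clusters. Clusters the FAT now
    shows as allocated belong to another file and are reported as lost."""
    recovered = bytearray()
    lost = []
    remaining = entry["size"]
    cluster = entry["first_cluster"]
    while remaining > 0:
        take = min(cluster_size, remaining)
        if fat[cluster] == FAT_FREE:
            start = (cluster - 2) * cluster_size      # data region begins at cluster 2
            recovered += data[start:start + take]
        else:
            lost.append(cluster)
        remaining -= take
        cluster += 1
    return bytes(recovered), lost


# Constructed volume: LIVE.TXT (cluster 2); OLD.LOG deleted (clusters 3-4);
# NEW.TXT written afterwards and allocated cluster 4, overwriting half of OLD.LOG.
LIVE_CONTENT = b"live file content\n"
OLD_CONTENT = b"2024-01-01 login ok\n" * 50           # 1000 bytes -> 2 clusters
NEW_CONTENT = b"new file that reused cluster 4\n"


def build_volume():
    directory = (make_entry("LIVE", "TXT", 2, len(LIVE_CONTENT))
                 + mark_deleted(make_entry("OLD", "LOG", 3, len(OLD_CONTENT)))
                 + make_entry("NEW", "TXT", 4, len(NEW_CONTENT))
                 + bytes(ENTRY_SIZE))
    # FAT[0..1] are reserved; cluster 3 was zeroed on delete, cluster 4 reallocated.
    fat = [0x0FFFFFF8, 0xFFFFFFFF, FAT_EOC, FAT_FREE, FAT_EOC]
    data = (LIVE_CONTENT.ljust(CLUSTER_SIZE, b"\0")
            + OLD_CONTENT[:CLUSTER_SIZE]
            + NEW_CONTENT.ljust(CLUSTER_SIZE, b"\0"))
    return directory, fat, data


def demo():
    directory, fat, data = build_volume()
    deleted = [e for e in parse_directory(directory) if e["deleted"]]
    return [(e["name"],) + recover_deleted(e, fat, data) for e in deleted]


if __name__ == "__main__":
    for name, blob, lost in demo():
        print(f"{name}: recovered {len(blob)} bytes, clusters overwritten: {lost}")
```

Running it recovers the first 512 bytes of the deleted log and reports cluster 4 as overwritten, which is exactly the partial-recovery outcome the card describes. On a real image the contiguity assumption fails for fragmented files, which is why carving by content is the fallback.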
The MFT describes every file on the volume, including file names, timestamps, security identifiers and file attributes such as read-only, compressed and encrypted. When a user deletes a file through Explorer it is first moved to the Recycle Bin, which is just a hidden folder on the same volume, so nothing is freed at that point. When the file is actually deleted, NTFS clears the in-use flag in the file's MFT record and marks the file's clusters as free in the $Bitmap metadata file; neither the MFT record nor the cluster contents are wiped, so both remain recoverable until they are reused.
NTFS
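The in-use flag mentioned above, as an added worked example (not code from the original page): a decoder for the 48-byte FILE record header at the start of every MFT record, and a scan that lists records whose header is intact but whose in-use bit is clear, i.e. deleted files whose metadata has not yet been reused. The record size and the sample records are constructed; on a real volume the record size comes from the boot sector and the records carry attributes after the header.

```python
import struct

MFT_RECORD_SIZE = 1024            # common default; read the real value from the boot sector
# FILE record header (NTFS 3.1 layout), little-endian, 48 bytes:
# magic(4) usa_off(2) usa_count(2) lsn(8) seq(2) links(2) attr_off(2) flags(2)
# used(4) alloc(4) base_ref(8) next_attr_id(2) pad(2) record_number(4)
HEADER_FMT = "<4sHHQHHHHIIQHHI"
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def parse_record(raw):
    """Decode a record header; None for never-allocated (zeroed) or BAAD records."""
    if raw[:4] != b"FILE":
        return None
    (_, _, _, lsn, seq, links, _, flags, used, _, _, _, _, number) = struct.unpack(HEADER_FMT, raw[:48])
    return {
        "record": number,
        "sequence": seq,            # changes when the record is reused, exposing stale references
        "in_use": bool(flags & FLAG_IN_USE),      # cleared when the file is deleted
        "directory": bool(flags & FLAG_DIRECTORY),
        "link_count": links,
        "used_bytes": used,
        "lsn": lsn,
    }


def find_deleted_records(mft):
    """Records with a valid FILE header whose in-use bit is clear: deleted files
    whose MFT metadata has not yet been overwritten by a new allocation."""
    out = []
    for off in range(0, len(mft), MFT_RECORD_SIZE):
        rec = parse_record(mft[off:off + MFT_RECORD_SIZE])
        if rec is not None and not rec["in_use"]:
            out.append(rec["record"])
    return out


def build_record(number, flags, sequence=1):
    """Constructed record: header only, attributes omitted; not from a real volume."""
    hdr = struct.pack(HEADER_FMT, b"FILE", 48, 3, 0, sequence, 1, 56, flags,
                      0x160, MFT_RECORD_SIZE, 0, 4, 0, number)
    return hdr.ljust(MFT_RECORD_SIZE, b"\0")


def build_mft():
    return (build_record(5, FLAG_IN_USE | FLAG_DIRECTORY)   # root directory
            + build_record(64, FLAG_IN_USE)                 # live file
            + build_record(65, 0, sequence=2)               # deleted file: in-use bit cleared
            + bytes(MFT_RECORD_SIZE))                       # never allocated, all zero


if __name__ == "__main__":
    print("deleted records:", find_deleted_records(build_mft()))
```

The scan returns record 65 only: the zeroed record is skipped because it never held a file, and records 5 and 64 are still in use. A full tool would go on to parse the $FILE_NAME and $DATA attributes of record 65 to recover the name and the cluster runs.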
Consistency checking involves scanning a disk’s logical structure and ensuring that it is consistent with its specification. For instance, in most file systems, a directory must have at least two entries: a dot (.) entry that points to itself and a dot-dot (..) entry that points to its parent. A file system repair program reads each directory to ensure that these entries exist and point to the correct directories. If they do not, the program displays an error message, and you can correct the problem. Both chkdsk and fsck work in this fashion.
info …
makes few assumptions about the state of the file system. Rather than trusting the existing metadata, the file system is rebuilt from scratch using knowledge of how an undamaged file system is structured: scan the drive of the affected computer, noting all file system structures and possible file boundaries, then match the results against the specification of a working file system.
Zero-knowledge analysis
is often used to recover data from a disk that has been damaged or from a file that is itself corrupt. Instead of relying on file system metadata, it searches the raw data of the entire disk or partition for the known headers and footers (signatures) of file types and extracts the bytes between them, so that a single file can be pulled out of the larger set of data even when no directory entry or allocation record points to it.
File Carving
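Signature-based carving as described in the card above, as an added worked example (not code from the original page): a scanner that locates known headers in a raw image, carves to the matching footer, and bounds the carve with a per-type maximum so that a header with no footer (a truncated or fragmented file) still yields a result flagged as incomplete. The signatures are the well-known JPEG, PNG and PDF magic values; the image itself is constructed from zero padding and minimal fake files.

```python
# Header, footer and a size ceiling per type. The ceiling keeps a header whose
# footer is missing from swallowing the rest of the image.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "pdf":  (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Scan raw bytes for known headers and carve to the nearest matching footer.
    Returns (type, offset, length, complete) tuples sorted by offset. No file
    system metadata is consulted, so this works on damaged or reformatted volumes."""
    found = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            foot = image.find(footer, pos + len(header), window_end)
            if foot != -1:
                length, complete = foot + len(footer) - pos, True
                resume = pos + length                 # skip the carved body
            else:
                length, complete = window_end - pos, False   # truncated carve
                resume = pos + len(header)            # the body may hide other headers
            found.append((kind, pos, length, complete))
            pos = image.find(header, resume)
    found.sort(key=lambda f: f[1])
    return found


def extract(image, carved):
    """Return the carved byte ranges keyed by (type, offset)."""
    return {(kind, off): image[off:off + length] for kind, off, length, _ in carved}


# Constructed image: zero padding standing in for unallocated space, three complete
# fake files, and a JPEG header at the very end whose footer was never written.
PAD = bytes(64)
JPEG = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
PDF = b"%PDF-1.7\n%constructed\n%%EOF"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"T" * 10


def build_image():
    return PAD + JPEG + PAD + PNG + PAD + PDF + PAD + TRUNCATED_JPEG


if __name__ == "__main__":
    img = build_image()
    for kind, off, length, complete in carve(img):
        print(f"{kind:5} @ {off:5} len {length:4} {'complete' if complete else 'TRUNCATED'}")
```

The three complete files come back byte-for-byte, and the trailing header is reported as a 14-byte truncated JPEG rather than being silently dropped or run to the end of a multi-megabyte window. Real carvers add per-format validation (for example parsing the PNG chunk lengths) because a bare footer match can land on a footer belonging to a different, interleaved file.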
Anonymous remailing is another attempt to throw tracing or tracking efforts off the trail. A suspect who uses anonymous remailing sends an email message to an anonymizer, an email server that strips the identifying information (the originating headers) from the message before forwarding it, so that the recipient sees only the remailer's IP address rather than the sender's.
info …