Exam 1 Flashcards
Bit
The smallest unit of measurement that a computer can interpret.
Also called a binary digit.
Binary
Being binary implies only two possible states: 0 or 1.
+5v or -5v
Yes or No
ASCII
American Standard Code for Information Interchange.
7 bits per character.
Allows for 128 character possibilities.
1968.
Extended ASCII
8 bits (1 byte) per character. Added another 128 for a total of 256 characters.
Byte
Collection of 8 bits; in ASCII-based encodings one byte represents a single character.
Digital Forensics
The science of locating, extracting, and analyzing digital evidence in legal matters.
FBI CART
FBI Computer Analysis and Response Team.
Circa 1984.
Personal computers were not yet widespread; early work involved larger mainframe-type systems.
Fourth Amendment
Search warrants are needed to search digital devices.
Requires probable cause that a crime has occurred and that evidence is still present on the device.
Police can no longer search a phone incident to arrest without a warrant (Riley v. California, 2014).
The Fourth Amendment restricts only government searches; it does not bind corporate or private investigators.
Sub-Disciplines
Growing in number. Computer Forensics. Network Forensics. Data Recovery. Disaster Recovery.
Network Forensics
Enterprise network environment.
Vulnerability assessment and risk management group.
IACIS
International Association of Computer Investigative Specialists.
Formed by police officers who wanted to formalize credentials in computing investigations.
Formed in the early 1990s.
Understanding Case Law
Technology evolves at an exponential rate.
Case law used when statutes or regulations don’t exist.
Many of the applicable laws were developed in the 1970s.
Computer Investigation Types
Public investigations.
Private or corporate investigations.
Public Investigations
Law enforcement.
Performed by commissioned (armed) officers.
Moving toward more civilian investigators.
Private Investigations
No fourth amendment restrictions.
Mostly internal with corporations.
Often have tools for own needs.
Can still involve legal-type aspects.
Everything from harassment to falsifying data.
Can lead to criminal charges.
Handles evidence similar to law enforcement so that if it becomes criminal it can be handed over to police or court.
Professional Conduct in Corporate Investigations
Maintain objectivity by forming and sustaining unbiased opinions of case.
Keep cases confidential.
A case may become criminal if a serious crime such as murder is involved (rare).
Professional conduct to maintain credibility.
Digital Forensics Examiner
Must know more than one computing platform.
Corporate Investigation Guidelines
Display warning banners to remind visitors and employees of policies.
Establish company policies.
Define and limit number of authorized requesters who can start investigation.
Silver-platter Doctrine
When private investigations hand evidence over to law enforcement because of indications of criminal activity.
Computer Forensics Lab
Conduct investigations.
Store evidence.
House equipment, hardware, and software.
ASCLD
American Society of Crime Laboratory Directors. Gives guidelines for: Managing a lab. Acquiring an official certification. Auditing lab functions and procedures.
Lab Manager Duties: Administrative
Enforce ethical standards among lab staff members.
Create and monitor lab policies for staff.
Promote group consensus in decision making.
Set reasonable production schedules.
Lab Manager Duties: Lab
Plan updates for lab.
Maintain fiscal responsibility for lab needs.
Provide safe and secure workplace for staff and evidence.
Lab Manager Duties: Processes
Set up processes for managing cases.
Establish and promote quality-assurance processes.
Estimate when to expect preliminary and final results.
Estimate how many cases an investigator can handle.
Lab Staff Member Duties
Hardware and software. OS and file types. Technical training. Deductive reasoning. Investigative skills.
Lab Budget Training
Break costs down into daily/quarterly/annual expenses.
Use past investigation expenses to extrapolate expected future costs.
Lab Expenses
Hardware.
Software.
Facility space.
Trained personnel.
Lab Budget Planning
Estimate number of cases lab expects to examine.
Identify types of computers you’re likely to examine.
Account for changes in technology.
Use statistics to determine which computer crimes are most likely to occur.
Acquiring Certification and Training
Update skills through appropriate training.
CEECS
Certified Electronic Evidence Collection Specialist.
CFCE
Certified Forensic Computer Examiner.
HTCN
High-Tech Crime Network.
Certified Computer Crime Investigator, basic and advanced level.
Certified Computer Forensic Technician, basic and advanced level.
EnCE
EnCase Certified Examiner Certification.
ACE
AccessData Certified Examiner Certification.
HTCIA
High Technology Crime Investigation Association.
SANS
SysAdmin, Audit, Network, Security Institute
NTI
NewTechnologies, Inc.
FLETC
Federal Law Enforcement Training Center
NW3C
National White Collar Crime Center
Physical Requirements for a Computer Forensics Lab
Secure so that evidence is not lost, corrupted, or destroyed.
Safe and secure physical environment.
Keep inventory control of assets.
Know when to reorder supplies.
Lab Security Needs: General
Secure to preserve integrity of evidence data.
People working together should have same access level.
Staff briefed about security policy.
Lab Security Needs: General Minimum Requirements
Small room with true floor-to-ceiling walls.
Door access with locking mechanism.
Secure containers.
Visitor’s log.
Conducting High-Risk Investigations
These demand more security than the minimum requirements.
TEMPEST facilities, shielded against electromagnetic radiation (EMR) emanations, are very expensive.
Low-emanation workstations can be used instead.
Using Evidence Containers
slide 6.2-7.1
Overseeing Facility Maintenance
slide 7.2
Physical Security Needs
slide 7.3
Auditing a Computer Forensics Lab
slide 8.1
Computer Forensic Lab Floorplans
slide 8.2-9.1
Selecting a Basic Forensic Workstation
slide 9.2
Workstations for Police Labs
slide 9.3
Workstations for Private/Corporate Labs
slide 10.1
Stocking Hardware Peripherals
slide 10.2
Maintaining Operating Systems and Software Inventories
slide 10.3
Using a Disaster Recovery Plan
slide 11.1
Planning Equipment Upgrades
slide 11.2
Using Laptop Forensic Workstations
slide 11.3
Lab Summary Points
slide 12.1-2
Expanded Bits
Every time you add a bit, you expand the possibilities by a factor of 2.
1 Byte Conversion Table
128 - 64 - 32 - 16 - 8 - 4 - 2 - 1
Byte to Decimal Conversion
Add the corresponding bit values (128, 64…2,1).
Hexadecimal
Base-16 counting system. Each hex digit represents 4 bits (one nibble), so one byte (8 bits) is written as two hex digits (e.g. 4F).
Decimal
Base-10 counting system.
Nibble
Half a byte (4 bits).
Hexadecimal to Decimal
Each digit position is a power of 16 (16^0, 16^1, 16^2, …): multiply each digit by its place value and add, e.g. 4F = 4*16 + 15 = 79. Do we need to know this??
Unicode
Commonly stored as UTF-16: 2 bytes (16 bits) per code unit, which gives 2^16 = 65,536 possible values; characters outside that range take 4 bytes (a surrogate pair). Can accommodate the scripts of many different languages. Currently used in Windows, Macintosh, and Office.
Reading Multiple Bytes
Some values require multiple bytes for a given value.
A Windows date and time (FILETIME) requires 8 bytes.
Big Endian
Read left to right, as written.
Most significant byte is stored first (at the lowest address).
Motorola systems, older Macintosh; also the byte order used on the network.
Little Endian
Read right to left to get the value as written.
Least significant byte is stored first (at the lowest address).
Intel x86-based systems, and therefore most Windows on-disk structures.
Byte Groups: Words
1 byte: BYTE.
2 bytes: WORD.
4 bytes: DWORD (double word).
8 bytes: QWORD (quad word).
Byte Groups: Numbers
1 byte: BYTE.
2 bytes: SHORT.
4 bytes: INT.
4 bytes: LONG (on Windows; 8 bytes on 64-bit Linux/macOS).
Byte Groups: Integers
Numbers can be expressed as positive or negative (signed integers).
Numbers with only positive values (unsigned integers).
Sign is determined by the left-most (most significant) bit.
0 indicates a positive integer, 1 indicates a negative one (two's complement representation).
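The cards above (the 1-byte conversion table, hex digits as nibbles, big and little endian, signed vs. unsigned, and the 8-byte Windows date) all describe the same job: turning raw bytes into a number. This added example (not from the flashcards or the course) does that by hand so the weighting is visible, then decodes a Windows FILETIME; the sample bytes and the FILETIME value are constructed.

```python
# Added example, not from the flashcards: how an examiner turns raw bytes into
# numbers. The bit-weight table, endianness, signed/unsigned interpretation and
# the 8-byte Windows FILETIME are the cards' topics; the sample bytes are constructed.
from datetime import datetime, timedelta, timezone

BIT_WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)      # the 1-byte conversion table
WIDTH_NAMES = {1: "BYTE", 2: "WORD", 4: "DWORD", 8: "QWORD"}


def byte_to_decimal(bits: str) -> int:
    """Add the weights of the 1-bits: '01001111' -> 64+8+4+2+1 = 79 (hex 4F)."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 8 binary digits")
    return sum(w for w, b in zip(BIT_WEIGHTS, bits) if b == "1")


def nibbles(value: int) -> tuple:
    """Split a byte into high and low nibble; each nibble is one hex digit (4F -> 4, F)."""
    return (value >> 4) & 0xF, value & 0xF


def bytes_to_int(data: bytes, byteorder: str, signed: bool = False) -> int:
    """Same idea as the bit table, in base 256: the first byte read gets the biggest weight.

    byteorder="big":    first byte in memory is the most significant (Motorola).
    byteorder="little": first byte in memory is the least significant (Intel).
    """
    if byteorder not in ("big", "little"):
        raise ValueError("byteorder must be 'big' or 'little'")
    ordered = data if byteorder == "big" else data[::-1]
    value = 0
    for b in ordered:
        value = value * 256 + b
    if signed and ordered[0] & 0x80:          # left-most bit set -> negative
        value -= 1 << (8 * len(data))          # two's complement wrap-around
    return value


def interpret(data: bytes) -> dict:
    """All four readings of one byte group, the way a hex editor's data inspector shows them."""
    return {
        "width": WIDTH_NAMES.get(len(data), f"{len(data)} bytes"),
        "hex": data.hex().upper(),
        "big_unsigned": bytes_to_int(data, "big"),
        "big_signed": bytes_to_int(data, "big", signed=True),
        "little_unsigned": bytes_to_int(data, "little"),
        "little_signed": bytes_to_int(data, "little", signed=True),
    }


# Windows FILETIME: 8-byte little-endian count of 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    ticks = bytes_to_int(raw, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


if __name__ == "__main__":
    print(byte_to_decimal("01001111"), nibbles(0x4F))
    print(interpret(bytes.fromhex("FFFE")))          # same bytes, four different numbers
    # constructed FILETIME as it sits on disk: least significant byte first
    print(filetime_to_datetime(bytes.fromhex("00406D25EB53BF01")))
```

The bytes FF FE show why the interpretation matters: read big-endian they are 65534 (or -2 signed), read little-endian they are 65279 (or -257). The FILETIME bytes 00 40 6D 25 EB 53 BF 01 decode to 2000-01-01 00:00:00 UTC only when read least-significant-byte first.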
Encryption
The process of obfuscating data through some encoding method or mathematical formula.
This can be done at the bit, nibble, or byte level. The simple methods below hide data from casual viewing but are not cryptographic-strength encryption.
Bit Shifting
The process of shifting the bits in a byte left or right; a plain shift loses the bits pushed out of the byte, a rotate wraps them around to the other end.
Nibble Swapping
Switches two nibbles within a byte.
Bit Xoring
XOR each data bit with the corresponding key bit (addition modulo 2): 0 + 0 = 0, 1 + 1 = 0, 1 + 0 = 1. XORing again with the same key restores the original.
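The three methods on the cards above, implemented together with their inverses, as an added example (not from the flashcards or the course). It also shows why a repeating XOR key gives no real protection: a few bytes of known plaintext reveal the key. The message and key are constructed.

```python
# Added example, not from the flashcards: the three byte-level obfuscation
# methods on the cards (bit shifting, nibble swapping, XOR with a key), each
# with its inverse, plus the known-plaintext attack that recovers a repeating
# XOR key. The message and key are constructed.

def shift_left(byte: int, n: int) -> int:
    """Plain logical shift: bits pushed past bit 7 are lost, so this is NOT reversible."""
    return (byte << n) & 0xFF


def rotate_left(byte: int, n: int) -> int:
    """Circular shift: bits leaving bit 7 re-enter at bit 0; reversible by rotating back."""
    n %= 8
    return ((byte << n) | (byte >> (8 - n))) & 0xFF


def rotate_right(byte: int, n: int) -> int:
    return rotate_left(byte, (8 - n % 8) % 8)


def nibble_swap(byte: int) -> int:
    """Exchange the high and low nibble: 4F -> F4. Applying it twice restores the byte."""
    return ((byte & 0x0F) << 4) | ((byte >> 4) & 0x0F)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every data byte with the key byte at the same position; the key repeats.
    XOR is addition modulo 2 per bit (1+1=0), so the same call decodes again."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(data: bytes, key: bytes, rot: int = 3) -> bytes:
    """Rotate, nibble-swap, then XOR: layered scrambling of the kind seen in simple droppers."""
    rotated = bytes(rotate_left(b, rot) for b in data)
    swapped = bytes(nibble_swap(b) for b in rotated)
    return xor_bytes(swapped, key)


def deobfuscate(data: bytes, key: bytes, rot: int = 3) -> bytes:
    """Undo obfuscate(): XOR, un-swap, then rotate back, in reverse order."""
    swapped = xor_bytes(data, key)
    rotated = bytes(nibble_swap(b) for b in swapped)
    return bytes(rotate_right(b, rot) for b in rotated)


def recover_xor_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext weakness: plain XOR cipher = key, so key_len known bytes reveal the key."""
    if len(plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len known bytes")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


if __name__ == "__main__":
    msg = b"Transfer $5000 to account 12345"          # constructed sample
    key = b"\x5a\xa5\x3c"
    scrambled = obfuscate(msg, key)
    print(scrambled.hex())
    print(deobfuscate(scrambled, key))
    # the XOR layer alone is trivially broken once key_len plaintext bytes are known
    print(recover_xor_key(msg, xor_bytes(msg, key), len(key)))
```

Note the difference between shift_left and rotate_left on 9E: the shift drops the top bit and yields 3C, which cannot be undone, while the rotate yields 3D and rotating right restores 9E. An examiner who finds scrambled data should try these reversible transforms (and a key guess from a known header such as MZ or %PDF) before assuming real encryption.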
Hex Editors
HxD.
WinHex.
Diskedit.
Offset
Number of bytes from a designated point.
Beginning of file, sector, drive, record, attribute.
File Extensions
Use (usually three-letter) extensions to help identify the file type.
(doc, exe, jpg, pdf, txt, etc.)
Changing the extension can prevent a file from opening in its associated application, but it does not change the file's contents or its header.
File Headers
In many file types, the first few bytes of data contain specific values that indicate file type.
If changed, file cannot be viewed properly.
Also known as Signatures or Magic Numbers.
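Because the extension is just a name while the header is part of the content, examiners identify files by signature and treat an extension that disagrees with the header as a lead. The check below is an added example (not from the flashcards or the course); the signature table covers a few common formats and the sample files are constructed in memory.

```python
# Added example, not from the flashcards: identify files by their header bytes
# ("magic numbers") and flag any whose extension disagrees with the signature,
# the check an examiner runs because renaming a file never changes its header.
# The signature table covers common formats; the sample files are constructed.
import os
from typing import Optional

# (magic bytes at offset 0, type name)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpg"),
    (b"\x89PNG\r\n\x1A\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                              # also docx/xlsx/pptx/jar/apk
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),       # legacy doc/xls/ppt/msg
    (b"MZ", "exe"),                                      # DOS/Windows PE (exe, dll, sys, scr)
    (b"\x7FELF", "elf"),
]

# extensions that legitimately carry each container signature
EXPECTED_EXTENSIONS = {
    "jpg": {"jpg", "jpeg"},
    "png": {"png"},
    "gif": {"gif"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "ole2": {"doc", "xls", "ppt", "msg"},
    "exe": {"exe", "dll", "sys", "scr", "cpl"},
    "elf": {"elf", "so", ""},          # Linux binaries usually have no extension
}


def identify(header: bytes) -> Optional[str]:
    """Return the signature type of the first bytes, or None if no table entry matches."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def check_file(name: str, header: bytes) -> dict:
    """Compare what the extension claims with what the header says."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    kind = identify(header)
    if kind is None:
        status = "unknown signature"
    elif ext in EXPECTED_EXTENSIONS[kind]:
        status = "ok"
    else:
        status = "mismatch"                # e.g. an executable renamed to .pdf
    return {"name": name, "extension": ext, "signature": kind, "status": status}


def triage(files: dict) -> list:
    """Run check_file over {name: first_bytes} and return only the suspicious ones."""
    return [r for r in (check_file(n, h) for n, h in files.items()) if r["status"] != "ok"]


# Constructed sample "files": only the first bytes matter for this check.
SAMPLE_FILES = {
    "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "invoice.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "quarterly.pdf": b"MZ\x90\x00\x03\x00\x00\x00",      # executable hiding behind .pdf
    "readme.txt": b"Plain text has no magic number\n",
    "holiday.scr": b"%PDF-1.7\n%\xE2\xE3\xCF\xD3",       # PDF renamed to a screensaver
}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES):
        print(row)
```

Plain text, CSV and similar formats have no magic number, so "unknown signature" is a normal result that needs content inspection rather than a finding in itself. Real tools use much larger signature tables (and some signatures sit at offsets other than 0), but the logic is the same.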
File Type Viewers
Instead of using native application to view files, it’s often easier to use a file viewer.
Quickview Plus, Keyview Pro, Diskjockey 2000.
Graphic Viewers
slide 15.1
Hash Value
Value is expressed in hexadecimal and is calculated based on the content of the item examined.
Digital fingerprint of a particular file at a particular time.
Any change to the content changes the value.
Hashing Algorithms
MD5.
SHA-1.
CRC.
MD5
Hashing algorithm. Commonly used in forensics. Typically expressed as a hex number. 128 bits (16 bytes, a 32-digit hex number) long. Two inputs producing the same value by chance is roughly a 1 in 2^128 event, but deliberate collisions can now be constructed, so MD5 is no longer collision resistant.
SHA-1
Hashing algorithm.
Commonly used in forensics.
160 bits (20 bytes) long.
Weaknesses make it unfit for cryptographic use.
Hashable Data
Text string (group of words).
Files, data region, sectors.
Volumes and physical drives.
Authentication and Verification of Files
Use hash values to see if they are in fact the same file or not.
Hashing
One way process.
Cannot create file from hash.
Get hash from input.
Hash Values in Forensics
Identification. Verification. Authentication/Validation. Value matching for file exclusion. Value matching for file flagging.
Hash Input
Arbitrary block of data.
Any given data object (file, sector, cluster, volume, media device, application, text block, etc.)
Individual bytes, hex values, or also text.
Hash Output
Regardless of the size of the input object, the result is a fixed-length hexadecimal value.
Hexadecimal digest is mapped to its input object.
CRC
Cyclic Redundancy Check. A checksum rather than a cryptographic hash: developed to detect accidental data corruption, especially during transmission. Used for sector checking (good or bad) and to make sure programs are not corrupted.
Checksum vs. CRC
16,32,64-bit variations.
Commonly used to ensure data integrity.
Detection of unwanted change in programs or data strings.
Verification of sterilization (that media has been wiped).
CRC in Forensics
Old and weak: a CRC detects accidental corruption but can be matched deliberately, so it cannot prove authenticity.
Not used anymore except for wipe verification using Checksum64 (similar in concept to CRC).
Forensic Hash Verification
Show data has not been altered.
Renaming file (without altering contents) does not change hash value of file.
Verify no changes made during imaging.
Verify zero-wipe (Checksum64).
Forensic Hash Authentication/Validation
Validate data received from opposing expert was not corrupted.
Validate copied image file.
Under proper circumstances can authenticate that restored image to another HD is exact copy of original HD.
Hash File Exclusion
Exclude authentic system files from exam.
Exclude known software files from exam.
Greatly reduces number of files being examined.
Increases speed of exam.
Also called “negative hashing” or “De-NISTing”.
Hash File Flagging
Hash list of known files can be compiled and matched against files found on image.
Watermarking files
Hash Set
List or database of common hash values.
Files you seek to eliminate from exam.
Files of interest to identify.
Investigators sometimes share hash values to link subjects to crimes in other jurisdictions.
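The hash operations the cards above describe, as one added example (not from the flashcards or the course): fixed-length digests of byte blocks and files, a CRC-32 checksum for contrast, the rename test from the verification card, a zero-wipe check, and matching an image's files against a known-good (exclusion) and known-bad (flagging) hash set. The files, paths and hash sets are constructed; a real exclusion set would come from NSRL or a case-specific list.

```python
# Added example, not from the flashcards: the hash operations the cards list,
# computing MD5/SHA-1/SHA-256 of files and byte blocks, a CRC-32 checksum,
# showing that renaming a file leaves its hash unchanged, verifying a
# zero-wipe, and matching an image's files against known-good (exclude) and
# known-bad (flag) hash sets. Files, paths and hash sets are constructed.
import hashlib
import os
import tempfile
import zlib


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Fixed-length hex digest regardless of input size (md5: 32 hex digits, sha1: 40, sha256: 64)."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash a file of any size in chunks, so even a whole disk image fits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def crc32_hex(data: bytes) -> str:
    """CRC-32: a checksum for accidental corruption, not a cryptographic hash."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def verify_zero_wipe(path: str, chunk: int = 1 << 20) -> bool:
    """A wiped region must hash like an all-zero block of the same length, chunk by chunk."""
    zero_digest = hash_bytes(bytes(chunk))
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            expected = zero_digest if len(block) == chunk else hash_bytes(bytes(len(block)))
            if hash_bytes(block) != expected:
                return False
    return True


def zero_wipe_result(data: bytes) -> bool:
    """Write data to a scratch file and run verify_zero_wipe on it (demo helper)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        return verify_zero_wipe(path)
    finally:
        os.remove(path)


def rename_keeps_hash(content: bytes) -> bool:
    """Renaming changes only the directory entry, not the content, so the hash is unchanged."""
    with tempfile.TemporaryDirectory() as d:
        old, new = os.path.join(d, "evidence.doc"), os.path.join(d, "evidence.jpg")
        with open(old, "wb") as f:
            f.write(content)
        before = hash_file(old)
        os.rename(old, new)
        return before == hash_file(new)


def classify(image_files: dict, known_good: set, known_bad: set) -> dict:
    """image_files maps path -> sha256. Known-bad matches are flagged, known-good matches
    are excluded ("de-NISTed"), and everything else is left for manual review."""
    result = {"excluded": [], "flagged": [], "review": []}
    for path, digest in image_files.items():
        if digest in known_bad:
            result["flagged"].append(path)
        elif digest in known_good:
            result["excluded"].append(path)
        else:
            result["review"].append(path)
    return result


# Constructed sample: the hash sets would normally come from NSRL or a case-specific list.
KNOWN_GOOD = {hash_bytes(b"MZ\x90\x00 notepad.exe from a clean install")}
KNOWN_BAD = {hash_bytes(b"contraband image bytes")}
IMAGE_FILES = {
    r"C:\Windows\notepad.exe": hash_bytes(b"MZ\x90\x00 notepad.exe from a clean install"),
    r"C:\Users\bob\Pictures\IMG_0042.jpg": hash_bytes(b"contraband image bytes"),
    r"C:\Users\bob\Documents\memo.docx": hash_bytes(b"quarterly memo"),
}

if __name__ == "__main__":
    print(hash_bytes(b"", "md5"), crc32_hex(b"123456789"))
    print(rename_keeps_hash(b"same bytes, different name"))
    print(classify(IMAGE_FILES, KNOWN_GOOD, KNOWN_BAD))
```

Known-bad is checked before known-good so a file that somehow appears in both sets is never silently excluded. When reporting, record which algorithm produced each value; because MD5 and SHA-1 collisions can be constructed, matching on SHA-256 (or on two algorithms at once) removes that line of cross-examination.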
Hash “Collisions”
Chinese researchers (Wang et al., 2004) "broke" MD5 by producing two different files with the same hash value.
The collision was constructed with differential cryptanalysis, not by trial and error.
May be questioned about this in court.
Enough to make the community move to SHA-1, and later (after SHA-1 collisions were demonstrated in 2017) to SHA-256.
Hash Value Mismatches: Software
Same data, different results.
Some programs that create image files add data to files.
Bad memory.
Carving functions of different programs may differ (logical file size vs. physical size).
Hash Value Mismatches: Hardware
Same data, different results.
Read errors on data media, bad sectors.
Different utilities may read bad sectors differently.
First hash done on device, second on volume level.
SSD
Solid State Drives (widely available from about 2007). Contain no moving parts. Speed up access to data. Use less battery power. Built-in storage efficiency and intelligence (a controller that manages the flash).
SSD Garbage Collection
Relocation of data on the drive so that space for deleted files can be erased for re-use.
Broken into “blocks”.
SSD Garbage Collection: Blocks
Each block contains smaller “pages”.
Data written to pages but only an entire block can be deleted.
If a block still holds only a few valid pages, the controller copies them elsewhere so that the whole block can be erased.
SSD Wear-Leveling
SSD blocks have a life-cycle for write/erase.
3,000-10,000 cycles.
Controller moves data from a more used block to lesser used block.
Done to ensure uniform “wearing” of the drive.
SSD Feature Problems
Garbage collection and wear-leveling.
Independent of the OS the drive is used on.
Known to activate while the SSD is in use, when it is idle, or a few minutes after power-on.
SSD Forensic Problems
These features live on the drive's controller, so connecting the SSD to a write blocker does NOT stop them: the blocker prevents writes from the host, not the controller's own garbage collection and wear-leveling.
It is therefore very possible to get hash mismatches between two acquisitions even after properly write-blocking the drive.
Need to be aware of issues and be able to explain them.
Hardware
The physical parts of a computer system.
Software
Instructions for the computer.
Electro Static Discharge
Human body can build up a charge in the range of 25,000 volts.
Data stored as pos/neg .05 volts, as 1’s and 0’s on the drive.
System Ports
SCSI: Small Computer System Interface.
NTSC video.
Firewire.
Motherboard
Main printed circuit board.
Securely mounted inside case.
Components are often embedded (soldered on) in laptops.
Contains several buses, ports, and sockets.
CPU
Central Processing Unit.
Located in a socket on the motherboard, usually covered by a heat sink.
ZIF (Zero Insertion Force) socket.
CMOS
Complementary Metal Oxide Semiconductor.
Battery on motherboard.
Maintains system date, time, boot sequence, diagnostic information.
Most susceptible component to Electro Static Discharge.
BIOS
Basic Input Output System.
POST (Power On Self Test).
Instructions held in ROM.
May be password protected.
Memory
ROM.
RAM.
ROM
Read-Only Memory.
Permanently stored instructions.
RAM
Random Access Memory. Group of memory chips. Dynamic RAM (DRAM).
Bus
slide 13.2-3
Expansion Board
slide 14.1-3
Hard Disk Drives
HDD.
Store operating system (OS), programs, files.
Controllers are part of drive (IDE, SATA, etc).
IDE
Integrated Drive Electronics.
Each IDE bus is a channel on which two devices can be installed (master and slave).
Primary and Secondary.
40-pin ribbon cable.
Officially known as the ATA (AT Attachment) specification.
SATA
Serial Advanced Technology Attachment.
Serial ATA cable.
HDD Encoding Methods and Interfaces.
IDE.
EIDE.
SATA.
SSD.
EIDE
Enhanced Integrated Drive Electronics.
HDD Interfaces
Older motherboards normally had at least two IDE/EIDE buses; current boards use SATA and NVMe (M.2) connections instead.
Platter
Drives usually have more than one.
Each is referenced by top and bottom sides or heads.
Each side is broken into concentric circles called tracks.
Usually numbered starting with 0.
Tracks
The concentric circles on a platter.
Numbered starting with 0.
Broken into sectors.
Cylinder
The group of identically numbered tracks across all platters.
Numbered starting with 0.
Sectors
Section of a track.
Numbered starting with 1 in CHS addressing (LBA numbers sectors from 0).
Each sector is traditionally 512 bytes in DOS/Windows systems; newer "Advanced Format" drives use 4096-byte sectors.
A partly used sector leaves slack space, so lots of space is wasted by small files.
Hard Drive Structure
Number of tracks or head may vary depending on size of drive.
CHS
Cylinder Head Sector.
3D coordinate for data.
First identify Head, then cylinder, then sector (although not written that way!).
Can be used to calculate drive capacity.
Calculating Drive Size
Cylinders * Heads * Sectors per Track * 512 bytes per sector.
Usually assume that the number of sectors per track is constant.
Drives report a legacy geometry of 63 sectors per track (and 255 heads) for CHS translation.
Formatting
Current drives use zone bit recording (more sectors on the outer tracks), so the constant sectors-per-track geometry is only a logical translation.
LBA
Logical Block Addressing.
Addresses sectors linearly (0, 1, 2, …); the drive maps each LBA to its physical location, and legacy CHS values are translated to and from LBA for the operating system.
MBR
Master Boot Record.
Occupies the first sector of the drive; the rest of the first track is traditionally left unused.
First 446 bytes of the MBR contain the boot code (with the disk signature at offset 440).
Followed by the 64-byte partition table and the 2-byte signature 55 AA.
Gives info about the partitions (location, size, type, etc).
Boot Code
First 446 bytes of MBR.
Code varies depending on OS.
At offset 440 there is a 32-bit value called the Disk Signature.
Partition Table
Allows for four 16-byte entries (64 bytes, at offset 446).
Last two bytes of the sector are hex values 55 AA.
MBR Partition Table Entries
slide 15.1
Boot Indicator
Only one partition can be marked as bootable.
00 non -bootable.
80 bootable.
MBR in Forensics
First track reserved for the MBR, but it only uses one sector, so the rest of the track is unused space where data can be hidden; check it.
Primary vs. Extended Partitions
Primary partitions can be bootable.
Extended partitions cannot.
Extended Partitions
There can only be one extended partition.
Extended partitions can be split into multiple logical drives/volumes.
A partition table exists in the first sector of each logical volume.
No boot code will be present and at most only two entries will be used.
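The MBR layout, the partition table entries, the boot indicator and the CHS/LBA arithmetic from the cards above, carried through as one added example (not from the flashcards or the course): it builds a 512-byte MBR in memory and then parses it the way a forensic tool does. The partition layout, the disk signature value and the legacy geometry (255 heads, 63 sectors per track) are constructed; parse_partition_table also applies to the extended boot record in the first sector of each logical volume, since that record uses the same 64-byte table.

```python
# Added example, not from the flashcards: build a 512-byte MBR in memory and
# parse it the way a forensic tool does (boot code, disk signature at offset
# 440, the four 16-byte partition entries, the 55 AA signature), together
# with the CHS/LBA arithmetic from the cards. The partition layout, disk
# signature and geometry (255 heads, 63 sectors per track) are constructed.
import struct

SECTOR = 512
HEADS, SPT = 255, 63                 # legacy CHS translation geometry
PARTITION_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
                   0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x83: "Linux", 0xEE: "GPT protective"}


def chs_to_lba(c: int, h: int, s: int) -> int:
    """LBA counts sectors linearly from 0; CHS sectors start at 1, hence the s - 1."""
    return (c * HEADS + h) * SPT + (s - 1)


def lba_to_chs(lba: int) -> tuple:
    c, rem = divmod(lba, HEADS * SPT)
    h, s = divmod(rem, SPT)
    return c, h, s + 1


def drive_size_bytes(cylinders: int, heads: int = HEADS, spt: int = SPT) -> int:
    """Cylinders * Heads * Sectors per Track * 512 bytes per sector."""
    return cylinders * heads * spt * SECTOR


def pack_chs(c: int, h: int, s: int) -> bytes:
    """3-byte on-disk form: head; sector (6 bits) + cylinder bits 8-9; cylinder low 8 bits."""
    if not (0 <= c < 1024 and 0 <= h < 256 and 1 <= s < 64):
        raise ValueError("CHS value does not fit the 3-byte field")
    return bytes([h, (s & 0x3F) | ((c >> 8) << 6), c & 0xFF])


def unpack_chs(raw: bytes) -> tuple:
    h, b1, b2 = raw
    return ((b1 & 0xC0) << 2) | b2, h, b1 & 0x3F


def build_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    last = lba_start + sectors - 1
    return (bytes([0x80 if bootable else 0x00]) + pack_chs(*lba_to_chs(lba_start))
            + bytes([ptype]) + pack_chs(*lba_to_chs(last)) + struct.pack("<II", lba_start, sectors))


def build_mbr(entries: list, disk_signature: int) -> bytes:
    """Boot code (446 bytes, with the 32-bit disk signature at offset 440), 4 entries, 55 AA."""
    boot_code = b"\xFA\x33\xC0" + bytes(437)                   # placeholder code, padded
    tail = struct.pack("<IH", disk_signature, 0)               # signature + 2 reserved bytes
    table = b"".join(entries) + bytes(16) * (4 - len(entries))
    mbr = boot_code + tail + table + b"\x55\xAA"
    assert len(mbr) == SECTOR
    return mbr


def parse_partition_table(sector: bytes) -> list:
    """Works for the MBR and for the extended boot record in each logical volume's first sector."""
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        flag, ptype = raw[0], raw[4]
        lba_start, sectors = struct.unpack("<II", raw[8:16])
        if ptype == 0 and sectors == 0:
            continue                                           # unused slot
        entries.append({
            "index": i,
            "bootable": flag == 0x80,
            "boot_flag_valid": flag in (0x00, 0x80),
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "chs_start": unpack_chs(raw[1:4]),
            "chs_end": unpack_chs(raw[5:8]),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR,
        })
    return entries


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = parse_partition_table(sector)
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_code": sector[:440],
        "entries": entries,
        "bootable_count": sum(e["bootable"] for e in entries),   # must be 0 or 1
    }


# Constructed sample disk: a bootable NTFS primary partition and one extended partition.
SAMPLE_MBR = build_mbr(
    [build_entry(True, 0x07, 2048, 204800), build_entry(False, 0x05, 206848, 409600)],
    disk_signature=0xA1B2C3D4,
)

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print(f"disk signature {info['disk_signature']:08X}, 55AA ok: {info['signature_ok']}")
    for e in info["entries"]:
        print(e)
    print(chs_to_lba(*lba_to_chs(2048)), drive_size_bytes(1024))
```

Things to check on a real MBR that this parser exposes: a missing 55 AA, more than one entry marked 80, a boot flag that is neither 00 nor 80, an entry whose CHS start disagrees with its LBA start, and a type 05/0F entry whose first sector should contain an extended boot record with no boot code and at most two used entries. Partitions beyond cylinder 1023 cannot be expressed in the 3-byte CHS field; real tables clamp those values, so the LBA fields are the ones to trust.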