Week 3

Question 1

Data Encoding Schemas

Answer 1

How is data stored?

Question 2

Binary

Answer 2

0s, 1s, base-2

Question 3

8 binary digits

Answer 3

1 byte/character

Question 4

hexadecimal

Answer 4

base 16 representation of a character

Question 5

ASCII

Answer 5

American Standard Code for Information Interchange

• limited to 256 character codes

Question 6

What does formatting a drive do? (3)

Answer 6

Makes partitions. Partitions organize the disk space into different sections with different purposes.

• installs a file table. A file table is a catalog keeping track of where different files are stored on the drive.

-erases the “pointers” to the data on the drive, but the data itself is not erased.

Question 7

Partitioning Physical Disk

Answer 7

Partition 1- Reserved
2- Data
3- Recovery

Question 8

Unallocated space

Answer 8

is not part of partitions, Recycled/deleted goes here.
hard to make cases w/ data in unallocated space

Question 9

FAT

Answer 9

File Allocation Table

• traces lifespan of files in data storage medium
• when was file created, modified
• some, but not all, varieties of FAT can track ownership, deletion
• data is stored in sectors and then clusters
• these can have many redundancies
• limited in ability to track metadata

Question 10

NTFS

Answer 10

New Technology File System

• tracks life span of file
• higher degree of detail in tracking files
• flexibility for growth
• lots of file organization available

Question 11

Data Acquisition

Answer 11

• should be forensically sound
• defensible
  -repeatable
• make copy of original

Question 12

Physical

Answer 12

• bit by bit, bitstream
• all data, undeleted, deleted, unallocated space, entire OS
• gets more metadata
• slower, more expensive, takes more physical, digital space

Question 13

Logical

Answer 13

just user files, folders
slack space - space in bwtn clusters of stored logical data where other data existed

usually no deleted/unallocated space

usually quicker, cheaper, less space

Question 14

Metadata

Answer 14

“data about data”
-info about file
- ownership, authorship
- file names, dates, times, size, mod, location,

changing metadata doesn’t change the file

can only change metadata for your view

EXIF data in cams

Question 15

Hardware and Software

Answer 15

Forensic Stand Alone Imagers

Software-based imaging

Question 16

Forensic Stand Alone Imagers (3)

Answer 16

• Tableau TD Series
• Forensic Falcon
• Atola Task Force

Question 17

Software-based imaging

Answer 17

FTK Imager
Paladin
Macquisition
Magnet Acquire

Question 18

Secure Evidence File Formats

Answer 18

DD/Data Dump
-exact copy of full medium = no compression

RAW
IMG
E01, EX01

Question 19

Data Acquisition File Formats

Answer 19

L01 - Logical only

Question 20

collision

Answer 20

different files with same hash values, can implicate the innocent

Question 21

MD5

Answer 21

Message Digest 5 (base 32/64)

Question 22

SHA-1

Answer 22

Secure Hash Algorithm - base 64 - higher numbers more secure

Question 23

What is usually hashed?

Answer 23

known CSAM
known malware
phone biometrics
phone pics
passwords

Question 24

Data Acquisition Steps

Answer 24

Identify what needs to be acquired
▪ What size is the storage medium?
▪ Do you have an equal or larger
storage medium on which to place
data?
 Photograph original evidence
▪ Multiple angles/sides
▪ Close-up of serial & model numbers
▪ Ensure to get connections,
Damage, etc., in photographs

Prepare target media (definition)
▪ Target media should be wiped & validated to
ensure no cross-contamination
▪ How do we validate wiped data medium?
▪ Target media should be formatted in same
formatting scheme as original evidence

Ensure evidence is handled properly
▪ Anti-static mat, no magnets in the area
 Connect to validated forensic write-blocker
▪ Can be hardware or software-based**
▪ Can be combined with stand-alone forensic disk
imager
▪ May also be installed as part of your
Forensic workstation
▪ Needs to be validated & logged

Direct imager or imaging software which
medium you want to acquire
▪ Can be physical (full disk) or logical (files/folders)
▪ VERY IMPORTANT STEP
▪ If you acquire the wrong thing, you’ve wasted time
 Direct imager or imaging software what type
of image file you want to create
▪ DD/RAW, E01, etc.
 Format your target storage medium

Direct imager or imaging software where to
place the newly-created forensic image
▪ Ensure the target medium is at least as large as
the original evidence medium
▪ Be careful not to create a “clone” disk at this stage
– will not verify
 Choose verification status & hashing
algorithm (if available)
 Create image
▪ General rule: 100GB per hour

Question 25

RAID

Answer 25

Redundant Array of Independent Disks

can be set up in different formats

Question 26

Challenges to Data Acquisition

Answer 26

Physical damage to storage medium
 Encryption
 Secure startup and/or BIOS password
 Trim or other secure data erasure
 Anti-forensic tools
 Overall size of medium(s) to be acquired
 Improper formatting of target media
 “Always on” devices = Data always changing
 Cloud-based primary storage