What is a byte
8 bits
What is a nibble
half of a byte or 4 bits
What is a bit
1 or 0
What is a CPU
central processing unit acts as the brain of machine. All information processed by the computer is processed by the CPU
What is RAM
Random access memory is volatile data, which stores data before its processed by the CPU. RAM only contains information when there is power
What is ROM
Read only memory (ROM) is non-volatile data, usually boot information, boot strap code, or code loading the operating system
What are peripheral devices
Hard drives (HDs), CDs, USBs, and other long term storage devices that are used to store and exchange files
What is the motherboard
The motherboard connects various components in the computer. It is a printed circuit with connectors (graphics cards, USBs, network devices, etc.)
What are the stages of the forensic process
- Seizure - Gathering of digital devices
- Imaging & Verification: Taking a forensic copy and validating the copy.
- Analysis: Analyzing the image to discover evidence
- Reporting: Reporting on evidence discovered and methods used to discover this evidence.
What is Image verification
hashing is used to validate image is same as source data / hasn’t been altered. A hash is a one‐way mathematical function that provides a representation of data
MD5 hash collision is 1 in 2^128 chance of happening
Md5 hash is 16 bytes (128 bits)
What is a File Signature
magic value found at beginning (and sometimes end) of a files content that indicates the file type
What is Data Carving
involves matching signatures in raw disk contents to see if they match a file signature
What is File Recovery
File recovery techniques make use of the file system information that remains after deletion of a file.
What is File Carving
Carving deals with the raw data on the media and doesn’t use the file system structure during its process
What is the difference between File Recovery and File Carving
File recovery techniques make use of the file system information that remains after deletion of a file.
Carving deals with the raw data on the media and doesn’t use the file system structure during its process. Identifies files in file system in unallocated and file slack
Disadvantage of file carving is false positives, slow process
What is Live Data Forensics (LDF)
forensics conducted against a running machine to account for situations in which dead box forensics would be an issue (encryption, cloud storage, passwords, can’t take offline (server) etc)
What are risks associated with Live Data Forensics
- Altering of data
- Be aware of potential data loss, scheduled wiping/remote wiping
What are benefits of Live Data Forensics
-Identify encryption / get access to unencrypted data
-Identify cloud storage / internet storage contents (No local copies)
- LDF on servers allows information to be gathered / images to be taken without shutting down
- RAM can contain passwords, chat history, malware
- LDF can be faster to analyze data
What is a structure of a HDD
Platter, Read/Write Head, Spindle, Actuator
What is in the structure of a platter
Track
Geometric Sector
Sector
Cluster
What are the components of the sector structure
- Synchronization - timing (make sure R/W head is positioned correctly)
- Header (CHS address) - used so controller is certain its reading the right sector
- CRC - checks to see information has not become corrupt
What is a cluster
A number of sectors (usually 512 sectors per cluster)
What is Disk Addressing
- Initially used CHS - Cylinder, Head, and Sector
- Specified the track number, R/W head to use, and sector
- Replaced with LBA (logical block addressing)
○ Linear index scheme
○ First block is LBA 0, second is LBA 1, etc.
○ 48 bits used for addressing (248 blocks can be addressed)
What is the logical structure of a Disk
Master Boot Record
Unallocated Space
Partitions
