Photographic documentation must be used to…
Place material and to avoid claims of mistaken identity or mis-configuration
Storage comes in arbitrary forms:
- Tiny USB mass storage devices
- Gaming consoles
- Smart watches
- Phones
- Digital photo frames
- Local surveillance camera storage
- Photo frames
- Backup media
Forensic Duplication:
The ability to produce an identical byte stream from the duplicate as from the original
A forensic duplicate as a file (or artefact) containing…
Every bit of information from the source, typically in a raw format
A qualified duplicate provides…
The same information as a forensic duplicate, but contains further embedded meta-data or employs certain kinds of compression
A restored image is a…
Forensic or qualified forensic duplicate restored to another storage medium
A mirror image provides a…
Bit-wise copy from one medium to another
Device must ensure that no write occurs on the original device but…
Recall that even during the read-only operation, the device may alter its internal state
Imaging device must…
Perform sector-by-sector copying
Error conditions must be…
Identified clearly, detailed logging
Integrity of duplicated data must be…
Traceable, typically using cryptographic hash information
Creating Forensic Duplicates - Addition information which should be recorded:
- Time and location of duplication session
* Diagnostic information from device
Any mechanism providing imaging or write blocking must provide assurance of maintaining the objectives:
- Manufacturers may need to provide expert testimony when challenged
- Forensic laboratories may provide test results
- The NIST CFTT provides detailed test plans for imaging and write blocking devices
- Hardware-based systems are simple to implement and particularly to validate
Volume systems may be used to…
Combine multiple sub-volumes into a single volume
All components required for duplication must be…
Identified and recorded clearly
In the case of files, disks and partitions may contain un-allocated as well as slack space, can be used by…
Arbitrary file systems and must be analysed separately
Reconstruction of on-disk data depends on a number of factors including:
- Has the medium been used in some way after the incident
- Has any deletion occurred
- Is the use of wiping tools suspected
- Is the presence of anti-forensic or malware components suspected
- Is the file system complete
- Is knowledge of file content or file format available
- Is sought-after information replicated
Establishing that a volume holds a FAT file system:
- Finding the 0x55AA boot sector signature or in the reserved area is quickest approach
- Even for file systems, the structure of FAT can often be hypothesised
Identify the first cluster:
Easy only if the exact FAT type and cluster size is known
Knowledge of the OS version which created or used the file system is important which means…
Cluster allocation strategy may vary
Once a directory entry has been located, the base entry must be identified:
- For long file names, multiple entries may exist
- Recall that the allocation status is set by the first byte of the base entry
- The base directory entry will also hold the starting cluster of the file
- On creating a new directory, the OS will generally zero/wipe the cluster, the first two entries are for “.” and “..” entries
The FAT structure will contain a chained list of entries for all data clusters and the last block will contain…
An End-of-File (EOF) marker
Deleted/De-allocated files will result in…
Deletion of first byte of directory entry
Deletion of first byte of directory entry can cause…
Ambiguity in file names
-
Introduction to Forensic Science3
-
Digital Evidence14
-
Forensics Walk-Through16
-
Magnetic Storage Media, Volumes, and Encryption17
-
FAT File Systems14
-
Reconstructing FAT File System Structures29
-
Microsoft Windows Storage Architecture38
-
The Windows NTFS File System35
-
File and Volume Encryption11
-
Physical Storage Artefacts in Magnetic Media8
-
Nonvolatile Storage Forensics43
-
Microsoft Windows Kernel Architecture65
-
Introduction to Microsoft Windows Live Forensics17
-
Microsoft Windows Security Architecture35
-
Memory Acquisition and Forensics6
-
Firmware and Forensics0
-
Host-Based Network Forensics Sources0
-
Network-Component Forensic Information Collection0
-
Email Forensics0
-
Malware Concepts and Objectives0
-
Malware Infiltration Mechanisms0
-
Malware Exfiltration Mechanisms0
-
Malware Concealment and Detection Techniques0
-
Mobile Device Forensics Introduction0
-
Android Forensics Fundamentals0
-
iOS Forensics Fundamentals0
