Data Encoding Schemas
How is data stored?
Binary
0s, 1s, base-2
8 binary digits
1 byte/character
hexadecimal
base 16 representation of a character
ASCII
American Standard Code for Information Interchange
- limited to 256 character codes
What does formatting a drive do? (3)
Makes partitions. Partitions organize the disk space into different sections with different purposes.
- installs a file table. A file table is a catalog keeping track of where different files are stored on the drive.
-erases the “pointers” to the data on the drive, but the data itself is not erased.
Partitioning Physical Disk
Partition 1- Reserved
2- Data
3- Recovery
Unallocated space
is not part of partitions, Recycled/deleted goes here.
hard to make cases w/ data in unallocated space
FAT
File Allocation Table
- traces lifespan of files in data storage medium
- when was file created, modified
- some, but not all, varieties of FAT can track ownership, deletion
- data is stored in sectors and then clusters
- these can have many redundancies
- limited in ability to track metadata
NTFS
New Technology File System
- tracks life span of file
- higher degree of detail in tracking files
- flexibility for growth
- lots of file organization available
Data Acquisition
- should be forensically sound
- defensible
-repeatable - make copy of original
Physical
- bit by bit, bitstream
- all data, undeleted, deleted, unallocated space, entire OS
- gets more metadata
- slower, more expensive, takes more physical, digital space
Logical
just user files, folders
slack space - space in bwtn clusters of stored logical data where other data existed
usually no deleted/unallocated space
usually quicker, cheaper, less space
Metadata
“data about data”
-info about file
- ownership, authorship
- file names, dates, times, size, mod, location,
changing metadata doesn’t change the file
can only change metadata for your view
EXIF data in cams
Hardware and Software
Forensic Stand Alone Imagers
Software-based imaging
Forensic Stand Alone Imagers (3)
- Tableau TD Series
- Forensic Falcon
- Atola Task Force
Software-based imaging
FTK Imager
Paladin
Macquisition
Magnet Acquire
Secure Evidence File Formats
DD/Data Dump
-exact copy of full medium = no compression
RAW
IMG
E01, EX01
Data Acquisition File Formats
L01 - Logical only
collision
different files with same hash values, can implicate the innocent
MD5
Message Digest 5 (base 32/64)
SHA-1
Secure Hash Algorithm - base 64 - higher numbers more secure
What is usually hashed?
known CSAM
known malware
phone biometrics
phone pics
passwords
Data Acquisition Steps
Identify what needs to be acquired
▪ What size is the storage medium?
▪ Do you have an equal or larger
storage medium on which to place
data?
Photograph original evidence
▪ Multiple angles/sides
▪ Close-up of serial & model numbers
▪ Ensure to get connections,
Damage, etc., in photographs
Prepare target media (definition)
▪ Target media should be wiped & validated to
ensure no cross-contamination
▪ How do we validate wiped data medium?
▪ Target media should be formatted in same
formatting scheme as original evidence
Ensure evidence is handled properly
▪ Anti-static mat, no magnets in the area
Connect to validated forensic write-blocker
▪ Can be hardware or software-based**
▪ Can be combined with stand-alone forensic disk
imager
▪ May also be installed as part of your
Forensic workstation
▪ Needs to be validated & logged
Direct imager or imaging software which
medium you want to acquire
▪ Can be physical (full disk) or logical (files/folders)
▪ VERY IMPORTANT STEP
▪ If you acquire the wrong thing, you’ve wasted time
Direct imager or imaging software what type
of image file you want to create
▪ DD/RAW, E01, etc.
Format your target storage medium
Direct imager or imaging software where to
place the newly-created forensic image
▪ Ensure the target medium is at least as large as
the original evidence medium
▪ Be careful not to create a “clone” disk at this stage
– will not verify
Choose verification status & hashing
algorithm (if available)
Create image
▪ General rule: 100GB per hour
