COMPUTER FORENSICS
Introduction

Computers have permeated society and are used
in countless ways with innumerable applications.
Similarly, the role of electronic data in
investigative work has realized exponential
growth in the last decade.
The usage of computers and other electronic
data storage devices leaves the footprints and
data trails of their users.
Criminalistics, 10e
Richard Saferstein
© 2011, 2007, 2004, 2001, 1998, 1995 Pearson Higher Education,
Upper Saddle River, NJ 07458. • All Rights Reserved.
19-
Introduction

Computer forensics involves the preservation,
acquisition, extraction, and interpretation of
computer data.
In today’s world of technology, many devices are
capable of storing data and could thus be
grouped into the field of computer forensics.
The Basics

Before getting into the nuts and bolts of
computers, the important distinction between
hardware and software must be established.
Hardware comprises the physical and tangible
components of the computer.
Software, conversely, is a set of instructions
compiled into a program that performs a
particular task: the programs and applications
that carry out a set of instructions on the
hardware.
Terminology

Computer Case/Chassis: This is the physical box
holding the fixed internal computer components in
place.
Power Supply: The PC’s power supply converts the
power it gets from the wall outlet to a usable
form for the computer and its components.
Motherboard: The main circuit board contained
within a computer (or other electronic devices) is
referred to as the motherboard.
System Bus: Contained on the motherboard, the
system bus is a vast complex network of wires that
serves to carry data from one hardware device to
another.
Terminology

Read Only Memory (ROM): ROM chips store
programs called firmware, used to start the boot
process and configure a computer’s components.
Random Access Memory (RAM): RAM serves to take
the burden off of the computer’s processor and Hard
Disk Drive (HDD).
  The computer, aware that it may need certain data at
  a moment’s notice, stores the data in RAM.
  RAM is referred to as volatile memory because it is not
  permanent; its contents undergo constant change and
  are forever lost once power is taken away from the
  computer.
Terminology

Central Processing Unit (CPU): The CPU, also referred
to as a processor, is essentially the brains of the
computer.
Input Devices: These devices are used to get data into
the computer. To name a few:
  Keyboard
  Mouse
  Joystick
  Scanner
Terminology

Output Devices: Equipment through which data is
obtained from the computer. To name a few:
  Monitor
  Printer
  Speakers

The Hard Disk Drive (HDD) is typically the primary
location of data storage within the computer.
Terminology

Different operating systems map out (partition)
HDDs in different manners.
Examiners must be familiar with the file system they
are examining.
Evidence exists in many different locations and in
numerous forms on a HDD.
The type of evidence can be grouped under two
major sub-headings: visible and latent data.
How Data is Stored

Generally speaking a HDD needs to have its
space defined before it is ready for use.
Partitioning the HDD is the first step.
When partitioned, HDDs are mapped
(formatted) and have a defined layout.
They are logically divided into sectors, clusters,
tracks, and cylinders.
How Data is Stored

Sectors are typically 512 bytes in size.
  Remember a byte is 8 bits.
  A bit is a single 1 or 0.

Clusters are groups of sectors and their size is
defined by the operating system.
Clusters are always in sector multiples of two.
  A cluster, therefore, will consist of 2, 4, 6, 8, etc.
  sectors. (With modern operating systems, the user
  can exercise some control over the number of sectors per
  cluster.)



Tracks are concentric circles that are defined
around the platter.
Cylinders are groups of tracks that reside directly
above and below each other.
How Data is Stored

After the partitioning and formatting processes are
complete, the HDD will have a map of the layout
of the defined space in that partition.
A FAT partition utilizes a File Allocation Table (FAT) to
keep track of the location of files and folders
(data) on the HDD, while an NTFS partition (most
current Windows systems, such as 2000 and XP)
utilizes, among other things, a Master File Table (MFT).
How Data is Stored

Each partition table (map) tracks data in different
ways.
Computer forensic examiners should be versed
in the technical nuances of the HDDs they examine.
It is sufficient for purposes here, however, to
merely visualize the partition table as a map to
where the data is located.
This map uses the numbering of sectors, clusters,
tracks, and cylinders to keep track of the data.
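The "partition table as a map" idea, as an added example that is not from the textbook: a parser for a constructed MBR-style partition table (four 16-byte entries at byte offset 446, 0x55AA signature) that turns each entry into sector and byte ranges, plus a lookup that tells which partition a given sector number falls in. The sample MBR is built here and is not real disk content.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                  # four 16-byte entries precede the 0x55AA signature
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, count

def parse_partition_table(mbr: bytes) -> list:
    """Turn a 512-byte MBR sector into a list of partition 'map' entries."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:        # empty slot
            continue
        parts.append({"slot": i, "type": ptype, "bootable": status == 0x80,
                      "first_sector": lba, "sectors": count,
                      "byte_offset": lba * SECTOR, "byte_length": count * SECTOR})
    return parts

def locate_sector(parts: list, lba: int):
    """Which partition slot does a sector number belong to? None if outside all."""
    for p in parts:
        if p["first_sector"] <= lba < p["first_sector"] + p["sectors"]:
            return p["slot"]
    return None

def build_mbr(entries) -> bytes:
    """Construct a sample MBR from (status, type, first_sector, sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(entries):
        ENTRY.pack_into(mbr, TABLE_OFFSET + 16 * i,
                        status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

# Constructed sample: a bootable NTFS (type 0x07) partition followed by FAT32 (0x0B).
SAMPLE_MBR = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x0B, 206848, 102400)])

if __name__ == "__main__":
    for p in parse_partition_table(SAMPLE_MBR):
        print(p)
    print("sector 3000 lies in slot", locate_sector(parse_partition_table(SAMPLE_MBR), 3000))
```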
Processing the Electronic CS

Processing the electronic crime scene has a lot in
common with processing a traditional crime scene:
  Warrants
  Documentation
  Good investigation techniques
At this point, a decision must be made as to
whether a live acquisition of the data is
necessary.
Shutdown vs. Pulling the Plug

Several factors influence the systematic shutdown vs.
pulling the plug decision.
For example, if encryption is being used and pulling
the plug will encrypt the data, rendering it
unreadable without a password or key, then
pulling the plug would not be prudent.
Similarly, if crucial evidentiary data exists in RAM
and has not been saved to the HDD and will thus be
lost with discontinuation of power to the system,
another option must be considered.
Regardless, the equipment will most likely be seized.
Forensic Image Acquisition

Now that the items have been seized, the data
needs to be obtained for analysis.
The computer’s Hard Disk Drive will be used as an
example, but the same “best practices” principles
apply for other electronic devices as well.
Throughout the entire process, the computer
forensic examiner must adopt the method that is
least intrusive.
The goal when obtaining data from a HDD is to do
so without altering even one bit of data.
Forensic Image Acquisition

Because booting a HDD to its operating system
changes many files and could potentially destroy
evidentiary data, obtaining data is generally
accomplished by removing the HDD from the system
and placing it in a laboratory forensic computer so
that a forensic image can be created.
Occasionally, in cases of specialized or unique
equipment or systems, the image of the HDD must be
obtained utilizing the seized computer.
Regardless, the examiner needs to be able to prove
that the forensic image he/she obtained includes
every bit of data and caused no changes (writes) to
the HDD.
Computer Fingerprint

To this end, a sort of fingerprint of the drive is taken
before and after imaging.
This fingerprint is accomplished through the use of a
Message Digest 5 (MD5), Secure Hash Algorithm
(SHA), or similar validated algorithm.
Before imaging the drive, the algorithm is run and a
32-character alphanumeric string is produced based
on the drive’s contents.
It is then run against the resulting forensic image, and if
nothing changed the same alphanumeric string will
be produced, thus demonstrating that the image is
all-inclusive of the original contents and that nothing
was altered in the process.
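The before-and-after fingerprint, as an added example that is not from the textbook: the sample "drive" is a constructed byte string, it is hashed sector by sector (as an imaging tool streams a device), the image is a bit-for-bit copy, and the check then shows what happens when even one bit of the image differs from the source.

```python
import hashlib

SECTOR = 512

def fingerprint(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a drive or image, computed in sector-sized chunks."""
    h = hashlib.new(algo)
    for off in range(0, len(data), SECTOR):
        h.update(data[off:off + SECTOR])
    return h.hexdigest()

def image_drive(drive: bytes) -> bytes:
    """A forensic image is a bit-for-bit copy of the source."""
    return bytes(drive)

def verify_image(drive: bytes, image: bytes, algo: str = "md5") -> dict:
    """Fingerprint the source before and the image after; they must match exactly."""
    before = fingerprint(drive, algo)
    after = fingerprint(image, algo)
    return {"before": before, "after": after, "match": before == after}

# Constructed sample "drive": a boot sector, one sector of file data and two
# zero-filled sectors (unallocated space). Not real disk content.
SAMPLE_DRIVE = (b"boot sector".ljust(SECTOR, b"\x00")
                + b"memo.txt: meeting moved to 9am".ljust(SECTOR, b"\x00")
                + bytes(SECTOR * 2))

def demo() -> tuple:
    """Clean acquisition versus an image with a single flipped bit."""
    clean = verify_image(SAMPLE_DRIVE, image_drive(SAMPLE_DRIVE))
    tampered = bytearray(image_drive(SAMPLE_DRIVE))
    tampered[600] ^= 0x01           # one bit altered during acquisition
    bad = verify_image(SAMPLE_DRIVE, bytes(tampered))
    return clean, bad

if __name__ == "__main__":
    clean, bad = demo()
    print("clean image  :", clean["match"], clean["after"])
    print("altered image:", bad["match"], bad["after"])
```

MD5 yields the 32-character hex string the slide describes; passing "sha256" to the same functions gives a 64-character digest from a stronger algorithm without changing the procedure.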
Visible Data

Visible data is that data which the operating system
is aware of.
Consequently, this data is easily accessible to the user.
From an evidentiary standpoint, it can encompass any
type of user-created data like:
  Word processing documents
  Spreadsheets
  Accounting records
  Databases
  Pictures
Temporary Files and Swap Space

Temporary files, created by programs as a sort of
“back-up on the fly” can also prove valuable as
evidence.
Finally, data in the swap space (utilized to conserve
the valuable RAM within the computer system) can
yield evidentiary data.
Latent data, on the other hand, is that data which the
operating system is not aware of.
Latent Data

Evidentiary latent data can exist in both RAM and file
slack.
RAM slack is the area from the end of the logical file
to the end of the sector.
File slack is the remaining area from the end of the
final sector containing data to the end of the cluster.
Another area where latent data might be found is in
unallocated space.
  Unallocated space is that space on a HDD the
  operating system sees as empty and ready for data.
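The sector/cluster arithmetic from "How Data is Stored" and the RAM slack / file slack definitions above, worked through in one added example that is not from the textbook: slack_layout computes the three regions for any file size and cluster size, and carve_slack pulls the slack bytes out of a constructed cluster in which the tail of a previously deleted file survives behind a newly written 700-byte file.

```python
SECTOR = 512

def slack_layout(file_size: int, sectors_per_cluster: int, sector: int = SECTOR) -> dict:
    """Split a file's allocation into logical data, RAM slack and file slack.

    RAM slack : end of the logical file to the end of its last used sector.
    File slack: end of that sector to the end of the last allocated cluster.
    """
    if file_size < 0 or sectors_per_cluster < 1:
        raise ValueError("file_size must be >= 0 and a cluster holds >= 1 sector")
    cluster = sectors_per_cluster * sector
    sectors_used = -(-file_size // sector)       # ceiling division
    clusters_used = -(-file_size // cluster)
    ram_slack = sectors_used * sector - file_size
    file_slack = clusters_used * cluster - sectors_used * sector
    return {"logical": file_size, "ram_slack": ram_slack,
            "file_slack": file_slack, "allocated": clusters_used * cluster}

def carve_slack(cluster_bytes: bytes, file_size: int, sector: int = SECTOR) -> dict:
    """Return the two slack regions of a single cluster holding a file's tail."""
    if file_size > len(cluster_bytes):
        raise ValueError("file does not fit in one cluster")
    lay = slack_layout(file_size, len(cluster_bytes) // sector, sector)
    end_sector = file_size + lay["ram_slack"]
    return {"ram_slack": cluster_bytes[file_size:end_sector],
            "file_slack": cluster_bytes[end_sector:]}

# Constructed sample: a 4-sector cluster that previously held a deleted file.
# A new 700-byte file is written: sectors 0-1 are rewritten (the OS zero-pads
# the RAM slack), sectors 2-3 are never touched, so the old data survives there.
PREVIOUS_OCCUPANT = (b"old deleted ledger row;" * 100)[:4 * SECTOR]
NEW_FILE = b"N" * 700
SAMPLE_CLUSTER = (NEW_FILE + bytes(2 * SECTOR - len(NEW_FILE))
                  + PREVIOUS_OCCUPANT[2 * SECTOR:])

if __name__ == "__main__":
    print(slack_layout(700, 4))
    carved = carve_slack(SAMPLE_CLUSTER, 700)
    print("RAM slack bytes :", len(carved["ram_slack"]))
    print("file slack text :", carved["file_slack"][:40])
```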
Latent Data

The constant shuffling of data through deletion,
defragmentation, swapping, etc., is one of the ways
data is orphaned in latent areas.
Finally, when a user deletes files the data typically
remains behind.
Deleted files are therefore another source of latent
data to be examined during forensic analysis.
Knowledge and Skill

Computer file systems and data structures are vast
and complex.
Therefore, areas of forensic analysis are almost
limitless and constrained only by the knowledge and
skill of the examiner.
With a working knowledge of how computers function,
how they are utilized, and how they store data, an
examiner is well on the way to locating the
evidentiary data.
Review Questions 1-12

1. Describe the difference between software and media and give two examples of each.
2. What is the motherboard and why is it central to the functioning of a computer?
3. Define RAM and ROM and explain the difference between the two.
4. Define the terms input device and output device and name three examples of each.
5. What is the most common storage device on most computers? Name three other types of storage devices.
6. What type of hardware device do personal computers typically use to communicate with one another? Name two ways this device can send and receive data.
7. What is the role of the operating system in a computer? Name three common operating systems.
8. Name and describe the two processes that must be performed on a hard disk drive (HDD) before it is ready for use.
9. What is a FAT and what is its purpose?
10. What is the forensic examiner’s main goal when obtaining data from an HDD? Why is this best accomplished by removing the HDD from the system and placing it in a laboratory forensic computer?
11. Why does a forensic examiner take a “fingerprint” of a drive before and after imaging its contents?
12. What is a swap file and how is it useful for forensic examiners?
Review Questions 13-17

13. What is the difference between visible and latent data? How is latent data viewed?
14. What is file slack? How can it be useful to the forensic examiner?
15. What is unallocated space? Name three processes that cause latent data to be stored in unallocated space.
16. What is an Internet cache and why is it of interest to forensic examiners?
17. What are cookies? What is their basic purpose and how are they used by forensic examiners?
Figure 19–3 Partitions of a hard disk drive.
Figure 19–7 As the user switches between applications and performs multiple tasks, data is swapped back and forth between RAM and the computer’s hard drive. This area on the hard drive is referred to as either swap space or a paging file.
Figure 19–8 Slack space illustrated in a two-sector cluster. Cluster sizes are typically greater than two sectors, but two sectors are displayed here for simplicity.
Figure 19–9 File slack.