Chapter Eight - PowerPoint PPT Presentation
Presentation Transcript
Chapter Eight

Forensic Terminology and Criminal Investigation

Who Benefits from Forensic Computer Science
  • prosecutors - variety of crime where incriminating documents can be found ranging from homicide to financial fraud to child pornography
  • civil litigators – personal and business records which relate to fraud, divorce, discrimination, and harassment
  • insurance companies – mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman’s comp cases
  • corporations – ascertain evidence relating to sexual harassment, embezzlement, theft, or misappropriation of trade secrets and other internal/confidential information
  • law enforcement officials – for pre-search warrant preparations and post-seizure handling of computer equipment
  • individuals – support of claims of wrongful termination, sexual harassment, or age discrimination
Why LE investigations require it
  • Protects and maintains the integrity of potential evidence by:
    • maintaining a chain of custody
    • ensuring that viruses are not introduced
    • ensuring that evidence or potential evidence remains in an unaltered state (i.e., not destroyed, damaged, or otherwise manipulated during the investigative process)
  • Enables the creation of forensically sound images for data analysis
  • Prevents allegations of corruption or misconduct
  • Enables the discovery of all relevant files on suspect systems, including overt, hidden, password-protected, slack, swap, encrypted, and some deleted files
  • Enhances the likelihood of timely processing (necessary to protect departments from civil litigation claiming unreasonable interruption of business operations)
  • More specifically, establishes procedures for the recovery, preservation, and analysis of digital evidence
Traditional problems in computer investigations
  • Inadequate resources
  • Lack of communication and cooperation among agencies
  • Over-reliance on automated programs and self-proclaimed experts
  • Lack of reporting
  • Corruption of evidence
  • Encryption
Inadequate Resources
  • The least equipped agencies are the least able to secure external funding for necessary equipment or training.
  • Even those agencies currently favored by funding entities struggle to justify the exponential costs associated with computer forensics.
  • Software and training such as that offered by NTI (New Technologies, Inc.) and Litton/TASC may cost as much as $2000/person.
  • Individualized licensing requires departments to send multiple attendees.
  • Federal Programs, like those offered at the FBI and FLETC, are also disproportionately attended by large, better funded agencies.
  • National White Collar Crime Center is a step in the right direction.
Lack of Communication
  • Traditionally, communication and cooperation between law enforcement agencies have been strained due to competing interests (funding, etc.).
  • Individual practitioners, however, have developed professional organizations like HTCIA, which have encouraged collaboration.
Over-reliance on automated programs & self-proclaimed experts
  • The familiarity and utilization of automated programs may result in a situation where investigators know just enough to make them potentially hazardous to the very investigation to which they are dedicated.
Lack of Reporting
  • Many businesses and individual citizens do not perceive the police as technologically advanced.
  • Victims often wish to contain the problem internally.
  • Many believe that they may conduct their own investigation and then turn it over to the police.
  • Victims fear losing consumer confidence.
Corruption of Evidence
  • Many “departmental computer experts” have destroyed cases due to their lack of knowledge of disk structure.
  • Corporations or private entities which initiate investigations often fail to appreciate the legal complexities of evidence preservation and custodial documentation.
Three Cardinal Rules of Computer Investigations
  • Always work from an image – leaving the original intact.
  • Document, Document, Document
  • Maintain chain of custody
Computer forensic science and disk structure
  • Investigators must be aware of both the physical and logical structure, disk management, and memory storage.
Simple Terms
  • Computer - a device capable of storing, transmitting or manipulating data through mathematical and logical processes or operations
  • Static memory - that area on hard and/or floppy disks in which data and programs are stored
  • Volatile memory - that area of a computer which holds information during processing and is erased when power is shut down
  • Semi-permanent storage - that area of a disk that is not dependent upon a power source for its continued maintenance, and which may be changed under the appropriate operating conditions (i.e., storage devices, floppy and fixed disks, magnetic tapes, etc.). This is where the majority of the work and storage is conducted, and where the most processed data is stored. Thus, it is extremely important in computer forensics.
  • Computer storage - the holding of data in an electromagnetic form for access by a computer processor
  • Primary storage - data in RAM and other built-in devices
  • Secondary storage - data on hard disk, tapes, and other external devices
  • Floppy disks or diskettes - single circular disks with concentric tracks which are turned by spindles under one or more heads
  • CD-ROMs have a single track, spiraling from the disk edge towards the center, which may only be written to once (CDs write data from the center out and music from the outside in), while CD-RWs act as traditional disk drives which may be written to more than once
  • Hard/fixed disks - one or more platters, with one or more heads, often fixed inside a sealed enclosure (a disk with more than one platter has more than two sides)
Disk Structure
  • Physically, a drive is usually composed of a number of rotating platters. Each platter is divided concentrically into tracks. In turn, tracks are divided into sectors, which are further divided into bytes. Finally, read/write heads are contained on either side of the platters.
  • Head – Each platter has one head per side. These heads are very close to the surface of the platter, and allow reading of, and writing to, the platter. Heads are numbered sequentially from zero.
  • Tracks – the concentric bands dividing each platter. Tracks are numbered sequentially beginning with zero.
  • Cylinder – the set of tracks located at the same position on every platter, i.e., under the same head position. Unlike physical disk units, cylinders are intangible: simply put, they are a cross-section of a disk. (Imagine using a hole puncher on a perfectly positioned stack of paper; the resulting hole would be a visible representation of an empty sector.) Each double-sided floppy has two tracks per cylinder, since the same track is on all stacked platters. Taken together, the corresponding tracks on a magnetic disk that lie the same distance from the disk’s edge form a cylindrical shape. For a hard drive, a cylinder usually includes several tracks on each side of each disk platter.
Data Storage
  • On all DOS machines, certain structural rules exist in which physical drives are loaded first, logical drives second, and drivers third.
  • Physical drives - devices and data at the electronic or machine level
  • Logical drives - (most important in computer forensics) allocated parts of a physical drive that are designated and managed as independent units
  • Binary digits or bits – based on the principle of two; bits may be likened to on/off switches. Collections of bits are interpreted by the computer and transformed into a format for non-mechanical, human consumption.
  • ASCII – American Standard Code for Information Interchange – the most common set of associations between particular binary patterns and characters (ensures compatibility between systems and system components)
    • This code defines characters for the first 128 binary values (i.e., 0 to 127)
    • The first 32 of these are used as non-printing control characters, which were designed to control data communications equipment and computer printers and displays
    • Extended ASCII code - assigns particular character symbols to binary values 128 through 255
Data Interpretation
  • Binary system – interpretative rules are associated with a base of 2, with integers represented by 0’s and 1’s. The range of whole numbers that can be represented by a single byte is 0 to 255. Thus, it is often necessary to use two bytes to represent whole numbers, and four bytes where greater levels of precision are required.
  • Hexadecimal system - interpretative rules are associated with a base of 16, with integers ranging from 0 to 9 and A to F. Very useful for investigators as some programs reuse memory blocks without modification.
Fixed units of storage
  • Sectors – the smallest physical storage unit on a disk – an arc-shaped portion of one of the disk tracks (magnetic disks formatted for U.S. versions of Windows use a standard 512-byte sector)
    • Sectors start with 1, and are numbered sequentially on a track.
  • Clusters (File Allocation Units) – comprised of one or more adjacent sectors, and represent the basic allocation units of magnetic disk storage
    • Although size varies with disk size, clusters represent the minimum space allocated to an individual file in DOS.
    • Clusters make it easier for operating systems to manage files.
  • Files – composed of one or more clusters – the smallest unit that distinguishes one set of data from another
Logical vs. Physical
  • Logical file size – the exact size of a file in bytes
  • Physical file size – the actual amount of space that the file occupies on a disk
  • File slack - information found within that portion of unused space between the logical end of a file and the physical end of a cluster
    • may be likened to a restaurant in which a couple is seated at a table for four: although the extra two chairs are empty, they constructively belong to those individuals until they have finished their meal.
    • Extremely important for forensics, as the slack may contain the remnants of old files or other evidence, including passwords, old directory structures, or miscellaneous information stored in memory
  • Partition – portion of a fixed disk that the operating system identifies as a single unit (maximum of four)
  • Windows NT and other operating systems may treat multiple partitions on different physical disk drives as a single disk volume.
  • Every bootable hard disk includes one disk partition for the OS.
  • “Extended partitions” may be subdivided into a maximum of 23 additional logical disks.
  • Remember: the partition of the boot drive where the operating system resides must be bootable.
  • FDISK, a Microsoft product, enables the user to partition a hard drive. Partitioning creates a master boot record and partition table for the hard disk.
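The logical-versus-physical size and file-slack bullets above describe arithmetic and a reuse effect that are easier to see in code. This is an added example, not part of the slides; the 4096-byte cluster, the old memo contents and the cluster-size choices are constructed for illustration.

```python
import math

SECTOR_SIZE = 512  # bytes per sector, as stated on the slides

def physical_size(logical_size, sectors_per_cluster):
    """Space a file really occupies: whole clusters, rounded up (0 for an empty file)."""
    cluster_bytes = sectors_per_cluster * SECTOR_SIZE
    return math.ceil(logical_size / cluster_bytes) * cluster_bytes

def slack_size(logical_size, sectors_per_cluster):
    """Bytes between the logical end of the file and the physical end of its last cluster."""
    return physical_size(logical_size, sectors_per_cluster) - logical_size

def overwrite_cluster(old_cluster, new_data):
    """Simulate the OS reusing a cluster: only the new file's bytes are written,
    so whatever was there before survives in the slack area."""
    if len(new_data) > len(old_cluster):
        raise ValueError("file does not fit in one cluster")
    return new_data + old_cluster[len(new_data):]

def read_slack(cluster, logical_size):
    """What an examiner sees when reading past the logical end of the file."""
    return cluster[logical_size:]

# Constructed sample (not a real disk): one 4096-byte cluster that used to hold a memo.
OLD_CLUSTER = b"OLD MEMO: budget figures for Q3 are attached. ".ljust(4096, b"\x00")
NEW_FILE = b"hello"
REUSED = overwrite_cluster(OLD_CLUSTER, NEW_FILE)

if __name__ == "__main__":
    print("physical", physical_size(len(NEW_FILE), 8), "slack", slack_size(len(NEW_FILE), 8))
    print("slack preview:", read_slack(REUSED, len(NEW_FILE))[:40])
```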
Partitions cont’d
  • The partition table describes every logical volume on a disk.
  • It also identifies corresponding locations, indicates which partition is bootable, and contains the Master Boot Record.
  • Extremely important in forensic investigations – it enables users to hide entire partitions. Investigators unaware of this fact may be confused to see that the logical drive size is contrary to identified characteristics.
  • Partition data is stored at physical: cylinder = 0; head = 0; sector = 1.
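An added example (not from the slides) that decodes the partition table stored at cylinder 0, head 0, sector 1: it reads the four 16-byte entries, the bootable flag and the CHS and LBA start fields described in the Disk Structure and Partitions slides, and then lists sector ranges that no entry accounts for, which is where a hidden partition would show up as a mismatch between disk size and the sum of the logical drives. The sample MBR is constructed in the code; the 255-head/63-sector geometry is an assumed classic default.

```python
import struct

SECTOR = 512
PT_OFFSET = 446          # the four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"  # last two bytes of absolute sector 0
ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count

def decode_chs(raw):
    """Unpack the 3-byte CHS field: head; sector in low 6 bits; cylinder = 2 high bits + byte 2."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector

def chs_to_lba(cylinder, head, sector, heads=255, sectors_per_track=63):
    """Classic geometry conversion; sectors count from 1, heads and cylinders from 0."""
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)

def parse_mbr(mbr):
    """Return the populated partition entries of a 512-byte master boot record."""
    if len(mbr) != SECTOR or mbr[510:] != SIGNATURE:
        raise ValueError("missing boot signature: not an MBR")
    parts = []
    for i in range(4):
        raw = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        status, chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY, raw)
        if ptype == 0:  # empty slot
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "chs_start": decode_chs(chs_s), "lba_start": lba, "sectors": count})
    return parts

def unallocated_ranges(parts, disk_sectors):
    """Sector ranges no entry accounts for: where a hidden partition or stray data may sit."""
    gaps, cursor = [], 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda e: e["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def build_mbr(entries):
    """Constructed sample MBR for this example, not captured from a real disk."""
    table = b"".join(struct.pack(ENTRY, *e) for e in entries).ljust(64, b"\x00")
    return b"\x00" * PT_OFFSET + table + SIGNATURE

SAMPLE_MBR = build_mbr([
    (0x80, b"\x01\x01\x00", 0x0B, b"\xfe\xff\xff", 63, 2048),    # bootable FAT32 at LBA 63
    (0x00, b"\x00\x00\x00", 0x05, b"\xfe\xff\xff", 4096, 1024),  # extended, after a gap
])
```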
Data Location
  • File Allocation Table (FAT) – system used to identify and locate files on a disk
    • The 12-, 16-, and 32-bit designations used by DOS indicate how many bits the FAT uses to identify where on the disk (i.e., in which cluster numbers) a file resides.
  • Every number contained within the FAT identifies a particular cluster.
  • Information contained therein identifies:
    • if the cluster is “bad” or available;
    • if the end of a file is contained within;
    • the next cluster attached to a file.
  • FAT32 was created to manage space more efficiently by utilizing smaller cluster sizes.
  • NTFS – emerging in popularity – is the most efficient way to manage data
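An added example, not from the slides, of the FAT bullets above: each 16-bit entry is read as "available", "bad", "end of file" or "next cluster", a file's cluster chain is followed from its first cluster, and each cluster is mapped to a byte offset on the disk. The FAT contents, data-area start and 2048-byte cluster are constructed for the example; the loop check catches the cross-linked or corrupt tables an examiner should expect.

```python
import struct

FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOF = 0xFFF8      # 0xFFF8..0xFFFF: this cluster is the last one of the file

def load_fat16(raw):
    """Decode the on-disk FAT16 region (little-endian 16-bit entries) into a list."""
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))

def describe(entry):
    """What a single FAT entry says about its cluster."""
    if entry == FAT16_FREE:
        return "available"
    if entry == FAT16_BAD:
        return "bad"
    if entry >= FAT16_EOF:
        return "end of file"
    return "next cluster %d" % entry

def cluster_chain(fat, start):
    """Follow the chain from a directory entry's first cluster to end of file.
    Loops and chains that run into free or bad clusters signal a corrupt or cross-linked FAT."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):
            raise ValueError("cluster %d out of range" % cur)
        if cur in seen:
            raise ValueError("loop at cluster %d" % cur)
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOF:
            return chain
        if nxt in (FAT16_FREE, FAT16_BAD):
            raise ValueError("chain from %d hits %s entry at cluster %d" % (start, describe(nxt), cur))
        cur = nxt

def chain_offsets(chain, data_area_start, cluster_bytes):
    """Byte offset of each cluster on the disk; the data area begins at cluster 2."""
    return [data_area_start + (c - 2) * cluster_bytes for c in chain]

# Constructed FAT (not from a real volume): entries 0-1 reserved, a file at 2 -> 5 -> 3,
# a bad cluster 4, a free cluster 6, and a self-referencing (corrupt) cluster 7.
SAMPLE_FAT_RAW = struct.pack("<8H", 0xFFF8, 0xFFFF, 0x0005, 0xFFFF, 0xFFF7, 0x0003, 0x0000, 0x0007)
SAMPLE_FAT = load_fat16(SAMPLE_FAT_RAW)
```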
Data Management
  • boot sector – located at the very first sector of the physical disk or absolute sector 0
    • Contains code that enables the computer to find the partition table and the operating system
  • BIOS (Basic Input Output System) – number of machine code routines stored in ROM that includes a variety of commands including those necessary for reading physical disks by sector which are executed upon system booting
  • bootstrap loader – the first command executed upon system booting
Data Integrity
  • CRC (Cyclical Redundancy Checksum) – used to identify files by a computer-generated (i.e., calculated) value
  • MD5 Hash – a 128-bit verification tool developed by RSA which acts as the equivalent of digital DNA.
    • The odds that two different files have the same value are 1 in 2^128.
    • Brian Deering, NDIC, analogizes the chance of randomly generated matching hash values to hitting the Pennsylvania Lottery Super 6 5.582 x 10^41 (or 558,205 billion, billion, billion, billion) times before this will occur
  • Hashkeeper – program which maintains the hash values of a variety of known files – reduces the amount of information needing to be processed
  • Computer crime is the wave of the future.
  • Administrators must establish forensic computer science capabilities, evaluating the feasibility of partnering LE personnel with civilian experts and relying on cooperation of corporate entities.
  • Proper training must begin with a basic understanding of computer structure and data management.
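The Data Integrity slide names three uses of digests: a CRC or MD5 value that identifies a file, a hash check that proves an image matches the original (the first cardinal rule), and a Hashkeeper-style set of known-file hashes that removes files from the pile needing review. This added example (not from the slides) does all three on constructed sample data; the "known" binaries and evidence files are made up for the illustration.

```python
import hashlib
import zlib

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def crc32_hex(data):
    return "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)

def flip_bit(data, bit_index):
    """Return a copy of data with one bit inverted, to show how sensitive the digests are."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def image_is_faithful(original, image):
    """Work from an image, but only after its hash matches the original it was taken from."""
    return md5_hex(original) == md5_hex(image)

def triage(files, known_hashes):
    """Hashkeeper-style filtering: files whose hash is already known need no further review.
    Returns the remaining files with their digests for the examiner's notes."""
    return {name: md5_hex(data) for name, data in files.items()
            if md5_hex(data) not in known_hashes}

# Constructed sample data (not real files). The known set is built from two "OS" binaries.
KNOWN_FILES = {"notepad.exe": b"MZ known good binary", "calc.exe": b"MZ another known binary"}
KNOWN_HASHES = {md5_hex(d) for d in KNOWN_FILES.values()}
EVIDENCE = dict(KNOWN_FILES, **{"letter.doc": b"draft of the letter", "notes.txt": b"meeting at noon"})
```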