What does computer forensics involve?
- the preservation, acquisition, extraction, and interpretation of computer data

The basis of computer forensics: hardware and software
- hardware: the physical and tangible components of the computer
- software: programs and applications that carry out a set of instructions on the hardware; a set of instructions compiled into a program that performs a particular task

Hardware components
- motherboard: the main circuit board contained within a computer (or other electronic device)
- system bus: contained on the motherboard; a vast, complex network of wires that serves to carry data from one hardware device to another
- ROM chips store programs called firmware, used to start the boot process and configure a computer's components

Random Access Memory (RAM)
- serves to take the burden off the computer's processor and hard disk drive
- the computer, aware that it may need certain data at a moment's notice, stores the data in RAM
- referred to as volatile memory because it is not permanent
- its contents undergo constant change and are forever lost once power is taken away from the computer

Central processing unit (CPU)
- aka the processor; the brains of the computer

Input and output
- devices used to get data into the computer, e.g. keyboard, mouse, scanner
- equipment through which data is obtained from the computer, e.g. monitor, printer, speakers

Hard disk drive (HDD)
- typically the primary location of data storage within a computer
- different operating systems map out the HDD in different manners
Evidence locations and forms on HDD
- evidence exists in many different locations and in numerous forms on a HDD
- after partitioning and formatting processes are complete, the HDD will have a map of the layout of the defined space in that partition
- partitions utilize a File Allocation Table (FAT) to keep track of the location of files and folders (data) on the HDD

Processing the electronic crime scene
- need warrants, documentation, good investigation techniques
- at this point, a decision must be made as to whether a live acquisition of the data is necessary

Factors that influence the shutdown vs. pulling the plug decision
- e.g. if encryption is being used, pulling the plug will encrypt the data, rendering it unreadable without a password or key; therefore pulling the plug would not be prudent
- if crucial evidential data exists in RAM and has not been saved to the HDD, it will be lost with discontinuation of power to the system, so another option must be considered
- regardless, the equipment will most likely be seized

Forensic image acquisition
- once items have been seized, data need to be obtained for analysis
- throughout the entire process, the examiner must adopt the method that is least intrusive
- the goal with obtaining data from a HDD is to do so without altering even one bit of data
- because booting a HDD to its operating system changes many files and could destroy data, obtaining data is accomplished by removing the HDD from the system and placing it in a lab forensic computer so that a forensic image can be created
- the drive's fingerprint is accomplished through the use of Message Digest 5 (MD5), Secure Hash Algorithm (SHA) or a similar validated algorithm
- before imaging the drive, the algorithm is run and a 32-character alphanumeric string is produced based on the drive's contents
- it is then run against the resulting forensic image and, if nothing changed, the same alphanumeric string will be produced, demonstrating that the image is all-inclusive of the original contents and that nothing was altered in the process

Forms of data on a HDD
- data which the operating system is aware of is easily accessible to the user, e.g. word processing documents, spreadsheets, pictures
- files created by programs as a sort of back-up on the fly can also prove valuable as evidence
- data in the swap space (utilized to conserve the valuable RAM within the computer system) can yield evidentiary data
- data that has been deleted or partially overwritten is present in areas of files and disks not known to the user or operating system, e.g. slack space, unallocated space, swap space

Where can latent data exist?
- in both RAM slack and file slack
- RAM slack: the area from the end of the logical file to the end of the sector
- file slack: the remaining area from the end of the final sector containing data to the end of the cluster

How can data be orphaned in latent areas?
- the constant shuffling of data through deletion, defragmentation, swapping
- when a user deletes files, the data typically remains behind
- deleted files are therefore another source of latent data to be examined during forensic analysis

Places where a forensic computer examiner might look to determine what websites have been recently visited by a user
- internet cache, cookies, internet history
- a history file can be located and read with a forensic software package
- also examine bookmarks and favourite places

IP addresses
- take the form ###.###.###.###, where each number can vary from 0-255
- IP addresses provide the means by which data can be routed to the appropriate location, and they also provide the means by which most internet investigations are conducted

Investigation of internet communications
- an investigator tracking the origin of an email seeks out the sender's IP address in the email header
- chat and instant messages are located in a computer's RAM
- tracking the origin of unauthorized computer intrusions, or hacking, requires investigating a computer's log files, RAM and network traffic

Firewall
- a device designed to protect against intrusions into a computer network

Preferred method for preserving data on a mobile device
- leaving the mobile device running but placing it in something that will block its communication

Information present on a cell phone
- carrier, photos and video, call logs, social media, text logs

Where should one look for latent data?
- Latent data is found in the combined remaining information content on the computer from deleted files in unallocated space, swap files, print spooler files, memory dumps, the slack space of existing files and temporary cache.
Which of the following is the best definition of latent data?
- Latent data is retained until the disk space it occupies is allocated for another use, and may be identified using forensic image acquisition software.

What is the first thing a crime scene investigator should do when encountering computer forensic evidence?
- a. Unplug every device from the CPU to preserve the hard disk drive.

Which is one of the most common places to begin searching for evidential data?
- One of the most common places to begin to look for evidential data is in the word processing or text-based document files.