A computer forensic investigator would most likely look for latent data in temporary files.

what does computer forensics involve 

the preservation, acquisition, extraction, and interpretation of computer data

the basis of computer forensics

comprises the physical and tangible components of the computer; programs and applications carry out a set of instructions on the hardware

is a set of instructions compiled into a program that performs a particular task 

the main circuit board contained within a computer (or other electronic device)

contained on the motherboard, the system bus is a vast, complex network of wires that serves to carry data from one hardware device to another

ROM chips store programs called firmware, used to start the boot process and configure a computer's components

Random Access Memory (RAM)

-serves to take the burden off the computer's processor and hard disk drive
-the computer, aware that it may need certain data at a moment's notice, stores the data in RAM
-referred to as volatile memory because it is not permanent: its contents undergo constant change and are lost once power is taken away from the computer

central processing unit (CPU)

aka the processor, is the brains of the computer

these devices are used to get data into the computer, e.g. keyboard, mouse, scanner

equipment through which data is obtained from the computer, e.g. monitor, printer, speakers

-typically the primary location of data storage within a computer
-different operating systems map out the HDD in different manners

Evidence locations and forms on HDD

evidence exists in many different locations and in numerous forms on a HDD
The type of evidence can be grouped into two: 1) visible data 2) latent data

after the partitioning and formatting processes are complete, the HDD will have a map of the layout of the defined space in that partition
-a file system such as FAT uses a File Allocation Table to keep track of the location of files and folders (data) on the HDD; NTFS keeps the same kind of map in its Master File Table (MFT)

Processing the Electronic Crime Scene

-need warrants, documentation, good investigation techniques
-at this point, a decision must be made as to whether a live acquisition of the data is necessary

factors that influence shutdown vs. pulling the plug decision

ex. if full-disk encryption is in use, pulling the plug leaves the data encrypted at rest, unreadable without the password or key (the key that was held in memory while the machine ran is gone), therefore pulling the plug would not be prudent
-if crucial evidential data exists in RAM and has not been saved to the HDD, it will be lost when power to the system is discontinued, so another option (a live acquisition of memory) must be considered
-regardless, the equipment will most likely be seized

forensic image acquisition

-once items have been seized, data needs to be obtained for analysis
-throughout the entire process, the examiner must adopt the method that is least intrusive
-the goal when obtaining data from a HDD is to do so without altering even one bit of data
-because booting a HDD to its operating system changes many files and could destroy data, data is obtained by removing the HDD from the system and placing it in a lab forensic computer (behind a hardware write blocker, which physically prevents writes) so that a forensic image can be created
-in cases of specialized equipment or systems, the image of the HDD must be obtained utilizing the seized computer
-the examiner needs to be able to prove that the forensic image they obtained includes every bit of data and caused no changes (writes) to the HDD

-this fingerprint is produced with Message Digest 5 (MD5), a Secure Hash Algorithm (SHA-1 or SHA-256) or a similar validated algorithm
-before imaging the drive, the algorithm is run over the drive's contents and produces a fixed-length hexadecimal string (32 characters for MD5, 40 for SHA-1, 64 for SHA-256)
-it is then run against the resulting forensic image; if nothing changed, the same string is produced, demonstrating that the image is all-inclusive of the original contents and that nothing was altered in the process
-MD5 is no longer collision-resistant, so current practice is to record a SHA-2 hash (often alongside MD5) rather than rely on MD5 alone
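The hash-before, hash-after check described above, as an added example that is not part of the original notes. The "drive" is a constructed byte string standing in for the raw sectors of a seized disk (no real device is read), and the one-bit corruption at the end shows why a single stray write breaks the verification.

```python
# Added example (not from the original notes): verifying a forensic image
# with cryptographic hashes. "source_drive" is a constructed byte string that
# stands in for the raw sectors of a seized disk; no real device is read.
import hashlib

SECTOR = 512

# Constructed sample "drive": four sectors of made-up content.
source_drive = (
    b"MBR-and-partition-table".ljust(SECTOR, b"\x00")
    + b"Dear Bob, the wire transfer went through.".ljust(SECTOR, b"\x00")
    + b"deleted-file-remnant".ljust(SECTOR, b"\xff")
    + b"\x00" * SECTOR
)


def fingerprint(data: bytes) -> dict:
    """Hex digests of the raw bytes using the algorithms the notes mention.

    Digest length in hex characters: MD5 32, SHA-1 40, SHA-256 64.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def acquire_image(drive: bytes) -> bytes:
    """Bit-for-bit copy of the source. A real acquisition reads the device
    sector by sector behind a write blocker; here it is simply a byte copy."""
    return bytes(drive)


def verify_image(drive: bytes, image: bytes) -> dict:
    """Hash the source, hash the image, and report whether every algorithm agrees."""
    before = fingerprint(drive)
    after = fingerprint(image)
    return {"match": before == after, "before": before, "after": after}


def flip_one_bit(data: bytes, byte_index: int) -> bytes:
    """Corrupt a copy by flipping the lowest bit of one byte (simulates a single stray write)."""
    buf = bytearray(data)
    buf[byte_index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    good = verify_image(source_drive, acquire_image(source_drive))
    print("clean image matches:", good["match"])
    bad = verify_image(source_drive, flip_one_bit(acquire_image(source_drive), 600))
    print("one-bit change matches:", bad["match"])
    for name, hexdigest in good["before"].items():
        print(f"{name}: {hexdigest} ({len(hexdigest)} hex chars)")
```

All three digests are recorded so that an examiner who later needs to defend the image is not relying on MD5 alone; a mismatch on any one of them means the image cannot be presented as a true copy.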

data which the operating system is aware of, this data is easily accessible to the user. ex. word processing documents, spreadsheets, pictures

created by programs as a sort of backup on the fly; these can also prove valuable as evidence

data in the swap space (utilized to conserve the valuable RAM within the computer system) can yield evidentiary data

data that has been deleted or partially overwritten; it is present in areas of files and disks not known to the user or operating system. ex.: slack space, unallocated space, swap space

where can latent data exist

in both RAM slack and file slack

the area from the end of the logical file to the end of the sector

the remaining area from the end of the final sector containing data to the end of the cluster
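The two slack regions defined above, worked through on one constructed cluster as an added example (not part of the original notes). The sector size (512 bytes), cluster size (4096 bytes) and the cluster contents are assumptions chosen for illustration; the example also shows a modern operating system zero-filling the tail of the last sector, so that recoverable remnants end up in the file slack rather than the RAM slack.

```python
# Added example (not from the original notes): locating RAM slack and file
# slack inside one constructed cluster. Sector/cluster sizes and the cluster
# contents are assumptions chosen for illustration.
SECTOR = 512
CLUSTER = 4096  # 8 sectors per cluster


def slack_regions(file_size: int, sector: int = SECTOR, cluster: int = CLUSTER) -> dict:
    """Byte offsets [start, end) of the slack areas for a file that fits in one cluster.

    RAM slack:  end of the logical file -> end of the last sector written.
    File slack: end of that sector      -> end of the cluster.
    """
    if not 0 < file_size <= cluster:
        raise ValueError("example handles a file that fits in a single cluster")
    last_sector_end = -(-file_size // sector) * sector  # round up to the sector boundary
    return {
        "ram_slack": (file_size, last_sector_end),
        "file_slack": (last_sector_end, cluster),
    }


def build_cluster(old_contents: bytes, new_file: bytes) -> bytes:
    """Simulate reuse of a cluster that previously held a (now deleted) file.

    The new file overwrites only as far as it extends. The OS pads the rest of
    the last sector it writes with zeros, but the sectors after that are never
    touched, so the old file's bytes survive in the file slack.
    """
    cluster = bytearray(old_contents.ljust(CLUSTER, b"\x00")[:CLUSTER])
    regions = slack_regions(len(new_file))
    cluster[: len(new_file)] = new_file
    start, end = regions["ram_slack"]
    cluster[start:end] = b"\x00" * (end - start)
    return bytes(cluster)


def carve_slack(cluster: bytes, file_size: int) -> dict:
    """Return the raw bytes of each slack region for a file of file_size bytes."""
    return {name: cluster[a:b] for name, (a, b) in slack_regions(file_size).items()}


# Constructed data: a deleted confidential memo used to occupy this cluster;
# a 1000-byte shopping list was later written over the start of it.
old_memo = b"CONFIDENTIAL: merger closes Friday. " * 200
new_file = (b"shopping list: eggs, milk\n" * 40)[:1000]
sample_cluster = build_cluster(old_memo, new_file)

if __name__ == "__main__":
    for name, (a, b) in slack_regions(len(new_file)).items():
        print(f"{name}: bytes {a}-{b} ({b - a} bytes)")
    slack = carve_slack(sample_cluster, len(new_file))
    print("RAM slack is zero-filled:", slack["ram_slack"] == b"\x00" * len(slack["ram_slack"]))
    print("file slack holds old data:", b"merger closes Friday" in slack["file_slack"])
```

A 1000-byte file ends 24 bytes short of its second sector (RAM slack, 1000-1024) and leaves the remaining six sectors of the cluster (file slack, 1024-4096) exactly as they were, which is where the deleted memo is still readable.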

how can data be orphaned in latent areas

the constant shuffling of data through deletion, defragmentation and swapping
-when a user deletes files, the data typically remains behind (only the file system's pointer to it is removed) until the space is reused
-deleted files are therefore another source of latent data to be examined during forensic analysis
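Because a deleted file's bytes stay in unallocated space until overwritten, they can be recovered even without a file system entry by searching for the file type's signature. The following is an added example (not from the original notes) that carves a JPEG out of a constructed blob of unallocated space; the filler bytes, the embedded image and the partially overwritten second image are all made up for the illustration.

```python
# Added example (not from the original notes): carving a "deleted" JPEG out of
# a constructed blob of unallocated space by its file signature. The unallocated
# bytes, the embedded file and the surrounding junk are all made up here.
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker, followed by an APPn marker byte
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(unallocated: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, bytes) for every header-to-trailer span that looks like a JPEG.

    Contiguous carving only: a file whose clusters were scattered would be cut
    at its first gap, and a header with no trailer (tail overwritten) is skipped.
    """
    found = []
    pos = 0
    while True:
        start = unallocated.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = unallocated.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            pos = start + 1          # no usable trailer: move past this header
            continue
        end += len(JPEG_EOI)
        found.append((start, unallocated[start:end]))
        pos = end
    return found


# Constructed unallocated region: zero filler, remnants of an old log file,
# a complete fake JPEG, random-looking filler, and the head of a second JPEG
# whose tail has been overwritten (so it cannot be carved).
fake_jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + JPEG_EOI
truncated_jpeg = JPEG_SOI + b"\xe1" + b"\x22" * 30
unallocated_space = (
    b"\x00" * 300
    + b"old log line\n" * 20
    + fake_jpeg
    + b"\xab" * 500
    + truncated_jpeg
)

if __name__ == "__main__":
    for offset, blob in carve_jpegs(unallocated_space):
        print(f"JPEG at offset {offset}, {len(blob)} bytes")
```

Signature carving recovers the data but not its metadata: the original file name, path and timestamps lived in the directory entry that was freed on deletion, so they must come from elsewhere (for example the file system's own records or the application that created the file).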

places where a forensic computer examiner might look to determine what websites have recently been visited by a user

internet cache, cookies, internet history
-a history file can be located and read with a forensic software package
-also examine bookmarks and favourite places

IPv4 addresses take the form ###.###.###.###, four numbers each ranging from 0-255
-IP addresses provide the means by which data can be routed to the appropriate location, and they also provide the means by which most internet investigations are conducted

investigation of internet communications

-an investigator tracking the origin of an email seeks out the sender's IP address in the email header (the Received: lines added by each mail server the message passed through)
-chat and instant messages are located in a computer's RAM, so they are lost if power is removed before a live acquisition
-tracking the origin of unauthorized computer intrusions, or hacking, requires investigating a computer's log files, RAM and network traffic
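Reading the sender's IP address out of the headers, as an added example that is not part of the original notes. The message below is constructed and its host names and addresses are invented (documentation ranges); the octet check implements the 0-255 rule stated above, and the hop ordering reflects the fact that each mail server prepends its own Received: line, so the bottom-most line is the one closest to the sender.

```python
# Added example (not from the original notes): pulling the originating IPv4
# address out of an e-mail's Received: headers. The message is constructed;
# the host names and addresses in it are invented.
import re
from email import message_from_string

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"          # one number, 0-255, no leading zeros
IPV4_RE = re.compile(rf"\b({OCTET}(?:\.{OCTET}){{3}})\b")  # four octets separated by dots


def is_ipv4(text: str) -> bool:
    """Dotted-quad check with each octet in 0-255."""
    return IPV4_RE.fullmatch(text) is not None


def received_ips(raw_message: str) -> list:
    """IPv4 addresses from the Received: headers, ordered from the origin outward.

    Mail servers prepend Received: headers, so the bottom-most one is closest
    to the sender. Only the hops added by servers you trust are reliable; any
    Received: line below the first trusted hop could have been forged by the
    sender, which is why the result is a chain rather than a single answer.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        for ip in IPV4_RE.findall(header):
            if ip not in hops:
                hops.append(ip)
    return hops


def origin_ip(raw_message: str):
    """The address at the bottom of the chain, or None if no Received: header carries one."""
    hops = received_ips(raw_message)
    return hops[0] if hops else None


# Constructed sample message: two hops, the lower one being the submitting client.
sample_email = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby mail.victim.example (Postfix) with ESMTPS id 4F2A1
\tfor <bob@victim.example>; Mon, 1 Jan 2024 10:05:00 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.net (Postfix) with ESMTPA id 9C3B0;
\tMon, 1 Jan 2024 10:04:55 +0000
From: alice@example.net
To: bob@victim.example
Subject: invoice

please see attached
"""

if __name__ == "__main__":
    print("hops from origin:", received_ips(sample_email))
    print("origin:", origin_ip(sample_email))
```

The From: line is not used at all: it is set by the sender and proves nothing, whereas the Received: line written by the investigator's own mail server (the top one here) records the address that actually connected to it.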

a device designed to protect against intrusions into a computer network

preferred method for preserving data on a mobile device

leaving a mobile device running but placing it in something that will block its communication (for example a Faraday bag), so it cannot be remotely wiped or receive new data while it remains unlocked

information present on a cell phone

carrier, photos and video, call logs, social media, text logs

Where should one look for latent data?

Latent data is found in the combined remaining information content on the computer from deleted files in unallocated space, swap files, print spooler files, memory dumps, the slack space of existing files and temporary cache.

Which of the following is the best definition of latent data?

Latent data is data that is retained until the disk space it occupies is allocated for another use; it may be identified using forensic image acquisition software.

What is the first thing a crime scene investigator should do when encountering computer forensic evidence?

Consistent with the crime-scene notes above: secure the proper warrants, document the scene, and decide whether a live acquisition is necessary before any power is removed. Simply unplugging every device from the CPU to preserve the hard disk drive risks losing the contents of RAM and locking encrypted volumes.

Which is one of the most common places to begin searching for evidential data?

One of the most common places to begin looking for evidential data is in word processing or text-based document files.