Introduction

What is digital forensics

Process of collecting, analyzing and preserving digital evidence.
DFIR is digital forensics and incident response

Digital Forensic Process

Consists of three steps: Acquisition, analysis and reporting
Acquisition can be broken down into: identification, preservation and collection.

Identification - identify potential sources of evidence, key custodians and locations of data.
Preservation - the process of preserving relevant electronically stored information. Document all relevant information about evidence and how it was acquired.
Collection - collecting digital information that may be relevant to the investigation. Can include removing electronic devices from the scene, imaging , copying or printing out its content.
Analysis - in-depth systematic search of evidence relating to the incident. The outputs are data objects found in the collected information.
Reporting - reports are based on proven techniques and methodology and other competent forensic examiners should beagle to duplicate and reproduce the same results.

Fundamentals

Data representation

Binary

Represented with 1’s and 0’s.
This represented the flow of electricity in computing devices
Boolean
One bit - single binary value
One byte - contains 8 bits
Large files can contain several thousand bytes

Base64

Reversable encoding algorithm
This can change things into a text string. Which can be reversed to retrieve its original data

Hexadecimal

AKA - hex, base16
Uses 0-15 and uses 0-9 numbers then 10-15 is represented by the letters A-F

Octal

Uses numbers 0-7

ASCII

ASCII is the american standard code for information interchange.
UNIX and DOS-based operating systems use ASCII for text files.
Windows NT and 2000 use unicode.

Hard Disk Drive Basics

Non-volatile memory hardware device
Commonly used as the main storage in a desktop computer or laptop
Usually connected to motherboard or in an external caddy
Platters are the circular disks where magnetic data is stored in a hard disk drive
A sector is a subdivision of a track on a magnetic disk.
Each sector stores 512 bytes, newer ones can store 4096 - byte sectors
A cluster is a group of sectors
Slack Space is the leftover storage which exists on a computer's hard disk
Slackspace can contain remains of deleted files.

SSD

New generation storage device
Data is written to pages and once there's enough, it's written to a block on the drive
Garbage collection is a process used by SSDs to optimize space and improve efficiency
The goal of garbage collection is to keep as many blocks as possible
The controller looks for deleted or modified sata and moves the used pages to a new block.; It then erases the old block removing the deleted/unused data.
If you collect an SSD it has to be removed immediately to stop garbage collection. Either perform a hard shutdown or remove the cable from the physical drive
Moving files to the recycling bin does not delete them. It tells the OS that these files are ok to be overwritten.
Trim is similar to garbage collection, where it selects data and clears it
The same precautions should be taken as dealing with garbage collection
Wear levelling is a technique that some SSDs utilize to increase the lifetime of the memory.
They distribute writing on all block of an SSD so they wear evenly
A blocks receive the same number of writes to avoid writing too often

File Systems

Set of data types which are for

Data storage
Hierarchical categorization
Data management
File navigation
Accessing the data
Recovery of data

FAT16

Original filesystem for DOS and Windows 3
Very small partitions

FAT32

First introduced in win98
Uses 32 bits for data identifying
Compatible with a huge variety of devices
Cross compatible with almost all OS’s release after 1995
Can only work with files less than 4GB
Only works with partitions less than 8TB
No data protection in case of power loss
No built in file compression features
Not designed to be secure

NTFS

Proprietary journaling file system developed by microsoft
Improved support for meta data and advanced data structures
Supported by other OS like linux

EXT3/4

These are divided into userspace, kernel space and disk space.
Ext3 is commonly used by linux kernel
Uses journaling (keeping track of changes in the filesystem.
EXT4 - max volume size of data is 1exbibyte
Maximum 56 byte filename.

PreviousReport Writing NextDigital Evidence and Handling

Last updated 2 years ago

Introduction

What is digital forensics

Process of collecting, analyzing and preserving digital evidence.
DFIR is digital forensics and incident response

Digital Forensic Process

Consists of three steps: Acquisition, analysis and reporting
Acquisition can be broken down into: identification, preservation and collection.

Identification - identify potential sources of evidence, key custodians and locations of data.
Preservation - the process of preserving relevant electronically stored information. Document all relevant information about evidence and how it was acquired.
Collection - collecting digital information that may be relevant to the investigation. Can include removing electronic devices from the scene, imaging , copying or printing out its content.
Analysis - in-depth systematic search of evidence relating to the incident. The outputs are data objects found in the collected information.
Reporting - reports are based on proven techniques and methodology and other competent forensic examiners should beagle to duplicate and reproduce the same results.

Fundamentals

Data representation

Binary

Represented with 1’s and 0’s.
This represented the flow of electricity in computing devices
Boolean
One bit - single binary value
One byte - contains 8 bits
Large files can contain several thousand bytes

Base64

Reversable encoding algorithm
This can change things into a text string. Which can be reversed to retrieve its original data

Hexadecimal

AKA - hex, base16
Uses 0-15 and uses 0-9 numbers then 10-15 is represented by the letters A-F

Octal

Uses numbers 0-7

ASCII

ASCII is the american standard code for information interchange.
UNIX and DOS-based operating systems use ASCII for text files.
Windows NT and 2000 use unicode.

Hard Disk Drive Basics

Non-volatile memory hardware device
Commonly used as the main storage in a desktop computer or laptop
Usually connected to motherboard or in an external caddy
Platters are the circular disks where magnetic data is stored in a hard disk drive
A sector is a subdivision of a track on a magnetic disk.
Each sector stores 512 bytes, newer ones can store 4096 - byte sectors
A cluster is a group of sectors
Slack Space is the leftover storage which exists on a computer's hard disk
Slackspace can contain remains of deleted files.

SSD

New generation storage device
Data is written to pages and once there's enough, it's written to a block on the drive
Garbage collection is a process used by SSDs to optimize space and improve efficiency
The goal of garbage collection is to keep as many blocks as possible
The controller looks for deleted or modified sata and moves the used pages to a new block.; It then erases the old block removing the deleted/unused data.
If you collect an SSD it has to be removed immediately to stop garbage collection. Either perform a hard shutdown or remove the cable from the physical drive
Moving files to the recycling bin does not delete them. It tells the OS that these files are ok to be overwritten.
Trim is similar to garbage collection, where it selects data and clears it
The same precautions should be taken as dealing with garbage collection
Wear levelling is a technique that some SSDs utilize to increase the lifetime of the memory.
They distribute writing on all block of an SSD so they wear evenly
A blocks receive the same number of writes to avoid writing too often

File Systems

Set of data types which are for

Data storage
Hierarchical categorization
Data management
File navigation
Accessing the data
Recovery of data

FAT16

Original filesystem for DOS and Windows 3
Very small partitions

FAT32

First introduced in win98
Uses 32 bits for data identifying
Compatible with a huge variety of devices
Cross compatible with almost all OS’s release after 1995
Can only work with files less than 4GB
Only works with partitions less than 8TB
No data protection in case of power loss
No built in file compression features
Not designed to be secure

NTFS

Proprietary journaling file system developed by microsoft
Improved support for meta data and advanced data structures
Supported by other OS like linux

EXT3/4

These are divided into userspace, kernel space and disk space.
Ext3 is commonly used by linux kernel
Uses journaling (keeping track of changes in the filesystem.
EXT4 - max volume size of data is 1exbibyte
Maximum 56 byte filename.

PreviousReport Writing NextDigital Evidence and Handling

Last updated 2 years ago