1. Computer Forensic Incidents - Afzal
1.1. What is computer forensics: the gathering of digital evidence in a manner that keeps it untainted and authentic, so that it is admissible in a court of law.
1.1.1. What is the legal system: the different laws and criminal cases in digital forensics, treated as case studies, together with the relevant sections and acts for each.
1.1.1.1. Criminal incidents such as identity theft, online auction fraud, child pornography, network intrusions, etc.
1.1.1.1.1. Computer frauds. Fraud can be internal or external. Internal fraud is committed inside a company by internal users misusing company resources. External fraud is committed by outsiders, mostly hackers, for financial gain, e.g. denial of service, intrusions, etc.
2. OS / Disk Storage Concepts - Hari
2.1. CHS: Cylinders, Heads and Sectors; LBA: Logical Block Addressing. A cluster is the minimum unit the OS uses to store information (a file holding only 1 byte still occupies a whole 4096-byte cluster).
2.1.1. Master Boot Record: the initial disk sector, consisting of (1) the master bootstrap loader code (466 bytes), (2) four partition records, and (3) the hexadecimal signature 55AA, which completes a valid MBR. The FAT / MFT are master file indexes storing information about the disk's directory structure and which clusters are in use.
2.1.2. When a file is deleted, the OS rewrites the file's entry in the file index to mark its clusters as freed. The data remains on the disk until it is overwritten. Slack space is where many deleted files may reside and be recovered as evidence.
2.1.3. File management concepts are important for forensics. Binary uses 0s and 1s (1 is on, 0 is off); the basic unit of binary information is the bit; the basic unit of memory is the byte; the location of a byte is its memory address.
2.1.4. 1 byte = 8 bits; 1 KB = 1024 bytes; 1 MB = 1000 KB; 1 GB = 1000 MB; 1 TB = 1000 GB; 1 PB (petabyte) = 1000 TB; 1 EB (exabyte) = 1000 TB; 1 ZB (zettabyte) = 1000 EB
2.1.5. A format is the set of rules an application follows when saving a file; Quick View Plus, Outside In, ACDSee etc. allow direct access to various file formats.
2.2. DOS was the first operating system used on early IBM PCs; the use of disks is an inherent part of it, and it uses the File Allocation Table (FAT) file system. The last standalone version is MS-DOS 6.22; MS-DOS 7.0 runs underneath the first Windows 95 version, while 7.1 or later underlies Windows versions from the Windows 95 OEM Service Release onwards. MS-DOS 7.1 supports VFAT and FAT32. The New Technology File System (NTFS) was brought in to avoid crippling Windows NT and is not based on FAT; NTFS shares the stage with UNIX and Linux. Files contain any information, code or data, including program files. Directories are a special kind of file that contain a list of file names, and can be nested.
2.2.1. Each track is broken into smaller units called sectors; each sector holds 512 bytes of user data. A hard disk is made up of multiple platters; each platter uses two heads to record and read data, one for the top surface and one for the bottom. Instead of a track number, a cylinder number is referred to: a cylinder is the set of all tracks over which all the heads are currently positioned.
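As an added example (not part of these notes), the Python below builds a constructed 512-byte MBR and parses it the way 2.1 and 2.1.1 describe: it checks the 55AA signature at the end of the sector, decodes the four 16-byte partition records including their packed CHS and LBA fields, and computes the file slack left in a 4096-byte cluster (2.1, 2.1.2). The partition-table offset of 446 and the 255-head / 63-sectors-per-track geometry used for the CHS-to-LBA cross-check are assumptions, not values taken from the notes.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"         # bytes 510-511; shows as 55AA in a hex viewer
PARTITION_TABLE_OFFSET = 446        # assumption: 4 x 16-byte records follow the bootstrap code
HEADS, SECTORS_PER_TRACK = 255, 63  # assumed drive geometry for the CHS cross-check

def decode_chs(raw: bytes) -> tuple:
    """Unpack a packed 3-byte CHS field into (cylinder, head, sector)."""
    head = raw[0]
    sector = raw[1] & 0x3F                        # low 6 bits of byte 1
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]    # high 2 bits of byte 1 + byte 2 = 10 bits
    return cylinder, head, sector

def chs_to_lba(chs: tuple) -> int:
    """LBA = (C * heads + H) * sectors_per_track + (S - 1); sectors are numbered from 1."""
    c, h, s = chs
    return (c * HEADS + h) * SECTORS_PER_TRACK + (s - 1)

def file_slack(file_size: int, cluster_size: int = 4096) -> int:
    """Bytes left unused in the file's last cluster; residual data can survive there."""
    return (-file_size) % cluster_size

def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR: verify the 55AA signature and decode the partition records."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue                                  # unused record
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "chs_start": decode_chs(chs_start), "chs_end": decode_chs(chs_end),
            "lba_start": lba_start, "sectors": count, "size_bytes": count * SECTOR_SIZE,
        })
    return {"valid_signature": sector[510:512] == MBR_SIGNATURE, "partitions": partitions}

def build_sample_mbr() -> bytes:
    """Constructed sample MBR: one bootable FAT32 (type 0x0C) partition at LBA 2048, 65536 sectors."""
    bootstrap = b"\xEB\xFE" + b"\x00" * 444          # 'jmp $' then zero padding to 446 bytes
    record = struct.pack("<B3sB3sII", 0x80, bytes([0x20, 0x21, 0x00]), 0x0C,
                         bytes([0xFE, 0xFF, 0xFF]), 2048, 65536)
    return bootstrap + record + b"\x00" * 48 + MBR_SIGNATURE

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print(info["valid_signature"], info["partitions"])
```

The CHS end value (1023, 254, 63) is the conventional marker for a partition extending beyond what 10-bit cylinders can address, which is why the LBA fields are the ones to trust on any disk larger than about 8 GB.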
3. Digital Acquisition and analysis tools - Maddy
3.1. Goal - Protect & Preserve the evidence to ensure authenticity & integrity
3.2. Definitions
3.2.1. Acquisition: the process of extracting digital evidence by following properly laid-out procedures.
3.2.2. Copy: an exact replica of the digital evidence. Only the contents are replicated, not the attributes.
3.2.3. Duplicate: an accurate digital reproduction of all the data in the electronic storage, including both content and attributes.
3.2.3.1. Document everything, take macro photographs, and ensure the target media is sterile and at least the same size as the evidence media.
3.2.3.1.1. Authenticate
3.2.3.2. Ensure the original evidence media is write blocked
3.3. Authentication Methods : Digital Fingerprints
3.3.1. Hashing : CRC32, SHA1, MD5, SHA2
4. Digital Evidence Protocol - Abhishek
4.1. Rules of Evidence
4.1.1. (1) Digital information can be recovered, including deleted files
4.1.2. (2) The expert must be allowed to retrieve the recoverable files
4.1.3. (3) A duplicate of digital evidence is admissible as long as someone knowledgeable can authenticate it
4.2. Different types of Data Files
4.2.1. (a) Active Data: readily available, e.g. Word documents, spreadsheets, web pages
4.2.2. (b) Archival Data: files that have been sent to storage because the data is not used frequently
4.2.3. (c) Backup Data: copied to a safe area to ensure recovery in case of system failure
4.2.4. (d) Residual Data: not visible to the end user but recoverable from digital media
4.2.4.1. (1) Free Space
4.2.4.2. (2) File Slack
4.2.4.3. (3) RAM Slack
4.2.4.4. (4) Swap Files
4.2.4.5. (5) Temp Files
4.2.4.6. (6) Unallocated Space
4.2.5. (e) Metadata: data points such as date, time, author and other relevant details about the document and its author
4.2.6. (f) Electronic Mail
4.2.7. (g) Background Data: such as audit trails, system logs, ACL records