Legal framework: the laws, criminal cases and the statutory sections and acts that apply to digital forensics, studied case by case. Criminal incidents include identity theft, online auction fraud, child pornography, network intrusions and computer fraud. Frauds are internal or external: internal fraud is committed inside a company by its own users misusing company resources; external fraud is committed by outsiders, mostly attackers seeking financial gain, e.g. denial of service and intrusions. Investigation challenges: ever-growing disk capacity; more gigabytes mean longer overall acquisition and analysis time.
Master Boot Record - the first sector of the disk (512 bytes) consists of 1. the master bootstrap loader code (446 bytes); 2. four 16-byte partition records (64 bytes); 3. the two-byte hexadecimal signature 55AA, which completes a valid MBR. The FAT (File Allocation Table, on FAT volumes) and the MFT (Master File Table, on NTFS) are the master file indexes storing the disk's directory structure and which clusters each file uses.
When a file is deleted, the OS only rewrites the file index entry to mark the file's clusters as free. The data remains on the disk until those clusters are rewritten, so deleted files sit in unallocated space, and fragments of earlier files also survive in slack space; both can be recovered as evidence.
File management concepts matter for forensics. Data is stored as 0s and 1s (1 is on, 0 is off); the basic unit of binary information is the bit; the basic unit of memory is the byte; the location of a byte is its memory address.
1 byte = 8 bits; 1 KB = 1024 bytes (binary units; disk vendors count in decimal, 1 KB = 1000 bytes); 1 MB = 1000 KB; 1 GB = 1000 MB; 1 TB = 1000 GB; 1 PB (petabyte) = 1000 TB; 1 EB (exabyte) = 1000 PB; 1 ZB (zettabyte) = 1000 EB.
A file format is the set of rules an application follows when saving a file; viewers such as Quick View Plus, Outside In and ACDSee give direct access to various file formats without the originating application.
Each track is divided into smaller units called sectors; each sector traditionally holds 512 bytes of user data (Advanced Format disks use 4096-byte physical sectors). A hard disk is made up of multiple platters; each platter has two heads, one for the top surface and one for the bottom. Because all heads move together, a position is referred to by cylinder number rather than track number: a cylinder is the set of all tracks, one per head, that the heads are currently positioned over.
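The MBR layout and the cylinder/head/sector geometry above, worked through in code. This is an added example, not part of the original notes: the sample MBR is constructed in the script, the partition values are made up, and the 255-head / 63-sector geometry used to pack the CHS fields is an assumption (the usual legacy value).

```python
"""Parse a classic MBR: 446 bytes of boot code, four 16-byte partition
entries, then the 55 AA signature. Added example; the sample MBR is
constructed here, and the 255-head / 63-sector geometry used to pack
the CHS fields is an assumption (it is the usual legacy value)."""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap loader occupies bytes 0..445
PART_TABLE_OFF = 446       # four 16-byte partition entries follow (64 bytes)
SIGNATURE_OFF = 510        # bytes 510..511 must be 55 AA
HEADS_PER_CYL = 255        # assumed legacy geometry for CHS <-> LBA
SECTORS_PER_TRACK = 63


def chs_to_lba(c, h, s, hpc=HEADS_PER_CYL, spt=SECTORS_PER_TRACK):
    """LBA = (C * heads_per_cylinder + H) * sectors_per_track + (S - 1);
    sector numbers start at 1, hence the -1."""
    return (c * hpc + h) * spt + (s - 1)


def lba_to_chs(lba, hpc=HEADS_PER_CYL, spt=SECTORS_PER_TRACK):
    """Inverse of chs_to_lba; cylinders beyond 1023 do not fit the 10-bit
    field, so tools write the saturated value (1023, 254, 63)."""
    c, rem = divmod(lba, hpc * spt)
    h, s0 = divmod(rem, spt)
    return (1023, 254, 63) if c > 1023 else (c, h, s0 + 1)


def pack_chs(c, h, s):
    """3-byte on-disk CHS: head; sector (6 bits) | cylinder high 2 bits; cylinder low byte."""
    return bytes([h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])


def unpack_chs(b):
    return (((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F)


def partition_entry(bootable, ptype, lba_start, num_sectors):
    status = 0x80 if bootable else 0x00
    chs_start = pack_chs(*lba_to_chs(lba_start))
    chs_end = pack_chs(*lba_to_chs(lba_start + num_sectors - 1))
    return struct.pack("<B3sB3sII", status, chs_start, ptype, chs_end,
                       lba_start, num_sectors)


def build_sample_mbr():
    """Constructed sample: an NTFS (0x07) boot partition at LBA 2048 and a
    Linux (0x83) partition after it; all values are made up."""
    boot_code = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_LEN - 2)   # jmp $ + NOP padding
    table = (partition_entry(True, 0x07, 2048, 204800)
             + partition_entry(False, 0x83, 206848, 102400)
             + b"\x00" * 32)                                   # two empty slots
    return boot_code + table + b"\x55\xAA"


def is_valid_mbr(sector0):
    return len(sector0) == SECTOR_SIZE and sector0[SIGNATURE_OFF:] == b"\x55\xAA"


def parse_mbr(sector0):
    """Return the non-empty partition entries; raises if the signature is missing."""
    if not is_valid_mbr(sector0):
        raise ValueError("not a 512-byte sector ending in 55 AA")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, chs_s, ptype, chs_e, lba, n = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype == 0:
            continue                       # unused slot
        c, h, s = unpack_chs(chs_s)
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                 # 0xEE here would mean a GPT protective MBR
            "lba_start": lba,
            "sectors": n,
            "chs_start": (c, h, s),
            # a CHS/LBA disagreement is worth noting in the examination report
            "chs_matches_lba": chs_to_lba(c, h, s) == lba,
        })
    return parts


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(p)
```

Run it against a real first sector by replacing `build_sample_mbr()` with the first 512 bytes read from an image (through a write blocker when the source is original media). A partition type of 0xEE means the disk is GPT and the real partition table lives in the sectors that follow.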
Acquisition : The process of extracting digital evidence by following properly laid-out procedures.
Copy : An exact replica of the digital evidence's contents. Only the contents are replicated, not the attributes (e.g. timestamps and ownership).
Duplicate : An accurate digital reproduction of all the data in the electronic storage, including both content and attributes.
(1) Document everything; take macro photographs
(2) Ensure the target media is sterile (wiped and verified) and at least of the same size as the evidence media
(3) Ensure the original evidence media is write-blocked
(4) Authenticate the duplicate (hash the original and the duplicate and compare; see Hashing)
(5) In lab || more controlled, more time; using specialized hardware or software-based duplicators: (a) FTK Imager: segmentation, no compression, in raw binary mode; (b) dd: command-line utility; (c) WinHex: no segmentation or compression in raw binary mode; (d) EnCase: supports segmentation and compression in raw binary mode
(6) On scene || less controlled, less time; using a hand-held disk duplicator, or network-based imaging using specialized software
Hashing : CRC32, SHA-1, MD5, SHA-2 (e.g. SHA-256). CRC32 is a checksum that only detects accidental corruption, not tampering; MD5 and SHA-1 have practical collision attacks, so record a SHA-2 digest alongside any legacy MD5/SHA-1 value.
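The software-based duplication and authentication steps above (segmented raw output with no compression, then hashing to prove the duplicate matches), worked through in code. This is an added example and not code from FTK Imager, dd, WinHex or EnCase: the evidence "device" is a constructed in-memory byte string, and the segment naming (image.001, image.002, ...) is an assumption modelled on split raw images.

```python
"""Segmented raw (dd-style) duplication with one-pass hashing and later
verification. Added example; the device is constructed bytes and the
image.NNN segment names are an assumption."""
import hashlib
import io
import random
import zlib

READ_CHUNK = 64 * 1024                  # bytes per read from the device
ALGOS = ("md5", "sha1", "sha256")       # legacy digests plus a SHA-2 member


def build_sample_device(n_bytes=300000, seed=7):
    """Constructed stand-in for an evidence disk: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire_segmented(device, segment_size, base_name="image"):
    """Stream `device` (bytes, or a file-like object opened read-only, ideally
    behind a write blocker) into raw uncompressed segments. Returns
    (segments, manifest); the manifest records per-segment size and CRC32
    plus MD5/SHA-1/SHA-256 over the whole stream, computed in the same pass
    so the original is read exactly once."""
    if isinstance(device, (bytes, bytearray)):
        device = io.BytesIO(device)
    stream = {a: hashlib.new(a) for a in ALGOS}
    segments, buf, total = [], bytearray(), 0
    while True:
        chunk = device.read(READ_CHUNK)
        if not chunk:
            break
        total += len(chunk)
        for h in stream.values():
            h.update(chunk)
        buf += chunk
        while len(buf) >= segment_size:
            segments.append(bytes(buf[:segment_size]))
            del buf[:segment_size]
    if buf:
        segments.append(bytes(buf))
    entries = [{"name": f"{base_name}.{i:03d}", "size": len(seg),
                # CRC32 catches transfer/storage errors only; it proves nothing about tampering
                "crc32": f"{zlib.crc32(seg):08x}"}
               for i, seg in enumerate(segments, start=1)]
    manifest = {"total_bytes": total, "segments": entries,
                "stream": {a: h.hexdigest() for a, h in stream.items()}}
    return segments, manifest


def verify_segments(segments, manifest):
    """Re-hash the reassembled image and compare every recorded value.
    Returns (ok, list of mismatch descriptions)."""
    problems = []
    if len(segments) != len(manifest["segments"]):
        problems.append("segment count differs")
    stream = {a: hashlib.new(a) for a in ALGOS}
    for seg, rec in zip(segments, manifest["segments"]):
        if f"{zlib.crc32(seg):08x}" != rec["crc32"]:
            problems.append(f"CRC32 mismatch in {rec['name']}")
        for h in stream.values():
            h.update(seg)
    for a, h in stream.items():
        if h.hexdigest() != manifest["stream"][a]:
            problems.append(f"{a} mismatch for whole image")
    return (not problems), problems


def flip_byte(segments, seg_index, offset):
    """Simulate a corrupted or tampered segment; returns a new list."""
    seg = bytearray(segments[seg_index])
    seg[offset] ^= 0x01
    out = list(segments)
    out[seg_index] = bytes(seg)
    return out


if __name__ == "__main__":
    dev = build_sample_device()
    segs, man = acquire_segmented(dev, segment_size=128 * 1024)
    print(man["stream"]["sha256"], verify_segments(segs, man))
    print(verify_segments(flip_byte(segs, 1, 10), man))
```

For a real acquisition, `device` would be the block device opened read-only (e.g. `open("/dev/sdb", "rb")` behind a hardware write blocker) and the manifest would be written next to the segments and into the case notes; the hashes of the original media, taken the same way, are what the authentication step compares against.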
(1) Digital information can be recovered, including deleted files
(2) The expert must be allowed to retrieve the recoverable files
(3) A duplicate of digital evidence is admissible as long as someone knowledgeable can authenticate it
(a) Active Data || readily available, e.g. Word documents, spreadsheets, web pages
(b) Archival Data || files that have been sent to storage because the data is not used frequently
(c) Backup Data || copied to a safe area to ensure recovery in case of system failure
(d) Residual Data || not visible to the end user but recoverable from the digital media: (1) free space, (2) file slack, (3) RAM slack, (4) swap files, (5) temp files, (6) unallocated space
(e) Metadata || data points such as date, time, author and other relevant details about the document and its author
(f) Electronic Mail
(g) Background Data || such as audit trails, system logs, ACL records
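The residual data items above (file slack, RAM slack, unallocated space) and the earlier point that deletion only frees the index entry, worked through on a constructed volume. This is an added example, not part of the original notes: the 16 KiB "disk", its contents and the toy allocation bitmap (standing in for the FAT/MFT records) are all made up, and the 512-byte sector and 4096-byte cluster sizes are assumptions (common NTFS defaults).

```python
"""Where residual data lives: RAM slack (EOF to the end of its sector),
file slack (the remaining sectors of the last cluster) and deleted files
still sitting in unallocated clusters. Added example on a constructed
volume; sector/cluster sizes are assumptions."""
SECTOR = 512
CLUSTER = 4096                      # 8 sectors per cluster (assumed)


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Byte counts for a file of `file_size`: bytes allocated, RAM slack
    (EOF to the end of its sector) and file slack (unused whole sectors)."""
    if file_size == 0:
        return {"allocated": 0, "ram_slack": 0, "file_slack": 0}
    allocated = -(-file_size // cluster) * cluster      # round up to whole clusters
    ram_slack = (-file_size) % sector                   # pad to the sector boundary
    return {"allocated": allocated, "ram_slack": ram_slack,
            "file_slack": allocated - file_size - ram_slack}


def write_file(disk, cluster_no, data, sector=SECTOR, cluster=CLUSTER):
    """Model an OS writing one small file: the data, then the rest of the
    last written sector zero-filled (modern behaviour; old Windows leaked RAM
    contents here, hence the name RAM slack), and every later sector of the
    cluster left untouched."""
    assert len(data) <= cluster, "example models single-cluster files only"
    off = cluster_no * cluster
    end = off + len(data)
    disk[off:end] = data
    pad = (-len(data)) % sector
    disk[end:end + pad] = b"\x00" * pad


def file_slack(disk, cluster_no, file_size, sector=SECTOR, cluster=CLUSTER):
    """The bytes an examiner pulls as a file's slack: from the end of the
    RAM slack to the end of the cluster."""
    lay = slack_layout(file_size, sector, cluster)
    start = cluster_no * cluster + file_size + lay["ram_slack"]
    return bytes(disk[start:(cluster_no + 1) * cluster])


def ascii_strings(buf, min_len=6):
    """Minimal `strings`: runs of printable ASCII at least min_len long."""
    out, cur = [], bytearray()
    for b in buf:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def demo():
    disk = bytearray(4 * CLUSTER)                # 4-cluster volume, all zero
    allocated = [False] * 4                      # toy allocation bitmap

    # 1. A 3000-byte mail fragment (constructed) lives in cluster 1, then is
    #    deleted: only the allocation record changes, the bytes stay on disk.
    old_mail = b"OLD MAIL: move 40000 from acct 1234-5678 tonight. " * 60
    write_file(disk, 1, old_mail)
    allocated[1] = True
    allocated[1] = False                         # delete = free the cluster in the index

    # 2. Another deleted file in cluster 2 is never reused: fully recoverable
    #    from unallocated space.
    deleted_doc = b"DRAFT CONTRACT v2 " * 100
    write_file(disk, 2, deleted_doc)
    allocated[2] = False

    # 3. A new 1000-byte note reuses cluster 1, overwriting only sectors 0-1;
    #    the old mail survives in the file slack of the new note.
    new_note = b"N" * 1000
    write_file(disk, 1, new_note)
    allocated[1] = True

    lay = slack_layout(len(new_note))
    base = 1 * CLUSTER
    ram = bytes(disk[base + len(new_note):base + len(new_note) + lay["ram_slack"]])
    slack = file_slack(disk, 1, len(new_note))
    return {
        "layout": lay,
        "ram_slack_zeroed": ram == b"\x00" * lay["ram_slack"],
        "slack": slack,
        "slack_strings": ascii_strings(slack),
        "deleted_cluster_recovered":
            bytes(disk[2 * CLUSTER:2 * CLUSTER + len(deleted_doc)]) == deleted_doc,
        "unallocated_clusters": [i for i, a in enumerate(allocated) if not a],
    }


if __name__ == "__main__":
    r = demo()
    print(r["layout"], r["ram_slack_zeroed"], r["unallocated_clusters"])
    print(r["slack_strings"][0][:80])
```

The same arithmetic applies to a real image: allocated clusters come from the FAT or the MFT's $Bitmap and data runs, the logical file size from the directory entry or MFT record, and everything from the end of the RAM slack to the cluster boundary is file slack that a copy (as opposed to a duplicate) would never capture.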