Forensics Chapter 18: Computer Forensics

Hardware

Physical components of a computer
-case, keyboard, monitor, motherboard, RAM, HDD, mouse, and so on; generally speaking, if it is a computer component you can touch, it is ___.

IT investigations and data forensics a necessary component of a company's security program.

Moreover, on the corporate side, issues of regulatory compliance, such as HIPAA and Sarbanes-Oxley, and problems of employee misconduct have made...

Computer forensics

Involves the preservation, acquisition, extraction, analysis, and interpretation of computer data.

Cell phones, personal digital assistants (PDAs), iPods, digital cameras, flash memory cards, smart cards, jump drives, and many others.

More and more devices are capable of storing electronic data:

The personal computer

The most logical place to start to examine these practices is with the most common form of electronic data:

Software

A set of instructions compiled into a program that performs a particular task; ___ consists of programs and applications that carry out a set of instructions on the hardware.

Computer Case/Chassis

Physical box holding the fixed internal computer components in place.

Power Supply

Converts power from the wall outlet to a usable format for the computer and its components.

Motherboard

Main system board of a computer (and many other electronic devices), which delivers power, data, and instructions to the computer's components; every component in the computer connects to the ___ ___, either directly or indirectly.

Sockets

___ on the motherboard typically accept things like random access memory (RAM) or the central processing unit (CPU).

System Bus

Vast, complex network of wires that carry data from one hardware device to another located on the motherboard.

Binary computing

This network (system bus) is analogous to a complex highway. Data is sent along the bus in the form of ones and zeros (or, to be accurate, as electrical impulses representing an "on" or "off" state); this two-state form of data is known as ___ ___.

Firmware

ROM chips store programs called ___, used to start the boot process and configure a computer's components.

Complementary metal-oxide semiconductor (CMOS); Basic input-output system (BIOS)

This was a separate chip that allowed the user to exercise setup control over several system components. Regardless of how this technology is presented on the motherboard, it can be referred to as the ___.

Initiates the booting process and enables the computer to communicate with various devices in the system such as disk drives, keyboard, monitor, and printer.

The operation of the BIOS is relevant to several computer forensic procedures, particularly the boot sequence. It is the set of routines associated with the BIOS in ROM that...

Changes to the data, thus compromising the integrity of evidence.

It is important not to boot the actual computer under investigation to the original hard disk drive. This would cause...

Basic input-output system (BIOS)

The ___ allows investigators to control the boot process to some degree.

Read-only memory (ROM)

Special chips on the motherboard used to start the boot (start-up) process and configure a computer's components.

Central Processing Unit (CPU)

Main chip within the computer, also referred to as the "processor" or the "brain" of the computer, which handles most of the operations (i.e., code and instructions) of the computer. The part of the c

Random-access memory (RAM)

Volatile memory of a computer, where programs and instructions that are in use are stored. When the computer is turned off, its contents are lost.

Input Device

Used to get data into the computer or to give the computer instructions. ___ ___ are also part of the "user" side of the computer. Examples include the keyboard, mouse, joystick, and scanner.

Output Device

Equipment through which data is obtained from the computer. ___ ___ are also part of the "user" side of the computer, and provide the results of the user's tasks. They include the monitor, printer, and speakers.

Hard Disk Drive (HDD)

Typically the main storage location within the computer, which consists of magnetic platters contained in a case (usually 3.5" long in a desktop computer and 2.5" in a laptop) and is usually where the operating system, applications, and user data are stor

What happens when a person turns on a computer?

What does a forensic scientist need to do when they find a computer at a crime scene?

Perform a live acquisition of the data, perform a system shutdown, pull the plug, or some combination of these three.

Live and Dead

What are the states a computer can be found at a crime scene?

Operating systems (OS)

The software that provides the bridge between the system hardware and the user; it lets the user interact with the hardware and manages the file system and applications. Some examples are Windows (XP, Vista, and Windows 7), Linux, and Mac.

Partition

A contiguous set of blocks that are defined and treated as an independent disk. This means that a hard disk drive can hold several ___, making a single HDD appear as several disks.

Low-level formatting, partitioning, and formatting

A drive is prepared in 3 processes:

Low-level formatting

Typically done by the manufacturer, dividing the platters into tracks and sectors.

Partitioning

Accomplished through a utility such as fdisk or Disk Manager, defining a contiguous set of blocks.

Formatting

Initializing portions of the disk and creating the file system structure. The process of preparing a hard disk drive to store and retrieve data in its current form.

Sector

The smallest addressable unit of data by a hard disk drive; generally consists of 512 bytes.

Byte

A group of 8 bits

Bit

Short for "binary digit"; taking the form of either a one or a zero, it is the smallest unit of information on a machine.

Cluster

A group of sectors, always a power of two (1, 2, 4, 8, ... sectors); ___ size varies from file system to file system and is typically the minimum space allocated to a file.

File allocation table (FAT)

___ file systems use a ___ to track the location of files and folders (i.e., data) on the HDD, whereas NTFS file systems (used by most current Windows systems: XP, Vista, and Windows 7) use, among other things, a "master file table (MFT)".
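To make the "table that tracks file locations" concrete, here is an added example (not from the textbook or any forensic tool) that builds and parses FAT short-name directory entries. The 32-byte entry layout is the published FAT format; the file names, clusters, sizes and dates are constructed test data. The point of interest for an examiner is the deleted entry: deletion overwrites only the first byte of the name with 0xE5, so the starting cluster, size and timestamps are all still readable.

```python
import struct
from datetime import datetime
from typing import Dict, List

# 32-byte FAT short (8.3) directory entry, little-endian:
# name(8) ext(3) attr(1) ntres(1) crt_tenth(1) crt_time(2) crt_date(2)
# acc_date(2) first_cluster_hi(2) wrt_time(2) wrt_date(2) first_cluster_lo(2) size(4)
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
ATTR_LONG_NAME = 0x0F   # VFAT long-file-name entry, not a file record
DELETED_MARK = 0xE5     # first name byte after deletion; the other 31 bytes stay
END_OF_DIR = 0x00       # first name byte 0x00: no entries beyond this point


def fat_date(y: int, m: int, d: int) -> int:
    return ((y - 1980) << 9) | (m << 5) | d


def fat_time(h: int, mi: int, s: int) -> int:
    return (h << 11) | (mi << 5) | (s // 2)   # FAT stores seconds at 2-second resolution


def make_entry(name: str, ext: str, first_cluster: int, size: int,
               modified: datetime, deleted: bool = False) -> bytes:
    """Build one directory entry (constructed test data, not read from a real volume)."""
    raw_name = name.ljust(8).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]   # what rm/del actually changes
    return ENTRY.pack(
        raw_name, ext.ljust(3).encode("ascii"), 0x20, 0, 0, 0, 0, 0,
        first_cluster >> 16,
        fat_time(modified.hour, modified.minute, modified.second),
        fat_date(modified.year, modified.month, modified.day),
        first_cluster & 0xFFFF, size,
    )


def parse_directory(blob: bytes) -> List[Dict]:
    """Walk a directory cluster and return every short entry, deleted ones included."""
    out = []
    for off in range(0, len(blob) - ENTRY.size + 1, ENTRY.size):
        (name, ext, attr, _ntres, _tenth, _ctime, _cdate, _adate,
         clus_hi, wtime, wdate, clus_lo, size) = ENTRY.unpack_from(blob, off)
        if name[0] == END_OF_DIR:
            break
        if attr == ATTR_LONG_NAME:
            continue
        deleted = name[0] == DELETED_MARK
        # The first character is gone for a deleted file; show it as "?"
        base = ("?" if deleted else chr(name[0])) + name[1:].decode("ascii").rstrip()
        out.append({
            "name": base + "." + ext.decode("ascii").rstrip(),
            "deleted": deleted,
            "first_cluster": (clus_hi << 16) | clus_lo,   # where the data still sits
            "size": size,
            "modified": datetime(1980 + (wdate >> 9), (wdate >> 5) & 0xF, wdate & 0x1F,
                                 wtime >> 11, (wtime >> 5) & 0x3F, (wtime & 0x1F) * 2),
        })
    return out


# Constructed directory: one live file, one deleted file, then the end marker.
SAMPLE_DIR = (
    make_entry("REPORT", "DOC", 5, 12345, datetime(2011, 3, 14, 13, 37, 2))
    + make_entry("EVIDENCE", "JPG", 9, 204800, datetime(2011, 3, 14, 9, 15, 0), deleted=True)
    + bytes(ENTRY.size)
)

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        print(entry)
```

The deleted entry's first cluster and size are exactly what a recovery tool needs to carve the file back out, as long as the clusters have not been reused since.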

Write-blocked

The examiner must ensure that the drive to be analyzed is in a ___-___, or read-only, state when creating the forensic image.

Message Digest 5 (MD5)/ Secure Hash Algorithm (SHA)

A software algorithm used to "fingerprint" a file or contents of a disk; used to verify that an acquired image of suspect data was not altered during the process of imaging.

Forensic image

Therefore, a ___ ___--one that copies every single bit of information on the drive-- is necessary.

EnCase, Forensic Toolkit (FTK), Forensic Autopsy (Linux-based freeware), and SMART (Linux-based software by ASR Data)

The most popular software forensic tools--___--all include a method for obtaining a forensic image.
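The three cards above (write-blocked source, hash fingerprint, bit-for-bit image) describe one procedure, so here is an added example of the whole acquisition-and-verify loop in Python. It is not code from the textbook or from any of the tools it names. The "drive" is an immutable bytes object standing in for a device behind a write blocker, and the acquisition is a plain copy; the hashes are computed in chunks the way an imaging tool would over a device far larger than RAM. MD5 and SHA-1 are the digests older reports record, but both are collision-broken, so the example records a SHA-256 digest alongside the MD5.

```python
import hashlib
from typing import Dict, Iterable

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-terabyte image never has to fit in RAM


def hash_image(data: bytes, algorithms: Iterable[str] = ("md5", "sha256")) -> Dict[str, str]:
    """Fingerprint a bit-for-bit image, returning one hex digest per algorithm.

    Computing MD5 and SHA-256 in a single pass means the device is read once;
    a match on both is what goes into the acquisition notes.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), CHUNK):
        block = data[offset:offset + CHUNK]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source: bytes) -> bytes:
    """Bit-for-bit copy of the source: every byte, including slack and unallocated space.

    `source` is immutable, standing in for a device behind a hardware write
    blocker: the acquisition can read it but has no way to modify it.
    """
    return bytes(source)


def verify(expected: Dict[str, str], image: bytes) -> bool:
    """Re-hash the image with the same algorithms and compare to the recorded digests."""
    return hash_image(image, tuple(expected)) == expected


# Constructed stand-in for the suspect drive: 3 MiB of deterministic bytes.
SUSPECT_DRIVE = bytes(range(256)) * (3 * CHUNK // 256)


def demo():
    """Return (clean_image_verifies, tampered_image_verifies)."""
    recorded = hash_image(SUSPECT_DRIVE)      # digests taken from the source before imaging
    image = acquire(SUSPECT_DRIVE)
    clean_ok = verify(recorded, image)

    tampered = bytearray(image)
    tampered[1234] ^= 0x01                    # flip a single bit somewhere in the copy
    tampered_ok = verify(recorded, bytes(tampered))
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print(hash_image(SUSPECT_DRIVE))
    print(demo())
```

A single flipped bit changes every digest, which is why the hash is recorded at acquisition time and re-checked whenever the image is copied or handed over.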

visible data

All data that the operating system is presently aware of and thus is readily accessible to the user.

Swap Files

A file or defined space on the HDD used to conserve RAM; data is swapped, or paged, to this file/space to free RAM for applications that are in use.

Temporary Files

Files temporarily written by an application to perform a function or to provide a "backup" copy of a work product should the computer experience a catastrophic failure.

latent data

Areas of files and disks that are typically not apparent to the computer (and operating system) user but contain data nonetheless

Latent data is one of the reasons a forensic image is created

How is latent data useful to a forensic scientist?

Slack space

Empty space on a hard disk created because of the way the HDD stores files

Forensic examination software

A more common option in data forensics is to use specialized ___.

Unallocated space

Latent data might be found in ___ ___, the unused area of the HDD that the file system table sees as empty (containing no logical files) but that may contain old data.

Defragmenting

___ an HDD involves moving noncontiguous data back together.

Internet Cache

Portions of visited web pages placed on the local HDD to facilitate quicker retrieval when a web page is revisited.

Cookies

Files placed on a computer from a visited website that are used to track visits to and usage of that site.

Internet History

An accounting of websites visited; different browsers store this information in different ways.

Bookmarks

A feature that enables the user to designate favorite sites for fast and easy access.

Hacking

Slang term used to refer to performing an unauthorized computer or network intrusion.

Hardware or software designed to protect a network against intrusions from the Internet.

What is the purpose of a firewall?

Internet protocol address (IP)

Computers that participate on the internet, therefore, must be provided with an address known as an ___ ___ from the Internet service provider to which they connect.

Software programs

___ ___ are applications that carry out a set of instructions.

The screen of any running computer monitor; all the connections to the main system unit, such as peripheral devices (i.e., keyboard, monitor, speakers, mouse, etc.); and equipment serial numbers.

Aspects of a computer that should be photographed close up at an electronic crime scene include...

A live examination prior to disconnecting power.

Evidentiary considerations may require the investigator to perform...

If encryption is suspected, since pulling the plug would leave the data in its encrypted state, unreadable without the password or key; and if data exists in RAM that has not been saved to the HDD and will thus be lost if power to the system is discontinued.

Two situations in which an investigator would not unplug a computer at an electronic crime scene are...

Visible; latent data

The types of computer evidence can be grouped under two major sub-headings...

Latent data

Data that the operating system is not aware of. The constant shuffling of data through deletion, defragmentation, swapping, and so on, is one of the reasons data is stored in ___ areas.

RAM slack and file slack

Latent data can exist in both...

RAM slack

The area from the end of the logical file to the end of the sector.

File slack

The remaining area from the end of the final sector containing data to the end of the cluster.

Deleted files

When a user deletes files, the data typically remains behind, so ___ ___ are another source of latent data.
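The sector, cluster, slack space, unallocated space and deleted-file cards all describe the same geometry, so here is one added example (not from the textbook) that simulates it: a toy disk of 512-byte sectors and 8-sector clusters, a minimal allocation table, and a file that is written, deleted, and partly overwritten by a smaller file. The sizes, file names and contents are constructed; the toy allocates contiguously and, like a modern OS, zero-fills RAM slack, so the surviving old data turns up in the file slack and in unallocated clusters.

```python
from typing import Dict, Tuple

SECTOR = 512                      # smallest unit the drive addresses
SECTORS_PER_CLUSTER = 8           # so one cluster (the allocation unit) is 4096 bytes
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def layout(size: int) -> Tuple[int, int, int]:
    """For a file of `size` bytes return (ram_slack, file_slack, clusters_allocated).

    RAM slack: end of the data to the end of its last sector.
    File slack: end of that sector to the end of the last allocated cluster.
    """
    clusters = max(1, -(-size // CLUSTER))            # ceiling division
    last_sector_end = -(-size // SECTOR) * SECTOR
    return last_sector_end - size, clusters * CLUSTER - last_sector_end, clusters


class ToyDisk:
    """A disk of N clusters plus a minimal allocation table (name -> first cluster, size).

    Files are written contiguously to keep the toy simple; real file systems
    chain clusters and fragment, but the slack arithmetic is the same.
    """

    def __init__(self, clusters: int):
        self.raw = bytearray(clusters * CLUSTER)
        self.table: Dict[str, Tuple[int, int]] = {}

    def write(self, name: str, first_cluster: int, data: bytes) -> None:
        base = first_cluster * CLUSTER
        self.raw[base:base + len(data)] = data
        ram_slack, _, _ = layout(len(data))
        # The OS writes whole sectors; modern ones zero the padding (RAM slack).
        self.raw[base + len(data):base + len(data) + ram_slack] = bytes(ram_slack)
        # The remaining sectors of the cluster (file slack) are never touched.
        self.table[name] = (first_cluster, len(data))

    def delete(self, name: str) -> None:
        del self.table[name]          # only the table entry goes; the bytes stay

    def slack(self, name: str) -> Tuple[bytes, bytes]:
        """(RAM slack, file slack) of an allocated file, read straight from the media."""
        first, size = self.table[name]
        ram_slack, _, clusters = layout(size)
        base = first * CLUSTER + size
        return (bytes(self.raw[base:base + ram_slack]),
                bytes(self.raw[base + ram_slack:(first + clusters) * CLUSTER]))

    def unallocated(self) -> bytes:
        """Every cluster the table does not claim: what a forensic image still captures."""
        used = set()
        for first, size in self.table.values():
            used.update(range(first, first + layout(size)[2]))
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(len(self.raw) // CLUSTER) if c not in used)


OLD = b"OLD SECRET EVIDENCE " * 250     # 5000 bytes: spans two clusters (constructed)
NEW = b"N" * 700                        # 700 bytes: one cluster, two sectors (constructed)


def demo() -> Dict[str, object]:
    disk = ToyDisk(4)
    disk.write("evidence.txt", 0, OLD)
    disk.delete("evidence.txt")         # the user "deletes" it
    disk.write("notes.txt", 0, NEW)     # cluster 0 is reused for a smaller file
    ram_slack, file_slack = disk.slack("notes.txt")
    return {
        "layout": layout(len(NEW)),
        "ram_slack": ram_slack,
        "file_slack": file_slack,
        "unallocated": disk.unallocated(),
    }


if __name__ == "__main__":
    result = demo()
    print(result["layout"], result["file_slack"][:40], result["unallocated"][:40])
```

For the 700-byte file the layout is 324 bytes of RAM slack, 3072 bytes of file slack and one cluster; the file slack still holds bytes 1024 to 4095 of the deleted file, and the second cluster of the deleted file sits intact in unallocated space. A logical copy of notes.txt captures none of that, which is the reason for imaging every bit.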

Internet cache, cookies, and the Internet history

Places where a forensic computer examiner might look to determine what websites a computer user visited recently are...

Forensic software package

The history file can be located and read with a ___ ___ ___. Another way to access websites that have been visited is by examining bookmarks and favorite places.

0 to 255

IP addresses take the form ###.###.###.###, in which, generally speaking, ### can be any number from ___ - ___.

The sender's IP address in the e-mail's header.

An investigator tracking the origin of an e-mail seeks out...
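Putting the IP-address and e-mail-header cards together, here is an added Python example (not from the textbook) that pulls the IPv4 addresses out of a message's Received: headers, validates each octet against the 0 to 255 rule, and reports the earliest public address as the likely origin. The message is constructed from RFC 5737 documentation addresses. One caveat the card leaves out: each relay prepends its own Received: line, so only the lines added by servers you control are trustworthy; anything below them could have been forged by the sender.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def valid_ipv4(text: str) -> bool:
    """Four dotted decimal octets, each 0-255 (the ###.###.###.### form on the card)."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def is_private(ip: str) -> bool:
    """RFC 1918 ranges plus loopback: an address that cannot identify an Internet host."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or a == 127 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def received_hops(raw_message: str) -> List[Dict]:
    """Return the Received: headers oldest first, with the IPv4 addresses each one names.

    The top Received: line is the last relay; the bottom one is the first
    server to handle the message, so the list is reversed into time order.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        ips = [ip for ip in DOTTED_QUAD.findall(header) if valid_ipv4(ip)]
        hops.append({"header": " ".join(header.split()), "ips": ips})
    return hops


def originating_ip(raw_message: str) -> Optional[str]:
    """Earliest public IPv4 address in the chain: the best lead on where the mail came from.

    Treat it as a lead, not proof: only headers added by servers you trust are
    reliable, and a sender can forge any Received: line below those.
    """
    for hop in received_hops(raw_message):
        for ip in hop["ips"]:
            if not is_private(ip):
                return ip
    return None


# Constructed sample message; hosts and addresses are documentation values, not real.
SAMPLE = (
    "Received: from mx.example.org (mx.example.org [198.51.100.7])\n"
    "\tby mail.victim.example (Postfix) with ESMTP id 4F3A2\n"
    "\tfor <user@victim.example>; Mon, 14 Mar 2011 13:37:02 +0000\n"
    "Received: from [192.168.1.22] (unknown [203.0.113.45])\n"
    "\tby mx.example.org (Postfix) with ESMTPA id 91B2C;\n"
    "\tMon, 14 Mar 2011 13:36:58 +0000\n"
    "From: sender@example.org\n"
    "To: user@victim.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop["ips"], "<-", hop["header"][:60])
    print("origin:", originating_ip(SAMPLE))
```

In the sample the sending machine announced itself with a private address (192.168.1.22), which is useless outside its own LAN; the address the first relay actually saw it connect from (203.0.113.45) is the one to take to the ISP.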

Chat and instant messages

___ and ___ ___ are typically located in a computer's random-access memory (RAM).

Log file, RAM, and network traffic

Chat and instant messages are typically located in a computer's...

Mobile devices

Offer many of the services that are offered by computers and other devices. These devices can provide a vast amount of useful and evidentiary data in an investigation.

The preferred method for preserving data on a mobile device.

Leaving a mobile device running but placing it in something that will block its communication is...

The variety of ways that different devices store and manage data.

Complications arise in extracting and evaluating data from mobile devices because of...
