Module 2-1 - Basic-Technical-For-Digital-Forensics

The document discusses basic technical concepts for digital forensics including how computers store data using bits, bytes, file systems, and different types of memory and storage. It covers the difference between stand-alone, networked, mainframe, and cloud computing environments and how data can exist in active, latent, and archival forms on a computer.

Uploaded by dungnthe172688
Module 2: Basic technical for digital forensics
Topics

• Basic Computer Operation
• Bits & Bytes
• File Extensions & File Signatures
• How Computers Store Data
• RAM: Random Access Memory
• Volatility of Data
• The Difference Between Computer Environments
• Active, Latent, and Archival Data
• Allocated and Unallocated Space
• Computer File Systems
Bits & Bytes

• A Bit is 0 or 1
• 8 bits is a byte
– 00000000 to 11111111
– 256 possible bytes
– Can be written as a number 0 to 255
– In Hexadecimal, 00 to FF
ASCII Text

• One byte per character
• 7 bits encode character, one parity bit
• 94 printable characters
• Originally used for English
• Adapted to other languages
ASCII file in Hexadecimal

• 20 hex = 32 decimal = SPACE
• 0D 0A = 13 10 = CR LF
ASCII
Unicode

• Encodes all "commercially significant" languages
• Two bytes per character
• FF FE at the start is a Byte Order Mark
File Headers & File Carving
GIF Image (13x16 pixels)
GIF File Header

• GIF89a – Version of GIF
• 0D 00 0A 00 – 13 pixels x 16 pixels
GIF Specification
File Carving

• Rebuilding files by assembling blobs of data found on a disk
• Relies on file headers and footers
• Done automatically by all-purpose forensic suites like FTK and EnCase
• Many other tools exist to carve files
File Extensions & File Signatures
File Extensions

• Usually three letters long
• Appear at the end of a file name, after a dot
• Hidden in Windows by default
• Used to specify the file type, icon, and default application
Hide File Extensions
Incorrect File Extension
Wrong Default Application

• Any stream of bytes can be interpreted as ASCII
Open With…
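
An added example, not part of the original slides, covering the GIF File Header, File Carving and Incorrect File Extension slides above: it reads the version and dimensions from a GIF header, carves a GIF out of a byte blob by header and footer, and flags a file whose extension disagrees with its signature. The function names and the sample bytes are constructed for illustration. For a 13 x 16 image the dimension bytes are 0D 00 10 00, because 16 decimal is 10 hex.

```python
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")  # signature plus version, first 6 bytes
GIF_FOOTER = b"\x00\x3b"             # last block terminator, then the trailer byte

def parse_gif_header(data):
    """Return (version, width, height), or None if data does not start as a GIF."""
    if len(data) < 10 or data[:6] not in GIF_MAGICS:
        return None
    width, height = struct.unpack_from("<HH", data, 6)  # two little-endian 16-bit ints
    return data[3:6].decode("ascii"), width, height

def carve_gifs(blob):
    """Naive header/footer carving: each header up to the first footer after it."""
    found, pos = [], 0
    while True:
        hits = [i for i in (blob.find(m, pos) for m in GIF_MAGICS) if i != -1]
        if not hits:
            return found
        start = min(hits)
        end = blob.find(GIF_FOOTER, start + 10)
        if end == -1:
            return found  # header with no footer: a fragment, left uncarved
        found.append((start, blob[start:end + len(GIF_FOOTER)]))
        pos = end + len(GIF_FOOTER)

def extension_mismatch(filename, data):
    """True when the .gif extension and the GIF signature disagree."""
    return filename.lower().endswith(".gif") != (parse_gif_header(data) is not None)

# Constructed sample: a minimal GIF-shaped byte string (pixel data is a placeholder).
SAMPLE_GIF = (b"GIF89a" + bytes.fromhex("0d001000")   # 13 x 16; 16 decimal is 10 hex
              + bytes.fromhex("000000")                # flags, background, aspect ratio
              + bytes.fromhex("2c000000000d00100000")  # image descriptor
              + bytes.fromhex("02024c01") + GIF_FOOTER)
# Constructed "unallocated space": filler, the GIF, more filler.
DISK = b"\x00" * 32 + SAMPLE_GIF + b"\xff" * 16

if __name__ == "__main__":
    for offset, carved in carve_gifs(DISK):
        print(offset, len(carved), parse_gif_header(carved))
    print(extension_mismatch("report.txt", SAMPLE_GIF))  # GIF bytes, wrong name
```

The footer match is deliberately simple: the bytes 00 3B can also occur inside image data, so a carved file should be validated by parsing its blocks before it is treated as complete.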
How Computers Store Data
Storage Methods

• Electromagnetism
– Hard disks and floppy disks
• Microscopic Electrical Transistors
– SSDs, USB flash drives, SD cards, etc.
• Reflecting Light
– CDs, DVDs, Blu-ray
• They are all nonvolatile – they retain data without power
Magnetic Disks

• Platter spins at 7,000 rpm to 15,000 rpm
• Spindle is the axis
• Read/write head is an electromagnet mounted to an actuator arm
– Image from textbook
Disk Controller Card

• Stores and retrieves data from the platters
• Controlled by firmware stored in the Host Protected Area
– Image from http://static.ddmcdn.com/gif/ide-controller2.jpg
Flash Memory

• Made of transistors
• Solid State Devices (SSDs)
– Faster than hard disks
– Use less power
– More expensive
Optical Storage

• Microscopic pits encode bits
• Areas between pits are called lands
• There is one long spiral track for the whole disk
• Data is read with laser light
– Image from http://www.backgroundsy.com/file/large/blu-ray-disc-isolated.jpg
Volatile v. Nonvolatile Memory

• Memory is short-term storage
• Storage devices (hard disks, SSDs, and optical disks) are nonvolatile: data is retained without power
• RAM is main system memory
– RAM is volatile—data is lost when power goes off
Volatility of RAM

[Figure: image panels labeled 5 sec, 30 sec, 60 sec, and 5 min]
RAM Forensics

• RAM contains important evidence that is not normally written to the hard disk
– Instant messages
– Network connections
– Running processes
• BUT there are no time-stamps on RAM contents
– It can be misleading
Computing Environments
Four Categories

• Stand-alone
• Networked
• Mainframe
• Cloud
Stand-Alone

• A computer not connected to any other computer
– Such as a laptop not connected to Wi-Fi or cellular data
– BUT networks are everywhere now, even in BART or on airplanes
Networked

• A computer connected to at least one other computer
• Evidence might be on servers and network devices as well as the local computer
• Almost every computer is networked now
Mainframe

• A powerful computer used at a business, or shared by many users
• Located in a data center or colocation center
– Image from http://danialsharifudin.blogspot.com/2012/08/classification-of-computer.html
Cloud Computing
Examples of Cloud Computing

• Gmail
• Facebook
• Twitter
• Amazon Web Services
• CloudFlare
Cloud Services

• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
IaaS

• The most basic cloud service
• Outsources hardware needs
– Servers, storage, routers, switches…
• Examples
– Amazon EC2
– Windows Azure Virtual Machines
– Google Compute Engine
– Rackspace Cloud
PaaS

• Provides a computing platform
– OS, programming language execution, database, and Web server
• Examples
– AWS Elastic Beanstalk
– Heroku
– Google App Engine
– Windows Azure Compute
SaaS

• Providers install and operate application software in the cloud
• Users access the software from cloud clients
• Examples
– Google Apps
– Microsoft Office 365
IaaS

• Outsource hardware needs
– Servers, storage, routers, switches…
• Examples
– Amazon EC2
– Windows Azure
– Google Compute Engine
Instagram

• Online photo-sharing site
• In Dec. 2012, Instagram changed its terms of service
– Perpetual rights to all photos
– Right to sell photos to advertisers without payment or notice to the user
• Instagram lost half its daily users in a month
AWS Outage

• Dec. 24, 2012
• Netflix was down, because they rely on AWS
• Amazon has had several other major outages
Cloudflare Growth
Q&A

http://fpt.edu.vn 05/20/24
