Docstoc

Computer Forensics

Document Sample
Computer Forensics Powered By Docstoc
					Computer Forensics

   Jennifer Hansen
         Since the 1990’s
• Computer technology has grown
  tremendously
Computers use to only be available to:
• Very Rich
• NASA
• Military
           Computer Crimes
• Murder for hire
  – Extramarital affairs
  – Stalker
• Arson
  – Financial Records
• Burglary
  – Stolen items sold online
 Computer Crimes (continued)
• Terrorism
  – Hacking into government security
• Child Abuse
  – Pedophiles
         Computer Forensics
•   Preserve Data
•   Acquire Data
•   Extract Data
•   Analyze Data
        Devices that store data
•   Cell phone
•   PDA
•   IPODS
•   Digital Camera
•   Flash/Memory card
•   Jump Drive
•   Smart card
•   Discs
•   PC
•   more
                  Hardware
• Physical components of a computer case.
  Something that can be touched or seen
  – Keyboard
  – Monitor
  – Motherboard
  – CPU (central processing unit)
  – RAM (Random access memory)
  – HDD (Hard disc drive)
  – Mouse
                     Software
• Set of instructions compiled into a program that
  performs a particular task
  –   Windows
  –   Mac OS
  –   Linux
  –   Netscape
  –   Quicken
  –   Unix
  –   Word processors (microsoft office)
  –   Firefox
  –   Internet Explorer
  –   Microsoft Money
        Hardware Components
•   Motherboard
•   System Bus
•   Central Processing Unit
•   Read only memory
•   Random access memory
•   Hard disc drive
•   Input device
•   Output device
              Motherboard
• Main system board
  of a computer
• Delivers power,
  data, instructions to
  components
  – Sockets for chips-
    accept RAM, CPU,
    Keyboard, mouse,
    CD drive, floppy
    drive, monitor
     Motherboard (continued)
• Slots for add on cards
  – Video card to connect pc to monitor
  – Network card or modem to connect to internet
  – Sound card for speakers
 System Bus (Computer Highway)
• Vast complex network of wires that carry
  data from one hardware device to another
• Sent as binary computing (1 and 0)
 Central Processing Unit (CPU)
• Processor= Brain of computer
• Computer part that “computes” (codes and
  instructs)
• All operations run through CPU
  – Opening programs
  – Running programs
  – Complex mathmatical function
    Read-only memory (ROM)
• Special chips on motherboard stores
  programs called firmware used to start the
  “boot process” (starting up the computer)
  and configure components
• Technology referred to as BIOS (basic
  input-output system) controls boot.
• In forensics it is important to control
  booting up of pc
      Hard Disc Drive (HDD)
• Main storage location within the computer
• Magnetic Platters contained in case
• Stores operating system, programs, data
  files, permanent storage
• Can add expansion cards
• Most data on HDD
• Would be very slow if all things were run
  off this
Random Access Memory (RAM)
• The volatile memory of the computer
• When power is turned off the contents are
  lost
• Programs and instructions are loaded
  while in use
  – Chips in motherboard
         RAM (continued)
• Takes burden off of processor and HDD
• Lost when power is taken away
               Input devices
•   Keyboard
•   Mouse
•   Joystick
•   Scanner
             Output Devices
• Monitor
• Printer
• Speakers
      Operating System (OS)
• Software that allows the user to interact
  with the hardware and manages file
  system and applications
  – Windows
  – Linux
  – Mac OS
        Partitioning the HDD
• Before an OS can speak to an HDD a
  partition must be defined
• Partition= contiguous set of blocks
  (physical areas of HDD in which data can
  be stored that are defined and treated as
  independent disks
• Creating storage drawers
        Formatting the HDD
• Initializes portions of HDD so they can
  store and file data
• Logically defined- no physical partitions
  can be seen
          Mapping the HDD
• Disks are divided into
  – Sectors
  – Clusters
  – Tracks
  – Cylinders
                 Bit vs Byte
• Bit- smallest unit of information on a
  machine
  – Takes form of 1 or 0 (known as binary)


• Byte- 8 bits
                  Sector
• Smallest unit of data that a hard drive can
  address. Usually 512 bytes in size
                   Cluster
• Minimum space allocated to a file (Groups
  of sectors)
• Size determined by file system
• Always in multiples of 2
  – 2, 4, 6, 8….. sectors
       Tracks and Cylinders
• Tracks- concentric circles defined around
  platter
• Cylinders- groups of tracks that reside
  above and below each other
    File Allocated Table (FAT)
• Map of the layout of the defined space of
  the partition
• Tracks location of files and folders on HDD
• Like safe deposit boxes
 What happens in pressing power
         on computer
1. Wakes up motherboard and all hardware
2. Flash ROM chip on motherboard (one with
   BIOS) conducts a power-on-self-test (POST)
   to make sure everything is working and
   determines boot order (usually HDD) Can be
   start up disk
3. HDD locates the first sector of its disk
   (masterboot record) determines layout and
   boots the operating system (Windows, Mac
   OS, Linux)
4. Desktop appears
   Once a program is open…..
• Typing data is loaded into RAM
• When saves or closed it is stored in the
  HDD
• If printed it goes through system bus to
  printer
  Processing the electronic crime
              scene
• Pictures- close ups of serial/ID #’s
• Sketches-technical sketches if attached to
  a network
• Usually do not touch computer until all
  photos of all input devices are taken
  – Exception to this rule is if perpetrator is trying
    to delete files and investigator can stop the
    deletion process
Investigator must decide if they will
             perform-
•   Live acquisition of data
•   Perform a system shutdown
•   Pull the plug
•   Combination of these
        If data is encrypted ..
• If the plug is pulled it will be password
  protected or require a key to open
• Anything on RAM not accessible once
  cord is pulled
• Most of the time computers are seized
  unless it is a corporate office where
  servers are fundamental to business
  operations
   Forensic Image Acquisition
• Removal of HDD is common so one can
  take a “picture” of the HDD
• During the boot process the files on an
  HDD can be altered, moved, or even
  deleted
• The forensic scientist ensures the content
  is “write-blocked” read only status where
  no new data can be added
  To prove data has not been altered
• The scientist before and after the data is used
  runs a program called Message Digest 5
  (MD5)/Secure Hash Algorithm (SHA)

• It produces a unique alpha numeric sequence
  that should be able to be reproduced after data
  is searched
• Latent data would be unused memory
   Analysis of Electronic Data
• Visible Data- all data that the operating
  system is presently aware of and
  accessible to the user
• Latent Data- areas of files and disks that
  are typically not apparent to the computer
  user (and often not to the operating
  system) but contain data nonetheless
              Visible data
• Data/Work product files
  – Word processors (word, excel, powerpoint,
    access)
  – Quicken
  – Microsoft money
• Swap file data
• Temporary Files
               Swap file data
• A file or defined space on the HDD to
  which data is written, or swapped, to free
  RAM for applications that are in use
  – Usually used when multiple programs open to
    not drag “power” from RAM
     • Scientist will use Norton disk editor or Win-Hex
            Temporary files
• Files temporarily written by an application
  to perform a function
  – Recovery file made by program
  – Print spool files
             Latent Data
• Slack Space
• Unallocated Space
• Deleted Files
              Slack Space
• Empty space on HDD created by the way
  the hard
• Smallest unit a HDD recognizes is 512
  bytes. What if the file is only 100 bytes?
  – The slack space of 412 bytes is created.
• Example- safety deposit box has 1
  document but has more room not used
               RAM Slack
• The area beginning at the end of the
  logical file and terminating at the end of
  that sector
                File slack
• The area that begins at the end of the last
  sector that contains logical data and
  terminates at the end of the cluster
RAM SLACK and File Slack
         Unallocated Space
• The area of the HDD that the operating
  system (file system table) sees as empty
  and ready for data.
• Unused portion of HDD
            Deleted Files
• Even when recycled bin is emptied data
  still exists until overwritten