Chap 8 EPCF
Computer Forensics
Chap 8 Computer Basics For Digital Investigators
The Basics
Central Processing Unit (CPU)
Processes the instructions for every computer
Basic Input and Output System (BIOS)
Handles basic movement of data in a computer
Programs use it to communicate with CPU
Power on Self Test (POST)
A small program that tests basic components of a computer
Verifies the integrity of the CPU and of the POST program itself
Then it checks all others: drives, monitor, RAM and keyboard
Before POST is complete and after the BIOS is activated, some computers allow you to edit the configuration using Complementary Metal Oxide Silicon (CMOS)
Results of POST are checked against the CMOS settings
Disk Boot
An operating system extends the functions of the BIOS and interfaces with the outside world
The boot sequence looks for the location of the OS and loads it
The ability to boot up from a disk is important when the hard disk may contain evidence
Representation of data
Digital data is a sequence of “0” and “1” called bits
Bit Representation
little-endian: Intel based
big-endian: Sun and Mac based
A common data representation is hexadecimal
Another one is ASCII (table 8.1)
We need to use tools that display data in hexadecimal and ASCII
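As an added example (not part of the slides), the following Python shows the two things this section asks for: a minimal hex/ASCII viewer of the kind investigators rely on, and a helper that interprets the same four bytes as a little-endian (Intel) and a big-endian (Sun/Mac) integer. The sample bytes are constructed here; on a real image the viewer would be run over a sector read from disk.

```python
import struct
from typing import List

# Constructed sample (not from the slides): four bytes holding a number, then ASCII text.
SAMPLE = b"\x00\x02\x00\x00" + b"Evidence"


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Return hexdump lines: offset, hex bytes, and the ASCII column.

    Bytes that are not printable ASCII (0x20..0x7e) are shown as '.' so that
    embedded text is visible next to the raw hex, as forensic viewers do.
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part}  {ascii_part}")
    return lines


def read_u32(data: bytes, offset: int, endian: str) -> int:
    """Interpret 4 bytes at `offset` as an unsigned 32-bit integer.

    endian='little' is the Intel byte order; endian='big' is the Sun/Mac order.
    The same bytes give different numbers, which is why a tool must know the
    origin of the data before showing a decoded value.
    """
    fmt = "<I" if endian == "little" else ">I"
    return struct.unpack_from(fmt, data, offset)[0]


if __name__ == "__main__":
    for line in hexdump(SAMPLE):
        print(line)
    print("little-endian:", read_u32(SAMPLE, 0, "little"))  # 512
    print("big-endian:   ", read_u32(SAMPLE, 0, "big"))     # 131072
```

The same bytes `00 02 00 00` read as 512 (a common sector size) on an Intel system and as 131072 on a big-endian system; a viewer that decodes with the wrong byte order silently produces the wrong value.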
Storage Media
Hard disks, floppy disks, thumb drives, etc.
Hard disks are the richest in digital evidence
Integrated Disk Electronics (IDE) or Advanced Technology Attachment (ATA)
Higher performance SCSI drives
FireWire is an adaptation of the SCSI standards that provides high speed access to a chain of devices
All hard drives contain platters made of a light, rigid material such as aluminum, ceramic or glass
More on Hard Drives
Platters have a magnetic coating on both sides and spin between a pair of read/write heads
These heads move like the needle on top of an old LP record, but ride above the surface on a cushion of air created by the spinning disk
The heads can align particles of the magnetic media – called writing – and can detect how the magnetic particles are aligned – called reading
Particles aligned one way are considered “0” and aligned another way “1”
Storage
Cylinders are the data tracks that the data is being recorded on
Each track/cylinder is divided into sectors that contain 512 bytes of information
512 * 8 bits of information
The location of data can be determined by which cylinder it is on, which head can access it and which sector contains it, or CHS addressing
Capacity of a hard drive = number of cylinders * heads * sectors * 512 bytes
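As an added example (not part of the slides), the Python below turns the CHS description above into working arithmetic: drive capacity as C * H * S * 512, conversion between a CHS address and a flat sector number (LBA), and the byte offset of a sector inside a disk image. The geometry values (1024 cylinders, 16 heads, 63 sectors per track) are a constructed sample chosen because they are the classic BIOS CHS limit.

```python
from dataclasses import dataclass
from typing import Tuple

SECTOR_SIZE = 512  # bytes per sector, as stated on the slides


@dataclass(frozen=True)
class Geometry:
    """Drive geometry: cylinders, heads, and sectors per track."""
    cylinders: int
    heads: int
    sectors_per_track: int

    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors_per_track

    def capacity_bytes(self) -> int:
        # Capacity = C * H * S * 512, exactly as on the slide.
        return self.total_sectors() * SECTOR_SIZE


def chs_to_lba(geom: Geometry, c: int, h: int, s: int) -> int:
    """Convert a CHS address to a logical block address.

    Cylinders and heads are numbered from 0; sectors are numbered from 1,
    which is the convention in CHS addressing. Addresses outside the stated
    geometry are rejected rather than silently wrapped.
    """
    if not (0 <= c < geom.cylinders and 0 <= h < geom.heads
            and 1 <= s <= geom.sectors_per_track):
        raise ValueError(f"CHS ({c},{h},{s}) is outside the drive geometry")
    return (c * geom.heads + h) * geom.sectors_per_track + (s - 1)


def lba_to_chs(geom: Geometry, lba: int) -> Tuple[int, int, int]:
    """Inverse of chs_to_lba: sector number back to (cylinder, head, sector)."""
    if not 0 <= lba < geom.total_sectors():
        raise ValueError(f"LBA {lba} is outside the drive geometry")
    c, remainder = divmod(lba, geom.heads * geom.sectors_per_track)
    h, s0 = divmod(remainder, geom.sectors_per_track)
    return c, h, s0 + 1


def byte_offset(geom: Geometry, c: int, h: int, s: int) -> int:
    """Byte offset of a sector in a raw (dd-style) image of the drive."""
    return chs_to_lba(geom, c, h, s) * SECTOR_SIZE


# Constructed sample geometry: the 1024 x 16 x 63 BIOS CHS limit (about 504 MiB).
GEOM = Geometry(cylinders=1024, heads=16, sectors_per_track=63)

if __name__ == "__main__":
    print("capacity:", GEOM.capacity_bytes(), "bytes")          # 528482304
    print("CHS (1,0,1) -> LBA", chs_to_lba(GEOM, 1, 0, 1))      # 1008
    print("LBA 1008 -> CHS", lba_to_chs(GEOM, 1008))            # (1, 0, 1)
    print("image offset of (0,0,2):", byte_offset(GEOM, 0, 0, 2))  # 512
```

With this geometry the last addressable sector is CHS (1023, 15, 63), and no address beyond it can be expressed; that is the limitation the next slide refers to, and it is also why an examiner needs the drive's reported geometry before mapping a sector in an image back to a physical location.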
Limitations
Event Discovery Analysis Decision Investigate
Or reportable crimes; not
When the investigation reveals that the trail of evidence extends beyond the boundaries of your enterprise network; and
When you know you’re over your head.
File System Locations
SKIP SECTION 8.5 for now
Very Brief Intro to Encryption
Encryption is a process that translates plaintext or a digital object into an unreadable format or digital object
Encryption uses the concept of a key, which is a type of data that, when applied using a specific algorithm, results in unreadable data
Symmetric Encryption – decryption is simply the reverse of the encryption (using the same key)
Asymmetric Encryption – the decryption process is different from encryption and is usually done with different keys
Digital Signatures
Electronic method to ensure:
Data is from who it says it is from
Data has NOT been altered
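As an added example (not part of the slides), the Python below illustrates the three ideas from the last two slides side by side: a symmetric cipher where decryption is the same operation with the same key, an asymmetric scheme where the key used to undo the operation differs from the one that applied it, and a digital signature built from the asymmetric private key plus a hash, so that a verifier can check both who produced the data and that it has not been altered. The XOR cipher and the two small primes are constructed teaching values; the RSA here is the unpadded textbook form and is only meant to show the mechanics, not to protect anything.

```python
import hashlib
from itertools import cycle
from typing import Tuple


# --- Symmetric: one shared key; decrypting is the same step run again -------
def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher (constructed for illustration): XOR with a repeating key.

    Because XOR is its own inverse, xor_cipher(xor_cipher(m, k), k) == m, which is
    exactly the slide's point that symmetric decryption reverses encryption with
    the same key.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# --- Asymmetric: textbook RSA with constructed primes (no padding; teaching only) ---
P = 2147483647            # 2^31 - 1, a prime (constructed demo value)
Q = 2305843009213693951   # 2^61 - 1, a prime (constructed demo value)
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                 # public exponent
D = pow(E, -1, PHI)       # private exponent: modular inverse of E (Python 3.8+)

PUBLIC_KEY: Tuple[int, int] = (E, N)
PRIVATE_KEY: Tuple[int, int] = (D, N)


def rsa_encrypt(m: int, public_key: Tuple[int, int] = PUBLIC_KEY) -> int:
    """Encrypt an integer message m < N with the public key."""
    e, n = public_key
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key: Tuple[int, int] = PRIVATE_KEY) -> int:
    """Decrypt with the *different* (private) key: the asymmetric case."""
    d, n = private_key
    return pow(c, d, n)


# --- Digital signature: hash the data, then apply the private key to the hash ---
def digest_int(data: bytes) -> int:
    """SHA-256 of the data, truncated to 64 bits so it is smaller than the toy modulus N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(data: bytes, private_key: Tuple[int, int] = PRIVATE_KEY) -> int:
    """Only the holder of the private key can produce this value for the data."""
    d, n = private_key
    return pow(digest_int(data), d, n)


def verify(data: bytes, signature: int, public_key: Tuple[int, int] = PUBLIC_KEY) -> bool:
    """Anyone with the public key can check origin (right key) and integrity (same hash)."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(data)


if __name__ == "__main__":
    msg = b"Drive image hash recorded in case notes"   # constructed sample message
    key = b"examiner-shared-key"                        # constructed sample key
    ciphertext = xor_cipher(msg, key)
    print("symmetric round trip ok:", xor_cipher(ciphertext, key) == msg)
    print("asymmetric round trip ok:", rsa_decrypt(rsa_encrypt(123456789)) == 123456789)
    sig = sign(msg)
    print("signature verifies:", verify(msg, sig))
    print("altered data verifies:", verify(msg + b"!", sig))   # False
```

The last two lines are the point of the Digital Signatures slide: changing even one byte of the signed data changes its hash, so the signature no longer matches and the alteration is detected, while a signature produced with any other private key fails verification against this public key.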