Cyber Forensics Unit - 1 Computer Forensics
Unit – 1
Computer Forensics
ashwini.solegaonkar@gmail.com
What is Data Recovery?
• Data recovery is the process of retrieving corrupt or inaccessible data from
damaged or otherwise corrupted digital media when it cannot be accessed
normally.
• It is frequently needed for devices such as DVDs, CDs, floppy disks, hard disk
drives, Xboxes, mobile phones, tapes, memory cards, personal digital assistants
and many other items.
Data Loss
• There are two categories of data loss:
• Logical failures
• Physical failures
Logical Failures
• Reasons behind a logical hard drive crash include:
• File system corruption
• OS malfunction
• A severe conflict with recently installed hardware or software
• Virus or malware infection
• In these situations the drive itself is healthy, so data is generally easier to
recover, as long as it has not been overwritten by subsequent use of the disk.
Physical Hard Drive Failure
• If the BIOS does not detect the hard drive, or there is a clicking sound at
start-up, or no sound of disk movement at all, the hard drive may have been
physically damaged.
• With advanced data recovery tools and techniques, a skilled team of engineers
and the required Class 100 clean-room facilities, recovery service providers are
often able to recover data safely from physically damaged hard drives.
The Data Recovery Process
• Repair Disk
Damage to the hard disk drive, if applicable, is diagnosed and repaired.
Damaged components are replaced. Firmware failures are identified and
repaired.
• Image Disk
The repaired drive is read and its data copied to another disk, preserving the state
• Retrieve Data
Damage or corruption to the file system is diagnosed and repaired to permit
access to the individual files. Individual files are checked for corruption and
repaired if necessary.
• Restore Data
The retrieved data is then copied to new media (for example a USB drive) and
returned to the client.
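The "Image Disk" step in code, as an added illustration that is not part of these notes: a toy imager that reads in multi-sector chunks, falls back to single-sector reads when a chunk fails, zero-fills the sectors that are genuinely unreadable so every surviving byte keeps its original offset, records their addresses, and hashes the result so the image can be verified later. FlakyDisk, SAMPLE_DATA and the 512-byte sector size are constructed assumptions for the demonstration; a real acquisition is done with ddrescue, dc3dd or FTK Imager through a hardware write-blocker, but the retry, zero-fill and hash logic is the same.

```python
"""Toy resilient disk imager: chunked reads, per-sector retry, zero-fill, hash."""
import errno
import hashlib

SECTOR = 512  # assumption: 512-byte sectors


class FlakyDisk:
    """Constructed stand-in for a physically failing drive.

    Any read that touches a sector listed in `bad_sectors` raises OSError(EIO),
    which is what the kernel returns for an unreadable sector on a real device.
    """

    def __init__(self, data, bad_sectors):
        self._buf = data
        self._bad = set(bad_sectors)
        self._pos = 0

    def seek(self, offset):
        self._pos = offset

    def read(self, n):
        first, last = self._pos // SECTOR, (self._pos + n - 1) // SECTOR
        if any(s in self._bad for s in range(first, last + 1)):
            raise OSError(errno.EIO, "Input/output error")
        chunk = self._buf[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def _read_sectors(src, lba, count):
    """Return `count` sectors starting at `lba`, or None if the read fails."""
    try:
        src.seek(lba * SECTOR)
        return src.read(count * SECTOR)
    except OSError:
        return None


def image_device(src, total_sectors, chunk_sectors=8):
    """Copy every sector of `src` into an in-memory image.

    Returns (image, bad_sectors, sha256_hex). A failed chunk read is retried
    one sector at a time so only the truly unreadable sectors are lost; those
    are zero-filled so the file system offsets inside the image stay correct.
    """
    image = bytearray()
    bad = []
    lba = 0
    while lba < total_sectors:
        count = min(chunk_sectors, total_sectors - lba)
        data = _read_sectors(src, lba, count)
        if data is None:
            # Fast path failed: walk the chunk sector by sector.
            data = bytearray()
            for s in range(lba, lba + count):
                sector = _read_sectors(src, s, 1)
                if sector is None:
                    bad.append(s)
                    sector = b"\x00" * SECTOR
                data += sector
        image += data
        lba += count
    return bytes(image), bad, hashlib.sha256(image).hexdigest()


def verify_image(image, expected_sha256):
    """Re-hash the image; a mismatch means it is not the copy that was acquired."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


# Constructed 32-sector "drive": sector n is filled with byte n; 5 and 17 are unreadable.
SAMPLE_DATA = b"".join(bytes([n]) * SECTOR for n in range(32))
SAMPLE_BAD = {5, 17}

if __name__ == "__main__":
    img, bad, digest = image_device(FlakyDisk(SAMPLE_DATA, SAMPLE_BAD), 32)
    print(f"imaged {len(img)} bytes, unreadable sectors {bad}, sha256 {digest}")
```

The hash computed at acquisition time is what a forensic report records; anyone who later works on a copy of the image re-runs verify_image and must get the same digest before the copy is trusted as evidence.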
File system
• A file system is a means of organizing data that is expected to be retained after a
program terminates: it provides procedures to store, retrieve and update data, and
manages the available space on the device(s) that contain it.
• File systems are used on data storage devices, such as hard disk drives, floppy
disks, optical discs and flash memory devices, to keep track of the physical
locations of computer files.
• There is usually a tight coupling between the operating system and the file
system.
• Without a file system, programs could not access data by file name or directory;
they would have to address raw data regions on the storage device directly.
File Attributes
• One of the characteristics stored for each file is a set of file attributes that give
the operating system and application software more information about the file
and how it is intended to be used:
• Read-Only
• Hidden
• System
• Volume Label
• Directory
• Archive
• Read-Only
• Most software, when it sees a file marked read-only, will refuse to delete or
modify it.
• This is straightforward. For example, DOS says "Access denied" if you try to
delete a read-only file. Windows Explorer, on the other hand, will delete it
anyway. Some tools choose the middle ground: they let you modify or delete the
file, but only after asking for confirmation.
• Hidden
• This one is self-explanatory as well: if the file is marked hidden, then under
normal circumstances it is hidden from view.
• DOS will not display the file when you type "DIR" unless the /A switch is
used (for example "DIR /AH" to list hidden files).
• System
• This flag tags important files that are used by the system and should not be
altered or removed from the disk.
• In essence, this is a "more serious" read-only flag and is for the most part
treated in that manner.
• Volume Label
• Every disk volume can be assigned an identifying label, either when it is
formatted, or later through various tools such as the DOS command "LABEL".
The volume label is stored in the root directory as a file entry with the label
attribute set.
• Directory
• This is the bit that differentiates entries describing files from entries describing
subdirectories within the current directory.
• In theory you can convert a file to a directory by changing this bit. In practice,
trying to do so would result in a mess, because the entry for a directory has to be
in a specific format.
• Archive
• This bit is set whenever a file is created or modified and cleared by backup
software once the file has been backed up, which lets incremental backups pick
out only the files that changed.
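The attribute bits above live in a single byte at offset 11 of every 32-byte FAT directory entry. The following added example (not code from these notes) builds a small constructed root directory and decodes it: the volume label entry, a read-only/hidden/system file, a subdirectory, and a deleted file whose entry survives with only its first name byte overwritten by the 0xE5 delete marker while its starting cluster and size stay intact, which is exactly why undeleting works while the data clusters have not been reused. make_entry, SAMPLE_DIR and the file names are constructed for illustration; the entry layout and bit values are those of the FAT12/16/32 specification.

```python
"""Decode 32-byte FAT directory entries and their attribute byte."""
import struct

# Attribute bits of the byte at offset 11 of a FAT directory entry.
ATTR_READ_ONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
# All four low bits set marks a VFAT long-file-name entry, not a real file.
ATTR_LONG_NAME = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID

_NAMES = [
    (ATTR_READ_ONLY, "read-only"),
    (ATTR_HIDDEN, "hidden"),
    (ATTR_SYSTEM, "system"),
    (ATTR_VOLUME_ID, "volume-label"),
    (ATTR_DIRECTORY, "directory"),
    (ATTR_ARCHIVE, "archive"),
]

# name(11) attr NTRes CrtTimeTenth CrtTime CrtDate LstAccDate FstClusHI WrtTime WrtDate FstClusLO FileSize
_ENTRY = struct.Struct("<11sBBBHHHHHHHI")
assert _ENTRY.size == 32


def decode_attributes(attr):
    """Translate the attribute byte into the flag names used in these notes."""
    if attr & ATTR_LONG_NAME == ATTR_LONG_NAME:
        return ["long-name"]
    return [name for bit, name in _NAMES if attr & bit]


def make_entry(name8, ext3, attr, first_cluster, size):
    """Build a short-name entry (constructed test data; timestamps zeroed)."""
    raw_name = name8.ljust(8).encode("latin-1") + ext3.ljust(3).encode("latin-1")
    return _ENTRY.pack(raw_name, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_entry(raw):
    """Decode one 32-byte entry into a dict; deleted entries are kept, not skipped."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    (raw_name, attr, _nt, _tenth, _ctime, _cdate, _adate,
     clus_hi, _wtime, _wdate, clus_lo, size) = _ENTRY.unpack(raw)
    first = raw_name[0]
    if first == 0x00:
        return {"state": "end-of-directory"}
    state = "deleted" if first == 0xE5 else "allocated"
    if attr & ATTR_LONG_NAME == ATTR_LONG_NAME:
        return {"state": state, "attributes": ["long-name"]}
    if state == "deleted":
        raw_name = b"?" + raw_name[1:]   # first character was lost to the delete marker
    elif first == 0x05:
        raw_name = b"\xE5" + raw_name[1:]  # 0x05 escapes a real leading 0xE5 byte
    text = raw_name.decode("latin-1")
    if attr & ATTR_VOLUME_ID:
        name = text.rstrip()               # label uses all 11 characters, no dot
    else:
        base, ext = text[:8].rstrip(), text[8:].rstrip()
        name = f"{base}.{ext}" if ext else base
    return {
        "state": state,
        "name": name,
        "attributes": decode_attributes(attr),
        "first_cluster": (clus_hi << 16) | clus_lo,  # high word is only used on FAT32
        "size": size,
    }


def list_directory(blob):
    """Walk a directory region until the first never-used (0x00) entry."""
    entries = []
    for off in range(0, len(blob), 32):
        entry = parse_entry(blob[off:off + 32])
        if entry["state"] == "end-of-directory":
            break
        entries.append(entry)
    return entries


# Constructed root directory: label, system file, subdirectory, deleted NOTES.TXT, end marker.
SAMPLE_DIR = b"".join([
    make_entry("FORENSIC", "", ATTR_VOLUME_ID, 0, 0),
    make_entry("IO", "SYS", ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM, 2, 40960),
    make_entry("EVIDENCE", "", ATTR_DIRECTORY, 9, 0),
    make_entry("\xE5OTES", "TXT", ATTR_ARCHIVE, 17, 1234),
    b"\x00" * 32,
])

if __name__ == "__main__":
    for e in list_directory(SAMPLE_DIR):
        print(e)
```

Note the two different "empty" markers: 0xE5 means the slot was used and freed, so its cluster chain head and size are still there for a recovery tool to follow; 0x00 means nothing past this point was ever used, which is why list_directory stops there.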
How hard disks work?
• If you dismantle a hard disk drive by opening the top casing (after removing all
the necessary screws), the first thing you will see is a spindle holding one or
more mirror-like rotating platters (commonly called data platters).
• An extremely thin magnetic coating is layered onto the surface of each platter,
which is polished to a mirror-like smoothness.
• Platter
• The platter substrate is usually an aluminium alloy, glass or glass-ceramic. A
hard disk commonly contains 1 to 10 identical platters stacked in parallel on the
spindle to form a cylinder. There is usually one read/write (RW) head per platter
face, and every head is attached to a single actuator, which moves all the heads
in unison so they perform a uniform synchronous motion while reading or writing
data.
• Read Write Head
• The RW head is the key component that performs the reading and writing
functions. It is mounted on a slider, which is in turn connected to an actuator
arm; the arm lets the RW head reach different parts of the platter during data
I/O by sweeping across the spinning platter.
• Flying Height
• The head never touches the platter during operation: it flies on a cushion of air
(an air bearing) created by the spinning platter, a gap of only a few nanometres
in modern drives, which is why any contact with the data zone scratches it.
• Read Write Function of Disk
• As the head writes data onto the disk, it changes the magnetic polarization of
the coating to record either a one or a zero.
• During a read request, data is recovered when the magnetic fields on the
platter cause an electrical change (a change in the electrical resistance of a
special material in the read head) as the head passes over them.
• These electrical signals are then encoded and transmitted to the CPU to be
• Parking of RW Head
• When the computer is switched off, the head is pulled to a safe parking zone
so that it does not scratch the data zone of the platter once the air bearing
subsides.
• This process is called parking, and different techniques have been implemented
in various hard disks to handle the take-offs and landings.
• In a ramp load/unload design, a lifting mechanism parks the head outside the
platter on a "parking bay" before shutdown. It then automatically unparks and
moves back above the platter once the platter has spun up to the appropriate
rotational speed.
• Hard Disk Controller PCB Board
• A hard disk also contains a controller PCB (logic board) that sits under the
drive. It regulates data traffic between the host and the drive, and controls and
connects the spindle motor, the head actuator and the other functions of the
disk.
Hard Disk Parts Overview
The investigations triad
WHAT IS A COMPUTER SECURITY
INCIDENT?
• A computer security incident is any unlawful, unauthorized, or
unacceptable action that involves a computer system or a computer
network. Such an action can include any of the following events:
WHAT ARE THE GOALS OF INCIDENT
RESPONSE?
• In our incident response methodology, we emphasize the goals of corporate
security professionals with legitimate business concerns, but we also take
into consideration the concerns of law enforcement officials. Thus, we
developed a methodology that promotes a coordinated, cohesive response
and achieves the following:
Allows for criminal or civil action against perpetrators
Provides accurate reports and useful recommendations
Provides rapid detection and containment
Minimizes exposure and compromise of proprietary data
INCIDENT RESPONSE METHODOLOGY
In our methodology, there are seven major components of incident
response:
Pre-incident preparation: Take actions to prepare the organization to
deal with an incident before one occurs.
Detection of incidents: Identify a potential computer security
incident.
Investigate the incident: Perform a thorough collection of data, then
review the data collected to determine what happened, when it
happened, who did it, and how it can be prevented in the future.
Reporting: Accurately report information about the investigation in a
manner useful to decision makers.
Resolution: Employ security measures and procedural changes,
record lessons learned, and develop long-term fixes for any problems
identified.