
Cyber Forensics

Unit – 1
Computer Forensics

Prof. Ashwini Solegaonkar


Department of Information Technology and Computer Science
D. G. Ruparel College of Arts, Science and Commerce, Mumbai-16
What Is DATA?
• In computing, data is information that has been translated into a form that is more convenient to move or process.

• Relative to today's computers and transmission media, data is information converted into binary digital form.
Computer Forensics

ashwini.solegaonkar@gmail.com
What is Data Recovery
• Data recovery is the process of retrieving corrupt or inaccessible data from damaged or otherwise corrupted digital media when it cannot be accessed normally.

• It is frequently used when the data needs to be recovered from such devices as
DVDs, CDs, Floppy Disks, Hard Disk Drives, Xboxes, Mobile Phones, Tapes,
Memory Cards, Personal Digital Assistants and many other items.

• Causes for Data Loss
  • Mechanical failure of the device
  • Damage to the device
  • Human error
  • Power surges
  • Software viruses

• Data Loss
  • There are two categories of data loss:
    • Logical failures
    • Physical failures

Logical Failures
• Reasons behind a logical hard drive crash include:
  • File system corruption
  • OS malfunction
  • Severe conflict with recently installed hardware/software
  • Virus/malware infection

• Generally, in these situations, data is easier to recover as long as the data has not
been overwritten by subsequent usage.

Physical Hard Drive Failure
• If the BIOS does not show your hard drive, or there is a clicking sound at start-up, or even no sound of disk movement at all, then your hard drive may have been physically damaged.

• It can be a mechanical component failure, electrical damage or firmware corruption that is responsible for the failure of the hard drive.

• With advanced data recovery tools and techniques, a skilled team of engineers and the required Class 100 clean room labs, these recovery service providers are able to recover data from any damaged hard drive safely.

The Data Recovery Process
• Repair Disk
Damage to the hard disk drive, if applicable, is diagnosed and repaired. Damaged components are replaced. Firmware failures are identified and repaired.

• Image Disk
The repaired drive is read and its data copied to another disk, preserving the state of the data as it was when the drive or media was received.

• Retrieve Data
Damage or corruption to the file system is diagnosed and repaired to permit access to the individual files. Individual files are checked for corruption and repaired if necessary.

• Restore Data
The retrieved data is then copied to new media (for example a USB drive) and returned to the client.
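The Image Disk step is where the working copy is made, and it is only useful if unreadable areas are handled predictably and the copy can later be shown to be unchanged. This added Python example (not from the slides) images a constructed flaky source sector by sector, zero-fills the sectors that fail to read while recording their numbers, hashes the result, and re-reads the source to verify the image; the sample data and the failing sectors are constructed.

```python
import hashlib

SECTOR_SIZE = 512


def make_flaky_source(data, bad_sectors):
    """Constructed stand-in for a damaged drive: read_sector(n) returns the
    512 bytes of sector n, or raises OSError for sectors in bad_sectors,
    the way an unreadable area of a platter surfaces to an imaging tool."""
    def read_sector(n):
        if n in bad_sectors:
            raise OSError(f"I/O error reading sector {n}")
        return data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
    return read_sector


def image_device(read_sector, total_sectors):
    """Copy a device sector by sector into an image.

    An unreadable sector is zero-filled so every later sector keeps its
    original offset (file system structures rely on that), and its number
    is logged so the examiner knows which bytes are not genuine.
    Returns (image_bytes, bad_sector_list, sha256_hex_of_image)."""
    image, bad = bytearray(), []
    for n in range(total_sectors):
        try:
            image += read_sector(n)
        except OSError:
            image += bytes(SECTOR_SIZE)
            bad.append(n)
    return bytes(image), bad, hashlib.sha256(image).hexdigest()


def verify_image(read_sector, image, bad):
    """Re-read the source and confirm every readable sector matches the image,
    i.e. the copy preserves the state of the data as received."""
    for n in range(len(image) // SECTOR_SIZE):
        if n not in bad and read_sector(n) != image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]:
            return False
    return True


# Constructed sample: eight sectors filled with 'A'..'H', sectors 2 and 5 unreadable.
SAMPLE_DATA = b"".join(bytes([0x41 + i]) * SECTOR_SIZE for i in range(8))
SOURCE = make_flaky_source(SAMPLE_DATA, bad_sectors={2, 5})

if __name__ == "__main__":
    image, bad, digest = image_device(SOURCE, 8)
    print(f"imaged {len(image)} bytes, unreadable sectors {bad}, sha256 {digest}")
    print("image verified against source:", verify_image(SOURCE, image, bad))
```

The recorded bad-sector list and the hash belong in the examiner's notes together: the hash proves the image has not changed since it was taken, the list says which parts of it were never genuine.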

File system
• A file system is a means to organize data expected to be retained after a program
terminates by providing procedures to store, retrieve and update data, as well as
manage the available space on the device(s) which contain it.

• File systems are used on data storage devices, such as hard disk drives, floppy
disks, optical discs, or flash memory storage devices, to maintain the physical
locations of the computer files.

• Organizes data in an efficient manner and is tuned to the specific characteristics of the device.

• There is usually a tight coupling between the operating system and the file system.

• Controls access to the data and metadata.

• Without a file system, programs would not be able to access data by file name or directory and would need to directly access data regions on a storage device.

File Attributes
• One of the characteristics stored for each file is a set of file attributes that give the operating system and application software more information about the file and how it is intended to be used:
 Read-Only
 Hidden
 System
 Volume Label
 Directory
 Archive

• Read-Only
• Most software, when seeing a file marked read-only, will refuse to delete or modify it.

• This is pretty straightforward. For example, DOS will say "Access denied" if you try to delete a read-only file. On the other hand, Windows Explorer will happily munch it. Some will choose the middle ground: they will let you modify or delete the file, but only after asking for confirmation.

File Attributes
• Hidden
• This one is pretty self-explanatory as well; if the file is marked hidden then under normal circumstances it is hidden from view.

• DOS will not display the file when you type "DIR" unless a special flag is used, as shown in the earlier example.

• System
• This flag is used to tag important files that are used by the system and should not be altered or removed from the disk.

• In essence, this is like a "more serious" read-only flag and is for the most part treated in this manner.

• Volume Label
• Every disk volume can be assigned an identifying label, either when it is formatted, or later through various tools such as the DOS command "LABEL". The volume label is stored in the root directory as a file entry with the label attribute set.

File Attributes
• Directory
• This is the bit that differentiates between entries that describe files and those that describe subdirectories within the current directory.

• In theory you can convert a file to a directory by changing this bit. Of course, in practice, trying to do this would result in a mess: the entry for a directory has to be in a specific format.
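The six attributes listed on these slides are the bits of byte 11 in each 32-byte FAT directory entry, and the volume label and directory cases above are visible right in that byte. This added Python example (not from the slides) decodes a constructed root directory with a volume label entry, a hidden system file, a subdirectory and a deleted file whose first name byte has been overwritten with 0xE5; the entry layout follows the FAT specification, while the names, clusters and sizes are constructed.

```python
import struct

ATTRIBUTES = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",       # byte 11 of a
              0x08: "VOLUME_LABEL", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}  # 32-byte entry
LFN_MASK = 0x0F      # all four low bits set marks a long-file-name entry, not a file
DELETED_MARK = 0xE5  # first name byte of an entry whose file was deleted

def decode_attributes(attr_byte):
    """List the attribute names set in one attribute byte, lowest bit first."""
    return [name for bit, name in sorted(ATTRIBUTES.items()) if attr_byte & bit]

def parse_entry(entry):
    """Parse one 32-byte short-name FAT directory entry into a dict."""
    raw_name, attr = entry[:11], entry[11]
    _, cluster_hi, _, _, cluster_lo, size = struct.unpack_from("<HHHHHI", entry, 18)
    deleted = raw_name[0] == DELETED_MARK
    if attr & 0x08:  # volume label: all 11 bytes are the label, no dot
        name = raw_name.decode("ascii", "replace").rstrip()
    else:
        base = raw_name[:8].decode("ascii", "replace").rstrip()
        ext = raw_name[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]  # the first character is overwritten on deletion
        name = f"{base}.{ext}" if ext else base
    return {"name": name, "attributes": decode_attributes(attr), "deleted": deleted,
            "first_cluster": (cluster_hi << 16) | cluster_lo, "size": size}

def parse_directory(blob):
    """Walk a directory region: stop at the end marker, skip long-name entries."""
    entries = []
    for off in range(0, len(blob) // 32 * 32, 32):
        entry = blob[off:off + 32]
        if entry[0] == 0x00:  # no further entries in this directory
            break
        if entry[11] & LFN_MASK == LFN_MASK:
            continue
        entries.append(parse_entry(entry))
    return entries

def make_entry(name11, attr, first_cluster=0, size=0):
    """Build a constructed entry with zeroed timestamps for the sample below."""
    return struct.pack("<11sBBBHHHHHHHI", name11, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)

# Constructed root directory: label, hidden system file, subdirectory, deleted file.
SAMPLE_DIRECTORY = (make_entry(b"FORENSICS  ", 0x08)
                    + make_entry(b"BOOT    SYS", 0x06, 3, 1024)
                    + make_entry(b"EVIDENCE   ", 0x10, 5)
                    + make_entry(b"\xE5EPORT  TXT", 0x20, 9, 2048) + bytes(32))
```

Note that the deleted entry still carries its first cluster and size, which is why a directory region on a forensic image is worth parsing entry by entry rather than through the file system's own listing.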
How hard disks work?
• If you dismantle a hard disk drive by opening the top casing (after removing the necessary screws), the first thing you will see is a spindle holding one or more mirror-like rotating platters (commonly called data platters).

• The platters spin at extremely high speed, typically between 5,400 and 10,000 revolutions per minute (RPM).

• An extremely thin magnetic coating is layered onto the surface of the platter, which is polished to mirror-like smoothness.

How hard disks work?
• Platter
• The platter is usually made of glass or ceramic (modern platters may use titanium). Commonly a hard disk contains 1 to 10 identical platters that are stacked in parallel to form a cylinder. There is usually one Read Write (RW) head designated per platter face, and each head is attached to a single actuator shaft which moves all heads in unison, performing a uniform synchronous motion during reading or writing of data.
How hard disks work?
• Read Write Head
• The RW head is the key component that performs the reading and writing functions. It is placed on a slider which is in turn connected to an actuator arm, which allows the RW head to access various parts of the platter during data I/O by sliding across the spinning platter.

• Flying Height
• To write a piece of information to the disk, an electromagnetic flux is transmitted through the head, which hovers very close to the platter.
• The RW head floats on a thin cushion of air which the spinning platter induces.
• This designed distance between the head and the platter is called the flying height. It can literally measure a few millionths of an inch.

How hard disks work?
• Read Write Function of Disk
• As the head writes data onto the disk, it changes the magnetic polarization to induce either a one or a zero value.
• During a read request, data is interpreted when the magnetic fields on the platter bring about an electrical change (as a result of a change in the electrical resistance of a special material) in the read head that passes over them.
• These electrical signals are then encoded and transmitted to the CPU to be processed and read by the system.

• Parking of RW Head
• When the computer is switched off, the head is usually pulled to a safe parking zone to prevent it from scratching against the data zone on the platter when the air bearing subsides.
• This process is called parking, and different techniques have been implemented in various hard disks to handle the take-offs and landings.
• In a ramp load/unload design, a lifting mechanism parks the head outside the platter onto a "parking bay" prior to shutdown. It then automatically unparks and relocates itself above the disk platter when the platter spins up to the appropriate rotational speed.
How hard disks work?
• Hard Disk Controller PCB Board

• A hard disk also contains a PCB controller circuit board that regulates data traffic.

• It ensures that large volumes of data can be streamed in and out of the disk smoothly. A logic board that sits under the drive controls and connects the spindle, head actuator, and the various disk functions of the disk.

• Embedded with a micro-controller, it executes self-diagnostic tests and clears the data working area in memory and all internal chip buses in the hard drive when it powers up.

Hard Disk Parts Overview
The investigations triad

• Vulnerability assessment and risk management
• Network intrusion detection and incident response
• Computer investigations

WHAT IS A COMPUTER SECURITY
INCIDENT?
• A computer security incident is any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. Such an action can include any of the following events:

 Theft of trade secrets
 Email spam or harassment
 Unauthorized or unlawful intrusions into computing systems
 Embezzlement
 Denial-of-service (DoS) attacks
 Tortious interference with business relations
 Extortion
 Any unlawful action where the evidence of such action may be stored on computer media, such as fraud, threats, and traditional crimes

WHAT ARE THE GOALS OF INCIDENT
RESPONSE?
• In our incident response methodology, we emphasize the goals of corporate security professionals with legitimate business concerns, but we also take into consideration the concerns of law enforcement officials. Thus, we developed a methodology that promotes a coordinated, cohesive response and achieves the following:

 Prevents a disjointed, noncohesive response (which could be disastrous)
 Confirms or dispels whether an incident occurred
 Promotes accumulation of accurate information
 Establishes controls for proper retrieval and handling of evidence
 Protects privacy rights established by law and policy
 Minimizes disruption to business and network operations

WHAT ARE THE GOALS OF INCIDENT
RESPONSE?
 Allows for criminal or civil action against perpetrators
 Provides accurate reports and useful recommendations
 Provides rapid detection and containment
 Minimizes exposure and compromise of proprietary data
 Protects your organization's reputation and assets
 Educates senior management
 Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, and so on)

INCIDENT RESPONSE METHODOLOGY
In our methodology, there are seven major components of incident
response:
 Pre-incident preparation: Take actions to prepare the organization to deal with an incident.
 Detection of incidents: Identify a potential computer security incident.
 Initial response: Perform an initial investigation, recording the basic details surrounding the incident, assembling the incident response team, and notifying the individuals who need to know about the incident.
 Formulate response strategy: Based on the results of all the known facts, determine the best response and obtain management approval. Determine what civil, criminal, administrative, or other actions are appropriate to take, based on the conclusions drawn from the investigation.

INCIDENT RESPONSE METHODOLOGY
 Investigate the incident: Perform a thorough collection of data. Review the data collected to determine what happened, when it happened, who did it, and how it can be prevented in the future.
 Reporting: Accurately report information about the investigation in a manner useful to decision makers.
 Resolution: Employ security measures and procedural changes, record lessons learned, and develop long-term fixes for any problems identified.

INCIDENT RESPONSE METHODOLOGY