
Digital Forensics

FARAZ ALI
FarazAli@ucp.edu.pk
+92-321-404-1740
OBJECTIVES
• Introduction to Computer Data Recovery

• Boot/Shutdown Sequence of DOS Based Computer and Controlled Boot

• Review of Key DOS Command

• FAT16 File System

• Data Recovery in FAT16

• File Extensions and Headers

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
INTRODUCTION TO COMPUTER DATA RECOVERY
Retrieving deleted data from digital storage media (hard drives, removable media, optical devices, etc.) is called data recovery.

Typical causes of loss include:

• Electric failure
• Mechanical failure
• Natural disaster
• Computer virus
• Data corruption
• Data crime
• Human error

INTRODUCTION TO COMPUTER DATA RECOVERY

[Figure: physically damaged media: burnt, crushed, water damaged]

WHAT IS DATA LOSS?

• Data has been accidentally erased.
• Data is overwritten.
• Data is corrupted.
• Data is inaccessible.
• Data cannot be accessed because of a malfunctioning computer system.
• The backup is corrupted.

WHAT CAUSES DATA LOSS?
• Destroy / Damage
• Natural Disaster
o Earthquake
o Fire
• Hardware Issues
• Virus Attack
• Human Error
o Intentional deletion
o Accidental overwriting of files
• Software Corruption

WHAT CAUSES DATA LOSS?

Cause                          Percentage   Example
Natural Disaster               5%           Fire, flood, lightning, earthquakes
Computer Virus                 15%          Win32.welchia.worm, Download.Trojan, etc.
Software or Application Error  20%          Application error, installing and deleting programs
Human Error                    25%          Accidental deletion, overwriting files, etc.
Hardware & System Problem      35%          Disk drive crash, power surge, manufacturing defect, etc.

FACTS OF DATA RECOVERY

• The MAJORITY of deleted or lost data is recoverable.
• Digital storage systems can fail, but the data stored on them is not necessarily completely lost.
• Even when data has been deleted or damaged and complete recovery is not possible, there is always a chance that some of the data can be recovered.
• Forensic analysts can recover data from crashed hard drives, operating systems, storage devices, servers, desktops, and laptops using various proprietary data recovery tools and techniques.

FACTS OF DATA RECOVERY

• Forensic analysts can recover data from:
o crashed hard drives
o operating systems
o storage devices
o servers
o desktops/laptops

using various data recovery tools and data recovery techniques.

SOFTWARE DATA EXTRACTION

• Data is processed or extracted from an image file and saved to another location or drive.
• Data extraction software scans the sectors of the suspect hard drive(s) bit by bit and reconstructs the file system on another hard drive as an identical copy.
• The software is then used to copy the recoverable data to a destination location or drive.

DATA RECOVERY

• The user can send a failed or corrupted hard disk drive or digital media to a company or government department that performs secure data recovery in a confidential manner.
• The company or government department carefully replaces parts such as the logic board, heads, spindle motor, base casting, etc. in a clean and secure environment.
• Part replacement succeeds in recovering the data in about 50%-70% of cases.

What is Data Acquisition?

• Data acquisition is the process of copying data. In digital forensics, it is the task of collecting digital evidence from electronic media.

• There are two types of data acquisition:
o Static acquisitions
o Live acquisitions

• The processes and data integrity requirements for static and live acquisitions are similar, in that static acquisitions capture data that is not being accessed by other processes that could change it.
• With live acquisitions, file metadata, such as date and time values, changes when read by an acquisition tool.
• With static acquisitions, if you have preserved the original media, making a second static acquisition should produce the same results.

Storage Formats for Digital Evidence

• Data in a forensics acquisition tool is stored as an image file

• Three formats
o Raw format
o Proprietary formats
o Advanced Forensics Format (AFF)

For more information on AFF, see www.afflib.sourceforge.net and www.basistech.com/wp-content/uploads/datasheets/Digital-Forensics-Toolsets-EN.pdf.

Raw Format

• Makes it possible to write bit-stream data to files

• Advantages
o Fast data transfers
o Ignores minor data read errors on the source drive
o Most computer forensics tools can read raw format

• Disadvantages
o Requires as much storage as the original disk or data
o Tools might not collect marginal (bad) sectors

Proprietary Formats

• Most forensics tools have their own formats

• Advantages
o Option to compress or not compress image files
o Can split an image into smaller segmented files
o Can integrate metadata into the image file

• Disadvantages
o Inability to share an image between different tools
o File size limitation for each segmented volume

Advanced Forensics Format

• An open-source acquisition format

• Design goals
o Provide compressed or uncompressed image files
o No size restriction for disk-to-image files
o Provide space in the image file or segmented files for metadata
o Simple design with extensibility
o Open source for multiple platforms and OSs
o Internal consistency checks for self-authentication

• File extensions include .afd for segmented image files and .afm for AFF metadata

• AFF is open source

Acquisition Methods

• Types of acquisitions
o Static acquisitions and live acquisitions

• Four methods of data collection
o Creating a disk-to-image file
o Creating a disk-to-disk copy
o Creating a logical disk-to-disk or disk-to-data file
o Creating a sparse data copy of a file or folder

• Determining the best method depends on the circumstances of the investigation

How to Determine the Best Acquisition Method?

• Creating a disk-to-image file
o Most common method and offers the most flexibility
o Can make more than one copy
o Copies are bit-for-bit replications of the original drive
o Compatible with many commercial forensics tools

• Creating a disk-to-disk copy
o When a disk-to-image copy is not possible
o Tools can adjust the disk's geometry configuration
o Tools: EnCase and X-Ways

How to Determine the Best Acquisition Method?

• Logical acquisition or sparse acquisition
o Can take several hours; use it when your time is limited
o Logical acquisition captures only specific files of interest to the case
o Sparse acquisition collects fragments of unallocated (deleted) data
o For large disks
o .PST or .OST mail files, RAID servers

Things to Consider During Acquisition

• When making a copy, consider:
o Size of the source disk
o Lossless compression might be useful
o Use digital signatures for verification
o When working with large drives, an alternative is using lossless compression
o Whether you can retain the disk
o Time to perform the acquisition
o Where the evidence is located

Acquisition Tools

• Acquisition tools for Windows

• Advantages
o Make acquiring evidence from a suspect drive more convenient
o Especially when used with hot-swappable devices

• Disadvantages
o Must protect acquired data with a well-tested write-blocking hardware device
o Tools can't acquire data from a disk's host-protected area
o Some countries haven't accepted the use of write-blocking devices for data acquisitions

Mini-WinFE Boot CDs and USB Drives

• Mini-WinFE
o Enables you to build a Windows forensic boot CD/DVD or USB drive so that connected drives are mounted as read-only

• Before booting a suspect's computer:
o Connect your target drive, such as a USB drive

• After Mini-WinFE is booted:
o You can list all connected drives and switch your target USB drive to read-write mode so you can run an acquisition program

Capturing an Image with AccessData FTK Imager (1/7)

• Included with AccessData Forensic Toolkit

• Designed for viewing evidence disks and disk-to-image files

• Makes disk-to-image copies of evidence drives
o At logical partition and physical drive level
o Can segment the image file

• Evidence drive must have a hardware write-blocking device
o Or run from a Live CD, such as Mini-WinFE

Capturing an Image with AccessData FTK Imager (2/7)

• FTK Imager can't acquire a drive's host-protected area
• Use a write-blocking device and follow these steps
o Boot to Windows
o Connect evidence disk to a write-blocker
o Connect target disk to write-blocker
o Start FTK Imager Lite
o Create Disk Image - use the Physical Drive option
o See the Figures on the following slides for more steps

[Figure: The FTK Imager main window]

Capturing an Image with AccessData FTK Imager (3/7)

• Boot your forensic workstation to Windows, using an installed write-blocker.
• Connect the evidence drive to a write-blocking device or USB device.
• Connect the target drive to a USB external drive, if you're using a write-blocker.
• Start FTK Imager Lite. If prompted by the User Account Control message box, click Yes.
• In the FTK Imager main window, click File, and Create Disk Image from the menu.
• In the Select Source dialog box, click the Physical Drive option button, if necessary, and then click Next.
• In the Select Drive dialog box, click the Source Drive Selection list arrow (see Figure), click the suspect drive, and then click Finish.

[Figure: The Select Drive dialog box]

Capturing an Image with AccessData FTK Imager (4/7)

• In the Create Image dialog box, click to select the Verify images after they are created check box, if necessary, and then click Add.
• In the Select Image Type dialog box that opens (see Figure), click the Raw (dd) option button, if necessary, and then click Next.

[Figure: The Select Image Type dialog box]

Capturing an Image with AccessData FTK Imager (5/7)

• In the Evidence Item Information dialog box, complete the case information, as shown in the Figure, and then click Next.

[Figure: The Evidence Item Information dialog box]

Capturing an Image with AccessData FTK Imager (6/7)

• In the Select Image Destination dialog box (see Figure), click Browse, navigate to the location for the image file (your work folder), and click to clear the Use AD Encryption check box, if necessary.

[Figure: Selecting where to save the image file]

Capturing an Image with AccessData FTK Imager (7/7)

• In the Image Filename (Excluding Extension) text box, type InChp03-ftk, and then click Finish.
• Next, in the Create Image dialog box, click Start to initiate the acquisition.
• When FTK Imager finishes the acquisition, review the information in the Drive/Image Verify Results dialog box, and then click Close. Click Close again in the Creating Image dialog box (see Figure).
• Exit FTK Imager Lite by clicking File, Exit from the menu.

[Figure: An image save in progress]

WHAT IS AN OPERATING SYSTEM

• A set of programs that controls and coordinates the use of computer hardware among various application programs.
• The computer can be divided into four components:
o Hardware
o Operating System
o Applications
o User

EXAMPLES OF OPERATING SYSTEM

• UNIX
o Solaris
o IRIX
o HP Unix
o DEC Unix
o Linux
• Microsoft
o Disk Operating System (MS-DOS)
o WIN95/10
o WIN NT

EXAMPLES OF OPERATING SYSTEM

Parameter                  32 Bit                                                  64 Bit
Architecture and Software  Allows 32-bit simultaneous data processing.             Allows 64-bit simultaneous data processing.
Compatibility              32-bit applications require 32-bit operating systems    A 64-bit operating system and CPU are required
                           and CPUs.                                               for 64-bit applications.
Systems Available          Windows 7, Windows 8, Windows XP, and Linux models      Vista, 7, Mac OS X, and Ubuntu. Effective Windows XP.
                           are all available.
Memory Limits              32-bit systems are limited to 3.2 GB of RAM.            64-bit systems allow a maximum of 17 Billion GB
                                                                                   (16212 petabytes) of RAM.

FUNCTIONS OF THE OPERATING SYSTEM

• Controlling input/output devices.
• Memory management.
• File storage management.
• CPU scheduling of processes.
• CPU control of processes.
• Loading, initiating, and executing programs.
• Supervising user application programs.
• Handling errors and restarting.
• Providing a command interface between the computer and the user.

DOS BASED COMPUTER

DOS-based systems are similar to today's systems; the only difference is that a DOS-based system uses a set of commands to instruct the system to perform different tasks.
• DOS is a variant of CP/M (Control Program/Monitor).
• The first DOS system was used on the IBM PC in 1981.
• It fits on a small medium such as a floppy disk.
• No GUI was available; only a command-line interface was provided.
• Commands were used to communicate between the user and the system.
Versions of DOS
• MS-DOS (Microsoft)
• PC-DOS (IBM)
• etc.

BOOTING SEQUENCE

Booting process:
• The computer loads the operating system into its memory.

DOS booting involves reading the following files into memory:
• IO.SYS
• MSDOS.SYS
• COMMAND.COM

BOOTING SEQUENCE
Basic Input/Output Program (IO.SYS):
•This program provides an interface between the hardware devices and software of the system.
•It takes care of the keyboard input, character output to monitor, output to the printer, and time of the day.
The File and Disk Manager Program (MSDOS.SYS) :
•It contains file management and disk buffering management capabilities.
•It keeps track of all the disk access of an application program and remains permanently in memory.
The Command Processor (COMMAND.COM) :
•It is also called a command interpreter.
•It is the program that displays the system prompt and handles the user interface by executing the command
typed in by the user using the keyboard.

DOS COMMAND

Types of DOS Commands

• Internal
o Commands that are already loaded as part of COMMAND.COM when MS-DOS starts.
o Example: CLS, DEL, etc.
• External
o Commands that are not loaded with the command processor but are available as separate programs on the disk and can be invoked whenever necessary.
o Example: FORMAT, COPY, etc.

DOS COMMAND

Directory
• Root directory
• Parent directory
A command is a set of instructions used to perform a specific task.
• It is interpreted by the OS command interpreter into machine language.
o E.g. cd Ram, etc.
If the user requires help with any DOS command, the user can type help followed by the command name at the command prompt.

BASIC DOS COMMANDS

• Directory Commands

• File Management Commands

• General Commands

DIRECTORY COMMANDS
DIR :
To list all or specific files of any directory on a specified disk.
MD :
To make directory or subdirectory on a specified disk/drive.
CD or CHDIR :
Change the DOS current working directory to the specified directory on the specified disk or check for the
current directory on the specified or default drive.
RMDIR or RD :
Removes a specified sub-directory only when it is empty. This command cannot remove the root directory
(C:\) or the current working directory.
TREE :
Displays all of the directory paths found on the specified drive.

DIRECTORY COMMANDS

• DIR /AH : Displays all hidden files and directories.
• DIR /A-D : Displays only files.
• DIR /AD : Displays only directories.
• DIR /A /S : Displays all directories and files, including those in subdirectories.
• DIR /A : Displays all hidden and non-hidden files and directories.
• DIR N*.* : Displays all files and directories whose names start with the letter 'n'.

FILE MANAGEMENT COMMANDS

COPY :
Copies one or more files from the source disk/drive to the specified disk/drive.
DEL :
Removes specified files from specified disk/drive.
REN :
Changes the name of a file (renames it).
ATTRIB :
Sets or shows file attributes (read, write, hidden, archive).
FORMAT :
Formats a disk/drive for data storage and use.

GENERAL COMMANDS

TIME :
Sets or displays the system time.
DATE :
Sets or displays system date.
TYPE :
Displays the contents of the specified file.
PROMPT :
Customizes the DOS command prompt.

SHUT DOWN OR RESTART

Shut Down Computer Using DOS Command

shutdown -s

Restart Windows using DOS Command

shutdown -r

REVIEW OF KEY DOS COMMAND
• A list of each MS-DOS and Windows command line command listed on Computer Hope with a brief
explanation is available in Google Classroom.

(LECTURE 4 DOS COMMAND LIST)

• This list contains commands available for users.


• This does not mean that all the commands are going to work with your version of MS-DOS or Windows.

FAT FILE SYSTEM
• FAT stands for "File Allocation Table".

• Created by Microsoft in 1977.

• The FAT file system does not contain any data that falls into the application category.

• Each file and directory is allocated a data structure, the directory entry, which contains the name, size, and starting address of the file content.

• The FAT structure is used to identify the next cluster in a file.

• It also identifies the allocation status of clusters.

• Because of fragmentation, a file's data may be stored in scattered clusters.

• The FAT file system keeps track of where the scattered data is.

FAT FILE SYSTEM
• There are four types of FAT systems:
o FAT 8
o FAT 12
o FAT 16
o FAT 32
• The major difference among them is the size of the entries in the above types of FAT file systems.

• FAT is still used as a preferred file system.

FAT FILE SYSTEM

[Figure: Relationship between the directory entry structures, clusters and FAT structures.]

FAT FILE SYSTEM
• The FAT file system has three physical sections.

• Reserved Area:
It includes data in the file system category (the boot sector); it is typically only 1 sector in size, and its size is defined in the boot sector.
• FAT Area:
It contains the primary and backup FAT structures. It starts immediately after the reserved area, and its size is calculated from the number and size of the FAT structures.
• Data Area:
It contains the clusters that are allocated to store file and directory content.

FAT FILE SYSTEM
FAT 8:
• Introduced in 1977; used with the 8086 processor and had limited uses.

FAT 12:
• Introduced in 1980. FAT12 uses 12-bit entries and had the following limitations:
• No hierarchical directories.
• Cluster addresses were only 12 bits long.
• Disk size was stored as a 16-bit count of sectors.
• Drive sizes and file sizes of up to 16 MB using a 4 KB cluster or 32 MB using an 8 KB cluster.
• File names in FAT12 cannot exceed 8 characters plus 3 for the extension.

FAT FILE SYSTEM
FAT 16:
• Used in both older and modern systems.
• FAT16 was the primary file system for MS-DOS 4.0 and MS-DOS 6.22.
• Uses 16 bits for addressing clusters.
• Formatted drives can range from 2 GB to 16 GB.
• FAT16 holds a maximum of 65,536 files.

FAT FILE SYSTEM
FAT 32:
• Introduced in 1996 for Windows 95.
• Supports larger volumes, better performance, and flexibility.
• Enables partition sizes of up to 2 TB or more.
• FAT32 holds up to 268,173,300 files.

DATA RECOVERY IN FAT16
• Analyze the file system category of data.
• Determine the file system layout and configuration.
• Only then can specific analysis techniques be conducted.
• Find out which OS formatted the disk, or whether there is hidden data.
• To do this, locate and process the boot sector.
• The data in the boot sector might provide clues about recent activity, and the location of the other structures is given in the boot sector.
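As an added worked example (not part of the original slides), the following Python script shows how the boot sector, FAT area, data area and root directory fit together and how a deleted FAT16 file is recovered: it builds a small constructed FAT16 image (assumed layout: 512-byte sectors, one sector per cluster, two FATs, 16 root entries), derives the three areas from the BIOS Parameter Block, follows the FAT chain of an allocated file, and recovers a deleted entry by assuming its clusters were contiguous while checking that none of them has since been reallocated. All names and contents in it are constructed.

```python
"""FAT16 boot sector, root directory and deleted-file recovery on a constructed image."""
import struct

# BPB at offset 11: bytes/sector, sectors/cluster, reserved sectors, FAT count, root entries, total sectors (16-bit), media byte (skipped), sectors/FAT
BPB_FMT = "<HBHBHHxH"
EOC = 0xFFF8  # FAT16 entry values >= 0xFFF8 terminate a cluster chain

def fat16_layout(img):
    """Derive the reserved area, FAT area and data area offsets from the boot sector."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("missing boot sector signature")
    bps, spc, reserved, nfats, root_entries, _total, spf = struct.unpack_from(BPB_FMT, img, 11)
    fat_start = reserved * bps                   # FAT area follows the reserved area
    root_start = fat_start + nfats * spf * bps   # root directory follows every FAT copy
    data_start = root_start + root_entries * 32  # data area (cluster 2) follows the root
    return {"cluster_size": spc * bps, "fat_start": fat_start, "root_start": root_start, "root_entries": root_entries, "data_start": data_start}

def fat_entry(img, lay, cluster):
    return struct.unpack_from("<H", img, lay["fat_start"] + 2 * cluster)[0]

def cluster_bytes(img, lay, cluster):
    off = lay["data_start"] + (cluster - 2) * lay["cluster_size"]
    return bytes(img[off:off + lay["cluster_size"]])

def list_root(img):
    """Root directory entries, including deleted ones (first name byte 0xE5)."""
    lay, entries = fat16_layout(img), []
    for i in range(lay["root_entries"]):
        e = img[lay["root_start"] + 32 * i:lay["root_start"] + 32 * i + 32]
        if e[0] == 0x00:                      # 0x00: no more entries
            break
        if e[11] & 0x08 or e[11] == 0x0F:     # skip volume label and long-name entries
            continue
        deleted = e[0] == 0xE5
        raw = (b"_" if deleted else e[0:1]) + e[1:11]  # first character is lost on delete
        name = raw[:8].decode("ascii").rstrip() + "." + raw[8:].decode("ascii").rstrip()
        start, size = struct.unpack_from("<HI", e, 26)
        entries.append({"name": name, "deleted": deleted, "start": start, "size": size})
    return entries

def read_allocated(img, entry):
    """Follow an allocated file's FAT chain and return its first `size` bytes."""
    lay, data, cluster, seen = fat16_layout(img), b"", entry["start"], set()
    while 2 <= cluster < EOC and cluster not in seen:  # `seen` guards against corrupt loops
        seen.add(cluster)
        data += cluster_bytes(img, lay, cluster)
        cluster = fat_entry(img, lay, cluster)
    return data[:entry["size"]]

def recover_deleted(img, entry):
    """Deletion zeroes the chain: assume contiguous clusters, recover only if all are still free."""
    lay = fat16_layout(img)
    count = -(-entry["size"] // lay["cluster_size"])  # ceiling division
    clusters = range(entry["start"], entry["start"] + count)
    if any(fat_entry(img, lay, c) != 0 for c in clusters):
        return None                                    # reallocated: content may be overwritten
    return b"".join(cluster_bytes(img, lay, c) for c in clusters)[:entry["size"]]

def dir_entry(name11, start, size):
    e = bytearray(32)
    e[0:11], e[11] = name11, 0x20               # 0x20 = archive attribute: ordinary file
    struct.pack_into("<HI", e, 26, start, size)
    return bytes(e)

def build_sample_image():
    """Constructed volume: HELLO.TXT allocated in clusters 2-3, SECRET.TXT deleted (cluster 4)."""
    img = bytearray(512 * 64)
    struct.pack_into(BPB_FMT, img, 11, 512, 1, 1, 2, 16, 64, 1)
    img[510:512] = b"\x55\xAA"
    fat = bytearray(512)
    struct.pack_into("<HHHH", fat, 0, 0xFFF8, 0xFFFF, 3, 0xFFFF)  # 2 -> 3 -> EOC; 4 stays free
    img[512:1024], img[1024:1536] = fat, fat    # primary and backup FAT (sectors 1-2)
    root = 1536                                 # sector 3 holds the 16 root entries
    img[root:root + 32] = dir_entry(b"HELLO   TXT", 2, 600)
    img[root + 32:root + 64] = dir_entry(b"\xE5ECRET  TXT", 4, 20)
    img[2048:2648] = b"A" * 512 + b"B" * 88     # clusters 2-3 (sectors 4-5)
    img[3072:3092] = b"top secret notes xyz"    # cluster 4 (sector 6): content still on disk
    return img
```

The first character of a deleted name is shown as "_" because the 0xE5 marker overwrites it; on a real volume the same check against reused clusters is what separates a clean recovery from a partially overwritten one.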

DATA RECOVERY IN FAT16
• Clusters marked as bad in a FAT file system should be examined.
• Many disks handle bad sectors at the hardware level, so the operating system does not have to.
• Bad data units should be examined in any type of file system, as Microsoft stores data in FAT clusters that are marked as bad.

FILE EXTENSIONS AND HEADERS
• File extensions are the letters after the dot in a file name.
• These letters tell you what kind of file it is and which program it will open in.
• Some file extensions are visible and some are hidden. Hidden ones can be shown by changing the viewing option in Windows:
My Computer and choose Tools > Folder Options > View > Details
• The file extension is the ending of a file name that helps identify the type of file in operating systems such as Microsoft Windows.

Validating Data Acquisitions
• Validating evidence may be the most critical aspect of computer forensics

• Requires using a hashing algorithm utility

• Validation techniques
o CRC-32, MD5, and SHA-1 to SHA-512

Linux Validation Methods

• Validating dd-acquired data
o You can use the md5sum or sha1sum utilities
o md5sum or sha1sum should be run on all suspect disks and volumes or segmented volumes

• Validating dcfldd-acquired data
o Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
o The hashlog option outputs hash results to a text file that can be stored with the image files
o The vf (verify file) option compares the image file to the original medium

Windows Validation Methods

• Windows has no built-in hashing algorithm tools for computer forensics
o Third-party utilities can be used

• Commercial computer forensics programs also have built-in validation features
o Each program has its own validation technique

• Raw format image files don't contain metadata
o Separate manual validation is recommended for all raw acquisitions

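An added example (not from the slides or from any of the tools named in them) of the manual validation that the Linux and Windows validation slides describe, written in Python: it hashes the source medium and the raw image, treating segmented image files as one stream the way md5sum would treat the unsplit disk, records the result in a hashlog-style text like dcfldd's hashlog option, and shows that a single altered byte in one segment is reported as a mismatch. The file names and the 3 MiB pseudo-disk are constructed.

```python
"""Manual validation of a raw (dd-style) acquisition with hashes, on constructed data."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images never have to fit in memory


def hash_files(paths, algorithms=("md5", "sha256")):
    """Hash the concatenation of `paths` as one stream, so a segmented raw image
    (image.001, image.002, ...) yields the same digest as the unsplit source."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for path in paths:
        with open(path, "rb") as f:
            for piece in iter(lambda: f.read(CHUNK), b""):
                for h in hashers.values():
                    h.update(piece)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_acquisition(source, segments, algorithms=("md5", "sha256")):
    """Compare source and image digests; return (all_match, hashlog_text)."""
    src = hash_files([source], algorithms)
    img = hash_files(segments, algorithms)
    lines = []
    for a in algorithms:
        status = "MATCH" if src[a] == img[a] else "MISMATCH"
        lines.append(f"{a}: source={src[a]} image={img[a]} {status}")
    return all(src[a] == img[a] for a in algorithms), "\n".join(lines) + "\n"


def split_image(source, segment_size, dest_dir):
    """Raw copy of `source` into fixed-size segment files, as imaging tools do
    when asked to segment an image."""
    paths = []
    with open(source, "rb") as f:
        for n, piece in enumerate(iter(lambda: f.read(segment_size), b""), start=1):
            path = os.path.join(dest_dir, f"image.{n:03d}")
            with open(path, "wb") as out:
                out.write(piece)
            paths.append(path)
    return paths


def demo():
    """Constructed run: a 3 MiB pseudo-disk is imaged into 1 MiB segments and validated;
    then one byte of a segment is flipped and validation is repeated."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_disk.raw")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * (3 * CHUNK // 256))
        segments = split_image(source, CHUNK, workdir)
        ok_clean, log_clean = verify_acquisition(source, segments)
        with open(segments[1], "r+b") as f:  # corrupt one byte in the second segment
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        ok_tampered, log_tampered = verify_acquisition(source, segments)
    return {"segments": len(segments), "ok_clean": ok_clean, "ok_tampered": ok_tampered,
            "log_clean": log_clean, "log_tampered": log_tampered}


if __name__ == "__main__":
    result = demo()
    print(result["log_clean"])
    print(result["log_tampered"])
```

Against a real evidence drive the source path would be the block device behind a write-blocker; hashing it a second time after imaging is also the practical check that a static acquisition did not alter the original.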
Using Remote Network Acquisition Tools
• You can remotely connect to a suspect computer via a network connection and copy data from it
• Remote acquisition tools vary in configurations and capabilities
• Drawbacks
o Antivirus, antispyware, and firewall tools can be configured to ignore remote access programs
o Suspects could easily install their own security tools that trigger an alarm to notify them of remote access intrusions

Remote Acquisition with ProDiscover (1/2)

• ProDiscover Incident Response functions:
o Capture volatile system state information
o Analyze current running processes
o Locate unseen files and processes
o Remotely view and listen to IP ports
o Run hash comparisons
o Create a hash inventory of all files remotely

• PDServer remote agent
o ProDiscover utility for remote access
o Needs to be loaded on the suspect computer

Remote Acquisition with ProDiscover (2/2)
• PDServer installation modes
o Trusted CD
o Preinstallation
o Pushing out and running remotely

• PDServer can run in a stealth mode
o Can change its process name to appear as an OS function

• Remote connection security features
o Password protection
o Encryption
o Secure communication protocol
o Write-protected trusted binaries
o Digital signatures

Remote Acquisition with EnCase Enterprise

EnCase Endpoint Investigator can perform the following functions:
• Search and collect internal and external network systems over a wide geographical area
• Support multiple OSs and file systems
• Triage to help determine systems' relevance to an investigation
• Perform simultaneous searches of up to five systems at a time

Remote Acquisition with R-Tools R-Studio
• The R-Tools suite of software is designed for data recovery
• Can remotely access networked computer systems
• Creates raw format acquisitions
• Supports various file systems

Using Other Forensics-Acquisition Tools

Other commercial acquisition tools
• PassMark Software ImageUSB
• ASRData SMART
• Runtime Software
• ILookIX Investigator IXimager
• SourceForge

FILE EXTENSIONS AND HEADERS

Document File Types

Extension   Document type
doc         Microsoft Word
xls         Microsoft Excel
ppt         Microsoft PowerPoint
pub         Microsoft Publisher
wps         Microsoft Works
wpd         Word Perfect
pdf         Adobe Reader file
rtf         Rich Text Format (opens in Word)
txt         Text file (opens in Notepad)

Video File Types

Extension   Media file type
mov         QuickTime
avi         Windows Media Player
mpeg        Opens in Windows
wmv         Windows Media Player
asf         Windows Media Player
gvi         Google Video Player
rm          Real Media Player
swf         Flash Player

Thank You
Question and Answers
