46 Cards in this Set
Raw format |
Makes it possible to write bit-stream data to files. Advantages: fast data transfers; most computer forensics tools can read raw format. Disadvantages: requires as much storage as the original disk or data |
|
Advanced forensics format |
Design goals: provide compressed or uncompressed image files; no size limit for disk-to-image files; open source |
|
Types of acquisitions |
Static: device powered off. Live: device powered on |
|
4 methods of data collection |
Disk-to-image file; disk-to-disk; logical disk-to-disk or disk-to-data; sparse data copy of a file or folder |
|
Disk to image file |
Most common method and offers the most flexibility. Can make more than one copy. Copies are bit-for-bit replications of the original. Most forensic tools have this capability |
|
Disk to disk |
Used when disk-to-image is not possible. Tools can adjust the target disk's geometry configuration. Some forensic tools have this capability |
|
Logical or sparse acquisitions |
Logical acquisition captures only specific files of interest to the case; sparse acquisition collects fragments of unallocated (deleted) data |
|
digital hash |
3 rules for forensic hashes: you can't predict the hash value of a file or device; no two different files or devices can have the same hash value; if anything changes in the file or device, the hash value must change |
|
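The disk-to-image and digital hash cards above describe one procedure: copy every bit of the source, hash it in the same pass, and later prove the image still matches. The example below is added here and is not from the original card set or any named tool. It stands in a constructed byte string for the suspect device (a real acquisition reads the block device read-only behind a write blocker) and shows the raw-format size cost, the acquisition hashes, successful verification of the image, and the third hash rule: flipping a single bit makes verification fail.

```python
import hashlib
import io

# Constructed stand-in for a suspect disk: not real evidence, just bytes.
SAMPLE_DEVICE = bytes(range(256)) * 64 + b"EVIDENCE: sample text in slack\x00" * 8

CHUNK = 4096  # read the source in fixed-size blocks, as a bit-stream copy does


def acquire_disk_to_image(src, dst, chunk=CHUNK):
    """Bit-stream copy every byte of src to dst, hashing in the same pass.

    Returns byte count plus MD5 and SHA-1 hex digests of the copied data,
    which become the acquisition hashes recorded with the image.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = 0
    while True:
        block = src.read(chunk)
        if not block:
            break
        dst.write(block)
        md5.update(block)
        sha1.update(block)
        total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_image(data):
    """Hash an image that is already in memory (used later for verification)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def verify_image(image_bytes, acquisition_hashes):
    """Verification: the image's hashes must equal the hashes taken at acquisition."""
    h = hash_image(image_bytes)
    return (h["md5"] == acquisition_hashes["md5"]
            and h["sha1"] == acquisition_hashes["sha1"])


def run_demo(device_bytes=SAMPLE_DEVICE):
    src = io.BytesIO(device_bytes)
    image = io.BytesIO()
    acq = acquire_disk_to_image(src, image)
    image_bytes = image.getvalue()
    # Raw format: the image is exactly as large as the source.
    same_size = len(image_bytes) == len(device_bytes) == acq["bytes"]
    verified = verify_image(image_bytes, acq)
    # Third hash rule: change one bit anywhere and the hash must change.
    tampered = bytearray(image_bytes)
    tampered[len(tampered) // 2] ^= 0x01
    tampered_verified = verify_image(bytes(tampered), acq)
    return {"same_size": same_size, "verified": verified,
            "tampered_verified": tampered_verified, **acq}


if __name__ == "__main__":
    print(run_demo())
```

Hashing during the copy rather than afterwards matters on real media: a second read of a failing drive may return different bytes, so the hash you record must come from the same pass that produced the image.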
scope creep |
when an investigation expands beyond the original description |
|
investigation plan |
Goal and scope of the investigation; materials and resources needed; tasks to perform; reporting. The approach depends on the case |
|
Data hiding |
changing or manipulating a file to conceal information |
|
data hiding techniques |
hiding entire partitions; changing file extensions; setting file attributes to hidden; bit shifting; using encryption; setting up password protection |
|
EnCase acquisitions |
outputs evidence image files in two formats: Ex01 and E01 (legacy) |
|
three sub-folders |
export, temp, report |
|
ftk imager acquisitions |
outputs image files in 4 formats: EnCase (E01), raw (DD), SMART (S01), Advanced Forensic Format (AFF) |
|
prodiscover acquisition |
image formats: Unix dd (most common, no metadata); ProDiscover (.eve), recommended, carries metadata |
|
recognizing graphics file |
graphics files contain digital photos, line art, 3-D images |
|
bit map images |
collection of dots: grids of individual pixels. Bitmap formats: .png, .gif, .jpeg, .bmp, .tiff |
|
vector graphics |
based on math (lines) instead of dots; smaller than bitmap files; preserve quality when the image is enlarged. Tools: CorelDraw, Adobe Illustrator. Formats: .hpgl, .dxf |
|
metafile graphics |
combination of bitmap and vector, e.g. a scanned photo (bitmap) with text (vector) |
|
raster images |
similar to a bitmap in that it is also a collection of pixels (pixels stored in rows, better for printing) |
|
digital camera file formats |
raw file format: the digital negative. Demosaicing: the process of converting raw picture data into another format. Exchangeable image file (Exif): commonly used to store digital pictures; carries metadata. To view Exif: an Exif reader, ProDiscover |
|
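Exif metadata lives in a JPEG APP1 segment that wraps a little TIFF structure (byte-order mark, IFD0, tag entries, then a data area for values longer than four bytes). The parser below is an added example, not code from the card set or from any Exif reader it names; it builds a constructed JPEG with three tags (Make, Orientation, DateTime) in either byte order and walks the segment and IFD by hand, which is exactly what an examiner needs when a viewer refuses a damaged file.

```python
import struct

# TIFF field types -> size of one element (only the common ones are needed here)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation",
             0x0132: "DateTime", 0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer"}


def build_sample_jpeg(e="<"):
    """Constructed sample: minimal JPEG (SOI, APP1/Exif, EOI) with three tags.
    e is the struct byte-order prefix: "<" writes an "II" TIFF, ">" an "MM" one."""
    order = b"II" if e == "<" else b"MM"
    entries = [  # (tag, type, raw payload bytes)
        (0x010F, 2, b"Canon\x00"),                 # ASCII, longer than 4 bytes -> pointer
        (0x0112, 3, struct.pack(e + "H", 1)),      # SHORT, fits inline in the 4-byte field
        (0x0132, 2, b"2023:01:02 03:04:05\x00"),   # ASCII, pointer
    ]
    ifd_offset = 8
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4
    ifd = struct.pack(e + "H", len(entries))
    blob = b""
    for tag, typ, payload in entries:
        count = len(payload) // TYPE_SIZES[typ]
        if len(payload) <= 4:
            ifd += struct.pack(e + "HHI", tag, typ, count) + payload.ljust(4, b"\x00")
        else:
            ifd += struct.pack(e + "HHII", tag, typ, count, data_offset + len(blob))
            blob += payload
    ifd += struct.pack(e + "I", 0)  # no IFD1
    tiff = order + struct.pack(e + "HI", 0x2A, ifd_offset) + ifd + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_tiff(t):
    """Parse IFD0 of an embedded TIFF block and return {tag name: value}."""
    if t[:2] == b"II":
        e = "<"
    elif t[:2] == b"MM":
        e = ">"
    else:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(e + "HI", t[2:8])
    if magic != 0x2A:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(e + "H", t[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, typ, n, valfield = struct.unpack(e + "HHI4s", t[off:off + 12])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            raw = valfield[:size]                    # value stored inline
        else:
            ptr = struct.unpack(e + "I", valfield)[0]  # offset from TIFF header start
            raw = t[ptr:ptr + size]
        name = TAG_NAMES.get(tag, "0x%04X" % tag)
        if typ == 2:
            tags[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            vals = struct.unpack(e + "%d%s" % (n, "H" if typ == 3 else "I"), raw)
            tags[name] = vals[0] if n == 1 else vals
        else:
            tags[name] = raw
    return tags


def parse_exif(jpeg):
    """Walk JPEG marker segments until APP1/Exif is found; {} if there is none."""
    if not jpeg.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG (no SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker at %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more header segments
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return parse_tiff(body[6:])
        pos += 2 + seglen
    return {}
```

The pointer check (`size <= 4` inline, otherwise an offset relative to the TIFF header, not to the file) is where hand-written parsers usually go wrong, and it is also why Exif offsets survive when the APP1 segment is copied out of one JPEG into another.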
data compression |
coding data from a larger to a smaller form (lossless or lossy) |
|
lossless compression |
reduces file size without removing data (WinZip, PKZip, FreeZip) |
|
Lossy compression |
permanently discards bits of information. Vector quantization (VQ) determines what data to discard based on vectors in the graphics file. JPEG is the familiar lossy image format (note that Lzip, often listed here, is actually a lossless compressor) |
|
Identifying graphics file fragments |
carving or salvaging: recovering any type of file fragments. DF tools can carve from file slack and free space, help identify image file fragments, and put them together |
|
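Header-to-footer carving, as an added example (not code from the card set or any carving tool): scan a constructed block of "unallocated space" for the JPEG SOI and PNG signatures, then run forward to each format's footer (JPEG EOI, or the PNG IEND chunk plus its CRC). A fragment whose footer never appears is still reported, flagged as incomplete, which is the case a sparse acquisition of deleted data usually produces.

```python
import re

JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND"  # followed by a 4-byte CRC, which ends the file

# Constructed sample files and a block of "free space" containing them.
JPEG_A = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"\x11" * 40 + JPEG_EOI
PNG_A = (PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x37\x6e\xf9\x24"
         + b"\x00\x00\x00\x00IEND\xaeB`\x82")
JPEG_FRAG = JPEG_SOI + b"\xe1" + b"\x22" * 20        # truncated: no EOI follows
FILLER = b"\x00" * 32
UNALLOCATED = FILLER + JPEG_A + FILLER + PNG_A + FILLER + JPEG_FRAG


def carve(blob):
    """Return carved file records sorted by offset: type, offset, length, complete."""
    found = []
    for m in re.finditer(re.escape(JPEG_SOI), blob):
        start = m.start()
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            # Header without footer: keep the fragment to the end of the blob.
            found.append({"type": "jpeg", "offset": start,
                          "length": len(blob) - start, "complete": False})
        else:
            found.append({"type": "jpeg", "offset": start,
                          "length": end + len(JPEG_EOI) - start, "complete": True})
    for m in re.finditer(re.escape(PNG_SIG), blob):
        start = m.start()
        iend = blob.find(PNG_IEND, start + len(PNG_SIG))
        if iend == -1:
            found.append({"type": "png", "offset": start,
                          "length": len(blob) - start, "complete": False})
        else:
            end = iend + len(PNG_IEND) + 4          # include the CRC of the IEND chunk
            found.append({"type": "png", "offset": start,
                          "length": end - start, "complete": True})
    return sorted(found, key=lambda r: r["offset"])


def extract(blob, record):
    """Slice one carved file out of the blob."""
    return blob[record["offset"]:record["offset"] + record["length"]]


if __name__ == "__main__":
    for rec in carve(UNALLOCATED):
        print(rec)
```

JPEG entropy-coded data never contains a bare 0xFFD9 (0xFF is always stuffed or followed by a restart marker), so the first EOI after the SOI is a safe footer; for PNG the IEND chunk's fixed CRC is the natural end. Real carvers go further (validating the IHDR length, handling fragmented files), but the header/footer pass is the first step they all share.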
steganography |
hides information inside image files; two major forms: insertion and substitution |
|
Insertion steganography |
hidden data is not displayed when viewing the host file in its associated program; you need to analyze the data structure carefully |
|
substitution steganography |
replaces bits of the host file with other bits of data; usually changes the last two LSBs (least significant bits); detected with steganalysis tools. Clue: duplicate files with different hash values |
|
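The substitution card above is easiest to believe once you have done it. This added example (not code from the card set or from any steganography tool) writes a payload into the two least significant bits of a constructed 8-bit pixel buffer, reads it back, and then measures what an examiner would see: same length, every pixel within 3 of the original, but a different hash, which is precisely the "duplicate files with different hash values" clue. It works on raw pixel data (as in a BMP), not on a compressed JPEG byte stream.

```python
import hashlib

# Constructed 8-bit grayscale pixel row standing in for an image's pixel data.
COVER = bytes((i * 7) % 256 for i in range(400))


def embed_lsb(cover, payload, bits=2):
    """Substitution steganography: overwrite the lowest `bits` bits of each
    cover byte with payload bits. A 16-bit big-endian length is prefixed so
    the extractor knows where the payload ends."""
    data = len(payload).to_bytes(2, "big") + payload
    capacity_bytes = len(cover) * bits // 8
    if len(data) > capacity_bytes:
        raise ValueError("payload too large for cover")
    bitstream = "".join(f"{b:08b}" for b in data)
    keep_mask = 0xFF & ~((1 << bits) - 1)   # clears the bits we will replace
    out = bytearray(cover)
    for i in range(0, len(bitstream), bits):
        chunk = bitstream[i:i + bits].ljust(bits, "0")
        out[i // bits] = (out[i // bits] & keep_mask) | int(chunk, 2)
    return bytes(out)


def extract_lsb(stego, bits=2):
    """Reassemble the payload from the lowest `bits` bits of each byte."""
    low = (1 << bits) - 1
    bitstream = "".join(format(b & low, f"0{bits}b") for b in stego)
    raw = bytes(int(bitstream[i:i + 8], 2) for i in range(0, len(bitstream) - 7, 8))
    n = int.from_bytes(raw[:2], "big")
    return raw[2:2 + n]


def compare(cover, stego):
    """What an examiner sees when comparing the two 'duplicate' files."""
    return {
        "same_length": len(cover) == len(stego),
        "max_delta": max(abs(a - b) for a, b in zip(cover, stego)),
        "md5_cover": hashlib.md5(cover).hexdigest(),
        "md5_stego": hashlib.md5(stego).hexdigest(),
        "hashes_differ": hashlib.md5(cover).digest() != hashlib.md5(stego).digest(),
    }


if __name__ == "__main__":
    s = embed_lsb(COVER, b"secret")
    print(extract_lsb(s), compare(COVER, s))
```

With two bits per byte the largest per-pixel change is 3 out of 255, invisible to the eye, which is why the hash comparison (or a statistical LSB test) is the detection path rather than looking at the picture.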
Acquisition |
making a copy of the original drive; two types of methods: 1. physical copying of the entire drive 2. logical copying of a disk partition |
|
Acquisition subfunctions |
physical data copy; logical data copy; data acquisition format; command-line acquisition; GUI acquisition; remote, live and memory acquisitions |
|
hardware forensic tools |
range from single purpose components to complete computer systems and servers |
|
software forensic tools |
command-line applications and GUI applications, commonly used to copy data from a suspect's disk drive to an image file |
|
tasks performed by df tools |
1. acquisition 2. validation and verification 3. extraction 4. reconstruction 5. reporting |
|
validation |
a way to confirm that a tool is functioning as intended |
|
verification |
proves that two sets of data are identical by calculating hash values or using another similar method |
|
Subfunctions of verification and validation |
hashing (MD5 and SHA-1); filtering based on hash value sets; analyzing file headers to determine file types (see whether a file extension is incorrect for the file type) |
|
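File-header analysis is the check that catches the "changing file extensions" trick from the data-hiding card. The example below is added here and is not from the card set or any named tool: it identifies the graphics formats listed on the bitmap card (plus two common non-image types) by their leading bytes and flags any file whose extension disagrees with what the header says, running over a constructed set of sample files.

```python
import os

# Magic numbers for the bitmap formats on the card, plus two non-image types
# that often turn up renamed. Order matters only where prefixes could overlap.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"BM", "bmp"),
    (b"II*\x00", "tiff"),    # little-endian TIFF
    (b"MM\x00*", "tiff"),    # big-endian TIFF
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
]

# Extensions that name the same format as the header type above.
EXTENSION_ALIASES = {"jpg": "jpeg", "jpe": "jpeg", "tif": "tiff"}

# Constructed sample files: name -> first bytes of content.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,     # a PNG renamed to .txt
    "readme.txt": b"plain text, no known signature",
    "archive.tiff": b"PK\x03\x04" + b"\x00" * 16,         # a ZIP renamed to .tiff
}


def identify_by_header(data):
    """Return the format named by the file's leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def check_extension(name, data):
    """Compare the claimed extension with the header-identified type."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    actual = identify_by_header(data)
    return {"name": name, "extension": ext, "header_type": actual,
            # Only a known header that disagrees is a mismatch; unknown
            # headers (plain text) are reported but not flagged.
            "mismatch": actual is not None and actual != ext}


def scan(files=SAMPLES):
    return [check_extension(name, data) for name, data in files.items()]


if __name__ == "__main__":
    for row in scan():
        print(row)
```

On a real case folder you would read only the first few dozen bytes of each file and feed the hits to the carving and hash-set stages; a known-good hash set filters out OS files before this check ever runs.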
Extraction |
recovery task in a digital investigation; the most challenging of all tasks to master; recovering data is the first step to analyzing data |
|
subfunctions of extraction |
data viewing, keyword searching, decompressing or uncompressing, carving, decrypting, tagging |
|
reconstruction |
to re-create a suspect drive to show what happened during a crime or an incident, or to re-create a victim drive to return property and minimize inconvenience or re-victimization |
|
Methods of reconstruction |
disk-to-disk copy; partition-to-partition; image-to-disk; image-to-partition. The simplest method is to use a tool that makes a direct disk-to-image copy (EnCase, FTK, ProDiscover) |
|
Reporting |
to perform a forensic disk analysis and examination you need to create a report |
|
Write blocker |
prevents data writes to a hard disk. Software-enabled: typically run in shell mode. Hardware-enabled: act as a bridge between the suspect drive and the forensic workstation |
|
using validation protocols |
always verify your results by performing the same tasks with other similar forensics tools; use at least two tools |
|
storage formats for digital evidence |
data in a forensics acquisition tool is stored as an image file: 1. raw format 2. proprietary formats 3. Advanced Forensics Format |
|
proprietary format |
most forensic tools have their own formats. Advantages: option to compress or not compress image files; can integrate metadata; can split an image into smaller segments. Disadvantages: inability to share an image between different tools; file size limitation for each segmented volume |