Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Similar presentations

Presentation on theme: "Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes."— Presentation transcript:

1 Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes at the Computer - Computer Forensic Analysis If only that [insert name of inanimate object here] could talk. With forensic analysis, computers can talk. And, they can tell us plenty!

2 Focus The focus of this excerpt, was on the retrieval of information from a computer and techniques used by criminal investigators to gather evidence. Content: –The ways for retrieving files and evidence from a suspects computer. –The methods used to secure and document the contents of the computer. Computer Forensic Analysis

3 Securing the Crime Scene When an investigator first arrives on the scene there are a few things that he would need to do. –Check for any remote connections (internet or direct) –Check devices and connections to the computer –Turn the computer off Simply disconnect the computer Computer Forensic Analysis

4 HDD Summary Hard Drive structure: –Clusters are made up of Sectors –These are all on the same platter –Clusters are used to store files or file segments in DOS (under FAT filesystem) HDD Summary

5 FAT FileSystem Stores single files into separate clusters. –Clusters are usually ~ 32k (depends size of drive). –Used in DOS / Win95 / NT. –Has since been replaced by FAT32 and NTFS. HDD Summary

6 DOS Left to its own devices. DOS forgets nothing. Every time you type a key on the keyboard, DOS will store the keypress. When opening encrypted files, the plaintext will be stored on the drive somewhere. Files are not erased when you ask them to be deleted, they are merely renamed, producing unallocated space. DOS

7 Will store files contiguously (in order) until drive space fills up, then will place them where it can. DOS can also become fragmented. This is when files and their fragments are littered across the disk space, and require multiple head reads to access the one file. –This means that the input/output time for files will be longer. DOS

8 There are spaces left over, when files dont completely fill clusters, this space is called slack space. DOS

9 Slack Space Slack space, is the space unused by files in a cluster. –Whenever DOS clears its memory, it stores the garbage into a place on the hard drive, this is called the slack. –Slack is invisible to the file system on the local computer as there are no files in this space. Slack Space

10 What can we find out ? There is a lot of information stored in slack space this can be used to discover and uncover details about the computers activities. Such as : –Files (and their contents) –Memory dumps –Garbage –Keyboard and other input / output –Directory information Slack Space

11 e.g. Directory Information If a floppy was in use on a computer, then the slack space can be used on the disk, instead of on the computers hard drive. If directory information has been stored into the slack space on the floppy, it can be used to identify where the disk came from. Slack Space

12 Unallocated Space Unallocated space is the space which is used up by files which have been marked as deleted, but not actually deleted. When DOS deletes a file, it is renamed (the first letter of the file is changed to a special character). The special character is recognized by DOS and is not displayed as a file. Unallocated Space

13 The Files The files which make up this space will be entirely complete as long as no other file has been stored in its place. –When a file is stored across multiple clusters, a fragment of the file could be overwritten, but the file would still exist to be (mostly) extracted. All the contents of this file (and the slack space around the file) are unaltered until a file is placed into the cluster. Unallocated Space

14 Windows Swap Files Usually exists in two types. –Permanent Swap Files These would be stored for various reasons, and would remain even after rebooting. –Temporary Swap Files This is volatile, so when windows shuts down, the information is removed or lost. Could retain this information by disrupting the power to the computer. Windows Temp Space

15 Windows Swap File The windows swap file will contain a plethora of information for the criminal investigator to discover and use. This information includes : –Memory of running processes. –Programs when they were swapped out to disk. –Keyboard inputs. Windows Temp Space

16 Windows Browser Caches The cache is where a browser stores recently accessed images and files, to allow the browser to quickly open pages that have been recently viewed This information can be used to discover the web activities of the computer user prior to the seizure of the computer Windows Temp Space

17 Unix / *ix Operating Systems Although Unix does not have Windows or DOS to provide it with swap files full of information, the drive may still contain information, and can contain slack space These operating systems have what is known as a swap drive, which is simply a partition of drive space allocated to the specific use for virtual memory, this is similar to Windows swap space Unix Disks

18 Collecting Evidence Now that we know where to look for information, we need to know how we can look in these places, and the precautions we need to take before doing so. –As stated previously we need to ensure that there are no external connections being made to the computer which could cause information to be lost or altered. –We will also need copies made of the original data, to allow us to perform our searches. Computer Forensic Analysis

19 Collecting information The author presents tools for discovering information –Backup Software, to create a duplicate of the computer under investigation to search for evidence on. –Software to list the files and directory structure of the entire drive. –Programs to get the data from the slack and unallocated spaces. –A filtering program to search for specific keywords and filter out information which is deemed to be worthless. Collecting Evidence

20 e.g. Chaining Chaining is a method used to find an entire file, (given that it does not all exist in one place) from unallocated and slack space. –In unallocated space, each sector has a pointer to the next and previous file fragments. –In slack space, given that this is continually overwritten, the file may be incomplete. Collecting Evidence

21 Final Steps After the information is found, a criminal investigator has to sign and seal the evidence, as would a normal detective. This involves: –Creating a unique fingerprint of the files or evidence that has been found. –Encryption of these new files, using a public key encryption program, with a trusted persons public key. Collecting Evidence

22 Considerations Times are changing in relation to computer security and privacy, in terms of hardware and software. –What effects do the larger hard drives have in terms of applying the techniques described? Computer Forensic Analysis – Fat32 was introduced to combat large space wastage on larger drives. Does this affect the way in which slack space can be accessed, does slack space still exist ?

Download ppt "Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes."

Similar presentations

Ads by Google