SCAN0207 - Slack Space — hidden space on a disk where DOS...

Slack Space — hidden space on a disk where DOS attempts to write a file to clear its RAM memory
- Unallocated space is the space taken by the "real" file when you erase it
- Special tools are needed to view slack and unallocated space
- Swap files created by MS Windows are a potential bonanza for forensic investigators
- Stub — small portion of a program placed in memory to hold the program together until the time comes for the program to run again
- Swap files are written to constantly and changed
- Starting Windows creates and deletes many temporary files; some are swap files
- Web browsers, such as Netscape and MS Internet Explorer, create cache files to improve performance
- Cache files also hold clues as to web usage, or visits to certain sites, such as child pornography, hacker sites, etc.

Management of Digital Evidence
- U.S. Department of Justice Federal Guidelines for Searching and Seizing Computers contains guidelines for collection of computers as evidence
- Two major dangers of collecting computer forensic data:
  - Loss of data
  - Alteration of data
- Requirements for collection tools:
  - Must not alter data
  - Collect all of, and only, the data we want
  - Must establish they worked properly
  - Must be generally accepted by the computer forensic community
  - Results they produce must be repeatable

Evidence Collection
- Rules of digital evidence collection:
  - Treat all evidence as if it will be used in criminal litigation
  - Never work directly on the evidence itself — make a copy
  - Once a copy is made, safely store the original and maintain a chain of custody
  - Label and catalog everything, document your findings, and use a technique which allows you to establish when the evidence was collected and that it hasn't been altered since then

Process for Collecting Evidence
- Observe whether the suspect computer is on or off, and carefully assess the surroundings
- Carefully observe the screen display
- Unplug the modem or network connection from the computer — do not turn it off!
- If the modem was connected to a telephone, do not use the telephone to call someone
  - The last number dialed may still be present on the phone
  - Check for numbers or other information from the phone that may reveal other information
- In the event the computer is attached to a DHCP server, it can cause the computer to hunt for an address server and add unwanted data
- Check with the network administrator or operator to determine how the network works
- If the screen reflects a remote session running, it is important to disconnect the connection at once
- Document connections to the PC
- Label all connections
- Once you determine it is time to get into the PC, simply pull the plug
- Test before reconnecting the hard drives
- Reboot to DOS (never Windows)
- Make two physical backups of the hard drive
- Use one backup to create an image of the machine under test; save the other for evidence
- Analyze the image machine
- To make a physical image, an external drive, such as an Iomega Jaz or Zip drive, is needed
- A second method is to back up directly to a second hard disk

Evidence Analysis
- Make an MD5 hash of disks and files
- List the files and directories present
- Search for deleted files and data, data in file slack, and data in caches and swap files ...
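Added example (not part of the lecture notes): a small Python script that builds a constructed 4-cluster raw image and then does the two things the notes describe: it hashes the image with MD5 so a working copy can be checked against the original before analysis, and it carves out the file slack and unallocated clusters where residue of erased data survives. The cluster size, the directory table and the image contents are all constructed for the demonstration; this is not a real filesystem parser.

```python
import hashlib

CLUSTER = 512  # constructed: allocation-unit (cluster) size in bytes


def build_image() -> bytes:
    """Construct a 4-cluster raw image (constructed data, not a real filesystem).

    Cluster 0: once held a 512-byte memo; a 300-byte file was later written
               over its first 300 bytes, so bytes 300-511 are file slack.
    Cluster 1: unallocated, but still holding the contents of an erased file.
    Clusters 2-3: never used (all zero).
    """
    old_memo = (b"OLD MEMO DRAFT. " * 40)[:CLUSTER]
    new_file = b"N" * 300
    cluster0 = new_file + old_memo[300:]   # tail of the memo survives as slack
    cluster1 = (b"erased-report.txt contents " * 20)[:CLUSTER]
    return cluster0 + cluster1 + bytes(CLUSTER) + bytes(CLUSTER)


# Constructed "directory": the only allocated file and where it lives.
DIRECTORY = {"notes.txt": {"start_cluster": 0, "size": 300}}


def clusters_for(size: int) -> int:
    """Number of clusters a file of `size` bytes occupies (ceiling division)."""
    return -(-size // CLUSTER)


def file_slack(image: bytes, start_cluster: int, size: int) -> bytes:
    """Bytes between the logical end of a file and the end of its last cluster."""
    file_end = start_cluster * CLUSTER + size
    cluster_end = (start_cluster + clusters_for(size)) * CLUSTER
    return image[file_end:cluster_end]


def unallocated_clusters(image: bytes, directory: dict) -> dict:
    """Map cluster index -> contents for every cluster that no file owns."""
    allocated = set()
    for entry in directory.values():
        first = entry["start_cluster"]
        allocated.update(range(first, first + clusters_for(entry["size"])))
    total = len(image) // CLUSTER
    return {i: image[i * CLUSTER:(i + 1) * CLUSTER]
            for i in range(total) if i not in allocated}


def md5_hex(data: bytes, chunk_size: int = 1 << 20) -> str:
    """MD5 of an image, fed in chunks the way a multi-gigabyte file would be read."""
    h = hashlib.md5()
    for off in range(0, len(data), chunk_size):
        h.update(data[off:off + chunk_size])
    return h.hexdigest()


def verify_copy(copy: bytes, original_digest: str) -> bool:
    """True only if the working copy still hashes to the digest recorded at seizure."""
    return md5_hex(copy) == original_digest


if __name__ == "__main__":
    original = build_image()
    digest = md5_hex(original)          # record this in the chain-of-custody log
    working_copy = bytes(original)      # analysis happens on the copy, never the original
    print("image md5:", digest, "copy verified:", verify_copy(working_copy, digest))
    entry = DIRECTORY["notes.txt"]
    slack = file_slack(working_copy, entry["start_cluster"], entry["size"])
    print(f"file slack ({len(slack)} bytes): {slack[:32]!r}")
    for idx, data in unallocated_clusters(working_copy, DIRECTORY).items():
        if any(data):                   # skip clusters that are all zero
            print(f"unallocated cluster {idx}: {data[:32]!r}")
```

Re-hashing the working copy before and after analysis is what lets you show the copy was not altered by the tools you ran; the slack and unallocated carving shows why "the space taken by the real file" is not the whole story when a file is erased.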