Note-11

Note-11 - CSE 494/598 Forensic Computing: Computer and...


CSE 494/598 Forensic Computing: Computer and Network Forensics
Prof. Gail-Joon Ahn

Cyber Gazette

- SSL Session Hijacking -- revisited
- Requirements:
  - A combination of poorly educated users, fewer security warnings in browsers, and sites that mix secured and unsecured content
- Intercepted 200 requests for SSL encrypted pages over 20 hours
  - 114 Yahoo! credentials
  - 50 Gmail credentials
  - 16 credit-card numbers
- Consideration:
  - Network infrastructure (promiscuous mode)
  - Content provider
  - Usable security

Outline

- File Forensics
- Storage Media Analysis
- Volume Analysis
- File System Analysis
- Heuristic and Systematic
- Microsoft File Structures
  - FAT and NTFS

File System Analysis: FAT Structure

Boot Sector

0000432: 0000 0000 0000 0000 0000 0000 0000 00 01
0000448: 0100 07 fe 3f7f 3f00 0000 4160 1f00 8000
0000464: 0180 0bfe 3f8c 8060 1f00 cd2f 0300 0000
0000480:
0000496: 55aa

Dump columns: the byte offset in decimal, then 16 bytes of the data in hexadecimal.

#  Flag  Type  Starting Sector   Size
1  0x00  0x07  0x0000003f (63)   0x001f6041 (2,056,257)
2  ?     ?     ?                 ?

The first 446 bytes contain boot code.

http://www.statman.info/conversions/hexadecimal.html

How about sectors 1-62?

File System Analysis: Content Analysis

- Cluster is a group of consecutive sectors and the number of sectors must be a power of 2
- The maximum cluster size is 32KB
- Address of the first cluster is 2
- Obviously
- To locate a specific data unit (first cluster)
- To determine its allocation status

File System Analysis: File Allocation Table

[Figure: Directory Entry Structures showing File.dat, 4,000 bytes, Cluster 34; Clusters: Cluster 34, Cluster 35; FAT Structure with entries labelled 32 33 34 35 36 and values 35, EOF]

[Figure: Physical Layout of a FAT file system: Reserved area, FAT area, Data area]

File System Analysis:...
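An added example, not part of the lecture notes: decoding the partition table entry from the boot sector dump above in Python, then listing the sectors that no partition claims. The sample sector is constructed from the slide's entry #1 bytes with the other three slots left empty, and the function names are this example's own.

```python
import struct

TABLE_OFFSET = 446         # the first 446 bytes contain boot code
ENTRY_SIZE = 16            # four 16-byte entries follow the boot code
SIGNATURE = b"\x55\xaa"    # final two bytes of the 512-byte sector

# Entry #1 exactly as dumped on the slide (byte offsets 446-461).
ENTRY_1 = bytes.fromhex("00010100" "07fe3f7f" "3f000000" "41601f00")
# Constructed sample sector: zeroed boot code, entry #1, three empty slots.
SAMPLE_SECTOR = bytes(TABLE_OFFSET) + ENTRY_1 + bytes(3 * ENTRY_SIZE) + SIGNATURE


def parse_entry(raw):
    """Decode one 16-byte DOS partition table entry (fields are little-endian)."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("a partition entry is exactly 16 bytes")
    # flag, starting CHS, type, ending CHS, starting sector (LBA), size in sectors
    flag, _chs_start, ptype, _chs_end, start, size = struct.unpack("<B3sB3sII", raw)
    return {"flag": flag, "type": ptype, "start": start, "size": size}


def parse_mbr(sector):
    """Return the used entries of a 512-byte boot sector, keyed by slot (1-4)."""
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("0x55AA signature missing; not a DOS partition table")
    entries = {}
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        entry = parse_entry(sector[off:off + ENTRY_SIZE])
        if entry["type"] != 0x00:          # type 0x00 marks an unused slot
            entries[slot + 1] = entry
    return entries


def unpartitioned_ranges(entries):
    """Sector ranges after sector 0 that no partition covers (inclusive bounds)."""
    gaps, cursor = [], 1                   # sector 0 holds the table itself
    for e in sorted(entries.values(), key=lambda e: e["start"]):
        if e["start"] > cursor:
            gaps.append((cursor, e["start"] - 1))
        cursor = max(cursor, e["start"] + e["size"])
    return gaps


if __name__ == "__main__":
    table = parse_mbr(SAMPLE_SECTOR)
    for slot, e in table.items():
        print(slot, hex(e["flag"]), hex(e["type"]), e["start"], e["size"])
    print("not in any partition:", unpartitioned_ranges(table))
```

On the sample sector the only range reported is sectors 1 to 62, the space between the boot sector and the start of the first partition.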

This note was uploaded on 08/30/2009 for the course CSE 494 taught by Professor Rao during the Spring '08 term at ASU.
