Note-16
CSE 494/598 Forensic Computing: Computer and Network Forensics
Prof. Gail-Joon Ahn

Cyber Gazette
- Conficker C Analysis by SRI
- http://mtc.sri.com/Conficker/addendumC/index.html
IMPORTANT DATES
- Exam #1: Feb 19, 2009
- Assignment #1: Mar 3, 2009
- Spring Break: Mar 10 & 12, 2009
- Exam #2: Mar 31, 2009
- Assignment #2: Apr 7, 2009
- Class Project Due: Apr 23, 2009
- Paper Report Due: Apr 28, 2009
- Class Presentation: Apr 28 & 30, 2009; May 5, 2009
- Exam #3 (Final): May 7, 2009 (12:10PM – 2:00PM)

Paper Presentation
April 28th
- Group: Ho An and Fengze Xie, "Towards Models for Forensic Analysis"
- Group: Terrance Cuny and Farooq Khera, "A Hardware-based Memory Acquisition Procedure"
April 30th
- Group: Fei Hong and Sanket Sheth, "Forensic Analysis of File System Intrusions using Improved Backtracking"
- Group: Pradeep Sekar and Deepak Barge, "ReVirt: Enabling Intrusion Analysis through VM Logging and Replay"
May 5th
- Group: Joseph Schneider and Darin Tupper, "Secure Audit Logs to Support Computer Forensics"
Special Requirements
- Thursday, April 9
- Please print out your report on the Assignment # and bring it to class
- Each group should take seats based on the assignment

Exam #2
- Mean: 78.6
- Median: 74
Q1

File System Analysis: Drive Slack
- Microsoft OSs allocate disk space for files by clusters (fixed-size groups of sectors), not by bytes
- This results in drive slack: the unused space in a cluster between the end of an active file and the end of the cluster
- Drive slack includes RAM slack and file slack
- An unintentional side effect of FAT16 having large clusters was that it reduced fragmentation as cluster size increased
File System Analysis: Drive Slack – cont'd
Example
- Create a large file: 5,000 characters (bytes)
- Save it on a FAT16 disk
- The OS reserves one 64-sector cluster: 64 * 512 = 32,768 bytes
- Unused space: 32,768 – 5,000 = 27,768 bytes
- This is the slack in the cluster (the slide labels it file slack; strictly it is the drive slack, i.e. RAM slack plus file slack, broken down below)

Example (cont.)
- 5,000 bytes of data occupies 10 sectors: 10 * 512 = 5,120 bytes
- Where do the other 120 bytes (5,120 – 5,000) come from? Memory
- This is RAM slack: 120 bytes from RAM go after the data and before the end of the last sector used
- The remaining 54 unused sectors of the cluster (54 * 512 = 27,648 bytes) are the file slack; 120 + 27,648 = 27,768, the total unused space computed above
File System Analysis: Drive Slack – cont'd
- RAM slack could be anything that happened to be in memory when the file was written:
  - Logon IDs
  - Passwords
  - File fragments
- Caveat for practitioners: the NT family of Windows pads the last sector with zeros instead of memory contents, so meaningful RAM slack is largely a Windows 9x-era artifact. File slack is different: the unused sectors are not rewritten when the new file is created, so they still hold whatever the previous occupant of the cluster left there.

[Figure: Drive Slack Data]
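The slack arithmetic of the FAT16 example above, as an added example that is not part of the lecture notes. It generalizes the single-cluster case to files spanning several clusters and to files whose size is an exact sector multiple (no RAM slack), and it carves the RAM-slack and file-slack bytes out of a cluster run. The 512-byte sector and 64-sector cluster come from the slides; the cluster contents (a logon string as memory residue, a deleted-file remnant in the unused sectors) are constructed for the demo.

```python
"""Slack-space arithmetic and carving for a FAT16 volume (added example).

Nothing here reads a real disk: the cluster run is built in memory so the
example runs offline.  Sector size 512 and 64 sectors/cluster are the
values used in the lecture; the cluster contents are made up.
"""
from dataclasses import dataclass

SECTOR = 512  # bytes per sector, as in the slides


@dataclass
class Slack:
    clusters: int      # clusters allocated to the file
    sectors_used: int  # sectors that actually hold file data
    ram_slack: int     # end of data -> end of its last sector
    file_slack: int    # whole unused sectors -> end of the last cluster
    drive_slack: int   # ram_slack + file_slack


def slack_for(file_size: int, sectors_per_cluster: int, sector: int = SECTOR) -> Slack:
    """Split the unused tail of a file's last cluster into RAM slack and file slack.

    Works for multi-cluster files too; a size that is an exact multiple of the
    sector size yields zero RAM slack.
    """
    if file_size < 0 or sectors_per_cluster <= 0 or sector <= 0:
        raise ValueError("file_size must be >= 0 and sizes must be positive")
    cluster_bytes = sectors_per_cluster * sector
    clusters = -(-file_size // cluster_bytes)        # ceiling division
    sectors_used = -(-file_size // sector)
    ram_slack = sectors_used * sector - file_size
    file_slack = (clusters * sectors_per_cluster - sectors_used) * sector
    return Slack(clusters, sectors_used, ram_slack, file_slack,
                 clusters * cluster_bytes - file_size)


def carve_slack(cluster_run: bytes, file_size: int, sectors_per_cluster: int,
                sector: int = SECTOR):
    """Return (ram_slack_bytes, file_slack_bytes) from the raw bytes of the
    clusters allocated to a file, given the logical size from its directory entry."""
    s = slack_for(file_size, sectors_per_cluster, sector)
    expected = s.clusters * sectors_per_cluster * sector
    if len(cluster_run) != expected:
        raise ValueError(f"cluster run is {len(cluster_run)} bytes, expected {expected}")
    ram = cluster_run[file_size:file_size + s.ram_slack]
    leftover = cluster_run[file_size + s.ram_slack:]
    return ram, leftover


def build_demo_cluster() -> bytes:
    """Constructed 32,768-byte cluster for the 5,000-byte example:
    5,000 bytes of file data, 120 bytes of simulated memory residue, then
    54 sectors still holding a remnant of a previously deleted file."""
    data = b"A" * 5000
    residue = b"logon=alice;pw=hunter2;".ljust(120, b"\x00")       # made-up RAM contents
    old = b"DELETED-FILE-REMNANT ".ljust(54 * SECTOR, b"\xcc")   # made-up old data
    return data + residue + old


if __name__ == "__main__":
    print(slack_for(5000, 64))
    ram, leftover = carve_slack(build_demo_cluster(), 5000, 64)
    print("RAM slack:", ram.rstrip(b"\x00"))
    print("file slack bytes:", len(leftover), leftover[:20])
```

The carve step is the forensic payoff: the directory entry's size field tells you where the data ends, and everything after it up to the cluster boundary is evidence the file's owner never meant to write.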
Q2

File System Analysis: Microsoft File Structures
[Figure: a hard disk is divided into Partition 1, Partition 2 and Partition 3; each partition holds one volume (Volume C:, Volume D:, Volume E:); each volume is formatted with one file system: FAT12, FAT16, FAT32, VFAT, NTFS, ...]
File System Analysis: FAT Structure – Boot Sector

Hex dump of the end of sector 0 (the master boot record). The byte offset is in decimal, followed by 16 bytes of data in hexadecimal:

0000432: 0000 0000 0000 0000 0000 0000 0000 0001
0000448: 0100 07fe 3f7f 3f00 0000 4160 1f00 8000
0000464: 0180 0bfe 3f8c 8060 1f00 cd2f 0300 0000
0000480: (not shown in the preview)
0000496: ... 55aa

The partition table occupies bytes 446–509 (four 16-byte entries starting at 0x1BE); bytes 510–511 hold the 0x55AA signature. Within an entry, the starting sector and size are 32-bit little-endian values, so the bytes 3f 00 00 00 read as 0x0000003f.

#   Flag   Type   Starting Sector        Size (sectors)
1   0x00   0x07   0x0000003f (63)        0x001f6041 (2,056,257)
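The partition-table decode above, carried out in code as an added example (not from the lecture). The 512-byte sector is reconstructed from the slide's hex dump; bytes 480–509, which the preview omits, are assumed to be zero (unused entries 3 and 4), and the CHS-to-LBA cross-check assumes the classic 255-head, 63-sector geometry.

```python
"""Decode a DOS/MBR partition table (added example).

SECTOR0 is rebuilt from the hex dump in the slides.  Bytes 480-509 are an
assumption (zero, i.e. entries 3 and 4 unused); the preview does not show them.
"""
import struct
from typing import Dict, List

PARTITION_TABLE_OFFSET = 446  # 0x1BE
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"        # bytes 510-511

# Common partition type codes (subset).
TYPE_NAMES = {0x00: "empty", 0x01: "FAT12", 0x04: "FAT16 (<32MB)", 0x06: "FAT16",
              0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x0E: "FAT16 (LBA)"}

_s0 = bytearray(512)
_s0[432:448] = bytes.fromhex("00" * 15 + "01")                     # dump line 0000432
_s0[448:464] = bytes.fromhex("010007fe3f7f3f00000041601f008000")   # dump line 0000448
_s0[464:480] = bytes.fromhex("01800bfe3f8c80601f00cd2f03000000")   # dump line 0000464
# bytes 480-509 left zero: assumed unused entries (not shown in the preview)
_s0[510:512] = SIGNATURE                                           # dump line 0000496
SECTOR0 = bytes(_s0)


def decode_chs(b: bytes):
    """(head, sector, cylinder) from a 3-byte CHS field; the cylinder's top two
    bits are stored in the high bits of the sector byte."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return head, sector, cylinder


def chs_to_lba(chs, heads: int = 255, sectors: int = 63) -> int:
    """LBA for a CHS triple under an assumed geometry (255 heads, 63 sectors)."""
    head, sector, cylinder = chs
    return (cylinder * heads + head) * sectors + (sector - 1)


def parse_partition_table(sector0: bytes) -> List[Dict]:
    """Return the four partition entries of an MBR as dicts."""
    if len(sector0) < 512:
        raise ValueError("need a full 512-byte sector")
    if sector0[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        e = sector0[off:off + ENTRY_SIZE]
        flag, ptype = e[0], e[4]
        if flag not in (0x00, 0x80):
            raise ValueError(f"entry {i + 1}: invalid boot flag 0x{flag:02x}")
        # LBA start and size are 32-bit little-endian at bytes 8..15 of the entry
        lba_start, size = struct.unpack_from("<II", e, 8)
        entries.append({
            "index": i + 1,
            "bootable": flag == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, f"0x{ptype:02x}"),
            "chs_start": decode_chs(e[1:4]),
            "chs_end": decode_chs(e[5:8]),
            "lba_start": lba_start,
            "size": size,
        })
    return entries


def check_layout(entries: List[Dict]) -> bool:
    """Non-empty partitions must not overlap and CHS start must agree with LBA start.
    A mismatch is a classic sign of a hand-edited or hidden partition."""
    used = [e for e in entries if e["type"] != 0]
    used.sort(key=lambda e: e["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["size"] > b["lba_start"]:
            return False
    return all(chs_to_lba(e["chs_start"]) == e["lba_start"] for e in used)


if __name__ == "__main__":
    table = parse_partition_table(SECTOR0)
    for e in table:
        print(e)
    print("layout consistent:", check_layout(table))
```

Decoding the second entry from the same dump shows that partition 2 begins exactly where partition 1 ends (63 + 2,056,257 = 2,056,320) and its CHS start (cylinder 128, head 0, sector 1) maps to that same LBA, which is the kind of consistency check to run before trusting a partition table in an image.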

This note was uploaded on 08/30/2009 for the course CSE 494 taught by Professor Rao during the Spring '08 term at ASU.
