exam2 - CSE 494/598 Forensic Computing: Computer and...

CSE 494/598 Forensic Computing: Computer and Network Forensics
Prof. Gail-Joon Ahn

Cyber Gazette: DShield Web Honeypot
- The SANS ISC is releasing an alpha version of the DShield Web Honeypot to extend DShield's visibility into web-based attack traffic.
- The intention of the web honeypot project is to harness multiple capture points run by volunteers for the collection of potentially harmful traffic on the web.
- The data collected through the sensors are fed to the DShield web database, where human volunteers as well as machines pore over the data looking for abnormal trends and behavior. In addition, they attempt to measure web attack prevalence and find objective metrics to recommend protective measures.

IMPORTANT DATES
- Exam #1: Feb 19, 2009
- Assignment #1: Mar 3, 2009
- Spring Break: Mar 10 & 12, 2009
- Exam #2: Mar 31, 2009
- Class Project Due: Apr 23, 2009
- Paper Report Due: Apr 28, 2009
- Class Presentation: Apr 28 & 30, 2009; May 5, 2009
- Exam #3 (Final): May 7, 2009 (12:10PM – 2:00PM)

Outline
- File Forensics
- Storage Media Analysis
- Volume Analysis
- File System Analysis
- Heuristic and Systematic
- Microsoft File Structures
  - FAT and NTFS

Storage Media Analysis
- Hard Disk Geometry
  - Head – the device that reads and writes data to a drive
  - Track – a concentric circle on a disk platter
  - Cylinder – a column of tracks across the disk platters
  - Sector – a section of a track

Volume Analysis
- Purpose of Volume Analysis
  - Involves looking at the data structures involved with partitioning and assembling the bytes in storage devices
- Partitions
  - A collection of consecutive sectors in a volume
  - Each OS and hardware platform uses a different partitioning method
[Figure: one hard disk volume divided into Partition 1, Partition 2 and Partition 3, presented to the OS as volumes C:, D: and E:]

Volume Analysis (cont’d)
- Master Boot Record
  - Located in the first sector of the hard disk
  - Cylinder 0, head 0, sector 1 (CHS sector numbering starts at 1, so this is LBA 0)

  Offset   Description                             Size
  0x0000   Executable code (boots the computer)    446 bytes
  0x01BE   1st partition entry                     16 bytes
  0x01CE   2nd partition entry                     16 bytes
  0x01DE   3rd partition entry                     16 bytes
  0x01EE   4th partition entry                     16 bytes
  0x01FE   Boot record signature (0x55 0xAA)       2 bytes

FILE SYSTEM ANALYSIS
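As an added worked example (not code from the lecture slides), here is a small Python parser for the MBR layout in the table above. It checks the 0x55 0xAA signature, unpacks the four 16-byte partition entries, decodes the packed CHS fields and converts them to LBA, and lists the sector ranges that no partition claims, which is where an examiner looks for hidden or residual data. The sample MBR bytes (two partitions), the 255-head/63-sector logical geometry used for the CHS conversion, and all function names are constructed for this example.

```python
"""Parse a 512-byte Master Boot Record (cylinder 0, head 0, sector 1 = LBA 0).

Added example for the MBR layout above; not code from the lecture slides.
The sample MBR at the bottom is constructed (two partitions), not read from a disk.
"""
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # 0x0000..0x01BD
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte entries follow
SIGNATURE_OFFSET = 0x1FE        # 0x55 0xAA


def decode_chs(raw):
    """Unpack the 3-byte CHS field: byte 0 = head; byte 1 = sector (low 6 bits) plus
    cylinder bits 8-9 (high 2 bits); byte 2 = cylinder bits 0-7."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; used here only to build the sample MBR."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def chs_to_lba(cylinder, head, sector, heads=255, sectors_per_track=63):
    """CHS -> LBA. Sectors are numbered from 1, so C0/H0/S1 is LBA 0 (the MBR).
    The MBR does not record the geometry; 255 heads x 63 sectors/track is the usual
    logical geometry and is an assumption of this example."""
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def has_boot_signature(sector):
    return sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xAA"


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if not has_boot_signature(sector):
        raise ValueError("0x55AA signature missing: not an MBR, or the sector is damaged")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        raw = sector[off:off + 16]
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", raw)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        entries.append({
            "slot": i + 1,
            "bootable": status == 0x80,
            "type": ptype,                  # e.g. 0x07 NTFS, 0x0B FAT32
            "chs_start": decode_chs(raw[1:4]),
            "chs_end": decode_chs(raw[5:8]),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,
        })
    return entries


def find_unallocated(entries, total_sectors):
    """Inclusive sector ranges that no partition claims (sector 0 is the MBR itself).
    Unallocated space is where an examiner looks for hidden or residual data."""
    gaps, cursor = [], 1
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] > cursor:
            gaps.append((cursor, e["lba_start"] - 1))
        cursor = max(cursor, e["lba_end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def _entry(status, ptype, chs_start, chs_end, lba_start, count):
    return bytes([status]) + chs_start + bytes([ptype]) + chs_end + struct.pack("<II", lba_start, count)


# Constructed sample: boot-code stub, bootable NTFS partition at LBA 63, FAT32
# partition at LBA 4096, two empty slots, signature.
SAMPLE_MBR = (
    b"\xEB\xFE" + b"\x00" * (BOOT_CODE_SIZE - 2)
    + _entry(0x80, 0x07, encode_chs(0, 1, 1), encode_chs(0, 33, 32), 63, 2048)
    + _entry(0x00, 0x0B, encode_chs(0, 65, 2), encode_chs(0, 195, 3), 4096, 8192)
    + b"\x00" * 32
    + b"\x55\xAA"
)

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p["slot"], hex(p["type"]), p["lba_start"], p["lba_end"],
              "CHS start -> LBA", chs_to_lba(*p["chs_start"]))
    print("unallocated:", find_unallocated(parts, 16384))
```

On a real image the input is sector 0 of the disk (for example `dd if=disk.img bs=512 count=1`). Two checks worth running on every entry: the LBA computed from the CHS start and end fields should agree with the LBA start and sector count fields, and no partition should extend past the last sector of the device; a disagreement points at a hand-edited table or a crafted image rather than one written by a normal partitioning tool.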
File System Analysis: Microsoft File Structures
- In Microsoft file structures, sectors are grouped to form clusters
  - Storage allocation units of one or more sectors
  - Clusters are typically 512, 1024, 2048, 4096, or more bytes each
  - Combining sectors minimizes the overhead of writing or reading files to a disk

File System Analysis: Microsoft File Structures – cont’d
- File System Category
  - Boot sector
- Content Category
  - Finding the clusters
  - Cluster allocation status/methods
- Metadata Category
  - Directory entry
  - Cluster chains
- File Name Category

File System Analysis: Microsoft File Structures – cont’d
[Figure: the hard disk / Partition 1–3 / volumes C:, D:, E: diagram from the Volume Analysis slide, with the Microsoft file systems a volume may carry:]
- FAT12
- FAT16
- FAT32
- VFAT
- NTFS
- …
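To tie the cluster, allocation-status and cluster-chain points above together, here is an added worked example (not code from the slides) for FAT16: it reads the boot sector's BIOS Parameter Block to find where the data area starts, maps a cluster number to its sectors, reports a cluster's allocation status from its FAT entry, follows a cluster chain to the end-of-chain marker, and computes file slack. The chain walker also handles the failure mode a forensic tool must survive: a corrupt or edited FAT whose entries loop. The boot sector values, the FAT table, and all function names are constructed for this example.

```python
"""Follow a FAT16 cluster chain and map clusters to sectors.

Added example for the cluster and cluster-chain material above; not code from the
slides. The boot sector and the FAT table below are constructed for illustration.
"""
import struct

FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOC_MIN = 0xFFF8   # 0xFFF8..0xFFFF all mean end of chain


def parse_bpb(boot_sector):
    """Read the BIOS Parameter Block of a FAT12/16 boot sector and derive the layout."""
    if boot_sector[510:512] != b"\x55\xAA":
        raise ValueError("boot sector lacks the 0x55AA signature")
    (bytes_per_sector, sectors_per_cluster, reserved, num_fats, root_entries,
     _total_sectors16, _media, sectors_per_fat) = struct.unpack_from("<HBHBHHBH", boot_sector, 11)
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    return {
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": bytes_per_sector * sectors_per_cluster,
        "fat_start_sector": reserved,
        "first_data_sector": reserved + num_fats * sectors_per_fat + root_dir_sectors,
    }


def cluster_to_sector(layout, cluster):
    """Data clusters are numbered from 2: cluster 2 starts at the first data sector."""
    if cluster < 2:
        raise ValueError("FAT entries 0 and 1 are reserved; they address no data")
    return layout["first_data_sector"] + (cluster - 2) * layout["sectors_per_cluster"]


def fat_entry(fat, cluster):
    """FAT16 entries are little-endian 16-bit values indexed by cluster number."""
    return struct.unpack_from("<H", fat, 2 * cluster)[0]


def allocation_status(fat, cluster):
    value = fat_entry(fat, cluster)
    if value == FAT16_FREE:
        return "free"
    if value == FAT16_BAD:
        return "bad"
    if value >= FAT16_EOC_MIN:
        return "allocated, last in chain"
    return "allocated"


def walk_chain(fat, start):
    """Return (clusters, status): 'eoc' for a well-formed chain, otherwise why the walk
    stopped early ('free', 'bad', 'range', 'loop'). A damaged or deliberately edited
    FAT can contain cycles, so visited clusters are tracked rather than trusted."""
    max_cluster = len(fat) // 2 - 1
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur > max_cluster:
            return chain, "range"
        if cur in seen:
            return chain, "loop"
        seen.add(cur)
        chain.append(cur)
        nxt = fat_entry(fat, cur)
        if nxt >= FAT16_EOC_MIN:
            return chain, "eoc"
        if nxt == FAT16_FREE:
            return chain, "free"
        if nxt == FAT16_BAD:
            return chain, "bad"
        cur = nxt


def chain_sector_runs(layout, chain):
    """Inclusive (first, last) sectors of each cluster: what to carve to get the content."""
    spc = layout["sectors_per_cluster"]
    return [(cluster_to_sector(layout, c), cluster_to_sector(layout, c) + spc - 1) for c in chain]


def slack_bytes(file_size, chain, layout):
    """Allocated bytes past the file's logical size (file slack), where remnants of
    whatever previously occupied the last cluster can survive."""
    return len(chain) * layout["cluster_bytes"] - file_size


def _sample_boot_sector():
    # 512 B/sector, 4 sectors/cluster, 1 reserved sector, 2 FATs x 32 sectors,
    # 512 root entries (32 sectors): data area starts at sector 1 + 64 + 32 = 97
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHBHHBH", sector, 11, 512, 4, 1, 2, 512, 0, 0xF8, 32)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def _sample_fat():
    entries = [0xFFF8, 0xFFFF,  # entries 0 and 1: media descriptor and a fixed EOC
               3, 4, 7,         # clusters 2, 3, 4: chain 2 -> 3 -> 4 -> 7
               FAT16_FREE,      # cluster 5: free
               FAT16_BAD,       # cluster 6: marked bad
               0xFFFF,          # cluster 7: end of the chain that started at 2
               9, 8,            # clusters 8 and 9 point at each other: a corrupt loop
               0xFFFF]          # cluster 10: a one-cluster file
    return struct.pack("<%dH" % len(entries), *entries)


SAMPLE_BOOT = _sample_boot_sector()
SAMPLE_FAT = _sample_fat()

if __name__ == "__main__":
    layout = parse_bpb(SAMPLE_BOOT)
    chain, status = walk_chain(SAMPLE_FAT, 2)
    print(status, chain, chain_sector_runs(layout, chain))
    print("slack for a 7000-byte file:", slack_bytes(7000, chain, layout))
    print(walk_chain(SAMPLE_FAT, 8))
```

The starting cluster and the logical file size come from the directory entry (the slides' metadata category); the FAT supplies the rest of the chain. Deleted files keep their directory entry with the first character overwritten, but their FAT entries are zeroed, which is why the walker reports 'free' rather than pretending the chain is intact.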