CHAPTER 2
Understanding Data Recovery Workstations and Software

CHAPTER OVERVIEW

LEARNING OUTCOMES
By the end of this chapter, you should be able to:
INTRODUCTION
Data is the driving force of any system that uses computers. Easy access to data is the reason the internet became popular, and the ability to modify, store, process, and retrieve data is a major reason why computers are used in homes and businesses around the world.
The term storage media usually refers to a means of storing data permanently, and different methods can be used to store data more or less permanently on several different media types. These methods include storing data on magnetic disks or on optical disks.
In this chapter, we look at different types of file systems and storage media and learn how they store data. We also look at one of the most common data types that is saved to media and analyzed in computer forensic examinations: image file formats, which contain digital photos. As we will see, these files can be created in a variety of formats, and numerous techniques and tools can be used to view and recover damaged files.
File systems interact with the operating system so that the operating system can find files requested from the hard disk. The file system keeps a table of contents of the files on the disk. When a file is requested, the table of contents is searched to locate and access the file. To put it another way, the hard disk is like a library that contains books, whereas the file system is the catalogue that records where those books are placed on the shelves.
To understand this better, let's take a quick look at hard disks. A hard disk on which an operating system is installed is broken into allocation units called "clusters"; each cluster contains a fixed number of sectors. A disk partition is a contiguous range of sectors. Without added support, each partition would be one large undifferentiated block of data. Every operating system therefore adds a directory structure that assigns names to files and manages the free space available for creating new files.
The directory structure and the method for organizing a partition together make up the file system. Different file systems reflect different operating system requirements, and the same hard disk can hold partitions with file systems belonging to DOS, Windows NT, or Linux. When more than one operating system is installed on a hard drive, each typically in its own partition with its own file system, this is called a multi-boot or dual-boot configuration.
Hard disks are nonvolatile hardware storage devices used to store and retrieve data quickly. Nonvolatile storage is physical media that retains data without electrical power, which means that no data is lost when the computer is powered off; this makes hard disks suitable for permanent storage of information.
Most hard disk drives (HDDs) are designed for installation inside a computer, and for that reason they were once referred to as fixed disks. The most common form factors used over the past few decades are:
• 5.25-inch: the first hard drives used on PCs, commonly installed in machines during the 1980s.
• 3.5-inch: the common form factor used in modern desktop PCs.
• 2.5-inch: the common form factor used in laptop/notebook computers. (Source: Official CHFI guide)
From figure 1.2 you can see that the 3.5-inch HDD has several connectors that allow it to be installed in a computer. A 2.5-inch hard disk is installed differently in a laptop: a cover is removed from the laptop (generally on the underside of the machine) and the 2.5-inch HDD is slid into a bay that supplies power and data connections directly. The 3.5-inch HDD is installed in the computer using the following components on the outside of the drive:
Tracks:
When the platters in a hard disk spin, the read/write head moves to a position on the platter where it can read the data. A track is the part of the platter that passes under the read/write head while the head is held in one position. Tracks are concentric circles on the magnetic surface of the platter on which data is saved. A single hard disk can have many thousands of tracks. These tracks hold data and pass beneath the stationary read/write head as the platter rotates.
Tracks are numbered from zero upward, starting at the outermost edge of the disk and moving toward the track nearest the center of the platter. In the legacy BIOS cylinder/head/sector (CHS) addressing scheme the cylinder number was limited to 10 bits, so tracks ran from 0 to at most 1,023; modern drives have far more tracks and are addressed by logical block address (LBA) instead. In other words, the first track on the disk is the track on the outer edge of the platter, and the highest numbered track is the one closest to the center.
Sectors:
Sectors are segments of a track, and the smallest physical storage unit on a disk. As seen in figure 1.4, the disk is further organized by dividing the platter into pie slices, which also divide the tracks into smaller segments. These segments are known as sectors, and they have traditionally been 512 bytes (0.5 KB) in size; most drives manufactured since around 2010 use 4,096-byte "Advanced Format" physical sectors, although many still present 512-byte logical sectors to the host. By identifying the cylinder (track), head and sector in which a piece of data is stored, a computer is able to locate where data is physically stored on the disk.
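The partition, track and sector descriptions above map directly onto the 16-byte partition entries of a classic Master Boot Record (MBR), where each partition's start and end are recorded both as CHS triples and as an LBA range. The following Python program is added here as an illustration; it is not part of the original chapter or of any tool the chapter names. It decodes the partition table from a 512-byte MBR sector and converts between CHS and LBA using the conventional 255-head, 63-sector translation geometry. The MBR sector it parses is constructed inline for the example, and the partition sizes, types and helper names are assumptions of the example.

```python
# Added example: decode a classic MBR partition table and convert CHS <-> LBA.
# The sector parsed here is constructed inline; it is not data from the chapter.
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # boot code occupies bytes 0..445
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR
HEADS_PER_CYLINDER = 255       # conventional BIOS translation geometry
SECTORS_PER_TRACK = 63
MAX_CHS = (1023, 254, 63)      # stored when a partition lies beyond the CHS limit


def chs_to_lba(cylinder, head, sector):
    """CHS -> LBA. Sectors are numbered from 1, cylinders and heads from 0."""
    return (cylinder * HEADS_PER_CYLINDER + head) * SECTORS_PER_TRACK + (sector - 1)


def lba_to_chs(lba):
    """LBA -> CHS under the same geometry; clamps like a BIOS beyond ~8 GiB."""
    cylinder, rest = divmod(lba, HEADS_PER_CYLINDER * SECTORS_PER_TRACK)
    head, sector0 = divmod(rest, SECTORS_PER_TRACK)
    if cylinder > 1023:
        return MAX_CHS
    return (cylinder, head, sector0 + 1)


def pack_chs(chs):
    """Pack (cylinder, head, sector) into the 3-byte on-disk field."""
    cylinder, head, sector = chs
    return bytes([head, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])


def unpack_chs(raw):
    """Inverse of pack_chs: the sector field is 6 bits, the cylinder 10 bits."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return (cylinder, head, sector)


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector (bad length or missing 0x55AA)")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        status, chs_start, ptype, chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector[offset:offset + ENTRY_SIZE])
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "chs_start": unpack_chs(chs_start),
            "chs_end": unpack_chs(chs_end),
            "lba_start": lba_start,
            "sectors": num_sectors,
            "size_bytes": num_sectors * SECTOR_SIZE,
        })
    return partitions


def build_mbr(entries):
    """Assemble an MBR from (bootable, type, lba_start, sectors) tuples.
    CHS fields are derived from the LBA values, as partitioning tools do."""
    table = b""
    for bootable, ptype, lba_start, num_sectors in entries:
        table += struct.pack(
            "<B3sB3sII",
            0x80 if bootable else 0x00,
            pack_chs(lba_to_chs(lba_start)),
            ptype,
            pack_chs(lba_to_chs(lba_start + num_sectors - 1)),
            lba_start, num_sectors)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return bytes(PARTITION_TABLE_OFFSET) + table + MBR_SIGNATURE


def sample_mbr():
    """Constructed example: a bootable 100 MiB NTFS partition (type 0x07)
    followed by a 200 MiB Linux partition (type 0x83), 63-sector aligned."""
    return build_mbr([(True, 0x07, 63, 204800), (False, 0x83, 204863, 409600)])


if __name__ == "__main__":
    for p in parse_mbr(sample_mbr()):
        print(f"partition {p['index']}: type 0x{p['type']:02x} bootable={p['bootable']} "
              f"LBA {p['lba_start']}..{p['lba_start'] + p['sectors'] - 1} "
              f"CHS {p['chs_start']}..{p['chs_end']} ({p['size_bytes'] // 2**20} MiB)")
```

On a real image the first 512 bytes of the device (or of a raw dd image) are what parse_mbr expects; the consistency check chs_to_lba(*chs_start) == lba_start only holds for partitions that start below the 1,024-cylinder limit, which is why examiners trust the LBA fields and treat the CHS fields as legacy data.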
The hard disk interface is the standardized technology used to connect the hard disk to the computer so that the machine can access the data stored on it. The interface serves as a communication channel through which data flows between the computer and the HDD. The interface also matters to an examiner, because a hardware write blocker is specific to the interface it sits on. The most common hard disk interfaces include:
Computer file systems can be classified into disk file systems, network file systems, and special-purpose file systems.
Forensic tools often feature the ability to acquire evidence from a hard disk. By imaging (duplicating) the data, the information from a machine can be acquired and then analyzed for anything that is applicable to the case. In situations where a forensic investigation isn't necessary but data simply needs to be recovered, these same tools can assist in retrieving information that was previously lost. There is no single solution for all the various requirements of a computer forensic investigation. Computer forensic tools have been developed for different operating system platforms; some are open source and others are proprietary. Different tools exist for acquiring evidence from live systems and for analyzing the evidence. Some commonly used computer forensic tools are listed below:
These computer forensic tools may be evaluated against different criteria, such as the completeness of the tool's functionality, the time taken by the tool to perform its function, ease of use, cost, acceptability of the tool in court, and so on.
Imaging a hard drive involves making a bit-by-bit copy of the drive to a raw image file or to a second drive, called the analysis drive. Imaging a suspect's hard drive is one of the most critical functions of the computer forensic process. It is essential that no data be written to the suspect's hard drive during this process. To ensure this, a software-based or hardware-based write blocker is used; write blockers ensure that any write to the disk being imaged is blocked. It is equally essential that every bit copied to the analysis drive be exactly the same as that found on the suspect's drive, which is why the source and the image are hashed (for example with MD5 or SHA-256) and the hashes compared and recorded. Plenty of imaging tools have been developed for use in forensic examinations. Some of them are described in more detail below.
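As an added example (not code from the chapter or from any of the tools it names), the following Python program shows the acquisition and verification steps described above: it reads a source one sector at a time, zero-fills any sector that cannot be read so the image stays sector-aligned (the behaviour dd's conv=noerror,sync provides), hashes the bytes actually written, and then re-hashes the resulting image to confirm that the copy on disk is bit-for-bit what was acquired. The 32 KiB pseudo-disk it images is constructed inline, and the simulated_bad parameter, which fakes an unreadable sector, exists only for the demonstration. Write blocking is assumed to be handled outside the program: the code opens the source read-only, but a software or hardware write blocker is still required on a real examination.

```python
# Added example: sector-by-sector acquisition with zero-fill of unreadable
# sectors and hash verification. The source disk is constructed inline.
import hashlib
import os
import tempfile

SECTOR_SIZE = 512


def make_sample_source(path, sectors=64):
    """Write a constructed 32 KiB pseudo-disk; each sector is tagged with its number."""
    with open(path, "wb") as f:
        for n in range(sectors):
            f.write(f"SECTOR {n:05d} ".encode().ljust(SECTOR_SIZE, b"\xaa"))
    return path


def sha256_of_file(path):
    """Stream a file through SHA-256 (images are usually far larger than RAM)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(source_path, image_path, simulated_bad=frozenset()):
    """Copy source_path to image_path one sector at a time.

    A sector that raises OSError (or whose index is in simulated_bad, a demo-only
    hook that fakes a read error) is written as zeros so later sectors keep their
    offsets, as dd conv=noerror,sync does. The acquisition hash covers exactly
    the bytes written, which is what tools such as dcfldd report for the image.
    """
    acq_hash = hashlib.sha256()
    bad_sectors = []
    # The source is opened read-only, but "rb" only constrains this process; a
    # write blocker is assumed to sit in front of real evidence media.
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        size = src.seek(0, os.SEEK_END)
        src.seek(0)
        total = (size + SECTOR_SIZE - 1) // SECTOR_SIZE
        for n in range(total):
            try:
                if n in simulated_bad:
                    raise OSError(5, "Input/output error (simulated)")
                chunk = src.read(SECTOR_SIZE)
            except OSError:
                bad_sectors.append(n)
                chunk = b"\x00" * SECTOR_SIZE
                src.seek((n + 1) * SECTOR_SIZE)   # skip past the unreadable sector
            chunk = chunk.ljust(SECTOR_SIZE, b"\x00")  # pad a short final read
            img.write(chunk)
            acq_hash.update(chunk)
    image_hash = sha256_of_file(image_path)
    return {
        "sectors": total,
        "bad_sectors": bad_sectors,
        "acquisition_sha256": acq_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": image_hash == acq_hash.hexdigest(),
    }


def verify_image(image_path, expected_sha256):
    """Re-hash an image (e.g. before analysis or in court) against the recorded hash."""
    return sha256_of_file(image_path) == expected_sha256


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    source = make_sample_source(os.path.join(workdir, "suspect.bin"))
    image = os.path.join(workdir, "suspect.dd")
    result = acquire(source, image, simulated_bad={5})
    print(f"{result['sectors']} sectors, bad: {result['bad_sectors']}, "
          f"verified: {result['verified']}, sha256: {result['acquisition_sha256']}")
    print("re-verification:", verify_image(image, result["acquisition_sha256"]))
```

Two points the code makes explicit: when a sector is unreadable, the hash of the image cannot equal a hash of the original medium (the original bytes were never obtained), so the acquisition log must record which sectors were zero-filled alongside the hash; and the later verify_image check detects any alteration of the image, which is the property that lets the examiner work from a copy while the original stays sealed.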
Forensic analysis differs based on the type of media being analyzed, the file system used, and so on. Some of the activities involved in forensic analysis were discussed in earlier sections. Some of the commonly used analysis tools are described further below.
Forensic toolkits generally provide a set of tools for performing many of the activities of a computer forensic investigation. No single toolkit has been developed that encompasses all the forensic activities an investigation might require. The following two toolkits can be used to perform a variety of forensic activities.
High-technology evidence presents unique and challenging situations for the investigator. In addition to ensuring that the necessary forensic examination and preservation of computer evidence is done, the investigator needs specialized training and tools to work with.
If, on the other hand, during a lawful search conducted without any prior knowledge that computers were being used, we discover a computer system at the scene, can we look in its files? The answer is yes. Using the example above, we can justify the search of computer data so long as we had asked for judicial permission to search for records associated with the illegal sale, distribution, design, manufacture, production, cultivation, importing, and illicit use of controlled drugs. Investigators should include in their affidavits some commonly accepted language that generally describes computer evidence, such as: "Any and all records pertaining to (specify), found in either electronic or written form, located in devices capable of data storage and retrieval." This should effectively cover network, desktop, laptop and pocket computers, data watches, memory telephones and most other electronic data storage systems where evidence could be found.
Forensic investigators are allowed to search reasonably in any place where these items (data records) could be located. Investigators should justify their search of these devices on the basis of specific training, knowledge and/or experience they have obtained suggesting that the described records can in fact be stored on computer systems. When writing the affidavit, investigators should use correct computer terminology in describing the places to be searched and the items to be seized. Examples of specific computer language can often be found in previous search warrants and selected training materials. To help satisfy the particularity requirement, investigators need to describe the particular computer system sought. When investigators do not know the exact description of the computer but suspect or know of its use, general descriptions and definitions of a computer system may be adequate.
The process of taking down a computer system depends largely upon the scope of the search and the system's configuration (LAN or WAN networks, mainframes, servers, PCs, etc.). If the subject of the warrant is operating on a network, keep in mind that evidence may be stored anywhere on that network. When conducting controlled searches, investigators should also look at network drives, network and local backup copies (including mirrored or redundant logical drives), local disk drives, and the various removable storage drives, disks and tapes.
Investigators must also be aware that many businesses store their backup information off-site, often with contracted third-party vendors.
Prior to executing the search warrant, the investigator should get as much information as possible on the type of computer system they are searching for and possibly seizing. Police need to know that computer systems can comprise a number of hardware components and software.
Today's computer system can include a printer, mouse, monitor, modem, keyboard, central processing unit (CPU), main circuit board, expansion boards, hard, floppy, tape, removable, CD-ROM/DVD and optical drives, memory modules, computer chips and much more. Police need to be able to recognize computer equipment when they come across it and seize those items that are within the scope of the search and listed as items to be seized.
When forensic investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify taking the whole system should be based on the following criteria. When an entire organization is fully involved in an ongoing criminal scheme with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, seizure of the entire system may be proper.
In small desktop situations, investigators must seize the whole system, after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits so as to refer to the computer as a "system" that depends on its configuration to preserve "best evidence" in its original state. This may include peripherals, components, manuals, and software.
In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis put the rate at 1 megabyte for every hour of investigative work. By that equation, a 1-gigabyte hard drive may take up to 1,000 hours to examine fully. This assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out.
Computer files can be found on various types of storage media in all sorts of deceptively modified, hidden, compressed, encrypted and semi-erased conditions. Therefore, investigators need to be technically prepared to deal with evidence found in these conditions and should mention these conditional factors in their affidavits in order to legally expand the scope of their search.
Onsite Interviews
Forensic investigators need to seek out critical information from persons present or having direct knowledge of the computer system. The most important information investigators need concerns passwords and security devices on the system. If the suspect is not in custody and is not being interrogated, asking for this information without the standard Miranda warnings is permissible; however, giving the warnings is the preferred method. Sometimes the investigator can obtain the same information by asking other persons present.
Also ask whether there are onsite or offsite backups, and what privilege levels and access controls are present in the computer system. Of course, investigators should also ask about the evidence they seek to find in the computer in relation to their case. If a person states that the evidence you seek is located in the computer system, a cursory examination is not necessary. However, don't restrict your search to the areas the suspect directs you to look at. Always be prepared for evidence in multiple locations.
Remember that a proper forensic image copies each sector of the original media, including unused areas and data that is hidden, partially erased or encrypted, allowing the investigator to attempt restoration of data.
A huge number of forensic tools exist that enable investigators to streamline and control their search for evidence in storage devices. A complete list of computer forensic software is available on request. For instance, there are a number of specialized search programs that allow investigators to structure customized searches for important evidence. Investigators need to know that encrypted data and various compressed data formats will not yield to these types of searches until the data is uncompressed or decrypted.
After the evidence is located, it needs to be understood and related to the case being investigated. Computer investigators use specialized viewer and conversion programs that can accommodate many file formats for quick viewing and printing of evidence.
Create a scenario based on section 2.3 and list all the permissions needed to execute an investigation.
SUMMARY
1. This is the second module of the computer forensics course. It describes what disk structure is and gives a detailed explanation of the disk.
2. In this chapter you have learnt what a hard disk is, and the various types of hard disk interfaces.
3. In addition, this module introduced forensic tools, explained the different types of forensic tools available for computer forensic investigation, and discussed some of the commonly used ones.
4. Finally, you have learnt about the steps involved in executing a forensic investigation, such as search warrant considerations, identifying and seizing software/hardware, the condition of evidence, onsite interviews, forensic image backup, and searching for and retrieving evidence.
GLOSSARY
TRUE/FALSE QUESTIONS
1. The file system keeps a table of contents of the files on the disk.
True False
2. Hard disks are volatile storage devices that are used to store and retrieve data quickly.
True False
5. Tracks are segments of a sector, and the smallest physical storage unit on a disk.
True False
6. Linux supports multiple file systems through the use of a Virtual File System.
True False
9. Evidor is a tool that is used to search hard disks for textual information.
True False
10. WinHex is an editor that can be used to examine files that have been acquired for analysis.
True False