CHAPTER 2
UNDERSTANDING DATA RECOVERY WORKSTATIONS AND SOFTWARE

CHAPTER OVERVIEW

LEARNING OUTCOMES
By the end of this chapter, you should be able to:

1. Explain file systems and disk structure;

2. Identify the types of Hard Disks and their interfaces;

3. Identify the types of Forensic Tools used for investigation; and

4. Identify how to execute a forensic investigation.


INTRODUCTION
Data is the driving force of any system that uses computers. Easy access to data
is the reason the internet became popular, and the ability to modify, store, process,
and retrieve data is a major reason why computers are used in homes and businesses
around the world.

The term storage media usually refers to a means of storing data permanently,
and different methods can be used to store data more or less permanently on several
different media types. These methods include storing data on a magnetic disk or on optical disks.

In this chapter, we’ll look at different types of file systems and storage media, and
learn how they store data. We will also learn about one of the most common data
types that is saved to media and analyzed in computer forensic examinations: image
file formats, which contain digital photos. As we will see, these files can be created in a
variety of different formats, and numerous techniques and tools can be used to view
and recover damaged files.

2.1 File Systems and Disk Structure

File systems interact with the operating system so that the operating system can find
files requested from the hard disk. The file system keeps a table of contents of the
files on the disk. When a file is requested, the table of contents is searched to locate
and access the file. To put it another way, the hard disk is like a library that contains
books, whereas the file system is used to determine where those books are placed on
the shelves.

To understand this better, let’s take a quick look at hard disks. A hard disk on
which an operating system is installed is broken into large pieces called clusters or
allocation units. Each cluster contains a number of sectors, and a disk
partition contains the sectors. Without added support, each partition would
be one large unit of data. All operating systems add a directory structure to assign names
to each file and to manage the free space available for creating new files.

The directory structure and method for organizing a partition is called a file system.
Different file systems reflect different operating system requirements. The same
hard disk can have partitions with file systems belonging to DOS, NT, or Linux.
When more than one file system type is installed on a hard drive, this is called a
multi-boot or dual-boot configuration.

2.1.1 Disk structure

Hard disks are nonvolatile hardware storage devices used to store and retrieve
data quickly. Nonvolatile storage is physical media that retains data without electrical
power, which means that no data is lost when the computer is powered off; this makes
hard disks suitable for permanent storage of information.

2.1.2 Overview of a Hard Disk

Most hard disks (HDDs) are designed for installation inside a computer, and for
that reason they were referred to as fixed disks. The most common form factors that have
been used over the past few decades are:
• 5.25-inch: These were the first hard drives used on PCs, and they were
commonly installed in machines during the 1980s.
• 3.5-inch: This is the common form factor used in modern PCs.
• 2.5-inch: This is the common form factor used in laptop/notebook
computers. (Source: Official CHFI guide)


Types of Hard Disks:

Figure 1.1: 2.5 inch HDD

Figure 1.2: 3.5 inch Hard Disks


From figure 1.2 you can see that the 3.5 inch HDD has several connectors that allow it to be installed
in a computer. The 2.5 inch hard disk doesn’t have these components because it is
installed differently in a laptop: a cover is removed from the laptop (generally on the
back of the computer) and the 2.5 inch HDD is inserted into a slot. The 3.5 inch
HDD needs to be installed in the computer using the following components on the
outside of the HDD:


Tracks:
When the platters in a hard disk spin, the read/write head moves into a position
on the platter where it can read the data. A track is the part of the platter that
passes under the read/write head. Tracks are concentric circles on the disk where
data is saved on the magnetic surface of the platter. A single hard disk can
have thousands of tracks. These tracks hold data and pass beneath the
stationary read/write head as the platter rotates.

The tracks are numbered from zero to the highest numbered track (which is typically
1,023), starting from the outermost edge of the disk to the track nearest the
center of the platter. In other words, the first track on the disk is the track on the outer edge
of the platter, and the highest numbered track is closest to the center.

Sector:

Sectors are segments of a track, and the smallest physical storage unit on a disk.
As seen in figure 1.4, the disk is further organized by dividing the platter into
pie slices, which also divide the tracks into smaller segments. These segments are
known as sectors, and they are typically 512 bytes (0.5 KB) in size. By identifying
the track number and the particular sector in which a piece of data is stored, a computer
is able to locate where data is physically stored on the disk.


2.1.3 Hard Disk Interfaces

The hard disk interface is one of the standard technologies used to connect the hard
disk to the computer so that the machine can access the data stored on the hard disk.
The interface used by an HDD serves as a communication channel, allowing
data to flow between the computer and the HDD. The most common hard disk
interfaces include:


2.1.4 Types of file systems

Computer file system types can be classified into disk file systems, network file
systems, and special purpose file systems.


(a) What file system is presently used in your computer or laptop?
(b) What type of hard disk is used by your computer? Find out about other
types of file systems and hard disk types.


2.2 Computer Forensics tools

Forensic tools often feature the ability to acquire evidence from the hard disk.
By imaging (duplicating) data, the information from a machine can be acquired and
then analyzed for any information that is applicable to the case. In situations where an
investigation isn’t necessary but data simply needs to be recovered, these same tools can assist in retrieving
information that was previously lost. There is no single solution for all the various
requirements of a computer forensic investigation. Computer forensic tools have been
developed for different operating system platforms. Some tools are open source
and others are proprietary. Different tools exist for performing evidence acquisition
from live systems and for analyzing the evidence. Some commonly used computer forensic
tools are listed below:


These computer forensic tools may be evaluated against different criteria, such as
the completeness of the tool’s functionality, the time the tool takes to perform
its function, the ease of use and user friendliness of the tool, the cost of the tool,
the acceptability of the tool in court, and so on.

2.2.1 Imaging Tools

The process of imaging a hard drive involves making a bit-by-bit copy of the drive
to a raw image file, also called the analysis drive. Imaging a suspect’s hard
drive is one of the most critical functions of the computer forensic process. It is most
important that no data be written to the suspect’s hard drive during this process.
To ensure this, software-based or hardware-based write-blocker technology is
used. Write-blocker tools ensure that any write to the disk being imaged is blocked.
It is also essential that every bit copied to the analysis drive is exactly the same as
that found on the suspect’s drive. Plenty of imaging tools have been developed for
use in a forensic examination. Some of the imaging tools are described in
more detail below.
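As an added example (not from the chapter or from any of the tools it names), the following Python script shows the imaging loop described above: a sector-by-sector copy that hashes the bytes as they are written, zero-fills an unreadable sector the way dd’s conv=noerror,sync does, and then re-reads the image to verify it against the acquisition hashes. The suspect drive and its bad sector are constructed in memory; a real acquisition would read the device through a write-blocker instead.

```python
import hashlib
import io

SECTOR = 512  # the chapter's smallest physical storage unit


class ReadError(IOError):
    """Raised by the constructed source when a sector cannot be read."""


class FlakySource(io.BytesIO):
    """Constructed stand-in for a suspect drive: an in-memory byte string
    that fails on the sector indices listed in bad_sectors."""

    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, size=-1):
        if size > 0 and self.tell() // SECTOR in self.bad_sectors:
            self.seek(size, io.SEEK_CUR)   # the head moves on; the data is lost
            raise ReadError("unreadable sector")
        return super().read(size)


def image_source(src, dst, sector=SECTOR):
    """Copy src into dst one sector at a time and return an acquisition report.

    Each sector is fed to MD5 and SHA-256 as it is written, so the reported
    hashes describe exactly the bytes in the image. An unreadable sector is
    replaced by zero bytes so later sectors keep their offsets (the behaviour
    of dd's conv=noerror,sync) and its index is recorded for disclosure.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    bad, index, total = [], 0, 0
    while True:
        try:
            chunk = src.read(sector)
        except ReadError:
            chunk = b"\x00" * sector
            bad.append(index)
        if not chunk:
            break
        dst.write(chunk)
        md5.update(chunk)
        sha.update(chunk)
        total += len(chunk)
        index += 1
    return {"bytes": total, "md5": md5.hexdigest(),
            "sha256": sha.hexdigest(), "bad_sectors": bad}


def hash_stream(stream, sector=SECTOR):
    """Independent second pass over an image, used for verification."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    stream.seek(0)
    for chunk in iter(lambda: stream.read(sector), b""):
        md5.update(chunk)
        sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def verify_image(image, report):
    """True only if re-reading the image reproduces the acquisition hashes."""
    return hash_stream(image) == (report["md5"], report["sha256"])


def demo():
    """Image a constructed 8-sector drive whose sector 3 is unreadable."""
    drive = bytes(range(256)) * 16              # 4096 bytes = 8 sectors
    image = io.BytesIO()
    report = image_source(FlakySource(drive, bad_sectors=[3]), image)
    return report, image, verify_image(image, report)


if __name__ == "__main__":
    rep, _, ok = demo()
    print(f"imaged {rep['bytes']} bytes, zero-filled {rep['bad_sectors']}, verified={ok}")
```

The hashes in the report describe the image, not the physical drive, so any zero-filled sector has to be disclosed alongside them; the verification pass only proves that the analysis copy is what was acquired.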


2.2.2 Analysis Tools

Forensic analysis activities differ based on the type of media being analyzed,
the file system used, and so on. Some of the activities involved in forensic analysis
were discussed in prior passages. Some of the commonly used analysis tools are
described further below.


2.2.3 Forensic Toolkits

Forensic toolkits generally provide a set of tools for performing many activities
of a computer forensic investigation. No single toolkit has been developed
that encompasses all the forensic activities that an investigation might require.
The following two toolkits can be used to perform a variety of forensic
activities.


(a) Find out about other forensic tools used for investigation.

(b) Find out about the other features of the EnCase tool.


2.3 Executing an Investigation

Inevitably, and frequently without notice or sufficient preparation, police investigators
find themselves confronted with the challenges of high technology. When, in the course
of a basic criminal investigation, an investigator comes across computer equipment
(hardware and software) that might contain important evidence, the question that
often surfaces is: what should the investigator do? This question cannot be answered
with a simple response such as “shut it down and take it”. Instead, investigators
need to know what valid options there are and become properly trained in computer
search and seizure and computer-related evidentiary issues.

High technology evidence presents unique and challenging situations for the
investigator. In addition to ensuring that the necessary forensic examination and
essential preservation of computer evidence is done, the investigator needs specialized
training and tools to work with.

The use of advanced search programs, access to sophisticated computer equipment,
a working knowledge of evidence recovery methods, and a keen understanding of
the types of associated computer evidence are all key factors that help investigators
find evidence in computers.

2.3.1 Search Warrant Considerations

When investigators learn that a computer system is involved in some measurable
way with the offense, they need to elaborate on “how” the computer was used. For
example, if the police have learned from knowledgeable and reliable sources that
a particular person uses a computer database and spreadsheet program to account
for illicit drug sales, then investigators need to include this information in their
affidavits. Furthermore, investigators should carefully decide how much of this
information should be included in the affidavit without compromising the source’s identity.

Obviously, if we are protecting a confidential informant who may be one of only
a few persons having access to this particular computer data, we may prematurely
reveal our source. In many cases, sophisticated drug dealers, money launderers,
organized crime accountants and others have effectively used coded/encrypted
shipment, financial and customer data files in the furtherance of their criminal
activities. In the situation mentioned above, the computer now becomes an instrumentality
of the offense besides being evidence of a crime and a storage device or container
of evidence. Of course, our immediate right of seizure is further justified, so long as
we have articulated it in the affidavit as particular items to be seized.


If, on the other hand, during a lawful search, without any prior knowledge of computers
being used, we discover a computer system at the scene, can we look in its files?
The answer to this is yes. Using the example above, we can justify the computer
data search so long as we had asked for judicial permission to search for records
associated with illegal sales, distribution, design, manufacturing, production,
cultivation, importing, and illicit use of controlled drugs. Investigators should include
in their affidavits some commonly accepted language that generally describes
computer evidence, such as: “Any and all records pertaining to (specify), found in
either electronic or written form, located in devices capable of data storage and
retrieval.” This should effectively cover network, desktop, laptop and pocket computers,
data watches, memory telephones and most other electronic data storage systems
where evidence could be found.

Forensic investigators are allowed to reasonably search in any place where these
items (data records) could be located. Investigators should justify their search into
these devices based upon some specific training, knowledge and/or experience they
obtained, suggesting that the described records can in fact be stored on computer systems.

In writing the affidavit, investigators should be aware of the correct computer
terminology when describing the places to be searched and the items to be seized.
Examples of specific computer language can often be found in previous search
warrants and selected training materials. In order to help satisfy the particularity
requirement, investigators need to describe the particular computer system sought.
When investigators do not know the exact description of the computer, but suspect
or know of its use, then using general descriptions and definitions of a computer
system might be adequate.

2.3.2 Scope of the Investigation Search

The process of taking down a computer system depends in large part upon the scope
of the search and the system’s configuration (LAN, WAN networks,
mainframes, servers, PCs, etc.). If the subject of the warrant is operating on a
network, then keep in mind that evidence may be stored anywhere throughout that
network. When conducting controlled searches, investigators should also
look at network drives, the network and local backup copies, including mirrored/
redundant logical drives, the local disk drives and the various removable storage drives,
disks and tapes.

Investigators must also know that many businesses store their backup information
off-site, often with contracted third party vendors.


2.3.3 Identifying & Seizing Software/Hardware

Prior to the execution of the search warrant, the investigator should get as much
information as possible on the type of computer system they are searching for and possibly seizing.
Police need to know that computer systems can comprise a number of hardware
components and software.

Today’s computer system can obviously have a printer, mouse, monitor, modem,
keyboard, central processing unit (CPU), main circuit board, expansion board,
hard, floppy, tape, removable, CD-ROM/DVD and optical drives, memory modules,
computer chips and so much more. Police need to be able to recognize computer
equipment when they come across it and seize these items if they are within the
scope of the search and listed as items to be seized.

2.3.4 Seizing Smaller, Whole Computer Systems

When forensic investigators are dealing with smaller networks, desktop PCs and
workstations, an attempt to justify the taking of the whole system should be based
on the following criteria. When an entire organization is fully involved in an ongoing
criminal scheme, with little legitimate business (in non-essential services), and
evidence of the crime is clearly present throughout the network, an entire system
seizure might be proper.

In small-scale desktop situations, investigators must seize the whole system after
requesting to do so in the affidavit. Investigators seizing whole systems should
justify it by wording their affidavits in such a way as to refer to the
computer as a “system”, dependent on set configurations to preserve “best evidence”
in a state of original configuration. This may include peripherals, components,
manuals, and software.

In addition to the above, investigators should make every effort to lessen the
inconvenience of an on-site search. Some time estimates of manual data search
and analysis are 1 megabyte for every 1 hour of investigation work. Based on this
estimate, a 1-gigabyte hard drive may take up to 1000 hours to fully examine.
This assumes that each piece of data is decrypted, decoded, compiled, read,
interpreted and printed out.


2.3.5 Condition of Evidence

Computer files can be found on various types of storage media in all sorts
of deceptively modified, hidden, compressed, encrypted and semi-erased conditions.
Therefore, investigators need to be technically prepared to deal with evidence found
in these conditions and should mention these conditional factors in their affidavits
in order to legally expand their scope.

Onsite Interviews

Forensic investigators need to seek out critical information from persons present
or having direct knowledge of the computer system. The most important information
that investigators need is information about passwords/security devices on the system.
If there is no actual custody or interrogation of the suspect, asking for this information
without the standard Miranda warnings is permissible; however, giving the warnings
is the preferred method. Sometimes, by asking other persons present, the investigator
can obtain the same information.

Also, ask if there are onsite/offsite backups, privilege levels and access controls
present in the computer system. Of course, investigators should also ask about the
evidence they seek to find in the computer, relating to their case. If a person states
that the evidence you seek is located in the computer system, a cursory examination
is not necessary. However, don’t restrict your search to the areas that the suspect
directs you to look at. Always be prepared for evidence in multiple locations.

2.3.6 Forensic Image Backup

Computer crime investigators recognize the vulnerability of electronic data and
strongly suggest that forensically acceptable image duplication software be used in
investigations. After the investigator makes a duplicate image of the seized media
(hard drive, floppy, removable drives, etc.) and restores this backup onto another
system, the original evidence should be secured away. The restored backup image
(exact copy of the original) now becomes the location to search for electronic evidence.

Remember that a proper forensic image will copy each sector of the original media,
including unused areas and data that is hidden, partially erased or encrypted, allowing
the investigator to attempt restoration of data.


2.3.7 Searching & Retrieving Evidence

A huge number of forensic tools exist that enable investigators to streamline and
control their search for evidence in storage devices. A complete list of computer forensic
software is available by request. For instance, there are a number of specialized
search programs that allow investigators to structure customized searches for important
evidence. Investigators need to know that encrypted data and various compressed
data formats will not allow these types of searches until the data is uncompressed
or decrypted.

After the evidence is located, it needs to be understood and related to the case
being investigated. Computer investigators utilize specialized viewer and conversion
programs that can accommodate many file formats for quick viewing and printing
of evidence.

Create a scenario and, based on section 2.3, list all the permissions
we need in order to execute an investigation.

SUMMARY

1. This is the second module of the computer forensics course. This module
describes what disk structure is and gives a detailed explanation of the disk.
2. In this chapter you have learnt what a hard disk is, and then about the various types of
hard disk interfaces.
3. In addition, this module pointed out forensic tools, explained
the different types of forensic tools available for computer forensic
investigation, and discussed some of the commonly used forensic
tools.
4. Finally, you have learnt about the steps that are involved in executing a
forensic investigation, such as search warrant considerations, identifying
and seizing software/hardware, condition of evidence, onsite interviews,
forensic image backup, and searching and retrieving evidence.


GLOSSARY

ATA Advanced Technology Attachment.

HDD Hard Disk Drive.

EIDE Enhanced Integrated Drive Electronics.

FTK Forensic Toolkit.

IDE Integrated Drive Electronics.

MFT Master File Table.

SCSI Small Computer System Interface.

USB Universal Serial Bus.

VFS Virtual File System.

FAT File Allocation Table.

NTFS New Technology File System.

TCT The Coroner’s Toolkit.


TRUE/FALSE QUESTIONS

1. The file system keeps a table of contents of the files on the disk.
True False

2. Hard disks are volatile storage devices that are used to store and retrieve data
quickly.
True False

3. 5.25-inch drives were the first hard drives used on PCs.
True False

4. A jumper is a connector that works as an on/off switch for a hard disk.
True False

5. Tracks are segments of sector, and the smallest physical storage unit on a disk.
True False

6. Linux supports multiple file systems through the use of a Virtual File System.
True False

7. The dd utility is used to make a byte-wise copy of a file.
True False

8. An investigator does not need information about passwords/security devices
on the system.
True False

9. Evidor is a tool that is used to search hard disks for textual information.
True False

10. WinHex is an editor that can be used to examine files that have been acquired
for analysis.
True False


MULTIPLE CHOICE QUESTIONS 1

1. The ________ investigator toolset is a computer forensic tool used to acquire an
image from seized computers.
A. iLook
B. sLook
C. cLook
D. xLook

2. Which of the following is the most common hard disk interface?
A. UPS
B. USB
C. SUB
D. None of the above.

3. Which of the following is a file system of Microsoft operating systems?
A. FAT 12
B. FAT 13
C. FAT 14
D. FAT 15

4. ___________ is a forensic DOS shell designed to emulate and extend the
capabilities of DOS to meet forensic needs.
A. SpyDrive
B. iLook
C. DriveSpy
D. None of the above.

5. EnCase automatically creates ___________ hash values to preserve the integrity of
the evidence collected.
A. Sha1
B. MD3
C. Sha2
D. MD5


MULTIPLE CHOICE QUESTIONS 2

1. The Coroner’s Toolkit (TCT) is a collection of tools used to perform a
post-mortem forensic analysis of a ______ system.
A. Linux
B. UNIX
C. Windows
D. Macintosh

2. ____________ automatically retrieves and sorts deleted and partially overwritten
files.
A. Forensic Toolkit.
B. Toolkit
C. Forensic tool.
D. None of the above.

3. Which of the following is not a component of The Coroner’s Toolkit?
A. Grave-robber.
B. its
C. mactime
D. unrm

4. A hard disk is composed of predefined _________ that form concentric rings on
the disk.
A. Rows
B. Columns
C. tracks
D. None of the above.

5. __________ allows you to clone a hard disk.
A. WinHex
B. Winhax
C. Winmax
D. None of the above.

