Digital Forensics

4.1 Finding Deleted Data

• When a file is deleted on a computer, it is placed in the recycle bin or trash. When the recycle bin or trash is emptied (i.e., by the deletion of its contents), the file names and locations are removed from the file allocation table, which is how files are deleted on hard drives.
• The space where the file resides is marked as free space (i.e., unallocated), but the file still resides in that space after it is deleted (at least until it is partially overwritten by new data).
• File carving is a process used in computer forensics to extract data from a storage device without the assistance of the file system that created the file. It is a method that recovers files from unallocated space without any file information and is used to recover data and execute a digital forensic investigation. It is also called data carving, which is a general term for extracting structured data out of raw data, based on format-specific characteristics present in the structured data.
• As a forensics technique that recovers files based merely on file structure and content and without any matching file system meta-data, file carving is most often used to recover files from the unallocated space in a drive.
• Unallocated space refers to the area of the drive which no longer holds any file information as indicated by the file system structures like the file table. In the case of damaged or missing file system structures, this may involve the whole drive.
• In simple words, many file systems do not zero-out the data when they delete it. Instead, they simply remove the knowledge of where it is. File carving is the process of reconstructing files by scanning the raw bytes of the disk and reassembling them. This is usually done by examining the header (the first few bytes) and footer (the last few bytes) of a file.

Data Recovery
• Recovery of deleted data from FAT and NTFS is done in two ways :
  1. Recovering deleted data from unallocated space.
  2. Recovering data from slack space.
• Unallocated space is searched for recovering deleted directories.
Tools
• The recovery tools are EnCase, FTK and X-Ways. These tools use a bit-stream copy of a disk to give a reconstruction of the file system and display deleted files without actually modifying the FAT.

[Fig. 4.1.4 : screenshot of a recovery tool listing deleted files with their location, size and Created/Modified/Accessed times; the listing itself is not legible in the scan]

Limitations of Data Carving
• Not all data can be carved. Carving is based on characteristic signatures or patterns. For example, JPEG files typically have the "JFIF" signature in the beginning, followed by the file header. PDF files begin with "%PDF" and ZIP archives start with "PK". Some other files can be true binary.
• Logical file size : It is the actual size of the file.
• Physical file size : It is the size given to the file on the hard disk. The physical file size is always greater than or equal to the logical file size.
• File slack is the difference between the physical file size and logical file size. The file slack should always be less than 1 cluster.
• For example : A data file size is 5055 bytes and it is given 2 clusters of space. 1 cluster = 4096 bytes. Two clusters mean 8192 bytes. File slack = 8192 - 5055 = 3137 bytes.

Deleted Files
• If deleted files do not show up in the recycle bin, recover them by using one of the many commercial recovery tools. Recovery is based on the fact that Windows does not erase the file when it is being deleted. Instead, the exact location of that file on the disk is no longer recorded. The sectors previously occupied by the file are then advertised as available, but are not overwritten with zeroes or other data just yet.

Password Protection and Encryption
• In some cases digital investigators need to overcome password protection or encryption on a computer they are processing. If a disk is fully encrypted and the suspect refuses to give up the password, then it is impossible for the investigator to access the data. Even if the type of encryption algorithm is known, a brute-force search for the encryption key is infeasible.

Hibernating Files
• hiberfil.sys is a file that the Microsoft Windows operating system creates when it goes into hibernate mode. This file stores, on the hard drive, the state of the system just before hibernate mode was activated. When the computer comes out of hibernation, hiberfil.sys can be used to restore the previous state.
• Hiberfil.sys is a hidden file.
• The Windows 10 system has several power management options, one of which is Hibernation. Hibernation is a power management option that lets the system shut down and come back quickly. It works by saving the current user and system configuration (such as programs, files and folders) to the hard drive temporarily; when rebooting the system from hibernation mode, it restores exactly how it was. Users could put the system into hibernation for days or even weeks and it will still restore in the exact same manner.
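The carving and slack passages above can be tried on a small constructed "disk". The following Python script is an added example, not code from the book: it builds a five-cluster byte image (assumed cluster size 4096, as in the chapter's example) holding a JFIF-style JPEG, a 5055-byte PDF-like file and a real ZIP archive, then carves them back out purely from the header/footer signatures the chapter names, without consulting any file table, and computes the physical size and slack of each. The file names, offsets and contents are all constructed for the example.

```python
from __future__ import annotations
import io
import zipfile
from typing import NamedTuple

CLUSTER = 4096  # bytes per cluster, the value used in the chapter's slack example


class Signature(NamedTuple):
    kind: str
    header: bytes
    footer: bytes
    footer_len: int  # bytes to keep from the first byte of the footer onwards


# Header/footer pairs for the three formats the chapter names. The ZIP "footer"
# is the end-of-central-directory record, 22 bytes long when there is no comment.
SIGNATURES = [
    Signature("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 2),
    Signature("pdf", b"%PDF", b"%%EOF", 5),
    Signature("zip", b"PK\x03\x04", b"PK\x05\x06", 22),
]


class Carved(NamedTuple):
    kind: str
    offset: int
    data: bytes


def carve(image: bytes) -> list[Carved]:
    """Scan raw bytes for each header and cut the file at the next footer.
    No file table is consulted, so files whose directory entries are gone
    (unallocated space) are recovered as long as their content is intact."""
    found = []
    for sig in SIGNATURES:
        pos = 0
        while (start := image.find(sig.header, pos)) != -1:
            foot = image.find(sig.footer, start + len(sig.header))
            if foot == -1:
                break  # header without footer: this method cannot carve it
            end = foot + sig.footer_len
            found.append(Carved(sig.kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda c: c.offset)


def slack(logical_size: int, cluster: int = CLUSTER) -> tuple[int, int]:
    """Physical size (whole clusters) and file slack for a file of logical_size bytes."""
    physical = -(-logical_size // cluster) * cluster  # round up to a whole cluster
    return physical, physical - logical_size


def build_image() -> tuple[bytes, dict[str, tuple[int, bytes]]]:
    """Constructed five-cluster 'disk': a tiny JFIF-style JPEG, a 5055-byte
    PDF-like file (the chapter's slack example) and a real ZIP, each starting
    on a cluster boundary. Slack and unused clusters are left as zero bytes."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x37" * 100 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"A" * (5055 - 15) + b"\n%%EOF"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("note.txt", date_time=(2022, 5, 27, 14, 44, 10))
        zf.writestr(info, "constructed sample")
    layout = {
        "photo.jpg": (0, jpeg),
        "report.pdf": (CLUSTER, pdf),  # occupies clusters 1 and 2
        "archive.zip": (3 * CLUSTER, buf.getvalue()),
    }
    image = bytearray(5 * CLUSTER)
    for offset, data in layout.values():
        image[offset:offset + len(data)] = data
    return bytes(image), layout


def zip_member_names(data: bytes) -> list[str]:
    """Show a carved ZIP is intact by listing its members."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


if __name__ == "__main__":
    image, layout = build_image()
    # The "file table" (layout) is ignored from here on: carving works from bytes alone.
    for c in carve(image):
        physical, free = slack(len(c.data))
        print(f"{c.kind:4} at offset {c.offset:6}: {len(c.data)} bytes logical, "
              f"{physical} bytes physical, {free} bytes slack")
```

Running it prints the PDF-like file as 5055 bytes logical, 8192 physical and 3137 slack, the chapter's numbers. Note the limitation the chapter describes: a header whose footer has been overwritten is skipped, and a format with no characteristic signature cannot be carved this way at all.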
• This means that the user could only see it in the Windows file folder options if "Show hidden files and folders" is checked.

Sleep
• Sleep saves power and allows the computer to turn itself on and start working again quickly. RAM requires power to stay active, so sleep mode requires your PC to have a constant, though very small, amount of power. That is why, though in sleep mode the computer might seem to shut down, the blinking LED light present at the front of the system indicates that the computer is not fully off. You just need to press the power button, press a key on the keyboard or move the mouse and the system will wake up immediately.
• As compared to the sleep mode, the computer in hibernation mode wakes up slowly and retrieves files at a slow pace.

Hybrid Sleep Mode
• If we put sleep and hibernate mode into one blender and thoroughly mix it up, then the end product would be hybrid mode.
• In this mode, your computer can hibernate and sleep at the same time. This was designed for desktop computers, whereas for laptops it is activated by a …

Review Questions
1. Define sleep, hibernation and hybrid sleep.
2. Describe techniques to find deleted data.

4.2 Examining Windows Registry
• The registry is a hierarchical database made up of keys. Each key is like the branch of a tree. Each key has zero or more child keys. Each key can contain values holding configuration information and usage details.
• The registry is a database that stores configuration information such as network connections and user preferences.
• The registry contains 5 root keys :
  1. HKEY_CLASSES_ROOT : It contains information on file types, including which program is used to open a particular file type.
  2. HKEY_CURRENT_USER : It contains the configuration information in the user profile settings that are built during the logon process.
  3. HKEY_LOCAL_MACHINE : It contains information about the computer, including its hardware and software. Investigators spend the most time in this key.
  4. HKEY_USERS : It contains information on all the users who log on to the computer.
  This includes the settings for programs for each user who has logged on.
  5. HKEY_CURRENT_CONFIG : It contains information about the computer's current hardware configuration.
• In some registry files, key values are saved in hexadecimal format and have to be converted to ASCII to be read.
• The registry contains the configuration information of the hardware and software and may also contain information about recently used programs and files. Evidence that a suspect had installed a program or application may be found in the registry.

Review Questions
1. Explain registry structure in brief.

4.3 Recycle Bin Operation
• Recycle bin is a place where deleted items are temporarily stored in Windows unless they are permanently deleted. It provides users the option to recover deleted files in Windows operating systems.
• When a user "deletes" a file in Windows, the file itself is not actually deleted. The file at this point is copied into the recycle bin's system folder, where it is held until the user gives further instructions on what to do with the file. This location depends on the version of Windows the user is running. The recycler folder is a hidden directory, so users have to make some changes in the folder options to view that directory.
• The recycle bin occupies a predetermined amount of storage space on the computer's hard disk (which can be adjusted). When it fills up, the oldest items in the recycle bin are purged. This means that the more recently-deleted items overwrite the earliest deleted items when the space is needed to hold them.
• Fig. 4.3.1 shows the recycler folder.

[Fig. 4.3.1 Recycler folder]

• Fig. 4.3.2 shows the location of the recycle bin.

[Fig. 4.3.2 Location of the recycle bin]

• Files can be moved to the recycle bin in different ways, for example by dragging and dropping them onto it. Finally, the user can right-click on an item and select delete.
• The benefit of putting files into the recycle bin is that the user can back out of the delete.
• A user can actually bypass the bin altogether, though. Bypassing can be done in two ways. If a user presses Shift + Delete, the file goes straight to unallocated space without ever going through the recycle bin. Users are also able to configure their machines to bypass the recycle bin altogether.
• Some users, not fully understanding how their computer works, put all their faith in the recycle bin when they delete an incriminating file on their computer. Now users know that's a bad move.
• Recycle bin bypass : If an examiner suspects that the system has been set to bypass the recycle bin, the first thing they would check would be the registry. The "NukeOnDelete" value would be set to "1", indicating that this function had been switched on.
• The user could configure the system to bypass the recycle bin altogether by editing the registry : setting the DWORD value NukeOnDelete to 1 in the SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket subkey.

4.4 Metadata

[Figure : Properties dialog of a Microsoft Word document (.docx) showing Size, Size on disk, the Created, Modified and Accessed timestamps, and the Read-only and Hidden attributes]
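The registry check described for the recycle bin bypass can be automated against a registry export taken from the evidence system, which also illustrates the key/value structure from the registry section. The following Python script is an added example, not the book's code: it parses the subset of `.reg` export syntax needed (key paths in brackets, `"name"=dword:…` lines), locates every key at or below `Explorer\BitBucket`, and reports each NukeOnDelete value it finds. The export text is constructed for the example, the GUID in the per-volume subkey is a placeholder, and the `Advanced\Hidden` key is included only as a non-matching distractor.

```python
from __future__ import annotations
import re

# Key path fragment from the chapter; the regex also accepts subkeys below it.
BITBUCKET_RE = re.compile(r"\\Explorer\\BitBucket(\\|$)", re.IGNORECASE)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the subset of .reg export syntax used here:
    [key path] lines followed by "name"=value lines; comments (;) are skipped."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        keys[current][name.strip().strip('"')] = value.strip()
    return keys


def dword(value: str):
    """Decode a .reg 'dword:XXXXXXXX' value to int, or None for other value types."""
    return int(value[6:], 16) if value.lower().startswith("dword:") else None


def find_recycle_bin_bypass(text: str) -> list[tuple[str, int]]:
    """Return (key path, value) for every NukeOnDelete DWORD found under a
    BitBucket key, so the examiner sees both the switched-on (1) and off (0) entries."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not BITBUCKET_RE.search(key):
            continue
        for name, value in values.items():
            if name.lower() == "nukeondelete" and dword(value) is not None:
                hits.append((key, dword(value)))
    return hits


def bypass_enabled(text: str) -> bool:
    """True if any BitBucket key has NukeOnDelete switched on."""
    return any(v == 1 for _, v in find_recycle_bin_bypass(text))


# Constructed export, not taken from a real system; the GUID is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket]
"NukeOnDelete"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{00000000-0000-0000-0000-000000000000}]
"NukeOnDelete"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"""

if __name__ == "__main__":
    for key, value in find_recycle_bin_bypass(SAMPLE_REG):
        print(f"{'BYPASS ON ' if value == 1 else 'bypass off'}  {key}")
```

Working from an export rather than the live registry keeps the examination on a copy of the evidence, in the same spirit as the bit-stream copies the chapter recommends for disk recovery.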
Fig. 4.4.1 Metadata information as seen after right-clicking on the file

• Although file system metadata like file permissions, file status (active versus deleted) and information about whether a file is resident or nonresident can be useful in the right context, the aspect of file system metadata that often draws the most attention is the date-time stamp information.
• Windows and most forensic tools display only the date-time stamp information from the Standard Information Attribute (SIA) of the MFT record, largely the time stamps that get updated when a file or folder is …

Removing Metadata
• Open File Explorer and go to the file or document. Then right-click on it and select Properties. Alternatively, hold on it and press ALT + Enter on the keyboard. The properties window appears for the selected file, with the metadata stored with it. Select the "Remove Properties and Personal Information" link.
• Fig. 4.4.2 shows the remove properties window.

[Fig. 4.4.2 Remove properties window]

• The remove properties window is opened, where you can choose which properties to remove.
• Online tools : Online tools are a great option. No need to download and install anything.
  * An online tool by adarsus removes metadata from a variety of file formats.
  * MetaClean is a free online tool.
  * PDFYeah is a free, online, all-in-one solution for PDF files. While the free tools offered vary, they have a dedicated PDF file metadata remover. It cleans files up to 50 MB in size.
  * Metadata++ is software created by logipole with the sole purpose of editing and removing metadata from files. While it's not open-source, Metadata++ is categorized as freeware. Users can use Metadata++ to edit and remove any private information from images, audio files, video files and text in a variety of formats.

Review Questions
1. Describe techniques to remove metadata.

4.5 Restore Points and Shadow Copies
1. Restore Point : Windows monitors system activity and creates a restore point when particular activities occur.
• Types of activities that trigger automatic creation of restore points :
  a) Installing software
  b) Updating hardware drivers
  c) Installing new hardware drivers
  d) Manual creation of restore points
2. Shadow Copy : Shadow copies work by recording the changes to a file or folder. These changes are saved one after the other, which creates a history of the file/folder. This can be very useful if a user accidentally deleted a file or saved changes they did not mean to. For example, if the user accidentally deleted the entire …, the user can restore it. Users can also use it if they accidentally deleted important files, to restore those files.
• Fig. 4.5.1 shows shadow copies. Previous versions come from restore points or from …

[Fig. 4.5.1 Shadow copies : the Previous Versions tab listing "My Folder", dated 4/24/2016 12:00 PM, under "Yesterday (2)"]

Review Questions
1. Define restore points and shadow copies.
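The "Removing Metadata" passage in Section 4.4 describes the Windows properties dialog and online tools; what those remove is metadata stored inside the file itself, as distinct from the NTFS timestamps discussed under Fig. 4.4.1. The following Python script is an added example, not the book's code, showing the mechanism for one format: it walks the segment list of a JPEG and drops the APP1–APP15 (EXIF, XMP and similar) and COM segments while keeping the JFIF APP0 segment and everything a decoder needs. The sample input is a constructed segment stream with a fake scan section, not a decodable picture.

```python
from __future__ import annotations
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Application segments APP1..APP15 and comments carry metadata such as EXIF
# and XMP; all other segments (tables, frame headers, scan data) are needed
# to decode the picture and are kept. APP0 (JFIF) is kept too.
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {0xFE}


def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: FF, marker, 2-byte big-endian length (includes itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed JPEG-like byte stream (not a real picture): JFIF APP0,
    an APP1 Exif block, a COM comment, then a scan header and fake scan data."""
    return (
        b"\xff\xd8"
        + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        + segment(0xE1, b"Exif\x00\x00" + b"CAMERA-MODEL constructed; GPS 00.000,00.000")
        + segment(0xFE, b"constructed comment: edited on the laptop")
        + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
        + b"\x12\x34\x56\x78" * 8
        + b"\xff\xd9"
    )


def strip_jpeg_metadata(data: bytes) -> tuple[bytes, list[str]]:
    """Walk the segments and drop APP1-APP15 and COM. Returns the cleaned
    bytes and the names of the segments removed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(b"\xff\xd8")
    removed: list[str] = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:
            # From the scan header to EOI is entropy-coded image data: copy verbatim.
            out += data[pos:]
            return bytes(out), removed
        if marker in METADATA_MARKERS:
            removed.append("COM" if marker == 0xFE else f"APP{marker - 0xE0}")
        else:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    out += b"\xff\xd9"
    return bytes(out), removed


def jpeg_has_metadata(data: bytes) -> bool:
    """True if the stream still carries any removable metadata segment."""
    return bool(strip_jpeg_metadata(data)[1])


if __name__ == "__main__":
    original = build_sample_jpeg()
    cleaned, removed = strip_jpeg_metadata(original)
    print(f"removed {removed}: {len(original)} -> {len(cleaned)} bytes")
```

The same segment walk, run without the removal step, is how an examiner inventories what a file carries before it is handed over, and the second pass in the test shows the cleaned output is idempotent.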
