2. Key Technical Concepts
Topics
• Basic Computer Operation
• Bits & Bytes
• File Extensions & File Signatures
• How Computers Store Data
• RAM: Random Access Memory
• Volatility of Data
• The Difference Between Computer Environments
• Active, Latent, and Archival Data
• Allocated and Unallocated Space
• Computer File Systems
Bits & Bytes
• A Bit is 0 or 1
• 8 bits is a byte
o 00000000 to 11111111
o 256 possible bytes
o Can be written as a number 0 to 255
o In Hexadecimal, 00 to FF
ASCII Text
• One byte per character
• 7 bits encode the character, one parity bit
• 94 printable characters
• Originally used for English
• Adapted to other languages
ASCII file in Hexadecimal
• 20 hex = 32 decimal = SPACE
• 0D 0A = 13 10 = CR LF
ASCII
• From Wikipedia (Link Ch 2a)
Unicode
• Encodes all "commercially significant" languages
• Two bytes per character
• FF FE at the start is a Byte Order Mark
o Link Ch 2c
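As an added example (not from the original slides), the following Python script renders a byte stream the way a forensic hex editor does, with offset, hex pairs and an ASCII column, and recognises the byte order marks that can begin a Unicode text file, including the FF FE mark mentioned above. The sample bytes are constructed for the demonstration.

```python
"""Hex-dump a byte stream and recognise Unicode byte order marks (BOMs).

Added example for the ASCII-in-hexadecimal and Unicode slides; not part of
the original deck. The sample bytes in main() are constructed.
"""
from __future__ import annotations

from typing import Optional

# Byte order marks that may begin a Unicode text file. FF FE is the one
# the slide mentions: UTF-16 stored little-endian (least significant byte first).
BOMS = {
    b"\xef\xbb\xbf": "UTF-8",
    b"\xff\xfe\x00\x00": "UTF-32LE",
    b"\x00\x00\xfe\xff": "UTF-32BE",
    b"\xff\xfe": "UTF-16LE",
    b"\xfe\xff": "UTF-16BE",
}


def detect_bom(data: bytes) -> Optional[str]:
    """Return the encoding named by a leading BOM, or None if there is none.

    Longer marks are tested first: FF FE 00 00 (UTF-32LE) also starts with
    FF FE (UTF-16LE), so a naive lookup would misreport it.
    """
    for mark in sorted(BOMS, key=len, reverse=True):
        if data.startswith(mark):
            return BOMS[mark]
    return None


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render data as 'offset  hex bytes  |ASCII|' lines, `width` bytes per line.

    Only the printable ASCII range 0x20..0x7E is shown as text; everything
    else (including CR LF, 0D 0A) becomes '.', exactly as hex editors do.
    """
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        text_part = "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in chunk)
        lines.append(f"{offset:08x}  {hex_part:<{width * 3 - 1}}  |{text_part}|")
    return lines


if __name__ == "__main__":
    # Constructed sample 1: a Windows text line ending in CR LF (0D 0A).
    ascii_sample = b"Hello World\r\n"
    # Constructed sample 2: the same word as UTF-16LE behind the FF FE mark,
    # two bytes per character as the slide describes.
    unicode_sample = b"\xff\xfe" + "Hello".encode("utf-16-le")

    for sample in (ascii_sample, unicode_sample):
        print("BOM:", detect_bom(sample) or "none")
        print("\n".join(hexdump(sample)))
        print()
```

Running it shows the space at 0x20 and the line ending as 0d 0a in the ASCII sample, and the UTF-16 sample as ff fe followed by each letter padded with a 00 byte.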
File Headers & File Carving
GIF Image (13x16 pixels)
GIF File Header
• GIF89a – Version of GIF
• 0D 00 0A 00 – 13 pixels x 16 pixels
GIF Specification
• Link Ch 2d
File Carving
• Rebuilding files by assembling blobs of data found on a disk
• Relies on file headers and footers
• Done automatically by all-purpose forensic suites like FTK and EnCase
• Many other tools exist to carve files
Project X1: Identifying File Types
File Extensions & File Signatures
File Extensions
• Usually three letters long
• Appear at the end of a file name, after a dot
• Hidden in Windows by default
• Used to specify the file type, icon, and default application
Hide File Extensions
Incorrect File Extension
Wrong Default Application
• Any stream of bytes can be interpreted as ASCII
Open With…
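The GIF header, the file-carving slide and the point that an extension says nothing about what a file really contains all come together in the following Python script. It is an added example, not part of the original deck and not the code of FTK or EnCase: it identifies a file type from its leading bytes regardless of name, parses the GIF version and dimensions (the width and height are little-endian 16-bit integers, so a 13x16 image carries 0D 00 10 00), and carves GIFs out of a constructed blob of "unallocated space" by scanning from header to trailer.

```python
"""Identify files by signature and carve GIFs out of a raw byte blob.

Added example for the file-signature, GIF-header and file-carving slides; it
is not part of the original deck and not the code of FTK or EnCase. The
'disk image' is constructed in memory by build_sample_image().
"""
from __future__ import annotations

import struct
from typing import Optional

# Well-known signatures ("magic numbers") found at offset 0 of a file.
SIGNATURES = {
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (also DOCX, XLSX, JAR, APK)",
}

GIF_TRAILER = b"\x3b"   # every GIF ends with a single ';' byte
GIF_HEADER_LEN = 13     # 6-byte signature/version + 7-byte logical screen descriptor


def identify(data: bytes) -> Optional[str]:
    """Name a file type from its leading bytes; the extension is never consulted."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def parse_gif_header(data: bytes) -> tuple[str, int, int]:
    """Return (version, width, height) from the first 10 bytes of a GIF.

    Bytes 0-2 are 'GIF', bytes 3-5 the version ('87a' or '89a'), and bytes
    6-9 the width and height as little-endian 16-bit integers: a 13x16
    image carries 0D 00 10 00.
    """
    if len(data) < 10 or data[:3] != b"GIF":
        raise ValueError("not a GIF header")
    version = data[3:6].decode("ascii")
    width, height = struct.unpack_from("<HH", data, 6)
    return version, width, height


def carve_gifs(image: bytes) -> list[tuple[int, bytes]]:
    """Header-to-footer carving: return (offset, bytes) for each GIF found.

    This is the simple technique the slide describes. Real carvers also walk
    the GIF block structure, because a 0x3B byte can legitimately occur inside
    image data and would end this naive carve early.
    """
    found = []
    pos = 0
    while (start := image.find(b"GIF8", pos)) != -1:
        if image[start + 4:start + 6] in (b"7a", b"9a"):
            end = image.find(GIF_TRAILER, start + GIF_HEADER_LEN)
            if end != -1:
                found.append((start, image[start:end + 1]))
                pos = end + 1
                continue
        pos = start + 1
    return found


def make_gif(width: int, height: int, version: bytes = b"89a") -> bytes:
    """Constructed minimal GIF: header, empty logical screen descriptor, trailer."""
    screen = struct.pack("<HH", width, height) + b"\x00\x00\x00"  # no colour table
    return b"GIF" + version + screen + GIF_TRAILER


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': zeroed filler around two GIFs and a PNG header."""
    filler = bytes(64)
    return (filler + make_gif(13, 16) + filler
            + b"\x89PNG\r\n\x1a\n" + filler
            + make_gif(320, 200, b"87a") + filler)


if __name__ == "__main__":
    # A renamed file is still recognised: the bytes, not the name, decide.
    print("holiday.txt is really:", identify(make_gif(13, 16)))
    for offset, blob in carve_gifs(build_sample_image()):
        version, w, h = parse_gif_header(blob)
        print(f"GIF{version} at offset {offset}: {w}x{h} pixels, {len(blob)} bytes")
```

The carver deliberately searches for the trailer only after the 13-byte header, so a trailer byte inside the dimensions field cannot end the carve prematurely; the docstring notes the remaining limitation of header/footer carving.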
How Computers Store Data
Physical
• Computer needs a device to write the data on, e.g. HDD, pendrive
• Can be classified into 2 categories:
o Removable data storage
o Non removable data storage
Logical
• Computer needs an organized file system to write the data
o Enables the computer to retrieve data efficiently
o Can save the physical space effectively
Primary memory
• Requires power to maintain the stored information
• Random access memory (RAM)
• RAM is volatile—data is lost when power goes off
Secondary memory
• Slowest and cheapest form of memory
• It cannot be processed directly by CPU
• Nonvolatile—data is retained without power
• E.g. HDD, flash card, pendrive, magnetic optical disk, floppy disk
Storage Methods
• Electromagnetism
o Hard disks and floppy disks
• Microscopic Electrical Transistors
o SSDs, USB flash drives, SD cards, etc.
• Reflecting Light
o CDs, DVDs, Blu-ray
• They are all nonvolatile – they retain data without power
Magnetic Disks
• Platter spins at 7,000 rpm to 15,000 rpm
• Spindle is the axis
• Read/write head is an electromagnet mounted to an actuator arm
o Image from textbook
Disk Controller Card
• Stores and retrieves data from the platters
• Controlled by firmware stored in the Host Protected Area
o Image from http://static.ddmcdn.com/gif/ide-controller2.jpg
Flash Memory
• Made of transistors
• Solid State Devices (SSDs)
o Faster than hard disks
o Use less power
o More expensive
Optical Storage
• Microscopic pits encode bits
• Areas between pits are called lands
• There is one long spiral track for the whole disk
• Data is read with laser light
RAM Forensics
• RAM contains important evidence that is not normally written to the hard disk
o Instant messages
o Network connections
o Running processes
• BUT there are no time-stamps on RAM contents
o It can be misleading
Computing Environments
Four Categories
• Stand-alone
• Networked
• Mainframe
• Cloud
Stand-Alone
• A computer not connected to any other computer
o Such as a laptop not connected to Wi-Fi or cellular data
o BUT networks are everywhere now, even in BART or on airplanes
Networked
• A computer connected to at least one other computer
• Evidence might be on servers and network devices as well as the local computer
• Almost every computer is networked now
Mainframe
• A powerful computer used at a business, or shared by many users
• Located in a data center or colocation center
o Image from http://danialsharifudin.blogspot.com/2012/08/classification-of-computer.html
Cloud Computing
Examples of Cloud Computing
• Gmail
• Facebook
• Twitter
• Amazon Web Services
• CloudFlare
Cloud Services
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
• From Wikipedia (Link Ch 2m)
IaaS
• The most basic cloud service
• Outsources hardware needs
o Servers, storage, routers, switches…
• Examples
o Amazon EC2
o Windows Azure Virtual Machines
o Google Compute Engine
o Rackspace Cloud
• Link Ch 2m
PaaS
• Provides a computing platform
o OS, programming language execution, database, and Web server
• Examples
o AWS Elastic Beanstalk
o Heroku
o Google App Engine
o Windows Azure Compute
• Link Ch 2m
SaaS
• Providers install and operate application software in the cloud
• Users access the software from cloud clients
• Examples
o Google Apps
o Microsoft Office 365
• Link Ch 2m
• From link Ch 2g
Instagram
• Online photo-sharing site
• In Dec. 2012, Instagram changed its terms of service
o Perpetual rights to all photos
o Right to sell photos to advertisers without payment or notice to the user
• Instagram lost half its daily users in a month
o Links Ch 2h, Ch 2i
2. Key Technical Concepts, Part 2
Active, Latent, and Archival Data
Active Data
• Data the operating system can "see" and use
• Files and folders that appear in Windows Explorer
• Reside in allocated space
• Can be acquired by copying files
Latent Data
• Data that has been deleted or partially overwritten
• Invisible to OS
• Does not appear in Windows Explorer
• A bitstream or forensic image is required to acquire this data
Archival Data
• Also called Backups
• Commonly stored on
o External hard drives
o DVDs
o Magnetic tapes
o Cloud backup services like Iron Mountain or Symform
Legacy Archival Data
• Made with software or hardware that is no longer in production
• To acquire the data, you need to get old devices
o User groups
o eBay
• Image: PDP-11 at Defcon 17
o Link Ch 2n
Computer File Systems
File System
• An index or database containing the physical location of every piece of data on a hard disk
• Keeps track of used and free sectors
• Location of each file
• Filename
• Last modified date
• Permissions
• Different operating systems use different file system formats
FAT (File Allocation Table)
• Oldest and simplest file system
• FAT12 (for floppy disks)
• FAT16 (2 GB max. partition size)
o 4 GB on Win 2000 (link Ch 2p)
• FAT32 (Common on USB drives)
o Not used on Windows XP or later
• FATX for the X-Box
• exFAT used for Windows CE
o Link Ch 2o
NTFS (New Technology File System)
• Used by Win XP, 7, and Server
• Advantages
o Journaling (recovers from errors)
o Encryption
o Permissions
o Uses B-Trees for fast searches
HFS+ (Hierarchical File System)
• Used by Apple products
• Also uses B-Trees
• Related versions
o HFS
o HFSX
Linux File Systems
• ext2, ext3 and ext4, XFS, JFS, ReiserFS and btrfs
Allocated and Unallocated Space
Space on a Hard Drive
• Allocated
o Active data
o In use
o Can be seen by OS
• Unallocated
o No longer in use
o Slack space (Drive slack)
o Invisible to OS
Space on a Hard Drive
• Host Protected Area and Device Configuration Overlays
o Hidden area on a hard drive
o Difficult to detect
o Not used by OS
o Stores device firmware and data
o Accessed by firmware update routines, which can be reverse engineered
Data Persistence
• Old Data is Left in Slack Space
o Unallocated clusters
o Remains on drive until overwritten
o Can be years
• Even an overwrite may not get it all
o If the new file doesn't use all the sectors
Magnetic Drive Storage
• Sector = 512 bytes
o All data is read and written a sector at a time
• Cluster
o Varies, often 4096 bytes = 8 sectors
o OS can only use space a cluster at a time
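The Data Persistence and Magnetic Drive Storage slides are two halves of one mechanism: because the OS allocates whole clusters, a file that does not fill its last cluster leaves the rest of it untouched, and whatever was there before survives. The following Python script is an added example (not from the original deck) that works out the sector and cluster arithmetic for a file of a given size and then models a tiny cluster-addressed volume in memory to show how a deleted file's bytes remain readable in the slack of a smaller file written over it. ToyVolume is a constructed model, not a real file system driver.

```python
"""Sector and cluster arithmetic, and why deleted data survives in slack space.

Added example for the sector/cluster and data-persistence slides; not part of
the original deck. ToyVolume is a constructed in-memory model, not a real
file system driver.
"""
from __future__ import annotations

SECTOR = 512            # bytes read or written as one unit
CLUSTER = 8 * SECTOR    # 4096 bytes, the common cluster size on the slide


def allocation(size: int, cluster: int = CLUSTER, sector: int = SECTOR) -> dict:
    """Describe how a file of `size` bytes occupies whole clusters.

    The OS allocates whole clusters, so the space after the file's last byte
    is file slack: the unused tail of the final sector (RAM slack) plus any
    whole sectors left in the cluster (drive slack).
    """
    clusters = -(-size // cluster)                  # ceiling division
    allocated = clusters * cluster
    slack = allocated - size
    ram_slack = (sector - size % sector) % sector   # 0 when the last sector is full
    return {
        "clusters": clusters,
        "allocated": allocated,
        "slack": slack,
        "ram_slack": ram_slack,
        "drive_slack": slack - ram_slack,
    }


class ToyVolume:
    """A cluster-addressed volume where bytes persist until overwritten."""

    def __init__(self, clusters: int, cluster: int = CLUSTER) -> None:
        self.cluster = cluster
        self.data = bytearray(clusters * cluster)      # the platter
        self.table: dict[str, list[int]] = {}          # name -> clusters (our FAT)
        self.sizes: dict[str, int] = {}
        self.free = list(range(clusters))

    def write(self, name: str, content: bytes) -> list[int]:
        """Store content in the lowest-numbered free clusters, like FAT does."""
        needed = allocation(len(content), self.cluster)["clusters"]
        if needed > len(self.free):
            raise OSError("volume full")
        chunks = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(chunks):
            part = content[i * self.cluster:(i + 1) * self.cluster]
            base = c * self.cluster
            # Only the file's own bytes are written; whatever sat in the rest
            # of the cluster is left exactly as it was.
            self.data[base:base + len(part)] = part
        self.table[name] = chunks
        self.sizes[name] = len(content)
        return chunks

    def delete(self, name: str) -> None:
        """Deleting only releases the clusters; the bytes stay (latent data)."""
        self.free = sorted(self.free + self.table.pop(name))
        del self.sizes[name]

    def raw_cluster(self, n: int) -> bytes:
        """What a forensic image of cluster n would contain."""
        return bytes(self.data[n * self.cluster:(n + 1) * self.cluster])

    def slack(self, name: str) -> bytes:
        """Bytes of the file's last cluster that lie beyond the file's own end."""
        chunks = self.table[name]
        if not chunks:
            return b""
        used = self.sizes[name] - (len(chunks) - 1) * self.cluster
        return self.raw_cluster(chunks[-1])[used:]


def demo() -> bytes:
    """Write, delete, then partly overwrite; return what the small file's slack holds."""
    vol = ToyVolume(clusters=4)
    vol.write("secret.txt", b"OLD SECRET " * 400)   # 4400 bytes -> 2 clusters
    vol.delete("secret.txt")                         # clusters 0 and 1 freed, data intact
    vol.write("note.txt", b"new note")               # 8 bytes reuse cluster 0
    return vol.slack("note.txt")                     # 4088 bytes of the old file


if __name__ == "__main__":
    print(allocation(5000))
    leftover = demo()
    print(len(leftover), "bytes of slack, starting:", leftover[:20])
```

For a 5,000-byte file the arithmetic gives two clusters (8,192 bytes), 3,192 bytes of slack, of which 120 bytes are the unused tail of the last written sector and 3,072 bytes (six sectors) are never written at all; the demo then shows 4,088 bytes of the deleted file still sitting behind an 8-byte note.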
Page File (Swap Space)
• Used for virtual memory
o Temporary storage when your computer runs out of available RAM
o Windows puts data here even when RAM is not full
o It also loads old data from swap back into RAM
o I once found something years old in my RAM
Potential Page File Contents
• Passwords
• Fragments of images or documents
• Anything else from RAM
• BUT there is no timestamp, so it will be hard to connect to a specific user or event
Hiberfil.sys
• Contains entire RAM contents
o Filled when a computer hibernates
Whole Disk Encryption
• Because of the Page file and the Hiberfil
o You can never be sure where your data is
• Whole Disk Encryption
o The only way to be sure all your data is protected
o Microsoft BitLocker
o Apple FileVault
o TrueCrypt (Open Source)
Q&A
