
ARBA MINCH UNIVERSITY

FACULTY OF COMPUTING AND SOFTWARE ENGINEERING

Digital Forensic and Cyber Crime

Chapter 3: Collecting Evidence

Outlines
o When the device is off
o When the device is on
o Live investigation: Preparation
o Live investigation: Conducting
o Live investigation: Afterthoughts

Evidence collection
 Evidence collection is the act of documenting an organization’s compliance
processes and outcomes
 Documenting Evidence
 Relevant and fact-based
 Understandable format
 Clearly written
 Describe evidence collection process
 Results clearly stated

Why Collect Evidence?
 The simple reasons for collecting evidence are:
 Future Prevention: without knowing what happened, you have no hope of ever
being able to stop someone else from doing it again.
 Responsibility: the attacker is responsible for the damage done, and the only way to
bring him to justice is with adequate evidence to prove his actions.
 The victim has a responsibility to the community.
 Information gathered after a compromise can be examined and used by others
to prevent further attacks

Presenting Computer Evidence in Court
 Four types of computer evidence may be presented in court
 Real—actual and tangible
 Documentary—written
 Testimonial—written or spoken by witness
 Demonstrative—facts or objects
 Expert Testimony
 The expert must tell the jury
 What he or she did
 Why he or she did it
 How he or she did it
 What the findings were
Rules of Evidence
• Special knowledge is needed to locate and collect evidence and special care is required to
preserve and transport the evidence.
• Evidence in a computer crime case may differ from traditional forms of evidence in as
much as most computer-related evidence is intangible — in the form of an electronic pulse
or magnetic charge.
• The evidence must be competent, relevant, and material to the issue, and it must be
presented in compliance with the rules of evidence.
• Anything that tends to prove directly or indirectly that a person may be responsible for
the commission of a criminal offense may be legally presented against him.
• Proof may include the oral testimony of witnesses or the introduction of physical or
documentary evidence.
Rules of Evidence
• Admissible: Must be able to be used in court or elsewhere.

• Authentic: Evidence relates to incident in relevant way.

• Complete: Exculpatory evidence for alternative suspects.

• Reliable: No question about authenticity & veracity (truth).

• Believable: Clear, easy to understand, and believable by a jury.

Types of Evidence
• The most common forms of evidence are direct, real, documentary, and demonstrative.

• Direct evidence is oral testimony, whereby the knowledge is obtained from any of
the witness’s five senses and is in itself proof or disproof of a fact in issue.
• Real evidence, also known as associative or physical evidence, is made up of
tangible objects that prove or disprove guilt.
• Documentary evidence is evidence presented to the court in the form of business
records, manuals, and printouts, for example. Much of the evidence submitted in
a computer crime case is documentary evidence.
• Demonstrative evidence is evidence used to aid the jury. It may be in the form of a
model, experiment, chart, or an illustration offered as proof.

Cont’d …
• When seizing evidence from a computer-related crime, the investigator should collect any
and all physical evidence, such as the computer, peripherals, notepads, or documentation,
in addition to computer-generated evidence.

• Four types of computer-generated evidence are:
• Visual output on the monitor.
• Printed evidence on a printer.
• Printed evidence on a plotter.
• Film recorder (i.e., a magnetic representation on disk and optical representation on
CD).
Best evidence rule
• The best evidence rule, which had been established to deter any alteration of evidence,
either intentionally or unintentionally, states that the court prefers the original evidence at
the trial rather than a copy, but will accept a duplicate under these conditions:
• The original was lost or destroyed by fire, flood, or other acts of God. This has
included such things as careless employees or cleaning staff.
• The original was destroyed in the normal course of business.

• The original is in the possession of a third party who is beyond the reach of a court order.
Exclusionary and Hearsay Rules
• Evidence must be gathered by law enforcement in accordance with court guidelines
governing search and seizure or it will be excluded (Exclusionary Rule).
• Any evidence collected in violation of the guidelines is considered to be “Fruit of the
Poisonous Tree” and will not be admissible.
• Evidence may also be excluded for other reasons, such as violations of the Electronic
Communications Privacy Act (ECPA).
• Hearsay is secondhand evidence: evidence that is not gathered from the personal knowledge
of the witness but from another source.
• Its value depends on the veracity and competence of the source.
• Under the US Federal Rules of Evidence, all business records, including computer records,
are considered hearsay, because there is no firsthand proof that they are accurate, reliable, and
trustworthy.
• In general, hearsay evidence is not admissible in court.
Top 10 Locations for Evidence
1) Internet History Files
2) Temporary Internet Files
3) Slack/Unallocated Space
4) Buddy lists, personal chat room records, P2P, other saved areas
5) News groups/club lists/postings
6) Settings, folder structure, file names
7) File Storage Dates
8) Software/Hardware added
9) File Sharing ability
10) E-mails
Digital evidence
 Any data that is recorded or preserved on any medium in or by a computer system
or other similar device, that can be read or understood by a person or a computer
system or other similar device.
 It includes a display, print out or other output of that data.
 Characteristics include:
 Latent, like a fingerprint or DNA
 Fragile and can be easily altered, damaged, or destroyed
 Can be time sensitive
Types of Digital evidence
1. Persistent data:
 Data that remains intact when the computer is turned off, e.g. data on hard
drives, disk drives and removable storage devices (such as USB drives or flash
drives).
2. Volatile data:
 Data that would be lost if the computer is turned off, e.g. deleted files,
computer history, the computer's registry, temporary files and web browsing
history.
Digital evidence
 When the device is off: there is only the data stored on the static memory, such as
a hard drive, for you to examine.
 However, there is still some processing that needs to be done before you can
analyze the actual data on the storage unit.
 When conducting a forensic examination, especially in law enforcement, actions
must be taken to eliminate any chance of modifying the actual evidence.
 Contaminated evidence will in turn not be viable in court.
 Live evidence: the rule of thumb is to always document, in detail, what you do to
live evidence.
Digital evidence…
 The goal of any imaging software is to create a bit-by-bit copy of the original data and then
conduct the examination on the copy.
 Make sure that the copy and the original are the same.
 In forensic terms the copy is generally called a disk image or a forensic disk image.
 To create a disk image the examiner needs to connect the data source subject to
examination to a special device or an ordinary computer.
 A write blocker is a device that is put between the digital evidence and the computer it is
connected to, and prohibits the computer from writing any data to the device.
 Using disk imaging software and write blockers to create forensically sound copies of
digital evidence is crucial in order to perform a forensically sound examination.
 The process and tools used vary depending on what type of device you are examining,
but the theoretical approach remains the same.
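The following Python is an added example, not part of the lecture and not the code of FTK Imager or any other imaging tool. It mimics what imaging software does: every byte of the source is copied, the bytes are hashed as they are read (the acquisition hash), and afterwards both the original and the copy are re-hashed and compared, which is how "make sure that the copy and the original are the same" is checked in practice. The source is an in-memory byte buffer standing in for a write-blocked drive, and the buffer contents and chunk size are constructed for the example; the last step deliberately alters the original after acquisition to show that verification then fails.

```python
"""Create a bit-for-bit image of a source and verify it by hash (added example)."""
import hashlib
import io

CHUNK = 4096  # constructed chunk size; real tools read much larger blocks


def hash_stream(stream, algo="sha256"):
    """Hash a seekable stream from start to end, reading it in chunks."""
    h = hashlib.new(algo)
    stream.seek(0)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def image_source(source, destination):
    """Copy every byte of source into destination and return the SHA-256 of
    the bytes exactly as they were read (the 'acquisition hash')."""
    h = hashlib.sha256()
    source.seek(0)
    destination.seek(0)
    for block in iter(lambda: source.read(CHUNK), b""):
        h.update(block)
        destination.write(block)
    destination.flush()
    return h.hexdigest()


def verify_image(source, destination, acquisition_hash):
    """Re-hash original and image and compare both with the acquisition hash.
    Returns (verified, source_hash, image_hash)."""
    src = hash_stream(source)
    img = hash_stream(destination)
    return (src == img == acquisition_hash, src, img)


def demo():
    # Constructed 'drive' contents: 10 000 deterministic, varied bytes.
    drive = io.BytesIO(bytes((i * 7919) % 256 for i in range(10_000)))
    image = io.BytesIO()
    acq = image_source(drive, image)
    ok, _, _ = verify_image(drive, image, acq)
    # Simulate what a missing write blocker can cause: one byte of the
    # original changes after acquisition, so verification must now fail.
    drive.seek(123)
    drive.write(b"\x00")
    ok_after, _, _ = verify_image(drive, image, acq)
    return ok, ok_after


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is recorded at imaging time; the verification hash is computed later over the stored image, and the two must match before the image is used for any examination.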
Digital evidence
 When the Device is on
 When examining a computer or device that is turned on, a live examination, the
examiner gets the opportunity to collect volatile data that includes information on
what the device is currently up to
 It also gives the examiner the opportunity to examine if any of the active hard drives
are encrypted and collect unencrypted data from them
 Common implementations of Full Disk Encryption (FDE) ensure that all data on the
hard drive is encrypted when the computer is off
 The ultimate goal of a live investigation is to preserve as much volatile data as
possible and ensure that data resting on hard drives is available for later analysis

Digital Evidence Collection …
 There are three main steps of live investigations: preparation, conducting, and afterthoughts.
 Live Investigation: Preparation
 The preparation step is divided into two parts:
1. General (indicated by orange boxes): this step is divided into creating a process and a response kit.
 Creating a process concerns putting into words and deciding how to carry out the rest of
the tasks in the process.
 The process should cover a list of hardware and software you need, the persons that are
supposed to carry out live searches and preferably the competences needed.
2. Specific: concerned with the preparation related to the specific live investigation in question.
 Make any preparations needed for the specific live investigation, including gathering
additional tools and knowledge, and get in contact with any other persons that are
involved in the house search.
Evidence Collection …
 Live Investigation: Conducting
 Conducting is done together with police officers and any other forensic experts.
 The conducting step involves all tasks that are performed on-site, and two things are important:
1. Depending on legislation or a corporate environment, you will have different rules and
regulations that restrict how you may work.
2. Depending on the type of investigation and when you are called to the scene, all steps
may not apply.
 The live investigation should have the following ultimate goals:
 Document what is visually present on screen
 Collect volatile data
 Check if any data is encrypted and secure data from encrypted storage
 Provide clues for the continued house search.
Evidence Collection …
 Live Investigation: Afterthoughts
 The first thing to do is to write a protocol that describes what was done and any
possible findings during the live investigation.
 The responsibility for documenting may vary between different legislations, but at
the very least you should document what you have done during the live
investigation.
Chapter 4: Collecting Data
Outlines
o Imaging
o Collecting memory dumps
o Collecting registry data
o Collecting video from surveillance
Collecting Data
 A forensic examination will most likely begin with collecting data.
 Data is collected from different sources such as hard drives, the Windows registry, and volatile
sources.
 It is also common, especially in incident response, to collect live data from a network and
from networking devices such as routers and switches.
 Collecting data from video surveillance systems can be a tedious task that often falls into
the hands of a forensic examiner.
 Imaging is the process of copying a hard drive or other secondary storage media into a
forensic image that can be used for the forensic examination.
 An important aspect of a forensic examination is to ensure that the actual data on the hard
drive that is to be examined is not compromised, and the only way to fully ensure this is by making
a forensic image and examining the image.
Collecting Data
 Imaging …
 The best and safest way to create a forensic image is to make a physical image of a
hard drive.
 To do this, you physically remove the hard drive from the computer and connect it to
your own computer using a write blocker.
 A write blocker is a device that prohibits your computer from writing to the hard drive.
 To make a disk image with FTK you can use the program FTK Imager.
 Selecting an image file or the contents of a folder will let you browse for the image or
folder you want to import.
Imaging …
(Figures: FTK Imager source selection menu; FTK Imager physical source)
Collecting Memory Dumps
 Memory can hold a lot of interesting information including encryption keys, encrypted
data in its decrypted form and more.
 Unfortunately, the possibility to collect memory only presents itself during live
investigations, as the memory is volatile and the content is lost when the power is
turned off.
 However, collecting the data in memory should be a natural part of the forensic
process whenever possible.
 The most common way to collect memory is by using some trusted tool from within the
operating system of the computer from which you are going to collect the memory
dump.
 One tool that can be used for this purpose is FTK Imager.
Cont’d
 When collecting memory this way, the memory dump is stored as one big file.
 DMA attacks exploit the design of the IEEE 1394 interface, specifically the part of the
standard called DMA.
 Many different connectors, including Firewire, Thunderbolt, PC card, and other PCI
express devices, use the IEEE 1394 interface and are thereby susceptible to a DMA attack.
 To conduct a DMA attack, you would connect your computer to the victim computer and
present your computer as an SBP-2 unit directory.
 The victim computer will then give you read/write access to the lower 4 GB of its RAM,
allowing you to dump it.
 Inception is a free open-source tool that makes a DMA attack easy to carry out.
 The drawback is that you only get access to the lower 4 GB of RAM, and modern computers often hold
much more memory.
Cont’d …
 A cold boot attack is an attack where you basically freeze the memory modules, reboot
the victim computer and use a USB stick to make it boot a small process designed to
dump the contents of memory.
 The attack is possible due to the fact that when a computer is rebooted or turned off,
data in memory is not lost immediately.
Collecting Registry Data
 To analyze the registry, you need to collect the registry hives.
 Collecting the registry hives is a straightforward process.
 If you are examining the forensic image of a computer, the registry hives are stored
as files in the system partition.
 They are located in the folder “C:\Windows\System32\config\”.
 NTUSER.DAT is located in the root of each user’s home directory.
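As an added example (not from the lecture and not from any forensic tool), the Python below walks the hive locations the slides give, inside a system partition mounted read-only at `root`, records a SHA-256 for every hive it finds and reports the ones that are missing, so the collection log shows gaps rather than silently skipping them. The hive names in `SYSTEM_HIVES` are the standard files in that folder; `build_sample_image` creates a constructed directory layout with fake hive contents so the script runs offline.

```python
"""Locate and hash the registry hives inside a mounted forensic image (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Hive files normally present in Windows\System32\config.
SYSTEM_HIVES = ["SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT"]


def sha256_file(path):
    """Hash a file in 64 KiB blocks so large hives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def collect_registry_hives(root):
    """Return {hive name: (path, sha256)} for every hive found under root;
    a hive that is not present is recorded as None."""
    root = Path(root)
    found = {}
    config = root / "Windows" / "System32" / "config"
    for name in SYSTEM_HIVES:
        path = config / name
        found[name] = (str(path), sha256_file(path)) if path.is_file() else None
    users = root / "Users"
    if users.is_dir():
        # One NTUSER.DAT per user profile, in the root of the home directory.
        for home in sorted(p for p in users.iterdir() if p.is_dir()):
            ntuser = home / "NTUSER.DAT"
            key = f"NTUSER.DAT:{home.name}"
            found[key] = (str(ntuser), sha256_file(ntuser)) if ntuser.is_file() else None
    return found


def build_sample_image(root):
    """Constructed layout: three fake system hives and two user profiles.
    SECURITY and DEFAULT are deliberately left out to exercise the gap report."""
    config = Path(root) / "Windows" / "System32" / "config"
    config.mkdir(parents=True)
    for name in ("SAM", "SOFTWARE", "SYSTEM"):
        (config / name).write_bytes(b"regf fake hive " + name.encode())
    for user in ("alice", "bob"):
        home = Path(root) / "Users" / user
        home.mkdir(parents=True)
        (home / "NTUSER.DAT").write_bytes(b"regf fake user hive " + user.encode())


def demo():
    """Build the sample image in a temp dir and return (present, missing) hive names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        inventory = collect_registry_hives(tmp)
        present = sorted(k for k, v in inventory.items() if v)
        missing = sorted(k for k, v in inventory.items() if v is None)
        return present, missing


if __name__ == "__main__":
    print(demo())
```

The hashes go into the collection protocol together with the paths; they let anyone later show that the hives analysed are the ones taken from the image.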
Collecting Network Data
 A source of information that is sometimes important in criminal investigations and in
incident response is the actual network infrastructure.
 By collecting data from the network and information from network devices, a
Computer Security Incident Response Team (CSIRT) or forensic examiner can get an
understanding of what is actually going on in the network.
 In incident response, an incident could be that malware has infected some device in
the network and is using it to relay malicious e-mails to other organizations.
 A CSIRT would be very interested in swiftly locating the infected host, and in monitoring
network traffic to identify the originating device of those e-mails.
 Collecting and analyzing network traffic can be done with a number of different tools
and usually requires some knowledge about data communication.
Collecting Network Data
 While monitoring the actual traffic is powerful, network devices such as routers, switches,
firewalls, and intrusion detection systems (IDS) should be given equal attention.
 Routers and switches are used to forward data from one location to another,
 while firewalls and IDS determine and monitor what type of traffic can leave and enter
the network.
 These devices contain log files or volatile data that describe the rules in use at the moment
and how they were recently applied.
 They can answer questions about who communicated with whom and what service (or at least port
number) was used for communication.
 A very common objection to evidence found in a computer during a forensic
examination in law enforcement is that the computer must have been remote controlled.
 While it is very hard to determine if a computer wasn’t remote controlled,
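As an added example (not from the lecture), the Python below shows how firewall log lines answer "who communicated with whom, over which port", and how a CSIRT would use that to locate the e-mail-relaying host the slides describe. The log line format (`timestamp action proto src:port -> dst:port`) and the sample lines are constructed for the example; every real device has its own format and needs its own parser. Lines that do not parse are counted rather than dropped silently, and denied connection attempts are kept because they show what the host tried to do.

```python
"""Summarise constructed firewall log lines by source, destination and port (added example)."""
import re
from collections import Counter, defaultdict

# Hypothetical line format: "2024-03-01 09:00:01 ALLOW TCP 10.0.0.5:51000 -> 93.184.216.34:443"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: internal host 10.0.0.23 opens SMTP (port 25)
# connections to several outside servers, the relay pattern from the slides.
SAMPLE_LOG = """\
2024-03-01 09:00:01 ALLOW TCP 10.0.0.5:51000 -> 93.184.216.34:443
2024-03-01 09:00:02 ALLOW TCP 10.0.0.23:52001 -> 203.0.113.10:25
2024-03-01 09:00:02 ALLOW TCP 10.0.0.23:52002 -> 203.0.113.11:25
2024-03-01 09:00:03 ALLOW TCP 10.0.0.23:52003 -> 203.0.113.12:25
2024-03-01 09:00:03 DENY TCP 10.0.0.23:52004 -> 203.0.113.13:25
2024-03-01 09:00:04 ALLOW TCP 10.0.0.5:51001 -> 93.184.216.34:443
2024-03-01 09:00:05 ALLOW UDP 10.0.0.7:40000 -> 10.0.0.1:53
garbage line that does not parse
"""


def parse_log(text):
    """Return (records, unparsed_count); each record is the dict of named groups."""
    records, bad = [], 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            bad += 1
            continue
        records.append(m.groupdict())
    return records, bad


def conversations(records):
    """Count (src, dst, dport) triples: who talked to whom over which service."""
    return Counter((r["src"], r["dst"], int(r["dport"])) for r in records)


def is_internal(ip):
    """Constructed assumption for the sample: 10.x.x.x is the internal network."""
    return ip.startswith("10.")


def smtp_talkers(records, threshold=3):
    """Internal hosts that contacted at least `threshold` distinct external SMTP
    servers; a normal workstation talks to its own mail server only."""
    peers = defaultdict(set)
    for r in records:
        if int(r["dport"]) == 25 and is_internal(r["src"]) and not is_internal(r["dst"]):
            peers[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}


def demo():
    records, bad = parse_log(SAMPLE_LOG)
    web_hits = conversations(records)[("10.0.0.5", "93.184.216.34", 443)]
    return len(records), bad, smtp_talkers(records), web_hits


if __name__ == "__main__":
    print(demo())
```

The threshold is a tuning knob: on a real network it is set from what the firewall rules say is allowed (for instance, only the mail gateway may talk to port 25 outside), which is exactly the rule information the slides say these devices hold.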
Collecting Video from Surveillance
 Collecting video from surveillance is not as easy as you would think.
 You never know what to expect when you set out to collect video from surveillance
equipment.
 There are loads of different manufacturers, standards, and approaches to record and
store surveillance video.
 Some systems only accept FAT32-formatted memory sticks, while others require
NTFS or even ext4 formatting due to file size limitations.
 Time is critical when dealing with surveillance video.
 It is essential to record both the surveillance equipment's timestamp and the current
accurate time, noting any differences.
 Being prepared and adaptable is key to successfully collecting video from surveillance
equipment.
Process of a Live Examination
 The process of a live examination is often more comprehensive than just imaging,
collecting memory, and collecting registry data.
 At a minimum, you would also like to collect information about time settings, active
users, devices connected via USB or the network, and document active programs.

Reading assignment
Chapter 5: Analyzing Data and Writing Reports
Outlines
o Setting the stage
o Forensic analysis
o Reporting
Setting the Stage
o A general rule in criminal investigations is that everyone is innocent until proven guilty
and that investigations should not aim to prosecute a specific person but to uncover the
truth.
o This is achieved in different ways, including that suspects have the right to a proper
defense, investigations should be unconditional and transparent, and the defense should
be able to know how conclusions were reached so that they can be disputed.
o The analysis and report writing of a forensic expert has to make sure that the work meets
the following requirements:
o Unbiased: incriminating and exonerating evidence is considered and taken into account.
In reality, this would mean that if you are asked to see if a computer was used during a
specific period in time
o Reproducible: meaning that you document the basis for your conclusions well enough for
someone else to replicate your analysis. The general idea is that if someone does the
Forensic Analysis
o Forensic analysis is a way of answering the questions that the investigation has.
o To answer the questions, use:
o The forensic image
o The live investigation
o Other sources of information such as interrogations, or whatever seems reasonable
in your case
o The purpose of the forensic investigation usually needs to be clarified.
o E.g. find all incriminating or exonerating evidence in relation to online fraud.
Forensic Analysis
o What is considered while doing the analysis:
o Account for all data
o Get computer install date, operating system version, list of users and registered owner
o Get time zone information and clock settings
o Find network drive maps
o When you have completed the investigation and used different methods to search through the data on the
computer you are examining, it is time to analyze the information you found and draw conclusions.
o When you have completed your analysis, it is time for the final task of reporting your findings in a good
report, and that deserves a section of its own.
Reporting
o The final step in a forensic analysis is to write a report.
o The report basically serves two purposes:
1. To present the objective findings, and then it may include conclusions based on the
findings.
2. To make it understood that the conclusions always depend on the knowledge and interpretation of
the findings; thus the conclusions are in some sense subjective.
o The content of a report differs based on legislation and local policies.
o All reports include:
o Case data
o Purpose of examination
o Findings
o Conclusions
Chapter 6: Indexing, Searching and Cracking

Outlines
o Indexing
o Searching
o Cracking
Indexing
o A text index is commonly used for two purposes:
1. As a database that allows for fast searching using keywords or regular expressions.
2. It can be extracted and used as a dictionary in password cracking attempts.
 Indexing is a technique where you create an index of a forensic image.
 When creating an index, the data on the hard drive is seen in alphanumerical form.
 The data is read from beginning to end, and all cohesive strings are listed in the
index.
 The resulting index is useful in two ways:
1. Use the index to do fast searches for keywords,
e.g. the forensic software returns all files that contain that keyword.
2. Use the index as a word list in password cracking.
Since the index contains every alphanumerical string present on the device that you are examining,
there is a good chance that it contains one or more passwords related to something on the
Indexing
o There are some terms you need to be familiar with when working with indexes: spaces, letters and
noise words.
o Spaces are symbols that are used to separate the data into strings.
o Letters are the symbols that make up a string.
o Noise words are words that are ignored in the index because they are considered too
frequent,
o e.g. words like it, and, or.
o The strings that can be added to the index from the sample data are the following:
o Stretch
o Center
o FF
o The reason is that those strings are the cohesive strings of signs defined as letters in the
sample data.
Indexing
o Understanding how indexing works is crucial for conducting efficient searches.
o Indexing involves creating a structured data format that maps specific terms or
keywords to their locations within a dataset, such as text documents or databases.
o The representation "FF808080" likely refers to a hexadecimal color code, which can be
interpreted as a format or encoding method when letters represent numbers.
o During the indexing process, noise words like "Center" are often filtered out to focus on
more relevant terms, optimizing the index for faster and more accurate searches.
o Forensic tools commonly offer options to control the string length used in index entries,
allowing customization to meet specific analysis needs.
o Tools like Autopsy enable users to select specific character sets (comprising letters,
numbers, signs, etc.) for inclusion in searches. This customization is particularly
important for tasks like password cracking.
o Indexing plays a significant role in password cracking by facilitating faster searches for
specific character combinations or patterns within large datasets, leveraging indexing
efficiency to quickly identify potential passwords.
Searching
o A very common task during forensic examinations is to search for keywords.
o Although searching is a common and important task, it can be time consuming.
o Most forensic tools, including FTK, provide two different ways to conduct searches:
1. Live searches: quite straightforward.
 They are not constrained by a precomputed index, can search for any sign you want, and most
forensic tools accept some kind of regular expressions.
 More flexibility than index searches.
 In FTK, live and index searches are conducted from within the case analysis mode in
the tabs “Live Search” and “Index Search”.
2. Index searches: very fast, and you commonly get the results instantly, but
o finding specific sentences can be challenging, even though many indexing search
engines allow for use of regular expressions and logical operators.
Searching
o Digging deeper, keywords for any type of search can be expressed in two
different ways:
1. Exact words: a simple task, they are just the exact words.
2. Regular expressions: expressing patterns using what is called a regular expression
language.
 Variations in spelling: a word can be spelled in different ways, such as ecstasy and Xstasy.
 Searching for patterns: pattern matching any e-mail address, phone number,
credit card number or social security number.
 E.g. [a-zA-Z] will match any upper or lowercase English letter.
 Any proper forensic software supports both exact and regular expression searches.
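The Python below is an added example serving both the indexing slides (spaces, letters, noise words, the index as a word list) and the searching slides (live versus index search, exact and regular-expression keywords); it is not the indexing engine of FTK or Autopsy. `build_index` treats every byte in `LETTERS` as a letter and everything else as a space, drops strings shorter than `min_len` and the noise words, and maps each cohesive string to the offsets where it occurs. `index_search` can only match whole indexed strings, which is the limitation the slides mention, while `live_search` scans the raw bytes and can match anything. The sample "disk" contents are constructed.

```python
"""Text index over raw bytes, plus index and live searches (added example)."""
import re
from collections import defaultdict

# Constructed letter set: alphanumerics plus the signs that hold e-mail
# addresses and phone numbers together. Everything else is a 'space'.
LETTERS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@._-")
NOISE_WORDS = {"it", "and", "or", "the"}


def build_index(data, letters=LETTERS, min_len=3, noise_words=NOISE_WORDS):
    """Map every cohesive string in data to the list of offsets where it starts."""
    index = defaultdict(list)
    start = None
    for pos, byte in enumerate(data + b"\x00"):  # sentinel closes the last string
        if byte in letters:
            if start is None:
                start = pos
        elif start is not None:
            word = data[start:pos].decode("ascii")
            if len(word) >= min_len and word.lower() not in noise_words:
                index[word].append(start)
            start = None
    return dict(index)


def index_search(index, pattern, flags=re.IGNORECASE):
    """Index search: fast, but a pattern can only match a whole indexed string."""
    rx = re.compile(pattern, flags)
    return {w: offs for w, offs in index.items() if rx.fullmatch(w)}


def live_search(data, pattern, flags=re.IGNORECASE):
    """Live search: scans the raw bytes, so it also matches inside longer
    strings and across string boundaries. Returns (offset, text) pairs."""
    rx = re.compile(pattern.encode(), flags)
    return [(m.start(), m.group().decode("ascii", "replace")) for m in rx.finditer(data)]


def word_list(index):
    """The index doubles as a dictionary for password recovery, most frequent first."""
    return sorted(index, key=lambda w: (-len(index[w]), w))


# Constructed sample 'disk' content: text fragments mixed with binary filler.
SAMPLE = (b"\x00\x00Contact: alice@example.org\x00\x00"
          b"shipment of ecstasy and Xstasy\xff\xff"
          b"pw=Tr0ub4dor\x00call 555-0199 or 555-0133\x00")


def demo():
    idx = build_index(SAMPLE)
    return (
        sorted(index_search(idx, r"(ec|x)stas?y")),      # spelling variations
        list(index_search(idx, r"[\w.-]+@[\w.-]+")),      # any e-mail address
        live_search(SAMPLE, r"\d{3}-\d{4}"),              # phone-number pattern
        "Tr0ub4dor" in word_list(idx),                    # index as word list
    )


if __name__ == "__main__":
    print(demo())
```

Changing `LETTERS` changes what ends up in the index: with `@` and `.` removed, the e-mail address splits into three separate strings and the index search for it no longer matches, which is why the character set option in tools like Autopsy matters.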

Cracking
o Cracking, also called hacking, intrusion or whatnot, is the art of breaking something.
o It is to break passwords or encryption to get access to data, or to break authentication
systems to gain access to some system.
o In the context of digital forensics, cracking is a common practice used to get access to
data that someone made unavailable.
o Tools for password cracking: AccessData Password Recovery Toolkit (PRTK) and the
open-source alternative Hashcat.
o Use of the DMA attack to bypass authentication mechanisms of operating systems.
o Password Cracking Using PRTK
o PRTK is a tool that can crack a large number of different file types and encryption
schemes.
Cracking
o The following procedure is used for password cracking:
 Create dictionaries.
 Create attack profile.
 Run the attack.
 Password Cracking Using Hashcat: a vastly different approach than using
PRTK. Perhaps the most notable differences are the following:
 Hashcat expects a password hash to be cracked.
 Hashcat is a cracking tool and not a dictionary utility.
 Hashcat is a password cracker: it supports many hash algorithms but
does not include decryption attacks.
 It is a CLI cracker, not a GUI.
Chapter 7: Finding Artifacts

Outlines
o Install date
o Time zone information
o Users on the system
o Registered owner
o Partition analysis and recovery
o Deleted files
o Analyzing compound files
o Analyzing file metadata
o Analyzing log files
o Analyzing unorganized data
Artifacts
o When doing a forensic examination to answer questions asked by the investigation, you
need to look for evidence that you can use to draw conclusions.
o The pieces of evidence that you find are sometimes referred to as artifacts.
o Install Date: the install date for the computer can be of great importance.
o E.g. imagine you're investigating an event from 2015. If a computer was set up in 2016,
finding relevant information on it will likely be challenging, so you might choose to
disregard that computer. Additionally, if a suspect claims to have purchased a computer
in 2017 but it shows signs of being installed in 2015, this could raise suspicions that the
suspect is concealing information.
o Anyhow, the install date is found in the Windows registry, in the SOFTWARE hive.
o Using AccessData Registry Viewer, the install date can be found by viewing common
Artifacts
o The InstallDate key can also be found by browsing the registry hive to the following
path: Microsoft\Windows NT\CurrentVersion.
o Time Zone Information:
o The world is divided into time zones that make the time differ from location to location.
o The time zone settings on your computer will therefore affect the displayed time and the
time that is noted in time stamps.
o The time zone is sometimes expressed as the name of the time zone (Pacific Standard
Time) or as the offset from UTC (UTC-08:00).
o Time zone settings applied for a computer are found in the Windows registry, in the
SYSTEM hive, in the following path: ControlSet001\Control\TimeZoneInformation
o The system clock is also dependent on the daylight savings settings.
o Daylight savings tells you to turn the clock one hour back in the fall and one hour
forward in the spring.
o Users in the System: finding out what users are present in the system.
o There are several ways to find out what users are present in the system, such as
looking into which users have home folders in the Users folder.
o However, it is easy to manipulate a file system.
o The registry is a much safer way to find out the users of the system.
o Information about the users in the system is present in the SAM hive under the key:
SAM\SAM\Domains\Account\Users.
o This is a good place to describe user identifiers in Windows:
 A security identifier (SID)
 A relative identifier (RID): the last part of the SID, a numeric value
 The RID for the built-in administrator account is always 500 and the guest account is
always 501
 The SID and RID never change for a user account
 The SAM registry hive tells you the users present in the system, and AccessData Registry
Viewer will evaluate the RID and username for each user.
 The registry keeps track of the number of logins for each user, when the user last logged
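As an added example (not from the lecture and not from AccessData Registry Viewer), the Python below interprets the raw artifact values the install date, time zone and user slides describe. It assumes what the registry actually stores: `InstallDate` under `Microsoft\Windows NT\CurrentVersion` is a 32-bit Unix timestamp in UTC, `ActiveTimeBias` under `TimeZoneInformation` is the number of minutes to add to local time to obtain UTC (480 for UTC-08:00), and NTFS and registry time stamps are FILETIME values (100-nanosecond ticks since 1601-01-01 UTC). The SID strings and timestamp values are constructed; the RID rules (500 administrator, 501 guest, last component of the SID) are the ones the slide gives.

```python
"""Interpret registry time artifacts and Windows user identifiers (added example)."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest"}


def install_date(install_date_value):
    """SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate: Unix seconds, UTC."""
    return datetime.fromtimestamp(install_date_value, tz=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME (NTFS time stamps, registry key last-write times): 100 ns ticks since 1601."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def to_local(utc_dt, active_time_bias_minutes):
    """SYSTEM\\ControlSet001\\Control\\TimeZoneInformation\\ActiveTimeBias is the
    number of minutes to ADD to local time to get UTC, so local = UTC - bias."""
    tz = timezone(timedelta(minutes=-active_time_bias_minutes))
    return utc_dt.astimezone(tz)


def split_sid(sid):
    """Split a textual SID into its machine/domain part and the RID (last component)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def describe_account(sid):
    """Name the account type from the RID alone; the rest of the SID does not matter."""
    _, rid = split_sid(sid)
    return WELL_KNOWN_RIDS.get(rid, f"regular account (RID {rid})")


def demo():
    # Constructed values as they would be read from the hives.
    installed_utc = install_date(1432000000)            # 2015-05-19 01:46:40 UTC
    installed_local = to_local(installed_utc, 480)      # UTC-08:00, Pacific Standard Time
    unix_epoch = filetime_to_datetime(116444736000000000)  # the FILETIME of 1970-01-01
    machine = "S-1-5-21-3623811015-3361044348-30300820"  # constructed machine SID
    return (
        installed_local.isoformat(),
        unix_epoch == install_date(0),
        describe_account(machine + "-500"),
        describe_account(machine + "-1001"),
        split_sid(machine + "-1001")[0] == machine,
    )


if __name__ == "__main__":
    print(demo())
```

Renaming the Administrator account does not change its RID, so checking the RID rather than the name is how a renamed built-in account is recognised; likewise, an install date converted without the time zone bias can land on the wrong calendar day, which matters when the question is "was this machine set up before or after the event?".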
Registered Owner
o When installing Windows, you can register a name as the registered owner of the
system, and this information is kept in the registry.
o The registered owner is present in the SYSTEM registry hive at the following
path: Microsoft\Windows NT\CurrentVersion.
o Partition Analysis and Recovery: accounting for all data on a hard drive is essential and
a good way to identify hidden partitions or slack space.
Deleted Files
o Finding deleted files is a very common task for a computer forensic expert.
o In criminal investigations, deleted files are of great importance, since suspects delete files to cover their tracks.
o The process of recovering deleted files is called data recovery.
o Data recovery can be done in the following three ways:
o Recovering files deleted from the MFT.
o File carving: used to find files that cannot just be restored.
o Recovering data fragments.
Deleted Files
 Recovering files deleted from the MFT: Windows systems commonly use the NTFS file
system, and all files are listed in the Master File Table (MFT).
 When a file is deleted, the file entry in the MFT is removed but the actual file is
commonly left on the hard drive until it is overwritten.
 This can be done using FTK, FTK Imager, and Autopsy.
o TRIM (time resolution imaging mode), used in SSDs, is essentially a function that immediately wipes data
that is deleted from the operating system, making restoration impossible.
o File carving: used to find files that cannot just be restored.
 A file carver is a tool that does the carving process and generates a file that can be used
as evidence; it has to be:
 A working complete file
 and fitting into the active case.
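The Python below is an added example of header/footer file carving, not the carving engine of FTK or Autopsy. It scans a raw image for known file signatures (the real JPEG and PNG magic bytes are used) and carves from each header to the next matching footer; a header whose footer is never found is left alone, because the carver's output has to be a working, complete file. The disk image is constructed: a deleted JPEG, a PNG, and an orphan JPEG header with nothing behind it.

```python
"""Minimal header/footer file carver over a raw image (added example)."""

# Real signatures: JPEG starts with FF D8 FF and ends with FF D9;
# PNG starts with the 8-byte PNG signature and ends with the IEND chunk.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE = 10 * 1024 * 1024  # stop looking for a footer after this many bytes


def carve(image, signatures=SIGNATURES, max_file=MAX_FILE):
    """Return [(type, start, end, data)] for every header with a matching
    footer, sorted by offset. Headers without a footer are skipped."""
    results = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_file)
            if end == -1:
                pos = start + 1          # orphan header: no complete file here
                continue
            end += len(footer)
            results.append((kind, start, end, image[start:end]))
            pos = end                    # do not carve the same bytes twice
    return sorted(results, key=lambda r: r[1])


def build_sample_image():
    """Constructed image: a 46-byte JPEG, filler, a 76-byte PNG, filler, and an
    orphan JPEG header that must not be carved."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"
    return b"\x00" * 16 + jpg + b"\x00" * 8 + png + b"\x00" * 4 + b"\xff\xd8\xff" + b"\x00" * 4


def demo():
    return [(kind, start, end, len(data)) for kind, start, end, data in carve(build_sample_image())]


if __name__ == "__main__":
    print(demo())
```

Real carvers validate the carved bytes further (for a JPEG, that the segment structure parses; for a PNG, the chunk CRCs) before presenting a file as evidence, since a footer can occur by chance inside unrelated data.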
Analyzing Compound Files
 Several files that can contain important data are called compound files.
 A compound file is basically a file that maintains its own file structure and includes file
types such as compressed files and Microsoft Office files.
 To expand compound files in FTK, select “Expand compound files” during
preprocessing or at a later stage as additional analysis.
 The same can be done in Autopsy using the ingest module “Embedded File Extractor”.
 Analyzing File Metadata: metadata is information about the file it regards.
 While analysis usually focuses on the actual file content, metadata is often of equal interest to a forensic examiner.
 The information available depends highly on the content.
 Most file systems attach some metadata, including time stamps, to all files in the file
Analyzing Compound Files
 Analyzing File Metadata…
 The following types of metadata are commonly of interest to a forensic examiner:
 NTFS time stamps: created, accessed, modified and MFT modified time
 EXIF (Exchangeable image file format) data: contains a very extensive set of metadata
and is a very rich source of information:
 Name of the device, serial number, version and model, GPS coordinates where the picture
was taken, and custom tags added by the camera vendor
 Office metadata: of great interest to a computer forensic examiner.
 The Office metadata holds several pieces of information including:
 Name of original author and name of the person who last saved the document
 Original creation and last save date
 When the document was last printed
 Total time spent working on the document
Analyzing Log Files
 In a computer forensic examination, it is common to analyze how different applications were used.
 This includes messages going in and out of a chat application or analyzing transactions to and from a
bitcoin wallet.
 Analyzing chat logs is commonly a quite straightforward process, as the structure of chat logs tends to
be rather obvious.
 The process for analyzing chat logs can be summarized as follows:
 Use your favorite forensic tool to locate chat logs.
 Common search terms include message, msg, received, or sent.
 Understand the chat log by examining it and, if needed, conduct an experiment.
 Prepare the chat log for presentation, preferably in an automatic fashion.
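The Python below is an added example that carries the chat log procedure above through all its steps; it is not from the lecture or from any forensic tool. The log format (one message per line with `sent`/`received` keywords) and the sample text are constructed, so the parser is a hypothetical one for that format; the point of the "understand the chat log" step is that a real application needs its own parser, written after studying its files. Lines that do not parse are kept aside rather than dropped, and the records are sorted by time and written out as CSV for presentation.

```python
"""Locate, parse and normalise a constructed chat log for presentation (added example)."""
import csv
import io
import re
from datetime import datetime

# Hypothetical format: "2024-03-01 09:12:03 sent to=bob msg=hello"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<direction>sent|received) (?:to|from)=(?P<peer>\S+) msg=(?P<text>.*)$"
)
LOCATOR_TERMS = ("message", "msg", "received", "sent")  # the slide's search terms

# Constructed sample log, deliberately out of time order and with a non-message line.
SAMPLE_LOG = """\
2024-03-01 09:12:03 sent to=bob msg=are we still on for tonight?
2024-03-01 09:12:40 received from=bob msg=yes, same place
[debug] socket reconnect
2024-03-01 09:11:55 received from=carol msg=call me
"""


def looks_like_chat_log(text, terms=LOCATOR_TERMS, min_hits=2):
    """Step 1: cheap keyword test used to decide whether a file is worth parsing."""
    lower = text.lower()
    return sum(t in lower for t in terms) >= min_hits


def parse_chat_log(text, local_user="owner"):
    """Step 2: one uniform record per message; unparsed lines are returned too,
    so nothing disappears silently. 'owner' is the constructed name for the
    account whose log this is."""
    records, unparsed = [], []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            unparsed.append(line)
            continue
        d = m.groupdict()
        outgoing = d["direction"] == "sent"
        records.append({
            "timestamp": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "sender": local_user if outgoing else d["peer"],
            "recipient": d["peer"] if outgoing else local_user,
            "text": d["text"],
        })
    records.sort(key=lambda r: r["timestamp"])
    return records, unparsed


def to_csv(records):
    """Step 3: presentation-ready output, produced automatically."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "sender", "recipient", "text"])
    for r in records:
        writer.writerow([r["timestamp"].isoformat(sep=" "), r["sender"], r["recipient"], r["text"]])
    return buf.getvalue()


def demo():
    if not looks_like_chat_log(SAMPLE_LOG):
        return None
    records, unparsed = parse_chat_log(SAMPLE_LOG)
    first_row = to_csv(records).splitlines()[1]
    return [(r["sender"], r["recipient"]) for r in records], unparsed, first_row


if __name__ == "__main__":
    print(demo())
```

The timestamps here are taken as the application wrote them; before presenting them they have to be reconciled with the time zone settings and clock offsets collected earlier in the examination.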
Analyzing Unorganized Data
 A hard drive contains unorganized data, including slack space, which is residual data left behind after
file deletion.
 Other sources of unorganized data in forensic examinations include the Pagefile and memory dumps, as
well as the Hiberfile created during Windows hibernation.
 Despite their categorization as unorganized, the Pagefile, Hiberfile, and memory dumps can actually be analyzed in a
structured manner, as detailed in memory analysis.
 These data sources, due to their unique handling within the operating system, often yield valuable
artifacts.
 The Pagefile and Hiberfile, much like memory dumps, store information used by the computer, such as
data swapped from working memory or the machine state during hibernation.
 Additionally, encrypted data viewed by a computer is temporarily stored in memory in decrypted
form, making recovery possible from memory, the Pagefile, or the Hiberfile.
Analyzing Unorganized Data
 The process of analyzing unorganized data revolves around effective searching and interpreting
results. Utilizing keywords and regular expressions helps identify patterns.
 Keeping a record of successful search terms streamlines future investigations.
 For instance, if a file occupying five clusters is deleted and replaced by a new file that is four and a
half clusters large, the remaining half cluster contains file slack, potentially harboring fragments of
various file types and information.
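As an added example (not from the lecture), the Python below reproduces the five-cluster/four-and-a-half-cluster scenario on a tiny constructed volume and then searches the resulting file slack with a regular expression. The cluster size of 512 bytes and the file contents are constructed (a real NTFS volume usually uses 4096-byte clusters); `write_file` writes only the file's own bytes and leaves the rest of the last cluster untouched, which is what produces slack.

```python
"""File slack on a constructed volume: create it, extract it, search it (added example)."""
import re

CLUSTER = 512  # constructed cluster size


def slack_range(file_size, cluster=CLUSTER):
    """(offset within the file's clusters where slack starts, slack length)."""
    allocated = -(-file_size // cluster) * cluster   # round up to whole clusters
    return file_size, allocated - file_size


def write_file(volume, first_cluster, data, cluster=CLUSTER):
    """Write the file's bytes only; the tail of its last cluster keeps whatever
    was there before. Returns the allocation (first_cluster, size)."""
    start = first_cluster * cluster
    volume[start:start + len(data)] = data
    return (first_cluster, len(data))


def read_slack(volume, allocation, cluster=CLUSTER):
    """Extract the file slack of an allocated file from the volume."""
    first_cluster, size = allocation
    offset, length = slack_range(size, cluster)
    start = first_cluster * cluster + offset
    return bytes(volume[start:start + length])


def search_slack(slack, pattern):
    """Regular-expression search over the slack bytes, returning the matches as text."""
    return [m.group().decode("ascii", "replace") for m in re.finditer(pattern, slack)]


def demo():
    volume = bytearray(CLUSTER * 8)
    # Old file: exactly five clusters of repeated constructed text.
    old = (b"meeting at 23:00 pier 9 " * 200)[:5 * CLUSTER]
    write_file(volume, 0, old)
    # 'Delete' it (the file system merely forgets the allocation), then write a
    # new file of four and a half clusters over the same clusters.
    new_alloc = write_file(volume, 0, b"N" * (4 * CLUSTER + CLUSTER // 2))
    slack = read_slack(volume, new_alloc)
    hits = search_slack(slack, rb"\d{2}:\d{2}")
    return len(slack), len(hits), hits[0]


if __name__ == "__main__":
    print(demo())
```

The half cluster of slack still holds the old file's text, and a pattern search finds the times in it even though no file on the volume refers to those bytes any more.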
End of chapter
Thank you
Questions?